Friday, December 28, 2007
Now go migrate your "infrastructure" on the 31st of December. Happy holidays to you too!
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com
Moreover, Paul is also pointing out on the use of Blogspot blackhat SEO generated blogs in this Storm Worm campaign. In case you remember, the first one was relying on the infected user to first authenticate herself, and therefore authenticate for Storm Worm to add a link to a malware infected IP. Sample Blogspot URLs :
As for the complete list of the email subjects used for the time being, here's a rather complete one courtesy of US-CERT.
With end users getting warned about the insecurities of visiting an IP next to a domain name, this campaign is relying on descriptive domains compared to the previous one, while the use of IPs was among the few tactics that helped Storm Worm's first campaign scale so with every infected host acting as an infection vector by itself. And despite that I'm monitoring the use of such IPs from the first campaign in this campaign on a limited set of Storm Worm infected PCs, the next couple of days will shred more light into whether they'll start using the already infected hosts as infection vectors, or remain to the descriptive domains already used.
Keep riding on the storm.
Monday, December 24, 2007
Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com
Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM
The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit attempt to load. Current binary (stripshow.exe) has an over 50% detection rate 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.
Related info - SANS, ASERT, TEMERC, DISOG.
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab
What's important to point out in this case, is that the main index and the pages within the site are clean, so instead of trying to infect the visitors, the malicious parties are basically using it as a web dropper. Moreover, in the wake of Pinch-ing the Pinch authors, this variant generated on the fly courtesy of their tool fully confirms the simple logic that once released in the wild, DIY malware builders and open source malware greatly extend their lifecycles and possibility for added innovation on behalf of the community behind them.
Thursday, December 20, 2007
Don't forget that a country that's poised for asymmetric warfare domination in the long-term, will tolerate any such asymmetric warfare capabilities in the form of botnets for instance, for as long as they're not aimed at the homeland, in order for the country's intell services to acquire either capabilities or "visionaries" by diving deep into the HR pool available. The rest is muppet show.
inshallahshaheed.hadithuna.com - down
inshallahshaheed.acbox.com - down
inshallahshaheed.muslimpad.com - down
worldclash.wordpress.com - down
inshallahshaheed.blogspot.com - abondoned
ignoredknowlege.blogspot.com - active
And so the ultimate question remains, where is the very last and active blog operated by the Ignored Puzzle Pieces of Knowledge or Inshallahshaheed? Here it is - revival.muslimpad.com
Wednesday, December 19, 2007
"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload."
Talkely.com (18.104.22.168) is also responding to arenatalk.net and worldtalk.net. There's also another bogus message next to the one mentioned in SecureWorks analysis - and it's "Under Construction Try google".
Related posts on Web Based Malware :
Tuesday, December 18, 2007
The second one is located in CL-ECSA-LACNIC ENTEL CHILE S.A. at 22.214.171.124, and the IP is acting as the main IP for a wide range of NS servers which further expand the domain farm. As I've already pointed out numerous times, Rock Phish is a great example of how centralization means, both, efficiency and easy of management, and an insecurity from the perspective that shutting down the IP will shut down the entire scammy ecosystem of over 30 Rock Phish domains hosting approximately from 5 to 10 different phishing campaigns targeting different brands on a single domain. Here's another perspective on the blended threat posed by phishing emails that come with embedded banker malware, the results of which get later on aggregated in a banking malware infected botnet only. Find out more about trends and developments related to phishing in 2007 in a related article, and the Rock Phish kit in principle.
Monday, December 17, 2007
The teams, and the lone gunmen cyber jihadists in this post are : Osama Bin Laden's Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR, The Designer - Islamic HaCKEr and Alansar Fantom. None of these are known to have any kind of direct relationships with terrorist groups, therefore they should be considered as terrorist sympathizers.
_Osama Bin Laden's Hacking Crew
OBL's Hacking Crew are anything but cheap PSYOPsers trying to teke advantage of outdated conversational marketing approaches to recruit more members, for what yet remains unknown given the lack of any kind of structured formulation of their long-term objectives. They're also promoting the buzz word "E-MUJAHID" to summarize all the possible taska and objectives one would have. This is how they define E-JIHAD :
"JIHAD is the term used for struggle against evil. Electronic jihad or simply, E-JIHAD, is the jihad in cyberspace against all the propagandas and false allegations against the message of truth. E-JIHAD is the struggle in cyber space against all false and evil disciplines, ideology and forces of evil. Have you ever think what is the need of army? To defend the freedom and liberty of a territory and defend it from the attacks of evil intruders. similarly , E-jihad is the battle in the field of cyber space, against all false believes, and to defend the truth against the false and mean propagandas and cults. It is as necessary as a regular army, to defend the ideological borders of a nation. It is said, “ it is not the gun, it is man behind the gun “. Do you ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and ideology, there is no man and definitely , we then have gun , but without any man ."
These are the tips provided for "defending the ideological borders" :
- They have created anti-Islamic web sites, which are full of everything except the truth. They are full of mean and vulgar allegations against our HOLY QURA’AN, HOLY PROPHAT MOHAMMAD (PEACE BE UPON HIM) and our teachings. We must defend our teachings and fight against the evils. We have to create Islamic web sites, eGroups, Forums, Message boards, & we must support our Mujahideen brothers in Iraq, Afghanistan, Palestine, Kashmir and elsewhere.
- Many non-Muslims specially jews, Christians and hindus are working in different web groups and communities (like yahoo groups and msn communities) and spreading propaganda against us Muslims. There is a strong need to join such groups and try to refute them. At the moment, the cyber space is free of their opponents. Try to join and refute them, defend your HOLY TEACHINGS OF ISLAM and bring before everyone, nothing but just the truth.
- One of the most dangerous enemies is those who impersonate themselves as a Muslims but they are not Muslims infact. They are Islamic cults. They are usually qadyanis/ahmadis/mirzais and bahais. some are jews and christians. They are all non Muslims but they impersonate as a Muslim and try to misguide others. They are spreading non-Islamic believes. It needs to be taken care of, we have to fight them. Otherwise, you can imagine how disastrous this situation can be for Muslims. These culprit groups even tried to spread a copy of their teachings in the name of HOLY QURA’ AN. but ALLAH has promised that HE will keep HOLY QURA’AN preserved. That’s why, their attempt failed. What is our job? We must fight with these muslim cults and have to tell others the difference between Muslims and muslims cults.
- You can even make your own groups and communities to send mails having Muslim news and Islamic teachings. It is a time convenient method because if you have 500 members in your group, by sending a single mail in the group, your message will be in the inboxes of 500 users, and it takes hardly 1-2 minutes. Isn’t it a time saving technique?
- Many non-Muslim specially Americans, Israelis and Indian hackers always attack our web sites, which are refuting their falsehood and spreading the truth of Islam, the truth that is the only reality. To defend us against such “satanic groups “, we have to organize teamwork, consists of team of Muslim Hackers. Diamond cuts a diamond, to fight with hackers, we need hackers who will defend our sites and make it sure to convey uninterrupted messages to refute the evil and to spread the truth.
_Ansar AL-Jihad Hackers Team and HaCKErS aLAnSaR
Objective : Will be updated automatically in the main program and the extra room in the conversation. Date : Saturday, 26 /8/2006 - Hours are from 6 pm to 10 Mecca Time - Jerusalem-Cairo. From 3 pm until 7 Time 05:00 Enter chat http: al-jinan.org/chat. Will work only half an hour before the attack. Leadership decided to use only the major programme in the attack, Lltali follows : The programme operates in the same manner but more strongly Durrah, Member faced many problems in the modernization Durra because of their Alcockez, and the present quality, The programme is designed to automatically update speeds.
Their "pitch" :
"We note that our enemies Zionists have such groups in order to eliminate sites and sites of resistance Islamic profess. The notes on the Internet that many of the sites Mujahideen are taking place and the closure of sites and this immoral act of brotherhood pigs. Under such a senseless war on Lebanon and Palestine, the Zionists any target in any area. The factors that are responsible for targeting this will affect them and Ihabtahm and create terror in the hearts of God."
_The Designer - Islamic HaCKEr
"Muslims are not Terrorists and U.S.A & Israel & europa are Terrorists. america and israel and europa they terrorists and we moslems not is terrorists . and It was hacked because you are supporting the war in Iraq, palestine and Afghanistan, and it was hacked because you are killing our people and our kids in Iraq, palestine and Afghanistan , and It was hacked because they invaders our land and they vandals our homes and hacked your sites is our solution."
The bottom line, script kiddies cyber jihadists dominate, PSYOPS fill the gaps where there's zero technical know-how, mentors are slowly emerging and providing interactive tutorials to reach a wider audience, localization of knowledge from English2Arabic is taking place the way propaganda is also localized from Arabic2English, and there's also an ongoing networking going on between cyber jihadists and Turkish hacktivists converting into such on a religious level. Case in point - MuslimWarriors.Org defacement campaigns with "anti-infidel" related messages.
Sunday, December 16, 2007
"Researchers at Aladdin Knowledge Systems have discovered a “significant” vulnerability in the page-caching technologies of three major search engines, allowing them to deliver malicious pages that have been removed from the web. The researchers discovered the vulnerability when analysing the content of a hacked university website. The site was cleaned, but malicious content was still reachable via search engine caches. The flaw is a "glimpse of the future" of multifaceted web-based attacks, said Ofer Elzam, director of product management at Aladdin."
Let's discuss the current model of dealing with such sites. Whenever Google comes across a site that's potentially malware embedded, they don't just label it "this site may harm you computer" but also remove all the cached copies of the site. By doing so, they protect the "cached surfers crowd", and by doing so, often prompt me to locate the actual cached copies with the embedded malware hopefully still there by using other search engines, ones whose crawling capabilities aren't as fast as Google's.
Here's an example of how useful cached malware sites are for research purposes. Back in September, the U.S Consulate in St.Petersburg was serving malware, and the embedded malware link was removed sooner than I could obtain a copy of the infected page. Best of all - there were still cached copies available serving the malware which lead to the assessment of the campaign. Another great example that the intelligence sharing between the industry, independent reseachers and non-profit organizations, is resulting in far more detailed exposures of various malicious campaigns, compared to a vendor's self-sufficiency mentality.
This is how Google understand the malicious economies of scale, where efficiency gets sacrificed for a short lifecycle of the campaign, a trade-off I've been discussing for a while especially in respect to the Rock Phish Kit :
Google are clearly aware of what's going on, but are trying to limit the potential for false positives of sites wrongly flagged as ones serving malware, which is where malicious parties will be innovating in the future, while it still remains questionable why they still haven't done so by obvious means - RBN's directory permissions gone wrong for instance.
The bottom line - cached malware embedded sites are a valuable resource in the arsenal of tools for the security researcher/malware analyst to use, and not necessarily a threat if it's Google's approach of removing the cached copies we're talking about, prior to notifying of the infection. Which leads us to more realistic attack tactic than the one discussed in the article, where an attacker will supposedely embedd malware at different sites, let the search engines crawl and cache it, than remove the sites and wait for the visitors to use the cache, thereby infecting themselves. Case in point - the U.S Consulate's site for instance wasn't even flagged by Google as malware embedded one, which is hopefully the result of their fast crawling capabilities, but the ugly attack tactic I have in mind is not just embedding the IFRAME, but embedding an obfuscated IFRAME that leads to the usual obfuscated exploit URL, which is what happend in the Consulate's case, an obfuscated IFRAME by itself.
Saturday, December 15, 2007
If it were "embedded malware as usual" the wannabes would have started mass mailing links to malware infected sites spreading rumors regarding the visit, like a previous PSYOPS operation on behalf of an unnamed intelligence agency. However, in this case they embedded malware at a French Government's site related to Libya in order to eventually infect all the visitors looking for more information during the visit. That's a social engineering trick taking advantage of the momentum by proactively anticipating the rush of visitors to the site. Another such recent combination of tactics aimed to increase the lifecycle of the malware embedded attack by embedding it at Chinese Internet Security Response Team's site during the China's "Golden Week" holiday.
According to McAfee "Web Site of the French Embassy in Libya Under Attack" :
"The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous."
Let's pick up from where McAfee left in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 (126.96.36.199) loads an IFRAME to fernando123.ws/forum/index.php (188.8.131.52) which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fernando123.ws/forum/load.exe
Detection rate : Result: 9/32 (28.13%)
File size: 43008 bytes
As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the RBN did in the Bank of India incident definitely monitoring the exposure activities in real-time. However, accessing through a secondary IP retrieves the real IFRAME, namely winhex.org/tds/in.cgi?19 (184.108.40.206) which loads winhex.org/traff/all.php that on the other hand loads kjlksjwflk.com/check/versionl.php?t=577 which is now down, and 220.127.116.11/e-notfound1212/index.php where an obfuscation that's once deobfuscated attempts to load 18.104.22.168/e-notfound1212/load.php
Detection rate : Result: 14/32 (43.75%)
File size: 116244 bytes
Deja vu - 22.214.171.124 is the "New Media Malware Gang" in action, whose ecosystem clearly indicated connections with the RBN, Possibility Media's malware attack, Bank of India and the Syrian Embassy malware attacks, and Storm Worm which I assessed in numerous previous posts.
All your malware downloaders are belong to us - again and again.
Wednesday, December 12, 2007
Each of these is a visionary reading by itself, but perhaps it was the need for setting a new milestone into such warfare thinking that prompted the public release of the Unrestricted Warfare Symposium Proceedings Book in 2006 and in 2007. An excerpt from the introduction of the 2006 edition :
All of these reports and Ebooks are highly recomended bedtime reading, and so is the last but not least one, namely "Victory in Cyberspace" released October, 2007. Besides generalizing cyberspace war activities, it includes a comprehensive summary of the events that took place in Estonia during the DDoS attacks.
Tuesday, December 11, 2007
Name Server: ns1.4980603.com
Name Server: ns2.4980603.com
Name Server: ns3.4980603.com
Name Server: ns4.4980603.com
Here's more coverage courtesy of the ISC assessing a previous state of the campaign in the form of different domain names used :
"Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include: Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were observed redirecting browsers. The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network."
Monday, December 10, 2007
"Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar with IRC (In-ternet Relay Chat). They typically use bulletin board systems on the Web or IM software like QQ tocommunicate with each other. Orthogonal to a study on the underground black market located within IRC networks, we measure the Chinese-specific underground black market on the Web. We focus onthe most important part located at post.baidu.com, the largest bulletin board community in China. We crawled the portal and stored all posts and replies posted on some certain post bars which are all dedicated for the underground black market on this particular website. The post bars we examined include Traffic bar, Trojans bar, Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans inChinese), Box bar, Huigezi bar, Trojanized websites bar, and Envelopes bar."
What's the big picture on the Chinese IT Underground anyway? It's a very curious perspective next to China's economy self-awareness from a supplier of the parts that make up the products, to the independent manufacturer of them in real life. In cyberspace, the people driving the Chinese Underground tend to borrow malicious know-how from their Russian colleagues by localizing the most popular web malware exploitation kits such as Mpack and IcePack to Chinese, as well as benefiting from the proven capabilities of an open source DDoS-centered malware by also localizing it to Chinese and porting it to a Web interface. And so once they've localized the most effective attack approaches by making them even easier to use, the start adding new features and functionalities in between coming up with unique tools by themselves.
The bottom line - China's IT Underground is indirectly monitored and controlled by China's Communist Party, with the big thinkers realizing the potential for asymmetric warfare dominance as the foundation for economic espionage, and the largest cyberwarriors buildup in the face of people's information warfare armies driven by collectivism sentiments.
Here's a very interesting article detailing some of perspectives of the China Eagle Union, the Hacker Union of China, and the Red Hacker's Alliance :
"The Chinese red hackers have their own organizations and websites, such as the Hacker Union of China (www.cnhonker.com/), the China Eagle Union (www.chinaeagle.org/), and the Red Hacker's Alliance (www.redhacker.org). The Hacker Union of China (HUC) was founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 80,000 registered members at its peak, and reportedly has 20,000 members after regrouping in April 2005."
"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."
The recently uncovered breach at the U.S Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely, harvesting of the emails courtesy of the spammers, segmenting the emails database for targeted mailings on a per company, institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks with the spammers earning a higher profit margin for providing the service of segmentation :
"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."
And, of course, there's a Chinese connection, but thankfully there're articles emphasizing on the concept of stepping-stones before reaching the final destination, with China's highly malware infected Internet population acting as the stepping-stone, not the original source of the attack :
"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."
Publicly obtainable research, and common sense state that malware coming through email attachments is slowing down, and is actually supposed to be filtered on the gateway perimeter by default, especially executables. Even the first round of Storm Worm malware in January, 2007, concluded that email attachments are not longer as effective as they used to be, and therefore migrated to spamming malware embedded links exploiting outdated vulnerabilities.
How such type of targeted malware attack could have been prevented?
- ensure that the emails are harvested much harder than they are for the time being, in this particular case, a huge percentage of the emails account, thus the future contact points for the malicious parties to take advantage of ornl.gov can be harvested without even bothering to crawl the domain itself through web scrapping ornl.gov
- a freely avaivable, but highly effective tool to evaluate whether or not your mail server filtering capabilities for such type of content work, is PIRANA - Email Content Filters Exploitation Framework :
"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"
Taking the second possible scenario, namely that it wasn't a targeted attack, but malware attachments "as usual", mostly because the fact that modern malware automatically excludes mailings to .gov's .mil's and the majority of known to them anti-virus vendor's related email addresses, hoping to infect as much people as possible before a reactive response is in place.
If it were a spammed malware embedded link, the chances are the receipts followed it, but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and it's rocket scientists we're talking about anyway.
Shark3 Window's Info
Previous versions included features not so popular among RATs by default such as, built-in VirusTotal submission, process injection, and with the new version promoted to have a built-in rootkit capabilities, next to its Vista compatibility, let's ask the ultimate question - is it a RAT, or is it a malware? That's the rhetorical question.
Friday, December 07, 2007
Who's hosting the malware and what directory structure per campaign do they use?
It seems as content.onerateld.com (126.96.36.199) which is hosted at Limelight Networks is used in all the domains as the central download location. The directory structure is as follows :
Therefore, if you have secureyourpc.com the directory structure would be /SecureYourPC.com/SecureYourPC/install_en.exe
Sample domains portfolio of digitally alike samples of each of these :
DNS servers further expanding the domains portfolio :
Main portfolio domain farm IPs :
Laziness on behalf of the malicious parties in this campaign, leads to better detection rate, thus, they didn't hedge the risks of having their releases detected by diversifying not just the domains portfolio, but the actual binaries themselves.
Wednesday, December 05, 2007
The following URLs are currently active and exploiting CVE-2006-0003, and despite that it was patched in 11 April, 2006, the last quarter of 2007 showcased the malware authors simplistic assumption that outdated but unpatched vulnerabilities can be just as effective as zero day ones, and when the assumption proved to be true -- take Storm Worm's use of outdated vulnerabilities as the best and most effective example -- it automatically lowered the entry barriers into the world of malware, breaking through the myth that it's zero day vulnerabilities acting as they key success factors for a malware embedded attack on a large scale :
These are all courtesy of what looks like Chinese folks, and represent a good example of what malicious economies of scale are as a concept that emerged during 2007. Years ago, when a vulnerability was found and exploit released, malicious parties were quickly taking advantage of the "window of opportunity" following the myth that the more publicity the vulnerability receives, the more useless it will get, given more people will patch. That's such a wishful thinking, one the people behind Storm Worm apparently perceived as FUD-ish one, and by not following it, ended up with operating the largest botnet known for the time being - a botnet that was built on the foundations of outdated vulnerabilities pushed through emails, using sites as the infection vector , and not a single zero day one.
How are risks hedged? Risks are hedged by following the simple diversification principle, which from a malicious perspective means increasing the probability for success. By using a single exploit URLs like the MDAC in this case, the chances for success are much lower compared to diversification of the "exploits set", a daily reality these days thanks to the emerging malicious economies of scale mentality in the form of web exploitation kits such as MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker as the most popular ones.
Here's a related article - "Zero-Day Exploits on The Decline" :
"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians. For example, he said, the Storm worm propagates itself though users clicking on an e-mail link, and does not require a zero-day exploit to function. "When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."
So, how did the people behind Storm Worm ended up with the world's largest botnet? They simply didn't believe in the effectiveness of populist generalizations of security in the form of patching, and abused the miscommunication between the industry that's still preaching perimeter defense is the panacea of security, and the end user, the one whose Internet connectivity results in all the spam, phishing and malware we're all receiving, by stopping to target what the solutions protect from, and migrating to niche attack approaches to use as infection vectors - today's client side vulnerabilities courtesy of a malware exploitation kit that were found embedded on the majority of infected web sites incidents I've been assessing for the last couple of months.
Monday, December 03, 2007
And just as important it is to take advantage of the wisdom of crowds, whose collective intelligence can in fact act as an early warning system, it's also important to educate those who cannot freely express their opinion on the process of expressing it
Thursday, November 29, 2007
The first one is poker.gagnantscasino.com (188.8.131.52) with current obfuscation loading statistics-gdf.cn/ad/index.php (184.108.40.206) where another obfuscation loads, deobfuscated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around with the host for too long results in zero malicious activity, at least they make you think so. Here's another internal URL statistics-gdf.cn/ad/index.php?com
Detection rate : Result: 7/32 (21.88%)
File size: 43008 bytes
Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.
The second casino is fabispalmscasino.com (220.127.116.11) with current obfuscation attempting to connect to the now down stat1count.net/strong, a host residing on a netblock I covered before showcasing a scammy ecosystem. The third one is sypercasino.com which was resolving to 18.104.22.168 early this week, and taking advantage of WebAttacker at sypercasino.com/biling/index.php. Now it resolves to 22.214.171.124 and promotes banner.casino.com/cgi-bin/SetupCasino.exe
Detection rate: 9/32 (28.13%)
File size: 194077 bytes
It's interesting to monitor how people behind these manually change the obfuscations to further expand their connections with other scammers, or services and attack approaches they use, and even more interesting to see it happen on-the-fly just like meds247.org for instance.
Don't play poker on an infected table.
Wednesday, November 28, 2007
Moreover, a recently released survey results by Cloudmark, whose study into the Economics of Phishing is also worth going through, indicates that current and prospective customers of a certain brand lose trust in it, if they're exposed to phishing emails pretending to be from that brand :
The survey revealed that:
- 42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand
The last point is perhaps the most insightful one, given it has to do with self-awareness and responsibility, forwarding the responsibility to the provider of the email service, and best of all, seeking more responsibility in fighting outgoing phishing and spam compared to incoming one.