Friday, December 28, 2007

The New Media Malware Gang - Part Two

This summary is not available. Please click here to view the post.

Riders on the Storm Worm

During the last couple of days the folks behind Storm Worm have started using several new, and highly descriptive domains. It seems they've also changed the layout as well, and despite that the exploit IFRAME is now gone, automatically registered Blogspot accounts are also disseminating links to the domains. Some of these have been registered as of recently, others have been around in a blackhat SEO operation for a while and are getting used as a foundation for the campaign. These are all known Storm Worm fast-fluxed domains for the time being :

merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com


_happycards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com




_uhavepostcard.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com





_newyearwithlove.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com






_newyearcards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com









Moreover, Paul is also pointing out on the use of Blogspot blackhat SEO generated blogs in this Storm Worm campaign. In case you remember, the first one was relying on the infected user to first authenticate herself, and therefore authenticate for Storm Worm to add a link to a malware infected IP. Sample Blogspot URLs :

cbcemployee.blogspot.com
canasdelbohio.blogspot.com
1dailygrind.blogspot.com
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html
jariver.blogspot.com/2007/12/opportunities-for-new-year.html
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.html

As for the complete list of the email subjects used for the time being, here's a rather complete one courtesy of US-CERT.

With end users getting warned about the insecurities of visiting an IP next to a domain name, this campaign is relying on descriptive domains compared to the previous one, while the use of IPs was among the few tactics that helped Storm Worm's first campaign scale so with every infected host acting as an infection vector by itself. And despite that I'm monitoring the use of such IPs from the first campaign in this campaign on a limited set of Storm Worm infected PCs, the next couple of days will shred more light into whether they'll start using the already infected hosts as infection vectors, or remain to the descriptive domains already used.

Keep riding on the storm.

Monday, December 24, 2007

Spreading Malware Around the Christmas Tree

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit attempt to load. Current binary (stripshow.exe) has an over 50% detection rate 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.

Related info - SANS, ASERT, TEMERC, DISOG.

Pinch Variant Embedded Within RussianNews.ru

This is a perfect and currently live example demonstrating how a once compromised site can also be used as a web dropper compared to the default infection vector mentality we've been witnessing on pretty much each and every related case of malware embedded sites during 2007. The URL at a popular news portal for Russian/Iranian related news at : russiannews.ru/arabic/data/news/upload/exp is serving a Pinch variant thought an MDAC ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep it Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to : russiannews.ru/arabic/data/news/upload/exp/exe.php

Trojan-PSW.Win32.LdPinch.dzr
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab

What's important to point out in this case, is that the main index and the pages within the site are clean, so instead of trying to infect the visitors, the malicious parties are basically using it as a web dropper. Moreover, in the wake of Pinch-ing the Pinch authors, this variant generated on the fly courtesy of their tool fully confirms the simple logic that once released in the wild, DIY malware builders and open source malware greatly extend their lifecycles and possibility for added innovation on behalf of the community behind them.

Thursday, December 20, 2007

ClubHack 2007 - Papers and Presentations

Informative presentations and papers from ClubHack 2007- India's premier security event :

"ClubHack is one of its kind hackers' convention in India which serves as a meeting place for hackers, security professionals, law enforcement agencies and all other security enthusiasts."


Such localized events are always beneficial from a networking and a relationship building perspective. Something bigger is (always) going one though. You may not be aware that, for instance, Microsoft have been running the Securewars contest in India for a while, seeking to improve the favorability scale and awareness of the company's activities, to later on improve their chances of recruiting the most talented participants.

Russia's FSB vs Cybercrime

In what looks like a populist move from my perspective, the FSB, the successor of the KGB, have "Pinch-ED" the authors of the DIY malware Pinch. A populist move mainly because the Russian Business Network is still 100% fully operational, the Storm Worm botnet was originally launched and is currently controlled by Russian folks, and the lack of any kind of structured response on who was behind Estonia's DDoS attack. Pinch-ing the authors is one thing, pinch-ing everyone that's now literally generating undetected pieces of malware through the use of the kit on an hourly basis is another :

"Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007. Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan - two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court. The arrest of the Pinch authors is on a level with the arrests of other well known virus writers such as the author of NetSky and Sasser, and the authors of the Chernobyl and Melissa viruses."

This event will get cheered be many, but those truly perceiving what's going on the bottom line will consider the fact that fighting cybercrime isn't a priority for the FSB, and perhaps even worse, they're prioritizing in a awkward manner. I once pointed out, and got quoted on the same idea in a related research, that, Pandora's box in the form of open source malware and DIY malware builders is being opened by malware authors to let the script kiddies generate enough noise for them to remain undetected, and for everyone to benefit from those who enhance the effectiveness of the malware by coming up with new modifications for it. I'm still sticking to this statement. If the authors behind Pinch weren't interested in reselling copies of the builder, but were keeping it to themselves, thereby increasing its value, they would have been the average botnet masters in the eyes of the FSB, but now that the builder got sold and resold so many times I can count it as a public one, the authors compared to the users got the necessary attention.

I'll be covering Pinch in an upcoming post, mainly to debunk other such populist discoveries of Pinch in 2007, given that according to an encrypted screenshot of its stolen data crypter, and many other indicators, Pinch has been around since 2005, yes, exactly two ago. Why is this important? It's important because if the industry is waking up on the concept of form-grabbing and TAN grabbing in respect to banking malware in 2007, the bad guys have been doing it for the last couple of years, whereas customers are finding it necessary to maintain another keychain entirely consisting of pseudo-random number generators pitched as layered authentication. The bad guys do not target the authentication process, or aim at breaking it - they bypass it as a point of engagement, efficiently.

Don't forget that a country that's poised for asymmetric warfare domination in the long-term, will tolerate any such asymmetric warfare capabilities in the form of botnets for instance, for as long as they're not aimed at the homeland, in order for the country's intell services to acquire either capabilities or "visionaries" by diving deep into the HR pool available. The rest is muppet show.

Wednesday, December 19, 2007

Pushdo - Web Based Malware as Usual

Interesting assessment, especially the explanation of the GET variables, however, such descriptive use of POST variables to a malware's C&C server have been around for the last couple of years. What has logically changed is the added layer of obfuscation and complexity to make it hard to assess what does such a URL actually mean :

"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload."

This is an excerpt from a previous post on "Botnet Communication Platforms" including various graphs courtesy of botnet masters circa 2004/2005 :

"The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel."

Here're some C&C IPs related to Pushdo :

208.66.195.71
208.66.194.242
66.246.252.215
66.246.252.213
66.246.72.173
67.18.114.98
74.53.42.34
74.53.42.61
talkely.com

Talkely.com
(217.14.132.178) is also responding to arenatalk.net and worldtalk.net. There's also another bogus message next to the one mentioned in SecureWorks analysis - and it's "Under Construction Try google".

Related posts on Web Based Malware :
The Cyber Bot

Monday, December 17, 2007

Cyber Jihadist Hacking Teams

These groups and fractions of religiously brainwashed IT enthusiasts utilizing outdated ping and HTTP GET flooding attack tools, represent today's greatly overhyped threat possed by the cyber jihadists whose cheap PSYOPS dominate, given the lack of strategical thinking, and the lack of sustainable communication channels between them, ruined all of their Electronic Jihad campaigns so far. Religious fundamentalism by itself evolves into religious fanaticism, and with the indoviduals in a desperate psychological need for a belonging to a cause, ends up in one of the oldest and easiest methods for recruitment - the one based on religious beliefs.

The teams, and the lone gunmen cyber jihadists in this post are : Osama Bin Laden's Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR, The Designer - Islamic HaCKEr and Alansar Fantom. None of these are known to have any kind of direct relationships with terrorist groups, therefore they should be considered as terrorist sympathizers.

_Osama Bin Laden's Hacking Crew
OBL's Hacking Crew are anything but cheap PSYOPsers trying to teke advantage of outdated conversational marketing approaches to recruit more members, for what yet remains unknown given the lack of any kind of structured formulation of their long-term objectives. They're also promoting the buzz word "E-MUJAHID" to summarize all the possible taska and objectives one would have. This is how they define E-JIHAD :

"JIHAD is the term used for struggle against evil. Electronic jihad or simply, E-JIHAD, is the jihad in cyberspace against all the propagandas and false allegations against the message of truth. E-JIHAD is the struggle in cyber space against all false and evil disciplines, ideology and forces of evil. Have you ever think what is the need of army? To defend the freedom and liberty of a territory and defend it from the attacks of evil intruders. similarly , E-jihad is the battle in the field of cyber space, against all false believes, and to defend the truth against the false and mean propagandas and cults. It is as necessary as a regular army, to defend the ideological borders of a nation. It is said, “ it is not the gun, it is man behind the gun “. Do you ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and ideology, there is no man and definitely , we then have gun , but without any man ."

These are the tips provided for "defending the ideological borders" :

- They have created anti-Islamic web sites, which are full of everything except the truth. They are full of mean and vulgar allegations against our HOLY QURA’AN, HOLY PROPHAT MOHAMMAD (PEACE BE UPON HIM) and our teachings. We must defend our teachings and fight against the evils. We have to create Islamic web sites, eGroups, Forums, Message boards, & we must support our Mujahideen brothers in Iraq, Afghanistan, Palestine, Kashmir and elsewhere.

- Many non-Muslims specially jews, Christians and hindus are working in different web groups and communities (like yahoo groups and msn communities) and spreading propaganda against us Muslims. There is a strong need to join such groups and try to refute them. At the moment, the cyber space is free of their opponents. Try to join and refute them, defend your HOLY TEACHINGS OF ISLAM and bring before everyone, nothing but just the truth.

- One of the most dangerous enemies is those who impersonate themselves as a Muslims but they are not Muslims infact. They are Islamic cults. They are usually qadyanis/ahmadis/mirzais and bahais. some are jews and christians. They are all non Muslims but they impersonate as a Muslim and try to misguide others. They are spreading non-Islamic believes. It needs to be taken care of, we have to fight them. Otherwise, you can imagine how disastrous this situation can be for Muslims. These culprit groups even tried to spread a copy of their teachings in the name of HOLY QURA’ AN. but ALLAH has promised that HE will keep HOLY QURA’AN preserved. That’s why, their attempt failed. What is our job? We must fight with these muslim cults and have to tell others the difference between Muslims and muslims cults.

- You can even make your own groups and communities to send mails having Muslim news and Islamic teachings. It is a time convenient method because if you have 500 members in your group, by sending a single mail in the group, your message will be in the inboxes of 500 users, and it takes hardly 1-2 minutes. Isn’t it a time saving technique?

- Many non-Muslim specially Americans, Israelis and Indian hackers always attack our web sites, which are refuting their falsehood and spreading the truth of Islam, the truth that is the only reality. To defend us against such “satanic groups “, we have to organize teamwork, consists of team of Muslim Hackers. Diamond cuts a diamond, to fight with hackers, we need hackers who will defend our sites and make it sure to convey uninterrupted messages to refute the evil and to spread the truth.

_Ansar AL-Jihad Hackers Team and HaCKErS aLAnSaR
Both of these are actually the same, and the group's popularity comes from the al-jinan.net and the al-jinan.org Electronic Jihad campaigns, yes, the failed ones. The original message from Al-jinan's first campaign back in 2006 :

Objective
: Will be updated automatically in the main program and the extra room in the conversation. Date : Saturday, 26 /8/2006 - Hours are from 6 pm to 10 Mecca Time - Jerusalem-Cairo. From 3 pm until 7 Time 05:00 Enter chat http: al-jinan.org/chat. Will work only half an hour before the attack. Leadership decided to use only the major programme in the attack, Lltali follows : The programme operates in the same manner but more strongly Durrah, Member faced many problems in the modernization Durra because of their Alcockez, and the present quality, The programme is designed to automatically update speeds.

Their "pitch"
:

"We note that our enemies Zionists have such groups in order to eliminate sites and sites of resistance Islamic profess. The notes on the Internet that many of the sites Mujahideen are taking place and the closure of sites and this immoral act of brotherhood pigs. Under such a senseless war on Lebanon and Palestine, the Zionists any target in any area. The factors that are responsible for targeting this will affect them and Ihabtahm and create terror in the hearts of God."

_The Designer - Islamic HaCKEr
A defacer going by the handle of The Designer - Islamic HaCKEr was a vivid hacktivist for a while, than switched handles and continued to deface spreading cyber jihadist PSYOPS such as the following message courtesy of one of his defacements :

"Muslims are not Terrorists and U.S.A & Israel & europa are Terrorists. america and israel and europa they terrorists and we moslems not is terrorists . and It was hacked because you are supporting the war in Iraq, palestine and Afghanistan, and it was hacked because you are killing our people and our kids in Iraq, palestine and Afghanistan , and It was hacked because they invaders our land and they vandals our homes and hacked your sites is our solution."

_Alansar Fantom
In direct coordination with The Designer and Al-Ansar Hackers Team, basically a low-profile script kiddie that's also involved in spreading the campaign message and the flood tools to be used in eh Electrnic Jihad campaign.
Offensive cyber terrorism on behalf of terrorists in the sense of cyber mujahideens is overhyped if they're to do it on their own given the factual based evidence of their current state of technical know-how, with the Electronic Jihad program among the most recent such overhyped threats. Defensive cyber terrorism as an extension of cyber jihad in an asymmetric nature, is what is going on online for the time being, and has been going on for the last couple of years.

The bottom line, script kiddies cyber jihadists dominate, PSYOPS fill the gaps where there's zero technical know-how, mentors are slowly emerging and providing interactive tutorials to reach a wider audience, localization of knowledge from English2Arabic is taking place the way propaganda is also localized from Arabic2English, and there's also an ongoing networking going on between cyber jihadists and Turkish hacktivists converting into such on a religious level. Case in point - MuslimWarriors.Org defacement campaigns with "anti-infidel" related messages.

Sunday, December 16, 2007

Cached Malware Embedded Sites

Google, with its almost real-time crawling capabilities, has rarely proved useful while researching malware embedded sites who were cleaned before they could be analyzed, mainly popular sites who get crawled several times daily. However, Yahoo's and MSN's search engines, with MSN providing Archive.org type of historical crawling content, have been an invaluable resource in providing the actionable historical intelligence in the form of what was embedded at the site, where was it pointing, are there many other sites currently embedded by the same campaign etc. This is an interesting opinion stating that cached malware embedded sites are a security problem, well they're, but the bigger problem to me is that it's only Google that's taken efforts to deal with the problem next to the market challengers - Yahoo and MSN - "Google, Yahoo, Microsoft Live search engines contain page-caching flaw, says Aladdin" :

"Researchers at Aladdin Knowledge Systems have discovered a “significant” vulnerability in the page-caching technologies of three major search engines, allowing them to deliver malicious pages that have been removed from the web. The researchers discovered the vulnerability when analysing the content of a hacked university website. The site was cleaned, but malicious content was still reachable via search engine caches. The flaw is a "glimpse of the future" of multifaceted web-based attacks, said Ofer Elzam, director of product management at Aladdin."

Let's discuss the current model of dealing with such sites. Whenever Google comes across a site that's potentially malware embedded, they don't just label it "this site may harm you computer" but also remove all the cached copies of the site. By doing so, they protect the "cached surfers crowd", and by doing so, often prompt me to locate the actual cached copies with the embedded malware hopefully still there by using other search engines, ones whose crawling capabilities aren't as fast as Google's.

Therefore, don't put Google in the same row as Yahoo and MSN, since Yahoo and MSN do not provide such in-house built malware embedded sites notification services, and given the slow content crawling, it's among the top reasons why I love using their search engines given I'm aware of a malware embedded site, but couldn't obtain the obfuscated javascript/IFRAME before it got removed.

Here's an example of how useful cached malware sites are for research purposes. Back in September, the U.S Consulate in St.Petersburg was serving malware, and the embedded malware link was removed sooner than I could obtain a copy of the infected page. Best of all - there were still cached copies available serving the malware which lead to the assessment of the campaign. Another great example that the intelligence sharing between the industry, independent reseachers and non-profit organizations, is resulting in far more detailed exposures of various malicious campaigns, compared to a vendor's self-sufficiency mentality.

This is how Google understand the malicious economies of scale, where efficiency gets sacrificed for a short lifecycle of the campaign, a trade-off I've been discussing for a while especially in respect to the Rock Phish Kit :

"Examining our data corpus over time, we discovered that the majority of the exploits were hosted on third-party servers and not on the compromised web sites. The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit either via iframes or external JavaScript. Another, less popular technique, is to completely redirect all requests to the legitimate site to another malicious site. It appears that hosting exploits on dedicated servers offers the attackers ease of management. Having pointers to a single site offers an aggregation point to monitor and generate statistics for all the exploited users. In addition, attackers can update their portfolio of exploits by just changing a single web page without having to replicate these changes to compromised sites. On the other hand, this can be a weakness for the attackers since the aggregating site or domain can become a single point of failure."

Google are clearly aware of what's going on, but are trying to limit the potential for false positives of sites wrongly flagged as ones serving malware, which is where malicious parties will be innovating in the future, while it still remains questionable why they still haven't done so by obvious means - RBN's directory permissions gone wrong for instance.

The bottom line - cached malware embedded sites are a valuable resource in the arsenal of tools for the security researcher/malware analyst to use, and not necessarily a threat if it's Google's approach of removing the cached copies we're talking about, prior to notifying of the infection. Which leads us to more realistic attack tactic than the one discussed in the article, where an attacker will supposedely embedd malware at different sites, let the search engines crawl and cache it, than remove the sites and wait for the visitors to use the cache, thereby infecting themselves. Case in point - the U.S Consulate's site for instance wasn't even flagged by Google as malware embedded one, which is hopefully the result of their fast crawling capabilities, but the ugly attack tactic I have in mind is not just embedding the IFRAME, but embedding an obfuscated IFRAME that leads to the usual obfuscated exploit URL, which is what happend in the Consulate's case, an obfuscated IFRAME by itself.

Saturday, December 15, 2007

Have Your Malware In a Timely Fashion

Keep your allies close, the human right violators closer. French officials have been receiving lots of criticism by human rights groups regarding Moammar Gadhafi's visit in France, in fact Human Rights Watch issued a press release entitled Al-Qadhafi in France. Despite the logical response in the form of criticism, it's lacking the long-term strategic vision and the proven approach of dealing with crying kids - pay them attention, give them a candy and therefore try to integrate them don't isolate them.

If it were "embedded malware as usual" the wannabes would have started mass mailing links to malware infected sites spreading rumors regarding the visit, like a previous PSYOPS operation on behalf of an unnamed intelligence agency. However, in this case they embedded malware at a French Government's site related to Libya in order to eventually infect all the visitors looking for more information during the visit. That's a social engineering trick taking advantage of the momentum by proactively anticipating the rush of visitors to the site. Another such recent combination of tactics aimed to increase the lifecycle of the malware embedded attack by embedding it at Chinese Internet Security Response Team's site during the China's "Golden Week" holiday.

According to McAfee "Web Site of the French Embassy in Libya Under Attack" :

"The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous."

Let's pick up from where McAfee left in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 (58.65.233.98) loads an IFRAME to fernando123.ws/forum/index.php (88.255.94.114) which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fernando123.ws/forum/load.exe

Detection rate : Result: 9/32 (28.13%)
File size: 43008 bytes
MD5: 8ce2134060b284fa9826d8d7ca119f33
SHA1: 3074f95d6b54fa49079b20876efa0f4722e7fe7d

As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the RBN did in the Bank of India incident definitely monitoring the exposure activities in real-time. However, accessing through a secondary IP retrieves the real IFRAME, namely winhex.org/tds/in.cgi?19 (85.255.120.194) which loads winhex.org/traff/all.php that on the other hand loads kjlksjwflk.com/check/versionl.php?t=577 which is now down, and 208.72.168.176/e-notfound1212/index.php where an obfuscation that's once deobfuscated attempts to load 208.72.168.176/e-notfound1212/load.php

Detection rate : Result: 14/32 (43.75%)
File size: 116244 bytes
MD5: 42dacb9f7dd4beeb7a1718a8d843e000
SHA1: d595dd0e4dcf37b69b48b8932dcf08e9f73623d0

Deja vu - 208.72.168.176 is the "New Media Malware Gang" in action, whose ecosystem clearly indicated connections with the RBN, Possibility Media's malware attack, Bank of India and the Syrian Embassy malware attacks, and Storm Worm which I assessed in numerous previous posts.

All your malware downloaders are belong to us - again and again.

Wednesday, December 12, 2007

Combating Unrestricted Warfare

It's February, 1999, and two senior colonels from China's PLA, namely Qiao Liang and Wang Xiangsui depressed the world's military thinkers by coming up with a study on the future developments and potential of asymmetric warfare in a surprising move next to the overall discussion always orbiting around symmetric warfare. The study itself entitled "Unconventional Warfare" is an ugly combination of Sun Tzu's 3D perspective on warfare in combination with guerilla approaches to achieve one of Sun Tzu's most insightful quotes - "One hundred victories in one hundred battles is not the most skillful. Seizing the enemy without fighting is the most skillful." Here's a summary of the study :

"Two senior PLA Air Force colonels wrote "Unrestricted Warfare", presented here in summary translation, to explore how technology innovation is setting off a revolution in military tactics, strategy and organization. "Unrestricted Warfare" discusses new types of warfare which may be conducted by civilians as well as by soldiers including computer hacker attacks, trade wars and finance wars."

During the years, and especially since 9/11, the tipping point acting as the wake up call that asymmetric warfare is also getting embraced by the bad guys, many other niche research papers were published in the context of information warfare and cyber warfare such as :

Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States

Each of these is a visionary reading by itself, but perhaps it was the need for setting a new milestone into such warfare thinking that prompted the public release of the Unrestricted Warfare Symposium Proceedings Book in 2006 and in 2007. An excerpt from the introduction of the 2006 edition :

"To compensate for their weaker military forces, these actors will employ a multitude of means, both military and nonmilitary, to strike out during times of conflict. The first rule of unrestricted warfare is that there are no rules; no measure is forbidden. It involves multidimensional, asymmetric attacks on almost every aspect of the adversary’s social, economic, and political life. Unrestricted warfare employs surprise and deception and uses both civilian technology and military weapons to break the opponent’s will."

Moreover, the 2007 edition is covering in-depth such popular asymmetric threats posed by jihadists (pages 135/143) debunking the use of WMD as a priority, and the cyber dimension (pages 251/297) with some remarkable analogies post Cold-War strategies applied to modern digital threats :

"Technology alone is never going to solve the IA problem. We have no informed national defensive strategy in this area. The situation is starting to change and improve, in large part because visionaries like General Cartwright are in key slots. But we do not have a lot of time. The intelligence community is not sufficiently engaged in conducting, analyzing, and reporting those issues. During the Cold War, we analyzed Soviet capabilities exhaustively. We did everything possible to understand our adversary and manage that gap. We need to do the same thing today. The bottom line is that it is dangerous to underestimate the capabilities of our adversaries. They do whatever it takes to win. Good adversaries know our strengths and weaknesses. They develop surprising partners that sometimes do not even know they are partners—they will give someone an honorarium to talk at a conference and ask that person for information on associates. They play by a different set of rules. They see offense as a systems problem, while our defense is fragmented."

All of these reports and Ebooks are highly recomended bedtime reading, and so is the last but not least one, namely "Victory in Cyberspace" released October, 2007. Besides generalizing cyberspace war activities, it includes a comprehensive summary of the events that took place in Estonia during the DDoS attacks.

Phishing Metamorphosis in 2007 - Trends and Developments

WindowSecurity.com have just published my second article entitled "Phishing Metamorphosis in 2007 - Trends and Developments" :
"During 2007, phishers demonstrated for yet another consecutive year their persistence and creativity on their way to socially engineer as many people online as possible, into believing they are who they pretend to be. Why did phishers embrace economies of scale during 2007, what factors contributed to the constantly shrinking period of time it takes for the phishers to come up with a fake email, and how come that despite all the public awareness put into the problem, people still fall victim to phishing scams? This article aims to provide an overview of the key factors that contributed to the growth and evolution of phishing during the year."

An article, which you'll definitely find as informative as the first one from last month related to "Popular Spammers Strategies and Tactics".

Tuesday, December 11, 2007

Update on the MySpace Phishing Campaign

It seems that the parties behind the Large Scale MySpace Phishing Attack which I covered in a previous post, have recently changed the main login redirector from 319303.cn/login.php to z8atr.cn/login.php, and the attached z8atr.cn's fast-flux can be greatly compared to that of Storm Worm's fast-flux networks in terms of its size. The updated campaign is also taking advantage of the following DNS servers :

Name Server: ns1.4980603.com
Name Server: ns2.4980603.com
Name Server: ns3.4980603.com
Name Server: ns4.4980603.com

Here's more coverage courtesy of the ISC assessing a previous state of the campaign in the form of different domain names used :

"Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include: Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were observed redirecting browsers. The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network."

The fast-flux, the javascript obfuscation, and the process of serving malware still remain the same, so they're basically doing what looks like maintenance of the fast-flux.

Monday, December 10, 2007

Inside the Chinese Underground Economy

Here's a very detailed, and recently released event-study on Malicious Websites and Underground Economy on the Chinese Web, and this is how they assessed the high activity at the underground related forums :

"Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar with IRC (In-ternet Relay Chat). They typically use bulletin board systems on the Web or IM software like QQ tocommunicate with each other. Orthogonal to a study on the underground black market located within IRC networks, we measure the Chinese-specific underground black market on the Web. We focus onthe most important part located at post.baidu.com, the largest bulletin board community in China. We crawled the portal and stored all posts and replies posted on some certain post bars which are all dedicated for the underground black market on this particular website. The post bars we examined include Traffic bar, Trojans bar, Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans inChinese), Box bar, Huigezi bar, Trojanized websites bar, and Envelopes bar."

What's the big picture on the Chinese IT Underground anyway? It's a very curious perspective next to China's economy self-awareness from a supplier of the parts that make up the products, to the independent manufacturer of them in real life. In cyberspace, the people driving the Chinese Underground tend to borrow malicious know-how from their Russian colleagues by localizing the most popular web malware exploitation kits such as Mpack and IcePack to Chinese, as well as benefiting from the proven capabilities of an open source DDoS-centered malware by also localizing it to Chinese and porting it to a Web interface. And so once they've localized the most effective attack approaches by making them even easier to use, the start adding new features and functionalities in between coming up with unique tools by themselves.

The bottom line - China's IT Underground is indirectly monitored and controlled by China's Communist Party, with the big thinkers realizing the potential for asymmetric warfare dominance as the foundation for economic espionage, and the largest cyberwarriors buildup in the face of people's information warfare armies driven by collectivism sentiments.

Here's a very interesting article detailing some of perspectives of the China Eagle Union, the Hacker Union of China, and the Red Hacker's Alliance :

"The Chinese red hackers have their own organizations and websites, such as the Hacker Union of China (www.cnhonker.com/), the China Eagle Union (www.chinaeagle.org/), and the Red Hacker's Alliance (www.redhacker.org). The Hacker Union of China (HUC) was founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 80,000 registered members at its peak, and reportedly has 20,000 members after regrouping in April 2005."

Phishers, Spammers, and Malware Authors Clearly Consolidating

In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized on the consolidation that's been going on between phishers, spammers and malware authors for a while :

"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely, harvesting of the emails courtesy of the spammers, segmenting the emails database for targeted mailings on a per company, institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks with the spammers earning a higher profit margin for providing the service of segmentation :

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there're articles emphasizing on the concept of stepping-stones before reaching the final destination, with China's highly malware infected Internet population acting as the stepping-stone, not the original source of the attack :

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly obtainable research, and common sense state that malware coming through email attachments is slowing down, and is actually supposed to be filtered on the gateway perimeter by default, especially executables. Even the first round of Storm Worm malware in January, 2007, concluded that email attachments are not longer as effective as they used to be, and therefore migrated to spamming malware embedded links exploiting outdated vulnerabilities.

How such type of targeted malware attack could have been prevented?

- ensure that the emails are harvested much harder than they are for the time being, in this particular case, a huge percentage of the emails account, thus the future contact points for the malicious parties to take advantage of ornl.gov can be harvested without even bothering to crawl the domain itself through web scrapping ornl.gov

- a freely avaivable, but highly effective tool to evaluate whether or not your mail server filtering capabilities for such type of content work, is PIRANA - Email Content Filters Exploitation Framework :

"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Taking the second possible scenario, namely that it wasn't a targeted attack, but malware attachments "as usual", mostly because the fact that modern malware automatically excludes mailings to .gov's .mil's and the majority of known to them anti-virus vendor's related email addresses, hoping to infect as much people as possible before a reactive response is in place.

If it were a spammed malware embedded link, the chances are the receipts followed it, but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and it's rocket scientists we're talking about anyway.

The Shark Malware - New Version's Coming

Remember Shark, the DIY malware pitched as a Remote Administration Tool (RAT), whose publicity among script kiddies, and the press given the easy with which an undetected malware can be build with it, prompted the author behind the project to publicly announce that he's shutting down work on the RAT? However, as it looks like, the project is still under development, and the author's recent announcement of the upcoming version of Shark3 further confirms that the shut down announcement was valid by the time the publicity started to fade away. Here're some screenshots of what's to come in the new version :

Shark3 Window's Info











Shark3 Keylogger







Previous versions included features not so popular among RATs by default such as, built-in VirusTotal submission, process injection, and with the new version promoted to have a built-in rootkit capabilities, next to its Vista compatibility, let's ask the ultimate question - is it a RAT, or is it a malware? That's the rhetorical question.

Friday, December 07, 2007

A Diverse Portfolio of Fake Security Software

The recently exposed RBN's fake security software was literally just the tip of the iceberg in this ongoing practice of distributing spyware and malware under the shadow of software that's positioned as anti-spyware and anti-malware one. The domain farm of fake security software which I'll assess in this post is worth discussing due to the size of its portfolio, how they've spread the scammy ecosystem on different networks, as well as the directory structure they take advantage of, one whose predictability makes it faily easy to efficiency obtain all the fake applications. This particular case is also a great example of the typical for a Rock Phish kit efficiency vs quality trade off, namely, all the binaries dispersed through the different domains are actually hosted on a single IP, and are identical.

Who's hosting the malware and what directory structure per campaign do they use?

It seems as content.onerateld.com (87.248.197.26) which is hosted at Limelight Networks is used in all the domains as the central download location. The directory structure is as follows :

content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe
content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe

Therefore, if you have secureyourpc.com the directory structure would be /SecureYourPC.com/SecureYourPC/install_en.exe

Sample domains portfolio of digitally alike samples of each of these :

antivirusfiable.com
antivirusmagique.com
bastioneantivirus.com
gubbishremover.com
pchealthkeeper.com
securepccleaner.com
storageprotector.com
trustedprotection.com
yourprivacyguard.com

DNS servers further expanding the domains portfolio :

ns1.bestsellerantivirus.com
ns2.bestsellerantivirus.com
ns3.bestsellerantivirus.com
ns4.bestsellerantivirus.com
ns1.onerateld.com
ns2.onerateld.com

Main portfolio domain farm IPs :

- 87.117.252.11
- 85.12.60.22
- 85.12.60.11
- 85.12.60.30

Laziness on behalf of the malicious parties in this campaign, leads to better detection rate, thus, they didn't hedge the risks of having their releases detected by diversifying not just the domains portfolio, but the actual binaries themselves.

Wednesday, December 05, 2007

MDAC ActiveX Code Execution Exploit Still in the Wild

Who needs zero day vulnerabilities when the average end user is still living in the perimeter defense world and believes that security means having a firewall and an anti virus software running only? Now that's of course a rhetoric question given how modern malware is either blocking the update process of these applications, or shutting them down almost by default these days.

The following URLs are currently active and exploiting CVE-2006-0003, and despite that it was patched in 11 April, 2006, the last quarter of 2007 showcased the malware authors simplistic assumption that outdated but unpatched vulnerabilities can be just as effective as zero day ones, and when the assumption proved to be true -- take Storm Worm's use of outdated vulnerabilities as the best and most effective example -- it automatically lowered the entry barriers into the world of malware, breaking through the myth that it's zero day vulnerabilities acting as they key success factors for a malware embedded attack on a large scale :

dgst.cgs.gov.cn/docc/index.htm
dhyjagri.gov.cn/program/images/img/New/index.htm
sell.c2bsales.com/look.htm
nesoy.com/svcdir/index.htm
qyxjxx.com/admin/inc/index.htm
xi530.com
jzkj.icp365.cn/index.htm
52fans.net
218.84.59.218/img/c/
918a.com.cn/123/index.htm
flch.net/img/img/liqiuf.htm
jiashiyin.com/qq/index.htm
flymir2.com/liouliang/mama/index.htm
22229682.com/pop/20.htm
heitianshi.cn/love/index.htm
jm.xiliao.cc/windows/vip.htm
90to.com/qq/index.htm
cmctn.com
jcqing.com/mm/index.htm
chinesefreewebs.com/admin88/2.htm

These are all courtesy of what looks like Chinese folks, and represent a good example of what malicious economies of scale are as a concept that emerged during 2007. Years ago, when a vulnerability was found and exploit released, malicious parties were quickly taking advantage of the "window of opportunity" following the myth that the more publicity the vulnerability receives, the more useless it will get, given more people will patch. That's such a wishful thinking, one the people behind Storm Worm apparently perceived as FUD-ish one, and by not following it, ended up with operating the largest botnet known for the time being - a botnet that was built on the foundations of outdated vulnerabilities pushed through emails, using sites as the infection vector , and not a single zero day one.

How are risks hedged? Risks are hedged by following the simple diversification principle, which from a malicious perspective means increasing the probability for success. By using a single exploit URLs like the MDAC in this case, the chances for success are much lower compared to diversification of the "exploits set", a daily reality these days thanks to the emerging malicious economies of scale mentality in the form of web exploitation kits such as MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker as the most popular ones.

Here's a related article - "Zero-Day Exploits on The Decline" :

"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians. For example, he said, the Storm worm propagates itself though users clicking on an e-mail link, and does not require a zero-day exploit to function. "When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."

So, how did the people behind Storm Worm ended up with the world's largest botnet? They simply didn't believe in the effectiveness of populist generalizations of security in the form of patching, and abused the miscommunication between the industry that's still preaching perimeter defense is the panacea of security, and the end user, the one whose Internet connectivity results in all the spam, phishing and malware we're all receiving, by stopping to target what the solutions protect from, and migrating to niche attack approaches to use as infection vectors - today's client side vulnerabilities courtesy of a malware exploitation kit that were found embedded on the majority of infected web sites incidents I've been assessing for the last couple of months.

Monday, December 03, 2007

Censoring Web 2.0 - The Access Denied Map

Remember the World's Internet Censorship Map? This is a niche version of it that's "mapping the online censorship and anti-censorship efforts related to the Web 2.0". Compared to, for instance, Irrepressible, whose idea is to take advantage of the long-tail of anti-censorship by allowing everyone to embedd a badge that's spreading censored content, the Global Voices Advocacy "seeks to build a global anti-censorship network of bloggers and online activists dedicated to protecting freedom of expression and free access to information online." and aims to act as a vehicle to communicate the censored information to the rest of the world, a far more pragmatic approach than having the censored bloggers figure out how to post the facts online - they'll simply forward them to the GVA.

And just as important it is to take advantage of the wisdom of crowds, whose collective intelligence can in fact act as an early warning system, it's also important to educate those who cannot freely express their opinion on the process of expressing it

Thursday, November 29, 2007

Malware Serving Online Casinos

Don't play poker on an infected table part two. The following three online casinos are currently serving embedded malware in the form of IFRAMES and the average javascript obfuscation.

The first one is poker.gagnantscasino.com (213.186.33.4) with current obfuscation loading statistics-gdf.cn/ad/index.php (116.0.103.133) where another obfuscation loads, deobfuscated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around with the host for too long results in zero malicious activity, at least they make you think so. Here's another internal URL statistics-gdf.cn/ad/index.php?com

Detection rate : Result: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb

Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.

The second casino is fabispalmscasino.com (82.165.121.138) with current obfuscation attempting to connect to the now down stat1count.net/strong, a host residing on a netblock I covered before showcasing a scammy ecosystem. The third one is sypercasino.com which was resolving to 203.117.111.102 early this week, and taking advantage of WebAttacker at sypercasino.com/biling/index.php. Now it resolves to 58.65.236.10 and promotes banner.casino.com/cgi-bin/SetupCasino.exe

Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851

It's interesting to monitor how people behind these manually change the obfuscations to further expand their connections with other scammers, or services and attack approaches they use, and even more interesting to see it happen on-the-fly just like meds247.org for instance.

Don't play poker on an infected table.