Friday, August 31, 2007

Bank of India Serving Malware

Ryan at ZDNet's Security blog is reporting on the breached site of Bank of India, which, at the time of writing, is still serving malware to its current and potential customers through the infamous Russian Business Network (81.95.144.0 - 81.95.147.255).

At the bank's URL there's a link pointing to goodtraff.biz (58.65.239.66), where an IFRAME loads 81.95.144.148/in.cgi?10; accessing it returns a response from 81.95.144.146 carrying the usual JavaScript obfuscation, which leads to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php. A second IFRAME leads to x-traffic.biz/ts/in.cgi?user0224 (a Russian adult traffic network), which redirects to mymoonsite.net/check/version.php?t=167 (81.95.148.13), and a third one loads goodtraff.biz/tds/index.php (empty). What does it mean? It means the Russian Business Network has not just managed to inject its presence into Bank of India's site, but is also using multiple IFRAMEs as an attack vector, thus creating a fast-flux network with multiple campaigns within it, which I'll assess in this post.

Apparently, Trend Micro's been busy uncovering the n404 exploit kit, which is also used in this campaign aimed at the Bank of India. Is this a newly developed attack kit, or a modification of another popular one? Further attack clues definitely indicate the second, namely that it's a modification. This kit returns a 404 error page, and the obfuscated JavaScript is embedded within that 404 body, so we have a fast-flux oriented kit aiming to diversify and include as many infected nodes in the attack process as possible, to improve its chances of infecting the host while the campaign remains intact. The malicious URL structure is again static, just like Storm Worm's, and follows the format n404-(number from 1 to 9).htm, where each page contains a different piece of malware.

Several more n404 exploit kit campaigns are currently active at the following URLs :

msiesettings.com - 81.95.148.14
winmplayer.com
smoothdns.net - 81.95.148.12
protriochki.com - 81.95.148.14
susliksuka.com - 81.95.148.12
uspocketpc.com - 81.95.148.13

The exact campaign URLs :

- mymoonsite.net/check/versionml.php?t=141
mymoonsite.net/check/version.php?t=15
mymoonsite.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- uspocketpc.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s75.msiesettings.com/check/versionst.php?t=75
s75.msiesettings.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s99.winmplayer.com/check/n404-1.php
n404-(number from 1 to 9).htm

- smoothdns.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- protriochki.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- susliksuka.com/check/n404-1.htm
n404-(number from 1 to 9).htm

What makes an impression is that it relies on as many malware infections as possible: visiting a central campaign site such as mymoonsite.net/check/version.php?t=158 results in all the n404 malicious pages within the domain getting automatically loaded via IFRAMEs, and, as you've probably guessed, they all contain different types of malware. Although JavaScript obfuscation is often used to hide the real location of the exploit or binary, in this campaign each n404-1.htm obtained from the different domains has the same checksum, so the files on the different domains are identical, at least so far :

File size: 10636 bytes
MD5: 45594ef52a9f53f2140d4797826156ff
SHA1: 7c4f7d183dfaf39410902a629b13ae5112b847f0

AntiVir 2007.08.31 HTML/Crypted.Gen
eSafe 2007.08.29 JS.Agent.ke
Fortinet 2007.08.31 HTML/Heuri.BIU!tr.dldr
F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no
Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no
Webwasher-Gateway 2007.08.31 Script.Crypted.Gen

A great example of a fast-flux network with way too many infected hosts participating in the attack, and although some of them seem to be down, the attack is still fully operational in typical fast-flux style.
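The two checks a practitioner would want to automate from the above are (a) following the IFRAMEs that a central version.php page loads, and (b) confirming that the n404-N.htm pages served by the different domains really are byte-for-byte identical by comparing their hashes. The following is an added example written for this post, not code from the original page or from the n404 kit; the page bodies are constructed stand-ins held in an in-memory site map (SAMPLE_SITE) so it runs offline, and the fetch() helper is a hypothetical replacement for a real HTTP fetch that would also have to keep the 404 status code.

```python
import hashlib
import re
from urllib.parse import urljoin

# Constructed stand-in for the live sites (not real content): a central
# "version.php" page whose hidden IFRAMEs pull the n404-*.htm pages, which
# in turn carry the obfuscated script inside what is served as a 404 body.
OBFUSCATED_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<script>var a=unescape('%75%6E...');eval(a);</script></body></html>"
)
SAMPLE_SITE = {
    "http://mymoonsite.net/check/version.php?t=158":
        "<html><body>"
        '<iframe src="/check/n404-1.htm" width="0" height="0"></iframe>'
        '<iframe src="n404-2.htm" style="display:none"></iframe>'
        "</body></html>",
    "http://mymoonsite.net/check/n404-1.htm": OBFUSCATED_404,
    "http://mymoonsite.net/check/n404-2.htm": OBFUSCATED_404 + "<!-- v2 -->",
    "http://uspocketpc.com/check/n404-1.htm": OBFUSCATED_404,
    "http://smoothdns.net/check/n404-1.htm": OBFUSCATED_404,
}

IFRAME_SRC = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def fetch(url):
    """Hypothetical offline fetcher over the constructed site map. A real
    one would use urllib and keep the HTTP status too, since n404 serves
    its script inside a 404 response."""
    return SAMPLE_SITE.get(url, "")


def iframe_targets(url):
    """Return the absolute URLs of every IFRAME embedded in a page,
    resolving relative src values against the page's own URL."""
    body = fetch(url)
    return [urljoin(url, src) for src in IFRAME_SRC.findall(body)]


def n404_urls(domain, start=1, end=9):
    """Enumerate the static n404-<1..9>.htm layout described in the post."""
    return [f"http://{domain}/check/n404-{i}.htm" for i in range(start, end + 1)]


def fingerprint(body):
    """(size, md5, sha1) of a page body, matching the triple the post lists."""
    data = body.encode()
    return (len(data), hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())


def group_by_hash(urls):
    """Map each fingerprint to the URLs serving exactly that body; URLs that
    return nothing (down or never existed) are skipped."""
    groups = {}
    for url in urls:
        body = fetch(url)
        if body:
            groups.setdefault(fingerprint(body), []).append(url)
    return groups


if __name__ == "__main__":
    central = "http://mymoonsite.net/check/version.php?t=158"
    print("IFRAMEs loaded by", central)
    for target in iframe_targets(central):
        print("  ", target)
    candidates = []
    for domain in ("mymoonsite.net", "uspocketpc.com", "smoothdns.net"):
        candidates += n404_urls(domain)
    for fp, urls in group_by_hash(candidates).items():
        print(f"size={fp[0]} md5={fp[1]} served by {len(urls)} URL(s):", *urls)
```

Grouping by the full (size, MD5, SHA1) triple rather than by MD5 alone costs nothing and avoids relying on a single hash when comparing copies pulled from several hosts.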

UPDATE: F-Secure's and McAfee's comments on the case, as well as two related posts - Bank of India’s Website has been Compromised by Trojan downloader; Bank of India Official Web Site Unsafe at the Moment.

UPDATE 2:
Several hours after the Bank of India got rid of the IFRAME on its homepage, the main URL for this malware campaign (81.95.144.148/in.cgi?10) dropped the JavaScript obfuscation and is now forwarding to Google.com.

"We have taken up the matter with our technology-partner and all necessary action will be taken to rectify the matter. In my view, the users will not be faced with any major problems,” said BoI general manager PA Kalyansundar. “However, we are not completely sure that an attack actually happened,” he clarified."

Here's another article from The Register mentioning the three key points related to the campaign: the Russian Business Network, the n404 exploit kit (which is definitely a modification of the popular ones currently in the wild), and the use of fast-flux networks. And this is what happened when an Indian tried to reach the local cybercrime unit.

Malware as a Web Service

Popular malware tools such as binders and downloaders usually come in typical software application form. Moreover, when I talk about malware services I mean crypting, packing and lowering the detection rate on demand, whereas in this case we have DIY malware as a web service. Whether this is a trend to come or a fad that will disappear, only time will show, but the possibilities of porting popular malware tools into web service form are quite disturbing.

In the first example we have a malware downloader as a web service with various options, such as a custom port and IP to obtain the payload from, as well as the ability to modify how the payload is extracted and executed. Combined with the option to choose a packer, to decide whether or not the downloader melts (deletes itself) after delivering the payload, and to choose from a set of predefined icons or supply a custom one, this makes the service an interesting one to monitor.

A sample of the first service :

Result: 5/32 (15.63%)
BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DF1F
eSafe 2007.08.29 suspicious Trojan/Worm
NOD32v2 2007.08.30 probably unknown NewHeur_PE virus
Sophos 2007.08.30 Mal/Heuri-D
Webwasher-Gateway 2007.08.30 Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious)

File size: 11776 bytes
MD5: e9df373f1561bed2a2899707869a7a44
SHA1: 295c6702cb19f6b20720057d61d940921602a0cd

In the second example, we have a malware binder as a web service with pretty much identical features to the first example. If traders of malware services such as the above-mentioned crypting, packing and lowering of detection rates start embracing Web 2.0 in the process of efficiently constructing malware, or providing their customers with a DIY experience by constantly keeping their "web dashboard" up to date with new services and features, it can get very ugly. So, let's hope it's just a fad.

Thursday, August 30, 2007

Massive Online Games Malware Attack

Despite Storm Worm's worldwide media coverage, there are many other malware campaigns currently active in the wild, again exploiting outdated browser vulnerabilities, such as this one aiming to steal passwords for MMORPGs. The folks at the SANS ISC recently assessed yet another malicious URL, following a lead from the recently breached site of Leuven, a city in Belgium. Apparently, the Chinese domain, which exploits an already patched vulnerability, has been embedded within many other sites as well. MMORPG password-stealing malware is nothing new, especially in Asia, where online games dominate the vast majority of Internet activity for local netizens. Creative typosquatting domain scams are still filling the different domain niches left at the phishers' disposal.

VBS/Psyme.CB detection rate :
Result: 10/32 (31.25%)
File size: 9857 bytes
MD5: 2a5eff5381cec4a7d5478b989aeb2ada
SHA1: e08cdb74965c31b70ab24d82761b652035283a87

Trojan-PSW.Win32.WOW.sp detection rate :
Result: 19/32 (59.38%)
File size: 52170 bytes
MD5: f37a18d2e991ef5cd7ea7a4dfcb6e3f5
SHA1: c1cbee89ba1033b8e739067eab086f70b476c5aa

What's also worth mentioning is that the campaign uses a built-in, freely available hit counter, whereas typical campaigns tend to use malware kits for C&C and detailed statistics on the infected population.

Wednesday, August 29, 2007

Storm Worm's use of Dropped Domains

Bleedingthreats.org's daily updated Rules to block Storm worm DNS and C&C keep growing at a significant speed, and with the group behind Storm Worm constantly changing its social engineering tactics (while continuing to exploit already patched vulnerabilities in case the user doesn't self-infect), anti virus vendors are literally cranking out new signatures for yet another Storm Worm variant. Reactive response is a daily reality; however, proactive response, such as making sure your customers cannot have their browsers automatically exploited even if they follow Storm Worm's IP links, is far more pragmatic, and the results can be easily evaluated while the mass mailing campaign is still active online. Here's an interesting list, especially given that pretty much all of these domains were purchased as "dropped" ones, and are again part of the BYDLOSHKA campaign with its static domain.com/ind.php structure :

tushove.com; tibeam.com; kqfloat.com; snbane.com; yxbegan.com; snlilac.com; qavoter.com; ptowl.com; wxtaste.com; eqcorn.com; ltbrew.com; bnably.com; fncarp.com

The obfuscated JavaScript exploiting the browser vulnerabilities still includes offensive language aimed at an anti virus vendor. Moreover, if you remember, the second Storm Worm wave had a very creative feature, namely automatically injecting a malicious URL into a forum or blog post right after the infected party had authenticated, so that the malware didn't have to figure out how to bypass the authentication. As it looks, the current campaign has also hit Blogger and many other forums as well.

DIY Phishing Kits

In times when socially oriented bureaucrats are prompting such popular projects as KisMAC and the Default Password List to seek hosting in a foreign country, the German scene seems to be very active, with yet another DIY phishing kit released in the wild, which I'll discuss in this post, following the first, rather primitive one I came across a while ago. As we've seen with a previous phishing kit, and with the infamous Rock Phish, malicious economies of scale, in terms of efficiently generating fake pages that forward the captured data to a central logging location, are the second most important goal of this trend. What's the first? It's noise generation, contrary to the common wisdom that such tools are supposed to be exclusive and private. Talking about the economics of phishing, with scam pages already a commodity at the phishers' disposal, fast-flux hosting of the pages and maintaining their "online lifetime", thus playing a cat and mouse game with the researchers and vendors shutting them down, is perhaps the next stage in the development of the phishing ecosystem.

File size: 5844992 bytes
MD5: ae3a3cbb873c69843455c46ad6e62f40
SHA1: 7606b3cccbb3cccb95bbe32b688e350d42aeffc5

Related posts:
Pharming Attacks Through DNS Cache Poisoning
DIY Pharming Tools

Tuesday, August 28, 2007

The Economics of Phishing

Years ago, phishing used to be like fishing, at least in respect to the preparation and the patience required for the fisherman to catch something. Nowadays, phishing is like fishing with dynamite: very effective and entirely efficiency-centered. After discussing the economics of spamming (within that post's comments), I emphasized the fact that both the underground economy's supply of goods and the phishing ecosystem are entirely based on cooperation among spammers, phishers and malware authors, and so is the rise of the DIY phishing kits. I recently came across a very good analysis conducted by Cloudmark, with a huge sample of phishing emails to draw conclusions from. The Economy of Phishing - A Survey of the Operations of the Phishing Market :

"We have conducted extensive research to uncover phishing networks. The result is detailed analysis from 3,900,000 phishing e–mails, 220,000 messages collected from 13 key phishing–related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat networks and 4,400 compromised hosts used in botnets."

The research once again demonstrates the diversity of phishing techniques used, and covers the following segments: webservers used in phishing attacks; institutions by advertising rate; institutions by report rate; and, perhaps the most interesting part, an IRC visualization of the underground social networks used for trading stolen digital goods.

Furthermore, it's great to note that it's not just vendors actively researching the average time a phishing site remains online, but also third-party researchers such as Richard Clayton and Tyler Moore at the Computer Laboratory, University of Cambridge, with some recently released research notes. It's one thing to consider the daily reality of malware and phishing pages hosted on infected home users' PCs, another to see malicious parties offering fast-flux networks on demand while vendors are figuring out how to shut down the pages in time, but totally out of the blue to see such a party (the always-on malicious service is ironically down) offering phishing hosting and spam sending in between child porn and zoophilia hosting.

Sunday, August 26, 2007

Your Point of View - Requested!

Question : What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view?

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on nationalist sentiments, so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the affected Russia could be behind the attacks

- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Voting link - your opinion is greatly appreciated.

Stats courtesy of Arbor Networks' ATLAS, among the several early warning security event systems publicly available online.

Saturday, August 25, 2007

DIY Pharming Tools

In a previous post I discussed pharming from the perspective of abusing a DNS server and starting a wide-scale pharming attack. However, it's also vital to discuss the second perspective, namely malware-infected PCs whose hosts files can be abused to facilitate, for instance, a MITM phishing attack. Consider the following DIY pharming tool, which basically allows a list of the IPs of anti virus software update locations to be added, and consequently blocked, as well as completely taking control over the infected user's perception of where exactly she is online. The second version lacks the "add a list" feature and is entirely phishing-attack centered. Just as lists of process names and files for every anti virus product have been used by malware to shut the software down, the online update locations for multiple AVs are also easily obtainable, a topic I covered in a previous post.

Panda 2007.08.25 Suspicious file
Prevx1 2007.08.25 Generic.Malware
File size: 623616 bytes
MD5: 4ab0d055bee708dd0046af0b8800594a
SHA1: 41b93e16127964b89bb9e34af8d12411323e631f
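The hosts file manipulation described above leaves a footprint that is cheap to audit: a watched hostname mapped to a loopback or unspecified address has been blackholed (the AV update scenario), and one mapped to any other address has been redirected (the pharming scenario). The following is an added example for this post, not code from the original page or from the pharming tool; the watch-list (WATCHED) and the hosts file contents (SAMPLE_HOSTS) are constructed for the example and use example hostnames rather than any real vendor's update servers.

```python
from ipaddress import ip_address

# Hostnames whose resolution must never come from the local hosts file:
# constructed watch-list for the example, not the tool's actual target list.
WATCHED = {
    "update.antivirus.example", "liveupdate.example.net",
    "onlinebanking.example.com",
}

# Constructed hosts file: the first entries are normal, the rest are what a
# pharming tool leaves behind (AV updates blackholed, a bank redirected).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.antivirus.example      # blackholed: updates fail silently
127.0.0.1       liveupdate.example.net
81.95.144.146   onlinebanking.example.com     # redirected to attacker-controlled host
10.1.2.3        intranet.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.
    One address line may carry several hostnames; each is yielded separately."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def audit_hosts(text, watched=WATCHED):
    """Return (hostname, address, verdict) for every watched hostname that the
    hosts file overrides. Loopback/unspecified means blackholed; anything else
    means the name resolves wherever the file says, i.e. the user is pharmed."""
    findings = []
    for ip_str, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            ip = ip_address(ip_str)
        except ValueError:
            findings.append((name, ip_str, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((name, ip_str, "blackholed"))
        else:
            findings.append((name, ip_str, "redirected"))
    return findings


if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:12} {name} -> {ip}")
```

On a real system the check is only as good as the watch-list, and a hosts-file audit catches this particular tool's technique, not a malicious DNS resolver setting or a pharmed upstream server, which need their own checks.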

An old friend recently approached me asking for my opinion on man-in-the-middle phishing attacks, and whether or not I'm aware of any DIY tools with such functionality. At the same time, PandaSecurity released a very good screenshot of a feature within a botnet's C&C interface, worth seeing for yourself too. Although the current "push" phishing model seems to be fully working, and keylogging has started evolving into "form grabbing", I think MITM phishing attacks will remain at the bottom of the attack model for the pragmatic and efficiency-centered phisher, who would otherwise have to either build a botnet on her own, or request access to one on demand.

Friday, August 24, 2007

Distributed WiFi Scanning Through Malware

Distributed computing through malware, OSINT through botnets, distributed password cracking and distributed malicious economies of scale are all fully realistic nowadays. And so is a plugin for a popular RAT which scans for open WiFi networks, based on an article released by the infamous 29a group :

"This plugin enables you to scan for available nearby WLANs. The bins (wifiC.dll and wifiS.dll) have been packed with UPX 3.00w. Place them in the \Plugin\ folder or load wifiC.dll manually to use the plugin."

Perhaps this is the perfect moment to comment on an email from Maureen Vilar, a moderator for the ClimatePrediction project at BOINC, who contacted me regarding my blog post on distributed computing through malware and described the incident in detail :

"The 5000+ computers attached to Wate's account were very different in profile from a normal DC farm and easily identified as abnormal. Attached computers are now being looked at by members much more critically. It now appears that the trojan that attached the computers to Wate's account and thus to boinc projects was probably bundled with P2P downloads. The owners of the 5000+ computers must not have scanned these P2P downloads, and many of them must have failed to investigate why their computers were probably running slowly at 100% CPU, or in the case of laptops why they were in some cases doubtless overheating or the batteries running down. They must also have failed to check which programs were installed, even though many of the affected computers cannot have been running normally for everyday use. Imagine that many of these computers did not have an active or up-to-date firewall, or that firewall warnings were ignored. These were all basic security failures on the part of the owners of these 5000+ computers, some of which were powerful machines. The developers of legitimate software unfortunately cannot ensure that all computer owners worldwide implement basic security measures. The problem of Wate's account was first discovered by boinc team crunchers in Italy who took speedy action to inform the boinc development team in Berkeley. They in turn took rapid action to inform the administrators of the affected boinc projects. The Wate accounts on all the affected projects were disabled. Because boinc projects run a competitive credits system, it is in the interests of members to ensure that no-one is able to compete dishonestly."

To sum up: BOINC's servers weren't breached, and malware wasn't "pushed" onto the participants' hosts through BOINC's client; instead, BOINC's client was "pulled" by the already infected PCs, so they started participating in ClimatePrediction. And obviously, the project has anomaly detection practices ensuring such incidents get easily detected.

Detection rates for the WiFi plugin :

wifiC.dll
AVG 2007.08.23 BackDoor.PoisonIvy.B
Ikarus 2007.08.23 Trojan-Downloader.Win32.QQHelper.vn
Webwasher-Gateway 2007.08.23 Win32.UPXpacked.gen!94 (suspicious)

File size: 198144 bytes
MD5: 15cbfa1ed47e45f30be0eb0dcd1ec5e3
SHA1: bdd9994a20b4ae753951c09506ae0e2db59f63e2

wifiS.dll
AntiVir 2007.08.23 BDS/BlackH.2005.A.1
AVG 2007.08.23 BackDoor.PoisonIvy.B
Panda 2007.08.23 Suspicious file
Webwasher-Gateway 2007.08.23 Trojan.BlackH.2005.A.1

File size: 10240 bytes
MD5: 11aa54103e7311ad23b4e60292dc9e82
SHA1: 59e7f0aaa8305ad0c5c830c16b531d1e2ab641b4

Consider the following scenarios :

- malware-infected PCs opening a WiFi connection, in port-knocking fashion, to the wireless botnet master only
- no need for wardriving, as malware authors could quickly map the entire vulnerable WiFi population around a given region, in an age when malware already geolocates IPs using commercial services
- once a PC inside an organization gets infected, it can automatically turn into a wardriving zombie exposing the vulnerable WiFi networks within
- Bluetooth scanning plugins would expose even more vulnerable Bluetooth-enabled devices within range of the infected host

GIMF - "We Will Remain"

After having both of its blogs shut down, the Global Islamic Media Front issued a modest statement, "Global Islamic Media Front: We were and will remain". But of course, in banner form only. Here are two more GIMF-related URLs, a layout in progress and a propaganda Flash animation, as well as an article related to the Middle East Media Research Institute (MEMRI).

Wednesday, August 22, 2007

The Nuclear Malware Kit

Web based C&C malware kits are already a commodity, and with the source code of MPack and IcePack freely available in the wild, modifications of the kits with far more advanced features will sooner or later get released. But what is prompting the botnet masters' interest in a web interface to their fast-flux networks, and in in-depth statistics on the infected hosts? It's a results-oriented mindset, and the core objective of achieving malicious economies of scale. What does this mean from a psychological point of view? It means that even before launching a mass-spreading attack they've already anticipated its success, so that more effort goes into assessing which campaigns are the most effective, which countries are prone to malware infections, and which specific browser vulnerabilities work, in order to tailor even more successful attacks in the future. Looking at screenshots of stats like these, you realize that browser and client-side vulnerabilities are the infection vector of choice, especially the unpatched ones: in the last wide-scale IFRAME attacks we've seen over the past six months, all the malware kits were using outdated browser vulnerabilities, and despite that achieved enormous success.

More screenshots of a previous version of the Nuclear Malware Kit - yet another web based C&C available for sale :
- Infections per browser
- Infections per OS
- Infections per country
Related posts:
The Black Sun Bot - web based malware
The Cyber Bot - web based malware
Malware Embedded Sites Increasing
Botnet Communication Platforms
OSINT Through Botnets
Corporate Espionage Through Botnets

Excuse Us for Our Insecurities

This Security Public Relations Excuse Bingo is very entertaining as it objectively provides random excuses that security vendors and public companies often use, when not addressing a security issue concerning them, and consequently their customers. You may also find Matasano's Kübler-Ross Model Of Vulnerability Management informative.

Tuesday, August 21, 2007

Offensive Storm Worm Obfuscation

Malware authors, often pissed off at the detection rates of their malware releases, tend to include offensive comments or messages against anti virus vendors within the malware's code. At this Storm Worm URL we see an offensive function name within the obfuscated exploit, aimed at Kaspersky.

The recent Storm Worm campaign may indeed look like a huge security threat given the millions of emails sent; however, I feel more awareness should be built around the fact that the malware has slightly adapted, and is using browser vulnerabilities (client-side ones) to automatically push the binary onto the host, as opposed to the urban legend of simply not opening email attachments from unknown parties. The current Storm Worm's main benefit in terms of efficiency is the client-side vulnerabilities exploited at each and every malicious IP, and its main weakness is the pattern-based nature of the binaries hosted at those IPs, such as maliciousIP/file.php and maliciousIP/ecard.exe; therefore, periodically verifying the checksums at the still active Storm Worm IPs turns up the new malware variants. Or, starting from the basic premise that prevention is better than cure, Bleedingthreats have already released IDS signatures for the Storm Worm :

"This first list has over 800 servers that are confirmed hostile, and were active in the last 24 hours. http://www.bleedingthreats.net/rules/bleeding-storm.rules
And a version prebuilt with a 30 day Snortsam block:
http://www.bleedingthreats.net/rules/bleeding-storm-BLOCK.rules
We’ll be collating Storm related links and data sources on the following page which is referenced in these sigs:
http://doc.bleedingthreats.net/bin/view/Main/StormWorm"

Let's assess yet another Storm Worm infected PC and reveal yet another campaign called BYDLOSHKA :

01. 75.37.132.98 is using the Q4-06 Roll-up package exploit kit, like all Storm Worm URLs

02. The downloader makes a DNS query to fncarp.com (24.1.243.46), where we find a second offensive obfuscation and the BYDLOSHKA campaign under the following URLs : snlilac.com/ind.php (123.236.116.111) ; eqcorn.com/ind.php (66.24.211.96) ; fncarp.com/ind.php. The downloaders here obtain the actual binaries from a third party (81.9.141.13), creating a fast-flux network.

03. What's interesting and rather disturbing is proof that phishers, spammers and malware authors indeed work together, as Storm Worm is also coming in the form of phishing emails where the main objective isn't to steal confidential account data, but only to infect the users visiting the site (74.102.159.188)

All this leads me to the conclusion that the campaign may in fact be a Russian operation.
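Both the dropped-domain list from the "Storm Worm's use of Dropped Domains" post (the static domain.com/ind.php structure) and the maliciousIP/file.php and maliciousIP/ecard.exe patterns described above are cheap to hunt for in proxy logs, which is the "prevention is better than cure" side of this. The following is an added example written for this post, not code from the original page or from Bleedingthreats' rule set; the log lines are constructed in Squid's native access.log layout and are not real requests, and the path list (STORM_PATHS) is assumed from the patterns the post names rather than a complete signature.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Domains from the dropped-domain list in the post (BYDLOSHKA campaign).
STORM_DOMAINS = {
    "tushove.com", "tibeam.com", "kqfloat.com", "snbane.com", "yxbegan.com",
    "snlilac.com", "qavoter.com", "ptowl.com", "wxtaste.com", "eqcorn.com",
    "ltbrew.com", "bnably.com", "fncarp.com",
}
# Static path patterns the post attributes to the campaign (assumed list).
STORM_PATHS = re.compile(r"^/(ind\.php|file\.php|ecard\.exe)$", re.I)

# Constructed proxy log lines in Squid native format:
# timestamp elapsed client action/code size method URL user hierarchy type
SAMPLE_LOG = """\
1188556800.101    210 10.0.0.12 TCP_MISS/200 2134 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1188556801.202    180 10.0.0.12 TCP_MISS/200 4096 GET http://fncarp.com/ind.php - DIRECT/24.1.243.46 text/html
1188556802.303    150 10.0.0.15 TCP_MISS/200 98304 GET http://75.37.132.98/ecard.exe - DIRECT/75.37.132.98 application/octet-stream
1188556803.404     90 10.0.0.15 TCP_MISS/200 1502 GET http://www.snlilac.com/about.html - DIRECT/123.236.116.111 text/html
1188556804.505    120 10.0.0.20 TCP_MISS/200 512 GET http://192.168.1.1/file.php - DIRECT/192.168.1.1 text/html
"""


def is_listed(host):
    """True when the host or any parent domain of it is on the list."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in STORM_DOMAINS for i in range(len(labels) - 1))


def is_public_ip_literal(host):
    """Storm's mails link to raw IPs, so a public IP literal as the host is
    a signal; private/loopback literals are normal intranet traffic."""
    try:
        return ip_address(host).is_global
    except ValueError:
        return False


def classify(url):
    """Return the list of signals a URL triggers (empty when clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if is_listed(host):
        reasons.append("listed-domain")
    if STORM_PATHS.match(parts.path):
        reasons.append("static-path")
    if is_public_ip_literal(host):
        reasons.append("ip-literal")
    return reasons


def is_suspicious(url):
    """A listed domain is enough on its own; the generic file names only
    count when combined with a public IP literal, since /ind.php on an
    ordinary hostname is far too common to alert on by itself."""
    reasons = classify(url)
    return "listed-domain" in reasons or (
        "ip-literal" in reasons and "static-path" in reasons)


def scan_log(text):
    """Return (client, url, reasons) for every suspicious request in a Squid log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if is_suspicious(url):
            hits.append((client, url, classify(url)))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The domain list is a snapshot; the post itself notes the Bleedingthreats rules grow daily, so in practice STORM_DOMAINS would be loaded from the current rule file rather than hard-coded.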

Related posts:
Oh boy, more Nuwar tricks!
New Storm Front Moving In
Zhelatin/Storm changes yet again

Monday, August 20, 2007

RATs or Malware?

After the Shark 2 DIY malware got the publicity it deserved as perhaps the most recent and publicly obtainable DIY malware, another DIY RAT has been gaining popularity among the script kiddie crowd for a while. Shark 2's features and capabilities for "killing" anti virus software and tricking sandboxes are far more advanced than this RAT's, no doubt about it. However, what makes an impression in this one is the built-in capability to check the latest generated server against the most popular anti virus engines.

Detection rate for the latest builder : Result: 15/32 (46.88%)
File size: 2981888 bytes
MD5: 5683024dbfd73d92c103d2ecc4f98258
SHA1: 34d341df36582906eb5d18e12139478b8772ea64

Detection rate for a previous version of the builder : Result: 9/32 (28.13%)
File size: 2426880 bytes
MD5: 4343eb64b3d4836b5ef49643b3320112
SHA1: beb6bd04d587f4253e5b26e4ba1827c8b200a214

Detection rate for another version of the builder : Result: 23/32 (71.88%)
File size: 4860416 bytes
MD5: 0fef106915b40cf1c0a411a4f5aee4bb
SHA1: a7a1c1bdd388c20964cf54db4607bf650d890562

Detection rate for the first version of the builder : Result: 24/32 (75%)
File size: 2466304 bytes
MD5: 1ee90062bebfe3dd9bbdd9d3c9fc1f6c
SHA1: 2c02b76497dd3bfa00c313e9e4a0bd0d8b2893a6

Another issue that deserves more attention is VT's opt-out feature for not distributing the sample to AV vendors: "If checked, in case the file is suspicious of being malware we will not distribute it to antivirus companies." Any malware authors or script kiddies out there wanting to measure the detection rates for their release without providing the AVs that don't currently detect it with a sample? Perhaps thousands of them.

The line between RATs and malware is definitely getting thinner these days.

Friday, August 17, 2007

Analyses of Cyber Jihadist Forums and Blogs

Where are cyber jihadists linking to, outside their online communities? Which are the most popular file sharing and video hosting services used to spread propaganda and training material, and to communicate with each other? What are their favorite blogs and international news sources? What does the Internet look like through the eyes of the cyber jihadist? This post will provide links to cyber jihadist communities, with the idea of aggregating a decent sample of how cyber jihadists use, and abuse, the Internet to achieve their objectives. It is based on the extraction of external URLs from over 5,000 web pages directly related to cyber jihadist communities. The snapshot was obtained during the last 7 days, therefore if you're going to data mine the free online data hosting URLs, do so in a timely manner before they disappear for one reason or another.

Key summary points :

- Over 4,000 external URLs pointing to suicide bombers' videos, propaganda, warfare, bombings, recruitment, torture videos, and numerous other still unanalyzed cyber jihadist forums and blogs
- Between 500 and 600 web pages per domain were crawled based on their last modified date, namely the most recent 500 to 600 posts
- The sample consists of 14 jihadist blogs and forums
- Depending on the online file storage service of choice, files remain online indefinitely if accessed at least once every 30 to 45 days, or until they get removed due to their nature
- Video material is often released in multiple video formats, and in multiple quality variants with respect to file size
- The crawled external URLs are in .txt format, one full URL per line
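The extraction step the post describes, taking each crawled forum page, keeping only the links that leave the forum's own host, and writing them out one full URL per line, is straightforward to reproduce with the standard library. The following is an added example written for this post, not the author's crawler; the forum page (SAMPLE_PAGE) and its URL are constructed for the example and the links in it are illustrative, not taken from any real forum.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed forum page standing in for one crawled post.
SAMPLE_PAGE_URL = "http://forum.example.net/vb/showthread.php?t=1"
SAMPLE_PAGE = """
<html><body>
<a href="showthread.php?t=2">next thread</a>
<a href="http://forum.example.net/vb/index.php">home</a>
<a href="http://files.example.org/dl/video_part1.rmvb">video (RMVB)</a>
<a href="http://files.example.org/dl/video_part1.wmv">video (WMV)</a>
<a href="HTTP://Files.Example.org/dl/video_part1.wmv">same link again</a>
<a href="http://videos.example.com/watch?v=abc123">hosted copy</a>
<a href="mailto:someone@example.net">contact</a>
<img src="http://img.example.com/banner.gif">
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href/src values from anchors, images, iframes and embeds."""
    TAGS = {"a": "href", "img": "src", "iframe": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.links.append(value)


def normalise(url):
    """Lower-case scheme and host so the same link written in different
    case collapses to one entry (paths stay case-sensitive)."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def external_urls(page_url, html):
    """Sorted, de-duplicated absolute http(s) URLs whose host differs from
    the crawled page's own host; relative links are resolved first."""
    parser = LinkExtractor()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    found = set()
    for link in parser.links:
        absolute = normalise(urljoin(page_url, link))
        p = urlsplit(absolute)
        if p.scheme in ("http", "https") and p.hostname and p.hostname != own_host:
            found.add(absolute)
    return sorted(found)


def by_host(urls):
    """Count URLs per hosting service: which file hosts the community relies on."""
    counts = {}
    for u in urls:
        host = urlsplit(u).hostname
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    urls = external_urls(SAMPLE_PAGE_URL, SAMPLE_PAGE)
    print("\n".join(urls))   # one full URL per line, the layout of the .txt dumps
    print(by_host(urls))
```

The per-host count is what answers the post's first question (which file sharing and video hosting services are used most); running it over the .txt dumps rather than a single page is a matter of concatenating them.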

You are what you link to, so let's assess the "tip of the iceberg" cyber jihadist communities online :

01. 3asfh.net
Dates : Created 20-nov-2003; Updated 15-jun-2007; Expires 20-nov-2007
DNS Servers : SERVER.3ASFH.NET; SERVER1.3ASFH.NET
External URLs : 3asfh.net_vb.txt

02. alsayf.com
Dates : Created 16-aug-200; Updated 16-aug-2006; Expires 16-aug-2011
DNS Servers : NS2.MYDYNDNS.ORG; NS1.MYDYNDNS.ORG; NS3.MYDYNDNS.ORG
External URLs : alsayf.com_forum.txt

03. egysite.com
Dates : Created 01-dec-2002; Updated 13-mar-2007; Expires 01-dec-2008
DNS Servers : NS1.EGYHOSTING.COM; NS2.EGYHOSTING.COM; NS1.EGYWWW.COM; NS2.EGYWWW.COM
External URLs : egysite.com_al2nsar.txt

04. elshouraa.ws
Dates : Domain created on 2006-09-15 00:08:38; Domain last updated on 2006-09-15 00:08:39
DNS Servers : ns11.uae-dns.com; ns12.uae-dns.com
External URLs : elshouraa.ws_vb.txt

05. muslm.net
Dates : Created 25-oct-2000; Updated 21-jul-2007; Expires 25-oct-2007
DNS Servers : NS1.MUSLM.NET; NS2.MUSLM.NET
External URLs : muslm.net_vb.txt

06. URL : http://w-n-n.net/ - DOWN as of yesterday, best sample
Dates : Creation Date: 16-feb-2006; Updated Date: 13-aug-2007; Expiration Date: 16-feb-2009
DNS Servers : A.NS.JOKER.COM; B.NS.JOKER.COM; C.NS.JOKER.COM
External URLs : w-n-n.net.txt

07. minbar-sos.com
Dates : Created 28-feb-2006; Updated 10-mar-2007; Expires 28-feb-2008
DNS Servers : NS1.BRAVEHOST.COM; NS2.BRAVEHOST.COM
External URLs : minbar-sos.com.txt

08. URL - Radical Muslim
External URLs
Now, it's up to your data mining and crawling capabilities.

Related posts:
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Internet PSYOPS - Psychological Operations
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Sampling Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications

Thursday, August 16, 2007

534 Biographies of Jihadist Fighters

When looking for patterns of terrorist behaviour, researchers often stereotype in order to portray a terrorist. The Book of Martyrs (compiled in English on June 9th, 2007) is a great OSINT source for analysts and intelligence agencies wanting to obtain data regarding the lifetimes of jihadist martyrs, segmented on a per-country basis, including photos, poems, interviews, transcripts, and links to multimedia files. Much like the Technical Mujahid E-zine, the Mujahideen Harvest magazine, and the Jihadist Security Encyclopedia, this E-book is yet another handy source of OSINT data, at least in respect to jihadist social networks :

Therefore, out of these 81 names: 40 are from the Arabian Peninsula, 7 from Yemen, 7 from Syria, 5 from Algeria, 4 from Kuwait, 4 from Iraq, 3 from Turkey, 1 each from Bahrain, Bangladesh, Tunisia, Libya, France and the USA whilst the nationalities of the remainder are unknown. These figures correspond to the relative contribution of the Muslim Ummah towards the Jihad in the world today. Sadly, there are hardly any Muslims from Western nationalities and usually they are the most vocal in their slogans for Jihad.

A link to a video entitled "Russian Hell in the year 2000, Jihad in Chechnya Part One" (511MB) is included :

"At the time of release of this CD, (July 2000), nine months of the War have passed with no end in sight. Russian casualties stand at over 15,000 killed or missing in action (MIA) and over 30,000 injured. They have lost hundreds of battle tanks, fighting vehicles and trucks and tens of fighter aircraft and helicopter gunships."

To a second video entitled "Russian Hell in the year 2000, Jihad in Chechnya Part Two" :

"Exclusive, live film footage of two martyrdom operations carried out against Russian Barracks in Argun and Gudermes in July 2000 Combat footage of Mujahideen operations, ambushes and remote-control detonation of Russian Military vehicles throughout the Year 2000 Video of the nine OMON troops after they were executed due to the failure of the Russian Government to hand over the Russian War Criminal Colonel Yuri Budanov to the Mujahideen (April 2000)"

And to a third one entitled "The Martyrs of Bosnia Part One and Part Two" :

"This unique video by Azzam Publications, the first of its kind in the English language with real-life combat footage and the first of a four part series, narrates the biographies of some of these magnificent individuals, who sacrificed their own lives in order to bring life to those around them."

Some interesting sections related to IT security and anonymity as well :

- Useful programs to protect personal information on computer and on-line
Tor [Anonymous web-surfing] ; True crypt [File & disk encryption - better than PGP] ; Window Washer [Shred free space and files] ; Spy Sweeper [Spyware remover] ; Avast [Anti-virus protection] ; Outpost [Computer Firewall] ; Winpt [secure encrypted email - better than PGP] ; Ad-aware professional [ Another spyware remover ] ; AbiWord [Open source - Better alternative to Word] ; Enigmail

- Best method to protect your chat!
Use Gaim with the OTR plugin and configure it to use the TOR network ; Gaim [Encrypt your chat conversations]; Off-the-Record Messaging [OTR Plug-in]

- Must have programs for your USB drive
Mobility Email - Best option for sending secure encrypted emails ; GAIM - for secure chat conversation ; Portable Firefox ; TorPark - for anonymous web browsing ; True Crypt - Best disk encryption & file protection program ; Tutorial for securing a USB drive using True Crypt ; Cyber Shredder : File wiping utility ; ClamWin [Open source anti-Virus Program] ; Greatnews - The Intelligent RSS Reader ; Foxit PDF Reader opens PDF files ; Abiword - full featured open source word processor ; Portable Open Office is really the only option for an Office Suite

Propaganda and twisted reality at its best, hosted at Archive.org, courtesy of Azzam Publications.

PayPal's Security Key

PayPal recently introduced its Security Key, two-factor authentication for millions of its customers, in cooperation with VeriSign's growing centralization of two-factor authentication in a typical OpenID style -- eBay is also a partner -- and it adds an extra layer of security to the authentication process, that's a fact. The entire strategy relies on the fact that if a customer's account details get keylogged, or they fall victim to a phishing scam and hand over the account data themselves, the phishers or malware authors wouldn't be able to log in, since the code captured at the time of keylogging would no longer be valid by the time the malicious parties try to use it. PayPal's Security Key :

"Generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires – no one else can use it. Watch the demo"

However, given the spooky commitment from phishers and malware authors we've been witnessing for the last several years, wouldn't they simply bypass this extra authentication layer by purchasing the $5 Security Key and, like legitimate customers, start generating security codes, ending up with both the account data and the ability to generate valid access codes as well? Take E-banking for instance: the pseudo-random key generators issued by different banks are supposed to use different algorithms for generating the codes, so that we never get the chance to discuss monocultural insecurities in two-factor authentication. Malicious parties are no longer interested in showing off as rocket scientists, but in being a pragmatic and efficiency-centered crowd. Just as keylogging evolved into "form grabbing" and the hijacking of entire sessions on malware-infected PCs right after the user herself authenticates through multi-factor authentication, malicious parties have started coming up with ways of bypassing the security measures put in place rather than directly confronting them.
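To make the quoted mechanism concrete from the verifier's side, here is an added example; it is not PayPal's or VeriSign's code, and since the page does not describe the Security Key's actual algorithm, the assumption is the standard HMAC-based one-time code construction (HOTP per RFC 4226, time-stepped per RFC 6238) with the 30-second step and six digits the quote mentions. The secret is the RFC test secret, constructed for the demo and not a real key. The server-side check shows the two properties the strategy relies on: a captured code stops working once its time step has passed, and a code already consumed by the legitimate user cannot be replayed within the same step. Note what the check cannot see: the session hijacking described above happens after verify() has returned True.

```python
import hashlib
import hmac
import struct

# Assumption: modelled on RFC 4226 (HOTP) / RFC 6238 (TOTP); the real
# Security Key algorithm is not described on this page.
STEP_SECONDS = 30   # "about every 30 seconds" in the quote
DIGITS = 6          # "a unique six-digit security code"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 based one-time code for a 64-bit counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step)


class OneTimeCodeVerifier:
    """Server-side check: a code is valid only for its own time step and only
    once, so a keylogged code is useless after the step has passed or after
    the legitimate user has already consumed it."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_used_counter = -1      # highest counter already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        if counter <= self.last_used_counter:
            return False                 # replay, or older than a consumed code
        expected = hotp(self.secret, counter)
        if not hmac.compare_digest(expected, code):
            return False                 # wrong or expired code
        self.last_used_counter = counter
        return True


def demo() -> dict:
    """Walk through the keylogging scenario described in the post.
    Constructed data: the RFC 4226/6238 test secret, not a real key."""
    secret = b"12345678901234567890"
    verifier = OneTimeCodeVerifier(secret)
    captured = totp(secret, 40)                  # victim logs in at t=40 and the code is keylogged
    first_login = verifier.verify(captured, 40)  # legitimate login succeeds
    replay = verifier.verify(captured, 50)       # same step, same code: rejected
    late_use = verifier.verify(captured, 95)     # a later step: code no longer matches
    return {"first_login": first_login, "replay": replay, "late_use": late_use}


if __name__ == "__main__":
    print(demo())
```

Running demo() gives first_login True and both replay and late_use False. A real deployment usually tolerates one step of clock drift on either side; that window is exactly the interval a real-time phishing relay has to use a freshly captured code, which is why the post's point about session hijacking after authentication matters more than the code format itself.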

Flexible notifications of financial transactions via an alert-based system, and static notices sent to a mobile phone, are an alternative. For instance, via the web interface of my E-banking provider I can choose to receive an SMS when amounts within a given range come into or go out of the account, sort of an early warning system for self-vigilance. What I'm missing is a historical "last logged in from" feature, and the option to receive an SMS each and every time I, or maybe not me, log into the account. Features like these should be provided on an opt-in basis, and those customers who truly perceive their value will pay for the service. As always, the market delivers what the customer wants - two-factor authentication - and the irony from a psychological perspective is that, in fact, those with less income are more vigilant about possible fraud attempts than those with more income, who are more gullible since they can afford the losses.

The Shark 2 DIY Malware

The Shark2 DIY malware (screenshots, its features, checksums of the builder, and the detection rates as of Saturday, 28th of July) finally made it through the mainstream media as yet another DIY malware builder in the wild, despite the fact that what's promoted as a RAT, but is actually malware, has been around since November, 2006 :

"The tool is being distributed via several underground internet forums. Software development is almost equivalent to that available from legitimate software vendors with regular updates to the code bringing the latest detected version up to version 2.3.2. Virus creation toolkits have been available for years, but have mostly been restricted to the creation of mass mailing worms and their ilk. DIY phishing kits that dumb down the process of constructing fraudulent websites began about two years ago. Shark 2 makes the process of infecting targets for phishing attacks or performing other malign actions easier than ever. It means money making malware rackets are no longer the preserve of those with at least some programming skills."

As I've already pointed out in numerous posts, the ongoing trend of disseminating DIY malware is mainly aimed at generating as much noise as possible through the ease of use of such builders by the average script kiddie. And while the infamous Sub7 DIY malware had the same features within its builder, without, of course, Shark2's anti-sandboxing capabilities, back in 2003 Sub7's mission was more one of intellectual opportunism, compared to today's noise-generation mindset of sophisticated malware authors wanting to remain as untraceable as possible. DIY malware builders evolved in proportion to the malware authors' need for diversity in the way the malware "phones home", so that it can be controlled efficiently and the data within the infected host efficiently abused.

Every trojan variant newly configured through the builder is an undetected piece of malware in terms of signature-based scanning, always in the nasty combination with malware packers and crypters. Even more interesting is the fact that the authors behind the trojan are also reading the news and, as always, periodically verifying the detection rates of the builder; namely, the checksums of the new builder have changed compared to the one as of 28th of July that I provided, and so has the detection rate for the latest release (15th of August) :

Detection rate : 4 AVs out of 32 (12.5%) detect it
AntiVir 2007.08.15 TR/Sniffer.VB.C.2
F-Secure 2007.08.15 Backdoor.Win32.VB.bax
Kaspersky 2007.08.16 Backdoor.Win32.VB.bax
Webwasher-Gateway 2007.08.15 Trojan.Sniffer.VB.C.2

File size: 2506752 bytes
MD5: e63498f392eed84b1c8a66dbb288d459
SHA1: 5aa39b70d17d16055d8084e534806d8e26a37fda

Monday, August 13, 2007

Pharming Attacks Through DNS Cache Poisoning

A month ago, Amit Klein conducted a detailed assessment of a recently released vulnerability in BIND9 to highlight the wide impact typical nameserver vulnerabilities have in general, and this one in particular. Now that an exploit is available as well, the possibility of large-scale pharming attacks in an automated fashion becomes fully realistic :

"A program has appeared on the Milw0rm exploit portal which is able to exploit the recently reported vulnerability in the BIND9 nameserver. Transaction IDs can be predicted or guessed relatively easily, so the cache of a vulnerable nameserver can be poisoned. Phishers can use cache poisoning for pharming attacks on users by manipulating the assignment of a server name to an IP address. Even if the user enters the name of his bank in the address line of his browser manually, he will still be taken to a counterfeit web page."

Pharming, like any other threat, usually receives cyclical media attention, either prompted by the discovery of a massive attack, or to build awareness of an advanced phishing scheme to come, in a typical "focus on current instead of emerging trends" mindset. How would access to a nameserver be obtained if not by hacking into it? The never-ending supply-of-goods model of the underground economy indicates that certain goods, such as access to breached FTP, Web and DNS servers, change value over time through the release of such exploits. So suddenly, access to a nameserver gets a higher valuation than usual.
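To put the quoted claim about guessable transaction IDs in defender's terms, here is an added example; it is not from this post, the Heise report, Amit Klein's paper or BIND, and it is a model rather than a measurement of any resolver. The assumptions are that a resolver accepts the first reply whose transaction ID (and UDP source port, if randomized) matches its outstanding query, and that an unpredictable generator is uniform. The two ID samples are constructed. It shows why a predictable ID generator reduces the guess to nothing, and why randomizing the source port as well is the mitigation that matters once the ID is fixed.

```python
import math

TXID_BITS = 16   # the DNS transaction ID is a 16-bit field
PORT_BITS = 16   # a randomized UDP source port adds up to 16 more bits to guess


def spoof_success_probability(guess_bits: int, forged_answers: int) -> float:
    """Chance that at least one of `forged_answers` blindly forged replies matches
    the resolver's outstanding query when `guess_bits` bits must be guessed.
    Model assumption: values are uniform and the first matching reply wins."""
    space = 2 ** guess_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_answers


def delta_entropy_bits(observed_ids) -> float:
    """Shannon entropy of the step between consecutive transaction IDs captured
    from a resolver's outgoing queries. A counter or a repeating ID gives ~0 bits;
    a healthy generator gives close to log2(number of samples) for a small sample."""
    deltas = [(b - a) % (2 ** TXID_BITS) for a, b in zip(observed_ids, observed_ids[1:])]
    if not deltas:
        return 0.0
    counts = {}
    for d in deltas:
        counts[d] = counts.get(d, 0) + 1
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(observed_ids, port_randomized: bool, forged_answers: int = 65536) -> dict:
    """Summarize one resolver's exposure from a sample of its query IDs and its
    source-port policy. Predictable IDs are treated as zero bits of protection."""
    entropy = delta_entropy_bits(observed_ids)
    predictable = entropy < 1.0
    bits_to_guess = (0 if predictable else TXID_BITS) + (PORT_BITS if port_randomized else 0)
    return {
        "id_delta_entropy_bits": round(entropy, 2),
        "predictable_ids": predictable,
        "spoof_probability": spoof_success_probability(bits_to_guess, forged_answers),
    }


# Constructed samples (not captured from any real nameserver): the first looks
# like a counter, the second like output from a proper random generator.
SEQUENTIAL_IDS = [0x1000 + i for i in range(10)]
RANDOM_LOOKING_IDS = [0x1f3a, 0x9c41, 0x0b77, 0xe2d5, 0x5a08,
                      0xc9f3, 0x3e6b, 0x77a2, 0xa1c0, 0x14ef]

if __name__ == "__main__":
    for label, ids in (("sequential", SEQUENTIAL_IDS), ("random-looking", RANDOM_LOOKING_IDS)):
        for port_random in (False, True):
            print(label, "port randomized" if port_random else "fixed port",
                  assess_resolver(ids, port_random))
```

With 65536 forged replies, a fixed port and random 16-bit IDs still gives the spoofer roughly a 63% chance, which is why ID randomness alone was never enough; adding a randomized source port drops the same effort to about one in 65 thousand, and a predictable ID generator, the case in the quote, makes the ID contribute nothing at all. The entropy check is a crude triage on captured query IDs, not a proof of randomness.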

I've been using a handy Firefox add-on to keep track of the constantly changing IPs of various cyber jihadist forums and web sites for quite some time now. The tool actually pitches itself as an anti-pharming add-on, which you ought to evaluate for yourself :

"SCM performs Site Continuity Management validations on websites to help prevent Pharming attacks. Pharming attacks are an advanced form of Phishing where an adversary poisons the data held in the user’s DNS server. SCM is believed to be the first add-on to protect users from this advanced attack."

DIY Phishing Kits

Rock Phish's efficiency-centered approach, in terms of hosting numerous phishing pages on a single domain, often an infected home user's host, easily turned it into the default application for DIY phishing attacks. And although we still haven't seen the multi-feature phishing kits I'm certain will emerge any time now, here's an automatic URL redirector for data submitted to a phishing site, showcasing the ongoing DIY phishing kits trend. Basically, once the source code of, for instance, a fake PayPal login page is pasted in, it ensures all the submitted account data is forwarded to the malicious server, where it gets logged. The main aim of this tool isn't to achieve mass-scale efficiency, as is the case with Rock Phish, but to make it easier for phishers to point-and-click create or update the fake pages to be hosted on a Rock Phish domain. The program's intro :

"Steps to creating a fake login, simple as 1,2,3. Go you your web site or the site you have permisson to make a fake web login and right click then press "Source". Double click here to begin. Enter the redirection URL. The redirection URL is the site in which the user who enters their login details will be forwarded to after they fill out the form. Optional : For some web sites after you creat the phisher some images will not load properly. This is due to the source directing the images to be loaded from your database instead of their database. For example you will probably find this in your source img src="/images/image.gif". To fix this you would have to direct the source to load from the site's database by editing the source to look a little like this img src="http://site.com/images/image.gif". To automatically do this double click here."

Why are DIY phishing kits turning into a commodity, and what are some of the strategies to deal with phishing sites?

- fake pages for each and every financial institution, plus the associated images, are a commodity. They look like the real ones and sound like the real ones, but anything submitted through them gets forwarded to a third party, presumably using DIY tools like these

- phishing should be treated as spam, namely it should never reach the end user's mailbox; but as we've already seen in the past, certain financial institutions are trying to rebuild confidence in email communication with their customers, whereas they should instead build more awareness that they would never initiate such communication, as the current approach creates even more confusion for the customer who is still not aware of basic phishing techniques

- HTTP referer logs for static images loaded via email clients or web-based email could act as an early warning system and provide a list of URLs to be automatically fed into a take-down tracking system, ones we've already seen commercialized by vendors

- phishing has become such a widespread problem that the latest versions of IE and Firefox now have anti-phishing protection built in. Moreover, phishing sites are known to exploit browser vulnerabilities to hide the real .info and .biz extension of a site, so that a built-in anti-phishing toolbar picks up where the browser can no longer perform.
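The referer-log early warning system from the third point above, as an added example that is not part of this post and not the code of any take-down vendor. It works because the kit intro quoted earlier rewrites relative image paths to absolute ones on the real site, so a fake page (or a phishing email rendered in webmail) makes the victim's browser fetch the bank's own images with a foreign Referer. The log lines are constructed Apache combined-format entries for a hypothetical bank site (bank.example); the hostnames and IPs are placeholders, and the "own hosts" list and image path prefix are assumptions a deployment would set to its own values.

```python
import re
from urllib.parse import urlsplit

# Constructed log lines for a hypothetical bank site; none are real requests.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2007:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4531 "https://www.bank.example/login" "Mozilla/4.0"
203.0.113.9 - - [13/Aug/2007:10:01:07 +0000] "GET /images/logo.gif HTTP/1.1" 200 4531 "http://userport.invalid/bank/login.htm" "Mozilla/4.0"
198.51.100.2 - - [13/Aug/2007:10:02:11 +0000] "GET /images/secure.gif HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Aug/2007:10:03:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 4531 "http://mail.webmail.invalid/inbox?msg=42" "Mozilla/4.0"
203.0.113.9 - - [13/Aug/2007:10:04:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 4531 "http://userport.invalid/bank/login.htm" "Mozilla/4.0"
192.0.2.4 - - [13/Aug/2007:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 9000 "http://attacker.invalid/fake/" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Assumed deployment settings: the bank's own hostnames and where its static images live.
OWN_HOSTS = {"www.bank.example", "bank.example"}
IMAGE_PREFIX = "/images/"


def foreign_image_referers(log_text: str, own_hosts=OWN_HOSTS, image_prefix=IMAGE_PREFIX) -> dict:
    """Return every referer URL outside our own hosts that caused an image fetch,
    keyed by referer URL, with hit count, client IPs and first-seen timestamp.
    Each key is a candidate phishing page (or a webmail view of a phishing mail)."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(image_prefix):
            continue
        ref = m.group("referer")
        if ref in ("", "-"):
            continue                      # direct fetch, nothing to learn
        host = urlsplit(ref).hostname
        if host is None or host in own_hosts or host.endswith(tuple("." + h for h in own_hosts)):
            continue                      # our own pages legitimately embed our images
        entry = hits.setdefault(ref, {"host": host, "count": 0,
                                      "client_ips": set(), "first_seen": m.group("ts")})
        entry["count"] += 1
        entry["client_ips"].add(m.group("ip"))
    return hits


def takedown_candidates(log_text: str) -> list:
    """Referer URLs ordered by how many victims' browsers have already hit them."""
    hits = foreign_image_referers(log_text)
    return sorted(hits, key=lambda url: hits[url]["count"], reverse=True)


if __name__ == "__main__":
    for url, info in foreign_image_referers(SAMPLE_LOG).items():
        print(info["count"], info["host"], url, sorted(info["client_ips"]))
```

The two hits in the constructed sample are the two cases the bullet describes: a page on an unknown host embedding the bank's logo, and a webmail session rendering an email that embeds it. The request for /about.html with a foreign referer is ignored because only static image paths are considered; in practice the filter should also drop known search engines and partner sites, and the referer header is absent often enough (privacy tools, HTTPS to HTTP transitions) that this is an early warning source, not a complete one.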

As far as the recent increase in Rock Phish domains is concerned, DSLreports.com has been keeping track of, and shutting down, Rock Phish domains for a while. Once shut down, new domain names, usually recently dropped ones, appear online, such as userport.li and userport.ch for instance. Go through an article on "The History of Rock Phish" as well.

Thursday, August 09, 2007

The Storm Worm Malware Back in the Game

After coming across the story on how Storm Worm is taking over the world for yet another time, I wondered - who are the novice malware authors behind Storm Worm who switch tactics by the time their old ones become inefficient? After commenting on the first Storm Worm wave -- it's not even a worm -- with an emphasis on the outdated social engineering techniques it was using back in January, 2007, it's time to assess the current situation and how Storm Worm has evolved. What has changed? Direct .exe email attachments matured into a direct link to an infected IP address. Mass mailings are now sent with a campaign ID to measure efficiency. Outdated social engineering tactics became direct exploitation of old and already patched vulnerabilities, to ensure a higher probability of infecting a visitor whose failure to understand that client-side vulnerabilities deserve a higher priority than visual .exe vigilance often results in an infection. Here's a sample infected IP spreading Storm Worm binaries :

Message content : "Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download"
Original URL : 77.96.240.142 /?232c3a9ebeed435601e5ee71
Binary URL : 77.96.240.142/ecard .exe
Server response : HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Thu, 09 Aug 2007 00:12:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.1

Email spoofed from : "postcards.com" jyg @ alltel.net
Mail server : exchange.moneytreemortgage.biz, 64.220.230.118
IP blacklisted by : SpamCop, CASA-CBL, UCEPROTECTL1, PSBL
Sender's IP : 73.208.110.36
IP blacklisted by : Spamhaus PBL, NJABL Dynablock

ecard.exe
Detection rate : 17 AVs out of 32 detect it (53.13%)
File size: 113195 bytes
MD5: 63fe9896fbbca6471ec216c9dee0b0e9
SHA1: 170eb66ca28f74d291e07a0383564b465d373f06

file.exe - downloader
Detection Rate: 17 AVs out of 32 detect it (53.13%)
File size: 4608 bytes
MD5: 7ea2baadfe3a8a54635cea72526ff391
SHA1: ae32bb7df491fb52650144931c10a7bd5ebf6a2c

alt.exe
Detection Rate : 17 AVs out of 32 detect it (53.13%)
File size: 113168 bytes
MD5: 4ac8a3242e945215469ec08bc5603418
SHA1: 75b8aadab3626e39b570d7e7494d3be63cc582d1

At every infected IP acting as a web server, we have a typical MPack-style XOR-ifying javascript obfuscation. And while it's not that hard to deobfuscate, the interesting part is the type of vulnerabilities exploited to deliver the downloader and the payload. The current campaign is a good example of a fast-flux network, as the malware authors used one mail server to send the email, another IP as the actual sender, and a third one where the payload and the downloader are hosted, with the web page itself using the Q4-06 Roll-up package exploits kit :

"This is a set of exploit scripts mostly from the end of 2006. It includes an MS06-042, a SetSlice, an MDAC, a WinZip, and a QuickTime. It is typically encrypted using a wide variety of javascript obfuscators, but is usually about the same source code underneath. Recently it sometimes includes an ANI exploit from April 2007."

As we have already seen with the most recent and wide-scale malware campaigns, such as those using the IcePack and MPack kits, the malware authors rely entirely on patched vulnerabilities rather than purchasing zero day ones, further fueling the superficial zero day vulnerabilities cash bubble and proving that using old vulnerabilities is just as effective as using a zero day one - both are unpatched on the end user's PC. Ensure attacks using outdated vulnerabilities cannot take place by patching, and don't forget that Storm Worm is only one among the many malware and spam outbreaks currently active in the wild.
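The "not that hard to deobfuscate" remark about the XOR-ifying javascript above, as an added analyst-side example that is not from this post and does not reproduce the actual Storm Worm or MPack loader. The assumption is the simplest form of the technique, a single-byte XOR over the script with the result carried as a hex string; the sample blob is constructed inside the block from a placeholder plaintext (the URL uses the reserved .invalid domain and is not one of the IPs from the post). The block recovers the key by scoring every candidate decoding for tokens a decoded dropper stage almost always contains, then pulls the URLs out, which is the part an incident responder actually needs for blocking and take-down.

```python
import re

# Constructed sample: what an analyst would see after pulling the page, a hex blob
# that a short loader XORs with one byte and eval()s. Placeholder URL, not from the post.
_PLAINTEXT = ('document.write(\'<iframe src="http://example.invalid/in.cgi?10" '
              'width=1 height=1 style="visibility:hidden"></iframe>\');')
_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ _KEY for b in _PLAINTEXT.encode()).hex()

# Tokens that are almost always present once a dropper stage is decoded.
MARKERS = (b"document.write", b"iframe", b"eval(", b"unescape(", b"http://")
URL_RE = re.compile(rb'https?://[^\s"\'<>]+')


def score(candidate: bytes) -> int:
    """Reward known JS/HTML markers, penalize bytes that are not printable ASCII."""
    hits = sum(1 for marker in MARKERS if marker in candidate)
    unprintable = sum(1 for b in candidate
                      if b < 0x09 or (0x0D < b < 0x20) or b > 0x7E)
    return hits * 10 - unprintable


def recover_xor_key(hex_blob: str):
    """Try all 256 single-byte keys; keep the decoding that looks most like a script."""
    data = bytes.fromhex(hex_blob)
    best_key, best_plain, best_score = None, b"", float("-inf")
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        s = score(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


def extract_urls(script: bytes) -> list:
    """Indicators worth blocking or reporting: every URL in the decoded stage."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(script)]


def analyse(hex_blob: str) -> dict:
    key, plain = recover_xor_key(hex_blob)
    return {
        "key": key,
        "urls": extract_urls(plain),
        "has_iframe": b"<iframe" in plain,
        "decoded": plain.decode("ascii", "replace"),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_BLOB)
    print("key=0x%02x" % result["key"], result["urls"], result["has_iframe"])
```

Real kits vary the scheme (multi-byte keys, keys derived from the page URL or the User-Agent, several nested layers), so the brute force here is the first step rather than a general decoder; the scoring idea carries over because whatever the wrapper, the final stage has to contain something the browser can execute, and that is what the markers look for.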

Related posts:
Malware Embedded Sites Increasing
Massive Embedded Web Attack in Italy
The MPack Attack Kit on Video
The WebAttacker in Action
The IcePack Malware Kit in Action
The Underground Economy's Supply of Goods

More info:
Malware - Future Trends
New wave of nuwars storming in
Storm Worm Continues to Spread
The Storm Worm
Storm Worm growth is getting out of hand, researchers fear
Storm Trojan Worm evolves and creates Havoc on the Internet, warns SecureWorks
Storm Worm's Virulence May Mean Tactics Change
Storm Worm Hype Batters Media