Tuesday, October 30, 2007

Botnet on Demand Service

Once this "rent a botnet" or "botnet on demand" service depending on the perspective made it in the mainstream press, they switched locations, but I'm sure they'll continue to advertise themselves given the potential for such a service. The first screenshot provides the "botnet inventory", as you can see the botnet has a total 35015 infected hosts, but with only 2342 of them online when I last checked. On a per rate of 252 infected hosts for the last two hours, and with 5279 for the last 24, their only problem is to have the malware actually respond, and "phone back home".

From another perspective, "rent a botnet" is a bit different as a service concept next to "botnet on demand" where this service is a combination of the two of these. Rent a botnet means there's an already available inventory, that is they're aware of the exact number of infected hosts they have, and are capable of meeting the demand until their supply gets depleted, which is where "botnet on demand" comes into play. Botnet on demand, like the entire "on demand" concept, doesn't build inventory of infected hosts and sit on them waiting for someone to require them. Instead, infected hosts get "infected" as requested, another indication of their understanding of what malicious economies of scale is all about - anticipating the success of exploiting outdated client side vulnerabilities on a large scale.

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple acccess to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

If the service was a "rent a botnet" it could have increased its chances of having something to do with Storm Worm's "divide and conquer" approach of segmenting the botnet into smaller ones, since Storm Worm is the biggest inventory of infected hosts currently available online. But since they offer the "on demand" feature, thereby indicating they're surveying the demand for the service itself before putting more efforts into building the inventory, I doubt it's Storm Worm related.

Possibility Media's Malware Fiasco

After both TrendMicro and Sophos acknowledged the attack on Possibility Media's portfolio of online publications, added detection, further clustered the attack, as well as came up with a fancy graph to visualize the IFRAME-ing attack, the attackers changed the IFRAME code and directed it to another location, and perhaps it's more interesting to see them express their feelings about getting exposed in such a coordinated manner. The second IFRAME URL from the previous post now greets with "ai siktir vee?" message. What does "ai siktir vee" means? It means "get lost". The new IFRAME URLs as of yesterday are exploiting MDAC ActiveX code execution (CVE-2006-0003), and here are more details :

(58.65.239.28) ilovemyloves.com/films/in.cgi?11
ilovemyloves.com/traff.php
ilovemyloves.com/fuck.php
ilovemyloves.com/lol.php
ilovemyloves.com/nuc/index.php
ilovemyloves.com/games/index.php
ilovemyloves.com/ra/load.php

Is there by any chance the possibility that the Russian Business Network's IPs might be somehow involved? Don't be naive - of course there are RBN IPs involved and talking about them, deobfuscating scripts or analyzing the binaries related to RBN is becoming a rather boring task given nothing's changing. Remember all those parked domains on the second IFRAME IP from the previous post? According to this writeup by Symantec's Kaoru Hayashi, some of the hosts - fiderfox.info:8081; gipperlox.info:8081; gipperlox.info:8081 - are acting as communication platforms with a trojan downloaded from an RBN IP - 81.95.144.146 in order for the trojan to receive spam sending configurations. Now, where do we know 81.95.144.146 from? From the Bank of India hack as it was among the several IPs used in the IFRAME attack.

Getting back to the latest developments behind the dynamic tactical warfare applied by the attackers at 208.72.168.176, they seem to have introduced a new obfuscation at : 208.72.168.176/e-Mikhalich2210/index.php which you can see in the screenshot attached. Once we get to feel the binary we can conclude it's a spam bot known under different names such as Dropped:Trojan.Proxy.Pixoliz.I; Trojan-Proxy.Pixoliz and W32/Pixoliz.

Detection rate : Result: 11/32 (34.38%)
File size: 123924 bytes
MD5: 15027f9e4dc93e95e70f7086f2bf22de
SHA1: 494a675df55167cf4ed5a2c0320cdaa90dbbc10e

New domains under different IPs are also connected with the previous and the current IFRAMEs as they all tell me to "ai siktir", for instance :

privatechecking.cn/stool/index.php
musicbox1.cn/iframe.php
xanjan.info/ad/index.php

There's even a Storm Worm connection. For instance, musicbox1.cn/iframe.php refreshes textdesk.com which is heavily polluted with known storm worm domains such as : eliteproject.cn/ts/in.cgi/alex; 88.255.90.74/su/in.cgi?3; 81.95.144.150/in.cgi?11; takenames.cn/in.php; bl0cker.info/in.php; space-sms.info etc.

Dots, dots, dots and data speaks for itself.

Monday, October 29, 2007

Wisdom of the Anti Cyber Jihadist Crowd

Interesting opinion by Gerald at the Internet Anthropologist Warintel blog :

"And I want to call this the "Brilliant civilian sector". It included the likes of Bill Roggio, Dancho Danchev, Douglas Farah, Ray Robison, team at Counter terrorism Blog, Jamestown, Memri, SITE, and many many others. This "Brilliant sector " is missing part of the "Civilian War Effort Paradigm". The output has been voluminous and timely and very high quality. But it has been aimed at only part of the Demographic. The American or Western sector. The "Brilliant sector" recognizes the value of translating terrorist media, documents etc. And their analysis is top level. But they seem to have missed the value in translating their analysis into indigenous languages, or Arabic at least."

Wisdom of the opinionated crowds, the value added objectivity due to non-existing departamental budget allocation battles, combined with state of the art open source intelligence gathering for the world's intelligence community to take advantage of - all courtesy of the "Brilliant civilian sector". And why not? While I fully agree with Gerald's point on translating anti-terror PSYOPS material into Arabic, the way cyber jihadists are actively recruiting and winning the minds and hearts of English speaking/understanding web surfers, thus radicalizing them to the bottom of their brains, it's also worth mentioning that cyber jihadists are already doing it by actively translating English2Arabic the way I'm for instance translating Arabic2English - using commercial or free services. Moreover, the way the "brilliant civilian sector" is watching video material that they've uploaded, they're also watching news excerpts on YouTube, and following everything related to terrorism. Perhaps more research should be conducted on the cyber jihadists' counter surveillance practices, how decent is their level of situational awareness, which are their main sources for OSINT, and how influential they are so that adequate measures could be taken. One way to do is is by taking a rather big sample of outgoing links from their communities in order to better understand their main OSINT sources.

By the way, remember the Caravan of Martyrs which I first mentioned in June, and later on crawled knowing it will sooner or later dissapear? It's now gone with the summer wind, for good.

Multiple Firewalls Bypassing Verification on Demand

Next to the proprietary malware tools, malware as a web service, Shark2's built-in VirusTotal submission, the numerous malware crypting on demand services, the complete outsourcing of spam in the form of a "managed spamming appliance", and the built-in firewall and anti virus killing capabilities in commodity DIY malware droppers, all indicate that the dynamics of the malware industry are once again shifting towards a service based economy with a recently offered multiple firewall bypassing verification on demand service. The following is an automatically translated excerpt :

"Here are a new feature-check your files against popular firewalls. You send us a file, we run it in each individual fayrvole, after full you personal checking account. The cost of single use service is $3. A special service for developers, we check your software and your otpisyvaemsya subject to the results of the verification. File of our service to circumvent firewalls. The cost of the service so far is no different from the usual check. Testing takes about 30/40 minutes, the countdown begins once you responded Support "Doc passed ordering" Every fifth-free ordering. When paying full use prepaid services. Do not worry about sending stay online, with a corresponding demand will be organized kurglosutochnaya work 24/7/365! List of our firewalls at the moment: ZoneAlarm Pro v7.0; Sygate Personal Firewall 5.5; Ashampoo FireWall PRO; Sunbelt Personal Firewall; Outpost Internet Security 2008; Filseclab Personal Firewall Professional Edition; F-Secure Internet Security 2008; Comodo Firewall Pro.

Every feature is installed on a separate Windows XP Service PAck2, with all the critical updates for September 2007. All default. After each check all operatsionki regress back to the condition it was prior to the launch your executable file. None of the transferred files, we will not be forwarded to third parties, including anti-virus companies, to study the existence of malicious code. After verifying the files removed. Now the service does not work in the automatic mode, not around the clock, with breaks. We would be happy to cooperate and permanent clients."

Basically, they're testing whether or not a malware will "phone back home" by running it against the popular firewall products, and giving it a green or red light if it does, or if it does not pass the test. QA is vital to reliable and bug-free software, but when QA as a concept starts getting abused to improve the quality of a malware campaign itself it would improve its chances for success, and actually achive it given a bypassing confirmation is already anticipated.

Is this malware QA a trend, or is it a fad? I think it's a trend mostly because malware authors seem to have realized the potential of launching "quality assured malware", take storm worm for instance, and the possibility for crunching out DIY malware through commodity kits in enormous quantities in the form of a managed malware provider.

Thursday, October 25, 2007

A Portfolio of Malware Embedded Magazines

This is perhaps my most important discovery of malware embedded sites farm in a while, at least in respect to the potential impact it is currently having on the unprotected visitors browsing the sites of Possibility Media's portfolio of online magazines, which are pretty weird content by themselves. Possibility Media's (now owned by GM Media Worldwide Inc.) 24 online publications are currently serving embedded malware in the form of IFRAMEs on each and every domain, a logical development given they're all hosted on a single server (216.251.43.11). The affected domains include the following e-zines :

networkweekmag.com - Network Week Magazine
portablecomputingmag.com - Portable Computing Magazine
businesscomputingmagazine.com - Business Computing Magazine
communicationsworldmag.com - Communications World Magazine
spweekly.com - Service Provider Weekly
webweekmag.com - Web Week Magazine
pcnewsweeklymag.com - PC News Weekly
itweekmagazine.com - IT Week Magazine
communicationsweekmag.com - Communication Week Magazine
ipworldmag.com - IP World Magazine
networkweekmag.com - Network Week Magazine
thebestpcmag.com - The Best PC
technologyweekmag.com - Technology Week Magazine
theinternetstandardmag.com - The Internet Standard
securitystandardmag.com - Security Standard
theitstandard.com - The IT Standard
hostingweekmag.com - Hosting Week
enterpriseweekmag.com - Enterprise Week
computernewsmagazine.com - Computer News
theinternetstandardmag.com - The Internet Standard
ceweekmag.com - CE Week Magazine
ebusinessmag.com - Ebusiness Magazine
healthcareitmagazine.com - Health Care IT Magazine
serviceprovidermagazine.com - Service Provider Magazine

Deobfuscating the obfuscated javascripts, we see that the first IFRAME points to : lilohost.hk/cgi/index.php ; lilohost.hk/cgi/indexx.php ; lilohost.hk/cgi/tdss/index.php?out=1192369270 ; and lilohost.hk/cgi/indexx.php - where we get the actual malware under the umbrella of a typical WebAttacker obfuscation. The main index of the domain includes links to pharmaceuticals, making it an interesting on in a combination with embedded malware.

The second IFRAME points to 208.72.168.176/e-Sr1pt2210/index.php where we're greeted with the following message "asdfasdfIt works!" and a piece of Trojan.Srizbi.

Detection rate : Result: 8/31 (25.81%)
File size: 113152 bytes
MD5: a4733e1901653da7086930588d699c85
SHA1: 3e65be5e54b893cddf8f5f9bec2591425d49579a

It gets even more interesting with the following domains returning the same message within their indexes, and also hosted at the second IFRAME-ing IP - 208.72.168.176. Possibility Media's vision states "New Media Making The Difference!" Indeed.

Related posts:

Tuesday, October 23, 2007

Over 100 Malwares Hosted on a Single RBN IP

The never ending Russian Business Network's saga on whether or not they host malware on behalf of their customers enters in an entirely new phrase with the discovery of over 100 malwares hosted on a single IP - 81.95.149.51/ms where the directory listing indicates that the earliest binary was uploaded on 19-Sep-2006 and the most recent one on the 28-May-2007. If only was the directory listing denied we would only be speculating on such a development, and as it's obvious that it isn't sooner or later they'll simple rename the directory as they apparently did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and to the current state.

Meanwhile, there's an active mass mailing campaign going on in the time of blogging, that's exploiting the recent mailto PDF vulnerability. Guess where does the PDF file's payload point to? The Russian Bussiness Network, again, again and again.

RBN's Fake Security Software

In need of a good example of coordinated CYBERINT so that enough data is gathered before the domains stop responding or get transfered to a network not belonging to the Russian Business Network? Try this one. Yesterday, the RBN monitoring blog picked up the fake anti virus and spyware applications I covered in a previous post, and came up with a great table of 20 fake anti virus and anti spyware applications hosted at the RBN.

Ain't That Ugly?

During the weekend I stumbled upon a herbal enlargement domains farm hosted on a single IP (210.52.223.26) on their way to start the spam campaign. Earlier this month, in exactly the same fashion I assessed a Rock Phish domains farm you may also be interested in taking a look at. Scammy, scammy.

Introducing Jiglu - Tags That Think

With the idea to make this blog easier to read and much more interactive at the same time, I'm happy to let you know that I've just tested an incredibly well performing service called Jiglu :

"a super-smart engine that pieces your site together, intelligently tagging and linking your web content"

Here's the tag cloud, and these the topic categories for easier navigation. The service is very handy when browsing the archive of a specific month, or the main index itself, in fact, it's bringing new perspectives to every post. Enjoy!

Monday, October 22, 2007

Empowering the Script Kiddies

What are the chances tools like these, even this one in particular were distibuted to the masses during the Russia vs Estonia DDoS attacks to achieve a full scale people's information warfare effect? Too high not to state it as a fact. What's interesting about this tool is that the authors behind it backdoored it, and so whenever an enthusiastic wannabe hacktivist loads it on her way to DoS a site, a connection to a predefined IRC server opens up providing the authors behind the tool with access to the host. Ironic and bandwidth greedy.

DDoS attacks happen inside Russia too, compared to the inside-to-outside stereotype only. The most recent case of hacktivism in the form of a DDoS attack is for instance the attack on Politcom.Ru Information and Analytic. Summary in English :

"Politcom.Ru Information and Analytic site operations have been halted because of intensive DDoS-attacks. The attacks started on October, 12th and lasted for six days with various intensity. The hosting support service has undertaken attempts to resume the site operations tree-four times a day. But in several hours the attacks would resume. The change of the hosting provider IP-address did not give any positive results, as the attacks removed from the old IP-address to the new one."

Sunday, October 21, 2007

China's Cyber Warriors - Video

Originally aired on Discovery Channel, this documentary on Chinese hackers is worth watching in the wake of the recent speculations of Chinese cyber warriors probing the networks of numerous governments across the globe. All warfare is based on deception, especially people's information warfare.

Saturday, October 20, 2007

Random Flickr Jewel - Hold it Right There!

If you don't respect your privacy, or at least put efforts into preserving it - you don't deserve any, it's simple. Great shot courtesy of floze.

Friday, October 19, 2007

eCrime Researchers Summit 2007 - Papers Available

Some informative papers covering various aspects of analyzing and protecting against phishing attacks were made available at the beginning of this month, courtesy of this year's APWG eCrime Researchers Summit :

"The Anti-Phishing Working Group eCrime Researchers Summit was conceived by APWG Secretary General Peter Cassidy in 2006 as a comprehensive venue for the presentation of the state-of-the-art basic and applied research into electronic crime, engaging every aspect of its development (technical, behavioral, social and legal) as well as technologies and techniques for its detection, related forensics and its prevention."

Papers presented include :

- Examining the Impact of Website Take-down on Phishing
- Fishing for Phishes: Applying Capture-Recapture to Phishing
- Evaluating a Trial Deployment of Password Re-use for Phishing Prevention
- Behavioral Response to Phishing Risk
- Fighting Obfuscated Spam
- A Comparison of Machine Learning Techniques for Phishing Detection
- Getting Users to Pay Attention to Anti-Phishing Education

Everyone's Guide to By-Passing Internet Censorship

Following the recently released "Journey to the Heart of Internet Censorship" report, University of Toronto's Citizen Lab took advantage of the momentum and released a guide entitled "Everyone's Guide to By-Passing Internet Censorship" :

"This guide is meant to introduce non-technical users to Internet censorship circumvention technologies, and help them choose which of them best suits their circumstances and needs."

Here's another interesting perspective that took event recently, the art of using censorship for economic warfare by stealing Internet traffic from the U.S and forwarding the loyal visitors to local Internet properties in China :

"I’ve written previously on the possibility that China may use its firewall as an economic tool as opposed to a censorship tool alone, and although censorship may be partially behind todays blanket ban of US search sites, the redirect to Baidu would indicate an economic motive; if the Chinese Government were serious about censorship alone we would have reports of page not found/ blocked messages, not redirects to Baidu."

It's all a matter of perspective - privacy is just as vital to maintain in a democratic society, as is anonymity in a modern communism societies where f*** speech is a censored word by itself.

Thursday, October 18, 2007

The Russian Business Network

In case you haven't come across it before, here's an informative blog whose objective is to track events related to the Russian Business Network (RBN) and expose its nodes in between :

"Everything you wanted to know about the RBN and related enterprises - AKA ; Russian Business Network, RBNnetwork, RBusinessNetwork; the Internet Community's favorite - exploiters, phishers, hacks, spammers, etc."

Under the pressure put by the "wisdom of crowds" collective intelligence capabilities in analyzing pieces of the puzzle who make up the big picture in respect to the Russian Business Network, a representative of the RBN speaks out for the first time :

"We can't understand on which basis these organizations have such an opinion about our company," Tim Jaret of the Russian Business Network says in an e-mail interview. "We can say that this is subjective opinion based on these organizations' guesswork." Jaret's e-mail signature identifies him as working in RBN's abuse department. Security researchers and anti-spam groups say the St. Petersburg-based RBN caters to the worst of the internet's scammers, renting them servers used for phishing and malware attacks, all the while enjoying the protection of Russian government officials. A report by VeriSign called the business "entirely illegal."

What is the RBN at the bottom line? A diversified set of IP blocks located at different parts of world, who periodically appear within the deobfuscated javascipts of the sites who got IFRAME-ed and were found to serve malware by exploiting outdated browser vulnerabilities. What's more interesting to me than the "yet another popular site which got IFRAME-ed by the RBN's network" is the success of the popular malware exploitating kits using outdated and already patched vulnerabilities. What use are patches when no one is applying them, and aren't unpatched vulnerabilities just as effective as zero day ones? Yes, they are.

Issues to consider :

- the RBN offers bullet proof hosting upon signing some sort of contract, where they may easily forward the responsibility to the hoster of the malware, phishing and spamming, namely, on a contract basis those hosting such content violate their TOS agreement, now whether or not the RBN will remove them in a self-regulation manner or wait for an abuse letter to come, then delay it for couple of weeks while the campaign is still active is entirely different topic

- during the first couple of hours of the Bank of India hack, once vendors and researchers started assessing the site, the RBN IP that was used as redirector removed the javascript obfuscation and forwarded every visitor to Google.com. My point is that, unless real-time CYBERINT is collected by trusted parties, it would be very hard to come up with historical evidence on some of their malicious activities

- despite being a consolidated organization offering bullet proof hosting, they're still not fast-fluxing any of their services on a large scale, an indication of a botnet behind the fast-flux, and while they're just a couple of netblocks to filter, it could get more ugly and harder to trace back. So let's "appreciate" the RBN's laziness for the time being

- the RBN is the tip of the iceberg whose clients' successes in the form of embedding RBN IPs on the most recent malware cases led to the inevitable wisdom of crowds effect. What about the hundreds of thousands other not so well known malware serving netblocks?

What were some of the most recent cases where RBN IPs were used to serve malware? The Massive Embedded Web Attack in Italy used to orbit around RBN IPs, various other exploits serving domains and the fake ms-counter.com were using RBN IPs, Bank of India's IFRAME and several MPack control panels were pointing to RBN's network too, and also the most recent Beer.ch malware attack. It gets even more interesting.

Here are for instance some of the fake anti-virus and anti-spyware applications hosted at the Russian Business Network in the time of blogging. The applications are cute, little, tiny 35kb adwares :

malwarealarm.com - active - Adware.Spysheriff
xscanner.malwarealarm.com - active
scanner.malwarealarm.com - active
windowsafesurf.com - 403 forbidden
spy-shredder.com - Adware.Spysheriff
scanner.spy-shredder.com - active
proantivirus.net - expired
dragracers.biz - VirusBurst
antivermins.com - Application.Antivermins.B / Virus.Win32.Spycrush.B
adwareremover2007.com - Adware.Spysheriff

The enemy you know is better than the enemy you don't know, but on a large scale I fear the enemy I don't know, namely the hundreds of thousands script kiddies now empowered with open source and localized malware kits. Here are two more related blog posts on the RBN as well.

Wednesday, October 17, 2007

Thousands of IM Screen Names in the Wild

In the past, malware interested in establishing a one-to-one social engineering communication channel with potential victims, used to crawl the hard drive, even the web address book of the infected party looking for emails to self-email the binary to. And with the rise of instant messaging communications, malware authors adapted old techniques such as harvesting for emails to IM communications by introducing IM screen names harvesting and positioning the practice as both a product in the form of the segmented email databases of millions of emails already harvested, and as a service, by aggregating publicly available profile data to deliver targeted messages often in the form of phishing, malware embedded URLs, and spam. Hitlist's based malware is nothing new, it's actually malware authors borrowing the spammers "direct marketing" communication model, and while you cannot change your email's account name unless of course you're using a disposable or temporary email service, you can easily, in fact periodically change your screen name.

IM networks are on the other hand, slowly adopting a "save the world from the clicking crowd" security awareness model by blocking common malicious file and domain extensions, an initiative that's both applaudable and futile at the same time given the failure of URL filtering in today's dynamic and user-generated content Web. Go through an informative article by ScanSafe's Dan Nadir with comments on Signature-based detection, Heuristics, Code Analysis, Code reputation, URL Reputation, and Traffic Behavioral Analysis.

Tuesday, October 16, 2007

MPack and IcePack Localized to Chinese

It is logical to consider the possibility that once a malware author starts evaluating the benefits out of releasing a malware in an open source form, malware exploitation kits can also build communities around them. Since August, 2007, Chinese hacking groups can freely enjoy "the benefits" of IcePack's and MPack's malicious economies of scale attacking approach in the combination of a brain-damaging Keep It Simple Stupid exploitation tactic in the form of serving exploit URLs, which get automatically embedded via a web application bug, or via automated remote file inclusion enabled web site.

Let's once again emphasize on the research question of wouldn't such malware kits and tools have a higher value if kept private, and why someone release them in the wild? Couple of months ago, the tools themselves were used as a bargain for improving the UVP (unique value proposition) on a large scale, that's of course until they became a commodity. From my perspective, all warfare is based on deception, especially infowar, namely, if the idea of embedding an exploiting serving URL at a popular site in order to infect all of its visits becomes a commodity as an attack tactic, at the end it will be the ones whose fast-fluxing, javascript obfuscation, and timely crypting and rotating the malware binary skills will put them in a market leader position, where the new entrants, the ones cheering for having access to such tools will make the headlines, like the default malware kit installation wannabies they are.

By ensuring that the market segment for malware in this case, has many participants and is not concentrated and operated by a few over-performing groups is a highly beneficial from the perspective of the most skilled and advanced groups continuing their operations in between the noise generated by the rest of market challengers. Now Playing in Cyberspace - "The Revenge of the Chinese Script Kiddies".

Fast Fluxing Yet Another Pharmacy Scam

Spam and phishing are indeed starting to operate behind the curtains of a fast-flux network of constantly changing IPs of malware infected PCs that end up hosting the scams and phishing pages themselves for a certain period of time. And I'm certain that's a trend and not a fad given the potential for increasing the average time a phishing or a scam site remains online, even the inability prove a certain IP was hosting it at a given period.

Take for instance the latest Canadian Pharmacy spam campaign, where in between the fast-flux, they didn't even bother to register and use a legitimate SSL certificate, among the few visual proofs for the average end user that's ensuring a certain degree of security, yet, in order to establish more trust, dead link logos such as "Verified by Visa", "Secured by GeoTrust", "ScanAlert - Hacker Safe", and "Verisign" are included at the processing order page. To me, that's a typical Rock Phish mentality - efficiency vs quality of the phishing/scam campaign. The whole Canadian Pharmacy spam campaign is behind an affiliate program forwarding the responsibility for promotion (spamming) and fast-fluxing, to the participants.

DIY German Malware Dropper

Yet another publicly available DIY malware dropper this time courtesy of German compared to Russian malware crews, whose releases on the other hand are starting to live in a "high profit margins only" product/service business model, thus introducing propriatery malware tools like the ones I've discussed in a previous post. Why would a malware crew member release such a tool for free? Respect, ego, quota of tools released to meet in order to remain inside the team? Could be, but on several occasions such freely available tools get backdoored too, like just the source codes for popular malware kits.

You often hear that anti virus software is dead, that vendors end up their with quarters with meaningless percentage increases in every malware segment, meaningless in respect to the DIY trend. The idea has its pros and cons, no doubt about it, however it should orbit around different research questions such as :

- which AVs are more ineffective, the ones which are not running due to the process list of each and every anti virus software now easily integrated within each and every malware dropper and malware tool in the wild?

- or the ones whose often static update locations online get blocked by a malware in in order to prevent its detection supposedely to come in the next signatures update?

Here're related overviews of malware tools.

Monday, October 15, 2007

The Global Security Challenge - 2007

The Global Security Challenge have just announced the world's five most promising security startups chosen to compete at the GSC Final in London for a $500K grant this November. They are:

- Auxetix (UK) - fortifies protection against multiple explosions through helical-auxetic nets

- EyeMarker (USA) - scans the eye to rapidly and non-invasively assess a person's health

- NoblePeak Vision (USA) - enabling the rapid detection and identification of people and objects at night without active illumination

- Psylock (Germany) - identifies users through biometric analysis of typing behavior

- XID Technology (Singapore) - face synthesis technology for real-time 3D rediction/replacement in a 2D video

Disintermediating the main sources of R&D with innovation and cost-effectiveness in mind, is a business practice that's already embraced by numerous deep pocketed future clients interested in outsourcing innovation in the form of such contests. I'm particularly interested in Psylock's future development, and it's great to note that the folks behind this typing behavior authentication even set up a demo of the concept.

And given that the GSC are also embracing the blogosphere, let's wish them long-term passion and sustained professionalism in their initiative to fund promising security oriented startups.

Saturday, October 13, 2007

Managed Spamming Appliances - The Future of Spam

What's the future of spam? Spammers breaking CAPTCHAs of legitimate email providers and take advantage of their clean IP reputation to send out their junk, or spammers cooperating with botnet masters supplying newly infected hosts? Try outsourcing as a concept by renting a "managed spamming appliance" like the ones advertised as of recently.

This is an automatically translated excerpt from a recent proposition for a newly developed spam system that comes in the form of hardware with embedded botnet, just consider the idea for a second before reading and you'll get the point :

Among spammers very agreement that spam has become a profitable and die their last months, years. And it is understandable: profit fell, suppliers downloads expensive prices almost to the size of profits, a dozen well-known and had a good year or two ago turnover spammers departed from the market, so even monsters flow of spam once died theme ran in the stream than definitive did the topic boring.

I am pleased to present to you the technology that will make your distribution more efficient and voskresit characteristic of the spam profits.

Our software allows you spamit in such quantities that letter competitors simply lost among your. Also you get tools to control the delivery of letters and inboks spam those domains that are not being held by any other spam.

We have reached the maximum speed possible with the distribution of each bot and defended it against possible anti-virus and firewalls. In doing so, your botnety invincible. Interesting? And now in more detail.

Overall software works like any other botmeyler. Botnet controlled part of a server, it created letters and mailing bases loaded. Botha knocking over the job to a server, get a piece base, and a letter vdohnovlenno spamyat until the turn will come next door for the job.

Each server keeps 2500 + online bots, and the maximum speed reaches 7000 mailing letters per second, is the highest speed of all current market spam systems. Of course, the speed depends largely on the quantity and quality of downloads, quality and type of database (country, large domains, etc). 2500 online for you too little? No problem. Berit 2, 5, 10 servers, as long as you want.

In our system, there is every possible means to randomise from any randomise texts finishing randomnyh generate images on the fly or finished morphing images, as well as the ability to create their own makro-skripty. You can independently create and edit headers (if there is time to do so, fresh headlines you will download our spam-inzhenery).

You can do so zarandomlennye letter, as far themselves want. After randomization letter, you can immediately check finished look and see the results of the verification Spam Assasin ohm.

For specific newsletters (probiv major domains, etc), there is a possibility in detail settings bots (different types of reactions to the texts of error codes and mail servers). You can customize the system to thin to work with certain domains to improve the quality and speed of spam to these domains, identifying the individual parameters for each domain (how many letters it takes for a session timeouts, own blacklist bots, enter special codes for SMTP session for given domain, etc.)

To avoid zamorachivatsya processing bases on a separate server, all options included in the processing software. Among them: removal from the database of addresses abuzerov, splitting bases on the large and normal domains merger bases subtraction bases and checking for uniqueness.

24 hours a day, 7 days a week, you can use the services tehpodderzhki and complex issues of sending spam to discuss with our engineers. In addition, you can order the service "personal manager" who will help draw up a letter to monitor the continuous distribution, will help choose the supplier of downloads and decide on the overall strategy for working with partnerkami. The main advantages :

1. The speed and delivery. Average up-to medium-speed downloads of 1.5 letters per second from one spamyaschego bots, 2 to bots spamyat at speeds of 3000 letters per second, equal to 10 leading to millions of messages delivered per hour. This average figures for good loading each bot could spamit up to 3.5 letters per second.

2. The persistence of bots. Botha bypass all the latest version of anti-virus and faervollov, including the latest version of Zone Alarm, Outpost, Kaspersky, and the bot rigidly set in the system so that they are impossible to remove, even in safe mode. All innovation and refinement, we test drivers bots not only stands the test on different versions of the OS, but also on actual downloads from various suppliers. Cleaning loadera happens every day.

3. Convenience work, and further opportunities for constant refinement. We make the process convenient and efficient spam, the whole routine in the most automated, the time our customers spend at statov refresh. However, if you or your staff would like to have enough knowledge to extract the maximum from their bots and bases, you have a beautiful high-tech istrument it may izmennie any settings.

4. Business centers, skilled technical support. Complex program complex, which is fully explored - unique challenge, our support team will help you in any questions and solve any problems.

5. Flexible pricing policy. Our command is spam many years in different directions, and our customers are top-sellerami many partnerships programs we are familiar with the process of naslyshke not spam. With this experience and knowledge, we do your business more stable and profitable. Our tariff plans:

1-2 servers - $ 4000 per server
3-5 servers - $ 3000 per server

Let's summarize the key points :

- a "spamming appliance" comes with 2500+ zombie bots, capable of sending 7000 emails per second
- built-in verification for detection against common spam scoring systems
- managed anti virus bypassing capabilities and signatures based detection
- technical support

What's next to come? Possibly a USB stick with built-in C&C to a botnet with full admin rights.

Thursday, October 11, 2007

A Journey to the Heart of Internet Censorship

Reporters Without Borders just released their latest report on China's Internet Censorship practices, outlining how exactly bureaucracy intersects with technology, perhaps the worst combination I could think of :

"The report also documents how the Beijing Internet Information Administrative Bureau has in practice asserted its daily editorial control over the leading news websites based in the nation’s Capital. It gives many examples of the actual instructions issued by officials in charge of this bureau. The last part of the report gives the results of a series of tests conducted with the mechanism of control through filtering keywords. These tests clearly show that, though there are still many disparities in the levels of censorship, the authorities have successfully coerced the online media into submission to censor themselves heavily on sensitive subjects."

Information is not free, but it just wants to be free and you cannot control the rules of curiosity and the basic right to know who's what and what's when -- even if you shut down the Internet access inside the country. China's Internet censorship is on the other hand a driving force for academic research across the globe. Even wondered what are the latest blocked keywords discovered filtered over time? Try the list of blacklisted keywords discovered by ConceptDoppler, as of 19 Sep 2007, part of the ConceptDoppler project - A Weather Tracker for Internet Censorship.

Related posts:
Twisted Reality
China - the biggest black spot on the Internet’s map
Chinese Internet Censorship efforts and the outbreak
Securing Political Investments Through Censorship
World's Internet Censorship Map
China's Interest of Censoring Mobile Communications
South Korea's View on China's Media Control and Censorship
China's Internet Censorship Report 2006
Media Censorship in China - FAQ
Google and Yahoo's Shareholders Against Censorship
It's all About the Vision and the Courage to Execute it
Gender Based Censorship in the News Media
Real Time Censored URL Check in China
Censoring Flickr in China

Does This Blog Speak for Itself?

Before January 2007, I could only say that I'm glad to have you as a reader of this blog, but with the Talkr-ization of my blog during that month, I can now freely say I'm also glad to have you as both, a reader and a listener taking into consideration the interest in the audio versions of my analyses. It's great to follow the progress of the service and the efforts the folks behind it put into improving its quality. I can only hope that they reach Ms. Dewey's speech engine, even go beyond it by allowing customization in the form of different voices to choose from.

Moreover, all the readers who are interested in reading this blog on a mobile device, can do so via a newly started service called MoFuse that I'm using as of recently :

"MoFuse is short for Mobile Fusion. MoFuse was founded in July of 2007 and released it's first private beta in late September of 2007. MoFuse allows content publishers to create RSS driven mobile sites and gives our users the ability to control almost every aspect of the design using some of our AJAX features."

Enjoy!

Fast-Flux Spam and Scams Increasing

As I pointed out in my last series of posts assessing pharmaceutical scams and phishing campaigns, both, botnet masters, pharma masters, and rock phishers, are starting to take advantage of fast-flux networks to make it harder to trace back and shut down their operations. Here's a related article on the topic :

"With fast-flux, spammers continually change the URL in the e-mail to counter filtering efforts. The constant change requires a corresponding defense that recognizes those changes as they occur, Red Condor officials said. Fast-flux botnets turn IP addresses against anti-spammers. Using a large number of servers, fast-flux DNS uses a compromised PC as a proxy, frustrating investigators. In its September intelligence report, MessageLabs counted fast-flux DNS techniques as one of the key reasons botnets are hard to shut down. The MySpace worm that compromised thousands of MySpace users' sites earlier this year utilized fast-flux techniques."

Let's showcase this emerging trend. Take for instance some recently spammed .cn domains such as considerjust.cn and pageagainst.cn advertising a Canadian Pharmacy scam. The domains have an allocated space of IPs to rotate on each and every request to them, something you can easily verify by pinging them and see how their IPs change on every new ping in coordination with the allocated IP table you can see in the screenshot. It gets even more interesting, especially in terms of locating the main fast-flux domain, in this case it's mainseven.com, a central point for a great deal of other pharma domains in its fast-flux. Here are graphs of fast-flux spam and scam networks :




aaapills.org


comproper.com

lovelypills.com


fonteay.com


drugslovetown.com


abcmeds.org

As in every other competitive industry, pretty much all the market participants such as botnet masters, pharma masters, spammers and scammers, follow what the others are doing and by taking notice in which practices the others outperform them, figure out how to apply them within their practices at a later stage - competitive benchmarking within the underground ecosystem is already a fact.

Wednesday, October 10, 2007

Compromised Sites Serving Malware and Spam

Wish it was the average .cn domain I'm referring to, in this case it's the web sites of three U.S towns, namely the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts, who are the latest victims of embedded malware and blackhat SEO injected within their juicy from a blackhat SEO perspective .gov tld extensions.

Apparently, malicious parties managed to compromise City of Chetek's official site and created several subdomains with URLs consisting of spam redirecting to the downloader's page :

st-3.x.cityofchetek-wi.gov/porn/st3/502.html
st-3.x.cityofchetek-wi.gov/porn/st3/537.html
st-2.x.cityofchetek-wi.gov/porn/st2/322.html

2k.x.cityofchetek-wi.gov/porn/2k-003/1618.html

st-2.x.cityofchetek-wi.gov/porn/st2/409.html

The following URLs redirect to the downloader : freeclipoftheday.com/movie1.php?id=4154&n=teens&border=FFFFFF&bgcolor=000000

Detection rate : Result: 9/32 (28.13%)
File size: 75771 bytes
MD5: a74b09c7e6ca828ec0382c4f4f234bac
SHA1: 2861a4215dd2a579afe1e30372e05d2ea00223f2

City of Somerset, Texas official site is also embedded with the same blackhat SEO content structure, which leads me to the conclusion that these two are related :

2k.x.somersettx.gov/porn/2k-004/156.html
2k.x.somersettx.gov/porn/2k-004/313.html
2k.x.somersettx.gov/porn/2k-004/829.html
2k.x.somersettx.gov/porn/2k-004/830.html
st-5.x.somersettx.gov/porn/st5/103.html

Town of Norwood, Massachusetts :

sql.norwood-ma.gov/libraries/transformations/.dir/132/valium-cost.html
ldap.norwood-ma.gov/htdocs/js/.dir/12/valium-online-order.html

Several more high profile sites hosting such scams I came across to yesterday are NASA's Worldwind, and the State of New Jersey that used to historically host such pages :

issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.html

nj.gov/education/voc/9/2007/
nj.gov/education/voc/9/2007/viagra/viagra-online.html
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html
nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html

Moreover, during the last week, another pack of sites were also reported to serve malware, spam, and blackhat SEO pages on their servers :

Just yesterday for instance, F-Secure discovered a phishing page hosted at India's Police Academy site, and
Sunbelt pointed out that Beer.ch got IFRAME-ed with the following URLs belonging to the Russian Business Network who also IFRAME-ed Bank of India once :

81.95.149.74/1/index.php
81.95.149.74/22/index.php

How is all this happening? In both, automated, and sometimes targeted way, where automated stands for remote file inclusion through botnets.

Incentives Model for Pharmaceutical Scams

Sometimes, it's unbelievable how easy is in fact to social engineer people on their way to "make a deal" online, especially when buying pharmaceuticals online. Let's discuss organized pharmaceutical scams the way I perceive them, which like phishing also aim at reaching the efficiency level.

It's a public secret that Amazon.com's success in terms of sustained profitability has to do with their affiliation based model, namely "let the others do the sale for you". Pharmaceutical scammers have been anticipating this model for quite some now, a model where the pharma masters forward the processes of collecting potential customers (emails harvesting), contacting them and letting them know of how cheap their pharmaceutical are (spamming), enticing them to initiate a transaction with a fancy and professionally looking like site (freely available pharmacuitical web site templates) to those who become part of an affiliate network like the one you can see in the screenshot.

Pharmaceutical scammers have their own fast-flux networks of constantly changing domain and IP addresses, shared hosting of multiple scams in different segmets. Remember meds247.org? It's still up and running but the javascript obfuscation I reviewed before is now pointing to web server's directory whose main index hosts a p0rn site - center4cares.com, so you have a p0rn site that's hosting viagra propositions - "insightful". Moreover, pharmacuitical scam campaigns are also known to use free web space providers as doorway pages in the form of redirectors. For instance, the most recent spamming campaign promoting a Canadian Pharmacy scam located at rxlovecaptain.com, is taking advantage of the already established trusted brand of Geocities to redirect the spammers users to the main page :

geocities.com/MorganLogan82
geocities.com/AishaDeleon78
geocities.com/CarsonNguyen93

If efficiency truly matters from a scammer's perspective, we may soon witness actual DIY marketing packages with templates, "collection of potential customers", and a list of services to use when "contacting them". Now, if the pharma masters want to diversify as well, they can vertically integrate by owning or renting the spamming services themselves, something I haven't come across to - yet.

Monday, October 08, 2007

Assessing a Rock Phish Campaign

The majority of Rock Phish campaigns usually take advantage of a single domain that's hosting numerous different phishing scams targeting different financial organizations. However, another trend is slowly emerging and that is the development of phishing domain farms, either taking advantage of a shared hosting as you can see in the graph on the left, or fast-fluxing the campaigns to increase the average time a phishing site remains online. Here's the interesting part acting as proof on the emerging trend of so called malicious economies of scale, and also, showcasing Rock Phish's effiency vs security trade off due to the centralization of the campaign on a single IP only. In this campaign we see a single IP (200.77.213.15) hosting 38 rock phish domains, that on the other hand in a typical Rock Phish style host multiple phishing pages targeting different companies.

Meanwhile, there's still a lot of confusion going on about what exactly Rock Phish is, and as you can see in this article, it's wrongly implied that it's some sort of a phisher's group :

"Nobody knows exactly who or what Rock Phish are -- whether it's one person or a group of people -- but security researchers believe Rock Phish is behind as many as half of all phishing attacks on the Web. Fast flux is a method by which a domain name that phishers use has multiple IP addresses assigned to it. The phishers switch those domains quickly between the addresses so that it's not as easy to find or shut down the phishing sites."


"Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle through domain names and IP addresses. They obscure their origin with botnets, which automate unwitting consumers’ computers to send out spam."

In reality, Rock Phish is a script taking advantage of the now commoditized phishing pages of each and every web property and company that is a potential victim, hosted on a single domain in order to achieve efficiency. Once the script and the phishing pages are in the wild, the entry barriers into phishing scams become significantly lower allowing novice phishers to easily launch what used to a professional phishing campaign much easier than ever.