Don't play poker on an infected table part two. The following three online casinos are currently serving embedded malware in the form of IFRAMES and the average javascript obfuscation.
The first one is poker.gagnantscasino.com (213.186.33.4) with current obfuscation loading statistics-gdf.cn/ad/index.php (116.0.103.133) where another obfuscation loads, deobfuscated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around with the host for too long results in zero malicious activity, at least they make you think so. Here's another internal URL statistics-gdf.cn/ad/index.php?com
Detection rate : Result: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb
Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.
The second casino is fabispalmscasino.com (82.165.121.138) with current obfuscation attempting to connect to the now down stat1count.net/strong, a host residing on a netblock I covered before showcasing a scammy ecosystem. The third one is sypercasino.com which was resolving to 203.117.111.102 early this week, and taking advantage of WebAttacker at sypercasino.com/biling/index.php. Now it resolves to 58.65.236.10 and promotes banner.casino.com/cgi-bin/SetupCasino.exe
Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851
It's interesting to monitor how people behind these manually change the obfuscations to further expand their connections with other scammers, or services and attack approaches they use, and even more interesting to see it happen on-the-fly just like meds247.org for instance.
Don't play poker on an infected table.
Having found a static pattern for identifying a Rock Phish domain a couple of months ago in the form of the bogus "209 Host Locked" message, the Rock Phishers seems to have picked up the finding and changed the default domain message to "66.1 Host Locked" as of recently. Here are the very latest Rock Phish domains using this :
Moreover, a recently released survey results by Cloudmark, whose study into the Economics of Phishing is also worth going through, indicates that current and prospective customers of a certain brand lose trust in it, if they're exposed to phishing emails pretending to be from that brand :
The survey revealed that:
- 42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand
The last point is perhaps the most insightful one, given it has to do with self-awareness and responsibility, forwarding the responsibility to the provider of the email service, and best of all, seeking more responsibility in fighting outgoing phishing and spam compared to incoming one.
Once you anticipate your success, you logically start putting more efforts into achieving a decent level of efficiency in the process of breaking CAPTCHA, now that's of course in between commercializing your know-how. CAPTCHA breaking or decoding on demand has been a reality for a while, with malicious parties empowered by proprietary tools, publicly available DIY CAPTCHA breakers, or services like this one doing it on demand.
The following service is offering the possibility for CAPTCHA decoding on a per web service basis, and enticing future customers by providing percentage of accuracy, the price, and the ease of difficulty of breaking it. CAPTCHA decoding is listed for the following services : 9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ, Google. Moreover, Ticketmaster's the most expensive one, followed by Ebay's CAPTCHA decoding process.
What happens when malicious parties cannot directly decode the CAPTCHA? They figure out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the process while sacrificing some of the efficiency, but continuing to achieve their objective.
Following the series of posts on early warning security events systems, Secure Computing have just announced a major upgrade of their threat intell service :
Informative and recently released study by ENISA on the problem of botnets, especially the emphasis on how client side vulnerabilities surpassed email attachments, and downloading of infected files as infection vectors. Not because these aren't working, but because of the botnet's masters attitude for achieving malicious economies of scale has changed. Despite that we can question whether or not they put so much efforts while strategizing this, let's say they stopped pushing malware, and started coming up with ways for the end users to pull it for themselves :
"The most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Currently, the most dangerous infection method is surfing to an infected webpage. Indications of a bot on your computer include e.g.: Slow Internet connection, strange browser behavior (home page change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart programs etc."
Here's the entire publication - "Botnets - The Silent Threat" by David Barroso.
The never ending IFRAME-ing of relatively popular or niche domains whose popularity is attracting loyal and well segmented audience, never ends. Which leads us to part two of this series uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful, the point is that all of these are connected.
Affected sites :
Epilepsie France - epilepsie-france.org
Iran Art News - iranartnews.com
The Media Women Forum - yfmf.org
Le Bowling en France - bowling-france.fr
The Hong Kong Physiotherapists Union - hkpu.org
The Wireless LAN Community - wlan.org
The First HELLENIC Linux Distribution - zeuslinux.gr
The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank (weiterweg-intl.com) according to Artists Against 419. Within the domain, there were small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the following :
88.255.94.246/freehost1/chris0039/lu/dm_0039.exe
81.29.241.238/freehost1/chris0031/lu/dm_0031.exe
An Apophis C&C panel was located in this ecosystem as well. Among the other files at pornopervoi.com, are pornopervoi.com/i.php where we're redirected to the second one spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting provider is also embedded with pornopervoi.com/m.php again forwarding to spelredeadread.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that's also pointing to pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornopervoi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution.
Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.
Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
A Portfolio of Malware Embedded Magazines
Possibility Media's Malware Fiasco
The "New Media" Malware Gang
Another Massive Embedded Malware Attack
Read this a couple of times, than read it several more times, and repeat. It's usually "powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth at one point, and a combination of intergalactic security statements in respect to the "massive amounts of computing power required" to solve the "security problem" at another. Stop predicting weather and assessing the impact of global warming, and command the supercomputers to figure our the scientific mysteries behind common insecurities :
"Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hacker's own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target. Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time."
The operating systems and the software we use can be truly secure, but will be useless compared to the currently insecure, but useful ones we're using. Now here's a great and straight to the point article, that's segmenting the possible uses of a host that's already been compromised, a great example of how innovations in terms of improved Internet connectivity, increased CPU power, and flexibility of online payments both steamline progress, and contribute to the growth of the underground.
Beat malware by doing what malware authors do? Sounds great. Malware authors outsource, do it too. Malware authors embraced the on demand SCM concept, embrace it too. Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by providing them with DIY malware creation tools in order for them to make the headlines at a later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with rocket science theoretical models and shift the focus from the pragmatic reality just the way it is - consolidation, outsourcing, shift towards a service based economy, quality and assurance of the malware releases, malicious economies of scale in the form of malware exploitating kits, ones it's getting hard to keep track of these days.
At the bottom line, how to solve the "malware problem"? It all depends on who you're solving it for. Long live marginal thinking.
Related posts:
Malware - Future Trends, January, 2006
Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Managed Spamming Appliance - The Future of Spam
Multiple Firewalls Bypassing Verification on Demand
It was about time someone comes up with an in-depth study summarizing all of the Russian Business Network's activities, as for me personally, 2007 is the year when bloggers demonstrated what wisdom of the crowds really means, by putting each and every piece of the puzzle to come up with the complete picture, one the whole world benefits from. A highly recommened account into the RBN's activities courtesy of David Bizeul's "Russian Business Network study" :
"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive by download exploits, for collecting malware stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."
What contributed to such a well coordinated exposure of the RBN during the last two quarters at the bottom line? It's not just security researchers exchanging info behind the curtains, but mostly due to RBN's customers confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, until recently when DIY IP blocking rulesets were available for the world to use, they undermined their abilities to remain undetected. In fact, I was about start a contest asking anyone who can come up with a IP with a clean reputation within the RBN's main netblock right before it dissapeared, and would have been suprised if someone managed to find one.
The RBN doesn't just makes mistakes when its customers embedd malware hosting and live exploit URLs on each and every malware and high-profile attack during the year, it simply doesn't care in covering its tracks and so doesn't their customers as well. RBN's second biggest mistake for receiving so much attention is their laziness which comes in the form of over 100 pieces of malware hosted on a single IP, without actually bothering to take care of their directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come up with yet proof of a common belief into their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale that malware authors achieve due to DIY malware kits using outdated exploits compared to bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every of the several Storm Worm related IPs that I covered once were returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.
This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from each and everyone's contribution - in this case exposing the RBN.
How would the RBN change its practices in the upcoming future given all the publicity it received as of recently? They will simply stop benefing from the easy of management of their old centralized infrastructure, and will segment the network into smaller pieces, but while still providing services to their old customers, they're easy to traceback, and to sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploits hosting URLs under several different netblocks.
It's also great to note that David's been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN practices.
Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network
The recently released "What’s In A Name: The State of Typo-Squatting 2007" is a very in-depth and well segmented study into the topic, you should consider going through :
Introduction
Typo- and Cyber-squatting on the rise
Key Findings
Methodology
Rankings by Category
Sample site: McAfee.com
The Economics of Typo-Squatting: Why it Works
What is driving the increase in typo-squatting
The decline in adult content on typo-squatters
Discussion of our methodology
Defining Typo-Squatting
Other Methods for Combating Typo-Squatting
Conclusions
Complete Results
Is it just me using bookmarks and only risking to fall victim into a pharming attack, compared to manually typing and mistyping an URL? My point is that coming across several articles emphasizing how important typing the right URLs is, I think they've missed an important point which is that typosquatting by itself isn't that big of a security threat, but in a combination of tactics it becomes such. There's no chance you will ever mistype an URL such as paypal-comlwebscrc-login-run.com, a typosquatted domain like the ones I covered in September, since these ones come in as phishing emails hosting a Rock Phish kit, namely they turn into threats when combined with other tactics. Blackhat SEO is another such tactic. The type of buy-cheap-iphones.com always aim to trick search engines into positioning them among the first 20 results, and they often succeed until a search engine figures out it's a blackhat SEO spam and removes it from the index.
Here's an example of such combination of tactics, use-iphone.com for instance was spammed according McAfee, the folks behind the study. What's was use-iphone.com all about? Icepack kit in action - use-iphone.com/ice-pack/index.php.
Redefining malware to minimize the negative public outbreak by renaming it to Remote Forensic Software, now that's a evil marketing department's positioning strategy in action. I've already discussed how inpractical the utopian central planning of a security industry is, and while you're limiting the access to the tools who may help someone unethically pen testing an internal asset, you're also limiting the possibility for the discovery of such vulnerable asset - basically a false feeling of security, you don't touch it, it doesn't move, until of course someone else outside your controlled environment comes across it, the way they will sooner or later since it's an open network, one you benefit from, but cannot fully control.
Australian law enforcement have been using spyware for a while, and Austria following Germany's interest into the concept is getting involved too:
"Germany is hiring software specialists to design "white-hat" viruses that could infiltrate terrorists' computers and help police detect upcoming attacks, an Interior Ministry spokeswoman in Berlin confirmed Saturday. The government is still drafting legislation to permit snooping via the internet under judicial control, but has decided there is no time to lose in developing the "remote forensic software." The ministry said the BKA federal police had been instructed to resume the development and hire two specialists."
Are cyber criminals or bureaucrats the industry's top performer? In November, 2008, we'll be discussing how come so much money were spend to develop the malware, given the lack of any ROI out of this idea during the entire period, whereas DIY malware tools are not just a commodity, but also freely available for a law enforcement to use. Moreover, emailing malware is so old-fashioned and noise generating, that even the average Internet users knows "not to click on those email attachments sent from unknown source". A far more pragmatic approach would be to embedd the malware on sites suspected of evangelizing terrorism, or radicalizing their audiences, by doing so you'll end up with a larger infected sample, and eventually someone, let's say 1 out of 10,000 infected will turn out to be a terrorist, by whatever definition you're referring to in the case. Even more pragmatic, by requesting a botnet on demand, and requiring the botnet master to tailor your purchase by providing you with infected hosts in Germany whose browser language, and default fonts used are Arabic, you will not just save money, but will increase the probability of coming across a stereotyped terrorist, by outsourcing the infecting stage to those who excell at it.
Excluding the sarcasm, it's your money that go for funding of such initiatives who basically "shoot into the dark" to see if they can hit someone. Even if they manage to infect someone, more staff will be required to monitor the collected data, which means more money will go into this, ending up with an entire department monitoring wishful thinking and thought crime. Geheime Staatspolizei anyone?
If you really want access to real-time early warning threat intell for possible threats, monitor the public cyber jihadist communities don't come up with new ones to use them as honeypots for cyber jihadists, identify local residents, evaluate their state of radicalization and attitudes towards standard terrorist ideas, prioritize, and take action if necessary.
Cartoon courtesy of Mahjjob.com
At first it appeared that it was just the official site of Goa's DoIP, that's been defaced by Turkish defacers, but looking further the campaign gets much bigger than originally anticipated :
"The official website of the Goa government’s Department of Information and Publicity (DoIP) - goainformation.org - was hacked by a group of Turkish militants on Saturday. The hacker has not only defaced the website, replacing all information with the group’s propaganda material in Turkish language, but also posted some gory pictures of slain terrorists. The DoIP has now lodged a complaint with the Panjim Police and the Panjim crime branch is investigating the matter."
The campaign is aiming to send a PSYOPS signal to the rest of the world regarding the recent tensions between Turkey's military operations in northern Iraq against PKK, an action the U.S doesn't seem to enjoy at all. Some sample defaced sites are savymedia.com; itrit.com; sledderforever.com; pssoc.org; youthblood.org; prisonministry.com. The defacers are sending the following message :
"The United States of America who is feeding on and strengthening behind closed doors the universal terrorists, is the greatest terrorist country. pkk/kadek/hpg/kkk is the world's most bloody and brutal terrorism group. They killed approximately 35.000 innocent people without any cruel till now. All the nations and states must know which are supporting these bloody and brutal terrorism groups, supporting terrorism will brings suffer and deathness. We are always be a side of peace. but we have always some words to say these terrorists "which" wants to seperate us and kill innocent people"
Moreover, Turkish hacktivists from another group have also been active recently by defacing the Assyrian Academic Society, Assyrian actress and author Rosie Malek-Yonan's site, and International Campaign to Support the Christians of Iraq petition's site. Three other Turkish hacktivists are also currently defacing under the handles of NusreT, MUSTAFAGAZI, and Storm, using the same defacement templates. The first group is reachable at a closed forum turkmilliyetcileri.org, and the second at turkittifak.org. Apparently, these groups are all under the umbrella of the Turkish Republican Hackers group.
In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be. A Chinese phishing group have come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their original .cn domains, and by doing so achieve its ultimate objective - establish trust through typosquatting, remain beneath the security vendors radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.978bg33.cn
Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.
Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :
repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com
grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net
However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :
78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)
What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :
81.95.149.236/us3/index.php
81.95.148.162/e202/
In case you also remember, some of this group's URLs were also used as communication vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.
Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is stimulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, and adding an additional layer of social engineering tricks by obtaining the PCs details with simple javascript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in upcoming marketing campaign or service to come. SpywareSoftStop's statements :
"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com that's now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe) will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of a DIY malware courtesy of Pinch.
Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used : geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geocities.com/GounodNanon5 (down). Original message of the spam campaign :
"Hallo! Meine Name ist Polina. Ich bin Studentin und Ich habe zur Germany zu lernen angekommen . Ich suche mich den Freund und der Sex-Partner. Aller dass Ich will es ist ein guter Mann. Sie sollen ernst, sicher, klug sein. Geben Sie mich zu wissen wenn Sie wollen mit mir treffen. Ebenso konnen Sie einfach mein Freund sein. Sie konnen meine Fotos auf meiner Seite sehen: geocities.com/MediciChavez7861 BITTE, NURR DIE ERNSTE Vorschlages. KUSSE, POLINA"
The fake lonely German student Polina was also accessible from other URLs as well - ThePagesBargain.ru/polina; dibopservice.com, both now down as well as the main 58.65.238.36/polina URL which is forwarding to baby.com in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible - 58.65.238.36/index2_files/index3.htm; 58.65.238.36/index2_files/index.htm, and so is the malware itself - 58.65.238.36/iPIX-install.exe.
Malware campaigners are not just setting objectives and achieving them, they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January, 2006, I emphasized on the emerging trend of localization in respect to malware, take for instance the release of a trojan in an open source form so that hacking groups from different countries could localize it by translating to their native language and making it even more easy to use, as well as the localization of MPack and IcePack malware kits to Chinese. In this campaign, a localized URL was also available targeting Dutch speaking visitors 58.65.238.36/polinanl, so you you have a German and Dutch languages included, and as we've seen the ongoing consolidation of malware authors and spammers serves well to both sides, spammers will on one hand segment all the German and Dutch emails, and the malware authors will mass mail using localized message templates. Great social engineering abusing a common stereotype that for instance German users were definitely flooded with English messages courtesy of Storm Worm targeting U.S citizens, which is like a Chinese user who's receiving a phishing email from the Royal Bank of Scotland - it's obvious both of these are easy to detect. Which is what localization is all about, the malware and spam speaks your local language. One downsize of this campaign is that Polina doesn't really look like a lonely German student, in fact she's a model and these are some of her portfolio shots.
Let's discuss how are the malware campaigners coming up with these Geocities accounts at the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? Could be even worse - they may be buying the already registered Geocities accounts from another group that's specializes in registering these, a group which like a previously covered concept of Proprietary Malware Tools is earning revenues based on higher profit margins given they don't distribute the product, but provide the service thereby keeping the automatic registration process know-how to themselves. Once the authentication details are known, the process of anything starting from blackhat SEO, direct spamming, malware hosting, and embedding such scripts, even IFRAMEs in a fully automated fashion.
Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course. vaichoau.com fake watches, pimpmovie.net malware C&C, urolicali.com.cn spammers, westernunion.reg-login.com a phishing url.
Just when you think you've seen everything "evil marketers" can come up to both, consciously and subconsciously influence your purchasing behaviour and improve the favorability scale towards a company - you can still get surprised. After a decent example of the DIY marketing concept, Microsoft's perception of security as a "threat from outer space", an example of rebranding a security vendor, the Invible Burglar game, here comes another good example of new media marketering practice - while some companies seek to embed their logos into popular games, others are coming up with ones on their own. Symantec's Endpoint Protection Game - a first person shooter where the typically mutated creatures are replaces with viruses, spyware and rootkits is what I'm blogging about :
Having had their blogs removed from Wordpress in a coordinated shutdown operation courtesy of the wisdom of the anti cyber jihadist crowd, The Ignored Puzzle Pieces of Knowledge and The Caravan of Martyrs have switched location to these URLs - inshallahshaheed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ignoredknowledge.blogspot.com. Apparently there's an ongoing migration of cyber jihadist blogs from Wordpress to Muslimpads presumably with the idea to increase the time from a TOS abuse letter to shut down, if shut down ever occures given Muslimpad is significantly biased in removing such positioned as "free speech" communities given it's hosting provider is islamicnetwork.com. Should such propaganda be tolerated? This is where the different mandates of anti cyber jihadist organizations across the world contradict with each other. Some have a mandate to shut down such blogs and sites as soon as they come across such, others have a mandate to monitor and analyze these to keep in pace with emerging threats in the form of real-time intelligence, and in the near future other participants will have a mandate to infect such communities with malware ultimately targeting the cyber jihadists behind them or the visitors themselves.
The bottom line - the propaganda in the form of step-by-step video of an attack in question is a direct violation of their operational security (OPSEC) thereby providing the world's intelligence community with raw data on their warfare tactics. The propaganda's trade off is similar to that of the Dark Cyber Jihadist Web, while you may want to reach as many future recruits and "converts" as possible, you increase the chance of an intelligence analyst coming across your community, compared to closing it down to sorted and trustworthy individuals and therefore limiting the number of potential future jihadists. Inshallahshaheed are however, going for mass marketing with full speed, and in fact maintain a modest repository of videos at inshallahshaheed.vodpod.com. By the way, what's the difference between wishful thinking and thought crime? It's a threat that proves there's a positive ROI of your actions.
Related posts :
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
It's been a while since I last participated with an article for WindowSecurity.com, so here it goes - Popular Spammers Strategies and Tactics :
"During 2007, spammers on a worldwide basis demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy the benefits of having a spam-free inbox. What strategies do spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verify their validity, ensure they reach the highest number of receipts as possible in the shortest time span achievable, while making sure their spam campaigns remain virtually impossible to shut down?"
The article covers strategies and tactics such as : Redirectors/doorway pages; Rapid tactical warfare; Verification/confirmation of delivery; Consolidation; Outsourcing; and Affiliation based models.
Despite the fact that the Electronic Jihad 3.0 campaign was a futile attempt right from the very beginning, given the domains that were supposed to synchronize the targets to be attacked were down, it's interesting to try finding out who were they targeting at the first place? In the first campaigns, the URLs of the targets, not the victims since they couldn't scale enough to cause even partial damage, were obtainable via the web, compared to the third one where they were about to get synchronized. And since the synchronization URLs were down before we could take a peek, here are the targets URLs from the first two campaigns.
First campaign's targets list :
gov.il
keshmesh.net
meca-love4all.com
love4all.us
Second campaign's targets list :
love4all.us
islameyat.com
aldalil-walborhan.com
rapsaweyat.com
investigateislam.com
meca-me.org
ladeeni.net
meca-love4all.com
The attached table is the classificaton of the attacks, as site to be attacked, reason for the attack, importance, the results, and the site's status after tha attack, namely is it up and running or shut down completely, and how shutting it down would please God.
There's a saying that a person is judged by the type of enemies he has. If we apply it in this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest enemy is their idiocity at the first place. So, if these are the cyber jihadist enemies of yours - lucky you, and your critical infrastructure's integrity.
In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the now, retro WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam (pctabletshop.hk) on the second parked domain, and an investment banking scams on another two - progold-inv.biz; cfinancialservice.com. Now, all they're missing is a Rock Phish kit hosted on it and it would have made it an even more interesting operation to monitor. Of course putting more personal efforsts into everything pays off. The same netblock is also hosting such popular downloader's update locations and live exploit URLs such as stat1count.net; all1count.net; and the recently appeared on the radar mediacount.net (88.255.90.253).
Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community, are such online archives with localized to Arabic standard security and hacking research papers, ones you definitely came across to before, or may have in fact written by yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using software and web services of their enemies. Whether the investment in time and resources is worth it is another topic, what's worth pointing out are the efforts they put into localizing the content in between adding the standard propaganda layer, and later on, building a community around it.
Want pr0n? Try .gov domains in general, ones that have been getting the attention of blackhat SEO-ers for a while, just like the most recent related cases where the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post, the blackhat SEO tool is the same given the static subdomains generated, what remains to be answered is how they've managed to get access to the control panels of the domains in order to add the subdomains? Let's look at the facts :
m21.selma-al.gov
a1.a.vihfa.govz1.z.vihfa.gov
This particular incident is interesting mostly because we have a good example that once a site gets compromised the potential for abusing the access for malware distribution becomes very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday, now down due to notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file at autobroker.com.pl/l.php was launching the downloader :
TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e
the downloader then drops the following bankers that are strangely hosted on the French site Opus Citatum, and are still active :
opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe
Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e
opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr
Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc
The campaign was originally spammed with the messages : "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can see in the attached screenshot.
More info about banking malware, comments on a recently advertised metaphisher malware kit with banker trojans infected hosts only showcasing the malicious economies of scale botnet masters mentality, as well as related posts on targeted malware attacks.
Such early warning security events systems always come as handy research tools for security analysts and reporters, and it's great to see that more and more vendors are continuing to share interactive threats data in real-time, type of data that used to be proprietary one several years ago. Commtouch's recently announced Malware Outbreak Center is another step in the right direction of intelligence data sharing, and building more transparency on emerging spam and malware outbreaks :
"The Commtouch Malware Outbreak Center displays a sample of email-borne malware that has recently been detected and blocked by Commtouch's Zero-Hour(TM) Virus Outbreak Protection solution. It also incorporates data from AV-Test.org, an independent third-party organization that tests most of the commercially available anti-virus scanners. This data enables the Center to publish comparative detection times for leading AV vendors, a first in this comprehensive format which includes malware variant checksum. Detection times are critical, since individual virus variants often peak and then nearly disappear, all in under three hours. IT managers now have access to an online tool that allows them to verify their AV vendor's performance for each new outbreak, and to download comparative data per malware variant."
Zero day DIY malware, and open source one undermine the reactive response time's model, but without anti virus signatures in 2007 your company and customers would still be getting infected by outdated Netsky samples - it's a fact, yet not the panacea of dealing with malware, and has never been. Another important issue that deserves to be discussed is the issue with the virus outbreak time of different vendors in Stormy Wormy times for instance. In the past, vendors were even using their detection in the wild, and on-the-fly binary obfuscation which in times of open source malware results in countless number of variants. Good PR is vital, and so is gaining competitive advatange in the minds of prospective customers by positioning the company among the first to have responded to the outbreak, but it raises the issue on the degree of exchanging malware samples between the vendors themselves, and the lack of transparency here. The way initiatives in the form of honeyfarms contributing hundreds of malware samples, and "wisdom of crowds" end users filling the gaps in reactive response indirectly protect millions of customers on behalf of anti virus software, in this very same way exchanging malware samples in the shortest possible time frame, ultimately benefits each and every customer and organization that's having an anti virus in its perimeter defense strategy.
A non-profit honeyfarm can collect hundreds of thousands of undetected malware samples in a single month, let's speculate that it could even outperform a small AV vendor's malware aggregation capabilities. In the anti virus industry, branding is crucial and therefore the non-profit honeyfarm cannot enter the market, instead, it's only incentive to donate the samples to the anti virus vendors is that of social responsibility. AVs should build more awareness on the importance of malware samples sharing among them, compared to pitching themselves as the vendor who first picked up the outbreak and protected its customers. Bargaining with someone's upcoming infection isn't that much of a success if you think about it. "Hey that signature is mine" days should have been over by now.
Moreover, it's a basic principle of every competitive market that the more competition, the more choices the customer would have, thereby making vendors innovate or cease to exist in irrelevance. Does the same apply to the anti virus market? Can we have a built-to-flip honeyfarm into an anti virus vendor to be later on acquired and integrated within a company's existing products portfolio? Let's hope not, and it's doubtful as there's a difference between an anti virus software and an "anti virus software", at least from the perspective that the second "anti virus software" may be occupying markets that could have otherwise been served by a better market proposition. Product development of an AV courtesy of a security vendor's products portfolio given the vendor realized that a huge percentage of security spending goes to perimeter defense solutions can be tricky, and even if acquisition has taken place you'd better stick to a company whose core competency is anti virus solutions.
Still Living in the Perimeter Defense World?
Yesterday, Paul Ferguson tipped me on the sudden disappearance of the Russian Business Network. And just like babies have different understanding of day and night, the RBN isn't interested in going to sleep too, in fact there's a speculation that they're relocating their infrastructure to China, speculation in terms of that it could be another such localized RBN operation :
"Jamz Yaneza, a Trend Micro research project manager, agreed. "We're seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they're changing houses, changing addresses. The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular."
It's always a pleasure to monitor the RBN, a single activity on behalf of their customers represents an entire sample to draw conclusions out of. Catch up with such activities like over 100 Malwares Hosted on a Single RBN IP, Fake Anti Virus and Anti Spyware Software, and the most recent Fake Suspended Account Messages while the IPs are alive and serving exploits and malware. Well, used to.
UPDATE: RBN - Russian Business Network, Chinese Web Space and Misdirection
It's intergalactic security statements like these that provoked me to do my most insightful research into the topic of what is cyber jihad, or what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter as it happened in August, and so I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not the coordinated DDoS attack executed in such way that should be feared, but cyber jihadists outsourcing the process. Despite that absolutely nothing has changed in respect to the way the program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky - Al Qaeda cyber-jihad to begin Nov. 11; The e-Jihadists are coming, the e-Jihadists are coming!; Report: Al Qaeda to Launch Cyber-Attack on Nov. 11; Al-Qaeda Planning Cyber Attack?.
In a people's information warfare incident where the ones contributing bandwidth would on purposely shut down their AVs, does it really matter whether or not an perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using their company's bandwidth for the purposely, an environment in which they are hopefully not being able to shut down the AV, thus forwarding the responsibility for the participation in the attack to their companies.
All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.
During the weekend, the entire Newsland.ru which is among the most popular Russian news portals, was marked as as "this site may harm your computer" by StopBadware.org due to an IFRAME embedded link pointing to where else if not to the RBN. Considering that each and every embedded malware attack during 2007 that I assessed in previous posts, had something to do with the RBN in the form of a single RBN IP which was used in numerous malicious activities all at once, different sites get embedded with it, blackhat SEO postings at different forums etc. in this one the parties behind the attack dedicated a special IP with what looks like as a clean IP reputation. A cached copy of the page will still load the live exploit url at 81.95.150.115/cgi-bin/in.cgi?p=user1 What really happened at Newsland.ru? Was it an end user who submitted a news story with the somehow embedded IFRAME to sort of conduct unethical competitive engagement by having Google mark the entire portal as harmful, or it was planned and executed on purposely?
In another such incident, Podfeed.net was recently hacked and malware embedded at its front page. The now clean site however, used to have an embedded link, over 20 times to be precise, pointing to the following URL :
yl18.net/0.js (125.65.77.25) with the .js having two IFRAMEs within, namely yl18.net/0.html - 404 dead, and the second IFRAME yl18.net/z.html which loads a third IFRAME within, pointing to yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely on yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on high trafficked sites such as cincinnatiusa.com; cincinnati.com; guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the ISC's blog has some detection rates while the malware was still active. This embedded malware campaign is a perfect example of an ongoing cover up, just like the case when several hours after the community started looking at the Bank of India's malware serving site and the RBN URL removed the javascript and redirected it to Google.com, and we had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name has changed several hours later for yet another time. The same is the situation withe the malicious parties behind Possibility Media's malware attack that once started getting visited by security vendors replaced all their main index page with a "get lost" message, as well as with RBN's fake "account suspended" messages which aren't really in a process of cover up, but in a deception stage like always.
While I was researching a third domain that was serving a Banking trojan, and loading IFRAMEs to sicil.info which in case you don't remember is the IFRAME behind the Syrian Embassy hack, I came across to injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions just like the Russian Business Network did recently, and while in RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks. And you you already know while reading my previous assessments and the connections between them, one of the attack IP's in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.
Key points :
- a Turkish defacer is taking advantage of an remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly
If you don't take care of your site's web vulnerability management, someone else will.
