Thursday, July 26, 2007

More Malware Crypters for Sale

There's an ongoing trend among malware authors to either code malware crypters and packers from scratch and sell them at a later stage or, even more interesting, to obtain the source code of publicly available crypters, modify it, add extra features and new encryption routines, and put the result up for sale. The rise of DIY malware crypters enables literally everyone to fully obfuscate an already detected piece of malware, so that where nothing but signature-based virus scanning is in place, the infection succeeds.

The first crypter has the following options :

- Memory execution: injection into its own process, execution inside the default browser's process, or no in-memory execution at all, with the payload simply dropped to disk
- Custom encryption with a configurable minimum and maximum number of encryption layers, RC4, and compression through the NTDLL compression API
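To make the "min and max encryption layers" option concrete, here is an added example (not code from the crypters being sold or from the original post) that wraps a constructed, harmless stand-in payload in several RC4 layers and then checks what a signature-only scanner sees versus what a byte-entropy heuristic sees. The payload bytes, the signature string and the layer keys are all made up for the demonstration.

```python
"""Added example: layered RC4 'crypting' of a fake payload, and why a
signature-only scanner misses it while an entropy check still notices."""
import math

# Constructed stand-in for an already-detected malware body. It is not a real
# binary; it only mimics the shape (a header, some strings, lots of padding).
SIGNATURE = b"PAYLOAD_BEACON_C2"          # the byte pattern an AV definition keys on
PAYLOAD = (b"MZ\x90\x00"
           + b"This program cannot be run in DOS mode."
           + b"\x00" * 200 + SIGNATURE + b"\x00" * 200)

# One key per layer; the crypter's min/max layers knob would vary this count.
KEYS = [b"layer-one-key", b"layer-two-key", b"layer-three-key"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: applying it twice restores the input."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack(payload: bytes, keys: list) -> bytes:
    """Apply one RC4 layer per key, innermost first."""
    blob = payload
    for k in keys:
        blob = rc4(k, blob)
    return blob


def unpack(blob: bytes, keys: list) -> bytes:
    """Peel the layers in reverse order, as a crypter's stub does at run time."""
    for k in reversed(keys):
        blob = rc4(k, blob)
    return blob


def signature_hit(data: bytes) -> bool:
    """What a pure byte-signature scanner reports."""
    return SIGNATURE in data


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (maximum 8.0)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 6.5) -> bool:
    """Crude heuristic: encrypted/compressed bodies sit near 8 bits/byte,
    ordinary code and data with padding sit far lower."""
    return entropy(data) > threshold


if __name__ == "__main__":
    packed = pack(PAYLOAD, KEYS)
    print("signature in plain payload :", signature_hit(PAYLOAD))
    print("signature in packed payload:", signature_hit(packed))
    print("entropy plain/packed       : %.2f / %.2f" % (entropy(PAYLOAD), entropy(packed)))
    print("looks packed               :", looks_packed(packed))
    print("round trip ok              :", unpack(packed, KEYS) == PAYLOAD)
```

The point of the two checks side by side is the one the post makes: the signature is gone after the first layer, let alone three, so a scanner that only matches bytes is blind to the repacked sample, while the entropy jump is visible regardless of how many layers the crypter applied. Real scanners add emulation and behavioural checks for exactly this reason.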

The second crypter, a previous version of the first one, has the following options :

- custom resource names
- scramble
- custom encryption layer

Moreover, given the ongoing competition among coders and modifiers of malware crypters, extras such as dozens of already packed bots are often thrown in as a bargain to make a purchase of the more flexible crypter itself more likely. The third crypter is a perfect example of a source code modification, since it lacks any significant or unique features.

The most dangerous threat, however, remains your lack of decent situational awareness.

Cyber Jihadists and TOR

You always knew it, I've always speculated on it, and now I can finally provide a decent screenshot of a cyber jihadist how-to that recommends TOR and takes the average reader step by step through the process of obtaining and using it -- "rocket science" in itself. Following previous comments regarding Jihadists' Anonymous Internet Surfing Preferences, I also pointed out the obsolescence of sampling jihadist IPs at various forums and sites, as it's both obvious and logical to assume that surfing, reconnaissance and communication happen over tunneled connections.

Related posts:
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
The Current State of Internet Jihad
Characteristics of Islamist Web Sites
A List of Terrorists' Blogs
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities

Confirm Your Gullibility

The Rock Phish kit in action. Registered yesterday, a .info domain is faking a Royal Bank of Scotland Customer Confirmation Form, and is a good indication of the convergence of spam and phishing, and of the cooperation within the phishing ecosystem.

Message source spoofed from : corporateclients.refj2225451hh.ib @ rbs.co.uk

Message content : Dear Royal Bank of Scotland customer,
The Royal Bank of Scotland Customer Service requests you to complete Digital Banking Customer Confirmation Form (CCF). This procedure is obligatory for all customers of the Royal Bank of Scotland. Please select the hyperlink and visit the address listed to access Digital Banking Customer Confirmation Form (CCF). Again, thank you for choosing the Royal Bank of Scotland for your business needs. We look forward to working with you. ***** Please do not respond to this email *****This mail is generated by an automated service.


Sender's IP : Listed by only one of the popular anti-spam blacklists
Domain info : buhank.info ; 81.215.226.34 ; Created On: 25-Jul-2007 18:53:03 UTC ; Expiration Date: 25-Jul-2008 18:53:03 UTC.

HTTP/1.1 200 OK
Date: Wed, 25 Jul 2007 22:21:30 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7f PHP/4.4.4 mod_perl/1.29 FrontPage/5.0.2.2510
Last-Modified: Tue, 26 Jun 2007 19:05:56 GMT
ETag: "e6c64f-23f9-46816394"
Accept-Ranges: bytes
Content-Length: 9209
Content-Type: text/html

The main index returns a "209 Host Locked" message, typical of Rock Phish.

Phishing URL : sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx
Original URL : rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp

Registering a phishing domain for no longer than a year is cost-effective given the domain's expected "lifetime", that's for sure. Running their own certificate authority would have been even better, but they clearly haven't, since no HTTPS option is offered at all, and so this phishing campaign is doomed to failure. And while the message and the spoofed site look relatively decent, the people behind this campaign are newbies using the Rock Phish phishing kit: the efficiency of DIY phishing kits versus the quality of the resulting phishing site. More info is available on this campaign and on Rock Phish, as well as on SpamHaus.org's recent efforts to limit the lifetime of Rock Phish domains.
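The two tells in the data above, a brand's real domain buried as a subdomain of a throwaway registration and a WHOIS creation time only hours before the page was fetched, are easy to check mechanically. The following is an added example, not code from the original post or from any anti-phishing product; it runs offline on the URL, WHOIS creation date and HTTP Date header quoted above, and its two-entry table of multi-label public suffixes is an assumption standing in for the Public Suffix List.

```python
"""Added example: flag a Rock Phish style hostname that hides a bank's domain
inside a freshly registered throwaway domain, and compute how fresh it was."""
from datetime import datetime

# All values below are copied from the observation above; nothing is fetched.
PHISH_URL = ("http://sessionid-02792683.rbs.co.uk.buhank.info"
             "/customerdirectory/direct/ccf.aspx")
REAL_URL = "rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp"
BRAND_DOMAINS = {"rbs.co.uk"}
WHOIS_CREATED = "25-Jul-2007 18:53:03 UTC"     # "Created On" from the WHOIS record
HTTP_DATE = "Wed, 25 Jul 2007 22:21:30 GMT"   # Date: header of the phishing page

# Assumption: a tiny stand-in for the Public Suffix List, enough for this page.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def hostname(url: str) -> str:
    """Extract the host from a URL with or without a scheme, dropping
    userinfo, port and path."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    host = host.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of the name the registrant actually controls (and the browser
    actually trusts): the last label plus one, or plus two for co.uk-style
    suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(url: str, brands: set) -> dict:
    """Report the registrable domain and any brand domain that appears as a
    label run somewhere other than the registrable tail."""
    host = hostname(url)
    reg = registrable_domain(host)
    spoofed = None
    for brand in brands:
        if brand != reg and ("." + brand + ".") in ("." + host + "."):
            spoofed = brand
    return {"host": host, "registrable": reg, "spoofed_brand": spoofed}


def domain_age_hours(created: str, observed: str) -> float:
    """Hours between WHOIS creation time and the HTTP Date header; both are
    naive UTC/GMT timestamps in the formats quoted on the page."""
    c = datetime.strptime(created, "%d-%b-%Y %H:%M:%S %Z")
    o = datetime.strptime(observed, "%a, %d %b %Y %H:%M:%S %Z")
    return (o - c).total_seconds() / 3600.0


def verdict(url: str, brands: set, created: str, observed: str) -> str:
    """Combine the two signals into a human-readable call."""
    r = analyse(url, brands)
    age = domain_age_hours(created, observed)
    if r["spoofed_brand"] and age < 24:
        return ("likely phish: %s impersonated inside %s, registered %.1f h ago"
                % (r["spoofed_brand"], r["registrable"], age))
    if r["spoofed_brand"]:
        return "suspicious: %s inside %s" % (r["spoofed_brand"], r["registrable"])
    return "no brand-in-subdomain spoof found for %s" % r["host"]


if __name__ == "__main__":
    print(verdict(PHISH_URL, BRAND_DOMAINS, WHOIS_CREATED, HTTP_DATE))
    print(verdict(REAL_URL, BRAND_DOMAINS, WHOIS_CREATED, HTTP_DATE))
```

Against the observed URL the registrable domain comes out as buhank.info, rbs.co.uk is reported as the impersonated brand, and the registration was under four hours old when the Date header was generated. The same functions applied to the genuine rbs.co.uk logon URL report no spoof, because there the brand domain is the registrable tail rather than a decoy prefix.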

Rock Phish screenshot courtesy of Fortinet.

Related posts :
Phishing Domains Hosting Multiple Phishing Sites
Interesting Anti-phishing Projects
Taking Down Phishing Sites - a Business Model?
Take this Malicious Site Down - Processing Order..
Anti-phishing Toolbars - Can You Trust Them?