Monday, July 30, 2007

World of Warcraft Domain Scam

World of Warcraft playing species, beware! Can you spot the difference? Depending on the font type, font size and email client, a euphoric gamer can easily fall victim to this, and she will, since the domain is currently redirecting to Blizzard's real WoW site in Europe. As you can see in the attached screenshot, this domain, registered a week ago, aims to trick you, and your email client's font preferences, into thinking VV equals W, and that vvovv-europe.com is indeed wow-europe.com.

vvovv-europe.com
69.147.83.157
Creation Date........ 2007-07-25
Expiry Date.......... 2008-07-25

Some developments on the cybersquatting front:

"The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce. Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year."

So far, this remains the most creative typosquatting "scam to come" I've seen in a while.
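The VV-for-W trick above is detectable before a user ever reads the mail: canonicalize every label of a link domain by collapsing sequences that render like a single letter, then compare against the brand domains you protect. This is an added example, not code from the original post; it generalizes beyond the page's "vv" case with the well-known "rn" and "cl" confusables and a few digit substitutions, and the PROTECTED list is a constructed sample.

```python
from typing import List, Optional

# Multi-character sequences that render like one letter in many fonts.
# "vv" -> "w" is the trick behind vvovv-europe.com; "rn" -> "m" and
# "cl" -> "d" are further well-known confusables added to generalize.
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m"), ("cl", "d")]

# Digits commonly substituted for letters in typosquats.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed list of brand domains a mail gateway would protect.
PROTECTED = ["wow-europe.com", "worldofwarcraft.com", "blizzard.com"]


def canonicalize(label: str) -> str:
    """Collapse look-alike sequences so visually similar labels compare equal."""
    label = label.lower().translate(CONFUSABLE_CHARS)
    for seq, target in CONFUSABLE_SEQUENCES:
        label = label.replace(seq, target)
    return label


def lookalike_of(candidate: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that `candidate` visually impersonates.

    Both sides are canonicalized label by label, so "vvovv-europe.com"
    collapses to "wow-europe.com". An exact match is legitimate traffic,
    not a lookalike, and returns None.
    """
    cand = candidate.lower().strip().rstrip(".")
    brands = [b.lower() for b in protected]
    if cand in brands:
        return None
    cand_labels = [canonicalize(part) for part in cand.split(".")]
    for brand in brands:
        if cand_labels == [canonicalize(part) for part in brand.split(".")]:
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample of link domains as seen in incoming mail.
    for domain in ["vvovv-europe.com", "wow-europe.com", "w0w-europe.com",
                   "rnicrosoft.com", "example.org"]:
        print(f"{domain:20s} -> {lookalike_of(domain, PROTECTED)}")
```

Because canonicalization deliberately merges distinct strings, treat a hit as a flag for quarantine or review rather than an automatic block.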

The IcePack Malware Kit in Action

The IcePack is a rather average web based malware C&C kit compared to, for instance, Black Sun, Cyber Bot, Mpack, and especially Zunker. Average in terms of the lack of unique features offered, which makes me think that it's a hybrid of publicly obtainable stats and exploit rotation modules.

After providing in-depth overviews of the WebAttacker and Mpack kit large scale attacks in previous posts, in this post I'll showcase the IcePack kit in action. As I've already pointed out in a previous post on the increasing number of malware embedded sites, malware authors are diversifying their traffic aggregation approaches, and are either exploiting the sites themselves or their ISP's CPanel, or using push, pull and passive embedding techniques to achieve their goal.

Listening to your infection? Indeed. In the middle of the month, the Brazilian fan sites of popular music bands such as t.A.T.u and Linkin Park got IFRAME-ed, and had their visitors infected with an IcePack loader. Let's assess the URL within the IFRAME appropriately.

URL : hllp://my-loads.info
IP : 203.121.71.165
Response : HTTP/1.1 200 OK
Date: Mon, 30 Jul 2007 01:02:43 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/5.2.3 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/5.2.3
Transfer-Encoding: chunked
Content-Type: text/html

Then we are taken to a not so sophisticated obfuscation, pointing us to the vulnerabilities exploited and the actual binary. Detection rates for the loader so far:

AntiVir 2007.07.28 TR/Crypt.U.Gen
AVG 2007.07.28 Obfustat.AGS
eSafe 2007.07.29 suspicious Trojan/Worm
Ikarus 2007.07.29 Trojan-Downloader.IcePack
McAfee 2007.07.27 New Win32
Panda 2007.07.29 Generic Malware
Sophos 2007.07.26 Mal/HckPk-A
Sunbelt 2007.07.28 Trojan-Downloader.IcePack
Symantec 2007.07.29 Downloader
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen

File size: 6792 bytes
MD5: ce3291be2ded8b82fc973e5f5473b1fe
SHA1: fcf4cab3ade392c611c95e16c913fbc967577222

More screenshots of the IFRAME at Finjan's blog, and a comment on evasive attacks: "The toolkit also uses evasive attack. By blocking specified countries and multiple instances from the same IP address, it minimizes exposure to security vendors." Very true. Re-visiting it, I no longer get exploited.

IcePack kit screenshots courtesy of an IDT Group member pitching the kit.