A Chinese Malware Downloader in the Wild

This is an example of a recently released in the wild DIY downloader with rather average features such as the ability for the malware author to choose multiple locations of the files to be "dropped", as well as the time interval to check for the newly distributed binaries. The high detection rate of the downloader itself -- Result: 23/32 (71.88%) -- is not the main point I'd like to emphasize on, but rather that compared to the majority of downloaders courtesy of Russian malware authors I come across to occasionally, this is a Chinese one. China is often blamed to be the country hosting the highest percentage of malware in the world, however, China is also the country with highest percentage of infected PCs, and as we've seen with Storm Worm an infected host starts acting as both infection and propagation vector for the malware in question. As in any other local malware market, DIY tools get released so that script kiddies can generate enough noise to keep the more sophisticated malware campaigns running behind the curtains.

PayPal and Ebay Phishing Domains

As I needed another benchmark for a creative typosquatting next to my best finding of this World of Warcraft domain scam, I stumbled upon the following list of domains, where the most creative domain squatting is done solely for the purpose of including the domains within a typical phishing scam URL structure. Some of the domains are actual Rock Phish ones that are currently hosting live phishing campaigns :

paypal-online-account.com
paypal-user-update.com
paypal-support1.com
paypal-account-protection.com
paypal1-login.com
paypal-accounts-update.com

Some "creative" ones to be abused :

paypal-aspx.com
paypal-cgi3.info
paypal-cmd.com
paypal-comlwebscrc-login-run.com
paypal-confirmation-id-0746795.com

And since PayPal is actually EBay after the acqusition, here're some "creative" Ebay domain scams as well :

ebay-com-isapidll.com
ebayisapidll-cgi.com
ebayisapidllaw2.com
ebayisapidllu.com

Authentication itself seems to be a priority as the customer must possess a tangible proof that her transactions' security is somehow enhanced by a layered authentication, no doubt about it. But with phishers actively using a "push" model that is starting to visually social engineer the customers by registering domains imitating PayPal and EBay's web application structure, authentication itself shouldn't be a priority number one the way it is for the time being as phishers are not even trying to bypass it.

Stats courtesy of the Anti-Phishing Working Group.

Storm Worm's DDoS Attitude - Part Two

After commenting on Storm Worm's logical connection with the recent DDoS attacks against anti-scam web sites, SecureWorks timely released details of what actions could trigger a DDoS attack from Storm back at the researcher's host and what type of DDoS attacks are launched exactly :

"The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular."

To me, this tactic is more of a "hey our situational awareness on your actions to shut us down is fairly food enough" type of statement, but why would the botnet masters risk exposing infected hosts compared to the opportunity to have them act like nothing's in fact wrong with them? Mainly because if infected hosts were a scarce resource perhaps they would, but in Storm Worm's case the oversupply of infected hosts is allowing them to dedicate resources for automatic self-defensive DDoS.