Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, February 27, 2008
RBN's Phishing Activities
RBN URLs used in the phishing redirects :
81.95.149.226/scm/us/wels/index.html
81.95.149.226/scm/uk/lloydstsb/personal/index.html
81.95.149.226/scm/cyprus/persmain.html
81.95.149.226/scm/au/westpac/index.html
81.95.149.226/scm/au/commonwealth/
81.95.149.226/scm/au/warwickcreditunion/index.html
81.95.149.226/scm/uk/lloydstsb/business/index.html
81.95.149.226/scm/uk/halifax.php
81.95.149.226/scm/uk/rbsdigital/index.html
81.95.149.226/scm/uk/co-operative/index.html
81.95.149.226/scm/uk/cahoot.php
Known malware to have been connecting to 81.95.149.226 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to 81.95.149.226, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.
Some facts are better known later, than never.
Yet Another Massive Embedded Malware Attack
buytraffic.cn/in.cgi?11 - 62.149.18.34
sclgntfy.com/ent2763.htm - 85.255.118.12
tds-service.net/in.cgi?20 - 72.233.50.148
spywareisolator.com/landing/?wmid=sga - 72.233.50.150
warinmyarms.com/check/upd.php?t=670 - 58.65.239.114
coripastares.com/in.php?adv=1267&val=3ee328 - 202.83.197.239
xanjan.cn/in.cgi?mikh - 78.109.22.246
chportal.cn/top/count.php?o=4 - 203.117.111.102
buhaterafe.com/in.php?adv=1208&val=65286d - 202.83.197.239
193.109.163.179/exp/count.php
193.109.163.179/exp/getexe.php
78.109.22.242/mikh/1.html
78.109.22.242/sh.html
Who says there's no such thing as free malware cocktails.
Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Tuesday, February 26, 2008
RBN's Malware Puppets Need Their Master
Monday, February 25, 2008
The Continuing .Gov Blackhat SEO Campaign - Part Two
- Utah Attorney General’s Office Identity Theft Reporting Information System -
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 630 pages
- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates/2 - 890 SEO pages
- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages
- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simple - 93 SEO pages
- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO pages
- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment
The number of pages currently hosted at these high pagerank domains is indeed disturbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" campaign, where outgoing links and SEO content is embedded at the host, but is only visible to web crawlers. Take the Wisconsin Department of Military Affairs's site for instance, where a news item that was posted in 2003, yes five years ago, is still embedded with "invisible blackhat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones.
Sampling the outgoing links also speaks for itself, take canadianmedsworld.com (217.170.77.162) for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :
canadianpharmacyltd.org
ns1.viagrabestprice.info
ns2.viagrabestprice.info
officialmedicines.us
pharm-shop.net
thecanadianpharmacymeds.com
viagrabestprice.info
viagraforlove.com
xdrugpill.com
This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case.
Friday, February 22, 2008
Malware Infected Hosts as Stepping Stones
"In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside)."
The commercial aspect's always there to say, and vertically integrate since besides selling the product in the form of the tool for, they could eventually start coming up with various related, and of course malicious services in the form of spamming, phishing etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for any kind of cybercrime activities, as well as the foundation for other services such as the managed fast-flux provider I once exposed.
Stepping stones as a concept in cyberspace, can be used for various purposes such as, engineering cyber warfare tensions, virtual deception, hedging of risk of getting caught, or actually risk forwarding to the infected party/country of question, PSYOPs, the scenario building approach can turn out to be very creative. One of the main threats possed by the use of infected hosts as stepping stones that I've been covering in previous posts related to China's active cyber espionage and cyber warfare doctrine, is that of on purposely creating a twisted reality. China's for instance the country with the second largest Internet population, and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware infects hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly top the number one position on malicious activities.
However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining foreign intelligence and research data is on the top of the agenda on every government with an offensive cyber warfare doctrine in place.
Thursday, February 21, 2008
Localizing Cybercrime - Cultural Diversity on Demand
"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack totarget specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."
It's been happening ever since, and despite that it's already getting the attention of vendors, malware authors do not need to know any type of foreign language to spread malware, spam and phishing emails in the local language, they do what they're best at (coding, modifying publicly obtainable bots source code), and outsource the things they cannot do on their own - come up with a locally sound message which would leter on be used for localized malware, spam and phishing attacks, a tactic with a higher probability of success if there were to also request that spammers can segment the harvested email databases for better campaign targeting. The Release of Sage 3 - The Globalization of Malware :
"In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not just skilled at computer programming they're skilled at psychology and linguistics, too."
With all due respect, but I would have agreed with this simple logic only if I wasn't aware of translation services on demand for anything starting from malware to spam and phishing messages. We can in fact position them in a much more appropriate way, as "cultural diversity on demand" services, where local citizens knowingly or unknowingly localize messages to be later on abused by malicious parties. Malware authors aren't skilled at linguistics and would never be, mainly because they don't even have to build this capability on their own, instead outsource it to cultural diversity on demand translation services, ones that are knowingly translating content for malware, spam and phishing campaigns.
The perfect example would be MPack and IcePack's localization to Chinese, and yet another malware localized to Chinese, as these two kits are released by different Russian malware groups, but weren't translated by them to Chinese, instead, were localized by the Chinese themselves having access to the kits - a flattery for the kits' functionality, just like when a bestseller book gets translated in multiple languages. As for the socioeconomic stereotype of unemployed programmers coding malware, envision the reality by considering that sociocultural, rather than socioeconomic factors drive cybercrime, in between the high level of liquidity achieved of course.
Malicious Advertising (Malvertising) Increasing
01. quinquecahue.com (190.15.64.190)
quinquecahue.com/swf/gnida.swf?campaign=tautonymus
quinquecahue.com/swf/gnida.swf?campaign=atliverish
quinquecahue.com/statsg.php?campaign=meatrichia
02. akamahi.net (190.15.64.185)
akamahi.net/swf/gnida.swf?cam
akamahi.net/swf/gnida.swf?campaign=innational
akamahi.net/swf/gnida.swf?campaign=annalistno
akamahi.net/statsg.php?u=1199891594&campaign=annalistno
03. thetechnorati.com (190.15.64.191)
thetechnorati.com/swf/gnida.swf?campaign=ofcavalier
thetechnorati.com/swf/gnida.swf?campaign=whoduniton
thetechnorati.com/statsg.php?u=1198689218
04. vozemiliogaranon.com (190.15.64.192)
vozemiliogaranon.com/statss.php?campaign=zoolatrymy
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy
vozemiliogaranon.com/statss.php?campaign=revenantan
05. newbieadguide.com (190.15.64.188)
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=2rapid1y
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=germanit
newbieadguide.com/swf/gnida.swf?campaign=ta5temix
newbieadguide.com/swf/gnida.swf?campaign=c0pperin
newbieadguide.com/swf/gnida.swf?campaign=remain0r
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof
newbieadguide.com/swf/gnida.swf?campaign=m9in9re9
06. traffalo.com (84.243.252.94)
traffalo.com/swf/gnida.swf?campaign=atekistics
traffalo.com/swf/gnida.swf?campaign=byagnostic
traffalo.com/statsg.php?u=1201711626
07. burnads.com (84.243.252.85)
burnads.com/swf/gnida.swf?campaign=1akeweak
burnads.com/swf/gnida.swf?campaign=flatfootup
08. v0zemili0garan0n.com
v0zemili0garan0n.com/statsg.php?u=1199391035
09. adtraff.com (84.243.252.84)
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=weightt0
10. mysurvey4u.com (194.110.67.22)
mysurvey4u.com/swf/gnida.swf?campaign=rubberu5
11. traveltray.com (194.110.67.23)
traveltray.com/swf/gnida.swf?campaign=pavoninean
12. tds.promoplexer.com (217.20.175.39)
tds.promoplexer.com/statsg.php
adtds2.promoplexer.com/in.cgi?2
Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :
aboutstat.com
newstat.net
officialstat.com
stathisranch.net
Contact details of the fake new media advertising agencies :
- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210
- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"
mysurvey4u.com
- AdTraff - "Leader enterprise in Online Marketing"
Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70
Detection rate :
gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc
The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.
Wednesday, February 20, 2008
Uncovering a MSN Social Engineering Scam
"Quickly and easily learn who blocked you on MSN. The longly awaited feature for MSN Messenger, completely for free! Please input your MSN Messenger account information to learn who has blocked you. Our system will login with this information and learn who has blocked you."
Domains and DNS entries are still active, content's currently hidden :
msnliststatus.com - 222.73.220.237
msnblockerlist.com - 64.202.189.170
msnblocklist.org - 72.55.142.113
blockdelete.com - 89.149.242.248
Why would malicious parties care for collecting accounting data for IM users? If we're to put basic scenario building intelligence logic in this particular case, having access to couple of hundreds IM accounts acts as the perfect foundation for a IM malware spreading campaign, where access to the stolen data is actually the distribution vector. What would malicious parties do if they want to vertically integrate and earn higher return on investment in this case? They would segment the screenames by countries, cities and other OSINT data available, and earn higher-profit margins with the segmentation service offered to SPIMmmers.
Related posts:
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware
The FirePack Web Malware Exploitation Kit
The business strategies applied for such a hefty amount of money, are the lack of transparency means added biased exclusiveness, in order to cash-out through high-profit margins while taking advantage of the emerging malware kits cash bubble. A bargain hunter will however look for the cheapest proposition from multiple sellers, or subconsiously ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack and IcePack are nowadays.
Related posts :
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Monday, February 18, 2008
The Continuing .Gov Blackat SEO Campaign
- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages
Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative, but for instance, topsfield-ma.gov/warrant where a single blackhat SEO page was located seems to have been hacked by a turkish defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP"
Serving Malware Through Advertising Networks
Geolocating Malicious ISPs
- Ukrtelegroup Ltd
85.255.112.0 - 85.255.127.255
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
UKRAINE
phone: +380487311011
fax-no: +380487502499
- Turkey Abdallah Internet Hizmetleri
TurkTelekom
88.255.0.0/16 - 88.255.0.0/17
- Hong Kong Hostfresh
58.65.232.0 - 58.65.239.255
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
Hong Kong
phone: +852-35979788
fax-no: +852-24522539
These are not just some of the major malware hosting and C&C providers, their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd, however, the emphasis shouldn't be on the volukme of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.
Massive Blackhat SEO Targeting Blogspot
Sample blogs :
tilas--paralyze--video.blogspot.com
parentdirectoryofnokia19942.blogspot.com
imelodyalesana.blogspot.com
iberryblack8320.blogspot.com
ku990downloadwallpaper.blogspot.com
blackberrypearl8100fre62265.blogspot.com
motorolarazrv3amdriver90079.blogspot.com
downloadcredmakerforf64090.blogspot.com
smsmarathi.blogspot.com
pradaphonethemes.blogspot.com
With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. And while firesearch.sc is pitching itself as a "search engine that you can trust", it looks like it's not generating revenues for the people behind the operation, but also, acts as a keyword popularity blackhole.
Related posts:
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
Malicious Keywords Advertising
Visualizing a SEO Links Farm
Spammers and Phishers Breaking CAPTCHAs
But of Course It's a Pleasant Transaction
Vladuz's EBay CAPTCHA Populator
The Blogosphere and Splogs
p0rn.gov - The Ongoing Blackhat SEO Operation
Malware Embedded Link at Pod-Planet
Wednesday, February 13, 2008
Statistics from a Malware Embedded Attack
Visualizing a SEO Links Farm
The New Media Malware Gang - Part Three
sratong.ac.th/ch24/config/index.php
79.135.166.138/us/index.php
users-online.org/get/index.php
x-y-zz.org/exp2/index.php
dimaannetta.ws/adpack/index.php
dagtextiles.biz/adpack/index.php
freescanpro.com/count
keeberg.info
wmstore.info/1
78.109.22.242/a/index.php
208.72.168.176/e-zl0102/index.php
absent09.phpnet.us
podarok24.info/xxx
drl-id.com
supachicks.com
And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner.
Anti-Malware Vendor's Site Serving Malware
Detection rate : 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j
Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?
Tuesday, February 12, 2008
BlackEnergy DDoS Bot Web Based C&Cs
"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."
The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :
httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)
It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.
U.K's FETA Serving Malware
"The website of one of the UK's most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups."
The deobfuscated javascript attempts to load the currently live 88.255.90.130/cgi-bin/in.cgi?p=admin (MDAC ActiveX code execution (CVE-2006-0003), also responding to Silentwork.ws and Tide.ws which is deceptively forwarding to BBC's web site, deceptively in the sense that were I to use a U.K based IP to access it for instance it will try to serve the malware, thus, malware campaigners are now able to segment the malware attacks on a basis of IP geolocation. Who's behind it? A group that's in direct affiliation with the RBN and the New Media Malware Gang, where the three of these operate on the same netblocks.
The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event.