Wednesday, April 30, 2008
- Most Aggressive Malware Attack Source and Filters
- Most Effective Malware-Related Snort Signatures
- Most Prolific BotNet Command and Control Servers and Filters
- Most Observed Malware-Related DNS Names
- Most Effective Antivirus Tools Against New Malware Binaries
- Most Aggressively Spreading Malware Binaries
I was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New Malware Binaries" section, especially its emphasis on malware that's currently in the wild. Furthermore, to prove my point, you can see the top 10 list of Anti virus vendors as it were on the 20th, and the top 10 list of anti virus vendors as it were yesterday? Can you find the differences? Grisoft, Avira, Secure Computing and Quick Heal remain on the same
positions, whereas the rest of the vendors are in a different rank, although on the 20th they were exposed to 1030 binaries only, and on the 29th to 1759.
So what? In respect to signatures based malware scanning, every vendor has its 15 minutes of fame, however, as I pointed out two years ago :
"Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software to disable an anti virus scanner, or its ability to actually obtain the latest signatures available."
What has changed? The DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle. Moreover, with malware authors waging tactical warfare on the vendors infrastructure by supplying more malware variants than then can timely analyze, this tactical warfare on behalf of the malicious parties is only going to get more efficient.
Inside a non-malicious download.php file :
$file = "sexy.gif"; header("Content-type: application/force-download"); header("Content-Transfer-Encoding: Binary"); header("Content-Disposition: attachment; filename=\"".basename($file)."\""); readfile("$file"); ?>
Spammers, phishers, malware authors, and of course, black hat search engine optimizers, are known to have been using technique for enforcing downloads, loading live exploit URls, or plain simple redirection to a place where the malicious magic happens.
A fake directory listing of images, where the images themselves load image files of the icon to make themselves look like images - trying saying this again, and consider this attack tactic as SEO 1.0, where the 2.0 stage has long embraced GUIs and all-in-one anti-doorway detection techniques for blackhat SEO-ers to take advantage of.
the response rate for the campaign can change in a minute. Go through a related post on "Statistics from a Malware Embedded Attack" taking another perspective into consideration.
Tuesday, April 29, 2008
How is a seller of yet another DIY malware going to differentiate her market proposition? Adding a service in the form of managing and verifying the buyer's undetected binaries is slowly maturing into what 24/7 customer support service is for most market propositions - a commodity and something that's often taken for granted. In the case of this DIY malware, the author is aiming to differentiate the proposition by also offering the source code of the malware, thus, embracing the open source mentality just like many other malware authors are, believing that innovation will come on behalf of those adding extra features and fixing bugs within the malware - and they are sadly right about the innovation belief. Some features of this malware :
- Stealing an Uploading to a specific FTP ( ICQ, FireFox, WinXP Keys, CD Keys )
- HTTP Get Flooding
- Syn Flooding and IP Spoofing
- Process Hiding without Register Service
- Hides from any kind of Taskmanager : Windows Taskmanager, Security Taskmanager )
- Settings can be changed all time. ( in running bots as well )
- Mutexes Checking
- Anti VMware, Anti VPC, Anti Sandboxing, Anti Norman Sandbox
- Settings encrypted with RC-4
- Doesn't need .ocx
- Killing Windows Firewall
It looks and sounds, as a novice malware coder integrating publicly obtainble malware modules, hoping to cash in. Moreover, in regard to open source malware, questioning "Which is the latest version of the MPack web exploitation kit?" is slowly becoming pointless mainly because of the kits' open source nature, and besides localizing them to different languages, their effectiveness is also acting as the foundation for malware kits to come.
DIY Exploit Embedding Tool - A Proprietary Release
DIY Exploits Embedding Tools - a Retrospective
DIY German Malware Dropper
DIY Fake MSN Client Stealing Passwords
A Malware Loader for Sale
Yet Another Malware Cryptor In the Wild
DIY Malware Droppers in the Wild
More Malware Crypters for Sale
A Multi-Feature Malware Crypter
Monday, April 28, 2008
- D-Link MPEG4 VAPGDecoder ActiveX
- Macrovision Installshield ActiveX
- MySpace Uploader ActiveX
- Symantec BackupExec ActiveX
- Yahoo! JukeBox ActiveX
- Microsoft Works ActiveX (0day)
- Microsoft Internet Explorer MS06-014 (MDAC)
- Microsoft Internet Explorer MS07-009
- Facebook Uploader ActiveX
- Microsoft DirectSpeechSynthesis ActiveX
- Realplayer ActiveX
- WinZip FileView ActiveX
- Yahoo Messenger Webcam ActiveX
- Microsoft Internet Explorer MS06-013
- Microsoft Internet Explorer MS07-004
- Microsoft Internet Explorer MS07-055
With the now commodity web malware exploitation kits and their modularity streamlining "innovation" in the field, such DIY tools are only a fad compared to malicious parties' interest in exploiting as many people as possible, without putting extra efforts in the process (malicious economies of scale). And with the overall proliferation of client-side vulnerabilities, and the surprisingly high success rate of exploiting outdated and already patched vulnerabilities on a large scale (Stormy Wormy), ensuring your client-side applications are vulnerable to zero days only is highly recommended.
"Defaced by Zeus ;) contacto: z3us @ live.com Saludos: Juan Pablo :D"
The fact that web site defacements groups are going into phishing, and as we've already seen numerous times, abusing the access to the host to serve malware, with their malicious economies of scale type of automated defacement approaches and web application vulnerabilities exploitation, this is only going to get worse. One thing's for sure - phishers, spammers, malwaware authors, and now web site defacements groups are consolidating, or even if there are exceptions, those exceptions are figuring out how to vertically integrate and build the capability to participate in multiple malicious activities simultaneously.
Sunday, April 27, 2008
The original Firepack kit came with six exploits included within, and more to come in the scheduled updates to come. The exploits, and the current signature based detection rates are as follows :
FF5B341AC.php - MSIE 6
EF57CCF90.php - MSIE 7
EF57CCF90.php - Firefox 1
CCF45A00D.php - Firefox 2
CCF45A00D.php - Opera 7
99FFC5BA4.php - Opera 9
Scanners result : 11/32 (34.38%)
File size: 3685 bytes
Scanners result : 6/32 (18.75%)
File size: 1815 bytes
Scanners result : 15/32 (46.88%)
File size: 5861 bytes
Scanners result : 18/30 (60%)
File size: 6996 bytes
Scanners result : 10/32 (31.25%)
File size: 2123 bytes
The latest release offered for $300, is entirely Internet Explorer centered, including all of the publicly available exploits for IE6 and IE7, with the natural modularity so that the buyer can include any set of exploits to serve of a large scale.
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
Saturday, April 26, 2008
The process of developing malware bots that would either succeed based on the diversification of the spreading and infection vectors used, or end up as a backdoor-ed commodity for experienced botnet masters to sent to novice ones, is entirely up to the coder, or perhaps module copy and paster. Some are going as far as implementing quality assurance approaches to ensure their malware has the lowest possible detection rate, before spreading it, on the anti malware and firewall level, while others are benchmarking and setting strategic objectives to achieve before starting the process itself.
However, there are also wannabe botnet masters whose lack of understanding of the different between project management and "to-do list organization", and of course, setting their directory permissions right, leads us to a a first-hand malware bot's to-do list courtesy of the coder itself. Here's the to-do list itself, with all the static and variable features :
Spreading the malware
- NetAPI spreading
- VNC spreading
- MSN spreading
- ICQ spreading
- Email spreading
- Seeding via torrent (warez)
- Downloading (ftp & http)
- general ddos attacks (udp&tcp)
- tsunami ddos (push +ack flood)
- latest vulnerabilities scan
- exploits scann for homepages (php/perl/cgi scripts (not a priority)
Sniffers and interceptors
- bank sniffer & readers
- game reader
- encrypted config
- better clonning function (with timer based join (no massjoin)) + fixed channel messages
- noise at network sniffer (e.g.: honeypot (tool either shutdown and/or blocked))
- invisible to task manager
- more configuration settings
- melt exe on startup (true/false)
- startup (error) message editable (e.g.: (you need windows vista to run this programm) or (successfully installed))
- undetected source code
And while this wannabe botnet master is trying to achieve self-sufficiency, thereby slowing down the development process, others are not so close minded and are actively building communities around their malware botnets by releasing the source code for free, enjoying the innovation added by third party coders wanting to contribute to the community, where the bottom line is the inevitable localization of the bot to other languages once enough features have been developed to distinguish it among the rest of the commodity malware bots.
From a wannabe botnet master's perspective, the more propagation vectors added, the higher the probability for infection, however, the probability for infection is also proportional with the probability for detection on behalf of researcher's and vendors honeyfarms. And therefore, would less noise would mean slow infection rate, but higher lifecycle due to the less noise generated? The Stormy Wormy people for instance entirely relied on perhaps the most noise generation method - email distribution with malware hosted on IPs, however, their persistence and strategy to put more efforts into ensuring that no matter samples get obtained in the first couple of minutes a campaign is launched, the botnet itself should be harder to shut down.
Thursday, April 24, 2008
Yesterday, Uriel Maimon posted an overview of the convergence of Rock Phish emails with Zeus, a crimeware kit used to deliver banking trojans :
"The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:
1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.
2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.
3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the features-list goes on. As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment)."
We cannot talk about Zeus unless we compare it to another such crimeware kit serving banking trojans, in this the Metaphisher kit. Metaphisher is particularly interested because of its much more customized GUI, it's modular nature, allowing its sellers to lower or increase the price depending on which modules you'd like included, and which ones you'd like excluded, where a module means a preconfigured fakes, TANs, and phishing pages for all the banks in a country of choice. Moreover, despite that both, Zeus and Metaphisher are open source, and therefore malicious parties visionary enough to build communities around their kits in order to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community next to Zeus, considered as the MPack in the web malware exploitations kits, namely a bit of an outdated commodity that is of course still capable of doing what does best - hijacking E-banking sessions and logging them to the level of impersonation.
How are the authors of Zeus describing the kit themselves? Here's a description :
"ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not):
Bot: - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).
- There has its own process, through this can not be detected in the process list.
- Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.
- Difficult to detect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
- Nevid ekvaristiki for antivirus, Bot body is encrypted.
- Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.
- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
- All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).
- Detecting NAT through verification of their IP through your preferred site.
- A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will apply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
- Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
- Intercepting POST-data + interception hitting (including inserted data from the clipboard).
- Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).
- Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.
- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
- Customizable TAN-grabber for any country.
- Obtaining a list of questions and answers in the bank "Bank Of America" after successful authentication.
- Removing POST-needed data on the right URL.
- Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.
- Receiving certificates from the repository "MY" (certificates marked "No exports" are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.
- Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.
- Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.
- Keeps contents Protected Storage at first start the computer.
- Removes S ookies from the cache when Internet Explorer first run on a computer.
- Search on the logical disk files by mask or download a specific file.
- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim's computer in real time, the computer must be located outside the NAT.
- Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).
- HTTP (S) PROXY-server.
- Bot Upgrading to the latest version (URL new version set in the configuration file)."
What's most important to keep in mind in regarding to these crimeware kits, is that the sellers are shifting from product-centered to service-centered propositions, and while an year ago they would have been selling the kit only, today they've realized that it's the output of the kit in terms of logged stolen accounting data that they're selling. Committing identity theft and abusing stolen E-banking accounting data is already a service, compared to the product it used to be.
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key
Nuclear Grabber Kit
Wednesday, April 23, 2008
and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (22.214.171.124) :
Scanners Result: 18/32 (56.25%) :
File size: 24667 bytes
Another internal IFRAME serving exploits is also loading at haoliuliang.net, gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served :
Scanners Result: 26/32 (81.25%)
File size: 7205 bytes
As it appears, everyone's a victim of web application vulnerabilities discovered automatically, and either filtered based on high-page rank, or trying to take advantage of the long-tail of SQL injected sites to compensate for the lack of vulnerable high profile sites.
UNICEF Too IFRAME Injected and SEO Poisoned
Embedded Malware at Bloggies Awards Site
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :
"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."
Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.
- Through the use of DIY DDoS Tools
Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :
Scanners Result: 3/32 (9.38%)
File size: 1510643 bytes
For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.
- Collectively building bandwidth capacity and mobilizing novice cyber warriors
What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.
This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :
Anti-CNN Plans v4.19
"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.
We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.
Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!
iframe Id="cnn" width="100%" height="100">
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit
You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:
We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "
Tuesday, April 22, 2008
126.96.36.199-188.8.131.52 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (184.108.40.206:80) start, trying to access the following file at CNN.com :
- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"
Scanner results : 3% Scanner(1/36) found malware!
File size: 174592 bytes
Released by : Red Flag Cyber Operations email@example.com
From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :
Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers
Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :
"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."
"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."
DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.
According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.
Monday, April 21, 2008
1. Articles starting that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it
2. Articles starting that spam and malware attacks will increase and get more sophisticated - and the sun too, will continue expanding
3. Articles discussing a new malware spreading around instant messenging networks -- psst they're hundreds of them currently spreading
4. Articles discussing how signature based malware scanning is dead while an anti virus vendor's ad is rotating on the right side of the article - it's not dead it's just getting bypassed as a reactive security measure by the bad guys
5. Articles commenting on an exploit code for a high risk vulnerability made it public -- it's been usually circulating around VIP underground forums weeks before it made to the mainstream media, with script kiddies leaking it to other script kiddies
6. Articles pointing out how phishers started targeting a specific company - they target them all automatically, so don't take it personally if it's your company getting targeted
7. Article emphasizing on how mobile malware will take over the world, despite that there no known outbreaks currently active in the wild - once mobile commerce stars taking place in full scale for sure
8. Articles pointing out that having a firewall and an updated anti virus software is important - in times when client side vulnerabilities are serving a new binary on the fly with quality assurance applied before the campaign is launched to make sure it will bypass the most popular firewalls, things are changing and so must your perspective on what's important
9. Articles discussing which OS is the most secure one - the better configured one in terms of usability vs security, or the one where there're no currently active bounties offered for vulnerabilities within
10. Articles mentioning that China is hosting the most malware in the world - and while China is hosting it, the U.S is operating the most malware C&Cs in the world
The second tactic that I've been researching for a while is that of remotely SQL injecting or remotely file including phishing pages on vulnerable sites, as for instance, someone's actively abusing vulnerable sites, which are apparently noticing this malicious activities and taking care of their web application vulnerabilities. Some recent examples include :
In November, 2007, I started making the connecting between a Turkish defacement group that wasn't just defacing the web sites it was coming across, but was also hosting malware on the vulnerable sites :
"It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks."
As of recently, I'm starting to see more such activity, with various defacing groups realizing that monetizing their defacements can indeed improve their revenue streams. For instance, findaswap.co.uk/administrator/components/com_extplorer/www.Halifax.co.uk/_mem_bin/formslogin.asp/was serving a phishing page, and was also recently hacked by a Turkish defacement group. Moreover, equidi.com which is currently defaced is also hosting the following phishing pages within its directory structure, namely, equidi.com/New2008/Orange; equidi.com/New2008/www.bankofamerica.com; equidi.com/New2008/www.halifax.co.uk
Why are all of these tactics so smart? Mainly because they forward the responsibility to the infected party, and I can reasonably argue that a phishing page hosted at a .biz or .info tld will get shut down faster than the one hosted at a home user's PC. As for the SQL injections, the RFI, and the consolidation between defacers and phishers if it's not defacers actually phishing for themselves, what we might witness anytime now is a vulnerable financial institutions web sites' hosting phishing page, or its web application vulnerabilities used against itself in a social engineering attempt.
The rise of this particular group greatly showcases the cyclical pattern of cyber conflicts as the extensions of propaganda, PSYOPs and demonstration of power online, most interestingly the fact that at the beginning of their capabilities development process, they target everyone, everywhere, to later on move to more targeted attacks to greatly improve the effectiveness of the PSYOPs motives.
A week ago, China's CERT released their annual security report (in Chinese for the time being), outlining the local threatscape with data indicating the increasing efficiency applied by Turkish web site defacement groups, in between the logical increases in spam/phishing and malware related incidents. Here's an excerpt from the report :
6.23 million botnet participating hosts according to their stats, where 3.62 million are Chinese IPs is a great example of how the Chinese Internet infrastructure's getting heavily abused by experienced malware and botnet masters, primarily taking advantage of what's old school social engineering, and outdated malware infection techniques, which undoubtedly will work given China's immature and inexperienced from a security perspective emerging Internet generation.
sinaritx - 1731 defacements
It's also interesting to see pro-democratic Chinese hackers attacking homeland networks.
Cyber warfare tensions engineering is only starting to take place, and state sponsored or perhaps even tolerated cyber espionage building capabilities in order for the state to later on acquire the already developed resources and capabilities in a cost-effective manner. However, considering the recent cyber attacks against "Free Tibet" movements, as well as the DDoS attack attempts at CNN due to CNN's coverage of Tibet, Chinese cyber warriors continue demonstrating people's information warfare, and Internet PSYOPs by developing an anti-cnn.com (220.127.116.11) community, with some catchy altered images from the originals broadcasted worldwide, and with a special section to improve China's image across the world.And logically, there's a PSYOPs centered malware released in the wild, a sample of which is basically embedding links to a non-existent domain, descriptive enough to point to TibetIsAPartOFChina.com :
%\CommonDocuments%\My Music\My Playlists\WWW.cgjSFGrz_TibetIsAPartOFChina.COM
%CommonPrograms%\Accessories\System Tools\WWW.aEGXBl_TibetIsAPartOFChina.COMNow that's effective digital PSYOPs, isn't it? If you're visionary enough to tolerate the development of underground communities, whereas ensuring their nationalism level remain a priority for anything they do, you end up with a powerful cyber army whose every action perfectly fits with your political and military doctrine, without you even bothering to coordinate their efforts, thereby eliminating the need for a command and control structure.
Related posts:China's Cyber Espionage Ambitions
Chinese Hackers Attacking U.S Department of Defense Networks
Inside the Chinese Underground Economy
China's Cyber Warriors - Video
Friday, April 18, 2008
Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :
- Sender Address: "Natwest Bank Internet Banking Support"
- Sender Address: "Natwest Private and Corporate Support"
What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 18.104.22.168/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :
Yet another internal nameservers ecosystem within the botnet :