Friday, May 30, 2008
All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :
"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "
With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game
The message they appear to have left at the first place, is actually hosted on third-party servers and reads :
"KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven"
Comcast's changed whois records looked like this, and were restored to their original state approximately three hours later :
Defiant still raping 2k8 ebk 69 dick
tard lane dildo room
PHILADELPHIA, PA 19103
US 4206661870 fax: 6664200187
The hacked page was loading from the following locations :
Comcast's comments :
"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."
Network Solutions comments :
"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."
"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.
With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.
An interview with the hijackers including a screenshot of the control panel for over 200 Comcast operated domains is available.
Tuesday, May 27, 2008
"Preliminary investigation suggests that the DeepSight honeynet may also have captured this attack. We are looking into this further. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Avoid browsing to untrustworthy sites. Also, consider disabling Flash or use some sort of script-blocking mechanism, such as NoScript for Firefox, to explicitly allow SWFs to run only on trusted sites. "
The Internet Storm Center also made an announcement and assessed a malware domain that was using the exploits in this case play0nlnie.com (188.8.131.52), next to Adobe's Product Security Incident Response Team (PSIRT) original announcement of the vulnerability. What about the original hosting sites for this exploits? Are they still active and serving it, what are the detection rates of the exploits and the malware served, and are there any other domains that should be blocked, also responding to the same IPs.
Let's assess the campaign using the Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability. At count18.wuqing17173.cn/click.aspx.php (184.108.40.206) the end user is receiving a look looks like a 404 error message, however, within the 404 message there's a great deal of information exposing the exploits location and participation domains, which you can see attached in the screenshot above. In between several obfuscations we are finally able to locate the exploits serving host, as there are multiple exploits this particular campaign is taking advatange of, in between the Adobe Flash Player one :
Let's get back to the second domain which is not returning a valid 403 error forbidden message, woai117.cn (220.127.116.11) which has also been sharing the same IP with kisswow.com.cn; qiqi111.cn; ririwow.cn; wowgm1.cn, among the domains used in the ongoing SQL injection attacks. Once the binary located at woai117.cn /bak.exe was obtained and sandboxed, it tried to download more malware by accessing woai117.cn /kiss.txt with the following binaries already obtained, analyzed and distributed among AV vendors :
Detection rates for the exploit, the obfuscations and the malware binaries obtained :
Scanners result : 3/32 (9.38%)
F-Secure - Exploit.JS.Agent.oa
GData - Exploit.JS.Agent.oa
Kaspersky - Exploit.JS.Agent.oa
File size: 35767 bytes
A sample flash file with the exploit
Scanners result : 2/32 (6.25%)
eSafe - SWF.Exploit
Symantec - Downloader.Swif.C
File size: 846 bytes
The malware served
Scanners result : 18/32 (56.25%)
MemScan:Win32.Worm.Otwycal.T; a variant of Win32/AutoRun.NAD
File size: 25229 bytes
The password stealers
Scanners result : 19/32 (59.38%)
File size: 42268 bytes
Scanners result : 13/32 (40.63%)
File size: 108172 bytes
Consider blocking flash by using Flashblock for instance, until the issue is taken care of :
"Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content. "
It could have been worse, as "wasting a zero day exploit" affecting such ubiquitous player such as Adobe's flash player for infecting the end users with a rather average password stealer is better, than having had the exploit leaked to others who would have have introduced their latest rootkits and banker malware.
UPDATE - 5/28/2008
Consider blocking the following domains currently serving the malicious flash files :
UPDATE - 5/29/2008
Zero day or no zero day? It appears that the exploit used in this campaign is an already known one, namely CVE-2007-0071, and this has since been verified by multiple parties who were assessing the incident. Some related comments :
Flaw Watch: Why Adobe Flash Attacks Matter
"Thursday, however, Symantec backtracked after Adobe released a statement denying that the matter concerned a new flaw. In a progress report posted to the official Adobe PSIRT blog, David Lenoe said the exploit "appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 18.104.22.168." In an update to that blog entry, he said Symantec had confirmed that all versions of Flash Player 22.214.171.124 are not vulnerable to the exploits. Symantec Senior Researcher Ben Greenbaum acknowledged the flaw was previously known and patched by Adobe April 8, though the Linux version of Adobe's stand-alone Flash Player version 9.0.124 was indeed vulnerable to the attack."
Potential Flash Player issue - update
"We've just gotten confirmation from Symantec that all versions of Flash Player 126.96.36.199 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 188.8.131.52. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary. Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue. "
More information on recent Flash Player exploit
"This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 184.108.40.206 and Linux Player 220.127.116.11 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 18.104.22.168."
Followup to Flash/swf stories
"On closer examination, this does not appear to be a "0-day exploit". Symantec has updated their threatcon info, as well. We have yet to see one of these that succeeds against the current version (22.214.171.124), if you find one that does, please let us know via the contact page."
Why was the possibility of finding one that succeeds against the current version of Flash considered in ISC's post? Because with no samples distributed by Symantec verifying the zero day, the way the exploit serving flash files were generated at the malicious domains on a version basis (WIN%209,0,115,0ie.swf for instance), and with everyone trying to figure it out in order to obtain the malicious flash file for the latest version in order to verify its zero day state, this timeframe resulted in the delay of assessing the real situation.
Where's the connection? It's in the historical domains that used to respond to the IPs, in the Asprox case, a great deal of the original domain names used a couple of months ago are still in a fast-flux and further expose and connection between these IPs and Asprox. For instance, 126.96.36.199, is known to have been hosting xml52.com; www5.yahoo.american-greeting.ca.xml52.com; yahoo.americangreeting.ca.www05.net; bendigobank.com.au.tampost5.ws; among the domains used in some of the previous phishing domains. The rest of the IPs are also known to have participated in the fast-flux, and therefore, as long as they remain using some of their old domains, and fast-flux them in a way that can be compared to the data from previous months, monitoring the prevalence of Asprox phishing campaigns and making the connection between a phishing campaign and the botnet, would remain easy to do.
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Inside a Botnet's Phishing Activities
Fake Yahoo Greetings Malware Campaign Circulating
Phishing Emails Generating Botnet Scaling
Monday, May 26, 2008
In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execution (CVE-2006-0003), whose detection rate is 1/32 (3.13%) and is detected as Mal/Psyme-A. Approximately, 8,900 sites have been affected.
- input type="password" must die!
- Web Authentication by Email Address
- Beware of Finer-Grained Origins
- On the Design of a Web Browser: Lessons learned from Operating Systems
- Analysis of Hypertext Markup Isolation Techniques for XSS Prevention
- Privacy Protection for Social Networking Platforms
- (Under) mining Privacy in Social Networks
- Building Secure Mashups
- Web-key: Mashing with Permission
- Private Use of Untrusted Web Servers via Opportunistic Encryption
- Evidence-Based Access Control for Ubiquitous Web Services
- Privacy Preserving History Mining for Web Browsers
- Towards Privacy Propagation in the Social Web
Information is not free, it just wants to be free.
There are many different ways to review a magazine, however, I'm always sticking to the following critical success factors for a quality magazine :
- The presence of a vision
While a vision is often taken for granted, or even worse, a mission gets misunderstood for a vision, in Hakin9's case the vision could be perhaps best rephrased as "Spoiling the geeks who beg for a nerdy talk to them".
- Relevance of information
The information provided in the articles is highly relevant, and timely, lacking any retrospective approaches and focusing on current and emerging threats only. The same goes for the extensive external resources provided, emphasizing on the importance of self-education.
- Visual materials
Botnet masters are also masters in social engineering. Apparently, the success rate for this campaign is so high due to its social engineering tactic, which in this case is to establish as many touch points with the potential victim as possible, and also, entice clicking on a commonly accepted as harmless .php file followed by the victim's username in a firstname.lastname@example.org fashion.
What you see is not always what you get, especially with more and more droppers requesting other malware with image file extensions, which gets locally saved in its real nature - %Windir%\Media\System.exe for instance.
Friday, May 23, 2008
The long term impact of localization will improve the communication between those offering malicious services, and those looking for them in their native language. For instance, the sites of certain malicious services are already available in several different languages, and the quality of the translation is courtesy of available translation services provided by native speakers.
Moreover, breaking the language barrier doesn't just expand the market, but also, improves targeting for malware, spam, and phishing campaigns, where a truly professional campaign would speak the native language so naturally, it would leave the receipt with the feeling that it's originating from somewhere within their homeland. In reality though, the malicious parties behind it, or the managed spam providers vertically integrating to offer translations services, would be on the other side of the planet.
Thursday, May 22, 2008
Some new additions that I'm tracking :
The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post.
Wednesday, May 21, 2008
For the time being, malware authors continue emphasizing on the product concept, namely they build a malware based on their perception of what a malware should constitute of, then start offering it for sale as well as it's source code. In the long-term however, based on the increasing number of malware and spyware coding on demand, malware authors would undoubtedly embrace the customerization concept and start putting more efforts into figuring out what the customer really want compared to their current "built it, price, advertise it" and they'll come mentality.
Moreover, despite the generated buzz over the Zeus banker malware and its copyright notice, Zeus remains publicly available, and so is its source code, placing it under the open-source malware segment. So emphasizing on how malware authors are trying to protect their work is exactly what's not happening right now. Releasing it in open-source form increases its life cycle, and both, the original authors, and the community build around the malware benefit from the new features introduced within.
And now that the most popular web malware exploitation kits are already localized to Chinese due to their open-source nature, making it harder to maintain a decent situational awareness on the new features introduced courtesy of third-party coders, we may that easily see Zeus localized to Chinese as well. It's a trend, not a fad.
The malicious domain embedded within the site ad.ox88.info/13.htm (188.8.131.52) is using Mal/ObfJS-AP/Exploit:HTML/AdoStream to serve the malware, whereas the domain itself is using DNS servers known to provide service to malicious domains from previous malware embedded attacks that I've been assessing.
Tuesday, May 20, 2008
Go through the complete post - Pro-Serbian hacktivists attacking albanian web sites.
Where's the malware at pest-patrol.com? In one of these anecdotal cases, the way the people behind these rogue sites use the same template over and over again, and consequently forget to change the rogue software's name, in this case, not only is pest-patrol.com's mail server responding to antispycheck.com, but they've also uploaded a broken template.
These are Storm Worm's latest domains where the infected hosts try to phone back :
tellicolakerealty.cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails : glinson156 @ yahoo.com
Related DNS servers for the latest campaign :
Storm Worm related domains which are now down :
One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game
Monday, May 19, 2008
Read the complete assessment - Fast-Fluxing SQL Injection Attacks Executed from the Asprox Botnet, and go through previous posts related to the botnet as well - Phishing Emails Generating Botnet Scaling; Inside a Botnet's Phishing Activities; Fake Yahoo Greetings Malware Campaign Circulating.
- IE exploits included - Quick TIme Modified, PNG, MDAC, DX Media
- Firefox exploits included - Quick Time, PNG, EMBED
- Opera - all exploits up to version 9.20
- RC4 encryption
- lifetime updates
- opportunity to request additional functions
Converging infection and distribution vectors, evasion and survivability, metrics and command and control in a single all-in-one web malware exploitation kits is, however, is definitely in the works considering the developments introduced in the rest of the kits currently available. For instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns are injecting the malicious domains in its original form, certain attacks are starting to inject obfuscated URLs making it harder to assess the impact of the campaign using open source intelligence techniques.
The bottom line, as long as webmasters continue participating in the so called "traffic exchange" revenue models, knowingly or unknowingly embedding links that would later on ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory that could be supplied is the direct result of an ongoing SQL injection attack, or malware embedded through other means, with the traffic brokers directly undermining webmaster's unethical inclusion of exploits within their domains portfolio.
One thing's for sure - web malware exploitation kits are not just getting localized, they're also being cloned.
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action
Saturday, May 17, 2008
The lone hacktivist also left a message at the malicious domain (wowyeye.cn), which reads :
“The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to email@example.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!”
Go through related posts on the recent Chinese Anti-CNN campaign.
Thursday, May 15, 2008
The detection rates for the time being :
Scanners result : 1/32 (3.13%)
File size: 517632 bytes
Scanners result : 4/32 (12.5%)
File size: 65024 bytes
How would the end user reach these domains from a malicious attacker's perspective at the first place? Once being redirected to them through an already SQL injected or iFrame embedded legitimate site, with evidence of the practice seen in the majority of massive iFrame, SEO poisoning and SQL injections campaigns from the last couple of months.
In the long term, however, features and customizations already adopted by ethical phishing initiatives, would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing this applications for free, greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines :
"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."
Read the entire post - DIY phishing kits introducing new features.
Wednesday, May 14, 2008
"Where’s the enemy, and where’s the enemy’s communications and network infrastructure at the first place? It’s both nowhere, and everywhere, and you cannot DDoS “everywhere”, and even if you waste a decade building up the capability to DDoS everywhere, your adaptive enemy will undermine the resources, time and money you’ve put into the process by avoiding outside-to-inside attacks, and DDoS your infrastructure from inside-to-inside."
Here are related comments on how unnecessary the whole idea is at the first place.
Tuesday, May 13, 2008
What is prompting Chinese users to translate these kits to their native language anyway? Is it the kit's popularity, success rates, lack of alternatives, or capability matching with the rest of the internaltional underground community? I'd go for the last point.
Monday, May 12, 2008
Go through the complete assessment of the tool used for extracting personal data from major career sites as well.
The ongoing development of the tool showcases several important key points, namely, how a market share leader's products in a certain region, Korea in this case, often receive the attention of malware authors embedding product-specific DoS attacks within, and also, the fact that the average script kiddies are continuing getting empowered with access to DDoS tools going beyond the average HTTP request flooders and ICMP flooding attacks. Furthermore, realizing the PSYOPs effect that could be created out of the popularity of this DIY malware, a specific Anti CNN version was released during the Anti CNN attack campaigns, and as you can also see, ABC.com is hard coded as an example of a site to be attacked.
From an unrestricted warfare perspective, what is the difference between someone who has on purposely infected themselves with malware to appear as an infected hosts in this malware's C&C, and when traced back as a participant in the DDoS attacks simply states she's been infected with malware, next to those infected hosts who were unknowingly participating in the DDoS attacks? There wouldn't be any.
In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.
The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.
The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host.
Friday, May 09, 2008
Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."
Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.
Scanners result : Result: 3/31 (9.68%)
File size: 13569 bytes
Thursday, May 08, 2008
In people's information warfare self-mobilization happens consciously, and the anti CNN campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, but Internet bandwidth empowered Chinese user can consciously become a part of a PuppetNet. And while it may also seem logical that the attacking crowds would already be using a well known set of DoS tools, the most recent case demonstrates their capabilities to code and release such DoS tools on demand. For instance, excluding a popular in China DIY malware with custom DDoS capabilities, the rest of the tools were released for this particular campaign.
Furthermore, in between the average password stealers, and DIY malware droppers, there are releases going beyond the average tools, which demonstrate a certain degree of creativity - like this one.
Key features :
- the GUI C&C's objective is to make it easier to control a large number of infected hosts with an interesting option to measure the bandwidth in order to properly allocate it for DDoS attacks
- has a built-in dropping capability for backdooring the already infected hosts through a web shell
- has a built-in dropping capability of several exploits onto the infected hosts in order to use the infected hosts as infection vectors, a malicious infrastructure on demand
- intranet and Internet port scanning
Scanners result : 13/31 (41.94%)
File size: 660659 bytes
Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be used as infection vectors to increase the botnet's population is a new approach applied by the Chinese underground. In comparrison, following an underground's lifecycle, the Chinese one is still more features-centered compared to the Russian one for instance, where once features become a commodity, more emphasis is put into quality assurance and extending the lifecycle of the malware by ensuring it remains undetected for as long as possible - the product concept vs the rootkit stage.
Wednesday, May 07, 2008
The injected pages are loading remote images from what looks like a secondary compromised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. Compared to previous blackhat SEO campaigns that I've assessed in the past taking advantage of redirection only, the layout of the embedded pages in this one is sticking the remotely loading images at the top of the page, and placing the original at the bottom.
The campaign's main URl is ttv-bit.nl/rr/c.php where a redirector is forwarding to canadiandiscountsmeds.com, and these are some of the remotely loading images ttv-bit.nl/rr/s.JPG; ttv-bit.nl/rr/l.JPG; ttv-bit.nl/rr/c.JPG; ttv-bit.nl/rr/v.JPG
Moreover, as in the recent massive SEO poisoning attacks, the referrer is checked, and given that the campaign URL is dedicated to mcc.gov only, only mcc.gov referrers are directed to the spam pages. These blackhat SEO incidents targeting sites with high page ranks, are either the result of the automated process of searching for vulnerable such high page rank-ed sites, or direct abuse of purchased access to the already compromised hosts via web shells or web backdoors.
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam
Building such "hitlists" of end points to be spammed, or served malware, is setting up the foundations for the success of popular tools used for spamming video and social networking sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the message. Moreover, these developments seem to indicate an emerging trend of building databases that would later one be efficiently abused, starting from the Thousands of IM Screen Names in the Wild uncovered in October, 2007, and going to the spamming of Skype users.
Direct applicability for spamming and malware campaigns, or a bargain for finalizing a deal, databases of any kind are prone to be abused in principle, and it's malicious parties in general I'm refering to in this case.
Tuesday, May 06, 2008
"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"
Once watching the demo online, you'll get the feeling that it's actually a real phisher's web interface to spamming out phishing emails, so I guess the bad guys can in fact learn from the good guys standardizing approach and metrics mentality applied.
For the time being, Rock Phish represents the most efficiency centered phishing approach, with a single IP hosting numerous domains, each of those hosting over ten different phishing campaigns on average each of these with a dedicated cybersquatted subdomain. However, with the ongoing commoditization of phishing pages, the localization and segmentation of phishing campaigns, the next logical development would be the public release of a point'n' click web interface for managing real phishing campaigns.
Or perhaps a public leak, given that someone out there might have already came up with such an interface, without the sexy layout? And by the time there hasn't been a release or a leak, spamming tools would continue getting adapted for phishing purposes, and log parsers would be a phisher's best friend in respect to evaluating the success rate of a phishing campaign.