Wednesday, February 13, 2008

Statistics from a Malware Embedded Attack

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on one of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, and the browsers and OSs they were using, in combination with confirming the malware kit used, could result in a rather accurate number of infected hosts per campaign. It's an OSINT technique: given that enough such stats are obtained and properly analyzed, we'd easily come to a quantitative conclusion on the number of malware infected hosts per campaign or malware group in question.

In this particular case, 99% of the traffic for the last three days came from a single location that's using multiple IFRAMEs to make it hard to trace back the actual number of sites embedded, since there's no obfuscation at the first level - vertuslkj.com/check/versionl.php?t=585 - (58.65.239.114) is also loading vertuslkj.com/n14041.htm and vertuslkj.com/n14042.htm. As for the countries where all the traffic was coming from, take a peek at the second screenshot. The big picture has to do with another operational intelligence approach, namely establishing the connections between the malicious hosts that participated in the campaign; in this case it's between groups known to have been exchanging infrastructure for a while.

Visualizing a SEO Links Farm

This visualization was generated over a month ago, using one of the two search engine optimization link farms I blogged about before as a sample. Perhaps the most important issue to point out is that the farms are automatically generated with the help of blackhat SEO tools, where the level of internal linking has been set to a relatively modest one: for instance, the core pages extensively link one another, but a huge proportion of the SEO content remains buried a number of hops deep that a crawler may not be interested in making. This could be automatically taken care of in the process of generating the content, to end up with a closed circle when visualizing.
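To make the "buried content" point concrete, here is an added example (not code from the original post) that builds a constructed link farm graph, a cross-linked core plus chains of content pages, and measures how much of it a crawler with a hop limit actually sees; the page names, chain sizes and the close_circle helper are all assumptions for illustration.

```python
from collections import deque

def build_farm(core=4, chains=3, chain_len=5):
    """Constructed link farm (hypothetical): a densely cross-linked core and
    chains of content pages that are only reachable by walking hop after hop."""
    graph = {}
    core_pages = [f"core{i}.html" for i in range(core)]
    for p in core_pages:
        graph[p] = [q for q in core_pages if q != p]   # core links everything
    for c in range(chains):
        prev = core_pages[c % core]                    # each chain hangs off the core
        for d in range(chain_len):
            page = f"chain{c}_depth{d + 1}.html"
            graph[prev].append(page)                   # one link per hop
            graph[page] = []                           # dead end until closed
            prev = page
    return graph, core_pages

def hop_depths(graph, seeds):
    """Breadth-first walk from the seed pages; returns {page: minimum hop count}."""
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        page = queue.popleft()
        for link in graph.get(page, []):
            if link not in depth:
                depth[link] = depth[page] + 1
                queue.append(link)
    return depth

def crawl_coverage(graph, seeds, max_hops):
    """Fraction of all farm pages a crawler sees if it stops after max_hops."""
    depths = hop_depths(graph, seeds)
    return sum(1 for d in depths.values() if d <= max_hops) / len(graph)

def buried_pages(graph, seeds, max_hops):
    """Pages the crawler never reaches: the SEO content that stays buried."""
    depths = hop_depths(graph, seeds)
    return sorted(p for p in graph if depths.get(p, float("inf")) > max_hops)

def close_circle(graph, core_pages):
    """Link every dead-end page back into the core, the 'closed circle' the
    generator could produce so that the visualised graph has no loose ends."""
    for links in graph.values():
        if not links:
            links.append(core_pages[0])
    return graph
```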

The New Media Malware Gang - Part Three

Boutique cybercrime organizations are on the verge of extinction, and are getting replaced by cybercrime powerhouses, the indication for which is the increase of static netblocks used by well known groups such as the ones I've been exposing for a while. Take the New Media Malware Gang for instance, and its entire portfolio of malicious domains that keeps expanding to include the latest ones such as:


And with MPack's now easily detectable routines, they're migrating to the Advanced Pack, a copycat malware exploitation kit; the trouble is that it's all done in an organized and efficient manner.

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site:

"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ntkrnlpa.info/rc/?i=1 (85.114.143.207), which also responds to zief.pl, where obfuscated code tries to serve ntkrnlpa.info/rc/load.exe through the usual diverse set of exploits served by MPack.

Detection rate: 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j
File size: 8704 bytes
MD5: 31f8a31adfdff5557876a57ff1624caa
SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly, as you can see in the attached screenshot indicating a huge number of different malware samples that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder whether the vendor would brag about their outbreak response time regarding the malware that came out of their site, in times when malware authors are waging polymorphic DoS attacks on vendors' and researchers' honeyfarms to generate noise?