Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 04/01/08

Tuesday, April 01, 2008

HACKED BY THE RBN!

The RBN 0wnZ 7th1$ Bl0g! April 1st, 2008, St.Petersburg, Russia. The Russian Business Network, an internationally renowned cyber crime powerhouse is proud to present its very latest malware cocktail by embedding live exploit URLs within one of the top ten blogs to be malware embedded due to their overall negative attitude regarding the RBN's operational activities. A negative attitude that's been nailing down the RBN's cyber coffin as early 2007, prompting us to hire extra personel, thereby increasing our operational costs.

Hijacked readers of this blog, executing the harmless to a VMware backed up PC setup files below, will not just strengthen our relationship by having your computer contact ours, but will also help us pay for the infrastructure we use to host these, and let us continue maintaining our 99% uptime even in times of negative attitude on a large scale against our business services.

How can you too, support the RBN, just like hundreds of thousands customers whose computers keep on connecting to ours already did? Do the following :

- Execute our very latest, small sized executable files and let them do their job

58.65.239.42/jdk7dx/ inst250.exe
58.65.239.42/jdk7dx/ alexey.exe
58.65.239.42/jdk7dx/ 6.exe
58.65.239.42/jdk7dx/ 1103.exe
58.65.239.42/jdk7dx/ eagle.exe
58.65.239.42/jdk7dx/ krab.exe
58.65.239.42/jdk7dx/ win32.exe
58.65.239.42/jdk7dx/ pinch.exe
58.65.239.42/jdk7dx/ ldig0031242.exe
58.65.239.42/jdk7dx/ 64.exe
58.65.239.42/jdk7dx/ system.exe
58.65.239.42/jdk7dx/ bhos.exe
58.65.239.42/jdk7dx/ bho.exe

- Once you've executed them, make sure you initiate an E-banking transaction right way. Do not worry, you don't to give us your banking details for the donation, we already have them, and will equally distribute your income by meeting our financial objectives

- Now that you're done transfering money, authenticate yourself at each every web service that you've ever been using. Trust is vital, and so that we've trusted you by providing you with our latest small sized executable files, it's your turn to trust us when asking you to do so

- Don't forget to plug-in any kind of writeble removable media once you've executed the files above as well, as we'd really like to deepen our relationship by storing them, and having them automatically execute themselves the next time you plug-in your removable media

- Sharing is what drives our business. Just like the way we've shared and trusted with by providing you with direct links to our executables, in exchange we know you wouldn't mind sharing some of that free hard disk space you have for our own distributed hosting purposes

Stop hating and start participating, join our botnet TODAY! Don't forget, diamonds degrade their quality, hosting services courtesy of the RBN are forever!

Sincerely yours,
"HostFresh" - RBN's Hong Kong subsidiary

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Cybersquatting Symantec's Norton AntiVirus

For the purpose of what? Upcoming fraudulent activities, again courtesy of Interactivebrand's undercover domains portfolio having registered the following domains cybersquatting Norton AntiVirus, next to the PandaSecurity and McAfee ones I listed in a previous post :

antivirus-norton.org
norton-2007.org
norton-antivirus-2007.org
norton-virus-scan.org
nortonsecurityscan.org
norton-antivirus-2007.net
norton-antivirus-2008.net
norton2008.net
nortonantivirus2007.net
nortonantivirus2008.net
nortonsecurityscan.net
norton-2008.com
norton-antivirus2007.com
norton-virus-scan.com
nortonsecurity2008.com

Registed and again operated by :

Interactivebrands
Tech City:St-Laurent
Tech State/Province:Quebec
Tech Postal Code:H4L4V5
Tech Country:CA
Tech Phone:+1.5147332556
Tech FAX:+1.5147332533
Tech Email:admindns @ interactivebrands.com

Now that's a proactive response to another upcoming scam, an here are some comments on one of the domains.

Dancho Danchev

UNICEF Too IFRAME Injected and SEO Poisoned

The very latest, and hopefully very last, high profile site to successfully participate in the recently exposed massive SEO poisoning, is UNICEF's official site. In fact the campaign is so successful, where successful means that each and every poisoned result loads the injected IFRAME using UNICEF.org as a doorway to pharmaceutical spam and scams, that one of the most prolific domains within the IFRAMES (highjar.info) is already returning "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later" messages.

This is the perfect moment to point out that as of yesterday's afternoon the search engines that were indexing the SEO poisoned pages have implemented filters so that the malicious pages no longer appear in their indexes, thereby undermining the critical success factor for this campaign - hijacking search traffic. Case closed? At least for now, and even though the black hat SEO is taken care of the last time I checked, some of the sites originally mentioned, and many others still need to take care of the web application vulnerabilities.

Tracking this campaign in a detailed manner inevitably results in a quality actionable intelligence data, in between the added value out of the historical preservation of evidence. The malicious parties behind this know what they're doing, they've been doing it in the past, and will continue doing it, therefore it's extremely important to document what was going on at a particular moment in time. It's all a matter of perspective, some care about the type of vulnerability exploited, others care who's hosting the rogue security applications and the malware, others want to establish the RBN connection, and others want to know who's behind this. Virtual situational awareness through CYBERINT is what I care about.

Let's close the case by assessing UNICEF.org's IFRAME injection state as of yesterday's afternoon. What is highjar.info/error (75.127.104.26) anyway? Before it felt the "UNICEF effect" in terms of traffic, it used to be a "Easy SEO | A Coaching Site For BEGINNING webmasters". And the last time it was active, the injected redirect was forwarding to ravepills.com/?TOPQUALITY (69.50.196.63) and RavePills is what looks like a "legal alternative to Ecstasy" :

"On the other hand, Rave is the safest option available to you without the fear of nasty side-effects or a long time in jail. Rave gives you the same buzz that the illegal ones do but without any proven side-effects. It's absolutely non-addictive & is legal to possess in every country. Rave gives you the freedom to carry it anywhere you go as it also comes in a mini-pack of 10 capsules."

IFRAMES injected within UNICEF.org :

highjar.info (75.127.104.26)
viagrabest.info (81.222.139.184)
pharmacytop.net (216.98.148.6)
grabest.info

Now that the entire campaign received the necessary attention and raised awareness on its impact, let's move onto the next one(s), shall we?

Dancho Danchev

A Commercial Web Site Defacement Tool

On the look for creative approaches to cash out of selling commodity tools and services, malicious parties within the underground economy continue applying basic market approaches to further commercialize what was once a tax free area. Commercial click fraud tools, managed spamming services and fast-fluxing on demand, botnets and DDoS attacks as a service, malware pitched as a remote access tool with limited functionality to prompt the user to buy the full version, malware crypting as a service, and the very latest indication for this trend is the availability of commercial web site defacement tools.

There's a common misunderstanding regarding web site defacement tools, namely that of a defacer on purposely targeting a specific domain. That's at least the way it used to be, before defacers started embracing the efficiency model, namely deface anyone, anywhere, than parse the successful defacements logs, come across a high profile site and make sure the entire defacers community knows that they've defaced it - well at least their automated web sites defacement tools did in a combination with remotely included web backdoors.

This particular commercial web site defacement tool's main differentiation factor compared to others is it's efficiency centered functionability, namely it has a built-in Zone-H defacement archive submission. Moreover, within the functions changelog we see :

"Choose number of perm folder to check it and go another site with out load all perm it cause to deface with more speed; Working back proxy and cache servers; Get Connect back with php in all servers that safe mode is Off ( with out need any command same as system() ; Auto Detect Open Command"

It is such kind of commercialization approaches of commodity goods that increase the market valuation of the underground economy in general, one thing for sure though - while certain parties are messing up with entry barriers making it damn easy to launch a phishing or a malware attack, others are trying to prove themselves as aspiring entrepreneurs. In the long-term, I'd rather we have defacers deface than consolidate with phishers, spammers and malware authors for the purpose of malware embedded attacks, hosting and sending of scams, a development that is slowly starting to take place despite my wishful thinking.

Related posts:

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists

Dancho Danchev