Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 05/20/08

Tuesday, May 20, 2008

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.

Go through the complete post - Pro-Serbian hacktivists attacking albanian web sites.

Related posts:

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Fake PestPatrol Security Software

Continuing the rogue security software series I've just stumbled upon a fake PestPatrol site - pest-patrol.com (85.255.121.181) hosted at the the RBN connected Ukrtelegroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), just like the majority of sites assessed in previous posts.

Where's the malware at pest-patrol.com? In one of these anecdotal cases, the way the people behind these rogue sites use the same template over and over again, and consequently forget to change the rogue software's name, in this case, not only is pest-patrol.com's mail server responding to antispycheck.com, but they've also uploaded a broken template.

Dancho Danchev

All You Need is Storm Worm's Love

The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm.

These are Storm Worm's latest domains where the infected hosts try to phone back :

cadeaux-avenue.cn (active)
polkerdesign.cn (active)
tellicolakerealty.cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails : glinson156 @ yahoo.com

Related DNS servers for the latest campaign :

ns.orthelike.com
ns2.orthelike.com
ns3.orthelike.com
ns4.orthelike.com
ns.likenewvideos.com
ns2.likenewvideos.com
ns3.likenewvideos.com
ns4.likenewvideos.com

Storm Worm related domains which are now down :

centerprop.cn
apartment-mall.cn
stateandfed.cn
phillipsdminc.cn
apartment-mall.cn
biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
ibank-halifax.com
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.

Related posts:
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Dancho Danchev