Thursday, October 02, 2008

Managed Fast Flux Provider - Part Two

We're slowly entering a stage where RBN bullet-proof hosting franchises are vertically integrating and, at the request of their customers, are starting to offer what they refer to as "mirrored hosting", which in practice is a plain and simple fast-flux network consisting of RBN-like purchased netblocks and, naturally, botnet-infected hosts.

Managed fast-fluxing is only starting to go mainstream: in July I found evidence that money mule recruiters were using ASProx's infected hosts as hosting infrastructure, and in November 2007 an infamous spamming software vendor was also found to have been offering fast-flux services in the past.

In this most recent fast-flux service, we have a known spammer and botnet master who, in between using the service himself to keep his portfolio of scammy domains online for a "little longer", is commercializing fast-fluxing and offering it as a DIY service:

"Finally after hard work and great appreciation from our normal bullet proof hosting/server clients we are able to launch Mirrored hosting. What is Mirrored hosting?

================
Mirrored hosting is a powerful mirrored web hosting management that uses multiple Virtual servers to host websites with 100% uptime. Mirrored hosting is a combination of two things, which are:

1. Specially Designed Virtual Servers

2. Powerful Automated Control Panel

How does it work?
===============

Mirrored hosting uses specially configured Virtual Servers, making them link with the Mirrored hosting Control Panel, which is then controlled by our own control panel, allowing us to provide smooth, streamlined hosting with no downtime. No one is able to trace the original IP of the server or the place where the files are hosted, so the websites/domains hosted have 100% Uptime. This is achieved by unique customisation of our Virtual Servers.

Actually, it takes IPs from around the world and our powerful control panel just rotates the IPs every 15 minutes. Though all these IPs you will see will be fake, no one can trace the original IP where the files are hosted. Sometimes the IP is from China, Korea, USA, UK, Japan, Lithuania etc.
"

The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it will undoubtedly lower the entry barriers, allowing yesterday's average phishers to use a capability that only the "pros" used to have.
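The rotation the vendor advertises (a new IP every 15 minutes, spread across unrelated networks and countries) is exactly what a defender can key on in passive DNS. The following is an added example, not code from the original post: a small heuristic that scores a domain from constructed resolution records (the domains, IPs and timestamps are made up, and /16 prefixes stand in for ASNs since no lookup is done).

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, answer IP, TTL seconds, minute seen).
# The flux domain rotates its A record every 15 minutes across unrelated networks,
# as the advertised service does; the static domain keeps the same few addresses.
OBSERVATIONS = [
    ("flux-example.invalid", "203.0.113.10", 300, 0),
    ("flux-example.invalid", "198.51.100.77", 300, 15),
    ("flux-example.invalid", "192.0.2.200", 300, 30),
    ("flux-example.invalid", "203.0.113.44", 300, 45),
    ("flux-example.invalid", "198.51.100.9", 300, 60),
    ("flux-example.invalid", "192.0.2.31", 300, 75),
    ("static-example.invalid", "203.0.113.5", 86400, 0),
    ("static-example.invalid", "203.0.113.5", 86400, 60),
    ("static-example.invalid", "203.0.113.6", 86400, 120),
]

def summarize(observations):
    """Per domain: distinct IPs, distinct /16 prefixes, lowest TTL, answer changes."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                      "ttl": None, "changes": 0, "last": None})
    for domain, ip, ttl, _minute in sorted(observations, key=lambda o: (o[0], o[3])):
        d = per_domain[domain]
        d["ips"].add(ip)
        # /16 is a crude offline stand-in for "different network" (no ASN lookup here)
        d["prefixes"].add(".".join(ip.split(".")[:2]))
        d["ttl"] = ttl if d["ttl"] is None else min(d["ttl"], ttl)
        if d["last"] is not None and d["last"] != ip:
            d["changes"] += 1
        d["last"] = ip
    return per_domain

def flux_score(s):
    """0..4: short TTL, many IPs, IPs across several networks, frequent rotation."""
    return sum([
        s["ttl"] is not None and s["ttl"] <= 600,
        len(s["ips"]) >= 5,
        len(s["prefixes"]) >= 3,
        s["changes"] >= 3,
    ])

def classify(observations, threshold=3):
    """Return {domain: (score, flagged)}; flagged means score >= threshold."""
    return {dom: (flux_score(s), flux_score(s) >= threshold)
            for dom, s in summarize(observations).items()}

if __name__ == "__main__":
    for dom, (score, flagged) in classify(OBSERVATIONS).items():
        print(f"{dom}: score={score} fast_flux={flagged}")
```

On real data the /16 check should be replaced by an ASN or country lookup, since a single hosting provider can legitimately answer from several /16s.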

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Knock, Knock, Knockin' on Carder's Door

This video of Cha0's bust earlier this month in Turkey is a perfect example of what happens when someone starts over-performing in the field of carding.


Try counting the desktops, and notice the "full package" a carder can dream of - the box full of ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of sale) terminals, the house and swimming pool, and, of course, the hard cash.

Monetizing Infected Hosts by Hijacking Search Results

When logs with accounting data are no longer of interest due to low liquidity on the underground market, monetization of the infected hosts comes into play.

This web-based malware looks like an early beta aiming to scale; its only unique features are its ability to hijack the infected user's searches and serve relevant ads courtesy of the affiliate networks the administrator participates in, plus an integrated DDoS module that the author simply stole from another kit. Strangely, although it's 2008, the author also included the ability to turn on the telnet service on an infected host.

With the search-hijacking feature easy for other kits to duplicate, this web-based malware is a great example of how a time-to-market mentality lacking any real hands-on experience (the malware cannot intercept SSL sessions, unlike the majority of crimeware kits) ends up producing a weird hybrid of random features.

Customerization will inevitably prevail over the product concept mentality.

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Such disclaimers make you wonder what the point is of including a notice that shifts responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots and promising to include new exploits in the kit.

For the time being, this recently released copycat web exploitation malware kit includes two PDF exploits, IE snapshot and, naturally, MDAC, with a DIY builder for the binary. Here's the disclaimer, strongly reminiscent of Zeus's copyright notice:

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." This is surreal considering that the kit is an open-source one and, just as we've seen with a recent modification of Zeus, if it included unique features (which it doesn't) others would build upon its foundations.


Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits, 250 got exploited with outdated and already patched vulnerabilities. Diversifying the exploit set would therefore have increased the number of exploited hosts.

With IE6 visitors exploited at 46% overall, it is hard not to notice that, just like Stormy Wormy's historical persistence in using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.