Tuesday, March 31, 2009

Diverse Portfolio of Fake Security Software - Part Seventeen

The following are some of the currently active/about to go online rogue security software domains, and their associated payment gateways exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well known Russian Business Network customers continues taking place, with their portfolios of malicious campaigns currently parked several ISPs. zlkon.lv (DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being, in the context of rogue security software.

mydwnld .com (94.102.51.14; 88.198.8.15; 94.102.51.14)
desktoprepairpackage .com
malwareremovingtool .com
spywareprotectiontool .com
pcantimalwaresolution .com

pcsolutionshelp .com
removespywarethreats .com


yournetcheckonline .com (94.247.2.215)
bestnetcheckonline .com
easynetcheckonline .com
yourwebexamine .com
bestwebexamine .com
easywebexamine .com
yourinternetexamine .com
myinternetexamine .com
linkcanlive .com
yourwebscanlive .com
easywebscanlive .com
internethomecheck .com
websecurecheck .com
websportscheck .com
websmartcheck .com
yournetascertain .com
yournetcheckpro .com
bestwebscanpro .com
security-check-center .com
downloadantivirusplus .com
theantivirusplus .com
myantivirusplus .com
safeyouthnet .com
av-plus-support .com


antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com
microsoft.infosecuritycenter .com
microsoft.softwaresecurityhelp .com
professionalupdateservice .com
platinumsecurityupdate .com
platinumsecurityupdate .com

antispywarequickupdates .com (78.137.168.33)

paymentsystemonline .com (213.239.210.54) Jerom M Collins Email: admin@routerpayments.com
liveupdatesoftware .com
royalsoftwareupdate .com
protectionsoftwarecheck .com
securitysoftwarecheck .com
privateupdatesystem .com
updatesoftwarecenter .com
updateprotectioncenter .com
updatepcsecuritycenter .com
powerdownloadserver .com
rapidsoftwareupdates .com
professionalsoftwareupdates .com
allsoftwarepayments .com
powerfullantivirusproduct .com
securedprostatsupdates .cn


liveantimalwareproscan .com (91.211.64.47) Giang B Ahrens Email: chu-thi-huong@giang.com
liveantimalwarequickscnan .com
online-antimalware-scanner .com
advancedprotectionscanner .com
advancedproantivirusscanner .com


securedsystemupdates .com (78.47.248.113) Anatoliy Lushko Email: tvdomains@lycos.com
premiumworldpayments .com
systemsecuritytool .com (209.44.126.16)
systemsecurityonline .com
internetsafetyexamine .com (91.212.65.55)
youronlinestability .com
promotion-offer .com (78.46.148.49; 85.17.254.158; 88.198.233.225; 89.248.168.46) Email: Roland Peters rolandpeters@europe.com

During March, a new type of scareware with elements of ransomware started circulating in the wild. It will be interesting to monitor whether it will become the de-facto standard for optimizing revenues out of rogue security software.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Thursday, March 26, 2009

A Diverse Portfolio of Fake Security Software - Part Sixteen

The following are some of the very latest typosquatted rogue security software domains pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 2.0 services.

yourstabilitysystem .com (209.44.126.14)
onlinescanservice .com
scanalertspage .com
getscanonline .com
bestfiresfull .com
yourstabilitysystem .com
mostpopularscan .com
vistastabilitynow .com
scanvistanow .net
vistastabilitynow .net


central-scan .com (212.117.165.126) Maureen Whelan Email: maureenwhelanjr@googlemail.com
royalsoftwareupdate .com
uptodate-protection .com
updatesoftwarecenter .com
webscannertools .com


protectprivacy18 .com (209.249.222.48) Arnes Skopec Email: arnessl2370@gmail.com
malwarescanner20 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com


malwaredefender2009 .com (67.43.237.75) Josef Branc Email: jsfsl2341@googlemail.com
systemguard2009 .com
systemguard2009m .com


angantivirus-2009 .com (70.38.73.26)
angantivirus2009 .com

check-ms-antivirus .com (78.26.179.131) Brett Quihuiz Email: BrettQuihuiz@gmail.com
ms-loads-av .com (78.26.179.137) Hou Stephen Email: StepDunnu@gmail.com
secure-data-group .com (209.8.45.147) Joseph Barnes Email: jhbarnes40@gmail.com

dlmaldef09 .com (67.43.237.78) Josef Branc Email: jsfsl2341@googlemail.com
dlsgd3 .com
getsgd3 .com
getsysgd09 .com
getmaldef09 .com
dlsg09 .com
getsg09 .com


gomaldef09 .com (67.43.237.77) Josef Branc Email: jsfsl2341@googlemail.com
gosgd3 .com
gosysgd09 .com
gosg09 .com


anti-virus-2010-pro .info (70.38.19.201) Ivan Durov Email: idomains.admin@gmail.com
av2010pro .com
anti-virus-1 .info
bestdownloadav1 .info
antivirus1-site .info
anti-virus-2010-pro-downloads .info
anti-virus1-installs .info


webprotectionreads .com (94.247.3.74)
stabilitytraceweb .com
safetyscanworld .com
instantsecurityscanworld .com
thestabilityinternetworld .com
stabilityexamineguide .com
scanusonline .com
websafetynetscan .com
websafetynetscan .com
webstabilityscan .com


Bad, bad, cybercrime-friendly ISPs!

Related posts:
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Wednesday, March 25, 2009

Embassy of Portugal in India Serving Malware

Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India has been compromised (embportindia.co.in). Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Rusian Business Network's pre-shutdown netblocks and static locations.

The very same domain using the same web traffic redirection script,  used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet .com/index.php?cocacola84 (94.247.3.151) where Multiple Adobe Reader and Acrobat buffer overflows are served :

zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf

The second iFramed domain ntkrnlpa .cn/rc/ (159.226.7.162) has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed with the iFrame back then (ntkrnlpa .info/rc/?i=1) pointing to the Russian Business Network's original netblock It gets even more interesting when you take into consideration the fact that ntkrnlpa.info was also sharing ifrastructure with zief.pl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Zief.pl is also service of choice for certain campaigns of the Virut malware family, irc.zief.pl in particular.

It gets even more malicious considering that on the same IP (ntkrnlpa .cn/rc/ 159.226.7.162) where one of the malware domains in the embassy's campaign is parked, we can easily spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year's IE7 massive zero day exploit serving campaign.  Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it.

A reincarnation of a well known RBN domain, confirmed participation at related compromises of embassy web sites by the same group, sharing ifrastructure with domains from a massive IE7 ex-zero day attack and hosting Zeus crimeware command and control locations -underground multitasking at its best.

Related posts:
Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Thursday, March 19, 2009

Crimeware in the Middle - Limbo

While you were out - "Cybercrime-as-a-Service is finally taking off" and a $400 will get you in the hacking business. Such a mentality speaks for an outdated situational awareness.

Cybercrime as a service originally started in the form of "value-added" post-purchase services, the now ubiquitous lower detection rate management for a malware binary, and anti-abuse domain hosting for the command and control interface, several years ago. As far as the $400 required as an entry barrier into cybercrime no longer exists. In reality, pirated copies each and every web malware exploitation kit including the proprietary crimeware kits are becoming more widespread these days.

The cybercrime economy has not only matured into a sophisticated services-driven marketplace a long time ago, but also, nowadays we can clearly see how standardizing the exploitation approach is inevitably resulting in efficiencies -- think web malware exploitation kits with diverse exploits sets and massive SQL injection attacks. The underground economy is in fact so vibrant, that the existing monoculture on the crimeware front is already allowing cybercriminals to hijack the crimeware botnets of other cybercriminals unaware of the fact that they're running an oudated copy of their kit.

Followed by Zeus and Adrenalin, it's time to profile Limbo, an alternative crimeware kit that's been publicly available for purchase since 2007. Interestingly, none of these kits can compare to the current market share of Zeus, perhaps the most popular crimeware kit these days, a development largely driven by the community build around Zeus, and the major enhancements introduced within the kit on behalf of third-party developers.

Here's what Limbo is all about:

"It works on the principle of the add-in to Internet Explorer, not visible in the processes to make the logs being hidden from the firewall redirector, and other programs to monitor network activity. Supplied as a loader, which is removed after the launch, unpacks itself and make all necessary entries in the registry. When you first start IE it cleans Cookies, reads Protected Storage (Autosaved passwords in IE, Outlook passwords, etc.) Whenever a user visits the monitored sites, Limbo intercepts the parameters which are later on transmitted to the server once the user presses the browser key.

Commands:
- Update the binary
- Launch arbitrary exe file 
- Update configurator (xml file available)
- Cleaning Cookies
- Remove Limbo
- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a system of keys
- Exclude all the keys for Bank of America, as well as other banks of keys (control questions asked again, and you can intercept the answers to them)
- Add to your hosts - to block a certain site (it seems as if it does not boot at all)
- Reboot Windows
- Destroy Windows

Main features:
- Grabs data from forms, including data around forms (all in a row or a pattern described in the configuration file)
- Logging of keystrokes in the browser, at the time when the user enters something in the edit form (it is sometimes useful - for example when the entered data is encrypted after submit form)
- Logging of virtual keyboards (universal technology was developed for the Turkish and Australian banks)
- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are in the archive, the archive is created from the user on the computer.
- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) - it is useful to force the user to enter answers to security questions
- Scam page redirection (the fake of same page with the substitution of the address bar of IE and the status bar on infected hosts)
- Harvesting of emails (including the address book user) - by request includes this possibility
- Set the filter for sites that do not need to intercept
- Simple injects-based system (paste your text input field on a particular site - for example, to ask for a pin Holder)
- Smart injects system - blocking form until user input is not injected into the data fields (checking for the count-woo characters of their type - the numbers or letters)
- TANs grabbing - vital for the German sites

Paid only features: 
- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one bank
- Autocomplete of hijacked session (eg when a user makes a transfer, useful if the transfer requires the SMS confirmation. Strictly tied to a particular bank only.

PHP based admin includes: 
- Mapping of users to the admin
- Directing teams selected users
- Delete commands and users
- Showing the status of the command
- Mapping and IP users
- Ability to delete tax
- Display the size of logs
- Search for logs
- Archiving of logs
- Filter by country
- Possibility of sending logs to email
- Statistics on infection
- View collected emails
- The giving of the notes selected users
- The last call
- Displaying a page by page (say 200 records per page)
- An opportunity to log everything in one file (optional)
- Sorting of logs according to different criteria
- Delete all logs
- Have the opportunity to log into mysql, as well as the ability to search for him there is (an order of magnitude faster search)

These commands are downloaded to the host after a certain period of time and performed in the admin panel you can see the status of commands for a specific user - download \ downloaded but not executed \ implemented."

With crimeware in the middle, no SSL/two-factor based authentication can ensure a non-transparent to the eyes of the cybercriminal transaction.

Related posts:
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Wednesday, March 18, 2009

Ethiopian Embassy in Washington D.C Serving Malware

Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Washington D.C (ethiopianembassy.org) has been compromised and is currently iFrame-ed to point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a multitasking mode since the iFrame used to act as a redirector in several other malware campaigns.

Despite that the iFrame domain (1tvv .com/index.php) is already "taken care of", details on the original campaign can still be provided. Multiple dynamic redirectors with a hard coded malware serving domain are nothing new, thanks to sophisticated traffic management kits allowing this to happen. The mentality applied here is pretty simple and is basically mimicking fast-flux as a concept.

With or without one of the redirection domains, the campaign keeps running like the following: us18.ru/@/include/spl.php (91.203.4.112) as the hard coded malware serving domain within the mix, is currently serving Office Snapshot Viewer, MDAC, Adobe Collab overflow exploits etc. courtesy of web malware exploitation kit (Fiesta). Traffic management is done through trafficinc .ru and trafficmonsterinc .ru also parked at 91.203.4.112 with Win32.VirToolObfusca served at the end.

Related posts:
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Thursday, March 12, 2009

Who's Behind the Estonian DDoS Attacks from 2007?

The rush to claim responsibility for 2007's DDoS attacks against Estonia

Wednesday, March 11, 2009

Azerbaijanian Embassies in Pakistan and Hungary Serving Malware

The very latest addition to the "Compromised International Embassies Series" are the Hungarian and Pakistani embassies of the Republic of Azerbaijan, which are currently iFramed with exploits-serving domains.

Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies?  Depends, and while the USAID.gov attack was exclusively orchestrated for their section, the Pakistani and Hungarian ones are part of a more widespread campaign. Theoretically, this could be a noise generation tactic. Here's a brief assessment of the attacks.

Both embassies are embedded with identical domains, parked at the same IP and redirecting to the same client-side exploits serving URL operated by Russian cybercriminals. filmlifemusicsite .cn/in.cgi?cocacola95; promixgroup .cn/in.cgi?cocacola91; betstarwager .cn/in.cgi?cocacola86 and betstarwager .cn/in.cgi?cocacola80 all respond to (78.26.179.64; 66.232.116.3) and redirect to clickcouner .cn/?t=5 (193.138.173.251)

Parked domains at 78.26.179.64; 66.232.116.3 :
denverfilmdigitalmedia .cn
litetopfindworld .cn
nanotopfind .cn
filmlifemusicsite .cn
litetoplocatesite .cn
litedownloadseek .cn
yourliteseek .cn
diettopseek .cn
bestlotron .cn
promixgroup .cn
betstarwager .cn


What prompted this sudden attention to Azerbaijanian web sites? Azerbaijan's President visit to Iran in the same week when Russian Foreign Minister Sergei Lavrov is visiting Azerbaijan? And why is the phone back domain for the malware served at the USAID.gov site phoning back to a well known Russian Business Network domain (fileuploader .cn/check/check.php) which was again active in January, 2008 and used by one of my favorite malware groups to monitor during 2007/2008 - the "New Media Malware Gang" (Part Three; Part Two and Part One)?

Food for thought.

Related posts:
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Monday, March 09, 2009

Inside (Yet Another) Managed Spam Service

Several years ago, getting into the spam business used to involve the process of harvesting emails, figuring out ways to segment the database, localize the spam campaign by using a free translation service eventually ruining the social engineering effect, creating your very own botnet and coming up with creative ways to bypass anti-spam filters, ensuring the botnet remains operational, coming up with ways to obtain access to IPs with clean reputation, with little or no campaign effectiveness measurement at all..

These relatively higher market entry barriers are long gone. Today, every single step in the spamming process is managed and can be outsourced in a cost-effective manner to the point where the one-stop-shop spam vendors have vertically integrated and occupied every single market segment possible in order to increase the "lifetime value" of their potential customers.

When do you know that it's going to get uglier in the long term? It's that very special moment in time when the backend for such a managed spam system utilizing malware infected hosts and legitimate servers for achieving its objectives, goes mainstream and its authors remove the "proprietary, high-profit margin revenues earning business model" label from it.

And with this particular moment in time already a fact since the middle of 2008 (Spamming vendor launches managed spamming service), yet another new market entrant is pitching its managed spam service with the ambition to monetize his access to a particular botnet, and break-even from the investment made in the backend system.

With 9 different campaigns already finished (see the top screenshot) and another one currently in progress spamming out 3215 emails using 1672 infected hosts based on a harvested email database consisting of 306204 emails (notice the percentage of non-existent emails potentially spam-poison traps), his business model is up and running.

Further developments and new features within the service would remain under close monitoring in the future as well. In particular, the original vendor's updates which would ultimately affect all of his "value-added partners" improved managed spamming capabilities.

Wednesday, March 04, 2009

Russian Homosexual Sites Under (Commissioned) DDoS Attack

From Russia with homophobia?

A week long DDoS attack launched against Russia's most popular commercial homosexual sites has finally ended. The simultaneous attack managed to successfully shut down the web servers of most of the sites, which responded with filtering of all traffic that is not coming from Russia. Ironically, the attack was in fact coming from Russian, courtesy from a botnet operated by a DDoS for hire service.

Here's a list of the sites that were subject to the DDoS, with the majority of them returning "503 Service Temporarily Unavailable" error message during last week :
gogay.ru
1gay.ru
androgin.ru
boysclub.ru
egay.ru
gaylines.ru
gaymoney.ru
gayplanet.ru
gayrelax.ru
xabalka.ru


On the 25th of January, gogay.ru was among the few sites to issue a statement and confirm the attacks offering financial reward for information leading to the source :

"Yesterday (25 February), our site is subjected to serious hacker attacks (flood-attack capacity of 2 Mbit / sec). The attack reflected, but is still continuing at other gay sites 1gay.ru, egay.ru, xabalka.ru and so on. If you have any information (we are willing to pay for инфу of tailor-made) on the causes of the attack, if you - the webmaster and your own gay website exposed attacks (if the last few days your site has been slow to load and create a greater burden - it is very likely that the same attack, only disguised), sabotage, blackmail or extortion by unidentified persons - always contact us."

Since the sites are commercial providers of homosexual multimedia content and are thereby bandwidth-consuming, the attacks were aiming to disrupt their business operations, and they managed to do so. Russia's government is well known to have a rather violent take on homosexuality in general, and with overall availability of outsourced DDoS attack services offering anonymity and destructive bandwidth, the efforts to request such an attack remain minimal.