Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 04/08/09

Wednesday, April 08, 2009

A Diverse Portfolio of Fake Security Software - Part Eighteen

With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime committing capabilities.

avs-online-scan .org (209.250.241.164) Oleg Bajenov Email: oleg.bajenov@gmail.com
av-lookup .org
am-scan .com
system-scan-1 .biz
sys-scanner-1 .biz
sys-scan-wiz .biz
scanner-wiz-1 .com

webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: RosalindRLewis@text2re.com
webprotectionscan .com
greatvirusscan .com
beststabilityscans .com

todaybestscan .com (174.129.241.185; 174.129.244.106; 209.44.126.14) Elliott Cameron Email: support@zitoclick.com; Anatolij Andreev Email: yeep33@gmail.com
thebestsecurityspot .com
securitytopagent .com
inetsecuritycenter .com
fullandtotalsecurity .com
activesecurityshield .com
getpcguard .com
websecurityvoice .com
onlinescanservice .com
scanalertspage .com
scanbaseonline .com
bestsecurityupdate .com
getsecuritywall .com
bestfiresfull .com
initialsecurityscan .com
websecuritymaster .com
runpcscannow .com
thegreatsecurity .com
truescansecurity .com
checkonlinesecurity .com
spy-protector-pro .com

DNS servers of notice:
ns1.ahuliard .com
ns2.ahuliard .com
ns1.fuckmoneycash .com
ns2.fuckmoneycash .com
ns1.zitodns .com
ns2.zitodns .com

Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also have parked ilovemyloves .com one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007 which was then parked at the RBN's HostFresh ifrastructure (58.65.239.28). Behind the malware campaign back then was the New Media Malware Gang" (Part Three; Part Two and Part One) which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the groups direct involvement in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary.

It gets even more interesting to see what they're up to in 2009, considering the fact that they have also parked domains used (174.129.241.185 and 174.129.244.106) in currently ongoing Facebook phishing campaign, which is switching themes from Match.com to Classmates.com :

facebook.shared.id-pegxaaei62.emberuiweb .765access.com
facebook.shared.id-0izlud0w6j.launchpad .765access.com
facebook.shared.id-6oxyclcpus.initiated .765access.com
facebook.shared.id-6xcse5q79c.usermanage .765access.com
facebook.shared.id-9q0bfta8bf.login .765access.com
facebook.shared.id-l8rz3d87j7.processlogon .765access.com
facebook.shared.id-m071qcxkf3.version .765access.com
facebook.shared.id-ao7zx28bhw.identification .765access.com
facebook.shared.id-usxeye68vn.secureconnection .765access.com
facebook.shared.id-lc9i4p09yi.disbursements .765access.com
facebook.shared.id-6y8nzpemkx.securedocuments .765access.com
facebook.shared.id-0u1o0e9gyj.cebmainservlet .765access.com
facebook.shared.id-4b16kzpiuk.ceptservlet .765access.com
facebook.shared.id-xqa6odo94z.content .765access.com
facebook.shared.id-5u10q3vp8q.completeserv .765access.com
facebook.shared.id-ql2fzhydat.intvitation .9845account.com
facebook.shared.id-5ajv5861qd.securedocuments .9845account.com
facebook.shared.id-3dcznhmord.statement .9845account.com
facebook.shared.id-o6lo04atww.statement .9845account.com

The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Inside a Zeus Crimeware Developer's To-Do List

Every then and now I get asked a similar question in regard to crimeware kits - which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is - I don't know. And I don't know not because I'm a victim of an outdated situational awareness, but due to the fact that nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand jacking the Zeus brand, is making the answer a little bit more complex than it may seem at the first place.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in a attempt to hijack their Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while. Anyway, once I'm able to sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the way the version number system in the Zeus crimeware, before we take a peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. Zeus version a.b.c.d means that change in A stands for a complete change in the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions from detecting it.

The Q&A applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December, 2008 :

"Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is a now able to receive commands not only by using the send command function, but also during requests for files and logs changes
- Local data requests to the server and the configuration file can be encrypted with RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compressed of the binary
- Rewritten the process of assembling the configuration file
- Changed the MyMSQL tables
- Fixed fonts in the panel due to bogus displaying of characters
- Updated Geolocation database"

The following "To-Do" list, pretty similar to another one which I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection"
- Console-based builder
- Version supporing x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going away from the radar anytime soon, and the main reason for that is not the fact that its exclusive features outperform the ones in the Limbo crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan base, and well established third-party community around it.

Image courtesy of Abuse.ch's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Dancho Danchev