Saturday, September 11, 2010

Summarizing 3 Years of Research Into Cyber Jihad


From the "been there, actively researched that" department.
  1. Tracking Down Internet Terrorist Propaganda
  2. Arabic Extremist Group Forum Messages' Characteristics
  3. Cyber Terrorism Communications and Propaganda
  4. A Cost-Benefit Analysis of Cyber Terrorism
  5. Current State of Internet Jihad
  6. Analysis of the Technical Mujahid - Issue One
  7. Full List of Hezbollah's Internet Sites
  8. Steganography and Cyber Terrorism Communications
  9. Hezbollah's DNS Service Providers from 1998 to 2006
  10. Mujahideen Secrets Encryption Tool
  11. Analyses of Cyber Jihadist Forums and Blogs
  12. Cyber Traps for Wannabe Jihadists
  13. Inshallahshaheed - Come Out, Come Out Wherever You Are
  14. GIMF Switching Blogs
  15. GIMF Now Permanently Shut Down
  16. GIMF - "We Will Remain"
  17. Wisdom of the Anti Cyber Jihadist Crowd
  18. Cyber Jihadist Blogs Switching Locations Again
  19. Electronic Jihad v3.0 - What Cyber Jihad Isn't
  20. Electronic Jihad's Targets List
  21. Teaching Cyber Jihadists How to Hack
  22. A Botnet of Infected Terrorists?
  23. Infecting Terrorist Suspects with Malware
  24. The Dark Web and Cyber Jihad
  25. Cyber Jihadist Hacking Teams
  26. Two Cyber Jihadist Blogs Now Offline
  27. Characteristics of Islamist Websites
  28. Cyber Traps for Wannabe Jihadists
  29. Mujahideen Secrets Encryption Tool
  30. An Analysis of the Technical Mujahid - Issue Two
  31. Terrorist Groups' Brand Identities
  32. A List of Terrorists' Blogs
  33. Jihadists' Anonymous Internet Surfing Preferences
  34. Sampling Jihadists' IPs
  35. Cyber Jihadists' and TOR
  36. A Cyber Jihadist DoS Tool
  37. GIMF Now Permanently Shut Down
  38. Mujahideen Secrets 2 Encryption Tool Released
  39. Terror on the Internet - Conflict of Interest
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, September 08, 2010

Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this would be a pretty short historical OSINT post -- catching up is in progress -- detailing the structure of several campaigns that took place throughout July-August, 2010, and (as always) try to emphasize on the connection with historical malware campaigns profiled on my personal blog.

Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex shipment status themed invoices", and "Office-themed documents".

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip

Detection rates, phone back URLs, and connections with previously profiled campaigns:
- news.exe - Trojan.Bredolab-993 - 40/ 43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- journal club articles.exe - Backdoor/Bredolab.edb - 41/ 43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
188.65.74.161 /mrmun_sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.3 /outlook.exe - AS48691 - ACTIVE

- outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/ 43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com - 188.65.74.164 - Email: info@blackry.com


Responding to 188.65.74.164 at AS42473 are also:
wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are know to have been serving client-side exploits, but the redirection is currently returning an error "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
    - vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Responding to 188.40.232.254, AS24940 are also the following command and control, client-side exploit serving domains:
gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com
---------------------------------------------------------------------------------

- FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/ 43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru with x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also parked there.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns"; and "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign" having a direct relationship with the Asprox botnet.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.