Thursday, December 27, 2012

Dancho Danchev's Blog Most Popular Posts for 2012

The time has come to reflect on this year's most popular posts, and emphasize the key points about what made them special.
  1. Who's Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing of Koobface botnet master KrotReal is this year's most popular blog post. The release of the post, and the New York Times article discussing the case, immediately resulted in the shutdown of the Koobface botnet.
  2. Exposing the Market for Stolen Credit Cards Data - Although the post was originally published in 2011, it's the second most popular for 2012, proving that factually presenting the existence of a growing trend inevitably reaches a wider audience.
  3. Dissecting 'Operation Ababil' - an OSINT Analysis - The OSINT analysis of 'Operation Ababil' is this year's third most popular post. The analysis correctly identified a key participant in certain parts of the campaign, while explicitly emphasizing just how easy it is to launch a cyber false flag operation online.
  4. Profiling a Vendor of Visa/Mastercard Plastics and Holograms - The main purpose of this post was to shed more light on the increasing availability of "blank plastic" services, whose QA (Quality Assurance) processes sometimes outpace the OPSEC (Operational Security) efforts put in place by the targeted companies.
  5. Pricing Scheme for a DDoS Extortion Attack - This post highlighted a bold DDoS extortion letter obtained "in the wild", indicating the degree of flexibility and professionalism applied by the cybercriminals behind it.
  6. A Peek Inside the Vertex Net Loader - This post summarized the key features of the Vertex Net Loader, and emphasized the systematic release of related DIY malware loaders/bots within the cybercrime ecosystem.
  7. Dissecting the Ongoing Mass SQL Injection Attack - Regular readers of my personal blog are used to getting the latest threat intelligence regarding a particular widespread campaign virtually in real time. That was the main objective of this analysis, and fortunately it was successfully achieved.
  8. Dissecting the Massive SQL Injection Attack Serving Scareware - An evergreen analysis demonstrating the monetization of hijacked Web traffic through a scareware affiliate program.
  9. Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product - The second post in the series profiling ex-Koobface botnet master KrotReal's cybercrime-friendly operations also gained a lot of attention, and proved that the lack of prosecution in this case can, and will, ultimately lead to more cybercrime-friendly activities.
  10. Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two - With 'Operation Ababil' still an open question for many of the major media outlets, the second part of the analysis discussed another tool used in the campaign, with the idea of raising more awareness of the tools and techniques used by the attackers behind it.
Thank you all for being regular blog readers! The best is yet to come! See you all in 2013!

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, December 13, 2012

Upcoming Portfolio of Commercially Available CYBERINT Reports

Valued blog readers,

Over the years, you've been exposed to insightful, in-depth, "God's Eye View" analyses of some of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes that shaped the way we fight and anticipate cybercrime campaigns throughout the years.

Although the production of such publicly available and socially oriented content at this blog will continue, it's time to raise the stakes even higher - in 2013, I'll be systematically releasing commercially available CYBERINT assessments on multiple aspects of the cybercrime ecosystem. It's the stuff that will help your decision-making process, it's the data to help you prosecute those behind these fraudulent operations, and it's the tactics and trends you don't get to read about anywhere else online.

Please, take 1 second of your precious time, and participate in the voting poll on the right side of the blog.

Enjoy the holidays, and see you all in 2013!


Friday, November 30, 2012

Summarizing Webroot's Threat Blog Posts for November


The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:


01. BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware
02. ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit
03. USPS ‘Postal Notification’ themed emails lead to malware
04. ‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit
05. ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
06. ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit
07. ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware
08. Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders
09. ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit
10. Bogus Better Business Bureau themed notifications serve client-side exploits and malware
11. Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants
12. Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware
13. ‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit
14. Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware
15. Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
16. Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
17. Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
18. Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
19. Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware
20. Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve malware
21. Bogus DHL ‘Express Delivery Notifications’ serve malware
22. Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications
23. Cybercriminals impersonate T-Mobile U.K, serve malware
24. Bogus ‘Meeting Reminder’ themed emails serve malware
25. Bogus 'Intuit Software Order Confirmations' lead to Black Hole Exploit Kit
26. Bogus 'End of August Invoices' themed emails serve malware and client-side exploits


Summarizing ZDNet's Zero Day Posts for November


The following is a brief summary of all of my posts at ZDNet's Zero Day for November, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:


01. Opera for Mac OS X patches six security vulnerabilities
02. Cybercriminals start spamvertising Xmas themed scams and malware campaigns
03. Apple releases QuickTime 7.7.3 for Windows, patches critical security vulnerabilities
04. Active XSS flaw discovered on eBay
05. A patched browser - false feeling of security or a security utopia that actually exists?


Monday, November 26, 2012

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem and keep known bad actors on a short leash, in this intelligence brief I'll expose Anton Nikolaevich Korotchenko a.k.a. KrotReal's latest activities, indicating that he's currently busy experimenting with two projects:
  • A Black Hat SEO (Search Engine Optimization) related service/product
  • An underground traffic exchange/pay-per-install network currently distributing localized Ransomware
Just as KrotReal's real-life identity was revealed due to a single mistake he made over a period of several years, namely registering a Koobface command and control server using his personal GMail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the domains he most recently registered, once again with his personal GMail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC

The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using the tool, or selling/offering access to it as a managed service. Does this mean he's not using it himself to monetize the hijacked legitimate traffic that he's able to obtain through his Black Hat SEO campaigns? Not at all.

More domains presumably to be used for Black Hat SEO purposes registered with KrotReal's personal email account (krotreal@gmail.com):
superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
krotpong.com
adultpartypics.com
findhunt.com


How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang primarily distributed scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they weren't damaging infected user PCs.

What's particularly interesting about profiling this campaign, is that it's a great example of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware on the affected host using the same redirection chain.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru


Sample malicious activity redirection chain:
hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 ->
hxxp://celeb-search.com/in.php?source=th&q=nude+girls ->
hxxp://celeb-search.com/in3.php?source=th&q=nude+girls ->
hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic ->
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->
hxxp://gravityexp.com/go.php?sid=12 ->
hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) ->
hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 ->
hxxp://nosnowfevere.com/ZqRqk ->
hxxp://nosnowfevere.com/EHSvFc ->
hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.


Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626); on 2012-07-01 it changed IP to 46.163.113.79 (AS20773); on 2012-11-14 it changed IP again to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773).

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):
bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - pescifabio83@yahoo.fi
testcitycheckers.com - pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru
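The redirection chain above and the domain lists that share an IP or a registrant email are the raw material for the kind of infrastructure pivot this post performs. The following Python is an added example and not code from the post: it arranges the indicators listed here into a record layout of my own choosing, pulls the hostnames out of the defanged chain, groups domains by a shared registrant email or IP, and then runs only the attributed hosts as a watchlist over a few constructed proxy log lines. The record layout, the query-trimmed chain and the log lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators copied from the post above, arranged as records for pivoting.
# The record layout (domain, ip, asn, email) is this example's own choice,
# not the output format of any whois or passive-DNS tool.
RECORDS = [
    {"domain": "trafficconverter.in", "ip": "176.9.146.78", "asn": "AS24940", "email": "krotreal@gmail.com"},
    {"domain": "traffictracker.in", "ip": "176.9.146.78", "asn": "AS24940", "email": "krotreal@gmail.com"},
    {"domain": "celeb-search.com", "ip": None, "asn": None, "email": "krotreal@gmail.com"},
    {"domain": "allcelebrity.ru", "ip": "176.9.146.78", "asn": "AS24940", "email": None},
    {"domain": "gravityexp.com", "ip": "46.163.117.144", "asn": None, "email": "francesca.muglia.130@istruzione.it"},
    {"domain": "nosnowfevere.com", "ip": "91.211.119.32", "asn": None, "email": "djbroning@definefm.com"},
    {"domain": "sarscowoy.com", "ip": "176.28.22.32", "asn": "AS20773", "email": "rmasela@ymail.com"},
    {"domain": "elitesecuritynet.com", "ip": "176.28.22.32", "asn": "AS20773", "email": "pescifabio83@yahoo.fi"},
    {"domain": "ineverworrynet.com", "ip": "176.28.22.32", "asn": "AS20773", "email": "pescifabio83@yahoo.fi"},
]

# Abbreviated copy of the post's redirection chain (query strings trimmed).
# The defanged "hxxp" scheme is kept so nothing here is a live link.
CHAIN = (
    "hxxp://traffictracker.in/in.cgi?11 -> "
    "hxxp://celeb-search.com/in.php -> "
    "hxxp://celeb-search.com/in3.php -> "
    "hxxp://www.trafficholder.com/in/in2.php -> "
    "hxxp://gravityexp.com/go.php?sid=12 -> "
    "hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> "
    "hxxp://nosnowfevere.com/EHSvFc"
)

HOST_RE = re.compile(r"hxxps?://([A-Za-z0-9.-]+)")


def chain_hosts(chain):
    """Return the distinct hostnames of a defanged '->' chain, in first-seen order."""
    seen = []
    for hop in chain.split("->"):
        m = HOST_RE.search(hop)
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen


def registrable(host):
    """Naive 'www.' stripping so chain hosts can be matched against whois records."""
    return host[4:] if host.startswith("www.") else host


def pivot(records, field):
    """Group domains by a shared attribute; keep only values shared by more than one domain."""
    groups = defaultdict(set)
    for r in records:
        if r.get(field):
            groups[r[field]].add(r["domain"])
    return {value: sorted(domains) for value, domains in groups.items() if len(domains) > 1}


def known_hops(chain, records):
    """Map each chain hop whose domain has a record to its registrant email and IP.

    Hops without a record (here the affiliate network itself) are left out, so
    the result is the attributed infrastructure rather than every hostname seen.
    """
    by_domain = {r["domain"]: r for r in records}
    out = {}
    for host in chain_hosts(chain):
        r = by_domain.get(registrable(host))
        if r:
            out[host] = {"email": r["email"], "ip": r["ip"]}
    return out


# Constructed proxy log lines (not from the post): timestamp, client, method, host, path, status.
PROXY_LOG = [
    "2012-11-26T10:14:02Z 10.0.0.21 GET traffictracker.in /in.cgi 302",
    "2012-11-26T10:14:03Z 10.0.0.21 GET www.trafficholder.com /in/in2.php 302",
    "2012-11-26T10:14:05Z 10.0.0.21 GET nosnowfevere.com /ZqRqk 200",
    "2012-11-26T10:15:40Z 10.0.0.37 GET example.org /index.html 200",
]


def flag_log_lines(lines, watchlist):
    """Return (client, host) pairs for log lines whose requested host is on the watchlist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[3].lower() in watchlist:
            hits.append((parts[1], parts[3].lower()))
    return hits


if __name__ == "__main__":
    print(chain_hosts(CHAIN))
    print(pivot(RECORDS, "email"))
    print(pivot(RECORDS, "ip"))
    print(known_hops(CHAIN, RECORDS))
    print(flag_log_lines(PROXY_LOG, set(known_hops(CHAIN, RECORDS))))
```

The watchlist is built from `known_hops` rather than from every hostname in the chain on purpose: the traffic-exchange hop belongs to a legitimate affiliate network, and alerting on it would produce noise, whereas the hops tied to the registrant email or the shared hosting are the ones worth a block or an alert.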

What we've got here is a great example of the following - when you don't fear legal prosecution for your fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input.


Friday, November 23, 2012

Managed Embedding of Malicious iFrames Through Compromised Accounts as a Service



Friday, November 02, 2012

Summarizing Webroot's Threat Blog Posts for October


The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

 
01. Russian cybercriminals release new DIY SMS flooder
02. Upcoming Webroot presentation on Cyber Jihad and Cyberterrorism at RSA Europe 2012
03. Recently launched E-shop sells access to hundreds of hacked PayPal accounts
04. New Russian service sells access to compromised Steam accounts
05. ‘Vodafone Europe: Your Account Balance’ themed emails serve malware
06. Cybercriminals impersonate UPS, serve client-side exploits and malware
07. ‘Your video may have illegal content’ themed emails serve malware
08. Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware
09. American Airlines themed emails lead to the Black Hole Exploit Kit
10. Bogus Facebook notifications lead to malware
11. Spamvertised ‘KLM E-ticket’ themed emails serve malware
12. ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
13. Malware campaign spreading via Facebook direct messages spotted in the wild
14. ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
15. Russian cybercriminals release new DIY DDoS malware loader
16. PayPal ‘Notification of payment received’ themed emails serve malware
17. Cybercriminals impersonate Delta Airlines, serve malware
18. ‘Your UPS Invoice is Ready’ themed emails serve malware
19. Bogus Skype ‘Password successfully changed’ notifications lead to malware
20. RSA Conference Europe 2012 – recap
21. Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware
22. Spamvertised ‘BT Business Direct Order’ themed emails lead to malware
23. Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware
24. Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware
25. Nuclear Exploit Pack goes 2.0


Summarizing ZDNet's Zero Day Posts for October


The following is a brief summary of all of my posts at ZDNet's Zero Day for October, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:


01. Report: Large US bank hit by 20 different crimeware families
02. Localized Dorkbot malware variant spreading across Skype
03. Sopelka botnet drops Citadel, Feodo, and Tatanga crimeware variants
04. Adobe patches 6 critical security flaws in Shockwave


Friday, October 26, 2012

Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.

As you may remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.

According to security researchers from Prolexic, the attackers also relied on a PHP-based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth with bandwidth from the compromised servers, the attackers managed to achieve their objectives.

The DDoS script in question, "itsoknoproblembro", had been publicly available as a download for months before the attacks started, indicating that it was not purposely coded for use in the campaign against major U.S financial institutions.


Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of Multiboom.me's GUI:

With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing and launching these attacks, it's worth emphasizing the basics of 'false-flag' cyber operations and "aggregate-and-forget" type botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.


Monday, October 01, 2012

Summarizing Webroot's Threat Blog Posts for September


The following is a brief summary of all of my posts at Webroot's Threat Blog for September, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:


01. Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit
02. Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
03. Cybercriminals resume spamvertising bogus greeting cards, serve exploits and malware
04. Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders
05. New Russian service sells access to thousands of automatically registered accounts
06. Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit
07. New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild
08. Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware
09. Cybercriminals impersonate FDIC, serve client-side exploits and malware
10. Managed Ransomware-as-a-Service spotted in the wild
11. A peek inside a boutique cybercrime-friendly E-shop – part four
12. New E-shop selling stolen credit cards data spotted in the wild
13. From Russia with iPhone selling affiliate networks
14. New Russian DIY DDoS bot spotted in the wild


Friday, September 28, 2012

Summarizing Webroot's Threat Blog Posts for August


The following is a brief summary of all of my posts at Webroot's Threat Blog for August, 2012. You can subscribe to Webroot's Threat Blog RSS feed or follow me on Twitter:


01. Spamvertised AICPA themed emails lead to Black Hole exploit kit
02. Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit
03. Ongoing spam campaign impersonates LinkedIn, serves exploits and malware
04. Millions of spamvertised emails lead to W32/Casonline
05. Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware
06. IRS themed spam campaign leads to Black Hole exploit kit
07. Cybercriminals spamvertise bogus greeting cards, serve exploits and malware
08. Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit
09. Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit
10. Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware
11. Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
12. Cybercriminals spamvertise PayPal themed ‘Notification of payment received’ emails, serve malware
13. Cybercriminals impersonate UPS, serve malware


Summarizing ZDNet's Zero Day Posts for August


The following is a brief summary of all of my posts at ZDNet's Zero Day for August, 2012. You can subscribe to Zero Day's main feed or follow me on Twitter:

 
01. BlackBerry users targeted with malware-serving email campaign
02. Java zero day vulnerability actively used in targeted attacks
03. Loozfon Android malware targets Japanese female users
04. Researcher reports a CSRF vulnerability in Facebook's App Center, earns $5,000
05. Cybercriminals impersonate popular security vendors, serve malware


Dissecting 'Operation Ababil' - an OSINT Analysis

Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent opt-in botnet crowdsourcing campaign aiming to launch DDoS (distributed denial of service) attacks against YouTube, for keeping the video online, and against several major U.S. banks and financial institutions.

Dubbed "Operation Ababil", and operated by Izz ad-Din al-Qassam, a.k.a. the Qassam Cyber Fighters, the campaign appears to have had a limited but highly visible impact on the targeted web sites. Just as with every other crowdsourced opt-in botnet campaign, such as the "Coordinated Russia vs Georgia cyber attack in progress", the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and "The DDoS Attack Against CNN.com", political sentiment over attribution has orbited around the notion that it was state-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals in the group that organized the campaign, spread its propaganda message to as many Muslim Facebook groups as possible, and then claimed responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":


The original message left is as follows:
"Operation Ababil, The second week
In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.
Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions.
The officials claimed that certain countries have taken these measures to solve their internal problems.
We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.
Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him).
So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.
Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.
We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day.
We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.
We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.
Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com
Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com
Thursday 9/27/2012 : attack to PNC site, www.pnc.com
Weekends: planning for the next week's attacks.
Mrt. Izz ad-Din al-Qassam Cyber Fighters"

Periodically, the group also released update notes for the campaigns currently taking place:


The original message published is as follows:
"Operation Ababil" started over BoA: http://pastebin.com/mCHia4W5 http://pastebin.com/wMma9zyG
In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue until the Erasing of that nasty movie from the Internet.
The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !
Down with modern infidels.
### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:


The original message published is as follows:
"Dear Muslim youths, Muslims Nations and are noblemen
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.
All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie.
We will attack them for this insult with all we have.
All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.
We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet-connected users, who would later be instructed on how to participate in the DDoS attacks. Let's assess the potential of the DDoS tool that was distributed for the campaign.

Sample screenshot of the DDoS script in Arabic:


Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:


Detection rate for the DDoS script:
youtube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997
Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924
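The hash and the AV names only answer "is this the known file?". What a responder actually wants from a page like this is what it hits and how hard. The following is an added example of mine, not the original youtube.html and not any code from the campaign: it triages a constructed stand-in written in the public JavaScript LOIC idiom (an image element re-pointed at the target on a timer, with a random cache-busting query string), comparing its MD5 against the hash above, pulling out the hard-coded target URLs, reading the timer interval, and converting that into requests per second per participant. The script body and the .invalid hostnames are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set

# MD5 reported above for the real youtube.html sample.
KNOWN_SAMPLE_MD5 = "c3fd7601b4aefe70e4a8f6d73bf5c997"

# Constructed stand-in for the attack page, written in the public JavaScript
# "LOIC" idiom: an <img> is re-pointed at the target on a timer, with a random
# cache-busting query string so every GET reaches the origin. It is NOT the
# original youtube.html, and the .invalid hostnames are deliberately unresolvable.
SAMPLE_HTML = b"""<html><body>
<script>
var targets = ["http://bank-a.invalid/", "http://video-site.invalid/", "http://bank-b.invalid/"];
var fired = 0;
function flood() {
  var url = targets[fired % targets.length] + "?id=" + Math.floor(Math.random() * 99999999);
  var img = new Image();   // the browser issues a GET for img.src
  img.src = url;
  fired++;
}
setInterval(flood, 25);    // one request every 25 ms per open tab
</script>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
INTERVAL_RE = re.compile(r"setInterval\(\s*[^,]+,\s*(\d+)\s*\)")


def file_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def extract_targets(data: bytes) -> List[str]:
    """Hard-coded target URLs in order of first appearance, without duplicates."""
    text = data.decode("utf-8", "replace")
    seen: Set[str] = set()
    out: List[str] = []
    for url in URL_RE.findall(text):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def extract_interval_ms(data: bytes) -> Optional[int]:
    """Timer period of the first setInterval() call, in milliseconds."""
    m = INTERVAL_RE.search(data.decode("utf-8", "replace"))
    return int(m.group(1)) if m else None


def aggregate_rps(interval_ms: int, participants: int) -> float:
    """Requests per second generated across N opted-in browsers."""
    return participants * (1000.0 / interval_ms)


def triage(data: bytes, known_hashes: Set[str]) -> Dict[str, object]:
    """Hash check plus the two numbers that matter: targets and per-client rate."""
    md5 = file_md5(data)
    interval = extract_interval_ms(data)
    return {
        "md5": md5,
        "matches_known_sample": md5 in known_hashes,
        "targets": extract_targets(data),
        "interval_ms": interval,
        "per_client_rps": (1000.0 / interval) if interval else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HTML, {KNOWN_SAMPLE_MD5})
    for key, value in report.items():
        print(f"{key}: {value}")
    print("1,000 participants:", aggregate_rps(report["interval_ms"], 1000), "req/s")
```

The per-client rate is the number to keep in mind when judging a "low profile" script: a 25 ms timer is only 40 requests per second from one tab, but the tool's whole design is to multiply that by however many recruits keep the page open. The hash comparison is deliberately the last thing the script relies on; a recruit who edits a single target or the interval produces a new MD5 while the behaviour stays identical.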

Originally, the attack relied on a static recruitment message that included links to the DIY DDoS script hosted on 4shared.com and Mediafire.com. What's particularly interesting is that the files were uploaded by a user going under the handle "Marzi Mahdavi II". These static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups, and thanks to that we could easily identify the user's Facebook account and spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:


Sample shared Wall post seeking participation in the upcoming DDoS campaign:


Sample blog post enticing users to participate:


Marzi Mahdavi II has also referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:


This latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to one of two conclusions: either that community is years behind the sophisticated Eastern European hacking teams and cybercrime-friendly communities, or Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in "catch up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited but visible results, a rather surprising outcome given the low-profile DDoS script released by the campaigners.
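The Host-Tracker probes measure availability from the outside. On the server side, the traffic an image-flood script of this kind produces has a recognizable shape: one client hitting the same path at a steady rate, every request carrying a random numeric cache-buster so it cannot be answered from cache. The following is an added example of mine, not code from the original post or from the campaign's tooling, that runs exactly that check over a constructed set of combined-format access-log lines; the IP addresses, timestamps, paths and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# A single parameter whose value is a run of digits: the cache-buster an
# image-flood page appends so that every request misses the cache.
CACHEBUST_RE = re.compile(r"[A-Za-z_]\w*=\d{3,}")


def build_sample_log() -> List[str]:
    """Constructed access-log lines; not real data from the original post."""
    lines = []
    # One opt-in participant's browser: twelve requests inside two seconds,
    # each with a fresh numeric cache-buster, no Referer (page opened from disk).
    for i in range(12):
        lines.append(
            f'198.51.100.7 - - [26/Sep/2012:14:30:{i // 10:02d} +0000] '
            f'"GET /?id={48213907 + i * 7919} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        )
    # Ordinary visitors, including one lone request that happens to carry an id.
    lines += [
        '203.0.113.5 - - [26/Sep/2012:14:30:00 +0000] "GET /index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [26/Sep/2012:14:30:00 +0000] "GET /css/site.css HTTP/1.1" 200 1811 "http://bank.invalid/index.html" "Mozilla/5.0"',
        '203.0.113.5 - - [26/Sep/2012:14:30:05 +0000] "GET /login?next=1 HTTP/1.1" 200 3320 "http://bank.invalid/index.html" "Mozilla/5.0"',
        '203.0.113.9 - - [26/Sep/2012:14:30:07 +0000] "GET /?id=12 HTTP/1.1" 200 5120 "-" "curl/7.26.0"',
    ]
    return lines


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path, _, query = m["target"].partition("?")
    return {"ip": m["ip"], "ts": ts, "path": path, "query": query,
            "referer": m["referer"] or "-"}


def peak_in_window(times: List[float], window_s: float) -> int:
    """Largest number of requests inside any span of window_s seconds."""
    times = sorted(times)
    best = i = 0
    for j in range(len(times)):
        while times[j] - times[i] > window_s:
            i += 1
        best = max(best, j - i + 1)
    return best


def detect_floods(lines: List[str], window_s: float = 10.0,
                  min_requests: int = 10,
                  min_cachebust_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that combine a burst rate with cache-busting queries."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged: Dict[str, dict] = {}
    for ip, recs in per_ip.items():
        peak = peak_in_window([r["ts"] for r in recs], window_s)
        busted = sum(1 for r in recs if CACHEBUST_RE.fullmatch(r["query"]))
        ratio = busted / len(recs)
        if peak >= min_requests and ratio >= min_cachebust_ratio:
            flagged[ip] = {
                "peak_requests_in_window": peak,
                "cachebust_ratio": ratio,
                "paths": sorted({r["path"] for r in recs}),
                "referers": sorted({r["referer"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_floods(build_sample_log()).items():
        print(ip, info)
```

Two caveats a responder should keep in mind. The Referer column is "-" for these participants because the recruits opened a downloaded .html file from disk; had the flood page been hosted on a web site, that column would name it and hand you the recruitment infrastructure for free. And a per-IP threshold is only half the picture for an opt-in crowd: many browsers each staying under the line still add up, so the path-plus-cache-buster pattern should also be aggregated across all sources before deciding what to rate-limit.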

Sample Host-Tracker report for a targeted web site during the campaign:


Second Host-Tracker report for a targeted web site during the campaign:





Third Host-Tracker report for a targeted web site during the campaign:
 


Fourth Host-Tracker report for a targeted web site during the campaign:





Fifth Host-Tracker report for a targeted web site during the campaign: 

  

Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? As in the previous DDoS campaign launched by Iranian hacktivists in 2009, in this latest one we once again see a rather limited understanding of cyber operations, given the centralized nature of the group's chain of command.

What's also worth pointing out is that this is the first public appearance of the group claiming responsibility for these attacks. Given that, and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet could engineer cyber warfare tensions between Iran and the U.S. simply by impersonating what's believed to be an Iranian group.
