Thursday, February 21, 2013

Dissecting NBC's Exploits and Malware Serving Web Site Compromise

The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised and is redirecting tens of thousands of legitimate users to multiple exploit-serving and malware-dropping URLs. The campaign appears to have been launched by the same gang of cybercriminals that has also recently been impersonating Facebook Inc. and Verizon Wireless, in an attempt to trick their users/customers into clicking on links found in hundreds of thousands of spamvertised emails pretending to come from those companies.

Let's dissect the campaign, expose its structure, the dropped malware, and connect the dots on who's behind it.

Observed iFrames in rotation:


Observed redirections leading to:
hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php



Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne.info/987.pdf

Upon successful client-side exploitation, the campaign drops MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj.


Once executed, the sample creates the "Xi3FVneIx" mutex and phones back to:

Second redirection chain for a sampled iFrame: hxxp://moi-npovye-sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/aflybing.php?esusvity=785280, where it attempts to exploit CVE-2010-0188.

Malicious domains reconnaissance:
umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a compromised site belonging to someone named "Azhar Mahmood", unless of course you want to believe that Pakistan's cyber warfare unit is behind the campaign, since this is the second time that I've come across this IP. Keep reading!

mdkline65@yahoo.com, the registrant email for electricianfortwayne.info, is also known to have registered the following domains:



Who's behind this campaign, and can we connect these malicious activities to previously analyzed malicious campaigns? But of course.

umaiskhan.com responds to 173.254.28.49, and as of 2013-01-28 18:56:19 another domain used in a Facebook Inc. themed campaign, hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html, was responding to the same IP. Back then, that compromised legitimate host served client-side exploits through hxxp://gotina.net/detects/sign_on_to_resume.php – 222.238.109.66 – Email: lockwr@rocketmail.com.

Deja vu! We've already seen and profiled this malicious domain in the following assessment, "Fake 'You've blocked/disabled your Facebook account' themed emails serve client-side exploits and malware", indicating that both of these campaigns have been launched by the same cybercriminal/gang of cybercriminals. What's also worth emphasizing is that the same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the following assessment, "Fake 'Verizon Wireless Statement' themed emails lead to Black Hole Exploit Kit", where it was used to register the Name Servers used in the campaign.

Someone's multi-tasking. That's for sure.
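The attribution above pivots on two kinds of overlap: a shared hosting IP (umaiskhan.com and shutterstars.com on 173.254.28.49) and a shared registrant email (lockwr@rocketmail.com, mdkline65@yahoo.com). As an added example that is not the post's own tooling, the Python below clusters domains by those overlaps and keeps the evidence behind every link; the records reuse the post's indicators, with a labelled placeholder for the unnamed Verizon-campaign name server and one constructed control domain.

```python
"""Cluster domains by shared IP, registrant email or campaign label, the way the
post chains NBC.com -> Facebook-themed -> Verizon-themed.  Added example, not the
post's tooling; records are indicators quoted in the post plus labelled extras."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, Optional[str], Optional[str], Optional[str]]
# (domain, ip, registrant_email, campaign); None where the post gives no value
RECORDS: List[Record] = [
    ("umaiskhan.com", "173.254.28.49", "chfaisal009@gmail.com", "NBC.com compromise"),
    ("electricianfortwayne.info", "173.201.92.1", "mdkline65@yahoo.com", "NBC.com compromise"),
    ("shutterstars.com", "173.254.28.49", None, "Facebook-themed"),
    ("gotina.net", "222.238.109.66", "lockwr@rocketmail.com", "Facebook-themed"),
    # placeholder: the post names the registrant of the Verizon campaign's name
    # servers but not the NS domain itself
    ("<verizon-campaign-NS placeholder>", None, "lockwr@rocketmail.com", "Verizon-themed"),
    ("dedirt.com", None, "mdkline65@yahoo.com", None),  # registrant known, campaign not
    ("unrelated.example", "203.0.113.7", "nobody@example.invalid", "control"),  # constructed
]


def _find(parent: Dict[str, str], x: str) -> str:  # union-find root, path halving
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster(records: List[Record] = RECORDS) -> Tuple[List[Set[str]], Dict[str, List[str]]]:
    """Return clusters and, per domain, the evidence that pulled it in, so an analyst
    can discount weak links: a shared IP on shared hosting (umaiskhan.com is itself a
    compromised site) is weaker evidence than a shared registrant email."""
    parent = {r[0]: r[0] for r in records}
    evidence: Dict[str, List[str]] = defaultdict(list)
    by_key: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for domain, ip, email, campaign in records:
        for kind, value in (("ip", ip), ("email", email), ("campaign", campaign)):
            if value:
                by_key[(kind, value)].append(domain)
    for (kind, value), domains in by_key.items():
        for other in domains[1:]:  # every later domain joins the first one's set
            a, b = _find(parent, domains[0]), _find(parent, other)
            if a != b:
                parent[b] = a
            evidence[other].append(f"{kind}={value} shared with {domains[0]}")
    groups: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        groups[_find(parent, r[0])].add(r[0])
    return list(groups.values()), dict(evidence)


def linked_campaigns(records: List[Record] = RECORDS) -> List[Set[str]]:
    """Sets of campaign labels that land in one cluster (unlabelled domains ignored)."""
    label = {r[0]: r[3] for r in records}
    result = []
    for group in cluster(records)[0]:
        names = {label[d] for d in group if label[d]}
        if len(names) > 1:
            result.append(names)
    return result
```

With the post's records, all three campaigns and the unlabelled dedirt.com fall into one cluster while the control domain stays alone; the evidence strings show which link is IP-based and therefore weaker.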

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.


Wednesday, February 06, 2013

Historical OSINT - Hacked Databases Offered for Sale

In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, as opposed to (supposedly) Chinese spies, with the aim of providing factual evidence that these breaches are just the tip of the iceberg.

In this intelligence brief, I'll profile a service that operated throughout 2009, selling access to the compromised databases of multiple high-traffic Web sites, obtained through the direct compromise of those databases, hence the service's name: GiveMeDB.

Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451

During 2009, the domain responded to 83.133.123.228 (LAMBDANET-AS, European Backbone of LambdaNet); it then moved to 74.54.82.209 (THEPLANET-AS, ThePlanet.com Internet Services, Inc.). The following domains also responded to 83.133.123.228: pornofotki.com.ua and mail.vipnkvd.ru. What are the chances that these IPs are known to have been involved in related malicious/cybercrime-friendly activities? Appreciate my rhetoric.

We've also got the following sample, MD5: 6a9b128545bd095dbbb697756f5586a9, spamming links to the same IP, hxxp://83.133.123.228/uksus/?t=3 in particular. Cross-checking the second IP (74.54.82.209) across multiple proprietary and public databases reveals a diversified criminal enterprise that has been using it for years.

The following MD5s are known to have phoned back to the same IP (74.54.82.209):
MD5: d48a7ae9934745964951a704bcc70fe9
MD5: 4626de911152ae7618c9936d8d258577
MD5: ca4b79a33ea6e311eafa59a6c3fffee2
MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4

The same IP also shows recent (2011) Palevo C&C activity. Clearly, they've been multi-tasking on multiple fronts.

Each listing has the following structure: partial URL of the hacked Web site, country of the Web site, number of records in the database, first-time price, and exclusive price. The list of affected Web sites is as follows:
 
The affected Web sites are grouped into four categories: job/CV databases, dating databases, financial databases, and other databases.


Purchasing these hacked databases immediately improves the competitiveness of a would-be cybercriminal, who now has everything needed to launch spam, spear phishing, and money mule recruitment campaigns at their disposal.

For years, novice cybercriminals and unethical competitors have purposely joined closed cybercrime-friendly communities, seeking help, in exchange for a financial incentive, in obtaining access to a particular database or in the "defacement" of a specific Web site. What this service proves is that the model can scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone who pays for them.



Monday, February 04, 2013

Summarizing Webroot's Threat Blog Posts for January


The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware
02. Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
03. ‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit
04. Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
05. A peek inside a boutique cybercrime-friendly E-shop – part six
06. Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity
07. Spamvertised AICPA themed emails serve client-side exploits and malware
08. ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
09. Malicious DIY Java applet distribution platforms going mainstream
10. Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware
11. Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
12. ‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit
13. Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware
14. Leaked DIY malware generating tool spotted in the wild
15. Email hacking for hire going mainstream – part three
16. Android malware spreads through compromised legitimate Web sites
17. Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
18. Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
19. Novice cybercriminals experiment with DIY ransomware tools
20. Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
21. Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
22. A peek inside a DIY password stealing malware
23. Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware


Summarizing ZDNet's Zero Day Posts for January


The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2013. You can subscribe to Zero Day's main feed, or follow me on Twitter:


01. Dutch security researchers dissect the Pobelka botnet
02. ESPN's ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw
03. Report: AutoRun malware infections continue topping the charts
04. Comparative review: Opera leads in browser anti-phishing protection
05. Italian-language page at MSN redirects to Cool Exploit Kit, serves ransomware
06. WordPress releases version 3.5.1, fixes 3 security issues
07. Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware
 
