Monday, October 22, 2018

HIstorical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007

Dear blog readers it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update I feel it's about time I post an quality update by detailing the Web Malware Exploitation market segment circa 2007 prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

In this post I'll discuss the rise of Web malware exploitation kits circa 2007 and offer in-depth discussion on the current and emerging tactics techniques and procedures (TTPs) of the cybercriminals behind it. With cybercriminals continuing to actively rely on the exploitation of patched and outdated vulnerabilities and with end users continuing to actively utilize unpatched and outdated third-party software it shouldn't be surprising that today's botnets remain relatively easy to generate and orchestrate for the purpose of committing financial fraud.

Malicious Economies of Scale literally means utilizing attack techniques and exploitation approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as possible, in a combination with an added layer of improved metrics on the success of the campaigns. What are the most popular web exploitation kits that malicious parties use to achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).

An overview of the threats posed by rising number of malware embedded sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all the high-profile such attacks during 2007.

01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities significantly replaced server-side ones as the preferred choice of malicious attackers on their way to achieve the highest possible attack success rate, while keeping their investment in terms of know-how and personal efforts to the minimum. Among the most successful such attacks during 2007 was Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities can result in aggregating the world’s largest botnet according to industry and independent researchers’ estimates. By itself, this attack technique is in direct contradiction with the common wisdom that zero day vulnerabilities are more dangerous than already patched ones, however, the gang behind Storm Worm quickly envisioned this biased statement as false, and by standardizing the exploitation process with the help of outdated vulnerabilities achieved an enormous success.

Years ago, whenever, a vulnerability was found and exploit code released in the wild, malicious attackers used to quickly released a do-it-yourself exploitation kit to take advantage of a single exploit only. Nowadays, that’s no longer the case, since by using a single exploit whether an outdated, or zero day one, they’re significantly limiting the probability for a successful attack, and therefore the more diverse and served on-the-fly is the set of exploits used in an attack, the higher would the success rate be.

What was even more interesting to monitor during 2007, was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K, the U.S Consulate in St. Petersburg, China’s CSIRT, Possibility Media’s entire portfolio of E-zines, to the French government’s site related to Lybia, these trusted web sites were all found to serve malware though an embedded link pointing back to the attacker’s malicious server. Let’s clarify what malicious economies of scale means, and how do they do it.

02. What is malicious economies of scale, and how is it achieved?

Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users, by standardizing the exploitation process, and by doing so, not just lowering the entry barriers into the process of exploiting a large number of users, but also, maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way by which a large number of end users get infected, or have their online abused, with the malicious parties maintaining a static attack model. It’s perhaps more important to also describe how is the process achieved at the first place? The first strategy applied has to do with common sense in respect to the most popular software applications present at the end user’s end, and the first touch-point in this case would be the end user’s Internet browser.

Having its version easily detected and exploit served, one that’s directly matching the vulnerable version, is among the web exploitation kits main functionalities. Let’s continue with the second strategy, namely to increase the probability of success. As I’ve already pointed out, do-it-yourself single vulnerability exploiting tools matured into web exploitation malware kits, now backed up with a diverse set of exploits targeting different client-side applications, which in this case is the process of increasing the probability of successful infection. The third strategy has to do with attracting the traffic to the malicious server, that as I’ve already discussed is already automatically set to anticipate the upcoming flood of users and serve the malware through exploiting client-side software vulnerabilities on their end. This is mainly done through exploiting remote file inclusion vulnerabilities within the high-profile targets, or through remotely exploitable web application vulnerabilities to basically embed a single line of code, or an obfuscated javascript that when deobfuscated will load the malicious URL in between loading the legitimate site.

Popular Malware Embedded Attack Tactics

This part of the article will briefly describe some of the most common attack tactics malicious parties use to embed links to their malicious servers on either high-profile sites, or any other site with a high pagerank, something they’ve started measuring as of recently according to threat intell assessment on an automated system to embed links based on a site’s popularity.
  • The “pull” Approach – Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site
In this tactic, malicious parties entirely rely on the end users to reach their malicious server, compared to the second tactic of “pushing” the malicious links to them. This is primarily accomplished through the use of Blackhat SEO tools generating junk content with the idea to successfully attract search engine traffic for popular queries, thus infecting anyone who visits the site, who often appear within the first twenty search results. The second “pull” approach such tactic is harnessing the already established trust of a site such as major news portal for instance, and by embedding a link to automatically load on the portal, have the users actually “pull” the malware for themselves
  • The “push” Approach – Here’s Your Malware Embedded Link
The “push” approach’s success relies in its simple logic, with end users still worrying about downloading or clicking on email attachments given the overall lack of understanding on how to protect from sites serving malware, it’s logical to consider that basically sending a link which once visited will automatically infect the visitor though exploiting a client-side vulnerability, actually works. Storm Worm is the perfect example, and to demonstrate what malicious economies of scale means once again, it’s worth mentioning Storm’s approach of having an already infected host act as an infection vector itself, compared to its authors having to register multiple domains and change them periodically. The result is malware embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case an already infected host that’s now aiming to infect another one
  • Automatically Exploiting Web Application Vulnerabilities – Mass SQL Injection Attacks
As I’ve already pointed out, malicious parties are not just efficiently scanning for remotely exploitable web application vulnerabilities or looking for ways to remotely include files on any random host, they’ve started putting efforts into analyzing the page rank, and overall popularity of a site they could exploit. This prioritizing of the sites to be used for a “pull” tactic is aiming to achieve the highest possible success rate by targeting a high-trafficked site, where even though the attack can be detected, the “window of opportunity” while the users were also accessing the malicious server could be far more beneficial than having a permanent malware link on a less popular site for an indefinite period of time.
  • Malicious Advertisements - Malvertising
Among the most popular traffic acquisition tactics nowadays remain the active utilization of legitimate Web properties for the purpose of socially engineering an ad network provider into featuring a specific malware-serving advertising at the targeted Web site including active Web site compromise for the purpose of injecting rogue and malicious ads on the targeted host.

Related posts:
  • Buying Access to Hacked Cpanels or Web Servers
Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture including the active utilization of various DIY Web site exploitation and malware-generating cybercriminals continue actively utilizing stolen and compromised accounting data for the purpose of injecting malicious scripts on the targeted host further compromising the confidentiality availability and integrity of the targeted host.
  • Harvesting accounting data from malware infected hosts
Having an administrator access to a domains portfolio, or any type of access though a web application backdoor or direct FTP/SSH, has reached its commercial level a long time ago. In fact, differentiated pricing applies in this case, on the basis of a site’s page rank, whereas I’ve stumbled upon great examples of “underground goods liquidity” as a process, where access to a huge domains portfolio though a hacked Cpanels is being offered for cents with the seller’s main concern that cents are better than nothing, nothing in the sense that she may loose access to the Cpanel before its being sold and thus ends up with nothing. Now, let’s discuss the most popular malware exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits

Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits could be irrelevant from the perspective of their current state of “modularity”, that is, once the default installation of the kit contains a rather modest set of exploits, the possibility to add new exploits to be used has long reached the point’n’click stage. Even worse, localizing the kits to different languages further contributes to their easy of use and acceptance on a large scale, just as is their open source nature making it easy for coders to use a successful kit’s modules as a foundation for a new one – something’s that’s happening already, namely the different between a copycat kit and an original coded from scratch one. Among the most popular malware kits remain :
  • A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack
During 2007, Mpack emerged as the most popular malware exploitation kit. Originally available for purchase, by the time copies of the kit started leaking out, anyone from a script kiddie to a pragmatic attacker have obtained copy of it. Mpack’s main strength is that of its well configured default installation, which in a combination with a rather modest, but then again, modular set of exploits included, as well as its point’n’click level of sophistication automatically turned it into the default malware kit. Mpack’s malware kit has been widely used on nearly all of the high-profile malware embedded attacks during 2007, however, its popularity resulted in way too much industry attention towards its workings, and therefore, malicious parties starting coming up with new kits, still using Mpack as the foundation at least from a theoretical perspective.

The list is endless, the Nuclear Malware kit, Metaphisher, old version of the WebAttacker and the Rootlauncher kit, with the latest and most advanced innovation named the Random JS Exploitation Kit. Compared to the previous one, this one is going a step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as much infected hosts with as little effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient way thought web malware exploitation kits in 2008. The events that took place during 2007, clearly demonstrate the pragmatic attack approaches malicious parties started applying, namely realizing that an outdated but unpatched on a large scale vulnerability is just as valuable as a zero day one.