Storm Worm's Fast Flux Networks

September 05, 2007
Following my previous posts on "Storm Worm Malware Back in the Game" and "Storm Worm's use of Dropped Domains", here are some handy graphs of Storm Worm's use of fast-flux networks generated during the last several hours, acting as great examples of how diverse malware C&C has become.

- bnably.com

Domain servers in listed order:
ns13.bnably.com
ns12.bnably.com
ns11.bnably.com
ns10.bnably.com
ns9.bnably.com
ns8.bnably.com
ns7.bnably.com
ns6.bnably.com
ns5.bnably.com
ns4.bnably.com
ns3.bnably.com
ns2.bnably.com


- wxtaste.com

Domain servers in listed order:
ns13.wxtaste.com
ns12.wxtaste.com
ns11.wxtaste.com
ns10.wxtaste.com
ns9.wxtaste.com
ns8.wxtaste.com
ns7.wxtaste.com
ns6.wxtaste.com
ns5.wxtaste.com
ns4.wxtaste.com
ns3.wxtaste.com
ns2.wxtaste.com


- snbane.com

Domain servers in listed order:
ns13.snbane.com
ns12.snbane.com
ns11.snbane.com
ns10.snbane.com
ns9.snbane.com
ns8.snbane.com
ns7.snbane.com
ns6.snbane.com
ns5.snbane.com
ns4.snbane.com
ns3.snbane.com
ns2.snbane.com

- tibeam.com

Domain servers in listed order:
ns13.tibeam.com
ns12.tibeam.com
ns11.tibeam.com
ns10.tibeam.com
ns9.tibeam.com
ns8.tibeam.com
ns7.tibeam.com
ns6.tibeam.com
ns5.tibeam.com
ns4.tibeam.com
ns3.tibeam.com
ns2.tibeam.com


- eqcorn.com

Domain servers in listed order:
ns10.eqcorn.com
ns11.eqcorn.com
ns12.eqcorn.com
ns13.eqcorn.com
ns2.eqcorn.com
ns3.eqcorn.com
ns4.eqcorn.com
ns5.eqcorn.com
ns6.eqcorn.com
ns7.eqcorn.com
ns8.eqcorn.com
ns9.eqcorn.com

The Honeynet Project & Research Alliance defines a fast-flux network as:

"Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations."

In Storm Worm's case, we have an example of fast-fluxing dropped domains, and if you research a little further, you'll see that newly infected Storm Worm hosts shown in this particular moment of the fast-flux are already sending out spam.
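The definition above (many A records that change every few minutes, plus, in Storm Worm's case, a dozen name servers per domain) translates directly into a passive-DNS check. The script below is an added example and not code from the original post: it takes DNS observations (query name, record type, answer, TTL), and flags a domain as a fast-flux candidate when it resolves to many distinct addresses spread over many /24 prefixes with short TTLs. The domain names in the sample come from the post; the IP addresses, timestamps, TTLs and thresholds are constructed for the illustration.

```python
"""Flag fast-flux candidates from passive DNS observations.

Added example, not code from the original post. The observations built by
sample_observations() are constructed: domain names are from the post, the
addresses, TTLs and timestamps are made up for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # seconds since epoch when the answer was seen
    qname: str     # queried name
    rrtype: str    # "A" or "NS"
    rdata: str     # answer (IPv4 address for A, hostname for NS)
    ttl: int       # TTL on the answer, in seconds


def slash24(ip: str) -> str:
    """Return the /24 prefix an address belongs to ("10.0.1.0/24")."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def fast_flux_score(observations, min_ips=8, max_ttl=600, min_prefixes=4):
    """Return {domain: metrics} for every domain with at least one A record.

    The fast_flux flag is set when the domain resolved to at least min_ips
    distinct addresses in at least min_prefixes different /24s, and at least
    one answer carried a TTL of max_ttl seconds or less. Thresholds are
    assumptions chosen for the example, not values from the post.
    """
    by_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ns": set(), "ttls": []})
    for o in observations:
        d = by_domain[o.qname.lower().rstrip(".")]
        if o.rrtype == "A":
            d["ips"].add(o.rdata)
            d["prefixes"].add(slash24(o.rdata))
            d["ttls"].append(o.ttl)
        elif o.rrtype == "NS":
            d["ns"].add(o.rdata.lower().rstrip("."))

    result = {}
    for name, d in by_domain.items():
        if not d["ttls"]:          # no A records seen, nothing to judge
            continue
        metrics = {
            "distinct_ips": len(d["ips"]),
            "distinct_prefixes": len(d["prefixes"]),
            "min_ttl": min(d["ttls"]),
            "ns_count": len(d["ns"]),
        }
        metrics["fast_flux"] = (
            metrics["distinct_ips"] >= min_ips
            and metrics["distinct_prefixes"] >= min_prefixes
            and metrics["min_ttl"] <= max_ttl
        )
        result[name] = metrics
    return result


def sample_observations():
    """Constructed observations: one fluxing domain, one stable one."""
    obs = []
    # bnably.com: a new address in an unrelated /24 every five minutes, TTL 300.
    # 10.x.x.x addresses are placeholders, not real fast-flux nodes.
    for i in range(12):
        obs.append(DnsObservation(1188950400 + i * 300, "bnably.com", "A",
                                  f"10.{i}.{i + 1}.{20 + i}", 300))
    # The twelve name servers ns2..ns13 listed in the post.
    for i in range(2, 14):
        obs.append(DnsObservation(1188950400, "bnably.com", "NS", f"ns{i}.bnably.com", 300))
    # example.com: two addresses in one /24, day-long TTL, same answers all day.
    for i in range(12):
        obs.append(DnsObservation(1188950400 + i * 300, "example.com", "A",
                                  f"192.0.2.{10 + (i % 2)}", 86400))
    return obs


if __name__ == "__main__":
    for domain, m in fast_flux_score(sample_observations()).items():
        print(domain, m)
```

The NS count is reported rather than scored because a large, stable set of name servers is not suspicious on its own; it becomes interesting when, as here, the name servers themselves sit inside the fluxing domain and their addresses churn too (double flux). Feeding real passive-DNS data into `fast_flux_score` only requires mapping your log format onto `DnsObservation`.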

Login Details for Foreign Embassies in the Wild

September 04, 2007
Login details for international embassies have been in the wild since August 30th, in full disclosure style:

"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"

The researcher's main motivation for releasing these is that there's no point in contacting the email owners directly, as no one would take his emails seriously enough to change the passwords, so going full disclosure would prompt the embassies in question to change them. Dan Egerstad may be quite right, at least on the password-changing issue. Could these email accounts be accessed globally, and if yes, why? For instance, could Uzbekistan's embassy in London successfully log into Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes for flexibility? If yes, there are way too many ways this data could have been obtained. While going through the account data, we could both confirm that best practices for strong passwords are in place at some embassies, and also question the lack of such best practices at others; strong passwords are a security measure that works against brute-forcing attempts, but are totally irrelevant when it comes to keylogging and sniffing.

Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on an embassy-to-embassy basis, the way we've seen it happen before.

DIY Exploits Embedding Tools - a Retrospective

September 04, 2007
Great analysis by the Spywareguide folks -- Chris Boyd and Peter Jayaraj in this assessment -- especially my deja vu moment with the King's IE Exploiter tool, which I intended to cover in an upcoming post in combination with a brief retrospective of the exploit and malware embedding tools that empowered entire generations of script kiddies during the last couple of years. These tools are a great example of what the DIY trend used to look like before malicious economies of scale were embraced in the form of today's modular and efficiency-centered malware kits we're aware of.

-- The IE Exploiter v1.0/2.0

The tool is first known to have emerged back in 2002, with its latest version released in 2004. It was first branded as the "Fearless IE Exploiter" and then returned to its original name. Description of v1.0: "Fearless IE Exploiter allows you to embed executable files into HTML documents, that when viewed in an unpatched version of Internet Explorer 5.* will automatically download and execute the .exe". And the description of v2.0: "IE Exploiter v2 is a very simple tool that creates a HTML file with an embedded executable file. Once the HTML file is viewed the executable file will overwrite notepad.exe on the target system and then execute it using the view-source: prefix."

Result: 22/32 (68.75%)
File size: 149359 bytes
MD5: 315cd35aa5a0334697832e83fac7b0dc
SHA1: 71a7929f7781d969a63e532cd8cd877940a2ca12

-- King's IE Exploiter

King's IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Although the malware-embedded pages it generates on the fly come totally unobfuscated, we will wait and see whether such a feature is eventually released.

Result: 6/32 (18.75%)
File size: 253440 bytes
MD5: e6052d3abf95429fd761feef0a695470
SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35

-- Zephyrus

Again released around 2004, the description reads: "Its a proof of concept tool to generate a Stench MediaPlayer Exploit file more infos about stench can be found here http://malware.com or at here AVP calls it exploit.win32.zephyrus"

Result: 30/32 (93.75%)

-- God's Will

The description reads: "A GODMESSAGE page is an HTML page that works with an ACTIVEX bug found in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our godmessaged page he downloads an HTA file in his STARTUP FOLDER."

Result: 32/32 (100%)

-- Ed Html Infector

The description of the tool circa 2004 reads: "Ed HTML Infector is a very simple tool that creates HTML file with an embedded executable file within."

Result: 14/32 (43.75%)
File size: 118784 bytes
MD5: 94c642903318f89d410c64d46f2047aa
SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c

Spammers and Phishers Breaking CAPTCHAs

September 03, 2007
The emergence of CAPTCHA-based authentication was a logical move in the fight against automated brute forcing of login details, automated registrations, spamming and splogging in the form of comments and splog registrations. Consequently, spammers, phishers and malware authors started figuring out how to achieve their objectives automatically anyway, by either breaking or adapting to a certain CAPTCHA, or, even more pragmatically, by outsourcing the request to a third party.

Two months ago, there were news stories on how spammers and phishers, feeling the pressure put on them by anti-spam vendors, had supposedly broken Hotmail's and Yahoo's CAPTCHAs. Nothing is impossible, the impossible just takes a little longer; what's important is discussing the many other perspectives related to adapting to a CAPTCHA, directly breaking it, or entirely ignoring it.


In the first example you can see automatic CAPTCHA recognition at a Russian email provider. What the script is doing is basically syndicating proxies, ensuring they work, and starting the mass registration process while providing confirmation or error results in between. The CAPTCHA in question is indeed primitive, but the email provider's clean IP reputation, and the launch pads for spam, phishing and malware it offers, are what the malicious parties are really interested in. Once the CAPTCHA becomes easily recognizable, the entire process of logging in and sending the malicious content can also be fully automated.

The second example is a great example of the adaptation process. This CAPTCHA cannot be efficiently abused as we've seen in the first case, but instead of putting effort into breaking it directly, the malicious parties are simply adapting. Once proxies get syndicated and verified for connectivity, a request for the number of accounts to be registered is initiated; the script then responds with automatically generated logins and presents the CAPTCHA to be manually entered by the malicious party. Malicious economies of scale in action: although the CAPTCHA cannot be broken, the process is still partly automated, another example of marginal thinking applied in order to achieve an objective.

Sample CAPTCHA breaking project requests:

- "I need a captcha breaker that can break captchas that are of the same style i will upload here.I will want a c++ dll that recieves a file path and returns a char* with the content of the picture (letters and numbers)"

- "The program needs to take a myspace captcha image and determine what the text says in the image. The accuracy needs to be 80%+"

- "We are an expert group for inputing captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writting your spiders or other softwares to get and manage all the captchas."

Some are purely malicious, others aim to verify the security of a CAPTCHA in development, for instance. Let's summarize: why are malicious parties interested in defeating CAPTCHAs at popular sites?

- take advantage of the clear IP reputation of the email service in order to improve the chance of having their phishing/spam/malware email successfully received

- set the foundations for a large scale automated spamming/phishing operations by using legitimate email addresses, thus improving their chances of not getting filtered

- automated registration of splogs -- spam blogs

- as search engines are starting to crawl sites submitted at the most popular social networks in real time, spammers or malware authors are naturally interested in abusing this development to timely attract huge audiences to their splogs, which often have malware embedded within

What are malicious parties doing to achieve efficiency despite their inability to defeat an advanced CAPTCHA?

- humans entering the CAPTCHAs while the script is auto-generating, storing and auto-logging in with the passwords, combined with the human-entered CAPTCHA

- adapting rather than putting more effort into rocket science: whenever a CAPTCHA cannot be beaten automatically, as you already saw in the second screenshot, they make it easier and faster for a human to enter the CAPTCHA than it would be for an end user browsing

- outsourcing the work, presenting it as a quality-assurance project for a CAPTCHA about to be introduced on the market

What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be in place by default, but taking another perspective, the way I discussed how click fraud could be easily detected by advertising networks syndicating the IPs of hosts already known to be malware-infected, in this very same fashion we could have a CAPTCHA system that checks, for instance, whether default proxy ports are open on the host trying to register, and whether or not it is part of a botnet. With data like this now a commodity, a prioritization process that closely monitors mass registrations from these IPs is a pragmatic early warning system.

Interesting reading on the big picture too: CAPTCHA - The Broken Token:
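The early-warning idea in the paragraph above (combine host reputation with registration velocity, and prioritize mass registrations from hosts that look like proxies or bots) is straightforward to prototype. The code below is an added example, not the post's own tooling: a registration monitor that scores each sign-up from the IP's presence on an infected-host list, from open default proxy ports, and from the number of registrations seen from that IP within a sliding window. The infected-host list, the port-probe function (`constructed_probe`, which simulates a scanner so the example runs offline) and the port list are all constructed assumptions; a real deployment would plug in a live blocklist feed and a rate-limited probe.

```python
"""Score account registrations by host reputation and velocity.

Added example, not code from the original post. Everything below that looks
like data (the infected-host list, the proxy ports, the probe results and the
registration events) is constructed for the illustration.
"""
from collections import defaultdict, deque

# Ports commonly used by HTTP/SOCKS proxies; an assumption for the example.
DEFAULT_PROXY_PORTS = frozenset({3128, 8080, 1080})


class RegistrationMonitor:
    """Decide what to do with a registration attempt from a given IP."""

    def __init__(self, infected_ips, probe_open_ports, window_seconds=3600, velocity_threshold=5):
        self.infected_ips = set(infected_ips)   # e.g. a botnet IP feed
        self.probe = probe_open_ports           # callable(ip) -> set of open TCP ports
        self.window = window_seconds
        self.threshold = velocity_threshold
        self.events = defaultdict(deque)        # ip -> registration timestamps in window

    def score(self, ip, ts):
        """Record a registration at time ts and return the decision for it."""
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:    # drop events outside the window
            q.popleft()

        reasons = []
        if ip in self.infected_ips:
            reasons.append("known infected host")
        proxy_ports = set(self.probe(ip)) & DEFAULT_PROXY_PORTS
        if proxy_ports:
            reasons.append(f"open proxy port(s) {sorted(proxy_ports)}")
        reputation_hit = bool(reasons)
        mass_registration = len(q) >= self.threshold
        if mass_registration:
            reasons.append(f"{len(q)} registrations within {self.window}s")

        # Reputation alone only raises the priority for review; reputation
        # plus mass registration is what the post singles out for action.
        if reputation_hit and mass_registration:
            action = "block"
        elif reputation_hit:
            action = "review"
        elif mass_registration:
            action = "throttle"
        else:
            action = "allow"
        return {"ip": ip, "action": action, "reasons": reasons}


def constructed_probe(ip):
    """Simulated port scan results (constructed); a real probe would connect."""
    return {"198.51.100.7": {80, 8080}}.get(ip, set())


def run_constructed_scenario():
    """Replay a handful of constructed registration events and return the decisions."""
    monitor = RegistrationMonitor(infected_ips=["203.0.113.45"],
                                  probe_open_ports=constructed_probe,
                                  velocity_threshold=3)
    decisions = [
        monitor.score("192.0.2.1", 1000),        # ordinary user
        monitor.score("198.51.100.7", 1000),     # open proxy port, single sign-up
    ]
    for t in (1000, 1001, 1002):                 # infected host registering in a burst
        decisions.append(monitor.score("203.0.113.45", t))
    return decisions


if __name__ == "__main__":
    for d in run_constructed_scenario():
        print(d)
```

The window is kept per IP in memory, which is fine for a prototype; at scale the same counts would live in whatever store the registration front-end already uses for rate limiting, and the probe would be cached so that each IP is scanned at most once per window.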

"How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to do the trick; certainly no more than $50. But the cost isn’t the point. What’s more alarming is that thousands upon thousands of site owners are depending upon flawed technology to protect their sites from spam even though they know, or at least should know, that it’s only a matter of time until some spam robot shows up and starts hammering away at those worthless little images."

The irony regarding CAPTCHAs is that less popular sites often have a more sophisticated CAPTCHA than the Web 2.0 darlings, the most widely used web sites.


Bank of India Serving Malware

August 31, 2007
Ryan at ZDNet's Security blog is reporting on the breached site of Bank of India, which at the time of blogging is still serving malware to its current and potential customers through the infamous Russian Business Network - 81.95.144.0 / 81.95.147.255.

At the bank's URL there's a link pointing to goodtraff.biz (58.65.239.66), where an IFRAME loads 81.95.144.148/in.cgi?10; when accessing it we get a response from 81.95.144.146, with the usual javascript obfuscation leading us to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php. Furthermore, the second IFRAME leads us to x-traffic.biz/ts/in.cgi?user0224 (which is a Russian adult traffic network), redirecting us to mymoonsite.net/check/version.php?t=167 (81.95.148.13), and a third one loads goodtraff.biz/tds/index.php (empty). What does it mean? It means the Russian Business Network has not just managed to inject its presence on Bank of India's site, but is also using multiple IFRAMEs as an attack vector, thus creating a fast-flux network with multiple campaigns within it, which I'll assess in this post.

Apparently, Trend Micro's been busy uncovering the n404 exploit kit, which is also used in this campaign aimed at the Bank of India. Is this a newly developed attack kit, or a modification of another popular one? Further attack clues will definitely indicate the second, namely that it's a modification. As for the kit itself, it returns a 404 error within which sits the obfuscated javascript; thus we have a fast-flux-oriented kit aiming to diversify and include as many infected nodes in the attack process as possible, to improve its chances of infecting the host while the campaign remains intact. The malicious URL structure is again static, just like Storm Worm's, and is in the following format: n404-(number from 1 to 9).htm, where each page contains a different piece of malware.

Several more n404 exploit kit campaigns are currently active at the following URLs:

msiesettings.com - 81.95.148.14
winmplayer.com
smoothdns.net - 81.95.148.12
protriochki.com - 81.95.148.14
susliksuka.com - 81.95.148.12
uspocketpc.com - 81.95.148.13

The exact campaign URLs:

- mymoonsite.net/check/versionml.php?t=141
mymoonsite.net/check/version.php?t=15
mymoonsite.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- uspocketpc.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s75.msiesettings.com/check/versionst.php?t=75
s75.msiesettings.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s99.winmplayer.com/check/n404-1.php
n404-(number from 1 to 9).htm

- smoothdns.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- protriochki.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- susliksuka.com/check/n404-1.htm
n404-(number from 1 to 9).htm

What makes an impression is that it's relying on as many malware infections as possible: visiting a central campaign site such as mymoonsite.net/check/version.php?t=158 results in all the n404 malicious pages within the domain getting automatically loaded via an IFRAME, and as you've successfully guessed, they all contain different types of malware. Although javascript obfuscation is often used to hide the real location of the exploit or binary, in this campaign each and every n404-1.htm obtained from all the domains has the same checksum, therefore the files at the different domains are identical - at least so far:

File size: 10636 bytes
MD5: 45594ef52a9f53f2140d4797826156ff
SHA1: 7c4f7d183dfaf39410902a629b13ae5112b847f0

AntiVir 2007.08.31 HTML/Crypted.Gen
eSafe 2007.08.29 JS.Agent.ke
Fortinet 2007.08.31 HTML/Heuri.BIU!tr.dldr
F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no
Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no
Webwasher-Gateway 2007.08.31 Script.Crypted.Gen

A great example of a fast-flux network with way too many infected hosts participating in the attack; although some seem to be down, the attack is still fully operational in typical fast-flux style.
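Two of the observations above lend themselves to automated triage on the defender's side: the campaign is spread through IFRAMEs whose targets follow a fixed n404-(1..9).htm naming scheme or sit in the 81.95.144.0 - 81.95.147.255 range, and the n404-1.htm pages at the different domains have identical checksums. The script below is an added example, not code from the post or from any of the vendors mentioned: it pulls every IFRAME out of an HTML document, flags the ones matching those indicators (and the ones sized 0x0 or 1x1, a common way to keep an injected frame invisible), and groups already-fetched page bodies by SHA1 so that identical copies across domains are reported together. The HTML snippet and the page bodies are constructed; the URL pattern and the address range are the ones given in the post.

```python
"""Triage IFRAMEs and page checksums for the indicators described in the post.

Added example, not code from the original post. SAMPLE_HTML and SAMPLE_PAGES
are constructed inputs; the n404 URL pattern and the 81.95.144.0/22 range
(81.95.144.0 - 81.95.147.255) are taken from the post.
"""
import hashlib
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

RBN_RANGE = ipaddress.ip_network("81.95.144.0/22")          # 81.95.144.0 - 81.95.147.255
N404_PATTERN = re.compile(r"/n404-[1-9]\.htm$", re.IGNORECASE)  # n404-(1..9).htm


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def classify_iframe(attrs):
    """Return the src, host and the list of indicators an IFRAME matched."""
    src = attrs.get("src") or ""
    parts = urlsplit(src if "://" in src else "http://" + src)
    host = parts.hostname or ""
    reasons = []
    try:
        if ipaddress.ip_address(host) in RBN_RANGE:
            reasons.append("src in 81.95.144.0/22")
    except ValueError:
        pass                                    # hostname, not a literal address
    if N404_PATTERN.search(parts.path):
        reasons.append("n404 kit url pattern")
    size = {(attrs.get("width") or "").strip(), (attrs.get("height") or "").strip()}
    if size & {"0", "1"}:
        reasons.append("hidden iframe")
    return {"src": src, "host": host, "reasons": reasons}


def suspicious_iframes(html):
    """Parse html and return only the IFRAMEs that matched at least one indicator."""
    collector = IframeCollector()
    collector.feed(html)
    return [c for c in (classify_iframe(a) for a in collector.iframes) if c["reasons"]]


def group_identical(pages):
    """pages: {url: body bytes}. Return {sha1: [urls]} for bodies seen at more than one URL."""
    groups = {}
    for url, body in pages.items():
        groups.setdefault(hashlib.sha1(body).hexdigest(), []).append(url)
    return {h: sorted(urls) for h, urls in groups.items() if len(urls) > 1}


# Constructed page: one injected frame into the RBN range, one n404 frame, one benign embed.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://81.95.144.148/in.cgi?10" width="0" height="0"></iframe>
<iframe src="http://mymoonsite.net/check/n404-1.htm" width="1" height="1"></iframe>
<iframe src="http://www.example.com/embed/video" width="640" height="480"></iframe>
</body></html>"""

# Constructed bodies: the two n404-1.htm copies are byte-identical, the third differs.
SAMPLE_PAGES = {
    "http://mymoonsite.net/check/n404-1.htm": b"<script>/* constructed */eval(x)</script>",
    "http://uspocketpc.com/check/n404-1.htm": b"<script>/* constructed */eval(x)</script>",
    "http://www.example.com/embed/video": b"<html>constructed benign page</html>",
}

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML):
        print(hit)
    for digest, urls in group_identical(SAMPLE_PAGES).items():
        print(digest, urls)
```

`group_identical` is what turns the post's "same checksum at every domain" remark into a rule: once one copy has been analysed, every other URL in the same group can be blocked without fetching it again, and a new body hash appearing under the same file name is the signal that the kit's payload has been rotated.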

UPDATE: F-Secure's and McAfee's comments on the case, as well as two related posts - Bank of India’s Website has been Compromised by Trojan downloader; Bank of India Official Web Site Unsafe at the Moment.

UPDATE 2:
Several hours after the Bank of India got rid of the iframe at its homepage, the main URL for this malware campaign (81.95.144.148/in.cgi?10) removed the javascript obfuscation and is now forwarding to Google.com.

"We have taken up the matter with our technology-partner and all necessary action will be taken to rectify the matter. In my view, the users will not be faced with any major problems,” said BoI general manager PA Kalyansundar. “However, we are not completely sure that an attack actually happened,” he clarified."

Here's another article from The Register mentioning the three key points related to the campaign - the Russian Business Network, the n404 exploit kit which is definitely a modification of the popular ones currently in the wild, and the use of fast-flux networks. And this is what happened when an Indian tried to reach the local Cybercrime unit.

Malware as a Web Service

August 31, 2007
Popular malware tools such as binders and downloaders usually come in typical software application form. Moreover, when I talk about malware services I mean crypting, packing and limiting the detection rate on demand, while in this case we have DIY malware as a web service. A trend to come or a fad to disappear, only time will show, but the possibilities for porting popular malware tools into web service form are quite disturbing.

In the first example we have a malware downloader as a web service with various configurable variables, such as the custom port and IP to obtain the payload from, as well as the ability to modify how the payload is extracted and executed. Combined with the option to choose a packer, whether or not to melt the downloader after it delivers the payload, and the opportunity to choose from a set of predefined icons or select a custom one, these make this malware web service an interesting one to monitor.

A sample of the first service:

Result: 5/32 (15.63%)
BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DF1F
eSafe 2007.08.29 suspicious Trojan/Worm
NOD32v2 2007.08.30 probably unknown NewHeur_PE virus
Sophos 2007.08.30 Mal/Heuri-D
Webwasher-Gateway 2007.08.30 Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious)

File size: 11776 bytes
MD5: e9df373f1561bed2a2899707869a7a44
SHA1: 295c6702cb19f6b20720057d61d940921602a0cd

In the second example, we have a malware binder as a web service with pretty much identical features to the first example. If traders of malware services such as the above-mentioned crypting, packing and ensuring a lower detection rate start embracing Web 2.0 in the process of efficiently constructing malware, or providing their customers with a DIY experience by constantly ensuring their "web dashboard" is up to date with new services and features, it can get very ugly. So, let's hope it's just a fad.

Massive Online Games Malware Attack

August 30, 2007
Despite Storm Worm's worldwide media coverage, there are many other malware campaigns currently active in the wild, again exploiting outdated browser vulnerabilities, such as this one aiming to steal passwords for MMORPGs. The folks at the SANS ISC recently assessed yet another malicious URL following a lead from the recently breached site of Leuven, a city in Belgium. Apparently, the Chinese domain, which naturally exploits an already patched vulnerability, has been embedded within many other sites as well. MMORPG password-stealing malware is nothing new, especially in Asia, where online games dominate the vast majority of Internet activity for local netizens. Creative typosquatting domain scams are still filling the different domain niches left at the phisher's disposal.

VBS/Psyme.CB detection rate:
Result: 10/32 (31.25%)
File size: 9857 bytes
MD5: 2a5eff5381cec4a7d5478b989aeb2ada
SHA1: e08cdb74965c31b70ab24d82761b652035283a87

Trojan-PSW.Win32.WOW.sp detection rate:
Result: 19/32 (59.38%)
File size: 52170 bytes
MD5: f37a18d2e991ef5cd7ea7a4dfcb6e3f5
SHA1: c1cbee89ba1033b8e739067eab086f70b476c5aa

What's also worth mentioning is that the campaign has a built-in, freely available counter, unlike typical campaigns, which tend to use malware kits for C&C and detailed statistics of the infected population.

Storm Worm's use of Dropped Domains

August 29, 2007
The daily updated Bleedingthreats.org Rules to block Storm worm DNS and C&C keep growing at a significant speed, and with the group behind Storm Worm constantly changing its social engineering tactics -- but continuing to exploit already patched vulnerabilities in case the user doesn't infect herself -- anti-virus vendors are literally crunching out new signatures for yet another Storm Worm variant. Reactive response is a daily reality; however, proactive response, such as making sure your customers cannot have their browsers automatically exploited even if they follow Storm Worm's IP links, is far more pragmatic, and the results can be easily evaluated while the mass mailing campaign is still active online. Here's an interesting list, especially given that pretty much all of these domains were purchased as "dropped" ones, and are again part of the BYDLOSHKA campaign with a static domain.com/ind.php structure:

tushove.com; tibeam.com; kqfloat.com; snbane.com; yxbegan.com; snlilac.com; qavoter.com; ptowl.com; wxtaste.com; eqcorn.com; ltbrew.com; bnably.com; fncarp.com

The obfuscated javascript exploiting the browser vulnerabilities still includes offensive language against an anti-virus vendor. Moreover, in case you remember, the second Storm Worm wave had a very creative feature, namely automatically injecting a malicious URL into a forum or blog post right after the infected party had authenticated herself, so that the malware did not have to figure out how to bypass the authentication. As it looks, the current campaign has also hit Blogger and many other forums as well.

DIY Phishing Kits

August 29, 2007
In times when socially oriented bureaucrats are prompting such popular projects as KisMAC and the Default Password List to seek hosting in a foreign country, the German scene seems to be very active, with yet another DIY phishing kit released in the wild, which I'll discuss in this post, following the first rather primitive one I came across a while ago. As we've seen with a previous phishing kit, and the infamous Rock Phish, malicious economies of scale in terms of efficiently generating fake pages to be forwarded to a central logging location are the second most important goal of this trend. What's the first? It's noise generation, contrary to the common wisdom that such tools are supposed to be exclusive and private. Talking about the economics of phishing, with scam pages already a commodity at the phishers' disposal, fast-flux hosting of the pages and maintaining their "online lifetime", thus playing a cat and mouse game with the researchers and vendors shutting them down, is perhaps the next stage in further developing the phishing ecosystem.

File size: 5844992 bytes
MD5: ae3a3cbb873c69843455c46ad6e62f40
SHA1: 7606b3cccbb3cccb95bbe32b688e350d42aeffc5

Related posts:
Pharming Attacks Through DNS Cache Poisoning
DIY Pharming Tools

The Economics of Phishing

August 28, 2007
Years ago, phishing used to be like fishing, at least in respect to the preparation and the patience required for the fisherman to catch something. Nowadays, phishing is like fishing with dynamite: very effective and entirely efficiency-centered. After discussing the economics of spamming -- within the post's comments -- I emphasized the fact that both the underground economy's supply of goods and the phishing ecosystem are entirely based on the cooperation among spammers, phishers and malware authors, and so is the rise of the DIY phishing kits. I recently came across a very good analysis conducted by Cloudmark, with a huge sample of phishing emails to draw conclusions from. The Economy of Phishing - A Survey of the Operations of the Phishing Market:

"We have conducted extensive research to uncover phishing networks. The result is detailed analysis from 3,900,000 phishing e–mails, 220,000 messages collected from 13 key phishing–related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat networks and 4,400 compromised hosts used in botnets."

The research once again demonstrates the diversity of phishing techniques used, and covers the following segments: web servers used in phishing attacks; institutions by advertising rate; institutions by report rate; and, perhaps the most interesting part, an IRC visualization of the underground social networks for trading stolen digital goods.

Furthermore, it's great to note that it's not just vendors actively researching the average time a phishing site remains online, but also third-party researchers such as Richard Clayton and Tyler Moore at the Security Research Computer Laboratory, University of Cambridge, with some recently released research notes. It's one thing to consider the daily reality of malware and phishing pages hosted on infected home users' PCs, another to see malicious parties offering fast-flux networks on demand while vendors are figuring out how to timely shut down the pages, but totally out of the blue to see such a party -- the always-on malicious service is ironically down -- offering phishing hosting and spam sending in between child porn and zoophilia hosting.

Your Point of View - Requested!

August 26, 2007
Question: What is the most realistic scenario for what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view?

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the affected Russia could be behind the attacks

- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Voting link - your opinion is greatly appreciated.

Stats courtesy of Arbor Networks' ATLAS, among the several early warning security event systems publicly available online.

DIY Pharming Tools

August 25, 2007
In a previous post I discussed pharming from the perspective of abusing a DNS server and starting a wide-scale pharming attack. However, it's also vital to discuss the second perspective, namely malware-infected PCs whose hosts files could be abused to facilitate MITM phishing attacks, for instance. Consider the following DIY pharming tool, which basically allows a list of the IPs of anti-virus software update locations to be added, and consequently blocked, as well as complete control over the infected user's perception of where exactly she is online. The second version lacks the "add a list" feature and is entirely centered on phishing attacks. The way lists of the process names/files for every anti-virus product have been used by malware to shut the software down, in this very same way the online update locations for multiple AVs are also easily obtainable -- a topic I covered in a previous post.
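Both abuses described above leave a trace in the same place: the hosts file. A tool that blocks anti-virus updates maps the update hostnames to a loopback or unspecified address, and a tool that "controls the user's perception of where she is online" maps a bank's or webmail provider's hostname to an address the attacker controls. The script below is an added example, not the post's or any vendor's code: it parses a hosts file and reports both patterns against two watch lists. The hosts content, the bank and anti-virus domain names (all under the reserved .test TLD) and the addresses are constructed; a real deployment would read the system hosts file and use the organization's own lists.

```python
"""Audit a hosts file for the two abuses the post describes:
anti-virus update locations sinkholed, and watched domains redirected.

Added example, not code from the original post. SAMPLE_HOSTS and the two
domain lists are constructed (reserved .test names and documentation
addresses); point audit_hosts() at a real hosts file and real lists to use it.
"""
import ipaddress

# Constructed watch lists; an organisation would use its own.
WATCHED_DOMAINS = {"www.example-bank.test", "online.example-bank.test"}
AV_UPDATE_DOMAINS = {"update.example-av.test", "liveupdate.example-av.test"}

SAMPLE_HOSTS = """\
127.0.0.1 localhost
# constructed entries of the kind a DIY pharming tool writes
127.0.0.1 update.example-av.test
0.0.0.0   liveupdate.example-av.test
198.51.100.23 www.example-bank.test online.example-bank.test
192.168.1.50 intranet.corp.test
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (# ...) and blank lines are skipped; a line whose first field is
    not an address is ignored rather than treated as a mapping.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def audit_hosts(text, watched_domains, update_domains):
    """Return a list of findings, one per suspicious hostname mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":                 # the one mapping every hosts file has
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified   # 127.x or 0.0.0.0: name goes nowhere
        finding = {"line": lineno, "host": name, "ip": str(ip)}
        if name in update_domains and sinkholed:
            finding["issue"] = "AV update location blocked"
        elif name in watched_domains and not sinkholed:
            finding["issue"] = "watched domain redirected to another address"
        else:
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHED_DOMAINS, AV_UPDATE_DOMAINS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}: {f['issue']}")
```

The check is deliberately narrow: a hosts file legitimately carries loopback entries and internal names such as the intranet line above, so flagging every non-localhost mapping would drown the two signals that matter. The same two lists also serve as a baseline for a periodic integrity check (hash the file, alert on change), which catches the tool at the moment it writes rather than at the next audit.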

Panda 2007.08.25 Suspicious file
Prevx1 2007.08.25 Generic.Malware
File size: 623616 bytes
MD5: 4ab0d055bee708dd0046af0b8800594a
SHA1: 41b93e16127964b89bb9e34af8d12411323e631f

An old friend recently approached me asking for my opinion on man-in-the-middle phishing attacks, and whether or not I'm aware of any such DIY type of functions. Simultaneously, PandaSecurity released a very good screenshot of a feature within a botnet's C&C interface, worth seeing for yourself too. Although the current "push" phishing model seems to be fully working, and keylogging has started evolving into "form grabbing", MITM phishing attacks, I think, would remain at the bottom of the attack model for the pragmatic and efficiency-centered phisher, who would otherwise have to either build a botnet on her own, or request access to one on demand.

Distributed WiFi Scanning Through Malware

August 24, 2007
Distributed computing through malware, OSINT through botnets, distributed password cracking and distributed malicious economies of scale are all fully realistic nowadays. And so is a plugin for a popular RAT which scans for open WiFi networks, based on an article released by the infamous 29a group:

"This plugin enables you to scan for available nearby WLANs. The bins (wifiC.dll and wifiS.dll) have been packed with UPX 3.00w. Place them in the \Plugin\ folder or load wifiC.dll manually to use the plugin."

Perhaps this is the perfect moment to comment on the email from Maureen Vilar, a moderator for ClimatePrediction at BOINC's project, who contacted me regarding my blog post on distributed computing through malware and described the incident in detail:

"The 5000+ computers attached to Wate's account were very different in profile from a normal DC farm and easily identified as abnormal. Attached computers are now being looked at by members much more critically. It now appears that the trojan that attached the computers to Wate's account and thus to boinc projects was probably bundled with P2P downloads. The owners of the 5000+ computers must not have scanned these P2P downloads, and many of them must have failed to investigate why their computers were probably running slowly at 100% CPU, or in the case of laptops why they were in some cases doubtless overheating or the batteries running down. They must also have failed to check which programs were installed, even though many of the affected computers cannot have been running normally for everyday use. Imagine that many of these computers did not have an active or up-to-date firewall, or that firewall warnings were ignored. These were all basic security failures on the part of the owners of these 5000+ computers, some of which were powerful machines. The developers of legitimate software unfortunately cannot ensure that all computer owners worldwide implement basic security measures. The problem of Wate's account was first discovered by boinc team crunchers in Italy who took speedy action to inform the boinc development team in Berkeley. They in turn took rapid action to inform the administrators of the affected boinc projects. The Wate accounts on all the affected projects were disabled. Because boinc projects run a competitive credits system, it is in the interests of members to ensure that no-one is able to compete dishonestly."

To sum up - BOINC's servers weren't breached, and no malware was "pushed" onto the participants' hosts through BOINC's client; instead, BOINC's client got "pulled" onto the infected PCs, which then started participating in ClimatePrediction. And obviously, they have anomaly detection practices in place that ensure such incidents get detected easily.

Detection rates for the WiFi plugin :

wifiC.dll
AVG 2007.08.23 BackDoor.PoisonIvy.B
Ikarus 2007.08.23 Trojan-Downloader.Win32.QQHelper.vn
Webwasher-Gateway 2007.08.23 Win32.UPXpacked.gen!94 (suspicious)

File size: 198144 bytes
MD5: 15cbfa1ed47e45f30be0eb0dcd1ec5e3
SHA1: bdd9994a20b4ae753951c09506ae0e2db59f63e2

wifiS.dll
AntiVir 2007.08.23 BDS/BlackH.2005.A.1
AVG 2007.08.23 BackDoor.PoisonIvy.B
Panda 2007.08.23 Suspicious file
Webwasher-Gateway 2007.08.23 Trojan.BlackH.2005.A.1

File size: 10240 bytes
MD5: 11aa54103e7311ad23b4e60292dc9e82
SHA1: 59e7f0aaa8305ad0c5c830c16b531d1e2ab641b4

Consider the following scenarios :

- malware infected PCs opening a WiFi connection in a port-knocking fashion, to the wireless botnet master only
- no need for wardriving, since in the age of malware geolocating IPs through commercial services, malware authors could quickly map the entire vulnerable WiFi population around a given region
- once a PC inside an organization gets infected, it can automatically turn into a wardriving zombie that exposes vulnerable WiFi connections from within
- Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices within range of the infected host

GIMF - "We Will Remain"

August 24, 2007
After having both of its blogs shut down, the Global Islamic Media Front issued a modest statement, "Global Islamic Media Front: We were and will remain". But of course - in banner form only. Here are two more GIMF related URLs of a sexy layout in progress, a propaganda flash, and an article related to the Middle East Media Research Institute (MEMRI).

The Nuclear Malware Kit

August 22, 2007
Web based C&C malware kits are already a commodity, and with the source code of MPack and IcePack freely available in the wild, modifications of the kits with far more advanced features will sooner or later get released. But what is prompting the botnet masters' interest in a web interface to their fast-flux networks, and in in-depth statistics on the infected hosts? It's a results-oriented mindset, and the core objective of achieving malicious economies of scale. What does this mean from a psychological point of view? It means that even before launching a mass-spreading attack they've already anticipated its success, so that more effort goes into assessing which are the most effective campaigns, which countries are prone to malware infections, and which specific browser vulnerabilities were used, in order to tailor even more successful attacks in the future. When looking at screenshots of stats like these you realize that browser and client side vulnerabilities are in principle the infection vector of choice, especially unpatched ones: in the last wide scale IFRAME attacks we've seen in the past six months, all the malware kits were using outdated browser vulnerabilities, and despite that, achieved enormous success.

More screenshots of a previous version of the Nuclear Malware Kit - yet another web based C&C available for sale :
- Infections per browser
- Infections per OS
- Infections per country

Related posts:
The Black Sun Bot - web based malware
The Cyber Bot - web based malware
Malware Embedded Sites Increasing
Botnet Communication Platforms
OSINT Through Botnets
Corporate Espionage Through Botnets

Excuse Us for Our Insecurities

August 22, 2007
This Security Public Relations Excuse Bingo is very entertaining, as it objectively provides the random excuses that security vendors and public companies often use when not addressing a security issue concerning them, and consequently their customers. You may also find Matasano's Kübler-Ross Model Of Vulnerability Management informative.

Offensive Storm Worm Obfuscation

August 21, 2007
Malware authors, often pissed off at the detection rates of their malware releases, tend to include offensive comments or messages against anti virus vendors within the malware's code. At this Storm Worm URL we see an offensive function within the obfuscated exploit, aimed at Kaspersky.

The recent Storm Worm campaign may indeed look like a huge security threat given the millions of emails sent; however, I feel more awareness should be built around the fact that the malware has slightly adapted and is using browser based (client side) vulnerabilities to automatically push the binary onto the host, as opposed to the urban legend of not opening email attachments from unknown parties. The current Storm Worm's main benefit in terms of efficiency is the client side vulnerabilities exploited at each and every malicious IP, and its main weakness is the pattern based nature of the binaries hosted at those IPs, such as maliciousIP/file.php and maliciousIP/ecard.exe; therefore, periodically verifying the checksums of the still active Storm Worm IPs turns up new malware variants. Or, starting from the basic premise that prevention is better than the cure, Bleedingthreats have already released IDS signatures for the Storm Worm :

"This first list has over 800 servers that are confirmed hostile, and were active in the last 24 hours. http://www.bleedingthreats.net/rules/bleeding-storm.rules
And a version prebuilt with a 30 day Snortsam block:
http://www.bleedingthreats.net/rules/bleeding-storm-BLOCK.rules
We’ll be collating Storm related links and data sources on the following page which is referenced in these sigs:
http://doc.bleedingthreats.net/bin/view/Main/StormWorm"
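The checksum verification idea above (same URL pattern, changing binary) is easy to turn into a small analyst tool. The following is an added example, not code from the original post: a ledger that groups fetched payloads by URL path, reports when a new checksum appears under that path, and records which hosts served each variant. The payloads and hostnames below are constructed placeholders, not Storm Worm infrastructure.

```python
"""Added example: track checksums of binaries served under a fixed URL path.

Not code from the original post. Payloads below are constructed stand-ins for
fetched files; the hostnames are placeholders, not real infrastructure.
"""
import hashlib
from collections import defaultdict


class VariantLedger:
    """Group observations by URL path (the stable part of the pattern) and
    report when the checksum served under that path changes."""

    def __init__(self):
        # path -> list of (timestamp, host, sha1, md5)
        self._seen = defaultdict(list)

    def record(self, timestamp, host, path, payload: bytes):
        """Return (is_new_variant, md5, sha1) for one fetched payload."""
        md5 = hashlib.md5(payload).hexdigest()
        sha1 = hashlib.sha1(payload).hexdigest()
        known = {row[2] for row in self._seen[path]}
        self._seen[path].append((timestamp, host, sha1, md5))
        return sha1 not in known, md5, sha1

    def variants(self, path):
        """Distinct SHA1s seen under `path`, in order of first appearance."""
        out = []
        for _, _, sha1, _ in self._seen[path]:
            if sha1 not in out:
                out.append(sha1)
        return out

    def hosts_for(self, path, sha1):
        """Hosts observed serving a given variant under `path`."""
        return sorted({h for _, h, s, _ in self._seen[path] if s == sha1})


def demo():
    """Constructed observations: the same binary on two hosts, then a rebuild."""
    ledger = VariantLedger()
    build_a = b"constructed sample A"  # stands in for a downloaded executable
    build_b = b"constructed sample B"
    results = [
        ledger.record("2007-08-21T10:00", "host-a.example", "/ecard.exe", build_a)[0],
        ledger.record("2007-08-21T10:05", "host-b.example", "/ecard.exe", build_a)[0],
        ledger.record("2007-08-21T16:00", "host-a.example", "/ecard.exe", build_b)[0],
    ]
    return ledger, results


if __name__ == "__main__":
    ledger, results = demo()
    print("new-variant flags per fetch:", results)
    for sha1 in ledger.variants("/ecard.exe"):
        print(sha1, ledger.hosts_for("/ecard.exe", sha1))
```

Grouping by path rather than by host is the point: the same binary appearing on many IPs is one variant, while a changed checksum under the same path is a new build worth submitting for analysis.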

Let's assess yet another Storm Worm infected PC and reveal yet another campaign called BYDLOSHKA :

01. 75.37.132.98 is using the Q4-06 Roll-up package exploits kit, like all Storm Worm URLs

02. The downloader makes a DNS query to fncarp.com (24.1.243.46), where we have a second offensive obfuscation and the BYDLOSHKA campaign under the following URLs : snlilac.com/ind.php (123.236.116.111) ; eqcorn.com/ind.php (66.24.211.96) ; fncarp.com/ind.php. The downloaders here obtain the actual binaries from a third party (81.9.141.13), creating a fast-flux network.

03. What's interesting, and rather disturbing, is proof that phishers, spammers and malware authors indeed work together, as Storm Worm is also coming in the form of phishing emails where the main objective isn't to steal confidential accounting data, but only to infect the users visiting the site (74.102.159.188)
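The fast-flux behaviour mentioned in step 02 (and defined in the Honeynet quote earlier on this page as public DNS records that change constantly) can be picked out of ordinary resolver logs. The block below is an added example, not code from the original post: a heuristic that, per hostname, counts distinct A records and distinct /16 prefixes seen within a window and checks the TTL. The records, hostnames (.example) and thresholds are all constructed assumptions for illustration.

```python
"""Added example: a fast-flux heuristic over DNS resolution records.

Not code from the original post. The records below are constructed; the
thresholds (5 IPs, 3 /16s, TTL <= 300 s within one hour) are assumptions,
not a published standard.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Resolution:
    seen: datetime  # when the resolver returned this answer
    name: str       # hostname that was queried
    ip: str         # one A record from the answer
    ttl: int        # TTL of that record, in seconds


def prefix16(ip: str) -> str:
    """First two octets of a dotted quad: a cheap stand-in for network diversity."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def flux_report(records, window=timedelta(hours=1), max_ttl=300,
                min_ips=5, min_nets=3):
    """Per hostname: distinct IPs and /16s seen inside `window` of the newest
    answer, the lowest TTL, and a verdict. A name is flagged only when all
    three indicators agree, so round-robin inside one network (a CDN-like
    profile) is not flagged."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    report = {}
    for name, rs in by_name.items():
        newest = max(r.seen for r in rs)
        recent = [r for r in rs if newest - r.seen <= window]
        ips = {r.ip for r in recent}
        nets = {prefix16(r.ip) for r in recent}
        min_ttl = min(r.ttl for r in recent)
        report[name] = {
            "ips": len(ips),
            "nets": len(nets),
            "min_ttl": min_ttl,
            "flux": len(ips) >= min_ips and len(nets) >= min_nets and min_ttl <= max_ttl,
        }
    return report


def constructed_records():
    """Three hostnames with constructed answers (documentation IP ranges)."""
    base = datetime(2007, 9, 5, 12, 0)
    nets = ["192.0.2", "198.51.100", "203.0.113"]
    recs = []
    # flux-like: a different host in a different /16 every five minutes, short TTL
    for i in range(8):
        recs.append(Resolution(base + timedelta(minutes=5 * i), "flux.example",
                               f"{nets[i % 3]}.{10 + i}", 60))
    # stable: one address, long TTL
    for i in range(5):
        recs.append(Resolution(base + timedelta(minutes=5 * i), "stable.example",
                               "192.0.2.50", 3600))
    # round-robin inside one network: short TTL but no network diversity
    for i in range(6):
        recs.append(Resolution(base + timedelta(minutes=5 * i), "roundrobin.example",
                               f"198.51.100.{200 + i % 4}", 60))
    return recs


def demo():
    return flux_report(constructed_records())


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:20} ips={row['ips']} nets={row['nets']} "
              f"min_ttl={row['min_ttl']} flux={row['flux']}")
```

Requiring network diversity as well as IP churn is what keeps legitimate load-balanced services out of the alert; a real deployment would swap the /16 proxy for ASN lookups and tune the thresholds against its own resolver traffic.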

All this leads me to the conclusion that the campaign may in fact be a Russian operation.

Related posts:
Oh boy, more Nuwar tricks!
New Storm Front Moving In
Zhelatin/Storm changes yet again

RATs or Malware?

August 20, 2007
After the Shark 2 DIY Malware got the publicity it deserved as perhaps the most recent, publicly obtainable DIY malware, another DIY RAT has been gaining popularity among the script kiddies crowd for a while. Shark 2's features and capabilities for "killing" anti virus software and tricking sandboxes are far more advanced than this RAT's, no doubt about it. However, what makes an impression in this one is the built-in capability to check the latest server against the most popular anti virus software engines.

Detection rate for the latest builder : Result: 15/32 (46.88%)
File size: 2981888 bytes
MD5: 5683024dbfd73d92c103d2ecc4f98258
SHA1: 34d341df36582906eb5d18e12139478b8772ea64

Detection rate for a previous version of the builder : Result: 9/32 (28.13%)
File size: 2426880 bytes
MD5: 4343eb64b3d4836b5ef49643b3320112
SHA1: beb6bd04d587f4253e5b26e4ba1827c8b200a214

Detection rate for another version of the builder : Result: 23/32 (71.88%)
File size: 4860416 bytes
MD5: 0fef106915b40cf1c0a411a4f5aee4bb
SHA1: a7a1c1bdd388c20964cf54db4607bf650d890562

Detection rate for the first version of the builder : Result: 24/32 (75%)
File size: 2466304 bytes
MD5: 1ee90062bebfe3dd9bbdd9d3c9fc1f6c
SHA1: 2c02b76497dd3bfa00c313e9e4a0bd0d8b2893a6

Another issue that deserves more attention is VT's opt-out feature for not distributing the sample to AV vendors: "If checked, in case the file is suspicious of being malware we will not distribute it to antivirus companies." Any malware authors or script kiddies out there wanting to measure the detection rates for their release, without providing the AVs that don't currently detect it with a sample? Perhaps thousands of them.

The line between RATs and malware is definitely getting thinner these days.

Analyses of Cyber Jihadist Forums and Blogs

August 17, 2007
Where are cyber jihadists linking to, outside their online communities? Which are the most popular file sharing and video hosting services they use to spread propaganda and training material, and to communicate with each other? What are their favorite blogs and international news sources? What does the Internet look like through the eyes of the cyber jihadist? This post provides links to cyber jihadist communities, with the idea of aggregating a decent sample of how cyber jihadists use and abuse the Internet to achieve their objectives. It is based on external URL extraction from over 5,000 web pages directly related to cyber jihadist communities. The snapshot was obtained during the last 7 days, so if you're going to data mine the free online data hosting URLs, do so in a timely manner before they disappear for one reason or another.

Key summary points :

- Over 4,000 external URLs pointing to suicide bombers' videos, propaganda, warfare, bombings, recruitment, torture videos, and numerous other still-unanalyzed cyber jihadist forums and blogs
- Between 500 and 600 web pages per domain were crawled based on their last modified date, namely the most current 500 to 600 posts
- The sample consists of 14 jihadist blogs and forums
- Depending on the online file storage service of choice, files remain online indefinitely if accessed at least once every 30-to-45 days, or until they get removed due to their nature
- Video multimedia is often released in a multi-video-format fashion, and in multi-quality variants with respect to file size
- The crawled external URLs are in .txt format, one full URL per line
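The external URL extraction the summary describes (crawl forum pages, keep only links that leave the site, write them one per line, then see which outside hosts dominate) is shown below as an added example; it is not the crawler used for the post. The two HTML pages are constructed, and every hostname is a .example placeholder rather than one of the communities listed on this page.

```python
"""Added example: extract external URLs from crawled forum pages, one URL per
line, and tally which outside hosts they point to.

Not code from the original post. The two pages below are constructed HTML and
the hostnames are placeholders (.example), not the communities in the post.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect href/src targets from anchors, images, iframes and embeds."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag in ("img", "iframe", "embed") and attrs.get("src"):
            self.targets.append(attrs["src"])


def registered_domain(host):
    """Last two labels of a hostname, so www.forum.example and forum.example
    count as the same site (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def external_urls(page_url, html):
    """Absolute http(s) URLs in `html` whose domain differs from the page's own,
    de-duplicated in document order. mailto:, javascript: and links back to
    the same site are dropped."""
    collector = LinkCollector()
    collector.feed(html)
    own = registered_domain(urlsplit(page_url).hostname or "")
    seen, out = set(), []
    for target in collector.targets:
        full = urljoin(page_url, target)
        parts = urlsplit(full)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if registered_domain(parts.hostname) == own:
            continue
        if full not in seen:
            seen.add(full)
            out.append(full)
    return out


def one_per_line(urls):
    """The .txt layout described in the post: one full URL per line."""
    return "\n".join(urls) + ("\n" if urls else "")


def host_tally(urls):
    """How often each outside domain is linked; the popular hosts float up."""
    return Counter(registered_domain(urlsplit(u).hostname) for u in urls)


# Constructed pages standing in for crawled forum threads.
PAGES = {
    "http://forum-one.example/vb/showthread.php?t=1": (
        '<a href="/vb/member.php?u=3">profile</a>'
        '<a href="http://www.forum-one.example/vb/index.php">home</a>'
        '<a href="mailto:someone@forum-one.example">mail</a>'
        '<a href="http://files-host.example/dl/123">part 1</a>'
        '<a href="http://files-host.example/dl/124">part 2</a>'
        '<img src="http://video-host.example/thumb/9.jpg">'
        '<a href="http://files-host.example/dl/123">part 1 again</a>'
    ),
    "http://forum-two.example/forum/thread-7": (
        '<a href="http://files-host.example/dl/555">mirror</a>'
        '<a href="https://news-site.example/article/1">source</a>'
    ),
}


def demo():
    per_page = {url: external_urls(url, html) for url, html in PAGES.items()}
    combined = [u for urls in per_page.values() for u in urls]
    return per_page, host_tally(combined)


if __name__ == "__main__":
    per_page, tally = demo()
    for page, urls in per_page.items():
        print(f"# {page}\n{one_per_line(urls)}")
    print(tally.most_common())
```

Because hosting services expire files after a period of inactivity (the 30-to-45 day figure above), the tally is the part worth keeping: it tells you which hosts to fetch from first while the material is still there.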

You are what you link to, so let's assess the "tip of the iceberg" cyber jihadist communities online :


Dates : Created 20-nov-2003; Updated 15-jun-2007; Expires 20-nov-2007
DNS Servers : SERVER.3ASFH.NET; SERVER1.3ASFH.NET
External URLs : 3asfh.net_vb.txt

Dates : Created 16-aug-200; Updated 16-aug-2006; Expires 16-aug-2011
DNS Servers : NS2.MYDYNDNS.ORG; NS1.MYDYNDNS.ORG; NS3.MYDYNDNS.ORG
External URLs : alsayf.com_forum.txt

Dates : Created 01-dec-2002; Updated 13-mar-2007; Expires 01-dec-2008
DNS Servers : NS1.EGYHOSTING.COM; NS2.EGYHOSTING.COM; NS1.EGYWWW.COM; NS2.EGYWWW.COM
External URLs : egysite.com_al2nsar.txt

Dates : Domain created on 2006-09-15 00:08:38; Domain last updated on 2006-09-15 00:08:39
DNS Servers : ns11.uae-dns.com; ns12.uae-dns.com
External URLs : elshouraa.ws_vb.txt

Dates : Created 25-oct-2000; Updated 21-jul-2007; Expires 25-oct-2007
DNS Servers : NS1.MUSLM.NET; NS2.MUSLM.NET
External URLs : muslm.net_vb.txt

06. URL : http://w-n-n.net/ - DOWN as of yesterday, best sample
Dates : Creation Date: 16-feb-2006; Updated Date: 13-aug-2007; Expiration Date: 16-feb-2009
DNS Servers : A.NS.JOKER.COM; B.NS.JOKER.COM; C.NS.JOKER.COM
External URLs : w-n-n.net.txt

Dates : Created 28-feb-2006; Updated 10-mar-2007; Expires 28-feb-2008
DNS Servers : NS1.BRAVEHOST.COM; NS2.BRAVEHOST.COM
External URLs : minbar-sos.com.txt

08. URL - Radical Muslim
External URLs

10. URL
External URLs

11. URL
External URLs

12. URL
External URLs

13. URL
External URLs

14. URL
External URLs

Now, it's up to your data mining and crawling capabilities.

Related posts:
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Internet PSYOPS - Psychological Operations
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Sampling Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications