Localizing Open Source Malware

0
September 26, 2007
Can you find the differences in this piece of malware compared to the previous open source one I covered recently? Besides its localization to Chinese there aren't any, and this development clearly demonstrates the dynamics of the malware scene. A common Web 2.0 mentality is that the more people use the service, the better it gets, a mode of thinking we could see applied in the case of open source malware, and malware as a web service. Once the source code becomes publicly obtainable, it's not just new features and modules that get introduced, but also, the malware starts using the Web as a platform. In fact, some of the most popular open source malware codes are successfully building communities around their open source nature, thus, attracting "malicious innovation" on behalf of third-party coders. Should we therefore make a distinction between a malware author, and a malware module coder? Continue reading →

The Dark Web and Cyber Jihad

0
September 24, 2007
It's interesting to monitor the use and abuse of the buzz word "Dark Web". This press release for instance, tries to imply that the crawlers are actually crawling the Dark Web and analyzing cyber jihadist activities, a bit of an awkward statement given what the Dark Web is at the bottom line - a web that is closed for web crawlers either thought standard measures, or authentication :

"This is where the Dark Web project comes in. Using advanced techniques such as Web spidering, link analysis, content analysis, authorship analysis, sentiment analysis and multimedia analysis, Chen and his team can find, catalogue and analyze extremist activities online. According to Chen, scenarios involving vast amounts of information and data points are ideal challenges for computational scientists, who use the power of advanced computers and applications to find patterns and connections where humans can not. One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating 'anonymous' content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past. The system can then alert analysts when the same author produces new content, as well as where on the Internet the content is being copied, linked to or discussed."

I've blogged about this AI project over an year ago, and have been following it ever since while experimenting with link and multimedia analysis of cyber jihadist communities before they were shut down. And while the innovations they've introduced for this period are impressive in terms of drawing social networking maps, the Dark Web's very principle, namely that it's authentication only Web, meaning it's closed for spiders, even human based researchers thought basic invite only or password authentication methods will prompt researchers to adapt in the long-term. Many of the cyber jihadist forums I didn't include in my last external links extraction were great examples of the dark cyber jihadist web, knowing where you crawl doesn't mean there'll be anything publicly available to crawl, and the trend is just starting to emerge. Such VIP clubs represent closed communities where more efforts should be put in taking a peek, thus it's ruining previous efficiency centered approaches of analyzing cyber jihadist communities. The alternatives remain rather contradictive but fully realistic - infecting terrorist suspects with malware, embedding malware within cyber jihadist communities, or unethically pen-testing the cyber jihadist communities to have the AI analyze the data obtained from the closed community, thus the Dark Web, at a later stage.

Meanwhile, after having the Global Islamic Media Front's online presence limited to the minimum, GIMF is making it in the mainstream media :

"On sites easily traceable via search engines, the German-language arm of the "Global Islamic Media Front" (GIMF) appeals for volunteer translators, inviting them to reply to a Hotmail address, and posts links to dozens of al Qaeda videos. "After some brothers and sisters were arrested (may Allah free them) and the Forum and blog of the GIMF were removed, we say this: the GIMF still exists and will continue its work," a statement from the front says. "To the Kuffar (infidels) who try to fight us, we say: you can do what you like, make as many arrests as you like...you will not reach your goal. We will always keep going until we achieve victory or martyrdom."The re-emergence of the GIMF in German highlights the difficulty for authorities of shutting down radical Islamist Web sites, which often simply spring up at new addresses."

Easily traceable mainly because they're not behind the Dark Web, at least not for now. Currently active GIMF URLs :

gimf.12gbfree.com
gimf.22web.net
gimf.cjb.net
gimfupload.blogspot.com with two redirectors gimfupload.notlong.com ; gimfupload.2ya.com

Despite that there're still literally hundreds of cyber jihadist forums and sites, quantity is not always equal to quality, namely, only a few of these will achieve success and mature into potentially dangerous communities. In the long term, however, once the "tip of the iceberg" communities dissapear, efficiency from the cyber jihadists will get sacrificed for improved OPSEC, namely they'll start operating behind the true Dark Web, making them more difficult and time-consuming to assess, track down, and shut down.

UPDATE: Inshallahshaheed (GIMF) has a new home. Continue reading →

The Truth Serum - Have a Drink!

0
September 21, 2007
Which security vendor would you rather choose if you were to ignore your current Return on Security Investment model? The one telling you "everything's under control" , that "malicious attackers are loosing creativity and cannot bypass our security solutions", or the one who's attitude is "our solutions fully demonstrate marginal thinking in respect to fighting cyber threats, namely, they mitigate certain risks and limit the probability for a security incident, but do not and cannot provide 100% security"?

Basic human psychology and purchasing habits would stick to the first one, the one pretending to offer 100% security -- something even a condom cannot offer yet everyone's thankfully using them. Even worse, which is falling victim into the myopia that the market leader, or the company with the highest brand equity is actually the one worth doing business with. As it appears, McAfee CEO David DeWalt had a drink from the truth serum before InformationWeek's 500 Conference in order to comment that "We're in inning two of a nine-inning game here" in respect to how cyber threats often outpace security measures. Moreover, an year ago I commented on a Gartner analyst's statement that security is all about percentage of budget allocation, and therefore the more you spend the more secure you get, among the most common myopias nowadays. Now, Gartner vice-president John Pescatore is wisely insisting that companies spend less on IT security, and given how when Gartner sneezes the whole industry gets cold, it's a step in the right direction - debunking common security myopias.

In a world dominated by perimeter defense solutions, being a visionary realist is an objective luxury. Continue reading →

DIY Phishing Kit Goes 2.0

0
September 20, 2007
With the release of the second version of the DIY phishing kit that I covered in a previous post, next to commentary on another one and a DIY pharming tool, the timeframe for creating a phishing page just got shorter than it used to be before. Moreover, the phishing ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the number of phishing campaigns in the wild outpaces the possibilities for timely shutting them down. Even worse, phishers do not seem to be interested in re-inventing the wheel, and having to create a new phishing page for any site or service, instead, such phishing pages are now a commodity, and with the ecosystem itself clearly cooperating with malware authors, you end up in a situation where a malware infected host is not just hosting malware for the next victim to get infected, running multiple DNS servers, sending out spam and phishing emails, but also, hosting the phishing pages themselves.

Amateur phishers do not put efforts into ensuring the quality and the lifetime of their phishing campaigns, and you can clearly recognize such amateur campaign by visiting the phishing URL you've just received to figure out it's already down. The more sophisticated phishers, however, are not just efficiency-obsessed, but also, take advantage of typosquatting and basic segmentation approaches, for instance, acquiring a Russian email database to use as the foundation for a WebMoney phishing campaign, and a U.S one for a PayPal one. Moreover, sophisticated phishers also put more efforts and invest more time into personalizing the emails and in rare cases, the phishing pages themsleves, that's of course in between localizing the campaign by having it translated into the local language of the country for which the emails database belongs to, thus improving the chances of the campaign. This is yet another disturbing trend worth commenting on - malware is maturing into a services centered economy, and so is the case with spamming and phishing, a logical development with the commodization of what used to very exclusive tools.

What are the major improvements in the new version? In the first one, the phisher had to manually paste the source code of the real page, have the kit automatically redirect the data to a third party URL, and also manually fix the image locations to ensure that they will load properly. In the second version, there're POST and GET commands available so that the source code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all the images within the login page can get easily integrated within the phishing page about to get generated. Getting back to differentiating the amateur from sophisticated phishers, the second have more resources at their disposal and better confidence in their hosting provider so that compared to loading the images from the original site, they're hosting them locally. This kit will inevitably continue to evolve, wish it was proportionally with the end user's understanding of how to protect against "push" phishing attacks though.

Related posts:
Taking Down Phishing Sites - A Business Model?
Continue reading →

Custom DDoS Capabilities Within a Malware

0
September 19, 2007
DDoS capabilities within a malware are nothing new and are in fact becoming a commodity feature, but compared to the average DDoS-ers with up to two different DoS attack approaches, or the types of malware with hardcoded IPs to be attacked, there's a disturbing trend to diversify the DoS techniques used as much as possible to improve the chances of a successful attack, let's not mention the allocation of automatic self-defensive DDoS back at curious parties due to the oversupply of infected hosts. As you can see in this particular malware -- high detection rate -- the DDoS variables within are not only diverse enough to cause a lot of damage, but also, simultaneous combinations are also possible.

Now comes the digitally ugly part. Open source malware results in many different variants with a huge variety of new modules and options implemented within, even worse, the software client can indeed mature into a web based malware C&C like the ones we've been seeing since the beginning of 2007. And this is exactly what happened with this open source malware - a Chinese hacking team is currently offering a Web builder for sale, making it possible to integrate the malware on the Web in a typical do-it-yourself fashion. What types of attacks are included anyway :

- ICMP/SYN/TCP and UDP flooding
- HTTP no-cache, GET flooding
- CC variety
- GAME, CIDR, Hybrid flooding capabilities

The Black Sun bot, the Cyber bot, MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker, are all Web based malware platforms and were originally released as such compared to the Web adaption of this one.
Continue reading →

Two Cyber Jihadist Blogs Now Offline

0
September 19, 2007
Jihad Fields are Calling and The Ignored Puzzle of Knowledge are down, apparently the authors themselves decided to delete them compared to Wordpress shutting down the Global Islamic Media Front like it happened before. Ensuring that these "tip of the iceberg" cyber jihadist communities stay offline has a long-term PSYOPS effect on future wannabe cyber jihadists wanting to operate such communities, ones where talkers eventually turn into doers. Continue reading →

A Chinese Malware Downloader in the Wild

0
September 17, 2007
This is an example of a recently released in the wild DIY downloader with rather average features such as the ability for the malware author to choose multiple locations of the files to be "dropped", as well as the time interval to check for the newly distributed binaries. The high detection rate of the downloader itself -- Result: 23/32 (71.88%) -- is not the main point I'd like to emphasize on, but rather that compared to the majority of downloaders courtesy of Russian malware authors I come across to occasionally, this is a Chinese one. China is often blamed to be the country hosting the highest percentage of malware in the world, however, China is also the country with highest percentage of infected PCs, and as we've seen with Storm Worm an infected host starts acting as both infection and propagation vector for the malware in question. As in any other local malware market, DIY tools get released so that script kiddies can generate enough noise to keep the more sophisticated malware campaigns running behind the curtains. Continue reading →

PayPal and Ebay Phishing Domains

0
September 17, 2007
As I needed another benchmark for a creative typosquatting next to my best finding of this World of Warcraft domain scam, I stumbled upon the following list of domains, where the most creative domain squatting is done solely for the purpose of including the domains within a typical phishing scam URL structure. Some of the domains are actual Rock Phish ones that are currently hosting live phishing campaigns :

paypal-online-account.com
paypal-user-update.com
paypal-support1.com
paypal-account-protection.com
paypal1-login.com
paypal-accounts-update.com

Some "creative" ones to be abused :

paypal-aspx.com
paypal-cgi3.info
paypal-cmd.com
paypal-comlwebscrc-login-run.com
paypal-confirmation-id-0746795.com

And since PayPal is actually EBay after the acqusition, here're some "creative" Ebay domain scams as well :

ebay-com-isapidll.com
ebayisapidll-cgi.com
ebayisapidllaw2.com
ebayisapidllu.com

Authentication itself seems to be a priority as the customer must possess a tangible proof that her transactions' security is somehow enhanced by a layered authentication, no doubt about it. But with phishers actively using a "push" model that is starting to visually social engineer the customers by registering domains imitating PayPal and EBay's web application structure, authentication itself shouldn't be a priority number one the way it is for the time being as phishers are not even trying to bypass it.

Stats courtesy of the Anti-Phishing Working Group. Continue reading →

Storm Worm's DDoS Attitude - Part Two

0
September 17, 2007
After commenting on Storm Worm's logical connection with the recent DDoS attacks against anti-scam web sites, SecureWorks timely released details of what actions could trigger a DDoS attack from Storm back at the researcher's host and what type of DDoS attacks are launched exactly :

"The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular."

To me, this tactic is more of a "hey our situational awareness on your actions to shut us down is fairly food enough" type of statement, but why would the botnet masters risk exposing infected hosts compared to the opportunity to have them act like nothing's in fact wrong with them? Mainly because if infected hosts were a scarce resource perhaps they would, but in Storm Worm's case the oversupply of infected hosts is allowing them to dedicate resources for automatic self-defensive DDoS. Continue reading →

U.S Consulate St. Petersburg Serving Malware

0
September 14, 2007
If that's not a pattern and good timing, it's a malicious anomaly. On the 31 of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is possible as they're still reachable. It's still unknown for long the IFRAMEs remain embedded at the Consulate's web site, as well as when were they cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India's malware attack. It's also worth mentioning that compared to the most recent malware embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME itself is obfuscated but the live exploit URL isn't.

Tipped by a third-party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details at their blog :

"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."

We could greatly expand those as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php which is exploiting a modified MDAC, and aims to execute the following binary Virus.Win32.Zapchast.DA :

Detection rate : Result: 6/32 (18.75%)
AntiVir 2007.09.14 DR/Delphi.Gen
AVG 2007.09.14 Obfustat.NPJ
eSafe 2007.09.13 Suspicious Trojan/Worm
Ikarus 2007.09.14 Virus.Win32.Zapchast.DA
VirusBuster 2007.09.13 Trojan.Agent.JVF
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen

File size: 28672 bytes
MD5: a25ad0045d195016690b299bfb8b75d1
SHA1: ab219c50b0adc84f702c696797e81411b6eab596

Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend since IFRAME-ing to a secondary domain taking advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, and Google themselves warning you that "this site may harm your computer", and so they ought to win time. Moreover, such obfuscations are making it harder to assess how many sites and which ones exactly were victims of the attack in an OSINT manner. It gets even more interesting, the IP hosting verymonkey.com was historically used to host banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.
Continue reading →

209 Host Locked

0
September 12, 2007
Ever came across this fake error message? A "209 Host Locked" message on a fraudulent domain is the default indication that you're on a Rock Phish domain, that is a single domain hosting multiple phishing campaigns aimed at different financial institutions. And as more Royal Bank of Scotland phishing emails are cirtulating in the wild, these very same emails pointed me to a Chinese Rock Phish campaign which was shut down as of yesterday. What is different in this campaign, compared to the previous one? The phishers put more efforts into ensuring the phishing email gets through spam filters by using spacing, adding _ in front of random words, as well as the usual garbage content at the end of the email. All the URLs within the campaign are already in the Phishtank, DSLreports.com's wisdom of the anti-phishers crowd continues exposing Rock Phish domains on a daily basis, an effort worth keeping track of.

The Rock Phish Kit is the logical evolution from DIY phishing kits like the one I've already blogged about, however, both concepts are not mutually exclusive but apparently tend to work together. The DIY phishing kits on their part are largely used in the planning stage of the phishing campaign, that is, fake sites get generated and the data obtained forwarded to a single place, which is where Rock Phish starts getting used, namely, in the execution stage, where all the phishing pages generated get hosted on a single domain. Phishing efficiency vs Rock Phish's weakness due to centralization of numerous campaigns on a single domain - it's the phishers' trade-off. Within the phishing ecosystem, there's are numerous approaches phishers tend to use to achieve maximum efficiency, ones I've already discussed in a previous post. The most prolific problem to me remains phishing 1.0's "push" model that is still remarkably successful compared to the more advanced man in the middle phishing attacks and pharming. From my perspective, if a financial institution really wants to protect its customers from phishing scams, it would first segment the threat, evaluate its customer's perception of it and current level of awareness, and then start an educational campaign aiming to not teach them how to recognize whether a site is a phish or not, but how to report and ignore the "push" models emails that arrive in their mailboxes. From another rather pragmatic perspective, phishers don't just load images for their phish emails from the company's website, but also the majority of phishing emails redirect to the real web site after the data was submitted - an early warning system by itself. Continue reading →

Storm Worm's DDoS Attitude

0
September 11, 2007
Stage one - infect as many end users with high speed Internet access as possible through the use of client side vulnerabilities. Stage two - ensure the longest possible lifecycle for the malware campaign by having the newly released binaries hosted at the infected PCs themselves. Stage three - take advantage of fast-flux networks to make it harder to shut down the entire botnet. And stage four - strike back at any security researcher or vendor playing around with Storm Worm's fast-flux network or somehow messing up with the malicious economies of scale on a worldwide basis. On Friday I received an email from Susan Williams at aa419.org, and as it looks like several other anti-fraud sites are getting DDoS-ed too :

"On September 2 2007, online scammers began an automated DDoS attack against aa419.org, with the goal of shutting down the anti-fraud site. For some time, aa419 was able to filter the worldwide botnet's attacks by monitoring connections and only allowing legitimate visitors to access thesite. However, by September 5 the hoster was being overwhelmed with nearly 400 GB of incoming requests every hour. Rather than let their infrastructure melt under the onslaught, the server is currently offline. This massive distributed denial of service (DDoS) attack was inspired by aa419.org's mission to blacklist and shut down scam web sites. Since 2004, the all-volunteer organization has recorded more than 18,000 such sites. In addition to publicly warning potential victims of fraud, they work with hosters and registrars to take scam web sites offline quickly, with a success rate of over 97% shut down. Susan Williams, press officer for aa419.org, said, "On the whole, we're positive about this. Not that we enjoy being offline; quite the opposite. But being attacked with a botnet of this magnitude tells us that we are doing serious damage to the organized crime networks that run these scams." Internet crime is increasing at record rates, and aa419.org is at the forefront of the fight against it. "We will continue our work regardless of how many criminals are annoyed by it," Williams said."

Castlecops comments on the DDoS taking place at the site too :

"This newest ddos round started about a week ago and knocked us offline for a couple hours while we figured out what was going on. And we're still under attack, so if the site is a bit slower, you know why. Odd month really, lots of sites, lots of sites, are under ddos. We've got over 10k bots attacking us with more being added daily."

As a friend recently pointed out - you ain't making a difference until you start getting DDoS-ed.

Cartoon courtesy of Joyoftech.com, here're more courtesy of myself.

Related posts:
The War against botnets and DDoS attacks
Emerging DDoS Attack Trends
DDoS On Demand vs DDoS Extortion Continue reading →

Google Hacking for MPacks, Zunkers and WebAttackers

0
September 10, 2007
If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to random directory and filename, wouldn't they? Apparently, a default deny:all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

The following are IPs and domain names currently or historically used to host MPack, WebAttacker and Zunker control panels, as well as live exploit URLs within the packs. Some are down, others are still accessible, the rest are publicly cached. If index.php doesn't exist, admin.php or zu.php act as the default admin panel.

MPack Malware Campaigns :

wmigra.org/mpack/index.php
64.62.137.149/~edit/
81.95.145.240/logo/
81.95.150.42/MPack091cbt/index.php
brbody.info/mpack/index.php
innaidina.info/mpack/index.php
rallyesimages.ch/liens/test/
sol.h18.ru/mpack/index.php
81.95.145.240/logo/
icqmir.iplot.ru/mpack/index.php
cordon.ru/mp/
havephun.org/mpack/index.php
xbr.ru/images/old/mpack/index.php
evil-x.org/spk2/
tyt-menia.net/mpack/index.php
rufat.info/mpack/index.php
iwiw-hosting.com/upload/
stepbystepbg.org/img/
mydulichusa.com/mpack/index.php
csextra.wz.cz/weapons/mpack/index.php
d34thnation.com/mpack/index.php
mp3fans.org/mpack084/
innaidina.info/mpack/

WebAttacker's Hosts :

secondsite2.com/cgi-bin/ie0604.cgi
lsdman.info/cgi-bin/ie0604.cgi?bug=MS05-001&SP1
telecarrier.es/cgi-bin/ie0604.cgi
stmare.info/cgi-bin/ie0604.cgi
redcrossonline.cn/cgi-bin/ie0604.cgi

Zunker's C&C :

66.148.74.7/zu/
bundeswehrzentrale.org
skilltests.org/zu/zc.php
zup.secondsite1.com/zu/index.php
stat1.realstatscollect.com/zu/
webcounterstat.info/zu/

I also find it very interesting to see VeriSign publicly admitting of hacking into the hosts behind the malware kits -- the Russian Business Network in this case -- to assess the damages done in the form of number of infected PCs and with what exactly :

"When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth."

Unethical penetration testing of malicious hosts to assess the damages by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints, instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign, just consider for instance that Russian Business Network's IPs were behind the Massive Embedded Web Attack in Italy that took place in June, 2007, and the most recent Bank of India breach as well. Continue reading →

Popular Web Malware Exploitation Techniques

0
September 10, 2007
Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Obviously the lack of this popular in the past prerequisite for a successful client side vulnerability exploitation, is no longer needed, but how come? Rather simple and that's the disturbing part - malicious parties stopped falling victims into the common perception that the end user is so fully patched, that zero day vulnerabilities are needed to break thought his thought to be complex use of security measures, instead, whether an event-study or plain simple common sense on their part, they've realized that an unpatched and obfuscated vulnerability is just as dangerous as a zero day, and the results have been evident ever since.

Going through the screenshots of the infected population of a certain malware kit, you can clearly see the diversity of the outdated vulnerabilities used. Multi-browser vulnerabilities IFRAME-ed all-in-one to achive the highest possible efficiency rate as there's a slight chance a visitor will return to a site they've managed to embedd the malware at, twice. The success of the these kits therefore has nothing to do with malicious innovations, but rather a successful tactical warfare against reactive security response. If perimeter defense cannot be breached, it will get either ignored or bypassed, precisely why client side vulnerabilities are back in the game with full speed.

Evidence showcasing this KISS (Keep it Simple Stupid) principle :

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular malware kit is taking advantage of outdated vulnerabilities, whether obfuscated or not depends on the pack's version and the malicious party's understanding of the concept

- The Massive Embedded Web Attack in Italy was using MPack's outdated arsenal of obfuscated vulnerabilities and despite that it achieved its objectives and infected thousands of hosts

- The recent Bank of India breach was using a modified version of the popular malware kits mentioned above, in between syndicating the hack with another campaign using a multi-IFRAME-ing techniques, again taking advantage of outdated vulnerabilities

- Storm Worm's success is mostly due to the fact that the end user is still living in the "malicious attachment" world, and so outdated vulnerabilities are again successfully used again her

Exploit Prevention Labs's recent stats on common vulnerabilities used as an infection vector can come very handy in terms of demonstrating the mass use of these malware kits. The bottom line is that their modularity combined with features and add-ons for them available either though a purchase or on demand, is an emerging trend by itself, one whether you cannot tell is it a script kiddie or sophisticated malicious party you're dealing with. And even if it's the second, the KISS principle has its own ugly applicability in the malware world. Continue reading →

Infecting Terrorist Suspects with Malware

0
September 06, 2007
As we've already seen in the past, cyber jihadists, thus wannabe terrorists, use commercial anti virus, anti spyware and anonymity software. Therefore, if law enforcement starts benchmarking its creations against the most popular anti virus software, and purchasing private malware crypters to obfuscate the binaries, who would security vendors be protecting you from - law enforcement, or Yuri and Andrei, the fictional characters of two botnet masters? The practice is nothing new when it comes to intelligence gathering and the concept of OSINT through malware for instance. What's new is its applicability to law enforcement, which in a combination with bureaucracy could mean a law in a typical Chinese anti-censorship enforcement, that would oblige security vendors in the coutry to ignore the malware if they want to continue doing business there. Could we perhaps also witness a collective bargaining effort from security vendors not to do this, given the interest of using malware against potential suspects, a largely open topic by itself? Germany floats Trojan for terror suspects :

"Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk undermining trust in their software, as similar experience in the US has shown. Once the malware gets into circulation there's no guarantee it won't be turned against innocent users. The whole concept is loaded with irony. For one thing, German government computers, like those in the UK before them, are currently under targeted Trojan assault."

Targeted mailings to potential terrorists wouldn't work as effective as embedding IFRAMES within the cyber jihadist communities, and in the future, we may also see anti-terrorist malware kits courtesy of an unknown government that's purchasing or bidding for zero day browser vulnerabilities or anti virus software ones, in order to infect potential terrorists by bypassing their security solutions in place. Continue reading →

Examples of Search Engine Spam

0
September 05, 2007
Perhaps I should say an example of a 50/50 black hat SEO, as Google's not listing the first, but has already crawled the second -cashhomes.info/content ; mydream-condos.info/content. While assesing the first link farm I found out that on average, 263 pages have exactly 6411 outside links in them, 24.3 links per page. Pretty much the same case with the second one. Owning hundreds of domains like these and feeding them with garbage content in between syndicating ads can undermine a search engine's credibility if the black hat SEO operation starts appearing at the top results, and as we've already seen, both black hat SEO and paid keywords advertising can lead to malware embedded sites. Continue reading →

Storm Worm's Fast Flux Networks

0
September 05, 2007
Following my previous posts on "Storm Worm Malware Back in the Game" and "Storm Worm's use of Dropped Domains", here are some handy graphs of Storm Worm's use of fast-flux networks generated during the last several hours, acting as great examples of how diverse malware C&C has become.

- bnably.com

Domain servers in listed order:
ns13.bnably.com
ns12.bnably.com
ns11.bnably.com
ns10.bnably.com
ns9.bnably.com
ns8.bnably.com
ns7.bnably.com
ns6.bnably.com
ns5.bnably.com
ns4.bnably.com
ns3.bnably.com
ns2.bnably.com


- wxtaste.com

Domain servers in listed order:
ns13.wxtaste.com
ns12.wxtaste.com
ns11.wxtaste.com
ns10.wxtaste.com
ns9.wxtaste.com
ns8.wxtaste.com
ns7.wxtaste.com
ns6.wxtaste.com
ns5.wxtaste.com
ns4.wxtaste.com
ns3.wxtaste.com
ns2.wxtaste.com


- snbane.com

Domain servers in listed order:
ns13.snbane.com
ns12.snbane.com
ns11.snbane.com
ns10.snbane.com
ns9.snbane.com
ns8.snbane.com
ns7.snbane.com
ns6.snbane.com
ns5.snbane.com
ns4.snbane.com
ns3.snbane.com
ns2.snbane.com

- tibeam.com
Domain servers in listed order:
ns13.tibeam.com
ns12.tibeam.com
ns11.tibeam.com
ns10.tibeam.com
ns9.tibeam.com
ns8.tibeam.com
ns7.tibeam.com
ns6.tibeam.com
ns5.tibeam.com
ns4.tibeam.com
ns3.tibeam.com
ns2.tibeam.com


- eqcorn.com

Domain servers in listed order:
ns10.eqcorn.com
ns11.eqcorn.com
ns12.eqcorn.com
ns13.eqcorn.com
ns2.eqcorn.com
ns3.eqcorn.com
ns4.eqcorn.com
ns5.eqcorn.com
ns6.eqcorn.com
ns7.eqcorn.com
ns8.eqcorn.com
ns9.eqcorn.com

The Honeynet Project & Research Alliance defines a fast-flux network as :

"Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations."

In Storm Worm's case, we have an example of fast-fluxing dropped domains, and if you research a little further, you'll see that newly infected Storm Worm hosts shown in this particular moment of the fast-flux are already sending out spam.
Continue reading →

Login Details for Foreign Embassies in the Wild

0
September 04, 2007
Login details for international embassies have been in the wild since August 30th in a full disclosure style :

"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"

The researcher's main motivation behind releasing these is that there's no point in contacting the email owners directly as no one would take his emails seriously enought and change them, so by going full disclosure it would prompt the embassies in question to change the passwords. Dan Egerstad may be quite right, at least on the passwords changing issue. Could these email accounts be accessed globally and if yes why? For instance, could Uzbekistan's embassy in London successfully login into Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes for flexibility? If yes, there're way too many ways this data could have been obtained. While going through the accounting data, we could both confirm that best practices for strong passwords are place at some embassies, and also question the lack of such best practices at certain ones, a security measure that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging and sniffing.

Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on a embassy-to-embassy basis, the way we've seen it happen before.
Continue reading →

DIY Exploits Embedding Tools - a Retrospective

0
September 04, 2007
Great analysis by the Spywareguide folks -- Chris Boyd and Peter Jayaraj in this assessment -- especially my deja vu moment with the King's IE Exploiter tool which I intented to cover in an upcoming post, in a combination with a brief retrospective of exploit and malware embedding tools that were empowering entire generations of script kiddies during the last couple of years. These tools are a great example of what the DIY trend used to look like before malicious economies of scale were embraced in the form of today's modular and efficiency-centered malware kits we're aware of.

-- The IE Exploiter v1.0/2.0

The tool is first know to have emerged back in 2002, with its latest version released in 2004. It was first branded as the "Fearless IE Exploiter" and then returned back to it's original name. Description of the v1.0 : "Fearless IE Exploiter allows you to embed executable files into HTML documents, that when viewed in an unpatched version of Internet Explorer 5.* will automatically download and execute the .exe". And the description of v2.0 : "IE Exploiter v2 is a very simple tool that creates a HTML file with an embedded executable file. Once the HTML file is viewed the executable file will overwrite notepad.exe on the target system and then execute it using the view-source: prefix."

Result: 22/32 (68.75%)
File size: 149359 bytes
MD5: 315cd35aa5a0334697832e83fac7b0dc
SHA1: 71a7929f7781d969a63e532cd8cd877940a2ca12

-- King's IE Exploiter

King's IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Despite that the malware embedded sites generated on-the-fly come totally unobfuscated, we will yet wait and see the eventual release of such feature.

Result: 6/32 (18.75%)
File size: 253440 bytes
MD5: e6052d3abf95429fd761feef0a695470
SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35

-- Zephyrus

Again relased around 2004, the description reads : "Its a prove of concept tool to generate a Stench MediaPlayer Exploit file more infos about stench can be found here http://malware.com or at here AVP calls it exploit.win32.zephyrus"

Result: 30/32 (93.75%)

-- God's Will

The description reads : "A GODMESSAGE page is an HTML page that works with an ACTIVEX bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our godmessaged page he downloads an HTA file in his STARTUP FOLDER.'

Result: 32/32 (100%)

-- Ed Html Infector

The description of the tool circa 2004 reads : "Ed HTML Infector is a very simple tool that creates HTML file with an embedded executable file within."

Result: 14/32 (43.75%)
File size: 118784 bytes
MD5: 94c642903318f89d410c64d46f2047aa
SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c
Continue reading →

Spammers and Phishers Breaking CAPTCHAs

0
September 03, 2007
The emergence of CAPTCHA based authentication was a logical move in the fight against automated brute forcing of login details, registrations, spamming and sploging in the form of comments and splogs registration. And consequently, spammers, phishers and malware authors started figuring out how to automatically achieve their objectives, by either breaking or adapting to a certain CAPTCHA, and even more pragmatic - outsourcing the request to a third-party.

Two months ago, there were news stories on how spammers and phishers feeling the pressure put on them by anti spam vendors, have supposedly broken Hotmail and Yahoo's CAPTCHA. Nothing is impossible, the impossible just takes a little longer, what's important is discussing the many other perspectives related to adapting to a CAPTCHA, directly breaking it, or entirely ignoring it.


In the first example you can see an automatic CAPTCHA recognition at a Russian email provider. What the script is doing is basically syndicating proxies, ensuring they work, and starting the mass registration process while providing confirmation or error results in between. The CAPTCHA in question is indeed primitive, but the email provider's clear IP reputation and launch pads for spam, phishing and malware is what the malicious parties are really interested in. Once the CAPTCHA becomes easily recognizable, the entire process of logging in and sending the malicious content can also be fully automated.

In the second example you can see a great example of the adaptation process. The CAPTCHA cannot be efficiently abused we we've seen with the first case, but instead of putting efforts into breaking it directly, the malicious parties are simply adapting. Once proxies get syndicated and verified for connectivity, a request for the number of accounts to be registered is initiated, the script then responds with automatically generated logins, and presents the CAPTCHA to be manually entered by the malicious party. Malicious economies of scale in action, despite that the CAPTCHA cannot be broken, the process is still partly automated, another example of marginal thinking applied in order to achive an objective.

Sample CAPTCHA breaking project requests :

- "I need a captcha breaker that can break captchas that are of the same style i will upload here.I will want a c++ dll that recieves a file path and returns a char* with the content of the picture (letters and numbers)"

- "The program needs to take a myspace captcha image and determine what the text says in the image. The accuracy needs to be 80%+"

- "We are an expert group for inputing captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writting your spiders or other softwares to get and manage all the captchas."

Some are purely malicious, others aim to verify the security of a CAPTCHA in development for instance. Let's summarize - Why are malicious parties interested in defeating CAPTCHA's at popular sites?

- take advantage of the clear IP reputation of the email service in order to improve the chance of having their phishing/spam/malware email successfully received

- set the foundations for a large scale automated spamming/phishing operations by using legitimate email addresses, thus improving their chances of not getting filtered

- automated registration of splogs -- spam blogs

- as search engines are starting to crawl sites submitted at the most popular social networks in real time, spammers or malware authors are naturally interested in abusing this development to timely attract huge
audiences at their splogs who often have malware embedded within

What are malicious parties doing to achieve efficiency despite their inability to defeat an advanced CAPTCHA?

- humans entering the CAPTCHAs while the script is auto generating, storing and auto logging with the passwords in a combinated with the human entered CAPTCHA

- adapting compared to putting more efforts into rocket science as whenever a CAPTCHA cannot be beated automatically, as you already saw on the second screenshot, they're making it easier for humans to enter the CAPTCHA and faster compared to an end user browsing

- outsourcing making it sound it's more of a quality assurance project of CAPTCHA to be introduced on the market

What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be in place by default, but taking another perspective, the way I discussed how click fraud could be easily detected by advertising networks syndicating IPs of already known to be malware infected hosts, in this very same fashion we could have CAPTCHA system that would check to see if, for instance, default proxy ports are opened at the host trying to register, and whether or not they're part of a botnet. With data like this now a commodity, a prioritization process to closely monitor mass registrations from these IPs is a pragmatic early warning system.
Interesting reading on the big picture too - CAPTCHA - The Broken Token :

"How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to do the trick; certainly no more than $50. But the cost isn’t the point. What’s more alarming is that thousands upon thousands of site owners are depending upon flawed technology to protect their sites from spam even though they know, or at least should know, that it’s only a matter of time until some spam robot shows up and starts hammering away at those worthless little images."

The irony regarding CAPTCHAs are how less popular sites compared to the Web 2.0 darlings often have a more sophisticted CAPTCHA compared to the most widely used web sites.

Related links:
Continue reading →
Subscribe to: Comments (Atom)