Compromised Sites Serving Malware and Spam

Wish it was the average .cn domain I'm referring to, in this case it's the web sites of three U.S towns, namely the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts, who are the latest victims of embedded malware and blackhat SEO injected within their juicy from a blackhat SEO perspective .gov tld extensions.

Apparently, malicious parties managed to compromise City of Chetek's official site and created several subdomains with URLs consisting of spam redirecting to the downloader's page :

st-3.x.cityofchetek-wi.gov/porn/st3/502.html
st-3.x.cityofchetek-wi.gov/porn/st3/537.html
st-2.x.cityofchetek-wi.gov/porn/st2/322.html
2k.x.cityofchetek-wi.gov/porn/2k-003/1618.html
st-2.x.cityofchetek-wi.gov/porn/st2/409.html

The following URLs redirect to the downloader : freeclipoftheday.com/movie1.php?id=4154&n=teens&border=FFFFFF&bgcolor=000000

Detection rate : Result: 9/32 (28.13%)
File size: 75771 bytes
MD5: a74b09c7e6ca828ec0382c4f4f234bac
SHA1: 2861a4215dd2a579afe1e30372e05d2ea00223f2

City of Somerset, Texas official site is also embedded with the same blackhat SEO content structure, which leads me to the conclusion that these two are related :

2k.x.somersettx.gov/porn/2k-004/156.html
2k.x.somersettx.gov/porn/2k-004/313.html
2k.x.somersettx.gov/porn/2k-004/829.html
2k.x.somersettx.gov/porn/2k-004/830.html
st-5.x.somersettx.gov/porn/st5/103.html

Town of Norwood, Massachusetts :

sql.norwood-ma.gov/libraries/transformations/.dir/132/valium-cost.html

ldap.norwood-ma.gov/htdocs/js/.dir/12/valium-online-order.html

Several more high profile sites hosting such scams I came across to yesterday are NASA's Worldwind, and the State of New Jersey that used to historically host such pages :

issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.html

nj.gov/education/voc/9/2007/
nj.gov/education/voc/9/2007/viagra/viagra-online.html
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html
nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html

Moreover, during the last week, another pack of sites were also reported to serve malware, spam, and blackhat SEO pages on their servers :

Collateral Damage: CA County Site Redirects to Porn, Countermeasure Causes Major Hassle

Arizona Government University Site: Hacked!

Calipornication… Again

Bank of Ghana, others, compromised

Brookhaven National Labs hacked, serving porn

Just yesterday for instance, F-Secure discovered a phishing page hosted at India's Police Academy site, and
Sunbelt pointed out that Beer.ch got IFRAME-ed with the following URLs belonging to the Russian Business Network who also IFRAME-ed Bank of India once :

81.95.149.74/1/index.php

81.95.149.74/22/index.php

How is all this happening? In both, automated, and sometimes targeted way, where automated stands for remote file inclusion through botnets.

I sure know all the pharmaceutical blockbusters now.

Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware

Attack of the SEO Bots on the .EDU Domain

Malicious Keywords Advertising

Continue reading →

Incentives Model for Pharmaceutical Scams

Sometimes, it's unbelievable how easy is in fact to social engineer people on their way to "make a deal" online, especially when buying pharmaceuticals online. Let's discuss organized pharmaceutical scams the way I perceive them, which like phishing also aim at reaching the efficiency level.

It's a public secret that Amazon.com's success in terms of sustained profitability has to do with their affiliation based model, namely "let the others do the sale for you". Pharmaceutical scammers have been anticipating this model for quite some now, a model where the pharma masters forward the processes of collecting potential customers (emails harvesting), contacting them and letting them know of how cheap their pharmaceutical are (spamming), enticing them to initiate a transaction with a fancy and professionally looking like site (freely available pharmacuitical web site templates) to those who become part of an affiliate network like the one you can see in the screenshot.

Pharmaceutical scammers have their own fast-flux networks of constantly changing domain and IP addresses, shared hosting of multiple scams in different segmets. Remember meds247.org? It's still up and running but the javascript obfuscation I reviewed before is now pointing to web server's directory whose main index hosts a p0rn site - center4cares.com, so you have a p0rn site that's hosting viagra propositions - "insightful". Moreover, pharmacuitical scam campaigns are also known to use free web space providers as doorway pages in the form of redirectors. For instance, the most recent spamming campaign promoting a Canadian Pharmacy scam located at rxlovecaptain.com, is taking advantage of the already established trusted brand of Geocities to redirect the spammers users to the main page :

geocities.com/MorganLogan82
geocities.com/AishaDeleon78
geocities.com/CarsonNguyen93

If efficiency truly matters from a scammer's perspective, we may soon witness actual DIY marketing packages with templates, "collection of potential customers", and a list of services to use when "contacting them". Now, if the pharma masters want to diversify as well, they can vertically integrate by owning or renting the spamming services themselves, something I haven't come across to - yet.

Continue reading →

Assessing a Rock Phish Campaign

The majority of Rock Phish campaigns usually take advantage of a single domain that's hosting numerous different phishing scams targeting different financial organizations. However, another trend is slowly emerging and that is the development of phishing domain farms, either taking advantage of a shared hosting as you can see in the graph on the left, or fast-fluxing the campaigns to increase the average time a phishing site remains online. Here's the interesting part acting as proof on the emerging trend of so called malicious economies of scale, and also, showcasing Rock Phish's effiency vs security trade off due to the centralization of the campaign on a single IP only. In this campaign we see a single IP (200.77.213.15) hosting 38 rock phish domains, that on the other hand in a typical Rock Phish style host multiple phishing pages targeting different companies.

Meanwhile, there's still a lot of confusion going on about what exactly Rock Phish is, and as you can see in this article, it's wrongly implied that it's some sort of a phisher's group :

"Nobody knows exactly who or what Rock Phish are -- whether it's one person or a group of people -- but security researchers believe Rock Phish is behind as many as half of all phishing attacks on the Web. Fast flux is a method by which a domain name that phishers use has multiple IP addresses assigned to it. The phishers switch those domains quickly between the addresses so that it's not as easy to find or shut down the phishing sites."

and another one :

"Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle through domain names and IP addresses. They obscure their origin with botnets, which automate unwitting consumers’ computers to send out spam."

In reality, Rock Phish is a script taking advantage of the now commoditized phishing pages of each and every web property and company that is a potential victim, hosted on a single domain in order to achieve efficiency. Once the script and the phishing pages are in the wild, the entry barriers into phishing scams become significantly lower allowing novice phishers to easily launch what used to a professional phishing campaign much easier than ever.

Why give the kid a phish, when you can teach them to phish?

Continue reading →

People's Information Warfare Concept

Malicious Culture of Participation

DoS battle stations operational in the name of the "Please, input your cause". Preventing a malware infection in order to limit the possibility for the host to become part of a botnet that will later one start a large scale DDoS attack is such a rational thinking that information warriors truly understanding what information warfare is all about, tend to undermine. The recently discussed "people's information warfare" concept highlighting China's growing interest in the idea, is a great example of a culture of participation orbiting around hacktivism cause, a culture we've also seen in many other hacktivism tensions in the past, and will continue to see in the future. The entire concept is relying on the fact that the collective bandwidth of people voluntarily "donating" it, is far more efficient from a "malicious economies of scale" perspective, compared to for instance the botnet masters having to create the botnet by infecting users in one way or another. Moreover, empowering an average Internet user with diversified DoS capabilities is directly increasing the nation's asymmetric warfare capabilities in an event of a hacktivism war.

Furthermore, the majority of DoS or DDoS flooding tools have a relatively high detection rate, but when people want to use them, they'll simply turn off their anti virus software, the one they use to prevent malware infections, but in a "people's information warfare" they can go as far as consciously becoming a part of a hacktivism centered botnet. Take this DoS tool featured in the screenshot for instance, it has a high detection rate only if the anti virus software is running, but in situation where a "malicious culture of participation" is the desired outcome it doesn't really matter. Donating their bandwidth and pretending to be malware infected is far more dangerous than botnet masters acquiring DDoS capability by figuring out how to infect the massess. It's one thing to operate a botnet and direct it to attack a certain site, and entirely another to be infected with a malware that's DDoS-ing the site, a situation where you become an "awakened and fully conscious zombie host".

Examples of the "People's Information Warfare Concept" :

- During the China/U.S hacktivism tensions in 2001 over the death of a Chinese pilot crashing into an AWACS, Chinese hacktivists released mail bombers with pre-defined U.S government and military emails to be attacked, thus taking advantage of the people's information warfare concept

- The release of the Muhammad cartoons had its old-school hacktivism effect, namely mass defacements of Danish sites courtesy of Muslim hacktivists to achieve a decent PSYOPS effect online and in real-life

- The Israel vs Palestine Cyberwars is a great example of how DIY web site defacement tools were released from both sites which resulted in a web vulnerabilities audit of the entire web space they were interested in defacing to spread hacktivism propaganda

- Cyber jihadists taking advantage of the "people's information warfare" concept by syndicating a list of sites to be attacked from a central location, and promoting the use of a Arabic themed DoS tool against "infidel" supporting sites

- What exactly happened during Russia's and Estonia's hacktivism tensions? The voting poll that is still available indicates that people believe it was botnet masters with radical nationalism modes of thinking. But judging from the publicly obtainable stats, ICMP often comes in the form of primitive DIY DoS tools compared to the more advanced attacks for instance. Collectivist societies do not need coordination because they know everyone else will do it one way or another.

Power to the people.

UPDATE:
Turkish hackers target Swedish Web sites - "Hackers in Turkey have attacked more than 5,000 Swedish Web sites in the past week, and at least some of the sabotage appears linked to Muslim anger over a Swedish newspaper drawing that depicted the Prophet Muhammad's head on a dog's body. Around 1,600 Web sites hosted by server-provider Proinet and 3,800 sites hosted by another company have been targeted, Proinet spokesman Kjetil Jensen said Sunday. Jensen said hackers, operating on a Turkish network, at times replaced files on the sites with messages."
Continue reading →

DIY CAPTCHA Breaking Service

Given that spammers and phishers are already breaking, bypassing our outsourcing their CAPTCHA breaking needs, the introduction of a DIY (do-it-yourself) model provided confidence in the recognition process is over 80%, was inevitable. The CAPTCHA Bot is a good example of a recently released DIY CAPTCHA breaking service where the users feed their accounts with credits, sets URLs and CAPTCHA's to get recognized. If it were pitched at vendors or anyone out there maintaining a CAPTCHA as a service it would have been a great idea, trouble is, it would be largely abused in its current form. Let's discuss the incentives model. Are developers of CAPTCHAs interested in improving the security of their CAPTCHAs in the form of contests with financial rewards or job propositions for those who dare to break them in a contest form? Not necessarily, and fixing vulnerabilities whenever such appear is done in an "on demand" fashion like we've seen with Vladuz's Ebay CAPTCHA populator. CAPTCHAs at the most popular web services are the gatekeepers of their online reputation, else, the flood of splogs and malware embedded blogs, as well as spam and phishing emails coming from free web based email providers may outpace the current model. Continue reading →

CISRT Serving Malware

The Chinese Internet Security Response Team is reporting that it has found embedded IFRAMEs serving malware within some of its pages. And despite that the blog itself is now clean, Trend Micro are pointing out that the main index is still IFRAME-ed and that the attackers took advantage of the momentum during China's "Golden Week" holiday.

IFRAMEs at the main index lead to :

js.users.51.la/392481.js
51.la/?392481
img.users.51.la/392481.asp

IFRAMEs at the blog used to point to :

mms.nmmmn.com/99913.htm
mms.nmmmn.com/30000.htm
mms.nmmmn.com/11122.htm

and ganbibi.com - where the twenty password stealers for online games located at ads.ganbibi.com/100.exe to ads.ganbibi.com/120.exe in numerical order are still active.

Related posts:
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware Continue reading →

The Dynamics of the Malware Industry - Proprietary Malware Tools

The Underground Economy's Supply of Goods and Services

The demand for private malware tools such as crypters, loaders and droppers is in tact with the supply of such tools, a market model whose higher profit margins satisfy both the coder of the tool as the seller and the buyer who's willing to pay a higher price for an undetected malware tool compared to using the publicly available and therefore with a high detection rate ones. The seller's one-to-many market proposition may generate sales on a volume basis, but the more people have the malware tool in question, the more commoditized, thus ineffective and much easier to fall into the hands of an anti virus vendor or a researcher it gets. And so, proprietary malware tools started emerging, ones only a small amount of people have access to. Nowadays, the malware industry is slowly maturing to a services-oriented economy as the logical evolution from a products-centered one, further accelerating its dynamics and future growth. What follows once goods and services both mature as a concept? Outsourcing, which as a matter of fact is already happening.

The Invisible Hand of the Malware Coder

The concept of proprietary malware tools is a very interesting one mainly because the coders of the malware tools are exercising control over the supply and distribution of the malicious goods in order to earn a higher return on investment, and ensure the customer gets the best product ever, one that must remain undetected for as long as possible. In respect to the distribution, it's sort of a self-regulation issue mainly because the buyer that spent a significant amount of money to obtain the latest malware tool will not leak it online and turn it into a commodity. As for the seller, he's ensuring that the tool will be sold to, for instance, five different people, no more and no less, since the perceived value and coder-added exclusiveness will result in a very high profit margin.

The market gets even more dynamic with the possibility for the buyer to exchange the malware tool he obtained at the over-the-counter market, and by doing so to limit the tool's exclusiveness, risk to have its value come close to zero if it leaks online, and most interestingly, his actions would have a butterfly effect on the other four people that hypothetically paid a higher profit margin price to obtain it. Given that the seller is interested in a higher profit margin only, he could either increase it and sell it to less than five people thinking that the less people have it the lower the chance it will leak or get exchanged, or if customer satisfaction and long-term relationships matter come up with a strategy on how to ensure the tools remain exclusive, though educating his customers for instance.

Images of crypters and joiners are samples of currently available proprietary malware tools for sale.

Continue reading →

Love is a Psychedelic Too

Compared to a previous example of an over-performing image spammer whose efforts to bypass spam filters make it virtually impossible for someone to fall victim into the pharmaceutical scam, in this example of image spam we have something very interesting, namely a dynamic subdomain generating spamming host running a proxy server every time the central campaign URL gets refreshed via an obfuscated javascript. meds247.org (216.55.70.170) is the public face of abetterlevel.org (221.130.192.17), and here are examples of the "one-time-scams-in-everything" style subdomains :

cpv9c5pt.abetterlevel.org:8080/cg/viagra.php

ccj70tjcm.abetterlevel.org:8088/cg/viagra.php

fdbtpju.abetterlevel.org:8080/cg/viagra.php

b80cpno.abetterlevel.org:8088/cg/viagra.php

ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php

Once accessed, a few minutes later the subdomains either stop responding, or start listening on the second port. Moreover, all the subdomains generated at abetterlevel.org resolve to radius.tercernivel.com (200.57.39.20) an indication of an ecosystem operating on three different networks.

Continue reading →

Don't Play Poker on an Infected Table

The scammy Euro VIP Casino is making another round this afternoon and trying to entice the spammed European users into downloading its software by promising $400 as a welcome bonus. Needless to say you ought to ignore it. Here's a full list of the typosquatted domains serving the scams.

Detection rate : Result: 11/32 (34.38%)
File size: 461341 bytes
MD5: e68763c16f31de340681b2c7c7eb6b0e
SHA1: 6174960cf5a6c503b97c9160f5e6a5babfef96e9

Online gambling is a buzz Internet activity allowing malicious parties to enjoy the "pull effect" by end users who themselves look for and download such applications. In this spamming campaign, however, we have a combination of a "push" approach, segmentation targeting European users, social engineering in the form of a promotion, and typosquatting. The first campaign (SetupCasino.exe) is currently hosted in China (116.199.136.29) on a host managing a second online gambling scam campaign impersonating Golden Gate Casino (SmartDownload.exe) under the following domains topgamecasino.net; superroyalcasino.com; nlymycasino.cn; lookforcasino.cn Continue reading →

Zero Day Vulnerabilities Market Model Gone Wrong

It's one thing to allow legitimate buyers, presumably the affected vendors themselves to bid for a zero day vulnerability discovered within their products in order to provide financial incentive for the researcher that discovered the flaw, another to superficially increase the monetary value of a zero day vulnerability taking advantage of its vendor-added exclusiveness, but entirely another to position responsible disclosure as an exclusive courteousness. Here's a sample letter informing the company within whose products a vulnerability has been found, and yes, the ultimatum for not releasing it :

"We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure," DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET News.com. The e-mail continues: "If you wouldn't like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you'd like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check." VDA set a deadline of July 17 and requested a payment of $5,000."

I first mentioned the possibility of having a security researcher blackmail an affected party a long time ago, however, I never thought it would be a company with serious knowledge in the field that's setting ultimatums, doubling the requested amount for the vulnerabilities if the vendor delays the response and threatening to release a PoC in a full disclosure style. Getting paid for getting hacked in reverse order - getting hacked for not paying. However, the ugly reality goes that what's a zero day for the mainstream media today is last month's zero day for the underground that's been improving the chances of success of their targeted attacks against a specific company or an individual. That's of course in the rare cases when malware authors no longer keep it simple, the stupids.

Here's another article on this story. Image courtesy of eEye's Zero Day Tracker. Continue reading →

DIY Chinese Passwords Stealer

This DIY passwords stealer courtesy of a chinese hacking group is pitched as Vista Compatible, with a server size in less than 20kb, process injection, form grabbing and password stealing capabilities for anything keyloggable, anti virus software killing capabilities, and uploading of the results to a central location, in this particular case an example is given for notification via Tencent, China's main IM network. More info :

"Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers."

Detection rate of the builder: Result: 15/32 (46.88%)
File size: 267213 bytes
MD5: a4b9c9f42629865c542ac7b823982843
SHA1: 78f855843d312ab76e1f8f0b912bd475781a8864

Here are several more recent releases by Chinese hacking groups, as well as a comment on the big picture. Continue reading →

A New DDoS Malware Kit in the Wild

On the majority of occasions, malware authors either put efforts into implementing a set of standard features within a malware enabling them to send out spam, use the already infected hosts as future infection and propagation vectors, or entirely outsource the features by releasing the malware as open source one. On the other hand, certain malware authors seem to avoid diversification and tend to stick to core competencies only, in this case a DDoS ready infected host as its only function, thereby decreasing the file size of the malware and sort of improving its stealthiness by putting the infected host in a passive "on demand" state compared to a situation where the host is already sending out spam and phishing emails could be much more easily identified as an infected one and its DDoS capability could turn irrelevant due the malware's multi tasking activities.

This specific DDoS malware kit currently offered for sale includes the standard firewall bypassing and rootkit capabilities, in between offering the possibility for zero day malware on demand once previous instances of the bot in question achieve a high detection rate. Moreover, in between providing custom DDoS capabilities like the ones I discussed in a previous post, it's yet another indication of the ongoing Web-ization of botnet communications which I think is about to replace the default use of the IRC command and control in the long term. Continue reading →

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit

function vml_exploit

function firefox_exploit

function firefox1_exploit

function wmplayer_exploit

function qtime_exploit
function yahoo_e

function winzip_exploit

function flash_exploit

function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)

What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack

Ikarus 2007.09.28 Trojan.Delf.NEB

Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen

Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe

File size: 65024 bytes

MD5: ef98a662c72e3227d5c4bb3465133040

SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm

syrianembassy.co.uk/news/lv/buy-levitra.htm

syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm

syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm

syrianembassy.co.uk/news/xa/buy-site-xanax.htm

syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :

The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site. In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.

Continue reading →

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September.

As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the

embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit
function vml_exploit
function firefox_exploit
function firefox1_exploit
function wmplayer_exploit
function qtime_exploit
function yahoo_e
function winzip_exploit
function flash_exploit
function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)

What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack
Ikarus 2007.09.28 Trojan.Delf.NEB
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen
Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe
File size: 65024 bytes
MD5: ef98a662c72e3227d5c4bb3465133040
SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm
syrianembassy.co.uk/news/lv/buy-levitra.htm
syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm
syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm
syrianembassy.co.uk/news/xa/buy-site-xanax.htm
syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :
The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site.

In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while. Continue reading →

A New Issue of (IN)Secure Magazine "in the Wild"

(IN)Secure Magazine's Issue 13 was released yesterday, and as always is definitely worth printing out. What is (IN)Secure Magazine? (IN)Secure Magazine is the type of "too good to be for free" kind of publication, covering the information security industry, the newly emerging technologies and threats, as well as the people who put it all together.

It's also great to note that my blog has been featured in their new section at page 62, an indication for an upcoming flood of an even more quality audience, and a personal incentive to contribute to a future issue of the magazine with a qualitative research on zero day vulnerability markets I've been working on for a while. Continue reading →

China's Cyber Espionage Ambitions

Must have been slow news week, so slow that all of a sudden Germany, the U.K, France, New Zealand, and the U.S got hacked by China's cyber spies. "Poor China" not just denied, but also admitted of getting hacked by supposedly one of the countries that started the alligations. Pretty much all the news articles basically enjoying the media-echo effect exclude the reality as an issue, namely that each of the country that's blaming China for cyber espionage, has been developing its own offensive cyber warfare capabilities for years. Some of the good examples to illustrate the diverse topic are for instance, North Korea's Cyber Warfare Unit 121 that was originally started in order for North Korea to balance its lack of conventional weaponry capabilities by improving its asymmetric warfare ones, passive cyber espionage in the form of gathering OSINT Through Botnets, releasing DIY attack tools in times of hacktivism tensions, or the healthy paranoia posed by the fear of now Chinese owned Lenovo could be implementing hardware backdoors in between China's recent interest in buying Seagate Technology fueling the tensions even further.

In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities, will win over the country that's dedicating special units for both defensive and offensive activities, something China's that's been copying attitude from the U.S military thinkers, is already envisioning :

"It also put forward the concept of a "people's information war" for the first time, describing this as a form of national non-symmetric warfare, with the people at the core, computers as the weapons, knowledge as the ammunition and the enemy's information network as the battlefield. These experts believe that ordinary people can be mobilized to provide global information support, spread global propaganda and conduct global psychological warfare. Such attacks could be launched from anywhere in the world at the enemy's military, political and economic information systems. If necessary, the experts suggested, computers currently under the control of Chinese enterprises could be dispersed among the people and connected to volunteer Web portals around the world, which would become a combined strategic cyber attack force. The article concluded by emphasizing that training "hacker warriors" should be a priority within the Chinese military."

All warfare is indeed based on deception. Go thought a related post on the The Biggest Military Hacks of All Time as well, and if objectivity is important to you, ask yourself the following, or question the lack of its answer within an article stating a country did something :

Was it the NSANet, the Joint Worldwide Intelligence Communications System [JWICS], the Secret Internet Protocol Router Network (SIPRNET), or the Unclassified but Sensitive Internet Protocol Router Network (NIPRNet) actually breached?

Cover courtesy of Der Spiegel. Continue reading →

Localizing Open Source Malware

Can you find the differences in this piece of malware compared to the previous open source one I covered recently? Besides its localization to Chinese there aren't any, and this development clearly demonstrates the dynamics of the malware scene. A common Web 2.0 mentality is that the more people use the service, the better it gets, a mode of thinking we could see applied in the case of open source malware, and malware as a web service. Once the source code becomes publicly obtainable, it's not just new features and modules that get introduced, but also, the malware starts using the Web as a platform. In fact, some of the most popular open source malware codes are successfully building communities around their open source nature, thus, attracting "malicious innovation" on behalf of third-party coders. Should we therefore make a distinction between a malware author, and a malware module coder? Continue reading →

The Dark Web and Cyber Jihad

It's interesting to monitor the use and abuse of the buzz word "Dark Web". This press release for instance, tries to imply that the crawlers are actually crawling the Dark Web and analyzing cyber jihadist activities, a bit of an awkward statement given what the Dark Web is at the bottom line - a web that is closed for web crawlers either thought standard measures, or authentication :

"This is where the Dark Web project comes in. Using advanced techniques such as Web spidering, link analysis, content analysis, authorship analysis, sentiment analysis and multimedia analysis, Chen and his team can find, catalogue and analyze extremist activities online. According to Chen, scenarios involving vast amounts of information and data points are ideal challenges for computational scientists, who use the power of advanced computers and applications to find patterns and connections where humans can not. One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating 'anonymous' content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past. The system can then alert analysts when the same author produces new content, as well as where on the Internet the content is being copied, linked to or discussed."

I've blogged about this AI project over an year ago, and have been following it ever since while experimenting with link and multimedia analysis of cyber jihadist communities before they were shut down. And while the innovations they've introduced for this period are impressive in terms of drawing social networking maps, the Dark Web's very principle, namely that it's authentication only Web, meaning it's closed for spiders, even human based researchers thought basic invite only or password authentication methods will prompt researchers to adapt in the long-term. Many of the cyber jihadist forums I didn't include in my last external links extraction were great examples of the dark cyber jihadist web, knowing where you crawl doesn't mean there'll be anything publicly available to crawl, and the trend is just starting to emerge. Such VIP clubs represent closed communities where more efforts should be put in taking a peek, thus it's ruining previous efficiency centered approaches of analyzing cyber jihadist communities. The alternatives remain rather contradictive but fully realistic - infecting terrorist suspects with malware, embedding malware within cyber jihadist communities, or unethically pen-testing the cyber jihadist communities to have the AI analyze the data obtained from the closed community, thus the Dark Web, at a later stage.

Meanwhile, after having the Global Islamic Media Front's online presence limited to the minimum, GIMF is making it in the mainstream media :

"On sites easily traceable via search engines, the German-language arm of the "Global Islamic Media Front" (GIMF) appeals for volunteer translators, inviting them to reply to a Hotmail address, and posts links to dozens of al Qaeda videos. "After some brothers and sisters were arrested (may Allah free them) and the Forum and blog of the GIMF were removed, we say this: the GIMF still exists and will continue its work," a statement from the front says. "To the Kuffar (infidels) who try to fight us, we say: you can do what you like, make as many arrests as you like...you will not reach your goal. We will always keep going until we achieve victory or martyrdom."The re-emergence of the GIMF in German highlights the difficulty for authorities of shutting down radical Islamist Web sites, which often simply spring up at new addresses."

Easily traceable mainly because they're not behind the Dark Web, at least not for now. Currently active GIMF URLs :

gimf.12gbfree.com
gimf.22web.net
gimf.cjb.net
gimfupload.blogspot.com with two redirectors gimfupload.notlong.com ; gimfupload.2ya.com

Despite that there're still literally hundreds of cyber jihadist forums and sites, quantity is not always equal to quality, namely, only a few of these will achieve success and mature into potentially dangerous communities. In the long term, however, once the "tip of the iceberg" communities dissapear, efficiency from the cyber jihadists will get sacrificed for improved OPSEC, namely they'll start operating behind the true Dark Web, making them more difficult and time-consuming to assess, track down, and shut down.

UPDATE: Inshallahshaheed (GIMF) has a new home. Continue reading →

The Truth Serum - Have a Drink!

Which security vendor would you rather choose if you were to ignore your current Return on Security Investment model? The one telling you "everything's under control" , that "malicious attackers are loosing creativity and cannot bypass our security solutions", or the one who's attitude is "our solutions fully demonstrate marginal thinking in respect to fighting cyber threats, namely, they mitigate certain risks and limit the probability for a security incident, but do not and cannot provide 100% security"?

Basic human psychology and purchasing habits would stick to the first one, the one pretending to offer 100% security -- something even a condom cannot offer yet everyone's thankfully using them. Even worse, which is falling victim into the myopia that the market leader, or the company with the highest brand equity is actually the one worth doing business with. As it appears, McAfee CEO David DeWalt had a drink from the truth serum before InformationWeek's 500 Conference in order to comment that "We're in inning two of a nine-inning game here" in respect to how cyber threats often outpace security measures. Moreover, an year ago I commented on a Gartner analyst's statement that security is all about percentage of budget allocation, and therefore the more you spend the more secure you get, among the most common myopias nowadays. Now, Gartner vice-president John Pescatore is wisely insisting that companies spend less on IT security, and given how when Gartner sneezes the whole industry gets cold, it's a step in the right direction - debunking common security myopias.

In a world dominated by perimeter defense solutions, being a visionary realist is an objective luxury. Continue reading →

DIY Phishing Kit Goes 2.0

With the release of the second version of the DIY phishing kit that I covered in a previous post, next to commentary on another one and a DIY pharming tool, the timeframe for creating a phishing page just got shorter than it used to be before. Moreover, the phishing ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the number of phishing campaigns in the wild outpaces the possibilities for timely shutting them down. Even worse, phishers do not seem to be interested in re-inventing the wheel, and having to create a new phishing page for any site or service, instead, such phishing pages are now a commodity, and with the ecosystem itself clearly cooperating with malware authors, you end up in a situation where a malware infected host is not just hosting malware for the next victim to get infected, running multiple DNS servers, sending out spam and phishing emails, but also, hosting the phishing pages themselves.

Amateur phishers do not put efforts into ensuring the quality and the lifetime of their phishing campaigns, and you can clearly recognize such amateur campaign by visiting the phishing URL you've just received to figure out it's already down. The more sophisticated phishers, however, are not just efficiency-obsessed, but also, take advantage of typosquatting and basic segmentation approaches, for instance, acquiring a Russian email database to use as the foundation for a WebMoney phishing campaign, and a U.S one for a PayPal one. Moreover, sophisticated phishers also put more efforts and invest more time into personalizing the emails and in rare cases, the phishing pages themsleves, that's of course in between localizing the campaign by having it translated into the local language of the country for which the emails database belongs to, thus improving the chances of the campaign. This is yet another disturbing trend worth commenting on - malware is maturing into a services centered economy, and so is the case with spamming and phishing, a logical development with the commodization of what used to very exclusive tools.

What are the major improvements in the new version? In the first one, the phisher had to manually paste the source code of the real page, have the kit automatically redirect the data to a third party URL, and also manually fix the image locations to ensure that they will load properly. In the second version, there're POST and GET commands available so that the source code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all the images within the login page can get easily integrated within the phishing page about to get generated. Getting back to differentiating the amateur from sophisticated phishers, the second have more resources at their disposal and better confidence in their hosting provider so that compared to loading the images from the original site, they're hosting them locally. This kit will inevitably continue to evolve, wish it was proportionally with the end user's understanding of how to protect against "push" phishing attacks though.

Related posts:

The Phishing Ecosystem

Confirm Your Gullibility

The Economics of Phishing

Pharming Attacks Through DNS Cache Poisoning

Average Online Time for Phishing Sites

Clustering Phishing Attacks

Phishing Domains Hosting Multiple Phishing Sites

209 Host Locked

PayPal and Ebay Phishing Domains

Spammers and Phishers Breaking CAPTCHAs

The Brandjacking Index

Take this Malicious Site Down - Processing Order..

Taking Down Phishing Sites - A Business Model?

Continue reading →