Uncovering a MSN Social Engineering Scam

This MSN scam trying to socially engineer end users into handling their accounting data by offering them the opportunity to supposidely see who's blocked them at MSN, has been circulating online for a while in the form of new domains that get actively spammed across different forums. The scam itself is just the tip of the iceberg, however it's a good example of a basic social engineering technique, the one with the basic promise. The scam's pitch :

"Quickly and easily learn who blocked you on MSN. The longly awaited feature for MSN Messenger, completely for free! Please input your MSN Messenger account information to learn who has blocked you. Our system will login with this information and learn who has blocked you."

Domains and DNS entries are still active, content's currently hidden :

msnliststatus.com - 222.73.220.237
msnblockerlist.com - 64.202.189.170
msnblocklist.org - 72.55.142.113
blockdelete.com - 89.149.242.248

Why would malicious parties care for collecting accounting data for IM users? If we're to put basic scenario building intelligence logic in this particular case, having access to couple of hundreds IM accounts acts as the perfect foundation for a IM malware spreading campaign, where access to the stolen data is actually the distribution vector. What would malicious parties do if they want to vertically integrate and earn higher return on investment in this case? They would segment the screenames by countries, cities and other OSINT data available, and earn higher-profit margins with the segmentation service offered to SPIMmmers.

Related posts:
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware Continue reading →

The FirePack Web Malware Exploitation Kit

In a typical tactical warfare from a marketing perspective, malicious parties are fighting for "hearth share" of their potential customers through active branding like the case with this malware kit. In a frontal competition attack aimed at IcePack, the authors of FirePack are pitching yet another "copycat" web exploitation malware kit for purchase at $3,000. Why a copycat anyway? Mainly because it lacks any major differentiation factors next to both, IcePack and MPack, except of course the different javascript obfuscation technique used. As in the majority of open source malware kits, their "modularity" namely easy for including new exploits and features within, is perhaps what makes assessing the impact of malware kits permanently outdated - a kit that you're assessing today has already been improved and new functionalities added in between.

The business strategies applied for such a hefty amount of money, are the lack of transparency means added biased exclusiveness, in order to cash-out through high-profit margins while taking advantage of the emerging malware kits cash bubble. A bargain hunter will however look for the cheapest proposition from multiple sellers, or subconsiously ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack and IcePack are nowadays.

Related posts :
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot Continue reading →

The Continuing .Gov Blackat SEO Campaign

Just like the situation in the previous case of injecting SEO content into .gov domains, once the pages are up and running, they get actively advertised across the Web, again automatically. While bridger-mt.gov responds to 72.22.69.184, the subdomain freeporn.eee.bridger-mt.gov is pointing to another netblock, in this case 66.49.238.80, exactly the same approach was used in a previous such assessment that was however serving malware to its visitors. Here are some of the very latest such examples listed by directory :

- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages

Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative, but for instance, topsfield-ma.gov/warrant where a single blackhat SEO page was located seems to have been hacked by a turkish defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP" Continue reading →

Serving Malware Through Advertising Networks

This summary is not available. Please click here to view the post. Continue reading →

Geolocating Malicious ISPs

Here are some of the ISPs knowingly or unknowingly providing infrastructure to the RBN and the New Media Malware Gang, a customer of the RBN or RBN's actual operational department. To clarify even further, these are what can be defined as malicious ecosystems that actually interact with each other quite often.

- Ukrtelegroup Ltd
85.255.112.0 - 85.255.127.255
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
UKRAINE
phone: +380487311011
fax-no: +380487502499

- Turkey Abdallah Internet Hizmetleri
TurkTelekom
88.255.0.0/16 - 88.255.0.0/17

- Hong Kong Hostfresh
58.65.232.0 - 58.65.239.255
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
Hong Kong
phone: +852-35979788
fax-no: +852-24522539

These are not just some of the major malware hosting and C&C providers, their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd, however, the emphasis shouldn't be on the volukme of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.

Continue reading →

Massive Blackhat SEO Targeting Blogspot

With Blogspot's fancy pagerank and with Google's recent introduction of real-time content indexing of blogs using the service, the interest of blackhat SEO-ers into the efficient registration and posting of junk content with the idea to monetize the traffic that will come from the process, seems to continue evolving as a process. In this specific case, we have firesearch.sc (64.111.196.120; 64.111.197.88) a blackhat SEO links farm that's visualized in the attached screenshot, and several thousands of automatically registered blogspot accounts directly feeding the searching queries that led to visiting them into firesearch.sc. What's also worth mentioning about this campaign is that the firesearch.sc's javascript search field appears at the top of every blog, whereas the blog's content itself consists of outgoing links to nearly fifty other such automatically registered blogs, again redirecting the search queries to firesearch.sc, whereas advertisements get served from 64.111.196.117/c.php

Sample blogs :

tilas--paralyze--video.blogspot.com
parentdirectoryofnokia19942.blogspot.com
imelodyalesana.blogspot.com
iberryblack8320.blogspot.com
ku990downloadwallpaper.blogspot.com
blackberrypearl8100fre62265.blogspot.com
motorolarazrv3amdriver90079.blogspot.com
downloadcredmakerforf64090.blogspot.com
smsmarathi.blogspot.com
pradaphonethemes.blogspot.com

With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. And while firesearch.sc is pitching itself as a "search engine that you can trust", it looks like it's not generating revenues for the people behind the operation, but also, acts as a keyword popularity blackhole.

Related posts:
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
Malicious Keywords Advertising
Visualizing a SEO Links Farm
Spammers and Phishers Breaking CAPTCHAs
But of Course It's a Pleasant Transaction
Vladuz's EBay CAPTCHA Populator
The Blogosphere and Splogs
p0rn.gov - The Ongoing Blackhat SEO Operation Continue reading →

Malware Embedded Link at Pod-Planet

The "the World's largest Podcast Directory" is currently embedded with a malicious link, whereas thankfully the campaign's already in an undercover phrase and stopped responding over the weekend. The embedded link points to ame8.com/a.js (222.73.254.56) then loads ame8.com/app/helptop.do, once deobfuscated attempts to load ame8.com/app/cc.do as well as 51.la/?1587102 acting as the counter for the campaign. In case you remember, the web counter services offered by 51.la were also used in the malware embedded attack at Chinese Internet Security Response Team. And with ame8.com hosted in China, someone's either engineering a situation where we're supposed to believe it's Chinese malicious parties behind it, thereby taking advantage of the media buzz, or it's Chinese attackers for real. For this particular case however, I'd go for the second scenario. Continue reading →

Statistics from a Malware Embedded Attack

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, the browsers and OSs they were using in a combination with confirming the malware kit used could result in a rather accurate number of infected hosts per a campaign - an OSINT technique that given enough such stats are obtained an properly analyzed we'd easily come to a quantitative conclusion on a malware infected hosts per campaign/malware group in question.

In this particular case, 99% of the traffic for the last three days came from a single location that's using multiple IFRAMEs to make it hard to trace back the actual number of sites embedded since there's no obfuscation at the first level - vertuslkj.com/check/versionl.php?t=585 - (58.65.239.114) is also loading vertuslkj.com/n14041.htm and vertuslkj.com/n14042.htm. As for the countries where all the traffic was coming from, take a peek at the second screenshot. The big picture has to do with another operational intelligence approach, namely establishing the connections between the malicious hosts that participated in the compaign, in this case it's between groups known to have been exchanging infrastructure for a while.

Continue reading →

Visualizing a SEO Links Farm

This visualization was generated over a month ago, using one of the two search engine optimization link farms I blogged about before, as a sample. Perhaps the most important issue to point out is that the farms are automatically generated with the help of blackhat SEO tools, where the level of internal linking has been set a relatively modest one, as for instance, the core pages extensively link one another, but a huge proportion of the SEO content remains burried in a number of hops a crawler may not be interested in making - this could be automatically taken care of in the process of generating the content to end up with a closed circle when visualizing. Continue reading →

The New Media Malware Gang - Part Three

Boutique cybercrime organizations are on the verge of extinction, and are getting replaced by cybercrime powerhouses, the indication for which is the increase of static netblocks used by well known groups such as the ones I've been exposing for a while - take the New Media Malware Gang for instance, and its entire portfolio of malicious domains that keeps expanding to include the latest ones such as :

sratong.ac.th/ch24/config/index.php
79.135.166.138/us/index.php
users-online.org/get/index.php
x-y-zz.org/exp2/index.php
dimaannetta.ws/adpack/index.php
dagtextiles.biz/adpack/index.php
freescanpro.com/count
keeberg.info
wmstore.info/1
78.109.22.242/a/index.php
208.72.168.176/e-zl0102/index.php
absent09.phpnet.us
podarok24.info/xxx
drl-id.com
supachicks.com

And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner. Continue reading →

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site :

"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ntkrnlpa.info/rc/?i=1 (85.114.143.207) which also responds to zief.pl, where an obfuscation tries to server ntkrnlpa.info/rc/load.exe through the usual diverse set of exploits served by MPack.

Detection rate : 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j

File size: 8704 bytes

MD5: 31f8a31adfdff5557876a57ff1624caa

SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?

Continue reading →

BlackEnergy DDoS Bot Web Based C&Cs

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :

httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location. Continue reading →

U.K's FETA Serving Malware

Yet another high-profile malware embedded attack worth commenting on, just like the most recent one at the Dutch embassy in Moscow. Website of UK landmark hacked to serve malware :

"The website of one of the UK's most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups."

The deobfuscated javascript attempts to load the currently live 88.255.90.130/cgi-bin/in.cgi?p=admin (MDAC ActiveX code execution (CVE-2006-0003), also responding to Silentwork.ws and Tide.ws which is deceptively forwarding to BBC's web site, deceptively in the sense that were I to use a U.K based IP to access it for instance it will try to serve the malware, thus, malware campaigners are now able to segment the malware attacks on a basis of IP geolocation. Who's behind it? A group that's in direct affiliation with the RBN and the New Media Malware Gang, where the three of these operate on the same netblocks.

The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event. Continue reading →

GCHQing with the Honeynet Project

Nothing's impossible, the impossible just takes a little longer. If someone told me an year ago that I'll be presenting next to the dudes from the Honeynet Project, I would have been rather skeptical. So, after a week of intensive socializing among geeks, a windy trip to Stonehenge along the way and lots of drinks, it's becoming increasingly clear to me how important face-to-face conversations are for the sake of improving productivity and relationship building. It's also worth pointing out how issues such as dealing with information oveload, data sharing, and actually communicating all the aggregated data to the industry and the general public, need to get a boost especially at the strategic level. And now that I'll be officially joining the organization, stay tuned for for a diverse set of KYE (Know Your Enemy) coverage of the emerging threatscape. Continue reading →

The Shark3 Malware is in the Wild

Life's too short to live in uncertainty, the stakes are too high. A month ago, I indicated the upcoming release of the third version of the script kiddies favorite Shark Malware. Despite that after the negative publicity of the malware that's actually promotd as a RAT, the authors supposedly abondoned the malware, they seem to have logically resumed its development. And so, the Shark3 malware is continuing its development.

What's new? Anti-debugger capabilities in particural against - VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc.

Detection rate : Result: 15/31 (48.39%) - Backdoor.Win32.Shark.if

File size: 3104768 bytes

MD5: e3a6758f5c90b39b59c6cd7551224d52

SHA1: 25f025f31560a28275aab006e04aace828e012ea

Some key points regarding Shark :

- its do-it-yourself nature, just like many of the malware tools I've covered before is empowering script kiddies with advanced point'n'click capabilities

- built-in spyware functionaly, namely "aggressive service" which resets the start-up values when they're delted, yet another indication that what's pitched as a RAT is in fact malware

- once released in an open source form, a community emerges around it one that starts innovating and coming up with new features

Continue reading →

The Dutch Embassy in Moscow Serving Malware

The Register reports that the Royal Netherlands Embassy in Moscow was serving malware to its visitors at the beginning of last week :

"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks."

Let's be a little more descriptive. The only IP that was included in the IFRAME was 68.178.194.64/tab.php which was then forwarding to 68.178.194.64/w/wtsin.cgi?s=z. ip-68-178-194-64.ip.secureserver.net (also responding to lmifsp.com and foxbayrental.com) has been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The secondary IFRAME is a redirector script in a traffic management script that can load several different URLs, to both, generate fake visits to certain sites that are paying for this, and a live exploit URL as it happens in between.

Historical preservation of actionable intelligence on who's what and what's when is a necessity. Here are for instance two far more in-depth assessments given the exploits URLs were still alive back then, discussing the malware embedded at the sites of the U.S Consulate in St. Petersburg, and the Syrian Embassy in the U.K.

Related posts:
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
A Portfolio of Malware Embedded Magazines
The New Media Malware Gang
The New Media Malware Gang - Part Two
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Have Your Malware in a Timely Fashion
Cached Malware Embedded Sites
Compromised Sites Serving Malware and Spam
Malware Serving Online Casinos Continue reading →

Mujahideen Secrets 2 Encryption Tool Released

Originally introduced by the Global Islamic Media Front (GIMF), the second version of the Mujahideen Secrets encryption tool was released online approximately two days ago, on behalf of the Al-Ekhlaas Islamic Network. Original and translated press release :

"Is the first program of the Islamic multicast security across networks. It represents the highest level of technical multicast encrypted but far superior. All communications software, which are manufactured by major companies in the world so that integrates all services communications encrypted in the small-sized portable. Release I of the "secrets of the mujahideen" the bulletin brothers in the International Islamic Front and the media have registered so scoop qualitatively in the field of information and jihadist exploit the opportunity to thank them for their wonderful and distinctive. And the continuing support of a media jihadist group loyalty in the technical development of a network of Islamic loyalty program and the issuance of this version, in support of the mujahideen general and the Islamic State of Iraq in particular."

Key features in the first version :

-- Encryption algorithms using the best five in cryptography. (AES finalist algorithms)

-- Symmetrical encryption keys along the 256-bit (Ultra Strong Symmetric Encryption)

-- Encryption keys for symmetric length of 2048-bit RSA (husband of a public key and private)

-- Pressure data ROM (the highest levels of pressure)

-- Keys and encryption algorithms changing technology ghost (Stealthy Cipher)

-- Automatic identification algorithm encryption during decoding (Cipher Auto-detection)

-- Program consisting of one file Facility file does not need assistance to install and can run from the memory portable

-- Scanning technology security for the files to be cleared with the impossibility of retrieving files (Files Shredder)

New features introduced in the second version :

-- Multicast encrypted via text messages supporting the immediate use forums (Secure Messaging)

-- Transfer files of all kinds to be shared across texts forums (Files to Text Encoding)

-- Production of digital signature files and make sure it is correct

-- Digital signature of messages and files and to ensure the authenticity of messages and files

So far, Reuters picked up the topic - Jihadi software promises secure Web contacts :

"The efficacy of the new Arabic-language software to ensure secure e-mail and other communications could not be immediately gauged. But some security experts had warned that the wide distribution of its earlier version among Islamists and Arabic-speaking hackers could prove significant. Al Qaeda supporters widely use the Internet to spread the group's statements through hundreds of Islamist sites where anyone can post messages. Al Qaeda-linked groups also set up their own sites, which frequently have to move after being shut by Internet service providers."

Needless to say that the new features, even the fact that they've updated the program has to be discussed from a strategic perspective. The improved GUI and the introduction of digital signing makes the program a handy tool for the desktop of the average cyber jihadist, average in respect to more advanced data hiding techniques, ones already discussed in previous issues of the Technical Mujahid E-zine. With the tempting feature to embedd the encrypted message on a web page instead of sending it, a possibility that's always been there namely to use the Dark Web for secure communication tool is getting closer to reality. Knowing that trying to directly break the encryption is impractical, coming up with pragmatic ways to obtain the passphrase is what government funded malware coders are trying to figure out. Screenshots courtesy of the tool's tutorial.

Continue reading →

E-crime and Socioeconomic Factors

Interesting points by F-Secure with two main issues covered, namely the lack of employment opportunities for skilled IT people who turn to cyber crime to make a living, and the emerging economies across the globe, whose citizens in their early stages of embracing new economic models will suffer from the inevitable unequal distribution of income due to their government's lack of experience or motivation. To me, however, it's more sociocultural than socioeconomic factors that contribute to these future developments. Several more key points worth discussing :

- Malware is no longer created, it's being generated

The myth of someone reinventing the wheel, namely coding a malware bot from scratch is no longer realistic. Modern malware is open source, modular, localized to different languages, comes with extensive documentation/comments and HOWTO guides/videos. Moreover, these publicly obtainable open source malware bots were released in the wild for free, namely, the coders that originally started the "generators" or the "compilers" generation took, and enjoyed only the fame that came with coming up with the most widely used and successful bot family. Take Pinch for instance and the recent arrest of the "coders". New and improved versions of Pinch are making their rounds online, but how is this possible since the people behind it are no longer able to update it? To achieve immortality for Pinch, they've released it as open source tool, namely anyone can use its successful foundation for any other upcoming innovation. The original coders are gone, the "malware generators" and the "compilers" are cheering since they still have access to the tool. Another popular entry obstacle such as advanced coding skills is gone, anyone can compile, generate and spread the samples, or used them for targeted attacks.

- "Will code malware for food" type of individuals don't really exist anymore

A cat doesn't eat mice when it's hungry, it eats mice when it's already been fed, and therefore does it for prestige and entertainment. Storm Worm is not released by the "desperation department", it's an investment on behalf of someone who will monetize the infected hosts, or who has outsourced the infection process to botnet aggregators. Moreover, there's no lack of IT employment opportunities in times of growing economy, exactly the opposite, the economy is booming, investments are made in networks and infrastructure and therefore people will start receiving incentives for training and therefore the demand for IT experts will increase given the government is visionary enough to invest in the long-term, in terms of education and training. If it's not, structural unemployment will undermine the local industry, you'll end up with software engineers working at the local McDonald's during the day, and coding malware during the night - a stereotype. For instance, go through this article and notice the quote regarding the attitude towards the U.S. Malware coders/generators aren't on the verge of starvation, they're on a mission with or without actually realizing it :

"I don't see in this a big tragedy," said a respondent who used the name Lightwatch. "Western countries played not the smallest role in the fall of the Soviet Union. But the Russians have a very amusing feature — they are able to get up from their knees, under any conditions or under any circumstances. As for the West? "You are getting what you deserve."

It's a type of "Why are you doing me a favour that I still cannnot appreciate?" issue, collectivism vs individualistic societies. E-crime is not just easy to outsource, but the entry barriers in space are so low, we can easily argue it's no longer about the lack of capabilities, but the lack of motivation to participate, and actually survive, that drive E-crime particularly in respect to malware. From an economic perspective, the Underground Economy's high liquidity is perhaps the most logical incentive to participate, which is a clear indication on the transparency and communication that parties involved have managed to achieve. Continue reading →

DIY Fake MSN Client Stealing Passwords

This tool deserves our attention mostly because of its do-it-yourself (DIY) nature, just like the many other related ones I discussed before. Custom error messages, two options for to kill or restore MSN after the password is obtained, and custom FTP settings to upload the accounting data. Why did they choose FTP compared to email as the leak point for the data? From my perspective uploading the accounting data on an FTP server means compatibility from the perspective of easily obtaining the accounting data to be used as foundation for another MSN spreading malware or spim, compared to accessing it from an email account.

File size: 888832 bytes
MD5: 02b0d887aa1cbfd4f602de83f79cf571
SHA1: da49527e96bb998b3763c1d45db97a4d3bccea7a

A sample is detected as W32/VB-Remote-TClient-based!Maximus.

In related news, MSN is said to be the most targeted IM client :

"Within the IM category, 19 percent of threats were reported on the AOL Instant Messenger network, 45 percent on MSN Messenger, 20 percent on Yahoo! Instant Messenger and 15 percent on all other IM networks including Jabber-based IM private networks. Attacks on these private networks have more than doubled in share since 2003, rising from seven percent of all IM attacks to 15 percent in 2007."

As always, it's a matter of a vendor's sensors network to come up with increasing or decreasing levels of a particular threat, but the pragmatic reality nowadays has to do with less IM spreading malware, and much, much more malware embedded trusted web sites.

Moreover, according to some publicly obtainable stats, IM spreading malware in general has been declining for the past two years, but how come? It's because of their broken and bit outdated social engineering model, namely the lack of messages localization, abuse of public events as windows of opportunities, and the lack of any kind of segmentation. One-to-many may be logical from an efficiency point of view, but it's like embedding a single exploit on hundreds of thousands of sites compared to a set of exploits, or a set of techniques like in this case. Continue reading →

Storm Worm's St. Valentine Campaign

The Riders on the Storm Worm started riding on yet another short term window of opportunity as always - St. Valentine's day with a mass mailing email campaign linking to two files with_love.exe and withlove.exe, using an already infected host as a propagation vector itself in the very same fashion they've been doing so far.

Detection rate : 3/32 (9.38%)
File size: 114689 bytes
MD5: 31ac9582674cad4c8c8068efb173d7c7
SHA1: cee93d3021318a34e188b8fae812aa929cb2bc9c

NOD32v2 - a variant of Win32/Nuwar
Prevx1 - Stormy:All Strains-All Variants
Webwasher-Gateway - Win32.Malware.gen!88 (suspicious)

The binary drops burito.ini (MD5 - A65FA0C23B1078B0758B80B5C0FD37F3) and burito1205-67d5.sys (MD5 - C4B9DD12714666C0707F5A6E39156C11), and creates the following registry entries :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5\0000 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5\Security

Surprisingly, there are no client-side vulnerabilities used in last two campaigns. Continue reading →