This summary is not available. Please
click here to view the post.
Continue reading →
Snakes never whisper in one another's ear - it's supposed to tickle. In a blog post yesterday, Sunbelt Labs pointed out on the re-emergence of the Botnet on Demand Service that I covered last year. It's great to see we're on the same page, or wiki article as we can always expand the discussion. In need of more such fancy snakes admin panels courtesy of a web based malware C&C? Here are four more related :legendarypornmovies.net/ts (88.85.81.211)
slutl.com/ts (88.85.78.7)
cwazo.net/ts (83.222.14.218)
oin.ru/ts (194.135.105.203)
Now the juicy details regarding loads.cc. During the time of posting this, the malicious domain is starting to redirect to a very descriptive one, which basically says "given up on ddos-ing", and a featured ad in between loads.cc's old interface is pitching the new service - contextual advertising consultations, as you can see in the attached screenshot. Apparently, a little more in-depth research acts as public pressure, especially when they're lazy enough to have a great deal of malware variants "phone back home" to their promotional domain. However, the current one responding to 67.228.69.191 is hosted by SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered Technologies again confirming the Russian Business Network connection since, both, Layered Technologies and SoftLayer are known to have been and continue providing services to the RBN, knowingly or unknowingly. Moreover, the malware infected counter at the stats section continues reporting new additions.Being one of the most venerable examples of DDoS for hire services, it's worth reposting its FAQ in an automatically translated fashion, so that a better perspective to the dynamics of offering such services is provided to the readers. Here's the FAQ on using the service, which is relatively easy to understand :
- All that is pure downloads nothing is loaded simultaneously- The "mix" is not Buro countries on specified individual prices
- Loaded only those countries which are specified in the problem
- The country is determined to maxmind geoip
- When it ALL loaded all countries and the price of downloads is calculated separately for each country that is DE for the download you pay for a $ 0.2 PE 0.03
- Prices for downloads can sometimes vary slightly this watch themselves
- As such, the concept of mix does not exist, each country has its own price, and if the country is not clearly specified in the price is $ 30 price / 1k
- The money is withdrawn from the account in accordance with the facts and running leaps ekze by car users
- In the balance on deposit $ 5 or less stopped loading
- No minimum, it is possible to load even though 3 pc 10k limit pointing in the problem
- The claims, made by ALREADY download will not be accepted, DICOM small parties or do the test to check quality
- Following the establishment of tasks it must be activated by clicking on the link in the status, the same method could be suspended
- Pole challenge "received" shows how many bots believed assignment, it is usually little more than a "loaded" on the fabric sur somehow prichnam some boats were not able to download and run your ekze dolzhili or not yet know
Undercover DDoS in between contextual advertising, or "giving up on DDoS" entirely? Let's wait and see, without being naive enough to forget that this among the hundreds of other DDoS for hire services currently available in the wild.
Sometimes patterns are just meant to be, and so is the process of diving into the semantics of RBN's ex/current customers base, in this case the New Media Malware Gang. The latest pack of this group specific live exploit URLs :bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php
Going through Part one, Part two, and Part three, clearly indicates an ongoing migration. Continue reading →
This summary is not available. Please
click here to view the post.
Continue reading →
More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution :"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script-injection issue, which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. On March 6, 2008, the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected by a similar issue."
At 19:45 (EET) all of the sites have their input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good.
How was the IFRAME injection possible at the first place? OWASP lists input validation as one of the top 10 injection flaws for 2007, which in a combination with a site's SEO practice of caching pages with the injected input in the form of a keyword and the IFRAME, is what we've been seeing during the week :
"Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level. Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development."
And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.
News is spreading fast, appropriate credit is given, but not as fast as the IFRAME campaign targeting several more CNET Networks' web properties besides ZDNet Asia, namely, TV.com, News.com and MySimon.com which I'll assess in this post. In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet's international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. And so, we have three more sites part of CNET Networks' portfolio, getting injected with more IFRAMEs, abusing their search engine's local caching, and storing of any keyword feature, in a combination with a loadable IFRAME.What has changed for the past 24 hours, despite that the now over 51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at TV.com, News.com and MySimon.com, again pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec MediaTubeCodec.exe, hosted and distributed under two new domains.
Which sites are currently targeted?ZDNet Asia - currently has 51,900 injected pages
TV.com - 49,600 locally hosted IFRAME injected pages
News.com - 167 locally hosted pages, injection is ongoing
MySimon.com - currently 4 pages, the campaign is ongoing
Which domains and IPs are behind the IFRAMEs?
do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21
Where's the malware?
It's there, you just have to triple check different IFRAME-ed search results and finally you'll get to install XP AntiVirus 2008 and a fake codec, the only two pieces of malware currently served. What's important to note is that this is the current state of the campaign, and with the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis are possible, and since they ensure you're served on the basis of where you're coming from, things can change pretty fast. These are all of the domains that follow after the IFRAME redirects for all the campaigns currently detected, and the detection rates for the malware from the last campaign :
hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)
MediaTubeCodec.com
Scanner results : 11% Scanner(4/36) found malware!
Time : 2008/03/06 16:38:39 (EET)
File Size : 85520 byte
MD5 : 25708e1168e0e5dae87851ec24c6e9f7
SHA1 : 33b502b13cab7a34bb959d363ae4b7afd23919a6
AVG - I-Worm/Nuwar.P
Fortinet - Suspicious
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan
Tries to connect to websoftcodecdriver.com; websoftcodecdriver2.com and 77.91.227.179, in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN - "Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer." and RogueAntiSpyware.AntiVirusPro - "RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent."
Spyshredderscanner.exe
Scanner results : 42% Scanner(15/36) found malware!
Time : 2008/03/06 17:02:23 (EET)
File Size : 33224 byte
MD5 : bc232dbd6b75cc020af1fcf7cee5f018
SHA1 : fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f
Detected as : Win32.FraudTool.SpyShredder; Downloader.MisleadApp
Again opening local port 1034 and tries to connect to 69.50.168.51, ATRIVO = RBN's well known netblock.
Who's behind it?
It's all a matter of perspective, if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN. However as I've once pointed out in respect to the New Media Malware Gang and its connection with the RBN and Storm Worm, for the time being it's unclear which one of these is the operational department if any, of the RBN is vertically integrating to provide more than the hosting infrastructure, and diversify to malware, or spyware installation on a revenue-sharing basis participating in an affiliate program.
This malicious campaign will continue to be monitored, particularly the RBN connection, and whether or not they will start targeting CNET's other sites. Continue reading →
Why did I bother to send this message to Full-Disclosure last night, despite that I already posted it here? Because I knew that this would happen, it's happened before, and it will happen in the future, so having dates and hours to prove what you see on the top of each and every blog post here, namely the real-time situational awareness objective, is what I wanted to achieve. And I did. Thankfully, there're Sophos, TrendMicro, McAfee and Commtouch realizing that corporate blogging evolved from hard selling and the basics of marketing, to a complex PR platform, and therefore quote and link to my blog, to have me link back, so that a conversation emerges. Redefining the process of rephrasing so that my creative commons license per post is not violated? Find the ten differences between my post yesterday, its title, and today's statements:"Continuing, Chia says that: “Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these iFRAME-ed results in the first few pages of the search results. And the objective? To get the unsuspicious user to click on the link”."
So, my original post went online yesterday, TeMerc reposted it, so did Paul, I sent it to Full-Disclosure, and as it looks like F-Secure's Wing Fei Chia seems to read, either Full-Disclosure, or my blog to come up this post, 24 hours later. Anyway, SecurityFocus, again covers the incident in an article entitled "Fraudsters piggyback on search engines", quoting me, this time professionally. Continue reading →
On numerous occasions in the past, I emphasized on the malicious attacker Keep it Simple Stupid (KISS) approach for anything starting from Rock Phishing, to maintaining a huge live exploits domains portfolio hosted on a single IP. This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example for instance, we had an second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201, however, what Keep it Simple Stupid really means in this case is that the next IP in their netblock 89.149.243.202 is currently getting injected at many other sites as well. The difference between the previous campaign and this one, is that the previous one was targeting just two high page rank-ed sites, while in the second one, the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same, both campaigns continue pushing the rogue XP AntiVirus. XP AntiVirus's pitch, note the downloads success rate mentioned and how they forgot to change the template used in the campaign by putting the rogue's name :
"XP antivirus has been downloaded over 4 Million times; with a 20,000 more downloads every week. Millions of people worldwide use Spyware Doctor to protect their identity and PC security. XP antivirus has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors' Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced technology designed specially for people, not experts. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection. XP antivirus's advanced RealOnGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings."Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsexworld.info/soft.php?aid=0064&d=3&product=XPA (72.232.224.154) and from there to xpantivirus2008.com (69.50.173.10). There're in fact several other domains currently promoting this as well : xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); xpantivirus.com (216.255.180.58), as well as the following : hotantivirus.info (74.86.81.80); easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader's detection rate :
Scanner results : 17% Scanner(6/36) found malware!
Time : 2008/03/05 13:57:48 (EET)
File Size : 47104 byte
MD5 : 2102cb53606f535ca8132c3324953596
SHA1 : 0756f530e782c3d2e85a8186e052b722b017f1ea
AntiVir - TR/Crypt.ULPM.Gen
Fortinet - Suspicious
Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious)
Panda - Suspicious file
Prevx - TROJAN.DOWNLOADER.GEN
Sophos - Mal/HckPk-A
Smells like RBN's used InterCage and ATRIVO netblocks from routers away.
Related RBN coverage:
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network Continue reading →
This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to have the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network's IPs and ex-customers in the face of rogue anti-virus and anti-spyware applications. For the time being, zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net - 29,300 cached pages loading the IFRAME. Even worse, the IFRAME embedded search results hosted on their sites, are appearing between the first ten to twenty search results, thanks to the sites high page ranks. Sample search queries :
jamie presley
jamie presley
mari misato
risa coda
kasumi tokumoto
jill criscuolo
The IFRAME is loading 72.232.39.252/a also responding to themaleks.net. The link itself is loading an obfuscated javascript, which once deobfuscated attempts to load a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2) also responding to ppcan.info, with two more domains sharing nameservers, findhowto.net, searchhowto.net. Ppcan.net has already been assessed by Microsoft's Security Team :"The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page."
So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it. Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer :
xpantivirus2008.com (69.50.173.10)
scanner.spyshredderscanner.com (77.91.229.106)
hot-pornotube-2008.com (206.51.229.67)porn-tubecodec20.com (195.93.218.43)
Once the junkware inventory is empty, all pages redirect to requestedlinks.com (216.255.185.82). Let's take a peek at the codec :
Scanner results : 11% Scanner (4/36) found malware!
File Size : 85008 byteMD5 : 6b325c53987c488c89636670a25d5664
SHA1 : c6aeeafffe10e70973a45e5b6af97304ca20b3bdFortinet - Suspicious
Norman - Tibs.gen200Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScanEven more interesting is the fact that literally minutes before posting this, another such campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and loading another IFRAME to 89.149.243.201/a redirecting to cialis2men.com/product/61 (92.241.162.154).
What is going on, have the sites been compromised, or the attackers are in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names.
The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search queriesAnd given that the malicius parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".
Continue reading →
What is going on, have the sites been compromised, or the attackers are in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names.
The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search queriesAnd given that the malicius parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".
Keywords for gaining attention from a marketing perspective for last week - embedded malware, IFRAMEs, stolen FTP accounts, Fortune 500 companies, Russia. Nothing's wrong with that unless of course you're interested in the whole story and the big picture, which wouldn't be excluding the possibility for having a Fortune 500 company's servers acting as C&Cs for a large botnet. Why are Fortune 500 servers excluded as impossible to get hacked at the first place, making it look like that the amount of money spent on security is proportional with the level of security reached? The more you spend does not mean the more secure it gets if you're not allocating the money where they have to be allocated at, in a particular moment of time, given the dynamic threatscape these days. 
What's most important to point out about the recent incident of Fortune 500 companies stolen FTP accounts, is that it's "stolen accounting data for sale" as usual, as usual in the sense of the hundreds of other such propositions currently active online. And if we're to use an analogy on its importance as a event, it's like your smell receptors, namely the more you use a particular fragnance, the less you're capable of sensing it since you're getting used to the smell. In this line of thoughts, what's "stolen accounting data for sale as usual" for some, is exclusive event for others. Even worse, it's "slicing the threat on pieces" compared to discussing the "pie" itself. Moreover, the shift from products to services in the underground marketplace is something that's been happening for the past three years, and therefore making it sound like it's been happening as of yesterday, brings the discussion to the lowest possible level - right from the very beginning. Try the following malicious services on demand for instance, demostranting key business concepts such as consolidation, vertical integration, benchmarking -Q&A, and standartization :
"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase."
on the other side of the universe on Neosploit's "purpose in life" :
"The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies."
Robert Lemos is however, reasonably pointing out that :
"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007."
Key summary points :
- the tool's been around since February, 2007, making it exactly one year old
- it has built-in accounting data validation, pagerank measurement of the sites whose FTP accounting data has been stolen as you can see in the third screenshot attached
- IP Geolocation for the now pagerank-ed sites is also included
- the tool's functions are relatively primitive compared to three other alternative ones that I'm aware of taking advantage of anything by stolen FTP accounts, a logical fad by itself
- the script is officially sold for $25, but as we've seen it in the past with MPack and IcePack, buyers unaware of other outlets for the tool would pay the high-profit margins offered by the seller
- FTP accounting data can be imported, and once verified, a statistical output for the automated process of logging in and embedding the IFRAME is provided
- IFRAMEs are automatically embedded within .php; .html; .asp; .htm extensions
- embedding iframes through stolen FTP accounts is a fad, purchasing and selling shells/web backdoors and huge domain portfolios controlled via Cpanels is a trend, as automatic injection of malicious IFRAMEs through remote file inclusion and remotely exploitable SQL injection vulnerabilities is
Your situational awareness about the emerging threatspace is as always up to the information sources that you use, or still haven't started using. My point is that exposing Pinch in the summer of 2007 despite that the tool's been around since 2004/2005, and exposing this malicious FTP account checker and IFRAMEs embedder in February, 2008, when it hasn't been updated since February, 2007, greatly contributes to the development of a twisted situational awareness. Realizing it or not, with the time, security researchers or intelligence analysts establish a very good sense of intuition about what's happening at a particular moment in time, or what will be happening anytime now. And using stolen FTP accounts for embedding IFRAMEs never picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO content. Scenario building intelligence, or playing the devil's advocate, it's a mindset only a small crowd possess.
As we're on the topic of RBN's zombies trying to connect to their old netblocks, and botnets being used to host and send out phishing content, what looks like entirely isolated incidents in the present, is what has actually being going on on RBN's network during the summer of 2007. A picture is worth a thousand speculations, yes it is. As you can see in the attached historical screenshot of a web based botnet C&C, the Russian Business Network's old infrastructure has also been involved into delivering phishing pages to malware infected hosts, whose requests to the legitimate sites were getting forwarded to RBN's old netblock. The process is too simple, thereby lowering the entry barriers into phishing activities due to its modularity. Basically, the botnet master can easily configure to which fake phishing site the infected population would be redirected to, if they are to visit the original one with no more than three clicks. And so, for the purpose of historical preservation of CYBERINT data given the quality of the identical screenshot obtained through OSINT techniques -RBN URLs used in the phishing redirects :
81.95.149.226/scm/us/wels/index.html
81.95.149.226/scm/uk/lloydstsb/personal/index.html
81.95.149.226/scm/cyprus/persmain.html
81.95.149.226/scm/au/westpac/index.html
81.95.149.226/scm/au/commonwealth/
81.95.149.226/scm/au/warwickcreditunion/index.html
81.95.149.226/scm/uk/lloydstsb/business/index.html
81.95.149.226/scm/uk/halifax.php
81.95.149.226/scm/uk/rbsdigital/index.html
81.95.149.226/scm/uk/co-operative/index.html
81.95.149.226/scm/uk/cahoot.php
Known malware to have been connecting to 81.95.149.226 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to 81.95.149.226, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.
Some facts are better known later, than never. Continue reading →
The following central redirection point in a portfolio of exploits and malware serving domains - buytraffic.cn/in.cgi?11 is currently embedded at couple of hundred sites and forums across the web. And just like the many previous such examples, the process is automated to the very last stage. Repeated requests expose the entire domains portfolio, where once the live exploit is served with the help of a javascript obfuscations, the binaries come into play. Here are all the domains and live exploit URLs involved for this particular campaign :buytraffic.cn/in.cgi?11 - 62.149.18.34
sclgntfy.com/ent2763.htm - 85.255.118.12
tds-service.net/in.cgi?20 - 72.233.50.148
spywareisolator.com/landing/?wmid=sga - 72.233.50.150
warinmyarms.com/check/upd.php?t=670 - 58.65.239.114
coripastares.com/in.php?adv=1267&val=3ee328 - 202.83.197.239
xanjan.cn/in.cgi?mikh - 78.109.22.246
chportal.cn/top/count.php?o=4 - 203.117.111.102
buhaterafe.com/in.php?adv=1208&val=65286d - 202.83.197.239
193.109.163.179/exp/count.php
193.109.163.179/exp/getexe.php
78.109.22.242/mikh/1.html
78.109.22.242/sh.html
Who says there's no such thing as free malware cocktails.
Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two Continue reading →
Despite that it's already been a couple of months since RBN's main ASN got "withdrawn" from the Internet due the public pressure put on the Russian Business Network's malicious activities, hundreds of malware variants continue trying to access their C&Cs and update locations from RBN's old netblock. Malware puppets with no master to connect to despite their endless efforts - now these are the real zombies if we're to stick to the terminology. Catch up with more details on RBNs migration, and extended partnership network.
Continue reading →
As it's becoming increasing clear that blackhat SEOers are actively experimenting with embedding their content on high pagerank sites, such as .govs, the numerous campaigns, one of which was by the way serving malware, indicate that injection the content through remote file inclussion or remotely exploitable web application vulnerabilities is an emerging trend that deserves to be closely examined. Here are several more currently active blackhat SEO campaigns located at :- Utah Attorney General’s Office Identity Theft Reporting Information System -
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 630 pages
- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates/2 - 890 SEO pages
- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages
- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simple - 93 SEO pages
- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO pages
- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment
The number of pages currently hosted at these high pagerank domains is indeed disturbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" campaign, where outgoing links and SEO content is embedded at the host, but is only visible to web crawlers. Take the Wisconsin Department of Military Affairs's site for instance, where a news item that was posted in 2003, yes five years ago, is still embedded with "invisible blackhat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones.
Sampling the outgoing links also speaks for itself, take canadianmedsworld.com (217.170.77.162) for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :
canadianpharmacyltd.org
ns1.viagrabestprice.info
ns2.viagrabestprice.info
officialmedicines.us
pharm-shop.net
thecanadianpharmacymeds.com
viagrabestprice.info
viagraforlove.com
xdrugpill.com
This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case. Continue reading →
The following service that's offering socks hosts on demand, is pretty much like the Botnet on Demand one, with the only difference in its marketing pitch, namely, these are malware infected hosts as well, however, access is offered through them, but not to them. The degree of maliciousness of these hosts can only be measured once the exact IPs are known, and by degree of maliciousness I'm refering to their state of openess, namely, can malware, spam and phishing be also relayed through them, or we can eventually look up the historical IP reputation to figure out whether such activities have been going on in the past as well. Moreover, such commercial propositions are directly related with proxy threats, ones outlined in a KYE paper entitled "Proxy Threats - Port v666" discussing various detection and mitigation approaches :"In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside)."
The commercial aspect's always there to say, and vertically integrate since besides selling the product in the form of the tool for, they could eventually start coming up with various related, and of course malicious services in the form of spamming, phishing etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for any kind of cybercrime activities, as well as the foundation for other services such as the managed fast-flux provider I once exposed.
Stepping stones as a concept in cyberspace, can be used for various purposes such as, engineering cyber warfare tensions, virtual deception, hedging of risk of getting caught, or actually risk forwarding to the infected party/country of question, PSYOPs, the scenario building approach can turn out to be very creative. One of the main threats possed by the use of infected hosts as stepping stones that I've been covering in previous posts related to China's active cyber espionage and cyber warfare doctrine, is that of on purposely creating a twisted reality. China's for instance the country with the second largest Internet population, and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware infects hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly top the number one position on malicious activities.
However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining foreign intelligence and research data is on the top of the agenda on every government with an offensive cyber warfare doctrine in place.
Continue reading →
Cultural diversity on demand is something I anticipated as a future malware trend two years ago - "Localization as a concept will attract the coders’ attention" :"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack totarget specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."
It's been happening ever since, and despite that it's already getting the attention of vendors, malware authors do not need to know any type of foreign language to spread malware, spam and phishing emails in the local language, they do what they're best at (coding, modifying publicly obtainable bots source code), and outsource the things they cannot do on their own - come up with a locally sound message which would leter on be used for localized malware, spam and phishing attacks, a tactic with a higher probability of success if there were to also request that spammers can segment the harvested email databases for better campaign targeting. The Release of Sage 3 - The Globalization of Malware :
"In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not just skilled at computer programming they're skilled at psychology and linguistics, too."
With all due respect, but I would have agreed with this simple logic only if I wasn't aware of translation services on demand for anything starting from malware to spam and phishing messages. We can in fact position them in a much more appropriate way, as "cultural diversity on demand" services, where local citizens knowingly or unknowingly localize messages to be later on abused by malicious parties. Malware authors aren't skilled at linguistics and would never be, mainly because they don't even have to build this capability on their own, instead outsource it to cultural diversity on demand translation services, ones that are knowingly translating content for malware, spam and phishing campaigns.
The perfect example would be MPack and IcePack's localization to Chinese, and yet another malware localized to Chinese, as these two kits are released by different Russian malware groups, but weren't translated by them to Chinese, instead, were localized by the Chinese themselves having access to the kits - a flattery for the kits' functionality, just like when a bestseller book gets translated in multiple languages. As for the socioeconomic stereotype of unemployed programmers coding malware, envision the reality by considering that sociocultural, rather than socioeconomic factors drive cybercrime, in between the high level of liquidity achieved of course. Continue reading →
In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious flash advertisements that were, and still participate in the rogue ads attacks :01. quinquecahue.com (190.15.64.190)
quinquecahue.com/swf/gnida.swf?campaign=tautonymus
quinquecahue.com/swf/gnida.swf?campaign=atliverish
quinquecahue.com/statsg.php?campaign=meatrichia
quinquecahue.com/swf/gnida.swf?campaign=atticismus
02. akamahi.net (190.15.64.185)
akamahi.net/swf/gnida.swf?cam
akamahi.net/swf/gnida.swf?campaign=innational
akamahi.net/swf/gnida.swf?campaign=annalistno
akamahi.net/statsg.php?u=1199891594&campaign=annalistno
03. thetechnorati.com (190.15.64.191)
thetechnorati.com/swf/gnida.swf?campaign=ofcavalier
thetechnorati.com/swf/gnida.swf?campaign=whoduniton
thetechnorati.com/statsg.php?u=1198689218
04. vozemiliogaranon.com (190.15.64.192)
vozemiliogaranon.com/statss.php?campaign=zoolatrymy
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy
vozemiliogaranon.com/statss.php?campaign=revenantan
05. newbieadguide.com (190.15.64.188)
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=2rapid1y
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=germanit
newbieadguide.com/swf/gnida.swf?campaign=ta5temix
newbieadguide.com/swf/gnida.swf?campaign=c0pperin
newbieadguide.com/swf/gnida.swf?campaign=remain0r
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof
newbieadguide.com/swf/gnida.swf?campaign=m9in9re9
06. traffalo.com (84.243.252.94)
traffalo.com/swf/gnida.swf?campaign=atekistics
traffalo.com/swf/gnida.swf?campaign=byagnostic
traffalo.com/statsg.php?u=1201711626
traffalo.com/statsg.php?u=1202224809
07. burnads.com (84.243.252.85)
burnads.com/swf/gnida.swf?campaign=1akeweak
burnads.com/swf/gnida.swf?campaign=flatfootup
08. v0zemili0garan0n.com
v0zemili0garan0n.com/statsg.php?u=1199391035
09. adtraff.com (84.243.252.84)
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoeadtraff.com/swf/gnida.swf?campaign=weightt0
10. mysurvey4u.com (194.110.67.22)
mysurvey4u.com/swf/gnida.swf?campaign=rubberu5
mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe
11. traveltray.com (194.110.67.23)
traveltray.com/swf/gnida.swf?campaign=pavoninean
12. tds.promoplexer.com (217.20.175.39)
tds.promoplexer.com/statsg.php
adtds2.promoplexer.com/in.cgi?2
Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :
aboutstat.com
newstat.net
officialstat.com
stathisranch.net
station-appraisals.net
Contact details of the fake new media advertising agencies :
- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210
- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"
mysurvey4u.com
- AdTraff - "Leader enterprise in Online Marketing"
Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70
Detection rate :
gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc
The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.
Continue reading →
Subscribe to:
Comments (Atom)
RSS Feed