The United Nations Serving Malware

Yet another massive SQL injection attack is making its rounds online, and this time without the SEO poisoning as an attack tactic, has managed to successfully infect the United Nations events page, which is now also marked as malware infected page, and with a reason since both the malicious URl and the injection are still active. According to WebSense :

"This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too. "

Let's assess the malicious injection. nihaorr1.com/ 1.js (219.153.46.28) is attempting to load nihaorr1.com/ 1.htm, where several other internal exploit serving URLs and javascript obfuscations load through IFRAMES, such as :

nihaorr1.com/ Real.gif
nihaorr1.com/ Yahoo.php
nihaorr1.com/ cuteqq.htm
nihaorr1.com/ Ms07055.htm
nihaorr1.com/ Ms07033.htm
nihaorr1.com/ Ms07018.htm
nihaorr1.com/ Ms07004.htm
nihaorr1.com/ Ajax.htm
nihaorr1.com/ Ms06014.htm
nihaorr1.com/ Bfyy.htm
nihaorr1.com/ Lz.htm
nihaorr1.com/ Pps.htm
nihaorr1.com/ XunLei.htm

and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) :

Scanners Result: 18/32 (56.25%) :
W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr
File size: 24667 bytes
MD5...: 4b913be127d648373e511974351ff04e
SHA1..: 0ab703c93e3ad7c03d1aae5ea394d7db3b89bfd2

Another internal IFRAME serving exploits is also loading at haoliuliang.net, gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served :

Scanners Result: 26/32 (81.25%)
Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
File size: 7205 bytes
MD5...: af05c777700b338f428463e56f316a05
SHA1..: bd68f621ec6c9796afa8b766c6cf4167afbd4703

As it appears, everyone's a victim of web application vulnerabilities discovered automatically, and either filtered based on high-page rank, or trying to take advantage of the long-tail of SQL injected sites to compensate for the lack of vulnerable high profile sites.

Related posts:
UNICEF Too IFRAME Injected and SEO Poisoned
Embedded Malware at Bloggies Awards Site
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Continue reading →

The DDoS Attack Against CNN.com

The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com

CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.

- Through the use of DIY DDoS Tools

Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :

Scanners Result: 3/32 (9.38%)
DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b

For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.


- Collectively building bandwidth capacity and mobilizing novice cyber warriors

What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.

hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.html
xdadmin.com/cnn.html
ah930.com/cnn.html
s234sdf3.cn.webz.datasir.com/cnn.asp
bbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htm
ily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.html
yaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htm

This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :

Anti-CNN Plans v4.19

"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.

We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.

Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.

Plot:
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!

iframe Id="cnn" width="100%" height="100">
script>
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit

You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:

We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "

This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.

Continue reading →

Chinese Hacktivists Waging People's Information Warfare Against CNN

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list. Continue reading →

Ten Signs It's a Slow News Week

You know it's a slow news week when you come across :

1. Articles starting that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it

2. Articles starting that spam and malware attacks will increase and get more sophisticated - and the sun too, will continue expanding

3. Articles discussing a new malware spreading around instant messenging networks -- psst they're hundreds of them currently spreading

4. Articles discussing how signature based malware scanning is dead while an anti virus vendor's ad is rotating on the right side of the article - it's not dead it's just getting bypassed as a reactive security measure by the bad guys

5. Articles commenting on an exploit code for a high risk vulnerability made it public -- it's been usually circulating around VIP underground forums weeks before it made to the mainstream media, with script kiddies leaking it to other script kiddies

6. Articles pointing out how phishers started targeting a specific company - they target them all automatically, so don't take it personally if it's your company getting targeted

7. Article emphasizing on how mobile malware will take over the world, despite that there no known outbreaks currently active in the wild - once mobile commerce stars taking place in full scale for sure

8. Articles pointing out that having a firewall and an updated anti virus software is important - in times when client side vulnerabilities are serving a new binary on the fly with quality assurance applied before the campaign is launched to make sure it will bypass the most popular firewalls, things are changing and so must your perspective on what's important

9. Articles discussing which OS is the most secure one - the better configured one in terms of usability vs security, or the one where there're no currently active bounties offered for vulnerabilities within

10. Articles mentioning that China is hosting the most malware in the world - and while China is hosting it, the U.S is operating the most malware C&Cs in the world Continue reading →

Phishing Tactics Evolving

Malware authors, phishers and spammers have been actively consolidating for the past couple of years, and until they figure out to to vertically integrate and limit the participation of other parties in their activities, this development will continue to remain so. Malware infected hosts are not getting used as stepping stones these days, for OSINT or cyber espionage purposes, but also, for sending and hosting phishing pages, a tactic in which I'm seeing an increased interest as of recently. Here are some example of recently spammed phishing campaigns hosting the phishing pages on end user's PCs :

- pool-71-116-244-232.lsanca.dsl-w.verizon.net
- user-142o3ds.cable.mindspring.com/online.lloydstsb.co.uk/customer.ibc/logon.html
- user-142o3ds.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-142o3ds.cable.mindspring.com/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk
- stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/halifax-online.co.uk/_mem_bin
- zux006-052-125.adsl.green.ch/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- rrcs-74-218-5-6.central.biz.rr.com/webview/files//onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-0c93qog.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller

The second tactic that I've been researching for a while is that of remotely SQL injecting or remotely file including phishing pages on vulnerable sites, as for instance, someone's actively abusing vulnerable sites, which are apparently noticing this malicious activities and taking care of their web application vulnerabilities. Some recent examples include :

- kclmc.org/components/www.halifax.co.uk/_mem_bin/FormsLogin.aspsource=halifaxcouk/Index.PHP
- citrusfsc.org/templates_c/www.halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/index.html
- agentur-schneckenreither.com/administrator/components/com_joomfish/help/www.halifax.co.uk/_mem_bin/formslogin.asp/index.php
- dziswesele.pl/media/www.halifax.co.uk/_mem_bin/formslogin.asp/

In November, 2007, I started making the connecting between a Turkish defacement group that wasn't just defacing the web sites it was coming across, but was also hosting malware on the vulnerable sites :

"It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks."

As of recently, I'm starting to see more such activity, with various defacing groups realizing that monetizing their defacements can indeed improve their revenue streams. For instance, findaswap.co.uk/administrator/components/com_extplorer/www.Halifax.co.uk/_mem_bin/formslogin.asp/was serving a phishing page, and was also recently hacked by a Turkish defacement group. Moreover, equidi.com which is currently defaced is also hosting the following phishing pages within its directory structure, namely, equidi.com/New2008/Orange; equidi.com/New2008/www.bankofamerica.com; equidi.com/New2008/www.halifax.co.uk

Why are all of these tactics so smart? Mainly because they forward the responsibility to the infected party, and I can reasonably argue that a phishing page hosted at a .biz or .info tld will get shut down faster than the one hosted at a home user's PC. As for the SQL injections, the RFI, and the consolidation between defacers and phishers if it's not defacers actually phishing for themselves, what we might witness anytime now is a vulnerable financial institutions web sites' hosting phishing page, or its web application vulnerabilities used against itself in a social engineering attempt. Continue reading →

The Rise of Kosovo Defacement Groups

There's no better way to assess the incident that still haven't made it into the mainstream media, but to violate defacement group's OPSEC, by obtaining internal metrics for defaced sites on behalf of a particular group. According to this screenshot, released by one of the members of the Kosovo Hackers Group, a group that's been defacement beneath the radar as of recently, the mass deface included 300 sites, and on the 13th of April, Quebec's Common Ground Alliance site got also defaced by the group. Web application vulnerabilities in a combination with SQL injecting web backdoors is what is greatly contributing to the success of newly born defacement groups. And of course, commercially obtainable tools as you can see one of the bookmarks in the screenshot, indicating the use of such.

The rise of this particular group greatly showcases the cyclical pattern of cyber conflicts as the extensions of propaganda, PSYOPs and demonstration of power online, most interestingly the fact that at the beginning of their capabilities development process, they target everyone, everywhere, to later on move to more targeted attacks to greatly improve the effectiveness of the PSYOPs motives. Continue reading →

China's CERT Annual Security Report - 2007

Every coin has two sides, and while China has long embraced unrestricted warfare and people's information warfare for conducting cyber espionage, China's networked infrastructure is also under attack, and is logically used as stepping stone to hit others country's infrastructures, thereby contributing to the possibility to engineer cyber warfare tensions.

A week ago, China's CERT released their annual security report (in Chinese for the time being), outlining the local threatscape with data indicating the increasing efficiency applied by Turkish web site defacement groups, in between the logical increases in spam/phishing and malware related incidents. Here's an excerpt from the report :

"According CNCERT / CC monitoring found that in 2007 China's mainland are implanted into the host Trojans alarming increase in the number of IP is 22 times last year, the Trojans have become the largest Internet hazards. Underground black mature industrial chain for the production and the large number of Trojans wide dissemination provides a very convenient conditions, Trojan horses on the Internet led to the proliferation of a lot of personal information and the privacy of data theft, to the personal reputation and cause serious economic losses; In addition, the Trojans also increasingly being used to steal state secrets and secrets of the state and enterprises incalculable losses, the Chinese mainland are implanted into the Trojan Horse computer controlled source, the majority in China's Taiwan region, the phenomenon has been brought to the agency's attention. Zombie network is still the basic network attacks platform means and resources. 2007 CNCERT / CC sampling found to be infected with a zombie monitoring procedures inside and outside the mainframe amounted to 6.23 million, of which China's mainland has 3.62 million IP addresses were implanted zombie mainframe procedures, and more than 10,000 outside the control server to China Host mainland control. Zombie networks primarily be used launch denial of service (DdoS) attacks, send spam, spread malicious code, as well as theft of the infected host of sensitive information, issued by the zombie network flow, distributed DDOS attack is recognized in the world problems not only seriously affect the operation of the Internet business, but also a serious threat to China's Internet infrastructure in the safe operation. 2007 China's Internet domain name registration and the use of quantitative rapid growth, reaching 11.93 million, an annual growth rate of 190.4 percent, while hackers use of domain names has become a major tool. Use of domain names, the attackers could be flexible, hidden website linked to the implementation of large-scale horse zombie network control, network malicious activities such as counterfeiting. Fast-Flux domain names, such as dynamic analysis technologies, resulting in accordance with the IP to the attacks more difficult to trace and block; 2007 domain names which has been in use analytical services for the existence of security flaws, the public domain analysis of the server domain hijacking security incidents, a large number of users without knowing the circumstances of their fishing lure to the site or sites containing malicious code, such incidents very great danger. Therefore, the strengthening of the management of domain names and domain names analytic system's security protection is very important."

6.23 million botnet participating hosts according to their stats, where 3.62 million are Chinese IPs is a great example of how the Chinese Internet infrastructure's getting heavily abused by experienced malware and botnet masters, primarily taking advantage of what's old school social engineering, and outdated malware infection techniques, which undoubtedly will work given China's immature and inexperienced from a security perspective emerging Internet generation.

Getting back to the globalization and efficiency of Turkish web site defacement groups' worldwide web application security audit, indicated in the report, according to China's CERT these are the top 10 defacers, where 7 are well known Turkish ones, and 3 are interestingly Chinese :

sinaritx - 1731 defacements

1923turk - 1417 defacements

the freedom - 1156 defacements

aLpTurkTegin - 1052 defacements

Mor0Ccan Islam Defenders Team - 864 defacements

iskorpitx - 761 defacements

lucifercihan - 525 defacements

It's also interesting to see pro-democratic Chinese hackers attacking homeland networks.

Cyber warfare tensions engineering is only starting to take place, and state sponsored or perhaps even tolerated cyber espionage building capabilities in order for the state to later on acquire the already developed resources and capabilities in a cost-effective manner. However, considering the recent cyber attacks against "Free Tibet" movements, as well as the DDoS attack attempts at CNN due to CNN's coverage of Tibet, Chinese cyber warriors continue demonstrating people's information warfare, and Internet PSYOPs by developing an anti-cnn.com (121.52.208.243) community, with some catchy altered images from the originals broadcasted worldwide, and with a special section to improve China's image across the world.

And logically, there's a PSYOPs centered malware released in the wild, a sample of which is basically embedding links to a non-existent domain, descriptive enough to point to TibetIsAPartOFChina.com :

%\CommonDocuments%\My Music\My Playlists\WWW.cgjSFGrz_TibetIsAPartOFChina.COM

%CommonDocuments%\My Music\WWW.bimStzno_TibetIsAPartOFChina.COM

%CommonDocuments%\My Videos\WWW.kUJs_TibetIsAPartOFChina.COM

%CommonPrograms%\Accessories\Accessibility\WWW.RSulr_TibetIsAPartOFChina.COM

%CommonPrograms%\Accessories\System Tools\WWW.aEGXBl_TibetIsAPartOFChina.COM

Now that's effective digital PSYOPs, isn't it? If you're visionary enough to tolerate the development of underground communities, whereas ensuring their nationalism level remain a priority for anything they do, you end up with a powerful cyber army whose every action perfectly fits with your political and military doctrine, without you even bothering to coordinate their efforts, thereby eliminating the need for a command and control structure.

Related posts:

China's Cyber Espionage Ambitions
Chinese Hackers Attacking U.S Department of Defense Networks
Inside the Chinese Underground Economy
China's Cyber Warriors - Video Continue reading →

Phishing Emails Generating Botnet Scaling

A bigger and much more detailed picture is starting to emerge, with yet another spammed malware campaign courtesy of the botnet that is so far responsible for a massive flood of fake Windows updates, phishing emails targeting the usual diverse set of brands, fake yahoo greeting cards, and most recently delivering "executable news items", through Backdoor.Agent.AJU malware infected hosts.

Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :

- Sender Address: "NatWest Internet Banking '2008" to Recipient: <@fs1.ge.man.ac.uk>Subject: Natwest Bank Bankline: Confirm Your Login Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "NatWest Bank On-line Banking'2008" to Recipient: <@bbc.co.uk> Subject: Natwest OnLine Banking Important Notice From Technical Department Id: 9044 Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "Natwest Bank Internet Banking Support" to Recipient: <@yahoo.co.uk> Subject: NatWest Private and Corporate: Confirm Your Login Password Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.

- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@yahoo.co.uk> Subject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191 Email Content: //pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@56bridgwater.fsnet.co.uk> Subject: Natwest Internet Banking: Please Update Your Internet Banking Details Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwszewcnnhrrDRCfszlaucndsOoerdnOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 66.199.241.98/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :

news_report-pdf_content.exe

Scanners result : 14/31 (45.17%)

Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG

File size: 45056 bytes

MD5...: c4849207a94d1db4a0211f88e84b0b59

SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c

SHA256: 12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

An internal nameservers ecosystem within the botnet, active and resolving :

ns1.ns4.ns2.ns3.id759.com

ns3.ns1.id759.com

ns1.ns2.ns1.ns4.ns2.ns3.id759.com

ns1.ns2.ns3.id759.com

ns1.ns2.ns4.id759.com

ns1.ns4.ns4.ns2.ns3.id759.com

ns2.id759.com

ns2.ns1.ns2.ns3.id759.com

ns2.ns1.ns2.ns4.id759.com

ns3.ns2.ns1.ns2.ns3.id759.com

ns4.ns1.ns1.ns2.ns3.id759.com

Yet another internal nameservers ecosystem within the botnet :

ns1.serial43.in

ns2.serial43.in

ns3.serial43.in

ns4.serial43.in

ns1.ns1.ns1.serial43.in

ns1.ns2.ns1.ns1.serial43.in

ns1.ns2.ns2.serial43.in

ns1.ns4.ns1.ns1.serial43.in

ns2.ns1.ns2.serial43.in

ns2.ns1.ns4.ns1.ns1.serial43.in

ns2.ns2.ns1.ns1.serial43.in

To sum up - these are all of the domains currently active and used for the malware/spam/phishing campaigns on behalf of this botnet :

server52.org

set45.net

site83.net

sid95.com

shell54.com

siteid64.com

setup36.com

share73.com

service28.biz

There are several scenarious related to this particular botnet. Despite that it's the same piece of malware that's successfully adding new zombies to the infected population, the diversity of the campaigns, as well as the fact that for instance share73.com is registered by casta4000 @ mail.ru and is into the "reklama uslug" business which translates to advertising services, in this case spam and phishing emails sending on demand, access to the botnet could be either offered on demand, or the service itself performed in a typical managed spamming appliance outsourced business model. Are they also vertically integrating in respect to the fast-fluxing? Yes they are, since they're achieving it without the need to hire a managed fast-flux provider, which isn't excluding the possibility that they aren't in fact one themselves, as it's evident they've got the capability to become one.

Continue reading →

Fake Yahoo Greetings Malware Campaign Circulating

The persistence of certain botnet masters cannot remain unnoticed even if you're used to going through over a dozen active malware campaigns per day, in this case it's their persistence that makes them worth assessing and profiling. The botnet which I assesed in February, the one that was crunching out phishing emails and using the infected hosts for hosting the pages, and parking the phishing domains, is still operational this time starting a fake Yahoo Greetings malware campaign by spamming the cybersquatted domains and enticing the user into updating their flash player with a copy of Backdoor.Agent.AJU.

Upon visiting www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm it redirects to www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm

id759.com is currently responding to 24.161.232.218; 24.192.140.204; 68.36.236.67; 76.230.108.105; 83.5.203.163; 85.109.42.164; 216.170.109.206 and also to set45.net; service28.biz; setup36.com and serves the Backdoor.Agent :

www3.yahoo.americangreetings.com.id759.com/ecards/get_new_flashplayer .exe

Scanners Result : 12/31 (38.71%)
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado
File size: 44544 bytes
MD5...: fe97eb8c0518005075fd638b33d5b165
SHA1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b
SHA256: 138d31ae1bbdec215d980c7b57be6e624c2f2e1cacd3934b77f50be8adabfb97

"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open random TCP port in a multiple instances attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email."

tag38.com is responding to 211.142.23.21, and is a part of a scammy ecosystem of other phishing and malware related domains responding to the same IP. And these are the related subdomains impersonating Yahoo Greetings within :

american-greeting.ca.xml52.com
www5.yahoo.american-greeting.ca.xml52.com
www9.yahoo.americangreeting.ca.www05.net
yahoo.americangreetings.com.droeang.net
yahoo.americangreetings.com.s8a1.psmtp.com
yahoo.americangreetings.com.s8a2.psmtp.com
yahoo.americangreetings.com.s8b1.psmtp.com
yahoo.americangreetings.com.s8b2.psmtp.com
yahoo.americangreetings.droeang.net
yahoo.americangreeting.ca.www05.net
www6.yahoo.american-greetings.com.www05.net

What you see when in a hurry is not what you get when you got time to look at it twice. This and the previous campaign launched by the same party is a great example of risk and responsibility forwarding, in this case to the infected party, so what used to be a situation where an infected host was sending spamming and phishing emails only, is today's malicious hosting infrastructure on demand. Continue reading →

Web Email Exploitation Kit in the Wild

XSS exploitation within the most popular Russian, and definitely international in the long-term, web email service providers is also embracing the efficiency mindset as a process. This web based exploitation kit is great example of customization applied to publicly known XSS vulnerabilities within a segmented set of web sites, email providers in this case.

The kit's pitch automatically translated :

"Ie script contains vulnerability to 15 - not the most popular Russian postal services (except
buy), and one of the largest foreign mail servers that provide free mail - mail.com. Three of the vulnerabilities work only under Internet Explorer, all the rest - under Internet Explorer and Opera.

The system also includes a 16 ready-to-use pages feykovyh authorization to enter the mail. Thus the use of the script is that you choose a template-XSS (code obhodyaschy security filters for your desired mail server) on which the attack would take place, complete field for a minimum of sending letters (sender, recipient, the subject, message) and choose Type of stuffing: 1) your own yavaskript code (convenient option to insert malicious code with iframe) 2) code, driving the victim to a page feykovuyu authorization. In the first case, the victim is in the browser's just a matter of your own scripte but in the second case, the victim is redirected to a page with false authorization, there enters its data, which logiruyutsya you, and sent back to his box. For the script is simple and free hosting with support for sendmail, php, but nonetheless you should be aware that for more kachetvennoy work will not prevent you buy a beautiful domain. Also appearing inexpensive paid updated as closing loopholes in the mail filters."

Automating the process of phishing by using the vulnerable sites as redirectors can outpace the success of the Rock Phish kit whose key success factor relies on diversity of the brands targeted whereas all the campaigns operate on the same IP.

Moreover, as we've seen recently, highly popular and high-profile sites whose ever growing web applications infrastructure continues to grow, still remain vulnerable to XSS vulnerabilities which were used in a successful blackhat SEO poisoning campaign by injecting IFRAME redirectors to rogue security applications in between live exploit URLs. In fact, Ryan Singel is also pointing out on such existing vulnerability at the CIA.gov, showcasing that spear phishing in times when phishers, spammers and malware authors are consolidating, can be just as effective for conducting cyber espionage, just as gathering OSINT through botnets by segmenting the infected population is. Why try to malware infect the high-profile targets, when they could already be malware infected?

Furthermore, XSS vulnerabilities within banking sites are also nothing new, and as always the very latest XSS vulnerabilities will go on purposely unreported by the time phishers move onto new ones. How about the customer service aspect given that this XSS exploitation kit is yet another example of a proprietary underground tool? If the XSS vulnerabilities aren't working, custom zero day XSS vulnerabilities within the providers can be provided to the customer. Commercializing XSS vulnerabilities is one thing, embedding the exploits in a do-it-yourself type of tool another, but positioning the kit as a efficient way for running your "Request an Email Account to be Hacked" business is entirely another, which is the case with the kit.

In 2008, is the infamous quote "Hack the Planet!" still relevant, or has it changed to "XSS the Planet!" already, perhaps even "Remotely File Include the Planet!"? Continue reading →

Malware and Exploits Serving Girls

Descriptive domains such as beautiful-and-lonely-girl dot com, amateur homepage looking sites, a modest photo archive of different girls, apparently amateur malware spreaders think that spamming these links to as many people as possible would entice them into visting the sites, thus infecting themselves with malware.

It all started with Lonely Polina, than came lonely Ms. Polinka, and now we have Victoria. And despite that Polina and Polinka are both connected in terms of the malware served, and the natural RBN connection in face of HostFresh, as well as the site template used, Victoria is an exception. Some details on the recently spammed campaign :

voena.net (199.237.229.158) is also responding to prettyblondywoman.com, where the exploit (WebViewFolderIcon setSlice) and the malware (Trojan-Spy.Win32.Goldun) are served from voena.net/incoming.php and voena.net/get.php, both with a high detection rate 27/32 (84.38%).

Individual homepages are dead, and this is perhaps where the social engineering aspect of the attack fails, all these girls for sure have their MySpace profiles up and running already, in between taking advantage of a popular photo sharing service. Continue reading →

Localized Fake Security Software

Would you believe that in times when top tier antivirus vendors are feeling the heat from the malware authors' DoS attacks on their honeyfarms, and literally cannot keep up with their releases, someone out there is using an antivirus scanner that doesn't really exist? It's one thing to promote fake security software in a one-to-many communication channel by using a single language in a combination with cybersquatted domains, and entirely another to do the same in different languages. Localization for anything malicious is already taking place, as originally anticipated as an emerging trend back in 2006. The following currently active fake security software scams are promoted in Dutch, French, German, Italian, and you don't get to download them until you hand out your credit card details, and once you do so, you'll end up in the same situation just like many other people did in the past. Some sample fake brands :

SpyGuardPro; PCSecureSystem; AntiWorm2008; WinSecureAv; MenaceRescue; PCVirusless; LifeLongPC; NoChanceForVirus; MenaceMonitor; TrojansFilter; TrojansFilter; LongLifePC; KnowHowProtection; BestsellerAntivirus; PCVirusSweeper; AVSystemCare; AVSecurityPlus; AVSecurityPlus; PCAssertor; PoseidonAntivirus; TrustedAntivirus; PCBoosterPro; DefensiveSystem; GoldenAntiSpy; AntiSpywareSuite; AntiMalwareShield; AntivirusPCSuite; AntivirusForAll; TrustedProtection; NoWayVirus; AntiSpywareConductor; AntiSpywareMaster; TurnkeyAntiVirus; YourSystemGuard;

Portfolio one :

alfaantivirus.com
antivirusalmassimo.com
farrevirus.com
fomputervagt.com
figitalerschutz.com
flmejorcuidado.com
ferramentantivirus.com
filterprogram.com
filtredevirus.com
geeninfectie.com
harddrivefilter.com
keineinfektionen.com
longueviepc.com
maseg.net
nonstopantivirus.com
pcantivirenloesung.com
pcsystemschutz.com
plutoantivirus.com
psbeveiligingssysteem.com
riendevirus.com
securepcguard.com
sekyuritikojo.com
sistemadedefensa.com
sumejorantivirus.com
totaltrygghet.com
viruscontrolleuer.com
viruswacht.com
votremeilleurantivirus.com
zeusantivirus.com

Portfolio two :

advancedcleaner.com
alltiettantivirus.com
antispionage.com
antispionagepro.com
antispypremium.com
antispywarecontrol.com
antispywaresuite.com
antiver2008.com
antivirusaskeladd.com
antivirusfiable.com
antivirusforall.com
antivirusforalla.com
antivirusfueralle.com
antivirusgenial.com
antivirusmagique.com
antivirusordi.com
antivirusparatodos.com
antiviruspcpakke.com
antiviruspcsuite.com
antiviruspertutti.com
antivirusscherm.com
antiworm2008.com
antiwurm2008.com
archivoprotector.com
avsystemcare.com
avsystemshield.com
barrevirus.com
bastioneantivirus.com
bestsellerantivirus.com
bortmedvirus.com
cerovirus.com
debellaworm2008.com
defensaantimalware.com
defensaantivirus.com
drivedefender.com
exterminadordevirus.com
fiksdinpc.com
mijnantivirus.com
mobileantiviruspro.com
norwayvirus.com
nowayvirus.com
pcantivirenloesung.com
plutoantivirus.com
viruscontrolleuer.com
zebraantivirus.com
zeusantivirus.com

Portfolio three :

pcsecuresystem.com
antiworm2008.com
winsecureav.com
menacerescue.com
pcvirusless.com
lifelongpc.com
nochanceforvirus.com
menacemonitor.com
trojansfilter.com
longlifepc.com
knowhowprotection.com
bestsellerantivirus.com
pcvirussweeper.com
antiespiadorado.com
avsecurityplus.com
apolloantivirus.com
pcassertor.com
menacesecure.com
poseidonantivirus.com
trustedantivirus.net
pcboosterpro.com
defensivesystem.com
goldenantispy.com
avsystemcare.com
trustedantivirus.com
antimalwareshield.com
avsystemcare.com
antiviruspcsuite.com
antivirusforall.com
trustedprotection.com
nowayvirus.com
pcantiviruspro.com
antispywareconductor.com
antispywaremaster.com
turnkeyantivirus.com
yoursystemguard.com

Just like a previous proactive incident response where I pointed out that these fake security applications are starting to appear as the final output in malicious campaigns injected
at high profile sites, ensuring that your customers or infrastructure cannot connect to these, will render current and upcoming massive IFRAME injected or embedded attacks pointless at least from the perspective of serving the rogue software.

Continue reading →

ICQ Messenger Controlled Malware

IM me a command, master - part two. Diversifying the command and control channels of malware is always in a permanent development phrase, with malware authors trying to adapt their releases in order for them to bypass popular detection mechanisms. IM controlled malware is a great example of such a development, and now that I've already covered a Yahoo Messenger controlled malware in previous post, it would be logical to come up with more evidence on alternative IM networks used as a main C&C interface, such as ICQ in this case. The ICQ controlled malware's pitch :


"With this program, you will always be able to access the necessary functions of your computer using ordinary ICQ. It has the opportunity to add their scripts and commands, thus becoming a universal tool for controlling the computer - it all depends on your imagination and skills. Through the program operations like the following can be run by default - viewing directories, displaying messages, lauching programs, killing processes, shutdown, view active windows, and much more."


Released primarily as a Proof of Concept, its source code is freely available which as we've already seen in the past results in more innovation added on behalf of those using the idea as a foundation for achieving their own malicious purposes.


The whole concept of abusing third-party communication applications for malware purposes, has always been there, in fact two years ago, there were even speculations that Skype could be used to control botnets. A fad or a trend? The lone malware author who's not embracing malicious economies of scale and looking for reliable and efficient ways to infect and control as many hosts as possible, is taking advantage of this, the rest are always looking for ways to port their botnets to a different C&C without loosing a single host in order to benefit from what a web application C&C can provide in respect to the old-fashioned IRCd command line commands. Continue reading →

Romanian Script Kiddies and the Screensavers Botnet

Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn't necessarily mean you posses a certain know-how, a know-how that experienced botnet masters have been outsourcing for years. Malware is obtained through links pointing to :

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanners result : Result: 22/32 (68.75%)
Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5...: 015e5826084f2302b4b2c3237a62e244
SHA1..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output :
"NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx"

And in next couple of hours, the most interesting domain that joined the IRC channel was :

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.

This botnet's futile attempt to scale is a great example of the growing importance of knowlege and experience empowered botnet masters, as a key success factor for sustainability, and also, basic understanding of economic forces, namely, when they're not making an investment there cannot be a return on investment on their efforts at the first place. Take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at alternative botnet C&C channels courtesy of botnet masters realizing that diversity is vital. Continue reading →

Skype Spamming Tool in the Wild

Have you ever wondered what's contributing to the rise of instant messanging spam (SPIM), and through the use of which tools is the proccess accomplished? Take this recent proposition for a proprietary Skype Spamming Tool, and you'll get the point from a do-it-yourself (DIY) perspective. This proprietary tool's main differentiation factor is its wildcast capability, namely searching for John will locate and send mass authorization requests to all usernames containing John. So basically, by implementing a simple timeout limit, mass authorization requests are successfully sent. The more average the username provided, the more contacts obtained who will get spammed with anything starting from phishing attempts and going to live exploit URLs automatically infecting with malware upon visiting them.

There're, however, two perspectives we should distinguish as seperate attack tactics, each of which requires a different set of expertise to conduct, as well as different entry barries to bypass to reach the efficiency stage. If you find this DIY type of tool's efficiency disturbing in terms of the ease of use and its potential for spreading malware serving URLs, you should consider its logical super efficiency stage, namely the use of botnets for SPIMMING.

Will malware authors, looking for shorter time-to-infect lifecycles, try to replace email as infection vector of choice, with IM applications, which when combined with typosquatting and cybersquatting could result in faster infections based on impulsive social engineering attacks? Novice botnet masters looking for ways to set up the foundations of their botnet could, the pragmatic attacks will however, continue using the most efficient and reliable way to infect as many people as possible, in the shortest timeframe achievable - injecting or embedding malicious links at legitimate sites.

Related posts:
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware Continue reading →