Summarizing June's Threatscape

July 01, 2008
June's threatscape, which I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. The return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both researchers and malicious parties to assess the severity of a particular banker malware campaign, and the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking all speak for themselves about how diverse the threats and, of course, the abilities to maintain decent situational awareness of what's going on have become.

01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here, since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages were shut down in less than 12 hours upon notification.

02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild showed that the price discrimination they applied greatly reflects the current lack of transparency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclusive good. Nowadays, they are a commodity good and often a bargain.

03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online revealed a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non-existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network.

04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of purchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across on a daily basis, and that's a lot of botnets, is also there.

05. Who's Behind the GPcode Ransomware? - The title speaks for itself; the research, with enough actionable intelligence gathered in the shortest timeframe possible, is already proving accurate and highly valuable. How come? Stay tuned for more developments.

06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro, who are also following this, that the site is up and running again. Not for long.

07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using Flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner".

08. Monetizing Web Site Defacements - Web site defacements are getting monetized, just like SQL injections are, in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund.

09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed through a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks.

10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versions of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw, released publicly in May, 2008, allows not just others to hijack someone's ebanking botnet, but also vendors and researchers to better assess a vulnerable Zeus command and control location.

11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering trick that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which, when combined, can result in a lot of people unknowingly visiting the sites.

12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indication that they are currently typosquatting other social networking sites, like Hi5 for instance.

13. Underground Multitasking in Action - As a firm believer in taking a random sample for a particular threat segment, this was one of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used.

14. An Update to Photobucket's DNS Hijacking - Although Photobucket didn't officially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com.

15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding of how structured the ecosystems are.

16. Backdooring Cyber Jihadist Ebooks for Surveillance Purposes - Although in this case we have a cyber jihadist backdooring his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspects' PCs, so why not SQL inject the cyber jihadist forums themselves?

17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following: do they even have a web site that's up and running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998.

18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here; go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking.

19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself.

The Malicious ISPs You Rarely See in Any Report

June 30, 2008


The recently released badware report entitled "May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prevalence of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure at a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts and exploited web servers creates a "twisted reality" where the countries with the most dispersed infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.



The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :



- CHINANET-BACKBONE No.31,Jin-rong Street

- CHINA169-BACKBONE CNCGROUP China169

- CHINANET-SH-AP China Telecom (Group)

- CNCNET-CN China Netcom Corp.

- GOOGLE - Google Inc.

- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.

- SOFTLAYER - SoftLayer Technologies Inc.

- THEPLANET-AS - ThePlanet.com Internet Services, Inc.

- INETWORK-AS IEUROP AS

- CHINANET-IDC-BJ-AP IDC, China



With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that "the whole is greater than the sum of its parts", in this case the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack, is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.



And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitably start witnessing more evasive practices applied in the very short term.



Related posts:

The New Media Malware Gang - Part Three

The New Media Malware Gang - Part Two

The New Media Malware Gang

HACKED BY THE RBN!

Rogue RBN Software Pushed Through Blackhat SEO

RBN's Phishing Activities

RBN's Puppets Need Their Master

RBN's Fake Account Suspended Notices

A Diverse Portfolio of Fake Security Software

Go to Sleep, Go to Sleep my Little RBN

Exposing the Russian Business Network

Detecting and Blocking the Russian Business Network

Over 100 Malwares Hosted on a Single RBN IP

RBN's Fake Security Software

The Russian Business Network

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

June 27, 2008
The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket's domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.



Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com



More details will be posted as soon as they emerge.



UPDATE:



The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :



Ankle-biting hackers storm net's overlords, hijack their domains

Hackers hijack critical Internet organization sites

No such thing as a guaranteed safe site

Good Always Comes Out of Bad

Hackers Deface ICANN, IANA Sites

ICANN publicity may have triggered malicious behavior

Turkish Hackers Relive Memories in Photobucket

ICANN Web Site Compromise




Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :



"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."



Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :



"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."



This is the second time in a row that a DNS hijacking happens through Register.com, compared to Comcast.net's one done through Network Solutions.

Right Wing Israeli Hackers Deface Hamas's Site

June 26, 2008
Compared to historical hacktivism tensions between different nations, Israeli and Palestinian hacktivists seem to be most sensitive to "virtual fire exchange" like this one, and consequently, just like in real life, always look for and find an excuse to engage in a conflict. Israeli hackers penetrate Hamas website :

"Israeli hackers boasted Thursday about breaking into the website of Izz al-Din al-Qassam, Hamas’ military wing, which now displays a white screen and words in Arabic announcing technical difficulties. The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. In a Ynet interview, a group representative who refused to reveal his name said, “We searched for relevant sites with the criteria we look for, whether leftist or anti-Zionist, and looked for loopholes. Our emphasis was always on the al-Qassam site. "The criteria are defined as anti-Zionist or anti-Jewish sites that support or assist in harming Zionism and the existence of Israel as a Zionistic, Jewish state."

The message they left :

"Hacked by XcxooXL and FENiX from Fanat Al Radical Greets: Sn4k3 Contact: Fanat.al.Radical@gmail.com "

These script kiddies using SQL injection vulnerabilities within the affected sites, since they indeed managed to deface several others as well, seem to have also participated in the 2006 cyber conflict sparked by the kidnapping of three soldiers. One of their defacements still remains active (aviv.perffect-x.net/deface.html)

"We will stand against the Islam until the kidnapped soldiers, Gilad Shalit, Eldad Regev and Ehod Goldvaser will be return, We will attack arabic servers and site which support the Islam and protest against the zionism"

What if every script kiddie with a SQL injection scanner goes into politics? It's a mess already.

Related posts:
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists

Backdooring Cyber Jihadist Ebooks for Surveillance Purposes

June 25, 2008
It appears that cyber jihadists are striking back at the academic and intelligence community, by binding their propaganda Ebooks with malware, then distributing them across different forums, thanks to a recently analyzed Ebook entitled "The Al-Qaeda network's timely entrance in Palestine" distributed by the Global Islamic Media Front - hat tip to Warintel.

If it were posted by a newly joined forum member, it would have logically raised the suspicion that it's in fact intelligence agencies spreading malware infected Ebooks around cyber jihadist forums, but since this one in particular is being distributed by what looks like a hardcore cyber jihadist, it brings the discussion to a whole new level.

What are they trying to achieve? Abuse the already established trust of their readers and cyber jihadist supporters in order to snoop on their Internet activities, or is it the academic and intelligence community they are trying to monitor? In times when botnets can be rented and created on demand, they seem to be more interested in infecting their enemies. Moreover, I suspect that prior to the forum posting, private messages and emails were automatically sent to notify members whose number of posts at the forum greatly outpaces those of average observers, perhaps the target in such an attack.

The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra. Consider reading a previous post on "Terror on the Internet - Conflict of Interest" as well as going through the related posts summarizing all the cyber jihadist research I've conducted so far.

Fake Porn Sites Serving Malware

June 25, 2008
Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The ease of management of such domain farms and the availability of templates for highly trafficked topic segments such as celebrities and pornography continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting not just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5&parameter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :


Associated fake porn sites :



If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

An Update to Photobucket's DNS Hijacking

June 24, 2008
With Photobucket's DNS records recently hijacked by a Turkish hacking group, the second high-profile DNS hijack in the past two months next to Comcast.net's DNS hijacking in May, domain registrant impersonation attacks seem to fully work, and Tier 1 domain registrars remain susceptible to them.

So far, none of these DNS hijacks served any malware, live exploits, or bogus home pages aiming to steal accounting data. However, the DNS hijacking by itself resulted in a Denial of Service attack on Photobucket, one that would have required a great deal of bandwidth if it were executed in the old fashioned frontal attack approach.

And with Photobucket still labeling the DNS hijacking as a "DNS error", their failure to admit what has actually happened is already sparking quite a few negative comments across the Web - with reason. Creating alternate realities when it comes to evidential proof of a hack isn't necessarily state of the art public relations. Photobucket.com's domain registrar, Register.com, comments on the DNS hijacking :

"The Photobucket site was down for a very short time and was restored immediately when we became aware of the issue." Roni Jacobson, general counsel of Register.com, said in a statement on Thursday. "We are currently investigating the source of the problem."

As well as Atspace.com's (Zettahost.com) statement left on their site regarding the DNS hijacking :

"IMPORTANT! Photobucket.com problem read here: Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business! We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals. They have pointed the domain photobucket.com to an account hosted on our systems! We have blocked that and photobucked techs have restored the domain pointing to its original location!ALL account information and pictures on photobucket.com are OK, please have patience! Unfortunately the complete DNS replication usually takes 24-48 hours and during this time caches DNS records might still point to us! The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues! We would like to emphasize that we are in now way responsible for what happens with photobucket and all users bumping across our systems! We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts! If you have any questions please do not hesitate to contact us at abuse@zettahost.com! Thanks for your patience and understanding!"

When the affected company acts like nothing's happened, whereas multiple sources continue providing pieces of the puzzle, a statement on the measures taken to prevent that type of hijacking in the future would be better PR than denying the hijacking in the first place and the fact that they could have pointed Photobucket.com to anywhere they wanted to.

Underground Multitasking in Action

June 23, 2008
How many ways in which a malicious party can abuse its unauthorized access to a host can you think of? In this example of a remotely file included web backdoor (web shell), we have a malicious party that's hosting a web spammer, planning to launch a phishing attack impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security software, redirecting to multiple live exploit URLs through JavaScript obfuscations, as well as to fake casinos and fake celebrity video sites - all from a single location.

This risk-forwarding process for all the malicious and criminal activities to the owner of the compromised web server is something usual; what's more interesting in this case is the number and diversity of the affiliations this guy has set up in order to monetize the unauthorized access by using all the possible sources of revenue, like the ones I pointed out in a previous post regarding the increasing monetization of web site defacements.

In fact, he seems to have built enough confidence in the new "hosting provider" that he's even hosting his blackhat SEO advertising services there. The multiple JavaScript obfuscations hosted locally point to the following malicious domains which expose all the revenue generating affiliations, and even more malicious doorways :


Sample detection rate for the casino adware, a reminder on why you shouldn't play poker on an infected table :

Scanners result : 7/33 (21.22%)
Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18
File size: 466752 bytes
MD5...: b0f70441dde5c2b82ba5388f3d566576
SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d


To sum up - with the overall availability of templates for phishing sites, fake video sites, fake security software, as well as the ongoing convergence of traffic management tools with web malware exploitation kits, the opportunity for a malicious party to participate in different affiliate based scams on a revenue sharing basis increases. Therefore, what looked like an isolated attack is slowly becoming an "attack in between" the rest of the malicious activities launched by the same party.

Phishing Campaign Spreading Across Facebook

June 20, 2008
Phishers have once again indicated their interest in obtaining fresh passwords for social networking sites, by using the already hacked accounts there in order to social engineer the account holder's friends into believing that the phishing links they leave as comments are legitimate. This latest internal phishing campaign circulating across Facebook is a part of a bigger phishing operation, whose reliance on fast-fluxed domains used in the campaign indicates it's a part of a botnet.

Sample messages spammed across Facebook :

"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"

"i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)...her profile is"

"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P her profile is"

Sample phishing URLs and fast-flux domains from this campaign :

- facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12

- facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y

- facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8

- facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2

1d27c9b8fb.com
31dd6db6.com

dortos.net

e77c98037.com

916ad771.info


Related phishing domains sharing fast-flux infrastructure with one another :



They also seem to be in the process of diversifying the social networks to be attacked, having Hi5 in mind - hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem
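
The sample URLs above all put the brand's hostname in the leftmost labels of a host that is registered under an unrelated domain. The following added example (not part of the original post) flags that pattern; the brand watchlist and the small public-suffix set are assumptions of the example, and two of the sample URLs are the ones quoted in the post.

```python
import re

# Brands to watch for (assumption of this example; extend as needed).
BRANDS = ("facebook.com", "hi5.com", "myspace.com")

# Minimal stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "info", "org", "co.uk"}

# Two URLs quoted in the post plus one constructed legitimate URL.
SAMPLE_URLS = [
    "facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12",
    "hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem",
    "http://www.facebook.com/profile.php?id=1",
]

def host_of(url):
    """Extract the lowercase hostname from a URL, scheme optional."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)
    return re.split(r"[/?#:]", url, maxsplit=1)[0].lower().rstrip(".")

def registered_domain(host):
    """Return the registrable domain: one label plus its public suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:  # longest suffix first
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def brand_impersonation(url):
    """Return (brand, registered_domain) when a watched brand name forms
    labels of a host that is registered under some other domain."""
    host = host_of(url)
    reg = registered_domain(host)
    if reg in BRANDS:
        return None  # the host really belongs to the brand
    for brand in BRANDS:
        # Dot-delimited match so "notfacebook.com.x.net" is not flagged.
        if "." + brand + "." in "." + host + ".":
            return (brand, reg)
    return None

def scan(urls):
    """Map each flagged URL to its (brand, registered_domain) finding."""
    findings = {}
    for url in urls:
        hit = brand_impersonation(url)
        if hit:
            findings[url] = hit
    return findings
```

In production the `PUBLIC_SUFFIXES` set would be replaced by the full Public Suffix List, since a partial list misjudges the registered domain for suffixes it does not know.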

Related posts:
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Fake Celebrity Video Sites Serving Malware

June 20, 2008
With blackhat search engine optimization tactics clearly converging with social engineering, the result of which is the increasing supply of Zlob malware variants served as fake codecs, it's about time we spill some coffee on several campaigns in order to get a better understanding of the way the campaigns function.

These campaigns are also starting to get so sophisticated, that analyzing a single one will expose another massive SQL injection, reveal several blackhat SEO domain farms, let you obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue software if you manage to expose the entire scammy ecosystem through all the redirections put in place to make it harder to get to the bottom of it.

What's important to keep in mind when assessing and shutting down such comprehensive campaigns is that on the majority of occasions the front end domains as well as the secondary ones are all attempting to download the codecs from hardcoded locations. Consequently, you have 50 front end domains and another 50 as secondary redirection points, all attempting to download the codecs from 3 download locations. Once again, the malware authors' efficiency-centered mentality, emphasising the ease of management for the campaign, is making it possible to.

Here are some currently active fake celebrity video sites serving malware, including the codec redirectors :


As well as some sample subdomains for traffic acquisition purposes, since all of these have already been crawled by search engines :



We also have embedded IFRAMEs, as well as ones injected into vulnerable sites, acting as redirectors to some of these fake video sites. For instance, at pedophilesexstories.blog.com we have an injected redirector - js0.info/?s=16&k=pedophile+sex+stories&c=5 - and js0.info itself is a blackhat SEO operation that's aggregating generic search traffic like this :

js0.info/16/5/ragnarok+hentai
js0.info/15/4/antivirus+characteristic

js0.info/16/5/msn+monkey
js0.info/15/4/airplus+internet+security

Once accessed, you get redirected through two separate redirection campaigns at searchaw.info/sa/in.cgi?16 and hmel.info/stds13/go.php, until you finally get to the codecs.

With blackhat SEO-ers' already well developed inventory of topical junk content, and experience in what's popular content and what's not, the entry barriers for malware authors into the traffic acquisition joys of blackhat SEO have never been lower.

The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

June 18, 2008
Just like you have sophisticated cyber criminals trying to scam wannabe cyber criminals by providing them with backdoored web malware exploitation kits and phishing pages, you have cyber criminals looking for ways to obtain access to the most popular exploitation kits and bankers malware C&Cs by finding vulnerabilities within them.

Apparently, Zeus, the crimeware kit which I discussed in a previous post, is susceptible to a remotely exploitable vulnerability, according to proof of concept code I obtained recently. The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing PHP scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, "Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information".

The implications of this flaw are huge, since what used to be the practice of hijacking someone's misconfigured botnet a couple of years ago is today's hijacking of the malware campaign's command and control interface, which on the majority of occasions is left accessible to everyone - including independent researchers and the security community.

Picture the following situation - right before the Russian Business Network "disappeared", it threatened to sue Spamhaus for blacklisting most of its old infrastructure. What would happen if the security community started unethically pen-testing the RBN's infrastructure, and remotely exploiting misconfigured Zeus C&Cs in order to estimate the number of infected hosts and the type of stolen data, so as to communicate its findings to the appropriate parties on all fronts? If the RBN starts suing for getting unethically pen-tested, it would automatically claim ownership of, well, the Russian Business Network's infrastructure, which you must be pretty familiar with by now.

Moreover, can we even dare to speculate on the existence of monoculture in crimeware software? You bet, and finding vulnerabilities within popular crimeware kits and web malware exploitation kits is only starting to emerge, a situation where the market share of a certain kit would attract the most vulnerability research.

Monetizing Web Site Defacements

June 13, 2008
What used to be harmless web site defacements back in the old school days is today's ongoing monetization of defaced web sites, a logical development given the consolidation between different underground parties, evidence of which can be seen in the majority of incidents I've been analyzing recently.

The Africa Middle Market Fund's site is the latest example of a web site defacer abusing access to the web server to generate and locally host blackhat SEO pages. The pages are accessible only by searching for the keywords, returning 404 if traffic isn't coming from a search engine, and once accessed they redirect to known rogue security software, in this case the XP antivirus protection (securityscannersite.com), which you must be familiar with if you were following the assessments of the massive IFRAME SEO poisoning attacks that took place during March this year. More about the fund :

"The Africa Middle Market Fund is a private capital fund that invests in small and medium sized African businesses who need from $500,000 up to $2 million to grow and succeed to their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that we care equally about financial performance and social benefit. We are for-profit and insist on our investees employing world standards of financial and business management to maximize their chances of success"

Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point to 23search.org, which is an invitation-only affiliate based network for traffic exchange, connecting different malicious parties together :

"What is this site? This site helps webmasters to earn money with their sites. How it works? Our program generate traffic from search engines and display advertising. What shell I do to start with you? Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money!"

The session is then redirected to drivemedirect.com/soft.php?aid=0195&d=3&product=XPA, as well as to drivemedirect.com/soft.php?aid=0263&d=2&product=XPC to ultimately redirect the user to online-xpcleaner.com/2/freescan.php?aid=880263

Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive techniques to make it harder to analyze them. In this particular campaign for instance, only traffic coming from search engines would get the chance to see the SEO page, due to the use of document.referrer checks. Here are some sample monetization practices from what I've seen between the lines of recently defaced sites :

- installing web backdoors and reselling the access to phishers, spammers and malware authors, who would have full control over the content and can therefore do whatever they want with the web server

- installing web based spamming tools that later on will be either used directly by the defacers, or access to the tools sold to those interested in using them

- participating in affiliate-based blackhat SEO networks, where revenue coming from the victims who installed the rogue software is shared between the defacer and the affiliate-based network, which doesn't really care how and where all the traffic is coming from

- forwarding the responsibility of hosting phishing pages to the legitimate site by hosting them locally, in between sending the phishing emails, again using the same host

- selling the access by promoting it based on its page rank

Web site defacements in times when traffic suppliers are efficiently coordinating campaigns with traffic seekers, will mature into a tool for providing malicious infrastructure on demand, just like botnets did. Then again, the endless possibilities provided by insecure web applications are already blurring the lines between web site defacements and SQL injections.
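
The cloaking behaviour described above (the SEO page is served to search-engine traffic and a 404 goes to everyone else) leaves a recognisable pattern in a site owner's own access logs. The following added example, which is not part of the original post, flags paths that show it; it assumes Combined Log Format and that the 404 is issued server-side so it reaches the log, and the referrer pattern and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: "METHOD path proto" status size "referrer" ...
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')

# Referrer hosts treated as search engines (assumption of this example).
SEARCH_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*(?:google|yahoo|live|msn|ask)\.", re.I)

# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2008:10:01:02 +0000] "GET /pages/cheap-loans.html HTTP/1.1" '
    '200 5120 "http://www.google.com/search?q=cheap+loans" "Mozilla/4.0"',
    '198.51.100.9 - - [13/Jun/2008:10:05:40 +0000] "GET /pages/cheap-loans.html HTTP/1.1" '
    '404 310 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [13/Jun/2008:10:06:11 +0000] "GET /about.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [13/Jun/2008:10:07:30 +0000] "GET /about.html HTTP/1.1" '
    '200 2048 "http://search.yahoo.com/search?p=fund" "Mozilla/4.0"',
    '192.0.2.44 - - [13/Jun/2008:10:09:15 +0000] "GET /missing.html HTTP/1.1" '
    '404 310 "-" "Mozilla/4.0"',
]

def cloaked_paths(lines):
    """Return paths served (200) to search-referred requests while every
    request without a search-engine referrer received a 404."""
    stats = defaultdict(lambda: {"search_200": 0, "other_404": 0, "other_rest": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entry = stats[m["path"]]
        from_search = bool(SEARCH_RE.match(m["ref"]))
        if from_search and m["status"] == "200":
            entry["search_200"] += 1
        elif not from_search and m["status"] == "404":
            entry["other_404"] += 1
        elif not from_search:
            entry["other_rest"] += 1  # served normally to direct visitors
    return sorted(path for path, e in stats.items()
                  if e["search_200"] and e["other_404"] and not e["other_rest"])
```

A path that is simply missing (404 for everyone) or simply public (200 for everyone) is not reported; only the split between the two audiences is.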

Related posts:
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions Overperforming Turkish Hacktivists
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam