Massive SQL Injection Attacks - the Chinese Way

From copycats and "localizers" of Russian web malware exploitation kits, to suppliers of original hacking tools, the Chinese IT underground has been closely following the emerging threats and the obvious insecurities on a large scale, and so is either filling the niches left open by other international communities, or coming up with tools setting new benchmarks for massive SQL injection attacks, like the case with this one :

"A professional web site vulnerability scanning, use of tools, SQL injection is a new generation of tools to help Web developers and site of the station quickly find vulnerabilities in order to be able to effectively prepare Security work. At the same time, the tool to Web developers to demonstrate the ways in which hackers are using these vulnerabilities, hackers, as well as through the loopholes to do things, can effectively raise the safety awareness of relevant personnel."

Nothing's wrong with the marketing pitch at the first place, but going through the features, the "massive SQL injections through search engine reconnaissance" and automatic page rank verification which you can see in the attached screenshots, ruin the "security auditing" marketing pitch. The tool not only allows easy integration of potentially vulnerable sites obtained through search engines reconnaissance, but also, is prioritizing the results based on the probability for successful injection, next to the page rank of the domains in question. A simple demonstration offered by the company is also, directly enticing its users to "localize" the search engine reconnaissance, by filtering the search results for a particupar country, in this case they used French sites for one of the demos. Here are some excerpts from its CHANGE log speaking for themselves :

"2008.7.15 release version 1.3
 

- New powerful "automatic machine cycle" feature 
- Automatic machine cycle is to provide assistance to the advanced user manual into the use of a very 
- powerful and flexible module, the main sites used for some special filtering into the hand, is almost a 
- universal tool, you can achieve the following:
 
1. In support of GET / POST / COOKIES in a variety of ways, such as the injection. 
2. Scan the key to the page (background, upload, WebShell, databases, backup files, etc.). 
3. According to the dictionary to violence landing back-guess solution WebShell password and password (required to verify that the code can not guess solution). 
4. Page language does not limit the types and databases (to provide specific statements into the database). 
5. At the same time, support for the circulation of the two variables and two dictionaries, fast running and violent content of the database solution to guess a password."

It gets even more interesting in terms of the massive SQL injection attacks mentality which is pretty evident on all fronts :

"- The use of the three search engine sites scans to invade the side to complete
- in scanning probe into the Web site ranking points
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site.
- New "sequence document scanners"
- What is the sequence document scanners role? Upload to find loopholes, some of the procedures to upload the file after the upload will be renamed, rename the way the system is usually based on time or incremental increase in the number prefix code for the upload process, if not to return after the file name, Upload files to know the url is usually very difficult to sequence the use of paper scanner can be scanned out

- The best reverse domain name query engine, and quasi-wide
- in scanning the database of basic information, an increase of the database of information related to the process, the link has information on the database server user login (sa need permission)
- control of the interface had a big adjustment, the interface process easier to understand and operate.
- based on a significant site of the wrong mode of access to a comprehensive code optimization and more accurate access to the content, accuracy and access to show progress.
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site. 

- point into the types of improved detection order to improve the efficiency of detection.
- improved automatic keyword detection, automatic keyword detection more accurate.
- probe into the points the way to improve and increase the use of automatic detection of the keyword detection.
- type of database to improve the detection, the use of the contents of the length of the failure to detect the type of database automatically switch to the probe through the keyword.
- automatically save and load solution has been to guess the tree structure of the database, guess Solutions has been the content and structure of the database will automatically save and open the next time the injection point will be automatically made available, the solutions do not have to guess again, the continuity of work Greatly increased. 

- solved from the database to read large amounts of data (on hundreds of thousands or millions of records), the half-way card program will die.
- increased significantly on the wrong model of ASP.NET and SQL Server2005 significant mode of dealing with mistakes, error messages can be extracted from a Web directory!
- significant amendments to the wrong mode, some of the injected one by one point in the field or access to the contents of the issue can not be successful (error code in hand); for increased access to specific points table and into the field. 

- amendments to the text of a significant error patterns to detect and correct use of loopholes in the system can be used more to expand. (Text significantly in the wrong mode in version 1.1 already supported, but in the version 1.2 upgrade in the process of scanning to improve the performance of the Gaodiao careless. -_-#)
- on a variety of encoded text can be significantly wrong in the right-compatible, able to correctly handle the ASP.NET page of the text marked wrong. Through custom error keyword, truly compatible with any language, any coding error message.
- crack anti-improvement and enhancement.
- An increase of auto-detection feature keywords. 

- Mssql database specifically for significant points into the wrong mode of detection and the use of up and down the hard work, and many other software can not detect the point of injection can also be used.
- Automatic save and load access to the database, to allow manual known to add tables and fields for solutions to guess.
- Can be used to amend the degree of accuracy; optimize the code to reduce memory footprint; enhance the stability of multi-threading.
- Significant amendments to the wrong mode solution guess the contents of the database must be checked first field defects."

The public version of the tool has been in the while for over an year, with a VIP version available to customers only. Continue reading →

Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist socienty's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action got published last week, a project I discussed back in August, point out to the bottom of the food chain in the entire campaign - stopgeorgia.ru :

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments :

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of the "Please, input your cause" mentality is always going to be there.
Continue reading →

A Diverse Portfolio of Fake Security Software - Part Nine

Among the most recently spotted rogue security software applications and fake system maintenance tools are :

pcvirusremover2008 .com (78.157.142.47; 92.62.101.67)
registrydoctorpro2008 .com
powerfulvirusremover2008 .com
registrydoctor2008 .com
topregistrydoctor2008 .com
securefileshredder2009 .com
securefilesshred .com
registrydoctor2008-scan .com
registrydoctor2008-pro .com
prosecureexpertcleanerpro .com
supersecurefileshredder .com
hypersecurefileshredder .com
securefilesshredder .com
secureexpertcleaner .com
winsecureexpertcleaner .com
prosecureexpertcleaner .com
yoursecureexpertcleaner .com
bestsecureexpertcleaner .com
mysecureexpertcleaner .com
energysavecenter .com
virusremover2008plus .com

malwarecrashpro .com (195.5.117.248)
antimalwareguard .com
malwarecrash .com
antimalwareguardpro .com   
antimalwaremasterpro .com

xp-antispyware-2009 .com (206.161.120.21)
xp-antispyware2009 .com (206.161.120.20)
xp-as-2009 .com (206.161.120.24)
xpantispyware-2009 .com (206.161.120.22)
xpas2009 .com (206.161.120.23)

killwinpc .com (200.63.45.20)
registryupdate .org (216.122.218.11)
antivirus-2009-pro .net (217.20.175.44)

a-a-v-2008 .com (92.241.163.27)
aav2008 .com
adv-a-v .com

ietoolsupdate .com (208.72.168.84)
iexplorerfile .com

Registrants of notice for cross-checking purposes :
Sagent Group  (adminsagent@gmail.com)
Billy A. Schmitt  (admiragroup@yahoo.com)
Shestakov Yuriy (alexvasiliev1987@cocainmail.com)
Andrej Kazanski (akazanski@europe.com)

Related posts:
Violating OPSEC for Increasing the Probability of Malware Infection
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software  Continue reading →

TorrentReactor Compromised, 1.2M Users Database In the Wild

It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in September, with it's users database concisting of 1.2M users and TorrentReactor's source code stolen.

Despite that the attacker claiming responsibility is citing reputation enhancement as the reason for the attack, sooner or later the personal details will be sold and resold to spammers, with the possibilitity for spear phishing attacks left wide open. Continue reading →

DDoS Attack Graphs from Russia vs Georgia's Cyberattacks

Part of Georgia's information warfare campaign aiming to minimize the bandwidth impact on its de-facto media platforms such as the web site of  their Ministry of Foreign Affairs, I've just received a report part of Georgia's "Russian Invasion of Georgia" series entitled "Russian Cyberwar on Georgia", which is quoting me on page 4 in regard to the "too good to be courtesy of Russia's cyber militia" creative that appeared on the defaced Georgian President's web site. The report also includes DDoS attack graphs and related details worth going through :

"The last large cyberattack took place on 27 August. After that, there have been no serious attacks on Georgian cyberspace. By that is meant that minor attacks are still continuing but these are indistinguishable from regular traffic and can certainly be attributed to regular civilians. On 27 August, at approximately 16:18 (GMT +3) a DDoS attack against the Georgian websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The attacks peaked at approx 0,5 million network packets per second, and up to 200–250 Mbits per second in bandwidth (see attached graphs). The graphs represent a 5-minute average: actual peaks were higher.

The attacks mainly consisted of HTTP queries to the http://mfa.gov.ge website. These were requests for the main page script with randomly generated parameters. These requests were generated to overload the web server in a way where every single request would need significant CPU time. The initial wave of the attack disrupted services for some Georgian websites. The services became slow and unresponsive. This was due to the load on the servers by these requests. As you see from the graphs above the attacks started to wind down after most of the attackers were successfully blocked. The latest attack may have been initiated as a response to the media coverage on the Russian cyber attacks."

In case you're interested in more factual evidence about what was happening at the particular moment in time, go through the following assessment - "Coordinated Russia vs Georgia cyber attack in progress", as well as through the following posts - "The Russia vs Georgia Cyber Attack"; "Who's Behind the Georgia Cyber Attacks?"; "Georgia President’s web site under DDoS attack from Russian hackers". Continue reading →

The Cost of Anonymizing a Cybercriminal's Internet Activities

What would the perfect traffic anonymity service provider targeting cybercriminals consist of? A service operating in Russia that is on purposely not logging any of its user's activities, next to allowing direct spamming from the socks servers, automatic rotation of the VPN servers which they operate in a RBN style hosting provider, or a service using actual malware infected hosts as VPN tunnels not only securing the cybercrime traffic, but also, forwarding the responsibility for the malicious activities to the end user?

Long gone are the days of socks chaining, the practice of automatically connecting to multiple malware infected hosts in order to use them as stepping stones, in between the rest of the malicious activities going on their behalf.

The possibilities for building point-to-point or server-to-multiclient encrypted tunnels between malware infected hosts by using already available Socks5 functions has always been there. As of August, the coders behind a relatively popular web based malware originally started as a DDoS kit, but later on started introducing new features on a "module basis", they have started offering a BETA module for building a VPN network of malware infected hosts, including an admin panel for reselling access to these hosts in order to better monetize their botnet.

This VPN-owning of malware infected hosts is not only resulting in improved anonymity for botnet masters and anyone else having access to the network, but is also contributing to the growth of VPN services designed specifically to be accessed by cybercriminals created on the foundatiosn of such admin panels offering easier reselling of access to the network.

So, what's the cost of anonymizing a cybercriminal's Internet activities? Starting from $40 and going to $300 for a quarter of access, with the price increasing based on the level of anonymity added. Continue reading →

Quality Assurance in Malware Attacks - Part Two

Surprisingly, while opportunistic cybercriminals have long embraced the malware as a service model, and are offering managed lower detection rate services for a customer's malware, or DIY ones where the customer can take advantage of popular tools ported to the Web, others are still trying to innovate at a faddish market niche - multiple offline AV scanners tools aiming to ensure that their malware doesn't end up in the hands of vendors/researchers.

Multiple offline AV scanning tools like this very latest release, naturally using pirated copies of popular antivirus software, are faddish, due to the fact that during the last two years, the underground has been busy working on several paid web based services, that not only make sure vendors and researchers never get the chance to obtain the samples, but also, are already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA of the campaign, next to the rest of unique features disintermediating legitimate multiple AV scanning services.

Certain features within such services clearly speak for the intentions of the people behind the service. For instance, among one of these features is the ability to fetch a binary from a set of given dropper URLs like malwaredomain.com/binary.exe, the result of the scan can then alert the malware campaigner about the current state of detection.

What's on these proprietary multiple AV scanning service's to-do list? Let's say anything that a legitimate multiple AV scanning service would never offer, like the following according to one of the services in question :

- DIY heuristic scanning level settings for each of the software in place
- upcoming sets of anti spyware and personal firewalls with detailed statistics of the sandboxing
- behavior-based detection results

The possibilities for integrating such proprietary multi AV scanning services within the QA process of a malware campaign are countless, and both, the customers and the sellers seem to have realized the potential of this ecosystem. Continue reading →

Cybercriminals Abusing Lycos Spain To Serve Malware

Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that the FTP access is efficiently abused. 

Here's a description of the link generator :

"Download the program and run it asks for an ID (identifier), then copy it and paste it there, then press' Create Installer 'and the program will create the Installer! (this program to run a simulation that is installing the Adobe Flash and indicates to our page that "has been installed Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file tie it in with your server! and what flames or Installer Setup (simulating being an installer)!  Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step!"

Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals syndicating hot Google Trends keywords, further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of bogus accounts registration performed automatically, or outsourced entirely, malicious services aiming to automate the abuse process are only going to get more efficient. Continue reading →

Commoditization of Anti Debugging Features in RATs - Part Two

Yet another piece of malware promoted as a RAT (remote access tool) includes what's turning into the defacto set of anti-debugging features within RATs.

As the authors point out, the Anti Virtual PC, VMware, Virtualbox, Sandboxie, ThreatExpert, Anubis, CWSandbox, Joebox, Norman Sandbox features inevitably increase the server size. Next to the product, there's always the managed service of ensuring a lower detection rate for binaries submitted to the authors. Continue reading →

Summarizing Zero Day's Posts for September

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again Continue reading →

A Diverse Portfolio of Fake Security Software - Part Eight

In the spirit of "taking a bite out of cybercrime", here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen of malware campaigns redirecting to most of them :



antivirus-scanner-online.com (67.205.75.14)



archivepacker.com (78.157.142.111)

winpacker.com

xh-codec.net



securedownloadcenter.com (89.18.189.44)

winupdates-server.com

browserssecuritypage.com

megatradetds0.com

quickscanpc.com (78.159.118.144)

clickchecker6.com



gensoftdownload.com (91.203.93.25)



online-av-scan2008.com (66.232.105.232)

anothersoftportal09.com

bigfreesoftarchive.com

celebs-on-video-08.com

celebs-on-video-2008.com

cleansoftportal2009.com

hot-p0rntube.com

hot-porn-tube-2008.com

hot-porn-tube2008.com

hot-porn-tube2009.com

justdomain08.com

new-porntube-2008.com

online-av-scan2008.com

s0ftvvarep0rtal.com

s0ftvvareportal.com

s0ftvvareportal08.com

s0ftwarep0rtal08.com

softportalforfun.com

softportalforfun08.com

softportalforfun2008.com

softvvareportal.com

softvvareportal08.com

softvvareportal2008.com

trustedsoftportal06.com

trustedsoftportal2008.com

antivirus-online-08.com (89.187.48.155; 218.106.90.227)

anti-virus-xp.com

anti-virus-xp.net

anti-virusxp2008.net

antimalware09.com

antivirxp.net

av-xp08.net

av-xp2008.com

av-xp2008.net

avx08.net

axp2008.com

e-antiviruspro.com

eantivirus-payment.com

ekerberos.com

online-security-systems.com

xpprotector.com

youpornzztube.com

sp-preventer.com (92.241.163.32)

spypreventers.com



u-a-v-2008.com (92.241.163.31)

uav2008.com



power-avcc.com (92.62.101.57)

power-avc.com

pvrantivirus.com



m-s-a-v-c.com (92.62.101.55)

ms-avcc.com

ms-avc.com



wav2008.com (92.241.163.30)

wiav2009.com

win-av.com

windows-av.com

windowsav.com 



You know the drill. 



Related posts:

A Diverse Portfolio of Fake Security Software - Part Seven

A Diverse Portfolio of Fake Security Software - Part Six

A Diverse Portfolio of Fake Security Software - Part Five

A Diverse Portfolio of Fake Security Software - Part Four

A Diverse Portfolio of Fake Security Software - Part Three

A Diverse Portfolio of Fake Security Software - Part Two

Diverse Portfolio of Fake Security Software Continue reading →

Web Based Malware Emphasizes on Anti-Debugging Features

Following the ongoing development of a particular web based malware, always comes handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.

So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.

Here's a translated description :

"- The binary works under admin and under normal user
- The binary is always run as the "current user"
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
-After successful infection, the binary which is tested against popular firewall and proactive protection security ensures that the actions it takes and their order do not trigger protactive protection mechanisms in place
- binary file size is 25k, the size can be reduced once it's crypted

- Doesn't take advantage of BITS protocol
- Doesn't allow an infected host to be infected twice
- Bypassing NAT and supporting "always-on" connections
- A simple, easy to configure web based admin panel"

What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play. Continue reading →

Fake Windows XP Activation Trojan Wants Your CVV2 Code

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software. Continue reading →

Inside a Managed Spam Service

A managed spam vendor always has to raise the stakes during its introduction period on the market. But what happens when a market follower starts using the market leader's proprietary managed spamming system, and is able to provide better spamming rates at a cheaper prices?  Market forces and unethical competition at its best.

So, what is this market challenger using the monopolist's -- in respect to managed spamming services not spam in general -- proprietary system (Spamming vendor launches managed spamming service) up to anyway? Promising and delivering, 1, 400,000 emails daily, 60,000 mails per hour, and 100 emails per minute. What we've got here are the spam metrics out of 5 already finished spam campaigns that has managed to sent out a million spam emails using only 2000 malware infected hosts. Also, CC-ing and BCC-ing made it possible to multiple the effect of the campaign and increase the total number of emails spammed. Talking about benchmarks, 789 emails per minute at a rate of 12/13 emails per second is a pretty good one, considering it's only 2k bots that they were using. What they also promise is automatic rotation of IPs upon automatically checking them against public blacklists, and a mix rotation of IPs from their own netblocks located in Russia and Germany with the fresh IPs coming from the newly infected hosts.

Earlier this month, I discussed the market leader's managed spamming system, access to which they also offer for rent :

"An inside look of the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise - speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be simultaneously used resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to ensure that the central server never gets exposed, is in fact fast-flux which depending on how many bots they are willing to put into “rtsegional server mode” shapes the size of the fast-flux network at a later stage."

With cutting edge managed spam services like the ones currently in circulation, it remains to be seen whether or not spammers would migrate to this outsourcing model, or continue coming up with adaptive ways to send out their scams and malware on their own. Continue reading →

Syndicating Google Trends Keywords for Blackhat SEO

Several hundred Windows Live Spaces and AOL Journals, are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries exposing users to Zlob codecs.

Here are some same bogus blogs used in the campaign, naturally pre-registered long before they executed it :

vinniedigg18 .spaces.live.com
journals.aol .com/iolatour16
fredabreak02 .spaces.live.com
thedaalerts01 .spaces.live.com
allisonpolls08 .spaces.live.com
rheabreak18 .spaces.live.com
racquellog17 .spaces.live.com
monikavideo11 .spaces.live.com
journals.aol .com/shelvakill27
tomekadigg26 .spaces.live.com
ivahnet19 .spaces.live.com
journals.aol .com/louisathere13
allisonpolls08 .spaces.live.com
valericatch03 .spaces.live.com
journals.aol .com/iolatour16
hadleycue01 .spaces.live.com
journals.aol .com/staceyliving01
collettebreak17 .spaces.live.com
journals.aol .com/nataliablog16
natalymore26 .spaces.live.com


A comprehensive listing of the blogs involved can be downloaded here.

What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs as using a central redirection domain, shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In this case, the domain in question is video.xmancer.org (216.195.59.75).

Here are the the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs :

video.xmancer .org (216.195.59.75)
buynowbe .com
loveniche .com
antivirus-freecheck .com
jetelephone .cn
reducki .cn
woteenhas .cn
lilaloft .cn

clipztimes .com (78.157.143.235)
imagelized .com
vidzdaily .com

gotmovz .com (78.108.177.91)
dwnld-clips .com

movwmstream .com (77.91.231.183)
newwmpupdate .com
zaeplugin .com
movaccelerator .com
optimwares .com
piterserv .com

moviesportal2008p .com (72.232.183.154)
movieportal2008a .com
funnyportal2008l .com
starsportal2008p .com
softportal2008p .com
movieportal2008q .com

In short, despite that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign since each and every blog participating is also linking to the rest of the ones within the ecosystem.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam Continue reading →

Managed Fast Flux Provider - Part Two

We're slowly entering into a stage where RBN bullet proof hosting franchises are vertically integrating, and due to the requests from their customers are starting to offer that they refer to as "mirrored hosting" which in practice is plain simple fast flux network consisting of RBN-alike purchased netblocks, and naturally, botnet infected hosts.

Managed fast-fluxing is only starting to go mainstream, for instance, in July I found evidence that money mule recruiters were using ASProx's infected hosts as hosting infrastructure, and in November, 2007, an infamous spamming software vendor was also found to have been offering fast-flux services in the past.

In this most recent fast-flux service, we have a known spammer and botnet master that in between self-serving himself on is way to ensure his portfolio of scammy domains remains online for a "little longer", is commercializing fast-fluxing and is offered a DIY service :

"Finally after hardwork and great appreciation from our normal bullet proof hosting/server clients we are able to launch Mirrored hosting. What is Mirrored hosting ?

================
Mirrored hosting is a powerful mirrored web hosting management, uses multiple Virtual servers to host website with 100% uptime. Mirrored hosting is a combination of two things, which are:

1. Specially Designed Virtual Servers
2. Powerful Automated Control Panel

How does it work ?
=============== 

Mirrored hosting uses specially configured Virtual Servers making them link with the Mirrored hosting Control Panel which is then controlled by our own control panel allowing us to provide smooth streamline hosting with no downtime. No one is able to trace original IP of the server or the place where the files are hosted so the websites/domains hosted have a 100% Uptime. This is achieved by unique customisation of our Virtual Servers.

Actually, it takes ips around the world and our powerful control panel just rotates the ips every 15 minutes. though all these ips you will see will be fake no one can trace the orignal ip where files are hosted. Sometimes the ip is from China, Korea, USA, UK, Japan, Lithuania etc."

The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it would undoubtedly lower down the entry barriers allowing yesterday's average phishers to take advantage of what only the "pros" were used to.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet Continue reading →

Knock, Knock, Knockin' on Carder's Door

This video of Cha0's bust earlier this month in Turkey, is a perfect example of what happens when someone starts over-performing in the field of carding.

Try counting the desktops, and notice the "full package" a carder can dream of - the box full of ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of sale) terminals, the house and swimming pool, and, of course, the hard cash. Continue reading →

Monetizing Infected Hosts by Hijacking Search Results

When logs with accounting data are no longer of interest due to low liquidity on the underground market, monetization of the infected hosts comes into play.

This web based malware seems like an early BETA aiming to scale, however it's only unique features are its ability to hijack the infected user's searches and server relevant ads courtesy of the affiliate networks the administrator participates in, and also, an integrated DDoS module that the author simply stole from another kit. Strangely, it's 2008 yet the author also included the ability to turn on the telnet service on an infected host.

With the search queries feature easy to duplicate by other kits, this web based malware is a great example of how the time-to-market mentality lacking any kind of personal experience -- the malware cannot intercept SSL sessions compared to the majority of crimeware kits that can -- ends up in a weird hybrid of random features.
 
Customerization will inevitably prevail over the product concept mentality.

Continue reading →

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots, and is promising to include new exploits within the kit.

For the time being, this recently released copycat web exploitation malware kit, includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, greatly reminding us of Zeus's copyright notice :

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? - "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." which is surreal considering that the kit is open source one, and just like we've seen with a recent modification of Zeus if it were to include unique features -- which it doesn't -- others would build upon its foundations.

Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploits set would have increased the number of exploited hosts.

With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that just like Stormy Wormy's historical persistence of using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant. Continue reading →