Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Fifteen

February 03, 2009

Descriptive fake security software domains speak for themselves, and what follows are the very latest ones currently active in the wild :

spywareguard2009m .com (78.26.179.253; 94.247.2.39)
systemguard2009m .com
spywareguard2009 .com
systemguard2009 .com
getsysgd09 .com

Registrant : Damir Sbil; Email: damirsbils791@googlemail.com

antispyscanner13 .com (94.247.2.39; 78.26.179.253)
sgproductm .com
sgviralscan .com
sg10scanner .com
sg11scanner .com
sg12scanner .com
sg9scanner .com
sgproduct .com

Registrant: Ahmo Stolica; Email: ahmostoln73@yahoo.com

buysysantivirus2009 .com (94.247.2.75)
sysav-download .com
sysav-storage .com
sysantivirus-check .com
antispyware-pro-dl .com
sysantivirus2009 .com
sysav-download .com
sysav-storage .com
sysantivirus-check .com
antispywarefastcheck .com
antispyware-scanner-2009 .com
antispyware-pro-dl .com

Registrant: Dion Choiniere; Email: noelwollenberg@ymail.com

premium-antivirus-defence.com (195.24.78.186)
lite-antispyware-scan.com
computeronlinescan.com
lite-antispyware-scan.com
liteantispywarescan.com
liteantispywarescanner.com
liteantispywareproscan.com
onlineproantispywarescan.com
bestantispywarescan.com
bestantispywarelivescan.com
antispywareliveproscan.com
antispywareinternetproscan.com
bestanti-virusscan.com
antimalware-scanner.com
computerantivirusproscanner.com
antimalwareproscanner.com
antimalware-pro-scanner.com
antimalware-scanner.com
antimalware-scan.com
computeronlineproscanner.com

Registrant: Maksim Hirivskiy Email: alt165@freebbmail.com

Crimeware in the Middle - Adrenalin

February 03, 2009

What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of what is originally costing a hefty $3000, crimeware kit Adrenalin, it's time to profile the kit, discuss its key differentiation factors from Zeus, and emphasize on why despite the fact that it leaked, the kit is not going to take any of Zeus-es market share. At least not in its current form.

In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too, isn't coded from scratch, but appears that -- at least according to cybercriminals questioning its authenticity on their way to secure a bargain deal when purchasing it -- Adrenalin is using portions of Corpse's original A-311 release.

Adrenalin's description and features :
"Injections system - inserting html / javascript code in the page / files / javascript or substitution of one code by another injection occurs in the stream mode, ie the modified page is loaded at once!
(not as in the other BHO based trojans with insertions only after the full load the page (causing javascript problems) or limiting the impact (if for instance the user is on a mobile device connection). In our implementation, all works quickly and efficiently!

- The collection of pieces of text from the html pages, as one of the modes of operation injector (balance, etc ..)

- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going in an easy to read and process the form

- Collector of certificates. Pulling out of all installed certificates including attempts to commit, and certificates that are marked as uncrackable. Certificates neatly stored for each individual bot.

- Page redirector. allows you to replace a page or separate framing in the network. everything is done completely unnoticed. substitution of the content occurs in the interior windsurfing, and even then the browser and any special lotion can be confident that is what you want.

- Domain redirector. forwards all requests from the original site on the fake. address bar, and all references point to the original course can also be used to block access to certain sites

- Universal form grabbing puller forms, can strip the data from the virtual keyboard these forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware kits working through the tracking of users clicking buttons / links it intercepts the data has already been formed, which can be seen in the log. Data can be collected all the running, and keyword (filter)
to delete the logs; noise over debris to chat and not necessary for the work sites.

All data are transmitted in encrypted form, which is important to bypass the protection, like for instance ZoneAlarm's ID Lock. Undoubted advantage is also that the logs are sent instantly - in parallel with the data sent to the original site. No need to worry that the victim will go into an offline and accumulated locally log form grabbing are not able to send.

- Screenshots at the address
- TAN grabbing. The technology allows to effectively collect workers TANs
- Periodic cleaning of cookies/flashcookie.
- Grabbing around-the-forms words (without adjustment - Adrenalin defines its own algorithm that it must be collected. algorithm Improved!)
- The collection of passwords, for instance Protected Storage (IE auto complete, protected sites, outlook)
- Classic keylogger
- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - are less vulnerable machines, and want to put on something more. Cleaning system greatly increases the chances of survival
- Anti-Anti Rootkit mechanisms
- Work on the system without the EXE file
- User-friendly format logs! Forget the piles of files stupid!
- Socks4 / 5 + http (s) proxy server enabled on the infected host
- Shell + Backshell enabled on the infected host
- Socks admin
- Management of each bot individually, or simultaneously (Downloading files, updating settings, etc.)
- Requires PHP on the web based command and control host
- Ability to output commands (including downloads), taking into account the country's bot (function as a resident loader statistically for programs) - and other small pleasures"

Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware kit, whose only differentiation factor would have been the customer support in the form of the managed undetected malware binaries that naturally comes with it. However, it's TAN grabbing ability, proprietary collection of data "around the forms", stripping content from virtual keyboards and automatic certificates collection on per host basis, and its ability to clean the system from competing BHO-based trojans, make it special.

How do you actually measure the popularity of crimeware kit? Based on the the market share of the crime kit, or based on another benchmark? It's all a matter a perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community was build around Adrenalin the way it was built around Zeus making the original Zeus release looks like an amateur-ish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include :

- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout

For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.

With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn't come as a surprise, that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they're doing.

Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconaissance process of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just "monetization of what used to be a commodity good/service" as usual taking into consideration this overall trend, or perhaps there's another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it's the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased.

With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is build around it, one that would inevitably increase is popularity and prompt others to introduce new features within the kit.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key Continue reading →

Copycat Web Malware Exploitation Kits Are Still Faddish

February 02, 2009

The oversupply of web malware exploitation kits is in fact Continue reading →

The Template-ization of Malware Serving Sites - Part Two

February 02, 2009

The growing use of "visual social engineering" in the form of legitimately looking codecs, flash player error screens, adult web sites, and YouTube windows in order to forward the infection process to the end use himself, is the direct result of the ongoing template-ization of malware serving sites. This standardizing is all about achieving efficiency, in this case, coming up with high-quality and legitimately looking templates impersonating the average Internet user by enjoying the clean reputation of the impersonated service in question.

The attached screenshot of very latest DIY windows media player with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped-off from a competing affiliate network participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will.

Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.

Portfolio of fake codecs serving domains parked at the original mirrored domain's IP :
xxxporn-tube .com (93.190.140.56)
uporntube-07 .com
tubeporn08 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
allsoft-free .com
all-softfree .com
lsoftfree .com
porntubenew .com

Download locations :
brakeextra .com/download/FlashPlayer.v..exe (94.247.2.183)
brakeextra .com/download/TestCodec.v.3.127.exe

Entire portfolio of domains parked at (94.247.2.183) :
brakeextra .com
thebestporndump2 .com
fire-extra .com
xp-extra .com
delfiextra .com
qazextra .com
track-end .com
fire-movie .com
extrabrake .com
crack-serial-keygen-online .com
extra-turbo .com
extra-nitro .com
apple-player .com
meggauploads .com
soft-free-updates .com
quicktimesoft .com
cleanmovie .net
nitromovie .net
trackgame .net
quotre .net
rexato .net
spacekeys .net

Dots, dots dots, trackgame .net is once again proving the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search queries poisoning attacks. Continue reading →

Poisoned Search Queries at Google Video Serving Malware

January 28, 2009

UPDATE: A recently published article at the Register by John Leyden incorrectly states that "researchers at Trend Micro discovered that around 400,000 queries returning malicious results that lead to a single redirection point" wherease the researchers in question went public with the attack data on the 27th of January, and then again on the 28th of January.

This isn't the first time the Register shows an oudated siatuational awareness, following the two month-old coverage of a proprietary email and personal information harvesting tool, which I extensively covered in between receiving comments from one of the affected sites.

A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template. (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video.

Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out that is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video, if he or a researcher isn't based on a simple http referer check, a legitimate YouTube video is served.

Upon clicking on the video from any of their publisher domains, the user is taken to porncowboys .net/continue.php (94.247.2.34) then forwarded do xfucked .org/video.php?genre=babes&id=7375 (94.247.2.34) to have the binary served at trackgame .net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. Detection rate for the flash player.

The malware publisher domains crawled by Google Video redirecting to the bogus flash player :
nudistxxx .net - 22,000 bogus video titles
realsexygirls .net - 21,000 bogus video titles
trulysexy .net - 27,100 bogus video titles
madsexygirls .net - 18,900 bogus video titles
mypornoplace .net - 25,700 bogus video titles
hotcasinoxxx .net - 28,900 bogus video titles
hotgirlstube .net - 37,900 bogus video titles
xgirlplayground .com - 50,600 bogus video titles
puresextube .net - 20,700 bogus video titles
xxxtube4u .com - 11,400 bogus video titles
sexygirlstube .net - 63,100 bogus video titles
xporntube .org - 12,800 bogus video titles
xxxgirls .name - 33,500 bogus video titles
girlyvideos .net - 37,500 bogus video titles
mytubecentral .net - 38,900 bogus video titles
puresextube .net - 20,700 bogus video titles
teencamtube .com - 18,400 bogus video titles
celebtube .org - 41,100 bogus video titles
truexx .com - 16,900 bogus video titles
hottesttube .net - 28,100 bogus video titles
hotgirlsvids .net - 27,200 bogus video titles
watch-music-videos .net - 14,900 bogus video titles
marketvids .net - 29,900 bogus video titles
gamingvids .net - 7,930 bogus video titles
hentaixxx .info - 25,500 bogus video titles

The campaign is currently in a cover-up phrase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there. Timeliness vs comphrenesiveness of a malware campaign?

Following this example of comprehensivess, take into consideration the timeliness in the face of October 2008's campaign when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results. Continue reading →

Embassy of India in Spain Serving Malware

January 27, 2009

The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e where the binary is served, a compete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :

google-analyze .cn
yahoo-analytics .net
google-analyze .org
qwehost .com
zxchost .com
odile-marco .com
edcomparison .com
fuadrenal .com
rx-white .com

As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns.

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Exposing a Fraudulent Google AdWords Scheme

January 21, 2009

UPDATE: Conduit's Director of Strategic Marketing Hai Habot contacted me in regard to the campaign. Comment published at the bottom of the post.

Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration.

The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (ayuda@shareware.pro; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue part of the Conduit Rewards Program.

Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's, and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his.

Brandjacked software domains part of the AdWords campaign :
adobe-reader-co .com
adware-co .com
flash-player-co .com
paint-shop-pro .com
winrar-co .com
ccleaner-co .com
firefox-co .com
avi-codec-co .com
guitar-pro-co .com
codec-co .com
opera-co .com
messenger-comp .com
servicepack-co .com
azureus-co .com
emulegratis .es
messenger-plus-co .com
zone-alarm-co .com
directx-co .com
bittorrent-co .com
media-player-co .com
emulefree .com
divx-co .com
office-co .com
virtualdj-co .com
zattoo-co .com
clonecd-co .com
tuneup-co.com
lphant-co.com
explorer-co.com
amule-co .com
messenger75-co .com
limewire-comp .com
lite-codec-co .com
power-dvd-co .com
messenger-plus-live-co .com
reamweaver-co .com
aresgratis .net
vuze-co .com
emuleespaña .es
regcleaner-co .com
paint-net-co .com
download-acelerator .com
windownloadweb .com
xp-codecpack-co .com

The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming the software bundle including the revenue-generating toolbar is served in the following way :

firefox-co .com/downloads/installer-5-firefox-uk.exe
winamp-co .com/downloads/installer-37-winamp-uk.exe
winamp-co .com/downloads/installer-37-winamp-nl.exe
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe
divx-co .com/downloads/installer-25-divx-uk.exe

Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :

peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4

The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.

UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.

As you may know, Conduit does not have full control over the promotional activity of the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads or links) however, the activity described in your post is clearly in violation of our terms of use (section V of the Conduit Publisher Agreement) and our compliance team can take different measures against this publisher including the removal of the toolbar from our platform.

The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved." Continue reading →

A Diverse Portfolio of Fake Security Software - Part Fourteen

January 19, 2009

The following currently active fake security software domains have been included within ongoing blackhat SEO campaigns, among the many other tactics that they use in order to attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software domains series is prone to expand throughout the year.

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com

Domain owner:
Name: Aennova M Decisionware
Organization: NA
Address: Rua Maestro Cardim 1101 cj. 112
City: Sgo Paulo
Province/state: NA
Country: BR
Postal Code: 01323
Phone: +5.5113245388
Fax: +5.5113245388
Email: victor@aennovas.com

rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com

Domain owner:
Vadim Selin anzo45@freebbmail.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
ru

antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com

Domain owner:
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Email: promasteryouth@gmail.com

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

January 19, 2009

The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then.

Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.

Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.

Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank. Continue reading →

Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

January 14, 2009

This summary is not available. Please click here to view the post. Continue reading →

Domains Serving Internet Explorer Zero Day in December

January 14, 2009

December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL to target international sites, with the rest injected at Asian sites only.

This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :

SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm

Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
17gamo .com/1.js
s4d. in/h.js
dbios .org/h.js
armsart .com/h.js
acglgoa .com/h.js
9i5t .cn/a.js
qq117cc .cn/k.js
s800qn .cn/csrss/w.js
twwen .com/1.js
s.shunxing .com.cn/s.js
ko118 .cn/a.js
s.shunxing .com.cn/s.js
17aq .com/17aq/a.js
s.kaisimi .net/s.js
sshanghai .com/s.js
s.ardoshanghai .com/s.js
s.cawjb .com/s.js
mysy8 .com/1/1.js
mvoyo .com/1.js
nmidahena .com/1.js
tjwh202.162 .ns98.cn/1.js

Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists Continue reading →

Dissecting the Bogus LinkedIn Profiles Malware Campaign

January 07, 2009

Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio.

Domains used on the bogus profiles :
sextapegirls .net (88.214.200.5)
celebsvids .net (216.195.57.47)
katynude .com (216.195.57.47)
delshikandco .com (82.103.132.114)

All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.

Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (69.59.21.247) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served.

The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds .com/in.cgi?6 (64.27.28.225), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (94.247.3.232) which a copy of Win32/Renos.

The downloader then phones back to :
dasgdasg .net (91.205.96.12)
new-york-images .com (89.149.207.114)
future-pictures .com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com

193.142.244.17

Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:

94.247.3.228
files-upload-21 .com
downloabsecurehere1 .com
downloabsecurehere2 .com
downloabsecurehere3 .com
downloabsecurehere4 .com
fast-download-base-free .com
download-all4free .com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now. com
download-allsoftnow .com
downloadallsoftnow .com
soft-4-you-download .net
get-files-4free .net
download-top-software .net
files-download-arch .net
download-files-bak .net
download-files-plus .net
pure-download-new .net

69.59.21.247
uni-tube-911 .com
bestmytubeonilne1 .com
bestmytubeonilne2 .com
bestmytubeonilne3 .com
mybest-pov-tube .com
my-bestpov-tube .com
u-tube-verse .com
tubeger .com
tube-4-free-center .com
tube-4you-best .com
tube-hu .com
tube-more-sex .com
quickly-porn-tube .net
fast-xxx-tube .net
tube-chick .net
tube-free-4-adult .net

antivir-av-toolz .net
scanner-pc-toolz .net
av-scan-soft .net
av-scan-here .net
anti-vir-toolz .com
freenonline-scannerw .com
freenonline-scanner .com
av-mc-antivir-checker .com
freenonline-scannera .com
bestmyscanneronilne3 .com
bestmytubeonilne3 .com
bestmyscanneronilne2 .com
bestmytubeonilne2 .com

94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009 .com
exefileshere2009 .com
bestfilesarchive2009 .com
softwareviewers2009 .com
filesinnet4you2009 .com
downloadfilesservice .com
jetexestorage .com
clickandgetfile .com
secretfilesstoragehere .com
x-filesstorehere .com
filesportalhere .com
exefileshere .com
extrafilesonlyhere .com
pornexearchive .com
viewerarchive .com
crystalfilesarchive .com
download2009exe .com
3d-softwareportal .com
downloadfilesportal .com
exesoftportal .com
softwareportalexefiles .com
becollectionoffiles .com
extracoolfiles .com
freepornclips2u .com
filesstorage4you.com
downloadexenow .com

The same people, the same tactics, different domains and netblocks used. Continue reading →

Summarizing Zero Day's Posts for December

January 06, 2009

The following is a brief summary of all of my posts at Zero Day for December, 2008. You can also go through previous summaries for November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from the ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft) and Gmail, Yahoo and Hotmail systematically abused by spammers.

01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search (finally) adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit Continue reading →

Squeezing the Cybercrime Ecosystem in 2009

January 06, 2009

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, neither would his customers base disappear, so stating that it's shut down in reality means that it's currently active at another location which the owner quickly communicates to the customers base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.

Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts:
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods Continue reading →

Squeezing the Cybecrime Ecosystem in 2009

January 06, 2009

Cyber Jihadists part of the GIMF Busted

December 17, 2008

In one of those "better late than never" type of situations, last month members of the Global Islamic Media Front were busted in Germany. The group is largely known due to their releases and propaganda of the Technical Mujahid E-zine (Part Two) and the Mujahideen Secrets encryption tool (Second Version). GIMF was distributing its multimedia through popular Web 2.0 video sharing sites, perfectly fitting into the profile of the majority of cyber jihadist groups.

GIMF used to be one of my favorite sources of raw OSINT regarding various cyber jihadist activities due to its centralized nature and lack of any operational security in place, in particular the ways it was unknowingly exposing their social networks online.

Related posts:
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
Inshallahshaheed - Come Out, Come Out Wherever You Are
A List of Terrorists' Blogs
Cyber Jihadist Blogs Switching Locations Again
Wisdom of the Anti Cyber Jihadist Crowd
Analyses of Cyber Jihadist Forums and Blogs
Terror on the Internet - Conflict of Interest Continue reading →

Skype Phishing Pages Serving Exploits and Malware - Part Two

December 15, 2008

Dear malware spreader, here we meet again. It's been a while since I last wrote to you, half an year ago to be precise. Since I first met you, keeping (automated) track of your phishing campaigns serving old school VBS scripts has become an inseparable part of my daily routine.

I really enjoyed the fact that since then you've changed your email address from ikbaman@gmail.com to ikbasoft@gmail.com and due to its descriptive nature speaking for a software company set up, I can only envy your profitability. However, due to the tough economic times, your latest round of blended with malware phishing emails has to go down. I'm sure you'd understand, as it only took "5 minutes out of my online experience" to notice you, and so I'm no longer interested in processing the /service-peyment/ that you require on the majority of brandjacked subdomains that you keep creating at the very same ns8-wistee.fr.

secureskype.uuuq .com redirects to monybokers.ns8-wistee .fr/skype/cgi-bin/us/security/update-skype/service-peyment/update/login.aspx/index.htmls where the VBS is pushed, with its detection rate prone to improve. Continue reading →

Localized Social Engineering on Demand

December 15, 2008

If I were to come across this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new service takes the concept further by introducing a multilingual on demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows :

- English (3 male voices and 2 female ones)
- German (2 male voices and 1 female one)
- Spanish (1 male voice and 2 female ones)
- Italian (1 male voice and 1 female one)
- French (1 male voice and 1 female one)

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application, however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought of in the sense that given that fact that certain banks or online services can automatically freeze the assets to which the cybercriminal has access to, the service, through its multilingual capabilities can indeed convince the institution in the authenticity of the Spanish caller that's indeed Spanish based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to very specific in order for the service to work, meaning, they would have to use it as a intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means (stolen credit card details), and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite that monetizing social engineering is not new, monetizing (accomplice) voices, and running a social engineering ring definitely is. Continue reading →

Localized Social Engineering on Demand

December 15, 2008

If I were to come aross this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new service takes the concept further by introducing a multilingual on demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows :

- English (3 male voices and 2 female ones)
- German (2 male voices and 1 female one)
- Spanish (1 male voice and 2 female ones)
- Italian (1 male voice and 1 female one)
- French (1 male voice and 1 female one)

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application, however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought of in the sense that given that fact that certain banks or online services can automatically freeze the assets to which the cybercriminal has access to, the service, through its multilingual capabilities can indeed convince the institution in the authenticity of the Spanish caller that's indeed Spanish based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to very specific in order for the service to work, meaning, they would have to use it as a intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means (stolen credit card details), and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite that monetizing social engineering is not new, monetizing (accomplice) voices, and running a social engineering ring definitely is. Continue reading →

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Fifteen

Crimeware in the Middle - Adrenalin

Copycat Web Malware Exploitation Kits Are Still Faddish

The Template-ization of Malware Serving Sites - Part Two

Poisoned Search Queries at Google Video Serving Malware

Embassy of India in Spain Serving Malware

Exposing a Fraudulent Google AdWords Scheme

A Diverse Portfolio of Fake Security Software - Part Fourteen

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

Domains Serving Internet Explorer Zero Day in December

Dissecting the Bogus LinkedIn Profiles Malware Campaign

Summarizing Zero Day's Posts for December

Squeezing the Cybercrime Ecosystem in 2009

Squeezing the Cybecrime Ecosystem in 2009

Cyber Jihadists part of the GIMF Busted

Skype Phishing Pages Serving Exploits and Malware - Part Two

Localized Social Engineering on Demand

Localized Social Engineering on Demand

RSS Feed

About Me

Blog Archive

Tags

Popular Posts