Help! Someone Hijacked my 100k+ Zeus Botnet!

February 26, 2009
I've been looking for similar chatter for a while now, given the existence of a remotely exploitable vulnerability in an old Zeus crimeware release that allows a cybercriminal to inject a new user into the admin panel of another cybercriminal.

It appears that this guy had his 100k+ Zeus botnet hijacked several months ago, and now that he's managed to at least partly recover the number of infected hosts in two separate botnets, is requesting advice on how to properly secure his administration panel.

Here's an exact translation of his concerns :
"Dear colleagues, I'd like to hear all sorts of ideas regarding to security of Zeus. I've been using Zeus for over a year now, and while I managed to create a botnet of 100k infected hosts someone hijacked it from me by adding a new user and changing my default layout to orange just to tip once he did it. Once I fixed my directory permissions. I now have two botnets, the first one is 30k and the second (thanks to a partnership with a friend) is now 3k located at different hosting providers.

Sadly, yesterday I once again found out that my admin panel seems to have been compromised since all the files were changed to different name, and access to the admin panel blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping Apache logs in order to find IPs that have been used for logging purposes and blocked them all. Therefore I think the new user has been added by exploiting a flaw in Zeus. In my opinion a request  was made to the database, either through an sql injection in s.php a file or a request from within a user with higher privileges.

Since I've applied patches to known bugs, this could also be a compromise of my hosting provider. So here are some clever tips which I offer based on my experience with securing Zeus.

- Change the default set of commands, make them unique to your needs only. 
- If it is possible to prohibit the reading and dump tables with logs all IP, to allow only certain (so that the crackers were not able to make a dump and did not read the logs in the database). 
- If it is possible to prohibit editing of tables with all the commands of Zeus IP, to allow only certain (that could not be "hijacked", insert the command bots)"

Surreal? Not at all, given the existing monoculture on the crimeware market. Moreover, yet another vulnerability was found in the Firepack web malware exploitation kit earlier this month (Firepack remote command execution exploit that leverages admin/ref.php). This exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which was also localized to Chinese several months later:

The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese

Ironically, cybercriminals too, seem to be using outdated versions of their crimeware.

Related posts:
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

February 24, 2009
With VPN-enabled malware infected hosts easily acting as stepping stones thanks to modules within popular malware bots, next to commercial VPN-based services, the cost of anonymizing a cybercriminal's Internet activities is not only getting lower, but the process is ironically managed in data retention havens such as the Netherlands, Luxembourg, USA and Germany in this particular case, by using the services of the following ISPs: LeaseWeb AS Amsterdam, Netherlands; ROOT-AS root eSolutions; HOPONE-DCA HopOne Internet Corp.; NETDIRECT AS NETDIRECT Frankfurt, DE.

Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers in order to run its VPN/Double/Triple VPN channels service which it exclusively markets in a "it's where you advertise your services, and how you position yourself that speak for your intentions" fashion.

Description of the service:

"- We will never sought to make the service cheaper than saving the safety of customers.
- Our servers are located in one of the most stable and high-speed date points (total channel gigabita 1.2)
- Only we have the full support service to the date of the center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions, our software is based on the modified code.
- Only here you get a stable and reliable service.

Characteristics of Sites:
- Channel 100MB, total channels gigabita 1.2.
- MPPE encryption algorithm is 128 bit

- Complete lack of logs and monitoring - a guarantee of your safety.
- Completely unlimited traffic.
- Support for all protocols of the Internet."


On the basis of chaining several different VPN channels located in different countries all managed by the same service, combined with a Socks-to-VPN functionality where the Socks host is a malware compromised one, all of which maintain no logs at all, is directly undermining the usefulness of already implemented data retention laws. Moreover, even a not so technically sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all, would result in the perfect anonymization service where the degree of anonymization would be proportional with the speed of the connection. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly.

With respect to the "no logs and monitoring for the sake of our customers security" claims, such services are based on trust, namely the customers are aware of the cybercriminals running them "in between" the rest of the services they offer, and since they're all "on the same page" an encrypted connection is more easily established. However, an interesting perspective is worth pointing out - are the owners of the cybercrime-friendly VPN service forwarding the responsibility to their customers, or are in fact the customers forwarding the responsibility for their activities to the owners, which are directly violating data retention laws and purposely getting rid of forensic evidence?

Things are getting more complicated in the "cybercrime cloud" these days.

Fake Celebrity Video Sites Serving Malware - Part Three

February 23, 2009
In the overwhelming sea of template-ization of malware serving sites, (naked) celebrities would always remain the default choice offered in the majority of bogus content generating tools taking advantage of the high page rank of legitimate Web 2.0 services.

Following the 2008's Fake Celebrity Video Sites Serving Malware series (Part Two) the very latest addition to the series demonstrates the automatic abuse of legitimate infrastructure - in this case Blogspot for the purpose of traffic acquisition.

The following are currently active and part of the same campaign:


Compared to the single-post only Blogspots, the following domains top100videoz.com; cinemacafe.tv; xvids-top.com have a lot more bogus content to offer.

Pharmaceutical Spammers Targeting LinkedIn

February 18, 2009
Following January's malware campaign relying on bogus LinkedIn profiles, this time it's pharmaceutical spammers' turn to target the business-oriented social networking site.

From a spammers/blackhat SEO-er's perspective, this is done for the purpose of increasing the page rank of their pharmaceutical domains based on the number of links coming from LinkedIn. The campaigns are monetized through the usual affiliate based pharmaceutical networks.

The following is a complete list of the currently active bogus domains, all part of identical campaigns:

Pharmaceutical domains used in the campaigns:


Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. But in 2009, if you're not at least requiring a valid email address, a confirmation of the registration combined with a CAPTCHA to at least slow down the bogus account registration process and ruin their efficiency model - systematic abuse of the service is inevitable (Commercial Twitter spamming tool hits the market).

LinkedIn's abuse team has already been notified of these accounts.

Community-driven Revenue Sharing Scheme for CAPTCHA Breaking

February 17, 2009
What follows when a system that was originally created to be recognizable by humans only, gets undermined by low-waged humans or grassroots movements? Irony, with no chance of reincarnation. CAPTCHA is dead, humans killed it, not bots.

A new market entrant into the CAPTCHA-breaking economy is proposing a novel approach that is not only going to result in more efficient human-based CAPTCHA solving on a large scale, but is also going to generate additional revenues for webmasters and their site's community members. The concept is fairly simple, since it's mimicking reCAPTCHA's core idea.

However, instead of digitizing books, any webmaster of an underground community, or of a general site, who would like to syndicate CAPTCHAs from Web 2.0 web properties into the site's CAPTCHA entry field is free to do so on a revenue-sharing, or plain simple voluntary, basis.

Consider for a moment the implications of such a project if they manage to execute it successfully. Starting from community-driven CAPTCHA breaking of Web 2.0 sites on basic forum registration fields using MySpace.com's CAPTCHA for authenticating new/old users, the plain simple automatic rotation for idle community users, to the enforcement of CAPTCHA authentication for each and every new forum post/reply.

What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for the purpose of spam and malware spreading, or reselling purposes. The development of this service -- if any -- will be monitored and updates posted if it goes mainstream.

Related posts:
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Quality Assurance in a Managed Spamming Service

February 11, 2009
Following previous coverage of the managed spam services offered by the Set-X mail system and a copycat variant of it, a newly introduced managed spam service is emphasizing quality assurance through the use of a Google Search Appliance for storing the harvested email databases and the spam templates.

Here's an automatic translation of some of the key features offered by the system, currently having a price tag of $1,200 per month:

"A summary of the main possibilities of the system
- Innovative technology deliver a unique e-mail system designed specifically for ******** to maximize serve up e-mails with a low rate of rejection
- Kernel Multi-organization system provides extremely high speed while the low-platform
- Provide complete sender's anonymity at the maximum system performance in terms multi-technology operating system bypass content filters using the built-in special tags:

+ Configurable generation of random strings
+ Change the case of letters randomly in a block 
+ random permutation of symbols in the block 
+ Inserting a random character in an arbitrary place in the block 
+ Replacing the same style of letters Latin alphabet for the Russian block 
+ Duplicating a random character in the block 
+ Paste into the body of a random letter strings from a file 
+ Managed morfirovanie image files in the format GIF-Correct emulation header sent letters Simultaneous connection of several bases e-mail addresses of those letter-substitution is performed from file-substitution e-mail addresses for the fields From and Reply-To is performed from a file-format of outgoing messages TEXT and HTML
+Ability to send emails from attachments
+Correct work with images in HTML messages possible as a direct method and with copies of CC , BCC-record-keeping system, results of the system is stored in files good, bad and unlucky for each connection of e-mail addresses, respectively
+The system is convenient and intuitive graphical user interface

System management
The system is operated under the interface to "Control Panel". The first is of them is multifunctional and serves to start the process of sending (the state of the "Run"), pause (the state of "pause") and confirm the end of the (state "Report") . The second button ( "Stop") serves to interrupt the process otpravki. Data section also contains the following information fields: 
- executes an action in this field is carried out to date, the system-progress indicator graphic indication of progress the task, Completed Display task progress percentage 
- Successful delivery of letters to the number of addresses that had been carried out successfully, failure of the number of addresses that failed to deliver a letter-number bad non-existent addresses, duration of the actual time of the task-status displays the status of the kernel system kernel kernel memory Displays memory core systems"
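
From the receiving side, the content-filter evasion tags in the quoted feature list (random case, Latin-to-Cyrillic lookalike substitution, duplicated and inserted characters) can be undone before keyword matching. The sketch below is an added example, not part of the original post or of any product it mentions; the watchlist, the sample message and all function names are constructed for illustration.

```python
import string
import unicodedata

# Cyrillic code points that render like Latin letters (small illustrative map).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
})

WATCHLIST = ("pharmacy", "discount")  # constructed keyword list

# Constructed message; \u0456 and \u0441 are Cyrillic lookalikes of "i" and "c".
SAMPLE = ("Visit our PhArMaCy now: big d\u0456s\u0441ount, disccount "
          "and pharm_acy offers. Normal discount text.")


def scripts(token):
    """Alphabets (LATIN, CYRILLIC, ...) used by the letters of a token."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in token if ch.isalpha()}


def mixed_script_tokens(text):
    """Tokens mixing Latin and Cyrillic letters, suspicious on their own."""
    tokens = (raw.strip(string.punctuation) for raw in text.split())
    return [t for t in tokens if {"LATIN", "CYRILLIC"} <= scripts(t)]


def collapse_runs(s):
    """Undo character duplication: 'disccount' -> 'discount'."""
    out = []
    for ch in s:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def is_one_insertion(candidate, keyword):
    """True if deleting exactly one character of candidate yields keyword."""
    if len(candidate) != len(keyword) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == keyword
               for i in range(len(candidate)))


def deobfuscate_hits(text, watchlist=WATCHLIST):
    """Return (token, keyword, tricks) for watchlist words reached only after
    undoing at least one transformation. Plain occurrences are left to the
    ordinary keyword filter. Random permutation is not handled here."""
    targets = {collapse_runs(k.lower()): k.lower() for k in watchlist}
    hits = []
    for raw in text.split():
        token = raw.strip(string.punctuation)
        mapped = token.translate(HOMOGLYPHS)   # Cyrillic lookalikes -> Latin
        lowered = mapped.lower()               # neutralise random case
        folded = collapse_runs(lowered)        # neutralise duplication
        tricks = set()
        keyword = targets.get(folded)
        if keyword is not None:
            if lowered != keyword:
                tricks.add("duplicated-char")
        else:
            # Fuzzy step: one stray character anywhere in the token. Plurals
            # match too, so treat this as a score contribution, not a verdict.
            keyword = next((k for f, k in targets.items()
                            if is_one_insertion(folded, f)), None)
            if keyword is None:
                continue
            tricks.add("inserted-char")
        if mapped != token:
            tricks.add("homoglyph")
        letters = "".join(ch for ch in mapped if ch.isalpha())
        if not (letters.islower() or letters.isupper() or letters.istitle()):
            tricks.add("random-case")
        if tricks:
            hits.append((token, keyword, sorted(tricks)))
    return hits


if __name__ == "__main__":
    for hit in deobfuscate_hits(SAMPLE):
        print(hit)
    print(mixed_script_tokens(SAMPLE))
```

Each hit names the transformation that had to be reversed, which is usually a stronger spam signal than the keyword itself.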

The ongoing arms race between the security industry and cybercriminals, is inevitably driving innovation at both sides of the front. However, based on the scalability of these managed spam services, it's only a matter of time for the vendors to embrace simple penetration pricing strategies that would allow even the most price-conscious cybercriminals, or novice cybercriminals in general to take advantage of this standardized spamming approach. The disturbing part is that the innovation introduced on behalf of the spam vendors in terms of bypassing spam filters, seems to be introduced not on the basis of lower delivery rates, but due to the internal competition in the cybercrime ecosystem.

For instance, new market entrants in the face of botnet masters attempting to monetize their botnets by offering the usual portfolio of cybercrime services, often undercut the offerings of the sophisticated managed spam vendors. And so the vendors innovate with capabilities that the new market entrants cannot match, in order to not only preserve their current customers, but also, acquire new ones. Managed spam services as a business model is entirely driven by long term "bulk orders", compared to earning revenues on a volume basis by empowering low profile spammers with sophisticated delivery mechanisms.

In the long term, just like every other segment within the cybercrime ecosystem, vertical integration and consolidation will continue taking place, and thankfully we'll have a situation where the spam vendors would be sacrificing OPSEC (operational security) on their way to scale their business model and acquire more customers.

A Diverse Portfolio of Fake Security Software - Part Fifteen

February 03, 2009
Descriptive fake security software domains speak for themselves, and what follows are the very latest ones currently active in the wild :



Registrant : Damir Sbil; Email: damirsbils791@googlemail.com



Registrant: Ahmo Stolica; Email: ahmostoln73@yahoo.com



Registrant: Dion Choiniere; Email: noelwollenberg@ymail.com


Registrant: Maksim Hirivskiy Email: alt165@freebbmail.com

DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD (AS48511) :


Proactively blocking these undermines a great deal of traffic acquisition campaigns whose aim is to hijack legitimate traffic to these domains.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Crimeware in the Middle - Adrenalin

February 03, 2009
What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of the Adrenalin crimeware kit, which originally cost a hefty $3000, it's time to profile the kit, discuss its key differentiation factors from Zeus, and emphasize why, despite the fact that it leaked, the kit is not going to take any of Zeus's market share. At least not in its current form.

In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too isn't coded from scratch, but it appears that -- at least according to cybercriminals questioning its authenticity on their way to secure a bargain deal when purchasing it -- Adrenalin is using portions of Corpse's original A-311 release.

Adrenalin's description and features :
"Injections system - inserting html / javascript code in the page / files / javascript or substitution of one code by another injection occurs in the stream mode, ie the modified page is loaded at once!
(not as in the other BHO based trojans with insertions only after the full load the page (causing javascript problems) or limiting the impact (if for instance the user is on a mobile device connection). In our implementation, all works quickly and efficiently!

- The collection of pieces of text from the html pages, as one of the modes of operation injector (balance, etc ..)

- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going in an easy to read and process the form

- Collector of certificates. Pulling out of all installed certificates including attempts to commit, and certificates that are marked as uncrackable. Certificates neatly stored for each individual bot.

- Page redirector. allows you to replace a page or separate framing in the network. everything is done completely unnoticed. substitution of the content occurs in the interior windsurfing, and even then the browser and any special lotion can be confident that is what you want.

- Domain redirector. forwards all requests from the original site on the fake. address bar, and all references point to the original course can also be used to block access to certain sites

- Universal form grabbing puller forms, can strip the data from the virtual keyboard these forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware kits working through the tracking of users clicking buttons / links it intercepts the data has already been formed, which can be seen in the log. Data can be collected all the running, and keyword (filter)
to delete the logs; noise over debris to chat and not necessary for the work sites.

All data are transmitted in encrypted form, which is important to bypass the protection, like for instance ZoneAlarm's ID Lock. Undoubted advantage is also that the logs are sent instantly - in parallel with the data sent to the original site. No need to worry that the victim will go into an offline and accumulated locally log form grabbing are not able to send.

- Screenshots at the address
- TAN grabbing. The technology allows to effectively collect workers TANs
- Periodic cleaning of cookies/flashcookie.
- Grabbing around-the-forms words (without adjustment - Adrenalin defines its own algorithm that it must be collected. algorithm Improved!)
- The collection of passwords,  for instance Protected Storage (IE auto complete, protected sites, outlook)
- Classic keylogger
- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - are less vulnerable machines, and want to put on something more. Cleaning system greatly increases the chances of survival
- Anti-Anti Rootkit mechanisms
- Work on the system without the EXE file
- User-friendly format logs! Forget the piles of files stupid!
- Socks4 / 5 + http (s) proxy server enabled on the infected host
- Shell + Backshell enabled on the infected host
- Socks admin
- Management of each bot individually, or simultaneously (Downloading files, updating settings, etc.)
- Requires PHP on the web based command and control host
- Ability to output commands (including downloads), taking into account the country's bot (function as a resident loader statistically for programs) - and other small pleasures"

Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware kit, whose only differentiation factor would have been the customer support in the form of the managed undetected malware binaries that naturally comes with it. However, its TAN grabbing ability, proprietary collection of data "around the forms", stripping content from virtual keyboards and automatic certificates collection on a per-host basis, and its ability to clean the system from competing BHO-based trojans, make it special.

How do you actually measure the popularity of a crimeware kit? Based on the market share of the crime kit, or based on another benchmark? It's all a matter of perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community was built around Adrenalin the way it was built around Zeus, making the original Zeus release look like an amateur-ish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include :

- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout

For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.

With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn't come as a surprise, that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they're doing.

Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconnaissance process of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just "monetization of what used to be a commodity good/service" as usual taking into consideration this overall trend, or perhaps there's another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it's the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased.

With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is built around it, one that would inevitably increase its popularity and prompt others to introduce new features within the kit.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key

The Template-ization of Malware Serving Sites - Part Two

February 02, 2009
The growing use of "visual social engineering" in the form of legitimate-looking codecs, flash player error screens, adult web sites, and YouTube windows in order to forward the infection process to the end user himself, is the direct result of the ongoing template-ization of malware serving sites. This standardizing is all about achieving efficiency, in this case, coming up with high-quality and legitimate-looking templates impersonating the average Internet user by enjoying the clean reputation of the impersonated service in question.

The attached screenshot of the very latest DIY windows media player with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped-off from a competing affiliate network participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will.

Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv. In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customers, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.

Portfolio of fake codecs serving domains parked at the original mirrored domain's IP :

Download locations :
brakeextra .com/download/FlashPlayer.v..exe (94.247.2.183)
brakeextra .com/download/TestCodec.v.3.127.exe


Entire portfolio of domains parked at (94.247.2.183) :

Dots, dots, dots: trackgame .net is once again proving the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search queries poisoning attacks.

Poisoned Search Queries at Google Video Serving Malware

January 28, 2009
UPDATE: A recently published article at the Register by John Leyden incorrectly states that "researchers at Trend Micro discovered that around 400,000 queries returning malicious results that lead to a single redirection point" whereas the researchers in question went public with the attack data on the 27th of January, and then again on the 28th of January.

This isn't the first time the Register shows an outdated situational awareness, following the two month-old coverage of a proprietary email and personal information harvesting tool, which I extensively covered in between receiving comments from one of the affected sites.

A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template. (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video.

Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every one of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video; if he or a researcher isn't, then based on a simple HTTP referer check, a legitimate YouTube video is served.

Upon clicking on the video from any of their publisher domains, the user is taken to porncowboys .net/continue.php (94.247.2.34) then forwarded to xfucked .org/video.php?genre=babes&id=7375 (94.247.2.34) to have the binary served at trackgame .net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. Detection rate for the flash player.

The malware publisher domains crawled by Google Video redirecting to the bogus flash player :
nudistxxx .net - 22,000 bogus video titles
realsexygirls .net - 21,000 bogus video titles
trulysexy .net - 27,100 bogus video titles
madsexygirls .net - 18,900 bogus video titles
mypornoplace .net - 25,700 bogus video titles
hotcasinoxxx .net - 28,900 bogus video titles
hotgirlstube .net - 37,900 bogus video titles
xgirlplayground .com - 50,600 bogus video titles
puresextube .net - 20,700 bogus video titles
xxxtube4u .com - 11,400 bogus video titles
sexygirlstube .net - 63,100 bogus video titles
xporntube .org - 12,800 bogus video titles
xxxgirls .name - 33,500 bogus video titles
girlyvideos .net - 37,500 bogus video titles
mytubecentral .net - 38,900 bogus video titles
puresextube .net - 20,700 bogus video titles
teencamtube .com - 18,400 bogus video titles
celebtube .org - 41,100 bogus video titles
truexx .com - 16,900 bogus video titles
hottesttube .net - 28,100 bogus video titles
hotgirlsvids .net - 27,200 bogus video titles
watch-music-videos .net - 14,900 bogus video titles
marketvids .net - 29,900 bogus video titles
gamingvids .net - 7,930 bogus video titles
hentaixxx .info - 25,500 bogus video titles

The campaign is currently in a cover-up phase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there. Timeliness vs comprehensiveness of a malware campaign?

Following this example of comprehensiveness, take into consideration the timeliness in the face of October 2008's campaign when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results.

Embassy of India in Spain Serving Malware

January 27, 2009
The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e where the binary is served, a complete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :


As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns. 

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Exposing a Fraudulent Google AdWords Scheme

January 21, 2009
UPDATE: Conduit's Director of Strategic Marketing Hai Habot contacted me in regard to the campaign. Comment published at the bottom of the post.

Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are nonetheless still taken into consideration.

The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (ayuda@shareware.pro; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and HTTP referer checks, in order to deliver a customized toolbar while earning revenue as part of the Conduit Rewards Program.

Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's, and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his.

Brandjacked software domains part of the AdWords campaign :

The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every one of the participating sites links to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming from, the software bundle including the revenue-generating toolbar is served in the following way :

firefox-co .com/downloads/installer-5-firefox-uk.exe
winamp-co .com/downloads/installer-37-winamp-uk.exe
winamp-co .com/downloads/installer-37-winamp-nl.exe
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe
divx-co .com/downloads/installer-25-divx-uk.exe

Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :

peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4

The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.

UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.
 

As you may know, Conduit does not have full control over the promotional activity of the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads or links) however, the activity described in your post is clearly in violation of our terms of use (section V of the Conduit Publisher Agreement) and our compliance team can take different measures against this publisher including the removal of the toolbar from our platform.

The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved."

A Diverse Portfolio of Fake Security Software - Part Fourteen

January 19, 2009
The following currently active fake security software domains have been included within ongoing blackhat SEO campaigns, among the many other tactics that they use in order to attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software domains series is prone to expand throughout the year.

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com


Domain owner:
Name: Aennova M Decisionware
Organization: NA
Address: Rua Maestro Cardim 1101   cj. 112
City: Sgo Paulo
Province/state: NA
Country: BR
Postal Code: 01323
Phone: +5.5113245388
Fax: +5.5113245388
Email: victor@aennovas.com


rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com


Domain owner:
Vadim Selin anzo45@freebbmail.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
ru


antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com


Domain owner:
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Email: promasteryouth@gmail.com


It's interesting to point out that so far, none of the hundreds of typosquatted domains is taking advantage of a legitimate online payment processor. Instead, they not only self-service themselves, but offer to process payments for other participants in the affiliate network. In respect to these bogus domains, we have the following payment processors working for them :

secure.softwaresecuredbilling .com (209.8.45.122) registered to Viktor Temchenko (TemchenkoViktor@googlemail.com)
secure.goeasybill .com (209.8.25.202) registered to Chen Qing (dophshli@gmail.com)
secure-plus-payments .com (209.8.25.204) registered to John Sparck (sparck000@mail.com)

Related posts:
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

January 19, 2009
The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then.

Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.

Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.

Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acquisition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank.

Domains Serving Internet Explorer Zero Day in December

January 14, 2009
December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL injected to target international sites, with the rest injected at Asian sites only.

This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differs based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is worth more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :

SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm
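
The percent-encoded variant noted in the first entry only evades checks that compare the raw markup against a blocklist. The following is an added example, not part of the original post, showing a site-integrity scan that normalizes the host of every remote `script`/`iframe` include before matching; the domain names, sample page and function names are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed blocklist entry; stands in for an injected domain such as those listed above.
BLOCKLIST = {"injected-example.test"}

# Constructed page fragment: one script injected in plain, percent-encoded and mixed-case form.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report</p>
<script src="http://c.injected-example.test/css/c.js"></script>
<script src=http://c.%69njected-example.test/css/c.js></script>
<script src="//C.INJECTED-EXAMPLE.TEST./css/c.js"></script>
<script src="/static/site.js"></script>
<iframe src="http://cdn.harmless-example.test/widget"></iframe>
</body></html>
"""


class SrcCollector(HTMLParser):
    """Collect src attributes of tags that pull in remote content."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.sources += [v for k, v in attrs if k == "src" and v]


def normalized_host(url, max_rounds=3):
    """Return the lowercase, percent-decoded host of url, or None if it is relative."""
    m = re.match(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?//([^/?#]*)", url.strip())
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1]    # drop userinfo
    host = host.split(":", 1)[0]            # drop port (IPv6 literals not handled)
    for _ in range(max_rounds):             # undo nested encoding: %2569 -> %69 -> i
        decoded = unquote(host)
        if decoded == host:
            break
        host = decoded
    return host.lower().rstrip(".")


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host equals a blocklisted domain or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def naive_hits(html, blocklist=BLOCKLIST):
    """Substring match on raw markup: the check the encoded variant slips past."""
    return sum(html.count(domain) for domain in blocklist)


def find_injected(html, blocklist=BLOCKLIST):
    """Return (raw src, normalized host) for every blocklisted remote include."""
    parser = SrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        host = normalized_host(src)
        if host and is_blocked(host, blocklist):
            hits.append((src, host))
    return hits


if __name__ == "__main__":
    print("naive substring hits:", naive_hits(SAMPLE_HTML))
    for src, host in find_injected(SAMPLE_HTML):
        print(f"{host:28} <- {src}")
```

On the constructed page the raw substring check finds one of the three injected includes, while the normalized scan reports all three.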

Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:

Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists