PAINTing a Botnet IRC Channel

January 14, 2008
I suppose that even for a script kiddie it takes extra time and patience to come up with a spoofed IRC channel like this one, crowded with infected hosts. The drawing is courtesy of a script kiddie's wishful thinking. Here are some screenshots from the real world, along with some of the most recent developments I covered in previous posts.

The Pseudo "Real Players"

January 14, 2008
What happened with the recent massive RealPlayer embedded-malware attack? Two of the main hosts are now down, and the third one, ucmal.com/0.js, is strangely loading an IFRAME pointing to ISC's blog, alongside 61.188.39.218/pingback.txt, which over the last couple of hours was returning the message "You're welcome for being saved from near infection".

As I'm sure others also like to analyze the post-incident behavior of the malicious parties: in this particular attack, over the weekend they used what has by now become a trademark of the Russian Business Network, serving a fake 404 error page while keeping the campaign running. In RBN's case only the index pages served the fake "account suspended" messages, while the campaign stayed active on the rest of the internal pages. In the RealPlayer campaign the 404 error pages themselves carried the same IFRAMEs, so that the average Internet user sees nothing but an error while the exploit still loads.

Although the main campaign domains are now blocked worldwide, the hundreds of thousands of sites that originally participated are still not clean and keep trying to load the now-down domains. Moreover, the bigger picture involves a fourth domain, yl18.net/0.js, which was part of the same type of massive embedded-malware attack in November 2007.

Why pseudo "real players"? Because this attack relied on what can only be called a fad: a single exploit as the cornerstone of the campaign, at least if massive infection was the goal. The "real players", script kiddies on the majority of occasions, serve exploits on a client-side matching basis, so the more diverse the exploit set, the higher the probability that a vulnerable application is detected and exploited. Therefore, given the number of sites affected, it could have been much worse than it currently is, judging by speculation about the campaign's success rate in terms of infections (the number of sites affected is a success by itself). Execution gone wrong, given the foundation laid for the attack; until next time.

Malware Serving Exploits Embedded Sites as Usual

January 10, 2008
The combination of the recent RealPlayer exploit and MDAC is a fad, but it is being embraced in the short term by malicious parties in China, who have also started adding the Internet Explorer VML download-and-execute exploit (MS07-004), thanks to recent localized forum postings on modifying that third exploit. Let's assess several sample domains.

8v8.biz/ms07004.htm (58.53.128.98) is one such domain, serving a combination of these, starting with Exploit-MS07-004:

Result: 12/32 (37.5%)
File size: 3432 bytes
MD5: bafab9b8e38527e9830047fd66b39532
SHA1: b81abcf63a2c4bcf43526f28aec20fca2f58d67c

8v8.biz/1.htm (MDAC) also loads 8v8.biz/06014.html alongside 8v8.biz/r.htm (unobfuscated RealPlayer exploit), and all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; Win32/Cekar!generic:

Result: 27/31 (87.10%)
File size: 19501 bytes
MD5: 7b101f7baeae0ebab9ecc06fdb9542dc
SHA1: 36ffa50ce3873fb04c13c80421c205a7760f47ca

The binary carries a built-in list of known anti-malware executables and registers itself as the default debugger for each of them (the per-image "Debugger" value under Image File Execution Options), so Windows launches the malware instead whenever one of those programs starts, effectively killing many of the security applications.
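
The technique described in the paragraph above is the Image File Execution Options (IFEO) "Debugger" value: Windows launches whatever that value names instead of the image, so pointing it at the malware (or at a nonexistent file) silently kills the security product every time it starts. The following is an added example, not code from the post or from the analysed binary, that parses a reg export of the IFEO key and flags anti-malware images whose debugger is not a real debugger. The .reg text, the three process names (avp.exe, ekrn.exe, mcshield.exe) and the allowlist of known debuggers are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export" of the IFEO key (not data from the analysed
# binary). The three anti-malware image names are illustrations only.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\x.exe"
"""

# IFEO subkey named after an executable; the optional Wow6432Node covers 64-bit hosts.
IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\"
    r"CurrentVersion\\Image File Execution Options\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
DEBUGGER_VALUE_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

# Programs that legitimately show up as an IFEO debugger (assumed allowlist).
KNOWN_DEBUGGERS = ("ntsd", "cdb", "windbg", "vsjitdebugger", "drwtsn32")


def find_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger command for every IFEO subkey that sets one."""
    found: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = IFEO_KEY_RE.match(line)
            current = m.group(1).lower() if m else None
            continue
        m = DEBUGGER_VALUE_RE.match(line) if current else None
        if m:
            # .reg syntax doubles backslashes and escapes quotes inside string data.
            found[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return found


def suspicious_ifeo(entries: Dict[str, str], watched: List[str]) -> Dict[str, str]:
    """Return watched images whose Debugger is not a recognised debugger.

    Windows starts the Debugger command *instead of* the image, so a Debugger
    value on an anti-malware process that points anywhere else means the
    product never runs, which is exactly the kill technique described above.
    """
    flagged: Dict[str, str] = {}
    for image, cmd in entries.items():
        if image not in watched:
            continue
        tokens = cmd.split()
        exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
        if not exe.startswith(KNOWN_DEBUGGERS):
            flagged[image] = cmd
    return flagged


if __name__ == "__main__":
    hits = suspicious_ifeo(find_ifeo_debuggers(SAMPLE_REG_EXPORT),
                           ["avp.exe", "ekrn.exe", "mcshield.exe"])
    for image, cmd in hits.items():
        print(f"{image} hijacked -> {cmd}")
```

On a suspect machine, export the key with reg.exe (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`), which writes UTF-16, so open the file with `encoding="utf-16"` before passing its text in. A legitimate Debugger entry is rare on an end-user box (developers, and Process Explorer's "replace Task Manager" option, are the usual exceptions), so anything set on a security product's image deserves a look.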

Another exploit-serving domain with a very diverse set of exploits, again including the faddish RealPlayer plus MDAC combination, is uc147.com (218.107.216.85):

uc147.com/test/MS07004.htm
uc147.com/test/PPs.htm
uc147.com/test/biaxing06014.Htm
uc147.com/test/index.htm
uc147.com/test/Click_here.html
uc147.com/test/PPLIVE.htm
uc147.com/test/Thunder.html
uc147.com/test/bf.htm
uc147.com/test/Open.htm
uc147.com/test/ms06014.htm
uc147.com/test/jetAudio%207.x.htm

all of which try to load uc147.com/zy.exe:

Result: 24/32 (75%)
File size: 15456 bytes
MD5: 3a0804d8e12706e97cdda6aa4f50ef5f
SHA1: cfd2f158a658dc0d8618c35806b94008b4fb1c0f

The third domain is a great example of an emerging trend rather than a fad: campaigns built on comprehensive chains of multiple IFRAMEs. qx13.cn/3.htm (61.174.61.94) serves an IE COM CreateObject code execution exploit (MS06-042) and loads sp.070808.net/23.htm (75.126.3.218), which in turn tries to load the following as well:

sp.070808.net/in.htm
wc.070808.net/37.htm
az.sbb22.com/hh.htm
um.uuzzvv.com/uu.htm
fa.55189.net
acc.jqxx.org/40.htm
ktv.mm5208.com/25.htm

Two other IFRAMEs within qx13.cn/3.htm, w.aeaer.com/ae.htm (75.126.3.216) and qi.ccbtv.net/btv.htm (66.90.79.138), load the same set of IFRAMEs. It gets more complicated, and the ecosystem more comprehensive, as the secondary IFRAMEs in turn load many others, such as:

68yu.cn/s29.htm
ermei.loveyoushipin.com/pic/9041.htm
yun.yun878.com/web/6619038.htm
ppp.749571.com/ww/new82.htm
2.xks08.com/dm1.htm?60
ad.2365.us/110

The more complicated and dynamic these IFRAME chains get, the longer the campaign's lifecycle becomes: it is harder for defenders to determine where the weakest link is, and easier for the malicious parties to see which node needs a boost and add new domains spread across different netblocks, as in this case.
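
One way to see such a chain the way a defender has to, as a graph rather than a list, is below. This is an added example, not code from the post: the adjacency map reproduces the two levels the post describes, the edges from the secondary pages to the tertiary list are constructed for illustration (the post does not say which secondary page loads which), and only the four hosts the post gives addresses for are resolved. The walk runs entirely offline from that map; in practice the map would come from fetching each page in a sandbox and extracting its IFRAME sources.

```python
from collections import deque
from ipaddress import ip_network
from typing import Dict, Iterable, List, Optional, Set

# Pages loaded by sp.070808.net/23.htm according to the post; w.aeaer.com/ae.htm and
# qi.ccbtv.net/btv.htm load the same set.
SECONDARY = [
    "sp.070808.net/in.htm", "wc.070808.net/37.htm", "az.sbb22.com/hh.htm",
    "um.uuzzvv.com/uu.htm", "fa.55189.net", "acc.jqxx.org/40.htm", "ktv.mm5208.com/25.htm",
]

# Adjacency map: page -> IFRAMEs it loads. The first two levels follow the post; the
# edges from the secondary pages to the tertiary list are CONSTRUCTED for illustration,
# since the post lists the tertiary pages without saying which secondary page loads which.
IFRAMES: Dict[str, List[str]] = {
    "qx13.cn/3.htm": ["sp.070808.net/23.htm", "w.aeaer.com/ae.htm", "qi.ccbtv.net/btv.htm"],
    "sp.070808.net/23.htm": SECONDARY,
    "w.aeaer.com/ae.htm": SECONDARY,
    "qi.ccbtv.net/btv.htm": SECONDARY,
    "sp.070808.net/in.htm": ["68yu.cn/s29.htm", "ermei.loveyoushipin.com/pic/9041.htm"],
    "wc.070808.net/37.htm": ["yun.yun878.com/web/6619038.htm"],
    "az.sbb22.com/hh.htm": ["ppp.749571.com/ww/new82.htm", "2.xks08.com/dm1.htm?60"],
    "acc.jqxx.org/40.htm": ["ad.2365.us/110"],
}

# Resolutions the post gives; every other host is left unresolved on purpose.
HOST_IP: Dict[str, Optional[str]] = {
    "qx13.cn": "61.174.61.94",
    "sp.070808.net": "75.126.3.218",
    "w.aeaer.com": "75.126.3.216",
    "qi.ccbtv.net": "66.90.79.138",
}


def host_of(url: str) -> str:
    """Host part of a scheme-less URL as written in the post."""
    return url.split("/", 1)[0].split("?", 1)[0].lower()


def walk(start: str, iframes: Dict[str, List[str]]) -> Dict[str, int]:
    """Breadth-first walk from the landing page: every reachable URL with its depth.
    Each page is visited once, so loops between redirectors cannot hang the walk."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        page = queue.popleft()
        for child in iframes.get(page, []):
            if child not in depth:
                depth[child] = depth[page] + 1
                queue.append(child)
    return depth


def in_degree(iframes: Dict[str, List[str]]) -> Dict[str, int]:
    """Number of distinct parents that load each page. A page loaded from several
    redirectors is the node whose takedown breaks the most chains."""
    counts: Dict[str, int] = {}
    for children in iframes.values():
        for child in set(children):
            counts[child] = counts.get(child, 0) + 1
    return counts


def netblocks(urls: Iterable[str], host_ip: Dict[str, Optional[str]],
              prefix: int = 24) -> Dict[str, Set[str]]:
    """Group hosts by /prefix netblock; hosts without a known address go under 'unknown'."""
    groups: Dict[str, Set[str]] = {}
    for url in urls:
        host = host_of(url)
        ip = host_ip.get(host)
        key = str(ip_network(f"{ip}/{prefix}", strict=False)) if ip else "unknown"
        groups.setdefault(key, set()).add(host)
    return groups


if __name__ == "__main__":
    reach = walk("qx13.cn/3.htm", IFRAMES)
    print(f"{len(reach)} pages, max depth {max(reach.values())}")
    shared = {p: n for p, n in in_degree(IFRAMES).items() if n > 1}
    print("loaded from more than one redirector:", sorted(shared))
    for block, hosts in sorted(netblocks(reach, HOST_IP).items()):
        print(block, sorted(hosts))
```

Two things fall out immediately: every secondary page is loaded from all three first-level redirectors, so the seven shared pages, not the landing page, are where a single takedown breaks the most chains; and two of the three first-level hubs (75.126.3.216 and 75.126.3.218) sit in the same /24, so "spread across different netblocks" is only partly true for this chain. Prefix grouping is a rough stand-in for ASN lookups when working offline.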

The Invisible Blackhat SEO Campaign

January 08, 2008
Count this as a historical example of a blackhat SEO campaign. Although the "Fresh Afield" blog (blogs.mdc.mo.gov) is now clean, cached copies confirm that hidden links were embedded in each and every post on it, apparently due to a compromise. The invisible blackhat SEO links embedded within the posts point to a compromised account at Texas A&M University (aero.tamu.edu/people/raktim), as you can see in the screenshot. There was also a visible part of the campaign, located under blogs.mdc.mo.gov/custom/?0f, and as usual, once the blackhat SEO pages were uploaded or embedded, as happened here, the blogs.mdc.mo.gov URLs were spammed across the Internet.

MySpace Phishers Now Targeting Facebook

January 07, 2008
The "campaigners" behind the MySpace phishing attack, which I briefly assessed in previous posts, seem to have started targeting Facebook as well. Ryan Singel comments and quotes me in a related article:

"Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords. Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords."

Compared to their previous MySpace phishing campaign, which was also serving malware along the way, this one was done purely to steal the account credentials of Facebook users. And while we're on the topic of malicious Facebook campaigns, impersonating Facebook's login page or web presence from a blackhat SEO perspective in order to serve malware is always in fashion. Take this fake Facebook login subdomain serving malware: facebook-login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/, which attempts to load 209.160.73.132/download/502/541/1/, where 209.160.73.132/dw.php is the adware, Adware:Win32/SmitFraud. And yet another: facebook-login-61248sf1.krantik.info (89.149.206.225), whose deobfuscated JavaScript attempts to load topsearch10.com/search.php (209.8.25.156). Spammy, yammy.

Massive RealPlayer Exploit Embedded Attack

January 07, 2008
This embedded-malware attack is massive and ugly. What's most disturbing about it is the number of sites affected, which speaks of coordination, at least with respect to having the exploit-serving infrastructure in place before the vulnerability became public:

"One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week."

According to SANS, there are only two domains involved in the attack, uc8010.com/0.js and ucmal.com/0.js; however, there's also a third one, rnmb.net/0.js. This attack is nothing but "embedded malware as usual": JavaScript obfuscation, multiple IFRAME redirectors to and from internal pages, and scripts within the domains. Let's assess those that are still active:

- n.uc8010.com/0.js returns an "ok ^_^" message and loads c.uc8010.com/ip/Cip.aspx (61.188.39.218), which says "Hello"; furthermore, c.uc8010.com/0/w.js loads c.uc8010.com/1.htm, count38.51yes.com/click.aspx?id=389925362&logo=1 and s106.cnzz.com/stat.php?id=742266&web_id=742266 (the last two are Chinese visitor-counter services, so the attackers are counting their hits)

The internal structure is as follows :

c.uc8010.com/1.htm - attempts MDAC ActiveX code execution (CVE-2006-0003) and loads the following:
c.uc8010.com/046.htm - JavaScript obfuscation
c.uc8010.com/r.htm - RealPlayer exploit
c.uc8010.com/014.js - JavaScript obfuscation
c.uc8010.com/111.htm - unobfuscated RealPlayer exploit

- ucmal.com/0.js (122.224.146.246) - another obfuscation

- rnmb.net/0.js says "ok! ^_^ Don't hank me !", but unlike the first two, which are still active, this one has been down since yesterday, although it still remains embedded on many sites
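
The fake 404 pages described in "The Pseudo 'Real Players'" above and the obfuscated scripts in this post are two faces of the same problem: the HTTP status code and the visible text say one thing, while the script loads an IFRAME anyway. The following is an added example, not the campaign's script or code from the post: it statically peels the unescape() and String.fromCharCode() wrappers common in these campaigns (without ever evaluating the JavaScript), extracts every iframe/script src from each decoded layer, and flags a 4xx/5xx response that still pulls third-party content. The sample page, its hosts under example.invalid and the encoded strings are constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote, urlparse

# Constructed sample, NOT a capture from the campaign: a response that looks like a
# stock 404 page but still carries two obfuscated IFRAMEs; hosts are *.example.invalid.
SAMPLE_STATUS = 404
SAMPLE_BODY = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F0.js%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,115,116,97,116,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,49,46,104,116,109,34,62,60,47,105,102,114,97,109,101,62,39,41));</script>
</body></html>"""

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
SRC_RE = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def js_unescape(s: str) -> str:
    """JavaScript unescape(): handles %uXXXX as well as the %XX that unquote() knows."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def from_char_code(arg_list: str) -> str:
    """Decode the numeric argument list of String.fromCharCode(...)."""
    return "".join(chr(int(n)) for n in re.split(r"[,\s]+", arg_list.strip()) if n)


def deobfuscate_layers(text: str, max_depth: int = 5) -> List[str]:
    """Peel the two most common wrappers of the period (unescape() and
    String.fromCharCode()) layer by layer, without ever evaluating the script.
    Returns the original text followed by every decoded layer."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        decoded = []
        for t in frontier:
            decoded += [js_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(t)]
            decoded += [from_char_code(m.group(1)) for m in FROMCHARCODE_RE.finditer(t)]
        decoded = [d for d in decoded if d not in layers]
        if not decoded:
            break
        layers += decoded
        frontier = decoded
    return layers


def loaded_resources(html: str) -> List[Tuple[str, str]]:
    """(tag, src) for every iframe/script src visible in the page or any decoded layer."""
    found: List[Tuple[str, str]] = []
    for layer in deobfuscate_layers(html):
        for tag, src in SRC_RE.findall(layer):
            item = (tag.lower(), src)
            if item not in found:
                found.append(item)
    return found


def fake_error_page(status: int, html: str, own_host: str) -> List[str]:
    """Third-party iframes/scripts pulled by a 4xx/5xx response. A real error page
    has no business loading content from other hosts; one that does is the tell."""
    if status < 400:
        return []
    third_party = []
    for _tag, src in loaded_resources(html):
        host = urlparse(src if "//" in src else "http://" + src).hostname or ""
        if host and host != own_host.lower():
            third_party.append(src)
    return third_party


if __name__ == "__main__":
    for src in fake_error_page(SAMPLE_STATUS, SAMPLE_BODY, "www.example.invalid"):
        print("404 page still loads:", src)
```

The decoder handles only literal arguments; a script that builds its argument list arithmetically or splits it across variables needs a sandboxed interpreter instead. That limitation is also why the check looks at every decoded layer rather than only the outermost one: the second sample script reveals its IFRAME only after the fromCharCode layer is peeled.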

Detection rate for the unobfuscated exploit :
Result: 17/32 (53.13%) - Exploit-RealPlay; JS/RealPlay.B
File size: 3003 bytes
MD5: a85a28b686fc2deedb8d833feaacef16
SHA1: 0282e945ded85007b5f99ddee896ed5e31775715

Detection rate for the obfuscated exploit :
Result: 11/32 (34.38%) - JS/Agent.AMJ!exploit; Trojan-Downloader.JS.Agent.amj
File size: 2880 bytes
MD5: d363ffca061ebf564340c4ac899e3573
SHA1: 1226d3d9fcc5052a623b481b48443aeb246ab5db

A lot of university and international government sites continue to carry the embedded script, and so did Computer Associates' site, according to this article:

"Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."

Each and every embedded-malware attack I assessed in 2007, including all of Storm Worm's campaigns, relied on outdated vulnerabilities for its success, but this one is taking advantage of the now old-fashioned window of opportunity: a malicious party enjoying the lack of a patch for the vulnerability. Why old-fashioned? Because malware exploitation kits like MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker changed the threatscape by first identifying the victim's browser and then serving the exact exploit for it, pushing success rates against vulnerable visitors towards 100%. Another such single-vulnerability embedded attack was the MDAC exploit farm spread across different networks that I covered in a previous post. It's also interesting to note that a live MDAC exploit page was found within what was originally thought to be a RealPlayer-only campaign. Shall we play devil's advocate? The campaign would have been far more successful had a malware exploitation kit been used, since with a single exploit the campaign's success depends entirely on RealPlayer being present on the visitor's machine.

Riders on the Storm Worm

December 28, 2007
Over the last couple of days the folks behind Storm Worm have started using several new and highly descriptive domains. They seem to have changed the layout as well, and although the exploit IFRAME is now gone, automatically registered Blogspot accounts are also disseminating links to the domains. Some of these were registered recently; others have been part of a blackhat SEO operation for a while and are being used as a foundation for the campaign. These are all the known Storm Worm fast-flux domains for the time being:

merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com


_happycards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

_uhavepostcard.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com

_newyearwithlove.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

_newyearcards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

Moreover, Paul is also pointing out the use of Blogspot blackhat SEO generated blogs in this Storm Worm campaign. In case you remember, the first such campaign relied on the infected user logging into Blogger herself, so that Storm Worm could ride the authenticated session to add a link to a malware-infected IP. Sample Blogspot URLs:

cbcemployee.blogspot.com
canasdelbohio.blogspot.com
1dailygrind.blogspot.com
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html
jariver.blogspot.com/2007/12/opportunities-for-new-year.html
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.html

As for the email subjects used so far, here's a rather complete list courtesy of US-CERT.

With end users now being warned about the risks of visiting a raw IP instead of a domain name, this campaign relies on descriptive domains, unlike the previous one, even though linking to IPs was among the tactics that let Storm Worm's first campaign scale so well, with every infected host acting as an infection vector in itself. And although I'm monitoring the use of such IPs from the first campaign in this one on a limited set of Storm Worm infected PCs, the next couple of days will shed more light on whether they'll start using the already infected hosts as infection vectors, or stick to the descriptive domains already in use.

Keep riding on the storm.

Spreading Malware Around the Christmas Tree

December 24, 2007
Stormy Wormy is back in the game on Christmas Eve, enticing end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is, logically, fast-fluxed; here are some more details:

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100, where two JavaScript obfuscations, courtesy of the Neosploit attack kit, attempt to load. The current binary (stripshow.exe) has a detection rate of just over 50%: 17/32 (53.13%). Stay tuned; AV vendors will reach another milestone in the number of malware variants detected, although compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.
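
The whois excerpt above shows what "fast-flux" looks like in the zone itself: thirteen NS records all inside merrychristmasdude.com, so the name servers rotate along with the infected hosts answering for the domain. Below is an added example, not code from the post, scoring repeated lookups of a domain on four indicators: near-zero TTL, churn between successive answers, answers spread across unrelated /16 blocks, and the count of in-zone NS records. The observations use documentation-range addresses and are constructed; the thresholds are assumptions picked for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean
from typing import List, Set, Tuple


@dataclass
class Lookup:
    seconds: int          # time since the first query
    ttl: int              # TTL returned with the A records
    a_records: Set[str]   # the answer set


# Constructed observations (documentation-range IPs, not addresses from the post):
# a fast-fluxed domain rotating through infected hosts, and a normal site.
FLUXY = [
    Lookup(0,   0, {"203.0.113.17", "198.51.100.4", "192.0.2.200", "203.0.113.99", "198.51.100.250"}),
    Lookup(60,  0, {"192.0.2.11", "203.0.113.17", "198.51.100.77", "192.0.2.56", "203.0.113.140"}),
    Lookup(120, 0, {"198.51.100.4", "192.0.2.3", "203.0.113.222", "192.0.2.90", "198.51.100.150"}),
]
STABLE = [
    Lookup(0,   3600, {"192.0.2.10", "192.0.2.11"}),
    Lookup(60,  3540, {"192.0.2.10", "192.0.2.11"}),
    Lookup(120, 3480, {"192.0.2.10", "192.0.2.11"}),
]


def distinct_ips(lookups: List[Lookup]) -> Set[str]:
    """Every address seen across all answers."""
    return set().union(*(l.a_records for l in lookups))


def distinct_prefixes(lookups: List[Lookup], prefix: int = 16) -> Set[str]:
    """Distinct /prefix blocks across all answers. Compromised home PCs sit in many
    unrelated blocks; a CDN's edge nodes usually share a few."""
    return {str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in distinct_ips(lookups)}


def churn(lookups: List[Lookup]) -> float:
    """Average share of each answer that was absent from the previous answer."""
    shares = []
    for prev, cur in zip(lookups, lookups[1:]):
        if cur.a_records:
            shares.append(len(cur.a_records - prev.a_records) / len(cur.a_records))
    return mean(shares) if shares else 0.0


def flux_indicators(lookups: List[Lookup], ns_in_zone: int = 0) -> Tuple[int, List[str]]:
    """Score a domain on four fast-flux signs. Thresholds are assumptions chosen for
    illustration; ns_in_zone is how many NS records point inside the domain itself
    (13 in the whois excerpt above), which lets the NS rotate with the bots."""
    reasons = []
    ttl = mean(l.ttl for l in lookups)
    if ttl <= 300:
        reasons.append(f"low TTL (mean {ttl:.0f}s)")
    c = churn(lookups)
    if c >= 0.5:
        reasons.append(f"{c:.0%} of each answer is new")
    blocks = distinct_prefixes(lookups)
    if len(blocks) >= 3:
        reasons.append(f"{len(blocks)} distinct /16 blocks")
    if ns_in_zone >= 5:
        reasons.append(f"{ns_in_zone} NS records inside the zone")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, obs, ns in (("fluxy", FLUXY, 13), ("stable", STABLE, 2)):
        score, why = flux_indicators(obs, ns_in_zone=ns)
        print(f"{name}: {score}/4", "; ".join(why))
```

No single indicator is proof: CDNs also return low TTLs and many addresses, but their edges cluster in a few blocks and their NS records live in the provider's zone, which is why the score combines all four. In practice the Lookup records come from querying the domain every minute or so through the same resolver and recording the TTL alongside the A set.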

Related info - SANS, ASERT, TEMERC, DISOG.

Pinch Variant Embedded Within RussianNews.ru

December 24, 2007
This is a perfect, and currently live, example of how a compromised site can be used as a web dropper, as opposed to the infection-vector mentality we've seen in pretty much every case of malware-embedded sites during 2007. A URL at a popular portal for Russian/Iranian news, russiannews.ru/arabic/data/news/upload/exp, is serving a Pinch variant through an MDAC ActiveX code execution exploit (CVE-2006-0003), the kind of Keep It Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to russiannews.ru/arabic/data/news/upload/exp/exe.php:

Trojan-PSW.Win32.LdPinch.dzr
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab

What's important to point out is that the main index and the pages within the site are clean, so instead of trying to infect the site's visitors, the malicious parties are simply using it as a web dropper, a download location linked from elsewhere. Moreover, in the wake of the Pinch authors getting Pinch-ed, this variant, generated on the fly by their tool, confirms the simple logic that once released in the wild, DIY malware builders and open-source malware greatly extend their own lifecycle and the possibility of added innovation by the community behind them.

ClubHack 2007 - Papers and Presentations

December 20, 2007
Informative presentations and papers from ClubHack 2007, India's premier security event:

"ClubHack is one of its kind hackers' convention in India which serves as a meeting place for hackers, security professionals, law enforcement agencies and all other security enthusiasts."


Such localized events are always beneficial from a networking and relationship-building perspective. Something bigger is (always) going on, though. You may not be aware, for instance, that Microsoft has been running the Securewars contest in India for a while, seeking to improve awareness of and favorability towards the company's activities, and later its chances of recruiting the most talented participants.

Russia's FSB vs Cybercrime

December 20, 2007
In what looks, from my perspective, like a populist move, the FSB, the successor of the KGB, has "Pinch-ed" the authors of the DIY malware Pinch. A populist move mainly because the Russian Business Network is still fully operational, the Storm Worm botnet was launched and is still controlled by Russian folks, and there has been no structured response on who was behind Estonia's DDoS attacks. Pinch-ing the authors is one thing; pinch-ing everyone who is now literally generating undetected malware with the kit on an hourly basis is another:

"Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007. Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan - two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court. The arrest of the Pinch authors is on a level with the arrests of other well known virus writers such as the author of NetSky and Sasser, and the authors of the Chernobyl and Melissa viruses."

This event will be cheered by many, but those who truly perceive what's going on will consider that fighting cybercrime isn't a priority for the FSB and, perhaps worse, that they're prioritizing in an awkward manner. I once pointed out, and got quoted on the same idea in related research, that Pandora's box, in the form of open-source malware and DIY malware builders, is being opened by malware authors to let script kiddies generate enough noise for the authors to remain undetected, and so that everyone benefits from those who improve the malware's effectiveness with new modifications. I'm still sticking to that statement. Had the Pinch authors kept the builder to themselves instead of reselling copies, thereby increasing its value, they would have been average botnet masters in the eyes of the FSB; but now that the builder has been sold and resold so many times that I count it as public, it is the authors, rather than the users, who got the attention.

I'll be covering Pinch in an upcoming post, mainly to debunk other such populist "discoveries" of Pinch in 2007, given that, according to a screenshot of its stolen-data encryption tool and many other indicators, Pinch has been around since 2005, yes, a full two years. Why does this matter? Because while the industry is only in 2007 waking up to form-grabbing and TAN-grabbing by banking malware, the bad guys have been doing it for the last couple of years, and customers are finding it necessary to maintain a keychain of pseudo-random number generators pitched as layered authentication. The bad guys do not target the authentication process or try to break it; they bypass it, efficiently, at the point of engagement: a form grabber captures whatever the user types into the banking page, one-time codes included, inside the browser, before it is encrypted for transmission.

Don't forget that a country poised for long-term dominance in asymmetric warfare will tolerate asymmetric capabilities such as botnets for as long as they're not aimed at the homeland, so that its intelligence services can acquire either the capabilities or the "visionaries" by diving deep into the available HR pool. The rest is a muppet show.

Pushdo - Web Based Malware as Usual

December 19, 2007
An interesting assessment, especially the explanation of the GET variables; however, such descriptive GET or POST variables sent to a malware's C&C server have been around for the last couple of years. What has logically changed is the added layer of obfuscation and complexity that makes it hard to assess what such a URL actually means:

"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload."

Here's an excerpt from a previous post on "Botnet Communication Platforms", which included various graphs courtesy of botnet masters circa 2004/2005:

"The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel."

Here are some C&C IPs related to Pushdo:

208.66.195.71
208.66.194.242
66.246.252.215
66.246.252.213
66.246.72.173
67.18.114.98
74.53.42.34
74.53.42.61
talkely.com

talkely.com (217.14.132.178) also answers for arenatalk.net and worldtalk.net. There's also another bogus message besides the one mentioned in the SecureWorks analysis: "Under Construction Try google".

Related posts on Web Based Malware: The Cyber Bot

Cyber Jihadist Hacking Teams

December 17, 2007
These groups and factions of religiously brainwashed IT enthusiasts, using outdated ping and HTTP GET flooding tools, represent today's greatly overhyped threat posed by cyber jihadists, whose cheap PSYOPS dominate; the lack of strategic thinking and of sustainable communication channels between them has ruined all of their Electronic Jihad campaigns so far. Religious fundamentalism by itself evolves into religious fanaticism, and with individuals in desperate psychological need of belonging to a cause, it ends up in one of the oldest and easiest recruitment methods, the one based on religious belief.

The teams and lone-gunman cyber jihadists covered in this post are: Osama Bin Laden's Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR, The Designer - Islamic HaCKEr and Alansar Fantom. None of these are known to have any direct relationship with terrorist groups, so they should be considered terrorist sympathizers.

_Osama Bin Laden's Hacking Crew
OBL's Hacking Crew are nothing but cheap PSYOPsers trying to take advantage of outdated conversational marketing approaches to recruit more members, for what remains unknown, given the lack of any structured formulation of their long-term objectives. They're also promoting the buzzword "E-MUJAHID" to sum up all the tasks and objectives one would have. This is how they define E-JIHAD:

"JIHAD is the term used for struggle against evil. Electronic jihad or simply, E-JIHAD, is the jihad in cyberspace against all the propagandas and false allegations against the message of truth. E-JIHAD is the struggle in cyber space against all false and evil disciplines, ideology and forces of evil. Have you ever think what is the need of army? To defend the freedom and liberty of a territory and defend it from the attacks of evil intruders. similarly , E-jihad is the battle in the field of cyber space, against all false believes, and to defend the truth against the false and mean propagandas and cults. It is as necessary as a regular army, to defend the ideological borders of a nation. It is said, “ it is not the gun, it is man behind the gun “. Do you ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and ideology, there is no man and definitely , we then have gun , but without any man ."

These are the tips provided for "defending the ideological borders" :

- They have created anti-Islamic web sites, which are full of everything except the truth. They are full of mean and vulgar allegations against our HOLY QURA'AN, HOLY PROPHET MOHAMMAD (PEACE BE UPON HIM) and our teachings. We must defend our teachings and fight against the evils. We have to create Islamic web sites, eGroups, forums, message boards, and we must support our Mujahideen brothers in Iraq, Afghanistan, Palestine, Kashmir and elsewhere.

- Many non-Muslims, especially Jews, Christians and Hindus, are working in different web groups and communities (like Yahoo groups and MSN communities) and spreading propaganda against us Muslims. There is a strong need to join such groups and try to refute them. At the moment, the cyber space is free of their opponents. Try to join and refute them, defend your HOLY TEACHINGS OF ISLAM and bring before everyone nothing but the truth.

- One of the most dangerous enemies is those who impersonate Muslims but are not Muslims in fact. They are Islamic cults. They are usually Qadyanis/Ahmadis/Mirzais and Bahais; some are Jews and Christians. They are all non-Muslims but they impersonate Muslims and try to misguide others. They are spreading non-Islamic beliefs. It needs to be taken care of; we have to fight them. Otherwise, you can imagine how disastrous this situation can be for Muslims. These culprit groups even tried to spread a copy of their teachings in the name of the HOLY QURA'AN, but ALLAH has promised that HE will keep the HOLY QURA'AN preserved. That's why their attempt failed. What is our job? We must fight these Muslim cults and tell others the difference between Muslims and Muslim cults.

- You can even make your own groups and communities to send mails carrying Muslim news and Islamic teachings. It is a time-convenient method because if you have 500 members in your group, by sending a single mail to the group, your message will be in the inboxes of 500 users, and it takes hardly 1-2 minutes. Isn't it a time-saving technique?

- Many non-Muslim, especially American, Israeli and Indian, hackers always attack our web sites, which are refuting their falsehood and spreading the truth of Islam, the truth that is the only reality. To defend ourselves against such "satanic groups", we have to organize teamwork consisting of a team of Muslim hackers. Diamond cuts diamond; to fight hackers, we need hackers who will defend our sites and make sure to convey uninterrupted messages to refute the evil and to spread the truth.

_Ansar AL-Jihad Hackers Team and HaCKErS aLAnSaR
Both of these are actually the same group, whose popularity comes from the al-jinan.net and al-jinan.org Electronic Jihad campaigns, yes, the failed ones. The original message from Al-jinan's first campaign back in 2006:

Objective: Will be updated automatically in the main program and the extra room in the conversation. Date : Saturday, 26 /8/2006 - Hours are from 6 pm to 10 Mecca Time - Jerusalem-Cairo. From 3 pm until 7 Time 05:00 Enter chat http: al-jinan.org/chat. Will work only half an hour before the attack. Leadership decided to use only the major programme in the attack, Lltali follows : The programme operates in the same manner but more strongly Durrah, Member faced many problems in the modernization Durra because of their Alcockez, and the present quality, The programme is designed to automatically update speeds.

Their "pitch":

"We note that our enemies Zionists have such groups in order to eliminate sites and sites of resistance Islamic profess. The notes on the Internet that many of the sites Mujahideen are taking place and the closure of sites and this immoral act of brotherhood pigs. Under such a senseless war on Lebanon and Palestine, the Zionists any target in any area. The factors that are responsible for targeting this will affect them and Ihabtahm and create terror in the hearts of God."

_The Designer - Islamic HaCKEr
A defacer going by the handle The Designer - Islamic HaCKEr was an active hacktivist for a while, then switched handles and continued defacing sites while spreading cyber jihadist PSYOPS, such as the following message from one of his defacements:

"Muslims are not Terrorists and U.S.A & Israel & europa are Terrorists. america and israel and europa they terrorists and we moslems not is terrorists . and It was hacked because you are supporting the war in Iraq, palestine and Afghanistan, and it was hacked because you are killing our people and our kids in Iraq, palestine and Afghanistan , and It was hacked because they invaders our land and they vandals our homes and hacked your sites is our solution."

_Alansar Fantom
Working in direct coordination with The Designer and the Al-Ansar Hackers Team, Alansar Fantom is basically a low-profile script kiddie who is also involved in spreading the campaign message and the flood tools used in the Electronic Jihad campaign.
Offensive cyber terrorism on behalf of terrorists, in the sense of cyber mujahideen, is overhyped if they're to do it on their own, given the factual evidence of their current state of technical know-how, with the Electronic Jihad program among the most recent such overhyped threats. Defensive cyber terrorism, as an extension of cyber jihad in an asymmetric nature, is what is going on online for the time being, and has been going on for the last couple of years.

The bottom line - script kiddie cyber jihadists dominate, PSYOPS fill the gaps where there's zero technical know-how, mentors are slowly emerging and providing interactive tutorials to reach a wider audience, localization of knowledge from English2Arabic is taking place the way propaganda is also localized from Arabic2English, and there's ongoing networking between cyber jihadists and Turkish hacktivists converting into such on a religious level. Case in point - MuslimWarriors.Org defacement campaigns with "anti-infidel" related messages.

Cached Malware Embedded Sites

December 16, 2007
Google, with its almost real-time crawling capabilities, has rarely proved useful when researching malware embedded sites that were cleaned before they could be analyzed, mainly popular sites that get crawled several times daily. However, Yahoo's and MSN's search engines, with MSN providing Archive.org-style historical crawling content, have been an invaluable resource, providing the actionable historical intelligence of what was embedded at the site, where it was pointing, whether many other sites are currently embedded by the same campaign, etc. Here's an interesting opinion stating that cached malware embedded sites are a security problem. They are, but the bigger problem to me is that it's only Google that has taken efforts to deal with the problem, next to the market challengers Yahoo and MSN - "Google, Yahoo, Microsoft Live search engines contain page-caching flaw, says Aladdin" :

"Researchers at Aladdin Knowledge Systems have discovered a “significant” vulnerability in the page-caching technologies of three major search engines, allowing them to deliver malicious pages that have been removed from the web. The researchers discovered the vulnerability when analysing the content of a hacked university website. The site was cleaned, but malicious content was still reachable via search engine caches. The flaw is a "glimpse of the future" of multifaceted web-based attacks, said Ofer Elzam, director of product management at Aladdin."

Let's discuss the current model of dealing with such sites. Whenever Google comes across a site that's potentially malware embedded, it doesn't just label it "This site may harm your computer" but also removes all the cached copies of the site. By doing so, it protects the "cached surfers crowd", and in doing so often prompts me to locate the actual cached copies, with the embedded malware hopefully still there, by using other search engines, ones whose crawling capabilities aren't as fast as Google's.

Therefore, don't put Google in the same row as Yahoo and MSN, since Yahoo and MSN do not provide such in-house malware embedded site notification services, and given their slow content crawling, it's among the top reasons why I love using their search engines when I'm aware of a malware embedded site but couldn't obtain the obfuscated JavaScript/IFRAME before it got removed.

Here's an example of how useful cached malware sites are for research purposes. Back in September, the U.S. Consulate in St. Petersburg was serving malware, and the embedded malware link was removed sooner than I could obtain a copy of the infected page. Best of all, there were still cached copies available serving the malware, which led to the assessment of the campaign. Another great example that intelligence sharing between the industry, independent researchers and non-profit organizations results in far more detailed exposures of various malicious campaigns, compared to a vendor's self-sufficiency mentality.

This is how Google understands the malicious economies of scale, where efficiency gets sacrificed for a short lifecycle of the campaign, a trade-off I've been discussing for a while, especially in respect to the Rock Phish Kit :

"Examining our data corpus over time, we discovered that the majority of the exploits were hosted on third-party servers and not on the compromised web sites. The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit either via iframes or external JavaScript. Another, less popular technique, is to completely redirect all requests to the legitimate site to another malicious site. It appears that hosting exploits on dedicated servers offers the attackers ease of management. Having pointers to a single site offers an aggregation point to monitor and generate statistics for all the exploited users. In addition, attackers can update their portfolio of exploits by just changing a single web page without having to replicate these changes to compromised sites. On the other hand, this can be a weakness for the attackers since the aggregating site or domain can become a single point of failure."

Google is clearly aware of what's going on, but is trying to limit the potential for false positives, sites wrongly flagged as serving malware, which is where malicious parties will be innovating in the future, while it still remains questionable why they haven't done so by obvious means yet - RBN's directory permissions gone wrong, for instance.

The bottom line - cached malware embedded sites are a valuable resource in the arsenal of tools for the security researcher/malware analyst, and not necessarily a threat if it's Google's approach we're talking about, removing the cached copies prior to notifying of the infection. Which leads us to a more realistic attack tactic than the one discussed in the article, where an attacker would supposedly embed malware at different sites, let the search engines crawl and cache it, then remove it from the sites and wait for visitors to use the cache, thereby infecting themselves. Case in point - the U.S. Consulate's site wasn't even flagged by Google as a malware embedded one, which is hopefully the result of their fast crawling capabilities, but the ugly attack tactic I have in mind is not just embedding the IFRAME, but embedding an obfuscated IFRAME that leads to the usual obfuscated exploit URL, which is what happened in the Consulate's case, an obfuscated IFRAME by itself.
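The practical problem with a cached copy like the Consulate's is that the IFRAME is rarely visible in the raw HTML: it is written at runtime by a document.write() call fed from an unescape() or String.fromCharCode() literal, often sized 0x0 or hidden with CSS. The following Python script, added here as an example and not part of the original post, pulls every IFRAME out of a saved page, including those that only exist after the document.write() payload is decoded, and flags the hidden or obfuscated ones. The sample page and every host in it (example.invalid) are constructed for the example; the in.cgi and load.php paths only mirror the naming pattern of the campaigns discussed on this page.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a cached, compromised page (hypothetical hosts under
# example.invalid; nothing here is taken from a real site). It carries one
# ordinary IFRAME, one written via document.write(unescape(...)) and one
# written via String.fromCharCode(...), the two obfuscation styles discussed.
_FROMCHARCODE_PAYLOAD = ",".join(
    str(ord(c)) for c in
    '<iframe src="http://c2.example.invalid/load.php" style="display:none"></iframe>'
)
SAMPLE_PAGE = (
    "<html><body><p>Welcome to the consulate</p>\n"
    '<iframe src="http://static.example.invalid/ad.html" width="300" height="250"></iframe>\n'
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example.invalid"
    "%2Ftds%2Fin.cgi%3F14%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>\n"
    "<script>document.write(String.fromCharCode(" + _FROMCHARCODE_PAYLOAD + "));</script>\n"
    "</body></html>"
)

_UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def js_unescape(s):
    """Decode JavaScript unescape() input: %XX and %uXXXX sequences."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_script_payloads(script):
    """Return (method, decoded_html) for each obfuscated literal in a script body."""
    found = [("unescape", js_unescape(m.group(2))) for m in _UNESCAPE_RE.finditer(script)]
    for m in _FROMCHARCODE_RE.finditer(script):
        codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        found.append(("fromCharCode", "".join(chr(c) for c in codes)))
    return found


class _Collector(HTMLParser):
    """Collect IFRAME attributes and raw <script> bodies from one HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script, self._buf = [], [], False, []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def is_hidden(attrs):
    """Zero-sized or CSS-hidden frames are the classic drive-by pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def find_iframes(html, via="static", depth=0):
    """List every IFRAME in the page, recursing into document.write payloads."""
    parser = _Collector()
    parser.feed(html)
    found = [{"src": a.get("src"), "hidden": is_hidden(a), "via": via} for a in parser.iframes]
    if depth < 3:  # bound recursion on nested obfuscation layers
        for script in parser.scripts:
            for method, decoded in decode_script_payloads(script):
                found.extend(find_iframes(decoded, via=method, depth=depth + 1))
    return found


def suspicious_iframes(html):
    """Frames that are hidden or only appear after deobfuscation."""
    return [f for f in find_iframes(html) if f["hidden"] or f["via"] != "static"]


if __name__ == "__main__":
    for frame in suspicious_iframes(SAMPLE_PAGE):
        print(frame)
```

Run it against the HTML saved from a search engine cache rather than against the live site: the live copy is the one that gets cleaned first, and fetching it hands the attackers your IP for the kind of real-time cloaking described further down this page. The decoder only handles the two literal styles named above; layered eval() chains need a real JavaScript interpreter.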

Have Your Malware In a Timely Fashion

December 15, 2007
Keep your allies close, the human rights violators closer. French officials have been receiving lots of criticism from human rights groups regarding Moammar Gadhafi's visit to France; in fact Human Rights Watch issued a press release entitled Al-Qadhafi in France. Despite the logical response in the form of criticism, it lacks the long-term strategic vision and the proven approach of dealing with crying kids - pay them attention, give them a candy, and therefore try to integrate them rather than isolate them.

If it were "embedded malware as usual" the wannabes would have started mass mailing links to malware infected sites spreading rumors regarding the visit, like a previous PSYOPS operation on behalf of an unnamed intelligence agency. However, in this case they embedded malware at a French Government site related to Libya in order to eventually infect all the visitors looking for more information during the visit. That's a social engineering trick taking advantage of the momentum, proactively anticipating the rush of visitors to the site. Another such recent combination of tactics aimed to increase the lifecycle of the malware embedded attack by embedding it at the Chinese Internet Security Response Team's site during China's "Golden Week" holiday.

According to McAfee "Web Site of the French Embassy in Libya Under Attack" :

"The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous."

Let's pick up from where McAfee left off in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 (58.65.233.98) loads an IFRAME to fernando123.ws/forum/index.php (88.255.94.114), which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fernando123.ws/forum/load.exe

Detection rate : Result: 9/32 (28.13%)
File size: 43008 bytes
MD5: 8ce2134060b284fa9826d8d7ca119f33
SHA1: 3074f95d6b54fa49079b20876efa0f4722e7fe7d

As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the RBN did in the Bank of India incident, definitely monitoring the exposure activities in real-time. However, accessing it through a secondary IP retrieves the real IFRAME, namely winhex.org/tds/in.cgi?19 (85.255.120.194), which loads winhex.org/traff/all.php, which in turn loads kjlksjwflk.com/check/versionl.php?t=577, now down, and 208.72.168.176/e-notfound1212/index.php, where obfuscated code that, once deobfuscated, attempts to load 208.72.168.176/e-notfound1212/load.php

Detection rate : Result: 14/32 (43.75%)
File size: 116244 bytes
MD5: 42dacb9f7dd4beeb7a1718a8d843e000
SHA1: d595dd0e4dcf37b69b48b8932dcf08e9f73623d0

Deja vu - 208.72.168.176 is the "New Media Malware Gang" in action, whose ecosystem clearly indicated connections with the RBN, Possibility Media's malware attack, Bank of India and the Syrian Embassy malware attacks, and Storm Worm which I assessed in numerous previous posts.

All your malware downloaders are belong to us - again and again.

Combating Unrestricted Warfare

December 12, 2007
It's February, 1999, and two senior colonels from China's PLA, namely Qiao Liang and Wang Xiangsui, depressed the world's military thinkers by coming up with a study on the future developments and potential of asymmetric warfare, a surprising move next to the overall discussion always orbiting around symmetric warfare. The study itself, entitled "Unrestricted Warfare", is an ugly combination of Sun Tzu's 3D perspective on warfare and guerilla approaches to achieve one of Sun Tzu's most insightful quotes - "One hundred victories in one hundred battles is not the most skillful. Seizing the enemy without fighting is the most skillful." Here's a summary of the study :

"Two senior PLA Air Force colonels wrote "Unrestricted Warfare", presented here in summary translation, to explore how technology innovation is setting off a revolution in military tactics, strategy and organization. "Unrestricted Warfare" discusses new types of warfare which may be conducted by civilians as well as by soldiers including computer hacker attacks, trade wars and finance wars."

Over the years, and especially since 9/11, the tipping point that acted as the wake-up call that asymmetric warfare is also getting embraced by the bad guys, many other niche research papers have been published in the context of information warfare and cyber warfare, such as :

Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States

Each of these is visionary reading by itself, but perhaps it was the need to set a new milestone in such warfare thinking that prompted the public release of the Unrestricted Warfare Symposium Proceedings Book in 2006 and in 2007. An excerpt from the introduction of the 2006 edition :

"To compensate for their weaker military forces, these actors will employ a multitude of means, both military and nonmilitary, to strike out during times of conflict. The first rule of unrestricted warfare is that there are no rules; no measure is forbidden. It involves multidimensional, asymmetric attacks on almost every aspect of the adversary’s social, economic, and political life. Unrestricted warfare employs surprise and deception and uses both civilian technology and military weapons to break the opponent’s will."

Moreover, the 2007 edition covers in depth such popular asymmetric threats posed by jihadists (pages 135-143), debunking the use of WMD as a priority, and the cyber dimension (pages 251-297), with some remarkable analogies applying post-Cold War strategies to modern digital threats :

"Technology alone is never going to solve the IA problem. We have no informed national defensive strategy in this area. The situation is starting to change and improve, in large part because visionaries like General Cartwright are in key slots. But we do not have a lot of time. The intelligence community is not sufficiently engaged in conducting, analyzing, and reporting those issues. During the Cold War, we analyzed Soviet capabilities exhaustively. We did everything possible to understand our adversary and manage that gap. We need to do the same thing today. The bottom line is that it is dangerous to underestimate the capabilities of our adversaries. They do whatever it takes to win. Good adversaries know our strengths and weaknesses. They develop surprising partners that sometimes do not even know they are partners—they will give someone an honorarium to talk at a conference and ask that person for information on associates. They play by a different set of rules. They see offense as a systems problem, while our defense is fragmented."

All of these reports and ebooks are highly recommended bedtime reading, and so is the last but not least one, namely "Victory in Cyberspace", released October, 2007. Besides generalizing cyberspace war activities, it includes a comprehensive summary of the events that took place in Estonia during the DDoS attacks.


Phishing Metamorphosis in 2007 - Trends and Developments

December 12, 2007
WindowSecurity.com have just published my second article entitled "Phishing Metamorphosis in 2007 - Trends and Developments" :
"During 2007, phishers demonstrated for yet another consecutive year their persistence and creativity on their way to socially engineer as many people online as possible, into believing they are who they pretend to be. Why did phishers embrace economies of scale during 2007, what factors contributed to the constantly shrinking period of time it takes for the phishers to come up with a fake email, and how come that despite all the public awareness put into the problem, people still fall victim to phishing scams? This article aims to provide an overview of the key factors that contributed to the growth and evolution of phishing during the year."

An article which you'll definitely find as informative as the first one from last month, related to "Popular Spammers Strategies and Tactics".

Update on the MySpace Phishing Campaign

December 11, 2007
It seems that the parties behind the Large Scale MySpace Phishing Attack, which I covered in a previous post, have recently changed the main login redirector from 319303.cn/login.php to z8atr.cn/login.php, and the fast-flux network behind z8atr.cn is comparable in size to Storm Worm's fast-flux networks. The updated campaign is also taking advantage of the following DNS servers :

Name Server: ns1.4980603.com
Name Server: ns2.4980603.com
Name Server: ns3.4980603.com
Name Server: ns4.4980603.com

Here's more coverage courtesy of the ISC, assessing a previous state of the campaign in the form of different domain names used :

"Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include: Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were observed redirecting browsers. The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network."

The fast-flux, the JavaScript obfuscation, and the process of serving malware all remain the same, so they're basically doing what looks like maintenance of the fast-flux.
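What makes z8atr.cn's hosting recognisable as fast-flux rather than as an ordinary CDN is the churn: repeated lookups return a short TTL and a stream of different A records spread across unrelated networks, because the "servers" are infected broadband hosts proxying for the real phishing back end. The Python script below, added as an example and not part of the original post, scores a domain's lookup history on exactly those three signals. The lookup histories are constructed (RFC 5737 documentation ranges and the 100.64.0.0/10 shared address space, so no real host is named), the /16 prefix is used as a cheap stand-in for ASN diversity, and the thresholds in is_fast_flux() are assumptions for the example rather than published values.

```python
import ipaddress

# Constructed lookup histories (hypothetical, not real resolutions): each tuple
# is one lookup of the domain, as (TTL in seconds, A records returned).
# A flux domain: 5 records per answer, almost all different on every lookup,
# scattered across many networks.
FLUX_LOOKUPS = [
    (300, ["100.64.1.10", "100.65.2.20", "203.0.113.30", "100.66.3.40", "198.51.100.50"]),
    (300, ["100.67.4.10", "100.68.5.20", "192.0.2.30", "100.69.6.40", "100.70.7.50"]),
    (300, ["100.71.8.10", "100.72.9.20", "203.0.113.99", "100.73.10.40", "100.64.1.10"]),
    (300, ["100.74.11.10", "100.75.12.20", "100.76.13.30", "198.51.100.77", "100.77.14.50"]),
]
# A CDN-style domain: short TTL too, but it rotates a handful of addresses
# inside one provider network.
CDN_LOOKUPS = [
    (60, ["203.0.113.10", "203.0.113.11"]),
    (60, ["203.0.113.11", "203.0.113.12"]),
    (60, ["203.0.113.12", "203.0.113.10"]),
]
# A plain static site: one address, day-long TTL.
STATIC_LOOKUPS = [(86400, ["192.0.2.1"])] * 3


def analyse(lookups):
    """Summarise a lookup history: address churn, network spread and TTL."""
    all_ips = {ip for _, ips in lookups for ip in ips}
    largest_answer = max(len(ips) for _, ips in lookups)
    # /16 prefix as a stand-in for ASN: a real deployment would map each IP
    # to its origin AS via a routing table or whois data.
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    return {
        "unique_ips": len(all_ips),
        # "fluxiness": how many more addresses show up over time than a
        # single answer ever contains; 1.0 means the answer never changes.
        "fluxiness": len(all_ips) / largest_answer,
        "distinct_nets": len(nets),
        "min_ttl": min(ttl for ttl, _ in lookups),
    }


def is_fast_flux(stats, max_ttl=600, min_fluxiness=2.0, min_nets=3):
    """Assumed thresholds: short TTL, real churn, and spread across networks.

    A short TTL alone is what CDNs do as well; the combination with churn
    across unrelated networks is what separates a flux network from them.
    """
    return (stats["min_ttl"] <= max_ttl
            and stats["fluxiness"] >= min_fluxiness
            and stats["distinct_nets"] >= min_nets)


def classify(histories):
    """Map each domain name to its verdict and the stats behind it."""
    return {name: (is_fast_flux(analyse(h)), analyse(h)) for name, h in histories.items()}


if __name__ == "__main__":
    verdicts = classify({
        "flux.example.invalid": FLUX_LOOKUPS,
        "cdn.example.invalid": CDN_LOOKUPS,
        "static.example.invalid": STATIC_LOOKUPS,
    })
    for name, (flux, stats) in verdicts.items():
        print(f"{name}: {'FAST-FLUX' if flux else 'normal'} {stats}")
```

To use it on a live campaign, resolve the domain every few minutes for an hour or two and feed the (TTL, A records) pairs in; the NS records the post lists for 4980603.com deserve the same treatment, since a flux network that also rotates its name servers (double-flux) will show the same churn there.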

Inside the Chinese Underground Economy

December 10, 2007
Here's a very detailed and recently released event study on Malicious Websites and Underground Economy on the Chinese Web, and this is how they assessed the high activity at the underground related forums :

"Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar with IRC (Internet Relay Chat). They typically use bulletin board systems on the Web or IM software like QQ to communicate with each other. Orthogonal to a study on the underground black market located within IRC networks, we measure the Chinese-specific underground black market on the Web. We focus on the most important part located at post.baidu.com, the largest bulletin board community in China. We crawled the portal and stored all posts and replies posted on some certain post bars which are all dedicated for the underground black market on this particular website. The post bars we examined include Traffic bar, Trojans bar, Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans in Chinese), Box bar, Huigezi bar, Trojanized websites bar, and Envelopes bar."

What's the big picture on the Chinese IT Underground anyway? It's a very curious perspective next to China's economic self-awareness, from a supplier of the parts that make up the products to the independent manufacturer of them in real life. In cyberspace, the people driving the Chinese Underground tend to borrow malicious know-how from their Russian colleagues by localizing the most popular web malware exploitation kits such as MPack and IcePack to Chinese, as well as benefiting from the proven capabilities of an open source DDoS-centered malware by also localizing it to Chinese and porting it to a web interface. And so once they've localized the most effective attack approaches by making them even easier to use, they start adding new features and functionalities, in between coming up with unique tools by themselves.

The bottom line - China's IT Underground is indirectly monitored and controlled by China's Communist Party, with the big thinkers realizing the potential for asymmetric warfare dominance as the foundation for economic espionage, and the largest cyberwarriors buildup in the face of people's information warfare armies driven by collectivism sentiments.

Here's a very interesting article detailing some of the perspectives of the China Eagle Union, the Hacker Union of China, and the Red Hacker's Alliance :

"The Chinese red hackers have their own organizations and websites, such as the Hacker Union of China (www.cnhonker.com/), the China Eagle Union (www.chinaeagle.org/), and the Red Hacker's Alliance (www.redhacker.org). The Hacker Union of China (HUC) was founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 80,000 registered members at its peak, and reportedly has 20,000 members after regrouping in April 2005."