Terror on the Internet - Conflict of Interest

Insightful article by Greg Goth, discussing various aspects of the pros and cons of monitoring cyber jihadist sites next to shutting them down, as well as mentioning my analysis of the Mujahideen Secrets encryption tool v1.0 and v2.0. Terror on the Internet: A Complex Issue, and Getting Harder :

"Indeed, politicians around the world call at regular intervals for terrorist websites to be removed from their host sites’ servers or for search engines to block access to them. They also call for laws that would make posting instructions on how to kill or maim people or destroy property punishable by law. Franco Frattini, the European Commission’s Vice President for Freedom, Justice, and Security, called for a prohibition on websites that post bomb-making instructions in September 2007. And just as quickly, he rushed to announce that in doing so he was not trying to impinge on freedom of speech or information access or to inhibit law enforcement agencies from monitoring sites."

There're three perspectives related to cyber jihad, should the virtual communities be shut down, monitored, or censored so that they cannot be accessed by people who would potentially get radicalized and brainwashed by the amazingly well created propaganda in the form of interactive multimedia? Given the different mandates given to different intelligence services and independent researchers, is where the conflict of interest begins. Moreover, don't forget that independent researchers sometimes come up with the final piece of the puzzle to have an intelligence agency come up with the big picture in a cost-effective and timely manner, given they actually believe in OSINT and trust the source of the intell data of course. Now, picture the situation where an intelligence agency is shutting down cyber jihadist sites on a large scale not believing in the value that the intelligence data they they could provide, another one given a mandate to censor cyber jihadist communities compiling reports stating that someone's shutting them down before they could even censor them, and a third one who would have to again play cat and mouse game the locate them once they've shut down by the first intel agency already. Ironic or not, different mandates and empowerment is where the contradiction begins. Let's discuss the three mandates and go in-depth into the pros and cons of each of them to come up with a philosophic solution to the problem, as I belive it's perhaps the only way to provoke some thought on the best variant.

Shutting the communities down -

Before shuting them down you need to know where they are, their neighbourhood of supporters who will indirectly tip you on the their latest location once they have their previous domain shut down. Personal experience and third party research indicates that over 90% of the cyber jihadist communities/blogs are hosted by U.S based not owned companies. And with the lack of real-time intell sharing between the agencies themselves, the first who picks up the community will be responsible for its faith, literally. But in reality, preserving the integrity of a cyber jihadist community, and convincing the right people that balanced monitoring next to shutting it down is more beneficial, remains an idea yet to be considered. Back in 2007, I did an experiment, namely I crawled ten cyber jihadist forums and blogs and extracted all the outgoing links from these communities to see their preferred choice for online video and files hosting. A couple of months later, the communities got shut down, so when the same thing happened while I was crawling the Global Islamic Media Front's, and Inshallahshaheed's web presence, it became clear that while some are crawling, and others censoring, third parties are shutting them down.

The bottom line - shutting them down doesn't mean that they'll dissapear and will never come back, exactly the opposite. Personal experience while handling the Global Islamic Media Front is perhaps the perfect and best hands-on experience on the benefits of shutting them down, given you've built enough convidence in your abilities to locate their new location. If you think that the cyber jihadist site or community you're currently monitoring is a star, look above, it's full of starts everywhere, once you start drawing the lines between them, a figure of something known emerges, in this case once a cyber jihadist community is shut down, its most loyal and closely connected cyber jihadist communities will expose their intimate connection not by just starting to promote their new location online, but even better, you'll have them use the second cyber jihadist community to directly reach their audience by the time they set up the new location and resume the propaganda and radicalization.

There's no shortage of cyber jihadist blogs, forums and sites, and personal experience shows that upon having a cyber jihadist community shut down, they re-appear at another location. It's shut down again, it re-appears for a second time. I've seen this situation with Instahaleed and GIMF, and each and every time they had their blogs and sites removed from their hosting providers, mainly because it's rather disturbing that the majority of such communities are hosted on U.S servers, it's this short time frame which will either lead you to their new location, you risk loosing their tracks. However, the vivid supporters of PSYOPs are logically visionary enough to understand what does undermining their audiences' confidence in the community's capability to remain online means.

Monitoring the communities -

In order to reach the "shut it down or monitor it" stage in your analysis process, you really need to know where the cyber jihadists forums and sites are, else, you will be wasting your time, money and energy to create fake cyber jihadist communities in the form of web honeypots for jihadist communication. Monitoring is tricky, especially when you don't know what you're looking for, don't prioritize, don't have a contingency plan or an offline copy of the communitiy and wrongly building confidence in its ability to remain online. Moreover, monitoring for too long results in terrabytes of noise, and from a psychological perspective sometimes the rush for yet another fancy social networking graph to better communicate the collected data, ends up in the worst possible way - you miss the tipping point moment.

Censoring the communities -

I often come across wishful comments in the lines of "blocking access to bomb and poison making tutorials", missing a very important point, namely, that these very same manuals, and jihadist magazines are not residing in a cyber-jihad.com/bomb-making-guide.zip domain and file extension form, making the process a bit more complex to realize. Unless of course the censorship systems figures out ways to detect the content in password encrypted archive files served with random file names and hosted on one of the hundreds free web space providers. Then again, given the factual evidence that cyber jihadists are encouraging the use of Internet anonymization services and software, your censorship efforts will remain futile.

As I'm posting this overview of various ways of handling cyber jihadist communities, yet another community is starting to attract cyber jihadists, thanks to their understanding of noise generation by teaching the novice cyber jihadists on the basics of running and maintaing such a community. What's perhaps most important to keep in mind is that, what you're currently analyzing, trying to shut down or censor whatsoever, is the public web, the Dark Web, the one closed behind authentication and invite-only access yet remains to be located and properly analyzed. If cyber jihad is really a priority, then there's nothing more effective than the combination of independent researchers and intelligence analysts.

Related posts:
Inshallahshaheed - Come Out, Come Out Wherever You Are
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
Wisdom of the Anti Cyber Jihadist Crowd
Cyber Jihadist Blogs Switching Locations

Internet PSYOPS - Psychological Operations

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

Teaching Cyber Jihadists How to Hack

A Botnet of Infected Terrorists?
Infecting Terrorist Suspects with Malware
The Dark Web and Cyber Jihad
Cyber Jihadist Hacking Teams
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Samping Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications

Continue reading →

PR Storm - Mass iFRAME Injectable Attacks

Here's some recent media coverage regarding the SEO poisoning attack through exploiting the ABC of web application security, namely input validation, a good example of tactical warfare combing two different attack tactics, blackhat SEO for traffic acquisition and abusing input validation for injecting iFRAMES, and abusing the sites' search engine optimization practices of storing the now input violated pages. Meanwhile, Iftach Amit at Finjan points out that as it looks like we were on the same page. Here's Google's comment regarding these incidents provided to Finjan :

"Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its affects on web browsing: "Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants."

The responsible full-disclosure, namely disclosing and every domain affected, the IPs of the malicious domains used in the redirection, and obtained a sampled result of where are the domains actually leading to, should have had the effect it's supposed to - raise awareness and put responsible pressure on the people involved in taking care of making sure no one can submit executable commands that will later on get cached, and load, such as iFRAMES in this case. Most of all, these are high page rank-ed sites, namely the junk that they submit is appearing within the first 10/20 search results and is getting crawled within hours upon submitting it, and therefore it must be taken care of as soon as possible, on multiple fronts.

- The Other iframe attack
- Optimizing Cross Site Scripting - and general security practices
- Follow up to yesterday's mass hack attack
- Hackers launch massive IFrame attack
- SEO poisoning attacks growing
- Attackers hijacking web site search engines to push malware; German article
- Developers: Check Your %*^& Inputs
- Researcher: Beware of massive IFrame attack
- iFrame attacks: Blame your Web admin guy
- More Search Results Getting iFRAMEd
- Ongoing IFrame attack proving difficult to kill
- Injection attacks target legit websites - twenty-nine thousand sites and counting
- Mass Hack Hits 200,000 Web Pages
- 200.000 nettsider hacket

In an upcoming post, I'll expose many other such fake codecs about to get included in future campaigns, and emphasize on the dynamics of orchestrating such a malicious campaign, namely keep it as sophisticated and as deep-linking/deep-iframing as possible to confuse automated malware aggregation approaches at the beginning of the campaign, and Keep it Simple Stupid at the very end of the campaign.

Malicious economies of scale means an efficient and standardized attack approach, take Rock Phish for instance, but it also means an easy way to detect and mitigate certain threats. In this malicious campaing for instance, nearly all the bogus .info domains with several exceptions are operating within the same netblock, and continue doing so. And the exceptions? It's all a matter of perspective, whether or not you believe having a RBN hosted domain within the actual iFRAME, or the result of the iFRAME redirection in terms of importance. Continue reading →

Embedded Malware at Bloggies Awards Site

The "window of opportunity" for traffic acquisition by taking advantage of a huge anticipated traffic is something malicious parties always find adaptive ways to take advantage of. Back in December, 2007, the same event based malware embedded attack appeared at a French government's site covering France/Libya relations right in the middle of Libya's leader visit in the country. My detailed analysis back then revealed details of the usual RBN connection, with IFRAME hosts switchng between HostFresh, Ukrtelegroup Ltd, and Turkey Abdallah Internet Hizmetleri, to surprisingly end up to the New Media Malware Gang original IP, futher confirming the existence of what's now a diverse ecosystem.

The same timely malware embedded attack happened at the top of the Annual Weblog Awards site - The Bloggies as TrendMicro assessed on Monday :

"The Web site of the Annual Weblogs Awards — more informally known as the Bloggies — was hacked recently, serving up a malicious Javascript to its visitors. This happened on the eve of the award ceremony, as reported in NEWS.com.au."

An embedded malware screenshot is worth a thousand words, so here it goes attached, and IcePack's now easily detectable module :

Scanner results : 47% Scanner(17/36) found malware!
File Size : 10666 byte
MD5 : 0860a1f5f1b27db14fedbfc979399fa4
SHA1 : 81c4ca763850fd3d675a0955ee6885ce83db53a5
HTML/Psyme.Gen; Trojan-Downloader.JS.Agent.et

Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to 202.75.38.150, and besides the descriptive IcePack host, the IP also responds to the following domains :

bigsavingpharmacy.com
infosecurestatus.com
pharmacysuperdiscount.com
rspectrum.name
sicil.info
sicil256.info
superdiscountpills.com
mydnsweb.net
thegogosearch.com

So what? Historical CYBERINT untimately improves your situational awareness. Sicil.info was the main domain behind the Syrian Embassy in the U.K malware embedded attack. Back then, sicil.info was responding to 203.121.79.71, and now to 202.75.38.150, switching locations doesn't mean a clean domain reputation anyway. Continue reading →

More High Profile Sites IFRAME Injected

This summary is not available. Please click here to view the post. Continue reading →

Loads.cc's DDoS for Hire Service

Snakes never whisper in one another's ear - it's supposed to tickle. In a blog post yesterday, Sunbelt Labs pointed out on the re-emergence of the Botnet on Demand Service that I covered last year. It's great to see we're on the same page, or wiki article as we can always expand the discussion. In need of more such fancy snakes admin panels courtesy of a web based malware C&C? Here are four more related :

legendarypornmovies.net/ts (88.85.81.211)

slutl.com/ts (88.85.78.7)

cwazo.net/ts (83.222.14.218)

oin.ru/ts (194.135.105.203)

Now the juicy details regarding loads.cc. During the time of posting this, the malicious domain is starting to redirect to a very descriptive one, which basically says "given up on ddos-ing", and a featured ad in between loads.cc's old interface is pitching the new service - contextual advertising consultations, as you can see in the attached screenshot. Apparently, a little more in-depth research acts as public pressure, especially when they're lazy enough to have a great deal of malware variants "phone back home" to their promotional domain. However, the current one responding to 67.228.69.191 is hosted by SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered Technologies again confirming the Russian Business Network connection since, both, Layered Technologies and SoftLayer are known to have been and continue providing services to the RBN, knowingly or unknowingly. Moreover, the malware infected counter at the stats section continues reporting new additions.

Being one of the most venerable examples of DDoS for hire services, it's worth reposting its FAQ in an automatically translated fashion, so that a better perspective to the dynamics of offering such services is provided to the readers. Here's the FAQ on using the service, which is relatively easy to understand :

- All that is pure downloads nothing is loaded simultaneously

- The "mix" is not Buro countries on specified individual prices

- Loaded only those countries which are specified in the problem

- The country is determined to maxmind geoip

- When it ALL loaded all countries and the price of downloads is calculated separately for each country that is DE for the download you pay for a $ 0.2 PE 0.03

- Prices for downloads can sometimes vary slightly this watch themselves

- As such, the concept of mix does not exist, each country has its own price, and if the country is not clearly specified in the price is $ 30 price / 1k

- The money is withdrawn from the account in accordance with the facts and running leaps ekze by car users

- In the balance on deposit $ 5 or less stopped loading

- No minimum, it is possible to load even though 3 pc 10k limit pointing in the problem

- The claims, made by ALREADY download will not be accepted, DICOM small parties or do the test to check quality

- Following the establishment of tasks it must be activated by clicking on the link in the status, the same method could be suspended

- Pole challenge "received" shows how many bots believed assignment, it is usually little more than a "loaded" on the fabric sur somehow prichnam some boats were not able to download and run your ekze dolzhili or not yet know

Undercover DDoS in between contextual advertising, or "giving up on DDoS" entirely? Let's wait and see, without being naive enough to forget that this among the hundreds of other DDoS for hire services currently available in the wild.

Continue reading →

The New Media Malware Gang - Part Four

Sometimes patterns are just meant to be, and so is the process of diving into the semantics of RBN's ex/current customers base, in this case the New Media Malware Gang. The latest pack of this group specific live exploit URLs :

bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php

Going through Part one, Part two, and Part three, clearly indicates an ongoing migration. Continue reading →

Wired.com and History.com Getting RBN-ed

This summary is not available. Please click here to view the post. Continue reading →

Injecting IFRAMEs by Abusing Input Validation

More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution :

"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script-injection issue, which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. On March 6, 2008, the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected by a similar issue."

At 19:45 (EET) all of the sites have their input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good.

How was the IFRAME injection possible at the first place? OWASP lists input validation as one of the top 10 injection flaws for 2007, which in a combination with a site's SEO practice of caching pages with the injected input in the form of a keyword and the IFRAME, is what we've been seeing during the week :

"Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level. Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development."

And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.

Continue reading →

More CNET Sites Under IFRAME Attack

News is spreading fast, appropriate credit is given, but not as fast as the IFRAME campaign targeting several more CNET Networks' web properties besides ZDNet Asia, namely, TV.com, News.com and MySimon.com which I'll assess in this post. In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet's international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. And so, we have three more sites part of CNET Networks' portfolio, getting injected with more IFRAMEs, abusing their search engine's local caching, and storing of any keyword feature, in a combination with a loadable IFRAME.

What has changed for the past 24 hours, despite that the now over 51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at TV.com, News.com and MySimon.com, again pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec MediaTubeCodec.exe, hosted and distributed under two new domains.

Which sites are currently targeted?
ZDNet Asia - currently has 51,900 injected pages
TV.com - 49,600 locally hosted IFRAME injected pages
News.com - 167 locally hosted pages, injection is ongoing
MySimon.com - currently 4 pages, the campaign is ongoing

Which domains and IPs are behind the IFRAMEs?
do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21

Where's the malware?
It's there, you just have to triple check different IFRAME-ed search results and finally you'll get to install XP AntiVirus 2008 and a fake codec, the only two pieces of malware currently served. What's important to note is that this is the current state of the campaign, and with the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis are possible, and since they ensure you're served on the basis of where you're coming from, things can change pretty fast. These are all of the domains that follow after the IFRAME redirects for all the campaigns currently detected, and the detection rates for the malware from the last campaign :

hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)

MediaTubeCodec.com
Scanner results : 11% Scanner(4/36) found malware!
Time : 2008/03/06 16:38:39 (EET)
File Size : 85520 byte
MD5 : 25708e1168e0e5dae87851ec24c6e9f7
SHA1 : 33b502b13cab7a34bb959d363ae4b7afd23919a6
AVG - I-Worm/Nuwar.P
Fortinet - Suspicious
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan

Tries to connect to websoftcodecdriver.com; websoftcodecdriver2.com and 77.91.227.179, in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN - "Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer." and RogueAntiSpyware.AntiVirusPro - "RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent."

Spyshredderscanner.exe
Scanner results : 42% Scanner(15/36) found malware!
Time : 2008/03/06 17:02:23 (EET)
File Size : 33224 byte
MD5 : bc232dbd6b75cc020af1fcf7cee5f018
SHA1 : fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f
Detected as : Win32.FraudTool.SpyShredder; Downloader.MisleadApp

Again opening local port 1034 and tries to connect to 69.50.168.51, ATRIVO = RBN's well known netblock.

Who's behind it?
It's all a matter of perspective, if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN. However as I've once pointed out in respect to the New Media Malware Gang and its connection with the RBN and Storm Worm, for the time being it's unclear which one of these is the operational department if any, of the RBN is vertically integrating to provide more than the hosting infrastructure, and diversify to malware, or spyware installation on a revenue-sharing basis participating in an affiliate program.

This malicious campaign will continue to be monitored, particularly the RBN connection, and whether or not they will start targeting CNET's other sites. Continue reading →

Unprofessionally Piggybacking on my Research

Why did I bother to send this message to Full-Disclosure last night, despite that I already posted it here? Because I knew that this would happen, it's happened before, and it will happen in the future, so having dates and hours to prove what you see on the top of each and every blog post here, namely the real-time situational awareness objective, is what I wanted to achieve. And I did. Thankfully, there're Sophos, TrendMicro, McAfee and Commtouch realizing that corporate blogging evolved from hard selling and the basics of marketing, to a complex PR platform, and therefore quote and link to my blog, to have me link back, so that a conversation emerges. Redefining the process of rephrasing so that my creative commons license per post is not violated? Find the ten differences between my post yesterday, its title, and today's statements:

"Continuing, Chia says that: “Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these iFRAME-ed results in the first few pages of the search results. And the objective? To get the unsuspicious user to click on the link”."

So, my original post went online yesterday, TeMerc reposted it, so did Paul, I sent it to Full-Disclosure, and as it looks like F-Secure's Wing Fei Chia seems to read, either Full-Disclosure, or my blog to come up this post, 24 hours later. Anyway, SecurityFocus, again covers the incident in an article entitled "Fraudsters piggyback on search engines", quoting me, this time professionally. Continue reading →

Rogue RBN Software Pushed Through Blackhat SEO

On numerous occasions in the past, I emphasized on the malicious attacker Keep it Simple Stupid (KISS) approach for anything starting from Rock Phishing, to maintaining a huge live exploits domains portfolio hosted on a single IP. This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example for instance, we had an second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201, however, what Keep it Simple Stupid really means in this case is that the next IP in their netblock 89.149.243.202 is currently getting injected at many other sites as well. The difference between the previous campaign and this one, is that the previous one was targeting just two high page rank-ed sites, while in the second one, the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same, both campaigns continue pushing the rogue XP AntiVirus. XP AntiVirus's pitch, note the downloads success rate mentioned and how they forgot to change the template used in the campaign by putting the rogue's name :

"XP antivirus has been downloaded over 4 Million times; with a 20,000 more downloads every week. Millions of people worldwide use Spyware Doctor to protect their identity and PC security. XP antivirus has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors' Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced technology designed specially for people, not experts. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection. XP antivirus's advanced RealOnGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings."

Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsexworld.info/soft.php?aid=0064&d=3&product=XPA (72.232.224.154) and from there to xpantivirus2008.com (69.50.173.10). There're in fact several other domains currently promoting this as well : xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); xpantivirus.com (216.255.180.58), as well as the following : hotantivirus.info (74.86.81.80); easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader's detection rate :

Scanner results : 17% Scanner(6/36) found malware!
Time : 2008/03/05 13:57:48 (EET)
File Size : 47104 byte
MD5 : 2102cb53606f535ca8132c3324953596
SHA1 : 0756f530e782c3d2e85a8186e052b722b017f1ea
AntiVir - TR/Crypt.ULPM.Gen
Fortinet - Suspicious
Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious)
Panda - Suspicious file
Prevx - TROJAN.DOWNLOADER.GEN
Sophos - Mal/HckPk-A

Smells like RBN's used InterCage and ATRIVO netblocks from routers away.

Related RBN coverage:
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network Continue reading →

ZDNet Asia and TorrentReactor IFRAME-ed

UPDATED: More CNET Sites Under IFRAME Attack; Rogue RBN Software Pushed Through Blackhat SEO.

This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to have the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network's IPs and ex-customers in the face of rogue anti-virus and anti-spyware applications. For the time being, zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net - 29,300 cached pages loading the IFRAME. Even worse, the IFRAME embedded search results hosted on their sites, are appearing between the first ten to twenty search results, thanks to the sites high page ranks. Sample search queries :

jamie presley

mari misato

risa coda

kasumi tokumoto

jill criscuolo

The IFRAME is loading 72.232.39.252/a also responding to themaleks.net. The link itself is loading an obfuscated javascript, which once deobfuscated attempts to load a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2) also responding to ppcan.info, with two more domains sharing nameservers, findhowto.net, searchhowto.net. Ppcan.net has already been assessed by Microsoft's Security Team :

"The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page."

So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it. Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer :

xpantivirus2008.com (69.50.173.10)

scanner.spyshredderscanner.com (77.91.229.106)

hot-pornotube-2008.com (206.51.229.67)

porn-tubecodec20.com (195.93.218.43)

Once the junkware inventory is empty, all pages redirect to requestedlinks.com (216.255.185.82). Let's take a peek at the codec :

Scanner results : 11% Scanner (4/36) found malware!

File Size : 85008 byte

MD5 : 6b325c53987c488c89636670a25d5664

SHA1 : c6aeeafffe10e70973a45e5b6af97304ca20b3bd

Fortinet - Suspicious

Norman - Tibs.gen200

Prevx - TROJAN.DOWNLOADER.GEN

Quick Heal - Suspicious - DNAScan

Even more interesting is the fact that literally minutes before posting this, another such campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and loading another IFRAME to 89.149.243.201/a redirecting to cialis2men.com/product/61 (92.241.162.154).

What is going on, have the sites been compromised, or the attackers are in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names.

The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search queriesAnd given that the malicius parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".

Continue reading →

Embedding Malicious IFRAMEs Through Stolen FTP Accounts

Keywords for gaining attention from a marketing perspective for last week - embedded malware, IFRAMEs, stolen FTP accounts, Fortune 500 companies, Russia. Nothing's wrong with that unless of course you're interested in the whole story and the big picture, which wouldn't be excluding the possibility for having a Fortune 500 company's servers acting as C&Cs for a large botnet. Why are Fortune 500 servers excluded as impossible to get hacked at the first place, making it look like that the amount of money spent on security is proportional with the level of security reached? The more you spend does not mean the more secure it gets if you're not allocating the money where they have to be allocated at, in a particular moment of time, given the dynamic threatscape these days.

What's most important to point out about the recent incident of Fortune 500 companies stolen FTP accounts, is that it's "stolen accounting data for sale" as usual, as usual in the sense of the hundreds of other such propositions currently active online. And if we're to use an analogy on its importance as a event, it's like your smell receptors, namely the more you use a particular fragnance, the less you're capable of sensing it since you're getting used to the smell. In this line of thoughts, what's "stolen accounting data for sale as usual" for some, is exclusive event for others. Even worse, it's "slicing the threat on pieces" compared to discussing the "pie" itself. Moreover, the shift from products to services in the underground marketplace is something that's been happening for the past three years, and therefore making it sound like it's been happening as of yesterday, brings the discussion to the lowest possible level - right from the very beginning. Try the following malicious services on demand for instance, demostranting key business concepts such as consolidation, vertical integration, benchmarking -Q&A, and standartization :

- Wild Wild Underground

- DDoS on Demand VS DDoS Extortion

- Malware as a Web Service

- Multiple Firewalls Bypassing Verification on Demand

- Managed Spamming Appliances - The Future of Spam

- Botnet on Demand Service

- DIY CAPTCHA Breaking Service

- Managed Fast-Flux Provider

- Which CAPTCHA Do You Want to Decode Today?

- Localizing Cybercrime - Cultural Diversity on Demand

On the other side of the universe :

"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase."

on the other side of the universe on Neosploit's "purpose in life" :

"The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies."

Robert Lemos is however, reasonably pointing out that :

"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007."

Key summary points :

- the tool's been around since February, 2007, making it exactly one year old

- it has built-in accounting data validation, pagerank measurement of the sites whose FTP accounting data has been stolen as you can see in the third screenshot attached

- IP Geolocation for the now pagerank-ed sites is also included

- the tool's functions are relatively primitive compared to three other alternative ones that I'm aware of taking advantage of anything by stolen FTP accounts, a logical fad by itself

- the script is officially sold for $25, but as we've seen it in the past with MPack and IcePack, buyers unaware of other outlets for the tool would pay the high-profit margins offered by the seller

- FTP accounting data can be imported, and once verified, a statistical output for the automated process of logging in and embedding the IFRAME is provided

- IFRAMEs are automatically embedded within .php; .html; .asp; .htm extensions

- embedding iframes through stolen FTP accounts is a fad, purchasing and selling shells/web backdoors and huge domain portfolios controlled via Cpanels is a trend, as automatic injection of malicious IFRAMEs through remote file inclusion and remotely exploitable SQL injection vulnerabilities is

Your situational awareness about the emerging threatspace is as always up to the information sources that you use, or still haven't started using. My point is that exposing Pinch in the summer of 2007 despite that the tool's been around since 2004/2005, and exposing this malicious FTP account checker and IFRAMEs embedder in February, 2008, when it hasn't been updated since February, 2007, greatly contributes to the development of a twisted situational awareness. Realizing it or not, with the time, security researchers or intelligence analysts establish a very good sense of intuition about what's happening at a particular moment in time, or what will be happening anytime now. And using stolen FTP accounts for embedding IFRAMEs never picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO content. Scenario building intelligence, or playing the devil's advocate, it's a mindset only a small crowd possess.

Continue reading →

RBN's Phishing Activities

As we're on the topic of RBN's zombies trying to connect to their old netblocks, and botnets being used to host and send out phishing content, what looks like entirely isolated incidents in the present, is what has actually being going on on RBN's network during the summer of 2007. A picture is worth a thousand speculations, yes it is. As you can see in the attached historical screenshot of a web based botnet C&C, the Russian Business Network's old infrastructure has also been involved into delivering phishing pages to malware infected hosts, whose requests to the legitimate sites were getting forwarded to RBN's old netblock. The process is too simple, thereby lowering the entry barriers into phishing activities due to its modularity. Basically, the botnet master can easily configure to which fake phishing site the infected population would be redirected to, if they are to visit the original one with no more than three clicks. And so, for the purpose of historical preservation of CYBERINT data given the quality of the identical screenshot obtained through OSINT techniques -

RBN URLs used in the phishing redirects :
81.95.149.226/scm/us/wels/index.html
81.95.149.226/scm/uk/lloydstsb/personal/index.html
81.95.149.226/scm/cyprus/persmain.html
81.95.149.226/scm/au/westpac/index.html
81.95.149.226/scm/au/commonwealth/
81.95.149.226/scm/au/warwickcreditunion/index.html
81.95.149.226/scm/uk/lloydstsb/business/index.html
81.95.149.226/scm/uk/halifax.php
81.95.149.226/scm/uk/rbsdigital/index.html
81.95.149.226/scm/uk/co-operative/index.html
81.95.149.226/scm/uk/cahoot.php

Known malware to have been connecting to 81.95.149.226 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to 81.95.149.226, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.

Some facts are better known later, than never. Continue reading →

Yet Another Massive Embedded Malware Attack

The following central redirection point in a portfolio of exploits and malware serving domains - buytraffic.cn/in.cgi?11 is currently embedded at couple of hundred sites and forums across the web. And just like the many previous such examples, the process is automated to the very last stage. Repeated requests expose the entire domains portfolio, where once the live exploit is served with the help of a javascript obfuscations, the binaries come into play. Here are all the domains and live exploit URLs involved for this particular campaign :

buytraffic.cn/in.cgi?11 - 62.149.18.34
sclgntfy.com/ent2763.htm - 85.255.118.12
tds-service.net/in.cgi?20 - 72.233.50.148
spywareisolator.com/landing/?wmid=sga - 72.233.50.150
warinmyarms.com/check/upd.php?t=670 - 58.65.239.114
coripastares.com/in.php?adv=1267&val=3ee328 - 202.83.197.239
xanjan.cn/in.cgi?mikh - 78.109.22.246
chportal.cn/top/count.php?o=4 - 203.117.111.102
buhaterafe.com/in.php?adv=1208&val=65286d - 202.83.197.239
193.109.163.179/exp/count.php
193.109.163.179/exp/getexe.php
78.109.22.242/mikh/1.html
78.109.22.242/sh.html

Who says there's no such thing as free malware cocktails.

Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two Continue reading →