Price Discrimination in the Market for Stolen Credit Cards

What would be the price of a stolen credit card with an already verified balance, and based on what factors would the sellers come up with the price range? Depends on who you're buying the goods from. Continuing the discussion on the Underground Economy's Supply of Goods, the service I'll comment on in this post is among the countless number of others offering stolen credit card numbers, however, in this one we have a great example of price discrimination compared to the majority of other propositions, emphasizing on a volume basis propositions - the more you buy the cheaper it gets.

Let's go through this proposition differentiating itself on the basis of the balance available on a per bank basis :

- Bank Of America/Between 2k - 50k/400$
- WellsFargo/Between 4k - 40k/300$
- Chase Bank/Between 2k - 30k/250$
- Citibank/Between 9k - 70k/300$
- Wachovia/Between 2k - 18k/275$
- Barclays/Any Balance/400$
- HSBC/Between 30k - 312k/400$ up to 100k=600$
- Halifax/Between 20k 180k/450$
- Nationwide/Between 15k - 230k/450$
- Lloyds TSB/Between 10k - 400k/600$

How they come up with these prices remains a subject to speculation, what's important to point out is that in between the price discrimination used here on a good that in reality is a commodity good, is that they're cashing-in on the high profit margins since when investing the time and efforts into stealing these credit card numbers though banker malware infected PCs, they weren't even aware of what their ROI would be, consequently any price set would be a profitable price outpacing the investments they've made into obtaining the accounting data.

We can also theoretically have the same seller making propositions on a volume basis, operating another site this time targeting different marketing segment, where the site itself would have also been advertised to reach that very segment. What he's enjoying is the overall lack of market transparency and the fact that it's not a daily practice for someone to come across sites selling stolen credit card details, which is where the first proposition would take place. The second, the one on a volume basis, would be targeting the experienced identity thieves who never even consider spending so much money on a good that they come across to, and have good understanding of the market, thus, know where to find bargain deals for it.

Who's supplying the bargain deals anyway, and how are the bargain deals affecting the behavior of the experienced sellers in the market? New market entrants that suddenly managed to get hold of huge amounts of stolen credit cards, consciously or subconsciously introduce penetration pricing in the market. Basically, they are aware of several services and they prices they charge for the goods offered, so on the basis of these prices they start to on purposely undercutting them in order to achieve the necessary growth during the introduction period.

With the ever decreasing cost required to conduct cybercrime, any investment made would automatically result in a positive return on investment. Moreover, for the time being, there's no way we can even consider talking about the average price for a stolen credit card number, as everyone is playing by their own rules, with only a few exceptions using basic market principles. So if you even come across an article or a report stating that the price of a certain good is the specific amount of money pointed out, don't take the number of granted, as this is just one of the many such servics and propositons the researchers came across to, not the average.

Ironically, just like you have publicly available backdoored versions of Mpack and Icepack aiming to trick the average script kiddies into providing those who backdoored the kits with the opportunity to hijack their successful campaigns, that's of course next to the backdoored phishing pages released in the very same fashion, we also have scammers trying to scam other scammers by pitching the stolen credit cards and never "delivering the goods". Continue reading →

U.K's Crime Reduction Portal Hosting Phishing Pages

Poste Italiane seems to have relocated to a brand new location online, in this case the U.K's Crime Reduction Portal which is currently hosting a phishing page - crimereduction.homeoffice.gov.uk/alcoholorders/Archive070410/poste/cartepr

What's special about this incident is that it's becoming increasingly common to come across phishing sites that have been remotely-file-included or SQL injected at vulnerable sites. In ca you remember, the Police Academy in India too, used to host phishing pages in the past. The irony in both cases is highly visible, and for good or bad, it's anecdotal cases like these that are supposed to build awareness on the adapting tactics phishers use nowadays - forwarding the responsibility for hosting as well as managing a shadow infrastructure like this one for instance.
Continue reading →

Storm Worm Hosting Pharmaceutical Scams

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

producemorning.com
pressrose.com
posestory.com
picturewest.com
lowsmell.com
catsharp.com
printlength.com

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

Administrative Contact:
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
yayun22@163.com

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.

Related posts:
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game Continue reading →

Comcast.net not Hacked, DNS Records Hijacked

Two days ago in a show off move, the Kryogenics team managed to change the DNS records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this incident only served a defaced-looking like page, and denied email services to Comcast's millions of email users for a period of three hours.

The message they appear to have left at the first place, is actually hosted on third-party servers and reads :

"KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven"

Comcast's changed whois records looked like this, and were restored to their original state approximately three hours later :

Administrative Contact:
Domain Registrations,
Comcast kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk 69 dick
tard lane dildo room
PHILADELPHIA, PA 19103
US 4206661870 fax: 6664200187

The hacked page was loading from the following locations :
freewebs.com/buttpussy69
freewebs.com/kryogeniks911
defiants.net/hacked.html

Comcast's comments :
"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."

Network Solutions comments :
"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."

"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.

With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.

UPDATE :
An interview with the hijackers including a screenshot of the control panel for over 200 Comcast operated domains is available.
Continue reading →

Malware Attack Exploiting Flash Zero Day Vulnerability

It's been a while since we've last witnessed malware attacks using zero day vulnerabilities, and the latest one exploiting a zero day in Adobe's flash player is definitely worth assessing. The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers, moreover, one of the domains serving the Adobe zero day has been sharing the same IP with four of the malware domains in the recent waves of massive SQL injection attacks, indicating this incident and the previous ones are connected. According to Symantec :

"Preliminary investigation suggests that the DeepSight honeynet may also have captured this attack. We are looking into this further. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Avoid browsing to untrustworthy sites. Also, consider disabling Flash or use some sort of script-blocking mechanism, such as NoScript for Firefox, to explicitly allow SWFs to run only on trusted sites. "

The Internet Storm Center also made an announcement and assessed a malware domain that was using the exploits in this case play0nlnie.com (125.46.104.172), next to Adobe's Product Security Incident Response Team (PSIRT) original announcement of the vulnerability. What about the original hosting sites for this exploits? Are they still active and serving it, what are the detection rates of the exploits and the malware served, and are there any other domains that should be blocked, also responding to the same IPs.

Let's assess the campaign using the Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability. At count18.wuqing17173.cn/click.aspx.php (58.215.87.11) the end user is receiving a look looks like a 404 error message, however, within the 404 message there's a great deal of information exposing the exploits location and participation domains, which you can see attached in the screenshot above. In between several obfuscations we are finally able to locate the exploits serving host, as there are multiple exploits this particular campaign is taking advatange of, in between the Adobe Flash Player one :

0novel.com /real.js
0novel.com /rl.htm
0novel.com /lz.htm
0novel.com /bf.htm
0novel.com /xl.htm
0novel.com /flash.swf
0novel.com /flash1.swf

Let's get back to the second domain which is not returning a valid 403 error forbidden message, woai117.cn (221.206.20.145) which has also been sharing the same IP with kisswow.com.cn; qiqi111.cn; ririwow.cn; wowgm1.cn, among the domains used in the ongoing SQL injection attacks. Once the binary located at woai117.cn /bak.exe was obtained and sandboxed, it tried to download more malware by accessing woai117.cn /kiss.txt with the following binaries already obtained, analyzed and distributed among AV vendors :

117276.cn /1.exe
117276.cn /2.exe
117276.cn /3.exe
woai117.cn /bing.exe

Detection rates for the exploit, the obfuscations and the malware binaries obtained :

Sample obfuscation
Scanners result : 3/32 (9.38%)
F-Secure - Exploit.JS.Agent.oa
GData - Exploit.JS.Agent.oa
Kaspersky - Exploit.JS.Agent.oa
File size: 35767 bytes
MD5...: 11d2b82a35cd37560673680f25571bac
SHA1..: 687066c90bb44fee574f2763041ee80dfee4d5bf

A sample flash file with the exploit
Scanners result : 2/32 (6.25%)
eSafe - SWF.Exploit
Symantec - Downloader.Swif.C
File size: 846 bytes
MD5...: 1222bf4627894cb88142236481680d03
SHA1..: bbf59d9e6610e6f982a7ce7fc9e9878ffd3bfe70

The malware served
Scanners result : 18/32 (56.25%)
MemScan:Win32.Worm.Otwycal.T; a variant of Win32/AutoRun.NAD
File size: 25229 bytes
MD5...: 6be5a7b11601f8cb06ebba08c063aa09
SHA1..: 95d266e2e04e27a923467f483c23818c38ebe19e

The password stealers
Scanners result : 19/32 (59.38%)
Trojan.PWS.OnLineGames.WOM; Win32/TrojanDropper.Agent.NKK
File size: 42268 bytes
SHA1..: 7dfd51e96269f8d53354dd4c028d0c9481ebf4c8

Scanners result : 13/32 (40.63%)
W32/Heuristic-159!Eldorado; Suspicious:W32/Malware!Gemini
File size: 108172 bytes
MD5...: a0383dd1571af5e2f104e1f7d6df7a67
SHA1..: be5b9b00ce9e378e545fa4f1e67160f20ba82ad2

Consider blocking flash by using Flashblock for instance, until the issue is taken care of :

"Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content. "

It could have been worse, as "wasting a zero day exploit" affecting such ubiquitous player such as Adobe's flash player for infecting the end users with a rather average password stealer is better, than having had the exploit leaked to others who would have have introduced their latest rootkits and banker malware.

UPDATE - 5/28/2008

Consider blocking the following domains currently serving the malicious flash files :

tongji123.org
bb.wudiliuliang.com
user1.12-26.net
user1.12-27.net
ageofconans.net
lkjrc.cn
psp1111.cn
zuoyouweinan.com
user1.isee080.net
guccime.net
woai117.cn
wuqing17173.cn
dota11.cn
play0nlnie.com
0novel.com

UPDATE - 5/29/2008

Zero day or no zero day? It appears that the exploit used in this campaign is an already known one, namely CVE-2007-0071, and this has since been verified by multiple parties who were assessing the incident. Some related comments :

Flaw Watch: Why Adobe Flash Attacks Matter
"Thursday, however, Symantec backtracked after Adobe released a statement denying that the matter concerned a new flaw. In a progress report posted to the official Adobe PSIRT blog, David Lenoe said the exploit "appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0." In an update to that blog entry, he said Symantec had confirmed that all versions of Flash Player 9.0.124.0 are not vulnerable to the exploits. Symantec Senior Researcher Ben Greenbaum acknowledged the flaw was previously known and patched by Adobe April 8, though the Linux version of Adobe's stand-alone Flash Player version 9.0.124 was indeed vulnerable to the attack."

Potential Flash Player issue - update
"We've just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary. Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue. "

More information on recent Flash Player exploit
"This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."

Followup to Flash/swf stories
"On closer examination, this does not appear to be a "0-day exploit". Symantec has updated their threatcon info, as well. We have yet to see one of these that succeeds against the current version (9.0.124.0), if you find one that does, please let us know via the contact page."

Why was the possibility of finding one that succeeds against the current version of Flash considered in ISC's post? Because with no samples distributed by Symantec verifying the zero day, the way the exploit serving flash files were generated at the malicious domains on a version basis (WIN%209,0,115,0ie.swf for instance), and with everyone trying to figure it out in order to obtain the malicious flash file for the latest version in order to verify its zero day state, this timeframe resulted in the delay of assessing the real situation.
Continue reading →

Asprox Phishing Campaigns Dominated in April

According to the latest report from the Phishtank, a great resource for OSINT data, five IPs were hosting 6547 phishing campaigns in April, all of which are courtesy of the Asprox botnet, a botnet that despite being actively sending phishing emails for the last couple of months, received more publicity for its introduction of SQL injection capabilities, like the ones I've assessed in a previous post. The IPs in question :

212.174.25.241
62.233.145.45
218.92.205.246
85.105.182.6
212.0.85.6

Where's the connection? It's in the historical domains that used to respond to the IPs, in the Asprox case, a great deal of the original domain names used a couple of months ago are still in a fast-flux and further expose and connection between these IPs and Asprox. For instance, 62.233.145.45, is known to have been hosting xml52.com; www5.yahoo.american-greeting.ca.xml52.com; yahoo.americangreeting.ca.www05.net; bendigobank.com.au.tampost5.ws; among the domains used in some of the previous phishing domains. The rest of the IPs are also known to have participated in the fast-flux, and therefore, as long as they remain using some of their old domains, and fast-flux them in a way that can be compared to the data from previous months, monitoring the prevalence of Asprox phishing campaigns and making the connection between a phishing campaign and the botnet, would remain easy to do.

Related posts:
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Inside a Botnet's Phishing Activities
Fake Yahoo Greetings Malware Campaign Circulating
Phishing Emails Generating Botnet Scaling
Continue reading →

Yet Another Massive SQL Injection Spotted in the Wild

Another SQL injection attack was spotted in the wild during the last couple of hours, and while it continues remaining active, surprisingly, the malicious domain is not in a fast-flux. As I've already pointed out, the upcoming SQL injection attacks for the next couple of months, will be primarily executed by copycats, where among the few differentiation factors left is increasing the survivability of the domain.

In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execution (CVE-2006-0003), whose detection rate is 1/32 (3.13%) and is detected as Mal/Psyme-A. Approximately, 8,900 sites have been affected. Continue reading →

Web 2.0 Privacy and Security Workshop - Papers Released

Last week, the 2008's W2Sp workshop held in Oakland, California and sponsored by the IEEE Symposium on Security and Privacy, made available all the papers from the workshop, including catchy titles such as :

- input type="password" must die!
- Web Authentication by Email Address
- Beware of Finer-Grained Origins
- On the Design of a Web Browser: Lessons learned from Operating Systems
- Analysis of Hypertext Markup Isolation Techniques for XSS Prevention
- Privacy Protection for Social Networking Platforms
- (Under) mining Privacy in Social Networks
- Building Secure Mashups
- Web-key: Mashing with Permission
- Private Use of Untrusted Web Servers via Opportunistic Encryption
- Evidence-Based Access Control for Ubiquitous Web Services
- Privacy Preserving History Mining for Web Browsers
- Towards Privacy Propagation in the Social Web

Information is not free, it just wants to be free. Continue reading →

A Review of Hakin9 IT Security Magazine

A new issue of the Hakin9 - Hard Core IT Security Magazine is "in the wild", and since the editorial staff has been kind enough to provide me with issues of the magazine for a while now, in this post I'll review the latest issue with the idea that constructive confrontation leads to the best output achievable.

There are many different ways to review a magazine, however, I'm always sticking to the following critical success factors for a quality magazine :

- The presence of a vision
While a vision is often taken for granted, or even worse, a mission gets misunderstood for a vision, in Hakin9's case the vision could be perhaps best rephrased as "Spoiling the geeks who beg for a nerdy talk to them".

- Content quality

The magazine truly delivers what it promises, namely, hardcode content in sections such as tools review, basics, attack, defense, book reviews, consumers test, and interviews. And whereas the key topic in this issue is LDAP cracking, I really enjoyed the Javascript obfuscation article, with the practical examples provided. A bit ironic, the issue is also reviewing a commercial source code obfuscator, which just like legitimate anti-piracy tools used by malware authors to make their binaries harder to analyze, can also be abused for malicious purposes.

- Relevance of information
The information provided in the articles is highly relevant, and timely, lacking any retrospective approaches and focusing on current and emerging threats only. The same goes for the extensive external resources provided, emphasizing on the importance of self-education.

- Layout

Very well structured, and so far I haven't come across an article where the images weren't syndicated the way they should be, for instance the figures mentioned on a certain page, are the same figures available at that page. Three differentiation points make a very good impression, the level of difficulty for the article, what you should know before reading it in order to understand it, and what you will know after reading it, which you can find at the end of every article.

- Visual materials
The surplus of visual materials is perhaps what won me as a reader from the first moment. In fact, the issues are so rich on visual material illustrating the topic covered in such details, that you can actually take entire sniffing, and javascript obfuscation sessions offline with you, and never ever have to picture the output of a certain process in your mind again.

- Ads

Highly targeted, and primary security related, and best of all, very well spread across the magazine, so you're exposed to more content than ads.

Overall, the magazine successfully delivers what it promises to deliver - hardcode technical content from the geeks, for the geeks. Informative reading!

Continue reading →

How Does a Botnet with 100k Infected PCs Look Like?

Digitally ugly for sure, the point is that this malware campaign has been spreading pretty rapidly over MSN and AIM as of recently, and with its success rate so efficiently infecting new hosts, that going through chat logs indicates the botnet master's will to stop spreading it as there are simply too many hosts getting infected faster than he had anticipated at the first place. Ironic, but a perfect example of what happens once the entry barriers into a certain market segment of the IT underground have been lowered to the stage where, it's not about having the capabilities, but the motive to embrace the success rate, like this case.

Botnet masters are also masters in social engineering. Apparently, the success rate for this campaign is so high due to its social engineering tactic, which in this case is to establish as many touch points with the potential victim as possible, and also, entice clicking on a commonly accepted as harmless .php file followed by the victim's username in a username@hotmail.com fashion.

What you see is not always what you get, especially with more and more droppers requesting other malware with image file extensions, which gets locally saved in its real nature - %Windir%\Media\System.exe for instance. Continue reading →

The Icepack Exploitation Kit Localized to French

Bonjour! In a surprising move by the French blackhats, the Icepack web malware exploitation kit has been localized to French, further expanding the list of malware kits localized to foreign languages, and confirming the localization trend (page 18). Localization has been silently taking plance in the IT underground for the last couple of years, and as of recently going mainstream, followed by the localization of such popular web malware exploitation kits such as MPack, Icepack and Firepack, all to Chinese.

The long term impact of localization will improve the communication between those offering malicious services, and those looking for them in their native language. For instance, the sites of certain malicious services are already available in several different languages, and the quality of the translation is courtesy of available translation services provided by native speakers.

Moreover, breaking the language barrier doesn't just expand the market, but also, improves targeting for malware, spam, and phishing campaigns, where a truly professional campaign would speak the native language so naturally, it would leave the receipt with the feeling that it's originating from somewhere within their homeland. In reality though, the malicious parties behind it, or the managed spam providers vertically integrating to offer translations services, would be on the other side of the planet. Continue reading →

Malware Domains Used in the SQL Injection Attacks

Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
qiqi111.cn
banner82.com s
meisp.cn
okey123.cn
b.kaobt.cn
nihao112.com
al.99.vc
aidushu.net
chliyi.com
free.edivid.info
52-o.cn
actualization.cn
d39.6600.org
h28.8800.org
ucmal.com
t.uc8010.com
dota11.cn
bc0.cn
adword71.com
killpp.cn
w11.6600.org
usuc.us
msshamof.com
newasp.com.cn
wowgm2.cn
mm.jsjwh.com.cn
17ge.cn
adword72.com
117275.cn
vb008.cn
wow112.cn
nihaoel3.com

Some new additions that I'm tracking :

a.13175.com
r.you30.cn
d39.6600.org
001yl.com
free.edivid.info
aaa.1l1l1l.Com/error/404.html
cc.buhaoyishi.com/one/hao5.htm?015
aaa.77xxmm.cn/new858.htm?075
llSging.com/ww/new05.htm?075
shIjIedIyI.net/one/hao8.htm?005
congtouzaIlaI.net/one/hao8.htm?005
aa.llsging.com/ww/new05.hTm?075

The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post. Continue reading →

Yet Another DIY Proprietary Malware Builder

Following the most recent proprietary web malware exploitation kits, and DIY malware tools found in the wild, this is among the latest malware builders with a special emphasis on spreading from PCs to USB mass storage devices, and from USB mass storage devices to PCs. On 2008/04/28 when a sample generated binary was checked with multiple antivirus scanners, the detection was 2/32 with Panda Security and F-Secure detecting it, according to the seller of the builder.

For the time being, malware authors continue emphasizing on the product concept, namely they build a malware based on their perception of what a malware should constitute of, then start offering it for sale as well as it's source code. In the long-term however, based on the increasing number of malware and spyware coding on demand, malware authors would undoubtedly embrace the customerization concept and start putting more efforts into figuring out what the customer really want compared to their current "built it, price, advertise it" and they'll come mentality.

Moreover, despite the generated buzz over the Zeus banker malware and its copyright notice, Zeus remains publicly available, and so is its source code, placing it under the open-source malware segment. So emphasizing on how malware authors are trying to protect their work is exactly what's not happening right now. Releasing it in open-source form increases its life cycle, and both, the original authors, and the community build around the malware benefit from the new features introduced within.

And now that the most popular web malware exploitation kits are already localized to Chinese due to their open-source nature, making it harder to maintain a decent situational awareness on the new features introduced courtesy of third-party coders, we may that easily see Zeus localized to Chinese as well. It's a trend, not a fad. Continue reading →

The Whitehouse.org Serving Malware

The Whitehouse.org a parody site of the original Whitehouse.gov is serving malware. From TrendMicro's blog :

"According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to harbor some malicious, obfuscated JavaScript code which “background downloads” code to unsuspecting visitors of the site, where a malicious file is downloaded (which is detected by Trend Micro as TROJ_DELF.GKP ). Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned."

The malicious domain embedded within the site ad.ox88.info/13.htm (67.15.212.150) is using Mal/ObfJS-AP/Exploit:HTML/AdoStream to serve the malware, whereas the domain itself is using DNS servers known to provide service to malicious domains from previous malware embedded attacks that I've been assessing. Continue reading →

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.

Go through the complete post - Pro-Serbian hacktivists attacking albanian web sites.

Related posts:

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists

Continue reading →

Fake PestPatrol Security Software

Continuing the rogue security software series I've just stumbled upon a fake PestPatrol site - pest-patrol.com (85.255.121.181) hosted at the the RBN connected Ukrtelegroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), just like the majority of sites assessed in previous posts.

Where's the malware at pest-patrol.com? In one of these anecdotal cases, the way the people behind these rogue sites use the same template over and over again, and consequently forget to change the rogue software's name, in this case, not only is pest-patrol.com's mail server responding to antispycheck.com, but they've also uploaded a broken template. Continue reading →

All You Need is Storm Worm's Love

The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm.

These are Storm Worm's latest domains where the infected hosts try to phone back :

cadeaux-avenue.cn (active)
polkerdesign.cn (active)
tellicolakerealty.cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails : glinson156 @ yahoo.com

Related DNS servers for the latest campaign :

ns.orthelike.com
ns2.orthelike.com
ns3.orthelike.com
ns4.orthelike.com
ns.likenewvideos.com
ns2.likenewvideos.com
ns3.likenewvideos.com
ns4.likenewvideos.com

Storm Worm related domains which are now down :

centerprop.cn
apartment-mall.cn
stateandfed.cn
phillipsdminc.cn
apartment-mall.cn
biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
ibank-halifax.com
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.

Related posts:
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game Continue reading →

Fast-Fluxing SQL Injection Attacks

The botnet masters behind Asprox are converging tactics already, by fast-fluxing the SQL injected domains. Related URLs for this campaign :

banner82.com
dll64.com
aspx88.com
bank11.net
cookie68.com
exportpe.net

Read the complete assessment - Fast-Fluxing SQL Injection Attacks Executed from the Asprox Botnet, and go through previous posts related to the botnet as well - Phishing Emails Generating Botnet Scaling; Inside a Botnet's Phishing Activities; Fake Yahoo Greetings Malware Campaign Circulating. Continue reading →

The Small Pack Web Malware Exploitation Kit

Yet another proprietary web malware exploitation kit has been released at the beginning of this month, further indicating that the efficient supply of such kits is proportional to their simplistic nature. The only differentiation factor in the Small Pack is perhaps the inclusion of all known Opera exploits up to version 9.20, however, the rest of the features are the natural ones included in the majority of already known exploitation kits :

- IE exploits included - Quick TIme Modified, PNG, MDAC, DX Media
- Firefox exploits included - Quick Time, PNG, EMBED
- Opera - all exploits up to version 9.20
- RC4 encryption
- lifetime updates
- Geolocation
- opportunity to request additional functions

Converging infection and distribution vectors, evasion and survivability, metrics and command and control in a single all-in-one web malware exploitation kits is, however, is definitely in the works considering the developments introduced in the rest of the kits currently available. For instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns are injecting the malicious domains in its original form, certain attacks are starting to inject obfuscated URLs making it harder to assess the impact of the campaign using open source intelligence techniques.

The bottom line, as long as webmasters continue participating in the so called "traffic exchange" revenue models, knowingly or unknowingly embedding links that would later on ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory that could be supplied is the direct result of an ongoing SQL injection attack, or malware embedded through other means, with the traffic brokers directly undermining webmaster's unethical inclusion of exploits within their domains portfolio.

One thing's for sure - web malware exploitation kits are not just getting localized, they're also being cloned.

Related posts:
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action Continue reading →

Redmond Magazine SQL Injected by Chinese Hacktivists

Four Redmond related web properties appear to have been SQL injected by Chinese hacktivists, namely, Redmond - The Independent Voice of the Microsoft IT Community formerly known as Microsoft Certified Professional Magazine, the Redmond Developer News as well as the Redmond Channel Partner Online.

The lone hacktivist also left a message at the malicious domain (wowyeye.cn), which reads :

“The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!”

Go through related posts on the recent Chinese Anti-CNN campaign. Continue reading →