Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Diverse Portfolio of Fake Security Software - Part Seventeen

March 31, 2009

The following are some of the currently active/about to go online rogue security software domains, and their associated payment gateways exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well known Russian Business Network customers continues taking place, with their portfolios of malicious campaigns currently parked several ISPs. zlkon.lv (DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being, in the context of rogue security software.

mydwnld .com (94.102.51.14; 88.198.8.15; 94.102.51.14)
desktoprepairpackage .com
malwareremovingtool .com
spywareprotectiontool .com
pcantimalwaresolution .com
pcsolutionshelp .com
removespywarethreats .com

yournetcheckonline .com (94.247.2.215)
bestnetcheckonline .com
easynetcheckonline .com
yourwebexamine .com
bestwebexamine .com
easywebexamine .com
yourinternetexamine .com
myinternetexamine .com
linkcanlive .com
yourwebscanlive .com
easywebscanlive .com
internethomecheck .com
websecurecheck .com
websportscheck .com
websmartcheck .com
yournetascertain .com
yournetcheckpro .com
bestwebscanpro .com
security-check-center .com
downloadantivirusplus .com
theantivirusplus .com
myantivirusplus .com
safeyouthnet .com
av-plus-support .com

antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com
microsoft.infosecuritycenter .com
microsoft.softwaresecurityhelp .com
professionalupdateservice .com
platinumsecurityupdate .com
platinumsecurityupdate .com
antispywarequickupdates .com (78.137.168.33)

paymentsystemonline .com (213.239.210.54) Jerom M Collins Email: admin@routerpayments.com
liveupdatesoftware .com
royalsoftwareupdate .com
protectionsoftwarecheck .com
securitysoftwarecheck .com
privateupdatesystem .com
updatesoftwarecenter .com
updateprotectioncenter .com
updatepcsecuritycenter .com
powerdownloadserver .com
rapidsoftwareupdates .com
professionalsoftwareupdates .com
allsoftwarepayments .com
powerfullantivirusproduct .com
securedprostatsupdates .cn

Summarizing Zero Day's Posts for March

March 31, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can also go through previous summaries for February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Inside BBC's Chimera botnet and Study: IE8's SmartScreen leads in malware protection.

01. Conficker worm to DDoS legitimate sites in March
02. Bad, bad, cybercrime-friendly ISPs!
03. Google downplays severity of Gmail CSRF flaw
04. USAID.gov compromised, malware and exploits served
05. International Kaspersky sites susceptible to SQL injection attacks
06. New study details the dynamics of successful phishing
07. BBC team buys a botnet, DDoSes security company Prevx
08. Comcast responds to passwords leak on Scribd
09. Diebold ATMs infected with credit card skimming malware
10. Ex-botnet master hired by TelstraClear
11. Study: IE8's SmartScreen leads in malware protection
12. Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"
13. Inside BBC's Chimera botnet Continue reading →

A Diverse Portfolio of Fake Security Software - Part Sixteen

March 26, 2009

The following are some of the very latest typosquatted rogue security software domains pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 2.0 services.

yourstabilitysystem .com (209.44.126.14)
onlinescanservice .com
scanalertspage .com
getscanonline .com
bestfiresfull .com
yourstabilitysystem .com
mostpopularscan .com
vistastabilitynow .com
scanvistanow .net
vistastabilitynow .net

central-scan .com (212.117.165.126) Maureen Whelan Email: maureenwhelanjr@googlemail.com
royalsoftwareupdate .com
uptodate-protection .com
updatesoftwarecenter .com
webscannertools .com

protectprivacy18 .com (209.249.222.48) Arnes Skopec Email: arnessl2370@gmail.com
malwarescanner20 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com

malwaredefender2009 .com (67.43.237.75) Josef Branc Email: jsfsl2341@googlemail.com
systemguard2009 .com
systemguard2009m .com

angantivirus-2009 .com (70.38.73.26)
angantivirus2009 .com

check-ms-antivirus .com (78.26.179.131) Brett Quihuiz Email: BrettQuihuiz@gmail.com
ms-loads-av .com (78.26.179.137) Hou Stephen Email: StepDunnu@gmail.com
secure-data-group .com (209.8.45.147) Joseph Barnes Email: jhbarnes40@gmail.com

dlmaldef09 .com (67.43.237.78) Josef Branc Email: jsfsl2341@googlemail.com
dlsgd3 .com
getsgd3 .com
getsysgd09 .com
getmaldef09 .com
dlsg09 .com
getsg09 .com

Embassy of Portugal in India Serving Malware

March 25, 2009

Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India has been compromised (embportindia.co.in). Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Rusian Business Network's pre-shutdown netblocks and static locations.

The very same domain using the same web traffic redirection script, used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet .com/index.php?cocacola84 (94.247.3.151) where Multiple Adobe Reader and Acrobat buffer overflows are served :

zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf

The second iFramed domain ntkrnlpa .cn/rc/ (159.226.7.162) has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed with the iFrame back then (ntkrnlpa .info/rc/?i=1) pointing to the Russian Business Network's original netblock It gets even more interesting when you take into consideration the fact that ntkrnlpa.info was also sharing ifrastructure with zief.pl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Zief.pl is also service of choice for certain campaigns of the Virut malware family, irc.zief.pl in particular.

It gets even more malicious considering that on the same IP (ntkrnlpa .cn/rc/ 159.226.7.162) where one of the malware domains in the embassy's campaign is parked, we can easily spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year's IE7 massive zero day exploit serving campaign. Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it.

A reincarnation of a well known RBN domain, confirmed participation at related compromises of embassy web sites by the same group, sharing ifrastructure with domains from a massive IE7 ex-zero day attack and hosting Zeus crimeware command and control locations -underground multitasking at its best.

Related posts:
Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware
Continue reading →

Crimeware in the Middle - Limbo

March 19, 2009

While you were out - "Cybercrime-as-a-Service is finally taking off" and a $400 will get you in the hacking business. Such a mentality speaks for an outdated situational awareness.

Cybercrime as a service originally started in the form of "value-added" post-purchase services, the now ubiquitous lower detection rate management for a malware binary, and anti-abuse domain hosting for the command and control interface, several years ago. As far as the $400 required as an entry barrier into cybercrime no longer exists. In reality, pirated copies each and every web malware exploitation kit including the proprietary crimeware kits are becoming more widespread these days.

The cybercrime economy has not only matured into a sophisticated services-driven marketplace a long time ago, but also, nowadays we can clearly see how standardizing the exploitation approach is inevitably resulting in efficiencies -- think web malware exploitation kits with diverse exploits sets and massive SQL injection attacks. The underground economy is in fact so vibrant, that the existing monoculture on the crimeware front is already allowing cybercriminals to hijack the crimeware botnets of other cybercriminals unaware of the fact that they're running an oudated copy of their kit.

Followed by Zeus and Adrenalin, it's time to profile Limbo, an alternative crimeware kit that's been publicly available for purchase since 2007. Interestingly, none of these kits can compare to the current market share of Zeus, perhaps the most popular crimeware kit these days, a development largely driven by the community build around Zeus, and the major enhancements introduced within the kit on behalf of third-party developers.

Here's what Limbo is all about:

"It works on the principle of the add-in to Internet Explorer, not visible in the processes to make the logs being hidden from the firewall redirector, and other programs to monitor network activity. Supplied as a loader, which is removed after the launch, unpacks itself and make all necessary entries in the registry. When you first start IE it cleans Cookies, reads Protected Storage (Autosaved passwords in IE, Outlook passwords, etc.) Whenever a user visits the monitored sites, Limbo intercepts the parameters which are later on transmitted to the server once the user presses the browser key.

Commands:
- Update the binary
- Launch arbitrary exe file
- Update configurator (xml file available)
- Cleaning Cookies
- Remove Limbo
- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a system of keys
- Exclude all the keys for Bank of America, as well as other banks of keys (control questions asked again, and you can intercept the answers to them)
- Add to your hosts - to block a certain site (it seems as if it does not boot at all)
- Reboot Windows
- Destroy Windows

Main features:
- Grabs data from forms, including data around forms (all in a row or a pattern described in the configuration file)
- Logging of keystrokes in the browser, at the time when the user enters something in the edit form (it is sometimes useful - for example when the entered data is encrypted after submit form)
- Logging of virtual keyboards (universal technology was developed for the Turkish and Australian banks)
- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are in the archive, the archive is created from the user on the computer.
- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) - it is useful to force the user to enter answers to security questions
- Scam page redirection (the fake of same page with the substitution of the address bar of IE and the status bar on infected hosts)
- Harvesting of emails (including the address book user) - by request includes this possibility
- Set the filter for sites that do not need to intercept
- Simple injects-based system (paste your text input field on a particular site - for example, to ask for a pin Holder)
- Smart injects system - blocking form until user input is not injected into the data fields (checking for the count-woo characters of their type - the numbers or letters)
- TANs grabbing - vital for the German sites

Paid only features:
- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one bank
- Autocomplete of hijacked session (eg when a user makes a transfer, useful if the transfer requires the SMS confirmation. Strictly tied to a particular bank only.

PHP based admin includes:
- Mapping of users to the admin
- Directing teams selected users
- Delete commands and users
- Showing the status of the command
- Mapping and IP users
- Ability to delete tax
- Display the size of logs
- Search for logs
- Archiving of logs
- Filter by country
- Possibility of sending logs to email
- Statistics on infection
- View collected emails
- The giving of the notes selected users
- The last call
- Displaying a page by page (say 200 records per page)
- An opportunity to log everything in one file (optional)
- Sorting of logs according to different criteria
- Delete all logs
- Have the opportunity to log into mysql, as well as the ability to search for him there is (an order of magnitude faster search)

These commands are downloaded to the host after a certain period of time and performed in the admin panel you can see the status of commands for a specific user - download \ downloaded but not executed \ implemented."

With crimeware in the middle, no SSL/two-factor based authentication can ensure a non-transparent to the eyes of the cybercriminal transaction.

Related posts:
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Continue reading →

Ethiopian Embassy in Washington D.C Serving Malware

March 18, 2009

Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Washington D.C (ethiopianembassy.org) has been compromised and is currently iFrame-ed to point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a multitasking mode since the iFrame used to act as a redirector in several other malware campaigns.

Despite that the iFrame domain (1tvv .com/index.php) is already "taken care of", details on the original campaign can still be provided. Multiple dynamic redirectors with a hard coded malware serving domain are nothing new, thanks to sophisticated traffic management kits allowing this to happen. The mentality applied here is pretty simple and is basically mimicking fast-flux as a concept.

With or without one of the redirection domains, the campaign keeps running like the following: us18.ru/@/include/spl.php (91.203.4.112) as the hard coded malware serving domain within the mix, is currently serving Office Snapshot Viewer, MDAC, Adobe Collab overflow exploits etc. courtesy of web malware exploitation kit (Fiesta). Traffic management is done through trafficinc .ru and trafficmonsterinc .ru also parked at 91.203.4.112 with Win32.VirToolObfusca served at the end.

Related posts:
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Who's Behind the Estonian DDoS Attacks from 2007?

March 12, 2009

The rush to claim responsibility for 2007's DDoS attacks against Estonia Continue reading →

Azerbaijanian Embassies in Pakistan and Hungary Serving Malware

March 11, 2009

The very latest addition to the "Compromised International Embassies Series" are the Hungarian and Pakistani embassies of the Republic of Azerbaijan, which are currently iFramed with exploits-serving domains.

Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies? Depends, and while the USAID.gov attack was exclusively orchestrated for their section, the Pakistani and Hungarian ones are part of a more widespread campaign. Theoretically, this could be a noise generation tactic. Here's a brief assessment of the attacks.

Both embassies are embedded with identical domains, parked at the same IP and redirecting to the same client-side exploits serving URL operated by Russian cybercriminals. filmlifemusicsite .cn/in.cgi?cocacola95; promixgroup .cn/in.cgi?cocacola91; betstarwager .cn/in.cgi?cocacola86 and betstarwager .cn/in.cgi?cocacola80 all respond to (78.26.179.64; 66.232.116.3) and redirect to clickcouner .cn/?t=5 (193.138.173.251)

Parked domains at 78.26.179.64; 66.232.116.3 :
denverfilmdigitalmedia .cn
litetopfindworld .cn
nanotopfind .cn
filmlifemusicsite .cn
litetoplocatesite .cn
litedownloadseek .cn
yourliteseek .cn
diettopseek .cn
bestlotron .cn
promixgroup .cn
betstarwager .cn

What prompted this sudden attention to Azerbaijanian web sites? Azerbaijan's President visit to Iran in the same week when Russian Foreign Minister Sergei Lavrov is visiting Azerbaijan? And why is the phone back domain for the malware served at the USAID.gov site phoning back to a well known Russian Business Network domain (fileuploader .cn/check/check.php) which was again active in January, 2008 and used by one of my favorite malware groups to monitor during 2007/2008 - the "New Media Malware Gang" (Part Three; Part Two and Part One)?

Food for thought.

Related posts:
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Inside (Yet Another) Managed Spam Service

March 09, 2009

Several years ago, getting into the spam business used to involve the process of harvesting emails, figuring out ways to segment the database, localize the spam campaign by using a free translation service eventually ruining the social engineering effect, creating your very own botnet and coming up with creative ways to bypass anti-spam filters, ensuring the botnet remains operational, coming up with ways to obtain access to IPs with clean reputation, with little or no campaign effectiveness measurement at all..

These relatively higher market entry barriers are long gone. Today, every single step in the spamming process is managed and can be outsourced in a cost-effective manner to the point where the one-stop-shop spam vendors have vertically integrated and occupied every single market segment possible in order to increase the "lifetime value" of their potential customers.

When do you know that it's going to get uglier in the long term? It's that very special moment in time when the backend for such a managed spam system utilizing malware infected hosts and legitimate servers for achieving its objectives, goes mainstream and its authors remove the "proprietary, high-profit margin revenues earning business model" label from it.

And with this particular moment in time already a fact since the middle of 2008 (Spamming vendor launches managed spamming service), yet another new market entrant is pitching its managed spam service with the ambition to monetize his access to a particular botnet, and break-even from the investment made in the backend system.

With 9 different campaigns already finished (see the top screenshot) and another one currently in progress spamming out 3215 emails using 1672 infected hosts based on a harvested email database consisting of 306204 emails (notice the percentage of non-existent emails potentially spam-poison traps), his business model is up and running.

Further developments and new features within the service would remain under close monitoring in the future as well. In particular, the original vendor's updates which would ultimately affect all of his "value-added partners" improved managed spamming capabilities. Continue reading →

Russian Homosexual Sites Under (Commissioned) DDoS Attack

March 04, 2009

From Russia with homophobia?

A week long DDoS attack launched against Russia's most popular commercial homosexual sites has finally ended. The simultaneous attack managed to successfully shut down the web servers of most of the sites, which responded with filtering of all traffic that is not coming from Russia. Ironically, the attack was in fact coming from Russian, courtesy from a botnet operated by a DDoS for hire service.

Here's a list of the sites that were subject to the DDoS, with the majority of them returning "503 Service Temporarily Unavailable" error message during last week :
gogay.ru
1gay.ru
androgin.ru
boysclub.ru
egay.ru
gaylines.ru
gaymoney.ru
gayplanet.ru
gayrelax.ru
xabalka.ru

On the 25th of January, gogay.ru was among the few sites to issue a statement and confirm the attacks offering financial reward for information leading to the source :

"Yesterday (25 February), our site is subjected to serious hacker attacks (flood-attack capacity of 2 Mbit / sec). The attack reflected, but is still continuing at other gay sites 1gay.ru, egay.ru, xabalka.ru and so on. If you have any information (we are willing to pay for инфу of tailor-made) on the causes of the attack, if you - the webmaster and your own gay website exposed attacks (if the last few days your site has been slow to load and create a greater burden - it is very likely that the same attack, only disguised), sabotage, blackmail or extortion by unidentified persons - always contact us."

Since the sites are commercial providers of homosexual multimedia content and are thereby bandwidth-consuming, the attacks were aiming to disrupt their business operations, and they managed to do so. Russia's government is well known to have a rather violent take on homosexuality in general, and with overall availability of outsourced DDoS attack services offering anonymity and destructive bandwidth, the efforts to request such an attack remain minimal. Continue reading →

Summarizing Zero Day's Posts for February

March 04, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can also go through previous summaries for January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

01. Commercial Twitter spamming tool hits the market
02. Fake Antivirus XP pops-up at Cleveland.com
03. Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts
04. Massive comment spam attack on Digg.com leads to malware
05. Crimeware tracking service hit by a DDoS attack
06. Targeted malware attacks exploiting IE7 flaw detected
07. New Symbian-based mobile worm circulating in the wild
08. Rogue security software spoofs ZDNet Reviews
09. Adobe Reader 9 and Acrobat 9 zero day exploited in the wild
10. Chinese hackers deface the Russian Consulate in Shanghai
11. eBay solutions provider Auctiva.com infected with malware
12. Malware campaign at YouTube uses social engineering tricks
13. Research: 76% of phishing sites hosted on compromised web servers Continue reading →

Inside a DIY Image Spam Generating Traffic Management Kit

February 26, 2009

Whatever the spammer/pharma master or plain simple cybercriminal requires - the spamware vendors deliver so that a win-win-win scenario takes place for the buyer, the seller, and the enabler, in this case the affiliate network allowing image-based spam compared to Web 1.0's link based performance measurement.

That's the main objective of one of the very latest traffic management kit is once again quality assurance in the process of managing image-spam based campaigns.

Here's a translated description of the traffic management kit:
"As you know, now many pay per click networks offer within their ad scripts the so called graphic feeds.Any site allowing the use of the IMG tag can serve them, that includes popular free web based services. The problem so far has been the lack of quality measurement and optimization of this approach.

This imposes severe restrictions on the ability to convert traffic to the resource, the automatic redirection of which is impossible. Our system allows you to allows you to create your own ads and send traffic to them to where you think they fit.

How it works: you create a campaign with your own keywords, generate a random image, customize it, generate a link to the ad and paste it into the hosting site, or include it in your email campaigns. By doing this you're able to add more interactivity in your campaigns and improve your click through rates.

Here's a summary of the features we offer you:

- Create messages with random text and random design. Change ad size and font color, underline, and the selection, styles, font and alignment, frames - everything is set up. You can use any font that you want to - it's completely up to you
- Manage design ads through profiles within the system, save your creativity
- Use of any image as the ads. This may be a screenshot of your pharmacy, banner, and even anything

- Combine different types of simple ads on the same page
- Create messages with any embedded images. For example (click on picture to see actual ad size)
- Use alternative keywords in the references (some of the resources do not allow to post links containing the names of pills and other banned words)
- Filter incoming traffic to the countries of the User-Agent, IP or range of IP"

It's important to emphasize on the fact that this is a DIY image-spam generating kit, in comparison, the much more efficient and again random image-spam generating service is offered by the sophisticated and experienced managed spam service providers who still prefer working with reputable and well known individuals, instead of going mainstream.

Related posts:
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service
Segmenting and Localizing Spam Campaigns Continue reading →

Help! Someone Hijacked my 100k+ Zeus Botnet!

February 26, 2009

I've been looking for a similar chatter for a while now, given the existence of a remotely exploitable vulnerability in an old Zeus crimeware release allowing a cybercriminal to inject a new user within the admin panel of another cybecriminal.

It appears that this guy has had his 100k+ Zeus botnet hijacked several months ago, and now that he's managed to at least partly recover the number of infected hosts in two separate botnets, is requesting advice on how to properly secure his administration panel.

Here's an exact translation of his concerns :
"Dear colleagues, I'd like to hear all sorts of ideas regarding to security of Zeus. I've been using Zeus for over an year now, and while I managed to create a botnet of 100k infected hosts someone hijacked it from me by adding a new user and changing my default layout to orange just to tip once he did it. Once I fixed my directory permissions. I now have two botnets, the first one is 30k and the second (thanks to a partnership with a friend) is now 3k located at different hosting providers.

Sadly, yesterday I once again found out that my admin panel seems to have been compromised since all the files were changed to different name, and access to the admin panel blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping Apache logs in order to find IPs that have been used for logging purposes and blocked them all. Therefore I think the new user has been added by exploiting a flaw in Zeus. In my opinion a request was made to the database, either through an sql injection in s.php a file or a request from within a user with higher privileges.

Since I've aplied patches to known bugs, this could also be a compromise of my hosting provider. So here are some clever tips which I offer based on my experience with securing Zeus.

- Change the default set of commands, make them unique to your needs only.
- If it is possible to prohibit the reading and dump tables with logs all IP, to allow only certain (so that the crackers were not able to make a dump and did not read the logs in the database).
- If it is possible to prohibit editing of tables with all the commands of Zeus IP, to allow only certain (that could not be "hijacked", insert the command bots)"

Surreal? Not at all, given the existing monoculture on the crimeware market. Morever, yet another vulnerability was found in the Firepack web malware exploitation kit earlier this month (Firepack remote command execution exploit that leverages admin/ref.php). This exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which was also localized to Chinese several months later:

The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese

Ironically, cybercriminals too, seem to be using outdated versions of their crimeware.

Related posts:
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus Continue reading →

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

February 24, 2009

With VPN-enabled malware infected hosts easily acting as stepping stones thanks to modules within popular malware bots, next to commercial VPN-based services, the cost of anonymizing a cybecriminal's Internet activities is not only getting lower, but the process is ironically managed in data retention heavens such as the Netherlands, Luxembourg, USA and Germany in this particular case, by using the services of the following ISPs: LeaseWeb AS Amsterdam, Netherlands; ROOT-AS root eSolutions; HOPONE-DCA HopOne Internet Corp.; NETDIRECT AS NETDIRECT Frankfurt, DE.

Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers in order to run its VPN/Double/Triple VPN channels service which it exclusively markets in a "it's where you advertise your services, and how you position yourself that speak for your intentions" fashion.

Description of the service:

"- We will never sought to make the service cheaper than saving the safety of customers.

- Our servers are located in one of the most stable and high-speed date points (total channel gigabita 1.2)
- Only we have the full support service to the date of the center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions, our software is based on the modified code.
- Only here you get a stable and reliable service.

Characteristics of Sites:
- Channel 100MB, total channels gigabita 1.2.
- MPPE encryption algorithm is 128 bit
- Complete lack of logs and monitoring - a guarantee of your safety.
- Completely unlimited traffic.
- Support for all protocols of the Internet."

On the basis of chaining several different VPN channels located in different countries all managed by the same service, combined with a Socks-to-VPN functionality where the Socks host is a malware compromised one, all of which maintain no logs at all, is directly undermining the usefulness of already implemented data retention laws. Moreover, even a not so technically sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all, would result in the perfect anonymization service where the degree of anonymization would be proportional with the speed of the connection. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly.

In respect to the "no logs and monitoring for the sake of our customers security" claims, such services are based on trust, namely the customers are aware of the cybercriminals running them "in between" the rest of the services they offer, which and since they're all "on the same page" an encrypted connection is more easily established. However, an interesting perspective is worth pointing out - are the owners of the cybecrime-friendly VPN service forwarding the responsibility to their customers, or are in fact the customers forwarding the responsibility for their activities to the owners which are directly violating data retention laws and on purposely getting rid of forensic evidence?

Things are getting more complicated in the "cybercrime cloud" these days. Continue reading →

Fake Celebrity Video Sites Serving Malware - Part Three

February 23, 2009

In the overwhelming sea of template-ization of malware serving sites, (naked )celebrities would always remain the default choice offered in the majority of bogus content generating tools taking advantage of the high-page rank of legitimate Web 2.0 services.

Following the 2008's Fake Celebrity Video Sites Serving Malware series (Part Two) the very latest addition to the series demonstrates the automatic abuse of legitimate infrastructure - in this case Blogspot for the purpose of traffic acquisition.

The following are currently active and part of the same campaign:
lisa-bonet-angel-heart.blogspot.com
milla-jovovich-gallery.blogspot.com
pamela-anderson-hot-sex-tape.blogspot.com
rihanna-nude-gallery.blogspot.com
kate-hudson-nude-gallery.blogspot.com
milla-jovovich-gallery.blogspot.com
teacher-slept-with-boy.blogspot.com
meg-white-new-sex-tape.blogspot.com
anna-faris-hot-video.blogspot.com
so-hard-movies.blogspot.com

vanessa-hot.blogspot.com
paris-hilton-sexass.blogspot.com
sex-tape-lindsay-lohan.blogspot.com
chloesevigny-privategallery.blogspot.com
kate-winslet-nude-gallery.blogspot.com
keeley-hazell-sex-hot-video .blogspot.com
miley-cyrus-sex-tape .blogspot.com
britney-spears-hottest-video .blogspot.com
miley-cyrus-naked-video .blogspot.com
alyssa-milano-naked-video .blogspot.com
kardashian-hot-video .blogspot.com
naked-jennifer-lopez .blogspot.com
vanessa-hudgens-hot-video .blogspot.com
hottest-lindsay-lohan-video .blogspot.com
cameron-diaz-porn .blogspot.com
underworld-rise-lycans .blogspot.com

Compared to the single-post only Blogspots, the following domains top100videoz.com; cinemacafe.tv; xvids-top.com have a lot more bogus content to offer. Continue reading →

Pharmaceutical Spammers Targeting LinkedIn

February 18, 2009

Following January's malware campaign relying on bogus LinkedIn profiles, this time it's pharmaceutical spammers' turn to target the business-oriented social networking site.

From a spammers/blackhat SEO-er's perspective, this is done for the purpose of increasing the page rank of their pharmaceutical domains based on the number of links coming from LinkedIn. The campaigns are monetized through the usual affiliate based pharmaceutical networks.

The following is a complete list of the currently active bogus domains, all part of identical campaigns:
linkedin .com/in/buyviagra45
linkedin .com/in/phenterminetrueway
linkedin .com/in/OnlineBuyProzac
linkedin .com/in/CheapBuyGabapentin
linkedin .com/in/BuyCheapTramadol
linkedin .com/in/cheaptramadol
linkedin .com/in/buybactrimonline
linkedin .com/in/OnlineBuyAugmentin
linkedin .com/in/OnlineBuyMetformin
linkedin .com/in/OnlineBuyBiaxin
linkedin .com/in/CheapBuyNorvasc
linkedin .com/in/OrderBuyCelebrex
linkedin .com/in/OnlineBuyLipitor
linkedin .com/in/BuyCheapOxycontin
linkedin .com/in/OnlineBuyHydrocodone
linkedin .com/in/OrderBuyPercocet
linkedin .com/in/OnlineBuyFioricet
linkedin .com/in/OrderBuyKlonopin
linkedin .com/in/OnlineBuyDiazepam
linkedin .com/in/OnlineBuyXanax
linkedin .com/in/CheapBuyOxycodone
linkedin .com/in/OnlineBuyClonazepam
linkedin .com/in/OnlineBuyEffexor
linkedin .com/in/OnlineBuyAmbien
linkedin .com/in/OnlineBuyAtivan
linkedin .com/in/OnlineBuyVicodin
linkedin .com/in/OnlineBuyNexium
linkedin .com/in/OrderBuyCipro
linkedin .com/in/OnlineBuyLorazepam
linkedin .com/in/propecia
linkedin .com/in/OnlineBuyAllegra
linkedin .com/in/CheapBuyMeridia
linkedin .com/in/OnlineBuyZithromax
linkedin .com/in/OnlineBuyCelexa
linkedin .com/in/clomid
linkedin .com/in/clonazepam
linkedin .com/in/BuyCheapNeurontin
linkedin .com/in/cheapfioricet
linkedin .com/in/OnlineBuyClomid
linkedin .com/in/OnlineBuyIbuprofen
linkedin .com/in/OnlineBuyZoloft
linkedin .com/in/OnlineBuyToprol
linkedin .com/in/OnlineBuyAleve
linkedin .com/in/OnlineBuyAleve
linkedin .com/in/OnlineBuyVioxx
linkedin .com/in/OnlineBuyWellbutrin
linkedin .com/in/OnlineBuyAmoxicillin
linkedin .com/in/OnlineBuySuboxone
linkedin .com/in/OnlineBuyOxycodone
linkedin .com/in/OnlineBuyLisinopril
linkedin .com/in/OrderBuyPrevacid
linkedin .com/in/OnlineBuyLevaquin
linkedin .com/in/OnlineBuyUltram
linkedin .com/in/OnlineBuyAlprazolam
linkedin .com/in/OnlineBuyLamictal
linkedin .com/in/OnlineBuyNaproxen
linkedin .com/in/OnlineBuyZyprexa
linkedin .com/in/OnlineBuyCoumadin
linkedin .com/in/OnlineBuyValium
linkedin .com/in/OnlineBuyLithium
linkedin .com/in/OnlineBuySynthroid
linkedin .com/in/OnlineBuyHerceptin
linkedin .com/in/OnlineBuyAvandia

linkedin .com/in/OnlineBuyTramadol
linkedin .com/in/OnlineBuyCymbalta
linkedin .com/in/OnlineBuyDoxycycline
linkedin .com/in/OnlineBuyProtonix
linkedin .com/in/OnlineBuyTestosterone
linkedin .com/in/OnlineBuyTopamax
linkedin .com/in/OnlineBuyBenadryl
linkedin .com/in/OnlineBuyBactrim
linkedin .com/in/OnlineBuyMethadone
linkedin .com/in/OnlineBuyAtenolol
linkedin .com/in/OnlineBuyConcerta
linkedin .com/in/OnlineBuyCrestor
linkedin .com/in/OnlineBuyTrazodone
linkedin .com/in/OnlineBuyVytorin
linkedin .com/in/OnlineBuyMelatonin
linkedin .com/in/OnlineBuyCephalexin
linkedin .com/in/OnlineBuyThyroid
linkedin .com/in/OnlineBuyChantix
linkedin .com/in/OnlineBuyInsulin
linkedin .com/in/OnlineBuyGenace
linkedin .com/in/OnlineBuyByetta
linkedin .com/in/OnlineBuyPropecia
linkedin .com/in/OnlineBuyPlavix
linkedin .com/in/OnlineBuyYaz
linkedin .com/in/OnlineBuyYasmin
linkedin .com/in/OnlineBuyPotassium
linkedin .com/in/OnlineBuyValtrex
linkedin .com/in/OnlineBuyVoltaren
linkedin .com/in/OnlineBuyPenicillin
linkedin .com/in/OnlineBuyZyrtec
linkedin .com/in/OnlineBuyMagnesium
linkedin .com/in/OnlineBuyPrednisone
linkedin .com/in/OnlineBuySeroquel
linkedin .com/in/OnlineBuySoma
linkedin .com/in/OnlineBuyGabapentin
linkedin .com/in/OnlineBuyAspirin
linkedin .com/in/OnlineBuyPseudovent
linkedin .com/in/OnlineBuyLortab
linkedin .com/in/OnlineBuyPaxil
linkedin .com/in/OnlineBuyAlli
linkedin .com/in/BuyCheapXenical
linkedin .com/in/CheapBuyUltracet
linkedin .com/in/buyhydrocodone
linkedin .com/in/OrderBuyAlli
linkedin .com/in/buypaxilonline
linkedin .com/in/OnlineBuyMobic
linkedin .com/in/OnlineBuyNaprosyn
linkedin .com/in/OnlineBuyCipro
linkedin .com/in/OnlineBuyMorphine
linkedin .com/in/vimax
linkedin .com/in/OnlineBuyAccutane
linkedin .com/in/vigrx
linkedin .com/in/OnlineBuyNorvasc
linkedin .com/in/OnlineBuyOxycontin
linkedin .com/in/OnlineBuyProvigil
linkedin .com/in/OnlineBuyPercocet
linkedin .com/in/OnlineBuyCelebrex
linkedin .com/in/OnlineBuyAdipex
linkedin .com/in/OnlineBuyRitalin
linkedin .com/pub/dir/purchase/viagra
linkedin .com/pub/dir/cialis/online
linkedin .com/pub/dir/methocarbamol/online
linkedin .com/pub/dir/acyclovir/online
linkedin .com/pub/dir/klonopin/online
linkedin .com/pub/dir/zyprexa/online
linkedin .com/pub/dir/amitriptyline/online
linkedin .com/pub/dir/buymodalertonline/buymodalertonline
linkedin .com/pub/dir/zocor/online
linkedin .com/pub/dir/levitra/online
linkedin .com/pub/dir/citalopram/online
linkedin .com/pub/dir/arimidex/online
linkedin .com/pub/dir/niacin/online
linkedin .com/pub/dir/phentermine/online
linkedin .com/pub/dir/provigil/online
linkedin .com/pub/dir/ritalin/online

Pharmaceutical domains used in the campaigns:
buy-pharmacy .info
viagra-pills .info
nenene .og
rxoffers .net
allrxs .org
onlinepharmacy4u .org
cheap-tramadol .us
buy-tramadol.blogdrive .com
buymodalert .com
rx-prime .com
suche-project .eu

Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. But in 2009, if you're not at least requiring a valid email address, a confirmation of the registration combined with a CAPTCHA to at least slow down the bogus account registration process and ruin their efficiency model - systematic abuse of the service is inevitable (Commercial Twitter spamming tool hits the market).

LinkedIn's abuse team has already been notified of these accounts. Continue reading →

Community-driven Revenue Sharing Scheme for CAPTCHA Breaking

February 17, 2009

What follows when a system that was originally created to be recognizable by humans only, gets undermined by low-waged humans or grassroots movements? Irony, with no chance of reincarnation. CAPTCHA is dead, humans killed it, not bots.

A new market entrant into the CAPTCHA-breaking economy, is proposing a novel approach that is not only going to result in a more efficient human-based CAPTCHA solving on a large scale, but is also going to generate additional revenues for webmasters and their site's community members. The concept is fairly simple, since it's mimicking reCAPTCHA's core idea.

However, instead of digitizing books, the CAPTCHA entry field that any webmaster of an underground community, or a general site in particular that would like to syndicate CAPTCHAs from Web 2.0 web properties is free to do so on a revenue-sharing, or plain simple voluntary basis.

Consider for a moment the implications if such a project of they manage to execute it successfully. Starting from community-driven CAPTCHA breaking of Web 2.0 sites on basic forum registration fields using MySpace.com's CAPTCHA for authenticating new/old users, the plain simple automatic rotation for idle community users, to the enforcement of CAPTCHA authentication for each and every new forum post/reply.

What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for the purpose of spam and malware spreading, or reselling purposes. The development of this service -- if any -- will be monitored and updates posted if it goes mainstream.

Related posts:
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today? Continue reading →

Quality Assurance in a Managed Spamming Service

February 11, 2009

Following previous coverage of the managed spam services offered by the Set-X mail system and a copycat variant of it, a newly introduced managed spam service is emphasizing on quality assurance through the use of a Google Search Appliance for storing of the harvested email databases and the spam templates.

Here's an automatic translation of some of the key features offered by the system, currently having a price tag of $1,200 per month:

"A summary of the main possibilities of the system
- Innovative technology deliver a unique e-mail system designed specifically for ******** to maximize serve up e-mails with a low rate of rejection-Kernel Multi-organization system provides extremely high speed while the low-platform-Provide complete sender's anonymity at the maximum system performance in terms multi-technology operating system bypass content filters using the built-in special tags:

+ Configurable generation of random strings

+ Change the case of letters randomly in a block
+ random permutation of symbols in the block
+ Inserting a random character in an arbitrary place in the block
+ Replacing the same style of letters Latin alphabet for the Russian block
+ Duplicating a random character in the block
+ Paste into the body of a random letter strings from a file
+ Managed morfirovanie image files in the format GIF-Correct emulation header sent letters Simultaneous connection of several bases e-mail addresses of those letter-substitution is performed from file-substitution e-mail addresses for the fields From and Reply-To is performed from a file-format of outgoing messages TEXT and HTML
+Ability to send emails from attachments
+Correct work with images in HTML messages possible as a direct method and with copies of CC , BCC-record-keeping system, results of the system is stored in files good, bad and unlucky for each connection of e-mail addresses, respectively
+The system is convenient and intuitive graphical user interface

System management
The system is operated under the interface to "Control Panel". The first is of them is multifunctional and serves to start the process of sending (the state of the "Run"), pause (the state of "pause") and confirm the end of the (state "Report") . The second button ( "Stop") serves to interrupt the process otpravki. Data section also contains the following information fields:
- executes an action in this field is carried out to date, the system-progress indicator graphic indication of progress the task, Completed Display task progress percentage
- Successful delivery of letters to the number of addresses that had been carried out successfully, failure of the number of addresses that failed to deliver a letter-number bad non-existent addresses, duration of the actual time of the task-status displays the status of the kernel system kernel kernel memory Displays memory core systems"

The ongoing arms race between the security industry and cybercriminals, is inevitably driving innovation at both sides of the front. However, based on the scalability of these managed spam services, it's only a matter of time for the vendors to embrace simple penetration pricing strategies that would allow even the most price-conscious cybercriminals, or novice cybercriminals in general to take advantage of this standardized spamming approach. The disturbing part is that the innovation introduced on behalf of the spam vendors in terms of bypassing spam filters, seems to be introduced not on the basis of lower delivery rates, but due to the internal competition in the cybercrime ecosystem.

For instance, new market entrants in the face of botnet masters attempting to monetize their botnets by offering the usual portfolio of cybercrime services, often undercut the offerings of the sophisticated managed spam vendors. And so the vendors innovate with capabilities that the new market entrants cannot match, in order to not only preserve their current customers, but also, acquire new ones. Managed spam services as a business model is entirely driven by long term "bulk orders", compared to earning revenues on a volume basis by empowering low profile spammers with sophisticated delivery mechanisms.

In the long term, just like every other segment within the cybercrime ecosystem, vertical integration and consolidation will continue taking place, and thankfully we'll have a situation where the spam vendors would be sacrificing OPSEC (operational security) on their way to scale their business model and acquire more customers. Continue reading →