Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Summarizing Webroot's Threat Blog Posts for May

June 06, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for May, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. London’s InfoSec 2012 Event – recap
02. Managed SMS spamming services going mainstream
03. A peek inside a boutique cybercrime-friendly E-shop
04. Cybercriminals release ‘Sweet Orange’ – new web malware exploitation kit
05. Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware
06. Poison Ivy trojan spreading across Skype
07. A peek inside a managed spam service
08. Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware
09. Spamvertised bogus online casino themed emails serving adware
10. Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to pharmaceutical scams
11. A peek inside a boutique cybercrime-friendly E-shop – part two
12. Spamvertised CareerBuilder themed emails serving client-side exploits and malware
13. Pop-ups at popular torrent trackers serving W32/Casonline adware
14.‘Windstream bill’ themed emails serving client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Summarizing ZDNet's Zero Day Posts for May

June 06, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for May, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Is Mozilla's Firefox 'click-to-play' feature a sound response to drive-by malware attacks?
02. Rogue Firefox extension hijacks browser sessions
03. Spamvertised 'PayPal payment notifications' lead to client-side exploits and malware
04. Israeli Institute for National Security Studies compromised, serving Poison Ivy DIY malware
05. Researchers spot new Web malware exploitation kit
06. 2012 Olympics themed malware circulating in the wild
07. New ransomware impersonates the U.S Department of Justice
08. Localized ransomware variants circulating in the wild
09. Cybercriminals offer bogus fraud insurance services
10. Researchers spot fake mobile antivirus scanners on Google Play
11. The cyber security implications of Iran's government-backed antivirus software
12. Q&A of the week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr
13. Researchers intercept Tatanga malware bypassing SMS based transaction authorization
14. New SpyEye plugin takes control of crimeware victims' webcam and microphone
15. Comcast phishing site contains valid TRUSTe seal
16. Q&A of the Week: 'The current state of the cybercrime ecosystem' featuring Mikko Hypponen

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

May 08, 2012

The Lizamoon mass SQL injection attacks gang is continuing to efficiently inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving fake security software -- also known as scareware -- and client-side exploits.

The latest round of the campaign is serving client-side exploits through multiple redirections taking place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they take into consideration basic QA (quality assurance) tactics into place? Let's find out.

Currrently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:
skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com
njukol.com/r.php - Email: jamesnorthone@hotmailbox.com
hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com
nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com
hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com
uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com
uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com
werlontally.net/r.php - Email: jamesnorthone@hotmailbox.com

March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”).

The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL)

Parked at 75.102.21.120 are also the following domains:
www3.personal-scanera.com - Email: benji.rubes@yahoo.com
www3.personalvoguard.com - Email: benji.rubes@yahoo.com
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com
www3.topcumaster.com - Email: benji.rubes@yahoo.com
www3.safe-defensefu.com - Email: benji.rubes@yahoo.com

and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream)

Parked on 217.23.8.123 are also the following client-side exploits serving domains part of the Lizamoon mass SQL injection attacks:
www1.thebestscannerdc.it.cx/i.html
www1.safebh-defense.it.cx/i.html
www1.strongdkdefense.it.cx/i.html
www2.best-czsuite.it.cx/i.html
www1.smartmasterf.it.cx/i.html
www1.simplescanerei.it.cx/i.html
www1.bestic-network.it.cx/i.html
www1.topqonetwork.it.cx/i.html
www2.topasnetwork.it.cx/i.html
www1.powerynetwork.it.cx/i.html
www1.simplemasterzk.it.cx/i.html
www1.powerneholder.it.cx/i.html
www1.personalkochecker.it.cx/i.html
www1.smarthdschecker.it.cx/i.html
www1.safebacleaner.it.cx/i.html
www1.strongzkcleaner.it.cx/i.html
www1.topumcleaner.it.cx/i.html
www1.topgdscanner.it.cx/i.html
www1.smartwoscanner.it.cx/i.html
www1.safe-wnmaster.it.cx/i.html
www1.powervmaster.it.cx/i.html
www1.top-armyvs.it.cx/i.html
www2.saveocsoft.it.cx/i.html
www1.top-zjsoft.it.cx/i.html
www1.powerdefensekt.it.cx/i.html
www1.best-scanersw.it.cx/i.html
www1.powermb-security.it.cx/i.html
www1.strongxd-security.it.cx/i.html
www1.strongbtsecurity.it.cx/i.html

Client side exploits, CVE-2010-0188 and CVE-2012-0507 in particular are served through the i.html file located on these hosts. In order for the client-side exploitation process to take place, the redirection chain must be correct, if not the server will return a "404 Error Message" when requesting a specific file part of the campaign. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no matter what happens.

Updates will be posted, as soon as new developments emerge.

Related posts:

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

May 08, 2012

Summarizing Webroot's Threat Blog Posts for April

May 08, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Adobe patches critical security flaws, introduces auto-updating mechanism
02. Email hacking for hire going mainstream – part two
03. Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware
04. New underground service offers access to hundreds of hacked PCs
05. Google’s Chrome patches 12 ‘high risk’ security vulnerabilities
06. Adobe plans to issue Acrobat Reader ‘security update’ next week
07. Microsoft issues 6 security bulletins on ‘Patch Tuesday’
08. Adobe patches critical Reader and Acrobat security vulnerabilities
09. Hewlett-Packard shipping malware-infected compact flash cards
10. New DIY email harvester released in the wild
11. Upcoming Webroot briefing at InfoSec, 2012, London – “Current and Emerging Trends Within the Cybercrime Ecosystem”

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Summarizing ZDNet's Zero Day Posts for April

May 08, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for April, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Researcher: 50 percent of Mac OS X users still running outdated Java versions
02. Malicious version of Angry Birds Space spotted in the wild
03. French gaming site serving ZeuS crimeware for over 8 weeks
04. New ransomware variants spotted in the wild
05. Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for March

April 09, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. New service converts malware-infected hosts into anonymization proxies
02. Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails
03. A peek inside the Darkness (Optima) DDoS Bot
04. Research: proper screening could have prevented 67% of abusive domain registrations
05. Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware
06. Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams
07. Research: U.S accounts for 72% of fraudulent pharmaceutical orders
08. Millions of harvested U.S government and U.S military email addresses offered for sale
09. Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware
10. Malicious USPS-themed emails circulating in the wild
11. Spamvertised LinkedIn notifications serving client-side exploits and malware
12. Tens of thousands of web sites affected in ongoing mass SQL injection attack
13. Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware
14. Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Posts for March

April 09, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. New Mac OS X malware variant spotted in the wild
02. Researchers intercept targeted malware attack against Tibetan organizations
03. Skype vouchers themed site serving client-side exploits and malware
04. Stratfor subscribers targeted by passwords-stealing malicious emails
05. Spoofed LinkedIn emails serving client-side exploits
06. Fake YouTube sites target Syrian activists with malware
07. New Mac OS X malware variant spotted in the wild
08. Spamvertised 'DHL Tracking Notification' emails serve malware
09. Compromised WordPress sites serving client-side exploits and malware
10. 'Pixmania.com payment order detail' themed emails serving SpyEye crimeware
11. Fake 'Roar of the Pharaoh' Android game spreads premium-rate SMS trojan
12. Research: Many mobile password managers offer false feeling of security
13. Targeted Pro-Tibetan malware attacks hit Mac OS X users
14. Opera for Mac OS X patches 6 security holes
15. Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure
16. Facebook phishing attack targets Syrian activists

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for February

March 07, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Research: Google’s reCAPTCHA under fire
02. Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams
03. A peek inside the Smoke Malware Loader
04. Researchers spot Citadel, a ZeuS crimeware variant
05. Researchers intercept two client-side exploits serving malware campaigns
06. Pharmaceutical scammers launch their own Web contest
07. The United Nations hacked, Team Poison claims responsibility
08. Report: Internet Explorer 9 leads in socially-engineered malware protection
09. Twitter adds HTTPS support by default
10. Spamvertised “Hallmark ecard” campaign leads to malware
11. Report: 3,325% increase in malware targeting the Android OS
12. Why relying on antivirus signatures is simply not enough anymore
13. Researchers intercept malvertising campaign using Yahoo’s ad network
14. A peek inside the Ann Malware Loader
15. Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits
16. How cybercriminals monetize malware-infected hosts
17. A peek inside the Elite Malware Loader
18. BlackHole exploit kits gets updated with new features

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Posts for February

March 07, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Spamvertised 'Tax information needed urgently' emails lead to malware
02. Researchers spot a fake version of Temple Run on Android's Market
03. Which are the most commonly observed Web exploits in the wild?
04. Cryptome.org hacked, serving client-side exploits
05. Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
06. Anonymous launches 'Operation Global Blackout', aims to DDoS the Root Internet servers
07. Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem
08.Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments
09. New Mac OS X trojan spotted in the wild
10. Spamvertised 'Scan from a HP OfficeJet' emails lead to exploits and malware
11. XSS Flaw discovered in Skype's Shop, user accounts targeted

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for January

February 02, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Millions of harvested emails offered for sale
02. Email hacking for hire going mainstream
03. Mass SQL injection attack affects over 200,000 URLs
04. A peek inside the PickPocket Botnet
05. A peek inside the Cythosia v2 DDoS Bot
06. Google announces new anti-malware features in Chrome
07. Adobe issues a patch for critical security holes in Reader and Acrobat
08. Inside a clickjacking/likejacking scam distribution platform for Facebook
09. Zappos.com hacked, 24 million users affected
10. Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads
11. How malware authors evade antivirus detection
12. A peek inside the Umbra malware loader
13. How phishers launch phishing attacks
14. Researchers intercept a client-side exploits serving malware campaign
15. A peek inside the uBot malware bot
16. Cisco releases ‘Cisco Global Threat Report’ for 4Q11
17. Cybercriminals generate malicious Java applets using DIY tools

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Posts for January

February 01, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. 'Most beautiful' scams proliferate on Facebook
02. Android users hit by scareware scam
03. 'Remove Facebook Timeline' themed scam circulating on Facebook
04. Fake Kim Jong-il video distributing malware
05. Researchers spot pharmaceutical spam campaign using QR Codes
06. Report: Conficker and AutoRun infections proliferating
07. Researchers spot scammers using fake browser plug-ins
08. New variants of premium rate SMS trojan 'RuFraud' detected in the wild
09. Research: Spammers actively harvesting emails from Twitter in real-time
10. DreamHost hacked, mass password-reset issued

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Who's Behind the Koobface Botnet? - An OSINT Analysis

January 09, 2012

It's full disclosure time.

In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure -- now offline or migrated to a different place -- of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from a previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated to "Gave up on Linux". UPDATED: Multiple readers have to contacted me to point out that zaebalinax is actually translated to "f*ck you all" or "you all are p*ssing me off".

The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:

The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW:

Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: krotreal@gmail.com:

License plane for Anton's newest BMW:

Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of this online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Vkontakte.ru Account: KrotReal; tonystarx
Foursquare Account: KrotReal

Photos of Koobface botnet's master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):