'Anonymous' Group's DDoS Operation Titstorm

With last months 'Anonymous' Group's DDoS Operation Titstorm campaign a clear success based on the real-time monitoring of the crowdsourcing-driven attack, it's time to take a brief retrospective on the tools and tactics used, and relate

•  Go through an analysis of 2009's failed Operation Didgeridie DDoS campaign

Why is Operation Titstorm an important one to profile? Not only because it worked compared to Operation Didgeridie, but also, due to the fact that crowdsourcing driven (malicious culture of participation) DDoS attacks have proven themselves throughout the past several years, as an alternative to DDoS for hire attacks.


- DIY ICMP flooders
- Web based multiple iFrame loaders to consume server CPU
- Web based email bombing tools+predefined lists of emails belonging to government officials/employees




Go through related posts on crowdsourcing DDoS attacks/malicious culture of participation:
Coordinated Russia vs Georgia cyber attack in progress
Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites
People's Information Warfare Concept
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Electronic Jihad's Targets List
The DDoS Attack Against CNN.com
Chinese Hacktivists Waging People's Information Warfare Against CNN
The Russia vs Georgia Cyber Attack
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
Iranian Opposition DDoS-es pro-Ahmadinejad Sites

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

A currently ongoing Facebook spreading malware-serving campaign, entices users into downloading and executing a malicious executable, pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality though, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows starup, and will attempt to infect all of the victim's friends across Facebook.

The executable, including several other related executables part of the campaign, are currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain's portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

 

Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:
MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6

Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the followind URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

A currently ongoing Facebook spreading malware-serving campaign, entices users into downloading and executing a malicious executable, pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality though, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows starup, and will attempt to infect all of the victim's friends across Facebook.

The executable, including several other related executables part of the campaign, are currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain's portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

 

Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:
MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6

Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the followind URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified.

Updates will be posted as soon as new developments take place. Continue reading →

Summarizing Webroot's Threat Blog Posts for May

The following is a brief summary of all of my posts at Webroot's Threat Blog for May, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. FedWire ‘Your Wire Transfer’ themed emails lead to malware
02. A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool
03. New IRC/HTTP based DDoS bot wipes out competing malware
04. New version of DIY Google Dorks based mass website hacking tool spotted in the wild
05. Citibank ‘Merchant Billing Statement’ themed emails lead to malware
06. Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware
07. Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware
08. Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin
09. Newly launched E-shop for hacked PCs charges based on malware ‘executions’
10. New subscription-based ‘stealth Bitcoin miner’ spotted in the wild
11. Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement
12. Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages
13. Commercial ‘form grabbing’ rootkit spotted in the wild
14. DIY malware cryptor as a Web service spotted in the wild – part two
15. CVs and sensitive info soliciting email campaign impersonates NATO
16. New commercially available DIY invisible Bitcoin miner spotted in the wild
17. Fake ‘Export License/Payment Invoice’ themed emails lead to malware
18. Compromised Indian government Web site leads to Black Hole Exploit Kit
19. Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware
20. Marijuana-themed DDoS for hire service spotted in the wild
21. Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

 
Fake IDs/fake passports have always been a hot commodity within the cybercrime ecosystem.

Thanks to their general availability and affordable prices -- naturally based on the quality that a potential cybercriminal/fraudster is seeking -- the vendors behind them continue undermining the trust chain that society/market thrives on, by empowering cybercriminals and fugitives with new IDs to be later on used in related fraudulent activities.

In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low profile cybercriminals have been literally generating fake (Russian) passports for years, primarily relying on DIY passport/stamp generating tools.

Sample screenshots of the inventory of available fake passports for multiple countries:

Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. The prices vary between $20-30, and according to the vendors, use real people's data/photos etc.

It's also worth emphasizing on the fact that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake documments/IDs/passports, they're naturally the cheap alternatives, which Russian fraudsters have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:

Thanks to the demand for such kind of underground market assets, I'm certain that that market would continue flourishing, and would eventually reach a stage where the vendors would start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization on demand services proliferating, next to the ubiquitous for the cybercrime ecosystem, affiliate based revenue-sharing models, vendors of fake documents/IDs/passports, have virtually everything that they need at their disposal, if they were to start targeting the international audience.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

 
Fake IDs/fake passports have always been a hot commodity within the cybercrime ecosystem.

Thanks to their general availability and affordable prices -- naturally based on the quality that a potential cybercriminal/fraudster is seeking -- the vendors behind them continue undermining the trust chain that society/market thrives on, by empowering cybercriminals and fugitives with new IDs to be later on used in related fraudulent activities.

In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low profile cybercriminals have been literally generating fake (Russian) passports for years, primarily relying on DIY passport/stamp generating tools.

Sample screenshots of the inventory of available fake passports for multiple countries:

Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. The prices vary between $20-30, and according to the vendors, use real people's data/photos etc.

It's also worth emphasizing on the fact that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake documments/IDs/passports, they're naturally the cheap alternatives, which Russian fraudsters have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:

Thanks to the demand for such kind of underground market assets, I'm certain that that market would continue flourishing, and would eventually reach a stage where the vendors would start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization on demand services proliferating, next to the ubiquitous for the cybercrime ecosystem, affiliate based revenue-sharing models, vendors of fake documents/IDs/passports, have virtually everything that they need at their disposal, if they were to start targeting the international audience. Continue reading →