Teaching Cyber Jihadists How to Hack

Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community, are such online archives with localized to Arabic standard security and hacking research papers, ones you definitely came across to before, or may have in fact written by yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using software and web services of their enemies. Whether the investment in time and resources is worth it is another topic, what's worth pointing out are the efforts they put into localizing the content in between adding the standard propaganda layer, and later on, building a community around it.

p0rn.gov - The Ongoing Blackhat SEO Operation

Want pr0n? Try .gov domains in general, ones that have been getting the attention of blackhat SEO-ers for a while, just like the most recent related cases where the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post, the blackhat SEO tool is the same given the static subdomains generated, what remains to be answered is how they've managed to get access to the control panels of the domains in order to add the subdomains? Let's look at the facts :

- the targets in this attack are The Virgin Islands Housing Finance Authority (VIHFA), and the City Of Selma, Alabama

- this is the second blackhat SEO operation uncovered during the past couple of months targeting .gov domains

- access to the control panels is somehow obtained so that subdomains pointing to 89.28.13.207 (89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both domains

- both .gov domains that are targets in this attack are using a shared hosting provider, meaning their IP reputation is in the hands of everyone else's web activities responding under the same IP

- no malware is served in this incident, compared to the previous one, a combination of malware and blackhat SEO

Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages :

m21.selma-al.gov

m22.selma-al.gov

m23.selma-al.gov

m24.selma-al.gov

m25.selma-al.gov

m26.selma-al.gov

m27.selma-al.gov

m28.selma-al.gov

m29.selma-al.gov

m30.selma-al.gov

m31.selma-al.gov

m32.selma-al.gov

m33.selma-al.gov

m34.selma-al.gov

Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure :

a1.a.vihfa.gov

a2.a.vihfa.gov

a3.a.vihfa.gov

a4.a.vihfa.gov

a5.a.vihfa.gov

a6.a.vihfa.gov

a7.a.vihfa.gov

a8.a.vihfa.gov

a9.a.vihfa.gov

a10.a.vihfa.gov

Related subdomains now no longer responding :

2k110.x.vihfa.gov

2k106.x.vihfa.gov

j11.y.vihfa.gov

j9.y.vihfa.gov
z1.z.vihfa.gov

Where's the connection between this blackhat SEO operation and the previous one? It's not just that both subdomains at the different .gov's are responding to IPs from the same netblock, but also, 89.28.13.202 is responding to City of Somerset's subdomains from the previous incident such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov.

Looks like someone in Moldova will get spanked for these incidents.

Targeted Spamming of Bankers Malware

This particular incident is interesting mostly because we have a good example that once a site gets compromised the potential for abusing the access for malware distribution becomes very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday, now down due to notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

the downloader then drops the following bankers that are strangely hosted on the French site Opus Citatum, and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages : "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can see in the attached screenshot.

More info about banking malware, comments on a recently advertised metaphisher malware kit with banker trojans infected hosts only showcasing the malicious economies of scale botnet masters mentality, as well as related posts on targeted malware attacks.

Yet Another Malware Outbreak Monitor

Such early warning security events systems always come as handy research tools for security analysts and reporters, and it's great to see that more and more vendors are continuing to share interactive threats data in real-time, type of data that used to be proprietary one several years ago. Commtouch's recently announced Malware Outbreak Center is another step in the right direction of intelligence data sharing, and building more transparency on emerging spam and malware outbreaks :

"The Commtouch Malware Outbreak Center displays a sample of email-borne malware that has recently been detected and blocked by Commtouch's Zero-Hour(TM) Virus Outbreak Protection solution. It also incorporates data from AV-Test.org, an independent third-party organization that tests most of the commercially available anti-virus scanners. This data enables the Center to publish comparative detection times for leading AV vendors, a first in this comprehensive format which includes malware variant checksum. Detection times are critical, since individual virus variants often peak and then nearly disappear, all in under three hours. IT managers now have access to an online tool that allows them to verify their AV vendor's performance for each new outbreak, and to download comparative data per malware variant."

Zero day DIY malware, and open source one undermine the reactive response time's model, but without anti virus signatures in 2007 your company and customers would still be getting infected by outdated Netsky samples - it's a fact, yet not the panacea of dealing with malware, and has never been. Another important issue that deserves to be discussed is the issue with the virus outbreak time of different vendors in Stormy Wormy times for instance. In the past, vendors were even using their detection in the wild, and on-the-fly binary obfuscation which in times of open source malware results in countless number of variants. Good PR is vital, and so is gaining competitive advatange in the minds of prospective customers by positioning the company among the first to have responded to the outbreak, but it raises the issue on the degree of exchanging malware samples between the vendors themselves, and the lack of transparency here. The way initiatives in the form of honeyfarms contributing hundreds of malware samples, and "wisdom of crowds" end users filling the gaps in reactive response indirectly protect millions of customers on behalf of anti virus software, in this very same way exchanging malware samples in the shortest possible time frame, ultimately benefits each and every customer and organization that's having an anti virus in its perimeter defense strategy.

A non-profit honeyfarm can collect hundreds of thousands of undetected malware samples in a single month, let's speculate that it could even outperform a small AV vendor's malware aggregation capabilities. In the anti virus industry, branding is crucial and therefore the non-profit honeyfarm cannot enter the market, instead, it's only incentive to donate the samples to the anti virus vendors is that of social responsibility. AVs should build more awareness on the importance of malware samples sharing among them, compared to pitching themselves as the vendor who first picked up the outbreak and protected its customers. Bargaining with someone's upcoming infection isn't that much of a success if you think about it. "Hey that signature is mine" days should have been over by now.

Moreover, it's a basic principle of every competitive market that the more competition, the more choices the customer would have, thereby making vendors innovate or cease to exist in irrelevance. Does the same apply to the anti virus market? Can we have a built-to-flip honeyfarm into an anti virus vendor to be later on acquired and integrated within a company's existing products portfolio? Let's hope not, and it's doubtful as there's a difference between an anti virus software and an "anti virus software", at least from the perspective that the second "anti virus software" may be occupying markets that could have otherwise been served by a better market proposition. Product development of an AV courtesy of a security vendor's products portfolio given the vendor realized that a huge percentage of security spending goes to perimeter defense solutions can be tricky, and even if acquisition has taken place you'd better stick to a company whose core competency is anti virus solutions.

Still Living in the Perimeter Defense World?

Go to Sleep, Go to Sleep my Little RBN

Yesterday, Paul Ferguson tipped me on the sudden disappearance of the Russian Business Network. And just like babies have different understanding of day and night, the RBN isn't interested in going to sleep too, in fact there's a speculation that they're relocating their infrastructure to China, speculation in terms of that it could be another such localized RBN operation :

"Jamz Yaneza, a Trend Micro research project manager, agreed. "We're seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they're changing houses, changing addresses. The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular."

It's always a pleasure to monitor the RBN, a single activity on behalf of their customers represents an entire sample to draw conclusions out of. Catch up with such activities like over 100 Malwares Hosted on a Single RBN IP, Fake Anti Virus and Anti Spyware Software, and the most recent Fake Suspended Account Messages while the IPs are alive and serving exploits and malware. Well, used to.

UPDATE: RBN - Russian Business Network, Chinese Web Space and Misdirection

Electronic Jihad v3.0 - What Cyber Jihad Isn't

It's intergalactic security statements like these that provoked me to do my most insightful research into the topic of what is cyber jihad, or what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter as it happened in August, and so I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not the coordinated DDoS attack executed in such way that should be feared, but cyber jihadists outsourcing the process. Despite that absolutely nothing has changed in respect to the way the program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky - Al Qaeda cyber-jihad to begin Nov. 11; The e-Jihadists are coming, the e-Jihadists are coming!; Report: Al Qaeda to Launch Cyber-Attack on Nov. 11; Al-Qaeda Planning Cyber Attack?.

Key points :

- despite that the recommended DoS tool itself in the previous post is detected by almost all the anti virus vendors, in a people's information warfare situation, the participants will on purposely turn off their AVs to be able to use it

- the Electronic Jihad program is an example of poorly coded one, poorly in the sense of obtaining lists of the sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists not being able to attack anyone in a coordinated manner given the host gets shut down

- the central update locations at the al-jinan.net domain are down, thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, they obtained it before the site was shut down, but couldn't get the targets to be attacked list

Time to assess the binary. The program archive's fingerprints as originally distributed :

File size: 358490 bytes

MD5: f38736dd16a5ef039dda940941bb2c0d

SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary

File size: 94208 bytes

MD5: caf858af42c3ec55be0e1cca7c86dde3

SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15

Panda - Suspicious file

Symantec - Hacktool.DoS

In a people's information warfare incident where the ones contributing bandwidth would on purposely shut down their AVs, does it really matter whether or not an perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using their company's bandwidth for the purposely, an environment in which they are hopefully not being able to shut down the AV, thus forwarding the responsibility for the participation in the attack to their companies.

Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident, the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. Cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to Al Ansar Hacking Group - the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversified them given that Al-Jinan.net is now down courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary :

al-jinan.net/ntarg.php?notdoing=yes

al-jinan.net/ntarg.php?howme=re

al-jinan.net/tlog.php?

al-jinan.net/tnewu.php?

arddra.host.sk/ntarg.php

jofpmuytrvcf.com/ntarg.php

jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of a country in question, despite the potential for blockbuster movie scenario here. It's news stories like these, emphasizing on abusing the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda, training, compared to wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing on the fact that you should balance such spendings with the pragmatic reality which can be greatly described by using an analogy from the malware world, and how what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it.

The real threat does not come from wannabe cyber jihadists flooding a particular site in a coordinated manner, but from outsourcing the entire process to those who specialize in the service, or providing the infrastructure for it on demand. Now that's of course given they actually manage to keep up the update locations for longer than 24 hours, and achieve the mass effect of wannabe cyber jihadists using it all at once, the type of Dark Web Cyber Jihad trade-off.