Which CAPTCHA Do You Want to Decode Today?

Once you anticipate your success, you logically start putting more efforts into achieving a decent level of efficiency in the process of breaking CAPTCHA, now that's of course in between commercializing your know-how. CAPTCHA breaking or decoding on demand has been a reality for a while, with malicious parties empowered by proprietary tools, publicly available DIY CAPTCHA breakers, or services like this one doing it on demand.

The following service is offering the possibility for CAPTCHA decoding on a per web service basis, and enticing future customers by providing percentage of accuracy, the price, and the ease of difficulty of breaking it. CAPTCHA decoding is listed for the following services : 9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ, Google. Moreover, Ticketmaster's the most expensive one, followed by Ebay's CAPTCHA decoding process.

What happens when malicious parties cannot directly decode the CAPTCHA? They figure out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the process while sacrificing some of the efficiency, but continuing to achieve their objective.

A TrustedSource for Threats Intell Data

Following the series of posts on early warning security events systems, Secure Computing have just announced a major upgrade of their threat intell service :

"Secure Computing's TrustedSource acts like a satellite advanced-warning system for the Internet that detects suspicious behavior patterns at their origins, and then instructs security devices to take corrective precautions or action," said Dr. Phyllis Schneck, vice president of research integration for Secure Computing. "TrustedSource pinpoints reputation by looking at behavior and specific factors such as traffic volumes, patterns and trends, and enabling it to rapidly identify deviations from the norm on a minute-by-minute basis."

I've already mentioned the radical perspective of integrating all the publicly known IPs with bad reputation, and sort of ignoring their online activities in order to prevent common problems such as click fraud for instance. Think from the end user's perspective, what's the worst thing that could happen to both the average and experienced end user? Try witnessing the situation when a known to be infected with malware end user starts receiving messages like these, and will continue to receive them until a certain action is taken presumably disinfecting themselves. Of course, it's more complex than it sounds, but start from the basics in terms of the incentives for end users to disinfect themselves, the masses of which aren't that very socially oriented unless of course it's global warming and the possibility for a white Christmas you're talking about. Issuing an "Internet Driver's License" wouldn't work on an international scale, and even if it works on a local scale somewhere in the world, it wouldn't really matter, since you'll have the rest of the world driving unsafely, and you'll be the only country which has fastened its seat belt. Here's an example of such mode of thinking.

Are You Botnet-ing With Me?

Informative and recently released study by ENISA on the problem of botnets, especially the emphasis on how client side vulnerabilities surpassed email attachments, and downloading of infected files as infection vectors. Not because these aren't working, but because of the botnet's masters attitude for achieving malicious economies of scale has changed. Despite that we can question whether or not they put so much efforts while strategizing this, let's say they stopped pushing malware, and started coming up with ways for the end users to pull it for themselves :

"The most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Currently, the most dangerous infection method is surfing to an infected webpage. Indications of a bot on your computer include e.g.: Slow Internet connection, strange browser behavior (home page change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart programs etc."

Here's the entire publication - "Botnets - The Silent Threat" by David Barroso.

I See Alive IFRAMEs Everywhere - Part Two

The never ending IFRAME-ing of relatively popular or niche domains whose popularity is attracting loyal and well segmented audience, never ends. Which leads us to part two of this series uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful, the point is that all of these are connected.

Affected sites :

Epilepsie France - epilepsie-france.org
Iran Art News - iranartnews.com
The Media Women Forum - yfmf.org
Le Bowling en France - bowling-france.fr
The Hong Kong Physiotherapists Union - hkpu.org
The Wireless LAN Community - wlan.org
The First HELLENIC Linux Distribution - zeuslinux.gr

The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank (weiterweg-intl.com) according to Artists Against 419. Within the domain, there were small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the following :

88.255.94.246/freehost1/chris0039/lu/dm_0039.exe
81.29.241.238/freehost1/chris0031/lu/dm_0031.exe

An Apophis C&C panel was located in this ecosystem as well. Among the other files at pornopervoi.com, are pornopervoi.com/i.php where we're redirected to the second one spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting provider is also embedded with pornopervoi.com/m.php again forwarding to spelredeadread.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that's also pointing to pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornopervoi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution.

Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.

Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
A Portfolio of Malware Embedded Magazines
Possibility Media's Malware Fiasco
The "New Media" Malware Gang
Another Massive Embedded Malware Attack

But Malware is Prone to be Profitable

Read this a couple of times, than read it several more times, and repeat. It's usually "powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth at one point, and a combination of intergalactic security statements in respect to the "massive amounts of computing power required" to solve the "security problem" at another. Stop predicting weather and assessing the impact of global warming, and command the supercomputers to figure our the scientific mysteries behind common insecurities :

"Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hacker's own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target. Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time."

The operating systems and the software we use can be truly secure, but will be useless compared to the currently insecure, but useful ones we're using. Now here's a great and straight to the point article, that's segmenting the possible uses of a host that's already been compromised, a great example of how innovations in terms of improved Internet connectivity, increased CPU power, and flexibility of online payments both steamline progress, and contribute to the growth of the underground.

Beat malware by doing what malware authors do? Sounds great. Malware authors outsource, do it too. Malware authors embraced the on demand SCM concept, embrace it too. Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by providing them with DIY malware creation tools in order for them to make the headlines at a later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with rocket science theoretical models and shift the focus from the pragmatic reality just the way it is - consolidation, outsourcing, shift towards a service based economy, quality and assurance of the malware releases, malicious economies of scale in the form of malware exploitating kits, ones it's getting hard to keep track of these days.

At the bottom line, how to solve the "malware problem"? It all depends on who you're solving it for. Long live marginal thinking.

Related posts:
Malware - Future Trends, January, 2006
Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Managed Spamming Appliance - The Future of Spam
Multiple Firewalls Bypassing Verification on Demand

Exposing the Russian Business Network

It was about time someone comes up with an in-depth study summarizing all of the Russian Business Network's activities, as for me personally, 2007 is the year when bloggers demonstrated what wisdom of the crowds really means, by putting each and every piece of the puzzle to come up with the complete picture, one the whole world benefits from. A highly recommened account into the RBN's activities courtesy of David Bizeul's "Russian Business Network study" :

"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive by download exploits, for collecting malware stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."

What contributed to such a well coordinated exposure of the RBN during the last two quarters at the bottom line? It's not just security researchers exchanging info behind the curtains, but mostly due to RBN's customers confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, until recently when DIY IP blocking rulesets were available for the world to use, they undermined their abilities to remain undetected. In fact, I was about start a contest asking anyone who can come up with a IP with a clean reputation within the RBN's main netblock right before it dissapeared, and would have been suprised if someone managed to find one.

The RBN doesn't just makes mistakes when its customers embedd malware hosting and live exploit URLs on each and every malware and high-profile attack during the year, it simply doesn't care in covering its tracks and so doesn't their customers as well. RBN's second biggest mistake for receiving so much attention is their laziness which comes in the form of over 100 pieces of malware hosted on a single IP, without actually bothering to take care of their directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come up with yet proof of a common belief into their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale that malware authors achieve due to DIY malware kits using outdated exploits compared to bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every of the several Storm Worm related IPs that I covered once were returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.

This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from each and everyone's contribution - in this case exposing the RBN.

How would the RBN change its practices in the upcoming future given all the publicity it received as of recently? They will simply stop benefing from the easy of management of their old centralized infrastructure, and will segment the network into smaller pieces, but while still providing services to their old customers, they're easy to traceback, and to sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploits hosting URLs under several different netblocks.

It's also great to note that David's been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN practices.

Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network