Tuesday, December 11, 2007

Update on the MySpace Phishing Campaign

It seems that the parties behind the large-scale MySpace phishing attack I covered in a previous post have recently changed the main login redirector from 319303.cn/login.php to z8atr.cn/login.php, and the fast-flux network behind z8atr.cn is comparable in size to Storm Worm's fast-flux networks. The updated campaign is also taking advantage of the following DNS servers:

Name Server: ns1.4980603.com
Name Server: ns2.4980603.com
Name Server: ns3.4980603.com
Name Server: ns4.4980603.com

Here's more coverage, courtesy of the ISC, assessing an earlier state of the campaign when different domain names were in use:

"Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include: Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were observed redirecting browsers. The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network."

The fast-flux, the JavaScript obfuscation, and the process of serving malware all remain the same, so what they're doing looks like routine maintenance of the fast-flux network.
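The post judges the campaign's fast-flux by its size; the added example below (not part of the original post) shows the indicators a defender would actually compute from repeated DNS lookups of one hostname: short TTLs, a large and churning address pool, and addresses scattered across unrelated networks. All hostnames, TTLs and addresses in it are constructed, and the thresholds are rules of thumb, not values from the post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Lookup:
    """One DNS answer for the hostname: its TTL and the A records returned."""
    ttl: int
    answers: list

def fast_flux_score(lookups: list) -> dict:
    """Count fast-flux indicators over repeated lookups of one hostname.

    One flag each for: TTL of five minutes or less; a pool of distinct
    addresses at least three times one answer's size; five or more /16
    networks (a cheap stand-in for ASN diversity); more than half the pool
    turning over between consecutive answers. Three or more flags -> flux.
    """
    pool = {ip for lk in lookups for ip in lk.answers}
    nets16 = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in pool}
    churn = sum(len(set(cur.answers) - set(prev.answers))
                for prev, cur in zip(lookups, lookups[1:]))
    min_ttl = min(lk.ttl for lk in lookups)
    answer_size = max(len(lk.answers) for lk in lookups)
    flags = sum([
        min_ttl <= 300,
        len(pool) >= 3 * answer_size,
        len(nets16) >= 5,
        churn > len(pool) // 2,
    ])
    return {"distinct_ips": len(pool), "nets16": len(nets16), "min_ttl": min_ttl,
            "churn": churn, "flags": flags, "fast_flux": flags >= 3}

# Constructed lookups resembling a flux network: every answer rotates in
# new addresses from unrelated consumer ranges. Not real observations.
FLUX_LOOKUPS = [
    Lookup(180, ["24.12.7.5", "68.33.9.14", "71.200.4.8", "98.110.3.22"]),
    Lookup(180, ["24.12.7.5", "81.5.66.9", "201.9.44.7", "124.8.31.2"]),
    Lookup(120, ["81.5.66.9", "62.220.8.3", "189.13.5.9", "41.7.90.12"]),
    Lookup(180, ["62.220.8.3", "24.99.1.17", "217.31.8.6", "59.93.4.11"]),
    Lookup(120, ["24.99.1.17", "78.60.2.9", "95.24.6.13", "122.17.8.4"]),
]

# Constructed lookups resembling a CDN: low TTL as well, but every address
# sits in one network, so TTL alone must not drive the verdict.
CDN_LOOKUPS = [
    Lookup(60, ["203.0.113.10", "203.0.113.11"]),
    Lookup(60, ["203.0.113.11", "203.0.113.12"]),
    Lookup(60, ["203.0.113.10", "203.0.113.12"]),
]

if __name__ == "__main__":
    for label, lookups in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS)):
        print(label, fast_flux_score(lookups))
```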

Monday, December 10, 2007

Inside the Chinese Underground Economy

Here's a very detailed, recently released study, Malicious Websites and the Underground Economy on the Chinese Web, and this is how its authors assessed the high level of activity on underground-related forums:

"Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar with IRC (In-ternet Relay Chat). They typically use bulletin board systems on the Web or IM software like QQ tocommunicate with each other. Orthogonal to a study on the underground black market located within IRC networks, we measure the Chinese-specific underground black market on the Web. We focus onthe most important part located at post.baidu.com, the largest bulletin board community in China. We crawled the portal and stored all posts and replies posted on some certain post bars which are all dedicated for the underground black market on this particular website. The post bars we examined include Traffic bar, Trojans bar, Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans inChinese), Box bar, Huigezi bar, Trojanized websites bar, and Envelopes bar."

What's the big picture of the Chinese IT underground anyway? It's a curious parallel to China's real-world economy, which has moved from supplying the parts that make up products to independently manufacturing the products themselves. In cyberspace, the people driving the Chinese underground tend to borrow malicious know-how from their Russian colleagues by localizing the most popular web malware exploitation kits, such as MPack and IcePack, to Chinese, and by taking advantage of the proven capabilities of open-source DDoS-centered malware, again localizing it to Chinese and porting it to a web interface. Once they've localized the most effective attack approaches and made them even easier to use, they start adding new features and functionality, and in between come up with unique tools of their own.

The bottom line: China's IT underground is indirectly monitored and controlled by China's Communist Party, whose strategic thinkers see the potential for asymmetric warfare dominance as the foundation for economic espionage, and for the largest cyber-warrior buildup to date, in the form of people's information warfare armies driven by collectivist sentiment.

Here's a very interesting article detailing some of the perspectives of the China Eagle Union, the Hacker Union of China, and the Red Hacker's Alliance:

"The Chinese red hackers have their own organizations and websites, such as the Hacker Union of China (www.cnhonker.com/), the China Eagle Union (www.chinaeagle.org/), and the Red Hacker's Alliance (www.redhacker.org). The Hacker Union of China (HUC) was founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 80,000 registered members at its peak, and reportedly has 20,000 members after regrouping in April 2005."

Phishers, Spammers, and Malware Authors Clearly Consolidating

In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized the consolidation that has been going on between phishers, spammers and malware authors for a while:

"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S. Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article: spammers harvesting email addresses, segmenting the database of addresses for targeted mailings on a per-company or per-institution basis, and malware authors eventually purchasing the segmented databases for such targeted attacks, with the spammers earning a higher profit margin for providing the segmentation service:

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there are articles emphasizing the concept of stepping stones on the way to the final destination, with China's heavily malware-infected Internet population acting as the stepping stone rather than the original source of the attack:

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly available research and common sense both say that malware arriving as email attachments is in decline, and that such content, executables especially, is supposed to be filtered at the gateway perimeter by default. Even the first round of Storm Worm malware, in January 2007, showed that email attachments are no longer as effective as they used to be, and the campaign therefore migrated to spamming links to embedded malware exploiting outdated vulnerabilities.

How could this type of targeted malware attack have been prevented?

- make the email addresses much harder to harvest than they currently are; in this particular case, a huge percentage of the ornl.gov email accounts, that is, the future contact points for the malicious parties to take advantage of, can be harvested without even bothering to scrape the ornl.gov domain itself

- a freely available but highly effective tool for evaluating whether your mail server's filtering of such content actually works is PIRANA, the Email Content Filters Exploitation Framework:

"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Now consider the second possible scenario, namely that it wasn't a targeted attack but malware attachments "as usual". That reading is hard to sustain, mostly because modern malware automatically excludes .gov and .mil addresses, and the majority of the anti-virus vendor addresses known to it, from its mailings, hoping to infect as many people as possible before a reactive response is in place.

If it had been a spammed link to embedded malware, chances are the recipients would have followed it, but spammed malware as an attachment is too Web 1.0 for someone to fall victim to, and it's rocket scientists we're talking about anyway.

The Shark Malware - New Version's Coming

Remember Shark, the DIY malware pitched as a Remote Administration Tool (RAT), whose publicity among script kiddies and in the press, given the ease with which undetected malware could be built with it, prompted the author behind the project to publicly announce that he was shutting down work on the RAT? As it turns out, the project is still under development, and the author's recent announcement of the upcoming Shark3 further confirms that the shutdown announcement held only until the publicity started to fade away. Here are some screenshots of what's to come in the new version:

Shark3 Window's Info (screenshot)

Shark3 Keylogger (screenshot)

Previous versions included features not commonly found in RATs by default, such as built-in VirusTotal submission and process injection, and with the new version promoted as having built-in rootkit capabilities next to its Vista compatibility, let's ask the ultimate question: is it a RAT, or is it malware? That's a rhetorical question.

Friday, December 07, 2007

A Diverse Portfolio of Fake Security Software

The recently exposed RBN fake security software was literally just the tip of the iceberg in this ongoing practice of distributing spyware and malware under the cover of software positioned as anti-spyware and anti-malware. The domain farm of fake security software which I'll assess in this post is worth discussing because of the size of its portfolio, the way the scammy ecosystem has been spread across different networks, and the directory structure it relies on, whose predictability makes it fairly easy to efficiently obtain all of the fake applications. This particular case is also a great example of the efficiency-versus-quality trade-off typical of a Rock Phish kit: all the binaries dispersed across the different domains are actually hosted on a single IP, and are identical.

Who's hosting the malware and what directory structure per campaign do they use?

It seems that content.onerateld.com (87.248.197.26), hosted at Limelight Networks, is used by all the domains as the central download location. The directory structure is as follows:

content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe
content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe

Therefore, for a domain such as secureyourpc.com the download path would be /SecureYourPC.com/SecureYourPC/install_en.exe.
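The predictable layout described above is as useful to a defender as it is to the people running the farm: it is a fingerprint that a proxy log can be checked against. The added example below (mine, not from the post) matches the central host the post names and, going one step further, the layout itself on any host, since the same kit could be stood up elsewhere. The log lines are constructed; the field order (epoch, client, method, URL) is an assumption about the proxy format.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Host the post identifies as the campaign's central download location.
KNOWN_HOST = "content.onerateld.com"

# Campaign layout: /<brand domain>/<BrandName>/install_en.exe, where the
# CamelCase folder is the brand domain's first label with the TLD dropped.
PATH_RE = re.compile(r"^/([A-Za-z0-9-]+)\.[A-Za-z]{2,}/([A-Za-z0-9]+)/install_en\.exe$")

def match_fake_av_download(url: str) -> Optional[str]:
    """Return a finding for a URL that fits the campaign layout, else None.

    The folder name must equal the domain label (case-insensitively), which
    is what separates this layout from an ordinary /vendor/Product/ path.
    """
    parsed = urlparse(url)
    m = PATH_RE.match(parsed.path)
    if not m or m.group(1).lower() != m.group(2).lower():
        return None
    brand = m.group(2)
    if parsed.hostname == KNOWN_HOST:
        return f"known fake-AV host, product {brand}"
    return f"fake-AV download layout on {parsed.hostname}, product {brand}"

def scan_proxy_log(text: str) -> list:
    """Scan 'epoch client METHOD url' lines; return (client, url, finding) tuples."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        finding = match_fake_av_download(url)
        if finding:
            findings.append((client, url, finding))
    return findings

# Constructed proxy log lines; not real traffic. The fourth line has an
# ordinary vendor/product path and must not match.
SAMPLE_LOG = """\
1197300001.101 192.0.2.10 GET http://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
1197300002.202 192.0.2.11 GET http://content.onerateld.com/images/logo.png
1197300003.303 192.0.2.12 GET http://content.onerateld.com/SecureYourPC.com/SecureYourPC/install_en.exe
1197300004.404 192.0.2.13 GET http://downloads.example.org/vendor.com/Tool/install_en.exe
1197300005.505 192.0.2.14 GET http://cdn.example.net/pchealthkeeper.com/PcHealthKeeper/install_en.exe
"""

if __name__ == "__main__":
    for client, url, finding in scan_proxy_log(SAMPLE_LOG):
        print(client, finding, url)
```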

Sample domains from the portfolio, each of which serves digitally identical binaries.


DNS servers that further expand the domain portfolio:

ns1.bestsellerantivirus.com
ns2.bestsellerantivirus.com
ns3.bestsellerantivirus.com
ns4.bestsellerantivirus.com
ns1.onerateld.com
ns2.onerateld.com

Main IPs of the portfolio's domain farm:

- 87.117.252.11
- 85.12.60.22
- 85.12.60.11
- 85.12.60.30

Laziness on the part of the malicious parties in this campaign leads to a better detection rate: they didn't hedge the risk of their releases being detected by diversifying the actual binaries along with the domain portfolio.

Wednesday, December 05, 2007

MDAC ActiveX Code Execution Exploit Still in the Wild

Who needs zero-day vulnerabilities when the average end user is still living in the perimeter-defense world and believes that security means nothing more than running a firewall and anti-virus software? That's of course a rhetorical question, given how modern malware either blocks the update process of these applications or shuts them down almost by default these days.

The following URLs are currently active and exploiting CVE-2006-0003. Despite the vulnerability having been patched on 11 April 2006, the last quarter of 2007 showcased the malware authors' simple assumption that old but unpatched vulnerabilities can be just as effective as zero-day ones. When the assumption proved true, with Storm Worm's use of outdated vulnerabilities as the best and most effective example, it automatically lowered the entry barriers into the world of malware, breaking the myth that zero-day vulnerabilities are the key success factor for a large-scale malware-embedded attack.


These all look like the work of Chinese parties, and represent a good example of malicious economies of scale, a concept that emerged during 2007. Years ago, when a vulnerability was found and an exploit released, malicious parties quickly took advantage of the "window of opportunity", following the myth that the more publicity a vulnerability receives, the less useful it becomes, since more people will patch. That's wishful thinking, which the people behind Storm Worm apparently dismissed as FUD, and by ignoring it they ended up operating the largest botnet known to date: a botnet built on the foundations of outdated vulnerabilities pushed through emails, using web sites as the infection vector, and not a single zero-day one.

How are risks hedged? By following the simple principle of diversification, which from a malicious perspective means increasing the probability of success. Using a single exploit per URL, like the MDAC one in this case, gives a much lower chance of success than diversifying the "exploit set", a daily reality these days thanks to the emerging malicious-economies-of-scale mentality embodied in web exploitation kits, with MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker the most popular ones.

Here's a related article, "Zero-Day Exploits on The Decline":

"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians. For example, he said, the Storm worm propagates itself though users clicking on an e-mail link, and does not require a zero-day exploit to function. "When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."

So, how did the people behind Storm Worm end up with the world's largest botnet? They simply didn't believe in the effectiveness of populist generalizations about security such as patching, and abused the miscommunication between an industry still preaching perimeter defense as the panacea of security and the end user, the one whose Internet connectivity results in all the spam, phishing and malware we're all receiving. They stopped targeting what the solutions protect against and migrated to niche attack approaches as infection vectors: today's client-side vulnerabilities, courtesy of malware exploitation kits, which I've found embedded in the majority of the infected web site incidents I've been assessing for the last couple of months.