Monday, January 07, 2008

MySpace Phishers Now Targeting Facebook

The "campaigners" behind the MySpace phishing attack which I briefly assessed in previous posts seem to have started targeting Facebook as well. Ryan Singel comments, and quotes me in a related article :

"Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords. Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords."

Compared to their previous MySpace phishing campaign, which was also serving malware in between, this one was done purely to steal the account data of Facebook users. And as we're on the topic of malicious Facebook campaigns, impersonating Facebook's login or web presence from a blackhat SEO perspective to serve malware is always trendy. Take this fake Facebook login subdomain serving malware for instance - facebook-login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/ which attempts to load 209.160.73.132/download/502/541/1/ where 209.160.73.132/dw.php is the adware in this case - Adware:Win32/SmitFraud. And yet another one - facebook-login-61248sf1.krantik.info (89.149.206.225) whose once deobfuscated javascript attempts to load topsearch10.com/search.php (209.8.25.156). Spammy, yammy.
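Both the wall-post lure and the two malware-serving subdomains above rely on the same trick: the word "facebook" sits in the hostname, but the registrable domain (vylo.org, krantik.info, a .cn domain) is not facebook.com. The following is an added example, not code from the post, showing the check a link filter or user-awareness tool would apply. It assumes facebook.com is the only legitimate registrable domain and uses a simplified two-label rule instead of the Public Suffix List; the URLs in the usage section are the ones quoted in the post plus one constructed userinfo case.

```python
from urllib.parse import urlsplit

# Registrable domains treated as genuine Facebook (assumption for this example).
LEGIT_DOMAINS = {"facebook.com"}
BRAND = "facebook"


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'vylo.org' for
    'facebook-login.vylo.org'. Simplified: a real deployment would consult
    the Public Suffix List so that multi-label suffixes such as co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Classify a link that presents itself as a Facebook link.

    'legit'      - registrable domain is facebook.com
    'lookalike'  - brand name appears in the host or userinfo, but the
                   registrable domain is something else (the phishing pattern)
    'unrelated'  - no brand reference at all
    """
    # Accept bare hosts such as "facebook-login.vylo.org" as well as full URLs.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unrelated"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # "http://facebook.com@evil.example/" puts the brand in the userinfo part,
    # which browsers display but do not resolve; treat it like a host lookalike.
    userinfo = (parts.username or "").lower()
    if BRAND in host or BRAND in userinfo:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in (
        "https://www.facebook.com/login.php",          # genuine
        "facebook-login.vylo.org",                     # from the post
        "http://facebook-login-61248sf1.krantik.info/",  # from the post
        "http://facebook.com@evil.example/",           # constructed userinfo case
        "http://www.example.org/",
    ):
        print(f"{classify_link(link):10s} {link}")
```

The point of the check is that only the registrable domain decides legitimacy; prefixes, subdomains and userinfo text are attacker-controlled and should never be trusted.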

Massive RealPlayer Exploit Embedded Attack

This malware embedded attack is massive and ugly; what's most disturbing about it is the number of sites affected, which points to coordination, at least in respect to having established the infrastructure for serving the exploit before the vulnerability became public :

"One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week."

According to SANS, there are only two domains involved in the attack, uc8010.com/0.js and ucmal.com/0.js; however, there's also a third one, namely rnmb.net/0.js. This attack is nothing else but "embedded malware as usual": javascript obfuscations, multiple IFRAME redirectors to and from internal pages, and scripts within the domains. Let's assess those that are still active :

- n.uc8010.com/0.js returns "ok ^_^" message and loads c.uc8010.com/ip/Cip.aspx (61.188.39.218) which says "Hello", furthermore, c.uc8010.com/0/w.js loads c.uc8010.com/1.htm; count38.51yes.com/click.aspx?id=389925362&logo=1 and s106.cnzz.com/stat.php?id=742266&web_id=742266

The internal structure is as follows :

c.uc8010.com/1.htm - attempts MDAC ActiveX code execution (CVE-2006-0003) in between the following
c.uc8010.com/046.htm - javascript obfuscation
c.uc8010.com/r.htm - real player exploit
c.uc8010.com/014.js - javascript obfuscation
c.uc8010.com/111.htm - unobfuscated real player exploit

- ucmal.com/0.js (122.224.146.246) - another obfuscation

- rnmb.net/0.js says "ok! ^_^ Don't hank me !" but compared to the first two that are still active, this one is down as of yesterday, despite that it still remains embedded on many sites
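Since the compromised .gov, .edu and CA.com pages all carried a reference to one of the three script hosts, the quickest way for a site owner to check their own pages is to look for script and IFRAME tags pointing at those hosts (or at any hidden IFRAME, the usual redirector shape). Here is an added example of that check, not code from the post or from SANS; the three indicator domains come from the text above, the sample HTML is constructed, and the hidden-IFRAME heuristic (zero size or display:none) is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script hosts named in the post for this attack (uc8010.com, ucmal.com, rnmb.net).
KNOWN_BAD_HOSTS = {"uc8010.com", "ucmal.com", "rnmb.net"}


def _host_matches(host, bad):
    """True for the domain itself or any subdomain (c.uc8010.com, n.uc8010.com)."""
    host = host.lower()
    return host == bad or host.endswith("." + bad)


class EmbeddedScriptFinder(HTMLParser):
    """Collect (kind, src, matched_indicator) for suspicious script/iframe tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self._check("script", attrs["src"])
        elif tag == "iframe" and attrs.get("src"):
            style = (attrs.get("style") or "").replace(" ", "").lower()
            hidden = (
                attrs.get("width") == "0"
                or attrs.get("height") == "0"
                or "display:none" in style
                or "visibility:hidden" in style
            )
            self._check("iframe", attrs["src"], hidden=hidden)

    def _check(self, kind, src, hidden=False):
        host = urlsplit(src).hostname or ""  # relative URLs have no host
        for bad in KNOWN_BAD_HOSTS:
            if _host_matches(host, bad):
                self.findings.append((kind, src, bad))
                return
        # Not a known indicator, but an invisible IFRAME still deserves a look.
        if kind == "iframe" and hidden:
            self.findings.append(("hidden-iframe", src, None))


def scan_html(html):
    """Return the list of suspicious references found in one HTML document."""
    parser = EmbeddedScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page modelled on the pattern described in the post.
SAMPLE_PAGE = """<html><head><title>Press releases</title>
<script src="/js/site.js"></script>
<script src="http://uc8010.com/0.js"></script>
</head><body>
<iframe src="http://c.uc8010.com/1.htm" width="0" height="0"></iframe>
<iframe src="http://example.org/widget" style="display: none"></iframe>
<p>Legitimate page content.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, src, indicator in scan_html(SAMPLE_PAGE):
        print(f"{kind:13s} {src}  (indicator: {indicator})")
```

Run over a crawl of your own site this catches the injected 0.js reference and the zero-size IFRAME into c.uc8010.com; the site's own /js/site.js is left alone because a relative URL has no host to match.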

Detection rate for the unobfuscated exploit :
Result: 17/32 (53.13%) - Exploit-RealPlay; JS/RealPlay.B
File size: 3003 bytes
MD5: a85a28b686fc2deedb8d833feaacef16
SHA1: 0282e945ded85007b5f99ddee896ed5e31775715

Detection rate for the obfuscated exploit :
Result: 11/32 (34.38%) - JS/Agent.AMJ!exploit; Trojan-Downloader.JS.Agent.amj
File size: 2880 bytes
MD5: d363ffca061ebf564340c4ac899e3573
SHA1: 1226d3d9fcc5052a623b481b48443aeb246ab5db

A lot of university and international government sites continue to have the script embedded, and so does Computer Associates' site, according to this article :

"Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."

Compared to each and every malware embedded attack that I assessed in 2007, including all of Storm Worm's campaigns, which all relied on outdated vulnerabilities to achieve their success, this one is taking advantage of the now old-fashioned window of opportunity, courtesy of a malicious party enjoying the lack of a patch for the vulnerability. Why old-fashioned? Because malware exploitation kits like MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker changed the threatscape by achieving a 100% success rate through first identifying the victim's browser, then serving the exact exploit. Another such one-vulnerability-serving malware embedded attack was the MDAC exploits farm spread across different networks I covered in a previous post. It's also interesting to note that a live MDAC exploit page was also found within what was originally thought to be a RealPlayer-only exploit serving campaign. Shall we play the devil's advocate? The campaign would have been far more successful if a malware exploitation kit was used, as by using a single exploit only, the campaign's success entirely relies on the eventual presence of RealPlayer on the infected machine.

Friday, December 28, 2007

The New Media Malware Gang - Part Two

Riders on the Storm Worm

During the last couple of days the folks behind Storm Worm have started using several new, and highly descriptive, domains. It seems they've also changed the layout, and despite that the exploit IFRAME is now gone, automatically registered Blogspot accounts are also disseminating links to the domains. Some of these have been registered only recently, others have been around in a blackhat SEO operation for a while and are getting used as a foundation for the campaign. These are all known Storm Worm fast-fluxed domains for the time being :

merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com

happycards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

uhavepostcard.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com

newyearwithlove.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

newyearcards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

Moreover, Paul is also pointing out the use of Blogspot blackhat SEO generated blogs in this Storm Worm campaign. In case you remember, the first one relied on the infected user first authenticating herself, which in turn authenticated Storm Worm to add a link to a malware infected IP. Sample Blogspot URLs :

cbcemployee.blogspot.com
canasdelbohio.blogspot.com
1dailygrind.blogspot.com
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html
jariver.blogspot.com/2007/12/opportunities-for-new-year.html
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.html

As for the complete list of the email subjects used for the time being, here's a rather complete one courtesy of US-CERT.

With end users being warned about the insecurities of visiting an IP address instead of a domain name, this campaign relies on descriptive domains compared to the previous one, even though the use of IPs was among the few tactics that helped Storm Worm's first campaign scale, with every infected host acting as an infection vector by itself. And despite that I'm monitoring the use of such IPs from the first campaign in this campaign on a limited set of Storm Worm infected PCs, the next couple of days will shed more light on whether they'll start using the already infected hosts as infection vectors, or stick to the descriptive domains already in use.

Keep riding on the storm.

Monday, December 24, 2007

Spreading Malware Around the Christmas Tree

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascript obfuscations, courtesy of the Neosploit attack kit, attempt to load. The current binary (stripshow.exe) has an over 50% detection rate, 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.
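The thirteen name servers listed above, all inside merrychristmasdude.com's own zone, are the visible half of what makes the domain "logically in a fast-flux"; the other half is the A record set changing from one lookup to the next with a short TTL. As an added example, not from the post and not a published fast-flux detector, the code below summarises repeated lookups and the NS set into the indicators a resolver log or passive DNS feed would give a defender, and applies heuristic thresholds that are assumptions of this example. The NS names are the ones from the post; the A records, TTLs and the benign control domain are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).

```python
from collections import namedtuple

# One snapshot of an A-record answer: minutes since the first lookup, the
# addresses returned, and the TTL on the answer. Constructed data below.
Lookup = namedtuple("Lookup", "minute a_records ttl")


def flux_indicators(domain, lookups, ns_records):
    """Summarise what repeated A lookups and the NS set say about a domain."""
    seen = set()
    for lk in lookups:
        seen.update(lk.a_records)
    max_per_lookup = max(len(lk.a_records) for lk in lookups)
    # How often the answer set differed from the previous lookup.
    changes = sum(
        1 for prev, cur in zip(lookups, lookups[1:])
        if set(prev.a_records) != set(cur.a_records)
    )
    zone = domain.lower().rstrip(".")
    ns_in_zone = sum(
        1 for ns in ns_records if ns.lower().rstrip(".").endswith("." + zone)
    )
    return {
        "unique_ips": len(seen),
        "max_per_lookup": max_per_lookup,
        "min_ttl": min(lk.ttl for lk in lookups),
        "answer_changes": changes,
        "ns_count": len(ns_records),
        "ns_in_zone": ns_in_zone,
    }


def fast_flux_reasons(ind):
    """Heuristic verdict; thresholds are assumptions, not taken from the post."""
    reasons = []
    if ind["min_ttl"] <= 300:
        reasons.append("short TTL")
    if ind["unique_ips"] >= 2 * ind["max_per_lookup"] and ind["answer_changes"] > 0:
        reasons.append("A records rotate between lookups")
    if ind["ns_count"] >= 6 and ind["ns_in_zone"] == ind["ns_count"]:
        reasons.append("many name servers, all inside the domain's own zone")
    return reasons


# NS records exactly as listed in the post for merrychristmasdude.com.
FLUX_NS = ["NS.MERRYCHRISTMASDUDE.COM"] + [
    f"NS{i}.MERRYCHRISTMASDUDE.COM" for i in range(2, 14)
]
# Constructed A-record snapshots: five addresses per answer, most of them new
# each time, 60 second TTL (values are illustrative, not observed ones).
FLUX_LOOKUPS = [
    Lookup(0, ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"], 60),
    Lookup(5, ["192.0.2.20", "192.0.2.21", "192.0.2.22", "192.0.2.23", "192.0.2.24"], 60),
    Lookup(10, ["192.0.2.30", "192.0.2.31", "192.0.2.32", "192.0.2.13", "192.0.2.34"], 60),
]
# Constructed control: a stable domain on registrar-hosted name servers.
BENIGN_LOOKUPS = [Lookup(m, ["198.51.100.5", "198.51.100.6"], 3600) for m in (0, 5, 10)]
BENIGN_NS = ["ns1.registrar-dns.example", "ns2.registrar-dns.example"]

if __name__ == "__main__":
    for name, lookups, ns in (
        ("merrychristmasdude.com", FLUX_LOOKUPS, FLUX_NS),
        ("example.net", BENIGN_LOOKUPS, BENIGN_NS),
    ):
        ind = flux_indicators(name, lookups, ns)
        print(name, ind, fast_flux_reasons(ind) or ["no flux indicators"])
```

The self-hosted NS set is the indicator worth noting for takedown work: because every name server lives under the malicious domain, resolution of the domain depends entirely on the botnet's own infrastructure, and suspending the domain at the registry level is enough to break it.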

Related info - SANS, ASERT, TEMERC, DISOG.

Pinch Variant Embedded Within RussianNews.ru

This is a perfect and currently live example demonstrating how a once compromised site can also be used as a web dropper, compared to the default infection vector mentality we've been witnessing on pretty much each and every related case of malware embedded sites during 2007. The URL at a popular news portal for Russian/Iranian related news, russiannews.ru/arabic/data/news/upload/exp, is serving a Pinch variant through an MDAC ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep It Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to : russiannews.ru/arabic/data/news/upload/exp/exe.php

Trojan-PSW.Win32.LdPinch.dzr
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab

What's important to point out in this case, is that the main index and the pages within the site are clean, so instead of trying to infect the visitors, the malicious parties are basically using it as a web dropper. Moreover, in the wake of Pinch-ing the Pinch authors, this variant generated on the fly courtesy of their tool fully confirms the simple logic that once released in the wild, DIY malware builders and open source malware greatly extend their lifecycles and possibility for added innovation on behalf of the community behind them.