Visualizing a SEO Links Farm

This visualization was generated over a month ago, using one of the two search engine optimization link farms I blogged about before, as a sample. Perhaps the most important issue to point out is that the farms are automatically generated with the help of blackhat SEO tools, where the level of internal linking has been set a relatively modest one, as for instance, the core pages extensively link one another, but a huge proportion of the SEO content remains burried in a number of hops a crawler may not be interested in making - this could be automatically taken care of in the process of generating the content to end up with a closed circle when visualizing.

The New Media Malware Gang - Part Three

Boutique cybercrime organizations are on the verge of extinction, and are getting replaced by cybercrime powerhouses, the indication for which is the increase of static netblocks used by well known groups such as the ones I've been exposing for a while - take the New Media Malware Gang for instance, and its entire portfolio of malicious domains that keeps expanding to include the latest ones such as :

sratong.ac.th/ch24/config/index.php
79.135.166.138/us/index.php
users-online.org/get/index.php
x-y-zz.org/exp2/index.php
dimaannetta.ws/adpack/index.php
dagtextiles.biz/adpack/index.php
freescanpro.com/count
keeberg.info
wmstore.info/1
78.109.22.242/a/index.php
208.72.168.176/e-zl0102/index.php
absent09.phpnet.us
podarok24.info/xxx
drl-id.com
supachicks.com

And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner.

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site :

"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ntkrnlpa.info/rc/?i=1 (85.114.143.207) which also responds to zief.pl, where an obfuscation tries to server ntkrnlpa.info/rc/load.exe through the usual diverse set of exploits served by MPack.

Detection rate : 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j

File size: 8704 bytes

MD5: 31f8a31adfdff5557876a57ff1624caa

SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?

BlackEnergy DDoS Bot Web Based C&Cs

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :

httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.

U.K's FETA Serving Malware

Yet another high-profile malware embedded attack worth commenting on, just like the most recent one at the Dutch embassy in Moscow. Website of UK landmark hacked to serve malware :

"The website of one of the UK's most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups."

The deobfuscated javascript attempts to load the currently live 88.255.90.130/cgi-bin/in.cgi?p=admin (MDAC ActiveX code execution (CVE-2006-0003), also responding to Silentwork.ws and Tide.ws which is deceptively forwarding to BBC's web site, deceptively in the sense that were I to use a U.K based IP to access it for instance it will try to serve the malware, thus, malware campaigners are now able to segment the malware attacks on a basis of IP geolocation. Who's behind it? A group that's in direct affiliation with the RBN and the New Media Malware Gang, where the three of these operate on the same netblocks.

The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event.

GCHQing with the Honeynet Project

Nothing's impossible, the impossible just takes a little longer. If someone told me an year ago that I'll be presenting next to the dudes from the Honeynet Project, I would have been rather skeptical. So, after a week of intensive socializing among geeks, a windy trip to Stonehenge along the way and lots of drinks, it's becoming increasingly clear to me how important face-to-face conversations are for the sake of improving productivity and relationship building. It's also worth pointing out how issues such as dealing with information oveload, data sharing, and actually communicating all the aggregated data to the industry and the general public, need to get a boost especially at the strategic level. And now that I'll be officially joining the organization, stay tuned for for a diverse set of KYE (Know Your Enemy) coverage of the emerging threatscape.