Tuesday, April 08, 2008

Romanian Script Kiddies and the Screensavers Botnet

Shall we turn into zombies for a moment and peek into the modest botnet courtesy of Romanian script kiddies who are currently spamming postcard.scr "greeting cards"? Meet the script kiddies. This botnet is going nowhere, mostly because knowing how to compile an IRC bot doesn't mean you possess the operational know-how that experienced botnet masters have been outsourcing for years. The malware is served through links pointing to:

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanner results: 22/32 (68.75%)
Detections: Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5: 015e5826084f2302b4b2c3237a62e244
SHA1: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output (client to server):

NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx

And in the next couple of hours, the most interesting host that joined the IRC channel was this one (WHOIS output):

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.
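
To make a capture like the one above actionable, here is a small heuristic scorer for IRC client traffic. It is an added example, not code from the post or from the bot's authors: it parses raw client-to-server lines, flags the randomly generated nick and realname shape seen above (uppercase, lowercase, digit, lowercase, uppercase, one or two digits), nick cycling within one session, the +i invisibility mode and channel joins, and sums them into a score. The sample capture is reconstructed from the lines above (away message trimmed), the benign capture is constructed, and the identifier regex, the weights and the threshold are my assumptions.

```python
import re

# Randomised identifiers of the "Mq2kC01" / "Px7aW6" shape seen in the capture:
# upper, lower, digit, lower, upper, then one or two digits (assumed pattern).
RANDOM_IDENT = re.compile(r"^[A-Z][a-z]\d[a-z][A-Z]\d{1,2}$")

# Reconstructed from the capture in the post; the AWAY text is trimmed.
SAMPLE_CAPTURE = """\
NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :(away message trimmed)
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx
"""

# Constructed benign session for comparison (not from the post).
BENIGN_CAPTURE = """\
NICK dancho
USER dancho 0 * :Dancho D.
JOIN #security
PRIVMSG #security :hello
"""


def parse_irc_line(line):
    """Split one client->server line into (COMMAND, [params], trailing-or-None)."""
    line = line.strip()
    if not line:
        return None
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:], trailing


def score_capture(capture, threshold=6):
    """Return per-session features and a verdict for a block of captured lines."""
    nicks, realnames, channels = [], [], []
    invisible = False
    for raw in capture.splitlines():
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        cmd, params, trailing = parsed
        if cmd == "NICK":
            nick = params[0] if params else trailing
            if nick:
                nicks.append(nick)
        elif cmd == "USER" and trailing is not None:
            realnames.append(trailing)  # the "realname" field, randomised by the bot
        elif cmd == "JOIN" and params:
            channels.extend(c for c in params[0].split(",") if c.startswith("#"))
        elif cmd == "MODE" and len(params) >= 2:
            # "+i" hides the client from /WHO and /NAMES; bots set it routinely
            if any(f.startswith("+") and "i" in f[1:] for f in params[1:]):
                invisible = True

    random_nicks = sum(1 for n in nicks if RANDOM_IDENT.match(n))
    random_realnames = sum(1 for r in realnames if RANDOM_IDENT.match(r))
    score = (2 * random_nicks                  # generated nick(s)
             + random_realnames                # generated realname(s)
             + (2 if len(nicks) >= 2 else 0)   # nick cycling within one session
             + (1 if invisible else 0)
             + len(channels))                  # joins a channel at all (weak signal)
    return {
        "nicks": nicks,
        "random_nicks": random_nicks,
        "random_realnames": random_realnames,
        "channels": channels,
        "invisible": invisible,
        "score": score,
        "verdict": "likely IRC bot" if score >= threshold else "no verdict",
    }


if __name__ == "__main__":
    for name, cap in (("bot", SAMPLE_CAPTURE), ("benign", BENIGN_CAPTURE)):
        r = score_capture(cap)
        print(f"{name}: score={r['score']} verdict={r['verdict']} channels={r['channels']}")
```

The regex is the weakest part of this: it is tuned to one bot family's generator and a rebuilt bot will change it, whereas nick cycling plus +i plus an immediate JOIN survives recompilation and is what a sensor watching IRC on non-standard ports should key on first.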

This botnet's futile attempt to scale is a great example of the growing importance of knowledge and experience as a key success factor for botnet sustainability, and of a basic economic principle: where no investment is made, there can be no return on it. For contrast, take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at the alternative botnet C&C channels adopted by botnet masters who realize that diversity is vital.

Monday, April 07, 2008

Skype Spamming Tool in the Wild

Have you ever wondered what's contributing to the rise of instant messaging spam (SPIM), and which tools are used to accomplish it? Take this recent proposition for a proprietary Skype spamming tool, and you'll get the point from a do-it-yourself (DIY) perspective. The tool's main differentiator is its wildcard capability: searching for "John" locates every username containing "John" and sends each one a contact authorization request. With a simple timeout between requests, the mass authorization requests go through. The more common the username searched for, the more contacts obtained, who can then be spammed with anything from phishing attempts to live exploit URLs that infect the visitor with malware automatically.

There are, however, two perspectives we should distinguish as separate attack tactics, each requiring a different set of expertise and facing different entry barriers before reaching the efficiency stage. If you find this DIY tool's efficiency disturbing in terms of its ease of use and its potential for spreading malware-serving URLs, consider its logical next stage: the use of botnets for spimming.

Will malware authors, looking for shorter time-to-infect lifecycles, try to replace email as the infection vector of choice with IM applications, which, combined with typosquatting and cybersquatting, could result in faster infections based on impulsive social engineering attacks? Novice botnet masters looking for ways to lay the foundations of their botnet could; the pragmatic attackers, however, will continue using the most efficient and reliable way to infect as many people as possible in the shortest timeframe achievable: injecting or embedding malicious links at legitimate sites.
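
On the defensive side, the tool's signature is a burst of contact (authorization) requests from one account to many usernames that share the searched-for substring. Below is a sliding-window detector for that pattern over a stream of (timestamp, sender, recipient) request events; it is an added example, not anything from the post or from the tool being sold. It raises one alert per sender the first time that sender reaches a threshold of distinct recipients inside the window, and recovers the probable wildcard as the longest substring common to all of them. The events are constructed, and the window, threshold and minimum token length are assumptions.

```python
from collections import defaultdict, deque

# Constructed contact-request events (unix_ts, sender, recipient); not from the post.
SAMPLE_EVENTS = [
    (0, "cheap_meds_4u", "john"),
    (1, "cheap_meds_4u", "john1"),
    (2, "cheap_meds_4u", "johnny"),
    (3, "cheap_meds_4u", "john_smith"),
    (4, "cheap_meds_4u", "bigjohn"),
    (5, "cheap_meds_4u", "john.doe"),
    (6, "cheap_meds_4u", "johnathan"),
    (7, "cheap_meds_4u", "john88"),
    (8, "cheap_meds_4u", "mrjohn"),
    (9, "cheap_meds_4u", "johnson"),
    (3, "alice", "bob"),
    (400, "alice", "carol"),
]


def common_token(names, min_len=3):
    """Longest substring of names[0] present in every other name; '' if none of length >= min_len."""
    base = names[0].lower()
    others = [n.lower() for n in names[1:]]
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            candidate = base[start:start + length]
            if all(candidate in other for other in others):
                return candidate
    return ""


def detect_bursts(events, window=60, threshold=10):
    """Flag senders that reach >= threshold distinct recipients within `window` seconds.

    Returns one alert per offending sender, raised the first time the threshold is crossed.
    """
    recent = defaultdict(deque)   # sender -> deque of (ts, recipient) still inside the window
    alerted = set()
    alerts = []
    for ts, sender, recipient in sorted(events):
        queue = recent[sender]
        queue.append((ts, recipient))
        while queue and ts - queue[0][0] > window:
            queue.popleft()               # expire requests older than the window
        distinct = {r for _, r in queue}
        if len(distinct) >= threshold and sender not in alerted:
            alerted.add(sender)
            recipients = [r for _, r in queue]
            alerts.append({
                "sender": sender,
                "distinct_recipients": len(distinct),
                "window_start": queue[0][0],
                "window_end": ts,
                "token": common_token(recipients),   # the wildcard the spammer searched for
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(f"{alert['sender']}: {alert['distinct_recipients']} recipients in "
              f"{alert['window_end'] - alert['window_start']}s, wildcard={alert['token']!r}")
```

Tuning matters here: the "simple timeout" between requests is exactly what defeats a per-second limit, so the window has to be long relative to the tool's delay. Sixty seconds at ten distinct recipients catches a six-second delay but not a one-per-minute drip; that volume-versus-latency tradeoff is a choice any rate-limit design has to make explicitly rather than inherit from a default.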

Related posts:
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware

Thursday, April 03, 2008

The Cyber Storm II Cyber Exercise

I first blogged about the "Cyber Storm" cyber exercise, which aimed to evaluate the preparedness of several governments for cyber attacks, two years ago, and pointed out that:

"Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure; it would abuse it, use it as a platform. However, building confidence within the departments involved is as important as making them actually communicate with each other."

And while I still stand by this statement, a year later I also pointed out that:

"In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities will win over the country that's dedicating special units to both defensive and offensive activities, something China, which has been copying attitudes from U.S. military thinkers, is already envisioning."

Moreover, Taiwan, too, copying the U.S., performed a cyber warfare exercise codenamed "Hankuang No. 22" (Han Glory) in 2006, fearing cyber warfare attacks from China.

The new "Cyber Storm" cyber exercise is particularly interesting, especially the initiative to measure the response time to an OPSEC violation in the form of sensitive information leaking onto blogs. A very ambitious initiative, given the many other distribution channels, which, when combined in a timely manner, make it virtually impossible to shut down and censor the leaked material. What if it gets spammed out? Moreover, what's a leak to some is transparency into the process for others. Cyber Storm II is already a fact, in any case:

"At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans. 'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise. Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest."

The main issue with this type of cyber exercise is that starting from wrong assumptions undermines a great deal of what follows. Cyber warfare is just an extension of the much broader concept of information warfare, namely lawfare, economic warfare and PSYOPS, ultimately ending in an unrestricted warfare stage. Subverting the enemy without fighting him is what offensive cyber warfare is all about, even if you take the people's information warfare concept as an example: it is a government-tolerated or government-sponsored activity, in which the government subverts the enemy without fighting him by delegating the process to its collectivism-minded citizens. The strong lose, since the adversary abuses the least protected engagement point, thereby undermining the investments made into securing the most visible touch points. A couple of key points to consider regarding the exercise's modelling weaknesses:

- White hats pretending to be black hats simply doesn't work
- A frontal attack against critical infrastructure is pointless; insiders are always there to "take care" of it
- Passive cyber warfare, such as gathering OSINT and conducting espionage through botnets
- Engineering cyber warfare tensions through the use of stepping stones
- Stolen and manipulated data is more valuable than destroyed data
- Lack of intelligence capabilities for building scenarios with a pragmatic blackhat mentality
- Unrestricted warfare must first be understood as a concept, then anticipated as the real threat

From a strategic perspective, securing and fortifying what you control is exactly what the bad guys would simply bypass in their attack process; among the first rules of unrestricted warfare is that there are no rules, the idea being to emphasize adaptation and going a step beyond the adversary's defense systems in place.

Wednesday, April 02, 2008

Quality and Assurance in Malware Attacks

The rise of multiple antivirus scanners and sandboxes as web services did not only increase the productivity of researchers and harness the wisdom of crowds by sharing the submitted samples among all participants; it also, logically, led to the use of these freely available services by malware authors themselves. In fact, a low detection rate is often pointed out as the measure of quality of a crypting service by the authors themselves when advertising their malware or crypting services. And when a popular piece of malware known as Shark introduced built-in VirusTotal submission to verify the low detection rate of a newly generated server, something really had to change, and it did.

At the beginning of 2008, VirusTotal, among the most widely known and used multi-antivirus scanning web services, decided to remove the "Do not distribute the sample" option, directly undermining the malware authors' logical choice of keeping to use the service without sharing their malware with antivirus vendors. The multi-antivirus scanner as a web service is such a popular model that several other such services are available for free, with many underground alternatives for internal quality assurance (QA) purposes. But now that each and every service that comes with a malware product is starting to get commercialized, it is logical to ask how quality-assurance-obsessed malware authors would disintermediate the intermediary to actually break even on their investment in a malware campaign. Would they continue porting malware services to the Web, or would they take some of their QA activities offline?

In the past, there have been numerous underground initiatives to build an offline multi-engine virus scanner; here are some examples courtesy of PandaSecurity's Xabier Francisco, and as you can see in the attached screenshot, development in this area continues, with the following antivirus scanners bundled within this all-in-one offline malware scanner:

"A-Squared, AntiVir, Avast; AVG Anti-Virus Free Edition, BitDefender, Clam Win, Dr.Web, eTrust; F-Prot, Kaspersky Antivirus 7, McAfee, Nod32; Norman, Norton, Panda, QuickHeal, Sophos, TrendMicro, VBA32"

Talking about reactive security: the concept has always been there and will continue to evolve, despite the fact that the most popular online multi-antivirus scanning services have started sharing all submitted samples with the antivirus vendors themselves. And now that malware authors are also starting to understand what behavior-based malware detection is, and how a host-based firewall can prevent their malware from phoning home even after the host is infected, the success rates of their campaigns are bound to improve even before they launch them.

When malware authors start embracing the OODA loop concept (Observe, Orient, Decide, Act), things can get really ugly. Why haven't they done this yet? They keep it simple, and it seems to work just fine in terms of the ROI on their actions. One thing's for sure: malware will start getting benchmarked against each and every antivirus solution and firewall before a campaign launches, in a much more efficient and QA-structured manner than is the case for the time being.

Tuesday, April 01, 2008

HACKED BY THE RBN!

The RBN 0wnZ 7th1$ Bl0g! April 1st, 2008, St. Petersburg, Russia. The Russian Business Network, an internationally renowned cyber crime powerhouse, is proud to present its very latest malware cocktail by embedding live exploit URLs within one of the top ten blogs to be malware-embedded due to their overall negative attitude towards the RBN's operational activities. A negative attitude that's been nailing down the RBN's cyber coffin since early 2007, prompting us to hire extra personnel and thereby increasing our operational costs.

Hijacked readers of this blog who execute the setup files below (harmless only on a backed-up VMware PC) will not just strengthen our relationship by having their computer contact ours, but will also help us pay for the infrastructure we use to host these files, and let us continue maintaining our 99% uptime even in times of large-scale negative attitude against our business services.

How can you, too, support the RBN, just like the hundreds of thousands of customers whose computers are already connecting to ours? Do the following:

- Execute our very latest, small sized executable files and let them do their job

58.65.239.42/jdk7dx/ inst250.exe
58.65.239.42/jdk7dx/ alexey.exe
58.65.239.42/jdk7dx/ 6.exe
58.65.239.42/jdk7dx/ 1103.exe
58.65.239.42/jdk7dx/ eagle.exe
58.65.239.42/jdk7dx/ krab.exe
58.65.239.42/jdk7dx/ win32.exe
58.65.239.42/jdk7dx/ pinch.exe
58.65.239.42/jdk7dx/ ldig0031242.exe
58.65.239.42/jdk7dx/ 64.exe
58.65.239.42/jdk7dx/ system.exe
58.65.239.42/jdk7dx/ bhos.exe
58.65.239.42/jdk7dx/ bho.exe

- Once you've executed them, make sure you initiate an e-banking transaction right away. Do not worry, you don't need to give us your banking details for the donation; we already have them, and will equally distribute your income by meeting our financial objectives

- Now that you're done transferring money, authenticate yourself at each and every web service you've ever used. Trust is vital, and just as we've trusted you by providing you with our latest small-sized executable files, it's your turn to trust us when we ask you to do so

- Don't forget to plug in any kind of writable removable media once you've executed the files above, as we'd really like to deepen our relationship by storing them there and having them execute automatically the next time you plug in your removable media

- Sharing is what drives our business. Just as we've shared with and trusted you by providing direct links to our executables, we know you wouldn't mind sharing some of that free hard disk space of yours for our own distributed hosting purposes

Stop hating and start participating, join our botnet TODAY! Don't forget: diamonds degrade, but hosting services courtesy of the RBN are forever!

Sincerely yours,
"HostFresh" - RBN's Hong Kong subsidiary

Cybersquatting Symantec's Norton AntiVirus

For the purpose of what? Upcoming fraudulent activities, again courtesy of Interactivebrands' undercover domain portfolio, which has registered the following domains cybersquatting Norton AntiVirus, next to the PandaSecurity and McAfee ones I listed in a previous post:

antivirus-norton.org
norton-2007.org
norton-antivirus-2007.org
norton-virus-scan.org
nortonsecurityscan.org
norton-antivirus-2007.net
norton-antivirus-2008.net
norton2008.net
nortonantivirus2007.net
nortonantivirus2008.net
nortonsecurityscan.net
norton-2008.com
norton-antivirus2007.com
norton-virus-scan.com
nortonsecurity2008.com

Registered and again operated by:

Interactivebrands
Tech City:St-Laurent
Tech State/Province:Quebec
Tech Postal Code:H4L4V5
Tech Country:CA
Tech Phone:+1.5147332556
Tech FAX:+1.5147332533
Tech Email:admindns @ interactivebrands.com

Now that's a proactive response to another upcoming scam, and here are some comments on one of the domains.
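
A proactive check for the pattern above, as an added example (not something the post or the registrar published): generate the cybersquat permutations a brand-protection team would watch for (brand plus product term plus model year, in either order, with every hyphenation choice, across .com, .net and .org) and intersect them with a registrant's portfolio. The product terms, years and TLDs are assumptions tuned to the Norton list above; the portfolio is the list from the post.

```python
import itertools

BRAND = "norton"
# Assumed term lists, tuned to the portfolio above; each product term is a token list
# so that "virus-scan" can be hyphenated or run together independently of the brand.
PRODUCT_TERMS = [[], ["antivirus"], ["virus", "scan"], ["security", "scan"], ["security"]]
YEARS = ["", "2007", "2008"]
TLDS = ["com", "net", "org"]

# The fifteen domains listed in the post.
PORTFOLIO = [
    "antivirus-norton.org", "norton-2007.org", "norton-antivirus-2007.org",
    "norton-virus-scan.org", "nortonsecurityscan.org", "norton-antivirus-2007.net",
    "norton-antivirus-2008.net", "norton2008.net", "nortonantivirus2007.net",
    "nortonantivirus2008.net", "nortonsecurityscan.net", "norton-2008.com",
    "norton-antivirus2007.com", "norton-virus-scan.com", "nortonsecurity2008.com",
]


def hyphen_variants(tokens):
    """Every way of joining `tokens` with '' or '-' between each adjacent pair."""
    if len(tokens) == 1:
        return {tokens[0]}
    variants = set()
    for seps in itertools.product(["", "-"], repeat=len(tokens) - 1):
        label = tokens[0]
        for sep, tok in zip(seps, tokens[1:]):
            label += sep + tok
        variants.add(label)
    return variants


def squat_candidates(brand=BRAND, products=PRODUCT_TERMS, years=YEARS, tlds=TLDS):
    """Set of brand+product(+year) domains in brand-first and product-first order."""
    labels = set()
    for product in products:
        for year in years:
            suffix = [year] if year else []
            orderings = [[brand] + product + suffix]
            if product:
                orderings.append(product + [brand] + suffix)
            for tokens in orderings:
                if tokens == [brand]:
                    continue  # the bare brand is the legitimate domain, not a squat
                labels |= hyphen_variants(tokens)
    return {f"{label}.{tld}" for label in labels for tld in tlds}


def flag_portfolio(domains, brand=BRAND):
    """Return the registrant's domains that fall inside the generated squat space."""
    candidates = squat_candidates(brand)
    return sorted({d.strip().lower() for d in domains} & candidates)


if __name__ == "__main__":
    flagged = flag_portfolio(PORTFOLIO)
    print(f"{len(flagged)}/{len(PORTFOLIO)} domains match the {BRAND} squat space:")
    for domain in flagged:
        print(" ", domain)
```

The generator is deliberately narrow: it catches the hyphen, year and product-term permutations this registrant used, not typo variants (nortn, n0rton) or extra words such as "free" or "download", which need their own term lists. Run against a registrar's daily zone-file diff rather than a known-bad portfolio, it is the "proactive response" the post refers to.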