Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, April 28, 2008

DIY Exploit Embedding Tool - A Proprietary Release

Remember the reprospective on DIY exploit embedding tools, those cybercrime 1.0 point'n'click exploits serving generators? Despite that the cybercrime 2.0 has to do with malicious economies of scale, that is the use of web malware exploitation kits compared to their 1.0 alternative, the DIY tools, such tools continue to be developed, like this proprietary one including sixteen exploits for the buyer to take advantage of, if she's willing to invest £100 (GBP) of course. Exploits listed :

- D-Link MPEG4 VAPGDecoder ActiveX
- Macrovision Installshield ActiveX
- MySpace Uploader ActiveX
- Symantec BackupExec ActiveX
- Yahoo! JukeBox ActiveX
- Microsoft Works ActiveX (0day)
- Microsoft Internet Explorer MS06-014 (MDAC)
- Microsoft Internet Explorer MS07-009
- Facebook Uploader ActiveX
- Microsoft DirectSpeechSynthesis ActiveX
- Realplayer ActiveX
- WinZip FileView ActiveX
- Yahoo Messenger Webcam ActiveX
- Microsoft Internet Explorer MS06-013
- Microsoft Internet Explorer MS07-004
- Microsoft Internet Explorer MS07-055

With the now commodity web malware exploitation kits and their modularity streamlining "innovation" in the field, such DIY tools are only a fad compared to malicious parties' interest in exploiting as many people as possible, without putting extra efforts in the process (malicious economies of scale). And with the overall proliferation of client-side vulnerabilities, and the surprisingly high success rate of exploiting outdated and already patched vulnerabilities on a large scale (Stormy Wormy), ensuring your client-side applications are vulnerable to zero days only is highly recommended.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Web Site Defacement Groups Going Phishing

Following a recent post commenting on changing phishing tactics, more evidence of web site defacement groups' vertical integration in the underground market in respect to hosting phishing pages on the defaced hosts, is starting to emerge. Take for instance yet another currently live phishing page - bamaangels.net/photogallery/content/Models/Brigitte/boa. The site is known to has been defaced in the past, and it looks like it's been re-defaced again, this time hosting a single phishing page within, compared to the examples I provided in a previous post. The current defacement located at - bamaangels.net/photogallery/content/Models/Brigitte/deface.htm - reads :

"Defaced by Zeus ;) contacto: z3us @ live.com Saludos: Juan Pablo :D"

The fact that web site defacements groups are going into phishing, and as we've already seen numerous times, abusing the access to the host to serve malware, with their malicious economies of scale type of automated defacement approaches and web application vulnerabilities exploitation, this is only going to get worse. One thing's for sure - phishers, spammers, malwaware authors, and now web site defacements groups are consolidating, or even if there are exceptions, those exceptions are figuring out how to vertically integrate and build the capability to participate in multiple malicious activities simultaneously.

Dancho Danchev

Sunday, April 27, 2008

The FirePack Exploitation Kit - Part Two

Has the web malware exploitations kits cash bubble popped already? A recently released, yet another proprietary version of the Firepack malware exploitation kit and its largely decreased price from the original one, which in February was $3000, speaks for itself. Firepack's original version was a great example of biased exclusiveness on behalf of the malicious parties, wanting to quickly cash in by pitching a new and undetected malware kit, and literally zero differentiaton factor next to now commodity web malware exploitations kits such as IcePack and MPack.

The original Firepack kit came with six exploits included within, and more to come in the scheduled updates to come. The exploits, and the current signature based detection rates are as follows :

FF5B341AC.php - MSIE 6
EF57CCF90.php - MSIE 7
EF57CCF90.php - Firefox 1
CCF45A00D.php - Firefox 2
CCF45A00D.php - Opera 7
99FFC5BA4.php - Opera 9

00FAA7CF5.php
Scanners result : 11/32 (34.38%)
HTML/MS06006.DF!exploit; Exploit-MS06-006.gen
File size: 3685 bytes
MD5...: ed71d57ddf70a5993b34e3bbcda23f2d
SHA1..: cc0eceb9e8cc3475752c959be70204b6f4d82168

99FFC5BA4.php
Scanners result : 6/32 (18.75%)
Trojan.DL.Script.JS.Agent.low; Exploit-OperaTN
File size: 1815 bytes
MD5...: 166fa42343dd59d941e24177a0da9102
SHA1..: e85701841a40c0017c06e2feb023272bff1b06f1

CCF45A00D.php
Scanners result : 15/32 (46.88%)
HTML/MS06006.BB!exploit; Exploit:JS/ShellCode.A
File size: 5861 bytes
MD5...: 9a6fe9ce8ed521ceb499954c944be812
SHA1..: 4ad63cc7ee602b2f57032b4e524064ac459df150

EF57CCF90.php
Scanners result : 18/30 (60%)
JS/MS05-054!exploit; Exp/MS06071-A
File size: 6996 bytes
MD5...: e5e3623838da4d0b7922a3cde229c7c3
SHA1..: 2d951f1368311873321b6bfc292644b090f93305

FF5B341AC.php
Scanners result : 10/32 (31.25%)
Generic.XPL.ADODB.42D1EF40; Exploit-MS06-014
File size: 2123 bytes
MD5...: bac1e03a64ba47a3005d435af8954cd6
SHA1..: e46afa408445ac5f2331119b746605a4bf8d0904

The latest release offered for $300, is entirely Internet Explorer centered, including all of the publicly available exploits for IE6 and IE7, with the natural modularity so that the buyer can include any set of exploits to serve of a large scale.

A proprietary tool or a service does not necessarily mean it outpaces a free one in terms of quality and reliability. Then again, when there's demand for web malware exploitation kits, there's also supply of what looks like commodity ones for the time being. The irony is what the sellers of these could actually be making more money from the services that they offer with the kit, than from volume based selling of the kits. What's to come? Hybrid web malware exploitation kits with all-in-one exploits set on a per OS, and software, not just browser basis, putting the emphasis on client side vulnerabilities even better.

The IcePack Malware Kit in Action

MPack and IcePack Localized to Chinese

Dancho Danchev

Saturday, April 26, 2008

A Botnet Master's To-Do List

Directory climbing it all of its simplicity, and OSINT quality, just like it's happened before.

The process of developing malware bots that would either succeed based on the diversification of the spreading and infection vectors used, or end up as a backdoor-ed commodity for experienced botnet masters to sent to novice ones, is entirely up to the coder, or perhaps module copy and paster. Some are going as far as implementing quality assurance approaches to ensure their malware has the lowest possible detection rate, before spreading it, on the anti malware and firewall level, while others are benchmarking and setting strategic objectives to achieve before starting the process itself.

However, there are also wannabe botnet masters whose lack of understanding of the different between project management and "to-do list organization", and of course, setting their directory permissions right, leads us to a a first-hand malware bot's to-do list courtesy of the coder itself. Here's the to-do list itself, with all the static and variable features :

Spreading the malware
- NetAPI spreading
- VNC spreading
- MSN spreading
- ICQ spreading
- Email spreading
- Seeding via torrent (warez)
- Downloading (ftp & http)

DDoS features
- general ddos attacks (udp&tcp)
- tsunami ddos (push +ack flood)

Scanning features
- latest vulnerabilities scan
- exploits scann for homepages (php/perl/cgi scripts (not a priority)

Sniffers and interceptors
- bank sniffer & readers
- paypal
- boa
- egold
- nationwide
- usw.
- game reader
- steam

Misc features
- encrypted config
- better clonning function (with timer based join (no massjoin)) + fixed channel messages
- noise at network sniffer (e.g.: honeypot (tool either shutdown and/or blocked))
- invisible to task manager
- more configuration settings
- melt exe on startup (true/false)
- startup (error) message editable (e.g.: (you need windows vista to run this programm) or (successfully installed))
- undetected source code

And while this wannabe botnet master is trying to achieve self-sufficiency, thereby slowing down the development process, others are not so close minded and are actively building communities around their malware botnets by releasing the source code for free, enjoying the innovation added by third party coders wanting to contribute to the community, where the bottom line is the inevitable localization of the bot to other languages once enough features have been developed to distinguish it among the rest of the commodity malware bots.

From a wannabe botnet master's perspective, the more propagation vectors added, the higher the probability for infection, however, the probability for infection is also proportional with the probability for detection on behalf of researcher's and vendors honeyfarms. And therefore, would less noise would mean slow infection rate, but higher lifecycle due to the less noise generated? The Stormy Wormy people for instance entirely relied on perhaps the most noise generation method - email distribution with malware hosted on IPs, however, their persistence and strategy to put more efforts into ensuring that no matter samples get obtained in the first couple of minutes a campaign is launched, the botnet itself should be harder to shut down.

Dancho Danchev

Thursday, April 24, 2008

Crimeware in the Middle - Zeus

Virtual greed, or response rate optimization? The idea of converging phishing emails with embedded exploits and banking malware is nothing new, in fact phishers realizing that combining attack approaches can increase the chance of achieving their objective which in this case is either logging the authentication process or hijacking it, often forget that the phishing email could have succeeded without the embedded malware or exploit, which in many cases would have triggered an alarm.

Yesterday, Uriel Maimon posted an overview of the convergence of Rock Phish emails with Zeus, a crimeware kit used to deliver banking trojans :

"The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the features-list goes on. As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment)."

We cannot talk about Zeus unless we compare it to another such crimeware kit serving banking trojans, in this the Metaphisher kit. Metaphisher is particularly interested because of its much more customized GUI, it's modular nature, allowing its sellers to lower or increase the price depending on which modules you'd like included, and which ones you'd like excluded, where a module means a preconfigured fakes, TANs, and phishing pages for all the banks in a country of choice. Moreover, despite that both, Zeus and Metaphisher are open source, and therefore malicious parties visionary enough to build communities around their kits in order to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community next to Zeus, considered as the MPack in the web malware exploitations kits, namely a bit of an outdated commodity that is of course still capable of doing what does best - hijacking E-banking sessions and logging them to the level of impersonation.

How are the authors of Zeus describing the kit themselves? Here's a description :

"ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not):

Bot: - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).

- There has its own process, through this can not be detected in the process list.
- Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.
- Difficult to detect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
- Nevid ekvaristiki for antivirus, Bot body is encrypted.
- Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.
- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
- All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).
- Detecting NAT through verification of their IP through your preferred site.
- A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will apply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
- Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
- Intercepting POST-data + interception hitting (including inserted data from the clipboard).
- Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).
- Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.
- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
- Customizable TAN-grabber for any country.
- Obtaining a list of questions and answers in the bank "Bank Of America" after successful authentication.
- Removing POST-needed data on the right URL.
- Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.
- Receiving certificates from the repository "MY" (certificates marked "No exports" are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.
- Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.
- Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.
- Keeps contents Protected Storage at first start the computer.
- Removes S ookies from the cache when Internet Explorer first run on a computer.
- Search on the logical disk files by mask or download a specific file.
- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim's computer in real time, the computer must be located outside the NAT.
- Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).
- Socks4-server.
- HTTP (S) PROXY-server.
- Bot Upgrading to the latest version (URL new version set in the configuration file)."

What's most important to keep in mind in regarding to these crimeware kits, is that the sellers are shifting from product-centered to service-centered propositions, and while an year ago they would have been selling the kit only, today they've realized that it's the output of the kit in terms of logged stolen accounting data that they're selling. Committing identity theft and abusing stolen E-banking accounting data is already a service, compared to the product it used to be.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key
Nuclear Grabber Kit
Apophis Kit

Dancho Danchev

Wednesday, April 23, 2008

The United Nations Serving Malware

Yet another massive SQL injection attack is making its rounds online, and this time without the SEO poisoning as an attack tactic, has managed to successfully infect the United Nations events page, which is now also marked as malware infected page, and with a reason since both the malicious URl and the injection are still active. According to WebSense :

"This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too. "

Let's assess the malicious injection. nihaorr1.com/ 1.js (219.153.46.28) is attempting to load nihaorr1.com/ 1.htm, where several other internal exploit serving URLs and javascript obfuscations load through IFRAMES, such as :

nihaorr1.com/ Real.gif
nihaorr1.com/ Yahoo.php
nihaorr1.com/ cuteqq.htm
nihaorr1.com/ Ms07055.htm
nihaorr1.com/ Ms07033.htm
nihaorr1.com/ Ms07018.htm
nihaorr1.com/ Ms07004.htm
nihaorr1.com/ Ajax.htm
nihaorr1.com/ Ms06014.htm
nihaorr1.com/ Bfyy.htm
nihaorr1.com/ Lz.htm
nihaorr1.com/ Pps.htm
nihaorr1.com/ XunLei.htm

and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) :

Scanners Result: 18/32 (56.25%) :
W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr
File size: 24667 bytes
MD5...: 4b913be127d648373e511974351ff04e
SHA1..: 0ab703c93e3ad7c03d1aae5ea394d7db3b89bfd2

Another internal IFRAME serving exploits is also loading at haoliuliang.net, gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served :

Scanners Result: 26/32 (81.25%)
Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
File size: 7205 bytes
MD5...: af05c777700b338f428463e56f316a05
SHA1..: bd68f621ec6c9796afa8b766c6cf4167afbd4703

As it appears, everyone's a victim of web application vulnerabilities discovered automatically, and either filtered based on high-page rank, or trying to take advantage of the long-tail of SQL injected sites to compensate for the lack of vulnerable high profile sites.

Related posts:
UNICEF Too IFRAME Injected and SEO Poisoned
Embedded Malware at Bloggies Awards Site
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Dancho Danchev