Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, May 26, 2008

How Does a Botnet with 100k Infected PCs Look Like?

Digitally ugly for sure, the point is that this malware campaign has been spreading pretty rapidly over MSN and AIM as of recently, and with its success rate so efficiently infecting new hosts, that going through chat logs indicates the botnet master's will to stop spreading it as there are simply too many hosts getting infected faster than he had anticipated at the first place. Ironic, but a perfect example of what happens once the entry barriers into a certain market segment of the IT underground have been lowered to the stage where, it's not about having the capabilities, but the motive to embrace the success rate, like this case.

Botnet masters are also masters in social engineering. Apparently, the success rate for this campaign is so high due to its social engineering tactic, which in this case is to establish as many touch points with the potential victim as possible, and also, entice clicking on a commonly accepted as harmless .php file followed by the victim's username in a username@hotmail.com fashion.

What you see is not always what you get, especially with more and more droppers requesting other malware with image file extensions, which gets locally saved in its real nature - %Windir%\Media\System.exe for instance.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Friday, May 23, 2008

The Icepack Exploitation Kit Localized to French

Bonjour! In a surprising move by the French blackhats, the Icepack web malware exploitation kit has been localized to French, further expanding the list of malware kits localized to foreign languages, and confirming the localization trend (page 18). Localization has been silently taking plance in the IT underground for the last couple of years, and as of recently going mainstream, followed by the localization of such popular web malware exploitation kits such as MPack, Icepack and Firepack, all to Chinese.

The long term impact of localization will improve the communication between those offering malicious services, and those looking for them in their native language. For instance, the sites of certain malicious services are already available in several different languages, and the quality of the translation is courtesy of available translation services provided by native speakers.

Moreover, breaking the language barrier doesn't just expand the market, but also, improves targeting for malware, spam, and phishing campaigns, where a truly professional campaign would speak the native language so naturally, it would leave the receipt with the feeling that it's originating from somewhere within their homeland. In reality though, the malicious parties behind it, or the managed spam providers vertically integrating to offer translations services, would be on the other side of the planet.

Dancho Danchev

Thursday, May 22, 2008

Malware Domains Used in the SQL Injection Attacks

Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
qiqi111.cn
banner82.com s
meisp.cn
okey123.cn
b.kaobt.cn
nihao112.com
al.99.vc
aidushu.net
chliyi.com
free.edivid.info
52-o.cn
actualization.cn
d39.6600.org
h28.8800.org
ucmal.com
t.uc8010.com
dota11.cn
bc0.cn
adword71.com
killpp.cn
w11.6600.org
usuc.us
msshamof.com
newasp.com.cn
wowgm2.cn
mm.jsjwh.com.cn
17ge.cn
adword72.com
117275.cn
vb008.cn
wow112.cn
nihaoel3.com

Some new additions that I'm tracking :

a.13175.com
r.you30.cn
d39.6600.org
001yl.com
free.edivid.info
aaa.1l1l1l.Com/error/404.html
cc.buhaoyishi.com/one/hao5.htm?015
aaa.77xxmm.cn/new858.htm?075
llSging.com/ww/new05.htm?075
shIjIedIyI.net/one/hao8.htm?005
congtouzaIlaI.net/one/hao8.htm?005
aa.llsging.com/ww/new05.hTm?075

The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post.

Dancho Danchev

Wednesday, May 21, 2008

Yet Another DIY Proprietary Malware Builder

Following the most recent proprietary web malware exploitation kits, and DIY malware tools found in the wild, this is among the latest malware builders with a special emphasis on spreading from PCs to USB mass storage devices, and from USB mass storage devices to PCs. On 2008/04/28 when a sample generated binary was checked with multiple antivirus scanners, the detection was 2/32 with Panda Security and F-Secure detecting it, according to the seller of the builder.

For the time being, malware authors continue emphasizing on the product concept, namely they build a malware based on their perception of what a malware should constitute of, then start offering it for sale as well as it's source code. In the long-term however, based on the increasing number of malware and spyware coding on demand, malware authors would undoubtedly embrace the customerization concept and start putting more efforts into figuring out what the customer really want compared to their current "built it, price, advertise it" and they'll come mentality.

Moreover, despite the generated buzz over the Zeus banker malware and its copyright notice, Zeus remains publicly available, and so is its source code, placing it under the open-source malware segment. So emphasizing on how malware authors are trying to protect their work is exactly what's not happening right now. Releasing it in open-source form increases its life cycle, and both, the original authors, and the community build around the malware benefit from the new features introduced within.

And now that the most popular web malware exploitation kits are already localized to Chinese due to their open-source nature, making it harder to maintain a decent situational awareness on the new features introduced courtesy of third-party coders, we may that easily see Zeus localized to Chinese as well. It's a trend, not a fad.

Dancho Danchev

The Whitehouse.org Serving Malware

The Whitehouse.org a parody site of the original Whitehouse.gov is serving malware. From TrendMicro's blog :

"According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to harbor some malicious, obfuscated JavaScript code which “background downloads” code to unsuspecting visitors of the site, where a malicious file is downloaded (which is detected by Trend Micro as TROJ_DELF.GKP ). Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned."

The malicious domain embedded within the site ad.ox88.info/13.htm (67.15.212.150) is using Mal/ObfJS-AP/Exploit:HTML/AdoStream to serve the malware, whereas the domain itself is using DNS servers known to provide service to malicious domains from previous malware embedded attacks that I've been assessing.

Dancho Danchev

Tuesday, May 20, 2008

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.

Go through the complete post - Pro-Serbian hacktivists attacking albanian web sites.

Related posts:

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists

Dancho Danchev