Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

This summary is not available. Please click here to view the post.

Domains Serving Internet Explorer Zero Day in December

December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL to target international sites, with the rest injected at Asian sites only.

This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :

SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm

Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
17gamo .com/1.js
s4d. in/h.js
dbios .org/h.js
armsart .com/h.js
acglgoa .com/h.js
9i5t .cn/a.js
qq117cc .cn/k.js
s800qn .cn/csrss/w.js
twwen .com/1.js
s.shunxing .com.cn/s.js
ko118 .cn/a.js
s.shunxing .com.cn/s.js
17aq .com/17aq/a.js
s.kaisimi .net/s.js
sshanghai .com/s.js
s.ardoshanghai .com/s.js
s.cawjb .com/s.js
mysy8 .com/1/1.js
mvoyo .com/1.js
nmidahena .com/1.js
tjwh202.162 .ns98.cn/1.js

Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Dissecting the Bogus LinkedIn Profiles Malware Campaign

Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio.

Domains used on the bogus profiles :
sextapegirls .net (88.214.200.5)
celebsvids .net (216.195.57.47)
katynude .com (216.195.57.47)
delshikandco .com (82.103.132.114)

All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.

Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (69.59.21.247) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served.

The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds .com/in.cgi?6 (64.27.28.225), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (94.247.3.232) which a copy of Win32/Renos.

The downloader then phones back to :
dasgdasg .net (91.205.96.12)
new-york-images .com (89.149.207.114)
future-pictures .com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com

193.142.244.17

Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:

94.247.3.228
files-upload-21 .com
downloabsecurehere1 .com
downloabsecurehere2 .com
downloabsecurehere3 .com
downloabsecurehere4 .com
fast-download-base-free .com
download-all4free .com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now. com
download-allsoftnow .com
downloadallsoftnow .com
soft-4-you-download .net
get-files-4free .net
download-top-software .net
files-download-arch .net
download-files-bak .net
download-files-plus .net
pure-download-new .net

69.59.21.247
uni-tube-911 .com
bestmytubeonilne1 .com
bestmytubeonilne2 .com
bestmytubeonilne3 .com
mybest-pov-tube .com
my-bestpov-tube .com
u-tube-verse .com
tubeger .com
tube-4-free-center .com
tube-4you-best .com
tube-hu .com
tube-more-sex .com
quickly-porn-tube .net
fast-xxx-tube .net
tube-chick .net
tube-free-4-adult .net

antivir-av-toolz .net
scanner-pc-toolz .net
av-scan-soft .net
av-scan-here .net
anti-vir-toolz .com
freenonline-scannerw .com
freenonline-scanner .com
av-mc-antivir-checker .com
freenonline-scannera .com
bestmyscanneronilne3 .com
bestmytubeonilne3 .com
bestmyscanneronilne2 .com
bestmytubeonilne2 .com

94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009 .com
exefileshere2009 .com
bestfilesarchive2009 .com
softwareviewers2009 .com
filesinnet4you2009 .com
downloadfilesservice .com
jetexestorage .com
clickandgetfile .com
secretfilesstoragehere .com
x-filesstorehere .com
filesportalhere .com
exefileshere .com
extrafilesonlyhere .com
pornexearchive .com
viewerarchive .com
crystalfilesarchive .com
download2009exe .com
3d-softwareportal .com
downloadfilesportal .com
exesoftportal .com
softwareportalexefiles .com
becollectionoffiles .com
extracoolfiles .com
freepornclips2u .com
filesstorage4you.com
downloadexenow .com

The same people, the same tactics, different domains and netblocks used.

Summarizing Zero Day's Posts for December

The following is a brief summary of all of my posts at Zero Day for December, 2008. You can also go through previous summaries for November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from the ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft) and Gmail, Yahoo and Hotmail systematically abused by spammers.

01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search (finally) adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit

Squeezing the Cybercrime Ecosystem in 2009

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, neither would his customers base disappear, so stating that it's shut down in reality means that it's currently active at another location which the owner quickly communicates to the customers base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.

Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts:
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods

Squeezing the Cybecrime Ecosystem in 2009

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, neither would his customers base disappear, so stating that it's shut down in reality means that it's currently active at another location which the owner quickly communicates to the customers base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.

Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts:
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods