Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, January 19, 2009

A Diverse Portfolio of Fake Security Software - Part Fourteen

The following currently active fake security software domains have been included within ongoing blackhat SEO campaigns, among the many other tactics that they use in order to attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software domains series is prone to expand throughout the year.

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com

Domain owner:
Name: Aennova M Decisionware
Organization: NA
Address: Rua Maestro Cardim 1101 cj. 112
City: Sgo Paulo
Province/state: NA
Country: BR
Postal Code: 01323
Phone: +5.5113245388
Fax: +5.5113245388
Email: victor@aennovas.com

rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com

Domain owner:
Vadim Selin anzo45@freebbmail.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
ru

antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com

Domain owner:
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Email: promasteryouth@gmail.com

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then.

Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.

Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.

Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank.

Dancho Danchev

Wednesday, January 14, 2009

Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

This summary is not available. Please click here to view the post.

Dancho Danchev

Domains Serving Internet Explorer Zero Day in December

December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL to target international sites, with the rest injected at Asian sites only.

This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :

SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm

Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
17gamo .com/1.js
s4d. in/h.js
dbios .org/h.js
armsart .com/h.js
acglgoa .com/h.js
9i5t .cn/a.js
qq117cc .cn/k.js
s800qn .cn/csrss/w.js
twwen .com/1.js
s.shunxing .com.cn/s.js
ko118 .cn/a.js
s.shunxing .com.cn/s.js
17aq .com/17aq/a.js
s.kaisimi .net/s.js
sshanghai .com/s.js
s.ardoshanghai .com/s.js
s.cawjb .com/s.js
mysy8 .com/1/1.js
mvoyo .com/1.js
nmidahena .com/1.js
tjwh202.162 .ns98.cn/1.js

Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Dancho Danchev

Wednesday, January 07, 2009

Dissecting the Bogus LinkedIn Profiles Malware Campaign

Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio.

Domains used on the bogus profiles :
sextapegirls .net (88.214.200.5)
celebsvids .net (216.195.57.47)
katynude .com (216.195.57.47)
delshikandco .com (82.103.132.114)

All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.

Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (69.59.21.247) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served.

The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds .com/in.cgi?6 (64.27.28.225), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (94.247.3.232) which a copy of Win32/Renos.

The downloader then phones back to :
dasgdasg .net (91.205.96.12)
new-york-images .com (89.149.207.114)
future-pictures .com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com

193.142.244.17

Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:

94.247.3.228
files-upload-21 .com
downloabsecurehere1 .com
downloabsecurehere2 .com
downloabsecurehere3 .com
downloabsecurehere4 .com
fast-download-base-free .com
download-all4free .com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now. com
download-allsoftnow .com
downloadallsoftnow .com
soft-4-you-download .net
get-files-4free .net
download-top-software .net
files-download-arch .net
download-files-bak .net
download-files-plus .net
pure-download-new .net

69.59.21.247
uni-tube-911 .com
bestmytubeonilne1 .com
bestmytubeonilne2 .com
bestmytubeonilne3 .com
mybest-pov-tube .com
my-bestpov-tube .com
u-tube-verse .com
tubeger .com
tube-4-free-center .com
tube-4you-best .com
tube-hu .com
tube-more-sex .com
quickly-porn-tube .net
fast-xxx-tube .net
tube-chick .net
tube-free-4-adult .net

antivir-av-toolz .net
scanner-pc-toolz .net
av-scan-soft .net
av-scan-here .net
anti-vir-toolz .com
freenonline-scannerw .com
freenonline-scanner .com
av-mc-antivir-checker .com
freenonline-scannera .com
bestmyscanneronilne3 .com
bestmytubeonilne3 .com
bestmyscanneronilne2 .com
bestmytubeonilne2 .com

94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009 .com
exefileshere2009 .com
bestfilesarchive2009 .com
softwareviewers2009 .com
filesinnet4you2009 .com
downloadfilesservice .com
jetexestorage .com
clickandgetfile .com
secretfilesstoragehere .com
x-filesstorehere .com
filesportalhere .com
exefileshere .com
extrafilesonlyhere .com
pornexearchive .com
viewerarchive .com
crystalfilesarchive .com
download2009exe .com
3d-softwareportal .com
downloadfilesportal .com
exesoftportal .com
softwareportalexefiles .com
becollectionoffiles .com
extracoolfiles .com
freepornclips2u .com
filesstorage4you.com
downloadexenow .com

The same people, the same tactics, different domains and netblocks used.

Dancho Danchev

Tuesday, January 06, 2009

Summarizing Zero Day's Posts for December

The following is a brief summary of all of my posts at Zero Day for December, 2008. You can also go through previous summaries for November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from the ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft) and Gmail, Yahoo and Hotmail systematically abused by spammers.

01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search (finally) adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit

Dancho Danchev