Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, February 02, 2009

The Template-ization of Malware Serving Sites - Part Two

The growing use of "visual social engineering" in the form of legitimately looking codecs, flash player error screens, adult web sites, and YouTube windows in order to forward the infection process to the end use himself, is the direct result of the ongoing template-ization of malware serving sites. This standardizing is all about achieving efficiency, in this case, coming up with high-quality and legitimately looking templates impersonating the average Internet user by enjoying the clean reputation of the impersonated service in question.

The attached screenshot of very latest DIY windows media player with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped-off from a competing affiliate network participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will.

Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.

Portfolio of fake codecs serving domains parked at the original mirrored domain's IP :
xxxporn-tube .com (93.190.140.56)
uporntube-07 .com
tubeporn08 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
allsoft-free .com
all-softfree .com
lsoftfree .com
porntubenew .com

Download locations :
brakeextra .com/download/FlashPlayer.v..exe (94.247.2.183)
brakeextra .com/download/TestCodec.v.3.127.exe

Entire portfolio of domains parked at (94.247.2.183) :
brakeextra .com
thebestporndump2 .com
fire-extra .com
xp-extra .com
delfiextra .com
qazextra .com
track-end .com
fire-movie .com
extrabrake .com
crack-serial-keygen-online .com
extra-turbo .com
extra-nitro .com
apple-player .com
meggauploads .com
soft-free-updates .com
quicktimesoft .com
cleanmovie .net
nitromovie .net
trackgame .net
quotre .net
rexato .net
spacekeys .net

Dots, dots dots, trackgame .net is once again proving the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search queries poisoning attacks.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Wednesday, January 28, 2009

Poisoned Search Queries at Google Video Serving Malware

UPDATE: A recently published article at the Register by John Leyden incorrectly states that "researchers at Trend Micro discovered that around 400,000 queries returning malicious results that lead to a single redirection point" wherease the researchers in question went public with the attack data on the 27th of January, and then again on the 28th of January.

This isn't the first time the Register shows an oudated siatuational awareness, following the two month-old coverage of a proprietary email and personal information harvesting tool, which I extensively covered in between receiving comments from one of the affected sites.

A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template. (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video.

Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out that is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video, if he or a researcher isn't based on a simple http referer check, a legitimate YouTube video is served.

Upon clicking on the video from any of their publisher domains, the user is taken to porncowboys .net/continue.php (94.247.2.34) then forwarded do xfucked .org/video.php?genre=babes&id=7375 (94.247.2.34) to have the binary served at trackgame .net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. Detection rate for the flash player.

The malware publisher domains crawled by Google Video redirecting to the bogus flash player :
nudistxxx .net - 22,000 bogus video titles
realsexygirls .net - 21,000 bogus video titles
trulysexy .net - 27,100 bogus video titles
madsexygirls .net - 18,900 bogus video titles
mypornoplace .net - 25,700 bogus video titles
hotcasinoxxx .net - 28,900 bogus video titles
hotgirlstube .net - 37,900 bogus video titles
xgirlplayground .com - 50,600 bogus video titles
puresextube .net - 20,700 bogus video titles
xxxtube4u .com - 11,400 bogus video titles
sexygirlstube .net - 63,100 bogus video titles
xporntube .org - 12,800 bogus video titles
xxxgirls .name - 33,500 bogus video titles
girlyvideos .net - 37,500 bogus video titles
mytubecentral .net - 38,900 bogus video titles
puresextube .net - 20,700 bogus video titles
teencamtube .com - 18,400 bogus video titles
celebtube .org - 41,100 bogus video titles
truexx .com - 16,900 bogus video titles
hottesttube .net - 28,100 bogus video titles
hotgirlsvids .net - 27,200 bogus video titles
watch-music-videos .net - 14,900 bogus video titles
marketvids .net - 29,900 bogus video titles
gamingvids .net - 7,930 bogus video titles
hentaixxx .info - 25,500 bogus video titles

The campaign is currently in a cover-up phrase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there. Timeliness vs comphrenesiveness of a malware campaign?

Following this example of comprehensivess, take into consideration the timeliness in the face of October 2008's campaign when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results.

Dancho Danchev

Tuesday, January 27, 2009

Embassy of India in Spain Serving Malware

The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e where the binary is served, a compete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :

google-analyze .cn
yahoo-analytics .net
google-analyze .org
qwehost .com
zxchost .com
odile-marco .com
edcomparison .com
fuadrenal .com
rx-white .com

As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns.

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Dancho Danchev

Wednesday, January 21, 2009

Exposing a Fraudulent Google AdWords Scheme

UPDATE: Conduit's Director of Strategic Marketing Hai Habot contacted me in regard to the campaign. Comment published at the bottom of the post.

Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration.

The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (ayuda@shareware.pro; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue part of the Conduit Rewards Program.

Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's, and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his.

Brandjacked software domains part of the AdWords campaign :
adobe-reader-co .com
adware-co .com
flash-player-co .com
paint-shop-pro .com
winrar-co .com
ccleaner-co .com
firefox-co .com
avi-codec-co .com
guitar-pro-co .com
codec-co .com
opera-co .com
messenger-comp .com
servicepack-co .com
azureus-co .com
emulegratis .es
messenger-plus-co .com
zone-alarm-co .com
directx-co .com
bittorrent-co .com
media-player-co .com
emulefree .com
divx-co .com
office-co .com
virtualdj-co .com
zattoo-co .com
clonecd-co .com
tuneup-co.com
lphant-co.com
explorer-co.com
amule-co .com
messenger75-co .com
limewire-comp .com
lite-codec-co .com
power-dvd-co .com
messenger-plus-live-co .com
reamweaver-co .com
aresgratis .net
vuze-co .com
emuleespaña .es
regcleaner-co .com
paint-net-co .com
download-acelerator .com
windownloadweb .com
xp-codecpack-co .com

The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming the software bundle including the revenue-generating toolbar is served in the following way :

firefox-co .com/downloads/installer-5-firefox-uk.exe
winamp-co .com/downloads/installer-37-winamp-uk.exe
winamp-co .com/downloads/installer-37-winamp-nl.exe
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe
divx-co .com/downloads/installer-25-divx-uk.exe

Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :

peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4

The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.

UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.

As you may know, Conduit does not have full control over the promotional activity of the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads or links) however, the activity described in your post is clearly in violation of our terms of use (section V of the Conduit Publisher Agreement) and our compliance team can take different measures against this publisher including the removal of the toolbar from our platform.

The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved."

Dancho Danchev

Monday, January 19, 2009

A Diverse Portfolio of Fake Security Software - Part Fourteen

The following currently active fake security software domains have been included within ongoing blackhat SEO campaigns, among the many other tactics that they use in order to attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software domains series is prone to expand throughout the year.

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com

Domain owner:
Name: Aennova M Decisionware
Organization: NA
Address: Rua Maestro Cardim 1101 cj. 112
City: Sgo Paulo
Province/state: NA
Country: BR
Postal Code: 01323
Phone: +5.5113245388
Fax: +5.5113245388
Email: victor@aennovas.com

rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com

Domain owner:
Vadim Selin anzo45@freebbmail.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
ru

antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com

Domain owner:
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Email: promasteryouth@gmail.com

Dancho Danchev

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then.

Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.

Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.

Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank.

Dancho Danchev