Inside (Yet Another) Managed Spam Service

Several years ago, getting into the spam business used to involve the process of harvesting emails, figuring out ways to segment the database, localize the spam campaign by using a free translation service eventually ruining the social engineering effect, creating your very own botnet and coming up with creative ways to bypass anti-spam filters, ensuring the botnet remains operational, coming up with ways to obtain access to IPs with clean reputation, with little or no campaign effectiveness measurement at all..

These relatively higher market entry barriers are long gone. Today, every single step in the spamming process is managed and can be outsourced in a cost-effective manner to the point where the one-stop-shop spam vendors have vertically integrated and occupied every single market segment possible in order to increase the "lifetime value" of their potential customers.

When do you know that it's going to get uglier in the long term? It's that very special moment in time when the backend for such a managed spam system utilizing malware infected hosts and legitimate servers for achieving its objectives, goes mainstream and its authors remove the "proprietary, high-profit margin revenues earning business model" label from it.

And with this particular moment in time already a fact since the middle of 2008 (Spamming vendor launches managed spamming service), yet another new market entrant is pitching its managed spam service with the ambition to monetize his access to a particular botnet, and break-even from the investment made in the backend system.

With 9 different campaigns already finished (see the top screenshot) and another one currently in progress spamming out 3215 emails using 1672 infected hosts based on a harvested email database consisting of 306204 emails (notice the percentage of non-existent emails potentially spam-poison traps), his business model is up and running.

Further developments and new features within the service would remain under close monitoring in the future as well. In particular, the original vendor's updates which would ultimately affect all of his "value-added partners" improved managed spamming capabilities.

Russian Homosexual Sites Under (Commissioned) DDoS Attack

From Russia with homophobia?

A week long DDoS attack launched against Russia's most popular commercial homosexual sites has finally ended. The simultaneous attack managed to successfully shut down the web servers of most of the sites, which responded with filtering of all traffic that is not coming from Russia. Ironically, the attack was in fact coming from Russian, courtesy from a botnet operated by a DDoS for hire service.

Here's a list of the sites that were subject to the DDoS, with the majority of them returning "503 Service Temporarily Unavailable" error message during last week :
gogay.ru
1gay.ru
androgin.ru
boysclub.ru
egay.ru
gaylines.ru
gaymoney.ru
gayplanet.ru
gayrelax.ru
xabalka.ru

On the 25th of January, gogay.ru was among the few sites to issue a statement and confirm the attacks offering financial reward for information leading to the source :

"Yesterday (25 February), our site is subjected to serious hacker attacks (flood-attack capacity of 2 Mbit / sec). The attack reflected, but is still continuing at other gay sites 1gay.ru, egay.ru, xabalka.ru and so on. If you have any information (we are willing to pay for инфу of tailor-made) on the causes of the attack, if you - the webmaster and your own gay website exposed attacks (if the last few days your site has been slow to load and create a greater burden - it is very likely that the same attack, only disguised), sabotage, blackmail or extortion by unidentified persons - always contact us."

Since the sites are commercial providers of homosexual multimedia content and are thereby bandwidth-consuming, the attacks were aiming to disrupt their business operations, and they managed to do so. Russia's government is well known to have a rather violent take on homosexuality in general, and with overall availability of outsourced DDoS attack services offering anonymity and destructive bandwidth, the efforts to request such an attack remain minimal.

Summarizing Zero Day's Posts for February

The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can also go through previous summaries for January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

01. Commercial Twitter spamming tool hits the market
02. Fake Antivirus XP pops-up at Cleveland.com
03. Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts
04. Massive comment spam attack on Digg.com leads to malware
05. Crimeware tracking service hit by a DDoS attack
06. Targeted malware attacks exploiting IE7 flaw detected
07. New Symbian-based mobile worm circulating in the wild
08. Rogue security software spoofs ZDNet Reviews
09. Adobe Reader 9 and Acrobat 9 zero day exploited in the wild
10. Chinese hackers deface the Russian Consulate in Shanghai
11. eBay solutions provider Auctiva.com infected with malware
12. Malware campaign at YouTube uses social engineering tricks
13. Research: 76% of phishing sites hosted on compromised web servers

Inside a DIY Image Spam Generating Traffic Management Kit

Whatever the spammer/pharma master or plain simple cybercriminal requires - the spamware vendors deliver so that a win-win-win scenario takes place for the buyer, the seller, and the enabler, in this case the affiliate network allowing image-based spam compared to Web 1.0's link based performance measurement.

That's the main objective of one of the very latest traffic management kit is once again quality assurance in the process of managing image-spam based campaigns.

Here's a translated description of the traffic management kit:
"As you know, now many pay per click networks offer within their ad scripts the so called graphic feeds.Any site allowing the use of the IMG tag can serve them, that includes popular free web based services. The problem so far has been the lack of quality measurement and optimization of this approach. 

This imposes severe restrictions on the ability to convert traffic to the resource, the automatic redirection of which is impossible. Our system allows you to allows you to create your own ads and send traffic to them to where you think they fit. 

How it works: you create a campaign with your own keywords, generate a random image, customize it, generate a link to the ad and paste it into the hosting site, or include it in your email campaigns. By doing this you're able to add more interactivity in your campaigns and improve your click through rates.

Here's a summary of the features we offer you:

- Create messages with random text and random design. Change ad size and font color, underline, and the selection, styles, font and alignment, frames - everything is set up. You can use any font that you want to - it's completely up to you
- Manage design ads through profiles within the system, save your creativity
- Use of any image as the ads. This may be a screenshot of your pharmacy, banner, and even anything

- Combine different types of simple ads on the same page
- Create messages with any embedded images. For example (click on picture to see actual ad size)
- Use alternative keywords in the references (some of the resources do not allow to post links containing the names of pills and other banned words)
- Filter incoming traffic to the countries of the User-Agent, IP or range of IP"

It's important to emphasize on the fact that this is a DIY image-spam generating kit, in comparison, the much more efficient and again random image-spam generating service is offered by the sophisticated and experienced managed spam service providers who still prefer working with reputable and well known individuals, instead of going mainstream.

Related posts:
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service
Segmenting and Localizing Spam Campaigns

Help! Someone Hijacked my 100k+ Zeus Botnet!

I've been looking for a similar chatter for a while now, given the existence of a remotely exploitable vulnerability in an old Zeus crimeware release allowing a cybercriminal to inject a new user within the admin panel of another cybecriminal.

It appears that this guy has had his 100k+ Zeus botnet hijacked several months ago, and now that he's managed to at least partly recover the number of infected hosts in two separate botnets, is requesting advice on how to properly secure his administration panel.

Here's an exact translation of his concerns :
"Dear colleagues, I'd like to hear all sorts of ideas regarding to security of Zeus. I've been using Zeus for over an year now, and while I managed to create a botnet of 100k infected hosts someone hijacked it from me by adding a new user and changing my default layout to orange just to tip once he did it. Once I fixed my directory permissions. I now have two botnets, the first one is 30k and the second (thanks to a partnership with a friend) is now 3k located at different hosting providers. 

Sadly, yesterday I once again found out that my admin panel seems to have been compromised since all the files were changed to different name, and access to the admin panel blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping Apache logs in order to find IPs that have been used for logging purposes and blocked them all. Therefore I think the new user has been added by exploiting a flaw in Zeus. In my opinion a request  was made to the database, either through an sql injection in s.php a file or a request from within a user with higher privileges.

Since I've aplied patches to known bugs, this could also be a compromise of my hosting provider. So here are some clever tips which I offer based on my experience with securing Zeus. 

- Change the default set of commands, make them unique to your needs only. 
- If it is possible to prohibit the reading and dump tables with logs all IP, to allow only certain (so that the crackers were not able to make a dump and did not read the logs in the database). 
- If it is possible to prohibit editing of tables with all the commands of Zeus IP, to allow only certain (that could not be "hijacked", insert the command bots)"

Surreal? Not at all, given the existing monoculture on the crimeware market. Morever, yet another vulnerability was found in the Firepack web malware exploitation kit earlier this month (Firepack remote command execution exploit that leverages admin/ref.php). This exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which was also localized to Chinese several months later:

The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese

Ironically, cybercriminals too, seem to be using outdated versions of their crimeware.

Related posts:
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

With VPN-enabled malware infected hosts easily acting as stepping stones thanks to modules within popular malware bots, next to commercial VPN-based services, the cost of anonymizing a cybecriminal's Internet activities is not only getting lower, but the process is ironically managed in data retention heavens such as the Netherlands, Luxembourg, USA and Germany in this particular case, by using the services of the following ISPs: LeaseWeb AS Amsterdam, Netherlands; ROOT-AS root eSolutions; HOPONE-DCA HopOne Internet Corp.; NETDIRECT AS NETDIRECT Frankfurt, DE.

Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers in order to run its VPN/Double/Triple VPN channels service which it exclusively markets in a "it's where you advertise your services, and how you position yourself that speak for your intentions" fashion.

Description of the service:

"- We will never sought to make the service cheaper than saving the safety of customers.

- Our servers are located in one of the most stable and high-speed date points (total channel gigabita 1.2)
- Only we have the full support service to the date of the center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions, our software is based on the modified code.
- Only here you get a stable and reliable service.

Characteristics of Sites:
- Channel 100MB, total channels gigabita 1.2.
- MPPE encryption algorithm is 128 bit
- Complete lack of logs and monitoring - a guarantee of your safety.
- Completely unlimited traffic.
- Support for all protocols of the Internet."

On the basis of chaining several different VPN channels located in different countries all managed by the same service, combined with a Socks-to-VPN functionality where the Socks host is a malware compromised one, all of which maintain no logs at all, is directly undermining the usefulness of already implemented data retention laws. Moreover, even a not so technically sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all, would result in the perfect anonymization service where the degree of anonymization would be proportional with the speed of the connection. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly.

In respect to the "no logs and monitoring for the sake of our customers security" claims, such services are based on trust, namely the customers are aware of the cybercriminals running them "in between" the rest of the services they offer, which and since they're all "on the same page" an encrypted connection is more easily established. However, an interesting perspective is worth pointing out - are the owners of the cybecrime-friendly VPN service forwarding the responsibility to their customers, or are in fact the customers forwarding the responsibility for their activities to the owners which are directly violating data retention laws and on purposely getting rid of forensic evidence?

Things are getting more complicated in the "cybercrime cloud" these days.