Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Wednesday, April 08, 2009

Inside a Zeus Crimeware Developer's To-Do List

Every then and now I get asked a similar question in regard to crimeware kits - which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is - I don't know. And I don't know not because I'm a victim of an outdated situational awareness, but due to the fact that nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand jacking the Zeus brand, is making the answer a little bit more complex than it may seem at the first place.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in a attempt to hijack their Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while. Anyway, once I'm able to sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the way the version number system in the Zeus crimeware, before we take a peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. Zeus version a.b.c.d means that change in A stands for a complete change in the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions from detecting it.

The Q&A applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December, 2008 :

"Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is a now able to receive commands not only by using the send command function, but also during requests for files and logs changes
- Local data requests to the server and the configuration file can be encrypted with RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compressed of the binary
- Rewritten the process of assembling the configuration file
- Changed the MyMSQL tables
- Fixed fonts in the panel due to bogus displaying of characters
- Updated Geolocation database"

The following "To-Do" list, pretty similar to another one which I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection"
- Console-based builder
- Version supporing x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going away from the radar anytime soon, and the main reason for that is not the fact that its exclusive features outperform the ones in the Limbo crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan base, and well established third-party community around it.

Image courtesy of Abuse.ch's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Wednesday, April 01, 2009

Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software

From the automatically registered bogus LinkedIn profiles promoting pharmaceuticals campaign in February, to January's malware campaign redirecting to malware Zlob variants and rogue security software, the malware gang behind both of these campaigns is once again showcasing its persistence.

It gets even more interesting when a direct connection between January's, this very latest campaign, and the most recent massive comment-spam attack at Digg.com, is established since the very same malware domains are participating in all of the campaigns (e.g funkytube .net)

Bogus LinkedIn profiles for March:
linkedin .com/in/keeleyhazellsextape
linkedin .com/in/minimesextape
linkedin .com/in/lindsaylohansextape1
linkedin .com/in/vernetroyersextape
linkedin.com/in/freejennifertoasteetoofsex
linkedin .com/in/parishiltonsextapeq
linkedin .com/in/britneyspearssextapeq
linkedin .com/in/carmenelectra
linkedin .com/in/halleberrysexscene
linkedin .com/pub/dir/tila tequila/sex
linkedin .com/in/carmenelectrasex1
linkedin .com/in/carmenelectrasexscene1
linkedin .com/pub/dir/jennifer%20aniston/sex%20scene
linkedin .com/in/lindsaylohansex1
linkedin.com/in/olsentwinsnude
linkedin.com/in/keiraknightleynude
linkedin.com/in/christinaaguileradirrty1
linkedin.com/pub/dir/emma watson/wearing
linkedin.com/in/trishstratusnude
linkedin.com/pub/dir/ellen degeneres/gay
linkedin.com/in/angelinajolienaked1
linkedin.com/in/carmenelectranaked1
linkedin.com/pub/dir/tila tequila/porn
linkedin.com/pub/dir/emma watson/porn

linkedin.com/pub/dir/disney's raven/symone nude
linkedin .com/pub/dir/olsen twins/camel toe
linkedin .com/in/aliciamachadodesnuda
linkedin .com/pub/dir/leighton meester/nude
linkedin .com/in/katehudsonnude
linkedin .com/in/jenniferanistonbangs1
linkedin .com/in/hilaryduffnude2
linkedin .com/in/adriennebailonnaked
linkedin .com/in/jennifermorrisonnude1
linkedin .com/in/jenniferlopezdesnuda
linkedin .com/in/jennifergarnernude1
linkedin .com/in/aishwaryaraiwearingnothing
linkedin .com/in/isprinceharrygay
linkedin .com/in/vanessahudgensnude
linkedin .com/in/mariahcareynude1
linkedin .com/pub/dir/olsen twins/nudity
linkedin .com/pub/dir/denise richards/naked
linkedin .com/pub/dir/kate mara/naked
linkedin .com/in/carmencocks1
linkedin .com/in/ravensymonebreast
linkedin .com/in/adriennebailonnudephotos
linkedin .com/pub/dir/shakira/nude
linkedin .com/in/jenniferanistonnude
linkedin .com/in/emmawatsonkissingsomeone

Using a celebrities theme, all of these bogus accounts are linking to the same malware serving domains. The following central redirectors :
oymomahon .com/fathulla/11.html
oymomahon .com/mirolim-video/3.html
oymomahon .com/paqi-video/28.html
muse.100-celebrities .com/paqi-video/1.html
nahyu .org/xxxx/
1k .pl/nufexz

are then redirecting to another set of fake codec domains :
xretrotube .com
globextubes .com
globalstube2009 .com
globerstube .com
spywareremover21 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com
sgviralscan .com

to ultimately direct the visitor to the actual binaries:
nahyu .org/xxx/video/teens_fuck_orgy11.mpeg.exe - detection rate
loyaldown99 .com/codec/186.exe - detection rate
kol-development .com/viewtubesoftware.40012.exe - detection rate

Despite the fact that real-time/event-based blackhat search engine optimization is gaining popularity these days, blackhat SEO in its very nature relies on huge bogsus content farms, using a diverse theme-based set of content, usually generated in an automated fashion. Real-time blackhat SEO or standard volume-based blackhat SEO as a tactic of choice? Does it really matter given that from the perspective of tactical warfare, combining well proven tactics results in high click-through/infection rates for the campaigns in question.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Fake Porn Sites Serving Malware
Fake Porn Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware
Fake Celebrity Video Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware - Part Three
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
A Portfolio of Fake Video Codecs

Dancho Danchev

Tuesday, March 31, 2009

Diverse Portfolio of Fake Security Software - Part Seventeen

The following are some of the currently active/about to go online rogue security software domains, and their associated payment gateways exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well known Russian Business Network customers continues taking place, with their portfolios of malicious campaigns currently parked several ISPs. zlkon.lv (DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being, in the context of rogue security software.

mydwnld .com (94.102.51.14; 88.198.8.15; 94.102.51.14)
desktoprepairpackage .com
malwareremovingtool .com
spywareprotectiontool .com
pcantimalwaresolution .com
pcsolutionshelp .com
removespywarethreats .com

yournetcheckonline .com (94.247.2.215)
bestnetcheckonline .com
easynetcheckonline .com
yourwebexamine .com
bestwebexamine .com
easywebexamine .com
yourinternetexamine .com
myinternetexamine .com
linkcanlive .com
yourwebscanlive .com
easywebscanlive .com
internethomecheck .com
websecurecheck .com
websportscheck .com
websmartcheck .com
yournetascertain .com
yournetcheckpro .com
bestwebscanpro .com
security-check-center .com
downloadantivirusplus .com
theantivirusplus .com
myantivirusplus .com
safeyouthnet .com
av-plus-support .com

antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com
microsoft.infosecuritycenter .com
microsoft.softwaresecurityhelp .com
professionalupdateservice .com
platinumsecurityupdate .com
platinumsecurityupdate .com
antispywarequickupdates .com (78.137.168.33)

paymentsystemonline .com (213.239.210.54) Jerom M Collins Email: admin@routerpayments.com
liveupdatesoftware .com
royalsoftwareupdate .com
protectionsoftwarecheck .com
securitysoftwarecheck .com
privateupdatesystem .com
updatesoftwarecenter .com
updateprotectioncenter .com
updatepcsecuritycenter .com
powerdownloadserver .com
rapidsoftwareupdates .com
professionalsoftwareupdates .com
allsoftwarepayments .com
powerfullantivirusproduct .com
securedprostatsupdates .cn

Dancho Danchev

Summarizing Zero Day's Posts for March

The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can also go through previous summaries for February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Inside BBC's Chimera botnet and Study: IE8's SmartScreen leads in malware protection.

01. Conficker worm to DDoS legitimate sites in March
02. Bad, bad, cybercrime-friendly ISPs!
03. Google downplays severity of Gmail CSRF flaw
04. USAID.gov compromised, malware and exploits served
05. International Kaspersky sites susceptible to SQL injection attacks
06. New study details the dynamics of successful phishing
07. BBC team buys a botnet, DDoSes security company Prevx
08. Comcast responds to passwords leak on Scribd
09. Diebold ATMs infected with credit card skimming malware
10. Ex-botnet master hired by TelstraClear
11. Study: IE8's SmartScreen leads in malware protection
12. Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"
13. Inside BBC's Chimera botnet

Dancho Danchev

Thursday, March 26, 2009

A Diverse Portfolio of Fake Security Software - Part Sixteen

The following are some of the very latest typosquatted rogue security software domains pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 2.0 services.

yourstabilitysystem .com (209.44.126.14)
onlinescanservice .com
scanalertspage .com
getscanonline .com
bestfiresfull .com
yourstabilitysystem .com
mostpopularscan .com
vistastabilitynow .com
scanvistanow .net
vistastabilitynow .net

central-scan .com (212.117.165.126) Maureen Whelan Email: maureenwhelanjr@googlemail.com
royalsoftwareupdate .com
uptodate-protection .com
updatesoftwarecenter .com
webscannertools .com

protectprivacy18 .com (209.249.222.48) Arnes Skopec Email: arnessl2370@gmail.com
malwarescanner20 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com

malwaredefender2009 .com (67.43.237.75) Josef Branc Email: jsfsl2341@googlemail.com
systemguard2009 .com
systemguard2009m .com

angantivirus-2009 .com (70.38.73.26)
angantivirus2009 .com

check-ms-antivirus .com (78.26.179.131) Brett Quihuiz Email: BrettQuihuiz@gmail.com
ms-loads-av .com (78.26.179.137) Hou Stephen Email: StepDunnu@gmail.com
secure-data-group .com (209.8.45.147) Joseph Barnes Email: jhbarnes40@gmail.com

dlmaldef09 .com (67.43.237.78) Josef Branc Email: jsfsl2341@googlemail.com
dlsgd3 .com
getsgd3 .com
getsysgd09 .com
getmaldef09 .com
dlsg09 .com
getsg09 .com

Dancho Danchev

Wednesday, March 25, 2009

Embassy of Portugal in India Serving Malware

Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India has been compromised (embportindia.co.in). Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Rusian Business Network's pre-shutdown netblocks and static locations.

The very same domain using the same web traffic redirection script, used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet .com/index.php?cocacola84 (94.247.3.151) where Multiple Adobe Reader and Acrobat buffer overflows are served :

zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf

The second iFramed domain ntkrnlpa .cn/rc/ (159.226.7.162) has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed with the iFrame back then (ntkrnlpa .info/rc/?i=1) pointing to the Russian Business Network's original netblock It gets even more interesting when you take into consideration the fact that ntkrnlpa.info was also sharing ifrastructure with zief.pl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Zief.pl is also service of choice for certain campaigns of the Virut malware family, irc.zief.pl in particular.

It gets even more malicious considering that on the same IP (ntkrnlpa .cn/rc/ 159.226.7.162) where one of the malware domains in the embassy's campaign is parked, we can easily spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year's IE7 massive zero day exploit serving campaign. Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it.

A reincarnation of a well known RBN domain, confirmed participation at related compromises of embassy web sites by the same group, sharing ifrastructure with domains from a massive IE7 ex-zero day attack and hosting Zeus crimeware command and control locations -underground multitasking at its best.

Related posts:
Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Dancho Danchev