Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Tuesday, August 04, 2009

Managed Polymorphic Script Obfuscation Services

Cybecriminals understand the value of quality assurance, and have been actively running business models on the top of it for the past two years.

From the multiple offline antivirus scanners using pirated software, the online detection rate checking services allowing scheduled URL scan and notification upon detection by antivirus vendors, to the underground alternatives of VirusTotal in the form of multiple firewalls bypass verification checks - cybercriminals are actively benchmarking and optimizing their releases before launching yet another campaign.

A newly launched service aims to port a universal managed malware feature on the web - the polymorphic obfuscation of malicious scripts in an attempt to increase the lifecycle of a particular campaign.

Interestingly, due to the obvious software piracy within the cybercrime ecosystem which allowed proprietary malware tools to leak in the wild, the service is using a particular malware kit's javascript obfuscation routines and is running a business model on it.

For the time being, it relies on three obfuscation algorithms, HTMLCryptor olnly - used 56 times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY obfuscation service, also checks and notifies the cybercriminal over ICQ in cases when his IPs and domain names have been blacklisted by Google's Safebrowsing, as well as Spamhaus, and more checks against public malware domain/IP databases are on the developer's to-do list.

The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is attempting to monetize a commodity feature available to cybecriminals through the managed updates that come with the purchase of a proprietary web malware exploitation kit, it's not a fad since it fills in the DIY niche where the variety of the algorithms offered and their actual quality will either spell the doom or the rise of the service.

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Monday, August 03, 2009

Summarizing Zero Day's Posts for July

The following is a brief summary of all of my posts at ZDNet's Zero Day for July.

You can also go through previous summaries for June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include - Manchester City Council pays $2.4m in Conficker clean up costs; Transmitter.C mobile malware spreading in the wild and Does free antivirus offer a false feeling of security?

01. Manchester City Council pays $2.4m in Conficker clean up costs
02. EyeWonder malware incident affects popular web sites
03. Koobface worm joins the Twittersphere
04. Transmitter.C mobile malware spreading in the wild
05. ImageShack hacked by anti-full disclosure movement
06. Does free antivirus offer a false feeling of security?
07. Remote code execution exploit for Firefox 3.5 in the wild
08. Adobe ships insecure version of Reader from official site
09. The future of mobile malware - digitally signed by Symbian?
10. 419 scammers using Dilbert.com
11. Spammers go multilingual, use automatic translation services

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Thursday, July 30, 2009

Social Engineering Driven Web Malware Exploitation Kit

The standardization through template-ization of bogus codec/flash player/video pages, taking place during the past two years, has exponentially increased the efficiency levels of malware campaigns relying exclusively on social engineering.

Just like phishing pages being commodity, these commodity spoofs of legitimate software/plugins relying on "visual social engineering" represent a market segment by themselves, one that some cybercriminals have been attempting to monetize for a while.

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.

Despite that the kit's author has ripped off a well known exploits-serving malware kit's statistics interface, what's unique about this release is the fact that the exploit modules come in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", "Outdated Video Codec", "Codec Required" modules.

These very same modules represent the dominant social engineering attack vector on the Internet due to the quality of the spoofs and the end users' gullibility while self-infecting themselves. For the time being, the author appears to be an opportunist rather than someone interested in setting new benchmarks for standardization social engineering by using the efficiency and delivery methods offered by a web malware exploitation kit.

Interestingly, a huge number of fake codec serving web sites are already detecting the OS/Browser of the visitor, and serving Mac OS X based malware or Windows based malware based on the detection. This fact, as well as the fact that visual spoofs of OS X like dialogs are also getting template-ized are not a coincidence - it's a signal for an efficient and social engineering driven malware delivery mechanism in the works. The development of the kit will be monitored and updates posted - if any.

Meanwhile, the recent blackhat SEO campaign which attempted to hijack 'Harry Potter and the Half-Blood Prince' related traffic is a good example on how despite the magnitude of the campaign -- hundreds of thousands of indexed and malware serving pages -- due to the manual campaign management, its centralized nature makes it easier to shut down.

Upon clicking on a link, the end user was redirected to usa-top-news .info - 67.228.147.71 - Email: fullhdvid@gmail.com, then to world-news-scandals .com Email: wnscandals@gmail.com, and finally to tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 - j0cqware@gmail.com where the codec was served from exefreefiles .com - 95.211.8.20 - Email: case0ns@gmail.com. More coded serving domains are parked on the same IPs:

216.240.143.7

sunny-tube-world .com - Email: briashou@gmail.com
the-blue-tube .com - Email: malccrome@gmail.com
onlysteeltube.com - Email: briashou@gmail.com
thecooltube .com - Email: malccrome@gmail.com
etesttube .com - Email: katschezz@gmail.com
thegrouttube .com - Email: katschezz@gmail.com
fllcorp .com

95.211.8.20

exe-load-2009 .com - Email: robeshur@gmail.com
exefiledata .com - Email: robeshur@gmail.com
exereload .com - Email: robeshur@gmail.com
load-exe-world .com - Email: robeshur@gmail.com
cool-exe-file .com - Email: robeshur@gmail.com
last-home-exe .com - Email: robeshur@gmail.com
exefreefiles .com - Email: case0ns@gmail.com
boardexefiles .com - Email: case0ns@gmail.com
exeloadsite .com - Email: j0cqware@gmail.com

The gang maintains another domain portfolio with pretty descriptive nature for phone back, direct fake codec serving purposes:

agro-files-archive .com
alkbbs-files .com
all-tube-world .com
best-light-search .com
besttubetech .com
chamitron .com
cheappharmaad .com
dipexe .com
downloadnativeexe .com
ebooks-archive .org
etesttube .com
exedownloadfull .com
exefiledata .com
exe-paste .com
exe-soft-development .com
exe-xxx-file .com
eyeexe .com
go-exe-go .com
greattubeamp .com
green-tube-site .com
hotexedownload .com
hot-exe-load .com
imagescopybetween .com
isyouimageshere .com
labsmedcom .com
last-exe-portal .com
lost-exe-site .com
lyy-exe .com
main-exe-home .com
mchedlishvili .name
metro-tube .net
my-exe-load .com
newfileexe .com
protectionimage .com
robo-exe .com
rube-exe .com
securetaxexe .com
softportal-extrafiles .com
softportal-files .com
storeyourimagehere .com
super0tube .com
super-exe-home .com
supertubetop .com
sysreport1 .com
sysreport2 .com
testtubefilms .com
texasimages2009 .com
the-blue-tube.com
thecooltube .com
thegrouttube .com
thetubeamps .com
thetubesmovie .com
tiaexe .com
tube-best-4free .com
tube-collection .com
tvtesttube .com
yourtubetop .com

Who's behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", it's the "fan club" with the Koobface connection, continuing to use the same phone back locations that they've been using during the past couple of months - myart-gallery .com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; robert-art .com/senm.php - 66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 216.240.146.119 - Email: chucjack@gmail.com.

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Social Engineering Driven Web Malware Exploitation Kit

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.

216.240.143.7

The gang maintains another domain portfolio with pretty descriptive nature for phone back, direct fake codec serving purposes:

agro-files-archive .com
alkbbs-files .com
all-tube-world .com
best-light-search .com
besttubetech .com
chamitron .com
cheappharmaad .com
dipexe .com
downloadnativeexe .com
ebooks-archive .org
etesttube .com
exedownloadfull .com
exefiledata .com
exe-paste .com
exe-soft-development .com
exe-xxx-file .com
eyeexe .com
go-exe-go .com
greattubeamp .com
green-tube-site .com
hotexedownload .com
hot-exe-load .com
imagescopybetween .com
isyouimageshere .com
labsmedcom .com
last-exe-portal .com
lost-exe-site .com
lyy-exe .com
main-exe-home .com
mchedlishvili .name
metro-tube .net
my-exe-load .com
newfileexe .com
protectionimage .com
robo-exe .com
rube-exe .com
securetaxexe .com
sk1project .org
softportal-extrafiles .com
softportal-files .com
storeyourimagehere .com
super0tube .com
super-exe-home .com
supertubetop .com
sysreport1 .com
sysreport2 .com
testtubefilms .com
texasimages2009 .com
the-blue-tube.com
thecooltube .com
thegrouttube .com
thetubeamps .com
thetubesmovie .com
tiaexe .com
tube-best-4free .com
tube-collection .com
tvtesttube .com
yourtubetop .com

Dancho Danchev

Wednesday, July 29, 2009

5th SMS Ransomware Variant Offered for Sale

"Your system has been blocked because it is running a pirated copy of Windows. In order to unblock it, enter the activation code sent to you by SMS-ing the following number."

Demand and emerging business models based on micro-payment ransom meet supply, with yet another SMS-based ransomware variant offered for sale ($25). Just like in previous underground market propositions, this one comes with a value-added service in the form of managed undetected binaries on a daily basis for an extra $5 for an undetected copy. It's worth pointing out that due to the customization offered, their original layouts and the error messages will look a lot different once their customers get hold of the ransomware.

Key features include:
- protecting against repeated infection through Mutex
- pops-up on the top of all windows
- disables safe mode, as well as possible key combinations attempting to bypass the window
- adds itself as a trusted executable/excluded one in Windows Firewall
- variety of non-intrusive auto-starting/executable injecting capabilities
- Rotx encryption for the activation codes
- ability to embedd more than one activation code
- monitors and automatically blocks process names of tools that could allow removal
- complete removal of the code from the system once the correct activation code is entered
- zero detection rate of a sampled binary -- of course the advertiser is biased and he didn't bother including reference to the service he used (Virustotal, NoVirusThanks.org etc.)

Despite several isolated cases where the originally Russian-based ransomware is affecting international English-speaking users, the campaigns are primarily targeting Russian speaking users -- at least for the time being until the malware authors or their customers start localizing it. This emerging micro-payment ransomware business model is the direct result of largely unregulated market segments allowing literally anyone to get hold of a premium and automatically managed number in order to facilitate it.

Related posts:
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Monday, July 27, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Three

Part twenty three of the diverse portfolio of fake security software series, will once again summarize the scareware domains currently in circulation, delivered through the usual channels - blackhat SEO, compromises of legitimate web sites, comment spam and bogus adult web sites, with an emphasis on a yet another bogus company acting as a front-end to an affiliate network - AK Network Commerce Ltd.

Scareware remains the dominant monetization tactic applied by cybercriminals automatically abusing Web 2.0 properties.

The latest scareware domains are as follows:
scanyourcomputeronlinev1 .com - 78.46.251.41; 83.133.126.155; 91.212.107.5; 94.102.48.29; 78.46.251.41 - Email: info@chinainindia.org.in
promalwarescannerv2 .com - Email: info@researchcmr.com
spywarefolderscannerv2 .com Email: willpan@glamoxcon.com
antivirusscannerv10 .com - Email: mohammed32@yahoo.com
scanyourcomputeronlinev1 .com - Email: info@chinainindia.org.in
folder-antivirus-scanv1 .com - Email: info@duebamet.com
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
spywarefolderscannerv2 .com - Email: willpan@glamoxcon.com
privatevirusscannerv2 .com - Email: hfbeauty@yahoo.com
secure-antivirus-scanv3 .com - Email: info@duebamet.com
bestfoldervirusscanv3 .com - Email: alfonso-li@sohun.com
antispyware-scannerv3 .com - Email: willpan@glamoxcon.com
liveantimalwarescannerv3 .com - Email: hongkong@campusparis.org
onlinespywarescannerv3 .com - Email: Peng@pradac.cn
onlineantivirusscanv4 .com - Email: Peng@pradac.cn
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
antivirus-scannerv6 .com - Email: paul.smith@acdc.cn
antivirusonlinescanv9 .com - Email: info@chinainindia.org.in
antimalwarescannerv9 .com - Email: mohammed32@yahoo.com
antispywarescannerv9 .com - Email: mohammed32@yahoo.com
bestcomputerscanv7 .com - Email: cgrenier@reclamation.com

in5id .com - 67.212.71.196 - Email: getoony@gmail.com
goscantune .com - Email: canrcnad@gmail.com
in5ch .com - Email: getoony@gmail.com
goscanback .com - Email: alcnafuch@gmail.com
goscanlook .com - Email: chinrfi@gmail.com
gotunescan .com - Email: canrcnad@gmail.com
gofatescan .com - Email: alcnafuch@gmail.com
gobackscan .com - Email: alcnafuch@gmail.com
goparkscan .com - Email: canrcnad@gmail.com
in5st .com - Email: getoony@gmail.com
gagtemple .info - Email: tiermity@gmail.com
strelyk .info - Email: tiermity@gmail.com
mixsoul .info - Email: tiermity@gmail.com
loacher .info - Email: tiermity@gmail.com
unvelir .info - Email: tiermity@gmail.com
lendshaft .info - Email: tiermity@gmail.com

goironscan .com - 209.44.126.152 - Email: aloxier@gmail.com
metascan4 .com - Email: exmcon@gmail.com
notescan4 .com - Email: exmcon@gmail.com
genscan4 .com - Email: exmcon@gmail.com
scanlist6 .com - Email: exmcon@gmail.com
goscanpark .com - Email: exmcon@gmail.com
gobackscan .com - Email: exmcon@gmail.com
gomapscan .com - Email: exmcon@gmail.com
scan4gen .com - Email: exmcon@gmail.com
namearra .info - Email: stnorvel@gmail.com
xtraroom .info - Email: stnorvel@gmail.com
sundalet .info - Email: stnorvel@gmail.com

privacy-centre .org - 89.208.136.91 - Email: acapz@freebbmail.com
prvacy-centre .org - Email: acapz@freebbmail.com
privacy-centar .org - Email: acapz@freebbmail.com
prvacy-centar .org - Email: acapz@freebbmail.com
privacy-ceter .org - Email: acapz@freebbmail.com
prvacy-ceter .org - Email: acapz@freebbmail.com
privacy-center .org - Email: acapz@freebbmail.com
prvacy-center .org - Email: acapz@freebbmail.com
privacy-centor .org - Email: acapz@freebbmail.com
privacy-centr .org - Email: acapz@freebbmail.com
prvacy-centr .org - Email: acapz@freebbmail.com
pcenter56 .com
privacyupdate447 .com - Email: prv54@lycos.com
pcenter57 .com

personalonlinescanv3 .com - 78.46.251.41 - Email: vms@hellofm.in
antivirusfolderscanv5. com - Email: Bush.Mussar@yahoo.com
antivirusfolderscannerv5 .com - Email: Bush.Mussar@yahoo.com
privatevirusscannerv5 .com - Email: cs@pakoil.com.pk
antivirusforcomputrerv5 .com - Email: Bush.Mussar@yahoo.com
spywarefastscannerv6 .com - Email: cs@pakoil.com.pk
antimalwarescanv7 .com - Email: Bush.Mussar@yahoo.com
antimalwareproscannerv8 .com - Email: Bush.Mussar@yahoo.com
antimalwareproscannerv9 .com - Email: Bush.Mussar@yahoo.com
antivirusscannerv9 .com - Email: Bush.Mussar@yahoo.com
advanedspywarescan .com - Email: xors678@freebbmail.com
securedvirusscan .com - Email: adsff@freebbmail.com
secured-virus-scanner .com - Email: adsff@freebbmail.com

free-spyware-cleaner .com - 212.117.160.18 - Email: robertsimonkroon@gmail.com
free-spyware-checker .org - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
clean-pc-now .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
free-spyware-cleaner .com - Email: robertsimonkroon@gmail.com
free-tube-orgasm .net - Email: robertsimonkroon@gmail.com
free-spyware-cleaner .net - Email: robertsimonkroon@gmail.com
clean-pc-now .net - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com

protectionsystemlab .com - 89.149.254.174; 91.212.198.36
ez-scanner-online .com
smart-antivirus-online .com
uptodatesystem .com
checks-files-now .com
download-filez-now .us
files-download-now .net
check-files-now .net

antispyware2009 .com - 75.125.241.58
remover .org
antispyware .com
regsweep .com
registryclear .com
adwarebot .com

cleanmalwarefree .com - 218.93.205.244 - Email: IvanMaltzev@gmail.com
killlabs .com - Email: ad6@safe-mail.net
cleanmalwarefast .com - Email: ad6@safe-mail.net
cleanmalwareeasy .com - Email: ad6@safe-mail.net

adware-2010 .com - 67.211.161.49
adware-2009.comantispyware2013 .com - 98.124.199.1; 98.124.198.1
antispyware2012 .com
securityscanweb .com - 209.44.126.22 - Email: Gerald.A.Flowers@trashymail.com
securitytestavailable .com - 209.44.126.81 - Email: Roy.M.Tucker@pookmail.com
liveantivirusinfov2 .com - 78.47.132.222; 78.47.172.69 - Email: cgrenier@reclamation.com
antivirus-scannerv9 .com - Email: paul.smith@acdc.cn
purchuaseonlinedefence .com - 78.47.91.154 - Email: jenny@allbestmarine.com.sg
purchuaseliveprotection .com - Email: jenny@allbestmarine.com.sg

windowssecurityinfo .com - 83.133.123.113 - Email: arziw12@freebbmail.com
antimalwarescanner-v2 .com - Email: tareen@yahoo.com
maliciousbaseupdates .com - Email: freight@beds.com
ieprotectionlist .com - Email: vanmullem@yahoo.com

personalcleaner2009 .com - 88.208.19.4 - Email: personalcleaner2009.com@liveinternetmarketingltd.com
ak-networkcommerce .com - Email: ak-networkcommerce.com@liveinternetmarketingltd.com
pc-antimalwaresuite .com - Email: pc-antimalwaresuite.com@liveinternetmarketingltd.com
basepayment .com - Email: basepayment.com@liveinternetmarketingltd.com

Sampled malware phones back to od32qjx6meqos .cn/ua.php, more phone back locations are also parked there:
0ni9o1s3feu60 .cn - 220.196.59.23 - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
t1eayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutr11e .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
f1uq1dfi3qkcm .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com

One of the latest front-ends to scareware affiliate networks is AK Network Commerce Ltd (ak-networkcommerce .com) :

"Implementing latest anti-hacker technology based on expert and user reviews AK Network Commerce Ltd enables hacker-proof defense, blocks unauthorized access to your private information, and hides your identity. Having combined latest features of cutting-edge privacy protection technologies our knowledgeable team designed products to easily and effectively fight perilous cyber attempts. Thorough selection and step-by-step application of elements and tools required for comprehensive protection of your personal data helped us achieve success and become industry leading representatives. We did our best to prove that the time has come to leave behind worries about private data theft."

The company is the very latest attempt of a bogus company to build legitimacy into their "latest anti-hacker technology". Meanwhile, the blacklisting , sample distribution, and shutting down the scareware domains not only undermines the effectiveness of their largely centralized malware campaigns, costs them missed revenue projections, but also, it increases the opportunity costs for the gang.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev