In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with sarcastic attitude.
Monday, February 01, 2010
Summarizing Zero Day's Posts for January
The following is a brief summary of all of my posts at ZDNet's Zero Day for January 2010. You can also go through previous summaries, subscribe to my personal RSS feed or Zero Day's main feed, and follow me or all of ZDNet's blogs on Twitter.
Recommended reading - Google-China cyber espionage saga - FAQ.
01. Baidu DNS records hijacked by Iranian Cyber Army
02. Haiti earthquake themed blackhat SEO campaigns serving scareware
03. Google-China cyber espionage saga - FAQ
04. And the most popular password is...
05. Bogus IQ test with destructive payload in the wild
06. Report: 48% of 22 million scanned computers infected with malware
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, January 26, 2010
Inside a Commercial Chinese DIY DDoS Platform
With China in the focus of international fiasco (consider going through the Google-China cyber espionage saga - FAQ)
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Continuing the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" / "the latest update for the AIM" themed campaign from the weekend has once again returned to a well-known theme, namely the "Facebook Update Tool" spam campaign.
The botnet masters have introduced several new name servers (domain suspension is pending) but continue to use the same IP, embedded on all the pages, for serving the client-side exploits, with only a slight change in the directory structure.
- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
- Sample typosquatted and currently active domains:
- Name servers of notice:
Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.
The gang's activities will be updated as they happen.
Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
Monday, January 18, 2010
Follow Me on Twitter!
Are you on Twitter? If so, consider following my tweets, or if you're not using it you can always subscribe to the RSS feed.
Wednesday, January 13, 2010
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the past 24 hours they've been spamming the well-known "Notice of Underreported Income" theme, this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains, next to changing the client-side exploit serving iFrame embedded on each and every page.
- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php
Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).
The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
- 109.95.114.251 /uks1/jquery.jxx
- 109.95.114.251 /uks1/xd/pdf.pdf
- 109.95.114.251 /uks1/load.php
- 109.95.114.251 /uks1/file.exe
DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations
Typosquatted domains spammed over the past 24 hours:
UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.
What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional to the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.
UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.
In need of a good example of why you shouldn't interact with spam/phishing emails in any way other than reporting/deleting them, unless of course you're in the business of analyzing them?
Last week's OWA-themed Zeus-serving spam campaign, courtesy of the Pushdo botnet, has not just resumed but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites, through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new: the botnet master anticipates that the visitor who clicked on the link may not be that stupid the next time, so attempting to serve the malware through client-side exploits, without any interaction on the visitor's behalf, is the tactic of choice.
Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.
Active fast-fluxed domains part of the campaign:
DNS servers of notice:
Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy) phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rates for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
- atthisstage .com/uksp/jquery.jxx
- atthisstage .com/uksp/xd/pdf.pdf
- atthisstage .com/uksp/load.php
- atthisstage .com/uksp/file.exe
Russian Brides spamvertised domains part of an affiliate network:
If you want to know more about the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An In-Depth Analysis report.
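Both the "Facebook Update Tool" URL in the preceding post and the HMRC one in this post's update park the impersonated brand in the subdomain labels of an unrelated registrable domain (ddeassrq .vc, olpiku5v .com.pl), so the visitor's browser is never on the brand's own domain. The following is an added example, not the post's own tooling, that flags that pattern in URLs written in the post's defanged notation; the suffix table and brand list are constructed for the URLs quoted here, and a real deployment would load the full Public Suffix List instead.

```python
"""Flag spamvertised URLs that park an impersonated brand in the subdomain.

Added example (not the post's own tooling). Inputs use the post's defanged
notation, with a space before the TLD or path ("ddeassrq .vc", "109.95.114.251 /uks1").
"""
import re
from urllib.parse import urlsplit

# Constructed suffix table limited to the public suffixes seen in these posts.
# A real deployment would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "vc", "hn", "sc", "la", "im", "kr", "ru", "pl",
    "com.pl", "me.uk", "org.uk", "co.uk", "gov.uk", "co.kr", "ne.kr",
    "or.kr", "com.ua", "com.hn", "com.vc", "com.sc",
}

# Brands the campaigns impersonate (constructed from the quoted lures).
PROTECTED_BRANDS = ("facebook.com", "hmrc.gov.uk", "aol.com")

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def refang(url: str) -> str:
    """Undo the post's defanging: 'foo .vc/x' -> 'foo.vc/x', '1.2.3.4 /p' -> '1.2.3.4/p'."""
    return re.sub(r"\s+\.", ".", url).replace(" /", "/")


def hostname(url: str) -> str:
    """Lower-cased host of a (refanged) URL; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Longest known public suffix plus one label; bare IPv4 hosts are returned as-is."""
    if IPV4.fullmatch(host):
        return host
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def brand_in_subdomain(url: str):
    """Return (brand, registrable_domain) when a protected brand appears only
    as a run of subdomain labels, i.e. the visitor is not on the brand's own
    domain. Return None for genuine brand hosts, bare IPs and unrelated hosts."""
    host = hostname(refang(url))
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS or IPV4.fullmatch(host):
        return None
    sub = host[: -len(reg)].rstrip(".")
    padded = "." + sub + "."  # so 'facebook.com' must match whole labels
    for brand in PROTECTED_BRANDS:
        if "." + brand + "." in padded:
            return brand, reg
    return None


def triage(urls):
    """Map each URL to the decoy brand it abuses, or None."""
    return {u: brand_in_subdomain(u) for u in urls}


# Constructed from the spamvertised URLs quoted in these posts, plus one
# legitimate control URL.
SAMPLE_URLS = [
    "facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref",
    "online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php",
    "109.95.114.251 /uks1/in.php",
    "https://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for url, hit in triage(SAMPLE_URLS).items():
        verdict = f"DECOY {hit[0]} on {hit[1]}" if hit else "ok"
        print(f"{verdict:32} {url}")
```

The bare-IP iFrame host is reported as clean by design: it carries no brand decoy, and the blacklisting the post mentions is a separate reputation check.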
Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.