In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Sunday, April 18, 2010
Dissecting the WordPress Blogs Compromise at Network Solutions
UPDATED: Network Solutions issued an update to the situation.
The folks at Sucuri Security have posted an update on the reemergence of mass site compromises at Network Solutions, following last week's WordPress attack.
What has changed since last week's campaign? Several new domains were introduced, including new phone-back locations, with the majority of them once again parked on the same IP as last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.
The exploitation chain of the currently embedded domain is as follows:
- corpadsinc.com/grep /?spl=3&br=MSIE&vers=7.0&s=
- corpadsinc.com /grep/soc.php
- corpadsinc.com /grep/load.php?spl=ActiveX_pack
- corpadsinc.com /grep/load.php?spl=pdf_2020
- corpadsinc.com /grep/load.php?spl=javal
- corpadsinc.com /grep/j2_079.jar
Detection rates for some of the obtained exploits:
- update.vbe - VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5%)
- j2_079.jar - Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5%)
Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:
- binglbalts.com - Email: alex1978a@bigmir.net
- corpadsinc.com - Email: alex1978a@bigmir.net
- fourkingssports.com - Email: alex1978a@bigmir.net
- networkads.net - Email: alex1978a@bigmir.net
- mainnetsoll.com - Email: alex1978a@bigmir.net
- lasvegastechreport.com
- mauiexperts.com
- mauisportsinsider.com
Upon successful exploitation from corpadsinc.com, the campaign drops load.exe - Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50%).
The sample load.exe also phones back to the following locations:
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9
- 188.124.16.96 /blackout_dem.exe
Detection rate for blackout_dem.exe - Trojan-Dropper - Result: 7/40 (17.5%). It phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.
Interestingly, the sample attempts to install a Firefox add-on in the following way:
- %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02 - detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX.
It is also worth pointing out that the campaign's admin panel points to a third-party, cybercrime-friendly IP that is currently offline: corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW.
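One way to put the indicators above to defensive use, as an added example that is not code from this post or from Sucuri: a Python sweep over web-proxy logs that tags each request against the domains, IPs and URL shapes listed here (the fingerprinting landing page, the load.php exploit modules, the Java archive, the bb.php and inst.php check-ins, the stats.php panel), then reports clients that both fetched an exploit successfully and phoned back. The Squid-style log format and the sample log lines are constructed for the example; the indicators are the ones quoted in the post.

```python
"""Sweep web-proxy logs for the Network Solutions campaign infrastructure.
Added example, not code from the post: indicators are the ones the post
lists; the Squid-style log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Domains and IPs listed in the post.
BAD_HOSTS = {"corpadsinc.com", "binglbalts.com", "fourkingssports.com",
             "networkads.net", "mainnetsoll.com", "lasvegastechreport.com",
             "mauiexperts.com", "mauisportsinsider.com", "nonstopacc.com",
             "mazcostrol.com"}
BAD_IPS = {"64.50.165.169", "188.124.16.95", "188.124.16.96",
           "188.124.16.103", "217.23.14.25"}

# Constructed log format: epoch, client IP, method, URL, HTTP status.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
                     r"(?P<url>\S+)\s+(?P<status>\d{3})\s*$")
# Tags meaning "a dropped binary checked in"; exploit tags are kit-module:* and kit-java-exploit.
POST_EXPLOIT_TAGS = {"loader-phone-back", "second-stage-fetch", "dropper-install-report"}

def classify(url):
    """Return the indicator tags that apply to one request URL."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    query = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    if host in BAD_HOSTS:
        tags.append("known-bad-host")
    if host in BAD_IPS:
        tags.append("known-bad-ip")
    # URL shapes from the exploitation chain and phone-back lists in the post.
    if path == "/grep/" and "spl" in query and "br" in query:
        tags.append("kit-landing")                      # browser/version fingerprint
    elif path == "/grep/load.php" and "spl" in query:
        tags.append("kit-module:" + query["spl"][0])    # ActiveX_pack, pdf_2020, javal
    elif path == "/grep/j2_079.jar":
        tags.append("kit-java-exploit")
    elif path == "/grep/stats.php":
        tags.append("kit-admin-panel")
    elif path == "/tmp/bb.php" and {"v", "id", "b"}.issubset(query):
        tags.append("loader-phone-back")                # load.exe check-in
    elif path == "/blackout_dem.exe":
        tags.append("second-stage-fetch")
    elif path == "/inst.php" and "aid" in query:
        tags.append("dropper-install-report")           # blackout_dem.exe check-in
    return tags

def sweep(lines):
    """Parse log lines and keep those matching at least one indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                    # malformed line: skip, don't fail
        tags = classify(m["url"])
        if tags:
            hits.append((m["client"], int(m["status"]), m["url"], tags))
    return hits

def likely_infected(hits):
    """Clients that successfully fetched an exploit and also phoned back."""
    stages = {}
    for client, status, _url, tags in hits:
        if not 200 <= status < 300:
            continue                                    # failed fetch: nothing delivered
        seen = stages.setdefault(client, set())
        for tag in tags:
            if tag == "kit-java-exploit" or tag.startswith("kit-module:"):
                seen.add("exploit")
            if tag in POST_EXPLOIT_TAGS:
                seen.add("post-exploit")
    return sorted(c for c, s in stages.items() if s == {"exploit", "post-exploit"})

# Constructed sample log: one client completes the chain, one client's
# exploit fetch fails (404), one benign request.
SAMPLE_LOG = """\
1271600001.001 10.0.0.5 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s= 200
1271600002.012 10.0.0.5 GET http://corpadsinc.com/grep/load.php?spl=pdf_2020 200
1271600003.500 10.0.0.5 GET http://corpadsinc.com/grep/j2_079.jar 200
1271600009.118 10.0.0.5 GET http://nonstopacc.com/tmp/bb.php?v=200&id=130306319&b=7231522200&tm=8 200
1271600010.002 10.0.0.5 GET http://188.124.16.96/blackout_dem.exe 200
1271600020.777 10.0.0.7 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s= 200
1271600021.300 10.0.0.7 GET http://corpadsinc.com/grep/load.php?spl=ActiveX_pack 404
1271600030.000 10.0.0.9 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for client, status, url, tags in found:
        print(client, status, url, "->", ", ".join(tags))
    print("likely infected:", likely_infected(found))
```

The host and IP sets will go stale as the campaign rotates infrastructure, which is why the URL-shape tags are kept separate: a landing page with `spl`/`br`/`vers` parameters followed by a `load.php?spl=` fetch is the same pattern regardless of which parked domain serves it, and the status-code check keeps a 404 on the exploit module from being counted as a delivered payload.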
The bottom line: although Network Solutions criticized the media last week for blaming this on Network Solutions or on WordPress itself, the company should realize that, for the sake of its reputation, it should always apply the "protect the end user from himself" mentality when offering any of its services.
Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Tags: Client-Side Exploits, Client-Side Vulnerabilities, Exploits, Hacking, Information Security, Network Solutions, Security, Vulnerabilities
Friday, April 16, 2010
Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang
Earlier this week, another malvertising campaign affected a popular community, in the face of Facebook's FarmTown.
You have to analyze, and cross-check it to believe it.
Key summary points:
- the email test@now.net.cn, used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -
Wednesday, April 14, 2010
iPhone Unlocking Themed Malware Campaign Spamvertised
UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that immediately after this brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.). Currently responding to the same IP are also the following domains, known to have been connected with previous malware campaigns: startexag.com - Email: venterprize@gmail.com; exposingpics.com, and animezhd.com.
Researchers from BitDefender are reporting on a currently spamvertised malware campaign using an "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.
The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone-iphone.info@protecteddomainservices.com - entices the end user into downloading the malware from pepd.org/blackra1n.exe - 188.210.236.109 - Email: pepd.org@protecteddomainservices.com.
Detection rate: blackra1n.exe - Trojan.BAT.AACL - Result: 10/40 (25%). The malware itself attempts to change the default DNS settings on infected hosts to the following IP - 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.
- Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250
- Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)
- Creates Process (second invocation, for the wireless adapter) - CommandLine: (... interface ip set dns "wireles network connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)
From Romania, with DNS changing malware.
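To turn the two behaviours above into a host check, here is an added example in Python (not from the post or from BitDefender's analysis). It parses the text of `reg query HKLM\SYSTEM\...\Tcpip\Parameters\Interfaces /s` for static NameServer values and scans process command lines (as collected by Sysmon event 1 or security event 4688 auditing) for `netsh interface ip set dns ... static <ip>` invocations, reporting any resolver outside an allowlist. The allowlist, the second interface GUID and the sample texts are constructed for the example; the first GUID, the two NETSH command lines and 188.210.236.250 are the values the post reports.

```python
r"""Check a Windows host for the rogue-resolver change described in the post.
Added example, not from the post or BitDefender. Inputs: `reg query ... /s`
text and a list of process command lines. Samples are constructed; the
first interface GUID and 188.210.236.250 are taken from the post."""
import re

# Resolvers this host is allowed to use (assumption made for the example).
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)(?:\s+(?P<data>.*?))?\s*$")
# Both netsh spellings: positional ("Local Area Connection" static 1.2.3.4)
# and keyword (name="X" source=static addr=1.2.3.4). The optional ":" after
# NETSH.EXE tolerates the sandbox report format quoted in the post.
NETSH_RE = re.compile(
    r"netsh(?:\.exe)?:?\s+interface\s+ip\s+set\s+dns\s+(?:name=)?\"?(?P<iface>[^\"]+?)\"?\s+"
    r"(?:source=)?static\s+(?:addr(?:ess)?=)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

def parse_reg_query(text):
    """Map interface GUID -> {value name: data} from `reg query /s` output."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m["name"]] = m["data"] or ""
    return interfaces

def static_resolver_findings(interfaces, trusted):
    """Flag static resolvers (NameServer) outside the allowlist. DhcpNameServer
    is deliberately ignored: the malware writes the static value."""
    findings = []
    for guid, values in interfaces.items():
        for ip in re.split(r"[ ,]+", values.get("NameServer", "")):
            if ip and ip not in trusted:
                findings.append(("registry", guid, ip))
    return findings

def netsh_findings(command_lines, trusted):
    """Flag netsh invocations that set a static resolver outside the allowlist."""
    findings = []
    for cmd in command_lines:
        m = NETSH_RE.search(cmd)
        if m and m["ip"] not in trusted:
            findings.append(("netsh", m["iface"], m["ip"]))
    return findings

def audit(reg_text, command_lines, trusted=TRUSTED_RESOLVERS):
    """Combine both checks into one list of (source, where, resolver) tuples."""
    return (static_resolver_findings(parse_reg_query(reg_text), trusted)
            + netsh_findings(command_lines, trusted))

# Constructed `reg query` output: the interface from the post plus a clean one
# (second GUID is a placeholder).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
    NameServer    REG_SZ    188.210.236.250
    DhcpNameServer    REG_SZ    192.168.1.1
    EnableDHCP    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000002}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1
    EnableDHCP    REG_DWORD    0x1
"""

# Constructed command lines: the two from the post's sandbox report, one
# legitimate admin change to a trusted resolver, one unrelated process.
SAMPLE_CMDLINES = [
    r'C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static 188.210.236.250',
    r'C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "wireles network connection" static 188.210.236.250',
    'netsh interface ip set dns name="Ethernet" source=static addr=192.168.1.1',
    r'C:\WINDOWS\system32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for source, where, resolver in audit(SAMPLE_REG, SAMPLE_CMDLINES):
        print(f"[{source}] {where}: untrusted static resolver {resolver}")
```

The registry check catches the persisted state even if the process-creation event was never logged, while the command-line check catches the change at the moment it is made; both are needed because ControlSet001 and CurrentControlSet may differ, and a DHCP-assigned resolver (DhcpNameServer) is not what the malware tampers with.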
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Monday, April 12, 2010
Copyright Violation Alert Themed Ransomware in the Wild
UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM
The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach to extortion, demanding the highest amount of money seen in ransomware variants so far, but also offers interesting clues into the multitasking mentality of cybercriminals whose campaigns have already been profiled.
The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:
"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.
We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."
Responding to the same IP (193.33.114.77) are also:
- green-stat.com - Email: tahli@yahoo.com
- media-magnats.com - Email: tahli@yahoo.com
Where do we know the tahli@yahoo.com email from? From "The Koobface Gang Wishes the Industry 'Happy Holidays'", where it was used to register Zeus C&Cs as well as money mule recruitment domains; from "Money Mule Recruitment Campaign Serving Client-Side Exploits", where it was used to register the client-side exploit serving mule recruitment site; and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four", where it was used in another mule recruitment site registration.
What's particularly interesting about the ransomware variant is that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, and that it attempts to build its torrents list from actual torrent files it is able to locate on the victim's hard drive.
Detection rates for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)
Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker), with the affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone-back directories from different campaigns:
- 91.209.238.2/r2newinstall/freemen/1
- 91.209.238.2/r2newinstall/02937/1
- 91.209.238.2/r2hit/7/0/0
This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments and emphasizing profit margins instead, by attempting to extort the amount of $400.
Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?
SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.