Tuesday, November 06, 2007

I See Alive IFRAMEs Everywhere

During the weekend, the entire Newsland.ru, which is among the most popular Russian news portals, was marked as "this site may harm your computer" by StopBadware.org due to an embedded IFRAME link pointing to, where else, the RBN. Every embedded malware attack during 2007 that I assessed in previous posts had something to do with the RBN in the form of a single RBN IP used in numerous malicious activities all at once: different sites getting embedded with it, blackhat SEO postings at different forums, etc. In this one, however, the parties behind the attack dedicated a special IP with what looks like a clean IP reputation. A cached copy of the page will still load the live exploit URL at 81.95.150.115/cgi-bin/in.cgi?p=user1. What really happened at Newsland.ru? Was it an end user who submitted a news story with the IFRAME somehow embedded, as a kind of unethical competitive engagement by having Google mark the entire portal as harmful, or was it planned and executed on purpose?

In another such incident, Podfeed.net was recently hacked and malware embedded at its front page. The now clean site, however, used to have an embedded link, over 20 times to be precise, pointing to the following URL :

yl18.net/0.js (125.65.77.25), with the .js having two IFRAMEs within, namely yl18.net/0.html, which is 404 dead, and yl18.net/z.html, which loads a third IFRAME pointing to yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely on yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on highly trafficked sites such as cincinnatiusa.com, cincinnati.com and guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the ISC's blog has some detection rates from while the malware was still active.

This embedded malware campaign is a perfect example of an ongoing cover-up, just like the case when, several hours after the community started looking at the Bank of India's malware serving site, the RBN URL dropped the javascript and redirected to Google.com, and we had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name was changed several hours later for yet another time. The same is the situation with the malicious parties behind Possibility Media's malware attack, who, once they started getting visited by security vendors, replaced their main index page with a "get lost" message, as well as with RBN's fake "account suspended" messages, which aren't really part of a cover-up, but a deception stage, like always.

While I was researching a third domain that was serving a banking trojan and loading IFRAMEs to sicil.info, which, in case you don't remember, is the IFRAME behind the Syrian Embassy hack, I came across injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions, just like the Russian Business Network did recently, and while in RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's attack and the Syrian Embassy hack, as some of his IFRAMEs are using the exact URLs from the previous attacks. And as you already know from reading my previous assessments and the connections between them, one of the attack IPs in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.

Key points :

- a Turkish defacer is taking advantage of a remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly

If you don't take care of your site's web vulnerability management, someone else will.

Monday, November 05, 2007

Overperforming Turkish Hacktivists

Last month's Turkish/Swedish hacktivism tensions surprised me mainly because the Swedes responded to the defacements in an entirely different way :

"On Saturday a group of disgruntled hackers posted a comment to the Flashback online forum linking to a stolen database containing thousands of user names and passwords from Turkish forum Ayyldz, the site thelocal.se reported on Tuesday. The Swedes also broke into the e-mail and MSN accounts of Turkish Web users and sent messages using the stolen identities. Among the images in circulation was a pornographic illustration of the Prophet Mohammed and Mustafa Kemal Ataturk, the founder of the modern Turkish state."

How do you keep track of defaced sites "courtesy" of Turkish script kiddies? Zone-h for sure, but in fact there are so many defacements done by Turkish hacking groups that the hacktivists have localized the defacement archives into Turkish for better transparency, and by doing so have made Turkish defacements during hacktivism wars much easier to keep track of. Who are the most active Turkish defacers anyway?

Top 5 Turkish Defacers at the first defacement mirror :

U-H-T - 8517
1923turk - 6711
hackpowerteam.org - 5364
By_CECEN - 5230
nadir_piero - 4440

Top 5 Turkish Defacers at the second defacement mirror :

Lonely.Antalya - 1101
Pit10 - 1000
beyrut-KaI3uS - 863
HEXB00T3R - 747
myturkx.org - 675

Lots of data to cross-check for sure. Best of all - it's a real time example of the people's information warfare concept, virtual PSYOPS to be precise. Defacing sites using automated vulnerability scanning and exploitation tools is one thing, embedding malware on the defaced sites is totally another, and while we've been witnessing the emergence of embedded malware during 2007, it's questionable whether it's done for the aggregation of infected hosts into botnets only, or a specific hacktivist cause for instance.

Rebranding a Security Vendor

Rebranding by itself is a tricky process which, if not coordinated at all levels of the enterprise, could result in severe channel conflicts damaging the brand's image and increasing the risk of confused positioning.

PandaSoftware's recent rebranding to PandaSecurity comes as a smoothly executed example of the process, as it needed to take advantage of the entire marketing toolset in order to communicate their new vision, mostly a sound repositioning strategy emphasizing that the company's core competency is not software in general, but IT security. As in every other marketing campaign aiming to achieve such an effect, the business lingo used affects the prospective audience of the campaign, be it the U.S. or the EMEA markets, or, even better in respect to globalization, both at once with a clear vision, namely that "Prevention is better than the cure". The question from a marketing perspective always remains - is it a brand with a mission, or a mission with a brand, and isn't the second a better socially oriented positioning than the standard practice?

Meanwhile, here's more proof that building a solid brand results in sustained brand equity, thereby attracting potential acquirers' interest, as is the case with McAfee's recent acquisition of ScanAlert for $51M. What they're buying is not the technology behind the company, a daily managed penetration testing process, but ScanAlert's brand and client list.

Saturday, November 03, 2007

Managed Fast-Flux Provider

Vertical integration in the spamming market means you don't just provide potential customer lists in the form of harvested emails and the infrastructure for the mass mailing, consisting of hundreds of infected PCs, but also occupy emerging market segments such as the need to increase the overall time a spam/phishing campaign remains online, as well as to make it hard to trace back, courtesy of fast-flux networks. And so, the IP that was hosting the spam/phishing campaign in the last 5 minutes is now clean and has nothing to do with it.

There's an interesting tactic phishers and spammers are starting to use, next to the pure fast-flux at the DNS level I covered in a previous post, and that is dynamically serving the data from multiple locations per web session. Take meds247.org for instance. Who's providing meds247.org's fast-flux infrastructure? In the first example we had "a dynamic subdomain generating spamming host running a proxy server every time the central campaign URL gets refreshed via an obfuscated javascript". The javascript is now gone, but the content (dynamic per page view) is obtained from dynamic locations behind a proxy. For instance, while the domain resolves to 78.94.45.76, the content in the session is obtained from 72.2.16.236:8088/vti_sys. And despite the DNS records and the content IPs changing, the vti_sys directory structure doesn't: a fast-fluxing service that I feel Send-Safe.com branded as "Your Own Proxies" and, as it looks, uses for their own order processing, next to maintaining a rogue certificate authority for anyone who dares to shop there :

216.153.170.110:8088/vti_sys/order.php?product=ssnp
216.153.170.110:8088/vti_sys/order.php?product=sspc
216.153.170.110:8088/vti_sys/order.php?product=sse1
216.153.170.110:8088/vti_sys/order.php?product=ssalonesite
67.118.79.234:8088/vti_sys/order.php?product=sslm

More info about Send-Safe.com, a spamware vendor that's vertically integrating in the spamming market.
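An added example, not the post's own or Send-Safe.com's code: given constructed proxy-log lines (RFC 5737 documentation addresses, hypothetical names and sessions), it separates the DNS-level flux of the landing name from the per-session content hosts, and fingerprints the content by its stable port and directory (the :8088/vti_sys pattern above) rather than by the ever-changing IP.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log lines (RFC 5737 documentation IPs, hypothetical names/paths):
# "<timestamp> <session> <requested url> <server ip the proxy connected to>".
LOG = """\
2007-11-03T10:01:02 s1 http://pills.example/ 192.0.2.5
2007-11-03T10:01:03 s1 http://198.51.100.10:8088/vti_sys/order.php?product=a 198.51.100.10
2007-11-03T10:05:40 s2 http://pills.example/ 192.0.2.9
2007-11-03T10:05:41 s2 http://198.51.100.20:8088/vti_sys/order.php?product=b 198.51.100.20
2007-11-03T10:09:12 s3 http://pills.example/ 192.0.2.5
2007-11-03T10:09:13 s3 http://203.0.113.30:8088/vti_sys/index.php 203.0.113.30
2007-11-03T10:15:00 s4 http://news.example/ 203.0.113.99
2007-11-03T10:15:01 s4 http://cdn.example/static/app.js 203.0.113.100
"""

def parse_log(text):
    """Split each line into (timestamp, session, url, server_ip)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def path_signature(url, segments=1):
    """Host-independent fingerprint: port plus the leading path directories.
    The content IP changes per session; the directory layout (:8088/vti_sys) does not."""
    u = urlsplit(url)
    top = "/".join(u.path.split("/")[1:segments + 1])
    return f"{u.port or 80}:/{top}"

def find_flux(records, min_hosts=2):
    """Return names answered from several IPs, path signatures served by several hosts,
    and which landing name each session used before being sent to the fluxing content."""
    name_ips, sig_hosts, landing_sigs = defaultdict(set), defaultdict(set), defaultdict(set)
    first_host = {}
    for _, session, url, server_ip in records:
        host = urlsplit(url).hostname
        name_ips[host].add(server_ip)
        landing = first_host.setdefault(session, host)
        if host != landing:                       # content pulled from a different host
            sig = path_signature(url)
            sig_hosts[sig].add(host)
            landing_sigs[landing].add(sig)
    fluxing_names = {n: sorted(i) for n, i in name_ips.items() if len(i) >= min_hosts}
    fluxing_paths = {s: sorted(h) for s, h in sig_hosts.items() if len(h) >= min_hosts}
    campaigns = {n: sorted(s for s in sigs if s in fluxing_paths)
                 for n, sigs in landing_sigs.items() if n in fluxing_names}
    return fluxing_names, fluxing_paths, campaigns
```

Blocking by path signature at the proxy outlives blocking by IP, since the next session will already be served from a different host.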

Detecting and Blocking the Russian Business Network

Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets :

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown. Do what you will with this information."

Remember RBN's fake anti-virus and anti-spyware software? The list is getting bigger with another 20 additions, again hosted on RBN IPs, exposed by the RBNExploit blog.

Meanwhile, you may also be interested in how an abuse request gets handled at the RBN. Deceptively, of course. Each and every domain or IP that has somehow been reported as malicious to them, not once but numerous times by different organizations, starts serving a fake account suspended message, like the following malicious domains hosted at the RBN do :

"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible"

- superengine.cn (81.95.149.181) - fake account suspended message, no malicious script at front page but within the domain

- eliteproject.cn (81.95.149.124) - fake account suspended message, no malicious script at front page but within the domain

- space-sms.info (200.115.174.248) - fake account suspended, loads the malicious takenames.cn

- lem0n.info (200.115.174.248) - fake account suspended message, obfuscated javascript to bl0cker.info

- worldtraff.cn (200.115.174.248) - fake account suspended message, loads bl0cker.info and takenames.cn

- takenames.cn (58.65.239.66) - fake of eValid web testing solution, interacting with all of these domains

Dots, dots, dots: 58.65.239.66, or takenames.cn for the time being, used to resolve to goodtraff.biz in the past, another RBN operation we know from the Bank of India hack, where the second RBN IP was also used in the most recent Possibility Media's malware fiasco.
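As an added example (not code from the posts or from any project mentioned in them), a small Python walker in the spirit of the yl18.net chain described earlier and of the fake "account suspended" pages above: it follows IFRAME and script src references hop by hop, marks hidden ones and dead ends, and separately flags a "suspended" notice that still pulls a script from another host. Hosts and page bodies are constructed stand-ins.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed pages standing in for HTTP fetches (hypothetical hosts, not those in the posts; a
# missing key models a 404): a portal pulls a script that writes two hidden IFRAMEs, one dead and
# one chaining on, and a fake "account suspended" page still loads a script from another host.
PAGES = {
    "http://portal.example/": '<p>news</p><script src="http://inj.example/0.js"></script>',
    "http://inj.example/0.js":
        '''document.write("<iframe src='http://inj.example/0.html' width=0 height=0></iframe>");'''
        '''document.write("<iframe src='http://inj.example/z.html' width=0 height=0></iframe>");''',
    "http://inj.example/z.html": '<iframe src="http://games.example/game.htm" style="display:none"></iframe>',
    "http://games.example/game.htm": "<html>payload placeholder</html>",
    "http://decoy.example/": "This Account Has Been Suspended For Violation Of Hosting Terms And"
                             ' Conditions.<script src="http://other.example/x.js"></script>',
}
TAG_RE = re.compile(r"<(iframe|script)\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"""width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none""", re.I)
SUSPENDED_RE = re.compile(r"account has been suspended", re.I)

def walk(url, depth=0, max_depth=4, seen=None):
    """Follow iframe/script src hops from url; one (depth, referrer, tag, target, hidden, status) per hop."""
    seen = set() if seen is None else seen
    findings = []
    body = PAGES.get(url)                      # a real scanner would GET the URL here
    if body is None or url in seen or depth > max_depth:
        return findings
    seen.add(url)
    for tag in TAG_RE.finditer(body):
        src = SRC_RE.search(tag.group(0))
        if not src:
            continue
        target = urljoin(url, src.group(1))
        findings.append((depth, url, tag.group(1).lower(), target,
                         bool(HIDDEN_RE.search(tag.group(0))),
                         "dead" if PAGES.get(target) is None else "live"))
        findings.extend(walk(target, depth + 1, max_depth, seen))
    return findings

def is_decoy_suspended_page(url):
    """A 'suspended' notice that still pulls content from another host is a decoy, not a takedown."""
    body = PAGES.get(url)
    if body is None or not SUSPENDED_RE.search(body):
        return False
    for tag in TAG_RE.finditer(body):
        src = SRC_RE.search(tag.group(0))
        if src and urlparse(urljoin(url, src.group(1))).netloc != urlparse(url).netloc:
            return True
    return False
```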

Friday, November 02, 2007

Metaphisher Malware Kit Spotted in the Wild

Such crimeware botnet C&Cs, consisting entirely of PCs infected with banker trojans, can depress every financial institution's PR department, which often talks more about SSL as the cornerstone of secure e-banking than it should, next to forwarding the responsibility for fraud prevention to the SSL-secured customers under the umbrella of a signed e-banking contract. A "No Anti Virus Software, no E-banking for You" mindset is greatly desired, to at least slow down the emergence of such banking malware botnets. When you come across something like this, you get the cyber shivers, as it's done for pure massive banking fraud in a typical malicious economies of scale fashion. Once success is anticipated in the form of infecting as many PCs as possible, methods to streamline efficiency start emerging.

As I once pointed out, one-time passwords in everything and two-factor authentication are marketable, yet it's not the authentication process that malware authors excel at breaking, as they don't even have to. They "form grab" and "session grab" efficiently in a Nuclear Grabber style, the 1.0 version of the currently emerging e-banking malware.

Another related post on FortifySoftware's blog wisely debunks the notion that online banking is safer than physical banking as an executive tried to convince them.