Wednesday, November 12, 2008

A Diverse Portfolio of Fake Security Software - Part Thirteen

What is the difference between reactive and proactive threat intel? Reactive threat intel assesses a campaign, an individual or a group of individuals, how they are related to one another, and what they have been doing in the past, based exclusively on a lead that's been found within the past couple of hours.

Try the very latest rogue security domains courtesy of three domainers (Fedor Ibragimov cndomainz@yahoo.com, Anton Golovayk gpdomains@yahoo.com and Ivan Durov idomains.admin@gmail.com ) whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008.

powerfullantivirusscan .com (78.159.118.217; 89.149.253.215; 208.72.168.185)
protection-update .com
updatepcprotection .com
updateyourprotection .com
mac-imunizator .net (67.205.75.10)
avproinstall .com (78.157.141.26)
winavpro .com (92.241.163.30)


As far as proactive threat intel is concerned, try the following "upcoming fake security software domains":

spywaredefender2009 .com
spywaredestroyer2009 .com
spywareeliminator2009 .com
spywareprotector2009 .com


It would be interesting to monitor whether the well-known non-existent security software brands we've been monitoring throughout 2008 will simply be typosquatted in a 2009-like fashion, or whether the operators will introduce new brands. With their business model under pressure, I'm starting to see evidence of schemes involving the illegal advertisement of affiliate links to legitimate security software, where the cybercriminals are actual resellers of it. There's also no shortage of surreal situations, where fake security software takes advantage of blackhat SEO practices by promising the removal of competing fake security software brands.

Last week, the noadware .net (69.20.71.82; 69.20.104.139) software was persistently advertised in exactly this way, mostly through WordPress accounts promising to remove competing software:

antiviruspro2009.wordpress .com
ultraantivirus2009.wordpress .com
smartantivirus.wordpress .com
antiviruslab2009.wordpress .com
antivirusvip.wordpress .com
personaldefender2009.wordpress .com
malwareremoval.wordpress .com


Naturally, it didn't take long before blackhat SEO farms were created for the purpose, like these very latest ones:

removal-tool.blogspot .com
cgidoctor .com
spywareremoval .net
spyware-adware-remover .com
spywarestop .com
zero-adware .net
adware-remove .com
antispywaresecrets .com
protectyourcomputerfromspyware .info
cleanpcfree .net
spyware-bot .com
spywarezapper.co .uk
thepcsecurity .com
noadware-official-site .com
spywaredoctorfavor .cn
removespywareedge .cn
thespywareremover .com
virusremovalguru .com
virusremovalguide .org


The day when fake security software sites start attracting traffic by promising to remove other fake security software is the day when we have clear evidence that an ecosystem has emerged.
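The lists above are written in the defanged "name .tld" style, and the question of whether 2009 will bring year-suffixed re-brands of the same fake products is one a monitoring script can watch for. The following is an added example, not code from the original post: it refangs a constructed sample of the entries listed above into a blocklist, matches hostnames (including subdomains such as the WordPress accounts) against it, and flags the "security brand + year" naming pattern so that a 2010 variant of a known name is noticed even before it appears on any list. The brand-prefix regular expression is my own heuristic assumption, not something the post defines.

```python
import re

# Constructed sample: a handful of entries copied from the lists in this post,
# in the same " .tld" defanged style (deliberately not the complete list).
DEFANGED_SAMPLE = """
powerfullantivirusscan .com (78.159.118.217; 89.149.253.215; 208.72.168.185)
spywaredefender2009 .com
antiviruspro2009.wordpress .com
spyware-bot  .com
spywarezapper.co .uk
noadware-official-site .com
"""


def refang(line):
    """Collapse the 'name .tld' defanging and drop any trailing '(ip; ip)' list."""
    host = line.split("(")[0].strip()
    return re.sub(r"\s+\.", ".", host).lower()


def parse_blocklist(text):
    """Turn a defanged list (one entry per line) into a set of real hostnames."""
    return {refang(line) for line in text.splitlines() if line.strip()}


# Heuristic (assumption): a leading label built from a generic security word,
# optional filler, and a four-digit year, e.g. 'spywaredefender2009'.
YEAR_BRAND = re.compile(r"^(?:anti|spyware|malware|virus|pc|security)[a-z-]*(20\d{2})(?:\.|$)")


def flag_year_brand(hostname):
    """Return the year if the first label follows the 'brand + year' pattern, else None."""
    match = YEAR_BRAND.match(hostname)
    return match.group(1) if match else None


def check(hostname, blocklist):
    """Classify a hostname: exact/parent blocklist hit, year-brand heuristic, or None."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Walk up the label chain so 'www.example.com' matches a listed 'example.com'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return ("blocklist", candidate)
    year = flag_year_brand(host)
    if year:
        return ("year-brand", year)
    return None


if __name__ == "__main__":
    bl = parse_blocklist(DEFANGED_SAMPLE)
    for name in ["www.powerfullantivirusscan.com", "spywareprotector2010.com", "example.com"]:
        print(name, "->", check(name, bl))
```

Feeding the script proxy or DNS logs one hostname at a time gives a first-pass triage: a blocklist hit is a known rogue domain from the lists, while a year-brand flag is only a lead that a new domain is following the naming convention the post describes and deserves a look.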

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

More Compromised Portfolios of Legitimate Domains for Sale

The ongoing supply of access to compromised portfolios consisting of hundreds, sometimes thousands of legitimate domains, is continuing to produce anecdotal situations. For instance, in one of the latest propositions, a cybercriminal has managed to hijack the blackhat SEO domains portfolio (8,145 domains plus another 100 legitimate ones) of another cybercriminal, and is now offering it for sale.

From an attacker's perspective, are remotely exploitable SQL injections, insecure web interfaces at the hosting provider, or the pragmatic option of mining a botnet's accounting data for access to such portfolios the tactic of choice? In both of these propositions, the seller cites vulnerabilities within the web hosting providers as the attack tactic.

The continuing supply of such access is, however, a good indicator of how this segment of the underground marketplace will develop in 2009.

DIY Skype Malware Spreading Tool in the Wild

Who needs to build hit lists by harvesting user names when a usability feature allows you to expose millions of users to your latest social engineering campaign? That seems to be the mentality of yet another Skype malware spreading tool, which just like the majority of publicly obtainable tools is aiming to contact everyone, everywhere.

The tool's main differentiating feature is harvesting the personal information of the users it randomly detects, in between the mass spamming of malicious URLs. However, despite its DIY nature allowing someone to easily launch a malware campaign spreading across Skype, the tool lacks the segmentation features offered by related Skype spamming tools. Just as in a cybercrime 1.0 world DIY exploit embedding tools were favored for lack of web malware exploitation kits, in a cybercrime 2.0 world these DIY tools have matured into IM malware spreading modules that can easily be attached to any infected host, provided the botnet master is looking for such functionality.

Related posts:
Skype Spamming Tool in the Wild - Part Two
Skype Spamming Tool in the Wild
Harvesting Youtube Usernames for Spamming
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware

Monday, November 10, 2008

Zeus Crimeware Kit Gets a Carding Layout

With cybercriminals clearly expressing their nostalgia for several notorious and already shut down credit card fraud communities, they seem to have found a way to once again give their self-esteem a boost. Following the ongoing modification of open source crimeware kits and the inevitable innovation introduced by third parties, last week a new layout was introduced for Zeus, once again courtesy of a group that's piggybacking on Zeus's popularity.

It's particularly interesting to see how a one-man operation evolves into a group of third-party developers starting to claim ownership rights over the modified versions, even though they're basically brandjacking the Zeus brand and building business models on top of it.

Open source crimeware and web malware exploitation kits, on the other hand, undermine the business model of a great number of "malware/spyware for hire" vendors, which surprisingly doesn't stop them from continuing to offer services and products that are often built on the de facto crimeware kits. Are the buyers even aware of this fact? From a buyer's perspective, in times when most of the output is sold in bulk, or access to the botnet is rented for a specific period of time, the buyer doesn't care which cybercrime platform is in use, but is looking for transparent ways to justify the investment made in renting the service.

Now that Zeus administrators, and the cybercrime clerks managing the campaigns (who may or may not know what type of campaigns and data they are handling), can listen to their favorite music within Zeus and choose different layouts for the command and control interface while committing cybercrime, what's next?

Convergence and improved monetization.

Thursday, November 06, 2008

DIY Phishing Pages With Command and Control Interfaces

The day when DIY phishing pages start coming with manuals is the day when, consciously or subconsciously, a phisher lowers the entry barriers into phishing yet again. Much more user-friendly than the old-fashioned, yet effective, Rock Phish directory listing, a recently released command and control interface for Rapidshare phishing campaigns aims to empower its users with easy dynamic link generation for their campaigns.

What they've managed to achieve is another trust factor, since Rapidshare itself generates a second dynamic link upon clicking the original one. The script not only generates a dynamic-looking link, but actually logs the victim into their account in order to avoid suspicion, while still logging all the accounting data.

Scammers also tend to be ironic every now and then. For instance, in this particular case, one of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is the script actually working? It appears so, at least judging by a misconfigured accounting data dump left behind by one of the phishers.

Related posts:
Phishing Pages for Every Bank are a Commodity
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
DIY Phishing Kits Introducing New Features

Tuesday, November 04, 2008

Summarizing Zero Day's Posts for October

Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts