Thursday, July 31, 2008

Storm Worm's Lazy Summer Campaigns

The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.



Storm's latest "FBI vs Facebook" campaign is an example of very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense,  as well as client side exploits next to centralizing all the participating domains on a single nameserver.



Domains used :

wapdailynews .com

smartnewsradio .com

bestvaluenews .com

toplessnewsradio .com

companynewsnetwork .com

goodnewsgames .com

marketgoodnews .com

fednewsworld .com

toplessdailynews .com

stocklownews .com




DNS servers :

NS.BRPRBGOK6 .COM

NS2.BRPRBGOK6 .COM

NS3.BRPRBGOK6 .COM 

NS4.BRPRBGOK6 .COM

NS5.BRPRBGOK6 .COM

NS6.BRPRBGOK6 .COM



Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the U.S's invasion of Iran :



Administrative Contact:

Lee Chung lee@likethisone1.com

+13205897845 fax:

1743, 34

Los-Angeles CA 321458

us




This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using already known Storm nameservers :



ns2.verynicebank .com

ns3.verynicebank .com

ns.likethisone1 .com

ns2.likethisone1 .com

ns3.lollypopycandy .com

ns4.lollypopycandy .com



Someone's bored, definitely, making it look like it's almost someone else managing a Storm Worm campaign on behalf of them.

Wednesday, July 30, 2008

Dissecting a Managed Spamming Service

With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, start diversifying the portfolio of services they offer in order to steal market share from other "vendors" offering related services like, email database cleaning, segmentation of email databases, email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely they're not blacklisted yet.



How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100 excluding the discounts based on the speed of sending desired, namely 10-20 per second or 20-30 per second. Let's dissect the service, and emphasize on its key differentiation factors, as well as the customerization offered in the form of a dedicated server if the customer would like to send billions of emails :



"-- High quality and percentage of spam delivery 

-- Fast speed of delivery

-- Spam database on behalf of the vendor, or using your own database of harvested emails

-- Easily obtainable and segmented spam databases on per country basis

-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate

-- Support for attachments, executables, and image files



The cost - $100 for a million for letters delivered spam, with the large volume of spam discounts 20% -30% -40% based on the value-added Do-it-yourself customer interfare based on a multi-user botnet command and control interface :

 


-- Automatic RBL verification

-- Support for many subjects, headers,

-- Total customization of the email sending process

-- Autogenerating junk content next to the spammers email/link in order to bypass filtering

-- Faking Outlook Message ID / Boundary / Content-ID

-- Interface added. Now do not necessarily understand all the features into the system to start the list.

-- Convenient management tasks.

-- A high percentage of punching, on the basis of good europe - 40-60% (For the United States - less because there aol and others).

-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed



With the weight of a billion - even discounts and the possibility of making a personal server. "



Rather surprising, they state that European email users have a higher probability of receiving the spam message compared the U.S due to AOL. What they're actually trying to say is due to AOL's use of Domain Keys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been take place for over an year now.



This service, like the majority of others rely entirely on malware infected hosts, which due to the multi-user nature of most of the malware command and control interfaces, allows them to easily add customers and set their privileges based on the type of service that they purchase. This leaves a countless number of opportunities for targeted spamming, and yes, spear phishing attacks made possible due to the segmentation of the emails based on a country, city, even company.



In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits, will inevitably start introducing built-in features which were once available through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely available if such optional features get built-in phishing kits, or start getting offered by the spamming provider itself. And since the affiliate based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.

Tuesday, July 29, 2008

Neosploit Team Leaving the IT Underground

The Neosploit Team are abandoning support for their Neosploit web exploitation malware kit, citing a negative return on investment as the main reason behind their decision. However, given Neosploit's open source nature just like the majority of web malware kits, and the fact that it's slowly, but surely turning into a commodity malware kit just like MPack and Icepack did, greatly contribute to its extended "product lifecycle" :



"Let’s discuss their business model, how other cybercriminals disintermediated it thereby ruining it, and most importantly, how is it possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI). The short answer is - piracy in the IT underground, and their over-optimistic assumption that high-profit margins can compensate the lack of long-term growth strategy, which in respect to web malware exploitation kits has do with the benefits coming from converging with traffic management tools. Let’s discuss some key points."



The end of Neosploit malware kit, doesn't mean the end of Neosploit Team, or the sudden migration to other malware kits since they're no longer providing support in the form of new obfuscations and set of exploits to their customers. Their customers have been in fact self-servicing their needs enjoying the modular nature of the kit, the result of which is an unknown number of modified Neosploit kits.



Related posts:

The Underground Economy's Supply of Goods and Services

The Dynamics of the Malware Industry - Proprietary Malware Tools 

Localizing Cybercrime - Cultural Diversity on Demand 

E-crime and Socioeconomic Factors 

Localizing Open Source Malware 

Coding Spyware and Malware for Hire

The FirePack Exploitation Kit Localized to Chinese

MPack and IcePack Localized to Chinese

The Icepack Exploitation Kit Localized to French 

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.



Today, a botnet will not only be sending out phishing emails, automatically SQL inject vulnerable sites across the web, but also, provide fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency provided by the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access it it sold and resold so many times, that it would be hard to keep track of all the malicious activities it participates in. Cybercrime in between on multiple fronts using a single botnet is only starting to take place as concept.



That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :



"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."



Murky until now? I can barely see anything around me due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.



The Storm Worm-ers themselves aren't sending out pharma spam, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program, a pharmacy affiliate program has been around for several years :



"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"



What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure new bots are added, what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.



Related posts:

Storm Worm Hosting Pharmaceutical Scams

All You Need is Storm Worm's Love

Social Engineering and Malware

Storm Worm Switching Propagation Vectors

Storm Worm's use of Dropped Domains

Offensive Storm Worm Obfuscation

Storm Worm's Fast Flux Networks

Storm Worm's St. Valentine Campaign

Storm Worm's DDoS Attitude

Riders on the Storm Worm

The Storm Worm Malware Back in the Game

Monday, July 28, 2008

Click Fraud, Botnets and Parked Domains - All Inclusive

It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names is aiming to attract high value and expensive keywords in order for the scammer to year higher on per click percentage. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on per click basis with "human clickers" who earn money based on how many ads they click given a set of scammer's owned sites, where the customer supports represents a DIY proxy switching application changing their IP on the fly.



Click Forensics's recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit blick fraud, using a common traffic exchange scheme. What's new is the use and abuse of parked domains :



"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."



Cybersquatting security vendors in order to improve the chances of attracting high-valued keywords to later on commit click fraud on the parked domains, now showing relevant security ads, is nothing new. The trend has been pretty evident for a while, with cybersquatting increasing on an yearly basis according to multiple sources :



"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands.  The cybersquatter receives money every time internet users access this website and click on one of the ads."



However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :



symentec .com

symantek .com

symanteck .com

symantac .com

symantaec .com

symantic .com

symmantec .com

symanntec .com

ssymantec .com

symanthec .com

symanzec .com

symanttec .com

sjmantec .com

saimantec .com

seymantec .com

symanrec .com

symantrc .com

symantwc .com

aymantec .com

dymantec .com

sxmantec .com

symantex .com

symantev .com

symabtec .com

symamtec .com

synantec .com

stmantec .com

symanyec .com

sumantec .com

symant3c .com

syman5ec .com

wwwsymantec .com

symanteccom .com

ymantec .com

syantec .com

symntec .com

symanec .com

symantc .com

symante .com

symattec .com

symantcc .com

syman-tec .com

syymantec .com

symaantec .com

symanteec .com

symantecc .com

ysmantec .com

syamntec .com

symnatec .com

symatnec .com

symanetc .com

symantce .com




As well as recent sample brandjacking Kaspersky :

kespersky .com

kasparsky .com

kaspaersky .com

kaspasky .com

kasperscky .com

gaspersky .com

kasbersky .com

kasppersky .com

kasperrsky .com

kasperssky .com

kasperskj .com

kasperskey .com

kaapersky .com

kasperaky .com

kasperdky .com

laspersky .com

kaspersly .com

kasperskt .com

kaspersku .com

kasp3rsky .com

kaspe4sky .com

kas0ersky .com

wwwkasperskycom .com

wwwkaspersky .com

kasperskycom .com

aspersky .com

kspersky .com

kasersky .com

kaspesky .com   

kaspersy .com

kaspersk .com

kappersky .com

kaspessky .com

kas-persky .com

kasp-ersky .com

kasper-sky .com

kasperskyy .com

akspersky .com

ksapersky .com

kapsersky .com

kaseprsky .com

kaspesrky .com   

kaspersyk .com

kaspersky24 .com

kasperskyonline .com

kaspersky-online .com




What's most disturbing is that instead of having cybersquatting taken care take of a long time ago, so that scammers would need to emphasize on the junk content in order to attract the relevant ads on the bogus domains, cybersquatting still does the magic by including the targeted word in the domain name itself, so that no junk content generation courtesy of a blackhat SEO tool is needed.



Related posts:

Cybersquatting Security Vendors for Fraudulent Purposes

Cybersquatting Symantec's Norton AntiVirus

The State of Typosquatting - 2007

Smells Like a Copycat SQL Injection In the Wild

In between the massive SQL injections, that as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engine's indexes as a reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js using day.js to attempt multiple exploitation using publicly obtainlable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1, GLIEDown.IEDown.1, and targeting primarily Chinese web communities.



Compared to a bit more sophisticated attack tactics applied by Chinese hackers, taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains as well as the exploits themselves are parked on the same plaee - 222.216.28.25, also responding to :



down.goodnetads .org

ads.goodnetads .org

real.kav2008 .com

hk.www404 .cn

err.www404 .cn

mx.content-type .cn

sun.63afe561 .info

ads.633f94d3 .info

ads.1234214 .info

ad.50db34d5 .info

ads.50db34d5 .info

ad.8d77b42a .info

web.adsidc .info

free.idcads .info

free.cjads .info

ads.adslooks .info

list.adslooks .info

ad.5iyy .info




The SQL injected domains :

ads.633f94d3.info/day .js

ad.8d77b42a.info/day .js

ad.5iyy.info/day .js

free.idcads.info/day .js

efreesky.com/day .js

v.freefl.info/day .js




The internal structure :

free.idcads.info/f/index .htm

free.idcads.info/014 .htm

free.idcads.info/real11 .htm

free.idcads.info/real10 .htm

free.idcads.info/lz .htm

free.idcads.info/bf .htm

free.idcads.info/kong .htm

free.idcads.info/f/swfobject .js

ad.50db34d5.info//rm%5C/rm .exe




Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :

ftp.gggjjj .info

live.ads002 .net

log.goodnetads .org

dat.goodnetads .org

root.51113 .com

sun.update999 .cn

abb.633f94d3 .info

up.50db34d5 .info


web.cn3721 .org   

dat.goodnetads .org

cs.rm510 .com

sb.sb941 .com

k.sb941 .com

info.sb941 .com

day.sb941 .com

post.ad9178 .com

v.91tg .net




Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.



Related posts:

SQL Injecting Malicious Doorways to Serve Malware

Yet Another Massive SQL Injection Spotted in the Wild

Malware Domains Used in the SQL Injection Attacks

SQL Injection Through Search Engines Reconnaissance

Google Hacking for Vulnerabilities

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Sony PlayStation's site SQL injected, redirecting to rogue security software

Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Friday, July 25, 2008

Counting the Bullets on the (Malware) Front

How much malware is your antivirus solution detecting? A million, ten million, even "worse", less than a million? Does it really matter? No, it doesn't. What's marketable can also be irrelevant if you are to consider that today's malware is no longer coded, but generated efficiently and obfuscated on the fly. Sophos's recent statistics :

"It is estimated that the total number of unique malware samples in existence now exceeds 11 million, with Sophos currently receiving approximately 20,000 new samples of suspicious software every single day - one every four seconds."

F-Secure's comments according to which they're "lacking behind" Sophos with ten million malware samples :

"Our AVP database reached one million detection records last night. Dr. Evil would be so impressed…"

McAfee's recent comments as well, which seem to detect less malware samples than F-Secure, depending on how you count them of course :

"It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And I predict we will detect at the end of 2008 between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate there are many manners to count malware and you must not judge a product only by the announced number of detections."

You have an antivirus software that's detecting 10 million malware samples, in reality, while it's protecting you from 10 million malware samples it wouldn't protect you from the just coded for hire malware bot that's about to get used in a targeted attack. The number of malware samples detected by any antivirus vendor is up to how they actually count them, do they take into consideration malware families, do they actually distinguish them, or are they in fact perceiving each and every malware as as seperate "bachelor".

Given the speed in which malware authors are lauching a DDoS attack against AV vendors by crunching out dozens of malware variants parts of a single family, their actions could start directly driving the data storage market, and if they continue maintaining the same rhythm, soon you'll be partitioning a separate GB for the signatures files. Then again, the number of malware samples detected by an antivirus solution isn't the single most important benchmark for its actual usability in a real-life situation, keep that in mind.

Where's the Count when you need him most? Well, he's somewhere out there counting.

Counting the Bullets on the (Malware) Front

How much malware is your antivirus solution detecting? A million, ten million, even "worse", less than a million? Does it really matter? No, it doesn't. What's marketable can also be irrelevant if you are to consider that today's malware is no longer coded, but generated efficiently and obfuscated on the fly. Sophos's recent statistics :



"It is estimated that the total number of unique malware samples in existence now exceeds 11 million, with Sophos currently receiving approximately 20,000 new samples of suspicious software every single day - one every four seconds."



F-Secure's comments according to which they're "lacking behind" Sophos with ten million malware samples :



"Our AVP database reached one million detection records last night. Dr. Evil would be so impressed…"



McAfee's recent comments as well, which seem to detect less malware samples than F-Secure, depending on how you count them of course :



"It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And I predict we will detect at the end of 2008 between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate there are many manners to count malware and you must not judge a product only by the announced number of detections."



You have an antivirus software that's detecting 10 million malware samples, in reality, while it's protecting you from 10 million malware samples it wouldn't protect you from the just coded for hire malware bot that's about to get used in a targeted attack. The number of malware samples detected by any antivirus vendor is up to how they actually count them, do they take into consideration malware families, do they actually distinguish them, or are they in fact perceiving each and every malware as as seperate "bachelor".



Given the speed in which malware authors are lauching a DDoS attack against AV vendors by crunching out dozens of malware variants parts of a single family, their actions could start directly driving the data storage market, and if they continue maintaining the same rhythm, soon you'll be partitioning a separate GB for the signatures files. Then again, the number of malware samples detected by an antivirus solution isn't the single most important benchmark for its actual usability in a real-life situation, keep that in mind.



Where's the Count when you need him most? Well, he's somewhere out there counting.

Thursday, July 24, 2008

Vulnerabilities in Antivirus Software - Conflict of Interest

Vulnerabilities within security solutions -- antivirus software in this case -- are a natural event, however, the conflict of interests and failure of communication between those finding them and those failing to acknowledge them as vulnerabilities in general, harms the customer. How they get count, and how is their severity measured in a situation where a vulnerability bypassing the scanning method of an antivirus software allowing malware to sneak in, is less important than a remote code execution through the antivirus software, is a good example of short sightedness. Here's a related development regarding a recent study regarding vulnerabilities in antivirus software - "McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position" :



"Several days after blogging about a research conduced by n.runs AG that managed to discover approximately 800 vulnerabilities in antivirus products, McAfee issued a statement basically debunking the number of vulnerabilities found, and providing its own account into the number of vulnerabilities affecting its own products :



“A recent ZDnet blog discusses a large number of vulnerabilities German research team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products. We researched the N.Runs claims by analyzing the raw data and found their claims to be somewhat exaggerated. We will discuss our findings (and make available our source data) in the attached document. We have also provided our source data for anyone who wishes to examine it.”



Today, n.runs AG has issued a response to McAfee’s statement, providing even more insights into the vulnerabilities they’ve managed to find, how they found them, and why are the affected antivirus vendors questioning the number of flaws in general."



Consider going through the interview with Thierry Zoller as well.



UPDATE: The folks at ThreatFire know how to appreciate my rhetoric.



Related posts:

Scientifically Predicting Software VulnerabilitiesZero Day Initiative "Upcoming Zero Day Vulnerabilities"

Delaying Yesterday's "0day" Security Vulnerability

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

Zero Day Vulnerabilities Market Model Gone Wrong

Zero Day Vulnerabilities Auction

The Zero Day Vulnerabilities Cash Bubble

People's Information Warfare vs the U.S DoD Cyber Warfare Doctrine

Which doctrine would you choose if you had the mandate to? Dark room a

We cannot discuss these if we don't compare their cyber warfare approaches next to one another. It's rather ironic situation, since China has built its cyber
warfare doctrine based on the research conducted into the topic by U.S military personel. At a later stage, Chinese military thinkers perceved the combination
of Sun Tzu's military strategies in the virtual realm

Email Hacking Going Commercial

This email hacking as a service offering is the direct result of the public release of a DIY hacking kit consisting of each and every publicly known vulnerability for a variety of web based email service providers, with the idea to make it easier for someone to execute their attacks more efficiently. Outsource the hacking of someone's email, and receive a proof in the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in even after they've changed their passwords? Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers. The service works in 7 steps :



"1- Submit your case to one of our experts.

2- After successful submission , you will be sent a confirmation email along with your Case Reference Number (CRN) .

3- Our expert(s) will revert back to you in a few minutes with the details, the charges & the turn-around time. You may also be asked to provided additional information through a private form if required by our expert.

4- Once our expert has all the required information, you will be provided a username/password to our client area where you can view the real-time progress of your case.

5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will provide you with proof-of-success , which you can verify and confirm.

6- Once you have verified the authenticity of success, you will be sent detailed payment instructions. You will be asked to pay using anyone of our multiple payment methods.

7- Once the payment is realized, we will provide you the requisite information
"



Who's doing the actual email hacking? Independent contractors on behalf of the service as it looks like :



"Most other groups employ phishing , trojans or viruses which could damage or even alert the target. Our experts use techniques which are developed by themselves , not shared by anyone. We don't ask them how they do it, but as long as they provide us the desired results, its ok for us. Since we test their methods while they are on probation period with us, we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the methods used by CSP."



How would they prove that they've managed to hack the email account before requesting the payment?



"1- Multiple screenshots of the mailbox

2- A copy of your own email which you had sent to the target

3- A copy / part of the address-book of the target mailbox.
"



Ironically, a hypothetical questionarry that I once speculated a private detection would require from someone interested in Outsourcing The Spying on Their Wife, in order to set the foundations for a successful social engineering attack, is being used by the email hacking group.

Tuesday, July 22, 2008

Lazy Summer Days at UkrTeleGroup Ltd

The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.



UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.



Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup Ltd's 85.255.117.163.



Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :



(216.195.41.11)

antivirusxp2008 .com

malwareprotector2008 .com

antivirxp08 .com

antivirusxp08 .com

avxp08 .com

youpornztube .com

winifixer .com

advancedxpfixer .com

encountertracker .ws




It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (85.255.118.172) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (85.255.118.171), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com (85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home.



winifixer .com, a well known rogue software, is entirely relying on UkrTeleGroup's hosting services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue security software and live exploit URLs. Take for instance their efficiency centered approach to park numerous malicious domains on a single IP, like 85.255.117.218 in this case :



bestfunnyvids .com

celebs69 .com

celebsnofake .com

celebstape .com

celebsvidsonline .com

codecservice1 .com

freevidshardcore .com

newfunnyvideo .com

sexlookupworld .com

starfeed1 .com

starfeed2 .com

topdirectdownload .com   

topsearchresults1 .com

topsoftupdate .com

yourfavoritetube .com




Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by krab@thekrab.com behind which is supposedly Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.

Coding Spyware and Malware for Hire

What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already.

The whole maturity from a product concept to customerization is in fact so prevalent these days, that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that remotely exploitable flaws like this one in one of the most popular Ebanker malwares for the last two yers Zeus, could be discovered due to the malware author's insecure coding practices. Moreover, limiting the distribution of a single license they are given to more than three people will result in the malware author ignoring any future business relationships with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, something that's been happening and will continue happening with web malware exploitation kits.

What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing

Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to :

"As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:

Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously
300 €


FTP and not only Graber
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)
150 € 


Assembler spam bases

Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap
220 €

Socks 4 / 5
 

Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.
70 €

Indicates

The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)
35 €

Scripts

Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)
70 € basic functionality

Assembler passwords

Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords
70 €

Mini-AV

When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve
70 €

File-default

In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.
35 €

Form Graber

While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:

Graber certificats

On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)

Injections

Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.

Graber balances

Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.

Screen

Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.

Antiabuznost for botneta

Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.
600 € +


All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)

Rules / Licence

-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me

-- Customer does not have the right to make any decompile, research, malicious modification of any three parts

-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.

-- For violating the rules - without any license denial manibekov and further conversations
"

This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example that incentives and revenue-sharing models result in value-added services, a all-in-one shop for a customer to take advantage of without bothering to approach a third-party.

Cybercrime is getting even more easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

Monday, July 21, 2008

Impersonating StopBadware.org to Serve Fake Security Warnings

Malware is known to have been hijacking search results, take for instance the rogue Antivirus XP 2008 as a recent example, but it's even more interesting to see other rogue security software impersonating Stopbadware.org in order to server fake security warnings that ultimately lead to fake security software.



stopbadware2008 .com (58.65.238.171) is one of these examples, where stopbadware2008 .com/antivirus.php  redirects to infectionscanner .com and attempts to trick the user into installing download.infectionscanner.com /AntvrsInstall.exe.  The message used :



"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and continue safe Internet browsing."



There's in fact even more rogue software using the same IP (58.65.238.171), courtesy of HostFresh :

virus-scanner-online .com

security-scanner-online .com

viruses-scanonline .com

virus-scanonline .com

antivirus-scanonline .com

download.antivirus-scanonline .com

topantivirus-scan .com

topvirusscan .com

virusbestscan .com

virus-detection-scanner .com

antivirus-scanner .com

infectionscanner .com

virusbestscanner .com

internet-security-antivirus .com




It would be interested to monitor whether or not the template for the fake security warning would start getting used on a large scale.



Related posts:

A Portfolio of Fake Video Codecs 

Fake PestPatrol Security Software

Got Your XPShield up and Running?

Localized Fake Security Software

A Diverse Portfolio of Fake Security Software

RBN's Fake Security Software

SQL Injecting Malicious Doorways to Serve Malware

Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasing common, as is the use of SQL injections in order for the malicious parties to ensure their campaigns will receive enough generic traffic to their redirectors. Excluding the use of the very same traffic management tools, web malware exploitation kits, templates for the rogue adult sites and the rogue security software, perhaps the most important thing to point out regarding all of the previously analyzed such campaigns, is that they are all related to one another, and are operated by the same people, using the very same infrastructure and live exploit URLs most of the time.



Let's expose yet another such campaign, that has been SQL injected and spammed across a couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45), and from there the following campaigns load on-the-fly :



porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)

getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)

immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)

movieexternal .com/download.php?id=1552 (77.91.231.201)

2008adults2008a .com/freemovie/144/0/

avwav .com/1931.htm

codecupgrade .com (74.50.117.84)

iwillseethatvideo .com (91.203.92.53)

dciman32 .com (85.255.120.45)



Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections with malware gangs and previous campaigns can be established. For instance, here are some more "sleeping beauties" at 74.50.117.84 :



 winantivirus2008 .org

porntubev20 .com

crack-land .com

just-tube .com   

codecupgrade .com

codecupgrade .com

scanner-tool .com

surf-scanner .com

best-cracks .com

updatehost .com

updatehost .com

freemoviesdb .net

megasoftportal .net




And even more malicious doorways, and rogue software at 89.149.227.195 :



musicportalfree .com

softportalfree .com

verifiedpaymentsolutionsonline .com

my-adult-catalog .com

indafuckfuck .com

best-porncollection .com

funfuckporn .com

sanxporn .com

dolcevido .com

xiedefender .com

online-malwarescanner .com

easyvideoaccess .com

my-searchresults .com

creatonsoft .com

ihavewetfuckpussy .com




How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of the ISPs that you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later, and when your abuse emails become more persistent, a fake account suspended notice makes it to the front page, whereas the campaigns get automatically updated to redirect to an internal page, again serving the malware and the redirectors.



Related posts:

Fake Porn Sites Serving Malware - Part Two

Fake Porn Sites Serving Malware

Underground Multitasking in Action

Fake Celebrity Video Sites Serving Malware

Blackhat SEO Redirects to Malware and Rogue Software

Malicious Doorways Redirecting to Malware

A Portfolio of Fake Video Codecs

Friday, July 18, 2008

Money Mule Recruiters use ASProx's Fast Fluxing Services

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc.  ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information.
"


The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk


With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Money Mule Recruiters use ASProx's Fast Fluxing Services

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc.  ) anyway?



"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:


1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.



2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.



3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information.
"



The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :



ns10.cashtransfers.tk

ns11.cashtransfers.tk

ns1.cashtransfers.tk

ns12.cashtransfers.tk

ns2.cashtransfers.tk

ns13.cashtransfers.tk

ns3.cashtransfers.tk

ns14.cashtransfers.tk

ns4.cashtransfers.tk

ns15.cashtransfers.tk

ns5.cashtransfers.tk

ns16.cashtransfers.tk

ns6.cashtransfers.tk

ns17.cashtransfers.tk

ns7.cashtransfers.tk

ns8.cashtransfers.tk




With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.



Related posts:

Storm Worm's Fast Flux Networks

Managed Fast Flux Provider

Fast Flux Spam and Scams Increasing

Fast Fluxing Yet Another Pharmacy Spam

Obfuscating Fast Fluxed SQL Injected Domains

Storm Worm Hosting Pharmaceutical Scams

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Money Mule Recruiters use ASProx's Fast Fluxing Services

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc.  ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information.
"

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk


With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet