- its do-it-yourself nature, just like many of the malware tools I've covered before is empowering script kiddies with advanced point'n'click capabilities
Thursday, January 31, 2008
- its do-it-yourself nature, just like many of the malware tools I've covered before is empowering script kiddies with advanced point'n'click capabilities
Monday, January 28, 2008
"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks."
Let's be a little more descriptive. The only IP that was included in the IFRAME was 188.8.131.52/tab.php which was then forwarding to 184.108.40.206/w/wtsin.cgi?s=z. ip-68-178-194-64.ip.secureserver.net (also responding to lmifsp.com and foxbayrental.com) has been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The secondary IFRAME is a redirector script in a traffic management script that can load several different URLs, to both, generate fake visits to certain sites that are paying for this, and a live exploit URL as it happens in between.
Historical preservation of actionable intelligence on who's what and what's when is a necessity. Here are for instance two far more in-depth assessments given the exploits URLs were still alive back then, discussing the malware embedded at the sites of the U.S Consulate in St. Petersburg, and the Syrian Embassy in the U.K.
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
A Portfolio of Malware Embedded Magazines
The New Media Malware Gang
The New Media Malware Gang - Part Two
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Have Your Malware in a Timely Fashion
Cached Malware Embedded Sites
Compromised Sites Serving Malware and Spam
Malware Serving Online Casinos
Monday, January 21, 2008
"Is the first program of the Islamic multicast security across networks. It represents the highest level of technical multicast encrypted but far superior. All communications software, which are manufactured by major companies in the world so that integrates all services communications encrypted in the small-sized portable. Release I of the "secrets of the mujahideen" the bulletin brothers in the International Islamic Front and the media have registered so scoop qualitatively in the field of information and jihadist exploit the opportunity to thank them for their wonderful and distinctive. And the continuing support of a media jihadist group loyalty in the technical development of a network of Islamic loyalty program and the issuance of this version, in support of the mujahideen general and the Islamic State of Iraq in particular."
Key features in the first version :
-- Encryption algorithms using the best five in cryptography. (AES finalist algorithms)
-- Symmetrical encryption keys along the 256-bit (Ultra Strong Symmetric Encryption)
-- Keys and encryption algorithms changing technology ghost (Stealthy Cipher)
-- Program consisting of one file Facility file does not need assistance to install and can run from the memory portable
-- Multicast encrypted via text messages supporting the immediate use forums (Secure Messaging)
-- Transfer files of all kinds to be shared across texts forums (Files to Text Encoding)
-- Production of digital signature files and make sure it is correct
-- Digital signature of messages and files and to ensure the authenticity of messages and files
So far, Reuters picked up the topic - Jihadi software promises secure Web contacts :
"The efficacy of the new Arabic-language software to ensure secure e-mail and other communications could not be immediately gauged. But some security experts had warned that the wide distribution of its earlier version among Islamists and Arabic-speaking hackers could prove significant. Al Qaeda supporters widely use the Internet to spread the group's statements through hundreds of Islamist sites where anyone can post messages. Al Qaeda-linked groups also set up their own sites, which frequently have to move after being shut by Internet service providers."
- Malware is no longer created, it's being generated
The myth of someone reinventing the wheel, namely coding a malware bot from scratch is no longer realistic. Modern malware is open source, modular, localized to different languages, comes with extensive documentation/comments and HOWTO guides/videos. Moreover, these publicly obtainable open source malware bots were released in the wild for free, namely, the coders that originally started the "generators" or the "compilers" generation took, and enjoyed only the fame that came with coming up with the most widely used and successful bot family. Take Pinch for instance and the recent arrest of the "coders". New and improved versions of Pinch are making their rounds online, but how is this possible since the people behind it are no longer able to update it? To achieve immortality for Pinch, they've released it as open source tool, namely anyone can use its successful foundation for any other upcoming innovation. The original coders are gone, the "malware generators" and the "compilers" are cheering since they still have access to the tool. Another popular entry obstacle such as advanced coding skills is gone, anyone can compile, generate and spread the samples, or used them for targeted attacks.
- "Will code malware for food" type of individuals don't really exist anymore
A cat doesn't eat mice when it's hungry, it eats mice when it's already been fed, and therefore does it for prestige and entertainment. Storm Worm is not released by the "desperation department", it's an investment on behalf of someone who will monetize the infected hosts, or who has outsourced the infection process to botnet aggregators. Moreover, there's no lack of IT employment opportunities in times of growing economy, exactly the opposite, the economy is booming, investments are made in networks and infrastructure and therefore people will start receiving incentives for training and therefore the demand for IT experts will increase given the government is visionary enough to invest in the long-term, in terms of education and training. If it's not, structural unemployment will undermine the local industry, you'll end up with software engineers working at the local McDonald's during the day, and coding malware during the night - a stereotype. For instance, go through this article and notice the quote regarding the attitude towards the U.S. Malware coders/generators aren't on the verge of starvation, they're on a mission with or without actually realizing it :
"I don't see in this a big tragedy," said a respondent who used the name Lightwatch. "Western countries played not the smallest role in the fall of the Soviet Union. But the Russians have a very amusing feature — they are able to get up from their knees, under any conditions or under any circumstances. As for the West? "You are getting what you deserve."
It's a type of "Why are you doing me a favour that I still cannnot appreciate?" issue, collectivism vs individualistic societies. E-crime is not just easy to outsource, but the entry barriers in space are so low, we can easily argue it's no longer about the lack of capabilities, but the lack of motivation to participate, and actually survive, that drive E-crime particularly in respect to malware. From an economic perspective, the Underground Economy's high liquidity is perhaps the most logical incentive to participate, which is a clear indication on the transparency and communication that parties involved have managed to achieve.
Thursday, January 17, 2008
File size: 888832 bytes
A sample is detected as W32/VB-Remote-TClient-based!Maximus.
In related news, MSN is said to be the most targeted IM client :
"Within the IM category, 19 percent of threats were reported on the AOL Instant Messenger network, 45 percent on MSN Messenger, 20 percent on Yahoo! Instant Messenger and 15 percent on all other IM networks including Jabber-based IM private networks. Attacks on these private networks have more than doubled in share since 2003, rising from seven percent of all IM attacks to 15 percent in 2007."
As always, it's a matter of a vendor's sensors network to come up with increasing or decreasing levels of a particular threat, but the pragmatic reality nowadays has to do with less IM spreading malware, and much, much more malware embedded trusted web sites.
Moreover, according to some publicly obtainable stats, IM spreading malware in general has been declining for the past two years, but how come? It's because of their broken and bit outdated social engineering model, namely the lack of messages localization, abuse of public events as windows of opportunities, and the lack of any kind of segmentation. One-to-many may be logical from an efficiency point of view, but it's like embedding a single exploit on hundreds of thousands of sites compared to a set of exploits, or a set of techniques like in this case.
Wednesday, January 16, 2008
Detection rate : 3/32 (9.38%)
File size: 114689 bytes
NOD32v2 - a variant of Win32/Nuwar
Prevx1 - Stormy:All Strains-All Variants
Webwasher-Gateway - Win32.Malware.gen!88 (suspicious)
The binary drops burito.ini (MD5 - A65FA0C23B1078B0758B80B5C0FD37F3) and burito1205-67d5.sys (MD5 - C4B9DD12714666C0707F5A6E39156C11), and creates the following registry entries :
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5\0000 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5\Security
Surprisingly, there are no client-side vulnerabilities used in last two campaigns.
Tuesday, January 15, 2008
The following files are partly accessible at the still active C&C's, the first one for instance :
dev.aero4.cn/adpack/index.php (220.127.116.11) once deobfuscated loads dev.aero4.cn/adpack/load.php :
Detection rate : 11/32 (34.38%)
File size: 6656 bytes
It gets even more interesting as the downloader attempts to download the following :
And as I've already pointed out in a previous post, 18.104.22.168 is the New Media Malware Gang. Moreover, next to m.exe and d.exe with an over 50% detection rates, 200.exe is impressively detected by one anti virus vendor only :
Detection rate : 1/32 (3.13%)
File size: 33280 bytes
Further continuing this assessment, firewalllab.cn (22.214.171.124) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 126.96.36.199 is also responding to known New Media Malware Gang domains :
Furthermore, 188.8.131.52 seems to have made an appearance at otrix.ru, where in between the obfuscation an IFRAME loads to 184.108.40.206/forum.php, where two more get loaded 4qobj63z.tarog.us/tds/in.cgi?14; 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, again and again - 4qobj63z.tarog.us was among the domains used in the malware embedded attack again the French government's site related to Lybia, and there I made the connection with the New Media Malware Gang for yet another time.
There's indeed a connection between the RBN, Storm Worm and the The New Media malware gang. The malware gang is either a customer of the RBN, partners with the RBN sharing know-how in exchange for infrastructure on behalf of the RBN, or RBN's actual operational department. Piece by piece and an ugly puzzle picture appears thanks to everyone monitoring the RBN that is still 100% operational.
Monday, January 14, 2008
As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.
Despite that the main campaign domains are blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and continue trying to load the now down domains. Moreover, the big picture has to do with a fourth domain as well, yl18.net/0.js, that used to be a part of the same type of massive malware embedded attack in November, 2007.
Why pseudo "real players" anyway? Because for this attack, they took advantage of what can be defined as a fad, namely the use seperate exploit as the cornerstone of the campaign, at least if its massive infection they wanted to achieve. The "real players" or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploits set, the higher the probability a vulnerable application will be detected and exploited. Therefore, given the number of sites affected it could have been much worse than it is currently based on speculations of the success rate of the campaign in terms of infections, not the sites affected - a success by itself. Execution gone wrong given the foundation for the attack - until the next time.
Thursday, January 10, 2008
8v8.biz/ms07004.htm (220.127.116.11) is such a domain that's serving a combination of these starting with Exploit-MS07-004 :
Result: 12/32 (37.5%)
File size: 3432 bytes
8v8.biz/1.htm - MDAC also loads 8v8.biz/06014.html in between 8v8.biz/r.htm - real player unobfuscated, wheere all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; Win32/Cekar!generic
Result: 27/31 (87.10%)
File size: 19501 bytes
The binary is using a default set of known executables of anti malware products, and is installing a default debugger injected upon execution of any of these, and is therefore successfully killing many of the applications.
Another exploit serving domain with a very diverse set of exploits used, but again serving the faddish RealPlayer plus MDAC combination is uc147.com (18.104.22.168) :
where all are trying to load uc147.com/zy.exe :
Result: 24/32 (75%)
File size: 15456 bytes
The third domain is great example of what's an emerging trend rather than a fad, namely the use of comprehensive multiple IFRAMES loading campaigns. qx13.cn/3.htm (22.214.171.124) (IE COM CreateObject Code Execution (MS06-042) which loads sp.070808.net/23.htm, (126.96.36.199) where the following try to load as well :
Two other IFRAMES within within qx13.cn/3.htm, w.aeaer.com/ae.htm (188.8.131.52) loads the same IFRAMES, and qi.ccbtv.net/btv.htm (184.108.40.206) again loads the same IFRAMEs. It gets even more complicated and the ecosystem more comprehensive as the secondary IFRAMEs logically load many others such as :
The more complicated and dynamic these IFRAME-ing attacks get, the higher the campaign's lifecycle becomes, making it harder the determine where's the weakest link, and making it easier for the malicious parties to evaluate which node needs a boost by including new domains spread across different netblocks like this case.
Tuesday, January 08, 2008
Monday, January 07, 2008
"Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords. Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords."
- rnmb.net/0.js says "ok! ^_^ Don't hank me !" but compared to the first two that are still active, this one is down as of yesterday, despite that it still remains embedded on many sites
Detection rate for the unobfuscated exploit :
Detection rate for the obfuscated exploit :
A lot of university, and international government sites continue to be embedded with the script, and so is Computer Associates site according to this article :
"Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."