Wednesday, February 27, 2008

RBN's Phishing Activities

As we're on the topic of RBN's zombies trying to connect to their old netblocks, and botnets being used to host and send out phishing content, what looks like entirely isolated incidents in the present, is what has actually being going on on RBN's network during the summer of 2007. A picture is worth a thousand speculations, yes it is. As you can see in the attached historical screenshot of a web based botnet C&C, the Russian Business Network's old infrastructure has also been involved into delivering phishing pages to malware infected hosts, whose requests to the legitimate sites were getting forwarded to RBN's old netblock. The process is too simple, thereby lowering the entry barriers into phishing activities due to its modularity. Basically, the botnet master can easily configure to which fake phishing site the infected population would be redirected to, if they are to visit the original one with no more than three clicks. And so, for the purpose of historical preservation of CYBERINT data given the quality of the identical screenshot obtained through OSINT techniques -

RBN URLs used in the phishing redirects :

Known malware to have been connecting to :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.

Some facts are better known later, than never.

Yet Another Massive Embedded Malware Attack

The following central redirection point in a portfolio of exploits and malware serving domains - is currently embedded at couple of hundred sites and forums across the web. And just like the many previous such examples, the process is automated to the very last stage. Repeated requests expose the entire domains portfolio, where once the live exploit is served with the help of a javascript obfuscations, the binaries come into play. Here are all the domains and live exploit URLs involved for this particular campaign : - - - - - - - - -

Who says there's no such thing as free malware cocktails.

Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Tuesday, February 26, 2008

RBN's Malware Puppets Need Their Master

Despite that it's already been a couple of months since RBN's main ASN got "withdrawn" from the Internet due the public pressure put on the Russian Business Network's malicious activities, hundreds of malware variants continue trying to access their C&Cs and update locations from RBN's old netblock. Malware puppets with no master to connect to despite their endless efforts - now these are the real zombies if we're to stick to the terminology. Catch up with more details on RBNs migration, and extended partnership network.

Monday, February 25, 2008

Inside a Botnet's Phishing Activities

The following incident response assessment will demonstrate how a botnet's infected hosts can not only be used as stepping stones, but also for the purpose of sending out phishing emails, and hosting the domains used in the scams themselves, thereby forwarding the responsibility for the scams to the infected parties, in between remaining relatively untraceable. The malware variants are still in the wild, and the ecosystem itself is currently active as well. Upon receiving and sandboxing the malware detected as BKDR_AGENT.AKJZ, Backdoor.Agent.AJU, and, BKDR_AGENT.AKJZ, both binaries attempt to connect to several IPs, one's that's resolving to the entire ecosystem's name servers, namely This KISS strategy allows us to quickly expand the entire domain portfolio and the associated phishing campaigns already in the wild. Here are the domains serving the phishing pages that are actually hosted on the botnet's infected hosts :

It's quite obvious that their descriptive nature, just like the ones I've discussed before, is to be used in phishing attacks in order to visually social engineer the receipts. And as you can see in the attached graphs, the IPs resolving to the domains are the typical home based infected end users, who would from a theoretical perspective be sending phishing emails to themselves at a later stage. And so once infected the hosts phone back home to receive instructions on participating in the malicius ecosystem by temporarily serving the phishing domains. Upon infection the hosts try to connect to;; and, where for the time being there're twenty different variants that are known to have been using for DNS resolving purposes. All of these domains are using the same nameservers indicating their connection. Here are some of the subdomains in the already running, and spammed phishing campaigns :

Now that the botnet's phishing activities are exposed, it's also important to mention the fact that besides the phishing activities, this is the botnet that's been sending out the recent fake Microsoft Critical Live Update emails.

The Continuing .Gov Blackhat SEO Campaign - Part Two

As it's becoming increasing clear that blackhat SEOers are actively experimenting with embedding their content on high pagerank sites, such as .govs, the numerous campaigns, one of which was by the way serving malware, indicate that injection the content through remote file inclussion or remotely exploitable web application vulnerabilities is an emerging trend that deserves to be closely examined. Here are several more currently active blackhat SEO campaigns located at :

- Utah Attorney General’s Office Identity Theft Reporting Information System - - 20, 200 SEO pages

- Mid-Region Council of Governments - - 3, 630 pages

- Readyforwinners e-magazine - - 890 SEO pages

- National Homecare Council - - 220 SEO pages

- Washington Wing Website - - 93 SEO pages

- Fauquier County - - 69 SEO pages

- Wisconsin Department of Military Affairs - - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment

The number of pages currently hosted at these high pagerank domains is indeed disturbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" campaign, where outgoing links and SEO content is embedded at the host, but is only visible to web crawlers. Take the Wisconsin Department of Military Affairs's site for instance, where a news item that was posted in 2003, yes five years ago, is still embedded with "invisible blackhat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones.

Sampling the outgoing links also speaks for itself, take ( for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :

This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case.

Friday, February 22, 2008

Malware Infected Hosts as Stepping Stones

The following service that's offering socks hosts on demand, is pretty much like the Botnet on Demand one, with the only difference in its marketing pitch, namely, these are malware infected hosts as well, however, access is offered through them, but not to them. The degree of maliciousness of these hosts can only be measured once the exact IPs are known, and by degree of maliciousness I'm refering to their state of openess, namely, can malware, spam and phishing be also relayed through them, or we can eventually look up the historical IP reputation to figure out whether such activities have been going on in the past as well. Moreover, such commercial propositions are directly related with proxy threats, ones outlined in a KYE paper entitled "Proxy Threats - Port v666" discussing various detection and mitigation approaches :

"In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside)."

The commercial aspect's always there to say, and vertically integrate since besides selling the product in the form of the tool for, they could eventually start coming up with various related, and of course malicious services in the form of spamming, phishing etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for any kind of cybercrime activities, as well as the foundation for other services such as the managed fast-flux provider I once exposed.

Stepping stones as a concept in cyberspace, can be used for various purposes such as, engineering cyber warfare tensions, virtual deception, hedging of risk of getting caught, or actually risk forwarding to the infected party/country of question, PSYOPs, the scenario building approach can turn out to be very creative. One of the main threats possed by the use of infected hosts as stepping stones that I've been covering in previous posts related to China's active cyber espionage and cyber warfare doctrine, is that of on purposely creating a twisted reality. China's for instance the country with the second largest Internet population, and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware infects hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly top the number one position on malicious activities.

However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining foreign intelligence and research data is on the top of the agenda on every government with an offensive cyber warfare doctrine in place.

Thursday, February 21, 2008

Localizing Cybercrime - Cultural Diversity on Demand

Cultural diversity on demand is something I anticipated as a future malware trend two years ago - "Localization as a concept will attract the coders’ attention" :

"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack totarget specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."

It's been happening ever since, and despite that it's already getting the attention of vendors, malware authors do not need to know any type of foreign language to spread malware, spam and phishing emails in the local language, they do what they're best at (coding, modifying publicly obtainable bots source code), and outsource the things they cannot do on their own - come up with a locally sound message which would leter on be used for localized malware, spam and phishing attacks, a tactic with a higher probability of success if there were to also request that spammers can segment the harvested email databases for better campaign targeting. The Release of Sage 3 - The Globalization of Malware :

"In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not just skilled at computer programming they're skilled at psychology and linguistics, too."

With all due respect, but I would have agreed with this simple logic only if I wasn't aware of translation services on demand for anything starting from malware to spam and phishing messages. We can in fact position them in a much more appropriate way, as "cultural diversity on demand" services, where local citizens knowingly or unknowingly localize messages to be later on abused by malicious parties. Malware authors aren't skilled at linguistics and would never be, mainly because they don't even have to build this capability on their own, instead outsource it to cultural diversity on demand translation services, ones that are knowingly translating content for malware, spam and phishing campaigns.

The perfect example would be MPack and IcePack's localization to Chinese, and yet another malware localized to Chinese, as these two kits are released by different Russian malware groups, but weren't translated by them to Chinese, instead, were localized by the Chinese themselves having access to the kits - a flattery for the kits' functionality, just like when a bestseller book gets translated in multiple languages. As for the socioeconomic stereotype of unemployed programmers coding malware, envision the reality by considering that sociocultural, rather than socioeconomic factors drive cybercrime, in between the high level of liquidity achieved of course.

Malicious Advertising (Malvertising) Increasing

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious flash advertisements that were, and still participate in the rogue ads attacks :

01. (

02. (

03. (

04. (

05. (

06. (

07. (


09. (

10. (

11. (

12. (

Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :

Contact details of the fake new media advertising agencies :

- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210

- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"

- AdTraff - "Leader enterprise in Online Marketing"

Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70

Detection rate :

gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc

The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.

Wednesday, February 20, 2008

Uncovering a MSN Social Engineering Scam

This MSN scam trying to socially engineer end users into handling their accounting data by offering them the opportunity to supposidely see who's blocked them at MSN, has been circulating online for a while in the form of new domains that get actively spammed across different forums. The scam itself is just the tip of the iceberg, however it's a good example of a basic social engineering technique, the one with the basic promise. The scam's pitch :

"Quickly and easily learn who blocked you on MSN. The longly awaited feature for MSN Messenger, completely for free! Please input your MSN Messenger account information to learn who has blocked you. Our system will login with this information and learn who has blocked you."

Domains and DNS entries are still active, content's currently hidden : - - - -

Why would malicious parties care for collecting accounting data for IM users? If we're to put basic scenario building intelligence logic in this particular case, having access to couple of hundreds IM accounts acts as the perfect foundation for a IM malware spreading campaign, where access to the stolen data is actually the distribution vector. What would malicious parties do if they want to vertically integrate and earn higher return on investment in this case? They would segment the screenames by countries, cities and other OSINT data available, and earn higher-profit margins with the segmentation service offered to SPIMmmers.

Related posts:
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware

The FirePack Web Malware Exploitation Kit

In a typical tactical warfare from a marketing perspective, malicious parties are fighting for "hearth share" of their potential customers through active branding like the case with this malware kit. In a frontal competition attack aimed at IcePack, the authors of FirePack are pitching yet another "copycat" web exploitation malware kit for purchase at $3,000. Why a copycat anyway? Mainly because it lacks any major differentiation factors next to both, IcePack and MPack, except of course the different javascript obfuscation technique used. As in the majority of open source malware kits, their "modularity" namely easy for including new exploits and features within, is perhaps what makes assessing the impact of malware kits permanently outdated - a kit that you're assessing today has already been improved and new functionalities added in between.

The business strategies applied for such a hefty amount of money, are the lack of transparency means added biased exclusiveness, in order to cash-out through high-profit margins while taking advantage of the emerging malware kits cash bubble. A bargain hunter will however look for the cheapest proposition from multiple sellers, or subconsiously ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack and IcePack are nowadays.

Related posts :
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot

Monday, February 18, 2008

The Continuing .Gov Blackat SEO Campaign

Just like the situation in the previous case of injecting SEO content into .gov domains, once the pages are up and running, they get actively advertised across the Web, again automatically. While responds to, the subdomain is pointing to another netblock, in this case, exactly the same approach was used in a previous such assessment that was however serving malware to its visitors. Here are some of the very latest such examples listed by directory :

- Cobb County Government - - over 2,240 pages
- Benton Franklin Health District - - 1,200 pages
- Bridger, Montana - - 778 pages
- Mid-Region Council of Governments - - 336 pages
- Michigan Senate - - 26 pages
- Nevada City, California - - 13 pages
- Brookhaven National Laboratory - - 12 pages

Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative, but for instance, where a single blackhat SEO page was located seems to have been hacked by a turkish defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP"

Serving Malware Through Advertising Networks

In need of fresh binaries and malware serving domains? Start feeding your honeyfarm, or professional interests by participating in an affiliate network -- just like pharmaceutical scammers do -- that's literally serving live exploit URLs and dropping malware in real-time.

Upon registering at, you're enticed to IFRAME your web property, and point to (, also responds to and and currently trying to exploit MDAC ActiveX code execution (CVE-2006-0003) through the Neosploit malware kit. Banner.php is for the time being loading IFRAMEs to : ( ( ( - Neosploit malware kit

Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit serving URLs. loads : (; the malware embedded attack againt the French government's Lybia site) loads : ( ( ( ( ( ( ( ( loads :

Upon registering at the second affiliate program, the participant is asked to use the following URL to redirect traffic to (; (; ( Known domains/IPs with bad reputation. It gets even more interesting as we try to further expand the affiliate program under the many other different domain names they use such as :

Why would they bother sharing the revenues with other parties at the first place? To hedge of risk of getting caught serving malware directly, so what they're basically doing is risk-forwarding the serving process to each and every participant in the affiliate network. The bottom line - is a frontend to's malicious practices, and itself is a frontend to, among the many affiliate programs that once establishing trust with a web site owner, start abusing it by randomly serving live exploir URLs and dropping malware.

Geolocating Malicious ISPs

Here are some of the ISPs knowingly or unknowingly providing infrastructure to the RBN and the New Media Malware Gang, a customer of the RBN or RBN's actual operational department. To clarify even further, these are what can be defined as malicious ecosystems that actually interact with each other quite often.

- Ukrtelegroup Ltd -
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
phone: +380487311011
fax-no: +380487502499

- Turkey Abdallah Internet Hizmetleri
TurkTelekom -

- Hong Kong Hostfresh -
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
Hong Kong
phone: +852-35979788
fax-no: +852-24522539

These are not just some of the major malware hosting and C&C providers, their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd, however, the emphasis shouldn't be on the volukme of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.

Massive Blackhat SEO Targeting Blogspot

With Blogspot's fancy pagerank and with Google's recent introduction of real-time content indexing of blogs using the service, the interest of blackhat SEO-ers into the efficient registration and posting of junk content with the idea to monetize the traffic that will come from the process, seems to continue evolving as a process. In this specific case, we have (; a blackhat SEO links farm that's visualized in the attached screenshot, and several thousands of automatically registered blogspot accounts directly feeding the searching queries that led to visiting them into What's also worth mentioning about this campaign is that the's javascript search field appears at the top of every blog, whereas the blog's content itself consists of outgoing links to nearly fifty other such automatically registered blogs, again redirecting the search queries to, whereas advertisements get served from

Sample blogs :

With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. And while is pitching itself as a "search engine that you can trust", it looks like it's not generating revenues for the people behind the operation, but also, acts as a keyword popularity blackhole.

Related posts:
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
Malicious Keywords Advertising
Visualizing a SEO Links Farm
Spammers and Phishers Breaking CAPTCHAs
But of Course It's a Pleasant Transaction
Vladuz's EBay CAPTCHA Populator
The Blogosphere and Splogs - The Ongoing Blackhat SEO Operation

Malware Embedded Link at Pod-Planet

The "the World's largest Podcast Directory" is currently embedded with a malicious link, whereas thankfully the campaign's already in an undercover phrase and stopped responding over the weekend. The embedded link points to ( then loads, once deobfuscated attempts to load as well as acting as the counter for the campaign. In case you remember, the web counter services offered by were also used in the malware embedded attack at Chinese Internet Security Response Team. And with hosted in China, someone's either engineering a situation where we're supposed to believe it's Chinese malicious parties behind it, thereby taking advantage of the media buzz, or it's Chinese attackers for real. For this particular case however, I'd go for the second scenario.

Wednesday, February 13, 2008

Statistics from a Malware Embedded Attack

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, the browsers and OSs they were using in a combination with confirming the malware kit used could result in a rather accurate number of infected hosts per a campaign - an OSINT technique that given enough such stats are obtained an properly analyzed we'd easily come to a quantitative conclusion on a malware infected hosts per campaign/malware group in question.

In this particular case, 99% of the traffic for the last three days came from a single location that's using multiple IFRAMEs to make it hard to trace back the actual number of sites embedded since there's no obfuscation at the first level - - ( is also loading and As for the countries where all the traffic was coming from, take a peek at the second screenshot. The big picture has to do with another operational intelligence approach, namely establishing the connections between the malicious hosts that participated in the compaign, in this case it's between groups known to have been exchanging infrastructure for a while.

Visualizing a SEO Links Farm

This visualization was generated over a month ago, using one of the two search engine optimization link farms I blogged about before, as a sample. Perhaps the most important issue to point out is that the farms are automatically generated with the help of blackhat SEO tools, where the level of internal linking has been set a relatively modest one, as for instance, the core pages extensively link one another, but a huge proportion of the SEO content remains burried in a number of hops a crawler may not be interested in making - this could be automatically taken care of in the process of generating the content to end up with a closed circle when visualizing.

The New Media Malware Gang - Part Three

Boutique cybercrime organizations are on the verge of extinction, and are getting replaced by cybercrime powerhouses, the indication for which is the increase of static netblocks used by well known groups such as the ones I've been exposing for a while - take the New Media Malware Gang for instance, and its entire portfolio of malicious domains that keeps expanding to include the latest ones such as :

And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner.

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site :

"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ( which also responds to, where an obfuscation tries to server through the usual diverse set of exploits served by MPack.

Detection rate
: 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j
File size: 8704 bytes
MD5: 31f8a31adfdff5557876a57ff1624caa
SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?

Tuesday, February 12, 2008

BlackEnergy DDoS Bot Web Based C&Cs

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces : ( ( ( (

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.

U.K's FETA Serving Malware

Yet another high-profile malware embedded attack worth commenting on, just like the most recent one at the Dutch embassy in Moscow. Website of UK landmark hacked to serve malware :

"The website of one of the UK's most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups."

The deobfuscated javascript attempts to load the currently live (MDAC ActiveX code execution (CVE-2006-0003), also responding to and which is deceptively forwarding to BBC's web site, deceptively in the sense that were I to use a U.K based IP to access it for instance it will try to serve the malware, thus, malware campaigners are now able to segment the malware attacks on a basis of IP geolocation. Who's behind it? A group that's in direct affiliation with the RBN and the New Media Malware Gang, where the three of these operate on the same netblocks.

The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event.