Thursday, November 27, 2008

A Diverse Portfolio of Fake Security Software - Part Fourteen

You didn't even think for a second that the supply of typosqutted domains serving packed and triple crypted to the point where the binary is not longer executing, fake security software domains is declining? With the upcoming holidays and the usual peak of web traffic, malicious activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance, and Sagent Group, personal favorites affiliate participants in a revenue sharing program for serving fake security software, try to maintain a decent rhythm in their typosquatting process, always worth taking a peek at. The very latest rogue security software additions include :

micro-antiv2009 .com (91.208.0.223)
micro-antivir2009 .com
micro-antivirus-2009 .com
micro-av-2009 .com

Sawert Alliance
Peltonen Martti  seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790


avmyscan .com (91.203.92.186; 78.157.143.184)
go-your-scan .com
bestproscan .com
avproscan .com
goyourscan .com
iabestscan .com
avmyscan .com
best-scan-pro .com
avscan-pro .com
bestscanner-pro .com
avscanpro .com
iascannerpro .com

Jaroslav Voltz
Email: mensfult@gmail.com
Organization: Private person
Address: Biskupsk 9
City: Praha
State: Praha
ZIP: 11000
Country: CZ
Phone: +420.2224811382


virus-labs2009 .com (66.232.113.62)
virus-trigger .com
virusresponse2009 .com
virusresplab .com
virus-response .com


Roman Spitsikov
Uus-Sadama 12 
Tallinn, Tallinn 10120
Estonia
Roman.Spitsikov@gmail.com


virusremover2008plus .com (77.245.61.80; 93.190.139.229)

Sagent Group  (sergbelo@gmail.com)
Brignal Solutions
P.O. Box 3469 Geneva Place, Waterfront drive
Road town,   BVI
BZ
+1.14193017015


antivirus-pro-scan.com (84.243.197.183)
anti-virus-defence.com
protection-livescan.com

Aleksey Kononov cndomainz@yahoo.com
+74954538435 fax: +74954538435
ul. Yakimanskay 34-56
Moskva Moskovskay oblast 112745
ru

rapidantivir .com (91.208.0.220)
rapidantivirus-2009 .com
securityscanner2009 .com
rapidantivirus2009 .com
rapid-antivir .com
extraantivir .com
rapid-antivirus .com
rapidantivirus .com


Sawert Alliance
Peltonen Martti  seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790


sgscanner .com (116.50.14.185)
sguardscan .com
scansguard .com
getsg2008 .com


Vrenk Tihomil
Email: gray444371@gmail.com
Organization: Private person
Address: Kolodvorska 73, Sl3270 Lasko
City: Lasko
State: LaskoLasko
ZIP: Sl1355
Country: SI
Phone: +386.14588324


adwaredeluxe .com (64.40.118.8) (private whois)
antivirusadvanced .com
antivirusadvance .com
spydestroy .com
spywareremoval .ws


Shipping them in batches means exposing them in batches.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Tuesday, November 25, 2008

Localizing Cybercrime - Cultural Diversity on Demand Part Two

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'. 

* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters.
"

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

Wednesday, November 19, 2008

The DDoS Attack Against Bobbear.co.uk

When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter surveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

New Web Malware Exploitation Kit in the Wild

Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any signification differentiation factors besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed for novice users, despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics obtained in an OSINT fashion always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits. 

Related posts:
Modified Zeus Crimeware Kit Gets a Performance Boost 
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild

Tuesday, November 18, 2008

Will Code Malware for Financial Incentives

A couple of hundred dollars can indeed get you state of the art undetectable piece of malware with post-purchase service in the form of automatic lower detection rate for sure, but what happens when the vendors of such releases start vertically integrating just like everyone else, and start offering OS-independent spamming, flooding, modifications and tweaking of popular crimeware kits in the very same fashion? The quality assurance process gets centralized into the hands of experienced programmers that have been developing cybercrime facilitating tools for years.

It's interesting to monitor the pricing schemes that they implement. For instance, the modularity of a particular malware, that is the additional functions that a buyer may want or not want, increase or decrease the price respectively. Others, tend to leave the price open topic by only mentioning the starting price for their services and they increasing it again in open topic fashion.

Let's take look at some recently advertised (translated) "malware coding for hire" propositions, highlighting some of the latest developments in their pricing strategies :

Proposition 1 :
"Programs and scripts under the following categories are accepted :
grabbers; spamming tools for forums, spamming tools for social networking sites, modifications of admin panels for (popular crimeware kits), phishing pages

Platform: software running on MAC OS to Windows
Multitasking: have the capacity to work on multiple projects
Speed and responsibility: at the highest level
Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repreated customers
Support: Paid
Rates: starting from 100 euros

If, after speaking ultimate price, you decide to add to your order something else - the price change. Prepare the job immediately, which will understand what to do and how much it will cost you, if you have any suggestions for a price, then lays them immediately and not after the work is completed. If you order something that requires parsing your logs, and their continued use, you agree to provide "a significant portion of the logs, so that after putting the project did not raise misunderstandings due to the fact that some logs are no longer "fresh", because of their "uniqueness". In this case, for the finalization of the project will be charged an additional fee."

This is an example of an "open topic pricing scheme" with the vendor offering the possibility to code the malware or the tool for any price above 100 euro based on what he perceives as features included within worth the price.

Proposition 2:
"Starting price for my malware is 250 EUR. Additional modules like P2P features, source code for a particular module go for an additional 50 EUR. If you're paying in another currency the price is 200 GBP or 395 dollars. I sell only ten copies of the builder so hurry up. The trading process is simple - a password protected file with the malware is sent to you so you can see the files inside. You then sent the money and I mail you back the password. If you don't like this way you lose. 

I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000 infected hosts because I don't have time to play around with me bot right now.

This proposition is particularly interesting because the seller is introducing basic understanding of exchange rates, but most of all because he's in fact offering a direct bargain in the form of access to a botnet in exchange for a complete source code of his malware bot. Both propositions are also great examples that vendors engage by keeping their current and potential customers up-to-date with TODO lists of features to come next to the usual CHANGELOGS, and, of course,  establish trust by allowing potential customers to take a peek at the source code of the malware they're about to purchase.

Related posts:
Coding Spyware and Malware for Hire
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

Thursday, November 13, 2008

Embassy of Brazil in India Compromised

Only an amateur or unethical competition would embedd malicious links at the Embassy of Brazil in India's site, referencing their online community. With the chances of an Embassy involvement into the fake antivirus software industry close to zero, let's assess the attack that took place.

The compromise is a great example of a mixed use of pure malicious domains in a combination with compromised legitimate ones and on purposely registered accounts at free web space providers, hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway

epmwckme.dex1.com
htkobaf.dex1.com
ogbucof.dex1.com
segundomuelle.com/mex/antivirus
jgzleaa.dex1.com
igpran.ru/services/tolstye

The active and redirecting traff .asia (89.149.251.203) is currently serving a fake account suspended notice - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." but is whatsoever redirecting us to antimalware09 .net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well known web malware exploitation kit which is currently serving PDF exploits.  

google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to google-analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; Win32.TrojanSpy.Zbot.gen!C.5), and google-analyze .com/tracker/pdf.php (Exploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns. google-analyze .com  has multiple IFRAMEs pointing to google-analystic .net (209.160.67.56), yet another traffic redirection doorway further exposing their campaigns.

For instance, google-analystic .net/in.cgi?20 loads google-analystic.net/tea.php (209.160.67.56) where google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2 taking us to 91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact location of the PDF exploit - 91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters. google-analystic .net/in.cgi?9 redirects to mangust32 .cn/pod/index.php (218.93.202.102) where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at
mangust32 .cn/pod2/load.php and load.exe at mangust32 .cn/eto2/load.php, moreover, google-analystic .net/in.cgi?10 leads us to mmcounter .com/in.cgi?id194 (94.102.50.130) a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to busyhere .ru/in.cgi?pipka (91.203.93.16) which redirects to beshragos .com/work/index.php (79.135.187.38) where once we deobfuscate the script, we get to see the PDF exploit location beshragos.com /work/getfile.php?f=pdf.

What's contributing to the increase of PDF exploits durin the last month? It's an updated version of a web based malware exploitation tool, which despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks causing the usual short-lived epidemic.

Related posts:
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Dissecting the Latest Koobface Facebook Campaign

The latest Koobface malware campaign at Facebook, is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (79.132.211.51)
off34 .com/go/fb.php (79.132.211.51)
youtube-spyvideo .com/youtube_file.html (58.241.255.37)
ahdirz .com/movie1.php?id=638&n=teen (208.85.181.69)
top100clipz .com/m6/movie1.php?id=638&n=teen (208.85.181.67)
hq-vidz .com/movie1.php?id=638&n=teen (208.85.181.68)

The dropper then phones back home to : f071108 .com/fb/first.php (79.132.211.50) with the binaries hosted at a legitimate site that's been compromised :

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake Youtube domains participating :
catshof .com (79.132.211.51)
youtube-spy .info (94.102.60.119)
youtubehof .net (218.93.205.30)
youtube-spyvideo .com (58.241.255.37)
yyyaaaahhhhoooo.ocom .pl (67.15.104.83)
youtube-x-files .com (94.102.60.119)

The development of cybercrime platforms utilizing legitimate infrastructure only, has always been in the works. With spamming systems relying exclusively on the automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Wednesday, November 12, 2008

A Diverse Portfolio of Fake Security Software - Part Thirteen

What is the difference between a reactive and proactive threat intell? A reactive threat intell is assessing a campaign, individual, a group of individuals, how are they related to one another, and what have they been doing in the past, based exclusively on a lead that's been found within the past couple of hours.

Try the very latest rogue security domains courtesy of three domainers (Fedor Ibragimov cndomainz@yahoo.com, Anton Golovayk gpdomains@yahoo.com and Ivan Durov idomains.admin@gmail.com ) whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008.

powerfullantivirusscan .com (78.159.118.217; 89.149.253.215; 208.72.168.185)
protection-update .com
updatepcprotection .com
updateyourprotection .com
mac-imunizator .net (67.205.75.10)
avproinstall .com (78.157.141.26)
winavpro .com (92.241.163.30)


As far as proactive threat intell is concerned, try the following "upcoming fake security software domains" :

spywaredefender2009 .com
spywaredestroyer2009 .com
spywareeliminator2009 .com
spywareprotector2009 .com


It would be interesting to monitor whether or not the well known non-existent security software brands we've monitoring throughout 2008, will be basically typosquatted in a 2009 like fashion, or would they simply introduce new brands. With their business model under pressure, I'm starting to see evidence of schemes involving the illegal advertisement of affiliate links to legitimate security software, where the cybercriminals are actual resellers of it. There's also no shortage of surreal situations, where a fake security software is taking advantage of blackhat SEO practices promising the removal of competing fake security software brands.

Last week, the noadware .net (69.20.71.82; 69.20.104.139) software was persistently advertised in such a way, mostly by generating Wordpress accounts promising to remove competing software :

antiviruspro2009.wordpress .com
ultraantivirus2009.wordpress .com
smartantivirus.wordpress .com
antiviruslab2009.wordpress .com
antivirusvip.wordpress .com
personaldefender2009.wordpress .com
malwareremoval.wordpress .com


Naturally, it didn't take long before blackhat SEO farms were created for the purpose, like these very latest ones :

removal-tool.blogspot .com
cgidoctor .com
spywareremoval .net
spyware-adware-remover .com
spywarestop .com
zero-adware .net
adware-remove .com
antispywaresecrets .com
protectyourcomputerfromspyware .info
cleanpcfree .net
spyware-bot  .com
spywarezapper.co .uk
thepcsecurity .com
noadware-official-site .com
spywaredoctorfavor .cn
removespywareedge .cn
thespywareremover .com
virusremovalguru .com
virusremovalguide .org


The day when fake security software sites start attracting traffic by promising to remove other fake security software, is the day when we have clear evidence that an ecosystem has emerged.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

More Compromised Portfolios of Legitimate Domains for Sale

The ongoing supply of access to compromised portfolios consisting of hundreds, sometimes thousands of legitimate domains, is continuing to produce anecdotal situations. For instance, in one of the latest propositions, a cybercriminal has managed to hijack the blackhat SEO domains portfolio (8,145 domains plus another 100 legitimate ones) of another cybercriminal, and is now offering it for sale.

From an attacker's perspective, are remotely exploitable SQL injections, the insecure hosting provider's web interfaces, or the pragmatic possibility for data mining a botnet's accounting data for access to such portfolios the tactic of choice? In both of these propositions, the seller is citing vulnerabilities within the web hosting providers as an attack tactic.

The continues supply of such access is, however, a great indicator for the upcoming development of this segment within the underground marketplace in 2009.

DIY Skype Malware Spreading Tool in the Wild

Who needs to build hit lists by harvesting user names when a usability feature allows you to expose millions of users to your latest social engineering campaign? That seems to be the mentality of yet another Skype malware spreading tool, which just like the majority of publicly obtainable tools is aiming to contact everyone, everywhere.

The tool's main differentiation factor is its feature of harvesting the personal information of users it has managed to detect randomly, that's of course in between the mass spamming of malicious URLs. However, despite it's DIY nature allowing someone to easily launch a malware campaign spreading across Skype, the tool is lacking the segmentation features offered by related Skype spamming tools. Just like in a cybercrime 1.0 world where DIY exploit embedding tools were favored due to the lack of web malware exploitation kits, in a cybercrime 2.0 world these DIY tools matured into IM malware spreading modules easily attached to any infected host given the botnet master is looking for such a functionality.

Related posts:
Skype Spamming Tool in the Wild - Part Two
Skype Spamming Tool in the Wild
Harvesting Youtube Usernames for Spamming
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware

Monday, November 10, 2008

Zeus Crimeware Kit Gets a Carding Layout

With cybercriminals clearly expressing their nostalgia for several notorious and already shut down credit card fraud communities, they seem to have found a way to once again give their self-esteem a boost. Following the ongoing modification of open source crimeware kits and the inevitable innovation introduced by third parties, last week a new layout was introduced for Zeus, once again courtesy of a group that's piggybacking on Zeus popularity.

It's particularly interesting to see how a one-man operation evolves into a group of third-party developers starting to claim ownership rights over the modified versions despite that they're basically brandjacking the Zeus brand and building business models on the top of it.

Open source crimeware and web malware exploitation kits on the other hand undermine the business model of a great number of "malware/spyware for hire" vendors, which surprisingly doesn't stop them from continuing offering their services and products which are often using the de facto crimeware kits as the foundations for their propositions. Are the buyers even aware of this fact? From a buyer's perspective in times when most of the output is sold in bulk form, or access to the botnet rented for a specific period of time, the buyer doesn't care about the cybercrime platform of use, but is looking for transparent ways to justify the investment he's made into renting the service.

Now that Zeus administrators and their cybercrime clerks in the face of those managing the campaigns knowingly or unknowingly knowing the type of campaigns and the data that they manage, can listen to their favorite music within Zeus and choose different layouts for the command and control interfaces while commiting cybercrime, what's next?

Convergence and improved monetization.

Thursday, November 06, 2008

DIY Phishing Pages With Command and Control Interfaces

The day when DIY phishing pages start coming with manuals is the day when consciously or subconsciously a phisher is lowering down the entry barriers into phishing for yet another time. A much more user-friendly compared to the old-fashioned -- yet effective -- rock phish directory listing, a recently released command and control interface for Rapidshare phishing campaigns aims to empower its users with easy dynamic link generation for their campaigns.

What they've managed to achieve is another trust factor since Rapidshare generates a second dynamic link upon clicking on the original one. The script not only generates a dynamically looking link, but also, actually logs in the victim into their account in order to avoid suspicion whereas it still logs all the accounting data.

Scammers also tend to be ironic every then and now. For instance, in this particular case, one of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is the script actually working? It appears so at least going through a misconfigured accounting data dump left by one of the phishers.

Related posts:
Phishing Pages for Every Bank are a Commodity
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
DIY Phishing Kits Introducing New Features
209 Host Locked
209.1 Host Locked
66.1 Host Locked

Tuesday, November 04, 2008

Summarizing Zero Day's Posts for October

Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts

Monday, November 03, 2008

A Diverse Portfolio of Fake Security Software - Part Twelve

These very latest rogue security software domains have been in circulation -- blackhat SEO, SQL injections, traffic redirection scripts -- since Friday and remain active :

premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47)
antivirus-pc-scan .com (208.72.169.100)
securityfullscan .com (84.243.197.184)
antivirus-live-scan .com (84.243.196.136; 89.149.227.196)
windefender-2009 .com - (200.63.45.55)
windefender2009 .com

What these domains have in common, excluding the last two WinDefender ones, is the domain registrant, the DNS servers used, and that despite the fact that it has already been featured in several malicious doorways, meaning these are receiving traffic already, they forgot to upload the binaries on all of the active domains :

"Not Found. The requested URL /2009/download/trial/A9installer_.exe was not found on this server."

Registrant: 
Vladimir Polilov 
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536

DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com

Moreover, the following domains are also parked at the same IPs, but are currently in stand-by mode, yet they're also using the same DNS servers with the only difference in the registrant who seems to have been running a very extensive portfolio of bogus domains, potentially making hundreds of thousands in the process :

save-my-pc-now .com
real-antivirus .com
liveantivirustest .com
antiviruspctest .com
premium-live-scan .com
liveantivirustest .com
antiviruspersonaltest .com
mysecuritysupport .com
updateyourprotection .com
antivirus-premiumscan .com
securitylivescan .com
security-full-scan .com
secured-liveupdate .com
livepcupdate .com
protection-update .com
antivirus-scan-online .com
xpsoftupgrade .com
live-virus-defence .com


Registrant:
Shestakov Yuriy
alexey@cocainmail.com/alexeyvas@safe-mail.net
+7.9218839910
Lenina 21 16
Mirniy,MSK,RU 102422


The sampled WinDefender binaries phone back to megauplinkbindinstaller .com/cfg1.php (91.203.92.99) with the entire netblock clearly a bad neighborhood. Here are some sample command and control locations :

91.203.92.101 /admin/cd.php?userid=19102008_184429_260953
91.203.92.25 /dmn/domen.txt
91.203.92.135 /alligator/cfg.bin
91.203.92.132 /c.bin


This operation is being monitored, results will be posted as they emerge.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Modified Zeus Crimeware Kit Gets a Performance Boost

Oops, they did it again - modifying an open source crimeware kit like Zeus in order to improve its performance, fix previously known bugs, and release the improved administration script for free at the end of October.

It's important to point out that both of these modifications haven't been released by the original author of Zeus, but by third parties filling in the gaps he has left open. The very nature of open source web based malware exploitation kits is one of the key factors for the ongoing convergence of traffic management, exploits serving, ddos, and cybercrime as a service features into a simplified cybercrime platform available on demand.

Following the discovery of a remotely exploitable flaw within Zeus in June -- a flaw affecting Pinch leaked out two months later -- allowing cyberciminals to inject their own credentials and hijack the botnet of other cybercriminals, this modified version claims to have fixed three vulnerabilities within the original Zeus release, namely, a remote file inclusion flaw and two SQL injections within the administration panel. Here's the new CHANGELOG :

"- code improvements and optimizations
- internal data checkings added
- exit() function instead of die()
- echo() function instead of print()
- mysql_affected_rows () changed to mysql_num_rows () everywhere
- all queries are fixed in system or mod .php files
- no text password in the database and clear text password in $_SESSION, cookies authentication is gone and md5 hashes are everywhere
- Geo IP support has been added
- umask () bug fixed, the file has been created (chmoded) with different permissions
- language improvements and pre-installation checks
- checking for php version/safe_mod/open_basedir as you're required to run php 5.1.0 or higher to run it successfully
- fixed sql injection in credentials checking
- GetUserData () function has been rewritten - possible sql injection fixed
- possible remote file inclusion fixed
- socket error definition changed
- gcnt () function has been rewritten so you can use geolication - GeoIP which is free and GeoIPCity which is paid
- ip address checking improved through validIP() function improvement
- all queries are now fixed, input data has been sanitized
- fs () function has been fixed in order to improve the quality of the log names
- formatFilePath () function has been added for file upload purposes
- arbitrary file upload bug has been fixed so that you can now upload only images with original names
- the Log2SQL () function has been changed and stricter data checking/sanitizing is added
- internal file sorting mechanism is improved so that files/dirs are sorted by file modification time
"

As it's becoming increasingly clear that what once used to be a proprietary crimeware kits whose business model got undermined by their open source nature and the fact that they've started leaking for average cybercriminals and script kiddies to take advantage of, are today's "open source projects" - and therefore maintaining static lists of exploits and features included within a particular kit is getting even more irrelevant these days. In the long term, the quality assurance processes applied within crimeware kits courtesy of third party cybercriminals, is prone to shift from performance to improving the infection rates.