Thursday, February 26, 2009
That's the main objective of one of the very latest traffic management kit is once again quality assurance in the process of managing image-spam based campaigns.
Here's a translated description of the traffic management kit:
"As you know, now many pay per click networks offer within their ad scripts the so called graphic feeds.Any site allowing the use of the IMG tag can serve them, that includes popular free web based services. The problem so far has been the lack of quality measurement and optimization of this approach.
This imposes severe restrictions on the ability to convert traffic to the resource, the automatic redirection of which is impossible. Our system allows you to allows you to create your own ads and send traffic to them to where you think they fit.
How it works: you create a campaign with your own keywords, generate a random image, customize it, generate a link to the ad and paste it into the hosting site, or include it in your email campaigns. By doing this you're able to add more interactivity in your campaigns and improve your click through rates.
Here's a summary of the features we offer you:
- Create messages with random text and random design. Change ad size and font color, underline, and the selection, styles, font and alignment, frames - everything is set up. You can use any font that you want to - it's completely up to you
- Manage design ads through profiles within the system, save your creativity
- Use of any image as the ads. This may be a screenshot of your pharmacy, banner, and even anything
- Combine different types of simple ads on the same page
- Create messages with any embedded images. For example (click on picture to see actual ad size)
- Use alternative keywords in the references (some of the resources do not allow to post links containing the names of pills and other banned words)
- Filter incoming traffic to the countries of the User-Agent, IP or range of IP"
It's important to emphasize on the fact that this is a DIY image-spam generating kit, in comparison, the much more efficient and again random image-spam generating service is offered by the sophisticated and experienced managed spam service providers who still prefer working with reputable and well known individuals, instead of going mainstream.
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service
Segmenting and Localizing Spam Campaigns
Posted by Dancho Danchev at Thursday, February 26, 2009
It appears that this guy has had his 100k+ Zeus botnet hijacked several months ago, and now that he's managed to at least partly recover the number of infected hosts in two separate botnets, is requesting advice on how to properly secure his administration panel.
Here's an exact translation of his concerns :
"Dear colleagues, I'd like to hear all sorts of ideas regarding to security of Zeus. I've been using Zeus for over an year now, and while I managed to create a botnet of 100k infected hosts someone hijacked it from me by adding a new user and changing my default layout to orange just to tip once he did it. Once I fixed my directory permissions. I now have two botnets, the first one is 30k and the second (thanks to a partnership with a friend) is now 3k located at different hosting providers.
Sadly, yesterday I once again found out that my admin panel seems to have been compromised since all the files were changed to different name, and access to the admin panel blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping Apache logs in order to find IPs that have been used for logging purposes and blocked them all. Therefore I think the new user has been added by exploiting a flaw in Zeus. In my opinion a request was made to the database, either through an sql injection in s.php a file or a request from within a user with higher privileges.
Since I've aplied patches to known bugs, this could also be a compromise of my hosting provider. So here are some clever tips which I offer based on my experience with securing Zeus.
- Change the default set of commands, make them unique to your needs only.
- If it is possible to prohibit the reading and dump tables with logs all IP, to allow only certain (so that the crackers were not able to make a dump and did not read the logs in the database).
- If it is possible to prohibit editing of tables with all the commands of Zeus IP, to allow only certain (that could not be "hijacked", insert the command bots)"
Surreal? Not at all, given the existing monoculture on the crimeware market. Morever, yet another vulnerability was found in the Firepack web malware exploitation kit earlier this month (Firepack remote command execution exploit that leverages admin/ref.php). This exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which was also localized to Chinese several months later:
The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese
Ironically, cybercriminals too, seem to be using outdated versions of their crimeware.
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus
Posted by Dancho Danchev at Thursday, February 26, 2009
Tuesday, February 24, 2009
Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers in order to run its VPN/Double/Triple VPN channels service which it exclusively markets in a "it's where you advertise your services, and how you position yourself that speak for your intentions" fashion.
Description of the service:
- Only we have the full support service to the date of the center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions, our software is based on the modified code.
- Only here you get a stable and reliable service.
Characteristics of Sites:
- Channel 100MB, total channels gigabita 1.2.
- MPPE encryption algorithm is 128 bit
- Complete lack of logs and monitoring - a guarantee of your safety.
- Completely unlimited traffic.
- Support for all protocols of the Internet."
On the basis of chaining several different VPN channels located in different countries all managed by the same service, combined with a Socks-to-VPN functionality where the Socks host is a malware compromised one, all of which maintain no logs at all, is directly undermining the usefulness of already implemented data retention laws. Moreover, even a not so technically sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all, would result in the perfect anonymization service where the degree of anonymization would be proportional with the speed of the connection. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly.
In respect to the "no logs and monitoring for the sake of our customers security" claims, such services are based on trust, namely the customers are aware of the cybercriminals running them "in between" the rest of the services they offer, which and since they're all "on the same page" an encrypted connection is more easily established. However, an interesting perspective is worth pointing out - are the owners of the cybecrime-friendly VPN service forwarding the responsibility to their customers, or are in fact the customers forwarding the responsibility for their activities to the owners which are directly violating data retention laws and on purposely getting rid of forensic evidence?
Things are getting more complicated in the "cybercrime cloud" these days.
Posted by Dancho Danchev at Tuesday, February 24, 2009
Monday, February 23, 2009
Following the 2008's Fake Celebrity Video Sites Serving Malware series (Part Two) the very latest addition to the series demonstrates the automatic abuse of legitimate infrastructure - in this case Blogspot for the purpose of traffic acquisition.
The following are currently active and part of the same campaign:
Compared to the single-post only Blogspots, the following domains top100videoz.com; cinemacafe.tv; xvids-top.com have a lot more bogus content to offer.
Posted by Dancho Danchev at Monday, February 23, 2009
Wednesday, February 18, 2009
From a spammers/blackhat SEO-er's perspective, this is done for the purpose of increasing the page rank of their pharmaceutical domains based on the number of links coming from LinkedIn. The campaigns are monetized through the usual affiliate based pharmaceutical networks.
The following is a complete list of the currently active bogus domains, all part of identical campaigns:
Pharmaceutical domains used in the campaigns:
Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. But in 2009, if you're not at least requiring a valid email address, a confirmation of the registration combined with a CAPTCHA to at least slow down the bogus account registration process and ruin their efficiency model - systematic abuse of the service is inevitable (Commercial Twitter spamming tool hits the market).
LinkedIn's abuse team has already been notified of these accounts.
Posted by Dancho Danchev at Wednesday, February 18, 2009
Tuesday, February 17, 2009
A new market entrant into the CAPTCHA-breaking economy, is proposing a novel approach that is not only going to result in a more efficient human-based CAPTCHA solving on a large scale, but is also going to generate additional revenues for webmasters and their site's community members. The concept is fairly simple, since it's mimicking reCAPTCHA's core idea.
However, instead of digitizing books, the CAPTCHA entry field that any webmaster of an underground community, or a general site in particular that would like to syndicate CAPTCHAs from Web 2.0 web properties is free to do so on a revenue-sharing, or plain simple voluntary basis.
Consider for a moment the implications if such a project of they manage to execute it successfully. Starting from community-driven CAPTCHA breaking of Web 2.0 sites on basic forum registration fields using MySpace.com's CAPTCHA for authenticating new/old users, the plain simple automatic rotation for idle community users, to the enforcement of CAPTCHA authentication for each and every new forum post/reply.
What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for the purpose of spam and malware spreading, or reselling purposes. The development of this service -- if any -- will be monitored and updates posted if it goes mainstream.
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?
Posted by Dancho Danchev at Tuesday, February 17, 2009
Wednesday, February 11, 2009
The complete list of the domain redirectors used in the comment spam attack:
worldnews-video .com - 459,000 bogus comments
youtube-top-video .com - 98,000 bogus comments
new-videos .info - 92,500 bogus comments
film-man .com - 50,700 bogus comments
last-sex-news .com - 26, 000 bogus comments
video-news .cn - 25, 500 bogus comments
last-porno-news .com - 21,500 bogus comments
fresh-video-news .com - 10,900 bogus comments
broken-tv .com - 10,000 bogus comments
video-trailers .net - 8,370 bogus comments
exclusive-videos .net - 7860 bogus comments
funkytube .net - 6,170 bogus comments
shocking-stars .net - 2,600 bogus comments
cinemacafe .tv - 1560 bogus comments
watch-video .cn - 3000 bogus comments
vidstream .cn - 397 bogus comments
divgg .com - 174 bogus comments
golden-portal .us - 3040 bogus comments
tubedirects .net - 290 bogus comments
funkytube .net - 6,480 bogus comments
watchepisodes .cn - 331 bogus comments
video-sensation .com - 1,500 bogus comments
bestlive-tv .cn - 216 bogus comments
svtube .cn - 222 bogus comments
onlyhotvideos .com - 413 bogus comments
celebnudestars .net - 326 bogus comments
usatvshows .us - 41 bogus comments
vidstream .cn - 398 bogus comments
divgg .com - 171 bogus comments
tubedirects .net - 285 bogus comments
yuotnbe .com - 370 bogus comments
omeia .info - 769 bogus comments
video.stumbulepon .com - 669 bogus comments
shocking-stars .net - 2,650 bogus comments
sowonder .net - 3000 bogus comments
sex-tapes-celebs .com - 2,210 bogus comments
video-sensation .com - 1,690 bogus comments
Currently active download locations for the fake codecs, and the rogue security software:
Detection rates for the codecs/rogue security software:
Result: 8/39 (20.51%)
File size: 71680 bytes
Result: 7/39 (17.95%)
File size: 62464 bytes
Result: 5/39 (12.82%)
File size: 77830 bytes
Result: 4/39 (10.26%)
File size: 73222 bytes
The first comments including links to these domains have been posted at Digg.com on January, 2008 - over an year ago.
Posted by Dancho Danchev at Wednesday, February 11, 2009
Here's an automatic translation of some of the key features offered by the system, currently having a price tag of $1,200 per month:
"A summary of the main possibilities of the system
- Innovative technology deliver a unique e-mail system designed specifically for ******** to maximize serve up e-mails with a low rate of rejection-Kernel Multi-organization system provides extremely high speed while the low-platform-Provide complete sender's anonymity at the maximum system performance in terms multi-technology operating system bypass content filters using the built-in special tags:
+ random permutation of symbols in the block
+ Inserting a random character in an arbitrary place in the block
+ Replacing the same style of letters Latin alphabet for the Russian block
+ Duplicating a random character in the block
+ Paste into the body of a random letter strings from a file
+ Managed morfirovanie image files in the format GIF-Correct emulation header sent letters Simultaneous connection of several bases e-mail addresses of those letter-substitution is performed from file-substitution e-mail addresses for the fields From and Reply-To is performed from a file-format of outgoing messages TEXT and HTML
+Ability to send emails from attachments
+Correct work with images in HTML messages possible as a direct method and with copies of CC , BCC-record-keeping system, results of the system is stored in files good, bad and unlucky for each connection of e-mail addresses, respectively
+The system is convenient and intuitive graphical user interface
The system is operated under the interface to "Control Panel". The first is of them is multifunctional and serves to start the process of sending (the state of the "Run"), pause (the state of "pause") and confirm the end of the (state "Report") . The second button ( "Stop") serves to interrupt the process otpravki. Data section also contains the following information fields:
- executes an action in this field is carried out to date, the system-progress indicator graphic indication of progress the task, Completed Display task progress percentage
- Successful delivery of letters to the number of addresses that had been carried out successfully, failure of the number of addresses that failed to deliver a letter-number bad non-existent addresses, duration of the actual time of the task-status displays the status of the kernel system kernel kernel memory Displays memory core systems"
The ongoing arms race between the security industry and cybercriminals, is inevitably driving innovation at both sides of the front. However, based on the scalability of these managed spam services, it's only a matter of time for the vendors to embrace simple penetration pricing strategies that would allow even the most price-conscious cybercriminals, or novice cybercriminals in general to take advantage of this standardized spamming approach. The disturbing part is that the innovation introduced on behalf of the spam vendors in terms of bypassing spam filters, seems to be introduced not on the basis of lower delivery rates, but due to the internal competition in the cybercrime ecosystem.
For instance, new market entrants in the face of botnet masters attempting to monetize their botnets by offering the usual portfolio of cybercrime services, often undercut the offerings of the sophisticated managed spam vendors. And so the vendors innovate with capabilities that the new market entrants cannot match, in order to not only preserve their current customers, but also, acquire new ones. Managed spam services as a business model is entirely driven by long term "bulk orders", compared to earning revenues on a volume basis by empowering low profile spammers with sophisticated delivery mechanisms.
In the long term, just like every other segment within the cybercrime ecosystem, vertical integration and consolidation will continue taking place, and thankfully we'll have a situation where the spam vendors would be sacrificing OPSEC (operational security) on their way to scale their business model and acquire more customers.
Posted by Dancho Danchev at Wednesday, February 11, 2009
Thursday, February 05, 2009
Notable articles for January include Microsoft study debunks phishing profitability; Legal concerns stop researchers from disrupting the Storm Worm botnet and Google Video search results poisoned to serve malware.
01. Thousands of Israeli web sites under attack
02. Bogus LinkedIn profiles serving malware
03. Microsoft study debunks phishing profitability
04. Paris Hilton's official web site serving malware
05. Malware author greets Microsoft's Windows Defender team
06. 3.5m hosts affected by the Conficker worm globally
07. GoDaddy hit by a DDoS attack
08. Legal concerns stop researchers from disrupting the Storm Worm botnet
09. Malware-infected WinRAR distributed through Google AdWords
10. New mobile malware silently transfers account credit
11. GPU-Accelerated Wi-Fi password cracking goes mainstream
12. Google Video search results poisoned to serve malware
Posted by Dancho Danchev at Thursday, February 05, 2009
Tuesday, February 03, 2009
spywareguard2009m .com (184.108.40.206; 220.127.116.11)
Registrant : Damir Sbil; Email: firstname.lastname@example.org
antispyscanner13 .com (18.104.22.168; 22.214.171.124)
Registrant: Ahmo Stolica; Email: email@example.com
buysysantivirus2009 .com (126.96.36.199)
Registrant: Dion Choiniere; Email: firstname.lastname@example.org
Registrant: Maksim Hirivskiy Email: email@example.com
DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD (AS48511) :
Proactively blocking these undermines a great deal of traffic acquisition campaigns whose aim is to hijack legitimate traffic to these domains.
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Posted by Dancho Danchev at Tuesday, February 03, 2009
What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of what is originally costing a hefty $3000, crimeware kit Adrenalin, it's time to profile the kit, discuss its key differentiation factors from Zeus, and emphasize on why despite the fact that it leaked, the kit is not going to take any of Zeus-es market share. At least not in its current form.
In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too, isn't coded from scratch, but appears that -- at least according to cybercriminals questioning its authenticity on their way to secure a bargain deal when purchasing it -- Adrenalin is using portions of Corpse's original A-311 release.
Adrenalin's description and features :
- The collection of pieces of text from the html pages, as one of the modes of operation injector (balance, etc ..)
- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going in an easy to read and process the form
- Collector of certificates. Pulling out of all installed certificates including attempts to commit, and certificates that are marked as uncrackable. Certificates neatly stored for each individual bot.
- Page redirector. allows you to replace a page or separate framing in the network. everything is done completely unnoticed. substitution of the content occurs in the interior windsurfing, and even then the browser and any special lotion can be confident that is what you want.
- Domain redirector. forwards all requests from the original site on the fake. address bar, and all references point to the original course can also be used to block access to certain sites
- Universal form grabbing puller forms, can strip the data from the virtual keyboard these forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware kits working through the tracking of users clicking buttons / links it intercepts the data has already been formed, which can be seen in the log. Data can be collected all the running, and keyword (filter)
to delete the logs; noise over debris to chat and not necessary for the work sites.
All data are transmitted in encrypted form, which is important to bypass the protection, like for instance ZoneAlarm's ID Lock. Undoubted advantage is also that the logs are sent instantly - in parallel with the data sent to the original site. No need to worry that the victim will go into an offline and accumulated locally log form grabbing are not able to send.
- Screenshots at the address
- TAN grabbing. The technology allows to effectively collect workers TANs
- Periodic cleaning of cookies/flashcookie.
- Grabbing around-the-forms words (without adjustment - Adrenalin defines its own algorithm that it must be collected. algorithm Improved!)
- The collection of passwords, for instance Protected Storage (IE auto complete, protected sites, outlook)
- Classic keylogger
- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - are less vulnerable machines, and want to put on something more. Cleaning system greatly increases the chances of survival
- Anti-Anti Rootkit mechanisms
- Work on the system without the EXE file
- User-friendly format logs! Forget the piles of files stupid!
- Socks4 / 5 + http (s) proxy server enabled on the infected host
- Shell + Backshell enabled on the infected host
- Socks admin
- Management of each bot individually, or simultaneously (Downloading files, updating settings, etc.)
- Requires PHP on the web based command and control host
- Ability to output commands (including downloads), taking into account the country's bot (function as a resident loader statistically for programs) - and other small pleasures"
How do you actually measure the popularity of crimeware kit? Based on the the market share of the crime kit, or based on another benchmark? It's all a matter a perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community was build around Adrenalin the way it was built around Zeus making the original Zeus release looks like an amateur-ish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include :
- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout
For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.
With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn't come as a surprise, that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they're doing.
Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconaissance process of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just "monetization of what used to be a commodity good/service" as usual taking into consideration this overall trend, or perhaps there's another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it's the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased.
With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is build around it, one that would inevitably increase is popularity and prompt others to introduce new features within the kit.
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key
Posted by Dancho Danchev at Tuesday, February 03, 2009
Monday, February 02, 2009
The attached screenshot of very latest DIY windows media player with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped-off from a competing affiliate network participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will.
Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.
Portfolio of fake codecs serving domains parked at the original mirrored domain's IP :
xxxporn-tube .com (188.8.131.52)
Download locations :
brakeextra .com/download/FlashPlayer.v..exe (184.108.40.206)
Entire portfolio of domains parked at (220.127.116.11) :
Dots, dots dots, trackgame .net is once again proving the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search queries poisoning attacks.
Posted by Dancho Danchev at Monday, February 02, 2009