[SecurityRatty] tag: campaign

Cybercriminals Abusing Lycos Spain To Serve Malware

Thu, 09 Oct 2008 00:28:17 +0000

Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that the FTP access is efficiently abused.

Here's a description of the link generator :

"Download the program and run it asks for an ID (identifier), then copy it and paste it there, then press' Create Installer 'and the program will create the Installer! (this program to run a simulation that is installing the Adobe Flash and indicates to our page that "has been installed Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file tie it in with your server! and what flames or Installer Setup (simulating being an installer)! Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step!"

Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals syndicating hot Google Trends keywords, further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of bogus accounts registration performed automatically, or outsourced entirely, malicious services aiming to automate the abuse process are only going to get more efficient.

Laptop stolen from McCain campaign in Missouri

Fri, 03 Oct 2008 20:00:00 +0000

Republican campaigners in Missouri are beefing up security after a laptop containing "strategic information" was stolen from a campaign field office of presidential contender John...

Inside a Managed Spam Service

Fri, 03 Oct 2008 07:20:32 +0000

A managed spam vendor always has to raise the stakes during its introduction period on the market. But what happens when a market follower starts using the market leader's proprietary managed spamming system, and is able to provide better spamming rates at a cheaper prices? Market forces and unethical competition at its best.

So, what is this market challenger using the monopolist's -- in respect to managed spamming services not spam in general -- proprietary system (Spamming vendor launches managed spamming service) up to anyway? Promising and delivering, 1, 400,000 emails daily, 60,000 mails per hour, and 100 emails per minute. What we've got here are the spam metrics out of 5 already finished spam campaigns that has managed to sent out a million spam emails using only 2000 malware infected hosts. Also, CC-ing and BCC-ing made it possible to multiple the effect of the campaign and increase the total number of emails spammed. Talking about benchmarks, 789 emails per minute at a rate of 12/13 emails per second is a pretty good one, considering it's only 2k bots that they were using. What they also promise is automatic rotation of IPs upon automatically checking them against public blacklists, and a mix rotation of IPs from their own netblocks located in Russia and Germany with the fresh IPs coming from the newly infected hosts.

Earlier this month, I discussed the market leader's managed spamming system, access to which they also offer for rent :

"An inside look of the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise - speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be simultaneously used resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to ensure that the central server never gets exposed, is in fact fast-flux which depending on how many bots they are willing to put into “rtsegional server mode” shapes the size of the fast-flux network at a later stage."

With cutting edge managed spam services like the ones currently in circulation, it remains to be seen whether or not spammers would migrate to this outsourcing model, or continue coming up with adaptive ways to send out their scams and malware on their own.

Syndicating Google Trends Keywords for Blackhat SEO

Fri, 03 Oct 2008 00:19:24 +0000

Several hundred Windows Live Spaces and AOL Journals, are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries exposing users to Zlob codecs.

Here are some same bogus blogs used in the campaign, naturally pre-registered long before they executed it :

vinniedigg18 .spaces.live.com
journals.aol .com/iolatour16
fredabreak02 .spaces.live.com
thedaalerts01 .spaces.live.com
allisonpolls08 .spaces.live.com
rheabreak18 .spaces.live.com
racquellog17 .spaces.live.com
monikavideo11 .spaces.live.com
journals.aol .com/shelvakill27
tomekadigg26 .spaces.live.com
ivahnet19 .spaces.live.com
journals.aol .com/louisathere13
allisonpolls08 .spaces.live.com
valericatch03 .spaces.live.com
journals.aol .com/iolatour16
hadleycue01 .spaces.live.com
journals.aol .com/staceyliving01
collettebreak17 .spaces.live.com
journals.aol .com/nataliablog16
natalymore26 .spaces.live.com

A comprehensive listing of the blogs involved can be downloaded here.

What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs as using a central redirection domain, shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In this case, the domain in question is video.xmancer.org (216.195.59.75).

Here are the the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs :

video.xmancer .org (216.195.59.75)
buynowbe .com
loveniche .com
antivirus-freecheck .com
jetelephone .cn
reducki .cn
woteenhas .cn
lilaloft .cn

clipztimes .com (78.157.143.235)
imagelized .com
vidzdaily .com

gotmovz .com (78.108.177.91)
dwnld-clips .com

movwmstream .com (77.91.231.183)
newwmpupdate .com
zaeplugin .com
movaccelerator .com
optimwares .com
piterserv .com

moviesportal2008p .com (72.232.183.154)
movieportal2008a .com
funnyportal2008l .com
starsportal2008p .com
softportal2008p .com
movieportal2008q .com

In short, despite that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign since each and every blog participating is also linking to the rest of the ones within the ecosystem.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Wed, 01 Oct 2008 22:58:01 +0000

Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots, and is promising to include new exploits within the kit.

For the time being, this recently released copycat web exploitation malware kit, includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, greatly reminding us of Zeus's copyright notice :

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? - "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." which is surreal considering that the kit is open source one, and just like we've seen with a recent modification of Zeus if it were to include unique features -- which it doesn't -- others would build upon its foundations.

Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploits set would have increased the number of exploited hosts.

With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that just like Stormy Wormy's historical persistence of using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.

Fort Jennings State Bank Website Hacked, Hosting A Phishing Page For Italian Poste Italiane Bank

Wed, 01 Oct 2008 18:56:25 +0000

SophosLabs reports an unusual bank phishing spam campaign where particular image phish targets the Italian bank Poste Italiane. The phishing email itself (in Italian) entices users to go to the link in order to receive 250 Euros worth of “loyalty bonus”. This scheme is fairly typical and the link in the message goes to a [...]

Web Based Malware Eradicates Rootkits and Competing Malware

Wed, 01 Oct 2008 14:08:43 +0000

A tiny 20kb antivirus module within "yet another web based malware in the wild", promises to get rid of all Zeus variants, and also, detect and remove rootkits found on the infected system in order to ensure that it's the only malware the victim remains infected with. What's really special about its command and control interface is that it's AJAX based, with the seller pitching the feature as "you no longer have to hit F5 in order to see how's your malware campaign doing".

Here's a brief (translated) description :

- Simultaneously execute different campaigns, allocate specific bots for specific countries only, set time and data for automatic update with the new binaries
- Firewalls and antivirus bypassing capabilities, Anti-tracing, anti-reverse engineering
- Self defense mechanism for harder removal
- ICQ notifications for finished tasks, newly infected hosts, graphical statistics

Exactly how it removes rootkits remains yet unknown due to its proprietary nature and brief description, but resetting the hosts file and taking advantage of updated BHO list of known malware are among the ways it removes competing malware.

Gov. Palin, Yahoo! Email and SecurityA Call To Action?

Mon, 29 Sep 2008 20:00:00 +0000

The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.

What’s going on?

“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...

John McCain: Desperate and Reckless

Fri, 26 Sep 2008 14:54:27 +0000

Normally I would not blog about political topics here, but this is an extraordinary time in history and extraordinary times call for extraordinary posts from time-to-time.

John McCain is, objectively, a bad decision maker, desperate and reckless. He knows that his party is in trouble and that the Democrats have the advantage; so what does he do?

First, he picks a very conservative, inexperienced female governor from Alaska who, until recently, did not even have a US passport, as his running mate. This was an obvious act of desperation, thinking that he could pull the Hillary votes in the election. A heartbeat from the US Presidency at a time when there are two ongoing wars and our country on the verge of economic collapse and he gambles with a “Hail Mary” touchdown pass? This is not the man we need as President.

Then, not even a member of the Banking committee in the Senate, and self-described “not knowledgeable on economic issues”, John McCain tries another “Hail Mary” pass by rushing off to DC to “save the world” and tries to demand Obama suspend his campaign and the debates? The US is on the brink of economic collapse and McCain puts politics and election desperation above the future of the country? This is not the man we need as President.

During the same period, Barack Obama has proven to be cool, intelligent, and a good decision maker. This should be obvious to anyone with the mind to actually think what is good for the country and not about politics.

John McCain is desperate and reckless. We don’t need desperate and reckless people leading this country.

Hijacking a Spam Campaign's Click-through Rate

Fri, 26 Sep 2008 06:07:16 +0000

This spammer is DomainKeys verified, a natural observation considering that the spam compaign which I discussed last Wednesday is using bogus Yahoo Mail accounts, and is spamming only Yahoo Mail users through a segmented emails database.

Not necessarily what I wanted to achieve, but once posting the spam campaigns SEO URLs, Yahoo's crawler's picked up the post pretty fast, and have ruined the SEO effect, with everyone clicking on the campaign's links reaching the post. Close to 15,000 unique visitors reached the article during the past 7 days since the now hijacked, spammer's link is no longer achieving the effect it used to.

What does this prove? It proves that users tend to trust emails that pass through spam filters so much that they actually click on the links. And whereas it's a spam campaign, and not a malware campaign, the next time they over trust such a email, they'll expose themselves to client-side vulnerabilities coursesy of a copycat web malware exploitation kit.

The latest search query the campaign is using :
- yahoo.com/search/search;_ylt=?p=...........................................stossregularnew............$0.00.........

leads to stossregularnew.com (61.255.135.185).