[SecurityRatty] tag: continue

Gartner Data Center Conference 2008

Tue, 02 Dec 2008 15:55:49 +0000

The Gartner Data Center Conference kicked off this morning in Las Vegas. Despite the completely packed plane coming out here, Vegas seems quieter and not so crowded. The bartender at Wolfgang Puck’s Bistro told me they were looking forward to the 1800 people coming to this show to fill the hotel up. As we’ve noted, the economic crisis is impacting business travel all around.

22% of the attendees at Data Center come from the public sector and government, with 44% coming from very large enterprises of 20K+ employees.

During the Gartner IOM conference in June, some of the most interesting info coming out of it was the quick polls of the audience on a variety of infrastructure and operations management topics. What are enterprises doing? Where are they headed? What’s important to them? Here are some quick takes from the opening session:

1) What is the largest data center challenge that you currently face?

Smaller Budgets: 21%
Power & Cooling: 20%
Dealing with the Rate of Technology Change: 15%
Aligning Activities with the Business: 15%
Modernizing Legacy Applications: 10%
Lack of Data Center Space because of Equipment Spread: 9%
How to Source IT Services: 5%
How to Find and Retain Talent: 5%

Well, it’s taken almost a year to be “official”, but the National Bureau of Economic Research just announced that the US has been in a recession since December of 2007. It should come as a surprise to no one that dealing with smaller budgets is top of mind, even for the predominantly larger enterprises attending here.

2) What projects will receive the most funding in 2009?

Virtualization/Consolidation: 31%
Data Center Facilities – new builds: 17%
IT Operations Process Improvement: 12%
IT Modernization: 7%
Green IT: 5%

Virtualization and (server) consolidation projects are clearly a priority for larger enterprises in 2009. What’s interesting here is the relatively very low priority of Green IT projects – in spite of the importance to attendees of getting power and cooling costs under control. Perhaps there’s a gap here between what’s often the hype of Green IT and practical considerations for data center managers when it comes to power and cooling management.

3) Where are you with server consolidation projects?

No Plans: 3%
Looking at it now and will start in next 2 years: 13%
In process now: 58%
Have already completed server consolidation project: 26%

Larger enterprises are consolidating servers with a quarter of attendees already having gone through the process at least once. And according to poll #2, this trend will definitely continue.

Rock Phish-ing in December

Tue, 02 Dec 2008 04:12:31 +0000

Nothing can warm up the hearth of a security researcher than a batch of currently active Rock Phish domains, fast-fluxing by using U.S based malware infected hosts as infrastructure provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? In short, prove that the people that were Rock Phish-ing at the beginning of the year, are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign, is that compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance & Leicester and Abbey National only.

Active Rock Phish Domains in fast-flux :
stgsfw7sr .com
q06ciwt60 .com
jnlyf96v4 .com
neegzlh35 .com
7azwmrsg5 .com
pn3ekq976 .com
2coxi8sb6 .com
d8ri1iz5d .com

ki7wvgauf .com
5nt5r3keh .com
5nt29884j .com
bgoryomek .com
a725jv8ik .com
fke5nnp8m .com
stgsfw7sr .com
10c0ka49t .com
zp304ju3z .com
j0rykafwn .cn
2j1f .net

confirm-updates .com
paypal.confirm-updates .com
user-data-confirmation .com
paypal.user-data-confirmation .com
capitalone.updating-informations .com

Sample sub-domain structure :
mybank.alliance-leicester.co.uk.7azwmrsg5 .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.5nt29884j .com
mybank.aliance-leicester.co.uk.bgoryomek .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.stgsfw7sr .com
mybank.aliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com
myonlineaccounts1.abeynational.com.pn3ekq976 .com

DNS servers for the campaigns :
ns1.thecherrydns .com
ns2.thecherrydns .com
ns3.thecherrydns .com
ns4.thecherrydns .com
ns5.thecherrydns .com
ns6.thecherrydns .com

ns10.realgoodnameserver .com
ns1.realgoodnameserver .com
rens2.realgoodnameserver .com
rns3.realgoodnameserver .com
ns4.realgoodnameserver .com
ns8.realgoodnameserver .com

ns6.myboomdns .com
ns4.myboomdns .com

Domains registrant :
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com

These well known Rock Phish campaigners, have been naturally multitasking on several different underground fronts throughout the year. For instance, their 2j1f .net is known to have been hosting money mule company's site, and also, it was used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence on the consolidation that's been ongoing for over an year and half now? An infamous money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the fast-flux network offered by the ASProx botnet masters in July.

As a firm believer in that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime infrastructure relying entirely on legitimate services, or one where the average malware infected Internet user would be temporarily used as a hosting provider.

If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

Related Rock Phish research :
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Assessing a Rock Phish Campaign

Related fast-flux research :
Fast-Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Scam
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Managed Fast Flux Provider - Part Two
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Yet Another Web Malware Exploitation Kit in the Wild

Tue, 02 Dec 2008 03:24:43 +0000

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications, claiming copyright over the modified and re-branded kit, the source code of core web malware exploitation kits continue representing the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring ongoing communications between sellers and buyers reveals actual attempts of intellectual property enforcement in the form of exchange of flames between an author of a original kit, and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit there is available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and js obfuscation techniques, doesn't require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticable exceptions to the common wisdom that time-to-underground market isn't allowing them to innovate, but thankfully, these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic management coming from the SQL injected or malware embedded sites is automatically exploited with access to the infected hosts or to the traffic volume in general offered for sale under a flat rate, or on a volume basis.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale is all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild

Links for 2008-12-01 [del.icio.us]

Mon, 01 Dec 2008 21:00:00 +0000

Last In - First Out: Janke’s Official 2009 Technology Predictions
Prediction 6: There will be a major security panic over some widely used but inherently insecure Internet protocol. The problem will not get resolved. Prediction 9: Web Apps will continue to be deployed with a 1:1 ratio of new web applications to applications that are vulnerable to SQL injection, XSS or XSRF. A few new applications will not be vulnerable. The rest will make up for those few with multiple vulnerabilities, keeping the overall ratio constant.

Tough times and risk management, Part 2

Sun, 30 Nov 2008 21:00:00 +0000

Gibbs discussed the concept of risk management in IT a couple of weeks ago, and vowed to continue with a discussion of the consequent politics. True to his word, here 'tis . . .

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

Links for 2008-11-25 [del.icio.us]

Tue, 25 Nov 2008 21:00:00 +0000

The Myth of Software Support « Chris Swan’s Weblog
More On Why I Think Free Microsoft AV Will Be Good For Consumers | securosis.com
My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.
Idiocy | securosis.com
The Impact Of Free Antivirus From Microsoft | securosis.com
This gives them enough time to avoid suddenly losing 40% (don’t quote me on that, I’m on an airplane and just guessing) of profits over 12 months. The real losers will be the consumer-only AV companies without diversified portfolios or a larger enterprise base.
Rich Mogull: 7 Infosec Trends for 2009 - CSO Online - Security and Risk
Safe bets for IT spending in '09 | Business Tech - CNET News
Second, security management will merge with log management. That works for ArcSight, RSA, LogLogic, and LogRhythm.
Dark Matters: Land of Confusion
InternetNews Realtime IT News - Enterprise SaaS Buyers Want More Than Uptime
High Tower Software Shuts Down | socalTECH.com
Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down.

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

Spam levels fluctuate as crooks try to revive botnets

Mon, 24 Nov 2008 21:00:00 +0000

Two weeks after a hosting firm's shutdown sent global spam volumes plummeting, some researchers continue to claim that junk mail rates remain dramatically down, while others say spam has already bounced back.

New Web Malware Exploitation Kit in the Wild

Wed, 19 Nov 2008 01:15:01 +0000

Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any signification differentiation factors besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed for novice users, despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics obtained in an OSINT fashion always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits.