[SecurityRatty] tag: obvious

Guerilla Marketing for a Conspiracy Site

Thu, 14 Aug 2008 09:58:54 +0000

An image is worth a thousand words they say, especially when it's creative enough to count as a decent guerrilla marketing campaign for Alex Jones' infowars.com :

"Alex Jones is considered by many to be the grandfather of what has come to be known as the 9/11 Truth Movement. Jones predicted the 9/11 attack in a July 2001 television taping when he warned that the Globalists were going to attack New York and blame it on their asset Osama bin Laden. Since 9/11 Jones has broken many of the stories which later became the foundation of the evidence that the government was involved."

Sorry to disappoint, but as always, The Lone Gunmen were first to predict 9/11 in their "Pilot" episode, originally aired on 03/04/2001, obviously several months before Alex Jones did. How did they do it? By having a firm grasp of the obvious I guess.

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

People said China was safe, but danger still lurks in the so-called "safe" places.

Tue, 12 Aug 2008 12:06:00 +0000

The unfortunate stabbing death of an american who travelled with the Olympians showed that we should not take safety for granted.

Without being there, it is difficult to know, but one wonders if the press got it right when they reported that the killer did not know that the people he attacked were from America. It is highly probable that most American tourists would stand out on the streets of Beijing. If they followed the advice of security consultants who advise about trying to "blend in", there is a chance that they would be less obvious, but due to the fact that many were there to support the atheletes,I think it is very likley that the killer was able to identify them as being American.

The attacker did commit suicide after the attack, so there is a good chance that he was mentally disturbed. When we travel abroad, or even within our own countries for that matter, we should not only be looking for potential terrorists. There are a lot of other categories that can cause harm; burglars, robbers, purse snatchers, street con artists, kidnappers, people under the influence of alcohol/drugs and so on.

For many people, it is difficult to switch from relaxed tourist one minute to a defensive positon the next. Remember that it is alright to be cautous and suspicious. You don't have to make friends with everyone you meet on the street. It is much more important to be able to come home safe and sound to your family at the end of your trip.

How to find new features in Snort 2.8.2

Mon, 11 Aug 2008 06:34:39 +0000

Each version of Snort brings new features, but they aren't always immediately obvious or clearly documented. Using the release candidate of Snort 2.8.2 as an example, learn how to interpret Snort's release notes, README file and the snort.conf configuration file to locate new Snort features to deploy at customer sites.

CNN Custom Alerts Spam

Sun, 10 Aug 2008 13:28:40 +0000

In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this....

....it's obvious that a huge spam wave is underway. These are, of course, related to the fake CNN Spam from a few days ago. Here, the emails take the form of "custom alerts":

Click to Enlarge

I've seen two types of this mail - one links to a genuine CNN article from the headline text (with the smaller link underneath leading to an infection site), the other simply links to the infection site from both clickable links. As before, deleting these Emails is the best course of action. Interestingly, the format of these mails might not be working to the spammers advantage. Lots of people I've talked to who had one of these mails sent through simply deleted them without a second thought, thinking it was merely something on the real CNN they thought they'd signed up to and didn't actually want.

Black Hat : Got2 Luv the H8ers

Thu, 07 Aug 2008 01:07:02 +0000

So, this afternoon, I'm in the Microsoft booth at Black Hat when this guy comes up (badge hidden of course) and starts talking to some of my colleagues. Right away, it was pretty obvious that he was antagonistic. I will refer to him as "h8er" from here on out. Though I am paraphrasing a bit, this is based upon a true story. It gave me a chuckle, so I thought I'd share.

h8er: So, how does it feel to work for a company that has made so many bad security decisions.

MSFT guy: Well, I feel lucky to be in a position to try and influence good security decisions going forward - are there any specifics you want to give me feedback on?

h8er: All those prompts irritating people, for example.

MSFT guy: Oh, so you don't like that aspect of UAC. We've gotten a lot of feedback on that, but the UAC security changes in Windows Vista encompass a pretty wide range of options designed to make it easier for most users to run as non-admin. Plus, we've incorporated some of the feedback into SP1 and I think it is a lot better. Have you tried SP1?

h8er:

MSFT guy: (still trying) Let me ask it a different way. A lot of folks have said that after the first few weeks, the UAC prompts tapered off, have you not found that to be the case?

h8er:

MSFT guy: What about some of the other changes in Windows Vista - I think the addition of ASLR, for example, was a good decision and raises the bars for attackers developing exploits.

non-MSFT guys standing nearby: He has probably never even tried Vista - I bet you run Linux and just heard the prompt stuff second hand.

h8er: I don't run Linux ... I run a Mac!

(NOTE: This seemed to rattle him, so he went on the offensive.)

h8er: Don't you feel embarrassed working for Microsoft knowing that 40% of your customers are infected with Malware?

MSFT guy: Actually, based upon research in the latest Security Intelligence Report, less than 1% of machines have malware and need corrective action - plus, recent research in the same report has shown that most of that is on older platforms and Windows Vista has an even lower incidence. 40% is a pretty high number, what source did you hear that from?

h8er:

(NOTE: Need a new tack, better try something different.)

h8er: Well, I feel a lot safer running my Mac and knowing the malware writers aren't targeting me.

MSFT guy: Oh, threat landscape is a different topic than the security of the software, but I can't really agree anyway. Many of the folks I talk to are more concerned about spearphishing or targeted attacks specifically against their valuable data. Recent data shows that Mac OS X has quite a higher incidence of security vulnerabilities that other comparable systems. That means that if an attacker did target them, he'd have a lot more options to choose from. In that case, I feel much more comfortable using or recommending Windows Vista than I would using your Mac.

He left shortly after that, but not before giving the Microsoft guy an invite to his company's party - I won't tell you which company it was, but it makes the story even funnier. To cap it, a few minutes later, one of the bystanders came by and said "so, did the Mac fanboy get tired of harrassing you and leave?"

Having lots of fun at Black Hat 2008 ~ Jeff

Exploitability Index - More Information for Customers

Wed, 06 Aug 2008 12:20:56 +0000

Yesterday at Black Hat 2008, along with some other stuff, we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin.

Based upon talking with Microsoft customers over the past five years, they are always looking for that little bit of extra information to help make prioritization decisions. An obvious example of this is the severity attached to the vulns. However, as explained by Mike Reavey of the the Microsoft Security Response Center (MSRC) over on the Ecostrat blog today, customers are also very interested in which vulnerabilities already have exploit code or sample exploits available.

According to our analysis in the most recent Security Intelligence Report (SIR), only about 30 percent of the vulnerabilities we fix each year have exploit code released. Why is it not 100% ? Some are not interesting to attackers, sure, but some are simply more challenging to develop a consistent exploit against. It seems like it would be practically useful if this sort of information could be analyzed and published for customers.

How does one come up with an Exploitability Index?

The MSRC will analyze the vulnerability and explore what it would take to exploit it, with the support of our Security Vulnerability Research & Defense (SVRD) team. This will include leveraging methodologies from the broad researcher community.
We will also ask security researcher members of the Microsoft Active Protections Program (MAPP) (download FAQ) to review the vulnerabilities and check our analysis before releasing the index.

The idea of the Exploitability Index is to provide more information to help customers prioritize Microsoft security updates. This Index will reflect our best estimate, scrutinized by MAPP partners, of the likelihood of a functional exploit being developed for a given vulnerability.

If you are interested, I did an interview with Mike Reavey a while back, where we discuss what sort of information customers want that isn't yet in Security Bulletins. FYI, the video is about 15 minutes long and the early part focuses on Mike, how he got into security and how he ended up at Microsoft before we get to the Security Bulletin discussion ... if you want to get right to the Security Bulletin discussion, skip forward to about 08:40.

If you like these sorts of videos, click on
SecurityGuy 001 - Interview with MSRC Leader Mike Reavey and it'll take you to the edge.technet.com site and you can check out the related videos.

Regards ~ Jeff

Compromised Web Servers Serving Fake Flash Players

Tue, 05 Aug 2008 10:50:04 +0000

The tactic of abusing web servers whose vulnerable web applications allow a malicious attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the web.

This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it. From a strategic perspective, having a legitimate low-profile site -- of course with the obvious exceptions being on purposely registered for malicious purposes within the participating sites -- hosting your malicious campaign is pretty creative in terms of forwarding the responsibility, and the eventual blocking of a legitimate site to the its owner. As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it.

Moreover, Adobe's Product Security Incident Response Team (PSIRT) issued a warning notice about the attack yesterday, which could come handy if the attackers weren't taking advantage of client-side vulnerabilities, putting the unware end user is a situation where he wouldn't even receive a download dialog :

"We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running :

joseantoniobaltanas .com

automoviliaria .es/hotnews.html
risasnc .it/fresh.html
carpe-diem .com.mx/fresh.html
kotilogullari .com.tr/hotnews.html
ferrariclubpesaro .it/hotnews.html
imobiliariacom .com.br/default.html
misoares .com
osniehus .de/fresh.html
mydirecttube .com/1/5098/
madosma .com/default.html
tutotic .com/checkit.html
veit-team .si/default.html
antigewaltkurse .de/stream.html
kwhgs .ca/topnews.html
vorgo .com/stream.html
ankaraspor .com.tr/default.html
xxxdnn0314 .locaweb.com.br/watchit.html
ossuzio .com/watchit.html
cit-inc .net/default.html
negocioindependiente .biz/default.html
ambermarketing .com/topnews.html
web27 .login-7.loginserver.ch/stream.html
moretewebdesign .br-web.com/stream.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/hotnews.html
campodifiori .it/topnews.html
212.50.55.81 /stream.html
logisigns .net/fresh.html
intimaescorts .com/default.html
ghioautotre .it/live.html
geckert .de/stream.html
yuricardinali .com/watchit.html
retder .com/fresh.html
valdaran .es/default.html
getadultaccess .com/movie/?aff=5274
bauelemente-giering .de/stream.html
newyork-hebergement .com/watchit.html
allevatoritrotto .it/live.html
exoss2 .com/hotnews.html
soundandlightkaraoke .com/stream.html
land-kan .com/stream.html
grimaldi.nexenservices .com/watchit.html
inconstancia .com.br/watchit.html
gretelstudio .com/stream.html
sumacyl .com/watchit.html
mysna .net/fresh.html
gimnasioyx .com.ar/watchit.html
lagalbana .com/watchit.html
bielizna.tgory .pl/topnews.html
bcs92.imingo .net/stream.html
lapiramidecoslada .es/topnews.html
raulortega .com/stream.html
go-art-morelli .de/hotnews.html
wowhard.baewha .ac.kr/watchit.html
dianagraf .es/default.html
komma10-thueringen .de/hotnews.html
miavassilev .com/stream.html
swampgiants .com/watchit.html
compagniedephalsbourg .com/fresh.html
arla-rc .net/hotnews.html
salacopernico .es/watchit.html
drfinster .de/checkit.html
healthylifehypnotherapy .com/stream.html
ecotrike-bg .com/fresh.html
paoepalavra .org/watchit.html
jureplaninc-sp .com/topnews.html
fichte-lintfort .de/default.html
hergert-band .de/checkit.html
izliyorum .org/topnews.html
lideka .com/stream.html
athena-digitaldesign .com.tw/hotnews.html
e-paso .pl/stream.html
colombeblanche .org/stream.html
teatromalasa .es/watchit.html
mesporte.digiweb.com .br/stream.html
bistrodavila.com .br/watchit.html
hausfeld-solar .de/topnews.html
nakedinbed.co .uk/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
jbhumet .com/default.html
gruppouni .com/hotnews.html
francex .net/fresh.html
galvatoledo .com/topnews.html
cmeedilizia .eu/topnews.html
kroenert .name/default.html
textilhogarnovadecor .com/topnews.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
neticon .pl/hotnews.html
malerbetrieb-pelzer .de/hotnews.html
easterstreet .de/fresh.html
piogiovannini .com.ar/watchit.html
ser-all .com/topnews.html
petzold-dieter .de/checkit.html
beatmung-brandenburg .de/checkit.html
ossuzio .com/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
zelenaratolest .cz/pornotube/index1.htm
ambulatoriovirtuale .it/topnews.html
10a3 .ru/index1.php
izliyorum .org/topnews.html
collectedthoughts .co.uk/index12.html
afg .es/topnews.html
albertruiz .net/topnews.html
bielizna.tgory .pl/topnews.html
blueseven.com .br/topnews.html
bollettinogiuridicosanitario .it/topnews.html
caprilchamonix.com .br/topnews.html
carlolongarini .it/topnews.html
champimousse .com/topnews.html
cheviot.org .nz/topnews.html
contrapie .com/topnews.html
gruppouni .com/topnews.html
hausfeld-solar .de/topnews.html
herbatele .com/topnews.html
houseincostaricaforsale .com/topnews.html
alim.co .il/topnews.html
allevatoritrotto .it/topnews.html
amafe .org/topnews.html
ambulatoriovirtuale .it/topnews.html
atelier-de-loulou .fr/topnews.html
automoviliaria .es/topnews.html
autoreserve .fr/topnews.html
izliyorum .org/topnews.html
jureplaninc-sp .com/topnews.html
kwhgs .ca/topnews.html
lapiramidecoslada .es/topnews.html
last-minute-reisen-4u .de/topnews.html
marcadina .fr/topnews.html
maremax .it/topnews.html
corradiproject .info/topnews.html
dantealighieriasturias .es/topnews.html
deliriuslaspalmas .com/topnews.html
ecchoppers .co.za/topnews.html
elianacaminada .net/topnews.html
fonavistas .com/topnews.html
fraemma .com/topnews.html
fundmyira .com/topnews.html
galvatoledo .com/topnews.html
grafisch-ontwerpburo .nl/topnews.html
markmaverick .com/topnews.html
micela .info/topnews.html
motoclubnosvamos .com/topnews.html
nebottorrella .com/topnews.html
negozistore .it/topnews.html
neticon .pl/topnews.html
norbert-leifheit.gmxhome .de/topnews.html
segelclub-honau .de/topnews.html
snmobilya .com/topnews.html
splashcor .com.br/topnews.html
stephanmager .gmxhome.de/topnews.html
svcanvas .com/topnews.html
tautau.web .simplesnet.pt/topnews.html
textilhogarnovadecor .com/topnews.html
theflorist4u .com/topnews.html
thewindsorhotel .it/topnews.html
vuelosultimahora .com/topnews.html
aliarzani .de/topnews.html
ambermarketing .com/topnews.html
arnold82.gmxhome .de/topnews.html
ocoartefatos.com .br/topnews.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/topnews.html
positive-begegnungen .de/topnews.html
projetsoft .net/topnews.html
rbc.gmxhome .de/topnews.html
beatmung-sachsen .eu/topnews.html
campodifiori .it/topnews.html
clickjava .net/topnews.html
cmeedilizia .eu/topnews.html
dammer .info/topnews.html
embedded-silicon .de/topnews.html
ferrariclubpesaro .it/topnews.html
fgwiese .de/topnews.html
fswash.site .br.com/topnews.html
fytema .es/topnews.html
gildas-saliou. com/topnews.html
go-art-morelli .de/topnews.html
go-siegmund .de/topnews.html
guerrero-tuning .com/topnews.html
gut-barbarastein .de/topnews.html
japansec .com/topnews.html
komma10-thueringen .de/topnews.html
koon-design .de/topnews.html
lanz-volldiesel .de/topnews.html
lauscher-staat .de/topnews.html
losnaranjos.com .es/topnews.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
nepi.si/topnews .html
radieschenhein. de/topnews.html
residenceflora .it/topnews.html
sabuha .de/topnews.html
ser-all .com/topnews.html
siemieniewicz .de/topnews.html
viajesk .es/topnews.html
allevatoritrotto .it/live.html
bollettinogiuridicosanitario .it/live.html
carlolongarini .it/topnews.html
maremax .it/topnews.html
negozistore .it/topnews.html
parapendiolestreghe .it/live.html
www.donlisander .it/stream.html
aerogenesis .net/watchit.html
allevatoritrotto .it/live.html
atelier-de-loulou .fr/topnews.html
bistrodavila.com .br/watchit.html
bollettinogiuridicosanitario .it/live.html
caprilchamonix.com .br/topnews.html
cheviot.org .nz/live.html
condorautocenter .com.br/watchit.html
dantealighieriasturias .es/live.html
ecchoppers .co.za/topnews.html
elianacaminada .net/live.html
fonavistas .com/topnews.html
fundmyira .com/topnews.html
g6esporte .com.br/stream.html
grafisch-ontwerpburo .nl/topnews.html
gretelstudio .com/stream.html
gutierrezymoralo .com/watchit.html
healthylifehypnotherapy .com/stream.html
herbatele .com/live.html
jureplaninc-sp .com/topnews.html
lacomercialsrl .com.ar/stream.html
lagalbana .com/watchit.html
lapuertaestrecha .com.es/watchit.html
marcadina .fr/topnews.html
maremax .it/topnews.html
myadultcube .com/flash//aff=5176
myadultcube .com/flash//aff=5810
myadultcube .com/movie//aff=5155
newyork-hebergement .com/watchit.html
norbert-leifheit.gmxhome .de/topnews.html
omdconsulting .es/topnews.html
oyakatakent46537 .com/stream.html
parapendiolestreghe .it/live.html
regesh. co.il/watchit.html
rikkeroenneberg .dk/watchit.html
s215847279 .onlinehome.fr/stream.html
salacopernico .es/watchit.html
seekzones .com/watchit.html
seicomsl .es/watchit.html
sigma-lux .ro/watchit.html
soundandlightkaraoke .com/stream.html
stephanmager.gmxhome .de/topnews.html
tartuinstituut .ca/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
wowhard.baewha .ac.kr/watchit.html
aliarzani .de/topnews.html
ambermarketing. com/live.html
bilbondo .com/watchit.html
bollettinogiuridicosanitario .it/live.html
colombeblanche .org/stream.html
donlisander .it/stream.html
fgwiese .de/topnews.html
geckert .de/stream.html
helene-taucher .de/watchit.html
lanz-volldiesel .de/topnews.html
mairie-margnylescompiegne .fr/watchit.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
ossuzio .com/watchit.html
piogiovannini .com.ar/watchit.html
sabuha .de/topnews.html
sumacyl .com/watchit.html
swampgiants .com/watchit.html
xn--glland-3ya .de/stream.html
yuricardinali .com/watchit.html
nepi .si/topnews.html
dammer .info/topnews.html
atelier-de-loulou .fr/topnews.html
galvatoledo .com/topnews.html
allevatoritrotto .it/topnews.html
hausfeld-solar .de/topnews.html
micela .info/topnews.html
bistrodavila .com.br/watchit.html
hausfeld-solar .de/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
gruppouni .com/hotnews.html
galvatoledo .com/topnews.html
kroenert .name/default.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
malerbetrieb-pelzer .de/hotnews.html
dantealighieriasturias .es/topnews.html
oyakatakent46537 .com/stream.html
89.19.29 .13/stream.html
slobodandjakovic .com/fresh.html
cqcs.com .br/stream.html
seekzones .com/watchit.html
pascosa .it/stream.html
caprilchamonix .com.br/topnews.html
positive-begegnungen .de/topnews.html
ferien-urlaub-lastminute .de/default.html
mueggelpark .info/watchit.html
hillner-online .de/fresh.html
guiasaojose .net/default.html
deliriuslaspalmas .com/topnews.html
fraemma .com/topnews.html
morsbaby .net/default.html
vickywhite .com/fresh.html
micela .info/topnews.html
corradiproject .info/topnews.html
liguehavraise .com/live.html
capacitacaoemlideranca .com.br/fresh.html
materialesyacabados .com.mx/stream.html
208.112.7.68 /checkit.html
152.10.1.37 /1.html
carlolongarini .it/topnews.html
splashcor.com .br/topnews.html
lobpreisstrasse .org/1.html
motoclubnosvamos .com/hotnews.html
hk-rc.com /1.html
taaf.re /stream.html
dulceysalao .com/default.html
amafe .org/topnews.html

Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider (antispyspider.net) :

"AntiSpy Spider is a cutting-edge anti-spyware solution.This revolutionary anti-spyware program was created by the industry's top spyware experts in order to protect your computer and your privacy.html, while ensuring optimal system performance.With the ability to locate, eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its users a safe, spyware-free computing experience; and with it's convenient automatic update feature, AntispyStorm ensures continuous up-to-date protection."

Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

On CEP as a Discipline

Tue, 05 Aug 2008 04:46:27 +0000

In CEP as a Discipline, David Luckham wrote:

“Actually, it is fair to say that some of CEP can be found in other disciplines. Event processing has been going on in one form or another, for the past 50 years. Simulation, Networking, Active DBs, Middleware.

{ …. }

CEP has only just begun. The foundations are unexplored. Its an open field of research issues.”

Actually, on slide 12 of this presentation from 2006 Processing Patterns for PredictiveBusiness, we show that the foundations for complex event processing have been in place for many years and in many disciplines such as multisensor data fusion, control theory, sensor management, planning, correlation, estimation, tracking, information fusion, data fusion, data mining and more.

One obvious problem (or at least obvious to many of us) with the current group think marketing CEP is that many have ignored the established foundations for event processing and complex event processing that have been mature for many decades. It is not very efficient (nor good for customers) to pick a phrase, or concept, like “CEP” and ignore the relevant mulitiple disciplines that have been used to solve complex classes of distributed event processing problems for decades.

Therefore, “CEP has only begun” is only true for those who have ‘drank the CEP koolaid” and do not understand (yet) that they are “reinventing the event processing wheel” and ignoring (by accident or purposely, I have no idea of the motives) the prior-art and/or selectively picking the prior art or research associated with their company, byline, favorite researcher, CEO, etc. This is a fundamental issue (and constraint) with CEP, in my opinion. Complex event processing does not stand alone as an art or a science, nor should it, nor should it be based on single dimensional, or small groups of single dimensional, technologies.

If you want to see many of the foundations of CEP, you don’t need to go much further than slide 12 of this presentation from 2006, Processing Patterns for PredictiveBusiness.

Based on my observation, it reminds me of a small group of folks on a discovery mission where their ship lands on the shore of a distant land and they call this “new land” — “CEP” because they feel they have discovered a new land. Nevermind the big cities that already exist or the many people already “in the fields” of their new land. These ”CEP explorers” are seemingly in some kind of modern day epic struggle to define themselves as “discoverers” or “founders” and they are coming up with new names of the lakes, rivers, streams and mountains that defined the landscape long before their ship arrived.

Note: It is encouraging to see folks slowly “catching up”…. maybe in a few years we will move CEP beyond the “not invented here” mind share that we see today.

Also note that, recently we saw a flurry of posts where many people rightly stated that “CEP was overhyped” - but then in rebuttal the EPTS community leaders came back with “Is CEP a mere hype?” or “Is CEP a hype?”. spinning the discussion to an extreme position that is wildly different than “CEP is Overhyped”.

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.