<![CDATA[[SecurityRatty] tag: osint]]>

<![CDATA[[SecurityRatty] tag: osint]]> http://securityratty.com/tag/osint Sun, 11 May 2008 21:13:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[The DDoS Attack Against Bobbear.co.uk]]> http://securityratty.com/article/290801c330ee41caec63af5966719ea1 http://securityratty.com/article/290801c330ee41caec63af5966719ea1

When you get the "privilage" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated countersurveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

]]> Wed, 19 Nov 2008 05:35:01 +0000 ddos ddos attack ddos-ed ddos malware kit ddos attack graphs hire service profile ddos botnets blackenergy botnets The DDoS Attack Against Bobbear.co.uk <![CDATA[New Web Malware Exploitation Kit in the Wild]]> http://securityratty.com/article/b14bf267debe94a6c65be57f5460b9a5 http://securityratty.com/article/b14bf267debe94a6c65be57f5460b9a5

Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any signification differentiation factors besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed for novice users, despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics obtained in an OSINT fashion always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits.

]]> Wed, 19 Nov 2008 01:15:01 +0000 malware malware exploitation kit web based malware nuclear malware kit ddos malware kit zeus crimeware kit wild key features worth metaphisher malware kit New Web Malware Exploitation Kit in the Wild <![CDATA[Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks]]> http://securityratty.com/article/20a44f5ecd81be809dacc26141c04b6b http://securityratty.com/article/20a44f5ecd81be809dacc26141c04b6b

The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist socienty's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action got published last week, a project I discussed back in August, point out to the bottom of the food chain in the entire campaign - stopgeorgia.ru :

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments :

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of the "Please, input your cause" mentality is always going to be there.

]]> Mon, 20 Oct 2008 05:58:59 +0000 georgia cyberattacks cyber georgia cyber attacks real-time osint project project grey goose forums cut georgia Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks <![CDATA[Identifying the Gpcode Ransomware Author]]> http://securityratty.com/article/7fcd166cea35b581caf45eb753d96890 http://securityratty.com/article/7fcd166cea35b581caf45eb753d96890

Interesting article, but it implies that there has been a shortage of quality OSINT regarding the campaigners behind the recent Gpcode targeted cryptoviral extortion attacks :

"The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files. Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that GPcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines."

In reality, there hasn't been a shortage of timely OSINT aiming to to identify the authors - "Who’s behind the GPcode ransomware?" :

"So, the ultimate question - who’s behind the GPcode ransomware? It’s Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication (58.38.8.211; 221.201.2.227) :

Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo .com
saveinfo89@yahoo .com
cipher4000@yahoo .com
decrypt482@yahoo .com

Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838"

The bottom line - out of the four unique emails used by the GPcode campaigners, only two were actively corresponding with the victims, each of them requesting a different amount of money, but both, taking advantage of U.S based web services to accomplish their attack.

]]> Tue, 30 Sep 2008 13:23:32 +0000 gpcode gpcode campaigns recent gpcode gpcode ransomware gpcode campaigners gpcode authors kaspersky lab virtual currency accounts liberty reserve accounts Identifying the Gpcode Ransomware Author <![CDATA[Web Based Botnet Command and Control Kit 2.0]]> http://securityratty.com/article/4f945955ba8a424fe6b9352583602062 http://securityratty.com/article/4f945955ba8a424fe6b9352583602062

The average web based command and control kit for a botnet consisting of single user, single campaign functions only, has just lost its charm, with a recent discovery of a proprietary botnet kit whose features clearly indicate that the kit's coder know exactly which niches to fill - presumably based on his personal experience or market research into competing products.

What are some its key differentiation factors? Multitasking at its best, for instance, the kits provides the botnet master with the opportunity to manage numerous different task such as several malware campaigns and DDoS attacks simultaneously, where each of these gets a separate metrics page.

Automation of malicious tasks, by setting up tasks, and issuing notices on the status of the task, when it was run and when it was ended. Just consider the possibilities for a scheduling malware and DDoS attacks for different quarters.

Segmentation in every aspect of the tasks, for instance, a DDoS attacks against a particular site can be scheduled to launched on a specific date from infected hosts based in chosen countries only.

Customized DDoS in the sense of empowering the botnet master with point'n'click ability to dedicate a precise number of the bots to participate, which countries they should be based in, and for how long the attack should remain active. Quality and assurance in DDoS attacks based on the measurement of the bot's bandwidth against a particular country, in this case the object of the attack, so theoretically bots from neighboring countries would DDoS the country in question far more efficiently.

Historical malware campaign performance, is perhaps the most quality assurance feature in the entire kit, presumably created in order to allow the person behind it to measure which were the most effective malware and DDoS campaigns that he executed in the past. From an OSINT perspective, sacrificing his operational security by maintaing detailed logs from previous attacks is a gold mine directly establishing his relationships with previous malware campaigns.

Bot Description:

1. Completely invisible Bot work in the system.
2. Not loads system.
3. Invisible in the process.
4. Workaround all firewall.
5. Bot implemented as a driver.

Functions Bot (constantly updated):

1. Downloading a file (many options).
2. HTTP DDoS (many options, including http authentication).

The web interface

-- Convenient manager tasks.
-- Every task can be stopped, put on pause, etc. ...
-- Interest and visual scale of the task.

-- A task manager for DDoS and Loader

-- For DDoS tasks

Bots involved in DDoS 'f.
Condition of the victim (works, fell).

2. Bots manager
-- Displays a list of bots (postranichno).
-- Obratseniya date of the first and last.
-- ID Bot.
-- Country Bot.
-- Type Bot.
-- The status Bot (online / offline).
-- Bot bandwidth to different parts of the world (europe, asia).
-- The possibility of removing bots

-- When you click on ID Bot loadable still a wealth of information about it

3. Statistics botneta
-- Statistics both common and build Bot.
-- Information on the growth and decline botneta dates (and build).
-- Bots online
-- All bots

-- Dead bots.

4. Statistics botneta country

-- All countries to work on

-- New work by country

-- Online work from country to country

-- Dead bots by country

5. Detailed history botneta

6. Convenient user-friendly interface adding teams
8. Admin minimal server loads
-- Use php5/mysql

Upcoming features :
1. Form grabber (price increase substantially), for old customers will be charged as an upgrade
2. Public key cryptography
3. Clustering campaigns and DDoS attacks

Despite it's proprietary nature, it's quality and innovative features will sooner or later leak out for everyone to take advantage of, a rather common lifecycle for the majority of proprietary malware kits in general.

Related posts:

BlackEnergy DDoS Bot Web Based

A New DDoS Malware Kit in the Wild

The Cyber Bot - Web Based Malware

The Black Sun Bot - Web Based Malware

Custom DDoS Capabilities Within a Malware

Botnet on Demand Service

Loads.cc - DDoS for Hire Service

Using Market Forces to Disrupt Botnets

Botnet Communication Platforms

A Botnet Master's To-Do List

DDoS on Demand VS DDoS Extortion
How Does a Botnet with 100k Infected PCs Look Like?

]]> Fri, 22 Aug 2008 10:02:15 +0000 ddos attacks based ddos attacks malware previous malware campaigns ddos attacks simultaneously botnet country country bot ddos Web Based Botnet Command and Control Kit 2.0 <![CDATA[Who's Behind the Georgia Cyber Attacks?]]> http://securityratty.com/article/5b529a9f3815b10331813e58bacf8129 http://securityratty.com/article/5b529a9f3815b10331813e58bacf8129

Of course the Klingons did it, or you were naive enough to even think for a second that Russians were behind it at the first place? Of the things I hate most, it's lowering down the quality of the discussion I hate the most. Even if you're excluding all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly explains why certain countries are lacking behind others with years in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare, that there are no rules on how to achieve your objectives.

So who's behind the Georgia cyber attacks, encompassing of plain simple ping floods, web site defacements, to sustained DDoS attacks, which no matter the fact that Geogia has switched hosting location to the U.S remain ongoing? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is militia anyway :

"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks, and that the attacks are not "state-sponsored", making it look like that there should be a considerable amount of investment made into these attacks, and that the Russian government has the final word on whether or not its DDoS capabilities empowered citizens should launch any attacks or not. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

Thankfully, there are some visionary folks out there understanding the situation. Last year, I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of the possible answers still fully apply in this situation :

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that noone else but the affected Russia could be behind the attacks

- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departamental cyber warfare would never reach the flexibity state of people's information warfare where everyone is a cyber warrior given he's empowered with access to the right tools at a particular moment in time.

Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121

Chinese Hackers Attacking U.S Department of Defense Networks

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

Teaching Cyber Jihadists How to Hack

Empowering the Script Kiddies

OSINT Through Botnets

Corporate Espionage Through Botnets

Malware Infected Hosts as Stepping Stones

Hacktivism Tensions - Israel vs Palestine Cyberwars

The Current, Emerging, and Future State of Hacktivism

Internet PSYOPS - Psychological Operations

]]> Thu, 14 Aug 2008 06:16:34 +0000 attacks georgia cyber attacks warfare departamental cyber warfare cyber warfare tensions information warfare concept information warfare russian russian oligarchs Who's Behind the Georgia Cyber Attacks? <![CDATA[Summarizing June's Threatscape]]> http://securityratty.com/article/520325188c71fdacd3f86834feb1cdc5 http://securityratty.com/article/520325188c71fdacd3f86834feb1cdc5

June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.

01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification

02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain

03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network

04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there

05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments

06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long

07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"

08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund

09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks

10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location

11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites

12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance

13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used

14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com

15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are

16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?
17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998
18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking
19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself

]]> Tue, 01 Jul 2008 03:05:01 +0000 site fake youtube site web site defacements malware malware hosts web site defacer sites vulnerable sites malicious Summarizing June's Threatscape <![CDATA[The Malicious ISPs You Rarely See in Any Report]]> http://securityratty.com/article/698e36c7aa4d5f39635cf50fa8e91834 http://securityratty.com/article/698e36c7aa4d5f39635cf50fa8e91834

The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.

The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :

- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China

With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.

And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.

Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

]]> Mon, 30 Jun 2008 05:31:08 +0000 malicious malicious isps isps report malicious doorways continue infrastructure malicious infrastructure malicious domain malware command The Malicious ISPs You Rarely See in Any Report <![CDATA[Asprox Phishing Campaigns Dominated in April]]> http://securityratty.com/article/dcbd7c5743ac36e20feaabc0f44bed3f http://securityratty.com/article/dcbd7c5743ac36e20feaabc0f44bed3f

According to the latest report from the Phishtank, a great resource for OSINT data, five IPs were hosting 6547 phishing campaigns in April, all of which are courtesy of the Asprox botnet, a botnet that despite being actively sending phishing emails for the last couple of months, received more publicity for its introduction of SQL injection capabilities, like the ones I've assessed in a previous post. The IPs in question :

212.174.25.241
62.233.145.45
218.92.205.246
85.105.182.6
212.0.85.6

Where's the connection? It's in the historical domains that used to respond to the IPs, in the Asprox case, a great deal of the original domain names used a couple of months ago are still in a fast-flux and further expose and connection between these IPs and Asprox. For instance, 62.233.145.45, is known to have been hosting xml52.com; www5.yahoo.american-greeting.ca.xml52.com; yahoo.americangreeting.ca.www05.net; bendigobank.com.au.tampost5.ws; among the domains used in some of the previous phishing domains. The rest of the IPs are also known to have participated in the fast-flux, and therefore, as long as they remain using some of their old domains, and fast-flux them in a way that can be compared to the data from previous months, monitoring the prevalence of Asprox phishing campaigns and making the connection between a phishing campaign and the botnet, would remain easy to do.

Related posts:
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Inside a Botnet's Phishing Activities
Fake Yahoo Greetings Malware Campaign Circulating
Phishing Emails Generating Botnet Scaling

]]> Tue, 27 May 2008 02:38:48 +0000 asprox botnet asprox botnet previous previous months historical domains ips months domains Asprox Phishing Campaigns Dominated in April <![CDATA[Stealing Sensitive Databases Online - the SQL Style]]> http://securityratty.com/article/6fd11fadd38d6753640de4546ce6057f http://securityratty.com/article/6fd11fadd38d6753640de4546ce6057f

In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market niches and generating modest but noticeable revenue streams, have their E-shops vulnerable and exploitable to web application vulnerabilities, with their SQL databases available for extraction in an unencrypted form.

In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.

The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.

The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host.

]]> Sun, 11 May 2008 21:13:00 +0000 databases pop e-shops e-shops site-specific vulnerability manner specific vulnerability complete access malicious attackers access bad guys Stealing Sensitive Databases Online - the SQL Style