[SecurityRatty] tag: redirection

Embassy of Brazil in India Compromised

Thu, 13 Nov 2008 06:47:45 +0000

Only an amateur or unethical competition would embedd malicious links at the Embassy of Brazil in India's site, referencing their online community. With the chances of an Embassy involvement into the fake antivirus software industry close to zero,

The compromise is a great example of a mixed use of pure malicious domains in a combination with compromised legitimate ones and on purposely registered accounts at free web space providers, hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway

epmwckme.dex1.com
htkobaf.dex1.com
ogbucof.dex1.com
segundomuelle.com/mex/antivirus
jgzleaa.dex1.com
igpran.ru/services/tolstye

The active and redirecting traff .asia (89.149.251.203) is currently serving a fake account suspended notice - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." but is whatsoever redirecting us to antimalware09 .net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well known web malware exploitation kit which is currently serving PDF exploits.

google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to google-analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; Win32.TrojanSpy.Zbot.gen!C.5), and google-analyze .com/tracker/pdf.php (Exploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns. google-analyze .com has multiple IFRAMEs pointing to google-analystic .net (209.160.67.56), yet another traffic redirection doorway further exposing their campaigns.

For instance, google-analystic .net/in.cgi?20 loads google-analystic.net/tea.php (209.160.67.56) where google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2 taking us to 91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact location of the PDF exploit - 91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters. google-analystic .net/in.cgi?9 redirects to mangust32 .cn/pod/index.php (218.93.202.102) where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at
mangust32 .cn/pod2/load.php and load.exe at mangust32 .cn/eto2/load.php, moreover, google-analystic .net/in.cgi?10 leads us to mmcounter .com/in.cgi?id194 (94.102.50.130) a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to busyhere .ru/in.cgi?pipka which redirects to beshragos .com/work/index.php (79.135.187.38) where once we
deobfuscate the script, we get to see the PDF exploit location beshragos.com /work/getfile.php?f=pdf.

What's contributing to the increase of PDF exploits durin the last month? It's an updated version of a web based malware exploitation tool, which despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks causing the usual short-lived epidemic.

Related posts:
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

A Diverse Portfolio of Fake Security Software - Part Twelve

Mon, 03 Nov 2008 13:11:25 +0000

These very latest rogue security software domains have been in circulation -- blackhat SEO, SQL injections, traffic redirection scripts -- since Friday and remain active :

premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47)
antivirus-pc-scan .com (208.72.169.100)
securityfullscan .com (84.243.197.184)
antivirus-live-scan .com (84.243.196.136; 89.149.227.196)
windefender-2009 .com - (200.63.45.55)
windefender2009 .com

What these domains have in common, excluding the last two WinDefender ones, is the domain registrant, the DNS servers used, and that despite the fact that it has already been featured in several malicious doorways, meaning these are receiving traffic already, they forgot to upload the binaries on all of the active domains :

"Not Found. The requested URL /2009/download/trial/A9installer_.exe was not found on this server."

Registrant:
Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536

DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com

Moreover, the following domains are also parked at the same IPs, but are currently in stand-by mode, yet they're also using the same DNS servers with the only difference in the registrant who seems to have been running a very extensive portfolio of bogus domains, potentially making hundreds of thousands in the process :

save-my-pc-now .com
real-antivirus .com
liveantivirustest .com
antiviruspctest .com
premium-live-scan .com
liveantivirustest .com
antiviruspersonaltest .com
mysecuritysupport .com
updateyourprotection .com
antivirus-premiumscan .com
securitylivescan .com
security-full-scan .com
secured-liveupdate .com
livepcupdate .com
protection-update .com
antivirus-scan-online .com
xpsoftupgrade .com
live-virus-defence .com

A Diverse Portfolio of Fake Security Software - Part Eleven

Tue, 28 Oct 2008 09:15:59 +0000

The following portfolio of fake security software appear to have been integrated within traffic redirection doorways during the weekend, consequently redirecting hundreds of thousands of users acquired from blackhat hat SEO, malvertising, email spam and SQL injections, to non-existent security vendors and their non-existent security products. Here's an excerpt from one of the templates that they're using :

"Since its first establishement in 2001, Antivirus V.I.P consistently maintained its position as one of the world's leading companies in antivirus research and product development. Antivirus V.I.P is known mostly for Antivirus V.I.P, its powerful mix of Anti-Malware, Anti-Virus, Anti-Trojan, Anti-Backdoor, Anti-Worm and Anti-PornoDial in one program. Antivirus V.I.P scans and removes trojans and other malware, which can be placed on a computer without the owner's knowledge.

Antivirus V.I.P is a powerful and easy-to-use Trojan horses, Viruses and all types of Malware removal software, which detects and eliminates more than 100'000 Trojan Horses and Spywares. It also detects viruses, trojans, worms, spyware, malicious ActiveX controls and Java applets. The latest version of Antivirus V.I.P features outstanding detection abilities, together with high performance. Antivirus V.I.P creates best anti-virus, anti-trojan and anti-spyware security solutions that protect computer users from ever-increasing cyber threats and all the dangers of the new century."

And the domains and their associated IPs :

antivirus-freescan .com (208.72.169.100)
defendyourpc .com
mycupupdate .com
secureupdatecenter .com
secureupdateserver .com
webscannertools .com
secureyourpayments .com
protection-overview .com

save-my-pc-now .com (84.243.196.136; 89.149.227.196; 89.149.227.232)
antivirus-pcscan .com
hiqualityscan .com
active-scanner .com
perfectscanner .com

livesecurityinfo .com (216.240.134.208)
protection-freescan .com
antvirushelp .com
prosecurity-audit .com

scan-my-pc .com (89.149.251.56)
securedclickhere .com

Open Redirects and Common Weakness Enumeration

Thu, 16 Oct 2008 10:58:00 +0000

Hopefully, you're more than familiar with CVE (Common Vulnerabilities and Exposures), but perhaps you're less familiar with CWE (Common Weaknesses Enumeration). Both are significant efforts, international in scope, and the excellent products of The MITRE Corporation, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
Approximately six months ago I was discussing open redirect vulnerabilities with Steven Christey of MITRE, who mentioned that that CWE entry for open redirects was sparse and dated, with little reference material. In particular, he pointed out the lack of defining papers. I accepted this information as a challenge and produced an article that was published in (IN)SECURE Issue 17. Soon after Issue 17 went live, I also took note of an excellent academic paper specific to the topic of open redirect vulnerabilities; Shue, Kalafut and Gupta's Exploitable Redirects on the Web: Identification, Prevalence, and Defense. Complete with these two papers as references, as well as two current CVE identifiers for popular web applications suffering from open redirect vulnerabilities (discovered by yours truly), CVE-2008-2052 & 2951, CWE-601: URL Redirection to Untrusted Site (aka 'Open Redirect') is now current and complete.
As open redirects are undoubtedly one of my biggest pet peeves, I am pleased to no end. Hopefully CWE-601 will help drive more application vendors and site operators to put an end to this easily mitigated vulnerability.

CWE:
"International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design."

del.icio.us | digg | Submit to Slashdot

Syndicating Google Trends Keywords for Blackhat SEO

Fri, 03 Oct 2008 00:19:24 +0000

Several hundred Windows Live Spaces and AOL Journals, are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries exposing users to Zlob codecs.

Here are some same bogus blogs used in the campaign, naturally pre-registered long before they executed it :

vinniedigg18 .spaces.live.com
journals.aol .com/iolatour16
fredabreak02 .spaces.live.com
thedaalerts01 .spaces.live.com
allisonpolls08 .spaces.live.com
rheabreak18 .spaces.live.com
racquellog17 .spaces.live.com
monikavideo11 .spaces.live.com
journals.aol .com/shelvakill27
tomekadigg26 .spaces.live.com
ivahnet19 .spaces.live.com
journals.aol .com/louisathere13
allisonpolls08 .spaces.live.com
valericatch03 .spaces.live.com
journals.aol .com/iolatour16
hadleycue01 .spaces.live.com
journals.aol .com/staceyliving01
collettebreak17 .spaces.live.com
journals.aol .com/nataliablog16
natalymore26 .spaces.live.com

A comprehensive listing of the blogs involved can be downloaded here.

What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs as using a central redirection domain, shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In this case, the domain in question is video.xmancer.org (216.195.59.75).

Here are the the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs :

video.xmancer .org (216.195.59.75)
buynowbe .com
loveniche .com
antivirus-freecheck .com
jetelephone .cn
reducki .cn
woteenhas .cn
lilaloft .cn

clipztimes .com (78.157.143.235)
imagelized .com
vidzdaily .com

gotmovz .com (78.108.177.91)
dwnld-clips .com

movwmstream .com (77.91.231.183)
newwmpupdate .com
zaeplugin .com
movaccelerator .com
optimwares .com
piterserv .com

moviesportal2008p .com (72.232.183.154)
movieportal2008a .com
funnyportal2008l .com
starsportal2008p .com
softportal2008p .com
movieportal2008q .com

In short, despite that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign since each and every blog participating is also linking to the rest of the ones within the ecosystem.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Scammers Avoid Spam Detection By Using Redirection In Adobe Flash Files And ImageShack.com Free Hosting

Thu, 04 Sep 2008 15:59:04 +0000

Anti-spam service MessageLabs reports a new way found by scammers to bypass anti-spam filters. This time scammers are utilizing Adobe Flash files and free websites hosting services. Spam messages with harmless-looking content contain links to Flash-based files on free image hosting services like ImageShack.com. The commands embedded in flash files redirect the recipient to sites that [...]

A Diverse Portfolio of Fake Security Software - Part Four

Mon, 25 Aug 2008 01:58:02 +0000

Thanks to the affiliate based business model that's driving the increase of fake security software and rogue codecs serving domains, the very same templates, but with different domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection campaigns.

Moreover, with the "time-to-market" of a fake security software decreasing due to the efficiency approach introduced in the form of tips for abuse-free hosting services provided by the "known suspects", and the freely available templates, we're slowly starting to see the upcoming peak of this approach.

In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake security software, to be introduced anytime soon.

fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171)
top-pc-scanner .com
buy-secure-protection .com
security-scan-pc .com
pc-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
topvirusscan .com
virusbestscan .com
best-security-protection .com
infectionscanner .com
virusbestscanner .com
full-protection-now .com

Pwrantivirus .com - 91.208.0.246
vav-x-scanner .com
vav-scanner .com
scanner.vavscan .com
malware-scan .com
Scanner-Pwrantivirus .com
Xpertantivirus .com
Scanner-xpertantivirus .com

spyware-quickscan-2008 .com - (216.195.56.88)
virus-quickscan-2008 .com
spyware-quickscan-2009 .com
virus-quickscan-2009 .com
winmalwarecontrol .com
antispyware-quick-scan .com
virus-quick-scan .com
antivirus-quick-scan .com
winprivacytool .com

topantispyware2008 .com - (216.195.56.86)
cleanermaster .com - (216.195.56.85)
antivirus777 .com - (67.228.120.3)
pcsecuritynotice .com - (67.228.120.3)

Whereas the average Internet users are falling victims into this type of fraud, what I'm more concerned about is the large traffic the malicious domains receive in general due to all the different traffic acquisition tactics the people behind them apply. This anticipated traffic can then be greatly used as valuable metrics for the many other malicious ways in which it can be monetized.

Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Cyberattack Against Georgia Preceded Real Attack

Mon, 18 Aug 2008 09:11:09 +0000

This is interesting:

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government's ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.
[...]

In Georgia, media, communications and transportation companies were also attacked, according to security researchers. Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia. The National Bank of Georgia's Web site was defaced at one point. Images of 20th-century dictators as well as an image of Georgia's president, Mr. Saakashvili, were placed on the site. "Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically," said Gadi Evron, an Israeli network security expert. "The nature of what's going on isn't clear," he said.

[...]

In addition to D.D.O.S. attacks that crippled Georgia's limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend. The attacks continued on Tuesday, controlled by software programs that were located in hosting centers controlled by a Russian telecommunications firms. A Russian-language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for D.D.O.S. attacks.

Welcome to 21st century warfare.

"It costs about 4 cents per machine," Mr. Woodcock said. "You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to."

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments. This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network. The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment. Take a look at the attached picture. It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes. Is it FTP traffic that is occuring at a high volume at an unuseal time of day? If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it? Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment. Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated. Having constant visibility can also ensure that other security products in the environment are performing as expected. What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy. One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach. Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place. Well, sure... You now have attack visibility but at the performance cost of your virtual environment. Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones. IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache? Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern. In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one. So why do it virtual and have to pay a 60% CPU utilization tax? Another solution is to IDS inspect only the things you care about. Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL. Its just a waste of compute cycles isnt it? Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product). Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow). NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world. NetFlow is lightweight. Let me say that again, its light weight! It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on. Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator. You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records. It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

<p><p>Slide 3</p></p>

•Monitor and Alert network behavior of VMs
•Track Vmotion movement of VMs accross physical servers
•Monitor and Alert on communication between VMs
•Identify users accessing VMs
•Identify unauthorized or rouge VMs
•Monitor and Alert when VM’s go online or offline
•Identify network services running on VMs
•Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session. A high counter can be indicative of a security problem. Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine. Example: Lets say you have a VM that has a BOT on it and is "owned". The Lancope product is monitoring this long life session. Let's say that session is established for several hours or maybe even days or months. Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise. Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior. Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying: Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY. There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies. Things like, helping you answer questions of: How do I know what network applications are taking up the most bandwidth? When should I move those applications over to a server with more horsepower? When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur? I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer. Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson