[SecurityRatty] tag: rogue

How to Protect Your Network from Rogue IT Employees

Fri, 18 Jul 2008 20:00:00 +0000

Terry Childs, a network administrator for the City of San Francisco is accused of creating a super-password on the switches and routers in the city's Fibre WAN and using it to block everyone else's access to administrative functions. According to reports, Childs had been detected tampering with the network and had reacted with hostility when disciplined after a confrontation with a supervisor.

Obfuscating Fast-fluxed SQL Injected Domains

Thu, 17 Jul 2008 11:31:06 +0000

It's all a matter of how you put it, and putting it like represents a good example of tactical warfare, namely, combining different tactics for the sake of making it harder to keep track of the impact of a particular SQL injection campaign. Consider the following examples of obfuscated domains, naturally being in a fast-flux in the time of the SQL injection that several Chinese script kiddies were taking advantage of :

%6b%6b%36%2e%75%73 - kk6.us
%73%61%79%38%2E%75%73 - s.see9.us
%66%75%63%6B%75%75%2E%75%73 - fuckuu.us
%61%2E%6B%61%34%37%2E%75%73 - a.ka47.us
%61%31%38%38%2E%77%73 - a188.ws
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D - 3.trojan8.com
%6D%31%31%2E%33%33%32%32%2E%6F%72%67 - m11.3322.org

As always, these obfuscations are just the tip of the iceberg considering the countless number of other URL obfuscations techniques that spammers and phishers used to take advantage of on a large scale. For the time being, one of the main reasons we're not seeing massive SQL injections using such obfuscations is mostly because the feature hasn't been implemented in popular SQL injectors for copycat script kiddies to take advantage of. However, with the potential for evasion of common detection approaches, it's only a matter of personal will for someone to add this extra layer to ensure the survivability of the campaign.

The folks behind these obfuscations are naturally multitasking on several different underground fronts. Take for instance 3.trojan8.com (58.18.33.248) also responding to w2.xnibi.com which is also injected at several domains, w2.xnibi.com/index.gif to be precise. The fake .gif file in the spirit of fake directory listings for acquiring traffic in order to serve malware, is actually attempting to exploit a RealPlayer vulnerability - JS/RealPlr.LB!exploit. The deeper you go, the uglier it gets.

Related posts:
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Monetizing Compromised Web Sites

Sun, 13 Jul 2008 23:26:24 +0000

Despite that pure patriotic hacktivism is still alive and kicking, compromised sites are largely getting monetized these days, starting from hosting blackhat SEO junk pages, to redirecting to live exploit URLs and fake codecs where revenue is earned through their participation in an affiliate business model.

With The Africa Middle Market Fund's site monetized by web site defacers who defaced it "in between" the blackhat SEO infrastructure they were hosting internally, in this I'll comment on the currently compromised and redirection to a fake porn sites, Camara Municipal de Amparo (camaraamparo.sp.gov.br/r.html). Basically, it's homepage is heavily linking to the Zlob variant (camaraamparo.sp.gov.br/ video.exe) in between loading an IFRAME to 61.162.230.12/ index.php. As always, upon uploading their redirector, they've build enough confidence into their new hosting provider that the link to the redirector was instantly spammed across the web. The site is so heavily linking to the internal redirector itself, that upon clicking on the majority of links the user will inevitably come across it.

Speaking of fake porn sites redirecting to Zlob variants, here are the very latest additions spammed across the web through blackhat SEO practices :

just-tube .com
mypornmovies .net
moms-galls .net
porntubefilms .com
porntubedot .com
hot-porntube .com
landmovieblog .com
sexvidtube .com
freelifevideo .com
getyourfreemovie .com
iubat .com
sweetyjoly .com
hardbizarre .com
freeworldvideo .net
hot-porntube .net
qualitymovies .net
porntube1con .net
video-info .net
videocityblog .com
fuckedolder .com
highpro1 .com
max-graf.com .pl
grandsupertds .info
hot-porn-tube .net
hot-porntube .com
terryschulz .com
show-sextube .com
qualitymovies .net
clubvideos .net

No matter the high profile site that's been exploited in order to participate in such malicious operations, for the time being, crunching out new domain names and using the hosting services of the well known ISPs neglecting their removal, seems to be the tactic of choice. The long tail of SQL injected sites is however, clearly replacing the plain simple blackhat SEO web spamming, so that traffic to these rogue sites is driven through redirection of the the traffic from legitimate sites.

Violating OPSEC for Increasing the Probability of Malware Infection

Fri, 11 Jul 2008 15:39:32 +0000

Are malware authors and the rest of the participants in fact willing to violate their OPSEC (operational security) for the sake of increasing the probability of successful malware infection by on purposely lowering down the security settings of Internet Explorer, by adding their malicious netblocks and domains into "Trusted Sites"? You bet.

The infamous Smitfraud or PSGuard Desktop Hijacker, has been cooperating with known malicious parties for over an year now, a cooperation which exposes interesting relatinships between the usual suspects. Starting from the basic fact that a malware infected host is infected with many other totally unrelated to one another pieces of malware, Smitfraud's "pre-infection foreplay" demonstrates that they are willing to sacrifice operational security in order to increaes the probabilty of future infections on the same host.

Rogue software added as trusted sites upon Smitfraud infection :
about-adult .net
antivirus-scanner .com
best-porncollection .com
getadultaccess .com
getavideonow .com
ieantivirus .com
malwarebell .com
mega-soft-2008 .com
mooncodec .com
movsonline .com
ruler-cash .com
s-freeware .com
sexysoftwaredom .com
supersoft21freeware .com
the-programsportal .com
vwwredtube .com
wetsoftwares .com
youpornztube .com
securewebinfo .com
safetyincludes .com
securemanaging .com
myflydirect .com
onlinevideosoftex .com
scanner.malwscan .com
scanner.shredderscan .com
sex18tube2008 .com
spywareisolator .com
virus-scanner-online .com
security-scanner-online .com
virus-scanonline .com
antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
internet-security-antivirus .com
hotvid44 .com
opaadownload .com
somenudefuck .com

Rogue netblocks and IPs added as trusted IP ranges upon Smitfraud infection :
"69.50.*.*"
"69.31.*.*"
"66.235.*.*"
"66.230.*.*"
"216.239.*.*"
"205.188.*.*"
"205.177.*.*"
"195.225.*.*"
"216.195.*.*"
"82.179.*.*"
"81.95.*.*"
"70.84.*.*"
"195.95.*.*"
"194.187.*.*"
"78.129.158.*"
"78.129.166.*"
"89.149.226.*"
"195.93.218.*"
"72.21.53.*
"81.9.3.*"
"213.189.27.*"
"88.255.74.*"
"79.143.178.*"
"202.71.102.*"
"64.202.189.170"
"217.170.77.150"

The second hardcoded trusted IP is also responding to :
virusisolator .com
virus-isolator .org
virus-isolator .net
soft-collections .com
viruswebprotect .com
virus-isolator .us
codecvideo2008-18 .com
sextubecodec55 .com
sextubecodec67 .com
soft-archives .com
soft-collections .com
codecreviews .com
codecvideo2008-18 .com

Such practices leave a great deal of malicious creativity, for instance, once rented a botnet's already infected malware PCs could start trusting the majority of sites in their scammy ecosystem. What's great is that by doing this they expose their affiliations with these affiliate based rogue security software programs, next to their infrastructure on which they may be that easily claiming ownership.

The Template-ization of Malware Serving Sites

Thu, 10 Jul 2008 12:59:13 +0000

Just like web malware exploitation kits and phishing pages turned into a commodity underground good, allowing easy localization to different languages, and of course, the natural lowering of entry barriers into web malware and phishing in general, the very same thing is happening with fake ActiveX templates like the ones used on the majority of fake porn and celebrity sites I've been assessing recently.

The increase of these bogus ActiveX templates is due to the fact that despite they are currently available for sale, buyers appear to be leaking them for everyone to use so that they can continue maintaining their current business models, namely, the services they offer with the ActiveX templates. Unethical competitive practices among cybercriminals and scammers are only to starting to take place with one another trying to ruin or extend the lifecycle of their services.

Talking about prevalence, the TonsOfPorn ActiveX remains the most widely used rogue ActiveX in the majority of fake codec campaigns for the last couple of months. The ActiveX is largely abused by using another fake porn site template for PornTube, which in combination result in nothing more than huge domain portfolios with no content at all if we exclude the Zlob variants.

And while template-tization means more efficient malware campaigns, it also results in a common pattern for generic detection of such sites. For instance, the folks at Finjan did an experiment by verifying the signature based detection of the common javascript file that was used in the ongoing waves of SQL injection attacks. Their conclusion :

"Can it be that Anti-virus products are now holding more signatures for domains and URLs rather than trying to identify a malicious code they never inspected before? As my research found, just by changing the domain names, some AVs did not find this code as malicious...... surprisingly enough."

When assessing malware campaigns in general, I usually do the same for the record. Storm Worm's use of ind.php for executing its set of exploits has the same detection rate - scanners result: 10/33 (30.30%) and is detected as JS.Zhelatin.zb.

Getting back to the TonsOfPorn ActiveX, it's structure is more static than a Red Army statue in Estonia, making it easy to proactively protect against, no matter the domain, no matter the exploits served. It's detection rate is close to the javascript from the SQL injection attacks - Scanners Result: 9/33 (27.28%) and is detected as Trojan.HTML.Zlob.L.

From my personal experience, blocking an IP address where a couple of hundred malicious domains remain parked, is just as useful as blocking a single domain acting as the main redirector behind a huge domains portfolio of malicious domains. However, the most beneficial approach on a large scale remains the practice of taking care of the most obvious patterns that still remain faily easy to detect, at least for the time being, due to the efficiency the people behind them aim to achieve, making them easily susceptible to generic detection approaches.

Fake Porn Sites Serving Malware - Part Two

Mon, 07 Jul 2008 23:24:00 +0000

What we've go here is the same malware gang using the very same malicious ISP among the ones you rarely see in any report, continuing to crunch out domain redirectors using the same templates for fake porn sites. And since some of the fake sites are actual redirectors, periodically revisting them leads to more fake codecs and even more actionable intelligence into the nature of their practices, and which are the ISPs proving them with hosting services for several consecutive years.

The main redirector in this campaign popular-adult.com is also responding to :

basic-adult .com
business-adult .com
center-adult .com
comp-adult .com
compadult .com
controladult .com
cruiseporn .com
drive-adult .com
ebony-adult-video .com

ebony-pornmovie .com

ebony-video-xxx .com
engine-adult .com
fat-adult-video .com
fat-pornmovie .com
fat-video-xxx .com
global-adult .com
inc-adult .com
name-adult .com
nameadult .com
other-adult .com
partadult .com
pleasureadult .com
porn-abc .com
porn-contact .com
porn-global .net
porn-go .net
porn-group .net
porn-party .net
porn-play .net
porn-plus .net
porn-power .net
porn-room .net
pornabout .com
porndrive .net
pornhelp .net
pornname .net
pornstar-adult-video .com
pornstar-pornmovie .com
pornstar-video-xxx .com
room-adult .com
scan-adult .com
seek-adult .com
u-adult .com

The secondary redirectors going out of popular-adult.com :

pornname .net/ted/382634557/1/
porn-abc .com/ike/1666520193/1/
pornhelp .net/dense/876421348/1/
porn-play .net/cristina/1970565499/1/
porn-global .net/percival/330780624/1/
porn-contact .com/cisse/854714304/1/
porn-play .net/honora/888715608/1/
pornname .net/deidre/1964468519/1/
pornhelp .net/pip/1977382266/1/
porndrive .net/shelton/767217618/1/
pornhelp .net/mat/354381578/1/
pornabout .com/tobe/1436617289/1/
porn-go .net/samson/7633197/1/
porn-contact .com/teresa/409084583/1/
porn-party .net/basil/1305549820/1/
porn-contact .com/ed/1067772053/1/
porn-contact .com/frish/1287341391/1/
pornname .net/mariah/53967973/1/
pornname .net/jacobus/291129748/1/
porn-plus .net/beverly/2122167311/1/
porn-party .net/lulu/917088357/1/
pornabout .com/boetius/1991451664/1/
cruiseporn .com/padde/1296397392/1/
porn-power .net/arch/334137732/1/
cruiseporn .com/meta/377489795/1/
porn-room .net/lynette/1518855371/1/
porn-play .net/link/1975737157/1/
hporn-global .net/vin/1241430020/1/
porndrive .net/dunk/1245242641/1/
porn-go .net/louisa/1685718172/1/
pornhelp .net/dunk/1859215260/1/
porn-contact .com/celia/1805798677/1/
porn-play .net/anabelle/987641695/1/
porn-room .net/rille/815076192/1/
pornabout.com/hodge/1040019816/1/
porn-abc .com/claes/1130748100/1/
pornabout .com/frederick/1987458246/1/
porn-go .net/fredde/1153431432/1/
porn-party .net/felicity/705720374/1/
porndrive .net/ginne/1183690031/1/
porn-group .net/kimberle/706468800/1/
porn-room .net/helen/565953612/1/
porn-party .net/arche/1387111363/1/
porn-contact .com/kingston/232354071/1/
pornhelp .net/mima/1024064014/1/
porn-power .net/gretchen/152347961/1/
porn-contact .com/ophelia/840853119/1/
porn-play .net/eleanor/88926029/1/
porn-power .net/bella/1712681771/1/
porn-global .net/melchizedek/1823498218/1/
pornabout .com/gabbe/1478560492/1/
porn-party .net/obedience/1540587230/1/
porndrive .net/rod/1177331120/1/
porn-play .net/gee/1314369182/1/
pornname .net/phineas/975226015/1/
porn-global .net/reynold/131075998/1/
porndrive .net/bat/1542809624/1/
porn-global .net/hans/400396810/1/
porn-contact .com/mock/1738069316/1/
porn-plus .net/tryphosia/354085313/1/
porn-room .net/bazaleel/1417267786/1/
porn-contact .com/joyce/353938308/1/
porn-power .net/laine/780004499/1/
pornhelp .net/mille/988856007/1/
cruiseporn .com/dare/258399427/1/
porn-global .net/nat/2039108680/1/
pornname .net/eudora/2132399934/1/
porn-go .net/ana/277211595/1/
pornhelp .net/auge/1990287956/1/
porn-contact .com/danial/1195423348/1/
porn-abc .com/teresa/1787982397/1/
porn-go .net/lawrence/1575543567/1/
porn-go .net/sherre/1066718744/1/
porn-contact .com/jack/657185819/1/
porn-abc .com/manda/216390544/1/
porn-party .net/chuck/1533427157/1/
porndrive .net/lucille/215841052/1/
cruiseporn .com/rodney/1024994863/1/
pornname .net/sheldon/669324635/1/
porn-global .net/janet/1677642355/1/
porn-global .net/basil/635902337/1/
porn-party .net/adela/980553444/1/
cruiseporn .com/charles/2038221862/1/
pornabout .com/sid/644600064/1/
porn-abc .com/eloise/1882289515/1/
porndrive .net/bryant/724023427/1/
porn-party .net/bonne/305120344/1/
porn-play .net/susan/826151266/1/
porn-room .net/sheila/439221958/1/
porn-go .net/valere/1498454342/1/
porn-contact .com/asenath/1036530205/1/
porn-plus .net/marcus/51947065/1/
porn-party .net/bridgit/518065759/1/
porn-plus.net/shawn/1427002427/1/
cruiseporn.com/alicia/1252994155/1/
porn-abc.com/arminda/975985679/1/
porn-party.net/lionel/929052416/1/
porn-contact .com/ande/1755833202/1/
porn-power .net/cyrus/732691977/1/
aboutadultsex .com/heloise/1008109638/1/
adultzoneworld .com/barne/506956701/1/
superporncity .com/roberta/1239682918/1/
pornhelp .net/eurydice/1944564451/1/
theadultpost .com/volodia/543769984/1/
porn-play .net/bird/760635633/1/
coolbestporn .com/bradford/578099145/1/
porn-plus .net/delilah/465854735/1/
porn-power .net/pheney/698426424/1/
porn-party .net/cristina/940229631/1/
porn-party .net/justin/1913395886/1/
porn-contact .com/lotte/1794233444/1/
porn-party .net/nowell/850070721/1/
worldbestadult .com/parthenia/1858633626/1/
funpornsite .com/patience/188018581/1/
adultsexpro .com/isse/1981168802/1/
adultsexpro .com/isabelle/683364151/1/
porndrive .net/erne/906935790/1/
porn-power .net/delpha/178727494/1/
porn-plus .net/chesley/1261676752/1/
porn-plus .net/selina/11889629/1/
porntimeguide .com/arnold/1555784224/1/
aboutadultsex .com/doug/1975246767/1/
porn-global .net/clum/1615653087/1/
funxxxporn .com/kym/739810260/1/
porn-plus .net/roxane/2022633909/1/
worldbestadult .com/vicke/955775101/1/
porn-play .net/jane/1396714471/1/
pornname .net/nicole/1695768032/1/
adultvideodot .com/bela/96070992/1/
porn-room .net/carre/1310194786/1/
adultsexpro .com/azubah/141802741/1/
theadulteye .com/pheney/1077328499/1/
porn-party .net/chick/1522449297/1/
aboutadultsex .com/elbert/1300176621/1/
findadultsex .com/lorre/2057361400/1/
teenporntop .com/aristotle/901956477/1/
coolbestporn .com/bartel/94175118/1/
porn-plus .net/deanne/70540201/1/
coolbestporn .com/appe/1679745028/1/
findadultsex .com/asaph/1439353641/1/
pornxxxfilm .com/tone/904077420/1/
funxxxporn .com/india/476477713/1/
adultvideodot .com/ed/879863981/1/
bestpriceporn .com/babbe/1457040435/1/
superliveporn .com/russell/56570486/1/

More fake porn video sites using similar site templates, and using the same redirection infrastructure :

porntubev20 .com
clearpornurlssite .com
mypornmovies .net
getyourfreemovie .com
tubescollection .com
free-best-porn .com/videos/
pornmovieshare .com
clipslab .com
mybestvideosite .com
avwav .com

The fake codecs download locations in this campaign :

aviutility .com
18x-adult2008 .com
2008x-adult-2008 .com
best-codec .com
hq-codec .net
mpegsystem .com
bestsoft-ware08 .com

The registrant and hosting provider :

Cernel Inc, Legal Department (support@cernel.net)
23404 W. Lyons Ave #223, Santa Clarita, Ca,91321
US, Tel. +1.6613470577

Historically, the same gang has been using the same hosting provider for many other fake codecs, which remain parked on the same netblock in a standby mode :

Fire-ticket .com - 64.28.184.162
Fire-codec .com - 64.28.184.163
Light-ticket .com - 64.28.184.163
Braketicket .com - 64.28.184.164
Mooncodec .net - 64.28.184.164
Light-codec .com - 64.28.184.165
Turbo-ticket .com - 64.28.184.165
Space-codec .com - 64.28.184.166
Ultra-ticket .com - 64.28.184.166
Brakecodec .com - 64.28.184.167
Demo-ticket .com - 64.28.184.167
Demoticket .net - 64.28.184.168
Hq-ticket .com - 64.28.184.168
Turbo-codec .com - 64.28.184.168
Hqticket .com - 64.28.184.169
End-ticket .com - 64.28.184.169
Nitro-codec .com - 64.28.184.169
Hqticket .net - 64.28.184.170
Clean-ticket .com - 64.28.184.170
Red-codec .com - 64.28.184.170
Black-codec .com - 64.28.184.171
Viva-ticket .com - 64.28.184.171
Niceticket .net - 64.28.184.171
Endticket .com - 64.28.184.172
Ultra-codec .com - 64.28.184.172
Wot-ticket .com - 64.28.184.172
Mega-codec .net - 64.28.184.173
Storm-ticket .com - 64.28.184.173
Megaz-ticket .com - 64.28.184.174
Vipcodec .net - 64.28.184.174
Democodec .net - 64.28.184.175
Giga-ticket .com - 64.28.184.175
Demo-codec .net - 64.28.184.176
Uin-ticket .com - 64.28.184.176
Hopeticket .com - 64.28.184.177
Hq-codec .net - 64.28.184.177
Best-codec .com - 64.28.184.178
Hope-ticket .com - 64.28.184.178
Endcodec .net - 64.28.184.179
Zero-ticket .com - 64.28.184.179
End-codec .net - 64.28.184.180
Pop-ticket .com - 64.28.184.180
Cleancodec .net - 64.28.184.181
Yupticket .com - 64.28.184.181

The deeper you go the more interesting it gets, malware command and controls located on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and spam hosting - they or their customers if they are to forward the responsibility are definitely multitasking.

Related posts:
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

U.S. Arms Dealer Tests Legal Bounds in Middle East Arms Bazaar

Thu, 03 Jul 2008 18:00:00 +0000

Former congressman Curt Weldon is helping broker deals between Russian and Ukranian weapons suppliers and the Iraqi and Libyan governments as part of his new job with a private American defense consulting firm, Wired.com has learned.

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

Fast Track to Botnet Central

Tue, 01 Jul 2008 05:41:45 +0000

Its true, you too can finally get into the botnet you always wanted. Finally the ability to be a zombie computer under some losers control is yours!

Seriously though, becoming a victim to a hacker's botnet is incredibly easy. These attacks are not typical to other forms of destruction found on the internet. There true intent is usually to remain hidden from view until called upon. In the case of FastTrackBot however there is a new objective. FastTrackBot downloads several executable files that keep your computer clicking on the attacker's affiliate links. These executable files keep the webpages in hidden iexplore.exe windows in order to hide the application from suspicious eyes. If you're using X-cleaner, I suggest you take a look at the Expert Tab. The Show All Hidden Windows function is great for showing you exactly what is open at the time.

FastTrackBot phones home to several of these sites in order to keep the user clicks through affiliate links.

Aside from creating invisible windows to hog your bandwidth up, it also attempts to install a rogue anti-spyware application. This is a popular technique when attempting to fraud the victim into leaking credit card information when actually attempting to purchase the fake product. FastTrackBot inserts a fake security center that appears identical to the one found in Windows XP.

As you can see in the address bar, this is not the actual security center. Clicking anywhere on this window means almost certain doom in the worst way possible...a never ending stream of fake "YOU ARE INFECTED!!!!" alerts.

In order to kill the actual application, you have to remove it from memory first, then remove its autostart which is found in 5 different locations - or simply remove with our free Microscanner.

Summarizing June's Threatscape

Tue, 01 Jul 2008 03:05:01 +0000

June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.

01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification

02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain

03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network

04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there

05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments

06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long

07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"

08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund

09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks

10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location

11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites

12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance

13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used

14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com

15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are

16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?
17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998
18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking
19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself

The Malicious ISPs You Rarely See in Any Report

Mon, 30 Jun 2008 05:31:08 +0000

The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.

The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :

- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China

With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.

And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.

Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network