[SecurityRatty] tag: underground

Monetizing Infected Hosts by Hijacking Search Results

Thu, 02 Oct 2008 03:33:00 +0000

When logs with accounting data are no longer of interest due to low liquidity on the underground market, monetization of the infected hosts comes into play.

This web based malware seems like an early BETA aiming to scale, however it's only unique features are its ability to hijack the infected user's searches and server relevant ads courtesy of the affiliate networks the administrator participates in, and also, an integrated DDoS module that the author simply stole from another kit. Strangely, it's 2008 yet the author also included the ability to turn on the telnet service on an infected host.

With the search queries feature easy to duplicate by other kits, this web based malware is a great example of how the time-to-market mentality lacking any kind of personal experience -- the malware cannot intercept SSL sessions compared to the majority of crimeware kits that can -- ends up in a weird hybrid of random features.

Customerization will inevitably prevail over the product concept mentality.

A Diverse Portfolio of Fake Security Software - Part Seven

Tue, 30 Sep 2008 12:35:15 +0000

In case you haven't heard - Microsoft and the Washington state are suing a U.S based -- naturally -- "scareware" vendor Branch Software :

"We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."

Sadly, Branch Software is the tip of the iceberg on the top of the affiliates participating in different affiliation based programs, which similar to IBSOFTWARE CYPRUS and Interactivebrands, which I've been tracking down for a while, are the aggregators of scareware that popped up on the radars due to their extensive portfolios. These three companies offering software bundles or plain simple fake software, are somewhere in between the food chain of this ecosystem, with the real vendors paying out the commissions on a per installation basis slowly starting to issue invitation codes that they've distributed only across invite-only forums/sections of particular forums.

Behind these brands is everyone that is participating in the franchise and is putting personal efforts into monetizing the high payout rates that the fake security software vendor is paying for successful installation. These high payout rates -- with the financing naturally coming straight from other criminal activities online -- are in fact so high, that I can easily say that the last two quarters we've witnesses the largest increase of such domains ever, and they're only heating up since the typosquatting possibilities are countless and they seem to know that as well.

It's important to point out that their business model of acquiring traffic is outsourced to all the affiliates that do the blackhat SEO, SQL injections, web sessions hijacking of malware infected hosts in order to monetize, so basically, you have an affiliates network whose actions are directly driving the growth into all these areas. Throwing money into the underground marketplace as a "financial injection", is proving itself as a growth factor, and incentive for innovation on behalf of all the participants.

Here are some of the most recent fake security software domains, a "deja vu" moment with a known RBN domain from a "previous life" that is also parked at one of the servers, and evidence that typosquatting for fraudulent purposes is still pretty active with a dozen of Norton Antivirus related domains, some of which have already started issuing "fake security notices" by brandjacking the vendor for traffic acquisition purposes.

Antivirus-Alert .com (203.117.111.47) where pepato .org a domain that was used in the Wired.com and History.com IFRAME injections, which back in March was also hosted at Hostfresh (58.65.238.59).

softload2008name .com (78.157.143.250)
softload2008nm .com
softload2008n .com
softload2008jq .com

microantivir-2009 .com (91.208.0.223)
scanner.microantivir-2009 .com
microantivir2009 .com
microantivirus-2009 .com
microantivirus2009 .com

ms-scan .com (91.208.0.228)
msscanner .com
ms-scanner .com

Personalantispy .com (93.190.139.197)
freepcsecure .com
quickinstallpack .com
quickdownloadpro .com
advancedcleaner .com
performanceoptimizer .com
internetanonymizer .com

ieprogramming .com (92.62.101.83)
uptodatepage .com
fileliveupdate .com
qwertypages .com
sharedupdates .com
ierenewals .com

norton-antivirus-alert .com
norton-anti-virus-2007 .com
norton-antivirus-2007 .com
norton-antivirus2007 .com
nortonantivirus2007 .com
norton-antivirus-2008 .com
nortonantivirus2008 .com
nortonantivirus2008freedownload .com
norton-antivirus-2009 .com
nortonantivirus2009 .com
norton-antivirus-2010 .com
nortonantivirus2010 .com
nortonantivirus360 .com
nortonantivirus8 .com
nortonantivirusa .com
nortonantivirusactivation .com
norton-antivirus-alert .com
nortonantivirusalerts .com
norton--anti-virus .com
norton-anti-virus .com
norton-antivirus .com
nortonanti-virus .com
nortonantivirus.com
nortonantiviruscom .com
nortonantiviruscorporate .com
nortonantiviruscorporateedition .com
nortonantiviruscoupon .com
nortonantivirusdefinition .com
nortonantivirusdefinitions .com
nortonantivirusdirect .com

Fake Antivirus Inc. is not going away as long as the affiliate based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the one popping up on the radar, compared to the situation where it's the affiliate network's participations greed that's increasing their visibility online.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Cybersquatting Symantec's Norton AntiVirus
Cybersquatting Security Vendors for Fraudulent Purposes
Fake Porn Sites Serving Malware - Part Three
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
EstDomains and Intercage VS Cybercrime
Fake Security Software Domains Serving Exploits
Localized Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

23 things I wish would just go away

Mon, 29 Sep 2008 20:00:00 +0000

It's list season here at PC World, so I may as well join in--with something that resembles the "little list" made famous by Ko-Ko, Lord High Executioner in Gilbert and Sullivan's classic The Mikado. He sings of "offenders who might well be underground, and who never would be missed." Me, too.

The Commercialization of Anti Debugging Tactics in Malware

Mon, 29 Sep 2008 12:55:54 +0000

Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come handy in the hands of the wrong people :

"Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs , OCXs , ActiveX controls, screen savers and device drivers).

Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed."

With Cyber-as-a-Service business model becoming increasingly common, the entire quality assurance model in respect to malware is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly - improving the customer's experience by letting him take advantage of the inventory of crypting tools and bypassing verification services. Within the tool's inventory are naturally lots of (pirated) commercial anti-reverse engineering tools.

As we've seen before, whenever someone starts commercializing what used to be a self-selving process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they're about commercializing this market segment, and taking into consideration that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.

250k of Harvested Hotmail Emails Go For?

Thu, 25 Sep 2008 08:13:08 +0000

$50 in this particular case, however, keeping in mind that the email harvester is anything but ethical, this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale, may in fact be already available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling in the niche of email harvesting by distinguishing between different types of obfuscated emails by releasing an easily embeddable module, was an anticipated move. What's to come? Spam and malware campaigns across social networks "as usual" will propagate faster thanks to the ongoing harvesting of usernames within social networks, that would later on get imported in Web 2.0 "marketing" tools targeting the high-trafficked sites and automatically spamming them.

From a spammer's perspective, geolocating these 250k emails could increase their selling prices since the buyers would be able to launch localized attacks with messages in the native languages of the receipts. Is the demand for quality email databases fueling the developments of this market segment, or are the spammers self-serving themselves and cashing-in by reselling what they've already abused a log time ago? That seems to be the case, since there's no way a buyer could verify the freshness of the harvested emails database and whether or not it has already been abused.

For the time being, we've got several developed and many other developing market segments within spamming and phishing as different markets with different players. On one hand are the legitimately looking spamming providers offering "direct marketing services" working with lone spammers who find a reliable business partner in the face of the spamming vendor whose customers drive both side's business models. On the other hand, you've got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure -- already available as a module to integrate in managed spamming services -- using legitimate services as a provider of the infrastructure.

Despite that the arms race seems to be going on at several different fronts, spammers VS the industry and spammers VS spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources for research and development in order to ensure that they are always a step ahead of the industry.

Related posts:
Harvesting Youtube Usernames for Spamming
Thousands of IM Screen Names in the Wild
Automatic Email Harvesting 2.0
Dissecting a Managed Spamming Service
Managed Spamming Appliances - the Future of Spam
Inside an Email Harvester's Configuration File
Segmenting and Localizing Spam Campaigns
Shots from the Malicious Wild West - Sample Four

EstDomains and Intercage VS Cybercrime

Tue, 16 Sep 2008 05:09:44 +0000

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance. "

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
RBN's Fake Account Suspended Notices
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Adult Network of 1448 Domains Compromised

Mon, 15 Sep 2008 03:54:19 +0000

With millions of malware infected PCs participating in a botnet, the probability that a high profile end user whose domain portfolio consisting of over 1,400 high trafficked adult web sites, would end up having his accounting data stolen, is gradually increasing.

That seems to be the case with the CPanel of the Bang Bros network of adult web sites, the accounting data for which was obtained through a botnet in which the administrator seems to have been unknowingly participating in. None of the sites have been embedded with malware so far, however, taking into consideration the high traffic this adult network attracts as well as the fact that he person managing the domains portfolio is part of a botnet, that may change pretty fast.

A single malware infection always triggers the entire malicious effect, from the malware automatically SQL injection vulnerable sites, and providing infrastructure for scams and fraudulent activities, to allowing the botnet master to parse the huge log of stolen accounting data and look for Cpanels and anything allowing him to efficiently compromise a network of sites he wouldn't have been able to compromise if it wasn't the "weakest link" centralizing the entire portfolio in a single location.

And whereas for the time being, propositions for selling compromised CPanel accounts are mostly random, in the long term, fueled by the demand for compromised domains, we may witness the emergence of yet another market segment in the underground economy, with price ranges based on the pagerank of the domain in question, the type of browsers and the traffic sources visiting it. Until then, SQL injections through search engines reconnaissance executed through a botnet, will remain the efficient tactic of choice for abusing legitimate domains as redirectors to malicious ones.

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Movie Plot Threats in The Guardian

Thu, 04 Sep 2008 01:56:57 +0000

We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats. Before long, we're envisioning an entire movie plot, without Bruce Willis saving the day. And we're scared.

It's not just terrorism; it's any rare risk in the news. The big fear in Canada right now, following a particularly gruesome incident, is random decapitations on intercity buses. In the US, fears of school shootings are much greater than the actual risks. In the UK, it's child predators. And people all over the world mistakenly fear flying more than driving. But the very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that its no longer news - car crashes, domestic violence - that we should worry. But that's not the way people think.

Psychologically, this makes sense. We are a species of storytellers. We have good imaginations and we respond more emotionally to stories than to data. We also judge the probability of something by how easy it is to imagine, so stories that are in the news feel more probable - and ominous - than stories that are not. As a result, we overreact to the rare risks we hear stories about, and fear specific plots more than general threats.

The problem with building security around specific targets and tactics is that its only effective if we happen to guess the plot correctly. If we spend billions defending the Underground and terrorists bomb a school instead, we've wasted our money. If we focus on the World Cup and terrorists attack Wimbledon, we've wasted our money.

It's this fetish-like focus on tactics that results in the security follies at airports. We ban guns and knives, and terrorists use box-cutters. We take away box-cutters and corkscrews, so they put explosives in their shoes. We screen shoes, so they use liquids. We take away liquids, and they're going to do something else. Or they'll ignore airplanes entirely and attack a school, church, theatre, stadium, shopping mall, airport terminal outside the security area, or any of the other places where people pack together tightly.

These are stupid games, so let's stop playing. Some high-profile targets deserve special attention and some tactics are worse than others. Airplanes are particularly important targets because they are national symbols and because a small bomb can kill everyone aboard. Seats of government are also symbolic, and therefore attractive, targets. But targets and tactics are interchangeable.

The following three things are true about terrorism. One, the number of potential terrorist targets is infinite. Two, the odds of the terrorists going after any one target is zero. And three, the cost to the terrorist of switching targets is zero.

We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn't require us to guess. We need to focus resources on intelligence and investigation: identifying terrorists, cutting off their funding and stopping them regardless of what their plans are. We need to focus resources on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy.

In 2006, UK police arrested the liquid bombers not through diligent airport security, but through intelligence and investigation. It didn't matter what the bombers' target was. It didn't matter what their tactic was. They would have been arrested regardless. That's smart security. Now we confiscate liquids at airports, just in case another group happens to attack the exact same target in exactly the same way. That's just illogical.

This essay originally appeared in The Guardian. Nothing I haven't already said elsewhere.

Copycat Web Malware Exploitation Kits are Faddish

Wed, 03 Sep 2008 03:18:08 +0000

For the cheap cybercriminals not wanting to invest a couple of thousand dollars into purchasing a cutting edge web malware exploitation kit -- a pirated copy of which they would ironically obtained several moths later -- with all the related and royalty free updates coming with it, there are always the copycat malware kits like this one offered for $100.

Taking into consideration the proprietary nature of some of the kits, the business model of malware kits was mostly relying on their exclusive nature next to the number, and diversity of the exploits included in order to improve the infection rate. This simplistic assumption on behalf of the coders totally ignored the possibility of their kits leaking to the general public, or copies of the kits ending up as a bargain in particular underground deal where the once highly exclusive kit was offered as a bonus.

"Me too" web malware kits were a faddish way to enjoy the popularity of web malware kits like MPack and Icepack and try to cash in on that popularity by coming up average kits lacking any significant differentiation factors in the process. But just like the original and proprietary kits, whose authors didn't envision the long term growth strategy of integrating different services into their propositions or the kits themselves, the authors of copycat malware kits didn't bother considering the lack of long-term growth strategy for their releases. Branding in respect to releasing a Firepack malware kit to compete with Icepack which was originally released to compete with Mpack, has failed to achieve the desired results as well.

And with malware kits now a commodity, and underground vendors excelling in a particular practice with the long term objective to vertically integrate in their area of expertise -- think spammers offering localization of messages into different languages and segmented email databases from a specific country -- would we witness the emergence of managed cybercrime services charging a premium for providing fresh dumps of credit card numbers, PayPal, Ebay accounts or whatever the buyer is requesting?

That may well be the case in the long term.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action