[SecurityRatty] tag: worm

Managed Fast Flux Provider - Part Two

Thu, 02 Oct 2008 08:39:01 +0000

We're slowly entering into a stage where RBN bullet proof hosting franchises are vertically integrating, and due to the requests from their customers are starting to offer that they refer to as "mirrored hosting" which in practice is plain simple fast flux network consisting of RBN-alike purchased netblocks, and naturally, botnet infected hosts.

Managed fast-fluxing is only starting to go mainstream, for instance, in July I found evidence that money mule recruiters were using ASProx's infected hosts as hosting infrastructure, and in November, 2007, an infamous spamming software vendor was also found to have been offering fast-flux services in the past.

In this most recent fast-flux service, we have a known spammer and botnet master that in between self-serving himself on is way to ensure his portfolio of scammy domains remains online for a "little longer", is commercializing fast-fluxing and is offered a DIY service :

"Finally after hardwork and great appreciation from our normal bullet proof hosting/server clients we are able to launch Mirrored hosting. What is Mirrored hosting ?

================
Mirrored hosting is a powerful mirrored web hosting management, uses multiple Virtual servers to host website with 100% uptime. Mirrored hosting is a combination of two things, which are:

1. Specially Designed Virtual Servers
2. Powerful Automated Control Panel

How does it work ?
===============

Mirrored hosting uses specially configured Virtual Servers making them link with the Mirrored hosting Control Panel which is then controlled by our own control panel allowing us to provide smooth streamline hosting with no downtime. No one is able to trace original IP of the server or the place where the files are hosted so the websites/domains hosted have a 100% Uptime. This is achieved by unique customisation of our Virtual Servers.

Actually, it takes ips around the world and our powerful control panel just rotates the ips every 15 minutes. though all these ips you will see will be fake no one can trace the orignal ip where files are hosted. Sometimes the ip is from China, Korea, USA, UK, Japan, Lithuania etc."

The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it would undoubtedly lower down the entry barriers allowing yesterday's average phishers to take advantage of what only the "pros" were used to.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit

Tue, 30 Sep 2008 18:46:47 +0000

Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows [...]

EstDomains & Intercage: A Perfect Couple in Crime

Mon, 15 Sep 2008 17:32:00 +0000

If you track malware issues as readily as I do, you're likely aware of the failings of clownpacks like EstDomains and their hosting buddies Atrivo/Intercage. You need only follow Sunbelt's take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:

Using Eric Hjelmvik's NetworkMiner, we see:

See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg

Malware Infects Space Station Laptop

Mon, 01 Sep 2008 03:33:24 +0000

NASA has confirmed that malware has managed to get aboard the International Space Station and that it's not the first time a worm has been discovered on space station computers.

Computer Worm Infects International Space Station Laptops

Wed, 27 Aug 2008 12:10:19 +0000

NASA has confirmed that a computer worm that steals passwords managed to finds its way into laptops aboard the International Space Station. It is not the first time a NASA computer has become infected. SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals [...]

Virus Infects the Space Station

Wed, 27 Aug 2008 09:27:27 +0000

Laptops aboard the International Space Station have been infected with the W32.Gammima.AG worm. And it's not the first time this sort of thing has happened.

Malware infects space station laptops

Wed, 27 Aug 2008 09:00:00 +0000

Malware has managed to get onto the International Space Station, NASA confirmed today. And it's not the first time that a worm or virus has made it into space.

NASA infected with W32.TGammima.AG

Wed, 27 Aug 2008 08:26:18 +0000

A computer worm that ferrets out passwords managed to stow away on laptops aboard the International Space Station, NASA has confirmed. It is not the first time a NASA computer has become infected.

Malware infects space station laptops

Tue, 26 Aug 2008 20:00:00 +0000

Malware has managed to get off the planet and onto the International Space Station, NASA confirmed today. And it's not the first time that a worm or virus has stowed away on a trip into orbit.

Facebook Worm Still Going Strong

Mon, 25 Aug 2008 05:57:04 +0000

A colleague of mine had a private message sent to them on Facebook yesterday from the account of a friend. The message is related (of course) to the recent Facebook worm:

Click the link, and you'll see something like this:

Click to Enlarge

Yes, it's Ye Olde Fake Codec installer, hosted on what appears to be a hacked website. As always, pay close attention to what you're being sent from your friends. If it doesn't seem like something they'd send you, that's probably because they didn't...