Blog update after 2.5 years!

Wow, I can’t believe it’s been 2.5 years since my last post on this blog. A lot has happened since December 2009! First of all, I took a new job with my same employer as a Senior Security Consultant. The new job had me performing risk assessments and third-party vendor reviews for our Technology and Internet-facing business units.

I assessed many projects for security concerns and worked with the project teams to help them with their security needs and provide guidance on any issues identified. I performed assessments on Online Banking/Brokerage systems, mobile devices, CRM tools, new software upgrades for off-the-shelf software, social media initiatives and numerous custom-built, internal-only applications. A big part of the job was translating technical security issues into risks that senior management and executives would be able to understand and act on.

So, with all these projects on the go, I decided to put the blog to rest, since consulting projects aren’t as sexy as investigating and responding to immediate threats!

After 2 years or so doing consulting it was time for a break to enjoy more of what life has to offer. I am now traveling the world and will be looking for work in the near future in the UK!


The Top 50 Bad Hosts – Another Report by HostExploit

Jart and Scott from HostExploit (http://hostexploit.com/) have put together another paper on bad hosting providers, this time giving an overview of 50 that host a great deal of malicious code. The ranking is based on a mathematical calculation, which is included in the report. To be absolutely clear, these providers are not knowingly acting as hubs of cybercrime like McColo, Real Host, etc. were. These are hosts that would benefit greatly by improving their security posture. The report also highlights the top 10 good hosts, so readers can get a feel for the differences between the two.

View the top 50

Download the report

Here’s a brief look at the top 10 bad hosts:

HE Rank | HE Index | AS Number | Name | Country
1 | 269.9 | AS30407 | VELCOM – Rcp.net | CANADA
2 | 225.7 | AS23522 | IPNAP-ES – GigeNET | UNITED STATES
3 | 179.7 | AS16276 | OVH OVH | FRANCE
4 | 159.5 | AS41665 | HOSTING-AS National Hosting Provider, Hosting.UA | UKRAINE
5 | 158.7 | AS4134 | CHINANET – BACKBONE No.31,Jin-rong Street | CHINA
6 | 151.7 | AS49637 | ZHM-AS PE Zavalnuk Vladislav Mihailovich | KAZAKHSTAN
7 | 147.9 | AS32613 | IWEB-AS – iWeb Technologies Inc. | CANADA
8 | 142.2 | AS10929 | Netelligent Hosting Services Inc | CANADA
9 | 140.3 | AS28753 | NETDIRECT AS NETDIRECT Frankfurt, DE | GERMANY
10 | 135.4 | AS49314 | NEVAL PE Nevedomskiy Alexey Alexeevich | RUSSIAN FEDERATION

Major Stealthy Malware Campaign – 711 Domains Taken Down

Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info, us.bn3.info, etc. The attackers employed code-splitting techniques to make their scripts stealthier, moving the suspicious shellcode out of the primary exploit script and into a secondary script. The attacks were being delivered through advertisements, which also made investigating the source a pain. Strangely, searches on the domains did not yield any information from common sources such as MalwareURL, Malware Domain List, McAfee SiteAdvisor, etc.

To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were brought in to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result: GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

FK0.INFO AC0.INFO KD8.INFO JZ5.INFO
FK6.INFO AE0.INFO KD9.INFO JZ6.INFO
FK7.INFO AE6.INFO CUUB.INFO JZ7.INFO
FK8.INFO AE9.INFO CXXB.INFO JZ8.INFO
FK9.INFO AF0.INFO DRRB.INFO KA0.INFO
FL0.INFO AF5.INFO DTTB.INFO KB0.INFO
FL7.INFO AF8.INFO DYYB.INFO KB8.INFO
FL8.INFO AF9.INFO GJGJ.INFO KC5.INFO
FM0.INFO AG0.INFO RFVT.INFO KC6.INFO
FM9.INFO AG7.INFO TGBY.INFO KC8.INFO
FN3.INFO AG8.INFO UJMI.INFO KD3.INFO
FN4.INFO AG9.INFO YHNU.INFO KD4.INFO
FN5.INFO AH0.INFO DT0.INFO KD7.INFO
FN6.INFO AH5.INFO DV0.INFO HX0.INFO
FN7.INFO AH7.INFO DV6.INFO HY2.INFO
FN8.INFO AI0.INFO DV7.INFO HY3.INFO
FO0.INFO AJ3.INFO DW0.INFO HY6.INFO
FO5.INFO AJ4.INFO DW9.INFO HY7.INFO
FO6.INFO AJ5.INFO DX6.INFO HZ0.INFO
FO7.INFO AJ7.INFO DX7.INFO HZ3.INFO
FP4.INFO AJ9.INFO DX8.INFO HZ4.INFO
FP5.INFO AK0.INFO DY2.INFO HZ5.INFO
FP9.INFO AN0.INFO DY5.INFO HZ7.INFO
FQ0.INFO AO0.INFO DZ4.INFO HZ8.INFO
FQ3.INFO AO3.INFO DZ5.INFO IA0.INFO
FQ4.INFO AO8.INFO EA0.INFO IB0.INFO
FQ6.INFO AP3.INFO EA2.INFO IB4.INFO
FQ7.INFO AP9.INFO EA4.INFO IB5.INFO
FR0.INFO AQ0.INFO EA5.INFO IB6.INFO
FS0.INFO AQ3.INFO EA6.INFO IB7.INFO
FS4.INFO AQ9.INFO EA7.INFO IB8.INFO
FS6.INFO AR0.INFO EA8.INFO IB9.INFO
FS7.INFO AT4.INFO EB0.INFO IC5.INFO
FT0.INFO AU0.INFO EB4.INFO IF4.INFO
FT5.INFO AW0.INFO ED0.INFO IF5.INFO
FT9.INFO AX0.INFO ED3.INFO IF6.INFO
FU0.INFO AX3.INFO EF2.INFO IF7.INFO
FU4.INFO AY0.INFO EH4.INFO IF8.INFO
FU8.INFO AZ5.INFO EH7.INFO IF9.INFO
FV4.INFO AZ6.INFO EI4.INFO IG5.INFO
FV6.INFO AZ7.INFO EI5.INFO IG6.INFO
FV7.INFO AZ8.INFO EI6.INFO IG9.INFO
FV8.INFO AZ9.INFO EI8.INFO IH0.INFO
FV9.INFO BC0.INFO EI9.INFO IH2.INFO
FW0.INFO BC6.INFO EK0.INFO IH3.INFO
FW5.INFO BC8.INFO EK2.INFO IH4.INFO
FW6.INFO BC9.INFO EK4.INFO IH5.INFO
FW8.INFO BD3.INFO EK5.INFO IH6.INFO
FW9.INFO BF0.INFO EK7.INFO IJ2.INFO
FY0.INFO BF4.INFO EL0.INFO IJ4.INFO
FY2.INFO BF6.INFO EL6.INFO IJ5.INFO
FY5.INFO BF8.INFO EM5.INFO IJ6.INFO
FY6.INFO BF9.INFO EM8.INFO IJ7.INFO
FZ0.INFO BG0.INFO EM9.INFO IK3.INFO
FZ3.INFO BH0.INFO EN8.INFO IK4.INFO
FZ4.INFO BH2.INFO EO0.INFO IK5.INFO
FZ5.INFO BI6.INFO EO3.INFO IK6.INFO
FZ7.INFO BI7.INFO EO5.INFO IK7.INFO
FZ8.INFO BJ4.INFO EO6.INFO IK8.INFO
GB0.INFO BK2.INFO EO7.INFO IK9.INFO
GC0.INFO BL0.INFO EO8.INFO IL0.INFO
GC6.INFO BL8.INFO EO9.INFO IL7.INFO
GC7.INFO BL9.INFO EP6.INFO IL8.INFO
GC8.INFO BM3.INFO EP7.INFO IO2.INFO
GC9.INFO BM5.INFO EP8.INFO IO3.INFO
GD0.INFO BM8.INFO EQ4.INFO IO5.INFO
GD4.INFO BN0.INFO EQ7.INFO IO6.INFO
GD5.INFO BN3.INFO ER9.INFO IQ9.INFO
GD6.INFO BN5.INFO ES7.INFO IR0.INFO
GD7.INFO BN7.INFO ES8.INFO IR6.INFO
GD8.INFO BN8.INFO ES9.INFO IR7.INFO
GF3.INFO BP0.INFO EU0.INFO IR9.INFO
GH4.INFO BP5.INFO EV9.INFO IU0.INFO
GH5.INFO BP6.INFO EW0.INFO IU2.INFO
GH6.INFO BP7.INFO EW4.INFO IV2.INFO
GH7.INFO BP8.INFO EY0.INFO IV4.INFO
GI0.INFO BQ0.INFO EZ0.INFO IV5.INFO
GI3.INFO BQ2.INFO EZ9.INFO IV6.INFO
GI6.INFO BQ3.INFO FA0.INFO IW0.INFO
GI8.INFO BQ4.INFO FC0.INFO IW2.INFO
GJ0.INFO BQ5.INFO FC5.INFO IW4.INFO
GJ7.INFO BQ6.INFO FC7.INFO IW5.INFO
GJ8.INFO BQ7.INFO FC9.INFO IW6.INFO
GJ9.INFO BQ8.INFO FD0.INFO IX4.INFO
GK0.INFO BQ9.INFO FD5.INFO IX5.INFO
GK3.INFO BR5.INFO FD8.INFO IX6.INFO
GK5.INFO BR6.INFO FD9.INFO IX7.INFO
GK6.INFO BR7.INFO FE0.INFO IY0.INFO
GK8.INFO BR9.INFO FE4.INFO IY2.INFO
GL3.INFO BS3.INFO FE7.INFO IY3.INFO
GL4.INFO BS5.INFO FG0.INFO IY4.INFO
GL9.INFO BT0.INFO FG3.INFO IY6.INFO
GM8.INFO BU0.INFO FG5.INFO IY8.INFO
GM9.INFO BU9.INFO FG8.INFO IY9.INFO
GN0.INFO BV0.INFO FH0.INFO IZ0.INFO
GN5.INFO BV2.INFO FH4.INFO IZ2.INFO
GN6.INFO BV5.INFO FH5.INFO IZ3.INFO
GN7.INFO BV7.INFO FH6.INFO IZ7.INFO
GN9.INFO BV8.INFO FH7.INFO IZ8.INFO
GP8.INFO BV9.INFO FH8.INFO IZ9.INFO
BX2.INFO WGREATDREAM.COM FH9.INFO JA0.INFO
BX7.INFO GP0.INFO FI4.INFO JB0.INFO
BX9.INFO GQ0.INFO FJ0.INFO JC2.INFO
BY5.INFO GQ2.INFO FJ2.INFO JC5.INFO
BZ9.INFO GQ3.INFO FJ3.INFO JC6.INFO
CB0.INFO GQ4.INFO FJ4.INFO JD2.INFO
CB6.INFO GQ5.INFO FJ5.INFO JD3.INFO
CE3.INFO GQ9.INFO FJ6.INFO JD4.INFO
CE7.INFO GR6.INFO FJ7.INFO KE2.INFO
CF0.INFO GR9.INFO FJ8.INFO KF3.INFO
CF3.INFO GS0.INFO FJ9.INFO KF4.INFO
CF4.INFO GS3.INFO FK2.INFO KF5.INFO
CF5.INFO GS6.INFO JD0.INFO KF7.INFO
CF6.INFO GS9.INFO JD6.INFO
CF7.INFO GU0.INFO JD7.INFO
CG3.INFO GU4.INFO JD9.INFO
CI0.INFO GV0.INFO JE2.INFO
CJ0.INFO GV2.INFO JE4.INFO
CJ3.INFO GV3.INFO JF0.INFO
CJ8.INFO GV4.INFO JF2.INFO
CL0.INFO GV5.INFO JF3.INFO
CL5.INFO GV9.INFO JG0.INFO
CL9.INFO GW0.INFO JG2.INFO
CM9.INFO GX0.INFO JG3.INFO
CO0.INFO GX2.INFO JG7.INFO
CP0.INFO GX4.INFO JG8.INFO
CP5.INFO GX5.INFO JG9.INFO
CP7.INFO GX6.INFO JH0.INFO
CQ0.INFO GY0.INFO JH4.INFO
CQ5.INFO GY2.INFO JH5.INFO
CQ7.INFO GY4.INFO JH7.INFO
CQ8.INFO GY5.INFO JI0.INFO
CQ9.INFO GY6.INFO JI1.INFO
CS0.INFO GY7.INFO JI2.INFO
CS7.INFO GY9.INFO JI7.INFO
CT0.INFO HB7.INFO JI9.INFO
CT6.INFO HB8.INFO JK7.INFO
CT8.INFO HC0.INFO JK8.INFO
CU3.INFO HC4.INFO JL2.INFO
CU4.INFO HC8.INFO JL3.INFO
CU5.INFO HD0.INFO JL4.INFO
CV0.INFO HE4.INFO JL5.INFO
CV8.INFO HE5.INFO JL7.INFO
CV9.INFO HE7.INFO JL9.INFO
CW0.INFO HF0.INFO JM0.INFO
CW4.INFO HF6.INFO JM3.INFO
CW5.INFO HF7.INFO JM6.INFO
CW8.INFO HF8.INFO JM7.INFO
CW9.INFO HF9.INFO JN2.INFO
CX0.INFO HG3.INFO JN7.INFO
CX5.INFO HG4.INFO JN8.INFO
CX6.INFO HG5.INFO JN9.INFO
CY2.INFO HG6.INFO JO0.INFO
CY3.INFO HG8.INFO JQ1.INFO
CY6.INFO HG9.INFO JQ2.INFO
CY7.INFO HJ2.INFO JQ3.INFO
CZ0.INFO HJ3.INFO JQ4.INFO
CZ7.INFO HJ5.INFO JQ5.INFO
CZ9.INFO HJ6.INFO JQ6.INFO
DA3.INFO HJ7.INFO JQ7.INFO
DA6.INFO HJ8.INFO JQ8.INFO
DA7.INFO HJ9.INFO JR0.INFO
DB5.INFO HK0.INFO JS3.INFO
DB6.INFO HK3.INFO JS4.INFO
DE4.INFO HK4.INFO JS5.INFO
DE5.INFO HL0.INFO JS8.INFO
DE6.INFO HL6.INFO JS9.INFO
DE8.INFO HL9.INFO JT0.INFO
DF5.INFO HM4.INFO JT3.INFO
DF6.INFO HN0.INFO JT4.INFO
DG0.INFO HN3.INFO JT5.INFO
DH3.INFO HN4.INFO JT9.INFO
DH9.INFO HN5.INFO JU0.INFO
DI0.INFO HN6.INFO JU2.INFO
DI3.INFO HN9.INFO JV0.INFO
DI4.INFO HO0.INFO JV3.INFO
DI8.INFO HP0.INFO JV4.INFO
DJ3.INFO HR6.INFO JV5.INFO
DJ7.INFO HS0.INFO JV6.INFO
DK0.INFO HS7.INFO JV8.INFO
DK5.INFO HS8.INFO JW4.INFO
DK7.INFO HS9.INFO JW7.INFO
DK8.INFO HT6.INFO JW8.INFO
DL0.INFO HU0.INFO JW9.INFO
DM0.INFO HU3.INFO JX1.INFO
DM4.INFO HU4.INFO JX2.INFO
DP0.INFO HU6.INFO JX3.INFO
DP3.INFO HU7.INFO JX5.INFO
DP6.INFO HV0.INFO JX8.INFO
DP7.INFO HW4.INFO JY0.INFO
DQ0.INFO HW6.INFO JY2.INFO
DQ2.INFO HW7.INFO JY4.INFO
DR0.INFO HW8.INFO JY5.INFO
DS7.INFO HX3.INFO JY6.INFO
DT3.INFO HX5.INFO JY7.INFO
DT5.INFO HX6.INFO JY9.INFO
DT6.INFO HX7.INFO JZ2.INFO
DT7.INFO HX9.INFO JZ3.INFO
DT8.INFO KD0.INFO JZ4.INFO
DT9.INFO
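The take-down list above is only useful to a defender if it is matched against traffic. The following Python script is an added example, not code from the original post: it checks the host of each proxied URL against a small subset of the listed names and, separately, against the naming scheme most of them share (two letters plus a digit under .info, often behind a two-letter label such as us.). The log format, the KNOWN_BAD subset and the sample lines other than the ie.html URL from the post are constructed for the example.

```python
import re
from collections import namedtuple

# A few of the 711 take-down names from the post, lower-cased (constructed subset,
# not the full list).
KNOWN_BAD = {"bf9.info", "bp0.info", "bn3.info", "hn0.info", "cuub.info", "gjgj.info"}

# Naming scheme shared by most of the list: two letters + one digit under .info,
# usually reached through a two-letter label such as "us." (us.bf9.info).
FAMILY_RE = re.compile(r"^(?:[a-z]{2}\.)?[a-z]{2}[0-9]\.info$")

Hit = namedtuple("Hit", "host reason line")


def registrable(host):
    """Last two labels of a host name; enough for .info, where there is no
    second-level public suffix to worry about."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """'blocklist' for an exact hit on the take-down list, 'pattern' for a
    look-alike that only matches the naming scheme, None otherwise."""
    h = host.lower().rstrip(".")
    if registrable(h) in KNOWN_BAD:
        return "blocklist"
    if FAMILY_RE.match(h):
        return "pattern"
    return None


# Constructed proxy-log format for the example (not any real proxy's format):
# "<epoch> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def scan(lines):
    """Return one Hit per log line whose URL host is listed or look-alike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hm = HOST_RE.match(m.group(4))
        if not hm:
            continue
        reason = classify(hm.group(1))
        if reason:
            hits.append(Hit(hm.group(1).lower(), reason, line))
    return hits


# Constructed sample traffic; only the first URL comes from the post.
SAMPLE_LOG = [
    "1259947372 10.0.0.5 GET http://us.hn0.info/f/1/ie.html 200",
    "1259947380 10.0.0.5 GET http://www.bf9.info/f/1/ff.html 200",   # listed apex, other label
    "1259947385 10.0.0.6 GET http://zq4.info/f/1/cosplay.swf 200",   # not listed, same scheme
    "1259947390 10.0.0.7 GET http://www.example.com/index.html 200",
    "1259947395 10.0.0.9 GET http://cuub.info/x.swf 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.reason:9} {h.host:22} {h.line}")
```

Matching on the registrable name rather than the full host catches the same apex behind a different label (www.bf9.info as well as us.bf9.info). The pattern rule is deliberately reported as "pattern" rather than "blocklist": legitimate short .info names fit the same regex, so a pattern hit is a lead for review, not a reason to block on its own.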

Introducing MalFI – Another Report From HostExploit

I’m a few days late in posting this, but the HostExploit team has produced another report, this time on an attack dubbed “MalFI”, for malicious file inclusion. This encompasses remote file inclusion (RFI), local file inclusion (LFI) and cross server attack (XSA). The report had been in the works for quite some time, and while I was not a main author this time, Jart Armin and Scott Logan worked with me to interpret and use the honeypot data I’ve been collecting over the last several months.

Rather than rehash the purpose for the report, here’s an excerpt from the abstract:

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites & Internet servers. One major purpose is to establish “use once and throw away” disposable botnets for spam, phishing, DDoS and exploits.

Full Report (public version) download PDF – hostexploit Download page = http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack utilized by hackers and cyber criminals to compromise websites and servers. This is a combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and servers worldwide. hostexploit and associated researchers have tracked 103,351 attacks, involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs involved.

Check out the report for our research and findings. A more detailed version will also be made available to key members of the security and law enforcement communities.
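The report counts RFI and LFI attempts by source address. As an added example, not code from the report or from the honeypot mentioned above, here is a small Python detector for the two inclusion patterns the post names, run over constructed Apache combined-format access-log lines. The OWN_HOSTS allowlist, the sample lines and all addresses in them are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts this site legitimately passes in URL parameters (constructed allowlist);
# without it every redirect-style parameter would be reported as RFI.
OWN_HOSTS = {"www.example.com"}

# Apache combined-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)          # value is itself a URL
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                       # ../ or ..\ after decoding
LOCAL_RE = re.compile(r"(?:/etc/passwd|/proc/self/environ|php://|data:)", re.I)


def classify_value(value):
    """Return 'RFI', 'LFI' or None for one query-parameter value."""
    # parse_qsl decoded the value once; a second pass exposes %252e-style double encoding.
    v = unquote(value)
    if REMOTE_RE.match(v):
        host = (urlsplit(v).hostname or "").lower()
        return None if host in OWN_HOSTS else "RFI"
    if "\x00" in v or TRAVERSAL_RE.search(v) or LOCAL_RE.search(v):
        return "LFI"
    return None


def scan(lines):
    """Parse access-log lines; return one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "kind": kind, "value": value})
    return findings


def by_source(findings):
    """Attempts per source IP, the unit the report tallies (unique addresses)."""
    return Counter(f["ip"] for f in findings)


# Constructed log lines (documentation-range addresses, not real honeypot data).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2009:14:02:11 +0000] "GET /index.php?page=http://198.51.100.9/id.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [10/Nov/2009:14:02:12 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [10/Nov/2009:14:03:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2009:14:03:05 +0000] "GET /redirect?url=https://www.example.com/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Nov/2009:14:05:40 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']} from {f['ip']} param={f['param']} value={f['value']!r}")
    print(dict(by_source(found)))
```

Two details matter in practice: the second decoding pass, since a single decode leaves the double-encoded traversal in the last line looking harmless, and the allowlist check on the RFI branch, since the legitimate redirect to www.example.com would otherwise be counted as an attack. A 200 status on a flagged request is worth a closer look than a 404, so keeping the status field in the regex is intentional even though this example does not act on it.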

Recruiting Chinese Attackers

With all the talk about Chinese malware authors and groups of attackers supposedly sponsored by governments, I thought I would publish a find of mine from back in 2007. Excellent research has been done on this topic, one of the most interesting events being the discovery of GhostNet.

The following message was discovered in an HTML comment inside a hostile script. I found the page hosting the script in May 2007 by searching Google for a string from an ANI exploit.

天高云淡,正宜一马奔腾,青春年少,我自纵横驰骋,这是一个只承认强者的时代,然而学习正是赋予了我们作强者的资本,物竟天择,适者生存,只有不断的学习我们才不会被社所会淘汰,我们才会逐渐变强,珍惜你生命中的每一分钟无学习,你会发现平凡的你一样很优秀,当你在风烛残年的那一刻时,面对你的朋友,爱人,儿子,不会因碌碌无为而羞耻,不会因年华虚度而悔恨,你会发现当你,把你的你的青春变的更加劲直和充满活力的时候,曾经无奈与迷茫的你,现在是那样的精彩与辉煌黑域战盟一个,和平,博爱,互助,不会有任何的技术歧视的技术团体,诚心邀请您的加盟楚蓝枫QQ4998XXXXX

This translates to:

It is a clear day, suitable for horse gallops. The youth is young; he can advance freely and quickly.

This is the era which appreciates only the strong, the survival of the fittest; yet study is the capital which empowers us to become strong. Only through continuous learning will we not be eliminated; we will become stronger and stronger. Cherish every minute of life with learning, and you will find yourself as extraordinary as others. When you become old, in the face of your friends, wife, son, you will not feel shame and regret, because you did not waste time when you were young; you will find yourself so wonderful when you contributed your vibrant youth to something meaningful, and changed yourself from the once helpless and confused you into someone brilliant. QQ4998XXXXX

Interesting message they were trying to get across isn’t it? :)

SPAM Briefly Drops 38% Due To Real Host Shutdown

MessageLabs wrote a nice report summarizing key events from August, and it turns out our work was more widely felt than believed. Apparently part of Cutwail’s C&C infrastructure resided inside Real Host’s network. When they got cut off, SPAM levels dropped, but only briefly, since there were more C&Cs elsewhere to pick up the slack.

Here’s an excerpt from the report; too bad they didn’t credit our work :)

“Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt, as can be seen in Figure 1, where spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.”