Archive for December, 2007

From Fast-Flux to RockPhish – Part 2

Last Friday, I started some analysis on fast-flux techniques and stopped at single-flux, so today I will improve on the camouflage!! In double-flux, not only the fake site’s IP addresses vary but also the IP addresses of the name servers that resolve them in the DNS architecture.

Here, the criminal has a genuine control and monitoring workstation. The zombie machines are no longer just relays for HTTP traffic; they also impersonate the domain name servers and hand out the various IP addresses for the connection which – as before – are valid only for a moment.

When the victim tries to reach the site he would like to visit, a request is sent to the name server with authority over the zone. Just like with single-flux, the short lifespan of the address leads the name server request into the criminal network. Used first at this level, the fast-flux technique causes the request to be redirected to a first zombie machine inside the botnet (fast-flux on name servers – IP_A to IP_E). This machine fetches the response from the C&C workstation and forwards it to the requestor, using the same method a second time (fast-flux on web site – IP_1 to IP_9).

In return, the IP address of another zombie machine is sent to the victim. This second bot relays the traffic, preserving the criminal’s anonymity.

As the blurred image below suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

On the web site side, the TTLs are reduced to 10 minutes (600 seconds), and the site’s IP addresses are very varied (fast-flux on web site). It’s the same for the domain name servers, which changed within a short period of time (fast-flux on name servers).
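The two indicators just described (short TTLs with a changing pool of web-site addresses, plus name servers whose own addresses change between lookups) can be scored automatically once the answer sections of successive dig runs are parsed. The script below is an added example, not part of the original post: the records are constructed sample data using documentation address ranges, and the 600-second threshold and the minimum of five distinct addresses are assumptions chosen for the illustration.

```python
"""Heuristic double-flux detector over successive DNS snapshots.

Added example (not from the original post). Each snapshot is what one
`dig` run would return a few minutes after the previous one, already
parsed: "a" holds (ip, ttl) pairs for the web site, "ns" maps each name
server hostname to its own (ip, ttl). All values are constructed.
"""
from collections import defaultdict

SNAPSHOTS = [
    {
        "a": [("203.0.113.10", 600), ("198.51.100.7", 600), ("192.0.2.44", 600)],
        "ns": {"ns1.example.test": ("203.0.113.201", 600),
               "ns2.example.test": ("198.51.100.88", 600)},
    },
    {
        "a": [("192.0.2.91", 600), ("203.0.113.77", 600), ("198.51.100.5", 600)],
        "ns": {"ns1.example.test": ("192.0.2.150", 600),
               "ns2.example.test": ("203.0.113.9", 600)},
    },
]

# Thresholds are assumptions for this example (the post observed 600 s TTLs).
SHORT_TTL = 600
MIN_DISTINCT_IPS = 5


def flux_indicators(snapshots):
    """Compute the fast-flux indicators across all snapshots."""
    site_ips = set()
    site_ttls = []
    ns_ips = defaultdict(set)
    ns_ttls = []
    for snap in snapshots:
        for ip, ttl in snap["a"]:
            site_ips.add(ip)
            site_ttls.append(ttl)
        for host, (ip, ttl) in snap["ns"].items():
            ns_ips[host].add(ip)
            ns_ttls.append(ttl)
    # A name server is "fluxing" when its own address changed between runs.
    fluxing_ns = sorted(h for h, ips in ns_ips.items() if len(ips) > 1)
    return {
        "distinct_site_ips": len(site_ips),
        "max_site_ttl": max(site_ttls),
        "fluxing_name_servers": fluxing_ns,
        "max_ns_ttl": max(ns_ttls),
    }


def classify(snapshots):
    """Return 'double-flux', 'single-flux' or 'none' from the indicators."""
    ind = flux_indicators(snapshots)
    site_flux = (ind["max_site_ttl"] <= SHORT_TTL
                 and ind["distinct_site_ips"] >= MIN_DISTINCT_IPS)
    ns_flux = bool(ind["fluxing_name_servers"]) and ind["max_ns_ttl"] <= SHORT_TTL
    if site_flux and ns_flux:
        return "double-flux"
    if site_flux:
        return "single-flux"
    return "none"


if __name__ == "__main__":
    print(flux_indicators(SNAPSHOTS))
    print(classify(SNAPSHOTS))
```

In practice you would feed it more than two snapshots and also record the autonomous systems of the returned addresses; a legitimate CDN rotates addresses inside a few networks, whereas a botnet's pool is scattered across many consumer ISPs.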

Combining the three previous methods gives a major headache :-) but the result is the scheme used in the mysterious RockPhish structures. The ingredients are:

  • lots of domain names,
  • a fast-flux botnet network in double-flux mode,
  • specialized software that is responsible for sending out phishing e-mails, where each recipient is assigned an index. This index is used as a parameter in the URL, and again within the mirror site for as long as the victim stays connected.

I won’t bore you with the final synoptic of the network traffic. Simply seeing the following URLs, collected from phishing e-mails, gives you an idea of the complexity of the attack.

The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let’s not forget that this is primarily a network of compromised machines (a botnet). The index is there to ensure proper redirection according to victims, banks, machines to be activated, and the group of fraudsters profiting from the attack.
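Because the host name changes from mail to mail while the path and the per-recipient index follow one pattern, an analyst can expose a RockPhish-style campaign by normalising each URL to a template (path plus query keys, with the numeric index replaced by a placeholder) and grouping by that template. The following script is an added example and not from the original post; the URLs are constructed placeholders, and the assumption that an index is a run of four or more digits is mine.

```python
"""Cluster phishing URLs by template to expose one campaign behind many hosts.

Added example, not from the original post. The sample URLs are constructed
(placeholder domains, invented index values). Normalising away the hostname
and the index makes the shared structure visible.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

URLS = [
    "http://secure-login.example.test/bank1/index.php?id=10234",
    "http://update-account.example.net/bank1/index.php?id=10235",
    "http://verify.example.org/bank1/index.php?id=10236",
    "http://login.example.test/bank2/index.php?id=88821",
    "http://www.example.test/blog/post.php?p=42",
]

# Assumption for this example: a recipient index is a long run of digits.
INDEX_RE = re.compile(r"^\d{4,}$")


def template(url):
    """Reduce a URL to its path plus query keys, masking index values."""
    parts = urlsplit(url)
    keys = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        keys.append(f"{k}=<index>" if INDEX_RE.match(v) else f"{k}={v}")
    return parts.path + ("?" + "&".join(keys) if keys else "")


def cluster(urls):
    """Group URLs by template: {template: {"hosts": [...], "indexes": [...]}}."""
    groups = defaultdict(lambda: {"hosts": set(), "indexes": set()})
    for url in urls:
        t = template(url)
        parts = urlsplit(url)
        groups[t]["hosts"].add(parts.hostname)
        for _, v in parse_qsl(parts.query):
            if INDEX_RE.match(v):
                groups[t]["indexes"].add(v)
    return {t: {"hosts": sorted(g["hosts"]), "indexes": sorted(g["indexes"])}
            for t, g in groups.items()}


def campaigns(urls, min_hosts=2):
    """Templates served from at least `min_hosts` distinct hostnames."""
    return {t: g for t, g in cluster(urls).items() if len(g["hosts"]) >= min_hosts}


if __name__ == "__main__":
    for t, g in campaigns(URLS).items():
        print(t, "hosts:", g["hosts"], "indexes:", g["indexes"])
```

The host list of a cluster is what you would hand to the registrars and the name-server operators, since blocking one domain at a time is exactly what the structure is designed to survive.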

I hope this dissection interested you. It demonstrates that attacks are more and more sophisticated. To be sure, groups like the ones using RockPhish with so much energy to improve their network resilience and stealth are doing so because it is very profitable for them.

Post and Packing scams

Tis the season to be shopping, tra la la la la but don’t get had.

I’ve stumbled upon a scam where search engine product listings are being (ab)used for the classic “#1 auction site” plus-postage scam. Most auction sites have some jokers with good-value items and ridiculous postage or compulsory insurance to even the score. Credit where it is due, the big boys are clamping down on unfair charges, but it’s still pretty common for listings to include excessive additional charges: £13 to post a memory stick locally (almost twice the price of the item itself), or £38 to post a Wii.

The scam works like this:

You search for a gadget on your favorite search engine’s products section and, as normal, you’ll see those highly relevant and usually high-commission links on the first page. Like most people, if you wanted to pay high-street prices you’d have gone to the high street, so the first click is to sort by price. Scrolling past the pages of adapters and cases (if you wanted a case or adapter you’d have searched for it, after all) you’ll eventually find the holy grail: the page containing the lowest-priced actual product you searched for.

[Screenshot: Google product search results]

It is not uncommon to find many web-based storefronts for the same white-label box-shipper, so new stores with juicy offers crop up every day. Since you’re an astute shopper, you’d investigate the first couple of links, knowing that you’re about to save about 20% or so.

When visiting the site indicated, we see that the price is invitingly lower still than the one displayed by the search engine. Bargain!

[Screenshot: the low-price site. This site is flagged by SiteAdvisor due to misleading offers.]

…along with the somewhat unusual text “Subject to change”. Anyway, £4.20 is £4.20, so we decide to click to buy now.

[Screenshot: the sting on the PayPal page]

£300 is the total, right up there in the top right of the PayPal page. If your PayPal credentials were stored in your browser, that login button would be your destination. If you happened to be logged in to PayPal, the blanks in the form would have been filled in too. If you were in a rush (and who isn’t at this time of year) I’m sure that would have been easily missed.

“Subject to change” hardly covers this one. Just to pour salt on the wound, the actual Post and Packing sting comes on the last page, and after you’ve logged in.

[Screenshot: the Post and Packing sting on the last page]

£1200! Caveat Emptor, people… “Let The Buyer Beware”.
- Merry Christmas one and all.

Pharmacy spammer abusing small websites

I’m currently monitoring a high-volume pharmacy spam campaign where the spammers have dropped a file onto many small, legitimate websites under country-code TLDs. So far I’ve seen 150+ domains from all over the world being abused.

http://[legitimate domain].co.il/redir.html
http://[legitimate domain].de/redir.html
http://[legitimate domain].si/redir.html
http://[legitimate domain].es/redir.html
http://[legitimate domain].com.tw/redir.html

The file is called redir.html and simply redirects your browser to the spammer’s website.
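A site owner can hunt for this kind of dropped file without knowing its name in advance: the tell-tale is a tiny HTML page whose only job is to send the browser to another host. The scanner below is an added example, not from the original post; the sample web root, its file names and the pharmacy hostname are all constructed, and the 4 KB size limit and the two redirect patterns (meta refresh and a JavaScript location assignment) are assumptions that cover the common stub shapes.

```python
"""Find unexpected off-site redirect pages (like redir.html) in a web root.

Added example, not from the original post. It walks a directory and flags
small HTML files that redirect to a host other than the site's own, via a
meta refresh or a window/document.location assignment. The sample files are
constructed in a temporary directory.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'\s>]+)',
    re.I)
JS_REDIRECT = re.compile(
    r'(?:window|document|self|top)\.location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)
MAX_SIZE = 4096  # assumption: redirect stubs are tiny


def redirect_target(html):
    """Return the redirect destination found in an HTML page, or None."""
    m = META_REFRESH.search(html) or JS_REDIRECT.search(html)
    return m.group(1) if m else None


def is_external(target, own_hosts):
    """True when the target names a host that is not one of ours."""
    host = urlsplit(target).hostname
    return host is not None and host.lower() not in own_hosts


def find_redirect_pages(root, own_hosts):
    """Return sorted (relative path, target) for small HTML files redirecting off-site."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_SIZE:
                continue
            with open(path, encoding="utf-8", errors="replace") as f:
                target = redirect_target(f.read())
            if target and is_external(target, own_hosts):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, target))
    return sorted(hits)


def build_sample_root():
    """Create a constructed web root: one normal page, one internal redirect,
    one dropped redir.html and one JavaScript redirect in a subfolder."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    pages = {
        "index.html": "<html><body><h1>Welcome to our shop</h1></body></html>",
        "internal.html": '<meta http-equiv="refresh" content="0; url=/home.html">',
        "redir.html": '<html><head><meta http-equiv="refresh" '
                      'content="0;url=http://pharmacy.example.test/"></head></html>',
        "sub/go.html": '<script>window.location.href="http://pharmacy.example.test/x";</script>',
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rel, target in find_redirect_pages(root, {"www.example.test"}):
        print(f"{rel} -> {target}")
```

Run it against the real document root with your own hostnames in `own_hosts`; anything it reports that you did not put there is worth comparing against the FTP and web-server logs for the upload that created it.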

[Screenshot: contents of redir.html]

Clicking on the link brings you to a Canadian Pharmacy website:

[Screenshot: the Canadian Pharmacy spam website]

The majority are small business websites, personal websites and blogs. These are probably the least secure, making it easier for the spammer to get the redirect file onto the site. Country-code TLD domains are likely to have a higher percentage of small local websites, making it easier for the spammer to find ones that are not properly secured.

This is by no means a new technique but something I’d associate more with phishing. As a colleague just said, “the spammers are following the phishers for a change”. It highlights the need for properly secured websites no matter how big or small.

More Malware-Laced Codecs

A few weeks ago, while catching up on Internet pop-culture videos, I stumbled upon a few 2girls1cup reaction videos on Ebaumsworld. Having watched the reaction videos, I was naturally curious what the actual 2girls1cup video was about. A quick Google search revealed 740,000 results for “2girls1cup” – it seems everyone has already watched it except me.

I quickly found the video and, like everyone else in the reaction videos, my eyes were glued to the screen. After watching some more reaction videos, I came across a blog comment that promises 2girls1finger is even better – and it links us to the site (http://us-private-[BLOCKED].blogspot.com). Awesome! Let’s check it out…

Here’s a screenshot of the linked site:

http://vil.nai.com/images/AvertBlog-PowerMpeg1.gif

The site wants me to download this “codec”:

http://vil.nai.com/images/AvertBlog-PowerMpeg2.gif

Looking at the download dialog, the .exe seems to be from http://powerm[BLOCKED].com. (Sounds legit, I guess.) I went ahead and downloaded the codec. (Note: Don’t try this at home, folks; I’m a professional. You should never download content from untrusted sources.)

After downloading the “codec,” I clicked the Continue button on the video screen. This action just popped up the download tab again. I don’t understand why – I had already downloaded it. Next, I clicked the Cancel button; that action threw me into a loop between the following two pop-ups (how’s that for annoying?):

http://vil.nai.com/images/AvertBlog-PowerMpeg3.gif

http://vil.nai.com/images/AvertBlog-PowerMpeg4.gif

It turns out this codec wasn’t so much a codec as a Trojan. Here’s a write-up from McAfee.

Don’t forget that downloading content from untrusted sources often means downloading malware. Keep this in mind while searching for the next bizarre fetish clip or its reaction videos. Here’s a similar blog entry posted last year. Same attack vector, just a different video.

games-pro spam, Yahoo and Google “Feeling Lucky”

Spammers have been abusing free hosting for a long time. Yahoo’s Geocities was pretty heavily targeted in its day, and more recently Google’s Googlepages and blogspot are the abused services of choice. The general idea is that spammers can get 1–20+ thousand accounts a day with unique URLs and point them at a handful of spammed domains that they had to pay for.[1] It’s improbable that any external party can compile a complete list of the abused accounts, report them to the host, and have the host engage somebody clueful 24/7 to take down the sites quickly enough to make the spammer’s campaign ineffective.[2]

I know, I’ve tried!

Those of you who read this blog a year and a quarter ago will remember that the metric truckload of accounts is often provided as a paid service to spammers if they are not able to perform the required tasks in house.

- Spammers have also been abusing the free blog services for a long time. (and setting up their own fakes)

- Spammers have also been abusing the free tiny url services for a long time. (and setting up their own fakes)

There is a common theme here! Free services that allow or facilitate blind redirection. It’s all about getting emails through and links in front of victims, and as a rule of thumb, the more popular the service you abuse, the less likely it is to be blocked by the blacklists. SURBL has an open letter to redirection services, if you want some more education on the subject from the blacklist perspective. [3]

It’s no surprise that the next popular service to be abused is the search engines. To be clear, I’m not talking about Spamdexing (manipulating text for high search index rankings) or SEO dirty tricks, but (ab)using a search provider as a redirector by using the more advanced search options combined with “Feeling lucky” features that take you to the top search result.

I’ll dissect this morning’s sample for you, noting one additional point:
- Spammers have also been abusing the free webmail services for a long time.

A quantity of Yahoo webmail spam kindly deposited itself in one of our many millions of spamtraps, DKIM signed, SPF passed, etc. Inside it was a “feeling lucky” link c/o rival search giant Google.

Abused Search Host: http://www.google.com/
Search Function: search?q=
Search Feature Text in the URL: inurl:games-pro
Search Feature Text in the page: intext: won1 million megabet from casino online [4]
Search Invisible Redirect Feature: btnI=Lucky

If you put this lot back together you’ll get an invisible redirect (302) to casino-games-pro that’ll try to auto-install the CasOnline PUP. Charming.
I’d like to point out here that if you try to send a spammy link out via Yahoo webmail they CAPTCHA-test the sender (but they also did that when the accounts were set up, right?). The trick here is that there is nothing spammy about a search link. I have no doubt that /btnI=Lucky/ will be hitting the filters at Yahoo’s webmail HQ very shortly, if it hasn’t already.
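A mail filter does not need to know the destination to catch this: the combination of a search host, the btnI parameter quoted above, and a query built from pinning operators such as inurl: and intext: is itself the signature. The script below is an added example, not from the original post; the list of search hosts and the set of operators are assumptions, and the sample message body is constructed (it reuses the operator string the post quotes).

```python
"""Flag search-engine 'Feeling Lucky' links used as invisible redirectors.

Added example, not from the original post. It extracts URLs from a message
and reports Google /search links carrying btnI together with the operators
that pin the top result. The message body below is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

SEARCH_HOSTS = {"www.google.com", "google.com"}     # assumption: extend as needed
PIN_OPERATORS = ("inurl:", "intext:", "site:", "intitle:")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_MESSAGE = """Hi, you won! Claim here:
http://www.google.com/search?q=inurl:games-pro+intext:won1+million+megabet+from+casino+online&btnI=Lucky
Unsubscribe: http://www.example.test/unsubscribe?id=7
"""


def analyse_link(url):
    """Describe a search-redirect link, or return None when the link is benign."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in SEARCH_HOSTS or parts.path != "/search":
        return None
    qs = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if "btni" not in qs:          # the 'I'm Feeling Lucky' button parameter
        return None
    query = " ".join(qs.get("q", []))
    ops = [op for op in PIN_OPERATORS if op in query]
    # inurl: tells the engine which site must come top; that token is the
    # spammer's real destination and the thing worth blocklisting.
    pinned = [tok.split(":", 1)[1] for tok in query.split() if tok.startswith("inurl:")]
    return {"query": query, "operators": ops, "pinned_sites": pinned}


def find_redirect_links(text):
    """Return [(url, analysis)] for every Feeling-Lucky redirect in the text."""
    hits = []
    for url in URL_RE.findall(text):
        info = analyse_link(url)
        if info:
            hits.append((url, info))
    return hits


if __name__ == "__main__":
    for url, info in find_redirect_links(SAMPLE_MESSAGE):
        print(url)
        print("  pins:", info["pinned_sites"], "operators:", info["operators"])
```

Scoring on `btnI` alone would be crude; requiring a pinning operator as well keeps ordinary shared search links out of the spam folder, and the `pinned_sites` value is what feeds a URIBL lookup.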

The “Feeling Lucky” spam technique is not particularly new, but this webmail twist does show the relentless diversity of spammers’ abuse of free services provided by the big players, alongside their abuse of the smaller fish that Kevin blogged about the other day. As he pointed out, the spammers are using the phishers’ techniques; how long before we see “btnI=Lucky” in phish?

All of these methods are popular because it’s not really possible for RBLs or URIBLs to block them without collateral damage to innocent sites, making it more likely that spammers’ links will get through to the inbox. Though when the abuse is more than background noise, things do happen.[5]

[1] Let’s assume for ease that they actually do pay; in reality it’s stolen cards and credentials sampled from some carder IRC channel.
[2] Testing a random Googlepages link spam from last month shows that everything is still working.
[3] For the record, many shorter-link services took notice rapidly!
[4] Yes, I linked “won1 million megabet from casino online” – so what? I really do hope this blog helps.
[5] Take a look at SBL60999.

Worm Propagation Via Floppies, Revisited

Avert Labs recently discovered a worm subsequently named W32/Heiku (http://vil.nai.com/vil/content/v_143663.htm). Written in Visual Basic, the worm behaves much like any other piece of malware:

  • It creates numerous copies of itself in the file system and creates registry entries to ensure those copies run at startup.
  • It has a destructive payload – deleting files/directories.
  • It causes the usual annoyances – modifies the IE start page, adds shortcuts to porn sites in the IE Favorites.

One interesting thing about the worm that you don’t see very often is that it attempts to create copies of itself on a floppy drive!! It must be at least 2 years since I last saw a floppy, and that was when I was cleaning out a pile of old junk. The worm must be an old relic of the days when the motivation for virus writing was simply to cause destruction. Another giveaway of this worm’s age is that its payload uses the command “deltree”, an old DOS command that is no longer included in Windows 2000 and later.

But even back when floppies were more commonplace, a worm copying itself there would be a weak attempt at spreading unless it could get itself to run automatically from the floppy, without the user explicitly running it. The more obvious technique would be to place an autorun.inf file on the floppy, the same way CD-ROMs and other removable drives get programs run automatically. But this sample had no trace of that filename in its body. Digging further, I found that the worm solves the autorun problem using a technique that was new to me: it uses Windows’ Active Desktop to get itself run. It’s been years since I analyzed malware on a daily basis, so pardon me if this is old news to many of you. ;-)

Active Desktop allows the user to customize the way Windows Explorer displays the contents of a folder. These customization settings are stored in the file desktop.ini. The contents of the folder are essentially displayed in an HTML page that is based on a hypertext template (.htt). This page is just like any other HTML page, and can contain text, links, ActiveX controls and script.

Along with the executable copies W32/Heiku creates on the floppy drive, it creates the files Folder.htt and Desktop.ini. Folder.htt contains encrypted VBScript whose only function is to run the file a:\drvspace.com, one of the worm copies on the floppy drive. So the idea is that when a user views the contents of the infected floppy in Windows Explorer, the worm runs automatically (assuming Active Desktop is enabled).
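The pair of files is easy to audit on any removable drive: a Desktop.ini that points Explorer at a custom template (the PersistMoniker entry of the Web View section) combined with a Folder.htt carrying script, especially Microsoft Script Encoder output (the `#@~^` header), is the pattern to look for. The scanner below is an added example, not from the original post or the worm's own code; the sample drive is constructed in a temporary directory, the encoded block is a placeholder string rather than a real payload, and the run-related keywords are my assumption of what a plain-text template would reveal.

```python
"""Scan a removable drive for the Desktop.ini / Folder.htt autorun trick.

Added example, not from the original post. For every folder it reports a
Desktop.ini whose PersistMoniker points at a template and a Folder.htt that
contains script, Script-Encoded VBScript or shell-execution keywords. The
sample drive below is constructed; the encoded block is a placeholder.
"""
import os
import re
import tempfile
import configparser

SCRIPT_TAG = re.compile(r"<script\b", re.I)
ENCODED_MARK = "#@~^"   # Microsoft Script Encoder header
RUN_HINTS = re.compile(r"WScript\.Shell|Shell\.Application|ShellExecute|\.Run\b", re.I)


def inspect_folder(path):
    """Return a list of findings for one folder (empty when it looks clean)."""
    findings = []
    names = {n.lower(): n for n in os.listdir(path)}
    if "desktop.ini" in names:
        ini = configparser.ConfigParser(interpolation=None, strict=False)
        with open(os.path.join(path, names["desktop.ini"]),
                  encoding="utf-8", errors="replace") as f:
            ini.read_string(f.read())
        for section in ini.sections():
            moniker = ini[section].get("PersistMoniker")
            if moniker:
                findings.append(f"Desktop.ini [{section}] PersistMoniker={moniker}")
    if "folder.htt" in names:
        with open(os.path.join(path, names["folder.htt"]),
                  encoding="utf-8", errors="replace") as f:
            htt = f.read()
        if SCRIPT_TAG.search(htt):
            findings.append("Folder.htt contains <script>")
        if ENCODED_MARK in htt:
            findings.append("Folder.htt contains a Script-Encoded block")
        if RUN_HINTS.search(htt):
            findings.append("Folder.htt references shell execution")
    return findings


def scan_drive(root):
    """Walk the drive; return {relative folder: findings} for folders with findings."""
    report = {}
    for dirpath, _, _ in os.walk(root):
        findings = inspect_folder(dirpath)
        if findings:
            report[os.path.relpath(dirpath, root).replace(os.sep, "/")] = findings
    return report


def build_sample_drive():
    """Constructed drive image: a trapped root folder and a clean subfolder."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Desktop.ini"), "w", encoding="utf-8") as f:
        f.write("[.ShellClassInfo]\nConfirmFileOp=0\n"
                "[ExtShellFolderViews]\n"
                "{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}\n"
                "[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]\n"
                "PersistMoniker=file://Folder.htt\n")
    with open(os.path.join(root, "Folder.htt"), "w", encoding="utf-8") as f:
        # Placeholder only: the header/trailer markers of the encoder, no real code.
        f.write('<html><head><script language="VBScript.Encode">'
                "#@~^AAAAAA==constructed-placeholder^#~@</script></head><body></body></html>")
    clean = os.path.join(root, "clean")
    os.mkdir(clean)
    with open(os.path.join(clean, "Desktop.ini"), "w", encoding="utf-8") as f:
        f.write("[.ShellClassInfo]\nIconFile=folder.ico\nIconIndex=0\n")
    return root


if __name__ == "__main__":
    for folder, findings in scan_drive(build_sample_drive()).items():
        print(folder, findings)
```

A Desktop.ini that merely sets an icon, as in the clean subfolder, produces no finding; it is the template pointer plus a scripted template that marks the trap.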

With the flood of bots and generic mass-mailers out there, it’s interesting to find something different and new. Even if it was new a long time ago.

MS Access Exploit in the Wild

You may have seen a number of news reports in the past day or two on the active exploitation of a Microsoft Access vulnerability. Here is one story by PC World.

The US-CERT’s current activity Web page, “a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT,” warned about this active exploitation on December 10.

It is rumored that the vulnerability being exploited is CVE-2007-6026.

Avert Labs is working to find out more. As they say in the press, watch this space!

While we wait, here’s what we know about CVE-2007-6026. It’s a stack overflow in Access. A user would have to open a specially crafted Access database for an attack to take place. Although user assistance is required for exploitation, an exploit could be delivered over various attack vectors, including the Web, e-mail, and IM. Attacks could be coupled with well-established social engineering techniques. And now for the rub: this vulnerability is currently unpatched.

Be careful of Real Media files downloaded from the Internet

Recently, I had some friends complain about problems with Real Media files (*.rm/*.rmvb). According to them, after downloading and playing rmvb files, the Real Media Player launched a malicious webpage without prompting. Later, they noticed their OS running noticeably slower. And later still, they found their IM account passwords modified and online gaming accounts stolen.

It appears that the media files they downloaded were created by a hacker and designed to open malicious webpages. I investigated this and found it is quite easy to add a malicious webpage to rmvb files. The hacker used freely available software: programs that can be used to add events to rmvb files. A time and a URL are specified in a text file, then imported into the rmvb file using these programs, and that’s it! When the rmvb file is opened in RealPlayer, the URL will automatically be opened after the specified time has elapsed. My advice was to scan any downloaded media files with antivirus software before playing them. Another option is to use a player other than RealPlayer.

Hope you can enjoy Real Media without the malicious webpages!!!

Web Site of the French Embassy in Libya Under Attack

For a long time we have spoken regularly about IFRAME injection. This year, many pages belonging to legitimate sites were secretly modified. Many will remember the Italian Job and the thousands of infected sites in the realms of tourism, the car industry, movies and music.

The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the web site of the French Embassy is now infected by malicious code. Please do not attempt to reach the site; it is still dangerous.

The first iframe routes the victim to sites hosted by a Hong Kong provider. Two further links then redirect the visitor.

From Hong Kong, we move to Russia and Ukraine, where exploits and downloaders are used (Exploit-YIMCAM and Downloader-AUD).
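The injected frame in cases like this is almost always tiny or hidden and points at a host that has nothing to do with the site, which is enough for a webmaster's page check. The script below is an added example, not from the original post: it lists the iframes in a page and flags those that are invisible (zero or one-pixel dimensions, display:none or visibility:hidden) or that load from another host. The HTML and the hostnames are constructed; the one-pixel cut-off is an assumption.

```python
"""Flag hidden or off-site iframes in a page's HTML.

Added example, not from the original post. A legitimate same-site frame of
normal size is left alone; a frame that is hidden by its attributes or
style, or that loads content from a foreign host, is reported with the
reasons. The sample page is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """<html><body>
<h1>Ambassade - actualites</h1>
<iframe src="/widgets/agenda.html" width="300" height="200"></iframe>
<p>Texte de la page.</p>
<iframe src="http://bad.example.test/in.php" width="0" height="0" style="display:none"></iframe>
<IFRAME SRC="http://cdn.example.test/ad.html" WIDTH=1 HEIGHT=1></IFRAME>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display:none|visibility:hidden|(?<![\w-])(width|height):0(px)?\b")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, in document order."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hidden_reasons(attrs):
    """Reasons the frame would be invisible to the visitor (empty if visible)."""
    reasons = []
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().lower().rstrip("px").strip()
        if v.isdigit() and int(v) <= 1:      # assumption: 0/1 px means hidden
            reasons.append(f"{dim}={v}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if HIDDEN_STYLE.search(style):
        reasons.append("style hides frame")
    return reasons


def suspicious_iframes(html, page_host):
    """Return [{"src", "host", "reasons"}] for hidden or off-site iframes."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname
        reasons = hidden_reasons(attrs)
        if host and host.lower() != page_host.lower():
            reasons.append("external host")
        if reasons:
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "www.example.test"):
        print(hit["src"], hit["reasons"])
```

Comparing the live page against the copy in version control or a known-good backup is faster still, but this check catches the injection even when no clean copy exists.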

Once again, we can see how the people involved in such attacks use dedicated malicious web sites in various countries to make them difficult to defeat. It is especially difficult when an ISP agrees to host web sites without verifying even the minimal data the criminals enter when they register. The following example, which I found when I looked at this attack, fully demonstrates this:

No more W32/Voterai.worm?

This is what we at Avert Labs hope will happen after the 27th of December 2007. On that date, Kenya will hold its general elections, both presidential and parliamentary.

With the elections over, we hope to see the disappearance of the W32/Voterai family of worms. As you will remember, the Voterais are pretty damaging worms that, with the excuse of promoting this or that candidate, made infected machines almost completely unusable. The last variant of this family was discovered some days ago, and is detected by McAfee as W32/Voterai.worm.f.

Wishing the best to the Kenyan citizens for their elections, we are sure nobody will miss the Voterai family!