<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-3945706898585874603</atom:id><lastBuildDate>Wed, 19 Oct 2011 13:01:31 +0000</lastBuildDate><category>ransonmware</category><category>flash</category><category>Pinch</category><category>bang</category><category>Windows Worm</category><category>China</category><category>vulnerability</category><category>open relay</category><category>IRS fraud</category><category>FBI Bomb Threat CIPAV</category><category>PayPal</category><category>privacy</category><category>adobe</category><category>fhgdghg</category><category>linkedin</category><category>valentines</category><category>heartland tjx</category><category>rick sanchez</category><category>las vegas</category><category>Syria</category><category>mccolo</category><category>zero day attacks</category><category>spamm</category><category>.rtf</category><category>botherder</category><category>dc</category><category>keylogger</category><category>email virus</category><category>kryptik</category><category>email</category><category>double extensions</category><category>storm worm peacomm</category><category>marshal</category><category>One Word</category><category>Federal Reserve scam</category><category>spam bill</category><category>rant</category><category>fraud</category><category>patch</category><category>1934</category><category>facebook</category><category>outlook updates</category><category>Tax Court</category><category>personals</category><category>MSN</category><category>pump and 
dump</category><category>registrar</category><category>directory Harvest Attack</category><category>cyber monday</category><category>donbot</category><category>experiment</category><category>Pushdo</category><category>albert gonzalez</category><category>UK</category><category>Bank Scam</category><category>Turkey</category><category>bbc news</category><category>anonymous</category><category>pirate radio</category><category>W32/Usbalex</category><category>Google Notebook</category><category>amsterdam beer</category><category>Tigger.A</category><category>Labor Day</category><category>ubuntu</category><category>online pharmacies</category><category>space</category><category>Slawomir J. Borowy</category><category>silly</category><category>Penny Stock spam</category><category>fake hmrc website</category><category>merrill lynch</category><category>defcon17</category><category>mac malware</category><category>url shortening</category><category>owen thor walker</category><category>Lander</category><category>iframe</category><category>rsa</category><category>SymbOS/Yxes.A</category><category>.doc</category><category>Zeltser</category><category>senderID</category><category>xkploit</category><category>osx</category><category>fake tax email</category><category>shockwave</category><category>virut</category><category>Fake Microsoft update</category><category>Chrome</category><category>clutter</category><category>arrest</category><category>burma</category><category>hoax</category><category>green card</category><category>clickjacking</category><category>services</category><category>canada</category><category>scripts</category><category>hacking home pcs</category><category>quicktime</category><category>Lenny</category><category>islam</category><category>wallace</category><category>idiot</category><category>mega-d</category><category>Nigerian scam</category><category>Fed</category><category>OSX-Tored-A</category><category>Windows 7 Trojan 
horse</category><category>419</category><category>XSP</category><category>.mdb</category><category>groups.google</category><category>fileshare</category><category>coamerica</category><category>zero-day</category><category>rockphish</category><category>google groups</category><category>password management</category><category>Nuwar</category><category>Britney</category><category>SPIM</category><category>phishing</category><category>money mule</category><category>twitter</category><category>xpack</category><category>defcon16</category><category>virus</category><category>ndrs</category><category>.pdf</category><category>coffee</category><category>sality</category><category>malware market</category><category>P2P</category><category>live journal</category><category>ftc</category><category>gmail</category><category>fake h1n1</category><category>mobile</category><category>BBC</category><category>Romania</category><category>Billy Brown</category><category>Great Firewall</category><category>Headline News</category><category>Free file storage</category><category>Trend Micro</category><category>fake security update</category><category>cyberlover</category><category>area 51</category><category>mobile botnet</category><category>Kanye West</category><category>sycophants</category><category>nuclear explosion</category><category>bredo</category><category>Flu spam</category><category>april fools day</category><category>Outlook Setup Notification</category><category>SEC</category><category>georgia</category><category>mcafee</category><category>downadup</category><category>injection</category><category>russian gang</category><category>tacos</category><category>swine flu</category><category>dkim</category><category>gammima</category><category>doj</category><category>one account</category><category>friday</category><category>fail whale</category><category>estdomains</category><category>mysql</category><category>cloud storage</category><category>lightning</category><category>eastern 
europe</category><category>ford</category><category>livejournal</category><category>peacomm</category><category>card.zip</category><category>fedex</category><category>web security</category><category>usb drives</category><category>New Spam</category><category>greeting card virus</category><category>mujahideen</category><category>android</category><category>baby</category><category>2000 sp4</category><category>Zune</category><category>noscript</category><category>The legend of Zork</category><category>ameritrade</category><category>Google exploits</category><category>Scams</category><category>email fraud</category><category>ie7</category><category>jeremy clarkson</category><category>shallard</category><category>exploit</category><category>hacker safe</category><category>operation phish phry</category><category>the blog has moved</category><category>stimulus. irs</category><category>OEM</category><category>csrf</category><category>strange</category><category>DDoS</category><category>rofl</category><category>modern mechanix</category><category>trojan horse</category><category>Zbot</category><category>s-cop</category><category>pci dss</category><category>uh oh</category><category>Countrywide</category><category>zzzz</category><category>southwest</category><category>s.p.a.m.</category><category>micro-data</category><category>windows ce</category><category>Linked-In</category><category>top gear</category><category>social networking</category><category>scareware</category><category>quebec</category><category>digital insight</category><category>starbucks</category><category>Ecard</category><category>UK tax scam</category><category>downloader-aap</category><category>short link</category><category>setup.exe</category><category>castlecops</category><category>Yahoo</category><category>9100</category><category>key</category><category>this is it</category><category>gpcoder</category><category>social engineering</category><category>mortgage</category><category>HMRC 
Virus</category><category>http botnet</category><category>rines</category><category>conspiracy</category><category>target</category><category>kidnapping</category><category>Benazir</category><category>ursa major</category><category>hmrc</category><category>cyber promotions</category><category>petition</category><category>sterling bank</category><category>day trading</category><category>express</category><category>ICANN</category><category>news Virus</category><category>QVC</category><category>master splyntr</category><category>Kitty</category><category>command and control</category><category>bhutto</category><category>419eater</category><category>INS</category><category>idefense</category><category>bounce</category><category>UPS</category><category>threats</category><category>ethics</category><category>playmp3.exe</category><category>sms</category><category>bayesian filtering</category><category>malware</category><category>shopping</category><category>parking ticket</category><category>wow</category><category>fake tax website</category><category>shame shame</category><category>Scam</category><category>loan scam</category><category>hactivism</category><category>corporate</category><category>tibs</category><category>scientology</category><category>College</category><category>Fake check</category><category>srizbi</category><category>carders</category><category>Outlook Virus</category><category>apps</category><category>AV</category><category>watches</category><category>Secunia</category><category>.Mp3 spam</category><category>sneakey</category><category>word salad</category><category>suckstobeyou</category><category>apples</category><category>bayesian poisoning</category><category>botnets</category><category>secrets</category><category>russia</category><category>ransom</category><category>spf</category><category>mike bailey</category><category>nigeria</category><category>zonebac</category><category>FBI</category><category>C and 
C</category><category>techcrunch</category><category>Outlook Phishing</category><category>yahoo groups</category><category>loser</category><category>trojan</category><category>MySpace</category><category>fungame</category><category>pizza</category><category>newsletters</category><category>best buy</category><category>pdf</category><category>USB</category><category>pharma</category><category>Tax Scam</category><category>cybercrime</category><category>defacements</category><category>Conficker</category><category>CAN-SPAM</category><category>holidays</category><category>pyramid</category><category>invitation</category><category>W32.Gammima.AG</category><category>google cash</category><category>krackin</category><category>love</category><category>anti-virus</category><category>White house</category><category>HotLan</category><category>Captcha</category><category>Fake FDIC message</category><category>alien spam</category><category>GIMF</category><category>christmas</category><category>explorer</category><category>worms</category><category>Zhelatin</category><category>bank trojan</category><category>Mukasey</category><category>xarvester</category><category>postage</category><category>phreadphread</category><category>lazy</category><category>Credit card scam</category><category>zeus</category><category>data breach</category><category>Heartland</category><category>conficker worm</category><category>g1</category><category>Tigger</category><category>spyware</category><category>xls excel pdf zip</category><category>irc</category><category>spam twam</category><category>MSNBC</category><category>access</category><category>eye test</category><category>Spam</category><category>ontario</category><category>Kurd</category><category>Obama Virus</category><category>IM</category><category>Email security</category><category>vvindows update</category><category>theory</category><category>Harada</category><category>spamming</category><category>groups.yahoo</category><category>directory 
harvest attacks</category><category>no-script</category><category>Zeus bot</category><category>Mars</category><category>april 1st</category><category>wwwiii</category><category>safety filter</category><category>race to zero</category><category>hackers</category><category>Google</category><category>botnet</category><category>IRS</category><category>seo</category><category>pop-up</category><category>acrobat</category><category>spam legislation</category><category>armagedon</category><category>citizens bank</category><category>Unsolicited spam</category><category>Mission</category><category>CNN</category><category>DoS</category><category>digital picture frame</category><category>hamburgers and hot dogs</category><category>.ics</category><category>Sophos</category><category>clipboard</category><category>rich text format</category><category>targeted</category><category>pc</category><category>SQL</category><category>segvec</category><category>mailto</category><category>UCSD</category><category>pymme</category><category>eBay</category><category>fbstarter</category><category>penguin panic</category><category>osx.iservice</category><category>form armor</category><category>firefox</category><category>iphone</category><category>cost</category><category>Asus</category><category>boom</category><category>Vladuz</category><category>BitDefender</category><category>storm</category><category>Google AdWords</category><category>Mac</category><category>Tom Rusin</category><category>doritos</category><category>get</category><category>xp</category><category>invoice.zip</category><category>the illuminati</category><category>penny stocks</category><category>key logger</category><category>violation</category><category>419 Scam</category><category>LiveSearch</category><category>ssns</category><category>security</category><category>rustock</category><category>department of justice</category><category>directX</category><category>wince</category><category>Serious 
Error</category><category>server 2003</category><category>rootkit</category><category>googleapps</category><category>Abbey</category><category>hacker</category><category>social networks</category><category>rock phish</category><category>texas</category><category>fake cdc alert</category><category>Stock Spam</category><category>IE8</category><category>html</category><category>sonicwall</category><category>AWI</category><category>900</category><category>RBN</category><category>defcon</category><category>XSS</category><category>zero day</category><category>Iraq</category><category>death of a salesman</category><category>tren micro</category><category>fujacks</category><category>printer exploit</category><category>Appriver</category><category>bbq</category><category>apple</category><category>Spam king</category><category>comerica</category><category>forums</category><category>avsoft</category><category>partnerka</category><category>Firewall</category><category>phish</category><category>backscatter</category><category>securesurf</category><category>Asprox</category><category>congestion</category><category>PPI</category><category>western union</category><category>SMTP</category><category>iphone 2.0 upgrade issues</category><category>pwned</category><category>beijing</category><category>debian</category><category>dalai lama</category><category>robert alan soloway</category><category>classmates</category><category>Zlob</category><category>Virus headlines</category><category>internet explorer 7</category><category>removable media</category><category>telephone</category><category>linux</category><category>bots</category><category>gizmodo</category><category>recession</category><category>breach</category><category>email harvester</category><category>IP geolocation</category><category>atms</category><category>New Botnet</category><category>storm 
worm</category><category>spearphish</category><category>owa</category><category>waledac</category><category>dha</category><category>information theft</category><category>michael Jackson</category><category>Britain</category><category>kraken</category><category>subpoena</category><category>l. ron hubbard</category><category>thebat</category><category>dorf</category><category>epic fail</category><category>romainia</category><category>microsoft</category><category>Stock Scam</category><category>jyhad</category><category>CRA</category><category>vb conference 2009</category><category>fail</category><category>shadow economy</category><category>mobile spam</category><category>reader</category><category>password</category><category>NASA</category><category>identity theft</category><category>Florida Jobs</category><title>Digital Degenerate</title><description>A semi daily look at the nefarious world of the internet, email security issues, social trickery, and all things digital.</description><link>http://blog.appriver.com/</link><managingEditor>noreply@blogger.com (...phread)</managingEditor><generator>Blogger</generator><openSearch:totalResults>277</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/blogspot/jjDR" /><feedburner:info uri="blogspot/jjdr" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-3181004196172928647</guid><pubDate>Thu, 03 Dec 2009 18:57:00 +0000</pubDate><atom:updated>2009-12-03T13:03:10.401-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">the blog has moved</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><title>***We Have Moved***</title><description>&lt;a 
style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SxgLLjKfkaI/AAAAAAAABXc/I7a1dCrSkYI/s1600-h/aaamoving.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 204px; height: 179px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SxgLLjKfkaI/AAAAAAAABXc/I7a1dCrSkYI/s320/aaamoving.jpg" alt="" id="BLOGGER_PHOTO_ID_5411087245331370402" border="0" /&gt;&lt;/a&gt;Yes, it's true, we have relocated the blog. From now all of our new posts can be found here --&gt; &lt;a href="http://blogs.appriver.com/blog/appriver"&gt;blogs.appriver.com&lt;/a&gt; . We're having some issues importing all of these older posts, so feel free to check back here to enjoy or tear apart our previous posts. Thanks, see you at the new site!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-3181004196172928647?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/nOcXRjiGx5Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/nOcXRjiGx5Q/we-have-moved.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SxgLLjKfkaI/AAAAAAAABXc/I7a1dCrSkYI/s72-c/aaamoving.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/12/we-have-moved.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-5738271865555173765</guid><pubDate>Tue, 01 Dec 2009 15:38:00 +0000</pubDate><atom:updated>2009-12-03T08:42:00.724-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">fake h1n1</category><category domain="http://www.blogger.com/atom/ns#">fake cdc alert</category><category 
domain="http://www.blogger.com/atom/ns#">email virus</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">xpack</category><category domain="http://www.blogger.com/atom/ns#">kryptik</category><category domain="http://www.blogger.com/atom/ns#">bank trojan</category><category domain="http://www.blogger.com/atom/ns#">swine flu</category><title>Bots Using H1N1 Fear to Distribute Malware</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SxU_s7gjJWI/AAAAAAAABXU/JFxREJXxq9A/s1600/images.jpg"&gt;&lt;img style="MARGIN: 0pt 10px 10px 0pt; WIDTH: 130px; FLOAT: left; HEIGHT: 98px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5410300568476525922" border="0" alt="" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SxU_s7gjJWI/AAAAAAAABXU/JFxREJXxq9A/s320/images.jpg" /&gt;&lt;/a&gt;At about 8:15 (cst) this morning we began seeing a strikingly large malware campaign attempting to make its passage to our users' inboxes. The social engineering tactic du jour is a ploy pretending to be an alert from the Center for Disease Control (CDC). The fake alert tries to convince the recipient that they are part of a “State Wide H1N1 Vaccination Program” and that they are required to create a vaccination profile on the CDC website. The link provided in the email takes you to a very convincing imitation of a CDC web page where you are given a temporary ID and a link to your “vaccination profile”. The link is in fact to an executable file that contains a copy of a Trojan most commonly identified as Zbot. Once installed on your PC, this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization. It also enables a remote hacker to take complete control of your computer. 
This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker.&lt;br /&gt;As of 9:15 (cst) we are seeing these messages at the extremely high rate of nearly 18,000 messages per minute netting over 1 million of these messages in the first hour alone. It is now officially flu season and considering the recent concerns over the H1N1 vaccine, I expect this to be a highly effective campaign against those who are not protected from this cyber-threat. Below is an example of the message along with a screenshot of the fake CDC webpage. &lt;em&gt;(click image to enlarge)&lt;/em&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SxU_JP5AMHI/AAAAAAAABXE/eEhV_LvyiLs/s1600/cdc.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 107px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5410299955472511090" border="0" alt="" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SxU_JP5AMHI/AAAAAAAABXE/eEhV_LvyiLs/s400/cdc.png" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SxU_JZjVXKI/AAAAAAAABXM/z9whb58MRfY/s1600/cdcpage.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 170px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5410299958065978530" border="0" alt="" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SxU_JZjVXKI/AAAAAAAABXM/z9whb58MRfY/s400/cdcpage.png" /&gt;&lt;/a&gt; &lt;div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-5738271865555173765?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/6Vwj8nTaGeg" 
height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/6Vwj8nTaGeg/bots-using-h1n1-to-distribute-malware.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/SxU_s7gjJWI/AAAAAAAABXU/JFxREJXxq9A/s72-c/images.jpg" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://blog.appriver.com/2009/12/bots-using-h1n1-to-distribute-malware.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-1115447735210944589</guid><pubDate>Wed, 25 Nov 2009 17:43:00 +0000</pubDate><atom:updated>2009-11-25T14:00:04.827-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">zeus</category><category domain="http://www.blogger.com/atom/ns#">trojan</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Zbot</category><category domain="http://www.blogger.com/atom/ns#">IRS</category><title>Things Not to be Thankful For</title><description>The holidays are a favorite time for malware authors to strike. They figure everyone's on vacation and they'll have an easier time getting into inboxes. 
Well, they were wrong about AppRiver, here's the latest Thanksgiving offering from the ZBot or Zeus trojan.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sw1vAri4pHI/AAAAAAAABW0/qtIlDrc1Xz4/s1600/irs2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 157px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sw1vAri4pHI/AAAAAAAABW0/qtIlDrc1Xz4/s400/irs2.png" alt="" id="BLOGGER_PHOTO_ID_5408100785021559922" border="0" /&gt;&lt;/a&gt;As you can see it's using the same ploy it tried a week or so ago, pretending to be from the IRS with a claim that you have under-paid your taxes. The email arrives with a link that brings you to this website.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/Sw1vAK5VnXI/AAAAAAAABWs/H-AcIbl5n9Q/s1600/irs1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 274px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/Sw1vAK5VnXI/AAAAAAAABWs/H-AcIbl5n9Q/s400/irs1.png" alt="" id="BLOGGER_PHOTO_ID_5408100776257363314" border="0" /&gt;&lt;/a&gt;As you can see, Zeus did a good job of dressing up the site to make it appear to be legit. They've customized both the email and the link on the landing page to include the domain to which the email was sent through the use of tokens. 
If you'll notice in the address bar however, the site you're on may appear to be the IRS, but the actual domain you've encountered is a little further in - not the IRS.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/Sw1vApqVaAI/AAAAAAAABW8/u__a3_1O1ig/s1600/irs3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 20px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/Sw1vApqVaAI/AAAAAAAABW8/u__a3_1O1ig/s400/irs3.png" alt="" id="BLOGGER_PHOTO_ID_5408100784515934210" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Remain vigilant over the holidays, and don't go willy-nilly clicking on links in your emails when you get back to work on Monday.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-1115447735210944589?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/-4ChwTNPN5E" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/-4ChwTNPN5E/things-not-to-be-thankful-for.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sw1vAri4pHI/AAAAAAAABW0/qtIlDrc1Xz4/s72-c/irs2.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/things-not-to-be-thankful-for.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-5997138732318733486</guid><pubDate>Tue, 24 Nov 2009 18:03:00 +0000</pubDate><atom:updated>2009-11-24T13:08:52.601-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Scam</category><category domain="http://www.blogger.com/atom/ns#">trojan</category><category domain="http://www.blogger.com/atom/ns#">Spam</category><category 
domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Zbot</category><category domain="http://www.blogger.com/atom/ns#">bank trojan</category><title>Zbots Newest Strain</title><description>&lt;a style="" href="http://3.bp.blogspot.com/_qUhp3IwflnM/Swwg4AK0IYI/AAAAAAAAAiQ/ilwOqwqlA80/s1600/light-virus-1.jpg"&gt;&lt;img style="margin: 0px 10px 10px 0px; width: 200px; float: left; height: 150px;" id="BLOGGER_PHOTO_ID_5407733399055245698" alt="" src="http://3.bp.blogspot.com/_qUhp3IwflnM/Swwg4AK0IYI/AAAAAAAAAiQ/ilwOqwqlA80/s200/light-virus-1.jpg" border="0" /&gt;&lt;/a&gt;Just over an hour ago we began seeing the latest incarnation of the Zbot virus being spammed out to millions of email users. Today’s adaptation employs a common but effective social engineering tactic. The email alleges to be from a friend of yours warning you that someone has posted compromising pictures of you on the web and distributed said pictures to “all of your friends”. One obvious flaw is that the random name that they sign the email with should be unknown to you (unless they get really lucky). The link provided in the message takes you to a website where you can view these photos of yourself. The website contains a download for “PhotoArchive.exe” which is in fact a copy of the Zbot banking Trojan. In the first hour we have seen over 250,000 of these messages. 
Here is a list of domains that are hosting the malicious payload.&lt;br /&gt;&lt;div&gt;· salikuv.eu&lt;br /&gt;· salikue.eu&lt;br /&gt;· salikuy.eu&lt;br /&gt;· salikuk.eu&lt;br /&gt;· salikuc.eu&lt;br /&gt;· salikui.eu&lt;br /&gt;· salikuf.eu&lt;br /&gt;· salikuh.eu&lt;br /&gt;· salikuu.eu&lt;br /&gt;· salikur.eu&lt;br /&gt;· salikub.eu&lt;br /&gt;· salikus.eu&lt;br /&gt;· salikuj.eu&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;Here is the message and landing page: &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;img style="margin: 0px auto 10px; text-align: center; width: 400px; display: block; height: 250px;" id="BLOGGER_PHOTO_ID_5407732871125930098" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/SwwgZReqEHI/AAAAAAAAAiI/DuBE61CDsgM/s400/page.png" border="0" /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-5997138732318733486?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/qP7bTk3aZy4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/qP7bTk3aZy4/zbots-newest-strain.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_qUhp3IwflnM/Swwg4AK0IYI/AAAAAAAAAiQ/ilwOqwqlA80/s72-c/light-virus-1.jpg" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/zbots-newest-strain.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-7457448390007832541</guid><pubDate>Tue, 24 Nov 2009 17:34:00 +0000</pubDate><atom:updated>2009-11-24T11:44:19.230-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">directory Harvest Attack</category><category domain="http://www.blogger.com/atom/ns#">Spam</category><category 
domain="http://www.blogger.com/atom/ns#">Appriver</category><title>Targeted Spam Marketing</title><description>Here is another classic example of the result of some very specific directory harvest attacks. A directory harvest attack is performed with the sole purpose of collecting email addresses either to use or to collect and sell on the black market. Normally the sale of these addresses is done on fly-by-night forums to "trusted" individuals, but sometimes you'll run across an example such as this one. Apparently they got sick of trying to sell these one by one, and decided a mass marketing approach would be better for business. This campaign is specializing in physician email addresses for the very reasonable price of $195.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/SwwbTj_mTeI/AAAAAAAABWk/orPKp5qDbsI/s1600/doctors.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 319px; height: 400px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/SwwbTj_mTeI/AAAAAAAABWk/orPKp5qDbsI/s400/doctors.png" alt="" id="BLOGGER_PHOTO_ID_5407727275458579938" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-7457448390007832541?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/tQfplIJmylM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/tQfplIJmylM/targeted-spam-marketing.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_ktAVO86cbXQ/SwwbTj_mTeI/AAAAAAAABWk/orPKp5qDbsI/s72-c/doctors.png" height="72" width="72" 
/><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/targeted-spam-marketing.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-3275927309357291619</guid><pubDate>Fri, 20 Nov 2009 15:30:00 +0000</pubDate><atom:updated>2009-11-20T09:53:25.480-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">trojan</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Zbot</category><category domain="http://www.blogger.com/atom/ns#">botnet</category><title>More ZBot</title><description>The banking trojan known as ZBot has been relentless these past couple of months. Just a few moments ago we began seeing its latest offering, and this time it was delivered addressed to us(as well as others), well sort of. Aside from the fact that these emails were addressed to invalid users at AppRiver's domain, they were heavily customized to appear as if they were coming from within the security center of AppRiver[dot]com. 
As you can see, the sender is alerts@[recipient domain], and the link in the email is appended with the recipient domain as well in an attempt to obfuscate the actual landing pages which currently number less than 10, but are coming in at around 800 pieces per minute, per domain.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/Swa5f0iNtvI/AAAAAAAABWU/GdKpMFgikmU/s1600/flash1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 385px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/Swa5f0iNtvI/AAAAAAAABWU/GdKpMFgikmU/s400/flash1.png" alt="" id="BLOGGER_PHOTO_ID_5406212359034091250" border="0" /&gt;&lt;/a&gt;If the victim falls for the lure and clicks on the link, they are taken to a page that informs them that they need to update their Adobe Flash player and provides a second link. This link downloads another copy of the ZBot trojan, this time disguised as flashinstaller.exe. 
This campaign is currently active, so be careful as they add more domains; currently we have all of these blocked.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/Swa5fykRDoI/AAAAAAAABWc/uZvkUbN60D8/s1600/flash.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 117px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/Swa5fykRDoI/AAAAAAAABWc/uZvkUbN60D8/s400/flash.png" alt="" id="BLOGGER_PHOTO_ID_5406212358505827970" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-3275927309357291619?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/UEbyvy3FbQ8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/UEbyvy3FbQ8/more-zbot.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_ktAVO86cbXQ/Swa5f0iNtvI/AAAAAAAABWU/GdKpMFgikmU/s72-c/flash1.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/more-zbot.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-6830668921583805860</guid><pubDate>Fri, 13 Nov 2009 17:18:00 +0000</pubDate><atom:updated>2009-11-13T11:24:43.859-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Conficker</category><category domain="http://www.blogger.com/atom/ns#">trojan</category><category domain="http://www.blogger.com/atom/ns#">email</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Fake Microsoft update</category><title>Fake Microsoft Updates Invoke Conficker</title><description>&lt;a 
href="http://1.bp.blogspot.com/_qUhp3IwflnM/Sv2WJ8cuqXI/AAAAAAAAAh0/SufxBW3SmdI/s1600-h/worm-main_Full.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 133px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5403640225504078194" border="0" alt="" src="http://1.bp.blogspot.com/_qUhp3IwflnM/Sv2WJ8cuqXI/AAAAAAAAAh0/SufxBW3SmdI/s200/worm-main_Full.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Exactly one year after infection of the Conficker worm began spreading like wildfire, malware distributors are still trying to capitalize on public knowledge of this infection. Back in November of 2008, countless organizations took notice as news of the Conficker worm soared in popularity (including public school networks and US military systems as they, too, found Conficker on machines).&lt;br /&gt;Today we are seeing a slew of fake “Microsoft update” emails that are pretending to be a warning that your “ISP has detected that you network has been infected” with the Conficker worm. The attached file (3YMH6JJY.zip) is supposed to be a courtesy of Microsoft that will clean the malware from your machine. In reality the file contains a Trojan that serves to do just the opposite. 
Here is a look at the message: &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 153px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5403639829533518866" border="0" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/Sv2Vy5V_bBI/AAAAAAAAAhs/H_OSAv4gFxs/s400/Conficker+con.png" /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-6830668921583805860?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/zUtx6oLMy0U" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/zUtx6oLMy0U/fake-microsoft-updates-invoke-conficker.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_qUhp3IwflnM/Sv2WJ8cuqXI/AAAAAAAAAh0/SufxBW3SmdI/s72-c/worm-main_Full.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/fake-microsoft-updates-invoke-conficker.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-1321018591138982537</guid><pubDate>Wed, 11 Nov 2009 17:05:00 +0000</pubDate><atom:updated>2009-12-04T10:38:21.385-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Outlook Phishing</category><category domain="http://www.blogger.com/atom/ns#">IRS fraud</category><category domain="http://www.blogger.com/atom/ns#">bredo</category><category domain="http://www.blogger.com/atom/ns#">419 Scam</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Zbot</category><title>Notice Of Underreported Taxes: Regenerated</title><description>&lt;a 
href="http://4.bp.blogspot.com/_qUhp3IwflnM/SvrwZcfOrlI/AAAAAAAAAhk/tAp1dv0-ICg/s1600-h/cybecrime.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 199px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5402895022918905426" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/SvrwZcfOrlI/AAAAAAAAAhk/tAp1dv0-ICg/s200/cybecrime.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;Late Tuesday night and throughout the morning today we have been seeing the latest virus push from the Pushdo bot gang. After spending the past few weeks pushing the fake Facebook update angle, it looks like they have decided to go back to something familiar. They are again using fake Tax Statements alleging to be from the IRS to con you into downloading their Zbot Banking Trojan. These messages are identical to the ones that we were seeing from them back in September. This campaign must have had some success back in September for them to be committing to it again. It starts with a message alerting you that you have “Underreported your Income” and has a link to your “Tax Statement”. Here is what the message looks like:&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/Svrvxm-1WfI/AAAAAAAAAhc/xKXE-eWrFLI/s1600-h/11-11-2009+10-29-33+AM.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 141px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5402894338541050354" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/Svrvxm-1WfI/AAAAAAAAAhc/xKXE-eWrFLI/s400/11-11-2009+10-29-33+AM.png" /&gt;&lt;/a&gt; The link in the message takes you to a fake IRS page, where an executable file awaits you for downloading. The page and file are identical to those from September (they have not bothered to change the file name). 
At this time there appears to be about fifty different domains that are hosting these malicious web pages and links. The Trojan download awaits you in the “tax-statement.exe”. Here is a look at the payload web page:&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://2.bp.blogspot.com/_qUhp3IwflnM/Svrvs8E-TkI/AAAAAAAAAhU/6CWQlWdW_bY/s1600-h/11-11-2009+10-30-53+AM.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 272px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5402894258304601666" border="0" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/Svrvs8E-TkI/AAAAAAAAAhU/6CWQlWdW_bY/s400/11-11-2009+10-30-53+AM.png" /&gt;&lt;/a&gt; As of 10:30am(CST) we have blocked nearly 3 million of these malicious emails. The actual volume of this campaign is exponentially larger since 3 million represents just those [messages] sent to our Hosted Exchange and Spam Filtering customers. At this time we are seeing around 5,100 messages per minute. As I have said before many times, the IRS will NOT attempt to contact you in this manner so do not fall victim to these scams. 
&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-1321018591138982537?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/EQ-ZfVQd_H0" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/EQ-ZfVQd_H0/notice-of-underreported-taxes.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_qUhp3IwflnM/SvrwZcfOrlI/AAAAAAAAAhk/tAp1dv0-ICg/s72-c/cybecrime.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/notice-of-underreported-taxes.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-8378410180034106445</guid><pubDate>Wed, 04 Nov 2009 16:47:00 +0000</pubDate><atom:updated>2009-11-04T10:59:42.116-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">malware</category><category domain="http://www.blogger.com/atom/ns#">bredo</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><title>More Facebook Malware</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGy4gnIF9I/AAAAAAAABWE/mBqYHZuoM5I/s1600-h/facebook5.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 387px; height: 400px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGy4gnIF9I/AAAAAAAABWE/mBqYHZuoM5I/s400/facebook5.png" alt="" id="BLOGGER_PHOTO_ID_5400294112090396626" border="0" /&gt;&lt;/a&gt;I guess the crew behind Bredo has found something they like because they have been on a fake Facebook malware campaign for quite a while now. 
This morning they've been hitting us with a couple more variants of the Bredo Trojan delivered in emails that pretend to be from the Facebook staff. These, much like the others from these guys, are trying to look like security upgrades. These inform you that your password has been changed and you can find the new one in the zipped up attachment, but of course, it's malware instead. Inside the zip is actually an executable that sport&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGywLiqj2I/AAAAAAAABV8/lE0WET5LM4k/s1600-h/excel_icon.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 81px; height: 81px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGywLiqj2I/AAAAAAAABV8/lE0WET5LM4k/s200/excel_icon.gif" alt="" id="BLOGGER_PHOTO_ID_5400293968995585890" border="0" /&gt;&lt;/a&gt;s an Excel icon. I'd expect a password to come in a text document of some sort, wouldn't you?!&lt;br /&gt;Be very careful about opening any attachment in your email especially if it appears to come from Facebook, or Twitter, or anything else that's currently popular.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-8378410180034106445?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/wPj7yaG6Jx8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/wPj7yaG6Jx8/more-facebook-malware.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGy4gnIF9I/AAAAAAAABWE/mBqYHZuoM5I/s72-c/facebook5.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/more-facebook-malware.html</feedburner:origLink></item><item><guid 
isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-1686070488178578683</guid><pubDate>Wed, 04 Nov 2009 15:40:00 +0000</pubDate><atom:updated>2009-11-04T09:44:54.041-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">watches</category><category domain="http://www.blogger.com/atom/ns#">Spam</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">christmas</category><title>It's Beginning to Look Alot Like Christmas</title><description>Of course it didn't take long for the spammers to shed their Jack-o-Lantern costumes, and get wrapped up in their Christmas wrapping paper. It's not in full swing yet, but the fake watch guys have really come out swinging.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGhG8ID9TI/AAAAAAAABVs/Qfz67aflt6o/s1600-h/christmas3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 368px; height: 400px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGhG8ID9TI/AAAAAAAABVs/Qfz67aflt6o/s400/christmas3.png" alt="" id="BLOGGER_PHOTO_ID_5400274568785163570" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/SvGhGkeHvCI/AAAAAAAABVk/Prxc6KGCrtg/s1600-h/christmas2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 157px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/SvGhGkeHvCI/AAAAAAAABVk/Prxc6KGCrtg/s400/christmas2.png" alt="" id="BLOGGER_PHOTO_ID_5400274562435234850" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SvGhGYqTcXI/AAAAAAAABVc/hD1VN4SeM1A/s1600-h/christmas1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; 
width: 400px; height: 277px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SvGhGYqTcXI/AAAAAAAABVc/hD1VN4SeM1A/s400/christmas1.png" alt="" id="BLOGGER_PHOTO_ID_5400274559265108338" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-1686070488178578683?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/AmzFQReYq60" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/AmzFQReYq60/its-beginning-to-look-alot-like.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/SvGhG8ID9TI/AAAAAAAABVs/Qfz67aflt6o/s72-c/christmas3.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/11/its-beginning-to-look-alot-like.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-468027467228918937</guid><pubDate>Thu, 29 Oct 2009 17:15:00 +0000</pubDate><atom:updated>2009-10-29T12:51:01.858-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">MySpace</category><category domain="http://www.blogger.com/atom/ns#">bredo</category><category domain="http://www.blogger.com/atom/ns#">zeus</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><title>Who Says No One Uses MySpace Anymore?</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/SunPYpRRfMI/AAAAAAAABVU/DnOx_rECxeI/s1600-h/virus.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 305px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/SunPYpRRfMI/AAAAAAAABVU/DnOx_rECxeI/s400/virus.png" alt="" 
id="BLOGGER_PHOTO_ID_5398073650682363074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So as to not leave any hard feelings, Zeus runs what appears to be an impromptu malware campaign pretending to be from MySpace this time. I say "impromptu" because if this truly is an offering from Zeus it lacks the good looking graphics that normally accompany its offerings. This to me looks more like a Bredo campaign, complete with the .zip attachment that comes right in the email. Zeus normally hosts its malware in the cloud and rarely brings it right to your inbox doorstep. I have yet to analyze it to give my personal findings however 9 other AV companies are detecting the sample as Zbot, so I'll go with that for now. It's not the first time Zeus has done a slimmed down plain text campaign, but it has been a good while.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-468027467228918937?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/AvbPGwtk1jo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/AvbPGwtk1jo/who-says-no-one-uses-myspace-anymore.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_ktAVO86cbXQ/SunPYpRRfMI/AAAAAAAABVU/DnOx_rECxeI/s72-c/virus.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/who-says-no-one-uses-myspace-anymore.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-7927610588579614575</guid><pubDate>Wed, 28 Oct 2009 14:00:00 +0000</pubDate><atom:updated>2009-10-28T10:22:26.624-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">zeus</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category 
domain="http://www.blogger.com/atom/ns#">Zbot</category><category domain="http://www.blogger.com/atom/ns#">facebook</category><title>Zeus Botnet Targets Facebook</title><description>This morning a rather aggressive one two punch started coming into our filters, and is currently still very active attempting to deliver Facebook phishing emails at a rate of about 1000 messages per minute per domain used with about 30 domains being utilized. That's 30,000 messages per minute from this botnet, or 500 per second. On top of that we've already seen about 1.65 million messages from this campaign.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuhT5VFgauI/AAAAAAAABVE/Awjyj9UGbWg/s1600-h/facebook1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 198px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuhT5VFgauI/AAAAAAAABVE/Awjyj9UGbWg/s400/facebook1.png" alt="" id="BLOGGER_PHOTO_ID_5397656397781428962" border="0" /&gt;&lt;/a&gt;As we've come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse. The graphics are well done and all look like something you would see from Facebook. The email informs users that Facebook is updating their log-in system to, of course, make things more secure, and it urges people to click on the update button in the email. First of all, this should be all anyone needs to see, considering Facebook, your bank or anyone else, doesn't need every one of their users' participation in order to update their product.&lt;br /&gt;After the unfortunate victim clicks on the link, they are taken to a false Facebook log-on screen where their user name is kindly filled in for them, they only need to supply their password. But this isn't where this attack ends. Not being simply happy with having stolen your Facebook account, the Zbot crew wants more. 
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/SuhTiDp2jeI/AAAAAAAABU0/85z6GcU2R2Y/s1600-h/facebook2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 163px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/SuhTiDp2jeI/AAAAAAAABU0/85z6GcU2R2Y/s400/facebook2.png" alt="" id="BLOGGER_PHOTO_ID_5397655997965045218" border="0" /&gt;&lt;/a&gt;After "Logging in", victims are then taken to a page that takes it one step further and actually offers what it touts as an "Update Tool", specifically updatetool.exe. &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuhTiG8VAoI/AAAAAAAABU8/hCK9tAvDuec/s1600-h/facebook3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 185px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuhTiG8VAoI/AAAAAAAABU8/hCK9tAvDuec/s400/facebook3.png" alt="" id="BLOGGER_PHOTO_ID_5397655998847844994" border="0" /&gt;&lt;/a&gt;So after claiming a new Facebook account, they're also going to infect the victims' PCs as well with the Zeus trojan. This trojan is known for targeting banking accounts and other financial and personal data from its targets.&lt;br /&gt;Stay away from these emails, Zeus or Zbot spares no effort in making their attacks appear to be genuine. It is very important for you to protect yourself by being vigilant. Know that threats are out there, and they are indiscriminate. 
If you don't personally know the sender, I'd avoid clicking any links in emails, especially when the term "your account" appears anywhere in the email.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;UPDATE:  &lt;/span&gt;When this phishing email is received on a smart phone with a Facebook application installed it appears as an actual Facebook notification complete with Facebook icon. It will be received in your inbox as well as under the Facebook "Notification section" in the application itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-7927610588579614575?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/j7ylMMQDyfY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/j7ylMMQDyfY/zeus-botnet-targets-facebook.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuhT5VFgauI/AAAAAAAABVE/Awjyj9UGbWg/s72-c/facebook1.png" height="72" width="72" /><thr:total>5</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/zeus-botnet-targets-facebook.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-4447750621938182336</guid><pubDate>Tue, 27 Oct 2009 21:36:00 +0000</pubDate><atom:updated>2009-10-27T16:51:30.291-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Pushdo</category><category domain="http://www.blogger.com/atom/ns#">Zeus bot</category><category domain="http://www.blogger.com/atom/ns#">malware</category><category domain="http://www.blogger.com/atom/ns#">Fake FDIC message</category><category domain="http://www.blogger.com/atom/ns#">email virus</category><category domain="http://www.blogger.com/atom/ns#">trojan</category><category 
domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Zbot</category><title>Zeus Trojan Strikes Again</title><description>&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/SudoSaRZNKI/AAAAAAAAAg0/z3B2HEpwUco/s1600-h/images.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 127px; FLOAT: left; HEIGHT: 89px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5397397343926039714" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/SudoSaRZNKI/AAAAAAAAAg0/z3B2HEpwUco/s320/images.jpg" /&gt;&lt;/a&gt; What appears to be an alert from the FDIC is really the latest installment of the Zbot Banking Trojan. The message claims to have come from the FDIC to inform you that your Bank has failed and the FDIC has taken control of its assets. These messages come with such subjects as you need to check your ”Bank Deposit Insurance Coverage” or “FDIC has officially named your bank a failed bank”. You are then directed to a link that would allegedly allow you to check your deposit insurance coverage. This link takes you to a page that alleges to contain your “personal insurance file” in your choice of a PDF or Word document, the only catch is that they are both executable files named pdf.exe and word.exe. The fake FDIC websites that contain the payload are being hosted on a variety of .eu domains. 
Here is an example of the message and landing page:&lt;br /&gt;&lt;br /&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 120px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5397397701911684002" border="0" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/SudonP30o6I/AAAAAAAAAhE/S6r5CW9tPZY/s400/fdic.png" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 277px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5397397566747241554" border="0" alt="" src="http://1.bp.blogspot.com/_qUhp3IwflnM/SudofYWG7FI/AAAAAAAAAg8/DvdaxiN7SmU/s400/fdic2.png" /&gt; Contained in both of these links is your very own fresh new copy of the Zbot trojan. This has become a very prolific infection in recent months. Also known as Zeus, this piece of malware is a key-logging trojan designed to steal your logins and more importantly your banking credentials. These guys are well known for their social engineering tactics having most recently brought some fake “IRS Alerts” and “mailbox related server upgrades”. This is a common technique in malware distribution to provide an air of fear and couple that with a relevant news headline to provide legitimacy. 
All of our Hosted Exchange and Spam filtering customers are currently protected from all known variants.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-4447750621938182336?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/DrFYM0NYfPg" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/DrFYM0NYfPg/zeus-trojan-strikes-again.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_qUhp3IwflnM/SudoSaRZNKI/AAAAAAAAAg0/z3B2HEpwUco/s72-c/images.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/zeus-trojan-strikes-again.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-8668120339307045279</guid><pubDate>Mon, 26 Oct 2009 20:43:00 +0000</pubDate><atom:updated>2009-10-26T15:59:13.465-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">bredo</category><category domain="http://www.blogger.com/atom/ns#">zeus</category><category domain="http://www.blogger.com/atom/ns#">botnets</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">facebook</category><title>Facebook Themed Malware</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuYNlIzriQI/AAAAAAAABUk/zsLF2K2DK-0/s1600-h/virus.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 292px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuYNlIzriQI/AAAAAAAABUk/zsLF2K2DK-0/s400/virus.png" alt="" id="BLOGGER_PHOTO_ID_5397016135120685314" border="0" /&gt;&lt;/a&gt;Not too long ago we began to 
see a virus campaign shuffling through posing as Facebook notifications. The email states " Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in the attached document. Thanks, The Facebook Team" This wasn't from Facebook, but instead from the Bredo botnet attempting to expand its numbers. The past couple of months' virus activities have really been ruled by two major botnets, Bredo and Zeus, and both of them have been relentless. Zeus focuses mainly on phishing and banking trojans and arrives posing as a money related institution such as banks, both foreign and domestic, or government agencies such as the IRS or HMRC. Zeus emails are colorful and mimic the organization they're targeting complete with logos and graphics. Bredo tends to stick with plain text emails pretending to be FedEx, DHL, or as in this case Facebook.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-8668120339307045279?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/_kf8PA0jCJU" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/_kf8PA0jCJU/facebook-themed-malware.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuYNlIzriQI/AAAAAAAABUk/zsLF2K2DK-0/s72-c/virus.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/facebook-themed-malware.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-5704951759034547156</guid><pubDate>Thu, 22 Oct 2009 14:09:00 +0000</pubDate><atom:updated>2009-10-22T09:32:55.045-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">phishing</category><category 
domain="http://www.blogger.com/atom/ns#">one account</category><category domain="http://www.blogger.com/atom/ns#">fhgdghg</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><title>One Account to Rule Them All</title><description>Today we've been seeing a new comer on the phishing scene. This one is attempting to steal the accounts of a service that I was not yet aware of, that's because this service is UK based and I am not. This phishing attack is going after One Account - accounts. This is apparently a service that helps you to pay down your mortgage by combining your savings account, mortgage, and your income in one account. I didn't read enough to tell you exactly how it works because it was making me sleepy, but I can tell you how this phishing campaign works -&lt;br /&gt;First an email campaign began early this morning touting a new updated version of the banking software. This being complete with a link to the malicious websites, which there were relatively few of in this case.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuBruHVtazI/AAAAAAAABT0/sTnPUuNP0II/s1600-h/one1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 304px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuBruHVtazI/AAAAAAAABT0/sTnPUuNP0II/s400/one1.png" alt="" id="BLOGGER_PHOTO_ID_5395430793578113842" border="0" /&gt;&lt;/a&gt;Once at the website you are prompted for your account log in info.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SuBrue-y0YI/AAAAAAAABT8/trFY-dGxqZk/s1600-h/one2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 399px; height: 400px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SuBrue-y0YI/AAAAAAAABT8/trFY-dGxqZk/s400/one2.png" alt="" 
id="BLOGGER_PHOTO_ID_5395430799924449666" border="0" /&gt;&lt;/a&gt;After giving up this information, the false site tries for a little more asking for your name, address and email address. On a side note, none of these fields bothers checking for proper formatting, it just accepts the info you put in, and continues. On a &lt;span style="font-style: italic;"&gt;side&lt;/span&gt; side note, my new email address is "fdhgdhgdt".&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/SuBruj_AYRI/AAAAAAAABUE/P1qukOkeYEY/s1600-h/one3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 329px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/SuBruj_AYRI/AAAAAAAABUE/P1qukOkeYEY/s400/one3.png" alt="" id="BLOGGER_PHOTO_ID_5395430801267515666" border="0" /&gt;&lt;/a&gt;After entering this information a dialog box pops up thanking you for your information and that you will now be logged out??&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/SuBru6uwvII/AAAAAAAABUM/r67cdz5Ovac/s1600-h/one4.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 103px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/SuBru6uwvII/AAAAAAAABUM/r67cdz5Ovac/s400/one4.png" alt="" id="BLOGGER_PHOTO_ID_5395430807373397122" border="0" /&gt;&lt;/a&gt; Strange, that's usually the opposite of what I'm going for when I log-in to something, but ok. 
Next it redirects you to the actual One Account site where you get to log in all over again to see that your account is now empty.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/SuBrvA7cOCI/AAAAAAAABUU/zHqnEVjyvgg/s1600-h/one5.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 158px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/SuBrvA7cOCI/AAAAAAAABUU/zHqnEVjyvgg/s400/one5.png" alt="" id="BLOGGER_PHOTO_ID_5395430809037191202" border="0" /&gt;&lt;/a&gt;If it's in regards to your livelihood, your life savings, your identity, or anything else important to you, and it arrives in an email from a stranger, throw it away, it's fraudulent. Your bank will never contact you via email to make account changes, maybe you'll get a monthly newsletter or factoid from them, but that is it. I'm almost to the point to say, ignore it all unless you were expecting it, but that may be a little above and beyond, but not by much.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-5704951759034547156?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/VV5KO51dXHM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/VV5KO51dXHM/one-account-to-rule-them-all.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SuBruHVtazI/AAAAAAAABT0/sTnPUuNP0II/s72-c/one1.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/one-account-to-rule-them-all.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-140848660946917958</guid><pubDate>Wed, 14 Oct 2009 19:16:00 
+0000</pubDate><atom:updated>2009-10-14T14:33:24.236-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">michael Jackson</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">this is it</category><category domain="http://www.blogger.com/atom/ns#">CNN</category><category domain="http://www.blogger.com/atom/ns#">pymme</category><title>This Isn't It!</title><description>Attention Michael Jackson fans, as you may know, MJ, following in Tupac's footsteps, released a brand new single, even after his death a couple of months ago. The single entitled "This is It" was released online at his website michaeljackson.com at midnight on the 12th. Well just a day or so later, we began seeing fake CNN breaking news reports hitting our filters.&lt;br /&gt;The email came in with the subject "CNN Breaking News" and a brief story of how the single had been partially leaked on YouTube the day before its release. The "Breaking News" also contained a large link where you could "Listen Online Now". Once the link was clicked you were taken to a webpage that would simply try to get you to download malware that pretended to be the song. The file was titled Michael_Jackson-The_brand_new_song.hta . 
The file itself would load an .html page with the CNN logo and the YouTube video in question, however, behind the scenes the malware would secretly begin installing a backdoor into your PC.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/StYnaEG0Q4I/AAAAAAAABTM/8qamg63Mqs0/s1600-h/Jackson.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 248px; height: 400px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/StYnaEG0Q4I/AAAAAAAABTM/8qamg63Mqs0/s400/Jackson.png" alt="" id="BLOGGER_PHOTO_ID_5392540932555162498" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-140848660946917958?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/orYHPsXkyPA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/orYHPsXkyPA/this-isnt-it.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_ktAVO86cbXQ/StYnaEG0Q4I/AAAAAAAABTM/8qamg63Mqs0/s72-c/Jackson.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/this-isnt-it.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-6305604767201025587</guid><pubDate>Wed, 14 Oct 2009 13:52:00 +0000</pubDate><atom:updated>2009-10-14T09:22:44.471-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">peacomm</category><category domain="http://www.blogger.com/atom/ns#">owa</category><category domain="http://www.blogger.com/atom/ns#">Nuwar</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">dorf</category><category 
domain="http://www.blogger.com/atom/ns#">tibs</category><category domain="http://www.blogger.com/atom/ns#">storm</category><title>Say No to OWA Security Upgrade</title><description>Today we began seeing a large malware campaign from the Storm Worm. Yes, I said it, the Storm Worm. We haven't really seen much from this variant lately, unless you count its rebirth under the Waledac moniker, but not everybody does. I do believe these are written by the same team, however. I was under the impression that the old version had been ditched for the new, but I guess they've swept the dust off and given it another go.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/StXegKKaDQI/AAAAAAAABS8/sf0h_kbzB94/s1600-h/mailboxUpgradeAppRiver.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 220px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/StXegKKaDQI/AAAAAAAABS8/sf0h_kbzB94/s320/mailboxUpgradeAppRiver.png" alt="" id="BLOGGER_PHOTO_ID_5392460772911222018" border="0" /&gt;&lt;/a&gt;This campaign is very similar to one we saw two days ago from the same worm, with subtle differences in the body of the email that delivers the link to the malicious payload. On Monday, the emails pretended to be from your domain's engineering team informing you of "Server Upgrades" that were taking place and provided you with a link to expedite the process. Today's attack utilizes tokens to personalize the email to make it appear as if it is also coming from within your domain. This time apparently our technical support team made some security changes in "my" mailbox and I need to click the provided link to apply them. 
If they want changes made, I think they should just apply them themselves, heck, they've got the uber admin passwords already, but ok whatever, I'll bite - "click".&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/StXegRH-tZI/AAAAAAAABTE/pOw_F8pxOX4/s1600-h/mailboxUpgradeAppRiverWeb.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 310px; height: 320px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/StXegRH-tZI/AAAAAAAABTE/pOw_F8pxOX4/s320/mailboxUpgradeAppRiverWeb.png" alt="" id="BLOGGER_PHOTO_ID_5392460774780089746" border="0" /&gt;&lt;/a&gt;Next I find myself on a webpage that mimics an Outlook Web Access sign on page, once again personalized to appear to be specifically for my domain, though I will say it looks slightly odd. Instead of giving you the normal log in and password fields, they are replaced by a link to download the file settings-file.exe. Once executed the host computer is then infected with Nuwar.&lt;br /&gt;The Storm Worm is a mass mailing worm that harvests email addresses and mails itself to every address it finds. Once a PC is infected it becomes part of the botnet, and detection and sterilization becomes very difficult. 
Avoid these.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-6305604767201025587?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/GNrSTpr8vg4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/GNrSTpr8vg4/say-no-to-owa-security-upgrade.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/StXegKKaDQI/AAAAAAAABS8/sf0h_kbzB94/s72-c/mailboxUpgradeAppRiver.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/say-no-to-owa-security-upgrade.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-4284851387547439474</guid><pubDate>Tue, 13 Oct 2009 16:50:00 +0000</pubDate><atom:updated>2009-10-13T12:54:42.163-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Tax Scam</category><category domain="http://www.blogger.com/atom/ns#">malware</category><category domain="http://www.blogger.com/atom/ns#">fake tax email</category><category domain="http://www.blogger.com/atom/ns#">419 Scam</category><category domain="http://www.blogger.com/atom/ns#">Spam</category><category domain="http://www.blogger.com/atom/ns#">HMRC Virus</category><title>Underreported Taxes:The British Invasion</title><description>&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/StS6qJBJbyI/AAAAAAAAAgU/zxC6uqbWWuI/s1600-h/computer-virus11.jpg"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 199px; DISPLAY: block; HEIGHT: 200px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5392139887007330082" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/StS6qJBJbyI/AAAAAAAAAgU/zxC6uqbWWuI/s200/computer-virus11.jpg" /&gt;&lt;/a&gt; &lt;div&gt;&lt;/div&gt;Back on September 9th we 
began seeing an IRS-themed malware-distributing email campaign that played on people’s innate fear of everything IRS. Messages with the subject line "Notice of Underreported Income" were coming in mass quantities. Most often when we see a campaign invoking the IRS it is a phishing message that tries to trick you into giving out your personal financial information. This one was different as it was attempting to deliver a malicious payload to the unsuspecting user. A more detailed account of this IRS malware campaign can be found &lt;a href="http://blog.appriver.com/2009/09/notice-of-underreported-scareware.html"&gt;here&lt;/a&gt; in my colleague's September blog entry. The IRS malware campaign continued for over one month until yesterday when it changed. Here is an example of one of the landing pages from the IRS campaign. &lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/StS6hDydgVI/AAAAAAAAAgM/Fp2uOjnz0dY/s1600-h/irsscareware.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 238px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5392139730984730962" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/StS6hDydgVI/AAAAAAAAAgM/Fp2uOjnz0dY/s400/irsscareware.png" /&gt;&lt;/a&gt; Yesterday, we began seeing the very same campaign shift its strategy and point its attack at our friends “across the pond”. The new variant of these messages targets Her Majesty’s loyal subjects via the HMRC. They use the exact same technique to the “T” as far as the message goes, simply replacing the IRS with the HMRC. The landing pages of course look exactly like the page would, if it actually existed on the HMRC website. If you follow their instructions and click the link provided, you are prompted to run an executable file aptly named “tax-statement.exe”. This file contains [Trojan-Spy.Win32.Zbot.gen], an infection that carries a very high threat level. 
This infection will not only attempt to log and steal all of your personal information (logins, passwords, credit card info, mail server access codes, etc.) but it does not stop there. It also opens gateways for other malware to make its way onto your machine, most reportedly, rogue anti-virus programs (Scareware). This piece of malware has also proved very tricky to remove. Here is an example of the current message and landing page:&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 122px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5392139564107651762" border="0" alt="" src="http://3.bp.blogspot.com/_qUhp3IwflnM/StS6XWH3WrI/AAAAAAAAAgE/P8PfVTo2eYk/s400/message.png" /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_qUhp3IwflnM/StS6TbE52TI/AAAAAAAAAf8/qqzH7DnfXKQ/s1600-h/payload.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 284px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5392139496717932850" border="0" alt="" src="http://1.bp.blogspot.com/_qUhp3IwflnM/StS6TbE52TI/AAAAAAAAAf8/qqzH7DnfXKQ/s400/payload.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-4284851387547439474?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/RtMcpTU2dt4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/RtMcpTU2dt4/underreported-taxesthe-british-invasion.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_qUhp3IwflnM/StS6qJBJbyI/AAAAAAAAAgU/zxC6uqbWWuI/s72-c/computer-virus11.jpg" height="72" width="72" 
/><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/underreported-taxesthe-british-invasion.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-2654298997343551201</guid><pubDate>Fri, 09 Oct 2009 13:27:00 +0000</pubDate><atom:updated>2009-10-09T08:53:50.531-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">phishing</category><category domain="http://www.blogger.com/atom/ns#">operation phish phry</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><title>Operation Phish Phry</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/Ss9AXRI3reI/AAAAAAAABS0/26YRzp-ns3Y/s1600-h/phishphry.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 193px; height: 128px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/Ss9AXRI3reI/AAAAAAAABS0/26YRzp-ns3Y/s320/phishphry.jpg" alt="" id="BLOGGER_PHOTO_ID_5390598047467548130" border="0" /&gt;&lt;/a&gt;In a first time collaboration, Egyptian and US authorities work together to indict 100 suspects in a major international phishing ring. All of the defendants have been charged with bank fraud, aggravated identity theft, conspiracy to commit computer fraud, specifically unauthorized access to protected computers in connection with fraudulent bank transfers; and domestic and international money laundering. If convicted they could face a maximum of 20 years in a federal penitentiary.  According to the indictment, the Egyptian attackers stole bank account information and related personal information from an unknown number of victims and then hacked into accounts at two separate banks. The names of these banks have not been released. 
The American co-conspirators would then work to collect and transfer funds from victims' accounts, all of which were also American, to fraudulent accounts where the money was to be distributed. The Egyptians involved would have their share of the take wired to them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-2654298997343551201?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/TIBWjUn0WCY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/TIBWjUn0WCY/operation-phish-phry.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/Ss9AXRI3reI/AAAAAAAABS0/26YRzp-ns3Y/s72-c/phishphry.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/10/operation-phish-phry.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-618892456781497779</guid><pubDate>Tue, 29 Sep 2009 15:29:00 +0000</pubDate><atom:updated>2009-09-29T10:32:32.906-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Fake Microsoft update</category><title>Fake Microsoft Updates</title><description>A technique I see every now and again is the fake Microsoft update. These use a social engineering technique that seems to work more than others simply because people feel that they’re being proactive and safe when they install updates, which is true, but what happens when you get an unexpected update from someone like Microsoft? Well, that could turn into another matter entirely. 
Oftentimes malware authors will watch for recent patches made by companies such as Microsoft and rush out an exploit hoping to catch late patchers; other times they’ll find their own before the official disclosure. Regardless, users need a trained eye and a little common sense to avoid these malicious attacks. If you are a Windows user, it is always a good idea to have your automatic updates turned on, which is the default setting. This way, Windows will push down and install updates as they become available utilizing their BITS interface, which is the Background Intelligent Transfer Service. This way you don’t have to worry about it as much, and you’d know immediately upon receipt of an executable from “Microsoft” that this is a scam, besides the fact that when you download any sort of update from Microsoft’s download center, you’ll also realize that the file format is an .Msi, and not an .Exe. The updates came to inboxes with several different subject lines including: Important Security Update for Windows, Get the latest updates available for your computer’s operating system from Microsoft, Get Microsoft Windows XP for your PC, etc etc.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/SsIoZIyawSI/AAAAAAAABSk/O-h2m2wYk84/s1600-h/windows2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 200px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/SsIoZIyawSI/AAAAAAAABSk/O-h2m2wYk84/s320/windows2.png" alt="" id="BLOGGER_PHOTO_ID_5386912516609327394" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SsIoZTHWjvI/AAAAAAAABSs/RmdxqOAfYMc/s1600-h/windows.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 199px;" 
src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SsIoZTHWjvI/AAAAAAAABSs/RmdxqOAfYMc/s320/windows.png" alt="" id="BLOGGER_PHOTO_ID_5386912519381487346" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-618892456781497779?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/6FDB034Yreo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/6FDB034Yreo/fake-microsoft-updates.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_ktAVO86cbXQ/SsIoZIyawSI/AAAAAAAABSk/O-h2m2wYk84/s72-c/windows2.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/fake-microsoft-updates.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-4150084160815073476</guid><pubDate>Tue, 29 Sep 2009 14:38:00 +0000</pubDate><atom:updated>2009-09-29T10:04:24.077-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">419 Scam</category><category domain="http://www.blogger.com/atom/ns#">Spam</category><category domain="http://www.blogger.com/atom/ns#">email fraud</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">Nigerian scam</category><category domain="http://www.blogger.com/atom/ns#">Bank Scam</category><category domain="http://www.blogger.com/atom/ns#">fraud</category><title>From Africa With Love</title><description>&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIhwVJqEVI/AAAAAAAAAe8/NWL0Hp1XKVE/s1600-h/cafe.JPG"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 150px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5386905218483622226" border="0" alt="" 
src="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIhwVJqEVI/AAAAAAAAAe8/NWL0Hp1XKVE/s200/cafe.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIhjQNW_hI/AAAAAAAAAe0/5RoQXhaoHok/s1600-h/cafe.JPG"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;Over the past few days we have been seeing an increase in 419 scam letters. These are historically known to be sent largely from Nigeria, but lately South Africa has been the most popular point of origin. I know it is hard to believe that anyone would still fall for a scam like this, but believe it or not they still do. This scam usually begins with a letter or e-mail seemingly sent to a selected recipient but actually sent to thousands, making an offer that would result in a large payoff for you (the victim). The e-mail's subject line often says something like "I require your assistance ", "Claim Your Winnings!!". The details vary, but the usual story is that a person, often a government or bank employee, knows of a large amount of unclaimed money or gold which he cannot access directly, usually because he has no right to it. Other popular variations are the UK lottery winnings that you need only claim or the Millions of dollars that have been bequeathed to you. During the course of the scam the scammer will ask you to provide your bank account information, and this will lead to them requesting that you send a wire transfer (which is conveniently untraceable) to the scammer. There is literally no limit to the number of unique reasons that the scammer will tell you to justify you handing your money over to them; these guys are quite imaginative when seeing dollar signs. 
Most of these have come in attachments lately; two of these were in PDF format and the other an RTF.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Here are some of the letters we have quarantined in the past few days: (&lt;em&gt;click image to enlarge&lt;/em&gt;)&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIe3AFzp6I/AAAAAAAAAes/Mzs0fTf3ed0/s1600-h/Dadascam.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 93px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5386902034554529698" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIe3AFzp6I/AAAAAAAAAes/Mzs0fTf3ed0/s400/Dadascam.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_qUhp3IwflnM/SsIex-jfbbI/AAAAAAAAAek/V1glYG_sSjM/s1600-h/lotteryscam.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 328px; DISPLAY: block; HEIGHT: 400px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5386901948242816434" border="0" alt="" src="http://3.bp.blogspot.com/_qUhp3IwflnM/SsIex-jfbbI/AAAAAAAAAek/V1glYG_sSjM/s400/lotteryscam.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://2.bp.blogspot.com/_qUhp3IwflnM/SsIemS08AGI/AAAAAAAAAec/kPBXbIA8Dds/s1600-h/diamondscam.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 190px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5386901747526271074" border="0" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/SsIemS08AGI/AAAAAAAAAec/kPBXbIA8Dds/s400/diamondscam.png" /&gt;&lt;/a&gt; I decided that it was high time for me to speak to one of these individuals on the telephone, so I called Mr. Dada Williams, who was alleging to work with the Department of Minerals &amp;amp; Energy, South Africa. 
He answered the phone and I instantly knew that he was operating out of some type of call center (there was tons of background noise from other conversations and the sounds of typing). He was very polite and professional. He instructed me to send him my personal information consisting of full name, address, telephone number, occupation and age. He said he wanted to make sure that I would be a trustworthy candidate for this transaction. Next he asked if I would be able to come to South Africa; of course I can, I told him. He said that would be excellent and that this should take no longer than three days (and good thing, because I have a four-day rule on transactions that would net me less than 5 million dollars). Once I got there I would be meeting with the Bank Director and his Lawyers to go over some documents. I told him to be expecting my information and I left it at that. If you are reading this story I am sure that you are aware of these scams and are not at risk, but remember there are thousands of people that will fall or have fallen for these scams; just remember “There’s no such thing as a free lunch”. 
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-4150084160815073476?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/sPSdcpVAt28" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/sPSdcpVAt28/from-africa-with-love.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_qUhp3IwflnM/SsIhwVJqEVI/AAAAAAAAAe8/NWL0Hp1XKVE/s72-c/cafe.JPG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/from-africa-with-love.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-337473903600205354</guid><pubDate>Fri, 25 Sep 2009 13:44:00 +0000</pubDate><atom:updated>2009-09-25T15:31:48.486-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mac malware</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">vb conference 2009</category><category domain="http://www.blogger.com/atom/ns#">partnerka</category><title>Bounty Offered for Every Mac Infected</title><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrzPGjEnTpI/AAAAAAAABSc/vKEfnrFCP0c/s1600-h/one+bad.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 186px; height: 141px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrzPGjEnTpI/AAAAAAAABSc/vKEfnrFCP0c/s320/one+bad.jpg" alt="" id="BLOGGER_PHOTO_ID_5385406965829029522" border="0" /&gt;&lt;/a&gt;Sophos Researcher &lt;a href="http://www.virusbtn.com/conference/vb2009/abstracts/Samosseiko.xml"&gt;Dmitry Samosseikko&lt;/a&gt; 
recently presented some interesting news in the world of malware at Geneva's 2009 VB Conference. As Ryan Naraine reports in his blog &lt;a href="http://threatpost.com/blogs/apple-malware-bounty-infect-mac-earn-043-125"&gt;ones &amp;amp; zeros&lt;/a&gt;, Dmitry led conference attendees on a journey into the world of the Partnerka, a Russian network of spam and malware affiliates. The network is made up of thousands of "webmasters" who work to constantly drive web traffic to one another's sites, where they sell fake watches and fake pills. He pointed out the shift in focus from the PC to the ever-growing popularity of the Mac world. Through a site called Mac-codec.com the Partnerka was offering $0.43 for every Mac infected. The group even offered tools on their site to help: as the name would imply, fake video codecs, and fake security software.&lt;br /&gt;This certainly reflects Apple's growth in market share. Soon even the most naive of Mac users will realize that there was a reason why the new Snow Leopard OS shipped with Apple's new AV engine. Also, I've said it before, I'm not a Mac hater, more of a Mac FanBoy/Girl disliker. I would certainly own a Mac if I could afford one. 
I am currently accepting donations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-337473903600205354?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/sKiBsWHBB8c" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/sKiBsWHBB8c/bounty-offered-for-every-mac-infected.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrzPGjEnTpI/AAAAAAAABSc/vKEfnrFCP0c/s72-c/one+bad.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/bounty-offered-for-every-mac-infected.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-1981643305377235987</guid><pubDate>Thu, 24 Sep 2009 19:34:00 +0000</pubDate><atom:updated>2009-09-24T15:28:27.680-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Outlook Phishing</category><category domain="http://www.blogger.com/atom/ns#">fail whale</category><category domain="http://www.blogger.com/atom/ns#">rofl</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">twitter</category><title>More Trouble in Twitter-town</title><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrvNzT5J7VI/AAAAAAAABSU/pVCKnqKkZe8/s1600-h/harpoon.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 233px; height: 247px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrvNzT5J7VI/AAAAAAAABSU/pVCKnqKkZe8/s400/harpoon.jpg" alt="" id="BLOGGER_PHOTO_ID_5385124060848581970" border="0" /&gt;&lt;/a&gt;Becoming popular makes you a big target as Twitter has 
certainly found out first hand. They may have been dealing with many more issues than a lot of the previous big dogs had to, simply because the start-up was so small and the holes were many. Twitter has grown exponentially recently, and its security infrastructure has grown up a lot too - necessity is the mother...&lt;br /&gt;Unfortunately for them, and for those who use Twitter, there are still issues that come up, and the latest is a new phishing scheme that poses as an actual friend/follower/followee. This technique is no different than similar campaigns that have been seen attempting to socially engineer MySpace and Facebook users out of their log-in credentials. I'd imagine it started with a single account and branched out to the friends of the compromised account, then on to friends of friends, and on and on until here we are, talking about it.&lt;br /&gt;This phishing attack arrives as a direct message to your Twitter account from someone you know (whose account has recently been hijacked). The message itself says "ROFL Is this you on here?" with a link to a supposed video. The link takes the victim to a false log-in screen where the log-in credentials are stolen. 
Any user that is on their toes will realize that they were already logged-in and this is kinda phishy (pun intended - re: &lt;a href="http://library.duke.edu/blogs/libraryhacks/wp-content/uploads/2009/03/fail-whale.jpg"&gt;fail whale&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-1981643305377235987?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/tegatOjuHjI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/tegatOjuHjI/more-trouble-in-twitter-town.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrvNzT5J7VI/AAAAAAAABSU/pVCKnqKkZe8/s72-c/harpoon.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/more-trouble-in-twitter-town.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-7099112828221533919</guid><pubDate>Mon, 21 Sep 2009 15:15:00 +0000</pubDate><atom:updated>2009-09-21T11:03:26.923-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">DDoS</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category domain="http://www.blogger.com/atom/ns#">hackers</category><category domain="http://www.blogger.com/atom/ns#">pwned</category><title>And the Hackers Get Hacked</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sreju2ah71I/AAAAAAAABSM/AreGzFnhtJQ/s1600-h/pa.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 98px;" src="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sreju2ah71I/AAAAAAAABSM/AreGzFnhtJQ/s400/pa.png" alt="" 
id="BLOGGER_PHOTO_ID_5383951904820817746" border="0" /&gt;&lt;/a&gt;Recently a hacker's site that I monitor had the tables turned on them. This site contains phishing kits and techniques, Exploits and tools, mischievous (at best) tutorials, and even forums where users can brag about the recent defacements and conquests. Well, over the past week the site has been mostly unreachable thanks to someone who obviously doesn't believe in what's going on over there. This user who calls themselves "Catch Them If You Can" set out to dole out a little vigilante justice to these practicing cybercriminals by not only launching a DDoS attack against the site, but also hacked into the site's database in order to obtain the sites user list, email addresses and passwords which they passed on to Insecure.org's Full Disclosure List with the quote&lt;br /&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;"As you may know these are mostly based in Pakistan involved in illegal activities which &lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;include carding, hacking, cracking etc. &lt;/span&gt;&lt;p style="font-weight: bold;"&gt;&lt;span style="font-size:85%;"&gt; I am including this list of their users for law enforcement agencies to investigate and take action where neccessary. Currently their site is hosted in pacificrack.com's server. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt; WAR Against Cyber Crime&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;Catch Them If you can."&lt;/span&gt;&lt;/p&gt;&lt;p&gt;On the website one of the moderators posted a brief explanation as to why the site had been down, I found this little exchange to be quite humorous.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ktAVO86cbXQ/Sreji34-26I/AAAAAAAABR8/CmeRuMrD3JA/s1600-h/pak1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 145px;" src="http://3.bp.blogspot.com/_ktAVO86cbXQ/Sreji34-26I/AAAAAAAABR8/CmeRuMrD3JA/s400/pak1.png" alt="" id="BLOGGER_PHOTO_ID_5383951699058547618" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ktAVO86cbXQ/Sree1BhbjSI/AAAAAAAABRU/HPWmIXzJszM/s1600-h/pak2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 72px;" src="http://1.bp.blogspot.com/_ktAVO86cbXQ/Sree1BhbjSI/AAAAAAAABRU/HPWmIXzJszM/s400/pak2.png" alt="" id="BLOGGER_PHOTO_ID_5383946513323625762" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrejjRCpDJI/AAAAAAAABSE/4dhrAZGTOX4/s1600-h/pak3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 104px;" src="http://4.bp.blogspot.com/_ktAVO86cbXQ/SrejjRCpDJI/AAAAAAAABSE/4dhrAZGTOX4/s400/pak3.png" alt="" id="BLOGGER_PHOTO_ID_5383951705809947794" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The admin was obviously trying to avoid mentioning anything about their users list being obtained until Codeslayer1 pointed it out to him. 
To which Zombie_KsA immediately places blame and bans the user. Good stuff, he also calls these people n00bs which is kinda funny as they were the ones that were pwned in this case. It's also kind of funny to think that Catch Them if You Can may even have been coached by tutorials on their site, some are pretty detailed.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;As is the case with most of these sites, the "tools" are often trojans themselves, and the users are comprised of probably 5% security professionals monitoring these guys and 95% criminals. It's not a good place to hang out. Luckily the lifespan of many of these sites is usually short, and incidents like these will often force the users to evacuate, and admins to pack up shop and wait for things to cool down.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-7099112828221533919?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/VRuY_zO1AM4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/VRuY_zO1AM4/and-hackers-get-hacked.html</link><author>noreply@blogger.com (...phread)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_ktAVO86cbXQ/Sreju2ah71I/AAAAAAAABSM/AreGzFnhtJQ/s72-c/pa.png" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/and-hackers-get-hacked.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3945706898585874603.post-5666973941705733017</guid><pubDate>Tue, 15 Sep 2009 21:07:00 +0000</pubDate><atom:updated>2009-09-17T08:33:30.936-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">malware</category><category domain="http://www.blogger.com/atom/ns#">Appriver</category><category 
domain="http://www.blogger.com/atom/ns#">scareware</category><category domain="http://www.blogger.com/atom/ns#">Kanye West</category><title>Kanye: Stealing the Microphone and Your PC</title><description>&lt;a href="http://2.bp.blogspot.com/_qUhp3IwflnM/SrAFVBA_6nI/AAAAAAAAAeU/YjXhFjTHLTo/s1600-h/kanye3.png"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 139px" id="BLOGGER_PHOTO_ID_5381807413315758706" border="0" alt="" src="http://2.bp.blogspot.com/_qUhp3IwflnM/SrAFVBA_6nI/AAAAAAAAAeU/YjXhFjTHLTo/s200/kanye3.png" /&gt;&lt;/a&gt;The last couple of days have yielded a strong surge in headlines aiding to serve Scareware. We first noticed this resurgence with headlines regarding the anniversary of the 9/11 attacks, next was the Serena Williams meltdown. Today there were a whole new slew of pages serving malware reporting to be legitimate news stories. This morning Patrick Swayze’s death and this afternoon I came across Kanye West VMA 2009 the most recent target of poisoned search engine results serving up Malware/Scareware. &lt;div&gt;&lt;p&gt;In many of these instances the attackers are simply hacking sites that are already yielding high rankings in Google’s index for a particular search term. Then the attackers insert their malicious scripts that redirect users onto the Scareware payload sites. When the unsuspecting person uses a search engine to find related stories some of the search results contain these "poisoned" links.This technique is used in tandem at times with a more intricate approach. In many instances (instead of hacking a legit domain) the attacker will create their own domain. They will then employ some shady SEO practices to boost their domain high in search rankings thus leading the unsuspecting user to click on the link to the malicious site. &lt;/p&gt;&lt;p&gt;By the time I had returned to the latest page serving the “Kanye West” scareware it had already been labeled by Google to be malicious and was being blocked. 
Google identified the following domains as being used to distribute the malware on this site: getfreediscounts.com, usdisturbed.cn, try-your-destiny.com.&lt;a href="http://4.bp.blogspot.com/_qUhp3IwflnM/SrAEPmX76KI/AAAAAAAAAeE/ZB6uZIKW1rU/s1600-h/kanye2.png"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 86px" id="BLOGGER_PHOTO_ID_5381806220753234082" border="0" alt="" src="http://4.bp.blogspot.com/_qUhp3IwflnM/SrAEPmX76KI/AAAAAAAAAeE/ZB6uZIKW1rU/s400/kanye2.png" /&gt;&lt;/a&gt; Google issued a statement on Monday stating: "Using any Google product to serve or host malware is a violation of our product policies. In all cases, we actively work to detect and remove sites that serve malware from our search index and our ad network, and we immediately suspend accounts found to contain ads pointing to sites that install malware. To do this, we have manual and automated processes in place to enforce our policies." &lt;/p&gt;&lt;p&gt;Search result poisoning and SEO manipulation for serving malware is nothing new, but it is seldom seen with such frequency. This just goes to show that when browsing the web nowadays one must exercise more caution than ever. 
It would also be a good idea to utilize some sort of URL filtering to keep you protected from these zero day attacks.&lt;br /&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3945706898585874603-5666973941705733017?l=blog.appriver.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/jjDR/~4/nU8ea2WsA4E" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/jjDR/~3/nU8ea2WsA4E/kanye-stealing-headlines-and-your-pc.html</link><author>noreply@blogger.com (Troy Gill)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_qUhp3IwflnM/SrAFVBA_6nI/AAAAAAAAAeU/YjXhFjTHLTo/s72-c/kanye3.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.appriver.com/2009/09/kanye-stealing-headlines-and-your-pc.html</feedburner:origLink></item></channel></rss>

