Monday, March 30, 2009

GhostNet or Gh0st RAT: The Cyber Persecution of Tibet

For many members of the non-security research community, the New York Times story this week was big news: "Vast Spy System Loots Computers in 103 Countries". This morning's Google News has more than 750 related articles, and I applaud the work of the University of Toronto's Citizen Lab at the Munk Centre for International Studies at Trinity College for the excellent research and for sharing this story with the general public.



What does it look like to a Security Researcher though? Unfortunately, it's a very common story of a very simple case of Spear Phishing that can be accomplished with minimal effort and *IS* being accomplished on a daily basis against various special interests, including government agencies, military contractors, or just people who might have a lot of money to steal. As I've discussed in my presentations on Spear Phishing, including at the 2008 Department of Defense Cyber Crime conference, high-value targets deserve special targeting. But let's look at how special the targeting was in this situation.

The news that someone was creating specifically targeted spear phishing campaigns against Tibet and Tibetan sympathizers first came to my attention on March 24, 2008, when our friends at the SANS Internet Storm Center released the article, Overview of cyber attacks against Tibetan communities by Maarten Van Horenbeek. This was an in-depth follow-up to Maarten's initial report on March 21, 2008, Cyber attacks against Tibetan communities.

In the original article, Maarten describes the case this way:


The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:
  • Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;
  • The writing style of the purported sender is usually well researched to have the message look as believable as possible;
  • The content of the document actually matches closely what was discussed in the e-mail message;
  • Having legitimate, trusted, users actually forward along a message back into the community.


The messages contain an attachment which exploits a client side vulnerability. Generally these are:
  • CHM Help files with embedded objects;
  • Acrobat Reader PDF exploits;
  • Microsoft Office exploits;
  • LHA files exploiting vulnerabilities in WinRAR;
  • Exploitation of an ActiveX component through an attached HTML file.


At that time he showed how attachments with names such as "reports_of_violence_in_tibet.ppt" or "China's Tibet.pdf" contained exploits and were delivered in emails designed to elicit a trust response from readers who were sympathetic to the cause. Here's one email that Maarten shared:


All,

Attached here is the update Human Rights Report on Tibet issued by
Department of State of U.S.A on March 11, 2008.

You may also visit the site:

Tashi Deleg,

Sonam Dagpo

Secretary of International Relations
Department of Information & International Relations
Central Tibetan Administration
Dharamshala -176215
H.P., INDIA
Ph.: [obfuscated]
Fax: [obfuscated]
E-mail: [obfuscated]@gov.tibet.net or diir-pa@gov.tibet.net
Website: http://www.tibet.net/en/diir/


Maarten confirmed that the contact information was correct for a member of the Tibetan Government in exile in Dharamshala, India.

In the case of the Citizen Lab report, the name of the report was the first thing worth mentioning. The report was called "Tracking GhostNet: Investigating a Cyber Espionage Network". Why was it called GhostNet? Because the enabling technology in their investigation was a common Remote Administration Trojan called "Gh0st RAT" (that's Gh0st with a Zero).

It took about 30 seconds to find a copy of Gh0st RAT 3.6 in the Chinese underground community, complete with source code. The program is written in VC++ version 6.0. The source code makes clear that, as is the case with many Chinese distributed malware products, the current distributor is a Chinese speaker speaking to a Chinese audience, although the comments make it quite possible the code was originally authored and designed for English speakers. Here's an example Code Snippet:


/////////////////////////////////////////////////////////////////////////////
// CGh0stApp construction

CGh0stApp::CGh0stApp()
{
// TODO: add construction code here,
// Place all significant initialization in InitInstance

// 初始化本进程的图像列表, 为加载系统图标列表做准备  (translation: initialize this process's image list, in preparation for loading the system icon list)
typedef BOOL (WINAPI * pfn_FileIconInit) (BOOL fFullInit);
pfn_FileIconInit FileIconInit = (pfn_FileIconInit) GetProcAddress(LoadLibrary("shell32.dll"), (LPCSTR)660);
FileIconInit(TRUE);

HANDLE hFile = CreateFile("QQwry.dat", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)


(According to Google Translate, the Chinese here says roughly: 初始化本进程的图像列表 = "Initialize the image list of this process", and 为加载系统图标列表做准备 = "Icon to load the system ready to do list".)

While many of the notes in the source code have been rendered in Chinese, it still reads as though these are after-thought comments, and not the original author's words.

Still, Gh0st RAT has been in development as a Chinese tool for some time - the version that was popular in China in early 2008 was Beta 2.5, and it seems to have been primarily distributed by members of the "C.Rufus Security Team" or "CRST" through their website wolfexp.net (which is suddenly not online???). While wildenwolf's website seems offline, another CRST member, amxku, still has a great deal of notes available on his blog at amxku.net.

One of the main researchers in the SecDev project, Gregory Walton, previewed some of this report at a presentation he did in Dharamshala, India back on 26 August 2008 called "Year of the Gh0st Rat".

The Citizen Lab report investigates a large botnet which was enabled by the Gh0st Remote Administration Trojan. In their technical findings, they reveal that the members of the network of their investigation received emails with malicious attachments, very similar to what Maarten reported at ISC back in March. Here's one of the Citizen Lab report emails:


Something else very interesting emerges as we begin digging into some of the technical information shared in the Citizen Lab report.

For example, they mention two domain names used as Command & Control points by the Gh0st-infected machines they were tracking:

macfeeresponse.org and scratchindian.com

At the time the IP address they were tracking was 218.241.153.61, but now both of those domains are resolving to the IP 210.51.7.155, in China. Other domain names on that same IP address may be domain names of concern, including:

indexindian.com - opanpan@gmail.com
lookbytheway.com - losttemp33@hotmail.com
macfeeresponse.com - losttemp33@hotmail.com
macfeeresponse.org - losttemp33@hotmail.com
MSNxy.net - yglct@sina.com
MSNyf.net - yglct@sina.com
NetworkCIA.com - yglct@sina.com
ScratchIndian.com - opanpan@gmail.com
sysroots.net - yglct@sina.com
timeswindow.net - yglct@sina.com
womanld.com - yglct@sina.com
womannana.com - yglct@sina.com
ybbero.com - yglct@sina.com
yellowpaperofindia.com - losttemp33@hotmail.com
yfhomes.com - yglct@sina.com

A simple Google on most of these domain names will reveal that they are all known to be related to malicious software and botnet activity, but they are still sitting live in China.

The Citizen Lab report reveals that documents from a computer in the Dalai Lama's own office were being exfiltrated to "www.macafeeresponse.org" during the course of the investigation.

While their report focused on traffic related to this Tibet group, it is clear that there are many other groups, with covert traffic being sent back to China and elsewhere, and that it is trivial to create such an infection using commonly unpatched or underpatched exploits, easily downloadable malware, and hard-to-stop social engineering techniques.

If others are seeing data communicating with the domain names listed above, please take action. Report these communications so that we can learn what other groups, besides the Tibet group, may be losing intelligence and internal documents to these data stealing botnets.
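For anyone who wants to act on the request above, here is the kind of check I would run, as an added example (not code from the original post or from Citizen Lab): it parses the domain/registrant pivot list from this post into a watchlist, groups the domains by registrant e-mail so the three registrant clusters are visible, and then scans resolver query-log lines and firewall lines for the watch-listed names and the two IPs named above. The log lines are constructed for the example and the BIND-style query-log layout is assumed; the domains, e-mails and IPs are the ones in the post.

```python
"""Watchlist from the registrant pivot, scanned against DNS and firewall logs.

Added example, not from the original post. Domain/registrant pairs and the
two IP addresses come from the post; log lines below are constructed.
"""
import re
from collections import defaultdict

# "domain - registrant e-mail" pairs exactly as the post lists them
PIVOT_LIST = """\
indexindian.com - opanpan@gmail.com
lookbytheway.com - losttemp33@hotmail.com
macfeeresponse.com - losttemp33@hotmail.com
macfeeresponse.org - losttemp33@hotmail.com
MSNxy.net - yglct@sina.com
MSNyf.net - yglct@sina.com
NetworkCIA.com - yglct@sina.com
ScratchIndian.com - opanpan@gmail.com
sysroots.net - yglct@sina.com
timeswindow.net - yglct@sina.com
womanld.com - yglct@sina.com
womannana.com - yglct@sina.com
ybbero.com - yglct@sina.com
yellowpaperofindia.com - losttemp33@hotmail.com
yfhomes.com - yglct@sina.com
"""

# The C2 IP at the time of the report and the IP the domains resolve to now
WATCH_IPS = {"218.241.153.61", "210.51.7.155"}


def parse_pivot(text):
    """Return {domain (lowercase): registrant e-mail} from 'domain - email' lines."""
    watch = {}
    for line in text.splitlines():
        if " - " not in line:
            continue
        domain, email = (part.strip() for part in line.split(" - ", 1))
        watch[domain.lower()] = email.lower()
    return watch


def group_by_registrant(watch):
    """Cluster the watch domains by the registrant e-mail that owns them."""
    groups = defaultdict(list)
    for domain, email in watch.items():
        groups[email].append(domain)
    return {email: sorted(domains) for email, domains in groups.items()}


# Constructed resolver query-log lines (BIND-style layout assumed)
SAMPLE_DNS_LOG = """\
30-Mar-2009 09:12:01.123 client 10.0.5.17#51234: query: www.macfeeresponse.org IN A + (10.0.0.2)
30-Mar-2009 09:12:03.456 client 10.0.5.17#51240: query: update.microsoft.com IN A + (10.0.0.2)
30-Mar-2009 09:15:44.001 client 10.0.5.23#50011: query: ScratchIndian.com IN A + (10.0.0.2)
30-Mar-2009 09:16:10.777 client 10.0.5.23#50012: query: www.example.org IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def watch_parent(qname, watch):
    """Return the watch domain that qname equals or sits under, else None."""
    name = qname.lower().rstrip(".")
    for domain in watch:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(log_text, watch):
    """(client, queried name, registrant) for every query touching the watchlist."""
    hits = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        parent = watch_parent(match.group("qname"), watch)
        if parent:
            hits.append((match.group("client"), match.group("qname").lower(), watch[parent]))
    return hits


# Constructed firewall lines (iptables-style layout assumed)
SAMPLE_FW_LOG = """\
Mar 30 09:12:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=210.51.7.155 PROTO=TCP DPT=80
Mar 30 09:12:06 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.44 PROTO=TCP DPT=443
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_for_ips(log_text, watch_ips=WATCH_IPS):
    """Lines that mention any watch-listed IP, whatever the log format."""
    return [line for line in log_text.splitlines()
            if any(ip in watch_ips for ip in IP_RE.findall(line))]


if __name__ == "__main__":
    watch = parse_pivot(PIVOT_LIST)
    for email, domains in group_by_registrant(watch).items():
        print(email, "->", ", ".join(domains))
    for hit in scan_dns_log(SAMPLE_DNS_LOG, watch):
        print("DNS hit:", hit)
    for line in scan_for_ips(SAMPLE_FW_LOG):
        print("IP hit:", line)
```

Matching on the parent domain rather than the exact name matters here: the report saw exfiltration to "www.macfeeresponse.org", and a watchlist keyed only on "macfeeresponse.org" would miss that query if the comparison were exact.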

Wednesday, March 25, 2009

Bank Hacking Exposed: The Analyzer Affadavit

One of my favorite twitter friends, InfraGard member and PCI expert Michael Dahn (@sfoak), tweeted a link today to the Affidavit of Darren Hafnet, a Calgary Police officer working on the Commercial Crime unit, regarding the arrest of Ehud Tenenbaum (via this excellent WIRED ThreatLevel story). As we wrote back in September (see: Is The Analyzer Really Back?), Tenenbaum became a world-famous hacker for breaching more than 400 systems at the Pentagon, but was most recently picked up in Canada for master-minding a major bank heist via ATM cards.

An indictment, issued by Assistant US Attorney Melissa Marrus from the Eastern District of New York back in October, was extremely short on details, charging Tenenbaum, AKA Analyzer22@hotmail.com, with two counts - "Conspiracy to Commit Access Device Fraud" and "Access Device Fraud", "the aggregate value of which was equal to or greater than $1,000" (Title 18 Section 1029(a)(5), (b)(2), (c)(1)(A)(ii) and 3551) - although my PACER account shows there is a second "*Restricted*" document associated with case 1:2008cr00747.

The Canadian affidavit makes it clear how much greater than $1,000 we are talking about, and reveals quite a bit about the methods used by Tenenbaum and his gang.

The scam is referred to as a "PIN Cashout Conspiracy", and it works like this:

First, Tenenbaum uses SQL Injection techniques to break into a database-driven website which resides on a financial institution's network.

Then, he uses his access to the bank's systems to locate their ATM database.

If necessary, he alters the PIN for the cards he is planning to cash out.

Then he sells these card data to other criminals.

Those criminals create ATM cards using Tenenbaum's information, and drain the accounts. Tenenbaum receives a percentage of the proceeds - in this case "10-20%".
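The first step of that chain is the one a bank can actually remove, so here is an added example (mine, not anything from the affidavit or the post, which say nothing about the specific site or query involved) of the weakness class the affidavit names: a login query built by string formatting, beside the same query with bound parameters, run against a constructed in-memory SQLite table of customers. The table, the accounts and the column names are all invented for the example.

```python
"""String-built SQL beside its parameterized fix, on a constructed SQLite table.

Added example, not from the affidavit or the post. The 'customers' table,
its rows and column names are invented for this demonstration.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "s3cret", "1111"), ("bob", "hunter2", "2222")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The weak pattern: user input is pasted into the SQL text, so a quote
    character in the input ends the string literal and the rest is parsed
    as SQL.  This is the class of defect SQL injection exploits."""
    sql = (
        "SELECT username, card_last4 FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: the SQL text is constant and the values travel as bound
    parameters, so the driver never interprets them as SQL, whatever
    characters they contain."""
    sql = (
        "SELECT username, card_last4 FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bad_password = "x' OR '1'='1"   # a quote plus a tautology, for the demonstration
    print("vulnerable:", login_vulnerable(db, "alice", bad_password))   # every row
    print("safe:      ", login_safe(db, "alice", bad_password))         # nothing
    print("real login:", login_safe(db, "alice", "s3cret"))             # one row
```

The same two patterns apply to any database-backed page on a bank's network, not just a login form; in code review the thing to look for is any `execute` call whose SQL text is assembled with formatting, concatenation or f-strings from request data.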

The US Secret Service has revealed that during January and February 2008 they were investigating two such breaches involving Tenenbaum - one against OmniAmerican Credit Union of Fort Worth, Texas, and the other against Global Cash Card in Irvine, California. In April and May of 2008, it is also known that there were breaches of this nature against Symmetrex, a transaction processor in Florida, and 1st Source Bank in Indiana. Symmetrex cards were used by MetaBank - with branches in Iowa and South Dakota. Actual losses of more than $4 Million were experienced just by those brands.

Those who follow computer crime will not be shocked at the location of the servers the criminals used to carry out their attacks. The affidavit says some of the servers were located at HopOne Internet Corp in McLean, Virginia while "much of the traffic going through the HopOne servers was originating from the Dutch company LeaseWeb."

Through cooperative monitoring in the Netherlands and in the United States, Tenenbaum's MSN conversations have become part of the official court documents, including his confession to hacking the servers, and transactions where he sold many of the cards obtained. The cards were used by "cashiers" in Russia, Turkey, the United States, Canada, Sweden, Bulgaria, and Germany to drain the accounts. Tenenbaum charged between 10 and 20% of the total proceeds for his role, stating in one chat that he stood to earn between "350 - 400" - that's 400,000! (Unsure whether this was dollars or Euros.)

On April 28, 2008 Tenenbaum chatted with another criminal boasting that he had made himself a Windows administrator on the 1st Source Bank network, and had granted himself the ability to modify PINs on debit cards used by the bank's customers. This solves an ongoing problem for the criminals - as banks have locked down their Track 2 data on Debit cards, the criminals have had to find ways to break the encryption algorithms of the banks in order to modify the cards. With The Analyzer's method this is no longer necessary. While logged in to the Bank's system, Tenenbaum just set the PINs to whatever he desired and instructed his cohorts to burn cards that would use those PIN numbers.

In another chat, Tenenbaum boasts that he hacked the largest bank in Greece (alpha.gr) and "has friends" working in their network.

Tenenbaum was located, according to the Affidavit, by using the IP address from his chats to locate his office in Montreal, where he was set up as the director of "Internet Labs Secure, Inc". The Montreal police confirmed that this was Tenenbaum's residence on July 25, 2008. The same IP address, 69.70.122.98, was also confirmed to have accessed Global Cash Card's network.

Based on this information, Tenenbaum was arrested on August 28, 2008 in Montreal, and charged with fraud by the Calgary Police Service. Tenenbaum had entered Canada legally on an Israeli passport on March 11, 2008, which granted him permission to visit for up to six months.

One of the challenges that I am frequently given by investigators is "surely the criminals would not hack from their own IP address!" In this case, we have evidence that one of the "super hackers" both chats and logs in to banks from an IP address originating at his residence.

Interesting . . .

I wonder how many other banks have criminals running their networks for them without their knowledge?

(The Affidavit, courtesy of WIRED)

Thursday, March 19, 2009

Stop the Rumors: Quit SMSing about WalMart Gang Initiations

My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phones. Here's one of them:


Fwd: Do not go to any walmart tonight. Gang initiation to shoot 3 women tonight. Not sure which walmart. And confirmd on tv. Forward 2 all girls on ur phone


At least three different friends sent the message in the space of thirty minutes. I reassured them that it was just a hoax, and pointed them to the Urban Legends sites to see that this rumor has been going around for at least four years:


July 2005 email version:
http://urbanlegends.about.com/library/bl_memphis_gang_initiations.htm

December 2007 email version:
http://urbanlegends.about.com/library/bl_memphis_gang_initiation.htm

March 2009 SMS version:
http://urbanlegends.about.com/b/2009/03/18/police-walmart-gang-initation-rumors-are-false.htm

What was interesting to me though was how widespread the event is, and how each area seems to be treating it as a stand-alone event. Googling up the news has chiefs of police saying there is nothing to worry about, while others are promising a "state-wide investigation".

Apparently the best way to send a rumor is to text it to a teenager and tell her to send it to all her girlfriends.

In Delaware, the State Police are being inundated with calls, and have shared a copy of their message:


i don't noe how tru dis is but here it is. Dont go 2 any walmarts 2nite ther will be a gang initiation n dey have 2 kill 3 women at each store. Tell ur love 1s.


The Greenwood, South Carolina sheriff's office Major Lonnie Smith is promising that there will be extra patrols at their WalMarts Thursday night "as a precaution".

In Portage, Indiana police were on hand at local WalMarts after they "received information from high school students that there was going to be a shooting at a Wal-Mart as a gang initiation."

In Georgia police put out extra patrols, earning the outrage of at least one blogger who says tax payer money was wasted because the police couldn't use Google.

The Jefferson Parish, New Orleans sheriff says these are nothing but rumors, but "As a precaution, Normand is assigning additional personnel to the area as needed", Col. John Fortunato said.

Officers in Murfreesboro Tennessee showed more restraint when the rumors were making their rounds in January -- "An e-mail being distributed in Nashville and Rutherford County about gang initiations is fabricated," said Chief Deputy Virgil Gammon of the Rutherford County Sheriff's Department in a Jan. 18, 2008 article.

In Chattanooga Tennessee a version is circulating which names a specific store - the Gunbarrel Road Wal-Mart near Hamilton Place. Chattanooga Police spokesperson Jeri Weary said, "This is not a situation that has occurred in Chattanooga and there have been no reported incidents at any of the Chattanooga area Walmarts."

Police in Findlay Ohio told the local ABC 13 News that they've been told the rumors originated in South Carolina.

Police in Birmingham, Alabama were also calm about the situation -- "They circulate that kind of stuff every year," said Sgt. S. White of the Birmingham Police Department's East Precinct, interviewed by the Birmingham News. "Usually there is nothing to it."

The rumors are being reported in almost every city with a newspaper! Yuma, Arizona, Moline, Illinois, Palm Beach, Florida, Greeley, Colorado . . .

You get the idea . . . all around the country a text message rumor storm has police and concerned parents buzzing about something that everyone is quite sure is a hoax.

Wednesday, March 18, 2009

Carders do battle through spam - carder.su

We've seen several cases in the past where Law Enforcement action is triggered by one criminal actively and publicly spreading information (or mis-information) about another criminal's activities.

That seems to be the case in what is happening now, as a spammer is using an existing spam botnet to send messages about the Russian credit card trading site "carder.su".

Beginning on the afternoon of March 16th, the UAB Spam Data Mine began to receive copies of this email message:



So far we have 142 copies of this email, which came from 138 different email addresses, and were sent to 122 of our unique trap accounts. The emails had 13 different subject lines, but were otherwise the same:

Carders attack
Carders here
Carders online
Carders threat
Hazardous site
How is it possible?
Sale Data
Stolen bank accounts
Stolen credit cards
Stolen data
Terrible site
The threat of credit card
Where is the police?

There were also 132 unique IP addresses in the email headers, corresponding to the 132 bot machines which were used to send us this spam. It would be interesting to know what other spam is coming from these same bot machines. Fortunately, when you have a Spam Data Mine sitting around, that's a pretty simple query to make.

(Full list of IPs at the end of this article . . . if you recognize the botnet please let me know.)

Unfortunately, some IP addresses are less helpful than others . . . is it valid to say that these emails came from the same botnet, for example, when we haven't seen other email from them since October?

Emails from 213.25.157.1 (in Poland):

Date       | Email Subject
-----------+---------------------------------
2008AUG10 | debt consolidation calculator
2008AUG13 | loans for debt consolidation
2008AUG15 | debt consolidation loans
2008AUG21 | unsecured debt consolidation loans
2008AUG31 | credit check
2008SEP06 | a debt consolidation loan
2008SEP06 | debt busters
2008SEP06 | debt consolidation advice
2008SEP09 | profit debt consolidation
2008SEP25 | clear debt
2008SEP29 | help me get out of debt
2008OCT01 | credit cards debt
2008OCT15 | help to get out of debt
2008OCT26 | horses for loan
2008OCT29 | student loan debt

Or these from 212.26.246.161 (in Russia)

Date | Email Subject
-----------+----------------------------------------------------
2008APR30 | Greetings, I have learned an interesting thing
2008MAY06 | Merrill Lynch Business Centre - Changing a website


The next one is far more useful, because although it shows a long history of spam from the computer at 203.197.115.82 (in India), it also has spam from two weeks ago, which we know by the subject is a sign of a Waledac infected computer.


Date       | Email Subject
-----------+-------------------------------------------
2008OCT04 | Hi! I wanna chat with you!
2008DEC08 | Watches
2008DEC13 | Hi sweety
2008DEC26 | Swiss Branded Watches
2009JAN01 | Swiss Branded Watches
2009JAN04 | Don't settle for less
2009JAN03 | Swiss Branded Watches
2009JAN04 | Swiss Branded Watches
2009JAN05 | Swiss Branded Watches
2009JAN06 | Attention: Important Information!
2009JAN08 | Re: Miley loves it huge
2009JAN16 | Swiss Branded Watches
2009JAN24 | Pharmacy Discount for (email)
2009JAN21 | Russian queens are waiting.
2009JAN30 | Turn your bedroom life into a volcano of pleasure.
2009FEB05 | Add floors to your skyscraper special offer for (email)
2009FEB14 | Facing a love-making problem? We will solve all yout problems in few minutes.
2009FEB17 | Have you heard about Viagra for women?
2009FEB27 | Pharma Discount for
2009MAR02 | Regards The day of Love
2009MAR06 | Regards The day of Love


Unfortunately, that was the only machine in our pool which seemed to be a Waledac box. Another coincidence only.

While many of the 132 computers were to be found sending other spam in the UAB Spam Data Mine, there were not enough which sent recent spam to draw any definite conclusions on the botnet.
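Here is what that "pretty simple query" looks like in practice, as an added example (mine, not the UAB Spam Data Mine's own code or schema): a small in-memory SQLite archive of constructed rows whose dates and subjects mirror the three histories quoted above, the per-IP history query, and the rule this post applies by hand - a carder-spam sender counts as a Waledac box only if it has sent something recently that carries a Waledac-campaign subject, counts as "stale" if the carder spam is the only recent thing from it, and is otherwise "recent-other". The "The day of Love" marker is the subject this post itself reads as a Waledac sign; the 30-day window and the table layout are assumptions of the example.

```python
"""Per-sender-IP spam history with the Waledac subject rule from the post.

Added example, not the UAB Spam Data Mine's code. Rows are constructed;
their dates and subjects mirror the histories quoted in the post.
"""
import sqlite3
from datetime import date, timedelta

# Constructed archive rows: (sender_ip, sent YYYY-MM-DD, subject)
SAMPLE_ROWS = [
    ("213.25.157.1", "2008-08-10", "debt consolidation calculator"),
    ("213.25.157.1", "2008-10-29", "student loan debt"),
    ("213.25.157.1", "2009-03-16", "Carders attack"),
    ("212.26.246.161", "2008-04-30", "Greetings, I have learned an interesting thing"),
    ("212.26.246.161", "2009-03-16", "Stolen credit cards"),
    ("203.197.115.82", "2009-01-24", "Pharmacy Discount for (email)"),
    ("203.197.115.82", "2009-02-27", "Pharma Discount for"),
    ("203.197.115.82", "2009-03-02", "Regards The day of Love"),
    ("203.197.115.82", "2009-03-06", "Regards The day of Love"),
    ("203.197.115.82", "2009-03-16", "Hazardous site"),
    ("192.0.2.9", "2009-03-10", "Swiss Branded Watches"),   # never sent carder spam
]

# The 13 subject lines of the carder.su campaign, as listed in the post
CARDER_SUBJECTS = {
    "Carders attack", "Carders here", "Carders online", "Carders threat",
    "Hazardous site", "How is it possible?", "Sale Data", "Stolen bank accounts",
    "Stolen credit cards", "Stolen data", "Terrible site",
    "The threat of credit card", "Where is the police?",
}

# Subject phrase the post reads as a sign of the Waledac Valentine campaign
WALEDAC_SUBJECT_MARKERS = ("The day of Love",)


def load(rows):
    """Build the archive table (layout is this example's assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spam (sender_ip TEXT, sent TEXT, subject TEXT)")
    conn.executemany("INSERT INTO spam VALUES (?, ?, ?)", rows)
    return conn


def carder_senders(conn):
    """Distinct sender IPs that delivered any carder.su campaign subject."""
    placeholders = ",".join("?" * len(CARDER_SUBJECTS))
    rows = conn.execute(
        f"SELECT DISTINCT sender_ip FROM spam WHERE subject IN ({placeholders})",
        tuple(CARDER_SUBJECTS),
    ).fetchall()
    return sorted(row[0] for row in rows)


def history(conn, ip, since=None):
    """Everything one sender IP has sent us, oldest first, optionally since a date."""
    if since is None:
        return conn.execute(
            "SELECT sent, subject FROM spam WHERE sender_ip = ? ORDER BY sent", (ip,)
        ).fetchall()
    return conn.execute(
        "SELECT sent, subject FROM spam WHERE sender_ip = ? AND sent >= ? ORDER BY sent",
        (ip, since),
    ).fetchall()


def classify_senders(conn, campaign_date="2009-03-16", recent_days=30):
    """Label each carder-spam sender by what else it sent in the recent window."""
    cutoff = (date.fromisoformat(campaign_date) - timedelta(days=recent_days)).isoformat()
    labels = {}
    for ip in carder_senders(conn):
        recent = [subj for _, subj in history(conn, ip, since=cutoff)
                  if subj not in CARDER_SUBJECTS]
        if any(marker.lower() in subj.lower()
               for subj in recent for marker in WALEDAC_SUBJECT_MARKERS):
            labels[ip] = "waledac"
        elif recent:
            labels[ip] = "recent-other"
        else:
            labels[ip] = "stale"
    return labels


if __name__ == "__main__":
    db = load(SAMPLE_ROWS)
    for ip, label in classify_senders(db).items():
        print(ip, label)
        for sent, subject in history(db, ip):
            print("   ", sent, "|", subject)
```

The "stale" label is the honest answer for the Polish and Russian boxes above: a sender whose last spam before the carder messages was months ago tells you nothing about which botnet it belongs to today.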


Limiting our interest only to the most recent spam from the pool of IP addresses, we find that recently spammed sites from the same criminal include:

http://2009-film.ru/ - an illegal movie download site listing this contact information:

Tel: +7 (495) 504-14-43
ICQ: 431409065

As well as the Viagra-selling site, US HealthCare Inc, hosted in Korea and using the domain names:
bumpfold.com
blotcare.com
dunknew.com
dealrise.com
wallsdeals.com

A second set of recent Viagra sites, Canadian Healthcare, used Chinese auto-forwarding URLs in their spam, such as:

aqeakteny.giwhohov.cn
yzmjnq.giwhohov.cn

which forwarded to the Israeli hosted website:

maxitiny.com

A third set of pills was available from this Canadian Pharmacy website:

caringflattering.com

What about Carder.su?



What do we actually know about Carder.su? Not a whole lot, truthfully. We know it's a popular site - at its max there were more than 14,000 members logged in at the same time.

The WHOIS information for the domain says it is registered to "Private Person", but does give a phone number and an email address:

phone: +79164541122
e-mail: cardersu@ya.ru

A peek back at the WHOIS history shows it was originally registered by:

Maria A Ageeva
886824@mail.ru
+79124427798

From at least November 20, 2009 until March 10, 2009, "Private Person" used a gmail account of: cardersu@gmail.com

Their servers are hosted in Moscow on the 2x4.ru network, owned by Pavel Ivanov.
Ivanov has many interesting customers on his network 92.241.168.0/23. Fine folks like:

cyberterrorist.biz
bl4ckc4rd.ws (black card?)
unlimitedhack.cn
drugspurchase.com
seobiz.org
heihachi.net
coderz.ws
abuse-crew.cc
nukeuploads.com
glavforum.ru

I have to say, the 2x4.ru folks have suspended some of the porn sites that drop malware, so maybe they only cater to certain types of criminals. "gigatube.net" and "eroticzzz.info" were suspended for dropping malware, as was "swiss-warez.biz"



Do you recognize this botnet?



41.248.155.122
58.8.172.135
58.9.203.10
59.182.251.171
61.14.3.165
62.140.238.1
62.57.137.76
67.204.146.123
77.236.6.91
77.30.51.182
77.31.4.53
77.31.64.86
78.106.36.221
78.160.216.232
78.162.210.118
78.162.73.40
78.163.200.222
78.165.108.153
78.166.191.79
78.167.164.42
78.167.58.60
78.169.14.70
78.93.197.72
78.93.82.106
78.96.182.134
79.189.49.202
81.214.156.70
83.29.230.20
84.10.79.200
84.139.136.5
84.47.93.42
85.101.110.99
85.103.13.223
85.103.251.189
85.104.58.189
85.105.209.23
85.108.245.33
85.108.253.26
85.110.153.77
85.110.157.133
85.110.171.230
85.198.177.13
85.99.185.187
86.122.165.34
87.0.54.121
87.109.14.12
87.109.14.174
87.109.159.178
87.120.109.249
87.205.244.153
88.224.151.137
88.224.251.96
88.224.44.225
88.224.75.134
88.226.69.100
88.227.248.11
88.228.97.232
88.230.74.81
88.232.153.116
88.234.163.254
88.237.221.48
88.238.89.111
88.242.123.170
88.243.107.145
88.243.217.210
88.245.107.7
88.245.228.14
88.246.96.61
88.252.78.129
88.254.234.140
89.136.79.96
89.228.156.6
89.252.9.126
89.46.136.175
89.76.97.16
90.148.146.140
91.124.23.200
91.201.112.2
92.112.23.168
92.37.151.127
92.44.194.243
92.47.222.107
92.61.238.120
92.82.172.41
93.94.178.187
93.98.37.210
94.44.29.200
94.96.11.241
94.99.184.93
94.99.74.20
95.134.200.103
95.58.142.176
95.78.138.40
113.53.170.179
116.71.2.192
117.197.96.124
118.43.204.82
121.159.184.91
121.242.55.42
124.121.38.204
124.121.85.111
125.136.199.83
188.48.200.177
189.112.85.88
189.114.152.233
189.12.187.224
189.24.135.57
189.27.243.210
189.46.152.128
189.78.253.59
189.82.74.79
189.93.0.162
190.120.140.118
190.135.146.135
190.19.69.90
196.218.55.234
200.121.245.19
200.163.33.130
201.19.24.84
201.24.126.235
201.67.135.232
201.67.186.108
201.76.71.9
203.197.115.82
211.107.153.132
211.247.31.154
212.26.246.161
213.181.170.167
213.25.157.1
217.147.25.250
218.152.226.159
220.253.192.12

Monday, March 16, 2009

Waledac: Fake Dirty Bomb in Your City

In the February 25th edition of this Blog, Watch Out For Coupon Offers, we described how the Waledac malware family was being distributed in spam pretending to be from "The Couponizer". One of the unique additions to that campaign was that the criminal was using a GeoLocation service on his website to customize the website to reflect the location of your computer.



So, in my location, the headline reads "Powerful explosion burst in Birmingham this morning.", but that is because the criminal has resolved my originating IP and determined I was in Birmingham, Alabama.

In today's version of the Waledac spam, we see the same brief emails which were used in the Valentine's Day and Couponizer Waledac campaigns. A small phrase as the subject line, such as:

Haven't you been there?
I hope you are in good health
What a tragedy!
Take care about yourself!

and another small phrase in the body, such as:

Are you and your friends ok?
How do you feel?
I worry about you
We worry about you

followed by a link to a website, ending in "main.php" or "run.php" or "contact.php", or with no filename at all - just the path.

Clicking on the video controls will prompt for the download of an executable - "news.exe" in my case, which would join your computer to the spamming botnet.

VirusTotal gave a 7 of 39 detection rate for this malware.

click here for VirusTotal Report.

For whatever reason it seems that NOBODY is shutting down the Waledac domains. We reviewed 57 recent and current Waledac domains, and found that only six of them were not currently resolving.

Here is the list of domains associated with Waledac:

adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestbreakingfree.com
bestcouponfree.com
bestgoodnews.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
breakingfreemichigan.com
breakinggoodnews.com
breakingkingnews.com
breakingnewsfm.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
cherishpoems.com
codecouponsite.com
extendedman.com
farboards.com
funloveonline.com
funnyvalentinessite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
greatsvalentine.com
greatvalentinepoems.com
linkworldnews.com
longballonline.com
lovecentralonline.com
lovelifeportal.com
reportradio.com
romanticsloving.com
smartsalesgroup.com
spacemynews.com
supersalesonline.com
thecoupondiscount.com
thevalentinelovers.com
thevalentineparty.com
tntbreakingnews.com
wapcitynews.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com
worshiplove.com
youradore.com
yourbreakingnew.com
yourcountycoupon.com
yourgreatlove.com
yourlength.com
yourvalentinepoems.com

You can clearly see that some are "News", some "Coupon", and some "Valentine" related, but they are almost all still active and still infecting people's computers in an attempt to regrow the Waledac spamming botnet.

The domain names use only four different identities in their WHOIS data:

yanshi_ying@yeah.net (Yan Shi Ying)
ed30673637@126.com (Zhao Jun Hua)
meishengchang@163.com (LiPaul Kunshan Yunshu Gongsi)
wusong_ccc@126.com (Zhang Min)

We don't know the size of the Waledac spamming botnet right now, but we were able to quickly make a list of more than 1,200 machines which are currently "hosting" the webservers used by the malware. I've made a file available of 1,235 IP addresses currently hosting Waledac web proxy servers, but that is only a tiny sample of the overall population. Domain owners will find the IP addresses sorted by Country Code, then ASN/Organization, and then IP. Country codes of the bots include:

AR, AU, BA, BE, BG, BR, BS, BY, CA, CH, CI, CL, CN, CO, CS, CZ, DE, DK,
EE, ES, EU, FI, FR, GB, GE, HK, HU, IE, IL, IN, IR, IT, JP, KR, KZ, LT,
LV, MA, MD, MK, MY, NL, NO, PH, PL, PT, RO, RS, RU, SE, SI, SK, TH, TN,
TR, UA, US, UY, VN, and ZA.

(Quiz yourself - How many of those country codes do you know?
Need to cheat? - list of country codes)

The distribution of infected machines in my little snapshot is quite diverse. More than 300 networks from 60 different countries, with no network having more than 60 of the 1,235 machines on my list.

The top networks in my unscientific snapshot were:
59 machines - ComCast ASN 7922 (USA)
58 machines - Proxad ASN 12322 (France)
54 machines - Rogers Cable ASN 812 (Canada)
52 machines - AT&T ASN 7132 (USA)
51 machines - NTL Group ASN 5089 (Great Britain)
44 machines - Shaw Communications ASN 6327 (Canada)
34 machines - Charter Communications ASN 20115 (USA)
27 machines - ComCast ASN 33491 (USA)
26 machines - Road Runner ASN 11427 (USA)
20 machines - ComCast ASN 33278 (USA)

The full list is available as an Excel spreadsheet or as a CSV file.

Finding the Spam Before It's Spammed . . .

This morning I met with Brian Tanner, one of the UAB Malware Analysts, to determine what malware he should unpack for us this morning. I told him that I was interested in doing a quick check on the "Facebook" malware that we saw over the weekend. The only problem is that Ryan and the guys at Facebook had already had all those domains shut down. No problem. We'll just find the domains they are ABOUT to spam instead.

The UAB Spam Data Mine had received more than 500 emails yesterday in what we are calling the "Facebook Stripper" spam campaign.



The subject lines are each unique, having a suffix of "(Last rated by Random Name)", where Random Name has a first and last name randomly chosen. There are 32 base subjects though:

FaceBook message: Dancing Girl Drunk In The Pub- facebook Video
FaceBook message: Amateur Video - Perfect Girls striptease
FaceBook message: Art Of Exotic Dancing Striptease Series - video...
FaceBook message: Beautiful Girl Dancing Extrahard Striptease!
FaceBook message: Beautiful Girl Dancing Striptease! Cute!
FaceBook message: Beautiful girl hot dancing alone - video
FaceBook message: Beautiful Girls Dancing in the Club
FaceBook message: Dancing Girl loves herself - Amazing Clips
FaceBook message: Dancing girl oriental dance ...
FaceBook message: Dancing girls ... Funny and Hot Videos
FaceBook message: Erotic Dance Striptease
FaceBook message: Exotic Dance Video From facebook member.
FaceBook message: Extreme striptease dance video
FaceBook message: Facebook girl Striptease Beautiful dance
FaceBook message: facebook members Dancing In Striptease
FaceBook message: Girls Dancing on facebook Video
FaceBook message: Hot Girl Dancing At Striptease Dance Party
FaceBook message: Magnificent Exotic Dancing - video ...
FaceBook message: Magnificent girl dancing video clip
FaceBook message: Magnificent Girls dancing in front of camera
FaceBook message: Magnificent Girls dancing on stage
FaceBook message: Magnificent Girls extremely dancing
FaceBook message: Magnificent Striptease Dance
FaceBook message: Numerous of Magnificent Girls Dancing video
FaceBook message: Perfect Girl Dancing Video
FaceBook message: Perfect Girls Dancing - Video
FaceBook message: Smokin' and dancing girl
FaceBook message: These two girls are so... watch the video
FaceBook message: Two Magnificent Girls Dancing, More Info ...
FaceBook message: Two Magnificent Girls Dancing...
FaceBook message: Very Beautiful facebook girl Dance Video!
FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing


Yesterday the domains used in the spam were:

53445player.com
5436player.com
7636player.com
4346player.com
867player.com

While these domains were hosted on a large number of botnet-infected machines, their nameservers actually had static locations. They all used the nameservers "ns1.pvthstonline.com" (8.12.160.183) and "ns2.pvthstonline.com" (205.1.190.113).

Using a Passive DNS Replication service (*wave* to Florian), we checked to see what other nameservers were hosted on 205.1.190.113.

ns2.insdcertificate.com and ns2.shortcuttingv.com were both hosted on that IP.

We knew that the domains served by ns2.insdcertificate.com were old (we saw those mostly on the 13th): 342certificate.com, 234certificate.com, 656certificate.com, 767certificate.com and 867certificate.com. So we decided to look for domains that were served by ns2.shortcuttingv.com instead.

Sure enough, we found five domains - all registered THIS MORNING (it's only 10:40 AM here):

423adobe.com
545adobe.com
675adobe.com
685adobe.com
987adobe.com
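The nameserver-IP pivot described above, as an added example that is not code from the original post: starting from the spammed domains, follow NS records to the nameserver hosts, their A records to the nameserver IPs, and back out again to every other nameserver on those IPs and every domain they serve. The record set is constructed for illustration from the names and addresses quoted in the post; a real passive DNS service would return far more rows.

```python
from collections import defaultdict

# Constructed passive-DNS records (rrname, rrtype, rdata) built from the
# names and addresses quoted in the post, plus one unrelated pair as noise.
RECORDS = [
    ("53445player.com", "NS", "ns1.pvthstonline.com"),
    ("53445player.com", "NS", "ns2.pvthstonline.com"),
    ("5436player.com", "NS", "ns2.pvthstonline.com"),
    ("ns1.pvthstonline.com", "A", "8.12.160.183"),
    ("ns2.pvthstonline.com", "A", "205.1.190.113"),
    ("ns2.insdcertificate.com", "A", "205.1.190.113"),
    ("ns2.shortcuttingv.com", "A", "205.1.190.113"),
    ("867certificate.com", "NS", "ns2.insdcertificate.com"),
    ("423adobe.com", "NS", "ns2.shortcuttingv.com"),
    ("545adobe.com", "NS", "ns2.shortcuttingv.com"),
    ("example.com", "NS", "ns1.example.net"),  # unrelated noise
    ("ns1.example.net", "A", "192.0.2.1"),
]


def _index(records):
    """Build forward (name -> rdata) and reverse (rdata -> name) maps per rrtype."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for name, rrtype, rdata in records:
        fwd[(name, rrtype)].add(rdata)
        rev[(rdata, rrtype)].add(name)
    return fwd, rev


def pivot_nameserver_ip(records, seed_domains):
    """Return {nameserver: [domains]} for every domain that shares a
    nameserver IP with the seed domains; the seeds themselves are excluded."""
    fwd, rev = _index(records)
    # Step 1: nameservers of the known spam domains.
    ns_hosts = {ns for d in seed_domains for ns in fwd[(d, "NS")]}
    # Step 2: the static IPs those nameservers sit on.
    ns_ips = {ip for ns in ns_hosts for ip in fwd[(ns, "A")]}
    # Step 3: every other nameserver hostname resolving to those IPs.
    sibling_ns = {ns for ip in ns_ips for ns in rev[(ip, "A")]}
    # Step 4: domains delegated to those sibling nameservers.
    found = {}
    for ns in sorted(sibling_ns):
        domains = rev[(ns, "NS")] - set(seed_domains)
        if domains:
            found[ns] = sorted(domains)
    return found


if __name__ == "__main__":
    for ns, domains in pivot_nameserver_ip(RECORDS, ["53445player.com", "5436player.com"]).items():
        print(ns, "->", ", ".join(domains))
```

Domains that show up under a sibling nameserver but have not yet appeared in any spam are the candidates worth watching (or blocking) ahead of the next wave.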

We confirmed that 423adobe.com is being fast-flux hosted; it's currently using the IP addresses:

71.195.128.169 (ComCast in Brandon, MA)
75.138.113.226 (Charter Cable in Ashville, NC)
96.32.130.151 (Charter Cable in Alpharetta, GA)
98.209.65.175 (ComCast in East Lansing, MI)
208.120.237.132 (Mindspring in Brooklyn, NY)

Looking at some history on these IPs, we can confirm that they have previously hosted Bank of America "video demo malware", on domains such as 867certificate.com and aheadfixpatch.com, as well as previous days of the Facebook stripper malware, on domains such as 5436player.com, and facebooketus.com.

When we append the path "/home.htm" to one of the domains we are predicting will host today's campaign, we get the Facebook look-alike page, along with a popup telling us we have to download a new video player (which is actually the virus), now using the name "Flash_Adobe11.exe".



Uploading the malware to VirusTotal, we see that it is detected by only 4 of the 39 anti-virus products with which it is scanned. If you are relying on AVG, McAfee, Microsoft, Symantec, Trend, or pretty much anyone else to protect you from this virus, so far they don't know about it. (Our report to VirusTotal causes a copy to be sent to them for analysis though - which is one of the reasons we love VirusTotal!)

Click for VirusTotal report

File size: 36352 bytes
MD5...: d17008513f2c93933b92a392260c5cda

Brian finished unpacking the malware and confirms that this copy still sends its stolen credentials to Hong Kong's HostFresh network to the IP address 58.65.232.17.

Afternoon Update


We've now seen more than 300 copies of the "predicted" facebook spam, and the criminals have now shifted again to another group of domain names:

2433module.com
3445module.com
3499module.com
5464module.com
9873module.com

We've seen fewer than 4 copies of each of these latest domains, which carry a new piece of malware as well; you can find a VirusTotal report for it here:

http://www.virustotal.com/analisis/aadd5db3b69580412041681ea3bb65e7

Wednesday, March 11, 2009

ClassMates.com spam keeps sucking passwords

Yesterday we received more than 800 copies of spam email messages using a ClassMates.com subject to trick people into infecting themselves with a password stealing program.



There were two separate groups of websites. The first group of five domains all used the nameserver ns1.boxingmital.com. The domain names were:

brloadvideo.com (34 emails)
coreadminclass.com (42 emails)
meetingclassmatesserver.com (37 emails)
servesonline.com (44 emails)
updateunionplayer.com (54 emails)

This one had 29 different subject lines:

Classmates personal message: - Help me decide please....
Classmates personal message: "Help me to decide which way to choose?"
Classmates personal message: Can you help me to choose my final woman?
Classmates personal message: Girls Help me to Decide? I want as many answers as Possible please ...
Classmates personal message: Help me decide please - Wife Guys!
Classmates personal message: HELP ME TO CHOOSE A GOOD WOMAN PLEASE!
Classmates personal message: Help me to choose....Wife Guys!
Classmates personal message: Help me to decide a good and with best woman
Classmates personal message: Help me to decide my wife! - family
Classmates personal message: Help me to decide on a woman and wife?
Classmates personal message: Help me to decide on a woman.
Classmates personal message: Help me to decide on my family.
Classmates personal message: Help me to decide please!
Classmates personal message: Help me to decide what kind of woman better!
Classmates personal message: Help me to decide whether or not to tell my friend that ...
Classmates personal message: Help me to decide which woman better
Classmates personal message: Help me to decide which woman to choose?
Classmates personal message: Help me to decide. Making decisions about my family can be confusing.
Classmates personal message: Hi all, i need your opinion and help for choosing woman
Classmates personal message: Hi Guys Please help me to choose between the two womans.
Classmates personal message: Please help me to decide which way to choose
Classmates personal message: Please, help me to choose right woman!
Classmates personal message: plz help me to choose what to do, Wife is a beast!
Classmates personal message: Re:can you help me to choose a wife
Classmates personal message: Who can help me to decide where is right way.
Classmates personal message: Wife Guys! Help Me To Decide WIfe!!!
Classmates personal message: Wife Guys! information to help me choose the right way
Classmates personal message: Wife Guys! Need to decide Quickly what to do, PLEASE HELP ME.
Classmates personal message: Wife is a beast! can any one help me to choose


The bodies of the emails in this group looked like this:


Special video report March 10, 2009
Message from your group member:

"Should I leave my Crazy Fat Wife for a younger woman? Please look video and Help me to decide, please ........I need your help, if possible - Write your opinion on the page wall"


Proceed to open full message text:

http://classmates.messagecenter.filetime.videomessageid-toa3dk6b1.coreadminclass.com/msg4829.htm?/boundary/LOGIN=bf96xidehi5oqtc


Sincerely, Velma Lacy.
2009 Classmates Message Center.


The second group of emails also came from five different domains, which all used the nameserver "ns1.clickforghost.com". The domains in this group were:

clieckfordownload.com (120 emails)
installserverversion10.com (125 emails)
unionmeetflash.com (131 emails)
updtadeyouwinplayer.com (121 emails)
videoplayer11version.com (128 emails)

And the subject lines from this group were:

2009 Classmates - 2009 Meeting
2009 Classmates - Annual Meeting
2009 Classmates - Getting Video
2009 Classmates - Ill have more to say about the specifics of the meeting soon
2009 Classmates - Meetings
2009 Classmates - Save video fragments from movies with the simplicity of pressing ...
2009 Classmates Annual Meeting
2009 Classmates Annual Meeting -- Coming Soon! - Modern ...
2009 Classmates Annual Meeting & Exposition
2009 Classmates ANNUAL MEETING March 11, 2009
2009 Classmates Annual Meeting.
2009 Classmates FREE VIDEO CONFERENCING,
2009 Classmates Meeting Registration, Registration information, coming soon. ...
2009 Classmates Online Meeting - Fast. Easy. Secure
2009 Classmates start searching for friends, classmates, family
2009 Classmates TOLL FREE AUDIO, ONLINE ...
2009 Classmates Video Conferencing and Online Meeting Services
2009 Classmates Videos
2009 Classmates WEB CONFERENCING,
Annual 2009 Classmates Meeting has become the premier meeting
Annual Meeting - 2009 Classmates
Classmates 2009 Annual Meeting March
Classmates annual meeting as soon as possible - invitation
Get to Know Your Classmates - What Works
Greetings fellow members of the 2009 Classmates
Helping Classmates Understand invitations 2009 Classmates
Invite Your Friends and Get invited! 2009 Classmates
Meet your classmates -- join our social network
News - 2009 Classmates Annual Meeting.
One of your classmates have 4 kids...
One of your classmates have airplan...
One of your classmates have limo...
One of your classmates invitation...
One of your classmates lost...
One of your classmates new photos...
One of your classmates sent invitation to you...
One of your classmates wedding...
Save The Date! 2009 Classmates Annual Meeting soon.
Video Clips- 2009 Classmates!
What are your ol' classmates up to? > General Family & Friends ...
What is an Annual Return? 2009 Classmates


Special video report March 10, 2009
One of your classmates has sent you a video invitation:

"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."


Proceed to view full message:

http://classmates.messagecenter.asp.videomessageid-x0ajpo2vz1.updtadeyouwinplayer.com/msg4829.htm?/InterstitialControl/LOGIN=t8k6pqzb5azfjpw


Sincerely, Marion Lyon.
2009 Classmates Message Center.


In both examples, the name after "Sincerely" was randomly selected from a huge list of possible first and last names.
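Both lure URLs above put the brand name in a long chain of subdomain labels in front of a throwaway registered domain. As an added example, not code from the original post, here is a check that extracts the registrable domain from each URL and flags the ones where the brand appears only in the subdomain part; it assumes the registrable domain is the last two labels (no public-suffix list), and the third URL is a constructed benign one for contrast.

```python
from urllib.parse import urlsplit

# The two lure URLs quoted in the post plus one constructed legitimate URL.
SAMPLE_URLS = [
    "http://classmates.messagecenter.filetime.videomessageid-toa3dk6b1.coreadminclass.com/msg4829.htm?/boundary/LOGIN=bf96xidehi5oqtc",
    "http://classmates.messagecenter.asp.videomessageid-x0ajpo2vz1.updtadeyouwinplayer.com/msg4829.htm?/InterstitialControl/LOGIN=t8k6pqzb5azfjpw",
    "http://www.classmates.com/people/search",  # constructed, benign
]


def registrable_domain(host):
    """Last two labels of the hostname. Assumption: no public-suffix list,
    so hosts under country-code second-level domains (e.g. .co.uk) would
    need a real PSL lookup instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mismatch(url, brand):
    """True when the brand name is used in the subdomain labels but the
    registrable domain is not the brand's own."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: -len(reg)].rstrip(".")
    return brand in subdomain and not reg.startswith(brand + ".")


def flag_lures(urls, brand="classmates"):
    """Return the registrable domains behind every brand-mismatched URL."""
    return [registrable_domain(urlsplit(u).hostname or "")
            for u in urls if brand_mismatch(u, brand)]


if __name__ == "__main__":
    for domain in flag_lures(SAMPLE_URLS):
        print("lure domain:", domain)
```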

Once infected, the malware steals passwords from FTP sessions, POP3 and IMAP email sessions, ICQ sessions, and any webpages that seem to be prompting for a login. The stolen data used to be sent to UKR Telecom in these cases, but we've had another update. The data is now sent to HostFresh in Hong Kong at the IP address 58.65.232.17.

inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com

person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: 20071025


A VirusTotal report on the malware, which was named "AdobeMedia10.exe", can be found at the following URL (9 of 39 anti-virus products now know this is a virus; yesterday it was 6 of 39).

http://www.virustotal.com/analisis/eec39a519bd12b2c654bc541fd3a2907



For malware-analyst fans: I was out of the office, so I used "Eureka" to unpack the malware. You can find strings from the unpacked executable here:

http://eureka.cyber-ta.org/OUTPUT/c26213f4a96b0c5b9b2f4c98813ca264/