Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did…
But recently they've been noticeable enough to prompt Toni into doing some research on their registered domains. And the results are kind of frightening.
Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today.
Of those, 810 domains resolved as a fast flux. 1229 do not currently resolve. They're dead. (Or are they undead?)
These domains are used for both malware downloads and for pushing spam.
The next step is to get them taken down. No small task that.
On a Halloween related note, check out this silly website created by our Swedish office: UnitedViruses.org. And our PR folks have put together a few "costumes" of their own as well.
The website of the Ukrainian President Viktor Yushchenko has been under a DDoS attack for a while. Russian groups are currently being blamed for the attack.
New tactics from the Storm gang can be seen as they celebrate with Halloween. Below is the look of the latest Storm site:
With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ
This may be a Trick, and a bad Threat from the Storm gang, so be sure to keep your databases updated.
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.
In the end, the massive spamming did not lead to major problems, since the secondary download location was swiftly taken down, which stopped the downloader from functioning.
The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
More information is available in our full description.
More on the scope of the vulnerability is available via a ZDNet article.
We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.
Here's an example:
This link takes you to a website called thebudshop.hk (not to be mistaken with thebodyshop.com):
Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.
Let's see where the actual server is hosted:
Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.
Let's take a closer look at the WHOIS record of thebudshop.hk:
Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:
All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for each other.
We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.
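The two observations in the posts above (the Warezov domain census that splits domains into fast-flux and dead, and thebudshop.hk resolving to a new set of home DSL addresses every few minutes with nameservers that point at each other) are both things an analyst can check mechanically once repeated lookups have been collected. The following is an added example, not code from the original post: it classifies domains from a series of constructed resolution snapshots and then finds groups of domains that host nameservers for one another. The thresholds, domain names, addresses and the two-label parent_domain() rule are assumptions made for the example; a real tool would use a public-suffix list and tune the thresholds against known-good data.

```python
from collections import defaultdict

# Constructed resolution snapshots: (domain, minutes since first lookup, A records, TTL in seconds).
# Made up to mimic what repeated lookups of a fast-flux domain, a normal domain and a dead domain look like.
SNAPSHOTS = [
    ("flux-example.test", 0, {"203.0.113.10", "203.0.113.25", "198.51.100.7"}, 300),
    ("flux-example.test", 5, {"203.0.113.25", "198.51.100.40", "192.0.2.66"}, 300),
    ("flux-example.test", 10, {"192.0.2.66", "198.51.100.90", "203.0.113.130"}, 300),
    ("static-example.test", 0, {"192.0.2.1"}, 86400),
    ("static-example.test", 5, {"192.0.2.1"}, 86400),
    ("static-example.test", 10, {"192.0.2.1"}, 86400),
    ("dead-example.test", 0, set(), None),
    ("dead-example.test", 5, set(), None),
]

# Constructed WHOIS-style nameserver listings (domain -> nameservers). Nothing here is real.
NAMESERVERS = {
    "shopa.test": ["ns1.shopb.test", "ns2.shopc.test"],
    "shopb.test": ["ns1.shopc.test", "ns2.shopa.test"],
    "shopc.test": ["ns1.shopa.test", "ns2.shopb.test"],
    "legit.test": ["ns1.hostingprovider.test", "ns2.hostingprovider.test"],
}


def classify_domains(snapshots, min_distinct_ips=5, max_ttl=600, min_turnover=0.5):
    """Label each domain 'dead', 'fast-flux' or 'static' from its resolution history.

    A domain is fast-flux when it has answered with many distinct addresses, a large share
    of each answer was not present in the previous one, and every answer carried a short TTL.
    Thresholds are assumptions for this example.
    """
    by_domain = defaultdict(list)
    for domain, minute, ips, ttl in snapshots:
        by_domain[domain].append((minute, frozenset(ips), ttl))
    result = {}
    for domain, rows in by_domain.items():
        rows.sort()
        resolved = [r for r in rows if r[1]]
        if not resolved:
            result[domain] = "dead"
            continue
        distinct = set().union(*(r[1] for r in resolved))
        # Turnover: fraction of the addresses in each answer that were absent from the previous answer.
        turnovers = [len(cur - prev) / len(cur)
                     for (_, prev, _), (_, cur, _) in zip(resolved, resolved[1:])]
        turnover = sum(turnovers) / len(turnovers) if turnovers else 0.0
        low_ttl = all(ttl is not None and ttl <= max_ttl for _, _, ttl in resolved)
        if len(distinct) >= min_distinct_ips and turnover >= min_turnover and low_ttl:
            result[domain] = "fast-flux"
        else:
            result[domain] = "static"
    return result


def summarize(classes):
    """Count domains per label, the way the census above reports fast-flux vs. dead."""
    counts = defaultdict(int)
    for label in classes.values():
        counts[label] += 1
    return dict(counts)


def parent_domain(hostname):
    # ns1.shopb.test -> shopb.test. Assumes two-label registrable domains (an example simplification).
    return ".".join(hostname.split(".")[-2:])


def crisscross_clusters(nameservers):
    """Group domains whose nameservers live under each other's domains (criss-crossed DNS)."""
    domains = set(nameservers)
    adj = defaultdict(set)
    for domain, ns_list in nameservers.items():
        for ns in ns_list:
            host = parent_domain(ns)
            if host in domains and host != domain:
                adj[domain].add(host)
                adj[host].add(domain)
    seen, clusters = set(), []
    for start in sorted(domains):
        if start in seen or not adj[start]:
            continue
        stack, component = [start], set()
        while stack:  # plain depth-first walk over the mutual-nameserver graph
            d = stack.pop()
            if d in component:
                continue
            component.add(d)
            stack.extend(adj[d] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters


if __name__ == "__main__":
    classes = classify_domains(SNAPSHOTS)
    print(classes, summarize(classes))
    print(crisscross_clusters(NAMESERVERS))
```

The nameserver check deliberately ignores domains whose nameservers belong to a hosting provider outside the set being examined, so shared commercial DNS does not produce false clusters; only domains that vouch for each other are grouped.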
Most of the day-to-day malware that we currently analyze has a financial motive. Such malware typically doesn't do anything noticeably malicious as it doesn't want to tip-off the victim.
But every now and then, we see something that's just plain nasty. Yesterday, Marko analyzed such a sample that we now detect as Trojan:W32/Agent.DPL.
This particular piece of malware appears to have a political rather than financial motive. A system infected with Agent.DPL displays the following message when Windows starts:
And it attempts to connect to www.kalonzomusyokaforpresident.com.
The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka. He launched his presidential campaign on October 14, 2007. Kenyan elections will be held in December. Note that the malware quotes Francis rather than Stephen.
Agent.DPL hacks the registry so that the user is unable to locate key Windows functions. This image shows the missing Control Panel icon as well as a few other things.
If any Control Panel apps are launched from another location, they'll be shut down by the malware.
Our guess is that by making the computer next to useless, Musyoka's detractors hope to shift the blame to him. But then again we don't know that much about the political situation in Kenya…
Our description — Trojan:W32/Agent.DPL — provides additional details, including an unusually easy way to disable it.
Greetings from the RSA Europe conference. This year it's being held in the Excel Conference Center in London.
The conference has many different tracks: authentication, business trends and impact, deployment strategies, developing with security, enterprise defense, hackers and threats, and a few others.
Several leading security experts including Bruce Schneier are participating in the keynote sessions. And to crown it all off, the closing keynote session is hosted by Frank W. Abagnale, the world-famous authority on fraud and identity theft. This name rings a bell, doesn't it? Indeed, Frank was the subject of the major motion picture "Catch Me If You Can", directed by Steven Spielberg and starring Leonardo DiCaprio and Tom Hanks.
Here's the given address for the later half of 2006:
The 555 reminded us of the fake phone numbers used in Hollywood movies so we decided to do a search on the address. There were lots of results. It was when we searched for "555 8th Ave" and e-gold that we discovered an interesting case from the past.
On February 22nd of 2006, the Manhattan District Attorney's office indicted three people for laundering $25 million via their business called Western Express:
Western Express was hosted at Paycard200.com. Here's the page courtesy of the Wayback Machine:
Shortly after the indictment there's a message informing their customers that they have hired attorneys to fight the charges:
And then the case drops off the radar… Being curious, we called the District Attorney's office in New York for a follow-up. The couple running the website pleaded guilty to the charges against them and received 2 to 6 (Vadim) and 1 to 3 (Yelena) years in prison. Their son is apparently still a fugitive.
Recently, Mikko was interviewed by Gary McGraw of the Silver Bullet Security Podcast. Show #19 was posted yesterday.
From McGraw's site: "For the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. During this show, Gary and Mikko discuss Helsinki and Finnish pronunciation, whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko's prediction for the appearance of the first mobile botnet. They also chat about Finnish hip-hop."
A new Storm site advertises a networking application. That site looks like this:
However, a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves.
The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE.
This is one network you wouldn't want to join, so make sure to keep your databases updated.
Yesterday we added detection for a Trojan-Spy password stealer targeting Skype. The malware bills itself as Skype Defender, which sounds like a security plug-in.
Running the malware produces this dialog:
Once "installed", what looks like the Skype logon screen is displayed:
Attempting to use the logon screen produces an error message:
Note that the real Skype's sign in button is different than the malware's:
An unknown group has caused quite a hassle by publicly posting information about tens of thousands of user accounts.
A 4.5MB text file (passlist.txt) was uploaded to a Finnish website earlier today. The file contains usernames, e-mail addresses, passwords and uncracked password hashes of almost 79,000 user accounts. These accounts are mostly from different Finnish web forums.
It's quite trivial to find the correct password based on the password hash, assuming the password is "easy" and can be found from a password dictionary. The passlist.txt file claims that the hack was done by two Swedish hackers but this has already been disputed.
The case exhibits some resemblance to an incident six weeks ago, where Swedish hacker Dan Egerstad published a hundred passwords to different embassies and government organisations. However, in that case the information was stolen by Mr. Egerstad by running rogue TOR exit node servers.
In today's case, the information has been stolen by unknown parties – most likely by hacking the servers of several Finnish web forums: that's pretty much the only way to gain access to the password hashes.
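The post above makes the point that an unsalted hash of a dictionary password is as good as the password itself once the hash leaks. The following is an added example, not code from the original post, that shows both halves of that: an exposure check a forum operator could run over a leaked user:hash list to decide which accounts need forced resets first, and the storage scheme (per-user random salt plus PBKDF2) under which the same precomputed table is useless. The account names, passwords and dictionary are constructed; the record format, iteration count and function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked list in "user -> hash" form. The hashes are unsalted MD5 of
# made-up passwords; nothing here is real data.
LEAKED = {
    "alice": hashlib.md5(b"sunshine").hexdigest(),
    "bob": hashlib.md5(b"Xk9#vQ2!rT7m").hexdigest(),
    "carol": hashlib.md5(b"password").hexdigest(),
}

# A tiny constructed password dictionary; real wordlists run to millions of entries.
DICTIONARY = ["123456", "password", "qwerty", "sunshine", "letmein"]

ITERATIONS = 200_000  # assumed work factor for the example


def exposed_accounts(leaked, dictionary):
    """Return the usernames whose unsalted MD5 hash equals the hash of a dictionary word.

    One table of hash(word) serves every account at once, which is why unsalted hashes leak
    "easy" passwords instantly. Only the usernames are returned: that is what a reset needs.
    """
    table = {hashlib.md5(word.encode()).hexdigest() for word in dictionary}
    return sorted(user for user, digest in leaked.items() if digest in table)


def hash_password(password, salt=None):
    """Store a password as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def salted_table_hits(records, dictionary):
    """Show that a precomputed table built without the salt matches nothing against salted records."""
    unsalted = {hashlib.sha256(word.encode()).hexdigest() for word in dictionary}
    return [user for user, record in records.items() if record.split("$")[-1] in unsalted]


if __name__ == "__main__":
    print("accounts needing a forced reset:", exposed_accounts(LEAKED, DICTIONARY))
    records = {user: hash_password(pw) for user, pw in [("alice", "sunshine"), ("carol", "password")]}
    print("table hits against salted records:", salted_table_hits(records, DICTIONARY))
    print("alice can still log in:", verify_password("sunshine", records["alice"]))
```

With per-user salts, two accounts sharing the password "sunshine" get different records, so an attacker who obtains the table has to attack each account separately and pay the PBKDF2 work factor for every guess.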
Bobbear fights money transfer frauds. Bobbear.co.uk lists many of the sites used by the bad guys attempting to recruit money mules.
Well, the bad guys have struck back. The fraudsters have attacked the site's reputation and Bobbear is currently offline. Earlier today, it was also unavailable via Google's cache.
Today we also happened to receive some spam that caught our interest. It was a job recruitment from Next Level — one of the fraud sites listed at Bobbear.
We examined the Next Level scam site until we made the connection to the real-world company whose web design was being ripped off by the fraudsters. They're Solutions Inc.
We discuss some of the details in this video, available from our YouTube Channel.
We'll follow-up next week with some additional details…
After a few weeks of low activity from the Storm gang they restarted their activities earlier this week. The mails and website were the same as from September but yesterday they changed the e-mail messages and also the website:
All the links point to SuperLaugh.exe, which we detect as Email-Worm.Win32.Zhelatin.KI.
Below are the lists of critical and important updates Microsoft has for this month.
These updates involve applications including Kodak Image Viewer, Outlook Express and Windows Mail, Internet Explorer, and a vulnerability in Microsoft Word. All of these could allow remote code execution and elevation of privileges. For more details on these updates, here's the link to Microsoft's Security Bulletin.
Most of the new phishing we see is done with phishing kits, like the Rock Phish kit.
But every now and then we run into "old skool" phishing. Like the site we're looking at today, servicecenter-us-eu.dk. This domain was registered to Mr. "Asger Trier Bing" in Copenhagen three weeks ago. Quite surprisingly, the site is even hosted in Denmark.
When visiting the front page of the site, you get redirected to a standard PayPal phishing site. Once you log in (with any credentials), you get redirected to a page for some "additional security checks".
Now, take a look at the list of questions they're asking.
It's quite astonishing that anybody would be gullible enough to go through the full form and type in all the required information. Like your e-mail password? Your father's day of birth? Your PIN? Then again… somebody will fall for this. Someone always does.
Sorry for the big screenshot. The site has been reported and should be down soon.
Editor's Note: The registrant noted above, Mr. Bing, is the victim of identity theft.
One of the difficulties with spy tool applications is that even if they are legitimately used – the application vendor still has the problem of properly handling confidential data.
Case in point: Mobile-Spy for Windows Mobile.
Until recently (the last 48 hours or so) they had an issue with their web interface. The issue potentially allowed access to any communication data collected by their software.
Now that they've resolved the issue, we'll explain…
By using their Demo account to log onto their system, you were only supposed to be able to access demo messages. The logon is found at the following URL:
This URL is from one of the demo messages that you're supposed to be able to view. Notice that the message ID is plainly visible in the URL. So, what happened if you changed the ID number in the URL?
We used 34841 as an example:
Last week the result of adjusting the URL was this:
And now the result is this:
So, Mobile Spy has corrected the potential problem. You can read more details from ZDNet.
This seems to have been the other vendor's solution: ignore reporters asking questions, fix the problem, then speak with the reporters and deny any knowledge of the issue.
With this approach to security – we wonder just how secure the rest of such spy tool applications are.
Updated to Add: We've received some communication from our readers that while Mobile-Spy's web interface issue has been addressed, the site may still be vulnerable to an SQL injection attack. We have not confirmed this, but if true, this means that all of the customer information is still accessible to anyone using the Demo account.
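The Mobile-Spy issue described above is a message lookup that trusts the ID in the URL and never asks whether the logged-in account owns that message; the update mentions SQL injection as the other way the same data could be reached. The following is an added example, not code from the original post or from Mobile-Spy, that models both in a small SQLite-backed store: a lookup that only keys on the ID from the URL, beside a hardened version that validates the ID, binds it as a query parameter and ties the row to the authenticated account. The table layout, account names, message IDs (34841 is taken from the post, the rest are constructed) and function names are assumptions for the example.

```python
import sqlite3


class AuthorizationError(Exception):
    """Raised when the authenticated account is not allowed to see the requested message."""


def build_store():
    """In-memory store with constructed data: a demo account and a paying customer, each owning messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, account_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "demo"), (2, "customer")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        (34840, 1, "demo message one"),
        (34841, 2, "customer's private message"),
        (34842, 1, "demo message two"),
    ])
    conn.commit()
    return conn


def get_message_vulnerable(conn, message_id):
    """The pattern described in the post: whoever is logged in gets whatever ID the URL names.

    The query is keyed on the ID alone, so a demo user who edits the number in the URL reads
    another customer's collected data. Splicing the raw URL value into SQL text (as a string)
    would additionally open the query to injection; the parameter is bound here so this
    example only demonstrates the missing ownership check.
    """
    row = conn.execute("SELECT body FROM messages WHERE id = ?", (message_id,)).fetchone()
    return row[0] if row else None


def get_message_secure(conn, username, message_id):
    """Hardened lookup: typed input, bound parameters, and the row must belong to the caller."""
    # 1. Anything that is not a plain integer is rejected before it reaches the database.
    if isinstance(message_id, bool) or not isinstance(message_id, int):
        raise ValueError("message id must be an integer")
    # 2. Placeholders: the values are passed to the driver, never concatenated into the SQL.
    # 3. The JOIN/WHERE ties the message to the authenticated account, so guessing IDs returns nothing.
    row = conn.execute(
        "SELECT m.body FROM messages m JOIN accounts a ON a.id = m.account_id "
        "WHERE m.id = ? AND a.username = ?",
        (message_id, username),
    ).fetchone()
    if row is None:
        # Same error whether the message does not exist or belongs to someone else:
        # the response must not reveal which IDs are in use.
        raise AuthorizationError("no such message for this account")
    return row[0]


def parse_message_id(raw):
    """Turn the URL query value into an int, refusing anything that is not pure digits."""
    if not raw.isdigit():
        raise ValueError("message id must be numeric")
    return int(raw)


if __name__ == "__main__":
    conn = build_store()
    print("vulnerable, demo user reads 34841:", get_message_vulnerable(conn, 34841))
    print("secure, demo user reads own 34840:", get_message_secure(conn, "demo", 34840))
    try:
        get_message_secure(conn, "demo", parse_message_id("34841"))
    except AuthorizationError as err:
        print("secure, demo user reads 34841:", err)
```

The ownership condition lives in the query itself rather than in a check after the fetch, so there is no code path that loads another customer's row and then forgets to compare owners; combined with parameter binding, the same function closes both the ID-guessing issue and the injection concern raised in the update.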