Archive for February, 2008

« Older Entries
Newer Entries »

cDc Hacktivist Tool Release

Thursday, February 21st, 2008

The Cult of the Dead Cow is a group that has been around for over a decade, presented by its members as an underground hacker/do-it-yourself media group. Every now and then, they release another “tool” as a result of their research. They are known mostly for their Back Orifice tool release in the late 1990’s. Unfortunately, it was only a taste of what was to come from the world of “RAT” development, or so-called remote administration tools. These sorts of tools were often used to maintain botnets and control over compromised systems for malicious purposes.

This new tool, the Goolag Scanner, is a stab at using Google’s technologies for security research (open to definitions of white, grey, or black hat), and a part of the cDc hacktivist response “to Google’s decision to comply with China’s Internet censorship policy and censor search results in the mainland-Chinese version of its search engine.” Its interface is similar to the popular Nessus vulnerability scanner. While use of the scanner most likely violates every contractual licensing agreement in the Google’s terms of service, it provides an automated method of evaluating web sites for vulnerabilities using “Google Hacks”, or “Dorks” that were popularized by “Johnny Hack” and his “Google Hacking Database“.

In line with their generally dark humor, this version of the scanner is being released as the “Stanley Kowalski” version, most likely in reference to an awful character from Tennessee Williams’ “Streetcar Named Desire”, along with a tough love usage statement:
“If this software does something bad to your computer or network or provides information that you have no legal right to see, then that’s your problem. In some countries this software might be illegal. Don’t be stupid, and don’t come whining to us if you get into trouble. You’ve been warned.”

Discussions on various security mailing lists wager on how long the site will remain up. It seems that the cDc presents the site as a parody of the google site itself:
It isn’t even a particularly good parody. As such, it is protected by the First Amendment.” It most likely will be up for a while:

Web admins should be sure to attend to the security needs of their servers.

Posted in Exploit, RAT | No Comments »

What’s in a name? — Adclicker agent spambots

Friday, February 8th, 2008

Sometimes family names from various AV products don’t really fit the behavior of samples that we are seeing. The naming conundrum has been an ongoing challenge for the AV industry. One serious attempt at a naming standard put forth by CARO in 1991 has been casually used for some time. But no product has been absolutely compliant over the past 17 years, and a message at the group’s site makes it seem that the group, and its half-used standards, is running out of steam:

Some leaders in the industry have called the latest attempt, the CME naming standard, dead. That is arguable, but the question remains, how effective is the CME standard at helping consumers of security software understand what they are being protected against and reducing the public’s confusion in referencing threats during “malware incidents”? Has it improved communication and information sharing between vendors and the rest of the community?

Currently, we are looking at a surge in malicious binaries in our user community that either are currently undetected by the major AV scanners or have been misnamed altogether. The file names for these binaries are random, but look like:
ciocrw.exe
fhydx.exe

The files are custom packed to make reversing more difficult. Most of these samples use an interesting encoded series of communication that would be described as botlike activity. This morning, they are pulling down “install_cn.exe” from a variety of sites, and then go on to spam out messages with sex-themed content from the infected host (links below intentionally modified):

You really can make your wife more gratified!
You dont know what to do? It’s more than simply
Follow this link to learn more
http://kfc< >esa.com/
Have an impassionedzealous love!

You have a nice chance to say goodbye to your sexual troubles
You dont know what to do? Here a recipe for you….
Use link to learn more…
http://dontw< >forsizes.com/
Have a passionate nights!

Make your lady-love satisfied!
You dont know how? It’s simply!
All details are here:
http://www.incr< >esizesnow.com/
Have a fervent love!

Related malware reports of previously detected and undetected samples, dating back to the end of November, show that the effort to release this stuff exhibiting similar behaviors and communicating with the same domains is not entirely new, and that family names provided by scanners differ across all the samples when they are first released.

Unfortunately, this leads us to believe that 2008 is becoming another banner year for spam and rogueware (the new adware).
So what to call it? We’ll see updates and modifications for this one, and it blurs the lines of the adclicker, spambot, zlob family characteristics and more. Right now, you might see this one prevented by ThreatFire as Trojan.ClizxkBot or Trojan.AdClicker. We hope not.

Posted in Adware, Bot, Spam | No Comments »

Infested stock message boards and a quick response

Wednesday, February 6th, 2008

Sometimes, surprising events in the financial news draw users to the message boards. On Yahoo!, individual stock message boards are usually a safe haven for posting and browsing.
Right now, one stock at the Yahoo finance site appeared to have an almost 60% drop for the day. Instead, the company might be performing a reverse split with little notice. There is no news headline about a reverse split for the company, so the next logical step would be to check out the message boards and see what other users might be sharing.

Once on the message boards, a user may fall for friendly advice like “This Video Forecast should help“”(link intentionally removed). DO NOT FOLLOW THESE LINKS RIGHT NOW. We decided to follow these links once we saw them. After following one of them, our goat lab systems became totally infected by malware and completely unusable. Adware, worms, multiple processes and more were overloading the system’s capacity. We can only post an image at this point of the link to the infecting site (DO NOT VISIT THESE LINKS). These attackers are acting quickly on the confusing financial news:

UPDATE: It seems that the web links spammed to the message boards may be linked to a handful of web servers that were compromised. For example, here is a list of spammed links to another message board. We highlight one in particular in red:

Here is the web page at the highlighted link’s destination, apparently revealing a compromised site. Most likely, the malware and exploits served up at these sites were the result of compromised servers:

The operators of these sites seem to be on top of the problem, and almost all of the links we’re visiting are now cleaned up.

These short lived and effective attacks can ruin your day. They lurk in the most unexpected of places, not just the adult and warez sites. Be sure to keep your security solutions updated.

Posted in Adware, Exploit, Social Engineering | No Comments »

« Older Entries
Newer Entries »