Archive for June, 2009

Russia and U.S. Cybersecurity Efforts

Tuesday, June 30th, 2009

The New York Times reported on the developing challenges governments face in confronting cybersecurity threats, in an article about the differing approaches of Russia and the U.S.: “The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.” The countries’ political leaders will meet later this week, which may result in higher levels of cooperation between law enforcement agencies on an international level, more discussion around treaties, or absolutely nothing at all. We’ll be watching.

Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys

Thursday, June 18th, 2009

We have been investigating and analyzing a variety of malicious components delivered by some recent downloaders. Some of the filenames stand out as unusual. In particular, “podmena”, which translates from Russian to English as a substitution or replacement made in a covert way (“pod” – “sub” or “under”, as in under cover; “mena” – the root of the word for exchange); thus, it often stands for “spoof”, “fake”, etc. “Spoof”. It is fitting.

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the many payloads during the phony codec downloader attacks described in previous posts here, here and here. The components seem to be part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver that runs at startup and attaches to \Device\Tcp, intercepting all TCP-related IRPs.

The DLL, upon startup, sends a DeviceIoControl() request to the driver opened on \\.\podmena\. The initial I/O control code tells the driver to monitor outbound TCP port 80 and redirect all packets to 127.0.0.1:8085. Then the DLL sends a second I/O control code to the driver, which activates the forwarding.

The DLL creates a bound listening port on 8085, which then acts as an HTTP proxy for all outbound port 80 traffic. Upon packet reception (after it is redirected by the driver), the DLL scans the requested URL for search keywords based on the domain name of the request (e.g. search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc.).

When a keyword is found, it submits the text to its parent controller (the binaries we have seen hard-code “zz-dn.com”, which is unavailable, and then fall back to 85.13.236.134, an IP hosted in London). Depending on some timing randomization, the DLL then loads up and sends the web browser to URLs based on the response it receives back from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, all of which hosted a variety of ads, even without visiting a search engine. The svchost process loaded with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.

Oddly, we have not seen higher-value targets like banking user IDs and passwords stolen by these components.
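As an added, defender-side example (not code from the original post): the behaviour described above leaves a handful of host-level indicators that are easy to check for during triage: a ServiceDll entry pointing at podmena.dll, a kernel driver named podmena, an svchost.exe process listening on 127.0.0.1:8085, and traffic to zz-dn.com or 85.13.236.134. The script below runs those checks over a constructed host snapshot. The snapshot line format, the SAMPLE_SNAPSHOT contents, and the function names are assumptions made for illustration; only the indicators themselves come from the post.

```python
"""Triage helper for the podmena click-fraud components.

The host snapshot is a constructed example in a simple line format
(assumed for illustration, not any real tool's output):
  service <name> <start-type> <image-or-dll>
  driver  <name> <path>
  listen  <proto> <local-addr>:<port> <pid> <image>
  conn    <proto> <local-addr>:<port> <remote-addr>:<port> <pid> <image>
  dns     <queried-name>
"""
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the post: the hard-coded controller hostname and its
# fallback IP, the loopback proxy port, and the component filenames.
CONTROLLER_HOSTS = {"zz-dn.com"}
CONTROLLER_IPS = {"85.13.236.134"}
PROXY_PORT = 8085
COMPONENT_NAMES = {"podmena.dll", "podmena.sys", "podmena"}

# Constructed snapshot: one infected svchost (pid 1044) next to benign entries.
SAMPLE_SNAPSHOT = """\
service  wuauserv  auto  C:\\Windows\\system32\\wuauserv.dll
service  podmena   auto  C:\\Windows\\system32\\podmena.dll
driver   tcpip     C:\\Windows\\system32\\drivers\\tcpip.sys
driver   podmena   C:\\Windows\\system32\\drivers\\podmena.sys
listen   tcp  127.0.0.1:8085  1044  svchost.exe
listen   tcp  0.0.0.0:135     812   svchost.exe
conn     tcp  192.168.1.20:49210  85.13.236.134:80  1044  svchost.exe
conn     tcp  192.168.1.20:49211  93.184.216.34:443 2200  firefox.exe
dns      zz-dn.com
dns      www.example.com
"""


@dataclass
class Finding:
    kind: str    # service | driver | proxy | c2 | dns
    detail: str


def _basename(path: str) -> str:
    """Last path component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(snapshot: str) -> List[Finding]:
    """Return one Finding per snapshot line that matches a podmena indicator."""
    findings: List[Finding] = []
    for raw in snapshot.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "service":
            name, _start_type, image = parts[1], parts[2], parts[3]
            if _basename(image) in COMPONENT_NAMES:
                findings.append(Finding("service", f"{name} loads {image}"))
        elif kind == "driver":
            name, path = parts[1], parts[2]
            if name.lower() in COMPONENT_NAMES or _basename(path) in COMPONENT_NAMES:
                findings.append(Finding("driver", f"{name} -> {path}"))
        elif kind == "listen":
            _proto, local, pid, image = parts[1], parts[2], parts[3], parts[4]
            addr, port = local.rsplit(":", 1)
            # The DLL's local HTTP proxy: svchost bound to loopback on 8085.
            if addr == "127.0.0.1" and int(port) == PROXY_PORT and image.lower() == "svchost.exe":
                findings.append(Finding("proxy", f"pid {pid} ({image}) listening on {local}"))
        elif kind == "conn":
            _proto, _local, remote, pid, image = parts[1:6]
            raddr, _rport = remote.rsplit(":", 1)
            if raddr in CONTROLLER_IPS:
                findings.append(Finding("c2", f"pid {pid} ({image}) -> {remote}"))
        elif kind == "dns":
            if parts[1].lower() in CONTROLLER_HOSTS:
                findings.append(Finding("dns", f"lookup of {parts[1]}"))
    return findings


def finding_kinds(snapshot: str) -> List[str]:
    """Sorted, de-duplicated list of indicator kinds present in a snapshot."""
    return sorted({f.kind for f in triage(snapshot)})


def findings_by_pid(snapshot: str) -> Dict[str, int]:
    """Count of network-side findings (proxy, c2) per pid, to spot the bad svchost."""
    counts: Dict[str, int] = {}
    for f in triage(snapshot):
        if f.kind in ("proxy", "c2"):
            pid = f.detail.split()[1]
            counts[pid] = counts.get(pid, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT):
        print(f"[{f.kind}] {f.detail}")
```

On a real host the snapshot would be assembled from the service and driver lists plus the socket table; the loopback listener on 8085 and the ServiceDll entry are the two checks worth keeping even if the controller address changes, since they describe the mechanism rather than a single sample.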

Wanna See Harry Potter and the Half-Blood Prince?

Thursday, June 18th, 2009

You’re going to have to wait for it to come out. And if you don’t, you may be sorry you didn’t wait.

The group pushing blackhat SEO tactics to abuse the most popular networks, including digg.com, blogspot.com and others, continues to prey on those interested in upcoming movie releases.

First, a user most likely will come across popularized phony links within the blogosphere. Here is an example of the group’s digg.com abuse, where they entice Harry Potter fans with text: ‘Watch “Harry Potter and the Half-Blood Prince” online free’, and fill up the digg comment list with related keywords to attract more search engines:

This link redirects to a blogspot post that contains more images from the movie itself, intensifying the anticipation and convincing the user that the movie is only one click away: ‘Watch “Harry Potter and the Half-Blood Prince” movie 2009 online for free’. See an example of the blog post here:

Clicking on any one of these links on the blog post redirects the user to the standard phony video offer:

It is here that the user is prompted to download and install the additional “streamviewer” malicious downloader component from exe-center .com at 64.20.38.171, which we have been monitoring. This phony viewer is really a downloader component that has been installing all sorts of malware, changing its selection of malware on a daily basis: Koobface (the digg user most likely is into social networking), adware, scareware, click fraud components, spambots, spyware and more. Missing out on an early peek at Harry Potter is then the least of the user’s worries.

This theme predictably will be used over p2p networks and other vectors of delivery in the coming weeks. Stay tuned.