New PPI Campaign

PPI being pay-per-install ...

This morning I saw some interesting transactions to:
hxxp://promoupdate.info/setup###.exe

where ### are numbers, for example, "519".

MD5: 1568edcd29629f577207d7396646b741

VirusTotal results 8/43 (report), detected as (among other names):
Win32:Hottrend-B

Turns out this is being spread through spammers, SEOers, etc. being financed in a PPI model, something that I have discussed before in the past. This time I have a screenshot to share related directly to the finance aspect of this particular PPI:


This post was created today. We can see from the PPI ad that those engaging in this particular campaign stand to make between $500 and $800 per 1000 installs (< $1 per install). The numbers in the executable, like "519" correspond to the account for the spammer/SEOer that is monetizing this. Domain: promoupdate.info Whois billing contact shows likely Russian affiliation: Here is the actual Affiliate Network setup by this guy:

Domain: twittre.net (private/masked Whois)
(note the RU nameservers)
Source of the twittre.net page actual reveals that the Affiliate website is loaded from rich-partners.com:
Domain: rich-partners.com
No surprise that the contact details are bogus, but the email address is legit, here's a past domain registered with these email credentials:
Robtex shows these other domains (all likely other PPI sites) on 91.188.60.10 (Sagade Ltd. <- not a surprise for some) in Latvia, hosting promoupdate.info:

Google Code hosting website used to spread malware again

Last year, there was discussion of Google Code, a site which allows developers to host their projects, being used to spread malware. We have now found yet another case where Google Code is being used to spread malware. According to Google Code site, “Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project comes with its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our project hosting service is simple, fast, reliable, and scalable, so that you can focus on your own open source development”. The malicious project in question has about 50+ executable stored in the download section of the project. Here is the screenshot of the malicious content:

Most of the files are executable files along with zipped “.rar” files. The time stamps show that the files have been uploaded over the course of the last month. This suggests that an attacker is actively using this free service to spread malware. Virustotal results for the first file, show that only 8 antivirus vendors out of 43 flagged the file as malicious. The detection ratio for second file is slightly better than that of the first file.

Let’s analyze first file which is “xin.exe”. When the first file is executed on the system, it will make several GET requests to download additional malware onto the system. Here is the first GET request,

A request for the “love.txt” file contains additional malware also stored on the Google Code site. Here is the link to an analysis of malware by Sunbelt security. The malware performs significant file, network and process activity to while infecting the system. Here is the packet capture of various requests to receive additional malware.

Further analysis of all files shows that they are all malicious threats including Trojans horses, backdoors, password stealing Keyloggers for online games such as “World of Warcraft” etc. Analysis of the file resources from ThreatExpert report indicates the possible country of origin is China. Interestingly, Google Code FAQ page says they will take down the whole project if they find malware being hosted on the project.

The question is how and when the Google Code team scans content hosted on their website to ensure that it’s not infected with malware? The first malicious file was uploaded on June 24, 2010, while this blog was written at the end of August – over a month has passed and still the malicious files are being hosted at the Google Code site. The attacker not only storing old malware but he is also actively uploading new malware on the site. The detection ration by AV vendors varies from reasonable to poor given the specific malware sample. As Google Code is free hosting website for developers, attackers are clearly taking advantage of the site to push their malware.

Have you hosted anything?

UPDATE: 2 September 2010

Google has immediately taken down the project and URL to that project is no longer accessible.

Umesh

Corporate Espionage for Dummies: HP Scanners

One Version of the WebScan interface on an HP scanner

Scanning functionality in
an alternate UI

Web servers have become commonplace on just about every hardware device from printers to switches. Such an addition makes sense as all devices require a management interface and making that interface web accessible is certainly more user friendly than requiring the installation of a new application. Despite typically being completely insecure, such web servers on printers/scanners are generally of little interest from a security perspective, even though they may be accessible over the web, due to network misconfigurations. Yes, you can see that someone neglected to replace the cyan ink cartridge but that's not of much value to an attacker. However, that's not always the case. I was recently looking at a newer model of an HP printer/scanner combo and something caught my eye. HP has for some time, embedded remote scanning capabilities into many of their network aware scanners, a functionality often referred to as Webscan. Webscan allows you to not only remotely trigger the scanning functionality, but also retrieve the scanned image, all via a web browser. To make things even more interesting, the feature is generally turned on by default with absolutely no security whatsoever.

The Insider Threat

With over $1B in printer sales in Q3 2010 alone, and with many of those devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many enterprises don't realize, is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so.

Want to know if your office LAN has any wide open HP scanners running? Run this simple Perl script to to determine if there are any devices on the local network running HP web servers.

Download hpscannercheck.pl

As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature.

The External Threat

Status screen

It's bad enough that many enterprises are running scanners that are remotely accessible by rogue employees, but what if those same scanners were accessible to anyone on the Internet? Whether intentionally set up as such or more likely accidentally exposed via a misconfigured network, there are numerous scanners exposed on the Internet, the majority of which are not password protected. In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version. Interestingly, based on the sample set examined, there was a greater likelihood that HP Photosmart scanners were not locked down as opposed to Officejet scanners. This finding actually makes sense, given that Officejet scanners tend to be marketed to corporate users, a group that is hopefully more likely to implement security protections on hardware/software.

Likelihood of Admin password being set
on scanner types identified

Example Google/Bing queries used to identify open scanners:

• "Estimate only. Actual ink levels may vary."
• inanchor:"page=printerInfo"
• "Estimated Ink Levels" "HP Photosmart" "Items Needing Attention"
• hp photosmart status "product serial number" "product model number"
• inurl:index.htm?cat=info&page=printerInfo
• inbody:"Estimated Black Ink Level"

The many variations of the HP web interface ensures that no single query will identify all exposed scanners, but as can be seen, with a little creativity, it is trivially easy to find exposed scanners.

The Wall of Shame

What sort of things do people leave on their scanners? In researching this blog, I saw checks, legal documents, completed ballot forms, phone numbers...and my personal favorite, Jim's diploma informing the world that he's now a Certified Mold Inspector - congratulations Jim!

Below are samples of documents remotely retrieved due to corporations using HP scanners that were not password protected, on misconfigured networks that exposed their scanners to the Web.

Signed documents

Voting Advice

Signed Checks

Technical Reports

Forms

Certificates

My advice - run the Perl script to see if you have any HP scanners on your network and if you do...lock 'em down quick, by setting the Admin password.

- michael

Beaconing Leads to Swarft Trojan & Suspicious Netblock

Often, open-source information helps to confirm our suspicion about certain web transactions being tied to an infection or download of something malicious. While conducting analysis on the results from some of my scripts that extract out potentially suspicious web transactions, I found web transactions that appear to be tied to a bot with keylogger / drop site functionality. Searching for open-source information reveals little to no information on the server or threat.

The infected host does an HTTP POST every 5 minutes to the URL:

hxxp://216.108.234.168/scr1p7-r5.php

The IP is part of a US netblock, Las Vegas NV Datacenter PREMIANET, swipt out to a customer in the Ukraine (UA):

Vladimir Miloserdov SERVERPOINT-CUSTOMER-SYNEJY (NET-216-108-234-166-1) 216.108.234.166 - 216.108.234.197

Here is the customer information for this small netblock:

CustName: Vladimir Miloserdov
Address: So,136
City: Donetsk
StateProv: DN
PostalCode: 83054
Country: UA
RegDate: 2009-05-24
Updated: 2009-05-24

Below is a snippet of the transactions seen.
Notice that the size of the POST is larger than the response from the server - over 20000 bytes compared to a very short response of 168 bytes. This means that the client is regularly pushing a fair amount of data somewhere and not receiving anything other than a very simple acknowledgment back. In the case of a normal web application, pushing data to a server usually has a larger response such as a webmail or blog interface.


Visiting 216.108.234.168 responds with the default Apache response “It works!”

Open-source searches show that the IP is blocked in a few block lists due to spam, e.g., Project Honeypot.

At a minimum this netblock is suspicious and should be alerted/blocked within your organization.

Reaching out to some colleagues, helped to reveal that this beaconing is likely tied to the Swarft Banking Trojan due to the “scr1pt7-r#.php” phone home URL path. This is a relatively new Trojan family, the Microsoft threat entry states, that the Trojan steals data that may “include credit card numbers, tax returns, login credentials or any other informed deemed to be of interest to the attacker. The collected data is then surreptitiously sent to the remote attacker via a variety of electronic means.” Technical details of the Trojan do not appear to be readily available in the open-source- I am in the process of back tracking and reaching out to the impacted customer to get additional information on the Trojan and the incident. Any new details will be shared in a follow-up post.

Also, if anyone has details on the above-mentioned netblock or Swarft Trojan, feel free to post a comment.

How many malicious "Hot Video" pages does Google show?

Last week I wrote about 3 million fake YouTube pages leading to fake antivirus pages. The day after the blog was published, they seemed to be gone from the Google index,  as search results were showing only 2 to 4 of the malicious pages. But now...they are back again.

After my last post, some questioned whether or not there were actually 3 million fake YouTube pages in the google index. In fact, Google contacted me to suggest that there were only 77 results. I disagree. Why isn't the total number of results straight forward? Although Google's search results may state that approximately 3 million results exist, the search engine won't actually deliver that number of raw results. Given that fact, how can we know the total number of pages currently indexed by Google for a particular query? Only Google know the exact number, but by issuing various different types of queries, we can make a reasonable estimate.

Attempt to get all pages

Since all the pages contain "page.php?page=" in the URL, and "Hot Video" in the title, we can try a single query to find all of them with: inurl:"page.php?page=" "hot video"

The Google search results currently show "About 2,990,000 results" (the number varied between 2.8 million and .4 million), but there are only 8 pages of results (90 links) shared, or 12 pages (121 links) if we click on " repeat the search with the omitted results included". 

3 million fake YouTube pages?

It may look like Google has indexed "only" 121 fake "Hot Video" pages (despite suggesting ~3 million results), but other queries paint a different picture.

Domain query

Let's take the first domain hosting malicious pages from the first query: addisonhouse.com.

To find out the number of fake YouTube pages hosted by this domain, we can try the following query: site:addisonhouse.com "hot video"

Google states that there are "About 7,850 results" but actually shares 51 pages of results (512 links).

For the domain memoryshack.net, Google indicates "About 204 results" and provides a total of 204 links for this search. For the domain theochristi.com, I get 245 results, etc.

"Hot Video" pages hosted on addisonhouse.com

A first estimate

An initial estimate can be obtained by multiplying the number of domains seen in the first query by an average of 250 pages. This gives an estimate of the minimum number of pages in Google's index. The real number is very likely much higher.

The 90 results form the first query show 90 different domains. This means there are at least 90 * 250 = 22,500 pages.

Many more domains

Are there only 90 domains infected with "Hot Video" pages as the first query suggested? Unfortunately, there are many more. Fake pages are being created for each search term found in Google Hot Trends.

For example, I checked a search that was popular 6 days ago: erica blasberg "hot video". On page 2, I found a fake YouTube page on a domain that is not listed in the first query: elijasalud.com.
On page 3 of the results, there is another domain not seen in the first query: sklep.aicom.com.pl.
etc.

New domain infected shown for a different search

Google has clearly indexed more than 90 infected domains, but it remains difficult to know the exact number.

How many could there be?

Attackers create one "Hot Video" pages for each popular search as shown in Google Hot Trends. There are 20 hot searches each day, but one search can be popular for several days. I've checked a few infected domains, and found pages created for searches popular on June 1st. So there are pages for at latest 90 days of popular trends on each domain.

That gives us 90 * 20 = 1,800 pages. Assuming that a few search terms that are popular over several days, we can use an estimate of 1,500 pages per domain. If Google indexed (only) 100 of these domains, that would be 150,000 fake Video pages.

Only Google knows the exact number of infected domains indexed, and the total number of malicious pages. We estimate that they have at the very least , 22,500 such malicious pages in their index. The number of 3 millions "Hot Video" page is not however inconceivable. It means Google would have indexed:

• 2,000 infected domains with 90 days worth of Google Hot Trends
• or 1,250 infected domains with 120 days worth of Google Hot Trends

"Hot Video" in action

Here is a video of a user browsing a "Hot Video" page, and being redirected to a fake AV page. Then I uploaded the malicious executable to VirusTotal - sadly, only 20% of the antivirus vendors detect the malware.

-- Julien

Help Contribute to the Cloud Security Alliance 'Top Threats' v2.0

In March of this year, at RSA 2010, the Cloud Security Alliance, officially unveiled the Top Threats to Cloud Computing. This was a collaborative effort that drew upon the expertise of some of the finest minds in the security industry to compile a list of threats facing both enterprises deploying cloud based solutions and the vendors providing the infrastructure. The original list took several months to compile with input from cloud vendors, consumers and researchers. In the end, the Top Threats to Cloud Computing v1.0 guidance was released, but it was always meant to be a starting point, not the end of the journey.

We're now working toward updating the Top Threats and plan to release the v2.0 list at the RSA Europe 2010 conference in October, but we need your help. You may have read v1.0 and thought "why did/didn't they include this particular threat", well now it's your chance to ensure that your voice heard. Whereas v1.0 was compiled by a closed group in the interest of 'putting a stake in the ground', we want v2.0 and future revisions to be a true open, collaborative effort with submissions from all those concerned.

Here's our plan:

1. Starting now, you have the ability to propose the inclusion of new threats to the Top Threats list by submitting them online.
2. We'll compile and summarize all submissions and present them to a judging panel
3. The panel will ultimately select the final v2.0 list, which will be released at RSA Europe 2010.

A summary of the v1.0 Top Threats to Cloud Computing is below, but please also see the detailed guidance, which is available here.

1. Abuse and Nefarious Use of Cloud Computing
• Service Models - IaaS & PaaS
• Description -  By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity.
2. Insecure Interfaces and APIs
• Service Models - IaaS, PaaS & SaaS
• Description - The security and availability of general cloud services is dependent upon proprietary APIs that may not have been adequately scrutinized.
3. Malicious Insiders
• Service Models - IaaS, PaaS & SaaS
• Description - The threat of a malicious insider is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.
4. Shared Technology Issues
• Service Models - IaaS
• Description -  Vulnerabilities within components of the underlying cloud architecture or the virtualization hypervisor could lead to inappropriate levels of control or influence on the underlying platform and/or unauthorized data stores.
5. Data Loss or Leakage
• Service Models - IaaS, PaaS & SaaS
• Description -  The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
6. Account or Service Hijacking
• Service Models - IaaS, PaaS & SaaS
• Description -  If an attacker gains access to the credentials of a cloud based platform, they can eavesdrop on activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites.
7. Unknown Risk Profile
• Service Models - IaaS, PaaS & SaaS
• Description -  When adopting a cloud service, details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging are often unknown, leaving customers with an unknown risk profile that may include serious threats.

See something you don't agree with? Then do something about it! Contribute to the v2.0 list.

- michael

66.220.17.200 A Haven For Swizzor

Update:
Based on a comment, I modified the title to be 66.220.17.200 versus DNSMADEEASY. Let me explain:

• DNSMADEEASY provides the resolution / name services for the domains in question
• Hurricane Electric / C2 Media provides the hosting / IP space (66.220.17.200)
• Tucows is the registrar for the registered domain names

When I was doing the analysis I was looking at free/cheap DNS services and their abuse, which was why I fixated on the name resolution services, DNSMADEEASY. However, there are multiple players supporting this Swizzor infrastructure and it should be explained as such.

Update 2:
Also, after I published the post, I checked and found that the hostname portion of the domain does not seem to matter / affect the ability to download the binary payload. For example,
hxxp://garbage.nb.host192-168-1-2.com/bins/int/9kgen_up.int
let's you download the binary (where "garbage" can be anything). It is likely that the hostname is used for tracking purposes to identify which sites / trojan packages are most successful. The listed fully-qualified domain names below are what was seen in the wild.

Post:
This may not be news for some of you, all it takes is a simple Google for something like host192-168-1-2.com malware. You’ll see a rich history of abuse from Trojan Swizzor ranging from 2009 to today:


host192-168-1-2.com is registered through Tucows and has resolution / name services provided through DNSMADEEASY. This robtex report shows the other related domains, each having a varying degree of abuse related to Swizzor:

adserver5.com
cidhelp.com
dns-look-up.com
host-domain-lookup.com
host127-0-0-1.com
host192-168-1-2.com
host255-255-255-0.com
lop.com
netbios-local.com
netbios-wait.com
range159-195.com
zone-media.com

Below is a brief list of recent domains used to host Trojan Swizzor payloads. Note the domains used / listed here include: host127-0-0-1.com, host192-168-1-2.com, host-domain-lookup.com, and host255-255-255-0.com:

All resolve to the Hurricane Electric IP: 66.220.17.200
Note, the above active/live list we provide is much more extensive that what is listed on MalwareURL for example. The URL paths to the malware within the above domains include:
/bins/int/9kgen_up.int
/bins/int/upd_admn.int
/bins/int/kr3.int
/bins/int/tp_map16.int


While they all have an "int" file extension, they are all PE32 executable files.

9kgen_up.int (Swizzor variant)
MD5: c79cd77012c848f93e0a8dfc28dee992
V/T (20/41)

upd_admn.int (Swizzor variant)
MD5: 43edfa7f55d4331ad2d3f5ca1bb4b999
V/T (22/42)

kr3.int (Swizzor variant)
MD5: ff7d4cbb6aa30bbf58d945e182700fb7
V/T (22/41)

tp_map16.int (Swizzor variant)
MD5: 599ebaed9e147ef8a0b6967dba2da040
V/T (24/42)

Swizzor is a Trojan that is typically installed via drive-by download or social engineering. It has the ability to interact with Internet Explorer through Browser Helper Objects (BHOs) to inject ads and to download/install other threats (for additional information see Microsoft's threat entry for Swizzor). In the particular variants that I downloaded, I saw C&C update activity to other related domains, e.g.,

hxxp://upd.host255-255-255-0.com/upd/check?version=0.1unk&fxp=614a69d6edf1b0f55a0a07bfd613edb3cceeefa1b7223878206dc7870f0307bf6e496e69
IP: 66.220.17.200

hxxp://ayb.host127-0-0-1.com/abt?udata=WWW_9WWW:5.60www:%20140445784:United%20States:program_started:1cb20aef0c84a243
IP: 66.220.17.154

I’m in the process of sending something along to Hurricane Electric / Tucows/ DNSMADEEASY now, but you may want to check the logs in your environment for systems connecting to the mentioned domains. Here's a continuation of the above list of recent Swizzor domains: