Friday, March 30, 2012

On-Going Dynamic FakeAV Campaign

Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites.  Digging deeper it appears that a malware campaign tied to massive WordPress compromises was the culprit.  This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites.  The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit.  Some major infected sites that remain live include: psoftsearch.com and sql-plus.com (careful if you visit these sites as they are currently infected).  We are in the process of reaching out to victim sites and assisting with handling the incident.  Here are the initial details:

There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.

The pages accessed in the campaign include:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d

Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/  (infected PeopleSoft search site)
-->
tank95ersfl.rr.nu/mm.php?d=x1
-->
tank95ersfl.rr.nu/n.php?h=1&s=mm
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/setup.exe

FakeAV page that dropped setup.exe:
MD5: 153ae4d1813c6d29a7809a62ff23f84c
VirusTotal reports 2/42 A/V vendors detect (very, very poor detection)

I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:
I refreshed the page, and sure enough the embedded link changed again.  Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.

protectcustodianmonitor.info resolves to 64.120.207.106 (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to blacklist - there are numerous other FakeAV sites hosted here (see list below).

It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
194.28.114.103 and 194.28.114.102 used in an earlier Sucuri post on this.
March 27 it was: 195.88.181.112
March 30 (today) it is: 91.230.147.204

A number of pages on sites have been compromised to drive this campaign.  For example:
www.psoftsearch.com
www.sql-plus.com
www.frozencodebase.com
www.megafuentes.com
www.sdamned.com
genaud.net
www.pumpkinpatchdaycare.in
indianmuslims.in

Infected websites have "eval(base64_decode(...));" statements injected into wp-config.php and other WordPress .php files. This code calls back to a command and control server to retrieve the list of ".rr.nu" sites to embed in the pages the site serves.
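The two indicators described above, the generated ".rr.nu" host pattern with its redirector paths and the eval(base64_decode(...)) loader injected into WordPress files, are easy to check for mechanically. The following Python is an added example, not code from the original post; the proxy log layout and the wp-config.php contents are constructed samples.

```python
import re

# Host pattern described in the post: [3-6 letters][2 digits][3-6 letters].rr.nu
RR_NU_RE = re.compile(r"^(?:www\.)?[a-z]{3,6}\d{2}[a-z]{3,6}\.rr\.nu$", re.IGNORECASE)

# Pages requested on those hosts during the campaign (from the post)
CAMPAIGN_PATHS = {"/n.php", "/mm.php", "/nl.php"}

# Injected PHP loader: eval(base64_decode("...")), optionally wrapped in gzinflate/str_rot13
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*base64_decode\s*\(",
    re.IGNORECASE,
)

# Constructed proxy log excerpt (simplified layout: client host path referer), not real data
PROXY_LOG = """\
10.0.0.5 www.psoftsearch.com /peoplebooks/ -
10.0.0.5 tank95ersfl.rr.nu /mm.php?d=x1 www.psoftsearch.com
10.0.0.5 tank95ersfl.rr.nu /n.php?h=1&s=mm tank95ersfl.rr.nu
10.0.0.5 protectcustodianmonitor.info /39f678a0d39279b6/3/ tank95ersfl.rr.nu
10.0.0.9 www.example.com /index.html -
10.0.0.9 abc12defg.rr.nu /nl.php?p=d www.example.com
"""

# Constructed wp-config.php with an injected loader; the base64 decodes to a harmless comment
WP_CONFIG = """\
<?php
/* constructed sample wp-config.php */
define('DB_NAME', 'wordpress');
eval(base64_decode("Ly8gcGxhY2Vob2xkZXI="));
define('DB_USER', 'wp');
"""


def is_rr_nu_redirector(host):
    """True if the host name fits the campaign's generated-domain pattern."""
    return bool(RR_NU_RE.match(host.strip()))


def flag_proxy_lines(lines):
    """Return (line_no, client, host, path) for requests to a generated .rr.nu host
    whose path is one of the campaign's redirector scripts."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        client, host, path = parts[:3]
        if is_rr_nu_redirector(host) and path.split("?", 1)[0] in CAMPAIGN_PATHS:
            hits.append((n, client, host, path))
    return hits


def find_injected_eval(php_source):
    """Return 1-based line numbers of eval(base64_decode(...)) chains in a PHP file."""
    return [n for n, line in enumerate(php_source.splitlines(), 1) if EVAL_B64_RE.search(line)]


if __name__ == "__main__":
    for hit in flag_proxy_lines(PROXY_LOG.splitlines()):
        print("rr.nu redirector request:", hit)
    for n in find_injected_eval(WP_CONFIG):
        print("injected loader at wp-config.php line", n)
```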

---

195.88.181.112 hosting information:

inetnum:         195.88.181.0 - 195.88.181.255
netname:         INET4YOU
descr:           PE Bogaturev Sergey Anatolievich
country:         RU

person:          Bogaturev Sergey
address:         RU, Gornuy Shit, Komsomolskiy str.
phone:           +7(495) 324-35-69

route:           195.88.181.0/24
descr:           Subnet for servers and VPS
origin:          AS57621
mnt-by:          INET4YOURU-MNT

route:           195.88.181.0/24
descr:           Client_TC_WIFI
origin:          AS57189
mnt-by:          COMCORNET-MNT

---

91.230.147.204 hosting information:

inetnum:         91.230.147.0 - 91.230.147.255
netname:         zuzu-net
descr:           OOO "Aldevir Invest"
country:         RU

person:          Krutko Evgeni Yurevich
address:         192012, St.-Petersburg, Chernova ul., 25, office 12
phone:           +7812850202
e-mail:          aldevirinvest@lenta.ru

route:           91.230.147.0/24
descr:           Route for DC
origin:          AS5508
mnt-by:          zuzu-mnt

---

protectcustodianmonitor.info domain information:

Registrant Name:Leah  Carandini
Registrant Street1:54 Ridge Road
Registrant City:Cordalba
Registrant State/Province:QLD
Registrant Postal Code:4660
Registrant Country:AU
Registrant Phone:+61.733106403
Registrant Email:gapes@cutemail.org

---

Numerous other related FakeAV sites resolve / resolved to 64.120.207.106.

Wednesday, March 28, 2012

Anatomy of an on-going Malvertising Campaign

During the course of investigating an open incident ticket with a customer, we uncovered what is a common occurrence on the web - legitimate sites linking in third-party content (often advertisements or banners) that ultimately drives the victim browser to an exploit kit.

Here is the chain of events that we observed:
  1. User browsed to: www.thenewsvault.com
  2. The site included content from: www.tvshark.com/read/?art=arc8755
  3. Which included content from: www.tvshark.com/abritebtm300.html
  4. Which linked in what appears to be an advertisement iframe: ads-svx.httpads.com/adserver/cached_iframe?guid=16ce4035-ded0-49c8-8515-8e234cbb2b8b
  5. That loaded the "advertisement" rotator from: c1.zxxds.net, which includes a number of pages, the main one being: /jsc/c1/ff2.html?n=1721;c=3;s=4;d=9;w=300;h=250. Some online references show c1.zxxds.net as having a poor reputation, including involvement with adware.
  6. The c1.zxxds.net site then loaded: chgdjk.info/nw87b6rh/counter.php?id=5 and a number of other pages on this domain which are allegedly exploit kit driven.
  7. From the response size in the logs, we can see that the exploit kit payload page was: chgdjk.info/nw87b6rh/?11ecfa793c76017554490058535a0301030355535d5555090a05035456510f0a00;1;10
At the time of the transactions, chgdjk.info resolved to 208.76.54.210. Doing some Google searching, we found that the site TheTVDB.com linked in content (probably in the same way) to an exploit kit hosted on behtyg.info (208.76.54.210) - the same IP, reported March 12, 2012.

Looking up other domains that resolved to this same IP shows an interesting history of this recent, on-going campaign. These are some of the domains that resolved to this IP - most/all registered within the last few days, all have the same registrant info, but the emails vary (presumably to get around bulk registration checks):

Domain          Registrant Email
behtyg.info     srtyhe@mail.com
beokjr.info     afety@mail.com
bikegf.info     moyde@mail.com
byjeik.info     afety@mail.com
cehrty.info     centner@mail.com
cekioj.info     srtyhe@mail.com
cekuij.info     fendihy@mail.com
chertyu.info    qdesa@mail.com
chgdjk.info     zfert@mail.com
chtygf.info     nelius@mail.us
cmuijy.info     zfert@mail.com
dgeryt.info     qdesa@mail.com
ggtyut.info     srtyhe@mail.com
nehuikj.info    srtyhe@mail.com
nuekhg.info     zfert@mail.com
vejuyt.info     nelius@mail.us
zehryu.info     drijed@mail.com

Registrant Information:
Registrant Name:Filippovskiy Aleksandr
Registrant Organization:DOM
Registrant Street1:ylica Baymana. dom 9.korpys A. kvartira 106
Registrant Street2:
Registrant Street3:
Registrant City:yoshkar ola
Registrant State/Province:yoshkar ola
Registrant Postal Code:42400
Registrant Country:RU
Registrant Phone:+7.79276827596
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:

DomainTools shows that there have been about 1200 domains registered with this whois information (e.g., search by phone number). We're now seeing 199.59.166.86 used for resolution of the chgdjk.info domain (part of a Black Lotus Communications /24 netblock). Clearly a decent-sized and dynamic malware campaign currently leveraging malvertising to redirect to exploit kit sites.

Unfortunately our replay attempts have been unsuccessful at pulling down the malware content, including using forged headers (such as User-Agent and Referer) as well as beginning from the initial transaction chain. This is a common problem when analyzing malvertising incidents: since the malware is injected as part of an advertisement rotator site, it is difficult to replay, as the advertisements and the key variables used to drive the advertisement (in this case malware) may change. We will update if there are additional details.

Tuesday, March 27, 2012

My experience writing an add-on for Internet Explorer

I've released my first add-on for Internet Explorer and I've almost finished a second one. Developing for Internet Explorer was a very different experience than developing for the other browsers I've worked with before - Firefox, Firefox Mobile, Google Chrome, Safari and Opera.

Overall Architecture

Internet Explorer extensions are called Browser Helper Objects (BHO). They are libraries (DLLs) implementing a specific interface. They must be registered as a BHO through a registry key in order to be used by Internet Explorer.

The BHO is loaded per tab or window, meaning there is no built-in communication between tabs/windows. BHOs can interact with the browser and the document through native code or injected JavaScript.

BHOs can be written in C++, C# or VB.Net. Since I'm most familiar with C#, this is the language I've used. Unfortunately, there are many limitations with .Net based BHOs:
  • The BHO name shown in the Internet Explorer "Manage Add-on" page is the namespace of the application. I could not therefore display "Zscaler Safe Shopping", so I had to cheat and use Zscaler as the namespace and SafeShopping as the main class name to display "Zscaler.SafeShopping". (see DUcer's comment below)
  • Many important functions are not implemented in C#, and unmanaged C++ code has to be imported.
  • Internet Explorer is very picky about performance - if an add-on takes more than 0.20 seconds to load, IE suggests to users that they disable the plugin (see more details below). Because .Net add-ons require IE to load the .Net framework, it is pretty much impossible to stay below this limit.
Because the extensions are comprised of compiled code, I could not download extensions to check out their source code as examples, unlike extensions for other browsers, which are written in JavaScript. In addition, Microsoft has only high-level documentation about BHOs and very few code examples (with most leveraging C++).
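Since a BHO is nothing more than a COM DLL listed under a registry key, an administrator can audit what is loaded into Internet Explorer by reading that key together with the matching CLSID entries. The following Python is an added illustration, not code from the post or from Zscaler: it parses a .reg export, lists each BHO's DLL, and flags DLLs outside the usual install directories. The .reg content is a constructed sample with placeholder CLSIDs; the handling of .NET BHOs through mscoree.dll and a CodeBase value is an assumption based on how regasm registers managed COM classes.

```python
import re

# Constructed .reg export with placeholder CLSIDs, not taken from any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Vendor.ExampleBho"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66666666-7777-8888-9999-000000000000}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="mscoree.dll"
"ThreadingModel"="Both"
"CodeBase"="file:///C:/Program Files/Vendor/ExampleBho.dll"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Users\\Public\\update.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; strings and dwords only,
    which is all the BHO and InprocServer32 keys use ("" is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"')
        val = m.group(2)
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.startswith("dword:"):
            val = int(val[6:], 16)
        current[name] = val
    return keys


def list_bhos(reg):
    """Join each registered BHO CLSID to its InprocServer32 DLL and flag DLLs that live
    outside the usual install directories, a frequent trait of malware BHOs."""
    found = []
    for key, values in reg.items():
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        srv = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        dll = srv.get("", "")
        # Assumption: a .NET BHO registered with regasm names mscoree.dll as the server
        # and points to the managed assembly through a CodeBase file:/// URL.
        if dll.lower().endswith("mscoree.dll") and srv.get("CodeBase", "").lower().startswith("file:///"):
            dll = srv["CodeBase"][8:].replace("/", "\\")
        found.append({
            "clsid": clsid,
            "name": values.get("", ""),
            "dll": dll,
            "hidden_from_explorer": values.get("NoExplorer") == 1,
            "review": not dll.lower().startswith(TRUSTED_DIRS),
        })
    return sorted(found, key=lambda b: b["clsid"])


if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        tag = "REVIEW" if bho["review"] else "ok    "
        print(tag, bho["clsid"], bho["name"] or "(no name)", "->", bho["dll"])
```

On a real machine the input comes from `reg export` of the Browser Helper Objects key and of HKCR\CLSID; those exports are UTF-16, so open them with encoding="utf-16" before passing the text to parse_reg.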

Protected mode

Starting with Windows Vista and Internet Explorer 7, Internet Explorer works in Protected Mode by default. This means BHOs are limited in the places they can read/write to disk and read/write to the registry. You need to call special functions to know where you are allowed to write to the disk, but these functions are available in C++ only. I had to use a mix of hardcoded values and unmanaged C++ DLL import to add all necessary functionality.

Because there are no built-in debugging functions to understand what is going on inside the extension, and limited documentation from Microsoft, it took me quite a while to understand how to deal with Protected Mode.

Inconsistent environments

On other platforms, extensions are relatively compatible between browser versions and operating systems. With Firefox extensions, for example, it doesn't matter if the browser is running on Linux, Windows 95 or Mac OS X. These browsers are also very good at maintaining forward compatibility: extensions working on one version usually work fine on newer versions of the same browser. Internet Explorer is a different beast.

Some of the API belongs to the Windows OS, while other portions belong to Internet Explorer. For example, Protected Mode exists on IE 7 on Windows Vista, but not on Windows XP. The API to manage disk access is also different on the two OSs. Calling Windows Vista's API will crash Internet Explorer on Windows XP, for example. Add-ons are definitely not forward compatible.

Some API calls also get "randomly" broken. For example, the BeforeNavigate2 event is broken on Windows 7. This was reported during the Release Candidate phase but never fixed, and the event is no longer triggered.

No love for extensions

Microsoft does not seem to have much love for browser extensions. In fact, I think they actually hate them!

There is no good website to download IE extensions. The official Microsoft website, Internet Explorer Gallery, contains very few extensions. Add-ons are not even shown on the front page; instead they promote pinned sites (introduced with IE 9).

Developers don't get much love either. In addition to the problems and limitations listed above, the add-on infrastructure in Internet Explorer is very weak. Developers have to write their own installer to install and register their BHOs. They also have to write the uninstaller, as IE lets users disable BHOs but not uninstall them. There is no simple way of adding an options page to configure the extension either.

If this was not enough to discourage add-on developers, IE regularly asks users whether they want to uninstall add-ons. Even if all add-ons are loading under 0.200 seconds, Internet Explorer still suggests that the add-ons be disabled to improve the start up time!

A Bad Reputation

BHO is a dirty word. If you look for BHO in Google, most search results are about how to remove malware installed as a BHO.

Users are also more wary, as they should be, of downloading executables that must be executed outside of their browser, and require Admin rights to register themselves, as opposed to Firefox .xpi files, which are handled entirely inside the browser.

References

If I have not yet discouraged you from writing a .Net BHO, here are a couple of references I used:

Tuesday, March 20, 2012

"Super Bowl" and "March Madness" in the Enterprise

3/26 Update: I was approached and asked to run stats to compare and contrast with sports traffic from last year, with the goal of identifying whether there was a noticeable percentage increase in sports (March Madness) traffic this year compared to last year. There was a two day difference from March 2011 to 2012 for the tournament dates; this is noticeable in the tracked stats. The data shows only a slight increase (<1%) in March Madness traffic this year compared to last year; in general this appears to be a fairly static and expected event within enterprise traffic.

With the Super Bowl in early February and the NCAA basketball tournament ("March Madness") sports are a major focus of attention in Quarter 1. That means a lot of bandwidth consumed by the enterprise and time spent by employees on this subject. One report calculated that an estimated $1.7B is to be lost in productivity at the office during this March Madness. Even if sports are not your thing, you may find yourself participating in an office pool surrounding the Super Bowl or March Madness. When I was filling out my bracket this year, I found myself on some "gambling" web-sites to do some quick research on team odds in the tournament (not that it helped my bracket any). I was curious how much bandwidth we saw across our enterprise customers related to sports and gambling for these major Q1 sporting events and to also see if there was any correlation. For those interested in tracking this subject, here are my findings from our large, diverse, enterprise customers:

The blue line above represents gambling traffic as a percentage of its total seen thus far for the quarter, and the red line is sports traffic as a percentage of its total seen thus far for the quarter. The cyclic nature of our data-set is because this is from our enterprise customers, many of which have fewer employees working on weekends. (Date periods are in PST.)

There were not large noticeable spikes in sports or gambling traffic observed in the enterprise during the NFL playoffs or Super Bowl - likely due to the fact that the NFL games are on the weekend and toward the end of the season may have a more regional versus global fan base.

However, there was a very noticeable increase in traffic surrounding March Madness - particularly during the 2nd round of games, several of which are televised during US work hours. Specifically the start of March Madness had about a 74% increase in sports related traffic from the Super Bowl.

Throughout our Q1 data-set we see that gambling closely follows the traffic patterns related to sports. Where there is a noticeable spike in sports traffic, we see a similar increase in gambling traffic. One major exception related to gambling was the period of Feb 20-22. While most of the baseline gambling traffic is to online casinos and gambling affiliates, looking more closely at the website paths visited within this period showed that this anomaly was caused by the ICC Cricket World Cup, which many of our Australian and Indian customers were following.

Chances are that traffic from your enterprise participated in one or more of these events during this Q1.

Monday, March 19, 2012

Zscaler Safe Shopping for Internet Explorer

Zscaler Safe Shopping, the browser extension that warns users when they visit a fake store or a compromised store, was already available for Firefox, Google Chrome, Safari and Opera. It is now available for Internet Explorer 6 to 9 (Windows XP, Vista and 7). This is the first extension we have released for Internet Explorer, and hopefully not the last one. You can download it here.

Zscaler Safe Shopping warning in Internet Explorer

Fake stores are still prevalent in Google searches for buying software online. If you get redirected to one of the fake stores, a banner will be displayed at the top of the page to let you know that the website is not safe. We update the blacklist of fake and compromised stores regularly.


Browser Helper Object

Internet Explorer extensions are called Browser Helper Objects (BHO). Unlike all the other major browsers, the add-on infrastructure in Internet Explorer is very incomplete. Internet Explorer does not offer a way to easily install add-ons, update them, or configure them. Instead, add-ons are treated as regular Windows programs. Zscaler Safe Shopping comes in the form of an executable that installs and registers the BHO. You can disable add-ons from within Internet Explorer, but you have to use the Control Panel to remove them completely from your system.

Zscaler Safe Shopping installer

Zscaler Safe Shopping installed


The executable requires administrator rights to register itself as an Internet Explorer add-on by modifying the registry. Although the add-on appears in Internet Explorer right after the installation, a restart of Internet Explorer is required to activate the plugin.

You can download Zscaler Safe Shopping from our website.

I will talk more about developing BHO in later posts.

Wednesday, March 14, 2012

Malware campaign targeting Opera Mobile

I've stumbled upon hundreds of links targeting Opera Mobile users, to trick them into installing malware on their device.

The links are in the form of:


hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08b6387d0441a9d949bb95

Each has a different phpsessid value. The domain was registered last month (02/12/2012) and does not seem to host any legitimate content.

These pages redirect to another domain, mskmarkets.ru (hxxp://mskmarkets.ru/l.php?l=o4&r=2695&a=29#phpsessid=afe9720a74a56800a2bd682b171e9914) where users are warned in Russian that their browser is out of date:

WARNING! Update your browser!
Your browser version is outdated; your phone is at risk of infection by a dangerous virus!
We strongly recommend that you upgrade your browser. To update, click Update.

Note that a Google Chrome favicon is used and the page leverages the same theme and icons as Opera Mobile. The source code has multiple references to Opera (CSS, links, etc.) and targets WAP-enabled devices.


When the user clicks on the Refresh button, the file browser_update.jar gets downloaded (and possibly installed; I don't have the right device to test). This malicious Java application is currently flagged by 8 of 43 AV engines as an SMS sender. This type of malware is very common on mobile devices; it is used to send spam or to contact surcharged (premium-rate) phone numbers.


According to Wikipedia, Opera has a huge market share in Russia and Eastern Europe, with more than 36% of the browser market (only 2.7% world-wide).


With the lack of effective AV and other security tools on smartphones, especially on low-end devices, mobile users must be very careful about downloading and installing applications, especially outside of the official app stores.

Tuesday, March 13, 2012

Free provider x90x.net hosting numerous Facebook phishing sites

In the long history of free hosting and DNS providers abused (co.cc, pastehtml.com, etc.), x90x.net can now be added to the list, as it is being used to host many Facebook Phishing sites in a variety of languages:
  • faceb000k.x90x.net
  • jebemtakra-pisdfa-asdasdsds-ddfs.x90x.net
  • mesnaindustrija-goranovic-m-e-s-n-a.x90x.net
  • dft3.x90x.net/fbcd.html
  • d3xt0pcr3w.x90x.net
  • etc.
www.mesnaindustrija-goranovic-m-e-s-n-a.x90x.net
d3xt0pcr3w.x90x.net
dft3.x90x.net/fbcd.html
x90x provides free hosting on their sub-domain
A little bit more research showed that many other types of scams and spam content are hosted on x90x.net sub-domains. Here are a few of them:

  • Fake Google page: mygoogle.x90x.net (this site does not appear to be functional)
  • Links to Canadian pharmacies: vmdygoa.x90x.net
  • forex.com phishing site: jasf.x90x.net/tag/chase/
  • Porn (no screenshot!)
  • and much more....
The hosting provider is also used by legitimate sites.  It is very risky to host any important website with a free provider which is going to get abused over and over. co.cc has been blacklisted by Google Safe Browsing in the past, meaning all Firefox/Safari/Chrome users were prevented from visiting any of the websites hosted under co.cc. I believe that a $10/year domain name is really a must for any website. Do not rely on a free domain such as those provided by x90x.net that could soon be blacklisted.

Wednesday, March 7, 2012

"Check who is visiting your profile" scam on Russian social network Vkontakte

Vkontakte is the Russian equivalent of Facebook and has been criticized for being a direct "clone". Well, scammers are "cloning" the most popular Facebook scams and porting them to this Russian platform as well.

One recurring scam, used to trick people into giving up credentials to their Facebook account or executing a cross-site scripting attack against themselves, has its equivalent at Vkontakte: hxxp://gosti-vk.p7h.in/?r=3262.

Here is a screenshot of the page translated into English:

Scam site
The site claims to be an official Vkontakte application (with a .in TLD!). The page uses the same logo, layout and colors as the official site. The fake user testimonials explain that they have found likely lovers checking out your profile.

You need to give your ID or profile link (no password required) to let the "app" figure out who is viewing your profile:

Form (translated in English) to enter user ID
I inserted a fake name (in English) and the app miraculously found 7 people who had looked at my profile!

Names of people who visited my non-existent profile
Before I had time to click on any links, I was also asked to enter my cell phone number to ensure that I was indeed a human:

Phone number must be entered

This is where the Russian scam differs from the Facebook scam. In the US, scammers try to get users to fill out surveys, install spyware or try "free" offers. In Russia, as shown in other scams, scammers make money by sending SMS messages with a surcharge.

Monday, March 5, 2012

Are Pinterest "Pin it" widgets going the way of Facebook "Like"?

Pinterest is a new social network that has been getting a lot of press lately. Basically, Pinterest is a virtual board, where users can pin things they like online. They can share the content with their friends, follow other people, etc.

My Pinterest board
Like Facebook, Pinterest users can add items to their board from the website, but also by clicking on "Pin it" widgets set up by webmasters on any website, which are the equivalent of the Facebook "Like" widgets. Any new pin shows up as a notification for all people following you. Although Pinterest is very new (you first need to apply for an invitation and get your login after a couple of days) and has a small number of users, spammers are already abusing the "Pin it" widget.

This week, I found spam campaigns at pinterestpromo.info and giftinterest.com that use Pinterest as the main tool to propagate scams.

pinterestpromo.com
The scam is very similar to some previous Facebook spam campaigns: users have to click on the "Pin it" widget in order to receive a free iPhone or iPad. On these two sites, scammers have used a fake "Pin it" widget rather than the official widget code.


After clicking on the widget, the site redirects to another website, such as:
http://www.giftsforshoppers.com/aseg-1142?trkSessID=195212565&dLID=5084&pRdrTrkID=667421271&skipExit=[skipExit]&pLeadEmailAddress=[pLeadEmailAddress].

www.giftsforshoppers.com

The scam is the same as the one I described last week for a Groupon scam: the visitor has to fill out surveys or trial offers in the hope of getting a gift card or some other gadget.

Any website with features to spread links quickly to a trusted group of people is doomed to be abused by spammers.