11/12/2008 12:28:00 PM

Hosting provider crackdown?

by Iftach Ian Amit

Recently, there has been a lot of focus from the security research community on a hosting provider named McColo Corporation (out of San Jose, CA). Reports on spam, phishing and connections to Malweb distribution, among others, have been accumulating (including our own malicious server analysis, in which the server was found to be administered from a McColo address).

It seems like the combination of law enforcement investigations with a recent story by the Washington Post has made its mark, and McColo IP addresses have gone silent since yesterday. We’ll be looking forward to additional coverage on this in the coming days, as we are finalizing our own threat report on the eCrime server that was analyzed, and on which we found the 200,000 compromised FTP credentials.

malweb

11/3/2008 12:41:00 PM

Secret Crush Widget is Back to Spread Adware on Facebook

by Oren Medini

The Secret Crush widget invites Facebook users to find out which of their friends is secretly in love with them. Users who click the link find out that it is actually an adware application targeting them.

This malicious widget made its first appearance in early January 2008. It played on the popularity of Facebook and managed to entice millions of Facebook users to download the infamous Zango adware. Recently, this malicious widget has reappeared and has been infecting users with additional adware, such as Zwinky. Facebook users receive an invitation that says: “Someone has a secret crush on you. Find Out Who!” Clicking the “Find Out Who!” link randomly redirects the browser to one of a number of websites. The target websites range from hosted ads to adware-serving domains.

Here is what the application’s invitation message looks like:

(Image of the Secret Crush invitation message)

And here are the adware websites that users get redirected to:

(Images of the adware websites users are redirected to)

malweb

10/28/2008 10:32:00 PM

Obama Leads in US Presidential Election Poll - the eCrime Way

by Iftach Ian Amit

And the leader, according to the highly non-scientific research done using Google for a specific attack vector, is: Barack Obama. Obama-related sites have managed to get infected in such a way that they attack their visitors in 364 separate instances, while McCain is right behind with 230 instances.

As always, and as we have reported in the past, those behind eCrime are watching the news as diligently as the rest of us and are “affected” by current affairs in terms of the ways they tune their attack vector to achieve maximum exposure to their target market. The financial situation, jobs, housing, and now the US elections are causing a shift in the context of the sites targeted to carry malicious code and perform web attacks in order to gain as many “eyeballs” as possible.

Now, given that this example is just the tip of the iceberg and only gives a general idea of one specific attack vector, the conclusion is pretty obvious in terms of the global magnitude of having relevant sites infected with Malweb. Do the math: Google’s own tools provide some pretty insightful data on search trends (and thus on the chances that users land on a site that comes up in the first 100 results for such search terms), both for sociological and technological studies and for eCrime market reach optimization.

(Image showing Google’s trends search volume for the phrases “john mccain” and “barack obama”)

Now, that’s why security research is a little more than just playing cat-and-mouse with a technological attack or a new vulnerability. Security research is also the understanding of how the motive and MO of the attackers work, in order to be prepared for the next wave and the next technological advancements.

malweb | Hackers

9/26/2008 8:09:00 PM

Neosploit - The rumors of my demise have been greatly exaggerated

by Iftach Ian Amit

Despite being reported as “out of business” in late July/August (see this blog, and this article as well), Neosploit, one of the most widely used tools by cybercriminals, clearly hasn't ceased to exist. In fact, we have recently confirmed a highly enhanced Neosploit 3.1 installation to be out and about, serving Malweb to hundreds of legitimate Web sites worldwide. We are currently working with law enforcement from around the globe to identify infections and inform organizations.

It’s clear that Neosploit actually planned to create Neosploit 3.1 and has actually made it available for at least the last few weeks on a significant scale.

Another interesting thing to note here is that the recent increase in PDF exploits can hardly be attributed to some new toolkit, or to older kits attempting to capitalize on the toolkit market; it is actually the work of this new 3.1 version. See the statistics from an active Neosploit attack server below:

(Image showing statistics from an active Neosploit attack server)

What does all this mean? It’s a truly notable instance where the actual business side of running cybercrime operations pulled a fast one on the thousands of experts tasked with following the latest Web threats. They see the profitability of investing in the development of newer versions, releasing cybercrime tools much like a typical software company does. And it’s all proven by their greatly enhanced Neosploit 3.1, which was never anticipated by even the largest of security vendors. Instead, security vendors thought the newly enhanced PDF exploits (actually a large part of Neosploit’s punch) were a new trend in themselves, when they actually come directly from Neosploit.

I would keep an eye on developments in the eCrime business market; for the rock star of the Malweb toolkits to just disappear one day and declare retirement does not really fit with what is really happening in the business. Although the attempt to go under the radar has been greatly aided by reports from security researchers that the group has disbanded, it was hard to believe that they really went under with such a successful brand name and business behind them.

I’ll be covering some of the developments in Neosploit 3.1 at the upcoming BlueHat conference in Redmond next month, so if you are fortunate enough to get there, look for the opening talk.

malweb | vulnerabilities

9/22/2008 10:51:00 AM

Blocking legitimate sites in real-time

by Iftach Ian Amit

I ran into this on Slashdot: http://tech.slashdot.org/tech/08/09/21/1827209.shtml. It seems like the Google filter for malicious sites was blocking a whole domain name, including all sub-domains, which happened to be a dynamic DNS provider. A big false positive, and a big problem for all the legitimate sites that were hosted using this domain. Disclosure: I used to run my personal domain using the services provided by DynDNS as well.

The root of the problem here lies in the concept that someone (even if it's Google) presumes that providing a list of "bad" sites can be used to provide security to users. It's just not going to work, no matter how fast the list is updated and no matter how "real-time" the scanning and categorizing of the sites is, unless the real-time inspection is applied where it is supposed to be applied: when a user requests content from a site, scanning in real time the content that this user receives. No more, no less. Remember that content differs from user to user, and malicious code may be delivered to one user but not to another!
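As an added illustration of the false positive described above (example code written for this page, not the blog's own or Google's), the following contrasts a domain-wide blocklist match, which hits every hostname under a listed domain, with one that treats dynamic-DNS provider domains as shared namespaces and only blocks the exact listed host inside them. All hostnames and list entries are constructed.

```python
# Constructed blocklist: one malicious dynamic-DNS hostname, the parent domain
# of the dynamic-DNS provider (the over-broad listing behind the false
# positive), and an attacker-controlled domain.
BLOCKLIST = {
    "malicious-host.example-dyndns.test",
    "example-dyndns.test",
    "evil.test",
}

# Constructed set of dynamic-DNS provider domains whose subdomains belong to
# many unrelated users, so a listing of the provider says nothing about any
# particular tenant's host (much like a public suffix).
SHARED_DOMAINS = {"example-dyndns.test"}


def _suffixes(host):
    """Return the normalized host followed by each parent domain, longest first."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def naive_blocked(host, blocklist=BLOCKLIST):
    """Domain-wide match: a listing of any parent domain blocks the host."""
    return any(s in blocklist for s in _suffixes(host))


def precise_blocked(host, blocklist=BLOCKLIST, shared=SHARED_DOMAINS):
    """Exact hostname listings always apply; parent-domain listings apply only
    until the walk reaches a shared namespace, where inheritance stops."""
    suffixes = _suffixes(host)
    if suffixes[0] in blocklist:
        return True
    for parent in suffixes[1:]:
        if parent in shared:
            return False  # other tenants' hosts are not guilty by association
        if parent in blocklist:
            return True
    return False


def compare(hosts):
    """Map each host to (naive, precise) so the two verdicts can be diffed."""
    return {h: (naive_blocked(h), precise_blocked(h)) for h in hosts}
```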

malweb