10/12/2008 3:31:00 PM

Taking the Red Pill Down the Rabbit Hole

by Iftach Ian Amit

I’ve been contemplating a title for this post for a long time; eventually I decided to merge two of my favorites (and leave the third alone: looking for the cuckoo’s egg). Basically, after a couple of weeks of almost nonstop work on a major research project (hence the relatively quiet blog), and a major news outbreak following this research (1, 2, 3, 4, 5, 6, 7, 8, 9, and more…), it’s time for a quick recap and a preview.

Recap: so, we saw that Neosploit was back. Even after the group’s demise in July, we clearly saw that its activity had not subsided and that a build dated August is very much active and doing its rounds on the net (see older post). We didn’t just sit there watching where the server would go next (which it did in fact – from Argentina to sunny Florida), but also had the chance to do some digging around it and take a peek into one of the largest cybercrime operations uncovered in the wild, considering that it is being run from a single server.

You are probably familiar with the numbers: over 200,000 credentials to servers around the world (mainly in western Europe and the US), tons of back-end applications that the criminals used to manage their operations, and even a brief encounter with a person logged on to the server… (for that, you’ll have to wait for our monthly threat report!).

As part of this activity, CERT has been working day and night to help us contact all the affected parties. These guys are amazing! Sorting through the data and figuring out how to communicate securely with the 86 different countries affected is a major operation (in addition to handling law enforcement communications in the US), so huge kudos to them (you know who I’m referring to, NI…).

Nevertheless, we are talking about hundreds of thousands of compromised credentials – we never imagined these could all be contacted by law enforcement or the local CERTs and CSIRTs, so we have set up a page on our site where all you have to do is enter some basic contact info and the domain under your responsibility, and we’ll check whether it has been compromised or not. Spam free, no commitments – just because we are nice ;-)

The preview: the heaps of data that we managed to pull from the criminal server are going to make for quite an interesting read in our next monthly threat report, so stay tuned and watch our brand new AIRC homepage for updates! As I mentioned, back-end applications and even a look through the peephole to see the attackers on the other side.

That’s it for this time, I'm off to get ready for my talk at BlueHat later this week (more info is also available here).


Hackers

9/26/2008 8:09:00 PM

Neosploit - The rumors of my demise have been greatly exaggerated

by Iftach Ian Amit

Despite being reported as “out of business” in late July/August (see this blog, and this article as well), Neosploit, one of the most widely used tools by cybercriminals, clearly hasn't ceased to exist. In fact, we have recently confirmed a highly enhanced Neosploit 3.1 installation to be out and about, serving Malweb to hundreds of legitimate Web sites worldwide. We are currently working with law enforcement from around the globe to identify infections and inform organizations.

It’s clear that the Neosploit group actually planned to create Neosploit 3.1 and has made it available for at least the last few weeks on a significant scale.

Another interesting thing to note here is that the recent increase in PDF exploits can hardly be attributed to some new toolkit, or to older kits attempting to capitalize on the toolkit market; it is actually the work of this new 3.1 version. See statistics from an active Neosploit attack server below:

What does all this mean? It’s a truly notable instance where the actual business side of running cybercrime operations pulled a fast one on the thousands of experts tasked with following the latest Web threats. They clearly see the profitability of investing in the development of newer versions – releasing cybercrime tools much like a typical software company does. And it’s all proven by their greatly enhanced Neosploit 3.1, which was never anticipated by even the largest security vendors. Instead, security vendors thought the newly enhanced PDF exploits (actually a large part of Neosploit’s punch) were a new trend in themselves – when in fact they come straight from Neosploit.

I would keep an eye on developments in the eCrime business market: for the rock star of the Malweb toolkits to just disappear one day and declare retirement does not really fit with what is actually happening in the business. Although the attempt to go under the radar was greatly aided by reports from security researchers that the group had disbanded, it was hard to believe that they really went under with such a successful brand name and business behind them.

I’ll be covering some of the developments in Neosploit 3.1 at the upcoming BlueHat conference in Redmond next month, so if you are fortunate enough to get there, look for the opening talk.


malweb | vulnerabilities

9/22/2008 10:51:00 AM

Blocking legitimate sites in real-time

by Iftach Ian Amit

I ran into this on Slashdot: http://tech.slashdot.org/tech/08/09/21/1827209.shtml. It seems that the Google filter for malicious sites was blocking a whole domain name, including all sub-domains, which happened to belong to a dynamic DNS provider. A big false positive, and a big problem for all the legitimate sites hosted under this domain. Disclosure: I used to run my personal domain using the services provided by DynDNS as well.

The root of the problem here lies in the concept that someone (even if it's Google) presumes that providing a list of "bad" sites can be used to provide security to users. It's just not going to work, no matter how fast the list is updated and no matter how "real-time" the scanning and categorizing of sites is, unless the real-time part is applied where it is supposed to be applied: when a user requests content from a site, scanning in real time the content that this user receives. No more, no less. Remember that content differs from user to user, and malicious code may be delivered to one user but not to another!
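The over-blocking described above has a simple mechanical cause: a list entry is usually matched as a domain suffix, so an entry for a dynamic-DNS provider's domain catches every customer host beneath it. The following is an added example, not code from the post or from Google or DynDNS, that builds blocklist entries from a handful of constructed "observed bad" URLs in two ways and measures the collateral damage to constructed legitimate hosts. All domain names, the `SHARED_HOST_SUFFIXES` set and the two-label "registrable domain" shortcut are assumptions made for the example; real systems use the public suffix list. It illustrates only the granularity problem; the post's stronger point, that per-user content must be scanned at request time, is not something a list of any granularity can solve.

```python
"""Added example: why a domain-suffix blocklist over-blocks hosts on a shared
(dynamic DNS style) provider, and how keeping full hosts for such providers
avoids the collateral damage. Names below are constructed placeholders."""
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed sample: a provider whose subdomains belong to unrelated people,
# two URLs observed serving malicious content, and some innocent customer hosts.
SHARED_HOST_SUFFIXES = {"dyn.example"}
OBSERVED_BAD_URLS = ["http://badhost123.dyn.example/x.html", "http://evil-shop.example/"]
LEGIT_HOSTS = ["alice.dyn.example", "bob.dyn.example", "blog.dyn.example"]


def registrable_domain(host: str) -> str:
    """Simplified 'registrable domain': the last two labels (assumption; the
    public suffix list is what a real implementation consults)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def blocklist_entry_naive(url: str) -> str:
    """Collapse each bad URL to its registrable domain. This is the over-blocking
    behaviour: one bad customer makes the whole provider an entry."""
    return registrable_domain(urlsplit(url).hostname)


def blocklist_entry_shared_aware(url: str, shared_suffixes=SHARED_HOST_SUFFIXES) -> str:
    """Keep the full host when its registrable domain is a shared provider,
    because sibling subdomains there are operated by unrelated parties."""
    host = urlsplit(url).hostname.rstrip(".").lower()
    reg = registrable_domain(host)
    return host if reg in shared_suffixes else reg


def is_blocked(host: str, entries: Iterable[str]) -> bool:
    """Suffix match: an entry blocks the host itself and every subdomain under it."""
    host = host.rstrip(".").lower()
    return any(host == e or host.endswith("." + e) for e in entries)


def collateral(legit_hosts: Iterable[str], entries: Iterable[str]) -> List[str]:
    """Legitimate hosts that a given entry set would block (the false positives)."""
    entries = list(entries)
    return [h for h in legit_hosts if is_blocked(h, entries)]


def build(entry_fn, urls: Iterable[str] = OBSERVED_BAD_URLS) -> List[str]:
    """Turn observed bad URLs into a sorted, de-duplicated entry list."""
    return sorted({entry_fn(u) for u in urls})


if __name__ == "__main__":
    naive = build(blocklist_entry_naive)
    aware = build(blocklist_entry_shared_aware)
    print("naive entries:", naive, "collateral:", collateral(LEGIT_HOSTS, naive))
    print("shared-aware entries:", aware, "collateral:", collateral(LEGIT_HOSTS, aware))
```

Both entry sets still block the two hosts actually seen serving malicious content (and any subdomain of `evil-shop.example`); only the shared-aware set leaves the provider's other customers reachable.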


malweb

9/18/2008 8:07:00 PM

Snooping into Palin emails? Watch out for the criminals snooping on you!

by Iftach Ian Amit

Following the recent news on how an anonymous group managed to take over Sarah Palin's Yahoo! email account, we have noticed some interesting happenings. As wikileaks, which was the original posting location of the images taken from Palin's yahoo inbox, was unavailable for some time, copies of the wikileaks post started to appear on other sites.

Our assumption is that as users found the original site unavailable, they started deepening their searches to try and find other copies of the original images. It seems that e-Criminals are just in tune with the latest news and browsing habits, and have managed to publish (or alter an already published) zip archive of the original wikileaks post with a small alteration: a malicious script appended to the HTML content. Users eager to take a look at the leaked images finally found themselves looking at an archived copy of the original wikileaks page, without having any clue about the malicious script running on their PC at the same time.

The script used is the usual obfuscated JavaScript designed to evade detection, and it exploits a couple of vulnerabilities in QuickTime and Microsoft's WMV components. The exploits are designed such that, once successful, a Trojan is installed on the local machine under the pretence of an anti-virus application. The specific Trojan used in this incident is similar to those in other related attacks covered in our latest security research findings, which also traced sites connected to recent news.

Attackers are in a position where they can choose the kind of malicious software running on victims' machines, as Malweb allows them to run any kind of code on them.

In conclusion: although it may be hard to stop in your tracks when the original site hosting breaking news is down, it seems wise to really look into alternate copies of the evidence being posted at other locations. Some may be legitimate, carbon copies of the content; some may have a slight addition to the news in order to serve less legitimate purposes.
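The two things the post describes, a script appended after the HTML content and an obfuscated script body, are both cheap to check for when you have an archived copy in hand, and when the original is also available the appended part can be isolated exactly. The following is an added example (not code from the post or from any product it mentions) with two constructed pages: a clean page and a copy with a harmless placeholder script tacked on after `</html>`. The indicator list in `obfuscation_indicators` is an assumption chosen for the example, not a description of the actual script from the incident, and it is meant as a triage signal, not a verdict.

```python
"""Added example: triage an archived HTML copy for (1) script blocks appended
after the closing </html> tag and (2) common obfuscation indicators in them,
and (3) recover exactly what was appended when the original page is available.
Both pages below are constructed; the script body is a harmless placeholder."""
import re
from typing import Dict, List, Optional

CLEAN_PAGE = "<html><head><title>news</title></head><body><p>story</p></body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + (
    "<script>var x='placeholder';eval(unescape('%61%6c%65%72%74'));</script>\n"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)


def trailing_scripts(html: str) -> List[str]:
    """Script bodies that appear after </html>. A well-formed document ends at
    that tag, so anything scripted beyond it was bolted on afterwards."""
    m = HTML_CLOSE_RE.search(html)
    if not m:
        return []
    return [s.strip() for s in SCRIPT_RE.findall(html[m.end():])]


def obfuscation_indicators(script: str) -> List[str]:
    """Static indicators typical of obfuscated loaders (assumed list for the
    example). Each is weak alone; together they justify a closer look."""
    found = []
    if re.search(r"\beval\s*\(", script):
        found.append("eval")
    if re.search(r"\bunescape\s*\(", script):
        found.append("unescape")
    if len(re.findall(r"%[0-9a-f]{2}", script, re.I)) >= 4:
        found.append("percent-encoded-run")
    if re.search(r"\bString\.fromCharCode\b", script):
        found.append("fromCharCode")
    if re.search(r"document\.write\s*\(", script):
        found.append("document.write")
    return found


def assess(html: str) -> Dict[str, object]:
    """Summarise a page: how many trailing scripts, which indicators, and whether
    the combination is worth escalating."""
    scripts = trailing_scripts(html)
    indicators = sorted({i for s in scripts for i in obfuscation_indicators(s)})
    return {
        "trailing_scripts": len(scripts),
        "indicators": indicators,
        "suspicious": bool(scripts) and bool(indicators),
    }


def appended_to_copy(original: str, copy: str) -> Optional[str]:
    """If the copy is the original plus trailing data, return the appended part.
    None means the copy is identical or not a simple append (needs a real diff)."""
    if copy == original or not copy.startswith(original):
        return None
    return copy[len(original):]


if __name__ == "__main__":
    print("clean   :", assess(CLEAN_PAGE))
    print("tampered:", assess(TAMPERED_PAGE))
    print("appended:", appended_to_copy(CLEAN_PAGE, TAMPERED_PAGE))
```

The trailing-script check is deliberately narrow: it catches the "append to the end of the file" pattern the post describes without parsing the whole document, which keeps it usable on large archives. Anything flagged should be looked at in a sandbox rather than a browser.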

Update: Further information on the technique itself used to obtain access to Palin's account is covered here.


malweb | Hackers | Web-based Trojans | Press Coverage

9/18/2008 6:35:00 PM

Less phish, more meat? Malweb proving to be more efficient than phishing scams.

by Iftach Ian Amit

In a somewhat below-the-radar report, the Anti-Phishing Working Group (APWG) Q1 report shows, for the first time, a decrease in the number of phishing reports towards the end of the quarter.

In a startling (although expected) contrast, reports on crimeware, malware, Trojans and other malicious code (all delivered by Malweb!) are on the rise, as the attack vector that uses Malweb is proving to be the most efficient ROI-wise.

Our view on this: obvious! Phishing is a one-off that targets a single institution. It may be efficient for a short time, as these sites are detected and brought down rather quickly. Malweb, on the other hand, is a long-term investment. It brings the ability to install a more persistent rootkit/Trojan on the victim’s system, which provides a more configurable platform for financial fraud than a phishing scam would.

The report is available at http://apwg.org/reports/apwg_report_Q1_2008.pdf.


malweb | Web-based Trojans | Online Fraud