I’ve been contemplating a title for this post for a long time, eventually I decided to merge two of my favorites (and leave the third alone: looking for the cuckoo’s egg). Basically, after a couple of weeks of almost nonstop work on a major research project (hence the relatively quiet blog), and some major news outbreak following this research (1, 2, 3, 4, 5, 6, 7, 8, 9, and more…), it’s time for a quick recap and a preview.

Recap: so, we saw that Neosploit was back, even after the group’s demise in July, we clearly saw that its activity has not subsided and that a build, dated August, is pretty much active and doing its rounds on the net (see older post). We didn’t just sit there trying to watch where the server would go next (which it did in fact – from Argentine to sunny Florida), but also had the chance to do some digging around it, and take a peek into one of the largest cybercrime operations uncovered in the wild, considering the fact that it is being run from a single server.

You are probably familiar with the numbers; over 200,000 credentials to servers around the world (mainly focused on western Europe and the US), tons of back-end applications that the criminals used to manage their operations, and even a brief encounter with a person logged on to the server… (for that, you’ll have to wait for our monthly threat report!).

As part of this activity, CERT has been working days and nights to help us contact all the affected parties. These guys are amazing! They’ve been sorting through the data and figuring out how to communicate securely with the 86 different countries affected is a major operation, (in addition to handling law enforcement communications in the US), so huge kudos to them (you know who I’m referring to NI…).

Nevertheless, we are talking about hundreds of thousands of compromised credentials – we never imagine these could all be contacted by law enforcement or the local CERTs and CSIRTs, so we have set up a page on our site where all you have to do is enter some basic contact info and the domain in your responsibility, and we’ll check to see if they have been compromised or not. Spam free, no commitments – just because we are nice

The preview, well, the heaps of data that we managed to pull from the criminal server is going to make for quite an interesting read on our next monthly threat report, so stay tuned and watch our brand new AIRC homepage for updates! As I mentioned, backend applications and even a look through the peeping hole to see the attackers on the other side.

That’s it for this time, I’m off to get ready for my talk at BlueHat later this week (more info is also available here).

Related posts:

1. Down the rabbit hole all the way to Miami
2. Hosting provider crackdown?
3. Taking down a malicious site – the good, the bad, and the ugly…

Despite being reported as “out of business” in late July/August, (see this blog, and this article as well), Neosploit, one of the most widely used tools by cybercriminals, clearly hasn’t ceased to exist . In fact, we have recently confirmed a highly enhanced Neosploit 3.1 installation to be out and about, and serving Malweb to hundreds of legitimate Web sites worldwide. We are currently working with law enforcement from around the globe to identify infections and inform organizations.

It’s clear that Neospolit actually planned to create Neosploit 3.1 and has actually made it available for at least the last few weeks on a significant scale.

Another interesting thing to note here is that the recent increase in PDF exploits can hardly be attributed to some new toolkit or older kits attempting to capitalize on the toolkit market, but actually the work of this new 3.1 version. See statistics from an active Neosploit attack server below:

What does all this mean? It’s a truly notable instance where the actual business side of running cybercrime operations pulled a fast one on the thousands of experts tasked with following the latest Web threats. They not only see the profitability of investing in development of newer versions – releasing cybercrime tools much like that of a typical software company. And it’s all proven by their greatly enhanced version of Neosploit 3.1 that was never anticipated by even the largest of security vendors. Instead, security vendors thought newly enhanced PDF exploits (actually a large part of Neosploit’s punch) was actually a new trend within itself – when actually it’s direct from Neosploit.

I would keep an eye on developments in the eCrime business market, for the rock-star of the Malweb toolkits to just disappear one day and declare retirement – does not really fit in to what is really happening in the business. Although the attempt to go under the radar has been greatly aided by reports of security researchers that the group has disbanded, it was hard to believe that they really went under with such a successful brand name and business behind it.

I’ll be covering some of the developments in Neosploit 3.1 at the upcoming BlueHat conference at Redmond next month, so if you are fortunate enough to get there – look for the opening talk.

Related posts:

1. Obama Leads in US Presidential Election Poll – the eCrime Way
2. Credit cards on a clearance sale and your internet security
3. Less phish, more meat? Malweb proving to be more efficient than phishing scams.

Obviously, no business or personal data was safe; we found logs with business information on shipments, intellectual property, pension funds, legal cases, patients, marketing strategies etc. but also personal information that criminal elements could use to their own benefit.

Following are some of the records that were on that server for grabs.
We changed/blurred information to protect people’s and companies’ privacy.

Medical record:

Email communications:

Outlook with email communications:

Bank customer’s credit card details:

We were especially curious how these user data for grabs were managed by the cybercriminals, and we found a C&C application that they used for that purpose.
The administration of this Command & Control (C&C) function consists of a PHP based web application. It managed the infected machines, and enabled the criminal to address specific groups of “users” –by country, by IP, by type of logs, you name it!

The administrator could also issue commands, instructing the Crimeware on the infected machines to perform certain actions:

The server we investigated hosted multiple “attack campaigns”.
Each campaign had its own logged data from the infected users, as well as an administrative interface to the attack Crimeware toolkit that was used to infect the users (in this case the “AdPack” toolkit).

The administrative (statistics) interface to these AdPack toolkits showed how effective each campaign was, and provided statistical information on the geographical location of the infections, and of course, referral statistics to accurately measure where did the infections come from.

With user data services as described above, we now see that Crimeware has reached a new level of sophistication – again!
We see that Command & Control applications enable administrators to manage the actions and performance of their Crimeware. It gives them also control over the users of the Crimeware as well as its victims. Most scarily of all – it also allows easy access to user data.
The full research is captured in our MPOM April 2008.
We would like to emphasize, that due to restrictions set by law, the research discloses only a fraction of the amount and type of data that we found on the crime server.

Related posts:

1. Crimeware server and the international man of mystery
2. Snooping into Palin emails? Watch out for the criminals snooping on you!
3. Neosploit – The rumors of my demise have been greatly exaggerated

–quote–

On investigating on your complaint , we have determined that the domain name “SPYWARESAFE.NET ” is in violation of the terms of usage of the Privacy Protect service. We have therefore,

1. disabled the Privacy Protect service for the domain name, such that it now displays the putative contact details of the domain name holder, and
2. notified the sponsoring Registrar about the complaint, who shall act upon the complaint in accordance with their policies.

For any further updates on this matter, you can contact ESTDOMAINS, INC.  , the sponsoring Registrar for “SPYWARESAFE.NET”.

We are extremely particular about preventing misuse of our services in any manner. Should you encounter any other such instances, please feel free to notify us immediately.

–quote–

It’s interesting to note how a little exposure, combined with an email pointing out that the privacy protection is in direct violation of the service terms, gets some gears in motion. Don’t expect though to get complete verifiable details on the domain owner… The known issue with whois data is not limited to hideouts such as privacyprotect.org, but to the entire scheme of how domain registration works, and the accountability (or lack of) of the registrars to make sure that the details of domain owners are at least somewhat relevant. As you can see from the below data, trying to find a “Pavel” that lives in Russia, is like trying to find a “Mohammad” in Saudi-Arabia, or a “Mr. Smith” back in the states…

–quote–

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SPYWARESAFE.NET

Registrant:
N/A
Pavel        (linkwork@mail.ru)
kremlin st. 1
Moscow
Moskovskaya oblast,123456
RU
Tel. +495.1231212

Creation Date: 05-Dec-2007
Expiration Date: 05-Dec-2008

–quote–

At least the onion is starting to peel off and maybe hopefully law-enforcement can get better details on the owner, or work with the registrar to track him/her down.

Off to Amasterdam now – see you in BlackHat EU (Friday the 28th, track 2, 10am)!

Related posts:

1. Taking down a malicious site – the good, the bad, and the ugly…

Meoryprof.info was the first to buckle (probably under the press exposure), but spywaresafe.net have managed to stay afloat for quite a while. The problem with such domains these days, is that they are usually designed to hide the true owner in the best possible way.

Spywaresafe.net has been running in full-steam for only a short period of time, but has managed to rack up quite a track record of user visits and infections (see the below screenshot from its NeoSploit admin page)

(note that this screenshot is rather old and contains data on the first half of February only… nevertheless, almost 300k visits were logged to the main user and 150k more on the second user)

Looking into the whois record for spywaresafe.net would yield a disappointment – it is hidden using a service provided by privacyprotect.org. This service allows domain owners to hide behind an entity that would provide them “privacy”. The practice itself may seem questionable, but privacyprotect.org has a nice website with easy to access forms for requesting the disclosure of a domain owner in case there is some kind of “abuse” done by it.

Well… that didn’t really work. Sending a couple of these forms in the past month got us absolutely nowhere. No response, not even a decline for our request. These guys must be doing a too good of a job protecting something (definitely not internet users, but something…).

On the bright side, when we contacted the hosting company that was associated with the IP address for spywaresafe.net (78.109.18.130), the response was surprisingly quick, and the security guys there took the offending site down (p.s. – always use email, trying to call in brought an unbridgeable language barrier):

—quote—

…

The actions accepted by us:

Server IP: 78.109.18.130 it is disconnected and formatted.

…

—quote—

Although the company policy there is not to disclose details about the client who paid for this service (can’t blame us for trying ).

Moral of the story – undecided (hence – good, bad, ugly?). Seems like the law enforcement efforts does work, on targeted incidents (no follow up on the second domain). Trying to be the good samaritan does not always play well, and you get to hurdles such as these privacy protection schemes (which in my opinion have no place on the internet), and to surprises such as the guys in hosting.ua (Ukraine’s national hosting) who diligently stepped up to the plate. One has to admit that there really is no place for discrimination on the net…

In hope that we won’t have to do any more of this and have law enforcement and CERTs kick in for those cases, I’ll sign off for this time

Related posts:

1. On the (dis)merits of privacy
2. Taking the Red Pill Down the Rabbit Hole
3. Crimeware server and the international man of mystery

Obviously, this is a daunting task by itself, and although sometimes security researchers are able to point at specific people as the ones running the criminal activity, it does not always help that much (remember the RBN case where multiple law enforcement agencies were notified, but the people behind the scenes were never arrested or indicted).

Well then, back to our little server – the domain name hosting the crimeware (Neosploit 2.0.13) was hosted in Hong-Kong (see below)

So that does not bring us any closer to who is this – as the address is located at a hosting company. Fortunately, our research brought in some additional IP addresses. We managed to grab these from the web server just like we have uncovered the 8,700 FTP account credentials that the research paper talks about (no exploits or attacks were used to do so – simply thinking outside the box sufficed).

Tracking these down proved to be a nice tour around the globe (long whois info deprecated for clarity):

Putting all these guys on the map results in a very interesting “international man of mystery” cross-continent network of connections:

Obviously we are looking at some eastern-bloc oriented operation, with some access to resources in the Netherlands and the US (either other people, or just computers from which access could have been made).

Now that law enforcement agencies are involved with this, maybe we would see some developments on the matter, although from the looks of these pins on the map, I expect some really interesting multi-lingual cop-speak to spur out soon…

Related posts:

1. Crimeware server catering to “grab and run” criminals
2. Taking down a malicious site – the good, the bad, and the ugly…
3. On the (dis)merits of privacy