Lightning Crashes

Zeus is undoubtedly one of the most prevalent malware families used for web-based criminal activity. It has compromised thousands of systems and, though an exact count is unknown, an example like the Kneber/Zeus botnet reported by Netwitness showed that one collection of infected computers consisted of “75,000 systems in 2,500 organizations around the world.” There have certainly been larger botnets concentrated on data theft, but with fluxing configurations, binaries and hosting domains, the array of Zeus botnets has remained both widespread and dangerous. Then, on March 9th 2010, Zeus took a big hit to its infrastructure. The operators of the ZeusTracker project reported a significant drop in the active number of Zeus command and control servers, falling from 249 to 181 overnight. What they discovered was that the ISP Troyak (AS50215) and its dependent networks had essentially been taken offline. These networks had been considered bulletproof hosting for Zeus domains, meaning the hosting groups involved were believed to actively protect the malicious activity, ignore requests to end it, or otherwise be assumed by their users to be a safe zone for malicious domains.

While disconnecting thousands of compromised systems from their C&C domains is a great win, though likely a temporary one, no one knows whom to congratulate. Security researchers assume it was an external takedown, but no one has stepped forward to be recognized. What is even more interesting, as mentioned by Brian Krebs, is that 11 days prior to the Troyak switch-off, spam promoting Zeus also went into decline. On February 27th, as stated in Krebs’s blog, a large Zeus spamming gang stopped sending new spam.

For now we’ll just have to wonder who is behind this mysterious crusade against Zeus. It seems unlikely that it was the work of any security group or company as it is generally in our favor to promote such efforts. Perhaps a rival gang was involved and the “Zeus killer” feature in SpyEye wasn’t enough for them, or maybe somebody just thought to quit while they were ahead. That would be a novel idea.

Matt Sully
Threat Research & Analysis

Moments after posting this, Troyak found a new upstream provider and got back online. They have since moved to yet another provider, trying to evade a second disruption of “services.” Some would say they’re on the run.

Gumblar, the massive iframe injection attack that made and sustained front page security news in early 2009, appears to still be going strong. Only slightly altered in its approach, the ongoing attack is still injecting malicious domains into sites on a fairly large scale, each site having the intention of spreading malware to the end user.

Gumblar domains were previously injected into iframes of otherwise benign sites using stolen FTP credentials. The new domains are likely still injected using stolen credentials but are now using obfuscated scripts to generate a formulaic Russian domain. The obfuscated scripts are appended to JavaScript files and, within script tags, to HTML files, and create rather lengthy domain names.

The second level domains for these are plentiful. Amazingly, the following list is incomplete and will likely remain so with the constant generation of new redirection domains:

Though the groupings here are obviously all .ru domains, other researchers indicate countless other domains being used in the same way. Many are using dynamic DNS second-level domains, while others have a similar structure to the domains above, only with .cn TLDs, as was the original. Others appear to have no theme and are using .cz, .dk, .de, .nl, and several other country code TLDs. The IPs behind these domains are just as widespread and varied. This list is also likely incomplete:

The full unobfuscated domains look something like this, containing popular domain name snippets in an effort to appear legitimate:

The full URLs will include file requests similar to:
:8080/ts/in.cgi?pepsi[variable numbers]

The files are designed to exploit vulnerabilities in Acrobat, Flash, and Office, and redirect to the final domain for download of the actual malware, which consistently appears to be Bredolab.
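Two defender-side checks for the pattern just described, written as an added example rather than code from this post: a scan of web proxy log lines for the :8080/ts/in.cgi?pepsi requests and the lengthy stitched-brand-name hostnames, and a scan of a site’s HTML or JavaScript file for a script block appended after the real content. The log format, the sample hostnames and page bodies, the brand-snippet list and the length threshold are all constructed assumptions.

```python
"""
Defender-side heuristics for the Gumblar/"Rumblar" redirection described above:
(1) spot the in.cgi?pepsi requests and the stitched brand-name hostnames in a web
proxy log, and (2) find a <script> block appended to the end of a site's HTML or
JavaScript file. Added example, not code from the post; the log format, hostnames
and page bodies are constructed, and the thresholds are assumptions.
"""
import re
from urllib.parse import urlsplit

# Request shape quoted in the post: <host>:8080/ts/in.cgi?pepsi<variable numbers>
GUMBLAR_REQUEST = re.compile(r":8080/ts/in\.cgi\?pepsi\d+", re.IGNORECASE)

# Snippets of well-known names the generated hostnames stitch together (assumed list)
BRAND_SNIPPETS = ("google", "yahoo", "facebook", "microsoft", "youtube", "live", "mail")

def suspicious_host(host: str) -> bool:
    """Lengthy hostname made of several brand snippets under a two-letter ccTLD."""
    h = host.lower()
    tld = h.rsplit(".", 1)[-1]
    hits = sum(1 for s in BRAND_SNIPPETS if s in h)
    return len(h) >= 40 and hits >= 2 and len(tld) == 2

def classify_url(url: str):
    """Return a reason string if the URL looks like a Gumblar redirection request, else None."""
    if GUMBLAR_REQUEST.search(url):
        return "in.cgi?pepsi request on port 8080"
    if suspicious_host(urlsplit(url).hostname or ""):
        return "stitched brand-name hostname"
    return None

# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_proxy_log(lines):
    """Return (client, url, reason) for every line that trips a heuristic."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits

# Markers commonly seen in packed/obfuscated injected scripts (assumed list)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
ESCAPED_BYTE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}")

def find_appended_script(text: str, is_html: bool):
    """Look for a <script> block that sits after </html> (HTML file) or anywhere in a
    .js file (where a <script> tag never belongs). Returns a small report or None."""
    tail = text
    if is_html:
        idx = text.lower().rfind("</html>")
        if idx == -1:
            return None
        tail = text[idx + len("</html>"):]
    m = re.search(r"<script[^>]*>(.*?)</script>", tail, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    body = m.group(1)
    return {
        "length": len(body),
        "markers": [k for k in OBFUSCATION_MARKERS if k in body],
        "escaped_bytes": len(ESCAPED_BYTE.findall(body)),
    }

# Constructed samples (the .test and .ru hostnames are made up)
SAMPLE_LOG = [
    "2010-03-10T10:01:02Z 10.0.0.5 GET http://www.benign-example.test/index.html 200",
    "2010-03-10T10:01:03Z 10.0.0.5 GET http://mail-google-yahoo-facebook-live.redirect-example.ru:8080/ts/in.cgi?pepsi47 302",
    "2010-03-10T10:01:04Z 10.0.0.7 GET http://cdn.benign-example.test/app.js 200",
]
SAMPLE_HTML = ("<html><body><p>Welcome to our site.</p></body></html>\n"
               "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>")

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason}]")
    print(find_appended_script(SAMPLE_HTML, is_html=True))
```

The hostname heuristic is deliberately loose (length, two or more brand snippets, a two-letter ccTLD) and should feed review rather than an automatic block; the in.cgi?pepsi pattern is specific enough to block outright. A site owner cleaning up after an FTP credential compromise can run find_appended_script over every .html and .js file to locate the injected tail.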

The Bredolab downloader has been tied to Gumblar from the beginning and is still being served by the malicious domains, ultimately serving up rogue AV and information theft end-goal malware. The information theft malware is there to grab FTP credentials and perpetuate the whole cycle. Bredolab has also been found in mass spam campaigns since late last year, attached to emails purporting to represent DHL, UPS, Facebook, Western Union, ISPs, fake e-card senders and “potential girlfriends.”

You may have come across one like:

Subject: Facebook Password Reset Confirmation.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

The Facebook Team

If many benign sites are hosting the final malware download due to the hijacking mechanism, blocking the redirection attempts would be the best course of action. It is also necessary for the owners of the hijacked sites to clean up the injected redirection domains or malicious files, and for end users to keep their software updated in an effort to negate exploits.

The Pepsi Challenge
Many of the files requested on the redirect domains have something similar to

I just find this amusing, because one of the Gumblar sites reported here hosted “/rimages/coke.php”. It’s nice that we have a choice of malicious beverage and, while I prefer Coke, it seems Pepsi is the choice of the new “Rumblar” generation of domains.

Matt Sully
Threat Research & Analysis

AV Plays Catch Up

No security or AV company is equipped with a procedure, independent of hardware or personnel requirements, that can easily keep up with the daily barrage of newborn threats. Shadowserver shows they receive daily unique binaries numbering in the tens of thousands. With the mass amount of malware being created and distributed across the internet, each security company is left with the burden of being unable to “catch ’em all.”

They must then employ a prioritization method of analysis, often leaving data too long in the queue, some collecting dust. Some security companies concentrate on searching for malicious domains and IPs while others concentrate on binary identification, many using a hybrid approach. All, however, are in search of a way to efficiently label these variables as malicious or benign, trying desperately to keep pace with the release of new malware.

AV companies have of course felt the strain of keeping up with the Joneses and for fear of looking inferior have made the choice to often “borrow” the conclusions made by other AV groups.

According to this “Analyst’s Diary” entry at Kaspersky Lab, an experiment was used to show just how often AV groups rely on one another to categorize samples as malicious in order to appear up to date. From the blog:

“We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies…”

I can’t exactly blame those copycat AV companies for trying to stay on par with others. There is constant pressure, of which all security groups are aware, to try and balance reputation, integrity, and effectiveness. Trying to avoid false positives means evil may slip by unnoticed, while avoiding false negatives means sacrifices in accuracy. A series of check systems could be put in place, but often there is insufficient detail or time for quality assurance, and delays in the conviction process detract from the goal of real-time protection.

Security researchers often collaborate in some way, perhaps only in certain circles, but we do so because each performs their own independent analysis in their own area of expertise, bringing unique input to the table. Our products should behave no differently. Only shared information that meets certain quality requirements should be used, according to the individual company’s ruleset. If a company or security product has nothing to contribute and only relies on the work of others then it has little purpose in this industry, (yet may find success with the right marketing). However, a company will struggle greatly if they dismiss or completely separate themselves from the security zeitgeist.

In recognition of this need for both dependence and originality, Defence Intelligence is working to bring security and internet architecture groups together to create something new and more complete. We want to make a product that takes a more global approach to the threats we’re facing, but also bring a confidence and purpose back to our industry that seems to have waned. A strong offence may rely on a good defence but we need both if we’re ever going to make real advancement on this battleground.

Matt Sully
Threat Research & Analysis

Rumor has it.

Facebook users are being targeted again, but in a more roundabout manner. Rumors are spreading, as rumors do, that an “unnamed app” is integrated into user accounts which is responsible for slowing down facebook and is being used to spy on user activity. (These rumors have not been proven true.)

Users are then advised in the form of ALERTS to delete this unnamed app. The interesting part is that user suspicion of these messages is what gives them their malicious power. A Facebook user would then Google the alert or the keywords “unnamed app” and be directed through several sites to ones serving rogue AV. Using SEO techniques many of the top sites listed are the key redirection sites in this process.

One such site, at the number three spot in our google search:

The domain is found at

Using javascript redirection, we are taken to:

It looks like the referrer might be necessary for the redirection: “Referer:” Otherwise a page comes up with the multiple facebook and SEO terms planted throughout, including some of the original instigating Facebook alert phrases:

“Has your facebook been slow today? Check your application settings, go into ” added to profile”. If you see one in there called “unnamed app” delete it.”

“There is a ” Unnamed App ” spybot on facebook and it may be slowing down Facebook applications or it may be work as a Spyware.”

The page then uses another javascript to direct us to

Looking up comes back with the location of: “”

and “hitin.php?land=20&affid=94801”
is said to be at the location:

This is where we finally download the beginnings of the Rogue AV. A pop up window tells us that “Your computer contaigns various signs of viruses and malware programs presence….” Our browser window has also seemingly disappeared but if you move the warning slightly you can see it resized to hide behind the pop up.

Agreeing to the scan displays the fake scan of our system, going back to for the necessary visual items.

A few more agreements to clean up our system advises us to download “install.exe”, currently only detected by 7 of 41 AV groups.

Other researchers have indicated different redirection paths being taken and different end result fake security tools.
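The referrer-dependent behaviour noted above (a search-engine referral gets the JavaScript hop, a direct visit gets the keyword-planted page) can be checked for mechanically. The following is an added example, not code from this post: probe() fetches a page twice, with and without a Google Referer, and reports whether a script or meta-refresh redirect appears only for the referred request, plus how much of the direct page is made up of the planted SEO terms. The fetch callable, the page bodies and the doorway.example URL are constructed stand-ins; the same probe works with a real HTTP client supplied as the fetch argument.

```python
"""
A check for the referrer-gated redirection the post describes: the doorway page hands a
search-engine referral a JavaScript hop, while a direct visit gets the keyword-stuffed
page that Google indexed. Added example, not from the post; probe() takes any
fetch(url, headers) -> body callable, and fake_fetch and the page bodies below are
constructed stand-ins for a real HTTP client and the real pages.
"""
import re
from urllib.parse import urljoin

# JavaScript and meta-refresh redirect forms to look for in a page body
JS_REDIRECT = re.compile(
    r"""(?:window\.location|document\.location|location\.href|top\.location)\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE)
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.IGNORECASE)

# Terms from the rumour the doorway pages were built around (taken from the post's quotes)
SEO_TERMS = {"facebook", "unnamed", "app", "spybot", "spyware"}

def extract_redirect_targets(base_url: str, body: str):
    """Absolute URLs of every script/meta redirect found in the body."""
    found = JS_REDIRECT.findall(body) + META_REFRESH.findall(body)
    return [urljoin(base_url, t) for t in found]

def keyword_density(body: str, terms) -> float:
    """Share of visible words that are planted SEO terms (tags stripped first)."""
    words = re.findall(r"[a-z]+", re.sub(r"<[^>]+>", " ", body).lower())
    return sum(w in terms for w in words) / len(words) if words else 0.0

def probe(fetch, url: str, referer: str = "https://www.google.com/search?q=unnamed+app"):
    """Fetch the page with and without a search-engine Referer and compare behaviour."""
    direct = fetch(url, {})
    referred = fetch(url, {"Referer": referer})
    direct_targets = extract_redirect_targets(url, direct)
    referred_targets = extract_redirect_targets(url, referred)
    return {
        # redirect only when a search engine sent the visitor: the cloaking the post saw
        "referer_gated": bool(referred_targets) and not direct_targets,
        "redirect_targets": referred_targets,
        "doorway_keyword_density": keyword_density(direct, SEO_TERMS),
    }

# Constructed stand-in for an HTTP client, reproducing the behaviour the post observed.
DOORWAY_BODY = ("<html><body>Has your facebook been slow today? Check your application "
                "settings. If you see one called unnamed app delete it. There is an Unnamed App "
                "spybot on facebook and it may work as a Spyware.</body></html>")
HOP_BODY = "<html><script>window.location='/next.php';</script></html>"

def fake_fetch(url, headers):
    """Simulated server: a Google referral gets the hop, everyone else the doorway page."""
    if "google." in headers.get("Referer", ""):
        return HOP_BODY
    return DOORWAY_BODY

if __name__ == "__main__":
    print(probe(fake_fetch, "http://doorway.example/"))
```

Recording the redirect target rather than following it is deliberate: each hop in the chain can be looked up and blocked on its own, and the probe never needs to reach the rogue AV download at the end.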

As for the unnamed app it is said to just be the “boxes” tab on your Facebook profile.
“The Boxes tab contains application profile boxes. A user or Page will have a Boxes tab added to their new profile by default if they currently have application boxes that do not support integration with the main profile/Page left column or if they have more profile boxes than can fit into the main profile/Page left column (more than 5).” (

Removing it seems to be both nondestructive and reversible. According to
“to put back your boxes tab:

1. go back to the page where you removed the Unnamed App from.
2. select “edit settings” for an app under the “added profile boxes” section
3. click remove, then click add when it appears.”

Matt Sully
Threat Research & Analysis

Blogspot Whammies

I enjoy seeing what the world has to say from time to time and, to give everyone’s voice a fair shake, I will often click “Next Blog” in Blogspot’s standard blog header. I know that Blogspot pages are now a popular point of redirection for initiating malware download, especially with Koobface. I also know that rogue AV is the gravy train of scam software and is now being promoted through Koobface. Now when I go gambling I never win anything, but it appears the Blogspot “Next Blog” slot machine has shown up all cherries. Well, maybe lemons.

In a very swift redirection I was brought to “”. This was supposed to perform a “scan” of my computer as is customary with rogue AV, but Firefox was kind enough to report this as a “Reported Attack Site!”
Let’s take a peek at “” and see what this family of rogue AV looks like. Maybe I know some of your relatives. A A NS NS NS NS

Name: Lian S Richard
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Administrative Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510
Phone: +5.3017560166
Fax: +5.3017560166

Technical Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Nameserver Information:

Create: 2009-10-28 18:44:36
Update: 2009-10-29
Expired: 2010-10-28

What else is going on at these IPs?

Passive DNS over at reveals the following: A A A A A A A A A A A A A A A A A A A A A A A A A PTR A A A A A A A A

And we find another IP: A A A A A A A A A A A A A A A A A A A A A A A A A

Well, rogue AV is obviously the name of the game here. Let’s look on a larger scale at the AS level. is under AS13237 (LAMBDANET). reports 200 domains under Lambdanet, the majority of which relate to rogue AV. points to AS34305 (EUROACCESS).

They are small time with only 23 domains reported by They consist of rogue AV and Zbot.

The big guy comes with AS49038 (RICCOM) which was over the IP

326 Riccom domains were reported by, and only about seven were unrelated to rogue software.

There’s a dozen other IPs mixed in here going back to March, but most notable is which also comes up under AS29550 (EUROCONNEX). This IP gem has hundreds of domains pointed to it in relation to rogue software, such as: A A A A A A A A A A A A A A

just to list a few. This also leads back to Koobface and the “2008 ali baba and 40, LLC” which you can read about in Dancho’s blog from September. It looks like was part of a large family after all. No surprise there. I’m sure I’ll be bumping into you again.
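The pivot performed by hand above, from a seed domain to the IPs it resolved to, to every other name passive DNS has seen on those IPs, to the ASN each IP belongs in, as an added example (not the post’s own tooling, nor the passive DNS service’s API). The records, hostnames and RFC 5737 addresses are constructed; the AS numbers and names are the ones cited in this post, but the prefix-to-ASN table that maps the placeholder addresses onto them is an assumption.

```python
"""
The pivot the post performs by hand: seed domain -> the IPs it resolved to -> every
other name passive DNS has seen on those IPs -> the ASN each IP sits in, with a
per-ASN tally. Added example, not from the post; the records are constructed, the IPs
are RFC 5737 documentation addresses, and the hostnames are made up. The AS numbers
and names are the ones the post cites; the prefix-to-ASN table is an assumption.
"""
from collections import defaultdict
import ipaddress

# Constructed passive-DNS observations as (rrname, rrtype, rdata)
PDNS_RECORDS = [
    ("scanner-pro-alpha.example", "A", "192.0.2.10"),
    ("scanner-pro-beta.example", "A", "192.0.2.10"),
    ("scanner-pro-beta.example", "A", "198.51.100.20"),   # moved between hosts
    ("scanner-pro-gamma.example", "A", "198.51.100.20"),
    ("zbot-panel.example", "A", "198.51.100.20"),
    ("unrelated-shop.example", "A", "203.0.113.30"),
    ("10.2.0.192.in-addr.arpa", "PTR", "scanner-pro-alpha.example"),
]

# Prefix -> (ASN, name). ASNs/names from the post; the prefixes are placeholders.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 13237, "LAMBDANET"),
    (ipaddress.ip_network("198.51.100.0/24"), 49038, "RICCOM"),
    (ipaddress.ip_network("203.0.113.0/24"), 34305, "EUROACCESS"),
]

def asn_for(ip: str):
    """Longest-prefix lookup is unnecessary here: the placeholder prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in ASN_TABLE:
        if addr in net:
            return asn, name
    return None, "unknown"

def build_index(records):
    """name -> {ips} and ip -> {names}, from A records only (PTR/NS are ignored here)."""
    name_to_ips, ip_to_names = defaultdict(set), defaultdict(set)
    for name, rrtype, rdata in records:
        if rrtype == "A":
            name_to_ips[name].add(rdata)
            ip_to_names[rdata].add(name)
    return name_to_ips, ip_to_names

def pivot(seed: str, records, max_hops: int = 2):
    """Breadth-first expansion names -> IPs -> names. max_hops bounds the walk so one
    shared-hosting address does not pull in everything it ever served."""
    name_to_ips, ip_to_names = build_index(records)
    names, ips, frontier = {seed}, set(), {seed}
    for _ in range(max_hops):
        new_ips = set().union(*(name_to_ips[n] for n in frontier)) - ips
        ips |= new_ips
        new_names = set().union(*(ip_to_names[ip] for ip in new_ips)) - names
        names |= new_names
        frontier = new_names
        if not frontier:
            break
    return names, ips

def summarize_by_asn(ips, records):
    """How many distinct names passive DNS has seen on the pivoted IPs, per ASN."""
    _, ip_to_names = build_index(records)
    per_asn = defaultdict(set)
    for ip in ips:
        per_asn[asn_for(ip)] |= ip_to_names[ip]
    return {asn: len(hosts) for asn, hosts in per_asn.items()}

if __name__ == "__main__":
    names, ips = pivot("scanner-pro-alpha.example", PDNS_RECORDS)
    print("related names:", sorted(names))
    print("ips:", sorted(ips))
    for (asn, owner), count in sorted(summarize_by_asn(ips, PDNS_RECORDS).items()):
        print(f"AS{asn} ({owner}): {count} names")
```

max_hops is the important knob: on shared hosting a single address can carry thousands of unrelated names, so a second hop from such an address would swamp the result with innocent bystanders. The per-ASN tally is what turns a handful of lookups into the “majority rogue AV” observations above, and it is also the number to watch when deciding whether a whole prefix, rather than individual domains, deserves a block.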

Matt Sully
Threat Research & Analysis

Something is rotten in the state of security.

Users of Symantec’s Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to Norton’s update servers.

This wouldn’t be news in and of itself, but it seems that Symantec doesn’t want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can’t turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home here

VirusTotal shows no hits

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they’ve been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn’t intended to do any harm.

Nice of them to respond…

But won’t they let people talk about it on the msg boards?

Why the secrecy Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

“David Cole, senior director of product management at Symantec, said the PIFTS file was part of a ‘diagnostics patch’ shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.”

As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, “hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.”

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like ‘hey, how come part of your software wants to access the Internet?’

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn’t that have saved everyone a lot of trouble?

Coin Toss

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch all for security.

A 50% success rate is unacceptable. It is a coin toss – 50/50 chance – that your network is secure.

“The average delay in detection and remediation was 54 days.”

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn’t in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn’t like having your house robbed.

It’s like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must – MUST – move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven’t the good guys evolved?

The numbers speak for themselves:

“About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware — even within organizations running up-to-date antimalware tools.”

“Antivirus software immediately discovered only 53 percent of malware samples.”

“Another 32 percent were found later on, and 15 percent were not detected at all.”

Now you may be thinking that 15% doesn’t sound like a lot, that maybe that’s an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20-30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?

The Enemy Within

Two weeks ago, users of AVG’s virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file – only to find that they were now stuck in an endless cycle of reboots.

User32.dll is a core Windows file, not, as AVG identified it, a Trojan Horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying Malware, nor is it the first time an Anti Virus company has recommended users remove core Windows files.

In December of last year, Anti Virus company Kaspersky Labs decided that a Virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.

Even Microsoft is guilty of such casual coding. In 2007, Microsoft’s OneCare, an Anti Virus product, when used with Internet Explorer 7, was flagging Google’s Gmail as a Virus. Even Microsoft’s own products weren’t safe, with OneCare regularly quarantining or deleting all of the email in a user’s inbox.

AV companies tout their wares as the silver bullet for personal protection. You know this isn’t true. I know this isn’t true. So, why doesn’t everybody else?

It was bad enough that the generic, non-technical computer user didn’t know that his Anti Virus software is only protecting him from a small percentage of modern threats. Now we also have to let them in on the secret that their “protection” might sometimes do more harm than good.

Cyber Security Event for the Government of Canada and IT Industry

Dear Friends and Colleagues:

On behalf of the Canadian Internet Registration Authority (CIRA), I am pleased to invite you to attend a special Cyber Security meeting to be held at the Crown Plaza Ottawa, September 23, 2008.

Cyber Security is critical to ensuring the integrity of the network infrastructure of the federal government. This Cyber Security meeting offers an opportunity to discuss, share and learn what we can do and what we should do to respond to modern Cyber Security threats. It will be comprised of four sessions ranging from cyber-attacks, evolution of the modern malware, latest updates on the Kaminsky DNS Vulnerability and Electronic Espionage. Is the Government of Canada well safeguarded against these threats?

Topics include:

Update on the Kaminsky DNS Vulnerability

Christopher Davis, CEO Defence Intelligence

The Evolution of the Threat: From Fun to Profit

Christopher Davis, CEO Defence Intelligence

Meaghan Molloy, Threat Analyst Defence Intelligence

Information Protection Capability Gap

Aron Feuer/Wayne Boone, Cygnos IT Security

Cyber-Attacks: Experiences From the Trenches

Bill Woodcock, Packet Clearing House

We are delighted to welcome Mr. Bill Woodcock to this meeting. Bill Woodcock is research director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Bill has operated national and international Internet service provision and content delivery networks since 1989, and currently spends most of his time building Internet exchanges in developing countries.

This is a meeting not to be missed!

This CIRA Cyber Security event is limited to 60 participants. We urge you to register!


Norm Ritchie

Chief Information Officer
Canadian Internet Registration Authority (CIRA)