RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study although fully self contained is the first of a series of reports, on a monthly basis there will be a follow up to report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

Document available for download from hostexploit.com

Video of the Exploitation of a PC User - YouTube

RBN – Out with the New and in with the Old – Mebroot

The Russian Business Network (RBN) is using one of their usual deceptive approaches of confusing by the use of old domains and recycling exploit techniques, this is the case with Mebroot. There has rightly been a great deal of press (see links below) concerning Mebroot as identified by Symantec on Jan 8th 08. This is a rootkit exploit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). This is still deadly and a difficult exploit with is its ability, once established and undetected it confound most anti-virus software, the purpose is to hijack the user’s PC which will then redirect to download other exploits to steal banking information and ID theft. Good news is there are some straight forward detection and removal tools e.g. GMER – also see on their website a great write up of how a rootkit actually works.




So what is new? Well the exploit sites are now using a fast-flux P2P botnet and the exploit is polymorphic i.e. the ability to alter its form and mutate. But this approach is the same old stuff by a different name, it is: Torpig, Anserin, Gromozon, etc……even using some of the old domains for distribution. So where does the “new” exploit names come from, unfortunately us. Our constant reductionist approach to BadWare is utilized by RBN to confound and we play right into their hands, every time we rename their stuff it makes it easier for them to blend into the confusion. The old is forgotten or not reported and they reuse the old stuff all over again, when we all start using a commonly accepted holistic linguistic approach to the problem, we may win this war.

For details a “small” sample, especially for our Italian Gromozon readers:

This particular example callsolutions(dot)biz is on one of our old friends Pilosoft AS26627, with a bunch of RBN’s “very young” erotic sites sharing the name server – a(dot)ns(dot)joker(dot)com.

As a comparative link, and no RBN blog article would be complete without mention of the RBN’s US division – kopythian(dot)com - Atrivo AS27595; AKA Inhoster, Intercage, and pecb(dot)cc at Atrivo’s Cernal AS36445.

Also just so no-one could say we are picking on Atrivo or where is the RBN link? See the following “joining up the dots” of a very small sample out of 100’s of exploit domains on the same Atrivo name server managedns1.estboxes.com:

2007postcards(dot)com (Storm),
malwareburn(dot)com (rogue anti-virus),
procodec(dot)com (fake codec),
virusheal(dot)com (rogue anti-virus),
xxl-cash(dot)com (RBN payment site) –
plus a cryptic graphic for our readers from the RBN so they know this is not guesswork.

IP figures:







Gmer - anti-rootkit download

Gmer - how a rootkit works

Symantec - Mebroot article

BBC - Mebroot

RBN - Storm Botnet, the Changing Chessboard

In a follow up to the earlier Russian Business Network (RBN) "New and Improved Storm Botnet for 2008" the chessboard changes yet again. In this game of chess our opponents started over Christmas with a full frontal attack, but have already now switched to a flanking moves. Perhaps on this occasion the community may be able to slow down the advance to force a draw or maybe even win this particular game of chess?

The key is to understand and combat the Storm 2008's innovative elements and attempt to quantify progress of the game. With the aid of early analysis by Thorsten Holz / The German Honeynet Project and based on limited initial data we have attempted to produce a predictive trend analysis of the Storm Botnet to rebuild and reach 1 million PCs. This is shown in figure 1, given current analysis shows a growth from say 10,000 on Dec-22 to 30/40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by Mid Feb 08.

So at least a we now have a potential game progress definition; for the RBN it would be a disappointment if they did not easily clear this target, for the community the aim is to limit the target. Game on?

To play this game we all better know the rules of deception, on a current assessment of progress against the innovative Storm elements:

# First the good news so far 2,147 fake and or infected Blogspots have been detected and are flagged by Google as shown in the StopBadWare clearing house.

# Further good news on checking most of the Storm attack domains (see list below) are either SBL or XBL listed on Spamhaus et. al.

# Some confusion in the ranks as assumptions are made as to locations or even selective attacks. As described elsewhere the botnet control panel(s) are now much more sophisticated, with the ability to decide which geographic region and areas to attack. Interestingly if the PC still subject to earlier infection there will be no further re-infection. # As noted the polymorphic nature is clearly present to confuse i.e. the virus or exploits have the ability to alter its signature in an attempt to combat anti-virus tools.

# Most worrying is the constant stream of domains and the "fast-flux" technique used to avoid detection as mentioned in this case is actually “double-flux” characterized by multiple nodes within the network registering and de-registering their addresses. This implies as fast as IPs are block listed, it would seem "Snort" which is capable of performing packet logging and real-time traffic analysis on IP networks, may at last demonstrate its earlier promise.

# Finally it is fairly safe to predict there will be further attacks on the search engines and via social engineering i.e. Face Book, etc.


The current Storm attack domains and related fakes (also ref links below: Malwaredomains, Emerging Threats, honeywall blog, and US Cert) although of limited number to begin with are now:
10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com - eqcorn(dot)com - familypostcards2008(dot)com - freshcards2008(dot)com -happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com - hohoho2008(dot)com - kqfloat(dot)com - ltbrew(dot)com - mymetavids(dot)com - obebos(dot)cn - parentscards(dot)com - postcards-2008(dot)com - ptowl(dot)com - qavoter(dot)com - santapcards(dot)com - santawishes2008(dot)com - siski(dot)cn - snbane(dot)com - snlilac(dot)com - tibeam(dot)com - tushove(dot)com - wxtaste(dot)com - yxbegan(dot)com

The specific Storm exploits have overlapped with fake anti-malware and fake codecs which are polymorphic in their nature: ArcadeWorld(dot)exe - ArcadeWorldGame(dot)exe - ClickHere(dot)exe - codecnice1126(dot)dmg - codecnice1126(dot)exe - codecultra1123(dot)dmg - codecultra1123(dot)exe - ecard(dot)exe - fck2008(dot)exe - Flash_Postcard(dot)exe - FlashPostcard(dot)exe - Full Story(dot)exe - FullClip(dot)exe - FullNews(dot)exe - FullVideo(dot)exe - GreetingCard(dot)exe - GreetingPostcard(dot)exe - happy_2008(dot)exe - happy2008(dot)exe - Install_video_3913230(dot)exe - MoreHere(dot)exe - NflStatTracker(dot)exe - Postcard(dot)exe - Read_More(dot)exe - ReadMore(dot)exe - sony(dot)exe - stripshow(dot)exe - Video(dot)exe - VideoAccessCodecInstall(dot)exe - virusranger(dot)exe - vrsvc(dot)exe

Storm Growth analysis - German HoneyNet
Malwaredomains
Emerging Threats
US Cert

RBN – New and Improved Storm Botnet for 2008

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

Many will now have already seen reports of the Storm Botnet outbreak which started on December 24th “MerryChristmasDude” with good write up at ComputerWorld and for technical details at ISC Sans or HolisticInfoSec (links on footer). This picture is changing rapidly and by December 26th there were new web sites “Uhavepostcard” , “HappyCards2008” and no doubt more to come over the next few days.


Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)” in chronological order:
Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007
Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007


The key objective for the RBN is to rebuild the Storm Botnet which is shown in various reports over the last few months, from a few million enslaved PCs to more recently a few 100,000’s. One can only further guess as to what the RBN’s main goal is to use a rebuilt Storm Botnet for, e.g. earlier DDOS (Denial of Service attack) on Estonia.


There are some interesting elements concerning which make this attack innovative:

# Although much of that detected is conventional spam, however there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links for example on a small sample;

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the suffix is “pewtkk153traj” which redirects to Geocities web sites and then a further redirect to the Storm exploit domains.


# Although most have identified as the Zhelatin Storm email worm or variant, it is also as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.


# The fast-flux technique used to avoid detection in this case is actually “double-flux” characterized by multiple nodes within the network registering and de-registering their addresses (see sample maps below taken within one hour periods and show the fast-flux DNS changes). It is also safe to say this newer Storm Network has now also has improved defense mechanisms, if examined too closely.

Computerworld - Storm Worm Christmas
Computerworld - Storm New Year
ISC Sans - Anticipated Storm
HolisticInfoSec

RBN – Fake Codecs

With the ongoing tracking of “fake” software websites related to the Russian Business Network (RBN) and their associates it is important to note the growth of the fake codec websites. A codec is a small program that's allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.









Figure 1. Sample “fake” codec site - Gamecodec.com



This article is cumulative snapshot report based upon current and historical community reporting from; Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:

• Currently shown here (see fig. 2 below) 53 active, with the 60 earlier reported mostly dormant domains (see fig. 3 below) provides for a total of at least 113 “fake” codec web sites operational over an 18 month period. It would appear many of the active domains alternate on a regular basis from being non resolvable (apparently offline) to online.

• The prime exploits from these sites are (a) Zlob - shows fake error messages and silently installs fake anti-spyware products. (b) DNSChanger silently adds rogue DNS name servers to your PC or Mac. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue and could potentially re-routes traffic from legitimate web sites to other suspicious web sites. Ref peki.blogspot
  

Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans and that not all the sites listed will spawn Mac stuff.

• These exploits are designed for Mac and Windows users; with the attack vector similar to the “fake” anti-spywares however the technique is varied by constantly emerging new domains but mostly to a singular web landing page interface.

• Most importantly all 113 domains are or were registered with Estdomains, similarly all of the active 53 domains in fig. 2 are hosted by AS27595 by Atrivo; AKA – Intercage, Inhoster, Cernal, etc. Also added should be AS 36445 a newer Autonomous Server apparently used by Cernal. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL

Figure 4 - Sample IP Map - Zerocodec