Hacking & Security
Memorial Day is celebrated on May 27 and it is a day for memorializing the men and women who have died in military service for the United States. It is a common practice for cybercriminals to take advantage of events and holidays. This year, various spam messages related to Memorial Day have begun flowing into the Symantec Probe Network. We have observed that most of the spam samples encourage users to take advantage of clearance sales on cars and trucks. Clicking the URL will automatically redirect the user to a website containing some bogus offer.
Figure 1: Memorial Day financial spam
A variety of subject lines have been observed related to the clearance sale spam attacks for Memorial Day:
- Subject: Memorial Day Auto Special On Every New Truck
- Subject: Memorial Day Celebration - Half Off xxx Vehicles
- Subject: Memorial Day Special, All Auto Models On-Sale
- Subject: Memorial Day Savings on all new vehicles
- Subject: Memorial Day xxx Clearance Sale
- Subject: Huge new car Memorial Day Clearance!
Other spam samples have encouraged users to take advantage of bogus offers on weight loss and pharmaceutical products. After clicking the URL, users are taken to a web page where the fake products are sold. Users should be wary of spam attacks offering deals like these.
Figure 2: Memorial Day weight loss spam
Figure 3: Fake pharmaceutical web page for Memorial Day
Symantec advises our readers to be cautious when handling unsolicited or unexpected emails. We, at Symantec, are constantly monitoring spam attacks to ensure that readers are kept up-to-date with information on the latest threats.
Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers – the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.
Earlier this year, the closely-guarded English-language crime forum darkode.com was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, darkode.com welcomed a new member — a bulletproof hosting broker aptly named “Off-sho.re” — who promised to defend the site from future DDoS attacks.
Off-sho.re also said he could offer more robust and crime-friendly hosting services than darkode’s previous provider — Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean. Off-sho.re’s timing was perfect: Darkode desperately needed both, and Off-sho.re seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting.
STOPHAUS V. SPAMHAUS
Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, Off-sho.re was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group Spamhaus.org.
Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of one bulletproof hosting provider in particular: a network known alternately as CB3ROB, a.k.a. “Cyberbunker,” because it operated from a heavily fortified NATO bunker in The Netherlands.
Off-sho.re is moderator of the Stophaus forum, and not long after joining darkode.com, he was recruiting fellow darkode members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of 0ptik’s domains, as well as virtually all of the IP address ranges Off-sho.re had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.
In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen used in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger.
“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” Off-sho.re wrote in a darkode.com posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup from Cloudflare.com about the attack, Off-sho.re stated that “Some BP hosters were lately united, check out our latest prank.”
Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to Off-sho.re, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” Off-sho.re wrote in an online chat with KrebsOnSecurity.
If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that Off-sho.re very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.
According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.
“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys – Vincent Chan – fake Chinese products.”
Oddly enough, this coincides with Off-sho.re’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode, Off-sho.re referenced his bulletproof hosting sales threads at two Russian-language forums — exploit.in and damagelab.org. In these threads, which began in Sept. 2012, Off-sho.re advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, Off-sho.re proudly announced that he was offering a premiere BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB (see screenshot to left).
The attack that hit Spamhaus — known as a DNS reflection and amplification attack — leveraged unmanaged DNS servers on the Web to create huge traffic floods. DNS servers act as the white pages of the Internet, transforming or “resolving” human-friendly domain names into numerical network addresses used by computers. Typically, DNS servers only provide services to machines within a trusted domain. But DNS reflection attacks rely on consumer and business routers equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.
The amplification part of the attack takes advantage of the ability to craft DNS queries so that the responses are much bigger than the requests; they do this by leveraging an extension to the DNS protocol that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.
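To make the mechanics above concrete from the resolver operator's side, here is an added example (not from the original article) in stdlib-only Python: it builds the small EDNS0 query the text describes, parses it back, and applies the recursion ACL that an “open recursive” server is missing. The allowed network ranges and the byte counts used for the ratio are constructed sample values.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, edns_udp_size=4096, txid=0x1234):
    """Header with RD set, one question, and an EDNS0 OPT pseudo-RR that
    advertises a large UDP buffer: about 40 bytes on the wire for example.com."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def parse_query(wire):
    """Return (name, qtype, recursion_desired, edns_udp_size or None)."""
    _txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", wire[:12])
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    pos += 4  # skip QTYPE and QCLASS
    edns = None
    if ar and wire[pos] == 0 and struct.unpack("!H", wire[pos + 1:pos + 3])[0] == 41:
        edns = struct.unpack("!H", wire[pos + 3:pos + 5])[0]
    return ".".join(labels), qtype, bool(flags & 0x0100), edns

def should_recurse(src_ip, wire, allowed_nets):
    """Resolver-side recursion ACL (the check an 'open recursive' server lacks):
    recursive queries are answered only for clients inside allowed_nets, so a
    spoofed request from an arbitrary source address gets no amplified reply."""
    _name, _qtype, rd, _edns = parse_query(wire)
    if not rd:
        return True  # non-recursive lookups of locally served data are unaffected
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in allowed_nets)

def amplification(request_bytes, response_bytes):
    """Response-to-request size ratio; the 60-70x figure in the text is this value."""
    return response_bytes / request_bytes
```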
I reached out to Off-sho.re via instant message to ask why he thought it was okay to hijack servers that belonged to someone else for use in attacks on third-parties.
“No one launched or abused any attack, all DNS resolvers were machines that had this option open,” Off-sho.re explained. “No bots were used and no one was infected. The individuals who did the attack, didn’t harm any computer in order to launch it. So your question about the legal aspect of this thing is not relevant.”
Rodney Joffe, vice president and senior technologist at Neustar, a Sterling, Va.-based security company that helps firms defend against large cyberattacks, said such attitudes are a common criminal delusion.
“If you want real world analogues you can say, hey, that car was left open so I broke into it,” Joffe said. “That’s like saying, hey, all I did was open the car door, put a brick on the gas pedal and let the car run down the road and smash into someone’s house, but the guy who owned the car shouldn’t have left it unlocked. Put another way, just because I have a non-functioning lock on my door doesn’t give you permission to use my property.”
Off-sho.re insisted he did not directly participate in launching the attacks on Spamhaus. But as I discovered in my reporting, he had no qualms about ordering his minions to attack my site prior to our chat conversation. A few days before I reached out to him, Off-sho.re orchestrated an attack against KrebsOnSecurity.com as a means of vetting a new darkode.com member.
That assault was part of the initiation process for “Abscond,” a hacker who was seeking admittance to darkode.com and who’d claimed his specialty was providing DDoS services. To prove his firepower, Abscond was told to knock one of three sites offline: Darkode.com, krebsonsecurity.com, or xylibox.com (the blog for a French security researcher who goes by the pseudonym “Xylitol”). The conversation below took place between Off-sho.re and Abscond after the latter’s botnet failed to bring down Darkode.com.
[00:01:51] <Off-sho.re> You can try on DK enemy sites as well, that will give you my vouch as well
[00:01:56] <Abscond> ok
[00:01:58] <Abscond> ill try that
[00:02:04] <Abscond> let me try attack first
[00:02:09] <Off-sho.re> Ok.
[00:02:10] <Abscond> and a few mins for bots to come back
[00:02:14] <Abscond> so im at full power
[00:04:26] <Abscond> whats the enemy site?
[00:04:33] <Off-sho.re> there are 2, choose any
[00:04:40] <Off-sho.re> krebsonsecurity.com, xylibox.com
[00:04:47] <Abscond> haha
[00:04:49] <Abscond> krebs
[00:04:52] <Abscond> fkin fagt
[00:05:10] <Off-sho.re> Krebs is on Prolexic
[00:05:15] <Abscond> ok.
[00:05:53] <Abscond> darkode got some good ddos protection
[00:08:26] <Abscond> krebs down?
[00:08:30] <Off-sho.re> Checking
[00:10:13] <Off-sho.re> Krebs is down, well done this time
“I confirm that Abscond can provide DDoS services,” Off-sho.re wrote to the darkode community.
Asked about the incident in a private chat via Jabber, Off-sho.re said the attack on my site was just a “stress test”.
“Regarding the site stress test – nothing personal,” Off-sho.re wrote.
By the way, “stress testing” is the new euphemism for launching DDoS attacks. If you aren’t yet familiar with this term as it relates to online attacks, see DDoS Services Advertise Openly, Take PayPal, and Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?
Off-sho.re’s attitudes about ownership and what’s legal and acceptable online seem common among denizens of groups like Stophaus and other grey- and black-hat hacking collectives: that if something can be done then it must be legal, allowable and otherwise okay. The governing mantra of these folks seems to be, “what’s-mine-is-mine and what’s-yours-is-mine, too.”
Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber/espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week and this Q&A will provide additional information relevant to Symantec around this group.
Q: Do Symantec and Norton products protect against threats used by this group?
Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud also detects the targeted emails used by this group.
Q: Has Symantec been aware of the activities of Operation Hangover?
Yes. As called out in our initial blog, multiple security vendors have been tracking this group. Symantec has been privy to information surrounding this group for a period of time and has been actively tracking their work while ensuring that the best possible protection was in place for the various threats used by them.
Q: Where does the name Operation Hangover come from?
Norman and Shadowserver derived the name Operation Hangover from one of the most prevalent pieces of malware used by this group, which contains a project debug path including this name.
Q: How does a victim get infected?
The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Figure 1 shows the different stages in the Operation Hangover attack.
Figure 1. Operation Hangover attack
The email contains a malicious attachment that, if opened, infects the victim's system directly or attempts to use an exploit against it. If successful, the first stage malware is loaded onto the victim’s system. This malware is, for the most part, from a family of Visual Basic downloaders known as Smackdown.
Following reconnaissance of the infected system, the attacker can then decide whether to download the second stage of malware, which consists of information stealers mostly written in C++ from a malware family known as HangOve. Several possible modules from the HangOve family can be downloaded, which perform the following tasks:
- Screen grabber
- System gathering
Q: Does Symantec know who this group is targeting?
Yes. Symantec telemetry has identified Pakistan as being the main target of this attack. With defense documents being used as a lure in these attacks, it would suggest the targets of interest are government security agencies. Symantec has however also observed this group taking part in industrial espionage in countries outside of Pakistan.
Q: How widespread is the threat?
As seen in Figures 2 and 3, Symantec telemetry reports Pakistan as the main country impacted by this group. These findings correspond to other researchers’ findings in relation to this group. As previously stated, it is also evident that the operations of this group do not solely focus on one target or region.
Figure 2. Heat map of Symantec telemetry for Operation Hangover related detections
Figure 3. Top 10 countries showing Symantec telemetry for Operation Hangover detections
Q: What name does Symantec give to threats used by this group?
Symantec has detection in place for the threats used by this group under the following detection names:
For Symantec customers to identify this group, we are remapping the main components of this campaign to the following:
The following Intrusion Prevention Signature (IPS) is also in place.
- System Infected: Trojan.Hangove Activity
Q: Do Symantec/Norton products protect against known exploits used in this campaign?
Yes. The known vulnerabilities being used by this group are listed below along with the Symantec protections. At this time there is no evidence to suggest that the group is using, or has at any time used, a zero-day vulnerability in their attacks.
Q: How will this report affect the group orchestrating Operation Hangover?
Similar to other cases, despite the exposure of the Operation Hangover group, Symantec believes they will continue their activities. Symantec will continue to monitor their activities and provide protection against these attacks. As always, we advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups of this kind.