Anatomy of computer crime

Note: Followup to this entry at http://tacit.livejournal.com/240750.html

So apparently, Macintosh users are now the targets of Eastern European organized crime.

First, a bit of backstory. Last December, I wrote an article about how I had done a Google search for my name and uncovered a massive hacking attack against a Web hosting company called iPowerWeb. iPower, a company in Phoenix, Arizona, has trouble securing their Web servers, and Russian organized crime can hack any Web site hosted by iPower completely at will.

That was last December. Today, as I write this, iPower still has not fixed their server security; each day, a whole crop of new Web sites hosted by iPower is hacked, and the hackers plant redirectors on the site that are designed to snare unwary visitors and send them to servers in Eastern Europe that attempt to infect users with computer viruses.

For the past couple of months, I have been emailing iPower every day with new lists of hacked Web sites they're hosting. Each day, I bug them to fix their computer security. Each day, they remove the virus redirectors that I tell them about, but they do not fix their server security; so the next day, more of their Web sites are hacked. Some poor sots who host Web sites with iPower have had their sites hacked over and over again.

In the past 48 hours, the nature of the hacks has changed. Between December and now, the hacks were all the same: the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory named /bad, and then create a directory with a one- or two-digit number as its name. The redirector pages would go in the numbered directory. This made spotting hacked iPower Web sites trivially easy.

About two days ago, the hackers began changing the naming scheme of the directories. This led me on a path to discovering an entire network of compromised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.

And they're distributing Mac viruses now, too.



If you haven't read the earlier post that I linked to above, now would be a good time to do so. It's OK, I'll wait.

Back? Good. Until a couple days ago, finding the hacked sites on iPower was a breeze, because the directory structure was always the same and the hackers used the same keywords to try to poison Google searches. Now, however, the hackers have changed the naming structure of the directories, and they are no longer using the same keywords to try to snare Google searches. They're not using my name often any more, for example.

They are using a number of sex- and porn-related keywords, though, some of which are very unusual. The Google cache of hacked iPower Web sites provides an easy way to compile lists of words and phrases common to all the hacked sites, and searching Google for these words and phrases yields a treasure trove of Web sites that have been hacked.

Interestingly, these words and phrases also show up in many, many forum posts, almost all of them on forums running phpBB or phpNuke software, and invariably old, insecure versions of this software.

It also produces lists of domains with strange names, such as http://6.bgmww-news.info and http://3.vxwzj-news.info.

WARNING *** WARNING *** WARNING

The links here and elsewhere in this post are live. As of the time of this writing, they redirect to active virus distributors which can and will infect unpatched Windows computers, and in one case will try to infect Mac computers, with a virus. DO NOT click on these links if you don't know what you're doing. DO NOT allow any of these sites to download or install software onto your computer.

So we see a pattern: certain words and phrases, appearing over and over again in hacked Web sites hosted by iPowerWeb, and also appearing in messages placed on hacked phpBB and phpNuke forums, and also appearing in domains with strange names.

In each case, visiting one of the hacked iPower Web sites, reading one of the messages in a hacked forum, or visiting one of the strange domains does the same thing. And, interestingly, it reveals an elaborate network of computers all intended to transmit viruses while obscuring the source of the viruses. Ready to go down the rabbit hole? Here we go!




The central linchpin of the entire network is a site called traffloader.info. Traffloader.info is a Web site hosted by an outfit called leaseweb.com (Edit: As of April 8, 2008, traffloader.info is off Leaseweb and is now being hosted in the country of Moldova), which also hosts the sites with strange domains. If you visit traffloader.info in your browser, you'll see nothing but a blank page; it sends back no HTML code at all. There appears to be nothing there.

But all the hacked iPower Web sites, all the messages placed on hacked forums, and all the strange domains hosted by leaseweb.com redirect to traffloader.info. Specifically, they redirect to a script on traffloader.info called "go.php". Here's how it works.

A person does a Google search for certain common, popular keywords. It might be my name, or "free sex movies," or "build ultralight helicopters"--they create hundreds of thousands of lists of popular keywords, which they place on hacked Web sites, in hacked message board posts, or on domains they either create or hack.

The person sees one of the attack pages in Google and clicks on the Google result. The page or message board post redirects the user to http://traffloader.info/go.php, and usually includes information about where the user came from, presumably so the hackers can tell which particular hacked sites are most effective. The information passed to the script varies, but often includes the name of the hacked site the user came from, and the Google keywords used.

Traffloader.info then redirects the user to any one of a bunch of other sites. These other sites might look like porn sites and try to download a virus disguised as movie player software. They might look like virus scanner sites and try to download a virus disguised as antivirus software. Sometimes, the sites have embedded iFrames or redirectors that will try to download additional files to the user's computer.

I've spent hours tracing the way the system works. Here's a bird's eye overview:

[Diagram: Russian Business Network virus downloader system]

A user clicks on a Google search that leads to a hacked iPower site, a hacked forum post, or a domain hosted by leaseweb.com. The user is redirected to traffloader.info, which records information about where the user came from and what keywords he used. The script at traffloader.info then sends the user to a site such as

adult-youtube-8.com/freemovie/234/0

or

xpantivirus.com/2008/3/_freescan.php

which attempts to download a virus.

The site that the user ends up on seems to be chosen more or less at random (at least if there's a system behind it, I haven't been able to figure out what that system is yet). Some of the sites are more sophisticated than others; some of the sites redirect the user to other sites. For example, traffloader.info will sometimes send the user to a script hosted at chillyclips.com/movie1.php which will in turn send the user to movstube.com/movie1.php.
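The artefacts described above are easy to check for on the hosting side without ever visiting the live redirectors. As an added example (not code from this post, from iPower, or from anyone else named here), the POSIX shell scanner below walks a document root looking for them; the `*-news.info` pattern in step 4 is an assumption generalised from the two domains quoted earlier.

```shell
#!/bin/sh
# Added example, not code from the post: scan a hosting account's document root
# for the artefacts the post describes on hacked iPower sites. It looks for:
#   1. directories named "her" or "bad" (the naming scheme used until late March 2008)
#   2. directories whose name is a one- or two-digit number (where the redirector pages went)
#   3. files that reference traffloader.info/go.php, the central redirect script
#   4. the odd "<digit>.<5 letters>-news.info" domains; this regex is an assumption
#      generalised from the two examples in the post (6.bgmww-news.info, 3.vxwzj-news.info)
#
# scan_webroot DOCROOT   prints each finding; returns 0 if clean, 1 if anything was found.
scan_webroot() {
    docroot="$1"
    hits=0

    # 1. Directory names from the old scheme.
    named=$(find "$docroot" -type d \( -name her -o -name bad \) 2>/dev/null || true)
    if [ -n "$named" ]; then
        echo "[1] suspicious directory names:"; echo "$named"
        hits=$((hits + 1))
    fi

    # 2. Purely numeric 1-2 digit directory names. find -regex is not portable,
    #    so match the last path component with grep instead.
    numeric=$(find "$docroot" -type d 2>/dev/null | grep -E '/[0-9]{1,2}$' || true)
    if [ -n "$numeric" ]; then
        echo "[2] directories named with a 1-2 digit number:"; echo "$numeric"
        hits=$((hits + 1))
    fi

    # 3. Any file (HTML, PHP, forum post dump, ...) pointing at the redirect script.
    redir=$(grep -rlF 'traffloader.info/go.php' "$docroot" 2>/dev/null || true)
    if [ -n "$redir" ]; then
        echo "[3] files referencing the traffloader.info redirect script:"; echo "$redir"
        hits=$((hits + 1))
    fi

    # 4. Throwaway domains of the shape seen on the hacked pages (assumed pattern).
    odd=$(grep -rlE '[0-9]+\.[a-z]{5}-news\.info' "$docroot" 2>/dev/null || true)
    if [ -n "$odd" ]; then
        echo "[4] files referencing a *-news.info throwaway domain:"; echo "$odd"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Run against a real document root only when one is given:  sh scan.sh /var/www/example
if [ "$#" -eq 1 ]; then
    scan_webroot "$1"
fi
```

A non-zero exit makes the function usable from a nightly cron job that mails the findings to the account owner.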

Now, movstube.com is a particularly interesting payload site. Unlike all the other sites, it attempts to attack both Mac and Windows machines; all the other sites host Windows-specific attacks.

The script at movstube.com checks the browser's "user agent". For folks who don't know a lot about how browsers work, each time your Web browser accesses a Web site, it tells the site what it is and what kind of computer you have. When you go to a Web site, your browser might say "Hi there! I'm Internet Explorer 7 running on Windows XP" or "Hello! I'm Safari running on an Intel Mac".

The script at movstube.com looks at this user agent. If it sees a Windows user agent, it attempts to download a Windows virus pretending to be movie viewer software, just like many of the other sites do.

But...

But if the script sees a Mac user agent, it sends the browser to

http://64.28.178.27/download/1023.dmg

The file 1023.dmg is a Macintosh disk image file. It contains an installer that attempts to install a piece of Mac malware variously called OSX/DNSChanger or OSX.RSPlug.A. This is a Trojan horse that attempts to modify the Mac's domain name server settings so that a Mac user who surfs the Web can be redirected to sites controlled by the Russian malware writers without knowing it.

The good news is that the Mac malware can not infect a computer without help. You must choose to install it and you must type your administrator password in order to be infected. The bad news: clearly, the Mac is now on the radar of malware writers.




Some of the sites in the network controlled by traffloader.info are believed or known to be associated with the Russian Business Network, an organized group of Eastern European criminals. The fact that the attacks on iPower use payload sites known or believed to be controlled by RBN suggests strongly that RBN is behind the iPower hacks. It also suggests strongly that RBN is either responsible for or associated with the people responsible for the Mac malware.

I first notified iPower that their Web server security had been breached last December. As of today, there are still new hacked sites appearing on their servers daily.

The whois information shows something very interesting, as well. All of these computers associated with virus distribution -- traffloader.info, movstube.com, xpantivirus.com, chillyclips.com, magicporntube.com, and so on--every one, without exception, is registered by the same registrar: a place called estdomains.com. Each of these Web sites is known to be associated with virus distribution on behalf of organized crime, yet each of them is still active and resolving, and each has the same registrar.

Yep, that's estdomains.com - the choice of organized crime.


Comments (113)
gushi
Mar. 26th, 2008 07:29 pm (UTC)
Well Done.

Now, the question is: what can IPowerWeb (and other hosts) do to fix their security?

How can other hosts be affected by the same kinds of problems?

I have my own theories, here.

-Dan
tacit
Mar. 31st, 2008 04:27 pm (UTC)
I don't know what iPower can do to fix their security; they seem not to care about the problem at all, and they have taken no action save for deleting specific URLs I inform them about.

The owners of phpBB and phpNuke sites need only update their software as new patches come out; the phpBB systems that have been compromised in particular are generally running very old versions of phpBB, and in a lot of cases the sites seem to have been abandoned entirely.

At this point, given that no ISP save for iPower seems to have suffered the large-scale, systematic breach iPower has encountered, I am beginning to believe that someone within iPower is responsible for, or at least complicit in, the attack.
tacit
Mar. 26th, 2008 07:38 pm (UTC)
Re: What happens if you click on a similar link in Firefox?
No. You'll still be in danger of an infection.

The "scripts" here are PHP scripts living on the servers, not Javascripts that are run inside the browser; disabling Javascript in Firefox won't prevent a server-side PHP script from running.

The virus dropper Web sites attempt a number of different exploits, mostly targeted at Explorer vulnerabilities. I don't know if they target Firefox vulnerabilities; I haven't analyzed their behavior using Firefox. In any event, if the attempted exploits don't work, the virus droppers try to trick you into downloading the virus manually; this is a social engineering attack and it doesn't matter what browser you use.
sharq
Mar. 26th, 2008 07:36 pm (UTC)
That's positively craptastic. Thanks for posting that; I submitted it to digg and reddit too. Hopefully it'll do some good and warn people properly.

tanisnikana
Mar. 27th, 2008 12:35 am (UTC)
Do I remember you from somewhere?
ivymcallister
Mar. 26th, 2008 07:57 pm (UTC)
A perfectly innocent looking video link to "adult-youtube-8.com/freemovie/234/0" has popped up on at least three of my LJ groups. It's been deleted each time, but god only knows how many people clicked on it before it was....
marchenland
Mar. 27th, 2008 09:43 pm (UTC)
I (and about 200 other people, many of them my friends) were added by an unknown person today with that link in his user profile. Researching it led me here. (I wouldn't call something with "adult" in it "perfectly innocent looking," ha ha...)

Seems a rather 2-bit operation, though. Makes sense to add people who know each other, since that's how trust-based things like LJ (and Google) work, but why only 200? Why not 2000?
merovingian
Mar. 26th, 2008 08:43 pm (UTC)
Your kung fu is very strong.
griffen
Mar. 26th, 2008 10:22 pm (UTC)
If you've accidentally clicked on a link (there's one in academics_anon), how do you check for malware if you realized immediately and shut the window? It redirected to the adult_youtube_8 site; I closed it immediately. I'm on a Mac.

For those who may not know, the trick it's using right now is posting a "podcast video" with a spinning line wheel in the center, imitating "video loading" from YouTube; if you click on the supposed "stop" button, it takes you to the new site. The entire thing is only an image which is hiding the link.

tacit
Mar. 26th, 2008 10:42 pm (UTC)
If you're on a Mac, you are not infected unless you see a file called "1023.dmg" get downloaded, then appear on your desktop, then a program runs and asks you to type your Mac administrator password in.

The Mac version of this malware can not infect you if you do not type your password. However, if you're still nervous, there's an easy way to check for it.

Open your hard drive. On the top level of your hard drive, you will see a folder called Library. Open it. Inside, look for the folder called Internet Plugins. Open the Internet Plugins folder and see if you can find a file called plugins.settings; if you can, you are infected and if you can't you are not.

If you are infected:

1. Drag the plugins.settings file to the trash and empty the trash.

2. Open the Terminal. It is in your Applications folder, in a folder called Utilities.

3. In the Terminal window, type

sudo crontab -l

and hit return. (Note, the thing after the dash is the lowercase letter L, not the number 1.) You will be asked for an administrator password. Enter it.

4. If it says "crontab: no crontab for root" when you enter your password, you are no longer infected and you can stop here. If it says anything else besides "crontab: no crontab for root" then go on to the next step.

5. Type

sudo crontab -r

in the terminal and press Return. When you are asked for your password, enter it.

6. Restart your Mac. That should take care of it.
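The check in that comment can be scripted so it is repeatable. This is an added example, not code from the commenter: it only reports the indicators from steps 1 and 4 and leaves removal to the steps above, and it uses the real folder name /Library/Internet Plug-Ins, which the comment calls "Internet Plugins".

```shell
#!/bin/sh
# Added example, not code from the post: check-only script for the OSX/DNSChanger
# (OSX.RSPlug.A) indicators described in the comment above. It removes nothing;
# the comment's steps 1-6 are the removal procedure.
#
# dnschanger_indicators ROOT CRONTAB_OUTPUT
#   ROOT            filesystem root to inspect ("" for /, a temp dir when testing)
#   CRONTAB_OUTPUT  the text that `sudo crontab -l` printed (stdout and stderr together)
# Returns 0 when no indicator is present, 1 when something was found.
dnschanger_indicators() {
    root="$1"
    cron="$2"
    found=0

    # Step 1 of the comment: the dropped file in the system-wide plug-ins folder.
    settings="$root/Library/Internet Plug-Ins/plugins.settings"
    if [ -e "$settings" ]; then
        echo "INDICATOR: $settings exists (step 1 of the removal procedure applies)"
        found=1
    fi

    # Step 4 of the comment: anything other than "no crontab for root" is suspect.
    case "$cron" in
        *"no crontab for root"*|"")
            echo "root crontab: empty (nothing to remove)" ;;
        *plugins.settings*)
            # Known DNSChanger installs used a root cron job that re-runs
            # plugins.settings to keep the DNS settings changed; strongest sign.
            echo "INDICATOR: root crontab runs plugins.settings:"
            echo "$cron"
            found=1 ;;
        *)
            # A stock Mac has no root crontab, so report any other entry for a
            # human to review before running `sudo crontab -r` (step 5).
            echo "WARNING: root has a crontab; review it before removing:"
            echo "$cron"
            found=1 ;;
    esac

    [ "$found" -eq 0 ]
}

# Inspect the live system only when explicitly asked:  sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    dnschanger_indicators "" "$(sudo crontab -l 2>&1)"
fi
```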
haradachi
Mar. 26th, 2008 11:07 pm (UTC)
That's really interesting. How long did it take you to find all of that information?
tacit
Mar. 26th, 2008 11:14 pm (UTC)
I've pieced it together over a period of many hours, usually working on it about half an hour a day. At first, I was only looking for compromised iPower sites; I'm trying to nudge them to fix their site security (and I think if they're still massively compromised next week, I'll start emailing the site owners directly rather than emailing iPower abuse). When the pattern of the attack pages changed a couple days ago, I started looking into it further, and putting together a more comprehensive picture of how the network works.
tanisnikana
Mar. 27th, 2008 12:40 am (UTC)
I've had a good look at this for a couple hours now, and all I can say is that I'm impressed.

I'm currently running my damn-near-bulletproof investigatory DreamLinux 2, having a look at page sources and such.

It shouldn't be too hard to get the physical location of these servers, I don't think.
tacit
Mar. 31st, 2008 04:32 pm (UTC)
Some of the payload servers appear to be hosted in the Eastern European country of Moldavia, which puts them safely outside the reach of law enforcement in Western countries.
jtroutman
Mar. 27th, 2008 01:17 am (UTC)
Very nice. If you were ever interested in getting any computer security certs, the work you have done would certainly qualify.
tacit
Mar. 27th, 2008 01:40 am (UTC)
Oooohhhh....awesome icon! Mind if I steal it?
polylizzy
Mar. 27th, 2008 01:44 am (UTC)
Again, I only understood about HALF of what you described, but every time you post this stuff I learn more.

how in the world do you have time for your LIFE???!!!???


goose_entity
Mar. 27th, 2008 02:48 am (UTC)
*pets my linux laptop*

Nice penguin, *good* penguin!
redtheda
Mar. 27th, 2008 06:12 am (UTC)
I happened to drive past IPower the other day, and I thought of you.
tacit
Mar. 31st, 2008 04:33 pm (UTC)
Heh. Next time, you should drop by to tell them I said "hi," and that their server security is a disgrace and an embarrassment. :)
(Anonymous)
Mar. 27th, 2008 08:02 pm (UTC)
Leaseweb.com. Hosting and IP addressing. A hackers' network?
Recently we've got an annoying problem. I noticed the same behaviour and iframe exploits, as well as redirection to sites hosted at leaseweb.com, to scripts also named go.php. To be more accurate, bubamubanches.info. I wonder how a commercial hosting company located in Amsterdam allows this kind of host on their networks. Also, I noticed redirections from these sites (using badware mathematical logic) to several Chinese hosts (.cn) such as lotrain.cn (also known as rabegin.cn).

I was reading a lot about Russian and Chinese networks being completely hard-to-track networks, as they seem like the Far West (no law). Also, we noticed Turkey's AIH networks as potentially damaging networks, but leaseweb.com seems to be an Amsterdam network. I can't understand why a European network like that can have that kind of stuff and allow that kind of host on their networks. Do we have here another potential network like the RBN / CN or AIH networks? Is leaseweb.com aware of this kind of criminal issue? More complex: are they intentionally allowing this kind of exploit???

I need to know if there is a relationship between the RBN networks, CN, AIH, and leaseweb.com. Can we confirm this point?

Good job with the explanation. I was a little bit confused by the complexity, but now I see it clearly...

Do you know which people can be involved in things like this? Any hacker group behind it? Any fake "security company"?

I would like it if there's somebody who can give as much information from their observations as they can, so we can be prepared and defend ourselves from these hustlers....

Thanks again and good job!




tacit
Mar. 31st, 2008 04:34 pm (UTC)
Re: Leaseweb.com. Hosting and IP addressing. A hackers' network?
Interesting. At the moment, bubamubanches.info does not appear to be resolving, and dig shows no IP address assigned to it.
visudo
Mar. 27th, 2008 08:11 pm (UTC)
Hey Franklin, perhaps instead of hounding the idiots at IPowerWeb, you should report the URLs as spam using Google's tool. At least that might cause them to put up a "dangerous website" warning.
tacit
Mar. 31st, 2008 04:39 pm (UTC)
I've been doing that, and cc'ing Google security on many of the emails I send iPower. Google can't keep up, though. They usually flag the URLs a few days after each site is compromised, by which time there are several days' worth of fresh compromises to deal with.