Mime Sniffing and Phishing

By: Jose -

Friday and today I got a very interesting URL highlighted by our spam traps. The URL looks like a JPG, and so I went to see what it was. I figured it’d be stock spam or pill spam or something. What I didn’t expect was what I got.


So, it turns out that the URL is designed for IE4+ users, and it takes advantage of mime sniffing. The Heise site described mime sniffing as:

Internet Explorer 4 introduced a fourth method, known as MIME sniffing, or mime type detection. So no version of IE now automatically assumes that a file taken from the web has the same content type as that stated by the server in the HTTP header. Nor does it trust the file name extension, or signature, on their own. Instead, Internet Explorer also examines the first 256 bytes of the file to determine its type.

So that URL renders as a broken image in Firefox and Safari but OK in IE. You can see the server response below. It sets “Content-Type: image/jpeg” but then serves up dynamic HTML. The browser, IE in this case, sniffs the body, decides it is HTML, and renders the phish.
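A defender-side check for exactly this mismatch, as an added example that is not code from the original post: it parses a raw HTTP response, compares the declared image type against the file's magic bytes, looks for HTML in the same 256-byte window IE sniffs, and notes whether the X-Content-Type-Options: nosniff header (honoured by later browsers) is present. The two responses are constructed to mirror the post's screenshot, not the real capture.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the body.

Added example, not code from the original post. The responses below are
constructed: one claims image/jpeg but returns HTML (the phish case),
the other is a genuine JPEG header.
"""
import re

# Magic bytes for the image types a phisher would most plausibly claim.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# IE's sniffer only looks at the leading bytes, so that is all we inspect.
SNIFF_WINDOW = 256
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|form|meta)\b", re.IGNORECASE
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def looks_like_html(body: bytes) -> bool:
    """True if an HTML tag appears inside the sniffable window."""
    window = body[:SNIFF_WINDOW].lstrip()
    return HTML_MARKERS.search(window) is not None


def sniff_mismatch(raw: bytes) -> dict:
    """Return findings: declared type, whether magic bytes match the claim,
    whether the sniffable window looks like HTML, and whether nosniff is set."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    magic_ok = any(body.startswith(m) for m in IMAGE_MAGIC.get(declared, ()))
    html = looks_like_html(body)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    return {
        "declared": declared,
        "magic_ok": magic_ok,
        "html_in_window": html,
        "nosniff": nosniff,
        # The phish case: claims an image, lacks image magic, and starts with HTML.
        "suspicious": declared in IMAGE_MAGIC and not magic_ok and html,
    }


# Constructed response modelled on the post's description (not the real capture).
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Server: Apache\r\n"
    b"\r\n"
    b"<html><body><form action=\"/login\">Sign in to your bank</form></body></html>"
)

# A genuine JPEG header, constructed, for comparison.
REAL_JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
)

if __name__ == "__main__":
    for label, resp in (("phish", PHISH_RESPONSE), ("jpeg", REAL_JPEG_RESPONSE)):
        print(label, sniff_mismatch(resp))
```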


The site, widutr67e8ds63e7dsz3edsx.land.ru has been blacklisted by a couple of sites. I don’t know how many correctly – or incorrectly – catch the phishing attack. The site uses a GMail drop, and Google’s been alerted, too.

Thanks Alex and N for cluing me in to what was afoot. These are the first phishing attacks I’ve seen using this technique; I don’t know how many I’ve missed over the months.

Research Paper: Phishing Just Doesn’t Pay!

By: Jose -

A very interesting paper came out a few days ago by MSFT researchers Cormac Herley and Dinei Florencio exploring the economics of phishing. They systematically analyze phishing, both in terms of losses and in terms of gains, and find that the dollars in the phenomenon are widely overstated. In a nutshell: too many phishers chasing too few victims for too small a gain, a classic “tragedy of the commons” problem. Value-added services are where the money is. This jibes well with the anecdotal experience of many of us.

Some of my favorite parts:

But consistent reports of easy money may encourage him to think that he’s doing something wrong and that his returns will improve with time.

Indeed one explanation of the thriving trade in phishing related services reported in [23, 17] is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven’t reached that conclusion yet.

We think that this economic analysis has important implications in addressing the problem on a macro level. If we are correct that large phishing dollar losses are an exaggeration, an important conclusion is that repeating those claims feeds the beast, perpetuates the myth of the infinitely capable superuser attacker [21], and attracts poorly-informed new entrants to phishing.

I find the research and analysis compelling. A lot of it fits with the model outlined by Levitt and Dubner in “Freakonomics”, chapter 3, “Why Do Drug Dealers Still Live with Their Moms?” Granted, the organization in phishing is far less structured, but the premise still stands: the lure is far greater than the reality.

The paper is online here on SlideShare or available as a PDF: A Profitless Endeavor: Phishing as Tragedy of the Commons.

Busy Little Phishing Botnet

By: Jose -

Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques; most of them are now suspended domains):


Unlike some other fast flux users, these guys seem to go to different gTLDs as needed:

  • 1 — be
  • 23 — com
  • 29 — cz
  • 15 — es
  • 2 — net
  • 2 — org
  • 1 — tk

The hosts have largely been the same over this time, so you can track them using passive DNS to discover their new names. Almost all of these are detected using standard anti-phishing tools.

This BofA Demo Thing Got Big Fast

By: Jose -

The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”.


At the peak I was seeing 400 unique URLs per hour for this run. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old.

Let’s have a look at the domains and their associated name server via the BFK passive DNS system:

onlineservices777.com	 NS 	ns1.directclieck.com
directclieck.com	 NS 	ns1.directclieck.com
ns1.directclieck.com	 A
ns1.directclieck.com	 A
ieenttio.com	 NS 	ns1.directclieck.com
inyans.com	 NS 	ns1.directclieck.com
frerins.com	 NS 	ns1.directclieck.com
neeunt.com	 NS 	ns1.directclieck.com

So, at present there are no more domains associated with these name servers.
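The two pivots used in this post and the previous one (the same fast-flux hosts keep their IPs, so passive DNS reveals their new names; and sibling domains share a name server), as an added example that is not the post's tooling or the BFK system's output. The records are constructed in the same "name TYPE value" layout shown above; directclieck.com and onlineservices777.com come from the post, every other name and IP is made up, and the transitive pivot generalises the one-hop lookup the post describes.

```python
"""Pivot passive-DNS records on shared name servers and shared hosts.

Added example, not the post's tooling. Records below are constructed;
only directclieck.com and onlineservices777.com appear in the post.
"""
from collections import Counter

# Constructed passive-DNS dump. Real fast-flux A records would carry many
# IPs per name; these few are illustrative only.
PDNS_DUMP = """
onlineservices777.com   NS  ns1.directclieck.com
directclieck.com        NS  ns1.directclieck.com
ns1.directclieck.com    A   192.0.2.10
ns1.directclieck.com    A   198.51.100.7
onlineservices777.com   A   192.0.2.10
onlineservices777.com   A   203.0.113.5
example-lure01.cz       A   203.0.113.5
example-lure01.cz       NS  ns1.example-other.net
example-lure02.es       A   192.0.2.10
unrelated-shop.com      A   198.18.0.44
unrelated-shop.com      NS  ns1.example-other.net
"""


def parse_pdns(text):
    """Yield (name, rrtype, value) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].lower().rstrip("."), parts[1].upper(), parts[2].lower().rstrip(".")


def domains_for_ns(records, nameserver):
    """Names delegated to a given name server (the pivot in this post)."""
    return sorted({n for n, t, v in records if t == "NS" and v == nameserver})


def domains_for_ips(records, seed_ips):
    """Names that have resolved to any of the seed IPs; the flux hosts stay
    the same, so this surfaces new names as they appear."""
    return sorted({n for n, t, v in records if t == "A" and v in seed_ips})


def expand_cluster(records, seed_ips):
    """Transitive pivot: IPs -> names -> their other IPs -> more names,
    repeated until nothing new turns up. Returns (names, ips), both sorted."""
    ips = set(seed_ips)
    names = set()
    while True:
        new_names = set(domains_for_ips(records, ips))
        new_ips = {v for n, t, v in records if t == "A" and n in new_names}
        if new_names <= names and new_ips <= ips:
            return sorted(names), sorted(ips)
        names |= new_names
        ips |= new_ips


def tld_distribution(domains):
    """Tally by TLD the way the previous post lists its counts (be, com, cz, ...)."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


if __name__ == "__main__":
    recs = list(parse_pdns(PDNS_DUMP))
    print(domains_for_ns(recs, "ns1.directclieck.com"))
    names, ips = expand_cluster(recs, {"192.0.2.10"})
    print(names, ips, tld_distribution(names))
```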

The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya.


Nothing special here, just the usual crap. Here’s some of the info about one of the samples we saw here:

FILE TYPE: 	application/x-ms-dos-executable
FILE SIZE: 	3225 bytes
FSG v2.0 -> bart/xt
MD5: 		2ef0de5993873f26529ac34012eb97d9
SHA1: 		4e9aa725fa887cf65d9f6d1cebbd0a13d48320ab
PEHash: 	a8c73378f9c4a2fb57a5658e09d69bbf4bae0998

SCANNER: VScanner                      VIRUS: Unknown, file is "suspicious"
SCANNER: AVG                           VIRUS: No virus found.
SCANNER: ClamAV                        VIRUS: Trojan.OnlineGames-1517
SCANNER: BDC                           VIRUS: No virus found.

The malcode is tiny, but downloads hxxp://silviocash.com/usp.exe, aka Paparus or Urlsnif: a driver file, rootkitted, and now the box will send info from IE (i.e., form data) to the hacker. Owned.

Gary Warner has a nice writeup on his blog worth reading.

Economic Crisis: A Phishing and Malcode Opportunity

By: Jose -

In the past few weeks as a flurry of global financial institutions have suffered, a lot of names have been bandied about. Some banks have merged, some banks have faltered, and some government programs have been highlighted. It turns out that this is giving some enterprising phishers and malcode authors an opportunity. They’re preying on fears and name recognition.

The latest scam I just got was a Goldun spyware delivery scheme claiming to be a statement for your account. The emails look like this:

From: Federal Deposit Insurance Corporation
To: jose@arbor.net
Subject: funds wired into your account are stolen

Dear bank account owner,

Funds wired into your account are stolen from innocent account holders
through Identity Theft. Please check your account statement (the statement
is attached to this letter) and contact your bank account manager.

Federal Deposit Insurance Corporation

The attachment has the name “statement.exe” and is a UPX packed executable with the MD5 b6883affd9296b11145f6a0dce7056c3. It drops three files:


Goldun then tries to download other malcode. This malcode has been around for a while; this is just the latest scheme to entice you to run the file.

In the past few days we’ve also seen combined phishing and malcode attacks against Wachovia, Merrill Lynch, and other financial institutions. They usually use fast flux domains to host the attack. Some of the enticements are around banking changes: these institutions have recently merged with other firms, so users may fall for the “we are upgrading our systems, please install this new SSL certificate” scheme. When you visit the site you get a phishing page and malcode dropped onto your box.

One of the Wachovia emails making the rounds right now looks like this:

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent
failure of Wachovia. The Citigroup/Wachovia would focus on upgrading
banks' security certificates. All Wachovia customers must fill the forms
and complete installation of new Citigroup Standard digital signatures
during 48 hours. Please follow the installation steps below:

Read more here>>

Sincerely, Rodrick Baird.
2008 Wachovia Corporation.
All rights reserved.

Here’s what this campaign’s website looks like:

We’ve been tracking these fast flux domains and will continue to do so, and we will continue to work with the anti-phishing community to identify and shut down such phishing attacks.


The US FTC has issued a consumer bulletin on this subject: Bank Failures, Mergers and Takeovers: A “Phish-erman’s Special”.

Paper: As the Net Churns: Fast-Flux Botnet Observations

By: Jose -

Together with the esteemed Thorsten Holz, I have a paper at MALWARE 2008 on fast flux botnets. The paper uses the data from our ATLAS platform, specifically the fast flux tracking we added in Q1 of this year, to gather a global perspective on fast flux operations. What we found can be summarized as:

  • most fast flux domains are dormant for more than 30 days before their use in a flux operation; domain name tasting does not seem to be an issue
  • the gTLD distribution is now wider than originally reported by Holz et al. at NDSS; this issue affects more registrars
  • we can identify clusters of IPs and associated hostnames, showing how many botnets use how many names. We find only a handful of distinct botnets using fast flux methods.
  • fast flux supports a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities
  • fast flux is smaller than is widely assumed, and only a few thousand hosts globally are involved at any one time
  • involved hosts are extremely “promiscuous”, sometimes having hundreds of domain names associated with them
  • active DNS probing does not appear to be an effective, reliable measure of a botnet’s size. We found only about 1% visibility into the Storm Worm botnet, and we have not been able to get size estimates of other botnets for comparison

This paper came out of a presentation I did for a conference this summer. We’ve shared this data with groups such as FIRST and ICANN, and now we’re sharing this work with the larger world with this publication. The analysis done in the paper is more or less ongoing in our ATLAS fast flux summary report. We have found far more fast flux domains since our original analysis, but it’s still a small problem (only a few thousand hosts and a few thousand domain names active at any one time).

Fast flux botnets are gathering a great deal of attention, and for good reason. Several groups have been working on similar research questions and have found similar results; ours is just the first study around these specific questions to get published. The paper abstract is below:

While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.

Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We have identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, that domains used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.

The full paper in PDF format is now available. I am unable to attend MALWARE 2008 myself as something came up, but we’re still releasing the paper.

Atrivo/Intercage Called Out as US RBN

By: Jose -

A report from a trio of known open source security analysts is out and covers the US-based Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo has been, to quote someone in the business:

“At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.”

Source: Vincent Hanna, Spamhaus.org.

Within a day or two of the research article’s publication, Global Exchange de-peered with them (GBLX had been a BGP peer providing transit, one of two or three distinct ASNs doing so). It’s unknown what debates went on inside GBLX before this action, but the suggestion is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to changes. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) led to the dissolution of RBN.

On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers, configured through DnsChanger malware, that will send the user to a malicious website if they should typo; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information.

The fact that this network is supposedly hosted in the US – in the bay area, in fact – is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement. Perhaps it was a lack of priority, or a lack of complaints. Ultimately this is a drop in the bucket in the battle against malicious network operations. We can’t be naïve and think that they’ll simply cease operations, we should expect that they’ll be back and relocate. The question is where.

New Twist in IRS Phishing Scams

By: Jose -

Earlier today I got a new phishing scam in my inbox, this one for the IRS. I’d love a tax refund, but I don’t think this is how they normally notify you. The lure email is shown below, and is quite standard in its formatting. It even threatens you with criminal prosecution if you lie.

Date: Thu, 28 Feb 2008 15:10:22 -0500
From: Internal Revenue Service
Subject: Your Tax Refund (Message ID FV028T3)
A Secure Way to Receive Your Tax Refund
After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $746.35.
Please submit the tax refund request and allow us 3-9 days in order
to process it.
A refund can be delayed for a variety of reasons. For example
submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.
Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

So far nothing special, until you click the link. It’s to an EXE, not to a website. When you download that and look, what you get is a locally hosted website with the phishing site shown below (broken in IE7):


Analysis reveals that the executable will take your data and send it to at least two different servers:

  • 3comport.sytes.net TCP port 5184
  • TCP port 80

This is a new twist in phishing attacks that can bypass the normal URL filtering for malicious sites. It requires that the mechanism that determines whether something is a phishing site recognize that EXEs can also be used in phishing. It makes sense that this would evolve; I suspect we’ll see more of this soon.

I ran the sample through VirusTotal for an overview of the AV detection and saw that it’s not as well detected as it could be. See for yourself.

Complete scanning result of “IRS-Refunds.doc.exe”, processed in VirusTotal at 02/28/2008 22:01:41 (CET).

[ file data ]

  • name: IRS-Refunds.doc.exe
  • size: 363622
  • md5.: 1cc5d1aaf624829e76a149014ab00f27
  • sha1: 17ad552b164c4ce5c4b5ef899d43f575abe8db10
  • peid..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser


In the time between getting this sample, notifying people, and analyzing the sample, it was shut down. Good.

Active Storm Worm Domains – Christmas, New Year’s Campaign

By: Jose -

Based on a bunch of sources:


All of these are worth blocking by DNS methods (become the local SOA for them and return NXDOMAIN) and looking for in your email (look for a simple URL with those domain names near the end of a very short email).
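The mail-side heuristic just described, turned into a check, as an added example that is not the post's tooling: a message is flagged only when it is very short, carries a URL whose host falls under a blocked domain, and that URL sits near the end of the text. parentscards.com is named in the update below; the other blocklist entry, the length and position thresholds, and the three sample messages are constructed assumptions.

```python
"""Flag short emails that carry a URL to a blocked domain near the end,
the Storm lure pattern described above.

Added example, not the post's tooling. parentscards.com is from the post;
the other blocklist entry, thresholds and sample messages are constructed.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Blocklist: one domain from the post, one constructed placeholder.
STORM_DOMAINS = {"parentscards.com", "example-lure.invalid"}

MAX_LURE_CHARS = 400   # "very short email" threshold (assumption)
TAIL_FRACTION = 0.4    # URL must start within the last 40% of the text (assumption)


def url_host(url: str) -> str:
    """Hostname of a URL, tolerating the scheme-less www. form."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def in_blocklist(host: str, blocklist=STORM_DOMAINS) -> bool:
    """Match the host or any parent domain (www.parentscards.com -> parentscards.com)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def classify_lure(body: str, blocklist=STORM_DOMAINS) -> dict:
    """Return the evidence for each heuristic plus a combined verdict."""
    text = body.strip()
    urls = [(m.start(), m.group()) for m in URL_RE.finditer(text)]
    hits = [(pos, u) for pos, u in urls if in_blocklist(url_host(u), blocklist)]
    near_end = any(pos >= len(text) * (1 - TAIL_FRACTION) for pos, _ in hits)
    return {
        "short": len(text) <= MAX_LURE_CHARS,
        "blocked_urls": [u for _, u in hits],
        "url_near_end": near_end,
        "lure": len(text) <= MAX_LURE_CHARS and bool(hits) and near_end,
    }


# Constructed samples: a lure, a long legitimate mailing, and a short message
# that merely mentions the bad domain up front (should not be flagged).
LURE = "Your card is waiting for you, see it before the party ends.\nhttp://parentscards.com/"
NEWSLETTER = ("Monthly update.\n" + "Lots of legitimate text about our products. " * 20
              + "\nRead more: http://www.example.com/news")
MENTION = "http://parentscards.com/ was reported by a colleague; do not visit it.\n" + "More context. " * 5

if __name__ == "__main__":
    for name, body in (("lure", LURE), ("newsletter", NEWSLETTER), ("mention", MENTION)):
        print(name, classify_lure(body))
```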

Many thanks to the few dozen or so researchers working in this field to help continuously track and report on this new campaign.

UPDATE Added parentscards.com, which is now in use.

Botconomics: The Monetization of YOUR Digital Assets

By: Danny McPherson -

A decade ago IF your PC was compromised it was usually just taken for a joy ride. Today, with the monetization of bots, ease of compromise, prevalence of malware, and increasing connectedness of endpoints on the Internet, WHEN your assets are compromised they’re subjected to something more akin to a chop shop.

To follow this vein (purely for amusement):

  • Seat belt == AV; If you’re hit, you’re a whopping 50% (note that that 50% number is pretty accurate, at least in the case of AV) less likely to get injured
  • Overhead and side curtain airbags == Good AV (or HIPS?); might suffocate you or rip your head off, but there to make you safer!
  • Alarm system == IDS; is anyone listening?
  • Anti-lock Braking System == NAC; a parking pass in the console and you’re in the building
  • CD case in the glove box == lift some CD license keys
  • Office Badge/ID == Paypal & ebay account credentials
  • Used in hit & run == DDoS attack
  • LoJack == IP reputation services –> subscription required
  • The Club == HIPS (pita)
  • Turning your car into one of those rolling advertisements.. Or towing one of those billboard trailers? Leaving a cloud of smoke and soot in your wake? == Why Spam, of course… (ok, really weak)
  • Body stuffed in the trunk, used for high-dollar drug or arms deal and dumped in the river == drop site
  • Wallet with some cash or CCs == score!; keylogger streaming PIN numbers, login credentials and secret question answers, mother’s maiden name, birth date, national ID number, etc.. to one of the aforementioned drop sites
  • Garage door opener and vehicle registration w/home address in the car — hrmmm…
  • Car thief picks up your girlfriend == phishing…? :-)

OK, OK, enough of the bad analogies, I suspect you get the point or have stopped reading by now.

Ahh, but folks aren’t driving cars across the country anymore, they’re flying jet planes – Good thing we’ve got seat belts! And for you skeptics – not to worry, we’ve now got flotation devices if things get really ugly…

The point is, if you or anyone you do business with online is compromised, you’re at risk. Further – if anyone you do business with is online, you’re at risk. Need more? Someone that has your personal information does something with a networked system, and as a result, you’re at risk.

Think AV is protecting you? An IDS? Malware today is explicitly engineered around leading AV engines (e.g., ++580 Agobot variants), engines whose auto-update functions are disabled upon compromise via any of a number of techniques, from removing the programs or making them non-executable, to adding hosts file entries that point the AV signature update server’s hostname (e.g., update.youravdude.com) at a local interface instead of its real Internet address.
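A host-side check for that hosts-file trick, as an added example that is not from the original post: it parses hosts-file text and reports any watched update hostname that has been pinned at all, plus any non-localhost name mapped to a loopback, unspecified or link-local address. update.youravdude.com is the hostname the post uses; the other watched names and the sample hosts content are constructed, and on a real system you would read the platform's hosts file instead.

```python
"""Spot hosts-file entries that pin update hostnames to a local address.

Added example, not from the original post. update.youravdude.com is the
post's example hostname; the other watched names and SAMPLE_HOSTS are
constructed.
"""
import ipaddress

# Hostnames an AV/OS update client depends on (constructed watchlist).
WATCHED_HOSTS = {"update.youravdude.com", "liveupdate.example.net", "download.example.org"}

# Names that legitimately point at loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Yield (ip, hostname) for each mapping, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole_address(ip: str) -> bool:
    """Loopback, unspecified (0.0.0.0) or link-local: an update client cannot reach these."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def find_hijacked_entries(text, watched=WATCHED_HOSTS):
    """Return (ip, name, reason) for suspicious mappings.

    'watched':   a watched update host is pinned anywhere at all (it should be
                 resolved via DNS, so even a public IP here is suspect).
    'sinkholed': any other non-localhost name is pinned to a local address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            findings.append((ip, name, "watched"))
        elif name not in LOOPBACK_NAMES and is_sinkhole_address(ip):
            findings.append((ip, name, "sinkholed"))
    return findings


# Constructed hosts file: two benign lines, then the kind of additions malware makes.
SAMPLE_HOSTS = """
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Added by malware (constructed)
127.0.0.1       update.youravdude.com
0.0.0.0         liveupdate.example.net   www.liveupdate.example.net
127.0.0.1       av-vendor-forum.example.com
"""

if __name__ == "__main__":
    for finding in find_hijacked_entries(SAMPLE_HOSTS):
        print(finding)
```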

Entire bot systems exist with load-balanced command and control, real-time dynamic partitioning and multi-mode monetization capabilities based on the bot services consumer’s needs, etc..

The GOOD News for those bot services consumers:

[Taken verbatim from a recent spam message I received boasting ‘bullet proof [bp]’ hosting services:]

    • IPs that change every 10 minutes (with different ISPs)
    • Excellent ping and uptime
    • 100 uptime guarantee
    • Easy Control Panel to add or delete domains thru webinterfaces
    • …..

Bot herders have heard the public’s outcry for multi-mode bots, responding with SLAs, intuitive user interfaces, ISP redundancy and even excellent ping times! Heck, several pieces of malware perform speed tests to ‘top Internet sites’, indexing and allocating our resources based on availability and connectedness.

Need a turn-key phishing solution? For a small fee you can get a botnet partitioned to do all these things and more:

  • compromise based on exploit of your choice
  • patch owned hosts for exploit that was used to compromise, and perhaps a few other low-hanging vulnerabilities
  • allocate bot resources (control, drop, lift, host, spam, attack) based on connectedness
  • lift CD keys, install key loggers, lift passwords, account info, email addys, etc
  • setup a couple bots as drop sites
  • setup a couple bots as phishing site web servers
  • setup a couple sites as phishing email relays
  • setup a couple open proxies for access to any of the above
  • want to take it for a test drive, not a problem

and voila, you’re in business!

Ohh, and don’t forget the special operations bots at the ready in the event that an anti-{spam,bot,phishing} company actually impacts your operations.. Don’t believe me? Go ask BlueSecurity (note the link still doesn’t work), or our friends at CastleCops, or… Six months of DoS attack observation across 30 ISPs here at Arbor yielded well over one hundred days with at least one ISP reporting an attack of one million packets per second or better. Some trivial math (1,000,000 packets per second * 60 bytes per packet * 8 bits per byte == 480 Mbps) shows that is enough to take 99%++ of the enterprises on the Internet offline today.

I’m not knocking any of the solutions above, they’re all necessary (well, most of them) and serve some purpose. It’s little more than an arms race today and there is no Silver Bullet; it’s all about layered security and awareness. As good-minded security folk continue to innovate, so too do the miscreants. As they find more ways to pull more money from more compromised assets, the problem will continue to grow. You CAN and WILL be affected, whether directly or implicitly, whether you bank and buy stuff online or not – the merchants you deal with surely have networks of some sort. A good many of those merchants do make concerted efforts to protect their consumers – perhaps others see things like any of the slew of compliance standards as ‘I tried, get out of jail free’ waivers when they do get compromised.

Being aware that the problem exists is the first step towards making it suck less, or so one would hope.. Let’s just hope that the Internet’s open any-to-any connectivity, as molested today as it may be (much in the name of security, mind you), isn’t entirely lost in the process.

Bots and widespread compromise affect every aspect of our economy today, directly or implicitly. Therein enters our amalgamation; botconomics.
