An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground.
Sunday, August 24, 2014
BlackHat 2014 - Botnet C&C Panel Talk
Whitepaper: http://secniche.org/blackhat-2014/blackhat_2014_briefings_whitepaper_exp_cc_flaws_adityaks.pdf
Tuesday, April 15, 2014
Targeted Cyber Attacks Book - Syngress!
Update: A very insightful review of the book was published in Network Security.
I started sketching this book about a year ago when I was invited by Syngress for this project, based on my previous work on crimeware research. Thanks to the Syngress and Elsevier team for this step. Due to my ongoing job and commitments the project was delayed, but the book is finally about to be published on 18th April. The first edition of the book is dedicated to readers who are interested in understanding the artifacts of targeted cyber-attacks and their associated components. Personally, I would like to thank all the researchers and journalists who reviewed the book and provided positive feedback.
Introduction: Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted attacks are those that are aimed at a particular individual, group, or type of site or service. Unlike worms and viruses that usually attack indiscriminately, targeted attacks involve intelligence-gathering and planning to a degree that drastically changes their profile.
Individuals, corporations, and even governments are facing new threats from targeted attacks. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into what techniques and resources are used to stage these attacks so that you can counter them more effectively.
The book can be ordered from the following places:
- Amazon: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048
- Kindle Edition: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits-ebook/dp/B00JRVB3UY
- Elsevier: http://store.elsevier.com/Targeted-Cyber-Attacks/Aditya-Sood/isbn-9780128006047/
- Barnes and Noble: http://www.barnesandnoble.com/w/targeted-cyber-attacks-aditya-sood/1118602703?ean=9780128006047
Enjoy!
Thursday, February 27, 2014
Gmail Phishing Attack - Why the Anti-spam Solutions Fail to Trigger?
Update: 5th March, 2014
Note: I am concerned because it got delivered to my personal gmail inbox -:)
It looks like the phishing attack against Gmail users discussed earlier (a week ago) is still underway. Although the attack is public now, the anti-spam filtering deployed by Google still fails to mark the emails as phishing. The latest snapshot of this attack is presented below:
Links:
- hxxp://croydon.com.br/phpthumb/serv/serv/Login.htm
- hxxp://croydon.com.br/phpthumb/serv/serv/badu.php
The host has a malicious history, though: https://www.virustotal.com/en/ip-address/187.17.98.129/information/
Relying heavily on Safe Browsing to blacklist phishing websites after the fact is not dependable; prevention has to be triggered at the point of origin, before the email reaches the inbox. Let's see how long this continues.
-------------------------------
A recent targeted phishing attack has been launched against gmail.com users. Interestingly, the email slipped through Google's anti-spam filtering, which failed to detect it and delivered it straight to the user's inbox.
Visiting the link results in the following webpage, which mimics the Gmail login layout.
Malicious Check:
- The domain resolves to an IP address with a history of potentially malicious activity: https://www.virustotal.com/en/ip-address/79.170.44.127/information/. The same shared hosting server has been used for compromised WordPress websites.
Overall, the basic steps:
- The user is served a fake gmail.com login page at: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/Login.htm
- Submitting the form sends all the POST data (the entered credentials) to: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/badu.php
- The user is then redirected to the legitimate Google login page: hxxps://accounts.google.com/
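As an added example (not code from the post and not part of the phishing kit), the following Python checks a lure page for exactly the structure described above and in the March update: a page that imitates the Gmail sign-in form but whose password form submits to a host that is not Google's own login host. The lure and genuine HTML below are constructed, the host name `www.compromised-host.example` is made up (only the `Login.htm` -> `badu.php` path layout mirrors the kit), and `TRUSTED_HOSTS` is an assumption about where a real Google sign-in form is allowed to post.

```python
"""Added example, not code from the post or from the phishing kit: flag a
credential-phishing page by the structure described in the post -- a login
form that mimics a brand but submits the password to a host that is not the
brand's own login host. HTML and host names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only legitimate target for a Google sign-in form.
TRUSTED_HOSTS = {"accounts.google.com"}


class _FormCollector(HTMLParser):
    """Record every <form>, its action/method, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_login_page(html, page_url):
    """Return one finding per form that collects a password and posts it
    outside TRUSTED_HOSTS. A relative action such as 'badu.php' resolves
    against the page URL, i.e. onto the lure's own (compromised) host;
    an empty action posts back to the page itself."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        host = (urlsplit(target).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            findings.append({"page": page_url, "posts_to": target,
                             "host": host, "method": form["method"]})
    return findings


# Constructed lure: same Login.htm -> badu.php layout as the kit, made-up host.
LURE_URL = "http://www.compromised-host.example/phpthumb/serv/Login.htm"
LURE_HTML = """
<html><head><title>Gmail</title></head><body>
<form method="post" action="badu.php">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed genuine page whose form submits to the brand's own host.
GENUINE_URL = "https://accounts.google.com/ServiceLogin"
GENUINE_HTML = """
<form method="post" action="https://accounts.google.com/ServiceLoginAuth">
  <input type="email" name="Email"><input type="password" name="Passwd">
</form>
"""

if __name__ == "__main__":
    for url, html in ((LURE_URL, LURE_HTML), (GENUINE_URL, GENUINE_HTML)):
        for f in analyze_login_page(html, url):
            print("PHISHING? password form on %s posts to %s" % (f["page"], f["posts_to"]))
```

The check deliberately keys on the form action rather than on page text or branding, because the kit's third step (bouncing the victim to the real accounts.google.com after the POST) happens server-side and is invisible in the lure HTML; the one thing the kit cannot hide is where the password form actually submits.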
The website is hosted on a CMS hosting server as shown below:
Overall, it is not a very sophisticated attack, but a few inferences can be drawn:
- A careful user would have recognized this as a trick even though it was delivered to the inbox.
- The big issue is that Google's anti-spam filtering fails to detect it and mark it as phishing.
- A few users may well have fallen for this trick, but we cannot be sure.
- The attacker used compromised infrastructure to execute this attack: a healthcare provider's hosting account was compromised.
- Even if this type of attack remains active for only a few minutes, it could already have harvested a good set of accounts.
Do not fall for this trap!
Sunday, January 12, 2014
Virus Bulletin - NiFramer Iframer Injector - CPanel
A couple of months ago, we released a paper on the design of NiFramer, a bash tool that automates iframe injection on compromised servers. It has been used widely by attackers. In the coming months, we will be covering different variants of automated iframe injection tools.
You can download the paper at: http://secniche.org/released/VB_CPANEL_IFRAME_INJECT.pdf
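As an added example (not NiFramer itself and not code from the Virus Bulletin paper), the following Python is the defender-side counterpart to an injector of this kind: a sweep of a web root for hidden `<iframe>` tags left in HTML/PHP/JS files. What an injected frame looks like (zero- or one-pixel size, `display:none`, `visibility:hidden`, or pushed off-screen) and which file types to scan are assumptions drawn from common practice, not from the page; the sample web root it builds is constructed.

```python
"""Added example, not NiFramer and not code from the Virus Bulletin paper: a
defender-side sweep of a web root for the hidden <iframe> tags automated
injectors leave behind. The patterns and file types are assumptions drawn
from common practice; the sample web root below is constructed."""
import os
import re
import shutil
import tempfile

HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:"
    r"width=[\"']?[01][\"'\s/>]"        # width=0, width="1", ...
    r"|height=[\"']?[01][\"'\s/>]"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|left\s*:\s*-\d"                  # position:absolute; left:-9999px
    r")",
    re.IGNORECASE,
)
# File types an injector typically touches (assumption).
WEB_EXTS = (".html", ".htm", ".php", ".js")


def scan_file(path):
    """Return (line_no, stripped line) for every hidden-iframe hit in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if HIDDEN_IFRAME_RE.search(line):
                hits.append((n, line.strip()))
    return hits


def scan_webroot(root):
    """Walk a web root; map each infected file (path relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def infected_files(root):
    """Sorted list of infected files with '/' separators, for reporting."""
    return sorted(p.replace(os.sep, "/") for p in scan_webroot(root))


# Constructed sample web root mimicking a cPanel account after injection.
SAMPLE_FILES = {
    "public_html/index.html":
        '<html><body><h1>Welcome</h1>\n'
        '<iframe src="http://bad.example/in.php" width="0" height="0" '
        'style="visibility:hidden"></iframe>\n</body></html>\n',
    "public_html/includes/footer.php":
        '<?php echo "</div>"; ?>\n'
        '<iframe src="http://bad.example/c.php" style="display:none;"></iframe>\n',
    "public_html/blog/post.php":          # legitimate visible embed: must not be flagged
        '<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n',
    "public_html/notes.txt":              # wrong extension: skipped
        '<iframe width=0 height=0></iframe>\n',
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def remove_sample_webroot(root):
    """Delete a directory created by build_sample_webroot()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for rel, hits in sorted(scan_webroot(root).items()):
            for n, line in hits:
                print("%s:%d: %s" % (rel, n, line))
    finally:
        remove_sample_webroot(root)
```

On a real host, point `scan_webroot` at each account's `public_html`; because these injectors append the same frame to many files at once, a hit list that spans dozens of files with identical `src` values is itself a strong signal of an automated injection rather than a single defaced page.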
Labels: CPanel Infection, Iframe injector, Malware, Server Infections