Another week at KU come and gone. We’re already almost 1/3 (6 out of 18 weeks) of the way through the first semester (for all you K-12 kiddies, almost to the end of the first ¼). Didn’t do too hot on the first ECON 142 test (31/50) despite having all A’s on the worksheets and attending all the discussions and such. At least I think I know a little more of what to look for next time.
Programming I threw me for a loop as well with the first non-lab programming assignment and handling text input (using cin to gather a one-line statement, apply a Caesar cipher and spit out the encrypted message). Although I had a version that worked, it didn’t use modulus (%26, which was required), and the one I wrote up to use modulus didn’t work.
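As an added example (not the assignment's code), here is one way to do the homework described above in C++: read one full line with getline, shift only letters with % 26, and pass spaces and punctuation through untouched. One pitfall that makes a % 26 version misbehave is that in C++ the remainder of a negative number is negative, so the shift is normalised into 0..25 first; the 3 used in main is an assumed shift.

```cpp
#include <iostream>
#include <string>

// Shift one letter by `shift` positions, wrapping with % 26.
// Non-letters are returned unchanged so the rest of the line survives.
char shiftLetter(char c, int shift) {
    // In C++, (-3) % 26 == -3, so a negative (decrypting) shift would
    // index below 'a'. Normalising first keeps the % 26 result in 0..25.
    int s = ((shift % 26) + 26) % 26;
    if (c >= 'a' && c <= 'z')
        return static_cast<char>('a' + (c - 'a' + s) % 26);
    if (c >= 'A' && c <= 'Z')
        return static_cast<char>('A' + (c - 'A' + s) % 26);
    return c;
}

// Apply the cipher to a whole line; a negative shift decrypts.
std::string caesar(const std::string& text, int shift) {
    std::string out;
    out.reserve(text.size());
    for (char c : text) out.push_back(shiftLetter(c, shift));
    return out;
}

int main() {
    // getline reads the whole statement; `cin >> line` would stop at the first space.
    std::string line;
    std::getline(std::cin, line);
    std::cout << caesar(line, 3) << '\n';   // assumed shift of 3
    return 0;
}
```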
The website is (mostly) back up and running. Because we were moving I had to move my site files elsewhere and get that server up and working, so now parts of ryanmetcalf.net are back to working (such as the blog, the IM, and the photos).
Back to Counter-Strike. After realizing I was an idiot and that a lost retail CD didn't mean I couldn't play, I logged onto Steam and used it to re-download my CS 1.6 (though I greatly miss 1.5 and before), along with my Half-Life game. What's still ridiculous, though, is that I bought a CS retail copy a long time ago, lost it, and bought a Half-Life retail copy and then downloaded the CS mod, and now I can't find either disk, and next to no one has Half-Life 1 discs on sale online (I don't want the "Anthology" version, it requires Steam).
Finally got internet in at the new house. Comcast took their sweet time. But we also got Digital Cable instead of Expanded Basic (Analog), with which we get the same number of channels but now have the set-top box, music channels, and those other things you end up with.
This story is taken from: http://blog.spywareguide.com/2006/09/aim_pipeline_worm_uses_modular.html
Pipeline Worm Floods AIM with Botnet Drones
Proactive research on security threats is the key to catching hidden threats before they can collect confidential data, deliver adware, or take down a network. When researchers grab a threat, it's usually been doing the rounds for some time. Here, we've caught them early in the act of assembling what looks like a very sophisticated operation - in fact, we've caught it so early that many of the domains called by the first infection file aren't hosting infectious files yet.
How does this infection start off? As always, it begins with a
seemingly innocent web address passed to you via Instant Messaging.
Click the link and allow the file to execute and your day will quickly
go bad.
At this point, the command file downloads a file called csts.exe - and this is where things get interesting.
The file starts making calls to many, many domains - one of which is related to the Cuebot Worm that posed as the Windows Genuine Advantage Validation Notification.
Repeated calls are made to a domain (freewebsites.com) that offers
"free webhosting" in return for them placing what they call a small
advert on your website. You can read more about this "small advert" here
- I'd write more about it, but it's not relevant to this story so I'm
keeping it separate. As you'll see a little later on, the reason this
particular domain is constantly lighting up on the radar is due to the
Botnet activity involved in this particular infection.
The final port of call is a number of servers located in Korea, which are repeatedly connected to by the infection:
One of these servers has a single mention in Google. As fortune
would have it, and we aren't surprised, this server seems to have
something of a Spam-related linkfarm going on:
...as you might have guessed, all of those blue links lead to what
are effectively spam pages. It's worth mentioning that some of the
Korean servers pinged by the various infection files have been
blacklisted due to spam. Is there a financial motive at work here? Hard
to say, though hopefully they won't be able to get very far as they've
been caught out before they could really get things moving.
Eventually, a randomly named executable is created in the System32
Folder and at this point, if the user is running AIM they will fire the
following message at their contacts, the hackers using IRC channels to
achieve this:
Anyone that clicks the link and runs the file will end up continuing
the cycle of infections. This attack is very well structured and
"modular" in concept, so the people behind it can shuffle their
executables around, download new infections to target PCs and do pretty
much anything else they feel like doing.
As an example of the modular behaviour of this attack, here are just three of the many scenarios we encountered during analysis.
Scenario One
1) "hey would it be ok if i upload this picture of
you to my blog?" downloads the image18.com file (disguised as a jpeg).
Running the file results in csts.exe being created in your system32
Folder. At this point, you may well be part of a Botnet (though not in
all cases) and the infection has the potential to call down new files
onto your PC, which are randomly selected from the numerous files
waiting in "storage" that have been spread around the Net.
Scenario Two
1) "hey would it be ok if i upload this picture of
you to my blog?" downloads the image18.com file (disguised as a jpeg).
Running the file results in csts.exe being created in your system32
Folder.
2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).
Scenario Three
1) "hey would it be ok if i upload this picture of
you to my blog?" downloads the image18.com file (disguised as a jpeg).
Running the file results in csts.exe being created in your system32
Folder.
2) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a Rootkit on your PC as a result of this particular scenario.
3) At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM such as:
"hey is it alright if i put this picture of you on my egallery
album? ", which will download the image22.com file (again, disguised as
a jpeg).
4) At this point, the cycle begins again and they can look to infect fresh victims with this exploit.
As you can see, the emphasis here is not so much on the files
themselves, but on the way these files are deposited onto the system.
Previous Instant Messaging attacks have tended to focus on the damage
done by the files, with little thought on the method of delivery, save
for the quickest way to get those files onto a PC. Here, the thrill for
the bad guys seems to be in lining up as many of these "install chains"
as possible - I keep thinking of a ten move combo on a fighting game
such as Tekken...not a bad way to describe it, actually. What's smart
about this attack is that it doesn't matter if you get a file "out of
step" - if you start off with a particular file out of sequence, you'll
just end up somewhere else in the chain instead. There is no right or
wrong place to start with this one - the hackers will make sure you get
your fill of infection files! The amount of effort that's gone into
this kind of attack hints at a level of planning we've previously only
seen here. And we're not done yet...
The Botnet Connection
Earlier I mentioned one of the domains pinged by this infection was
a webhost called Freewebsites.com - well, the bad guys are actively
running a Botnet via their network...in this case, "b0x.com", a
subdomain of the Freewebsites.com hosting service. You can see a
screenshot of some traces from the Botnet below:
Some things to note - along with their inventive use of positioning numerous downloads to hit infected machines, they also have a better-than-most idea of how to lock down their Botnet. For one thing, they won't allow you to enter the channel using a "standard" IRC client. This prevents people from snooping around. Nice idea, though there are numerous ways around this if you have an ace or two up your sleeve.
They also have various aspects password protected, though you can
still obtain these here by the usual method - simply running the
executables and sniffing the traffic. They also force infected machines
into various channels on a regular basis - effectively herding them
into new channels where they can push new installers, send out new
infection messages...pretty much whatever the Botnet owners feel like
doing. As always, the only limits are greed and imagination.
Though it's always exciting to catch somebody in the final stages of
putting their "Masterplan" together, it's also a touch worrying as you
know that they're not quite done yet. Will we see more developments
from this case, much like we did with the drawn-out saga
of the AIM Rootkit from the tail-end of 2005? That particular story
started with Instant Messaging Rootkits, diverted down the path of a
group of hackers based in the Middle-East and finished up with fake BitTorrent clients and Mr Bean movies.
We think this particular group have many more executable files ready
and waiting to go live, so where this one will end up is anyone's guess.
...did I mention this infection would give you a very bad day?
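As an added detection example (not from the SpywareGuide article, and using constructed sample messages whose .invalid hosts are placeholders), the following C++ flags the lure pattern the scenarios above describe: a message that promises a picture while its link ends in an executable extension, the way image18.com and image22.com were passed off as JPEGs.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Extensions Windows will run even when the message calls the file a picture.
static const std::vector<std::string> kExecutableExts = {"com", "exe", "scr", "pif", "bat", "cmd"};
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
// First http(s):// token in the message, or "" when there is no link.
std::string extractUrl(const std::string& msg) {
    size_t start = msg.find("http://");
    if (start == std::string::npos) start = msg.find("https://");
    if (start == std::string::npos) return "";
    size_t end = msg.find_first_of(" \t\r\n\"'<>", start);
    return msg.substr(start, end == std::string::npos ? std::string::npos : end - start);
}
// Lower-cased extension of the URL's last path segment ("" if none); query/fragment stripped.
std::string urlExtension(const std::string& url) {
    std::string path = url.substr(0, url.find_first_of("?#"));
    size_t slash = path.find_last_of('/');
    std::string file = slash == std::string::npos ? "" : path.substr(slash + 1);
    size_t dot = file.find_last_of('.');
    if (dot == std::string::npos || dot + 1 == file.size()) return "";
    return lower(file.substr(dot + 1));
}
// True when the text promises a picture but the link delivers an executable.
bool isPictureLure(const std::string& msg) {
    std::string m = lower(msg);
    bool mentionsPicture = m.find("picture") != std::string::npos ||
                           m.find("photo") != std::string::npos || m.find("image") != std::string::npos;
    std::string ext = urlExtension(extractUrl(msg));
    bool executable = std::find(kExecutableExts.begin(), kExecutableExts.end(), ext) != kExecutableExts.end();
    return mentionsPicture && executable;
}

int main() {
    // Constructed sample messages; the .invalid hosts are placeholders, not real sites.
    const std::vector<std::string> samples = {
        "hey would it be ok if i upload this picture of you to my blog? http://lure.example.invalid/image18.com",
        "here is the picture from saturday http://photos.example.invalid/IMG_0042.jpg",
        "grab the update at http://files.example.invalid/update.exe"};
    for (const auto& s : samples) std::cout << (isPictureLure(s) ? "LURE   " : "benign ") << s << '\n';
    return 0;
}
```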