SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-17
"Careerbuilder Job Application" email scam with Dynamic DNS

Published: 2005-11-17
Last Updated: 2005-11-17 23:30:25 UTC
by Patrick Nolan (Version: 1)
This morning I received a "Careerbuilder Job Application" email (below) asking me to reply to an email address at sarcony.com. Looking at information on the domain, it turned out that nsX.makesoulbraives.com is the registered DNS provider for sarkony.com. The odd part is that nsX.makesoulbraives.com does not appear to be a legitimate dynamic DNS provider. This appears to me to be a "more" sophisticated than usual scam and service abuse. ymmv.

Both sarcony.com and nsX.makesoulbraives.com have had a number of IP addresses today; sarcony.com was obviously utilizing dynamic DNS. This morning sarcony.com had the IP addresses:

83.243.33.25
69.192.206.42
84.135.28.52
152.66.214.90

Currently, sarcony.com doesn't resolve ( ; ^ ).

Public records indicate that sarcony.com had the following registration dates:
Updated Date: 13-nov-2005
Creation Date: 13-nov-2005
Expiration Date: 13-nov-2006

Public records indicated that DNS was provided by:
ns1.makesoulbraives.com
ns2.makesoulbraives.com

During the day, DNS records for those registered nameservers have pointed to:

ns1.makesoulbraives.com at  66.227.144.196
ns1.makesoulbraives.com at 151.198.140.186
ns1.makesoulbraives.com at 213.211.243.10

ns2.makesoulbraives.com at  68.105.15.143
ns2.makesoulbraives.com at 172.178.188.31 <==AOL address

There was a third service provider for sarcony.com: email service at mail.makesoulbraives.com, 67.159.5.191, whose DNS records also pointed to ns1 and ns2.makesoulbraives.com. Currently, mail.makesoulbraives.com doesn't resolve ( ; ^ ).

Public records indicate that makesoulbraives.com and mail.makesoulbraives.com had the following registration dates:
Updated Date: 16-nov-2005
Creation Date: 04-nov-2005
Expiration Date: 04-nov-2006

The abuse of dynamic DNS service for sarcony.com in this type of apparent scam allowed the domain sarcony.com to exist at any IP registering with the dynamic DNS service. In this case the DNS service itself appears to be dynamically located too: it has been provided by a registered domain whose nameservers have had multiple IPs throughout the day:

ns1.makesoulbraives.com at  66.227.144.196
ns1.makesoulbraives.com at 151.198.140.186
ns1.makesoulbraives.com at 213.211.243.10

ns2.makesoulbraives.com at  68.105.15.143
ns2.makesoulbraives.com at 172.178.188.31 <==AOL address

Typically, dynamic DNS is provided by one of the well known dynamic DNS service providers. In this case the registration and resolution records point at an interesting setup: first the IPs of the sarcony.com systems are enrolled using dynamic DNS, and then DNS service for the domain comes from registered "name servers" whose own IP addresses appear dynamic in nature.

Typically, the abuse of legitimate dynamic DNS service providers in a situation like this is intended to keep the destination domain (in this case sarcony.com) hopping from one exploited system to another, in an attempt to stay ahead of and avoid shutdown by legitimate service providers who receive complaints. This can be highly effective in avoiding shutdown. Here, however, the public registration records are also changing to point at new DNS server IPs, an indication that the DNS service itself may be provided by DNS servers that are hopping around through further dynamic DNS abuse.
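The two-layer pattern described above (a scam domain hopping between addresses, and its nameservers hopping as well) is something a defender can score from passive DNS or periodic lookups. The following is an added example, not tooling from the ISC diary: it takes a constructed observation log built from the addresses listed above (timestamps and the example.org control records are invented) and flags domains whose A records spread across many unrelated networks, and domains whose nameservers themselves move. The thresholds are assumptions to tune against your own data.

```python
"""Flag DNS names whose A records hop across many networks during an
observation window, and domains whose nameservers hop too (the "double
flux" pattern). Added illustration, not the diary's own tooling."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed observation log: (timestamp, name, record type, value).
# The IP addresses are those listed in the diary; the timestamps and the
# example.org control records are invented for illustration.
OBSERVATIONS = [
    ("2005-11-17T08:00Z", "sarcony.com", "A", "83.243.33.25"),
    ("2005-11-17T08:00Z", "sarcony.com", "A", "69.192.206.42"),
    ("2005-11-17T08:00Z", "sarcony.com", "A", "84.135.28.52"),
    ("2005-11-17T08:00Z", "sarcony.com", "A", "152.66.214.90"),
    ("2005-11-17T08:00Z", "sarcony.com", "NS", "ns1.makesoulbraives.com"),
    ("2005-11-17T08:00Z", "sarcony.com", "NS", "ns2.makesoulbraives.com"),
    ("2005-11-17T08:00Z", "ns1.makesoulbraives.com", "A", "66.227.144.196"),
    ("2005-11-17T12:00Z", "ns1.makesoulbraives.com", "A", "151.198.140.186"),
    ("2005-11-17T16:00Z", "ns1.makesoulbraives.com", "A", "213.211.243.10"),
    ("2005-11-17T08:00Z", "ns2.makesoulbraives.com", "A", "68.105.15.143"),
    ("2005-11-17T14:00Z", "ns2.makesoulbraives.com", "A", "172.178.188.31"),
    # Stable control domain (constructed) that must not be flagged.
    ("2005-11-17T08:00Z", "example.org", "A", "192.0.2.10"),
    ("2005-11-17T16:00Z", "example.org", "A", "192.0.2.10"),
    ("2005-11-17T08:00Z", "example.org", "NS", "ns.example.org"),
    ("2005-11-17T08:00Z", "ns.example.org", "A", "192.0.2.53"),
    ("2005-11-17T16:00Z", "ns.example.org", "A", "192.0.2.53"),
]


def collect(observations):
    """Group the observed A and NS values by owner name."""
    a_records = defaultdict(set)
    ns_records = defaultdict(set)
    for _timestamp, name, rtype, value in observations:
        if rtype == "A":
            a_records[name].add(value)
        elif rtype == "NS":
            ns_records[name].add(value)
    return a_records, ns_records


def network_diversity(ips):
    """Count distinct /16 networks among the addresses: a crude proxy for
    'spread across unrelated providers', which stable hosting rarely shows."""
    return len({ip_address(ip).packed[:2] for ip in ips})


def flux_report(observations, min_ips=3, min_networks=3, min_ns_ips=2):
    """For every domain with NS records in the window, report whether its own
    A records look fluxed and whether any of its nameservers changed address.
    The thresholds are assumed defaults, not values from the diary."""
    a_records, ns_records = collect(observations)
    report = {}
    for domain, servers in ns_records.items():
        ips = sorted(a_records.get(domain, ()), key=ip_address)
        networks = network_diversity(ips)
        host_flux = len(ips) >= min_ips and networks >= min_networks
        # A nameserver seen at two or more addresses in one day is itself moving.
        moving_ns = sorted(s for s in servers
                           if len(a_records.get(s, ())) >= min_ns_ips)
        report[domain] = {
            "ips": ips,
            "networks": networks,
            "flux": host_flux,
            "moving_nameservers": moving_ns,
            "double_flux": host_flux and bool(moving_ns),
        }
    return report


if __name__ == "__main__":
    for domain, facts in flux_report(OBSERVATIONS).items():
        verdict = ("DOUBLE FLUX" if facts["double_flux"]
                   else "flux" if facts["flux"] else "stable")
        print(f"{domain}: {verdict}; {len(facts['ips'])} IPs in "
              f"{facts['networks']} /16s; moving NS: "
              f"{facts['moving_nameservers'] or 'none'}")
```

Feeding real lookups into `OBSERVATIONS` is a matter of logging each resolution as a tuple; the /16 heuristic stands in for the ASN lookup you would use in practice, since dial-up and cable addresses from unrelated providers (like the AOL address noted above) are the signature of an enrolled-victim pool rather than a hosting provider.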

Got correlations anyone?

The most effective method of combating abuse/scams such as this is to eliminate the dynamic DNS support. sarcony.com and mail.makesoulbraives.com disappeared quite soon after the abuse email went out. I'll post the results of other efforts when, hopefully, they generate results.

ns1 and ns2 makesoulbraives.com are also mentioned in a post at dslreports.com - "SPAM from Korea; (links hobbled)".
http://www.dslreports.com/forum/remark,14742535

The email:

Date: Thu, 17 Nov 2005 02:23:41 -0500
From: Careerbuilder <yumpy@dbzmail.com>
Subject: Careerbuilder Job Application
To: me
Message-id: <6.0.0.22.1.20051117022341.d58f1ab5@dbzmail.com>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Content-type: text/plain; format=flowed
Content-transfer-encoding: 7bit
Original-recipient: rfc822;me
 
"Sarkony Incorporated can help you make your dreams come true while getting a monthly wage working on the Internet.

As everything you need to work with Swiport Incorporated is:

being a United States, United Kingdom, Italy or Spain citizen
having a bank account (paypal account)
having a computer connected to the Internet
a little of your spare time

How it works:

Working for us as a Payment Processing Manager, you will become a part
of the new trend in the world banking system. Duties of the position are simple, and income depends only on your efforts. All you have to do is transfer payments between our clients getting your interest from each operation.

Basically it will be 5-10%, with each transfer your interest will grow.

If want to work with us, contact your personal manager Ms. Pamela Watkins, e-mail: Pamela@sarkony.com

Sarkony Incorporated cares about your prosperity. Make your life better together with Sarkony Incorporated"


Major Cogent outage

Published: 2005-11-17
Last Updated: 2005-11-17 18:43:04 UTC
by Johannes Ullrich (Version: 1)
Thanks to Bill P. for calling in about a major outage at Cogent.
Looks like it affects all of their major peering points:
keynote internet status

Cogent Network Status Page (currently not responding).

Brian Krebs (Washington Post) was able to confirm the dual cut with Cogent. See his blog for details.

Update (13:30 EST, 18:30 UTC): Keynote now reports some improvement. But traffic within the Cogent network appears still to be out for the most part. Note that 'cogent.com' is not associated with Cogent Communication. The official website is 'cogentco.com'.

The Cogent network got cut at two different locations: one around New Orleans and a second in Washington DC. It appears that only the New Orleans issue is a fiber cut, while the Washington DC outage was caused by faulty networking equipment inside a data center.



MS Windows Memory Allocation Denial of Service Via RPC

Published: 2005-11-17
Last Updated: 2005-11-17 13:12:33 UTC
by Kevin Hong (Version: 1)
Today, Microsoft released a new security advisory for a memory allocation denial of service attack via RPC.

Proof of concept code is publicly available, but there is no patch yet.

Only Microsoft Windows 2000 Service Pack 4 and Windows XP SP1 are affected by this vulnerability.
Windows XP SP2 and Windows 2003 are not affected.
According to the MS security advisory, the vulnerability could allow an attacker to levy a denial of service attack of limited duration.
For the exploit to succeed, the attacker needs valid logon credentials.
Anyone running Windows 2000 SP4 or Windows XP SP1 should block the unnecessary ports recommended in the MS security advisory.

If you have any more information about the public POC, please contact us.

You can find more information from following MS Security Advisory.
-->  http://www.microsoft.com/technet/security/advisory/911052.mspx

New ISC PGP Key

Published: 2005-11-17
Last Updated: 2005-11-17 12:22:48 UTC
by Johannes Ullrich (Version: 1)
Our current PGP key is about to expire. You can find the new key on our
contact page; the new key, plus a number of related keys, is also posted here.

We are also uploading the key to various PGP keyservers (let us know if we forgot one).

The new key's key ID is 0x9C0EC441. It expires on November 27th 2007 and its
fingerprint is
FBBF 76CC 51D5 D4F5 504E  7368 085E B5C1 9C0E C441




Mail Call Time: More Sony Info and Snort Signatures

Published: 2005-11-17
Last Updated: 2005-11-17 07:40:53 UTC
by Lorna Hutcheson (Version: 2)
Sony is still in the spotlight with their latest endeavours. Here is some more info and some Snort rules to try.

Here is an interesting tidbit from Juha-Matti Laurio:
It seems that the SecurityFocus database has assigned Sony BMG's DRM uninstallation utility from First 4 a software vulnerability entry, their new BID 15430:

http://www.securityfocus.com/bid/15430

"The CodeSupport package can be told to download, and then execute arbitrary content from remote Web sites. As it fails to verify that the source of the remote content is from a trusted source, attackers may utilize it to download and execute malicious code from arbitrary sources, facilitating the remote compromise of targeted computers."

Two interesting articles (the second is a blog entry by the BID's reporter) are available at

http://www.securityfocus.com/brief/48

and

http://www.freedom-to-tinker.com/?p=926

(the latter including a demonstration too).


Matt Jonkman let us know that Bleeding Snort had the following signatures available.  Thanks everyone for your hard work at Bleeding Snort!

#By Michael Ligh
# sid 2002675: outbound request whose normalized URI carries the reporting path and a uId parameter
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow:to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)

# sid 2002674: outbound request to sonymusic.com whose User-Agent header line contains SecureNet followed by Xtra (case-insensitive pcre)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow:to_server,established; content:"sonymusic.com"; nocase; pcre:"/User-Agent:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:2;)

#by Blake Hartstein
# sid 2002679: server response that references the CodeSupport ActiveX class ID after the literal "CLSID" (distance:0 anchors the second match after the first)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)



Link to rules on "Bleeding Snort"
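To check what the three signatures actually match before deploying them, here is an added example (not code from Bleeding Snort or the ISC) that re-implements their matching logic in Python and runs it over constructed HTTP messages. The Host value, User-Agent string and HTML page in the samples are made up; only the URI fragments, the content strings, the pcre and the CLSID come from the rules above. The `distance:0` modifier is modelled as "the second string must start after the end of the first match".

```python
"""Apply the matching logic of the three Bleeding Snort signatures to sample
HTTP messages. Added illustration, not code from Bleeding Snort."""
import re

# Regex from sid 2002674's pcre option; Python's re handles this PCRE subset.
UA_PATTERN = re.compile(r"User-Agent:[^\n]+SecureNet[^\n]+Xtra", re.IGNORECASE)
# Class ID that sid 2002679 looks for after the literal "CLSID".
CODESUPPORT_CLSID = "4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"


def request_uri(request):
    """Request-URI from the request line, which is what uricontent inspects."""
    parts = request.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""


def matches_sony_reporting_1(request):
    # sid 2002675: both uricontent strings must be present (nocase on both).
    uri = request_uri(request).lower()
    return "/toc/connect?type=redirect" in uri and "&uid=" in uri


def matches_sony_reporting_2(request):
    # sid 2002674: literal content plus the User-Agent pcre over the payload.
    return ("sonymusic.com" in request.lower()
            and UA_PATTERN.search(request) is not None)


def matches_codesupport_activex(response):
    # sid 2002679: "CLSID", then the class ID somewhere after the end of that
    # match (distance:0). A class ID appearing before "CLSID" does not count.
    lowered = response.lower()
    start = lowered.find("clsid")
    if start < 0:
        return False
    return lowered.find(CODESUPPORT_CLSID.lower(), start + len("clsid")) >= 0


def classify(direction, message):
    """Return the sids that would fire for one message; direction is
    'to_server' (client request) or 'from_server' (server response)."""
    sids = []
    if direction == "to_server":
        if matches_sony_reporting_1(message):
            sids.append(2002675)
        if matches_sony_reporting_2(message):
            sids.append(2002674)
    elif direction == "from_server":
        if matches_codesupport_activex(message):
            sids.append(2002679)
    return sids


# Constructed sample traffic: hostname, User-Agent value and page are made up.
REQUEST_REPORTING = (
    "GET /toc/Connect?type=redirect&uId=1234 HTTP/1.1\r\n"
    "Host: www.sonymusic.com\r\n"
    "User-Agent: constructed SecureNet player Xtra\r\n\r\n"
)
REQUEST_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
RESPONSE_ACTIVEX = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<object classid="clsid:4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"></object>'
)

if __name__ == "__main__":
    for label, direction, msg in [
        ("reporting request", "to_server", REQUEST_REPORTING),
        ("benign request", "to_server", REQUEST_BENIGN),
        ("CodeSupport page", "from_server", RESPONSE_ACTIVEX),
    ]:
        print(f"{label}: {classify(direction, msg) or 'no alert'}")
```

Note that the first two rules only fire on traffic your sensor sees leaving `$HOME_NET` toward `$HTTP_PORTS`, so a player reporting over a non-standard port or through a proxy on another port would be missed; the third rule fires on any page that references the CodeSupport CLSID, which includes write-ups that quote it, so expect to whitelist those.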







