SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-28 InfoSec Handlers Diary Blog

Phishing by proxy

Published: 2006-11-28
Last Updated: 2006-11-28 23:42:21 UTC
by William Salusky (Version: 1)
Phixies, Phoxies, Phishoxies, Proxishing, reverse-proxy phishing, reverse-prophixing, reverse phoxy prish, ahhh PHOOEY!!! 

It is likely already old hat to security researchers that phishing attacks are evolving like a black velvet paint-by-numbers board of ever-increasing complexity, but I personally have recently witnessed an increase in something *new to me*, which is Phishing by Proxy... and it is now quickly being followed by Money Mule recruitment by proxy.

I had been investigating reports of phishing and miscreant web sites being hosted in specific user-land network IP space, only to discover that the owners were not in fact malicious users but innocent users who had somehow been duped and their computers compromised. The result was a proxybot infection that would phone home announcing the availability of anonymous proxy redirect services, offering controllable TCP port 80 and 443 redirects to an upstream mothership.  These bots/agents also offer DNS service at the phisher's whim, acting as authoritative NS targets with the fast flux domain resolution techniques often found in short-lived phishing attacks or used by any other type of garbageware pusher.  All that functionality [in this variant] comes in an 11k footprint, and it hasn't been well detected by AV vendors either.  The AV vendors that do offer detection [for this specific variant I am referring to] unfortunately offer only innocuous names like "Trojan-Downloader.Win32.Small.dho" or "W32/Malware", which does nothing to improve awareness of the threat.  I am in the process of beating on the vendors that still do not offer detection of this simple sample.

So, getting back to the story.  I had received notice of various European financial services being proxied via these proxybotted agents, but by the time I had acquired malware samples the proxying for phishing sites had ceased, and in its stead came a wave of Money Mule recruitment sites being redirected via these proxies.  I suppose the upstream phishers ran out of individuals they could abuse in financial fraud, hence had to go on a recruitment/hiring binge.

What I have found works reasonably well in my situation to identify these infection types going forward is to search DNS cache dumps/logs for DNS A records that point into dynamically provisioned IP space, for host domain records not belonging to any typical dynamic DNS provisioning service.  More often than not, an isolated and suspiciously named A record pointing into wildly dynamic IP space [in my experience] implies that something wicked that way goes.  I looked at alerting based on discovered target IP/hostname phone-home destinations, but that seems to me to be a game that only the running man can play.
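The DNS-log heuristic described above, as an added example that is not part of the original diary: it scans resolver log lines for A records that land in analyst-maintained "dynamic" address ranges and are not under a known dynamic-DNS provider, and it groups the hits per hostname so that a single name hopping across several dynamic addresses (the fast flux pattern) stands out. The log format, the address ranges (RFC 5737 documentation space) and the provider suffixes are all constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder list of dynamically provisioned / residential ranges.
# In practice this comes from the analyst's own allocation data or ISP feeds.
DYNAMIC_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed suffixes of legitimate dynamic-DNS providers; names under these are
# expected to point into dynamic space and are therefore not flagged.
KNOWN_DYNDNS_SUFFIXES = (".dyndns.example", ".no-ip.example")

# Constructed DNS cache / resolver log excerpt: "<timestamp> <name> A <address>".
SAMPLE_LOG = """\
2006-11-28T10:01:02Z www.example-bank.test A 192.0.2.10
2006-11-28T10:01:05Z myhome.dyndns.example A 203.0.113.45
2006-11-28T10:02:11Z secure-login-update.example-bank.test A 203.0.113.77
2006-11-28T10:02:12Z secure-login-update.example-bank.test A 198.51.100.9
2006-11-28T10:03:40Z mail.example-bank.test A 192.0.2.25
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")


def in_dynamic_space(addr):
    """True if the address falls inside any configured dynamic range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DYNAMIC_RANGES)


def is_known_dyndns(name):
    """True if the hostname belongs to a recognised dynamic-DNS provider."""
    return name.lower().endswith(KNOWN_DYNDNS_SUFFIXES)


def find_suspect_records(log_text):
    """Return {hostname: sorted dynamic-space addresses} for names that resolve into
    dynamic IP space but are not hosted by a known dynamic-DNS provider."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an A record line; ignore
        _ts, name, addr = m.groups()
        try:
            dynamic = in_dynamic_space(addr)
        except ValueError:
            continue  # malformed address; skip rather than crash the sweep
        if dynamic and not is_known_dyndns(name):
            hits[name].add(addr)
    return {name: sorted(addrs) for name, addrs in hits.items()}


if __name__ == "__main__":
    for name, addrs in find_suspect_records(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(addrs)}")  # more than one address = flux candidate
```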

It's an obviously serious issue when it comes to combating the phish problem: a successful takedown of a reported phish site that is only a proxy just removes one node from the farm, while the upstream mothership continues with a typically long shelf life due to the effective anonymity offered by proxybotted hosts.  Did I mention that I'm a master of the run-on sentence?

Do we have any collective experience out there with this particular threat type?  Any experiences to share?

William Salusky 
"Painting Phish Pictures"
Handler on Duty

New and Improved Honeynet Tools availability

Published: 2006-11-28
Last Updated: 2006-11-28 20:24:50 UTC
by William Salusky (Version: 1)

It's time to update your Honeynet technologies toolbelt!

While the Storm Center handlers make an effort at timely reporting and dissemination of information regarding malware and distributed threats as they occur, to keep our readers in tune with the beat of things, we can't *always* be at the cutting edge.  If you have the capability of deploying new tools and infrastructure, you might consider extending your efforts to grow your organization's insight and visibility into the nefarious workings of the net.  If you choose to do so, or already have such efforts underway, I suggest sharing any significant findings with us!

While this year has personally seemed a bit slow in the tools development and release arena, there has been a considerable flurry of activity in new tools and update releases in the publicly available and commonly used Honeynet tool suites.  I'm suddenly having trouble keeping up my own infrastructure with building and deploying these releases.  Here are a few of the recent significant updates.

Honeynet Project - HoneySnap tool

  • The python based honeysnap client is making a fresh debut at v1.0.1 and offers some reasonably nice post-processing and text based reporting on packet capture.  The Honeysnap tool can be used standalone outside of a Honeynet environment or blends nicely with any pre-existing Honeywall deployments.  I 'like' it.

Nepenthes update release from the MWCollect project

  • A favorite is the Nepenthes malware collector that grew up with mwcollect, and after combined efforts this year we've been bestowed with the recent point release of v.20.

Honeynet Project - Upcoming Honeywall improvements

  • While the Honeywall has not released updates lately, there has been some significant development effort exerted this year within the project.  I'm personally hoping the next generation makes a public release very soon.

Mitre Honeyclient project

  • There has not been any fanfare lately but there has been some motion in the Mitre Honeyclient project.  Honeyclient code has been made available for download and a fair amount of documentation is published in the project wiki. 
  • Of note, but with no insight into why it may have occurred, the Mitre honeyclient project has just recently migrated away from the mitre.org domain out to new hosting.
  • You should really consider deploying this type of technology if you'd like to 'literally' drive your browser crazy.  Go find some new badness and make sure to report back on your findings.

And then there's your flow data

William Salusky 
"A Human Honeyclient"
Handler on Duty