Sunday, June 21, 2009

A BOZO way of advertising your website

I received a message today with a link to hxxp://201[.]3[.]192[.]61/~compras/postcard[.]jpg[.]exe.

Postcard.jpg.exe has been identified as Hoax.Phiscop.A by various anti-virus vendors and has the following hashes:

MD5: 7f283acb3ce6a004697c2ada3c0da539
SHA1: c8cd13b4232942ef64114e90795f8d6f7ca82aeb

Once launched, the binary performs a DNS lookup for www.phishcop.net and attempts to fetch star.gif from that site.


The application then pops up an alert window insulting the user (the alert text and a screenshot of the actual window are images in the original post, not reproduced here).
PhishCop's website shows just over 5700 visitors, and approximately 4288 unique IPs have run their mostly harmless executable. It appears the counter started in 2005. By all standards, this would be the smallest botnet I've ever seen.



I've always been a big fan of user education; however, I believe this is taking it too far. Whois records show that the domain was registered in 2005, and nothing about the domain or the binary appears to be malicious. Still, this is an irresponsible way to educate users not to click links in email.

Furthermore, visiting hxxp://201[.]3[.]192[.]61/~compras/ shows the following page (screenshot in the original post, not reproduced here):


Looking back through the Phishcop site, I noticed: "Total unique IP addresses that have visited a fixed phishing site: 70465."

This suggests to me that the individual(s) behind www.phishcop.net have placed files on the remote server, a server that they may not control. By doing so, they have damaged forensic data, accessed and modified data that did not belong to them, and, depending on the phish, could have stolen private data. After several years working as an incident investigator and even more working in the botnet scene, I find it hard to believe the owner of the site would authorize "phishcop" to make these modifications on their behalf.

Looking through my webspider history, it looks like Phishcop has been very active over the last few months. Dozens of phishing sites have redirects to Phishcop.

In the event you come across a phishing or malware-hosting site, please be careful what you do with the information. You have no right to hack a server that does not belong to you, even if it is spewing illegal or malicious data. In fact, you may damage any chance of an investigation by doing so. Report phishing, malware, and similar activity to your government's CERT, law enforcement, the victim's hosting provider, or well-known anti-malware/anti-phishing teams like Shadowserver. These groups are more likely to be trained in proper incident handling and forensic evidence gathering. Additionally, this gives the victim the best chance to fix the code that allowed the attacker in.

Please report any PhishCop-modified websites as well. If you feel uncomfortable speaking with the above-mentioned groups, you may report them to me. I will contact the proper authorities and victims for you.

UPDATE:

Threat Expert has something up on this as well: http://www.threatexpert.com/report.aspx?md5=7f283acb3ce6a004697c2ada3c0da539

This Google Search shows other sites with "PhishCop" pages:
http://www.google.com/search?q=%22This+has+been+a+public+service+of+http://www.phishcop.net%22+-site:www.phishcop.net&hl=en&filter=0

Note that the ftp.klos.com hit is actually the guy who owns Phishcop. The FTP server also has some PHP shells/backdoors that could be used to further compromise a server.

If your site contains any of the following files, it may indicate that PhishCop was there:

7f283acb3ce6a004697c2ada3c0da539 bozo.exe
5277986a08f49d19b97ab501479b73ac CAUTION.jpg
87e023db582e9fa341f1620d77e72895 fix
5f56f34fba5556a6ca8eb7090a494c42 scamfiles.zip
80e62bbd9942b9db626833a3c50abe3b scam.html
80e62bbd9942b9db626833a3c50abe3b scam.html.txt
a9a49a861cf1408fdc8c6da2c9f6a58b scam.php
c539a96344c50d65107ce7cd563a7166 scam.php.txt
1a003f76318f6d3e3d2ae110ff7901cc tools2.php
509ef4118b930fe08e92f5136caeed6d tools.php
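As an added example (not code from the original post or from PhishCop), here is a sweep a hosting admin can run over a web root against the list above, matching both by file name and by MD5. A name-only hit still deserves a manual look, since an edited copy of `fix` or `scam.php` changes the hash but not the intent. The MD5s and file names are copied from the list above; the sample directory tree built by `demo()` and the extra hash it passes in are constructed for illustration only.

```python
"""Sweep a web root for the PhishCop file names and MD5 hashes listed above.

Added example, not part of the original post. The indicator list is copied
from the post; demo() builds a constructed sample tree for illustration.
"""
import hashlib
import os
import tempfile

# Indicators from the post: (MD5, file name). scam.html and scam.html.txt
# share a hash, so hashes and names are tracked as separate sets.
PHISHCOP_IOCS = [
    ("7f283acb3ce6a004697c2ada3c0da539", "bozo.exe"),
    ("5277986a08f49d19b97ab501479b73ac", "CAUTION.jpg"),
    ("87e023db582e9fa341f1620d77e72895", "fix"),
    ("5f56f34fba5556a6ca8eb7090a494c42", "scamfiles.zip"),
    ("80e62bbd9942b9db626833a3c50abe3b", "scam.html"),
    ("80e62bbd9942b9db626833a3c50abe3b", "scam.html.txt"),
    ("a9a49a861cf1408fdc8c6da2c9f6a58b", "scam.php"),
    ("c539a96344c50d65107ce7cd563a7166", "scam.php.txt"),
    ("1a003f76318f6d3e3d2ae110ff7901cc", "tools2.php"),
    ("509ef4118b930fe08e92f5136caeed6d", "tools.php"),
]

IOC_HASHES = {h for h, _ in PHISHCOP_IOCS}
IOC_NAMES = {n for _, n in PHISHCOP_IOCS}


def md5_of_file(path, chunk=1 << 16):
    """Streaming MD5; MD5 is used only because the post publishes MD5 indicators."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(webroot, extra_hashes=frozenset(), extra_names=frozenset()):
    """Walk webroot and return {relative_path: reason} for every hit.

    reason is "name" (file name matches), "hash" (MD5 matches) or
    "name+hash" (both). Symlinks are skipped so the sweep stays inside
    the web root. Paths use forward slashes for portable reporting.
    """
    hashes = IOC_HASHES | set(extra_hashes)
    names = IOC_NAMES | set(extra_names)
    hits = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            reasons = []
            if name in names:
                reasons.append("name")
            try:
                if md5_of_file(path) in hashes:
                    reasons.append("hash")
            except OSError:
                continue  # unreadable file: report nothing rather than crash
            if reasons:
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                hits[rel] = "+".join(reasons)
    return hits


def demo():
    """Constructed sample tree (not real PhishCop files) to exercise sweep()."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "public_html"))
    # Name-only hit: an edited copy whose MD5 no longer matches the post's list.
    with open(os.path.join(base, "public_html", "scam.php"), "wb") as f:
        f.write(b"<?php // edited copy, hash differs from the published one\n")
    # Hash-only hit: a renamed file whose constructed content we add to the list.
    payload = b"constructed sample payload\n"
    with open(os.path.join(base, "renamed.txt"), "wb") as f:
        f.write(payload)
    # Clean file that must not be reported.
    with open(os.path.join(base, "index.html"), "wb") as f:
        f.write(b"<html>ok</html>\n")
    return sweep(base, extra_hashes={hashlib.md5(payload).hexdigest()})


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = sweep(target) if target else demo()
    for rel, why in sorted(results.items()):
        print(f"{why:10s} {rel}")
```

Run it as `python sweep.py /path/to/webroot` on a real host; without an argument it runs the constructed demo tree. Treat any hit as a reason to preserve the files (do not delete them) and hand them, with timestamps and access logs, to the hosting provider or CERT named above.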


2 Comments:

Blogger Phishcop Admin said...

I don't see why you are chastising Phishcop for (1) preventing people from running a trojan on their computer, and (2) educating these people about what they were just about to do?? You also write "By all standards, this would be the smallest botnet I've ever seen", which completely ignores your own definition of "bot", since that implies something installed without one's knowledge that awaits commands from some "master". And your description of "mostly harmless" is misleading. The program is COMPLETELY HARMLESS.

You say "Still, this is an irresponsible way to educate users not to click links in email", but you don't say how else to directly reach out to those people who received the email and were willing to click on the link and execute the program on their computer?!? Should the trojan have been simply deleted off of the hacked server that was hosting it?? That might prevent infection, but it won't stop many of the potential victims from doing the same thing next time they get a similar email.

Further on, you write "You have no rights to hack a server that does not belong to you - even if it is spewing illegal or malicious data.", yet your own guidelines for "Shadowserver" states "Another standard of operation is that Shadowserver does not exceed the authority on any system that would normally be allowed for the malware that we reverse or analyze. We only do what the malware would have normally have done as a part of its communication." That sure sounds like a vague way of saying "we don't hack worse than the original hackers did".

I don't know what you have against Phishcop (also a completely volunteer organization) except that we seem to be effective at what we do, even if it means crossing the line a little?

21 July, 2009 14:38  
Blogger Nicholas said...

@Phishcop Admin:

Thanks for your response -

Are you confirming or denying that your application is a bot? I certainly didn't ignore my own definition of a botnet, I just advised that yours was weak.

The program you advertise may or may not be harmless - that is not the point of this entry. The fact is you are sharing an executable that is, by your own admission, placed on a server over which you have no control.

As for my method of education - join a local users group, share samples of phished sites, get a clue. If you can't do this job legally, you have no place doing it at all.

You have NO RIGHT to those servers, so you simply cannot make the choice with regards to how the phish or binary is handled. The law is clear, and you are violating it.

Regarding Shadowserver guidelines, you conveniently twisted things to suit you best. The Shadowserver botnet tracking application will connect to the server, and passively listen for commands. At no time does the tracking application attempt to compromise a server or infected clients. I am one of the guys who may eventually have to clean up your mess.

You clearly admit to breaking the law. The data I've collected so far shows that you have done it on repeated occasions. I recommend you stop hiding behind the "We are just trying to do the right thing" attitude and figure out a legal way to get your message out. Other Anti-Phishing groups have done a great job - take a clue from them.

Now that you've admitted to crossing that legal line, I intend to treat you with no more reservation than any other criminal. Your attacks will be reported to the authorities and system owners. I will do everything in my power to make sure you are charged for any crimes you commit in pursuit of your fantasy.

22 July, 2009 01:06  
