A few days ago, I wrote about what appears to be a massive breach at Ning, a social networking platform that allows people to create their own niche social networking sites. The Ning security appears to be compromised, and the social networking sites they host are overrun with automated spam advertising links and redirectors to computer viruses–over a million of them, in fact.

As a good Internet citizen, I dropped an email to Ning alerting them to the problem. I’ve since received back what appears to be a stock form email in response:

Hi there,

Thanks for bringing this to our attention. As you may already know, Ning is a platform that enables individuals to build their own social networks. We aren’t involved in the decisions relating to content uploaded or published by Network Creators or members. In addition, we aren’t involved in the management of the social networks on our platform, or in any of the decisions relating to the focus of social networks created on our platform. That said, we’ll look into this and take action if we determine that our Terms of Service have been violated.

Thanks again!
The Ning Team

ref:00D8cCLt.5004AJJb9:ref

I’ve checked, and the problem still exists. Google is delisting the virus redirectors pretty quickly, but they’re being added even more quickly. Right now, Google shows about 600,000 virus redirectors on various Ning-hosted sites, with many more existing but not listed in Google.

It seems that Ning either does not understand or does not care about the scope of the problem they face.

In a way, I’m not surprised. iPower Web took over a year to fix their security when they were hit with a massive, ongoing server security breach, for example.

But it is disappointing. An executive at Verizon recently wrote an essay deriding security researchers who talk about security issues publicly as “narcissistic vulnerability pimps” who “solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

But considering how poorly ISPs and software vendors tend to respond to security problems, and how cavalier they seem to be with the safeguarding of their users’ data, it’s hard to see this essay as anything more than the whining of a crybaby managers who would rather play Quake III Arena than take care of fixing gaping security holes in their systems.

Meantime, I still suggest that anyone hosted on Ning seek hosting elsewhere.

Note: followup to this post at http://tacit.livejournal.com/325770.html

I run quite a number of WordPress blogs: weeklysextips.com, the Whispers blog at symtoys.com, the Skeptical Pervert blog (which I haven’t actually started doing anything yet, as I haven’t started my podcast yet), and so on.

These blogs all run comment spam filtering software, because automated WordPress comment spam is a big problem with any WordPress blog. A lot of the automated comment spam contains, of course, redirectors to malware, mostly disguised as porn links.

I occasionally trawl through the spam comments on my blogs; it’s an amazing early warning system to see what the malware writers are up to these days. Recently, I found a spate of malware spam advertising URLs hosted on a Web site called nashville.net; the spam promised all sorts of free sexual delights if I would but go to such Web addresses as

http://www.nashville.net/profile/3nz5lxzvocvcd
and
http://www.nashville.net/profile/jetttoland59

and so on.

I did some poking around on Nashville.net and discovered that it has been compromised like a Senator with a gambling addiction; at the moment, it’s hosting somewhere around 4,200 phony profiles, all of which are redirectors to sites that try to download malware. Each phony profile leads to the same place: a URL at

http://sexsuite.ru/stds/go.php?sid=14

which is a traffic handling Web site that works the same way that the traffic redirector sites used by malware networks I’ve talked about before do.

So I decided to be a good citizen and drop a line to the owner of nashville.net, and his Web host, letting him know he’d been massively breached.

That’s when things got interesting.

The Web site nashville.net is a “community site,” a small niche social networking site hosted by an outfit called Ning.

Parsing input: nashville.net
Routing details for 8.6.19.68
“whois NET-8-6-19-0-1@whois.arin.net” (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@ning.com
8.6.19.0 – 8.6.19.255:abuse@ning.com
Using abuse net on abuse@ning.com
abuse net ning.com = postmaster@ning.com, abuse@ning.com, abuse@level3.com

Ning is a personal social networking site founded by the guy who started Netscape, Marc Andreessen. It basically lets you create your own mini MySpace or LiveJournal or whatever you like–a small social networking platform aimed at whatever niche you want. It’s had a checkered past, and has struggled to make money; three days ago, Ning announced that it would become pay only and would cancel its free services. It also fired 40% of its staff.

But that’s not the really interesting part.

The really interesting part is that it looks like all of Ning, with all the social networks and online forums it hosts, has been pwn3d from balls to bones.

A search for some of the exact words and phrases used by the virus redirectors on nashville.net, one of Ning’s social networking sites, produces 1,060,000 results…and as near as I can tell, they are all on Ning.

Now, a conspiracy theorist might come up with all kinds of conspiracies to explain this–disgruntled employees, knowing what was coming, leaving the back door open; executives of a foundering company, desperate for cash, turning a blind eye to Russian malware writers; whatever. I suspect that the reality is what it always is–incompetence, someone asleep at the switch, management that doesn’t appreciate security and doesn’t want to pay for it…the same sorts of things that seem to be behind this sort of thing almost every time.

But if you use Ning, or you know someone who does, my advice is to leave.

If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.

*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usualy pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to a large degree even for sites that have security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors’ computers.

A smattering of these profiles includes:

http://community.quickbooks.co.uk/discussion/index.php?showuser=57944

http://community.quickbooks.co.uk/discussion/index.php?showuser=58063

http://community.quickbooks.co.uk/discussion/index.php?showuser=58395

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

Some of these profile sites, unusually, redirect through TinyURL to to destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as

http://stereotube.net/xfreeporn.php?id=45035

which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it’s hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosing malware sites for Russian organized crime, as I’ve mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network (the TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3&parameter=25aug, hosted by Worldstream.nl, which itself redirects to one of several sites such as stereotube.net or to http://tinyurl.com/stereotubeonline-boom-03, which redirects to http://stereotubeonline.com/xplays.php?id=48034 also hosted by Calpop.

The third is that the phony profile pages are pulling images from various real porn sites. For example,

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog–it appears to be defunct now–but that WordPress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.

When I go to my taxes next year, I don’t think I’ll use Intuit.

There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I’ve only received emails to the technical address of sites which have SSL (security) certificates on them.

*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLS in this email if you do not know what you are doing!

The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:

Attention!

System Administrator

So for example if you have a Web site called “theweaselstore.com” and your email address is “headweasel@theweaselstore.com” you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

Needless to say, the “patch” you download from this address is a computer virus.

This is one of the most sophisticated social engineering attempts I’ve seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner’s Web site embedded within it.

My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.

Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site’s customers.

Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using “https://” and will have the browser padlock indicating that the site is secure, which may help it to fool more people.

I’ve mentioned in this post how a Web address can be designed to fool people. It does not matter what’s in the address except for the part in front of the very first / character; so for example if you see a Web address that looks like

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

you are not on eBay. You can see where you are by looking at the part just before the first / which in this case is

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

a site called signin.ru in Russia.

Similarly, in the URLs in these hacker emails, the key part of the URL is

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

The computer virus is being distributed from a site called “ssl-datacontrol.com”.

ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.

Trouble-free.net is an ISP I’m very familiar with. As near as I can tell, the “trouble” they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.

The whois for ssl-datacontrol.com is, unsurprisingly, Russian:

whois ssl-datacontrol.com

Whois Server Version 2.0

Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010

>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<< Registrant ID: HEIGAAS-RU Registrant Name: Elena V Zhuravlyova Registrant Organization: Elena V Zhuravlyova Registrant Street1: Orekhovyi boulevard Registrant Street1: d.31 kv.72 Registrant City: Moscow Registrant State: Moscow Registrant Postal Code: 115573 Registrant Country: RU Administrative, Technical Contact Contact ID: HEIGAAS-RU Contact Name: Elena V Zhuravlyova Contact Organization: Elena V Zhuravlyova Contact Street1: Orekhovyi boulevard Contact Street1: d.31 kv.72 Contact City: Moscow Contact State: Moscow Contact Postal Code: 115573 Contact Country: RU Contact Phone: +7 499 2678638 Contact E-mail: awoke@co5.ru Registrar: ANO Regional Network Information Center dba RU-CENTER

So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.

The same rules apply to this as to all emails:

– DO NOT believe the From: address of an email. Ever.

– DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.

– Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.

I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.

I hadn’t actually intended to do any computer security stuff today; my plans for the evening involved playing WoW. the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.

A Google search for “viking porn” turns up a few hits with a Google “this site may harm your computer” tag. Both of the first two I looked at–because I can’t stay away from the “this site may harm your computer” tag–had a couple of interesting things in common: they were hosted on iPower Web, the notoriously insecure Web host I’ve written about on several occasions in the past; both had malicious redirection files in a directory named /backup/, both used a complex series of traffic redirectors before ending up at the malware site proper, and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.

In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.

I widened the Google search using both common keywords (like “porn”) and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.

What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of files stuffed full of keywords and each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.

Click here for more technical details (down the rabbit hole we go!)

Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.

This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael’s death on the Internet, and I could see it (oh boy!) by visiting

http://youtubemichaelj.com

*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don’t know what you’re doing. This site WILL attempt to download a Windows virus onto your computer.

The Web site looks just like YouTube, and presents a phony blank movie player image with a “An error occurred, please try again later” message in it, then attempts a drive-by download from

http://youtubemichaelj.com/Codec/120.exe

The download is a bit unwieldy for malware (1.8 MB in size)–much too large to be a variant on Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don’t believe I’ve seen this particular malware before.

The registration information is most likely bogus. The site was registered yesterday:

whois youtubemichaelj.com

Whois Server Version 2.0

Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010

Registrant:
T—- G—- (youtubemichaelj.com)
(WHOIS information redacted)
US

Registrar: DomainPeople Inc.

Domain Name: youtubemichaelj.com
Created on ………….2009-06-29-14.36.03.127000
Expires on ………….2010-06-29-14.36.03.000000
Record last updated on .
Status ……………..ACTIVE

Administrative Contact:
T—- G—-
(WHOIS information redacted)

The site’s hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they’re fairly clean, and a bit pricey. I suspect that the site will be disabled soon.

Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren’t fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.

Mac users, we had a three-month respite. The Russian Zlob gang, which last September lost its servers that were distributing the Mac DNSchanger malware when the corrupt hosting company EST Hosts went dark, are back after Macs again.

Just discovered a server being used to spread Mac malware from

http://brakeplayer.net/download/get7003.dmg
*** WARNING *** WARNING *** WARNING *** This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob, computer malware.

The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called “zlkon.lv”.

whois brakeplayer.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BRAKEPLAYER.NET
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.BRAKEPLAYER.NET
Name Server: NS2.BRAKEPLAYER.NET
Status: ok
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Name servers:
ns1.brakeplayer.net
ns2.brakeplayer.net

Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15

Registrant:
Nikolaj Selivestrov
Email: paul.aspen111@gmail.com
Organization: Private person
Address: ul. kosmonavtov, 132-13
City: Moskva
State: Moskovskaya
ZIP: 129301
Country: RU
Phone: +7.4957854978

I’ve also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I’ve talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.

For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they’d fixed their security problem. Now, Im not so sure–now, I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. Can’t prove it, but my hunch is there’s a long-standing zero-day exploit in vDeck, iPower Web’s home-grown Web control panel software.

I think we’re going to be seeing more Mac malware in the near future.

I’ve spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I’ve made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they’ve built an elaborate underground computer network to funnel traffic to virus-infected Web sites.

Along the way, they’ve changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it’s slowed to a paltry trickle…at any given time these days, there are only a couple hundred hacked Web sites living on iPower’s servers. When the post about iPower first went live last December, I was flooded with emails from folks saying “My Web site is hosted by iPower and I’ve been hacked!” and I even got two phone calls from iPowewr customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I’m not gonna tell you what it is.)

The interesting thing about this particular computer gang is their adaptability. They’re constantly changing targets, and as time goes on their underground network grows larger and more resilient.

In the past, they’ve planted redirectors to malware sites on hacked Web servers, they’ve exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they’ve set up fake FaceBook profiles that redirect visitors to virus-infected sites, and they’ve even created fake Google Groups to direct traffic to virus sites.

In the past couple of weeks, though, I’ve seen a whole new approach, and it’s all about exploiting open redirectors.

We’re going to get technical under here!

…and not even twelve hours after Obama’s acceptance speech, Eastern European organized crime are using America’s feelings about this historic moment to spread computer viruses.

A little while ago, I posted about a gang of computer criminals who, while building a network of hacked computers to use to spread viruses and fake bank sites, had hacked a system belonging to the US Department of Defense.

Those very same criminals are now hitting my inbox with messages attempting me to visit a server that downloads a computer virus disguised as a news story about Barack Obama’s victory.

I’ve received two of the emails so far. Both are formatted the same way, and are identical in formatting to the phish emails that masqueraded as a bank “security update.” The first carries a subject line reading “Obama win sets stage for showdown;” the second, “Priorities for the New President – TIME”. Both come from the forged email address “news@unitedstates.com”.

First, the technical stuff about how this computer virus is being spread.