May 31 2015

Malware Evolution Calls for Actor Attribution?

What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it’s important to consider attribution insofar as it is knowable, but it’s remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.


Perhaps with some new malware samples, the associated actor attribution data is too inconclusive to publish —particularly when corporate lawyers are involved and such findings are juxtaposed to facts about a new code sample that can be demonstrated empirically. Maybe in other cases, the company publishing the research privately has concerns that airing their findings on attribution will somehow cause people to take them or the newfound threat less seriously?

I doubt many who are familiar with my reporting will have trouble telling where I come down on this subject, which explains why I’m fascinated by a bit of digging done into the actor behind a new malware sample that recently received quite a bit of media attention. That threat, known variously as “Rombertik” and “Carbon Grabber,” is financial crimeware that gained media attention because of a curious feature: it was apparently designed to overwrite key sections of the hard drive, rendering the host system unbootable.

News about Rombertik’s destructive ways was first published by Cisco, which posited that the feature was a defense mechanism built into the malware to frustrate security researchers who might be trying to unlock its secrets. Other security firms published competing theories about the purpose of the destructive component of the malware. Some argued it was the malware author’s way of enforcing licensing agreements with his customers: Those who tried to use the malware on Web addresses or domains that were not authorized as part of the original sale would be considered in violation of the software agreement — their malware infrastructure thus exposed to (criminal) a copyright enforcement regime of the most unforgiving kind.

Incredibly, none of these companies bothered to look more closely at the clues rather clumsily left behind by the person apparently responsible for spreading the malware sample that prompted Cisco to blog about Rombertik in the first place. Had they done so, they might have discovered that this ultra-sophisticated new malware strain was unearthed precisely because it was being wielded by a relatively unsophisticated actor who seems to pose more of a threat to himself than to others.


As much as I would love to take credit for this research, that glory belongs to the community which has sprung up around ThreatConnect, a company that specializes in threat attribution with a special focus on crowdsourcing raw actor data across a large community of users.

In this case, ThreatConnect dug deeper into centozos[dot]org[dot]in, the control server used in the Rombertik sample featured in the original Cisco report. The Web site registration records for that domain lists an individual in Lagos, Nigeria who used the email address For those unfamiliar with Dispostable, it is a free, throwaway email service that allows anyone to send and receive email without supplying a password for the account. While this kind of service relieves the user of having to remember their password, it also allows anyone who knows the username to read all of the mail associated with that account.

KallySky's inbox at Dispostable.

KallySky’s inbox at Dispostable.

Reviewing the messages in that account reveals that the account holder registered the domain centozos[dot]org[dot]in with registrar, and that he asked to be CC’d on another email address, “”. ThreatConnect found that same email address used to register a number of other domains associated with distributing malware, including kallyguru[dot]in, nimoru[dot]com, directxex[dot]net, and norqren[dot]com.

The email address is tied to a Facebook account for a 30-year-old Kayode Ogundokun from Lagos, Nigeria, who maintains a robust online presence from his personal and “business” Facebook accounts, Blogger, LinkedIn, Twitter and Youtube,” ThreatConnect wrote.


“In fact Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering tracks his tracks have been minimal to non-existent,” ThreatConnect continued. “Ogundokun’s skillset appears to be limited to using commodity RATs and botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes. [We assess] that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently licensed it to a less capable operator. His particular sample of Carbon Grabber was simply caught up in a headline grabbing story.”


For several years until very recently, Kally/Koyode maintained, which thanks to we can still review in all its glory. In it, Kally’s site — which boldly and confidently displays the banner message “Revealing Internet Secrets to You” — links to dozens of video tutorials he produced and stars in on how to use various malware tools.

One of countless pages archived from Kallysky[dot]com

One of countless pages archived from Kallysky[dot]com

“He claims to offer services for Citadel Bot, Cybergate RAT, Darkcomet RAT with cpanel web services, ‘Fully Undetectable’ by anti-virus as well as other capabilities such as binders and file extension spoofers, all for educational purposes, of course,” ThreatConnect notes. “He also provides his phone number, BlackBerry Pin and the same kallysky@yahoo[dot]com email address that we observed earlier with the genhostkay@dispostable[dot]com norqren[dot]com domain expiration email.”

In an April 2014 video, Ogundokun provides a Carbon Form Grabber / Carbon Grabber tutorial. At the beginning of the video, he includes his kallysky@yahoo[dot]com contact details.

Sadly, Kally did not respond to requests for an interview about his work sent to his address. But his case and the initial industry writeups on Rombertik are illustrative of a trend within the security industry that’s become all-too-common: Threat reports that lack context — particularly on attribution that is so trivially discoverable, ThreatConnect observed.

“As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as ‘terrifying,’ ‘deadly’ and ‘suicide bomber malware’ dominate the security news headlines,” the company wrote. “Now if we consider for a moment the man hours and ad hoc reprioritization for many security teams globally who were queried or tasked to determine if their organization was at risk to Rombertik – had the organizations also had adversary intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against the operator’s (Ogundokun) intent, and could have more effectively determined the level of risk.”

May 30 2015

OWASP Zed Attack Proxy – Integrated Penetration Testing Tool

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as [...] The post OWASP Zed...

Read the full post at
May 29 2015

Lack of Prompt Revive Adserver Upgrades Reminder That Basic Web Security Precautions Still Not Being Taken

When it comes to keeping websites secure, what we see is that companies are trying to sell people services of limited to no security value while important security practices go undone in many cases. One of the basic measures that needs to be taken to do that is to keep software running on websites up to date as that prevents known security vulnerabilities from being exploited, unfortunately that often doesn’t happen. In the past we looked at data showing this was true for the likes of Drupal, Joomla, and others. Yesterday, Revive Adserver put out a post showing what versions of their software are in use and they tell a similar story.

About 56 percent of the active installations of Revive Adserver are running either version 3.0.2 or 3.0.5:


Version 3.0.5 contains two moderate severity security issues that were fixed in versions 3.0.6 and 3.1.0, which were released in December. Versions 3.0.2 contains an additional moderate severity security issue that was fixed version 3.0.5, which was released a year ago. We haven’t seen any major issues when upgrading from these versions so there isn’t any excuse not having done this by now.

If you haven’t been keeping Revive Adserver up to date now you should do that now (if need someone to do that for you, we can take care of that for you). For anyone who still hasn’t upgraded from OpenX you really need to do that now since that has more severe known security vulnerabilities in it at this point and the upgrade to Revive Adserver is relatively easy.

May 29 2015

Report: US tried Stuxnet variant on N. Korean nuke program, failed

It looks like North Korea's "hermit nation" status has paid off in at least one way: the US was unable to infect the systems controlling centrifuges for North Korea's nuclear program, even after using a variant of the Stuxnet virus designed specifically for Korean systems. According to an exclusive report by Reuters, the National Security Agency led an effort in parallel to the one that went after Iran's nuclear program, but the agency failed to get its malware into North Korea's nuclear labs because they were so isolated—both in a geographic and communications sense.

Reuters' Joseph Menn cites an unnamed US intelligence official as saying the same team that developed Stuxnet—which was reportedly a joint US-Israeli development effort called "Olympic Games"—also developed a similar set of malware that would activate itself only when it encountered Korean language settings on the computers it infected.

Like Iran, North Korea used centrifuges obtained from the Pakistani scientist, A.Q. Khan, who led his own country's nuclear weapons effort. The P-2 centrifuges used by Iran were controlled by supervisory control and data acquisition (SCADA) systems from Siemens, with control software running on the Windows operating system. It was believed that North Korea used similar software because of the similarity between the two research efforts, so the STUXNET malware could in theory be used with minor modifications.

Read 3 remaining paragraphs | Comments