Tag - cybercrime


Tuesday 31 March 2009

Forum International Cybercriminalité 2009

I went to the FIC (Forum International Cybercriminalité) on 24 March. I posted a write-up of the event on the CERT Lexsi blog here.

I would like to greet and thank all my friends who attended this event, in particular my Belgian friends Serge H, Christophe M, Olivier B, as well as David B, Franck V, Marc O (and his delightful anecdotes), Solange B.F., David C, Georges L, Nicolas B, and everyone else there with whom I had the pleasure of chatting. See you at FIC 2010, or before that at Solutions Linux! ;-)

Monday 5 January 2009


Hooray, MISC 41 is out.

This issue celebrates the magazine's 7th anniversary and includes a very interesting feature: "La Cybercriminalité ... Où quand le net se met au crime organisé" (Cybercrime ... or when the net turns to organised crime)

In it you will find one of my articles, entitled "Blanchiment d'argent sur Internet" (Money laundering on the Internet). I'll say no more ... ;-)


Thursday 13 November 2008

McColo exposed

Here is the link to an article I just wrote for CERT Lexsi. It's about the fraudulent hosting company McColo, and my own investigations into it.

Tuesday 7 October 2008

Atrivo, botnets, spam ...

I have been *somewhat* reproached for favouring English on this blog, given that I had announced at the outset that the FR/EN ratio of articles would be roughly respected... Is it my fault that most of the RSS feeds I have are in English, and that the only mailing lists I find interesting are too? :-)

Anyway, this post is not here to ramble on about that linguistic aspect, but to take stock of the Atrivo/Intercage case.

As a reminder, this US-based hosting company, which I have already blogged about here and , apparently hosted 100% illicit content such as child pornography, malware administration consoles, phishing, fake sites, and so on and so forth...

Following Jart Armin's study (link in my first post on Atrivo, *too lazy*) and the collective push of the anti-cybercrime community, Atrivo found itself without connectivity, after a few episodes of changing peers etc.

A new article, this time from Ars Technica, adds grist to the mill. The article tells us that according to MessageLabs, which I remind you is among other things a *huge* handler of e-mail traffic, global botnet activity dropped significantly when Atrivo was shut down:

The impact was short-lived, since Atrivo came back online after its first shutdown on 21 September 2008, and some of their customers probably quickly started migrating all their illicit data and command & control servers to other bulletproof hosters.

Spam, for its part, even though other factors have to be taken into account, dropped by 8.1% for September 2008.

The shutdown of Atrivo since 21 September has generated a lot of ink, and the community of information security and anti-cybercrime professionals currently seems to be in a somewhat more mature frame of mind than simply wanting to shut down more bulletproof hosters, and God knows there are still plenty of them. Thoughts on better collaboration with the judicial authorities are an integral part of this reflection, from which new methods of fighting this type of hoster may emerge. Time will tell.

Wednesday 24 September 2008

Cernel Panic

This is just a quick update on my post concerning Atrivo/Intercage.

A lot has been happening during the last few days. Atrivo lost all its upstream providers, then came back, having found one provider, UnitedLayer, as can be seen on cidr-report. Anyway, while this was happening, some of the malware whose C&C servers were hosted by Atrivo suddenly moved to another hosting company, namely CERNEL (.net).

It is interesting to see that has been registered through EstDomains.

Update (2008-09-25): is unreachable at the moment. The domain is pointing to an Intercage IP address. Need I say more? :-)

Friday 29 August 2008

Atrivo bulletproof host thrown under the spotlight

A new article from the excellent Brian Krebs has been published today in the Washington Post.

The article is spreading Jart Armin's whitepaper about ATRIVO, a famous hosting company ... Well, when I say "famous", I should say famous to fraudsters and computer security researchers.

The case is quite similar to the RBN case at the end of last year: a bulletproof hosting company, active for years, suddenly gets in the spotlight. Several things have been said concerning RBN. Having studied the organisation for a while, I have to say some releases about RBN have been upsetting me. According to almost the whole security community, RBN had disappeared... only to be spotted and mentioned everywhere for any fraudulent action taking place in the malware/phishing/fraud world. RBN has spread all the malware worldwide, has done every phishing case, has hosted all illegal content worldwide, and has attacked Georgia... Crap.

It just seems that most researchers have simply forgotten one thing: RBN had customers. When RBN "died", I heard shouts that they had gone to the "AbdAllah" host, for example. I think that's totally untrue; people noticed fraudulent domains had moved from ex-RBN to AbdAllah, and claimed it was an RBN move, which it wasn't, in my opinion.
Instead, it was only a move by customers, from one bulletproof hoster to another.

Now Atrivo is "following" the RBN case, being shown as an evil host. Emil K, its founder, is declaring, just like Tim Jaret did for RBN, that he is responding to abuse requests. But he isn't. He's following pretty much the same communication policy as Jaret.

As for Jart's paper, I don't totally agree with him, though I respect his work. I won't say more, and will let you read his paper. What will Atrivo's future be, now that all eyes are on them? Will they vanish just like RBN did? Time will tell...

Edit (2008-09-01): It seems that some people are reacting fast (speaking of GLBX). Read this excellent article from Jose Nazario.
Edit (2008-09-05): An excellent investigation from Knujon about Directi can be read here. Excellent work.
Edit (2008-09-08): It seems that everyone is running away from Atrivo:
Edit (2008-09-09): Another striking article from Brian, about EstDomains this time. Brian has been very active recently against cybercrime hosting companies and registrars, and it seems to work fine. This shows us all the power of the press... But it shouldn't go too far, since it could ruin some LE investigations. I hope that will not be the case.

Update (2008-09-15): EstDomains declares global war on malware... Can you really believe it? Article here.

Update (2008-09-15): Thanks to Communautech for a nice French article here.

Update (2008-09-17): Gary Warner has done great work, showing us a huge number of domain names pointing to Intercage. Here is the result.
Update (2008-09-22): Atrivo seems to be down for the moment. Links here and here.
Update (2008-09-22): Atrivo is back tonight. Some new peering has appeared, as can be seen here:

Report for AS27595
INTERCAGE - InterCage, Inc.
AS Adjancency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS2.0) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships.
27595 INTERCAGE - InterCage, Inc.
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS23342 UNITEDLAYER - Unitedlayer, Inc.
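To track this kind of peering change over time instead of eyeballing the report, here is an added Python example (not from the original post, nor code from cidr-report) that parses two snapshots in the adjacency report format quoted above and diffs their upstream lists; both snapshots are constructed samples, the "down" one being hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample snapshots in the cidr-report AS adjacency format quoted
# in the post. The first is a hypothetical "down" snapshot (no upstream);
# the second mirrors the report shown above for AS27595 (1 upstream, AS23342).
SNAPSHOT_DOWN = """\
Report for AS27595
INTERCAGE - InterCage, Inc.
AS Adjancency Report
27595 INTERCAGE - InterCage, Inc.
Adjacency: 0 Upstream: 0 Downstream: 0
Upstream Adjacent AS list
"""

SNAPSHOT_UP = """\
Report for AS27595
INTERCAGE - InterCage, Inc.
AS Adjancency Report
27595 INTERCAGE - InterCage, Inc.
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS23342 UNITEDLAYER - Unitedlayer, Inc.
"""


@dataclass
class AdjacencyReport:
    asn: int
    adjacency: int
    upstream: int
    downstream: int
    upstreams: dict = field(default_factory=dict)  # upstream ASN -> AS name


def parse_report(text: str) -> AdjacencyReport:
    """Parse the header, the Adjacency/Upstream/Downstream counts and the
    'Upstream Adjacent AS list' section of a cidr-report style report."""
    asn = int(re.search(r"^Report for AS(\d+)", text, re.M).group(1))
    m = re.search(r"Adjacency:\s*(\d+)\s+Upstream:\s*(\d+)\s+Downstream:\s*(\d+)", text)
    if m is None:
        raise ValueError("counts line not found")
    report = AdjacencyReport(asn, int(m.group(1)), int(m.group(2)), int(m.group(3)))
    in_list = False
    for line in text.splitlines():
        if line.startswith("Upstream Adjacent AS list"):
            in_list = True
            continue
        if in_list:
            u = re.match(r"AS(\d+)\s+(.*)", line)
            if u:
                report.upstreams[int(u.group(1))] = u.group(2).strip()
    # Sanity check: the listed entries must agree with the declared count.
    if len(report.upstreams) != report.upstream:
        raise ValueError("upstream count mismatch")
    return report


def diff_upstreams(old: AdjacencyReport, new: AdjacencyReport) -> dict:
    """Report which upstream ASes appeared or disappeared between two
    snapshots: this is what tells you an AS went dark or found new transit."""
    return {
        "added": sorted(set(new.upstreams) - set(old.upstreams)),
        "removed": sorted(set(old.upstreams) - set(new.upstreams)),
        "reachable": new.upstream > 0,
    }
```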

Thanks to as usual for the info :-)

Tuesday 11 March 2008

ZeuS and his thunderbolts!

Once again, I had no time to post anything here for the last couple of weeks, so I am shamelessly linking to a new post I wrote on CERT Lexsi's blog here.

I am preparing a big post for this blog (in French), but I am lacking time... Anyway, thanks to all friends and readers! :-)

Sunday 22 July 2007

MPack developer interview

Damn... Has this been the week of interviews?

I found a very interesting one; the guy being interviewed is one of the developers of the world-famous MPack kit.

Here is the article from Security Focus.

Again, it shows that the fraudsters behind this kind of illegal activity treat it just like an ordinary business.

Saturday 21 July 2007

Spammer Interview

Macworld released an interesting spammer interview this week ... It just confirms what I always thought: spammers have become real businessmen...

The original link is here, but I'll copy/paste the content here anyway:

“Ed,” a retired spammer, built a considerable fortune sending e-mails that promoted pills, porn and casinos. At the peak of his power, Ed says he pulled in $10,000 to $15,000 a week, storing the money in $20 bills in stacks of boxes.

It was a life of greed and excess, one that preyed especially on vulnerable people hoping to score drugs or win money gambling on the Internet. From when he was expelled from high school at 17 until he quit his spam career at 22, Ed — who does not reveal his full name but sometimes goes by SpammerX — was part of an electronic underworld profiting from the Internet via spam.

“Yes, I know I’m going to hell,” said Ed, who spoke in London on Wednesday at an event hosted by IronPort Systems, a security vendor now owned by Cisco Systems. “I’m actually a really nice guy. Trust me.”

A quick-witted and affable guy who wears an earring and casual clothes, there was a time when Ed wasn’t so nice. He sent spam to recovering gambling addicts enticing them to gambling Web sites. He used e-mail addresses of people known to have bought antianxiety medication or antidepressants and targeted them with pharmaceutical spam.

In short, Ed said he was “basically what people hate about the Internet.”

He spent 10 hours a day, seven days a week studying how to send spam and avoid filtering technologies in security software designed to weed out garbage e-mail. Most spam filters are effective 99 percent of the time; he aimed for that remaining window, using tricks such as including slightly different images in his spam, which can fool filters into thinking the e-mail is legitimate.

“The better I got at spam, the more money I made,” Ed said.

He would start a spam run by finding an online merchant who wanted to sell a product. Then he’d acquire a list of e-mail addresses — another commodity that has spawned its own market in the world of spam. He’d also set up a domain name, included as a link in a spam message, that, if clicked, would redirect the recipient to the merchant’s Web site, enabling Ed to get credit for the referral.

The spam would then be sent from a network of hacker-controlled computers, called botnets. Those machines are often consumer PCs infected with malicious software that a hacker can control. Ed would “rent” time on those computers from another group of hackers that specialized in creating botnets.

If one of the spam recipients bought something, Ed would get a percentage of the sale. For pharmaceuticals the commission was around 50 percent, he said.

Response rates to spam tend to be a fraction of 1 percent. But Ed said he once got a 30 percent response rate for a campaign. The product? A niche type of adult entertainment: photos of fully clothed women popping balloons.

To track the money, merchants set up a “referral sales page” where spammers can see how much they make from a spam run. Ed would log in frequently, watching the money increase. He was paid into electronic payment transfer accounts, such as e-gold or PayPal, or into his debit card account, which he could cash out in $20 bills.

That became problematic when the cash became voluminous. He says he made $480,000 his last year of spamming. But the lifestyle of being a spammer was taking a toll. In essence, he had no life.

It’s hard to go into a bar and explain your job to a woman by saying “I advertise penis enlargement pills online,” Ed said. “It doesn’t go down very well.”

He rationalized his actions by saying spamming is not like robbing someone, although the lurid impact of spam was clear. Some nine million Americans have some dependence on prescription drugs, Ed said, and he noticed that the same people were buying different drugs each month. “These were addicts,” he said.

Additionally, “the product is always counterfeit to some degree. If you’re lucky, sometimes it’s a diluted version of the real thing,” he said. Viagra is cut with amphetamines, and homemade pills are common from sketchy labs in countries such as China, India and Fiji, Ed said.

So Ed got out of the business. He’s written a book, “Inside the Spam Cartel: Trade Secrets from the Dark Side,” which he said has had some take-up in law enforcement circles eager to learn more about the spam business, which he projects will only get worse.

As broadband speeds increase, spammers will increasingly look to market goods by making VOIP (voice over Internet Protocol) calls or sending out videos, Ed said. The ultimate unsolvable problem is users, who continue to buy products marketed by spam, making the industry possible.

“I think in 10 years we’ll still get spam,” Ed said. “Be prepared to be bombarded.”

Thursday 7 June 2007

Malserver ...

Google published an interesting study about web servers and malware...

The link is here.

It is very interesting to see the differences between web servers according to the country they are hosted in.
And then, even more so, to see which of these servers host the largest amount of malware.
For example, in China, nearly all malware is served from IIS, while in Germany malware is found almost only on Apache.

What also astonishes me is the growth of nginx, given that it's a very young product (the first public version was released in October 2004)... Of course, it's mostly used in Russia, as it is a Russian product, but still, I would have thought it wasn't so widespread worldwide already...

Cyber attack against Estonian government

You might have been surprised not to see any reference on my Webl0g to the cyberwar that took place between Russia and Estonia for about three weeks recently (it began at the end of April).

Well, I have to admit I haven't had much time to spend here recently, and then, well ... I guess you've read about it on plenty of different websites...
To be honest, I thought this kind of thing would have happened years ago. After all, botnets have always been able to DDoS (even a few old eggdrops are enough sometimes...) and it wouldn't have been surprising to see successful DDoS against some particular networks earlier...

Anyway, what happened in Estonia is definitely alarming ... Enough for NATO to study it, at least ... And for Bruno Kerouanton to talk about it in his rump session at SSTIC 2007...

As usual, mainly because I'm short of time, I found a good article on the web about it, and it's HERE, from the Counterterrorism Blog.

Sunday 13 May 2007

LdPinch and its parser, Zunker bot administration

Here is a post from F-Secure about a new LdPinch variant ...

It is very interesting, because it also shows us something we usually don't get to see: the GUI used by the fraudster, called Pinch Parser PRO. You can see it here.

It definitely looks very professional ...

Panda Software also brings us some nice screenshots of frontends, showing us how a big botnet can be administered, here.

The whole Panda article is here.

Wednesday 2 May 2007

E-Gold & Justice...

I've read an interesting article from SecurityFocus ...
The article is about a two-and-a-half-year FBI investigation, leading to the famous E-Gold being charged with four counts of violating U.S. laws restricting funds transfers and money laundering.

I think I'm not the only one who thinks it would be great if E-Gold, and all other "companies" of this kind, closed for good... But I know, I'm a dreamer sometimes... ;-)

Friday 27 April 2007

Free Phish For All :-p

As said on CERT LEXSI's weblog in THIS article by Nicolas WOIRHAYE, the French ISP "FREE" (aka FREE PROXAD) now has its own dedicated phishing kit.

I had been expecting this kind of phishing for quite a long time, but I had not yet seen any targeting a French ISP.
Of course, phishing such a company is a nice way for fraudsters to collect personal data, FTP accesses, mailboxes, big storage capacity, and so on...
Waiting to see one for "WannaDo" :-P

Tuesday 13 March 2007


I know, I'd better post personal stuff/comments on the blog instead of other people's articles, but... I'm lazy and have little time for it at the moment ;-)

Anyway, here's another interesting article about playing with numbers ... Written by Dr. Neal Krawetz, it tells us about laptop losses and about spam/phishing ...

To bounce off this topic, I'm amazed by the number of employees who are allowed to take their work laptop home and who have no idea what computer security is.
They take the laptop home, store personal and professional information on it without any encryption, connect the machine to the Internet, and so on...

All of this is driving me quite mad, to stay polite ;-)

Saturday 10 March 2007

Social engineering has a bright future ahead of it...

I sometimes misuse the expression "nothing surprises me anymore".
Misuse, because obviously I am frequently surprised by many things, and thankfully so.
But let's get back to our sheep, or rather, in this particular case, to our *pigeons* (the marks)...

Here is an article explaining how a con man managed to get quite a lot of money sent to him by approaching single women on various dating sites.

Nothing earth-shattering; one can easily imagine there are various methods for scamming people on this kind of site.

On the other hand, getting a woman to give you $150,000 by making her believe it is to buy a farm together, that's quite a feat...

Please each send me 5 euros, my cats have a very rare disease which means they can only eat truffles... :-P

Wednesday 28 February 2007

Trashing Inc.

Here's an article I've just read ...

This article is about the old, well-known technique of "trashing" (dumpster diving) to get crucial information about companies, their users, their network, their security... anything you can think of that could be found in the trash.
This technique often proved efficient in the 90s, widely used by malicious hackers to get user names and passwords from companies.
Well, I was smiling when I saw this article, because I am still naive enough to think that almost all companies actually *are* disposing of their trash securely.
I might change my mind ;-)

Different faces... of defacement :-p

Recent years have seen a considerable increase in the number of defacements.
Regarded, depending on one's point of view, as "amusing" or on the contrary as "annoying", these defacements nevertheless raise questions, whether for the layman or for the information security professional.

Why the hell?
These attackers' primary motives were most of the time egocentric: break into a web server, claim the hack under one's handle to as many people as possible, get known on zone-h or zataz, in short, increase one's popularity in that scene...
Raising the awareness of the administrators of the compromised systems is another motive. Many defacements are carried out, and then the system administrator is contacted by e-mail, in which the attacker explains how he proceeded, so that the flaw or the lack of security on the site can be fixed.
For some time now, other motives have appeared: political or religious claims, hatred of certain administrators...

Who the hell?
Different categories of attackers commit this type of act, but most of the time they are script kiddies.
These attackers merely use pre-existing software and keep more or less up to date with vulnerabilities that can affect a maximum of servers. They then use scripts/tools to commit their misdeeds en masse. (Various kinds of Google searches often let them find a substantial number of sites with the same flaws.)
Other, more competent attackers sometimes deface sites, but to indicate that they have compromised much more than just the web server hosting a site.

Currently, it is worrying to note that more and more defacements carry not only an increasingly violent message, but also malicious code.
Obviously, many people want to see the defacements with their own eyes and visit the "crime scene", thereby allowing any malicious code to exploit a vulnerability on their own system and infect them.
Other, even more vicious compromises do not "show" themselves on the home page of the hacked site, but simply act "in the shadows" and spread malicious code.
Thus, the number of hacks of home pages of high-potential sites (in terms of visitor numbers) is increasing. The latest to date is that of the Dolphins, an American football team ... Here is the Websense article.

Friday 23 February 2007

Apophish :p

After Haxdoor and the other trojans that were particularly popular in 2006, here comes... Apophis... Sold for up to 1200 euros depending on features, and with a very nice administration console, as shown to us by CERT-LEXSI:

