Saturday, December 26, 2009

The Koobface Gang Wishes the Industry "Happy Holidays"



Oops, they did it again. The Koobface gang, which now officially describes itself as Ali Baba and the 40 Thieves LLC, has not only placed a Koobface-themed background (note the worm in the name) on Koobface-infected hosts, but has also added a "Wish Koobface Happy Holidays" script (10,000 people had clicked it the last time I checked), followed by the most extensive message the gang has ever left, which amusingly attempts to legitimize its activities.



In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as a piece of software whose new features are requested by its users, and to argue that by continuing its development the authors are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg of the malicious activities the group is involved in. Consider going through the related Koobface research posts featured at the bottom of this post to grasp how widespread and high-profile the activities of this group are. The exact message, a screenshot of which is attached, reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

For the record, in case you were living on the other side of the universe and weren't interested in the raw details of what takes place within the underground ecosystem: in July 2009, I became the only individual ever mentioned by the Koobface gang, which at the time included the following message within its command and control infrastructure for 9 days:
  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."
Alongside the folks at TrendMicro, the DHS also featured the event in its Daily Open Source Infrastructure Report for 3 September 2009, on page 18:
  • "This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."
It got even more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October 2009, resulting in thousands of visits from Facebook every time its crawlers visited a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on top of the research pie will see daylight soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - "I've got you under my skin". They'll get the point.



And now comes my Christmas present: the systematic take-down, blacklisting, and domain suspension of Koobface scareware operations.


Sample detection rates for the Koobface binaries: go.exe; fb.79.exe; fblanding.exe; v2captcha.exe; v2webserver.exe; pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f (Email: Josefinat@yahoo.com; 193.104.22.200; AS34305, EUROACCESS Global Autonomous System) acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at 193.104.22.200/91.212.226.95:
2010scannera1 .com - Email: NathanHSchafer@yahoo.com
artificial2010 .com - Email: Josefinat@yahoo.com
bestdiscounts2010 .com - Email: FrancesHAustin@yahoo.com
bestparty2009 .com - Email: FrancesHAustin@yahoo.com
bestparty2010 .com - Email: FrancesHAustin@yahoo.com
bestpffers2010 .com - Email: FrancesHAustin@yahoo.com
best-wishes-design .com - Email: FrancesHAustin@yahoo.com
bestyearparty .com - Email: FrancesHAustin@yahoo.com
celebrate2009year .com - Email: FrancesHAustin@yahoo.com
celebrate-designs .com - Email: FrancesHAustin@yahoo.com
happy-newyear2010 .com - Email: JerryHWallace@yahoo.com
internetproscanm .com - Email: JacquelynMRyan@yahoo.com
internetproscanq .com - Email: JacquelynMRyan@yahoo.com
internetproscanr .com - Email: JacquelynMRyan@yahoo.com
internetproscanw .com - Email: JacquelynMRyan@yahoo.com
internetproscany .com - Email: JacquelynMRyan@yahoo.com
megascannera .com - Email: MichaelDFranklin@yahoo.com
megasecurityl .com - Email: MichaelDFranklin@yahoo.com
megasecurityp .com - Email: MichaelDFranklin@yahoo.com
megasecurityq .com - Email: MichaelDFranklin@yahoo.com
newholidaydesigns .com - Email: FrancesHAustin@yahoo.com
newyearandsanta .com - Email: JerryHWallace@yahoo.com
newyeardesgings .com - Email: FrancesHAustin@yahoo.com
onlinesecurityn1 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com
online-securtiyv1 .com - Email: LucyGBrown@yahoo.com
online-securtiyv4 .com - Email: LucyGBrown@yahoo.com
online-securtiyv5 .com - Email: LucyGBrown@yahoo.com
onlineviruskilla0 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla2 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla4 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla6 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla8 .com - Email: JacquelynMRyan@yahoo.com
santa-christmas2010 .com - Email: JerryHWallace@yahoo.com
snowandchristmas .com - Email: JerryHWallace@yahoo.com
thebestantispys .com - Email: ThomasLRoy@yahoo.com

Christmas-themed scareware serving domains:
happy-newyear2010 .com
celebrate2009year .com
newyearandsanta .com
newyeardesgings .com
santa-christmas2010 .com
snowandchristmas .com


Speaking of AS34305, EUROACCESS Global Autonomous System, it is also hosting scareware campaigns at another IP, 193.104.22.50 in particular:
pcprotect2010 .com - Email: admin@pcprotect2010.com
bestantispysoft2010 .com - Email: admin@bestantispysoft2010.com
worldantispyware1 .com - Email: admin@worldantispyware1.com
antispyware24x7 .com - Email: admin@antispyware24x7.com
spydetector2009 .com - Email: admin@spydetector2009.com
myprivatesoft2009 .com - Email: admin@myprivatesoft2009.com
itsafetyonline .com - Email: admin@itsafetyonline.com
antispycenterprof .com - Email: admin@antispycenterprof.com
webspydetectunlim .com - Email: admin@webspydetectunlim.com
pcsafetyplatinum .com - Email: admin@webspydetectunlim.com
spywaredetect24pro .com - Email: admin@spywaredetect24pro.com
eliminater2009pro .com - Email: admin@eliminater2009pro.com
pcsafety2009pro .com - Email: admin@pcsafety2009pro.com
securityztop .com - Email: admin@securityztop.com
antisspywarescenter .com - Email: admin@antisspywarescenter.com
viridentifycenter .com - Email: molda444vimo@safe-mail.net
antispywarets .com - Email: admin@antispywarets.com
winvantivirus .com - Email: admin@winvantivirus.com
antispywaresnet .com - Email: admin@antispywaresnet.com
securityprosoft .com - Email: admin@securityprosoft.com
onlineantispysoft .com - Email: admin@onlineantispysoft.com
worldsantispysoft .com - Email: admin@worldsantispysoft.com
antispyworldwideint .com - Email: admin@antispyworldwideint.com
ivirusidentify .com - Email: admin@ivirusidentify.com

Within the same ASN, we can also find the following Zeus crimeware serving domains, courtesy of the Zeus Tracker:
print-design .cn - Email: alexsundren@gmail.com
backup2009 .com - Email: tahli@yahoo.com - association with money mule recruitment domain registration
1211news .com - Email: tahli@yahoo.com
tuttakto .com - Email: tahli@yahoo.com
filatok .com - Email: tahli@yahoo.com
wwwldr .com - Email: tahli@yahoo.com
bbbboom .com - Email: tahli@yahoo.com
fant1k .com - Email: tahli@yahoo.com
hoooools .com - Email: tahli@yahoo.com
ianndex .com - Email: tahli@yahoo.com
vklom .com - Email: tahli@yahoo.com
wwwbypost .com - Email: tahli@yahoo.com
wwwudacha .com - Email: tahli@yahoo.com

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - 204.12.252.99; also parked there is windowssp3download .com - Email: contact@subarutechs.com
winrescueupdate .com/download/winlogo.bmp - 89.248.162.147

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the following scareware domains:
attention-scanner .com - Email: khouri@atomtech.cc
be-secured2 .com - Email: info@scholarnyc.com
best-scanner-f .com - Email: LouisALeavitt@yahoo.com
get-secure2 .com - Email: info@scholarnyc.com
installprotection2 .com - Email: info@scholarnyc.com
online-defense7 .com - Email: contacts@manipadni.com.br
scan-spyware2 .com - Email: info@paristours.fr
topscan2 .com - Email: LouisALeavitt@yahoo.com
topscan3 .com - Email: LouisALeavitt@yahoo.com
virus-pcscan .com - Email: admin@rewards.de
win-scan05 .com - Email: katia@salsat.eu
win-scan07 .com - Email: katia@salsat.eu
win-scan09 .com - Email: katia@salsat.eu
winrescueupdate .com
winscanner01 .com - Email: contacts@crunchiesb.com
winscanner18 .com - Email: contacts@crunchiesb.com
your-protection8 .com - Email: admin@Relocation.it
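All of the lists above (and the ones in the posts that follow) share one format: a header naming the IP or IPs a portfolio is parked at, then one defanged domain per line with the registrant e-mail the post pivots on. The following Python script is an added example, not code from the original post: it parses that format, refangs the domains, and clusters them by registrant e-mail and by hosting IP, which is the pivoting the post does by hand, and it emits a deduplicated blocklist. The sample input is a constructed subset of this page's lists, including lines with the inconsistent defanging (`name.tld`, `name. tld`) that scraped lists like these tend to contain.

```python
"""Parse the blog's defanged indicator lists into structured IoCs and
cluster them by registrant e-mail and by hosting IP.

Added example, not code from the original post.  Input format (the page's
own): an optional header "IP[/IP] - ASN ..." naming where a portfolio is
parked, followed by lines "domain .tld - Email: registrant@example"; the
space before the TLD is the blog's defanging and the e-mail part is optional.
"""
import re
from collections import defaultdict

# Constructed sample in the page's format (a subset of the lists above),
# including two lines with the inconsistent defanging seen in such lists.
SAMPLE = """\
193.104.22.200/91.212.226.95:
artificial2010 .com - Email: Josefinat@yahoo.com
bestparty2010 .com - Email: FrancesHAustin@yahoo.com
celebrate2009year .com - Email: FrancesHAustin@yahoo.com
internetproscanm .com - Email: JacquelynMRyan@yahoo.com
malware-destroy09.com
malwarescannere. com
193.104.22.50 - AS34305; EUROACCESS Global Autonomous System
pcprotect2010 .com - Email: admin@pcprotect2010.com
winrescueupdate .com
"""

IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
DOMAIN_LINE = re.compile(
    r'^(?P<dom>[a-z0-9-]+(?:\s*\.\s*[a-z0-9-]+)+)'  # "name .tld", "name.tld" or "name. tld"
    r'(?:\s*-\s*Email:\s*(?P<email>\S+))?'           # optional registrant e-mail
    r'(?P<note>.*)$',                                # trailing analyst notes, if any
    re.IGNORECASE)


def refang(domain):
    """Undo the defanging: 'example .com' / 'example. com' -> 'example.com'."""
    return re.sub(r'\s*\.\s*', '.', domain.strip()).lower()


def header_ips(line):
    """Return the IPs of an 'IP[/IP] - ASN ...' header line, or None if it is not one."""
    first = line.rstrip(':').split(' - ')[0]
    parts = [p.strip() for p in first.split('/')]
    if parts and all(IPV4.match(p) for p in parts):
        return parts
    return None


def parse_indicators(text):
    """Return records {domain, email, ips}; each domain inherits the IPs of the
    most recent header line, since the page lists each portfolio under its IP."""
    current_ips, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ips = header_ips(line)
        if ips is not None:
            current_ips = ips
            continue
        m = DOMAIN_LINE.match(line)
        if not m:
            continue  # prose or some other line format: skip it
        email = m.group('email')
        records.append({
            'domain': refang(m.group('dom')),
            'email': email.lower() if email else None,
            'ips': list(current_ips),
        })
    return records


def cluster(records, key):
    """Group domains by 'email' (shared registrant) or by 'ips' (shared hosting)."""
    groups = defaultdict(set)
    for r in records:
        for value in (r['ips'] if key == 'ips' else [r['email']]):
            if value:
                groups[value].add(r['domain'])
    return {k: sorted(v) for k, v in groups.items()}


def blocklist(records):
    """Deduplicated, refanged domain list for a DNS or proxy blocklist."""
    return sorted({r['domain'] for r in records})


if __name__ == '__main__':
    recs = parse_indicators(SAMPLE)
    for email, doms in sorted(cluster(recs, 'email').items()):
        print(f'{email}: {", ".join(doms)}')
    for ip, doms in sorted(cluster(recs, 'ips').items()):
        print(f'{ip}: {len(doms)} domains')
    print('\n'.join(blocklist(recs)))
```

Registrant e-mail is the stronger pivot here: a shared hosting IP only tells you who the provider's other customers are, whereas a registrant address reused across a dozen throwaway domains is the operator's own mistake, and the clusters it produces are what make it worth suspending the whole portfolio rather than one domain at a time.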

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. 

Tuesday, December 22, 2009

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline



Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I've been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang and the actual Koobface botnet activity that had been taking place there for months, pinged me with an interesting email: "Riccom are now gone" (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing the malicious activity taking place there.

Since I've been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobface botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief retrospective of the malicious activity that took place there.

Malicious activity I've been analyzing since August, 2009:
Clearly, in terms of cybercrime, especially cybercrime that monetizes an asset with as high a liquidity as scareware, "better late than never" doesn't sound very appropriate.

Image courtesy of TrendMicro's The Heart of Koobface - C&C and Social Network Propagation report.

Related Koobface research published in 2009:
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Monday, December 21, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Four



Good traditions are not meant to be broken, in particular the "Diverse Portfolio of Fake Security Software" series. With scareware losses to customers already (conservatively) estimated at $150 million, combined with the overwhelming evidence gathered throughout the entire year that scareware has become the monetization method of choice for the majority of cybercriminals, in 2010 we'll see the peak of a fully matured business model offering one of the highest payout rates within the underground marketplace.

How can this underground business model be undermined? By hitting the "beehive" rather than the campaign of a particular "bee", and by disrupting the monetization flow, ultimately leaving the "beehive" with hundreds of thousands of "bees" actively infecting hosts but with no opportunity to collect the cash flow, thereby putting the "beehive" in a position where it becomes unable to pay commissions to the "bees" in the first place.

Moreover, raising awareness of the most efficient and profitable monetization tactic used by cybercriminals, namely scareware (see The Ultimate Guide to Scareware Protection), is crucial for filling in the gaps, since in its current form scareware is driven exclusively by social engineering tactics and aggressive traffic hijacking campaigns.

What's to come in 2010 anyway? It's the culmination of a year and a half of research. Stay tuned, folks!

The following scareware domains have been recently observed in active campaigns online:

78.46.254.18/96.9.180.102 - AS24940 - HETZNER-AS Hetzner Online AG RZ / AS21788 BurstNet Technologies, Inc.
3-scanner .com
5-scanner .com
9-scanner .com
aa-scan .com
antispy-microsoft0 .cn
antispy-microsoft2 .cn
aspywarescan .com
av-scannerr .com
av-scannerw .com
av-scannerx .com
av-scannery .com
av-scannerz .com
bb-scan .com
bspywarescan .com
cspywarescan .com
fspywarescan .com
internetdefencei .com
ispywarescan .com
malware-destroy01 .com
malware-destroy03 .com
malware-destroy09 .com
malwarescannere .com
malwarescannerq .com
malwarescannerr .com
malwarescannert .com
malwarescannerw .com
pc-securityv .com
pc-securityv2 .com
pc-securityv4 .com
removespywared .com
removespywarek .com
removespywarel .com
removespywarem .com
removespywaren .com
securitybugfixv9 .com
spyware-remove0 .com
spyware-remove9 .com
spyware-removeb .com
spyware-removee .com
spyware-removen .com
titan-antivirus .com
titan-antivirusv .com
titan-antivirusy .com
titan-antivirusz .com
titan-scanner .com
trustedmicrosoftscan0 .com
trustedmicrosoftscan8 .com
ultimatepcscanb .com
ultimatepcscano .com
ultimatepcscanp .com
ultimatepcscanr .com
windows-antivirus0 .com
windows-antivirus11 .com
windows-antivirus2 .com
windows-antivirus4 .com
windows-antivirus8 .com
win-pro-update .cn


The scareware domain portfolio profiled in the "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" post, parked at 193.104.110.50, has many new typosquatted additions:

193.104.110.50 - AS50073/SOFTNET Software Service Prague s.r.o.
10-open-davinci .com
advanced-virusremover2009 .com
advancedvirus-remover2009 .com
advanced-virus-remover2009 .com
advancedvirusremover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2010 .com
advanced-virus-remover-2010 .com
advanced-virus-remover2011 .com
advanced-virus-remover-2011 .com
avrdownnew6 .com
avrdownnew8 .com
avrdownnew9 .com
bastaproject .com
buy-internet-security2010 .com
coolcount1 .com
coolcount2 .com
coolprojectnew .com
downloadavr10 .com
downloadavr11 .com
downloadavr12 .com
downloadavr13 .com
downloadavr14 .com
downloadavr15 .com
downloadavr20 .com
downloadavr5 .com
downloadavr6 .com
downloadavr7 .com
downloadavr8 .com
downloadavr9 .com
greatcrypt .com
megacryptnew .com
pc-scanner2010 .biz
pc-scanner-2010 .biz
pcscanner2010 .com
pc-scanner2010 .com
pcscanner-2010 .com
pc-scanner-2010 .com
pc-scanner2010 .net
pc-scanner2010 .org
pc-scanner-2010 .org
pc-scanner-2011 .biz
pc-scanner-2011 .org
pc-scanner-2012 .com
pc-scanner-2012 .net
pc-scanner-2012 .org
testavrdown .com
vscodec-pro .net
vsproject .net
white-xxx-tube .com
white-xxxx-tube .com
xxx-white-tube .net


The Koobface gang has not only migrated the domains that weren't suspended after the previous "Koobface Botnet's Scareware Business Model - Part Two" post, but has also introduced new ones on the new IPs:

193.169.235.5/93.174.95.191 - AS32181/ASN-CQ-GIGENET ColoQuest/GigeNet ASN
goboldscan .com - Email: gleyersth@gmail.com
godeckscan .com - Email: quetotator@gmail.com
godirscan .com - Email: momorule@gmail.com
godotscan .com - Email: gleyersth@gmail.com
gopullscan .com - Email: stgeyman@gmail.com
gorootscan .com - Email: stgeyman@gmail.com
goscanbold .com - Email: gleyersth@gmail.com
goscandot .com - Email: gleyersth@gmail.com
goscanhand .com - Email: quetotator@gmail.com
goscanmend .com - Email: gleyersth@gmail.com
goscanmoth .com - Email: gleyersth@gmail.com
goscanpull .com - Email: stgeyman@gmail.com
goscanref .com - Email: quetotator@gmail.com
goscanrest .com - Email: quetotator@gmail.com
goscanroom .com - Email: gleyersth@gmail.com
goscanroot .com - Email: stgeyman@gmail.com
goscantype .com - Email: stgeyman@gmail.com

Some of these are actively redirecting to another recently updated .cn portfolio, once again maintained by the Koobface gang:
193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN
diwehym .cn - Email: spscript@hotmail.com
dizymhe .cn - Email: spscript@hotmail.com
docigpe .cn - Email: spscript@hotmail.com
dofawi .cn - Email: spscript@hotmail.com
domreha .cn - Email: spscript@hotmail.com
donlaci .cn - Email: spscript@hotmail.com
donqaw .cn - Email: spscript@hotmail.com
dopelsi .cn - Email: spscript@hotmail.com
doquza .cn - Email: spscript@hotmail.com
doqypku .cn - Email: spscript@hotmail.com
egikap .cn - Email: spscript@hotmail.com
enegoys .cn - Email: spscript@hotmail.com
eneybis .cn - Email: spscript@hotmail.com
enoihup .cn - Email: spscript@hotmail.com
enygoji .cn - Email: spscript@hotmail.com
enyuwip .cn - Email: spscript@hotmail.com
epafij .cn - Email: spscript@hotmail.com
epaumow .cn - Email: spscript@hotmail.com
epiadyl .cn - Email: spscript@hotmail.com
epiecgy .cn - Email: spscript@hotmail.com
g-antivirus .com - Email: mhbilate@gmail.com
iantiviruspro .com - Email: broderma@gmail.com
iantivirus-pro .com - Email: feetecho@gmail.com
iav-pro .com - Email: mcgettel@gmail.com
in4iv .com - Email: momaust@gmail.com
inb6ct .com - Email: jobumb@gmail.com
inb6ik .com - Email: jobumb@gmail.com
jyqhoki .cn - Email: spscript@hotmail.com
jyseny .cn - Email: spscript@hotmail.com
jywmer .cn - Email: spscript@hotmail.com
jyzixme .cn - Email: spscript@hotmail.com
jyzuju .cn - Email: spscript@hotmail.com
kabivu .cn - Email: spscript@hotmail.com
kacupyb .cn - Email: spscript@hotmail.com
kajefu .cn - Email: spscript@hotmail.com

Another portfolio is parked at 193.169.13.200, our "dear friends" AS5577 - ROOT eSolutions:
antivirusonlinegames .com - Email: saracbrown@dodgit.com
antivirussoftblog .com - Email: sharonldixon@trashymail.com
antyflutool .net - Email: joycerfriley@dodgit.com
an-ty-virusnow .net - Email: carriedlawrence@gmail.com
an-ty-virus-tool .com - Email: marydgallo@pookmail.com
bigvirusscan .com - Email: marydgallo@pookmail.com
freeantyvirusservice .com - Email: alejandrojmckinney@gmail.com
mysecuritysoft .net - Email: mildredkbaker@mailinator.com
nationalsecuritydirect .com - Email: loisjstillings@trashymail.com
newantispywaresoft .com - Email: junejbrubaker@trashymail.com
newantyvirus .net - Email: johneponder@gmail.com
progressmovement .com - Email: christinegcarroll@trashymail.com
readonlinestories .com - Email: lawrencemtimms@dodgit.com
removevirusgadget .com - Email: benjaminmdickerson@gmail.com
scannetradio .com - Email: robertcle@dodgit.com
securityonlinecopy .net - Email: saraldillard@trashymail.com
securitysoftstore .com - Email: anthonybpierce@trashymail.com
securitytoolsuser .com - Email: kyongabrantner@gmail.com
securitytoolsuser .net - Email: jamessvaughn@dodgit.com
securityutilityshop .net - Email: fletchererodriguez@gmail.com
spacetrafficsafety .com - Email: bettycyeates@pookmail.com
superprotectionact .com - Email: darnellbhouse@pookmail.com
supersafetysolutions .com - Email: georgekhorn@pookmail.com
thebillingaol .com - Email: justindsmith@trashymail.com
theprogressclub .com - Email: jerrysfinlayson@pookmail.com
theremovevirustool .com - Email: dalemharman@dodgit.com
virusread .com - Email: robertcjones@pookmail.com
yourfraudprotection .com - Email: michelledglover@dodgit.com
yoursafetysearch .com - Email: michelledglover@dodgit.com

193.104.153.245 - AS5577 - ROOT eSolutions
antivirusonlinecasino .com - Email: alfonzomhopps@mailinator.com
anti-virustoday .net - Email: elishaebeauregard@pookmail.com
an-ty-flu-service .com - Email: edwinwmartinez@trashymail.com
bereadonline .com - Email: jeanvfriddle@trashymail.com
bestantyspyware .net - Email: ralphyjackson@pookmail.com
bodyscanllc .com - Email: ralphyjackson@pookmail.com
contraspywaresoft .com - Email: josephinetmarenco@dodgit.com
newantyvirustool .net - Email: josephinetmarenco@dodgit.com
remove-virus-tool .com - Email: maryprobinson@pookmail.com
scaninternetradio .com - Email: maryprobinson@pookmail.com
securityonlinegames .net - Email: clementeanderson@pookmail.com

89.248.160.153 - AS29073/ECATEL-AS, Ecatel Network
do-fastscannow .net - Email: gkook@checkjemail.nl
do-speedscan .net - Email: gkook@checkjemail.nl
do-speedscan-search .com - Email: gkook@checkjemail.nl
iwillcheck-it .com - Email: gkook@checkjemail.nl
systemscan-check .net - Email: gkook@checkjemail.nl
zguarddata .com - Email: gkook@checkjemail.nl

193.106.32.10 - TELECOMPO, spol. s r.o.
antyspywaretoday .net - Email: willistbatiste@dodgit.com
an-ty-virusblog .net - Email: brendapwhite@dodgit.com
securitysoftshop .net - Email: milagrosrporter@pookmail.com
theantispywaresoft .com - Email: danhjones@gmail.com

88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG RZ
antispyscanb4 .com
onlinescanner70 .com
onlinescanner80 .com
pro-antivir03 .com
scannerintheinternet0 .com
windowscanner21 .com
windowscanner51 .com


88.198.160.57 - AS24940/HETZNER-AS Hetzner Online AG RZ
a7bestdefence .com
antispyscanb4 .com
best-antivirus99 .com
onlinescanner70 .com
onlinescanner80 .com
pro-antivir03 .com
pro-antivirus99 .com
scannerintheinternet0 .com
top10defenceb .com
top10defencef .com
windowscanner21 .com
windowscanner51 .com


Sample detection rate: SetupAdvancedVirusRemover.exe; Install.exe; Install(1).exe

Upon execution the samples phone back to:
downloadavr20 .com/loads.php?code=000NULL
downloadavr20 .com/dfghfghgfj.dll
downloadavr20 .com/cgi-bin/download.pl?code=000NULL
testavrdown .com/cgi-bin/get.pl?l=000NULL
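The phone-back URLs above are easy to turn into proxy-log detection, with one caveat: the `code=000NULL` and `l=000NULL` values are per-install parameters, so a rule should match on host and path rather than on the full URL, or it will miss installs that carry a different code. The following Python script is an added example, not code from the original post: it converts the four defanged callbacks into (host, path) rules and runs them over constructed Squid-style access.log lines (the Squid native layout is an assumption; adapt `SQUID_RE` for another proxy), reporting exact callback hits separately from lower-confidence contacts with the callback hosts on unlisted paths.

```python
"""Match the post's phone-back URLs against web proxy logs.

Added example, not code from the original post.  CALLBACKS are the four
callback URLs the post lists, in the blog's defanged form.  SAMPLE_LOG is
constructed, not real traffic, in Squid's native access.log layout (an
assumption about the reader's proxy).  Matching is on host + path only,
because the "code=" / "l=" query values vary per install.
"""
import re
from urllib.parse import urlsplit

CALLBACKS = [
    "downloadavr20 .com/loads.php?code=000NULL",
    "downloadavr20 .com/dfghfghgfj.dll",
    "downloadavr20 .com/cgi-bin/download.pl?code=000NULL",
    "testavrdown .com/cgi-bin/get.pl?l=000NULL",
]


def refang(url):
    """Undo the blog's defanging space before the TLD."""
    return re.sub(r'\s*\.\s*', '.', url.strip())


def to_rule(defanged_url):
    """Turn a defanged callback URL into a (host, path) rule, dropping the query."""
    u = urlsplit('http://' + refang(defanged_url))
    return (u.hostname.lower(), u.path)


RULES = {to_rule(c) for c in CALLBACKS}
RULE_HOSTS = {host for host, _ in RULES}

# Squid native access.log: time elapsed client action/code bytes method URL ...
SQUID_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)')

# Constructed log lines: two callbacks from one client, one benign request,
# one callback carrying a different per-install code, and one request to a
# callback host on a path the post does not list.
SAMPLE_LOG = [
    "1261785600.123    412 10.0.0.15 TCP_MISS/200 1532 GET http://downloadavr20.com/loads.php?code=000NULL - DIRECT/193.104.110.50 text/html",
    "1261785601.456    998 10.0.0.15 TCP_MISS/200 86016 GET http://downloadavr20.com/dfghfghgfj.dll - DIRECT/193.104.110.50 application/octet-stream",
    "1261785602.789     55 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1261785603.000    300 10.0.0.31 TCP_MISS/200 512 GET http://testavrdown.com/cgi-bin/get.pl?l=ABC123 - DIRECT/193.104.110.50 text/plain",
    "1261785604.000    120 10.0.0.40 TCP_MISS/404 512 GET http://downloadavr20.com/other.php - DIRECT/193.104.110.50 text/html",
]


def parse_line(line):
    """Return (match, host, path) for a Squid line, or None if it does not parse."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    u = urlsplit(m.group('url'))
    return m, (u.hostname or '').lower(), u.path


def scan_log(lines):
    """High-confidence hits: host + path equal to a listed callback."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        m, host, path = parsed
        if (host, path) in RULES:
            hits.append((m.group('ts'), m.group('client'), m.group('url'), (host, path)))
    return hits


def host_contacts(lines):
    """Lower-confidence signal: count every request to a callback host, by host."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in RULE_HOSTS:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts


if __name__ == '__main__':
    for ts, client, url, rule in scan_log(SAMPLE_LOG):
        print(f'{ts} {client} -> {url}  (rule {rule[0]}{rule[1]})')
    print(host_contacts(SAMPLE_LOG))
```

On the constructed sample, the request with `l=ABC123` is still reported as a callback hit because the rule ignores the query string, while the request for `/other.php` shows up only in the host-contact counts; the second bucket is where newly rotated paths on a known scareware host will surface first.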


Sample detection rate for the dropped files: SetupIS2010.exe; dfghfghgfj.dll

Hitting them where it hurts most -- the monetization flow -- since 2007. Domain suspension is in progress, the ISPs have been notified as usual.

Related posts:
The Ultimate Guide to Scareware Protection
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software


Monday, December 07, 2009

Celebrity-Themed Scareware Campaign Abusing DocStoc


UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying additional filtering to undermine its effectiveness.

Last week's "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" is now exclusively targeting the popular Docstoc document-sharing service. Naturally, this very latest campaign once again offers overwhelming evidence of the inner workings of the cybercrime ecosystem, in this particular case the connection between the Koobface gang and money mule recruitment campaigns.

So let's cut to the chase before we expose the entire campaign and have all the involved profiles removed. One of the most popular bogus video site links embedded in these documents, wildyourvideo .com - 188.130.250.246 - gevtone@gmail.com, is using NS1.FUCKABUSE .BIZ (abusehostserver@gmail.com) as its nameserver. The same email was also used to register some of the client-side exploit serving domains that were part of the Koobface drive-by download experiment, and is also known to have been used to register money-mule recruitment domains.

Automatically registered Docstoc accounts involved:
docstoc .com/profile/abefugymyu16261
docstoc .com/profile/acihofabulobe4403
docstoc .com/profile/adisareiecij23245
docstoc .com/profile/apyauputy10168
docstoc .com/profile/aqoqulicumisah16835
docstoc .com/profile/aqypycapytu4493
docstoc .com/profile/atirogesepuioh10057
docstoc .com/profile/atolageleraru
docstoc .com/profile/ayluleasyte37
docstoc .com/profile/bacuqelufukone
docstoc .com/profile/bibiemymiea12218
docstoc .com/profile/bonituhibo18350
docstoc .com/profile/bypopopihebyguk15216
docstoc .com/profile/byqaocopymyn
docstoc .com/profile/cubaaacanejof26562
docstoc .com/profile/daaqajyceqehi21058
docstoc .com/profile/deuymyhocapaqu2971
docstoc .com/profile/dorusefykylam
docstoc .com/profile/dyahucybofuk
docstoc .com/profile/eaahuigu
docstoc .com/profile/eduobecoyy23483
docstoc .com/profile/efifyybiciga21903
docstoc .com/profile/efodotoodyga7522
docstoc .com/profile/eheahakyydat
docstoc .com/profile/ekysihyracihapi2534
docstoc .com/profile/eqitulesarasimi10237
docstoc .com/profile/fukepeojened16595
docstoc .com/profile/fuosupoqeseta
docstoc .com/profile/gicorukucyqa
docstoc .com/profile/goibidukejeany
docstoc .com/profile/gupapegesia
docstoc .com/profile/gydohesypero
docstoc .com/profile/holoadybyila
docstoc .com/profile/hysygususedi17619
docstoc .com/profile/idejyetyoibi
docstoc .com/profile/ierycyceda
docstoc .com/profile/igikapuheac979
docstoc .com/profile/imaemesaoker321
docstoc .com/profile/imaqaybyqero16774
docstoc .com/profile/ineigysatu
docstoc .com/profile/isajetedisucadop
docstoc .com/profile/joqajerulehuyb
docstoc .com/profile/loufahysimirotu16153
docstoc .com/profile/lunyikajek
docstoc .com/profile/macugysie9926
docstoc .com/profile/myrosejilur
docstoc .com/profile/oboduqumufo
docstoc .com/profile/ocetiiuq
docstoc .com/profile/oijaobymegapob4072
docstoc .com/profile/ojujutauguqe16712
docstoc .com/profile/okytokydogu
docstoc .com/profile/omipasudeo19398
docstoc .com/profile/onobytadiny7825
docstoc .com/profile/pugihutoaqi8884
docstoc .com/profile/pygylipuhisupe1787
docstoc .com/profile/pymuhaqyretok23088
docstoc .com/profile/qouuebepy22520
docstoc .com/profile/quqadekytel
docstoc .com/profile/qynucehae15146
docstoc .com/profile/roonusohigi25266
docstoc .com/profile/ryjisuuuha
docstoc .com/profile/sujiloyhiimiq6675
docstoc .com/profile/tumofeukirilida9561
docstoc .com/profile/tydiidugaoga
docstoc .com/profile/uacalobyj24600
docstoc .com/profile/uaekihygua
docstoc .com/profile/ugadofauuy17774
docstoc .com/profile/ukylapytijun
docstoc .com/profile/unobahamor27750
docstoc .com/profile/upyeudufyye5432
docstoc .com/profile/uykulylyki10195
docstoc .com/profile/yahypiger
docstoc .com/profile/ybonyoeo
docstoc .com/profile/ydajyqeylaqun14519
docstoc .com/profile/yhonalejuboha
docstoc .com/profile/yjacilehybatage29784
docstoc .com/profile/ynefyjopam
docstoc .com/profile/yodulafiy8856
docstoc .com/profile/ypybifaboaqy22695
docstoc .com/profile/ysofaerabyqafi22465
docstoc .com/profile/zalupa


Sampled accounts are currently advertising, among other domains, wildyourvideo .com - 188.130.250.246 - gevtone@gmail.com, where the malware is obtained from technologyplayer .com/xvidplayer.45206.exe, which phones back to:

central-arts-gallery .com - 216.240.146.126 - aproctor@who.net
gold-ballade-art .com - 66.199.229.230 - madkins@outgun.com
global-arts-area .com - 64.27.5.204 - tcrotts@safrica.com

Related Docstoc accounts also link to two Blogspot accounts, carrie-prejean-sex-tapes .blogspot.com and carrie-prejean-sextape-video-free .blogspot.com, advertising tv-world-online .net - 58.218.199.186 - breathy3@gmail.com, with the malware obtained from freebigutilites .com/install_ActiveX.45171.exe.

Also parked on 58.218.199.186 are related domains with money-mule recruitment domain involvement:
0n-china .cn - Email: abusehostserver@gmail.com
bigitube .com - Email: lastomarino@gmail.com
free-video-portal1 .info - Email: kokishpoki@gmail.com
free-video-portal4 .info - Email: kokishpoki@gmail.com
greatmagice .com
i-finally-found .cn - Email: Michell.Gregory2009@yahoo.com
relevant-information .cn - Email: steven_lucas_2000@yahoo.com
search-results .cn - Email: hilarykneber@yahoo.com
share-video-portal1 .info - Email: kokishpoki@gmail.com
share-video-portal4 .info - Email: kokishpoki@gmail.com
spainsn .com - Email: ijushdf@gmail.com
usworkingspace .com - Email: ijushdf@gmail.com
web-paradise .cn - Email: steven_lucas_2000@yahoo.com
wed-bew .cn - Email: Michell.Gregory2009@yahoo.com

The download location domain freebigutilites .com responds to 69.10.41.147; parked on the same IP are the rest of the domains used in this and related campaigns:

Docstoc has been notified of the involved usernames and should take action against them quickly. Naturally, the attacks will continue, given the apparent outsourcing of the CAPTCHA-solving process.

Related posts:
The Ultimate Guide to Scareware Protection
Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.

Keeping Reshipping Mule Recruiters on a Short Leash



Following my previous "Keeping Money Mule Recruiters on a Short Leash" and "Standardizing the Money Mule Recruitment Process" posts, the campaigners behind the previously exposed money-mule recruitment domains, which were looking for a "payment processing assistant", are now also looking for "mailing assistants" to reship items fraudulently purchased using stolen financial data.

What happens once they standardize the practice? The network of reshipping mules ends up as a web-based command and control interface, allowing the customers of the mule recruitment syndicate to easily monitor the activity regarding their fraudulently purchased goods. In both of these models, the single most evident benefit for the cybercriminal remains the forwarding of the entire process's risk to the employee who is unknowingly participating in the cybercrime ecosystem.

Some of the new and currently active reshipping mule recruitment brands include - Total River Goods, Fargo River Goods, Irish River Goods and Parcel Alliance. Here's how they describe themselves:

"As an independent logistics provider, Total River Goods offers supply logistics management and transportation management services including: freight forwarding, packages forwarding, parcel forwarding, postal services and other postal services. Total River Goods is the world's active developer of retail shipping, business and postal online service centers. Since development began in 2000 we listened to our clients and developed our services based on feedback we have received. Our service evolved through the years and at this moment of time looks and feels how our customers want.

After many years of development and testing, in 2008 we released our online shipping service. With the new online service Total River Goods is a true virtual mail service. We are constantly adding to our services ensuring that we will stay the market leader. Please feel free to contact us if you have any questions or comments. Unlike many other online organizations, we have a goal to reply to all queries within 24 to 48 hours, including business days and weekends."

Domains involved:
totalrivergoods .com - 94.103.90.130 - Email: justin_dickerson@ymail.com - used in money-mule recruitment domain registration
fargorivergoods .com - 94.103.90.130 - Email: williamashley40@yahoo.com
parcelalliance .com - 94.103.90.200 - Email: domainprivate@communigal.com
irishrivergoods .com - 94.103.90.130 - Email: MarcusStraker909@gmail.com - used in money-mule recruitment domain registration

Thanks to Derek from aa419.org for the ping. 

Related posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations


Thursday, December 03, 2009

Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd


UPDATED: DocStoc has removed all the participating profiles and their documents.

A currently ongoing scareware campaign is using celebrity-themed blackhat SEO tactics in order to hijack legitimate traffic by abusing the popular DocStoc and Scribd document-sharing services. What's the single most interesting thing about this campaign? It's the fact that one of the domains parked on the same IP as the rest of the malware and exploit serving ones -- they naturally multitask and engage in drive-by attacks -- newsoff .net, has been registered with the same email, pvcprotect@gmail.com, as the original gumblar .cn domain.

Once the user clicks on the bogus video window embedded as an active document, which, as a matter of fact, doesn't issue any warning that the user is leaving the site, a redirection takes place through shurus .net/in.cgi?3 -> b.corlock .net/main.html - 188.165.65.173 - Email: jessica357ass@gmail.com, where the user is asked to download load.exe.

Parked on the same IP is the rest of the domain portfolio, which is also involved in separate drive-by campaigns:
offnews .cn - Email: cuitiankai@googlemail.com
newsoff .net - Email: pvcprotect@gmail.com - Ooh la la, the original gumblar .cn has been registered with the same email
curah .net - Email: jessica357ass@gmail.com
corlock .net - Email: jessica357ass@gmail.com
klirok .net - Email: jessica357ass@gmail.com
murrr .net - Email: jessica357ass@gmail.com
shurus .net - Email: jessica357ass@gmail.com

Sample Scribd activity per username:
lupan13 - 1,148 documents; 3,301 total reads
jess357 - 877 documents; 15,202 total reads
mumukan - 875 documents; 19,791 total reads
cekalo - 874 documents; 2,926 total reads

Sample Docstoc activity per username:
valaman - Docs: 460; Views: 13224
zalupa - Docs: 407; Views: 14397
monilit - Docs: 871; Views: 5265
babaka - Docs: 252; Views: 183
namaska - Docs: 139; Views: 8
rumaska - Docs: 829; Views: 172
zuzya - Docs: 748; Views: 280
malina13 - Docs: 66; Views: 15377
yoqeojegu - Docs: 9; Views: 3284
ryjokoleqayebi - Docs: 10; Views: 326
jopan13 - Docs: 397; Views: 43876
iculyodysocehi - Docs: 10; Views: 3721
lupan13 - Docs: 414; Views: 29275

Upon execution it drops the Home AntiVirus 2010 scareware which features a "Spyware Alert!" security warning explaining the dangers of Worm.Win32.NetSky. The scareware (SetupAdvancedVirusRemover.exe) is downloaded from downloadavr13 .com - 193.104.110.50 - Email: noxim@maidsf.ru. Parked on the same IP is a well known portfolio of scareware domains, first observed in July and most recently in September:


DocStoc and Scribd have been notified.

Related posts:
The Ultimate Guide to Scareware Protection
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  


Wednesday, December 02, 2009

Pushdo Injecting Bogus Swine Flu Vaccine

In the spirit of systematically introducing new themes in order to serve the ubiquitous crimeware releases, the Pushdo botnet has now switched to a State Vaccination H1N1 Program campaign, serving a vacc_profile.exe sample.

Sample subject: State Vaccination Program; Governmental registration program on the H1N1 vaccination
Sample message: "You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people. Create your Personal H1N1 Vaccination Profile using the link."

Subdomain structure used:

Actual domains involved:

DNS SERVERS OF NOTICE:


Upon execution, the sample phones back to 193.104.41.75/kissme /rec.php and 193.104.41.75 /ip.php, while attempting to download promed-net .com/css/absderce2.exe and 193.104.41.75/ cbd/75.bro, with the IP itself already blacklisted by the Zeus Tracker, as well as related activity on the same netblock - AS49934 (VVPN-AS PE Voronov Evgen Sergiyovich).

Related posts:
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Monday, November 30, 2009

Summarizing Zero Day's Posts for November

The following is a brief summary of all of my posts at ZDNet's Zero Day for November.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

Notable articles include: Windows 7's default UAC bypassed by 8 out of 10 malware samples and Man-in-the-middle attacks demoed on 4 smartphones.

01. iHacked: jailbroken iPhones compromised, $5 ransom demanded
02. Which antivirus is best at removing malware?
03. Windows 7's default UAC bypassed by 8 out of 10 malware samples
04. Source code for ikee iPhone worm in the wild
05. Commercial spying app for Android devices released
06. Man-in-the-middle attacks demoed on 4 smartphones
07. Thousands of web sites compromised, redirect to scareware -- the latest virtual smoking gun of the Koobface gang


Wednesday, November 25, 2009

Koobface Botnet Starts Serving Client-Side Exploits


UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and scareware domains remains ongoing, with no signs of resuming the use of client-side exploits.

Some of the latest ones include inviteerverwhere .cn - Email: box@cethcuples.com -> scanner-infoa .com - Email: inout@celestia.com, scareware detection rate; 1economyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: inout@celestia.com, scareware detection rate; slip-stream .cn - Email: info@mercedess.de -> getsafeantivirusa .com - Email: morrison2g@yahoo.com, scareware detection rate.

The complete list of redirectors introduced over the past week is as follows: 1economyguide .cn; 1monocline .cn; 1nonsensical .cn; 1onlinestarter .cn; 1political-news .cn; argentinastyle .cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcountry .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets .cn; womenregrets2 .cn

UPDATED, Saturday, November 28, 2009: Following yesterday's experiment with bit.ly redirectors, relying on a "visual social engineering element" by appending a descriptive domain after the original link -- bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any generated bit.ly link -- the gang is now spamvertising links that use Google News redirection to automatically registered Blogspot accounts, whose CAPTCHA challenge has been solved by the already Koobface-infected victims. This feature is now mainstream, compared to the gang's previous use of commercial CAPTCHA-solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:

- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/
- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/
- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/
- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/
- news.google.com/news/url?url=http://keyserefrain .blogspot.com/


New redirectors introduced include:

New scareware domains introduced include:

Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed .com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain.

UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits; let's see whether it's only for the time being or indefinitely. Scareware is, however, still being introduced through periodically registered new domains - argentinastyle .cn - Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au, which redirect to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: fransysles2@yahoo.com - detection rate.

The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain active.

The Koobface botnet, a case study on propagation relying exclusively on social engineering tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second "game-changer" next to the migration to distributed command and control infrastructure once its centralized operations got shut down.

Next to the embedded and automatically rotating scareware redirects placed on each and every infected host part of the Koobface botnet, the gang behind it has now started officially using client-side exploits (VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground Molotov - function molot (m)), which connect to a well known (average) web malware exploitation kit's interface. Not only would a user that clicks on the Koobface URL be exposed to the Koobface binary itself, now pushed through client-side exploits, but also, to the periodically changed scareware domains.

Let's dissect the campaign, expose the entire domains portfolio involved or introduced since the beginning of the week, and once again establish a connection between the Koobface gang and money mule recruitment scams followed by scareware domains (Inst_312s2.exe; Inst_312s2.exe from today, both of them phone back to angle-meter .com/?b=1), all registered using the same emails.

Scareware redirectors seen during the past couple of the days, parked at 91.213.126.250:

New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103:

The client-side exploit redirection takes place through three separate domains, all involved in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. For instance, el3x.cn/test13/index.php - 210.51.166.119 - Email: Exmanoize@qip.ru redirects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> el3x.cn/test13/soc.php using VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc. pushing load.exe, which phones back to a well known "leftover" from Koobface botnet's centralized infrastructure - xtsd20090815 .com/adm/index.php.

Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders with authors of actual web malware exploitation kits, who diversify their cybercrime operations by participating in money mule recruitment scams, Zeus crimeware serving campaigns, and scareware.
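The attribution in this and the surrounding paragraphs rests on two pivots, a shared hosting IP and a reused registrant e-mail, applied transitively across campaigns. As an added illustration, not the post's own tooling, the following clusters constructed (hypothetical) domain records on those two pivots and reports which IPs or e-mails tie more than one campaign together.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Record(NamedTuple):
    domain: str     # hosted domain
    ip: str         # IP it was parked on at the time of observation
    email: str      # registrant e-mail from WHOIS; empty when privacy-protected
    campaign: str   # analyst's tag for the campaign the domain was seen in


# Constructed sample records (hypothetical values, not the post's indicators).
SAMPLE = [
    Record("exploit-kit-a.test", "203.0.113.10", "reg-one@example.net", "client-side-exploits"),
    Record("exploit-kit-b.test", "203.0.113.10", "reg-one@example.net", "client-side-exploits"),
    Record("mule-recruit-a.test", "203.0.113.10", "reg-two@example.net", "money-mule-recruitment"),
    Record("mule-recruit-b.test", "198.51.100.7", "reg-two@example.net", "money-mule-recruitment"),
    Record("scan-now-a.test", "198.51.100.7", "", "scareware"),
    Record("unrelated-shop.test", "192.0.2.55", "reg-three@example.net", "unrelated"),
]


class UnionFind:
    """Minimal disjoint-set structure over domain names."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records: List[Record]) -> List[Set[str]]:
    """Join any two domains that share an IP or a registrant e-mail, transitively."""
    uf = UnionFind()
    by_ip: Dict[str, List[str]] = defaultdict(list)
    by_email: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        uf.add(r.domain)
        by_ip[r.ip].append(r.domain)
        if r.email:  # a blank e-mail must not glue unrelated domains together
            by_email[r.email.lower()].append(r.domain)
    for group in list(by_ip.values()) + list(by_email.values()):
        for d in group[1:]:
            uf.union(group[0], d)
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        clusters[uf.find(r.domain)].add(r.domain)
    return sorted(clusters.values(), key=lambda s: (-len(s), sorted(s)))


def cross_campaign_pivots(records: List[Record]) -> Dict[str, Set[str]]:
    """Which shared IPs / e-mails link more than one campaign tag."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen["ip:" + r.ip].add(r.campaign)
        if r.email:
            seen["email:" + r.email.lower()].add(r.campaign)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for c in cluster(SAMPLE):
        print("cluster:", sorted(c))
    for pivot, campaigns in cross_campaign_pivots(SAMPLE).items():
        print(pivot, "ties together", sorted(campaigns))
```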

Parked on 210.51.166.119 where the first iFrame is hosted, are also the following domains participating in related campaigns:

The second iFrame domain parked at 61.235.117.83 redirects in the following way - kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to kiano-180809 .com/oko/dyna_soc.html -> kiano-180809 .com/oko/tomato_guy_13.html -> kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wmf.

The same exploitation structure is valid for the third iFrame domain - ttt20091124 .info/oko/help.html which is again, parked at 61.235.117.83 and was embedded at Koobface-infected hosts over the past 24 hours.

What prompted this shift on behalf of the Koobface gang? Declining infection rates -- I'm personally not seeing a decline in the click-through rate, with over 500 clicks on a spamvertised Koobface URL over a period of 24 hours -- or their obsession with traffic optimization? In terms of social engineering, the periodic introduction of new templates proved highly successful for the gang, but the newly introduced, outdated client-side exploits can in fact generate more noise than they originally anticipated, compared to continuing to rely on social engineering vectors only.

One thing's certain - the Koobface gang is now on the offensive, and it would be interesting to see whether they'd introduce a new exploits set, or continue relying on the one offered by the web exploitation kit.

Related posts:
Secunia: Average insecure program per PC rate remains high
Research: 80% of Web users running unpatched versions of Flash/Acrobat
Fake Security Software Domains Serving Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors


Wednesday, November 18, 2009

Scareware Campaign Using Google Sponsored Links


A scareware campaign is currently using Google sponsored ads and, by hijacking a decent number of well positioned keywords, is attempting to trick visitors into installing scareware featuring several new templates. This is, of course, not the first and definitely not the last time scareware campaigners have used highly targeted legitimate networks in order to reach a potential audience by investing in traffic acquisition.

However, compared to the "long tail centered" blackhat SEO, the use of legitimate ad networks would never reach a positive ROI, like the one achieved by dynamic syndication of legitimate content and monetizing it through scareware.

Scareware domains seen in circulation: 

Sample detection rates: anti-malware-application.exe; malware_professional.exe; macro_virus.exe; antimalware_pro.exe; spyware_destroyer.exe; AdwarePro_Setup.exe; AdwarePro_Setup06.exe; AdwarePro_Setup2305.exe.

Consider going through The Ultimate Guide to Scareware Protection, detailing alternative traffic acquisition approaches used by scareware campaigners, as well as the related posts dissecting recent blackhat SEO campaigns.

Related posts:
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot


Tuesday, November 17, 2009

"Your mailbox has been deactivated" Spam Campaign Serving Crimeware

An ongoing "Your mailbox has been deactivated" themed spam campaign is pushing crimeware as an attached utility.zip archive.

Subject: your mailbox has been deactivated
Message: "We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility. Best regards, hush.com technical support."
Different signatures used: "From Webmail Help Desk; From hush.com technical support; From msmvps.com technical support; From ahnlab.com technical support; From symantec.com technical support"

The sample obtained phones back to 193.104.27 .91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581 and 193.104.27 .91/limpopo/bb.php?id=554275088&v=200&tm=8&b=4316315581&tid=11&r=1, from where it downloads promed-net .com/css/abs.exe (97.74.144.118; Email: ninemed@ninemedical.com), which phones back to 231307d91138.bauhath.com/get.php?c=QPTUDBSV&d=, downloading 91.213.72 .51/ldr7.exe, which phones back to 193.104.27 .42/lcc/ip2.gif and is detected as TrojWare.Win32.TrojanSpy.Zbot.Gen.

All of these IPs are, not surprisingly, known Zeus crimeware hosts.

Related phone-back locations parked on the same IP - 94.75.221.76:
131107d9112a.bauhath .com
091207d9112a.bauhath .com
051607d9113a.bauhath .com
231207d9111b.bauhath .com
091607d9113b.bauhath .com
141607d9110c.bauhath .com
111007d9112c.bauhath .com
111207d9112c.bauhath .com
161607d9110d.bauhath .com
071607d9112d.bauhath .com
181607d9110f.bauhath .com
181007d91132.edvehal .com
181007d91135.edvehal .com
181207d91110.agulhal .com
091007d91120.agulhal .com
211007d91130.agulhal .com
041307d91130.agulhal .com

111007d91122.agulhal .com
061307d91132.agulhal .com
131207d91123.agulhal .com
131007d91124.agulhal .com
151207d91125.agulhal .com
230907d91116.agulhal .com
151007d91126.agulhal .com
061207d91127.agulhal .com
011007d91118.agulhal .com
171007d91128.agulhal .com
031007d9111a.agulhal .com
021207d9111b.agulhal .com
121107d9113b.agulhal .com
051007d9111c.agulhal .com
011107d9110d.agulhal .com
041207d9111d.agulhal .com
191007d9112d.agulhal .com
161207d9110e.agulhal .com
071007d9111e.agulhal .com
141607d91100.lantzel .com
081607d91100.lantzel .com
221607d91110.lantzel .com
121607d91101.lantzel .com
171207d91111.lantzel .com
201607d91111.lantzel .com
071107d91121.lantzel .com
051107d91122.lantzel .com
141607d91103.lantzel .com
151207d91113.lantzel .com
191207d91113.lantzel .com
221607d91113.lantzel .com
051007d91123.lantzel .com

091107d91123.lantzel .com
051207d91123.lantzel .com
101607d91104.lantzel .com
071107d91124.lantzel .com
211207d91115.lantzel .com
171207d91115.lantzel .com
071007d91125.lantzel .com
111107d91125.lantzel .com
071207d91125.lantzel .com
121607d91106.lantzel .com
051007d91126.lantzel .com
091107d91126.lantzel .com
051207d91126.lantzel .com
101607d91107.lantzel .com
231207d91117.lantzel .com
191207d91117.lantzel .com
091007d91127.lantzel .com
131107d91127.lantzel .com
091207d91127.lantzel .com
051607d91137.lantzel .com
141607d91108.lantzel .com
071007d91128.lantzel .com
111107d91128.lantzel .com
071207d91128.lantzel .com
091607d91138.lantzel .com
121607d91109.lantzel .com
211207d91119.lantzel .com
111007d91129.lantzel .com
111207d91129.lantzel .com

071607d91139.lantzel .com
161607d9110a.lantzel .com
091007d9112a.lantzel .com
131107d9112a.lantzel .com
091207d9112a.lantzel .com
111607d9113a.lantzel .com
051607d9113a.lantzel .com
141607d9110b.lantzel .com
231207d9111b.lantzel .com
091607d9113b.lantzel .com
181607d9110c.lantzel .com
111007d9112c.lantzel .com
111207d9112c.lantzel .com
161607d9110d.lantzel .com
201607d9110e.lantzel .com
151207d9110f.lantzel .com
181607d9110f.lantzel .com
051107d9111f.lantzel .com
131507d91100.bourgum .com
231507d91130.bourgum .com
221207d91101.bourgum .com

211507d91131.bourgum .com
001307d91103.bourgum .com
231507d91133.bourgum .com
001107d91124.bourgum .com
081207d91134.bourgum .com
201307d91105.bourgum .com
121607d91115.bourgum .com
001307d91106.bourgum .com
021107d91126.bourgum .com
091207d91107.bourgum .com
221307d91107.bourgum .com
231107d91117.bourgum .com
201307d91108.bourgum .com
230907d91118.bourgum .com
121107d91128.bourgum .com
041107d91128.bourgum .com
211007d91138.bourgum .com
011207d91119.bourgum .com
021107d91129.bourgum .com

Naturally, the campaign isn't an isolated incident: previous "Facebook updated account agreement" themed campaigns used the same phone-back locations as the currently ongoing one.
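
The infection chain and the generated phone-back hostnames above lend themselves to a simple proxy-log check. The following is an added example, not code from the original post: it refangs the indicators as written here (the "domain .com" spacing used throughout), derives the subdomain label shape from the hostnames listed above (six digits, the literal "d9", four hex digits; that this is a stable bot-generated pattern is an assumption), and matches constructed proxy log lines against exact hosts, generated subdomains of the listed domains, and the bb.php/get.php/ldrN.exe beacon URL shapes.

```python
"""Match proxy traffic against the phone-back indicators and hostname pattern
from the "Your mailbox has been deactivated" campaign.

Added example, not code from the original post. Log lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators as written in the post; the author defangs with a space before
# the TLD / last octet ("koralda .com", "193.104.27 .91").
DEFANGED_IOCS = [
    "193.104.27 .91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581",
    "promed-net .com/css/abs.exe",
    "231307d91138.bauhath .com/get.php?c=QPTUDBSV&d=",
    "91.213.72 .51/ldr7.exe",
    "193.104.27 .42/lcc/ip2.gif",
    # phone-back domains parked on 94.75.221.76
    "koralda .com", "antiona .com", "lambrie .com", "bauhath .com",
    "agulhal .com", "lantzel .com", "bourgum .com",
]

# Every phone-back hostname in the post has the shape 231307d91138.<domain>:
# six decimal digits, the literal "d9", four hex digits. Assumption: the
# label is generated by the bot and stable enough to key a detection on.
GENERATED_LABEL = re.compile(r"\d{6}d9[0-9a-f]{4}")

# Beacon URL shapes seen in the chain: bb.php?id=..&v=..&tm=..&b=..,
# get.php?c=..&d= and the ldrN.exe second-stage download.
BEACON_PATH = re.compile(
    r"/(?:bb\.php\?id=\d+&v=\d+&tm=\d+&b=\d+|get\.php\?c=[A-Z]+&d=|ldr\d+\.exe)"
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator):
    """Undo the ' .' defanging so the indicator compares equal to live traffic."""
    return re.sub(r"\s+\.", ".", indicator.strip())


def split_url(url):
    """Return (lower-cased host, path with query) for a URL with or without scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or "").lower(), path


KNOWN_HOSTS = set()    # exact hosts and IPs from the post
KNOWN_DOMAINS = set()  # registered domains whose generated subdomains phone home
for _ioc in DEFANGED_IOCS:
    _host, _ = split_url(refang(_ioc))
    KNOWN_HOSTS.add(_host)
    if not IPV4.fullmatch(_host):
        KNOWN_DOMAINS.add(".".join(_host.split(".")[-2:]))


def classify(url):
    """Return the list of reasons a URL matches the campaign; empty if clean."""
    host, path = split_url(url)
    labels = host.split(".")
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known phone-back host")
    if (len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_DOMAINS
            and GENERATED_LABEL.fullmatch(labels[0])):
        reasons.append("generated subdomain of phone-back domain")
    if BEACON_PATH.search(path):
        reasons.append("Zeus-style beacon path")
    return reasons


# Constructed proxy log: epoch, client IP, method, URL, status (not real traffic).
SAMPLE_PROXY_LOG = """\
1258450001 10.0.0.15 GET http://www.example.com/index.html 200
1258450002 10.0.0.15 GET http://193.104.27.91/limpopo/bb.php?id=554275088&v=200&tm=8&b=4316315581&tid=11&r=1 200
1258450003 10.0.0.15 GET http://promed-net.com/css/abs.exe 200
1258450004 10.0.0.15 GET http://171507d91116.koralda.com/get.php?c=QPTUDBSV&d= 200
1258450005 10.0.0.22 GET http://www.example.org/css/style.css 200
"""


def scan_log(log_text):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The fourth constructed line hits on the label shape and the get.php beacon even though that exact hostname is nowhere in the post, which is the point of keying on the generator pattern rather than on the enumerated hostnames alone; keep the exact-host list as the high-confidence tier and treat the pattern match as a pivot to investigate.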

Related posts:
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style


Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising hundreds of thousands of web sites and redirecting Google visitors, through the standard HTTP Referer check, to scareware serving domains.

What's so special about the domains mentioned in Cyveillance's post, as well as the ones currently active on this campaign? It's the Koobface connection.

For instance, the ionisationtools .cn and moored2009 .cn redirectors, as well as the scareware serving domains premium-protection6 .com, file-antivirus3 .com, checkalldata .com, foryoumalwarecheck4 .com and antispy-scan1 .com mentioned in that post, are the same scareware redirectors and domains analyzed in part two of the Koobface Botnet's Scareware Business Model series. The identical structure on a sampled Koobface-infected host and a sampled compromised site can be seen in the attached screenshots.


The redirection "magic" takes place through what looks like a static css.js (detected as Trojan-Downloader.JS.FraudLoad) uploaded to all of the affected sites. The latest blackhat SEO campaign once again puts the Koobface gang in the spotlight of the underground multi-tasking that the majority of cybercriminals engage in these days.
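
A quick way to confirm that a site is cloaking on the referrer, as an added example (not the post's code and not the css.js it describes): fetch the page once directly and once with a Google search Referer and compare status and Location, then pull each external script and flag the ones that branch on document.referrer and assign location to an off-site URL. The HTTP client is injected, so the script runs offline here against a constructed fake site (compromised.example, cloaked.example, clean.example and redirector.example are placeholders); for a live check plug in urllib from an isolated analysis VM.

```python
"""Check a page for referrer-conditional redirection (blackhat SEO cloaking).

Added example, not the post's code and not the css.js it describes. The HTTP
client is injected, so the constructed fake site below lets it run offline."""
import re
from urllib.parse import urljoin, urlsplit

GOOGLE_REFERER = "http://www.google.com/search?q=federal+forms"

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
REFERRER_CHECK = re.compile(r"document\.referrer", re.I)
LOCATION_SET = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I
)


def fetch_views(url, fetch):
    """Fetch the URL once directly and once as if arriving from a Google search."""
    return {"direct": fetch(url, {}), "google": fetch(url, {"Referer": GOOGLE_REFERER})}


def server_side_cloaking(views):
    """Return the redirect target (or a status mismatch note) if the server
    answers differently depending on the Referer header, else None."""
    d_status, d_headers, _ = views["direct"]
    g_status, g_headers, _ = views["google"]
    if d_status == g_status and d_headers.get("Location") == g_headers.get("Location"):
        return None
    return g_headers.get("Location") or f"status {g_status} with referer vs {d_status} direct"


def suspicious_scripts(page_url, body, fetch):
    """Fetch each external script of the page and flag those that branch on
    document.referrer and assign location to a URL on another host."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in SCRIPT_SRC.findall(body):
        script_url = urljoin(page_url, src)
        status, _, js = fetch(script_url, {"Referer": page_url})
        if status != 200 or not REFERRER_CHECK.search(js):
            continue
        for target in LOCATION_SET.findall(js):
            if urlsplit(target).hostname not in (None, page_host):
                findings.append((script_url, target))
    return findings


def check(url, fetch):
    """Run both checks; fetch(url, headers) must return (status, headers, body)."""
    views = fetch_views(url, fetch)
    return {
        "server_side": server_side_cloaking(views),
        "client_side": suspicious_scripts(url, views["direct"][2], fetch),
    }


# --- constructed fake site standing in for a real HTTP client ------------------
HTML = {"Content-Type": "text/html"}
JS = {"Content-Type": "application/javascript"}
FAKE_SITE = {
    # compromised host: page is clean, the injected css.js does the referrer check
    "http://compromised.example/index.html": (200, HTML,
        '<html><head><script src="/css.js"></script></head>'
        '<body>Federal forms archive</body></html>'),
    "http://compromised.example/css.js": (200, JS,
        'if (document.referrer.indexOf("google") != -1) {'
        ' document.location.href = "http://redirector.example/in.cgi?4"; }'),
    # host that cloaks server-side (see fake_fetch)
    "http://cloaked.example/": (200, HTML, "<html><body>tax forms</body></html>"),
    # clean host with an ordinary script
    "http://clean.example/index.html": (200, HTML,
        '<html><head><script src="/app.js"></script></head><body>hi</body></html>'),
    "http://clean.example/app.js": (200, JS, "var ready = true;"),
}


def fake_fetch(url, headers):
    """Stand-in for urllib: returns (status, headers, body) from FAKE_SITE,
    emulating a server-side Referer check on cloaked.example."""
    if url == "http://cloaked.example/" and "google" in headers.get("Referer", ""):
        return 302, {"Location": "http://redirector.example/in.cgi?2"}, ""
    return FAKE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for site in ("http://compromised.example/index.html", "http://cloaked.example/",
                 "http://clean.example/index.html"):
        print(site, check(site, fake_fetch))
```

The script check is a string heuristic: an obfuscated FraudLoad-style loader will hide both document.referrer and the target, so a script that fetches fine but cannot be read should itself be treated as a finding and run in an instrumented browser. Some campaigns cloak on User-Agent (Googlebot) rather than Referer; the same two-fetch comparison applies with that header swapped in.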

Related posts:
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Monday, November 16, 2009

Keeping Money Mule Recruiters on a Short Leash


The money mule recruitment syndicate exposed in a previous post (Standardizing the Money Mule Recruitment Process), continues introducing new domains and re-branding the de-facto recruitment templates for a huge percentage of the currently active money mule recruitment scams.

Ironically, both the syndicate and its competition, the boutique money mule recruitment operations run by cybercriminals who would rather self-service than share stolen revenue with a third-party service provider, are using the copywriting and online brand management services of a single vendor.

It's time to expose the complete domain portfolio of one of that vendor's biggest customers, including both the domains introduced since the middle of summer 2009 and the most recent ones, all of which use or have used the services of AS38356.

Parked at 222.35.137.234; 222.35.137.235; 222.35.137.236; 222.35.137.237; 222.35.137.238 as of November 18 are the following money mule recruitment domains:
affina-groupsvc .cc - Email: justin_dickerson@ymail.com
altgroupco .cn - Email: abuseemaildhcp@gmail.com
alt-groupco .net - Email: MarcusStraker909@gmail.com
annuity-groupnet .cc - Email: justin_dickerson@ymail.com
archway-groupinc .cn - Email: abuseemaildhcp@gmail.com
armor-groupco .cc - Email: defrankpo@gmail.com
ava-group .cc - Email: Gregory.Michell2009@yahoo.com
ava-group .cn - Email: Gregory.Michell2009@yahoo.com
ava-groupsvc .cc - Email: Gregory.Michell2009@yahoo.com
avagroupsvc .cn - Email: Gregory.Michell2009@yahoo.com
bfs-groupinc .cc - Email: defrankpo@gmail.com
braingroupmain .cn - Email: abuseemaildhcp@gmail.com
brain-groupsvc .cn - Email: abuseemaildhcp@gmail.com
ccn-groupco .cn - Email: Gregory.Michell2009@yahoo.com
cdi-groupmain .cn - Email: garry_honn@yahoo.com
cosco-groupmain .cn - Email: andrew_cc@yahoo.com
criscom-group .cc - Email: Gregory.Michell2009@yahoo.com
criscomgroupco .cn - Email: Gregory.Michell2009@yahoo.com
criscom-groupinc .cc - Email: Gregory.Michell2009@yahoo.com
cronos-group .net - Email: MarcusStraker909@gmail.com
cronos-groupinc .cn - Email: abuseemaildhcp@gmail.com
cronos-groupinc .com - Email: bias@co5.ru
cronosgroupsvc .cn - Email: abuseemaildhcp@gmail.com
dove-groupli .cn - Email: abuseemaildhcp@gmail.com
entrustgroup .cn - Email: moldavimo@safe-mail.net
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com
fairline-group .cn - Email: Gregory.Michell2009@yahoo.com
flatgroupfly .cc - Email: steven_lucas_2000@yahoo.com
full-controll .cc - Email: morgan.greg@yahoo.com

geniouspartner .cn - Email: morgan.greg@yahoo.com
holding-group .cn - Email: ronny.greg@yahoo.com
igt-groupco .cn - Email: abuseemaildhcp@gmail.com
igtgroupinc .cn - Email: abuseemaildhcp@gmail.com
igt-groupinc .com - Email: feet@freemailbox.ru
index-groupinc .cn - Email: abuseemaildhcp@gmail.com
index-groupinc .com - Email: taffy@blogbuddy.ru
indexgroupinc .net - Email: MarcusStraker909@gmail.com
index-groupmain .cn - Email: abuseemaildhcp@gmail.com
ing-groupsvc .cn - Email: admin@emerge-groupnet.cn
integrity-groupinc .cc - Email: justin_dickerson@ymail.com
invalda-groupli .cn - Email: rocco_invalda@yahoo.com
invalda-groupmain .cn - Email: rocco_invalda@yahoo.com
invalda-groupmain .com - Email: chum@cheapmail.ru
landgroupinc .cn - Email: abuseemaildhcp@gmail.com
landgroupinc .net - Email: MarcusStraker909@gmail.com
land-groupsvc .cn - Email: abuseemaildhcp@gmail.com
land-groupsvc .com - Email: bias@co5.ru
libertygroup .cc - Email: LindseyKimSI@gmail.com
lime-groupnet .cn - Email: abuseemaildhcp@gmail.com
lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com
margin-groupco .cn - Email: Gregory.Michell2009@yahoo.com
margingroupinc .cn - Email: regory.Michell2009@yahoo.com
massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com
mastergroupinc .cn - Email: abuseemaildhcp@gmail.com
master-groupinc .com - Email: taffy@blogbuddy.ru
master-groupsvc .cn - Email: taffy@blogbuddy.ru
mellis-group .cn - Email: abuseemaildhcp@gmail.com
mellis-groupmain .cn - Email: abuseemaildhcp@gmail.com

mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com
nvidia-groupnet .cn - Email: Gregory.Michell2009@yahoo.com
nvidia-groupsvc .cn - Email: Gregory.Michell2009@yahoo.com
opm-groupli .com - Email: entrap@namebanana.net
phoenix-groupco .net - Email: MarcusStraker909@gmail.com
phoenix-groupmain .cn - Email: abuseemaildhcp@gmail.com
premier-groupinc .cn - Email: abuseemaildhcp@gmail.com
premier-groupinc .com - Email: gone@corporatemail.ru
premier-groupnet .cc - Email: justin_dickerson@ymail.com
prime-groupco .cn - Email: abuseemaildhcp@gmail.com
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com
puritan-groupco .cc - Email: justin_dickerson@ymail.com
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .com - Email: gone@corporatemail.ru
realtek-groupnet .cn - Email: Gregory.Michell2009@yahoo.com
realtekgroupsvc .cn - Email: Gregory.Michell2009@yahoo.com
reddbutton .cn - Email: morgan.greg@yahoo.com
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com
redeye-groupinc .cn - Email: abuseemaildhcp@gmail.com
regency-groupco .com - Email: gone@corporatemail.ru
regency-groupnet .cc - Email: justin_dickerson@ymail.com

regency-groupnet .cn - Email: abuseemaildhcp@gmail.com
safegroupsvc .cn - Email: Gregory.Michell2009@yahoo.com
saturn-groupsvc .cn - Email: darry_wisp@yahoo.com
scope-group .cn - Email: don.ram@yahoo.com
scope-groupmain .cc - Email: darry_wisp@yahoo.com
scope-groupmain .cn - Email: abuseemaildhcp@gmail.com
stargroupinc .cn - Email: abuseemaildhcp@gmail.com
star-groupinc .net - Email: MarcusStraker909@gmail.com
star-groupsvc .cn - Email: abuseemaildhcp@gmail.com
star-groupsvc .com - Email: taffy@blogbuddy.ru
summit-groupinc .cn - Email: Gregory.Michell2009@yahoo.com
theblackend .cn - Email: morgan.greg@yahoo.com
totallysmiled .cn - Email: morgan.greg@yahoo.com
vector-groupfine .cn - Email: justin_dickerson@ymail.com
vision-groupinc .cc - Email: vision-groupinc.cc
vision-groupsvc .com - Email: gone@corporatemail.ru
windcontrol .cc - Email: morgan.greg@yahoo.com

Nothing's isolated, everything's connected, and sadly orchestrated by a very distinct set of cybercrime enterprises, the market share leaders.

Related posts:
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

Wednesday, November 11, 2009

Koobface Botnet's Scareware Business Model - Part Two

UPDATED - Wednesday, November 18, 2009: A new update is being pushed to the hundreds of thousands of infected hosts, which now perform the redirection using dynamically generated .swf files, with every page using the same title "Wonderful Video". The redirection itself is still a relatively static process.

For instance, if the original koobface redirector is koobface.infected.host/301, followed by the .swf redirection it will output koobface.infected.host/301/?go.

New redirectors and scareware domains pushed within the past few hours include:
everlastmovie .cn - Email: gmk2000@yahoo.com
smile-life .cn - Email: gmk2000@yahoo.com
harry-pott .cn - Email: gmk2000@yahoo.com
beprotected9 .com - Email: essi@calinsella.eu
antivir3 .com - Email: essi@calinsella.eu

UPDATED - Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103, which had been taken offline for a short period of time. The ISP has been notified again; action should be taken shortly. The current domain portfolio parked there, including new domains:

ereuqba .cn - Email: spscript@hotmail.com
eqoxyda .cn - Email: spscript@hotmail.com
evouga .cn - Email: spscript@hotmail.com
edivuka .cn - Email: spscript@hotmail.com
ebeama .cn - Email: spscript@hotmail.com
kebugac .cn - Email: spscript@hotmail.com
eqoabce .cn - Email: spscript@hotmail.com
kixyhce .cn - Email: spscript@hotmail.com
cecyde .cn - Email: spscript@hotmail.com
evybine .cn - Email: spscript@hotmail.com
eqaone .cn - Email: spscript@hotmail.com
dyqunre .cn - Email: spscript@hotmail.com
byzivte .cn - Email: spscript@hotmail.com
dovzyag .cn - Email: spscript@hotmail.com
ebeozag .cn - Email: spscript@hotmail.com
cafgouh .cn - Email: spscript@hotmail.com
kebfoki .cn - Email: spscript@hotmail.com
ebogumi .cn - Email: spscript@hotmail.com
dyzani .cn - Email: spscript@hotmail.com
dybapi .cn - Email: spscript@hotmail.com
dusyti .cn - Email: spscript@hotmail.com
dutsyvi .cn - Email: spscript@hotmail.com
dutfij .cn - Email: spscript@hotmail.com
bysivak .cn - Email: spscript@hotmail.com
eqiovak .cn - Email: spscript@hotmail.com

cecxoyk .cn - Email: spscript@hotmail.com
dyqkuam .cn - Email: spscript@hotmail.com
edamym .cn - Email: spscript@hotmail.com
eqibuym .cn - Email: spscript@hotmail.com
ducyqan .cn - Email: spscript@hotmail.com
duzebyn .cn - Email: spscript@hotmail.com
etyawjo .cn - Email: spscript@hotmail.com
cerdiko .cn - Email: spscript@hotmail.com
erauso .cn - Email: spscript@hotmail.com
etuacwo .cn - Email: spscript@hotmail.com
etuexyp .cn - Email: spscript@hotmail.com
etywuq .cn - Email: spscript@hotmail.com
ebejar .cn - Email: spscript@hotmail.com
ebiuhas .cn - Email: spscript@hotmail.com
dozabes .cn - Email: spscript@hotmail.com
eqoybu .cn - Email: spscript@hotmail.com
eviyzru .cn - Email: spscript@hotmail.com
evaopsu .cn - Email: spscript@hotmail.com
ebaetu .cn - Email: spscript@hotmail.com
dytrevu .cn - Email: spscript@hotmail.com
eboezu .cn - Email: spscript@hotmail.com
eruqav .cn - Email: spscript@hotmail.com
eqoumiv .cn - Email: spscript@hotmail.com
epuneyv .cn - Email: spscript@hotmail.com
etykauw .cn - Email: spscript@hotmail.com
ebeoxuw .cn - Email: spscript@hotmail.com
eqidax .cn - Email: spscript@hotmail.com
evaolux .cn - Email: spscript@hotmail.com
cafropy .cn - Email: spscript@hotmail.com
etyupy .cn - Email: spscript@hotmail.com
kebquty .cn - Email: spscript@hotmail.com
cakevy .cn - Email: spscript@hotmail.com
eqouwy .cn - Email: spscript@hotmail.com
epuvyiz .cn - Email: spscript@hotmail.com 

UPDATED - Monday, November 16, 2009: The Koobface gang is pushing a new update, followed by a new portfolio of scareware redirectors and actual scareware serving domains.

New portfolio of redirectors parked at 91.213.126.250:
befree2 .cn - Email: gmk2000@yahoo.com
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be
moored2009 .cn - Email: cael@newstile.it
pica-pica .cn - Email: cael@newstile.it
stroboscopicmovie .cn - Email: cael@newstile.it
comedienne .cn - Email: admin@calen.be
furorcorner .cn - Email: cael@newstile.it
ionisationtools .cn - Email: guzimi@brendymail.de
wax-max .cn - Email: cael@newstile.it
plate-tracery .cn - Email: guzimi@brendymail.de
little-bitty .cn - Email: admin@calen.be
night-whale .cn - Email: admin@calen.be
scary-scary .cn - Email: gmk2000@yahoo.com

Second redirectors portfolio at 91.213.126.102:
disorganization000 .cn - Email: guzimi@brendymail.de
rainbowlike .cn - Email: HuiYingTsui@airways.au
skewercall .cn - Email: HuiYingTsui@airways.au
wegenerinfo .cn - Email: guzimi@brendymail.de
kangaroocar .cn - Email: HuiYingTsui@airways.au
pericallis .cn - Email: HuiYingTsui@airways.au
treasure-planet .cn - Email: guzimi@brendymail.de
genusbiz .cn - Email: HuiYingTsui@airways.au

Currently pushing scareware from primescan1 .com - 83.133.124.149; 91.213.126.103; 83.133.119.84; 85.12.24.13. Sampled scareware phones back to windowsupdate8 .com/download/timesroman.tif - 88.198.105.145 and angle-meter .com/?b=1 (safewebnetwork .com) - 92.48.119.36.

More scareware domains are parked on the same IPs:
yourantivira7 .com - Email: j.wirth@smsdetective.com
web-scanm .com - Email: essi@calinsella.eu
yourantivira3 .com (wwwsecurescana1 .com) - Email: j.wirth@smsdetective.com
primescan8 .com
online-check-v11 .com
antivir-scan1 .com - Email: contact@armadastate.us
antispy-scan1 .com - Email: contact@armadastate.us
primescan1 .com
checkforspyware2 .com - Email: admin@calen.be
pc-antispyware3 .com - Email: contact@spaintours.com
premium-protection6 .com - Email: contact@spaintours.com
antivir7 .com - Email: admin@maternitycloth.eu
online-check-v7 .com
beprotected8 .com - Email: admin@maternitycloth.eu
pc-antispyware9 .com - Email: contact@spaintours.com
online-check-v9 .com
checkfileshere .com - Email: admin@calen.be
scanfileshere .com - Email: admin@calen.be
antivir-scano .com - Email: contact@armadastate.us
check-files-now .com - Email: admin@calen.be
antivir-scanz .com - Email: contact@armadastate.us
antispy-scanz .com - Email: contact@armadastate.us

ISPs contributing to the monetization of Koobface have been notified.

UPDATE: 91.212.107.103 has been taken offline courtesy of Blue Square Data Group Services Limited (previous cooperation also took place within a 3 hour period), with the Koobface gang migrating scareware operations to 93.174.95.191 (AS29073, ECATEL-AS, Ecatel Network) and 188.40.52.181; 188.40.52.180 (AS24940, HETZNER-AS, Hetzner Online AG RZ). Both ISPs have been notified.

The .info scareware domain portfolio will be suspended within the next 24 hours.

Ali Baba and the 40 thieves LLC, a.k.a. my Ukrainian "fan club", the one with the Bahama botnet connection, the recent malvertising attacks connection, and the current market leader in blackhat search engine optimization campaigns, has been keeping itself busy over the past couple of weeks, continuing to add layers of legitimacy to its campaigns (bit.ly redirectors to blogspot.com accounts leading to compromised hosts). This proves that if a cybercrime enterprise wants to, it can run its malicious operations on the shoulders of legitimate service providers, using them as a "virtual human shield" in order to continue operating without fear of retribution.

Over the past two weeks, the Koobface gang once again indicated that it reads my blog, "appreciates" the ways I undermine the monetization element of their campaigns, and next to redirecting Facebook's entire IP space to my blog, they've also, for the first time ever, moved from using my name in their redirectors, to typosquatting it.

For instance, the -- now suspended -- Koobface domain pancho-2807 .com is registered to Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to Vancho Vanchev, vanchovanchev@mail.ru. As always, I'm totally flattered, and I'm still in a "stay tuned" mode for my very own branded scareware release - the Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Cyber Protection Scanner 2010.

It's time to summarize some of the Koobface gang's recent activities: establish a direct connection with the Bahama botnet and with the Ukrainian dating scam agency Confidential Connections, whose botnet operations were linked to money mule recruitment scams, with active domains from their affiliate network parked at Koobface-connected scareware serving domains, and note that they are all responding to an IP involved in the ongoing U.S. Federal Forms themed blackhat SEO campaign. It couldn't get any uglier.

Recently the gang has migrated to a triple layer of legitimate infrastructure: bit.ly redirectors leading to automatically registered Blogspot accounts, which redirect to Koobface-infected hosts that serve the Koobface binary and then redirect to a periodically updated scareware domain. Here are some of the domains involved.

Ongoing campaign dynamically generating bit.ly URLs redirecting to automatically registered Blogspot accounts, using the following URLs:
bit.ly /VumFK -> drbryanferazzoli .blogspot.com
bit.ly /lJcK3 -> toyetoyebalnaja .blogspot.com
bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com
bit.ly /2wuSPj -> kelakelamccovery .blogspot.com
bit.ly /2Pnn8l -> pattyedevero .blogspot.com
bit.ly /1HDmbm -> malinegainey-green .blogspot.com
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com
bit.ly /46pcCI -> paulangelogaetano .blogspot.com
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com
bit.ly /2h7XRU -> shunnarahamandla .blogspot.com
bit.ly /3Zj98G -> schubachmarquis .blogspot.com
bit.ly /1sXgRH -> nicnicmiralles .blogspot.com
bit.ly /3eijza -> froneksaxxon .blogspot.com
bit.ly /1I3rr7 -> attreechappy .blogspot.com
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com
bit.ly /30wcJn -> raheelanucci .blogspot.com
bit.ly /2U7jYM -> orvelorvelblues .blogspot.com
bit.ly /1CWOlZ -> kondrackinehemias .blogspot.com
bit.ly /1qbXsi -> lizzamottymotty .blogspot.com
bit.ly /79ONz -> rayvongonsalves .blogspot.com
bit.ly /22Jyex -> klaartjebjorgvinsson .blogspot.com
bit.ly /p07jC -> humphriesteelateela .blogspot.com
bit.ly /2lpZXx -> kalandraaleisha .blogspot.com

The Blogspot accounts consist of a single post containing an automatically syndicated news item. Where the previous campaign relied on 25+ Koobface-infected IPs embedded directly in the Blogspot pages, this one relies on a single URL which attempts to connect to any of the Koobface-infected IPs embedded in it. The currently active campaign redirects to rainbowlike .cn/?pid=312s02&sid=4db12f, which then redirects to the scareware domain secure-your-files .com; the sample phones back to forbes-2009 .com/?b=1s1 - 113.105.152.230, with another domain parked there, activate-antivirus .com - Email: support@personal-solutions.com.
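
Following the triple layer end to end by hand is tedious; the added example below (not the post's code) walks a redirect chain statically, honouring 3xx Location headers, meta refresh and simple JavaScript location assignments, labels each hop (shortener, free blog, bare-IP host, .cn redirector, landing page) and stops on loops or on an opaque Flash response, which is what the "Wonderful Video" .swf redirectors from the November 18 update return. The responses are constructed: the bit.ly and Blogspot hop mirror the first entry in the list above, the infected host is the documentation address 192.0.2.10, and labelling .cn hosts as redirectors is an assumption specific to this campaign.

```python
"""Walk a redirect chain statically and label each hop.

Added example, not the post's code. Responses below are constructed; the
infected host uses the documentation address 192.0.2.10, and the hop labels
(free blog, .cn redirector, ...) are assumptions specific to this campaign."""
import re
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def hop_kind(url):
    """Coarse label for a hop, keyed on the host only."""
    host = urlsplit(url).hostname or ""
    if host in SHORTENERS:
        return "shortener"
    if host.endswith(".blogspot.com"):
        return "free-blog"
    if IPV4.fullmatch(host):
        return "bare-ip"          # Koobface-infected hosts are reached by IP
    if host.endswith(".cn"):
        return "redirector"       # assumption: this campaign's .cn traffic directors
    return "landing"


def next_location(url, status, headers, body):
    """Where this response sends the browser next, or None if it cannot be
    determined statically (final page, or an opaque Flash redirector)."""
    if 300 <= status < 400 and headers.get("Location"):
        return urljoin(url, headers["Location"])
    if "shockwave-flash" in headers.get("Content-Type", ""):
        return None
    match = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, match.group(1)) if match else None


def walk(start, fetch):
    """Return the list of hops from start, stopping on loops, depth or dead ends.
    fetch(url, headers) must return (status, headers, body)."""
    chain, seen, url = [], set(), start
    while url and len(chain) < MAX_HOPS:
        if url in seen:
            chain.append({"url": url, "kind": "loop"})
            break
        seen.add(url)
        status, headers, body = fetch(url, {})
        hop = {"url": url, "status": status, "kind": hop_kind(url)}
        if "shockwave-flash" in headers.get("Content-Type", ""):
            hop["note"] = "Flash redirector; needs dynamic analysis"
        chain.append(hop)
        url = next_location(url, status, headers, body)
    return chain


# --- constructed responses (not captured traffic) ------------------------------
HTML = {"Content-Type": "text/html"}
FAKE = {
    "http://bit.ly/VumFK": (301, {"Location": "http://drbryanferazzoli.blogspot.com/"}, ""),
    "http://drbryanferazzoli.blogspot.com/": (200, HTML,
        '<html><body><p>syndicated news item</p>'
        '<script>window.location = "http://192.0.2.10/301";</script></body></html>'),
    "http://192.0.2.10/301": (200, HTML,
        '<html><head><title>Wonderful Video</title>'
        '<meta http-equiv="refresh" content="0;url=/301/?go"></head></html>'),
    "http://192.0.2.10/301/?go": (302, {"Location": "http://rainbowlike.cn/?pid=312s02&sid=4db12f"}, ""),
    "http://rainbowlike.cn/?pid=312s02&sid=4db12f": (302, {"Location": "http://secure-your-files.com/"}, ""),
    "http://secure-your-files.com/": (200, HTML, "<html><body>Your computer is infected!</body></html>"),
    # the .swf variant from the November 18 update: nothing to follow statically
    "http://192.0.2.11/301": (200, {"Content-Type": "application/x-shockwave-flash"}, "FWS"),
    # two hosts bouncing to each other
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}, ""),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}, ""),
}


def fake_fetch(url, headers):
    """Stand-in for a real HTTP client; serves the constructed responses above."""
    return FAKE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop in walk("http://bit.ly/VumFK", fake_fetch):
        print(hop)
```

Run against live infrastructure only from a disposable analysis host, since the bare-IP hop serves the Koobface binary itself; the walker never executes anything, but the Flash hop shows its limit, and a .swf redirector has to be handled in an instrumented browser or by decompiling the file.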

Time to expose the entire portfolio of scareware domains pushed by the gang, and to offer some historical OSINT data on their activities that was not publicly released until enough connections between multiple campaigns had been established. Which ISPs are currently offering hosting services for the scareware domain portfolio pushed by the Koobface gang? The current portfolio is parked at 206.217.201.245 (AS36351, SOFTLAYER Technologies Inc.; surprise, surprise!), 212.117.174.19 (AS44042, ROOT eSolutions; surprise, surprise part two) and 91.212.226.155 (AS44042, ROOT eSolutions).

Scareware redirectors parked at 91.213.126.102:
rainbowlike .cn - Email: HuiYingTsui@airways.au
authorized-payments .com - Email: degrysemario@googlemail.com
poltergeist2000 .cn - Email: nfrank@flamcon.com.cn
sestiad2 .cn - Email: PietroToscani@celli.it
uninformed2 .cn - Email: PietroToscani@celli.it
retrocession2 .cn - Email: PietroToscani@celli.it
unimpressible3 .cn - Email: PietroToscani@celli.it
uncrown3 .cn - Email: PietroToscani@celli.it
sneak-peak .cn - Email: info@Milwaukee911.com
cellostuck .cn - Email: info@Milwaukee911.com
stinkingthink .cn - Email: nfrank@flamcon.com.cn
skewercall .cn - Email: HuiYingTsui@airways.au
be-spoken .cn - Email: info@Milwaukee911.com
transmitteron .cn - Email: nfrank@flamcon.com.cn
kangaroocar .cn - Email: HuiYingTsui@airways.au
pericallis .cn - Email: HuiYingTsui@airways.au
exponentials .cn - Email: info@Milwaukee911.com
triforms .cn - Email: info@Milwaukee911.com
outperformoly .cn - Email: nfrank@flamcon.com.cn
genusbiz .cn - Email: HuiYingTsui@airways.au

Scareware domains parked at 206.217.201.245; 212.117.174.19 and 91.212.226.155:
anti-malware-scan-for-you .com - Email: information@brunter.sw
available-scanner .com - Email: m.smith@Recruiters.com
bewareofspyware .com - Email: m.smith@Recruiters.com
defender-scan-for-you .com - Email: information@brunter.sw
defender-scan-for-you3 .com - Email: informatio@belize.ca
foryoumalwarecheck .com - Email: information@brunter.sw
friends-protection .com - Email: m.smith@Recruiters.com
further-scan .com - Email: m.smith@Recruiters.com
goodonlineprotection .com - Email: info@time.co.uk
good-scans .com - Email: m.smith@Recruiters.com
guidetosecurity3 .com - Email: info@time.co.uk
howtocleanpc2 .com - Email: admin@gnar-star.com
howtoprotectpc3 .com - Email: admin@gnar-star.com
howtosecure2 .com - Email: admin@gnar-star.com
howtosecurea .com - Email: admin@gnar-star.com
how-to-secure-pc2 .com - Email: admin@gnar-star.com
protection-secrets .com - Email: info@time.co.uk
scan-for-you .com - Email: information@brunter.sw
scannerantimalware2 .com
scannerantimalware4 .com
scannerantimalware6 .com
secure-your-data0 .com - Email: spradlin@carrental.com
secure-your-files .com - Email: spradlin@carrental.com
security-guide5 .com - Email: JohnnySMcmillan@yahoo.com
security-info1 .com - Email: JohnnySMcmillan@yahoo.com
security-tips3 .com - Email: info@time.co.uk
security-tools4 .com - Email: JohnnySMcmillan@yahoo.com
webviruscheck1 .com
webviruscheck-4 .com
webviruscheck5 .com

Let us further expand the portfolio by listing the newly introduced scareware domains at 91.212.107.103, which was first mentioned in part one of the Koobface Botnet's Scareware Business Model as a centralized hosting location for the gang's portfolio.

Scareware domains parked at 91.212.107.103:
g-antivirus .com - Email: mhbilate@gmail.com
generalantivirus .com - Email: compalso@gmail.com
general-antivirus .com - Email: abuse@domaincp.net.cn
general-av .com - Email: mhbilate@gmail.com
generalavs .com - Email: mhbilate@gmail.com
gobackscan .com - Email: alcnafuch@gmail.com
gobarscan .com - Email: jowimpee@gmail.com
godeckscan .com - Email: quetotator@gmail.com
godirscan .com - Email: momorule@gmail.com
godoerscan .com - Email: geofishe@gmail.com
goeachscan .com - Email: momorule@gmail.com
goeasescan .com - Email: geofishe@gmail.com
gofatescan .com - Email: alcnafuch@gmail.com
gofowlscan .com - Email: stinfins@gmail.com
gohandscan .com - Email: quetotator@gmail.com
goherdscan .com - Email: jowimpee@gmail.com
goironscan .com - Email: aloxier@gmail.com
gojestscan .com - Email: jowimpee@gmail.com
golimpscan .com - Email: stinfins@gmail.com
golookscan .com - Email: stinfins@gmail.com
gomendscan .com - Email: gleyersth@gmail.com
gomutescan .com - Email: momorule@gmail.com
gonamescan .com - Email: geofishe@gmail.com
goneatscan .com - Email: momorule@gmail.com
gopickscan .com - Email: momorule@gmail.com
gorestscan .com - Email: quetotator@gmail.com
goroomscan .com - Email: gleyersth@gmail.com
gosakescan .com - Email: stinfins@gmail.com
goscanadd .com - Email: momorule@gmail.com
goscanback .com - Email: alcnafuch@gmail.com
goscanbar .com - Email: jowimpee@gmail.com
goscancode .com - Email: geofishe@gmail.com
goscandeck .com - Email: geofishe@gmail.com
goscandir .com - Email: crschuma@gmail.com
goscandoer .com - Email: crschuma@gmail.com
goscanease .com - Email: crschuma@gmail.com
goscanfowl .com - Email: stinfins@gmail.com
goscanhand .com - Email: quetotator@gmail.com
goscanherd .com - Email: jowimpee@gmail.com
goscanjest .com - Email: jowimpee@gmail.com
goscanlike .com - Email: geofishe@gmail.com
goscanlimp .com - Email: stinfins@gmail.com
goscanmend .com - Email: gleyersth@gmail.com
goscanname .com - Email: crschuma@gmail.com
goscanneat .com - Email: crschuma@gmail.com
goscanpick .com - Email: crschuma@gmail.com
goscanref .com - Email: quetotator@gmail.com
goscanrest .com - Email: quetotator@gmail.com
goscanroom .com - Email: gleyersth@gmail.com
goscansake .com - Email: stinfins@gmail.com
goscanslip .com - Email: jowimpee@gmail.com
goscansole .com - Email: crschuma@gmail.com
goscantoil .com - Email: jowimpee@gmail.com
goscantrio .com - Email: crschuma@gmail.com
goscanxtra .com - Email: crschuma@gmail.com
gosolescan .com - Email: geofishe@gmail.com
gotoilscan .com - Email: jowimpee@gmail.com
gotrioscan .com - Email: momorule@gmail.com
gowellscan .com - Email: stinfins@gmail.com
goxtrascan .com - Email: momorule@gmail.com
iantiviruspro .com - Email: broderma@gmail.com
iantivirus-pro .com - Email: feetecho@gmail.com
ia-pro .com - Email: abuse@domaincp.net.cn
iav-pro .com - Email: mcgettel@gmail.com
in5ch .com - Email: getoony@gmail.com
in5cs .com - Email: getoony@gmail.com
in5ct .com - Email: phounkey@gmail.com
in5id .com - Email: getoony@gmail.com
in5it .com - Email: phounkey@gmail.com
in5iv .com - Email: phounkey@gmail.com
in5st .com - Email: getoony@gmail.com
inavpro .com - Email: thdunnag@gmail.com
scanatom6 .com - Email: sckimbro@gmail.com
windoptimizer .com - Email: wousking@gmail.com
wopayment .com - Email: broderma@gmail.com
woptimizer .com - Email: broderma@gmail.com

cafropy .cn - Email: spscript@hotmail.com
cakevy .cn - Email: spscript@hotmail.com
dotqyuw .cn - Email: spscript@hotmail.com
dovnaji .cn - Email: spscript@hotmail.com
dovzyag .cn - Email: spscript@hotmail.com
dozabes .cn - Email: spscript@hotmail.com
ducyqan .cn - Email: spscript@hotmail.com
duvaba .cn - Email: spscript@hotmail.com
duvegy .cn - Email: spscript@hotmail.com
duwbiec .cn - Email: spscript@hotmail.com
duxsoez .cn - Email: spscript@hotmail.com
duzebyn .cn - Email: spscript@hotmail.com
dybapi .cn - Email: spscript@hotmail.com
dyqkuam .cn - Email: spscript@hotmail.com
dyqunre .cn - Email: spscript@hotmail.com
dytrevu .cn - Email: spscript@hotmail.com
dyzani .cn - Email: spscript@hotmail.com
ebaetu .cn - Email: spscript@hotmail.com
ebeoxuw .cn - Email: spscript@hotmail.com
ebeozag .cn - Email: spscript@hotmail.com
edoqeg .cn - Email: spscript@hotmail.com
epuneyv .cn - Email: spscript@hotmail.com
epuvyiz .cn - Email: spscript@hotmail.com

eqadozu .cn - Email: spscript@hotmail.com
eqaofed .cn - Email: spscript@hotmail.com
eqaone .cn - Email: spscript@hotmail.com
eqayweh .cn - Email: spscript@hotmail.com
eqibuym .cn - Email: spscript@hotmail.com
eqidax .cn - Email: spscript@hotmail.com
eqiovak .cn - Email: spscript@hotmail.com
eqoabce .cn - Email: spscript@hotmail.com
eqoumiv .cn - Email: spscript@hotmail.com
erauso .cn - Email: spscript@hotmail.com
ereuqba .cn - Email: spscript@hotmail.com
erujale .cn - Email: spscript@hotmail.com
eruqav .cn - Email: spscript@hotmail.com
esuteyb .cn - Email: spscript@hotmail.com
etuacwo .cn - Email: spscript@hotmail.com
etuexyp .cn - Email: spscript@hotmail.com
etyawjo .cn - Email: spscript@hotmail.com
etykauw .cn - Email: spscript@hotmail.com
evaolux .cn - Email: spscript@hotmail.com
evaopsu .cn - Email: spscript@hotmail.com
keturma .cn - Email: spscript@hotmail.com
kevsopi .cn - Email: spscript@hotmail.com
kijxayt .cn - Email: spscript@hotmail.com
kiluxso .cn - Email: spscript@hotmail.com
kipuxo .cn - Email: spscript@hotmail.com
kirdabe .cn - Email: spscript@hotmail.com
kiwraux .cn - Email: spscript@hotmail.com
kixyhce .cn - Email: spscript@hotmail.com

adjudg .info - Email: deciable@gmail.com
afront .info - Email: calexing@gmail.com
anprun .info - Email: deciable@gmail.com
apalet .info - Email: deciable@gmail.com
argier .info - Email: stthatch@gmail.com
asbro .info - Email: recuscon@gmail.com
atquit .info - Email: recuscon@gmail.com
atwain .info - Email: deciable@gmail.com
bagse .info - Email: calexing@gmail.com
bedaub .info - Email: jaohra@gmail.com
bedrid .info - Email: magoetzim@gmail.com
beeves .info - Email: piproux@gmail.com
besort .info - Email: jaohra@gmail.com
bettev .info - Email: recuscon@gmail.com
bettre .info - Email: phvandiv@gmail.com
birnam .info - Email: jaohra@gmail.com
botled .info - Email: deciable@gmail.com
brawns .info - Email: calexing@gmail.com
brisky .info - Email: recuscon@gmail.com
camlet .info - Email: enomman@gmail.com
caretz .info - Email: piproux@gmail.com
cheir .info - Email: jaohra@gmail.com
cuique .info - Email: calexing@gmail.com
daphni .info - Email: calexing@gmail.com

deble .info - Email: bebrashe@gmail.com
debuty .info - Email: stthatch@gmail.com
declin. info - Email: stthatch@gmail.com
devicel .info - Email:stthatch@gmail.com
dislik. info - Email: krharbou@gmail.com
dolchi. info - Email: stthatch@gmail.com
dolet. info - Email: magoetzim@gmail.com
dolet. info - Email: magoetzim@gmail.com
droope .info - Email: deciable@gmail.com
empery .info - Email: phvandiv@gmail.com
engirt .info - Email: jaohra@gmail.com
eratile .info - Email: magoetzim@gmail.com
erpeer .info - Email: deciable@gmail.com
evyns. info - Email: magoetzim@gmail.com
exampl .info - Email: krharbou@gmail.com
extrip .info - Email: piproux@gmail.com
fatted .info - Email: stthatch@gmail.com
fedar. info - Email: phvandiv@gmail.com
fifthz .info - Email: stthatch@gmail.com
figgle .info - Email: deciable@gmail.com
fliht .info - Email: krharbou@gmail.com
fosset .info - Email: deciable@gmail.com
freckl .info - Email: stthatch@gmail.com
freiny. info - Email: krharbou@gmail.com

froday. info - Email: deciable@gmail.com
fulier. info - Email: deciable@gmail.com
gaudad .info - Email: enomman@gmail.com
gelded. info - Email: stthatch@gmail.com
gicke .info - Email: magoetzim@gmail.com
girded .info - Email: jaohra@gmail.com
goterm .info - Email: calexing@gmail.com
guiany. info - Email: krharbou@gmail.com
haere .info - Email: deciable@gmail.com
hilloa. info - Email: phvandiv@gmail.com
holdit. info - Email: stthatch@gmail.com
hownet .info - Email: stthatch@gmail.com
ignomy. info - Email: jaohra@gmail.com
implor. info - Email: jaohra@gmail.com
inclin. info - Email: grattab@gmail.com
inquir .info - Email: stthatch@gmail.com
jorgan .info - Email: bebrashe@gmail.com
kedder .info - Email: enomman@gmail.com
knivel .info - Email: deciable@gmail.com
krapen .info - Email: deciable@gmail.com
lavolt .info - Email: jaohra@gmail.com
lavyer .info - Email: bebrashe@gmail.com

lequel .info - Email: acjspain@gmail.com
lowatt .info - Email: krharbou@gmail.com
meanly.info - Email: krharbou@gmail.com
meyrie.info - Email: piproux@gmail.com
midid .info - Email: magoetzim@gmail.com
miloty .info - Email: stthatch@gmail.com
mobled .info - Email: magoetzim@gmail.com
monast. info - Email: phvandiv@gmail.com
moont. info - Email: magoetzim@gmail.com
narowz .info - Email: enomman@gmail.com
nevils .info - Email: stthatch@gmail.com
nnight .info - Email: piproux@gmail.com
nroof .info - Email: krharbou@gmail.com
numben .info - Email: deciable@gmail.com
obsque .info - Email: jaohra@gmail.com
octian .info - Email: jaohra@gmail.com
odest. info - Email: phvandiv@gmail.com
onclew .info - Email: phvandiv@gmail.com
orifex .info - Email: krharbou@gmail.com
orodes .info - Email: deciable@gmail.com
outliv .info - Email: stthatch@gmail.com

pante .info - Email: jaohra@gmail.com
pasio .info - Email: jaohra@gmail.com
pittie. info - Email: stthatch@gmail.com
plamet .info - Email: stthatch@gmail.com
plazec. info - Email: bebrashe@gmail.com
potinz. info - Email: stthatch@gmail.com
pplay. info - Email: jaohra@gmail.com
pretia .info - Email: krharbou@gmail.com
quoifs. info - Email: enomman@gmail.com
qward. info - Email: enomman@gmail.com
raught .info - Email: piproux@gmail.com
realfly .info - Email: phvandiv@gmail.com
reglet. info - Email: stthatch@gmail.com
rogero .info - Email: stthatch@gmail.com
sallut. info - Email: deciable@gmail.com
sawme .info - Email: stthatch@gmail.com
scarre .info - Email: enomman@gmail.com
scrowl. info - Email: enomman@gmail.com
sigeia. info - Email: krharbou@gmail.com
sighal. info - Email: stthatch@gmail.com
speen. info - Email: enomman@gmail.com
spelem .info - Email: bebrashe@gmail.com
spinge. info - Email: krharbou@gmail.com
squach. info - Email: krharbou@gmail.com

stampo. info - Email: enomman@gmail.com
steepy. info - Email: stthatch@gmail.com
strawy. info - Email: jaohra@gmail.com
suivez. info - Email: krharbou@gmail.com
sundery .info - Email: phvandiv@gmail.com
surnam. info - Email: krharbou@gmail.com
swoln. info - Email: acjspain@gmail.com
swoons .info - Email: enomman@gmail.com
taulus. info - Email: jaohra@gmail.com
tenshy. info - Email: stthatch@gmail.com
tented. info - Email: deciable@gmail.com
ticedu. info - Email: enomman@gmail.com
tithed. info - Email: bebrashe@gmail.com
topful. info - Email: jaohra@gmail.com
unclin. info - Email: stthatch@gmail.com
undeaf. info - Email: enomman@gmail.com
unowed. info - Email: enomman@gmail.com
unwept. info - Email: stthatch@gmail.com
usicam. info - Email: stthatch@gmail.com
vagrom. info - Email: bebrashe@gmail.com
veldun. info - Email: jaohra@gmail.com
vipren. info - Email: calexing@gmail.com
voided. info - Email: krharbou@gmail.com
volsce. info - Email: krharbou@gmail.com
washy. info - Email: phvandiv@gmail.com
wincot. info - Email: enomman@gmail.com
wiving. info - Email: enomman@gmail.com
wooer. info - Email: jaohra@gmail.com
xonker. info - Email: jaohra@gmail.com 

Historical OSINT of Koobface scareware activity over a period of two weeks
The following is a snapshot of Koobface scareware activity during the last two weeks, establishing a direct connection between the Koobface botnet, the ongoing blackhat SEO campaigns, the Bahama botnet (whose scareware samples modify HOSTS files), and a Ukrainian dating scam agency, where the gang appears to be part of an affiliate network.

Scareware samples pushed by Koobface, with associated detection rates:

Download locations of the actual scareware binary used over the past two weeks:

What's the deal with the historical OSINT and why wasn't this data communicated right away? Keep reading.

The Bahama Botnet Connection
During September, the folks at ClickForensics made an interesting observation regarding my Ukrainian "fan club" and Bahama, the ad-revenue-stealing, click-fraud-committing botnet: some of the scareware samples were modifying the HOSTS file and presenting the victim with "one of those cybercrime-friendly search engines", stealing revenue in the process.

Once I had established the same connection at a later stage, data released in regard to the New York Times malvertising attack once again revealed a connection between all the campaigns: the very same domains used to serve the scareware were also used in a blackhat SEO campaign which I analyzed a week before the incident took place. Basically, the scareware pushed by the Koobface botnet, as well as the scareware pushed by the blackhat SEO campaigns maintained by the gangs, is among the several propagation approaches used for the DNS record poisoning to take place:

"However, in the case of the Bahama Botnet, this DNS translation method gets corrupted.  The Bahama botnet malware causes the infected computer to mistranslate a domain name.  Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it as 64.86.17.56. That number doesn’t represent any computer owned by Google.  Instead, it represents a computer located in Canada.  When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher.  

Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not.  A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not.  Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred."

The 64.86.17.56 mentioned above sits in AS30407 (Velcom), which has also been used in recent campaigns.

ISPs and domain registrars have been notified; action should be taken shortly. What was particularly interesting to observe was that scareware pushed by the Koobface botnet, phoning back to its well-known urodinam .net/8732489273.php location, was also modifying the HOSTS file in the following way. Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by Koobface:
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.fr
89.149.210.109 www.google.co.uk
89.149.210.109 www.google.com.br
89.149.210.109 www.google.it
89.149.210.109 www.google.es
89.149.210.109 www.google.co.jp
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca
89.149.210.109 www.google.com.au
89.149.210.109 www.google.nl
89.149.210.109 www.google.co.za
89.149.210.109 www.google.be
89.149.210.109 www.google.gr
89.149.210.109 www.google.at
89.149.210.109 www.google.se
89.149.210.109 www.google.ch
89.149.210.109 www.google.pt
89.149.210.109 www.google.dk
89.149.210.109 www.google.fi
89.149.210.109 www.google.ie
89.149.210.109 www.google.no
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com
89.149.210.109 uk.search.yahoo.com


Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by blackhat SEO:
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
64.86.16.97 google.ae
64.86.16.97 google.as
64.86.16.97 google.at
64.86.16.97 google.az
64.86.16.97 google.ba
64.86.16.97 google.be
64.86.16.97 google.bg
64.86.16.97 google.bs
64.86.16.97 google.ca
64.86.16.97 google.cd
64.86.16.97 google.com.gh
64.86.16.97 google.com.hk
64.86.16.97 google.com.jm
64.86.16.97 google.com.mx
64.86.16.97 google.com.my
64.86.16.97 google.com.na
64.86.16.97 google.com.nf
64.86.16.97 google.com.ng
64.86.16.97 google.ch
64.86.16.97 google.com.np
64.86.16.97 google.com.pr
64.86.16.97 google.com.qa
64.86.16.97 google.com.sg
64.86.16.97 google.com.tj
64.86.16.97 google.com.tw
64.86.16.97 google.dj
64.86.16.97 google.de
64.86.16.97 google.dk
64.86.16.97 google.dm
64.86.16.97 google.ee
64.86.16.97 google.fi
64.86.16.97 google.fm
64.86.16.97 google.fr
64.86.16.97 google.ge
64.86.16.97 google.gg
64.86.16.97 google.gm
64.86.16.97 google.gr
64.86.16.97 google.ht
64.86.16.97 google.ie
64.86.16.97 google.im
64.86.16.97 google.in
64.86.16.97 google.it
64.86.16.97 google.ki
64.86.16.97 google.la
64.86.16.97 google.li
64.86.16.97 google.lv
64.86.16.97 google.ma
64.86.16.97 google.ms
64.86.16.97 google.mu
64.86.16.97 google.mw
64.86.16.97 google.nl
64.86.16.97 google.no
64.86.16.97 google.nr
64.86.16.97 google.nu
64.86.16.97 google.pl
64.86.16.97 google.pn
64.86.16.97 google.pt
64.86.16.97 google.ro
64.86.16.97 google.ru
64.86.16.97 google.rw
64.86.16.97 google.sc
64.86.16.97 google.se
64.86.16.97 google.sh
64.86.16.97 google.si
64.86.16.97 google.sm
64.86.16.97 google.sn
64.86.16.97 google.st
64.86.16.97 google.tl
64.86.16.97 google.tm
64.86.16.97 google.tt
64.86.16.97 google.us
64.86.16.97 google.vu
64.86.16.97 google.ws
64.86.16.97 google.co.ck
64.86.16.97 google.co.id
64.86.16.97 google.co.il
64.86.16.97 google.co.in
64.86.16.97 google.co.jp
64.86.16.97 google.co.kr
64.86.16.97 google.co.ls
64.86.16.97 google.co.ma
64.86.16.97 google.co.nz
64.86.16.97 google.co.tz
64.86.16.97 google.co.ug
64.86.16.97 google.co.uk
64.86.16.97 google.co.za
64.86.16.97 google.co.zm
64.86.16.97 google.com
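As an added example (not code from the original post), a small Python checker that parses a HOSTS file like the two samples above and reports every search-engine hostname pinned to a non-loopback address, grouped by the sink address; the embedded HOSTS text is a constructed subset of the entries shown, and the watched-pattern list is an assumption.

```python
"""Flag HOSTS-file entries that pin search-engine domains to a remote sink.

Added example, not code from the original post. It parses HOSTS text the
way the resolver does (first field address, remaining fields hostnames,
'#' starts a comment), ignores loopback pins (a legitimate blocking
technique) and groups the remaining watched hostnames by the address they
are pinned to, which is the signature of the Bahama-style redirection
described above. SAMPLE_HOSTS is a constructed subset of the two samples
shown in the post plus the default entries a clean file carries.
"""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
::1             localhost
89.149.210.109 www.google.com
89.149.210.109 www.google.co.uk
89.149.210.109 search.yahoo.com
64.86.16.97 google.com
64.86.16.97 google.de
74.125.45.100 securitysoftwarepayments.com
"""

# Substrings of hostnames a workstation has no business pinning in HOSTS;
# search engines are what the Bahama botnet hijacks for click fraud.
# The list is an assumption for this example; extend it for your estate.
WATCHED_PATTERNS = ("google.", "search.yahoo.", "bing.")


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a usable entry
        for host in fields[1:]:
            yield addr, host.lower()


def nonlocal_entries(text):
    """All entries that send traffic somewhere other than the local host."""
    return [(str(addr), host) for addr, host in parse_hosts(text)
            if not (addr.is_loopback or addr.is_unspecified)]


def is_watched(host):
    return any(pattern in host for pattern in WATCHED_PATTERNS)


def find_hijacks(text):
    """Map each sink address to the watched hostnames pinned to it."""
    hits = defaultdict(list)
    for addr, host in nonlocal_entries(text):
        if is_watched(host):
            hits[addr].append(host)
    return dict(hits)


def summarize(text):
    """Per sink address, how many watched hostnames it collects."""
    return {addr: len(hosts) for addr, hosts in find_hijacks(text).items()}


if __name__ == "__main__":
    hijacks = find_hijacks(SAMPLE_HOSTS)
    for addr in sorted(hijacks):
        print(f"{addr} collects {len(hijacks[addr])} search host(s): "
              + ", ".join(hijacks[addr]))
    # Non-search pins (the payment-page entries) still deserve a look.
    extra = [e for e in nonlocal_entries(SAMPLE_HOSTS) if not is_watched(e[1])]
    print(f"{len(extra)} other non-local entries: {extra}")
```

The payment-processor pins in the blackhat SEO sample are not search engines, so they surface only through nonlocal_entries, which is why the checker reports both views.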


The historical OSINT section above mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains that were part of a Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit-serving domains at 195.88.190.247, to participate in phishing campaigns, and to register a money mule recruitment site for the non-existent Allied Insurance LLC (Allied Group, Inc.).

Now that's a multi-tasking underground enterprise, isn't it? The ISPs have been notified; domain suspension is pending.
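The registrant-email and IP overlaps walked through in this section, as an added example (not the post's own tooling): a Python script that parses records in the post's "domain .tld - IP - Email:" layout and reports which emails and IPs tie more than one campaign together. The records are constructed from values quoted in the post; the two "placeholder-*" domain names are assumptions standing in for sites the post mentions but does not name.

```python
"""Pivot de-fanged domain records on registrant e-mail and hosting IP.

Added example, not code from the original post. It parses records in the
"domain .tld - IP - Email: address" layout used throughout the post
(several domains may share one line, separated by ';', and the IP is
optional), re-joins the de-fanged domains, indexes them by registrant
e-mail and by IP, and reports the pivots whose domains span more than one
campaign label. RECORDS is constructed; the two 'placeholder-*' domains
stand in for sites the post describes but does not name.
"""
import re
from collections import defaultdict

RECORD_RE = re.compile(
    r"^(?P<domains>.+?)"
    r"(?: - (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r" - Email:\s*(?P<email>\S+)$"
)

# (campaign label, record line). Constructed from values quoted in the post.
RECORDS = [
    ("scareware", "safetyscantool .com - 62.90.136.237 - Email: Suzanne.R.Muniz@trashymail.com"),
    ("scareware", "securitycheckwest .com; webbiztest .com - Email: Ruthie.R.Wilcox@mailinator.com"),
    ("dating-scam", "love-isaclick .com - 62.90.136.237 - Email: potenciallio@safe-mail.net"),
    ("dating-scam", "andiloveyoutoo .com - Email: menorst10@yahoo.com"),
    # Placeholder domain names: the post gives the IP and e-mail only.
    ("exploit-serving", "placeholder-exploit-site .net - 195.88.190.247 - Email: potenciallio@safe-mail.net"),
    ("mule-recruitment", "placeholder-allied-insurance .com - Email: potenciallio@safe-mail.net"),
]


def refang(domain):
    """'love-isaclick .com' -> 'love-isaclick.com'."""
    return re.sub(r"\s+", "", domain).lower()


def parse_record(line):
    """Return (domains, ip_or_None, email) for one record line."""
    match = RECORD_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised record: {line!r}")
    domains = [refang(d) for d in match.group("domains").split(";")]
    return domains, match.group("ip"), match.group("email").lower()


def build_indexes(records):
    """Return (by_email, by_ip); each maps a pivot key to {(label, domain)}."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for label, line in records:
        domains, ip, email = parse_record(line)
        for domain in domains:
            by_email[email].add((label, domain))
            if ip:
                by_ip[ip].add((label, domain))
    return dict(by_email), dict(by_ip)


def cross_campaign_pivots(index):
    """Pivot keys whose domains belong to more than one campaign label."""
    result = {}
    for key, entries in index.items():
        labels = sorted({label for label, _ in entries})
        if len(labels) > 1:
            result[key] = labels
    return result


if __name__ == "__main__":
    by_email, by_ip = build_indexes(RECORDS)
    for key, labels in cross_campaign_pivots(by_email).items():
        print(f"e-mail {key} links: {', '.join(labels)}")
    for key, labels in cross_campaign_pivots(by_ip).items():
        print(f"IP {key} links: {', '.join(labels)}")
```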

Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Tuesday, November 03, 2009

Pricing Scheme for a DDoS Extortion Attack


With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware-infected hosts, it is fairly logical to assume that the "on demand DDoS" business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group specializing exclusively in DDoS attacks is today a cybercrime enterprise "vertically integrating" in order to occupy as many underground market segments as possible, all of which originally developed thanks to the "malicious economies of scale" offered by a botnet (massive SQL injections through search engine reconnaissance, a standardized social engineering process, a standardized money mule recruitment process, diversification of the well-proven propagation/infection vectors, etc.).

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let's discuss one of those groups, which has been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees to a 30% discount on DDoS for hire against their competitors (a discount available only to victims who have actually paid the 10,000 rubles monthly extortion fee in the first place), this gang even includes links to the web sites of Russia's Federal Security Service (FSB) and Russia's Ministry of the Interior, "in order to make it easy for the victims to contact law enforcement".

Sample DDoS extortion letter:
"Hello. If you want to keep your site operational, you must pay us 10 000 rubles monthly. Attention! Starting from DATE your site will be subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact companies involved in protection against DDoS attacks and they begin to block our bots, we will increase the number of bots to 50 000, and protection against 50 000 bots is very, very expensive.

The 1st payment (10 000 rubles) must be made no later than DATE. All subsequent payments (10 000 rubles) must be made no later than the 31st (30th) day of each month, starting from August 31. A late payment penalty of 100% will be charged for each day of delay.

For example, if you do not manage to make the payment on the last day of the month, then after 1 day you will have to pay a 100% fine, i.e. 20 000 rubles. If you pay only on the 2nd day of the month, it will be 30 000 rubles, etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees also apply to your first payment - no later than DATE.

You will also receive several bonuses.
1. A 30% discount if you request a DDoS attack on your competitors/enemies. The fair market value of a DDoS attack on a simple site is about $100 per night; for you it will cost only $70 per day.
2. If your competitors/enemies turn to us to attack your site, we will refuse them.

Payment must be made to our Yandex.Money purse number 41001474323733. Every month the purse number will be different, so be careful. Read about how to use Yandex.Money at www.money.yandex.ru. If you want to go to law enforcement agencies, we will not discourage you. We will even give you their contacts: www.fsb.ru, www.mvd.ru"

It's also worth pointing out that a huge number of "boutique vendors" of DDoS services remain reluctant to initiate DDoS attacks against governments or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of "aggregate-and-forget" botnets, assembled exclusively for customer-tailored propositions: they would inevitably get detected and shut down, but end up harder to trace back to the original source than if the requested high-profile target were DDoSed from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due to the numerous monetization models that cybercriminals have developed - for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.

Related posts:
Botnet Communication Platforms
Custom DDoS Capabilities Within a Malware
A New DDoS Malware Kit in the Wild
Botnet on Demand Service
The DDoS Attack Against CNN.com
A Botnet Master's To-Do List
Custom DDoS Attacks Within Popular Malware Diversifying
Using Market Forces to Disrupt Botnets
Web Based Botnet Command and Control Kit 2.0
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The DDoS Attack Against Bobbear.co.uk
Russian Homosexual Sites Under (Commissioned) DDoS Attack


Monday, November 02, 2009

Summarizing Zero Day's Posts for October

The following is a brief summary of all of my posts at ZDNet's Zero Day for October.

You can also go through previous summaries, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Does software piracy lead to higher malware infection rates? and New LoroBot ransomware encrypts files, demands $100 for decryption.

01. MS Security Essentials test shows 98% detection rate for 545k malware samples
02. Weak passwords dominate statistics for Hotmail's phishing scheme leak
03. Click fraud facilitating Bahama botnet steals ad revenue from Google
04. New Koobface campaign spoofs Adobe's Flash updater
05. Does software piracy lead to higher malware infection rates?
06. Commonwealth fined $100k for not mandating antivirus software
07. 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
08. Fake 'Conflicker.B Infection Alert' spam campaign drops scareware
09. Gawker Media tricked into featuring malicious Suzuki ads
10. New LoroBot ransomware encrypts files, demands $100 for decryption
11. Spooky Halloween - scareware or crimeware?
12. Phishing experiment sneaks through all anti-spam filters


Tuesday, October 27, 2009

Ongoing FDIC Spam Campaign Serves Zeus Crimeware

UPDATED - Wednesday, October 28, 2009: A "New Facebook Login System" spam campaign is in circulation, launched by the same botnet. Sampled updatetool.exe once again interacts with the Zeus command and control at 193.104.27.42.

Message sample 01: "In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below."

Message sample 02: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"


Participating fast-fluxed domains include:
New DNS servers of notice:
An ongoing spam campaign impersonating the Federal Deposit Insurance Corporation is attempting to drop Zeus samples by enticing users into installing pdf.exe and word.exe.

"Subject: FDIC has officially named your bank a failed bank

Body: You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage."

The sampled malware obtains Zeus crimeware from a known command and control location (193.104.27.42), already blacklisted by the Zeus Tracker. The campaign is related to the periodic "Microsoft Outlook Update" campaigns, since both have been sharing fast-flux infrastructure on the same infected hosts, using identical domains.

Fast-fluxed domains participating in the FDIC spam campaign:
DNS servers of notice:
The phoneback location 193.104.27.42 at AS12604, maintained by Kamushnoy Vladimir Vasulyovich (info@ctgm.info; vla.kam@ctgm.info, with ctgm.info responding to 91.213.72.1), is the second Zeus command and control IP within the netblock, followed by 193.104.27.90.

Related posts:
Fake Microsoft patches themed malware campaigns spreading
Fake Microsoft patch malware campaign makes a comeback
The Multitasking Fast-Flux Botnet that Wants to Bank With You
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet


Wednesday, October 21, 2009

Koobface Botnet Redirects Facebook's IP Space to my Blog



Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP 302 "Moved Temporarily" responses, in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.


The result? Earlier this morning, I noticed over 7,000 unique visits coming from Facebook Inc's IP space, with active, automatically registered blogspot accounts that are part of the Koobface botnet as HTTP referrers (New Koobface campaign spoofs Adobe's Flash updater); the botnet is now officially relying on already infected hosts for the CAPTCHA recognition process. At first I thought the Koobface gang had embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The complete list of the automatically registered blogspot accounts, of whose existence Google's security team has already been notified, is as follows:



The Koobface gang's use of basic blackhat SEO principles such as content cloaking is identical to their previous attempts to cover up their malicious activities: serving the malicious content only to requests carrying a pre-defined set of HTTP referrers from public search engines, or arriving through particular redirectors, so that the infection takes place for end users but not for anyone else.
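The effect described above, a flood of visits from one crawler's IP range whose referrers are throwaway blogspot subdomains, is visible in ordinary web server logs. The following is an added example (not code from the original post) that parses Apache "combined" log lines and flags blogspot referrers that sent several distinct IPs from a given crawler range; the crawler range, the user agent and the sample log lines are all constructed, and the range is a documentation prefix, not a real Facebook netblock.

```python
import re
import ipaddress
from collections import defaultdict

# Apache "combined" log format. Pattern and sample lines are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical link-preview crawler range (documentation prefix, NOT a real Facebook range).
CRAWLER_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample log: four crawler hits with blogspot referrers, one crawler hit
# with no referrer, and one ordinary visitor arriving from a search engine.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Oct/2009:06:01:12 +0000] "GET / HTTP/1.1" 200 5120 "http://anyauujteykbrlzyt.blogspot.com/" "LinkPreviewBot/1.0"
203.0.113.11 - - [21/Oct/2009:06:01:13 +0000] "GET / HTTP/1.1" 200 5120 "http://anyauujteykbrlzyt.blogspot.com/" "LinkPreviewBot/1.0"
203.0.113.12 - - [21/Oct/2009:06:01:15 +0000] "GET / HTTP/1.1" 200 5120 "http://hz560607.blogspot.com/" "LinkPreviewBot/1.0"
203.0.113.13 - - [21/Oct/2009:06:03:01 +0000] "GET / HTTP/1.1" 200 5120 "http://hz560607.blogspot.com/" "LinkPreviewBot/1.0"
203.0.113.14 - - [21/Oct/2009:06:03:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "LinkPreviewBot/1.0"
198.51.100.7 - - [21/Oct/2009:06:02:40 +0000] "GET /2009/10/post.html HTTP/1.1" 200 8800 "http://www.google.com/search?q=koobface" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Extract the lowercased host part of an HTTP referrer URL ('' for '-' or garbage)."""
    m = re.match(r"^https?://([^/]+)", referer)
    return m.group(1).lower() if m else ""


def find_redirect_floods(log_text, crawler_net=CRAWLER_NET, min_unique_ips=2):
    """Map each blogspot referrer host to the number of distinct crawler-range IPs
    that arrived through it, keeping only hosts at or above min_unique_ips."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        if ip not in crawler_net:
            continue  # only traffic from the crawler's own range is of interest
        host = referer_host(rec["referer"])
        if host.endswith(".blogspot.com"):
            hits[host].add(ip)
    return {h: len(ips) for h, ips in hits.items() if len(ips) >= min_unique_ips}
```

On the sample data both blogspot hosts are reported with two distinct crawler IPs each, while the empty referrer and the search-engine visitor are ignored.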

Stay tuned for more developments on the Ali Baba and the 40 Thieves LLC front, a.k.a. my Ukrainian "fan club". The circle is almost complete; a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 


Tuesday, October 20, 2009

Scareware Serving Conficker.B Infection Alerts Spam Campaign

A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (back then using the scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com) is once again circulating in an attempt to trick users into installing an "antispyware application", in this case the Antivirus Pro 2010 scareware.

This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware.

The following is an extensive list of the domains involved in the campaigns:

Despite the comprehensive portfolio of domains used, relying on spam to increase revenue from scareware sales is prone to fail, in this specific case due to the lack of an event-based social engineering theme, something that was present in the first campaign.

Related posts:
Conficker's Scareware/Fake Security Software Business Model
Koobface Botnet's Scareware Business Model


Wednesday, October 14, 2009

Koobface Botnet Dissected in a TrendMicro Report

I'd like to thank the folks at TrendMicro for mentioning, in a new report entitled The Heart of Koobface - C&C and Social Network Propagation, the message inserted by the Koobface gang (more love on a first-name basis from them) within their command and control infrastructure for nine days, greeting me for systematically kicking them out of their ISPs and suspending their command and control domains:

"This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown attempts initiated by Internet service providers (ISPs) and members of the security industry, the KOOBFACE gang realized the need for a more robust C&C infrastructure. 

Thus, on July 19, 2009, the KOOBFACE writers implemented a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of their C&C should another takedown be attempted. A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message (see below) for one of the security researchers tracking the malware’s domain activities.

This message run lasted nine days from July 22 to July 30, 2009. Based on this incident, we can safely assume that the KOOBFACE gang has been monitoring blogs, articles, write-ups, and analyses about their handiwork and was probably also keeping tabs on the various solutions deployed to counter the botnet’s attacks. Second, these people were thus quick to act and fix their creation’s weaknesses, as evidenced by its change in infrastructure. Finally, the botnet’s creators were bold enough to send taunting messages to security researchers."

Having the Koobface gang kicked out of their ISPs in 48 hours through close cooperation with China's CERT; BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web Solutions Llc; Telos-Solutions-AS/Telos Solutions LTD, resulted in a single command and control domain which was active and using the services of UKSERVERS-MNT (AS42831), 78.110.175.15 in particular. Simply put, the Koobface botnet and the hundreds of thousands of infected hosts were not just sitting ducks, but ducks who've fallen asleep in the middle of the hunting season.

It's important to point out that the company (UKSERVERS-MNT) deliberately lied that the customer had been taken offline, allowed the Koobface gang to access the server since the gang claimed "it's a compromised customer and needs to clean-up the mess", and then deliberately stopped responding to the smoothly running data sharing process, thereby allowing the Koobface gang to put their contingency plan in place.

The bottom line - based on already published and to-be-published assessments of this group's activities, the Koobface botnet appears to be only the tip of the iceberg for the Ali Baba and the 40 Thieves cybercrime enterprise -- a self-describing name included by the Koobface gang in its message. Their activities also prove a point - a single cybercrime enterprise can efficiently and automatically dominate the entire Web 2.0 threatscape, if they want to.

Related posts:
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 
