Tuesday, February 09, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Two

With money mule recruitment syndicates continuing to expand their geographically diverse inventories of gullible mules, keeping their operations on a short leash is becoming a tradition. What the non-existent organizations profiled in this post have in common with the ones profiled before is the vendor of the money mule recruitment creative: thanks to his standardization of the recruitment process, anyone willing to invest a modest amount of money can start recruiting.

Despite the ongoing mix of abusing legitimate infrastructure (Web 2.0 services, dedicated hosting within legitimate ISPs - Tweet 1; Tweet 2; Tweet 3; Tweet 4; Tweet 5; Tweet 6) and using purely malicious infrastructure, centralization of cybercrime operations is still an inseparable part of the cybercrime ecosystem.

Case in point is AS47560 - VESTEH-NET-as Vesteh LLC, where the cybercriminals have chosen to host not only their money mule recruitment domain portfolio, but also the actual Zeus crimeware command and control servers. Convenient for them, but a minimalistic OPSEC attitude that increases their exposure: a single network block now ties the recruitment front-ends to the banking trojan whose proceeds the mules are recruited to launder.

The newly introduced money mule recruitment domains rely on the same DIY web interface and the same "payment processing agent" agreement seen in previous campaigns. What naturally changes are the web page layouts, combined with a new description of the non-existent company. Here's a sample from the currently active ones:

"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions".

The fact that money mule recruiters aggregate contact details from career building web sites isn't new -- see "Major career web sites hit by spammers attack". Here is the sample letter emailed to a prospective money mule, who spotted the scam and avoided it:


"After reviewing your resume online we have decided to propose you a Payment Processing Agent vacancy.

My name is Sarah Forbes and I'm working at SUCCESS Group Inc. Our company is a well-known one. It was founded in the USA and deals mainly with recruitment of IT professionals. The job we offer is a part-time position with a flexible schedule. On average the working hours are 2-3 hours a day (Monday through Friday). Our job requirements: Internet access and e-mail. Successful applicants are offered a probationary period (30 days). All agents get a training and online support. We evaluate the employees at least one week prior to the end of their trial period. NOTE: During the probationary period termination can be recommended by the supervisor.

The pay is $2,300 per month during the Trial Period + 8% commission from each successfully handled payment. Total income is about $4,500 per month. After the first 30 days your base salary will be increased up to $3,000 a month. NOTE: After the probationary period you may request additional assignments or proceed a full-time. If you are interested in the offer, please, contact me at success.sarah.forbes@googlemail.com for the details.

_________FORM_______FORM________FORM_________
First name:______________________
Last name:___________________
Country of residence:___________________
Contact phone:_______________
Preferred catime: _______________
_________FORM_______FORM________FORM____________

Our representatives will reply within 48 hours. NOTE: This is not a sales position.

Sincerely,

Sarah Forbes
SUCCESS Group Inc
job@success-groupinc.tw
Phone: 1-585-267-5988
Fax: 1-585-672-6137"


Let's expose the domain portfolios in question.

Active money mule recruitment sites parked within AS47560 - VESTEH-NET-as Vesteh LLC, at 91.200.164.18; 91.200.164.19; 91.200.164.20; 91.200.164.21; and 91.200.164.22 in particular:
aurora-groupco .tw - Email: dodo@fastermail.ru
aurora-groupco .ws - Email: info@gtec.ru
aurora-groupinc .tw - Email: cents@qx8.ru
aurora-groupinc .ws - Email: info@gtec.ru
bear-groupco .ws - Email: info@gtec.ru
bear-groupinc .ws - Email: info@gtec.ru
citizen-groupco .tw - Email: sane@qx8.ru
citizen-groupco .ws - Email: info@gtec.ru
citizengroupinc .ws - Email: info@gtec.ru
citizen-groupsvc .tw - Email: frown@fastermail.ru
classic-groupco .ws - Email: info@gtec.ru
classicgroupinc .ws - Email: info@gtec.ru
classic-groupsvc .tw - Email: haste@fastermail.ru
excel-groupco .tw - Email: thaws@bigmailbox.ru
excel-groupinc .tw - Email: thaws@bigmailbox.ru
excel-groupinc .ws - Email: info@gtec.ru
financial-groupco .tw - Email: think@maillife.ru
financial-groupco .ws - Email: info@gtec.ru
financial-groupinc .tw - Email: sane@qx8.ru
financial-groupsvc .ws - Email: info@gtec.ru
market-vision .tw - Email: place@bigmailbox.ru
market-visioninc .ws - Email: info@gtec.ru
measure-groupco .tw - Email: cents@qx8.ru
measure-groupco .ws - Email: info@gtec.ru
measure-groupinc .tw - Email: cents@qx8.ru
measure-groupinc .ws - Email: info@gtec.ru
millennium-groupco .tw - Email: thaws@bigmailbox.ru
millennium-groupinc .ws - Email: info@gtec.ru
millennium-groupsvc .tw - Email: thaws@bigmailbox.ru
millennium-groupsvc .ws - Email: info@gtec.ru
nuris-groupco .tw - Email: rips@fastermail.ru
nuris-groupco .ws - Email: info@gtec.ru
nuris-groupinc .tw - Email: rips@fastermail.ru
nuris-groupinc .ws - Email: info@gtec.ru
render-groupco .tw - Email: muggy@freenetbox.ru
success-groupco .ws - Email: info@gtec.ru

Naturally, it gets even more interesting, with AS47560 - VESTEH-NET-as Vesteh LLC acting as a good example of a cybercrime-friendly virtual neighborhood. Not only are the cybercriminals hosting the money mule recruitment sites there, but a decent number of Zeus crimeware C&Cs and client-side exploit serving campaigns are currently active there as well.

Zeus C&Cs active at 91.200.164.44, whose front pages return "dsfkgjk rgkj":
justinnew1 .com - Email: 3242dswewrf@yahoo.com
justinnew2 .com - Email: 3242dswewrf@yahoo.com
justinnew3 .com - Email: 3242dswewrf@yahoo.com
justinnew4 .com - Email: 3242dswewrf@yahoo.com
justinnew5 .com - Email: 3242dswewrf@yahoo.com
justinnew6 .com - Email: 3242dswewrf@yahoo.com
justinnew7 .com - Email: 3242dswewrf@yahoo.com
justinnew8 .com - Email: 3242dswewrf@yahoo.com
justinnew9 .com - Email: 3242dswewrf@yahoo.com
justinnew10 .com - Email: 3242dswewrf@yahoo.com
justinnew11 .com - Email: 3242dswewrf@yahoo.com
justinnew12 .com - Email: 3242dswewrf@yahoo.com
justinnew13 .com - Email: 3242dswewrf@yahoo.com
justinnew14 .com - Email: 3242dswewrf@yahoo.com
justinnew15 .com - Email: 3242dswewrf@yahoo.com
justinnew16 .com - Email: 3242dswewrf@yahoo.com
justinnew17 .com - Email: 3242dswewrf@yahoo.com
justinnew18 .com - Email: 3242dswewrf@yahoo.com
justinnew19 .com - Email: 3242dswewrf@yahoo.com
justinnew20 .com - Email: 3242dswewrf@yahoo.com
justinnew21 .com - Email: 3242dswewrf@yahoo.com
justinnew22 .com - Email: 3242dswewrf@yahoo.com
justinnew23 .com - Email: 3242dswewrf@yahoo.com
justinnew24 .com - Email: 3242dswewrf@yahoo.com

Historical OSINT of live exploit serving and malware phone-back locations parked at 91.200.164.44:
abecedarian .in - Email: jobmasterx@yahoo.com
absinthial .in - Email: jobmasterx@yahoo.com
acarine .in - Email: jobmasterx@yahoo.com
aeruginous .in - Email: jobmasterx@yahoo.com
agrestic .in - Email: jobmasterx@yahoo.com
alveolate .in - Email: jobmasterx@yahoo.com
anaclastic .in - Email: jobmasterx@yahoo.com
anatine .in - Email: jobmasterx@yahoo.com
anconoid .in - Email: jobmasterx@yahoo.com
ancoral .in - Email: jobmasterx@yahoo.com
anserine .in - Email: jobmasterx@yahoo.com
archididascalian .in - Email: jobmasterx@yahoo.com
arietine .in - Email: jobmasterx@yahoo.com
babied .in - Email: jobmasterx@yahoo.com
baffled .in - Email: jobmasterx@yahoo.com
banal .in - Email: jobmasterx@yahoo.com
barren .in - Email: jobmasterx@yahoo.com
battle-worn .in - Email: jobmasterx@yahoo.com
bawled .in - Email: jobmasterx@yahoo.com
beatific .in - Email: jobmasterx@yahoo.com
beckoned .in - Email: jobmasterx@yahoo.com
betonomeshalkatraktor .in - Email: ynetsw@gmail.com
fcaliber65 .in - Email: wert32@rambler.ru
humpiii1 .in - Email: wert32@rambler.ru
izyvecheniy0tragladit .in - Email: ynetsw@gmail.com
lifeberyt .in - Email: wert32@rambler.ru
marrychristmasforyou .com - ACTIVE
marrychristmasforyou .net - ACTIVE
my1stdomain .in - Email: wert32@rambler.ru
pingcrews .in - Email: jobmasterx@yahoo.com
razymniygluk .in - Email: ynetsw@gmail.com
rescservuce .in - Email: wert32@rambler.ru

Name servers of note:
dns1.yekt.net - 67.15.47.189
ns1.trythisok.cn - 89.248.166.45 - Email: chunk@qx8.ru
ns1.basilkey.ws - 89.248.166.45 - Email: info@gtec.ru
ns2.maninwhite.cc - 38.99.169.210 - Email: duly@fastermail.ru
ns2.mythinregion.ws - Email: info@gtec.ru
ns2.partytimee.cn - 38.99.169.208 - Email: chunk@qx8.ru
ns3.cnnandpizza.cc - 195.182.57.36 - Email: bears@fastermail.ru
ns3.partymorning.ws - 94.23.114.71 - Email: info@gtec.ru

Take a look at the routing graph for a moment. Who do we have here? Our "dear friends" at AS5577 ROOT eSolutions (also seen here; here; here; here; here and here) acting as an upstream node for an ever expanding portfolio of malicious customers, with AS50215 Troyak-as Starchenko Roman Fedorovich, part of the Pushdo crimeware and client-side exploit serving campaigns, second in the list.

AS47560 - VESTEH-NET-as Vesteh LLC has been notified; awaiting a response/take down reaction, or the lack of such.

Related coverage of money laundering in the context of cybercrime:
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, February 03, 2010

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang


With scareware/rogueware/fake security software continuing to be the cash-cow of choice for the Koobface gang, keeping them on a short leash, so that takedowns become the biggest opportunity cost in the gang's business model, is crucial. The following are currently active blackhat SEO redirectors, redirectors embedded at Koobface-infected hosts, and the actual scareware domains, courtesy of the gang.

Blackhat SEO redirectors, also embedded at Koobface-infected hosts, all carrying the identical redirector ID (?pid=312s02&sid=4db12f):
vincentvangoghsite .com - 96.44.128.245 - Email: contacts@ferra.hu
jacksonpollocksite .com - Email: contacts@ferra.hu
lady2gaga .com - Email: contacts@designt.de
nigeriaworldtours .com - Email: info@montever.de
americanpiemusicvideo .com - Email: mail@suvtrip.hu
superstitionmusicvideo .com - Email: mail@suvtrip.hu
umbrellamusicvideo .com - Email: mail@suvtrip.hu
discounts-org .com - Email: mail@haselbladtour.com
littlediscounts .com - Email: mail@haselbladtour.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com
volvomodeltoys .com - Email: CourtneyRWebb@aol.com
manilawebcamera .com - Email: monkey22@live.com
mumbaiwebcamera .com - Email: monkey22@live.com
karachiwebcamera .com - Email: monkey22@live.com
delhiwebcamera .com - Email: monkey22@live.com
istanbulwebcamera .com - Email: monkey22@live.com
lexusmodeltoys .com - Email: monkey22@live.com
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67; 91.212.226.203; 94.228.209.195 - Email: mail@bristonnews.com.

Sample detection rates (engines detecting / engines scanning) for the newly introduced scareware samples, ten fetches of the same filename, each a differently-detected binary:
Setup_312s2.exe - Result: 3/40 (7.5%)
Setup_312s2.exe - Result: 4/39 (10.26%)
Setup_312s22.exe - Result: 2/39 (5.13%)
Setup_312s2.exe - Result: 6/39 (15.39%)
Setup_312s2.exe - Result: 1/40 (2.5%)
Setup_312s2.exe - Result: 1/39 (2.56%)
Setup_312s2.exe - Result: 3/39 (7.7%)
Setup_312s2.exe - Result: 4/40 (10%)
Setup_312s2.exe - Result: 1/40 (2.5%)
Setup_312s2.exe - Result: 4/40 (10%)

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57 and rescuesysupdate .com/?b=312s2 - 83.133.125.216. Note the recurring "312s2"/"312s02" token in the redirector ID, the sample filename and the callback: it looks like the affiliate/campaign identifier, and is a more durable pivot than any single domain in the list.

Parked on the same IPs are more scareware domains part of the portfolio:
spy-detectore .com - Email: admin@clossingt.com
dis7-antivirus .com - Email: admin@vertigosmart.com
v2comp-scanner .com - Email: admin@vertigosmart.com
new-av-scannere .com - Email: missbarlingmail@aol.com
smartvirus-scan6 .com - Email: info@terranova.com
spywaremaxscan4 .com - Email: out@trialzoom.com
super6antispyware .com - Email: mail@ordercom.com
spyware-max-scan3 .com - Email: out@trialzoom.com
max-antivirus-security5 .com - Email: mail@dynadoter.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
11-antivirus .com - Email: call555call@live.com
1-antivirus .com - Email: call555call@live.com
1m-online-scanner .com - Email: stellar2@yahoo.com
2m-online-scanner .com - Email: stellar2@yahoo.com
2pro-antispyware .com - Email: mail@yahoo.com
3pro-antispyware .com - Email: mail@yahoo.com
6-antivirus .com - Email: call555call@live.com
7-antivirus .com - Email: call555call@live.com
9-antivirus .com - Email: call555call@live.com
a0-online-scanner .com - Email: stellar2@yahoo.com
a9-online-scanner .com - Email: stellar2@yahoo.com
aa-antivirus .com - Email: call555call@live.com
aa-online-scanner .com - Email: call555call@live.com
ab-antivirus .com - Email: call555call@live.com
ac-antivirus .com - Email: call555call@live.com
ad-antivirus .com - Email: call555call@live.com
adv1-system-scanner .com - Email: JayRKibbe@live.com
adv2-system-scanner .com - Email: JayRKibbe@live.com
ae-antivirus .com - Email: call555call@live.com
antivirus-expert-a .com - Email: 900ekony@live.com
antivirus-expert-i .com - Email: 900ekony@live.com
antivirus-expert-r .com - Email: 900ekony@live.com
antivirus-expert-y .com - Email: 900ekony@live.com
antivirussystemscan1 .com - Email: 900ekony@live.com
antivirussystemscana .com - Email: 900ekony@live.com
army-antispywarea .com - Email: beliec99@yahoo.com
army-antispywarei .com - Email: beliec99@yahoo.com
army-antispywarel .com - Email: beliec99@yahoo.com
army-antispywarep .com - Email: beliec99@yahoo.com
army-antivirusa .com - Email: beliec99@yahoo.com
army-antivirusd .com - Email: beliec99@yahoo.com
army-antivirust .com - Email: beliec99@yahoo.com
army-antivirusv .com - Email: beliec99@yahoo.com
army-antivirusy .com - Email: beliec99@yahoo.com

b1-online-scanner .com - Email: stellar2@yahoo.com
best-antivirusk0 .com
bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com
crystal-antimalware .com - Email: mail@vertigocats.com
crystal-antivirus .com - Email: mail@vertigocats.com
crystal-pro-scan .com - Email: mail@vertigocats.com
crystal-pro-scanner .com - Email: mail@vertigocats.com
crystal-spyscanner .com - Email: mail@vertigocats.com
crystal-threatscanner .com - Email: mail@vertigocats.com
crystal-virusscanner .com - Email: mail@vertigocats.com
extra-spyware-defencea .com - Email: fabula8@live.com
extra-spyware-defenceb .com - Email: fabula8@live.com
malware-a-scan .com - Email: mail@bristonnews.com
malware-b-scan .com - Email: mail@bristonnews.com
malware-c-scan .com - Email: mail@bristonnews.com
malware-d-scan .com - Email: mail@bristonnews.com
malware-t-scan .com - Email: mail@bristonnews.com
mega-antispywarea .com - Email: fabula8@live.com
mega-antispywareb .com - Email: fabula8@live.com
mm-online-scanner .com - Email: stellar2@yahoo.com
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com
my-computer-antivirusb .com - Email: dillinzer1@yahoo.com
my-computer-antiviruse .com - Email: dillinzer1@yahoo.com
my-computer-antivirusq .com - Email: dillinzer1@yahoo.com
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com
my-computer-scanc .com - Email: clintommail2@yahoo.com
my-computer-scane .com - Email: clintommail2@yahoo.com
my-computer-scanl .com - Email: clintommail2@yahoo.com
my-computer-scannera .com - Email: clintommail2@yahoo.com
my-computer-scannerl .com - Email: clintommail2@yahoo.com
my-computer-scannerm .com - Email: clintommail2@yahoo.com
my-computer-scannern .com - Email: clintommail2@yahoo.com
my-computer-scannerv .com - Email: clintommail2@yahoo.com

my-computer-scanw .com - Email: clintommail2@yahoo.com
my-pc-online-scanm .com - Email: dillinzer1@yahoo.com
my-pc-online-scann .com - Email: dillinzer1@yahoo.com
my-pc-online-scanr .com - Email: dillinzer1@yahoo.com
my-pc-online-scanv .com - Email: dillinzer1@yahoo.com
n1-system-scanner .com - Email: JayRKibbe@live.com
n2-system-scanner .com - Email: JayRKibbe@live.com
nasa-antivirus1 .com - Email: call555call@live.com
nasa-antivirus3 .com - Email: call555call@live.com
nasa-antivirusa .com - Email: call555call@live.com
nasa-antivirusb .com - Email: call555call@live.com
nasa-antiviruso .com - Email: call555call@live.com
pc1-system-scanner .com - Email: JayRKibbe@live.com
pc2-system-scanner .com - Email: JayRKibbe@live.com
pro0-antivirus .com - Email: mail@yahoo.com
pro0-system-scanner .com - Email: JayRKibbe@live.com
pro1-system-scanner .com - Email: JayRKibbe@live.com
pro2-antivirus .com - Email: mail@yahoo.com
pro4-antivirus .com - Email: mail@yahoo.com
pro6-antivirus .com - Email: mail@yahoo.com
pro8-antivirus .com - Email: mail@yahoo.com
remote-antispywarec .com - Email: teresa2mail.me@live.com
remote-antispywared .com - Email: teresa2mail.me@live.com
remote-antispywaree .com - Email: teresa2mail.me@live.com
remote-antispywarey .com - Email: teresa2mail.me@live.com
remote-pc1-scanner .com - Email: teresa2mail.me@live.com
remote-pc-scannera .com - Email: teresa2mail.me@live.com
remote-pc-scannerr .com - Email: teresa2mail.me@live.com
remote-pc-scannerv .com - Email: teresa2mail.me@live.com
remote-pc-scannery .com - Email: teresa2mail.me@live.com

scan3antispyware .com - Email: o@mozzilastuf.com
scan6antispyware .com - Email: o@mozzilastuf.com
scan8antispyware .com - Email: o@mozzilastuf.com
scan-antispywarea .com - Email: o@mozzilastuf.com
scan-antispywarec .com - Email: o@mozzilastuf.com
scan-antispywared .com - Email: o@mozzilastuf.com
scan-antispywarez .com - Email: o@mozzilastuf.com
spyware-01-scanner .com - Email: mail@bristonnews.com
spyware-03-scanner .com - Email: mail@bristonnews.com
spyware-05-scanner .com - Email: mail@bristonnews.com
spyware-06-scanner .com - Email: mail@bristonnews.com
spyware-07-scanner .com - Email: mail@bristonnews.com
stcanning-your-computerc .com - Email: mitra66@yahoo.com
stcanning-your-computerd .com - Email: mitra66@yahoo.com
stcanning-your-computerq .com - Email: mitra66@yahoo.com
stcanning-your-computerr .com - Email: mitra66@yahoo.com
stcanning-your-computert .com - Email: mitra66@yahoo.com
stcanning-your-pca .com - Email: mitra66@yahoo.com
stcanning-your-pcb .com - Email: mitra66@yahoo.com
stcanning-your-pcc .com - Email: mitra66@yahoo.com
stcanning-your-pcd .com - Email: mitra66@yahoo.com
stcanning-your-pce .com - Email: mitra66@yahoo.com
stealthv1-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com
ver1-system-scanner .com - Email: JayRKibbe@live.com
ver2-system-scanner .com - Email: JayRKibbe@live.com

virus-a1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com
z0-online-scanner .com - Email: stellar2@yahoo.com
z1-online-scanner .com - Email: stellar2@yahoo.com

Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at 212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:
antispy-download .org - Email: robertsimonkroon@gmail.com
scanner-virus-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-sex-porn .org - Email: robertsimonkroon@gmail.com
download-free-files .org - Email: robertsimonkroon@gmail.com
tube-porn-best .org - Email: robertsimonkroon@gmail.com
scan-your-pc-now .org - Email: michaeltycoon@gmail.com
scanner-virus-free .com - Email: robertsimonkroon@gmail.com
tube-sex-porn .com - Email: robertsimonkroon@gmail.com
scanner-free-virus .com - Email: robertsimonkroon@gmail.com
tube-porn-best .com - Email: robertsimonkroon@gmail.com
antispy-download .info - Email: robertsimonkroon@gmail.com
soft-download-free .info - Email: robertsimonkroon@gmail.com
scanner-virus-free .info - Email: robertsimonkroon@gmail.com
scanner-free-virus .info - Email: robertsimonkroon@gmail.com
scan-your-pc-now .info - Email: michaeltycoon@gmail.com

adult-tube-free .net - Email: michaeltycoon@gmail.com
scanner-virus-free .net - Email: robertsimonkroon@gmail.com
tube-sex-porn .net - Email: robertsimonkroon@gmail.com
download-free-files .net - Email: michaeltycoon@gmail.com
scanner-free-virus .net - Email: robertsimonkroon@gmail.com
tube-porn-best .net - Email: robertsimonkroon@gmail.com
ekjsoft .eu - Email: robertsimonkroon@gmail.com
antispy-download .biz - Email: robertsimonkroon@gmail.com
soft-download-free .biz - Email: robertsimonkroon@gmail.com
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com
free-malware-scan .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com
download-free-files .biz - Email: michaeltycoon@gmail.com

scanner-free-virus .biz - Email: robertsimonkroon@gmail.com
download-free-soft .biz - Email: robertsimonkroon@gmail.com
tube-porn-best .biz - Email: robertsimonkroon@gmail.com
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com
alrzsoft .in - Email: petrenko.kolia@yandex.ru
cool-tube-porn .net - Email: robertsimonkroon@gmail.com
cool-tube-porn .org - Email: robertsimonkroon@gmail.com
download-free-now .net - Email: robertsimonkroon@gmail.com
download-free-now .org - Email: robertsimonkroon@gmail.com
download-free-soft .com - Email: robertsimonkroon@gmail.com
download-free-soft .net - Email: robertsimonkroon@gmail.com
download-scaner-free .com - Email: robertsimonkroon@gmail.com
fdglsoft .in - Email: petrenko.kolia@yandex.ru
free-virus-scanner .net - Email: robertsimonkroon@gmail.com
kleqsoft .in - Email: petrenko.kolia@yandex.ru
kltysoft .in - Email: petrenko.kolia@yandex.ru
ktyjsoft .in - Email: petrenko.kolia@yandex.ru

kyezsoft .in - Email: petrenko.kolia@yandex.ru
lkrjsoft .in - Email: petrenko.kolia@yandex.ru
lkrtsoft .in - Email: petrenko.kolia@yandex.ru
mgtlsoft .in - Email: petrenko.kolia@yandex.ru
porn-sex-tube .net - Email: robertsimonkroon@gmail.com
porn-sex-tube .org - Email: robertsimonkroon@gmail.com
scan-free-malware .net - Email: robertsimonkroon@gmail.com
scan-free-malware .org - Email: robertsimonkroon@gmail.com
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .com - Email: robertsimonkroon@gmail.com
tube-best-porn .net - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-porn-sex .info - Email: robertsimonkroon@gmail.com
tube-porn-sex .net - Email: robertsimonkroon@gmail.com
tube-porn-sex .org - Email: robertsimonkroon@gmail.com

What's so special about the robertsimonkroon@gmail.com email anyway? Not only was it once again used to register scareware domains, twice in July, 2009, but, as pointed out in November 2009's "Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:

0ni9o1s3feu60 .cn - Email: robertsimonkroon@gmail.com
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
t1eayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutr11e .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com
f1uq1dfi3qkcm .cn - Email: robertsimonkroon@gmail.com
7mx1z5jq0nt3o .cn - Email: robertsimonkroon@gmail.com
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com
bnfdxhae1rgey .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com


Stay tuned for a massive update on Koobface-related activities, analyzing the gang's multi-tasking throughout the entire January, 2010 -- descriptive historical OSINT offers long-term value when cross-checking for connections.

Related Koobface gang/botnet research:
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

The Diverse Portfolio of Fake Security Software Series:
A Diverse Portfolio of Fake Security Software - Part Twenty Four
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software


PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild


Pushdo/Cutwail's customers, or perhaps the botnet masters themselves, continue rotating their malware campaigns, with the very latest one using a "Photo Archive #2070735" theme and continuing to serve client-side exploits hosted within crimeware-friendly networks that it's time we profile and expose.
Photo Archives Hosting describes itself as:
"Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."

- Sample URL: photoshock.MalwareDomain/id1073bv/get.php?email=
- Sample iFrame from this week's campaign: 109.95.115.36 /usasp22/in.php 
- Sample iFrame from last week: 109.95.114 .251 /us01d/; 109.95.115.36 /usasp/in.php 
- Sample iFrame used two weeks ago: 109.95.114 .251/uks1/in.php
- Detection rate: PhotoArchive.exe (Trojan-Spy.Win32.Zbot); dropped file.exe (Trojan-Spy.Win32.Zbot)

Upon execution, it drops C:\WINDOWS\system32\sdra64.exe and C:\WINDOWS\system32\lowsec\user.ds.lll (the standard Zeus 1.x dropper artifacts) and phones back to the Zeus crimeware serving horosta .ru/cbd/nekovo.bri and horosta .ru/ip.php - 109.95.115.19 - Email: bernardo_pr@inbox.ru
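The URLs quoted for this campaign, together with the redirector ID and scareware callbacks in the Koobface post above, are what a proxy log should be checked against. The following is an added example, not code from the original posts: it walks web-proxy log lines, tags each URL with the indicator rule(s) it matches, and then groups hits per client so that a host that went lure, exploit-kit iframe, Zeus config fetch stands out from one that merely touched a redirector. The log format and the sample lines are constructed for the example; "photoshock.example" stands in for the lure host, whose real domain the post withholds. The regexes generalise the posts' literal URLs (other affiliate IDs of the same pid/sid shape, any host in the 109.95.112.0/22 range) and those generalisations are this example's assumptions, flagged in the comments.

```python
"""Proxy-log triage for the indicators quoted in these posts (added example)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# (rule name, regex applied to the full request URL)
RULES = [
    # Literal redirector ID carried by every Koobface/blackhat-SEO redirector in the post.
    ("koobface-redirector-id", re.compile(r"[?&]pid=312s02&sid=4db12f\b")),
    # ASSUMPTION: other affiliates use the same pid/sid shape (cf. Setup_312s2.exe, ?b=312s2).
    ("koobface-redirector-shape", re.compile(r"[?&]pid=\d{3}s\d{1,2}&sid=[0-9a-f]{6}\b")),
    # malware-a-scan .com ... malware-t-scan .com serve the scareware binary.
    ("scareware-download", re.compile(r"^https?://malware-[a-z]-scan\.com/", re.I)),
    # Post-execution phone-home of the scareware sample.
    ("scareware-callback", re.compile(
        r"^https?://(winxp7server\.com/download/winlogo\.bmp|rescuesysupdate\.com/\?b=\d{3}s\d{1,2})", re.I)),
    # PhotoArchive lure: <host>/id1073bv/get.php?email= ; ASSUMPTION: the id token varies per run.
    ("photoarchive-lure", re.compile(r"/id\d+[a-z]*/get\.php\?email=", re.I)),
    # Exploit-kit iframes at 109.95.115.36 and 109.95.114.251 (/usasp22/in.php, /us01d/, /uks1/in.php);
    # ASSUMPTION: any host in AS50369's 109.95.112.0/22 with the same path shape.
    ("exploit-kit-iframe", re.compile(r"^https?://109\.95\.11[2-5]\.\d{1,3}/(us|uk)[a-z0-9]*/(in\.php)?", re.I)),
    # Zeus config / IP check fetched by the PhotoArchive.exe dropper.
    ("zeus-config-fetch", re.compile(r"^https?://horosta\.ru/(cbd/nekovo\.bri|ip\.php)", re.I)),
]

# Constructed log lines: '<ts> <client-ip> <method> <url> <status>'.
SAMPLE_LOG = [
    "2010-02-03T14:02:11Z 10.0.0.5 GET http://vincentvangoghsite.com/?pid=312s02&sid=4db12f 302",
    "2010-02-03T14:02:12Z 10.0.0.5 GET http://malware-b-scan.com/download/Setup_312s2.exe 200",
    "2010-02-03T14:05:40Z 10.0.0.5 GET http://rescuesysupdate.com/?b=312s2 200",
    "# proxy restarted",
    "2010-02-03T15:10:03Z 10.0.0.9 GET http://photoshock.example/id1073bv/get.php?email=victim@example.com 200",
    "2010-02-03T15:10:04Z 10.0.0.9 GET http://109.95.115.36/usasp22/in.php 200",
    "2010-02-03T15:12:30Z 10.0.0.9 GET http://horosta.ru/cbd/nekovo.bri 200",
    "2010-02-03T15:12:31Z 10.0.0.9 GET http://horosta.ru/ip.php 200",
    "2010-02-03T15:20:00Z 10.0.0.12 GET http://www.example.org/index.php?pid=5&sid=abc 200",
    "2010-02-03T15:21:00Z 10.0.0.12 GET http://www.example.org/photos/get.php?email=1 200",
]


class Finding(NamedTuple):
    ts: str
    src: str
    url: str
    rules: Tuple[str, ...]


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Returns (timestamp, client ip, url) or None for comments / malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].lower().startswith(("http://", "https://")):
        return None
    return parts[0], parts[1], parts[3]


def match_rules(url: str) -> Tuple[str, ...]:
    """Names of every rule the URL trips (a URL may match several)."""
    return tuple(name for name, rx in RULES if rx.search(url))


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, url = parsed
        hits = match_rules(url)
        if hits:
            findings.append(Finding(ts, src, url, hits))
    return findings


def infection_chains(findings: Iterable[Finding]) -> Dict[str, Tuple[str, ...]]:
    """Client IP -> sorted rule names it tripped. Lure + iframe + config fetch on one
    client is a completed Zeus infection to escalate, not a blocked redirect."""
    by_src: Dict[str, set] = {}
    for f in findings:
        by_src.setdefault(f.src, set()).update(f.rules)
    return {src: tuple(sorted(rules)) for src, rules in by_src.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.src, ",".join(f.rules), f.url)
    for src, chain in infection_chains(scan(SAMPLE_LOG)).items():
        print(src, "->", " + ".join(chain))
```

The per-client grouping is the part worth keeping: a single redirector hit is noise from a blocked drive-by, whereas the 10.0.0.9 sequence (lure, iframe, then the horosta .ru config fetch) means the dropper ran and the box needs the sdra64.exe / lowsec artifacts checked and its banking credentials treated as stolen.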

Who's offering the hosting infrastructure for the actual domains/malware binaries and nameservers?
- AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - profiled here
- 109.95.112.0/22 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich
- 193.104.41.0/24 - AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich
- 91.200.164.0/22 - AS47560 - VESTEH-NET-as Vesteh LLC

What's worth pointing out is that "TROYAK-AS Starchenko Roman Fedorovich" positions itself as an "Ethernet,home,LAN,net,provider,ISP,Homenet" provider at ctlan.net, just like the "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" and "GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime" cases: a legitimate-looking front for a cybercrime-friendly network.

All of the involved domains have already been blacklisted by the Zeus Tracker. However, with the campaigners at large, what's TROYAK-AS today will be yet another cybercrime-friendly AS tomorrow.

Related posts:
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, February 02, 2010

How the Koobface Gang Monetizes Mac OS X Traffic

Mac users appear to have a special place in the heart of the Koobface gang, since they've recently started experimenting with a monetization strategy especially for them: compromising legitimate sites for the sole purpose of embedding the popular PHP backdoor shell C99 (Synsta mod) in them, in an attempt to redirect all Mac OS X traffic to affiliate dating programs such as AdultFriendFinder.

The use of Synsta's C99 mod is not a novel approach; the gang has been using it for over a year and a half now. The original KROTEG injected script now includes a "hey rogazi" message. "Hey rogazi" appears to be some kind of slang word (rogatstsi) for scooter-driving Italian people. What's also interesting to point out is that the Mac OS X redirection takes place through one of the few currently active centralized IPs from Koobface 1.0's infrastructure - 61.235.117.83.

This very same IP (profiled in August, 2009 and then in September, 2009) was once brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koobface 1.0's "leftovers" xtsd20090815 .com and kiano-180809 .com (a domain that was serving client-side exploits in the Koobface gang's November 2009 experiment, followed by another one again hosted at 61.235.117.83) still parked there.
Moreover, this China-based IP (it even has a modest Alexa pagerank) was also the centralized redirection point in Koobface 1.0's scareware business model, using popup.php to redirect to a systematically updated portfolio of scareware domains, and it was the first time ever that I came across what the gang is now publicly acknowledging as the "2008 ali baba and 40, LLC" team.

AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru
sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru
stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru
ubojnajasila .net - 61.235.117.87 - Email: ubojnajasila.net@contactprivacy.com

Here's how the experiment looks in its current form. Once the OS is detected, the redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm, loading the following pages using the gang's unique campaign IDs at AdultFriendFinder:

- BestDatingDirect .com/page_hot.php?page=random&did=14029
- adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc

The rest of the dating site redirectors are parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global:
bestdatingdirect .com
bestnetdate .com
currentdating .com
datefunclub .com
enormousdating .com
giantdating .com
onlinelovedating .com 
worldbestdate .com
worlddatinghere .com

This isn't the first time that the Koobface gang has attempted to monetize traffic through dating affiliate networks. In fact, in November's "Koobface Botnet's Scareware Business Model - Part Two" post, emphasizing the gang's connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out their connection with a Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.

An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of a Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.


For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorst10@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net

love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit-serving domains at 195.88.190.247, to participate in phishing campaigns, and to register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).
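
Pivoting on the registrant e-mail is the step that ties the dating-scam domains above to the exploit-serving and money-mule domains. The following Python is an added example, not code from the post: it refangs the " .tld" / "x .y" notation used throughout these lists, parses the "domain - IP - Email: address" line format, and groups indicators by registrant address so that shared registrants surface automatically. The input lines are the ones listed in this post, embedded here as a constructed sample; the line format and field separators are assumptions about how the list is kept, not a fixed standard.

```python
"""Refang defanged indicators and pivot them on registrant e-mail."""
import re
from collections import defaultdict

# Constructed sample: the dating-scam domains listed in this post, kept in the
# post's own defanged "domain .tld - Email: address" notation.
SAMPLE_LINES = [
    "healthe-lovesite .com - Email: potenciallio@safe-mail.net",
    "love-isaclick .com - Email: potenciallio@safe-mail.net",
    "love-is-special .com - Email: potenciallio@safe-mail.net",
    "only-loveall .com - Email: potenciallio@safe-mail.net",
    "and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net",
    "andiloveyoutoo .com - Email: menorst10@yahoo.com",
    "romantic-love-forever .com - Email: potenciallio@safe-mail.net",
    "love-youloves .com - Email: potenciallio@safe-mail.net",
    "love-galaxys .com - Email: potenciallio@safe-mail.net",
    "love-formeandyou .com - Email: potenciallio@safe-mail.net",
    "ifound-thelove .net - Email: potenciallio@safe-mail.net",
    "findloveon .net - Email: wersers@yahoo.com",
    "love-isexcellent .net - Email: potenciallio@safe-mail.net",
]

# "indicator [- IP] [- Email: address]"; IP and e-mail are optional, and the IP
# may itself be defanged with a space before one of its dots ("109.95.114 .251").
LINE_RE = re.compile(
    r"^(?P<ioc>[\w.\- ]+?)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\s?\.\s?\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s*(?P<email>\S+))?\s*$"
)


def refang(value):
    """Collapse the defanging whitespace around dots: 'nekovo .ru' -> 'nekovo.ru'."""
    return re.sub(r"\s*\.\s*", ".", value.strip()).lower()


def parse_ioc_line(line):
    """Parse one list line into {'indicator', 'ip', 'email'}; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("ioc").strip():
        return None
    return {
        "indicator": refang(m.group("ioc")),
        "ip": refang(m.group("ip")) if m.group("ip") else None,
        "email": m.group("email").lower() if m.group("email") else None,
    }


def pivot_by_email(lines):
    """Map registrant e-mail -> sorted list of indicators registered with it."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_ioc_line(line)
        if rec and rec["email"]:
            groups[rec["email"]].add(rec["indicator"])
    return {email: sorted(iocs) for email, iocs in groups.items()}


def shared_registrants(lines, min_domains=2):
    """Keep only the registrant addresses that tie together several indicators."""
    return {e: d for e, d in pivot_by_email(lines).items() if len(d) >= min_domains}


if __name__ == "__main__":
    for email, domains in shared_registrants(SAMPLE_LINES).items():
        print(f"{email}: {len(domains)} domains -> {', '.join(domains)}")
```

Feeding the Zeus and name-server lists from the other posts on this page into the same function is what produces the cross-campaign links the text describes (kievsk@yandex.ru, glonders@gmail.com, zmamarc689@witty.com); a registrant that appears in more than one campaign is a pivot worth a blocklist entry of its own.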


Of course, the money made in the process looks like pocket change compared to the money the gang makes through blackhat SEO, click fraud and scareware in general -- go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'd do sooner or later, namely start diversifying and experimenting thanks to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.

Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Monday, February 01, 2010

Summarizing Zero Day's Posts for January

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, follow me or all of ZDNet's blogs on Twitter.

Recommended reading - Google-China cyber espionage saga - FAQ.

01. Baidu DNS records hijacked by Iranian Cyber Army
02. Haiti earthquake themed blackhat SEO campaigns serving scareware
03. Google-China cyber espionage saga - FAQ
04. And the most popular password is...
05. Bogus IQ test with destructive payload in the wild
06. Report: 48% of 22 million scanned computers infected with malware


Tuesday, January 26, 2010

Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits


Continuing the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" / "the latest update for the AIM" themed campaign from the weekend has once again returned to a well-known theme, namely the "Facebook Update Tool" spam campaign.

The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.

- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
    - 109.95.114 .251/us01d/jquery.jxx
        - 109.95.114 .251/us01d/xd/pdf.pdf
            - 109.95.114 .251/us01d/load.php
                - 109.95.114 .251/us01d/file.exe

- Sample typosquatted and currently active domains: 
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com

reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com

ukgedsq.com .hn - Email: zmamarc689@witty.com
ukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com

- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended

Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.

The gang's activities will be updated as they happen.

Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Monday, January 18, 2010

Follow Me on Twitter!


Are you on Twitter? If so, consider following my tweets, or if you're not using it you can always subscribe to the RSS feed.

Wednesday, January 13, 2010

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams


UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the past 24 hours they've been spamming the well-known "Notice of Underreported Income" theme, this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains next to changing the client-side exploit serving iFrame embedded on each and every page.

- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php

Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).

The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
    - 109.95.114.251 /uks1/jquery.jxx
            - 109.95.114.251 /uks1/xd/pdf.pdf
                - 109.95.114.251 /uks1/load.php
                    - 109.95.114.251 /uks1/file.exe

DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations

Typosquatted domains spammed over the past 24 hours:
olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl


ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl


t111ut .me.uk
t111uy .me.uk
t111uz .me.uk
t111uk .org.uk
t111ut .org.uk
t111uz .org.uk
t111uk .co.uk
t111uy .co.uk


okio1h .ne.kr
okio1w .ne.kr
okio1h .kr
okio1h .co.kr
okio1u .co.kr
okio1v .co.kr
okio1w .co.kr
okio1h .or.kr
okio1u .or.kr
okio1v .or.kr
okio1w .or.kr
okio1u .kr
okio1v .kr
okio1w .kr


proterp1 .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im


UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.

What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.

UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.

In need of a good example of why you shouldn't be interacting with spam/phishing emails in any other way than reporting/deleting them, unless of course you're in the business of analyzing them?

Last week's OWA-themed Zeus-serving spam campaign, courtesy of the Pushdo botnet, has not just resumed but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites, through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new: the botnet master anticipates that the visitor who clicked on the link may not be that stupid the next time, so attempting to serve the malware without any kind of interaction on his behalf, through client-side exploits, is the tactic of choice.

Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.

Active fast-fluxed domains part of the campaign:
leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk

DNS servers of notice:
ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMIngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com


Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
    - atthisstage .com/uksp/jquery.jxx
        - atthisstage .com/uksp/xd/pdf.pdf
            - atthisstage .com/uksp/load.php
                - atthisstage .com/uksp/file.exe
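
The five-step structure above (in.php -> jquery.jxx -> xd/pdf.pdf -> load.php -> file.exe) is the same one the "Facebook Update Tool" post shows under 109.95.114 .251/us01d/, which makes the sequence itself a usable detection signal on a web proxy. The following Python is an added example, not code from the post: it assumes a constructed proxy log format of `timestamp client status url`, one request per line, and flags a client that fetches at least three consecutive stages of the chain, in order, from the same host. The log lines are constructed from the paths and IP in these posts.

```python
"""Flag proxy clients that walk the in.php -> jquery.jxx -> xd/pdf.pdf -> load.php -> file.exe chain."""
import re
from collections import defaultdict

# Ordered path suffixes of the landing-page chain, as listed in the post.
CHAIN = ["in.php", "jquery.jxx", "xd/pdf.pdf", "load.php", "file.exe"]

# Constructed sample log: "timestamp client status url" (assumed format).
SAMPLE_LOG = """\
2010-01-26T10:00:01 10.0.0.5 200 http://facebook.com.ddeassrq.vc/usr/LoginFacebook.php?ref
2010-01-26T10:00:02 10.0.0.5 200 http://109.95.114.251/us01d/in.php
2010-01-26T10:00:02 10.0.0.5 200 http://109.95.114.251/us01d/jquery.jxx
2010-01-26T10:00:03 10.0.0.5 200 http://109.95.114.251/us01d/xd/pdf.pdf
2010-01-26T10:00:05 10.0.0.5 200 http://109.95.114.251/us01d/load.php
2010-01-26T10:00:06 10.0.0.5 200 http://109.95.114.251/us01d/file.exe
2010-01-26T10:01:00 10.0.0.9 200 http://109.95.114.251/us01d/in.php
2010-01-26T10:01:01 10.0.0.9 200 http://109.95.114.251/us01d/jquery.jxx
2010-01-26T10:02:00 10.0.0.12 200 http://example.test/static/jquery.jxx
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+)$")


def parse_line(line):
    """Parse one log line into its fields; None if the line does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_and_path(url):
    """'http://h/a/b?q' -> ('h', '/a/b?q'); the scheme is dropped, host lower-cased."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return host.lower(), "/" + path


def stage_of(path):
    """Index into CHAIN of the stage this path represents, or None."""
    for i, suffix in enumerate(CHAIN):
        if path.endswith("/" + suffix):
            return i
    return None


def detect_chains(lines, min_stages=3):
    """Return {(client, host): [stages reached, in order]} for every client that
    progressed through at least `min_stages` consecutive stages on one host.

    Only the next expected stage is accepted, so a stray jquery.jxx fetch from a
    host that never served in.php (a legitimate site) does not start a chain."""
    progress = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path = host_and_path(rec["url"])
        stage = stage_of(path)
        if stage is None:
            continue
        seen = progress[(rec["client"], host)]
        if stage == len(seen):
            seen.append(CHAIN[stage])
    return {k: v for k, v in progress.items() if len(v) >= min_stages}


if __name__ == "__main__":
    for (client, host), stages in detect_chains(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: reached {stages[-1]} ({len(stages)} stages)")
```

A client that reaches file.exe has very likely executed the pdf.pdf stage successfully; treating the partial chains (min_stages=2) as lower-severity alerts catches the hosts where the exploit did not fire but the user still followed the spammed link.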

Russian Brides spamvertised domains part of an affiliate network:
toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net

cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com


If you want to know more about the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.

Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Friday, January 08, 2010

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware


UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme in order to trick gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).

Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx

Fast-fluxed seed IPs:
61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88

DNS servers of notice:
ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com

Hundreds of typosquatted subdomains reside within the following currently active domains:
ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssd1 .cc
vcrssd1 .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk

ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com

yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com

ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com

Seen within the past 24 hours, now offline domains part of the campaign:
yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net

Upon execution the sample phones back to nekovo .ru, already blacklisted by the Zeus Tracker:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked within the same AS are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Monday, January 04, 2010

Top Ten Must-Read DDanchev Posts For 2009


The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of publishing, and not necessarily based on page views.

Thank you for being a regular reader of my personal blog. Feel free to subscribe to my RSS feed, keep track of my posts at ZDNet's Zero Day, or follow me on Twitter.

01. Conficker's Scareware/Fake Security Software Business Model
02. Koobface Botnet's Scareware Business Model - Part One and Part Two
03. Inside a Money Laundering Group's Spamming Operations
04. A Peek Inside the Managed Blackhat SEO Ecosystem
05. Iranian Opposition DDoS-es pro-Ahmadinejad Sites
06. Koobface Botnet Redirects Facebook's IP Space to my Blog
07. Standardizing the Money Mule Recruitment Process
08. Koobface Botnet Starts Serving Client-Side Exploits
09. The SMS Ransomware series - SMS Ransomware Displays Persistent Inline Ads; SMS Ransomware Source Code Now Offered for Sale; 3rd SMS Ransomware Variant Offered for Sale; 4th SMS Ransomware Variant Offered for Sale; 5th SMS Ransomware Variant Offered for Sale; 6th SMS Ransomware Variant Offered for Sale
10. The Koobface Gang Wishes the Industry "Happy Holidays"


Top Ten Must-Read Posts at ZDNet's Zero Day for 2009



The end of the year naturally means a rush to come up with 'best of the best' top lists consisting of your finest content. However, based on personal observations, during the holidays season the short attention span of the average reader becomes even shorter with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at ZDNet's Zero Day for 2009.

The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of their publishing. You will be, of course, missing the big picture if you don't keep track of Ryan Naraine's coverage.

Thank you for being a Zero Day reader!

01. Microsoft study debunks phishing profitability
02. Inside BBC's Chimera botnet
03. China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?
04. Microsoft study debunks profitability of the underground economy
05. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites - Related coverage
06. The Ultimate Guide to Scareware Protection
07. 'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie)
08. Google's CAPTCHA experiment and the human factor
09. Does software piracy lead to higher malware infection rates?
10. Koobface botnet enters the Xmas season

Related posts:
Summarizing Zero Day's Posts for January, 2009
Summarizing Zero Day's Posts for February, 2009
Summarizing Zero Day's Posts for March, 2009
Summarizing Zero Day's Posts for April, 2009
Summarizing Zero Day's Posts for May, 2009
Summarizing Zero Day's Posts for June, 2009
Summarizing Zero Day's Posts for July, 2009
Summarizing Zero Day's Posts for August, 2009
Summarizing Zero Day's Posts for September, 2009
Summarizing Zero Day's Posts for October, 2009
Summarizing Zero Day's Posts for November, 2009
Summarizing Zero Day's Posts for December, 2009


Summarizing Zero Day's Posts for December

The following is a brief summary of all of my posts at ZDNet's Zero Day for December, 2009.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

01. Koobface botnet enters the Xmas season
02. How many people fall victim to phishing attacks?
03. Zeus crimeware using Amazon's EC2 as command and control server
04. Report: Google's reCAPTCHA flawed
05. FBI: Scareware distributors stole $150M


Saturday, December 26, 2009

The Koobface Gang Wishes the Industry "Happy Holidays"



Oops, they did it again - the Koobface gang, which is now officially describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed -- notice the worm in the name -- background on Koobface-infected hosts, but has also included a "Wish Koobface Happy Holidays" script -- last time I checked there were 10,000 people who clicked it -- followed by the most extensive message ever left by the gang, which amusingly attempts to legitimize the gang's activities.



In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as software whose new features are requested by users, and claims that by continuing its development the authors are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg of the malicious activities the group is involved in. Consider going through the related Koobface research posts featured at the bottom of the post, in order to grasp how widespread and high-profile the activities of this group are. The exact message, a screenshot of which is attached, reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

For the record, in case you were living on the other side of the universe, and weren't interested in the raw details taking place within the underground ecosystem, in July, 2009, I was the only individual ever mentioned by the Koobface gang, which back then included the following message within the command and control infrastructure for 9 days:
  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."
Alongside the folks at TrendMicro, the DHS also featured the event in its Daily Open Source Infrastructure Report for 3 September 2009, on page 18:
  • "This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."
It got ever more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October, 2009, resulting in thousands of Facebook visits every time their crawlers were visiting a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on top of the research pie will see daylight soon. First of all, I'd like to wish them happy holidays with Frank Sinatra's "I've Got You Under My Skin". They'll get the point.

And now comes my Christmas present: the systematic take-down, blacklisting and domain suspension of Koobface scareware operations.


Sample detection rates for Koobface binaries: go.exe; fb.79.exe; fblanding.exe; v2captcha.exe; v2webserver.exe; pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f (Email: Josefinat@yahoo.com; 193.104.22.200; AS34305, EUROACCESS Global Autonomous System) acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at 193.104.22.200/91.212.226.95:

Christmas-themed scareware serving domains:
happy-newyear2010 .com
celebrate2009year .com
newyearandsanta .com
newyeardesgings .com
santa-christmas2010 .com
snowandchristmas .com


Speaking of AS34305; EUROACCESS Global Autonomous System, they're also hosting scareware campaigns on another IP, 193.104.22.50 in particular:

Within the same ASN, we can also find the following Zeus crimeware serving domains, courtesy of the Zeus Tracker:

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - 204.12.252.99, parked there is also windowssp3download .com - Email: contact@subarutechs.com
winrescueupdate .com/download/winlogo.bmp - 89.248.162.147

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the following scareware domains:

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. 

Tuesday, December 22, 2009

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I've been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang and the actual Koobface botnet activity that's been taking place there for months, pinged me with an interesting email: "Riccom are now gone" (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing the malicious activity taking place there.

Since I've been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobface botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief retrospective of the malicious activity that took place there.

Malicious activity I've been analyzing since August, 2009:
Clearly, in terms of cybercrime, especially one that's monetizing an asset with liquidity as high as scareware's, "better late than never" doesn't sound very appropriate.

Image courtesy of TrendMicro's The Heart of Koobface - C&C and Social Network Propagation report.



Monday, December 21, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Four

Good traditions are not meant to be broken, in particular the "Diverse Portfolio of Fake Security Software" series. And with scareware losses to customers already (conservatively) estimated at $150 million, combined with the overwhelming evidence of scareware becoming the monetization method of choice for the majority of cybercriminals gathered throughout the entire year - in 2010 we'll see the peak of a fully matured business model that's offering one of the highest payout rates within the underground marketplace.

How can this underground business model be undermined? By hitting the "beehive" rather than the campaign of a particular "bee", and by disrupting the monetization flow, ultimately leaving the "beehive" with hundreds of thousands of "bees" actively infecting without the opportunity to collect the cash flow, thereby putting it in a position where the "beehive" becomes unable to pay the commissions to the "bees" in the first place.

Moreover, raising awareness of the most efficient and profitable monetization tactic used by cybercriminals, scareware (The Ultimate Guide to Scareware Protection), is crucial for filling in the gaps, since in its current form scareware is driven exclusively by social engineering tactics and aggressive traffic hijacking campaigns.

What's to come in 2010 anyway? It's the culmination of a year and a half of research. Stay tuned folks!

The following scareware domains have been recently observed in active campaigns online:

78.46.254.18/96.9.180.102 - AS24940/HETZNER-AS Hetzner Online AG RZ/AS21788 BurstNet Technologies, Inc.


The scareware domains portfolio profiled in the "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" post parked at 193.104.110.50, has many new typosquatted additions to it:

193.104.110.50 - AS50073/SOFTNET Software Service Prague s.r.o.

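The typosquatted portfolio above lends itself to lexical clustering. The following is an added Python example, not code from the original post: it reduces each defanged domain to a stem and groups variants that differ only in year, hyphenation, TLD or a trailing serial letter, so an analyst can see the handful of "brands" behind dozens of registrations. The sample portfolio is constructed for the example.

```python
"""Lexical clustering of a scareware domain portfolio.

Added example, not code from the original post. Each domain (in the
post's defanged "pc-scanner-2010 .biz" style) is reduced to a stem by
dropping the TLD, hyphens and digit runs; stems that differ only in a
final variant letter are then merged, so typosquatted and serialised
variants fall into one family. SAMPLE_DOMAINS is constructed.
"""
import os
import re
from collections import defaultdict

# Constructed sample, following the naming patterns seen in the post.
SAMPLE_DOMAINS = [
    "advanced-virusremover2009 .com",
    "advancedvirus-remover2009 .com",
    "advanced-virus-remover-2011 .com",
    "pc-scanner2010 .biz",
    "pc-scanner-2010 .org",
    "pc-scanner-2012 .net",
    "downloadavr5 .com",
    "downloadavr20 .com",
    "av-scannerx .com",
    "av-scannerz .com",
    "titan-antivirus .com",
]


def refang(domain: str) -> str:
    """Turn 'pc-scanner2010 .biz' into 'pc-scanner2010.biz' (lower-cased)."""
    return re.sub(r"\s*\.\s*", ".", domain.strip()).lower()


def stem_of(domain: str) -> str:
    """Strip TLD, hyphens and digit runs: 'pc-scanner-2010.biz' -> 'pcscanner'."""
    label = refang(domain).rsplit(".", 1)[0]
    return re.sub(r"\d+", "", label.replace("-", ""))


def same_family(a: str, b: str) -> bool:
    """Stems match if equal, or if they differ only in one trailing variant
    letter (av-scannerx vs av-scannerz, titan-antivirus vs titan-antivirusv).
    Short stems are never merged this way, to avoid accidental collisions."""
    if a == b:
        return True
    if min(len(a), len(b)) < 6:
        return False
    return a[:-1] == b[:-1] or a == b[:-1] or b == a[:-1]


def cluster_families(domains):
    """Return {family_stem: sorted list of refanged member domains}."""
    stems = {d: stem_of(d) for d in domains}
    uniq = sorted(set(stems.values()))
    parent = {s: s for s in uniq}          # union-find over distinct stems

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for i, a in enumerate(uniq):
        for b in uniq[i + 1:]:
            if same_family(a, b):
                parent[find(b)] = find(a)

    groups = defaultdict(list)
    for d, s in stems.items():
        groups[find(s)].append(d)

    families = {}
    for members in groups.values():
        # Name the family by the prefix its member stems share.
        key = os.path.commonprefix([stems[d] for d in members])
        families[key] = sorted(refang(d) for d in members)
    return families


if __name__ == "__main__":
    for key, members in sorted(cluster_families(SAMPLE_DOMAINS).items()):
        print(f"{key:24s} {len(members):2d}  {', '.join(members)}")
```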

The Koobface gang has not only migrated the domains that weren't suspended from the previous "Koobface Botnet's Scareware Business Model - Part Two" post, but has also introduced new ones on the new IPs:

193.169.235.5/93.174.95.191 - AS32181/ASN-CQ-GIGENET ColoQuest/GigeNet ASN

Some of these are actively redirecting to another recently updated .cn portfolio, once again maintained by the Koobface gang, parked at 193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN:

Another portfolio is parked at 193.169.13.200, our "dear friends" AS5577 - ROOT eSolutions:

193.104.153.245 - AS5577 - ROOT eSolutions

89.248.160.153 - AS29073/ECATEL-AS , Ecatel Network
do-fastscannow .net - Email: gkook@checkjemail.nl
do-speedscan .net - Email: gkook@checkjemail.nl
do-speedscan-search .com - Email: gkook@checkjemail.nl
iwillcheck-it .com - Email: gkook@checkjemail.nl
systemscan-check .net - Email: gkook@checkjemail.nl
zguarddata .com - Email: gkook@checkjemail.nl

193.106.32.10 - TELECOMPO, spol. s r.o.
antyspywaretoday .net - Email: willistbatiste@dodgit.com
an-ty-virusblog .net - Email: brendapwhite@dodgit.com
securitysoftshop .net - Email: milagrosrporter@pookmail.com
theantispywaresoft .com - Email: danhjones@gmail.com

88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG RZ


88.198.160.57 - AS24940/HETZNER-AS Hetzner Online AG RZ


Sample detection rate: SetupAdvancedVirusRemover.exe; Install.exe; Install(1).exe

Upon execution the samples phone back to:
downloadavr20 .com/loads.php?code=000NULL
downloadavr20 .com/dfghfghgfj.dll
downloadavr20 .com/cgi-bin/download.pl?code=000NULL
testavrdown .com/cgi-bin/get.pl?l=000NULL


Sample detection rate for the dropped files: SetupIS2010.exe; dfghfghgfj.dll

Hitting them where it hurts most -- the monetization flow -- since 2007. Domain suspension is in progress, the ISPs have been notified as usual.

Related posts:
The Ultimate Guide to Scareware Protection
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software


Monday, December 07, 2009

Celebrity-Themed Scareware Campaign Abusing DocStoc


UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying additional filtering to undermine its effectiveness.

Last week's "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" is now exclusively targeting the popular Docstoc document-sharing service. Naturally, this very latest campaign once again offers overwhelming evidence on the inner workings of the cybercrime ecosystem, in this particular case, the connection between the Koobface gang and money mule recruitment campaigns.

So let's cut to the chase before we expose the entire campaign, and have all the involved profiles removed. One of the most popular bogus video site links embedded in these documents, wildyourvideo .com (188.130.250.246; gevtone@gmail.com), is using NS1.FUCKABUSE .BIZ (abusehostserver@gmail.com) as its nameserver. The same email was also used to register some of the client-side exploit serving domains that were part of the Koobface drive-by download experiment, and is also known to have been used in registering money-mule recruitment domains.

Automatically registered Docstoc accounts involved:


Sampled accounts are currently advertising some of the following domains, among them wildyourvideo .com (188.130.250.246; gevtone@gmail.com), where the malware is obtained from technologyplayer .com/xvidplayer.45206.exe, which phones back to:

central-arts-gallery .com - 216.240.146.126 - aproctor@who.net
gold-ballade-art .com - 66.199.229.230 - madkins@outgun.com
global-arts-area .com - 64.27.5.204 - tcrotts@safrica.com

Related Docstoc accounts also link to two Blogspot accounts - carrie-prejean-sex-tapes .blogspot.com; carrie-prejean-sextape-video-free .blogspot.com advertising tv-world-online .net - 58.218.199.186 - breathy3@gmail.com with the malware obtained from freebigutilites .com/install_ActiveX.45171.exe.

Parked on 58.218.199.186 are also related domains, with money-mule recruitment domain involvement:

The malware download domain freebigutilites .com resolves to 69.10.41.147; parked on the same IP are the rest of the domains used in this and related campaigns:

Docstoc has been notified of the involved usernames, and should take action against them quickly. Naturally, the attacks would continue due to the apparent outsourcing of the CAPTCHA solving process.
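The connections drawn in this post (a bogus video domain, its nameserver, exploit-serving domains and money-mule recruitment domains tied together by one reused registrant email, and further domains tied by shared hosting IPs) are the result of pivoting on shared selectors. The following is an added Python example, not the post's own code, that builds such a pivot graph from WHOIS-style records; every record, email and IP in it is a constructed placeholder, not a value from the post.

```python
"""Pivoting on shared registrant e-mails and hosting IPs.

Added example, not code from the original post. Given WHOIS-style
records tagged with the campaign each domain was first seen in, it
reports (a) which selectors are shared by more than one domain,
(b) which of those bridge different campaigns, and (c) the resulting
connected clusters of domains. All records below are constructed.
"""
from collections import defaultdict
from typing import NamedTuple, Optional


class Record(NamedTuple):
    domain: str
    ip: str
    email: Optional[str]
    campaign: str  # analyst label for where the domain was observed


# Constructed sample: a registrant e-mail reused across a bogus video site,
# a nameserver and an exploit domain, plus an IP shared with a mule domain.
SAMPLE_RECORDS = [
    Record("fake-video-site.example", "198.51.100.10", "reg-a@example.net", "scareware"),
    Record("ns1.bulletproof.example", "198.51.100.11", "reg-a@example.net", "nameserver"),
    Record("exploit-kit.example", "203.0.113.5", "reg-a@example.net", "drive-by"),
    Record("payment-agent-jobs.example", "203.0.113.5", "reg-b@example.net", "money-mule"),
    Record("reship-jobs.example", "198.51.100.20", "reg-b@example.net", "money-mule"),
    Record("unrelated.example", "192.0.2.9", "reg-c@example.net", "noise"),
]


def build_pivots(records):
    """Map each selector ('email'/'ip', value) to the records carrying it,
    keeping only selectors shared by at least two domains."""
    pivots = defaultdict(list)
    for r in records:
        if r.email:
            pivots[("email", r.email.lower())].append(r)
        pivots[("ip", r.ip)].append(r)
    return {k: v for k, v in pivots.items() if len(v) > 1}


def cross_campaign_pivots(records):
    """Selectors that connect more than one campaign label, most-bridging
    first. Each entry: (selector, sorted campaigns, sorted domains)."""
    out = []
    for sel, recs in build_pivots(records).items():
        campaigns = sorted({r.campaign for r in recs})
        if len(campaigns) > 1:
            out.append((sel, campaigns, sorted(r.domain for r in recs)))
    return sorted(out, key=lambda t: (-len(t[1]), t[0]))


def connected_clusters(records):
    """Union domains that share any selector; returns sorted domain clusters."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for recs in build_pivots(records).values():
        root = find(recs[0].domain)
        for r in recs[1:]:
            parent[find(r.domain)] = root

    clusters = defaultdict(list)
    for r in records:
        clusters[find(r.domain)].append(r.domain)
    return sorted(sorted(v) for v in clusters.values())


if __name__ == "__main__":
    for sel, campaigns, domains in cross_campaign_pivots(SAMPLE_RECORDS):
        print(f"{sel[0]}={sel[1]} bridges {campaigns}: {domains}")
    for cluster in connected_clusters(SAMPLE_RECORDS):
        print("cluster:", cluster)
```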

Related posts:
The Ultimate Guide to Scareware Protection
Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  


Keeping Reshipping Mule Recruiters on a Short Leash

Following my previous "Keeping Money Mule Recruiters on a Short Leash" and "Standardizing the Money Mule Recruitment Process" posts, the campaigners behind the previously exposed money-mule recruitment domains looking for "payment processing assistants" are now also looking for "mailing assistants" to reship items fraudulently purchased using stolen financial data.

What happens once they standardize the practice? The network of reshipping mules ends up behind a web-based command and control interface, allowing the customers of the mule recruitment syndicate to easily monitor the activity around their fraudulently purchased goods. In both of these models, the single most evident benefit for the cybercriminal remains the forwarding of the entire risk to the employee who is unknowingly participating in the cybercrime ecosystem.

Some of the new and currently active reshipping mule recruitment brands include - Total River Goods, Fargo River Goods, Irish River Goods and Parcel Alliance. Here's how they describe themselves:

"As an independent logistics provider, Total River Goods offers supply logistics management and transportation management services including: freight forwarding, packages forwarding, parcel forwarding, postal services and other postal services. Total River Goods is the world's active developer of retail shipping, business and postal online service centers. Since development began in 2000 we listened to our clients and developed our services based on feedback we have received. Our service evolved through the years and at this moment of time looks and feels how our customers want.

After many years of development and testing, in 2008 we released our online shipping service. With the new online service Total River Goods is a true virtual mail service. We are constantly adding to our services ensuring that we will stay the market leader. Please feel free to contact us if you have any questions or comments. Unlike many other online organizations, we have a goal to reply to all queries within 24 to 48 hours, including business days and weekends."

Domains involved:
totalrivergoods .com - 94.103.90.130 - Email: justin_dickerson@ymail.com - used in money-mule recruitment domain registration
fargorivergoods .com - 94.103.90.130 - Email: williamashley40@yahoo.com
parcelalliance .com - 94.103.90.200 - domainprivate@communigal.com
irishrivergoods .com - 94.103.90.130 - Email: MarcusStraker909@gmail.com - used in money-mule recruitment domain registration
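The post links these brands to one operator by the hosting IP they share and by registrant e-mails reused across recruitment domains, while setting aside a privacy-proxy address that proves nothing. The following is an added example (not code from the original post) that automates that pivot over WHOIS-style records; the records, IPs and e-mail addresses in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed WHOIS-style records (domain, hosting IP, registrant e-mail);
# placeholders, not the post's data.
RECORDS = [
    ("total-goods.example", "192.0.2.10", "reg-a@example.net"),
    ("fargo-goods.example", "192.0.2.10", "reg-b@example.net"),
    ("irish-goods.example", "192.0.2.10", "reg-c@example.net"),
    ("parcel-alliance.example", "192.0.2.20", "privacy@example.org"),
    ("mule-recruit.example", "198.51.100.5", "reg-c@example.net"),
    ("unrelated-shop.example", "203.0.113.7", "owner@example.com"),
]

# Privacy-proxy addresses are shared by unrelated registrants; never pivot on them.
PRIVACY_EMAILS = {"privacy@example.org"}

def cluster_domains(records, privacy_emails=PRIVACY_EMAILS):
    """Group domains that share a hosting IP or a non-privacy registrant e-mail
    (union-find). Returns (clusters sorted largest first, pivot -> domains)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_ip, by_email = defaultdict(list), defaultdict(list)
    for domain, ip, email in records:
        find(domain)  # register every domain, even ones that link to nothing
        by_ip[ip].append(domain)
        if email not in privacy_emails:
            by_email[email].append(domain)
    pivots = {}
    for key, members in list(by_ip.items()) + list(by_email.items()):
        if len(members) > 1:
            pivots[key] = sorted(members)
            for other in members[1:]:
                parent[find(other)] = find(members[0])
    clusters = defaultdict(list)
    for domain, _ip, _email in records:
        clusters[find(domain)].append(domain)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True), pivots
```

On the constructed records the three goods brands join through the shared IP, the recruitment domain joins them through a reused registrant address, and the privacy-protected domain stays on its own.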

Thanks to Derek from aa419.org for the ping. 

Related posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations


Thursday, December 03, 2009

Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd


UPDATED: DocStoc has removed all the participating profiles and their documents.

A currently ongoing scareware campaign is using celebrity-themed blackhat SEO tactics in order to hijack legitimate traffic by abusing the popular DocStoc and Scribd document-sharing services. What's the single most interesting thing about this campaign? The fact that one of the domains parked on the same IP as the rest of the malware- and exploit-serving ones (which naturally multitask and engage in drive-by attacks), newsoff .net, has been registered with the same email, pvcprotect@gmail.com, as the original gumblar .cn domain.

Once the user clicks on the bogus video window embedded as an active document, which, as a matter of fact, doesn't issue any warning that the user is leaving the site, a redirection takes place through shurus .net/in.cgi?3 -> b.corlock .net/main.html (188.165.65.173 - Email: jessica357ass@gmail.com), where the user is asked to download load.exe.

Parked on the same IP is the rest of the domains portfolio, which is also involved in separate drive-by campaigns:

Sample Scribd activity per username:
lupan13 - 1,148 documents; 3,301 total reads
jess357 - 877 documents; 15,202 total reads
mumukan - 875 documents; 19,791 total reads
cekalo - 874 documents; 2,926 total reads

Sample Docstoc activity per username:
valaman - Docs: 460; Views: 13224
zalupa - Docs: 407; Views: 14397
monilit - Docs: 871; Views: 5265
babaka - Docs: 252; Views: 183
namaska - Docs: 139; Views: 8
rumaska - Docs: 829; Views: 172
zuzya - Docs: 748; Views: 280
malina13 - Docs: 66; Views: 15377
yoqeojegu - Docs: 9; Views: 3284
ryjokoleqayebi - Docs: 10; Views: 326
jopan13 - Docs: 397; Views: 43876
iculyodysocehi - Docs: 10; Views: 3721
lupan13 - Docs: 414; Views: 29275

Upon execution, it drops the Home AntiVirus 2010 scareware, which features a "Spyware Alert!" security warning explaining the dangers of Worm.Win32.NetSky. The scareware (SetupAdvancedVirusRemover.exe) is downloaded from downloadavr13 .com - 193.104.110.50 - Email: noxim@maidsf.ru. Parked on the same IP is a well known portfolio of scareware domains, first observed in July and most recently in September:


DocStoc and Scribd have been notified.

Related posts:
The Ultimate Guide to Scareware Protection
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  


Wednesday, December 02, 2009

Pushdo Injecting Bogus Swine Flu Vaccine

In the spirit of systematically introducing new themes in order to serve the ubiquitous crimeware releases, the Pushdo botnet has now switched to a State Vaccination H1N1 Program campaign, serving a vacc_profile.exe sample.

Sample subject: State Vaccination Program; Governmental registration program on the H1N1 vaccination
Sample message: "You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people. Create your Personal H1N1 Vaccination Profile using the link."

Subdomain structure used (the legitimate-looking online.cdc.gov prefix is attached to each attacker-controlled domain, so the hostname starts with the real CDC name but resolves under a .be or .im registration):



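The subdomain trick above, a trusted name used as the leftmost labels of a hostname whose registrable domain belongs to the attacker, is something mail gateways and proxy logs can check for mechanically. Here is an added example (not code from the original post) that does so; the public-suffix table is a constructed, deliberately tiny stand-in for the real Public Suffix List and the sample hostnames are constructed.

```python
from typing import Optional

# Constructed stand-in for the Public Suffix List: only the suffixes that
# occur in this campaign (.be, .im and its second-level registries) plus the
# ones the brand and samples need. Real deployments should load the full PSL.
PUBLIC_SUFFIXES = {"be", "im", "co.im", "com.im", "net.im", "org.im",
                   "uk", "co.uk", "me.uk", "gov", "com"}

def registrable_domain(hostname: str) -> Optional[str]:
    """Longest matching public suffix plus one label, e.g.
    online.cdc.gov.lure.co.im -> lure.co.im; None if malformed or a bare suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])  # unknown TLD: assume a plain two-label rule

def embedded_brand(hostname: str, brand_domains) -> Optional[str]:
    """Return the brand domain whose labels sit, contiguously, in the subdomain
    part of hostname while the registrable domain belongs to someone else.
    A genuine host under the brand's own domain returns None."""
    reg = registrable_domain(hostname)
    if reg is None:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    sub = labels[: len(labels) - len(reg.split("."))]
    for brand in brand_domains:
        b = brand.lower().split(".")
        if reg == brand.lower():
            continue
        if any(sub[j:j + len(b)] == b for j in range(len(sub) - len(b) + 1)):
            return brand.lower()
    return None

# Constructed sample hostnames modelled on the campaign's pattern (not from the post).
SAMPLE_HOSTS = [
    "online.cdc.gov",                     # genuine host
    "online.cdc.gov.example-lure.be",     # brand labels as subdomain of a .be
    "online.cdc.gov.example-lure.co.im",  # same under a second-level suffix
    "www.example.com",                    # unrelated
]

def scan(hostnames, brand_domains=("cdc.gov",)):
    """Map each hostname to the brand it impersonates, or None if it is clean."""
    return {h: embedded_brand(h, brand_domains) for h in hostnames}
```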
Actual domains involved:

DNS SERVERS OF NOTICE:


Upon execution, the sample phones back to 193.104.41.75/kissme /rec.php and 193.104.41.75 /ip.php, while attempting to download promed-net .com/css/absderce2.exe and 193.104.41.75/ cbd/75.bro. The IP itself is already blacklisted by the Zeus Tracker, as is related activity on the same netblock, AS49934 (VVPN-AS PE Voronov Evgen Sergiyovich).

Related posts:
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Monday, November 30, 2009

Summarizing Zero Day's Posts for November

The following is a brief summary of all of my posts at ZDNet's Zero Day for November.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

Notable articles include: Windows 7's default UAC bypassed by 8 out of 10 malware samples and Man-in-the-middle attacks demoed on 4 smartphones.

01. iHacked: jailbroken iPhones compromised, $5 ransom demanded
02. Which antivirus is best at removing malware?
03. Windows 7's default UAC bypassed by 8 out of 10 malware samples
04. Source code for ikee iPhone worm in the wild
05. Commercial spying app for Android devices released
06. Man-in-the-middle attacks demoed on 4 smartphones
07. Thousands of web sites compromised, redirect to scareware -- the latest virtual smoking gun of the Koobface gang
