UPDATE2: Forty-five minutes later Scribd removes the bogus accounts.
As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybercriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.
Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The arbitrary file download exploits targeting the Microsoft Data Access Components (MDAC) are used to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.
Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.
Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (184.108.40.206), where a new template is served (FakeAlert-EA).
Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days:
"A problem has been detected and windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."
The messages used in the weekend's Twitter campaign, as well as a graph on the peaks and downs for a particular keyword:
"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"
Sample (now suspended) automatically registered accounts used in the weekend's campaign:
Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 220.127.116.11 - Email: email@example.com; 5us .us - 18.104.22.168 - Email: firstname.lastname@example.org, and girlstubes .cn 22.214.171.124 - Email: email@example.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.
Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (126.96.36.199) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.
It's worth pointing out that, compared to their previous campaigns, in this one they've included relevant backgrounds and avatars in the Twitter accounts. The automatically registered and currently active Twitter accounts participating in the campaign are as follows:
Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 188.8.131.52 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz, which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (184.108.40.206). Parked at the same IP are also the following scareware domains:
The second bit .ly/1a5ZsY link used in the Twitter campaign is redirecting to showmealltube .com/paqi-video/7.html - 220.127.116.11 Email: firstname.lastname@example.org.
From there, the redirector myhealtharea .cn/in.cgi?12 - 18.104.22.168 - email@example.com again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (22.214.171.124).
Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.
Currently active and participating LinkedIn accounts:
The LinkedIn campaign is linking to delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 126.96.36.199 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 188.8.131.52, another IP that has already been profiled as part of their previous campaigns.
Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both the Twitter and LinkedIn campaigns.
Currently active and participating Scribd accounts:
Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing the live exploits serving Koobface samples based on a bit.ly referrer. In this case the process takes place through myhealtharea .cn/in.cgi?13, which, instead of redirecting to a scareware domain as analyzed above, redirects to a fast-fluxed set of IPs serving an identical Koobface binary: myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (184.108.40.206), which redirects to the live exploits/Koobface.
Parked on 220.127.116.11 are also the following domains:
Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 18.104.22.168 - firstname.lastname@example.org
Parked on 22.214.171.124 are also:
The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location: upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 126.96.36.199; 61.235.117 .71/files/pdrv.exe
To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, which is, however, parked on the same IP as a previously analyzed redirector maintained by the group.
A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 188.8.131.52 - Email: email@example.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 184.108.40.206 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 220.127.116.11 - Email: firstname.lastname@example.org serving a fake codec, and is also using the universal counter maintained by the group, counteringate .com/count.php?id=308.
A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP maintained by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 18.104.22.168 - known from previous campaigns.
The redirectors lead to anti-virussecurity3 .com - 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
Personal Antivirus then phones back to startupupdates .com - 220.127.116.11 where more scareware is parked, with the domains known from previous campaigns:
The affected services have been notified; blacklisting and take down of the participating domains is in progress.
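The "connect the dots" step used throughout this post, pivoting on hosts that several campaigns share, can be reproduced in a few lines. The following is an added example, not code from the original post: the campaign labels are made up, the host lists are a subset of the defanged hostnames quoted above, and it pivots on hostnames only, not on IPs.

```python
import re
from collections import defaultdict

# Hosts per campaign, copied from the write-up in its defanged form
# ("name .tld"). Campaign labels are hypothetical names for this example.
CHAINS = {
    "twitter-Je2Sd": ["oymomahon .com", "myhealtharea .cn",
                      "oymoma-tube .freehostia.com", "totalsitesarchive .com"],
    "twitter-1a5ZsY": ["showmealltube .com", "myhealtharea .cn",
                       "oymoma-tube.freehostia .com", "counteringate .com"],
    "linkedin": ["delshikandco .com", "myhealtharea .cn", "tubes-portal.com"],
    "scribd": ["delshikandco .com"],
    "is-the-boss-1": ["engseo .net", "warwork .info", "counteringate .com"],
    "is-the-boss-2": ["goldeninternetsites .com", "anti-virussecurity3 .com",
                      "startupupdates .com"],
}

def normalize(host):
    """Drop defanging spaces and lowercase, so variants of one host match."""
    return re.sub(r"\s+", "", host).lower()

def shared_hosts(chains):
    """Return {host: sorted campaign labels} for hosts seen in 2+ campaigns."""
    seen = defaultdict(set)
    for campaign, hosts in chains.items():
        for host in hosts:
            seen[normalize(host)].add(campaign)
    return {h: sorted(c) for h, c in seen.items() if len(c) > 1}

def cluster(chains):
    """Group campaigns linked, directly or transitively, by a shared host."""
    parent = {c: c for c in chains}

    def find(c):  # union-find root lookup with path halving
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    for campaigns in shared_hosts(chains).values():
        for other in campaigns[1:]:
            parent[find(other)] = find(campaigns[0])
    groups = defaultdict(list)
    for c in chains:
        groups[find(c)].append(c)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster(CHAINS):
        print(group)
```

The second is-the-boss.com campaign stays in its own cluster here because the post ties it to the group through a shared IP, which a hostname-only pivot cannot see.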
This post has been reproduced from Dancho Danchev's blog.