Wednesday, June 17, 2009

From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

UPDATE: In less than half an hour upon notification, Twitter and LinkedIn have already removed the bogus accounts.

UPDATE2: Forty five minutes later Scribd removes the bogus accounts.

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybecriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-boss.com.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (64.86.17.47) with a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

Initialization_failed C:\WINDOWS\system32\himem.sys

If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software.
"

The messaged used in the weekend's Twitter campaign, as well as a graph on the peaks and downds for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:
twitter .com/wenning351
twitter .com/ula475
twitter .com/escher338
twitter .com/ochs40
twitter .com/karlen131
twitter .com/cordes904
twitter .com/hecker905
twitter .com/bohl566
twitter .com/sattler649
twitter .com/hildegard115
twitter .com/andreas281
twitter .com/wassermann38
twitter .com/rummel980
twitter .com/guilaine896
twitter .com/orlowski781
twitter .com/rupette972
twitter .com/holzner473
twitter .com/dumke576
twitter .com/hilgers465
twitter .com/heese157
twitter .com/meier679
twitter .com/habel896
twitter .com/holzinger567
twitter .com/wilhelm578
twitter .com/dearg450
twitter .com/habicht717
twitter .com/ferde373
twitter.com/hass323
twitter .com/heckmann918
twitter .com/bruna555
twitter .com/wilbert25
twitter .com/eckart412
twitter .com/sperlich374
twitter .com/jahn562
twitter .com/ludvig30
twitter .com/bing274
twitter .com/fett628
twitter .com/brock93
twitter .com/mally981
twitter .com/merle752
twitter .com/axmann101
twitter .com/pelz478
twitter .com/renaud687
twitter .com/wienke879
twitter .com/hartinger619
twitter .com/chriselda988
twitter .com/kloos267
twitter .com/dreyer15
twitter .com/herta740
twitter .com/brauer427

twitter .com/nadina732
twitter .com/wenda245
twitter .com/rieken434
twitter.com/reinhard192
twitter .com/plath132
twitter .com/bick497
twitter .com/johannsen747
twitter .com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn  82.146.52.158 - Email: alexvasiliev1987@cocainmail.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows, it's also worth pointing out that compared to their previous campaigns, in this way they've included relevant backgrounds and avatars to the Twitter accounts:
twitter .com/AshleyTisdal1
twitter .com/AnnaNicoleSmit
twitter .com/ParisHiltonjpg1
twitter .com/ParisHiltonmov1
twitter .com/ParisHiltonNake
twitter .com/ParisHiltonSex1
twitter .com/ParisHiltonNud2
twitter .com/ParisSexTape2
twitter .com/Britneynipslip1
twitter .com/Britneywomani
twitter .com/Britneystrip1
twitter .com/BritneySex
twitter .com/Britneycomix
twitter .com/Britneywomaniz
twitter .com/BritneyNaked2
twitter .com/britneysextape
twitter .com/BritneyxSpears1
twitter .com/Britneydesnuda1


twitter .com/LopezAss
twitter .com/jennifermorriso
twitter .com/JenniferTilly2
twitter .com/AnistonSexscen
twitter .com/AnistonBangs
twitter .com/JenniferTilly1
twitter .com/Jennifernude
twitter .com/JenniferConnel
twitter .com/JenniferGarner1
twitter .com/LopezNaked
twitter .com/AnistonSexiest
twitter .com/JenniferAnisto4
twitter .com/JenniferToastee


twitter .com/JenniferAnisto2
twitter .com/LoveHewitt1
twitter .com/JenniferLoveH1
twitter .com/JenniferGreyn
twitter .com/1JenniferAnisto
twitter .com/2JenniferAnisto
twitter .com/1JenniferLopez
twitter .com/Lopedesnuda1
twitter .com/ElishaCuthbert3


twitter .com/ElishaCuthbert1
twitter .com/AlysonHannigan2
twitter .com/AliciaMachado
twitter .com/AliLarterNaked
/twitter .com/AliLarterNude
twitter .com/MelissaJoanha
twitter .com/AishwaryaRaiN1


Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 216.32.86.106 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241) parked at the same IP are also the following scareware domains:

uniqtrustedweb .com
hortshieldpc .com
securetopshield .com
gisecurityshield .com
ourbestsecurityshield .com
intellectsecfind .com
thesecuritytree .com
godsecurityarchive .com
besecurityguardian .com
thefirstupper .com
securityshieldcenter .com
bitsecuritycenter .com
joinsecuritytools .com
hupersecuritydot .com
bestyourtrust .com
thetrueshiledsecurity .com
souptotalsecurity .com
scantrustsecurity .com

 
The second bit .ly/1a5ZsY link used in the Twitter campaign, is redirecting to showmealltube .com/paqi-video/7.html - 64.92.170.135 Email: zbestgotterflythe@gmail.com.

From there, the redirector myhealtharea .cn/in.cgi?12 - 216.32.83.110 - zbest2008@mail.ru again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.

Currently active and participating LinkedIn accounts:
linkedin .com/in/rihannanude
linkedin .com/in/rihannanude2
linkedin .com/in/nudecelebs
linkedin .com/in/britneyspearsnudee
linkedin .com/in/pamelaandersonnudee
linkedin .com/in/nudepreteen2
linkedin .com/in/tilatequilanudee
linkedin .com/pub/beyonce-nude/14/b/952
linkedin .com/pub/child-nude/13/b4b/a16
linkedin .com/in/nudemodels

linkedin .com/in/preteennude
linkedin .com/in/mariahcareynude3
linkedin .com/in/nudeboys
linkedin .com/in/evamendesnude2
linkedin .com/in/nudebeaches
linkedin .com/in/nudebabes

linkedin .com/in/nudewomen2
linkedin .com/pub/ashley-tisdale-nude/13/b4b/762
linkedin .com/pub/mila-kunis-nude/13/b4a/b99
linkedin .com/pub/nude-kids/13/b4b/aa
linkedin .com/pub/young-nude-girls/13/b4a/6a
 
The LinkedIn campaign is linking to the delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 216.240.143.7, another IP that has already been profiled part of their previous campaigns.


Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both, Twitter's and LinkedIn's campaigns.

Currently active and participating Scribd accounts:
scribd .com/Stacy%20Keibler-nude
scribd .com/Vanessa_Hudgens%20nude
scribd .com/Jessica%20%20Simpson%20%20nude
scribd .com/MileyCyrus%20nude
scribd .com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd .com/Carmen%20%20Electra%20nude
scribd .com/Jennifer%20Anistonnude
scribd .com/Paris-Hilton-nude3
scribd .com/Vida%20%20Guerra%20%20nude
scribd .com/nude2
scribd .com/Kim%20%20Kardashian%20nude
scribd .com/ZacEfron%20nude
scribd .com/BritneySpears%20nude
scribd .com/Hilary-Duff-nude%202
scribd .com/Angelina-Jolie-nude11
scribd .com/Vanessa-Hudgens-nude2
scribd .com/Natalie-Portman-nude2
scribd .com/JessicaAlba%20nude
scribd .com/Jennifer-Love-Hewitt-nude11

scribd .com/Kim-Kardashian-nude2
scribd .com/Jessica-Alba-nude11s
scribd .com/JENNIFER%20LOPEZ%20NUDE3
scribd .com/Elisha%20%20Cuthbert%20%20nude
scribd .com/Paris-Hilton-nude1
scribd .com/HilaryDuff%20nude
scribd .com/Megan-Fox-nude2
scribd .com/Britney-Spears-nude1
scribd .com/Candice%20%20Michelle%20nude
scribd .com/Lindsay-Lohan-nude3
scribd .com/Mila-Kunis-nude2
scribd .com/Miley%20Cyrus%20nude
scribd .com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd .com/rihanna-nude2
scribd .com/Jenny%20Mccarthy%20nude
scribd .com/Kim%20%20Kardashian%20%20nude
scribd .com/Olsen-Twins-nude2
scribd .com/Brooke-Hogan-nude2

scribd .com/DeniseRichardsnude2
scribd .com/Scarlett%20Johansson%20nude

scribd .com/miley-cyrus-nude
scribd .com/Celebrity%20%20nude
scribd .com/Lindsay-Lohan-nude2
scribd .com/Tila%20Tequila%20nude
scribd .com/Ashley%20Tisdale%20nude
scribd.com/Angelina-Jolie-nude2
scribd .com/Denise-Richards-nude-2
scribd .com/Britney%20Spears%20nude
scribd .com/Hayden%20Panettiere%20nude
scribd .com/Carmen-Electra-nude1
scribd .com/Brooke-Burke-nude2

scribd .com/Megan%20Fox%20nude
scribd .com/JessicaSimpson%20nude
scribd .com/Kendra-Wilkinson-nude2
scribd .com/DeniseRichardsnude
scribd.com/AngelinaJolie%20nude
scribd.com/Kate%20Mara%20nude
scribd .com/Eva%20Green%20nude
scribd .com/Mariah%20Carey%20nude

scribd .com/Britney-Spears-nude2
scribd .com/Paris%20Hilton%20nude
scribd .com/CHristina%20Applegate%20nude
scribd .com/Billie%20Piper%20nude
scribd .com/Rosario%20Dawson%20nude

scribd .com/Anna%20Kournikova%20nude
scribd .com/Jennifer-Love-Hewitt-nude2
scribd .com/Kate%20Winslet%20nude
scribd .com/Carmen%20Electra%20nude
scribd .com/Jennifer%20Love%20Hewitt%20nude
scribd .com/Vida%20Guerra%20nude
scribd .com/AnneHathaway%20nude
scribd .com/JenniferLopez_nude
scribd .com/Trish%20Stratus%20nude
scribd .com/Lindsay_Lohannude
scribd .com/Pamela%20Anderson%20nude3
scribd .com/Jessica-Simpson-nude3

scribd .com/JENNIFER%20LOPEZ%20NUDE
scribd .com/CHristina%20Aguilera%20nude
scribd .com/hilary%20duff%20nude
scribd .com/MariahCarey%20nude
scribd .com/JohnCena%20nude
scribd .com/Halle%20Berry%20nude
scribd .com/Amanda%20%20Beard%20%20nude
scribd .com/Patricia%20%20Heaton%20%20nude
scribd .com/Madonna%20nude
scribd .com/JenniferLopez%20nude
scribd .com/DeniseRichards%20nude

scribd .com/PatriciaHeaton%20nude
scribd .com/Celebrity%20nude
scribd .com/TilaTequila_nude
scribd .com/Hayden-Panettiere-nude2
scribd .com/Brenda-Song-nude2
scribd .com/Demi%20Moore%20nude
scribd .com/celebrity%20nude%201
scribd .com/JenniferLove%20Hewitt%20nude
scribd .com/Ashley_Harkleroad%20nude
scribd .com/AudrinaPatridge%20nude
scribd .com/PamelaAnderson%20nude
scribd .com/Anna%20Nicole%20Smithnude
scribd .com/Meg%20Ryan%20nude
scribd .com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface.

Parked on 92.38.0.69 are also the following domains:
er20090515 .com
upr0306 .com
cgpay0406 .com
r-cgpay-15062009 .com
r-cg100609 .com
trisem .com
uprtrishest .com
upr15may .com
rd040609-cgpay .net


Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
92.255.131 .217/pid=30455/type=videxp/?ch=&ea=
92.255.131 .217/pid=30455/type=videxp/setup.exe
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=/setup.exe
189.97.106 .121/pid=30455/type=videxp/?ch=&ea=
189.97.106 .121/pid=30455/type=videxp/setup.exe
117.198.91 .99/pid=30455/type=videxp/?ch=&ea=
117.198.91 .99/pid=30455/type=videxp/setup.exe
79.18.18 .29/pid=30455/type=videxp/?ch=&ea=
79.18.18 .29/pid=30455/type=videxp/setup.exe
85.253.62 .53/pid=30455/type=videxp/?ch=&ea=
85.253.62 .53/pid=30455/type=videxp/setup.exe
79.164.220 .170/pid=30455/type=videxp/?ch=&ea=
79.164.220 .170/pid=30455/type=videxp/setup.exe
59.98.104 .129/pid=30455/type=videxp/?ch=&ea=
59.98.104 .129/pid=30455/type=videxp/setup.exe
78.43.24 .211/pid=30455/type=videxp/?ch=&ea=
78.43.24 .211/pid=30455/type=videxp/setup.exe
62.98.63 .254/pid=30455/type=videxp/?ch=&ea=
62.98.63 .254/pid=30455/type=videxp/setup.exe
84.176.74 .231/pid=30455/type=videxp/?ch=&ea=
84.176.74 .231/pid=30455/type=videxp/setup.exe

panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
managesystem32.com
napipsec.in
trialoc.in
pbcofig.in
pclxl.in
ifxcardm.in
ifmon.in
panmap.in
moricons.in
oeimport.in
ncprov.in


The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location:- upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 92.38.0.69; 61.235.117 .71/files/pdrv.exe

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, however, parked on the same IP as a previously analyzed redirector maintained bot the group.

A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 91.207.61.48 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com serving a fake codec, and is also using the universal counter serving maintained by group counteringate .com/count.php?id=308.

A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP mainted by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 83.133.123.140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
bestantiviruscheck2 .com
securitypcscanner2 .com
fastpcscan3 .com
goodantivirusprotection3 .com
antimalware-online-scanv3 .com
anti-malware-internet-scanv3 .com
antimalwareinternetproscanv3 .com
antimalwareonlinescannerv3 .com
anti-virussecurity3 .com
bestantispywarescanner4 .com
fastsecurityupdateserver .com


Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more scareware is parked, with the domains known from previous campaigns:
bestwebsitesin2009 .com
live-payment-system .com
bestbuysoftwaresystem .com
antiviruspaymentsystem .com
bestbuysystem .com
homeandofficefun .com
advanedmalwarescanner .com
allinternetfreebies .com
goldeninternetsites .com
primetimeworldnews .com
liveavantbrowser2 .cn
momentstohaveyou .cn
worldofwarcry .cn
awardspacelooksbig .us


The affected services have been notified, blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment