Thursday, July 30, 2009

Social Engineering Driven Web Malware Exploitation Kit
The standardization through template-ization of bogus codec/flash player/video pages, taking place during the past two years, has exponentially increased the efficiency levels of malware campaigns relying exclusively on social engineering.

Just like phishing pages being commodity, these commodity spoofs of legitimate software/plugins relying on "visual social engineering" represent a market segment by themselves, one that some cybercriminals have been attempting to monetize for a while.

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.
Although the kit's author has ripped off the statistics interface of a well known exploit-serving malware kit, what's unique about this release is that its "exploit modules" are social engineering templates: "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", "Outdated Video Codec" and "Codec Required".

These very same modules represent the dominant social engineering attack vector on the Internet, thanks to the quality of the spoofs and to end users' gullibility in infecting themselves. For the time being, the author appears to be an opportunist rather than someone interested in setting new benchmarks for standardized social engineering by using the efficiency and delivery methods offered by a web malware exploitation kit.

Interestingly, a huge number of fake codec serving web sites already detect the visitor's OS/browser and serve either Mac OS X based or Windows based malware according to that detection. Neither this, nor the fact that visual spoofs of OS X-style dialogs are also being template-ized, is a coincidence: both signal an efficient, social engineering driven malware delivery mechanism in the works. The development of the kit will be monitored and updates posted, if any.
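As an added example (not code from the post or from the kit it describes) of how a defender can spot the OS/browser-dependent serving described above in web proxy logs: it reconstructs landing-page-to-download hops per client and flags landing URLs whose payload differs by visitor OS family. The log format, hostnames and file names below are constructed placeholders, not indicators from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: ts client method url status content_type "user_agent"
SAMPLE_LOG = """\
2009-07-30T10:00:01 10.0.0.5 GET http://example-tube.test/xplay.php?id=1 302 text/html "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
2009-07-30T10:00:02 10.0.0.5 GET http://example-exe.test/codec.exe 200 application/octet-stream "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
2009-07-30T10:00:07 10.0.0.9 GET http://example-tube.test/xplay.php?id=1 302 text/html "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5)"
2009-07-30T10:00:08 10.0.0.9 GET http://example-exe.test/codec.dmg 200 application/x-apple-diskimage "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5)"
2009-07-30T10:01:00 10.0.0.7 GET http://example-news.test/index.html 200 text/html "Mozilla/5.0 (Windows; U; Windows NT 6.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$')
# Content types that indicate an executable/disk-image download (assumed set).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-apple-diskimage"}

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def os_family(ua):
    """Coarse OS classification from the User-Agent, mirroring what the fake codec sites key on."""
    if "Windows" in ua:
        return "windows"
    if "Mac OS X" in ua:
        return "macosx"
    return "other"

def find_os_cloaked_landings(log_text, landing_hint="xplay.php", window_s=5):
    """Return landing URLs that led to different payloads for different OS families."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_client = defaultdict(list)
    for r in recs:
        by_client[r["client"]].append(r)
    served = defaultdict(lambda: defaultdict(set))  # landing -> os -> payload urls
    for reqs in by_client.values():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            if landing_hint not in r["url"]:
                continue
            for nxt in reqs[i + 1:]:  # downloads shortly after the landing hit
                if (nxt["ts"] - r["ts"]).total_seconds() > window_s:
                    break
                if nxt["ctype"] in PAYLOAD_TYPES:
                    served[r["url"]][os_family(r["ua"])].add(nxt["url"])
    return {url: {fam: sorted(p) for fam, p in fams.items()}
            for url, fams in served.items() if len(fams) > 1}
```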

Meanwhile, the recent blackhat SEO campaign that attempted to hijack 'Harry Potter and the Half-Blood Prince' related traffic is a good example of how, despite the magnitude of a campaign (hundreds of thousands of indexed, malware serving pages), manual campaign management and the resulting centralized nature make it easier to shut down.

Upon clicking on a link, the end user was redirected to usa-top-news .info - 67.228.147.71 - Email: fullhdvid@gmail.com, then to world-news-scandals .com - Email: wnscandals@gmail.com, and finally to tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 - Email: j0cqware@gmail.com, where the codec was served from exefreefiles .com - 95.211.8.20 - Email: case0ns@gmail.com. More codec serving domains are parked on the same two IPs.

The gang maintains another, rather descriptively named domain portfolio for phone-back and direct fake codec serving purposes.

Who's behind these domains and the Harry Potter blackhat SEO campaign? But "of course", it's the "fan club" with the Koobface connection, continuing to use the same phone-back locations they've been using for the past couple of months: myart-gallery .com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; robert-art .com/senm.php - 66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 216.240.146.119 - Email: chucjack@gmail.com.

This post has been reproduced from Dancho Danchev's blog.