Wednesday, September 16, 2009

Koobface Botnet's Scareware Business Model

UPDATE1: TrendMicro just confirmed the ongoing double-layer monetization of Koobface. Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, followd by two recently updated Koobface components.

The new scareware domains kjremover .info; lrxsoft .info - 212.117.160.21 - Email: niclas@i.ua actually download it from the well known q2bf0fzvjb5ca .cn portfolio, which phones back to the same domains listed previously, with only a slight change in the filename - urodinam .net/8732489273.php. The generic detection rate for the updated components (61.235.117.83 /bin/get.exe; 61.235.117.83 /bin/v2webserver.exe) with get.exe phoning back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular gdehochesh .com/adm/index.php.
 
Just like Conficker, the Koobface botnet is no stranger to the scareware business model and the potential for monetization of the hundreds of thousands of infected hosts.

However, changes made in the campaign structure of the Koobface botnet during the last couple of days, indicate that the Koobface gang has embedded a pop-up at each and every host that's automatically rotation different scareware brands. They're now officially monetizing the botnet using a scareware business model.

Let's analyze the latest changes introduced by the Koobface gang over the last couple of days and emphasize on the monetization tactics introduced by the gang.

Next to insulting, showing gratitude, the Koobface gang also has a (black) sense of humor - within one of the directories at the takedown-proof command and control used by the gang in China (61.235.117.83; at 61.235.117.83/bin in particular) they've left the following message "2008 ali baba and 40, LLC". Ali Baba and the Forty Thieves is a 1944 film based on the original Ali Baba character.

Compared to previous campaigns relying on centralized command and control and redirection points -- making them easy to shut down -- the ongoing Facebook campaigns are dynamically redirecting to IPs within the Koobface network, which combined with their use of compromised legitimate sites is supposed to make the take down of their campaigns a bit more time consuming.

That's, of course, not the case since undermining their monetization approaches undermines the monetary value of their campaigns, which is what they're after this time. The Koobface gang has now embedded a single line within each and every infected host used in the campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, but to also trick them into installing the scareware which is rotated as usual.

dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof page part of the botnet and is then redirecting the most popular scareware template, the My computer Online Scan.

The first scareware domain used in the last 48 ryacleaner .info/hitin.php?affid=02979 (212.117.160.21l parked there as also eljupdate .info Email: niclas@i.ua and dercleaner .info Email: niclas@i.ua) was serving setup.exe which is downloading the actual scareware executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23).

What's so special about this domain? It was last profiled in the A Diverse Portfolio of Fake Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the same IP registered under the same email - robertsimonkroon@gmail.com.

The second scareware domain pushed by the Koobface during the last 24 hours, gotrioscan .com/?uid=13301 - 91.212.107.103 - momorule@gmail.com redirects to plazec .info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com where the scareware is served. Parked at the same IP is the rest of thescareware domains portfolio pushed by Koobface:

in5id .com
in5ch .com
goscanback .com
goscanlook .com
gofatescan .com
goeachscan .com
gobackscan .com
goironscan .com
gotrioscan .com
ia-pro .com
iantivirus-pro .com
iantiviruspro .com
windoptimizer .com
woptimizer .com
in5cs .com
wopayment .com
in5st .com
zussia .info

plazec .info
gaudad .info
voided .info
gelded .info
tithed .info
botled .info
tented .info
fatted .info
unowed .info
wzand .info
searce .info
prarie .info
meyrie .info


pittie .info
penvie .info
figgle .info
sawme .info
droope .info
haere .info
scarre .info
undeaf .info
adjudg .info
wiving .info
slatch .info


bedash .info
dolchi .info
sighal .info
devicel .info
knivel .info
freckl .info
scrowl .info
usicam .info
spelem .info
vagrom .info
numben .info
speen .info
krapen .info
atwain .info
declin .info
inclin .info
unclin .info
towton .info
grumio .info
stampo .info
extrip .info


polear .info
benber .info
kedder .info
erpeer .info
argier .info
fulier .info
lavyer .info
inquir .info
orodes .info
faites .info
beeves .info
quoifs .info
filths .info
broths .info
nevils .info
swoons .info
sallat .info
apalet .info


reglet .info
camlet .info
plamet .info
hownet .info
fosset .info
cuplift .info
raught .info
holdit .info
unroot .info
unwept .info
anmast .info
ticedu .info
outliv .info
onclew .info
froday .info
mayray .info
tenshy .info
steepy .info
miloty .info
debuty .info
fifthz .info
potinz .info
caretz .info
narowz .info


What do these two scareware executables have in common? Its the phone back locations that the Koobface gang is using, reveling its participation in a scareware affiliate network called Crusade Affiliates.

The first phone back location urodinam.net /dfgsdfsdf .php - 122.224.9.67 adds a .bat file which would attempt to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on hourly basis. The second phone back location is the Crusade Affiliates network that shares revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - crusade-affiliates .com/install.php?id=02979 - 85.17.139.149.

The third phone back location is a direct download attempt of FraudTool.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from 0ni9o1s3feu60 .cn/u4.exe - 220.196.59.23. It's pretty evident that the Koobface botnet is now relying on multiple layers of monetization approaches.

The Koobface gang has been pretty during the last couple of days. The following list of Koobface malware spreading domains are in circulation across social networking sites since the last 48 hours, consisting of a combination of purely malicious and compromised legitimate sites:
3sss .com/youtube.com 
4bond .it/youtube.com 
ac2j .com/freeem0vies
aced1979 .freehostia.com/y0urfi1m
alexandrialocksmith .net/uncens0redvide0 
alpha.kei .pl/amalzlngfi1ms
alruwaithy .com/extrlmeperf0rmans
astoundeddesign .com/privaledem0nstrati0n
awwfuck .me/fuunnyacti0n
baddog.me .uk/uncens0redc1ip
bbckzoo .com/extrlmedwd 
bbckzoo .com/mmyperf0rmans 
be. la/freeefi1ms
bencaputoprinting .com/c00lfi1m 
bicentenario.sc49 .info/mmyfi1m
bighornrivercabins .com/c00lvlds
biskopsto .fo/fantasticm0vie
bloch-data .dk/c00lvlds
bokongerslev .dk/amalzlngm0vie 
bokongerslev .dk/extrlmeacti0n 
book-dalmose .dk/extrlmeperf0rmans
campionariadigalatina .it/youtube.com 
carlamo .com/extrlmec1ip
centerforyourhealth .com/extrlmem0vies 
centralbaptist.org .au/fantasticvide0



certtiletechs .com/fuunnym0vies
cisaimpianti .net/youtube.com 
claykelley .net/extrlmevlds 
claykelley .net/mmyvide0 
clubatleticigualada .com/y0urc1ip
connoro .com/bestsh0w
consignbuydesign .com/fuunnyttube
dkflyt .dk/mmytw
downingfarms .com/bestacti0n
eminfinity.com .au/amalzlngc1ips 
eminfinity.com .au/uncens0redsh0w 
endurancesportscar .com/extrlmem0vies 
epicent .dk/pub1icfi1m 
evaracollin .be/mmyfi1ms
exceleronmedical .com/amalzlngc1ips 
exceleronmedical .com/c00lperf0rmans 
exceleronmedical .com/privalettube/?youtube.com
finolog .com/privalem0vie
fitslim .com/fantasticdem0nstrati0n
gacogop .org/fuunnyc1ips
gamlabodens .se/privaletw 
garagedoorsnow .com/meggadem0nstrati0n
garlicworld .com/mmym0vie 
garlicworld .com/uncens0redperf0rmans


gcillustration .com/extrlmevide0 
germanamericantax .com/pub1icm0vie 
happyholidaychristmastrees .com/uncens0redperf0rmans
horaexata.com .br/c00lc1ip
huffmanfarms .com/fantasticfi1ms
imagequest360 .com/fantasticm0vies 
inartdesigns .com/extrlmevide0
interception .dk/mmyttube
kalender.sttmedia .se/amalzlngdem0nstrati0n 
kartingclubsourdsnamur .be/besttw
kiding.users.digital-crocus .com/mmym0vies
kloerfem .dk/amalzlngsh0w
kracl .com/freeesh0w
kreativdizajn .com/amalzlngvlds

ktvsongs .com/pub1icacti0n 
lonestargcs .com/mmydwd
losangelesfurniture .com/fantasticdem0nstrati0n
lr-online .dk/c00lfi1ms 
lr-online .dk/y0ursh0w 
marketmarkj .com/privalem0vies
martinhorngren .com/privalettube 
meetingpacket .com/youtube.com 
microscoop .net/fantasticttube
momentsbypat .com/pub1icm0vie
mtn-ejendomme .dk/mmyacti0n

nadiottawa .org/pub1icc1ips
naestved-sportscollege .dk/amalzlngacti0n
nicalandnow .com/uncens0redvlds
odyssey-consultants .com/amalzlngvide0 
odyssey-consultants .com/mmym0vie 
onlyfun .se/extrlmec1ip
pridesoccer .com/privalec1ips
quicksilver-direct .com/amalzlngfi1m 
reddoorchina .com/mmyvlds 
relivery .com/extrlmesh0w

ristorocasanova .it/youtube.com 
sanfranciscocookie .com/fantasticfi1ms
sarkos .ch/fuunnyperf0rmans
saudiclubs .org/fantasticvlds
sauipeswimwear .com/c00lm0vie
schoolofhiphop .no/freeefi1ms
senegalinfoservices .com/bestacti0n


squashigualada .com/extrlmevlds
starcraftdream .com/fuunnyvlds
stm.frihost .org/freeefi1m
stringer .no/uncens0redacti0n
sttmedia .se/fantastictw 
taia.com .br/uncens0reddwd
thefurniturewarehouse .net/mmym0vies
theidusshop .com/pub1ictw
thepinflow .com/meggash0w
thorsen-meyer .dk/bestc1ips
tivity .dk/amalzlngm0vie 
tivity .dk/fantasticfi1ms 
tizianamaniezzo .com/fantasticc1ips 
tohva .org/bestacti0n
troop270 .nwsc.org/fuunnydwd
txmurphys .com/c00lfi1m 
tybjerglillebakkervand .dk/privalem0vie
vagnpfisk .dk/privalem0vie
vivaipirovano .com/youtube.com 
xanchise .com/c00lc1ip
yurafting .com/amalzlngvlds


Sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=ldgen&v=14 and bianca.trinityonline .biz/.sys/?action=ldgen&a=590837698&v=14&l=1000&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_tg=0&c_nl=0. 69.163.147.203 - Email: email@darrenjames.net, with the latest Koobfae update modules detected as follows - 61.235.117.83 /bin/v2prx.exe; 61.235.117.83 /bin/pp.12.exe

The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40 , LLC) have not just started monetizing the infected hosts, they're using multiple layers of monetization to do so.

Related posts:
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog.