Wednesday, November 25, 2009

Koobface Botnet Starts Serving Client-Side Exploits

UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and scareware domains remains ongoing, with no signs of resuming the use of client-side exploits.

Some of the latest ones include:

- inviteerverwhere .cn - Email: box@cethcuples.com -> scanner-infoa .com - Email: inout@celestia.com, scareware detection rate
- 1economyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: inout@celestia.com, scareware detection rate
- slip-stream .cn - Email: info@mercedess.de -> getsafeantivirusa .com - Email: morrison2g@yahoo.com, scareware detection rate

The complete list of redirectors introduced over the past week is as follows: 1economyguide .cn; 1monocline .cn; 1nonsensical .cn; 1onlinestarter .cn; 1political-news .cn; argentinastyle .cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcountry .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets .cn; womenregrets2 .cn

UPDATED, Saturday, November 28, 2009: Yesterday the gang experimented with bit.ly redirectors, relying on a "visual social engineering element": a descriptive domain appended after the original link, as in bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any generated bit.ly link. The gang is now spamvertising links that use Google News redirection to automatically registered Blogspot accounts, whose CAPTCHA challenges have been solved by victims already infected with Koobface. That feature is now mainstream, compared to the gang's previous use of commercial CAPTCHA solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:

- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/
- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/
- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/
- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/
- news.google.com/news/url?url=http://keyserefrain .blogspot.com/
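
A defender screening links in messages can unwrap the Google News redirection and flag a shortener link carrying a decoy host in its query string. The following is an added example, not code from the original post; the function names, the redirector table and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# host -> (path, parameter) of a forwarding endpoint. The post names only the
# Google News form; keeping it in a table is this example's own choice.
REDIRECTORS = {"news.google.com": ("/news/url", "url")}
SHORTENERS = {"bit.ly"}
# A query string that starts like "HOST.TLD/..." instead of key=value pairs.
HOST_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/|$)", re.I)
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def refang(url):
    """Undo the ' .tld' defanging used in the post and ensure a scheme."""
    url = url.strip().replace(" .", ".")
    return url if HAS_SCHEME.match(url) else "http://" + url

def analyse(url, max_hops=5):
    """Return (landing_url, findings); findings are (kind, detail) tuples."""
    findings, current = [], refang(url)
    for _ in range(max_hops):  # bounded, so nested wrappers cannot loop
        parts = urlsplit(current)
        host = (parts.hostname or "").lower()
        if host in SHORTENERS and HOST_LIKE.match(parts.query):
            findings.append(("decoy-suffix", parts.query))
        path, param = REDIRECTORS.get(host, (None, None))
        if parts.path != path:
            break  # not a known forwarding endpoint: this is the landing URL
        target = parse_qs(parts.query).get(param, [""])[0]
        if not target:
            break
        current = refang(target)
        findings.append(("redirector", f"{host} -> {urlsplit(current).hostname}"))
    return current, findings

# Constructed sample links in the two shapes described above (not live URLs).
SAMPLE_LINKS = [
    "news.google.com/news/url?url=http://constructed-sample .blogspot.com/",
    "bit.ly/EXAMPLE?YOUTUBE.COM/0123456789",
    "https://example.org/article?id=7",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "=>", analyse(link))
```

Reputation checks should run against the returned landing URL, since the host a reader sees in the link is the redirector or the decoy text.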


New redirectors introduced include:

New scareware domains introduced include:

Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed .com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain.

UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits; let's see whether it's only for the time being or indefinitely. Scareware, however, is still being introduced through periodically registered new domains: argentinastyle .cn - Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au redirect to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: fransysles2@yahoo.com - detection rate.

The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain active.

The Koobface botnet, a case study on propagation relying exclusively on social engineering tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second "game-changer" next to the migration to distributed command and control infrastructure once its centralized operations got shut down.

Next to the embedded and automatically rotating scareware redirects placed on every infected host that is part of the Koobface botnet, the gang behind it has now officially started using client-side exploits (VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground Molotov - function molot (m)), which connect to the interface of a well known (average) web malware exploitation kit. A user who clicks on the Koobface URL is now exposed not only to the Koobface binary itself, now pushed through client-side exploits, but also to the periodically changed scareware domains.

Let's dissect the campaign, expose the entire domains portfolio involved or introduced since the beginning of the week, and once again establish a connection between the Koobface gang and money mule recruitment scams followed by scareware domains (Inst_312s2.exe; Inst_312s2.exe from today, both of them phone back to angle-meter .com/?b=1), all registered using the same emails.
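
The registrant-email pivot used to connect these campaigns can be automated. The following is an added example, not code from the original post: it parses records written in this post's `domain - Email: registrant` form and reports every registrant that appears in more than one campaign. The function names, campaign labels and all `.example` records are constructed for illustration.

```python
import re
from collections import defaultdict

# "domain .tld - Email: registrant [-> analyst note]" as written in the post.
RECORD = re.compile(
    r"^\s*(?P<domain>[a-z0-9-]+(?:\s?\.[a-z0-9-]+)+)\s+-\s+Email:\s*"
    r"(?P<email>[^\s@]+@[^\s@]+?)\s*(?:->\s*.+?)?\s*$", re.I)

def parse_records(text):
    """Yield (domain, email) per record line; other lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            # Re-join the defanged " .tld" and normalise case for comparison.
            yield m["domain"].replace(" ", "").lower(), m["email"].lower()

def shared_registrants(labelled_lists):
    """Map each email seen in 2+ campaigns to {campaign: [domains]}."""
    by_email = defaultdict(lambda: defaultdict(set))
    for campaign, text in labelled_lists:
        for domain, email in parse_records(text):
            by_email[email][campaign].add(domain)
    return {email: {c: sorted(d) for c, d in camps.items()}
            for email, camps in by_email.items() if len(camps) > 1}

# Constructed sample records (reserved .example names, not real indicators).
SAMPLE = [
    ("redirector", "redir-one .example - Email: reg-a@mail.example\n"
                   "redir-two .example - Email: REG-B@mail.example\n"),
    ("scareware", "scan-one .example - Email: reg-a@mail.example\n"
                  "scan-two .example - Email: reg-c@mail.example\n"),
    ("money-mule", "jobs-one .example - Email: reg-b@mail.example"
                   " -> money mule recruitment \n"
                   "parked on the same address as the first iFrame\n"),
]

if __name__ == "__main__":
    for email, campaigns in shared_registrants(SAMPLE).items():
        print(email, campaigns)
```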

Scareware redirectors seen during the past couple of days, parked at 91.213.126.250:

New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103:

The client-side exploit redirection takes place through three separate domains, all involved in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. For instance, el3x.cn/test13/index.php - 210.51.166.119 - Email: Exmanoize@qip.ru redirects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> el3x.cn/test13/soc.php using VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc. pushing load.exe, which phones back to a well known "leftover" from Koobface botnet's centralized infrastructure - xtsd20090815 .com/adm/index.php.

Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders with authors of actual web malware exploitation kits, who diversify their cybercrime operations by participating in money mule recruitment scams, Zeus crimeware serving campaigns, and scareware.

Parked on 210.51.166.119 where the first iFrame is hosted, are also the following domains participating in related campaigns:

The second iFrame domain parked at 61.235.117.83 redirects in the following way - kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to kiano-180809 .com/oko/dyna_soc.html -> kiano-180809 .com/oko/tomato_guy_13.html -> kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wmf.

The same exploitation structure is valid for the third iFrame domain - ttt20091124 .info/oko/help.html, which is again parked at 61.235.117.83 and was embedded at Koobface-infected hosts over the past 24 hours.

What prompted this shift on behalf of the Koobface gang? Declining infection rates -- I'm personally not seeing a decline in the click-through rate, with over 500 clicks on a spamvertised Koobface URL over a period of 24 hours -- or their obsession with traffic optimization? In terms of social engineering, the periodic introduction of new templates proved highly successful for the gang, but the newly introduced outdated client-side exploits can in fact generate more noise than they originally anticipated, if they were to continue relying on social engineering vectors only.

One thing's certain - the Koobface gang is now on the offensive, and it would be interesting to see whether they'd introduce a new exploits set, or continue relying on the one offered by the web exploitation kit.

This post has been reproduced from Dancho Danchev's blog.