Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I've been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and actual Koobface botnet activity that's been taking place there for months, pinged me with an interesting email - "Riccom are now gone" (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing on the malicious activity taking place there.
Since I've been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobace botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief retrospective of the malicious activity that took place there.
Malicious activity I've been analyzing since August, 2009:
- August 06 - scareware parked at 184.108.40.206 analyzed in "Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware"
- August 10 - more scareware introduced at 220.127.116.11 analyzed in "U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding"
- August 18 - scareware domains continue getting introduced at 18.104.22.168, analyzed in "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign"
- August 19 - Actual Koobface command and control server parked within BlueConnex's ASN, they take action against 22.214.171.124 - "Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere."
- September 14 - the malvertising attack at the web site of the New York Times, not only used a redirector that was simultaneously pushed by Koobface-infected host hosted on an IP known to be managed by the gang's blackhat SEO team ,but also, the actual scareware domain used relied on Riccom LTD hosting again at 126.96.36.199
- September 16 - 188.8.131.52 remains the most widely abused IP hosting scareware served by the Koobface botnet. Action is taken again the entire .info tld domain portfolio, the domains are suspended within a 48 hours period of time courtesy of AFILIAS.
- November 11 - cat and mouse game between the company, me, and the Koobface gang is taking place, now that a connection between the Koobface gang and the Bahama botnet has been clearly established. New scareware domains are introduced at 184.108.40.206, as well as at the still active AS44042 ROOT eSolutions. The Koobface gang once again proves it "knows my name" by typosquatting domains and registering them with typosquatted variants of my name (pancho-2807 .com is registered to Pancho Panchev, email@example.com, followed by rdr20090924 .info registered to Vancho Vanchev, firstname.lastname@example.org). Upon notification 220.127.116.11 has been taken offline courtesy of Blue Square Data Group Services Limited.
- November 17 - A week later the gang resumes operations at the same Riccom LTD IP - "Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 18.104.22.168 which was taken offline for a short period of time. ISP has been notified again".
Image courtesy of TrendMicro's The Heart of Koobface - C&C and Social Network Propagation report.
Related Koobface research published in 2009:
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
This post has been reproduced from Dancho Danchev's blog.