Wednesday, May 27, 2009
The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user into believing that as of the 1st of May Microsoft is launching a new anti-piracy initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.
Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder (the file is almost impossible to find)
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun
The price for a custom-made version with the customer's own SMS data is $10, with $5 per new (undetected) copy, as well as the complete source code available for $50 again from the same vendor.
From a "visual social engineering" perspective, the one that makes scareware what it is as a product (a product which would never have scaled so fast had it not been for the distribution channel in the form of web site compromises and blackhat SEO in the first place), the latest SMS ransomware variant lacks any significant visual features that could compete with, for instance, the DIY fake Windows XP activation trojan and its 2.0 version.
With the emerging localization-on-demand services offering translations of phishing, spam and malware campaigns into popular international languages, it won't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian-speaking ones it targets for the time being.
Posted by Dancho Danchev at Wednesday, May 27, 2009
Tuesday, May 26, 2009
Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.
What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?
It's a 31,000 infected hosts botnet which they use exclusively for spamming.
The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."
Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved in the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.
The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.
Here are some screenshots of their command and control interface used exclusively for spam campaigns:
The domain is registered to firstname.lastname@example.org and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).
Taking down the group's command and control domain is in progress.
Posted by Dancho Danchev at Tuesday, May 26, 2009
Tuesday, May 19, 2009
AS29371 - gaztranzitstroyinfo LLC - 184.108.40.206/24 based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are converging different hosting providers to increase the lifecycle of their campaigns.
The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider, AS48841 EUROHOST-AS Eurohost LLC. Eurohost was providing hosting infrastructure to the scareware domains that were part of Conficker's scareware monetization strategy, and continues to do so for a great deal of exploit/malware serving domains, next to AS10929 NETELLIGENT Hosting Services Inc., where the infrastructure of the three hosting providers has converged.
Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits/zeus config files/scareware found within AS29371 and pushed through blackhat SEO and web site compromises:
peopleopera .cn - 220.127.116.11
softwaresupport-group .com - 18.104.22.168
nicdaheb .cn - 22.214.171.124
Rogue security software:
addedantivirusonline .com - 126.96.36.199
For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083, which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc, which, in case you remember, popped up in the Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com (188.8.131.52) we also have a portfolio of scareware domains:
The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 184.108.40.206 (AS48841; EUROHOST-NET) where more malicious activity is easily detected at:
downloadmax .org - 220.127.116.11
trucount3000 .com - 18.104.22.168; 22.214.171.124
In cybercriminals I don't trust.
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO
Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting and Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network
Posted by Dancho Danchev at Tuesday, May 19, 2009
Thursday, May 14, 2009
Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.
This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).
Despite the fact that it's the affiliate network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embed malicious code through compompromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.
For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:
yourpcshield .com (126.96.36.199) - AS10929 NETELLIGENT Hosting Services Inc. Email: email@example.com
freeforscanpc .com (188.8.131.52) - AS10929 NETELLIGENT Hosting Services Inc.
antimalware-scannerv2 .com (184.108.40.206) - AS16265 LeaseWeb AS Amsterdam, Netherlands Email: firstname.lastname@example.org
safeinternettoolv1 .com (220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199) - AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: email@example.com
ms-scan .org (188.8.131.52) - AS31103 KEYWEB-AS Keyweb AG, Email: firstname.lastname@example.org
bitcoreguard .net (184.108.40.206) AS22576 LAYEREDTECH Layered Technologies, Email: email@example.com
coreguard2009 .com (220.127.116.11) - AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg Email: firstname.lastname@example.org
coreguardlab2009 .biz (18.104.22.168) - AS16265 LeaseWeb AS Amsterdam, Netherlands, Email: email@example.com
guardlab .com (22.214.171.124) - AS22576 LAYEREDTECH Layered Technologies Email: firstname.lastname@example.org
guardlab2009 .biz (126.96.36.199) - AS21548 MTO Telecom Inc. Email: email@example.com
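The indicator lines above (and the AS29371/AS48841 lists further up) follow one defanged format: "domain .tld (ip; ip) - ASnnnn Name Email: x". The following added example, not the blog's own code, parses that format and pivots on shared IPs, ASNs and registrant e-mails to show which domains converge on the same infrastructure; the sample lines are constructed (RFC 5737 test addresses, reserved example TLDs), not the page's values.

```python
# Parse defanged indicator lines and pivot on shared infrastructure.
# Added example, not the blog's code. SAMPLE_LINES are constructed.
import re
from collections import defaultdict

DOMAIN_RE = re.compile(r"^([\w.-]+)\s+\.([a-z]+)", re.I)   # "name .tld" (defanged)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ASN_RE = re.compile(r"\bAS(\d+)\b")
EMAIL_RE = re.compile(r"Email:\s*(\S+@\S+)")

SAMPLE_LINES = """\
yourpcshield .example (192.0.2.10) - AS64500 FIRSTHOST Hosting Inc. Email: reg1@example.net
freeforscanpc .example (192.0.2.11) - AS64500 FIRSTHOST Hosting Inc.
antimalware-scannerv2 .example (198.51.100.5) - AS64501 SECONDHOST B.V. Email: reg2@example.net
safeinternettoolv1 .example (203.0.113.7; 198.51.100.5) - AS64502 THIRD; AS64501 SECONDHOST B.V. Email: reg1@example.net
ms-scan .example (198.51.100.77) - AS64503 KEYHOST AG Email: reg3@example.net
peopleopera .test - 192.0.2.10
trucount3000 .test - 203.0.113.7; 203.0.113.8
""".splitlines()


def parse_line(line):
    """Return {'domain', 'ips', 'asns', 'email'} for one indicator line, or None."""
    m = DOMAIN_RE.match(line.strip())
    if not m:
        return None
    rest = line[m.end():]
    email = EMAIL_RE.search(rest)
    return {
        "domain": f"{m.group(1)}.{m.group(2)}".lower(),   # re-fang "name .tld"
        "ips": IPV4_RE.findall(rest),
        "asns": [f"AS{n}" for n in ASN_RE.findall(rest)],
        "email": email.group(1).lower() if email else None,
    }


def pivot(records):
    """Map each (kind, value) key shared by two or more domains to those domains."""
    groups = defaultdict(set)
    for r in records:
        for ip in r["ips"]:
            groups[("ip", ip)].add(r["domain"])
        for asn in r["asns"]:
            groups[("asn", asn)].add(r["domain"])
        if r["email"]:
            groups[("email", r["email"])].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def clusters(records):
    """Connected components of the pivot graph: one list per converged infrastructure."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for members in pivot(records).values():
        root = find(members[0])
        for d in members[1:]:
            parent[find(d)] = root
    comps = defaultdict(set)
    for d in parent:
        comps[find(d)].add(d)
    return sorted((sorted(c) for c in comps.values()), key=len, reverse=True)


def blocklist(records):
    """Hosts-file style blocklist, one '0.0.0.0 domain' line per domain."""
    return [f"0.0.0.0 {d}" for d in sorted(r["domain"] for r in records)]


def analyse(lines):
    records = [r for r in map(parse_line, lines) if r]
    return records, pivot(records)


if __name__ == "__main__":
    recs, links = analyse(SAMPLE_LINES)
    for key, doms in links.items():
        print(key, "->", ", ".join(doms))
    print("clusters:", clusters(recs))
```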
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Posted by Dancho Danchev at Thursday, May 14, 2009
Tuesday, May 12, 2009
In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.
Here are some of its features:
- When executed, presents the user with a Blue Screen of Death style error message
- A simple auto-loading feature ensures it will load every time the host is rebooted; it completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program
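The feature lists above (here and in the May 27 post) describe a locker that replaces the startup shell, disables Task Manager and the Registry Editor, and autostarts. The following added example, not the blog's code, audits the Windows registry locations where such tampering shows up; which exact values a given locker sets is an assumption drawn from the feature lists, and the two snapshots are constructed so the audit also runs off Windows.

```python
# Audit locker-style tampering: Winlogon Shell, Task Manager / Registry Editor
# policy values, and Run keys. Added example, not the blog's code; the mapping
# from the feature lists to these registry values is an assumption.
try:
    import winreg  # Windows only; elsewhere the audit runs on a snapshot dict
except ImportError:
    winreg = None

HKLM, HKCU = "HKLM", "HKCU"
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
KEYS_OF_INTEREST = [(HKLM, WINLOGON), (HKCU, WINLOGON), (HKCU, POLICY),
                    (HKLM, POLICY), (HKLM, RUN), (HKCU, RUN)]


def snapshot_from_winreg():
    """Read every value under the keys of interest into {(hive, path): {name: data}}."""
    roots = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, path in KEYS_OF_INTEREST:
        values = {}
        try:
            with winreg.OpenKey(roots[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key does not exist
            pass
        snap[(hive, path)] = values
    return snap


def audit(snap):
    """Return (severity, finding) pairs; high/medium mean locker-style tampering."""
    findings = []
    for hive in (HKLM, HKCU):
        shell = snap.get((hive, WINLOGON), {}).get("Shell")
        if shell is not None and shell.strip().lower() != "explorer.exe":
            findings.append(("high", f"{hive} Winlogon Shell replaced: {shell}"))
    for hive in (HKCU, HKLM):
        policy = snap.get((hive, POLICY), {})
        for name in ("DisableTaskMgr", "DisableRegistryTools"):
            if policy.get(name) == 1:
                findings.append(("medium", f"{hive} policy {name} = 1"))
    for hive in (HKLM, HKCU):  # autostart entries are listed for manual review
        for name, command in snap.get((hive, RUN), {}).items():
            findings.append(("info", f"{hive} Run entry {name}: {command}"))
    return findings


def looks_locked(snap):
    """True when any high or medium finding is present."""
    return any(sev in ("high", "medium") for sev, _ in audit(snap))


# Constructed snapshots (not captured from real systems); file names are made up.
CLEAN_SNAPSHOT = {
    (HKLM, WINLOGON): {"Shell": "explorer.exe"},
    (HKLM, RUN): {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
}
LOCKED_SNAPSHOT = {
    (HKLM, WINLOGON): {"Shell": r"C:\Windows\system32\locker_sample.exe"},
    (HKCU, POLICY): {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    (HKCU, RUN): {"locker": r"C:\Windows\system32\locker_sample.exe"},
}

if __name__ == "__main__":
    target = snapshot_from_winreg() if winreg else LOCKED_SNAPSHOT
    for severity, finding in audit(target):
        print(f"[{severity}] {finding}")
```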
The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected users' PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization-on-demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.
However, from an operational security (OPSEC) perspective, which I often emphasize in order to demonstrate how efficient cybercrime-facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic exposes the people behind the campaign much more easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?), which, given enough effort on their part, can be made virtually untraceable.
Despite the fact that antivirus vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiquitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild
Posted by Dancho Danchev at Tuesday, May 12, 2009
Wednesday, May 06, 2009
A recently spammed dating campaign exposes the fraudulent practices of a well known dating agency (Confidential Connections) that has been changing its name and typosquatting new domains in order to remain beneath the radar, a somewhat awkward practice given the noisy spamming approach it uses to attract visitors.
The spam's message:
"Good day, my gentleman!
All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quite and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you http://iam-waiting4love .com/infinity/
Waiting for your mail"
The user is then asked to register at hifor-you .com/register.php followed by an email confirmation explaining how the agency/scam at ualadys .com (188.8.131.52 Email: Tyom13@aol.com) works:
"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, checkout her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man.
Compatibility is the KEY. Our formula is simple, yet highly productive:
1. You fill out our profile, same as the Ladies
2. Select the Ladies you would like to meet
3. Until you have a predetermined amount of Ladies reply with a yes
4. During your trip meetings are scheduled on a private, one-on-one setting, with an interpreter to assist you (if you require one) We know that your time is limited when you go on trip. This is a very efficient selections process that saves your time and, in fact, allows you the extra time to really get to know the Ladies.
All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male clients access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision.
Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 95% SUCCESS RATE! Again, the reason for this is the growing frustration among the Ladies about the lack of follow through the men, Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS.
During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went no trips."
The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist in the first place, in the following way:
All scam patterns have similarities that are very easy to spot if you know what to watch out for:
- Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad that will fit anybody - "kind intelligent man, age and race don't matter".
- Sometimes *she* places a real nice description and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.
- It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.
love-f-emale .com - 184.108.40.206
There's something "ingenious" about this type of dating scam, since the bogus dating agency can forward the scam responsibility to the non-existent girls in the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.
Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.
The people from "Confidential Connections" have a long history of spamming/scamming activities. Here are more related resources:
A first-person account:
"..ualadies... I work as a guide and translator for guys seeking a wife in Ukraine, and a client just came to me who was due to meet a girl from this agency. I'm so wound up by the actions of this agency that I am going to post this thread in every scam forum I know about. Here is a short list of what they did:
1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him $80 for what should have been a $10 journey
2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 hours ($15 an hour)..this they told him only after the meeting
3) After my client had paid (a very steep $50) to meet the girl, he got her address and decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as opposed to 10 dollars a rose at the agency). The agency, upon finding out about this, called him up and shouted at him for daring to send her roses not through them (!)
4) It turned out that the girl hadn't written most of the letters the client had shared with her over a period of a year, and in fact that the agency themselves had written them, earning good money in the process!
5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put down 60 when she had indicated 40.
6) There is more!...but I think I've written enough for you to get the idea.
Be aware of this agency! In all my time as a guide/translator I have never seen an agency that works so shambolically. Agencies like this ruin the reputation of the business, in which there are a number of hard working honest agencies that suffer as a result."
More comments from the same person, presumably working there:
"Beware of ualadys. I live in Ukraine and know someone who works in one of the branches. Word has it that they churn out letters factory-style and often write themselves. They do not allow their girls to turn down a man who has requested to communicate with them, even if they don't want to. They did not allow me to go to their office to check them out and ask them questions. They scare the girls so that they don't get in personal contact with a guy or go to another agency. Beware!"
Exclusive photo gallery from what appears to be a scammed customer -- wedding rings are in place. The guy was initially spammed:
"On June 23rd of 2008 (that was 5 months after I gave up my relationship with my ex girlfriend), I received one email from UAladys which stated it was translated for a lady in Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows"
Thankfully, he's preserved the archive of the correspondence, exposing their practices.
Posted by Dancho Danchev at Wednesday, May 06, 2009
They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.
Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.
Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (220.127.116.11; Email: firstname.lastname@example.org). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.
What follows is the usual referrer check: "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");", from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (18.104.22.168), acting as the central redirection point to the typosquatted portfolio of rogue security software domains.
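The referrer check quoted above is the gate that decides whether a visitor arriving from a search engine gets redirected onward. The following added example, not the blog's code, is a static triage check for that construct: it flags a script that reads document.referrer, compares it with a list of search-engine tokens and then redirects, and pulls out the token list and the redirect target. Both scripts it runs on are constructed (the gated one is modelled on the quoted snippet, with a made-up target host).

```python
# Static triage for search-engine referrer gating in JavaScript.
# Added example, not the blog's code; both sample scripts are constructed.
import re

# new Array("a","b") or ["a","b"] literals made only of string items
LIST_RE = re.compile(r"""(?:new\s+Array\s*\(|\[)\s*((?:["'][^"']+["']\s*,?\s*)+)[\)\]]""")
STRING_RE = re.compile(r"""["']([^"']+)["']""")
# assignment to (window.)location / location.href, or location.replace(...)
REDIRECT_RE = re.compile(r"""(?:\w+\.)?location(?:\.href)?\s*(?:=(?!=)|\.replace\s*\()""")
TARGET_RE = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""")
SEARCH_ENGINE_TOKENS = {"google.", "msn.", "yahoo.", "bing.", "aol.", "comcast.", "ask.", "live."}

GATED_SAMPLE = """
var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");
ref = document.referrer.toLowerCase();
for (i = 0; i < se.length; i++) { if (ref.indexOf(se[i]) != -1) is_se = 1; }
if (is_se) window.location = "http://redirector.example/go.php?id=2022";
"""
BENIGN_SAMPLE = """
var engines = ["google.", "bing."];
document.getElementById("source").innerText = document.referrer;
"""


def find_referrer_gate(js):
    """Return {'search_engines': [...], 'target': url or None} when the script reads
    document.referrer, compares it with search-engine tokens and redirects; else None."""
    if "document.referrer" not in js or not REDIRECT_RE.search(js):
        return None
    tokens = {t.lower() for body in LIST_RE.findall(js) for t in STRING_RE.findall(body)}
    engines = sorted(tokens & SEARCH_ENGINE_TOKENS)
    if not engines:
        return None
    target = TARGET_RE.search(js)
    return {"search_engines": engines, "target": target.group(1) if target else None}


if __name__ == "__main__":
    for label, script in (("gated", GATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_referrer_gate(script))
```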
The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:
Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1
Related phone-back locations:
liveavantbrowser2 .cn - (22.214.171.124)
Blackhat SEO subdomains at the free web site hosting services:
Blackhat SEO domains participating in the second multi-theme campaign:
Blackhat SEO domains participating in the third campaign:
greg-page-boxing.6may2009 .com - 126.96.36.199
Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 188.8.131.52; 184.108.40.206, with the following domains parked at the same IPs:
Persistence must be met with persistence.
Posted by Dancho Danchev at Wednesday, May 06, 2009
Friday, May 01, 2009
Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion and Twitter hit by multiple variants of XSS worm.
01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel
Posted by Dancho Danchev at Friday, May 01, 2009