Monday, August 24, 2009

6th SMS Ransomware Variant Offered for Sale

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send a SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows."

Anticipating the potential for monetization, cybercriminals are investing more time and resources into new features for their SMS-based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions in this newly emerged micro-payment ransom channel.

What's new is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of them gets shut down. Let's go through some of the features of two newly released SMS ransomware variants, offered for $20 and $30 respectively.

What's worth emphasizing about the first release is that it's Windows 7 compatible and is the first SMS ransomware that allows a scheduled lockdown after infection -- presumably included to make it harder for the victim to recognize how they got infected in the first place -- as well as multiple SMS numbers for contingency planning.

Key features include:
- Clean interface
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of time
- Auto-start functionality, self-removal upon entering the correct activation code, and a mutex so that an already infected host is not infected a second time by the same release
- This SMS ransomware is Windows 7 compatible

Most SMS-based ransomware relies on the "unlicensed Windows copy" theme, but the first such ransomware to self-replicate through removable media signals a trend to come: social engineering through impersonation, in typical scareware style. This release can fairly be described as the first scareware with a micro-payment ransom element offered for sale.

Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected user into thinking that Kaspersky has detected a piece of malware and blocked it, but because the malware keeps changing its encryption algorithm the user has to send an SMS costing 150 rubles in order to receive the reply SMS that will block the malware.

This release also includes a timer, and a message explaining that re-installing Windows wouldn't change the situation, in an attempt to further pressure the user into sending the message. It targets Windows XP only and is not Windows Vista compatible.

Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as the hijacking of a browser session's ads with a ransom demanded to remove the adult content, it's only a matter of time before we witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.

Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

Wednesday, August 19, 2009

Movement on the Koobface Front - Part Two

UPDATE13: The domain snimka31082009 .com has been suspended. As with the domains listed in UPDATE11, it's worth pointing out that once the WHOIS records return to their original state, all of the domains turn out to be registered under the name Rancho Ranchev -- from Ukraine, with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) that has been offering hosting services to the Koobface gang since last week - /redirectsoft/go/fb_w.php. The domain is in the process of being shut down.

UPDATE11: The latest Koobface domains masa31082009 .com - Email:; pari270809 .com - Email:; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest update, pushed over the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 and cubman32

UPDATE10: Two new Koobface domains, and a new redirector, are in circulation across Facebook - rect08242009 .com ( and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also updated the malware - web.reg .md/1/v2prx.exe.

The domains pari270809 .com, rect08242009 .com and masa31082009 .com are in the process of being shut down.

UPDATE9: Domain zadnik270809 .com - Email: has been suspended.

UPDATE8: Koobface has reactivated itself once again at - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for the automated compromise of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/ which loads zadnik270809 .com/ and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP takedown are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news, considering that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the takedown by once again moving to China, (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface's campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.

UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php ( Email: Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/ redirects to the actual IP /redirectsoft/go/fb2.php with, /1/prx90.exe and /prx90.exe as phone-back locations. Two new components are dropped, DDnsFilter.dll (MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB) and DnsFilter.sys (MD5: 0x30DD915396E46824DA92FE70485F7CF8), which prevent infected users from reaching antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn't shut down, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding, thanks to the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from the same directory - /0x3E8/. is in the process of being shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited confirms that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface have to do with a legendary cocoa cream wafer, Koukou Roukou, sold in the 90's? It's one of the new domains introduced over the past seven days (kukuruku-290709 .com, now offline thanks to community efforts).

What is the Koobface gang up to anyway? Although they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php ( to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), and interestingly, they did so with all of their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll simply register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the raw IP of their hosting provider, once again requiring direct ISP action instead of the domain registrar's.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: was parked at
- kukuruku-290709 .com - Email: was parked at
- superturbo20090809 .com - Email: was parked at (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: was parked at (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- - Email: was parked at

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com -
- xtsd20090815 .com - - Email:
- boomer-110809 .com -
- upr200908013 .com - - Email:
- suz11082009 .com - - Email:
- upr0306 .com - China Unicom Guangdong province network - Email:
- findhereandnow .com - - Email:

The CAPTCHA-solving process on behalf of the infected victims is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
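As an added example (not from the original post and not the Koobface gang's own code), here is a small Python triage script that turns the indicators quoted in the updates above into checks over proxy log lines: the fb_*.php redirectors, the captcha7.dll polling URLs, the /0x3E8/ fake Facebook directory, the prx*.exe payload names, raw-IP hosts, and the date stamps the gang embeds in its domain names (kukuruku-290709, glavnij20090809, masa31082009, rect08242009). The sample log lines and the 203.0.113.0/24 addresses are constructed, standing in for the IPs redacted on this page, and the one-line log format is an assumption; the 2008-2010 year window for the date heuristic is likewise an assumed tuning value.

```python
"""Koobface indicator triage over proxy log lines."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# URL patterns quoted in the updates above: the fb_*.php redirectors
# (/redirectsoft/go/fb_s.php, /go/fb2.php, /go/fb_w.php), captcha7.dll's
# polling URL (/cap/?a=get&i=N&v=7), the /0x3E8/ directory serving the fake
# Facebook page, and the prx90.exe / v2prx.exe payload names.
PATH_INDICATORS = (
    ("redirector", re.compile(r"/go/fb\w*\.php$")),
    ("captcha_poll", re.compile(r"^/cap/\?a=get&i=\d+&v=\d+$")),
    ("fake_fb_dir", re.compile(r"^/0x3E8/")),
    ("payload", re.compile(r"/(?:v2)?prx\d*\.exe$")),
)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Date layouts the gang used in its domain labels: kukuruku-290709 (DDMMYY),
# glavnij20090809 (YYYYMMDD), masa31082009 (DDMMYYYY), rect08242009 (MMDDYYYY).
_DATE_LAYOUTS = {6: ("%d%m%y",), 8: ("%Y%m%d", "%d%m%Y", "%m%d%Y")}
# Assumed simplified log format: "<timestamp> <client> <method> <url> <status>".
_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    status: int
    reasons: List[str]


def embedded_date(label: str, year_min: int = 2008, year_max: int = 2010) -> Optional[str]:
    """ISO date embedded at the end of a domain label, or None.

    An ambiguous 8-digit run (11082009: 11 Aug or 8 Nov?) resolves to the first
    layout that parses; the year window throws out accidental matches.
    """
    m = re.search(r"(\d+)$", label)
    if not m:
        return None
    digits = m.group(1)
    for layout in _DATE_LAYOUTS.get(len(digits), ()):
        try:
            parsed = datetime.strptime(digits, layout)
        except ValueError:
            continue
        if year_min <= parsed.year <= year_max:
            return parsed.date().isoformat()
    return None


def classify_url(url: str) -> List[str]:
    """All Koobface indicators a single URL matches (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path + ("?" + parts.query if parts.query else "")
    reasons = [name for name, rx in PATH_INDICATORS if rx.search(path)]
    if _IPV4.match(host):
        reasons.append("raw_ip_host")  # the gang fell back to bare IPs once domains were pulled
    else:
        for label in host.split("."):
            stamp = embedded_date(label)
            if stamp:
                reasons.append("date_stamped_domain:" + stamp)
                break
    return reasons


def triage(log_text: str) -> List[Finding]:
    """One Finding per log line that matches at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        reasons = classify_url(url)
        if reasons:
            findings.append(Finding(ts, client, url, int(status), reasons))
    return findings


def suspects(findings: List[Finding], min_kinds: int = 2) -> Dict[str, Set[str]]:
    """Clients that hit at least min_kinds distinct indicator types."""
    per_client: Dict[str, Set[str]] = {}
    for f in findings:
        per_client.setdefault(f.client, set()).update(r.split(":")[0] for r in f.reasons)
    return {c: kinds for c, kinds in per_client.items() if len(kinds) >= min_kinds}


# Constructed sample (not from the post); 203.0.113.0/24 is a documentation
# range standing in for the botnet IPs redacted on this page.
SAMPLE_LOG = """\
2009-08-24T10:00:01Z 10.1.2.3 GET http://snimka31082009.com/ 302
2009-08-24T10:00:02Z 10.1.2.3 GET http://203.0.113.10/redirectsoft/go/fb_w.php 200
2009-08-24T10:00:03Z 10.1.2.3 GET http://203.0.113.10/0x3E8/index.html 200
2009-08-24T10:00:09Z 10.1.2.3 GET http://web.reg.md/1/v2prx.exe 200
2009-08-24T10:05:00Z 10.1.2.3 GET http://piupiu-110809.com/cap/?a=get&i=2&v=7 200
2009-08-24T10:05:01Z 10.1.2.7 GET http://www.facebook.com/home.php 200
2009-08-24T10:05:02Z 10.1.2.7 GET http://example.com/go/fb2.php 404
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h.client, h.url, ", ".join(h.reasons))
    print("suspects:", suspects(hits))
```

Run it as a script to print the matching lines and the clients that tripped two or more indicator types; point `triage` at a real proxy export after adapting `_LOG_LINE`. The date-stamp heuristic is a triage signal rather than proof, since plenty of legitimate sites also put dates in hostnames, which is why `suspects` asks for more than one kind of indicator per client before calling it out.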

BlueConnex Ltd has been notified. The Koobface gang continues to enjoy the largest market share of systematic Web 2.0 abuse.

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


Tuesday, August 18, 2009

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

AltusHost Inc, the company whose services were exclusively used in the U.S Federal Forms themed blackhat SEO campaign serving scareware, has finally responded to the abuse notifications sent seven days ago, stating that "the sites have been terminated". Such a slow response once again shows that dysfunctional abuse departments extend the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulation during the past week - thwovretgi .com - - Email:; shtifobpy .com - - Email:; vodcotha .com - - Email:; stromiko .com - Email:; ceslyemsof .com - - Email:; ejeifyevy .com - - Email:; kuhatjidd .com - - Email:)

How did the cybercriminals respond? By proving that this blackhat SEO campaign was well planned and coordinated long before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, evidently the result of a compromise at Web Hosting Mania since all of the affected legitimate sites are hosted there, a growing portfolio of .cc TLD domains, automated abuse of free services such as;;;, and the systematic pushing of new scareware variants and redirector/scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only have the blackhat SEO themes expanded into the typical randomly generated junk that public search engines naturally crawl, but according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referrals for one particular domain coming from and 31.97% from Google - their tactics are already hijacking millions of users.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:
  • U.K based hosting provider Web Hosting Mania appears to be compromised, since all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated twice in a 24-hour period
  • all the scareware samples continue phoning back to several domains parked at
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"

Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com .uk .uk
midfleet .com .uk .uk .uk .uk .uk .uk .uk .uk .uk .uk
mythagostudios .com .uk .uk .uk .uk .uk

Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:
agjjgtfyi .cc - Email:
ckckoo .cc - Email:
eunlabkce .cc - - Email:
ewjwjiavg .cc - - Email:
fgodvsli .cc - - Email:
fyecdizt .cc - Email:
hgzondsul .cc - - Email:
iiuuoo .cc - Email:
ijnteqc .cc - - Email:
irolopl .cc - - Email:
jglcbngvu .cc - - Email:
jpydmee .cc - - Email:
kdwwwwon .cc - - Email:
kgowncgi .cc - - Email:
lmhhsnd .cc - - Email:

mezkopq .cc - - Email:
mvsoomw .cc - - Email:
njfgfbd .cc - - Email:
nsdgkrge .cc - - Email:
nselkss .cc - - Email:
owudfnay .cc - - Email:
pfjfsiunt .cc - - Email:
piqvrrugd .cc - - Email:
rroiqbznj .cc - - Email:
ssyydqyh .cc - - Email:
sucdugon .cc - - Email:
tftrwxlg .cc - - Email:
tirtop .cc - - Email:

uclrwpyp .cc - - Email:
uomfchbj .cc - - Email:
vrmmnicl .cc - - Email:
vtgisihjy .cc - - Email:
vwyldlbe .cc - - Email:
vzlbamuvs .cc - - Email:
wgyxrmtld .cc - - Email:
xisuuzos .cc - - Email:
xlkzmqiw .cc - - Email:
zirtop .cc - Email:
zmtkpugbz .cc - - Email:
zncutvk .cc - - Email:

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net -
sivezo .net -
mipola .net -
kowipe .net -
kerobo .net -
gelupe .net -
fuquwe .net -
hyduve .net -
bisehu .net -
wypule .net -
xylucy .net -
xulady .net -
lyqyte .net -

nimygu .net -
zuziki .net -
symiza .net -
msrxdk .com - - Email:
kimuka .net - - Email:
ylkbin .com -

Portfolio of scareware domains participating in the blackhat SEO campaign, parked at;;;;;;;;;;;;;;;
antispywaretotalscan9 .com -;; - Email:
antispywaretotalscan5 .com - Email:
antispywaretotalscan6 .com - Email:
antispywaretotalscan8 .com - Email:
antispywaretotalscan9 .com - Email:
delete-all-virus05 .com - Email:
delete-all-virus07 .com - Email:
delete-all-virus09 .com - Email:
delete-all-virus03 .com -;;; - Email:
clean-all-spyware10 .com - Email:
remove-all-adware01 .com - Email:
clean-all-spyware01 .com - Email:
fast-virus-scan2 .com - Email:
remove-all-spyware03 .com - Email:
fast-virus-scan4 .com - Email:
clean-all-spyware05 .com - Email:
best-virus-scanner5 .com - Email:
remove-all-spyware07 .com - Email:
fast-virus-scan7 .com - Email:  
005threats-scanner .com
09computerquickscan .com
005yourprivatescanner .com
online-systemscan .net - Email: 
best-spyware-scan01 .com - Email:
online-antivir-scan09 .com - Email:
checkviruszone .com - Email:

guardsearch .net - Email:
protection-check07 .com - Email:
malwareinternetscanner03 .com - Email:
best-spyware-scan03 .com - Email:
antispywarescanner08 .com - Email:
antivirusonlinescan03 .com - Email:
quick-virus-scanner02 .com - Email:
securedlivescan .com
superb-virus-scan09 .com - Email:
superb-antivir-scan01 .com
- Email:
intellectual-vir-scan09 .com
- Email:
intellectual-vir-scan08 .com
- Email:
private-antivirus-scannerv2 .com
- Email: 
reliable-scanner01 .com - Email:
superb-virus-scan07 .com - Email:
antivirus-online-scan8 .com - Email:
best-antivirus3 .com - Email:
live-virus-scanner5 .com - Email:
antivirus-online-scan4 .com - Email:
antispyware-scanner5 .com - Email:
antivirus-online-scan5 .com - Email:
live-virus-scanner7 .com - Email:

clean-all-spyware .com - Email: 
getyoursecuritynowv2 .com - Email:
getyourantivirusv3 .com - Email:
getyourpcsecurev3 .com - Email:
antivirus-scannerv12 .com - Email:
safeonlinescannerv4 .com - Email:
check-for-malwarev3 .com - Email:
check-your-pc-onlinev3 .com - Email:
searchurlguide .com - -
securitypad .net - - Email:
prestotunerst .cn - - Email:
officesecuritysupply .com - Email:
securityread .com - Email:
scanasite .com - Email:
cheapsecurityscan .com - Email:
securitysupplycenter .com - Email:
best-folder-scanv3 .com - Email:
online-best-scanv3 .com - Email:
online-defenderv9 .com - Email:
antispyware-live-scanv3 .com - Email:
antispywarelivescanv5 .com - Email:

antispyware-online-scanv7 .com - Email:
basicsystemscannerv8 .com - Email:
bestpersonalprotectionv2 .com - Email:
bestpersonalprotectionv7 .com - Email:
computer-antivirus-scanv9 .com - Email:
fastvirusscanv6 .com - Email:
govirusscanner .com - Email:
mysafecomputerscan .com - Email:
onlineantispywarescanv6 .com - Email:
online-antivir-scanv2 .com - Email:
onlinebestscannerv3 .com - Email:
onlinepersonalscanner .com - Email:
onlineproantivirusscan .com - Email:
online-pro-antivirus-scan .com - Email:

onlineproantivirusscanner .com - Email:
online-secure-scannerv2 .com - Email:
personalantivirusprotection .com - Email:
personalfolderscanv2 .com - Email:
premium-antispy-scanv3 .com - Email:
premium-antispy-scanv7 .com - Email:
premium-antivirus-scanv6 .com - Email:
private-antivirus-scannerv2 .com - Email:
privatevirusscannerv8 .com - Email:
secure-antispyware-scanv3 .com - Email:
securepersonalscanner .com - Email:
secure-spyware-scannerv3 .com - Email:
secure-virus-scannerv5 .com - Email:
securityfolderprotection .com - Email:
spyware-scannerv2 .com - Email:
spywarescannerv4 .com - Email:

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain, pencil-netwok .com (; parked there are the rest of the phone-back locations for the remaining scareware samples, such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com.

A second sampled scareware phones back to a different location - Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net

New/historical redirection domains used in the campaign, this time parked at locations as noted:
cnn-bcc2 .com - - Email:
issuenews1 .com - Email:
headlinenews2 .com - Email:
usdisturbed .cn - Email:
milesdavisorland .cn - Email:
usaworkinghard .cn - Email:
nationaltreasure .cn - Email:
milesdavisorland .cn - - Email: 
we-accepted .cn - Email:
myth-busters .cn - Email:
russell-brand .cn - Email:
willsmithinc .cn - Email:
dirty-dancing .cn - Email:
sex-and-the-city .cn - Email: 
clicksick .cn - - Email:
doubleclicknet .cn - - Email: 
shrekmovie .cn - Email:
radioheadicon .cn - Email:
batman-comics .cn - Email:
beststarwars .cn - Email:
mashroomtheory .cn - Email:
space2009city .cn - Email:
messengerinfo .cn - Email:
greattime2009 .cn - Email:
iwanttowin .cn - Email:
hardnut .cn - Email:
sitemechanics .cn -
exceldocumentsinfo .cn - Email:
chinafavorites .cn - Email:
best-live-lottery .cn - Email:
adeptofmastery .cn - Email:
trytowintoday .cn - Email:
bulkdvdreader .cn - - Email:
style-everywhere .com - - Email: 
clicksick .cn - - Email: 
supportyourcountry .cn - Email:
wheels-on-fire .cn - - Email:
stillphotoshots .cn - - Email:
delayyouranswer .cn - Email:
getbestsales .cn - Email:
library-presents .cn - Email:
in-t-h-e .cn - (Layered Technologies, Inc.) - Email:
bestwishestoyou .cn - - Email:
library-presents .cn - - Email:
getbestsales .cn - - Email: 
aware-of-future .cn - Email: 
nothing-to-wear .cn - Email:
newsmediaone .com - - Email:
bapoka .net -
stylestats1 .net - - Email:
luckystats .org - Email:
luckystats1 .com - Email:
lifewepromote .cn - Email:
securecommercialnews .cn - Email:
snowboard2009 .cn - Email:
nothern-ireland .cn - Email:
goldensunshine .cn - Email:
steplessculture .cn - Email:
vipsoccermanager .cn - Email:
b2b-forums .cn - Email:
rondo-trips .cn - Email:
mywatermakrs .cn - Email:
gazsnippets .cn - Email:
bestvanillaresorts .cn - Email:
personalrespect .cn - Email:
consensualart .cn - Email:
yourholidaytoday .cn - Email:
guidetogalaxy .cn - Email:

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - - Email:
triwoperl .com - - Email:
tropysearch .us - - Email:
glorys .info (glorys .info/red/cube.js) - - - Email:
funnyblogetc .info/go.php - - Email: - its front page currently relies on JavaScript obfuscation; deobfuscated, it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query= - deja vu again, since fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions will continue, with an emphasis on the RBN connection from a related blackhat SEO campaign last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


Monday, August 10, 2009

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

UPDATE2: New scareware domain is in rotation - antispywarelivescanv5 .com -;;;;; - Email: Redirection takes place through consensualart .cn - - Email: 

UPDATE: Four new domains have been introduced, again using the services of AltusHost Inc. (AS44042):

thwovretgi .com - - Email:
hernewdy .com - - Email:
shtifobpy .com - - Email:
vodcotha .com - - Email:

The redirection takes place through mywatermakrs .cn - - Email:

Following the takedown of the blackhat SEO domains used in the campaign dissected last week, the group has introduced new domains alongside new redirectors and, most interestingly, has started using compromised/misconfigured legitimate sites in an attempt to extend the campaign's lifecycle by making it takedown-proof.

New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting services:
fifiopod .com - - Email:
trodlocho .com - - Email:
ickgetaph .com - - Email:
igecanneg .com - - Email:
somveots .com - - Email:
memodreydi .com - - Email:
jejnahob .com - - Email:
nuwofteuz .com - - Email:
hyhoppeo .com - - Email:
egnegvufvu .com - - Email:
lauzpeog .com - - Email:
sniozeanvo .com - - Email:
hebmipenn .com - - Email:

The cybercriminals are also attempting to use a well proven tactic - occupying as many search engine results as possible for a particular hijacked word by using identical blackhat SEO junk content at multiple domains. A similar attempt was successfully executed in January, 2009's search results poisoning campaign at Google Video, where the first ten results for a particular keyword were all malicious in their nature.

The compromised/misconfigured legitimate sites used in the campaign are serving dynamic javascript obfuscations. Here's a list of ones currently in use:
ali.zaher.101main .com
averder.cwsurf .de .uk .uk
britishbaits .com .uk .uk .uk .uk .uk .uk
childrenofthedrone .net .uk
chris-hillman .com .uk
christine-pearson .com .uk .uk .uk .uk .uk
dak.crep01.linux-site .net .uk .uk
fet.jujas.myftpsite .net
tferh.mi-website .es

The campaign continues switching between different redirectors parked at for instance:
rondo-trips .cn
gazsnippets .cn
besthockeyteams .cn
allfootballmanager .cn
rollerskatesadvise .cn

honda-recycle .cn - used in the previous campaign
nothern-ireland .cn
discovernewchina .cn

An updated portfolio of scareware/fake security software, parked at;;;; has been introduced:
bestpersonalprotectionv2 .com
onlinesecurescannerv3 .com
basicsystemscannerv3 .com
onlinebestscannerv3 .com
basicsystemscannerv6 .com
bestpersonalprotectionv7 .com
basicsystemscannerv8 .com
thankyouforscan .com
onlinepersonalscanner .com
basicsystemscanner .com
onlineproantivirusscanner .com

personalantivirusprotection .com
internetantivirusscanner .com
govirusscanner .com
iwantsweepviruses .com
personalfoldertest .com

Sampled scareware once again phones back to the thebigben .cn - Email: and june-crossover .com - Email:, with more scareware parked there - purchuase-premium-software .com - Email:; livepaymentssystem .com - Email:; secure.livepaymentssystem .com - Email:; purchuasepremiumprotection .com - Email:

Evasion techniques are again in place, however this time they end in a Russian Business Network deja vu moment from 2008. In March 2008, ZDNet Asia and TorrentReactor, followed by a large number of other high profile, high PageRank sites, started acting as intermediaries for scareware campaigns, among the first such abuse of legitimate sites for scareware serving purposes.

The compromised/misconfigured web sites participating in this latest blackhat SEO campaign are, surprisingly, redirecting to /wtr/router.php - - Email: - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the HTTP referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was used in the same fashion in March 2008's massive blackhat SEO campaigns serving scareware.


Thursday, August 06, 2009

Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware

During the past 24 hours, a blackhat SEO campaign has been hijacking U.S Federal Forms related keywords in an attempt to serve scareware.

What's particularly interesting about the campaign is that the Ukrainian fan club behind it -- you didn't even think for a second that there's no connection with their previous campaigns, did you? -- is using basic segmentation principles, since the tax form keyword poisoning is attempting to hijack U.S traffic. Evasive practices are also in place through the usual HTTP referrer check, which serves the scareware only if the visitor is coming from the expected referrer; if not, a 404 error message appears.
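Verifying the referrer check described above (and the /wtr/router.php fallback described in the August 10 post for the same campaign) from the analyst's side, as an added example that is not the post's own tooling: fetch the same URL once without a Referer and once with a search-engine Referer, then compare status and final location. The `fetch` callable is injectable so the block runs offline against a simulated site; the Google search Referer string, the `compromised.example` / `honest.example` / `.invalid` names and the simulated responses are assumptions constructed for the demo.

```python
"""Referer-cloaking probe: does a page answer differently with a search-engine Referer?"""
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError

# A fetcher takes (url, referer) and returns (status, final_url). Keeping it
# injectable lets the comparison logic run offline and keeps live probing explicit.
Fetcher = Callable[[str, str], Tuple[int, str]]

# Assumed referer to test with: the campaign poisons search results, so a
# search-engine referer is what the cloaking logic expects to see.
SEARCH_REFERER = "http://www.google.com/search?q=federal+tax+forms"


def urllib_fetch(url: str, referer: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Live fetcher (follows redirects). Only run this from an isolated analysis host."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except HTTPError as err:
        # 404 is exactly the signal we are looking for, so report it instead of raising
        return err.code, err.geturl()


def simulated_fetch(url: str, referer: str) -> Tuple[int, str]:
    """Offline stand-in modelled on the post: 404 for direct visitors, a hop to
    the traffic-management go.php redirector for search-engine referrals.
    Host names here are invented for the demo."""
    if url.startswith("http://compromised.example/"):
        if "google." in referer:
            return 200, "http://redirector.invalid/go.php?id=2017"
        return 404, url
    return 200, url


def probe_cloaking(url: str, fetch: Fetcher = simulated_fetch) -> Dict[str, object]:
    """Fetch url without a Referer and with SEARCH_REFERER; flag any difference.

    Both behaviours seen in the campaign (a 404 for direct visitors, or a
    redirect to /wtr/router.php) show up as differing (status, final_url) pairs.
    """
    plain = fetch(url, "")
    referred = fetch(url, SEARCH_REFERER)
    return {
        "url": url,
        "without_referer": plain,
        "with_referer": referred,
        "cloaked": plain != referred,
    }


if __name__ == "__main__":
    for target in ("http://compromised.example/irs-form-1040.html", "http://honest.example/"):
        print(probe_cloaking(target))
```

To probe a real site, pass `fetch=urllib_fetch`; do so only from an isolated analysis box, since a positive result means you just fetched the scareware redirect. A page that legitimately varies by Referer is rare, so a differing pair is a strong cloaking signal, but confirm by also comparing the response bodies before reporting the site to its host.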

Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used - honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - Email: Parked on the same IP are also related malware/scareware domains:

winsoftwareupdatev2 .com - Email:
much-in-love .com - Email:
i-dont-care-much .com - Email:
malwareurlblock .com - Email:
bennysaintscathedral .com - Email:
browsersecurityinfo .com - Email:
windowssecurityinfo .com - Email:
ringtone-radio .com - Email:
events-team-manager .com - Email:
1worldupdatesserver .com - Email:
discovernewchina .cn - Email:
rollerskatesadvise .cn - Email:
allfootballmanager .cn - Email:
hardwarefactories .cn - Email:
besthockeyteams .cn - Email:
gowildtours .cn - Email:

The malicious domains used -- with two exceptions -- are all parked at AltusHost Inc./ALTUSHOST-NET. Here's the complete list:
tebdigasbi .com - - Email:
kraijfaw .com - - Email:
reychohica .com - - Email:
fequervo .com - - Email:
ukaszohat .com - - Email:
buwrynko .com - - Email:
fetholye .com - - Email:
pasbirrada .com - - Email: - legitimate - legitimate

The people behind the campaign have also kept contingency planning in mind, since the scareware domain portfolio is parked on five different IPs - no-spyware-thanks .com -;;;; Email: The complete list:


Two scareware samples collected during the past 24 hours phone back to goldmine-sachs .com (a Goldman Sachs typosquat) and to june-crossover .com. In regard to, the "fan club" used it to host scareware in its June campaigns.

AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.

This post has been reproduced from Dancho Danchev's blog.

Wednesday, August 05, 2009

Scareware Template Localized to Arabic

A "new tactic" is supposedly being used, a Blue Screen of Death scareware template, with a single fact missing "for the record": the template is old. I came across it on June 17th, and Marshal8e6 featured it even earlier, on the 12th of June.

What's new on the template front in respect to scareware is what will inevitably start taking place across all market segments of the underground economy in the long term: market segmentation and localization, namely translating the malware/spam/phishing templates into the native language of the prospective victims.
A decent example is the first ever template of the popular "My Computer Online Scan" fake scanning screen localized to Arabic - scan-online (

The last time localization of fake security software was actively taking place was in April, 2008, and the campaigners back then also localized the domain names next to the actual content.

This post has been reproduced from Dancho Danchev's blog.

Tuesday, August 04, 2009

Movement on the Koobface Front

Now that the Koobface gang is no longer expressing its gratitude for the takedown of its command and control servers, the group has put its contingency planning into action, thanks to the purposely slow reaction of UKSERVERS-MNT's ( abuse department.

Next to the regular updates (web.reg .md/1/websrvx2.exe; prx.exe), the group introduced two new domains and started taking advantage of two more IPs for its main command and control server. upr0306 .com now responds to IPs in:
- AS22298 - Distinctio Ltd, Netherlands
- AS42831 - UKSERVERS-AS UK Dedicated Servers Limited
- AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN

The same infrastructure also hosts the two new domains introduced - pam-220709 .com and ram-220709 .com - with ram-220709 .com/go/?pid=30909&type=videxpgo.php?sid=4&sref= redirecting to the Koobface botnet.

Interestingly, ( was also used in the blackhat SEO campaigns from June/July, with warwork .info and tangoing .info parked there.

Related posts:
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.

Managed Polymorphic Script Obfuscation Services

Cybercriminals understand the value of quality assurance, and have been actively running business models on top of it for the past two years.

From the multiple offline antivirus scanners built on pirated software, through the online detection-rate checking services that allow scheduled URL scans with notification once an antivirus vendor starts detecting the sample, to the underground alternatives to VirusTotal that verify whether a release bypasses multiple firewalls, cybercriminals are actively benchmarking and optimizing their releases before launching yet another campaign.

A newly launched service aims to port a universal managed malware feature on the web - the polymorphic obfuscation of malicious scripts in an attempt to increase the lifecycle of a particular campaign.

Interestingly, due to the obvious software piracy within the cybercrime ecosystem, which has allowed proprietary malware tools to leak in the wild, the service is using a particular malware kit's JavaScript obfuscation routines and is running a business model on them.

For the time being, it relies on three obfuscation algorithms: HTMLCryptor only - used 56 times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY obfuscation service also checks and notifies the cybercriminal over ICQ when his IPs and domain names have been blacklisted by Google's Safe Browsing, as well as by Spamhaus, and more checks against public malware domain/IP databases are on the developer's to-do list.

The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is attempting to monetize a commodity feature already available to cybercriminals through the managed updates that come with the purchase of a proprietary web malware exploitation kit, it's not a fad, since it fills the DIY niche, where the variety of the algorithms offered and their actual quality will spell either the doom or the rise of the service.

This post has been reproduced from Dancho Danchev's blog.