Friday, September 25, 2009

Dissecting September's Twitter Scareware Campaign

UPDATE:  4 hours after notification, Twitter has suspended the remaining bogus accounts. Until the next time, when the reCAPTCHA recognition gets cost-effectively outsourced for automatic scareware-serving purposes.

Over the last couple of days, my Ukrainian "fan club" -- fan club in a sarcastic sense due to the love, more love, even more love and gratitude shown so far -- has once again started abusing Twitter by automatically generating bogus accounts that tweet scareware-serving links while syndicating Twitter's trending topics.

This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cybercrime enterprise, is done "in between" the rest of their malicious activities. What's worth pointing out is that just like the most recent malvertising campaign at NYTimes.com, the Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, making it fairly easy to establish connections between these and the ongoing Twitter campaign.


By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 80 tweets have been published per single account. Here's the most recent list of currently active Twitter accounts tweeting scareware links:
twitter.com /verina1238
twitter.com /knab190
twitter.com /zastrow994
twitter.com /gustave12
twitter.com /trautwein9975
twitter.com /reinke341
twitter.com /ordella509
twitter.com /lysa380
twitter.com /weinhold344
twitter.com /wachsmann1541

twitter.com /weishaupt917
twitter.com /scheid1265
twitter.com /fitz1677
twitter.com /falkner425
twitter.com /opel1409
twitter.com /rasche1401
twitter.com /schlecht1581
twitter.com /verina1238
twitter.com /perahta985



The accounts are relying on identical short URLs, with the following ones still active and in circulation:
tinyurl.com /lyby2r
tinyurl.com /nx39k8
tinyurl.com /lyby2r
tinyurl.com /mnbfox
tinyurl.com /msjjv8
tinyurl.com /mj5wju
tinyurl.com /mxg2vo
tinyurl.com /m656h7
tinyurl.com /nffkly
xrl.us /bfnpv7
xrl.us /bfnsa8
xrl.us /bfny8e
xrl.us /bfnnu4
xrl.us /bfnzkk
a.gd/ 6af3fe
a.gd/ 649be
a.gd/ f6b7f5
a.gd/ 0abe74
is.gd/ 3AoRZ
is.gd/ 3A5DD
is.gd/ 3AUVc
is.gd/ 3BZqa
is.gd/ 3C4lU


The short URLs rely on several redirectors to finally land the end user on a scareware site, such as securityland .cn and imagination-1 .com:

securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP are also:
abclllab .com
0lenfo .com
ynoubfa .cn
protectinstructor .cn
immitations-all .net
1limbo .net

imagination-1 .com - 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on the same IP are also:
bombas10 .com
graves111 .com
iriskas .com
yvicawo .cn


Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware domains pushed in the ongoing U.S Federal Forms Themed Blackhat SEO Campaign have been registered using it; that very same blackhat SEO campaign, whose central redirectors a-n-d-the .com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 72.21.41.198 - (hosted by Layered Technologies, Inc.) mimic the campaign structure of 2008's massive input validation abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns.

Moreover, the same email has been used to register two of the "phone-back" domains for the scareware pushed in the blackhat SEO campaign and the NYTimes.com malvertising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and securemysystem .net - Email: gertrudeedickens@text2re.com.

The following scareware domains are not just used within the Twitter campaign; some of them have also been detected as part of blackhat SEO campaigns:
ekevuc .cn - 64.213.140.68
windowspcdefender .com
smart-virus-eliminator .com
fast-systemguard .net
opyhila .cn
riwryse .cn
adijef .cn
dunhah .cn
idisuan .cn
wobcyn .cn
upuoro .cn
ucyilwo .cn
ogywuep .cn
adaengu .cn
taziqow .cn
zerkauz .cn


ejavone .cn - 64.213.140.69
fastsystem-guard .com
windowsguardsuite .com
windowssystemsuite .com
winsecuritysuite-pro .com
windows-protectionsuite .net
malwarecatcher .net
fast-scan-protect .net
fastscansecure .net
goryhe .cn
pyzuhme .cn
zydfaqe .cn
ahoize .cn
abonyag .cn
abenapi .cn
otobym .cn
abicoym .cn
nepsoym .cn
byzfalo .cn
pywudar .cn
qucgyit .cn
dahokxu .cn
lylbaov .cn
cusryw .cn



fast-scanandprotect .net
fastscanonline .com
fastsearch-secure .com
fast-systemguard .net
go-scanandsecure .net
goscan-protect .com
go-searchandscan .com
guardmyzone .net
mynewprotection .net
my-newprotection .net
my-officeguard .com
my-officeguard .net
myprotectedsystem .com
myprotected-system .com
my-protectedzone .net
myprotectionshield .com
myprotectionzone .com
my-protectionzone .com
my-protectionzone .net
myprotection-zone .net
my-saerchsecure .com
my-safetyprotection .com
my-systemprotection .net
mysystemsafety .com
my-systemscan .com
my-systemscanner .com
mysystemsecurity .com
new-scanandprotect .com



newscan-andprotect .net
new-systemprotection .com
online-scanandsecure .net
online-securescanner .net
online-systemscan .com
onlinesystemscan .net
protectand-secure .com
protectionsearch .com
safetyshield .net
safetysystem-guard .com
scanonline-protect .com
scan-system .net
scanvirus-online .net
searchandscan .net
search-scanonline .net
searchsecureguard .net
secure-systemguard .net
system-guard .net
systemguard-zone .com
systemguard-zone .net
systemprotected .net
systemscan-secure .net
trust-systemprotect .com
trust-systemprotect .net
trustsystem-protection .com
trust-systemprotection .net
windows-protectionsuite .net
windows-systemguard .net
windows-virusscan .net
winprotection-suite .com


Sampled scareware also phones back to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com. The same phone-back domain was used in the scareware sampled from the NYTimes.com malvertising attack, and the same email also belongs to a scareware domain (mainsecsys .info) listed in the Diverse Portfolio of Fake Security Software - Part Twenty Two for July.
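The registrant-email and shared-IP pivots used throughout this post (the gertrudeedickens@text2re.com and 64.86.25.20x links above) can be automated. The following Python script is an added example, not code from the original post: it parses indicator lines written in the post's defanged "domain .tld - IP - Email: ..." style, lets bare domains inherit the IP of a preceding "Parked on the same IP are also:" line, and walks shared emails and IPs to find every domain transitively linked to a starting one. The SAMPLE text is a constructed excerpt of the lists above; the function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed excerpt in the defanged style used by the post:
# "domain .tld - IP - Email: ..." lines, some followed by domains parked on that IP.
SAMPLE = """\
securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP are also:
abclllab .com
0lenfo .com
imagination-1 .com - 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on the same IP are also:
bombas10 .com
windowsprotection-suite .net - Email: gertrudeedickens@text2re.com
securemysystem .net - Email: gertrudeedickens@text2re.com
mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com
"""

PARKED_MARKER = "Parked on the same IP are also:"

# "name .tld" (defanged with a space before the TLD), then optional " - IP" and " - Email: x@y".
DEFANGED = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*) \.(?P<tld>[a-z]+)"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s*-\s*Email:\s*(?P<email>[\w.+-]+@[\w.-]+\.\w+))?"
)


@dataclass
class Indicator:
    domain: str
    ip: Optional[str] = None
    email: Optional[str] = None


def parse_defanged(text: str) -> List[Indicator]:
    """Refang each 'name .tld' line into name.tld.  A bare domain line inherits the IP
    of the last line that ended with the 'Parked on the same IP' marker; any other
    annotated line resets that context."""
    out: List[Indicator] = []
    parked_ip: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEFANGED.match(line)
        if not m:
            continue
        domain = f"{m['name']}.{m['tld']}"
        if m["ip"] or m["email"]:
            parked_ip = m["ip"] if PARKED_MARKER in line else None
            out.append(Indicator(domain, m["ip"], m["email"]))
        else:
            out.append(Indicator(domain, parked_ip, None))
    return out


def pivot(indicators: List[Indicator]) -> Dict[str, Dict[str, Set[str]]]:
    """Group domains by shared registrant email and by shared hosting IP."""
    by_email: Dict[str, Set[str]] = defaultdict(set)
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for ind in indicators:
        if ind.email:
            by_email[ind.email].add(ind.domain)
        if ind.ip:
            by_ip[ind.ip].add(ind.domain)
    return {"email": dict(by_email), "ip": dict(by_ip)}


def linked_domains(indicators: List[Indicator], start: str) -> Set[str]:
    """Every other domain reachable from `start` through one or more shared
    email/IP attributes (breadth-first walk over the bipartite domain/attribute graph)."""
    attrs_of: Dict[str, Set[str]] = defaultdict(set)
    domains_of: Dict[str, Set[str]] = defaultdict(set)
    for ind in indicators:
        for kind, value in (("email", ind.email), ("ip", ind.ip)):
            if value:
                attrs_of[ind.domain].add(f"{kind}:{value}")
                domains_of[f"{kind}:{value}"].add(ind.domain)
    seen, frontier = {start}, [start]
    while frontier:
        domain = frontier.pop()
        for attr in attrs_of[domain]:
            for other in domains_of[attr]:
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    inds = parse_defanged(SAMPLE)
    for key, groups in pivot(inds).items():
        for value, domains in sorted(groups.items()):
            print(f"{key} {value}: {', '.join(sorted(domains))}")
    print("linked to securemysystem.net:", sorted(linked_domains(inds, "securemysystem.net")))
```

Feeding the full lists from this post through `parse_defanged` yields a refanged blocklist, and `linked_domains` reproduces the chain the text draws by hand: the registrant email ties the phone-back domains to imagination-1 .com, and the hosting IP ties that to the domains parked beside it.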

The cybercrime powerhouse behind all these attacks continues to maintain the largest market share of systematic Web 2.0 abuse, and that includes their involvement in the Koobface botnet.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
The Twitter Malware Campaign Wants to Bank With You
Does Twitter’s malware link filter really work?
Commercial Twitter spamming tool hits the market
Cybercriminals hijack Twitter trending topics to serve malware
Spammers harvesting emails from Twitter - in real time
Twitter hit by multiple variants of XSS worm

This post has been reproduced from Dancho Danchev's blog.

Friday, September 18, 2009

The Ultimate Guide to Scareware Protection



Throughout the last two years, scareware (fake security software) quickly emerged as the single most profitable monetization strategy for cybercriminals. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.

This end-user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, what it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community, taking into consideration the fact that 99% of the current releases rely on social engineering tactics.

This post has been reproduced from Dancho Danchev's blog.

Wednesday, September 16, 2009

Koobface Botnet's Scareware Business Model

UPDATE1: TrendMicro just confirmed the ongoing double-layer monetization of Koobface. Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, followed by two recently updated Koobface components.

The new scareware domains kjremover .info; lrxsoft .info - 212.117.160.21 - Email: niclas@i.ua actually download it from the well known q2bf0fzvjb5ca .cn portfolio, which phones back to the same domains listed previously, with only a slight change in the filename - urodinam .net/8732489273.php. The generic detection rate for the updated components (61.235.117.83 /bin/get.exe; 61.235.117.83 /bin/v2webserver.exe) with get.exe phoning back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular gdehochesh .com/adm/index.php.
 
Just like Conficker, the Koobface botnet is no stranger to the scareware business model and the potential for monetization of the hundreds of thousands of infected hosts.

However, changes made in the campaign structure of the Koobface botnet during the last couple of days indicate that the Koobface gang has embedded a pop-up at each and every host that automatically rotates different scareware brands. They're now officially monetizing the botnet using a scareware business model.

Let's analyze the latest changes introduced by the Koobface gang over the last couple of days and focus on the monetization tactics they have introduced.

Next to insulting, showing gratitude, the Koobface gang also has a (black) sense of humor - within one of the directories at the takedown-proof command and control used by the gang in China (61.235.117.83; at 61.235.117.83/bin in particular) they've left the following message "2008 ali baba and 40, LLC". Ali Baba and the Forty Thieves is a 1944 film based on the original Ali Baba character.

Compared to previous campaigns relying on centralized command and control and redirection points -- making them easy to shut down -- the ongoing Facebook campaigns are dynamically redirecting to IPs within the Koobface network, which combined with their use of compromised legitimate sites is supposed to make the take down of their campaigns a bit more time consuming.

That's, of course, not the case since undermining their monetization approaches undermines the monetary value of their campaigns, which is what they're after this time. The Koobface gang has now embedded a single line within each and every infected host used in the campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, but to also trick them into installing the scareware which is rotated as usual.

dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof page that is part of the botnet and then redirects to the most popular scareware template, the My computer Online Scan.

The first scareware domain used in the last 48 hours, ryacleaner .info/hitin.php?affid=02979 (212.117.160.21; also parked there are eljupdate .info - Email: niclas@i.ua and dercleaner .info - Email: niclas@i.ua), was serving setup.exe, which downloads the actual scareware executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23).

What's so special about this domain? It was last profiled in the A Diverse Portfolio of Fake Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the same IP registered under the same email - robertsimonkroon@gmail.com.

The second scareware domain pushed by Koobface during the last 24 hours, gotrioscan .com/?uid=13301 - 91.212.107.103 - Email: momorule@gmail.com, redirects to plazec .info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com, where the scareware is served. Parked at the same IP is the rest of the scareware domain portfolio pushed by Koobface:

in5id .com
in5ch .com
goscanback .com
goscanlook .com
gofatescan .com
goeachscan .com
gobackscan .com
goironscan .com
gotrioscan .com
ia-pro .com
iantivirus-pro .com
iantiviruspro .com
windoptimizer .com
woptimizer .com
in5cs .com
wopayment .com
in5st .com
zussia .info

plazec .info
gaudad .info
voided .info
gelded .info
tithed .info
botled .info
tented .info
fatted .info
unowed .info
wzand .info
searce .info
prarie .info
meyrie .info


pittie .info
penvie .info
figgle .info
sawme .info
droope .info
haere .info
scarre .info
undeaf .info
adjudg .info
wiving .info
slatch .info


bedash .info
dolchi .info
sighal .info
devicel .info
knivel .info
freckl .info
scrowl .info
usicam .info
spelem .info
vagrom .info
numben .info
speen .info
krapen .info
atwain .info
declin .info
inclin .info
unclin .info
towton .info
grumio .info
stampo .info
extrip .info


polear .info
benber .info
kedder .info
erpeer .info
argier .info
fulier .info
lavyer .info
inquir .info
orodes .info
faites .info
beeves .info
quoifs .info
filths .info
broths .info
nevils .info
swoons .info
sallat .info
apalet .info


reglet .info
camlet .info
plamet .info
hownet .info
fosset .info
cuplift .info
raught .info
holdit .info
unroot .info
unwept .info
anmast .info
ticedu .info
outliv .info
onclew .info
froday .info
mayray .info
tenshy .info
steepy .info
miloty .info
debuty .info
fifthz .info
potinz .info
caretz .info
narowz .info


What do these two scareware executables have in common? It's the phone-back locations that the Koobface gang is using, revealing its participation in a scareware affiliate network called Crusade Affiliates.

The first phone-back location, urodinam.net /dfgsdfsdf .php - 122.224.9.67, adds a .bat file which attempts to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on an hourly basis. The second phone-back location is the Crusade Affiliates network, which shares revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - crusade-affiliates .com/install.php?id=02979 - 85.17.139.149.

The third phone-back location is a direct download attempt of FraudTool.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from 0ni9o1s3feu60 .cn/u4.exe - 220.196.59.23. It's pretty evident that the Koobface botnet is now relying on multiple layers of monetization approaches.

The Koobface gang has been pretty busy during the last couple of days. The following list of Koobface malware spreading domains has been in circulation across social networking sites over the last 48 hours, consisting of a combination of purely malicious and compromised legitimate sites:
3sss .com/youtube.com 
4bond .it/youtube.com 
ac2j .com/freeem0vies
aced1979 .freehostia.com/y0urfi1m
alexandrialocksmith .net/uncens0redvide0 
alpha.kei .pl/amalzlngfi1ms
alruwaithy .com/extrlmeperf0rmans
astoundeddesign .com/privaledem0nstrati0n
awwfuck .me/fuunnyacti0n
baddog.me .uk/uncens0redc1ip
bbckzoo .com/extrlmedwd 
bbckzoo .com/mmyperf0rmans 
be. la/freeefi1ms
bencaputoprinting .com/c00lfi1m 
bicentenario.sc49 .info/mmyfi1m
bighornrivercabins .com/c00lvlds
biskopsto .fo/fantasticm0vie
bloch-data .dk/c00lvlds
bokongerslev .dk/amalzlngm0vie 
bokongerslev .dk/extrlmeacti0n 
book-dalmose .dk/extrlmeperf0rmans
campionariadigalatina .it/youtube.com 
carlamo .com/extrlmec1ip
centerforyourhealth .com/extrlmem0vies 
centralbaptist.org .au/fantasticvide0



certtiletechs .com/fuunnym0vies
cisaimpianti .net/youtube.com 
claykelley .net/extrlmevlds 
claykelley .net/mmyvide0 
clubatleticigualada .com/y0urc1ip
connoro .com/bestsh0w
consignbuydesign .com/fuunnyttube
dkflyt .dk/mmytw
downingfarms .com/bestacti0n
eminfinity.com .au/amalzlngc1ips 
eminfinity.com .au/uncens0redsh0w 
endurancesportscar .com/extrlmem0vies 
epicent .dk/pub1icfi1m 
evaracollin .be/mmyfi1ms
exceleronmedical .com/amalzlngc1ips 
exceleronmedical .com/c00lperf0rmans 
exceleronmedical .com/privalettube/?youtube.com
finolog .com/privalem0vie
fitslim .com/fantasticdem0nstrati0n
gacogop .org/fuunnyc1ips
gamlabodens .se/privaletw 
garagedoorsnow .com/meggadem0nstrati0n
garlicworld .com/mmym0vie 
garlicworld .com/uncens0redperf0rmans


gcillustration .com/extrlmevide0 
germanamericantax .com/pub1icm0vie 
happyholidaychristmastrees .com/uncens0redperf0rmans
horaexata.com .br/c00lc1ip
huffmanfarms .com/fantasticfi1ms
imagequest360 .com/fantasticm0vies 
inartdesigns .com/extrlmevide0
interception .dk/mmyttube
kalender.sttmedia .se/amalzlngdem0nstrati0n 
kartingclubsourdsnamur .be/besttw
kiding.users.digital-crocus .com/mmym0vies
kloerfem .dk/amalzlngsh0w
kracl .com/freeesh0w
kreativdizajn .com/amalzlngvlds

ktvsongs .com/pub1icacti0n 
lonestargcs .com/mmydwd
losangelesfurniture .com/fantasticdem0nstrati0n
lr-online .dk/c00lfi1ms 
lr-online .dk/y0ursh0w 
marketmarkj .com/privalem0vies
martinhorngren .com/privalettube 
meetingpacket .com/youtube.com 
microscoop .net/fantasticttube
momentsbypat .com/pub1icm0vie
mtn-ejendomme .dk/mmyacti0n

nadiottawa .org/pub1icc1ips
naestved-sportscollege .dk/amalzlngacti0n
nicalandnow .com/uncens0redvlds
odyssey-consultants .com/amalzlngvide0 
odyssey-consultants .com/mmym0vie 
onlyfun .se/extrlmec1ip
pridesoccer .com/privalec1ips
quicksilver-direct .com/amalzlngfi1m 
reddoorchina .com/mmyvlds 
relivery .com/extrlmesh0w

ristorocasanova .it/youtube.com 
sanfranciscocookie .com/fantasticfi1ms
sarkos .ch/fuunnyperf0rmans
saudiclubs .org/fantasticvlds
sauipeswimwear .com/c00lm0vie
schoolofhiphop .no/freeefi1ms
senegalinfoservices .com/bestacti0n


squashigualada .com/extrlmevlds
starcraftdream .com/fuunnyvlds
stm.frihost .org/freeefi1m
stringer .no/uncens0redacti0n
sttmedia .se/fantastictw 
taia.com .br/uncens0reddwd
thefurniturewarehouse .net/mmym0vies
theidusshop .com/pub1ictw
thepinflow .com/meggash0w
thorsen-meyer .dk/bestc1ips
tivity .dk/amalzlngm0vie 
tivity .dk/fantasticfi1ms 
tizianamaniezzo .com/fantasticc1ips 
tohva .org/bestacti0n
troop270 .nwsc.org/fuunnydwd
txmurphys .com/c00lfi1m 
tybjerglillebakkervand .dk/privalem0vie
vagnpfisk .dk/privalem0vie
vivaipirovano .com/youtube.com 
xanchise .com/c00lc1ip
yurafting .com/amalzlngvlds


The sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=ldgen&v=14 and bianca.trinityonline .biz/.sys/?action=ldgen&a=590837698&v=14&l=1000&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_tg=0&c_nl=0 - 69.163.147.203 - Email: email@darrenjames.net, with the latest Koobface update modules detected as follows - 61.235.117.83 /bin/v2prx.exe; 61.235.117.83 /bin/pp.12.exe
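The spreading URLs listed above share a leetspeak lure vocabulary (c00l, fi1m, m0vie, vide0, uncens0red, pub1ic, ...), a fake "/youtube.com" path on hosts that are not YouTube, and a phone-back path of the form /.sys/?action=ldgen. As an added example (not the post's code and not the gang's), here is a Python classifier that turns those three patterns into a proxy-log check; the vocabulary regex is reconstructed from the domain list above, the log lines are constructed, and the labels and function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Leetspeak lure vocabulary reconstructed from the spreading URLs above
# (c00lfi1m, uncens0redvide0, privalettube, ...): a constructed regex, not the gang's code.
ADJ = r"(?:c00l|amalzlng|uncens0red|pub1ic|privale|fuunny|extrlme|megga|freee|y0ur|mmy|best|fantastic)"
NOUN = r"(?:fi1ms?|m0vies?|vide0|c1ips?|ttube|dem0nstrati0n|perf0rmans|sh0w|vlds|dwd|acti0n|tw)"
LURE_PATH = re.compile(rf"^/{ADJ}{NOUN}/?$")

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2009-09-16T10:12:03 10.0.0.5 GET http://bbckzoo.com/extrlmedwd 200
2009-09-16T10:12:09 10.0.0.5 GET http://3sss.com/youtube.com 200
2009-09-16T10:12:11 10.0.0.7 GET http://www.youtube.com/watch?v=abc 200
2009-09-16T10:13:40 10.0.0.5 GET http://exceleronmedical.com/privalettube/?youtube.com 200
2009-09-16T10:14:02 10.0.0.9 GET http://example.org/best-practices/ 200
2009-09-16T10:15:30 10.0.0.5 GET http://bianca.trinityonline.biz/.sys/?action=ldgen&v=14 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url: str) -> Optional[str]:
    """Label a URL as a Koobface lure page, a fake /youtube.com lure, or the
    /.sys/?action=ldgen phone-back beacon; None for anything else."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if LURE_PATH.match(path):
        return "koobface-lure"
    # The real site is youtube.com or a subdomain; the lure is that string as a *path*.
    if path == "/youtube.com" and host != "youtube.com" and not host.endswith(".youtube.com"):
        return "fake-youtube-lure"
    if path == "/.sys/" and parse_qs(parts.query).get("action") == ["ldgen"]:
        return "koobface-phone-home"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, label) for every log line that matches one of the patterns."""
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify_url(m["url"])
        if label:
            hits.append((m["client"], m["url"], label))
    return hits


def clients_to_triage(hits: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Labels per client, in log order.  A client that visited a lure and later sent the
    phone-back beacon is a strong infection candidate; a lure alone only warrants a look."""
    grouped: Dict[str, List[str]] = {}
    for client, _url, label in hits:
        grouped.setdefault(client, []).append(label)
    return grouped


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, label in found:
        print(f"{label:22} {client:10} {url}")
    for client, labels in clients_to_triage(found).items():
        verdict = "infected?" if "koobface-phone-home" in labels else "lure only"
        print(f"{client}: {verdict} ({len(labels)} hits)")
```

The host check matters: a request for www.youtube.com is left alone, while the same string as a path on 3sss .com is flagged, which is exactly the trick the list above relies on. The beacon match keys on the path and the action parameter rather than the hostname, so it survives the gang rotating the phone-back domain.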

The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40 , LLC) have not just started monetizing the infected hosts, they're using multiple layers of monetization to do so.

Related posts:
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog.

Monday, September 14, 2009

Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.

Yesterday, NYTimes.com posted a note to readers, confirming that a malvertisement campaign somehow made it onto their web site, resulting in the automatic exposure of users to scareware:

"Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."

Who's behind this malvertising campaign? Let the data speak for itself.

According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).

In the NYTimes.com malvertising attack, that's sex-and-the-city .cn (parked at 94.102.48.29, where the rest of their redirectors are) acting as the redirector leading to the protection-check07 .com scareware, parked on the very same IPs (91.212.107.5; 94.102.51.26; 88.198.107.25) as the rest of the new scareware domains, which are systematically updated once or twice during a 24-hour period, again courtesy of the "fan club".

The last sample in circulation phones back to windowsprotection-suite .net - Email: gertrudeedickens@text2re.com; to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com (which also maintains secure-pro .cn); and to securemysystem .net - Email: gertrudeedickens@text2re.com.

The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, which have already been reported in other malvertising attacks, are also parked on the same IP:
relunas .com - Email: admin@relunas.com
kennedales .com - Email: admin@kennedales.com
harlingens .com - Email: admin@harlingens.com
newadsresults .com - Email: ritaj@gmail.com
waveadvert .com - Email: lindahg@yahoo.com

As always, what would at first seem to be an isolated incident orchestrated by a yet-to-be-analyzed cybercrime gang is in fact a great example of underground multitasking in action, through the convergence of different attack tactics courtesy of a single cybercrime enterprise.

Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at Cleveland.com
Scareware pops-up at FoxNews

This post has been reproduced from Dancho Danchev's blog.

Monday, September 07, 2009

News Items Themed Blackhat SEO Campaign Still Active

According to a blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again popped-up on their radars. The campaign itself has been active since April, when I last analyzed it.

What has changed?

Instead of relying on purely malicious domains, the Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web, and due to the quality of the historical OSINT making it possible to detect their activity -- a practice which prompts them to insult back -- they're also starting to put effort into making it look like it's another group.

However, knowing the tools and tactics that they use, next to their evident efficiency-centered mentality, they continue leaving minor leads that make it possible to establish a direct relationship between the group, the Koobface worm and the majority of blackhat SEO campaigns launched during the last couple of months across the entire Web.

The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign; what's new is the typical dynamic change of the redirectors in place.

Let's dissect a sample campaign currently parked at coolinc.info. Once the HTTP referrer checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in the campaign (bernie-madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js), with generic detection triggered only by Sophos as Mal/ObfJS-CI.

Through a series of redirectors - usanews2009 .com/index.php - 78.46.129.170 - Email: derrick2@mail.ru; newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru; cnnnews2009 .com/index.php - 91.203.146.38 - Email: derrick2@mail.ru - the user is redirected to the scareware domain through justintimberlakestream .com/?pid=95&sid=4e6ffe - 193.169.12.70 - Email: info@zebrainvents.com.

The scareware itself (which phones back to worldrolemodeling .com/?b=1s1 - 193.169.12.71) is dynamically served through 78.46.201.89, 193.169.12.70 and 92.241.177.207, with a diverse portfolio of fake security software domains parked there.

Parked at 92.241.177.207 are:
best-scanpc .com
bestscanpc .org
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
best-scanpc .com
bestscanpc .com
xxx-white-tube .com
rude-xxx-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
1-vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
ns1.megahostname .biz
ns2.megahostname .biz


Parked at 78.46.201.89 (IP used in the U.S Federal Forms themed blackhat SEO campaign) are also:
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
totalspywarescan3 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
antivir-scan-online .com


remove-all-pc-adware .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
megaspywarescan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
warningvirusspreads .com
bewareofvirusattacks .com
secure.web-software-payments .com
warningmalwarealert .com
warningspywarealert .com
warningvirusalert .com


Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
colonizemoon2010 .com
blastertroops2011 .com
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
becomemybestfriend .com
bravemousepride .com
antivir-scan-online .com
emphasis-online .com
justseethisonline .com
futureshortsonline .com


remove-all-pc-adware .com
waitforsunrise .com
funpictureslive .com
justintimberlakestream .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
obbeytheriver .com
obamanewterror .com
warningvirusspreads .com
watch2010movies .com
primeareanetworks .com
investmenttooltips .com
executive-officers .com
newsoverworldhot .com
management-overview .com
justthingsyouneedtoknow .com
criticalmentality .com


In between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html (74.54.176.50; Email: skypixre@nm.ru), leading to sexualporno .ru/admin/red/mwcounter.html. Parked on 74.54.176.50 are related domains that were once using the ddanchev-suck-my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.

Does this admin/red directory structure ring a bell? But, of course. In fact, the ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance, not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 74.54.176.50) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.

The ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check, just like the U.S federal forms themed campaign and the original "Hot News" themed campaigns - if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663"; - and the script also includes a central iFrame from the now known malicious coolinc .info - dash-store.coolinc .info/images/levittpedofil.html, which redirects to 1008.myhome .tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now known justintimberlakestream .com/?pid=42&sid=8f68b5.

The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybercrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with the Koobface botnet.

Monitoring of their campaigns, and take down actions, will continue.

Related posts:
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem

Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:
Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

Thursday, September 03, 2009

SMS Ransomware Displays Persistent Inline Ads


SMS-based micro-payments are clearly becoming the monetization channel of choice for the majority of cybercriminals engaging in ransomware campaigns. The logic behind this emerging trend is fairly simple, and as everything else in the cybercrime underground these days, it has to do with efficiency.

Compared to micro-payments, 2008's monetization channel used by GPcode -- E-gold and Liberty Reserve accounts communicated over email, with cases where the gang wasn't even bothering to respond to infected victims looking for ways to pay the ransom -- looks like a time-consuming and largely inefficient way to "interact" with the victims.


Another recently released SMS-based ransomware showing persistent ads within the browser sessions of infected victims, and demanding a premium-rate SMS for removal, is the very latest indication of the micro-payment monetization channel trend.

The DIY ransomware is offered for sale at $100, with the typical "value-added" services in the form of managed undetected binaries through crypting. Since the command and control interface is web based (php+mysql), the author is actively experimenting with new features such as scheduled display of the ads, an inventory of banners and affiliate program links, and the ability to use multiple SMS numbers next to multiple unlocking codes.

Are the currently active ransomware "vendors" trendsetters or are they still in experimental mode?

The business model of SMS-based ransomware is clearly lucrative, especially in situations where cybercriminals are known to combine two or three different monetization tactics. However, compared to the high profit margins which cybercriminals earn through the scareware business model, SMS-based ransomware remains a developing market segment.

Related posts:
6th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal
Who's Behind the GPcode Ransomware?
Identifying the Gpcode Ransomware Author

This post has been reproduced from Dancho Danchev's blog.