Wednesday, February 03, 2010

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang


With scareware/rogueware/fake security software continuing to be the cash-cow of choice for the Koobface gang, keeping them on a short leash in order to become the biggest opportunity cost for the gang's business model is crucial. The following are currently active blackhat SEO redirectors, redirectors embedded at Koobface-infected hosts, and actual scareware domains courtesy of the gang.

Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector ID (?pid=312s02&sid=4db12f):

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: mail@bristonnews.com.

Sample detection rate for newly introduced scareware samples: Setup_312s2.exe - Result: 3/40 (7.5%), Setup_312s2.exe - Result: 4/39, Setup_312s22.exe - Result: 2/39 (5.13%), Setup_312s2.exe - Result: 6/39 (15.39%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 1/39 (2.56%), Setup_312s2.exe - Result: 3/39 (7.7%), Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 3/41 (7.32%), Setup_312s2.exe - Result: 6/41 (14.63%), Setup_312s2.exe - Result: 11/41 (26.83%), Setup_312s2.exe - Result: 4/42 (9.53%).

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 91.212.226.125 and firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57. The most recent samples (Sunday, February 21, 2010) phone back to firmwaredownloadserver.com /download/winlogo.bmp - 94.228.208.57; shifustserver.com /download/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com

The most recent samples (Friday, February 12, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 109.232.225.75.

The most recent samples (Wednesday, February 24, 2010) phone back to shifustserver.com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and version-upgrade.com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklatestversion.com and fastwinupdates.com.
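An added example (not from the original post) of matching the redirector ID and the phone-back URL traits quoted above in proxy logs regardless of hostname, and of separating clients that were only redirected from clients whose traffic shows the sample's phone-back. The log format, hostnames and client addresses are constructed, and treating any `b=312s<digits>` value as the same tag is an assumption generalised from the three values the post lists.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL traits quoted in the post. Hostnames rotate; these strings recur.
REDIRECTOR_ID = {"pid": "312s02", "sid": "4db12f"}
PHONE_BACK_PATH = "/download/winlogo.bmp"
# The post lists ?b=312s2, ?b=312s and ?b=312s12. Assumption: "312s" plus
# optional digits is the same tag.
AFFILIATE_TAG = re.compile(r"312s\d*")
PHONE_BACK = {"phone-back-bmp", "phone-back-affiliate"}

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """
2010-02-10T09:14:02Z 10.0.0.21 GET http://redirector.example/?pid=312s02&sid=4db12f 302
2010-02-10T09:20:41Z 10.0.0.21 GET http://c2-one.example/download/winlogo.bmp 200
2010-02-10T09:20:42Z 10.0.0.21 GET http://c2-two.example/?b=312s2 200
2010-02-10T09:31:10Z 10.0.0.34 GET http://images.example/download/logo.bmp 200
2010-02-10T09:32:00Z 10.0.0.34 GET http://shop.example/?pid=1001&sid=abc 200
2010-02-10T09:40:17Z 10.0.0.55 GET http://other-redirector.example/?sid=4db12f&pid=312s02 302
"""


def classify_url(url):
    """Return the list of campaign traits a single URL matches."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Both parameters must carry the exact redirector ID, in any order.
    if all(query.get(k) == [v] for k, v in REDIRECTOR_ID.items()):
        hits.append("redirector-id")
    if parts.path.lower() == PHONE_BACK_PATH:
        hits.append("phone-back-bmp")
    # The ?b= phone-back is requested at the site root in the post's URLs.
    if parts.path in ("", "/") and any(
        AFFILIATE_TAG.fullmatch(v) for v in query.get("b", [])
    ):
        hits.append("phone-back-affiliate")
    return hits


def triage(log_text):
    """Map each client to ('executed' | 'exposed', sorted traits seen)."""
    per_client = {}
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, client, _method, url, _status = fields
        hits = classify_url(url)
        if hits:
            per_client.setdefault(client, set()).update(hits)
    verdicts = {}
    for client, hits in per_client.items():
        # Phone-back traffic comes from the running sample, not the browser.
        state = "executed" if hits & PHONE_BACK else "exposed"
        verdicts[client] = (state, sorted(hits))
    return verdicts


if __name__ == "__main__":
    for client, (state, hits) in sorted(triage(SAMPLE_LOG).items()):
        print(client, state, ", ".join(hits))
```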

Parked on the same IPs are more scareware domains part of the portfolio:

Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at 212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:

What's so special about the robertsimonkroon@gmail.com email anyway? Not only was the email once again used to register scareware domains two times in July 2009, but, as pointed out in November 2009's "Koobface Botnet's Scareware Business Model - Part Two", the same email was also used to register the following download locations for scareware domains pushed by the Koobface botnet:



Stay tuned for a massive update on Koobface-related activities, analyzing the gang's multi-tasking throughout the whole of January 2010 -- descriptive historical OSINT offers long-term value in cross-checking for connections.

Related Koobface gang/botnet research:
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


This post has been reproduced from Dancho Danchev's blog.