Tuesday, February 02, 2010

How the Koobface Gang Monetizes Mac OS X Traffic

Mac users appear to have a special place in the heart of the Koobface gang, which has recently started experimenting with a monetization strategy aimed specifically at them: compromising legitimate sites for the sole purpose of planting the popular PHP backdoor shell C99 (Synsta mod) on them, and using that foothold to redirect all Mac OS X traffic to affiliate dating programs such as AdultFriendFinder.

The use of Synsta's C99 mod is not a novel approach; the gang has been using it for over a year and a half now. The original KROTEG injected script now includes a "hey rogazi" message. "Hey rogazi" appears to be a slang term (rogatstsi) for scooter-riding Italians. What's also interesting to point out is that the Mac OS X redirection takes place through one of the few currently active centralized IPs from Koobface 1.0's infrastructure -

This very same IP (profiled in August, 2009 and then in September, 2009) was once brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koobface 1.0's "leftovers" xtsd20090815 .com and kiano-180809 .com (the domain was serving client-side exploits in the Koobface gang's November 2009 experiment, followed by another one again hosted at [...]) still parked there.
Moreover, this China-based IP (it even has a modest Alexa rank) was also the centralized redirection point in Koobface 1.0's scareware business model, using popup.php to redirect to a systematically updated portfolio of scareware domains, and it was the first time ever that I came across what the gang is now publicly acknowledging as the "2008 ali baba and 40, LLC" team.

AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com - - Email: necks@corporatemail.ru
sicha-linna .com - - Email: stay@bigmailbox.ru
stopspaming .com - - Email: bunco@e2mail.ru
ubojnajasila .net - - Email: ubojnajasila.net@contactprivacy.com

Here's how the experiment looks in its current form. Once the OS is detected, the redirection takes place through /mac.php -> /vvv.htm, which loads the following pages using the gang's unique campaign IDs at AdultFriendFinder:

- BestDatingDirect .com/page_hot.php?page=random&did=14029
- adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc
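As an added example (not code from the original post, and not anything taken from the gang's own infrastructure), the following Python reconstructs the redirect chain just described from a Zeek http.log and flags the clients it caught, using only the two intermediate paths and the affiliate/redirector hosts quoted in this post as indicators. The host names compromised.example and central.example are placeholders for a compromised site and for the elided centralized IP, and the log rows are constructed for the demo; a real http.log is read from disk and passed to the same functions.

```python
# Added example: reconstruct the injected page -> /mac.php -> /vvv.htm ->
# dating affiliate chain from a Zeek http.log and report who was redirected.
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the post: the two intermediate paths on the centralized
# host and the affiliate/redirector hosts. A watch-list, not a full signature.
CHAIN_PATHS = {"/mac.php", "/vvv.htm"}
AFFILIATE_HOSTS = {
    "adultfriendfinder.com", "bestdatingdirect.com", "bestnetdate.com",
    "currentdating.com", "datefunclub.com", "enormousdating.com",
    "giantdating.com", "onlinelovedating.com", "worldbestdate.com",
    "worlddatinghere.com",
}
MAC_UA = re.compile(r"Macintosh|Mac OS X", re.I)


def parse_zeek_http(text):
    """Parse the subset of a Zeek http.log we need: a #fields header line
    followed by tab-separated rows ('-' marks an unset field)."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def host_matches(host, watch_list):
    """True if host is one of the watched domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == w or host.endswith("." + w) for w in watch_list)


def reconstruct_chains(rows):
    """Per client, link each request to the earlier request whose URL is its
    Referer, yielding (client, user_agent, [url, url, ...]) in time order.
    A 302 hop keeps the referring page's Referer, so /mac.php may be missing
    from a chain; the check below therefore matches any known hop."""
    by_client = defaultdict(list)
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        by_client[r["id.orig_h"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        chain_ending_at = {}  # full URL -> chain that produced that request
        for r in reqs:
            url = "http://" + r["host"] + r["uri"]
            parent = chain_ending_at.get(r.get("referrer", "-"), [])
            chain = parent + [url]
            chain_ending_at[url] = chain
            chains.append((client, r["user_agent"], chain))
    return chains


def find_mac_affiliate_redirects(rows):
    """Flag chains that pass through /mac.php or /vvv.htm and end on an
    affiliate host; report the client, whether it was a Mac UA, the entry
    page and the affiliate campaign IDs (pid/did) from the landing URL."""
    findings = []
    for client, ua, chain in reconstruct_chains(rows):
        landing = urlparse(chain[-1])
        if not host_matches(landing.hostname, AFFILIATE_HOSTS):
            continue
        if not any(urlparse(u).path in CHAIN_PATHS for u in chain[:-1]):
            continue
        query = parse_qs(landing.query)
        findings.append({
            "client": client,
            "mac_ua": bool(MAC_UA.search(ua)),
            "entry": chain[0],
            "chain": chain,
            "campaign_ids": {k: query[k][0] for k in ("pid", "did") if k in query},
        })
    return findings


# Constructed sample log (placeholder hosts, made-up client IPs and timestamps).
FIELDS = ["ts", "id.orig_h", "host", "uri", "referrer", "user_agent", "status_code"]
UA_MAC = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2) AppleWebKit/531.21.8"
UA_WIN = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5.7"
SAMPLE_ROWS = [
    # Mac visitor: compromised page -> injected script hits /mac.php -> /vvv.htm -> affiliates
    ("1265100000.10", "10.0.0.5", "compromised.example", "/index.html", "-", UA_MAC, "200"),
    ("1265100000.35", "10.0.0.5", "central.example", "/mac.php", "http://compromised.example/index.html", UA_MAC, "302"),
    ("1265100000.60", "10.0.0.5", "central.example", "/vvv.htm", "http://central.example/mac.php", UA_MAC, "200"),
    ("1265100000.90", "10.0.0.5", "bestdatingdirect.com", "/page_hot.php?page=random&did=14029", "http://central.example/vvv.htm", UA_MAC, "200"),
    ("1265100001.10", "10.0.0.5", "adultfriendfinder.com", "/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english", "http://central.example/vvv.htm", UA_MAC, "200"),
    # Windows visitor: same injected script, but no redirection follows
    ("1265100005.00", "10.0.0.7", "compromised.example", "/index.html", "-", UA_WIN, "200"),
    ("1265100005.20", "10.0.0.7", "central.example", "/mac.php", "http://compromised.example/index.html", UA_WIN, "200"),
]
SAMPLE_HTTP_LOG = "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"

if __name__ == "__main__":
    for f in find_mac_affiliate_redirects(parse_zeek_http(SAMPLE_HTTP_LOG)):
        print(f["client"], "mac" if f["mac_ua"] else "non-mac", f["entry"], "->", f["chain"][-1], f["campaign_ids"])
```

The entry URL tells you which of your pages carries the injected script (that is where to look for the C99 shell and the KROTEG code), and the pid/did values are the gang's affiliate campaign IDs, which is what the dating network needs in order to cut the payout; both are worth including in an abuse report.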

The rest of the dating site redirectors are parked at [...] on AS3491 (PCCWGlobal-ASN, PCCW Global):
bestdatingdirect .com
bestnetdate .com
currentdating .com
datefunclub .com
enormousdating .com
giantdating .com
onlinelovedating .com 
worldbestdate .com
worlddatinghere .com

This isn't the first time the Koobface gang has attempted to monetize traffic through dating affiliate networks. In fact, in November's "Koobface Botnet's Scareware Business Model - Part Two" post, which emphasized the gang's connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out their connection with a Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.

An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to [...]. This very same IP was hosting domains that were part of a Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorst10@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net

love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit-serving domains at [...], to participate in phishing campaigns, and to register a money mule recruitment site for the non-existent Allied Insurance LLC (Allied Group, Inc.).

Of course, the money made in the process looks like pocket change compared to the money the gang makes through blackhat SEO, click fraud and scareware in general (go through the related posts at the bottom of the article). But since they've previously shown signs of what I originally anticipated they would do sooner or later, namely start diversifying and experimenting on the back of their ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.

Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.