Monday, March 15, 2010

Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

Just how greedy has the Koobface gang become these days? Very greedy.

In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/fee1/index.php?GREED==random_characters. Let's dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010.
  • The domain portfolios are in a process of getting suspended
The current portfolio of redirectors embedded on Koobface-infected hosts is parked  at 195.5.161.129, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:
tvinyourpc.com - Email: test@now.net.cn
wheretosellford.com - Email: test@now.net.cn
weddings-sales-place.com - Email: test@now.net.cn
chromepluginsfree.com - Email: test@now.net.cn
checkwebtriple.com - Email: test@now.net.cn
partypartytime.com - Email: test@now.net.cn
yourblog2blog.com - Email: test@now.net.cn
microstoreblog.com - Email: test@now.net.cn
mexicomaxtravel.com - Email: info@montever.de
fulllife2photo.com - Email: test@now.net.cn
yourmaximumphoto.com - Email: test@now.net.cn
lineagecheatandbug.com - Email: test@now.net.cn
titansandgods.com - Email: test@now.net.cn
microsoftbugtracks.com - Email: test@now.net.cn
secureyourinfos.com - Email: test@now.net.cn
weddingiephotos.com - Email: test@now.net.cn
parkeroffers.com - Email: test@now.net.cn
nocderrors.com - Email: test@now.net.cn
androidmobilereviews.com - Email: test@now.net.cn
terraanews.com - Email: test@now.net.cn
getbestshows.com - Email: test@now.net.cn
videostvshows.com - Email: test@now.net.cn
besttvshowininternet.com - Email: test@now.net.cn
titanicoverlight.com - Email: test@now.net.cn


The scareware domains portfolio is currently parked on 195.5.161.117, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:
be-protected-10.info - Email: harkitrip@ymail.com
be-protecteda.info - Email: harkitrip@ymail.com
be-protectedc.info - Email: harkitrip@ymail.com
be-protectedi.info - Email: harkitrip@ymail.com
be-protected-i8.info - Email: harkitrip@ymail.com
be-protectedk.info - Email: harkitrip@ymail.com
be-protected-l0.info - Email: harkitrip@ymail.com
be-protected-l1.info - Email: harkitrip@ymail.com
be-protected-t1.info - Email: harkitrip@ymail.com
be-protectedy.info - Email: harkitrip@ymail.com
be-secured-a1.info - Email: harkitrip@ymail.com
be-secured-b2.info - Email: harkitrip@ymail.com
be-secured-c6.info - Email: harkitrip@ymail.com
be-secured-d9.info - Email: harkitrip@ymail.com
be-secured-z1.info - Email: harkitrip@ymail.com
capital-security1.info - Email: goninanbiz2@ymail.com
capital-security2.info - Email: goninanbiz2@ymail.com
capital-security6.info - Email: goninanbiz2@ymail.com
capital-securitya.info - Email: goninanbiz2@ymail.com
capital-securityc.info - Email: goninanbiz2@ymail.com
capital-securitye.info - Email: goninanbiz2@ymail.com
capital-securityt.info - Email: goninanbiz2@ymail.com
general-protection0.info - Email: goninanbiz2@ymail.com
general-protection1.info - Email: goninanbiz2@ymail.com
general-protection4.info - Email: goninanbiz2@ymail.com
general-protection9.info - Email: goninanbiz2@ymail.com
how-to-secure-pc1.info - kramershoppers@yahoo.com
help-you-now0.info - Email: intrigo2@yahoo.com
help-you-now1.info - Email: intrigo2@yahoo.com
help-you-now4.info - Email: intrigo2@yahoo.com
help-you-now6.info - Email: intrigo2@yahoo.com
help-you-now9.info - Email: intrigo2@yahoo.com
pchelpserver.info - Email: vernotowersc2@googlemail.com
pchelpservera.info - Email: vernotowersc2@googlemail.com
pchelpserverz.info - Email: vernotowersc2@googlemail.com
powersecurity09.info - Email: miscelli3@googlemail.com
powersecurityc.info - Email: miscelli3@googlemail.com
powersecurityt.info - Email: miscelli3@googlemail.com
powersecurityy.info - Email: miscelli3@googlemail.com
powerssoftware0.info - Email: miscelli3@googlemail.com
powerssoftware1.info - Email: miscelli3@googlemail.com
powerssoftware3.info - Email: miscelli3@googlemail.com
powerssoftware6.info - Email: miscelli3@googlemail.com
security-softwarec.info - kramershoppers@yahoo.com
software-helpa.info - Email: hartin6@yahoo.com
software-helpd.info - Email: hartin6@yahoo.com
software-helpe.info - Email: hartin6@yahoo.com
software-helpy.info - Email: hartin6@yahoo.com
software-helpz.info - Email: hartin6@yahoo.com
special-software1.info - Email: hartin6@yahoo.com
special-software3.info - Email: hartin6@yahoo.com
special-software7.info - Email: hartin6@yahoo.com
special-software8.info - Email: hartin6@yahoo.com
special-software9.info - Email: hartin6@yahoo.com
specialwebhelp0.info - Email: hartin6@yahoo.com
specialwebhelp1.info - Email: hartin6@yahoo.com
specialwebhelp3.info - Email: hartin6@yahoo.com
specialwebhelp5.info - Email: hartin6@yahoo.com
specialwebhelp7.info - Email: hartin6@yahoo.com

Detection rates for scareware samples rotated over the past 48 hours:
- Setup_312s2.exe - Trojan.Win32.FakeAV!IK - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3549 - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3605 - Result: 10/42 (23.81%)
- Setup_312s2.exe - Packed.Win32.Krap.as - Result: 6/41 (14.64%)
- Setup_312s2.exe - Trojan.Crypt.XPACK.Gen2 - Result: 6/42 (14.29%)
- Setup_312s2.exe - Sus/UnkPack-C - 10/42 (23.81%)

The samples phone back to projectwupdates.com/ download/winlogo.bmp - 94.228.208.57 and cariport.com/ ?b=312s2 - 89.248.168.21 (psdefendersoft.com and antispywarelist.com also parked there) - Email: zooik52@hotmail.com.
Recent detection rates for Koobface components:
- fb.101.exe - Result: 39/42 (92.86%)
- go.exe - Result: 7/42 (16.67%)
- pp.14.exe - Result: 36/42 (85.72%)
- v2bloggerjs.exe - Result: 39/42 (92.86%)
- v2captcha21.exe - Result: 24/41 (58.54%)
- v2newblogger.exe - Result: 23/41 (56.10%)
- v2googlecheck.exe - Result: 36/41 (87.80%)
- v2webserver.exe - Result: 26/42 (61.91%)

In respect the Koobface gang, as well as cybecrime in general, historical OSINT always offers an invaluable piece of the malicious puzzle of their campaigns, hosting providers, and the campaign structure making it easier to establish multiple connections between the rest of their non Koobface-botnet related campaigns.

Here's a peek at the redirectors and scareware domains served during February. For more extensive assessment of their activities for February, go through the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" post.

Redirectors parked 91.212.132.242, AS49091, Interforum-AS Interforum LTD for February, 2010:
amazing-4-fotos.com - Email: test@now.net.cn
bbcadditionalguide.com - Email: test@now.net.cn
brightonsales.com - Email: test@now.net.cn
daily00photos.com - Email: test@now.net.cn
daily6deals.com - Email: test@now.net.cn
daily88news.com - Email: test@now.net.cn
dellvideohacks.com - Email: test@now.net.cn
discoverallnow.com - Email: test@now.net.cn
discoverprivateinfo.com - Email: test@now.net.cn
discoverprivatelife.com - Email: test@now.net.cn
discoverprivatemail.com - Email: test@now.net.cn
discoverprivatewebcams.com - Email: test@now.net.cn
discoversecretdfacebook.com - Email: test@now.net.cn
facebookfriendwatch.com - Email: test@now.net.cn
facebookreadmail.com - Email: test@now.net.cn
free-amazon-coupon.com - Email: test@now.net.cn
free-ebay-stuff.com - Email: test@now.net.cn
free-secret-info.com - Email: test@now.net.cn
getalestickets.com - Email: test@now.net.cn
hightowerfisheye.com - Email: test@now.net.cn
lenovovideohacks.com - Email: test@now.net.cn
mymailbusiness.com - Email: test@now.net.cn
private-0-photos.com - Email: test@now.net.cn
seehiddenfacebook.com - Email: test@now.net.cn
skyscrapeviews.com - Email: test@now.net.cn
yahoobusinesstrip.com - Email: test@now.net.cn
you22tube.com - Email: test@now.net.cn

Scareware domains parked on 195.5.161.119, AS31252, STARNET-AS StarNet Moldova, for February, 2010:
best-protection0.info - Email: ware2mall@yahoo.com
best-protection8.info - Email: ware2mall@yahoo.com
bestprotectiona.info - Email: ware2mall@yahoo.com
best-protectiona.info - Email: ware2mall@yahoo.com
bestprotectione.info - Email: ware2mall@yahoo.com
best-protectione.info - Email: ware2mall@yahoo.com
best-protectionf.info - Email: ware2mall@yahoo.com
mega1-antivirus3.com - Email: test@now.net.cn
mega1-antivirus5.com - Email: test@now.net.cn
mega1-antivirus7.com - Email: test@now.net.cn
mega1-antivirus9.com - Email: test@now.net.cn
mega1-scanner5.com - Email: test@now.net.cn
mega1-scanner7.com - Email: test@now.net.cn
smartsecurity0.info - Email: neeceheight@yahoo.com
smartsecurity1.info - Email: neeceheight@yahoo.com
smart-security1.info - Email: neeceheight@yahoo.com
smartsecurity2.info - Email: neeceheight@yahoo.com
smartsecurity7.info - Email: neeceheight@yahoo.com
smartsecuritya.info - Email: neeceheight@yahoo.com
smartsecurityd.info - Email: neeceheight@yahoo.com
smart-securityo.info - Email: neeceheight@yahoo.com
super2-antivirus.com - Email: neeceheight@yahoo.com
super2-antivirus2.com - Email: neeceheight@yahoo.com
ver2-scanner.com - Email: test@now.net.cn
ver2-scanner2.com - Email: test@now.net.cn
ver2-scanner4.com - Email: test@now.net.cn

Persistence must be met with persistence. The domain portfolios are in a process of getting suspended, an update will posted as soon as this happens.

Related Koobface gang/botnet research:
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

No comments:

Post a Comment