Tuesday, May 11, 2010
Dissecting the Mass DreamHost Sites Compromise
Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.
What's particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet, is residing within the same AS where the nameservers, and one of actual domains (kdjkfjskdfjlskdjf.com/ kp.php - 22.214.171.124 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns are.
These gangs are either aware of one another's existence, are the exact same gang doing basic evasive practices on multiple fronts, or are basically customers of the same cybercrime-friendly hosting service provider.
The DreamHost campaign structure, including the detection rates, phone back locations, is as follows:
- zettapetta.com/js.php - 126.96.36.199 - Email: email@example.com
- www4.suitcase52td.net/?p= - 188.8.131.52 - Email: firstname.lastname@example.org
- www1.realsafe-23.net - 184.108.40.206 - Email: email@example.com
Active client-side exploits serving, redirector domains parked on the same IP 220.127.116.11:
zettapetta.com - 18.104.22.168, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: firstname.lastname@example.org
yahoo-statistic.com - Email: email@example.com
primusdns.ru - Email: firstname.lastname@example.org
freehost21.tw - Email: email@example.com
alert35.com.tw - Email: firstname.lastname@example.org
indesignstudioinfo.com - Email: email@example.com
Historically, the following domains were also parked on the same IP 22.214.171.124:
bananajuice21.net - Email: firstname.lastname@example.org
winrar392.net - Email: email@example.com
best-soft-free.com - Email: firstname.lastname@example.org
setyupdate.com - Email: email@example.com
Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - 126.96.36.199 - Email: firstname.lastname@example.org
update1.myownguardian.com - 188.8.131.52 - Email: email@example.com
secure1.saefty-guardian.com - 184.108.40.206 - Email: firstname.lastname@example.org
report.zoneguardland.net - 220.127.116.11 - Email: email@example.com
report.land-protection.com - 18.104.22.168 - Email: firstname.lastname@example.org
www5.our-security-engine.net - 22.214.171.124 - Email: email@example.com
Name servers of notice parked at 126.96.36.199, AS6851, BKCNET "SIA" IZZI:
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 188.8.131.52. More details on urodinam.net:
Detection rates for the malware pushed from the same IP where a key Koobface botnet's C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)
The same firstname.lastname@example.org used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.
Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions
Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.