Tuesday, May 11, 2010
Dissecting the Mass DreamHost Sites Compromise
Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.
What's particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet, is residing within the same AS where the nameservers, and one of actual domains (kdjkfjskdfjlskdjf.com/ kp.php - 22.214.171.124 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns are.
These gangs are either aware of one another's existence, are the exact same gang doing basic evasive practices on multiple fronts, or are basically customers of the same cybercrime-friendly hosting service provider.
The DreamHost campaign structure, including the detection rates, phone back locations, is as follows:
- zettapetta.com/js.php - 126.96.36.199 - Email: firstname.lastname@example.org
- www4.suitcase52td.net/?p= - 188.8.131.52 - Email: email@example.com
- www1.realsafe-23.net - 184.108.40.206 - Email: firstname.lastname@example.org
Active client-side exploits serving, redirector domains parked on the same IP 220.127.116.11:
zettapetta.com - 18.104.22.168, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: email@example.com
yahoo-statistic.com - Email: firstname.lastname@example.org
primusdns.ru - Email: email@example.com
freehost21.tw - Email: firstname.lastname@example.org
alert35.com.tw - Email: email@example.com
indesignstudioinfo.com - Email: firstname.lastname@example.org
Historically, the following domains were also parked on the same IP 22.214.171.124:
bananajuice21.net - Email: email@example.com
winrar392.net - Email: firstname.lastname@example.org
best-soft-free.com - Email: email@example.com
setyupdate.com - Email: firstname.lastname@example.org
Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - 126.96.36.199 - Email: email@example.com
update1.myownguardian.com - 188.8.131.52 - Email: firstname.lastname@example.org
secure1.saefty-guardian.com - 184.108.40.206 - Email: email@example.com
report.zoneguardland.net - 220.127.116.11 - Email: firstname.lastname@example.org
report.land-protection.com - 18.104.22.168 - Email: email@example.com
www5.our-security-engine.net - 22.214.171.124 - Email: firstname.lastname@example.org
Name servers of notice parked at 126.96.36.199, AS6851, BKCNET "SIA" IZZI:
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 188.8.131.52. More details on urodinam.net:
Detection rates for the malware pushed from the same IP where a key Koobface botnet's C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)
The same email@example.com used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.
Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions
Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.