Tuesday, May 11, 2010

Dissecting the Mass DreamHost Sites Compromise

Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.

What's particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet, is residing within the same AS where the nameservers, and one of actual domains (kdjkfjskdfjlskdjf.com/ kp.php - - AS6851, BKCNET "SIA" IZZI) used in previous campaigns are.

These gangs are either aware of one another's existence, are the exact same gang doing basic evasive practices on multiple fronts, or are basically customers of the same cybercrime-friendly hosting service provider.

The DreamHost campaign structure, including the detection rates, phone back locations, is as follows:
- zettapetta.com/js.php - - Email: hilarykneber@yahoo.com
    - www4.suitcase52td.net/?p= - - Email: gkook@checkjemail.nl
        - www1.realsafe-23.net - - Email: gkook@checkjemail.nl

Active client-side exploits serving, redirector domains parked on the same IP
zettapetta.com -, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: hilarykneber@yahoo.com
yahoo-statistic.com - Email: hilarykneber@yahoo.com
primusdns.ru - Email: samm_87@email.com
freehost21.tw - Email: hilarykneber@yahoo.com
alert35.com.tw - Email: admin@zalert35.com.tw
indesignstudioinfo.com - Email: hilarykneber@yahoo.com

Historically, the following domains were also parked on the same IP
bananajuice21.net - Email: hilarykneber@yahoo.com
winrar392.net - Email: lacyjerry1958@gmail.com
best-soft-free.com - Email: lacyjerry1958@gmail.com
setyupdate.com - Email: admin@setyupdate.com

Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - - Email: gkook@checkjemail.nl
update1.myownguardian.com - - Email: gkook@checkjemail.nl
secure1.saefty-guardian.com - - Email: gkook@checkjemail.nl
report.zoneguardland.net - - Email: gkook@checkjemail.nl
report.land-protection.com - - Email: gkook@checkjemail.nl
www5.our-security-engine.net - - Email: gkook@checkjemail.nl

Name servers of notice parked at, AS6851, BKCNET "SIA" IZZI:

What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to More details on urodinam.net:
Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php

Detection rates for the malware pushed from the same IP where a key Koobface botnet's C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)

The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.

Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.

Related posts:
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.