Monday, May 17, 2010

Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"


UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet have been included at the bottom of this post, together with detection rates and phone-back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post, published in February 2010, by including the following message on Koobface-infected hosts serving bogus video players and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general in which I'm referenced.

What makes an impression is the attempt (by the gang, or by the individual behind the message) to distance themselves from major campaigns affecting high-profile U.S.-based web properties and from fraudulent activities such as click fraud, and the attempt to legitimize their malicious activities by emphasizing that they are not involved in crimeware campaigns and have never stolen any credit card details.

01. The gang is connected to, and probably maintains, the click-fraud-facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of this activity is MD5: 0fbf1a9f8e6e305138151440da58b4f1, which modifies the HOSTS file on infected PCs to redirect all Google and Yahoo search traffic to 89.149.210.109, while phoning back to well-known Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam .net/8732489273.php.
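The HOSTS-file hijack described above is easy to check for on a suspect machine, since a legitimate HOSTS file has no reason to point search-engine hostnames at a routable address. The following is an added example (not code from the original post) that parses HOSTS-file text, skips the entries that are normal there (localhost mappings and 0.0.0.0/127.0.0.1 ad-block sinkholes), and flags watched hostnames mapped to any other address. The sample HOSTS content and the watched-domain list are constructed for illustration; only the 89.149.210.109 target mirrors the post's observation.

```python
"""Flag HOSTS-file entries that redirect search-engine traffic to a remote IP.

Added example; not code from the original post. SAMPLE_HOSTS is constructed.
"""
import ipaddress
import re

# Hostnames a legitimate HOSTS file should never map to a remote address.
# This watch list is an illustrative assumption; extend it for your estate.
WATCHED_SUFFIXES = (
    "google.com", "google.co.uk", "yahoo.com", "bing.com",
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
)

# Targets that are normal in HOSTS files: localhost and ad-block sinkholes.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: one benign sinkhole, one internal mapping, and the
# search hijack pattern from the post (multiple names per line, tab-separated
# fields, trailing comments) so the parser has to cope with all of them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.net        # ad-block style sinkhole, benign
89.149.210.109  www.google.com google.com   # constructed hijack entry
89.149.210.109  search.yahoo.com yahoo.com
89.149.210.109\twww.bing.com
10.0.0.5        intranet.corp.local         # internal mapping, not watched
"""


def _is_watched(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, one per name, skipping comments/blank lines.

    A HOSTS line is '<ip> <name> [<name> ...]' with an optional '# comment'.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed line; a real tool would report it
        for name in names:
            yield str(ip), name


def find_hijacks(text: str):
    """Return [(hostname, ip)] for watched hostnames mapped to routable IPs."""
    hits = []
    for ip_text, name in parse_hosts(text):
        if ip_text in BENIGN_TARGETS:
            continue
        ip = ipaddress.ip_address(ip_text)
        if ip.is_loopback or ip.is_unspecified:
            continue
        if _is_watched(name):
            hits.append((name, ip_text))
    return hits


def redirect_targets(text: str):
    """Distinct IPs receiving hijacked traffic: the pivot indicators to block."""
    return sorted({ip for _, ip in find_hijacks(text)})


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK {name:>20} -> {ip}")
    print("redirect targets:", redirect_targets(SAMPLE_HOSTS))
```

On a live Windows host the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; the IPs returned by redirect_targets are what you pivot on next, since the same address tends to show up across many infected machines and, as the post notes, alongside the scareware C&Cs.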

In May 2010, parked on the very same IP to which urodinam.net currently responds (91.188.59.10), is an active client-side-exploit-serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all; I guess that's also the reason behind the temporary change in scareware URLs to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties can also be traced back to their infrastructure. Whether they are aware of the true impact of the malvertising campaign, and whether they are intentionally pushing it at a particular web site, remains unknown.

The fact is that the exact same domain that was used in the NYTimes redirection was, back then, also embedded on all of the Koobface-infected hosts in order to serve scareware.

04. The gang conducted a several-hour experiment in November 2009, when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware-serving campaign in November 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they either don't know or forget that the connection between the Koobface gang and the massive blackhat SEO campaign was established in exactly the same way as their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can best be described as the cybercrime ecosystem's stakeholders earning revenues and scaling their business models thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as for instance Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro, or the Koobface gang? SophosLabs and TrendMicro, or the Koobface gang? SophosLabs and TrendMicro, or....well, you get the point. Of course there aren't any experiments, now that it's publicly known they're in the works.


10. The gang is monetizing traffic through the Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where all the money they make from pushing scareware comes from? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:
0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1gb-scanner.com - Email: test@now.net.cn
1gig-antivirus.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2gb-scanner.com - Email: test@now.net.cn
2gig-antivirus.com - Email: test@now.net.cn
2mb-scanner.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3gb-scanner.com - Email: test@now.net.cn
3gig-antivirus.com - Email: test@now.net.cn
3mb-scanner.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4gb-scanner.com - Email: test@now.net.cn
4gig-antivirus.com - Email: test@now.net.cn
4mb-scanner.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
50gb-antivirus.com - Email: test@now.net.cn
5gb-scanner.com - Email: test@now.net.cn
5gig-antivirus.com - Email: test@now.net.cn
5mb-scanner.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6mb-scanner.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
aweb-antispyware.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%), which once executed phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The current redirection chain from the link embedded on Koobface-infected hosts goes through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Monday, May 24, 2010: The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the past 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.


0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
15netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1cnetantispy.com - Email: test@now.net.cn
1dnetantispy.com - Email: test@now.net.cn
1eliminatemalware.com - Email: test@now.net.cn
1eliminatespy.com - Email: test@now.net.cn
1eliminatethreats.com - Email: test@now.net.cn
1eliminatevirus.com - Email: test@now.net.cn
1enetantispy.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
1webfilter1000.com - Email: test@now.net.cn
1www-antispyware.com - Email: test@now.net.cn
1www-antivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2eliminatemalware.com - Email: test@now.net.cn
2eliminatevirus.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
2www-antispyware.com - Email: test@now.net.cn
2www-antivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
3www-antispyware.com - Email: test@now.net.cn
3www-antivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
4www-antispyware.com - Email: test@now.net.cn
4www-antivirus.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
5www-antispyware.com - Email: test@now.net.cn
5www-antivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
a30windows-scan.com - Email: test@now.net.cn
a40windows-scan.com - Email: test@now.net.cn
a50windows-scan.com - Email: test@now.net.cn
a60windows-scan.com - Email: test@now.net.cn
americanscanner.com - Email: test@now.net.cn
aresearchsecurity.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
barracuda10.com - Email: test@now.net.cn
beguardsystem.com - Email: test@now.net.cn
beguardsystem2.com - Email: test@now.net.cn
bewareofthreat.com - Email: test@now.net.cn
bewareofydanger.com - Email: test@now.net.cn
bprotectsystem.com - Email: test@now.net.cn
bwebantivirus.com - Email: test@now.net.cn
choclatescanner2.com - Email: test@now.net.cn
cleanerscanner2.com - Email: test@now.net.cn
cnn2scanner.com - Email: test@now.net.cn
cprotectsystem.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dacota4security.com - Email: test@now.net.cn
defencyresearch.com - Email: test@now.net.cn
defenseacquisitions.com - Email: test@now.net.cn
defensecapability.com - Email: test@now.net.cn
dprotectsystem.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
eliminatespy.com - Email: test@now.net.cn
eliminatethreat.com - Email: test@now.net.cn
eliminatethreats.com - Email: test@now.net.cn
eprotectsystem.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
fantasticscan2.com - Email: test@now.net.cn
fortescanner.com - Email: test@now.net.cn
four4defence.com - Email: test@now.net.cn
fprotectsystem.com - Email: test@now.net.cn
house2call.com - Email: test@now.net.cn
house4call.com - Email: test@now.net.cn
ibewareofdanger.com - Email: test@now.net.cn
iresearchdefence.com - Email: test@now.net.cn
ldefenceresearch.com - Email: test@now.net.cn
micro2smart.com - Email: test@now.net.cn
micro4smart.com - Email: test@now.net.cn
micro6smart.com - Email: test@now.net.cn
necessitydefense.com - Email: test@now.net.cn
nolongerthreat.com - Email: test@now.net.cn
nova3-antispyware.com - Email: test@now.net.cn
nova4-antispyware.com - Email: test@now.net.cn
nova5-antispyware.com - Email: test@now.net.cn
nova7-antispyware.com - Email: test@now.net.cn
nova8-antispyware.com - Email: test@now.net.cn
nova-antivirus1.com - Email: test@now.net.cn
nova-antivirus2.com - Email: test@now.net.cn
novascanner2.com - Email: test@now.net.cn
nova-scanner2.com - Email: test@now.net.cn
novascanner3.com - Email: test@now.net.cn
nova-scanner3.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn
nova-scanner4.com - Email: test@now.net.cn
novascanner5.com - Email: test@now.net.cn
nova-scanner5.com - Email: test@now.net.cn
novascanner7.com - Email: test@now.net.cn
nova-scanner7.com - Email: test@now.net.cn
onguardsystem2.com - Email: test@now.net.cn
over11scanner.com - Email: test@now.net.cn
pcguardsystem2.com - Email: test@now.net.cn
pcguardsystems.com - Email: test@now.net.cn
pcpiscanner.com - Email: test@now.net.cn
pitstopscan.com - Email: test@now.net.cn
protectionfunctions.com - Email: test@now.net.cn
protectionmeasure.com - Email: test@now.net.cn
protectionmethods.com - Email: test@now.net.cn
protectionoffices.com - Email: test@now.net.cn
protectionprinciples.com - Email: test@now.net.cn
protectsystema.com - Email: test@now.net.cn
protectsystemc.com - Email: test@now.net.cn
protectsystemd.com - Email: test@now.net.cn
protectsysteme.com - Email: test@now.net.cn
protectsystemf.com - Email: test@now.net.cn
researchdefence.com - Email: test@now.net.cn
researchysecurity.com - Email: test@now.net.cn
spywarekillera.com - Email: test@now.net.cn
spywarekillerc.com - Email: test@now.net.cn
spywarekillerd.com - Email: test@now.net.cn
spywarekillere.com - Email: test@now.net.cn
spywarekillerr.com - Email: test@now.net.cn
spywarekillerz5.com - Email: test@now.net.cn
stainsscanner2.com - Email: test@now.net.cn
stop20attack.com - Email: test@now.net.cn
tendefender2.com - Email: test@now.net.cn
thelosers2010.com - Email: test@now.net.cn
trivalsoftware.com - Email: test@now.net.cn
unstoppable2010.com - Email: test@now.net.cn
use6defence.com - Email: test@now.net.cn
viruskiller3a.com - Email: test@now.net.cn
viruskiller4a.com - Email: test@now.net.cn
viruskiller5a.com - Email: test@now.net.cn
viruskiller6a.com - Email: test@now.net.cn
webfilter100.com - Email: test@now.net.cn
webfilter999.com - Email: test@now.net.cn
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn
yourguardsystem2.com - Email: test@now.net.cn
z22windows-scan.com - Email: test@now.net.cn
z23windows-scan.com - Email: test@now.net.cn
z25windows-scan.com - Email: test@now.net.cn
z27windows-scan.com - Email: test@now.net.cn
zaresearchsecurity.com - Email: test@now.net.cn

Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, and now responding to 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn

In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.