Tuesday, April 27, 2010

GoDaddy's Mass WordPress Blogs Compromise Serving Scareware


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update on the campaign's structure, the changed IPs, and the newly introduced scareware samples and phone-back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:

Related scareware domains part of the ongoing campaign are also parked on the following IPs:

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:


Parked on 93.174.92.225, AS29073, ECATEL-AS, Ecatel Network (ns2.safelinkhere.net) are also:



Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place at GoDaddy, according to WPSecurityLock.

Since the campaign's URLs are still active, and since historical OSINT ties it to known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used, cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk, was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com, is another domain known to have been used in similar attacks in February 2010 - iss9w8s89xx.org.


Parked on 217.23.5.51 are related scareware domains part of the campaign:


Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although cechirecom.com/js.php is not currently responding, another currently active domain, registered to hilarykneber@yahoo.com, is parked on the same IP, 61.4.82.212.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19
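The pivot the post performs by hand (shared registrant e-mail, shared parked IP), automated as an added example; this is not code from the original post or its author. The `DomainRecord` type, the functions and the sample record set are constructed, using only domain, IP and e-mail values quoted in the post, and each hit keeps the attribute it was reached through so the evidence chain stays visible.

```python
"""Infrastructure pivoting over WHOIS/hosting records (added example).

Walks from a seed domain to other domains sharing its registrant e-mail or
hosting IP, breadth-first, with a hop limit. Sample data is constructed from
values quoted in the post; the record layout is an assumption of this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ip: str = ""     # hosting IP, "" when unresolved
    email: str = ""  # registrant e-mail, "" when the record has none


# Constructed sample set using domain/IP/e-mail values quoted in the post.
SAMPLE_RECORDS = (
    DomainRecord("kdjkfjskdfjlskdjf.com", "61.4.82.212", "hilarykneber@yahoo.com"),
    DomainRecord("cechirecom.com", "61.4.82.212", "lee_gerstein@yahoo.co.uk"),
    DomainRecord("ns1.stablednsstuff.com", "61.4.82.212", "lee_gerstein@yahoo.co.uk"),
    DomainRecord("safelinkhere.net", "94.228.209.223", "gkook@checkjemail.nl"),
    DomainRecord("update1.savecompnow.com", "94.228.209.223", "gkook@checkjemail.nl"),
    DomainRecord("update1.winsystemupdates.com", "94.228.209.223"),
    DomainRecord("update2.savecompnow.com", "91.207.192.25", "gkook@checkjemail.nl"),
    DomainRecord("report.zoneguardland.net", "91.207.192.25", "gkook@checkjemail.nl"),
    DomainRecord("windows-mode.com", "89.248.168.21", "contact@privacy-protect.cn"),
    DomainRecord("firewall-rules2.com", "89.248.168.21", "contact@privacy-protect.cn"),
    DomainRecord("2accommodation.com", "89.248.168.21", "ttvmail12@hotmail.com"),
)


def build_index(records):
    """Return (index, attrs): index maps a pivot key such as
    ("email", "gkook@checkjemail.nl") to the domains sharing it; attrs maps
    each domain to its own set of pivot keys. Empty fields produce no key,
    so unresolved domains do not cluster with each other."""
    index = defaultdict(set)
    attrs = defaultdict(set)
    for rec in records:
        keys = set()
        if rec.ip:
            keys.add(("ip", rec.ip))
        if rec.email:
            keys.add(("email", rec.email))
        for key in keys:
            index[key].add(rec.domain)
        attrs[rec.domain] |= keys
    return index, attrs


def pivot(records, seed, kinds=("email", "ip"), max_hops=2):
    """Breadth-first expansion from `seed` over shared attributes.

    Returns {domain: (hops, key)} where `key` is the (kind, value) the domain
    was first reached through (None for the seed). A registrant e-mail is a
    strong link; a hosting IP is weaker, since a shared server also carries
    unrelated tenants, so restrict `kinds` or lower `max_hops` when the IP
    belongs to a busy hoster."""
    index, attrs = build_index(records)
    if seed not in attrs:
        raise KeyError(f"no record for seed domain {seed!r}")
    found = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        hops = found[dom][0]
        if hops >= max_hops:
            continue
        for key in sorted(attrs[dom]):  # deterministic discovery order
            if key[0] not in kinds:
                continue
            for other in sorted(index[key]):
                if other not in found:
                    found[other] = (hops + 1, key)
                    queue.append(other)
    return found


def evidence_lines(found):
    """One line per domain, seed first, stating why each was pulled in."""
    ordered = sorted(found.items(), key=lambda kv: (kv[1][0], kv[0]))
    lines = []
    for dom, (hops, key) in ordered:
        via = "seed" if key is None else f"hop {hops} via {key[0]}={key[1]}"
        lines.append(f"{dom:32} {via}")
    return lines


if __name__ == "__main__":
    # The post's own pivot: from the Kneber domain to its IP neighbours.
    print("\n".join(evidence_lines(pivot(SAMPLE_RECORDS, "kdjkfjskdfjlskdjf.com"))))
    # E-mail-only pivot leaves the hosting neighbour 2accommodation.com out.
    print("\n".join(evidence_lines(pivot(SAMPLE_RECORDS, "windows-mode.com", kinds=("email",)))))
```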


Parked on 209.212.149.19:
www2.burnvirusnow43.xorg.pl
www2.trueguardscaner42-p.xorg.pl
www1.suaguardprotect23p.xorg.pl
www2.realsafepc27p.xorg.pl
www1.fastfullfind27p.xorg.pl
www1.yesitssafe-now-forsure.in


Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solutions' case (Dissecting the WordPress Blogs Compromise at Network Solutions), the end user always has to be protected from himself through basic security auditing practices for default WordPress installations. Expecting the end user to self-audit is wishful thinking.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is currently suspending them.

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors, continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.
With the campaign still ongoing, it's time to dissect it and expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, the Koobface gang having been a loyal customer of their services since November 2009. AS29073, ECATEL-AS Koobface gang connections:

Automatically registered Blogspot accounts used as bogus video links across Facebook:


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of the Koobface gang:



The Blogspot accounts redirect to the following compromised Koobface and scareware serving domains:


Detection rates for Koobface samples and a sampled scareware:
- setup.exe - Trojan.Generic.KD.8890 - Result: 9/40 (22.50%) phones back to:
- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13
    - proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669
        - proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2%)
- koob.js - Trojan:JS/Redirector - Result: 1/41 (2.44%)


The scareware serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domains portfolio:

Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145

- Detection rate for the scareware sample: Setup_312s2.exe - Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50%) phones back to windows-mode.com/?b=1s1 - 89.248.168.21, AS29073, ECATEL-AS, Ecatel Network - Email: contact@privacy-protect.cn


Parked on the phone-back IP are also the following domains:

Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface botnet.

Related Koobface gang/botnet research:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Tuesday, April 20, 2010

The DNS Infrastructure of the Money Mule Recruitment Ecosystem

What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the cybercriminals behind the campaigns repeatedly use to push new scams.

This post aims to expose the name servers involved and the associated ASs, using the research previously conducted on their recruitment campaigns and their affiliations with multiple other cybercrime activities.

Moreover, its main objective is to emphasize that cybercrime should stop being treated as a country- or region-specific problem and instead be treated as an international one, with each and every country having its own share of cybercrime activity.
  • "The whole is greater than the sum of its parts" - Aristotle
With money mule recruitment available as-a-service (Standardizing the Money Mule Recruitment Process), the post will only detail the activities of what's referred to as a "mule recruitment syndicate", in short, one of the most prolific syndicates with direct connections to numerous related cybercrime campaigns profiled over the past 6 months.

What makes an impression is the geographical distribution of the name servers. 11 of them are based in the Netherlands, another 11 are based in China, followed by 11 more based in the United States. Here's the list of the related ASs and their occurrences:
  • AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers
  • AS38356, TimeNet - China - 11 name servers
  • AS46664, VolumeDrive - United States - 11 name servers
  • AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers
  • AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers
  • AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers
  • AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name server

Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice, the Turkish ALATRON BLTD., which is seen in the majority of its domain registrations.

The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:

ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet


ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet


ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.bizrestroom.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.bizrestroom.cc - 222.35.143.234 - AS38356, TimeNet



ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet


ns1.cnnandpizza.cc - 87.118.81.75 - Email: bears@fastermail.ru - AS31103, KEYWEB-AS Keyweb AG
ns2.cnnandpizza.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.cnnandpizza.cc - 222.35.143.236 - AS38356, TimeNet


ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive


ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet


ns1.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.partytimee.cn - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet


ns1.sandhouse.cc - 64.85.174.146 - Email: taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.sandhouse.cc - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.sandhouse.cc - 74.118.194.82 - AS46664, VolumeDrive


ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.translatasheep.net - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.translatasheep.net - 222.35.143.112 - AS38356, TimeNet


ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet


ns1.viewdreamer.com - 64.85.174.143 - free@freenetbox.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive


ns1.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.volcanotime.com - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.volcanotime.com - 74.118.194.88 - AS46664, VolumeDrive


ns1.weathernot.net - 64.85.174.145 - Email: bowls@5mx.ru - AS30517, Great Lakes Comnet, Inc.
ns2.weathernot.net - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.weathernot.net - 74.118.194.89 - AS46664, VolumeDrive


ns1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.worldslava.cc - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.worldslava.cc - 74.118.194.84 - AS46664, VolumeDrive


ns1.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.jockscreamer.net - 74.118.194.83 - AS46664, VolumeDrive


ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.uleaveit.com - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.uleaveit.com - 74.118.194.85 - AS46664, VolumeDrive


ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System

ns1.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System


ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive
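
The value of a list like the one above is in the pivots: the same name-server IPs, the same registrant mailboxes and the same handful of ASNs keep recurring across otherwise unrelated domains. The following script is an added example and not part of the original post; it parses records written in the post's own "host - IP - Email: address - prefix - ASnnnn, name" layout and groups domains by shared IP, e-mail or ASN. The record set is a subset of the values listed above (one line deliberately keeps the post's missing "Email:" label so the parser has to tolerate it), and the regexes are my own assumptions about that layout.

```python
import re
from collections import defaultdict

# Records in the shape of the post's lines (host - IP - [Email:] address - [prefix -] ASnnnn, name).
# Values are taken from the list above; the viewdreamer line keeps the post's missing "Email:" label
# so the parser has to tolerate it.
RECORDS = """\
ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns1.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns1.viewdreamer.com - 64.85.174.143 - free@freenetbox.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns1.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
ASN = re.compile(r"\bAS(\d+)\b")          # "AS29182" but not "ISPSYSTEM-AS"


def parse_record(line):
    """Split one 'host - ip - ... - ASnnnn, name' line into a dict.

    Returns None for lines that do not start with a hostname and an IPv4 address.
    The registrant e-mail is optional and may appear with or without the 'Email:' label.
    """
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 2 or not IPV4.match(parts[1]):
        return None
    host = parts[0]
    rest = " ".join(parts[2:])
    email = EMAIL.search(rest)
    asn = ASN.search(rest)
    # registrable domain: strip the leading nsN. label
    domain = host.split(".", 1)[1] if host.startswith("ns") else host
    return {
        "host": host,
        "domain": domain,
        "ip": parts[1],
        "email": email.group(0) if email else None,
        "asn": int(asn.group(1)) if asn else None,
    }


def parse_records(text):
    """Parse every well-formed record line; silently skip blank or free-text lines."""
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            out.append(rec)
    return out


def pivot(records, key):
    """Group distinct domains by a shared attribute ('ip', 'email' or 'asn').

    Only values shared by at least two domains are returned, since a value seen once
    is not a pivot.
    """
    groups = defaultdict(set)
    for r in records:
        if r[key] is not None:
            groups[r[key]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for key in ("ip", "email", "asn"):
        for value, domains in pivot(recs, key).items():
            print(f"{key}={value}: {', '.join(domains)}")
```

Run against the full list in the post, the ASN pivot is the loudest signal: nearly every domain has one name server in AS29182 or AS30517, one in AS32097 or AS34305, and one in AS46664 or AS38356, which is the pattern that justifies watching the provider rather than the individual domain.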

The business model of this syndicate can easily be compared to that of the much-hyped Russian Business Network: they are either managing the infrastructure for someone else as a service, are directly involved in recruiting and using money mules for their own purposes, or are building an inventory of mules to offer as a service to a large number of cybercriminals.

The basic fact that these folks are not campaign-centered, but keep maintaining their ecosystem, puts them at the top of the watch list for months to come.

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Sunday, April 18, 2010

Dissecting the WordPress Blogs Compromise at Network Solutions

UPDATED: Network Solutions issued an update to the situation.

The folks at Sucuri Security have posted an update on the reemergence of mass site compromises at Network Solutions, following last week's WordPress attack.

What has changed since last week's campaign? Several new domains were introduced, including new phone back locations, with the majority of new domains once again parked on the same IP as they were last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.

The exploitation chain of the currently embedded domain is as follows:
- corpadsinc.com/grep /?spl=3&br=MSIE&vers=7.0&s=
        - corpadsinc.com /grep/soc.php
            - corpadsinc.com /grep/load.php?spl=ActiveX_pack
                - corpadsinc.com /grep/load.php?spl=pdf_2020
                    - corpadsinc.com /grep/load.php?spl=javal
                        - corpadsinc.com /grep/j2_079.jar
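
The chain above is the shape of a typical 2010 exploit kit: a landing page that fingerprints the browser (br= and vers=), a redirector (soc.php), one load.php request per exploit module named by the spl= parameter, and finally the served jar. The script below is an added example and not part of the original post: it classifies proxy-log URLs into those stages and rebuilds the per-client sequence, so an analyst can tell which clients were merely fingerprinted and which were actually served a payload. The log lines are constructed for this example, the log format (time, client, method, URL, status) is an assumption, and the regexes are keyed to the /grep/ path this campaign used; on a real proxy you would also key on the hostnames from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the post): "time client method url status".
PROXY_LOG = """\
2010-04-18T10:01:02 10.0.0.5 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s= 200
2010-04-18T10:01:03 10.0.0.5 GET http://corpadsinc.com/grep/soc.php 200
2010-04-18T10:01:04 10.0.0.5 GET http://corpadsinc.com/grep/load.php?spl=ActiveX_pack 200
2010-04-18T10:01:05 10.0.0.5 GET http://corpadsinc.com/grep/load.php?spl=pdf_2020 200
2010-04-18T10:01:06 10.0.0.5 GET http://corpadsinc.com/grep/load.php?spl=javal 200
2010-04-18T10:01:07 10.0.0.5 GET http://corpadsinc.com/grep/j2_079.jar 200
2010-04-18T10:02:00 10.0.0.9 GET http://example.org/index.php?spl=3 200
2010-04-18T10:03:00 10.0.0.7 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=8.0&s= 200
2010-04-18T10:03:01 10.0.0.7 GET http://corpadsinc.com/grep/soc.php 404
"""

LANDING = re.compile(r"/grep/\?spl=\d+&br=")   # landing page carrying the browser fingerprint
LOADER = re.compile(r"/grep/load\.php$")       # one request per exploit module (spl=...)
PAYLOAD = re.compile(r"/grep/[\w-]+\.jar$")    # served jar, the last hop in the chain above


def classify(url):
    """Map one URL onto a stage of the chain, or None if it is unrelated."""
    u = urlsplit(url)
    path_q = u.path + ("?" + u.query if u.query else "")
    if LANDING.search(path_q):
        q = parse_qs(u.query)
        return ("landing", f"{q.get('br', [''])[0]}/{q.get('vers', [''])[0]}")
    if u.path.endswith("/grep/soc.php"):
        return ("redirector", "soc.php")
    if LOADER.search(u.path):
        return ("exploit", parse_qs(u.query).get("spl", ["?"])[0])
    if PAYLOAD.search(u.path):
        return ("payload", u.path.rsplit("/", 1)[1])
    return None


def reconstruct_chains(log):
    """Group matching requests by client, preserving the order the stages were hit in.

    Each entry is (stage, detail, http_status). Malformed lines are skipped.
    """
    chains = defaultdict(list)
    for line in log.splitlines():
        try:
            _ts, client, _method, url, status = line.split()
        except ValueError:
            continue
        stage = classify(url)
        if stage:
            chains[client].append(stage + (int(status),))
    return dict(chains)


def served_payload(chain):
    """True when a client fetched a payload (HTTP 200) after at least one exploit stage."""
    saw_exploit = False
    for kind, _detail, status in chain:
        if kind == "exploit" and status == 200:
            saw_exploit = True
        if kind == "payload" and saw_exploit and status == 200:
            return True
    return False


if __name__ == "__main__":
    for client, chain in reconstruct_chains(PROXY_LOG).items():
        stages = " -> ".join(f"{k}:{d}" for k, d, _ in chain)
        print(f"{client}: {stages} | payload served: {served_payload(chain)}")
```

The distinction served_payload() draws matters for triage: 10.0.0.7 hit the landing page but the redirector failed, so it is a near miss, while 10.0.0.5 walked the whole chain and pulled the jar, which is the host to image first.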

Detection rates for some of the obtained exploits:
- update.vbe - VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5%)
- j2_079.jar - Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5%)


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:
binglbalts.com - Email: alex1978a@bigmir.net
corpadsinc.com - Email: alex1978a@bigmir.net
fourkingssports.com - Email: alex1978a@bigmir.net
networkads.net - Email: alex1978a@bigmir.net
mainnetsoll.com - Email: alex1978a@bigmir.net
lasvegastechreport.com
mauiexperts.com
mauisportsinsider.com

Upon successful exploitation from corpadsinc.com the campaign drops load.exe - Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50%).

The sample load.exe also phones back to the following locations:
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9
- 188.124.16.96 /blackout_dem.exe

Detection rate for blackout_dem.exe - Trojan-Dropper - Result: 7/40 (17.5%) which phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.

Interestingly, the sample attempts to install a Firefox add-on in the following way:
- %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02 - detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX.
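
A dropped extension under the per-machine Firefox directory survives reinstalling the browser profile, so it is worth checking explicitly during triage. The following script is an added example, not code from the post: it walks a Firefox extensions directory, flags the extension ID reported above, flags any other GUID-named extension that is not on an allowlist, and hashes every file against the MD5 from the post. The build_sample_tree() helper creates a constructed directory tree with a placeholder timer.xul (not the real file, so its hash will not match the IOC); the allowlist and the sample IDs other than the one from the post are my own assumptions.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the post; everything else below is an assumption for the example.
KNOWN_BAD_IDS = {"{8CE11043-9A15-4207-A565-0C94C42D590D}"}
KNOWN_BAD_MD5 = {"963136adaa2b1c823f6c0e355800ce02"}   # timer.xul from the post
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def md5_file(path):
    """Hash a file in chunks so large XPI contents do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_extensions(ext_dir, allowlist=frozenset()):
    """Walk a Firefox extensions directory and return a list of findings.

    Each finding is (extension_id, reason, path, md5). Reasons:
      - 'known-bad-id'   : directory name is an ID seen in the campaign
      - 'known-bad-hash' : a file's MD5 matches an IOC
      - 'unknown-guid'   : a GUID-named extension that is not on the allowlist
    """
    findings = []
    if not os.path.isdir(ext_dir):
        return findings
    for ext_id in sorted(os.listdir(ext_dir)):
        ext_path = os.path.join(ext_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        if ext_id in KNOWN_BAD_IDS:
            findings.append((ext_id, "known-bad-id", ext_path, None))
        elif GUID.match(ext_id) and ext_id not in allowlist:
            findings.append((ext_id, "unknown-guid", ext_path, None))
        for root, _dirs, files in os.walk(ext_path):
            for name in files:
                p = os.path.join(root, name)
                digest = md5_file(p)
                if digest in KNOWN_BAD_MD5:
                    findings.append((ext_id, "known-bad-hash", p, digest))
    return findings


def default_extensions_dir():
    """Per-machine Firefox extensions directory on Windows, matching the path in the post."""
    return os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                        "Mozilla Firefox", "extensions")


def build_sample_tree():
    """Create a constructed extensions directory for demonstration; returns its path.

    Contains the ID from the post with a placeholder timer.xul, a second GUID-named
    extension (assumed, not from the post) and one non-GUID extension id that is ignored.
    """
    base = tempfile.mkdtemp()
    bad = os.path.join(base, "{8CE11043-9A15-4207-A565-0C94C42D590D}", "chrome", "content")
    os.makedirs(bad)
    with open(os.path.join(bad, "timer.xul"), "w") as f:
        f.write("<!-- constructed placeholder, not the real timer.xul -->\n")
    os.makedirs(os.path.join(base, "{11111111-2222-3333-4444-555555555555}"))
    os.makedirs(os.path.join(base, "someaddon@example.com"))
    return base


if __name__ == "__main__":
    target = default_extensions_dir() if os.path.isdir(default_extensions_dir()) else build_sample_tree()
    for ext_id, reason, path, digest in audit_extensions(target):
        print(f"{reason:15} {ext_id} {path} {digest or ''}")
```

Matching on the extension ID alone is brittle, since the actor can regenerate the GUID per build; the hash check and the "anything GUID-named that IT did not deploy" rule are what carry the check to the next variant.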

It's also worth pointing out that the campaign's admin panel points to a third-party, cybercrime-friendly IP that's currently offline: corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW.

The bottom line: although Network Solutions criticized the media last week for blaming this on Network Solutions or on WordPress itself, the company should realize that, for the sake of its reputation, it should always apply the following mentality when offering any of its services - "protect the end user from himself".

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks


Wednesday, April 14, 2010

iPhone Unlocking Themed Malware Campaign Spamvertised


UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that immediately after the brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.). Currently responding to the same IP are also the following domains known to have been connected with previous malware campaigns - startexag.com - Email: venterprize@gmail.com; exposingpics.com, and animezhd.com.

Researchers from BitDefender are reporting on a currently spamvertised malware campaign, using a "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.

The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone-iphone.info@protecteddomainservices.com, entices the end user into downloading the malware from pepd.org/blackra1n.exe - 188.210.236.109 - Email: pepd.org@protecteddomainservices.com.


Detection rate: blackra1n.exe - Trojan.BAT.AACL - Result: 10/40 (25%), with the malware itself attempting to change the default DNS settings on the infected hosts to the following IP - 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.

- Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250

- Creates processes (two netsh invocations, both with creation flags CREATE_DEFAULT_ERROR_MODE and CREATE_SUSPENDED) to set a static DNS server on each interface:
C:\WINDOWS\system32\NETSH.EXE interface ip set dns "Local Area Connection" static 188.210.236.250
C:\WINDOWS\system32\NETSH.EXE interface ip set dns "wireles network connection" static 188.210.236.250

From Romania, with DNS changing malware. 


Monday, April 12, 2010

Copyright Violation Alert Themed Ransomware in the Wild


UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM

The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach to extortion, demanding the highest amount of money seen in ransomware variants so far; it also offers interesting clues into the multitasking mentality of cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.


We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."


Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.

What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.

Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker), with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories from different campaigns:
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments and emphasizing profit margins instead, by attempting to extort $400.

Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?

SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale
