Monday, May 17, 2010

Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"


UPDATED Moday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet, have been included at the bottom of this post, including detection rates and phone back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players, and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high profile U.S based web properties, fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing on the fact that they/he are not involved in crimeware campaigns, and have never stolen any credit card details.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of this activities, is MD5: 0fbf1a9f8e6e305138151440da58b4f1 modifying the HOSTS file on the infected PCs to redirect all the Google and Yahoo search traffic to 89.149.210.109, whereas, in between phoning back to well known Koobface scareware C&Cs at the time, such as 212.117.160.18, and urodinam .net/8732489273.php at the time.

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding to, is an active client-side exploits serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all, I guess that's also the reason behind the temporary change in scareware URls to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties, can be also traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site remains unknown.

The fact is that, the exact same domain that was used in the NYTimes redirection, was also back then embedded on all of the Koobface infected hosts, in order to serve scareware.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they also don't know/forget that one of the many ways the connection between the Koobface gang and massive blackhat SEO campaign was established in exactly the same way as the one in their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybecrime ecosystem's stakeholders earning revenues and having their business models scaling, thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as for instance Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or the Koobface gang? Sophos Labs and TrendMicro or....well you get the point. Of course there isn't, now that's is publicly known it's in the works.


10. The gang is monetizing traffic through the Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where they get all the money by being pushing scareware? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:
0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1gb-scanner.com - Email: test@now.net.cn
1gig-antivirus.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2gb-scanner.com - Email: test@now.net.cn
2gig-antivirus.com - Email: test@now.net.cn
2mb-scanner.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3gb-scanner.com - Email: test@now.net.cn
3gig-antivirus.com - Email: test@now.net.cn
3mb-scanner.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4gb-scanner.com - Email: test@now.net.cn
4gig-antivirus.com - Email: test@now.net.cn
4mb-scanner.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
50gb-antivirus.com - Email: test@now.net.cn
5gb-scanner.com - Email: test@now.net.cn
5gig-antivirus.com - Email: test@now.net.cn
5mb-scanner.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6mb-scanner.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
aweb-antispyware.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%) which once executed phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The current redirection taking place through the embedded link on Koobface infected hosts, takes place through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Moday, May 24, 2010 The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the pat 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.


0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
15netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1cnetantispy.com - Email: test@now.net.cn
1dnetantispy.com - Email: test@now.net.cn
1eliminatemalware.com - Email: test@now.net.cn
1eliminatespy.com - Email: test@now.net.cn
1eliminatethreats.com - Email: test@now.net.cn
1eliminatevirus.com - Email: test@now.net.cn
1enetantispy.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
1webfilter1000.com - Email: test@now.net.cn
1www-antispyware.com - Email: test@now.net.cn
1www-antivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2eliminatemalware.com - Email: test@now.net.cn
2eliminatevirus.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
2www-antispyware.com - Email: test@now.net.cn
2www-antivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
3www-antispyware.com - Email: test@now.net.cn
3www-antivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
4www-antispyware.com - Email: test@now.net.cn
4www-antivirus.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
5www-antispyware.com - Email: test@now.net.cn
5www-antivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
a30windows-scan.com - Email: test@now.net.cn
a40windows-scan.com - Email: test@now.net.cn
a50windows-scan.com - Email: test@now.net.cn
a50windows-scan.com - Email: test@now.net.cn
a60windows-scan.com - Email: test@now.net.cn
americanscanner.com - Email: test@now.net.cn
aresearchsecurity.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
barracuda10.com - Email: test@now.net.cn
beguardsystem.com - Email: test@now.net.cn
beguardsystem2.com - Email: test@now.net.cn
bewareofthreat.com - Email: test@now.net.cn
bewareofydanger.com - Email: test@now.net.cn
bprotectsystem.com - Email: test@now.net.cn
bwebantivirus.com - Email: test@now.net.cn
choclatescanner2.com - Email: test@now.net.cn
cleanerscanner2.com - Email: test@now.net.cn
cnn2scanner.com - Email: test@now.net.cn
cprotectsystem.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dacota4security.com - Email: test@now.net.cn
defencyresearch.com - Email: test@now.net.cn
defenseacquisitions.com - Email: test@now.net.cn
defenseacquisitions.com - Email: test@now.net.cn
defensecapability.com - Email: test@now.net.cn
dprotectsystem.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
eliminatespy.com - Email: test@now.net.cn
eliminatethreat.com - Email: test@now.net.cn
eliminatethreats.com - Email: test@now.net.cn
eprotectsystem.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
fantasticscan2.com - Email: test@now.net.cn
fortescanner.com - Email: test@now.net.cn
four4defence.com - Email: test@now.net.cn
fprotectsystem.com - Email: test@now.net.cn
house2call.com - Email: test@now.net.cn
house4call.com - Email: test@now.net.cn
ibewareofdanger.com - Email: test@now.net.cn
iresearchdefence.com - Email: test@now.net.cn
ldefenceresearch.com - Email: test@now.net.cn
micro2smart.com - Email: test@now.net.cn
micro4smart.com - Email: test@now.net.cn
micro6smart.com - Email: test@now.net.cn
necessitydefense.com - Email: test@now.net.cn
nolongerthreat.com - Email: test@now.net.cn
nova3-antispyware.com - Email: test@now.net.cn
nova4-antispyware.com - Email: test@now.net.cn
nova5-antispyware.com - Email: test@now.net.cn
nova7-antispyware.com - Email: test@now.net.cn
nova8-antispyware.com - Email: test@now.net.cn
nova-antivirus1.com - Email: test@now.net.cn
nova-antivirus2.com - Email: test@now.net.cn
novascanner2.com - Email: test@now.net.cn
nova-scanner2.com - Email: test@now.net.cn
novascanner3.com - Email: test@now.net.cn
nova-scanner3.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn
nova-scanner4.com - Email: test@now.net.cn
novascanner5.com - Email: test@now.net.cn
nova-scanner5.com - Email: test@now.net.cn
novascanner7.com - Email: test@now.net.cn
nova-scanner7.com - Email: test@now.net.cn
onguardsystem2.com - Email: test@now.net.cn
over11scanner.com - Email: test@now.net.cn
pcguardsystem2.com - Email: test@now.net.cn
pcguardsystems.com - Email: test@now.net.cn
pcpiscanner.com - Email: test@now.net.cn
pitstopscan.com - Email: test@now.net.cn
protectionfunctions.com - Email: test@now.net.cn
protectionmeasure.com - Email: test@now.net.cn
protectionmethods.com - Email: test@now.net.cn
protectionoffices.com - Email: test@now.net.cn
protectionprinciples.com - Email: test@now.net.cn
protectsystema.com - Email: test@now.net.cn
protectsystemc.com - Email: test@now.net.cn
protectsystemd.com - Email: test@now.net.cn
protectsysteme.com - Email: test@now.net.cn
protectsystemf.com - Email: test@now.net.cn
researchdefence.com - Email: test@now.net.cn
researchysecurity.com - Email: test@now.net.cn
spywarekillera.com - Email: test@now.net.cn
spywarekillerc.com - Email: test@now.net.cn
spywarekillerd.com - Email: test@now.net.cn
spywarekillere.com - Email: test@now.net.cn
spywarekillerr.com - Email: test@now.net.cn
spywarekillerz5.com - Email: test@now.net.cn
stainsscanner2.com - Email: test@now.net.cn
stop20attack.com - Email: test@now.net.cn
tendefender2.com - Email: test@now.net.cn
thelosers2010.com - Email: test@now.net.cn
trivalsoftware.com - Email: test@now.net.cn
unstoppable2010.com - Email: test@now.net.cn
unstoppable2010.com - Email: test@now.net.cn
use6defence.com - Email: test@now.net.cn
viruskiller3a.com - Email: test@now.net.cn
viruskiller4a.com - Email: test@now.net.cn
viruskiller5a.com - Email: test@now.net.cn
viruskiller6a.com - Email: test@now.net.cn
webfilter100.com - Email: test@now.net.cn
webfilter999.com - Email: test@now.net.cn
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn
yourguardsystem2.com - Email: test@now.net.cn
z22windows-scan.com - Email: test@now.net.cn
z23windows-scan.com - Email: test@now.net.cn
z25windows-scan.com - Email: test@now.net.cn
z27windows-scan.com - Email: test@now.net.cn
zaresearchsecurity.com - Email: test@now.net.cn

Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previous parked on 91.213.217.106, AS42473, ANEXIA-AS now responding to 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn

In order to understand the importance of profiling Koobface gang's activities, consider going their their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, May 13, 2010

The Avalanche Botnet and the TROYAK-AS Connection


According to the latest APWG Global Phishing Survey:
  • But by mid-2009, phishing was dominated by one player as never before the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009, and was responsible for the overall increase in phishing attacks recorded across the Internet."
The Avalanche botnet's ecosystem is described by PhishLabs as:
  • "Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams.

    The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information. It is basically a hosting platform used by the attackers. Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shutdown the phish pages. Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs."
One of the most notable facts about the botnet, is their persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on each and every of their phishing pages. The following chronology, exclusively details their client-side exploits/ZeuS crimeware serving campaigns.

The Avalanche Botnet's ZeuS crimeware/client-side exploit serving campaigns, in chronological order:
Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

Related articles on TROYAK-AS, and various cybercrime trends:
TROYAK-AS: the cybercrime-friendly ISP that just won't go away
AS-Troyak Exposes a Large Cybercrime Infrastructure
The current state of the crimeware threat - Q&A
Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime
Report: Malicious PDF files comprised 80 percent of all exploits for 2009

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, May 11, 2010

Dissecting the Mass DreamHost Sites Compromise


Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.

What's particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet, is residing within the same AS where the nameservers, and one of actual domains (kdjkfjskdfjlskdjf.com/ kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns are.

These gangs are either aware of one another's existence, are the exact same gang doing basic evasive practices on multiple fronts, or are basically customers of the same cybercrime-friendly hosting service provider.


The DreamHost campaign structure, including the detection rates, phone back locations, is as follows:
- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com
    - www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl
        - www1.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl


Active client-side exploits serving, redirector domains parked on the same IP 109.196.143.56:
zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: hilarykneber@yahoo.com
yahoo-statistic.com - Email: hilarykneber@yahoo.com
primusdns.ru - Email: samm_87@email.com
freehost21.tw - Email: hilarykneber@yahoo.com
alert35.com.tw - Email: admin@zalert35.com.tw
indesignstudioinfo.com - Email: hilarykneber@yahoo.com

Historically, the following domains were also parked on the same IP 109.196.143.56:
bananajuice21.net - Email: hilarykneber@yahoo.com
winrar392.net - Email: lacyjerry1958@gmail.com
best-soft-free.com - Email: lacyjerry1958@gmail.com
setyupdate.com - Email: admin@setyupdate.com

Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl
update1.myownguardian.com - 74.118.194.78 - Email: gkook@checkjemail.nl
secure1.saefty-guardian.com - 94.228.220.112 - Email: gkook@checkjemail.nl
report.zoneguardland.net - 91.207.192.25 - Email: gkook@checkjemail.nl
report.land-protection.com - 91.207.192.24 - Email: gkook@checkjemail.nl
www5.our-security-engine.net - 94.228.220.111 - Email: gkook@checkjemail.nl
report1.stat-mx.xorg.pl
update1.securepro.xorg.pl

Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI:
ns1.oklahomacitycom.com
ns2.oklahomacitycom.com


What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php


Detection rates for the malware pushed from the same IP where a key Koobface botnet's C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)

The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.

Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.

Related posts:
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

 Deja vu!

Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by "Fulldls.com  - Your source for daily torrent downloads".

Why deja vu? It's because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling of Russian Business Network activity, with their mass "input validation abuse" campaign back then, successfully appearing on numerous high-trafficked web sites, serving guess what? Scareware.

Moreover, despite the surprisingly large number of people still getting impressed by the use of http referrers as an evasive practice applied by the cybercriminals, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:
  • So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it.
The most recent compromise of TorrentReactor.net appears to be taking place through a malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet.


The campaign structure, including detection rates, phone back locations and ZeuS crimeware fast-flux related data is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
    - ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)
    - lo.dep.lt /info/us1.html - 91.212.127.110 - lo.dep.lt - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD
        - 91.216.3.108 /de1/index.php; 91.216.3.108 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
            - 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru

Upon successful exploitation, the following malicious pdf is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15%) which when executed phones back to 91.216.3.108 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru


Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: bust@qx8.ru
jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: blare@bigmailbox.ru
laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru
line-ace.com - Email: greysy@gmx.com
xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: mated@freemailbox.ru

Name servers of notice:
ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net
ns2.rexonna.net - 25.120.19.23
ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com
ns2.line-ace.com - 67.15.223.219
ns1.growthproperties.net - 62.19.3.2 - Email: growth@support.net
ns2.growthproperties.net - 15.94.34.196
ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158

These particular iFrame injection Russian Business Network's campaigns from 2008, used to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Excerpts from previous profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:
  • The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.
Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web sessions of the URL acting as a redirector), the exact same URL that was in circulating in 2008, residing on the Russian Business Network's netblock back then, still active, but also, it's currently redirecting to -- if the campaign's evasive conditions are met -- to www4.zaikob8.xorg.pl/?uid=213&pid=3&ttl=31345701120 - 217.149.251.12.

What this proves is fairly simple - with or without the Russian Business Network the way we used to know it, it's customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblocks ownership.

Related posts:
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Saturday, May 08, 2010

From the Koobface Gang with Scareware Serving Compromised Sites


Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities, from the last couple of days.

Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromises sites, in a combination with an interesting "visual social engineering trick", across Facebook, which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tips.
The diverse set of activities courtesy of the Koobface gang -- consider going through the related posts in order to understand their underground multitasking mentality beyond the Koobface botnet itself -- are a case study on the abuse of legitimate infrastructure with clean IP/AS reputation, for purely malicious purposes.

This active use of the "trusted reputation chain", just like the majority of social engineering centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average Internet user. Here's an example of the most recent campaign.

The spreading of fully working links such as the following ones across Facebook:
facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk



aims to trick the infected user's friends, that this is a Facebook.com related link. Clicking on this link inside Facebook leads to the "Be careful" window showing just the bit.ly redirector, to finally redirect to 198.65.28.86/swamt/ where a Koobface bogus video has already been seen by 2,601 users which have already clicked on the link.

The scareware redirectors/actual serving domains are parked at 195.5.161.126, AS31252, STARNET-AS StarNet Moldova:
1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn


Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%)

The scareware sample phones back to:
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn

The complete list of compromised sites distributed by Koobface-infected Facebook users:
02f32e3.netsolhost.com /o492dc/
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2cgg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /1hkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/



euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /l04s8m2/
forwardmarchministries.org /1bc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /1azl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /j15/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fltwizy/
hottesttomato.com /6b/
iglesiabetania1.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/



jsacm.com /z6/
kabchicago.info /1cgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /cg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /v1g/
mia-nilsson.se /cmc/
microstart.fr /lzu1/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /z1/
neweed.org /x4t/
nosneezes.com /5hjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/

partenaires-particuliers.fr /uo/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3a1gz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvl.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9q115/
sgottnerivers.com /y0j16rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/



slcsc.co.uk /0kem/
soderback.eu /xvg9/
spel-service.com /xm/
sporthal.msolutions.be /vyx3yu/
steelstoneind.com /yzp/
stgeorgesteel.com /ji/
stgeorgesteel.com /ylnwlr/
stubbieholderking.com /dyarx1/
sweet-peasdog.se /0rcjo/
taekwondovelden.nl /mhnskk/
testjustin.comze.com /oafxzy/
the-beehive.com /r8x3cm/
the-beehive.com /weqw7e/
thedallestransmission.com /rjsg2/
therealmagnets.comuv.com /3wn19n/
thestrategicfrog.110mb.com /66vv/
tizianozanella.it/ k2cei/
trustonecorp.com /mabmpp/
unna.nu /6lie/
uroloki.omicronrecords.com /9t/
vaxjoff.com /4fpu/
veerle-frank.be /l01/
verdiverdi.net /3tt/
visionministerial.com /p191/
waffotis.se /yufi3u/
watsonspipingandheating.com /krda/
welplandeast.com /6q/
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/
williamarias.us /na9mq/
woodworksbyjamie.com /90mrjb/
wowparis2000.com /rtsz/
yin-art.be /a75ble/
youniverse.site50.net /4a9r/


Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.

The best is yet to come, stay tuned!

Related Koobface gang/botnet research:
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, May 04, 2010

U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.

jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net

Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
    - jumpsearches.com/bing.com /error.js.php
        - jumpsearches.com/bing.com /pdf.php
            - jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
                - jumpsearches.com/bing.com /load.php?spl=pdf_2030
                    - jumpsearches.com/bing.com /load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign continue introducing new domains -- all of which are currently in a cover-up phrase pointing to 127.0.0.1 -- over the past 24 hours. What's particularly interesting, is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout now responding to 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, from the previously known IP 188.124.16.134. 

mazcostrol.com is not just a phone back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)

Not surprisingly, AS44565 and AS49770 where mazcostrol.com was hosted, are also the home of currently active ZeuS crimeware C&Cs.

AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)
brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn


AS44565 (VITAL VITAL TEKNOLOJI)
spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net


UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in_t.php which then redirects to my Blogger profile.

In fact, 217.23.14.14 the IP of the client-side exploit serving domains also redirects there, with the actual campaign in a cover-up phrase, with the original domain now responding 127.0.0.1.

Let's see for how long, until then, The Beatles - You Know My Name seems to be the appropriate music choice.


AVG and PandaLabs are reporting that the web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that, it's part of last month's NetworkSolutions mass WordPress blogs compromise, in the sense that not only is the iFrame-d domain registered using the same email as the client-side exploits serving domains from the NetworkSolutions campaign -- alex1978a@bigmir.net -- but also, the dropped scareware's phone back location -- mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net -- is identical to the one used in the same campaign, including the affiliate ID used by the original cybercriminal.

The client-side exploit serving domain used in the the U.S Treasury site compromise, has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and exploits used in the U.S Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
    - thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
        - thejustb.com /just/pdf.php
            - thejustb.com /just/1.pdf
                - thejustb.com /just/load.php?spl=javas
                    - thejustb.com /just/j1_893d.jar
                        - thejustb.com /just/j2_079.jar

- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)

Upon successful exploitation the dropped grepad.exe, phones back to to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, with the same phone back location also used in the NetworkSolutions mass compromise campaign. 

Known MD5's used by the same campaigner from previous campaigns, phoning back to the same domain+identical affiliate ID:
MD5=4734162bb33eff7af7e18243821b397e
MD5=1c9ce1e5f4c2f3ec1791554a349bf456
MD5=d11d76c6ecf6a9a87dcd510294104a66
MD5=c33750c553e6d6bdc7dac6886f65b51d
MD5=74cdadfb15181a997b15083f033644d0
MD5=3c7d8cdc73197edd176167cd069878bd

Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!

Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.