Thursday, March 31, 2011

Dissecting the Massive SQL Injection Attack Serving Scareware


A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using mass vulnerability scanning tools, with the help of search engines which have already crawled the vulnerable sites.

What's particularly interesting about this campaign is that the domains used all respond to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign and expose the domain portfolios and the entire campaign structure.

UPDATED: Related SQL injected URLs, courtesy of Websense:

SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com

Upon successful redirection, the campaign attempts to load the scareware domains defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com

Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/41 (22.0%)
MD5   : 815d77f8fca509dde1abeafabed30b65
SHA1  : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also:

Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):

The scareware domains have been registered using automatically created Gmail accounts, a precaution meant to make it harder to expose the whole campaign by pivoting on a single registrant email.

Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev's blog.

Thursday, March 10, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Six


Following my previous post on "Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

Money mule recruitment web sites:

Domains responding to:

More malicious activity within AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:

Name servers of notice:

The cybercriminals have also switched from using unique registration emails to a default admin@<money-mule-recruitment-domain> structure. Monitoring of their money mule recruitment activities is ongoing.
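Both posts above expose a portfolio the same way: domains that resolve to the same IP, reuse a registrant email, or sit on the same name servers are treated as one campaign, and a domain seen on several IPs over time is a rotated one. The script below is an added example of that pivot, not code from the blog; its records are constructed from values that appear in the two posts, with the pairings chosen for illustration rather than taken from live DNS or WHOIS lookups.

```python
from collections import defaultdict

# Constructed sample records: values come from the two posts' listings, but the
# pairings are illustrative, not the result of live DNS or WHOIS lookups.
RECORDS = [
    {"domain": "lizamoon.com",       "ip": "91.220.35.151",  "email": "jamesnorthone@hotmailbox.com"},
    {"domain": "alisa-carter.com",   "ip": "91.220.35.151",  "email": "jamesnorthone@hotmailbox.com"},
    {"domain": "worid-of-books.com", "ip": "91.220.35.151",  "email": "tik0066@gmail.com"},
    {"domain": "defender-nibea.in",  "ip": "46.252.130.200", "email": "jimwei2969@gmail.com"},
    {"domain": "defender-thga.in",   "ip": "46.252.130.200", "email": "youngantonio6055@gmail.com"},
    {"domain": "defender-thga.in",   "ip": "84.123.115.228", "email": "youngantonio6055@gmail.com"},
    {"domain": "acoon-groupllc.cc",  "ip": "78.46.105.205",  "email": "bombay@yourisp.ru", "ns": "ns1.uknamo.com"},
    {"domain": "atlant-groupinc.cc", "ip": "98.141.220.116", "email": "bombay@yourisp.ru", "ns": "ns1.uknamo.com"},
    {"domain": "art-marketllc.cc",   "ip": "98.141.220.116", "email": "hear@ppmail.ru",    "ns": "ns1.libunitau.cc"},
    {"domain": "example.org",        "ip": "203.0.113.5",    "email": "hostmaster@example.org", "ns": "ns1.example.org"},
]

def group_by(records, field):
    """Map each distinct value of `field` (ip, email or ns) to the domains sharing it."""
    groups = defaultdict(set)
    for rec in records:
        if rec.get(field):
            groups[rec[field]].add(rec["domain"])
    return groups

def shared(records, field, min_domains=2):
    """Values of `field` common to several domains: the shared hosts, reused registrant
    e-mails and name servers 'of notice' that expose a portfolio."""
    return {v: sorted(d) for v, d in group_by(records, field).items() if len(d) >= min_domains}

def rotated_domains(records):
    """Domains seen on more than one IP, i.e. rotated between hosts over time."""
    ips = defaultdict(set)
    for rec in records:
        ips[rec["domain"]].add(rec["ip"])
    return {d: sorted(s) for d, s in ips.items() if len(s) > 1}

def pivot(records, seed, fields=("ip", "email", "ns")):
    """One-hop expansion: every other domain sharing any of `fields` with `seed`."""
    indexes = {f: group_by(records, f) for f in fields}
    related = set()
    for rec in (r for r in records if r["domain"] == seed):
        related |= set().union(*(indexes[f][rec[f]] for f in fields if rec.get(f)))
    related.discard(seed)
    return sorted(related)

if __name__ == "__main__":
    print(shared(RECORDS, "ip"))
    print(rotated_domains(RECORDS))
    print(pivot(RECORDS, "lizamoon.com"))
```

Feeding it real passive-DNS and WHOIS exports instead of the constructed records turns the same four functions into a blocklist-expansion step for a web proxy or DNS filter.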

This post has been reproduced from Dancho Danchev's blog.