The recently exposed RBN's fake security software was literally just the tip of the iceberg in the ongoing practice of distributing spyware and malware under the cover of software positioned as anti-spyware and anti-malware. The domain farm of fake security software which I'll assess in this post is worth discussing due to the size of its portfolio, how they've spread the scammy ecosystem across different networks, and the directory structure they rely on, whose predictability makes it fairly easy to efficiently obtain all the fake applications. This particular case is also a great example of the efficiency vs. quality trade-off typical of a Rock Phish kit: all the binaries dispersed across the different domains are actually hosted on a single IP, and are identical.
Who's hosting the malware and what directory structure per campaign do they use?
It seems that content.onerateld.com (87.248.197.26), hosted at Limelight Networks, is used by all the domains as the central download location. The directory structure is as follows:
content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe
content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe
Therefore, if you have secureyourpc.com, the directory structure would be /SecureYourPC.com/SecureYourPC/install_en.exe
Sample domain portfolio, each serving binaries identical to those above:
antivirusfiable.com
antivirusmagique.com
bastioneantivirus.com
gubbishremover.com
pchealthkeeper.com
securepccleaner.com
storageprotector.com
trustedprotection.com
yourprivacyguard.com
DNS servers further expanding the domain portfolio:
ns1.bestsellerantivirus.com
ns2.bestsellerantivirus.com
ns3.bestsellerantivirus.com
ns4.bestsellerantivirus.com
ns1.onerateld.com
ns2.onerateld.com
Main portfolio domain farm IPs:
- 87.117.252.11
- 85.12.60.22
- 85.12.60.11
- 85.12.60.30
Laziness on the part of the malicious parties in this campaign leads to a better detection rate: they didn't hedge the risk of having their releases detected by diversifying not just the domain portfolio, but the actual binaries themselves.
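The predictable layout on the central host, and the single identical binary behind every brand, can both be put to work on the defender's side. The following is an added example, not code from the original post: it matches proxy log URLs against the content.onerateld.com/<campaign-domain>/<Product>/install_en.exe layout described above, predicts the installer URL for a newly seen campaign domain, and groups hits by binary hash so that one hash spread across many domains stands out. The log format and the hashes are constructed for the example.

```python
import re
from collections import defaultdict

# Central download host named in the post; every campaign domain points here.
DISTRIBUTION_HOST = "content.onerateld.com"
# Layout described in the post: /<campaign-domain>/<ProductName>/install_en.exe
URL_RE = re.compile(
    r"^https?://(?P<host>[^/]+)/(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"/(?P<product>[A-Za-z0-9]+)/install_en\.exe$"
)

def parse_download(url):
    """Return (campaign_domain, product) when url follows the farm's layout
    on the central host, otherwise None."""
    m = URL_RE.match(url)
    if m is None or m.group("host").lower() != DISTRIBUTION_HOST:
        return None
    return m.group("domain").lower(), m.group("product")

def expected_url(campaign_domain, product):
    """Predict the installer URL for a new campaign domain (the secureyourpc.com rule)."""
    return f"http://{DISTRIBUTION_HOST}/{campaign_domain}/{product}/install_en.exe"

def triage(log_lines):
    """Group farm downloads by binary hash: one hash shared by many campaign
    domains confirms the post's point (many brands, one identical binary)."""
    domains_by_hash = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:          # skip malformed lines
            continue
        _ts, _client, url, digest = fields
        hit = parse_download(url)
        if hit:
            domains_by_hash[digest].add(hit[0])
    return {h: sorted(d) for h, d in domains_by_hash.items()}

# Constructed proxy log: "<ts> <client> <url> <hash>"; the hashes are placeholders.
SAMPLE_LOG = [
    "12:01 10.0.0.5 http://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe sha256:PLACEHOLDER_A",
    "12:02 10.0.0.9 http://content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe sha256:PLACEHOLDER_A",
    "12:03 10.0.0.7 http://content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe sha256:PLACEHOLDER_A",
    "12:04 10.0.0.7 http://www.example.com/downloads/install_en.exe sha256:PLACEHOLDER_B",  # unrelated download
]

if __name__ == "__main__":
    for digest, domains in triage(SAMPLE_LOG).items():
        print(digest, "served via", len(domains), "campaign domains:", ", ".join(domains))
```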
Friday, December 07, 2007
A Diverse Portfolio of Fake Security Software