The recently exposed RBN's fake security software was literally just the tip of the iceberg in this ongoing practice of distributing spyware and malware under the shadow of software that's positioned as anti-spyware and anti-malware one. The domain farm of fake security software which I'll assess in this post is worth discussing due to the size of its portfolio, how they've spread the scammy ecosystem on different networks, as well as the directory structure they take advantage of, one whose predictability makes it faily easy to efficiency obtain all the fake applications. This particular case is also a great example of the typical for a Rock Phish kit efficiency vs quality trade off, namely, all the binaries dispersed through the different domains are actually hosted on a single IP, and are identical.
Who's hosting the malware and what directory structure per campaign do they use?
It seems as content.onerateld.com (87.248.197.26) which is hosted at Limelight Networks is used in all the domains as the central download location. The directory structure is as follows :
content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe
content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe
Therefore, if you have secureyourpc.com the directory structure would be /SecureYourPC.com/SecureYourPC/install_en.exe
Sample domains portfolio of digitally alike samples of each of these :
antivirusfiable.com
antivirusmagique.com
bastioneantivirus.com
gubbishremover.com
pchealthkeeper.com
securepccleaner.com
storageprotector.com
trustedprotection.com
yourprivacyguard.com
DNS servers further expanding the domains portfolio :
ns1.bestsellerantivirus.com
ns2.bestsellerantivirus.com
ns3.bestsellerantivirus.com
ns4.bestsellerantivirus.com
ns1.onerateld.com
ns2.onerateld.com
Main portfolio domain farm IPs :
- 87.117.252.11
- 85.12.60.22
- 85.12.60.11
- 85.12.60.30
Laziness on behalf of the malicious parties in this campaign, leads to better detection rate, thus, they didn't hedge the risks of having their releases detected by diversifying not just the domains portfolio, but the actual binaries themselves.
No comments:
Post a Comment