The "New Media" Malware Gang

Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :

repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com
grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net

However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as communication vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.

But of Course I'm Infected With Spyware

Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is stimulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, and adding an additional layer of social engineering tricks by obtaining the PCs details with simple javascript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in upcoming marketing campaign or service to come. SpywareSoftStop's statements :

"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com that's now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe) will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of a DIY malware courtesy of Pinch.