Are malware authors and the rest of the participants in this ecosystem really willing to violate their OPSEC (operational security) for the sake of increasing the probability of a successful malware infection, by deliberately lowering the security settings of Internet Explorer and adding their malicious netblocks and domains to its "Trusted Sites" zone? You bet.
The infamous Smitfraud, or PSGuard Desktop Hijacker, has been cooperating with known malicious parties for over a year now, a cooperation which exposes interesting relationships between the usual suspects. Starting from the basic fact that a malware-infected host is usually infected with many other, totally unrelated pieces of malware, Smitfraud's "pre-infection foreplay" demonstrates that they are willing to sacrifice operational security in order to increase the probability of future infections on the same host.
Rogue software sites added as trusted sites upon Smitfraud infection:
about-adult .net
antivirus-scanner .com
best-porncollection .com
getadultaccess .com
getavideonow .com
ieantivirus .com
malwarebell .com
mega-soft-2008 .com
mooncodec .com
movsonline .com
ruler-cash .com
s-freeware .com
sexysoftwaredom .com
supersoft21freeware .com
the-programsportal .com
vwwredtube .com
wetsoftwares .com
youpornztube .com
securewebinfo .com
safetyincludes .com
securemanaging .com
myflydirect .com
onlinevideosoftex .com
scanner.malwscan .com
scanner.shredderscan .com
sex18tube2008 .com
spywareisolator .com
virus-scanner-online .com
security-scanner-online .com
virus-scanonline .com
antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
internet-security-antivirus .com
hotvid44 .com
opaadownload .com
somenudefuck .com
Rogue netblocks and IPs added as trusted IP ranges upon Smitfraud infection:
"69.50.*.*"
"69.31.*.*"
"66.235.*.*"
"66.230.*.*"
"216.239.*.*"
"205.188.*.*"
"205.177.*.*"
"195.225.*.*"
"216.195.*.*"
"82.179.*.*"
"81.95.*.*"
"70.84.*.*"
"195.95.*.*"
"194.187.*.*"
"78.129.158.*"
"78.129.166.*"
"89.149.226.*"
"195.93.218.*"
"72.21.53.*"
"81.9.3.*"
"213.189.27.*"
"88.255.74.*"
"79.143.178.*"
"202.71.102.*"
"64.202.189.170"
"217.170.77.150"
The second hardcoded trusted IP (217.170.77.150) also responds to the following domains:
virusisolator .com
virus-isolator .org
virus-isolator .net
soft-collections .com
viruswebprotect .com
virus-isolator .us
codecvideo2008-18 .com
sextubecodec55 .com
sextubecodec67 .com
soft-archives .com
soft-collections .com
codecreviews .com
codecvideo2008-18 .com
Such practices leave a great deal of room for malicious creativity: for instance, once rented out, a botnet's already infected PCs could start trusting the majority of sites in their scammy ecosystem. What's great is that by doing this they expose their affiliations with these affiliate-based rogue security software programs, as well as the infrastructure over which they may be that easily claiming ownership.
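To turn the two lists above into something a responder can actually check on a host, here is an added Python example (not code from the original post) that audits a snapshot of the Internet Explorer ZoneMap for Trusted Sites entries matching the rogue domains and netblocks named here. The registry layout it mimics is the real one under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (zone 2 is Trusted Sites); the SAMPLE_ZONEMAP dictionary, the shortened rogue lists, and the audit_zonemap and ranges_overlap helpers are constructed for this example. The " ." spacing used to defang the domains in the post is collapsed in the code.

```python
"""Audit a snapshot of the IE ZoneMap for rogue entries in the Trusted Sites zone.

Registry layout being mimicked (HKCU\\...\\Internet Settings\\ZoneMap):
  Domains\\<domain>[\\<host>]  -> DWORD values named "http", "https" or "*" holding the zone id
  Ranges\\RangeN               -> string ":Range" holding an IP pattern, plus a "*"/"http" DWORD zone id
Zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
"""

TRUSTED_SITES_ZONE = 2

# A few of the domains and netblocks listed in the post (defanging removed).
ROGUE_DOMAINS = {"antivirus-scanner.com", "malwarebell.com",
                 "scanner.malwscan.com", "virusisolator.com"}
ROGUE_RANGES = ["69.50.*.*", "78.129.158.*", "64.202.189.170"]

# Constructed snapshot in the shape of the ZoneMap key; not a real registry export.
SAMPLE_ZONEMAP = {
    "Domains": {
        "malwarebell.com": {"*": 2},                  # whole domain trusted, all schemes
        "malwscan.com": {"scanner": {"http": 2}},     # host scanner.malwscan.com trusted over http
        "example.com": {"www": {"https": 2}},         # legitimate trusted site, must not be flagged
        "microsoft.com": {"*": 1},                    # intranet zone, not trusted sites
    },
    "Ranges": {
        "Range1": {":Range": "69.50.*.*", "*": 2},
        "Range2": {":Range": "10.0.0.*", "*": 1},
        "Range3": {":Range": "64.202.189.170", "http": 2},
    },
}


def _walk(name, node):
    """Yield (fqdn, scheme, zone) triples, descending into per-host subkeys."""
    for key, val in node.items():
        if isinstance(val, dict):
            yield from _walk(f"{key}.{name}", val)
        else:
            yield name, key, val


def iter_domain_entries(domains):
    for domain, node in domains.items():
        yield from _walk(domain, node)


def _domain_related(entry, rogue):
    """True if the trusted entry covers the rogue host, or lies inside the rogue domain."""
    return (entry == rogue
            or rogue.endswith("." + entry)    # trusting malwscan.com covers scanner.malwscan.com
            or entry.endswith("." + rogue))   # a host under a rogue domain is still rogue


def ranges_overlap(a, b):
    """Octet-wise comparison of two dotted patterns where '*' matches any octet."""
    oa, ob = a.split("."), b.split(".")
    if len(oa) != 4 or len(ob) != 4:
        raise ValueError(f"expected dotted-quad patterns, got {a!r} and {b!r}")
    return all(x == "*" or y == "*" or x == y for x, y in zip(oa, ob))


def audit_zonemap(zonemap, rogue_domains=ROGUE_DOMAINS, rogue_ranges=ROGUE_RANGES):
    """Return findings for Trusted Sites entries that match known rogue domains or netblocks."""
    findings = []
    for fqdn, scheme, zone in iter_domain_entries(zonemap.get("Domains", {})):
        if zone != TRUSTED_SITES_ZONE:
            continue
        hit = next((r for r in rogue_domains if _domain_related(fqdn, r)), None)
        if hit:
            findings.append(("domain", fqdn, scheme, hit))
    for key, node in zonemap.get("Ranges", {}).items():
        pattern = node.get(":Range")
        zones = [v for k, v in node.items() if k != ":Range"]
        if pattern is None or TRUSTED_SITES_ZONE not in zones:
            continue
        hit = next((r for r in rogue_ranges if ranges_overlap(pattern, r)), None)
        if hit:
            findings.append(("range", key, pattern, hit))
    return findings


if __name__ == "__main__":
    for kind, name, detail, matched in audit_zonemap(SAMPLE_ZONEMAP):
        print(f"{kind}: {name} ({detail}) in Trusted Sites matches rogue indicator {matched}")
```

On a live host the same logic applies to the values read from the ZoneMap key, and a range match against a whole netblock such as 69.50.*.* is worth reporting even when the specific address was never observed, since that is exactly the breadth the hijacker is buying.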