Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio.
Domains used on the bogus profiles :
sextapegirls .net (88.214.200.5)
celebsvids .net (216.195.57.47)
katynude .com (216.195.57.47)
delshikandco .com (82.103.132.114)
All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.
Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (69.59.21.247) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served.
The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds .com/in.cgi?6 (64.27.28.225), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (94.247.3.232) which a copy of Win32/Renos.
The downloader then phones back to :
dasgdasg .net (91.205.96.12)
new-york-images .com (89.149.207.114)
future-pictures .com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com
193.142.244.17
Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:
94.247.3.228
files-upload-21 .com
downloabsecurehere1 .com
downloabsecurehere2 .com
downloabsecurehere3 .com
downloabsecurehere4 .com
fast-download-base-free .com
download-all4free .com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now. com
download-allsoftnow .com
downloadallsoftnow .com
soft-4-you-download .net
get-files-4free .net
download-top-software .net
files-download-arch .net
download-files-bak .net
download-files-plus .net
pure-download-new .net
69.59.21.247
uni-tube-911 .com
bestmytubeonilne1 .com
bestmytubeonilne2 .com
bestmytubeonilne3 .com
mybest-pov-tube .com
my-bestpov-tube .com
u-tube-verse .com
tubeger .com
tube-4-free-center .com
tube-4you-best .com
tube-hu .com
tube-more-sex .com
quickly-porn-tube .net
fast-xxx-tube .net
tube-chick .net
tube-free-4-adult .net
antivir-av-toolz .net
scanner-pc-toolz .net
av-scan-soft .net
av-scan-here .net
anti-vir-toolz .com
freenonline-scannerw .com
freenonline-scanner .com
av-mc-antivir-checker .com
freenonline-scannera .com
bestmyscanneronilne3 .com
bestmytubeonilne3 .com
bestmyscanneronilne2 .com
bestmytubeonilne2 .com
94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009 .com
exefileshere2009 .com
bestfilesarchive2009 .com
softwareviewers2009 .com
filesinnet4you2009 .com
downloadfilesservice .com
jetexestorage .com
clickandgetfile .com
secretfilesstoragehere .com
x-filesstorehere .com
filesportalhere .com
exefileshere .com
extrafilesonlyhere .com
pornexearchive .com
viewerarchive .com
crystalfilesarchive .com
download2009exe .com
3d-softwareportal .com
downloadfilesportal .com
exesoftportal .com
softwareportalexefiles .com
becollectionoffiles .com
extracoolfiles .com
freepornclips2u .com
filesstorage4you.com
downloadexenow .com
The same people, the same tactics, different domains and netblocks used.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, January 07, 2009
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment