Thursday, April 30, 2009

419 Scam Artists Using 'Email this' Feature

In times when more and more scammers/spammers are getting DomainKeys verified, others are finding adaptive ways to increase the probability of bypassing antispam filters.

Take for instance this 419s scam artist, that's been pretty active in his scamming attempts as of recently.

Basically, he's exploiting the fact that he's allowed to enter a message within's 'Email this" feature, whereas it will successfully reach the potential victim based on clean IP reputation of NYTimes - and sadly, he's right since he's already sending scam messages through the following accounts registered at the site:

His excuse for using - "Based on the bank high sensitiveness and security i have decided to contact you outside the bank's sever IP for a beneficial transaction."

Another scam that I've been tracking for a while is using a new "Hand bag stolen at Barcelona air port" social engineering attempt, and is attaching scanned copies of real baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you don't know what advance fee fraud is.

Wednesday, April 29, 2009

Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of the, for instance, ASProx botnet the process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots.

In 2004, the Santy worm advertised the feature to the not so efficiently centered hordes of script kiddies back then. Due to its simplicity, but huge potential for abuse, the concept of SQL injections through search engines reconnaissance has not only reached a real-time syndication with the latest remotely exploitable web application vulnerabilities, but has also converged with remote file inclusion checks, local file inclusion checks, and ip2geolocation to unethically pen-test a particular country going beyond its designated domain extension.

A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw featured at Milworm, based on its real-time syndication of the exploits. Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site.

Some of the features include:
- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it

The commoditization of these features results in a situation where the window of opportunity for abusing a partcular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time.

The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Tuesday, April 28, 2009

Spamvertised Swine Flu Domains

The people behind the ongoing swine flu spam campaign have either missed their marketing lectures, haven't been to any at all, or are simply too lazy -- their processing order is not even using SSL -- to fully exploit the marketing window opened by the viral oubreak - the majority of spamvertised domains are redirecting to your typical Canadian Pharmacy scam, instead of swine flu related templates.

Swine flu spamvertised domains:;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Happy blacklisting/cross-checking!

Related posts:
Inside an Affiliate Spam Program for Pharmaceuticals
Love is a Psychedelic, Too
Pharmaceutical Spammers Targeting LinkedIn
Fast-Flux Spam and Scams Increasing
Storm Worm Hosting Pharmaceutical Scams
Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings
Incentives Model for Pharmaceutical Scams

Wednesday, April 22, 2009

Massive Blackhat SEO Campaign Serving Scareware

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within.

And despite that the abuse notifications for some of the central redirection domains proved effective,  it took the cybercriminals approximately 24 hours to catch up, and once again start hijacking search queries, in a combination of scareware, and pay per click redirections.

It's worth pointing out that this very latest campaign is directly related to last's week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? An Ukranian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.

The first stage of the campaign was relying on mainstream media titles within its pages such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts of wandering around -- and removed the titles, which combined with the typical referrer checking made the campaign a bit more evasive :

""var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++""

Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using an Ukrainian web site counter service (')

The most recent list of of domains on popular DNS services is as follows. Sub-domains within are excluded since there are several hundred currently active per domain:
0kfzzl .us - -  Email:
52ubih .us - - Email:
5nw8b3 .us - - Email:
60mptk .us - - Email:
6ry4nv .us - - Email:
77m8uh .us - - Email:
axnwpy .us - - Email:
bumgli .us - Email:
cqxuhk .us - - Email:
dfkghdf .us - - Email:
dfwdowrly .us - Email:
edtbcm .us - - Email:
edu4life .us - Email -

fc4oih .us - - Email:
fcbcwo .us - - Email:
fpq58z .us - - Email:
fzjt82 .us - -
gfor8g .us - Email:
gotpig .us - Email:
hhjsuuy .us - - Email:
hk2april .us - - Email:
hk3april .us - - Email:
hno6sh .us - - Email:
i2u6nr .us - - Email:
ik3trends .us - - Email:
itn92j .us -  Email:
j4vre4 .us -
kzq2i2 .us - - Email:

l5ykp6 .us - - Email:
lh85uk .us - - Email:
lp24april .us - - Email:
m9nvzp .us - - Email:
mm00april .us - - Email:
mm99april .us - - Email:
n5y3m8 .us - - Email:
na8nw2 .us - - Email:
oag3h8 .us - - Email:
po1april .us - - Email:
po3april .us - - Email:
pp6sqo .us - - Email:
pr061r .us - - Email:
qdhccy .us - Email:
qq338p .us - - Email:

repszp .us - - Email:
rrgtnm .us - - Email:
rt658y .us - - Email:
rzi6rj .us - - Email:
scsrn8 .us - - Email:
t9xu44 .us - - Email:
trfddp .us - - Email:
up3xv7 .us - Email:
vecy5r .us - Email:
vlj5jn .us - - Email:
vr31qo .us - - Email:
wk7iie .us - - Email:
x2ar3e .us - Email:
xe24py .us - - Email:
xecuk8 .us - - Email:
yl8ais .us - - Email:
yqfvp4 .us - - Email:
zvlewrms .us - Email: 
zxe11d .us - - Email:
zy7itf .us - - Email:

13news.doesntexist .com
13news.hobby-site .com
17news.endofinternet .net
18news.homeftp .org
19news.blogdns .com
19news.dnsdojo .org
19news.gotdns .com
19news.kicks-ass .org
19news.servebbs .com
22news.blogdns .com
isa-geek .org

The rotated scareware/fake security software domains include: scan-antispyware-4pc .com - parked at the same portfolio of fake security software domains which I warned that by blocking you would proactively protect your customers from black hat SEO campaigns - like this one for instance 
pcvistaxpcodec .com
onlinevirus-scannerv2 .com
av-antispyware .com
scan-antispy-4pc .com
fastviruscleaner .com
securityhelpcenter .com
scan-antispy-4pc .com
scanner-work-av .com
scanner-antispy-av-files .com
adwarealert .com
proantispyware .com

Download locations/related fake codec redirections:
winpcdown10 .com (
suckitnow1 .com
winpcdown99 .com
loyaldown99 .com
codecxpvista .com
wincodecupdate .com
velzevuladmin .com

tubeloyaln .com
wedare.tubeloyaln .com
lamer.tubeloyaln .com
billingpayment.netcodecs.tubeloyaln .com
videosz.tubeloyaln .com

loyal-porno .com - the same domain was recently exposed in the same blackhat  SEO campaign
win-pc-defender .com
codecvistaz .com
loyalvideoz .com

Sample detection rates:
litetubevideoz .net/codec/277.exe - detection rate
winpcdown99 .com/pcdef.exe - detection rate
winpcdown99 .com/file.exe - detection rate
setup.adwarealert .com/setupxv.exe - detection rate
files.scanner-antispy-av-files .com/exe/setup_200093_1_1.exe - detection rate

Monitoring of the campaign would continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Thursday, April 16, 2009

A CCDCOE Report on the Cyber Attacks Against Georgia

Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (on page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defense Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified" and authored by Eneken Tikk, Kadri Kaska, Kristel R√ľnnimeri, Mari Kert, Anna-Maria Talih√§rm, Liis Vihul, is not only quoting me extensively, but  has also reproduced the entire research within the Annexes.

Looks great!

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks

A Diverse Portfolio of Fake Security Software - Part Nineteen

You know things are getting out of hand when the scareware ecosystem scales to the point when typosquatted scareware domains offering removal services for the very same scareware distributed under multiple brands.

In response to the potential Conficker-ization of the scareware business, part nineteen of the Diverse Portfolio of Fake Security Software is the most massive update since the series started, and with a reason - to squeeze the cybercrime ecosystem, and ruin their malicious economies of scale revenue generation approaches.

Here are the most recent additions, with their associated registrant emails for clustering, cross-checking, and case building purposes:

vundofixtool .com (
remove-winpc-defender .com
remove-virus-melt .com
remove-ultra-antivir-2009 .com
remove-ultra-antivirus-2009 .com
remove-total-security .com
remove-system-guard .com
remove-spyware-protect-2009 .com
remove-spyware-protect .com
remove-spyware-guard .com
remove-personal-defender .com
remove-ms-antispyware .com
remove-malware-defender .com
remove-ie-security .com
remove-av360 .com
remove-antivirus-360 .com
remove-a360 .com
av360removaltool .com
antivirus360remover .com
remove-winpc-defender .com
remove-virus-melt .com
remove-virus-alarm .com
remove-ultra-antivirus-2009 .com
remove-ultra-antivir-2009 .com
remove-total-security .com

gotipscan .com ( Robert Sampson Email:
scanline6 .com
scanstep6 .com
scanbest6 .com
goscandata .com
goscanhigh .com
true6scan .com
any6scan .com
golitescan .com
gofanscan .com
gotipscan .com
gostarscan .com
goluxscan .com
goonlyscan .com
scan6step .com
goscanstep .com
scan6fast .com
scanline6 .info
scanlog6 .info
linescan6 .info
mainscan6 .info
log6scan .info
main6scan .info

addedantiviruslive .com ( Administrative Email:
searchrizotto .com
easyaddedantivirus .com
yourcountedantivirus .com
av-plus-support .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
yourguardstore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
easyserviceprotection .cn
easypersonalprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
yourcheckpoisonpro .cn
bigdefense2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn

fullsecurityshield .com ( Gregory Bershk Email:
greatsecurityshield .com
trustsecurityshield .com
anytoplikedsite .com
topsecurityapp .com
inetsecuritycenter .com
securitytopagent .com
thebestsecurityspot .com
topsecurity4you .com
fullandtotalsecurity .com ( is a traffic management domain for the campaign (e.g seresult .com/go.php?id=3466)

greatstabilitytraceonline .com ( Jacquelyn Jain Email:
beststabilityscan .com
beststabilityscans .com
esnetscanonline .com
greatstabilitytraceonline .com
greatvirusscan .com
networkstabilitytrace .com
onlinestabilityscanada .com
protectionexamine .com
quickstabilityscan .com
safetyexamine .com
stabilityinetscan .com
stabilitysolutionslook .com
swiftsafetyexamine .com
webprotectionscan .com
webwidesecurity .com

scanmix4 .com ( Clifford Barton Email:
bestscan7 .com
goscandata .com
scan7live .com
new7scan .com
godatascan .com
gosidescan .com
goluxscan .com
goonlyscan .com
goscanstep .com
scantool4 .info
newscan4 .info
scannew4 .info
tool4scan .info

exstra-av-scanner .net ( Joan Oglesby Email:
msantivir-storage .com
ms-antivirus-storage .com
goodproantispyware .com
ms-antivir-scan .com
anispy-storage-ms .com
ms-av-storage-best .com
antivir-scanner-ms-av .com

msscan-files-antivir .com (
hot-girl-sex-tube .com
msscan-files-antivir .com
msscanner-top-av .com
msscanner-files-av .com
antivir-4pc-ms-av .com

ultraantivirus2009 .com (
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com
mysupervisor .net

msscanner-top-av .com (
msscanner-files-av .com
antivir-4pc-ms-av .com
hot-girl-sex-tube .com

antivirus-av-ms-check .com (
antivirus-av-ms-checker .com
ms-anti-vir-scan .com
mega-antiviral-ms .com

extremetube09 .com ( Mariya Latinina Email:
softupdate09 .com
extrafastdownload .com
myrealtube .net

extraantivir .com (
no-as-scanner .com ( Roy Latoya Email:
pro-scanner-av-pc .com
tantispyware .com (;
webantispy .com
pantispyware09 .com

fastantivirus09 .com (

Blacklisting --until the domains themselves get suspended -- the scareware domains proactively protects your customers from the "final output" of a huge percentage of attacks taking advantage of blackhat SEO, SQL injection, site compromise, malvertising, and automatic abuse of Web 2.0 services through human-based CAPTCHA solving such as Digg; LinkedIn, Bebo, Picasa and ImageShack, YouTube and Google Video.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Wednesday, April 15, 2009

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

Not necessarily in real-time (Syndicating Google Trends Keywords for Blackhat SEO) but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm StalkDaily/Mikeyy.

What's particularly interesting about this campaign, is not the fact that all of the currently active domains are operated by the same individual/group of individuals or that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice - referrer checking in order to serve or not to serve the malicious content.

For instance, deobfuscated the script checks whether the user is coming from the following search engines var se = new Array("google", "msn", "", "yahoo", " comcast"); if (document.referrer)ref = document.referrer;. If the user/researcher is basically wandering around, a blackhat SEO page with no malicious redirections would be served.

The following are all of the currently active and participating domains/subdomains: .de
actual.homelinux .com .de
aprln.getmyip .com
east.homeftp .org 
my1.dynalias .org
my2.dynalias .org
my3.dnsalias .org
my5.webhop .org

The redirection process consists of two layers. The first one is redirecting to hjgf .ru/go.php?sid=5 ( and then to msscan-files-antivir .com (, and the second one takes place through a well known malicious doorway redirecting domain hqtube .com/to_traf_holder.html ( that either serves a fake codec that's dropping the scareware, or the scareware itself from .com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:

msscan-files-antivir .com ( - Coi Carol Email:
hot-girl-sex-tube .com - Erica Thomas Email:
msscan-files-antivir .com
msscanner-top-av .com -
Mui Arnold Email:
msscanner-files-av .com
antivir-4pc-ms-av .com
- Jason Munguia Email:

The bottom line - the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.

Tuesday, April 14, 2009

Conficker's Scareware/Fake Security Software Business Model

It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet had to switch to monetization phase, and start earning revenue by using well proven business models within the cybercrime ecosystem.

Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two), hosting of scams and spam, examples of which we've already seen related cases where a money mule recruitment agency was using ASProx's fast-flux network services, next to Srizbi's botnet managed spam service propositions.

How come? Pretty simple, starting from the fact that scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks are often an easy way for cybercriminals to quickly money launder large amounts of money in a typical win-win revenue sharing scheme.

The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact - that in a cybercrime ecosystem visibility is not just proportional with decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection), but also, that despite their risk-decreasing revenue sharing model, the "follow the money trail" practice becomes more and more relevant.

The most recent variant (Net-Worm.Win32.Kido.js) is the group's second attempt to monetize the botnet, following by the original Conficker variant's traffic converter connection pushing fake security software. According to Aleks Gostev at Kaspersky Labs:

"One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on,,"

Regular researchers/law enforcement followers of the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme the latest Conficker variant is using. Among the currently active/recently registered SpywareProtect portfolios are managed by Geraldevich Viktus Email: and conveniently just like Kaspersky states, are all parked in Ukraine.

In case you remember according to SRI International's Analysis of the Conficker worm, the authors did signal a national preference since the first release "randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database." and also "Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian." followed by a third Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors.  Specifically,  we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX -, Kiev, Ukraine; Connection 2: 200.68.XX.XXX -, Buenos Aires, Argentina."

SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009 .com ( Ukraine Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC
spyware-protector-2009 .com
spy-protect-2009 .com
spywprotect .com

The second portfolio is also parked in Ukraine as follows:
sysguard2009 .com ( AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine
swp2009 .com
spwrpr2009 .com
alsterstore .com
adwareguard .net

In a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g spywrprotect-2009 .com) can be established with Zeus crimeware campaigns, since particular droppers have been known to have been installing the scareware next to Zeus crimeware used to be hosted at the following locations:

capitalex .ws/adv.bin (
cashtor .net/tor22/tor.bin (
goldarea .biz/adv.bin (

It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking-even out of their investment?

In a network whose activities will inevitably start converging with the rest of the cybercrime ecosystem's participants' activities -- the Waledac connection -- it's crucual to keep the track-down-and-prosecute process as simple as possible. In this case - the Conficker authors'/customers of their botnet services asset liquidity obsession, may easily end up in someone's $250k reward claim. Patience is a virtue.

Wednesday, April 08, 2009

A Diverse Portfolio of Fake Security Software - Part Eighteen

With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime committing capabilities.

avs-online-scan .org ( Oleg Bajenov Email:
av-lookup .org
am-scan .com
system-scan-1 .biz
sys-scanner-1 .biz
sys-scan-wiz .biz
scanner-wiz-1 .com

webwidesecurity .com ( Rosalind Lewis Email:
webprotectionscan .com
greatvirusscan .com
beststabilityscans .com

todaybestscan .com (;; Elliott Cameron Email:; Anatolij Andreev Email:
thebestsecurityspot .com
securitytopagent .com
inetsecuritycenter .com
fullandtotalsecurity .com   
activesecurityshield .com
getpcguard .com
websecurityvoice .com
onlinescanservice .com
scanalertspage .com
scanbaseonline .com
bestsecurityupdate .com
getsecuritywall .com
bestfiresfull .com
initialsecurityscan .com
websecuritymaster .com
runpcscannow .com
thegreatsecurity .com
truescansecurity .com
checkonlinesecurity .com
spy-protector-pro .com

DNS servers of notice:
ns1.ahuliard .com
ns2.ahuliard .com
ns1.fuckmoneycash .com
ns2.fuckmoneycash .com
ns1.zitodns .com
ns2.zitodns .com

Now comes the deja vu moment. At and we also have parked ilovemyloves .com one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007 which was then parked at the RBN's HostFresh ifrastructure ( Behind the malware campaign back then was the New Media Malware Gang" (Part Three; Part Two and Part One) which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the groups direct involvement in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary.

It gets even more interesting to see what they're up to in 2009, considering the fact that they have also parked domains used ( and in currently ongoing Facebook phishing campaign, which is switching themes from to :

The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Inside a Zeus Crimeware Developer's To-Do List

Every then and now I get asked a similar question in regard to crimeware kits - which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is - I don't know. And I don't know not because I'm a victim of an outdated situational awareness, but due to the fact that nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand jacking the Zeus brand, is making the answer a little bit more complex than it may seem at the first place.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in a attempt to hijack their Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while. Anyway, once I'm able to sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the way the version number system in the Zeus crimeware, before we take a peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. Zeus version a.b.c.d means that change in A stands for a complete change in the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions from detecting it.

The Q&A applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December, 2008 :

"Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is a now able to receive commands not only by using the send command function, but also during requests for files and logs changes
- Local data requests to the server and the configuration file can be encrypted with RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compressed of the binary
- Rewritten the process of assembling the configuration file
- Changed the MyMSQL tables
- Fixed fonts in the panel due to bogus displaying of characters
- Updated Geolocation database"

The following "To-Do" list, pretty similar to another one which I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection"
- Console-based builder
- Version supporing x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going away from the radar anytime soon, and the main reason for that is not the fact that its exclusive features outperform the ones in the Limbo crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan base, and well established third-party community around it.

Image courtesy of's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Wednesday, April 01, 2009

Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software

From the automatically registered bogus LinkedIn profiles promoting pharmaceuticals campaign in February, to January's malware campaign redirecting to malware Zlob variants and rogue security software, the malware gang behind both of these campaigns is once again showcasing its persistence.

It gets even more interesting when a direct connection between January's, this very latest campaign, and the most recent massive comment-spam attack at, is established since the very same malware domains are participating in all of the campaigns (e.g funkytube .net)

Bogus LinkedIn profiles for March:
linkedin .com/in/keeleyhazellsextape
linkedin .com/in/minimesextape
linkedin .com/in/lindsaylohansextape1
linkedin .com/in/vernetroyersextape
linkedin .com/in/parishiltonsextapeq
linkedin .com/in/britneyspearssextapeq
linkedin .com/in/carmenelectra
linkedin .com/in/halleberrysexscene
linkedin .com/pub/dir/tila tequila/sex
linkedin .com/in/carmenelectrasex1
linkedin .com/in/carmenelectrasexscene1
linkedin .com/pub/dir/jennifer%20aniston/sex%20scene
linkedin .com/in/lindsaylohansex1 watson/wearing degeneres/gay tequila/porn watson/porn's raven/symone  nude
linkedin .com/pub/dir/olsen twins/camel toe
linkedin .com/in/aliciamachadodesnuda
linkedin .com/pub/dir/leighton meester/nude
linkedin .com/in/katehudsonnude
linkedin .com/in/jenniferanistonbangs1
linkedin .com/in/hilaryduffnude2
linkedin .com/in/adriennebailonnaked
linkedin .com/in/jennifermorrisonnude1
linkedin .com/in/jenniferlopezdesnuda
linkedin .com/in/jennifergarnernude1
linkedin .com/in/aishwaryaraiwearingnothing
linkedin .com/in/isprinceharrygay
linkedin .com/in/vanessahudgensnude
linkedin .com/in/mariahcareynude1
linkedin .com/pub/dir/olsen twins/nudity
linkedin .com/pub/dir/denise richards/naked
linkedin .com/pub/dir/kate mara/naked
linkedin .com/in/carmencocks1
linkedin .com/in/ravensymonebreast
linkedin .com/in/adriennebailonnudephotos
linkedin .com/pub/dir/shakira/nude
linkedin .com/in/jenniferanistonnude
linkedin .com/in/emmawatsonkissingsomeone

Using a celebrities theme, all of these bogus accounts are linking to the same malware serving domains. The following central redirectors :
oymomahon .com/fathulla/11.html
oymomahon .com/mirolim-video/3.html
oymomahon .com/paqi-video/28.html
muse.100-celebrities .com/paqi-video/1.html
nahyu .org/xxxx/
1k .pl/nufexz

are then redirecting to another set of fake codec domains :
xretrotube .com
globextubes .com
globalstube2009 .com
globerstube .com
spywareremover21 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com
sgviralscan .com

to ultimately direct the visitor to the actual binaries:
nahyu .org/xxx/video/teens_fuck_orgy11.mpeg.exe - detection rate
loyaldown99 .com/codec/186.exe - detection rate
kol-development .com/viewtubesoftware.40012.exe - detection rate

Despite the fact that real-time/event-based blackhat search engine optimization is gaining popularity these days, blackhat SEO in its very nature relies on huge bogsus content farms, using a diverse theme-based set of content, usually generated in an automated fashion. Real-time blackhat SEO or standard volume-based blackhat SEO as a tactic of choice? Does it really matter given that from the perspective of tactical warfare, combining well proven tactics results in high click-through/infection rates for the campaigns in question.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Fake Porn Sites Serving Malware
Fake Porn Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware
Fake Celebrity Video Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware - Part Three
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
A Portfolio of Fake Video Codecs