Thursday, July 30, 2009

Social Engineering Driven Web Malware Exploitation Kit


The standardization through template-ization of bogus codec/flash player/video pages, taking place during the past two years, has exponentially increased the efficiency levels of malware campaigns relying exclusively on social engineering.

Just as phishing pages have become a commodity, these commodity spoofs of legitimate software/plugins relying on "visual social engineering" represent a market segment by themselves, one that some cybercriminals have been attempting to monetize for a while.

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.
 

Although the kit's author has ripped off a well-known exploit-serving malware kit's statistics interface, what's unique about this release is that the "exploit modules" come in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", "Outdated Video Codec" and "Codec Required" modules.

These very same modules represent the dominant social engineering attack vector on the Internet, due to the quality of the spoofs and the end users' gullibility in infecting themselves. For the time being, the author appears to be an opportunist rather than someone interested in setting new benchmarks for standardized social engineering by using the efficiency and delivery methods offered by a web malware exploitation kit.

Interestingly, a huge number of fake codec serving web sites are already detecting the OS/browser of the visitor, and serving Mac OS X based malware or Windows based malware accordingly. This, together with the fact that visual spoofs of OS X-like dialogs are also getting template-ized, is not a coincidence: it signals an efficient, social engineering driven malware delivery mechanism in the works. The development of the kit will be monitored and updates posted - if any.

Meanwhile, the recent blackhat SEO campaign which attempted to hijack 'Harry Potter and the Half-Blood Prince' related traffic is a good example of how, despite the magnitude of the campaign -- hundreds of thousands of indexed, malware-serving pages -- its manual campaign management and centralized nature make it easier to shut down.

Upon clicking on a link, the end user was redirected to usa-top-news .info - 67.228.147.71 - Email: fullhdvid@gmail.com, then to world-news-scandals .com - Email: wnscandals@gmail.com, and finally to tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 - Email: j0cqware@gmail.com, where the codec was served from exefreefiles .com - 95.211.8.20 - Email: case0ns@gmail.com. More codec-serving domains are parked on the same IPs:


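The redirect chain described above (news lure, scandal page, "video player" script, executable download from a separate domain) is the pattern a proxy log can surface. The following is an added example, not code from the post: it reconstructs per-client chains from Referer headers and flags chains that end in an executable download behind a player script. The log format and the `.example` hostnames (echoing the post's defanged names) are constructed for illustration.

```python
"""Flag fake-codec redirect chains in constructed proxy log lines."""
import re
from urllib.parse import urlparse

# Constructed log format: time client method url status content-type referer ("-" if none)
SAMPLE_LOG = """\
10:01:01 10.0.0.5 GET http://usa-top-news.example/news.html 302 text/html -
10:01:02 10.0.0.5 GET http://world-news-scandals.example/ 302 text/html http://usa-top-news.example/news.html
10:01:03 10.0.0.5 GET http://tubesbargain.example/xplay.php?id=40018 200 text/html http://world-news-scandals.example/
10:01:05 10.0.0.5 GET http://exefreefiles.example/codec_setup.exe 200 application/x-msdownload http://tubesbargain.example/xplay.php?id=40018
10:02:10 10.0.0.7 GET http://news.example/story 200 text/html -
10:02:12 10.0.0.7 GET http://cdn.example/player.swf 200 application/x-shockwave-flash http://news.example/story
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-dosexec"}
# The post's lure pages hand off to a script such as xplay.php?id=NNNNN.
PLAYER_SCRIPT_RE = re.compile(r"/x?play\w*\.php\?id=\d+", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed log format into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, method, url, status, ctype, referer = m.groups()
        rows.append({"ts": ts, "client": client, "method": method, "url": url,
                     "status": int(status), "ctype": ctype, "referer": referer})
    return rows


def chain_for(row, index, max_depth=10):
    """Walk Referer headers backwards (same client) to rebuild the chain."""
    chain, seen, cur = [row], {row["url"]}, row
    while cur["referer"] != "-" and len(chain) < max_depth:
        prev = index.get((cur["client"], cur["referer"]))
        if prev is None or prev["url"] in seen:
            break  # unknown origin or a referer loop
        chain.append(prev)
        seen.add(prev["url"])
        cur = prev
    chain.reverse()
    return chain


def is_executable(row):
    path = urlparse(row["url"]).path.lower()
    return row["ctype"] in EXECUTABLE_TYPES or path.endswith(".exe")


def find_fake_codec_chains(rows):
    """Return chains: player script on one host, .exe served from another."""
    index = {(r["client"], r["url"]): r for r in rows}
    hits = []
    for r in rows:
        if not is_executable(r):
            continue
        chain = chain_for(r, index)
        player = [c for c in chain if PLAYER_SCRIPT_RE.search(c["url"])]
        if not player:
            continue
        if urlparse(player[-1]["url"]).hostname != urlparse(r["url"]).hostname:
            hits.append({"client": r["client"],
                         "hosts": [urlparse(c["url"]).hostname for c in chain],
                         "download": r["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_fake_codec_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["hosts"]), hit["download"])
```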

The gang maintains another portfolio of rather descriptively named domains for phone-back and direct fake-codec-serving purposes:


Who's behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", it's the "fan club" with the Koobface connection, continuing to use the same phone back locations that they've been using during the past couple of months - myart-gallery .com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; robert-art .com/senm.php - 66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 216.240.146.119 - Email: chucjack@gmail.com.

This post has been reproduced from Dancho Danchev's blog.

Wednesday, July 29, 2009

5th SMS Ransomware Variant Offered for Sale

"Your system has been blocked because it is running a pirated copy of Windows. In order to unblock it, enter the activation code sent to you by SMS-ing the following number."

Demand for emerging business models based on micro-payment ransom meets supply, with yet another SMS-based ransomware variant offered for sale ($25). As in previous underground market propositions, this one comes with a value-added service: managed, undetected binaries on a daily basis, for an extra $5 per undetected copy. It's worth pointing out that, due to the customization offered, the original layouts and error messages will look a lot different once the customers get hold of the ransomware.

Key features include:
- protection against repeated infection through a mutex
- pops up on top of all windows
- disables safe mode, as well as key combinations that could be used to bypass the window
- adds itself as a trusted/excluded executable in Windows Firewall
- a variety of non-intrusive auto-starting/executable-injecting capabilities
- ROT-x encryption for the activation codes
- ability to embed more than one activation code
- monitors and automatically blocks process names of tools that could allow removal
- complete removal of the code from the system once the correct activation code is entered
- zero detection rate of a sampled binary -- of course the advertiser is biased, and he didn't bother including a reference to the service he used (VirusTotal, NoVirusThanks.org, etc.)

Despite several isolated cases where the originally Russian-based ransomware is affecting international English-speaking users, the campaigns are primarily targeting Russian-speaking users -- at least for the time being, until the malware authors or their customers start localizing it. This emerging micro-payment ransomware business model is the direct result of largely unregulated market segments that allow literally anyone to get hold of a premium, automatically managed number in order to facilitate it.

Related posts:
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal


Monday, July 27, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Three

Part twenty three of the diverse portfolio of fake security software series will once again summarize the scareware domains currently in circulation, delivered through the usual channels - blackhat SEO, compromises of legitimate web sites, comment spam and bogus adult web sites - with an emphasis on yet another bogus company acting as a front-end to an affiliate network: AK Network Commerce Ltd.

Scareware remains the dominant monetization tactic applied by cybercriminals automatically abusing Web 2.0 properties.

The latest scareware domains are as follows:

Sampled malware phones back to od32qjx6meqos .cn/ua.php; more phone-back locations are also parked there:

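The "Email:" and IP annotations this post attaches to each domain are pivots: domains sharing a registrant address or a hosting IP are grouped into one gang's infrastructure. As an added example (not the post's own tooling), the following clusters such records with a union-find over shared IPs and registrant e-mails, so a blocklist entry or abuse notice can cover the whole set. The records are constructed placeholders, not the post's domains.

```python
"""Cluster domains by shared hosting IP or registrant e-mail (union-find)."""
from collections import defaultdict

# Constructed (domain, ip, registrant_email) records; None = no WHOIS contact.
RECORDS = [
    ("scanner-v1.example", "203.0.113.10", "reg-a@example.net"),
    ("scanner-v2.example", "203.0.113.10", "reg-b@example.net"),
    ("scanner-v3.example", "203.0.113.11", "reg-b@example.net"),
    ("cleaner-now.example", "198.51.100.5", "reg-c@example.net"),
    ("cleaner-fast.example", "198.51.100.5", None),
    ("unrelated.example", "192.0.2.7", "reg-d@example.net"),
]


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_summary(records):
    """Group domains transitively linked by IP or e-mail; report each pivot."""
    ds = DisjointSet()
    first_on_ip, first_with_email = {}, {}
    for domain, ip, email in records:
        ds.add(domain)
        if ip:  # setdefault returns the first domain seen on this IP
            ds.union(domain, first_on_ip.setdefault(ip, domain))
        if email:  # skip records without registrant data
            ds.union(domain, first_with_email.setdefault(email, domain))

    clusters = defaultdict(lambda: {"domains": set(), "ips": set(), "emails": set()})
    for domain, ip, email in records:
        c = clusters[ds.find(domain)]
        c["domains"].add(domain)
        if ip:
            c["ips"].add(ip)
        if email:
            c["emails"].add(email)

    # Sorted lists make the output deterministic and easy to diff between runs.
    return sorted(({k: sorted(v) for k, v in c.items()} for c in clusters.values()),
                  key=lambda c: c["domains"][0])


if __name__ == "__main__":
    for c in cluster_summary(RECORDS):
        print(", ".join(c["domains"]), "| ips:", c["ips"], "| emails:", c["emails"])
```

A cluster spanning several IPs and several registrant addresses (the "scanner" group here) is the signature of the distributed, affiliate-style infrastructure the post describes, as opposed to a single throwaway host.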
One of the latest front-ends to scareware affiliate networks is AK Network Commerce Ltd (ak-networkcommerce .com):

"Implementing latest anti-hacker technology based on expert and user reviews AK Network Commerce Ltd enables hacker-proof defense, blocks unauthorized access to your private information, and hides your identity. Having combined latest features of cutting-edge privacy protection technologies our knowledgeable team designed products to easily and effectively fight perilous cyber attempts. Thorough selection and step-by-step application of elements and tools required for comprehensive protection of your personal data helped us achieve success and become industry leading representatives. We did our best to prove that the time has come to leave behind worries about private data theft."

The company is the very latest attempt by a bogus company to build legitimacy around its "latest anti-hacker technology". Meanwhile, blacklisting, sample distribution and shutting down the scareware domains not only undermine the effectiveness of their largely centralized malware campaigns and cost them missed revenue projections, but also increase the opportunity costs for the gang.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software


Wednesday, July 22, 2009

Koobface - Come Out, Come Out, Wherever You Are

UPDATE2: New binaries are hosted at web.reg .md/1/pdrv.exe; web.reg .md/1/pp.10.exe and at web.reg .md/1/fb.49.exe.

UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities. This of course doesn't mean that enough evidence on "who's who" behind Koobface and a huge percentage of the currently active malware campaigns targeting Web 2.0 properties hasn't been gathered already.

Especially now that it's apparent we know each other's names. A recent Koobface update includes the following message (thanks to TrendMicro for pinging me):

We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software.

The ROI of several abuse notices during the weekend, quick response from China's CERT which took care of 61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc abuse team which took care of the Koobface activity at 98.143.159.138 -- cgpay-re-230609 .com still responds to the IP -- looks pretty positive and managed to increase the opportunity cost for the Koobface gang since it caused them some troubles during the weekend.

With the Koobface worm's Twitter campaign currently in standby mode due to the publicity it attracted, and with the central redirection points used in the campaign down, let's assess the current Koobface hosting infrastructure, with an emphasis on UKSERVERS-MNT (AS42831), which stopped responding to abuse notifications as of Sunday.

How did the Koobface gang/fan club respond to the downtime anyway? By introducing several new domains and parking them at 78.110.175.15 - UKSERVERS-MNT (AS42831), whose abuse department remains unreachable ever since.

Following the first abuse notice sent to UKSERVERS-MNT, the company temporarily closed the account (78.110.175.15) of the "customer", then brought it back online. Asked why, they responded that the "customer" claimed he had been compromised and needed to clean up the mess and secure the server. In reality that means "give us some time to smoothly update DNS records and migrate operations now that all of our command and control locations are offline".

Since they presumed I don't take lying personally, half an hour later I checked again and the Koobface command and control servers were operational again. The company forwarded the responsibility to the customer and said they closed down the account.

However, what the Koobface gang did was to register a new domain and use it as a Koobface C&C, again parked at the same IP, which remains active - zaebalinax .com - Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax .com/the/?pid=14010, which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru - which remain in standby mode, at least for the time being.

Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 .com/ld/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia .be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe.

UKSERVERS-MNT (AS42831) is also known for its connections to gumblar.cn malware campaigns, as well as for having hosted a domain (supernerd.org) that was part of a Photobucket malvertising campaign.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors


Thursday, July 16, 2009

From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

Could a dysfunctional abuse department facilitate cybercrime? Appreciate my rhetoric with an emphasis on Layered Technologies, Inc.

Exactly one month ago, the Ukrainian gang that I've been extensively monitoring due to their apparent involvement in literally each and every malware campaign targeting Web 2.0 properties -- that's of course next to the Koobface connection in general -- intensified their automatic abuse of Twitter, Scribd and LinkedIn using plain simple social engineering tactics.

Since the campaign seems to be ongoing, it's time to spill some coffee on their latest scareware domains, see how the campaign's quality degraded upon notifying the affected parties, and emphasize the fact that, since Layered Technologies, Inc.'s abuse department wasn't available for comment prior to this post, the Ukrainian "fan club" continues using their services.

Bogus Twitter accounts serving scareware part of their campaign:


As in the previous campaign, their redirectors continue working -- excluding oymomahon .com, which is down -- and serving newly typosquatted scareware domains. For instance, showmealltube .com/fathulla/13.html (64.92.170.135; 216.32.83.110), which is used exclusively on all the bogus accounts, redirects to myhealtharea .cn/in.cgi?14 (64.92.170.135; 216.32.83.110), again at Layered Technologies, Inc.

The same goes for the second domain, delshikandco .com/paqi-video/30.html (216.32.83.104; Email: alexeyvas@safe-mail.net, with multiple scareware domains registered under the same email), as well as for another redirector maintained by them and used in the previous campaign, ntlligent .info/tds/in.cgi (72.232.163.171); both are also hosted at Layered Technologies, Inc.

The new scareware domains used in the first redirection:

The second redirection leads to thetubesmovie .com/xplaymovie.php?id=40012 (216.240.143.7; Email: queeziegl@gmail.com), where onlinemovies.40012.exe (Trojan.Crypt.ZPACK.Gen) is served. Upon execution it phones back to myart-gallery .com/senm.php?data= (64.27.5.202; Email: jnthndnl@gmail.com), robert-art .com/senm.php?data= (66.199.229.229; Email: robesha@gmail.com) and superarthome .com/senm.php?data= (216.240.146.119; Email: chucjack@gmail.com). Yet another redirector at showmeall-tube-xx .com/xtube.htm (78.159.98.70; Email: crashtestdanger@mail.ru) attempts to download more scareware from showmeall-tube-xx .com/setup.exe (Trojan:Win32/Winwebsec).

Parked on 216.240.143.7 are also:

The newly registered Scribd and LinkedIn accounts also point to these very same domains. Bogus Scribd accounts -- approximately a thousand -- participating in the campaign:

Bogus LinkedIn accounts participating in the campaign:

The statistics from two of the bit.ly URLs showcase how the campaign scaled thanks to the number of bogus accounts, and how it virtually disappeared once the affected parties were notified and removed the accounts in less than an hour. The gang keeps making a point that I made a while ago: a single group can dominate the entire Web 2.0 threatscape, automatically, if they want to.


4th SMS Ransomware Variant Offered for Sale

Locking down an infected Windows-based host and demanding a premium-rate SMS message for the unlock code (SMS Ransomware Source Code Now Offered for Sale; New ransomware locks PCs, demands premium SMS for removal; 3rd SMS Ransomware Variant Offered for Sale) is slowly becoming a trend. Despite its current geographical prevalence in Russia, it could easily become an international issue due to the cost-effective localization services available on demand these days.

Yet another SMS-based ransomware variant is offered for sale ($10), making this the 3rd such variant available for purchase during the past couple of months. The author appears to be a Moscow-based opportunist, clearly interested in making a quick buck and lacking any long-term ambitions - at least for the time being. Although the message and the visual interface can be changed on request, the default version once again insists that Microsoft locked down this copy of Windows because it was detected as a pirated copy, and that in order to unlock it the user has to send an SMS to receive the unlock code.

What bothers me is not the potential "spread-ibility" of his campaigns -- that is, if he turns into a user of his own code -- but how easily and cost-effectively his customers can push the ransomware to a huge number of already infected malware hosts.


Wednesday, July 15, 2009

Dissecting Koobface Worm's Twitter Campaign

My "fan club" is at it again - abusing Web 2.0 in an automated fashion. A new Koobface variant, modified by a Cyrillic-aware cybercriminal going under the handle of "floppy" -- it has also been injected within legitimate sites -- has started using Twitter as a distribution channel for the group as of last week.

Hundreds of Twitter users infected with Koobface are now automatically tweeting links to their followers, in an attempt by the Koobface gang -- evidence of my fan club's involvement keeps popping up like mushrooms -- to abuse the micro-blogging service, which is much less secure than their original traffic acquisition channel, Facebook, where they had to adapt and outsource the CAPTCHA-solving process.

The Twitter campaign is different in the sense that the Koobface-serving URLs use random strings in an attempt to defeat generic detection, which nevertheless remains possible due to the template-ization of the malware-serving sites.

The Koobface-serving links themselves are a combination of purely malicious and compromised legitimate web sites, serving a slightly modified fake YouTube page and using well known command and control/redirector domains -- maintained by the fan club -- (119.110.107 .137/redirectsoft/go/tw.php; 61.235.117 .71/redirectsoft/go/tw.php) found in their previous campaigns. This particular campaign provided factual evidence of the direct connection between the group and several Twitter, LinkedIn and Scribd malware campaigns in which scareware and Koobface variants were served.
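As an added example (not code from the original post), the following Python script turns that observation into a check: it flags URLs whose path follows the campaign's adjective+noun directory template (bestfilms/, privatevids/ and so on, with an optional index.php) or that hit the gang's go/tw.php, in.cgi or cap/ redirector scripts, and runs the check over a few constructed proxy-log lines. The directory vocabulary comes from the URLs listed in this post; the log lines and the label names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Directory-name vocabulary taken from the Koobface URLs listed in this post: each
# landing page lives in a directory named <adjective><noun>/ (bestfilms/, privatevids/ ...).
ADJECTIVES = ("amaizing", "best", "cool", "extrime", "fantastic", "free", "funny",
              "mega", "my", "private", "public", "uncensored", "you", "your")
NOUNS = ("action", "clip", "clips", "demonstration", "dvd", "film", "films", "movie",
         "movies", "performans", "show", "tube", "tv", "vid", "vids", "video")

LANDING_DIR = re.compile(
    r"^/(?:%s)(?:%s)/(?:index\.php)?$" % ("|".join(ADJECTIVES), "|".join(NOUNS)))
# Redirector / C2 script paths seen on the gang's domains in this post.
REDIRECTOR = re.compile(r"(?:^|/)(?:go/tw\.php|in\.cgi|cap/)$")


def classify_url(url: str) -> Optional[str]:
    """Label a URL as a Koobface landing page, a C2/redirector hit, or None (labels are ours)."""
    path = urlparse(url).path.lower()
    if LANDING_DIR.match(path):
        return "koobface-landing"
    if REDIRECTOR.search(path):
        return "koobface-redirector"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, url, label) for every log line carrying a matching URL."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in re.findall(r"https?://\S+", line):
            label = classify_url(url)
            if label:
                hits.append((lineno, url, label))
    return hits


# Constructed proxy-log sample: hostnames come from this post, timestamps and layout are made up.
SAMPLE_LOG = """\
2009-07-13 10:02:11 GET http://siam9.com/bestfilms/ 200
2009-07-13 10:02:12 GET http://r-d-cgpay-090709.com/go/tw.php 302
2009-07-13 10:03:40 GET http://example.com/news/index.php 200
2009-07-13 10:04:05 GET http://kuzmi4.110mb.com/yourshow/index.php 200
2009-07-13 10:04:09 GET http://upr0306.com/cap/?a=get&i=2&v=7 200
2009-07-13 10:05:00 GET http://example.com/bestfilmsale/ 200
"""

if __name__ == "__main__":
    for lineno, url, label in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {label:20} {url}")
```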

The following is a complete list of the Koobface URLs used in the Twitter campaign:

Interestingly, I was able to take a peek at the statistics used exclusively for the Twitter campaign on two of the command and control/redirectors domains maintained by the gang. The results? Thankfully, pretty modest as you can see in the attached screenshots.

What all of these URLs have in common is the Koobface command and control/redirector domain (r-d-cgpay-090709 .com/go/tw.php) they point to, along with several new additions on top of the original ones described in previous posts.

Command and control domains sharing the same IPs - 98.143.159.138; 78.110.175.15; 61.235.117.71; 119.110.107.137:

On these very same command and control domains, we can also see the Koobface worm's captcha7.dll component in action:
rd040609-cgpay .net/cap/?a=get&i=1&v=7
upr0306 .com/cap/?a=get&i=2&v=7
rjulythree .com/cap/?a=get&i=3&v=7
uthreejuly .com/cap/?a=get&i=4&v=7
er20090515 .com/cap/?a=get&i=0&v=7 


In this particular case, the CAPTCHA image is obtained from nua06032009 .biz/cap/temp (218.93.202.50; Email: kfmnmkswrnkcxlgpfdxb68@gmail.com).

A complete list of command and control domains, courtesy of FireEye, once again emphasizes the fact that the Koobface gang may be aware of each and every malicious traffic acquisition tactic there is, but has centralized its infrastructure, making it easy to deal with.

Who's providing them with the hosting infrastructure?
218.93.202.50 - China Beijing Chinanet Jiangsu Province Network
98.143.159.138 - United States Los Angeles Oc3 Networks & Web Solutions Llc
78.110.175.15 - Russian Federation Limit-surehost-ip/UK Dedicated Servers Limited
61.235.117.71 - China Shenzhen China Railcom Guangdong Shenzhen Subbranch
119.110.107.137 - Malaysia Kuala Lumpur Tm Net Sdn Bhd

Compared to the money they make from scareware -- they diversify across multiple revenue-generation fronts -- the money they pay for the anti-abuse hosting looks like pocket change.

Related posts:
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
