Monday, December 21, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Four



Good traditions are not meant to be broken, in particular the "Diverse Portfolio of Fake Security Software" series. With scareware losses to customers already (conservatively) estimated at $150 million, combined with the overwhelming evidence gathered throughout the entire year that scareware has become the monetization method of choice for the majority of cybercriminals, 2010 will see the peak of a fully matured business model that offers one of the highest payout rates within the underground marketplace.

How can this underground business model be undermined? By hitting the "beehive" rather than the campaign of a particular "bee", and by disrupting the monetization flow, ultimately leaving the "beehive" with hundreds of thousands of "bees" actively infecting without the opportunity to collect the cash flow, thereby putting the "beehive" in a position where it becomes unable to pay the commissions to the "bees" in the first place.

Moreover, raising awareness of the most efficient and profitable monetization tactic used by cybercriminals, namely scareware (The Ultimate Guide to Scareware Protection), is crucial for filling in the gaps, since in its current form scareware is driven exclusively by social engineering tactics and aggressive traffic hijacking campaigns.

What's to come in 2010 anyway? The culmination of a year and a half of research. Stay tuned, folks!

The following scareware domains have been recently observed in active campaigns online:

78.46.254.18/96.9.180.102 - AS24940/HETZNER-AS Hetzner Online AG RZ; AS21788/BurstNet Technologies, Inc.


The scareware domain portfolio profiled in the "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" post, parked at 193.104.110.50, has gained many new typosquatted additions:

193.104.110.50 - AS50073/SOFTNET Software Service Prague s.r.o.


The Koobface gang has not only migrated the domains that weren't suspended from the previous "Koobface Botnet's Scareware Business Model - Part Two" post, but has also introduced new ones on the new IPs:

193.169.235.5/93.174.95.191 - AS32181/ASN-CQ-GIGENET ColoQuest/GigeNet ASN

Some of these are actively redirecting to another recently updated .cn portfolio, once again maintained by the Koobface gang, parked at 193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN:

Another portfolio is parked at 193.169.13.200, our "dear friends" AS5577 - ROOT eSolutions:

193.104.153.245 - AS5577 - ROOT eSolutions

89.248.160.153 - AS29073/ECATEL-AS , Ecatel Network

193.106.32.10 - TELECOMPO, spol. s r.o.

88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG RZ


88.198.160.57 - AS24940/HETZNER-AS Hetzner Online AG RZ


Sample detection rate: SetupAdvancedVirusRemover.exe; Install.exe; Install(1).exe

Upon execution the samples phone back to:
downloadavr20 .com/loads.php?code=000NULL
downloadavr20 .com/dfghfghgfj.dll
downloadavr20 .com/cgi-bin/download.pl?code=000NULL
testavrdown .com/cgi-bin/get.pl?l=000NULL
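As an added example (not the blog's own tooling), a small Python triage that applies the two patterns above to proxy logs: the phone-home paths carrying the 000NULL code, and the hyphen/year permutations of the typosquatted families, collapsed to one stem per family. The log line format, the sample lines and the stem list are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Alphabetic stems of the typosquatted families in the post; live domains vary
# only in hyphen placement, year suffix or a trailing letter (assumed list).
BRAND_STEMS = ("advancedvirusremover", "pcscanner", "downloadavr",
               "testavrdown", "titanantivirus", "windowsantivirus")
# Phone-home paths and code value the post observed after running the samples.
CALLBACK_PATH = re.compile(r"^/(loads\.php|cgi-bin/download\.pl|cgi-bin/get\.pl)$")
OBSERVED_CODE = "000NULL"

def normalize_label(host: str) -> str:
    """Alphabetic stem of the registrable label: pc-scanner-2010.biz -> 'pcscanner'."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return re.sub(r"[^a-z]", "", host.split(".")[0])

def classify(url: str):
    """Reason string if the URL matches a pattern from the post, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = parse_qs(parts.query)
    code = (params.get("code") or params.get("l") or [None])[0]
    # Callback rule needs path AND code value together to limit false positives.
    if CALLBACK_PATH.match(parts.path) and code == OBSERVED_CODE:
        return f"callback host={host} path={parts.path}"
    stem = normalize_label(host)
    for brand in BRAND_STEMS:
        if stem.startswith(brand):
            return f"typosquat-family host={host} family={brand}"
    return None

def triage(log_lines):
    """Scan 'timestamp client method url' lines; return (client, reason) hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and (reason := classify(fields[3])):
            hits.append((fields[1], reason))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines, not captured traffic
    "2009-12-21T10:01:02 10.0.0.5 GET http://downloadavr20.com/loads.php?code=000NULL",
    "2009-12-21T10:01:05 10.0.0.5 GET http://testavrdown.com/cgi-bin/get.pl?l=000NULL",
    "2009-12-21T10:02:10 10.0.0.7 GET http://www.advanced-virus-remover-2011.com/",
    "2009-12-21T10:03:00 10.0.0.9 GET http://www.example.org/cgi-bin/get.pl?l=1",
    "2009-12-21T10:04:00 10.0.0.9 GET http://www.example.org/about",
]
```

The fourth sample line shares the callback path but not the code value and is deliberately left unflagged; widen the rule only with a known-bad host list.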


Sample detection rate for the dropped files: SetupIS2010.exe; dfghfghgfj.dll

Hitting them where it hurts most -- the monetization flow -- since 2007. Domain suspension is in progress, the ISPs have been notified as usual.

Related posts:
The Ultimate Guide to Scareware Protection

This post has been reproduced from Dancho Danchev's blog.
