Movement on the Koobface Front

Now that the Koobface gang is no longer expressing its gratitude for the takedown of its command and control servers, the group has put its contingency planning in action thanks to the on purposely slow reaction of UKSERVERS-MNT's (78.110.175.15) abuse department.

Next to the regular updates (web.reg .md/1/websrvx2.exe; web.reg.md/1/ prx.exe), the group introduced two new domains and started taking advantage of two more IPs for its main command and control server. upr0306 .com now responds to:

67.215.238.178 - AS22298 - Netherlands Distinctio Ltd
78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated Servers
221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN

and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, with ram-220709 .com/go/?pid=30909&type=videxpgo.php?sid=4&sref= redirecting to the Koobface botnet.

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat SEO campaigns from June/July, with warwork .info and tangoing .info parked there.

Related posts:
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.

Movement on the Koobface Front

Now that the Koobface gang is no longer expressing its gratitude for the takedown of its command and control servers, the group has put its contingency planning in action thanks to the on purposely slow reaction of UKSERVERS-MNT's (78.110.175.15) abuse department.

Next to the regular updates (web.reg .md/1/websrvx2.exe; web.reg.md/1/ prx.exe), the group introduced two new domains and started taking advantage of two more IPs for its main command and control server. upr0306 .com now responds to:

67.215.238.178 - AS22298 - Netherlands Distinctio Ltd
78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated Servers
221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN

and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, with ram-220709 .com/go/?pid=30909&type=videxpgo.php?sid=4&sref= redirecting to the Koobface botnet.

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat SEO campaigns from June/July, with warwork .info and tangoing .info parked there.

Related posts:
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.

Managed Polymorphic Script Obfuscation Services

Cybecriminals understand the value of quality assurance, and have been actively running business models on the top of it for the past two years.

From the multiple offline antivirus scanners using pirated software, the online detection rate checking services allowing scheduled URL scan and notification upon detection by antivirus vendors, to the underground alternatives of VirusTotal in the form of multiple firewalls bypass verification checks - cybercriminals are actively benchmarking and optimizing their releases before launching yet another campaign.

A newly launched service aims to port a universal managed malware feature on the web - the polymorphic obfuscation of malicious scripts in an attempt to increase the lifecycle of a particular campaign.

Interestingly, due to the obvious software piracy within the cybercrime ecosystem which allowed proprietary malware tools to leak in the wild, the service is using a particular malware kit's javascript obfuscation routines and is running a business model on it.

For the time being, it relies on three obfuscation algorithms, HTMLCryptor olnly - used 56 times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY obfuscation service, also checks and notifies the cybercriminal over ICQ in cases when his IPs and domain names have been blacklisted by Google's Safebrowsing, as well as Spamhaus, and more checks against public malware domain/IP databases are on the developer's to-do list.

The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is attempting to monetize a commodity feature available to cybecriminals through the managed updates that come with the purchase of a proprietary web malware exploitation kit, it's not a fad since it fills in the DIY niche where the variety of the algorithms offered and their actual quality will either spell the doom or the rise of the service.

This post has been reproduced from Dancho Danchev's blog.