Monday, May 31, 2010

Summarizing Zero Day's Posts for May


The following is a brief summary of all of my posts at ZDNet's Zero Day for May, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:


Recommended reading: 

01. Foxit Reader intros new Safe Reading feature
02. Should a targeted country strike back at the cyber attackers?
03. Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards
04. Wardriving police: password protect your wireless, or face a fine
05. Research: 1.3 million malicious ads viewed daily
06. Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates
07. Hotmail's new security features vs Gmail's old security features
08. Study finds the average price for renting a botnet
09. 5 reasons why the proposed ID scheme for Internet users is a bad idea

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Friday, May 28, 2010

Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign


There's no such thing as free porn, unless there are client-side exploits in the unique value proposition's mix.

A currently spamvertised campaign is doing exactly that, relying on the recent CVE-2010-0886 vulnerability for the client-side exploitation. Let's dissect the campaign and combine the assessment with historical OSINT data, given that the second phone-back location, including the binary hosted there, is currently down.
  • Key summary point: although the exploitation is taking place, the campaign is currently failing to drop an actual binary, returning a NOEXEFILE error message instead. The post will be updated once the situation changes.


Wednesday, May 26, 2010

Inside a Commercial Chinese DIY DDoS Tool


One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones (Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools/stress testing tools.

Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100% legitimate one, whereas going through the documentation, and actually testing its features reveals its true malicious nature. Moreover, once the vendor starts trusting you -- like the one whose DDoS tool is profiled in this post -- you're given access to the private section of their forum, where they are directly pitching you with DDoS for hire propositions, starting from $100 for 24 hours of non-stop flood.
In this post I'll review what's currently being promoted as "The World's Leading DDoS Testing System", which is basically an improved version of the well known "Netbot Attacker", an old school release whose source code (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying) is greatly favored by Chinese hacktivists and script kiddies, judging by the multiple modifications they've introduced into it starting from the original source code.

Interestingly, the "vendor" is offering value-added services in the form of managed command and control server changes, the typical managed binary obfuscation, as well as custom features, removal of features in an attempt to decrease the size of the binary, but most importantly, they use differentiated pricing methods for their tool. Educational institutions, small businesses and home office clients can get special prices.
  • Why would the vendor include anti sandboxing capabilities in the latest version of the tool?
  • Why would the vendor also include P2P spreading and USB spreading modules?
Because the tool is anything but your typical stress testing tool.

Perhaps one of the most important developments regarding this vendor is that this is among the few examples I'm aware of where Chinese hackers, known not to care about anything but virtual goods, are vertically integrating by experimenting with early-stage banking malware.

An excerpt from the banking experiment:
"MS-recorder to wear all the safety test shows the major B2C online banking security controls. Received after the first test colt extracting file, which has ma.exe procedures. As the tests are over. Please turn off antivirus software and security software testing. . .

Wear all safety major B2C online banking security controls currently supports more than can be intercepted more than 160 online online payment platform And major online banking. After running ma.exe can log on to the respective online banking program Alipay paypal or procedures to test, test and test interception of information stored in the pony

The same directory, Test will generate Jlz-1, Jlz-2, Jlz-3 ... folder, such files in the folder will be 1.bmp, 2.bmp, 3.bmp ... picture, or there txt Notepad, view the. txt and picture, get the interception of data and information. Test window will prompt pony run, test interception of information larger, there is no written function. To solve the above problem, please purchase the official version, run silent, run automatically delete itself, no process at startup, had all killed, the interception of information

Expected small size, with letters function. VIP version of the generator purchase one year of free updates, free to kill three months to buy the colt package. Set the FTP transmission method to send the interception of STMP FTP. Perfect information theft can steal all the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicq, OutLook, FlashFXP, PayPal, E-mail and paypal (no security control), Legend, mercenary legend, Journey to the West, etc. (include account number, area and other relevant information), of course, the same information on the page steal, such as: mail, forums, close protection, and other (including user name, password and other related information), or even playing in the diagram, Password chip can, because it can record the keyboard and mouse actions. It is worth mentioning that, no matter what way you enter the password (such as Paste from somewhere, then paste the part of the input part, the number before the 0, deliberately enter the wrong password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing the contents do not appear out of "junk" in precise steal ... The correct password
."

Clearly, these folks are not just inspired to keep introducing new features into the tool, but are starting to realize the potential of the crimeware market. The vendor itself is a good example of how an operation that is allowed to continue naturally evolves in the worst possible direction. The author of ZeuS, however, shouldn't feel endangered in any way.

Screenshots of the DIY DDoS Platform, including the multiple versions offered, VIP, sample custom builds etc.:



Detection rates for the publicly obtainable builders of multiple versions:
- MS.exe - Backdoor.Hupigon.AAAH - Result: 26/40 (65%)
- msn.exe - Win32.BDSPoison.Cpd - Result: 36/41 (87.81%)
- test.exe (crimeware experiment) - Hacktool.Rootkit - Result: 24/41 (58.54%)
- ms1.exe - Backdoor.Win32.BlackHole - Result: 13/41 (31.71%)
- ms1.exe - W32/Hupigon.gen227; Backdoor.Hupigon.AAAH - Result: 35/41 (85.37%)

Based on profiling the localization of this tool to Chinese since 2007 and the diversification of the DDoS attacks introduced into it by Chinese coders (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying), perhaps the most important conclusion that can be drawn is that tolerating their activities in the long term results in the development of more sophisticated capabilities, which can now be offered to a well established customer base.

If Chinese hacktivists managed to take CNN.com offline (The DDoS Attack Against CNN.com; Chinese Hacktivists Waging People's Information Warfare Against CNN) using nothing else but ping flooders/iFrames loading multiple copies of the site, the collectivist response in a future incident using these much more sophisticated tools -- sophisticated in sense of the diverse set of DDoS attacks offered -- is prone to be much more effective.

Related Chinese hacking scene/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com


Monday, May 17, 2010

Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"


UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet have been included at the bottom of this post, including detection rates and phone back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players, and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high profile U.S based web properties and from fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing the fact that they/he are not involved in crimeware campaigns and have never stolen any credit card details.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of this activity is MD5: 0fbf1a9f8e6e305138151440da58b4f1, which modifies the HOSTS file on infected PCs to redirect all Google and Yahoo search traffic to 89.149.210.109, while at the same time phoning back to well known Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam .net/8732489273.php.
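The HOSTS-file hijack described above is something a defender can check for directly. The following is an added example, not code from the original post: it parses a copy of a Windows HOSTS file and flags any watched search-engine hostname pinned to an address that is neither loopback nor unspecified. The sample HOSTS content is constructed; the redirect target is the address named in the post, and the watched-domain list is an assumption.

```python
"""Detect HOSTS-file entries that redirect search-engine traffic.

Added example (not from the original post). Entries that pin a search engine
to 127.0.0.1 or 0.0.0.0 merely block it; entries that pin it to any other
address silently reroute the user's searches, which is the click-fraud
behaviour the post describes.
"""
import ipaddress

# Assumed watch list: legitimate software has no reason to pin these
# hostnames to a fixed address in HOSTS.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")

# Constructed sample resembling a hijacked Windows HOSTS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# injected entries
89.149.210.109  www.google.com google.com
89.149.210.109  www.yahoo.com   search.yahoo.com  # trailing comment
127.0.0.1       ads.example.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments and blanks.

    One HOSTS line may list several hostnames after the address; each is
    yielded separately. Lines with an unparsable address field are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a usable entry
        for host in fields[1:]:
            yield ip, host.lower()


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_search_hijacks(text):
    """Return [(hostname, ip)] for watched hosts pinned to a non-local address."""
    hits = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # blocking entry, not a redirect
        hits.append((host, str(ip)))
    return hits


if __name__ == "__main__":
    for host, ip in find_search_hijacks(SAMPLE_HOSTS):
        print(f"search-engine hijack: {host} -> {ip}")
```

On a live system, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts instead of the constructed sample.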

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding to, is an active client-side exploits serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all, I guess that's also the reason behind the temporary change in scareware URLs to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties, can be also traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site remains unknown.

The fact is that, the exact same domain that was used in the NYTimes redirection, was also back then embedded on all of the Koobface infected hosts, in order to serve scareware.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they either don't know or forget that the connection between the Koobface gang and the massive blackhat SEO campaign was established in exactly the same way as their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybercrime ecosystem's stakeholders earning revenues and scaling their business models thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as for instance Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or....well, you get the point. Of course there isn't, now that it's publicly known it's in the works.


10. The gang is monetizing traffic through the Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where they get all the money from pushing scareware? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%) which once executed phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The redirection currently performed through the link embedded on Koobface-infected hosts goes through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Monday, May 24, 2010: The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the past 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.



Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, and now responding to 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn

In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"


UPDATED Moday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet, have been included at the bottom of this post, including detection rates and phone back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players, and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high profile U.S based web properties, fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing on the fact that they/he are not involved in crimeware campaigns, and have never stolen any credit card details.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of this activities, is MD5: 0fbf1a9f8e6e305138151440da58b4f1 modifying the HOSTS file on the infected PCs to redirect all the Google and Yahoo search traffic to 89.149.210.109, whereas, in between phoning back to well known Koobface scareware C&Cs at the time, such as 212.117.160.18, and urodinam .net/8732489273.php at the time.

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding to, is an active client-side exploits serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all, I guess that's also the reason behind the temporary change in scareware URls to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties, can be also traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site remains unknown.

The fact is that, the exact same domain that was used in the NYTimes redirection, was also back then embedded on all of the Koobface infected hosts, in order to serve scareware.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they also don't know/forget that one of the many ways the connection between the Koobface gang and massive blackhat SEO campaign was established in exactly the same way as the one in their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybecrime ecosystem's stakeholders earning revenues and having their business models scaling, thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or....well, you get the point. Of course there aren't any, now that it's publicly known to be in the works.


10. The gang is monetizing traffic through the Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where they get all the money from pushing scareware? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%), which, once executed, phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The redirection currently taking place through the link embedded on Koobface-infected hosts goes through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED: Monday, May 24, 2010: The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the past 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.

Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, and now responding to 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn
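The pivots this post keeps making by hand (same registrant e-mail, same IP, a redirector set moving from one AS to another) can be scripted. This is an added example, not the author's tooling: the two snapshots are constructed from values quoted in the post, the unrelated-example.org row is a labelled placeholder, and nothing is looked up live.

```python
"""Infrastructure pivoting over the indicators quoted in this post.
Added example, not the author's tooling: the records are constructed from values
the post quotes; 'unrelated-example.org' is a placeholder. Nothing is looked up live."""
from collections import defaultdict, namedtuple

# registrant e-mail is "" when whois gives none
Record = namedtuple("Record", "domain ip asn email")

# Snapshot 1: hosting as the post first reported it (constructed from the post).
BEFORE = [
    Record("networki10.com", "91.213.217.106", "AS42473", "contact@privacy-protect.cn"),
    Record("winsecuresoftorder.com", "91.213.217.106", "AS42473", "contact@privacy-protect.cn"),
]
# Snapshot 2: hosting after the May 24 update (constructed from the post).
AFTER = [
    Record("2gig-antivirus.com", "195.5.161.210", "AS31252", "test@now.net.cn"),
    Record("s1system.com", "91.213.157.104", "AS13618", "contact@privacy-protect.cn"),
    Record("networki10.com", "193.105.134.115", "AS42708", "contact@privacy-protect.cn"),
    Record("winsecuresoftorder.com", "193.105.134.115", "AS42708", "contact@privacy-protect.cn"),
    Record("update1.myownguardian.com", "94.228.209.223", "AS47869", "gkook@checkjemail.nl"),
    Record("update2.myownguardian.net", "93.186.124.92", "AS44565", "gkook@checkjemail.nl"),
    Record("www3.coantys-48td.xorg.pl", "188.124.5.66", "AS44565", ""),
    Record("unrelated-example.org", "198.51.100.7", "AS64496", ""),  # placeholder
]

def clusters(records):
    """Group domains that share a registrant e-mail or an IP (union-find).
    ASN is deliberately not a join key: one AS hosts thousands of unrelated
    customers. Shared IP is a strong pivot for the dedicated hosts in this post
    but over-merges on shared hosting; drop the "ip" key there."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for r in records:
        if r.email:  # an empty whois field must never become a join key
            by_key[("email", r.email)].append(r.domain)
        by_key[("ip", r.ip)].append(r.domain)
    for members in by_key.values():
        for d in members[1:]:
            parent[find(d)] = find(members[0])
    groups = defaultdict(set)
    for r in records:
        groups[find(r.domain)].add(r.domain)
    # largest cluster first; ties broken by first domain name
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))

def track_moves(before, after):
    """Domains whose IP or ASN changed between two snapshots (the ANEXIA -> PORTLANE move)."""
    old = {r.domain: r for r in before}
    return [(r.domain, f"{old[r.domain].ip} ({old[r.domain].asn})", f"{r.ip} ({r.asn})")
            for r in after
            if r.domain in old and (old[r.domain].ip, old[r.domain].asn) != (r.ip, r.asn)]

if __name__ == "__main__":
    for group in clusters(AFTER):
        print(len(group), ", ".join(group))
    for domain, src, dst in track_moves(BEFORE, AFTER):
        print(f"{domain}: {src} -> {dst}")
```

The e-mail pivot joins the phone-back domains to each other even though they sit on three different IPs, while the redirector with no whois contact stays a singleton instead of being merged with every other empty record.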

In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Thursday, May 13, 2010

The Avalanche Botnet and the TROYAK-AS Connection


According to the latest APWG Global Phishing Survey:
  • "But by mid-2009, phishing was dominated by one player as never before the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009, and was responsible for the overall increase in phishing attacks recorded across the Internet."
The Avalanche botnet's ecosystem is described by PhishLabs as:
  • "Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams.

    The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information. It is basically a hosting platform used by the attackers. Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shut down the phish pages. Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs."
One of the most notable facts about the botnet is its persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where the gang used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs found on each and every one of their phishing pages. The following chronology exclusively details their client-side exploit/ZeuS crimeware serving campaigns.

The Avalanche Botnet's ZeuS crimeware/client-side exploit serving campaigns, in chronological order:
Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

Related articles on TROYAK-AS, and various cybercrime trends:
TROYAK-AS: the cybercrime-friendly ISP that just won't go away
AS-Troyak Exposes a Large Cybercrime Infrastructure
The current state of the crimeware threat - Q&A
Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime
Report: Malicious PDF files comprised 80 percent of all exploits for 2009
