Wednesday, June 16, 2010

Dissecting the Exploits/Scareware Serving Twitter Spam Campaign


Yesterday's exploit-serving campaign spreading across Twitter, which uses automatically registered accounts to "ping" random Twitter users with links to the campaign, is worth profiling because of its two-pronged monetization - if the end user is exploitable, exploits are served that ultimately install scareware, and if he isn't, the cybercriminals behind it attempt to monetize through the same network the Koobface gang uses on Mac OS X hosts - zml.com.

Let's dissect the campaign, and once again emphasize just how small the cybercrime ecosystem can be once enough historical data has been gathered on who's who, who's what, and what's when.

Sample exploitation structure:
- qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF - 94.228.209.73 (AS47869), 75.125.222.242 (AS21844)
    - qtoday.info /ttds/jump.php
        - fqsmydkvsffz.com /tre/vena.html/RANDOM - 69.174.242.21 (AS13768); 75.125.222.242 (AS21844)


The installed scareware interacts with AS18866, requesting the following files:
69.50.197.241 /up/e1.dat
69.50.197.241 /up/e2.dat
69.50.197.241 /data/upd6.dat
69.50.197.241 /data/upd7.dat
69.50.197.241 /data/upd1.dat
69.50.197.241 /data/upd2.dat
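The redirect chain above (TDS entry, jump, exploit landing page) followed by the scareware's requests to AS18866 is exactly the sequence a proxy-log rule can key on. The following is an added example, not code from the original post: it triages constructed proxy log lines by how far down the chain each client got, matching on URL paths so that a rotated domain does not defeat the rule.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: "<client_ip> <host> <path>", modelled on the
# redirect chain and the scareware update requests listed in the post.
SAMPLE_LOG = """\
10.0.0.5 qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF
10.0.0.5 qtoday.info /ttds/jump.php
10.0.0.5 fqsmydkvsffz.com /tre/vena.html/x9k2q
10.0.0.5 69.50.197.241 /up/e1.dat
10.0.0.5 69.50.197.241 /data/upd6.dat
10.0.0.9 qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF
10.0.0.9 qtoday.info /ttds/jump.php
10.0.0.12 example.org /index.html
"""

# Stages of the chain, matched on the URL path only so the rule survives the
# campaign rotating to a new domain while keeping its TDS layout.
STAGES = (
    ("tds_entry", re.compile(r"^/ttds/doit\.php\?ckey=\d+&schema=\d+&f=\w+$")),
    ("tds_jump",  re.compile(r"^/ttds/jump\.php$")),
    ("landing",   re.compile(r"^/tre/vena\.html/[^/]+$")),
    ("scareware", re.compile(r"^/(?:up/e\d+|data/upd\d+)\.dat$")),
)

def classify(path):
    """Return the chain stage a request path belongs to, or None."""
    for name, rx in STAGES:
        if rx.match(path):
            return name
    return None

def stages_per_client(log_text):
    """Map each client IP to the ordered list of chain stages it reached."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        client, _host, path = line.split(maxsplit=2)
        stage = classify(path)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def verdict(stages):
    """Scareware beacons mean the host is compromised; a landing-page hit means
    an exploit was served; TDS-only traffic means the link was merely clicked."""
    if "scareware" in stages:
        return "compromised"
    if "landing" in stages:
        return "exploit_served"
    return "clicked_only"

def triage(log_text):
    return {client: verdict(s) for client, s in stages_per_client(log_text).items()}
```

Clients that never touch the chain are left out of the result, so `triage` returns only hosts worth a second look.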


Responding to 69.50.197.241 (AS18866) are:
radarixo.com - Email: moldavimo@safe-mail.net - profiled here
cyberduck.ru - Email: samm_87@email.com - profiled here
livejasment.com - Email: moldavimo@safe-mail.net
linksandz.com - Email: moldavimo@safe-mail.net - profiled here

Detection rates:
- e1.dat - 11 on 17 (65%) - Trojan.MulDrop1.21645; Win32/Lukicsel.P
MD5 hash: 2566c11a9cd2226b59d226e76bae9f64
SHA1 hash: 6a1fd405f547ed33f7cfe3abad4f423a33c0e281

- e2.dat - 8 on 17 (47%) - W32/Witkinat.A.gen!Eldorado; Win32/Witkinat.R
MD5 hash: 8daaa96ba059e6b1d5108c314f160175
SHA1 hash: b43d26bb2583d9057cb343c10d5db79c846ed895

- upd1.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 7b2534536cdf168f50d63845b13af8ba
SHA1 hash: 306f5199c3f91cd28c634914a6478bcbc5c4e9c0

- upd2.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 323a1a2429467b3891cc20a26b82f851
SHA1 hash: ae3fe6b442521d95631703ab530213e897e4f8ea

- upd6.dat - 9 on 17 (53%) - Win32/Lukicsel.P; Trojan-Dropper.Win32.Delf.frm
MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a
SHA1 hash: 366db3c2cd64a57587376b416c42960ad1f28ea3

- upd7.dat - 11 on 17 (65%) - SHeur3.AAEI; Trojan-Dropper.Win32.Delf.frq
MD5 hash: 1a582b50d82fb57bec036e1962e5da2e
SHA1 hash: 15a9540927f64dec23e625e140dfde7ce3d23df7


The rest of the exploit-serving domain portfolio parked at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):
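The registrant emails and shared hosting IPs are what tie these domains to one another and to the scareware hosts at AS18866. As an added example (not code from the original post), the following clusters constructed (domain, registrant email, hosting IP) records, built from values the post lists, into infrastructure groups with union-find; None marks a field the post does not give for that domain.

```python
from collections import defaultdict

# Constructed records built from values the post lists; None marks a field
# the post does not give for that domain.
RECORDS = [
    ("fqsmydkvsffz.com",  None,                      "69.174.242.21"),
    ("danenskgela.com",   "strohmeiera@yahoo.com",   "69.174.242.21"),
    ("directinmixem.com", "strohmeiera@yahoo.com",   "75.125.222.242"),
    ("carsmazda6.in",     "valeriyku@gmail.com",     "75.125.222.242"),
    ("civichonda.in",     "valeriyku@gmail.com",     None),
    ("radarixo.com",      "moldavimo@safe-mail.net", "69.50.197.241"),
    ("linksandz.com",     "moldavimo@safe-mail.net", "69.50.197.241"),
    ("cyberduck.ru",      "samm_87@email.com",       "69.50.197.241"),
    ("unrelated.example", "nobody@example.invalid",  "192.0.2.10"),
]

def cluster(records):
    """Union-find over domain, email and IP nodes: a shared registrant email
    or hosting IP merges two domains into one infrastructure cluster.
    Returns a list of {"domains": set, "pivots": set} dicts."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, email, ip in records:
        node = ("domain", domain)
        find(node)                          # register isolated domains too
        if email:
            union(node, ("email", email))
        if ip:
            union(node, ("ip", ip))

    groups = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for node in list(parent):
        kind, value = node
        groups[find(node)]["domains" if kind == "domain" else "pivots"].add(value)
    return list(groups.values())

def linked(records, a, b):
    """True if domains a and b fall into the same infrastructure cluster."""
    return any(a in g["domains"] and b in g["domains"] for g in cluster(records))
```

With these records the exploit-serving domains collapse into one cluster and the AS18866 scareware domains into another, which is the "who's who" picture the post is drawing.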


3m70.cn - Email: abuseemaildhcp@gmail.com - money mule registrations, rubbing shoulders with Koobface


The complete list of automatically registered bogus Twitter accounts, now suspended:


PDF exploits and binaries streaming from the domain portfolio at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):

This isn't the first time Twitter has been abused for malicious purposes, and it definitely won't be the last. Quick community response and takedown actions hit the cybercriminals where it hurts most - the monetization vector.

Related assessments of Twitter malware campaigns:
Twitter Malware Campaign Wants to Bank With You
Dissecting Koobface Worm's Twitter Campaign
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
Dissecting September's Twitter Scareware Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
