Monday, February 28, 2011

Summarizing Zero Day's Posts for February


The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:

01. Researcher demos SMS-based smartphone botnet
02. 500,000 stolen email passwords discovered in Waledac's cache
03. Study: US tops ZeuS hosting infrastructure chart
04. Spamvertised Xerox document themed malware campaign spreading
05. New report details the prices within the cybercrime market
06. Report: AV users still get infected with malware
07. Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections
08. Google intros advanced sign-in feature
09. Malware Watch: UPS/FDIC; Mobile app; Infected ambulance dispatch
10. Report: Patched vulnerabilities remain prime exploitation vector
11. Bogus Android apps lead to malware
12. ZeuS crimeware variant targets Symbian and BlackBerry users
13. Researchers spot new Mac OS X malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, February 21, 2011

Sampling 419 Advance Fee Scams Activity - Part Two


Part two of the Sampling 419 Advance Fee Scams Activity series once again aims to provide actionable real-time threat intelligence on a fraudulent segment that continues to trick hundreds of thousands of average Internet users into believing that they have pending payments, have won a lottery, or that someone is interested in doing multi-million dollar business with them.

The data, obtained over the past 24 hours, is formatted as the return e-mail address plus the originating IP of the sender; most of the IPs geolocate to African countries.

hsuehyun@ncut.edu.tw - 116.206.139.254
peterjohnson299@yahoo.co.jp - 41.218.232.158
ekwesa@aol.com - 41.138.164.52
info.hsbcbanktransfer@gmail.com - 41.218.251.239
SarinaJensB@web.de - 77.70.128.160
paulmohammed37@yahoo.com - 41.155.81.129
henriondaniellepaulette@yahoo.fr - 81.91.228.78
mainstreamfirm001@gmail.com - 41.155.72.26
wilson201105@hotmail.com - 187.16.224.70
westernun888union@hotmail.com - 41.191.85.209
bt.telecomsgroup@live.co.uk - 202.137.234.123
eco.bankplc.ecobankpl@gmail.com - 41.216.50.26
kwameowus@aol.com - 41.218.233.50
richardjsphs@yahoo.co.jp - 190.213.185.93
mainstreamfirm001@gmail.com - 212.76.68.39
benardodigor@yahoo.com - 41.211.229.23
groupbanofafrica@hotmail.com - 189.86.87.204
wellcometrustloans@post.com - 182.63.1.192
lindominic04@rediffmail.com - 41.28.113.153
rep_leonbecker@yahoo.cn - 41.218.197.240
agwa_james@yahoo.it - 82.128.1.217
mrsmarriogloria@yahoo.co.jp - 41.66.8.132
ralphkoon@yahoo.co.jp - 124.120.130.145
directorofremittance.centralba@gmail.com - 89.221.175.11
legalclaimsdepartment2@lankaemail.com - 41.58.67.161
drbbs@live.com - 111.172.36.231
pn2812768@gmail.com - 77.246.67.82
husainali40@gmail.com - 212.52.152.113
bensonibori@yahoo.com.hk - 82.128.36.25
mraabull@att.net - 41.210.43.36
info@westernu.co.uk - 199.255.209.74
claim_dptupdate@live.com - 82.128.88.173
alhussein.raisin@yahoo.co.nz - 86.97.120.18
adrianyrann5@att.net - 70.39.119.122
dr_larry_west1970@qatar.io - 41.222.192.89
mrgarypalmercode@gmail.com - 41.71.147.248
diplomaticericb78@globomail.com - 81.91.230.137
treasuryoffice@cantv.net - 41.0.52.62
infoun19@oued.org - 41.189.2.105
fbi_54327@hotmail.com - 82.128.109.76
s.b.mail@web.de - 74.115.3.69
maria200495@hotmail.com - 115.132.173.171
ceckamokai@gmail.com - 41.241.148.81
ff123ff69@yahoo.co.nz - 75.126.137.6
mr.colesify@yahoo.co.uk - 115.118.239.95
benkofi003@aol.com - 41.218.239.140
investigationcommite2011@gmail.com - 41.211.229.26
wiesner.heiko@web.de - 41.138.167.198
kwameowus@aol.com - 41.218.245.220
kamaruddinabdullah@w.cn - 120.141.67.94
benobiego@rediffmail.com - 67.247.201.204
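To work with the data in this form, here is an added example (not part of the original post) of a small Python triage script: it parses the "address - IP" lines, flags reply-to addresses reused across several originating IPs (two such addresses appear in the list above), counts how many IPs fall in AFRINIC-administered /8 blocks as a coarse offline proxy for the geolocation claim, and picks out addresses whose local part carries an obvious lure keyword. The sample lines are copied from the list above; the /8 set and the keyword list are assumptions made for illustration, not data from the post.

```python
"""Triage helper for '<reply-to address> - <originating IP>' lines.

Added example, not code from the original post. Sample lines are copied
from the list above; the AFRINIC /8 set and the lure keyword list are
assumptions made for illustration (use a real GeoIP/RIR database for
anything beyond a quick first pass).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """\
hsuehyun@ncut.edu.tw - 116.206.139.254
peterjohnson299@yahoo.co.jp - 41.218.232.158
info.hsbcbanktransfer@gmail.com - 41.218.251.239
westernun888union@hotmail.com - 41.191.85.209
mainstreamfirm001@gmail.com - 41.155.72.26
mainstreamfirm001@gmail.com - 212.76.68.39
kwameowus@aol.com - 41.218.233.50
kwameowus@aol.com - 41.218.245.220
fbi_54327@hotmail.com - 82.128.109.76
treasuryoffice@cantv.net - 41.0.52.62
drbbs@live.com - 111.172.36.231
"""

LINE_RE = re.compile(
    r"^\s*(?P<email>[^\s@]+@[^\s@]+)\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Assumption: /8 blocks administered by AFRINIC, used only as a coarse
# "likely African origin" check. It undercounts (AFRINIC holds more space
# than this) and says nothing about where the sender physically is.
AFRINIC_SLASH8 = {41, 102, 105, 196, 197}

# Assumption: words that signal a 419 lure in the reply-to local part.
LURE_WORDS = ("bank", "western", "union", "fbi", "treasury", "remittance",
              "claim", "hsbc", "lottery", "loan", "investigation")


def parse(text):
    """Return [(email, IPv4Address), ...]; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        # ip_address() rejects octets above 255 that the regex lets through
        records.append((m["email"].lower(), ipaddress.ip_address(m["ip"])))
    return records


def reused_addresses(records):
    """Reply-to addresses seen from more than one originating IP."""
    ips = defaultdict(set)
    for email, ip in records:
        ips[email].add(ip)
    return {e: [str(ip) for ip in sorted(s, key=int)]
            for e, s in ips.items() if len(s) > 1}


def afrinic_share(records):
    """(hits, total): how many originating IPs fall in the AFRINIC /8s."""
    hits = sum(1 for _, ip in records if int(ip) >> 24 in AFRINIC_SLASH8)
    return hits, len(records)


def lure_addresses(records):
    """Distinct reply-to addresses whose local part carries a lure keyword."""
    found, seen = [], set()
    for email, _ in records:
        if email in seen:
            continue
        seen.add(email)
        local = email.split("@", 1)[0]
        words = [w for w in LURE_WORDS if w in local]
        if words:
            found.append((email, words))
    return found


if __name__ == "__main__":
    recs = parse(SAMPLE)
    hits, total = afrinic_share(recs)
    print(f"{total} lines, {hits} from AFRINIC /8 space")
    for email, ips in reused_addresses(recs).items():
        print(f"reused reply-to {email}: {', '.join(ips)}")
    for email, words in lure_addresses(recs):
        print(f"lure keywords in {email}: {', '.join(words)}")
```

The reused reply-to address is the more durable pivot here: the originating IPs are dial-up and mobile ranges that change daily, whereas the mailbox the victim is told to write back to has to stay stable for the scam to pay out.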

Historical OSINT remains an inseparable part of CYBERINT gathering practices, hence the continuation of the Sampling 419 Advance Fee Scams Activity series.


Wednesday, February 16, 2011

Bogus Adult Content SPIM-ed Over ICQ


Tuesday, February 15, 2011

A Diverse Portfolio of Fake Security Software - Part Twenty Five


Scareware continues to occupy the top spots among the malicious monetization tactics of the cybercrime ecosystem. The monetization chain can be disrupted at several points. For instance:
  • Share data with the affected ISP whose customers participate in the black hat SEO campaign
  • Target the payment processing gateways, or inform the legitimate one
  • Target the redirector URLs of the campaign
  • Target the affiliate network itself
  • Target the "final output" in the form of scareware domains
In this post we'll expose a portfolio of scareware domains, targeting the "final output" of the campaign while sharing data with community members. As always, what originally looks like a low-profile campaign turns out to be one more piece of the puzzle in the massive blackhat SEO "picture".

- Detection rate for systemwrecksavertingsystem.com /scan1/92/freesystemscan.exe
freesystemscan.exe - Trojan.Win32.FakeAV
Result: 17/ 43 (39.5%)
MD5   : a69a7f1992ed4607ac0a163d66984f56
SHA1  : ef089f92881ff6835b76562febdcbc3328340adb
SHA256: 993026853e2bbc8846dbda5a90c4f06a9a18b83c9f97fe7b1557b03975ebeaff

- Detection rate for pornhugevideo.com /video3/88/freevideoplugin.exe
freevideoplugin.exe -  Rogue:Win32/FakePAV
Result: 4/ 42 (9.5%)
MD5   : 8a688d6ebb838f66f16720f4066cf6c6
SHA1  : 845e43ad946048346b3d9150ae41fd8f7766ac53
SHA256: db6e3e7a72305d8b36861ed90753555d519bdca5a36aa0581ed363ac264cfbce

Responding to 94.23.105.248 (AS16276), with one active ZeuS C&C within the same AS, monasteriodeboltana.es:
accidentspreventingcenter.com - Email: contact@privacyprotect.org
antibreakingsystem.com - Email: contact@privacyprotect.org
antivirusesshield.com - Email: contact@privacyprotect.org
bigvideocams.com - Email: contact@privacyprotect.org
componentsprotector.com - Email: contact@privacyprotect.org
hugebigpornmovie.com - Email: contact@privacyprotect.org
hugebigred.com - Email: contact@privacyprotect.org
hugemoviecams.com - Email: contact@privacyprotect.org
pcactivitydebugger.com - Email: contact@privacyprotect.org
pcautomaticproblemssolver.com - Email: contact@privacyprotect.org
pccustodianutility.com - Email: contact@privacyprotect.org
pcinspectionutility.com - Email: contact@privacyprotect.org
pcprecautionscenter.com - Email: contact@privacyprotect.org
pcprotectionservant.com - Email: contact@privacyprotect.org
pcriskspreventionscenter.com - Email: contact@privacyprotect.org
pcstabilitymaximizer.com - Email: contact@privacyprotect.org
pctroublessolver.com - Email: contact@privacyprotect.org
pcwardingsystem.com - Email: contact@privacyprotect.org
pornhugevideo.com - Email: contact@privacyprotect.org
systemanticrashesutility.com - Email: contact@privacyprotect.org
systemattentionutility.com - Email: contact@privacyprotect.org
systemshieldingutility.com - Email: contact@privacyprotect.org
systemsupervisioncenter.com - Email: contact@privacyprotect.org
systemtasksoptimizer.com - Email: contact@privacyprotect.org
systemwrecksavertingsystem.com - Email: contact@privacyprotect.org
taskstweakingutility.com - Email: contact@privacyprotect.org
tubemovievideo.com - Email: contact@privacyprotect.org


Responding to 76.76.117.101 (AS21793); 78.46.105.205 (AS24940); 207.58.177.96 (AS25847) and 64.64.3.125 (AS25847)
212156dnfgdn.co.cc - Email: audiodius@hotmail.com
32fdsg3gsg.vv.cc
androlhala.cz.cc
bdfnfebne3nf.vv.cc
bfbf3bfb.vv.cc
cebandis.cz.cc
centrihelm.cz.cc
drelagda.vv.cc
f23f21fafae.vv.cc
fdf2fafaf.vv.cc
gdezdeskto.co.cc
gdsg342gsgs.vv.cc

gewheheh4.co.cc - Email: audiodius@hotmail.com
gfsdg4gs.co.cc - Email: audiodius@hotmail.com
graninis.cz.cc
gsdg24gshgr.vv.cc

gsdg43hsweh.co.cc - Email: audiodius@hotmail.com
gsegf3gstg3g.vv.cc
gsg3gsdgseg.co.cc - Email: audiodius@hotmail.com
gsgsv2vds.vv.cc
gsgwegweg23g.vv.cc

hdfg43hshf.co.cc - Email: audiodius@hotmail.com
hdfh34hdrfhf.co.cc - Email: audiodius@hotmail.com
hdhfdhdfhdfhdfh.vv.cc
hfehe3hdfhf.co.cc - Email: audiodius@hotmail.com
hh3hfdnfdh.co.cc - Email: audiodius@hotmail.com
hndfdfnfdnxdnf.vv.cc
ht4hdfgjcjgt.vv.cc
hu587tiugi.vv.cc
malakelv.cz.cc
maridora.vv.cc
morlunaya.vv.cc
nvmtymvm.vv.cc
oghmalak.vv.cc

oijqujnnnsu1.co.cc - Email: audiodius@hotmail.com
shalillador.cz.cc
vsegwgewg.vv.cc
wefge3g1tg1g.vv.cc
yeryeshsdhdhjfdhj.vv.cc



Related posts on scareware and blackhat SEO monetization:
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
The ultimate guide to scareware protection
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

The Ultimate Guide to Scareware Protection
A Diverse Portfolio of Fake Security Software - Part Twenty Four
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Monday, February 14, 2011

Spamvertised Portfolio of Fraudulent/Pharmaceutical Domains


Just in time for Saint Valentine's Day, pharmaceutical scammers have switched their localized templates to a more romantic theme.

The domains have been registered using a handful of Yahoo! Mail accounts (three recur throughout the list; a fourth, simakovs@yahoo.com, appears once), and all respond to a single IP, 115.239.229.196 (AS4134, CHINA-TELECOM, China Telecom), with four currently active ZeuS C&Cs within the same AS: aiyanxinxi.com; wawnet.net; www.zuihouyi.com; nascetur.com.

abpillsw.ru - Email: nikitapetuhov@yahoo.com
alpillsw.ru - Email: nikitapetuhov@yahoo.com
alypillsw.ru - Email: nikitapetuhov@yahoo.com
annpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
asapillsm.ru - Email: alexeycheremisinov@yahoo.com
barpillsw.ru - Email: nikitapetuhov@yahoo.com
bazpillso.ru - Email: muzalevskayaekaterina@yahoo.com
bupillsp.ru - Email: muzalevskayaekaterina@yahoo.com
capillso.ru - Email:  muzalevskayaekaterina@yahoo.com
carpillsw.ru - Email: nikitapetuhov@yahoo.com
celpillsw.ru - Email: nikitapetuhov@yahoo.com
chapillsm.ru - Email: alexeycheremisinov@yahoo
chapillso.ru - Email: muzalevskayaekaterina@yahoo.com
chpillso.ru - Email: muzalevskayaekaterina@yahoo.com
cinpillsp.ru - Email: nikitapetuhov@yahoo.com
conpillsw.ru - Email: alexeycheremisinov@yahoo.com
copillsm.ru - Email: alexeycheremisinov@yahoo.com
copillsp.ru - Email: muzalevskayaekaterina@yahoo.com
corpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
crpillsm.ru - Email: alexeycheremisinov@yahoo.com
depillsm.ru - Email: alexeycheremisinov@yahoo.com
depillso.ru - Email: muzalevskayaekaterina@yahoo.com
despillsw.ru - Email: nikitapetuhov@yahoo.com
dipillsm.ru - Email: alexeycheremisinov@yahoo.com
dipillsw.ru - Email: nikitapetuhov@yahoo.com
duppillsp.ru - Email: muzalevskayaekaterina@yahoo.com
enkpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
estpillsm.ru - Email: alexeycheremisinov@yahoo.com
ethpillsm.ru - Email: alexeycheremisinov@yahoo.com
exapillsw.ru - Email: nikitapetuhov@yahoo.com
flipillso.ru - Email: alexeycheremisinov@yahoo.com
flpillso.ru - Email: alexeycheremisinov@yahoo.com
funpills.ru - Email: muzalevskayaekaterina@yahoo.com
glpillso.ru - Email: alexeycheremisinov@yahoo.com
haupillso.ru - Email: alexeycheremisinov@yahoo.com
hipills.ru - Email: muzalevskayaekaterina@yahoo.com


invpillso.ru - Email: alexeycheremisinov@yahoo.com
isapillsp.ru - Email: muzalevskayaekaterina@yahoo.com
itepillsw.ru - Email: nikitapetuhov@yahoo.com
jopillso.ru - Email: alexeycheremisinov@yahoo.com
kipillsp.ru - Email: muzalevskayaekaterina@yahoo.com
kipillsw.ru - Email: nikitapetuhov@yahoo.com
krpillsw.ru - Email: nikitapetuhov@yahoo.com
lopillso.ru - Email: alexeycheremisinov@yahoo.com
lopillsw.ru - Email: nikitapetuhov@yahoo.com
mapillso.ru - Email: alexeycheremisinov@yahoo.com
marpillsw.ru - Email: nikitapetuhov@yahoo.com
metpillso.ru - Email: alexeycheremisinov@yahoo.com
monpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
nopillsp.ru - Email: muzalevskayaekaterina@yahoo.com
odpillsw.ru - Email: nikitapetuhov@yahoo.com
panpillsw.ru - Email: nikitapetuhov@yahoo.com
phpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
pillsbi.ru - Email:  simakovs@yahoo.com
pillsly.ru - Email: alexeycheremisinov@yahoo.com
pillsnk.ru - Email: alexeycheremisinov@yahoo.com
pillsoep.ru - Email: alexeycheremisinov@yahoo.com
pillsoes.ru - Email: alexeycheremisinov@yahoo.com
pillsoff.ru - Email: alexeycheremisinov@yahoo.com
pillsogn.ru - Email: alexeycheremisinov@yahoo.com
pillsois.ru - Email: alexeycheremisinov@yahoo.com
pillsoke.ru - Email: alexeycheremisinov@yahoo.com
pillsokt.ru - Email: alexeycheremisinov@yahoo.com
pillsong.ru - Email: alexeycheremisinov@yahoo.com


pillsont.ru - Email: alexeycheremisinov@yahoo.com
pillsooc.ru - Email: alexeycheremisinov@yahoo.com
pillsopa.ru - Email: alexeycheremisinov@yahoo.com
pillsore.ru - Email: alexeycheremisinov@yahoo.com
pillsosa.ru - Email: alexeycheremisinov@yahoo.com
pillsosl.ru - Email: alexeycheremisinov@yahoo.com
pillsoti.ru - Email: alexeycheremisinov@yahoo.com
pillsouc.ru - Email: alexeycheremisinov@yahoo.com
pillsove.ru - Email: alexeycheremisinov@yahoo.com
pillspba.ru - Email: muzalevskayaekaterina@yahoo.com
pillsper.ru - Email: muzalevskayaekaterina@yahoo.com
pillspiz.ru - Email: muzalevskayaekaterina@yahoo.com
pillspnc.ru - Email: muzalevskayaekaterina@yahoo.com
pillspne.ru - Email: muzalevskayaekaterina@yahoo.com
pillspno.ru - Email: muzalevskayaekaterina@yahoo.com
pillspns.ru - Email: muzalevskayaekaterina@yahoo.com
pillsppp.ru - Email: muzalevskayaekaterina@yahoo.com
pillsppt.ru - Email: muzalevskayaekaterina@yahoo.com
pillspra.ru - Email: muzalevskayaekaterina@yahoo.com
pillspre.ru - Email: muzalevskayaekaterina@yahoo.com
pillsprg.ru - Email: muzalevskayaekaterina@yahoo.com
pillspsa.ru - Email: muzalevskayaekaterina@yahoo.com
pillspss.ru - Email: muzalevskayaekaterina@yahoo.com
pillspst.ru - Email: muzalevskayaekaterina@yahoo.com
pillspti.ru - Email: muzalevskayaekaterina@yahoo.com
pillsqu.ru - Email: alexeycheremisinov@yahoo.com

pillswal.ru - Email: nikitapetuhov@yahoo.com
pillswam.ru - Email: nikitapetuhov@yahoo.com
pillswar.ru - Email: nikitapetuhov@yahoo.com
pillswau.ru - Email: nikitapetuhov@yahoo.com
pillswcu.ru - Email: nikitapetuhov@yahoo.com
pillswed.ru - Email: nikitapetuhov@yahoo.com
pillswep.ru - Email: nikitapetuhov@yahoo.com
pillswer.ru - Email: nikitapetuhov@yahoo.com
pillswet.ru - Email: nikitapetuhov@yahoo.com
pillswey.ru - Email: nikitapetuhov@yahoo.com
pillswis.ru - Email: nikitapetuhov@yahoo.com
pillswng.ru - Email: nikitapetuhov@yahoo.com
pillswol.ru - Email: nikitapetuhov@yahoo.com

pillswre.ru - Email: nikitapetuhov@yahoo.com
pillswss.ru - Email: nikitapetuhov@yahoo.com
pillswti.ru - Email: nikitapetuhov@yahoo.com
pillswtt.ru - Email: nikitapetuhov@yahoo.com
pillswwa.ru - Email: nikitapetuhov@yahoo.com
pillszva.ru - Email: nikitapetuhov@yahoo.com
pillszzi.ru - Email: nikitapetuhov@yahoo.com
propillsp.ru - Email: muzalevskayaekaterina@yahoo.com
puppillso.ru - Email: alexeycheremisinov@yahoo.com
rempillso.ru - Email: alexeycheremisinov@yahoo.com
repillso.ru - Email: alexeycheremisinov@yahoo.com
sipillsw.ru - Email: nikitapetuhov@yahoo.com
stapillso.ru - Email: alexeycheremisinov@yahoo.com
supillsp.ru - Email: muzalevskayaekaterina@yahoo.com
tilpillso.ru - Email: alexeycheremisinov@yahoo.com
tilpillsw.ru - Email: nikitapetuhov@yahoo.com
towpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
trpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
uncpillso.ru - Email: alexeycheremisinov@yahoo.com
vipillsp.ru - Email: muzalevskayaekaterina@yahoo.com
whapillsw.ru - Email: nikitapetuhov@yahoo.com


Name servers of note, responding to 115.239.229.196 (AS4134); 113.23.142.119 (AS38182) and 78.46.105.205 (AS24940, with active SpyEye C&Cs at www.privathosting.eu and spl.privathosting.eu; the same IP hosts part of the scareware portfolio in Part Twenty Five above):
ns1.advidns.ru
ns1.alemedicp.ru
ns1.annudns.com
ns1.bacdns.ru
ns1.bacmedicp.ru
ns1.bestworlddns.com
ns1.botedns.com
ns1.boxdns.ru
ns1.camdns.ru
ns1.cashdns.ru
ns1.caulsdns.com
ns1.comtdns.com
ns1.crouadns.ru
ns1.culldns.com
ns1.delmedicv.ru
ns1.dns4work.ru
ns1.dnsbest.ru
ns1.dnsbestfind.com
ns1.dnsoper.com
ns1.dnsorbi.com
ns1.dnsroomo.ru
ns1.dnswork.ru
ns1.doctorci.ru
ns1.doctorngee.ru
ns1.doctorrfix.com
ns1.doctorude.ru
ns1.doctorxst.ru
ns1.doctorxve.ru
ns1.drdoctorx.ru
ns1.dromedicp.ru
ns1.eagreadns.ru
ns1.elmendns.ru
ns1.feldns.ru
ns1.glisdns.com
ns1.gurndns.ru
ns1.hardns.ru
ns1.psidns.com
ns1.rxshopsmor.ru
ns1.sighost.ru
ns1.standns.com
ns1.subrdns.ru
ns1.tiodns.com
ns1.twdoctor.com
ns1.vodoctorx.ru
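Both the scareware portfolio in Part Twenty Five above and the pharmaceutical portfolio in this post are given in the same "domain - Email: registrant" form, so one parser serves both. Here is an added example (not code from the original posts) in Python that parses those lines, groups the domains by registrant while setting aside WHOIS-privacy forwarders and entries with no registrant, and emits Response Policy Zone records that block each domain and its subdomains. The sample lines are copied from the lists above; the set of free-subdomain parents (co.cc, vv.cc, cz.cc) and the privacy-forwarder set are assumptions for illustration.

```python
"""Registrant pivot and blocklist generation for 'domain - Email: addr' lines.

Added example, not code from the original posts. Sample lines are copied
from the scareware and pharmaceutical lists above; the free-subdomain
parent list and the privacy-forwarder set are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = """\
accidentspreventingcenter.com - Email: contact@privacyprotect.org
pornhugevideo.com - Email: contact@privacyprotect.org
212156dnfgdn.co.cc - Email: audiodius@hotmail.com
32fdsg3gsg.vv.cc
androlhala.cz.cc
abpillsw.ru - Email: nikitapetuhov@yahoo.com
annpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
asapillsm.ru - Email: alexeycheremisinov@yahoo.com
pillsbi.ru - Email:  simakovs@yahoo.com
"""

# Registrant part is optional: many of the .vv.cc/.cz.cc entries have none.
LINE_RE = re.compile(
    r"^\s*(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?:\s+-\s+Email:\s*(?P<email>[^\s@]+@[^\s@]+))?\s*$",
    re.IGNORECASE,
)

# Assumption: services handing out free third-level names under these
# parents. The registrable unit is one label deeper than usual, and
# blocking the parent outright would take down unrelated users.
FREE_SUBDOMAIN_PARENTS = {"co.cc", "vv.cc", "cz.cc"}

# Assumption: WHOIS privacy forwarders; a shared address groups nothing.
PRIVACY_ADDRESSES = {"contact@privacyprotect.org"}


def parse(text):
    """Return [(domain, registrant-or-None), ...]; reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        email = m["email"].lower() if m["email"] else None
        records.append((m["domain"].lower(), email))
    return records


def registrable(domain):
    """Name to block: the 2-label parent, or 3 labels under a free-subdomain parent."""
    labels = domain.split(".")
    parent = ".".join(labels[-2:])
    depth = 3 if parent in FREE_SUBDOMAIN_PARENTS else 2
    return ".".join(labels[-depth:])


def by_registrant(records):
    """Group domains by registrant e-mail.

    Keys are a registrant address, "privacy-protected" for forwarders,
    or "unknown" for entries that carried no registrant.
    """
    groups = defaultdict(list)
    for domain, email in records:
        if email is None:
            key = "unknown"
        elif email in PRIVACY_ADDRESSES:
            key = "privacy-protected"
        else:
            key = email
        groups[key].append(domain)
    return {k: sorted(v) for k, v in groups.items()}


def rpz_lines(records):
    """RPZ records that NXDOMAIN each registrable name and its subdomains."""
    out = []
    for name in sorted({registrable(d) for d, _ in records}):
        out.append(f"{name} CNAME .")
        out.append(f"*.{name} CNAME .")
    return out


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for key, domains in by_registrant(recs).items():
        print(f"{key}: {len(domains)} domain(s)")
    print("\n".join(rpz_lines(recs)))
```

The registrant grouping is what makes the pharmaceutical list useful beyond a one-off blocklist: each recurring Yahoo! Mail address is a handle that can be fed back into passive DNS and WHOIS history to pick up the next batch of domains before they are spamvertised, while the privacy-protected scareware entries have to be pivoted on hosting (94.23.105.248, 78.46.105.205) instead.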



Wednesday, February 09, 2011


Whatever the cybercrime marketplace demands, the cybercrime marketplace supplies.