Friday, November 30, 2012

Summarizing Webroot's Threat Blog Posts for November


The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:


01. BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware
02. ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit
03. USPS ‘Postal Notification’ themed emails lead to malware
04. ‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit
05. ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
06. ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit
07. ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware
08. Cybercriminals abuse major U.S. SMS gateways, release DIY Mail-to-SMS flooders
09. ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit
10. Bogus Better Business Bureau themed notifications serve client-side exploits and malware
11. Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants
12. Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware
13. ‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit
14. Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware
15. Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
16. Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
17. Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
18. Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
19. Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware
20. Cybercriminals target U.K. users with bogus ‘Pay by Phone Parking Receipts’, serve malware
21. Bogus DHL ‘Express Delivery Notifications’ serve malware
22. Cybercriminals impersonate Vodafone U.K., spread malicious MMS notifications
23. Cybercriminals impersonate T-Mobile U.K., serve malware
24. Bogus ‘Meeting Reminder’ themed emails serve malware
25. Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit
26. Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing ZDNet's Zero Day Posts for November


The following is a brief summary of all of my posts at ZDNet's Zero Day for November, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:


01. Opera for Mac OS X patches six security vulnerabilities
02. Cybercriminals start spamvertising Xmas themed scams and malware campaigns
03. Apple releases QuickTime 7.7.3 for Windows, patches critical security vulnerabilities
04. Active XSS flaw discovered on eBay
05. A patched browser - false feeling of security or a security utopia that actually exists?


Monday, November 26, 2012

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem and keep known bad actors on a short leash, in this intelligence brief I'll expose the latest activities of Anton Nikolaevich Korotchenko a.k.a. KrotReal, indicating that he's currently busy experimenting with two projects:
  • A Black Hat Search Engine Optimization (SEO) service/product
  • An underground traffic exchange/pay-per-install network currently distributing localized Ransomware
KrotReal's real-life identity was originally revealed by a single mistake made over several years of activity: registering a Koobface command and control server with his personal GMail account. In this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the domains he has most recently registered with that same personal GMail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC

The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and WordPress, next to Yoom CMS. KrotReal may be using the tool himself, or selling/offering access to it as a managed service. Does that mean he isn't also using it himself to monetize the hijacked legitimate traffic that his Black Hat SEO campaigns bring in? Not at all.

More domains, presumably intended for Black Hat SEO purposes, registered with KrotReal's personal email account (krotreal@gmail.com):
superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
krotpong.com
adultpartypics.com
findhunt.com


How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang primarily distributed scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged that they weren't damaging infected users' PCs.

What's particularly interesting about this campaign is that it's a good example of double-layer monetization: KrotReal earns affiliate revenue through the Traffic Holder Adult Affiliate Program, while the same redirection chain serves client-side exploits and ultimately drops Ransomware on the affected host.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru


Sample malicious activity redirection chain:
hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 ->
hxxp://celeb-search.com/in.php?source=th&q=nude+girls ->
hxxp://celeb-search.com/in3.php?source=th&q=nude+girls ->
hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic ->
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->
hxxp://gravityexp.com/go.php?sid=12 ->
hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) ->
hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 ->
hxxp://nosnowfevere.com/ZqRqk ->
hxxp://nosnowfevere.com/EHSvFc ->
hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.
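
The chain above is worth turning into detection logic: a host that visits the traffic tracker, the Black Hat SEO doorway, the affiliate network and then the exploit-kit landing page, in that order, has almost certainly been exposed to the exploits, while a host that only touches the first hop or two has merely followed a doorway link. The Python below is an added example written for this brief, not code from the original post or from any tool it describes. It walks constructed proxy-log lines (the URLs are the defanged ones quoted above; the timestamps and client addresses are made up), assigns each request to a stage of the chain (the stage labels are mine), and also extracts the Traffic Holder affiliate identifier from either URL form seen in the chain, so the identifier can be used as a pivot of its own.

```python
"""Stage the documented redirection chain and flag proxy clients that walked it.

Added example for this brief, not code from the original post. Hostnames are
the ones quoted in the post; log lines, timestamps and client IPs are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Stages of the chain, in the order a victim's browser traverses them (labels are mine).
CHAIN_STAGES = [
    ("tds",         {"traffictracker.in"}),                               # traffic tracker
    ("bhseo",       {"celeb-search.com"}),                                # Black Hat SEO doorway
    ("affiliate",   {"www.trafficholder.com", "hit.trafficholder.com"}),  # adult affiliate network
    ("gate",        {"gravityexp.com"}),                                  # gate to the exploit kit
    ("exploit_kit", {"nosnowfevere.com"}),                                # exploit-kit landing page
]
STAGE_ORDER = [name for name, _ in CHAIN_STAGES]


def refang(url):
    """Turn a defanged hxxp:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def stage_of(url):
    """Name of the chain stage this URL belongs to, or None."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    for name, hosts in CHAIN_STAGES:
        if host in hosts:
            return name
    return None


def affiliate_id(url):
    """Extract the Traffic Holder affiliate ID from either URL form in the chain:
    in2.php?ppillow-pics_erotic  or  process.fcgi?a=ppillow&c=1&n=pics_erotic&r="""
    parts = urlsplit(refang(url))
    if not (parts.hostname or "").endswith("trafficholder.com"):
        return None
    if "=" not in parts.query:              # bare identifier as the whole query string
        return parts.query or None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "a" in params and "n" in params:     # split form: a=<affiliate>&n=<campaign>
        return f"{params['a']}-{params['n']}"
    return None


# Constructed proxy log: "<unix_ts> <client_ip> <method> <url>", one request per line.
SAMPLE_LOG = """\
1353968400.101 10.0.0.5 GET hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1
1353968400.412 10.0.0.5 GET hxxp://celeb-search.com/in.php?source=th&q=nude+girls
1353968400.900 10.0.0.5 GET hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic
1353968401.300 10.0.0.5 GET hxxp://gravityexp.com/go.php?sid=12
1353968401.800 10.0.0.5 GET hxxp://nosnowfevere.com/ZqRqk
1353968402.000 10.0.0.5 GET hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61
1353968500.000 10.0.0.9 GET http://example.com/
1353968600.000 10.0.0.7 GET hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1
1353968600.500 10.0.0.7 GET hxxp://celeb-search.com/in.php?source=th&q=nude+girls
"""
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)")


def parse_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"], m["url"]


def analyze(text):
    """Return {client: (stages visited in order, verdict)} for clients that hit any stage.

    likely_exploited: reached the exploit-kit landing page after earlier stages, in chain order
    chain_partial:    followed two or more stages in order but never reached the landing page
    ioc_hit:          a single stage, or stages out of chain order
    """
    visited = defaultdict(list)
    for _ts, client, url in sorted(parse_log(text)):
        stage = stage_of(url)
        if stage and (not visited[client] or visited[client][-1] != stage):
            visited[client].append(stage)          # collapse repeated hits on one stage
    results = {}
    for client, stages in visited.items():
        idx = [STAGE_ORDER.index(s) for s in stages]
        in_order = idx == sorted(idx)
        if in_order and len(stages) > 1 and stages[-1] == "exploit_kit":
            verdict = "likely_exploited"
        elif in_order and len(stages) > 1:
            verdict = "chain_partial"
        else:
            verdict = "ioc_hit"
        results[client] = (stages, verdict)
    return results


if __name__ == "__main__":
    for client, (stages, verdict) in analyze(SAMPLE_LOG).items():
        print(f"{client}: {verdict} via {' -> '.join(stages)}")
```

Feeding the same hostnames to a proxy blocklist is the obvious first step; the ordering check is what separates a victim who reached the landing page from a crawler or an analyst that only fetched one hop, and the affiliate identifier lets you recognise the same operator behind a chain that uses entirely different doorway and gate domains.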


Malicious domain name reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K. users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773)

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):
bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - Email: pescifabio83@yahoo.fi
testcitycheckers.com - Email: pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru
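
The pivots used throughout this brief are registrant e-mail (the GMail account behind trafficconverter.in, traffictracker.in and the Black Hat SEO doorways) and shared hosting (domains answering on 176.9.146.78, and on the two AS20773 addresses the C&C moved to). The Python below is an added example, not part of the original post or of any tool it mentions. It loads the WHOIS and resolution data quoted above as constructed records (the post does not say which of the domains listed against 176.28.22.32 and 176.28.14.42 resolves to which, so both edges are recorded), then walks the resulting graph from a seed, preferring paths that need no shared-IP edge, because an address at a hosting provider can be shared by unrelated tenants and is far weaker evidence than a registrant address. It also turns the C&C's dated IP moves into a dwell-time table. Note that the link between KrotReal's doorways and the ransomware C&C in this brief comes from the redirection chain, which WHOIS and resolution data alone do not capture: the walk below correctly does not reach sarscowoy.com from the GMail seed.

```python
"""Pivot on registrant e-mail and shared hosting across the infrastructure in this brief.

Added example, not code from the original post. WHOIS, resolution and hosting-history
records below are transcribed from the post; where the post is silent (which listed
domain sits on which of the two AS20773 addresses) both edges are recorded.
"""
import heapq
from collections import defaultdict
from datetime import date

STRONG, WEAK = 0, 1   # edge cost: a registrant e-mail is strong evidence, a shared IP is weak

# domain -> registrant e-mail, from the post's WHOIS reconnaissance
WHOIS = {
    "trafficconverter.in":  "krotreal@gmail.com",
    "traffictracker.in":    "krotreal@gmail.com",
    "celeb-search.com":     "krotreal@gmail.com",
    "superstarfind.com":    "krotreal@gmail.com",
    "gravityexp.com":       "francesca.muglia.130@istruzione.it",
    "nosnowfevere.com":     "djbroning@definefm.com",
    "sarscowoy.com":        "rmasela@ymail.com",
    "bussinesmail.org":     "belov28@gmail.com",
    "elitesecuritynet.com": "pescifabio83@yahoo.fi",
    "ineverworrynet.com":   "pescifabio83@yahoo.fi",
    "testcitycheckers.com": "pescifabio83@yahoo.fi",
}

# ip -> domains currently resolving to it, from the post's resolution data
CNC_COHOSTED = {"sarscowoy.com", "bussinesmail.org", "elitesecuritynet.com",
                "ineverworrynet.com", "testcitycheckers.com", "uneugroup.com", "apaineal.ru"}
RESOLVES = {
    "176.9.146.78":   {"trafficconverter.in", "traffictracker.in", "allcelebrity.ru", "easypereezd.ru"},
    "46.163.117.144": {"gravityexp.com"},
    "91.211.119.32":  {"nosnowfevere.com"},
    "176.28.22.32":   set(CNC_COHOSTED),   # post lists these against both IPs, so both
    "176.28.14.42":   set(CNC_COHOSTED),   # edges are recorded (assumption)
}

# dated IP moves of the ransomware C&C domain: (first seen, ip, asn)
HOSTING_HISTORY = {
    "sarscowoy.com": [
        (date(2012, 6, 21),  "204.13.160.28", "AS33626"),
        (date(2012, 7, 1),   "46.163.113.79", "AS20773"),
        (date(2012, 11, 14), "176.28.14.42",  "AS20773"),
        (date(2012, 11, 24), "176.28.22.32",  "AS20773"),
    ],
}
BRIEF_DATE = date(2012, 11, 26)   # publication date of this brief


def build_graph():
    """Undirected graph over 'domain:', 'email:' and 'ip:' nodes; edges carry a cost."""
    adj = defaultdict(set)
    for dom, mail in WHOIS.items():
        adj[f"domain:{dom}"].add((f"email:{mail}", STRONG))
        adj[f"email:{mail}"].add((f"domain:{dom}", STRONG))
    for ip, doms in RESOLVES.items():
        for dom in doms:
            adj[f"domain:{dom}"].add((f"ip:{ip}", WEAK))
            adj[f"ip:{ip}"].add((f"domain:{dom}", WEAK))
    return adj


def pivot(adj, seed, allow_ip=True):
    """Best (weak_edges, hops) to every node reachable from seed: fewest shared-IP
    edges first, then fewest hops. allow_ip=False restricts to registrant pivots."""
    best = {seed: (0, 0)}
    heap = [(0, 0, seed)]
    while heap:
        weak, hops, node = heapq.heappop(heap)
        if (weak, hops) != best[node]:
            continue                                   # superseded entry
        for nxt, cost in adj[node]:
            if cost == WEAK and not allow_ip:
                continue
            cand = (weak + cost, hops + 1)
            if nxt not in best or cand < best[nxt]:
                best[nxt] = cand
                heapq.heappush(heap, (*cand, nxt))
    return best


def linked_domains(adj, seed, allow_ip=True):
    """Domains reachable from seed -> ('strong'|'weak', hops); 'weak' means at least
    one shared-IP edge was needed, which is where unrelated tenants creep in."""
    out = {}
    for node, (weak, hops) in pivot(adj, seed, allow_ip).items():
        if node.startswith("domain:") and node != seed:
            out[node.split(":", 1)[1]] = ("strong" if weak == 0 else "weak", hops)
    return out


def hosting_moves(domain, as_of=BRIEF_DATE):
    """[(ip, asn, days_active)] for each hop in the domain's hosting history."""
    hist = sorted(HOSTING_HISTORY.get(domain, []))
    moves = []
    for i, (seen, ip, asn) in enumerate(hist):
        end = hist[i + 1][0] if i + 1 < len(hist) else as_of
        moves.append((ip, asn, (end - seen).days))
    return moves


if __name__ == "__main__":
    graph = build_graph()
    for dom, (strength, hops) in sorted(linked_domains(graph, "email:krotreal@gmail.com").items()):
        print(f"{dom:22s} {strength:6s} {hops} hop(s)")
    for ip, asn, days in hosting_moves("sarscowoy.com"):
        print(f"sarscowoy.com -> {ip:15s} {asn}  {days} days")
```

Run from the GMail seed, every domain the post ties to KrotReal by WHOIS comes back as a strong one-hop link, the two .ru domains on the same Hetzner address come back as weak three-hop links, and the ransomware C&C does not come back at all; pass allow_ip=False when reporting only what you can attribute, and keep the weak links as leads to confirm rather than as findings.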

What we have here is a clear example of what happens when someone has not feared legal prosecution for years of fraudulent activity that has potentially earned hundreds of thousands of dollars: they simply launch new projects, continuing to cause more harm and to fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input.


Friday, November 23, 2012

Managed Embedding of Malicious iFrames Through Compromised Accounts as a Service



Friday, November 02, 2012

Summarizing Webroot's Threat Blog Posts for October


The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

 
01. Russian cybercriminals release new DIY SMS flooder
02. Upcoming Webroot presentation on Cyber Jihad and Cyberterrorism at RSA Europe 2012
03. Recently launched E-shop sells access to hundreds of hacked PayPal accounts
04. New Russian service sells access to compromised Steam accounts
05. ‘Vodafone Europe: Your Account Balance’ themed emails serve malware
06. Cybercriminals impersonate UPS, serve client-side exploits and malware
07. ‘Your video may have illegal content’ themed emails serve malware
08. Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware
09. American Airlines themed emails lead to the Black Hole Exploit Kit
10. Bogus Facebook notifications lead to malware
11. Spamvertised ‘KLM E-ticket’ themed emails serve malware
12. ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
13. Malware campaign spreading via Facebook direct messages spotted in the wild
14. ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
15. Russian cybercriminals release new DIY DDoS malware loader
16. PayPal ‘Notification of payment received’ themed emails serve malware
17. Cybercriminals impersonate Delta Airlines, serve malware
18. ‘Your UPS Invoice is Ready’ themed emails serve malware
19. Bogus Skype ‘Password successfully changed’ notifications lead to malware
20. RSA Conference Europe 2012 – recap
21. Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware
22. Spamvertised ‘BT Business Direct Order’ themed emails lead to malware
23. Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware
24. Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware
25. Nuclear Exploit Pack goes 2.0


Summarizing ZDNet's Zero Day Posts for October


The following is a brief summary of all of my posts at ZDNet's Zero Day for October, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:


01. Report: Large US bank hit by 20 different crimeware families
02. Localized Dorkbot malware variant spreading across Skype
03. Sopelka botnet drops Citadel, Feodo, and Tatanga crimeware variants
04. Adobe patches 6 critical security flaws in Shockwave
