Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links

June 22, 2013

A currently ongoing, click-jacking driven spam campaign is circulating across Facebook. Affected users unknowingly spread the adf.ly links on their friends' Walls, tagging the friends as they go, while the cybercriminal(s) behind the campaign earn revenue through the adf.ly pay-per-click (PPC) monetization scheme.

Redirection chain:
hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 -> hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> hxxp://lolzbestpic.com


MD5s for the Facebook spamming/click-jacking scripts:
MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16


Domain name reconnaissance:
smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226

Name servers used:
Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM

Responding to the same IP (184.107.164.158) are also the following domains:
amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info

Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:
costcochristmas.com
costcogives.com
giftcardgratis.com
icagivings.com
lomanako.com
picknpaygives.com
remabilaget.com
rewegives.com
vodkaforyou.info
topvideosweden.com

Responding to the same IP (64.79.76.226) is also the following domain:
silali.info

Known to have responded to the same IP (64.79.76.226) in the past is also the following domain:
promvideo.pw
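
The "Domain name reconnaissance" and "Responding to the same IP" lists above are the output of a passive-DNS pivot: resolve the seed hostnames, then list every other name that has pointed at the same IP, split by whether it still resolves there. The script below is an added example, not code from the original post, that performs that pivot over an in-memory record set. The hostnames and IPs are the ones listed in the post; the first-seen/last-seen dates, the observation date (the post's date, 2013-06-22) and the unrelated example.net control record are constructed for the example.

```python
"""Passive-DNS style pivot from seed hostnames to co-hosted domains.

Added example, not code from the original post. Hostnames and IPs come
from the post; dates and the example.net record are constructed.
"""
from collections import defaultdict
from datetime import date

# Observation date assumed to be the post's date.
AS_OF = date(2013, 6, 22)

# Constructed passive-DNS records: (hostname, ip, first_seen, last_seen).
# Hostnames and IPs are from the post; the dates are invented for illustration.
PDNS_RECORDS = [
    ("smilegags.com",       "184.107.164.158", date(2013, 5, 1),   date(2013, 6, 22)),
    ("amasave.com",         "184.107.164.158", date(2013, 4, 10),  date(2013, 6, 22)),
    ("wikilieaksvideo.com", "184.107.164.158", date(2013, 6, 1),   date(2013, 6, 22)),
    ("ns1.pyarishq.info",   "184.107.164.158", date(2013, 3, 3),   date(2013, 6, 22)),
    ("costcogives.com",     "184.107.164.158", date(2012, 11, 20), date(2013, 1, 5)),
    ("giftcardgratis.com",  "184.107.164.158", date(2012, 12, 1),  date(2013, 2, 14)),
    ("lolzbestpic.com",     "64.79.76.226",    date(2013, 6, 10),  date(2013, 6, 22)),
    ("silali.info",         "64.79.76.226",    date(2013, 5, 20),  date(2013, 6, 22)),
    ("promvideo.pw",        "64.79.76.226",    date(2013, 4, 2),   date(2013, 5, 30)),
    ("example.net",         "203.0.113.9",     date(2013, 1, 1),   date(2013, 6, 22)),  # control, unrelated
]


def build_index(records):
    """Index records by IP so each pivot is a single dictionary lookup."""
    by_ip = defaultdict(list)
    for host, ip, first, last in records:
        by_ip[ip].append((host, first, last))
    return by_ip


def resolve(records, hostname, as_of):
    """IPs the hostname resolved to on the given date (empty if it had expired)."""
    return sorted({ip for host, ip, first, last in records
                   if host == hostname and first <= as_of <= last})


def pivot(records, seed, as_of, max_cohosted=50):
    """For each IP the seed resolves to, split the co-hosted names into
    'current' (still resolving there on as_of) and 'historical' (last seen
    before as_of). IPs with more than max_cohosted names are skipped: shared
    hosting and CDN addresses produce noise, not attribution."""
    by_ip = build_index(records)
    result = {}
    for ip in resolve(records, seed, as_of):
        cohosted = [r for r in by_ip[ip] if r[0] != seed]
        if len(cohosted) > max_cohosted:
            result[ip] = {"current": [], "historical": [], "skipped": True}
            continue
        current = sorted(h for h, first, last in cohosted if first <= as_of <= last)
        historical = sorted(h for h, first, last in cohosted if last < as_of)
        result[ip] = {"current": current, "historical": historical, "skipped": False}
    return result


if __name__ == "__main__":
    for seed in ("smilegags.com", "lolzbestpic.com"):
        for ip, groups in pivot(PDNS_RECORDS, seed, AS_OF).items():
            print(f"{seed} -> {ip}")
            print("  responding now:       ", ", ".join(groups["current"]))
            print("  responded in the past:", ", ".join(groups["historical"]))
```

The `max_cohosted` cut-off is the check worth keeping when running this against a real passive-DNS source: an IP belonging to a large shared host or CDN will return thousands of names, and listing them as "related" infrastructure is how false attribution starts.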

Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook
Phishing Campaign Spreading Across Facebook
Facebook Malware Campaigns Rotating Tactics
MySpace Phishers Now Targeting Facebook
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

'Anonymous' Group's DDoS Operation Titstorm

June 12, 2013

With last month's 'Anonymous' Group's DDoS Operation Titstorm campaign a clear success, based on real-time monitoring of the crowdsourcing-driven attack, it's time to take a brief retrospective on the tools and tactics used, and relate
Why is Operation Titstorm an important one to profile? Not only because it worked, compared to Operation Didgeridie, but also because crowdsourcing-driven (malicious culture of participation) DDoS attacks have proven themselves over the past several years as an alternative to DDoS-for-hire attacks.


- DIY ICMP flooders
- Web based multiple iFrame loaders to consume server CPU
- Web based email bombing tools + predefined lists of emails belonging to government officials/employees

Go through related posts on crowdsourcing DDoS attacks/malicious culture of participation:
Coordinated Russia vs Georgia cyber attack in progress
Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites
People's Information Warfare Concept
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Electronic Jihad's Targets List
The DDoS Attack Against CNN.com
Chinese Hacktivists Waging People's Information Warfare Against CNN
The Russia vs Georgia Cyber Attack
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
Iranian Opposition DDoS-es pro-Ahmadinejad Sites

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

June 10, 2013

A currently ongoing malware-serving campaign spreading across Facebook entices users into downloading and executing a malicious executable that pretends to be a "Who's Viewed Your Facebook Profile" extension. In reality, the executable, part of a campaign that has been ongoing for several months, steals private information from local browsers, auto-starts on Windows startup, and attempts to infect all of the victim's friends across Facebook.

The executable, along with several other related executables from the campaign, is currently hosted on Google Code, and according to Google Code's statistics one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Google Code project is called "Project Don't Download", a self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.


Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:
MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6
Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45,983 downloads
Profile View - 5v2.exe - 9,496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the following URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139
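
Both redirection chains on this page (the adf.ly chain in the Rihanna post above and the cnlz3.tk chain here) and the installer.gif phone-home beacon are the pieces a defender turns into proxy-log detections. The script below is an added example, not code from the original post, that does that: it refangs the hxxp URLs as the posts write them, splits them into a host blocklist and path-only matches for shared services such as adf.ly (blocking the whole shortener would break legitimate links), scans log lines, and parses the beacon's query parameters. The proxy log lines and the source IPs in them are constructed for this example; the beacon IOC is the post's URL trimmed to its path and first parameter.

```python
"""Scan proxy-log lines for the redirection-chain URLs and the phone-home
beacon listed in the posts.

Added example, not code from the original post. IOCs are copied from the
posts (still defanged with 'hxxp'); the log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# IOCs as listed in the posts, still defanged.
DEFANGED_IOCS = [
    "hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a",
    "hxxp://rihannaofficialvideo.blogspot.de/?231514",
    "hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a",
    "hxxp://lolzbestpic.com",
    "hxxp://cnlz3.tk/?2959858",
    "hxxp://profilelo.8c1.net/",
    "hxxp://profileste.uni.me/?skuwjjsadsuquwhdas",
    "hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe",
    "hxxp://stats.app-data.net/installer.gif?action=started",
]

# Shorteners shared by many legitimate users: block the specific path, never the host.
SHARED_SERVICES = ("adf.ly",)

# Constructed proxy log, one line per request: epoch source_ip method url status
SAMPLE_LOG = """\
1371902400.101 203.0.113.5 GET http://adf.ly/Qrd2f?cid=51c3e798aff9a 302
1371902400.340 203.0.113.5 GET http://adf.ly/Jx9k1 302
1371902401.002 203.0.113.5 GET http://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a 200
1371902402.517 203.0.113.7 GET https://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe 200
1371902404.330 203.0.113.7 GET http://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&os=XP32&admin=1&app=30413 200
1371902405.000 203.0.113.9 GET http://www.example.org/ 200
"""


def refang(url):
    """Turn the hxxp/hxxps defanging back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_shared_service(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_SERVICES)


def build_iocs(defanged):
    """Split IOC URLs into a host blocklist and (host, path) pairs for shared services."""
    hosts, paths = set(), set()
    for url in defanged:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
        if is_shared_service(host):
            paths.add((host, parts.path))
        else:
            hosts.add(host)
    return hosts, paths


def classify(url, hosts, paths):
    """Return why a URL matches the IOC set, or None if it does not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in hosts:
        return "blocked-host"
    if (host, parts.path) in paths:
        return "blocked-path"
    return None


def beacon_fields(url):
    """Extract the install-telemetry parameters from an installer.gif beacon
    (the parameter names are those in the phone-home URL listed in the post)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/installer.gif"):
        return None
    q = parse_qs(parts.query)
    return {k: q.get(k, [""])[0] for k in ("action", "browser", "os", "admin", "app")}


def scan(lines, hosts=None, paths=None):
    """Return one hit dict per log line whose URL matches an IOC."""
    if hosts is None:
        hosts, paths = build_iocs(DEFANGED_IOCS)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        ts, src, _method, url, _status = fields[:5]
        reason = classify(url, hosts, paths)
        if reason:
            hit = {"ts": ts, "src": src, "host": urlsplit(url).hostname, "reason": reason}
            beacon = beacon_fields(url)
            if beacon:
                hit["beacon"] = beacon  # admin=1 / os=XP32 tell you what the infected host looks like
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The second adf.ly line in the sample log deliberately does not match: only the `/Qrd2f` path from the post is an indicator, and a host-level block on the shortener would generate far more noise than signal. The beacon fields are kept on the hit because `admin=1` and `os=XP32` from the post's phone-home URL describe the infected host's privilege level and platform, which is what triage needs first.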

Facebook and Google have been notified.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for May

June 04, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for May, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. FedWire ‘Your Wire Transfer’ themed emails lead to malware
02. A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool
03. New IRC/HTTP based DDoS bot wipes out competing malware
04. New version of DIY Google Dorks based mass website hacking tool spotted in the wild
05. Citibank ‘Merchant Billing Statement’ themed emails lead to malware
06. Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware
07. Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware
08. Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin
09. Newly launched E-shop for hacked PCs charges based on malware ‘executions’
10. New subscription-based ‘stealth Bitcoin miner’ spotted in the wild
11. Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement
12. Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages
13. Commercial ‘form grabbing’ rootkit spotted in the wild
14. DIY malware cryptor as a Web service spotted in the wild – part two
15. CVs and sensitive info soliciting email campaign impersonates NATO
16. New commercially available DIY invisible Bitcoin miner spotted in the wild
17. Fake ‘Export License/Payment Invoice’ themed emails lead to malware
18. Compromised Indian government Web site leads to Black Hole Exploit Kit
19. Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware
20. Marijuana-themed DDoS for hire service spotted in the wild
21. Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.