Wednesday, December 11, 2013

Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem


Last week, immediately after I published the initial analysis of a massive privacy-violating "Who's Viewed Your Profile" campaign circulating across Facebook, the cybercriminals behind it supposedly took it offline: one of the main redirectors now points to 127.0.0.1.

Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation. Based on the latest statistics, embedded within the campaign on the same day they supposedly shut it down, one of these sub-campaigns has already exposed another 190,000+ of the social network's users to more rogue, privacy-violating apps: in this particular case JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE. The original campaign appears to have been launched in 2011 and had already exposed 800,000+ users.

Let's dissect the still-circulating campaign, expose the infrastructure supporting it, establish direct connections to related malicious campaigns (indicating either that someone is multi-tasking, or that several malicious and fraudulent activities share the same infrastructure), provide MD5s for the currently served privacy-violating apps, and list the actual, currently live, hosting locations.


Sample redirection chain (one hop per line):
hxxp://NXJXBMQ.tk/?12358289 (93.170.52.21; 93.170.52.33) ->
hxxp://p2r0f3rviewer9890.co.nf/?sdk222[...]222ajsklfjaslfkjasfklja (the query string is a run of roughly 1,300 repeated "2" characters followed by a random suffix, apparently used as padding) ->
hxxp://prostats.vf1.us (192.157.201.42) ->
hxxp://whoviewsfb.uni.me/ch/profile.html (82.208.40.11)

Redirection chain domain name reconnaissance:
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vf1.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:
0.facebook.com.fpama.tk
001200133184123129811.tk
00wwebhost.tk
01203313441.tk
01prof86841.tk
029m821t9fs.4ieiii.tk
031601.tk
0333.tk
0571baidu.tk
05pr0f1le21200.tk
05pr0file214741.tk
060uty80w.tk
06emu.tk
0886.tk
0akleycityn.tk
0ao0grecu.tk
0fcf7.chantaljltaste.tk
0lod1lmt1.tk
0love.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:
MD5: ee78fe57ad8dbac96b31f41f77eb5877
MD5: bed006372fc76ec261dc9b223b178438
MD5: 58f9cbec80d1dc3a5afbb7339d200e66
MD5: fd0c6b284f7700d59199c55fdcd5bd8a
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: 97ec866ac26e961976e050591f49fec3
MD5: aba1720b1a6747de5d5345b5893ba2f5
MD5: de5e1f6f137ecb903a018976fc04e110
MD5: a9669b65cabd6b25a32352ccf6c6c09a
MD5: 003f4d9dafba9ee6e358b97b8026e354
MD5: bab313e031b0c54d50fd82d221f7defc
MD5: e6b766f627b91fd420bd93fab4bc323f
MD5: d63656d9b051bf762203b0c4ac728231
MD5: 935440d970ee5a6640418574f4569dab
MD5: 2524e3b4ed3663f5650563c1e431b05c
MD5: f726646a41f95b12ec26cf01f1c89cf9
MD5: a5af6c04d28fcea476827437caf4c681
MD5: c7346327f86298fa5dad160366a0cf26
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a
MD5: b33aaa98ad706ced23d7c64aed0fcad6

Known to have responded to 93.170.52.33 are also the following fraudulent domains:
0lwwa.tk
0msms.tk
122.72.0.7sierra-web-www.szjlc-pcb.tk
1z8dz.tk
4f1wz8.ga
777898.ga
888234.ml
8eld7.tk
abmomre.tk
accountupdateinformation.tk
ahram-org-eg.tk
alex-fotos.tk
allycam.tk
amerdz.ml
angelsmov.tk
apis-drives-google.tk
apis-googledrive.tk
apple-idss.tk
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk
avtoshina.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:
MD5: 2d951e649a8bbcbfa468f7916e188f9f
MD5: dbe2c0788e74916eba251194ef783452
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: dc01c1db51e26b585678701a64c94437
MD5: 61cc3de4e9a9865e0d239759ed3c7d5a
MD5: 64505b7ca1ce3c1c0c4892abe8d86321
MD5: 0b98356395b2463ea0f339572b9c95ef
MD5: 9e87c189d3cbf2fc2414934bef6e661b
MD5: 48964a66bdc81b48f2fe7a31088c041b
MD5: f81c85bea0e2251655b7112b352f302e

The following MD5s are also known to have phoned back to 83.125.22.192 in the past:
MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a

Known to have responded to 82.208.40.11 are the following fraudulent domains:
000e0062fb44cd5b277591349e070277.cz.cc
003bc1b16c548efbc4f30790e0bc17be.cz.cc
0057ab88a8febe310f94107137731424.cz.cc
008447a58c242b52cb69fe7dceea9a0b.cz.cc
00a47e5e57323f23c66f2c2d5bc1debc.cz.cc
00a9a591d1e7aaf65639781bc73199d4.cz.cc
00ad3353e0ba865a521da380ba4e0cc4.cz.cc
00d55beb792962f7a04c66b85f2c6082.cz.cc
00e3b9ece447187da3f43f98ab619a28.cz.cc
00eb52dbc4331a64e4fd96fdca890d9c.cz.cc
00f59cfa33cd097e943a38a8f2e343ee.cz.cc
00fbdb49398f0e5fd9d5572044d8934e.cz.cc
010ab81241856dfca44dd9ade4489fbc.cz.cc
011622fb7752328ebb60bd2c075f1fe6.cz.cc
011fbf88cff1c18e05c2afb53d6e5ffd.cz.cc
0133147433aeef23bbe60df0cbc4eac9.cz.cc
013f98b7157ae3754d463e9d2346a549.cz.cc
013fa3e9db6e476282b8e9f1bac6d68e.cz.cc
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc
019368b1f3b364c0d3ec412680638f04.cz.cc

The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:
MD5: 2c89dfc1706b31ba7de1c14e229279e5
MD5: 6719d3e8606d91734cde25b8dfc4156f
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d
MD5: 3875fa91f060d02bddd43ff8e0046588
MD5: 929b72813bae47f78125ec30c58f3165
MD5: 96fa2ea6db2e4e9f00605032723e1777
MD5: c46968386138739c81e219da6fb3ead5
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49
MD5: d9714a0f7f881d3643125aa0461a30be
MD5: 81171015a95073748994e463142ddcc7

Known to have responded to 192.157.201.42 are also the following fraudulent domains:
cracks4free.info
pr0lotra.p9.org
prostats.vf1.us
wh0prof.uni.me

The actual, currently live, hosting locations for the served privacy-violating content follow.


Mindspark Interactive Network's MyImageConverter served URL:
hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Chrome Web Store served extension URLs:
hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox accounts serving the Firefox extension and the Android app (the latter currently offline due to heavy usage):
hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk - currently offline

Facebook App URL:
hxxp://apps.facebook.com/dislike___button/

Google Docs served privacy-violating apps:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download

GA Account IDs: UA-23441223-3; UA-12798017-1
MyImageConverter Affiliate Network ID: ^AZ0^xdm081

Detection rate for the served apps/extensions:
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ
MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos

Note that the first sample is the same MD5 that was detected by only 6 out of 48 scanners (as Trojan.Dropper.FB) when I first analyzed the primary campaign on December 4; coverage has improved over the week, but the file itself has not changed.

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts, and then phones back to 195.167.11.4.

Two more MD5s, from different malware campaigns, are known to have phoned back to 195.167.11.4:
MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098


The Privacy Policy (hxxp://prostats.vf1.us/firefox/pp.html) and the EULA (hxxp://prostats.vf1.us/firefox/eula.html) point to hxxp://dislikeIt.com (176.74.176.179). Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:
MD5: d366088e4823829798bd59a4d456a3df
MD5: 3c73db8202d084f33ab32069f40f58c8
MD5: d7fce1ec777c917f72530f79363fc6d3
MD5: 83568d744ab226a0642233b93bfc7de6
MD5: c84b1bd7c2063f34900bbc9712d66e0f
MD5: 58baa919900656dacaf39927bb614cf1
MD5: a86e97246a98206869be78fd451029a0
MD5: 70a0894397ac6f65c64693f1606f1231
MD5: f9166237199133b24cd866b61d0f6cca
MD5: 0f24ad046790ee863fd03d19dbba7ea5
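The lists above make the shared-infrastructure argument by eye. The following Python is an added example, not code from the original post: it parses the post's own plain-text notation ("host - ip", "Known to have responded to <ip> ...", "MD5: <hash>") into a small graph and reports the overlaps, such as the MD5 seen phoning back to both 93.170.52.21 and 93.170.52.33, and the hostnames fronted by 192.157.201.42. SAMPLE is a constructed excerpt of the lists, and the function names are my own.

```python
"""Pivot on the infrastructure indicators published in this post.

Added example, not code from the original post. SAMPLE is a constructed
excerpt of the post's lists, in the post's own notation.
"""
import re
from collections import defaultdict

SAMPLE = """\
Redirection chain domain name reconnaissance:
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
whoviewsfb.uni.me - 82.208.40.11
prostats.vf1.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:
0.facebook.com.fpama.tk
05pr0f1le21200.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:
MD5: ee78fe57ad8dbac96b31f41f77eb5877
MD5: 4bfeb3c882d816d37c3e6cbb749e44af

Known to have responded to 93.170.52.33 are also the following fraudulent domains:
accountupdateinformation.tk
apis-googledrive.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:
MD5: 2d951e649a8bbcbfa468f7916e188f9f
MD5: 4bfeb3c882d816d37c3e6cbb749e44af

Known to have responded to 192.157.201.42 are also the following fraudulent domains:
cracks4free.info
wh0prof.uni.me
cracks4free.info
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.\-]*\.[a-z]{2,}$", re.I)


def parse_iocs(text):
    """Return a set of (kind, value, ip) edges, kind in {'domain', 'md5'}.

    A 'host - ip[; ip]' line yields one edge per IP. A bare domain or an
    'MD5: <hash>' line is attached to the IP named by the most recent
    'responded to <ip>' / 'phoned back to <ip>' header line.
    """
    edges = set()
    current_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_RE.match(line)
        if m:
            if current_ip:
                edges.add(("md5", m.group(1).lower(), current_ip))
            continue
        if " - " in line:                      # 'host - ip; ip'
            host, _, ips = line.partition(" - ")
            for ip in IP_RE.findall(ips):
                edges.add(("domain", host.lower(), ip))
            continue
        if DOMAIN_RE.match(line):              # bare domain under a header
            if current_ip:
                edges.add(("domain", line.lower(), current_ip))
            continue
        header_ips = IP_RE.findall(line)       # section header naming an IP
        if header_ips:
            current_ip = header_ips[0]
    return edges


def build_index(edges):
    """Bidirectional adjacency: every domain, hash and IP maps to its neighbours."""
    adj = defaultdict(set)
    for kind, value, ip in edges:
        adj[(kind, value)].add(("ip", ip))
        adj[("ip", ip)].add((kind, value))
    return adj


def pivots(adj, kind):
    """Nodes of `kind` seen with two or more distinct IPs: the overlaps that
    justify reading separate lists as one operator's infrastructure."""
    return {value: sorted(ip for _, ip in neigh)
            for (k, value), neigh in adj.items()
            if k == kind and len(neigh) >= 2}


def shared_ips(adj, min_hosts=2):
    """IPs fronting several hostnames; blocking the IP also catches hostnames
    rotated in later. Duplicate list entries collapse into one node."""
    out = {}
    for (k, ip), neigh in adj.items():
        hosts = sorted(v for kk, v in neigh if kk == "domain")
        if k == "ip" and len(hosts) >= min_hosts:
            out[ip] = hosts
    return out


if __name__ == "__main__":
    adj = build_index(parse_iocs(SAMPLE))
    for h, ips in pivots(adj, "md5").items():
        print(f"hash {h} phoned back to {' and '.join(ips)}")
    for d, ips in pivots(adj, "domain").items():
        print(f"domain {d} resolved to {' and '.join(ips)}")
    for ip, hosts in shared_ips(adj).items():
        print(f"{ip}: {len(hosts)} hostnames -> {', '.join(hosts)}")
```

Run stand-alone it prints the pivots from the excerpt; pointed at the full post, or at any feed written in the same notation, the same three functions produce blocklist candidates, and the cracks4free.info entry that is listed twice under 192.157.201.42 becomes a single node.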


Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since December 4, when I initially analyzed the primary campaign.


Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, December 04, 2013

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating "Who's Viewed Your Profile" campaign circulating on Facebook has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android-based adware AirPush.

Relying on the proven social engineering tactic of offering what is not offered in general (Facebook does not show who viewed a profile), and hosting the rogue files on legitimate service providers, Google Docs and Dropbox in this particular case, the campaign is a good example of how this scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts and mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1


Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org


Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download


Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi



Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s), using the click statistics of the URL shortening service in the redirection chain (shown as screenshots in the original post):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised to consider reporting the campaign back to Facebook, immediately.

Tuesday, December 03, 2013

Summarizing Webroot's Threat Blog Posts for November


The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity
02. Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
03. Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’
04. New vendor of ‘professional DDoS for hire service’ spotted in the wild
05. Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity
06. Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild
07. Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)
08. Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player
09. Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits
10. Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool
11. Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
12. Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware
13. Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords
14. Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware
15. Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware
16. Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware
17. Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware


Thursday, November 14, 2013

Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware

A currently ongoing malicious campaign, using compromised sites as its primary traffic acquisition tactic, is attempting to socially engineer users (English and Russian speaking) into thinking that they are running an outdated version of their browser and need to apply a bogus (security/antivirus) update. In reality, the "update" is a variant of Trojan:Android/Fakeinst.EQ / Android.SmsSend, an SMS-sending Android Trojan.

Sample screenshots of the fake browser update landing pages (images from the original post, not reproduced in this copy).

Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/ (93.115.82.239; Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:
1mc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnew1.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android malware pushed by the campaign:
MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE
MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:
downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in
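
Pivoting over shared hosting IPs and registrant e-mail addresses, as the lists above do by hand, is something a defender can automate. The following is an added example, not code from this post: it loads the domain-to-IP and e-mail-to-domain relations transcribed from this post into a small undirected graph, walks it breadth-first from the final hop of the redirection chain, and emits an Unbound `local-zone ... always_nxdomain` blocklist for every domain it reaches. The hop cap and the Unbound output format are this example's choices; the indicators themselves come from the post.

```python
"""Infrastructure pivoting over the indicators published in the post.

Added example (not the blog's own tooling). Relations are transcribed
from the post: which domains resolved to which IP, and which registrant
e-mail registered which domains. The graph walk and the output format
are this example's own.
"""
from collections import defaultdict, deque

# Transcribed from the post: IP -> domains known to have responded to it.
RESOLVED_TO = {
    "109.163.230.182": [
        "newupdateronline.org", "dlsdcncnew.net", "newapk-flv.org",
        "1mc8.asia", "anglecultivatep.in", "appallinglyndiscoveries.in",
        "bilious-6biros.in", "boathire.pw", "cvwv87.pro", "dlsdcncnew1.pw",
        "efuv77.pro", "familye-perspex.in", "farting-meagre.in",
        "flvupdate.in", "fringeclamberedk.in", "hopefully-great8.in",
        "investment-growsa.asia", "money-tree.pw", "moon-media.pw",
        "moontree.pw", "mountainlake.pw", "movingv-relation.in",
        "new-updateronline.org",
    ],
    "93.115.82.239": ["advertcliks.net"],
    "188.95.159.30": ["open-filedownload4.in"],
    "109.163.230.180": ["bestowedcomedyb.org"],
}
# Transcribed from the post: registrant e-mail -> domains it registered.
REGISTERED_BY = {
    "maxaxaha@gmail.com": ["advertcliks.net"],
    "vbistrih@yandex.com": ["newupdateronline.org"],
    "constantin.zawyalov@yandex.ru": [
        "dlsdcncnew.net", "downloader8days.in", "open-filedownload4.in",
        "upweight.in", "bestnewbrowsers.in", "bestowedcomedyb.org",
        "expandload.in", "2012internet-load.in", "4interfilefolder.in",
        "99030.in", "admitted-6crept.org", "rufileserver.in",
    ],
}


def build_graph(resolved_to, registered_by):
    """Undirected adjacency list: a domain links to the IPs it resolved to
    and to the e-mail address that registered it."""
    graph = defaultdict(set)
    for relation in (resolved_to, registered_by):
        for pivot_node, domains in relation.items():
            for domain in domains:
                graph[pivot_node].add(domain)
                graph[domain].add(pivot_node)
    return graph


def pivot(graph, seeds, max_hops=None):
    """Breadth-first walk from the seed indicators.
    Returns {indicator: distance in hops from the nearest seed}."""
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if max_hops is not None and hops[node] >= max_hops:
            continue  # do not expand beyond the analyst's chosen radius
        for neighbour in graph[node]:
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def is_ip(node):
    return node.replace(".", "").isdigit()


def is_email(node):
    return "@" in node


def blocklist(graph, seeds, max_hops=None):
    """Sorted (domains, ips) reachable from the seeds; e-mails are
    pivots only and are not emitted."""
    reached = pivot(graph, seeds, max_hops)
    domains = sorted(n for n in reached if not is_ip(n) and not is_email(n))
    ips = sorted(n for n in reached if is_ip(n))
    return domains, ips


def unbound_zones(domains):
    """Unbound config lines that answer NXDOMAIN for each blocked domain."""
    return [f'local-zone: "{d}" always_nxdomain' for d in domains]


if __name__ == "__main__":
    g = build_graph(RESOLVED_TO, REGISTERED_BY)
    # Seed with the redirection chain's final hop only and let the pivot
    # discover the rest; advertcliks.net is only linked via its own IP and
    # registrant, so it is (correctly) not reached from this seed.
    domains, ips = blocklist(g, ["newupdateronline.org"])
    print(f"# {len(domains)} domains and {len(ips)} IPs reachable from seed")
    print("\n".join(unbound_zones(domains)))
    print("# IPs for the firewall/proxy denylist:", ", ".join(ips))
```

Passing `max_hops=1` restricts the walk to the seed's direct hosting IP and registrant, which is the cautious setting when a shared IP might belong to a hosting provider rather than to the operator; the full walk shows how quickly one registrant e-mail ties the browser-update campaign to a second hosting IP.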

It appears that the traffic is not segmented -- to affect mobile device users only -- at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated operations would segment the traffic, which is usually acquired through the active exploitation of tens of thousands of legitimate Web sites or the direct purchase of segmented mobile traffic.

Interestingly, both novice players in this market segment and the experienced ones implement basic evasive tactics, such as requiring a valid mobile number, to which a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automated acquisition of the apps for further analysis. Moreover, a valid mobile number handed to the cybercriminals behind the campaign is naturally prone to be abused in whatever way those who obtained it prefer, so users are advised to treat their mobile number in a privacy-conscious way.

Tuesday, November 12, 2013

New Commercially Available Modular Malware Platform Released On the Underground Marketplace

Cybercriminals have recently released a new (v3, to be more precise, indicating a possible beneath-the-radar operation until now), commercially available, modular malware platform, including such cybercrime-friendly features as a DNS Changer, Loaders, Injects and Ransomware -- in this particular case completely blocking the Internet access of the affected user -- with several upcoming modules such as stealth VNC and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).

Sample screenshots of the command and control interface and the DNS Changer in action:

With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 managed malware crypting services, applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it. Moreover, yet another factor that would greatly contribute to the success of such newly released platforms is the ease of acquisition of legitimate traffic -- think blackhat SEO, compromised FTP accounts, or mass SQL injection campaigns -- to be later converted into malware-infected hosts, most commonly through social engineering or the client-side exploitation of outdated, already patched vulnerabilities in browser plugins/third-party applications.

Furthermore, with or without full-scale modularity in place -- some of the modules are still in the works -- and despite the lack of built-in renting/reselling/traffic acquisition/affiliate network type monetization elements, typical of what can best be described as a platform-type underground market release as opposed to a standalone modular malware bot, the bot is worth keeping an eye on.

The DNS Changer IP seen in the screenshot, 62.76.176.214 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 62.76.176.214.

Most interestingly, according to this assessment, in addition to phoning back to 62.76.176.214, the same sample is also known to have used the following malicious domains as C&Cs:
6r3u8874dfd9.com - known to have responded to 31.170.179.179
r55u87799hd39.com - known to have responded to 31.170.179.179
r95u8114dfd9.com

The following malicious MD5s are also known to have phoned back to the same C&C IP (31.170.179.179) since the beginning of the month:
MD5: 56f05611ec91f010d015536b7e9fe1a5
MD5: 49aeaa9fad5649d20a9c56e611e81d96
MD5: bf4fa138741ec4af0a0734b28142f7ae
MD5: cd92df2172a40ebb507fa701dcb14fea
MD5: 1d51cde1ab7a1d3d725e507089d3ba5e
MD5: a00695df0a50b3d3ffeb3454534d97a8
MD5: ea8340c95589ca522dac1e04839a9ab9
MD5: f2933ca59e8453a2b50f6d38a9ad9709
MD5: dd9c4ba82de8dcf0f3e440b302e223e8
MD5: d92ad37168605579319c3dff4d6e8c26
MD5: 004bf3f6b7f49d5c650642dde3255b16
MD5: deb8bcd6c7987ee4e0a95273e76feccd
MD5: 1791cb3e3da28aec11416978f415dcd3
MD5: 7eae6322c9dcaa0f12a99f2c52b70224
MD5: 0027511d25a820bcdc7565257fd61ba4
MD5: 294edcdaab9ce21cb453dc40642f1561
MD5: b414d9f54a723e8599593503fe0de4f1
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0
MD5: e1059ae3fb9c62cf3272eb6449de23cf
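
A DNS Changer module leaves a footprint that is cheap to audit: the resolver addresses configured on the host. The following is an added example, not code from the post or from the malware platform it describes. It parses resolver configuration text from two sources (a constructed `/etc/resolv.conf` and a constructed Windows per-interface `NameServer` registry value), then flags every resolver that is either the known-bad IP from the post, 62.76.176.214, or not on the organisation's own resolver allowlist. The allowlist addresses and the sample inputs are assumptions made for the example.

```python
"""Resolver integrity audit against the DNS Changer indicator in the post.

Added example, not the blog's tooling. The only value taken from the post
is the DNS Changer IP; the allowlist and the sample configuration text
are constructed for illustration.
"""
import ipaddress
import re

# From the post: the IP the DNS Changer module points affected hosts at.
KNOWN_BAD_RESOLVERS = {"62.76.176.214"}
# Assumed enterprise resolvers (example values, not from the post).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in
    order; comments and unrelated directives (search, options) are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_windows_value(value):
    """Windows stores per-interface resolvers under
    Tcpip\\Parameters\\Interfaces\\<GUID>\\NameServer as a comma- or
    space-separated string; split it the same way the stack does."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def classify(resolvers):
    """Return (address, verdict) for every resolver worth reporting.
    Verdicts: 'known-bad' (matches the post's indicator), 'unexpected'
    (valid IP but not on the allowlist), 'malformed' (not an IP at all,
    which is itself suspicious in a resolver setting)."""
    findings = []
    for addr in resolvers:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "malformed"))
            continue
        if addr in KNOWN_BAD_RESOLVERS:
            findings.append((addr, "known-bad"))
        elif addr not in ALLOWED_RESOLVERS:
            findings.append((addr, "unexpected"))
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example
nameserver 62.76.176.214
nameserver 10.0.0.53  # secondary
"""
SAMPLE_WIN_NAMESERVER = "10.0.1.53,8.8.8.8"


def audit():
    """Run both parsers over the constructed samples and classify."""
    return {
        "resolv.conf": classify(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        "windows": classify(resolvers_from_windows_value(SAMPLE_WIN_NAMESERVER)),
    }


if __name__ == "__main__":
    for source, findings in audit().items():
        for addr, verdict in findings:
            print(f"{source}: resolver {addr} -> {verdict}")
```

On a real host the two constructed strings would be replaced by the contents of `/etc/resolv.conf` and the `NameServer` values read from the registry; the point of the `unexpected` verdict is that a DNS Changer rarely uses an IP the defender already knows about, so an allowlist catches the next rogue resolver, not just the one published here.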

A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware

The exponential growth of mobile malware over the last couple of years can be attributed to a variety of 'growth factors', the majority of which continue to play an inseparable role in the overall success and growth of the cybercrime ecosystem in general.

Tactics like standardization, efficiency-oriented monetization, systematic bypassing of industry-accepted/massively adopted security measures like signature-based antivirus scanning, affiliate networks helping cybercriminals secure revenue streams for their malicious/fraudulent tactics, techniques and procedures (TTPs), as well as the pseudo-legal distribution of deceptive software -- think scareware with long EULAs and ToS-es -- and of mobile applications -- think subscription-based premium rate SMS malware with long EULAs and ToS-es -- continue to dominate the arsenal of tactics that any cybercriminal aspiring to occupy a market share in any market segment within the cybercrime ecosystem can easily take advantage of in 2013.

What has changed over the last couple of years, in terms of concepts? A lot. For instance, back in 2007, approximately one year after I (publicly) anticipated the upcoming and inevitable monetization of mobile malware, the Red Browser started making its rounds, proving that I was sadly wrong, and that, once again, money and greed -- or plain simple profit maximization, to others -- would play a crucial role in this then-emerging cybercrime ecosystem market segment for mobile malware. Similar monetization attempts on behalf of cybercriminals then followed, further strengthening the ambitions of cybercriminals in this emerging market segment.

With "malicious economies of scale" just starting to materialize at the time, it didn't take long before the concept started getting embedded into virtually each and every cybercrime-friendly product/service advertised on the market. Thanks to Symbian OS dominating the mobile operating system market at the time, opportunistic cybercriminals quickly adapted to steal a piece of the pie by releasing multiple Symbian-based malware variants. Sharing is caring; therefore, here are some MD5s from the Symbian malicious code that used to dominate the threat landscape back then.

Symbian OS malware MD5s from that period of time, for historical OSINT purposes:
MD5: a4a70d9c3dbe955dd88ea6975dd909d8
MD5: 98f7cfd42df4a01e2c4f2ed6d38c1af1
MD5: 6fd6b68ed3a83b2850fe293c6db8d78d
MD5: 38837c60e2d87991c6c754f8a6fb5c2d
MD5: ace9c6c91847b29aefa0a50d3b54bac5
MD5: 3f1828f58d676d874a3473c1cd01a431
MD5: 2163ef88da9bd31f471087a55f49d1b1
MD5: 0a04f6fed68dec7507d7bf246aa265eb
MD5: ad4a9c68f631d257bd76490029227e41
MD5: 7a4639488b4698f131e42de56ceeb45d
MD5: fa3de591d3a7353080b724a294dca394
MD5: 5ba5fad8923531784cd06a1edc6e0001
MD5: 66abbd9a965b2213f895e297f40552e5
MD5: 92b069ef1fd9a5d9c78a2d3682c16b8f
MD5: a494da11f47a853308bfdb3c0705f4e1
MD5: 9f38eff6c58667880d1ff9feb9093dcb
MD5: a8a3ac5f7639d82b24e9eb4f9ec5981c
MD5: 0ebc8e9f5ec72a0ff73a73d81dc6807d
MD5: a3cd8f8302a69e786425e51467ad5f7c
MD5: 522a8efdc382b38e336d4735a73e6b23
MD5: 052abb9b41f07192e8a02f0746e80280
MD5: 712a1184c5fc1811192cba5cc7feda51
MD5: bdae8a51d4f12762b823e42aa6c3fa0a
MD5: aec4b95aa8d80ee9a57d11cb16ce75ba
MD5: 6b854f2171cca50f49d1ace2d454065a
MD5: 945279ce239d2370e4a65b4f109b533b
MD5: cde433d371228fb7310849c03792479e
MD5: 957265e799246225e078a6d65bde5717
MD5: 1f1074b709736fe4504302cbc06fd0f6
MD5: 1cd241a5ea55eb25baf50af25629af27
MD5: 60d9a75b5d3320635f9e33fe76b9b836
MD5: e23f69eea5fa000f259e417b64210d42
MD5: 36503b8a9e2c39508a50eb0bdbb66370
MD5: da13e08a8778fa4ea1d60e8b126e27be
MD5: 642495185b4b22d97869007fcbc0e00f
MD5: 9af5d82f330bbc03f35436b3cc2fba3a
MD5: 6099516a39abb73f9d7f99167157d957
MD5: 6c75b3e9bf4625dc1b754073a2d0c4f1
MD5: ffb37b431ed1f0ac5764b57fa8d4cced
MD5: b3055e852b47979a774575c09978981a
MD5: 66a0bbebbe14939706093aa5831b53a7
MD5: 30a2797f33ecb66524e01a63e49485dd
MD5: 785e921ea686c2fc8514fac94dd8a9cd
MD5: 69a68bdcbad227d5d8d1a27dd9c30ce7
MD5: f246b101bc66fe36448d0987a36c3e0a
MD5: 4fd086a236c2f3c70b7aa869fa73f762
MD5: fd8b784df4bbb8082a7534841aa02f0e
MD5: 3ee70d31d0a3b6fab562c51d8ff70e6d
MD5: 3381d21f476d123dcf3b5cbc27b22ae1
MD5: 006b32148ce6747fddb6d89e5725573e
MD5: b9667e23bd400edcafde58b61ac05f96
MD5: 12527fd41dd6b172f8e28049011ebd05
MD5: c9baecb122bb6d58f765aaca800724d2
MD5: 799531e06e6aa19d569595d32d16f7cc
MD5: e301c2135724db49f4dd5210151e8ae9
MD5: 29d7c73bd737d5bb48f272468a98d673

In 2013, we can easily differentiate between the botnet-building type of two-factor-authentication-bypassing mobile trojans and the, for this market segment ubiquitous, subscription-based premium rate SMS malware, which relies on deceptive advertising and successful 'visual social engineering' campaigns. The latter continues to be largely monetized through one of the primary growth factors of the mobile market segment, namely affiliate networks for mobile malware.

In this post, I'll profile what can best be described as a sophisticated, customer-ized, customization- and efficiency-oriented, API-supporting, DIY mobile "lab" for generating, managing and operating multi-mobile-operating-system mobile malware campaigns. The service's unique value proposition (UVP), in comparison to that of competing "labs" for managing, operating and converting mobile traffic -- the acquisition and selling of mobile traffic is a commoditized underground market item in 2013 -- orbits around the feature-rich interface, offering 100% customization, monitoring and general operation of the campaigns, while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users.

Sample screenshots featuring the administration panel of an affiliate network participant:

Sample "system" domains used for hosting/rotating the generated mobile malware samples courtesy of the service:
jmobi.net - 91.202.63.75
omoby.net - 91.202.63.75
rrmobi.net - 91.202.63.75
moby-aa.ru - 91.202.63.75
mobyc.net - 91.202.63.75
mobi-files.com - 91.202.63.75
mobyw.net - 91.202.63.75
mobyy.net - 91.202.63.75
mobyz.net - 91.202.63.75

Known to have responded to the same IP are also the following malicious domains:
doklameno1.ru
doklameno2.ru
downloadakpinstall.ru
mobiy.net
moby-aa.ru
moby-ae.ru
mobyc.net
mobyw.com
mobyw.net
mobyy.net
mobyz.net
omoby.net
rrmobi.net
system-update.ru
telefontown.pp.ua

Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, relying on the service:

Samples generated and currently distributed in the wild using the service:
MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 0ec11bba4a6a86eb5171ecad89d78d05 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: a6ef49789845ed1a66f94fd7cc089e1b - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
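
The "MD5: ... - detected by N out of M antivirus scanners as A; B" lines used in this post and in the earlier ones on this page are a consistent, machine-readable format, and the detection ratios they carry are exactly the evidence for the signature-bypassing tactic discussed at the top of the post (the J2ME samples above sit at 2 out of roughly 46 engines). The following is an added example, not the blog's tooling: it parses such lines into structured records, also accepting the bare "MD5: <hash>" form used in the C&C lists of the previous post, surfaces the samples under a chosen detection threshold, and exports the set as CSV for a hash feed. The sample lines embedded below are copied from this page; the threshold value is this example's choice.

```python
"""Parser for the detection-ratio indicator lines used on this page.

Added example, not code from the blog. The embedded SAMPLE_LINES are
copied from the posts above (plus one deliberately non-matching line);
the parsing, scoring and CSV export are this example's own.
"""
import re
from collections import namedtuple

Sample = namedtuple("Sample", "md5 detected total names")

# Matches both "MD5: <hash>" and "MD5: <hash> - detected by N out of M
# antivirus scanners as Name1; Name2". The detection part is optional.
LINE_RE = re.compile(
    r"^MD5:\s*(?P<md5>[0-9a-fA-F]{32})"
    r"(?:\s*-\s*detected by\s+(?P<det>\d+)\s+out of\s+(?P<tot>\d+)"
    r"\s+antivirus scanners as\s+(?P<names>.+?))?\s*$"
)


def parse_line(line):
    """One indicator line -> Sample, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    names = tuple(n.strip() for n in m["names"].split(";")) if m["names"] else ()
    detected = int(m["det"]) if m["det"] else None
    total = int(m["tot"]) if m["tot"] else None
    return Sample(m["md5"].lower(), detected, total, names)


def parse(text):
    """All indicator lines in a block of text, in order; other lines dropped."""
    return [s for s in (parse_line(l) for l in text.splitlines()) if s]


def detection_ratio(sample):
    """Fraction of engines that flagged the sample, or None if unknown."""
    return sample.detected / sample.total if sample.total else None


def low_detection(samples, threshold=0.25):
    """Samples whose detection ratio is known and below the threshold:
    the ones a signature-only control is least likely to stop."""
    return [s for s in samples if s.total and detection_ratio(s) < threshold]


def to_csv(samples):
    """Minimal CSV feed; unknown counts are left empty, names joined by |."""
    rows = ["md5,detected,total,names"]
    for s in samples:
        det = "" if s.detected is None else s.detected
        tot = "" if s.total is None else s.total
        rows.append(f"{s.md5},{det},{tot},{'|'.join(s.names)}")
    return "\n".join(rows)


# Lines copied from this page (first three from this post, the bare hash
# from the modular-platform post), plus one line that must be ignored.
SAMPLE_LINES = """\
MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 56f05611ec91f010d015536b7e9fe1a5
Sample Web sites serving multi-mobile-operating-system premium rate mobile malware:
"""


if __name__ == "__main__":
    samples = parse(SAMPLE_LINES)
    for s in low_detection(samples):
        print(f"low detection: {s.md5} {s.detected}/{s.total} {s.names}")
    print(to_csv(samples))
```

The threshold is deliberately a parameter: a 2-out-of-46 J2ME sample is an argument for hash- and behaviour-based controls rather than for trusting whichever engine happens to be deployed, and the bare-hash form parses too so the C&C-only lists from the earlier post can go into the same feed.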

Cybercrime-friendly affiliate networks continue, and will continue, to represent a major driving factor behind the growth of any market segment within the cybercrime ecosystem, as they result in a win-win-lose scenario for their operators, their participants, and the potential victims of the fraudulent/malicious propositions/releases courtesy of these networks. With mobile traffic acquisition available on demand, based on any given preference a potential customer could have, cybercriminals will continue converting it into victims, cashing in on their overall lack of awareness of the TTPs of today's modern cybercriminals.
