It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, which this time has successfully typosquatted my name within its command and control infrastructure.
In this post I'll provide actionable intelligence on the campaign and discuss the infrastructure behind it in depth.
Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979
Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c
Once executed, the sample phones back to:
hxxp://212.117.160.18/install.php?id=02979
which is basically our dear friends at AS44042 ROOT-AS root eSolutions. Note that the id=02979 in the callback is the same affiliate ID as the affid=02979 in the landing URL, so the dropped binary and the landing page can be tied to the same affiliate.
Parked at the same IP, where Crusade Affiliates continue serving a diverse set of fake security software, are more scareware domains.
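Correlating the indicators above by affiliate ID is the quickest way to tie a landing URL to its callback, since affiliate-driven scareware campaigns tend to reuse the same ID across hops. The following is an added example (not the post's own tooling): it refangs the hxxp:// indicators quoted above, pulls the affiliate ID out of either the `affid` or `id` query parameter (the two parameter names seen in this campaign, assumed here to be the only ones that matter), and groups hosts by that ID.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed indicator list, copied from the URLs quoted in the post above.
IOCS = [
    "hxxp://qjcleaner.eu/hitin.php?affid=02979",
    "hxxp://212.117.160.18/install.php?id=02979",
]

# Assumption: these are the query parameters that carry the affiliate ID in this campaign.
AFFILIATE_PARAMS = ("affid", "id")

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator (and [.] dots) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def defang(url: str) -> str:
    """Inverse of refang, for safe inclusion of a live URL in a report."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def parse_ioc(url: str) -> dict:
    """Split an indicator into host, path, affiliate ID and whether the host is a bare IPv4."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query)
    affiliate = None
    for name in AFFILIATE_PARAMS:
        if name in query:
            affiliate = query[name][0]
            break
    host = parts.hostname or ""
    return {
        "host": host,
        "path": parts.path,
        "affiliate": affiliate,
        "is_ip": bool(IPV4_RE.fullmatch(host)),
    }


def correlate_by_affiliate(urls) -> dict:
    """Map each affiliate ID to the ordered list of hosts that carried it."""
    groups: dict = {}
    for url in urls:
        info = parse_ioc(url)
        if info["affiliate"]:
            groups.setdefault(info["affiliate"], []).append(info["host"])
    return groups


if __name__ == "__main__":
    for affiliate, hosts in correlate_by_affiliate(IOCS).items():
        print(f"affiliate {affiliate}: {', '.join(hosts)}")
```

Feeding the two indicators above into `correlate_by_affiliate` yields a single group keyed on 02979 containing both the landing domain and the callback IP; the `is_ip` flag is handy for separating disposable landing domains from the hosting IP that tends to persist across campaigns.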
It's also worth pointing out that the Koobface gang has recently started registering domains under typosquatted variants of my name (for instance Rancho Ranchev, Pancho Panchev, etc.), including hxxp://mayernews.com, which is registered to Danchev Danch (1andruh.a1@gmail.com).
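Registrant names like "Rancho Ranchev" or "Danchev Danch" are one or two edits away from the real name per token, which is exactly what a string-distance check over WHOIS data can catch. The following is an added example (not the post's own tooling): it scores a registrant name against a target name using per-token Levenshtein distance, ignoring token order so that the reversed, truncated "Danchev Danch" still matches. The mayernews.com record is taken from the post; the other records and their domains are constructed test data.

```python
TARGET_NAME = "Dancho Danchev"  # the name being impersonated in the post

# Constructed sample WHOIS records. The first is from the post; the rest are made up.
RECORDS = [
    {"domain": "mayernews.com", "registrant": "Danchev Danch", "email": "1andruh.a1@gmail.com"},
    {"domain": "squat-a.test", "registrant": "Rancho Ranchev", "email": "a@example.test"},
    {"domain": "squat-b.test", "registrant": "Pancho Panchev", "email": "b@example.test"},
    {"domain": "benign.test", "registrant": "John Smith", "email": "c@example.test"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def name_distance(candidate: str, target: str = TARGET_NAME) -> float:
    """Sum, over each candidate token, of its distance to the closest target token.

    Token order is ignored, so 'Danchev Danch' is scored against 'Dancho Danchev'
    as danchev->danchev (0) plus danch->dancho (1). An empty name never matches.
    """
    tokens = candidate.lower().split()
    if not tokens:
        return float("inf")
    target_tokens = target.lower().split()
    return sum(min(levenshtein(tok, t) for t in target_tokens) for tok in tokens)


def flag_typosquatted_registrants(records, target: str = TARGET_NAME, max_distance: int = 2):
    """Return the domains whose registrant name is within max_distance edits of the target.

    max_distance=2 is an assumed threshold tuned to the examples in the post; raise it
    with care, since short common names start to collide at higher values.
    """
    return [r["domain"] for r in records if name_distance(r["registrant"], target) <= max_distance]


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['domain']:16} {r['registrant']:16} distance={name_distance(r['registrant'])}")
    print("flagged:", flag_typosquatted_registrants(RECORDS))
```

Run against the sample records this flags the three typosquatted registrants and leaves the benign one alone. In practice you would pair the name score with the registrant e-mail, since the same throwaway mailbox across several "variants" of a name is a stronger signal than any single near-miss.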