Friday, October 28, 2022

Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains - An Analysis

NOTE:

I took these screenshots in 2009.

There was a time when scareware and pay-per-install (PPI) affiliate-based revenue-sharing networks dominated the threat landscape as the bad guys' primary monetization vector, netting them tens of thousands in fraudulent revenue by enticing users into installing and interacting with rogue and fake security software.

In this post I'll take a deeper look inside the YaBucks affiliate-network-based scareware serving network, which affected thousands of users globally given the number of affiliates that participated in it, and provide technical details on its Internet-connected infrastructure to assist with cyber attack and campaign attribution efforts.
 
Sample screenshots include:

Sample domains known to have been involved in the campaign include:

hxxp://pontesmedia.com - 74.54.241.100
hxxp://matelab.com
hxxp://legochild.com
hxxp://imzee.com
hxxp://mustmake.com
hxxp://ovobundle.com
hxxp://emulehome.com
hxxp://skyaffiliate.com
hxxp://vivosearch.com
hxxp://ovocash.com
hxxp://p2passion.com
hxxp://datingnoon.com
hxxp://profilissimo.com
hxxp://flipero.com
hxxp://adware-help.com
hxxp://spacextender.com
hxxp://mybuckler.com
hxxp://iframr.com
hxxp://glintgames.com
hxxp://justares.com
hxxp://ppitalks.com
hxxp://theinstalls.com
hxxp://adwaredollars.com
hxxp://funtarget.com
hxxp://theimageoutlet.com
hxxp://petduet.com
hxxp://tivisoft.com
hxxp://softpont.com
hxxp://blogency.com
hxxp://wiiactivity.com
hxxp://bnetworks.us
hxxp://gorasoft.us
hxxp://camerabid.net
hxxp://freemediashare.net
hxxp://germek.net
hxxp://imupdates.net
hxxp://allworldstars.net
hxxp://gorasoft.net

Sample responding IPs known to have been involved in the campaign include (these are the addresses the domains responded from when this post was compiled, and many of them sit in shared hosting, CDN or domain-parking ranges, so an IP on its own is a weak indicator here and is best used only as a pivot together with its domain):
hxxp://54.208.174.161
hxxp://154.72.193.28
hxxp://54.165.156.210
hxxp://54.200.75.96
hxxp://52.72.89.116
hxxp://199.184.144.27
hxxp://74.208.236.241
hxxp://74.208.21.90
hxxp://207.148.248.143
hxxp://50.63.202.104
hxxp://184.168.221.39
hxxp://52.202.22.6
hxxp://54.209.32.212
hxxp://54.208.74.215
hxxp://45.40.140.6
hxxp://68.178.213.203
hxxp://213.186.33.18
hxxp://3.223.115.185
hxxp://52.71.210.200
hxxp://23.20.239.12
hxxp://54.80.72.81
hxxp://34.102.136.180
hxxp://146.112.61.107
hxxp://204.11.56.48
hxxp://23.202.231.167
hxxp://23.217.138.108
hxxp://107.23.198.240
hxxp://35.171.109.224
hxxp://52.7.6.73
hxxp://52.71.185.125
hxxp://54.174.212.152
hxxp://52.6.224.208
hxxp://54.209.58.131
hxxp://3.224.108.191
hxxp://34.206.145.143
hxxp://18.119.154.66
hxxp://217.160.0.202
hxxp://72.32.183.55
hxxp://13.70.194.134
hxxp://52.50.218.98
hxxp://52.19.184.19
hxxp://156.245.122.96
hxxp://154.38.221.164
hxxp://180.215.252.181
hxxp://52.16.207.139
hxxp://192.163.249.115
hxxp://54.183.99.63
hxxp://46.249.46.67
hxxp://146.112.61.106
hxxp://23.202.231.168
hxxp://23.195.69.108
hxxp://185.230.63.171
hxxp://185.230.63.186
hxxp://109.234.109.84
hxxp://192.232.231.38
hxxp://50.63.202.47
hxxp://50.63.202.49
hxxp://50.63.202.59
hxxp://198.105.244.11
hxxp://184.168.221.57
hxxp://185.230.61.173
hxxp://184.168.221.36
hxxp://104.239.213.7
hxxp://34.117.168.233
hxxp://85.13.164.142
hxxp://185.230.60.173
hxxp://199.34.228.59
hxxp://103.224.182.244
hxxp://36.86.63.182
hxxp://184.168.221.65
hxxp://185.205.210.23
hxxp://204.16.144.135
hxxp://172.93.51.245
hxxp://76.223.65.111
hxxp://184.168.221.53
hxxp://218.93.250.18
hxxp://184.168.221.40
hxxp://93.89.226.17
hxxp://54.72.11.253
hxxp://198.105.254.11
hxxp://18.211.9.206
hxxp://185.53.179.7
hxxp://91.237.88.232
hxxp://52.15.160.167
hxxp://3.140.179.210
hxxp://3.141.79.17
hxxp://198.61.166.153
hxxp://69.56.252.44
hxxp://143.95.87.47
hxxp://104.24.126.199
hxxp://50.63.202.43
hxxp://23.246.252.106
hxxp://141.8.226.19
hxxp://3.143.123.90
hxxp://3.138.54.87

Sample malicious MD5s known to have been involved in the campaign include:
MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2
MD5: 1aadbc70670bc05875c04c9e86c0356e
MD5: f18c7a4fed30371a0eba7eef3051234f
MD5: b492493154482d9bb6e24340d8866dec
MD5: 72e5a2dadc0711f36e84f636b7267b1b
MD5: eab74844a9b34edc1b7b3d4e84aab5ec
MD5: 322367ea2f686916a44181bf72c49726
MD5: d9f6bf40003d44ecf7b2fa697a9e73dd

Sample malicious and fraudulent C&C server URLs known to have been involved in the campaign include:
hxxp://skyaffiliate.com/count.php
hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9

Stay tuned!

CAPTCHA is Dead! - Here's the Proof

Dear blog readers,

It's an open secret that the majority of today's Web sites rely on CAPTCHA to tell users from bots and automated software. In reality this is a flawed and outdated way to protect a Web site and its visitors: in 2022 we still live in a world where CAPTCHA-solving as a service, including reCAPTCHA solving as a service, continues to proliferate, with possibly thousands of workers across the globe processing hundreds of thousands of CAPTCHAs from popular CAPTCHA services, empowering Russian and international cybercriminals to automatically register new accounts on major Web properties and social networks.

In this post I'll detail the activities of several known CAPTCHA-solving services and discuss their functionality in depth, to raise awareness of the systematic, automated CAPTCHA solving performed by humans in affiliate-based networks.

Sample URLs known to have been involved in the campaign include:

hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92; 52.73.115.80; 172.64.138.13; 172.67.184.21

hxxp://captchaocr.com - 172.93.194.59; 172.93.194.58; 3.130.204.160; 103.224.212.221; 3.19.116.195

hxxp://typethat.biz - once executed, the sample phones back to hxxp://5fc.info - 184.168.192.116; 45.40.164.140; 209.99.40.222; 208.91.199.225; 50.62.160.53

Sample MD5 known to have been involved in the campaign include:

MD5: eb1ef93dcf2e9fd747ea2b80dd0c2619

Related URLs known to have been involved in similar campaigns include:

hxxp://captchasolver.com/

hxxp://216.55.132.15/captchas

hxxp://64.34.161.26:8888/type/typer.html

hxxp://panel.6ew.pl/index.php

hxxp://www.geocities.com/workcaptcha/magic.bolobomb.htm

hxxp://magic.bolobomb.com/lepricon/index.php

hxxp://www.geocities.com/workcaptcha/destination.work.htm

hxxp://nagic.bolobomb.com/lepricon/index.php?A=STATS

hxxp://www.destination-server.com/bulletinpics/entry.cgi

hxxp://www.destination-server.com/bulletinpics/server-slow.cgi

hxxp://74.55.167.90:8546/entry/type.php?

hxxp://www.lovecolony.com/captchasetup.exe

hxxp://www.captchaocr.com/human/index.php

hxxp://bpoworld.awardspace.com/
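The indicator lists in this post and in the YaBucks post above share one layout: defanged hxxp:// hosts, an optional " - ip; ip" resolution suffix, bare IPs, and "MD5: <hash>" lines. The parser below is added here as an example and is not code from the original posts; it normalizes such a dump into validated, deduplicated indicator sets and sets aside anything it cannot parse cleanly for manual review. The SAMPLE text is constructed for the example in the posts' layout: its real indicators are copied from the two posts, while the "1.2.3" and "not-a-hash" entries are deliberately invalid to exercise the rejection path. It uses only the Python standard library.

```python
"""Added example (not code from the original posts): normalize a defanged
IOC dump into validated, deduplicated indicator sets."""
import ipaddress
import re

MD5_RE = re.compile(r"^MD5:\s*([0-9a-f]{32})\s*$", re.I)
DEFANG_RE = re.compile(r"^hxxp(s?)://", re.I)
# Pragmatic FQDN check: dotted LDH labels, alphabetic TLD, no trailing dot.
HOST_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample in the layout the posts use. The real indicators are
# copied from the posts; '1.2.3' and 'not-a-hash' are deliberately invalid.
SAMPLE = """\
Sample domains known to have been involved in the campaign include:

hxxp://pontesmedia.com - 74.54.241.100
hxxp://matelab.com
hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92; 172.67.184.21
hxxp://gorasoft.net - 1.2.3; 74.54.241.100

Sample responding IPs known to have been involved in the campaign include:
hxxp://54.208.174.161
hxxp://74.208.236.241

Sample malicious MD5s known to have been involved in the campaign include:
MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2
MD5: not-a-hash

Sample malicious and fraudulent C&C server URLs known to have been involved in the campaign include:
hxxp://skyaffiliate.com/count.php
hxxp://64.34.161.26:8888/type/typer.html
"""


def refang(line: str) -> str:
    """Turn a leading hxxp:// or hxxps:// back into http(s):// for tooling."""
    return DEFANG_RE.sub(lambda m: "http%s://" % m.group(1), line.strip())


def parse_ip(text: str):
    """Return the normalized IP string, or None if text is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def parse_iocs(text: str) -> dict:
    """Parse a defanged dump into {'domains': {fqdn: {ip}}, 'ips', 'urls',
    'md5', 'rejected'}. Lines that are not clean indicators go to
    'rejected' for manual review instead of being guessed at."""
    out = {"domains": {}, "ips": set(), "urls": set(), "md5": set(), "rejected": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):        # blank line or section heading
            continue
        if line.upper().startswith("MD5:"):
            m = MD5_RE.match(line)
            if m:
                out["md5"].add(m.group(1).lower())
            else:
                out["rejected"].append(raw)
            continue
        if not DEFANG_RE.match(line):              # free text, not an indicator
            out["rejected"].append(raw)
            continue
        # Split off an optional " - ip; ip; ip" resolution suffix.
        target, _, resolutions = refang(line).partition(" - ")
        resolved = [parse_ip(r) for r in resolutions.split(";") if r.strip()]
        if resolutions and None in resolved:       # malformed resolution list
            out["rejected"].append(raw)
            continue
        netloc, slash, _path = target.split("://", 1)[1].partition("/")
        host = re.sub(r":\d+$", "", netloc).lower()  # drop an explicit port
        ip = parse_ip(host)
        if ip:
            if slash:
                out["urls"].add(target)            # URL served from a bare IP
            else:
                out["ips"].add(ip)
        elif HOST_RE.match(host):
            if slash:
                out["urls"].add(target)            # keep the full URL too
            out["domains"].setdefault(host, set()).update(resolved)
        else:
            out["rejected"].append(raw)
    return out


def flatten(iocs: dict) -> list:
    """One 'type<TAB>value' line per unique indicator, sorted for diffing."""
    rows = {("domain", d) for d in iocs["domains"]}
    rows |= {("ip", ip) for ips in iocs["domains"].values() for ip in ips}
    rows |= {("ip", ip) for ip in iocs["ips"]}
    rows |= {("url", u) for u in iocs["urls"]}
    rows |= {("md5", h) for h in iocs["md5"]}
    return ["%s\t%s" % row for row in sorted(rows)]


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE)
    print("\n".join(flatten(parsed)))
    print("rejected for manual review:", parsed["rejected"])
```

The parser deliberately refuses to guess: a resolution suffix with a non-address in it, or a free-text line such as the typethat.biz entry above, lands in "rejected" rather than silently attributing IPs to the wrong host. A URL line also contributes its host to the domain set, so a domain that appears both as a bare host and as a C&C URL is emitted once.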

Stay tuned!

Mobile Malware - Hype or Threat? - An Analysis

NOTE:

I wrote this article in 2006.

You've definitely witnessed the ongoing speculation on whether or not mobile malware represents the kind of threat some vendors have been accused of hyping. Malware authors are uniquely positioned to follow the trend, recognize when an approach has matured enough that it is time to reset it, and then suddenly shift their techniques entirely -- which produces the weekly "P2P, IM, email, and yes, Skype as the next big thing on the malware scene" type of media articles.

It's all cyclical, and not rocket science requiring a reverse engineer to explain it and dazzle you with advanced assembly expertise.

There are incentives for malware authors to code mobile malware, namely the commercialization of mobile malware itself, which happened in the middle of 2006 with the release of RedBrowser. This was among the key points I indicated in my "Malware - Future Trends" research, released at the beginning of 2006. As always, the ugliest things are the easiest to emerge.

A mobile phone's voting and purchasing power alone should be enough to spark your imagination about the possible abuses.

Why would an end user start asking a mobile operator's representative about the availability of mobile anti-virus scanners? Because he or she would have been a victim of the art of market development, viral

The industry's main points:

- more people have mobile phones than own a personal computer -- which doesn't mean they're all smartphones running Symbian or Windows Mobile

- over 300 generically detected malware samples, which recalls the concept of a malware family in the PC malware world. These are all the Cabir family, whose code spread across the Internet and has hordes of script kiddies fueling the FUD while watching Takedown and inspiring themselves to eavesdrop on someone's mobile communication while "commuting" in the park

The reality

- Anti-virus vendors suffer from marketing myopia: they've simply fallen in love with their products, and we all know that once you fall in love it's hard to stay as pragmatic as you used to be -- sweet pain

- the majority of known mobile malware derives from the publicly available Cabir proof-of-concept (PoC) code, specifically the spreading routine within it. In other words, the current threat is nothing more than a single mobile malware family, and there's no such thing as a perfect family

- malware authors are too busy taking advantage of the soon-to-be one billion Internet users worldwide to efficiently play a cat-and-mouse game on mobile

- the end user MUST confirm the unknown Bluetooth connection (if the phone is in discoverable mode at all), and must then confirm execution of an executable from an unknown source

- given that Symbian and Windows Mobile dominate the mobile OS space, a vulnerability in those systems would be the crucial enabler

- anti-virus signatures are, by nature, a reactive protection

I once argued about the myth of anti-virus vendors sharing every malware sample they come across, and about the "usefulness" of virus signatures in today's open-source malware and malware-on-demand world.

How to protect yourself?

- be aware of the basics of mobile malware

- don't install applications from untrusted on-the-go sources

Do you need a personal anti-virus scanner for your mobile phone? No, you don't, but mobile operators need them at the gateway level; the rest is just your mobile operator differentiating its offering, positioning itself as a conscientious one, and further fueling growth in the market -- whether the revenues get spent on further R&D on mobile malware, or on market development with other products, is up to the vendors themselves.

It's your network operator who should be responsible for limiting the spread of potential epidemics; charging a buck to catch a slight modification of Cabir's PoC spreading module brings us back to the same old issue of open-source malware, malware on demand, and the usefulness and recency of anti-virus signature updates. My point: responsibility for dealing with the generic, family-based mobile malware we're seeing today should rest with my mobile operator, not with me getting infected and spreading the disease even further.

The average mobile phone user would enjoy a provider's brand even more if he's been talked into the huge dangers posed by mobile malware -- from a marketing point of view he would even spread the word further, trying to make others perceive him as a tech-savvy individual with a fancy AV scanner on a handset that cost a couple hundred.

Targeted attacks have huge potential, though, while a mass sending of mobile malware would result in the mobile operator blocking it directly rather than merely relying on end users to take care of their responsibilities. All it takes is one widespread mobile malware dissemination attempt, and you'll witness your operator using its ownership powers to shock and awe you with its know-how.

Wise investments are not always the ones that seem the most proactive, but the ones that take advantage of the momentum.

Remember, the best marketers don't just respond profitably to consumers' needs, they create new markets. It's the unspoken rule of the game.

What's next? Anti-virus software for your gaming device and music player, as well as for your IPv6-compatible fridge? For sure, but in the very, very long run. Meanwhile, be aware, don't panic, and base your concerns on objective and unbiased sources only.

Stay tuned!