This summary is not available. Please
click here to view the post.
Continue reading →
Showing posts with label Mac OS X. Show all posts
- Go through related web shell backdoors, monetization posts: A Compilation of Web Backdoors; Monetizing Web Site Defacements; Underground Multitasking in Action; Monetizing Compromised Web Sites, Web Site Defacement Groups Going Phishing
Moreover, this China-based IP (it even has a modest Alexa pagerank) was also the centralized redirection point in Koobface 1.0's scareware business model using popup.php to redirect to a systematically updated portfolio of scareware domains, and the first time ever that I came across to what the gang is now publicly acknowledging as the "2008 ali baba and 40, LLC" team.AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru
sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru
stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru
ubojnajasila .net - 61.235.117.87 - Email: ubojnajasila.net@contactprivacy.com
Here's how the experiment looks like in its current form. Once the OS is detected, the redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm loading the following pages, using the gang's unique campaign IDs at AdultFriendFinder:
- BestDatingDirect .com/page_hot.php?page=random&did=14029
- adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc
Parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global is the rest of the dating site redirectors:bestdatingdirect .com
bestnetdate .com
currentdating .com
datefunclub .com
enormousdating .com
giantdating .com
onlinelovedating .com
worldbestdate .com
worlddatinghere .com
This isn't the first time that the Koobface gang is attempting to monetize traffic through dating affiliate networks. In fact, in November's "Koobface Botnet's Scareware Business Model - Part Two" post emphasizing on the gang's connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out on their connection with an Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.
An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of an Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.
For the time being, the following dating scam domains are responding to the same IP: healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorst10@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net
love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net
Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit serving domains at 195.88.190.247, participate in phishing campaigns, and register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).
Of course, the money made in process looks like pocket change compared to the money they gang makes through blackhat SEO, click fraud and scareware in general -- go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'll do sooner or later, namely, start diversifying and experimenting due to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.
Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Apple's OS X has always been positioned as a juicy target even though it's market share is almost non-existent compared to Microsoft's domination. And while converting iPod customers into MAC users hasn't shown any progress so far and I doubt it would, malware authors are as always actively experimenting or diversifying the threatscape. One question remains unclear, why would someone want to own a MAC, compared to owning hundreds of thousands of Windows PCs out there? To me, it's not about achieving the scale necessary for a Botnet, rather, experiment, show that it's possible through POC releases, or basically start attacking the living in a safe heaven until for now, MAC users.
Recently, an OS X trojan appeared, second (nice attitude from Apple on embracing the inevitable!), one followed, and besides "worming" a vulnerability and experimenting with propagation methods, I don't really think it's the big trend everyone is waiting for, a standard POC(Cabir), whose core function would empower a generation of variants for years to come.
I just came across this from Trifinite's blog :
"Trifinite.group member Kevin has published a paper detailing the techniques he used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X systems. There has been significant confusion surrounding this worm, so here are some salient points:
- The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
- There is no conspiracy, AV vendors and Apple were notified about Kevin's progress in developing this worm in advance of making details publicly available
- Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
- InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently
Kevin's paper is available at http://www.digitalmunition.com/InqTanaThroughTheEyes.txt. Comments can be directed to the BlueTraq mailing list. Our sympathies to those organizations who were affected by the false-positive signatures published by overzealous AV companies."
It clarifies a lot I think, mostly that, while architecture and OS popularity have a lot to do with security and incentives for attacks, "InqTana.A itself has absolutely nothing to do with Leap.A. My work was done completely independent of the author of Leap. The day after I sent out queries to the AV companies about my code I was shocked to see another OSX worm had already been in the news. While my worm sat in the mail spools of several AV companies they were busy writing about the "First Trojan/Worm for OSX"."
Leakage of IP, or I'm being a paranoid in here? Wired also has some nice comments.
Technorati tags :
Security, Information Security, Apple, Malware, Leap, InqTana, Anti Virus Continue reading →
Recently, an OS X trojan appeared, second (nice attitude from Apple on embracing the inevitable!), one followed, and besides "worming" a vulnerability and experimenting with propagation methods, I don't really think it's the big trend everyone is waiting for, a standard POC(Cabir), whose core function would empower a generation of variants for years to come.
I just came across this from Trifinite's blog :
"Trifinite.group member Kevin has published a paper detailing the techniques he used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X systems. There has been significant confusion surrounding this worm, so here are some salient points:
- The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
- There is no conspiracy, AV vendors and Apple were notified about Kevin's progress in developing this worm in advance of making details publicly available
- Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
- InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently
Kevin's paper is available at http://www.digitalmunition.com/InqTanaThroughTheEyes.txt. Comments can be directed to the BlueTraq mailing list. Our sympathies to those organizations who were affected by the false-positive signatures published by overzealous AV companies."
It clarifies a lot I think, mostly that, while architecture and OS popularity have a lot to do with security and incentives for attacks, "InqTana.A itself has absolutely nothing to do with Leap.A. My work was done completely independent of the author of Leap. The day after I sent out queries to the AV companies about my code I was shocked to see another OSX worm had already been in the news. While my worm sat in the mail spools of several AV companies they were busy writing about the "First Trojan/Worm for OSX"."
Leakage of IP, or I'm being a paranoid in here? Wired also has some nice comments.
Technorati tags :
Security, Information Security, Apple, Malware, Leap, InqTana, Anti Virus Continue reading →
Subscribe to:
Comments (Atom)
RSS Feed