Showing posts sorted by date for query zlkon.

Tuesday, March 31, 2009

Diverse Portfolio of Fake Security Software - Part Seventeen

The following are some of the currently active or about-to-go-online rogue security software domains, and their associated payment gateways, exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well-known Russian Business Network customers has continued to take place, with their portfolios of malicious campaigns currently parked at several ISPs. zlkon.lv (DATORU EXPRESS SERVISS Ltd, AS12553 PCEXPRESS-AS) remains the ISP of choice for the time being in the context of rogue security software.

mydwnld .com (94.102.51.14; 88.198.8.15)
desktoprepairpackage .com
malwareremovingtool .com
spywareprotectiontool .com
pcantimalwaresolution .com

pcsolutionshelp .com
removespywarethreats .com


yournetcheckonline .com (94.247.2.215)
bestnetcheckonline .com
easynetcheckonline .com
yourwebexamine .com
bestwebexamine .com
easywebexamine .com
yourinternetexamine .com
myinternetexamine .com
linkcanlive .com
yourwebscanlive .com
easywebscanlive .com
internethomecheck .com
websecurecheck .com
websportscheck .com
websmartcheck .com
yournetascertain .com
yournetcheckpro .com
bestwebscanpro .com
security-check-center .com
downloadantivirusplus .com
theantivirusplus .com
myantivirusplus .com
safeyouthnet .com
av-plus-support .com


antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com
microsoft.infosecuritycenter .com
microsoft.softwaresecurityhelp .com
professionalupdateservice .com
platinumsecurityupdate .com

antispywarequickupdates .com (78.137.168.33)

paymentsystemonline .com (213.239.210.54) Jerom M Collins Email: admin@routerpayments.com
liveupdatesoftware .com
royalsoftwareupdate .com
protectionsoftwarecheck .com
securitysoftwarecheck .com
privateupdatesystem .com
updatesoftwarecenter .com
updateprotectioncenter .com
updatepcsecuritycenter .com
powerdownloadserver .com
rapidsoftwareupdates .com
professionalsoftwareupdates .com
allsoftwarepayments .com
powerfullantivirusproduct .com
securedprostatsupdates .cn


liveantimalwareproscan .com (91.211.64.47) Giang B Ahrens Email: chu-thi-huong@giang.com
liveantimalwarequickscnan .com
online-antimalware-scanner .com
advancedprotectionscanner .com
advancedproantivirusscanner .com


securedsystemupdates .com (78.47.248.113) Anatoliy Lushko Email: tvdomains@lycos.com
premiumworldpayments .com
systemsecuritytool .com (209.44.126.16)
systemsecurityonline .com
internetsafetyexamine .com (91.212.65.55)
youronlinestability .com
promotion-offer .com (78.46.148.49; 85.17.254.158; 88.198.233.225; 89.248.168.46) Roland Peters Email: rolandpeters@europe.com

During March, a new type of scareware with elements of ransomware started circulating in the wild. It will be interesting to monitor whether it becomes the de facto standard for optimizing revenues out of rogue security software.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Monday, February 02, 2009

The Template-ization of Malware Serving Sites - Part Two

The growing use of "visual social engineering" in the form of legitimate-looking codecs, Flash Player error screens, adult web sites, and YouTube windows, in order to hand the infection process over to the end user himself, is the direct result of the ongoing template-ization of malware serving sites. This standardizing is all about achieving efficiency: in this case, coming up with high-quality, legitimate-looking templates that fool the average Internet user by borrowing the clean reputation of the impersonated service in question.

The attached screenshot of the very latest DIY Windows Media Player template, with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped off from a competing affiliate network participant (the currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images are hosted at ImageShack, and the codec has been released for everyone in the ecosystem to use -- and so they will.

Interestingly, the mirrored copy, now tweaked and distributed for free using free image hosting services as the infrastructure provider for the layout, also contains leftovers from the original campaign template that was mirrored, which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS), or zlkon.lv. In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet, since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customers, operating under new domains of course, have been generating quite some malicious activity at zlkon.lv for a while.

Portfolio of fake codec serving domains parked at the original mirrored domain's IP:
xxxporn-tube .com (93.190.140.56)
uporntube-07 .com
tubeporn08 .com
porn-tube09 .com
tubeporn09 .com
allsoft-free .com
all-softfree .com
lsoftfree .com
porntubenew .com


Download locations:
brakeextra .com/download/FlashPlayer.v..exe (94.247.2.183)
brakeextra .com/download/TestCodec.v.3.127.exe


Entire portfolio of domains parked at 94.247.2.183:
brakeextra .com 
thebestporndump2 .com
fire-extra .com
xp-extra .com
delfiextra .com
qazextra .com
track-end .com
fire-movie .com
extrabrake .com
crack-serial-keygen-online .com
extra-turbo .com
extra-nitro .com
apple-player .com
meggauploads .com
soft-free-updates .com
quicktimesoft .com
cleanmovie .net
nitromovie .net
trackgame .net
quotre .net
rexato .net
spacekeys .net


Dots, dots, dots: trackgame .net is once again proving the multitasking mentality of cybercriminals these days. It is also one of the download locations participating in the recent Google Video search query poisoning attacks.
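Both posts above publish their indicators in the same defanged form: a domain written as "name .tld" so it does not turn into a live link, an optional URL path, an optional "(ip; ip)" group that applies to that line and to every bare domain below it until the next group, and sometimes trailing registrant details. The following is an added example, not code from the original posts, showing how a practitioner would turn such lists into structured records, a domain blocklist, and an IP-to-domains pivot. The sample text is constructed in the posts' format (a subset, with the duplicate entries the lists contain), and the function and class names are this example's own.

```python
"""Parse the blog's defanged rogue-AV / fake-codec indicator lists.

Format handled (as used in the two posts above):
  name .tld[/path] [(ip; ip; ...)] [registrant name] [Email: address]
An IP group carries forward to the bare domains listed beneath it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the posts' own format; not a verbatim copy of the page.
SAMPLE = """\
mydwnld .com (94.102.51.14; 88.198.8.15; 94.102.51.14)
desktoprepairpackage .com
malwareremovingtool .com

antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com
microsoft.infosecuritycenter .com
platinumsecurityupdate .com
platinumsecurityupdate .com

Download locations :
brakeextra .com/download/TestCodec.v.3.127.exe (94.247.2.183)
promotion-offer .com (78.46.148.49; 85.17.254.158) Email: Roland Peters rolandpeters@europe.com
"""

LINE_RE = re.compile(
    r"^(?P<host>[a-z0-9][a-z0-9.-]*)\s+\.(?P<tld>[a-z]{2,})"  # defanged 'host .tld'
    r"(?P<path>/\S*)?"                                         # optional URL path
    r"(?:\s*\((?P<ips>[^)]*)\))?"                              # optional '(ip; ip)' group
    r"(?P<rest>.*)$",                                          # registrant leftovers
    re.IGNORECASE,
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


@dataclass(frozen=True)
class Indicator:
    domain: str                      # refanged, lower-cased
    path: str                        # '' unless the line carried a URL path
    ips: tuple                       # inherited from the nearest IP group above
    registrant_name: Optional[str]
    registrant_email: Optional[str]


def _parse_ips(field: str) -> tuple:
    """Split '1.2.3.4; 5.6.7.8', drop duplicates, keep only valid addresses."""
    seen = {}
    for tok in field.split(";"):
        tok = tok.strip()
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            continue                     # ignore non-IP debris inside the parentheses
        seen[tok] = None
    return tuple(seen)


def parse_iocs(text: str) -> List[Indicator]:
    """Return one Indicator per unique (domain, path); prose lines are skipped."""
    records: List[Indicator] = []
    current_ips: tuple = ()
    seen_keys = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # blank line, heading, or prose
        if m.group("ips") is not None:
            current_ips = _parse_ips(m.group("ips"))
        domain = f"{m.group('host')}.{m.group('tld')}".lower()
        path = m.group("path") or ""
        if (domain, path) in seen_keys:
            continue                     # the published lists repeat entries
        seen_keys.add((domain, path))
        rest = m.group("rest").strip()
        email_m = EMAIL_RE.search(rest)
        email = email_m.group(0) if email_m else None
        name = None
        if rest:
            name = rest.replace("Email:", "")
            if email:
                name = name.replace(email, "")
            name = name.strip() or None
        records.append(Indicator(domain, path, current_ips, name, email))
    return records


def domain_blocklist(records: List[Indicator]) -> List[str]:
    """Sorted unique refanged domains, ready for a DNS sinkhole or proxy list."""
    return sorted({r.domain for r in records})


def group_by_ip(records: List[Indicator]) -> Dict[str, List[str]]:
    """Pivot: which domains were parked on each IP (the blog's own grouping)."""
    out: Dict[str, List[str]] = {}
    for r in records:
        for ip in r.ips:
            bucket = out.setdefault(ip, [])
            if r.domain not in bucket:
                bucket.append(r.domain)
    return {ip: sorted(doms) for ip, doms in out.items()}


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE)
    for r in recs:
        print(r.domain, r.path, r.ips, r.registrant_name, r.registrant_email)
    for ip, doms in group_by_ip(recs).items():
        print(ip, doms)
```

The regex is anchored at the start of the line and requires the space before the TLD, so defanged domains quoted inside prose (such as the affiliate URL mentioned in the template paragraph) are not picked up by accident; feed the indicator lists rather than whole posts if you want the prose mentions excluded, or loosen the anchor if you want them included.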