Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

January 08, 2010

UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme, in order to infect gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).

Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx

Fast-fluxed seed IPs:
61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88

DNS servers of notice:
ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com

Hundreds of typosquatted subdomains reside within the following currently active domains:
ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssd1 .cc
vcrssd1 .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk

ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com

yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com

ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com

Seen within the past 24 hours, now offline domains part of the campaign:
yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net

Upon execution the sample phones back to the already blacklisted by the Zeus Tracker nekovo .ru:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked withn the same AS, are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang

January 08, 2010

The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious domains for a particular campaign, are also, simultaneously rotated across all the campaigns that they manage.

For instance, throughout the past half an year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns, was parked on the now shut down Riccom LTD - AS29550. From the massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the malvertising attack at the New York Times web site, and the click-fraud facilitating Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang (Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.

Related Koobface research and analysis:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Summarizing Zero Day's Posts for December

January 04, 2010

The following is a brief summary of all of my posts at ZDNet's Zero Day for December, 2009.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

01. Koobface botnet enters the Xmas season
02. How many people fall victim to phishing attacks?
03. Zeus crimeware using Amazon's EC2 as command and control server
04. Report: Google's reCAPTCHA flawed
05. FBI: Scareware distributors stole $150M

This post has been reproduced from Dancho Danchev's blog. Continue reading →

The Koobface Gang Wishes the Industry "Happy Holidays"

December 26, 2009

Oops, they did it again - the Koobface gang, which is now officially self-describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed -- notice the worm in the name -- background on Koobface-infected hosts, but it has also included a "Wish Koobface Happy Holidays" script -- last time I checked there were 10,000 people who clicked it -- followed by the most extensive message ever left by the gang, which is amusingly attempting to legitimize the activities of the gang.

In short, the message with clear elements of PSYOPS, attempts to position the Koobface worm as a software, where the new features are requested by users, and that by continuing its development, the authors are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg for the malicious activities the group itself is involved in. Consider going through the related Koobface research posts featured at the bottom of the post, in order to grasp the importance of how widespread and high-profile the activities of this group are. The exact message, screenshot of which is attached reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:

Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
Cisco for their 3rd place to our software in their annual "working groups awards";
Soren Siebert with his great article;
Hundreds of users who send us logs, crash reports, and wish-lists.

In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

For the record, in case you were living on the other side of the universe, and weren't interested in the raw details taking place within the underground ecosystem, in July, 2009, I was the only individual ever mentioned by the Koobface gang, which back then included the following message within the command and control infrastructure for 9 days:

"We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."

Next to the folks at TrendMicro, the DHS also featured the event in DHS Daily Open Source Infrastructure Report for 3 September 2009 at page 18:

"This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."

It got ever more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October, 2009, resulting in thousands of Facebook visits every time their crawlers were visiting a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on the top of the research pie will see daylight anytime soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - "I've got you under my skin". They'll get the point.

And now comes my Christmas present, systematic take-down, blacklisting, and domain suspension of Koobface scareware operations.

Sample detection rates by Koobface binaries - go.exe; fb.79.exe; fblanding.exe; v2captcha.exe; v2webserver.exe; pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f - Email: Josefinat@yahoo.com - 193.104.22.200 - AS34305; EUROACCESS Global Autonomous System acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at 193.104.22.200/91.212.226.95:
2010scannera1 .com - Email: NathanHSchafer@yahoo.com
artificial2010 .com - Email: Josefinat@yahoo.com
bestdiscounts2010 .com - Email: FrancesHAustin@yahoo.com
bestparty2009 .com - Email: FrancesHAustin@yahoo.com
bestparty2010 .com - Email: FrancesHAustin@yahoo.com
bestpffers2010 .com - Email: FrancesHAustin@yahoo.com
best-wishes-design .com - Email: FrancesHAustin@yahoo.com
bestyearparty .com - Email: FrancesHAustin@yahoo.com
celebrate2009year .com - Email: FrancesHAustin@yahoo.com
celebrate-designs .com - Email: FrancesHAustin@yahoo.com
happy-newyear2010 .com - Email: JerryHWallace@yahoo.com
internetproscanm .com - Email: JacquelynMRyan@yahoo.com
internetproscanq .com - Email: JacquelynMRyan@yahoo.com
internetproscanr .com - Email: JacquelynMRyan@yahoo.com
internetproscanw .com - Email: JacquelynMRyan@yahoo.com
internetproscany .com - Email: JacquelynMRyan@yahoo.com
megascannera .com - Email: MichaelDFranklin@yahoo.com
megasecurityl .com - Email: MichaelDFranklin@yahoo.com
megasecurityp .com - Email: MichaelDFranklin@yahoo.com
megasecurityq .com - Email: MichaelDFranklin@yahoo.com
newholidaydesigns .com - Email: FrancesHAustin@yahoo.com
newyearandsanta .com - Email: JerryHWallace@yahoo.com
newyeardesgings .com - Email: FrancesHAustin@yahoo.com
onlinesecurityn1 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com
onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com
online-securtiyv1 .com - Email: LucyGBrown@yahoo.com
online-securtiyv4 .com - Email: LucyGBrown@yahoo.com
online-securtiyv5 .com - Email: LucyGBrown@yahoo.com
onlineviruskilla0 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla2 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla4 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla6 .com - Email: JacquelynMRyan@yahoo.com
onlineviruskilla8 .com - Email: JacquelynMRyan@yahoo.com
santa-christmas2010 .com - Email: JerryHWallace@yahoo.com
snowandchristmas .com - Email: JerryHWallace@yahoo.com
thebestantispys .com - Email: ThomasLRoy@yahoo.com

Christmas-themed scareware serving domains:
happy-newyear2010 .com
celebrate2009year .com
newyearandsanta .com
newyeardesgings .com
santa-christmas2010 .com
snowandchristmas .com

Speaking of AS34305; EUROACCESS Global Autonomous System, they're also hosting scareware campaigns at another IP - 193.104.22.50 in particular:
pcprotect2010 .com - Email: admin@pcprotect2010.com
bestantispysoft2010 .com - Email: admin@bestantispysoft2010.com
worldantispyware1 .com - Email: admin@worldantispyware1.com
antispyware24x7 .com - Email: admin@antispyware24x7.com
spydetector2009 .com - Email: admin@spydetector2009.com
myprivatesoft2009 .com - Email: admin@myprivatesoft2009.com
itsafetyonline .com - Email: admin@itsafetyonline.com
antispycenterprof .com - Email: admin@antispycenterprof.com
webspydetectunlim .com - Email: admin@webspydetectunlim.com
pcsafetyplatinum .com - Email: admin@webspydetectunlim.com
spywaredetect24pro .com - Email: admin@spywaredetect24pro.com
eliminater2009pro .com - Email: admin@eliminater2009pro.com
pcsafety2009pro .com - Email: admin@pcsafety2009pro.com
securityztop .com - Email: admin@securityztop.com
antisspywarescenter .com - Email: admin@antisspywarescenter.com
viridentifycenter .com - Email: molda444vimo@safe-mail.net
antispywarets .com - Email: admin@antispywarets.com
winvantivirus .com - Email: admin@winvantivirus.com
antispywaresnet .com - Email: admin@antispywaresnet.com
securityprosoft .com - Email: admin@securityprosoft.com
onlineantispysoft .com - Email: admin@onlineantispysoft.com
worldsantispysoft .com - Email: admin@worldsantispysoft.com
antispyworldwideint .com - Email: admin@antispyworldwideint.com
ivirusidentify .com - Email: admin@ivirusidentify.com

Within the same ASN, we can also find the following Zeus crimeware serving domains, courtesy of the Zeus Tracker:
print-design .cn - Email: alexsundren@gmail.com
backup2009 .com - Email: tahli@yahoo.com - association with money mule recruitment domain registration
1211news .com - Email: tahli@yahoo.com
tuttakto .com - Email: tahli@yahoo.com
filatok .com - Email: tahli@yahoo.com
wwwldr .com - Email: tahli@yahoo.com
bbbboom .com - Email: tahli@yahoo.com
fant1k .com - Email: tahli@yahoo.com
hoooools .com - Email: tahli@yahoo.com
ianndex .com - Email: tahli@yahoo.com
vklom .com - Email: tahli@yahoo.com
wwwbypost .com - Email: tahli@yahoo.com
wwwudacha .com - Email: tahli@yahoo.com

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - 204.12.252.99, parked there is also windowssp3download .com - Email: contact@subarutechs.com
winrescueupdate .com/download/winlogo.bmp - 89.248.162.147

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the following scareware domains:
attention-scanner .com - Email: khouri@atomtech.cc
be-secured2 .com - Email: info@scholarnyc.com
best-scanner-f .com - Email: LouisALeavitt@yahoo.com
get-secure2 .com - Email: info@scholarnyc.com
installprotection2 .com - Email: info@scholarnyc.com
online-defense7 .com - Email: contacts@manipadni.com.br
scan-spyware2 .com - Email: info@paristours.fr
topscan2 .com - Email: LouisALeavitt@yahoo.com
topscan3 .com - Email: LouisALeavitt@yahoo.com
virus-pcscan .com - Email: admin@rewards.de
win-scan05 .com - Email: katia@salsat.eu
win-scan07 .com - Email: katia@salsat.eu
win-scan09 .com - Email: katia@salsat.eu
winrescueupdate .com
winscanner01 .com - Email: contacts@crunchiesb.com
winscanner18 .com - Email: contacts@crunchiesb.com
your-protection8 .com - Email: admin@Relocation.it

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Continue reading →

The Koobface Gang Wishes the Industry "Happy Holidays"

December 26, 2009

Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
Cisco for their 3rd place to our software in their annual "working groups awards";
Soren Siebert with his great article;
Hundreds of users who send us logs, crash reports, and wish-lists.

"We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."

Next to the folks at TrendMicro, the DHS also featured the event in DHS Daily Open Source Infrastructure Report for 3 September 2009 at page 18:

"This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

December 22, 2009

Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I've been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and actual Koobface botnet activity that's been taking place there for months, pinged me with an interesting email - "Riccom are now gone" (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing on the malicious activity taking place there.

Since I've been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobace botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief retrospective of the malicious activity that took place there.

Malicious activity I've been analyzing since August, 2009:

August 06 - scareware parked at 91.212.107.5 analyzed in "Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware"
August 10 - more scareware introduced at 91.212.107.5 analyzed in "U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding"
August 18 - scareware domains continue getting introduced at 91.212.107.5, analyzed in "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign"
August 19 - Actual Koobface command and control server parked within BlueConnex's ASN, they take action against 85.234.141.92 - "Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere."
September 14 - the malvertising attack at the web site of the New York Times, not only used a redirector that was simultaneously pushed by Koobface-infected host hosted on an IP known to be managed by the gang's blackhat SEO team ,but also, the actual scareware domain used relied on Riccom LTD hosting again at 91.212.107.103
September 16 - 91.212.107.103 remains the most widely abused IP hosting scareware served by the Koobface botnet. Action is taken again the entire .info tld domain portfolio, the domains are suspended within a 48 hours period of time courtesy of AFILIAS.
November 11 - cat and mouse game between the company, me, and the Koobface gang is taking place, now that a connection between the Koobface gang and the Bahama botnet has been clearly established. New scareware domains are introduced at 91.212.107.103, as well as at the still active AS44042 ROOT eSolutions. The Koobface gang once again proves it "knows my name" by typosquatting domains and registering them with typosquatted variants of my name (pancho-2807 .com is registered to Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to Vancho Vanchev, vanchovanchev@mail.ru). Upon notification 91.212.107.103 has been taken offline courtesy of Blue Square Data Group Services Limited.
November 17 - A week later the gang resumes operations at the same Riccom LTD IP - "Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103 which was taken offline for a short period of time. ISP has been notified again".

Clearly, in terms of cybercrime, especially one that's monetizing an asset with high liquidity such as scareware, "better late than never" doesn't seem to sound very appropriate.

Image courtesy of TrendMicro's The Heart of Koobface - C&C and Social Network Propagation report.

Related Koobface research published in 2009:
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

December 22, 2009

August 06 - scareware parked at 91.212.107.5 analyzed in "Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware"
August 10 - more scareware introduced at 91.212.107.5 analyzed in "U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding"
August 18 - scareware domains continue getting introduced at 91.212.107.5, analyzed in "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign"
August 19 - Actual Koobface command and control server parked within BlueConnex's ASN, they take action against 85.234.141.92 - "Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere."
September 14 - the malvertising attack at the web site of the New York Times, not only used a redirector that was simultaneously pushed by Koobface-infected host hosted on an IP known to be managed by the gang's blackhat SEO team ,but also, the actual scareware domain used relied on Riccom LTD hosting again at 91.212.107.103
September 16 - 91.212.107.103 remains the most widely abused IP hosting scareware served by the Koobface botnet. Action is taken again the entire .info tld domain portfolio, the domains are suspended within a 48 hours period of time courtesy of AFILIAS.
November 11 - cat and mouse game between the company, me, and the Koobface gang is taking place, now that a connection between the Koobface gang and the Bahama botnet has been clearly established. New scareware domains are introduced at 91.212.107.103, as well as at the still active AS44042 ROOT eSolutions. The Koobface gang once again proves it "knows my name" by typosquatting domains and registering them with typosquatted variants of my name (pancho-2807 .com is registered to Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to Vancho Vanchev, vanchovanchev@mail.ru). Upon notification 91.212.107.103 has been taken offline courtesy of Blue Square Data Group Services Limited.
November 17 - A week later the gang resumes operations at the same Riccom LTD IP - "Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103 which was taken offline for a short period of time. ISP has been notified again".

A Diverse Portfolio of Fake Security Software - Part Twenty Four

December 21, 2009

Good traditions are not meant to be broken, in particular the "Diverse Portfolio of Fake Security Software" series. And with scareware losses to customers already (conservatively) estimated at $150 million, combined with the overwhelming evidence of scareware becoming the monetization method of choice for the majority of cybercriminals gathered throughout the entire year - in 2010 we'll see the peak of a fully matured business model that's offering one of the highest payout rates within the underground marketplace.

How can this underground business model be undermined? By hitting the"beehive" rather than hitting the campaign of particular "bee", and by disrupting the monetization flow ultimately leaving the "beehive" with hundreds of thousands of "bees" actively infecting without the opportunity to collect the cash flaw, thereby putting them in a position where the "beehive" becomes unable to pay the commissions to the "bees" at the first place.

Moreover, raising awareness on the most efficient and profitable monetization tactic used by cybecriminals in the face of scareware (The Ultimate Guide to Scareware Protection), is crucial for filling in the gaps, since in its current form, scareware is driven exclusively by social engineering tactics and aggressive traffic hijacking campaigns.

What's to come in 2010 anyway? It's the culmination of an year and half research. Stay tuned folks!

The following scareware domains have been recently observed in active campaigns online:

78.46.254.18/96.9.180.102 - AS24940 -HETZNER-AS Hetzner Online AG RZ/AS21788 BurstNet Technologies, Inc.
3-scanner .com
5-scanner .com
9-scanner .com
aa-scan .com
antispy-microsoft0 .cn
antispy-microsoft2 .cn
aspywarescan .com
av-scannerr .com
av-scannerw .com
av-scannerx .com
av-scannery .com
av-scannerz .com
bb-scan .com
bspywarescan .com
cspywarescan .com
fspywarescan .com
internetdefencei .com
ispywarescan .com
malware-destroy01 .com
malware-destroy03 .com
malware-destroy09.com
malwarescannere. com
malwarescannerq .com
malwarescannerr .com
malwarescannert .com
malwarescannerw .com
pc-securityv .com
pc-securityv2 .com
pc-securityv4 .com
removespywared .com
removespywarek .com
removespywarel .com
removespywarem .com
removespywaren .com

securitybugfixv9 .com
spyware-remove0 .com
spyware-remove9 .com
spyware-removeb .com
spyware-removee .com
spyware-removen .com
titan-antivirus .com
titan-antivirusv .com
titan-antivirusy .com
titan-antivirusz .com
titan-scanner .com
trustedmicrosoftscan0 .com
trustedmicrosoftscan8 .com
ultimatepcscanb .com
ultimatepcscano .com
ultimatepcscanp .com
ultimatepcscanr .com
windows-antivirus0 .com
windows-antivirus11 .com
windows-antivirus2 .com
windows-antivirus4 .com
windows-antivirus8 .com
win-pro-update .cn

The scareware domains portfolio profiled in the "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" post parked at 193.104.110.50, has many new typosquatted additions to it:

193.104.110.50 - AS50073/SOFTNET Software Service Prague s.r.o.
10-open-davinci .com
advanced-virusremover2009 .com
advancedvirus-remover2009 .com
advanced-virus-remover2009 .com
advancedvirusremover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2010 .com
advanced-virus-remover-2010 .com
advanced-virus-remover2011 .com
advanced-virus-remover-2011 .com
avrdownnew6 .com
avrdownnew8 .com
avrdownnew9 .com
bastaproject .com
buy-internet-security2010 .com
coolcount1 .com
coolcount2 .com
coolprojectnew .com
downloadavr10 .com
downloadavr11 .com
downloadavr12 .com
downloadavr13 .com
downloadavr14 .com

downloadavr15 .com
downloadavr20 .com
downloadavr5 .com
downloadavr6 .com
downloadavr7 .com
downloadavr8 .com
downloadavr9 .com
greatcrypt .com
megacryptnew .com
pc-scanner2010 .biz
pc-scanner-2010 .biz
pcscanner2010 .com
pc-scanner2010 .com
pcscanner-2010 .com
pc-scanner-2010 .com
pc-scanner2010 .net
pc-scanner2010 .org
pc-scanner-2010 .org
pc-scanner-2011 .biz
pc-scanner-2011 .org
pc-scanner-2012 .com
pc-scanner-2012 .net
pc-scanner-2012 .org
testavrdown .com
vscodec-pro .net
vsproject .net
white-xxx-tube .com
white-xxxx-tube .com
xxx-white-tube .net

The Koobface gang has not only migrated the domains the weren't suspended from the previous "Koobface Botnet's Scareware Business Model - Part Two" post, but has also introduced new ones on the new IPs:

193.169.235.5/93.174.95.191 - AS32181/ASN-CQ-GIGENET ColoQuest/GigeNet ASN
goboldscan .com - Email: gleyersth@gmail.com
godeckscan .com - Email: quetotator@gmail.com
godirscan .com - Email: momorule@gmail.com
godotscan .com - Email: gleyersth@gmail.com
gopullscan .com - Email: stgeyman@gmail.com
gorootscan .com - Email: stgeyman@gmail.com
goscanbold .com - Email: gleyersth@gmail.com
goscandot .com - Email: gleyersth@gmail.com
goscanhand .com - Email: quetotator@gmail.com
goscanmend .com - Email: gleyersth@gmail.com
goscanmoth .com - Email: gleyersth@gmail.com
goscanpull .com - Email: stgeyman@gmail.com
goscanref .com - Email: quetotator@gmail.com
goscanrest .com - Email: quetotator@gmail.com
goscanroom .com - Email: gleyersth@gmail.com
goscanroot .com - Email: stgeyman@gmail.com
goscantype .com - Email: stgeyman@gmail.com

Some of these are actively redirecting to another recently updated .cn portfolio, once again maintained by the Koobface gang, parked at 193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN:
193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN
diwehym .cn - Email: spscript@hotmail.com
dizymhe .cn - Email: spscript@hotmail.com
docigpe .cn - Email: spscript@hotmail.com
dofawi .cn - Email: spscript@hotmail.com
domreha .cn - Email: spscript@hotmail.com
donlaci .cn - Email: spscript@hotmail.com
donqaw .cn - Email: spscript@hotmail.com
dopelsi .cn - Email: spscript@hotmail.com
doquza .cn - Email: spscript@hotmail.com
doqypku .cn - Email: spscript@hotmail.com
egikap .cn - Email: spscript@hotmail.com
enegoys .cn - Email: spscript@hotmail.com
eneybis .cn - Email: spscript@hotmail.com
enoihup .cn - Email: spscript@hotmail.com
enygoji .cn - Email: spscript@hotmail.com
enyuwip .cn - Email: spscript@hotmail.com
epafij .cn - Email: spscript@hotmail.com
epaumow .cn - Email: spscript@hotmail.com
epiadyl .cn - Email: spscript@hotmail.com
epiecgy .cn - Email: spscript@hotmail.com
g-antivirus .com - Email: mhbilate@gmail.com
iantiviruspro .com - Email: broderma@gmail.com
iantivirus-pro .com - Email: feetecho@gmail.com
iav-pro .com - Email: mcgettel@gmail.com
in4iv .com - Email: momaust@gmail.com
inb6ct .com - Email: jobumb@gmail.com
inb6ik .com - Email: jobumb@gmail.com
jyqhoki .cn - Email: spscript@hotmail.com
jyseny .cn - Email: spscript@hotmail.com
jywmer .cn - Email: spscript@hotmail.com
jyzixme .cn - Email: spscript@hotmail.com
jyzuju .cn - Email: spscript@hotmail.com
kabivu .cn - Email: spscript@hotmail.com
kacupyb .cn - Email: spscript@hotmail.com
kajefu .cn - Email: spscript@hotmail.com

Another portfolio is parked at 193.169.13.200, our "dear friends" AS5577 - ROOT eSolutions:
antivirusonlinegames .com - Email: saracbrown@dodgit.com
antivirussoftblog .com - Email: sharonldixon@trashymail.com
antyflutool .net - Email: joycerfriley@dodgit.com
an-ty-virusnow .net - Email: carriedlawrence@gmail.com
an-ty-virus-tool .com - Email: marydgallo@pookmail.com
bigvirusscan .com - Email: marydgallo@pookmail.com
freeantyvirusservice .com - Email: alejandrojmckinney@gmail.com
mysecuritysoft .net - Email: mildredkbaker@mailinator.com
nationalsecuritydirect .com - Email: loisjstillings@trashymail.com
newantispywaresoft .com - Email: junejbrubaker@trashymail.com
newantyvirus .net - Email: johneponder@gmail.com
progressmovement .com - Email: christinegcarroll@trashymail.com
readonlinestories .com - Email: lawrencemtimms@dodgit.com
removevirusgadget .com - Email: benjaminmdickerson@gmail.com
scannetradio .com - Email: robertcle@dodgit.com
securityonlinecopy .net - Email: saraldillard@trashymail.com
securitysoftstore .com - Email: anthonybpierce@trashymail.com
securitytoolsuser .com - Email: kyongabrantner@gmail.com
securitytoolsuser .net - Email: jamessvaughn@dodgit.com
securityutilityshop .net - Email: fletchererodriguez@gmail.com
spacetrafficsafety .com - Email: bettycyeates@pookmail.com
superprotectionact .com - Email: darnellbhouse@pookmail.com
supersafetysolutions .com - Email: georgekhorn@pookmail.com
thebillingaol .com - Email: justindsmith@trashymail.com
theprogressclub .com - Email: jerrysfinlayson@pookmail.com
theremovevirustool .com - Email: dalemharman@dodgit.com
virusread .com - Email: robertcjones@pookmail.com
yourfraudprotection .com - Email: michelledglover@dodgit.com
yoursafetysearch .com - Email: michelledglover@dodgit.com

193.104.153.245 - AS5577 - ROOT eSolutions
antivirusonlinecasino .com - Email: alfonzomhopps@mailinator.com
anti-virustoday .net - Email: elishaebeauregard@pookmail.com
an-ty-flu-service .com - Email: edwinwmartinez@trashymail.com
bereadonline .com - Email: jeanvfriddle@trashymail.com
bestantyspyware .net - Email: ralphyjackson@pookmail.com
bodyscanllc .com - Email: ralphyjackson@pookmail.com
contraspywaresoft .com - Email: josephinetmarenco@dodgit.com
newantyvirustool .net - Email: josephinetmarenco@dodgit.com
remove-virus-tool .com - Email: maryprobinson@pookmail.com
scaninternetradio .com - Email: maryprobinson@pookmail.com
securityonlinegames .net - Email: clementeanderson@pookmail.com

89.248.160.153 - AS29073/ECATEL-AS , Ecatel Network
do-fastscannow .net - Email: gkook@checkjemail.nl
do-speedscan .net - Email: gkook@checkjemail.nl
do-speedscan-search .com - Email: gkook@checkjemail.nl
iwillcheck-it .com - Email: gkook@checkjemail.nl
systemscan-check .net - Email: gkook@checkjemail.nl
zguarddata .com - Email: gkook@checkjemail.nl

193.106.32.10 - TELECOMPO, spol. s r.o.
antyspywaretoday .net - Email: willistbatiste@dodgit.com
an-ty-virusblog .net - Email: brendapwhite@dodgit.com
securitysoftshop .net - Email: milagrosrporter@pookmail.com
theantispywaresoft .com - Email: danhjones@gmail.com

88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG RZ
antispyscanb4 .com
onlinescanner70 .com
onlinescanner80 .com
pro-antivir03 .com
scannerintheinternet0 .com
windowscanner21 .com
windowscanner51 .com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang

Top Ten Must-Read DDanchev Posts For 2009

Top Ten Must-Read Posts at ZDNet's Zero Day for 2009

Summarizing Zero Day's Posts for December

The Koobface Gang Wishes the Industry "Happy Holidays"

The Koobface Gang Wishes the Industry "Happy Holidays"

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

A Diverse Portfolio of Fake Security Software - Part Twenty Four

RSS Feed

Search This Blog

About Me

Blog Archive

Tags

Popular Posts