Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Twenty One

June 05, 2009

The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution purposes is peaking once again, which combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor.

Next to listing the scareware domains currently in circulation, in part twenty one of the Diverse Portfolio of Fake Security Software series, it's time we put the spotlight on the so called payment processors mainted by phony in-house operations.

The following scareware domains are parked exclusively within AS10929; NETELLIGENT Hosting Services Inc's network, 209.44.126.102 in particular :

fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com

rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scanlist6 .com Email: metamant@gmail.com
goscanfine .com Email: chirelqas@gmail.com
goscanone .com Email: canrcnad@gmail.com
scan4note .com Email: ansouthe@gmail.com
in4ck .com Email: taboussybr@gmail.com
goscanwork .com Email: govemati@gmail.com
in4tk .com Email: skeltonrw@gmail.com
goscanatom .com Email: gleyersth@gmail.com
top4scan .com Email: ansouthe@gmail.com
slot6scan .com Email: metamant@gmail.com
gometascan .com Email: ricboin@gmail.com
gopagescan .com Email: tanehen@gmail.com
gofinescan .com Email: alcnafuch@gmail.com
goelitescan .com Email: funully@gmail.com
gorankscan .com Email: canrcnad@gmail.com
goworkscan .com Email: govemati@gmail.com
gogoalscan .com Email: chinrfi@gmail.com
gogenscan .com Email: tanehen@gmail.com
goautoscan .com Email: tanehen@gmail.com
goflexscan .com Email: alcnafuch@gmail.com
goscanauto .com Email: canrcnad@gmail.com
scan6slot .com Emaik: telerdomb@gmail.com
in4st .com Email: skeltonrw@gmail.com
scan6list .com Email: telerdomb@gmail.com
goscanflex .com Email: chirelqas@gmail.com

goscankey .com Email: ricboin@gmail.com
scanmeta4 .info Email: sitintu@gmail.com
scannote4 .info Email: sitintu@gmail.com
metascan4 .info Email: finewnrk@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
notescan4 .info Email: finewnrk@gmail.com
miniscan4 .info Email: finewnrk@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
atomscan4 .info Email: finewnrk@gmail.com
fanscan4 .info Email: finewnrk@gmail.com
genscan4 .info Email: finewnrk@gmail.com
autoscan4 .info Email: sitintu@gmail.com
topscan4 .info Email: finewnrk@gmail.com
starscan4 .info Email: finewnrk@gmail.com
fixscan4 .info Email: sitintu@gmail.com
mixscan4 .info Email: finewnrk@gmail.com
luxscan4 .info Email: finewnrk@gmail.com
rayscan4 .info Email: finewnrk@gmail.com
keyscan4 .info Email: sitintu@gmail.com
scangen4 .info Email: sitintu@gmail.com
scanauto4 .info Email: mexnacc@gmail.com

scantop4 .info Email: finewnrk@gmail.com
scanflex4 .info Email: mexnacc@gmail.com
scan4meta .info Email: finewnrk@gmail.com
scan6meta .info Email: donboset@gmail.com
scan4fine .info Email: mexnacc@gmail.com
meta4scan .info Email: finewnrk@gmail.com
note4scan .info Email: finewnrk@gmail.com
gen4scan .info Email: finewnrk@gmail.com
flex4scan .info Email: mexnacc@gmail.com
fix4scan .info Email: sitintu@gmail.com
key4scan .info Email: mexnacc@gmail.com
meta6scan .info Email: donboset@gmail.com
note6scan .info Email: donboset@gmail.com
scan4gen .info Email: finewnrk@gmail.com
scan6gen .info Email: donboset@gmail.com
scan4auto .info Email: sitintu@gmail.com
scan4top .info Email: finewnrk@gmail.com
scan4fix .info Email: sitintu@gmail.com
scan4key .info Email: sitintu@gmail.com
fine4scan .info Email: beelriel@gmail.com
scanmega4 .info Email: bnntnkmn@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
scanauto4 .info Email: mexnacc@gmail.com
scan4fine .info Email: mexnacc@gmail.com
way4scan .info Email: bnntnkmn@gmail.com
key4scan .info Email: mexnacc@gmail.com
scan4fan .info Email: myscarbe@gmail.com

Exceptions out of AS10929; NETELLIGENT Hosting Services Inc.:

ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: abuse@domaincp.net.cn
generalantivirus .com Email: compalso@gmail.com
genpayment .com Email: seeingrud@gmail.com
livestopbadware .com Email: producergrom@gmail.com
av-payment .com Email: abuse@domaincp.net.cn
antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52;91.212.65.125; Email: immigration.beijing@footer.cn
antivirus-scanner-v1 .com Email: tareen@yahoo.com
proantivirusscannerv2 .com Email: ecindia@hotmail.com

Who's processing the payments made by the scammed customers? These are the major payment processors of scareware software that have been changing aliases for a while now, with Pandora Software being the most persistent one:

easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoViktor@googlemail.com
secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; pnm-software.com@liveinternetmarketingltd.com
secure.thepaymentonline .com Email: Sergey Ryabov director@climbing-games.com

What is Pandoware Software, and who's behind Pandora Software (pandora-software .com; pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; Email: pandoraxxl.com@liveinternetmarketingltd.com)?

The payment processor describes itself as :

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the carefull creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers!If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany"

Upon "doing business" with them they include their very latest domain within the the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM If so , than You have made a purchase on one of our websites! This form on the right will help You to locate these transactions! Absolutely sure You have never ever purchased anything with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not ab to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first."

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not a text? Cybercriminals sometimes ensure that sensitive info potentially undermining their OPSEC doesn't get crawled by public search engines. It's gets even more interesting as Oleg Dvorezky, whose activities as payment processor for scareware go beyond the support desk has also included his address - Varzinerstr. 127. 44369 Dortmund, Germany and another phone, again as an image +1(636)549-8103, followed by two more numbers +18669997851 (USA) +33179972633 (France) listed as contact details.

Moreover, despite the fact that they've active affiliates distribution scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they may also be engaging in customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them :

support@supportdeska.com
support@msantispyware2009.com
support@pandora-software.com
support@pandoraxl.com
support@data-saver.org
support@generalantivirus.com

Fo the time being, scareware remains the single most efficient, managed and high liquidity asset used for monetization cybercrime campaigns. Continue reading →

From Ukrainian Blackhat SEO Gang With Love

June 04, 2009

UPDATE: My name is now an integral part of the scareware business model.

Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10&key=b8c7c33ca&p=1 and then to antimalwareliveproscanv3 .com where the scareware is served -- catch up with the Diverse Portfolio of Fake Security Software series.

What's next? The release of Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Scanner 2010?

You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors, in this particular case that's seo.hostia .ru/ddanchev-sock-my-dick.php.

Back in 2007, it used to be the polite form of get lost or "ai siktir vee" courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoftwarego .com; live-payment-system .com - 83.133.123.140 Email: fabian@ingenovate.com, and to antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn where the scareware is served.

Scareware domains (delegated) part of their campaigns which as of recently diversity to Lycos owned is-the-boss.com:
anti-spyware-scan-v1 .com - ns1.futureselfdeeds .com (78.47.88.217)
malware-live-pro-scanv1 .com
premiumlivescanv1 .com
malwareliveproscanv1 .com
antiviruspcscannerv1 .com
malwareliveproscannerv1 .com
freeantispywarescan2 .com
antiviruspremiumscanv2 .com
proantivirusscanv2 .com
antiviruspaymentsystem .com
macrosoftwarego .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
futureselfdeeds .com
allinternetfreebies .com
liveinternetupdates .com
momentstohaveyou .cn

Rephrasing the Cardigans Love Fool song - Common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip. Continue reading →

Summarizing Zero Day's Posts for May

June 02, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for May.

You can also go through previous summaries for April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Inside the botnets that never make the news - a gallery; China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities? and The Web's most dangerous keywords to search for.

01. Cybercriminals promoting malware-friendly search engines
02. New Mac OS X email worm discovered
03. China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities?
04. Spammers harvesting emails from Twitter - in real time
05. 56th variant of the Koobface worm detected
06. Study: password resetting 'security questions' easily guessed
07. D-Link router's CAPTCHA flawed, WPA passphrase retrieved
08. Inside the botnets that never make the news - a gallery
09. The Web's most dangerous keywords to search for Continue reading →

Dating Spam Campaign Promotes Bogus Dating Agency - Part Two

June 02, 2009

Your future template-based wife is here, waiting not only for you, but also, for the hundreds of thousands of spammed gullible future husbands.

Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.

As in their previous campaigns, they're spamming from LRouen-152-82-6-202.w80-13.abo.wanadoo.fr [80.13.101.202], and here's the most recent portfolio of domains used in the spam campaigns parked at 62.90.136.207:

dating-forin-loved .com - Email: deolserdo@safe-mail.net
matchwithworld .com - Email: esheodin@safe-mail.net
love-f-emale .com - Email: lo3664570460504@absolutee.com
i-amsingle .com - Email: i-3685838623704@absolutee.com
for-you-from-me .com - Email: PabloStantonXW@gmail.com
love-me-long-time .com - Email: lo3685839114104@absolutee.com
destinycombine .com - Email: esheodin@safe-mail.net
you-isnot-alone .com - Email: SamNilsenson@gmail.com
find-some-love .com - Email: SamNilsenson@gmail.com
find-thereal-love .com - Email: deolserdo@safe-mail.net

all-hot-love .com - Email: sup3portne3west@safe-mail.net
find-the-reallove .com - Email: fi3653005547304@absolutee.com
sweet-hearts-dating .com - Email: SamNilsenson@gmail.com
my-great-dating .com - Email: SamNilsenson@gmail.com
yourmatchwith .com - Email: esheodin@safe-mail.net
loking-for-aman .com - Email: lo3653004406804@absolutee.com
myloving-heart .com - Email: my3685835605504@absolutee.com
beautiful-prettywoman .com - Email: JosiahMillerTP@gmail.com
buildyour-happylove .net - Email: bu3664569267104@absolutee.com
adorelovewon .com - Email: supportnewest@safe-mail.net
andiloveyoutoo .com - Email: enorst10@yahoo.com

myloveamour .com - Email: supportnewest@safe-mail.net
luckyheatrs .com - Email: neujelivsamomdeli@gmail.com
just-waiting-foryou .com - Email: SamNilsenson@gmail.com
dreams-about-lady .com - Email: JosiahMillerTP@gmail.com
inspiredlove .net - Email: antonkovalchukk@gmail.com
make-family .net - Email: JosiahMillerTP@gmail.com
createyourlove .net
fillinglove .net

Let's connect the dots, shall we? Notice some of the registrant's emails, namely supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. It gets even more interesting taking into consideration the fact that the money laundering group's botnet command and control domain was registered to supp3ortnewest@safe-mail.net. Moreover, among the unique usernames used exclusively by this botnet, was in fact the one used in Confidential Connections spam campaigns, confirming their connection.

Naturally, Confidential Connections are also rubbing shoulders with more cybercrime facilitating domains sharing the same DNS infrastructure (ns1.srv .com).

For instance, superfuturebiz .com/maingovermnfer5 .com (Trojan-Spy.Win32.Zbot.uyn) where a Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5 .com/anyfldr/demo.exe which once executed attempts to download Zeus crimeware from maingovermnfer5 .com/anyfldr/cfg.bin.

Moreover, carder-shop .com which is an ex-Atrivo darling, yourmagicpills .com which is a typical pharmaceutical scam, zaikib .in a malware command and control, and eefs .info which is a phony "East Europe Financial System" and looks like a typical money mule recruitment operation. Continue reading →

3rd SMS Ransomware Variant Offered for Sale

May 27, 2009

The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the face of File Fix Professional 2009 and FakeAlert-CO or System Security, followed by two separate SMS-based ransomware variants Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user that as of 1st of May Microsoft is launching a new anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder (the file is almost impossible to find)
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

The price for a custom-made version with the customer's own SMS data is $10, with $5 per new (undetected) copy, as well as the complete source code available for $50 again from the same vendor.

From a "visual social engineering" perspective, the one that make scareware what it is as product -- a product which would have scaled so fast if it wasn't the distribution channel in the form of web site compromises and blackhat SEO at the first place -- the latest SMS ransomware variant lacks any significant key visual features which can compete with for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization on demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian speaking ones for the time being. Continue reading →

Inside a Money Laundering Group's Spamming Operations

May 26, 2009

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.

What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:

The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress. Continue reading →

Inside a Money Laundering Group's Spamming Operations

May 26, 2009

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

May 19, 2009

"In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to HangUp Team's infamous - "in fraud we trust". It is somehow weird to what lengths would certain cybercriminals go to create a feeling of legitimacy of their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are converging different hosting providers to increase the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains, next to AS10929 NETELLIGENT Hosting Services Inc. where the infrastructure of the three hosting providers has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits/zeus config files/scareware found within AS29371 and pushed through blackhat SEO and web site compromises:

peopleopera .cn - 91.212.41.96
forexsec .cn
vitamingood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
workfuse .cn
schoolh .cn
rainfinish .cn
housevisual .cn
worksean .cn
liteauction .cn
newtransfer .cn
oceandealer .cn
musicdomainer .cn
websiteflower .cn
designroots .cn
islandtravet .cn
litefront .cn
clubmillionswow .cn

softwaresupport-group .com - 91.212.41.91
bestfindahome .cn
dastrealworld .ru
elantrasantrope .ru
borishoffbibi .ru
sandiiegoexpo .ru
nightplayauto .ru
startdontstop .ru

nicdaheb .cn - 91.212.41.119
sehmadac .cn
vavgurac .cn
tixleloc .cn
xidsasuc .cn
cuzlumif .cn
teyrebuf .cn
hifgejig .cn
tukhemaj .cn
rogkadej .cn
wuhwasum .cn
sipcojeq .cn
tixwagoq .cn
silzefos .cn
popyodiw .cn
cakpapaz .cn

Rogue security software:
addedantivirusonline .com - 91.212.41.114
addedantivirusstore .com
addedantiviruslive.com
addedantiviruspro.com
countedantiviruspro.com
myplusantiviruspro.com
easyaddedantivirus.com
yourcountedantivirus.com
bestcountedantivirus.com
yourplusantivirus.com

For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083 which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up in the Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com (209.44.126.22) we also have a portfolio of scareware domains:

thestabilityweb .com
securityonlineworld .com
websecuritypolice .com
wwwsafeexamine .com
dynamicstabilityexamine .com
networkstabilityexamine .com
safetyscansite .com
onlinesafetyscansite .com
securityscansite .com
stabilityonlineskim .com
socialsecurityscan .com
securityexamination .com
internetsecuritymetrics .com
onlinebrandsecuritys .com
securityonlinedirect .com
scanstabilityinternet .com
stabilityaudit .com
websecuritybureau .com
safewebsecurity .com
webbrowsersecurity .com
futureinternetsecurity .com
superiorinternetsecurity .com

The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more malicious activity is easily detected at:

downloadmax .org - 91.212.65.19
hd-codec .com
shotgol .com
kauitour .com
coecount .com
countbiz .com
videoaaa .net
7stepsmedia .net
ispartof .net
amoretour .net
browardcount .net

trucount3000 .com - 91.212.65.10; 91.212.65.29
trucount3001 .com
trucount3002 .com
antivirus-xppro-2009.com
onlinescanxppp .com
onlinescanxpp .com
onlinescanxp .com
free-webscaners .com

In cybercriminals I don't trust.

Related posts:
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO

Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network Continue reading →

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

May 19, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty

May 14, 2009

Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.

Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.

This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).

Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.

For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:

yourpcshield .com (209.44.126.14) - AS10929 NETELLIGENT Hosting Services Inc. Email: bershkapull@gmail.com
virustopshield .com
totalvirushield .com
pcguardscan .com
topwinsystemscan .com
basevirusscan .com
systemvirusscan .com
bastvirusscan .com
myfirstsecurityscan .com
fastviruscleaner .com
allvirusscannow .com

freeforscanpc .com (209.44.126.241) - AS10929 NETELLIGENT Hosting Services Inc.
truevirusshield .com
totalvirusshield .com
hypersecurityshield .com
scanyourpconline .com
allowedwebsurfing .com
xvirusdescan .com
securitytrustscan .com
fullsecurityaction .com
fullvirusprotection .com
fullsecuritydefender .com
hupersecuritydot .com
trustedwebsecurity .com
greatscansecurity .com
updateyoursecurity .com

antimalware-scannerv2 .com (78.46.88.202) - AS16265 LeaseWeb AS Amsterdam, Netherlands Email: basni@lewispr.com
onlinevirusbusterv2 .com
xpvirusprotection2009 .com
total-malwareprotection .com
total-virusprotection .com
xpvirusprotection .com
bestbillingpro .com
truconv .com

safeinternettoolv1 .com (212.117.165.126; 38.99.170.9; 69.4.230.204; 78.47.91.153) - AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: info@dmf.com.tr
antivirusquickscanv1 .com
computerscanv1 .com
antivirusbestscannerv1 .com
antiviruslivescanv3 .com
proantivirusscanv3 .com
fullantispywarescan .com
webscannertools .com
approved-payments .com

SMS Ransomware Source Code Now Offered for Sale

May 12, 2009

Remember the ransomware variant that was locking down user's PCs and demanding a premium SMS in order for them to receive the unlocking code?

In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.

Here are some of its features:
- When executed presents the uset with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program

The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected user's PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.

However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.

Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.

Related posts:
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild Continue reading →

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Twenty One

From Ukrainian Blackhat SEO Gang With Love

Summarizing Zero Day's Posts for May

Dating Spam Campaign Promotes Bogus Dating Agency - Part Two

3rd SMS Ransomware Variant Offered for Sale

Inside a Money Laundering Group's Spamming Operations

Inside a Money Laundering Group's Spamming Operations

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

A Diverse Portfolio of Fake Security Software - Part Twenty

SMS Ransomware Source Code Now Offered for Sale

RSS Feed

About Me

Blog Archive

Tags

Popular Posts