Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

July 16, 2009

Could a dysfunctional abuse department facilitate cybercrime? Appreciate my rhetoric with an emphasis on Layered Technologies, Inc.

Exactly one month ago, the Ukrainian gang that I've been extensively monitoring due to their apparent involvement in literally each and every malware campaign targeting Web 2.0 properties -- that's of course next to the Koobface connection in general -- intensified their automatic abuse of Twitter, Scribd and LinkedIn using plain simple social engineering tactics.

Since the campaign seems to be ongoing, it's time to spill some coffee on their latest scareware domains, see how the campaign's quality degraded upon notifying the affected parties, and emphasize on the fact that since Layered Technologies, Inc. abuse department wasn't available for comment prior to this post, the Ukrainian "fan club" continues using their services.

Bogus Twitter accounts serving scareware part of their campaign:
twitter .com/carmenelectrapn
twitter .com/LilKimUncensord
twitter .com/KimKardashian11
twitter .com/KateWinsletNude
twitter .com/DeniseRichardsK
twitter .com/KendraWilkinso1
twitter .com/CHristinaRicciN
twitter .com/Shakira_nude

twitter .com/BritneySpears11
twitter .com/PamelaAnderson0
twitter .com/kimkardashian3
twitter .com/BritneySpearse
twitter .com/LindsayLohannn
twitter .com/KatieHolmesNud
twitter .com/LilKimUncensord
twitter .com/britneyspearst
twitter .com/LindsayLohanee
twitter .com/JenniferLovew
twitter .com/AnnaFarisNnude
twitter .com/MileyCyrusnud
twitter .com/carmenelectrasx
twitter .com/adulttrishstrat

As in previous campaign, their redirectors continue working -- excluding oymomahon .com which is down -- and serving newly typosquatted scareware domains. For instance showmealltube .com/fathulla/13.html (64.92.170.135; 216.32.83.110) which is exclusively used on all the bogus accounts redirects to myhealtharea .cn/in.cgi?14 (64.92.170.135; 216.32.83.110), again Layered Technologies, Inc.

The same goes for the second domain, delshikandco .com/paqi-video/30.html (216.32.83.104) Email: alexeyvas@safe-mail.net (multiple scareware domains registered under the same email) as well as another redirector maintained by them used in previous campaign, ntlligent .info/tds/in.cgi (72.232.163.171) also both hosted at Layered Technologies, Inc..

The new scareware domains used in the first redirection:
nusecurityshields .com - 91.213.29.252 - FakeAlert-WinwebSecurity.gen
besecurepctrue .com
wesecurepcs .com
securityverpcs .com
allsecuredpcshields .com
myrealsecuritys .com
realsecurityspot .com
allentruesecurity .com

The second redirection leads to thetubesmovie .com/xplaymovie.php?id=40012 - 216.240.143.7 - Email: queeziegl@gmail.com where onlinemovies.40012.exe (Trojan.Crypt.ZPACK.Gen) is served, which upon execution phones back to myart-gallery .com/senm.php?data= (64.27.5.202) Email: jnthndnl@gmail.com; robert-art .com/senm.php?data= (66.199.229.229) Email: robesha@gmail.com; and superarthome .com/senm.php?data= (216.240.146.119) Email: chucjack@gmail.com. Yet another redirector at showmeall-tube-xx .com/xtube.htm - 78.159.98.70 - Email: crashtestdanger@mail.ru attempts to download more scareware from showmeall-tube-xx .com/setup.exe - Trojan:Win32/Winwebsec.

Parked on 216.240.143.7 are also:
go-go-tube.com - Email: consanch@gmail.com
thetubesmovie.com - Email: queeziegl@gmail.com
tubessite.com - Email: roberkimb@gmail.com
besttubetech.com - Email: tashcham@gmail.com
supertubetop.com - Email: queeziegl@gmail.com
yourtubetop.com - Email: tashcham@gmail.com
greattubetop.com - Email: roberkimb@gmail.com
fllcorp.com
my-tube-dot.com - Email: consanch@gmail.com

The newly registered Scribd and LinkedIn accounts also point to these very same domains. Bogus Scribd accounts -- approximately a thousand -- participating in the campaign:
scribd .com/Eva_Mendes%20naked
scribd .com/Kim_Kardashian%20sex%20tape%20free
scribd .com/Nude%20wrestling
scribd .com/KimKardashianSex%20Tape
scribd .com/BritneySpears%20Sex%20Tape
scribd .com/HollyMadison_Naked
scribd .com/Free%20Animal%20Sex%20Videos
scribd.com/BritneySpearsCircus
scribd .com/Emma%20Watson%20kissingsomeone
scribd .com/Paris%20Hilton%20%20sex%20tape
scribd .com/Ellen%20degeneresgay
scribd .com/Gallery%20of%20Lindsay_Lohan
scribd .com/Amy_Smart%20nude
scribd .com/Stacy_Keibler%20in%20a%20bikini
scribd .com/Jennifer%20Aniston%20sexiest1
scribd .com/HelenMirren%20nudity
scribd .com/Vida_Guerra%20butt
scribd .com/Paris%20Hilton%20in%20bed

scribd .com/Paris%20Hilton%20sex%20video
scribd .com/Paris%20Hilton%20%20movie
scribd .com/ParisHiltonnaked1
scribd .com/Jessica%20Rabbitadult
scribd .com/Maria_Kanellis%20playboy
scribd .com/Anna_Nicole_uncensored
scribd .com/Kim+Kardashian%20sex%20video
scribd .com/keeleyhazellsextape
scribd .com/Britney-Spears-womanizer2
scribd .com/BRITNEY%20SPEARS%20DESNUDA%201
scribd.com/Age%20of%20EmmaWatson
scribd .com/JenniferLopez%20desnuda
scribd .com/BritneySpears%20comix
scribd .com/MUJERES%20NEGRAS%20DESNUDAS%201
scribd .com/John%20Cena's%20%20dick
scribd .com/Hilary%20Duff%20naked%201

scribd .com/MaribelGuardia%20desnuda
scribd .com/Jessica%20Simpsonnude
scribd .com/Amanda-Bynes-nip-slip1
scribd .com/Tara-Reid-desnuda1
scribd .com/Jessica%20Albanude
scribd .com/Mujeres%20famosas%20%20desnudas
scribd .com/AngelinaJolie%20Naked
scribd .com/Lindsay_Lohan%20naked
scribd .com/Niurka_Marcos%20desnuda
scribd .com/FOTOS%20DE%20MARIBEL%20GUARDIA%20DESNUDA
scribd .com/INGRID%20CORONADO%20DESNUDA%201
scribd .com/NINEL%20CONDE%20DESNUDA1

scribd .com/Paris%20Hilton%20movie%201
scribd .com/Free%20Kim%20Kardashian%20%20Sex%20%20Tape
scribd .com/Pamela%20anderson%20nude
scribd .com/Vanessa-Williams-Penthouse-pictorial2
scribd .com/Natalie%20Portman%20sunbathing%201
scribd .com/Anne%20Hathaway%20naked%201
scribd .com/Stacy_Keibler%20nude
scribd .com/Scarlett_Johansson%20galleryx

Bogus LinkedIn accounts participating in the campaign:
linkedin .com/pub/anneliese-van-der-pol-nude/14/150/371
linkedin .com/pub/disney-s-raven-symone-nude/14/150/604
linkedin .com/pub/jennifer-love-hewitt/13/ab6/396
linkedin .com/pub/free-nude-celebs/14/6b/65b
linkedin .com/in/nudetubee
linkedin .com/in/nudepics2
linkedin .com/in/freenudecelebrities1
linkedin .com/in/nudecelebrities1
linkedin .com/in/nudephotos1
linkedin .com/pub/nude-art/14/6b/6a

The statistics from two of the bit.ly URLs showcase how the campaign scaled due to the number of bogus accounts, and they virtually disappeared upon notifying the affected parties which removed the accounts in less than an hour. The gang keeps making a point that I made a while ago - a single group can dominate the entire Web 2.0 threatscape, automatically if they want to.

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

4th SMS Ransomware Variant Offered for Sale

July 16, 2009

Locking down an infected Windows-based host and demanding a premium rate SMS message for the unlock code (SMS Ransomware Source Code Now Offered for Sale; New ransomware locks PCs, demands premium SMS for removal; 3rd SMS Ransomware Variant Offered for Sale), is slowly becoming a trend, that despite its current geographical prevalence evident in Russia, it could easily become an international issue due to the cost-effective localization services available on demand these days.

Yet another SMS-based ransomware variant is offered for sale ($10), making this the 3rd such variant available for purchase during the past couple of months. The author appears to be a Moscow-based opportunist, clearly interested in making a quick buck and lacking any long-term ambitions - at least for the time being. Despite that the message and the visual interface can be changed on request, the default version is once again insisting that Microsoft locked down this copy of Windows because it detected it as pirated copy, and in order to unlock it the user has to send an SMS in order to receive the unlock code.

What bothers me is not the potential "spread-ibility" of his campaigns that is if he turns into a user of his own code, but how easily and cost-effectively his customers can push the ransomware to a huge number of already infected malware hosts.

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Dissecting Koobface Worm's Twitter Campaign

July 15, 2009

My "fan club" is at it again - abusing Web 2.0 in an automated fashion. A new Koobface variant, modified by a Cyrillic-aware cybercriminal going under the handle of "floppy" -- it has also been injected within legitimate sites -- has started using Twitter as a distribution channel for the group as of last week.

Hundreds of users infected with Koobface and using Twitter, are now automatically tweeting links to their followers in an attempt by the Koobface gang -- evidence on my fan club's involvement keeps popping up like mushrooms -- to abuse the much more insecure micro-blogging service in comparison with their original traffic acquisition Facebook, where they had to adapt and outsource the CAPTCHA-solving process.

The Twitter campaign is different in the sense that the Koobface serving URLs generate random strings in an attempt to defeat generic detection which is still possible due to the template-ization of malware serving sites.

The Koobface serving links themselves are a combination of purely malicious and compromised legitimate web sites, serving a slightly modified fake YouTube page, and using a well known -- maintained by the fan club -- command and control/redirector domains (119.110.107 .137/redirectsoft/go/tw.php; 61.235.117 .71/redirectsoft/go/tw.php) found in their previous campaigns. This particular campaign provided factual evidence on the direct connection between the group and several Twitter, LinkedIn and Scribd malware campaigns, where scareware and Koobface variants were served.

The following is a complete list of the Koobface URLs used in the Twitter campaign:
64.37.106 .170/myfilm/
66.206.9 .169/privateaction/index.php
asachi.evolink .ro/bestdvd/
aspompierul.zzl .org/freeperformans/
aspompierul.zzl .org/publicclips/
bit.ly/ w4ITQ
bodegasjalisco .com/bestfilms/
brentsmusic .com/publicaction/
cadcam.tecnoceram .it/privatedvd/
carolslinks .com/fantastictube/
caruso89.netsons .org/bestaction/
celaneotest.fun-domain .com/uncensoredvids/
chaps.com .my/besttube/
chriscubed .com/cooldemonstration/
costafarilya .com/extrimetv/
cubman32.net .ua/extrimevids/
dalaa3.110mb .com/extrimeaction/
deathschildren .com/extrimeclips/
divya.com .au/megatube/
download.rmes .ru/uncensoredclip/
dplive.webserwer .pl/besttv/
dramat.ilive .ro/extrimeclips/

filipicsr .biz/youtube/
flaviusrize .com/uncensoredclips/index.php
gandhiinternational. in/extrimetv/
igorbrasil .com/freetv/
itprospecialists .com/cooldvd/
kawalkimp3.yoyo .pl/yourtv/
kuzmi4.110mb .com/yourshow/index.php
lemujeme .cz/myshow/
lepk.yoyo .pl/privatevids/
matt.freehost .pl/privatefilms/
nataly.org .ua/extrimedemonstration/
oceanacompany .com/bestvids/
oceanacompany .com/yourshow/
piuk-chow .dk/megafilms/
promo-door .ru/mymovie/
reprographic .co.in/fantasticaction/
reprographic .co.in/megaperformans/
rksrouby .cz/funnyaction/
sekurpaslanmaz .com/amaizingdvd/

sekurpaslanmaz .com/bestfilms/
siam9 .com/bestfilms/
siam9 .com/coolclip/
siam9 .com/publicmovies/
skywebupload.freeweb7 .com/funnyclips/
srbijafest .org/privatefilm/
subject.freehost .pl/extrimefilms/
subject.freehost .pl/publicvids/
supreeme .com/megademonstration/
teatrall.dramat.ilive .ro/extrimeclips/

tenminutemedia .com/funnyclip/
thegoodhand .com/yourmovie/
thelambda.php5 .cz/privatemovies/
tinyurl .com/l48o9v
webxtreme.evolink .ro/uncensoredtube/
wiedzmin06.lua .pl/myvids/
xpertfill.com .mx/megafilm/
yarentextil .com/funnyvideo/
yasarturu.com .tr/yourvideo/
zoomtox .com/youtube/

Interestingly, I was able to take a peek at the statistics used exclusively for the Twitter campaign on two of the command and control/redirectors domains maintained by the gang. The results? Thankfully, pretty modest as you can see in the attached screenshots.

What all of these URLs have in common are the Koobface command and control/redirector (r-d-cgpay-090709 .com/go/tw.php) domains that they point to, including several new additions prior to their original ones described in previous posts.

Command and control domains sharing the same IPs - 98.143.159.138; 78.110.175.15; 61.235.117.71; 119.110.107.137:
upr0306 .com - Email: bigvillyxxx@gmail.com
red-dir-cgpay-0307 .com
cgpay-re-230609 .com
r-d-cgpay-090709 .com
rjulythree .com
trisem .com - Email: 2009polevandrey@mail.ru
uprtrishest .com - Email: 2009polevandrey@mail.ru
uthreejuly .com
rd040609-cgpay .net
newcounters .cn - Email: madarkipun@yandex.ru
rd040609-cgpay .net
r2606 .com
er20090515 .com
redir2404 .com
wn20090504 .com - Email: bigvillyxxx@gmail.com
redir0705 .com
redir0805 .com
er20090515 .com

On the these very same command and control domains, we can also also seen Koobface worm's captcha7.dll component in action:
rd040609-cgpay .net/cap/?a=get&i=1&v=7
upr0306 .com/cap/?a=get&i=2&v=7
rjulythree .com/cap/?a=get&i=3&v=7
uthreejuly .com/cap/?a=get&i=4&v=7
er20090515 .com/cap/?a=get&i=0&v=7

In this particular case, obtaining the CAPTCHA image from nua06032009 .biz/cap/temp - 218.93.202.50 Email: kfmnmkswrnkcxlgpfdxb68@gmail.com.

A complete list of command and control domains courtesy of FireEye, is once again emphasizing on the fact that the Koobface gang may be aware of each and every malicious traffic acquisition tactic there is, but has centralized their infrastructure making it easy to deal with it.

Who's providing them with the hosting infrastructure?
218.93.202.50 - China Beijing Chinanet Jiangsu Province Network
98.143.159.138 - United States Los Angeles Oc3 Networks & Web Solutions Llc
78.110.175.15 - Russian Federation Limit-surehost-ip/UK Dedicated Servers Limited
61.235.117.71 - China Shenzhen China Railcom Guangdong Shenzhen Subbranch
119.110.107.137 - Malaysia Kuala Lumpur Tm Net Sdn Bhd

Compared to the money they make out of scareware, since they diversify on multiple revenue-generation fronts, they money they pay for the anti-abuse hosting looks like pocket change.

Related posts:
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Transmitter.C Mobile Malware in the Wild

July 08, 2009

A currently spreading mobile malware known as Transmitter.C (sexySpace.sisx; MD5: 3e9b026a92583c77e7360cd2206fbfcd), has brandjacked a legitimate application in an attempt to infect the initial number of devices that would later on further disseminate it by aggressively SMS-ing messaged to the web site hosting it - megac1jck .com (64.22.120.235) Email: weijiang198@hotmail.com.

Upon execution it drops the following files in an attempt to infect S60 3rd Edition devices:

"c_sys\bin\Installer_0x20026CA6.exe"-"c:\sys\bin\Installer_0x20026CA6.exe", FR, RI, RW
"c_sys\bin\AcsServer.exe"-"c:\sys\bin\AcsServer.exe", FR, RI
"c_private\101f875a\import\[20026CA5].rsc"-"c:\private\101f875a\import\[20026CA5].rsc"

What's sad is that just like the majority of mobile malware incidents, this one is also digitally signed using a certificate issued by Symbian to the name of XinZhongLi Kemao Co. Ltd or vendor name "Play Boy".

The sample (Sexy Space or SYMBOS_YXES.B) has been distributed to vendors, and the ISP hosting it has been informed.

Related posts:
Proof of Concept Symbian Malware Courtesy of the Academic World
Commercializing Mobile Malware
Mobile Malware Scam iSexPlayer Wants Your Money
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Legitimate Software Typosquatted in SMS Micro-Payment Scam

July 07, 2009

Operating since 2008, the fraudulent tactics applied by Soletto Group, S.A also known as Netlink Network Corp, greatly remind of those applied by Interactive Brands also known as IBSOFTWARE CYPRUS; IB Softwares and most recently Euclid Networks Ltd -- you have to appreciate the irony here since they too multitask on multiple fronts through their official phone number since 2007 -- in particular their massive typosquatted domain farms where they'd would change and repeatedly charge without permission once someone falls victim into the fraudulent practice.

What Soletto Group, S.A or Netlink Network Corp (phone (0) 2071939823) does differently is the use of micro sms payment scam having operated the SMS numbers 78881 and 81039 in the past in order to offer a download service for legitimate software in the following way:

"WARNING: ACCESS TO THE PREMIUM SERVICE SHALL REQUIRE SENDING ONE SMS PER DOWNLOAD, AND YOU WILL RECEIVE TWO SMS. THE PRICE OF EACH SMS IS THREE POUNDS EACH. TOTAL COST OF SERVICE SIX POUNDS."

Who's typosquatted anyway? Pretty much each and every popular piece of software there is. From Kaspersky, NOD32, Malware Bytes, Avira, AVAST, BitDefender, to Firefox, BitTorrent, Microsoft Office, Winzip, Winrar, and Internet Explorer - for starters.

Here's a complete list of their domains farm, with hosting services courtesy of Rapidswitch Ltd:

nod32soft .info
malware-bytes .info
www-avasthome .com
www.www-avasthome .com
kaspersky-full .info
www-kaspersky .info
malware-bytes .info
www.avira-antivir .info
bitdefender-plus .info
office2007-full .info
sopcast-full .info
lphant-plus .info

adobeacrobat-plus .info
bitcomet-plus .info
bitdefender-plus .info
bittorrent-plus .info
elisoft-plus .info
mediaplayer-plus .info
messenger-msn-9 .com
messenger-msn-9 .info
messenger-msn-9 .org
messenger-msn .org
messenger-plus .net
moviemaker-plus .info
msn-messenger-9 .com
msn-messenger-9 .info
msn-messenger-9 .net
msn-messenger-9 .org
openoffice-plus .info
photoscape-plus .info
sopcast-plus .info
utorrent-plus .info
3gpconverter-plus .info
3gpconvertersoft .info
ares-2008 .org
ares-2009 .com

ares-2009 .net
ares-net .org
avira-net .info
bitcomet-plus .info
bitorrent .cc
bittorrent-net .info
bittorrent-plus .info
direct-x .cc
divx-player-plus .info
e-mule .nu
elisoft-plus .info
emule-2008 .net
emule-proyect .info
emulenet .net
iexplorer-full .info
iphonefull .com
javaruntime .net
lyrics2 .me
malware-bytes .info
mediaplayer-full .info
mediaplayer-plus .info
mesengerplus .org
messenger-9 .net
messenger-plus .net
messenger-soft .info

moviemaker-plus .info
msn-messenger-9 .net
msn-messenger-9 .org
nero-2008 .com
nerohome .net
nod-32 .net
nod32-net .info
office2007-ful l.info
openoffice-plus .info
photoscape-plus .info
photoscapesoft .info
pspvideo9 .info
sorpresor .com
spybotsearch-full .info
utorrent-net .info
virtualdj-soft .info
vlc-full .info
vvinrar .com

vvinrar .info
winamp-2009 .net
winamp .ws
windows-movie-maker .info
winrar-2008 .com
wiinzip .info
cdburnerxpsoft .info
www-emule .us
ultradefrag .us
bearflix .us
guitar-pro .us
messenger-2009 .us
emule-telecharger .us
aresnet .us
emulenet .us
emulepro .us
nerohome .us
vvinrar .us
aresfull .us
avastt .us
biaze .us
e-bitdefender .us

e-bitorrent .us
e-mule .us
flrefox .us
messengerhome .us
utorent .us
utorren .us
winzipp .us
cccpcodecs .org
ares-2008 .org
pdf-creator .org
limevvire .org
mesengerplus .org
w-ares .org
w-emule .org
www-3gpconverter .org
www-advanced .org
www-emule .org
www-messenger .org
www-realplayer .org
www-windowsmediaplayer .org
ares-3 .org
ares-net .org
chroome .org
emule-pro .org
messenger-msn-9 .org

A similar fraudulent Google AdWords scheme was exposed and taken care of in January. The fraudster back then was using a legitimate third-party revenue sharing toolbar installation program which was bundled within the legitimate software. In Soletto Group, S.A's case they aim to cut any intermediaries on their way to generate profit.

Rapidswitch Ltd has been informed of Soletto Group, S.A's brandjacking activities.

This post has been reproduced from Dancho Danchev's blog. Continue reading →

The Multitasking Fast-Flux Botnet that Wants to Bank With You

July 07, 2009

From a Chase phishing campaign, to a bogus Microsoft update, and an exploit serving spam campaign using a "Who Killed Michael Jackson?" theme prior to his death (go through related Michael Jackson malware campaigns), to a currently ongoing phishing campaign impersonating the United Services Automobile Association (USAA), the gang behind this botnet has been actively multitasking during the past two months.

The spam message is as follows:
"Michael Jackson Was Killed... But Who Killed Michael Jackson? Visit X-Files to see the answer: MJackson.kilijj .com/x-files", upon clicking on it the user is redirected to two exploit serving domains - ogzhnsltk .com/plugins/index.php (94.199.200.125 Email: osaltik@windowslive.com); and dogankomurculuk .com/stil/index.php (91.191.164.100 - Email: by.yasin@msn.com).

Through the use of an Office Snapshot Viewer exploit the user is the exposed to a downloader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from labormi .com/lbrc/lbr.bin (91.206.201.6). The following is an extensive list of the participating domains, as well as the currently active and fast-fluxing DNS servers part of the botnet:

List of participating domains:
kilij1 .com
ilkil1 .com
ilkifi .com
kili1j .com
kil1jj .com
ki1ijj .com
kikijj .com
k1lijj .com
kilijj .com
1ilikj .com
ilki1k .com
ilk1lk .com
i1kilk .com
ilkilk .com

kilij1 .net
ilkil1 .net
kili1j .net
kil1jj .net
ki1ijj .net
k1lijj .net
kilijj .net
1ilikj .net
ilki1k .net
ilk1lk .net
i1kilk .net
ilkilk .net
ilifi.com .mx
1ffli.com .mx
iljihli.com .mx
hhili.com .mx
hilli.com .mx
kiffil.com .mx

Michael Jackson related subdomains:
mjackson.ijjik1 .com
mjackson.ijjil1. com
mjackson.kjjil1 .com
mjackson.ikjil1 .com
mjackson.ijkil1 .com
mjackson.ijjkl1 .com
mjackson.ikilij .com
mjackson.ikklij .com
mjackson.ikilkj .com
mjackson.ikilfk .com

mjackson.ijjilk .com
mjackson.ijjill .com
mjackson.ijjik1 .net
mjackson.ijjil1 .net
mjackson.ikjil1 .net
mjackson.ijkil1 .net
mjackson.ijjkl1 .net
mail.ikilij .net
mjackson.ikilij .net
mjackson.ilifi .com.mx
mjackson.iljihli .com.mx
mjackson.hhili .com.mx
mjackson.hilli .com.mx

Microsoft related subdomains:
update.microsoft.com .h1hili.com
update.microsoft.com .ijlk1j.com
update.microsoft.com .hillij.com
update.microsoft.com .hillkj.com
update.microsoft.com .ikillif.net
update.microsoft.com .jikikji.net
update.microsoft.com .hillij.net
update.microsoft.com .hillik.net
update.microsoft.com .ikihill.net
update.microsoft.com .ilifi.com.mx
update.microsoft.com .iljihli.com.mx
update.microsoft.com .hilli.com.mx
update.microsoft.com .kiffil.com.mx

USAA.com related phishing subdomains:
www.usaa.com.kihhif .com
www.usaa.com.kihhih .com
www.usaa.com.kihhik .com
www.usaa.com.kihhil .com
www.usaa.com.kihhik .net
www.usaa.com.kihhil .net
www.usaa.com.hilli.com .mx
www.usaa.com.frtll.com .mx
www.usaa.com.mrtll.com .mx

DNS Servers of notice:
ns1.vine-prad .com
ns2.vine-prad .com
ns1.blacklard .com
ns1.fax-multi .com
ns2.fax-multi .com
ns1.rondonman .com
ns2.rondonman .com
ns1.host-fren .com
ns2.host-fren .com
ns1.hotboxnet .com
ns2.hotboxnet .com
ns1.free-domainhost .com
ns2.free-domainhost .com
ns1.sunthemoow .com

ns2.sunthemoow .com
ns1.high-daily .com
ns2.high-daily .com
ns1.otorvald .net
ns1.red-bul .net
ns2.red-bul .net
ns1.footdoor .net
ns1.bestdodgeros .net
ns2.bestdodgeros .net
ns1.azdermen .com
ns2.azdermen .com
ns1.departconsult .com
ns2.departconsult .com
ns1.torentwest .com
ns2.torentwest .com
ns1.downlloadfile .net
ns2.downlloadfile .net

Due to this botnet's involvement with several other malware campaigns of notice, as well as its evident connection with the ongoing monitoring of several particular cybecrime groups, analysis and updates will be posted as soon as they emerge.

Related posts:
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

This post has been reproduced from Dancho Danchev's blog. Continue reading →

A Diverse Portfolio of Fake Security Software - Part Twenty Two

July 03, 2009

Part twenty two of the diverse portfolio of fake security software series will summarize the typosquatted scareware serving domains currently in circulation, pushed through the usual distribution channels, but will also emphasize on the "money trail", namely the payment processing gateways used in the scareware campaigns.

In this particular case the scareware front-ends ultimately leading to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless number of aliases such as Meyrocorp for instance.

The scareware domains are as follows:
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goscanfine. com - Email: chirelqas@gmail.com
in6ch .com - Email: relgetn@gmail.com
goscanrich .com - Email: pathstals@gmail.com
goscanrank .com - Email: alcnafuch@gmail.com
ina6sk .com - Email: equatelepi@gmail.com
in6sk .com - Email: thomas.truby@gmail.com
goscanslim .com - Email: chinrfi@gmail.com
gowidescan .com - Email: alcnafuch@gmail.com
goedgescan .com - Email: subtenda@gmail.com
gofinescan .com - Email: alcnafuch@gmail.com
goelitescan .com - Email: funully@gmail.com
gorichscan .com - Email: pathstals@gmail.com
goslimscan .com - Email: chinrfi@gmail.com
gosoonscan .com - Email: aloxier@gmail.com
goironscan .com - Email: aloxier@gmail.com
goflexscan .com - Email: alcnafuch@gmail.com
gomanyscan .com - Email: alcnafuch@gmail.com
goscaniron .com - Email: aloxier@gmail.com
ina6co .com - Email: equatelepi@gmail.com
in6co .com - Email: thomas.truby@gmail.com
goscantop .com - Email: funully@gmail.com
ina6iq .com - Email: equatelepi@gmail.com
goscanstar .com - Email: stgeyman@gmail.com
goscanflex .com - Email: chirelqas@gmail.com
goscanmany .com - Email: chirelqas@gmail.com
scantrue6 .info - Email: jokinzer@gmail.com
scantool6 .info - Email: jokinzer@gmail.com
scanzoom6 .info - Email: jokinzer@gmail.com
litescan6 .info - Email: litescan6.info
truescan6 .info - Email: jokinzer@gmail.com
toolscan6 .info - Email: jokinzer@gmail.com

atomscan6 .info - Email: donboset@gmail.com
genscan6 .info - Email: imendegal@gmail.com
luxscan6 .info - Email: donboset@gmail.com
wayscan6 .info - Email: jokinzer@gmail.com
scanuser6 .info - Email: jokinzer@gmail.com
scanway6 .info - Email: jokinzer@gmail.com
scan6line .info - Email: jokinzer@gmail.com
scan6note .info - Email: jokinzer@gmail.com
scan6true .info - Email: jokinzer@gmail.com
scan6tool .info - Email: jokinzer@gmail.com
true6scan .info - Email: jokinzer@gmail.com
tool6scan .info - Email: jokinzer@gmail.com
top6scan .info - Email: jokinzer@gmail.com
user6scan .info - Email: jokinzer@gmail.com
list6scan .info - Email: jokinzer@gmail.com
way6scan .info - Email: jokinzer@gmail.com
scan6user .info - Email: jokinzer@gmail.com
scan6list .info - Email: jokinzer@gmail.com
scan6fix .info - Email: jokinzer@gmail.com
scan6way .info - Email: jokinzer@gmail.com

It's pretty obvious case demonstrating the dynamics of the underground ecosystem. A thousand bogus accounts purchased for $10 used in a bulk registration of scareware serving domains on a revenue sharing affiliate model ends up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but due to the availability of the service.

clean-pc-now .net - 94.75.233.162 - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
scan-pc-now .com - Email: robertsimonkroon@gmail.com
free-tube-porn .biz - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com

softportal-extrafiles .com - 64.20.38.172
exe-profile .com - Email: kimwerner92@yahoo.com
extrafiles-softportal .com - Email: opipkl@googlemail.com
softportal-files .com - Email: kimwerner92@yahoo.com
softportal-extrafiles .com
load-exe-soft .com - Email: kimwerner92@yahoo.com
exe-box .com - Email: normtroup@yahoo.com
hot-exe-area .net - Email: josepetie@gmail.com

spywarecomputerscanv2 .com - 69.10.59.35 - Email: huang@bark.edu.hk
1live-antimalware-pro-scan .com - Email: hongkong@campusparis.org
1live-antimalware-scanner .com - Email: hongkong@campusparis.org
folderantispywarescanner .com - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: vanmullem@yahoo.com

restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com
msncoreupdate .com - Email: jen@parallelslive.cn
world-payment-system .com - Email: info@yashitaindian.com
liveinternetupdates .com - Email: kuzya77@freebbmail.com
onlineantivirusmarket .com Email: podbisb@hotmail.com

threats-scanner .com - 69.4.230.204 - Email: vanmullem@yahoo.com
securitypcscanner2 .com - Email: office@actionaidinusa.org
anti-virussecurity3 .com - Email: office@actionaidinusa.org
private-online-scan .com - Email: info@kianah.org
liveantivirusproscan .com - Email: second@freebbmail.com
no1virusscan .com - Email: info@kianah.org
my-private-protection .com - Email: info@kianah.org
scanmyfolders .com - Email: info@kianah.org
scanmycomputerforvirus .com - Email: vanmullem@yahoo.com

onlinescan-ultraantivirus2009 .com - 206.53.61.76
relevantwebsearches .com
virussweeper-scanvirus .com
guardincorp .info
mainsecsys .info - Email: andrew.fbecket@gmail.com
guardsecurity .info - Email: poljaykop@gmail.com
virusalarm-scanvirus .net

best-protect .info - 174.142.113.205 - Email: chainadmin@gmail.com
best-protect-av1 .info - Email: chainadmin@gmail.com
best-antivirus-pc .info - Email: chainadmin@gmail.com
best-av1-protect .info - Email: chainadmin@gmail.com
av1-protect .info - Email: chainadmin@gmail.com
av1-best-protect .info - Email: chainadmin@gmail.com
best-protect .info - Email: chainadmin@gmail.com
best-av .info - Email: chainadmin@gmail.com

pay-virusshield .cn - 64.213.140.70 - Email: unitedisystems@gmail.com
shieldinc .info
systemprotectinc .info
ironshield .info
myofficeguard .info
protectionurl .info
my-protection .info
antivirus09 .net
fast-antivirus.net

virusshieldpro .com - 64.86.16.127 - Email: unitedisystems@gmail.com
prestotuneup .com - Email: hycderxvur@whoisservices.cn
virussweeper-scanvirus .com
virusmelt .com - Email: nuhuarrczq@whoisservices.cn
systemsec .info
shieldinc .info
myofficeguard .info
protect-online .info
protectionlol .info
protectionurl .info
virussweeper-scan .net

advanced-virus-remover2009 .com - 92.241.176.188 - Email: masle@masle.kz
trucount3005 .com - Email: chen.poon1732646@yahoo.com
antivirus-scan-2009 .com - Email: cheng2009@yahoo.com
antivirusxppro-2009 .com - Email: u@sochi.ru
advanced-virusremover2009 .com - Email: giogr@ua.fm
bestscanpc .com
trucountme .com - Email: valentin@gergiea.kz
vs-codec-pro .com - Email: bhtjnjhggn@googlemail.com
vscodec-pro .com - Email: cyber38462@hotmail.com
antivirus-2009-ppro .com - Email: cheng2009@yahoo.com
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
downloadavr .com - Email: gorbun@ua.fm
bestscanpc .net

activation-antivirus-software .com - 208.43.124.83 - Email: matlee@fsuk.edu
fxantispy .com - Email: TycoonMichael@googlemail.com
my-protection .info - 64.213.140.70 - Email: hop.davis@gmail.com
protectonline .info - 64.86.17.47 - Email: hop.davis@gmail.com
safetywwwtools .com - 209.44.126.36 - Email: martin.s.johnson@spambob.com
defenderupdates2 .com - 89.248.168.46 - Email: china@seban.se
securitytoolsdirect .com - 209.44.126.22 - Email: RuthMMarcotte@text2re.com
best-antivirus-security .com - 84.16.237.52 - Email: valentinyermolaev@gmail.com
malwaresdestructor .com - 206.53.61.74
suprotect .com - 89.149.212.218 - uuuuu@ua.fm
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
antivirus-online-pro-scan .com - Email: vanmullem@yahoo.com
avpro-labs .com - 213.182.197.229
avprotectionstat .com - 74.50.99.236
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com A 83.133.125.116; 69.10.59.35; 83.133.125.116 - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: info@brandturkey.com
mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru
internetware-safe .com - Email: candikeller@ya.ru

scanonlinesite .info - 66.148.74.126
scanonlineblog .info
scanonlineshop .info
scanonlinenow .info

youravprotection .com - 74.50.98.162 - Email: armandgregory3@gmail.com
registerantivirus .com Email: ed.areyra@gmail.com
avprotectionstat .com

avagent-pro .com - 83.133.126.46 - Email: dwrdcardenas95@gmail.com
downloads-123 .com - Email: dwrdcardenas95@gmail.com
soft-process .com - Email: dwrdcardenas95@gmail.com
download-123 .cn - Email: dwrdcardenas95@gmail.com
actupdate .net - Email: dwrdcardenas95@gmail.com

Now the emphasis on the payment gateways, currently active and processing the scareware transactions:
softwaresecuredbilling .com - 209.8.45.122 - TemchenkoViktor@googlemail.com
softsales-discount .com - Email: daunrwwciq@whoisservices.cn
best-internet-payments .com - 209.8.45.148 - Email: specsupport@gmail.com
adioro .com - 213.174.152.32 - Email: xyhsbjlrl@whoisprivacyprotect.com
secure-plus-payments .com - 209.8.25.204 - Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124 - Email: pnm-software.com@liveinternetmarketingltd.com
soft-process .com - 83.133.126.46 - Email: XtPbtP@privacypost.com
privatesecuredpayments .com - 78.46.216.238 - Email: TemchenkoViktor@googlemail.com