Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

August 18, 2009
AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains, not previously listed, were in circulation during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com)

How did the cybercriminals respond? By proving that this blackhat SEO campaign was well planned and coordinated long before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites (evidently the result of a compromise at Web Hosting Mania, since all the affected legitimate sites are hosted there), a growing portfolio of .cc tld domains, automated abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and the systematic pushing of new scareware variants and of new redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only have the blackhat SEO themes expanded into the typical randomly generated junk content that public search engines have naturally crawled, but according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referrals for one particular domain coming from thebbs.org and 31.97% from Google; their tactics are already hijacking millions of users.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:
  • U.K based hosting provider Web Hosting Mania appears to be compromised, since all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated twice in a 24-hour period
  • all the scareware samples continue phoning back to several domains parked at 78.46.201.90
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"
Compromised legitimate domains at Web Hosting Mania currently in circulation:


Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:

Portfolio of scareware domains participating in the blackhat SEO campaign, parked at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225:

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain, pencil-netwok .com (94.102.48.31); parked there are the rest of the phone-back locations for the remaining scareware, such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com.
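The indicator lines throughout this post share one defanged shape (domain with a space before the TLD, optional hosting IP, optional registrant email), and the analysis pivots on the fields that repeat across them: one hosting IP shared by many domains, or one registrant address behind dozens of them. The following is an added example, not code from the post: a parser for that line format plus the two pivots, run over constructed sample lines (RFC 5737 documentation addresses and made-up domains and addresses).

```python
"""Parse defanged indicator lines of the shape used throughout this post
("domain .tld - 192.0.2.1 - Email: who@example.net") and pivot on the two
fields that tie campaign domains together: shared hosting IP and shared
registrant email. The sample input is constructed for this example and uses
RFC 5737 documentation addresses; none of it is taken from the post."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the post's line format: note the space before the
# TLD, a duplicated entry, a line without an IP, a line without an email and
# a prose line that must be ignored.
SAMPLE_LINES = """\
alpha-scan01 .cc - 192.0.2.10 - Email: registrant-a@example.net
beta-scan02 .cc - 192.0.2.10 - Email: registrant-a@example.net
gamma-scan03.co .uk - Email: registrant-b@example.org
delta-scan04 .cc - 192.0.2.11 - Email: registrant-a@example.net
delta-scan04 .cc - 192.0.2.11 - Email: registrant-a@example.net
epsilon05 .net - 192.0.2.12
Parked there are also other domains, listed below:
"""

DOMAIN_RE = re.compile(r"^[\w-]+(?:\.[\w-]+)+")      # label(.label)+ at line start
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: Optional[str]
    email: Optional[str]


def refang(line: str) -> str:
    """Undo the 'domain .tld' defanging by removing whitespace before a dot."""
    return re.sub(r"\s+\.", ".", line.strip())


def parse_indicator_line(line: str) -> Optional[Indicator]:
    """Return an Indicator for a 'domain - ip - Email: x' line, else None."""
    text = refang(line)
    m = DOMAIN_RE.match(text)
    if not m or IP_RE.fullmatch(m.group(0)):   # skip prose and bare-IP lines
        return None
    rest = text[m.end():]
    ip = IP_RE.search(rest)
    email = EMAIL_RE.search(rest)
    return Indicator(m.group(0).lower(),
                     ip.group(0) if ip else None,
                     email.group(0).lower() if email else None)


def parse_indicator_lines(text: str) -> List[Indicator]:
    """Parse every line, dropping non-indicator lines and exact duplicates."""
    seen, out = set(), []
    for line in text.splitlines():
        ind = parse_indicator_line(line)
        if ind and ind not in seen:
            seen.add(ind)
            out.append(ind)
    return out


def _pivot_nodes(ind: Indicator) -> List[str]:
    """Graph nodes an indicator can be tied to: its IP and its registrant email."""
    nodes = []
    if ind.ip:
        nodes.append("ip:" + ind.ip)
    if ind.email:
        nodes.append("email:" + ind.email)
    return nodes


def shared_pivots(indicators: List[Indicator],
                  min_domains: int = 2) -> List[Tuple[str, List[str]]]:
    """IPs / registrant emails that tie at least min_domains distinct domains
    together, strongest pivot first."""
    by_node: Dict[str, set] = defaultdict(set)
    for ind in indicators:
        for node in _pivot_nodes(ind):
            by_node[node].add(ind.domain)
    hits = [(n, sorted(d)) for n, d in by_node.items() if len(d) >= min_domains]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def cluster_by_shared_pivots(indicators: List[Indicator]) -> List[List[str]]:
    """Connected components of the domain<->pivot graph: two domains land in
    the same cluster when a chain of shared IPs or emails links them."""
    adj: Dict[str, set] = defaultdict(set)
    for ind in indicators:
        for node in _pivot_nodes(ind):
            adj[ind.domain].add(node)
            adj[node].add(ind.domain)
    seen, clusters = set(), []
    for ind in indicators:
        if ind.domain in seen:
            continue
        stack, members = [ind.domain], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if ":" not in n:           # pivot nodes carry an "ip:"/"email:" prefix
                members.append(n)
            stack.extend(adj[n] - seen)
        clusters.append(sorted(members))
    return sorted(clusters, key=lambda c: (-len(c), c))


if __name__ == "__main__":
    inds = parse_indicator_lines(SAMPLE_LINES)
    for node, domains in shared_pivots(inds):
        print(f"{node}: {', '.join(domains)}")
    for cluster in cluster_by_shared_pivots(inds):
        print("cluster:", ", ".join(cluster))
```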

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:


New/historical redirection domains used in the campaign, this time parked at 78.46.201.89/94.102.48.29/different locations as noted:

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines, which act both as redirectors to phony sites/scams and as keyword blackholes that help them assess the popularity of a particular keyword and then push it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk sites, as well as the purely malicious blackhat SEO domains, for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - 64.27.21.5 - Email: support@ruler-domains.com
triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php - Email: tigerwood1@nm.ru

triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated, it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query= - deja vu again: fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions will continue, with an emphasis on the RBN connection from a related blackhat SEO campaign last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

August 10, 2009
UPDATE2: New scareware domain is in rotation - antispywarelivescanv5 .com - 83.133.123.174; 83.133.126.155; 91.212.107.5; 94.102.48.29; 94.102.51.26; 188.40.61.236 - Email: sales.in@bauhmerhhs.com. Redirection takes place through consensualart .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com. 

UPDATE: Four new domains have been introduced, again using the services of AltusHost Inc. (AS44042):

thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com
hernewdy .com - 91.214.44.152 - Email: jacub26887@lycos.com
shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com
vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com

The redirection takes place through mywatermakrs .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com

In response to the takedown of the blackhat SEO domains used in the campaign dissected last week, the group has introduced new domains alongside new redirectors and, most interestingly, has started using compromised/mis-configured legitimate sites in an attempt to increase the lifecycle of the campaign by making it takedown-proof.

New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting services:

The cybercriminals are also attempting to use a well proven tactic - occupying as many search engine results as possible for a particular hijacked keyword by using identical blackhat SEO junk content at multiple domains. A similar attempt was successfully executed in the January 2009 search results poisoning campaign at Google Video, where the first ten results for a particular keyword were all malicious.

The compromised/misconfigured legitimate sites used in the campaign are serving dynamic javascript obfuscations. Here's a list of ones currently in use:

The campaign continues switching between different redirectors parked at 83.133.123.113 for instance:


An updated portfolio of scareware/fake security software, parked at 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5; 94.102.48.29 has been introduced:


Sampled scareware once again phones back to thebigben .cn - Email: chu-thi-huong@giang.com and june-crossover .com - 78.46.201.90 - Email: doru@sattenis.com, with more scareware parked there - purchuase-premium-software .com - Email: nagappan.krishnan@persons.us; livepaymentssystem .com - Email: mike12haro@yahoo.com; secure.livepaymentssystem .com - Email: mike12haro@yahoo.com; purchuasepremiumprotection .com - Email: Malcolm@partypants.com.

Evasion techniques are again in place; this time, however, they end in a Russian Business Network deja vu moment from 2008. In March 2008, ZDNet Asia and TorrentReactor, followed by a large number of other high profile, high pagerank sites, started acting as intermediaries to scareware campaigns, among the first such abuses of legitimate sites for scareware serving purposes.

The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are, surprisingly, redirecting to a-n-d-the.com /wtr/router.php (95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE) if the HTTP referrer condition isn't met. This very same domain, back then parked at INTERCAGE-NETWORK-GROUP2, was also used in the same fashion in the March 2008 massive blackhat SEO campaigns serving scareware.

This post has been reproduced from Dancho Danchev's blog.

Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware

August 06, 2009
During the past 24 hours, a blackhat SEO campaign has been hijacking U.S Federal Forms related keywords in an attempt to serve scareware.

What's particularly interesting about the campaign is that the Ukrainian fan club behind it -- you didn't even think for a second that there's no connection with their previous campaigns, did you? -- is using basic segmentation principles, since the tax form keyword poisoning is attempting to hijack U.S traffic. Evasive practices are also in place through the usual HTTP referrer check, which serves the scareware only if the visitor is coming from Google.com; if not, a 404 error message appears.
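The referrer check described above is what keeps crawlers from ever seeing the scareware, and its mirror image is a differential probe. The following is an added example, not code from the post: it requests a landing page with and without a Google search Referer and flags the page when the status or redirect target changes, which also catches the variant where non-matching visitors are sent to a traffic router instead of a 404. The fetchers are constructed stand-ins so it runs offline, and every domain name in it is a placeholder.

```python
"""Crawler-side check for HTTP Referer cloaking: fetch the same landing page
with several Referer values and flag it when the answer depends on the
Referer. The fetchers at the bottom are constructed stand-ins so the check
runs offline; a live version would wrap urllib/requests with redirects
disabled so the Location header is observed rather than followed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None   # Location header on a redirect, if any


# A fetcher takes a URL plus request headers and returns a Response.
Fetcher = Callable[[str, Dict[str, str]], Response]

# Referer values to compare. The post describes pages that only serve the
# scareware redirect to visitors arriving from Google search, so a Google
# search referer sits alongside a bare request and an unrelated site.
PROBES: Dict[str, Optional[str]] = {
    "no-referer": None,
    "google-search": "https://www.google.com/search?q=federal+tax+form",
    "other-site": "https://www.example.org/links.html",
}


def probe(url: str, fetch: Fetcher) -> Dict[str, Response]:
    """Fetch url once per probe and return the responses keyed by probe label."""
    results = {}
    for label, referer in PROBES.items():
        headers = {"User-Agent": "Mozilla/5.0 (constructed crawler UA)"}
        if referer is not None:
            headers["Referer"] = referer
        results[label] = fetch(url, headers)
    return results


def classify(results: Dict[str, Response]) -> str:
    """'cloaked' when status or redirect target varies with the Referer."""
    signatures = {(r.status, r.location) for r in results.values()}
    return "cloaked" if len(signatures) > 1 else "consistent"


def redirect_targets(results: Dict[str, Response]) -> Dict[str, str]:
    """Hostnames the page redirects to, per probe label, for blocklisting."""
    return {label: urlparse(r.location).hostname
            for label, r in results.items() if r.location}


# --- Constructed stand-ins for the two behaviours worth telling apart -------
def cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    """Emulates the evasive landing page: redirect for Google referers, 404
    otherwise. A variant that redirects non-matching visitors to a traffic
    router instead is caught the same way, because the Location differs."""
    host = urlparse(headers.get("Referer", "")).hostname or ""
    if host == "google.com" or host.endswith(".google.com"):
        return Response(302, "http://scareware-landing.example/scan.php")
    return Response(404)


def honest_site(url: str, headers: Dict[str, str]) -> Response:
    """A page that answers the same way regardless of Referer."""
    return Response(200)


if __name__ == "__main__":
    results = probe("http://compromised-site.example/", cloaked_site)
    print(classify(results), redirect_targets(results))
```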

Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used - honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - 83.133.123.113 Email: accabj@cn.accaglobal.com. Parked on the same IP are also related malware/scareware domains:


The malicious domains used -- with two exceptions, the legitimate dynodns.net and thebbs.org -- are all parked at AltusHost Inc./ALTUSHOST-NET. Here's the complete list:

The people behind the campaign have also kept contingency planning in mind, since the scareware domain portfolio is parked on five different IPs - no-spyware-thanks .com - 94.102.48.29; 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5 - Email: Paul.Saydak@lovellis.com. The complete list:


Two scareware samples obtained during the past 24 hours phone back to goldmine-sachs .com (Goldman Sachs typosquatting) - 83.133.122.211; 89.47.237.52 - Email: rodriguez.dallas@romehotels.com and to june-crossover .com - 83.133.123.109 - Email: doru@sattenis.com. As for 89.47.237.52, the "fan club" used it to host scareware in its June campaigns.

AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.

This post has been reproduced from Dancho Danchev's blog.

Scareware Template Localized to Arabic

August 05, 2009
A "new tactic" is supposedly being used - a Blue Screen of Death scareware template - with a single fact missing "for the record": the template is old. I came across it on June 17th, and Marshal8e6 featured it even earlier, on the 12th of June.

What's new on the template front in respect to scareware is what will inevitably start taking place across all market segments within the underground economy in the long term - market segmentation and localization, namely translating the malware/spam/phishing templates into the native language of the prospective victims.
 
A decent example is the first ever template of the popular "My Computer Online Scan" fake scanning screen localized to Arabic - scan-online .co.cc/arabic.php (67.222.148.26).

The last time localization of fake security software was actively taking place was in April, 2008, and the campaigners back then also localized the domain names next to the actual content.

This post has been reproduced from Dancho Danchev's blog.

Movement on the Koobface Front

August 04, 2009
Now that the Koobface gang is no longer expressing its gratitude for the takedown of its command and control servers, the group has put its contingency planning into action, thanks to the purposely slow reaction of UKSERVERS-MNT's (78.110.175.15) abuse department.

Next to the regular updates (web.reg .md/1/websrvx2.exe; web.reg .md/1/prx.exe), the group has introduced two new domains and started taking advantage of two more IPs for its main command and control server. upr0306 .com now responds to:

67.215.238.178 - AS22298 - Netherlands Distinctio Ltd
78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated Servers
221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN

and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, with ram-220709 .com/go/?pid=30909&type=videxpgo.php?sid=4&sref= redirecting to the Koobface botnet.

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat SEO campaigns from June/July, with warwork .info and tangoing .info parked there.

Related posts:
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.


Managed Polymorphic Script Obfuscation Services

August 04, 2009
Cybercriminals understand the value of quality assurance, and have been actively running business models on top of it for the past two years.

From the multiple offline antivirus scanners using pirated software, through the online detection rate checking services that allow scheduled URL scans and notification upon detection by antivirus vendors, to the underground alternatives to VirusTotal in the form of multiple firewall bypass verification checks - cybercriminals are actively benchmarking and optimizing their releases before launching yet another campaign.

A newly launched service aims to port a universal managed malware feature on the web - the polymorphic obfuscation of malicious scripts in an attempt to increase the lifecycle of a particular campaign.

Interestingly, thanks to the obvious software piracy within the cybercrime ecosystem, which has allowed proprietary malware tools to leak into the wild, the service is using a particular malware kit's JavaScript obfuscation routines and running a business model on top of them.

For the time being, it relies on three obfuscation algorithms: HTMLCryptor only - used 56 times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY obfuscation service also checks and notifies the cybercriminal over ICQ whenever his IPs and domain names have been blacklisted by Google's Safe Browsing or by Spamhaus, and more checks against public malware domain/IP databases are on the developer's to-do list.

The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is attempting to monetize a commodity feature already available to cybercriminals through the managed updates that come with the purchase of a proprietary web malware exploitation kit, it's not a fad, since it fills the DIY niche, where the variety of the algorithms offered and their actual quality will spell either the doom or the rise of the service.

This post has been reproduced from Dancho Danchev's blog.

Social Engineering Driven Web Malware Exploitation Kit

July 30, 2009

The standardization through template-ization of bogus codec/flash player/video pages, taking place during the past two years, has exponentially increased the efficiency levels of malware campaigns relying exclusively on social engineering.

Just as phishing pages have become a commodity, these commodity spoofs of legitimate software/plugins relying on "visual social engineering" represent a market segment by themselves, one that some cybercriminals have been attempting to monetize for a while.

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.

Although the kit's author has ripped off the statistics interface of a well known exploit-serving malware kit, what's unique about this release is that its "exploit modules" take the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", "Outdated Video Codec" and "Codec Required" modules.

These very same modules represent the dominant social engineering attack vector on the Internet, due to the quality of the spoofs and the gullibility of end users who infect themselves. For the time being, the author appears to be an opportunist rather than someone interested in setting new benchmarks for standardizing social engineering by using the efficiency and delivery methods offered by a web malware exploitation kit.

Interestingly, a huge number of fake codec serving web sites are already detecting the visitor's OS/browser and serving either Mac OS X based or Windows based malware depending on the result. This, together with the fact that visual spoofs of OS X style dialogs are also getting template-ized, is not a coincidence - it's a signal that an efficient, social engineering driven malware delivery mechanism is in the works. The development of the kit will be monitored and updates posted - if any.

Meanwhile, the recent blackhat SEO campaign which attempted to hijack 'Harry Potter and the Half-Blood Prince' related traffic is a good example of how, despite the magnitude of a campaign -- hundreds of thousands of indexed, malware serving pages -- manual campaign management and its centralized nature make it easier to shut down.

Upon clicking on a link, the end user was redirected to usa-top-news .info - 67.228.147.71 - Email: fullhdvid@gmail.com, then to world-news-scandals .com - Email: wnscandals@gmail.com, and finally to tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 - j0cqware@gmail.com, where the codec was served from exefreefiles .com - 95.211.8.20 - Email: case0ns@gmail.com. More codec serving domains are parked on the same IPs:

The gang maintains another domain portfolio with pretty descriptive names, used for phone-back and direct fake codec serving purposes:

Who's behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", it's the "fan club" with the Koobface connection, continuing to use the same phone back locations that they've been using during the past couple of months - myart-gallery .com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; robert-art .com/senm.php - 66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 216.240.146.119 - Email: chucjack@gmail.com.
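Reconstructing that kind of multi-hop chain (search engine -> redirector -> redirector -> landing page -> .exe) from proxy logs is one way a defender can catch the pattern at the perimeter. The following is an added example, not code from the post; the log format, the `.example` hostnames and the sample lines are constructed placeholders modelled on the chain described above.

```python
"""Reconstruct search -> redirector -> landing page -> .exe download chains
from proxy logs, the pattern the post describes for the Harry Potter campaign.
Added example; the log format, the .example hostnames and the sample
lines below are constructed placeholders, not data from the original post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: "<timestamp> <client-ip> <url> <referrer-or-dash> <status>"
SAMPLE_LOG = """\
2009-07-28T10:00:01 10.0.0.5 http://www.google.com/search?q=harry+potter - 200
2009-07-28T10:00:03 10.0.0.5 http://news-redirector.example/top.html http://www.google.com/search?q=harry+potter 302
2009-07-28T10:00:04 10.0.0.5 http://scandals-redirector.example/ http://news-redirector.example/top.html 302
2009-07-28T10:00:05 10.0.0.5 http://tube-landing.example/xplay.php?id=40018 http://scandals-redirector.example/ 200
2009-07-28T10:00:09 10.0.0.5 http://exe-host.example/codec_update.exe http://tube-landing.example/xplay.php?id=40018 200
2009-07-28T10:05:00 10.0.0.9 http://www.google.com/search?q=weather - 200
2009-07-28T10:05:02 10.0.0.9 http://legit-news.example/weather.html http://www.google.com/search?q=weather 200
2009-07-28T10:07:00 10.0.0.9 http://vendor.example/setup.exe http://vendor.example/download.html 200
"""

# Referrer hosts that mark the start of a search-engine-hijacking chain.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, url, ref, status = m.groups()
    return {"ts": ts, "client": client, "url": url,
            "referrer": None if ref == "-" else ref, "status": int(status)}


def build_referrer_map(lines):
    """Map client -> {requested url: referrer url} for every parseable line."""
    ref_map = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ref_map[rec["client"]][rec["url"]] = rec["referrer"]
    return ref_map


def walk_chain(ref_map, client, url):
    """Follow referrers backwards from url; returns the chain root-first.

    The 'seen' set stops the walk on referrer loops (A -> B -> A)."""
    chain, seen = [url], {url}
    while True:
        ref = ref_map[client].get(chain[-1])
        if ref is None or ref in seen:
            break
        chain.append(ref)
        seen.add(ref)
    chain.reverse()
    return chain


def find_codec_chains(lines, min_hops=3):
    """Flag .exe downloads reached from a search engine via >= min_hops hops.

    Returns a list of (client, [host, host, ...]) tuples, root host first.
    A direct vendor download (no search-engine root) is not flagged."""
    ref_map = build_referrer_map(lines)
    hits = []
    for client, urls in ref_map.items():
        for url in urls:
            if not urlsplit(url).path.lower().endswith(".exe"):
                continue
            chain = walk_chain(ref_map, client, url)
            root_host = urlsplit(chain[0]).netloc.lower()
            if root_host in SEARCH_ENGINES and len(chain) - 1 >= min_hops:
                hits.append((client, [urlsplit(u).netloc for u in chain]))
    return hits


if __name__ == "__main__":
    for client, hosts in find_codec_chains(SAMPLE_LOG.splitlines()):
        print(client, " -> ".join(hosts))
```

Real proxies often drop the referrer across 302 redirects, so in production the same walk would be keyed on the per-client request sequence and timing as well, not on the referrer header alone.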

This post has been reproduced from Dancho Danchev's blog.

5th SMS Ransomware Variant Offered for Sale

July 29, 2009
"Your system has been blocked because it is running a pirated copy of Windows. In order to unblock it, enter the activation code sent to you by SMS-ing the following number."

Demand and emerging business models based on micro-payment ransom meet supply, with yet another SMS-based ransomware variant offered for sale ($25). Just like previous underground market propositions, this one comes with a value-added service: managed undetected binaries on a daily basis, at an extra $5 per undetected copy. It's worth pointing out that, due to the customization offered, the original layout and error messages will look a lot different once customers get hold of the ransomware.

Key features include:
- protects against repeated infection through a mutex
- pops up on top of all windows
- disables safe mode, as well as key combinations that could bypass the window
- adds itself as a trusted/excluded executable in Windows Firewall
- a variety of non-intrusive auto-start/executable injection capabilities
- ROT-x encryption for the activation codes
- ability to embed more than one activation code
- monitors and automatically blocks the process names of tools that could allow removal
- complete removal of the code from the system once the correct activation code is entered
- zero detection rate of a sampled binary -- of course the advertiser is biased, and he didn't bother including a reference to the service he used (VirusTotal, NoVirusThanks.org, etc.)

Despite several isolated cases where the originally Russian ransomware has affected international English-speaking users, the campaigns primarily target Russian-speaking users -- at least for the time being, until the malware authors or their customers start localizing it. This emerging micro-payment ransomware business model is the direct result of largely unregulated market segments that allow literally anyone to get hold of a premium, automatically managed number in order to facilitate it.

Related posts:
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

A Diverse Portfolio of Fake Security Software - Part Twenty Three

July 27, 2009
Part twenty three of the diverse portfolio of fake security software series will once again summarize the scareware domains currently in circulation, delivered through the usual channels - blackhat SEO, compromises of legitimate web sites, comment spam and bogus adult web sites - with an emphasis on yet another bogus company acting as a front-end to an affiliate network: AK Network Commerce Ltd.

Scareware remains the dominant monetization tactic applied by cybercriminals automatically abusing Web 2.0 properties.

The latest scareware domains are as follows:
Sampled malware phones back to od32qjx6meqos .cn/ua.php; more phone-back locations are also parked there:
One of the latest front-ends to scareware affiliate networks is AK Network Commerce Ltd (ak-networkcommerce .com):

"Implementing latest anti-hacker technology based on expert and user reviews AK Network Commerce Ltd enables hacker-proof defense, blocks unauthorized access to your private information, and hides your identity. Having combined latest features of cutting-edge privacy protection technologies our knowledgeable team designed products to easily and effectively fight perilous cyber attempts. Thorough selection and step-by-step application of elements and tools required for comprehensive protection of your personal data helped us achieve success and become industry leading representatives. We did our best to prove that the time has come to leave behind worries about private data theft."

The company is the very latest attempt by a bogus outfit to build legitimacy around its "latest anti-hacker technology". Meanwhile, blacklisting, sample distribution and the shutting down of the scareware domains not only undermine the effectiveness of their largely centralized malware campaigns and cost them missed revenue projections, but also increase the opportunity costs for the gang.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

This post has been reproduced from Dancho Danchev's blog.