Koobface Botnet's Scareware Business Model - Part Two

November 11, 2009
UPDATED - Wednesday, November 18, 2009: A new update is pushed to the hundreds of thousands infected hosts, which is now performing the redirection using dynamically generated .swf files, with every page using the same title "Wonderful Video". The redirection is also a relatively static process.

For instance, if the original koobface redirector is koobface.infected.host/301, followed by the .swf redirection it will output koobface.infected.host/301/?go.

New redirectors and scareware domains pushed within the past few hours include - everlastmovie .cn - Email: gmk2000@yahoo.com; smile-life .cn - Email: gmk2000@yahoo.com ; harry-pott .cn - Email: gmk2000@yahoo.com, beprotected9 .com - Email: essi@calinsella.eu and antivir3 .com - Email: essi@calinsella.eu.

UPDATED - Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103 which was taken offline for a short period of time. ISP has been notified again, action should be taken shortly. The current domain portfolio including new ones parked there: 

ereuqba .cn - Email: spscript@hotmail.com
eqoxyda .cn - Email: spscript@hotmail.com
evouga .cn - Email: spscript@hotmail.com
edivuka .cn - Email: spscript@hotmail.com
ebeama .cn - Email: spscript@hotmail.com
kebugac .cn - Email: spscript@hotmail.com
eqoabce .cn - Email: spscript@hotmail.com
kixyhce .cn - Email: spscript@hotmail.com
cecyde .cn - Email: spscript@hotmail.com
evybine .cn - Email: spscript@hotmail.com
eqaone .cn - Email: spscript@hotmail.com
dyqunre .cn - Email: spscript@hotmail.com
byzivte .cn - Email: spscript@hotmail.com
dovzyag .cn - Email: spscript@hotmail.com
ebeozag .cn - Email: spscript@hotmail.com
cafgouh .cn - Email: spscript@hotmail.com
kebfoki .cn - Email: spscript@hotmail.com
ebogumi .cn - Email: spscript@hotmail.com
dyzani .cn - Email: spscript@hotmail.com
dybapi .cn - Email: spscript@hotmail.com
dusyti .cn - Email: spscript@hotmail.com
dutsyvi .cn - Email: spscript@hotmail.com
dutfij .cn - Email: spscript@hotmail.com
bysivak .cn - Email: spscript@hotmail.com
eqiovak .cn - Email: spscript@hotmail.com

cecxoyk .cn - Email: spscript@hotmail.com
dyqkuam .cn - Email: spscript@hotmail.com
edamym .cn - Email: spscript@hotmail.com
eqibuym .cn - Email: spscript@hotmail.com
ducyqan .cn - Email: spscript@hotmail.com
duzebyn .cn - Email: spscript@hotmail.com
etyawjo .cn - Email: spscript@hotmail.com
cerdiko .cn - Email: spscript@hotmail.com
erauso .cn - Email: spscript@hotmail.com
etuacwo .cn - Email: spscript@hotmail.com
etuexyp .cn - Email: spscript@hotmail.com
etywuq .cn - Email: spscript@hotmail.com
ebejar .cn - Email: spscript@hotmail.com
ebiuhas .cn - Email: spscript@hotmail.com
dozabes .cn - Email: spscript@hotmail.com
eqoybu .cn - Email: spscript@hotmail.com
eviyzru .cn - Email: spscript@hotmail.com
evaopsu .cn - Email: spscript@hotmail.com
ebaetu .cn - Email: spscript@hotmail.com
dytrevu .cn - Email: spscript@hotmail.com
eboezu .cn - Email: spscript@hotmail.com
eruqav .cn - Email: spscript@hotmail.com
eqoumiv .cn - Email: spscript@hotmail.com
epuneyv .cn - Email: spscript@hotmail.com
etykauw .cn - Email: spscript@hotmail.com
ebeoxuw .cn - Email: spscript@hotmail.com
eqidax .cn - Email: spscript@hotmail.com
evaolux .cn - Email: spscript@hotmail.com
cafropy .cn - Email: spscript@hotmail.com
etyupy .cn - Email: spscript@hotmail.com
kebquty .cn - Email: spscript@hotmail.com
cakevy .cn - Email: spscript@hotmail.com
eqouwy .cn - Email: spscript@hotmail.com
epuvyiz .cn - Email: spscript@hotmail.com 

UPDATED - Monday, November 16, 2009: The Koobface gang is pushing a new update, followed by a new portfolio of scareware redirectors and actual scareware serving domains.

New portfolio of redirectors parked at 91.213.126.250:
befree2 .cn - Email: gmk2000@yahoo.com
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be
moored2009 .cn - Email: cael@newstile.it
pica-pica .cn - Email: cael@newstile.it
stroboscopicmovie .cn - Email: cael@newstile.it
comedienne .cn - Email: admin@calen.be
densityoze .cn - Email: admin@calen.be
furorcorner .cn - Email: cael@newstile.it
ionisationtools .cn - Email: guzimi@brendymail.de
wax-max .cn - Email: cael@newstile.it
plate-tracery .cn - Email: guzimi@brendymail.de
little-bitty .cn - Email: admin@calen.be
night-whale .cn - Email: admin@calen.be
scary-scary .cn - Email: gmk2000@yahoo.com

Second redirectors portfolio at 91.213.126.102:
disorganization000 .cn - Email: guzimi@brendymail.de
rainbowlike .cn - Email: HuiYingTsui@airways.au
skewercall .cn - Email: HuiYingTsui@airways.au
wegenerinfo .cn - Email: guzimi@brendymail.de
kangaroocar .cn - Email: HuiYingTsui@airways.au
pericallis .cn - Email: HuiYingTsui@airways.au
treasure-planet .cn - Email: guzimi@brendymail.de
genusbiz .cn - Email: HuiYingTsui@airways.au

Currently pushing scareware from primescan1 .com - 83.133.124.149; 91.213.126.103; 83.133.119.84; 85.12.24.13. Sampled scareware phones back to windowsupdate8 .com/download/timesroman.tif - 88.198.105.145 and angle-meter .com/?b=1 (safewebnetwork .com) - 92.48.119.36.

More scareware domains are parked on the same IPs:
yourantivira7 .com - Email: j.wirth@smsdetective.com - detection rate
web-scanm .com - Email: essi@calinsella.eu - detection rate
yourantivira3 .com (wwwsecurescana1 .com) - Email: j.wirth@smsdetective.com
primescan8 .com
online-check-v11 .com
antivir-scan1 .com - Email: contact@armadastate.us
antispy-scan1 .com - Email: contact@armadastate.us
primescan1 .com
checkforspyware2 .com - Email: admin@calen.be
pc-antispyware3 .com - Email: contact@spaintours.com
premium-protection6 .com - Email: contact@spaintours.com
antivir7 .com - Email: admin@maternitycloth.eu
online-check-v7 .com
beprotected8 .com - Email: admin@maternitycloth.eu
pc-antispyware9 .com - Email: contact@spaintours.com
online-check-v9 .com
checkfileshere .com - Email: admin@calen.be
scanfileshere .com - Email: admin@calen.be
antivir-scano .com - Email: contact@armadastate.us
check-files-now .com - Email: admin@calen.be
antivir-scanz .com - Email: contact@armadastate.us
antispy-scanz .com - Email: contact@armadastate.us

ISP's contributing the the monetization of Koobface have been notified.

UPDATE: 91.212.107.103 has been taken offline courtesy of Blue Square Data Group Services Limited -- previous cooperation took place within a 3 hour period -- with the Koobface gang migrating scareware operations to 93.174.95.191 (AS29073 ECATEL-AS , Ecatel Network) and 188.40.52.181; 188.40.52.180 - (AS24940, HETZNER-AS Hetzner Online AG RZ) - ISPs have been notified.

The .info scareware domain portfolio will be suspended within the next 24 hours.

Ali Baba and the 40 thieves LLC a.k.a my Ukrainian "fan club", the one with the Bahama botnet connection, the recent malvertising attacks connection, and the current market leader of black hat search engine optimization campaigns, has been keeping themselves busy over the past couple of weeks, continuing to add additional layers of legitimacy into their campaigns (bit.ly redirectors to blogspot.com accounts leading to compromised hosts), proving that if a cybercrime enterprise wants to, it can run its malicious operations on the shoulders of legitimate service providers using them as "virtual human shield" in order to continue its operations without fear of retribution.
Over the past two weeks, the Koobface gang once again indicated that it reads my blog, "appreciates" the ways I undermine the monetization element of their campaigns, and next to redirecting Facebook's entire IP space to my blog, they've also, for the first time ever, moved from using my name in their redirectors, to typosquatting it.

For instance, the -- now suspended -- Koobface domain pancho-2807 .com is registered to Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to Vancho Vanchev, vanchovanchev@mail.ru. As always, I'm totally flattered, and I'm still in a "stay tuned" mode for my very own branded scareware release - the Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Cyber Protection Scanner 2010.

It's time to summarize some of the Koobface gang's recent activities, establish a direct connection with the Bahama botnet, the Ukrainian dating scam agency Confidential Connections whose botnet operations were linked to money-mule recruitment scams, with active domains part of their affiliate network parked at a Koobface-connected scareware serving domains, followed by the fact that they're all responding to an IP involved in the ongoing U.S Federal Forms themed blackhat SEO campaign. It couldn't get any uglier.

As of recently the gang has migrated to a triple-layer of legitimate infrastructure, consisting of bit.ly redirectors, leading to automatically registered Blogspot account which redirect to Koobface infected hosts serving the Koobface binary and the redirecting to a periodically updated scareware domain. Here are some of the domains involved.

Ongoing campaing dynamically generating bit.ly URLs redirecting to automatically registered Blogspot accounts, using the following URLs:
bit.ly /VumFK -> drbryanferazzoli .blogspot.com
bit.ly /lJcK3 -> toyetoyebalnaja .blogspot.com
bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com
bit.ly /2wuSPj -> kelakelamccovery .blogspot.com
bit.ly /2Pnn8l -> pattyedevero .blogspot.com
bit.ly /2wuSPj -> kelakelamccovery .blogspot.com
bit.ly /1HDmbm -> malinegainey-green. blogspot.com
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com
bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com
bit.ly /46pcCI -> paulangelogaetano .blogspot.com
bit.ly /1HDmbm -> malinegainey-green .blogspot.com
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com
bit.ly /lJcK3 -> toyetoyebalnaja .blogspot.com
bit.ly /2h7XRU -> shunnarahamandla .blogspot.com
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com
bit.ly /3Zj98G -> schubachmarquis .blogspot.com
bit.ly /1sXgRH -> nicnicmiralles .blogspot.com
bit.ly /3eijza -> froneksaxxon .blogspot.com
bit.ly /1I3rr7 -> attreechappy .blogspot.com
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com
bit.ly /30wcJn -> raheelanucci .blogspot.com
bit.ly /2U7jYM -> orvelorvelblues .blogspot.com
bit.ly /1CWOlZ -> kondrackinehemias .blogspot.com
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com
bit.ly /1qbXsi -> lizzamottymotty .blogspot.com
bit.ly /79ONz -> rayvongonsalves .blogspot.com
bit.ly /22Jyex -> klaartjebjorgvinsson .blogspot.com
bit.ly /p07jC -> humphriesteelateela .blogspot.com
bit.ly /2lpZXx -> kalandraaleisha .blogspot.com

The Blogspot accounts consist of a single post of automatically syndicated news item, which compared to previous campaign which relied on 25+ Koobface infected IPs directly embedded at Blogspot itself, this time relies on a single URL which attempts to connect to any of the Koobface infected IPs embedded on it. The currently active campaign redirects to rainbowlike cn/?pid=312s02&sid=4db12f, which then redirects to the scareware domain secure-your-files .com, with the sample phoning back to forbes-2009 .com/?b=1s1 - 113.105.152.230, with another domain parked there activate-antivirus .com - Email: support@personal-solutions.com.

Time to expose the entire portfolio of scareware domains pushed by the gang, and offer some historical OSINT data on their activities which were not publicly released until enough connections between multiple campaigns were established.Which ISPs are currently offering hosting services for the scareware domains portfolio pushed by the Koobface gang? The current portfolio is parked at 206.217.201.245 (AS36351 SOFTLAYER Technologies Inc. surprise, surprise!); 212.117.174.19 (AS44042 ROOT eSolutions surprise, surprise part two) and at 91.212.226.155 (AS44042 ROOT eSolutions).

Scareware redirectors parked at 91.213.126.102:
rainbowlike .cn - Email: HuiYingTsui@airways.au
authorized-payments .com - Email: degrysemario@googlemail.com
poltergeist2000 .cn - Email: nfrank@flamcon.com.cn
sestiad2 .cn - Email: PietroToscani@celli.it
uninformed2 .cn - Email: PietroToscani@celli.it
retrocession2 .cn - Email: PietroToscani@celli.it
unimpressible3 .cn - Email: PietroToscani@celli.it
uncrown3 .cn - Email: PietroToscani@celli.it
sneak-peak .cn - Email: info@Milwaukee911.com
cellostuck .cn - Email: info@Milwaukee911.com
stinkingthink .cn - Email: nfrank@flamcon.com.cn
skewercall .cn - Email: HuiYingTsui@airways.au
be-spoken .cn - Email: info@Milwaukee911.com
transmitteron .cn - Email: nfrank@flamcon.com.cn
kangaroocar .cn - Email: HuiYingTsui@airways.au
pericallis .cn - Email: HuiYingTsui@airways.au
exponentials .cn - Email: info@Milwaukee911.com
triforms .cn - Email: info@Milwaukee911.com
outperformoly .cn - Email: nfrank@flamcon.com.cn
genusbiz .cn - Email: HuiYingTsui@airways.au

Scareware domains parked at 206.217.201.245; 212.117.174.19 and 91.212.226.155:
anti-malware-scan-for-you .com - Email: information@brunter.sw
available-scanner .com - Email: m.smith@Recruiters.com
bewareofspyware .com - Email: m.smith@Recruiters.com
defender-scan-for-you .com - Email: information@brunter.sw
defender-scan-for-you3 .com - Email: informatio@belize.ca
foryoumalwarecheck .com - Email: information@brunter.sw
friends-protection .com - Email: m.smith@Recruiters.com
further-scan .com - Email: m.smith@Recruiters.com
goodonlineprotection .com - Email: info@time.co.uk
good-scans .com - Email: m.smith@Recruiters.com
guidetosecurity3 .com - Email: info@time.co.uk
howtocleanpc2 .com - Email: admin@gnar-star.com
howtoprotectpc3 .com - Email: admin@gnar-star.com
howtosecure2 .com - Email: admin@gnar-star.com
howtosecurea .com - Email: admin@gnar-star.com
how-to-secure-pc2 .com - Email: admin@gnar-star.com
protection-secrets .com - Email: info@time.co.uk
scan-for-you .com - Email: information@brunter.sw
scannerantimalware2 .com
scannerantimalware4 .com
scannerantimalware6 .com
secure-your-data0 .com - Email: spradlin@carrental.com
secure-your-files .com - Email: spradlin@carrental.com
security-guide5 .com - Email: JohnnySMcmillan@yahoo.com
security-info1 .com - Email: JohnnySMcmillan@yahoo.com
security-tips3 .com - Email: info@time.co.uk
security-tools4 .com - Email: JohnnySMcmillan@yahoo.com
webviruscheck1 .com
webviruscheck-4 .com
webviruscheck5 .com

Let us further expand the portfolio by listing the newly introduced scareware domains at 91.212.107.103, which was first mentioned in part one of the Koobface Botnet's Scareware Business Model as a centralized hosting location for the gang's portfolio.

Scareware domains parked at 91.212.107.103:
g-antivirus .com - Email: mhbilate@gmail.com
generalantivirus com - Email: compalso@gmail.com
general-antivirus .com - Email: abuse@domaincp.net.cn
general-av .com - Email: mhbilate@gmail.com
generalavs .com - Email: mhbilate@gmail.com
gobackscan .com - Email: alcnafuch@gmail.com
gobarscan .com - Email: jowimpee@gmail.com
godeckscan .com - Email: quetotator@gmail.com
godirscan .com - Email: momorule@gmail.com
godoerscan .com - Email: geofishe@gmail.com
goeachscan .com - Email: momorule@gmail.com
goeasescan .com - Email: geofishe@gmail.com
gofatescan .com - Email: alcnafuch@gmail.com
gofowlscan .com - Email: stinfins@gmail.com
gohandscan .com - Email: quetotator@gmail.com
goherdscan .com - Email: jowimpee@gmail.com
goironscan. com - Email: aloxier@gmail.com
gojestscan. com - Email: jowimpee@gmail.com
golimpscan. com - Email: stinfins@gmail.com
golookscan. com - Email: stinfins@gmail.com
gomendscan. com - Email: gleyersth@gmail.com
gomutescan. com - Email: momorule@gmail.com
gonamescan. com - Email: geofishe@gmail.com

goneatscan .com - Email: momorule@gmail.com
gopickscan. com - Email: momorule@gmail.com
gorestscan. com - Email: quetotator@gmail.com
goroomscan. com - Email: gleyersth@gmail.com
gosakescan. com - Email: stinfins@gmail.com
goscanadd. com - Email: momorule@gmail.com
goscanback .com - Email: alcnafuch@gmail.com
goscanbar .com - Email: jowimpee@gmail.com
goscancode .com - Email: geofishe@gmail.com
goscandeck. com - Email: geofishe@gmail.com
goscandir. com - Email: crschuma@gmail.com
goscandoer .com - Email: crschuma@gmail.com
goscanease. com - Email: crschuma@gmail.com
goscanfowl. com - Email: stinfins@gmail.com
goscanhand. com - Email: quetotator@gmail.com
goscanherd. com - Email: jowimpee@gmail.com
goscanjest. com - Email: jowimpee@gmail.com
goscanlike. com - Email: geofishe@gmail.com
goscanlimp. com - Email: stinfins@gmail.com
goscanmend .com - Email: gleyersth@gmail.com
goscanname. com - Email: crschuma@gmail.com
goscanneat .com - Email: crschuma@gmail.com
goscanpick. com - Email: crschuma@gmail.com

goscanref. com - Email: quetotator@gmail.com
goscanrest .com - Email: quetotator@gmail.com
goscanroom .com - Email: gleyersth@gmail.com
goscansake. com - Email: stinfins@gmail.com
goscanslip. com - Email: jowimpee@gmail.com
goscansole .com - Email: crschuma@gmail.com

goscantoil. com - Email: jowimpee@gmail.com
goscantrio. com - Email: crschuma@gmail.com
goscanxtra. com - Email: crschuma@gmail.com
gosolescan. com - Email: geofishe@gmail.com
gotoilscan. com - Email: jowimpee@gmail.com
gotrioscan. com - Email: momorule@gmail.com
gowellscan. com - Email: stinfins@gmail.com
goxtrascan. com - Email: momorule@gmail.com
iantiviruspro .com - Email: broderma@gmail.com
iantivirus-pro .com - Email: feetecho@gmail.com
ia-pro .com - Email: abuse@domaincp.net.cn
iav-pro .com - Email: mcgettel@gmail.com
in5ch .com - Email: getoony@gmail.com
in5cs .com - Email: getoony@gmail.com
in5ct .com - Email: phounkey@gmail.com
in5id .com - Email: getoony@gmail.com
in5it .com - Email: phounkey@gmail.com
in5iv .com - Email: phounkey@gmail.com
in5st .com - Email: getoony@gmail.com
inavpro .com - Email: thdunnag@gmail.com
scanatom6 .com - Email: sckimbro@gmail.com
windoptimizer .com - Email: wousking@gmail.com
wopayment .com - Email: broderma@gmail.com
woptimizer .com - Email: broderma@gmail.com

cafropy .cn - Email: spscript@hotmail.com
cakevy .cn - Email: spscript@hotmail.com
dotqyuw .cn - Email: spscript@hotmail.com
dovnaji .cn - Email: spscript@hotmail.com
dovzyag .cn - Email: spscript@hotmail.com
dozabes .cn - Email: spscript@hotmail.com
ducyqan .cn - Email: spscript@hotmail.com
duvaba .cn - Email: spscript@hotmail.com
duvegy .cn - Email: spscript@hotmail.com
duwbiec .cn - Email: spscript@hotmail.com
duxsoez .cn - Email: spscript@hotmail.com
duzebyn .cn - Email: spscript@hotmail.com
dybapi .cn - Email: spscript@hotmail.com
dyqkuam .cn - Email: spscript@hotmail.com
dyqunre .cn - Email: spscript@hotmail.com
dytrevu .cn - Email: spscript@hotmail.com
dyzani .cn - Email: spscript@hotmail.com
ebaetu .cn - Email: spscript@hotmail.com
ebeoxuw .cn - Email: spscript@hotmail.com
ebeozag .cn - Email: spscript@hotmail.com
edoqeg .cn - Email: spscript@hotmail.com
epuneyv .cn - Email: spscript@hotmail.com
epuvyiz .cn - Email: spscript@hotmail.com

eqadozu .cn - Email: spscript@hotmail.com
eqaofed .cn - Email: spscript@hotmail.com
eqaone .cn - Email: spscript@hotmail.com
eqayweh .cn - Email: spscript@hotmail.com
eqibuym .cn - Email: spscript@hotmail.com
eqidax .cn - Email: spscript@hotmail.com
eqiovak .cn - Email: spscript@hotmail.com
eqoabce .cn - Email: spscript@hotmail.com
eqoumiv .cn - Email: spscript@hotmail.com
erauso .cn - Email: spscript@hotmail.com
ereuqba .cn - Email: spscript@hotmail.com
erujale .cn - Email: spscript@hotmail.com
eruqav .cn - Email: spscript@hotmail.com
esuteyb .cn - Email: spscript@hotmail.com
etuacwo .cn - Email: spscript@hotmail.com
etuexyp .cn - Email: spscript@hotmail.com
etyawjo .cn - Email: spscript@hotmail.com
etykauw .cn - Email: spscript@hotmail.com
evaolux .cn - Email: spscript@hotmail.com
evaopsu .cn - Email: spscript@hotmail.com
keturma .cn - Email: spscript@hotmail.com
kevsopi .cn - Email: spscript@hotmail.com
kijxayt .cn - Email: spscript@hotmail.com
kiluxso .cn - Email: spscript@hotmail.com
kipuxo .cn - Email: spscript@hotmail.com
kirdabe .cn - Email: spscript@hotmail.com
kiwraux .cn - Email: spscript@hotmail.com
kixyhce .cn - Email: spscript@hotmail.com

adjudg .info - Email: deciable@gmail.com
afront .info - Email: calexing@gmail.com
anprun .info - Email: deciable@gmail.com
apalet .info - Email: deciable@gmail.com
argier .info - Email: stthatch@gmail.com
asbro .info - Email: recuscon@gmail.com
atquit .info - Email: recuscon@gmail.com
atwain .info - Email: deciable@gmail.com
bagse .info - Email: calexing@gmail.com
bedaub .info - Email: jaohra@gmail.com
bedrid .info - Email: magoetzim@gmail.com
beeves .info - Email: piproux@gmail.com
besort .info - Email: jaohra@gmail.com
bettev .info - Email: recuscon@gmail.com
bettre .info - Email: phvandiv@gmail.com
birnam .info - Email: jaohra@gmail.com
botled .info - Email: deciable@gmail.com
brawns .info - Email: calexing@gmail.com
brisky .info - Email: recuscon@gmail.com
camlet .info - Email: enomman@gmail.com
caretz .info - Email: piproux@gmail.com
cheir .info - Email: jaohra@gmail.com
cuique .info - Email: calexing@gmail.com
daphni .info - Email: calexing@gmail.com

deble .info - Email: bebrashe@gmail.com
debuty .info - Email: stthatch@gmail.com
declin. info - Email: stthatch@gmail.com
devicel .info - Email:stthatch@gmail.com
dislik. info - Email: krharbou@gmail.com
dolchi. info - Email: stthatch@gmail.com
dolet. info - Email: magoetzim@gmail.com
dolet. info - Email: magoetzim@gmail.com
droope .info - Email: deciable@gmail.com
empery .info - Email: phvandiv@gmail.com
engirt .info - Email: jaohra@gmail.com
eratile .info - Email: magoetzim@gmail.com
erpeer .info - Email: deciable@gmail.com
evyns. info - Email: magoetzim@gmail.com
exampl .info - Email: krharbou@gmail.com
extrip .info - Email: piproux@gmail.com
fatted .info - Email: stthatch@gmail.com
fedar. info - Email: phvandiv@gmail.com
fifthz .info - Email: stthatch@gmail.com
figgle .info - Email: deciable@gmail.com
fliht .info - Email: krharbou@gmail.com
fosset .info - Email: deciable@gmail.com
freckl .info - Email: stthatch@gmail.com
freiny. info - Email: krharbou@gmail.com

froday. info - Email: deciable@gmail.com
fulier. info - Email: deciable@gmail.com
gaudad .info - Email: enomman@gmail.com
gelded. info - Email: stthatch@gmail.com
gicke .info - Email: magoetzim@gmail.com
girded .info - Email: jaohra@gmail.com
goterm .info - Email: calexing@gmail.com
guiany. info - Email: krharbou@gmail.com
haere .info - Email: deciable@gmail.com
hilloa. info - Email: phvandiv@gmail.com
holdit. info - Email: stthatch@gmail.com
hownet .info - Email: stthatch@gmail.com
ignomy. info - Email: jaohra@gmail.com
implor. info - Email: jaohra@gmail.com
inclin. info - Email: grattab@gmail.com
inquir .info - Email: stthatch@gmail.com
jorgan .info - Email: bebrashe@gmail.com
kedder .info - Email: enomman@gmail.com
knivel .info - Email: deciable@gmail.com
krapen .info - Email: deciable@gmail.com
lavolt .info - Email: jaohra@gmail.com
lavyer .info - Email: bebrashe@gmail.com

lequel .info - Email: acjspain@gmail.com
lowatt .info - Email: krharbou@gmail.com
meanly.info - Email: krharbou@gmail.com
meyrie.info - Email: piproux@gmail.com
midid .info - Email: magoetzim@gmail.com
miloty .info - Email: stthatch@gmail.com
mobled .info - Email: magoetzim@gmail.com
monast. info - Email: phvandiv@gmail.com
moont. info - Email: magoetzim@gmail.com
narowz .info - Email: enomman@gmail.com
nevils .info - Email: stthatch@gmail.com
nnight .info - Email: piproux@gmail.com
nroof .info - Email: krharbou@gmail.com
numben .info - Email: deciable@gmail.com
obsque .info - Email: jaohra@gmail.com
octian .info - Email: jaohra@gmail.com
odest. info - Email: phvandiv@gmail.com
onclew .info - Email: phvandiv@gmail.com
orifex .info - Email: krharbou@gmail.com
orodes .info - Email: deciable@gmail.com
outliv .info - Email: stthatch@gmail.com

pante .info - Email: jaohra@gmail.com
pasio .info - Email: jaohra@gmail.com
pittie. info - Email: stthatch@gmail.com
plamet .info - Email: stthatch@gmail.com
plazec. info - Email: bebrashe@gmail.com
potinz. info - Email: stthatch@gmail.com
pplay. info - Email: jaohra@gmail.com
pretia .info - Email: krharbou@gmail.com
quoifs. info - Email: enomman@gmail.com
qward. info - Email: enomman@gmail.com
raught .info - Email: piproux@gmail.com
realfly .info - Email: phvandiv@gmail.com
reglet. info - Email: stthatch@gmail.com
rogero .info - Email: stthatch@gmail.com
sallut. info - Email: deciable@gmail.com
sawme .info - Email: stthatch@gmail.com
scarre .info - Email: enomman@gmail.com
scrowl. info - Email: enomman@gmail.com
sigeia. info - Email: krharbou@gmail.com
sighal. info - Email: stthatch@gmail.com
speen. info - Email: enomman@gmail.com
spelem .info - Email: bebrashe@gmail.com
spinge. info - Email: krharbou@gmail.com
squach. info - Email: krharbou@gmail.com

stampo. info - Email: enomman@gmail.com
steepy. info - Email: stthatch@gmail.com
strawy. info - Email: jaohra@gmail.com
suivez. info - Email: krharbou@gmail.com
sundery .info - Email: phvandiv@gmail.com
surnam. info - Email: krharbou@gmail.com
swoln. info - Email: acjspain@gmail.com
swoons .info - Email: enomman@gmail.com
taulus. info - Email: jaohra@gmail.com
tenshy. info - Email: stthatch@gmail.com
tented. info - Email: deciable@gmail.com
ticedu. info - Email: enomman@gmail.com
tithed. info - Email: bebrashe@gmail.com
topful. info - Email: jaohra@gmail.com
unclin. info - Email: stthatch@gmail.com
undeaf. info - Email: enomman@gmail.com
unowed. info - Email: enomman@gmail.com
unwept. info - Email: stthatch@gmail.com
usicam. info - Email: stthatch@gmail.com
vagrom. info - Email: bebrashe@gmail.com
veldun. info - Email: jaohra@gmail.com
vipren. info - Email: calexing@gmail.com
voided. info - Email: krharbou@gmail.com
volsce. info - Email: krharbou@gmail.com
washy. info - Email: phvandiv@gmail.com
wincot. info - Email: enomman@gmail.com
wiving. info - Email: enomman@gmail.com
wooer. info - Email: jaohra@gmail.com
xonker. info - Email: jaohra@gmail.com 

Historical OSINT of Koobface scareware activity over a period of two weeks
The following is a snapshot of Koobface scareware activity during the last two weeks, establishing a direct connection between the Koobface botnet, the ongoing blackhat SEO campaigns, the Bahama botnet with scareware samples modifying HOSTS files, and an Ukrainian dating scam agency where the gang appears to be part of an affiliate network.

Scareware samples pushed by Koobface, with associated detection rates:
mexcleaner .in - Email: niclas@i.ua
safetyscantool .com - 62.90.136.237 - Email: Suzanne.R.Muniz@trashymail.com
stabilitytoolsonline .com - Email: Brent.I.Purnell@pookmail.com
securitytestnetonline .com - 62.90.136.237 - Email: Dianne.T.Whitley@pookmail.com
securityprogramguide .com - Email: Kiyoko.T.Johnson@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitycheckwest .com; webbiztest .com - Email: Ruthie.R.Wilcox@mailinator.com
securitycodereviews .com - 62.90.136.237 - Email: Darwin.L.Mcgowan@trashymail.com
netmedtest .com - 62.90.136.237 - Email: Irene.D.Snow@trashymail.com
toolsdirectnow .com - Email: Frank.J.Bullard@trashymail.com
(ratspywawe .in; wqdefender .in; pivocleaner .in; mexcleaner .in; sapesoft .in; alsoft .in; samosoft .in; jastaspy .in; lastspy .in; felupdate .info; inkoclear .info; drlcleaner .info; tiposoft .info; fkupd .eu; piremover .eu; igsoft .eu; sersoft .eu) - detection rate

Download locations of the actual scareware binary used over the past two weeks:
0ni9o1s3feu60 .cn - Email: robertsimonkroon@gmail.com
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
t1eayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutr11e .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com
f1uq1dfi3qkcm .cn - Email: robertsimonkroon@gmail.com
7mx1z5jq0nt3o .cn - Email: robertsimonkroon@gmail.com
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com
bnfdxhae1rgey .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com

What's the deal with the historical OSINT and why wasn't this data communicated right away? Keep reading.

The Bahama Botnet Connection
During September, the folks at ClickForensics made an interesting observation regarding my Ukrainian "fan club" and the ad revenue stealing/click-fraud committing botnet Bahama - some of the scareware samples were modifying the HOSTS file and presenting the victim with "one of those cybecrime-friendly search engines" stealing revenue in the process.

Once the connection was also established by me at a later stage, data released in regard to the New York Times malvertising attack once again revealed a connection between all campaigns - the very same domains used to serve the scareware, were also used in a blackhat SEO campaign which I analyzed a week before the incident took place. Basically, the scareware pushed by the Koobface botnet, as well as the scareware pushed by the blackhat SEO campaigns maintained by the gangs is among the several propagation approaches used for the DNS records poisoning to take place:

"However, in the case of the Bahama Botnet, this DNS translation method gets corrupted.  The Bahama botnet malware causes the infected computer to mistranslate a domain name.  Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it as 64.86.17.56. That number doesn’t represent any computer owned by Google.  Instead, it represents a computer located in Canada.  When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher.  

Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not.  A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not.  Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred."

The 64.86.17.56 mentioned is actually AS30407 (Velcom), which has also been used in recent campaigns.

ISP and domain registrars have been notified, action should be taken shortly. What was particularly interesting to observe was scareware pushed by the Koobface botnet phoning back to its well known urodinam .net/8732489273.php domain, was also modifying the HOSTS file in the following way. Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by Koobface:
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.fr
89.149.210.109 www.google.co.uk
89.149.210.109 www.google.com.br
89.149.210.109 www.google.it
89.149.210.109 www.google.es
89.149.210.109 www.google.co.jp
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca
89.149.210.109 www.google.com.au
89.149.210.109 www.google.nl
89.149.210.109 www.google.co.za
89.149.210.109 www.google.be
89.149.210.109 www.google.gr
89.149.210.109 www.google.at
89.149.210.109 www.google.se
89.149.210.109 www.google.ch
89.149.210.109 www.google.pt
89.149.210.109 www.google.dk
89.149.210.109 www.google.fi
89.149.210.109 www.google.ie
89.149.210.109 www.google.no
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com
89.149.210.109 uk.search.yahoo.com

Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by blackhat SEO:
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
64.86.16.97 google.ae
64.86.16.97 google.as
64.86.16.97 google.at
64.86.16.97 google.az
64.86.16.97 google.ba
64.86.16.97 google.be
64.86.16.97 google.bg
64.86.16.97 google.bs
64.86.16.97 google.ca
64.86.16.97 google.cd
64.86.16.97 google.com.gh
64.86.16.97 google.com.hk
64.86.16.97 google.com.jm
64.86.16.97 google.com.mx
64.86.16.97 google.com.my
64.86.16.97 google.com.na
64.86.16.97 google.com.nf
64.86.16.97 google.com.ng
64.86.16.97 google.ch
64.86.16.97 google.com.np
64.86.16.97 google.com.pr
64.86.16.97 google.com.qa
64.86.16.97 google.com.sg
64.86.16.97 google.com.tj
64.86.16.97 google.com.tw
64.86.16.97 google.dj
64.86.16.97 google.de
64.86.16.97 google.dk
64.86.16.97 google.dm
64.86.16.97 google.ee

64.86.16.97 google.fi
64.86.16.97 google.fm
64.86.16.97 google.fr
64.86.16.97 google.ge
64.86.16.97 google.gg
64.86.16.97 google.gm
64.86.16.97 google.gr
64.86.16.97 google.ht
64.86.16.97 google.ie
64.86.16.97 google.im
64.86.16.97 google.in
64.86.16.97 google.it
64.86.16.97 google.ki
64.86.16.97 google.la
64.86.16.97 google.li
64.86.16.97 google.lv
64.86.16.97 google.ma
64.86.16.97 google.ms
64.86.16.97 google.mu
64.86.16.97 google.mw
64.86.16.97 google.nl
64.86.16.97 google.no
64.86.16.97 google.nr
64.86.16.97 google.nu
64.86.16.97 google.pl
64.86.16.97 google.pn
64.86.16.97 google.pt
64.86.16.97 google.ro
64.86.16.97 google.ru

64.86.16.97 google.rw
64.86.16.97 google.sc
64.86.16.97 google.se
64.86.16.97 google.sh
64.86.16.97 google.si
64.86.16.97 google.sm
64.86.16.97 google.sn
64.86.16.97 google.st
64.86.16.97 google.tl
64.86.16.97 google.tm
64.86.16.97 google.tt
64.86.16.97 google.us
64.86.16.97 google.vu
64.86.16.97 google.ws
64.86.16.97 google.co.ck
64.86.16.97 google.co.id
64.86.16.97 google.co.il
64.86.16.97 google.co.in
64.86.16.97 google.co.jp
64.86.16.97 google.co.kr
64.86.16.97 google.co.ls
64.86.16.97 google.co.ma
64.86.16.97 google.co.nz
64.86.16.97 google.co.tz
64.86.16.97 google.co.ug
64.86.16.97 google.co.uk
64.86.16.97 google.co.za
64.86.16.97 google.co.zm
64.86.16.97 google.com

The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of an Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorst10@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net


love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net

Could it get even more malicious and fraudulent than that? Appreciate my thetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit serving domains at 195.88.190.247, participate in phishing campaigns, and register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).

Now that's a multi-tasking underground enterprise, isn't it? The ISPs have been notified, domains suspension is pending.

Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.
 Continue reading →

Pricing Scheme for a DDoS Extortion Attack

0
November 03, 2009

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the "on demand DDoS" business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today's cybercrime enterprise "vertically integrating" in order to occupy as many underground market segments as possible, all of which originally developed thanks to the "malicious economies of scale" (massive SQL injections through search engines' reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let's discuss one of those groups that's been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees, to 30% discount if they want to request DDoS for hire against their competitors, a discount only available if they've actually paid the 10,000 rubles monthly extortion fee at the first place - this gang is also including links to the web sites of Russian's Federal Security Service (FSB) and Russia's Ministry of the Interior stating "in order to make it easy for the victims to contact law enforcement".

Sample DDOS extortion letter:
"Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

1-st payment (10 000 rubles) Must be made no later than DATE. All subsequent payments (10 000 rubles) Must be committed no later than 31 (30) day of each month starting from August 31. Late payment penalties will be charged 100% for each day of delay.

For example, if you do not have time to make payment on the last day of the month, then 1 day of you will have to pay a fine 100%, for instance 20 000 rubles. If you pay only the 2 nd date of the month, it will be for 30 000 rubles etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees apply to your first payment - no later than DATE"

You will also receive several bonuses.
1. 30% discount if you request DDoS attack on your competitors/enemies. Fair market value ddos attacks a simple site is about $ 100 per night, for you it will cost only 70 $ per day.
2. If we turn to your competitors / enemies, to make an attack on your site, then we deny them.

Payment must be done on our purse Yandex-money number 41001474323733. Every month the number will be a new purse, be careful. About how to use Yandex-money read on www.money.yandex.ru. If you want to apply to law enforcement agencies, we will not discourage you. We even give you their contacts: www.fsb.ru, www.mvd.ru"

It's also worth pointing out that a huge number of "boutique vendors" of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of "aggregate-and-forget" type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due the numerous monetization models that cybercriminals developed - for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.

Related posts:
Botnet Communication Platforms
Custom DDoS Capabilities Within a Malware
A New DDoS Malware Kit in the Wild
Botnet on Demand Service
The DDoS Attack Against CNN.com
A Botnet Master's To-Do List
Custom DDoS Attacks Within Popular Malware Diversifying
Using Market Forces to Disrupt Botnets
Web Based Botnet Command and Control Kit 2.0
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The DDoS Attack Against Bobbear.co.uk
Russian Homosexual Sites Under (Commissioned) DDoS Attack

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Summarizing Zero Day's Posts for October

0
November 02, 2009
The following is a brief summary of all of my posts at ZDNet's Zero Day for October.

You can also go through previous summaries, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Does software piracy lead to higher malware infection rates? and New LoroBot ransomware encrypts files, demands $100 for decryption.

01. MS Security Essentials test shows 98% detection rate for 545k malware samples
02. Weak passwords dominate statistics for Hotmail's phishing scheme leak
03. Click fraud facilitating Bahama botnet steals ad revenue from Google
04. New Koobface campaign spoofs Adobe's Flash updater
05. Does software piracy lead to higher malware infection rates?
06. Commonwealth fined $100k for not mandating antivirus software
07. 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
08. Fake 'Conflicker.B Infection Alert' spam campaign drops scareware
09. Gawker Media tricked into featuring malicious Suzuki ads
10. New LoroBot ransomware encrypts files, demands $100 for decryption
11. Spooky Halloween - scareware or crimeware?
12. Phishing experiment sneaks through all anti-spam filters

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Ongoing FDIC Spam Campaign Serves Zeus Crimeware

0
October 27, 2009
UPDATED - Wednesday, October 28, 2009: A "New Facebook Login System" spam campaign is in circulation, launched by the same botnet. Sampled updatetool.exe once again interacts with the Zeus command and control at 193.104.27.42.

Message sample 01: "In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below."

Message sample 02: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"


Participating fast-fluxed domains include:
easder1e.co .uk
easder1g.co .uk
easder1l.co .uk
easder1m.co .uk
easder1q.co .uk
nytre4rt.co .uk
nytre4ru.co .uk
nyuy12qwa.co .uk
nyuy12qwf.co .uk
nyuy12qwg.co .uk
nyuy12qws.co .uk
nyuy12qwz.co .uk
ololii.co .uk
ololiw.co .uk
ololiy.co .uk
ololiz.co .uk
tygerah.co .uk
tygerak.co .uk
tygeraw.co .uk
tygeraz.co .uk
yh1qak.co .uk
yh1qal.co .uk
yh1qao.co .uk
yhaqwe1a.co .uk
yhaqwe1q.co .uk
yhaqwe1r.co .uk
yhaqwi1g.co .uk
yhaqwi1h.co .uk
yhaqwi1l.co .uk
yhaqwi1m.co .uk
yhaqwi1p.co .uk
yhhherasde.co .uk
yhhherasdp.co .uk
yhhheraski.co .uk
yhhheraskog.co .uk
yhhheraskol.co .uk
yhhheraskoy.co .uk

n111sae .eu
n111sak .eu
n111sap .eu
n111saq .eu
n111say .eu
n111saz .eu
nyuh1awa .eu
nyuh1awb .eu
nyuh1awc .eu
nyuh1awd .eu
nyuh1awe .eu
nyuh1awf .eu
nyuh1awg .eu
nyuh1awh .eu
nyuh1awm .eu
nyuh1awn .eu
nyuh1aws .eu
nyuh1awt .eu
nyuh1awv .eu
nyuh1awx .eu
nyuh1awz .eu
nyuy12qwf .eu
nyuy12qwg .eu
nyuy12qws .eu

nyuy12qws .eu
ololii .eu
ololiw .eu
ololiy .eu
ololiz .eu
rrref1aaz .eu
rrref1akz .eu
rrref1okz .eu
rrref1ykz.eu
rrrefjokz .eu
saaasak .eu
saaasav .eu
tygerah .eu
tygerak .eu
tygeraw .eu
ujihkei .eu
ujihkni .eu
ujihkoi .eu
ujihkui .eu
yh1qao .eu
yh1qaz .eu
yy1azsva .eu
yy1azsvq .eu
yy1azsvz .eu
yyy1asvf .eu
yyy1azsy .eu
yyy1azvg .eu
yyy1zsve .eu

New DNS servers of notice:
ns1.a-recruitmnt .com
ns1.applesilver .com
ns1.cheryks .com
ns1.barbaos .net
ns1.laktocountry .net

An ongoing spam campaign impersonating The Federal Deposit Insurance Corporation, is attempting to drop zeus samples by enticing users into installing pdf.exe and word.exe.

"Subject: FDIC has officially named your bank a failed bank

Body: You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage."

Sampled malware obtains a Zeus crimeware from a known command and control location (193.104.27.42), already blacklisted by the Zeus Tracker. The campaign is related to the periodical "Microsoft Outlook Update" campaigns, since both campaigns have been sharing fast-flux infrastructure under the same infected hosts, using identical domains.

Fast-fluxed domains participating in the FDIC spam campaign:
bbttyak.co .uk
bbttyak.org .uk
bbttyam.co .uk
bbttyam.me .uk
bbttyap.co .uk
bbttyap.me .uk
bbttyaz.co .uk
bbttyaz.me .uk
gerrahawa .eu
gerrahowa .eu
gerrakawa .eu
gerrakowa .eu
gerralowa .eu
gerraoowa .eu
gerraoowa .eu
gerrasasa .eu
gerrasase .eu
gerrasasq .eu
h1erfae .eu
h1erfai .eu
h1erfaj .eu
h1erfaq .eu
h1erfar .eu
h1erfat .eu
h1erfau .eu
h1erfaw.eu
h1erfay .eu
heiiikok .eu
heiiikoy .eu
heiiikul .eu
heiiikum .eu

heiiikuv .eu
heiiikuy .eu
idllsit .com
ij1tli .net
immikiut1 .cz
j1t1iil .com
j1t1iil .eu
j1t1iil .net
lj1tli .com
lj1tli .net
lj1tll .com
lj1tll .net
ltlil1 .com
ltlil1 .net
modesftp .eu
nniuji1 .eu
nniujih .eu
nniujo1 .eu
nniukif .eu
nniukih .eu
nniukik .eu
nniukiw .eu
nniukiz .eu
nniuxih .eu
nniuxiw .eu
pouikib .eu
pouikic .eu
pouikie .eu
pouikif .eu
pouikig .eu
pouikir .eu
pouikis .eu
pouikit .eu
pouikiv .eu
pouikiw .eu
pouikix .eu
pouikiy .eu
t1fliil .tc
tj1fiil.co .nz
tj1fiil .com
tj1fiil .net
tj1fiil .tc

DNS servers of notice:
ns1.doctor-tomb .com
ns1.sortyn .com
ns1.asthomes .com
ns1.sunriseliny .com
ns1.racing-space .net
ns1.cerezit .net

The phoneback location 193.104.27.42 at AS12604 maintained by Kamushnoy Vladimir Vasulyovich (info@ctgm.info; vla.kam@ctgm.info with ctgm.info responding to 91.213.72.1) is the second Zeus command and control IP within the netblock, followed by 193.104.27.90.

Related posts:
Fake Microsoft patches themed malware campaigns spreading
Fake Microsoft patch malware campaign makes a comeback
The Multitasking Fast-Flux Botnet that Wants to Bank With You
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Koobface Botnet Redirects Facebook's IP Space to my Blog

0
October 21, 2009


Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP Error 302 - Moved temporarily messages in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.


The result? Earlier this morning, I've noticed over 7,000 unique visits coming from Facebook Inc's IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe's Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process. At first, I thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The compete list of the automatically registered blogspot accounts, of whose existence Google's security team has already been notified are as follows:
1rykutviklingibtvedmongstad-vgnett .blogspot.com/
40-nrg .blogspot.com/
anyauujteykbrlzyt .blogspot.com/
bctdnvxyubozkute336 .blogspot.com/
bjfzibzxpjwfsri.blogspot .com/
bopscfmfdfkdcdk.blogspot .com/
bpucrtkuigcvuzd.blogspot .com/
dcljxlmkdpfyadlmk014.blogspot .com/
driwnhtqcifnewwy.blogspot .com/
fffgxdpmrhzepmwc172.blogspot .com/
frjutygrfzkfmumr.blogspot .com/
gbmasakrnbvduky-mhopomuytpmeo46.blogspot .com/
hmxmjrdpzncnania.blogspot .com/
hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/
hxsdrjrbiesmulbp-mp775012.blogspot .com/
hz560607.blogspot .com/
irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot .com/
isaqwpccpkvmmnffx.blogspot .com/
iunvrafuvbgykpap819.blogspot .com/
ixqowmtgwfvkaapq.blogspot .com/
jocdniqudpnszswn936.blogspot .com/
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/
kayaafwlllybvydpu.blogspot .com/
kfddbjhalrqkmqtoa.blogspot .com/
kutlvtfxkxbismwpci.blogspot .com/
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/

kzbcbzhlgcnmmaveusdt2.blogspot .com/
lbwhvnvfmiwqypft-gt34676.blogspot .com/
lgjxsfcwkviythet.blogspot .com/
lvlcauoimpklqoj.blogspot .com/
moruokuamhtobznhwx.blogspot .com/
nfnnialisemtirdcq.blogspot .com/
pfmrjjvolrxsthdl.blogspot .com/
pywkyzxqcslnqyz907.blogspot .com/
qmhbxydgxfitnaosp.blogspot .com/
rfsnkstagwfwlkgr.blogspot .com/
rykutviklingibtvedmongstad-vgnett .blogspot.com/
scjftnvmcqiarvt-ni242558.blogspot .com/
skpjwfruzkzujvw.blogspot .com/
spfymrxnfiotvtrknf.blogspot .com/
sxcfugyjtvtwgxzvi.blogspot .com/
tbgkfbllzdtrcslpc741.blogspot .com/
unrrldfyuanstafa.blogspot .com/
vstikrflawgquztcn.blogspot .com/
wjfpuoiolcjvecszeb.blogspot .com/
wlaafuebvmdkaiavh.blogspot .com/
wnejhokyqkazwpu898.blogspot.com/
wqqcknikrlnowgri.blogspot .com/
xlmwrzdmywbibfwi742.blogspot .com/
yanksroadwinchangesalcsoutlook-mlbcom .blogspot.com/
yeqhabdnabhndbt.blogspot .com/
yzyweidzwor-cxgwufvosfam .blogspot.com/
zafxzlatzsmwysk.blogspot .com/
znfnxeaoiqhxldvmqo-atcsqbrkobwi408 .blogspot.com/
zqsvjeoqccknkfubc.blogspot .com/


The Koobface gang's use of basic blackhat SEO principles such as content cloaking are identical to their previous attempts to cover-up their malicious activities relying on pre-defined sets of http referrers of public search engines, or particular redirectors in order for their infections to take place.

Stay tuned for more developments on the Ali Baba and the 40 thieves LLC front, a.k.a as my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Koobface Botnet Redirects Facebook's IP Space to my Blog

October 21, 2009

Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP Error 302 - Moved temporarily messages in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.

The result? Earlier this morning, I've noticed over 7,000 unique visits coming from Facebook Inc's IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe's Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process. At first, I thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The compete list of the automatically registered blogspot accounts, of whose existence Google's security team has already been notified are as follows:
1rykutviklingibtvedmongstad-vgnett .blogspot.com/
40-nrg .blogspot.com/
anyauujteykbrlzyt .blogspot.com/
bctdnvxyubozkute336 .blogspot.com/
bjfzibzxpjwfsri.blogspot .com/
bopscfmfdfkdcdk.blogspot .com/
bpucrtkuigcvuzd.blogspot .com/
dcljxlmkdpfyadlmk014.blogspot .com/
driwnhtqcifnewwy.blogspot .com/
fffgxdpmrhzepmwc172.blogspot .com/
frjutygrfzkfmumr.blogspot .com/
gbmasakrnbvduky-mhopomuytpmeo46.blogspot .com/
hmxmjrdpzncnania.blogspot .com/
hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/
hxsdrjrbiesmulbp-mp775012.blogspot .com/
hz560607.blogspot .com/
irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot .com/
isaqwpccpkvmmnffx.blogspot .com/
iunvrafuvbgykpap819.blogspot .com/
ixqowmtgwfvkaapq.blogspot .com/
jocdniqudpnszswn936.blogspot .com/
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/
kayaafwlllybvydpu.blogspot .com/
kfddbjhalrqkmqtoa.blogspot .com/
kutlvtfxkxbismwpci.blogspot .com/
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/

kzbcbzhlgcnmmaveusdt2.blogspot .com/
lbwhvnvfmiwqypft-gt34676.blogspot .com/
lgjxsfcwkviythet.blogspot .com/
lvlcauoimpklqoj.blogspot .com/
moruokuamhtobznhwx.blogspot .com/
nfnnialisemtirdcq.blogspot .com/
pfmrjjvolrxsthdl.blogspot .com/
pywkyzxqcslnqyz907.blogspot .com/
qmhbxydgxfitnaosp.blogspot .com/
rfsnkstagwfwlkgr.blogspot .com/
rykutviklingibtvedmongstad-vgnett .blogspot.com/
scjftnvmcqiarvt-ni242558.blogspot .com/
skpjwfruzkzujvw.blogspot .com/
spfymrxnfiotvtrknf.blogspot .com/
sxcfugyjtvtwgxzvi.blogspot .com/
tbgkfbllzdtrcslpc741.blogspot .com/
unrrldfyuanstafa.blogspot .com/
vstikrflawgquztcn.blogspot .com/
wjfpuoiolcjvecszeb.blogspot .com/
wlaafuebvmdkaiavh.blogspot .com/
wnejhokyqkazwpu898.blogspot.com/
wqqcknikrlnowgri.blogspot .com/
xlmwrzdmywbibfwi742.blogspot .com/
yanksroadwinchangesalcsoutlook-mlbcom .blogspot.com/
yeqhabdnabhndbt.blogspot .com/
yzyweidzwor-cxgwufvosfam .blogspot.com/
zafxzlatzsmwysk.blogspot .com/
znfnxeaoiqhxldvmqo-atcsqbrkobwi408 .blogspot.com/
zqsvjeoqccknkfubc.blogspot .com/


The Koobface gang's use of basic blackhat SEO principles such as content cloaking are identical to their previous attempts to cover-up their malicious activities relying on pre-defined sets of http referrers of public search engines, or particular redirectors in order for their infections to take place.

Stay tuned for more developments on the Ali Baba and the 40 thieves LLC front, a.k.a as my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Scareware Serving Conficker.B Infection Alerts Spam Campaign

0
October 20, 2009
A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (using the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an attempt to trick users into installing "antispyware application", in this case the Antivirus Pro 2010 scareware.

This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware.

The following is an extensive list of the domains involved in the campaigns:
abumaso3tkamid .com - Email: drawn@ml3.ru
afedodevascevo .com - Email: sixty@8081.ru
alertonabert .com - Email: flop@infotorrent.ru
alertonbgabert .com - Email: vale@e2mail.ru
alioneferkilo .com - Email: va@blogbuddy.ru
anobalukager .com - Email: chalkov@co5.ru
anobhalukager .com - Email: humps@infotorrent.ru
bufertongamoda .com - Email: kurt@8081.ru
buhafertadosag .com - Email: bias@co5.ru
buhervadonuska .com - Email: vale@e2mail.ru
bulakeskatorad .com - Email: bias@co5.ru
bulerkoseddasko .com - Email: bias@co5.ru
buleropihertan .com - Email: def@co5.ru
celiminerkariota .com - Email: morse@corporatemail.ru
certovalionas .com - Email: kurt@8081.ru
dabertugaburav .com - Email: def@co5.ru
elxolisdonave .com - Email: curb@cheapmail.ru
enkafuleskohuj .com - Email: kerry@freemailbox.ru
ertanueskayert .com - Email: xmas@co5.ru
ertonaferdogalo .com - Email: kerry@freemailbox.ru
ertu6nagertos .com - Email: recipe@isprovider.ru
ertubedewse .com - Email: weak@infotorrent.ru
ertugasedumil .com - Email: chalkov@co5.ru
ertugaskedumil .com - Email: humps@infotorrent.ru
ertunagertos .com - Email: def@co5.ru
erubamerkadolo .com - Email: kerry@freemailbox.ru

fedostalonkah .com - Email: bias@co5.ru
ftahulabedaso .com - Email: raced@corporatemail.ru
gumertagionader .com - Email: seize@e2mail.ru
huladopkaert .com - Email: chute@infotorrent.ru
iobacebauiler .com - Email: roy@corporatemail.ru
itorkalione .com - Email: pygmy@8081.ru
julionejurmon .com - Email: jacob@freemailbox.ru
julionermon .com - Email: pygmy@8081.ru
konitorsabure .com - Email: chalkov@co5.ru
konitorswabure .com - Email: humps@infotorrent.ru
lersolamaderg .com - Email: chalkov@co5.ru
lersolamgaderg .com - Email: humps@infotorrent.ru
linkertagubert .com - Email: kerry@freemailbox.ru
lionglenhrvoa .com - Email: sixty@8081.ru
liposdakoferda .com - Email: leaf@corporatemail.ru
lopastionertu .com - Email: cues@e2mail.ru
nebrafsofertu .com - Email: humps@infotorrent.ru
nuherfodaverta .com - Email: morse@corporatemail.ru
nulerotkabelast .com - Email: dealt@8081.ru
nulkersonatior .com - Email: dealt@8081.ru
obuleskinrodab .com - Email: xmas@co5.ru
ofaderhabewuit .com - Email: kerry@freemailbox.ru
okavanubares .com - Email: chalkov@co5.ru
okaveanubares .com - Email: humps@infotorrent.ru

onagerfadusak .com - Email: cues@e2mail.ru
orav4abustorabe .com - Email: drawn@ml3.ru
oscaviolaner .com - Email: larks@freemailbox.ru
ovuiobvipolak .com - Email: sixty@8081.ru
ovuioipolak .com - Email: bias@co5.ru
paferbasedos .com - Email: chalkov@co5.ru
pafersbasedos .com - Email: humps@infotorrent.ru
polanermogalios .com - Email: dealt@8081.ru
rdafergfvacex .com - Email: jacob@freemailbox.ru
rtugamer5tobes .com - Email: drawn@ml3.ru
rtugamertobes .com - Email: kw@co5.ru
scukonherproger .com - Email: kazoo@isprovider.ru
shuretrobaniso .com - Email: frail@infotorrent.ru
tarhujelafert .com - Email: raced@corporatemail.ru
tavakulio5nkab .com - Email: recipe@isprovider.ru
tavakulionkab .com - Email: def@co5.ru
tertunavogav .com - Email: la@freemailbox.ru
tertunwavogav .com - Email: drawn@ml3.ru
tsabunerkadosa .com - Email: humps@infotorrent.ru

tsarbunerkadosa .com - Email: humps@infotorrent.ru
tubanerdavaf .com - Email: chalkov@co5.ru
tubanerdavjaf .com - Email: halkov@co5.ru
uhajokalesko .com - Email: flop@infotorrent.ru
uhajokvfalesko .com - Email: flop@infotorrent.ru
ulioperdanogad .com - Email: vale@e2mail.ru
uliopewrdanogad .com - Email: kerry@freemailbox.ru
uplaserdunavats .com - Email: dealt@8081.ru
utka3merdosubor .com - Email: drawn@ml3.ru
utkamerdosubor .com - Email: kw@co5.ru
utorganedoskaw .com - Email: kerry@freemailbox.ru
utorgtanedoskaw .com - Email: xmas@co5.ru
uvgaderbotario .com - Email: def@co5.ru
vudermaguliermot .com - Email: leaf@corporatemail.ru
vuilerdomegase .com - Email: leaf@corporatemail.ru
vuilleskomandar .com - Email: seize@e2mail.ru
vulertagulermos .com - Email: dealt@8081.ru
vuretronulevka .com - Email: dealt@8081.ru
weragumasekasuke .com - Email: kazoo@isprovider.ru
werynaherdobas .com - Email: dealt@8081.ru

Despite the comprehensive portfolio of domains used, relying on spam to increase revenue from scareware sales is prone to fail, in this specific case due to the lack of event-based social engineering theme, something that was present in the first campaign.

Related posts:
Conficker's Scareware/Fake Security Software Business Model
Koobface Botnet's Scareware Business Model

This post has been reproduced from Dancho Danchev's blog. Continue reading →
Subscribe to: Comments (Atom)