Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Keeping Reshipping Mule Recruiters on a Short Leash

December 07, 2009

Following my previous "Keeping Money Mule Recruiters on a Short Leash" and "Standardizing the Money Mule Recruitment Process" posts, the campaigners behind the previously exposed money-mule recruitment domains looking for "payment processing assistant", are now also looking for "mailing assistants" to reship the fraudulently purchased items using stolen financial data.

What happens once they standardize the practice? The network of reshipping mules ends up as as a web-based command and control interface, allowing the customers of the mule recruitment syndicate to easily monitor the activity regarding their fraudulently purchased goods. In both of these models, the single most evident benefit for the cybercriminal remains the risk-forwarding of the entire process to the unknowingly participating in the cybercrime ecosystem employee.

Some of the new and currently active reshipping mule recruitment brands include - Total River Goods, Fargo River Goods, Irish River Goods and Parcel Alliance. Here's how they describe themselves:

"As an independent logistics provider, Total River Goods offers supply logistics management and transportation management services including: freight forwarding, packages forwarding, parcel forwarding, postal services and other postal services. Total River Goods is the world’s active developer of retail shipping, business and postal online service centers. Since development begun in 2000 we listened to our clients and developed our services based on feedback we have received. Our service evolved through the years and at this moment of time looks and feels how our customers want.

After many years of development and testing, in 2008 we released our online shipping service. With the new online service Total River Goods is true virtual mail service. We are constantly adding to our services ensuring that we will stay the market leader. Please feel free to contact us if you have any questions or comments. Unlike many other online organizations, we have a goal to reply to all queries within 24 to 48 hours, including business days and weekends."

Domains involved:
totalrivergoods .com - 94.103.90.130 - Email: justin_dickerson@ymail.com - used in money-mule recruitment domain registration
fargorivergoods .com - 94.103.90.130 - Email: williamashley40@yahoo.com
parcelalliance .com - 94.103.90.200 - domainprivate@communigal.com
irishrivergoods .com - 94.103.90.130 - Email: MarcusStraker909@gmail.com - used in money-mule recruitment domain registration

Thanks to Derek from aa419.org for the ping.

Related posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd

December 03, 2009

UPDATED: DocStoc has removed all the participating profiles and their documents.

A currently ongoing scareware campaign is using celebrity-themed blackhat SEO tactics in order to hijack legitimate traffic by abusing the popular DocStoc and Scribd document-sharing services. What's the single most interesting thing about this campaign anyway? It's fact that one of the domains parked on the same IP that the rest of the malware and exploit serving ones are -- they naturally multitask and engage in drive-by attacks -- newsoff .net has been registered with the same email pvcprotect@gmail.com as the original gumblar .cn domain.

Once the user clicks on the bogus video window embedded as an active document, which as matter of fact doesn't issue any warning that the user is leaving the site, a redirection takes place through shurus .net/in.cgi?3 -> b.corlock .net/main.html - 188.165.65.173 - Email: jessica357ass@gmail.com where the user is asked to download load.exe.

Parked on the same IP is the rest of the domains portfolio, which is also involved in separate drive-by campaigns:
offnews .cn - Email: cuitiankai@googlemail.com
newsoff .net - Email: pvcprotect@gmail.com - Ooh la la, the original gumblar .cn has been registered with the same email
curah .net - Email: jessica357ass@gmail.com
corlock .net - Email: jessica357ass@gmail.com
klirok .net - Email: jessica357ass@gmail.com
murrr .net - Email: jessica357ass@gmail.com
shurus .net - Email: jessica357ass@gmail.com

Sample Scribd activity per username:
lupan13 - 1,148 documents; 3,301 total reads
jess357 - 877 documents; 15,202 total reads
mumukan - 875 documents; 19,791 total reads
cekalo - 874 documents; 2,926 total reads

Sample Docstoc activity per username:
valaman - Docs: 460; Views: 13224
zalupa - Docs: 407; Views: 14397
monilit - Docs: 871; Views: 5265
babaka - Docs: 252; Views: 183
namaska - Docs: 139; Views: 8
rumaska - Docs: 829; Views: 172
zuzya - Docs: 748; Views: 280
malina13 - Docs: 66; Views: 15377
yoqeojegu - Docs: 9; Views: 3284
ryjokoleqayebi - Docs: 10; Views: 326
jopan13 - Docs: 397; Views: 43876
iculyodysocehi - Docs: 10; Views: 3721
lupan13 - Docs: 414; Views: 29275

Upon execution it drops the Home AntiVirus 2010 scareware which features a "Spyware Alert!" security warning explaining the dangers of Worm.Win32.NetSky. The scareware (SetupAdvancedVirusRemover.exe) is downloaded from downloadavr13 .com - 193.104.110.50 - Email: noxim@maidsf.ru. Parked on the same IP is a well known portfolio of scareware domains, first observed in July and most recently in September:

10-open-davinci .com
advanced-virusremover2009 .com - Email: giogr@ua.fm
advancedvirus-remover2009 .com - Email: jopa@gmail.com
advanced-virus-remover2009 .com - Email: masle@masle.kz - seen in July, 2009
advancedvirusremover-2009 .com - Email: eptit@eptit.us
advanced-virusremover-2009 .com - Email: support@antivirus-xp-pro2009.com
advancedvirus-remover-2009 .com - Email: tt1@ua.fm
advanced-virus-remover-2009 .com - Email: ubiv@i.ua
advancedvirusremover-2010 .com - Email: noxim@maidsf.ru
advanced-virus-remover-2010 .com - Email: noxim@maidsf.ru
anti-virus-xp-pro2009 .com - Email: chen.poon1732646@yahoo.com
best-scan .biz - Email: noxim@maidsf.ru
best-scan .com - Email: noxim@maidsf.ru
best-scan-pc .biz - Email: noxim@maidsf.ru
best-scanpc .com - Email: alex@mail.ge
best-scan-pc .com
best-scanpc .net
best-scan-pc .net
coolcount1 .com - Email: noxim@maidsf.ru
coolcount2 .com - Email: noxim@maidsf.ru
downloadavr10 .com - Email: noxim@maidsf.ru
downloadavr11 .com - Email: noxim@maidsf.ru
downloadavr12 .com - Email: noxim@maidsf.ru

downloadavr13 .com - Email: noxim@maidsf.ru
downloadavr3 .com - Email: support@antivirus-xp-pro2009.com
downloadavr4 .com - Email: tt1@ua.fm
downloadavr5 .com - Email: vs@ua.km
downloadavr6 .com - Email: alex@i.ua
downloadavr7 .com - Email: noxim@maidsf.ru
downloadavr8 .com - Email: noxim@maidsf.ru
downloadavr9 .com - Email: noxim@maidsf.ru
hard-xxx-tube .com
malware-scan .net - Email: noxim@maidsf.ru
malware-scaner .net - Email: noxim@maidsf.ru
masterhost.co .in - Email: pricklyy@mail.ru
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
pc-scanner .info - Email: noxim@maidsf.ru
pc-scanner-2010 .net - Email: noxim@maidsf.ru
pc-scannerr .biz - Email: noxim@maidsf.ru
pc-scannerr .com - Email: noxim@maidsf.ru
pc-scannerr .info - Email: noxim@maidsf.ru
pc-scannerr .net - Email: noxim@maidsf.ru
pc-scannerr .us - Email: noxim@maidsf.ru
testavrdown .com - Email: support@antivirus-xp-pro2009.com
testavrdownnew .com - Email: mamed@i.ua
trucount3005 .com - Email: chen.poon1732646@yahoo.com - money-mule recruitment connection
trucountme .com - Email: valentin@gergiea.kz - already profiled
white-xxx-tube .com - Email: noxim@maidsf.ru
xxx-white-tube .biz - Email: noxim@maidsf.ru
xxx-white-tube .net - Email: gnom@gnom.ge

DocStoc and Scribd have been notified.

Related posts:
The Ultimate Guide to Scareware Protection
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Pushdo Injecting Bogus Swine Flu Vaccine

December 02, 2009

In the spirit of systematically introducing new themes in order to serve the ubiquitous crimeware releases, the Pushdo botnet has now switched to a State Vaccination H1N1 Program campaign, serving vacc_profile.exe sample.

Sample subject: State Vaccination Program; Governmental registration program on the H1N1 vaccination
Sample message: "You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people. Create your Personal H1N1 Vaccination Profile using the link."

Subdomain structure used:

online.cdc.gov .lykasf.be
online.cdc.gov .lykasm.be
online.cdc.gov .lykasv.be
online.cdc.gov .lykasz.be
online.cdc.gov .nyugewc.be
online.cdc.gov .nyugewd.be
online.cdc.gov .nyugewm.be
online.cdc.gov .nyugewn.be
online.cdc.gov .nyugewq.be
online.cdc.gov .nyugewt.be
online.cdc.gov .nyugeww.be
online.cdc.gov .nyugewy.be
online.cdc.gov .nyugewz.be
online.cdc.gov .yhnbad.co.im
online.cdc.gov .yhnbad.com.im
online.cdc.gov .yhnbad.im
online.cdc.gov .yhnbad.net.im
online.cdc.gov .yhnbad.org.im
online.cdc.gov .yhnbak.co.im
online.cdc.gov .yhnbak.com.im
online.cdc.gov .yhnbak.im
online.cdc.gov .yhnbak.net.im
online.cdc.gov .yhnbak.org.im
online.cdc.gov .yhnbam.co.im
online.cdc.gov .yhnbam.com.im
online.cdc.gov .yhnbam.im
online.cdc.gov .yhnbam.net.im
online.cdc.gov .yhnbam.org.im

Actual domains involved:

feccxz.co .uk; feccxz.me .uk; ficcxz.co .uk; gerfase .be; gerfasi .be; gerfaso .be; gerfasq .be; gerfasr .be; gerfast .be; gerfasu .be; gerfasw .be; gerfasx .be; gerfasy .be; hssaze .be; hssazg .be; hssazh .be; hssazi .be; hssaz j.be; hssazl .be; hssazo .be; hssazp .be; hssazq .be; hssazr .be; hssazt .be; hssazu .be; hssazw .be; hssazy .be; kioooj1 .be; kioooj2 .be; kioooj3 .be; kioooja .be; kiooojb .be; kiooojc .be; kiooojf .be; kiooojg .be; kiooojh .be; kiooojn .be; kiooojq .be; kiooojv .be; kiooojx .be; kiooojz .be; yhnbad.co .im; yhnbad.com .im; yhnbad .im; yhnbad.net .im; yhnbad.org .im; yhnbak.co .im; yhnbak .com.im; yhnbak .im; yhnbak.net .im; yhnbak.org .im; yhnbam.co .im; yhnbam.com .im; yhnbam .im; yhnbam.net .im; yhnbam.org .im; yurbzc.co .im; yurbzc.com .im; yurbzc .im; yurbzc.net .im; yurbzc.org .im; yurtzc .im; yuvtzc.co .im; yuvtzc.com .im; yuvtzc .im; yuvtzc.net .im

DNS SERVERS OF NOTICE:
ns1.elkins-realty .org - Email: HR2000@gmail.com
ns1.a-personalhire .com - Email: personalhire@mail.com
ns1.iceagestrem .com
ns1.poolandmonster .com
ns1.autotanscorp .net
ns1.shuzmen .com

Upon execution, the sample phones back to 193.104.41.75/kissme /rec.php and 193.104.41.75 /ip.php, while attempting to download promed-net .com/css/absderce2.exe and 193.104.41.75/ cbd/75.bro, with the IP itself already blacklisted by the Zeus Tracker, as well as related activity on the same netblock - AS49934 (VVPN-AS PE Voronov Evgen Sergiyovich).

Related posts:
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Summarizing Zero Day's Posts for November

November 30, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for November.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

Notable articles include: Windows 7's default UAC bypassed by 8 out of 10 malware samples and Man-in-the-middle attacks demoed on 4 smartphones.

01. iHacked: jailbroken iPhones compromised, $5 ransom demanded
02. Which antivirus is best at removing malware?
03. Windows 7's default UAC bypassed by 8 out of 10 malware samples
04. Source code for ikee iPhone worm in the wild
05. Commercial spying app for Android devices released
06. Man-in-the-middle attacks demoed on 4 smartphones
07. Thousands of web sites compromised, redirect to scareware -- the latest virtual smoking gun of the Koobface gang

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Koobface Botnet Starts Serving Client-Side Exploits

November 25, 2009

UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and scareware domains remains ongoing, with no signs of resuming the use of client-side exploits.

Some of the latest ones include inviteerverwhere .cn - Email: box@cethcuples.com -> scanner-infoa .com - Email: inout@celestia.com, scareware detection rate; 1economyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: inout@celestia.com, scareware detection rate; slip-stream .cn - Email: info@mercedess.de -> getsafeantivirusa .com - Email: morrison2g@yahoo.com, scareware detection rate.

The complete list of redirectors introduced over the past week is as follows: 1economyguide .cn; 1monocline .cn; 1nonsensical .cn; 1onlinestarter .cn; 1political-news .cn; argentinastyle .cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcountry .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets .cn; womenregrets2 .cn

UPDATED, Saturday, November 28, 2009: Following yesterday's experiment with bit.ly redirectors, relying on a "visual social engineering element" by adding descriptive domains after the original link -- bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any generated bit.ly link, the gang is now spamvertising links using Google News redirection to automatically registered Blogspot accounts, whose CAPTCHA challenge has been solved by the already infected with Koobface victims, a feature that is now mainstream, compared to the gang's previous use of commercial CAPTCHA solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:

- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/
- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/
- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/
- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/
- news.google.com/news/url?url=http://keyserefrain .blogspot.com/

New redirectors introduced include:
overmerit3 .cn - Email: admin@cryzisday.com
belgiumnation .cn - Email: vesta@greaselive.au
iraqcontacts .cn - Email: admin@resemm.de
womenregrets .cn - Email: admin@resemm.de
wallgreensmart .cn - Email: admin@cryzisday.com
brazilcountry .cn - Email: vesta@greaselive.au
womenregrets2 .cn - Email: in@groovezone.com

News scareware domains introduced include:
internetdefencesystem .com - Email: admin@wyverny.com
royalsecure-a1 .com - Email: in@groovezone.com
royaldefencescan1 .com - Email: in@groovezone.com
royaldefensescan1 .com - Email: in@groovezone.com
royaldefencescan .com - Email: contacts@esseys.au
royaldefensescan .com - Email: contacts@esseys.au
royalprotectionscan .com - Email: contacts@esseys.au

Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed .com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain.

UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits, let's see if it's only for the time being or indefinitely. Scareware is whatsoever, introduced with periodically registered new domains - argentinastyle .cn - Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au, redirect to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: fransysles2@yahoo.com - detection rate.

The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain active.

The Koobface botnet, a case study on propagation relying exclusively on social engineering tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second "game-changer" next to the migration to distributed command and control infrastructure once its centralized operations got shut down.

Next to the embedded and automatically rotating scareware redirects placed on each and every infected host part of the Koobface botnet, the gang behind it has now started officially using client-side exploits (VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground Molotov - function molot (m)), which connect to a well known (average) web malware exploitation kit's interface. Not only would a user that clicks on the Koobface URL be exposed to the Koobface binary itself, now pushed through client-side exploits, but also, to the periodically changed scareware domains.

Let's dissect the campaign, expose the entire domains portfolio involved or introduced since the beginning of the week, and once again establish a connection between the Koobface gang and money mule recruitment scams followed by scareware domains (Inst_312s2.exe; Inst_312s2.exe from today, both of them phone back to angle-meter .com/?b=1), all registered using the same emails.

Scareware redirectors seen during the past couple of the days, parked at 91.213.126.250:
solidresistance .cn - Email: admin@cryzisday.com
separator2009 .cn - Email: admin@cryzisday.com
zapotec2 .cn - Email: admin@cryzisday.com
befree2 .cn - Email: gmk2000@yahoo.com
entombing2009 .cn - Email: info@grindsteal.fr
economyguide .cn - Email: info@plaguegr.de
smile-life .cn - Email: gmk2000@yahoo.com
everlastmovie .cn - Email: gmk2000@yahoo.com
monocline .cn - Email: info@plaguegr.de
mozzillaclone .cn - Email: sanbeans6@yahoo.com
monkey-greese .cn - Email: sanbeans6@yahoo.com
surgingnurse .cn - Email: info@grindsteal.fr
mailboxinvite .cn - Email: sanbeans6@yahoo.com
flatletkick .cn - Email: info@plaguegr.de
nonsensical .cn - Email: info@grindsteal.fr
moralisefilm .cn - Email: info@grindsteal.fr
firefoxavatar .cn - Email: sanbeans6@yahoo.com
onlinestarter .cn - Email: info@plaguegr.de
clowncirus .cn - Email: sanbeans6@yahoo.com
political-news .cn - Email: info@plaguegr.de
harry-pott .cn - Email: gmk2000@yahoo.com
repeatability .cn - Email: info@grindsteal.fr

New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103:
valuewebscana .com - Email: lynd.stafford@yahoo.com
valuescana .com - Email: lynd.stafford@yahoo.com
cyber-scan-1 .com - Email: admin@dedicatezoom.com
yourantispy-1 .com - Email: shah_indigo@googlemail.com
cyber-scan011 .com - Email: admin@dedicatezoom.com
cyber-scan-2 .com - Email: admin@dedicatezoom.com
antimalware-3 .com - Email: shah_indigo@googlemail.com
yourmalwarescan3 .com - Email: shah_indigo@googlemail.com
antimalwarescana4 .com - Email: j.wirth@smsdetective.com
today-scan4 .com - Email: millercall413@yahoo.com
antispy-scan5 .com - Email: shah_indigo@googlemail.com
yourantivira7 .com - Email: j.wirth@smsdetective.com
yourmalwarescan7 .com - Email: info@bellyn.com
yourantispy-8 .com - Email: info@bellyn.com
cyber-scan08 .com - Email: admin@dedicatezoom.com
cyber-scan09 .com - Email: admin@dedicatezoom.com
beprotected9 .com - Email: essi@calinsella.eu
spyware-scan9 .com - Email: info@bellyn.com
yourantispy-a .com - Email: shah_indigo@googlemail.com
checkforspywarea .com - Email: sanbeans6@yahoo.com
checkfilesherea .com - Email: sanbeans6@yahoo.com
scanfilesherea .com - Email: sanbeans6@yahoo.com
findprotectiona .com - Email: admin@wyverny.com
checkfilesnowa .com - Email: sanbeans6@yahoo.com
web-scanm .com - Email: essi@calinsella.eu
today-scann .com - Email: essi@calinsella.eu
4eay-protection .com - Email: millercall413@yahoo.com

The client-side exploit redirection takes place through three separate domains, all involved in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. For instance, el3x.cn/test13/index.php - 210.51.166.119 - Email: Exmanoize@qip.ru redirects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> el3x.cn/test13/soc.php using VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc. pushing load.exe, which phones back to a well known "leftover" from Koobface botnet's centralized infrastructure - xtsd20090815 .com/adm/index.php.

Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders with authors of actual web malware exploitation kits, who diversify their cybercrime operations by participating in money mule recruitment scams, zeus crimeware serving campaigns, and scareware.

Parked on 210.51.166.119 where the first iFrame is hosted, are also the following domains participating in related campaigns:
amer0test0 .cn - Email: abusehostserver@gmail.com -> money mule recruitment
antivirusfreec0 .cn - Email: abusehostserver@gmail.com -> money mule recruitment
arendanomer2 .cn - Email: Exmanoize@qip.ru
dom0cn .cn - Email: Exmanoize@qip.ru
dom1cn .cn - Email: Exmanoize@qip.ru
dom2cn .cn - Email: Exmanoize@qip.ru
domx0 .cn - Email: Exmanoize@qip.ru
domx1 .cn - Email: Exmanoize@qip.ru
domx2 .cn - Email: Exmanoize@qip.ru
dox0 .cn - Email: Exmanoize@qip.ru
dox1 .cn - Email: Exmanoize@qip.ru
dox2 .cn - Email: Exmanoize@qip.ru
dox3 .cn - Email: Exmanoize@qip.ru
edit2china .cn - Email: Exmanoize@qip.ru
edit3china .cn - Email: Exmanoize@qip.ru
el1x .cn - Email: Exmanoize@qip.ru
el2x .cn - Email: Exmanoize@qip.ru
el3x .cn - Email: Exmanoize@qip.ru
gym0replace .cn - Email: chen.poon1732646@yahoo.com -> scareware domain registration
herosima1yet .cn - Email: Exmanoize@qip.ru
herosima1yet00g .cn - Email: abusehostserver@gmail.com
otherchina .cn - Email: Exmanoize@qip.ru
parliament .tk - Email: royalddos@gmail.com
privet1 .cn - Email: Exmanoize@qip.ru
privet2 .cn - Email: Exmanoize@qip.ru
privet3 .cn - Email: Exmanoize@qip.ru
sport-lab .cn - Email: abuseemaildhcp@gmail.com -> money mule recruitment domain registrations
trafdomins .cn - Email: Exmanoize@qip.ru

The second iFrame domain parked at 61.235.117.83 redirects in the following way - kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to kiano-180809 .com/oko/dyna_soc.html -> kiano-180809 .com/oko/tomato_guy_13.html -> kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wmf.

The same exploitation structure is valid for the third iFrame domain - ttt20091124 .info/oko/help.html which is again, parked at 61.235.117.83 and was embedded at Koobface-infected hosts over the past 24 hours.

What prompted this shift on behalf of the Koobface gang? Declining infection rates -- I'm personally not seeing a decline in the click-through rate, with over 500 clicks on a spamvertised Kooobface URL over a period of 24 hours -- or their obsession with traffic optimization? In terms of social engineering, the periodic introduction of new templates proved highly successful for the gang, but the newly introduced outdated client-side exploits can in fact generate more noise than they originally anticipated, if they were to continue relying on social engineering vectors only.

One thing's certain - the Koobface gang is now on the offensive, and it would be interesting to see whether they'd introduce a new exploits set, or continue relying on the one offered by the web exploitation kit.

Related posts:
Secunia: Average insecure program per PC rate remains high
Research: 80% of Web users running unpatched versions of Flash/Acrobat
Fake Security Software Domains Serving Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Koobface Botnet Starts Serving Client-Side Exploits

November 25, 2009

Scareware Campaign Using Google Sponsored Links

November 18, 2009

A scareware campaign is currently using Google sponsored ads, and by hijacking a decent number of well positioned keywords, is attempting to trick visitors into installing scareware featuring several new templates. This is, of course, not the first and definitely not the last time scareware campaigners are using highly targeted legitimate networks in order to reach potential audience by making an investment into the traffic acquisition practice.

However, compared to the "long tail centered" blackhat SEO, the use of legitimate ad networks would never reach a positive ROI, like the one achieved by dynamic syndication of legitimate content and monetizing it through scareware.

Scareware domains seen in circulation:
adwarealert .com - 75.125.200.226
adware-pro-2009 .com - 209.216.193.113
adwareprosite .com - 188.121.46.1 - Email: pedrocanas75@gmail.com
adwarepro-site .com - 209.216.193.101 - Email: pedrocanas75@gmail.com
antimalwarenow .com - 173.201.0.128
anti-malware-pro .org - 209.216.193.103 - Email: pedrocanas75@gmail.com

antimalware-software .com - 209.216.193.11
antimalware-software .org - 209.216.193.106 - Email: pedrocanas75@gmail.com
get-spyware-destroyer .com - 63.243.188.37 - Email: admin@upclick.com
macrovirus .com - 75.125.152.58
malwareprofessional .com - 74.205.8.6

theantimalware .com - 173.201.0.12
adware-pro-live .com - 209.216.193.9
antivirus-live-pro .com - 209.216.193.9
antivirus-live-pro .org
antivirus-live-software .com
antivirus-pro-live .com
antiviruspro-live .com

Sample detection rates: anti-malware-application.exe; malware_professional.exe; macro_virus.exe; antimalware_pro.exe; spyware_destroyer.exe; AdwarePro_Setup.exe; AdwarePro_Setup06.exe; AdwarePro_Setup2305.exe.

Consider going through the The Ultimate Guide to Scareware Protection detailing alternative traffic acquisition approaches used by scareware campaigners, as well as the related posts dissecting recent blackhat SEO campaigns.

Related posts:
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

Continue reading →

"Your mailbox has been deactivated" Spam Campaign Serving Crimeware

November 17, 2009

An ongoing "Your mailbox has been deactivated" themed spam campaign is pushing crimeware as an attached utility.zip archive.

Subject: your mailbox has been deactivated
Message: "We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility. Best regards, hush.com technical support."
Different signatures used: "From Webmail Help Desk; From hush.com technical support; From msmvps.com technical support; From ahnlab.com technical support; From symantec.com technical support"

Sampled obtained phones back to 193.104.27 .91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581; 193.104.27 .91/limpopo/bb.php?id=554275088&v=200&tm=8&b=4316315581&tid=11&r=1, from where it downloads promed-net .com/css/abs.exe (97.74.144.118; Email: ninemed@ninemedical.com ) which phones back to 231307d91138.bauhath.com/get.php?c=QPTUDBSV&d=, downloading 91.213.72 .51/ldr7.exe which phones back to 193.104.27 .42/lcc/ip2.gif which is TrojWare.Win32.TrojanSpy.Zbot.Gen

All of these IPs are not surprisingly known Zeus crimeware hosts.

Related phone-back locations parked on the same IP - 94.75.221.76:
koralda .com - Email: owner@koralda.com
antiona .com - Email: owner@antiona.com
lambrie .com - Email: owner@lambrie.com
bauhath .com - Email: owner@bauhath.com
agulhal .com - Email: owner@agulhal.com
lantzel .com - Email: owner@lantzel.com
bourgum .com - Email: owner@bourgum.com

101607d91120.koralda .com
141607d91121.koralda .com
121607d91122.koralda .com
161607d91123.koralda .com
141607d91124.koralda .com
181607d91125.koralda .com
011607d91106.koralda .com
171507d91116.koralda .com
161607d91126.koralda .com
231507d91107.koralda .com
201607d91127.koralda .com
031607d91108.koralda .com
191507d91118.koralda .com
011607d91109.koralda .com
171507d91119.koralda .com
221607d91129.koralda .com
201607d9112a.koralda .com
031607d9110b.koralda .com
191507d9111b.koralda .com
081607d9111b.koralda .com
221607d9112c.koralda .com
101607d9111d.koralda .com
081607d9111e.koralda .com
121607d9111f.koralda .com
211507d91131.antiona .com
231507d91133.antiona .com
081207d91134.antiona .com
121607d91115.antiona .com
001307d91106.antiona .com
201307d91108.antiona .com
121107d91128.antiona .com
021107d91129.antiona .com
221307d9110a.antiona .com

231107d9111a.antiona .com
230907d9111b.antiona .com
041107d9112b.antiona .com
011207d9111c.antiona .com
081307d9110d.antiona .com
061107d9112d.antiona .com
191407d9112d.antiona .com
171307d9111f.antiona .com
211407d9112f.antiona .com
042707d90914.agrigid .com
101607d91121.lambrie .com
121607d91122.lambrie .com
141607d91124.lambrie .com
161607d91126.lambrie .com
231507d91107.lambrie .com
181607d91128.lambrie .com
011607d91109.lambrie .com
171507d91119.lambrie .com
201607d9112a.lambrie .com
031607d9110b.lambrie .com
191507d9111b.lambrie .com
221607d9112c.lambrie .com
081607d9111e.lambrie .com
081607d91100.bauhath .com
071607d91130.bauhath .com
121607d91101.bauhath .com
201607d91111.bauhath .com
221307d91102.bauhath .com
051107d91122.bauhath .com
141607d91103.bauhath .com

151207d91113.bauhath .com
221607d91113.bauhath .com
221307d91104.bauhath .com
071107d91124.bauhath .com
171207d91115.bauhath .com
051007d91126.bauhath .com
091107d91126.bauhath .com
101607d91107.bauhath .com
191207d91117.bauhath .com
051207d91127.bauhath .com
071007d91128.bauhath .com
071207d91128.bauhath .com
121607d91109.bauhath .com
211207d91119.bauhath .com
091007d9112a.bauhath .com
131107d9112a.bauhath .com
091207d9112a.bauhath .com
051607d9113a.bauhath .com
231207d9111b.bauhath .com
091607d9113b.bauhath .com
141607d9110c.bauhath .com
111007d9112c.bauhath .com
111207d9112c.bauhath .com
161607d9110d.bauhath .com
071607d9112d.bauhath .com
181607d9110f.bauhath .com
181007d91132.edvehal .com
181007d91135.edvehal .com
181207d91110.agulhal .com
091007d91120.agulhal .com
211007d91130.agulhal .com
041307d91130.agulhal .com

111007d91122.agulhal .com
061307d91132.agulhal .com
131207d91123.agulhal .com
131007d91124.agulhal .com
151207d91125.agulhal .com
230907d91116.agulhal .com
151007d91126.agulhal .com
061207d91127.agulhal .com
011007d91118.agulhal .com
171007d91128.agulhal .com
031007d9111a.agulhal .com
021207d9111b.agulhal .com
121107d9113b.agulhal .com
051007d9111c.agulhal .com
011107d9110d.agulhal .com
041207d9111d.agulhal .com
191007d9112d.agulhal .com
161207d9110e.agulhal .com
071007d9111e.agulhal .com
141607d91100.lantzel .com
081607d91100.lantzel .com
221607d91110.lantzel .com
121607d91101.lantzel .com
171207d91111.lantzel .com
201607d91111.lantzel .com
071107d91121.lantzel .com
051107d91122.lantzel .com
141607d91103.lantzel .com
151207d91113.lantzel .com
191207d91113.lantzel .com
221607d91113.lantzel .com
051007d91123.lantzel .com

091107d91123.lantzel .com
051207d91123.lantzel .com
101607d91104.lantzel .com
071107d91124.lantzel .com
211207d91115.lantzel .com
171207d91115.lantzel .com
071007d91125.lantzel .com
111107d91125.lantzel .com
071207d91125.lantzel .com
121607d91106.lantzel .com
051007d91126.lantzel .com
091107d91126.lantzel .com
051207d91126.lantzel .com
101607d91107.lantzel .com
231207d91117.lantzel .com
191207d91117.lantzel .com
091007d91127.lantzel .com
131107d91127.lantzel .com
091207d91127.lantzel .com
051607d91137.lantzel .com
141607d91108.lantzel .com
071007d91128.lantzel .com
111107d91128.lantzel .com
071207d91128.lantzel .com
091607d91138.lantzel .com
121607d91109.lantzel .com
211207d91119.lantzel .com
111007d91129.lantzel .com
111207d91129.lantzel .com

071607d91139.lantzel .com
161607d9110a.lantzel .com
091007d9112a.lantzel .com
131107d9112a.lantzel .com
091207d9112a.lantzel .com
111607d9113a.lantzel .com
051607d9113a.lantzel .com
141607d9110b.lantzel .com
231207d9111b.lantzel .com
091607d9113b.lantzel .com
181607d9110c.lantzel .com
111007d9112c.lantzel .com
111207d9112c.lantzel .com
161607d9110d.lantzel .com
201607d9110e.lantzel .com
151207d9110f.lantzel .com
181607d9110f.lantzel .com
051107d9111f.lantzel .com
131507d91100.bourgum .com
231507d91130.bourgum .com
221207d91101.bourgum .com

211507d91131.bourgum .com
001307d91103.bourgum .com
231507d91133.bourgum .com
001107d91124.bourgum .com
081207d91134.bourgum .com
201307d91105.bourgum .com
121607d91115.bourgum .com
001307d91106.bourgum .com
021107d91126.bourgum .com
091207d91107.bourgum .com
221307d91107.bourgum .com
231107d91117.bourgum .com
201307d91108.bourgum .com
230907d91118.bourgum .com
121107d91128.bourgum .com
041107d91128.bourgum .com
211007d91138.bourgum .com
011207d91119.bourgum .com
021107d91129.bourgum .com

Naturally, the campaign isn't an isolated incident, with previous "Facebook updated account agreement" themed ones, using the same phone back locations as the currently ongoing one.

Related posts:
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

November 17, 2009

Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising hundreds of thousands of web sites, and redirecting Google visitors -- through the standard http referrer check -- to scareware serving domains.

What's so special about the domains mentioned in Cyveillance's post, as well as the ones currently active on this campaign? It's the Koobface connection.

For instance, the ionisationtools .cn or moored2009 .cn redirectors, as well as the scareware serving premium-protection6 .com; file-antivirus3.com; checkalldata .com; foryoumalwarecheck4 .com; antispy-scan1 .com mentioned in post, are the same scareware redirectors and domains analyzed in part two of the Koobface Botnet's Scareware Business Model series. The identical structure on a sampled Koobface infected host and a sampled compromised site can be seen in the attached screenshots.

The redirection "magic" takes place through a what looks like a static css.js (Trojan-Downloader.JS.FraudLoad) uploaded on all of the affected sites. The very latest blackhat SEO once again puts the Koobface gang in the spotlight of the ongoing underground multi-tasking that the majority of cybercriminals engage in these days.

Related posts:
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

November 17, 2009

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Keeping Reshipping Mule Recruiters on a Short Leash

Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd

Pushdo Injecting Bogus Swine Flu Vaccine

Summarizing Zero Day's Posts for November

Koobface Botnet Starts Serving Client-Side Exploits

Koobface Botnet Starts Serving Client-Side Exploits

Scareware Campaign Using Google Sponsored Links

"Your mailbox has been deactivated" Spam Campaign Serving Crimeware

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

RSS Feed

About Me

Blog Archive

Tags

Popular Posts