Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

January 26, 2010

Continuing the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" or "the latest update for the AIM" themed campaign from the weekend has once again returned to a well-known theme, namely the "Facebook Update Tool" spam campaign.

The botnet masters have introduced several new name servers (domain suspension is pending), but continue using the same IP, embedded on all the pages, to serve the client-side exploits, with a slight change in the directory structure.

- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
    - 109.95.114 .251/us01d/jquery.jxx
        - 109.95.114 .251/us01d/xd/pdf.pdf
            - 109.95.114 .251/us01d/load.php
                - 109.95.114 .251/us01d/file.exe

- Sample typosquatted and currently active domains: 

- Name servers of notice:

Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.

The gang's activities will be updated as they happen.

Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

January 13, 2010

UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the past 24 hours they've been spamming the well-known "Notice of Underreported Income" theme, this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains, in addition to changing the client-side exploit-serving iFrame embedded on each and every page.

- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php
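
Both sample URLs in these campaigns put the real brand's hostname in front of an unrelated registered domain. The check below is an added example, not part of the original post: it refangs indicators written in the post's "name .tld" style and flags hostnames that embed a protected brand as leading labels. The brand list and the sample hosts (reserved `.example` names) are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Real hostnames of the brands abused by the lures quoted in the post.
# Assumption for this example: extend the tuple with the brands you protect.
PROTECTED = ("facebook.com", "hmrc.gov.uk")


def refang(indicator):
    """Undo the defanging used in the post ("host .tld/path", "1.2.3.4 /path")."""
    return "".join(indicator.split())


def hostname_of(url):
    """Return the lower-cased hostname of a (possibly defanged, scheme-less) URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def impersonated_brand(url):
    """Return the brand embedded as leading labels of another domain, else None.

    Comparison is done label by label, so "notfacebook.com.example" does not
    match, and a genuine subdomain such as "www.facebook.com" is not flagged.
    """
    labels = hostname_of(url).split(".")
    for brand in PROTECTED:
        b = brand.split(".")
        if labels[-len(b):] == b:
            continue  # host is the brand itself or one of its subdomains
        # Brand labels appear contiguously, but more labels follow to the right:
        # the registered domain is therefore something else.
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return brand
    return None


def find_lures(urls):
    """Return (hostname, impersonated brand) for every URL that looks like a lure."""
    hits = []
    for url in urls:
        brand = impersonated_brand(url)
        if brand:
            hits.append((hostname_of(url), brand))
    return hits


# Constructed sample input, shaped like the URLs quoted in the post.
SAMPLE_URLS = [
    "facebook.com.lure-zone .example/usr/LoginFacebook.php?ref",
    "online.hmrc.gov.uk.lure5v .com.example/SecurityWebApp/httpsmode/statement.php",
    "https://www.facebook.com/login.php",
    "https://online.hmrc.gov.uk/home",
    "http://notfacebook.com.example/promo",
]

if __name__ == "__main__":
    for host, brand in find_lures(SAMPLE_URLS):
        print(f"{host} impersonates {brand}")
```

Run over URLs extracted from inbound mail or proxy logs, this catches the whole rotating domain portfolio without needing each domain on a blocklist first.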

Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).

The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
    - 109.95.114.251 /uks1/jquery.jxx
        - 109.95.114.251 /uks1/xd/pdf.pdf
            - 109.95.114.251 /uks1/load.php
                - 109.95.114.251 /uks1/file.exe
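
Because the chain keeps its file names while the host and directory change, proxy logs can be triaged by how far each client progressed through it. The following is an added example, not part of the original post; the log format (`epoch client host path`), the 300-second window, the strict in-order assumption and all sample lines are constructed for illustration.

```python
from collections import namedtuple

# Ordered stages of the iFrame chain as listed in the post. The directory in
# front of them changes between campaigns, so it is not part of the match.
STAGES = ["in.php", "jquery.jxx", "xd/pdf.pdf", "load.php", "file.exe"]
WINDOW = 300  # seconds allowed from landing page to last stage (assumption)

Finding = namedtuple("Finding", "client host directory last_stage verdict")


def split_stage(path):
    """Return (campaign_directory, stage_index) if path ends in a known stage."""
    path = path.split("?", 1)[0]
    for index, stage in enumerate(STAGES):
        if path.endswith("/" + stage):
            return path[: -len(stage) - 1], index
    return None


def chain_progress(lines, window=WINDOW):
    """Map (client, host, directory) to the deepest stage reached in order."""
    events = sorted(
        (int(ts), client, host, path)
        for ts, client, host, path in (l.split() for l in lines if l.strip())
    )
    state = {}  # key -> [timestamp of landing page, deepest stage index]
    for ts, client, host, path in events:
        hit = split_stage(path)
        if hit is None:
            continue
        directory, index = hit
        key = (client, host, directory)
        if key not in state:
            # A chain only starts at the landing page; a lone "file.exe"
            # elsewhere is too generic a name to report on its own.
            if index == 0:
                state[key] = [ts, 0]
            continue
        start, reached = state[key]
        if index == reached + 1 and ts - start <= window:
            state[key][1] = index
    return {key: reached for key, (start, reached) in state.items()}


def triage(lines):
    """Turn chain progress into a sorted list of findings with a verdict."""
    findings = []
    for (client, host, directory), reached in chain_progress(lines).items():
        if reached == len(STAGES) - 1:
            verdict = "payload downloaded"
        elif reached >= STAGES.index("xd/pdf.pdf"):
            verdict = "exploit document served"
        else:
            verdict = "landing page only"
        findings.append(Finding(client, host, directory, STAGES[reached], verdict))
    return sorted(findings)


# Constructed proxy log: documentation IP ranges, made-up directory name.
SAMPLE_LOG = """\
1263380000 10.0.0.15 203.0.113.7 /zz01/in.php
1263380001 10.0.0.15 203.0.113.7 /zz01/jquery.jxx
1263380003 10.0.0.15 203.0.113.7 /zz01/xd/pdf.pdf
1263380009 10.0.0.15 203.0.113.7 /zz01/load.php
1263380010 10.0.0.15 203.0.113.7 /zz01/file.exe
1263380100 10.0.0.22 203.0.113.7 /zz01/in.php
1263380101 10.0.0.22 203.0.113.7 /zz01/jquery.jxx
1263380102 10.0.0.22 203.0.113.7 /zz01/xd/pdf.pdf
1263380200 10.0.0.31 198.51.100.9 /downloads/file.exe
1263380300 10.0.0.40 203.0.113.7 /zz01/in.php
1263389999 10.0.0.40 203.0.113.7 /zz01/jquery.jxx
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

A client that reached `file.exe` should be treated as a likely infection and prioritised for response; one that stopped at the PDF was served the exploit but did not fetch the payload.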

DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations

Typosquatted domains spammed over the past 24 hours:


UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.

What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional to the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.

UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.

In need of a good example why you shouldn't be interacting with spam/phishing emails in any other way but reporting/deleting them, unless of course you're in the business of analyzing them?

Last week's OWA-themed, Zeus-serving spam campaign, courtesy of the Pushdo botnet, has not just resumed but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites, through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new: the botnet master anticipates that a visitor who clicked on the link may not be that stupid the next time, so serving the malware through client-side exploits, without any interaction on the visitor's part, is the tactic of choice.

Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.

Active fast-fluxed domains part of the campaign:

DNS servers of notice:


Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
    - atthisstage .com/uksp/jquery.jxx
        - atthisstage .com/uksp/xd/pdf.pdf
            - atthisstage .com/uksp/load.php
                - atthisstage .com/uksp/file.exe

Russian Brides spamvertised domains part of an affiliate network:


If you want to know more about the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.

Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

January 08, 2010

UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme in order to trick gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).

Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx

Fast-fluxed seed IPs:

DNS servers of notice:

Hundreds of typosquatted subdomains reside within the following currently active domains:

Seen within the past 24 hours, now offline domains part of the campaign:

Upon execution the sample phones back to the already blacklisted by the Zeus Tracker nekovo .ru:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked within the same AS are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang

January 08, 2010


The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious domains for a particular campaign, are also, simultaneously rotated across all the campaigns that they manage.

For instance, throughout the past half a year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns was parked on the now shut down Riccom LTD - AS29550. From the massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the malvertising attack at the New York Times web site, and the click-fraud facilitating Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.


In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang (Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.





Related Koobface research and analysis:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Top Ten Must-Read Posts at ZDNet's Zero Day for 2009

January 04, 2010


The end of the year naturally means a rush to come up with 'best of the best' top lists consisting of your finest content. However, based on personal observations, during the holiday season the short attention span of the average reader becomes even shorter, with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at ZDNet's Zero Day for 2009.

The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of their publishing. You will be, of course, missing the big picture if you don't keep track of Ryan Naraine's coverage.

Thank you for being a Zero Day reader!

01. Microsoft study debunks phishing profitability
02. Inside BBC's Chimera botnet
03. China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?
04. Microsoft study debunks profitability of the underground economy
05. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites - Related coverage
06. The Ultimate Guide to Scareware Protection
07. 'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie)
08. Google's CAPTCHA experiment and the human factor
09. Does software piracy lead to higher malware infection rates?
10. Koobface botnet enters the Xmas season

Related posts:
Summarizing Zero Day's Posts for January, 2009
Summarizing Zero Day's Posts for February, 2009
Summarizing Zero Day's Posts for March, 2009
Summarizing Zero Day's Posts for April, 2009
Summarizing Zero Day's Posts for May, 2009
Summarizing Zero Day's Posts for June, 2009
Summarizing Zero Day's Posts for July, 2009
Summarizing Zero Day's Posts for August, 2009
Summarizing Zero Day's Posts for September, 2009
Summarizing Zero Day's Posts for October, 2009
Summarizing Zero Day's Posts for November, 2009
Summarizing Zero Day's Posts for December, 2009


The Koobface Gang Wishes the Industry "Happy Holidays"

December 26, 2009


Oops, they did it again - the Koobface gang, which is now officially self-describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed -- notice the worm in the name -- background on Koobface-infected hosts, but it has also included a "Wish Koobface Happy Holidays" script -- last time I checked there were 10,000 people who clicked it -- followed by the most extensive message ever left by the gang, which is amusingly attempting to legitimize the activities of the gang.



In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as software whose new features are requested by users, and whose authors, by continuing its development, are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg for the malicious activities the group itself is involved in. Consider going through the related Koobface research posts featured at the bottom of the post, in order to grasp the importance of how widespread and high-profile the activities of this group are. The exact message, a screenshot of which is attached, reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

For the record, in case you were living on the other side of the universe, and weren't interested in the raw details taking place within the underground ecosystem, in July, 2009, I was the only individual ever mentioned by the Koobface gang, which back then included the following message within the command and control infrastructure for 9 days:
  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."
Next to the folks at TrendMicro, the DHS also featured the event in DHS Daily Open Source Infrastructure Report for 3 September 2009 at page 18:
  • "This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."
It got ever more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October, 2009, resulting in thousands of Facebook visits every time their crawlers were visiting a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on the top of the research pie will see daylight anytime soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - "I've got you under my skin". They'll get the point.



And now comes my Christmas present, systematic take-down, blacklisting, and domain suspension of Koobface scareware operations.


Sample detection rates by Koobface binaries - go.exe; fb.79.exe; fblanding.exe; v2captcha.exe; v2webserver.exe; pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f - Email: Josefinat@yahoo.com - 193.104.22.200 - AS34305; EUROACCESS Global Autonomous System acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at 193.104.22.200/91.212.226.95:

Christmas-themed scareware serving domains:


Speaking of AS34305; EUROACCESS Global Autonomous System, they're also hosting scareware campaigns at another IP - 193.104.22.50 in particular:

Within the same ASN, we can also find the following Zeus crimeware serving domains, courtesy of the Zeus Tracker:

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - 204.12.252.99, parked there is also windowssp3download .com - Email: contact@subarutechs.com
winrescueupdate .com/download/winlogo.bmp - 89.248.162.147

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the following scareware domains:

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog.

The Koobface Gang Wishes the Industry "Happy Holidays"

December 26, 2009

Oops, they did it again. The Koobface gang, which now officially describes itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed -- notice the worm in the name -- background on Koobface-infected hosts, but has also included a "Wish Koobface Happy Holidays" script -- last time I checked, 10,000 people had clicked it -- followed by the most extensive message ever left by the gang, which amusingly attempts to legitimize the gang's activities.


In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as software whose new features are requested by users, and claims that by continuing its development, the authors are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg of the malicious activities the group is involved in. Consider going through the related Koobface research posts featured at the bottom of the post to grasp how widespread and high-profile the activities of this group are. The exact message, a screenshot of which is attached, reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

For the record, in case you were living on the other side of the universe and weren't interested in the raw details of what takes place within the underground ecosystem: in July 2009, I was the only individual ever mentioned by the Koobface gang, which back then included the following message within its command and control infrastructure for 9 days:
  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."
Next to the folks at TrendMicro, the DHS also featured the event in the DHS Daily Open Source Infrastructure Report for 3 September 2009, on page 18:
  • "This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."
It got even more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October 2009, resulting in thousands of Facebook visits every time their crawlers visited a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on the top of the research pie will see daylight anytime soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - "I've got you under my skin". They'll get the point.

And now comes my Christmas present: the systematic take-down, blacklisting, and domain suspension of Koobface scareware operations.

Sample detection rates for Koobface binaries - go.exe; fb.79.exe; fblanding.exe; v2captcha.exe; v2webserver.exe; pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f (Email: Josefinat@yahoo.com; 193.104.22.200; AS34305, EUROACCESS Global Autonomous System) acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at 193.104.22.200/91.212.226.95:

Christmas-themed scareware serving domains:
happy-newyear2010 .com
celebrate2009year .com
newyearandsanta .com
newyeardesgings .com
santa-christmas2010 .com
snowandchristmas .com


Speaking of AS34305; EUROACCESS Global Autonomous System, they're also hosting scareware campaigns at another IP - 193.104.22.50 in particular:

Within the same ASN, we can also find the following Zeus crimeware serving domains, courtesy of the Zeus Tracker:

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - 204.12.252.99, parked there is also windowssp3download .com - Email: contact@subarutechs.com
winrescueupdate .com/download/winlogo.bmp - 89.248.162.147

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the following scareware domains:

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog.