Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

February 03, 2010

With scareware/rogueware/fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash in order to become the biggest opportunity cost for the gang's business model is crucial. The following are currently active blackhat SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy of the gang.

Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector ID (?pid=312s02&sid=4db12f):
freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn
lotteryvideowin.com - Email: test@now.net.cn
videohototplaypoker.com - Email: test@now.net.cn
financetopsecrets.com - Email: test@now.net.cn
how2winforex.com - 91.212.226.136 - Email: test@now.net.cn
2money4money.com - Email: test@now.net.cn
get-money-quickly.com - Email: test@now.net.cn
fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn
buylexuscustoms .com - 91.212.226.185 - Email: test@now.net.cn
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn
dendy-trens .com - Email: test@now.net.cn
pretendtolove .com - Email: test@now.net.cn
bewareoffreebies .com - Email: test@now.net.cn
harry-the-potter .com - Email: test@now.net.cn
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk
vincentvangoghsite .com - Email: contacts@ferra.hu
jacksonpollocksite .com - Email: contacts@ferra.hu
lady2gaga .com - Email: contacts@designt.de
nigeriaworldtours .com Email: info@montever.de
americanpiemusicvideo .com - Email: mail@suvtrip.hu
superstitionmusicvideo .com - Email: mail@suvtrip.hu
umbrellamusicvideo .com - Email: mail@suvtrip.hu
discounts-org .com - Email: mail@haselbladtour.com
littlediscounts .com - Email: mail@haselbladtour.com
winterdiscounts5 .com - Email: mail@haselbladtour.com

chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com
volvomodeltoys .com - Email: CourtneyRWebb@aol.com
manilawebcamera .com - Email: monkey22@live.com
mumbaiwebcamera .com - Email: monkey22@live.com
karachiwebcamera .com - Email: monkey22@live.com
delhiwebcamera .com - Email: monkey22@live.com
istanbulwebcamera .com - Email: monkey22@live.com
lexusmodeltoys .com - Email: monkey22@live.com
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: mail@bristonnews.com.

Sample detection rate for newly introduced scareware samples: Setup_312s2.exe - Result: 3/40 (7.5%), Setup_312s2.exe - Result: 4/39, Setup_312s22.exe - Result: 2/39 (5.13%), Setup_312s2.exe - Result: 6/39 (15.39%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 1/39 (2.56%), Setup_312s2.exe - Result: 3/39 (7.7%). Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 3/41 (7.32%), Setup_312s2.exe - Result: 6/41 (14.63%), Setup_312s2.exe - Result: 11/41 (26.83%), Setup_312s2.exe - Result: 4/42 (9.53%).

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 91.212.226.125 and firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57. The most recent samples (Sunday, February 21, 2010) phone back to firmwaredownloadserver.com /download/winlogo.bmp - 94.228.208.57; shifustserver.com /download/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com

The most recent samples (Friday, February 12, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 109.232.225.75.

The most recent samples (Wednesday, February 24, 2010) phone back to shifustserver.com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and version-upgrade.com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklatestversion.com and fastwinupdates.com.

Parked on the same IPs are more scareware domains part of the portfolio:
inter1antivirus.com - 87.98.130.232- Email: test@now.net.cn
virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn
bl9-virus-scanner.com - 87.98.130.232 - Email: test@now.net.cn
intera-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interc-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interd-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
intere-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
inter1antivirus.com - 87.98.130.232 - Email: test@now.net.cn
195.5.161.107/psx1/?vih==RANDOM_STRINGS - no domain name
91.212.132.241 /psx1/?vih==RANDOM_STRINGS
195.5.161.105 /psx1/?vih==RANDOM_STRINGS
non-antivirus-scan .com - Email: test@now.net.cn
zin-antivirus-scan .com - Email: test@now.net.cn
nextgen-scannert .com - Email: test@now.net.cn
protection15scan .com - Email: test@now.net.cn
nitro-antispyware .com - Email: test@now.net.cn
z2-antispyware .com - Email: test@now.net.cn
spy-detectore .com - Email: admin@clossingt.com
dis7-antivirus .com - Email: admin@vertigosmart.com
v2comp-scanner .com - Email: admin@vertigosmart.com
new-av-scannere .com - Email: missbarlingmail@aol.com
smartvirus-scan6 .com - Email: info@terranova.com
spywaremaxscan4 .com - Email: out@trialzoom.com
super6antispyware .com - Email: mail@ordercom.com
spyware-max-scan3 .com - Email: out@trialzoom.com
max-antivirus-security5 .com - Email: mail@dynadoter.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
11-antivirus .com - Email: call555call@live.com
1-antivirus .com - Email: call555call@live.com
1m-online-scanner .com - Email: stellar2@yahoo.com
2m-online-scanner .com - Email: stellar2@yahoo.com
2pro-antispyware .com - Email: mail@yahoo.com
3pro-antispyware .com - Email: mail@yahoo.com
6-antivirus .com - Email: call555call@live.com
7-antivirus .com - Email: call555call@live.com
9-antivirus .com - Email: call555call@live.com
a0-online-scanner .com - Email: stellar2@yahoo.com
a9-online-scanner .com - Email: stellar2@yahoo.com
aa-antivirus .com - Email: call555call@live.com
aa-online-scanner .com - Email: call555call@live.com
ab-antivirus .com - Email: call555call@live.com
ac-antivirus .com - Email: call555call@live.com
ad-antivirus .com - Email: call555call@live.com
adv1-system-scanner .com - Email: JayRKibbe@live.com
adv2-system-scanner .com - Email: JayRKibbe@live.com
ae-antivirus .com - Email: call555call@live.com
antivirus-expert-a .com - Email: 900ekony@live.com
antivirus-expert-i .com - Email: 900ekony@live.com
antivirus-expert-r .com - Email: 900ekony@live.com
antivirus-expert-y .com - Email: 900ekony@live.com
antivirussystemscan1 .com - Email: 900ekony@live.com
antivirussystemscana .com - Email: 900ekony@live.com
army-antispywarea .com - Email: beliec99@yahoo.com
army-antispywarei .com - Email: beliec99@yahoo.com
army-antispywarel .com - Email: beliec99@yahoo.com
army-antispywarep .com - Email: beliec99@yahoo.com
army-antivirusa .com - Email: beliec99@yahoo.com
army-antivirusd .com - Email: beliec99@yahoo.com
army-antivirust .com - Email: beliec99@yahoo.com
army-antivirusv .com - Email: beliec99@yahoo.com
army-antivirusy .com - Email: beliec99@yahoo.com

b1-online-scanner .com - Email: stellar2@yahoo.com
best-antivirusk0 .com
bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com
crystal-antimalware .com - Email: mail@vertigocats.com
crystal-antivirus .com - Email: mail@vertigocats.com
crystal-pro-scan .com - Email: mail@vertigocats.com
crystal-pro-scanner .com - Email: mail@vertigocats.com
crystal-spyscanner .com - Email: mail@vertigocats.com
crystal-threatscanner .com - Email: mail@vertigocats.com
crystal-virusscanner .com - Email: mail@vertigocats.com
extra-spyware-defencea .com - Email: fabula8@live.com
extra-spyware-defenceb .com - Email: fabula8@live.com
malware-a-scan .com - Email: mail@bristonnews.com
malware-b-scan .com - Email: mail@bristonnews.com
malware-c-scan .com - Email: mail@bristonnews.com
malware-d-scan .com - Email: mail@bristonnews.com
malware-t-scan .com - Email: mail@bristonnews.com
mega-antispywarea .com - Email: fabula8@live.com
mega-antispywareb .com - Email: fabula8@live.com
mm-online-scanner .com - Email: stellar2@yahoo.com
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com
my-computer-antivirusb .com - Email: dillinzer1@yahoo.com
my-computer-antiviruse .com - Email: dillinzer1@yahoo.com
my-computer-antivirusq .com - Email: dillinzer1@yahoo.com
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com
my-computer-scanc .com - Email: clintommail2@yahoo.com
my-computer-scane .com - Email: clintommail2@yahoo.com
my-computer-scanl .com - Email: clintommail2@yahoo.com
my-computer-scannera .com - Email: clintommail2@yahoo.com
my-computer-scannerl .com - Email: clintommail2@yahoo.com
my-computer-scannerm .com - Email: clintommail2@yahoo.com
my-computer-scannern .com - Email: clintommail2@yahoo.com
my-computer-scannerv .com - Email: clintommail2@yahoo.com

my-computer-scanw .com - Email: clintommail2@yahoo.com
my-pc-online-scanm .com - Email: dillinzer1@yahoo.com
my-pc-online-scann .com - Email: dillinzer1@yahoo.com
my-pc-online-scanr .com - Email: dillinzer1@yahoo.com
my-pc-online-scanv .com - Email: dillinzer1@yahoo.com
n1-system-scanner .com - Email: JayRKibbe@live.com
n2-system-scanner .com - Email: JayRKibbe@live.com
nasa-antivirus1 .com - Email: call555call@live.com
nasa-antivirus3 .com - Email: call555call@live.com
nasa-antivirusa .com - Email: call555call@live.com
nasa-antivirusb .com - Email: call555call@live.com
nasa-antiviruso .com - Email: call555call@live.com
pc1-system-scanner .com - Email: JayRKibbe@live.com
pc2-system-scanner .com - Email: JayRKibbe@live.com
pro0-antivirus .com - Email: mail@yahoo.com
pro0-system-scanner .com - Email: JayRKibbe@live.com
pro1-system-scanner .com - Email: JayRKibbe@live.com
pro2-antivirus .com - Email: mail@yahoo.com
pro4-antivirus .com - Email: mail@yahoo.com
pro6-antivirus .com - Email: mail@yahoo.com
pro8-antivirus .com - Email: mail@yahoo.com
remote-antispywarec .com - Email: teresa2mail.me@live.com
remote-antispywared .com - Email: teresa2mail.me@live.com
remote-antispywaree .com - Email: teresa2mail.me@live.com
remote-antispywarey .com - Email: teresa2mail.me@live.com
remote-pc1-scanner .com - Email: teresa2mail.me@live.com
remote-pc-scannera .com - Email: teresa2mail.me@live.com
remote-pc-scannerr .com - Email: teresa2mail.me@live.com
remote-pc-scannerv .com - Email: teresa2mail.me@live.com
remote-pc-scannery .com - Email: teresa2mail.me@live.com

scan3antispyware .com - Email: o@mozzilastuf.com
scan6antispyware .com - Email: o@mozzilastuf.com
scan8antispyware .com - Email: o@mozzilastuf.com
scan-antispywarea .com - Email: o@mozzilastuf.com
scan-antispywarec .com - Email: o@mozzilastuf.com
scan-antispywared .com - Email: o@mozzilastuf.com
scan-antispywarez .com - Email: o@mozzilastuf.com
spyware-01-scanner .com - Email: mail@bristonnews.com
spyware-03-scanner .com - Email: mail@bristonnews.com
spyware-05-scanner .com - Email: mail@bristonnews.com
spyware-06-scanner .com - Email: mail@bristonnews.com
spyware-07-scanner .com - Email: mail@bristonnews.com
stcanning-your-computerc .com - Email: mitra66@yahoo.com
stcanning-your-computerd .com - Email: mitra66@yahoo.com
stcanning-your-computerq .com - Email: mitra66@yahoo.com
stcanning-your-computerr .com - Email: mitra66@yahoo.com
stcanning-your-computert .com - Email: mitra66@yahoo.com
stcanning-your-pca .com - Email: mitra66@yahoo.com
stcanning-your-pcb .com - Email: mitra66@yahoo.com
stcanning-your-pcc .com - Email: mitra66@yahoo.com
stcanning-your-pcd .com - Email: mitra66@yahoo.com
stcanning-your-pce .com - Email: mitra66@yahoo.com
stealthv1-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com
ver1-system-scanner .com - Email: JayRKibbe@live.com
ver2-system-scanner .com - Email: JayRKibbe@live.com

virus-a1-scanner .com - Email: mail@bristonnews.com
virus-a1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com
z0-online-scanner .com - Email: stellar2@yahoo.com
z1-online-scanner .com - Email: stellar2@yahoo.com

Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at 212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd :
antispy-download .org - Email: robertsimonkroon@gmail.com
scanner-virus-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-sex-porn .org - Email: robertsimonkroon@gmail.com
download-free-files .org - Email: robertsimonkroon@gmail.com
tube-porn-best .org - Email: robertsimonkroon@gmail.com
scan-your-pc-now .org - Email: michaeltycoon@gmail.com
scanner-virus-free .com - Email: robertsimonkroon@gmail.com
tube-sex-porn .com - Email: robertsimonkroon@gmail.com
scanner-free-virus .com - Email: robertsimonkroon@gmail.com
tube-porn-best .com - Email: robertsimonkroon@gmail.com
antispy-download .info - Email: robertsimonkroon@gmail.com
soft-download-free .info - Email: robertsimonkroon@gmail.com
scanner-virus-free .info - Email: robertsimonkroon@gmail.com
scanner-free-virus .info - Email: robertsimonkroon@gmail.com
scan-your-pc-now .info - Email: michaeltycoon@gmail.com

adult-tube-free .net - Email: michaeltycoon@gmail.com
scanner-virus-free .net - Email: robertsimonkroon@gmail.com
tube-sex-porn .net - Email: robertsimonkroon@gmail.com
download-free-files .net - Email: michaeltycoon@gmail.com
scanner-free-virus .net - Email: robertsimonkroon@gmail.com
tube-porn-best .net - Email: robertsimonkroon@gmail.com
ekjsoft .eu - Email: robertsimonkroon@gmail.com
antispy-download .biz - Email: robertsimonkroon@gmail.com
soft-download-free .biz - Email: robertsimonkroon@gmail.com
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com
free-malware-scan .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com
download-free-files .biz - Email: michaeltycoon@gmail.com

scanner-free-virus .biz - Email: robertsimonkroon@gmail.com
download-free-soft .biz - Email: robertsimonkroon@gmail.com
tube-porn-best .biz - Email: robertsimonkroon@gmail.com
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com
alrzsoft .in - Email: petrenko.kolia@yandex.ru
antispy-download .biz - Email: robertsimonkroon@gmail.com
cool-tube-porn .net - Email: robertsimonkroon@gmail.com
cool-tube-porn .org - Email: robertsimonkroon@gmail.com
download-free-now .net - Email: robertsimonkroon@gmail.com
download-free-now .org - Email: robertsimonkroon@gmail.com
download-free-soft .com - Email: robertsimonkroon@gmail.com
download-free-soft .net - Email: robertsimonkroon@gmail.com
download-scaner-free .com - Email: robertsimonkroon@gmail.com
ekjsoft .eu
fdglsoft .in - Email: petrenko.kolia@yandex.ru
free-virus-scanner .net - Email: robertsimonkroon@gmail.com
kleqsoft .in - Email: petrenko.kolia@yandex.ru
kltysoft .in - Email: petrenko.kolia@yandex.ru
ktyjsoft .in - Email: petrenko.kolia@yandex.ru

kyezsoft .in - Email: petrenko.kolia@yandex.ru
lkrjsoft .in - Email: petrenko.kolia@yandex.ru
lkrtsoft .in - Email: petrenko.kolia@yandex.ru
mgtlsoft .in - Email: petrenko.kolia@yandex.ru
porn-sex-tube .net - Email: robertsimonkroon@gmail.com
porn-sex-tube .org - Email: robertsimonkroon@gmail.com
scan-free-malware .net - Email: robertsimonkroon@gmail.com
scan-free-malware .org - Email: robertsimonkroon@gmail.com
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .com - Email: robertsimonkroon@gmail.com
tube-best-porn .net - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-porn-sex .info - Email: robertsimonkroon@gmail.com
tube-porn-sex .net - Email: robertsimonkroon@gmail.com
tube-porn-sex .org - Email: robertsimonkroon@gmail.com

What's so special about the robertsimonkroon@gmail.com email anyway? It's the fact that not only was the email was once again used to register scareware domains two times in July, 2009, but also, as pointed out in November 2009's "Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:

0ni9o1s3feu60 .cn - Email: robertsimonkroon@gmail.com
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
t1eayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutr11e .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com
f1uq1dfi3qkcm .cn - Email: robertsimonkroon@gmail.com
7mx1z5jq0nt3o .cn - Email: robertsimonkroon@gmail.com
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com
bnfdxhae1rgey .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com

Stay tuned for a massive Koobface related activities update, analyzing the gang's multi-tasking throughout the entire January, 2010 -- descriptive historical OSINT offers long-term value in cross-checking for connections.

Related Koobface gang/botnet research:
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

The Diverse Portfolio of Fake Security Software Series:
A Diverse Portfolio of Fake Security Software - Part Twenty Four
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

February 03, 2010

PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild

February 03, 2010

Pushdo/Cutwail's customers, or perhaps the botnet masters themselves, continue rotating the malware campaigns, with the very latest one using a "Photo Archive #2070735" theme, and continuing to server client-side exploits hosted within crimeware-friendly networks it's time we profile and expose.

Extensive list of the domains/subdomains involved at Gary Warner's blog.

Photo Archives Hosting describes itself as:
"Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."

- Sample URL: photoshock.MalwareDomain/id1073bv/get.php?email=
- Sample iFrame from this week's campaign: 109.95.115.36 /usasp22/in.php
- Sample iFrame from last week: 109.95.114 .251 /us01d/; 109.95.115.36 /usasp/in.php
- Sample iFrame used two weeks ago: 109.95.114 .251/uks1/in.php
- Detection rate: PhotoArchive.exe (Trojan-Spy.Win32.Zbot); dropped file.exe (Trojan-Spy.Win32.Zbot)

Upon execution, it drops C:\WINDOWS\system32\sdra64.exe; C:\WINDOWS\system32\lowsec\user.ds.lll and phones back to the Zeus-crimeware serving: horosta .ru/cbd/nekovo.bri ; horosta .ru/ip.php - 109.95.115.19 Email: bernardo_pr@inbox.ru

Who's offering the hosting infrastructure for the actual domains/malware binaries and nameservers?
- AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - profiled here
- 109.95.112.0/22 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich
- 193.104.41.0/24 - AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich
- 91.200.164.0/22 - AS47560 - VESTEH-NET-as Vesteh LLC

What's worth pointing out is that "TROYAK-AS Starchenko Roman Fedorovich" is positioning itself as Ethernet,home,LAN,net,provider,ISP,Homenet provider at ctlan.net. Just like the "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" and "GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime"

All of the involved domains have already been blacklisted by the Zeus Tracker. However, with the campaigners at large, what's TROYAK-AS today, will be yet another cybecrime-friendly AS tomorrow.

Related posts:
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

How the Koobface Gang Monetizes Mac OS X Traffic

February 02, 2010

Mac users appear to have a special place in the heart of the Koobface gang, since they've recently started experimenting with a monetization strategy especially for them - by compromising legitimate sites for the sole purpose of embedding them with the popular PHP backdoor shell C99 (Synsta mod), in an attempt to redirect all the Mac OS X traffic to affiliate dating programs, such as for instance AdultFriendFinder.

The use of Synsta's C99 mod is not a novel approach, the gang has been using for over an year and a half now. The original KROTEG injected script, is now including a "hey rogazi" message. "Hey rogazi" appears to be some kind of slang word (rogatstsi) for scooter driving Italian people. What's also interesting to point out is that the Mac OS X redirection takes place through one of the few currently active centralized IPs from Koobface 1.0's infrastructure - 61.235.117.83.

This very same IP (profiled in August, 2009 and then in September, 2009) was once brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koobface 1.0's "leftovers" xtsd20090815 .com and kiano-180809 .com (domain was serving client-side exploits in November 2009's experiment by the Koobfae gang, followed by another one again hosted at 61.235.117.83) still parked there.

Go through related web shell backdoors, monetization posts: A Compilation of Web Backdoors; Monetizing Web Site Defacements; Underground Multitasking in Action; Monetizing Compromised Web Sites, Web Site Defacement Groups Going Phishing

Moreover, this China-based IP (it even has a modest Alexa pagerank) was also the centralized redirection point in Koobface 1.0's scareware business model using popup.php to redirect to a systematically updated portfolio of scareware domains, and the first time ever that I came across to what the gang is now publicly acknowledging as the "2008 ali baba and 40, LLC" team.

AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru
sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru
stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru
ubojnajasila .net - 61.235.117.87 - Email: ubojnajasila.net@contactprivacy.com

Here's how the experiment looks like in its current form. Once the OS is detected, the redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm loading the following pages, using the gang's unique campaign IDs at AdultFriendFinder:

- BestDatingDirect .com/page_hot.php?page=random&did=14029
- adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc

Parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global is the rest of the dating site redirectors:
bestdatingdirect .com
bestnetdate .com
currentdating .com
datefunclub .com
enormousdating .com
giantdating .com
onlinelovedating .com
worldbestdate .com
worlddatinghere .com

This isn't the first time that the Koobface gang is attempting to monetize traffic through dating affiliate networks. In fact, in November's "Koobface Botnet's Scareware Business Model - Part Two" post emphasizing on the gang's connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out on their connection with an Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.

An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of an Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorst10@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net
love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also used to register exploit serving domains at 195.88.190.247, participate in phishing campaigns, and register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).

Of course, the money made in process looks like pocket change compared to the money they gang makes through blackhat SEO, click fraud and scareware in general -- go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'll do sooner or later, namely, start diversifying and experimenting due to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.

Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

How the Koobface Gang Monetizes Mac OS X Traffic

February 02, 2010

Go through related web shell backdoors, monetization posts: A Compilation of Web Backdoors; Monetizing Web Site Defacements; Underground Multitasking in Action; Monetizing Compromised Web Sites, Web Site Defacement Groups Going Phishing

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild

How the Koobface Gang Monetizes Mac OS X Traffic

How the Koobface Gang Monetizes Mac OS X Traffic

RSS Feed

About Me

Blog Archive

Tags

Popular Posts