The DNS Infrastructure of the Money Mule Recruitment Ecosystem

April 20, 2010
What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the cybercriminals behind the campaigns repeatedly use to push new scams.

This post aims to expose the name servers involved and the associated ASs, using the research previously conducted on their recruitment campaigns and their affiliations with multiple other cybercrime activities.

Moreover, its main objective is to emphasize that cybercrime should stop being treated as a country- or region-specific problem; it should instead be treated as an international problem, with each and every country having its own share of cybercrime activity.
  • "The whole is greater than the sum of its parts" - Aristotle
With money mule recruitment available as-a-service (Standardizing the Money Mule Recruitment Process), the post will only detail the activities of what's referred to as a "mule recruitment syndicate"; in short, one of the most prolific syndicates, with direct connections to numerous related cybercrime campaigns profiled over the past 6 months.

What stands out is the geographical distribution of the name servers. 11 of them are based in the Netherlands, another 11 are based in China, followed by 11 more based in the United States. Here's the list of the related ASs and their occurrences:
  • AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers
  • AS38356, TimeNet - China - 11 name servers
  • AS46664, VolumeDrive - United States - 11 name servers
  • AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers
  • AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers
  • AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers
  • AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name server

Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice, the Turkish ALATRON BLTD., which is seen in the majority of its domain registrations.

The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:

ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet

ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet

ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.bizrestroom.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.bizrestroom.cc - 222.35.143.234 - AS38356, TimeNet

ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet

ns1.cnnandpizza.cc - 87.118.81.75 - Email: bears@fastermail.ru - AS31103, KEYWEB-AS Keyweb AG
ns2.cnnandpizza.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.cnnandpizza.cc - 222.35.143.236 - AS38356, TimeNet

ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive

ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet

ns1.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.partytimee.cn - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet

ns1.sandhouse.cc - 64.85.174.146 - Email: taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.sandhouse.cc - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.sandhouse.cc - 74.118.194.82 - AS46664, VolumeDrive

ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.translatasheep.net - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.translatasheep.net - 222.35.143.112 - AS38356, TimeNet

ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet

ns1.viewdreamer.com - 64.85.174.143 - Email: free@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive

ns1.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.volcanotime.com - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.volcanotime.com - 74.118.194.88 - AS46664, VolumeDrive

ns1.weathernot.net - 64.85.174.145 - Email: bowls@5mx.ru - AS30517, Great Lakes Comnet, Inc.
ns2.weathernot.net - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.weathernot.net - 74.118.194.89 - AS46664, VolumeDrive

ns1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.worldslava.cc - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.worldslava.cc - 74.118.194.84 - AS46664, VolumeDrive

ns1.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.jockscreamer.net - 74.118.194.83 - AS46664, VolumeDrive

ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.uleaveit.com - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.uleaveit.com - 74.118.194.85 - AS46664, VolumeDrive

ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System

ns1.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System

ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive
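The per-AS counts and the shared-IP and shared-registrant overlaps in the listing above are what tie the name servers into one syndicate. The following script, an added example written for this page rather than the author's own tooling, parses lines in the post's plain-text format (host - IP, optional "Email:" address, optional CIDR, then ASnnnn and a description), tabulates name servers per ASN, and clusters the domains by shared exact IP or shared registrant e-mail with a small union-find. The regexes and the clustering rule are this example's assumptions; the sample lines are a subset copied from the listing. It also offers a looser /24 pivot, which goes beyond the post's exact-match comparison.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the post's listing (a subset); the format is
# "host - ip [- Email: addr] [- cidr] - ASnnnn, description".
SAMPLE = """\
ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet
ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive
ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet
ns1.viewdreamer.com - 64.85.174.143 - free@freenetbox.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive
ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
"""

# Field patterns assumed by this example (the post has no machine-readable format).
LINE_RE = re.compile(r"^(?P<host>\S+)\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")
ASN_RE = re.compile(r"\b(AS\d+)\b")


def parse_listing(text):
    """One record per listing line; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        email, cidr, asn = EMAIL_RE.search(rest), CIDR_RE.search(rest), ASN_RE.search(rest)
        host = m.group("host")
        records.append({
            "host": host,
            "domain": host.split(".", 1)[1],  # ns1.example.com -> example.com
            "ip": m.group("ip"),
            "email": email.group(0) if email else None,
            "cidr": cidr.group(0) if cidr else None,
            "asn": asn.group(1) if asn else None,
        })
    return records


def count_by_asn(records):
    """Name servers per ASN, the figure the post tabulates by hand."""
    return Counter(r["asn"] for r in records if r["asn"])


def shared(records, field):
    """Values of `field` (ip, email, cidr, asn) used by more than one domain."""
    table = defaultdict(set)
    for r in records:
        if r[field]:
            table[r[field]].add(r["domain"])
    return {k: sorted(v) for k, v in table.items() if len(v) > 1}


def shared_prefix24(records):
    """Looser pivot: domains whose name servers sit in the same /24."""
    table = defaultdict(set)
    for r in records:
        table[".".join(r["ip"].split(".")[:3]) + ".0/24"].add(r["domain"])
    return {k: sorted(v) for k, v in table.items() if len(v) > 1}


def cluster_domains(records, fields=("ip", "email")):
    """Union-find: domains sharing an exact IP or a registrant e-mail land in one cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r in records:
        find(r["domain"])
    for field in fields:
        first_seen = {}
        for r in records:
            value = r[field]
            if value:
                if value in first_seen:
                    parent[find(first_seen[value])] = find(r["domain"])
                else:
                    first_seen[value] = r["domain"]
    groups = defaultdict(set)
    for domain in list(parent):
        groups[find(domain)].add(domain)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print(count_by_asn(recs))
    for ip, domains in shared(recs, "ip").items():
        print(ip, "shared by", ", ".join(domains))
    print(cluster_domains(recs))
```

Run against the full listing, the exact-IP clustering reproduces the two hosting patterns visible above (ISPsystem/EUROACCESS/TimeNet versus Great Lakes/RoadRunner/VolumeDrive), and the /24 pivot is what joins them, since both halves reuse the same small set of prefixes.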

The business model of this syndicate can easily be compared to the business model of the much-hyped Russian Business Network, in the sense that they are either managing the infrastructure for someone else as a service, are directly involved in the recruitment and utilization of money mules for their own purposes, or are basically building an inventory of mules to offer as a service to a large number of cybercriminals.

The basic fact that these folks are not campaign-centered, but continue maintaining their ecosystem, puts them at the top of the watch list for months to come.

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Dissecting the WordPress Blogs Compromise at Network Solutions

April 18, 2010
UPDATED: Network Solutions issued an update to the situation.

The folks at Sucuri Security have posted an update on the reemergence of mass site compromises at Network Solutions, following last week's WordPress attack.

What has changed since last week's campaign? Several new domains were introduced, including new phone-back locations, with the majority of the new domains once again parked on the same IP as last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.

The exploitation chain of the currently embedded domain is as follows:
- corpadsinc.com/grep /?spl=3&br=MSIE&vers=7.0&s=
        - corpadsinc.com /grep/soc.php
            - corpadsinc.com /grep/load.php?spl=ActiveX_pack
                - corpadsinc.com /grep/load.php?spl=pdf_2020
                    - corpadsinc.com /grep/load.php?spl=javal
                        - corpadsinc.com /grep/j2_079.jar

Detection rates for some of the obtained exploits:
- update.vbe - VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5%)
- j2_079.jar - Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5%)

Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:
binglbalts.com - Email: alex1978a@bigmir.net
corpadsinc.com - Email: alex1978a@bigmir.net
fourkingssports.com - Email: alex1978a@bigmir.net
networkads.net - Email: alex1978a@bigmir.net
mainnetsoll.com - Email: alex1978a@bigmir.net
lasvegastechreport.com
mauiexperts.com
mauisportsinsider.com

Upon successful exploitation from corpadsinc.com, the campaign drops load.exe - Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50%).

The sample load.exe also phones back to the following locations:
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9
- 188.124.16.96 /blackout_dem.exe

Detection rate for blackout_dem.exe - Trojan-Dropper - Result: 7/40 (17.5%). It phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.

Interestingly, the sample attempts to install a Firefox add-on in the following way:
- %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02, detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX.

It's also worth pointing out that the campaign's admin panel points to a third-party, cybercrime-friendly IP that's currently offline: corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW.

The bottom line: although Network Solutions criticized the media last week for blaming this on Network Solutions or on WordPress itself, the company should realize that, for the sake of its reputation, it should always apply the "protect the end user from himself" mentality when offering any of its services.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks


Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang

April 16, 2010
Earlier this week, another malvertising campaign affected a popular community, this time Facebook's FarmTown.

You have to analyze and cross-check it to believe it.

Key summary points:
  • the email test@now.net.cn, used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -

iPhone Unlocking Themed Malware Campaign Spamvertised

April 14, 2010

UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that, immediately after the brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.). Currently responding to the same IP are also the following domains known to have been connected with previous malware campaigns: startexag.com - Email: venterprize@gmail.com; exposingpics.com; and animezhd.com.

Researchers from BitDefender are reporting on a currently spamvertised malware campaign using an "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.

The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone-iphone.info@protecteddomainservices.com entices the end user into downloading the malware from pepd.org/blackra1n.exe - 188.210.236.109 - Email: pepd.org@protecteddomainservices.com.

Detection rate: blackra1n.exe - Trojan.BAT.AACL - Result: 10/40 (25%). The malware itself attempts to change the default DNS settings on the infected hosts to the following IP: 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.

- Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250

- Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)
- Creates Process - Filename () CommandLine: (interface ip set dns "wireles network connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)

From Romania, with DNS-changing malware.
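Both traces the sample leaves, the netsh process creation and the direct write to the interface's NameServer value, are easy to turn into a detection. The script below is an added example written for this page, not the author's or BitDefender's code: it scans process-creation and registry-write log lines for resolver changes and flags any resolver outside an allowlist of the resolvers an organisation actually uses. The log lines are constructed, shaped after the sandbox output quoted above (the netsh command, the interface GUID and the 188.210.236.250 resolver are the post's; the 10.0.0.x entries are benign changes added for contrast), and the allowlist, the log format and the regexes are this example's assumptions.

```python
import ipaddress
import re

# Constructed log lines shaped after the sandbox output quoted in the post.
SAMPLE_LOG = [
    'Creates Process - Filename () CommandLine: (C:\\WINDOWS\\system32\\NETSH.EXE: '
    'interface ip set dns "Local Area Connection" static 188.210.236.250) As User: ()',
    'Creates Process - Filename () CommandLine: (C:\\WINDOWS\\system32\\NETSH.EXE: '
    'interface ipv4 set dnsservers name="Ethernet" static 10.0.0.53) As User: ()',
    'Creates Process - Filename () CommandLine: (C:\\WINDOWS\\system32\\NETSH.EXE: '
    'interface ip show dns) As User: ()',
    'Sets Value - HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters'
    '\\Interfaces\\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250',
    'Sets Value - HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters'
    '\\Interfaces\\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 10.0.0.53,10.0.0.54',
]

# Resolvers the organisation actually uses (constructed allowlist).
TRUSTED_RESOLVERS = ["10.0.0.0/24"]

# Old-style "interface ip set dns <iface> static <ip>" and newer
# "interface ipv4 set/add dnsservers name=<iface> static|address=<ip>" forms.
NETSH_RE = re.compile(
    r'netsh(?:\.exe)?:?\s+interface\s+ip(?:v4)?\s+(?:set|add)\s+dns(?:servers)?\s+'
    r'(?:name=)?"?(?P<iface>[^"]+?)"?\s+(?:static\s+|address=)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})',
    re.IGNORECASE,
)
# Direct write to the per-interface NameServer value (comma/space separated list).
REGISTRY_RE = re.compile(
    r'\\Services\\Tcpip\\Parameters\\Interfaces\\(?P<iface>\{[0-9A-F-]+\})'
    r'\s*"?NameServer"?\s*=\s*"?(?P<ips>[\d.,\s]+)',
    re.IGNORECASE,
)


def _trusted(ip_text, trusted_nets):
    """True when the resolver is inside the allowlist; unparsable addresses count as untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def find_dns_hijacks(lines, trusted_resolvers):
    """Flag every resolver change (netsh or direct registry write) to an untrusted address."""
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_resolvers]
    findings = []
    for lineno, line in enumerate(lines, 1):
        candidates = []
        m = NETSH_RE.search(line)
        if m:
            candidates.append(("netsh", m.group("iface"), [m.group("ip")]))
        m = REGISTRY_RE.search(line)
        if m:
            ips = [p for p in re.split(r"[,\s]+", m.group("ips").strip()) if p]
            candidates.append(("registry", m.group("iface"), ips))
        for source, iface, ips in candidates:
            for ip in ips:
                if not _trusted(ip, trusted_nets):
                    findings.append({"line": lineno, "source": source,
                                     "interface": iface, "resolver": ip})
    return findings


if __name__ == "__main__":
    for hit in find_dns_hijacks(SAMPLE_LOG, TRUSTED_RESOLVERS):
        print(f"line {hit['line']}: {hit['source']} set resolver {hit['resolver']} "
              f"on {hit['interface']}")
```

The read-only "show dns" invocation and the changes to 10.0.0.53/54 produce no findings; only the two writes pointing at the Romanian resolver are reported. In practice the same two patterns map onto process-creation and registry-modification telemetry from whatever endpoint sensor is in use, and the allowlist should be the real DHCP-assigned resolvers for the environment.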


Copyright Violation Alert Themed Ransomware in the Wild

April 12, 2010

UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM

The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach to extortion, demanding the highest amount of money seen in ransomware variants so far, but also offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.

We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."

Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From "The Koobface Gang Wishes the Industry "Happy Holidays"", where it was used to register Zeus C&Cs as well as money mule recruitment domains; from "Money Mule Recruitment Campaign Serving Client-Side Exploits", where it was used to register the client-side exploit serving mule recruitment site; and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four", where it was used in another mule recruitment site registration.

What's particularly interesting about the ransomware variant is that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, and that it will attempt to build its torrents list from actual torrent files it is able to locate on the victim's hard drive.

Detection rates for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker), with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone-back directories from different campaigns:
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0

This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments and focusing on profit margins by attempting to extort $400.

Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?

SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale

Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise

April 12, 2010

It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware serving purposes, and entirely another when the front page of the bank (NorthWesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of Backdoor.DMSpammer.

This is exactly what happened on Friday, with the front page of the Northwestern Bank of Orange City and Sheldon, Iowa acting as an infection vector. And although the site is now clean, the compromise offers some interesting insights into the multitasking of some of the most prolific malware spreaders for Q1, 2010.

How come? The iFrame domain used in the Northwestern Bank campaign is parked on the very same IP (59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) that is still active, and was profiled in last month's spamvertised "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.

The iFrame embedded on the front page of Northwestern Bank's web site, mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following directories to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit web malware exploitation kit:

- mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru
    - sobakozgav.net /index.php - 59.53.91.192
        - sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324
            - sobakozgav.net /l.php?i=16
                - sobakozgav.net /statistics.php
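The injected element in this compromise has the classic shape: an iframe on a page of the bank's own site, pointing at a host the site has no business loading. The script below is an added example written for this page, not the author's or the bank's code: it walks a page's HTML with the standard-library parser, lists every iframe, frame, script, embed and object that loads from a URL, and reports those whose host is neither the site itself (or one of its subdomains) nor on an allowlist of known third parties, noting when the element is zero-sized or CSS-hidden. The sample page is constructed for a fictitious bank at the placeholder host example-bank.invalid; the iframe URL is the one named in the post, and the script URL is a constructed second remote inclusion.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed front page for a placeholder bank host (example-bank.invalid).
SAMPLE_HTML = """<html><head><title>Online Banking</title>
<script src="/js/site.js"></script>
<script src="https://static.example-bank.invalid/analytics.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.example-bank.invalid/rates" width="600" height="400"></iframe>
<iframe src="http://mumukafes.net/trf/index.php" width="0" height="0" style="visibility: hidden"></iframe>
<script src="//sobakozgav.net/js.js"></script>
</body></html>"""


class RemoteIncludes(HTMLParser):
    """Collect elements that pull content from a URL: iframes, frames, scripts, embeds, objects."""
    SRC_ATTR = {"iframe": "src", "frame": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_ATTR.get(tag)
        if attr is None:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get(attr):
            self.found.append({"tag": tag, "url": a[attr], "attrs": a})


def looks_hidden(attrs):
    """Heuristic for the injected-iframe shape: zero/one pixel sized or CSS-hidden."""
    def tiny(v):
        return v.strip().lower().rstrip("px") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_foreign_includes(html, site_host, allowed_hosts=()):
    """Return remote includes whose host is neither the site itself nor allowlisted."""
    parser = RemoteIncludes()
    parser.feed(html)
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for item in parser.found:
        host = (urlparse(item["url"]).hostname or "").lower()
        if not host:  # relative URL: served from the site itself
            continue
        same_site = host == site_host or host.endswith("." + site_host)
        if same_site or host in allowed:
            continue
        findings.append({"tag": item["tag"], "host": host, "url": item["url"],
                         "hidden": looks_hidden(item["attrs"])})
    return findings


if __name__ == "__main__":
    for hit in find_foreign_includes(SAMPLE_HTML, "example-bank.invalid"):
        flag = " (hidden)" if hit["hidden"] else ""
        print(f"<{hit['tag']}> loads {hit['url']} from {hit['host']}{flag}")
```

Run periodically against a site's own rendered pages (or against a stored copy, which also catches server-side injection the site owner cannot see in the source files), a new, hidden, off-site iframe is exactly the signal that would have exposed this compromise before a visitor's browser followed the chain.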

Parked on the same IP (59.53.91.192) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:
aaa.fozdegen.com - Email: mated@freemailbox.ru
bbb.fozdegen.com - Email: mated@freemailbox.ru
cogs.trfafsegh.com - Email: maple@qx8.ru
countrtds.ru - Email: thru@freenetbox.ru
dogfoog.net - Email: drier@qx8.ru
eee.fozdegen.com - Email: mated@freemailbox.ru
fff.sobakozgav.net - Email: mated@freemailbox.ru
fozdegen.com - Email: mated@freemailbox.ru
lll.sobakozgav.net - Email: mated@freemailbox.ru
mumukafes.net - Email: mated@freemailbox.ru
sobakozgav.net - Email: mated@freemailbox.ru
trfafsegh.com - Email: maple@qx8.ru

Moreover, there are also active ZeuS C&Cs on the same IP - 59.53.91.192, with the following detection rates for the currently active binaries:
- exe1.exe - Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22%)
- exe.exe - Backdoor.DMSpammer - Result: 23/39 (58.97%)
- svhost.exe - Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85%)
- vot.exe - Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG - Result: 15/38 (39.48%)

Detection rates for the campaign files obtained through Northwestern Bank's client-side exploit serving campaign:
- js.js - Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7%)
- newplayer.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42%)
- update.exe - Backdoor.DMSpammer - Result: 24/39 (61.54%)

The sample update.exe phones back to the following locations:
usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, AS38356, TimeNet - Email: paulapruyne13@gmail.com
usrdomainn.net /n2/tuktuk.php
usrdomainn.net /n2/getemails.php
usrdomainnertwesar.net /n2/getemails.php
usrdomainnertwesar.net /n2/checkupdate.txt
usrdomainnertwesar.net /n2/tuktuk.php

AS38356, TimeNet was most recently seen in the migration of the money mule recruiters ("Keeping Money Mule Recruiters on a Short Leash - Part Four"); tuktuk.php literally translates as herehere.php.

The site is now clean; however, the iFrame domains and ZeuS C&Cs remain active.


Keeping Money Mule Recruiters on a Short Leash - Part Four

April 09, 2010

UPDATED: Saturday, April 10, 2010: Some of the mule recruitment sites appear to be interested in something other than recruiting mules; it must be the oversupply of people unknowingly participating in the cybercrime ecosystem.

Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are not accepting registrations, but are instead attempting to trick the visitor into downloading and executing a bogus psychological test.

"Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position. After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later point. To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and you will be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions." *If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu."

- testAugmentInc.exe - Result: 3/38 (7.9%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1
- testOrtexGroup.exe - Result: 3/39 (7.7%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1

UPDATED: AS34305, EUROACCESS has taken down the IPs within their network. The money mule recruiters naturally have a contingency plan in place, and have migrated to AS38356 - TimeNet (222.35.143.112; 222.35.143.234; 222.35.143.235; 222.35.143.237) and AS21793 - GOGAX (76.76.100.2; 76.76.100.4; 76.76.100.5).


Based on the already established patterns of this group, it was only a matter of time until they re-introduced yet another portfolio of money mule recruitment domains, combining them with spamvertised recruitment messages, and forum postings.

Just like their campaign from last month (Keeping Money Mule Recruiters on a Short Leash - Part Three), the current one is once again interacting exclusively with AS34305, EUROACCESS Global Autonomous System, including the newly introduced name servers.

What has changed? It's the migration towards fast-flux infrastructure for ZeuS crimeware serving campaigns and, in an isolated incident profiled in this post, a money mule recruitment campaign that shares the same fast-flux infrastructure. Combined with the BIZCN.COM, INC. domain registrar's practice of accepting domain registrations using example.com emails, next to ignoring domain suspension requests, you end up with the perfect safe haven for a cybercrime operation.

In March, 2010, it took EUROACCESS less than 10 minutes to undermine their campaigns, including ones residing within the AS of a cybercrime-friendly customer known as 193.104.22.0/24 KratosRoute. However, it's interesting to observe their return to the same ISP, given that they were within a much more cybercrime-friendly neighborhood once EUROACCESS kicked them out last month.

Although last month's takedown activities may seem to have had only a short-lived effect, now that the recruiters are not only back but once again abusing EUROACCESS, the loss of OPSEC (operational security) did happen, just as it did in the wake of the TROYAK-AS takedown.

Let's dissect the currently ongoing campaign, and highlight a second money mule recruitment campaign that is not just using fast-flux infrastructure, but is also connected to hilarykneber@yahoo.com (The Kneber botnet - FAQ).


Spamvertised, and parked domains on 85.12.46.3; 85.12.46.2; 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System are as follows:
altitudegroupinc.tw - Email: weds@fastermail.ru
altitude-groupli.com - Email: mylar@5mx.ru
altitude-groupmain.tw - Email: gutsy@qx8.ru
amplitude-groupmain.net - Email: tabs@5mx.ru
arvina-groupco.tw - Email: hv@qx8.ru
arvina-groupinc.tw - Email: jerks@5mx.ru
arvina-groupnet.cc - Email: mat.mat@yahoo.com
asperity-group.com - Email: okay@qx8.ru
asperitygroup.net - Email: cde@freenetbox.ru
asperitygroupinc.tw - Email: ti@fastermail.ru
asperity-groupmain.tw - Email: gutsy@qx8.ru
astra-groupnet.tw - Email: logic@qx8.ru
astra-groupinc.tw - Email: gv@fastermail.ru
augment-group.com - Email: mylar@5mx.ru
augmentgroup.net - Email: glean@fastermail.ru
augmentgroupinc.tw - Email: weds@fastermail.ru
augment-groupmain.tw - Email: gutsy@qx8.ru
celerity-groupmain.net - Email: cde@freenetbox.ru
celerity-groupmain.tw - Email: weds@fastermail.ru
excel-groupco.tw - Email: thaws@bigmailbox.ru
excel-groupsvc.com - Email: carlo@qx8.ru
fincore-groupllc.tw - Email: jerks@5mx.ru
fecunda-group.com - Email: okay@qx8.ru
fecundagroupllc.tw - Email: omega@fastermail.ru
fecunda-groupmain.net - Email: mylar@5mx.ru
fecunda-groupmain.tw - Email: ti@fastermail.ru
foreaim-group.com - Email: cde@freenetbox.ru
foreaimgroup.net - Email: glean@fastermail.ru
foreaimgroupinc.tw - Email: gutsy@qx8.ru
foreaim-groupmain.tw - Email: weds@fastermail.ru
impact-groupinc.net - Email: cde@freenetbox.ru
impact-groupnet.com - Email: okay@qx8.ru
luxor-groupco.tw - Email: logic@qx8.ru
luxor-groupinc.cc - Email: mat.mat@yahoo.com
luxor-groupinc.tw - Email: gv@fastermail.ru
magnet-groupco.tw - Email: gv@fastermail.ru
magnet-groupinc.cc - Email: mat.mat@yahoo.com
millennium-groupco.tw - Email: thaws@bigmailbox.ru
millennium-groupsvc.tw - Email: thaws@bigmailbox.ru
optimusgroupnet.cc - Email: mat.mat@yahoo.com
optimus-groupsvc.tw - Email: jerks@5mx.ru
ortex-gourpinc.tw - Email: clad@bigmailbox.ru
ortex-groupinc.cc - Email: mat.mat@yahoo.com
pacer-groupnet.tw - Email: omega@fastermail.ru
point-groupco.tw - Email: wxy@qx8.ru
point-groupinc.cc - Email: mat.mat@yahoo.com
spark-groupco.tw - Email: clad@bigmailbox.ru
spark-groupsv.tw - Email: clad@bigmailbox.ru
spark-groupsvc.com - Email: trim@freenetbox.ru
synapse-groupfine.net - Email: okay@qx8.ru
synapse-groupinc.tw - Email: omega@fastermail.ru
synapsegroupli.com - Email: tabs@5mx.ru
target-groupinc.cc - Email: mat.mat@yahoo.com
tnm-group.tw - Email: troop@bigmailbox.ru
tnmgroupinc.com - Email: tabs@5mx.ru
tnmgroupsvc.net - Email: tabs@5mx.ru
starlingbusinessgroup.com - 212.150.164.201 - Email: tahli@yahoo.com (spamvertised separately from the campaign)

Newly introduced name servers:
ns3.sandhouse.cc - 74.118.194.82 - Email: taunt@freenetbox.ru
ns1.volcanotime.com (Parked on the same IP is also ns1.jockscreamer.net Email: free@freenetbox.ru) - 64.85.174.144 - Email: hs@bigmailbox.ru
ns2.weathernot.net - (Parked on the same IP is also ns2.worldslava.cc Email: fussy@bigmailbox.ru) 204.12.217.252 - Email: bowls@5mx.ru
ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru
ns2.pesenlife.net - 204.12.217.254 - Email: erupt@qx8.ru
ns3.greezly.net - 204.124.182.151 - Email: erupt@qx8.ru

Name servers known from previous campaigns remain active, using AS34305:
ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru
ns1.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru
ns2.alwaysexit.com - 85.12.46.2 - Email: sob@bigmailbox.ru
ns2.trythisok.cn - 85.12.46.2 - Email: chunk@qx8.ru

It's been a while since I came across a money mule recruitment campaign using fast-flux infrastructure (Money Mule Recruiters use ASProx's Fast Fluxing Services) that's also currently being used by domains registered using the same emails as the original Hilary Kneber campaigns (Celebrity-Themed Scareware Campaign Abusing DocStoc) from December, 2009, as well as related mule recruitment campaigns (Dissecting an Ongoing Money Mule Recruitment Campaign) from February, 2010.

Moreover, one of the domains sharing the fast-flux infrastructure with the money mule recruitment site asapfinancialgroup.com - Email: admin@asapfinancialgroup.com, was also profiled in last month's "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild".

The following ZeuS crimeware, client-side exploits service, and malware phone back C&C domains, all share the same fast-flux infrastructure:
allaboutc0ntrol.cc - Email: HilaryKneber@yahoo.com
agreement52.com - Email: Davenport@example.com
smotri123.com - Email: smot-smot@yandex.ru - C&C profiled last month
jdhyh1230jh.net - Email: None@aol.com
mabtion.cn - Email: Michell.Gregory2009@yahoo.com
wooobo.cn - Email: Michell.Gregory2009@yahoo.com
mmjl3l45lkjbdb.ru - Email: none@none.com
domainsupp.net - Email: ErnestJBooth@example.com

first-shockabsorbers.com - Email: ring.redlink@yandex.ru
this-all-clean.info - Email: ring.redlink@yandex.ru
f45rugfj98hj9hjkfrnk.com - Email: holsauto@live.com
financialdeposit.com - Email: crWright@gmail.com
connectanalyst.com - Email: Mildred44@gmail.com - NOT ACTIVE
vmnrjiknervir.com - Email: holsauto@live.com - NOT ACTIVE
longtermrelations.com - Email: admin@schumachercomeback.com - NOT ACTIVE, SUSPENDED

Name servers of the fast-fluxed domains include:
ns1.hollwear.com - 87.239.22.240 - Email: kymboll@rocketmail.com
ns1.kentinsert.net - 64.120.135.214 - Email: rackmodule@writemail.com
ns1.dimplemolar.net - 207.126.161.29 - Email: carruawau@gmail.com
ns1.megapricelist.net - 66.249.23.63 - Email: jobwes@clerk.com
ns1.bighelpdesk.net - 76.10.203.46 - Email: galaxegalaxe@gmail.com
ns1.linejeans.com - 95.211.86.140 - Email: palmatorz@aol.com
ns1.ceberlin.com - 204.12.210.235
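Pivoting on shared registrant e-mails and shared hosting IPs is what ties the name servers and domains listed above to a single syndicate. The following Python is an added example, not code from the original post: it parses records in the `domain - IP - Email: address` format used throughout this post, indexes them by e-mail and IP, and groups domains into infrastructure clusters with a union-find. The sample input is a handful of the name server records listed above; the one line with a parenthetical aside (ns1.volcanotime.com) is a format variant the parser deliberately skips and reports as unparsed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Record format used in the post: "<domain> - <ip> - Email: <address> - <note>",
# where the IP, the e-mail and the trailing note may each be absent.
RECORD_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]+)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s*(?P<email>[^\s]+))?"
    r"(?:\s+-\s+(?P<note>.*))?$",
    re.IGNORECASE,
)

# Sample input taken from the name server lists in this post; the volcanotime
# line carries a parenthetical aside and is expected to be skipped.
SAMPLE_RECORDS = """
ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru
ns1.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru
ns2.alwaysexit.com - 85.12.46.2 - Email: sob@bigmailbox.ru
ns2.trythisok.cn - 85.12.46.2 - Email: chunk@qx8.ru
altitudegroupinc.tw - Email: weds@fastermail.ru
ns1.ceberlin.com - 204.12.210.235
ns1.volcanotime.com (Parked on the same IP is also ns1.jockscreamer.net Email: free@freenetbox.ru) - 64.85.174.144 - Email: hs@bigmailbox.ru
"""


@dataclass(frozen=True)
class Record:
    domain: str
    ip: Optional[str]
    email: Optional[str]
    note: Optional[str]


def parse_record(line: str) -> Optional[Record]:
    """Parse one indicator line; return None when the line does not fit the format."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    email = m["email"].lower() if m["email"] else None
    return Record(m["domain"].lower(), m["ip"], email, m["note"])


def parse_records(text: str):
    """Parse all non-empty lines; return (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        (records if rec else unparsed).append(rec or line.strip())
    return records, unparsed


def shared_values(records, field: str):
    """Map each e-mail or IP that appears on more than one domain to those domains."""
    index = defaultdict(set)
    for r in records:
        value = getattr(r, field)
        if value:
            index[value].add(r.domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


def cluster_infrastructure(records):
    """Union-find over domains: two domains join one cluster if they share an IP or an e-mail."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # ("ip", value) or ("email", value) -> first domain carrying it
    for r in records:
        for key in (("ip", r.ip), ("email", r.email)):
            if key[1] is None:
                continue
            if key in first_seen:
                union(first_seen[key], r.domain)
            else:
                first_seen[key] = r.domain

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    # Largest cluster first, then alphabetical by leading domain.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_RECORDS)
    for cluster in cluster_infrastructure(recs):
        print(len(cluster), ", ".join(cluster))
    for email, domains in shared_values(recs, "email").items():
        print("shared e-mail", email, "->", domains)
    for line in skipped:
        print("unparsed:", line)
```

Six of the nine parsed name servers collapse into one cluster: chunk@qx8.ru links three of them directly, and the shared 92.63.x and 85.12.46.2 hosts pull in the rest, which is the same pivot the post performs by hand. Records that only fit a variant format are surfaced as unparsed rather than silently dropped.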

EUROACCESS has been notified; an update will be posted as soon as they take care of the campaign.

Related coverage of money laundering in the context of cybercrime:
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002


Money Mule Recruitment Campaign Serving Client-Side Exploits

March 30, 2010
Remember Cefin Consulting & Finance, the bogus money mule recruitment company that ironically tried to recruit me last month?

They are back, with a currently ongoing money mule recruitment campaign, this time not just attempting to recruit gullible users, but also serving client-side exploits (CVE-2009-1492; CVE-2007-5659) through JavaScript embedded on each and every page within the recruitment site.
Let's dissect the campaign, expose the client-side exploit serving domains and the ZeuS crimeware serving domains parked within the same netblock as the mule recruitment site itself, and ultimately expose a bogus furniture company hosting an aptly named cv.exe that is dropped on the infected host.

Initial recruitment email sent from financialcefin@aol.com:
Hello, Our Company is ready to offer full and part time job in your region. It is possible to apply for a well-paid part time job from your state. More information regarding working and cooperation opportunities will be sent upon request. Please send all further correspondence ONLY to Company's email address: james.mynes.cf@gmail.com Best regards 

Response received:
Greetings,

Cefin Consulting & Finance company thanks you for being interested in our offer. All additional information about our company you may read at our official site. www.ceffincfin.com Below the details of vacancy operational scheme:
1. The payment notice and the details of the beneficiary for further payment transfer will be e-mailed to your box. All necessary instructions regarding the payment will be enclosed.
2. As a next step, you'll have to withdraw cash from our account.
3. Afterwards you shall find the nearest Western Union office and make a transfer. Important: Only your first and last names shall be mentioned in the Western Union Form! No middle name (patronymic) is written! Please check carefully the spelling of the name, as it has to correspond to the spelling in the Notice.
4. Go back home soonest possible and advise our operator on the payment details (Sender’s Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount).
5. Our operator will receive the money and send it to the customer.
6. Please be ready to accept and to make similar transfers 2-5 times a week or even more often. Therefore you have to be on alert to make a Western Union payment any time.


Should you face any problems incurred in the working process, don’t hesitate to contact our operator immediately. If you have any questions, please do not hesitate to contact us by e-mail. If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name c) Account number d) Sort code 8) Scan of your passport or driver license

2010 © Cefin Consulting & Finance
All rights reserved.


Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: winter343@hotmail.com - currently flagged as malicious.

Once deobfuscated, the JavaScript attempts to load the client-side exploits serving URL click-clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com.

Sample campaign structure:
- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b2ddfY0a607663Z0100f055


Parked on the same IP (91.213.174.52) are also the following client-side exploit serving domains:
click-reklama.com - Email: tahli@yahoo.com
googleinru.in - Email: mirikas@gmail.com

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the following client-side exploits/crimeware friendly domains:
benlsdenc.com - Email: blablaman25@gmail.com
nermdusa.com - Email: polakurt69@gmail.com
mennlyndy.com - Email: albertxxl@gmail.com
kemilsy.com - Email: VsadlusGruziuk@gmail.com
benuoska.com - Email: godlikesme44@gmail.com


Name servers of notice, ns1.ginserdy.com - 93.186.127.205 - Email: albertxxl@gmail.com and ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com, have also been registered using the same emails as the original client-side exploit serving domains.

Sample detection rates, and phone back locations:
- cefin.js - Troj/IFrame-DY - Result: 1/42 (2.39%)
- clicker.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM - Result: 21/42 (50.00%)
- clicker2.exe - TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86%)
- cv.exe - Trojan.Siggen1.15304 - Result: 3/42 (7.15%)
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)


Upon execution, the sample phones back to the Oficla/Sasfis C&C at socksbot.com /isb/gate.php?magic=121412150001&ox=2-5-1-2600&tm=3&id=24905431&cache=4154905385& - 195.78.109.3 - Email: aniwaylin@yahoo.com, which drops pozitiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru from the web site of a fake furniture company (PoZITIVe SRL).

Interestingly, today the update location has been changed to tds-style.spb.ru /error/1.exe. Detection rate:
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)

The Keeping Money Mule Recruiters on a Short Leash series is set to expand. Stay tuned!

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
