It doesn't take a rocket scientist to conclude that sooner or later the people behind
the Conficker botnet had to switch to monetization phase, and start earning revenue by using well proven business models within the cybercrime ecosystem.
Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (
Managed Fast Flux Provider;
Managed Fast Flux Provider - Part Two), hosting of
scams and
spam, examples of which we've already seen related cases where a
money mule recruitment agency was using ASProx's fast-flux network services, next to
Srizbi's botnet managed spam service propositions.
How come? Pretty simple, starting from the fact that
scareware/fake security software as a monetization process remains
the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks are often an easy way for cybercriminals to quickly money launder large amounts of money in a typical win-win revenue sharing scheme.
The
Conficker gang is monetization-aware, that's for sure. But they forget a simple fact - that in a cybercrime ecosystem visibility is not just proportional with decreased OPSEC (
Violating OPSEC for Increasing the Probability of Malware Infection), but also, that despite their risk-decreasing revenue sharing model, the "
follow the money trail" practice becomes more and more relevant.
The most recent variant (
Net-Worm.Win32.Kido.js) is the group's second attempt to monetize the botnet, following by the original Conficker variant's traffic converter connection
pushing fake security software. According to Aleks Gostev at Kaspersky Labs:
"
One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009.com."
Regular researchers/law enforcement followers of
the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme the latest Conficker variant is using. Among the currently active/recently registered SpywareProtect portfolios are managed by
Geraldevich Viktus Email:
krutoymen2009@inbox.ru and conveniently just like Kaspersky states, are all parked in Ukraine.
In case you remember according to SRI International's
Analysis of the Conficker worm, the authors did signal a national preference since the first release "
randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database." and also "
Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian." followed by a third Ukrainian lead, namely the fact that "
on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors. Specifically, we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina."
SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009 .com (94.232.248.53) Ukraine Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC
spyware-protector-2009 .com
spy-protect-2009 .com
spywprotect .comThe second portfolio is also parked in Ukraine as follows:
sysguard2009 .com (195.245.119.131) AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine
swp2009 .com
spwrpr2009 .com
alsterstore .com
adwareguard .netIn a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g
spywrprotect-2009 .com) can be established with Zeus crimeware campaigns, since particular droppers have been known to have been installing the scareware next to Zeus crimeware used to be hosted at the following locations:
capitalex .ws/adv.bin (213.155.10.176)
cashtor .net/tor22/tor.bin (91.193.108.222)
goldarea .biz/adv.bin (91.197.130.39)
It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking-even out of their investment?
In a network whose activities will inevitably start converging with the rest of the cybercrime ecosystem's participants' activities --
the Waledac connection -- it's crucual to keep the track-down-and-prosecute process as simple as possible. In this case - the Conficker authors'/customers of their botnet services
asset liquidity obsession, may easily end up in someone's $250k reward claim. Patience is a virtue.
Continue reading →
Not necessarily in real-time (Syndicating Google Trends Keywords for Blackhat SEO) but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm StalkDaily/Mikeyy.
It's a tiny usa.js script (e.g my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice - referrer checking in order to serve or not to serve the malicious content.
For instance, deobfuscated the script checks whether the user is coming from the following search engines var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if (document.referrer)ref = document.referrer;. If the user/researcher is basically wandering around, a blackhat SEO page with no malicious redirections would be served.
The following are all of the currently active and participating domains/subdomains:
The redirection process consists of two layers. The first one is redirecting to hjgf .ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93), and the second one takes place through a well known malicious doorway redirecting domain hqtube .com/to_traf_holder.html (88.85.66.116) that either serves a fake codec that's dropping the scareware, or the scareware itself from files.ms-load-av .com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:
RSS Feed