From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

0
June 17, 2009
UPDATE: In less than half an hour upon notification, Twitter and LinkedIn have already removed the bogus accounts.

UPDATE2: Forty five minutes later Scribd removes the bogus accounts.

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybecriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-boss.com.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (64.86.17.47) with a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

Initialization_failed C:\WINDOWS\system32\himem.sys

If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."

The messaged used in the weekend's Twitter campaign, as well as a graph on the peaks and downds for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:
twitter .com/wenning351
twitter .com/ula475
twitter .com/escher338
twitter .com/ochs40
twitter .com/karlen131
twitter .com/cordes904
twitter .com/hecker905
twitter .com/bohl566
twitter .com/sattler649
twitter .com/hildegard115
twitter .com/andreas281
twitter .com/wassermann38
twitter .com/rummel980
twitter .com/guilaine896
twitter .com/orlowski781
twitter .com/rupette972
twitter .com/holzner473
twitter .com/dumke576
twitter .com/hilgers465
twitter .com/heese157
twitter .com/meier679
twitter .com/habel896
twitter .com/holzinger567
twitter .com/wilhelm578
twitter .com/dearg450
twitter .com/habicht717
twitter .com/ferde373
twitter.com/hass323
twitter .com/heckmann918
twitter .com/bruna555
twitter .com/wilbert25
twitter .com/eckart412
twitter .com/sperlich374
twitter .com/jahn562
twitter .com/ludvig30
twitter .com/bing274
twitter .com/fett628
twitter .com/brock93
twitter .com/mally981
twitter .com/merle752
twitter .com/axmann101
twitter .com/pelz478
twitter .com/renaud687
twitter .com/wienke879
twitter .com/hartinger619
twitter .com/chriselda988
twitter .com/kloos267
twitter .com/dreyer15
twitter .com/herta740
twitter .com/brauer427
twitter .com/nadina732
twitter .com/wenda245
twitter .com/rieken434
twitter.com/reinhard192
twitter .com/plath132
twitter .com/bick497
twitter .com/johannsen747
twitter .com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn  82.146.52.158 - Email: alexvasiliev1987@cocainmail.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows, it's also worth pointing out that compared to their previous campaigns, in this way they've included relevant backgrounds and avatars to the Twitter accounts:
twitter .com/AshleyTisdal1
twitter .com/AnnaNicoleSmit
twitter .com/ParisHiltonjpg1
twitter .com/ParisHiltonmov1
twitter .com/ParisHiltonNake
twitter .com/ParisHiltonSex1
twitter .com/ParisHiltonNud2
twitter .com/ParisSexTape2
twitter .com/Britneynipslip1
twitter .com/Britneywomani
twitter .com/Britneystrip1
twitter .com/BritneySex
twitter .com/Britneycomix
twitter .com/Britneywomaniz
twitter .com/BritneyNaked2
twitter .com/britneysextape
twitter .com/BritneyxSpears1
twitter .com/Britneydesnuda1

twitter .com/LopezAss
twitter .com/jennifermorriso
twitter .com/JenniferTilly2
twitter .com/AnistonSexscen
twitter .com/AnistonBangs
twitter .com/JenniferTilly1
twitter .com/Jennifernude
twitter .com/JenniferConnel
twitter .com/JenniferGarner1
twitter .com/LopezNaked
twitter .com/AnistonSexiest
twitter .com/JenniferAnisto4
twitter .com/JenniferToastee

twitter .com/JenniferAnisto2
twitter .com/LoveHewitt1
twitter .com/JenniferLoveH1
twitter .com/JenniferGreyn
twitter .com/1JenniferAnisto
twitter .com/2JenniferAnisto
twitter .com/1JenniferLopez
twitter .com/Lopedesnuda1
twitter .com/ElishaCuthbert3

twitter .com/ElishaCuthbert1
twitter .com/AlysonHannigan2
twitter .com/AliciaMachado
twitter .com/AliLarterNaked
/twitter .com/AliLarterNude
twitter .com/MelissaJoanha
twitter .com/AishwaryaRaiN1

Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 216.32.86.106 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241) parked at the same IP are also the following scareware domains:

uniqtrustedweb .com
hortshieldpc .com
securetopshield .com
gisecurityshield .com
ourbestsecurityshield .com
intellectsecfind .com
thesecuritytree .com
godsecurityarchive .com
besecurityguardian .com
thefirstupper .com
securityshieldcenter .com
bitsecuritycenter .com
joinsecuritytools .com
hupersecuritydot .com
bestyourtrust .com
thetrueshiledsecurity .com
souptotalsecurity .com
scantrustsecurity .com
 
The second bit .ly/1a5ZsY link used in the Twitter campaign, is redirecting to showmealltube .com/paqi-video/7.html - 64.92.170.135 Email: zbestgotterflythe@gmail.com.

From there, the redirector myhealtharea .cn/in.cgi?12 - 216.32.83.110 - zbest2008@mail.ru again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.

Currently active and participating LinkedIn accounts:
linkedin .com/in/rihannanude
linkedin .com/in/rihannanude2
linkedin .com/in/nudecelebs
linkedin .com/in/britneyspearsnudee
linkedin .com/in/pamelaandersonnudee
linkedin .com/in/nudepreteen2
linkedin .com/in/tilatequilanudee
linkedin .com/pub/beyonce-nude/14/b/952
linkedin .com/pub/child-nude/13/b4b/a16
linkedin .com/in/nudemodels

linkedin .com/in/preteennude
linkedin .com/in/mariahcareynude3
linkedin .com/in/nudeboys
linkedin .com/in/evamendesnude2
linkedin .com/in/nudebeaches
linkedin .com/in/nudebabes

linkedin .com/in/nudewomen2
linkedin .com/pub/ashley-tisdale-nude/13/b4b/762
linkedin .com/pub/mila-kunis-nude/13/b4a/b99
linkedin .com/pub/nude-kids/13/b4b/aa
linkedin .com/pub/young-nude-girls/13/b4a/6a
 
The LinkedIn campaign is linking to the delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 216.240.143.7, another IP that has already been profiled part of their previous campaigns.


Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both, Twitter's and LinkedIn's campaigns.

Currently active and participating Scribd accounts:
scribd .com/Stacy%20Keibler-nude
scribd .com/Vanessa_Hudgens%20nude
scribd .com/Jessica%20%20Simpson%20%20nude
scribd .com/MileyCyrus%20nude
scribd .com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd .com/Carmen%20%20Electra%20nude
scribd .com/Jennifer%20Anistonnude
scribd .com/Paris-Hilton-nude3
scribd .com/Vida%20%20Guerra%20%20nude
scribd .com/nude2
scribd .com/Kim%20%20Kardashian%20nude
scribd .com/ZacEfron%20nude
scribd .com/BritneySpears%20nude
scribd .com/Hilary-Duff-nude%202
scribd .com/Angelina-Jolie-nude11
scribd .com/Vanessa-Hudgens-nude2
scribd .com/Natalie-Portman-nude2
scribd .com/JessicaAlba%20nude
scribd .com/Jennifer-Love-Hewitt-nude11

scribd .com/Kim-Kardashian-nude2
scribd .com/Jessica-Alba-nude11s
scribd .com/JENNIFER%20LOPEZ%20NUDE3
scribd .com/Elisha%20%20Cuthbert%20%20nude
scribd .com/Paris-Hilton-nude1
scribd .com/HilaryDuff%20nude
scribd .com/Megan-Fox-nude2
scribd .com/Britney-Spears-nude1
scribd .com/Candice%20%20Michelle%20nude
scribd .com/Lindsay-Lohan-nude3
scribd .com/Mila-Kunis-nude2
scribd .com/Miley%20Cyrus%20nude
scribd .com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd .com/rihanna-nude2
scribd .com/Jenny%20Mccarthy%20nude
scribd .com/Kim%20%20Kardashian%20%20nude
scribd .com/Olsen-Twins-nude2
scribd .com/Brooke-Hogan-nude2

scribd .com/DeniseRichardsnude2
scribd .com/Scarlett%20Johansson%20nude
scribd .com/miley-cyrus-nude
scribd .com/Celebrity%20%20nude
scribd .com/Lindsay-Lohan-nude2
scribd .com/Tila%20Tequila%20nude
scribd .com/Ashley%20Tisdale%20nude
scribd.com/Angelina-Jolie-nude2
scribd .com/Denise-Richards-nude-2
scribd .com/Britney%20Spears%20nude
scribd .com/Hayden%20Panettiere%20nude
scribd .com/Carmen-Electra-nude1
scribd .com/Brooke-Burke-nude2
scribd .com/Megan%20Fox%20nude
scribd .com/JessicaSimpson%20nude
scribd .com/Kendra-Wilkinson-nude2
scribd .com/DeniseRichardsnude
scribd.com/AngelinaJolie%20nude
scribd.com/Kate%20Mara%20nude
scribd .com/Eva%20Green%20nude
scribd .com/Mariah%20Carey%20nude

scribd .com/Britney-Spears-nude2
scribd .com/Paris%20Hilton%20nude
scribd .com/CHristina%20Applegate%20nude
scribd .com/Billie%20Piper%20nude
scribd .com/Rosario%20Dawson%20nude
scribd .com/Anna%20Kournikova%20nude
scribd .com/Jennifer-Love-Hewitt-nude2
scribd .com/Kate%20Winslet%20nude
scribd .com/Carmen%20Electra%20nude
scribd .com/Jennifer%20Love%20Hewitt%20nude
scribd .com/Vida%20Guerra%20nude
scribd .com/AnneHathaway%20nude
scribd .com/JenniferLopez_nude
scribd .com/Trish%20Stratus%20nude
scribd .com/Lindsay_Lohannude
scribd .com/Pamela%20Anderson%20nude3
scribd .com/Jessica-Simpson-nude3

scribd .com/JENNIFER%20LOPEZ%20NUDE
scribd .com/CHristina%20Aguilera%20nude
scribd .com/hilary%20duff%20nude
scribd .com/MariahCarey%20nude
scribd .com/JohnCena%20nude
scribd .com/Halle%20Berry%20nude
scribd .com/Amanda%20%20Beard%20%20nude
scribd .com/Patricia%20%20Heaton%20%20nude
scribd .com/Madonna%20nude
scribd .com/JenniferLopez%20nude
scribd .com/DeniseRichards%20nude

scribd .com/PatriciaHeaton%20nude
scribd .com/Celebrity%20nude
scribd .com/TilaTequila_nude
scribd .com/Hayden-Panettiere-nude2
scribd .com/Brenda-Song-nude2
scribd .com/Demi%20Moore%20nude
scribd .com/celebrity%20nude%201
scribd .com/JenniferLove%20Hewitt%20nude
scribd .com/Ashley_Harkleroad%20nude
scribd .com/AudrinaPatridge%20nude
scribd .com/PamelaAnderson%20nude
scribd .com/Anna%20Nicole%20Smithnude
scribd .com/Meg%20Ryan%20nude
scribd .com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface.

Parked on 92.38.0.69 are also the following domains:
er20090515 .com
upr0306 .com
cgpay0406 .com
r-cgpay-15062009 .com
r-cg100609 .com
trisem .com
uprtrishest .com
upr15may .com
rd040609-cgpay .net

Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
92.255.131 .217/pid=30455/type=videxp/?ch=&ea=
92.255.131 .217/pid=30455/type=videxp/setup.exe
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=/setup.exe
189.97.106 .121/pid=30455/type=videxp/?ch=&ea=
189.97.106 .121/pid=30455/type=videxp/setup.exe
117.198.91 .99/pid=30455/type=videxp/?ch=&ea=
117.198.91 .99/pid=30455/type=videxp/setup.exe
79.18.18 .29/pid=30455/type=videxp/?ch=&ea=
79.18.18 .29/pid=30455/type=videxp/setup.exe
85.253.62 .53/pid=30455/type=videxp/?ch=&ea=
85.253.62 .53/pid=30455/type=videxp/setup.exe
79.164.220 .170/pid=30455/type=videxp/?ch=&ea=
79.164.220 .170/pid=30455/type=videxp/setup.exe
59.98.104 .129/pid=30455/type=videxp/?ch=&ea=
59.98.104 .129/pid=30455/type=videxp/setup.exe
78.43.24 .211/pid=30455/type=videxp/?ch=&ea=
78.43.24 .211/pid=30455/type=videxp/setup.exe
62.98.63 .254/pid=30455/type=videxp/?ch=&ea=
62.98.63 .254/pid=30455/type=videxp/setup.exe
84.176.74 .231/pid=30455/type=videxp/?ch=&ea=
84.176.74 .231/pid=30455/type=videxp/setup.exe
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
managesystem32.com
napipsec.in
trialoc.in
pbcofig.in
pclxl.in
ifxcardm.in
ifmon.in
panmap.in
moricons.in
oeimport.in
ncprov.in

The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location:- upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 92.38.0.69; 61.235.117 .71/files/pdrv.exe

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, however, parked on the same IP as a previously analyzed redirector maintained bot the group.

A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 91.207.61.48 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com serving a fake codec, and is also using the universal counter serving maintained by group counteringate .com/count.php?id=308.

A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP mainted by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 83.133.123.140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
bestantiviruscheck2 .com
securitypcscanner2 .com
fastpcscan3 .com
goodantivirusprotection3 .com
antimalware-online-scanv3 .com
anti-malware-internet-scanv3 .com
antimalwareinternetproscanv3 .com
antimalwareonlinescannerv3 .com
anti-virussecurity3 .com
bestantispywarescanner4 .com
fastsecurityupdateserver .com

Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more scareware is parked, with the domains known from previous campaigns:
bestwebsitesin2009 .com
live-payment-system .com
bestbuysoftwaresystem .com
antiviruspaymentsystem .com
bestbuysystem .com
homeandofficefun .com
advanedmalwarescanner .com
allinternetfreebies .com
goldeninternetsites .com
primetimeworldnews .com
liveavantbrowser2 .cn
momentstohaveyou .cn
worldofwarcry .cn
awardspacelooksbig .us

The affected services have been notified, blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Iranian Opposition DDoS-es pro-Ahmadinejad Sites

0
June 16, 2009
By utilizing the people's information warfare concept, Iranian opposition has managed to successfully organize a cyber attack against Tehran's regime (complete analysis) by using Twitter, web forums, and localization (translation) of the recruitment messages in order to seek assistance from foreigners.

So far, their rather simplistic denial of service tools has managed to disrupt access to key government web sites, and the intensity of the attacks is prone to increase since the opposition appears to be in a "learning mode".

What does "learning mode" stand for here? It's their current stage of experimentation clearly indicating their inexperience with such campaigns and DDoS attacks in general. The opposition's de-centralized chain of command isn't even speculating on the use of botnets, since the primitive multi-threaded Iranian connections hitting Iranian sites seems to achieve their effect.

From a strategic perspective, this internal unrest resulting in the disruption of key government web sites, the de-facto propaganda vehicles of the current government, is directly denying their ability to influence the population and the media, which on its way to find information is inevitably going to visit the working opposition web sites.

Moreover, the majority of people's information warfare driven cyber attacks we've seen during the past two years, have all been orbiting around the scenario where a foreign adversary is attacking your infrastructure from all over the world. But in the current situation, it's Iran's internal network that's self-eating itself, where the trade off for denying all the traffic would be the traffic which could be potentially influenced through PSYOPs (psychological operations).

What has changed since yesterday's real-time OSINT analysis?  The web based "Page Rebooter" tool heavily advertised by the opposition has decided to stop offering the service due to the massive abuse:

"Unfortunately I have had to take the site down temporarily. The site was being used to attack other websites, until I can determine the source of these attacks, I have decided to keep it offline. My apologies to everyone who uses this site for it's intended purpose, hopefully we'll be back soon. I have now received several emails regarding this. Unfortunately, last night's spike in traffic cost me a lot of money in server costs, I therefore cannot afford to keep it online - even if the use is just. I have therefore decided to release the code for this site, so that you may create your own copies."

Meanwhile, the opposition has come up with a segmented targets list including hardline news portals, official Ahmadinejad sites, Iranian law enforcement sites, banks, judiciary and transportation sites, aiming to recruit international supporters:

"ALL PEOPLE AROUND THE WORLD:

Please help us in a full-scale cyberwar againts the dictatorial brutal government of Ahmadinjead! Help Iranians to earn back their votes per instructions below:
 
Simply click on few of the following links (better too choose your selections from different categories); it opens the site in a new tab. It will not stop you from browsing but by sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmadinjead's governments flow of information in many of its key components as shown below. Please help us and yourself from this lunatic who will push the world to world war III."

Following the updated list of targets, a new LOIC.exe DoS tool is being advertised. The tool is however, anything but sophisticated (it's been around since 6 Jul 2008) compared to even the average Russian DDoS bot. Combined, the simplistic nature of the opposition's attack tools indicates the lack of any in-depth understanding of information warfare principles, in times when other countries are already going beyond cyber warfare and aiming for the unrestricted warfare stage.


The Conspiracy Theory and the Facts
How is the Iranian government/regime responding to these attacks, is it striking back to the fullest extend speculated in a countless number of cyber warfare research papers? Moreover, can it actually attack the "adversaries" which in this case reside within the country's own network? Can we easily compare this unpleasant situation from an information warfare perspective to the ongoing discussions whether or not the Should the US Go Offensive In Cyberwarfare?, and "go offensive" against who at the first place? The hundreds of thousands of U.S based malware infected hosts operated by a foreign entity as the adversary while using the targeted country's infrastructure as a human shield?

That's a dilemma that Iran's government is currently facing, but let's connect the dots and prove that the Fars News Agency which is pro-Ahmadinejad, and maintains ties to the Iranian judiciary, has in fact participated in this "cyber warfare attack with sticks and stones".

The Fars News Agency has been under attack since the beginning of the campaign, approximately 48 hours ago, prompting the site -- just like many others -- to switch to "lite" versions taking into consideration the ongoing attacks wasting the sites' bandwidth.

In a desperate attempt to influence the outcome of the DDoS attack, Fars News included iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarin.com; ghalamnews.com and mirhussein.com) in order to redirect some of the attack traffic to them. The campaigners noticed the change, but upon confirming that the opposition's web sites remain online even with the iFrames in place, decided to continue the attack.

The bottom line - when your very own infrastructure hates you, you become nothing else but an observer to the declining propaganda exposure projections that you've once set, failing to anticipate the fully realistic scenario when the adversary that you've been fortifying to protect from, or have build sophisticated offensive capabilities to deal with, is in fact residing within your own infrastructure. Attempting to attack him or shut him down will only multiply the effect of his original campaign.

The net is vast and infinite.

Recommended reading:
A CCDCOE Report on the Cyber Attacks Against Georgia
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Continue reading →

From Ukrainian Blackhat SEO Gang With Love - Part Two

0
June 09, 2009
It seems that the portfolio of redirectors using my name part of an ongoing Ukrainian blackhat SEO is expanding, with seximalinki .ru/images/ddanchev-sock-my-dick.php, as the latest addition. This brings up the number of redirectors to three, at least for the time being:
  • seximalinki.ru/images/ddanchev-sock-my-dick.php - active - 74.54.176.50; Email: Hippacmc@land.ru
  • seo.hostia .ru/ddanchev-sock-my-dick.php - active - 213.155.2.37
  • HiDancho.mine .nu/login.js - active - 64.21.86.16
Let's dissect the latest campaigns, including several related ones not necessarily serving scareware, moreover, let's also establish a connection between this gang and the ongoing hijacking of Twitter trending topics for malware serving purposes, shall we?

The redirector takes the user to antimalwareonlinescannerv3 .com - 83.133.115.9; 91.212.65.125; 69.4.230.204 - Email: immigration.beijing@footer.cn where the scareware is served.

The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds .com ensuring that the rest of the portfolio remains in tact :

premiumlivescanv1 .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
antiviruspcscannerv1 .com
antiviruspremiumscanv2 .com
malware-live-pro-scanv1 .com
malwareliveproscanv1 .com
malwareliveproscannerv1 .com
malwareinternetscannerv1 .com
anti-spyware-scan-v1 .com
antimalwarescanner-v2 .com
freeantispywarescan2 .com
antivirus-scanner-v1 .com
internetotherwise .com
macrosoftwarego .com
world-payment-system .com
paymentonlinesystem .com
livewwwupdates .com
liveinternetupdates .com
livesecurityupdate .com
securitysoftwarepayments .com
antiviruspaymentsystem .com
systemsecurityupdates .com
networksecurityadvice .com
systeminternetupdates .com
protectionsystemupdates .com
updateinternetserver2 .com
protectionupdates2 .com
proantivirusscannerv2 .com
proantivirusscanv2 .com
powerantivirusscanv2 .com

These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-boss.com is using the redirector ntlligent .info/tds/in.cgi?11&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER= (72.232.163.171), hosted by Layered Technologies, Inc., in order to serve a a Koobface sample located at 91.212.65.35/view/1/1416/0, which upon execution phones back to upr15may .com/achcheck.php; upr15may .com/ld/gen.php (119.110.107.137) as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 85.13.236 .154/v50/?v=71&s=I&uid=1824245000&p=14160&ip=&q=.

Another campaign maintained by them at is-the-boss.com is using three redirectors kurinah.freehostia .com/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=; promodomain .info/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER= - 66.40.52.63 - Email: support@ruler-domains.com and thetrafficcontrol .net/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 - 216.240.143.7 - isaacdonn@gmail.com where malware is served from my-exe-profile .com/streamviewer.45048.exe - 66.197.171.6 - Email: michalevd@gmail.com.

Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - 216.240.146.119 -, terradataweb .com/senm.php?data=v22 - 66.199.229.229 -, and dvdisorapid .com/senm.php?data=v22 - 64.27.5.202.

Several related fake codec serving domains parked at 216.240.143.7 are also currently active:
get-mega-tube .com - Email: raymgnw95@gmail.com
best-crystal-tube .com - Email: raymgnw95@gmail.com
the-lost-tube .com - Email: hilachow@gmail.com
sunny-tube-house .com - Email: hilachow@gmail.com
proper-tube-site .com - Email: hilachow@gmail.com
tube-xxx-work .com - Email: hilachow@gmail.com
big-tube-list .com - Email: isaacdonn@gmail.com

A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304&k= - 91.207.61.48 - Email: dophshli@gmail.com to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.

Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+" referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>", which according to publicly obtainable statistics received approximately 138, 000 unique visitors in April, with 30.23% coming from Google.

The traffic hijacking of for the purpose of serving malware, using over a hundred different .us domains was in fact so successful that several webmasters reported loosing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirections tactics.

The redirectors in question petrenko .biz - 88.214.200.150 - Email: olegoff@yandex.ru and myseobiz .net - 67.225.158.16 - Email: 3bd864dddbe4421ab1112a6ebc6df4fb.protect@whoisguard.com remain in operation. The bogus Google front page is advertising the following pharma domains:

theusdrugs .com - 78.140.132.11, parked at the same IP are also more pharma domains:
medscompany .org
canadian-rxpill .com
bestyourpills .com
rx-drugs-support .com
payment-rx .com
genericdrugs .in
mendrugsshop .com
healthrefill .com

It gets even more inter-connected and malicious since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.

The TinyURL links used redirect to an identical domain - 00freewebhost .cn - 211.95.79.115 - Email: louisgreenfield@gmail.com, where an iFrame is loading happy-tube-video .com/xplays.php?id=40030 - 216.240.143.7 - Email: isaacdonn@gmail.com where Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from exe-soft-files .com/streamviewer.40030.exe - 66.197.171.6 - Email: michalevd@gmail.com.

This very same domain (happy-tube-video .com registered to isaacdonn@gmail.com) is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.

Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost .cn - continues to load the malware serving domain despite that it's main index is serving a fake account suspended notice - "This Account Has Been Suspended, This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information." Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost .cn/shmo/pl.gif.

A second connection between the Ukraininan black SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.

For instance, the URL shortening service used in last week's campaign at Twitter a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard .net/?uid=27&pid=3 as well as to fast-antivirus .com which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone back locations.

Coming across yet another operation managed by them, namely, the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware. Continue reading →

GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC

0
June 08, 2009

Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS Petersburg Internet Network LLC (AS44050) (internet-spb.ru) :

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St.-Petersburg, Russia
e-mail:         support@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 4483863
person:         Metluk Nikolay Valeryevich
address:        korp. 1a 40 Slavy ave.,
address:        St.-Petersburg, Russia
e-mail:         nm@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 2683113
PIN LLC
Sedova 80
+7 812 4483863
support@internet-spb.ru
 
Metluk Nikolay Valeryevich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
nm@internet-spb.ru

Ladoha Anton Vladimirovich
korp. 1a 40 Slavy ave.,
St. Petersburg, Russia
+7 812 4483863
admin@internet-spb.ru

Strukov Evgeny Olegovich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
admin2@internet-spb.ru
e.strukov@pinspb.ru

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23"

What's also worth pointing out that is a huge number of of domains operated by GazTransitStroy's customers, and, of course, GazTranzitStroy themselves not only traceroute back to Petersburg Internet Network LLC's network, but also, there's an evident migration to the legitimate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255.

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 remain an inseparable part of GazTransitStroy's info, clearly indicates the presence of a well known cybercrime powerhouse - the RBN itself.

The following domains (crimeware, live exploits, scareware, you name it they engage in it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255:

loshadinet .com
roselambda .cn
use-sena .cn
peopleopera .cn
forexsec .cn
symphonygold .cn
dreamlitediamond .cn
vilihood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
roomsme .cn
vilasse .cn
workfuse .cn
stakeshouse .cn
financeimprove .cn
lifenaming .cn
travetbeach .cn
schoolh .cn
rainfinish .cn
housevisual .cn
kvk.housevisual .cn
xfln.housevisual .cn
worksean .cn
blogtransaction .cn
liteauction .cn
seamodern .cn
smilecasino .cn
newtransfer .cn
oceandealer .cn
pub.oceandealer .cn
musicdomainer .cn
wowregister .cn
websiteflower .cn
travets .cn
designroots .cn
teamwows .cn
startgetaways .cn
moulitehat .cn
caxf.moulitehat .cn
islandtravet .cn
weekendtravet .cn
resorttravet .cn
litefront .cn
palaceyou .cn
youbonusnew .cn
clubmillionswow .cn
rainjukebox .cn
xuyxuyxuy .cn

From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753, interestingly, the DNS servers for the following domains ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com are diversifying at 89.149.207.56 and 91.212.41.114:

freeantivirusplus09 .com
realantivirusplus09 .com
getantivirusplus09 .com
smartantivirusplus09 .com
addedantivirusonline .com
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
plusantiviruspro .com
myplusantiviruspro .com
addedantivirus .com
youraddedantivirus .com
bestaddedantivirus .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com
easyplusantivirus .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
freecoveronline .cn
atioqe .cn
yourguardstore .cn
mycheckdiseasestore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
easyfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
examineillnesslive .cn
exodih .cn
suxpymi .cn
aciazi .cn
yourfriskinfection .cn
easyserviceprotection .cn
easyincomeprotection .cn
easypersonalprotection .cn
easybestprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
ascertaindiseasepro .cn
yourcheckpoisonpro .cn
easycheckpoisonpro .cn
yourfriskviruspro .cn
myascertainviruspro .cn
fegbywo .cn
feptuaq .cn
myexamineillness .cn
exousyt .cn
newguard2u .cn
freedefense2u .cn
bigdefense2u .cn
bestcover2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn
newguard4you .cn
mydefense4you .cn
bestcover4you .cn
yourguardforyou .cn
newguardforyou .cn
myguardforyou .cn
freedefenseforyou .cn
mydefenseforyou .cn
bestcoverforyou .cn

The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841, and the migration of domains (scareware, live exploits, crimeware etc.) as follows. From 91.212.41.119 to 91.212.65.7 EUROHOST-NET/Eurohost LLC:

nicdaheb .cn
sehmadac .cn
ralcofic .cn
bikpakoc .cn
xidsasuc .cn
koqsuyod .cn
tozxiqud .cn
bowselaf .cn
cuzlumif .cn
porgacig .cn
hifgejig .cn
rogkadej .cn
sipcojeq .cn
silzefos .cn
popyodiw .cn
hayboxiw .cn
peskufex .cn
ridmoyey .cn
cakpapaz .cn

What kind of an ISP be maintaining a permanent Under Construction page and engage in Zeus and live exploit serving activities on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua"

At eurohost.biz.ua (91.212.65.5) we also have parked 123-service.ru, serving a deja-vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc .ru/ferrari/main.bin; ramshanabc .ru/ferrari/main.bin).

Besides these domains, several others, again registered to kirilboltovnet@yandex.ru are known to have been maintaining running Zeus crimeware campaigns as well:

grafjasqq .ru/kiew/kiew.cfg
heliskamm .ru/kiew5.cfg
mamaloki .ru/dir2.cfg489
mamaloki .ru/kiew3.cfg
nionalku .ru/dir5.cfg
nionalku .ru/kiew6.cfg

Still not convinced in how malicious their intentions really are? The phone number (+7 928 7867612) used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union. Continue reading →
Subscribe to: Comments (Atom)