Transmitter.C Mobile Malware in the Wild

0
July 08, 2009
A currently spreading mobile malware known as Transmitter.C (sexySpace.sisx; MD5: 3e9b026a92583c77e7360cd2206fbfcd), has brandjacked a legitimate application in an attempt to infect the initial number of devices that would later on further disseminate it by aggressively SMS-ing messaged to the web site hosting it - megac1jck .com (64.22.120.235) Email: weijiang198@hotmail.com.

Upon execution it drops the following files in an attempt to infect S60 3rd Edition devices:
"c_sys\bin\Installer_0x20026CA6.exe"-"c:\sys\bin\Installer_0x20026CA6.exe", FR, RI, RW
"c_sys\bin\AcsServer.exe"-"c:\sys\bin\AcsServer.exe", FR, RI
"c_private\101f875a\import\[20026CA5].rsc"-"c:\private\101f875a\import\[20026CA5].rsc"

What's sad is that just like the majority of mobile malware incidents, this one is also digitally signed using a certificate issued by Symbian to the name of XinZhongLi Kemao Co. Ltd or vendor name "Play Boy".

The sample (Sexy Space or SYMBOS_YXES.B) has been distributed to vendors, and the ISP hosting it has been informed.

Related posts:
Proof of Concept Symbian Malware Courtesy of the Academic World
Commercializing Mobile Malware
Mobile Malware Scam iSexPlayer Wants Your Money
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Legitimate Software Typosquatted in SMS Micro-Payment Scam

0
July 07, 2009
Operating since 2008, the fraudulent tactics applied by Soletto Group, S.A also known as Netlink Network Corp, greatly remind of those applied by Interactive Brands also known as IBSOFTWARE CYPRUS; IB Softwares and most recently Euclid Networks Ltd -- you have to appreciate the irony here since they too multitask on multiple fronts through their official phone number since 2007 -- in particular their massive typosquatted domain farms where they'd would change and repeatedly charge without permission once someone falls victim into the fraudulent practice.

What Soletto Group, S.A or Netlink Network Corp (phone (0) 2071939823) does differently is the use of micro sms payment scam having operated the SMS numbers 78881 and 81039 in the past in order to offer a download service for legitimate software in the following way:

"WARNING: ACCESS TO THE PREMIUM SERVICE SHALL REQUIRE SENDING ONE SMS PER DOWNLOAD, AND YOU WILL RECEIVE TWO SMS. THE PRICE OF EACH SMS IS THREE POUNDS EACH. TOTAL COST OF SERVICE SIX POUNDS."

Who's typosquatted anyway? Pretty much each and every popular piece of software there is. From Kaspersky, NOD32, Malware Bytes, Avira, AVAST, BitDefender, to Firefox, BitTorrent, Microsoft Office, Winzip, Winrar, and Internet Explorer - for starters.

Here's a complete list of their domains farm, with hosting services courtesy of Rapidswitch Ltd:

nod32soft .info
malware-bytes .info
www-avasthome .com
www.www-avasthome .com
kaspersky-full .info
www-kaspersky .info
malware-bytes .info
www.avira-antivir .info
bitdefender-plus .info
office2007-full .info
sopcast-full .info
lphant-plus .info

adobeacrobat-plus .info
bitcomet-plus .info
bitdefender-plus .info
bittorrent-plus .info
elisoft-plus .info
mediaplayer-plus .info
messenger-msn-9 .com
messenger-msn-9 .info
messenger-msn-9 .org
messenger-msn .org
messenger-plus .net
moviemaker-plus .info
msn-messenger-9 .com
msn-messenger-9 .info
msn-messenger-9 .net
msn-messenger-9 .org
openoffice-plus .info
photoscape-plus .info
sopcast-plus .info
utorrent-plus .info
3gpconverter-plus .info
3gpconvertersoft .info
ares-2008 .org
ares-2009 .com

ares-2009 .net
ares-net .org
avira-net .info
bitcomet-plus .info
bitorrent .cc
bittorrent-net .info
bittorrent-plus .info
direct-x .cc
divx-player-plus .info
e-mule .nu
elisoft-plus .info
emule-2008 .net
emule-proyect .info
emulenet .net
iexplorer-full .info
iphonefull .com
javaruntime .net
lyrics2 .me
malware-bytes .info
mediaplayer-full .info
mediaplayer-plus .info
mesengerplus .org
messenger-9 .net
messenger-plus .net
messenger-soft .info

moviemaker-plus .info
msn-messenger-9 .net
msn-messenger-9 .org
nero-2008 .com
nerohome .net
nod-32 .net
nod32-net .info
office2007-ful l.info
openoffice-plus .info
photoscape-plus .info
photoscapesoft .info
pspvideo9 .info
sorpresor .com
spybotsearch-full .info
utorrent-net .info
virtualdj-soft .info
vlc-full .info
vvinrar .com

vvinrar .info
winamp-2009 .net
winamp .ws
windows-movie-maker .info
winrar-2008 .com
wiinzip .info
cdburnerxpsoft .info
www-emule .us
ultradefrag .us
bearflix .us
guitar-pro .us
messenger-2009 .us
emule-telecharger .us
aresnet .us
emulenet .us
emulepro .us
nerohome .us
vvinrar .us
aresfull .us
avastt .us
biaze .us
e-bitdefender .us

e-bitorrent .us
e-mule .us
flrefox .us
messengerhome .us
utorent .us
utorren .us
winzipp .us
cccpcodecs .org
ares-2008 .org
pdf-creator .org
limevvire .org
mesengerplus .org
w-ares .org
w-emule .org
www-3gpconverter .org
www-advanced .org
www-emule .org
www-messenger .org
www-realplayer .org
www-windowsmediaplayer .org
ares-3 .org
ares-net .org
chroome .org
emule-pro .org
messenger-msn-9 .org

A similar fraudulent Google AdWords scheme was exposed and taken care of in January. The fraudster back then was using a legitimate third-party revenue sharing toolbar installation program which was bundled within the legitimate software. In Soletto Group, S.A's case they aim to cut any intermediaries on their way to generate profit.

Rapidswitch Ltd has been informed of Soletto Group, S.A's brandjacking activities.

This post has been reproduced from Dancho Danchev's blog. Continue reading →

The Multitasking Fast-Flux Botnet that Wants to Bank With You

0
July 07, 2009
From a Chase phishing campaign, to a bogus Microsoft update, and an exploit serving spam campaign using a "Who Killed Michael Jackson?" theme prior to his death (go through related Michael Jackson malware campaigns), to a currently ongoing phishing campaign impersonating the United Services Automobile Association (USAA), the gang behind this botnet has been actively multitasking during the past two months.

The spam message is as follows:
"Michael Jackson Was Killed... But Who Killed Michael Jackson? Visit X-Files to see the answer: MJackson.kilijj .com/x-files", upon clicking on it the user is redirected to two exploit serving domains - ogzhnsltk .com/plugins/index.php (94.199.200.125 Email: osaltik@windowslive.com); and dogankomurculuk .com/stil/index.php (91.191.164.100 - Email: by.yasin@msn.com).

Through the use of an Office Snapshot Viewer exploit the user is the exposed to a downloader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from labormi .com/lbrc/lbr.bin (91.206.201.6). The following is an extensive list of the participating domains, as well as the currently active and fast-fluxing DNS servers part of the botnet:

List of participating domains:
kilij1 .com
ilkil1 .com
ilkifi .com
kili1j .com
kil1jj .com
ki1ijj .com
kikijj .com
k1lijj .com
kilijj .com
1ilikj .com
ilki1k .com
ilk1lk .com
i1kilk .com
ilkilk .com

kilij1 .net
ilkil1 .net
kili1j .net
kil1jj .net
ki1ijj .net
k1lijj .net
kilijj .net
1ilikj .net
ilki1k .net
ilk1lk .net
i1kilk .net
ilkilk .net
ilifi.com .mx
1ffli.com .mx
iljihli.com .mx
hhili.com .mx
hilli.com .mx
kiffil.com .mx

Michael Jackson related subdomains:
mjackson.ijjik1 .com
mjackson.ijjil1. com
mjackson.kjjil1 .com
mjackson.ikjil1 .com
mjackson.ijkil1 .com
mjackson.ijjkl1 .com
mjackson.ikilij .com
mjackson.ikklij .com
mjackson.ikilkj .com
mjackson.ikilfk .com

mjackson.ijjilk .com
mjackson.ijjill .com
mjackson.ijjik1 .net
mjackson.ijjil1 .net
mjackson.ikjil1 .net
mjackson.ijkil1 .net
mjackson.ijjkl1 .net
mail.ikilij .net
mjackson.ikilij .net
mjackson.ilifi .com.mx
mjackson.iljihli .com.mx
mjackson.hhili .com.mx
mjackson.hilli .com.mx

Microsoft related subdomains:
update.microsoft.com .h1hili.com
update.microsoft.com .ijlk1j.com
update.microsoft.com .hillij.com
update.microsoft.com .hillkj.com
update.microsoft.com .ikillif.net
update.microsoft.com .jikikji.net
update.microsoft.com .hillij.net
update.microsoft.com .hillik.net
update.microsoft.com .ikihill.net
update.microsoft.com .ilifi.com.mx
update.microsoft.com .iljihli.com.mx
update.microsoft.com .hilli.com.mx
update.microsoft.com .kiffil.com.mx

USAA.com related phishing subdomains:
www.usaa.com.kihhif .com
www.usaa.com.kihhih .com
www.usaa.com.kihhik .com
www.usaa.com.kihhil .com
www.usaa.com.kihhik .net
www.usaa.com.kihhil .net
www.usaa.com.hilli.com .mx
www.usaa.com.frtll.com .mx
www.usaa.com.mrtll.com .mx

DNS Servers of notice:
ns1.vine-prad .com
ns2.vine-prad .com
ns1.blacklard .com
ns1.fax-multi .com
ns2.fax-multi .com
ns1.rondonman .com
ns2.rondonman .com
ns1.host-fren .com
ns2.host-fren .com
ns1.hotboxnet .com
ns2.hotboxnet .com
ns1.free-domainhost .com
ns2.free-domainhost .com
ns1.sunthemoow .com

ns2.sunthemoow .com
ns1.high-daily .com
ns2.high-daily .com
ns1.otorvald .net
ns1.red-bul .net
ns2.red-bul .net
ns1.footdoor .net
ns1.bestdodgeros .net
ns2.bestdodgeros .net
ns1.azdermen .com
ns2.azdermen .com
ns1.departconsult .com
ns2.departconsult .com
ns1.torentwest .com
ns2.torentwest .com
ns1.downlloadfile .net
ns2.downlloadfile .net

Due to this botnet's involvement with several other malware campaigns of notice, as well as its evident connection with the ongoing monitoring of several particular cybecrime groups, analysis and updates will be posted as soon as they emerge.

Related posts:
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

This post has been reproduced from Dancho Danchev's blog. Continue reading →

A Diverse Portfolio of Fake Security Software - Part Twenty Two

0
July 03, 2009
Part twenty two of the diverse portfolio of fake security software series will summarize the typosquatted scareware serving domains currently in circulation, pushed through the usual distribution channels, but will also emphasize on the "money trail", namely the payment processing gateways used in the scareware campaigns.

In this particular case the scareware front-ends ultimately leading to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless number of aliases such as Meyrocorp for instance.

The scareware domains are as follows:
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goscanfine. com - Email: chirelqas@gmail.com
in6ch .com - Email: relgetn@gmail.com
goscanrich .com - Email: pathstals@gmail.com
goscanrank .com - Email: alcnafuch@gmail.com
ina6sk .com - Email: equatelepi@gmail.com
in6sk .com - Email: thomas.truby@gmail.com
goscanslim .com - Email: chinrfi@gmail.com
gowidescan .com - Email: alcnafuch@gmail.com
goedgescan .com - Email: subtenda@gmail.com
gofinescan .com - Email: alcnafuch@gmail.com
goelitescan .com - Email: funully@gmail.com
gorichscan .com - Email: pathstals@gmail.com
goslimscan .com - Email: chinrfi@gmail.com
gosoonscan .com - Email: aloxier@gmail.com
goironscan .com - Email: aloxier@gmail.com
goflexscan .com - Email: alcnafuch@gmail.com
gomanyscan .com - Email: alcnafuch@gmail.com
goscaniron .com - Email: aloxier@gmail.com
ina6co .com - Email: equatelepi@gmail.com
in6co .com - Email: thomas.truby@gmail.com
goscantop .com - Email: funully@gmail.com
ina6iq .com - Email: equatelepi@gmail.com
goscanstar .com - Email: stgeyman@gmail.com
goscanflex .com - Email: chirelqas@gmail.com
goscanmany .com - Email: chirelqas@gmail.com
scantrue6 .info - Email: jokinzer@gmail.com
scantool6 .info - Email: jokinzer@gmail.com
scanzoom6 .info - Email: jokinzer@gmail.com
litescan6 .info - Email: litescan6.info
truescan6 .info - Email: jokinzer@gmail.com
toolscan6 .info - Email: jokinzer@gmail.com

atomscan6 .info - Email: donboset@gmail.com
genscan6 .info - Email: imendegal@gmail.com
luxscan6 .info - Email: donboset@gmail.com
wayscan6 .info - Email: jokinzer@gmail.com
scanuser6 .info - Email: jokinzer@gmail.com
scanway6 .info - Email: jokinzer@gmail.com
scan6line .info - Email: jokinzer@gmail.com
scan6note .info - Email: jokinzer@gmail.com
scan6true .info - Email: jokinzer@gmail.com
scan6tool .info - Email: jokinzer@gmail.com
true6scan .info - Email: jokinzer@gmail.com
tool6scan .info - Email: jokinzer@gmail.com
top6scan .info - Email: jokinzer@gmail.com
user6scan .info - Email: jokinzer@gmail.com
list6scan .info - Email: jokinzer@gmail.com
way6scan .info - Email: jokinzer@gmail.com
scan6user .info - Email: jokinzer@gmail.com
scan6list .info - Email: jokinzer@gmail.com
scan6fix .info - Email: jokinzer@gmail.com
scan6way .info - Email: jokinzer@gmail.com

It's pretty obvious case demonstrating the dynamics of the underground ecosystem. A thousand bogus accounts purchased for $10 used in a bulk registration of scareware serving domains on a revenue sharing affiliate model ends up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but due to the availability of the service.

clean-pc-now .net -  94.75.233.162 - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
scan-pc-now .com - Email: robertsimonkroon@gmail.com
free-tube-porn .biz - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com

softportal-extrafiles .com - 64.20.38.172
exe-profile .com - Email: kimwerner92@yahoo.com
extrafiles-softportal .com - Email: opipkl@googlemail.com
softportal-files .com - Email: kimwerner92@yahoo.com
softportal-extrafiles .com
load-exe-soft .com - Email: kimwerner92@yahoo.com
exe-box .com - Email: normtroup@yahoo.com
hot-exe-area .net - Email: josepetie@gmail.com

spywarecomputerscanv2 .com - 69.10.59.35 - Email: huang@bark.edu.hk
1live-antimalware-pro-scan .com - Email: hongkong@campusparis.org
1live-antimalware-scanner .com - Email: hongkong@campusparis.org
folderantispywarescanner .com - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: vanmullem@yahoo.com

restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com
msncoreupdate .com - Email: jen@parallelslive.cn
world-payment-system .com - Email: info@yashitaindian.com
liveinternetupdates .com - Email: kuzya77@freebbmail.com
onlineantivirusmarket .com Email: podbisb@hotmail.com

threats-scanner .com - 69.4.230.204 - Email: vanmullem@yahoo.com
securitypcscanner2 .com - Email: office@actionaidinusa.org
anti-virussecurity3 .com - Email:  office@actionaidinusa.org
private-online-scan .com - Email: info@kianah.org
liveantivirusproscan .com - Email: second@freebbmail.com
no1virusscan .com - Email: info@kianah.org
my-private-protection .com - Email: info@kianah.org
scanmyfolders .com - Email: info@kianah.org
scanmycomputerforvirus .com - Email: vanmullem@yahoo.com

onlinescan-ultraantivirus2009  .com - 206.53.61.76
relevantwebsearches .com
virussweeper-scanvirus .com
guardincorp  .info
mainsecsys .info - Email: andrew.fbecket@gmail.com
guardsecurity .info - Email: poljaykop@gmail.com
virusalarm-scanvirus .net

best-protect .info - 174.142.113.205 - Email: chainadmin@gmail.com
best-protect-av1 .info - Email: chainadmin@gmail.com
best-antivirus-pc   .info - Email: chainadmin@gmail.com
best-av1-protect .info - Email: chainadmin@gmail.com
av1-protect .info - Email: chainadmin@gmail.com
av1-best-protect .info - Email: chainadmin@gmail.com
best-protect .info - Email: chainadmin@gmail.com
best-av .info - Email: chainadmin@gmail.com

pay-virusshield .cn - 64.213.140.70 - Email: unitedisystems@gmail.com
shieldinc .info
systemprotectinc .info
ironshield .info
myofficeguard .info
protectionurl .info
my-protection .info
antivirus09  .net
fast-antivirus.net

virusshieldpro  .com - 64.86.16.127 - Email: unitedisystems@gmail.com
prestotuneup .com - Email: hycderxvur@whoisservices.cn
virussweeper-scanvirus .com
virusmelt .com - Email: nuhuarrczq@whoisservices.cn
systemsec .info
shieldinc .info
myofficeguard .info
protect-online .info
protectionlol .info
protectionurl .info
virussweeper-scan .net

advanced-virus-remover2009 .com - 92.241.176.188 - Email: masle@masle.kz
trucount3005 .com - Email: chen.poon1732646@yahoo.com
antivirus-scan-2009 .com - Email: cheng2009@yahoo.com
antivirusxppro-2009 .com - Email: u@sochi.ru
advanced-virusremover2009 .com - Email: giogr@ua.fm
bestscanpc .com
trucountme .com - Email: valentin@gergiea.kz
vs-codec-pro .com - Email:  bhtjnjhggn@googlemail.com
vscodec-pro .com - Email: cyber38462@hotmail.com
antivirus-2009-ppro .com - Email: cheng2009@yahoo.com
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
downloadavr .com - Email: gorbun@ua.fm
bestscanpc .net

activation-antivirus-software .com - 208.43.124.83 - Email: matlee@fsuk.edu
fxantispy .com - Email: TycoonMichael@googlemail.com
my-protection .info - 64.213.140.70 - Email: hop.davis@gmail.com
protectonline .info - 64.86.17.47 - Email: hop.davis@gmail.com
safetywwwtools .com - 209.44.126.36 - Email: martin.s.johnson@spambob.com
defenderupdates2 .com - 89.248.168.46 - Email: china@seban.se
securitytoolsdirect .com - 209.44.126.22 - Email: RuthMMarcotte@text2re.com
best-antivirus-security .com - 84.16.237.52 - Email: valentinyermolaev@gmail.com
malwaresdestructor .com - 206.53.61.74
suprotect .com - 89.149.212.218 - uuuuu@ua.fm
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
antivirus-online-pro-scan .com - Email: vanmullem@yahoo.com
avpro-labs .com - 213.182.197.229
avprotectionstat .com - 74.50.99.236
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com  A  83.133.125.116; 69.10.59.35; 83.133.125.116 - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: info@brandturkey.com
mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru
internetware-safe .com - Email: candikeller@ya.ru

scanonlinesite .info - 66.148.74.126
scanonlineblog .info
scanonlineshop .info
scanonlinenow .info

youravprotection .com - 74.50.98.162 - Email: armandgregory3@gmail.com
registerantivirus .com Email: ed.areyra@gmail.com
avprotectionstat .com

avagent-pro .com - 83.133.126.46 - Email: dwrdcardenas95@gmail.com
downloads-123 .com - Email: dwrdcardenas95@gmail.com
soft-process .com - Email: dwrdcardenas95@gmail.com
download-123 .cn - Email: dwrdcardenas95@gmail.com
actupdate .net - Email: dwrdcardenas95@gmail.com

Now the emphasis on the payment gateways, currently active and processing the scareware transactions:
softwaresecuredbilling .com - 209.8.45.122 - TemchenkoViktor@googlemail.com
softsales-discount .com - Email: daunrwwciq@whoisservices.cn
best-internet-payments  .com - 209.8.45.148 - Email: specsupport@gmail.com
adioro .com - 213.174.152.32 - Email: xyhsbjlrl@whoisprivacyprotect.com
secure-plus-payments .com - 209.8.25.204 - Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124 - Email: pnm-software.com@liveinternetmarketingltd.com
soft-process .com - 83.133.126.46 - Email: XtPbtP@privacypost.com
privatesecuredpayments .com - 78.46.216.238 - Email: TemchenkoViktor@googlemail.com

These payment processing gateways are sometimes front-end to the original and often legitimate payment processors. In this particular case, the the legitimate processor is Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in the scareware affiliate model in the past, with several complaints for repeated credit card billing, which in reality is included in the scareware's Terms of Service.

Upon a successful purchase - the customer is told that "This charge will appear on your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has also been using the following ChronoPay accounts for over an year - Chrpay.com/meyrocorp; CHrpay.com/pnra using disconnected numbers, CallerID's of scareware operations, desperate attempts to contact the alias for the front-end payment processor, ultimately resulting in several hundred ChronoPay related complaints.

Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have been used in a mobile application scam dissected here, as well as being a victim of a DDoS attack in 2008, which is pretty logical since if ChronoPay is the payment processor of choice for the hundreds of thousands of scareware generated revenues on daily basis, the commissions ChronoPay takes from cybercriminals would be more than welcome in the competing payment processor's network.

Related posts:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Summarizing Zero Day's Posts for June

0
July 01, 2009
The following is a brief summary of all of my posts at ZDNet's Zero Day for June.

You can also go through previous summaries for May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Microsoft study debunks profitability of the underground economy; Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown and Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

01. Email service provider: 'Hack into our CEO's email, win $10k'
02. 419 scammers using NYTimes.com 'email this feature'
03. Microsoft study debunks profitability of the underground economy
04. Malware poses as fake Yellowsn0w iPhone unlocker
05. Cybercriminals hijack Twitter trending topics to serve malware
06. Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown
07. Mac OS X malware posing as fake video codec discovered
08. Researchers demo wireless keyboard sniffer for Microsoft 27Mhz keyboards
09. China confirms security flaws in Green Dam, rushes to release a patch
10. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites
11. Fake Microsoft patches themed malware campaigns spreading
12. Remote code execution exploit for Green Dam in the wild
13. Secunia: Average insecure program per PC rate remains high
14. Michael Jackson's death themed malware campaigns spreading Continue reading →

Ethiopian Embassy in Washington D.C Serving Malware - Part Two

0
June 25, 2009
Can a lightning strike the same place twice? In the world of cybercrime, there's no such thing as a coincidence especially when it comes to multiple malware embedded embassy web sites during the past couple of months courtesy of a single group, with soft-drinks themed redirectors establishing a direct connection with a well known RBN domain from the not so distance past.






Related posts:
Embassy of Portugal in India Serving Malware

Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

A Peek Inside the Managed Blackhat SEO Ecosystem

0
June 24, 2009
Ever wondered how are thousands of bogus accounts across multiple Web services, automatically generated with built-in monetization channels consisting of scareware, malware to the use of legitimate affiliate links from major ad networks?

Through several clicks or if complete automation and experience count, through outsourcing the process to a managed blackhat SEO provider that wouldn't charge you for the product, but for the service offered. Let's take a peek at some of the currently available DIY tools, and what a managed blackhat SEO service provider has to offer.

Take for instance the "professional blackhat SEO" expert featured here. His ongoing Twitter spam campaigns are in fact so successfully hijacking trending topics that at first they looked like your typical scareware serving campaign. What both sides have in common are spamming techniques used.

However, the tactics vary and indicate an interesting shift from the typical outsourcing of CAPTCHA recognition for the purpose of storing the blackhat SEO content on the legitimate provider's services. In order to scale more efficiently, several currently active managed blackhat SEO providers that have vertically integrated to the point where they manage their own blackhat SEO friendly ISP.

By doing so, their bogus account generating platforms are capable of achieving speeds that would be otherwise either impossible or impractical to set as objectives through outsourced CAPTCHA-recognition - 2,931 bogus Wordpress accounts with template based blackhat SEO content generated in 1 second using their own managed infrastructure. The following screenshots provide an inside peek into one of the products offered by the "professional blackhat SEO expert" :



What took place in one second, was the generation of thousands of bogus accounts with descriptive blackhat SEO subdomains, with the bogus content pulled/scrapped from legitimate and real-time news providers, with the entire operation run as a managed service, or the tool itself offered for sale. As in every other managed underground service, customization plays a major role that is often the key benchmark for judging a particular product next to another. Customization in respect to this particular tool comes under the form of numerous Wordpress templates that can be randomly used during the registration process:
Static customization is one thing, dynamic customization is entirely another. The product, and consequently the managed service are offering the ability to automatically add Ebay and Amazon listings with the user's unique affiliate code posted within the bogus content:

The practice of affiliate network fraud -- excluding the cybersquatting as a prerequisite for it success -- was recently mentioned as a much more lucrative fraudulent practice than the pay-per-click model, which entirely depends on the fraudster's knowledge of which is the monetization model with the highest pay-out rates:

"Some companies offer legitimate affiliate programs that allow third-party Web site owners to post links and banners with the company’s branded content on their site or to send traffic to the company’s site directly through domain forwards. In return, the owner of the site hosting the link receives a commission for every click-through that results in a purchase. This lucrative commission structure has enticed cybercriminals to take advantage of affiliate programs by registering typo domains that redirect to legitimate content and enable them to collect affiliate fees."

Next to the malware/scareware serving Twitter campaigns, affiliate network fraud is also very common at the ever-growing micro-blogging service, whose lack of common sense account registration practices -- Twitter doesn't require a valid email, neither does it require an email confirmation upon registrating an account -- makes the practice of generating bogus accounts a child's play.

The bottom line - is the managed blackhat SEO hosting service ($500 per month and $5000 for one year for unlimited domains/subdomains/traffic/disk space package) the future, or are we going to continue seeing the systematic abuse of legitimate service's infrastructure through outsourced CAPTCHA recognition? I'd go for the second due to a simple reason - it's more cost-effective than the managed service at least for the time being. In the long term, once it achieves its logical "malicious economies of scale" the hosting and process would become cheaper thereby attracting more customers.

Recommended reading -
Outsourced CAPTCHA recognition:
Community-driven Revenue Sharing Scheme for CAPTCHA Breaking
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Managed Cybercrime-facilitating services/tools:
Commercial Twitter spamming tool hits the market
Zeus Crimeware as a Service Going Mainstream
Managed Fast-Flux Provider
Managed Fast Flux Provider - Part Two
76Service - Cybercrime as a Service Going Mainstream
Inside (Yet Another) Managed Spam Service
Inside a DIY Image Spam Generating Traffic Management Kit
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service

Cybersquatting/Per Pay Click Fraud:
Exposing a Fraudulent Google AdWords Scheme
Botnets committing click fraud observed
Click Fraud, Botnets and Parked Domains - All Inclusive
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

This post has been reproduced from Dancho Danchev's blog. Continue reading →

From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

0
June 17, 2009
UPDATE: In less than half an hour upon notification, Twitter and LinkedIn have already removed the bogus accounts.

UPDATE2: Forty five minutes later Scribd removes the bogus accounts.

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybecriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-boss.com.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (64.86.17.47) with a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

Initialization_failed C:\WINDOWS\system32\himem.sys

If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."

The messaged used in the weekend's Twitter campaign, as well as a graph on the peaks and downds for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:
twitter .com/wenning351
twitter .com/ula475
twitter .com/escher338
twitter .com/ochs40
twitter .com/karlen131
twitter .com/cordes904
twitter .com/hecker905
twitter .com/bohl566
twitter .com/sattler649
twitter .com/hildegard115
twitter .com/andreas281
twitter .com/wassermann38
twitter .com/rummel980
twitter .com/guilaine896
twitter .com/orlowski781
twitter .com/rupette972
twitter .com/holzner473
twitter .com/dumke576
twitter .com/hilgers465
twitter .com/heese157
twitter .com/meier679
twitter .com/habel896
twitter .com/holzinger567
twitter .com/wilhelm578
twitter .com/dearg450
twitter .com/habicht717
twitter .com/ferde373
twitter.com/hass323
twitter .com/heckmann918
twitter .com/bruna555
twitter .com/wilbert25
twitter .com/eckart412
twitter .com/sperlich374
twitter .com/jahn562
twitter .com/ludvig30
twitter .com/bing274
twitter .com/fett628
twitter .com/brock93
twitter .com/mally981
twitter .com/merle752
twitter .com/axmann101
twitter .com/pelz478
twitter .com/renaud687
twitter .com/wienke879
twitter .com/hartinger619
twitter .com/chriselda988
twitter .com/kloos267
twitter .com/dreyer15
twitter .com/herta740
twitter .com/brauer427
twitter .com/nadina732
twitter .com/wenda245
twitter .com/rieken434
twitter.com/reinhard192
twitter .com/plath132
twitter .com/bick497
twitter .com/johannsen747
twitter .com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn  82.146.52.158 - Email: alexvasiliev1987@cocainmail.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows, it's also worth pointing out that compared to their previous campaigns, in this way they've included relevant backgrounds and avatars to the Twitter accounts:
twitter .com/AshleyTisdal1
twitter .com/AnnaNicoleSmit
twitter .com/ParisHiltonjpg1
twitter .com/ParisHiltonmov1
twitter .com/ParisHiltonNake
twitter .com/ParisHiltonSex1
twitter .com/ParisHiltonNud2
twitter .com/ParisSexTape2
twitter .com/Britneynipslip1
twitter .com/Britneywomani
twitter .com/Britneystrip1
twitter .com/BritneySex
twitter .com/Britneycomix
twitter .com/Britneywomaniz
twitter .com/BritneyNaked2
twitter .com/britneysextape
twitter .com/BritneyxSpears1
twitter .com/Britneydesnuda1

twitter .com/LopezAss
twitter .com/jennifermorriso
twitter .com/JenniferTilly2
twitter .com/AnistonSexscen
twitter .com/AnistonBangs
twitter .com/JenniferTilly1
twitter .com/Jennifernude
twitter .com/JenniferConnel
twitter .com/JenniferGarner1
twitter .com/LopezNaked
twitter .com/AnistonSexiest
twitter .com/JenniferAnisto4
twitter .com/JenniferToastee

twitter .com/JenniferAnisto2
twitter .com/LoveHewitt1
twitter .com/JenniferLoveH1
twitter .com/JenniferGreyn
twitter .com/1JenniferAnisto
twitter .com/2JenniferAnisto
twitter .com/1JenniferLopez
twitter .com/Lopedesnuda1
twitter .com/ElishaCuthbert3

twitter .com/ElishaCuthbert1
twitter .com/AlysonHannigan2
twitter .com/AliciaMachado
twitter .com/AliLarterNaked
/twitter .com/AliLarterNude
twitter .com/MelissaJoanha
twitter .com/AishwaryaRaiN1

Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 216.32.86.106 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241) parked at the same IP are also the following scareware domains:

uniqtrustedweb .com
hortshieldpc .com
securetopshield .com
gisecurityshield .com
ourbestsecurityshield .com
intellectsecfind .com
thesecuritytree .com
godsecurityarchive .com
besecurityguardian .com
thefirstupper .com
securityshieldcenter .com
bitsecuritycenter .com
joinsecuritytools .com
hupersecuritydot .com
bestyourtrust .com
thetrueshiledsecurity .com
souptotalsecurity .com
scantrustsecurity .com
 
The second bit .ly/1a5ZsY link used in the Twitter campaign, is redirecting to showmealltube .com/paqi-video/7.html - 64.92.170.135 Email: zbestgotterflythe@gmail.com.

From there, the redirector myhealtharea .cn/in.cgi?12 - 216.32.83.110 - zbest2008@mail.ru again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.

Currently active and participating LinkedIn accounts:
linkedin .com/in/rihannanude
linkedin .com/in/rihannanude2
linkedin .com/in/nudecelebs
linkedin .com/in/britneyspearsnudee
linkedin .com/in/pamelaandersonnudee
linkedin .com/in/nudepreteen2
linkedin .com/in/tilatequilanudee
linkedin .com/pub/beyonce-nude/14/b/952
linkedin .com/pub/child-nude/13/b4b/a16
linkedin .com/in/nudemodels

linkedin .com/in/preteennude
linkedin .com/in/mariahcareynude3
linkedin .com/in/nudeboys
linkedin .com/in/evamendesnude2
linkedin .com/in/nudebeaches
linkedin .com/in/nudebabes

linkedin .com/in/nudewomen2
linkedin .com/pub/ashley-tisdale-nude/13/b4b/762
linkedin .com/pub/mila-kunis-nude/13/b4a/b99
linkedin .com/pub/nude-kids/13/b4b/aa
linkedin .com/pub/young-nude-girls/13/b4a/6a
 
The LinkedIn campaign is linking to the delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 216.240.143.7, another IP that has already been profiled part of their previous campaigns.


Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both, Twitter's and LinkedIn's campaigns.

Currently active and participating Scribd accounts:
scribd .com/Stacy%20Keibler-nude
scribd .com/Vanessa_Hudgens%20nude
scribd .com/Jessica%20%20Simpson%20%20nude
scribd .com/MileyCyrus%20nude
scribd .com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd .com/Carmen%20%20Electra%20nude
scribd .com/Jennifer%20Anistonnude
scribd .com/Paris-Hilton-nude3
scribd .com/Vida%20%20Guerra%20%20nude
scribd .com/nude2
scribd .com/Kim%20%20Kardashian%20nude
scribd .com/ZacEfron%20nude
scribd .com/BritneySpears%20nude
scribd .com/Hilary-Duff-nude%202
scribd .com/Angelina-Jolie-nude11
scribd .com/Vanessa-Hudgens-nude2
scribd .com/Natalie-Portman-nude2
scribd .com/JessicaAlba%20nude
scribd .com/Jennifer-Love-Hewitt-nude11

scribd .com/Kim-Kardashian-nude2
scribd .com/Jessica-Alba-nude11s
scribd .com/JENNIFER%20LOPEZ%20NUDE3
scribd .com/Elisha%20%20Cuthbert%20%20nude
scribd .com/Paris-Hilton-nude1
scribd .com/HilaryDuff%20nude
scribd .com/Megan-Fox-nude2
scribd .com/Britney-Spears-nude1
scribd .com/Candice%20%20Michelle%20nude
scribd .com/Lindsay-Lohan-nude3
scribd .com/Mila-Kunis-nude2
scribd .com/Miley%20Cyrus%20nude
scribd .com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd .com/rihanna-nude2
scribd .com/Jenny%20Mccarthy%20nude
scribd .com/Kim%20%20Kardashian%20%20nude
scribd .com/Olsen-Twins-nude2
scribd .com/Brooke-Hogan-nude2

scribd .com/DeniseRichardsnude2
scribd .com/Scarlett%20Johansson%20nude
scribd .com/miley-cyrus-nude
scribd .com/Celebrity%20%20nude
scribd .com/Lindsay-Lohan-nude2
scribd .com/Tila%20Tequila%20nude
scribd .com/Ashley%20Tisdale%20nude
scribd.com/Angelina-Jolie-nude2
scribd .com/Denise-Richards-nude-2
scribd .com/Britney%20Spears%20nude
scribd .com/Hayden%20Panettiere%20nude
scribd .com/Carmen-Electra-nude1
scribd .com/Brooke-Burke-nude2
scribd .com/Megan%20Fox%20nude
scribd .com/JessicaSimpson%20nude
scribd .com/Kendra-Wilkinson-nude2
scribd .com/DeniseRichardsnude
scribd.com/AngelinaJolie%20nude
scribd.com/Kate%20Mara%20nude
scribd .com/Eva%20Green%20nude
scribd .com/Mariah%20Carey%20nude

scribd .com/Britney-Spears-nude2
scribd .com/Paris%20Hilton%20nude
scribd .com/CHristina%20Applegate%20nude
scribd .com/Billie%20Piper%20nude
scribd .com/Rosario%20Dawson%20nude
scribd .com/Anna%20Kournikova%20nude
scribd .com/Jennifer-Love-Hewitt-nude2
scribd .com/Kate%20Winslet%20nude
scribd .com/Carmen%20Electra%20nude
scribd .com/Jennifer%20Love%20Hewitt%20nude
scribd .com/Vida%20Guerra%20nude
scribd .com/AnneHathaway%20nude
scribd .com/JenniferLopez_nude
scribd .com/Trish%20Stratus%20nude
scribd .com/Lindsay_Lohannude
scribd .com/Pamela%20Anderson%20nude3
scribd .com/Jessica-Simpson-nude3

scribd .com/JENNIFER%20LOPEZ%20NUDE
scribd .com/CHristina%20Aguilera%20nude
scribd .com/hilary%20duff%20nude
scribd .com/MariahCarey%20nude
scribd .com/JohnCena%20nude
scribd .com/Halle%20Berry%20nude
scribd .com/Amanda%20%20Beard%20%20nude
scribd .com/Patricia%20%20Heaton%20%20nude
scribd .com/Madonna%20nude
scribd .com/JenniferLopez%20nude
scribd .com/DeniseRichards%20nude

scribd .com/PatriciaHeaton%20nude
scribd .com/Celebrity%20nude
scribd .com/TilaTequila_nude
scribd .com/Hayden-Panettiere-nude2
scribd .com/Brenda-Song-nude2
scribd .com/Demi%20Moore%20nude
scribd .com/celebrity%20nude%201
scribd .com/JenniferLove%20Hewitt%20nude
scribd .com/Ashley_Harkleroad%20nude
scribd .com/AudrinaPatridge%20nude
scribd .com/PamelaAnderson%20nude
scribd .com/Anna%20Nicole%20Smithnude
scribd .com/Meg%20Ryan%20nude
scribd .com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface.

Parked on 92.38.0.69 are also the following domains:
er20090515 .com
upr0306 .com
cgpay0406 .com
r-cgpay-15062009 .com
r-cg100609 .com
trisem .com
uprtrishest .com
upr15may .com
rd040609-cgpay .net

Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
92.255.131 .217/pid=30455/type=videxp/?ch=&ea=
92.255.131 .217/pid=30455/type=videxp/setup.exe
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=/setup.exe
189.97.106 .121/pid=30455/type=videxp/?ch=&ea=
189.97.106 .121/pid=30455/type=videxp/setup.exe
117.198.91 .99/pid=30455/type=videxp/?ch=&ea=
117.198.91 .99/pid=30455/type=videxp/setup.exe
79.18.18 .29/pid=30455/type=videxp/?ch=&ea=
79.18.18 .29/pid=30455/type=videxp/setup.exe
85.253.62 .53/pid=30455/type=videxp/?ch=&ea=
85.253.62 .53/pid=30455/type=videxp/setup.exe
79.164.220 .170/pid=30455/type=videxp/?ch=&ea=
79.164.220 .170/pid=30455/type=videxp/setup.exe
59.98.104 .129/pid=30455/type=videxp/?ch=&ea=
59.98.104 .129/pid=30455/type=videxp/setup.exe
78.43.24 .211/pid=30455/type=videxp/?ch=&ea=
78.43.24 .211/pid=30455/type=videxp/setup.exe
62.98.63 .254/pid=30455/type=videxp/?ch=&ea=
62.98.63 .254/pid=30455/type=videxp/setup.exe
84.176.74 .231/pid=30455/type=videxp/?ch=&ea=
84.176.74 .231/pid=30455/type=videxp/setup.exe
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
managesystem32.com
napipsec.in
trialoc.in
pbcofig.in
pclxl.in
ifxcardm.in
ifmon.in
panmap.in
moricons.in
oeimport.in
ncprov.in

The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location:- upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 92.38.0.69; 61.235.117 .71/files/pdrv.exe

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, however, parked on the same IP as a previously analyzed redirector maintained bot the group.

A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 91.207.61.48 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com serving a fake codec, and is also using the universal counter serving maintained by group counteringate .com/count.php?id=308.

A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP mainted by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 83.133.123.140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
bestantiviruscheck2 .com
securitypcscanner2 .com
fastpcscan3 .com
goodantivirusprotection3 .com
antimalware-online-scanv3 .com
anti-malware-internet-scanv3 .com
antimalwareinternetproscanv3 .com
antimalwareonlinescannerv3 .com
anti-virussecurity3 .com
bestantispywarescanner4 .com
fastsecurityupdateserver .com

Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more scareware is parked, with the domains known from previous campaigns:
bestwebsitesin2009 .com
live-payment-system .com
bestbuysoftwaresystem .com
antiviruspaymentsystem .com
bestbuysystem .com
homeandofficefun .com
advanedmalwarescanner .com
allinternetfreebies .com
goldeninternetsites .com
primetimeworldnews .com
liveavantbrowser2 .cn
momentstohaveyou .cn
worldofwarcry .cn
awardspacelooksbig .us

The affected services have been notified, blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog. Continue reading →
Subscribe to: Comments (Atom)