Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

September 14, 2009

If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.

Yesterday, the NYTimes.com posted a note to readers, confirming that a malvertisement campaign somehow made on their web site, resulting in the automatic exposure of users to scareware:

"Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."

Who's behind this malvertising campaign? Let the data speak for itself.

According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also in circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).

In the NYTimes.com malvertising attacks, that's sex-and-the-city .cn (parked at 94.102.48.29 where the rest of their redirectors are) acting as redirector leading to the protection-check07 .com scareware, parked on the very same IPs (91.212.107.5; 94.102.51.26; 88.198.107.25) like the rest of the new scareware domains systematically updated once or twice during a 24 hours period, again courtesy of the "fan club".

The last sample in circulation, phones back to windowsprotection-suite .net - Email: gertrudeedickens@text2re.com; mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com also maintains secure-pro .cn; and to securemysystem .net - Email: gertrudeedickens@text2re.com

The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, have already been reported in related malvertising attacks, are also parked on the same IP:
relunas .com - Email: admin@relunas.com
kennedales .com - Email: admin@kennedales.com
harlingens .com - Email: admin@harlingens.com
newadsresults .com - Email: ritaj@gmail.com
waveadvert .com - Email: lindahg@yahoo.com

As always, what would originally seem as an isolated incident orchestrated by yet to be analyzed cybecrime gang, is in fact a great example of underground multitasking in action through the convergence of different attack tactics, courtesy of a single cybercrime enterprise.

Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at Cleveland.com
Scareware pops-up at FoxNews

This post has been reproduced from Dancho Danchev's blog.
Continue reading →

News Items Themed Blackhat SEO Campaign Still Active

September 07, 2009

According to a blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again popped-up on their radars. The campaign itself has been active since April, when I last analyzed it.

What has changed?

Instead of relying on purely malicious domains, the Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web, and due to the quality of the historical OSINT making it possible to detect their activity -- practice which prompts them to insult back -- they're also starting to put efforts into making it look like it's another group.

However, knowing the tools and tactics that they use, next to evident efficiency-centered mentality, they continue leaving minor leads that make it possible to establish a direct relationship between the group, the Koobface worm and the majority of blackhat SEO campaigns launched during the last couple of months across the entire Web.

The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign, what's new is the typical dynamic change of the redirectors in place.

Let's dissect a sample campaign currently parked at coolinc.info. Once the http referrer checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in campaign (bernie-madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js) with generic detection triggered only by Sophos as Mal/ObfJS-CI.

Through a series of redirectors - usanews2009 .com/index.php - 78.46.129.170 - Email: derrick2@mail.ru; newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru; cnnnews2009 .com/index.php - 91.203.146.38 - EMail: derrick2@mail.ru; the user is redirected to the scareware domain through justintimberlakestream .com/?pid=95&sid=4e6ffe - 193.169.12.70; Email: info@zebrainvents.com.

The scareware itself (phones back to worldrolemodeling .com/?b=1s1 - 193.169.12.71) is dynamically served through 78.46.201.89; 193.169.12.70 and 92.241.177.207 with an diverse portfolio of fake security software domains parked there.

Parked at 92.241.177.207 are:
best-scanpc .com
bestscanpc .org
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
best-scanpc .com
bestscanpc .com
xxx-white-tube .com
rude-xxx-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
1-vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
ns1.megahostname .biz
ns2.megahostname .biz

Parked at 78.46.201.89 (IP used in the U.S Federal Forms themed blackhat SEO campaign) are also:
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
totalspywarescan3 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
antivir-scan-online .com

remove-all-pc-adware .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
megaspywarescan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
warningvirusspreads .com
bewareofvirusattacks .com
secure.web-software-payments .com
warningmalwarealert .com
warningspywarealert .com
warningvirusalert .com

Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
colonizemoon2010 .com
blastertroops2011 .com
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
becomemybestfriend .com
bravemousepride .com
antivir-scan-online .com
emphasis-online .com
justseethisonline .com
futureshortsonline .com

remove-all-pc-adware .com
waitforsunrise .com
funpictureslive .com
justintimberlakestream .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
obbeytheriver .com
obamanewterror .com
warningvirusspreads .com
watch2010movies .com
primeareanetworks .com
investmenttooltips .com
executive-officers .com
newsoverworldhot .com
management-overview .com
justthingsyouneedtoknow .com
criticalmentality .com

In between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html (74.54.176.50; Email: skypixre@nm.ru) leading to sexualporno .ru/admin/red/mwcounter.html. Parked on 74.54.176.50 are related domains that were once using the ddanchev-suck-my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.

Does this admin/red directory structure ring a bell? But, of course. In fact the ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 74.54.176.50) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.

The ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check just like the U.S federal forms themed campaign, and the original "Hot News" themed campaigns - if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663";[. The script also includes a central iFrame from the now known malicious coolinf .info - dash-store.coolinc .info/images/levittpedofil.html which redirects to 1008.myhome .tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now known justintimberlakestream .com/?pid=42&sid=8f68b5.

The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybecrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with the Koobface botnet.

Monitoring of their campaigns, and take down actions would continue.

Related posts:
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem

Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:
Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog. Continue reading →

SMS Ransomware Displays Persistent Inline Ads

September 03, 2009

SMS-based micro-payments are clearly becoming the monetization channel of choice for the majority of cybercriminals engaging in ransomware campaigns. The logic behind this emerging trend is fairly simple, and as everything else in the cybercrime underground these days, it has to do with efficiency.

Compared to micro-payments, the 2008's monetization channel used by GPcode in terms of E-gold and Liberty Reserve accounts communicated over email -- with cases where the gang wasn't even bothering to respond to infected victims looking for ways to pay the ransom -- looks like a time-consuming and largely inefficient way to "interact" with the victims.

Another recently released SMS-based ransomware showing persistent ads within the browser sessions of infected victims, and demanding a premium-rate SMS for removal, is the very latest indication of the micro-payment monetization channel trend.

The DIY ransomware is offered for sale at $100, with the typical "value-added" services in the form of managed undetected binaries through crypting. Since the command and control interface is web based (php+mysql), the author is actively experimenting with new features such as scheduled appearing of the ads, inventory of banners and affiliate program links, and the ability to use multiple SMS numbers next to multiple unlocking codes.

Are the currently active ransomware "vendors" trendsetters or are they still in experimental mode?

The business model of SMS-based ransomware is clearly lucrative, especially in situations where cybercriminals are known to combine two or three different monetization tactics. However, compared to the high profit-margins which cybecriminals earn through the scareware business model, SMS-based ransomware remains a developing market segment.

Related posts:
6th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal
Who's Behind the GPcode Ransomware?
Identifying the Gpcode Ransomware Author

This post has been reproduced from Dancho Danchev's blog. Continue reading →

SMS Ransomware Displays Persistent Inline Ads

September 03, 2009

SMS-based micro-payments are clearly becoming the monetization channel of choice for the majority of cybercriminals engaging in ransomware campaigns. The logic behind this emerging trend is fairly simple, and as everything else in the cybecrime underground these days, it has to do with efficiency.

Compared to micro-payments, the 2008's monetization channel used by GPcode in terms of E-gold and Liberty Reserve accounts communicated over email -- with cases where the gang wasn't even bothering to respond to infected victims looking for ways to pay the ransom -- looks like a time-consuming and largely inefficient way to "interact" with the victims.

Summarizing Zero Day's Posts for August

September 01, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for August.

You can also go through previous summaries for July, June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include - Does Twitter's malware link filter really work?; IE8 outperforms competing browsers in malware protection -- again, and Research: 80% of Web users running unpatched versions of Flash/Acrobat

01. Dead-finger tech: 3G USB Modem, Prestigio Powerbank 501
02. Does Twitter's malware link filter really work?
03. Fake Microsoft patch malware campaign makes a comeback
04. Plugins compromised in SquirrelMail's web server hack
05. Absolute Software downplays BIOS rootkit claims
06. Federal forms themed blackhat SEO campaign serving scareware
07. Microsoft's Bing invaded by pharmaceutical scammers
08. Campaign Monitor hacked, accounts used for spamming
09. New Mac OS X DNS changer spreads through social engineering
10. IE8 outperforms competing browsers in malware protection -- again
11. Research: 80% of Web users running unpatched versions of Flash/Acrobat
12. The most dangerous celebrities to search for in 2009
13. Source code for Skype eavesdropping trojan in the wild
14. Snow Leopard's malware protection only scans for two trojans Continue reading →

6th SMS Ransomware Variant Offered for Sale

August 24, 2009

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send a SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows."

Anticipating the potential for monetization, cybercriminals are investing more time and resources into coming up with new features for their SMS based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions into this newly emerged micro-payment ransomware channel.

What's new, is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of the numbers gets shut down. Let's go through some of the features of two newly released SMS ransomware variants offered for $20, and $30 respectively.

What's worth emphasizing on in respect to the first release, is that it's Windows 7 compatible, and is the first SMS ransomware that allows scheduled lock down after infection -- presumably, the author included this feature in order to make it harder for the victim to recognize how he got infected at the first place -- as well as multiple SMS numbers for contingency planning.

Key features include:
- Clean interace
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple-unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of tim
- Auto-starting features, self-removal upon entering the correct activation code, and ensuring that the victim would no longer be infected with this release through the use of mutex-es.
- This SMS ransomware is Windows 7 compatible

The majority of SMS based ransomware is relying on the "Unlicensed Windows Copy" theme, but the first self-replicating through removable media propagation such ransomware is signaling a trend to come - social engineering throuhg impersonation in a typical scareware style. This release can be easily described as the first scareware with micro-payment ransom element offered for sale.

Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected user into thinking that Kaspersky has detected a piece of malware, has blocked it but since the malware changes its encryption algorithm the user has to send a SMS costing 150 rubles in order to receive the SMS that will block the malware.

This release also includes a timer, and a message explaining that re-installing Windows wouldn't change the situation in an attempt to further trick the user into sending the messsage. The release is exclusively released for Windows XP and is not Windows Vista compatible.

Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as hijacking a browser session's ads and demanding ransom to remove the adult content, it's only a matter of time to witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.

Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Movement on the Koobface Front - Part Two

August 19, 2009

UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down.

UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.

UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.

The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.

UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

UPDATE8: Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for automatic hacking of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP take down are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.

UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn't shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in a process of getting shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), interestingly, they did so with all of the their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring a direct ISP action, instead of domain registar's one.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com

The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7

BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Movement on the Koobface Front - Part Two

August 19, 2009

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

August 18, 2009

AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )

How did the cybercriminals respond? By proving that this blackhat SEO campaign has been well planed and coordinate a long time before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, the result of a evident compromise of Web Hosting Mania due to the fact that all the affected legitimate sites are hosted there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware variants/redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated junk that has naturally been crawled by public search engines, but also, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring site for a particular domain coming from thebbs.org and 31.97% from Google - their tactics are actively hijacking millions of users already.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:

U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there

the redirection and scareware domain/binary are updated two times during 24 hours period of time

the scareware has a very low generic detection rate due to their persistence in updating it

all the scareware samples continue phoning back to several domains parked at 78.46.201.90

the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines

a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used by the RBN/customer of the RBN in massive iFrame injection attacks abusing input validation flaws within high profile sites over an year ago

sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"

the blackhat SEO gang is using a unique javascript obfuscation which I originally stumbled upon a couple of months ago while assessing another blackhat SEO courtesy of the Ukrainian "fan club", the one with the Koobface connection. It relies on dynamically generated code spoofing go.live.com and rds.yahoo.com random URLs for evasion purposes. The only vendor that detects it is McAfee-GW-Edition as Heuristic.BehavesLike.JS.CodeUnfolding.A

Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk

Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:

agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com

mezkopq .cc - 93.170.129.75 - Email: susan@michiganfarms.com
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com

uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94

nimygu .net - 206.51.230.96
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81

Portfolio of scareware domains participating in the blackhat SEO campaing, parked at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225; 93.158.114.132:
antispywaretotalscan9 .com - 213.163.89.60; 89.47.237.55; 89.248.174.61 - Email: info@siggy.com
antispywaretotalscan5 .com - Email: info@siggy.com
antispywaretotalscan6 .com - Email: info@siggy.com
antispywaretotalscan8 .com - Email: info@siggy.com
antispywaretotalscan9 .com - Email: info@siggy.com
delete-all-virus05 .com - Email: sales@naukrit.com
delete-all-virus07 .com - Email: sales@naukrit.com
delete-all-virus09 .com - Email: sales@naukrit.com
delete-all-virus03 .com - 213.163.89.60; 88.198.233.225; 91.213.126.100; 193.169.12.70 - Email: sales@naukrit.com
clean-all-spyware10 .com - Email: crbarnes@uvic.ca
remove-all-adware01 .com - Email: info@nco.com.cn
clean-all-spyware01 .com - Email: crbarnes@uvic.ca
fast-virus-scan2 .com - Email: courseinfo@greenwich.ac.uk
remove-all-spyware03 .com - Email: info@nco.com.cn
fast-virus-scan4 .com - Email: courseinfo@greenwich.ac.uk
clean-all-spyware05 .com - Email: crbarnes@uvic.ca
best-virus-scanner5 .com - Email: info@ecomsol.com
remove-all-spyware07 .com - Email: info@nco.com.cn
fast-virus-scan7 .com - Email: courseinfo@greenwich.ac.uk
005threats-scanner .com
09computerquickscan .com
005yourprivatescanner .com
online-systemscan .net - Email: gertrudeedickens@text2re.com
best-spyware-scan01 .com - Email: info@viter-media.com
online-antivir-scan09 .com - Email: contacts@stevens-media.com
checkviruszone .com - Email: gertrudeedickens@text2re.com

guardsearch .net - Email: gertrudeedickens@text2re.com
protection-check07 .com - Email: info@democraticyouth.com
malwareinternetscanner03 .com - Email: kathy@nj-steams.com
best-spyware-scan03 .com - Email: info@viter-media.com
antispywarescanner08 .com - Email: info@cpehn.org
antivirusonlinescan03 .com - Email: kathy@nj-steams.com
quick-virus-scanner02 .com - Email: info@person.k112.nc.us
securedlivescan .com
superb-virus-scan09 .com - Email: tours@admiralgroup.co.uk
superb-antivir-scan01 .com - Email: tours@admiralgroup.co.uk
intellectual-vir-scan09 .com - Email: info@worldlifehencey.com
intellectual-vir-scan08 .com - Email: info@worldlifehencey.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com

clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

antispyware-online-scanv7 .com - Email: ervin1981rolf@yahoo.com
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

onlineproantivirusscanner .com - Email: findz@freebbmail.com
online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz

New/historical redirection domains used in the campaign, this time parked at 78.46.201.89/94.102.48.29/different locations as noted:
cnn-bcc2 .com - 89.248.174.61 - Email: mail@sccits.com.cn
issuenews1 .com - Email: mail@sccits.com.cn
headlinenews2 .com - Email: mail@sccits.com.cn
usdisturbed .cn - Email: info@brandbanks.com
milesdavisorland .cn - Email: info@brandbanks.com
usaworkinghard .cn - Email: info@brandbanks.com
nationaltreasure .cn - Email: info@brandbanks.com
milesdavisorland .cn - 91.213.126.101 - Email: info@brandbanks.com
we-accepted .cn - Email: info@rcusan.org
myth-busters .cn - Email: info@rcusan.org
russell-brand .cn - Email: info@sciencesdemo.com
willsmithinc .cn - Email: contact@oregonvma.org
dirty-dancing .cn - Email: allisonh@soeconline.org
sex-and-the-city .cn - Email: oregon.artscomm@state.or.us
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
doubleclicknet .cn - 67.215.245.187 - Email: webmaster@doubleclicknet.cn
shrekmovie .cn - Email: oregon.artscomm@state.or.us
radioheadicon .cn - Email: contact@oregonvma.org
batman-comics .cn - Email: contact@oregonvma.org
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn
aware-of-future .cn - Email: info@globaltechs.com.cn
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - 64.27.21.5 - Email: support@ruler-domains.com
triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php - - Email: tigerwood1@nm.ru

triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query=", deja vu again - fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

News Items Themed Blackhat SEO Campaign Still Active

SMS Ransomware Displays Persistent Inline Ads

SMS Ransomware Displays Persistent Inline Ads

Summarizing Zero Day's Posts for August

6th SMS Ransomware Variant Offered for Sale

Movement on the Koobface Front - Part Two

Movement on the Koobface Front - Part Two

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

RSS Feed

About Me

Blog Archive

Tags

Popular Posts