Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

Just how greedy has the Koobface gang become these days? Very greedy.

In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/fee1/index.php?GREED==random_characters. Let's dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010.

• The domain portfolios are in a process of getting suspended

The current portfolio of redirectors embedded on Koobface-infected hosts is parked  at 195.5.161.129, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:
tvinyourpc.com - Email: test@now.net.cn
wheretosellford.com - Email: test@now.net.cn
weddings-sales-place.com - Email: test@now.net.cn
chromepluginsfree.com - Email: test@now.net.cn
checkwebtriple.com - Email: test@now.net.cn
partypartytime.com - Email: test@now.net.cn
yourblog2blog.com - Email: test@now.net.cn
microstoreblog.com - Email: test@now.net.cn
mexicomaxtravel.com - Email: info@montever.de
fulllife2photo.com - Email: test@now.net.cn
yourmaximumphoto.com - Email: test@now.net.cn
lineagecheatandbug.com - Email: test@now.net.cn
titansandgods.com - Email: test@now.net.cn
microsoftbugtracks.com - Email: test@now.net.cn
secureyourinfos.com - Email: test@now.net.cn
weddingiephotos.com - Email: test@now.net.cn
parkeroffers.com - Email: test@now.net.cn
nocderrors.com - Email: test@now.net.cn
androidmobilereviews.com - Email: test@now.net.cn
terraanews.com - Email: test@now.net.cn
getbestshows.com - Email: test@now.net.cn
videostvshows.com - Email: test@now.net.cn
besttvshowininternet.com - Email: test@now.net.cn
titanicoverlight.com - Email: test@now.net.cn

The scareware domains portfolio is currently parked on 195.5.161.117, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:
be-protected-10.info - Email: harkitrip@ymail.com
be-protecteda.info - Email: harkitrip@ymail.com
be-protectedc.info - Email: harkitrip@ymail.com
be-protectedi.info - Email: harkitrip@ymail.com
be-protected-i8.info - Email: harkitrip@ymail.com
be-protectedk.info - Email: harkitrip@ymail.com
be-protected-l0.info - Email: harkitrip@ymail.com
be-protected-l1.info - Email: harkitrip@ymail.com
be-protected-t1.info - Email: harkitrip@ymail.com
be-protectedy.info - Email: harkitrip@ymail.com
be-secured-a1.info - Email: harkitrip@ymail.com
be-secured-b2.info - Email: harkitrip@ymail.com
be-secured-c6.info - Email: harkitrip@ymail.com
be-secured-d9.info - Email: harkitrip@ymail.com
be-secured-z1.info - Email: harkitrip@ymail.com
capital-security1.info - Email: goninanbiz2@ymail.com
capital-security2.info - Email: goninanbiz2@ymail.com
capital-security6.info - Email: goninanbiz2@ymail.com
capital-securitya.info - Email: goninanbiz2@ymail.com
capital-securityc.info - Email: goninanbiz2@ymail.com
capital-securitye.info - Email: goninanbiz2@ymail.com
capital-securityt.info - Email: goninanbiz2@ymail.com
general-protection0.info - Email: goninanbiz2@ymail.com
general-protection1.info - Email: goninanbiz2@ymail.com
general-protection4.info - Email: goninanbiz2@ymail.com
general-protection9.info - Email: goninanbiz2@ymail.com
how-to-secure-pc1.info - kramershoppers@yahoo.com
help-you-now0.info - Email: intrigo2@yahoo.com
help-you-now1.info - Email: intrigo2@yahoo.com
help-you-now4.info - Email: intrigo2@yahoo.com
help-you-now6.info - Email: intrigo2@yahoo.com
help-you-now9.info - Email: intrigo2@yahoo.com

•  Consider going through "The ultimate guide to scareware protection" and a gallery of popular scareware/fake security software brands

pchelpserver.info - Email: vernotowersc2@googlemail.com
pchelpservera.info - Email: vernotowersc2@googlemail.com
pchelpserverz.info - Email: vernotowersc2@googlemail.com
powersecurity09.info - Email: miscelli3@googlemail.com
powersecurityc.info - Email: miscelli3@googlemail.com
powersecurityt.info - Email: miscelli3@googlemail.com
powersecurityy.info - Email: miscelli3@googlemail.com
powerssoftware0.info - Email: miscelli3@googlemail.com
powerssoftware1.info - Email: miscelli3@googlemail.com
powerssoftware3.info - Email: miscelli3@googlemail.com
powerssoftware6.info - Email: miscelli3@googlemail.com
security-softwarec.info - kramershoppers@yahoo.com
software-helpa.info - Email: hartin6@yahoo.com
software-helpd.info - Email: hartin6@yahoo.com
software-helpe.info - Email: hartin6@yahoo.com
software-helpy.info - Email: hartin6@yahoo.com
software-helpz.info - Email: hartin6@yahoo.com
special-software1.info - Email: hartin6@yahoo.com
special-software3.info - Email: hartin6@yahoo.com
special-software7.info - Email: hartin6@yahoo.com
special-software8.info - Email: hartin6@yahoo.com
special-software9.info - Email: hartin6@yahoo.com
specialwebhelp0.info - Email: hartin6@yahoo.com
specialwebhelp1.info - Email: hartin6@yahoo.com
specialwebhelp3.info - Email: hartin6@yahoo.com
specialwebhelp5.info - Email: hartin6@yahoo.com
specialwebhelp7.info - Email: hartin6@yahoo.com

Detection rates for scareware samples rotated over the past 48 hours:
- Setup_312s2.exe - Trojan.Win32.FakeAV!IK - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3549 - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3605 - Result: 10/42 (23.81%)
- Setup_312s2.exe - Packed.Win32.Krap.as - Result: 6/41 (14.64%)
- Setup_312s2.exe - Trojan.Crypt.XPACK.Gen2 - Result: 6/42 (14.29%)
- Setup_312s2.exe - Sus/UnkPack-C - 10/42 (23.81%)

The samples phone back to projectwupdates.com/ download/winlogo.bmp - 94.228.208.57 and cariport.com/ ?b=312s2 - 89.248.168.21 (psdefendersoft.com and antispywarelist.com also parked there) - Email: zooik52@hotmail.com.

• Consider going through the "10 things you didn't know about the Koobface gang" article

Recent detection rates for Koobface components:
- fb.101.exe - Result: 39/42 (92.86%)
- go.exe - Result: 7/42 (16.67%)
- pp.14.exe - Result: 36/42 (85.72%)
- v2bloggerjs.exe - Result: 39/42 (92.86%)
- v2captcha21.exe - Result: 24/41 (58.54%)
- v2newblogger.exe - Result: 23/41 (56.10%)
- v2googlecheck.exe - Result: 36/41 (87.80%)
- v2webserver.exe - Result: 26/42 (61.91%)

In respect the Koobface gang, as well as cybecrime in general, historical OSINT always offers an invaluable piece of the malicious puzzle of their campaigns, hosting providers, and the campaign structure making it easier to establish multiple connections between the rest of their non Koobface-botnet related campaigns.

Here's a peek at the redirectors and scareware domains served during February. For more extensive assessment of their activities for February, go through the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" post.

Redirectors parked 91.212.132.242, AS49091, Interforum-AS Interforum LTD for February, 2010:
amazing-4-fotos.com - Email: test@now.net.cn
bbcadditionalguide.com - Email: test@now.net.cn
brightonsales.com - Email: test@now.net.cn
daily00photos.com - Email: test@now.net.cn
daily6deals.com - Email: test@now.net.cn
daily88news.com - Email: test@now.net.cn
dellvideohacks.com - Email: test@now.net.cn
discoverallnow.com - Email: test@now.net.cn
discoverprivateinfo.com - Email: test@now.net.cn
discoverprivatelife.com - Email: test@now.net.cn
discoverprivatemail.com - Email: test@now.net.cn
discoverprivatewebcams.com - Email: test@now.net.cn
discoversecretdfacebook.com - Email: test@now.net.cn
facebookfriendwatch.com - Email: test@now.net.cn
facebookreadmail.com - Email: test@now.net.cn
free-amazon-coupon.com - Email: test@now.net.cn
free-ebay-stuff.com - Email: test@now.net.cn
free-secret-info.com - Email: test@now.net.cn
getalestickets.com - Email: test@now.net.cn
hightowerfisheye.com - Email: test@now.net.cn
lenovovideohacks.com - Email: test@now.net.cn
mymailbusiness.com - Email: test@now.net.cn
private-0-photos.com - Email: test@now.net.cn
seehiddenfacebook.com - Email: test@now.net.cn
skyscrapeviews.com - Email: test@now.net.cn
yahoobusinesstrip.com - Email: test@now.net.cn
you22tube.com - Email: test@now.net.cn

Scareware domains parked on 195.5.161.119, AS31252, STARNET-AS StarNet Moldova, for February, 2010:
best-protection0.info - Email: ware2mall@yahoo.com
best-protection8.info - Email: ware2mall@yahoo.com
bestprotectiona.info - Email: ware2mall@yahoo.com
best-protectiona.info - Email: ware2mall@yahoo.com
bestprotectione.info - Email: ware2mall@yahoo.com
best-protectione.info - Email: ware2mall@yahoo.com
best-protectionf.info - Email: ware2mall@yahoo.com
mega1-antivirus3.com - Email: test@now.net.cn
mega1-antivirus5.com - Email: test@now.net.cn
mega1-antivirus7.com - Email: test@now.net.cn
mega1-antivirus9.com - Email: test@now.net.cn
mega1-scanner5.com - Email: test@now.net.cn
mega1-scanner7.com - Email: test@now.net.cn
smartsecurity0.info - Email: neeceheight@yahoo.com
smartsecurity1.info - Email: neeceheight@yahoo.com
smart-security1.info - Email: neeceheight@yahoo.com
smartsecurity2.info - Email: neeceheight@yahoo.com
smartsecurity7.info - Email: neeceheight@yahoo.com
smartsecuritya.info - Email: neeceheight@yahoo.com
smartsecurityd.info - Email: neeceheight@yahoo.com
smart-securityo.info - Email: neeceheight@yahoo.com
super2-antivirus.com - Email: neeceheight@yahoo.com
super2-antivirus2.com - Email: neeceheight@yahoo.com
ver2-scanner.com - Email: test@now.net.cn
ver2-scanner2.com - Email: test@now.net.cn
ver2-scanner4.com - Email: test@now.net.cn

Persistence must be met with persistence. The domain portfolios are in a process of getting suspended, an update will posted as soon as this happens.

Related Koobface gang/botnet research:
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild

AS50215 Troyak-as customers are back, with an ugly mix of scareware, sinowal, and client-side exploits serving campaign using the "You don't have the latest version of Macromedia Flash Player" theme. Quality assurance is also in place this time, with the client-side exploit serving domains using a well known "function nerot" obfuscation technique in an attempt to bypass link scanners.

Let's dissect the campaign, list all the typosquatted and spamvertised domains, the client-side exploit serving iFrames and the actual scareware.

Sampled URLs archives .wesh.kr/archive0715/?id=test@test.com; anonymousfiles .wesh.or.kr/archive0715/?id=test@test.com.

Spamvertised and typosquatted currently active domains include:

enyg.ne.kr - Email: EneesC9563@hotmail.com
enyk.ne.kr - Email: EneesC9563@hotmail.com
enyz.ne.kr - Email: EneesC9563@hotmail.com
enyg.kr - Email: EneesC9563@hotmail.com
enyk.kr - Email: EneesC9563@hotmail.com
enyg.co.kr - Email: EneesC9563@hotmail.com
enyk.co.kr - Email: EneesC9563@hotmail.com
enyt.co.kr - Email: EneesC9563@hotmail.com
enyz.co.kr - Email: EneesC9563@hotmail.com
enyg.or.kr - Email: EneesC9563@hotmail.com
enyk.or.kr - Email: EneesC9563@hotmail.com
enyt.or.kr - Email: EneesC9563@hotmail.com
enyz.or.kr - Email: EneesC9563@hotmail.com
enyt.kr - Email: EneesC9563@hotmail.com
enyz.kr - Email: EneesC9563@hotmail.com
erase.co.kr - Email: PalacidoL6860@hotmail.com
erase.ne.kr - Email: PalacidoL6860@hotmail.com
erase.or.kr - Email: PalacidoL6860@hotmail.com
erasm.co.kr - Email: PalacidoL6860@hotmail.com
erasm.kr - Email: PalacidoL6860@hotmail.com
erasm.ne.kr - Email: PalacidoL6860@hotmail.com
erasm.or.kr - Email: PalacidoL6860@hotmail.com
erasv.co.kr - Email: PalacidoL6860@hotmail.com

erasv.kr - Email: PalacidoL6860@hotmail.com
erasv.ne.kr - Email: PalacidoL6860@hotmail.com
erasv.or.kr - Email: PalacidoL6860@hotmail.com
erasw.co.kr - Email: PalacidoL6860@hotmail.com
erasw.kr - Email: PalacidoL6860@hotmail.com
erasw.ne.kr - Email: PalacidoL6860@hotmail.com
erasw.or.kr - Email: PalacidoL6860@hotmail.com
wesc.ne.kr - Email: PalacidoL6860@hotmail.com
wese.co.kr - Email: PalacidoL6860@hotmail.com
wese.kr - Email: PalacidoL6860@hotmail.com
wese.or.kr - Email: PalacidoL6860@hotmail.com
wesh.co.kr - Email: PalacidoL6860@hotmail.com
wesh.kr - Email: PalacidoL6860@hotmail.com
wesh.or.kr - Email: PalacidoL6860@hotmail.com
wesi.co.kr - Email: PalacidoL6860@hotmail.com
wesi.kr - Email: PalacidoL6860@hotmail.com
wesi.or.kr - Email: PalacidoL6860@hotmail.com
wesw.co.kr - Email: PalacidoL6860@hotmail.com
wesw.kr - Email: PalacidoL6860@hotmail.com
wesw.ne.kr - Email: PalacidoL6860@hotmail.com
wesw.or.kr - Email: PalacidoL6860@hotmail.com

Name servers of notice:
ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net
ns1.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com
ns1.limeteablack.net - 87.117.245.9 - Email: doofi@usa.com

Upon visiting the spamvertised links, the cybercriminals are then enticing the user into manually downloading update.exe - Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - Result: 10/42 (23.81%).

The sample phones back to the following location, downloading the actual scareware (setup.exe - Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96%) ), and ensuring the the cybercriminals phone back with the affiliate ID to confirm a successful installation:
- gotsaved.cn/css/_void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net
gotsaved.cn/css/_void/srcr.dat
gotsaved.cn/css/_void/crcmds/install
gotsaved.cn/css/_void/crfiles/serf
gotsaved.cn/css/_void/crcmds/builds/bbr
gotsaved.cn/css/_void/crfiles/bbr
gotsaved.cn/css/_void/knock.php
gotsaved.cn/css/_void/crcmds/extra

- automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=XF5W&subid=AQoY&prov=&mode=cr&v=6&newref=1 - 69.39.238.101 - Email: larrypenn@xhotmail.net
automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=Wg==&subid=GwocGwEEHQ==&prov=&mode=cr&v=6nkr

 - beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new&version=3.0&adwareok - 193.169.234.30 - Email: Vrapus.Kamat@gmail.com

- mega-fast.org/page2/setup - 91.212.132.8 - Email: Vrapus.Kamat@gmail.com
mega-fast.org/page2/setup0

Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 (gotsaved.cn) are also:
airportweb.cn - Email: JoannaWilhelm@xhotmail.net
gotsaved.cn - Email: georgelem@xhotmail.net
gotsick.cn - Email: georgelem@xhotmail.net
gottired.cn - Email: georgelem@xhotmail.net
gotunderway.cn - Email: georgelem@xhotmail.net
gotupset.com - Email: DianaFister@xhotmail.net
methodsweb.com - Email: bryantlew@xhotmail.net
pickingweb.cn - Email: JoannaWilhelm@xhotmail.net
prima-fast.org - Email: Vrapus.Kamat@gmail.com
publishingweb.cn - Email: JoannaWilhelm@xhotmail.net
quickfreescan.org - Email: GrantPursell@xhotmail.net
scanerborn.cn - Email: KristinDunton@xhotmail.net
scanerexcuse.cn - Email: KristinDunton@xhotmail.net
scanernurse.cn - Email: KristinDunton@xhotmail.net
scanerwhatever.cn - Email: KristinDunton@xhotmail.net
senateweb.com - Email: bryantlew@xhotmail.net
webdocuments.cn - Email: JoannaWilhelm@xhotmail.net

Parked on 69.39.238.101 (automaticallyfind.org) are also:
guysfind.org - Email: larrypenn@xhotmail.net
automaticallyfind.org - Email: larrypenn@xhotmail.net
findalternate.org - Email: larrypenn@xhotmail.net

As we've already seen in previous campaigns, each and every domain is embedded with an iFrame, which this time behaves differently, much more covertly than the one used before. ylwgheakrozn.com /ld/nov1/ - 66.135.37.211 - Email: getilak11@yahoo.com would attempt to load the following:
- ylwgheakrozn.com /nte/nov1.php
- ylwgheakrozn.com /nte/avorp1nov1.py
- ylwgheakrozn.com /nte/NOV1.py

• The folks at FireEye have covered the "function nerot" in depth in January, 2010, and have analyzed a campaign using a similar structure as the current one

But would also attempt to load the nonexistent:
- ylwgheakrozn.com /nte/AVORP1NOV1.exe
- ylwgheakrozn.com /nte/NOV1.exe
- ylwgheakrozn.com /nte/NOV1.asp
- ylwgheakrozn.com /nte/NOV1.html

The campaign ultimately serves Backdoor.Sinowal.DJ; Result: 15/42 (35.71%) through an obfuscated Exploit.PDF-JS.Gen - Result: 18/42 (42.86%).

Parked on same IP where the iFrame domains is, is the remaining portfolio of domains presumably prepared for rotation, in fact some of them are already involved in malicious activity.

At 69.174.245.148; 75.125.212.58; 66.135.37.211; 190.120.228.44 and 76.74.238.94 is the rest of the client-side exploits serving domains portfolio:
aabtiktadve.com - Email: adminhhhPolego@hotmail.com
acdcwpbathr.com - Email: vikolr5ty@yahoo.com
acdlsvladve.com - Email: ade45Meehan4@yahoo.com
aghgiqfathr.com - Email: eeeDalmanbei@yahoo.com
balhimana.com - Email: Malachowski@yahoo.com
dbcavsaddve.com - Email: Wilfredo-admin@yahoo.com
ddehkyhddve.com - Email: admnBowgrenfd@yahoo.com
ddewphwddve.com - Email: W-Leet1210@yahoo.com
dhjgjwgddve.com - Email: adminSeaborn09@yahoo.com
dhjvnvvddve.com - Email: adminSeaborn09@yahoo.com
diaiscjdthr.com - Email: Nelsondwer4@yahoo.com
ejsinlbyidid.com - Email: nerForbes09@yahoo.com

fgdchevuno.net - Email: 22232344sad22b1yj@msanz.com
fgnmgojuno.com - Email: 2223234422awbyj@msanz.com
fgxwuyyuno.com - Email: 2223234422asdbyj@msanz.com
ghedifauno.com - Email: 2223234422asd1byj@msanz.com
ghtsuumuno.com - Email: 222323442qw1e2byj@msanz.com
hdewptwhdve.com - Email: zekoAdmin@yahoo.com
hhjvnzvhdve.com - Email: qwMeier34ed@hotmail.com
jcdcwxbjthr.com - Email: kovin78213@yahoo.com
jefshosjdve.com - Email: Computer66Heads@yahoo.com
kbclyokkthr.com - Email: admHalliday666@yahoo.com
kdvarmgibtp.com - Email: aatrganz10@yahoo.com
lbckqbkldve.com - Email: W-Leet1210@yahoo.com
mcdcwjbmthr.com - Email: Lobertzqeq437@yahoo.com
mghvegumthr.com - Email: eeeDalmanbei@yahoo.com
mjisuvrmthr.com - Email: domainHodge2@hotmail.com

pdecaxcpdve.com - Email: Computer66Heads@yahoo.com
pfgeeeepdve.com - Email: admndomsale12@yahoo.com
pfgfgdepthr.com - Email: finsky777admin@gmail.com
pfgoykopdve.com - Email: Wildeysgh67@yahoo.com
pfgtihtpdve.com - Email: admnBowgrenfd@yahoo.com
pianwinpdve.com - Email: Wilfredo-admin@yahoo.com
qabaqbyqthr.com - Email: admHalliday666@yahoo.com
qabtihtqdve.com - Email: Lawrencee45sd@yahoo.com
qcdvnhvqdve.com - Email: Lawrencee45sd@yahoo.com
qefshvsqdve.com - Email: Wildeysgh67@yahoo.com
qghgixfqthr.com - Email: Nguyen10@gmail.com
qghkqfkqdve.com - Email: adminsales@yahoo.com
qghpbapqdve.com - Email: qwMeier34ed@hotmail.com
qghvexuqthr.com - Email: Richmondsw3d@yahoo.com
qhjcwfbqthr.com - Email: asVeles45@hotmail.com
qlpkoxmdzxsb.com - Email: QLPKOXMDZXSB.COM@domainservice.com
sjidamcsthr.com - Email: Gallippihu67@yahoo.com
sjinfcmsthr.com - Email: domainadmin@navigationcatalyst.com
tbcpbxptdve.com - Email: hoters12admin@yahoo.com
tfgoyqotdve.com - Email: Brodeursdfrtr@yahoo.com
thjgjcgtdve.com - Email: Harrisasasd@yahoo.com
tiashostdve.com - Email: aaLehmann34s@yahoo.com
ubcvesuuthr.com - Email: kovin78213@yahoo.com
uefxrwxudve.com - Email: admndomsale12@yahoo.com
wghgiwfwthr.com - Email: Richmondsw3d@yahoo.com
yvbbpgrixovr.com - Email: dioSingh12@yahoo.com

Monitoring of the campaign is ongoing, updates will be posted as soon as new developments emerge.

Related Troyak-as activity and previous campaigns maintained by their customers:
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Money Mule Recruiters on Yahoo!'s Web Hosting

UPDATED: Saturday, March 13, 2010 - Yahoo! Web Hosting abuse just pinged me that "We have investigated the sites and taken the necessary action".

Just how dumb, or perhaps ingenious is a cybecriminal that would host his money mule recruitment operations using Yahoo!'s Web Hosting services? Is the reputable hosting location, worth the risk of having their campaigns taken down much easily than if there were hosting them on the bad reputation block, and would have never bothered replying to abuse notifications?

Whatever the motivation of the people behind this money mule recruitment campaign, they are currently using Yahoo! Web Hosting. Domains in question, including contact details:

 - Reed Financial Services - reed-fs.com - 68.180.151.74
555 11th St NW
Washington, DC 20004
Phone numbers:
(866) 863-6438
(202) 355-6678 (FAX)

- Stevens Financial Solutions - stevensfs.com - 98.136.50.138; 69.147.83.187; 69.147.83.188
Postal address:
Stevens Financial Solutions
Bahnhofstrasse 32
CH-8001 Zurich, Switzerland
Value Added Tax Nr.: 428 643

Phones and fax no's:
Phone: +41 (43) 219-2551
Fax 1: +41 (43) 219-2551
Fax 2: +1 (866) 703-7622 US Toll-Free

- Waters & Co. LLP - watersllp.com - 216.39.57.104
400 East Pratt Street,
Baltimore, MD 21202
United States
Phone numbers:
(443) 524-9221
(443) 524-9221 (FAX)

- Nilson Financial Solutions - nilson-fs.com - 98.136.92.76; 98.136.92.77; 98.136.92.78
Nilson Financial Solutions
Bahnhofstrasse 32
CH-8001 Zurich, Switzerland
Value Added Tax Nr.: 428 643

Phones and fax no's:
Phone: +41 (43) 219-2551
Fax 1: +41 (43) 219-2551
Fax 2: +1 (866) 472-0560 US Toll-Free

Upon submitting the personal details, the potential money mule is required to send a scanned copy of their ID or driving license:

• "Familiarize yourself with all clauses of the contract. Fill the contract and send us a scanned copy of it to the e-mail address info@watersllp.com or by fax: (443) 524-9221. The contract becomes valid from the moment of the reception of the correctly filled copy of the contract. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.* To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to send a scan of valid ID or a driving license to the e-mail: info@watersllp.com or by fax: (443) 524-9221. We guarantee full confidentiality of your personal information, more information on this matter you will find in our Privacy Policy PLEASE LET US KNOW BY EMAIL WHEN YOU WILL FAX BACK/EMAIL AS ATTACHEMENT THE CONTRACT AND APPLICATION FORM WITHIN 48 HOURS."

Yahoo!'s Web Hosting abuse team has been notified of the campaigns, and will nuke the offline a.s.a.p

Related coverage of money laundering in the context of cybercrime:
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

2nd update for Friday, March, 12, 2010 - Troyak-AS is down again - "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."

UPDATED: Friday, March, 12, 2010 - Troyak-AS peering courtesy of AS25189 - NLINE-AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it's time for a "terminating condition".

2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream courtesy of AS8342 - RTCOMM-AS RTComm.RU Autonomous System. The good news? Troyak's Zeus C&Cs are still offline.

UPDATED: Thursday, March 11, 2010 - TROYAK-AS Starchenko Roman Fedorovich is dead again - "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."

UPDATED: Troyak-as is now AS44051 YA-AS Professional Communication Systems.

AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the ZeusTracker.

AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly or indirectly interacting with the following ASs:

• AS31366 - smallshop-as Stebluk Vladimir Vladimirovich 
• AS44107 - PROMBUDDETAL-AS Prombuddetal LLC 
• AS50369 - VISHCLUB-as Kanyovskiy Andriy 
• AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich 
• AS47560 - VESTEH-NET-as Vesteh LLC

Don't pop the corks just yet, their customers, in particular their money mule recruitment customers are already migrating to the competition.

From a cybercriminal's perspective, such minor operational glitches don't undermine the business model. Sadly, it's more cost-effective to build a new botnet, compared to trying to gain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector.

AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Don't Play Poker on an Infected Table - Part Three

The monetization of phony online gambling networks -- clearly tolerating systematic violation of their TOS -- is continuing with the scammers behind last month's campaign (Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates.

It's worth pointing out that the spammers don't just earn revenue every time someone installs the application, but also, every time the, now converted visitor, interacts financially with the service, a monetization approach you'll see in the attached screenshots.

Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and we3tt.com) : StarsVIPCasino_Setup.exe - Result: 14/42 (33.33%); GoldenMummyEN.exe - Result: 9/42 (21.43%); RubyRoyaleEN.exe - Result: 11/42 (26.19%). Sample phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfortune.mgsmup.com

Spamvertised domains include:
adrembovesttes.net - Email: pengjiajie222@163.com
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com
bonusgameslux.net - Email: fgsdvbbvd@qq.com
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com
bonusluxplays.net - Email: fgsdvbbvd@qq.com
bonusplayslux.net - Email: fgsdvbbvd@qq.com
casinosbonuslux.net - Email: fgsdvbbvd@qq.com
casinosluxclub.net - Email: fgsdvbbvd@qq.com
casinosluxstar.net - Email: fgsdvbbvd@qq.com
clopelinesutes.net - Email: fgsdvbbvd@qq.com
clubgameslux.net - Email: fgsdvbbvd@qq.com
clubluxgames.net - Email: fgsdvbbvd@qq.com
club-of-lux.net - Email: fgsdvbbvd@qq.com
clubs-play.net - Email: fgsdvbbvd@qq.com
clubvegas-games.net - Email: fgsdvbbvd@qq.com
gameclubviva.net - Email: fgsdvbbvd@qq.com
game-lux-club.net - Email: fgsdvbbvd@qq.com
gamesbonuslux.net - Email: fgsdvbbvd@qq.com
games-gold.net - Email: fgsdvbbvd@qq.com
gameslux.net - Email: fgsdvbbvd@qq.com
gamesstarlux.net - Email: fgsdvbbvd@qq.com
gamevivagold.net - Email: fgsdvbbvd@qq.com
gorxshop.net - Email: sdfxckj@msn.com
hannoweramtes.net - Email: ftyughsere@qq.com
lutiok.net - Email: ftgy23fge@126.com
luxbonusgames.net - Email: fgsdvbbvd@qq.com
luxbonusplays.net - Email: fgsdvbbvd@qq.com
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com
luxclubcasinos.net - Email: fgsdvbbvd@qq.com

luxclubplays.net - Email: fgsdvbbvd@qq.com
luxgamesbonus.net - Email: fgsdvbbvd@qq.com
luxgamesstar.net - Email: fgsdvbbvd@qq.com
luxplaysclub.net - Email: fgsdvbbvd@qq.com
luxplaysstar.net - Email: fgsdvbbvd@qq.com
luxs-games.net - Email: fgsdvbbvd@qq.com
luxstarplays.net - Email: fgsdvbbvd@qq.com
mollehoukutes.net - Email: guoaiwense@163.com
murgadobarotes.net - Email: guoaiwense@163.com
namedosaras.net - Email: ftyughsere@qq.com
pay3500win.net - Email: dfgdvbcv@sina.com
playeuro777.net - Email: fghvvbcfgds@tom.com
playeuro888.net - Email: fghvvbcfgds@tom.com
playglobal777.net - Email: dfhhjg4ee@163.com
playsclublux.net - Email: fgsdvbbvd@qq.com
playsluxclub.net - Email: fgsdvbbvd@qq.com
realcash-mine.net - Email: dfgdvbcv@sina.com
realcash-offer.net - Email: dfgdvbcv@sina.com
realcash-wins.net - Email: dfgdvbcv@sina.com
regal-jackpot.net - Email: dfgdvbcv@sina.com
regalvegas-online.net - Email: dfgdvbcv@sina.com
royalcasino777.net - Email: edwfrsdf@126.com
royalcasino888.net - Email: edwfrsdf@126.com
royalvegas-play.net - Email: dfgdvbcv@sina.com
satregonovates.net - Email: pengjiajie222@163.com
softaserutes.net - Email: ftyughsere@qq.com
softoutnertes.net - Email: ftyughsere@qq.com
softuoplowtes.net - Email: ftyughsere@qq.com
stargameslux.net - Email: ftyughsere@qq.com
starluxcasinos.net - Email: ftyughsere@qq.com
sundowutortes.net - Email: guoaiwense@163.com
vegasclubsgame.net - Email: fgsdvbbvd@qq.com
vegasgamesclub.net - Email: fgsdvbbvd@qq.com

Sample monetization in action:

Phony affiliate networks are reserve the right to forward the responsibility for the malicious activity to participants violating their Terms or Service. A violation that earned both parties significant amounts of money, in between

The "don't play poker on an infected table" series are prone to expand.

Related posts:
Don't Play Poker on an Infected Table - Part Two
Don't Play Poker on an Infected Table
Malware Serving Online Casinos

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Zero Day's Posts for February

The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, follow me or all of ZDNet's blogs on Twitter.

Recommended reading - Reports: SQL injection attacks and malware led to most data breaches; Report: Malicious PDF files comprised 80 percent of all exploits for 2009 and 10 things you didn't know about the Koobface gang

01. Does Blippy really pose a security risk? 
02. Reports: SQL injection attacks and malware led to most data breaches
03. Scammers phishing for sensitive iPhone data
04. Report: Malicious PDF files comprised 80 percent of all exploits for 2009
05. The Kneber botnet - FAQ
06. 10 things you didn't know about the Koobface gang

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Fotolog's FTLog Malware Campaign Serves Bogus Video Codecs

Continue reading →

Don't Play Poker on an Infected Table - Part Two

Over the past week and a half, cybercriminals have been aggressively spamvertising a growing portfolio of domains, relying on deceptive advertising for nonexistent and fraudulent online gambling web sites, serving the well known Win32.GAMECasino.

• Go through related posts: Don't Play Poker on an Infected Table; Malware(Client-Side Exploits) Serving Online Casinos

What's particularly interesting about the campaign, is the fact that all of the domains serve identical template, with the SmartDownload.exe binary hosted "in the cloud" thanks to Amazon's Web Services (anat.s3.amazonaws.com/dir4/ SmartDownload.exe).

Detecting rate for SmartDownload.exe - Win32.GAMECasino - Result: 10/42 (23.81%). Sample phones back the following domain - download.realtimegaming.com /cdn/goldvipclub/package_list.ini.zip?fakeParam=1 - 212.201.100.144 - Email: admin@REALTIMEGAMING.COM; RealTime Gaming Holding Company, LLC, registered under the following address according to the information published on their web site:

• For Licensing opportunities or Company Information,please submit request to Hasting B.V. Click Here.Hastings International B.V.New Haven Office CenterEmancipatie Boulevard 31 – P.O. Box 6052Curacao Netherlands Antilles

Here are the spavertised domains in question, including the name servers involved.

Spamvertised domains parked on 116.123.221.17; 112.159.237.58:
aerojackpot.net - Email: dfgdfgvcsx12@foxmail.com
compujackpot.net - Email: dfgdfgvcsx12@foxmail.com
jackpotadvance.net - Email: dfgdfgvcsx12@foxmail.com
jackpotalist.net - Email: dfgdfgvcsx12@foxmail.com
jackpotbee.net - Email: dfgdfgvcsx12@foxmail.com
jackpotbuzz.net - Email: dfgdfgvcsx12@foxmail.com
jackpotcanyon.net - Email: dfgdfgvcsx12@foxmail.com
jackpotclubs.net - Email: dfgdfgvcsx12@foxmail.com
jackpotfairy.net - Email: dfgdfgvcsx12@foxmail.com
jackpotfan.net - Email: dfgdfgvcsx12@foxmail.com
jackpotflag.net - Email: dfgdfgvcsx12@foxmail.com
jackpoticity.net - Email: dfgdfgvcsx12@foxmail.com
jackpotjets.net - Email: dfgdfgvcsx12@foxmail.com
jackpotlodge.net - Email: dfgdfgvcsx12@foxmail.com
jackpotlodge.net - Email: dfgdfgvcsx12@foxmail.com
jackpotmoment.net - Email: dfgdfgvcsx12@foxmail.com
jackpotpair.net - Email: dfgdfgvcsx12@foxmail.com
jackpotrocket.net - Email: dfgdfgvcsx12@foxmail.com
jackpotthink.net - Email: dfgdfgvcsx12@foxmail.com
jackpottodoor.net - Email: dfgdfgvcsx12@foxmail.com
jackpotwire.net - Email: dfgdfgvcsx12@foxmail.com
jacpotcongress.net - Email: dfgdfgvcsx12@foxmail.com
linejackpot.net - Email: dfgdfgvcsx12@foxmail.com
lux777cazino.net - Email: efghfgbvghfgh@qq.com
majicjackpot.net - Email: dfgdfgvcsx12@foxmail.com
midjackpot.net - Email: dfgdfgvcsx12@foxmail.com
mixerjackpot.net - Email: dfgdfgvcsx12@foxmail.com
needjackpot.net - Email: dfgdfgvcsx12@foxmail.com
nestjackpot.net - Email: dfgdfgvcsx12@foxmail.com
shopjackpot.net - Email: dfgdfgvcsx12@foxmail.com
smart-nest.net - Email: dfgdsfvcb@163.com
structjackpot.net - Email: dfgdfgvcsx12@foxmail.com
the-cash.net - Email: dfgdsfvcb@163.com
thejackpots.net - Email: dfgdfgvcsx12@foxmail.com
windowjackpots.net - Email: dfgdfgvcsx12@foxmail.com
win-vox.net - Email: dfgdsfvcb@163.com

aerowin.net - Email: dfgdsfvcb@163.com
beach-jackpot.net - Email: dfgdsfvcb@163.com
beautyselite.net - Email: dfgdsfvcb@163.com
binwin.net - Email: dfgdsfvcb@163.com
clashflash.net - Email: dfgdsfvcb@163.com
couldwin.net - Email: dfgdsfvcb@163.com
dinwin.net - Email: dfgdsfvcb@163.com
eliteclasss.net - Email: dfgdsfvcb@163.com
eliteorder.net - Email: dfgdsfvcb@163.com
eliteplaza.net - Email: dfgdsfvcb@163.com
elitescoop.net - Email: dfgdsfvcb@163.com
eliteweird.net - Email: dfgdsfvcb@163.com
ezelite.net - Email: dfgdsfvcb@163.com
flashapex.net - Email: dfgdsfvcb@163.com
flashbrook.net - Email: dfgdsfvcb@163.com
flashbuzzs.net - Email: dfgdsfvcb@163.com
flashcensus.net - Email: dfgdsfvcb@163.com
flashclashs.net - Email: dfgdsfvcb@163.com
flashlasch.net - Email: dfgdsfvcb@163.com
flashlash.net - Email: dfgdsfvcb@163.com
flashmoment.net - Email: dfgdsfvcb@163.com
flashnest.net - Email: dfgdsfvcb@163.com
flashpixie.net - Email: dfgdsfvcb@163.com
flashslash.net - Email: dfgdsfvcb@163.com
flashspark.net - Email: dfgdsfvcb@163.com
flashspell.net - Email: dfgdsfvcb@163.com
flashzap.net - Email: dfgdsfvcb@163.com
free-smart.net - Email: dfgdsfvcb@163.com
ginwin.net - Email: dfgdsfvcb@163.com

goingtowins.net - Email: dfgdsfvcb@163.com
hitecwinner.net - Email: dfgdsfvcb@163.com
innerwinner.net - Email: dfgdsfvcb@163.com
interelite.net - Email: dfgdsfvcb@163.com
jackpot-direct.net - Email: dfgdsfvcb@163.com
jackpot-fire.net - Email: dfgdsfvcb@163.com
jackpot-help.net - Email: dfgdsfvcb@163.com
jackpot-infinity.net - Email: dfgdsfvcb@163.com
jackpot-mind.net - Email: dfgdsfvcb@163.com
jackpot-minute.net - Email: dfgdsfvcb@163.com
jackpot-phone.net - Email: dfgdsfvcb@163.com
jackpot-reunion.net - Email: dfgdsfvcb@163.com
jackpot-senate.net - Email: dfgdsfvcb@163.com
jackpot-talk.net - Email: dfgdsfvcb@163.com
jackpot-taven.net - Email: dfgdsfvcb@163.com
jackpot-topia.net - Email: dfgdsfvcb@163.com
jackpot-wire.net - Email: dfgdsfvcb@163.com
laschflash.net - Email: dfgdsfvcb@163.com
learn-jackpot.net - Email: dfgdsfvcb@163.com
magicwinner.net - Email: dfgdsfvcb@163.com
mapwinner.net - Email: dfgdsfvcb@163.com
mediaselite.net - Email: dfgdsfvcb@163.com
mindelite.net - Email: dfgdsfvcb@163.com
mrelite.net - Email: dfgdsfvcb@163.com
needwin.net - Email: dfgdsfvcb@163.com
pixiewinner.net - Email: dfgdsfvcb@163.com
powerwinners.net - Email: dfgdsfvcb@163.com

predict-jackpot.net - Email: dfgdsfvcb@163.com
pushelite.net - Email: dfgdsfvcb@163.com
reseachelite.net - Email: dfgdsfvcb@163.com
sellelite.net - Email: dfgdsfvcb@163.com
sgameelite.net - Email: dfgdsfvcb@163.com
sharpwinner.net - Email: dfgdsfvcb@163.com
smart-enough.net - Email: dfgdsfvcb@163.com
smart-fire.net - Email: dfgdsfvcb@163.com
smart-log.net - Email: dfgdsfvcb@163.com
smart-nest.net - Email: dfgdsfvcb@163.com
smart-spree.net - Email: dfgdsfvcb@163.com
steelites.net - Email: dfgdsfvcb@163.com
surveylite.net - Email: dfgdsfvcb@163.com
targetelite.net - Email: dfgdsfvcb@163.com
theelites.net - Email: dfgdsfvcb@163.com
theflashers.net - Email: dfgdsfvcb@163.com
theywin.net - Email: dfgdsfvcb@163.com
velowinner.net - Email: dfgdsfvcb@163.com
vote-smart.net - Email: dfgdsfvcb@163.com
wanttowin.net - Email: dfgdsfvcb@163.com
winbot.net - Email: dfgdsfvcb@163.com
winnercrest.net - Email: dfgdsfvcb@163.com
winnerfast.net - Email: dfgdsfvcb@163.com
winnerhut.net - Email: dfgdsfvcb@163.com
winnerincumbent.net - Email: dfgdsfvcb@163.com
winnermass.net - Email: dfgdsfvcb@163.com
winnerpub.net - Email: dfgdsfvcb@163.com
winnerrocket.net - Email: dfgdsfvcb@163.com
winnersalon.net - Email: dfgdsfvcb@163.com
winnerscan.net - Email: dfgdsfvcb@163.com
winnertake.net - Email: dfgdsfvcb@163.com
winnertal.net - Email: dfgdsfvcb@163.com
winnertoyou.net - Email: dfgdsfvcb@163.com
zap-smart.net - Email: dfgdsfvcb@163.com

Name servers of notice:
ns1.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com
ns1.bedws.com - 218.61.126.28 - Email: guoxiufenghy@163.com
ns1.catdogns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.cebht.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.dd5ns.com - 61.191.191.61 - Email: li-zhenshu@163.com
ns1.dogmens.com - 208.78.242.185 - Email: hmr@data99.com
ns1.euromarketorder.com - 218.61.126.28
ns1.fesws.com - 218.61.126.28 - Email: info2@data99.com
ns1.goatdns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.hh7ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.kindball.com - 218.61.126.28 - Email: zhaokaijunlp@163.com
ns1.mm8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.nn4ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.ss6ns.com - 61.191.191.61 - Email: shirley9127@hotmail.com
ns1.wildnn.com - 208.78.242.185 - Email: hmr@data99.com
ns2.gg9ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns2.sruisorehoes.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns2.zz8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.bavns.com - 218.61.126.28 - Email: shirley9127@hotmail.com
ns3.bawns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.becns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.bojns.com - 218.61.126.28 - Email: li-zhenshu@163.com

The campaign is a great example of cybercrime-friendly affiliate networks, with the cybercriminals in this case investing a modest amount of money for the actual spamming process, and then earning 30% flat rate, which can also be scaling between 20% to 45% depending on their choice.

The practice has been around for years. Here are three monetizations strategies seeing within the last two years, all of which remain an active tactic for fraudsters to take advantage of:

• Brandjacking and monetizing through pseudo-value added crapware applications- this practice has been profiled in a previous analysis "Cybersquatting Security Vendors for Fraudulent Purposes". PandaSecurity's reaction back then? Immediate notification of their legal department.
• SMS micro-payment scams through typosquatting and brandjacking - this tactic has already been profiled in "Legitimate Software Typosquatted in SMS Micro-Payment Scam" analysis. Compared to the typosquatting in the previous scheme, this campaign was monetizing freely available software.
• Abuse of legitimate affiliate networks - In January, 2009, I profiled and took down a campaign that has typosquatted domains for popular applications and was advertising them through Google's AdSense in an attempt to earn money from a legitimate affiliate network - Conduit's Rewards Program. The abuse of these networks can be easily taken care of, since the cybercriminal that's violating their Terms of Service is exposing himself as a legitimate user, with his very own CampaignID.

You may want to reconsider using an online gambling application that's being spammed using a botnet, with the actual application crypted using a tool exclusively used by malware authors in an attempt to bypass signatures based antivirus scanning.

Amazon's Web Services are aware of this campaign. Action against it should be taken shortly.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

UPDATED: Monday, February 22, 2010 - Another typosquatted domains portfolio is being spamvertised, including two new name servers, parked on the same IP where name servers from previous campaigns were hosted.

Typosquatted domains, and name servers of notice are as follows:
dese.co.kr - Email: asondrapgt@hotmail.com
dese.kr - Email: asondrapgt@hotmail.com
dese.ne.kr - Email: asondrapgt@hotmail.com
dese.or.kr - Email: asondrapgt@hotmail.com
desr.co.kr - Email: asondrapgt@hotmail.com
desr.kr - Email: asondrapgt@hotmail.com
desr.or.kr - Email: asondrapgt@hotmail.com
desv.co.kr - Email: asondrapgt@hotmail.com
desv.kr - Email: asondrapgt@hotmail.com
desv.ne.kr - Email: asondrapgt@hotmail.com
desv.or.kr - Email: asondrapgt@hotmail.com
desx.co.kr - Email: asondrapgt@hotmail.com
desx.kr - Email: asondrapgt@hotmail.com
desx.ne.kr - Email: asondrapgt@hotmail.com
desx.or.kr - Email: asondrapgt@hotmail.com
edasa.co.kr
edasa.kr
edasa.ne.kr
edasa.or.kr
edase.co.kr
edase.kr
edase.ne.kr
edase.or.kr
edasn.kr
edasn.ne.kr
edasn.or.kr
edasq.co.kr
edasq.kr
edasq.ne.kr
edasq.or.kr

Name servers of notice:
ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com
ns1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com

UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign -- no client-side serving iFrames found so far -- attempting to steal Google account and Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to attempt to maliciously monetize the traffic of legitimate blogs.

The newly spamvertised domains, including a new name server are as follows:
esub.co.kr - Email: osamplerl61@hotmail.com
esub.kr - Email: osamplerl61@hotmail.com
esub.ne.kr - Email: osamplerl61@hotmail.com
esug.co.kr - Email: osamplerl61@hotmail.com
esug.kr - Email: osamplerl61@hotmail.com
esug.ne.kr - Email: osamplerl61@hotmail.com
esuk.kr - Email: osamplerl61@hotmail.com
esuk.ne.kr - Email: osamplerl61@hotmail.com
esuk.or.kr - Email: osamplerl61@hotmail.com
esus.co.kr - Email: osamplerl61@hotmail.com
esus.kr - Email: osamplerl61@hotmail.com
esus.ne.kr - Email: osamplerl61@hotmail.com
esut.co.kr - Email: osamplerl61@hotmail.com
esut.kr - Email: osamplerl61@hotmail.com
esut.ne.kr - Email: osamplerl61@hotmail.com
ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: rackmodule@writemail.com

UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.

Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%);  ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%).

Domain portfolio, name server of notice - ns1.vektoroils.net - 74.117.63.218 - Email: admin@forsyte.info :
desa.co.kr - Email: hjfeasey@yahoo.co.uk
desa.kr - Email: hjfeasey@yahoo.co.uk
desa.ne.kr - Email: hjfeasey@yahoo.co.uk
desa.or.kr - Email: hjfeasey@yahoo.co.uk
desb.co.kr - Email: hjfeasey@yahoo.co.uk
desb.kr - Email: hjfeasey@yahoo.co.uk
desb.ne.kr - Email: hjfeasey@yahoo.co.uk
desb.or.kr - Email: hjfeasey@yahoo.co.uk
deso.kr - Email: hjfeasey@yahoo.co.uk
deso.or.kr - Email: hjfeasey@yahoo.co.uk
desv.kr - Email: hjfeasey@yahoo.co.uk
desz.co.kr - Email: hjfeasey@yahoo.co.uk
desz.kr - Email: hjfeasey@yahoo.co.uk
desz.ne.kr - Email: hjfeasey@yahoo.co.uk
desz.or.kr - Email: hjfeasey@yahoo.co.uk

UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php, detection rate for update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5%).

Currently active and spamvertised domains include:
saqwk.co.kr - Email: Camerc05@yahoo.com
saqwk.kr - Email: Camerc05@yahoo.com
saqwk.ne.kr - Email: Camerc05@yahoo.com
saqwk.or.kr - Email: Camerc05@yahoo.com
saqwm.co.kr - Email: Camerc05@yahoo.com
saqwm.kr - Email: Camerc05@yahoo.com
saqwm.ne.kr - Email: Camerc05@yahoo.com
saqwq.co.kr - Email: Camerc05@yahoo.com
saqwq.kr - Email: Camerc05@yahoo.com
saqwq.ne.kr - Email: Camerc05@yahoo.com
saqwq.or.kr - Email: Camerc05@yahoo.com
saqwz.co.kr - Email: Camerc05@yahoo.com
saqwz.kr - Email: Camerc05@yahoo.com
saqwz.ne.kr - Email: Camerc05@yahoo.com
saqwz.or.kr - Email: Camerc05@yahoo.com

As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.

In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the U.S IRS with "Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message.

Let's dissect both campaigns, sharing the same fast-flux infrastructure, and currently spammed in the wild.

Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:
- archive .repok.or.kr/archive0714/?id=test@test.com
- secretarchives .renyn.kr/archive0714/?id=test@test.com
- secretfiles .repo1it.me.uk/archive0714/?id=test@test.com
- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com
- postcards .repo1ix.co.uk/archive0714/?id=test@test.com 

Sample sub domain structure:
anonymousfiles .repo1i2.me.uk
archive .repo1iq.me.uk
archive .repo1it.me.uk
archives .repo1i1.me.uk
filearchive .repo1i1.me.uk
files .repo1it.me.uk
files .repo1ix.me.uk
files4friends .repo1it.me.uk
secretarchives .repo1iq.me.uk
secretarchives .repo1iw.me.uk
secretarchives .repo1ix.me.uk
secretfiles .repo1iq.me.uk
sendspace .repo1i2.me.uk

archive .repo1ix.co.uk
archives .repo1iq.co.uk
archives .repo1ix.co.uk
files .repo1iq.co.uk
files4friends .repo1ix.co.uk
incognito .repo1iq.co.uk
postcard .repo1iq.co.uk
postcard .repo1iw.co.uk
secretarchives .repo1iw.co.uk
www.irs.gov .repo1ix.co.uk

Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam) attempts to exploit CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324. Upon successful exploitation, file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27%) is served. Just like the original update.exe - Trojan.Zbot - Result: 13/40 (32.50%) available as a manual download from the pages, both samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy.

Naturally, AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:
91.201.196.35
91.201.196.75
91.201.196.76
91.201.196.38
91.201.196.34
91.201.196.37

Sample URL from the IRS-themed campaign:
- irs.gov .renyn.kr/fraud.applications/application/statement.php

Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".

Detection rate for tax-statement.exe - Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25%), which upon execution phones back to the well known nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy

Active and spamvertised fast-fluxed domains part of the campaign:
renya.co.kr - Email: Sethdc77@yahoo.co.uk
renya.kr - Email: Sethdc77@yahoo.co.uk
renya.ne.kr - Email: Sethdc77@yahoo.co.uk
renya.or.kr - Email: Sethdc77@yahoo.co.uk
renyn.kr - Email: Sethdc77@yahoo.co.uk
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk
renyn.or.kr - Email: Sethdc77@yahoo.co.uk
renyo.co.kr - Email: Sethdc77@yahoo.co.uk
renyo.kr - Email: Sethdc77@yahoo.co.uk
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk
renyo.or.kr - Email: Sethdc77@yahoo.co.uk
renyx.co.kr - Email: Sethdc77@yahoo.co.uk
renyx.kr - Email: Sethdc77@yahoo.co.uk
renyx.ne.kr - Email: Sethdc77@yahoo.co.uk
renyx.or.kr - Email: Sethdc77@yahoo.co.uk

rep021.co.kr - Email: DRendell3407@hotmail.com
rep021.kr - Email: DRendell3407@hotmail.com
rep021.ne.kr - Email: DRendell3407@hotmail.com
rep021.or.kr - Email: DRendell3407@hotmail.com
rep022.co.kr - Email: DRendell3407@hotmail.com
rep022.kr - Email: DRendell3407@hotmail.com
rep022.ne.kr - Email: DRendell3407@hotmail.com
rep022.or.kr - Email: DRendell3407@hotmail.com
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com
rep023.or.kr - Email: DRendell3407@hotmail.com
rep024.kr - Email: DRendell3407@hotmail.com
rep071.co.kr - Email: KantuM37690@hotmail.com
rep071.kr - Email: KantuM37690@hotmail.com
rep071.ne.kr - Email: KantuM37690@hotmail.com

rep071.or.kr - Email: KantuM37690@hotmail.com
rep072.co.kr - Email: KantuM37690@hotmail.com
rep072.kr - Email: KantuM37690@hotmail.com
rep072.ne.kr - Email: KantuM37690@hotmail.com
rep072.or.kr - Email: KantuM37690@hotmail.com
rep073.co.kr - Email: KantuM37690@hotmail.com
rep073.kr - Email: KantuM37690@hotmail.com
rep073.ne.kr - Email: KantuM37690@hotmail.com
rep073.or.kr - Email: KantuM37690@hotmail.com
rep074.co.kr - Email: KantuM37690@hotmail.com
rep074.ne.kr - Email: KantuM37690@hotmail.com
rep074.or.kr - Email: KantuM37690@hotmail.com
rep1051.co.uk
rep1051.me.uk
rep1051.org.uk
rep1051.uk.com
repak.co.kr - Email: limhomeslm@yahoo.co.uk
repak.kr - Email: limhomeslm@yahoo.co.uk

repak.ne.kr - Email: limhomeslm@yahoo.co.uk
repak.or.kr - Email: limhomeslm@yahoo.co.uk
repaz.co.kr - Email: Olb55768@yahoo.co.uk
repaz.kr - Email: Olb55768@yahoo.co.uk
repaz.or.kr - Email: Olb55768@yahoo.co.uk
repek.co.kr - Email: limhomeslm@yahoo.co.uk
repek.ne.kr - Email: limhomeslm@yahoo.co.uk
repek.or.kr - Email: limhomeslm@yahoo.co.uk
repey.co.kr - Email: Olb55768@yahoo.co.uk
repey.kr - Email: Olb55768@yahoo.co.uk
repey.ne.kr - Email: Olb55768@yahoo.co.uk
repey.or.kr - Email: Olb55768@yahoo.co.uk
repia.co.kr - Email: Olb55768@yahoo.co.uk
repia.kr - Email: Olb55768@yahoo.co.uk
repia.ne.kr - Email: Olb55768@yahoo.co.uk
repia.or.kr - Email: Olb55768@yahoo.co.uk
repik.co.kr - Email: limhomeslm@yahoo.co.uk

repik.kr - Email: limhomeslm@yahoo.co.uk
repik.or.kr - Email: limhomeslm@yahoo.co.uk
repok.co.kr - Email: limhomeslm@yahoo.co.uk
repok.kr - Email: limhomeslm@yahoo.co.uk
repok.ne.kr - Email: limhomeslm@yahoo.co.uk
repok.or.kr - Email: limhomeslm@yahoo.co.uk
repoy.co.kr - Email: Olb55768@yahoo.co.uk
repoy.kr - Email: Olb55768@yahoo.co.uk
repoy.ne.kr - Email: Olb55768@yahoo.co.uk
repoy.or.kr - Email: Olb55768@yahoo.co.uk
repo1i1.co.uk
repo1i1.me.uk
repo1i2.co.uk
repo1i2.me.uk
repo1i3.co.uk
repo1ie.co.uk
repo1io.co.uk
repo1iq.co.uk
repo1iq.me.uk
repo1it.me.uk
repo1iw.co.uk
repo1iw.me.uk
repo1ix.co.uk
repo1ix.me.uk

Name servers of notice:
ns1 .skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net
ns1 .addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com
ns1 .skcpanel.com - 64.20.42.235 - Email: support@sk.com
ns1 .holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com
ns1 .skcres.com - 64.20.42.235 - Email: hr@skc.net
ns1 .x-videocovers.net - 64.20.42.235 - Email: storylink@live.com

Interestingly, researchers from M86 Security gained access to the web malware exploitation kit used in a previous campaign:

"It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves."
 
Updated will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns:
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →