From the Koobface Gang with Scareware Serving Compromised Sites

May 08, 2010

Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities, from the last couple of days.

Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites across Facebook, in combination with an interesting "visual social engineering trick" which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tip.
The diverse set of activities courtesy of the Koobface gang -- consider going through the related posts in order to understand their underground multitasking mentality beyond the Koobface botnet itself -- is a case study on the abuse of legitimate infrastructure with a clean IP/AS reputation for purely malicious purposes.

This active use of the "trusted reputation chain", just like the majority of the gang's social engineering centered tactics, aims to exploit the ubiquitous weak link: the average Internet user. Here's an example of the most recent campaign.

The spreading of fully working links such as the following ones across Facebook:
facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk

aims to trick the infected user's friends into believing that this is a Facebook.com-related link. Clicking on the link inside Facebook leads to the "Be careful" interstitial, which shows only the bit.ly redirector, before finally redirecting to 198.65.28.86/swamt/, where the bogus Koobface video had already been seen by 2,601 users who clicked on the link.
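The trick works because the visible prefix is a real facebook.com path while the part after the semicolon is the actual destination. The following is an added example, not the author's tooling: it unwraps that link form and reports the mismatch between the host a user sees and the host the click lands on. The shim format (everything after the first ';' in the path is the real target) is an assumption drawn from the three links quoted above, and the shortener list is a constructed sample.

```python
"""Unwrap facebook.com/l/<token>;<target> links and report the mismatch
between the displayed host and the real target host.

Added example, not code from the original post. The shim parsing rule and
the shortener list are assumptions for this demo."""
from urllib.parse import urlsplit

# Constructed sample of URL-shortener hosts that hide the final destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}

# The three links quoted in the post.
SAMPLE_LINKS = [
    "facebook.com/l/6e7e5;bit.ly/9QjjSk",
    "facebook.com/l/cdfb;bit.ly/9QjjSk",
    "facebook.com/l/f3c29;bit.ly/9QjjSk",
]


def split_host_path(link):
    """Return (host, path_with_query) for a link with or without a scheme."""
    if "://" not in link:
        link = "http://" + link
    parts = urlsplit(link)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname or "", path


def unwrap_link_shim(link):
    """Return the destination embedded after ';' in a facebook.com/l/ link,
    or None when the link is not in that form (assumed format)."""
    host, path = split_host_path(link)
    if host not in ("facebook.com", "www.facebook.com"):
        return None
    if not path.startswith("/l/") or ";" not in path:
        return None
    return path.split(";", 1)[1]


def classify_link(link):
    """Compare the displayed host with the real target host and note whether
    the target is a shortener, i.e. the final site is still unknown."""
    displayed_host, _ = split_host_path(link)
    target = unwrap_link_shim(link)
    target_host = split_host_path(target)[0] if target else displayed_host
    return {
        "displayed_host": displayed_host,
        "target_host": target_host,
        "mismatch": target_host != displayed_host,
        "via_shortener": target_host in SHORTENER_HOSTS,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

A link inspector (mail gateway, social-media feed filter) would treat `mismatch` plus `via_shortener` as the condition under which the "Be careful" interstitial is the only warning the user ever gets.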

The scareware redirectors/actual serving domains are parked at 195.5.161.126, AS31252, STARNET-AS StarNet Moldova:
1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn


Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%)

The scareware sample phones back to:
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn

The complete list of compromised sites distributed by Koobface-infected Facebook users:
02f32e3.netsolhost.com /o492dc/
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2cgg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /1hkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/



euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /l04s8m2/
forwardmarchministries.org /1bc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /1azl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /j15/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fltwizy/
hottesttomato.com /6b/
iglesiabetania1.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/



jsacm.com /z6/
kabchicago.info /1cgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /cg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /v1g/
mia-nilsson.se /cmc/
microstart.fr /lzu1/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /z1/
neweed.org /x4t/
nosneezes.com /5hjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/

partenaires-particuliers.fr /uo/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3a1gz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvl.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9q115/
sgottnerivers.com /y0j16rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/



slcsc.co.uk /0kem/
soderback.eu /xvg9/
spel-service.com /xm/
sporthal.msolutions.be /vyx3yu/
steelstoneind.com /yzp/
stgeorgesteel.com /ji/
stgeorgesteel.com /ylnwlr/
stubbieholderking.com /dyarx1/
sweet-peasdog.se /0rcjo/
taekwondovelden.nl /mhnskk/
testjustin.comze.com /oafxzy/
the-beehive.com /r8x3cm/
the-beehive.com /weqw7e/
thedallestransmission.com /rjsg2/
therealmagnets.comuv.com /3wn19n/
thestrategicfrog.110mb.com /66vv/
tizianozanella.it/ k2cei/
trustonecorp.com /mabmpp/
unna.nu /6lie/
uroloki.omicronrecords.com /9t/
vaxjoff.com /4fpu/
veerle-frank.be /l01/
verdiverdi.net /3tt/
visionministerial.com /p191/
waffotis.se /yufi3u/
watsonspipingandheating.com /krda/
welplandeast.com /6q/
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/
williamarias.us /na9mq/
woodworksbyjamie.com /90mrjb/
wowparis2000.com /rtsz/
yin-art.be /a75ble/
youniverse.site50.net /4a9r/
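The listings above come in three shapes: a domain with its registrant e-mail, a phone-back URL with IP, ASN and e-mail, and a defanged "host /path/" entry for each compromised site. The following is an added example, not the author's tooling: a parser for those three shapes that pivots the records by registrant e-mail, IP or ASN and rebuilds blockable URLs. The sample lines are copied from the post; treating the inserted space in "host /path/" (and "host/ path/") as deliberate defanging is an assumption about the post's style.

```python
"""Parse the defanged indicator listings used in this post into records,
pivot them by registrant e-mail / IP / ASN, and rebuild blockable URLs.

Added example, not code from the original post. The defanging rule
(a space inserted around the first '/') is an assumption."""
import re
from collections import defaultdict

# Constructed sample: a few lines of each listing format used in the post.
SAMPLE_LISTING = """\
1nasa-test.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn
02f32e3.netsolhost.com /o492dc/
tizianozanella.it/ k2cei/
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ASN = re.compile(r"\bAS(\d+)\b")
EMAIL = re.compile(r"Email:\s*([^\s,]+)")
# host, optional whitespace, '/', optional whitespace, rest of path/query.
HOST_PATH = re.compile(r"^([A-Za-z0-9.-]+)\s*/\s*(\S*)$")


def parse_line(line):
    """Turn one listing line into a record, or None for a blank line."""
    line = line.strip()
    if line.startswith("- "):
        line = line[2:]
    if not line:
        return None
    # The indicator comes first; IP/ASN/e-mail attributes follow ' - '.
    indicator, _, rest = line.partition(" - ")
    m = HOST_PATH.match(indicator)
    if m:
        host = m.group(1).lower()
        url = "http://%s/%s" % (host, m.group(2))
    else:
        host, url = indicator.lower(), None
    ip, asn, email = IPV4.search(rest), ASN.search(rest), EMAIL.search(rest)
    return {
        "host": host,
        "url": url,
        "ip": ip.group(1) if ip else None,
        "asn": int(asn.group(1)) if asn else None,
        "email": email.group(1).lower() if email else None,
    }


def parse_listing(text):
    """Parse every non-blank line of a listing."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def pivot(records, key):
    """Group hosts by one attribute ('email', 'ip' or 'asn'), skipping unknowns."""
    groups = defaultdict(list)
    for r in records:
        if r[key] is not None and r["host"] not in groups[r[key]]:
            groups[r[key]].append(r["host"])
    return dict(groups)


def blocklist(records):
    """Distinct proxy-blocklist entries: the full URL where the post gives a
    path, otherwise the bare host."""
    out = []
    for r in records:
        item = r["url"] or r["host"]
        if item not in out:
            out.append(item)
    return out


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(pivot(recs, "email"))
    print("\n".join(blocklist(recs)))
```

Pivoting on the registrant e-mail is what ties the 34 scareware domains above to one operator; the same function applied to the later posts on this page groups the alex1978a@bigmir.net and gkook@checkjemail.nl infrastructure in the same way.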


Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.

The best is yet to come, stay tuned!

Related Koobface gang/botnet research:
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →


U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

May 04, 2010
UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.

jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net

Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
    - jumpsearches.com/bing.com /error.js.php
        - jumpsearches.com/bing.com /pdf.php
            - jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
                - jumpsearches.com/bing.com /load.php?spl=pdf_2030
                    - jumpsearches.com/bing.com /load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign have continued introducing new domains over the past 24 hours -- all of which are currently in a cover-up phase, pointing to 127.0.0.1. What's particularly interesting is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout, now responding at 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, having moved from the previously known IP 188.124.16.134.

mazcostrol.com is not just a phone back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)

Not surprisingly, AS44565 and AS49770 where mazcostrol.com was hosted, are also the home of currently active ZeuS crimeware C&Cs.

AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)
brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn


AS44565 (VITAL VITAL TEKNOLOJI)
spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net


UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in_t.php which then redirects to my Blogger profile.

In fact, 217.23.14.14, the IP of the client-side exploit serving domains, also redirects there, with the actual campaign in a cover-up phase and the original domain now responding with 127.0.0.1.

Let's see for how long, until then, The Beatles - You Know My Name seems to be the appropriate music choice.


AVG and PandaLabs are reporting that the web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side exploits that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs compromise: not only is the iFrame-d domain registered using the same email as the client-side exploit serving domains from the NetworkSolutions campaign -- alex1978a@bigmir.net -- but the dropped scareware's phone back location -- mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net -- is also identical to the one used in that campaign, including the affiliate ID used by the original cybercriminal.

The client-side exploit serving domain used in the U.S. Treasury site compromise has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and the exploits used in the U.S. Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
    - thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
        - thejustb.com /just/pdf.php
            - thejustb.com /just/1.pdf
                - thejustb.com /just/load.php?spl=javas
                    - thejustb.com /just/j1_893d.jar
                        - thejustb.com /just/j2_079.jar

- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)

Upon successful exploitation, the dropped grepad.exe phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, the same phone back location also used in the NetworkSolutions mass compromise campaign.
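Both exploitation structures in this post (the jumpsearches.com/bing.com chain in the May 08 update and the grepad.com -> thejustb.com/just/ chain above) follow the same request sequence: a redirector, a PDF stage, a browser-profiling request carrying `spl=`, `br=` and `vers=`, and a `load.php?spl=...` or `.jar` payload fetch. The following is an added example, not the author's tooling: it turns those URL patterns into a web-proxy log check that groups matching requests per client and reports which clients reached a payload stage. The log format (timestamp, client IP, method, URL, status) and the log lines are constructed for the demo; the URL patterns are taken from the post.

```python
"""Flag exploit-kit style request sequences in web-proxy logs, using the
URL patterns quoted in this post's two exploitation structures.

Added example, not code from the original post. The log format and the
log lines are constructed; the patterns come from the post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Kit stages as regexes over path+query, in the order they are checked.
STAGES = [
    ("landing", re.compile(r"/in\.cgi\?\d+$")),
    ("pdf", re.compile(r"/pdf\.php$|/\d+\.pdf$")),
    ("profiling", re.compile(r"\?spl=\d+&br=[A-Za-z]+&vers=")),
    ("payload", re.compile(r"/load\.php\?spl=[A-Za-z0-9_-]+$|/j\d+_[0-9a-f]+\.jar$")),
]

# Constructed log format: timestamp client method url status.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed proxy log: one client walking the grepad.com/thejustb.com chain,
# one benign client, one client hitting the jumpsearches.com chain.
SAMPLE_LOG = """\
2010-05-04T10:00:01 10.0.0.5 GET http://grepad.com/in.cgi?3 302
2010-05-04T10:00:02 10.0.0.5 GET http://thejustb.com/just/ 200
2010-05-04T10:00:03 10.0.0.5 GET http://thejustb.com/just/pdf.php 200
2010-05-04T10:00:04 10.0.0.5 GET http://thejustb.com/just/1.pdf 200
2010-05-04T10:00:05 10.0.0.5 GET http://thejustb.com/just/load.php?spl=javas 200
2010-05-04T10:00:06 10.0.0.5 GET http://thejustb.com/just/j1_893d.jar 200
2010-05-04T10:00:07 10.0.0.9 GET http://www.example.org/index.html 200
2010-05-04T10:00:08 10.0.0.9 GET http://www.example.org/docs/report.pdf 200
2010-05-04T10:00:09 10.0.0.12 GET http://jumpsearches.com/bing.com/load.php?spl=mdac 200
2010-05-04T10:00:10 10.0.0.12 GET http://jumpsearches.com/bing.com/?spl=2&br=MSIE&vers=7.0&s= 200
"""


def classify_url(url):
    """Return the kit stage a URL matches, or None for anything else."""
    parts = urlsplit(url)
    path_q = parts.path or "/"
    if parts.query:
        path_q += "?" + parts.query
    for stage, rx in STAGES:
        if rx.search(path_q):
            return stage
    return None


def analyze(log_text):
    """Group matching requests per client and report who reached a payload."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        stage = classify_url(url)
        if stage:
            hits[client].append((ts, stage, urlsplit(url).hostname))
    report = {}
    for client, seq in hits.items():
        stages = [s for _, s, _ in seq]
        report[client] = {
            "stages": stages,
            "hosts": sorted({h for _, _, h in seq}),
            "reached_payload": "payload" in stages,
        }
    return report


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(client, info)
```

A client that reaches `payload` is the one to pull for the dropped executable and its phone-back traffic to mazcostrol.com; a client that stops at `pdf` or `profiling` still tells you the redirector (here the compromised site plus grepad.com) was reached.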

Known MD5s used by the same campaigner in previous campaigns, phoning back to the same domain with the identical affiliate ID:
MD5=4734162bb33eff7af7e18243821b397e
MD5=1c9ce1e5f4c2f3ec1791554a349bf456
MD5=d11d76c6ecf6a9a87dcd510294104a66
MD5=c33750c553e6d6bdc7dac6886f65b51d
MD5=74cdadfb15181a997b15083f033644d0
MD5=3c7d8cdc73197edd176167cd069878bd

Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!

Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions



GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

April 27, 2010

UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update on the campaign's structure, the changed IPs, and the newly introduced scareware samples and phone back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:
- update2.keepinsafety.net /?jbjyhxs=kdjf0tXm1J2a0Nei2Mrh24U%3D
- www5.my-security-engine.net
- report.land-protection.com /Reports/SoftServiceReport.php?verint
- 91.207.192.24 - Email: gkook@checkjemail.nl
- secure2.securexzone.net/?abbr=MSE&pid=3 - 78.159.108.170 - Email: gkook@checkjemail.nl
- 173.232.149.92 /chrome/report.html?uid=2045&wv=wvXP&
- 74.118.193.47 /report.html?wv=wvXP&uid=50&lng=
- 74.125.45.100
- update1.keepinsafety.net
- 94.228.209.223 - Email: gkook@checkjemail.nl

Related scareware domains part of the ongoing campaign are also parked on the following IPs:

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:

Parked on 93.174.92.225, AS29073, ECATEL-AS, Ecatel Network (ns2.safelinkhere.net) are also:

Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place at GoDaddy, according to WPSecurityLock.

Since the campaign's URLs are still active, and since historical OSINT gives even more insight into the known operations of previously profiled cybercriminals (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used, cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk, was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com, is another domain known to have been used in similar attacks in February 2010: iss9w8s89xx.org.


Parked on 217.23.5.51 are related scareware domains part of the campaign:

Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone-back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although cechirecom.com/js.php is not currently responding, another currently active domain, registered to hilarykneber@yahoo.com, is parked on the same IP, 61.4.82.212.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19
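The pivoting done throughout this post (landing domain to IP to registrant email, plus following the js.php to ?p= to ?p= redirect chain) as an added Python example; this is not the author's tooling. It assumes records written in the post's own "host - IP - Email: ..." notation with indentation marking a redirect hop, and the sample records are constructed from values quoted above.

```python
"""Added example (not the author's tooling): parse the 'host - IP - Email:'
records in this post's notation and pivot on shared IPs and registrants."""
import re
from collections import defaultdict

# Constructed sample records in the post's notation; indentation = redirect hop.
SAMPLE = """\
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19
ns1.stablednsstuff.com - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk
update1.savecompnow.com - 94.228.209.223 - Email: gkook@checkjemail.nl
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_records(text):
    """One dict per line: host, ip, email, parent (previous redirect hop)."""
    records, stack = [], []  # stack of (indent, host) for the open chain
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        fields = [f.strip() for f in raw.strip().lstrip("- ").split(" - ")]
        host = fields[0].split("/")[0].split("?")[0].lower()  # drop path/query
        rec = {"host": host, "ip": None, "email": None, "parent": None}
        for f in fields[1:]:
            if IPV4.match(f):
                rec["ip"] = f
            elif f.lower().startswith("email:"):
                rec["email"] = f.split(":", 1)[1].strip().lower()
        while stack and stack[-1][0] >= indent:  # close equal/deeper hops
            stack.pop()
        rec["parent"] = stack[-1][1] if stack else None
        stack.append((indent, host))
        records.append(rec)
    return records

def redirect_chain(records, start):
    """Follow the redirect chain hop by hop from the landing host."""
    chain, current = [start], start
    while True:
        nxt = [r["host"] for r in records if r["parent"] == current]
        if not nxt:
            return chain
        current = nxt[0]
        chain.append(current)

def pivot(records):
    """Hosts per IP, hosts per registrant email, and IPs whose hosts were
    registered under more than one email (the 'connect the dots' pivot)."""
    by_ip, by_email, emails = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        if r["ip"]:
            by_ip[r["ip"]].add(r["host"])
        if r["email"]:
            by_email[r["email"]].add(r["host"])
        if r["ip"] and r["email"]:
            emails[r["ip"]].add(r["email"])
    shared = {ip: e for ip, e in emails.items() if len(e) > 1}
    return dict(by_ip), dict(by_email), shared
```

Feeding it the full record set from a post like this one turns the manual "parked on the same IP, registered to a known email" reasoning into a repeatable query over the whole campaign.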


Parked on 209.212.149.19:

Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solutions' case (Dissecting the WordPress Blogs Compromise at Network Solutions), the end user always has to be protected from himself through basic security auditing practices applied to default WordPress installations. Expecting the end user to self-audit is wishful thinking.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.