Dissecting the Mass DreamHost Sites Compromise
May 11, 2010
Yet another mass site compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S. Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.
What's particularly interesting about the campaign is not just the Hilary Kneber connection, but also the fact that a key command and control domain of the Koobface botnet resides within the same AS as the nameservers and one of the actual domains (kdjkfjskdfjlskdjf.com/ kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns.
These gangs are either aware of one another's existence, are the exact same gang applying basic evasive practices on multiple fronts, or are simply customers of the same cybercrime-friendly hosting provider.
The DreamHost campaign structure, including detection rates and phone-back locations, is as follows:
- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com
- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl
- www1.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl
Active client-side exploit serving and redirector domains parked on the same IP 109.196.143.56:
zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: hilarykneber@yahoo.com
yahoo-statistic.com - Email: hilarykneber@yahoo.com
primusdns.ru - Email: samm_87@email.com
freehost21.tw - Email: hilarykneber@yahoo.com
alert35.com.tw - Email: admin@zalert35.com.tw
indesignstudioinfo.com - Email: hilarykneber@yahoo.com
Historically, the following domains were also parked on the same IP 109.196.143.56:
bananajuice21.net - Email: hilarykneber@yahoo.com
winrar392.net - Email: lacyjerry1958@gmail.com
best-soft-free.com - Email: lacyjerry1958@gmail.com
setyupdate.com - Email: admin@setyupdate.com
Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl
update1.myownguardian.com - 74.118.194.78 - Email: gkook@checkjemail.nl
secure1.saefty-guardian.com - 94.228.220.112 - Email: gkook@checkjemail.nl
report.zoneguardland.net - 91.207.192.25 - Email: gkook@checkjemail.nl
report.land-protection.com - 91.207.192.24 - Email: gkook@checkjemail.nl
www5.our-security-engine.net - 94.228.220.111 - Email: gkook@checkjemail.nl
report1.stat-mx.xorg.pl
update1.securepro.xorg.pl
Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI:
ns1.oklahomacitycom.com
ns2.oklahomacitycom.com
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection, in the form of urodinam.net, which is also hosted within AS6851 and currently responds to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where the Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client-side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php
Detection rates for the malware pushed from the same IP where a key Koobface botnet C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)
The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.
Given enough historical OSINT, the cybercrime ecosystem can be a pretty small place.
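The pivoting this post does by hand (same registrant e-mail, same IP, same AS) is easy to automate. The following is an added example, not code from the original post: it parses records written in the same "domain - IP, ASN - Email: x" layout used above (the values are copied from this post; the selection and the record layout are ours) and joins domains that share a pivot value. A shared AS is deliberately left out of the default pivots, which is exactly the point made above: it may mean the same gang, or only the same hosting provider.

```python
import re
from collections import defaultdict

# Constructed sample in the same "domain - IP, ASN - Email: x" layout the post uses.
# The values are copied from the post; the selection and layout are ours.
SAMPLE = """\
zettapetta.com - 109.196.143.56, AS39150 - Email: hilarykneber@yahoo.com
yahoo-statistic.com - Email: hilarykneber@yahoo.com
bananajuice21.net - Email: hilarykneber@yahoo.com
winrar392.net - Email: lacyjerry1958@gmail.com
www4.suitcase52td.net - 78.46.218.249 - Email: gkook@checkjemail.nl
update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl
kdjkfjskdfjlskdjf.com - 91.188.59.98 - AS6851
urodinam.net - 91.188.59.10 - AS6851
1zabslwvn538n4i5tcjl.com - 91.188.59.10 - Email: michaeltycoon@gmail.com
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ASN_RE = re.compile(r"\bAS\d+\b")
EMAIL_RE = re.compile(r"Email:\s*([^\s,;]+)")


def parse_records(text):
    """One record per line: the domain is the first ' - ' separated field; IPs,
    ASNs and registrant e-mails are pulled from the rest of the line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append({
            "domain": line.split(" - ", 1)[0].lower(),
            "ip": set(IP_RE.findall(line)),
            "asn": set(ASN_RE.findall(line)),
            "email": {m.lower() for m in EMAIL_RE.findall(line)},
        })
    return records


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records, pivots=("email", "ip")):
    """Join domains that share a pivot value; returns clusters, largest first.
    'asn' is not a default pivot: a shared AS only says two domains use the
    same hosting provider, the weakest of the three links."""
    ds = DisjointSet()
    by_value = defaultdict(list)
    for r in records:
        ds.find(r["domain"])  # register singletons too
        for p in pivots:
            for v in r[p]:
                by_value[(p, v)].append(r["domain"])
    for domains in by_value.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(set)
    for r in records:
        groups[ds.find(r["domain"])].add(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def linked(records, a, b, pivots=("email", "ip")):
    """True when a and b land in the same cluster under the given pivots."""
    return any(a in g and b in g for g in cluster(records, pivots))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, pivots in (("strong", ("email", "ip")), ("weak", ("email", "ip", "asn"))):
        print(f"{label} pivots {pivots}:")
        for g in cluster(recs, pivots):
            print("  ", ", ".join(g))
```

With the strong pivots, kdjkfjskdfjlskdjf.com and urodinam.net stay in separate clusters; adding the AS pivot merges them. That difference is the distinction drawn above between a shared operator and a shared provider, so keep the AS-level join as a separate, lower-confidence view rather than folding it into the main graph.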
Related posts:
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions
Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Deja vu!
Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-traffic torrent tracker, is currently serving live exploits through a malicious ad served by "Fulldls.com - Your source for daily torrent downloads".
Why deja vu? Because the TorrentReactor.net malware campaign takes me back to 2008 and some of the very first extensive profiling of Russian Business Network activity: their mass "input validation abuse" campaign back then successfully appeared on numerous high-traffic web sites, serving, guess what? Scareware.
Moreover, despite the surprisingly large number of people still impressed by cybercriminals' use of HTTP referrers as an evasive practice, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:
- So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from where you're supposed to come from, you get a 404 error message, deceptive to the very end of it.
The campaign structure, including detection rates, phone-back locations and ZeuS crimeware fast-flux related data, is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
- ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)
- lo.dep.lt /info/us1.html - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD
- 91.216.3.108 /de1/index.php; 91.216.3.108 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
- 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru
Upon successful exploitation, the following malicious PDF is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET - Result: 6/40 (15%), which when executed phones back to 91.216.3.108 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru
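As an added example (not part of the original post or of Jerome Segura's write-up), here is how the redirect chain above can be reconstructed on the defender's side from web-proxy logs. The log layout, the client address, the timestamps and the path of the PDF fetch are constructed; the hosts follow the chain listed above, with query strings shortened. It walks Referer headers backwards from any fetch whose content type is an exploit document or a binary, and flags a later Referer-less fetch from the same payload host as a likely callback.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log in a layout defined for this example:
#   epoch client method url referer content-type status   ('-' = no Referer)
# Hosts follow the chain in the post; the client address, timestamps and the
# path of the PDF fetch are ours.
SAMPLE_LOG = """\
1272614400.123 10.0.0.5 GET http://www.torrentreactor.net/ - text/html 200
1272614401.456 10.0.0.5 GET http://ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476 http://www.torrentreactor.net/ text/html 200
1272614402.001 10.0.0.5 GET http://ad.leet.la/stats http://ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476 text/html 302
1272614402.500 10.0.0.5 GET http://lo.dep.lt/info/us1.html http://ad.leet.la/stats text/html 200
1272614403.100 10.0.0.5 GET http://91.216.3.108/ca1/main.php http://lo.dep.lt/info/us1.html text/html 200
1272614404.000 10.0.0.5 GET http://91.216.3.108/ca1/eac27d.pdf http://91.216.3.108/ca1/main.php application/pdf 200
1272614409.000 10.0.0.5 GET http://91.216.3.108/ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr - application/octet-stream 200
1272614500.000 10.0.0.9 GET http://www.example.com/report.pdf http://www.example.com/index.html application/pdf 200
"""

# Content types that mark the end of a drive-by chain: exploit document or dropped binary.
PAYLOAD_TYPES = {"application/pdf", "application/x-msdownload", "application/octet-stream"}


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ctype, status = line.split()
        rows.append({"ts": float(ts), "client": client, "method": method, "url": url,
                     "referer": None if referer == "-" else referer,
                     "ctype": ctype, "status": int(status)})
    return rows


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def reconstruct_chains(rows, min_hosts=3):
    """For every payload fetch, walk Referer links backwards through the same
    client's earlier requests. A chain crossing min_hosts or more distinct hosts
    before the payload is reported; a later payload fetch with no Referer from a
    host already seen at the end of such a chain is reported as a likely callback."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, reqs in by_client.items():
        last_seen = {}        # url -> most recent request for that url
        payload_hosts = set()
        for r in sorted(reqs, key=lambda x: x["ts"]):
            if r["ctype"] in PAYLOAD_TYPES:
                if r["referer"] is None and host_of(r["url"]) in payload_hosts:
                    findings.append({"client": client, "kind": "callback",
                                     "chain": [r["url"]], "hosts": [host_of(r["url"])]})
                else:
                    chain, ref = [r["url"]], r["referer"]
                    while ref in last_seen and len(chain) < 32:  # bound guards self-referer loops
                        chain.append(ref)
                        ref = last_seen[ref]["referer"]
                    chain.reverse()
                    hosts = []
                    for u in chain:
                        if host_of(u) not in hosts:
                            hosts.append(host_of(u))
                    if len(hosts) >= min_hosts:
                        findings.append({"client": client, "kind": "exploit-chain",
                                         "chain": chain, "hosts": hosts})
                        payload_hosts.add(hosts[-1])
            last_seen[r["url"]] = r
    return findings


if __name__ == "__main__":
    for f in reconstruct_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], f["kind"], " -> ".join(f["hosts"]))
```

Because the chain is keyed on Referer, a sensor that only records the final fetch sees one host and stays under the threshold, so keep the whole session. The same header is why re-validating a URL from such a chain without the recorded Referer can return the deceptive 404 described above; validation tooling should replay it as logged.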
Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: bust@qx8.ru
jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: blare@bigmailbox.ru
laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru
line-ace.com - Email: greysy@gmx.com
xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: mated@freemailbox.ru
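The fast-flux set above resolves each name to a handful of addresses scattered over unrelated consumer networks. As an added example (not from the original post), the following scores that spread for one name and measures how much two names draw from the same pool. The resolutions are the ones listed above for two of the domains; the static host and the thresholds are constructed for contrast.

```python
from ipaddress import ip_address, ip_network

# Constructed input: the A records the post lists for two fast-fluxed domains, plus a
# made-up static host whose two addresses sit in one documentation /24 (TEST-NET-2).
RESOLUTIONS = {
    "jademason.com": ["213.156.118.221", "217.201.4.95", "24.139.152.4", "83.10.238.182",
                      "85.176.73.211", "112.201.223.129", "119.228.44.124", "170.51.231.93"],
    "laxahngeezoh.com": ["190.135.224.89", "213.156.118.221", "217.201.4.95", "24.139.152.4",
                         "83.10.238.182", "85.176.73.211", "112.201.223.129", "119.228.44.124"],
    "static.example.net": ["198.51.100.10", "198.51.100.11"],
}


def flux_profile(ips):
    """Diversity of one name's A records: address count and the number of distinct
    /8 and /16 prefixes they span. A pool of infected consumer hosts scatters across
    unrelated networks; a CDN or anycast service stays within a few adjacent prefixes."""
    addrs = {ip_address(ip) for ip in ips}
    return {
        "ips": len(addrs),
        "slash8": len({ip_network(f"{a}/8", strict=False) for a in addrs}),
        "slash16": len({ip_network(f"{a}/16", strict=False) for a in addrs}),
    }


def looks_fluxed(ips, min_ips=5, min_slash8=4):
    """Thresholds are constructed starting points; tune them against your own DNS telemetry."""
    p = flux_profile(ips)
    return p["ips"] >= min_ips and p["slash8"] >= min_slash8


def shared_pool(resolutions):
    """Jaccard overlap of address sets for every pair of names: domains drawing from
    the same flux pool overlap heavily even when their registrants differ."""
    names = sorted(resolutions)
    out = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = set(resolutions[a]), set(resolutions[b])
            out[(a, b)] = len(sa & sb) / len(sa | sb)
    return out


if __name__ == "__main__":
    for name, ips in RESOLUTIONS.items():
        print(name, flux_profile(ips), "fluxed" if looks_fluxed(ips) else "static")
    for pair, score in shared_pool(RESOLUTIONS).items():
        print(pair, f"{score:.2f}")
```

A single snapshot only shows spread; repeating the resolution over time and watching the set churn is what separates fast-flux from a large but stable pool, and the overlap score is what ties names with different registrant e-mails to one infrastructure.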
Name servers of notice:
ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net
ns2.rexonna.net - 25.120.19.23
ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com
ns2.line-ace.com - 67.15.223.219
ns1.growthproperties.net - 62.19.3.2 - Email: growth@support.net
ns2.growthproperties.net - 15.94.34.196
ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158
These particular iFrame injection campaigns of the Russian Business Network from 2008 used to rely on the following URL for their malicious purposes: a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Here are excerpts from previously profiled campaigns, including one directly linked to the Koobface gang's blackhat SEO operations.
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:
- The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.
What this proves is fairly simple - with or without the Russian Business Network as we used to know it, its customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblock ownership.
Related posts:
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing
Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" coverage, it's time to summarize some of the gang's botnet spreading activities from the last couple of days.
Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place and started pushing links to compromised sites across Facebook, in combination with an interesting "visual social engineering trick" which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tip.
- Recommended reading: 10 things you didn't know about the Koobface gang
This active use of the "trusted reputation chain", like the majority of the gang's social engineering centered tactics, aims to exploit the ubiquitous weak link: the average Internet user. Here's an example of the most recent campaign.
The spreading of fully working links such as the following across Facebook:
facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk
aims to trick the infected user's friends into thinking this is a Facebook.com related link. Clicking on the link inside Facebook leads to the "Be careful" window showing just the bit.ly redirector, which finally redirects to 198.65.28.86/swamt/, where a bogus Koobface video has already been seen by the 2,601 users who clicked on the link.
The scareware redirectors/actual serving domains are parked at 195.5.161.126, AS31252, STARNET-AS StarNet Moldova:
1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn
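As an added example (not code from the original post), the following does two things on the defender's side for the campaign above: it unwraps facebook.com/l/<token>;<target> links of the form quoted above so that a reputation check sees bit.ly rather than facebook.com, and it matches hostnames against the naming template of the scareware domain list above (a digit prefix plus a fixed stem, or a status/scan stem plus a digit). The negative samples and the exact regular expression are ours.

```python
import re
from urllib.parse import urlsplit

# The wrapped links quoted in the post, plus one ordinary Facebook URL and one
# unrelated link as constructed negatives.
SAMPLE_LINKS = [
    "facebook.com/l/6e7e5;bit.ly/9QjjSk",
    "facebook.com/l/cdfb;bit.ly/9QjjSk",
    "http://facebook.com/l/f3c29;bit.ly/9QjjSk",
    "https://www.facebook.com/profile.php?id=1",
    "http://www.example.org/page",
]

# Constructed subset of the scareware domains listed in the post (first ten), plus negatives.
SAMPLE_DOMAINS = [
    "1nasa-test.com", "2a-scanner.com", "4check-computer.com", "5online-test.com",
    "3www2scanner.com", "mega-scan2.com", "defence-status6.com",
    "protection-status4.com", "securitystatus8.com", "security-status9.com",
    "facebook.com", "status.example.com", "nasa.gov",
]

# Naming template derived from the list in the post: a leading digit plus one of five
# stems, or a "status"/"scan" stem with a trailing digit. Templates change between
# campaigns, so treat a hit as a strong hint to combine with the hosting IP, not proof.
SCAREWARE_TEMPLATE = re.compile(
    r"^(?:\d(?:nasa-test|online-test|www2scanner|a-scanner|check-computer)"
    r"|(?:security|protection|defence)-?status\d"
    r"|mega-scan\d)\.com$", re.IGNORECASE)


def _with_scheme(url):
    return url if re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I) else "http://" + url


def unwrap_link(url):
    """Return the real destination of a facebook.com/l/<token>;<target> link.
    The host the user reads is facebook.com, but everything after the ';' is
    where the browser is sent. Links that are not wrapped come back unchanged
    (with a scheme added) so one reputation check can serve both cases."""
    parts = urlsplit(_with_scheme(url))
    host = (parts.hostname or "").lower()
    if host in ("facebook.com", "www.facebook.com") and parts.path.startswith("/l/"):
        _, _, target = parts.path[len("/l/"):].partition(";")
        if target:
            if parts.query:
                target += "?" + parts.query
            return _with_scheme(target)
    return _with_scheme(url)


def destination_host(url):
    """Host a reputation lookup should be keyed on, after unwrapping."""
    return (urlsplit(unwrap_link(url)).hostname or "").lower()


def matches_template(domain):
    return SCAREWARE_TEMPLATE.match(domain.strip().lower()) is not None


if __name__ == "__main__":
    for u in SAMPLE_LINKS:
        print(f"{u:45s} -> {destination_host(u)}")
    print("template hits:", [d for d in SAMPLE_DOMAINS if matches_template(d)])
```

The unwrapping matters for any gateway or feed that scores links by their leading host: all three quoted links score as facebook.com until the wrapper is removed, after which they collapse to the single bit.ly target. The template regex is campaign-specific by design; regenerate it from the current domain list rather than trusting it across campaigns.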
Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%)
The scareware sample phones back to:
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn
The complete list of compromised sites distributed by Koobface-infected Facebook users:
02f32e3.netsolhost.com /o492dc/
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2cgg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /1hkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/
euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /l04s8m2/
forwardmarchministries.org /1bc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /1azl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /j15/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fltwizy/
hottesttomato.com /6b/
iglesiabetania1.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/
jsacm.com /z6/
kabchicago.info /1cgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /cg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /v1g/
mia-nilsson.se /cmc/
microstart.fr /lzu1/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /z1/
neweed.org /x4t/
nosneezes.com /5hjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3a1gz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvl.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9q115/
sgottnerivers.com /y0j16rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/
slcsc.co.uk /0kem/
soderback.eu /xvg9/
spel-service.com /xm/
sporthal.msolutions.be /vyx3yu/
steelstoneind.com /yzp/
stgeorgesteel.com /ji/
stgeorgesteel.com /ylnwlr/
stubbieholderking.com /dyarx1/
sweet-peasdog.se /0rcjo/
taekwondovelden.nl /mhnskk/
testjustin.comze.com /oafxzy/
the-beehive.com /r8x3cm/
the-beehive.com /weqw7e/
thedallestransmission.com /rjsg2/
therealmagnets.comuv.com /3wn19n/
thestrategicfrog.110mb.com /66vv/
tizianozanella.it /k2cei/
trustonecorp.com /mabmpp/
unna.nu /6lie/
uroloki.omicronrecords.com /9t/
vaxjoff.com /4fpu/
veerle-frank.be /l01/
verdiverdi.net /3tt/
visionministerial.com /p191/
waffotis.se /yufi3u/
watsonspipingandheating.com /krda/
welplandeast.com /6q/
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/
williamarias.us /na9mq/
woodworksbyjamie.com /90mrjb/
wowparis2000.com /rtsz/
yin-art.be /a75ble/
youniverse.site50.net /4a9r/
Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.
The best is yet to come, stay tuned!
Related Koobface gang/botnet research:
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities, from the last couple of days.
Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites across Facebook, combined with an interesting "visual social engineering trick". Sadly, it works pretty well: because the link the victim sees starts with facebook.com, it completely undermines the "don't click on links pointing to unknown sites" type of security tip.
- Recommended reading: 10 things you didn't know about the Koobface gang
This active use of a "trusted reputation chain", like the majority of the gang's social engineering tactics, aims to exploit the ubiquitous weak link: the average Internet user. Here's an example from the most recent campaign.
Fully working links such as the following are spread across Facebook:
facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk
They aim to trick the infected user's friends into believing this is a Facebook.com link: facebook.com/l/ is Facebook's own outbound link redirector, so the visible URL begins with facebook.com while the real target is the bit.ly link after the semicolon. Clicking the link inside Facebook brings up the "Be careful" interstitial, which shows only the bit.ly redirector; bit.ly then redirects to 198.65.28.86/swamt/, where a bogus Koobface video page had already been seen by the 2,601 users who clicked on the link.
The scareware redirectors/actual serving domains are parked at 195.5.161.126, AS31252, STARNET-AS StarNet Moldova:
1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn
Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%)
The scareware sample phones back to:
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn
The complete list of compromised sites whose links are being distributed by Koobface-infected Facebook users:
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2cgg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /1hkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/
euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /l04s8m2/
forwardmarchministries.org /1bc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /1azl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /j15/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fltwizy/
hottesttomato.com /6b/
iglesiabetania1.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/
jsacm.com /z6/
kabchicago.info /1cgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /cg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /v1g/
mia-nilsson.se /cmc/
microstart.fr /lzu1/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /z1/
neweed.org /x4t/
nosneezes.com /5hjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3a1gz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvl.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9q115/
sgottnerivers.com /y0j16rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/
slcsc.co.uk /0kem/
soderback.eu /xvg9/
spel-service.com /xm/
sporthal.msolutions.be /vyx3yu/
steelstoneind.com /yzp/
stgeorgesteel.com /ji/
stgeorgesteel.com /ylnwlr/
stubbieholderking.com /dyarx1/
sweet-peasdog.se /0rcjo/
taekwondovelden.nl /mhnskk/
testjustin.comze.com /oafxzy/
the-beehive.com /r8x3cm/
the-beehive.com /weqw7e/
thedallestransmission.com /rjsg2/
therealmagnets.comuv.com /3wn19n/
thestrategicfrog.110mb.com /66vv/
tizianozanella.it /k2cei/
trustonecorp.com /mabmpp/
unna.nu /6lie/
uroloki.omicronrecords.com /9t/
vaxjoff.com /4fpu/
veerle-frank.be /l01/
verdiverdi.net /3tt/
visionministerial.com /p191/
waffotis.se /yufi3u/
watsonspipingandheating.com /krda/
welplandeast.com /6q/
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/
williamarias.us /na9mq/
woodworksbyjamie.com /90mrjb/
wowparis2000.com /rtsz/
yin-art.be /a75ble/
youniverse.site50.net /4a9r/
Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.
The best is yet to come, stay tuned!
Related Koobface gang/botnet research:
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
May 04, 2010
UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.
jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net
Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
- jumpsearches.com/bing.com /error.js.php
- jumpsearches.com/bing.com /pdf.php
- jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
- jumpsearches.com/bing.com /load.php?spl=pdf_2030
- jumpsearches.com/bing.com /load.php?spl=MS09-002
UPDATED: Thursday, May 06, 2010: Over the past 24 hours the cybercriminals behind this ongoing campaign have continued introducing new domains, all of which are currently in a cover-up phase, resolving to 127.0.0.1. What's particularly interesting is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.
- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
All the samples phone back to mazcostrol.com/inst.php?aid=blackout, which now resolves to 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, having moved from the previously known IP 188.124.16.134.
mazcostrol.com is not just a phone-back location; it's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)
Not surprisingly, AS44565 and AS49770, where mazcostrol.com has been hosted, are also home to currently active ZeuS crimeware C&Cs.
AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)
brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn
AS44565 (VITAL TEKNOLOJI)
spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net
UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in_t.php, which then redirects to my Blogger profile.
In fact, 217.23.14.14, the IP of the client-side exploit serving domains, also redirects there, with the actual campaign in a cover-up phase and the original domain now resolving to 127.0.0.1.
Let's see for how long, until then, The Beatles - You Know My Name seems to be the appropriate music choice.
AVG and PandaLabs are reporting that the web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side exploits that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).
What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs compromise. Not only is the iFrame-d domain registered with the same email as the client-side exploit serving domains from the NetworkSolutions campaign -- alex1978a@bigmir.net -- but the dropped scareware's phone-back location -- mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net -- is identical to the one used in that campaign, down to the affiliate ID (aid=blackout) used by the same cybercriminal.
The client-side exploit serving domain used in the U.S Treasury site compromise has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.
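The attribution in this post, and in the Koobface post above where dozens of scareware domains share one registrant email and one IP, rests on pivoting: two indicators belong to the same operation when they share a registrant email, a hosting IP, a phone-back host, or the affiliate ID carried in the phone-back URL. The script below is an added example, not code from the original post. It clusters indicators transcribed from the two posts plus one constructed, unrelated control record (example-unrelated.test, which must stay alone), and reports the evidence linking any pair. The AS number is kept on each record but deliberately not used as a join key, because AS co-location on its own only says two things share a hosting provider.

```python
"""
Infrastructure pivoting over the indicators in this post.

Added example, not the post's own code. Groups domains and samples into
campaigns when they share a registrant e-mail, a hosting IP, a phone-back
host, or the affiliate ID in the phone-back URL. The AS number is recorded
but NOT used as a join key: a shared hosting provider is weak evidence.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators transcribed from the post. A missing attribute means the post
# did not state it. The last entry is a constructed control record that
# shares nothing with the others and must end up in a cluster of its own.
RECORDS = [
    # Koobface scareware landing domains: same IP, same registrant
    {"name": "1nasa-test.com", "ip": "195.5.161.126", "asn": 31252, "email": "test@now.net.cn"},
    {"name": "security-status1.com", "ip": "195.5.161.126", "asn": 31252, "email": "test@now.net.cn"},
    {"name": "mega-scan2.com", "ip": "195.5.161.126", "asn": 31252, "email": "test@now.net.cn"},
    # Koobface scareware phone-back hosts: different IPs and ASes, same registrant
    {"name": "windows32-sys.com", "ip": "91.213.157.104", "asn": 13618, "email": "contact@privacy-protect.cn"},
    {"name": "sysdllupdates.com", "ip": "87.98.134.197", "asn": 16276, "email": "contact@privacy-protect.cn"},
    {"name": "RunAV_312s2.exe", "kind": "sample",
     "phone_back": ["windows32-sys.com/download/winlogo.bmp", "sysdllupdates.com/?b=312s2"]},
    # U.S. Treasury / NetworkSolutions campaign
    {"name": "grepad.com", "ip": "188.124.16.133", "asn": 44565, "email": "alex1978a@bigmir.net"},
    {"name": "thejustb.com", "ip": "217.23.14.14", "asn": 49981, "email": "alex1978a@bigmir.net"},
    {"name": "jumpsearches.com", "ip": "217.23.14.14", "asn": 49981, "email": "alex1978a@bigmir.net"},
    {"name": "mazcostrol.com", "ip": "188.124.16.134", "asn": 44565, "email": "alex1978a@bigmir.net"},
    {"name": "grepad.exe", "kind": "sample", "phone_back": ["mazcostrol.com/inst.php?aid=blackout"]},
    {"name": "ebcfaa2f595ccea81176f6f125b31ac7", "kind": "sample",
     "phone_back": ["mazcostrol.com/inst.php?aid=blackout"]},
    # constructed control record (hypothetical, not from the post)
    {"name": "example-unrelated.test", "ip": "192.0.2.10", "asn": 64496, "email": "hostmaster@example.test"},
]


def pivot_keys(rec):
    """Return the set of (kind, value) keys this record can be joined on."""
    keys = set()
    if rec.get("kind", "domain") == "domain":
        keys.add(("host", rec["name"].lower()))      # lets samples join their C&C domain
    if rec.get("email"):
        keys.add(("email", rec["email"].lower()))
    if rec.get("ip"):
        keys.add(("ip", rec["ip"]))
    for url in rec.get("phone_back", []):
        parts = urlsplit("http://" + url)            # the post writes URLs without a scheme
        keys.add(("host", parts.hostname.lower()))
        for aid in parse_qs(parts.query).get("aid", []):
            keys.add(("affiliate", aid))             # scareware affiliate ID, e.g. aid=blackout
    return keys


def cluster(records):
    """Union-find: every record sharing any pivot key lands in one group.
    Returns a sorted list of sorted name lists."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for idx, rec in enumerate(records):
        for key in pivot_keys(rec):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec["name"])
    return sorted(sorted(g) for g in groups.values())


def shared_keys(records, name_a, name_b):
    """Direct pivots two indicators have in common: the attribution evidence."""
    by_name = {r["name"]: r for r in records}
    return sorted(pivot_keys(by_name[name_a]) & pivot_keys(by_name[name_b]))


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(", ".join(group))
    print(shared_keys(RECORDS, "grepad.com", "mazcostrol.com"))
```

Run as-is it prints four clusters: the Moldovan scareware landing domains, the Koobface phone-back pair joined to its sample, the whole Treasury/NetworkSolutions infrastructure joined to both samples through mazcostrol.com and the blackout affiliate ID, and the control record on its own. grepad.com and mazcostrol.com sit on adjacent IPs in the same AS, yet the only direct pivot between them is the registrant email; that is exactly the evidence the post relies on.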
The exploit-serving structure, including the detection rates for the dropped scareware and exploits used in the U.S Treasury compromise campaign, is as follows:
- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
- thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
- thejustb.com /just/pdf.php
- thejustb.com /just/1.pdf
- thejustb.com /just/load.php?spl=javas
- thejustb.com /just/j1_893d.jar
- thejustb.com /just/j2_079.jar
- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)
Upon successful exploitation, the dropped grepad.exe phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, the same phone-back location used in the NetworkSolutions mass compromise campaign.
Known MD5s of samples from the same campaigner's previous campaigns, phoning back to the same domain with the identical affiliate ID:
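The exploit-serving structures listed in this post (jumpsearches.com/bing.com/load.php?spl=..., thejustb.com/just/...) have a request shape a web proxy can be made to recognise: an in.cgi?<n> redirector, a landing page that echoes the browser and version back to the kit (br=MSIE&vers=7.0), load.php?spl=<name> exploit selectors, PDF and JAR stages, and the inst.php?aid=<affiliate> check-in once the scareware runs. The detector below is an added example, not code from the original post. It runs over a constructed squid-style proxy log whose client addresses, timestamps and status codes are invented (the URLs are the ones from the post), and labels each client by how far down the chain it got.

```python
"""
Exploit-kit URL pattern detection over web-proxy logs.

Added example, not the post's own code. Flags the request shapes visible
in the post's exploitation structure and reconstructs per-client chains.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, "<epoch> <client> <method> <url> <status>".
# Clients, times and status codes are invented; URLs come from the post.
SAMPLE_LOG = """\
1273000001 10.0.0.7 GET http://bep.treas.gov/ 200
1273000002 10.0.0.7 GET http://grepad.com/in.cgi?3 302
1273000003 10.0.0.7 GET http://thejustb.com/just/?spl=2&br=MSIE&vers=7.0&s= 200
1273000004 10.0.0.7 GET http://thejustb.com/just/pdf.php 200
1273000005 10.0.0.7 GET http://thejustb.com/just/load.php?spl=javas 200
1273000006 10.0.0.7 GET http://thejustb.com/just/j2_079.jar 200
1273000040 10.0.0.7 GET http://mazcostrol.com/inst.php?aid=blackout 200
1273000050 10.0.0.9 GET http://example.test/load.php?page=2 200
1273000051 10.0.0.9 GET http://jumpsearches.com/bing.com/load.php?spl=MS09-002 200
"""


def classify(url):
    """Map one URL to (stage, detail), or None if it matches no kit pattern."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    last = path.rsplit("/", 1)[-1]                  # final path component

    if last == "in.cgi" and re.fullmatch(r"\d+", parts.query):
        return ("tds_redirect", parts.query)        # in.cgi?<n> redirector
    if "br" in query and "vers" in query:           # landing page echoing browser/version
        return ("landing", f"{query['br'][0]}/{query['vers'][0]}")
    if last == "load.php" and "spl" in query:       # exploit selector ("sploit")
        return ("exploit", query["spl"][0])
    if last == "pdf.php" or last.endswith((".pdf", ".jar")):
        return ("payload_stage", last)              # PDF / Java exploit files
    if last == "inst.php" and "aid" in query:       # scareware install check-in
        return ("install_checkin", query["aid"][0])
    return None


def parse_log(text):
    """Yield (epoch, client, url) from the constructed log format; status is ignored."""
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, client, _method, url, _status = line.split()
        yield int(epoch), client, url


def chains(text, window=300):
    """Per client: ordered kit stages seen within `window` seconds of the first
    hit, plus a verdict. 'compromised' needs a landing/exploit AND a check-in;
    kit traffic without a check-in is 'exposed'; a redirector alone is 'redirect_only'."""
    hits = defaultdict(list)
    for epoch, client, url in parse_log(text):
        tag = classify(url)
        if tag is not None:
            hits[client].append((epoch, tag[0], tag[1]))

    report = {}
    for client, events in hits.items():
        events.sort()
        start = events[0][0]
        stages = [(stage, detail) for t, stage, detail in events if t - start <= window]
        seen = {stage for stage, _ in stages}
        if "install_checkin" in seen and seen & {"landing", "exploit"}:
            verdict = "compromised"
        elif seen & {"landing", "exploit", "payload_stage"}:
            verdict = "exposed"
        else:
            verdict = "redirect_only"
        report[client] = {"stages": stages, "verdict": verdict}
    return report


if __name__ == "__main__":
    for client, info in sorted(chains(SAMPLE_LOG).items()):
        print(client, info["verdict"], info["stages"])
```

The benign example.test/load.php?page=2 line is there on purpose: load.php by itself is far too common to alert on, so the rule keys on the spl parameter, and likewise on the br/vers pair rather than on any query string. The kit hostnames rotate daily, as the update notes above show, which is why the detector matches request shape and not domains.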
MD5=4734162bb33eff7af7e18243821b397e
MD5=1c9ce1e5f4c2f3ec1791554a349bf456
MD5=d11d76c6ecf6a9a87dcd510294104a66
MD5=c33750c553e6d6bdc7dac6886f65b51d
MD5=74cdadfb15181a997b15083f033644d0
MD5=3c7d8cdc73197edd176167cd069878bd
Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!
Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions