Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

June 15, 2010

A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain's IP also responding to ZeuS C&Cs; an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign"; and a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook campaign itself.

What else is missing? The details of course.

DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27%)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

Creates 1.exe, 2.exe and the self-destructing 3.exe. Detection rates:
- 1.exe - Result: 0/41 (0.00%)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39%)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

3.exe phones back to the following domain, which also responds to the original campaign's IP 77.78.239.4:
spmfb3309.com /ab/setup.php?act=filters&id=BWKJD0NWLt3pn2Vh6YIhhBe3&ver=2

inetnum:        77.78.239.0 - 77.78.240.255
netname:        MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr:          Maximus hosting services
country:        MD
admin-c:        JB1004
tech-c:         JB1004
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20100528
source:         RIPE

person:         Jerkovic Bosko
address:        Josipa Vancasa 10
address:        71000 Sarajevo
address:        Bosnia and Herzegovina
phone:          +387 33 221093
e-mail:         bosko@globalnet.ba
nic-hdl:        JB1004
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20070309
source:         RIPE


Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains:
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAl@yahoo.com
spmfb2299.com - Email: laycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within AS42560, responding to 77.78.239.56 are also the following domains, part of the campaign:



google-server09.info - Email: kit00066@gmail.com
google-server10.info - Email: kit00066@gmail.com
google-server11.info - Email: kit00066@gmail.com
google-server12.info - Email: kit00066@gmail.com
google-server14.info - Email: kit00066@gmail.com
google-server29.info - Email: kit00066@gmail.com
google-server31.info - Email: kit00066@gmail.com
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
jhuiuhxfgxhtfkjhjth.info - Email: kit00066@gmail.com
jhuluhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
top-teen-porn.info - Email: kit00066@gmail.com

Sample mass injection URLs:
google-server09.info/ urchin.js
google-server10.info/ urchin.js
google-server11.info/ urchin.js
google-server12.info/ urchin.js
google-server14.info/ urchin.js
google-server29.info/ urchin.js
google-server31.info/ urchin.js
jhuiuhxfgxhlfkjhjth.info/ urchin.js
jhuiuhxfgxhtfkjhjth.info/ urchin.js
jhuluhxfgxhlfkjhjth.info/ urchin.js


Detection rate:
- urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5
SHA1: 66d6edef711516201f20fce676175ad16777e162

Sample exploitation structure from the mass SQL injection campaign:
- google-server31.info /urchin.js
        - Scanner-Album.com/?affid=382&subid=landing - 91.212.127.19, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com
            - websitecoolgo.com/cgi-bin /158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com
                - websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659
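The injected reference at the top of that chain is what a site owner can look for in stored content. As an added example, not code from the post, this Python scans database rows (constructed samples) for external script tags pointing at the domains listed above, or serving urchin.js from any host other than Google Analytics' own, where the legitimate tracker of that name lives; `stats.example` is a hypothetical unknown host.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Watchlist: the domains the post ties to the AS42560 mass SQL injection campaign.
CAMPAIGN_DOMAINS = {
    "google-server09.info", "google-server10.info", "google-server11.info",
    "google-server12.info", "google-server14.info", "google-server29.info",
    "google-server31.info", "jhuiuhxfgxhlfkjhjth.info",
    "jhuiuhxfgxhtfkjhjth.info", "jhuluhxfgxhlfkjhjth.info",
}
# urchin.js is Google Analytics' legacy tracker; it legitimately loads only from these hosts.
LEGIT_URCHIN_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

SCRIPT_SRC_RE = re.compile(r"""<script[^>]*?\bsrc\s*=\s*['"]?\s*([^'"\s>]+)""", re.IGNORECASE)


def extract_script_srcs(text):
    """Return (src, host) for every external <script src=...> in text.
    Entities are decoded first so an injection stored as &lt;script ...&gt; is still seen."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(unescape(text)):
        src = src.strip()
        if src.startswith("//"):          # scheme-relative reference
            src = "http:" + src
        host = urlparse(src).hostname if "://" in src else None
        if host:                          # relative paths (same-origin scripts) are ignored
            hits.append((src, host.lower()))
    return hits


def classify(src, host):
    """Why a reference is suspicious, or None if it is not."""
    if host in CAMPAIGN_DOMAINS:
        return "known_campaign_domain"
    if urlparse(src).path.lower().endswith("/urchin.js") and host not in LEGIT_URCHIN_HOSTS:
        return "urchin_js_from_non_google_host"
    return None


def scan_rows(rows):
    """rows: iterable of (table, primary_key, column, value) as pulled from the site database.
    Returns one finding per suspicious external script reference."""
    findings = []
    for table, pk, column, value in rows:
        if not isinstance(value, str):
            continue
        for src, host in extract_script_srcs(value):
            reason = classify(src, host)
            if reason:
                findings.append({"table": table, "pk": pk, "column": column,
                                 "host": host, "src": src, "reason": reason})
    return findings


# Constructed sample rows: two carry the campaign's injected tag (one entity-encoded, as it may
# sit in a database after passing through a web form), one is the legitimate tracker, one points
# at a hypothetical unknown host serving urchin.js, and one is a NULL column.
SAMPLE_ROWS = [
    ("products", 17, "description",
     "Great widget<script src=http://google-server31.info/urchin.js></script>"),
    ("products", 18, "description",
     '<p>Clean</p><script type="text/javascript" src="http://www.google-analytics.com/urchin.js"></script>'),
    ("news", 3, "body",
     "Latest&lt;script src=&quot;http://jhuiuhxfgxhlfkjhjth.info/urchin.js&quot;&gt;&lt;/script&gt;"),
    ("news", 4, "body", '<script src="//stats.example/urchin.js"></script>'),
    ("news", 5, "body", None),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}.{f['column']} pk={f['pk']}: {f['src']} ({f['reason']})")
```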


Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS:

Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains, participating in different campaigns:

The rise of custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com, a.k.a. Complife, Ltd, is conveniently responsible for AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com, responsible for AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, and also seen in the following campaigns: Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).
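The pivoting in the paragraph above (shared IPs, ASs and abuse contacts) is easy to make reproducible. The following is an added example, mine rather than the author's: it loads the hosting records from this post into a small graph, reports which campaigns share an AS or an abuse contact, and prints the chain of artefacts that links two campaigns; the campaign labels in the records are my annotation.

```python
from collections import defaultdict, deque

# Records assembled from the hosting data listed on this page. The campaign label in the first
# column is an annotation added for this example, not a field from the original post.
# (campaign, domain or None, ip, asn, registrant email or None)
RECORDS = [
    ("facebook-photo-album", "online-photo-albums.org", "77.78.239.4",   "AS42560", "protect@privacy.com.ua"),
    ("facebook-photo-album", "spmfb3309.com",           "77.78.239.4",   "AS42560", "qhyfafvqyh@whoisservices.cn"),
    ("facebook-photo-album", "newsbosnia.org",          "77.78.239.4",   "AS42560", "qggrvpvwiw@whoisservices.cn"),
    ("mass-sqli",            "google-server31.info",    "77.78.239.56",  "AS42560", "kit00066@gmail.com"),
    ("mass-sqli",            "scanner-album.com",       "91.212.127.19", "AS49087", "systemman_mk@gmail.com"),
    ("mass-sqli",            "websitecoolgo.com",       "91.188.59.220", "AS6851",  "marcomarcian@hotmailbox.com"),
    ("fake-youtube",         None,                      "91.188.60.126", "AS6851",  None),
    ("fake-youtube",         None,                      "194.8.250.154", "AS43134", None),
    ("fake-youtube",         None,                      "77.78.239.71",  "AS42560", None),
    ("koobface",             "urodinam.net",            "91.188.59.10",  "AS6851",  None),
]
# Abuse contacts per AS, as given in the post's RIPE excerpts and closing paragraph.
AS_ABUSE_CONTACTS = {
    "AS42560": "godaccs@gmail.com",
    "AS43134": "godaccs@gmail.com",
    "AS6851": "piotrek89@gmail.com",
}


def build_graph(records, abuse_contacts):
    """Undirected graph of typed nodes ("domain:", "ip:", "asn:", "email:", "campaign:");
    an edge means the two artefacts were observed together."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for campaign, domain, ip, asn, email in records:
        ip_node, asn_node = f"ip:{ip}", f"asn:{asn}"
        link(ip_node, asn_node)
        anchor = ip_node
        if domain:
            anchor = f"domain:{domain}"
            link(anchor, ip_node)
            if email:
                link(anchor, f"email:{email}")
        link(f"campaign:{campaign}", anchor)
    for asn, email in abuse_contacts.items():
        link(f"asn:{asn}", f"email:{email}")
    return g


def shortest_path(g, start, goal):
    """Breadth-first search; returns the chain of artefacts linking start to goal, or None."""
    if start not in g or goal not in g:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in g[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def campaigns_by_asn(records):
    """Which campaigns share an AS: the post's main pivot."""
    out = defaultdict(set)
    for campaign, _, _, asn, _ in records:
        out[asn].add(campaign)
    return dict(out)


def asns_by_abuse_email(abuse_contacts):
    """Which ASs share an abuse contact: the second pivot the post draws."""
    out = defaultdict(set)
    for asn, email in abuse_contacts.items():
        out[email].add(asn)
    return dict(out)


if __name__ == "__main__":
    graph = build_graph(RECORDS, AS_ABUSE_CONTACTS)
    for asn, campaigns in sorted(campaigns_by_asn(RECORDS).items()):
        print(f"{asn}: {', '.join(sorted(campaigns))}")
    for email, asns in asns_by_abuse_email(AS_ABUSE_CONTACTS).items():
        print(f"{email}: {', '.join(sorted(asns))}")
    print(" -> ".join(shortest_path(graph, "campaign:facebook-photo-album", "campaign:mass-sqli")))
```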

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign

June 08, 2010
Researchers from eSoft are reporting on 135,000 Fake YouTube pages currently serving scareware, while using multiple monetization/traffic optimization tactics for the hijacked traffic.

Based on the campaign's structure, it's pretty clear that the template-ization of malware serving sites (Part Two) is not dead. Let's dissect the campaign, its structure, the monetization/traffic optimization tactics used, list all the domains and URLs involved, and establish multiple connections (in the face of AS6851, BKCNET "SIA" IZZI) to recent malware campaigns -- cybercriminals are often customers of the same cybercrime-friendly provider.


The campaign relies on a typical mix of compromised and purely malicious sites, but uses not just an identical template but an identical campaign structure, which remains pretty static for the time being. Upon visiting one of the sites and meeting the referrer requirement -- Google works fine -- the hardcoded preload.php loads; it always points to the same IP, using a randomly generated code that changes over time: 91.188.60.126/?q=jzhaf - AS6851, BKCNET "SIA" IZZI

-------------------
inetnum:        91.188.60.0 - 91.188.60.255
netname:        ATECH-SAGADE
descr:          Sagade Ltd.
descr:          Latvia, Rezekne, Darzu 21
descr:          +371 20034981
remarks:        abuse-mailbox: piotrek89@gmail.com
country:        LV
admin-c:        TMCD111-RIPE
tech-c:         TMCD111-RIPE
status:         ASSIGNED PA
mnt-by:         AS6851-MNT
changed:        taner@bkc.lv 20100423
source:         RIPE

role:           TMCD Admin Contacts
address:        Ieriku 67a, Riga, LV-1084
org:            ORG-TMDA1-RIPE
e-mail:         bkc@bkc.lv
admin-c:        AS1606-RIPE
admin-c:        TP422-RIPE
tech-c:         RF2443-RIPE
tech-c:         IR106-RIPE
nic-hdl:        TMCD111-RIPE
changed:        taner@bkc.lv 20081023
source:         RIPE
-------------------


Moreover, the second traffic optimization strategy loads two different subdomains from byethost4.com, where another redirection takes place, this time loading the bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com

Sample campaign structure:
- compromised_site.com
    - compromised_site.com/preload.php
        - 91.188.60.126/?q=jzhaf
        - popal.byethost4.com/mlk.php?sub=2&r=google.com
        - trash.byethost14.com/tick.php?sub=1&r=google.com
            - cnbutterfly.com/contact.php?uid=2034 - 74.81.93.227
            - simulshop.com/contact.php?uid=2034 - 88.198.177.74
                - www3.smartbestav10.co.cc - 74.118.194.78


Domains involved in the campaign:

Detection for the scareware, and the manual install binary:
- install.exe - Trojan.FakeAlert.CCS; FraudTool.Win32.SecurityTool (v) - Result: 16/40 (40%) - MD5: 3562be54671a1326eeef8bcfc85bd2a0
- packupdate107_2034.exe - Packed.Win32.Krap.an; TrojWare.Win32.Trojan.Fakealert.4193280 - Result: 10/41 (24.4%) - MD5: 991bba541e1872191ec5eb88c7de1f30

Upon execution the sample phones back to:
update2.protect-helper.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.free-guard.com - 95.169.186.25 - Email: gkook@checkjemail.nl

- install.48728.exe - Trojan.FakeAV; TrojanDownloader:Win32/Renos.KX - Result: 26/41 (63.42%) - MD5: 15281c3f3fac1ccdaf43e2b26d32a887

Upon execution the sample phones back to:
movieartsworld.com - 216.240.146.119 - Email: elaynecroft@ymail.com
firstnationarts.com - 66.96.219.38 (redskeltonarts.com, southard_cheryl@yahoo.com) - Email: harold_ward@ymail.com
sportfishingarts.com - 66.199.229.230 (greenbeearts.com, heiserdenise@ymail.com) - Email: rodericknovak@rocketmail.com
bestgreatarts.com - 64.191.44.73 (freesurrealarts.com, ghuertas@rocketmail.com) - Email: jeffreyespey@ymail.com
spacevisionarts.com - 69.10.35.253 (picturegraffitoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com
smallspacearts.com - 64.20.35.3 (dvdvideoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com

Based on cross-checking across different data sets, 91.188.60.126 - AS6851, BKCNET "SIA" IZZI is also known to have been used by at least 4 other members of the affiliate network. Naturally, their "signature" can be seen across multiple ASs as well.

The same scareware affiliate program is seen on the following IPs, using a different set of affiliate partners:
194.8.250.154/news.php?land=20&affid=12400 - AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
194.8.250.155/news.php?land=20&affid=12400
194.8.250.157/news.php?land=20&affid=42500
194.8.250.158/news.php?land=20&affid=42500

91.188.60.118/news.php?land=20&affid=50900 - AS6851, Sagade Ltd.; Emails: piotrek89@gmail.com;
91.188.60.124/news.php?land=20&affid=12800
91.188.60.126/news.php?land=20&affid=15600
91.188.60.146/news.php?land=20&affid=20102
91.188.60.147/news.php?land=20&affid=20102

91.213.157.165/news.php?land=20&affid=50900 - AS13618, PE "Sattelecom"; Emails: tt@sattelecom.biz
77.78.239.71/news.php?land=20&affid=12400 - AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com; bosko@globalnet.ba
77.78.239.76/news.php?land=20&affid=12400
77.78.239.77/news.php?land=20&affid=15603


As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns; find below an excerpt from a previous post, emphasizing the Koobface gang connection, in the sense that they're both customers of the same cybercrime-friendly ISP.
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php


For the time being, the following domains, IPs are all active within AS6851, BKCNET "SIA" IZZI:

Name servers of notice:
ns1.iil10oil0.com - 91.188.59.70
ns2.iil10oil0.com - 91.188.59.71


Domains using their services:

Take down actions are in place, meanwhile, consider going through the "Ultimate Guide to Scareware Protection".


Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two

June 03, 2010
UPDATED: Sunday, June 06, 2010.
The new redirections currently take place through www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c (93.190.141.40) and www1.avscaner-40pr.co.cc (217.23.5.52).

Parked on 93.190.141.40, AS49981, WorldStream are also:

Detection rate:
- packupdate107_213.exe - Trojan.Fakealert.origin; Mal/FakeAV-BW - Result: 12/41 (29.27%)


Upon execution, the sample phones back to:

Parked on 95.169.186.25 (AS31103, KEYWEB-AS); 188.124.5.64 (AS44565, VITAL TEKNOLOJI) are also:

Remember the massive blackhat SEO campaign using U.S Federal Forms themed keywords, which was extensively profiled in August, 2009?
The cybercriminals behind it never really stopped feeding new domains, including compromised ones, naturally diversifying the set of topics in order to serve scareware. Now that enough data is gathered, naturally exposing connections within the cybercrime ecosystem, which would be communicated using the "perfect timing, perfect channel" philosophy, it's time to dissect the online campaign, expose the entire portfolio of domains involved, and, of course, take it down.

What's particularly interesting about this gang is its clear understanding of QA (quality assurance) for the sake of increased OPSEC (operational security). Just like in the previous campaigns, each individual domain involved is registered using a separate email, in the majority of cases an automatically registered one. With or without the QA, there's no escape from the monetization vector, which in this case, as in many others, is scareware.

Domains used in the blackhat SEO campaign, none of these are currently flagged as harmful:

The .co.cc domain portfolio responds to the following IPs; parked on them are also related malicious domains:

Compromised sites part of the blackhat SEO campaign:

Once the end user clicks on a link found within Google's index, a tiny .js (compromised_site.nl/directory/randomcontent.js) checks the referrer and the redirection takes place. For instance:
- www3.donrart58-td.co.cc/ ?uid=213&pid=3&ttl=21f4e73673b - 93.190.141.41 - Email: mailwork.abc@gmail.com
    - www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl
        - www1.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com
            - www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com

Where do we know the same campaigner (?uid=213&pid=3&ttl=21f4e73673b) from? From related campaigns.

Parked on 93.190.141.41, donrart58-td.co.cc, AS49981 WorldStream are also:

Parked on 188.124.5.66, favoritav31-pd.co.cc, AS44565 VITAL TEKNOLOJI are also:

Parked on 95.169.186.25, AS31103, KEYWEB-AS are also:

Detection rate:
- packupdate_107_213.exe - TROJ_FRAUD.SMAF; Mal/FakeAV-AX - Result: 28/40 (70%)

Phones back to:
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update2.guardinuse.net - 78.159.108.171 - Email: gkook@checkjemail.nl
secure1.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl
74.82.216.3/ncr - interesting HOSTS file modification

What's so interesting about it anyway? The exact same modification was seen in "Koobface Botnet's Scareware Business Model - Part Two", with regard to the Google IP 74.125.45.100.

Take down actions are already taking place; updates will be posted as soon as new developments emerge.

Related research on blackhat SEO campaigns:
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Vendor of Mobile Spying Apps Drives Biz Model Through DIY Generators

June 03, 2010

It's always worth monitoring the developments in the commercial mobile spying apps space, in particular the inevitable customization of their services.

A shady vendor of such applications is attempting to migrate away from the mass market model of competing vendors by offering its potential customers the ability to generate their own .sis files for the spying app targeting the Symbian OS 9 platform. The DIY features also include the ability to self-sign their own certificates. The price tag? A hefty £3000, with no refunds offered.


What's their true motivation behind the release of the DIY generation tool? It appears that they are primarily interested in scaling their business operations by allowing potential resellers to automatically generate the spying apps. Although the self-signed certificate option is interesting, mobile malware authors continue abusing the Symbian Foundation's certificate signing process, surprisingly, by using bogus company names with no public reference to their existence.

Thanks to the improving monetization models for mobile malware (e.g. calling/SMSing premium rate numbers), mobile malware authors are only starting to realize and abuse the potential of the micro payments market segment.

Related posts on mobile malware:
The future of mobile malware - digitally signed by Symbian?
Commercial spying app for Android devices released
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New Symbian-based mobile worm circulating in the wild
New mobile malware silently transfers account credit
Transmitter.C mobile malware spreading in the wild
Transmitter.C Mobile Malware in the Wild
Proof of Concept Symbian Malware Courtesy of the Academic World
Commercializing Mobile Malware
Mobile Malware Scam iSexPlayer Wants Your Money

Related posts on SMS Ransomware:
New ransomware locks PCs, demands premium SMS for removal
Mac OS X SMS ransomware - hype or real threat?
SMS Ransomware Displays Persistent Inline Ads
6th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale


Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

May 28, 2010

There's no such thing as free porn, unless there are client-side exploits in the unique value proposition's mix.

A currently spamvertised campaign is doing exactly that, relying on the recent CVE-2010-0886 vulnerability. Let's dissect the campaign and combine the assessment with historical OSINT data, given that the second phone-back location, including the binary hosted there, is currently down.
  • Key summary point: although the exploitation is taking place, the campaign is currently failing to drop the actual binary, returning a NOEXEFILE error message. The post will be updated once the situation changes.


Inside a Commercial Chinese DIY DDoS Tool

May 26, 2010

One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones (Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools or stress testing tools.

Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100% legitimate one, whereas going through the documentation and actually testing its features reveals its true malicious nature. Moreover, once the vendor starts trusting you -- like the one whose DDoS tool is profiled in this post -- you're given access to the private section of their forum, where they directly pitch you DDoS-for-hire propositions, starting from $100 for 24 hours of non-stop flooding.

In this post I'll review what's currently being promoted as "The World's Leading DDoS Testing System", which is basically an improved version of the well known "Netbot Attacker", an old school release whose source code (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying) is greatly favored by Chinese hacktivists and script kiddies, based on the multiple modifications they've introduced using the original source code.

Interestingly, the "vendor" is offering value-added services in the form of managed command and control server changes, the typical managed binary obfuscation, custom features, and removal of features in an attempt to decrease the size of the binary. Most importantly, they use differentiated pricing for their tool: educational institutions, small businesses and home office clients can get special prices.
  • Why would the vendor include anti sandboxing capabilities in the latest version of the tool?
  • Why would the vendor also include P2P spreading and USB spreading modules?
Because the tool is anything but your typical stress testing tool.

Perhaps one of the most important developments regarding this vendor is that this is among the few examples I'm aware of where Chinese hackers, known not to care about anything other than virtual goods, are vertically integrating by experimenting with early-stage banking malware.

An excerpt from the banking experiment:
"MS-recorder to wear all the safety test shows the major B2C online banking security controls. Received after the first test colt extracting file, which has ma.exe procedures. As the tests are over. Please turn off antivirus software and security software testing. . .

Wear all safety major B2C online banking security controls currently supports more than can be intercepted more than 160 online online payment platform And major online banking. After running ma.exe can log on to the respective online banking program Alipay paypal or procedures to test, test and test interception of information stored in the pony

The same directory, Test will generate Jlz-1, Jlz-2, Jlz-3 ... folder, such files in the folder will be 1.bmp, 2.bmp, 3.bmp ... picture, or there txt Notepad, view the. txt and picture, get the interception of data and information. Test window will prompt pony run, test interception of information larger, there is no written function. To solve the above problem, please purchase the official version, run silent, run automatically delete itself, no process at startup, had all killed, the interception of information

Expected small size, with letters function. VIP version of the generator purchase one year of free updates, free to kill three months to buy the colt package. Set the FTP transmission method to send the interception of STMP FTP. Perfect information theft can steal all the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicq, OutLook, FlashFXP, PayPal, E-mail and paypal (no security control), Legend, mercenary legend, Journey to the West, etc. (include account number, area and other relevant information), of course, the same information on the page steal, such as: mail, forums, close protection, and other (including user name, password and other related information), or even playing in the diagram, Password chip can, because it can record the keyboard and mouse actions. It is worth mentioning that, no matter what way you enter the password (such as Paste from somewhere, then paste the part of the input part, the number before the 0, deliberately enter the wrong password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing the contents do not appear out of "junk" in precise steal ... The correct password
."

Clearly, these folks are not just inspired to continue introducing new features within the tool, but are starting to realize the potential of the crimeware market, with the vendor itself being a good example of how, once allowed to continue operating, such an operation naturally evolves in the worst possible direction. The author of ZeuS, however, shouldn't feel endangered in any way.

Screenshots of the DIY DDoS platform, including the multiple versions on offer (VIP, sample custom-made builds, etc.):

Detection rates for the publicly obtainable builders of multiple versions:
- MS.exe - Backdoor.Hupigon.AAAH - Result: 26/40 (65%)
- msn.exe - Win32.BDSPoison.Cpd - Result: 36/41 (87.81%)
- test.exe (crimeware experiment) - Hacktool.Rootkit - Result: 24/41 (58.54%)
- ms1.exe - Backdoor.Win32.BlackHole - Result: 13/41 (31.71%)
- ms1.exe - W32/Hupigon.gen227; Backdoor.Hupigon.AAAH - Result: 35/41 (85.37%)

Based on profiling the localization of this tool to Chinese since 2007, and the diversification of the DDoS attacks introduced in it by Chinese coders (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying), perhaps the most important conclusion that can be drawn is that tolerating their activities in the long term results in the development of more sophisticated capabilities, which can now be offered to a well established customer base.

If Chinese hacktivists managed to take CNN.com offline (The DDoS Attack Against CNN.com; Chinese Hacktivists Waging People's Information Warfare Against CNN) using nothing but ping flooders and iFrames loading multiple copies of the site, the collectivist response in a future incident using these much more sophisticated tools -- sophisticated in the sense of the diverse set of DDoS attacks offered -- is likely to be much more effective.

Related Chinese hacking scene/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com


Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"

May 17, 2010

UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet have been included at the bottom of this post, including detection rates and phone-back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post, published in February 2010, by including the following message on Koobface-infected hosts serving bogus video players and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high profile U.S based web properties and from fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing the fact that they/he are not involved in crimeware campaigns and have never stolen any credit card details.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of this activity is MD5: 0fbf1a9f8e6e305138151440da58b4f1, which modifies the HOSTS file on infected PCs to redirect all Google and Yahoo search traffic to 89.149.210.109, while phoning back to well known Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam .net/8732489273.php.
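As an added defender-side example (not code from the original post), the checker below parses hosts-file lines, including the HijackThis "O1 - Hosts:" format quoted in the scareware post above, and flags search-engine or protection-feed hostnames (safebrowsing-cache.google.com, urs.microsoft.com and the like) mapped to a routable IP, plus any single IP that swallows many hostnames, which is the pattern behind both the 74.125.45.100 case above and the 89.149.210.109 redirect here. The sample lines are constructed; the hostname patterns and the fan-in threshold are assumptions.

```python
"""Hosts-file hijack checker: added example, not code from the original post.

Scareware and Koobface components rewrite the Windows HOSTS file so that search
engines resolve to an attacker IP (search hijack) and browser protection feeds
resolve to a dead or attacker IP (blinding the user). This reads raw hosts-file
lines or HijackThis "O1 - Hosts:" lines and reports both patterns. Sample input
is constructed; the patterns and threshold are assumptions, not post values.
"""
import ipaddress
import re
from collections import defaultdict

# HijackThis prints hosts entries as "O1 - Hosts: <ip> <hostname>".
O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)

# Hostnames no legitimate installer needs to override in the hosts file
# (assumed list, modelled on the entries quoted in the post).
SENSITIVE_PATTERNS = [
    re.compile(r"(^|\.)google\.(com|[a-z]{2}|co\.[a-z]{2}|com\.[a-z]{2})$"),  # search + safebrowsing
    re.compile(r"(^|\.)google-analytics\.com$"),
    re.compile(r"(^|\.)bing\.com$"),
    re.compile(r"(^|\.)search\.yahoo\.com$"),
    re.compile(r"^urs\.microsoft\.com$"),  # IE phishing-filter / SmartScreen endpoint
]


def normalize_host(token: str) -> str:
    """Lower-case a hostname token; the post's rendering shows bare www. names
    as http:// links, so a URL scheme and trailing slash/dot are stripped."""
    token = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
    return token.rstrip("/").rstrip(".").lower()


def parse_hosts_line(line: str):
    """Return (ip_address, [hostnames]) for one hosts or O1 line, else None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line:
        return None
    line = O1_PREFIX.sub("", line)
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None                                # not a hosts entry
    return ip, [normalize_host(p) for p in parts[1:]]


def is_sensitive(hostname: str) -> bool:
    return any(p.search(hostname) for p in SENSITIVE_PATTERNS)


def analyze_hosts(text: str, fan_in_threshold: int = 5) -> dict:
    """Two signals: a sensitive hostname pointed at a routable IP, and many
    distinct hostnames funnelled into one routable IP (a search sinkhole)."""
    redirected = []                    # (hostname, ip) pairs worth alerting on
    per_ip = defaultdict(set)          # routable ip -> hostnames mapped to it
    for raw in text.splitlines():
        parsed = parse_hosts_line(raw)
        if parsed is None:
            continue
        ip, hosts = parsed
        # 127.0.0.1 / 0.0.0.0 / ::1 are how hosts-based ad blockers work; benign.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for host in hosts:
            per_ip[str(ip)].add(host)
            if is_sensitive(host):
                redirected.append((host, str(ip)))
    sinkholes = sorted(ip for ip, hs in per_ip.items() if len(hs) >= fan_in_threshold)
    return {"redirected": redirected, "sinkholes": sinkholes,
            "per_ip": {ip: sorted(hs) for ip, hs in per_ip.items()}}


# Constructed sample mixing a clean hosts file with hijack-style O1 lines.
# 74.125.45.100 and 89.149.210.109 are the IPs named in the post; the other
# hostnames and 203.0.113.7 are placeholders.
SAMPLE_LOG = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 http://www.securebilling.example
O1 - Hosts: 89.149.210.109 google.com
O1 - Hosts: 89.149.210.109 http://www.google.co.uk
O1 - Hosts: 89.149.210.109 google.de
O1 - Hosts: 89.149.210.109 http://www.bing.com
O1 - Hosts: 89.149.210.109 search.yahoo.com
O1 - Hosts: 89.149.210.109 uk.search.yahoo.com
203.0.113.7 intranet.example   # legitimate internal override, not flagged
"""

if __name__ == "__main__":
    report = analyze_hosts(SAMPLE_LOG)
    for host, ip in report["redirected"]:
        print(f"ALERT sensitive host {host} redirected to {ip}")
    for ip in report["sinkholes"]:
        print(f"ALERT {ip} receives {len(report['per_ip'][ip])} hostnames (sinkhole)")
```

Pointing the same check at %SystemRoot%\System32\drivers\etc\hosts on a suspect machine gives the same two alerts the HijackThis listing above would.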

In May 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding, is an active client-side exploits serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all; I guess that's also the reason behind the temporary change in scareware URLs to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties can also be traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertising campaign, and whether they are intentionally pushing it at a particular web site, remains unknown.

The fact is that the exact same domain used in the NYTimes redirection was, back then, also embedded on all of the Koobface-infected hosts in order to serve scareware.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they apparently don't know or forget that the connection between the Koobface gang and the massive blackhat SEO campaign was established in exactly the same way as their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can best be described as the cybercrime ecosystem's stakeholders earning revenues and scaling their business models thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as for instance Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or... well, you get the point. Of course there isn't, now that it's publicly known it's in the works.


10. The gang is monetizing traffic through the Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where they get all the money from by pushing scareware? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also dozens of related scareware domains, all registered to the same email address (test@now.net.cn).

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%), which once executed phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The current redirection taking place through the embedded link on Koobface-infected hosts goes through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Monday, May 24, 2010: Over the past 7 days the Koobface gang has pushed a further batch of scareware domains/redirectors, all registered to test@now.net.cn. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.



Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution, it phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, now responding to 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn

In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
