Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, April 04, 2011

Spamvertised DHL Notifications Scareware Campaign

Yet another currently spamvertised campaign is impersonating DHL for scareware serving purposes.

Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip; dhl.zip

Detection rates:
dhl.exe - Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0%)
MD5 : 87d778169ae14d934b92ce628b5cfde4
SHA1 : 20787fde3b7fde64cc3892c4df9a4eb2a2515830
SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54

Downloads additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: admin@puskovayaustanovka.ru

pusk2.exe - Trojan.Fakealert.20509 - Result: 11/41 (26.8%)
MD5 : a9be091eedea947f8626d11042e0d9be
SHA1 : 9c1d399d47a6ef6081553a101ab48fca61859db4
SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094

Upon execution phones back to the following domains:
kynugypenihyf.com - Email: v8@ca4.ru
cylakydugudi.com - Email: acts@free-id.ru
fevahanybyvu.com - Email: fs@free-id.ru
gicyxepomer.com - Email: tabs@yourisp.ru
bemojewedowigo.com - Email: fs@free-id.ru
sakafiduzipame.com - Email: build@ca4.ru
wetotyger.com - Email: acts@free-id.ru
kytevaviqopoci.com - Email: fs@free-id.ru
wamojafadezy.com - Email: kilt@bz3.ru
tetagyjaj.com - Email: kilt@bz3.ru
jerakidukojoz.com - Email: wrap@cheapbox.ru
cixovatywo.com - Email: frenzy@ca4.ru
jafybobik.com - Email: force@ca4.ru
nizokatahinery.com - Email: foxy@cheapbox.ru
cujicaraso.com - Email: beret@ca4.ru
zuzosahule.com - Email: only@free-id.ru
gokuzajylot.com - Email: silks@ca4.ru
jumonevetode.com - Email: silks@ca4.ru
dafatesomyz.com - Email: zq@bz3.ru
lukofymela.com - Email: silks@ca4.ru
jebuponip.com - Email: lost@free-id.ru
quxovasuced.com - Email: hp@ppmail.ru
laqoduhisegu.com - Email: shot@bz3.ru
xyseditacif.com - Email: hart@free-id.ru
wylyxaqunowy.com - Email: mows@bz3.ru
qepovexidysopy.com - Email: byob@yourisp.ru
bebecebyt.com - Email: mows@bz3.ru
dihemehypuq.com - Email: shot@bz3.ru
rumesexyzobuz.com - Email: dawn@bz3.ru
gopilezavyxiro.com - Email: hush@bz3.ru
hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK

Domains are respoding to the following ASs: AS18866; AS32097:
quxovasuced.com - 69.50.209.139
laqoduhisegu.com - 69.50.209.140
wylyxaqunowy.com - 69.50.209.148
qepovexidysopy.com - 69.50.209.149
fevahanybyvu.com - 69.50.209.182
bemojewedowigo.com - 69.50.209.183
gicyxepomer.com - 69.50.209.184
sakafiduzipame.com - 69.50.209.185
wamojafadezy.com - 69.50.209.186
kytevaviqopoci.com - 69.50.209.188
jebuponip.com - 69.50.209.223
cylakydugudi.com - 69.50.209.224
wetotyger.com - 69.50.209.225
nizokatahinery.com - 69.197.161.202
cujicaraso.com - 69.197.161.203
kynugypenihyf.com - 69.197.161.204
jafybobik.com - 69.197.161.205
tetagyjaj.com - 99.198.114.98
jerakidukojoz.com - 99.198.114.99
gopilezavyxiro.com - 99.198.114.100
cixovatywo.com - 99.198.114.101
hyvijinymut.com - 99.198.114.189
zuzosahule.com - 204.12.223.170
jumonevetode.com - 204.12.223.171
dafatesomyz.com - 204.12.223.172
gokuzajylot.com - 204.12.223.173
lukofymela.com - 204.12.223.174
rumesexyzobuz.com - 204.12.223.186
xyseditacif.com - 204.12.223.187
dihemehypuq.com - 204.12.223.188
bebecebyt.com - 204.12.223.189

Monitoring of the campaign is ongoing.

Related posts:
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Thursday, March 31, 2011

Dissecting the Massive SQL Injection Attack Serving Scareware

A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using mass vulnerability scanning tools, with the help of search engines which have already crawled the vulnerable sites.

What's particularly interesting about this campaign, is the fact that the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign, expose the domain portfolios and the entire campaign structure.

UPDATED: Related SQL injected URLs courtsesy of WebSense:
online-stats201.info/ur.php - Email: tik0066@gmail.com
stats-master111.info/ur.php - Email: tik0066@gmail.com
agasi-story.info/ur.php - 91.217.162.45 - Email: tik0066@gmail.com
general-st.info/ur.php - Email: tik0066@gmail.com
extra-service.info/ur.php - Email: tik0066@gmail.com
sol-stats.info/ur.php - Email: tik0066@gmail.com
google-stats49.info/ur.php - Email: tik0066@gmail.com
google-stats45.info/ur.php - Email: tik0066@gmail.com
google-stats50.info/ur.php - Email: tik0066@gmail.com
google-server43.info/ur.php - Email: tik0066@gmail.com
stats-master88.info/ur.php - Email: tik0066@gmail.com
eva-marine.info/ur.php - 109.236.81.28 - Email: tik0066@gmail.com
stats-master99.info/ur.php - Email: tik0066@gmail.com
tzv-stats.info/ur.php - Email: tik0066@gmail.com
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com

SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com

Upon successful redirection, the campaign attempts to load the scareware domains defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com

Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/ 41 (22.0%)
MD5 : 815d77f8fca509dde1abeafabed30b65
SHA1 : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also:
antivirus-1091.co.cc
antivirus-1574.co.cc
antivirus-2051.co.cc
antivirus-2525.co.cc
antivirus-2932.co.cc
antivirus-3654.co.cc
antivirus-3833.co.cc
antivirus-4063.co.cc
antivirus-418.co.cc
antivirus-4303.co.cc
antivirus-4749.co.cc
antivirus-495.co.cc
antivirus-5216.co.cc
antivirus-5676.co.cc
antivirus-5802.co.cc
antivirus-6437.co.cc
antivirus-6703.co.cc
antivirus-7081.co.cc
antivirus-713.co.cc
antivirus-728.co.cc
antivirus-7357.co.cc
antivirus-8072.co.cc
antivirus-9009.co.cc
antivirus-9638.co.cc
antivirus-9667.co.cc
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-aqeu.co.cc
defender-asng.co.cc
defender-atio.in - Email: terriduverger3239@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-bwuy.co.cc
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-eahy.co.cc
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-ewum.co.cc
defender-eyde.co.cc
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-fola.co.cc
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-hjlk.in - Email: jennwrayford2124@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-iibk.co.cc
defender-iies.co.cc
defender-iksl.in - Email: amarasanders9974@gmail.com

defender-isde.co.cc
defender-iyrc.co.cc
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-jihv.co.cc
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-kzwu.co.cc
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-nhei.co.cc
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-qotg.in - Email: franchescaili9704@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-qsko.co.cc
defender-qumf.in - Email: carlaadams@gmail.com
defender-rlag.in - Email: carmichaelmail@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-thga.in - Email: youngantonio6055@gmail.com
defender-ueuv.co.cc
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wtln.co.cc
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-xnnx.in - Email: pavelmayer4891@gmail.com
defender-ykym.co.cc
movie-iirg.in - Email: misslynn8546@gmail.com
movie-pblv.in - Email: judgewright4021@gmail.com
movies-live-tube-jeyq.co.cc
movie-tkhk.in - Email: terrymeally1288@gmail.com
movie-tube-beym.co.cc
movie-tube-juie.co.cc
movie-ueep.in - Email: celinekevin6179@gmail.com
movieway2011.com - Email: contact@privacyprotect.org
movie-xbtb.in - Email: sanfordross9242@gmail.com
movie-xxnl.in - Email: ianbalitsaris3201@gmail.com
softway2011.com - Email: contact@privacyprotect.org
system-scanner-boep.co.cc
system-scanner-eill.co.cc
system-scanner-eopa.co.cc
system-scanner-ewqq.co.cc
system-scanner-iaap.co.cc
system-scanner-ieyx.co.cc
system-scanner-lcyo.co.cc
system-scanner-ouny.co.cc
system-scanner-oypx.co.cc
system-scanner-qeap.co.cc
system-scanner-racv.co.cc
system-scanner-ryes.co.cc
system-scanner-tzii.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
system-scanner-uyxt.co.cc
system-scanner-vpoo.co.cc
system-scanner-xtoi.co.cc
system-scanner-yoyx.co.cc
system-scanner-ytut.co.cc

Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):
defender-thga.in - Email: youngantonio6055@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com
defender-abcc.in - Email: rubysmart5057@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-qumf.in - Email: rachelalba1891@gmail.com
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-uvag.in - Email: espenkeck7682@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-wbui.in - Email: carlosbuntschu1238@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-hjlk.in - Email: lauriefreeman9930@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-iksl.in - Email: marasanders9974@gmail.com
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-sxin.in - Email: taloupavlinovich7166@gmail.com
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-drnr.in - Email: sumanvcasquez2008@gmail.com
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-xnnx.in - Email: sylviawulff2140@gmail.com
defender-xkox.in - Email: ryanmartin7607@gmail.com

The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.

Monitoring of the campaign is ongoing.

Related posts:

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Dissecting the Massive SQL Injection Attack Serving Scareware

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev