Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Monday, May 09, 2011

Don't Play Poker on an Infected Table - Part Five

A currently spamvertised campaign is enticing end users into downloading a fraudulent online gambling application KingSpinEN.exe. The campaign is part of last month's Don't Play Poker on an Infected Table - Part Four series.

Detection rate:
KingSpinEN.exe - W32/Casino.F.gen!Eldorado - Result:16/43 (37.2%)
MD5   : ead8156a838842bc8463995a91eee08b
SHA1 : 239594a514c461c63dc8da69b08b9b63baaf2579
SHA256: 491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36

Upon execution phones back to:
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=100
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace_install.cab
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace.cab
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=422
- marketing.valueactive.eu /VIP/animations/en/movies_en.htm

Portfolio of fraudulent online gambling domains part of the campaign. The majority are hosted within AS49130, ARNET-AS SC ArNet Connection SRL:
casino-elit-super.ru - 89.45.14.12
casinogoldsuper.ru - 89.45.14.12
casinokingsuper.ru - 89.45.14.12
casino-king-super.ru - 89.45.14.12
casinolabsuper.ru - 89.45.14.12
casino-lux-super.ru - 89.45.14.12
casinomultisuper.ru - 89.45.14.12
casinonetsuper.ru - 89.45.14.12
casino-net-super.ru - 89.45.14.12
casinonextvip.ru - 89.45.14.12
casino-online-super.ru - 90.182.175.234
casinopartysuper.ru - 90.182.175.234
casino-party-super.ru - 90.182.175.234
casinoplazasuper.ru - 90.182.175.234
1casinostarsuper.ru - 90.182.175.234
casinosuperelit.ru - 89.45.14.12
casino-super-elit.ru - 89.45.14.12
casinosuperking.ru - 89.45.14.12
casino-super-king.ru - 89.45.14.12
casinosupermulti.ru - 89.45.14.12
casinosupernet.ru - 89.45.14.12
casino-super-net.ru - 89.45.14.12
casino-super-online.ru - 90.182.175.234
casinosupervip.ru - 89.45.14.12
casino-super-vip.ru - 89.45.14.12
casinosuperweb.ru - 89.45.14.12
casino-super-web.ru - 89.45.14.12
casinosuperwin.ru - 89.45.14.12
casino-super-win.ru - 89.45.14.12
casinovipsuper.ru - 89.45.14.12
casino-vip-super.ru - 89.45.14.12
casino-win-super.ru - 89.45.14.12
cazino-cash-multi.ru - 89.45.14.12
3cazino-party-royal.ru - 89.45.14.12
cazinopartyweb.ru - 89.45.14.12
cazino-party-web.ru - 89.45.14.12
cazinopartywin.ru - 89.45.14.12
cazino-party-win.ru - 89.45.14.12
cazinoplazawin.ru - 89.45.14.12
cazinoplazaworld.ru - 89.45.14.12
cazino-plaza-world.ru - 89.45.14.12
cazinowinplaza.ru - 89.45.14.12
cazino-win-plaza.ru - 89.45.14.12
cazinoworldplaza.ru - 89.45.14.12
cazino-world-plaza.ru - 89.45.14.12
4elitcasinosuper.ru - 89.45.14.12
elit-casino-super.ru - 89.45.14.12
elitsupercasino.ru - 89.45.14.12
elit-super-casino.ru - 89.45.14.12
gamelabonline.ru - 78.46.105.205
gameonlinelab.ru - 78.46.105.205
game-party-royal.ru - 78.46.105.205
gamezlabonline.ru - 89.45.14.12
gamezmultilab.ru - 89.45.14.12
gamez-net-online.ru - 89.45.14.12
gamezonlinenet.ru - 89.45.14.12
gamez-party-royal.ru - 89.45.14.12
gamez-party-web.ru - 89.45.14.12

gamezpartywin.ru - 89.45.14.12
gamez-party-win.ru - 89.45.14.12
gamez-plaza-win.ru - 89.45.14.12
gamezplazaworld.ru - 89.45.14.12
gamez-plaza-world.ru - 89.45.14.12
gamez-vegas-web.ru - 89.45.14.12
gamezweblab.ru - 89.45.14.12
gamezwinplaza.ru - 89.45.14.12
gamez-win-plaza.ru - 89.45.14.12
gamezworldplaza.ru - 89.45.14.12
joker-gamez-web.ru - 89.45.14.12
kingcasinosuper.ru - 89.45.14.12
king-casino-super.ru - 89.45.14.12
kinggagnerr.net - 90.182.175.234
kingsupercasino.ru - 89.45.14.12
king-super-casino.ru - 89.45.14.12
lab-cazino-multi.ru - 89.45.14.12
lab-cazino-online.ru - 89.45.14.12
labgamezonline.ru - 89.45.14.12
lab-gamez-web.ru - 89.45.14.12
labonlinecazino.ru - 89.45.14.12
labonlinegame.ru - 78.46.105.205
labvegascazino.ru - 89.45.14.12
luxcasinosuper.ru - 89.45.14.12
luxnextcasino.ru - 89.45.14.12
lux-next-casino.ru - 89.45.14.12
multicasinosuper.ru - 89.45.14.12
multilabgame.ru - 78.46.105.205
multisupercasino.ru - 89.45.14.12
netcasinosuper.ru - 89.45.14.12
net-casino-super.ru - 89.45.14.12
netpartycazino.ru - 89.45.14.12
netsupercasino.ru - 89.45.14.12
net-super-casino.ru - 89.45.14.12
nextcasinovip.ru - 89.45.14.12
next-casino-vip.ru - 89.45.14.12
next-lux-casino.ru - 89.45.14.12
nextvipcasino.ru - 89.45.14.12
onlinecasinosuper.ru - 90.182.175.234
online-casino-super.ru - 90.182.175.234
online-cazino-lab.ru - 89.45.14.12
onlinegameznet.ru - 89.45.14.12
online-gamez-vip.ru - 89.45.14.12
onlinelabcazino.ru - 89.45.14.12
onlinesupercasino.ru - 90.182.175.234
online-super-casino.ru - 90.182.175.234
partycasinosuper.ru - 90.182.175.234
party-casino-web.ru - 78.46.105.205
partycazinonet.ru - 89.45.14.12
party-cazino-royal.ru - 89.45.14.12
partycazinoweb.ru - 89.45.14.12
partycazinowin.ru - 89.45.14.12
partygamezroyal.ru - 89.45.14.12
party-gamez-royal.ru - 89.45.14.12
partygamezwin.ru - 89.45.14.12
party-gamez-win.ru - 89.45.14.12
partynetcazino.ru - 89.45.14.12
party-royal-cazino.ru - 89.45.14.12
party-super-casino.ru - 89.45.14.12
partywebcasino.ru - 78.46.105.205
partywebcazino.ru - 89.45.14.12
partywincazino.ru - 89.45.14.12
party-win-cazino.ru - 89.45.14.12
play-multi-casino.ru - 89.45.14.12
plazacazinowin.ru - 89.45.14.12
plaza-cazino-win.ru - 89.45.14.12
plazacazinoworld.ru - 89.45.14.12
plaza-cazino-world.ru - 89.45.14.12
plaza-gamez-win.ru - 89.45.14.12
plazagamezworld.ru - 89.45.14.12
plaza-gamez-world.ru - 89.45.14.12
plazawincazino.ru - 89.45.14.12
plaza-win-cazino.ru - 89.45.14.12
plazaworldcazino.ru - 89.45.14.12
plaza-world-cazino.ru - 89.45.14.12
royal-party-cazino.ru - 89.45.14.12
star-casino-super.ru - 90.182.175.234
star-super-casino.ru - 90.182.175.234
super-casino-elit.ru - 89.45.14.12
supercasinoking.ru - 89.45.14.12
super-casino-king.ru - 89.45.14.12
supercasinolab.ru - 89.45.14.12
super-casino-land.ru - 90.182.175.234
supercasinomulti.ru - 89.45.14.12
supercasinonet.ru - 89.45.14.12
super-casino-net.ru - 89.45.14.12
supercasinoonline.ru - 90.182.175.234
super-casino-online.ru - 90.182.175.234
super-casino-star.ru - 90.182.175.234
supercasinovip.ru - 89.45.14.12
super-casino-vip.ru - 89.45.14.12
super-casino-web.ru - 89.45.14.12
super-casino-west.ru - 90.182.175.234
supercasinowin.ru - 89.45.14.12
super-casino-win.ru - 89.45.14.12
super-elit-casino.ru - 89.45.14.12
superkingcasino.ru - 89.45.14.12
super-king-casino.ru - 89.45.14.12
super-land-casino.ru - 90.182.175.234
super-multi-casino.ru - 89.45.14.12
supernetcasino.ru - 89.45.14.12
super-net-casino.ru - 89.45.14.12
superonlinecasino.ru - 90.182.175.234
super-online-casino.ru - 90.182.175.234
superpartycasino.ru - 90.182.175.234
super-party-casino.ru - 89.45.14.12
superstarcasino.ru - 90.182.175.234
super-star-casino.ru - 90.182.175.234
super-vip-casino.ru - 89.45.14.12
super-web-casino.ru - 89.45.14.12
super-west-casino.ru - 90.182.175.234
superwincasino.ru - 89.45.14.12
vegas-game-web.ru - 78.46.105.205
vegas-gamez-multi.ru - 89.45.14.12
vegasgamezweb.ru - 89.45.14.12
vipcasinosuper.ru - 89.45.14.12
vip-casino-super.ru - 89.45.14.12
vipnextcasino.ru - 89.45.14.12
vipsupercasino.ru - 89.45.14.12
vip-super-casino.ru - 89.45.14.12
web-casino-super.ru - 89.45.14.12
web-cazino-royal.ru - 89.45.14.12
webgamezroyal.ru - 89.45.14.12
webpartycazino.ru - 89.45.14.12
web-super-casino.ru - 89.45.14.12
west-super-casino.ru - 90.182.175.234
wincasinosuper.ru - 89.45.14.12
win-casino-super.ru - 89.45.14.12
win-cazino-plaza.ru - 89.45.14.12
win-gamez-plaza.ru - 89.45.14.12
winpartycazino.ru - 89.45.14.12
win-party-cazino.ru - 89.45.14.12
winplazacazino.ru - 89.45.14.12
win-plaza-cazino.ru - 89.45.14.12
winsupercasino.ru - 89.45.14.12
win-super-casino.ru - 89.45.14.12
worldcazinoplaza.ru - 89.45.14.12
world-cazino-plaza.ru - 89.45.14.12
worldgamezplaza.ru - 89.45.14.12
world-gamez-plaza.ru - 89.45.14.12
world-plaza-cazino.ru - 89.45.14.12

Monitoring of the campaign is ongoing.

Related posts:
Don't Play Poker on an Infected Table - Part Four
Don't Play Poker on an Infected Table - Part Three
Don't Play Poker on an Infected Table - Part Two
Don't Play Poker on an Infected Table

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Summarizing ZDNet's Zero Day Posts for April

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Thursday, April 28, 2011

Spamvertised "Successfull Order 977132" Leads to Scareware

A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.

Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.

Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.You will receive a separate email confirming your order has been despatched.Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc."
Sample attachments: Order_details.zip

Detection rates:
Order details.exe - Trojan.FakeAV - Result: 24/40 (60.0%)
MD5 : 7c810cbb47c9f937b5f663b51ab7ee50
SHA1 : b4faf8c724727381abb11c44b71605ff6e65cbbf
SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution phones back to :
kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe
pusk.exe - Suspicious.Cloud.5 - Result: 4/41 (9.8%)
MD5 : bbd466a67586003776e295eaf3d2976c
SHA1 : 6a8e1d84157c76b4c9238fc23d28686244f6650f
SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05

Upon execution phones back to:
jyluzovunevu.com - 209.160.45.33 - Email: gray@fxmail.net
sesokiqufikeg.com - 209.160.45.34 - Email: gray@fxmail.net
qyqinisope.com - 64.46.38.207 - Email: gray@fxmail.net
hijocyragap.com - 64.46.38.81 - Email: robin@cutemail.org
puhigygapyhi.com - 64.46.38.81 - Email: gray@fxmail.net
zavewuzykubo.com - 64.46.38.80 - Email: robin@cutemail.org
fepigixypo.com - 64.46.38.29 - Email: pyre@cutemail.org
tozibapah.com - 76.73.16.182 - Email: lays@fxmail.net
qebinehuh.com - 76.73.14.182 - Email: lays@fxmail.net
gygipikalyn.com - 76.73.17.242 - Email: ss@cutemail.org
xygorinazecit.com - 76.73.17.70 - Email: ss@cutemail.org
walireqoxyxyt.com - 64.46.39.185 - Email: orbit@fxmail.net
moririnejuf.com - 64.46.39.184 - Email: purse@mail13.com
jydosucin.com - 64.46.39.200 - Email: arm@fxmail.net
libynozegokido.com - 64.46.39.186 - Email: orbit@fxmail.net
zidacofodafur.com - 64.46.39.212 - Email: gown@cutemail.org
fequxukovo.com - 67.196.15.136 - Email: arm@fxmail.net
gyxyqimacik.com - 67.196.15.138 - Email: purse@mail13.com
wizyvopyla.com - 67.196.15.137 - Email: arm@fxmail.net
gyricehagupy.com - 67.196.15.139 - Email: purse@mail13.com
punemipaqatyc.com - 67.196.15.141 - Email: ulcer@mailae.com
gehotigyry.com - 67.196.15.140 - Email: hp@mail13.com
vufekihoto.com - 67.196.15.105 - Email: arm@fxmail.net
huzomohidid.com - 67.196.15.104 - Email: arm@fxmail.net
posufejez.com - 67.196.15.107 - Email: purse@mail13.com
gewexyvunokyk.com - 67.196.15.106 - Email: purse@mail13.com
fowyqypacytucy.com - 209.160.45.32 - Email: soup@fastermail.ru
koduzuwobow.com - 209.160.45.130 - Email: pyre@cutemail.org
ciluvekypomow.com - 78.46.105.205 - Email: hips@cutemail.org
7hitaxodupi.com - 64.46.38.30

Monitoring of the campaign is ongoing.

Related posts:
Spamvertised "Reqest Rejected" Campaign Serving Scareware
Spamvertised DHL Notifications Scareware Campaign
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev