Wednesday, April 22, 2009

Massive Blackhat SEO Campaign Serving Scareware

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on, Google detected the campaign and removed all the blackhat SEO farms from its index; at the time of assessment these amounted to close to a hundred domains with hundreds of subdomains and thousands of pages within.

And although the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up and once again start hijacking search queries, in a combination of scareware and pay-per-click redirections.

It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.

The first stage of the campaign was relying on mainstream media titles within its pages such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts at wandering around the pages -- and removed the titles, which, combined with the typical referrer checking, made the campaign a bit more evasive:

var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++

Once the user visits any of the domains within the portfolio, with a referrer check confirming that they arrived via a search engine, two JavaScripts load: one dynamically redirects to the portfolio of fake security software, and the other logs the visit using a Ukrainian web site counter service (c.hit.ua/hit?i=6058&g=0&x=2&s=1&c=1&t=420&w=1024&h=768&d=24&0.5505934176708958&r=&u=http%3A//13news.hobby-site.com/counter.js).


The most recent list of domains on popular DNS services is as follows; subdomains are excluded, since there are several hundred currently active per domain:

The rotated scareware/fake security software domains include scan-antispyware-4pc .com, parked at 195.88.81.93, within the same portfolio of fake security software domains that I previously warned about: blocking them proactively protects your customers from blackhat SEO campaigns like this one.


Download locations and related fake codec redirection domains were also identified for this campaign.

Sample detection rates were also obtained for the executables served from these download locations.

Monitoring of the campaign will continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Thursday, April 16, 2009

A CCDCOE Report on the Cyber Attacks Against Georgia

Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (on page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defense Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified" and authored by Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul, is not only quoting me extensively, but has also reproduced the entire research within the Annexes.

Looks great!

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks

A Diverse Portfolio of Fake Security Software - Part Nineteen

You know things are getting out of hand when the scareware ecosystem scales to the point where typosquatted scareware domains offer removal services for the very same scareware, distributed under multiple brands.

In response to the potential Conficker-ization of the scareware business, part nineteen of the Diverse Portfolio of Fake Security Software is the most massive update since the series started, and with a reason - to squeeze the cybercrime ecosystem and ruin the revenue generation approaches that rely on its malicious economies of scale.

Here are the most recent additions, with their associated registrant emails for clustering, cross-checking, and case building purposes:


seresult.com is a traffic management domain for the campaign (e.g. seresult .com/go.php?id=3466).


Blacklisting the scareware domains -- until the domains themselves get suspended -- proactively protects your customers from the "final output" of a huge percentage of attacks that take advantage of blackhat SEO, SQL injection, site compromise, malvertising, and automated abuse of Web 2.0 services through human-based CAPTCHA solving, such as Digg, LinkedIn, Bebo, Picasa, ImageShack, YouTube and Google Video.
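Clustering the registrant e-mails and hosting IPs (as the part nineteen post recommends for cross-checking and case building) and turning the result into a blocklist is routine work on lists like these. The following is an added example of mine, not the blog's tooling: it parses records in the defanged "domain .tld - IP - Email: x" layout used throughout these posts, groups them by registrant and by IP, and emits a hosts-file style blocklist. The records in SAMPLE_RECORDS are constructed placeholders, not the campaign's domains.

```javascript
// Added example: parse the defanged registrant records these posts use,
// cluster them, and emit a blocklist. SAMPLE_RECORDS is constructed
// placeholder data in the posts' layout, not the campaign's real domains.

const SAMPLE_RECORDS = `
abc123 .example - 192.0.2.10 - Email: reg-one@mail.example
def456 .example - 192.0.2.10 - Email: reg-one@mail.example
ghi789 .example - Email: reg-two@mail.example
jkl012 .example (192.0.2.20) Some Name Email: reg-two@mail.example
mno345 .example
`;

// Re-fang "name .tld" / "name. tld" into a real lowercase hostname.
function refang(s) {
  return s.replace(/\s*\.\s*/g, ".").toLowerCase();
}

// One record per line: leading defanged domain, optional IPv4 (bare or in
// parentheses), optional registrant e-mail (with or without an "Email:" label).
function parseRecord(line) {
  const t = line.trim();
  const dom = /^([a-z0-9-]+(?:\s*\.\s*[a-z0-9-]+)+)/i.exec(t);
  if (!dom) return null;
  const ip = /\b(\d{1,3}(?:\.\d{1,3}){3})\b/.exec(t);
  const email = /([a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,})/i.exec(t);
  return {
    domain: refang(dom[1]),
    ip: ip ? ip[1] : null,
    email: email ? email[1].toLowerCase() : null,
  };
}

function parseRecords(text) {
  return text.split("\n").map(parseRecord).filter(Boolean);
}

// Group domains by a shared attribute ("email" or "ip"); records lacking the
// attribute are skipped. One e-mail across many domains, or several
// registrants sharing an IP, is the cross-check the post describes.
function clusterBy(records, key) {
  const groups = new Map();
  for (const r of records) {
    if (!r[key]) continue;
    if (!groups.has(r[key])) groups.set(r[key], []);
    groups.get(r[key]).push(r.domain);
  }
  return groups;
}

// Hosts-file style sinkhole list, de-duplicated (the posts repeat domains
// across clusters) and sorted for stable diffs.
function toHostsBlocklist(records) {
  const uniq = [...new Set(records.map((r) => r.domain))].sort();
  return uniq.map((d) => `0.0.0.0 ${d}`).join("\n");
}
```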

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Wednesday, April 15, 2009

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

Not necessarily in real-time (Syndicating Google Trends Keywords for Blackhat SEO) but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm StalkDaily/Mikeyy.

What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual/group of individuals, or that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g. my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice - referrer checking - in order to serve or not to serve the malicious content.

For instance, once deobfuscated, the script checks whether the user is coming from one of the following search engines: var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if (document.referrer)ref = document.referrer;. If the user (or researcher) is simply browsing the pages directly, a blackhat SEO page with no malicious redirections is served.
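The referrer gate quoted here and the one quoted in the April 22 campaign post (the "google.", "msn.", ... "dead" array with its for(i=0;i<5;i++) loop) are the same trick. The following is an added example, not code from the campaign or from this blog: it pulls the marker list and loop bound out of captured script text and models the gate, so an analyst can predict, without executing the script, which referrers receive the redirect and which get the harmless page. SAMPLE_SCRIPT is the snippet quoted in the April 22 post; function names and sample referrers are constructed.

```javascript
// Added example: model the referrer gate used by the doorway pages without
// executing attacker code. SAMPLE_SCRIPT is the snippet quoted in the blog
// post; function names and the sample referrers are constructed.

const SAMPLE_SCRIPT =
  'var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); ' +
  'if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++';

// Recover the search-engine marker list and the hard-coded loop bound from
// captured script text. Quotes are stripped after trimming, so a marker such
// as " comcast" (leading space, as quoted in the Mikeyy post) is preserved.
function extractGate(scriptText) {
  const arr = /var\s+se\s*=\s*new\s+Array\(([^)]*)\)/.exec(scriptText);
  if (!arr) return null;
  const markers = arr[1]
    .split(",")
    .map((s) => s.trim().replace(/^["']|["']$/g, ""));
  const loop = /for\s*\(\s*i\s*=\s*0\s*;\s*i\s*<\s*(\d+)/.exec(scriptText);
  const limit = loop ? parseInt(loop[1], 10) : markers.length;
  return { markers, limit };
}

// Mirror the gate's logic: substring match of each marker against the
// referrer, checking only the first `limit` markers, exactly as the loop does
// (so the sixth entry, "dead", is never consulted).
function isSearchEngineReferrer(referrer, gate) {
  const ref = referrer || "";
  const n = Math.min(gate.limit, gate.markers.length);
  for (let i = 0; i < n; i++) {
    if (ref.indexOf(gate.markers[i]) !== -1) return true;
  }
  return false;
}

// Which branch a visitor would receive from the doorway page.
function classifyVisit(referrer, gate) {
  return isSearchEngineReferrer(referrer, gate)
    ? "malicious-redirect"
    : "benign-seo-page";
}

// The list quoted from the usa.js sample in the Mikeyy post. Note the leading
// space in " comcast": as quoted, a comcast.net referrer never matches.
const MIKEYY_GATE = {
  markers: ["google", "msn", "aol.com", "yahoo", " comcast"],
  limit: 5,
};
```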

The following are all of the currently active and participating domains/subdomains:

The redirection process consists of two layers. The first one redirects to hjgf .ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93); the second one takes place through a well-known malicious doorway redirecting domain, hqtube .com/to_traf_holder.html (88.85.66.116), which either serves a fake codec that drops the scareware, or the scareware itself from files.ms-load-av .com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:
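The two-layer chain described here (a TDS go.php redirector, then a doorway page that redirects client-side to a fake codec or the scareware binary) is what an analyst has to walk hop by hop. The following added example is mine, not tooling from this blog: it follows HTTP 3xx, meta-refresh and script location redirects with a loop guard, using an injected fetcher and constructed responses on .example placeholder hostnames rather than the campaign's real domains.

```javascript
// Added example: trace a TDS -> doorway -> payload redirection chain offline.
// The fetcher is injected so the walk runs against the constructed responses
// below; all hostnames are RFC 2606 .example placeholders.

// Extract the next hop from a response: Location header on a 3xx, a
// <meta http-equiv="refresh"> tag, or a script assignment to location.
// (location.replace(...) calls are not covered here.)
function nextHop(resp, currentUrl) {
  const h = resp.headers || {};
  const loc = h.location || h.Location;
  if (resp.status >= 300 && resp.status < 400 && loc) {
    return { kind: "http", url: new URL(loc, currentUrl).href };
  }
  const body = resp.body || "";
  let m = /<meta[^>]+http-equiv=["']?refresh["']?[^>]*content=["']\s*\d+\s*;\s*url=([^"'>\s]+)/i.exec(body);
  if (m) return { kind: "meta-refresh", url: new URL(m[1], currentUrl).href };
  m = /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/i.exec(body);
  if (m) return { kind: "script", url: new URL(m[1], currentUrl).href };
  return null;
}

// Walk the chain, recording each hop; stops on a loop, a dead end or maxHops.
// `headers` lets the caller supply whatever Referer the cloaking gate expects.
function traceChain(fetcher, startUrl, headers = {}, maxHops = 10) {
  const hops = [];
  const seen = new Set();
  let url = startUrl;
  while (url && hops.length < maxHops) {
    if (seen.has(url)) {
      hops.push({ url, note: "loop detected" });
      break;
    }
    seen.add(url);
    const resp = fetcher(url, headers);
    const next = nextHop(resp, url);
    hops.push({ url, status: resp.status, via: next ? next.kind : null });
    url = next ? next.url : null;
  }
  return hops;
}

// Constructed responses modelling the chain in the post: SEO page -> TDS
// redirector -> doorway -> payload, plus a two-node loop for the guard.
const CONSTRUCTED_SITE = {
  "http://seo.example/news.html": {
    status: 200, headers: {},
    body: '<meta http-equiv="refresh" content="0;url=http://tds.example/go.php?id=1">',
  },
  "http://tds.example/go.php?id=1": {
    status: 302, headers: { location: "http://doorway.example/to_traf_holder.html" },
  },
  "http://doorway.example/to_traf_holder.html": {
    status: 200, headers: {},
    body: '<html><script>window.location="http://files.payload.example/setup.exe";</script></html>',
  },
  "http://files.payload.example/setup.exe": {
    status: 200, headers: { "content-type": "application/octet-stream" }, body: "MZ...",
  },
  "http://loop.example/a": { status: 302, headers: { location: "/b" } },
  "http://loop.example/b": { status: 302, headers: { location: "/a" } },
};

function constructedFetch(url) {
  return CONSTRUCTED_SITE[url] || { status: 404, headers: {}, body: "" };
}
```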


The bottom line - the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.

Tuesday, April 14, 2009

Conficker's Scareware/Fake Security Software Business Model

It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet would have to switch to a monetization phase and start earning revenue by using well-proven business models within the cybercrime ecosystem.

Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two), or hosting of scams and spam, of which we've already seen related cases: a money mule recruitment agency using ASProx's fast-flux network services, next to Srizbi's botnet managed spam service propositions.

How come? Pretty simple, starting from the fact that scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks is often an easy way for cybercriminals to quickly launder large amounts of money in a typical win-win revenue sharing scheme.

The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact - that in a cybercrime ecosystem visibility is not just proportional to decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection), but also that, despite their risk-decreasing revenue sharing model, the "follow the money trail" practice becomes more and more relevant.

The most recent variant (Net-Worm.Win32.Kido.js) is the group's second attempt to monetize the botnet, following the original Conficker variant's traffic converter connection pushing fake security software. According to Aleks Gostev at Kaspersky Labs:

"One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we've got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009.com."

Regular researchers/law enforcement followers of the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme the latest Conficker variant is using. The currently active/recently registered SpywareProtect portfolios are managed by Geraldevich Viktus (Email: krutoymen2009@inbox.ru) and, conveniently, just as Kaspersky states, are all parked in Ukraine.

If you remember, according to SRI International's analysis of the Conficker worm, the authors signalled a national preference from the first release, which "randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database." Also, "Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian." This was followed by a third Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors. Specifically, we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina."

SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009 .com (94.232.248.53) Ukraine Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC
spyware-protector-2009 .com
spy-protect-2009 .com
spywprotect .com


The second portfolio is also parked in Ukraine as follows:
sysguard2009 .com (195.245.119.131) AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine
swp2009 .com
spwrpr2009 .com
alsterstore .com
adwareguard .net


In a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g. spywrprotect-2009 .com) and Zeus crimeware campaigns can be established, since particular droppers, which used to be hosted at the following locations, have been known to install the scareware next to Zeus crimeware:

capitalex .ws/adv.bin (213.155.10.176)
cashtor .net/tor22/tor.bin (91.193.108.222)
goldarea .biz/adv.bin (91.197.130.39)

It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves, which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking even on their investment?

In a network whose activities will inevitably start converging with those of the rest of the cybercrime ecosystem's participants -- the Waledac connection -- it's crucial to keep the track-down-and-prosecute process as simple as possible. In this case, the asset liquidity obsession of the Conficker authors, or of the customers of their botnet services, may easily end up in someone's $250k reward claim. Patience is a virtue.

Wednesday, April 08, 2009

A Diverse Portfolio of Fake Security Software - Part Eighteen

With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime committing capabilities.

Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also have parked ilovemyloves .com, one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007, which was then parked at the RBN's HostFresh infrastructure (58.65.239.28). Behind the malware campaign back then was the "New Media Malware Gang" (Part Three; Part Two and Part One), which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the group's direct involvement in the malware campaigns at the Azerbaijani Embassies in Pakistan and Hungary.

It gets even more interesting to see what they're up to in 2009, considering the fact that they have also parked (at 174.129.241.185 and 174.129.244.106) domains used in a currently ongoing Facebook phishing campaign, which is switching themes from Match.com to Classmates.com:


The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software