Wednesday, May 06, 2009
Spamvertised Swine Flu Domains - Part Two
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Dissecting a Swine Flu Black SEO Campaign
Remember the Ukrainian group of cyber criminals that was responsible for last week's massive blackhat SEO campaign that was serving scareware, followed by the timely hijacking of Mickeyy worm keywords a week earlier to once again serve rogue security software?They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.
Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.
Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.
What follows is the usual referrer check : "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140) acting as central redirection point to the typosquatted portfolio of rogue security software domains.The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:
antivirusbestscannerv1 .com
antivirus-powerful-scanv2 .com
antivirus-powerful-scannerv2 .com
virusinfocheck .com
vrusstatuscheck .com
adware-removal-tool .com
1quickpcscanner .com
1spywareonlinescanner .com
1computeronlinescanner .com
1bestprotectionscanner .com
securityhelpcenter .com
antivirus-online-pro-scan .com
securedonlinecomputerscan .com
antispywarepcscanner .com
securedvirusscanner .com
virusinfocheck .com
antivirusbestscannerv1 .com
antispywareupdateservice .com
platinumsecurityupdate .com
antispywareupdatesystem .com
onlineupdatessystem .com
softwareupdatessystem .com
securedpaymentsystem .com
infosecuritycenter .com
antispywareproupdates .com
securedsoftwareupdate .cn
securedupdateslive .cn
thankyouforinstall .cn
securityupdatessystem .cn
securedsystemresources .cn
securedosupdates .cn
windowssecurityupdates .cn
Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1
Related phone-back locations:
liveavantbrowser2 .cn - (83.133.123.140)
securedliveuploads .com
liveavantbrowser2 .cn
awardspacelooksbig .us
crytheriver .biz
softwareupdatessystem .com
securedsoftwareupdate .cn
securedupdateslive .cn
securedosupdates .cn
Blackhat SEO subdomains at the free web site hosting services:2qnews.07x .net
2rnews.07x .net
1news.07x .net
1knews.07x .net
1xnews.07x .net
gerandong.07x .net
kort.07x .net
30newsx.07x .net
4dnews.07x .net
4dnews.07x .net
laptop.07x .net
30newsf.07x .net
Blackhat SEO domains participating in the second multi-theme campaign:
01may2009 .us
m1m18test .us
m1m17test .us
m1m21test .us
m1m11test .us
m1m16test .us
m1m20test .us
m1m15test .us
m1m14test .us
m1m13test .us
m1m11test .us
m1m15test .us
m1m19test .us
f9o852test .us
f9o851test .us
f9o87test .us
f9o86test .us
f9o5test .us
f9o8test .us
ff7test5 .us
g2g1test .us
Blackhat SEO domains participating in the third campaign:greg-page-boxing.6may2009 .com - 212.95.58.156
dualsaw.06may2009 .com
craigslist-killer.5may2009 .com
Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 78.129.166.166; 91.212.132.12, with the following domains parked at the same IPs:
xxxtube-for-xxxtube .com
youporn-for-free .com
xtube-xmovie .com
free-xxx-central .com
xtube-downloads .com
porn-tube-movies .com
my-fuck-movies .com
niche-tube-videos-here .net
free-tube-video-central .net
tubezzz-boobezzz .net
hot-tube-tuberzzz .net
Persistence must be met with persistence.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Friday, May 01, 2009
Summarizing Zero Day's Posts for April
The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can also go through previous summaries for March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion and Twitter hit by multiple variants of XSS worm.
01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, April 30, 2009
419 Scam Artists Using NYTimes.com 'Email this' Feature
In times when more and more scammers/spammers are getting DomainKeys verified, others are finding adaptive ways to increase the probability of bypassing antispam filters.Take for instance this 419s scam artist, that's been pretty active in his scamming attempts as of recently.
Basically, he's exploiting the fact that he's allowed to enter a message within NYTimes.com's 'Email this" feature, whereas it will successfully reach the potential victim based on clean IP reputation of NYTimes - and sadly, he's right since he's already sending scam messages through the following accounts registered at the site:douglas_999@live.fr
douglas77@live.fr
mamadou_sanou@live.fr
markkabore0@yahoo.fr
abdelk11@hotmail.fr
sulem_musa@live.fr
davidbchirot@hotmail.com
His excuse for using NYTimes.com? - "Based on the bank high sensitiveness and security i have decided to contact you outside the bank's sever IP for a beneficial transaction."Another scam that I've been tracking for a while is using a new "Hand bag stolen at Barcelona air port" social engineering attempt, and is attaching scanned copies of real baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you don't know what advance fee fraud is.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, April 29, 2009
Massive SQL Injections Through Search Engine's Reconnaissance - Part Two
From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of the, for instance, ASProx botnet the process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots.
In 2004, the Santy worm advertised the feature to the not so efficiently centered hordes of script kiddies back then. Due to its simplicity, but huge potential for abuse, the concept of SQL injections through search engines reconnaissance has not only reached a real-time syndication with the latest remotely exploitable web application vulnerabilities, but has also converged with remote file inclusion checks, local file inclusion checks, and ip2geolocation to unethically pen-test a particular country going beyond its designated domain extension.A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw featured at Milworm, based on its real-time syndication of the exploits. Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site.
Some of the features include:- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it
The commoditization of these features results in a situation where the window of opportunity for abusing a partcular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time.
The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use.
Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, April 28, 2009
Spamvertised Swine Flu Domains
The people behind the ongoing swine flu spam campaign have either missed their marketing lectures, haven't been to any at all, or are simply too lazy -- their processing order is not even using SSL -- to fully exploit the marketing window opened by the viral oubreak - the majority of spamvertised domains are redirecting to your typical Canadian Pharmacy scam, instead of swine flu related templates.Swine flu spamvertised domains:
lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn;meysujib.cn; qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; pegvijuc.cn; bubkenuc.cn; fixfunuc.cn;
Happy blacklisting/cross-checking!
Related posts:
Inside an Affiliate Spam Program for Pharmaceuticals
Love is a Psychedelic, Too
Pharmaceutical Spammers Targeting LinkedIn
Fast-Flux Spam and Scams Increasing
Storm Worm Hosting Pharmaceutical Scams
Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings
Incentives Model for Pharmaceutical Scams
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)