Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Tuesday, May 11, 2010

Dissecting the Mass DreamHost Sites Compromise

Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.

What's particularly interesting about the campaign, is not just the Hilary Kneber connection, but also, the fact that a key command and control domain part of the Koobface botnet, is residing within the same AS where the nameservers, and one of actual domains (kdjkfjskdfjlskdjf.com/ kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns are.

These gangs are either aware of one another's existence, are the exact same gang doing basic evasive practices on multiple fronts, or are basically customers of the same cybercrime-friendly hosting service provider.

The DreamHost campaign structure, including the detection rates, phone back locations, is as follows:
- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com
- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl
- www1.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl

Active client-side exploits serving, redirector domains parked on the same IP 109.196.143.56:
zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: hilarykneber@yahoo.com
yahoo-statistic.com - Email: hilarykneber@yahoo.com
primusdns.ru - Email: samm_87@email.com
freehost21.tw - Email: hilarykneber@yahoo.com
alert35.com.tw - Email: admin@zalert35.com.tw
indesignstudioinfo.com - Email: hilarykneber@yahoo.com

Historically, the following domains were also parked on the same IP 109.196.143.56:
bananajuice21.net - Email: hilarykneber@yahoo.com
winrar392.net - Email: lacyjerry1958@gmail.com
best-soft-free.com - Email: lacyjerry1958@gmail.com
setyupdate.com - Email: admin@setyupdate.com

Detection rate for the scareware pushed in the campaign:
- packupdate_build107_2060.exe - TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52%) with the sample phoning back to:
update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl
update1.myownguardian.com - 74.118.194.78 - Email: gkook@checkjemail.nl
secure1.saefty-guardian.com - 94.228.220.112 - Email: gkook@checkjemail.nl
report.zoneguardland.net - 91.207.192.25 - Email: gkook@checkjemail.nl
report.land-protection.com - 91.207.192.24 - Email: gkook@checkjemail.nl
www5.our-security-engine.net - 94.228.220.111 - Email: gkook@checkjemail.nl
report1.stat-mx.xorg.pl
update1.securepro.xorg.pl

Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI:
ns1.oklahomacitycom.com
ns2.oklahomacitycom.com

What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:

Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php

Detection rates for the malware pushed from the same IP where a key Koobface botnet's C&C is hosted:
- 55.pdf - JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1%)
- dm.exe - Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81%)
- wsc.exe - Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81%)

The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.

Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.

Related posts:
U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

Hilary Kneber related activity:
The Kneber botnet - FAQ
Celebrity-Themed Scareware Campaign Abusing DocStoc
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Four

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dissecting the Mass DreamHost Sites Compromise

Dancho Danchev

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

Deja vu!

Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by "Fulldls.com - Your source for daily torrent downloads".

Why deja vu? It's because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling of Russian Business Network activity, with their mass "input validation abuse" campaign back then, successfully appearing on numerous high-trafficked web sites, serving guess what? Scareware.

Moreover, despite the surprisingly large number of people still getting impressed by the use of http referrers as an evasive practice applied by the cybercriminals, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:

So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it.

The most recent compromise of TorrentReactor.net appears to be taking place through a malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet.

The campaign structure, including detection rates, phone back locations and ZeuS crimeware fast-flux related data is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
    - ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)
    - lo.dep.lt /info/us1.html - 91.212.127.110 - lo.dep.lt - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD
        - 91.216.3.108 /de1/index.php; 91.216.3.108 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
            - 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru

Upon successful exploitation, the following malicious pdf is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15%) which when executed phones back to 91.216.3.108 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru

Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: bust@qx8.ru
jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: blare@bigmailbox.ru
laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru
line-ace.com - Email: greysy@gmx.com
xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: mated@freemailbox.ru

Name servers of notice:
ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net
ns2.rexonna.net - 25.120.19.23
ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com
ns2.line-ace.com - 67.15.223.219
ns1.growthproperties.net - 62.19.3.2 - Email: growth@support.net
ns2.growthproperties.net - 15.94.34.196
ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158

These particular iFrame injection Russian Business Network's campaigns from 2008, used to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Excerpts from previous profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:

The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.

Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web sessions of the URL acting as a redirector), the exact same URL that was in circulating in 2008, residing on the Russian Business Network's netblock back then, still active, but also, it's currently redirecting to -- if the campaign's evasive conditions are met -- to www4.zaikob8.xorg.pl/?uid=213&pid=3&ttl=31345701120 - 217.149.251.12.

What this proves is fairly simple - with or without the Russian Business Network the way we used to know it, it's customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblocks ownership.

Related posts:
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it.

The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.

Dancho Danchev

Saturday, May 08, 2010

From the Koobface Gang with Scareware Serving Compromised Sites

Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities, from the last couple of days.

Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromises sites, in a combination with an interesting "visual social engineering trick", across Facebook, which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tips.

Recommended reading: 10 things you didn't know about the Koobface gang

The diverse set of activities courtesy of the Koobface gang -- consider going through the related posts in order to understand their underground multitasking mentality beyond the Koobface botnet itself -- are a case study on the abuse of legitimate infrastructure with clean IP/AS reputation, for purely malicious purposes.

This active use of the "trusted reputation chain", just like the majority of social engineering centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average Internet user. Here's an example of the most recent campaign.

The spreading of fully working links such as the following ones across Facebook:
facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk

aims to trick the infected user's friends, that this is a Facebook.com related link. Clicking on this link inside Facebook leads to the "Be careful" window showing just the bit.ly redirector, to finally redirect to 198.65.28.86/swamt/ where a Koobface bogus video has already been seen by 2,601 users which have already clicked on the link.

The scareware redirectors/actual serving domains are parked at 195.5.161.126, AS31252, STARNET-AS StarNet Moldova:
1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn

Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%)

The scareware sample phones back to:
- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy-protect.cn

The complete list of compromised sites distributed by Koobface-infected Facebook users:

02f32e3.netsolhost.com /o492dc/
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2cgg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /1hkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/

euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /l04s8m2/
forwardmarchministries.org /1bc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /1azl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /j15/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fltwizy/
hottesttomato.com /6b/
iglesiabetania1.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/

jsacm.com /z6/
kabchicago.info /1cgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /cg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /v1g/
mia-nilsson.se /cmc/
microstart.fr /lzu1/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /z1/
neweed.org /x4t/
nosneezes.com /5hjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/

Recommended reading: Dissecting Koobface Gang's Latest Facebook Spreading Campaign

partenaires-particuliers.fr /uo/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3a1gz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvl.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9q115/
sgottnerivers.com /y0j16rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/