Tuesday, May 10, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Seven


Continuing what has turned into a tradition, the "Keeping Money Mule Recruiters on a Short Leash" series, in this post we'll review currently active money mule recruitment sites and provide vital OSINT data on what currently acts as the cornerstone of the monetization process that cybercriminals rely on: risk forwarding, by recruiting money mules to process fraudulently obtained funds.

Description used on the majority of templates:
"Looking to buy art? Sell art? Alternative Art Ltd is the first choice for artists and buyers alike! Alternative Art Ltd is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Alternative Art Ltd is the premier art site for those seeking to buy or sell original art online.

NO COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully optimized to get results FAST! Alternative Art Ltd is the future of buying and selling original art online. Artists who choose to sell their original art will receive maximum marketing exposure. For artists, selling your art has never been easier, faster, or more cost-effective. We will help you sell your original art DIRECTLY to buyers worldwide with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries of original art. Never before has it been this easy for a buyer to select high-quality original art online. We update daily with new original art from our artist members.

Alternative Art Ltd offers casual collectors and serious connoisseurs alike an amazing collection of original art pieces from the world over. You'll enjoy unparalleled customer care from a knowledgeable and friendly staff of experts. For artists, the inconvenience and high costs of traditional galleries are completely eliminated. Our team of experts puts the latest technology to work for you, putting your original art in front of millions of potential art buyers!"

Money mule recruitment domains:


Name servers of notice:


Currently active and responding money mule recruitment domains, residing within AS42708, PORTLANE Network; AS29713, INTERPLEXINC Interplex LLC.; AS24940, HETZNER-AS Hetzner Online AG RZ:

Psychological evaluation tests found within AS29713; basically every domain name has its own associated binary:


Monitoring of money mule recruitment campaigns is ongoing.
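The pivots used throughout this series (domains sharing a hosting IP, sharing a registrant e-mail, or registered with an admin mailbox on a sibling domain) can be applied mechanically to records in the "domain - Email: address - IP" line format used above. The following is an added example, not the post's own tooling; the records are constructed (.invalid names, RFC 5737 addresses) rather than taken from the lists.

```python
"""Pivot a list of suspected recruitment domains on shared hosting IPs,
shared registrant e-mails and admin mailboxes hosted on sibling domains.
Added example; the sample records are constructed, not real indicators."""
import re
from collections import defaultdict

# Constructed lines in the post's "domain - Email: addr - IP" format.
# The repeated upper-case entry mirrors how such lists are often pasted.
SAMPLE_RECORDS = """\
art-group-one.invalid - Email: admin@art-group-one.invalid - 192.0.2.10
art-group-two.invalid - Email: admin@art-group-one.invalid - 192.0.2.11
ART-GROUP-TWO.INVALID - Email: admin@art-group-one.invalid - 192.0.2.11
collins-ltd.invalid - Email: throwaway@freemail.invalid - 198.51.100.7
derwart-ltd.invalid - Email: admin@derwart-ltd.invalid - 198.51.100.7 - seen here
lonely-domain.invalid - 203.0.113.9
"""

# Domain, then optional "- Email: x", then optional "- a.b.c.d"; trailing
# free text such as "seen here" is ignored.
LINE_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?:\s*-\s*Email:\s*(?P<email>\S+))?"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?!\S))?"
)


def parse_records(text):
    """Return de-duplicated (domain, email_or_None, ip_or_None) tuples,
    lower-casing domains and e-mails so FOO.CC and foo.cc collapse."""
    seen, out = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = (m.group("domain").lower(),
               m.group("email").lower() if m.group("email") else None,
               m.group("ip"))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def shared_infrastructure(records):
    """Map each e-mail and each IP to the domains using it, keeping only
    pivots that tie two or more distinct domains together."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for domain, email, ip in records:
        if email:
            by_email[email].add(domain)
        if ip:
            by_ip[ip].add(domain)
    return {
        "email": {k: sorted(v) for k, v in by_email.items() if len(v) > 1},
        "ip": {k: sorted(v) for k, v in by_ip.items() if len(v) > 1},
    }


def cross_domain_admin_links(records):
    """Find domains whose registrant mailbox lives on another domain in
    the same list (e.g. admin@<sibling>), a link the IP pivot can miss."""
    domains = {d for d, _, _ in records}
    links = []
    for domain, email, _ in records:
        if not email:
            continue
        mail_domain = email.split("@", 1)[1]
        if mail_domain != domain and mail_domain in domains:
            links.append((domain, mail_domain))
    return links


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for kind, groups in shared_infrastructure(recs).items():
        for key, doms in groups.items():
            print(f"shared {kind} {key}: {', '.join(doms)}")
    for src, dst in cross_domain_admin_links(recs):
        print(f"{src} registered with a mailbox on {dst}")
```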

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Monday, May 09, 2011

A Peek Inside a New DDoS Bot - "Snap"


Sampling malicious activity through the eyes of the cybercriminal is always beneficial for spotting valuable trends and fads within the ecosystem in a timely manner, provided a decent sample of malicious activity is obtained.

In this post, we'll review a new DDoS bot on the block - "Snap".

This modular bot differentiates itself by letting the buyer choose which modules are added to the final package, and by offering two "proprietary" DDoS functions, namely TurboSYN and TrafficDDoS. Next to its core DDoS functionality, the coder of the bot differentiates it by offering form grabbing, reverse SOCKS, mail spamming, IM spamming and exploit-launching functionality.


More details from the actual proposition:
[+] language the bot is coded in: MASM
[+] no external dependencies, no runtimes, no frameworks!
[+] Ability to work with roaming user accounts
[+] modularized structure of the bot
[+] Second backup service watches process activity and restarts the bot on failover
[+] User Mode r00tkit
-> [+] runs as a service and hides itself
-> [+] hides & protects root process
-> [+] hides & protects files
-> [+] hides the root processes
-> [+] hides already used local & remote TCP port(s)
-> [+] hides already used local & remote UDP port(s)
-> [+] hides already used regkeys
[+] semi-polymorphic architecture
-> [+] uses random legit process, file & service names
-> [+] generates a unique stub every run
[+] bot doesn't use EOF, has no import table, doesn't need relocation or TLS section => very good crypter support
[+] Unicode support for Asian PCs
[+] detects common sandboxes, virtual OSes, emulators, and analysis tools


[================[ Webpanel ]==--

[+] the webpanel is developed with dreamweaver cs5 and ajax framework using mysql and php
[+] multi theme support available
[+] multi command support => every victim can do as many threads as you want it to
[+] reliable protocol which creates the lowest possible server load
[+] modularized structure of the bot


[===[ Modules ]==--

[+] Base price (Core) for 250$

Loader:
[+] Load module (simple) +0$
[+] Load module (extended) for 50$


Proxy:
[+] Socks5 Daemon for 50$
[+] reverse Socks 4/Socks 4a/Socks 5/HTTP(s) for 150$


DDoS:
[+] DDoS Module (http/syn) for 50$
[+] DDoS Module (full) for 100$


DDoS (full) + Load module (extended) + Socks5 Daemon for 400$

Related posts:
Coding Spyware and Malware for Hire
Will Code Malware for Financial Incentives
E-crime and Socioeconomic Factors
Web Based Botnet Command and Control Kit 2.0

Don't Play Poker on an Infected Table - Part Five


A currently spamvertised campaign is enticing end users into downloading a fraudulent online gambling application KingSpinEN.exe. The campaign is part of last month's Don't Play Poker on an Infected Table - Part Four series.

Detection rate:
KingSpinEN.exe - W32/Casino.F.gen!Eldorado - Result:16/43 (37.2%)
MD5   : ead8156a838842bc8463995a91eee08b
SHA1  : 239594a514c461c63dc8da69b08b9b63baaf2579
SHA256: 491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36

Upon execution, the binary phones back to:
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=100
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace_install.cab
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace.cab
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=422
- marketing.valueactive.eu /VIP/animations/en/movies_en.htm

Portfolio of fraudulent online gambling domains that are part of the campaign; the majority are hosted within AS49130, ARNET-AS SC ArNet Connection SRL:

Monitoring of the campaign is ongoing.

Related posts:
Don't Play Poker on an Infected Table - Part Four
Don't Play Poker on an Infected Table - Part Three
Don't Play Poker on an Infected Table - Part Two
Don't Play Poker on an Infected Table


Summarizing ZDNet's Zero Day Posts for April


The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Spamvertised "Reqest Rejected" campaign leads to scareware
02. Spamvertised 'Facebook. Your password has been changed!' emails lead to malware
03. Malware Watch: 'Spam is sent from your FaceBook account'; Spamvertised malicious photos
04. Spamvertised Easter Greetings lead to malware
05. Netcraft survey indicates slow adoption of Extended Validation SSL certificates
06. 'You've got a postcard' emails lead to exploits and scareware
07. Fake antivirus for mobile platform spotted


Thursday, April 28, 2011

Spamvertised "Successfull Order 977132" Leads to Scareware

A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.

Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement. You will receive a separate email confirming your order has been despatched. Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc.
"
Sample attachments: Order_details.zip

Detection rates:
Order details.exe - Trojan.FakeAV - Result: 24/40 (60.0%)
MD5   : 7c810cbb47c9f937b5f663b51ab7ee50
SHA1  : b4faf8c724727381abb11c44b71605ff6e65cbbf
SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution, the binary phones back to:
kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe:
pusk.exe - Suspicious.Cloud.5 - Result: 4/41 (9.8%)
MD5   : bbd466a67586003776e295eaf3d2976c
SHA1  : 6a8e1d84157c76b4c9238fc23d28686244f6650f
SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05


Upon execution, pusk.exe phones back to:

Monitoring of the campaign is ongoing.

Related posts:
Spamvertised "Reqest Rejected" Campaign Serving Scareware
Spamvertised DHL Notifications Scareware Campaign
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware


Tuesday, April 12, 2011

Spamvertised "Reqest Rejected" Campaign Serving Scareware


A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
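Both this campaign and the "Successfull Order" one above rely on the same attachment trick: a zip archive carrying an executable, or a double extension such as EX-38463.pdf.exe that hides the real file type behind a document extension. The following gateway-style check is an added example, not code from the post; the archive it inspects is constructed in memory with names modelled on the two campaigns.

```python
"""Gateway-style checks for the attachment pattern used by these runs:
a zip carrying an executable ("Order_details.zip" -> "Order details.exe")
or a double extension such as "EX-38463.pdf.exe".  Added example, not
the post's own code; the archive below is constructed in memory."""
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg"}


def classify_name(name):
    """Verdict from the file name alone."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "no-extension"
    if parts[-1] in EXECUTABLE_EXT:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
            return "double-extension-executable"
        return "executable"
    return "ok"


def looks_like_pe(head):
    """Windows executables start with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def inspect_zip(data):
    """Return (member name, verdict) for each suspicious member of an
    in-memory zip.  Name checks run first; a member whose name looks
    harmless but whose content starts with MZ is flagged separately."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict == "ok":
                with zf.open(info) as fh:
                    if looks_like_pe(fh.read(2)):
                        verdict = "disguised-executable-content"
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip(members):
    """Construct a zip in memory from {name: bytes} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: two names modelled on the campaigns above, one
# document name hiding an MZ header, and one genuinely harmless text file.
SAMPLE_ZIP = build_sample_zip({
    "Order details.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "EX-38463.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "readme.txt": b"plain text, nothing to see",
})

if __name__ == "__main__":
    for name, verdict in inspect_zip(SAMPLE_ZIP):
        print(f"{name}: {verdict}")
```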

Detection rate:
EX-38463.pdf.exe - TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution, the binary downloads hdjfskh.net/ pusk.exe - 208.43.90.48 - Email: admin@firtryt.biz

Detection rate:
pusk.exe - FakeAlert-CN.gen.aa - Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution, pusk.exe phones back to the following domains, residing within AS19875, AS8001, AS24940, AS32475 and AS32097:

Monitoring of the campaign is ongoing.
