Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang

The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious domains for a particular campaign, are also, simultaneously rotated across all the campaigns that they manage.

For instance, throughout the past half an year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns, was parked on the now shut down Riccom LTD - AS29550. From the massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang,  to the malvertising attack at the New York Times web site, and the click-fraud facilitating Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang (Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.





Related Koobface research and analysis:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang

Earlier this week, another malvertising campaign affected a popular community, in the face of Facebook's FarmTown.

You have to analyze,  and cross-check it to believe it.

Key summary points:

• the email test@now.net.cn used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -

a Continue reading →

Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities

Malware artifacts, abandoned mass iframe embedded/injected campaigns, and low Quality Assurance (QA) campaigns, continue popping up on everyone's radar, raising eyebrows as to the extend of incompetence, possible evasive tactics, plain simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related currently active malicious campaigns that typically for such type of campaigns, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:
update.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
gdi.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
ver.webserivcekota.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
batch.webserviceaan.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
nemohuildiin.ru/tds/go.php?sid=1 - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
parkperson.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
nutcountry.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised XeroxWorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:
000sstd.com
02143.ru
03111991.ru
0414.ru
0424.ru
050175.ru
054ru.ru
06140.ru
0664346910.ru
0801.ru
08108.ru
087474.ru
08755.ru
0925.ru
0go.ru
1-androds.ru
10000taxi.ru
1001domains.ru
100yss.ru
124k.ru

Moreover, we also got a decent number of malicious MD5s known to have used the same IP as C&C ove the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:
MD5: 3e3d249c43950ac8bedb937f1ea347f5
MD5: 398b5f0c4b8f9adb1db8420801b52562
MD5: 9a1602a2693ae510339ef5f0d25be0b3
MD5: 9bc423773de47d95de1718173ec8485f
MD5: 637db36286b3e300c37e99a0b4772548
MD5: 9829c64613909fbb13fc402f23baff1b
MD5: f23562bafd94f7b836633f1fb7f9e18f
MD5: 7d263c93829447b2399c2e981d66c9df
MD5: 6ee37ead84906711cb2eed6d7f2fcc88
MD5: 54eb099176e7d65817d1b9789845ee4e
MD5: 723618efbd0d3627da09a770e5fd28c2
MD5: 151030c819209af9b7b2ecf2f5c31aa0
MD5: 279d390b9116f0f8ac80321e5fa43453
MD5: f78ff547ce388a403f5ba979025cd556
MD5: afa7090479ac49a3547931fe249c52e3
MD5: a2565684ae4c0af5a99214da83664927
MD5: ce4f032a3e478f4d4cac959b2e999b5a

Known to have responded to 5.63.152.19 are also the following malicious domains:
6tn.ru
azosi.ru
bi-news.ru
buygroup.ru
dnpsirius.ru
enterplus.ru
nemohuildiin.ru
nfs-worlds.ru
rassylka-na-doski.ru
santehnikaoptom.ru
v-odnoklassniki.ru

In a cybercrime ecosystem dominated by leaked DIY mass Web site hacking tools, and sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as the Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects malicious script on it. That's cybercrime-friendly common sense.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities

Malware artifacts, abandoned mass iframe embedded/injected campaigns, and low Quality Assurance (QA) campaigns, continue popping up on everyone's radar, raising eyebrows as to the extend of incompetence, possible evasive tactics, plain simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related currently active malicious campaigns that typically for such type of campaigns, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:
update.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
gdi.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
ver.webserivcekota.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
batch.webserviceaan.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
nemohuildiin.ru/tds/go.php?sid=1 - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
parkperson.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
nutcountry.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised XeroxWorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:
000sstd.com
02143.ru
03111991.ru
0414.ru
0424.ru
050175.ru
054ru.ru
06140.ru
0664346910.ru
0801.ru
08108.ru
087474.ru
08755.ru
0925.ru
0go.ru
1-androds.ru
10000taxi.ru
1001domains.ru
100yss.ru
124k.ru

Moreover, we also got a decent number of malicious MD5s known to have used the same IP as C&C ove the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:
MD5: 3e3d249c43950ac8bedb937f1ea347f5
MD5: 398b5f0c4b8f9adb1db8420801b52562
MD5: 9a1602a2693ae510339ef5f0d25be0b3
MD5: 9bc423773de47d95de1718173ec8485f
MD5: 637db36286b3e300c37e99a0b4772548
MD5: 9829c64613909fbb13fc402f23baff1b
MD5: f23562bafd94f7b836633f1fb7f9e18f
MD5: 7d263c93829447b2399c2e981d66c9df
MD5: 6ee37ead84906711cb2eed6d7f2fcc88
MD5: 54eb099176e7d65817d1b9789845ee4e
MD5: 723618efbd0d3627da09a770e5fd28c2
MD5: 151030c819209af9b7b2ecf2f5c31aa0
MD5: 279d390b9116f0f8ac80321e5fa43453
MD5: f78ff547ce388a403f5ba979025cd556
MD5: afa7090479ac49a3547931fe249c52e3
MD5: a2565684ae4c0af5a99214da83664927
MD5: ce4f032a3e478f4d4cac959b2e999b5a

Known to have responded to 5.63.152.19 are also the following malicious domains:
6tn.ru
azosi.ru
bi-news.ru
buygroup.ru
dnpsirius.ru
enterplus.ru
nemohuildiin.ru
nfs-worlds.ru
rassylka-na-doski.ru
santehnikaoptom.ru
v-odnoklassniki.ru

In a cybercrime ecosystem dominated by leaked DIY mass Web site hacking tools, and sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as the Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects malicious script on it. That's cybercrime-friendly common sense.

Updates will be posted as soon as new developments take place. Continue reading →

Summarizing Webroot's Threat Blog Posts for October

The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform
02. Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part two
03. ‘T-Mobile MMS message has arrived’ themed emails lead to malware
04. DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities
05. Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild
06. New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild
07. Cybercriminals offer spam-friendly SMTP servers for rent – part two
08. Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
09. Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams
10. Compromised Turkish Government Web site leads to malware
11. Novice cyberciminals offer commercial access to five mini botnets
12. Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware
13. Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild
14. Malicious ‘FW: File’ themed emails lead to malware
15. Mass iframe injection campaign leads to Adobe Flash exploits
16. Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)
17. A peek inside the administration panel of a standardized E-shop for compromised accounts
18. U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails
19. New DIY compromised hosts/proxies syndicating tool spotted in the wild
20. Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
21. Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware
22. Fake ‘Important: Company Reports’ themed emails lead to malware
23. Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot
24. Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for September

The following is a brief summary of all of my posts at Webroot's Threat Blog for September, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild
02. Scammers pop up in Android’s Calendar App
03. Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild
04. Managed Malicious Java Applets Hosting Service Spotted in the Wild
05. Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps
06. 419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams
07. Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request
08. Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild
09. Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool
10. Cybercriminals sell access to tens of thousands of malware-infected Russian hosts
11. Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware
12. Cybercriminals experiment with Android compatible, Python-based SQL injecting releases
13. Newly launched E-shop offers access to hundreds of thousands of compromised accounts
14. DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008
15. Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →