Friday, September 25, 2009

Dissecting September's Twitter Scareware Campaign

UPDATE:  4 hours after notification, Twitter has suspended the remaining bogus accounts. Until the next time, when the reCAPTCHA recognition gets cost-effectively outsourced for automatic scareware-serving purposes.

Over the last couple of days, my Ukrainian "fan club" -- fan club in a sarcastic sense, given the love, more love, even more love and gratitude shown so far -- has once again started abusing Twitter by automatically generating bogus accounts that tweet scareware-serving links while syndicating Twitter's trending topics.

This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cybercrime enterprise, is done "in between" the rest of their malicious activities. What's worth pointing out is that just like the most recent malvertising campaign at NYTimes.com, the Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, making it fairly easy to establish connections between these and the ongoing Twitter campaign.

By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 80 tweets have been published per single account. Here's the most recent list of currently active Twitter accounts tweeting scareware links:

The accounts are relying on identical short URLs, with the following ones still active and in circulation:

The short URLs rely on several redirectors to finally land the end user on a scareware site, such as securityland .cn and imagination-1 .com:

securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP are also:
abclllab .com
0lenfo .com
ynoubfa .cn
protectinstructor .cn
immitations-all .net
1limbo .net

imagination-1 .com - 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on the same IP are also:
bombas10 .com
graves111 .com
iriskas .com
yvicawo .cn


Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware domains pushed in the ongoing U.S. Federal Forms themed blackhat SEO campaign have been registered using it. That very same blackhat SEO campaign, whose central redirectors are a-n-d-the .com/wtr/router.php - 95.168.177.35 - and in-t-h-e .cn - 72.21.41.198 - (hosted by Layered Technologies, Inc.), mimics the campaign structure of 2008's massive input validation abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns.

Moreover, the same email has been used to register two of the "phone-back" domains for the scareware pushed in the blackhat SEO campaign and the NYTimes.com malvertising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and securemysystem .net - Email: gertrudeedickens@text2re.com.
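The pivoting the post performs by hand (shared registrant email, shared hosting IP) can be automated. The following is an added example, not code from the post, run over a small record set transcribed from the indicators above; the campaign labels and the record layout are my own assumptions.

```python
from collections import defaultdict, deque

# Constructed sample set transcribed from the indicators the post discusses; unknown fields are None.
RECORDS = [  # (domain, hosting ip, registrant email, campaign the post attributes it to)
    ("securityland.cn", "64.86.25.201", "keithdgetz@gmail.com", "twitter-scareware"),
    ("abclllab.com", "64.86.25.201", None, "twitter-scareware"),
    ("imagination-1.com", "64.86.25.202", "gertrudeedickens@text2re.com", "twitter-scareware"),
    ("windowsprotection-suite.net", None, "gertrudeedickens@text2re.com", "blackhat-seo"),
    ("securemysystem.net", None, "gertrudeedickens@text2re.com", "nytimes-malvertising"),
    ("mysecurityguru.cn", "64.86.16.170", "andrew.fbecket@gmail.com", "nytimes-malvertising"),
    ("mainsecsys.info", None, "andrew.fbecket@gmail.com", "fake-av-portfolio-22"),
]

def pivots_of(rec):
    """Pivot keys for one record: 'ip:<addr>' and 'email:<addr>', skipping unknown fields."""
    _domain, ip, email, _campaign = rec
    return [k for k in (ip and f"ip:{ip}", email and f"email:{email}") if k]

def pivot_index(records):
    """Map each pivot key to the records sharing it (the 'parked on the same IP' view)."""
    index = defaultdict(list)
    for rec in records:
        for key in pivots_of(rec):
            index[key].append(rec)
    return index

def cross_campaign_pivots(records):
    """Pivots that tie two or more campaigns together, with the sorted campaign names."""
    out = {}
    for key, recs in pivot_index(records).items():
        campaigns = sorted({r[3] for r in recs})
        if len(campaigns) > 1:
            out[key] = campaigns
    return out

def pivot_path(records, src, dst):
    """BFS over domain -> pivot -> domain edges; returns the chain or None if unrelated."""
    index, by_domain = pivot_index(records), {r[0]: r for r in records}
    if src not in by_domain or dst not in by_domain:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        dom = queue.popleft()
        if dom == dst:  # rebuild the chain backwards through the recorded (domain, pivot) steps
            chain = [dom]
            while prev[dom] is not None:
                dom, key = prev[dom]
                chain += [key, dom]
            return chain[::-1]
        for key in pivots_of(by_domain[dom]):
            for rec in index[key]:
                if rec[0] not in prev:
                    prev[rec[0]] = (dom, key)
                    queue.append(rec[0])
    return None
```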

The following scareware domains are not just used within the Twitter campaign; some of them have also been detected as part of blackhat SEO campaigns:

Sampled scareware also phones back to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com. The same phone-back domain was used in the scareware sampled from the NYTimes.com malvertising attack, and the same email also belongs to a scareware domain (mainsecsys .info) listed in the Diverse Portfolio of Fake Security Software - Part Twenty Two for July.

The cybercrime powerhouse behind all these attacks continues to maintain the largest market share of systematic Web 2.0 abuse, which includes its involvement in the Koobface botnet.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
The Twitter Malware Campaign Wants to Bank With You
Does Twitter’s malware link filter really work?
Commercial Twitter spamming tool hits the market
Cybercriminals hijack Twitter trending topics to serve malware
Spammers harvesting emails from Twitter - in real time
Twitter hit by multiple variants of XSS worm

This post has been reproduced from Dancho Danchev's blog.

Wednesday, September 16, 2009

Koobface Botnet's Scareware Business Model

UPDATE1: Trend Micro just confirmed the ongoing double-layer monetization of Koobface. Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, followed by two recently updated Koobface components.

The new scareware domains kjremover .info and lrxsoft .info - 212.117.160.21 - Email: niclas@i.ua actually download the scareware from the well-known q2bf0fzvjb5ca .cn portfolio, which phones back to the same domains listed previously, with only a slight change in the filename - urodinam .net/8732489273.php. The updated components (61.235.117.83 /bin/get.exe; 61.235.117.83 /bin/v2webserver.exe) were also checked for generic detection rate, with get.exe phoning back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular gdehochesh .com/adm/index.php.
 
Just like Conficker, the Koobface botnet is no stranger to the scareware business model and the potential for monetization of the hundreds of thousands of infected hosts.

However, changes made in the campaign structure of the Koobface botnet during the last couple of days indicate that the Koobface gang has embedded a pop-up at each and every host that automatically rotates different scareware brands. They're now officially monetizing the botnet using a scareware business model.

Let's analyze the latest changes introduced by the Koobface gang over the last couple of days and emphasize the monetization tactics introduced by the gang.

Next to insulting and showing gratitude, the Koobface gang also has a (black) sense of humor: within one of the directories at the takedown-proof command and control used by the gang in China (61.235.117.83, at 61.235.117.83/bin in particular) they've left the following message: "2008 ali baba and 40, LLC". Ali Baba and the Forty Thieves is a 1944 film based on the original Ali Baba character.

Compared to previous campaigns relying on centralized command and control and redirection points -- making them easy to shut down -- the ongoing Facebook campaigns are dynamically redirecting to IPs within the Koobface network, which, combined with their use of compromised legitimate sites, is supposed to make the takedown of their campaigns a bit more time consuming.

That's, of course, not the case since undermining their monetization approaches undermines the monetary value of their campaigns, which is what they're after this time. The Koobface gang has now embedded a single line within each and every infected host used in the campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, but to also trick them into installing the scareware which is rotated as usual.

dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof page that is part of the botnet, and then redirects to the most popular scareware template, the My Computer Online Scan.

The first scareware domain used in the last 48 hours, ryacleaner .info/hitin.php?affid=02979 (212.117.160.21, with eljupdate .info - Email: niclas@i.ua and dercleaner .info - Email: niclas@i.ua also parked there), was serving setup.exe, which downloads the actual scareware executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23).

What's so special about this domain? It was last profiled in the A Diverse Portfolio of Fake Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the same IP registered under the same email - robertsimonkroon@gmail.com.

The second scareware domain pushed by Koobface during the last 24 hours, gotrioscan .com/?uid=13301 - 91.212.107.103 - Email: momorule@gmail.com, redirects to plazec .info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com, where the scareware is served. Parked at the same IP is the rest of the scareware domain portfolio pushed by Koobface:

What do these two scareware executables have in common? It's the phone-back locations that the Koobface gang is using, revealing its participation in a scareware affiliate network called Crusade Affiliates.

The first phone-back location, urodinam.net /dfgsdfsdf .php - 122.224.9.67, adds a .bat file which attempts to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on an hourly basis. The second phone-back location is the Crusade Affiliates network, which shares revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - crusade-affiliates .com/install.php?id=02979 - 85.17.139.149.

The third phone back location is a direct download attempt of FraudTool.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from 0ni9o1s3feu60 .cn/u4.exe - 220.196.59.23. It's pretty evident that the Koobface botnet is now relying on multiple layers of monetization approaches.

The Koobface gang has been pretty busy during the last couple of days. The following Koobface malware-spreading domains have been in circulation across social networking sites during the last 48 hours, consisting of a combination of purely malicious and compromised legitimate sites:

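As an added example (not from the post), a detector for lure paths of the kind listed above: it undoes the leet substitutions, splits the first path segment into an adjective and a noun from the lure vocabulary, and absorbs the deliberate misspellings with a small edit-distance budget. The log format, client addresses and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit
# Lure vocabulary seen in the post's spreading URLs once the leet substitutions are undone.
ADJECTIVES = {"free", "your", "uncensored", "amazing", "extreme", "private", "cool", "my",
              "best", "funny", "public", "fantastic", "mega"}
NOUNS = {"movie", "movies", "film", "films", "clip", "clips", "video", "videos", "vids",
         "show", "action", "performance", "demonstration", "tube", "dvd"}
LEET = str.maketrans({"0": "o", "1": "l"})  # 'vide0' -> 'video', 'fi1m' -> 'film'

# Constructed proxy-log lines ("<timestamp> <client> <url>"); hosts are placeholders, not real sites.
LOG = [
    "2009-09-16T10:01:02 10.0.0.5 http://compromised-host.example/amalzlngfi1ms",
    "2009-09-16T10:01:09 10.0.0.5 http://compromised-host.example/extrlmeperf0rmans",
    "2009-09-16T10:02:11 10.0.0.7 http://another-host.example/youtube.com",
    "2009-09-16T10:03:30 10.0.0.9 http://intranet.example/reports/2009/q3",
]

def levenshtein(a, b):
    """Edit distance; inputs are short path tokens, so the quadratic table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest(token, vocab):
    """Vocabulary word nearest to the de-leeted token, or None if it is not close enough."""
    token = token.translate(LEET)
    best = min(vocab, key=lambda w: levenshtein(token, w))
    limit = max(1, len(token) // 4)  # ~1 typo per 4 chars: 'amalzlng' -> 'amazing' is 2 edits
    return best if levenshtein(token, best) <= limit else None

def classify_path(path):
    """('adjective', 'noun') if the first path segment is a lure token, else None."""
    seg = path.strip("/").split("/")[0].lower()
    if seg == "youtube.com":  # the campaign's other pattern: a fake 'youtube.com' directory
        return ("youtube.com", "")
    if not seg.isalnum() or not 5 <= len(seg) <= 24:
        return None
    for cut in range(2, len(seg) - 1):  # try every adjective|noun split point
        adj, noun = closest(seg[:cut], ADJECTIVES), closest(seg[cut:], NOUNS)
        if adj and noun:
            return (adj, noun)
    return None

def scan_log(lines):
    """(host, path, match) for every log line whose URL path looks like a Koobface lure."""
    hits = []
    for line in lines:
        parts = urlsplit(line.split()[-1])
        match = classify_path(parts.path)
        if match:
            hits.append((parts.hostname, parts.path, match))
    return hits
```

This is a triage heuristic to pair with host reputation: a legitimate "/freevideo" path would match too, so treat hits as leads rather than verdicts.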
The sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=ldgen&v=14 and bianca.trinityonline .biz/.sys/?action=ldgen&a=590837698&v=14&l=1000&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_tg=0&c_nl=0 - 69.163.147.203 - Email: email@darrenjames.net, with the latest Koobface update modules detected as follows - 61.235.117.83 /bin/v2prx.exe; 61.235.117.83 /bin/pp.12.exe.

The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40, LLC) have not just started monetizing the infected hosts, they're using multiple layers of monetization to do so.

Related posts:
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 
