Tuesday, June 08, 2010

Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign

Researchers from eSoft are reporting on 135,000 Fake YouTube pages currently serving scareware, while also applying multiple monetization/traffic optimization tactics to the hijacked traffic.

Based on the campaign's structure, it's pretty clear that the template-ization of malware serving sites (Part Two) is not dead. Let's dissect the campaign, its structure, the monetization/traffic optimization tactics used, list all the domains+URLs involved, and establish multiple connections (in the face of AS6851, BKCNET "SIA" IZZI) to recent malware campaigns -- cybercriminals are often customers of the same cybercrime-friendly provider.


The campaign relies on a typical mix of compromised and purely malicious sites, and uses not just an identical template but an identical campaign structure, which remains pretty static for the time being. Upon visiting one of the sites and meeting the referrer requirement -- Google works fine -- the hardcoded preload.php loads; it always points to the same IP, with a randomly generated code that changes over time - 91.188.60.126/?q=jzhaf - AS6851, BKCNET "SIA" IZZI

-------------------
inetnum:        91.188.60.0 - 91.188.60.255
netname:        ATECH-SAGADE
descr:          Sagade Ltd.
descr:          Latvia, Rezekne, Darzu 21
descr:          +371 20034981
remarks:        abuse-mailbox: piotrek89@gmail.com
country:        LV
admin-c:        TMCD111-RIPE
tech-c:         TMCD111-RIPE
status:         ASSIGNED PA
mnt-by:         AS6851-MNT
changed:        taner@bkc.lv 20100423
source:         RIPE

role:           TMCD Admin Contacts
address:        Ieriku 67a, Riga, LV-1084
org:            ORG-TMDA1-RIPE
e-mail:         bkc@bkc.lv
admin-c:        AS1606-RIPE
admin-c:        TP422-RIPE
tech-c:         RF2443-RIPE
tech-c:         IR106-RIPE
nic-hdl:        TMCD111-RIPE
changed:        taner@bkc.lv 20081023
source:         RIPE
-------------------


Moreover, the second traffic optimization step loads two different subdomains from byethost4.com, where another redirection takes place, this time to the bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com

Sample campaign structure:
- compromised_site.com
    - compromised_site.com/preload.php
        - 91.188.60.126/?q=jzhaf
        - popal.byethost4.com/mlk.php?sub=2&r=google.com
        - trash.byethost14.com/tick.php?sub=1&r=google.com
            - cnbutterfly.com/contact.php?uid=2034 - 74.81.93.227
            - simulshop.com/contact.php?uid=2034 - 88.198.177.74
                - www3.smartbestav10.co.cc - 74.118.194.78
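To make the chain above checkable against web-proxy logs, here is an added example of my own (not code from the original post or from eSoft): it classifies each requested URL by the campaign stage it matches and flags clients that walked more than one stage, so a single contact.php hit on a legitimate site does not alert. The five-field log format is constructed, and the assumption that the hardcoded paths and parameter names stay constant across the campaign's sites is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Stage signatures derived from the campaign structure above; the path/parameter checks are
# my own assumption that the hardcoded names stay constant across the campaign's sites.
def _preload(u, q):   return u.path.endswith("/preload.php")
def _tds(u, q):       return u.netloc == "91.188.60.126" and "q" in q
def _byethost(u, q):  return (re.search(r"\.byethost\d+\.com$", u.netloc) is not None
                              and u.path.endswith(".php") and "sub" in q and "r" in q)
def _contact(u, q):   return u.path.endswith("/contact.php") and "uid" in q
def _landing(u, q):   return u.netloc.endswith(".co.cc")
def _affiliate(u, q): return u.path.endswith("/news.php") and "land" in q and "affid" in q

STAGES = [("preload", _preload), ("tds", _tds), ("byethost", _byethost),
          ("contact", _contact), ("landing", _landing), ("affiliate", _affiliate)]

def classify(url):
    """Return the chain stage a URL matches, or None."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    for name, match in STAGES:
        if match(u, q):
            return name
    return None

def find_chains(log, min_stages=2):
    """Per client, collect matching hits; flag clients that touched >= min_stages distinct
    stages, so a lone contact.php?uid= hit (common on legitimate sites) does not alert."""
    hits = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _referer = line.split(" ", 4)
        stage = classify(url)
        if stage:
            hits.setdefault(client, []).append((stage, url))
    return {c: s for c, s in hits.items() if len({st for st, _ in s}) >= min_stages}

# Constructed sample proxy log (assumed format: timestamp client method url referer).
LOG = """\
2010-06-08T10:15:01 10.0.0.5 GET http://compromised_site.com/ http://www.google.com/search?q=youtube
2010-06-08T10:15:02 10.0.0.5 GET http://compromised_site.com/preload.php http://compromised_site.com/
2010-06-08T10:15:03 10.0.0.5 GET http://91.188.60.126/?q=jzhaf http://compromised_site.com/preload.php
2010-06-08T10:15:04 10.0.0.5 GET http://popal.byethost4.com/mlk.php?sub=2&r=google.com -
2010-06-08T10:15:05 10.0.0.5 GET http://cnbutterfly.com/contact.php?uid=2034 -
2010-06-08T10:15:06 10.0.0.5 GET http://www3.smartbestav10.co.cc/ -
2010-06-08T10:16:00 10.0.0.7 GET http://example.org/contact.php?uid=7 http://example.org/
"""

print({c: [s for s, _ in v] for c, v in find_chains(LOG).items()})
```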


Domains involved in the campaign:

Detection rates for the scareware and for the manual-install binary:
- install.exe - Trojan.FakeAlert.CCS; FraudTool.Win32.SecurityTool (v) - Result: 16/40 (40%) - MD5: 3562be54671a1326eeef8bcfc85bd2a0
- packupdate107_2034.exe - Packed.Win32.Krap.an; TrojWare.Win32.Trojan.Fakealert.4193280 - Result: 10/41 (24.4%) - MD5: 991bba541e1872191ec5eb88c7de1f30

Upon execution the sample phones back to:
update2.protect-helper.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.free-guard.com - 95.169.186.25 - Email: gkook@checkjemail.nl

- install.48728.exe - Trojan.FakeAV; TrojanDownloader:Win32/Renos.KX - Result: 26/41 (63.42%) - MD5: 15281c3f3fac1ccdaf43e2b26d32a887

Upon execution the sample phones back to:
movieartsworld.com - 216.240.146.119 - Email: elaynecroft@ymail.com
firstnationarts.com - 66.96.219.38 (redskeltonarts.com, southard_cheryl@yahoo.com) - Email: harold_ward@ymail.com
sportfishingarts.com - 66.199.229.230 (greenbeearts.com, heiserdenise@ymail.com) - Email: rodericknovak@rocketmail.com
bestgreatarts.com - 64.191.44.73 (freesurrealarts.com, ghuertas@rocketmail.com) - Email: jeffreyespey@ymail.com
spacevisionarts.com - 69.10.35.253 (picturegraffitoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com
smallspacearts.com - 64.20.35.3 (dvdvideoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com

Based on cross-checking across different data sets, 91.188.60.126 - AS6851, BKCNET "SIA" IZZI is also known to have been used by at least 4 other members of the affiliate network. Naturally, their "signature" can be seen across multiple ASs as well.

The same scareware affiliate program is seen on the following IPs, using a different set of affiliate partners:
194.8.250.154/news.php?land=20&affid=12400 - AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
194.8.250.155/news.php?land=20&affid=12400
194.8.250.157/news.php?land=20&affid=42500
194.8.250.158/news.php?land=20&affid=42500

91.188.60.118/news.php?land=20&affid=50900 - AS6851, Sagade Ltd.; Emails: piotrek89@gmail.com;
91.188.60.124/news.php?land=20&affid=12800
91.188.60.126/news.php?land=20&affid=15600
91.188.60.146/news.php?land=20&affid=20102
91.188.60.147/news.php?land=20&affid=20102

91.213.157.165/news.php?land=20&affid=50900 - AS13618, PE "Sattelecom"; Emails: tt@sattelecom.biz
77.78.239.71/news.php?land=20&affid=12400 - AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com; bosko@globalnet.ba
77.78.239.76/news.php?land=20&affid=12400
77.78.239.77/news.php?land=20&affid=15603


As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns; below is an excerpt from a previous post, emphasizing the Koobface gang connection, in the sense that both are customers of the same cybercrime-friendly ISP.
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where the Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client-side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php


For the time being, the following domains and IPs are all active within AS6851, BKCNET "SIA" IZZI:
1zabslwvn538n4i5tcjl.com - 91.188.59.10 - Email: michaeltycoon@gmail.com
hotxxxtubevideo.com - 91.188.59.74
ruexp1.ru - Email: krahil@mail.ru
hotxtube.in - 91.188.59.74 - Email: lordjok@gmail.com
get-money-now.net - 91.188.59.211 - Email: noxim@maidsf.ru
easy-ns-server.org - 91.188.60.3 - Email: russell1985@hotmail.com
fast-scanerr-online.org - 91.188.60.3 - Email: roberson@hotmail.com
my-antivirusplus.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
myprotectonline.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
sys-protect-online.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
av-scaner-onlinemachine.com - 91.188.60.3 - Email: gershatv07@gmail.com
domen-zaibisya.com - 91.188.59.211 - Email: security2guard@gmail.com
directupdate.info - 91.188.60.10 - Email: MichaelBCarlson@gmail.com
91.188.59.50
91.188.60.3
91.188.59.112


Name servers of notice:
ns1.iil10oil0.com - 91.188.59.70
ns2.iil10oil0.com - 91.188.59.71


Domains using their services:

Takedown actions are in place; meanwhile, consider going through the "Ultimate Guide to Scareware Protection".

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
