Thursday, February 25, 2010

Don't Play Poker on an Infected Table - Part Two


Over the past week and a half, cybercriminals have been aggressively spamvertising a growing portfolio of domains, relying on deceptive advertising for nonexistent and fraudulent online gambling web sites, serving the well known Win32.GAMECasino.
What's particularly interesting about the campaign is the fact that all of the domains serve an identical template, with the SmartDownload.exe binary hosted "in the cloud" thanks to Amazon's Web Services (anat.s3.amazonaws.com/dir4/ SmartDownload.exe).

Detection rate for SmartDownload.exe - Win32.GAMECasino - Result: 10/42 (23.81%). The sample phones back to the following domain - download.realtimegaming.com /cdn/goldvipclub/package_list.ini.zip?fakeParam=1 - 212.201.100.144 - Email: admin@REALTIMEGAMING.COM; RealTime Gaming Holding Company, LLC, registered under the following address according to the information published on their web site:
  • For Licensing opportunities or Company Information, please submit request to Hasting B.V. Hastings International B.V., New Haven Office Center, Emancipatie Boulevard 31 – P.O. Box 6052, Curacao, Netherlands Antilles
Here are the spamvertised domains in question, including the name servers involved.

Spamvertised domains parked on 116.123.221.17; 112.159.237.58:
aerojackpot.net - Email: dfgdfgvcsx12@foxmail.com
compujackpot.net - Email: dfgdfgvcsx12@foxmail.com
jackpotadvance.net - Email: dfgdfgvcsx12@foxmail.com
jackpotalist.net - Email: dfgdfgvcsx12@foxmail.com
jackpotbee.net - Email: dfgdfgvcsx12@foxmail.com
jackpotbuzz.net - Email: dfgdfgvcsx12@foxmail.com
jackpotcanyon.net - Email: dfgdfgvcsx12@foxmail.com
jackpotclubs.net - Email: dfgdfgvcsx12@foxmail.com
jackpotfairy.net - Email: dfgdfgvcsx12@foxmail.com
jackpotfan.net - Email: dfgdfgvcsx12@foxmail.com
jackpotflag.net - Email: dfgdfgvcsx12@foxmail.com
jackpoticity.net - Email: dfgdfgvcsx12@foxmail.com
jackpotjets.net - Email: dfgdfgvcsx12@foxmail.com
jackpotlodge.net - Email: dfgdfgvcsx12@foxmail.com
jackpotmoment.net - Email: dfgdfgvcsx12@foxmail.com
jackpotpair.net - Email: dfgdfgvcsx12@foxmail.com
jackpotrocket.net - Email: dfgdfgvcsx12@foxmail.com
jackpotthink.net - Email: dfgdfgvcsx12@foxmail.com
jackpottodoor.net - Email: dfgdfgvcsx12@foxmail.com
jackpotwire.net - Email: dfgdfgvcsx12@foxmail.com
jacpotcongress.net - Email: dfgdfgvcsx12@foxmail.com
linejackpot.net - Email: dfgdfgvcsx12@foxmail.com
lux777cazino.net - Email: efghfgbvghfgh@qq.com
majicjackpot.net - Email: dfgdfgvcsx12@foxmail.com
midjackpot.net - Email: dfgdfgvcsx12@foxmail.com
mixerjackpot.net - Email: dfgdfgvcsx12@foxmail.com
needjackpot.net - Email: dfgdfgvcsx12@foxmail.com
nestjackpot.net - Email: dfgdfgvcsx12@foxmail.com
shopjackpot.net - Email: dfgdfgvcsx12@foxmail.com
smart-nest.net - Email: dfgdsfvcb@163.com
structjackpot.net - Email: dfgdfgvcsx12@foxmail.com
the-cash.net - Email: dfgdsfvcb@163.com
thejackpots.net - Email: dfgdfgvcsx12@foxmail.com
windowjackpots.net - Email: dfgdfgvcsx12@foxmail.com
win-vox.net - Email: dfgdsfvcb@163.com

aerowin.net - Email: dfgdsfvcb@163.com
beach-jackpot.net - Email: dfgdsfvcb@163.com
beautyselite.net - Email: dfgdsfvcb@163.com
binwin.net - Email: dfgdsfvcb@163.com
clashflash.net - Email: dfgdsfvcb@163.com
couldwin.net - Email: dfgdsfvcb@163.com
dinwin.net - Email: dfgdsfvcb@163.com
eliteclasss.net - Email: dfgdsfvcb@163.com
eliteorder.net - Email: dfgdsfvcb@163.com
eliteplaza.net - Email: dfgdsfvcb@163.com
elitescoop.net - Email: dfgdsfvcb@163.com
eliteweird.net - Email: dfgdsfvcb@163.com
ezelite.net - Email: dfgdsfvcb@163.com
flashapex.net - Email: dfgdsfvcb@163.com
flashbrook.net - Email: dfgdsfvcb@163.com
flashbuzzs.net - Email: dfgdsfvcb@163.com
flashcensus.net - Email: dfgdsfvcb@163.com
flashclashs.net - Email: dfgdsfvcb@163.com
flashlasch.net - Email: dfgdsfvcb@163.com
flashlash.net - Email: dfgdsfvcb@163.com
flashmoment.net - Email: dfgdsfvcb@163.com
flashnest.net - Email: dfgdsfvcb@163.com
flashpixie.net - Email: dfgdsfvcb@163.com
flashslash.net - Email: dfgdsfvcb@163.com
flashspark.net - Email: dfgdsfvcb@163.com
flashspell.net - Email: dfgdsfvcb@163.com
flashzap.net - Email: dfgdsfvcb@163.com
free-smart.net - Email: dfgdsfvcb@163.com
ginwin.net - Email: dfgdsfvcb@163.com

goingtowins.net - Email: dfgdsfvcb@163.com
hitecwinner.net - Email: dfgdsfvcb@163.com
innerwinner.net - Email: dfgdsfvcb@163.com
interelite.net - Email: dfgdsfvcb@163.com
jackpot-direct.net - Email: dfgdsfvcb@163.com
jackpot-fire.net - Email: dfgdsfvcb@163.com
jackpot-help.net - Email: dfgdsfvcb@163.com
jackpot-infinity.net - Email: dfgdsfvcb@163.com
jackpot-mind.net - Email: dfgdsfvcb@163.com
jackpot-minute.net - Email: dfgdsfvcb@163.com
jackpot-phone.net - Email: dfgdsfvcb@163.com
jackpot-reunion.net - Email: dfgdsfvcb@163.com
jackpot-senate.net - Email: dfgdsfvcb@163.com
jackpot-talk.net - Email: dfgdsfvcb@163.com
jackpot-taven.net - Email: dfgdsfvcb@163.com
jackpot-topia.net - Email: dfgdsfvcb@163.com
jackpot-wire.net - Email: dfgdsfvcb@163.com
laschflash.net - Email: dfgdsfvcb@163.com
learn-jackpot.net - Email: dfgdsfvcb@163.com
magicwinner.net - Email: dfgdsfvcb@163.com
mapwinner.net - Email: dfgdsfvcb@163.com
mediaselite.net - Email: dfgdsfvcb@163.com
mindelite.net - Email: dfgdsfvcb@163.com
mrelite.net - Email: dfgdsfvcb@163.com
needwin.net - Email: dfgdsfvcb@163.com
pixiewinner.net - Email: dfgdsfvcb@163.com
powerwinners.net - Email: dfgdsfvcb@163.com

predict-jackpot.net - Email: dfgdsfvcb@163.com
pushelite.net - Email: dfgdsfvcb@163.com
reseachelite.net - Email: dfgdsfvcb@163.com
sellelite.net - Email: dfgdsfvcb@163.com
sgameelite.net - Email: dfgdsfvcb@163.com
sharpwinner.net - Email: dfgdsfvcb@163.com
smart-enough.net - Email: dfgdsfvcb@163.com
smart-fire.net - Email: dfgdsfvcb@163.com
smart-log.net - Email: dfgdsfvcb@163.com
smart-spree.net - Email: dfgdsfvcb@163.com
steelites.net - Email: dfgdsfvcb@163.com
surveylite.net - Email: dfgdsfvcb@163.com
targetelite.net - Email: dfgdsfvcb@163.com
theelites.net - Email: dfgdsfvcb@163.com
theflashers.net - Email: dfgdsfvcb@163.com
theywin.net - Email: dfgdsfvcb@163.com
velowinner.net - Email: dfgdsfvcb@163.com
vote-smart.net - Email: dfgdsfvcb@163.com
wanttowin.net - Email: dfgdsfvcb@163.com
winbot.net - Email: dfgdsfvcb@163.com
winnercrest.net - Email: dfgdsfvcb@163.com
winnerfast.net - Email: dfgdsfvcb@163.com
winnerhut.net - Email: dfgdsfvcb@163.com
winnerincumbent.net - Email: dfgdsfvcb@163.com
winnermass.net - Email: dfgdsfvcb@163.com
winnerpub.net - Email: dfgdsfvcb@163.com
winnerrocket.net - Email: dfgdsfvcb@163.com
winnersalon.net - Email: dfgdsfvcb@163.com
winnerscan.net - Email: dfgdsfvcb@163.com
winnertake.net - Email: dfgdsfvcb@163.com
winnertal.net - Email: dfgdsfvcb@163.com
winnertoyou.net - Email: dfgdsfvcb@163.com
zap-smart.net - Email: dfgdsfvcb@163.com

Name servers of notice:
ns1.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com
ns1.bedws.com - 218.61.126.28 - Email: guoxiufenghy@163.com
ns1.catdogns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.cebht.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.dd5ns.com - 61.191.191.61 - Email: li-zhenshu@163.com
ns1.dogmens.com - 208.78.242.185 - Email: hmr@data99.com
ns1.euromarketorder.com - 218.61.126.28
ns1.fesws.com - 218.61.126.28 - Email: info2@data99.com
ns1.goatdns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.hh7ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.kindball.com - 218.61.126.28 - Email: zhaokaijunlp@163.com
ns1.mm8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.nn4ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.ss6ns.com - 61.191.191.61 - Email: shirley9127@hotmail.com
ns1.wildnn.com - 208.78.242.185 - Email: hmr@data99.com
ns2.gg9ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns2.sruisorehoes.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns2.zz8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.bavns.com - 218.61.126.28 - Email: shirley9127@hotmail.com
ns3.bawns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.becns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns3.bojns.com - 218.61.126.28 - Email: li-zhenshu@163.com
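The lists above are only useful to a defender once they are pivoted on what the domains share: the same handful of registrant e-mails, and name servers that all resolve to a couple of IPs. The following is an added example, not code from the original post, that parses indicator lines in exactly the "domain - Email: address" and "nameserver - IP - Email: address" format used above, clusters them by registrant and by name-server IP, and emits a deduplicated blocklist. The embedded input is a constructed subset of the indicators listed in this post; the function names are my own.

```python
"""Pivot a spamvertised-domain portfolio on shared registrants and name-server IPs.

Added example, not code from the original post. The input below is a constructed
subset of the indicators listed above, in the post's own line format.
"""
import re
from collections import defaultdict

DOMAIN_LINE = re.compile(r"^(?P<domain>[\w.-]+)\s+-\s+Email:\s+(?P<email>\S+)$")
NS_LINE = re.compile(
    r"^(?P<ns>[\w.-]+)\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+-\s+Email:\s+(?P<email>\S+))?$"
)

# Constructed subset of the spamvertised domains from the post.
SAMPLE_DOMAINS = """\
aerojackpot.net - Email: dfgdfgvcsx12@foxmail.com
compujackpot.net - Email: dfgdfgvcsx12@foxmail.com
lux777cazino.net - Email: efghfgbvghfgh@qq.com
smart-nest.net - Email: dfgdsfvcb@163.com
the-cash.net - Email: dfgdsfvcb@163.com
aerowin.net - Email: dfgdsfvcb@163.com
"""

# Constructed subset of the name servers from the post (one has no registrant e-mail).
SAMPLE_NS = """\
ns1.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com
ns1.bedws.com - 218.61.126.28 - Email: guoxiufenghy@163.com
ns1.catdogns.com - 218.61.126.28 - Email: li-zhenshu@163.com
ns1.euromarketorder.com - 218.61.126.28
ns1.dd5ns.com - 61.191.191.61 - Email: li-zhenshu@163.com
"""


def parse_domains(text):
    """Return {domain: registrant_email}; lines that do not match the format are skipped."""
    out = {}
    for line in text.splitlines():
        m = DOMAIN_LINE.match(line.strip())
        if m:
            out[m["domain"]] = m["email"].lower()
    return out


def parse_nameservers(text):
    """Return a list of (nameserver, ip, registrant_email_or_None)."""
    out = []
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            email = (m["email"] or "").lower() or None
            out.append((m["ns"], m["ip"], email))
    return out


def cluster_by_registrant(domains):
    """Group domains by registrant e-mail: one e-mail owning dozens of lookalike domains is the signal."""
    clusters = defaultdict(list)
    for domain, email in domains.items():
        clusters[email].append(domain)
    return {email: sorted(ds) for email, ds in clusters.items()}


def cluster_ns_by_ip(nameservers):
    """Group name servers by the IP they resolve to; many NS names on one IP indicates shared hosting."""
    clusters = defaultdict(list)
    for ns, ip, _ in nameservers:
        clusters[ip].append(ns)
    return {ip: sorted(names) for ip, names in clusters.items()}


def registrant_overlap(domains, nameservers):
    """Registrant e-mails used both for spamvertised domains and for name servers (empty here)."""
    ns_emails = {email for _, _, email in nameservers if email}
    return sorted(set(domains.values()) & ns_emails)


def blocklist(domains, nameservers):
    """Sorted, deduplicated hostnames and IPs suitable for DNS or proxy blocking."""
    items = set(domains)
    for ns, ip, _ in nameservers:
        items.add(ns)
        items.add(ip)
    return sorted(items)


if __name__ == "__main__":
    doms = parse_domains(SAMPLE_DOMAINS)
    nss = parse_nameservers(SAMPLE_NS)
    for email, ds in cluster_by_registrant(doms).items():
        print(f"{email}: {len(ds)} domains -> {', '.join(ds)}")
    for ip, names in cluster_ns_by_ip(nss).items():
        print(f"{ip}: {len(names)} name servers -> {', '.join(names)}")
    print("registrant overlap:", registrant_overlap(doms, nss))
    print("blocklist entries:", len(blocklist(doms, nss)))
```

Run against the full lists in the post, the registrant pivot collapses roughly a hundred domains to two e-mail addresses, and the name-server pivot collapses twenty name servers to three IPs, which is a far smaller set to block or monitor than the domains themselves.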

The campaign is a great example of cybercrime-friendly affiliate networks, with the cybercriminals in this case investing a modest amount of money in the actual spamming process and then earning a flat 30% commission, which can also scale between 20% and 45% depending on the affiliate's choice.


The practice has been around for years. Here are three monetization strategies seen within the last two years, all of which remain active tactics for fraudsters to take advantage of:
You may want to reconsider using an online gambling application that is being spammed using a botnet, with the actual application crypted using a tool exclusively used by malware authors in an attempt to bypass signature-based antivirus scanning.

Amazon's Web Services are aware of this campaign. Action against it should be taken shortly.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, February 15, 2010

IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild


SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php, currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.

Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C that samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru.

Domains portfolio:
reda.kr - Email: ClarenceN62412@hotmail.com
redb.kr - Email: ClarenceN62412@hotmail.com
reda.ne.kr - Email: ClarenceN62412@hotmail.com
redb.ne.kr - Email: ClarenceN62412@hotmail.com
redn.ne.kr - Email: ClarenceN62412@hotmail.com
redv.ne.kr - Email: ClarenceN62412@hotmail.com
redn.kr - Email: ClarenceN62412@hotmail.com
reda.co.kr - Email: ClarenceN62412@hotmail.com
redv.co.kr - Email: ClarenceN62412@hotmail.com
reda.or.kr - Email: ClarenceN62412@hotmail.com
redb.or.kr - Email: ClarenceN62412@hotmail.com
redn.or.kr - Email: ClarenceN62412@hotmail.com
redv.or.kr - Email: ClarenceN62412@hotmail.com
redv.kr - Email: ClarenceN62412@hotmail.com

Name server of notice:
ns1.skcstaffing.com - 87.117.245.9 - Email: hr@department.com

UPDATED: Wednesday, February 24, 2010 - Another portfolio of typosquatted domains has been spamvertised. The already suspended domains are listed for historical OSINT analysis of this gang's activities.

Interestingly, their campaigns are lacking the quality assurance I'm used to seeing. For instance, the iFrame IP (109.95.114.251 /usa50/in.php) is currently down, and the malware itself, including the sample that would have been dropped had exploitation taken place, has a detection rate of over 90%, since the binaries were first analyzed a month ago - tax-statement.exe - Trojan-Spy.Win32.Zbot - 40/42 (95.24%); abs.exe - Packed:W32/Mufanom.A - Result: 38/42 (90.48%). The directory structure also remains the same - irs.gov.yrxc.kr/fraud.applications /application/statement.php

Domain portfolio, including name servers of notice, is as follows:
erdca.co.kr - Email: WeedDame16427@hotmail.com
erdca.kr - Email: WeedDame16427@hotmail.com
erdca.ne.kr - Email: WeedDame16427@hotmail.com
erdca.or.kr - Email: WeedDame16427@hotmail.com
erdcb.kr - Email: WeedDame16427@hotmail.com
erdcd.kr - Email: WeedDame16427@hotmail.com
erdce.co.kr - Email: WeedDame16427@hotmail.com
erdce.kr - Email: WeedDame16427@hotmail.com
erdce.ne.kr - Email: WeedDame16427@hotmail.com
erdce.or.kr - Email: WeedDame16427@hotmail.com
erdcq.kr - Email: WeedDame16427@hotmail.com
erdcu.co.kr - Email: WeedDame16427@hotmail.com
erdcu.kr - Email: WeedDame16427@hotmail.com
erdcu.ne.kr - Email: WeedDame16427@hotmail.com
erdcu.or.kr - Email: WeedDame16427@hotmail.com
yrxc.co.kr - Email: WeedDame16427@hotmail.com
yrxc.kr - Email: WeedDame16427@hotmail.com
yrxc.or.kr - Email: WeedDame16427@hotmail.com
yrxo.co.kr - Email: WeedDame16427@hotmail.com
yrxo.kr - Email: WeedDame16427@hotmail.com
yrxo.ne.kr - Email: WeedDame16427@hotmail.com
yrxo.or.kr - Email: WeedDame16427@hotmail.com
yrxs.co.kr - Email: WeedDame16427@hotmail.com
yrxs.kr - Email: WeedDame16427@hotmail.com
yrxs.ne.kr - Email: WeedDame16427@hotmail.com
yrxs.or.kr - Email: WeedDame16427@hotmail.com

rts1e3en.me.uk
rts1e3eq.me.uk
rts1e3ew.me.uk
rts1e3ex.me.uk
rts1e3ey.me.uk
rts1e3ez.me.uk
rts1e3eb.co.uk
rts1e3en.co.uk
rts1e3eq.co.uk
rts1e3er.co.uk
rts1e3ew.co.uk
rts1e3ex.co.uk
rts1e3ey.co.uk
rts1e3ez.co.uk


Name servers of notice:
ns1.skc-realty.com - 89.238.165.195 - Email: skc@realty.net
ns1.chinafromasia.com

UPDATED: Monday, February 22, 2010 - Another portfolio of typosquatted domains is being spamvertised, including two new name servers parked on the same IP where name servers from previous campaigns were hosted.

Typosquatted domains, and name servers of notice are as follows:
dese.co.kr - Email: asondrapgt@hotmail.com
dese.kr - Email: asondrapgt@hotmail.com
dese.ne.kr - Email: asondrapgt@hotmail.com
dese.or.kr - Email: asondrapgt@hotmail.com
desr.co.kr - Email: asondrapgt@hotmail.com
desr.kr - Email: asondrapgt@hotmail.com
desr.or.kr - Email: asondrapgt@hotmail.com
desv.co.kr - Email: asondrapgt@hotmail.com
desv.kr - Email: asondrapgt@hotmail.com
desv.ne.kr - Email: asondrapgt@hotmail.com
desv.or.kr - Email: asondrapgt@hotmail.com
desx.co.kr - Email: asondrapgt@hotmail.com
desx.kr - Email: asondrapgt@hotmail.com
desx.ne.kr - Email: asondrapgt@hotmail.com
desx.or.kr - Email: asondrapgt@hotmail.com
edasa.co.kr
edasa.kr
edasa.ne.kr
edasa.or.kr
edase.co.kr
edase.kr
edase.ne.kr
edase.or.kr
edasn.kr
edasn.ne.kr
edasn.or.kr
edasq.co.kr
edasq.kr
edasq.ne.kr
edasq.or.kr


Name servers of notice:
ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com
ns1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com

UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign -- no client-side exploit serving iFrames found so far -- attempting to steal Google account and Blogspot account data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buying them in bulk from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to maliciously monetize the traffic of legitimate blogs.

The newly spamvertised domains, including a new name server, are as follows:
esub.co.kr - Email: osamplerl61@hotmail.com
esub.kr - Email: osamplerl61@hotmail.com
esub.ne.kr - Email: osamplerl61@hotmail.com
esug.co.kr - Email: osamplerl61@hotmail.com
esug.kr - Email: osamplerl61@hotmail.com
esug.ne.kr - Email: osamplerl61@hotmail.com
esuk.kr - Email: osamplerl61@hotmail.com
esuk.ne.kr - Email: osamplerl61@hotmail.com
esuk.or.kr - Email: osamplerl61@hotmail.com
esus.co.kr - Email: osamplerl61@hotmail.com
esus.kr - Email: osamplerl61@hotmail.com
esus.ne.kr - Email: osamplerl61@hotmail.com
esut.co.kr - Email: osamplerl61@hotmail.com
esut.kr - Email: osamplerl61@hotmail.com
esut.ne.kr - Email: osamplerl61@hotmail.com
ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: rackmodule@writemail.com

UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.

Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%).

Domain portfolio; name server of notice: ns1.vektoroils.net - 74.117.63.218 - Email: admin@forsyte.info:
desa.co.kr - Email: hjfeasey@yahoo.co.uk
desa.kr - Email: hjfeasey@yahoo.co.uk
desa.ne.kr - Email: hjfeasey@yahoo.co.uk
desa.or.kr - Email: hjfeasey@yahoo.co.uk
desb.co.kr - Email: hjfeasey@yahoo.co.uk
desb.kr - Email: hjfeasey@yahoo.co.uk
desb.ne.kr - Email: hjfeasey@yahoo.co.uk
desb.or.kr - Email: hjfeasey@yahoo.co.uk
deso.kr - Email: hjfeasey@yahoo.co.uk
deso.or.kr - Email: hjfeasey@yahoo.co.uk
desv.kr - Email: hjfeasey@yahoo.co.uk
desz.co.kr - Email: hjfeasey@yahoo.co.uk
desz.kr - Email: hjfeasey@yahoo.co.uk
desz.ne.kr - Email: hjfeasey@yahoo.co.uk
desz.or.kr - Email: hjfeasey@yahoo.co.uk

UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php; detection rate for update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5%).

Currently active and spamvertised domains include:
saqwk.co.kr - Email: Camerc05@yahoo.com
saqwk.kr - Email: Camerc05@yahoo.com
saqwk.ne.kr - Email: Camerc05@yahoo.com
saqwk.or.kr - Email: Camerc05@yahoo.com
saqwm.co.kr - Email: Camerc05@yahoo.com
saqwm.kr - Email: Camerc05@yahoo.com
saqwm.ne.kr - Email: Camerc05@yahoo.com
saqwq.co.kr - Email: Camerc05@yahoo.com
saqwq.kr - Email: Camerc05@yahoo.com
saqwq.ne.kr - Email: Camerc05@yahoo.com
saqwq.or.kr - Email: Camerc05@yahoo.com
saqwz.co.kr - Email: Camerc05@yahoo.com
saqwz.kr - Email: Camerc05@yahoo.com
saqwz.ne.kr - Email: Camerc05@yahoo.com
saqwz.or.kr - Email: Camerc05@yahoo.com

As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.
In a typical multitasking fashion, two campaigns are currently active on different subdomains of the typosquatted fast-flux domains: one impersonating the U.S. IRS with an "Unreported/Underreported Income (Fraud Application)" theme, the other a variation of the already profiled PhotoArchive campaign, using the well known "You don't have the latest version of Macromedia Flash Player" error message.
Let's dissect both campaigns, which share the same fast-flux infrastructure and are currently being spammed in the wild.

Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:
- archive .repok.or.kr/archive0714/?id=test@test.com
- secretarchives .renyn.kr/archive0714/?id=test@test.com
- secretfiles .repo1it.me.uk/archive0714/?id=test@test.com
- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com
- postcards .repo1ix.co.uk/archive0714/?id=test@test.com 

Sample sub domain structure:
anonymousfiles .repo1i2.me.uk
archive .repo1iq.me.uk
archive .repo1it.me.uk
archives .repo1i1.me.uk
filearchive .repo1i1.me.uk
files .repo1it.me.uk
files .repo1ix.me.uk
files4friends .repo1it.me.uk
secretarchives .repo1iq.me.uk
secretarchives .repo1iw.me.uk
secretarchives .repo1ix.me.uk
secretfiles .repo1iq.me.uk
sendspace .repo1i2.me.uk

archive .repo1ix.co.uk
archives .repo1iq.co.uk
archives .repo1ix.co.uk
files .repo1iq.co.uk
files4friends .repo1ix.co.uk
incognito .repo1iq.co.uk
postcard .repo1iq.co.uk
postcard .repo1iw.co.uk
secretarchives .repo1iw.co.uk
www.irs.gov .repo1ix.co.uk


Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229, MARIAM-AS PP Mariam) attempts to exploit CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324. Upon successful exploitation, file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27%) is served. Just like the original update.exe - Trojan.Zbot - Result: 13/40 (32.50%), available as a manual download from the pages, both samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy.

Naturally, AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:
91.201.196.35
91.201.196.75
91.201.196.76
91.201.196.38
91.201.196.34
91.201.196.37


Sample URL from the IRS-themed campaign:
- irs.gov .renyn.kr/fraud.applications/application/statement.php

Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".

Detection rate for tax-statement.exe - Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25%), which upon execution phones back to the well known nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy.

Active and spamvertised fast-fluxed domains part of the campaign:
renya.co.kr - Email: Sethdc77@yahoo.co.uk
renya.kr - Email: Sethdc77@yahoo.co.uk
renya.ne.kr - Email: Sethdc77@yahoo.co.uk
renya.or.kr - Email: Sethdc77@yahoo.co.uk
renyn.kr - Email: Sethdc77@yahoo.co.uk
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk
renyn.or.kr - Email: Sethdc77@yahoo.co.uk
renyo.co.kr - Email: Sethdc77@yahoo.co.uk
renyo.kr - Email: Sethdc77@yahoo.co.uk
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk
renyo.or.kr - Email: Sethdc77@yahoo.co.uk
renyx.co.kr - Email: Sethdc77@yahoo.co.uk
renyx.kr - Email: Sethdc77@yahoo.co.uk
renyx.ne.kr - Email: Sethdc77@yahoo.co.uk
renyx.or.kr - Email: Sethdc77@yahoo.co.uk

rep021.co.kr - Email: DRendell3407@hotmail.com
rep021.kr - Email: DRendell3407@hotmail.com
rep021.ne.kr - Email: DRendell3407@hotmail.com
rep021.or.kr - Email: DRendell3407@hotmail.com
rep022.co.kr - Email: DRendell3407@hotmail.com
rep022.kr - Email: DRendell3407@hotmail.com
rep022.ne.kr - Email: DRendell3407@hotmail.com
rep022.or.kr - Email: DRendell3407@hotmail.com
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com
rep023.or.kr - Email: DRendell3407@hotmail.com
rep024.kr - Email: DRendell3407@hotmail.com
rep071.co.kr - Email: KantuM37690@hotmail.com
rep071.kr - Email: KantuM37690@hotmail.com
rep071.ne.kr - Email: KantuM37690@hotmail.com

rep071.or.kr - Email: KantuM37690@hotmail.com
rep072.co.kr - Email: KantuM37690@hotmail.com
rep072.kr - Email: KantuM37690@hotmail.com
rep072.ne.kr - Email: KantuM37690@hotmail.com
rep072.or.kr - Email: KantuM37690@hotmail.com
rep073.co.kr - Email: KantuM37690@hotmail.com
rep073.kr - Email: KantuM37690@hotmail.com
rep073.ne.kr - Email: KantuM37690@hotmail.com
rep073.or.kr - Email: KantuM37690@hotmail.com
rep074.co.kr - Email: KantuM37690@hotmail.com
rep074.ne.kr - Email: KantuM37690@hotmail.com
rep074.or.kr - Email: KantuM37690@hotmail.com
rep1051.co.uk
rep1051.me.uk
rep1051.org.uk
rep1051.uk.com
repak.co.kr - Email: limhomeslm@yahoo.co.uk
repak.kr - Email: limhomeslm@yahoo.co.uk

repak.ne.kr - Email: limhomeslm@yahoo.co.uk
repak.or.kr - Email: limhomeslm@yahoo.co.uk
repaz.co.kr - Email: Olb55768@yahoo.co.uk
repaz.kr - Email: Olb55768@yahoo.co.uk
repaz.or.kr - Email: Olb55768@yahoo.co.uk
repek.co.kr - Email: limhomeslm@yahoo.co.uk
repek.ne.kr - Email: limhomeslm@yahoo.co.uk
repek.or.kr - Email: limhomeslm@yahoo.co.uk
repey.co.kr - Email: Olb55768@yahoo.co.uk
repey.kr - Email: Olb55768@yahoo.co.uk
repey.ne.kr - Email: Olb55768@yahoo.co.uk
repey.or.kr - Email: Olb55768@yahoo.co.uk
repia.co.kr - Email: Olb55768@yahoo.co.uk
repia.kr - Email: Olb55768@yahoo.co.uk
repia.ne.kr - Email: Olb55768@yahoo.co.uk
repia.or.kr - Email: Olb55768@yahoo.co.uk
repik.co.kr - Email: limhomeslm@yahoo.co.uk

repik.kr - Email: limhomeslm@yahoo.co.uk
repik.or.kr - Email: limhomeslm@yahoo.co.uk
repok.co.kr - Email: limhomeslm@yahoo.co.uk
repok.kr - Email: limhomeslm@yahoo.co.uk
repok.ne.kr - Email: limhomeslm@yahoo.co.uk
repok.or.kr - Email: limhomeslm@yahoo.co.uk
repoy.co.kr - Email: Olb55768@yahoo.co.uk
repoy.kr - Email: Olb55768@yahoo.co.uk
repoy.ne.kr - Email: Olb55768@yahoo.co.uk
repoy.or.kr - Email: Olb55768@yahoo.co.uk
repo1i1.co.uk
repo1i1.me.uk
repo1i2.co.uk
repo1i2.me.uk
repo1i3.co.uk
repo1ie.co.uk
repo1io.co.uk
repo1iq.co.uk
repo1iq.me.uk
repo1it.me.uk
repo1iw.co.uk
repo1iw.me.uk
repo1ix.co.uk
repo1ix.me.uk


Name servers of notice:
ns1 .skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net
ns1 .addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com
ns1 .skcpanel.com - 64.20.42.235 - Email: support@sk.com
ns1 .holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com
ns1 .skcres.com - 64.20.42.235 - Email: hr@skc.net
ns1 .x-videocovers.net - 64.20.42.235 - Email: storylink@live.com
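Everything a defender needs to spot a victim of this campaign in web proxy logs is already in the post: the rotating exploit directory on 91.201.196.101 and 109.95.114.251, the phone-back URLs of the dropped Zeus samples, the C&C IPs on AS42229, the typosquatted fast-flux domains, and the lure paths. The following is an added example, not code from the original post, that turns those indicators into layered detection logic and runs it over a constructed log excerpt. It assumes a simple "timestamp client method url status" log format; the indicator values are the ones listed above with the defanging spaces removed, and the two regexes generalise the observed directories and paths (/ukasp/, /usasp/, /usasp11/, /usasp33/, /usa50/ and the archive/statement lure paths) rather than matching only one instance.

```python
"""Scan proxy logs for contact with the Zeus campaign infrastructure dissected above.

Added example, not code from the original post. Indicator values come from the
post (defanging spaces removed); the log lines are constructed, in an assumed
"<ts> <client_ip> <method> <url> <status>" format.
"""
import re
from urllib.parse import urlsplit

# Exploit-serving iframe hosts named in the post.
EXPLOIT_IFRAME_HOSTS = {"91.201.196.101", "109.95.114.251"}
# Phone-back URLs (host + path) of the dropped Zeus samples.
CNC_URLS = {"trollar.ru/cnf/trl.jpg", "elnasa.ru/asd/elnasa.ble", "nekovo.ru/cbd/nekovo.br"}
# Zeus C&C IPs on AS42229 plus the IPs behind the phone-back domains.
ZEUS_CNC_IPS = {"91.201.196.35", "91.201.196.75", "91.201.196.76", "91.201.196.38",
                "91.201.196.34", "91.201.196.37", "109.95.114.133", "109.95.114.71",
                "109.95.115.18"}
# Subset of the typosquatted fast-flux portfolio, as registrable domains.
FASTFLUX_DOMAINS = {"renyn.kr", "renya.co.kr", "repo1ix.co.uk", "repo1it.me.uk", "yrxc.kr"}
# Generalisation of the rotating exploit directories seen in the post:
# /ukasp/, /usasp/, /usasp11/, /usasp33/ and /usa50/, all ending in in.php.
EXPLOIT_DIR = re.compile(r"^/u[ks]a(?:sp)?\d*/in\.php$")
# Generalisation of the lure paths from the sample campaign URLs.
LURE_PATH = re.compile(r"^/(?:archive\d+/|fraud\.applications/application/statement\.php)")
IMPERSONATED_BRANDS = ("irs.gov",)
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed excerpt: one victim walking the whole chain (lure -> iframe -> C&C),
# a legitimate IRS visit, a lure-only hit, a direct C&C contact and a benign line.
SAMPLE_LOG = """\
2010-02-17T09:12:01Z 10.0.0.21 GET http://www.irs.gov.repo1ix.co.uk/fraud.applications/application/statement.php 200
2010-02-17T09:12:02Z 10.0.0.21 GET http://91.201.196.101/usasp/in.php 200
2010-02-17T09:12:40Z 10.0.0.21 GET http://trollar.ru/cnf/trl.jpg 200
2010-02-17T09:15:13Z 10.0.0.33 GET http://www.irs.gov/pub/irs-pdf/f1040.pdf 200
2010-02-17T09:16:02Z 10.0.0.40 GET http://archive.renyn.kr/archive0714/?id=test@test.com 200
2010-02-17T09:17:55Z 10.0.0.40 GET http://91.201.196.75/ 404
2010-02-17T09:18:10Z 10.0.0.52 GET http://example.com/index.html 200
"""


def registrable(host):
    """Crude registrable-domain extraction covering the TLD shapes in this campaign
    (kr with co/ne/or second-level labels, uk with co/me/org)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-1] in ("kr", "uk") and labels[-2] in ("co", "ne", "or", "me", "org"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Return every (severity, reason) the URL triggers, most specific rule first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    hits = []
    if host + path in CNC_URLS or host in ZEUS_CNC_IPS:
        hits.append(("critical", "Zeus C&C contact"))
    if host in EXPLOIT_IFRAME_HOSTS:
        if EXPLOIT_DIR.match(path):
            hits.append(("high", "exploit-serving iframe directory"))
        else:
            hits.append(("high", "exploit-serving host"))
    if registrable(host) in FASTFLUX_DOMAINS:
        hits.append(("medium", "spamvertised fast-flux domain"))
    for brand in IMPERSONATED_BRANDS:
        # "www.irs.gov.repo1ix.co.uk" contains the brand but is not under it.
        if brand in host and host != brand and not host.endswith("." + brand):
            hits.append(("medium", f"brand-impersonating subdomain ({brand})"))
    if LURE_PATH.match(path):
        hits.append(("low", "campaign lure path"))
    return hits


def scan_log(text):
    """Return one alert dict per matching log line; unparseable lines are skipped."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m["url"])
        if hits:
            worst = max(hits, key=lambda h: SEVERITY[h[0]])[0]
            alerts.append({"line": n, "client": m["client"], "url": m["url"],
                           "severity": worst, "reasons": [h[1] for h in hits]})
    return alerts


def infected_clients(alerts):
    """Clients that reached exploit or C&C infrastructure (high/critical): the triage list."""
    return sorted({a["client"] for a in alerts if SEVERITY[a["severity"]] >= SEVERITY["high"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'line {a["line"]:>2} {a["severity"]:<8} {a["client"]:<10} {a["url"]}  <- {"; ".join(a["reasons"])}')
    print("triage:", infected_clients(found))
```

The layering matters for triage: a hit on a lure path or a brand-impersonating subdomain alone means a user clicked the spam, while a subsequent request into the in.php directory followed by a phone-back to one of the C&C URLs means the client-side exploit most likely succeeded and the host should be treated as infected.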

Interestingly, researchers from M86 Security gained access to the web malware exploitation kit used in a previous campaign:

"It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves."
 
Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns:
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Friday, February 12, 2010

Dissecting an Ongoing Money Mule Recruitment Campaign

Money mule recruiters can sometimes be described as mass-marketing zombies, who have absolutely no idea who they're trying to recruit. Cefin Consulting & Finance - cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru is the very latest example of such a campaign, trying to recruit, well, me.

The initial recruitment email was spammed from maximumsxz78@roulottesste-anne.com with IP 221.154.76.195:
"Cefin Consulting & Finanace is one of the leading providers of consulting services in the world. Our success depends both on high quality of services and on professionally managed and reliable business processes. This is the reason why quality is our main concern. However, the only way to reach top-notch quality in our business is permanent struggle for quality and engineering of stable procedures. It is not possible to reach high quality standards without dedicated personnel striving for flawless operation of processes and projects in their daily life. 

Currently we have a Financial Manager opening. No deadlines for applications are set. The job of Financial Manager includes processing of money transfers, sent to his personal bank accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect it to the account specified by our dispatchers. All you need for this job are: 3-4 free hours a day, your wish, ability to work in a team and responsibility. The initial wages will equal 5% of total monthly turnover.

Requirements to Candidates:

- 20 years old and more
- Be able to check your email several times a day
- Should have personal (or business) bank account
- Have a skill to communicate and access to the Internet.
- Foreign language (English is preferable).
- To have an opportunity in any working hours to go to closest Western Union location and make money transfer .

What we offer:

- Generous wages - (Your earnings will originally make 5 % from each payment. Your earnings will originally make 5 % from each payment. After 5 remittances if you will operatively work and correctly, your earnings raises up to 10 %. )
- Opportunity of increase in your earnings.
- Free seminars and training courses (After 6 months of great work).

2010 © Cefin Consulting & Finanace. If you are interested in this opening, don't hesitate to send your CV at our e-mail: cefincfss@yahoo.com. All right reserved.
"

Response received from cefincfss@yahoo.com with IP 91.207.4.162, asking for the following details, although the DIY money-mule recruitment management interface automates the entire process, thereby allowing it to scale:
"If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:

1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 6) Home Phone number, Work Phone number, Mobile Phone number; 7) Bank account info:; a) Bank name; b) Account name; c) Account number; d) Sort code; 8) Scan you passport or driver license
"

The CV forwarding email provided is mynesco@yahoo.com, although they'll even recruit you without sending them the required CV.

What's special about the bogus company is not the new template layout that they've purchased from a vendor offering creatives for money-mule recruitment campaigns, but their attempt to establish themselves as a trusted brand by featuring fake certificates issued by easily recognizable brands, such as Western Union, Money Gram, Investors in People, the World Business Community and even an award from the Chamber Awards for 2004 in the category "Most Promising New Business".


Moreover, parked on the very same IP as the money mule recruitment domain are domains currently serving live exploits, as well as a DIY interface for a spamming service known as "OS-CORP".

The certificates in question:




Cefin Consulting & Finance describes itself as:
"Cefin consulting & Finance was founded at the beginning of 1990. The emerged structure united specialists with unique background in management consulting, marketing research, business evaluation and stock-exchange operations. The following two companies constitute Cefin consulting & Finance:
 

- Omega Financial Dept. - the dedicated company in the field of securities operations;
- Omega Consult - the dedicated consulting company, rendering services in strategic planning and corporate management.

Activity of Cefin consulting & Finance is focused on generation of balanced solutions for active development of the company and minimization of business risks.

Cefin consulting & Finance offers successful managerial solutions through consulting support to projects in various spheres, namely: comprehensive restructuring and organizational development, generation of managing companies, engineering of tailored management systems for corporate clients, implementation of project management methods, business development financial and economic simulation. 

Top-notch dedicated professionals with key competence in various consulting fields constitute our rigorous staff. We boast to have management consulting and business strategy development experts, certified securities dealers, assessment and registration, marketing and financial specialists, corporate law and anti-monopoly legislation gurus. Address: Cefin consulting & Finance is located at 510 East 80th Street, New York, New York 10021, United States 786-475-3994; 786-475-3994 (FAX)"

The money mule recruitment domain cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru remains active. Parked on the same IP are also the following domains, currently hosting live exploit kits:
384756783900 .cn - Email: abuse@domainsreg.cn
109438129432 .cn - Email: abuse@domainsreg.cn
234273849543 .cn - Email: abuse@domainsreg.cn
783456788839 .cn - Email: abuse@domainsreg.cn
odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule recruitment connection
mynes-consultings .cn - Email: grishanizov@gmail.com
mynes-consult .cn - Email: grishanizov@gmail.com


Sample live exploit structure, currently active at these domains:
- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legitimate newegg.com
    - mynes-consult .cn/load.php?spl=mdac
    - mynes-consult .cn/load.php?spl=buddy
    - mynes-consult .cn/load.php?spl=myspace
    - mynes-consult .cn/load.php?spl=vml2
    - mynes-consult .cn/load.php?spl=ymj
    - mynes-consult .cn/load.php?spl=zango1
    - mynes-consult .cn/load.php?spl=zango2

All of these exploit variants drop the same load.exe - TrojanDownloader:Win32/Cutwail.gen!C - Result: 41/41 (100.00%), which upon execution phones back to 69.162.86.210.
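The landing-page structure above, as an added example that is not part of the original post: a small Python detector that runs over constructed proxy log lines, ties load.php?spl=<name> hits to a subsequent .exe fetch from the same host, and reports the (client, host) pairs that most likely executed load.exe. The log line format, the client addresses and the "landing page first, payload second" ordering rule are this example's assumptions; the spl= names and host names are the ones listed above.

```python
# Added example (not from the original post): flag exploit-kit landing-page
# traffic of the shape described above in proxy logs.
#
# Assumptions: a Squid-style "epoch client method url status" line format
# (constructed here), and that a fetch of a .exe from a host the same client
# already requested load.php?spl=<name> from marks a probable infection.
# The spl= names are the ones listed in the post.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

KNOWN_SPL = {"mdac", "buddy", "myspace", "vml2", "ymj", "zango1", "zango2"}

# Constructed sample proxy log: 10.0.0.5 is the victim, 10.0.0.7 only got the
# newegg.com fallback redirect, 10.0.0.9 saw a landing page but no payload.
SAMPLE_LOG = """\
1266512000.101 10.0.0.5 GET http://mynes-consult.cn/ 200
1266512000.512 10.0.0.5 GET http://mynes-consult.cn/load.php?spl=mdac 200
1266512001.004 10.0.0.5 GET http://mynes-consult.cn/load.php?spl=vml2 200
1266512001.330 10.0.0.5 GET http://mynes-consult.cn/load.php?spl=zango1 200
1266512002.870 10.0.0.5 GET http://mynes-consult.cn/load.exe 200
1266512003.000 10.0.0.7 GET http://mynes-consult.cn/ 302
1266512003.500 10.0.0.7 GET http://www.newegg.com/ 200
1266512010.000 10.0.0.9 GET http://mynes-consultings.cn/load.php?spl=mdac 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict with host, path and query parameters, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def find_exploit_kit_sessions(log_text):
    """Group successful requests per (client, host) and record which spl= exploit
    variants were served and whether a .exe followed them from the same host."""
    sessions = defaultdict(lambda: {"spl": set(), "payload": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != 200:
            continue
        key = (rec["client"], rec["host"])
        if rec["path"].endswith("/load.php") and "spl" in rec["query"]:
            sessions[key]["spl"].update(v for v in rec["query"]["spl"] if v in KNOWN_SPL)
        elif rec["path"].lower().endswith(".exe") and sessions[key]["spl"]:
            # the drop only counts if a landing page was hit first (order matters)
            sessions[key]["payload"] = True
    return {k: v for k, v in sessions.items() if v["spl"]}


def probable_infections(log_text):
    """(client, host) pairs that hit at least one exploit variant and then pulled a .exe."""
    return sorted(k for k, v in find_exploit_kit_sessions(log_text).items() if v["payload"])
```

Only 200 responses count, so the 302 that bounces a non-exploitable visitor to newegg.com is ignored, and a client that saw a landing page without the follow-up .exe is reported as an attempt rather than an infection.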

With cybercriminals actively multi-tasking these days, this money mule recruitment gang isn't an exception. On one of the domains listed above, a low-profile DIY spamming service known as OS-CORP is offering its services.
The DIY spam service also has Terms of Service and offers basic spamming recommendations. The following is a roughly translated version of them:
"- No child porn spamming!
- Do not offer me affiliate programs (% of sales), I do not care!
- ICQ is almost always online, but this does not mean that I am always present! If you have not received an answer immediately, have patience; I will answer as soon as I appear!
- Mailings to databases on specific subjects are more expensive!
- I am not responsible for your campaigns and sites, which sometimes get taken down in the process of spamming! Use anti-abuse hosting!
- I do not offer anti-abuse hosting services!
- I do not give recommendations for such services. I only provide spamming services!
- The campaign's size should be UP TO 50 kb!

Recommendations for preparing material for delivery!
- Do not always send the same message text; ideally, change the text after each mailing, it has an effect!
- Do not use words such as EARN or OFFER in the subject (headers), and do not put lots of exclamation marks and the like (better to do without them), just one!
- For a good response from countries whose native language is not English (e.g., Sweden, Spain, Denmark, etc.), it is highly desirable to use the native language of the country the text is sent to; it gives a wonderful effect, and make no mistake, not everyone in such countries knows English, verified repeatedly!
- Do not write texts that are too long; for a number of reasons this does not give a positive effect, but do not limit yourself to one sentence either! Ideally, make the text a few not particularly bulky paragraphs!
"

The deeper you analyze, the more malicious and, most importantly, the more interconnected it gets.

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, February 11, 2010

Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild


A currently ongoing malware campaign, courtesy of the gang that's been busy rotating themes over the past few weeks, has changed the theme to "You are in a higher tax bracket", and continues serving client-side exploits next to a Zeus crimeware sample, using a bogus "You don't have the latest version of Macromedia Flash Player" error message.

- Sample URL: rep1031 .be/reports/getreport.php?email=email - Email: souchuck@yahoo.com. The following currently suspended domains are also involved - rep1032 .be; rep1030.me .uk; rep1031.me .uk; rep1032.me .uk; rep1030.co .uk; rep1031.co .uk; rep1032.co .uk; rep1043.me .uk; rep1041.co .uk

- UPDATED: The most recently spamvertised domains include:
rep1041 .kr - Email: Souchuck@yahoo.com
rep1042 .kr - Email: Souchuck@yahoo.com
rep1043 .kr - Email: Souchuck@yahoo.com
rep1044 .kr - Email: Souchuck@yahoo.com
rep1041.ne .kr - Email: Souchuck@yahoo.com
rep1042.ne .kr - Email: Souchuck@yahoo.com
rep1043.ne .kr - Email: Souchuck@yahoo.com
rep1041.co .kr - Email: Souchuck@yahoo.com
rep1042.co .kr - Email: Souchuck@yahoo.com
rep1043.co .kr - Email: Souchuck@yahoo.com
rep1044.co .kr - Email: Souchuck@yahoo.com
rep1041.or .kr - Email: Souchuck@yahoo.com
rep1042.or .kr - Email: Souchuck@yahoo.com
rep1043.or .kr - Email: Souchuck@yahoo.com
rep1044.or .kr - Email: Souchuck@yahoo.com

- Sample detection rate:
update.exe - PWS:Win32/Zbot.RS - Result: 8/41 (19.52%); MD5: 44028f0e2fa3ec70507992cb0684ff58

- Name servers of notice:
ns1.socialworc .net - 87.117.245.9 - Email:  storylink@live.com
ns1.trihtmens .net - 87.117.245.9
ns1.inserthelping .net - suspended
ns1.citysatellites .net - down

- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.). You're in a higher tax bracket because: - your annual income for the last tax year has increased. Please review your annual tax report immediately at: get report."

- Sample iFrame used: 109.95.115.36 /uzs/in.php (also used in last week's PhotoArchive campaign) - AS50215 - Troyak-as Starchenko Roman Fedorovich - akanyovskiy@troyak.org; akanyovskiy@vishclub.net - serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324, all four of them Adobe Reader/Acrobat JavaScript API vulnerabilities, i.e., delivered through malicious PDFs.
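The four CVEs above, as an added example that is not code from the original post: a Python triage routine that inflates a PDF's FlateDecode streams and looks for the Adobe Reader JavaScript calls those CVEs are reached through. The call-name-to-CVE mapping is taken from the public advisories, not from the post, and the sample PDFs are constructed here with no working exploit in them, only the API names a triage rule keys on.

```python
# Added example (not from the original post): triage a PDF for the Adobe
# Reader JavaScript primitives behind the four CVEs named above.
#
# Assumptions: the API-to-CVE mapping comes from the public advisories for
# those CVEs, not from the post; the sample PDFs are constructed here and
# carry no working exploit, only the API call names a triage rule keys on.
import re
import zlib

API_TO_CVE = {
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"util.printf": "CVE-2008-2992",
    b"Collab.getIcon": "CVE-2009-0927",
    b"media.newPlayer": "CVE-2009-4324",
}

# a dictionary (one level of nested << >> allowed) directly followed by a stream body
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream",
    re.DOTALL,
)


def iter_streams(pdf_bytes):
    """Yield (dict_bytes, body) for every stream; inflate /FlateDecode bodies."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # not really deflate (or deliberately damaged): scan it raw
        yield m.group("dict"), body


def find_exploit_apis(pdf_bytes):
    """Return the sorted CVE ids whose trigger API appears in the raw file or any stream."""
    hits = set()
    blobs = [pdf_bytes] + [body for _, body in iter_streams(pdf_bytes)]
    for blob in blobs:
        compact = re.sub(rb"\s+", b"", blob)  # defeat "util . printf" spacing tricks
        for api, cve in API_TO_CVE.items():
            if api in compact:
                hits.add(cve)
    return sorted(hits)


def build_sample_pdf(js_source):
    """Construct a minimal PDF whose /OpenAction runs a FlateDecode-compressed JS stream."""
    js = zlib.compress(js_source.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: one carrying the CVE-2009-0927 primitive, one benign.
SAMPLE_PDF = build_sample_pdf("var s = unescape('%u0c0c'); Collab.getIcon(s);")
BENIGN_PDF = build_sample_pdf("app.alert('hello');")
```

The raw file is scanned as well as the inflated streams, so uncompressed JavaScript in a dictionary string is caught too; a real kit will add further obfuscation (string splitting, eval of built-up names), which is why this is a triage filter and not a verdict.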

- Sample malware detection rate/phone back C&Cs: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 8/41 (19.52%), MD5: f15d88ac3e381aeb6b3779b0dd7042ce.

Upon execution the sample phones back to trollar .ru/cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru; AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. The same email was also used to register the Zeus C&C from last week's "PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.

- Name servers of notice: ns1.gompley .net - 74.117.63.218 - Email: storylink@live.com; ns1.hoocky .net - 74.117.63.218 - Email: footboolfan7@aol.com, also known to have been parked on the same IP are ns1.allhostinfo .com - Email: line@metalfan.com; ns1.helpgoldbank .net - Email: glonders@gmail.com and ns1.drowthdb .com.

- Second portfolio of related name servers, parked at 62.19.3.2: ns1.faktorypro .com - Email: poolbill@hotmail.com; ns1.x-videocovers .net - Email: storylink@live.com; ns1.serwisezone .net - Email: line@metalfan.com; ns1.guarantexpres .com; ns1.respectiveowners .net

Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns:
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You


Tuesday, February 09, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Two

With money mule recruitment syndicates continuing to expand their geographically diverse inventories of gullible mules, keeping their operations on a short leash is becoming a tradition. What the non-existent organizations profiled in this post have in common with the non-existent organizations profiled before is the vendor of the money mule recruitment creatives, whose standardization of the recruitment process lets anyone willing to invest a modest amount of money start recruiting.

Despite the ongoing mix of abused legitimate infrastructure (Web 2.0 services, dedicated hosting within legitimate ISPs - Tweet 1; Tweet 2; Tweet 3; Tweet 4; Tweet 5; Tweet 6) and purely malicious infrastructure, centralization of cybercrime operations is still an inseparable part of the cybercrime ecosystem.

Case in point is AS47560 - VESTEH-NET-as Vesteh LLC, where the cybercriminals have chosen to host not only their money mule recruitment domain portfolio, but also the actual Zeus crimeware command and control servers. Pretty convenient indeed, but a minimalistic OPSEC attitude that leads to increased exposure.

The newly introduced money mule recruitment domains rely on the same DIY web interface and the same "payment processing agent" agreement seen in previous campaigns. What naturally changes are the web page layouts, combined with a new description of the non-existent company. Here's a sample from the currently active ones:

"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions".

The fact that money mule recruiters aggregate contact details from career building web sites isn't new -- see "Major career web sites hit by spammers attack". Here is the sample letter emailed to a prospective money mule, who spotted the scam and avoided it:


"After reviewing your resume online we have decided to propose you a Payment Processing Agent vacancy.

My name is Sarah Forbes and I'm working at SUCCESS Group Inc. Our company is a well-known one. It was founded in the USA and deals mainly with recruitment of IT professionals. The job we offer is a part-time position with a flexible schedule. On average the working hours are 2-3 hours a day (Monday through Friday). Our job requirements: Internet access and e-mail. Successful applicants are offered a probationary period (30 days). All agents get a training and online support. We evaluate the employees at least one week prior to the end of their trial period. NOTE: During the probationary period termination can be recommended by the supervisor.

The pay is $2,300 per month during the Trial Period + 8% commission from each successfully handled payment. Total income is about $4,500 per month. After the first 30 days your base salary will be increased up to $3,000 a month. NOTE: After the probationary period you may request additional assignments or proceed a full-time. If you are interested in the offer, please, contact me at success.sarah.forbes@googlemail.com for the details.

_________FORM_______FORM________FORM_________
First name:______________________
Last name:___________________
Country of residence:___________________
Contact phone:_______________
Preferred call time: _______________
_________FORM_______FORM________FORM____________

Our representatives will reply within 48 hours. NOTE: This is not a sales position.

Sincerely,

Sarah Forbes
SUCCESS Group Inc
job@success-groupinc.tw
Phone: 1-585-267-5988
Fax: 1-585-672-6137"


Let's expose the domain portfolios in question.

Active money mule recruitment sites parked within AS47560 - VESTEH-NET-as Vesteh LLC, at 91.200.164.18; 91.200.164.19; 91.200.164.20; 91.200.164.21; and 91.200.164.22 in particular:
aurora-groupco .tw - Email: dodo@fastermail.ru
aurora-groupco .ws - Email: info@gtec.ru
aurora-groupinc .tw - Email: cents@qx8.ru
aurora-groupinc .ws - Email: info@gtec.ru
bear-groupco .ws - Email: info@gtec.ru
bear-groupinc .ws - Email: info@gtec.ru
citizen-groupco .tw - Email: sane@qx8.ru
citizen-groupco .ws - Email: info@gtec.ru
citizengroupinc .ws - Email: info@gtec.ru
citizen-groupsvc .tw - Email: frown@fastermail.ru
classic-groupco .ws - Email: info@gtec.ru
classicgroupinc .ws - Email: info@gtec.ru
classic-groupsvc .tw - Email: haste@fastermail.ru
excel-groupco .tw - Email: thaws@bigmailbox.ru
excel-groupinc .tw - Email: thaws@bigmailbox.ru
excel-groupinc .ws - Email: info@gtec.ru
financial-groupco .tw - Email: think@maillife.ru
financial-groupco .ws - Email: info@gtec.ru
financial-groupinc .tw - Email: sane@qx8.ru
financial-groupsvc .ws - Email: info@gtec.ru
market-vision .tw - Email: place@bigmailbox.ru
market-visioninc .ws - Email: info@gtec.ru
measure-groupco .tw - Email: cents@qx8.ru
measure-groupco .ws - Email: info@gtec.ru
measure-groupinc .tw - Email: cents@qx8.ru
measure-groupinc .ws - Email: info@gtec.ru
millennium-groupco .tw - Email: thaws@bigmailbox.ru
millennium-groupinc .ws - Email: info@gtec.ru
millennium-groupsvc .tw - Email: thaws@bigmailbox.ru
millennium-groupsvc .ws - Email: info@gtec.ru
nuris-groupco .tw - Email: rips@fastermail.ru
nuris-groupco .ws - Email: info@gtec.ru
nuris-groupinc .tw - Email: rips@fastermail.ru
nuris-groupinc .ws - Email: info@gtec.ru
render-groupco .tw - Email: muggy@freenetbox.ru
success-groupco .ws - Email: info@gtec.ru

Naturally, it gets even more interesting with AS47560 - VESTEH-NET-as Vesteh LLC acting as a good example of a cybercrime-friendly virtual neighborhood. Not only are the cybercriminals hosting the money mule recruitment sites there, but a decent number of Zeus crimeware C&Cs and client-side exploit serving campaigns are currently active there as well.

Zeus C&Cs active at 91.200.164.44, front pages return "dsfkgjk rgkj":
justinnew1 .com - Email: 3242dswewrf@yahoo.com
justinnew2 .com - Email: 3242dswewrf@yahoo.com
justinnew3 .com - Email: 3242dswewrf@yahoo.com
justinnew4 .com - Email: 3242dswewrf@yahoo.com
justinnew5 .com - Email: 3242dswewrf@yahoo.com
justinnew6 .com - Email: 3242dswewrf@yahoo.com
justinnew7 .com - Email: 3242dswewrf@yahoo.com
justinnew8 .com - Email: 3242dswewrf@yahoo.com
justinnew9 .com - Email: 3242dswewrf@yahoo.com
justinnew10 .com - Email: 3242dswewrf@yahoo.com
justinnew11 .com - Email: 3242dswewrf@yahoo.com
justinnew12 .com - Email: 3242dswewrf@yahoo.com
justinnew13 .com - Email: 3242dswewrf@yahoo.com
justinnew14 .com - Email: 3242dswewrf@yahoo.com
justinnew15 .com - Email: 3242dswewrf@yahoo.com
justinnew16 .com - Email: 3242dswewrf@yahoo.com
justinnew17 .com - Email: 3242dswewrf@yahoo.com
justinnew18 .com - Email: 3242dswewrf@yahoo.com
justinnew19 .com - Email: 3242dswewrf@yahoo.com
justinnew20 .com - Email: 3242dswewrf@yahoo.com
justinnew21 .com - Email: 3242dswewrf@yahoo.com
justinnew22 .com - Email: 3242dswewrf@yahoo.com
justinnew23 .com - Email: 3242dswewrf@yahoo.com
justinnew24 .com - Email: 3242dswewrf@yahoo.com

Historical OSINT: live exploit serving and malware phone-back locations parked at 91.200.164.44:
abecedarian .in - Email: jobmasterx@yahoo.com
absinthial .in - Email: jobmasterx@yahoo.com
acarine .in - Email: jobmasterx@yahoo.com
aeruginous .in - Email: jobmasterx@yahoo.com
agrestic .in - Email: jobmasterx@yahoo.com
alveolate .in - Email: jobmasterx@yahoo.com
anaclastic .in - Email: jobmasterx@yahoo.com
anatine .in - Email: jobmasterx@yahoo.com
anconoid .in - Email: jobmasterx@yahoo.com
ancoral .in - Email: jobmasterx@yahoo.com
anserine .in - Email: jobmasterx@yahoo.com
archididascalian .in - Email: jobmasterx@yahoo.com
arietine .in - Email: jobmasterx@yahoo.com
babied .in - Email: jobmasterx@yahoo.com
baffled .in - Email: jobmasterx@yahoo.com
banal .in - Email: jobmasterx@yahoo.com
barren .in - Email: jobmasterx@yahoo.com
battle-worn .in - Email: jobmasterx@yahoo.com
bawled .in - Email: jobmasterx@yahoo.com
beatific .in - Email: jobmasterx@yahoo.com
beckoned .in - Email: jobmasterx@yahoo.com
betonomeshalkatraktor .in - Email: ynetsw@gmail.com
fcaliber65 .in - Email: wert32@rambler.ru
humpiii1 .in - Email: wert32@rambler.ru
izyvecheniy0tragladit .in - Email: ynetsw@gmail.com
lifeberyt .in - Email: wert32@rambler.ru
marrychristmasforyou .com - ACTIVE
marrychristmasforyou .net - ACTIVE
my1stdomain .in - Email: wert32@rambler.ru
pingcrews .in - Email: jobmasterx@yahoo.com
razymniygluk .in - Email: ynetsw@gmail.com
rescservuce .in - Email: wert32@rambler.ru

Name servers of notice:
dns1.yekt.net - 67.15.47.189
ns1.trythisok.cn - 89.248.166.45 - chunk@qx8.ru
ns1.basilkey.ws - 89.248.166.45 - info@gtec.ru
ns2.maninwhite.cc - 38.99.169.210 - duly@fastermail.ru
ns2.mythinregion.ws - Email: info@gtec.ru
ns2.partytimee.cn - 38.99.169.208 - Email: chunk@qx8.ru
ns3.cnnandpizza.cc - 195.182.57.36 - Email: bears@fastermail.ru
ns3.partymorning.ws - 94.23.114.71 - Email: info@gtec.ru
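The interconnection this post keeps pointing at, as an added example that is not part of the original post: a union-find clustering over a subset of the indicators listed above, joining any two domains that share a registrant e-mail or an IP, plus a breadth-first search that returns the pivot chain between two of them. The records are the post's own data (name-server hosts reduced to their registered domain); which attributes count as a link, and treating name-server domains as indicators like the others, are this example's assumptions.

```python
# Added example (not from the original post): pivot on shared registrant
# e-mails and IPs to see how far one cluster of the indicators above reaches.
#
# Assumptions: the records are a subset of the post's data (ns1.basilkey.ws
# is recorded as basilkey.ws, etc.); the linking rule (any shared e-mail or
# IP joins two domains) is this example's. ip is None where the post gives
# only the AS, not the address.
from collections import defaultdict, deque

# (domain, role, registrant_email, ip)
RECORDS = [
    ("aurora-groupco.tw",     "mule-recruitment", "dodo@fastermail.ru",    None),
    ("aurora-groupco.ws",     "mule-recruitment", "info@gtec.ru",          None),
    ("citizen-groupco.tw",    "mule-recruitment", "sane@qx8.ru",           None),
    ("financial-groupinc.tw", "mule-recruitment", "sane@qx8.ru",           None),
    ("success-groupco.ws",    "mule-recruitment", "info@gtec.ru",          None),
    ("justinnew1.com",        "zeus-c2",          "3242dswewrf@yahoo.com", "91.200.164.44"),
    ("abecedarian.in",        "exploit-serving",  "jobmasterx@yahoo.com",  "91.200.164.44"),
    ("basilkey.ws",           "name-server",      "info@gtec.ru",          "89.248.166.45"),
    ("trythisok.cn",          "name-server",      "chunk@qx8.ru",          "89.248.166.45"),
    ("partytimee.cn",         "name-server",      "chunk@qx8.ru",          "38.99.169.208"),
    ("maninwhite.cc",         "name-server",      "duly@fastermail.ru",    "38.99.169.210"),
]


class DisjointSet:
    """Union-find with path halving; nodes are domains or ("email"|"ip", value) tuples."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _attributes(email, ip):
    """The link-worthy attributes of one record."""
    attrs = []
    if email:
        attrs.append(("email", email))
    if ip:
        attrs.append(("ip", ip))
    return attrs


def cluster_indicators(records):
    """Join any two domains sharing a registrant e-mail or an IP.
    Returns clusters as sorted lists of (domain, role), largest first."""
    ds = DisjointSet()
    for domain, _role, email, ip in records:
        ds.find(domain)  # register even isolated domains
        for attr in _attributes(email, ip):
            ds.union(attr, domain)
    groups = defaultdict(list)
    for domain, role, _email, _ip in records:
        groups[ds.find(domain)].append((domain, role))
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def pivot_path(records, start, goal):
    """BFS over the bipartite domain/attribute graph; returns the chain of domains and
    shared attributes linking start to goal, or None if they are unrelated."""
    adj = defaultdict(set)
    for domain, _role, email, ip in records:
        for attr in _attributes(email, ip):
            adj[domain].add(attr)
            adj[attr].add(domain)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None
```

On this subset, info@gtec.ru ties the .ws recruitment sites to basilkey.ws, whose IP 89.248.166.45 ties it to trythisok.cn, whose registrant chunk@qx8.ru ties it to partytimee.cn, so the name-server infrastructure and the recruitment sites fall into one cluster; the Zeus C&C and the exploit domain at 91.200.164.44 form their own cluster because no e-mail in this subset joins them to the recruitment sites. Adding a weaker link type (same free-mail provider, same AS) would merge more, at the cost of more false joins.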

Take a look at the routing graph for a moment. Who do we have here? Our "dear friends" at AS5577 ROOT eSolutions (also seen here; here; here; here; here and here) are acting as a node for an ever expanding portfolio of malicious customers, with AS50215 Troyak-as Starchenko Roman Fedorovich, part of the Pushdo crimeware and client-side exploit serving campaigns, second in the list.

AS47560 - VESTEH-NET-as Vesteh LLC has been notified, awaiting response/take down reaction. Or the lack of such.

Related coverage of money laundering in the context of cybercrime:
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations


Wednesday, February 03, 2010

A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang


With scareware/rogueware/fake security software continuing to be the cash cow of choice for the Koobface gang, keeping them on a short leash, so that it becomes the biggest opportunity cost for the gang's business model, is crucial. The following are the currently active blackhat SEO redirectors (also embedded on Koobface-infected hosts) and the actual scareware domains courtesy of the gang.

Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector ID (?pid=312s02&sid=4db12f):
freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn
lotteryvideowin.com - Email: test@now.net.cn
videohototplaypoker.com - Email: test@now.net.cn
financetopsecrets.com - Email: test@now.net.cn
how2winforex.com - 91.212.226.136 - Email: test@now.net.cn
2money4money.com - Email: test@now.net.cn
get-money-quickly.com - Email: test@now.net.cn
fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn
buylexuscustoms .com - 91.212.226.185 - Email: test@now.net.cn
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn
dendy-trens .com - Email: test@now.net.cn
pretendtolove .com - Email: test@now.net.cn
bewareoffreebies .com - Email: test@now.net.cn
harry-the-potter .com - Email: test@now.net.cn
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk
vincentvangoghsite .com - Email: contacts@ferra.hu
jacksonpollocksite .com - Email: contacts@ferra.hu
lady2gaga .com - Email: contacts@designt.de
nigeriaworldtours .com - Email: info@montever.de
americanpiemusicvideo .com - Email: mail@suvtrip.hu
superstitionmusicvideo .com - Email: mail@suvtrip.hu
umbrellamusicvideo .com - Email: mail@suvtrip.hu
discounts-org .com - Email: mail@haselbladtour.com
littlediscounts .com - Email: mail@haselbladtour.com
winterdiscounts5 .com - Email: mail@haselbladtour.com

chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com
volvomodeltoys .com - Email: CourtneyRWebb@aol.com
manilawebcamera .com - Email: monkey22@live.com
mumbaiwebcamera .com - Email: monkey22@live.com
karachiwebcamera .com - Email: monkey22@live.com
delhiwebcamera .com - Email: monkey22@live.com
istanbulwebcamera .com - Email: monkey22@live.com
lexusmodeltoys .com - Email: monkey22@live.com
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: mail@bristonnews.com.

Sample detection rate for newly introduced scareware samples: Setup_312s2.exe - Result: 3/40 (7.5%), Setup_312s2.exe - Result: 4/39, Setup_312s22.exe - Result: 2/39 (5.13%), Setup_312s2.exe - Result: 6/39 (15.39%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 1/39 (2.56%), Setup_312s2.exe - Result: 3/39 (7.7%). Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 1/40 (2.5%), Setup_312s2.exe - Result: 4/40 (10%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 5/41 (12.2%), Setup_312s2.exe - Result: 4/41 (9.76%), Setup_312s2.exe - Result: 3/41 (7.32%), Setup_312s2.exe - Result: 6/41 (14.63%), Setup_312s2.exe - Result: 11/41 (26.83%), Setup_312s2.exe - Result: 4/42 (9.53%).

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. Phone-back locations of the most recent samples, by date:
- Wednesday, February 10, 2010: wintimeserver .com/?b=312s2 - 91.212.226.125 and firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57.
- Friday, February 12, 2010: firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 109.232.225.75.
- Sunday, February 21, 2010: firmwaredownloadserver.com /download/winlogo.bmp - 94.228.208.57; shifustserver.com /download/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com.
- Wednesday, February 24, 2010: shifustserver.com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and version-upgrade.com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklatestversion.com and fastwinupdates.com.

Parked on the same IPs are more scareware domains part of the portfolio:
inter1antivirus.com - 87.98.130.232 - Email: test@now.net.cn
virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn
bl9-virus-scanner.com - 87.98.130.232 - Email: test@now.net.cn
intera-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interc-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interd-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
intere-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
195.5.161.107/psx1/?vih==RANDOM_STRINGS - no domain name
91.212.132.241 /psx1/?vih==RANDOM_STRINGS
195.5.161.105 /psx1/?vih==RANDOM_STRINGS
non-antivirus-scan .com - Email: test@now.net.cn
zin-antivirus-scan .com - Email: test@now.net.cn
nextgen-scannert .com - Email: test@now.net.cn
protection15scan .com - Email: test@now.net.cn
nitro-antispyware .com - Email: test@now.net.cn
z2-antispyware .com - Email: test@now.net.cn
spy-detectore .com - Email: admin@clossingt.com
dis7-antivirus .com - Email: admin@vertigosmart.com
v2comp-scanner .com - Email: admin@vertigosmart.com
new-av-scannere .com - Email: missbarlingmail@aol.com
smartvirus-scan6 .com - Email: info@terranova.com
spywaremaxscan4 .com - Email: out@trialzoom.com
super6antispyware .com - Email: mail@ordercom.com
spyware-max-scan3 .com - Email: out@trialzoom.com
max-antivirus-security5 .com - Email: mail@dynadoter.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
11-antivirus .com - Email: call555call@live.com
1-antivirus .com - Email: call555call@live.com
1m-online-scanner .com - Email: stellar2@yahoo.com
2m-online-scanner .com - Email: stellar2@yahoo.com
2pro-antispyware .com - Email: mail@yahoo.com
3pro-antispyware .com - Email: mail@yahoo.com
6-antivirus .com - Email: call555call@live.com
7-antivirus .com - Email: call555call@live.com
9-antivirus .com - Email: call555call@live.com
a0-online-scanner .com - Email: stellar2@yahoo.com
a9-online-scanner .com - Email: stellar2@yahoo.com
aa-antivirus .com - Email: call555call@live.com
aa-online-scanner .com - Email: call555call@live.com
ab-antivirus .com - Email: call555call@live.com
ac-antivirus .com - Email: call555call@live.com
ad-antivirus .com - Email: call555call@live.com
adv1-system-scanner .com - Email: JayRKibbe@live.com
adv2-system-scanner .com - Email: JayRKibbe@live.com
ae-antivirus .com - Email: call555call@live.com
antivirus-expert-a .com - Email: 900ekony@live.com
antivirus-expert-i .com - Email: 900ekony@live.com
antivirus-expert-r .com - Email: 900ekony@live.com
antivirus-expert-y .com - Email: 900ekony@live.com
antivirussystemscan1 .com - Email: 900ekony@live.com
antivirussystemscana .com - Email: 900ekony@live.com
army-antispywarea .com - Email: beliec99@yahoo.com
army-antispywarei .com - Email: beliec99@yahoo.com
army-antispywarel .com - Email: beliec99@yahoo.com
army-antispywarep .com - Email: beliec99@yahoo.com
army-antivirusa .com - Email: beliec99@yahoo.com
army-antivirusd .com - Email: beliec99@yahoo.com
army-antivirust .com - Email: beliec99@yahoo.com
army-antivirusv .com - Email: beliec99@yahoo.com
army-antivirusy .com - Email: beliec99@yahoo.com
b1-online-scanner .com - Email: stellar2@yahoo.com
best-antivirusk0 .com
bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com
crystal-antimalware .com - Email: mail@vertigocats.com
crystal-antivirus .com - Email: mail@vertigocats.com
crystal-pro-scan .com - Email: mail@vertigocats.com
crystal-pro-scanner .com - Email: mail@vertigocats.com
crystal-spyscanner .com - Email: mail@vertigocats.com
crystal-threatscanner .com - Email: mail@vertigocats.com
crystal-virusscanner .com - Email: mail@vertigocats.com
extra-spyware-defencea .com - Email: fabula8@live.com
extra-spyware-defenceb .com - Email: fabula8@live.com
malware-a-scan .com - Email: mail@bristonnews.com
malware-b-scan .com - Email: mail@bristonnews.com
malware-c-scan .com - Email: mail@bristonnews.com
malware-d-scan .com - Email: mail@bristonnews.com
malware-t-scan .com - Email: mail@bristonnews.com
mega-antispywarea .com - Email: fabula8@live.com
mega-antispywareb .com - Email: fabula8@live.com
mm-online-scanner .com - Email: stellar2@yahoo.com
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com
my-computer-antivirusb .com - Email: dillinzer1@yahoo.com
my-computer-antiviruse .com - Email: dillinzer1@yahoo.com
my-computer-antivirusq .com - Email: dillinzer1@yahoo.com
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com
my-computer-scanc .com - Email: clintommail2@yahoo.com
my-computer-scane .com - Email: clintommail2@yahoo.com
my-computer-scanl .com - Email: clintommail2@yahoo.com
my-computer-scannera .com - Email: clintommail2@yahoo.com
my-computer-scannerl .com - Email: clintommail2@yahoo.com
my-computer-scannerm .com - Email: clintommail2@yahoo.com
my-computer-scannern .com - Email: clintommail2@yahoo.com
my-computer-scannerv .com - Email: clintommail2@yahoo.com
my-computer-scanw .com - Email: clintommail2@yahoo.com
my-pc-online-scanm .com - Email: dillinzer1@yahoo.com
my-pc-online-scann .com - Email: dillinzer1@yahoo.com
my-pc-online-scanr .com - Email: dillinzer1@yahoo.com
my-pc-online-scanv .com - Email: dillinzer1@yahoo.com
n1-system-scanner .com - Email: JayRKibbe@live.com
n2-system-scanner .com - Email: JayRKibbe@live.com
nasa-antivirus1 .com - Email: call555call@live.com
nasa-antivirus3 .com - Email: call555call@live.com
nasa-antivirusa .com - Email: call555call@live.com
nasa-antivirusb .com - Email: call555call@live.com
nasa-antiviruso .com - Email: call555call@live.com
pc1-system-scanner .com - Email: JayRKibbe@live.com
pc2-system-scanner .com - Email: JayRKibbe@live.com
pro0-antivirus .com - Email: mail@yahoo.com
pro0-system-scanner .com - Email: JayRKibbe@live.com
pro1-system-scanner .com - Email: JayRKibbe@live.com
pro2-antivirus .com - Email: mail@yahoo.com
pro4-antivirus .com - Email: mail@yahoo.com
pro6-antivirus .com - Email: mail@yahoo.com
pro8-antivirus .com - Email: mail@yahoo.com
remote-antispywarec .com - Email: teresa2mail.me@live.com
remote-antispywared .com - Email: teresa2mail.me@live.com
remote-antispywaree .com - Email: teresa2mail.me@live.com
remote-antispywarey .com - Email: teresa2mail.me@live.com
remote-pc1-scanner .com - Email: teresa2mail.me@live.com
remote-pc-scannera .com - Email: teresa2mail.me@live.com
remote-pc-scannerr .com - Email: teresa2mail.me@live.com
remote-pc-scannerv .com - Email: teresa2mail.me@live.com
remote-pc-scannery .com - Email: teresa2mail.me@live.com
scan3antispyware .com - Email: o@mozzilastuf.com
scan6antispyware .com - Email: o@mozzilastuf.com
scan8antispyware .com - Email: o@mozzilastuf.com
scan-antispywarea .com - Email: o@mozzilastuf.com
scan-antispywarec .com - Email: o@mozzilastuf.com
scan-antispywared .com - Email: o@mozzilastuf.com
scan-antispywarez .com - Email: o@mozzilastuf.com
spyware-01-scanner .com - Email: mail@bristonnews.com
spyware-03-scanner .com - Email: mail@bristonnews.com
spyware-05-scanner .com - Email: mail@bristonnews.com
spyware-06-scanner .com - Email: mail@bristonnews.com
spyware-07-scanner .com - Email: mail@bristonnews.com
stcanning-your-computerc .com - Email: mitra66@yahoo.com
stcanning-your-computerd .com - Email: mitra66@yahoo.com
stcanning-your-computerq .com - Email: mitra66@yahoo.com
stcanning-your-computerr .com - Email: mitra66@yahoo.com
stcanning-your-computert .com - Email: mitra66@yahoo.com
stcanning-your-pca .com - Email: mitra66@yahoo.com
stcanning-your-pcb .com - Email: mitra66@yahoo.com
stcanning-your-pcc .com - Email: mitra66@yahoo.com
stcanning-your-pcd .com - Email: mitra66@yahoo.com
stcanning-your-pce .com - Email: mitra66@yahoo.com
stealthv1-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com
ver1-system-scanner .com - Email: JayRKibbe@live.com
ver2-system-scanner .com - Email: JayRKibbe@live.com
virus-a1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com
z0-online-scanner .com - Email: stellar2@yahoo.com
z1-online-scanner .com - Email: stellar2@yahoo.com

Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at 212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:

What's so special about the robertsimonkroon@gmail.com email anyway? It's the fact that not only was the email once again used to register scareware domains twice in July, 2009, but also, as pointed out in November 2009's "Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:


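The registrant-email pivot described above, as an added example that is not part of the original post: it parses the defanged "name .tld - Email: address" line format used throughout these lists, collapses the repeated lines, indexes domains by registrant email, and reports the emails shared between two campaign lists. The sample lines and email addresses are constructed placeholders, not records from the page.

```python
import re
from collections import defaultdict

# Matches the defanged line format used on the page: "name .tld - Email: addr".
# The email part is optional because some entries carry no registrant email.
LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9-]+)\s+\.([a-z]+)\s*(?:-\s*Email:\s*(\S+))?\s*$"
)


def parse_defanged(lines):
    """Yield (domain, email) pairs; email is None when the line has none."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and free text are skipped
        name, tld, email = m.groups()
        yield f"{name}.{tld}", (email.lower() if email else None)


def index_by_registrant(lines):
    """Map registrant email -> sorted domains; duplicate lines collapse."""
    idx = defaultdict(set)
    for domain, email in parse_defanged(lines):
        if email:
            idx[email].add(domain)
    return {e: sorted(d) for e, d in idx.items()}


def shared_registrants(campaign_a, campaign_b):
    """Emails present in both campaigns, with the domains each one registered."""
    ia, ib = index_by_registrant(campaign_a), index_by_registrant(campaign_b)
    return {e: (ia[e], ib[e]) for e in sorted(set(ia) & set(ib))}


# Constructed sample lists (placeholder domains/emails, not page records).
SCAREWARE = """
scanner-example-a .org - Email: registrant-one@example.com
scan-example-b .org - Email: registrant-two@example.com
soft-example-c .eu
scanner-example-a .org - Email: registrant-one@example.com
""".splitlines()

KOOBFACE_DOWNLOADS = """
a1b2c3 .cn - Email: Registrant-One@example.com
d4e5f6 .cn - Email: registrant-one@example.com
""".splitlines()

if __name__ == "__main__":
    for email, (a, b) in shared_registrants(SCAREWARE, KOOBFACE_DOWNLOADS).items():
        print(f"{email}: {len(a)} scareware domain(s) <-> {len(b)} download domain(s)")
```
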
Stay tuned for a massive update on Koobface-related activities, analyzing the gang's multi-tasking throughout the entire month of January, 2010; descriptive historical OSINT offers long-term value when cross-checking for connections.

Related Koobface gang/botnet research:
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

The Diverse Portfolio of Fake Security Software Series:
A Diverse Portfolio of Fake Security Software - Part Twenty Four
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.