Tuesday, March 30, 2010

Money Mule Recruitment Campaign Serving Client-Side Exploits

Remember Cefin Consulting & Finance, the bogus, money mule recruitment company that ironically tried to recruit me last month?

They are back with a currently ongoing money mule recruitment campaign, this time not just attempting to recruit gullible users, but also serving client-side exploits (CVE-2009-1492; CVE-2007-5659) through a JavaScript snippet embedded on each and every page of the recruitment site.
Let's dissect the campaign, expose the domains serving the client-side exploits and the Zeus crimeware serving domains parked within the same netblock as the mule recruitment site, and ultimately expose a bogus furniture company hosting the descriptively named cv.exe that is dropped on the infected host.

Initial recruitment email sent from financialcefin@aol.com:
Hello, Our Company is ready to offer full and part time job in your region. It is possible to apply for a well-paid part time job from your state. More information regarding working and cooperation opportunities will be sent upon request. Please send all further correspondence ONLY to Company's email address: james.mynes.cf@gmail.com Best regards 

Response received:
Greetings,

Cefin Consulting & Finanace company thanks you for being interested in our offer. All additional information about our company you may read at our official site. www.ceffincfin.com Below the details of vacancy operational scheme:


1. The payment notice and the details of the beneficiary for further payment transfer will be e-mailed to your box. All necessary instructions regarding the payment will be enclosed.
2. As a next step, you'll have to withdraw cash from our account.
3. Afterwards you shall find the nearest Western Union office and make a transfer. Important: Only your first and last names shall be mentioned in the Western Union Form! No middle name (patronymic) is written! Please check carefully the spelling of the name, as it has to correspond to the spelling in the Notice.
4. Go back home soonest possible and advise our operator on the payment details (Sender’s Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount).
5. Our operator will receive the money and send it to the customer.
6. Please be ready to accept and to make similar transfers 2-5 times a week or even more often. Therefore you have to be on alert to make a Western Union payment any time.


Should you face any problems incurred in the working process, don’t hesitate to contact our operator immediately. If you have any questions, please do not hesitate to contact us by e-mail. If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name c) Account number d) Sort code 8) Scan you passport or driver license

2010 © Cefin Consulting & Finance
All right reserved.


Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: winter343@hotmail.com - currently flagged as malicious.

Once deobfuscated, the JavaScript attempts to load the client-side exploits serving URL click-clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com.

Sample campaign structure:
- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b2ddfY0a607663Z0100f055


Parked on the same IP (91.213.174.52) are also the following client-side exploit serving domains:
click-reklama.com - Email: tahli@yahoo.com
googleinru.in - Email: mirikas@gmail.com

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the following client-side exploits/crimeware friendly domains:
benlsdenc.com - Email: blablaman25@gmail.com
nermdusa.com - Email: polakurt69@gmail.com
mennlyndy.com - Email: albertxxl@gmail.com
kemilsy.com - Email: VsadlusGruziuk@gmail.com
benuoska.com - Email: godlikesme44@gmail.com


Name servers of notice: ns1.ginserdy.com - 93.186.127.205 - Email: albertxxl@gmail.com and ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com. Both have been registered using the same emails as the original client-side exploit serving domains.

Sample detection rates and phone-back locations:
- cefin.js - Troj/IFrame-DY - Result: 1/42 (2.39%)
- clicker.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM - Result: 21/42 (50.00%)
- clicker2.exe - TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86%)
- cv.exe - Trojan.Siggen1.15304 - Result: 3/42 (7.15%)
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)


Upon execution, the sample phones back to the Oficla/Sasfis C&C at socksbot.com /isb/gate.php?magic=121412150001&ox=2-5-1-2600&tm=3&id=24905431&cache=4154905385& - 195.78.109.3 - Email: aniwaylin@yahoo.com, which then drops pozitiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru, hosted on the web site of a fake furniture company (PoZITIVe SRL).

Interestingly, as of today the update location has been changed to tds-style.spb.ru /error/1.exe. Detection rate:
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)

The "Keeping Money Mule Recruiters on a Short Leash" series is bound to expand. Stay tuned!

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, March 29, 2010

Copyright Lawsuit Filed Against You Themed Malware Campaign

Having just received a copy of what appears to be the last active domain involved in last week's "Copyright Lawsuit filed against you" themed malware campaign, it's time to conduct a brief assessment of its inner workings.

Subject used: Copyright Lawsuit filed against you
Sample message: March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern: 

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
www.touchstoneadvisorsonline.com /lawsuit/suit_documents.doc

Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,
Mark R. Crosby
Crosby & Higgins LLP


Detection rates:
- complaint.doc - Downloader.Lapurd - Result: 22/39 (56.42%)
- complaint_docs.pdf - Trojan-Clicker.Win32.Cycler.odn - Result: 27/42 (64.29%)

Samples phone back to:
- 121.14.149.132 /fwq/indux.php?U=RANDOM_DATA - AS4134, CHINA-TELECOM China Telecom
- 121.14.149.132 /hia12/ter.php?u=UserName&c=COMPUTERNAME&v=RANDOM_DATA
Active C&C administration panel at: 121.14.149.132 /hia12/sca.php - returns "SSL ONLY.. USE HTTPS"
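The phone-back URLs above (the 121.14.149.132 panel here, and the Oficla/Sasfis gate.php check-in from the mule recruitment post) have a recognisable shape that survives a host change: a fixed script name plus a fixed set of query keys. The following added example, which is not part of the original post, scans a constructed proxy log for both the listed hosts and those URL shapes, so a defender catches the same check-in even after the gang moves it to a fresh IP. The log format (timestamp, client, method, URL, status) and the client addresses are assumptions made for the example.

```python
"""Flag HTTP proxy-log entries matching the C&C check-in patterns from the
write-ups above: known hosts/IPs, plus the structural shape of the check-in
URLs (script name + required query keys), which outlives a host change."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the posts above.
KNOWN_C2_HOSTS = {
    "socksbot.com",        # Oficla/Sasfis gate.php
    "121.14.149.132",      # indux.php / ter.php panel
    "pozitiv.md",          # drops cv.exe
    "tds-style.spb.ru",    # updated drop location for 1.exe
}

# (label, path pattern, query keys the check-in must carry)
CHECKIN_PATTERNS = [
    ("oficla-gate", re.compile(r"/gate\.php$"), {"magic", "ox", "tm", "id", "cache"}),
    ("panel-indux", re.compile(r"/indux\.php$"), {"U"}),
    ("panel-ter", re.compile(r"/ter\.php$"), {"u", "c", "v"}),
]

# Assumed log line layout: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url):
    """Return the list of reasons this URL looks like a C&C check-in (empty if clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append(f"known-c2-host:{host}")
    # keep_blank_values so a key with an empty value still counts as present
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    for label, path_re, required in CHECKIN_PATTERNS:
        if path_re.search(parts.path) and required <= query_keys:
            reasons.append(f"checkin-shape:{label}")
    return reasons


def scan_log(lines):
    """Return (line_number, url, reasons) for every line that matches something."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((n, m["url"], reasons))
    return hits


# Constructed sample log; hosts and paths on lines 2-5 are from the posts above.
SAMPLE_LOG = [
    "2010-03-30T10:15:01Z 10.0.0.17 GET http://www.example.com/index.html 200",
    "2010-03-30T10:15:07Z 10.0.0.17 GET http://socksbot.com/isb/gate.php?magic=121412150001&ox=2-5-1-2600&tm=3&id=24905431&cache=4154905385& 200",
    "2010-03-30T10:15:09Z 10.0.0.17 GET http://pozitiv.md/master/cv.exe 200",
    "2010-03-30T10:16:40Z 10.0.0.23 GET http://121.14.149.132/fwq/indux.php?U=c3RhZ2Vk 200",
    "2010-03-30T10:16:41Z 10.0.0.23 POST http://121.14.149.132/hia12/ter.php?u=alice&c=WS-0042&v=9f1e 200",
    # same gate.php shape on an unknown host: caught by the structural rule only
    "2010-03-30T10:17:02Z 10.0.0.31 GET http://198.51.100.7/isb/gate.php?magic=1&ox=2-5-1-2600&tm=3&id=7&cache=42 200",
    # a benign gate.php that lacks the required keys: not flagged
    "2010-03-30T10:17:10Z 10.0.0.31 GET http://www.example.org/gate.php?page=1 200",
    "garbage line",
]

if __name__ == "__main__":
    for n, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url}  <- {', '.join(reasons)}")
```

Matching on host alone would have missed line 6, which is exactly the "move to a new IP, keep the kit" behaviour the posts describe; the structural rule pays for itself there, at the cost of needing the query-key set to be maintained per kit.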

Spamvertised domains involved in the campaign:
- touchstoneadvisorsonline.com /lawsuit/suit_documents.doc - 72.167.232.84
- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 - Email: info@tedvernon.com
- danilison.com /suit/complaint.doc - 72.167.183.15
- daughtersofcolumbus.com /suit/complaint.doc - ACTIVE - 173.201.97.1 - Email: charlenej@stny.rr.com

The same phone back IP was also profiled in another campaign from January, 2010.

Clearly, the cybercriminals behind it are aiming to stay beneath the radar by relying on not-so-well-profiled malicious infrastructure, combined with newly introduced campaigns, in an attempt to make it harder to establish historical connections (read about the "aggregate-and-forget" concept in respect to botnets/malware) with the rest of their malicious activities.


Wednesday, March 24, 2010

Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild

UPDATED: Friday, March 26, 2010: In typical multi-tasking fashion, like the one we've seen in previous campaigns, more typosquatted domains are being introduced, this time using the well-known IRS Fraud Application theme. What's worth pointing out is that, just like the "Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign from last week, the current one was also launched on a Friday.

The reason? A pointless attempt by the gang to extend the lifecycle of the campaign.

- Sample URL: irs.gov.faodqt.com.pl /fraud.applications/application/statement.php
- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php
- Sample detection rate: tax-statement.exe - Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05%), phones back to shopinfmaster .com/cnf/shopinf.jpg

Spamvertised and currently active fast-fluxed domains include:
fercca.com.pl
fercci.com.pl
ferkci.com.pl
fercki.com.pl
foodat.com.pl
foocit.com.pl
forcit.com.pl
footit.com.pl
ferckt.com.pl
forckt.com.pl
foodot.com.pl
footot.com.pl
faodqt.com.pl
foodyt.com.pl

redee3e.com
redee3e.com.pl
redee3e.pl
redee3o.com.pl


eddpiii.com.pl
eddsiii.com.pl
eddsiip.com.pl
eddsiui.com.pl
eddsiuo.com.pl
eddsiuy.com.pl
edduiip.com.pl
edduiiz.com.pl
edduyiz.com.pl
edouyiz.com.pl
ekouyiz.com.pl


Name server of notice:
ns1.globalistory.net - 87.117.245.9 - Email: tompsongand@aol.com

One of TROYAK-AS's most aggressive customers for Q1 2010 (they used to host their Zeus C&Cs there) is once again attempting to build a crimeware botnet (the latest campaign is from March 12th 2010 - Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild), by spamvertising the well-known PhotoArchive theme while also serving client-side exploits through an iFrame embedded on the domains in question.


In terms of quality assurance, the campaign continues to use its proven structure. The actual pages host a binary for manual download, next to the iFrame which would inevitably drop the Zeus crimeware.

Just like in previous campaigns, the gang continues to register its domains exclusively through the ALANTRON BLTD. domain registrar. Let's dissect the ongoing campaign's structure, and expose the domains and ASs participating in it.

Sample URL/subdomain structure:
archive.pasweq.co.kr /id1007zx/get.php?email=email@mail.com
archives.pasweq.co.kr
letitbit.pasweq.co.kr
photobank.pasweq.co.kr
photosbank.pasweq.co.kr
photostock.pasweq.co.kr

Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."
Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php - 59.53.91.192 - Email: maple@qx8.ru; klgs.trfafsegh.com /index.php

Sample iFrame campaign structure:
- cogs.trfafsegh.com /index.php
    - cogs.trfafsegh.com /l.php
        - cogs.trfafsegh.com /statistics.php

- klgs.trfafsegh.com /index.php
    - klgs.trfafsegh.com /l.php
        - klgs.trfafsegh.com /statistics.php

Parked on the same IP as the iFrame domain are also the following Zeus C&Cs - dogfoog.net - Email: drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - AS4134 (CHINANET-BACKBONE No.31, Jin-rong Street)

Detection rates: zeus.js - Trojan.JS.Agent.bik - Result: 1/41 (2.44%), serving update.exe - PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48%); PhotoArchive.exe - Trojan.Zbot - Result: 18/41 (43.91%). The client-side exploitation relies on the Phoenix Exploit Kit.

Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 78.2.153.153; 75.172.92.77; 78.84.78.179; 86.106.228.77; 184.56.245.136;68.49.19.6 - Email: Duran@example.com shopinfmaster.com /shopinf/gate.php

Relying on the ns1.starwarfan.net name server, which is also connected to other Zeus crimeware C&Cs that respond to the same IPs: smotri123.com - Email: smot-smot@yandex.ru; domainsupp.net - Email: ErnestJBooth@example.com

Active and fast-fluxed subdomains and domains participating in the campaign:
pasweokz.com - Email: romavesela@yahoo.com
pasweq.co.kr - Email: romavesela@yahoo.com
archive.pasweokz.com
archive.pasweq.co.kr
archives.pasweokz.com
archives.pasweq.co.kr
letitbit.pasweokz.com
letitbit.pasweq.co.kr
photobank.pasweokz.com
photobank.pasweq.co.kr
photosbank.pasweokz.com
photosbank.pasweq.co.kr
photoshock.pasweokz.com
photoshock.pasweq.co.kr
photostock.pasweokz.com
photostock.pasweq.co.kr


Name servers currently in use were also seen in February, 2010 (IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild):
ns1.addressway.net - 87.117.192.79 - Email: poolbill@hotmail.com
ns1.skc-realty.com - 87.117.192.79 - Email: skc@realty.net

Updates will be posted as soon as new developments emerge. Consider going through the related posts, to catch up with the gang's activities for Q1, 2010.

Related posts:
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two


Tuesday, March 23, 2010

GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits


Remember 2009's GazTransitStroy/GazTranZitStroy LLC, AS29371?

The fake Russian gas company whose motto was "In gaz we trust"? It appears that, in order to stay competitive within the cybercrime ecosystem, they are now diversifying their offerings from hosting scareware domains and redirectors to active Zeus crimeware campaigns, alongside the client-side exploits serving campaigns used as the infection vector.

From last week's active Zeus C&Cs:
houstonhotelreal.com - 91.212.41.88 - Email: admin@houstonhotelreal.com
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com
pipiskin.hk - 91.212.41.40 - Email: admin@pipiskin.hk
lopokerasandco.hk - 91.212.41.89 - Email: admin@lopokerasandco.hk
aervrfhu.ru - 91.212.41.88/109.196.143.60 - Email: samm_87@email.com
updateinfo22.com - 91.212.41.60/193.148.47.60 - Email: moonbeam@konocti.net
tumasolt.com - 91.212.41.123 - Email: stuns@5mx.ru
91.212.41.80
91.212.41.79
91.212.41.78


To this week's active Zeus campaigns:
cpadm21.cn - 91.212.41.31 - Email: Dalas_Illarionov@yahooo.com
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com
91.212.41.80
91.212.41.79
91.212.41.78


GazTransitStroy is still in operation, acting as a route for malicious activity in the very same way it was interacting with other cybercrime-friendly ASs (EUROHOST-NET/Eurohost LLC) during 2009. Let's take a quick snapshot of the malicious activity currently taking place at AS29371.

Detection rate for the Zeus crimeware phoning back to GazTransitStroy/GazTranZitStroy:
- Trojan.Zbot - Result: 8/41 (19.52%)
- TROJ_KRAP.SMDA - Result: 5/42 (11.91%)
- Packed.Win32.Krap.ae - Result: 10/42 (23.81%)

Client-side exploits serving domains/admin panels (Spammer:Win32/Tedroo.AB; Win32:FakeAlert-JJ - Result: 31/42 (73.81%)) parked at 91.212.41.87:
hvcvjxcc.cn - Email: wang9619@163.com
fyyxqftc.cn - Email: wang9619@163.com
qymgeejd.cn - Email: wang9619@163.com
gjjdrgqf.cn - Email: wang9619@163.com
gdttjkug.cn - Email: wang9619@163.com
pgcnbgkk.cn - Email: wang9619@163.com
xvrlomwk.cn - Email: wang9619@163.com
bfhqrmtm.cn - Email: wang9619@163.com
cfssixsn.cn - Email: wang9619@163.com
vxoyqgcp.cn - Email: wang9619@163.com
hjwbxhqr.cn - Email: wang9619@163.com
frrszqot.cn - Email: wang9619@163.com
axaldjqt.cn - Email: wang9619@163.com
aafoocgv.cn - Email: wang9619@163.com


It's worth pointing out that in February a much more extensive portfolio of domains was parked on 195.88.190.30, with a small part of them now responding within the GazTransitStroy/GazTranZitStroy AS:
arufeudv.cn - Email: wang9619@163.com
axaldjqt.cn - Email: wang9619@163.com
bbivbblr.cn - Email: wang9619@163.com
cfssixsn.cn - Email: wang9619@163.com
dcueqzke.cn - Email: wang9619@163.com
drghzeap.cn - Email: wang9619@163.com
fqfmyvii.cn - Email: wang9619@163.com
gjjdrgqf.cn - Email: wang9619@163.com
gokzlykr.cn - Email: wang9619@163.com
gwsdwxae.cn - Email: wang9619@163.com
icnzlxyo.cn - Email: wang9619@163.com
inkqoevl.cn - Email: wang9619@163.com
izhdjcsu.cn - Email: wang9619@163.com
lsggdniu.cn - Email: wang9619@163.com
maaltsxg.cn - Email: wang9619@163.com
mdftfxek.cn - Email: wang9619@163.com
ntvftguu.cn - Email: wang9619@163.com
pgcnbgkk.cn - Email: wang9619@163.com
rbpwnrss.cn - Email: wang9619@163.com
rzwdcsey.cn - Email: wang9619@163.com
urybtnfb.cn - Email: wang9619@163.com
uzfbhofi.cn - Email: wang9619@163.com
vnvxltpr.cn - Email: wang9619@163.com
vordquyo.cn - Email: wang9619@163.com
xvrlomwk.cn - Email: wang9619@163.com
ycgezkpu.cn - Email: wang9619@163.com
ykcdffei.cn - Email: wang9619@163.com
yvuxksuk.cn - Email: wang9619@163.com
zdzhecim.cn - Email: wang9619@163.com

Fake codecs serving domains parked at 91.212.41.88:
real-time-tube.com - Email: admin@free-new-sex-video.com
myusmailservice.com 
video-chronicle.com - Email: neujelivsamomdeli@safe-mail.net
yahoo-movies-online.com - Email: admin@yahoo-movies-online.com
houstonhotelreal.com - Email: admin@houstonhotelreal.com
sex-tapes-celebs.com - Email: wnscandals@gmail.com
evertrands.com - Email: moldavimo@safe-mail.net
myusmailservices.com - Email: admin@myusmailservices.com
xplacex.com - Email: i.jahmurphy@gmail.com
xsebay.com - Email: admin@xsebay.com
exsebay.com - Email: admin@exsebay.com
video-info.info - Email: videinfo@gmail.com
partner777.net - Email: potenciallio@safe-mail.net
video-trailers.net - Email: fullhdvid@gmail.com
primusdns.ru - Email: samm_87@email.com
aervrfhu.ru - Email: samm_87@email.com

Sample redirection takes place through the following chain:
- yahoo-movies-online.com/ iframe7.php
    - real-web-tube.com/ xplay.php?id=40018 - 59.53.91.124
        - multimediasupersite.com/ video-plugin.40018.exe - 62.212.66.93

Serving video-plugin.40018.exe - W32/FakeAlert.FT.gen!Eldorado - Result: 10/42 (23.81%), which phones back to:
yourartmuseum.com/fakbwq.php?q=RANDOM - 66.96.219.38 - Email: davidearhart@rocketmail.com
rareartonline.com - 64.191.44.73 - Email: fellows@nonpartisan.com
sportscararts.com - 209.159.146.234 - Email: cdaniels@pennsylvania.usa.com
expressautoarts.com - 69.10.35.253 - Email: cdaniels@pennsylvania.usa.com
zenovy.com/resolution.php - 66.96.222.198
bokwer.com/borders.php - 64.120.144.119

Domains hosting the fake codec plugin are parked at 62.212.66.93:
bestinternetmedia.com - Email: shoemaker@angelic.com
supermediaworld.com - Email: shoemaker@angelic.com
hottrackdvd.com - Email: bailey@theplate.com
multimediatoolguide.com - Email: severson@therange.com
thebettermovie.com - Email: bailey@theplate.com
movietoolonline.com - Email: severson@therange.com
movietoolvideo.com - Email: shann@techie.com
movielocationinfo.com - Email: maldonado@toke.com
bestmultimediademo.com - Email: mcchristian@ymail.com
dvddatacenter.com - Email: maldonado@toke.com
videotooldirect.com - Email: shann@techie.com

In gaz they trust, cybercriminals I don't trust.


Saturday, March 20, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Three

UPDATED: 7 minutes after notification, EUROACCESS responded that the IPs mentioned within the AS "have been blackholed for the time being until a confirmation of cleanup has been received from the customer."
It's a fact. However, in less than a minute the money mule recruitment gang moved the domains from the now blackholed 85.12.46.241; 85.12.46.242; 85.12.46.243; 85.12.46.244; 85.12.46.245 to 85.12.46.95 and 85.12.46.96.

These, including the crimeware and the scareware IPs, are now also blackholed. Let's see what the gang will do next.

The cybercriminals you know, are better than the cybercriminals you don't know. They can be typosquatting, or changing their hosting providers, but they can't escape.

The money mule recruiters profiled in "Keeping Money Mule Recruiters on a Short Leash" and in "Keeping Money Mule Recruiters on a Short Leash - Part Two" are now switching hosting to AS34305, EUROACCESS Global Autonomous System -- the Koobface gang was also using their services during the Christmas season.

The gang appears to have also purchased new templates using new, but naturally, bogus descriptions of the money mule recruitment companies. It gets even more interesting, when one of the domains (greatuk.org) participating in a Zeus crimeware campaign within AS34305, has been registered to hilarykneber@yahoo.com (The Kneber botnet - FAQ).

An excerpt from The Kneber botnet - FAQ on the Koobface gang connection:
The bogus money mule recruitment companies are using identical templates, describing themselves as follows:
"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. 

There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions".

Let's expose the domain portfolio and its supporting name servers, and highlight the scareware and crimeware activity currently taking place at AS34305, EUROACCESS Global Autonomous System.

Active money mule recruitment domains:
augment-group.com - 85.12.46.245 - Email: mylar@5mx.ru
augmentgroup.net - 85.12.46.245 - Email: glean@fastermail.ru
augment-groupmain.tw - 85.12.46.245 - Email: gutsy@qx8.ru
amplitude-groupmain.net - 85.12.46.245 - Email: tabs@5mx.ru
asperitygroup.net - 85.12.46.241 - Email: cde@freenetbox.ru
asperity-group.com - 85.12.46.244 - Email: okay@qx8.ru
alwyn-groupllc.com - Email: cde@freenetbox.ru
altitude-groupli.com - 85.12.46.244 - Email: mylar@5mx.ru
celeritygroupmain.tw - 85.12.46.242 - Email: gutsy@qx8.ru
celerity-groupmain.net - 85.12.46.243 - cde@freenetbox.ru
celerity-groupmain.tw - 85.12.46.241 - Email: weds@fastermail.ru
impact-groupinc.net - 85.12.46.242 - Email: cde@freenetbox.ru
impact-groupnet.com - 85.12.46.243 - Email: okay@qx8.ru
excel-groupsvc.com - 85.12.46.241 - Email: carlo@qx8.ru

fecunda-group.com - 85.12.46.241 - Email: okay@qx8.ru
fecunda-groupmain.net - 85.12.46.243 - Email: mylar@5mx.ru
fecunda-groupmain.tw - 85.12.46.245 - Email: ti@fastermail.ru
foreaim-group.com - 85.12.46.245 - Email: cde@freenetbox.ru
foreaimgroup.net - 85.12.46.241 - Email: glean@fastermail.ru
golden-gateinc.com - 85.12.46.242 - Email: cde@freenetbox.ru
golden-gateco.net - 85.12.46.242 - Email: carlo@qx8.ru
luxor-groupco.tw - 85.12.46.244 - Email: logic@qx8.ru
luxor-groupinc.tw - 85.12.46.244 - Email: gv@fastermail.ru
synapse-groupinc.tw - 85.12.46.241 - Email: omega@fastermail.ru
synapse-groupfine.net - 85.12.46.245 - Email: okay@qx8.ru
synapsegroupli.com - 85.12.46.243 - Email: tabs@5mx.ru
spark-groupsvc.com - Email: trim@freenetbox.ru
tnmgroupsvc.net - 85.12.46.245 - Email: tabs@5mx.ru
tnmgroupinc.com - 85.12.46.241 - Email: tabs@5mx.ru
westendgroupsvc.net - 85.12.46.241 - Email: mylar@5mx.ru

Name servers:
ns1.maninwhite.cc - 89.248.166.45 - Email: duly@fastermail.ru
ns1.trythisok.cn - 89.248.166.45 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru
ns1.chinegrowth.cc - 89.248.166.59 - Email: duly@fastermail.ru
ns2.cnnandpizza.cc - 205.234.195.188 - Email: bears@fastermail.ru
ns1.benjenkinss.cn - 89.248.166.59 - Email: chunk@qx8.ru
ns1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru
ns2.uleaveit.com - 204.12.217.253 - Email: plea@qx8.ru
ns3.pesenlife.net - 74.118.194.86 - Email: erupt@qx8.ru
ns1.basilkey.ws - 98.158.171.87
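Every listing on this page pivots on the same two attributes: a shared registrant e-mail or a shared hosting IP ties otherwise unrelated-looking domains to one operator. The following added example, which is not part of the original post, parses lines in the exact "domain - IP - Email: address" layout used above and groups domains into clusters through those shared attributes. It tolerates the irregular lines that occur in the listings (no IP, a missing "Email:" label, two IPs joined with "/", bare-IP lines). The sample records are copied from this post and from the GazTransitStroy post above; the grouping logic and function names are this example's own.

```python
"""Cluster domains by shared registrant e-mail / hosting IP, reading the
'domain - IP - Email: address' lines used in the listings above."""
import re
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def parse_record(line):
    """Return (domain, ips, emails) or None for an unusable line.
    Handles a missing IP, a missing 'Email:' label, several IPs joined
    with '/', and bare-IP lines (domain comes back as None)."""
    fields = [f.strip() for f in line.split(" - ")]
    if not fields or not fields[0]:
        return None
    domain, ips, emails = None, [], []
    for i, field in enumerate(fields):
        f = field[len("Email:"):].strip() if field.startswith("Email:") else field
        if EMAIL_RE.match(f):
            emails.append(f.lower())
        elif all(IP_RE.match(p) for p in f.split("/")):
            ips.extend(f.split("/"))
        elif i == 0:
            domain = f.lower()
    if domain is None and not ips:
        return None
    return domain, ips, emails


class DisjointSet:
    """Union-find over domain / 'ip:x' / 'email:x' nodes."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(lines):
    """Return (clusters, pivots): clusters is a list of sorted domain lists,
    largest first; pivots maps each 'ip:x' / 'email:x' key shared by more
    than one domain to the sorted domains that share it."""
    ds = DisjointSet()
    members = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        domain, ips, emails = rec
        keys = [f"ip:{ip}" for ip in ips] + [f"email:{e}" for e in emails]
        if domain is None:           # bare IP: record the node, nothing to join
            for k in keys:
                ds.find(k)
            continue
        ds.find(domain)
        for k in keys:
            ds.union(domain, k)
            members[k].add(domain)
    groups = defaultdict(set)
    for node in list(ds.parent):
        if not node.startswith(("ip:", "email:")):
            groups[ds.find(node)].add(node)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
    pivots = {k: sorted(v) for k, v in members.items() if len(v) > 1}
    return clusters, pivots


# Records copied from the listings on this page (money mule domains, a Zeus
# C&C, and two GazTransitStroy lines), plus one bare-IP line as they appear above.
SAMPLE_RECORDS = [
    "augment-group.com - 85.12.46.245 - Email: mylar@5mx.ru",
    "augmentgroup.net - 85.12.46.245 - Email: glean@fastermail.ru",
    "asperitygroup.net - 85.12.46.241 - Email: cde@freenetbox.ru",
    "alwyn-groupllc.com - Email: cde@freenetbox.ru",
    "celerity-groupmain.net - 85.12.46.243 - cde@freenetbox.ru",
    "altitude-groupli.com - 85.12.46.244 - Email: mylar@5mx.ru",
    "aervrfhu.ru - 91.212.41.88/109.196.143.60 - Email: samm_87@email.com",
    "primusdns.ru - Email: samm_87@email.com",
    "91.212.41.80",
    "greatuk.org - 193.104.22.100 - Email: hilarykneber@yahoo.com",
]

if __name__ == "__main__":
    clusters, pivots = build_clusters(SAMPLE_RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for k, doms in sorted(pivots.items()):
        print(f"pivot {k}: {', '.join(doms)}")
```

The pivot map is the part worth reading first: it names the single e-mail or IP that stitched a cluster together, which is also the indicator a takedown request or a blocklist entry should cite. Throwaway webmail registrants such as the qx8.ru and fastermail.ru addresses above are re-used across domains, so they carry more signal here than the domain names themselves.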

Next to the money mule recruitment domains, there are several active Zeus crimeware campaigns using the following domains/IPs. In fact, one of them is using a domain registered to Hilary Kneber (The Kneber botnet - FAQ):
greatuk.org - 193.104.22.100 - Email: hilarykneber@yahoo.com
greatan.cn - 193.104.22.100 - Email: AlehnoLopu_@yahoo.com
193.104.22.71
193.104.22.90

What are we missing? Naturally, that's the scareware monetization element. Let's expose one of the currently active scareware domain portfolios there.

Domains responding to 193.104.22.50 - AS34305, EUROACCESS Global Autonomous System:
2009antispyware.net - Email: admin@web-antispyware.com
againstspyware.com - Email: admin@antiviruscenter.net
antispycenterprof.com - Email: admin@antispycenterprof.com
anti-spyware-2010.net - Email: admin@antiviruscenter.net
antispyware24x7.com - Email: admin@antispyware24x7.com
antispywareglobal.com - Email: admin@antiviruscenter.net
antispywareonline.net - Email: admin@antiviruscenter.net
antispywaresnet.com - Email: admin@antispywaresnet.com
antispywarets.com - Email: admin@antispywarets.com
antispywareweb.net - Email: admin@antiviruscenter.net
antispyworldwideint.com - Email: admin@antispyworldwideint.com
antiviruscenter.net - Email: admin@antiviruscenter.net
antivirusexpert.net - Email: admin@antiviruscenter.net
antivirus-live.net - Email: admin@antiviruscenter.net
antiviruslivepro.com - Email: admin@antiviruscenter.net
antiviruslive-pro.com - Email: admin@antiviruscenter.net
antivirus-service.net - Email: admin@antiviruscenter.net
antivirustop.net - Email: admin@antiviruscenter.net
bestantispysoft2010.com - Email: admin@bestantispysoft2010.com

eliminater2009pro.com - Email: admin@eliminater2009pro.com
itsafetyonline.com - Email: admin@itsafetyonline.com
ivirusidentify.com - Email: admin@ivirusidentify.com
myprivatesoft2009.com - Email: admin@myprivatesoft2009.com
netantivirus.net - Email: admin@antiviruscenter.net
onlineantispysoft.com - Email: admin@onlineantispysoft.com
pcdoctorz2010.com - Email: admin@pcdoctorz2010.com
pcprotect2010.com - Email: admin@pcprotect2010.com
pcsafety2009pro.com - Email: admin@pcsafety2009pro.com
protection2010.com - Email: admin@pcsafety2009pro.com
protectorservice.com - Email: admin@antiviruscenter.net
superantivirus.net - Email: admin@antiviruscenter.net
systemprotector.net - Email: admin@antiviruscenter.net
total-defender.com - Email: admin@total-defender.com
virusdetect24.com - Email: admin@antiviruscenter.net
virusremoveonline.com - Email: admin@antiviruscenter.net
worldantispyware1.com - Email: admin@worldantispyware1.com
worldprotection.net - Email: admin@antiviruscenter.net

EUROACCESS has been notified; the post will be updated once/if they take care of the "customers" violating their Terms of Service.

Related coverage of money laundering in the context of cybercrime:
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002


The Current State of the Crimeware Threat


With Zeus crimeware infections reaching epidemic levels, two-factor authentication under fire, and the actual DIY (do-it-yourself) kit becoming more sophisticated, it’s time to reassess the situation by discussing the current and emerging crimeware trends.

What's the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are ISPs doing, and what should ISPs be doing, to solve the problem? Does taking down a cybercrime-friendly ISP have any long-term effects?

I asked Thorsten Holz, researcher at Vienna University of Technology, whose team not only participated in the recent takedown of the Waledac botnet, but also released an interesting paper earlier this year summarizing their findings based on 33GB of crimeware data obtained from active campaigns.
Go through the Q&A.

Related posts on crimeware kits, trends and developments:
Crimeware in the Middle - Zeus
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Help! Someone Hijacked my 100k+ Zeus Botnet!
Inside a Zeus Crimeware Developer’s To-Do List

Zeus crimeware serving campaigns for Q1, 2010, related to TROYAK-AS:
TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two


Monday, March 15, 2010

Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

Just how greedy has the Koobface gang become these days? Very greedy.

In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/fee1/index.php?GREED==random_characters. Let's dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010.
  • The domain portfolios are in the process of being suspended
The current portfolio of redirectors embedded on Koobface-infected hosts is parked at 195.5.161.129, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:

The scareware domains portfolio is currently parked on 195.5.161.117, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova:

Detection rates for scareware samples rotated over the past 48 hours:
- Setup_312s2.exe - Trojan.Win32.FakeAV!IK - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3549 - Result: 4/41 (9.76%)
- Setup_312s2.exe - Trojan.Generic.KD.3605 - Result: 10/42 (23.81%)
- Setup_312s2.exe - Packed.Win32.Krap.as - Result: 6/41 (14.64%)
- Setup_312s2.exe - Trojan.Crypt.XPACK.Gen2 - Result: 6/42 (14.29%)
- Setup_312s2.exe - Sus/UnkPack-C - 10/42 (23.81%)

The samples phone back to projectwupdates.com/ download/winlogo.bmp - 94.228.208.57 and cariport.com/ ?b=312s2 - 89.248.168.21 (psdefendersoft.com and antispywarelist.com also parked there) - Email: zooik52@hotmail.com.
Recent detection rates for Koobface components:
- fb.101.exe - Result: 39/42 (92.86%)
- go.exe - Result: 7/42 (16.67%)
- pp.14.exe - Result: 36/42 (85.72%)
- v2bloggerjs.exe - Result: 39/42 (92.86%)
- v2captcha21.exe - Result: 24/41 (58.54%)
- v2newblogger.exe - Result: 23/41 (56.10%)
- v2googlecheck.exe - Result: 36/41 (87.80%)
- v2webserver.exe - Result: 26/42 (61.91%)

With respect to the Koobface gang, as well as cybercrime in general, historical OSINT always offers an invaluable piece of the malicious puzzle: their campaigns, hosting providers and campaign structure make it easier to establish multiple connections to the rest of their campaigns that are not related to the Koobface botnet.

Here's a peek at the redirectors and scareware domains served during February. For a more extensive assessment of their activities for February, go through the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" post.

Redirectors parked on 91.212.132.242, AS49091, Interforum-AS Interforum LTD for February, 2010:

Scareware domains parked on 195.5.161.119, AS31252, STARNET-AS StarNet Moldova, for February, 2010:

Persistence must be met with persistence. The domain portfolios are in the process of getting suspended; an update will be posted as soon as this happens.

Related Koobface gang/botnet research:
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

Friday, March 12, 2010

Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild


AS50215 Troyak-as customers are back with a campaign serving an ugly mix of scareware, Sinowal and client-side exploits, using the "You don't have the latest version of Macromedia Flash Player" theme. Quality assurance is also in place this time, with the client-side exploit serving domains using the well known "function nerot" obfuscation technique in an attempt to bypass link scanners.

Let's dissect the campaign, list all the typosquatted and spamvertised domains, the client-side exploit serving iFrames and the actual scareware.

Sampled URLs archives .wesh.kr/archive0715/?id=test@test.com; anonymousfiles .wesh.or.kr/archive0715/?id=test@test.com.
Spamvertised and typosquatted currently active domains include:

Name servers of notice:
ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net
ns1.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com
ns1.limeteablack.net - 87.117.245.9 - Email: doofi@usa.com

Upon visiting the spamvertised links, the cybercriminals are then enticing the user into manually downloading update.exe - Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - Result: 10/42 (23.81%).

The sample phones back to the following locations, downloading the actual scareware (setup.exe - Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96%)) and reporting back to the cybercriminals with the affiliate ID to confirm a successful installation:
- gotsaved.cn/css/_void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net
- gotsaved.cn/css/_void/srcr.dat
- gotsaved.cn/css/_void/crcmds/install
- gotsaved.cn/css/_void/crfiles/serf
- gotsaved.cn/css/_void/crcmds/builds/bbr
- gotsaved.cn/css/_void/crfiles/bbr
- gotsaved.cn/css/_void/knock.php
- gotsaved.cn/css/_void/crcmds/extra
- automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=XF5W&subid=AQoY&prov=&mode=cr&v=6&newref=1 - 69.39.238.101 - Email: larrypenn@xhotmail.net
- automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=Wg==&subid=GwocGwEEHQ==&prov=&mode=cr&v=6nkr
- beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new&version=3.0&adwareok - 193.169.234.30 - Email: Vrapus.Kamat@gmail.com
- mega-fast.org/page2/setup - 91.212.132.8 - Email: Vrapus.Kamat@gmail.com
- mega-fast.org/page2/setup0

Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 (gotsaved.cn) are also:

Parked on 69.39.238.101 (automaticallyfind.org) are also:
guysfind.org - Email: larrypenn@xhotmail.net
automaticallyfind.org - Email: larrypenn@xhotmail.net
findalternate.org - Email: larrypenn@xhotmail.net

As we've already seen in previous campaigns, each and every domain is embedded with an iFrame, which this time behaves differently, much more covertly than the one used before. ylwgheakrozn.com /ld/nov1/ - 66.135.37.211 - Email: getilak11@yahoo.com would attempt to load the following:
- ylwgheakrozn.com /nte/nov1.php
- ylwgheakrozn.com /nte/avorp1nov1.py
- ylwgheakrozn.com /nte/NOV1.py

But it would also attempt to load the nonexistent:
- ylwgheakrozn.com /nte/AVORP1NOV1.exe
- ylwgheakrozn.com /nte/NOV1.exe
- ylwgheakrozn.com /nte/NOV1.asp
- ylwgheakrozn.com /nte/NOV1.html

  • The folks at FireEye covered the "function nerot" obfuscation in depth in January, 2010, and analyzed a campaign using a structure similar to the current one.

The campaign ultimately serves Backdoor.Sinowal.DJ - Result: 15/42 (35.71%) through an obfuscated Exploit.PDF-JS.Gen - Result: 18/42 (42.86%).
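The URL structures documented in this post and in the Koobface post above (the /fee1/index.php?GREED= landing pages, the /ld/nov1/ and /nte/ loader paths with their nonexistent .exe/.asp/.html variants, the gotsaved.cn/css/_void/ check-in tree and the readdatagateway.php?type=stats affiliate call) are stable enough to hunt for in proxy logs even as the domains rotate. The following is an added example, not the blog's own tooling: the squid-style log format, every log line and the private client addresses are constructed here for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path patterns lifted from the post. Hostnames are deliberately not matched:
# the gang rotates domains constantly but keeps the same directory structure.
PATH_RULES = [
    # Koobface scareware landing page: scareware-domain/fee1/index.php?GREED=...
    ("koobface_scareware_landing", re.compile(r"^/fee1/index\.php$")),
    # Troyak iFrame loader /ld/nov1/ and the /nte/ files it pulls in, including the
    # non-existent .exe/.asp/.html variants: a 404 on NOV1.exe still proves the loader ran
    ("troyak_iframe_loader",
     re.compile(r"^/(?:ld/nov1/|nte/(?:avorp1)?nov1\.(?:php|py|exe|asp|html))$", re.I)),
    # Scareware downloader check-in tree (gotsaved.cn/css/_void/...)
    ("scareware_checkin", re.compile(r"^/css/_void/(?:crcmds/|crfiles/|knock\.php$|srcr\.dat$)")),
    # Affiliate install confirmation (readdatagateway.php?type=stats&affid=...)
    ("affiliate_stats", re.compile(r"^/readdatagateway\.php$")),
]

# Constructed squid-style log ("epoch client method url status"); hostnames are
# the ones named in the post, clients are private addresses, nothing here is real traffic.
SAMPLE_LOG = """\
1268640001.101 10.0.0.5 GET http://www.example.org/index.html 200
1268640002.214 10.0.0.5 GET http://be-protecteda.info/fee1/index.php?GREED==q8Zk1x 200
1268640003.330 10.0.0.9 GET http://ylwgheakrozn.com/ld/nov1/ 200
1268640003.412 10.0.0.9 GET http://ylwgheakrozn.com/nte/nov1.php 200
1268640003.498 10.0.0.9 GET http://ylwgheakrozn.com/nte/NOV1.exe 404
1268640004.002 10.0.0.9 GET http://gotsaved.cn/css/_void/crcmds/install 200
1268640004.120 10.0.0.9 GET http://beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new 200
1268640005.000 10.0.0.7 GET http://intranet.example.org/fee1/index.php 200
1268640006.000 10.0.0.7 GET http://cdn.example.org/nte/nov1.phpx 200
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify(url):
    """Return the name of the campaign rule a URL matches, or None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name, rule in PATH_RULES:
        if not rule.search(parts.path):
            continue
        # The two parameterised rules also need their tell-tale query key: a bare
        # /fee1/index.php or readdatagateway.php on its own could be a legitimate site.
        if name == "koobface_scareware_landing" and "GREED" not in qs:
            continue
        if name == "affiliate_stats" and (qs.get("type") != ["stats"] or "affid" not in qs):
            continue
        return name
    return None


def scan(log_lines):
    """Return (client, rule, url) for every request that matches a campaign rule."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        label = classify(m["url"])
        if label:
            hits.append((m["client"], label, m["url"]))
    return hits


def stages_by_client(hits):
    """Map each client to the campaign stages seen, in order of first appearance, so a
    host that went loader -> check-in -> affiliate stats stands out as a confirmed install."""
    stages = {}
    for client, label, _ in hits:
        stages.setdefault(client, [])
        if label not in stages[client]:
            stages[client].append(label)
    return stages
```

Running `stages_by_client(scan(SAMPLE_LOG))` on the constructed log shows 10.0.0.9 walking the full loader, check-in and affiliate-confirmation chain, while the two look-alike requests from 10.0.0.7 are left alone because they lack the GREED parameter and the exact /nte/ filename.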

Parked on the same IPs as the iFrame domain is the remaining portfolio of domains, presumably prepared for rotation; in fact some of them are already involved in malicious activity.

At 69.174.245.148; 75.125.212.58; 66.135.37.211; 190.120.228.44 and 76.74.238.94 is the rest of the client-side exploits serving domains portfolio:

Monitoring of the campaign is ongoing, updates will be posted as soon as new developments emerge.

Related Troyak-as activity and previous campaigns maintained by their customers:
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

Thursday, March 11, 2010

Money Mule Recruiters on Yahoo!'s Web Hosting

UPDATED: Saturday, March 13, 2010 - Yahoo! Web Hosting abuse just pinged me that "We have investigated the sites and taken the necessary action".

Just how dumb, or perhaps ingenious, is a cybercriminal who would host his money mule recruitment operations using Yahoo!'s Web Hosting services? Is the reputable hosting location worth the risk of having their campaigns taken down much more easily than if they were hosting them on a bad-reputation netblock whose operator would never have bothered replying to abuse notifications?

Whatever the motivation of the people behind this money mule recruitment campaign, they are currently using Yahoo! Web Hosting. Domains in question, including contact details:
- Reed Financial Services - reed-fs.com - 68.180.151.74
555 11th St NW
Washington, DC 20004
Phone numbers:
(866) 863-6438
(202) 355-6678 (FAX)

- Stevens Financial Solutions - stevensfs.com - 98.136.50.138; 69.147.83.187; 69.147.83.188
Postal address:
Stevens Financial Solutions
Bahnhofstrasse 32
CH-8001 Zurich, Switzerland
Value Added Tax Nr.: 428 643
Phones and fax no's:
Phone: +41 (43) 219-2551
Fax 1: +41 (43) 219-2551
Fax 2: +1 (866) 703-7622 US Toll-Free

- Waters & Co. LLP - watersllp.com - 216.39.57.104
400 East Pratt Street,
Baltimore, MD 21202
United States
Phone numbers:
(443) 524-9221
(443) 524-9221 (FAX)

- Nilson Financial Solutions - nilson-fs.com - 98.136.92.76; 98.136.92.77; 98.136.92.78
Postal address:
Nilson Financial Solutions
Bahnhofstrasse 32
CH-8001 Zurich, Switzerland
Value Added Tax Nr.: 428 643
Phones and fax no's:
Phone: +41 (43) 219-2551
Fax 1: +41 (43) 219-2551
Fax 2: +1 (866) 472-0560 US Toll-Free

Upon submitting the personal details, the potential money mule is required to send a scanned copy of their ID or driving license:
  • "Familiarize yourself with all clauses of the contract. Fill the contract and send us a scanned copy of it to the e-mail address info@watersllp.com or by fax: (443) 524-9221. The contract becomes valid from the moment of the reception of the correctly filled copy of the contract. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.* To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to send a scan of valid ID or a driving license to the e-mail: info@watersllp.com or by fax: (443) 524-9221. We guarantee full confidentiality of your personal information, more information on this matter you will find in our Privacy Policy PLEASE LET US KNOW BY EMAIL WHEN YOU WILL FAX BACK/EMAIL AS ATTACHMENT THE CONTRACT AND APPLICATION FORM WITHIN 48 HOURS."
Yahoo!'s Web Hosting abuse team has been notified of the campaigns, and will nuke them offline a.s.a.p.

Related coverage of money laundering in the context of cybercrime:
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
