Thursday, April 29, 2010

Summarizing Zero Day's Posts for April


The following is a brief summary of all of my posts at ZDNet's Zero Day for April, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading: Attack of the Opt-In Botnets; Hundreds of high profile sites unprotected from domain hijacking and Copyright violation alert ransomware in the wild

01. Facebook phishing campaign serving ZeuS crimeware
02. Researchers expose complex cyber espionage network
03. Copyright violation alert ransomware in the wild
04. Do teens hack? Survey says 1 in 6 do
05. Google: Scareware accounts for 15 percent of all malware
06. New Mac OS X malware variant spotted
07. Hundreds of high profile sites unprotected from domain hijacking
08. Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime
09. Attack of the Opt-In Botnets
10. 1.5 million Facebook accounts offered for sale - FAQ
11. How to remove the ICPP Copyright Violation Alert ransomware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, April 27, 2010

GoDaddy's Mass WordPress Blogs Compromise Serving Scareware


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign's structure, the changed IPs, and the newly introduced scareware samples+phone back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:
- update2.keepinsafety.net /?jbjyhxs=kdjf0tXm1J2a0Nei2Mrh24U%3D
- www5.my-security-engine.net
- report.land-protection.com /Reports/SoftServiceReport.php?verint
- 91.207.192.24 - Email: gkook@checkjemail.nl
- secure2.securexzone.net/?abbr=MSE&pid=3 - 78.159.108.170 - Emaikl: gkook@checkjemail.nl
- 173.232.149.92 /chrome/report.html?uid=2045&wv=wvXP&
- 74.118.193.47 /report.html?wv=wvXP&uid=50&lng=
- 74.125.45.100
- update1.keepinsafety.net
- 94.228.209.223 - Email: gkook@checkjemail.nl

Related scareware domains part of the ongoing campaign are also parked on the following IPs:
78.46.218.249
www3.workfree20-td.xorg.pl
www3.nojimba52-td.xorg.pl
www3.workfree25-td.xorg.pl



209.212.147.244
www1.newsys-scanner.com - Email: gkook@checkjemail.nl
www2.securesys-scan2.net - Email: gkook@checkjemail.nl
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl
www1.safetypcwork5.net - Email: gkook@checkjemail.nl
www1.securesyscare9.net - Email: gkook@checkjemail.nl
www1.freeguard35-pr.net - Email: gkook@checkjemail.nl

95.169.186.25
www4.ararat23.xorg.pl
www3.sdfhj40-td.xorg.pl
www3.nojimba45-td.xorg.pl
www3.workfree36-td.xorg.pl
www3.nojimba46-td.xorg.pl
www4.fiting58td.xorg.pl
www4.birbinsof.net


94.228.209.182
www1.protectsys25-pd.xorg.pl
www1.protectsys26-pd.xorg.pl
www1.protectsys27-pd.xorg.pl
www1.protectsys28-pd.xorg.pl
www1.protectsys29-pd.xorg.pl
www1.soptvirus32-pr.xorg.pl
www1.soptvirus34-pr.xorg.pl



209.212.147.246
www2.securesys-scan2.com - Email: gkook@checkjemail.nl
www1.newsys-scanner1.com - Email: gkook@checkjemail.nl

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:
ns1.birbins-of.com
ns1.cleanupantivirus.com
ns1.createpc-pcscan-korn.net
ns1.fhio22nd.net
ns1.letme-guardyourzone.com
ns1.letprotectsystem.net
ns1.my-softprotect4.net
ns1.new-pc-protection.com
ns1.payment-safety.net
ns1.romsinkord.com
ns1.safelinkhere.net
ns1.safetyearth.net
ns1.safetypayments.net
ns1.save-secure.com
ns1.search4vir.net
ns1.systemmdefender.com
ns1.upscanyourpc-now.com


Parked on 93.174.92.225, AS29073, ECATEL-AS , Ecatel Network (ns2.safelinkhere.net) are also:
marmarams.com
ns2.cleanupantivirus.com
ns2.dodtorsans.net
ns2.fastsearch-protection.com
ns2.go-searchandscan.net
ns2.guardsystem-scanner.net
ns2.hot-cleanofyourpc.com
ns2.marfilks.net
ns2.my-systemprotection.net
ns2.myprotected-system.com
ns2.myprotection-zone.net
ns2.mysystemprotection.com
ns2.new-systemprotection.com
ns2.newsystem-guard.com
ns2.onguard-zone.net
ns2.pcregrtuy.net
ns2.plotguardto-mypc.com
ns2.protected-field.com
ns2.safelinkhere.net
ns2.scanmypc-online.com
ns2.search-systemprotect.net
ns2.searchscan-online.net
ns2.securemyzone.com
ns2.systemcec7.com
ns2.trust-systemprotect.net
ns2.trustscan-onmyzone.com
ns2.trustsystemguard.net
ns2.upscanyour-pcnow.com
ns2.windows-systemshield.net
ns2.windows-virusscan.com
ns2.windowsadditionalguard.net



Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place GoDaddy, according to WPSecurityLock.

Since the campaign's URLs still active, and given the fact that based on historical OSINT, we can get even more insights into known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com,  is also another domain known have been used in similar attacks from February, 2010 - iss9w8s89xx.org.


Parked on 217.23.5.51 are related scareware domains part of the campaign:
www2.burnvirusnow31.xorg.pl
www2.burnvirusnow33.xorg.pl
www2.burnvirusnow34.xorg.pl
www2.trueguardscaner30-p.xorg.pl
www2.trueguardscaner33-p.xorg.pl
www1.savesysops30p.xorg.pl
www1.suaguardprotect11p.xorg.pl
www2.realsafepc32p.xorg.pl
www1.suaguardprotect13p.xorg.pl
www1.suaguardprotect14p.xorg.pl


Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although the cechirecom.com/js.php is not currently responding, parked on the same IP 61.4.82.212, is another currently active domain, which is registered to hilarykneber@yahoo.com.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19


Parked on 209.212.149.19:
www2.burnvirusnow43.xorg.pl
www2.trueguardscaner42-p.xorg.pl
www1.suaguardprotect23p.xorg.pl
www2.realsafepc27p.xorg.pl
www1.fastfullfind27p.xorg.pl
www1.yesitssafe-now-forsure.in


Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solution's case (Dissecting the WordPress Blogs Compromise at Network Solutions) the end user always has to be protected from himself using basic security auditing practices in regard to default WordPress installations. The rest is wishful thinking, that the end user would self-audit himself.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

GoDaddy's Mass WordPress Blogs Compromise Serving Scareware


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign's structure, the changed IPs, and the newly introduced scareware samples+phone back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:
- update2.keepinsafety.net /?jbjyhxs=kdjf0tXm1J2a0Nei2Mrh24U%3D
- www5.my-security-engine.net
- report.land-protection.com /Reports/SoftServiceReport.php?verint
- 91.207.192.24 - Email: gkook@checkjemail.nl
- secure2.securexzone.net/?abbr=MSE&pid=3 - 78.159.108.170 - Emaikl: gkook@checkjemail.nl
- 173.232.149.92 /chrome/report.html?uid=2045&wv=wvXP&
- 74.118.193.47 /report.html?wv=wvXP&uid=50&lng=
- 74.125.45.100
- update1.keepinsafety.net
- 94.228.209.223 - Email: gkook@checkjemail.nl

Related scareware domains part of the ongoing campaign are also parked on the following IPs:
78.46.218.249
www3.workfree20-td.xorg.pl
www3.nojimba52-td.xorg.pl
www3.workfree25-td.xorg.pl



209.212.147.244
www1.newsys-scanner.com - Email: gkook@checkjemail.nl
www2.securesys-scan2.net - Email: gkook@checkjemail.nl
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl
www1.safetypcwork5.net - Email: gkook@checkjemail.nl
www1.securesyscare9.net - Email: gkook@checkjemail.nl
www1.freeguard35-pr.net - Email: gkook@checkjemail.nl

95.169.186.25
www4.ararat23.xorg.pl
www3.sdfhj40-td.xorg.pl
www3.nojimba45-td.xorg.pl
www3.workfree36-td.xorg.pl
www3.nojimba46-td.xorg.pl
www4.fiting58td.xorg.pl
www4.birbinsof.net


94.228.209.182
www1.protectsys25-pd.xorg.pl
www1.protectsys26-pd.xorg.pl
www1.protectsys27-pd.xorg.pl
www1.protectsys28-pd.xorg.pl
www1.protectsys29-pd.xorg.pl
www1.soptvirus32-pr.xorg.pl
www1.soptvirus34-pr.xorg.pl



209.212.147.246
www2.securesys-scan2.com - Email: gkook@checkjemail.nl
www1.newsys-scanner1.com - Email: gkook@checkjemail.nl

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:
ns1.birbins-of.com
ns1.cleanupantivirus.com
ns1.createpc-pcscan-korn.net
ns1.fhio22nd.net
ns1.letme-guardyourzone.com
ns1.letprotectsystem.net
ns1.my-softprotect4.net
ns1.new-pc-protection.com
ns1.payment-safety.net
ns1.romsinkord.com
ns1.safelinkhere.net
ns1.safetyearth.net
ns1.safetypayments.net
ns1.save-secure.com
ns1.search4vir.net
ns1.systemmdefender.com
ns1.upscanyourpc-now.com


Parked on 93.174.92.225, AS29073, ECATEL-AS , Ecatel Network (ns2.safelinkhere.net) are also:
marmarams.com
ns2.cleanupantivirus.com
ns2.dodtorsans.net
ns2.fastsearch-protection.com
ns2.go-searchandscan.net
ns2.guardsystem-scanner.net
ns2.hot-cleanofyourpc.com
ns2.marfilks.net
ns2.my-systemprotection.net
ns2.myprotected-system.com
ns2.myprotection-zone.net
ns2.mysystemprotection.com
ns2.new-systemprotection.com
ns2.newsystem-guard.com
ns2.onguard-zone.net
ns2.pcregrtuy.net
ns2.plotguardto-mypc.com
ns2.protected-field.com
ns2.safelinkhere.net
ns2.scanmypc-online.com
ns2.search-systemprotect.net
ns2.searchscan-online.net
ns2.securemyzone.com
ns2.systemcec7.com
ns2.trust-systemprotect.net
ns2.trustscan-onmyzone.com
ns2.trustsystemguard.net
ns2.upscanyour-pcnow.com
ns2.windows-systemshield.net
ns2.windows-virusscan.com
ns2.windowsadditionalguard.net



Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place GoDaddy, according to WPSecurityLock.

Since the campaign's URLs still active, and given the fact that based on historical OSINT, we can get even more insights into known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com,  is also another domain known have been used in similar attacks from February, 2010 - iss9w8s89xx.org.


Parked on 217.23.5.51 are related scareware domains part of the campaign:
www2.burnvirusnow31.xorg.pl
www2.burnvirusnow33.xorg.pl
www2.burnvirusnow34.xorg.pl
www2.trueguardscaner30-p.xorg.pl
www2.trueguardscaner33-p.xorg.pl
www1.savesysops30p.xorg.pl
www1.suaguardprotect11p.xorg.pl
www2.realsafepc32p.xorg.pl
www1.suaguardprotect13p.xorg.pl
www1.suaguardprotect14p.xorg.pl


Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although the cechirecom.com/js.php is not currently responding, parked on the same IP 61.4.82.212, is another currently active domain, which is registered to hilarykneber@yahoo.com.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19


Parked on 209.212.149.19:
www2.burnvirusnow43.xorg.pl
www2.trueguardscaner42-p.xorg.pl
www1.suaguardprotect23p.xorg.pl
www2.realsafepc27p.xorg.pl
www1.fastfullfind27p.xorg.pl
www1.yesitssafe-now-forsure.in


Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solution's case (Dissecting the WordPress Blogs Compromise at Network Solutions) the end user always has to be protected from himself using basic security auditing practices in regard to default WordPress installations. The rest is wishful thinking, that the end user would self-audit himself.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is currently suspending them.

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
What's particularly interesting about the campaign, is that the gang is now start to publicly acknowledge its connections with xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.
With the campaign still ongoing it's time to dissect it, expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November, 2009. AS29073, ECATEL-AS Koobface gang connections:

Automatically registered Blogspot accounts used as bogus video links across Facebook:
aashikamorsing.blogspot.com
alpezajeromie.blogspot.com
andcoldjackey.blogspot.com
asiaasiabenzaidi.blogspot.com
atalaygraciani.blogspot.com
barsheshetshakirat.blogspot.com
battittastelzer.blogspot.com
beckermasico.blogspot.com
biedlerharjit.blogspot.com
britainudobot.blogspot.com
bruchnadirnadir.blogspot.com
bryonbryonhofhenke.blogspot.com
ceceliaverner.blogspot.com
centofantiaviran.blogspot.com
codeycodeymarcott.blogspot.com
cottinghamginnyginny.blogspot.com
courtenayharry.blogspot.com
dalton-daviesheinee.blogspot.com
dipietroaudrea.blogspot.com
ericssonbrigid.blogspot.com
ervinervinturnquest.blogspot.com
fashingbauerkylerkyler.blogspot.com
felicetanae.blogspot.com
friedamignogna.blogspot.com
friedlamiraslani.blogspot.com
garthgarthheal.blogspot.com
gavin-williamslielie.blogspot.com
ginnoviaharbottle.blogspot.com
grinolsisanna.blogspot.com
hamiltondesantis.blogspot.com
hananhananmoros-hanley.blogspot.com
heberheberdellinger.blogspot.com
iftikharkacykacy.blogspot.com
imtiazzimmer.blogspot.com
ireneirenejasmen.blogspot.com
jacojacowintermeyer.blogspot.com
jameishaleninger.blogspot.com
jhalaagustin.blogspot.com
johnathenmirani.blogspot.com
kassablynnelle.blogspot.com
kaycieazoni.blogspot.com
keeferjeneejenee.blogspot.com
keibakeibaclarembeaux.blogspot.com
kieroncrowdus.blogspot.com
kilcullenheadhead.blogspot.com
kreuzaavins.blogspot.com
labbatoalphaj.blogspot.com
lellpeyton.blogspot.com
marleenmckoi.blogspot.com
mccarlbargin.blogspot.com
mendizabalnayranayra.blogspot.com
mitranoshaghayegh.blogspot.com
momoneybeltz.blogspot.com
mushenkolirian.blogspot.com
navarretemcarthur.blogspot.com
nekolnekoltasler.blogspot.com
nightrasteyn.blogspot.com
nushnushcave.blogspot.com
ortiz-maynardyvreene.blogspot.com
padalinodarcydarcy.blogspot.com
pantslalala.blogspot.com
papsteinhatemwahsh.blogspot.com
pavanpavandekelver.blogspot.com
pencekleighan.blogspot.com
puzderdenzel.blogspot.com
rabiarabiacarruth.blogspot.com
raeferaefejhanmmat.blogspot.com
raheelolu.blogspot.com
ranaranakundu.blogspot.com
sabeenhunjan.blogspot.com
serroukhshymia.blogspot.com
sertimamislay.blogspot.com
shannonschronce.blogspot.com
sheridanpaltiel.blogspot.com
slomovitzvaughna.blogspot.com
soccicoitcoit.blogspot.com
stengel-bohneinaveinav.blogspot.com
suedeglenna.blogspot.com
sylvainbarnes-rivers.blogspot.com
tammeybutenko.blogspot.com
tartagliatrayvis.blogspot.com
tasunanette.blogspot.com
teddiedommasch.blogspot.com
temitopetodorova.blogspot.com
terranovataiwan.blogspot.com
torneyatsushi.blogspot.com
trovatohaiahaia.blogspot.com
tuncelintrieri.blogspot.com
vislayovadovad.blogspot.com
wellkensie.blogspot.com
yabsleyjessajessa.blogspot.com
zedzedmorelle.blogspot.com


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of the Koobface gang:
aaslehnekaya.blogspot.com
aimanaimanpaulis.blogspot.com
altonaltonbruyninckx.blogspot.com
annemiekenorford.blogspot.com
asghardch.blogspot.com
atencioishmael.blogspot.com
ativanichayaphongdionysios.blogspot.com
ayorindesavoia.blogspot.com
bagnoandreae.blogspot.com
bakalarczykmaipumaipu.blogspot.com
baribarithulin.blogspot.com
beavordawnedawne.blogspot.com
boninidivandivan.blogspot.com
cabooterfinne.blogspot.com
chakkarinlehnertz.blogspot.com
chavarriaarumugam.blogspot.com
coleirolenaylenay.blogspot.com
colkittmogens.blogspot.com
crummittgerhardt.blogspot.com
dahmeialeveque.blogspot.com
dalmolinparamparam.blogspot.com
danaedanaemadan.blogspot.com
danmakumaak.blogspot.com
dauntazusaazusa.blogspot.com
devrimmasaimasai.blogspot.com
dicksdeplancke.blogspot.com
dormiedyismael.blogspot.com
dremadremareany.blogspot.com
duffinflippen.blogspot.com
eliyahneubecker.blogspot.com
eloragiogio.blogspot.com
faubertmacarena.blogspot.com
friedlamiraslani.blogspot.com
gallianinijanija.blogspot.com
gandolphscootscoot.blogspot.com
garbsayrinayrin.blogspot.com
geerbergpovlpovl.blogspot.com
gennygennytjoeng.blogspot.com
gianiniomegalmegal.blogspot.com
griffithlampack-layton.blogspot.com
guerrettebrchibrchi.blogspot.com
guillemineauramyaramya.blogspot.com
gunheedomenick.blogspot.com
haisedymond.blogspot.com
halahalafales.blogspot.com
hamidoujacijaci.blogspot.com
hamminganoush.blogspot.com
honamisouliotis.blogspot.com
japeriagoding.blogspot.com
jaymeecleto.blogspot.com
jinghuamarmorale.blogspot.com
kadeemrebsamen.blogspot.com
karokaroliney.blogspot.com
kashmirahoeger.blogspot.com
kasidasaugust.blogspot.com
kattylaitia.blogspot.com
kaynatferetos.blogspot.com
kimberlikohlmann.blogspot.com
kissikshaney.blogspot.com
kjerstisatterwhite-landry.blogspot.com
korbessamessam.blogspot.com
kozubmarshand.blogspot.com
kruthjancijanci.blogspot.com
krystellecahoon.blogspot.com
kuroiwadelphdelph.blogspot.com
laakkokimkim.blogspot.com
labbatoalphaj.blogspot.com
leichtmarjmarj.blogspot.com
leludis-matarangasdeyonna.blogspot.com
lescailletpetopeto.blogspot.com
letsongrover.blogspot.com
liermanramadan.blogspot.com
lindingrajkishan.blogspot.com
linsjerchell.blogspot.com
lorrilorrihosgor.blogspot.com
maglifitfit.blogspot.com
matsumarudeserae.blogspot.com
mcsteinniecey.blogspot.com
melitalynnelynne.blogspot.com
menezeswendywendy.blogspot.com
mimosepalazon.blogspot.com
mottmottzengel.blogspot.com
naysanmutton.blogspot.com
nicolenabershon.blogspot.com
nidonidobuetow.blogspot.com
ninaninalottin.blogspot.com
nonziodarasha.blogspot.com
pandushalmon.blogspot.com
pawelpawelpoti.blogspot.com
paytonbeegle.blogspot.com
phillipoeleaseleas.blogspot.com
philpottlurelle.blogspot.com
pipenhagennguyen.blogspot.com
plattsdatoria.blogspot.com
plomaritislaurylaury.blogspot.com
polmantameltamel.blogspot.com
polopoloangulo.blogspot.com
porrettifarmers.blogspot.com
radieradiecatalina.blogspot.com
raenellegreathouse.blogspot.com
ranaeranaerossy.blogspot.com
reidreidmiele-crifo.blogspot.com
rickyrickydonis.blogspot.com
roselinegilvin.blogspot.com
russobriarbriar.blogspot.com
salizaguayanilla.blogspot.com
samuelesedere.blogspot.com
sanchepascasie.blogspot.com
sangyoungpadalecki.blogspot.com
scarthscrewlie.blogspot.com
schaumburgirishirish.blogspot.com
schubringdheledhele.blogspot.com
scorahchreechree.blogspot.com
shakehcoletto.blogspot.com
shaqareqninette.blogspot.com
shaw-zorichemmanemman.blogspot.com
shortalgerongeron.blogspot.com
singhoffertymisha.blogspot.com
sinnathuraiperminas.blogspot.com
skjutarevikram.blogspot.com
spataforaannamay.blogspot.com
staats-meliaahronahron.blogspot.com
tagantagankissane.blogspot.com
tamietamiedemirkol.blogspot.com
tamillecavitt.blogspot.com
tommiekerstetter.blogspot.com
tosunsangbum.blogspot.com
treechadacoppage.blogspot.com
treziajoanjoan.blogspot.com
triadorlachauna.blogspot.com
tukellyaburrage.blogspot.com
tyrisaoverly.blogspot.com
ulrikaraithatha.blogspot.com
valericlarissa.blogspot.com
ventronejokerjoker.blogspot.com
victorinomeharmehar.blogspot.com
vikvikruaut.blogspot.com
vlrajanrajan.blogspot.com
wasonmarilynn.blogspot.com
wendewendeschyma.blogspot.com
whitwhitmontoure.blogspot.com
wynnhannan.blogspot.com
xochitlvillenurve.blogspot.com
yaoskalongthorne.blogspot.com
youyoustreit.blogspot.com
zickkirrakirra.blogspot.com



The Blogspot accounts redirect to the following compromised Koobface and scareware serving domains:
cartujo.org /private-clips/main.php?87bb8f2
cerclewalloncouillet.be /main.movie/main.php?28d
cseajudiciary.org /animateddvd/main.php?c8
de-nachtegaele.be /main/main.php?b04ebb
ediltermo.com /common.film/main.php?deccfd
forwardmarchministries.org /candid_movie/main.php?42d1
highway77truckservice.com /pretty-clip/main.php?7bb2
kcresale.com /crazyvids/main.php?2ee
libermann.phpnet.org /comicperformans/main.php?9b5a5a
lode-willems.be /cute_clip/main.php?be2
lunaairforlife.com /crucial-clips/main.php?d3d6ccfe
mainteck-fr.com /complete-movie/main.php?f6
nottinghamdowns.com /criminaltube/main.php?2388d
programs.ppbsa.org /crazy_video/main.php?0ea1969
richmondpowerboat.com /yourtv/main.php?89fb0
scheron.com /delightful_demonstration/main.php?e2f92
Training.ppbsa.org /comic_dvd/main.php?f9261f
vangecars.it /crazy-films/main.php?827da


Detection rates for Koobface samples and a sampled scareware:
- setup.exe - Trojan.Generic.KD.8890 - Result: 9/40 (22.50%) phones back to:
- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13
    - proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669
        - proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2%)
- koob.js - Trojan:JS/Redirector - Result: 1/41 (2.44%)


The scareware serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domains portfolio:
antispy-detectn1.com - Email: test@now.net.cn
antispy-detectn2.com - Email: test@now.net.cn
antispy-detectn3.com - Email: test@now.net.cn
antispy-detectn5.com - Email: test@now.net.cn
antispy-detectn7.com - Email: test@now.net.cn
antispy-detectz2.com - Email: test@now.net.cn
antispy-detectz4.com - Email: test@now.net.cn
antispy-detectz5.com - Email: test@now.net.cn
antispy-detectz7.com - Email: test@now.net.cn
antispy-detectz9.com - Email: test@now.net.cn
antispy-scan4i.com - Email: test@now.net.cn
antispy-scan5i.com - Email: test@now.net.cn
antispy-scan6i.com - Email: test@now.net.cn
antispy-scan7i.com - Email: test@now.net.cn
antispyscan85.com - Email: test@now.net.cn
antispyscan89.com - Email: test@now.net.cn
antispyscan91.com - Email: test@now.net.cn
antispyscan92.com - Email: test@now.net.cn
antispyscan93.com - Email: test@now.net.cn
antispy-scan9i.com - Email: test@now.net.cn
antispyware-no1.com - Email: test@now.net.cn
antispyware-no3.com - Email: test@now.net.cn

antivir1a.com.xorg.pl
antivirus-detect21.com - Email: test@now.net.cn
antivirus-detect23.com - Email: test@now.net.cn
antivirus-detect25.com - Email: test@now.net.cn
antivirus-detect27.com - Email: test@now.net.cn
antivirus-detect29.com - Email: test@now.net.cn
antivirus-detectz1.com - Email: test@now.net.cn
antivirus-detectz2.com - Email: test@now.net.cn
antivirus-detectz5.com - Email: test@now.net.cn
antivirus-detectz7.com - Email: test@now.net.cn
antivirus-detectz9.com - Email: test@now.net.cn
antivirus-lv1.com - Email: test@now.net.cn
antivirus-lv2.com - Email: test@now.net.cn
antivirus-lv3.com - Email: test@now.net.cn
antivirus-lv5.com - Email: test@now.net.cn
antivirus-lv8.com - Email: test@now.net.cn
antivirus-top1.com - Email: test@now.net.cn
antivirus-top2.com - Email: test@now.net.cn
antivirus-top6.com - Email: test@now.net.cn
antivirus-top8.com - Email: test@now.net.cn
be-secured.xorg.pl

bestantivirus1.com.xorg.pl
bestscanmalware.com.xorg.pl
best-security.xorg.pl
defender20.xorg.pl
fastantivirusscanner15.com.xorg.pl
fastmalwarescan15.com.xorg.pl
fast-scan.xorg.pl
fastweb-scanner.com.xorg.pl
get-protection.xorg.pl
my-computers.xorg.pl
protection100.xorg.pl
protection-center1.xorg.pl
protector10.xorg.pl
secure10.xorg.pl
security1.xorg.pl
security100.xorg.pl
spy-defender1.com
spydefender1.com.xorg.pl
spydefender11.com.xorg.pl

spy-defender1a.com - Email: test@now.net.cn
spy-defender2.com - Email: test@now.net.cn
spy-defender2a.com - Email: test@now.net.cn
spy-defender4a.com - Email: test@now.net.cn
spy-defender5.com - Email: test@now.net.cn
spy-defender6a.com - Email: test@now.net.cn
spy-defender8a.com - Email: test@now.net.cn
spy-defender9.com - Email: test@now.net.cn

spy-protection01.com - Email: test@now.net.cn
spy-protection1.com - Email: test@now.net.cn
spy-protection14.com - Email: test@now.net.cn
spy-protection17.com - Email: test@now.net.cn
spy-protection19.com - Email: test@now.net.cn
spy-protection3.com - Email: test@now.net.cn
spy-protection4.com - Email: test@now.net.cn
spy-protection6.com - Email: test@now.net.cn
spy-protection8.com - Email: test@now.net.cn
spy-scanner2i.com - Email: test@now.net.cn
spy-scanner6i.com - Email: test@now.net.cn
spy-scanner8i.com - Email: test@now.net.cn
spyware-sweep1.com - Email: test@now.net.cn
spyware-sweep1i.com - Email: test@now.net.cn
spyware-sweep2i.com - Email: test@now.net.cn
spyware-sweep3.com - Email: test@now.net.cn
spyware-sweep3i.com - Email: test@now.net.cn
spyware-sweep4i.com - Email: test@now.net.cn
spyware-sweep5.com - Email: test@now.net.cn
spyware-sweep7.com - Email: test@now.net.cn


spyware-sweep8.com - Email: test@now.net.cn
spyware-sweep9i.com - Email: test@now.net.cn
virus-sweeper0i.com - Email: test@now.net.cn
virus-sweeper1.com - Email: test@now.net.cn
virus-sweeper2.com - Email: test@now.net.cn
virus-sweeper2i.com - Email: test@now.net.cn
virus-sweeper3.com - Email: test@now.net.cn
virus-sweeper4i.com - Email: test@now.net.cn
virus-sweeper6.com - Email: test@now.net.cn
virus-sweeper7i.com - Email: test@now.net.cn
virus-sweeper8.com - Email: test@now.net.cn
virus-sweeper8i.com - Email: test@now.net.cn
win-antispyware10.com.xorg.pl
windefender1.xorg.pl
windows-secure.xorg.pl
win-security.xorg.pl
winwebscanner10.com.xorg.pl


Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145
spy-scanner20.com - Email: test@now.net.cn
spy-scanner30.com - Email: test@now.net.cn
spy-scanner3i.com - Email: test@now.net.cn
spy-scanner40.com - Email: test@now.net.cn
spy-scanner4i.com - Email: test@now.net.cn
spy-scanner60.com - Email: test@now.net.cn
spy-scanner80.com - Email: test@now.net.cn
virscanner-done4.com - Email: test@now.net.cn
virscanner-done5.com - Email: test@now.net.cn

- Detection rate for the scareware sample: Setup_312s2.exe - Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50%) phones back to windows-mode.com/?b=1s1 - 89.248.168.21, AS29073, ECATEL-AS , Ecatel Network - Email: contact@privacy-protect.cn


Parked on the phone-back IP are also the following domains:
firewall-rules2.com - Email: contact@privacy-protect.cn
version-upgrade.com - Email: contact@privacy-protect.cn
2accommodation.com - Email: ttvmail12@hotmail.com
systemreserves.com - Email: contact@privacy-protect.cn
cariport.com - Email: contact@privacy-protect.cn
spyblocktest.com - Email: contact@privacy-protect.cn
antispywarelist.com - Email: contact@privacy-protect.cn
checkwhitelist.com - Email: contact@privacy-protect.cn
chekmalwarelist.com - Email: contact@privacy-protect.cn

Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface botnet.

Related Koobface gang/botnet research:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is currently suspending them.

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
What's particularly interesting about the campaign, is that the gang is now start to publicly acknowledge its connections with xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.
With the campaign still ongoing it's time to dissect it, expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November, 2009. AS29073, ECATEL-AS Koobface gang connections:

Automatically registered Blogspot accounts used as bogus video links across Facebook:
aashikamorsing.blogspot.com
alpezajeromie.blogspot.com
andcoldjackey.blogspot.com
asiaasiabenzaidi.blogspot.com
atalaygraciani.blogspot.com
barsheshetshakirat.blogspot.com
battittastelzer.blogspot.com
beckermasico.blogspot.com
biedlerharjit.blogspot.com
britainudobot.blogspot.com
bruchnadirnadir.blogspot.com
bryonbryonhofhenke.blogspot.com
ceceliaverner.blogspot.com
centofantiaviran.blogspot.com
codeycodeymarcott.blogspot.com
cottinghamginnyginny.blogspot.com
courtenayharry.blogspot.com
dalton-daviesheinee.blogspot.com
dipietroaudrea.blogspot.com
ericssonbrigid.blogspot.com
ervinervinturnquest.blogspot.com
fashingbauerkylerkyler.blogspot.com
felicetanae.blogspot.com
friedamignogna.blogspot.com
friedlamiraslani.blogspot.com
garthgarthheal.blogspot.com
gavin-williamslielie.blogspot.com
ginnoviaharbottle.blogspot.com
grinolsisanna.blogspot.com
hamiltondesantis.blogspot.com
hananhananmoros-hanley.blogspot.com
heberheberdellinger.blogspot.com
iftikharkacykacy.blogspot.com
imtiazzimmer.blogspot.com
ireneirenejasmen.blogspot.com
jacojacowintermeyer.blogspot.com
jameishaleninger.blogspot.com
jhalaagustin.blogspot.com
johnathenmirani.blogspot.com
kassablynnelle.blogspot.com
kaycieazoni.blogspot.com
keeferjeneejenee.blogspot.com
keibakeibaclarembeaux.blogspot.com
kieroncrowdus.blogspot.com
kilcullenheadhead.blogspot.com
kreuzaavins.blogspot.com
labbatoalphaj.blogspot.com
lellpeyton.blogspot.com
marleenmckoi.blogspot.com
mccarlbargin.blogspot.com
mendizabalnayranayra.blogspot.com
mitranoshaghayegh.blogspot.com
momoneybeltz.blogspot.com
mushenkolirian.blogspot.com
navarretemcarthur.blogspot.com
nekolnekoltasler.blogspot.com
nightrasteyn.blogspot.com
nushnushcave.blogspot.com
ortiz-maynardyvreene.blogspot.com
padalinodarcydarcy.blogspot.com
pantslalala.blogspot.com
papsteinhatemwahsh.blogspot.com
pavanpavandekelver.blogspot.com
pencekleighan.blogspot.com
puzderdenzel.blogspot.com
rabiarabiacarruth.blogspot.com
raeferaefejhanmmat.blogspot.com
raheelolu.blogspot.com
ranaranakundu.blogspot.com
sabeenhunjan.blogspot.com
serroukhshymia.blogspot.com
sertimamislay.blogspot.com
shannonschronce.blogspot.com
sheridanpaltiel.blogspot.com
slomovitzvaughna.blogspot.com
soccicoitcoit.blogspot.com
stengel-bohneinaveinav.blogspot.com
suedeglenna.blogspot.com
sylvainbarnes-rivers.blogspot.com
tammeybutenko.blogspot.com
tartagliatrayvis.blogspot.com
tasunanette.blogspot.com
teddiedommasch.blogspot.com
temitopetodorova.blogspot.com
terranovataiwan.blogspot.com
torneyatsushi.blogspot.com
trovatohaiahaia.blogspot.com
tuncelintrieri.blogspot.com
vislayovadovad.blogspot.com
wellkensie.blogspot.com
yabsleyjessajessa.blogspot.com
zedzedmorelle.blogspot.com


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of the Koobface gang:
aaslehnekaya.blogspot.com
aimanaimanpaulis.blogspot.com
altonaltonbruyninckx.blogspot.com
annemiekenorford.blogspot.com
asghardch.blogspot.com
atencioishmael.blogspot.com
ativanichayaphongdionysios.blogspot.com
ayorindesavoia.blogspot.com
bagnoandreae.blogspot.com
bakalarczykmaipumaipu.blogspot.com
baribarithulin.blogspot.com
beavordawnedawne.blogspot.com
boninidivandivan.blogspot.com
cabooterfinne.blogspot.com
chakkarinlehnertz.blogspot.com
chavarriaarumugam.blogspot.com
coleirolenaylenay.blogspot.com
colkittmogens.blogspot.com
crummittgerhardt.blogspot.com
dahmeialeveque.blogspot.com
dalmolinparamparam.blogspot.com
danaedanaemadan.blogspot.com
danmakumaak.blogspot.com
dauntazusaazusa.blogspot.com
devrimmasaimasai.blogspot.com
dicksdeplancke.blogspot.com
dormiedyismael.blogspot.com
dremadremareany.blogspot.com
duffinflippen.blogspot.com
eliyahneubecker.blogspot.com
eloragiogio.blogspot.com
faubertmacarena.blogspot.com
friedlamiraslani.blogspot.com
gallianinijanija.blogspot.com
gandolphscootscoot.blogspot.com
garbsayrinayrin.blogspot.com
geerbergpovlpovl.blogspot.com
gennygennytjoeng.blogspot.com
gianiniomegalmegal.blogspot.com
griffithlampack-layton.blogspot.com
guerrettebrchibrchi.blogspot.com
guillemineauramyaramya.blogspot.com
gunheedomenick.blogspot.com
haisedymond.blogspot.com
halahalafales.blogspot.com
hamidoujacijaci.blogspot.com
hamminganoush.blogspot.com
honamisouliotis.blogspot.com
japeriagoding.blogspot.com
jaymeecleto.blogspot.com
jinghuamarmorale.blogspot.com
kadeemrebsamen.blogspot.com
karokaroliney.blogspot.com
kashmirahoeger.blogspot.com
kasidasaugust.blogspot.com
kattylaitia.blogspot.com
kaynatferetos.blogspot.com
kimberlikohlmann.blogspot.com
kissikshaney.blogspot.com
kjerstisatterwhite-landry.blogspot.com
korbessamessam.blogspot.com
kozubmarshand.blogspot.com
kruthjancijanci.blogspot.com
krystellecahoon.blogspot.com
kuroiwadelphdelph.blogspot.com
laakkokimkim.blogspot.com
labbatoalphaj.blogspot.com
leichtmarjmarj.blogspot.com
leludis-matarangasdeyonna.blogspot.com
lescailletpetopeto.blogspot.com
letsongrover.blogspot.com
liermanramadan.blogspot.com
lindingrajkishan.blogspot.com
linsjerchell.blogspot.com
lorrilorrihosgor.blogspot.com
maglifitfit.blogspot.com
matsumarudeserae.blogspot.com
mcsteinniecey.blogspot.com
melitalynnelynne.blogspot.com
menezeswendywendy.blogspot.com
mimosepalazon.blogspot.com
mottmottzengel.blogspot.com
naysanmutton.blogspot.com
nicolenabershon.blogspot.com
nidonidobuetow.blogspot.com
ninaninalottin.blogspot.com
nonziodarasha.blogspot.com
pandushalmon.blogspot.com
pawelpawelpoti.blogspot.com
paytonbeegle.blogspot.com
phillipoeleaseleas.blogspot.com
philpottlurelle.blogspot.com
pipenhagennguyen.blogspot.com
plattsdatoria.blogspot.com
plomaritislaurylaury.blogspot.com
polmantameltamel.blogspot.com
polopoloangulo.blogspot.com
porrettifarmers.blogspot.com
radieradiecatalina.blogspot.com
raenellegreathouse.blogspot.com
ranaeranaerossy.blogspot.com
reidreidmiele-crifo.blogspot.com
rickyrickydonis.blogspot.com
roselinegilvin.blogspot.com
russobriarbriar.blogspot.com
salizaguayanilla.blogspot.com
samuelesedere.blogspot.com
sanchepascasie.blogspot.com
sangyoungpadalecki.blogspot.com
scarthscrewlie.blogspot.com
schaumburgirishirish.blogspot.com
schubringdheledhele.blogspot.com
scorahchreechree.blogspot.com
shakehcoletto.blogspot.com
shaqareqninette.blogspot.com
shaw-zorichemmanemman.blogspot.com
shortalgerongeron.blogspot.com
singhoffertymisha.blogspot.com
sinnathuraiperminas.blogspot.com
skjutarevikram.blogspot.com
spataforaannamay.blogspot.com
staats-meliaahronahron.blogspot.com
tagantagankissane.blogspot.com
tamietamiedemirkol.blogspot.com
tamillecavitt.blogspot.com
tommiekerstetter.blogspot.com
tosunsangbum.blogspot.com
treechadacoppage.blogspot.com
treziajoanjoan.blogspot.com
triadorlachauna.blogspot.com
tukellyaburrage.blogspot.com
tyrisaoverly.blogspot.com
ulrikaraithatha.blogspot.com
valericlarissa.blogspot.com
ventronejokerjoker.blogspot.com
victorinomeharmehar.blogspot.com
vikvikruaut.blogspot.com
vlrajanrajan.blogspot.com
wasonmarilynn.blogspot.com
wendewendeschyma.blogspot.com
whitwhitmontoure.blogspot.com
wynnhannan.blogspot.com
xochitlvillenurve.blogspot.com
yaoskalongthorne.blogspot.com
youyoustreit.blogspot.com
zickkirrakirra.blogspot.com



The Blogspot accounts redirect to the following compromised Koobface and scareware serving domains:
cartujo.org /private-clips/main.php?87bb8f2
cerclewalloncouillet.be /main.movie/main.php?28d
cseajudiciary.org /animateddvd/main.php?c8
de-nachtegaele.be /main/main.php?b04ebb
ediltermo.com /common.film/main.php?deccfd
forwardmarchministries.org /candid_movie/main.php?42d1
highway77truckservice.com /pretty-clip/main.php?7bb2
kcresale.com /crazyvids/main.php?2ee
libermann.phpnet.org /comicperformans/main.php?9b5a5a
lode-willems.be /cute_clip/main.php?be2
lunaairforlife.com /crucial-clips/main.php?d3d6ccfe
mainteck-fr.com /complete-movie/main.php?f6
nottinghamdowns.com /criminaltube/main.php?2388d
programs.ppbsa.org /crazy_video/main.php?0ea1969
richmondpowerboat.com /yourtv/main.php?89fb0
scheron.com /delightful_demonstration/main.php?e2f92
Training.ppbsa.org /comic_dvd/main.php?f9261f
vangecars.it /crazy-films/main.php?827da


Detection rates for Koobface samples and a sampled scareware:
- setup.exe - Trojan.Generic.KD.8890 - Result: 9/40 (22.50%) phones back to:
- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13
    - proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669
        - proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2%)
- koob.js - Trojan:JS/Redirector - Result: 1/41 (2.44%)


The scareware serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domains portfolio:
antispy-detectn1.com - Email: test@now.net.cn
antispy-detectn2.com - Email: test@now.net.cn
antispy-detectn3.com - Email: test@now.net.cn
antispy-detectn5.com - Email: test@now.net.cn
antispy-detectn7.com - Email: test@now.net.cn
antispy-detectz2.com - Email: test@now.net.cn
antispy-detectz4.com - Email: test@now.net.cn
antispy-detectz5.com - Email: test@now.net.cn
antispy-detectz7.com - Email: test@now.net.cn
antispy-detectz9.com - Email: test@now.net.cn
antispy-scan4i.com - Email: test@now.net.cn
antispy-scan5i.com - Email: test@now.net.cn
antispy-scan6i.com - Email: test@now.net.cn
antispy-scan7i.com - Email: test@now.net.cn
antispyscan85.com - Email: test@now.net.cn
antispyscan89.com - Email: test@now.net.cn
antispyscan91.com - Email: test@now.net.cn
antispyscan92.com - Email: test@now.net.cn
antispyscan93.com - Email: test@now.net.cn
antispy-scan9i.com - Email: test@now.net.cn
antispyware-no1.com - Email: test@now.net.cn
antispyware-no3.com - Email: test@now.net.cn

antivir1a.com.xorg.pl
antivirus-detect21.com - Email: test@now.net.cn
antivirus-detect23.com - Email: test@now.net.cn
antivirus-detect25.com - Email: test@now.net.cn
antivirus-detect27.com - Email: test@now.net.cn
antivirus-detect29.com - Email: test@now.net.cn
antivirus-detectz1.com - Email: test@now.net.cn
antivirus-detectz2.com - Email: test@now.net.cn
antivirus-detectz5.com - Email: test@now.net.cn
antivirus-detectz7.com - Email: test@now.net.cn
antivirus-detectz9.com - Email: test@now.net.cn
antivirus-lv1.com - Email: test@now.net.cn
antivirus-lv2.com - Email: test@now.net.cn
antivirus-lv3.com - Email: test@now.net.cn
antivirus-lv5.com - Email: test@now.net.cn
antivirus-lv8.com - Email: test@now.net.cn
antivirus-top1.com - Email: test@now.net.cn
antivirus-top2.com - Email: test@now.net.cn
antivirus-top6.com - Email: test@now.net.cn
antivirus-top8.com - Email: test@now.net.cn
be-secured.xorg.pl

bestantivirus1.com.xorg.pl
bestscanmalware.com.xorg.pl
best-security.xorg.pl
defender20.xorg.pl
fastantivirusscanner15.com.xorg.pl
fastmalwarescan15.com.xorg.pl
fast-scan.xorg.pl
fastweb-scanner.com.xorg.pl
get-protection.xorg.pl
my-computers.xorg.pl
protection100.xorg.pl
protection-center1.xorg.pl
protector10.xorg.pl
secure10.xorg.pl
security1.xorg.pl
security100.xorg.pl
spy-defender1.com
spydefender1.com.xorg.pl
spydefender11.com.xorg.pl

spy-defender1a.com - Email: test@now.net.cn
spy-defender2.com - Email: test@now.net.cn
spy-defender2a.com - Email: test@now.net.cn
spy-defender4a.com - Email: test@now.net.cn
spy-defender5.com - Email: test@now.net.cn
spy-defender6a.com - Email: test@now.net.cn
spy-defender8a.com - Email: test@now.net.cn
spy-defender9.com - Email: test@now.net.cn

spy-protection01.com - Email: test@now.net.cn
spy-protection1.com - Email: test@now.net.cn
spy-protection14.com - Email: test@now.net.cn
spy-protection17.com - Email: test@now.net.cn
spy-protection19.com - Email: test@now.net.cn
spy-protection3.com - Email: test@now.net.cn
spy-protection4.com - Email: test@now.net.cn
spy-protection6.com - Email: test@now.net.cn
spy-protection8.com - Email: test@now.net.cn
spy-scanner2i.com - Email: test@now.net.cn
spy-scanner6i.com - Email: test@now.net.cn
spy-scanner8i.com - Email: test@now.net.cn
spyware-sweep1.com - Email: test@now.net.cn
spyware-sweep1i.com - Email: test@now.net.cn
spyware-sweep2i.com - Email: test@now.net.cn
spyware-sweep3.com - Email: test@now.net.cn
spyware-sweep3i.com - Email: test@now.net.cn
spyware-sweep4i.com - Email: test@now.net.cn
spyware-sweep5.com - Email: test@now.net.cn
spyware-sweep7.com - Email: test@now.net.cn


spyware-sweep8.com - Email: test@now.net.cn
spyware-sweep9i.com - Email: test@now.net.cn
virus-sweeper0i.com - Email: test@now.net.cn
virus-sweeper1.com - Email: test@now.net.cn
virus-sweeper2.com - Email: test@now.net.cn
virus-sweeper2i.com - Email: test@now.net.cn
virus-sweeper3.com - Email: test@now.net.cn
virus-sweeper4i.com - Email: test@now.net.cn
virus-sweeper6.com - Email: test@now.net.cn
virus-sweeper7i.com - Email: test@now.net.cn
virus-sweeper8.com - Email: test@now.net.cn
virus-sweeper8i.com - Email: test@now.net.cn
win-antispyware10.com.xorg.pl
windefender1.xorg.pl
windows-secure.xorg.pl
win-security.xorg.pl
winwebscanner10.com.xorg.pl


Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145
spy-scanner20.com - Email: test@now.net.cn
spy-scanner30.com - Email: test@now.net.cn
spy-scanner3i.com - Email: test@now.net.cn
spy-scanner40.com - Email: test@now.net.cn
spy-scanner4i.com - Email: test@now.net.cn
spy-scanner60.com - Email: test@now.net.cn
spy-scanner80.com - Email: test@now.net.cn
virscanner-done4.com - Email: test@now.net.cn
virscanner-done5.com - Email: test@now.net.cn

- Detection rate for the scareware sample: Setup_312s2.exe - Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50%) phones back to windows-mode.com/?b=1s1 - 89.248.168.21, AS29073, ECATEL-AS , Ecatel Network - Email: contact@privacy-protect.cn


Parked on the phone-back IP are also the following domains:
firewall-rules2.com - Email: contact@privacy-protect.cn
version-upgrade.com - Email: contact@privacy-protect.cn
2accommodation.com - Email: ttvmail12@hotmail.com
systemreserves.com - Email: contact@privacy-protect.cn
cariport.com - Email: contact@privacy-protect.cn
spyblocktest.com - Email: contact@privacy-protect.cn
antispywarelist.com - Email: contact@privacy-protect.cn
checkwhitelist.com - Email: contact@privacy-protect.cn
chekmalwarelist.com - Email: contact@privacy-protect.cn

Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface botnet.

Related Koobface gang/botnet research:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, April 20, 2010

The DNS Infrastructure of the Money Mule Recruitment Ecosystem

What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the the cybercriminals behind the campaigns repeatedly use to push new scams.

This post aims to expose the name servers involved, the associates ASs, using the research previously conducted on their recruitment campaigns, and their affiliations with multiple other cybercrime activities.

Moreover, it's main objective is the emphasize on the fact that - cybercrime should stop being treated as a country/region specific problem, instead it should be treated as an international problem, with each and every country having its own share of cybercrime activity.
  • "The whole is greater than the sum of its parts" - Aristotle
With money mule recruitment available as-a-service (Standardizing the Money Mule Recruitment Process) the post will only detail the activities of what's referred to as a "mule recruitment syndicate", in short, one of the most prolific syndicates with direct connections to numerous related cybercrime campaigns profiled over the past 6 months.

What makes an impression is the geographical distribution of the name servers. 11 of them are based in the Netherlands, another 11 are based in China, followed by 11 more based in the United States. Here's the list of the related ASs and their occurrences:
  • AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers
  • AS38356, TimeNet - China - 11 name servers
  • AS46664, VolumeDrive - United States - 11 name servers
  • AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers
  • AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers
  • AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers
  • AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name servers

Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice in the face of the Turkish,  ALATRON BLTD., which is seen in the majority of domain registrations.

The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:

ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet


ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet


ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.bizrestroom.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.bizrestroom.cc - 222.35.143.234 - AS38356, TimeNet



ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet


ns1.cnnandpizza.cc - 87.118.81.75 - Email: bears@fastermail.ru - AS31103, KEYWEB-AS Keyweb AG
ns2.cnnandpizza.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.cnnandpizza.cc - 222.35.143.236 - AS38356, TimeNet


ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive


ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet


ns1.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.partytimee.cn - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet


ns1.sandhouse.cc - 64.85.174.146 - Email: taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.sandhouse.cc - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.sandhouse.cc - 74.118.194.82 - AS46664, VolumeDrive


ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.translatasheep.net - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.translatasheep.net - 222.35.143.112 - AS38356, TimeNet


ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet


ns1.viewdreamer.com - 64.85.174.143 - free@freenetbox.ru - 64.85.160.0/20, AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive


ns1.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.volcanotime.com - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.volcanotime.com - 74.118.194.88 - AS46664, VolumeDrive


ns1.weathernot.net - 64.85.174.145 - Email: bowls@5mx.ru - AS30517, Great Lakes Comnet, Inc.
ns2.weathernot.net - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.weathernot.net - 74.118.194.89 - AS46664, VolumeDrive


ns1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.worldslava.cc - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.worldslava.cc - 74.118.194.84 - AS46664, VolumeDrive


ns1.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.jockscreamer.net - 74.118.194.83 - AS46664, VolumeDrive


ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.uleaveit.com - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.uleaveit.com - 74.118.194.85 - AS46664, VolumeDrive


ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System

ns1.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System


ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive

The business model if this syndicate can be easily compared to the business model of the much hyped Russian Business Network in the sense that, they are either managing the infrastructure for someone else as a service, are directly involved in the recruitment and utilization of money mules for their own purposes, or a basically building inventory of mules to offer as a service to a large number of cybercriminals.

The basic fact that these folks are not campaign-centered, but continue maintaining their ecosystem, puts them on the top of watch list for months to come.

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.