Tuesday, April 27, 2010

GoDaddy's Mass WordPress Blogs Compromise Serving Scareware


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update on the campaign's structure, the changed IPs, and the newly introduced scareware samples and phone-back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:

Related scareware domains part of the ongoing campaign are also parked on the following IPs:

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:


Parked on 93.174.92.225, AS29073, ECATEL-AS, Ecatel Network (ns2.safelinkhere.net) are also:



Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place at GoDaddy, according to WPSecurityLock.

Since the campaign's URLs are still active, and since historical OSINT lets us gain further insight into the known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used, cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk, was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com, is also another domain known to have been used in similar attacks in February 2010 - iss9w8s89xx.org.
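The "connect the dots" step above is done by hand throughout the post: domains are tied together by the IP they respond on and by the registrant email. The following is an added Python example (not part of the original post) that does the same pivot over records written in the post's own "domain - IP - Email:" notation; the record set is assembled here from values quoted in the post, and nothing beyond those values is assumed.

```python
import re
from collections import defaultdict

# Constructed record set, assembled from values quoted in the post, in the
# post's own "domain - IP - Email: address" notation (IP and email optional).
SAMPLE_RECORDS = """
cechirecom.com - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk
kdjkfjskdfjlskdjf.com - 61.4.82.212 - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk
update2.savecompnow.com - 91.207.192.25 - Email: gkook@checkjemail.nl
update1.savecompnow.com - 94.228.209.223 - Email: gkook@checkjemail.nl
iss9w8s89xx.org - Email: larisadolina@yahoo.com
www3.sdfhj40-td.xorg.pl - 95.169.186.25
"""

RECORD_RE = re.compile(
    r"^(?P<domain>[\w.-]+)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s+(?P<email>\S+))?$"
)


def parse_records(text):
    """Parse one record per line; unknown fields come back as None."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        records.append(m.groupdict())
    return records


def shared_pivots(records):
    """Every IP or email that more than one domain has in common.
    Keys look like 'ip:1.2.3.4' or 'email:user@host'; values are sorted domains."""
    groups = defaultdict(list)
    for r in records:
        if r["ip"]:
            groups["ip:" + r["ip"]].append(r["domain"])
        if r["email"]:
            groups["email:" + r["email"]].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def cluster_by_shared_infrastructure(records):
    """Group domains transitively: A shares an IP with B and B shares a
    registrant email with C, so A, B and C land in one cluster.
    Clusters are returned largest first, each sorted alphabetically."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in shared_pivots(records).values():
        head = find(domains[0])
        for d in domains[1:]:
            parent[find(d)] = head

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for pivot, domains in shared_pivots(recs).items():
        print(pivot, "->", ", ".join(domains))
    for cluster in cluster_by_shared_infrastructure(recs):
        print("cluster:", ", ".join(cluster))
```

Feeding the same parser with a larger passive-DNS or WHOIS export turns the post's manual pivoting into a repeatable check, with the singleton clusters pointing at domains that still need a second data point.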


Parked on 217.23.5.51 are related scareware domains that are part of the campaign:


Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although cechirecom.com/js.php is not currently responding, another currently active domain, registered to hilarykneber@yahoo.com, is parked on the same IP, 61.4.82.212.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19


Parked on 209.212.149.19:


Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solutions' case (Dissecting the WordPress Blogs Compromise at Network Solutions), the end user always has to be protected from himself through basic security auditing practices for default WordPress installations. Expecting the end user to self-audit is wishful thinking.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is currently suspending them.

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors, continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.
With the campaign still ongoing, it's time to dissect it, expose the scareware domain portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November 2009. AS29073, ECATEL-AS Koobface gang connections:

Automatically registered Blogspot accounts used as bogus video links across Facebook:


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of the Koobface gang:



The Blogspot accounts redirect to the following compromised Koobface and scareware serving domains:


Detection rates for Koobface samples and a sampled scareware:
- setup.exe - Trojan.Generic.KD.8890 - Result: 9/40 (22.50%) phones back to:
- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13
    - proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669
        - proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2%)
- koob.js - Trojan:JS/Redirector - Result: 1/41 (2.44%)


The scareware serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domains portfolio:

Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145

- Detection rate for the scareware sample: Setup_312s2.exe - Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50%) phones back to windows-mode.com/?b=1s1 - 89.248.168.21, AS29073, ECATEL-AS, Ecatel Network - Email: contact@privacy-protect.cn


Parked on the phone-back IP are also the following domains:

Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface botnet.

Related Koobface gang/botnet research:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign


Sunday, April 18, 2010

Dissecting the WordPress Blogs Compromise at Network Solutions

UPDATED: Network Solutions issued an update to the situation.

The folks at Sucuri Security have posted an update on the reemergence of mass site compromises at Network Solutions, following last week's WordPress attack.

What has changed since last week's campaign? Several new domains were introduced, including new phone-back locations, with the majority of the new domains once again parked on the same IP as last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.

The exploitation chain of the currently embedded domain is as follows:
- corpadsinc.com/grep /?spl=3&br=MSIE&vers=7.0&s=
        - corpadsinc.com /grep/soc.php
            - corpadsinc.com /grep/load.php?spl=ActiveX_pack
                - corpadsinc.com /grep/load.php?spl=pdf_2020
                    - corpadsinc.com /grep/load.php?spl=javal
                        - corpadsinc.com /grep/j2_079.jar
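The exploitation chain above, and the Koobface phone-back chain in the previous post (the /.85rfs/?action= and ?getexe= requests, the main.php?hex landing pages on compromised hosts, and the xorg.pl redirectors), have distinctive URL shapes. As an added example that is not part of the original post, the Python below turns those shapes into proxy-log detections; the log lines, client addresses and labels are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<epoch> <client> <method> <url> <status>", one request per
# line. The URLs reuse shapes quoted in the post; the clients and timestamps are made up.
SAMPLE_PROXY_LOG = """
1272400000.123 10.0.0.15 GET http://www3.workfree36-td.xorg.pl/?p=123 200
1272400001.456 10.0.0.15 GET http://cartujo.org/private-clips/main.php?87bb8f2 200
1272400002.789 10.0.0.22 GET http://proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13 200
1272400003.000 10.0.0.22 GET http://proelec-dpt.fr/.85rfs/?getexe=p.exe 200
1272400004.000 10.0.0.31 GET http://corpadsinc.com/grep/load.php?spl=pdf_2020 200
1272400005.000 10.0.0.31 GET http://www.example.com/index.php?p=3 200
1272400006.000 10.0.0.40 GET http://intranet.local/main.php?page=home 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Path+query rules, checked in order. Labels are my own; patterns come from the post.
RULES = [
    # Koobface C&C: ldgen/fbgen command fetches under the hidden .85rfs directory.
    ("koobface-c2", re.compile(r"/\.85rfs/\?action=(?:ldgen|fbgen)")),
    # Koobface binary retrieval from the same directory.
    ("koobface-payload-fetch", re.compile(r"/\.85rfs/\?getexe=")),
    # Bogus-video landing page on a compromised host: main.php with a bare hex query.
    ("koobface-landing", re.compile(r"/main\.php\?[0-9a-f]{2,8}$")),
    # The /grep/ exploit chain: entry redirector, soc.php, load.php?spl=..., j2_079.jar.
    ("exploit-kit-chain", re.compile(r"/grep/(?:\?spl=|soc\.php|load\.php\?spl=|j2_079\.jar)")),
]
# Any host under xorg.pl (redirectors and the internet-scanner.xorg.pl scareware page).
XORG_HOST = re.compile(r"(?:^|\.)xorg\.pl$")


def classify_url(url):
    """Return a campaign label for the URL, or None if nothing matches."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if XORG_HOST.search(host):
        return "xorg.pl-host"
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    for label, rx in RULES:
        if rx.search(path_q):
            return label
    return None


def scan_log(lines):
    """Yield (client, label, url) for every request that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line
        label = classify_url(m["url"])
        if label:
            hits.append((m["client"], label, m["url"]))
    return hits


def summarize(hits):
    """Per-client sequence of labels, so a c2 hit followed by a payload fetch
    stands out as the full chain rather than two isolated alerts."""
    per_client = defaultdict(list)
    for client, label, _url in hits:
        per_client[client].append(label)
    return dict(per_client)


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG.strip().splitlines())
    for client, labels in summarize(found).items():
        print(client, "->", " > ".join(labels))
```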

Detection rates for some of the obtained exploits:
- update.vbe - VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5%)
- j2_079.jar - Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5%)


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:

Upon successful exploitation from corpadsinc.com, the campaign drops load.exe - Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50%).

The sample load.exe also phones back to the following locations:
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9
- 188.124.16.96 /blackout_dem.exe

Detection rate for blackout_dem.exe - Trojan-Dropper - Result: 7/40 (17.5%); it phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.

Interestingly, the sample attempts to install a Firefox add-on in the following way:
- %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02 Detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX;
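An added Python example (not from the original post) for the responder's side of this: it walks a Firefox extensions directory and flags any extension whose directory name is the add-on ID quoted above or whose chrome/content files hash to the quoted MD5. The demo tree, the "{CONSTRUCTED-EXAMPLE-ID}" and "{BENIGN-EXAMPLE-ID}" extensions and their file contents are constructed; the real timer.xul is not included, so the hash path is exercised with a constructed file's own hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_BAD_EXT_ID = "{8CE11043-9A15-4207-A565-0C94C42D590D}"  # add-on ID from the post
KNOWN_BAD_MD5 = "963136adaa2b1c823f6c0e355800ce02"            # timer.xul MD5 from the post


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def default_roots():
    """Firefox extension directories as laid out in the path quoted in the post."""
    roots = []
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(var)
        if base:
            roots.append(Path(base) / "Mozilla Firefox" / "extensions")
    return roots


def audit_extensions_dir(ext_root, bad_ids=(KNOWN_BAD_EXT_ID,), bad_md5s=(KNOWN_BAD_MD5,)):
    """Return [(extension_dir_name, [reasons])] for every extension that matches
    a known-bad ID or ships a chrome/content file with a known-bad MD5."""
    findings = []
    root = Path(ext_root)
    if not root.is_dir():
        return findings
    ids = {i.upper() for i in bad_ids}
    hashes = {h.lower() for h in bad_md5s}
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        reasons = []
        if ext_dir.name.upper() in ids:
            reasons.append("known_id")
        content = ext_dir / "chrome" / "content"
        if content.is_dir():
            for f in sorted(content.rglob("*")):
                if f.is_file() and md5_of_file(f) in hashes:
                    reasons.append("known_hash:" + f.name)
        if reasons:
            findings.append((ext_dir.name, reasons))
    return findings


def demo():
    """Audit a constructed extensions tree: one directory carrying the post's
    add-on ID, one whose timer.xul hash is treated as known-bad, one benign."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        for ext_id in (KNOWN_BAD_EXT_ID, "{CONSTRUCTED-EXAMPLE-ID}", "{BENIGN-EXAMPLE-ID}"):
            content = root / ext_id / "chrome" / "content"
            content.mkdir(parents=True)
            # Distinct placeholder bytes per directory so only one hash is flagged.
            (content / "timer.xul").write_bytes(f"constructed placeholder for {ext_id}".encode())
        constructed_md5 = md5_of_file(root / "{CONSTRUCTED-EXAMPLE-ID}" / "chrome" / "content" / "timer.xul")
        return audit_extensions_dir(root, bad_md5s={KNOWN_BAD_MD5, constructed_md5})


if __name__ == "__main__":
    for root in default_roots():
        for name, reasons in audit_extensions_dir(root):
            print(root / name, "->", ", ".join(reasons))
    print(demo())
```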

It's also worth pointing out that the campaign's admin panel is pointing to a third-party -- cybercrime-friendly IP that's currently offline -- corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW.

The bottom line - although Network Solutions criticized the media last week for blaming this on Network Solutions or on WordPress itself, the company should realize that, for the sake of its reputation, it should always apply the "protect the end user from himself" mentality when offering any of its services.

