Tuesday, June 29, 2010

Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates

What is more flattering than Ukrainian blackhat SEO gangs using my name as a redirector, complete with offensive messages, the Koobface gang redirecting Facebook's IP space to this blog, or a plain simple danchodanchev admin panel within a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering the fact that my public money mule ecosystem related research represents a tiny percentage of the real profiling/activities taking place behind the curtains.
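A defender-side check for the HOSTS-file trick just described: this is an added example, not code from the original post, which parses a hosts file and flags real hostnames pinned to loopback (the silencing trick) or steered to another address. The hosts content is constructed; the .example names and documentation-range IPs are placeholders.

```python
"""Hosts-file audit for the loopback-redirect trick described above.

Added example (not from the original post). The constructed hosts content
uses reserved .example names and documentation IP ranges as placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Names that legitimately map to loopback on a stock Windows/Linux/macOS box.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "localhost6",
    "localhost6.localdomain6", "ip6-localhost", "ip6-loopback",
    "broadcasthost",
}

# RFC 1918 and link-local space: pointing a name here is usually a LAN
# convenience, so it is reported at lower severity than a public address.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


@dataclass
class Finding:
    lineno: int
    ip: str
    hostname: str
    verdict: str  # sinkholed | redirected | lan_override | malformed


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in a hosts file.

    Comments and blank lines are skipped; one line may carry several names.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield lineno, fields[0], name.lower().rstrip(".")


def classify(ip_str, hostname):
    """Verdict for one mapping, or None when it is an expected loopback alias."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    # A real site pinned to loopback or 0.0.0.0 silently becomes unreachable:
    # the trick the mule recruiters used against the research sites.
    if ip.is_loopback or ip.is_unspecified:
        return None if hostname in BENIGN_LOOPBACK_NAMES else "sinkholed"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan_override"
    # Anything else steers the victim's traffic for that name to another host
    # (this also catches "localhost" itself being pointed at a public IP).
    return "redirected"


def audit_hosts(text):
    """Return a Finding for every mapping that is not a benign loopback alias."""
    findings = []
    for lineno, ip_str, name in parse_hosts(text):
        verdict = classify(ip_str, name)
        if verdict is not None:
            findings.append(Finding(lineno, ip_str, name, verdict))
    return findings


# Constructed sample: stock entries plus the kind of lines a fake
# "transaction certificate" installer would append.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# appended by the bogus installer (constructed)
127.0.0.1   security-blog.example www.security-blog.example
127.0.0.1   fraud-watch.example
0.0.0.0     av-vendor.example
198.51.100.23   onlinebanking.example
# ordinary LAN convenience entry, low severity
192.168.1.20    intranet.corp.example
not-an-ip   broken.example
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno:>2}: {f.verdict:<12} {f.ip:<15} {f.hostname}")
```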








Related coverage of money laundering/recruitment in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, June 17, 2010

Sampling 419 Advance Fee Scams Activity

Lottery winning notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless. Their IPs, however, aren't, considering that the majority of 419 scams are not sent using botnets, but manually, and in a targeted fashion.

In fact, some of their spamming techniques (419 scammers using Dilbert.com; 419 scammers using NYTimes.com's 'email this' feature) are so primitive compared to the long-term financial impact of a successful advance fee scam that their KISS (Keep It Simple, Stupid) mentality reflects the current situation within the cybercrime ecosystem - they all KISS it to a certain extent - "Report: Malicious PDF files comprised 80 percent of all exploits for 2009"; "Reports: SQL injection attacks and malware led to most data breaches".

For the purpose of an experiment, and for related reasons, here's a raw snapshot of some 419-ers that kept popping up over and over again.

Persistent 419 advance fee scammers (over the last 7 days), the originating IPs, and the "reply to" email:

Nothing hurts a cybercriminal as much as decent historical OSINT on their activities. Moreover, this historical OSINT not only contributes to more efficient case building, but also helps establish some pretty interesting connections within the cybercrime ecosystem. As practice and experience have shown, this very same ecosystem is not necessarily as big as originally assumed.

Consider going through the related fraudulent schemes/malicious campaigns currently taking advantage of FIFA's World Cup - Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns.


Wednesday, June 16, 2010

Dissecting the Exploits/Scareware Serving Twitter Spam Campaign


Yesterday's exploits-serving campaign spreading across Twitter, using automatically registered accounts "pinging" random Twitter users with links to the campaign, is worth profiling due to its degree of maliciousness - if the end user is exploitable, exploits are served, ultimately leading to scareware; if not, the cybercriminals behind it attempt to monetize through the same network used by the Koobface gang on Mac OS X hosts - zml.com.

Let's dissect the campaign, and once again emphasize just how small the cybercrime ecosystem can be, given that enough historical data is gathered on who's who, who's what, and what's when.

Sample exploitation structure:
- qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF - 94.228.209.73 (AS47869), 75.125.222.242 (AS21844)
    - qtoday.info /ttds/jump.php
        - fqsmydkvsffz.com /tre/vena.html/RANDOM - 69.174.242.21 (AS13768); 75.125.222.242 (AS21844)


The scareware installed interacts with AS18866:
69.50.197.241 /up/e1.dat
69.50.197.241 /up/e2.dat
69.50.197.241 /data/upd6.dat
69.50.197.241 /data/upd7.dat
69.50.197.241 /data/upd1.dat
69.50.197.241 /data/upd2.dat


Responding to 69.50.197.241 (AS18866) are:
radarixo.com - Email: moldavimo@safe-mail.net - profiled here
cyberduck.ru - Email: samm_87@email.com - profiled here
livejasment.com - Email: moldavimo@safe-mail.net
linksandz.com - Email: moldavimo@safe-mail.net - profiled here

Detection rates:
- e1.dat - 11 on 17 (65%) - Trojan.MulDrop1.21645; Win32/Lukicsel.P
MD5 hash: 2566c11a9cd2226b59d226e76bae9f64
SHA1 hash: 6a1fd405f547ed33f7cfe3abad4f423a33c0e281

- e2.dat - 8 on 17 (47%) - W32/Witkinat.A.gen!Eldorado; Win32/Witkinat.R
MD5 hash: 8daaa96ba059e6b1d5108c314f160175
SHA1 hash: b43d26bb2583d9057cb343c10d5db79c846ed895

- upd1.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 7b2534536cdf168f50d63845b13af8ba
SHA1 hash: 306f5199c3f91cd28c634914a6478bcbc5c4e9c0

- upd2.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 323a1a2429467b3891cc20a26b82f851
SHA1 hash: ae3fe6b442521d95631703ab530213e897e4f8ea

- upd6.dat - 9 on 17 (53%) - Win32/Lukicsel.P; Trojan-Dropper.Win32.Delf.frm
MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a
SHA1 hash: 366db3c2cd64a57587376b416c42960ad1f28ea3

- upd7.dat - 11 on 17 (65%) - SHeur3.AAEI; Trojan-Dropper.Win32.Delf.frq
MD5 hash: 1a582b50d82fb57bec036e1962e5da2e
SHA1 hash: 15a9540927f64dec23e625e140dfde7ce3d23df7


The rest of the exploits-serving domains portfolio parked at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):


3m70.cn - Email: abuseemaildhcp@gmail.com - money mule registrations, rubbing shoulders with Koobface


The complete list of automatically registered bogus Twitter accounts, now suspended:


PDF exploits, binaries streaming from the domain portfolio at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):

This isn't the first time Twitter has been abused for malicious purposes, and it definitely won't be the last. Quick community response and takedown actions hit them where it hurts most - the monetization vector.

Related assessments of Twitter malware campaigns:
Twitter Malware Campaign Wants to Bank With You
Dissecting Koobface Worm's Twitter Campaign
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
Dissecting September's Twitter Scareware Campaign


Tuesday, June 15, 2010

Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560


A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain's IP also responding to ZeuS C&Cs; an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign"; and a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook campaign itself.

What else is missing? The details of course.

DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27%)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

Creates 1.exe; 2.exe and the self-destructing 3.exe. Detection rates:
- 1.exe - Result: 0/41 (0.00%)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39%)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

3.exe phones back to the following domain, which also responds to the original campaign's IP, 77.78.239.4:
spmfb3309.com /ab/setup.php?act=filters&id=BWKJD0NWLt3pn2Vh6YIhhBe3&ver=2

inetnum:        77.78.239.0 - 77.78.240.255
netname:        MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr:          Maximus hosting services
country:        MD
admin-c:        JB1004
tech-c:         JB1004
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20100528
source:         RIPE

person:         Jerkovic Bosko
address:        Josipa Vancasa 10
address:        71000 Sarajevo
address:        Bosnia and Herzegovina
phone:          +387 33 221093
e-mail:         bosko@globalnet.ba
nic-hdl:        JB1004
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20070309
source:         RIPE


Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains:
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAl@yahoo.com
spmfb2299.com - Email: laycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within AS42560, responding to 77.78.239.56 are also the following domains, part of the campaign:




Sample mass injection URLs:


Detection rate:
- urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5
SHA1: 66d6edef711516201f20fce676175ad16777e162

Sample exploitation structure from the mass SQL injection campaign:
- google-server31.info /urchin.js
        - Scanner-Album.com/?affid=382&subid=landing - 91.212.127.19, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com
            - websitecoolgo.com/cgi-bin /158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com
                - websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659
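The injected urchin.js tags above borrow the file name of Google's own analytics loader and a Google-sounding host so that they blend into page source. The following is an added example, not code from the original post: it scans stored text values (database columns or page bodies) for third-party script tags of that shape and counts how many rows carry the same one, the tell of an automated mass injection. Hosts in the sample rows are constructed .example placeholders, not the campaign's domains.

```python
"""Spot injected third-party <script> tags of the kind a mass SQL injection
leaves behind: a Google-sounding host serving a file named like Google's
analytics loader (urchin.js).

Added example, not code from the original post. Hosts below are constructed
.example placeholders, not the campaign's domains.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

# Where Google's analytics loaders legitimately come from.
ANALYTICS_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
ANALYTICS_LOADERS = {"urchin.js", "ga.js"}
# Registrable domains allowed to carry "google" in their name (heuristic
# allowlist; extend for your environment).
GOOGLE_DOMAINS = {"google.com", "google-analytics.com", "googleapis.com",
                  "googletagmanager.com", "googlesyndication.com", "gstatic.com"}


def classify_src(src):
    """Verdict for one script src, or None for same-origin/benign references."""
    if src.startswith("//"):
        src = "http:" + src           # protocol-relative is still third-party
    elif "://" not in src:
        return None                   # relative path: same-origin, out of scope
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in ANALYTICS_LOADERS and host not in ANALYTICS_HOSTS:
        # Google's loader name on a non-Google host: the injected tag's disguise.
        return "impostor_analytics_loader"
    base = ".".join(host.split(".")[-2:])
    if "google" in host and base not in GOOGLE_DOMAINS:
        return "google_lookalike_host"
    return None


def scan_rows(rows):
    """Check every stored text value for suspicious external scripts.

    Returns (row_index, src, verdict) triples.
    """
    findings = []
    for i, text in enumerate(rows):
        for src in SCRIPT_SRC.findall(text):
            verdict = classify_src(src)
            if verdict:
                findings.append((i, src, verdict))
    return findings


def recurring_sources(rows):
    """Rows per flagged src: one tag repeated across many rows is the signature
    of an automated mass injection rather than a one-off defacement."""
    return Counter(src for _, src, _ in scan_rows(rows))


# Constructed sample rows, as they might sit in a product table after the
# injection appended its tag to every text column (note the stray </title>,
# a common artefact of blind appends into fields rendered in the page head).
SAMPLE_ROWS = [
    "Blue widget, 2 pack</title><script src=http://google-server09.example/urchin.js></script>",
    "Red widget</title><script src=http://google-server09.example/urchin.js></script>",
    '<p>Contact us</p><script src="https://www.google-analytics.com/urchin.js"></script>',
    '<script src="//jhxfgxhlfkjh.example/urchin.js"></script>',
    "Plain description with no markup",
    '<script src="/static/app.js"></script>',
]

if __name__ == "__main__":
    for row, src, verdict in scan_rows(SAMPLE_ROWS):
        print(f"row {row}: {verdict}: {src}")
    print(recurring_sources(SAMPLE_ROWS).most_common())
```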


Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS:


Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains, participating in different campaigns:


The rise of custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com a.k.a. Complife, Ltd is conveniently responsible for AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com, responsible for AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, and also seen in the following campaigns: Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).


Tuesday, June 08, 2010

Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign

Researchers from eSoft are reporting on 135,000 fake YouTube pages currently serving scareware, while using multiple monetization/traffic optimization tactics for the hijacked traffic.

Based on the campaign's structure, it's pretty clear that the template-ization of malware serving sites (Part Two) is not dead. Let's dissect the campaign, its structure, the monetization/traffic optimization tactics used, list all the domains+URLs involved, and establish multiple connections (in the face of AS6851, BKCNET "SIA" IZZI) to recent malware campaigns -- cybercriminals are often customers of the same cybercrime-friendly provider.


The campaign relies on a typical mix of compromised and purely malicious sites, but uses not just an identical template, but an identical campaign structure, which remains pretty static for the time being. Upon visiting one of the sites and meeting the referrer requirement -- Google works fine -- the hardcoded preload.php loads, always pointing to the same IP with a randomly generated code that changes over time - 91.188.60.126/?q=jzhaf - AS6851, BKCNET "SIA" IZZI

-------------------
inetnum:        91.188.60.0 - 91.188.60.255
netname:        ATECH-SAGADE
descr:          Sagade Ltd.
descr:          Latvia, Rezekne, Darzu 21
descr:          +371 20034981
remarks:        abuse-mailbox: piotrek89@gmail.com
country:        LV
admin-c:        TMCD111-RIPE
tech-c:         TMCD111-RIPE
status:         ASSIGNED PA
mnt-by:         AS6851-MNT
changed:        taner@bkc.lv 20100423
source:         RIPE

role:           TMCD Admin Contacts
address:        Ieriku 67a, Riga, LV-1084
org:            ORG-TMDA1-RIPE
e-mail:         bkc@bkc.lv
admin-c:        AS1606-RIPE
admin-c:        TP422-RIPE
tech-c:         RF2443-RIPE
tech-c:         IR106-RIPE
nic-hdl:        TMCD111-RIPE
changed:        taner@bkc.lv 20081023
source:         RIPE
-------------------


Moreover, a second traffic optimization strategy takes place by loading two different subdomains from byethost4.com, where another redirection occurs, this time loading the bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com

Sample campaign structure:
- compromised_site.com
    - compromised_site.com/preload.php
        - 91.188.60.126/?q=jzhaf
        - popal.byethost4.com/mlk.php?sub=2&r=google.com
        - trash.byethost14.com/tick.php?sub=1&r=google.com
            - cnbutterfly.com/contact.php?uid=2034 - 74.81.93.227
            - simulshop.com/contact.php?uid=2034 - 88.198.177.74
                - www3.smartbestav10.co.cc - 74.118.194.78


Domains involved in the campaign:


Detection for the scareware, and the manual install binary:
- install.exe - Trojan.FakeAlert.CCS; FraudTool.Win32.SecurityTool (v) - Result: 16/40 (40%) - MD5: 3562be54671a1326eeef8bcfc85bd2a0
- packupdate107_2034.exe - Packed.Win32.Krap.an; TrojWare.Win32.Trojan.Fakealert.4193280 - Result: 10/41 (24.4%) - MD5: 991bba541e1872191ec5eb88c7de1f30

Upon execution the sample phones back to:
update2.protect-helper.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.free-guard.com - 95.169.186.25 - Email: gkook@checkjemail.nl

- install.48728.exe - Trojan.FakeAV; TrojanDownloader:Win32/Renos.KX - Result: 26/41 (63.42%) - MD5: 15281c3f3fac1ccdaf43e2b26d32a887

Upon execution the sample phones back to:
movieartsworld.com - 216.240.146.119 - Email: elaynecroft@ymail.com
firstnationarts.com - 66.96.219.38 (redskeltonarts.com, southard_cheryl@yahoo.com) - Email: harold_ward@ymail.com
sportfishingarts.com - 66.199.229.230 (greenbeearts.com, heiserdenise@ymail.com) - Email: rodericknovak@rocketmail.com
bestgreatarts.com - 64.191.44.73 (freesurrealarts.com, ghuertas@rocketmail.com) - Email: jeffreyespey@ymail.com
spacevisionarts.com - 69.10.35.253 (picturegraffitoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com
smallspacearts.com - 64.20.35.3 (dvdvideoarts.com, ganthony46@rocketmail.com) - Email: mosleyjason@rocketmail.com

Based on cross-checking across different data sets, 91.188.60.126 - AS6851, BKCNET "SIA" IZZI is also known to have been used by at least 4 other members of the affiliate network. Naturally, their "signature" can be seen across multiple ASs as well.
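The cross-checking described here, and the same point made in the 419 and Twitter posts above (shared IPs, registrant e-mails and AS/abuse contacts tying seemingly separate campaigns together), can be automated with a simple pivot over the indicators. This is an added example, not code from the original posts, and every record in it is a constructed placeholder; it keeps the page's own caveat that a shared AS or abuse mailbox shows a shared provider, not necessarily a shared operator.

```python
"""Indicator pivoting: cluster domains by shared registrant e-mail, hosting IP,
AS and abuse contact, the way the posts above do by hand.

Added example, not part of the original posts. The records are constructed
placeholders (reserved .example names, documentation IP ranges, private-use
AS numbers), not the indicators from the blog.
"""
from collections import defaultdict

# Attributes that point at the same operator: a registrant e-mail or a
# dedicated server is reused by one crew far more often than by strangers.
ACTOR_FIELDS = ("email", "ip")
# Attributes that only say "same provider": a shared AS or abuse mailbox means
# both parties are customers of the same host, not that they are one group.
PROVIDER_FIELDS = ("asn", "abuse")

FIELDS = ("domain", "ip", "asn", "email", "abuse")
RAW = [  # constructed sample observations
    ("photo-album.example",  "198.51.100.4",  "AS64501", "reg-a@example.net", "abuse-x@example.org"),
    ("news-static.example",  "198.51.100.4",  "AS64501", "reg-b@example.net", "abuse-x@example.org"),
    ("scan-album.example",   "203.0.113.9",   "AS64502", "reg-c@example.net", "abuse-y@example.org"),
    ("memory-scan.example",  "203.0.113.9",   "AS64502", "reg-c@example.net", "abuse-y@example.org"),
    ("fake-youtube.example", "198.51.100.77", "AS64501", "reg-d@example.net", "abuse-x@example.org"),
    ("unrelated.example",    "192.0.2.50",    "AS64503", "reg-e@example.net", "abuse-z@example.org"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster(records, link_fields):
    """Group domains that share a value in any of link_fields (transitively).

    Returns groups sorted largest first, each group sorted by domain.
    """
    ds = DisjointSet()
    first_seen = {}  # (field, value) -> first domain carrying it
    for r in records:
        ds.find(r["domain"])
        for field in link_fields:
            key = (field, r[field].lower())
            if key in first_seen:
                ds.union(r["domain"], first_seen[key])
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(set)
    for r in records:
        groups[ds.find(r["domain"])].add(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_pivots(records, domains, fields):
    """The (field, value) pairs shared by at least two domains in a group:
    the group's 'signature' for follow-up across other data sets."""
    holders = defaultdict(set)
    for r in records:
        if r["domain"] in domains:
            for field in fields:
                holders[(field, r[field].lower())].add(r["domain"])
    return sorted(k for k, v in holders.items() if len(v) >= 2)


if __name__ == "__main__":
    for label, fields in (("same-actor candidates", ACTOR_FIELDS),
                          ("same-provider groups", ACTOR_FIELDS + PROVIDER_FIELDS)):
        print(label)
        for group in cluster(RECORDS, fields):
            print("  ", group, shared_pivots(RECORDS, set(group), fields))
```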

The same scareware affiliate program is seen on the following IPs, using a different set of affiliate partners:
194.8.250.154/news.php?land=20&affid=12400 - AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
194.8.250.155./news.php?land=20&affid=12400
194.8.250.157/news.php?land=20&affid=42500
194.8.250.158./news.php?land=20&affid=42500

91.188.60.118/news.php?land=20&affid=50900 - AS6851, Sagade Ltd.; Emails: piotrek89@gmail.com;
91.188.60.124/news.php?land=20&affid=12800
91.188.60.126/news.php?land=20&affid=15600
91.188.60.146/news.php?land=20&affid=20102
91.188.60.147/news.php?land=20&affid=20102

91.213.157.165/news.php?land=20&affid=50900 - AS13618, PE "Sattelecom"; Emails: tt@sattelecom.biz
77.78.239.71/news.php?land=20&affid=12400 - AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com; bosko@globalnet.ba
77.78.239.76/news.php?land=20&affid=12400
77.78.239.77/news.php?land=20&affid=15603


As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns. Find below an excerpt from a previous post, emphasizing the Koobface gang connection, in the sense that both are customers of the same cybercrime-friendly ISP.
What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php


For the time being, the following domains, IPs are all active within AS6851, BKCNET "SIA" IZZI:


Name servers of notice:
ns1.iil10oil0.com - 91.188.59.70
ns2.iil10oil0.com - 91.188.59.71


Domains using their services:
allforil1i.com - Email: lordjok@gmail.com
allforyouplus.net - Email: leshapopovi@gmail.com
alltubeforfree.com - Email: lordjok@gmail.com
allxtubevids.net - Email: lordjok@gmail.com
downloadfreenow.in - Email: lordjok@gmail.com
enteri1llisec.in - Email: leshapopovi@gmail.com
freeanalsextubemovies.com - Email: lordjok@gmail.com
freetube06.com - Email: lordjok@gmail.com
freeviewgogo.com - Email: leshapopovi@gmail.com
homeamateurclips.com - Email: lordjok@gmail.com
hotfilesfordownload.com
hotxtube.in - Email: lordjok@gmail.com
porntube2000.com - Email: welolseeees@gmail.com
porntubefast.com - Email: welolseeees@gmail.com
porn-tube-video.com - Email: welolseeees@gmail.com
skachivay.com
visiocarii1l.net - Email: leshapopovi@gmail.com
xhuilil1ii.com - Email: lordjok@gmail.com
yourbestway.cn - Email: haucheng@yahoo.com
youvideoxxx.com - Email: jonnytrade@gmail.com

Takedown actions are in place; meanwhile, consider going through the "Ultimate Guide to Scareware Protection".


Thursday, June 03, 2010

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two

UPDATED: Sunday, June 06, 2010.
The new redirections currently take place through www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c (93.190.141.40) and www1.avscaner-40pr.co.cc (217.23.5.52).

Parked on 93.190.141.40, AS49981, WorldStream are also:
www3.justsoft12-td.co.cc
www3.donrart55-td.co.cc
www3.donrart57-td.co.cc
www3.donrart59-td.co.cc
www4.swintermz.cz.cc
www3.goldvox-50td.xorg.pl
www3.goldvox-60td.xorg.pl
www3.goldvox-52td.xorg.pl
www3.goldvox-54td.xorg.pl
www3.goldvox-64td.xorg.pl
www3.goldvox-56td.xorg.pl
www3.goldvox-58td.xorg.pl
www1.check-saveyour-pc-now.in
www1.in-safe-keepmyzone.in
www1.makesafe-scan-forsure.com


Detection rate:
- packupdate107_213.exe - Trojan.Fakealert.origin; Mal/FakeAV-BW - Result: 12/41 (29.27%)


Upon execution, the sample phones back to:
update1.free-guard.com - 95.169.186.25; 188.124.5.64 - Email: gkook@checkjemail.nl
update2.protect-helper.com - 78.159.108.170 - Email: gkook@checkjemail.nl
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl
secure1.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl
www5.securitymasterav.com - 91.207.192.25 - Email: gkook@checkjemail.nl
update2.free-guard.net - Email: gkook@checkjemail.nl
report.land-protection.com - 188.124.7.156 - Email: gkook@checkjemail.nl
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl
report.zoneguardland.com - 93.186.124.91 - Email: gkook@checkjemail.nl
report1.stat-mx.xorg.pl - 109.196.132.41 - Email: gkook@checkjemail.nl
74.125.45.100
74.82.216.3


Parked on 95.169.186.25 (AS31103, KEYWEB-AS); 188.124.5.64 (AS44565, VITAL TEKNOLOJI) are also:
www3.justsoft11-td.co.cc
www3.justsoft12-td.co.cc
www4.swintermz.cz.cc
www4.trustzone17-td.xorg.pl
www3.coantys-41td.xorg.pl
www3.coantys-42td.xorg.pl
www3.coantys-46td.xorg.pl
www4.miymiy3.com
update1.free-guard.com
useguard.com
update1.useguard.com
www2.avcleaner30-pd.co.cc
www1.favoritav30-pd.co.cc
www2.avcleaner32-pd.co.cc
www2.avcleaner34-pd.co.cc
www1.favoritav34-pd.co.cc
www2.avcleaner36-pd.co.cc
www1.favoritav36-pd.co.cc
www3.avprotector54-td.xorg.pl
www3.avprotector56-td.xorg.pl
update1.free-guard.com
update1.winsystemupdates.com


Remember the massive blackhat SEO campaign using U.S Federal Forms themed keywords, which was extensively profiled in August, 2009?
The cybercriminals behind it never really stopped feeding new domains, including compromised ones, naturally diversifying the set of topics in order to serve scareware. Now that enough data has been gathered, naturally exposing connections within the cybercrime ecosystem which would be communicated using the "perfect timing, perfect channel" philosophy, it's time to dissect the campaign, expose the entire portfolio of domains involved, and, of course, take it down.


What's particularly interesting about this gang is their clear understanding of QA (quality assurance) for the sake of increased OPSEC (operational security). Just like in the previous campaigns, each individual domain involved is registered using a separate email address, in the majority of cases an automatically generated one. Separate registrant emails defeat the simplest WHOIS pivot, but the shared hosting and the recognizable shape of the generated addresses still tie the domains together. With or without the QA, there's no escaping the monetization vector, which in this case, like many others, is scareware.

Domains used in the blackhat SEO campaign (none of these are currently flagged as harmful):
1ip5p8h.co.cc - Email: mijkzh@gmail.com
1us51n.co.cc - Email: mqxd2r2@gmail.com
aifmydpuhv.co.cc - Email: kent.attonis9140@yahoo.com
amquijycpntb.co.cc - Email: volf.aittala1388@yahoo.com
aqejhilmvb.co.cc - Email: amandeep.terrisse8102@yahoo.com
arnepqjya.co.cc - Email: vkpnzxn@gmail.com
bekqjcra.co.cc - Email: yaala.benardos7911@yahoo.com
benyd.co.cc - Email: lexyb610@gmail.com
bestdesision.co.cc - Email: an9020@bk.ru
bipilyqomyusvuhy.co.cc - Email: eeclllw3xqu19tr9wb@gmail.com
bjalumericz.co.cc - Email: diamond.aittala4367@yahoo.com
chammaope.co.cc - Email: wefergss@ukr.net
coebfjqmkhsn.co.cc - Email: kent.attonis9140@yahoo.com
comp-s.co.cc - Email: stas14423321@mail.ru
eynuqacjrtiz.co.cc - Email: ketina.tomsic2552@yahoo.com
getmoney4me.co.cc - Email: finalizer12@mail.ru
goumucnypuxuhyikzi.co.cc - Email: ekx7roq8p5hrd61tah@gmail.com
hiokirygohxinugohu.co.cc - Email: q88zh7dwshibteg05l@gmail.com
hryjhuklo.co.cc - Email: fgyuhedgdrfghhio@ymail.com
ibdumycp.co.cc - Email: madelyn.ajai1243@yahoo.com
ifohviwihuuxitqoil.co.cc - Email: bsowez9usp1u8cjyxp@gmail.com
ifyfgybyuxisoffu.co.cc - Email: 5nrg2bgm2og0cloxpf@gmail.com
ihquyrvutyridyuwyj.co.cc - Email: wh1p9c5f0jwlvn5jlq@gmail.com
ijojinhuxifykygysu.co.cc - Email: lq7s26llpq2sxbcyd9@gmail.com
imdjrsfybnav.co.cc - Email: sarig.ajaye7737@yahoo.com
incom-sale.co.cc - Email: wisha700_5@yahoo.com
inoltoumydonulijuk.co.cc - Email: e6pgu8mamts6fco5ik@gmail.com
iroqimcuohubizgooh.co.cc - Email: sku0cthz7ttgzwaqzw@gmail.com
iwanti.co.cc - Email: justtobebeauty@gmail.com
iyqvogx.co.cc - Email: do.co.lo.k.oh.o.ngo.v.o@gmail.com
jepabhto.co.cc - Email: festas.mcilsey1646@yahoo.com
kiaxmh4.co.cc - Email: kiaxmh@kiaxmh.com
kiboinikixuvquliro.co.cc - Email: 5k2j7bnpxzgkoyibb0@gmail.com
krghiqyiht.co.cc - Email: ouhegtlx@yahoo.com
kyogpylymypusulojo.co.cc - Email: rrykuqs44ilgf2xd6q@gmail.com
ltcsi0.co.cc - Email: v9xodcm@gmail.com
omsuimuhysjoujiqip.co.cc - Email: nattyxbfpvcaivauf6@gmail.com
opimuzxiyrxigoiwur.co.cc - Email: ebiy9hwt817zs5m0wa@gmail.com
ostozuorypofitjuti.co.cc - Email: 2rdo8uwh14y5mqckkh@gmail.com
pqusrzycd.co.cc - Email: adalricus.aijala4749@yahoo.com
ptvibnrjeayh.co.cc - Email: miliani.mccomrick3922@yahoo.com
pubaxj.co.cc - Email: runuk8976@gmail.com
pucrsnihoqy.co.cc - Email: dalila.babusek8958@yahoo.com
qbhomskuine.co.cc - Email: keona.canose6839@yahoo.com
qcumoyh.co.cc - Email: bethiah.mcglasky5891@yahoo.com
qyczejdlita.co.cc - Email: abegail.woitkoski3075@yahoo.com
ridcamybv.co.cc - Email: laurentius.diamandoglou5401@yahoo.com
rithubmolnda.co.cc - Email: adalynn.aiololo3070@yahoo.com
riyvroiqfoydcilifo.co.cc - Email: irjghmpq7w9t0ah6rz@gmail.com
rnoqzydjuia.co.cc - Email: ieuan.calcutt9416@yahoo.com
rpdkjuaft.co.cc - Email: worley.biernacka1945@yahoo.com
rybidlzck.co.cc - Email: ander.airwyk9339@yahoo.com
ryliydulivuvdojo.co.cc - Email: b5657927wcdn48k3u2@gmail.com
rywutydymoxyodygyt.co.cc - Email: e8fzpd2yzy4w8hf7t4@gmail.com
sdemfjotuc.co.cc - Email: annemarie.bichan3685@yahoo.com
search-portal.co.cc - Email: akhmadarroyan@gmail.com
siycugufryyrkoylky.co.cc - Email: v5o71m4qiy5is0zcs3@gmail.com
sounluolvuoxyqixky.co.cc - Email: ay2643zdi8kywwu444@gmail.com
sprqucoatz.co.cc - Email: vindhya.perilean5722@yahoo.com
ucywmuziboytylwi.co.cc - Email: m45267tiipj7xk9n71@gmail.com
unotufukujygugusto.co.cc - Email: qe2m9s1abdvw02g1p3@gmail.com
upykhogupiybuwojyz.co.cc - Email: 7ea7iulbkzmfp0grso@gmail.com
usbokuycryocyjykqi.co.cc - Email: 5fnuzbof36ug19ly7f@gmail.com
vobyumfoodzygubuyv.co.cc - Email: mjkexe0d9gaqkzihlo@gmail.com
xepepele969.co.cc - Email: bemumoro6654@gmail.com
xodovumuycguhyujip.co.cc - Email: zeqa6hr6kltwpt6eis@gmail.com
yfwiiwoqwipihovo.co.cc - Email: 87koy5ljr5j4oe9dcm@gmail.com
ygitysbocysokuujok.co.cc - Email: qa0gvqsa8t3dr5u3yr@gmail.com
ykraivec.co.cc - Email: wergr@ukr.net
ynywyvtioxiloghoin.co.cc - Email: g955emcus8z0dbfebs@gmail.com
yourbestchose.co.cc - Email: daan900@bk.ru
yzirukwoilokocpohi.co.cc - Email: scqnbtps908moi8rgx@gmail.com
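
The registrant-email and hosting overlaps in the lists above (lordjok@gmail.com and FranciscoPGeorge@hotmail.com behind several domains in AS6851, the patterned gmail and yahoo addresses behind the .co.cc portfolio) are what an analyst pivots on. The following Python is an added example, not code from the original post: it parses lines in the post's own "domain - IP - Email:" format, builds inverted indexes by IP and by registrant email, and applies a heuristic of my own (not the author's) for recognising the two generated-address shapes seen in the list. The sample entries are a constructed subset copied from the lists above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the lists above, in the
# post's own "domain - IP - Email:" format (IP and email are both optional).
SAMPLE = """\
1zabslwvn538n4i5tcjl.com - 91.188.59.10 - Email: michaeltycoon@gmail.com
hotxtube.in - 91.188.59.74 - Email: lordjok@gmail.com
allforil1i.com - Email: lordjok@gmail.com
alltubeforfree.com - Email: lordjok@gmail.com
my-antivirusplus.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
myprotectonline.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
sys-protect-online.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com
easy-ns-server.org - 91.188.60.3 - Email: russell1985@hotmail.com
hotfilesfordownload.com
bipilyqomyusvuhy.co.cc - Email: eeclllw3xqu19tr9wb@gmail.com
aifmydpuhv.co.cc - Email: kent.attonis9140@yahoo.com
coebfjqmkhsn.co.cc - Email: kent.attonis9140@yahoo.com
comp-s.co.cc - Email: stas14423321@mail.ru
"""

# domain, then optional " - <ipv4>", then optional " - Email: <addr>"
LINE_RE = re.compile(
    r"^(?P<domain>[\w.-]+)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s*(?P<email>\S+))?\s*$"
)


def parse_ioc_lines(text):
    """Turn the free-text IOC list into dicts with domain/ip/email keys."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def pivot(records, key):
    """Inverted index: value of `key` ("ip" or "email") -> sorted domains.
    Only values shared by more than one domain are returned, since a
    singleton is not a pivot."""
    index = defaultdict(set)
    for r in records:
        if r.get(key):
            index[r[key]].add(r["domain"])
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


def email_style(email):
    """Heuristic (mine, not the author's) for the registrant patterns seen above:
    'generated'   = 18-char [a-z0-9] local part at gmail.com (machine-made)
    'name_digits' = first.last#### at yahoo.com (name-generator template)
    'other'       = anything else"""
    local, _, domain = email.partition("@")
    if domain == "gmail.com" and re.fullmatch(r"[a-z0-9]{18}", local):
        return "generated"
    if domain == "yahoo.com" and re.fullmatch(r"[a-z]+\.[a-z]+\d{4}", local):
        return "name_digits"
    return "other"


if __name__ == "__main__":
    recs = parse_ioc_lines(SAMPLE)
    for email, domains in pivot(recs, "email").items():
        print(f"{email} [{email_style(email)}]: {', '.join(domains)}")
    for ip, domains in pivot(recs, "ip").items():
        print(f"{ip}: {', '.join(domains)}")
```

Run it against the full lists on this page and the email pivot collapses the AS6851 porn/scareware domains into three registrants, while the IP pivot shows 91.188.60.3 alone carrying five fake-AV domains; on the .co.cc list the email pivot is nearly empty, exactly as the OPSEC paragraph predicts, but almost every address is classified as generated, which is the pattern worth tracking instead.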

The .co.cc domain portfolio responds to the following IPs; related malicious domains are also parked on them:
69.163.236.70
78.159.114.244
82.146.50.101
82.146.54.111
82.146.50.156
82.146.54.116
82.146.54.118
82.146.54.119
82.146.54.122
82.146.54.129
82.146.50.183
82.146.54.143
82.146.50.184
82.146.50.188
82.146.54.150
82.146.50.193
82.146.50.194
82.146.50.213
82.146.54.177
82.146.51.237
82.146.53.244
82.146.54.62
82.146.54.69
82.146.54.84
84.16.236.31
84.16.236.32
84.16.229.42
89.149.202.106
89.149.226.127
89.149.201.224
89.149.255.174
89.149.255.20
89.149.238.225
89.149.255.21
89.149.200.47
89.149.237.83
92.63.105.179
92.63.105.191
92.63.98.239
94.76.205.176
94.76.205.177
94.76.205.178
94.76.205.180
94.76.205.182
94.76.205.183
94.76.205.184
174.121.196.227
174.120.128.62
188.120.231.249
205.234.222.169
212.95.56.102
212.95.56.104
212.95.56.89
212.95.56.92
212.95.56.93
212.95.56.95
212.95.56.96



Compromised sites part of the blackhat SEO campaign:
kleertjesenmooi.nl
knapadvies.nl
kruidendreef60.nl
kruijspunt.nl
ktf-texel.nl
lali.nl
laplanchette.nl
lenzfilm.nl
leuveld.nl
liana-makeup.com
lidavanvelzensportmassage.nl
lief4kids.com
logamklusmaster.nl
lookingblueeye.nl
luccie-007.nl
lucmeubelbouw.nl
lukasart.nl
maakkennismetkennis.nl
magisoft.be
magnetenspecialist.nl
mahu-services.nl
maismoe.nl
makaroni.info
malena-team.nl
maliebaanutrecht.nl


Once the end user clicks on a link found within Google's index, a tiny .js file on the compromised site (compromised_site.nl/directory/randomcontent.js) checks the referrer, so that only visitors arriving from the search engine are redirected, and the redirection chain begins. For instance:
- www3.donrart58-td.co.cc/ ?uid=213&pid=3&ttl=21f4e73673b - 93.190.141.41 - Email: mailwork.abc@gmail.com
    - www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl
        - www1.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com
            - www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com

Where do we know the same campaigner (?uid=213&pid=3&ttl=21f4e73673b) from? From related campaigns. The same uid=213&pid=3 pair also appears in the June 06 update above (www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c), with only the ttl value changing, which makes the uid/pid pair a more stable pivot than the throwaway redirector hostnames.
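
As an added example (not code from the original post), the following Python applies the two pivots just described to forward-proxy logs: the hostname shape of the redirectors on this page (wwwN.<word><digits>-td/pd/pr on co.cc, cz.cc or xorg.pl), the uid/pid/ttl campaign parameters, and whether the visitor arrived from a search engine. The log lines are constructed in Apache combined format from the chain above; the client IPs, timestamps, paths and user agents are made up, and the hostname regex is my own generalisation from the redirectors listed in this post, not something the gang published.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed forward-proxy access log (Apache combined format). Hosts and
# uid/pid/ttl values come from this post; everything else is made up.
SAMPLE_LOG = [
    '10.1.2.3 - - [03/Jun/2010:10:01:02 +0000] "GET http://www.google.com/search?q=irs+form+1040 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.1.2.3 - - [03/Jun/2010:10:01:05 +0000] "GET http://kruidendreef60.nl/forms/index.php?q=1040 HTTP/1.1" 200 2048 "http://www.google.com/search?q=irs+form+1040" "Mozilla/4.0"',
    '10.1.2.3 - - [03/Jun/2010:10:01:06 +0000] "GET http://www3.donrart58-td.co.cc/?uid=213&pid=3&ttl=21f4e73673b HTTP/1.1" 302 0 "http://kruidendreef60.nl/forms/index.php?q=1040" "Mozilla/4.0"',
    '10.1.2.7 - - [06/Jun/2010:14:22:10 +0000] "GET http://www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c HTTP/1.1" 302 0 "http://www.google.co.uk/search?q=w-9+form" "Mozilla/4.0"',
    '10.1.2.9 - - [06/Jun/2010:14:30:00 +0000] "GET http://www.example.com/app?uid=213 HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Generalised from the redirector hostnames on this page (my assumption):
# wwwN.<word><digits>-td|pd|pr|p on a free-subdomain TLD.
REDIRECTOR_HOST = re.compile(
    r"^www\d\.[a-z]+-?\d+-?(?:td|pd|pr|p)\.(?:co\.cc|cz\.cc|xorg\.pl)$", re.I
)
SEARCH_ENGINE = re.compile(
    r"^(?:www\.)?(?:google\.[a-z.]+|bing\.com|(?:[a-z]{2}\.)?search\.yahoo\.com)$", re.I
)


def parse_line(line):
    """Combined-format log line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(entry):
    """Attach host, campaign parameters and a list of reasons to a parsed entry."""
    url = urlsplit(entry["url"])
    q = parse_qs(url.query)
    params = {k: q[k][0] for k in ("uid", "pid", "ttl") if k in q}
    reasons = []
    if REDIRECTOR_HOST.match(url.hostname or ""):
        reasons.append("redirector_host")
    if set(params) == {"uid", "pid", "ttl"}:          # all three, as in the chain
        reasons.append("campaign_params")
    ref_host = urlsplit(entry["referer"]).hostname or ""
    if reasons and SEARCH_ENGINE.match(ref_host):      # cloaked for search traffic
        reasons.append("search_referrer")
    return {**entry, "host": url.hostname, **params, "reasons": reasons}


def find_campaign_hits(lines):
    """Parsed, analysed entries that triggered at least one reason."""
    hits = [analyse(e) for e in map(parse_line, lines) if e]
    return [h for h in hits if h["reasons"]]


def cluster_by_campaign(hits):
    """(uid, pid) -> redirector hosts seen with it; ttl is ignored as it rotates."""
    groups = defaultdict(list)
    for h in hits:
        if "campaign_params" in h["reasons"]:
            groups[(h["uid"], h["pid"])].append(h["host"])
    return dict(groups)


if __name__ == "__main__":
    hits = find_campaign_hits(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["host"], h.get("uid"), h.get("pid"), h["reasons"])
    print(cluster_by_campaign(hits))
```

The two redirector hits share uid=213/pid=3 across different hostnames and different days, which is the point of the pivot: the hostnames churn, the affiliate identifier does not. The benign request carrying only uid=213 is not flagged, because the rule requires all three parameters together.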

Parked on 93.190.141.41, donrart58-td.co.cc, AS49981 WorldStream are also:
www3.justsoft11-td.co.cc
www3.donrart56-td.co.cc
www1.newav31-pr.co.cc
www3.goldvox-51td.xorg.pl
www3.goldvox-61td.xorg.pl
www3.goldvox-53td.xorg.pl
www3.goldvox-55td.xorg.pl
www3.goldvox-57td.xorg.pl
www3.goldvox-59td.xorg.pl
www1.bestdefender-58p.xorg.pl
www4.miymiy3.com - 93.190.141.41 - Email: gkook@checkjemail.nl
www3.ruboidmon-60td.com - 93.190.141.41 - Email: gkook@checkjemail.nl

Parked on 188.124.5.66, favoritav31-pd.co.cc, AS44565 VITAL TEKNOLOJI are also:
www2.avcleaner31-pd.co.cc
www2.avcleaner35-pd.co.cc
www3.avprotector51-td.xorg.pl
www3.avprotector53-td.xorg.pl
www3.avprotector55-td.xorg.pl
www3.avprotector57-td.xorg.pl
www3.omgsaveit4.com - 74.118.194.76 - Email: gkook@checkjemail.nl
useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
www4.miymiy2.net - Email: gkook@checkjemail.nl

Parked on 95.169.186.25, AS31103, KEYWEB-AS are also:
www3.justsoft10-td.co.cc
www4.freewarez10-td.co.cc
www3.justsoft11-td.co.cc
www3.justsoft12-td.co.cc
www3.avforyou23-td.co.cc
www4.swintermz.cz.cc
www4.trustzone16-td.xorg.pl
www4.trustzone17-td.xorg.pl
www4.trustzone19-td.xorg.pl
www3.coantys-41td.xorg.pl
www3.vointuas-81td.xorg.pl
www3.coantys-42td.xorg.pl
www3.coantys-46td.xorg.pl
www4.miymiy3.com
useguard.com


Detection rate:
- packupdate_107_213.exe - TROJ_FRAUD.SMAF; Mal/FakeAV-AX - Result: 28/40 (70%)

Phones back to:
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update2.guardinuse.net - 78.159.108.171 - Email: gkook@checkjemail.nl
secure1.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl
74.82.216.3/ncr - plus an interesting HOSTS file modification (HijackThis O1 entries):

O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 74.82.216.3 www.google.com
O1 - Hosts: 74.82.216.3 google.com
O1 - Hosts: 74.82.216.3 google.com.au
O1 - Hosts: 74.82.216.3 www.google.com.au
O1 - Hosts: 74.82.216.3 google.be
O1 - Hosts: 74.82.216.3 www.google.be
O1 - Hosts: 74.82.216.3 google.com.br
O1 - Hosts: 74.82.216.3 www.google.com.br
O1 - Hosts: 74.82.216.3 google.ca
O1 - Hosts: 74.82.216.3 www.google.ca
O1 - Hosts: 74.82.216.3 google.ch
O1 - Hosts: 74.82.216.3 www.google.ch
O1 - Hosts: 74.82.216.3 google.de
O1 - Hosts: 74.82.216.3 www.google.de
O1 - Hosts: 74.82.216.3 google.dk
O1 - Hosts: 74.82.216.3 www.google.dk
O1 - Hosts: 74.82.216.3 google.fr
O1 - Hosts: 74.82.216.3 www.google.fr
O1 - Hosts: 74.82.216.3 google.ie
O1 - Hosts: 74.82.216.3 www.google.ie
O1 - Hosts: 74.82.216.3 google.it
O1 - Hosts: 74.82.216.3 www.google.it
O1 - Hosts: 74.82.216.3 google.co.jp
O1 - Hosts: 74.82.216.3 www.google.co.jp
O1 - Hosts: 74.82.216.3 google.nl
O1 - Hosts: 74.82.216.3 www.google.nl
O1 - Hosts: 74.82.216.3 google.no
O1 - Hosts: 74.82.216.3 www.google.no
O1 - Hosts: 74.82.216.3 google.co.nz
O1 - Hosts: 74.82.216.3 www.google.co.nz
O1 - Hosts: 74.82.216.3 google.pl
O1 - Hosts: 74.82.216.3 www.google.pl
O1 - Hosts: 74.82.216.3 google.se
O1 - Hosts: 74.82.216.3 www.google.se
O1 - Hosts: 74.82.216.3 google.co.uk
O1 - Hosts: 74.82.216.3 www.google.co.uk
O1 - Hosts: 74.82.216.3 google.co.za
O1 - Hosts: 74.82.216.3 www.google.co.za
O1 - Hosts: 74.82.216.3 www.google-analytics.com
O1 - Hosts: 74.82.216.3 www.bing.com
O1 - Hosts: 74.82.216.3 search.yahoo.com
O1 - Hosts: 74.82.216.3 www.search.yahoo.com
O1 - Hosts: 74.82.216.3 uk.search.yahoo.com
O1 - Hosts: 74.82.216.3 ca.search.yahoo.com
O1 - Hosts: 74.82.216.3 de.search.yahoo.com
O1 - Hosts: 74.82.216.3 fr.search.yahoo.com
O1 - Hosts: 74.82.216.3 au.search.yahoo.com
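
As an added example (not from the original post), here is a small Python checker that reads either a raw hosts file or HijackThis "O1 - Hosts:" lines and flags watched names (search engines, Google Safe Browsing, IE SmartScreen's urs.microsoft.com) that are pinned to a routable address rather than to a loopback or unspecified sinkhole, then groups them by the address they point at. The watchlist is my own choice, and the sample is a constructed file containing a few of the entries above plus two harmless lines.

```python
import ipaddress
import re
from collections import defaultdict

# Names that malware pins in the HOSTS file to hijack searches or to blind the
# browser's reputation lookups; my watchlist, extend it for your environment.
WATCHED = [
    re.compile(r"^(?:www\.)?google\.[a-z.]+$"),
    re.compile(r"^(?:www\.)?bing\.com$"),
    re.compile(r"^(?:[a-z]{2}\.|www\.)?search\.yahoo\.com$"),
    re.compile(r"^safebrowsing(?:-cache)?\.google\.com$"),   # Google Safe Browsing
    re.compile(r"^urs\.microsoft\.com$"),                    # IE SmartScreen / URL Reputation Service
]

# Accepts raw hosts-file lines and HijackThis "O1 - Hosts:" report lines alike;
# a hosts line may carry several names after the address, '#' starts a comment.
HOSTS_LINE = re.compile(r"^(?:O1 - Hosts:\s*)?(?P<ip>[0-9a-fA-F:.]+)\s+(?P<names>[^#]+)")

# Constructed sample: a few entries copied from the HijackThis output above,
# plus a normal localhost line and an ad-blocker style 0.0.0.0 sinkhole.
SAMPLE = """\
127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.82.216.3 google.com
O1 - Hosts: 74.82.216.3 www.google.co.uk
O1 - Hosts: 74.82.216.3 search.yahoo.com
0.0.0.0 ads.example.net   # harmless sinkhole entry
"""


def parse_hosts(text):
    """Yield (ip_address, name) pairs, skipping comments and unparsable lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        for name in m["names"].split():
            yield ip, name.lower()


def is_sinkhole(ip):
    """Loopback and unspecified addresses are the legitimate blocking targets."""
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text):
    """(name, ip) pairs where a watched name is pinned to a routable address."""
    out = []
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if any(p.match(name) for p in WATCHED):
            out.append((name, str(ip)))
    return out


def group_by_target(text):
    """Hijacked names grouped by destination IP: one group per attacker server."""
    groups = defaultdict(list)
    for name, ip in suspicious_entries(text):
        groups[ip].append(name)
    return dict(groups)


if __name__ == "__main__":
    # On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
    for ip, names in group_by_target(SAMPLE).items():
        print(f"{ip}: {', '.join(names)}")
```

Note that the scareware's own payment domains (securitysoftwarepayments.com and friends) are deliberately not on the watchlist: they are not names a clean machine would ever resolve, so a generic "watched name pinned to a routable IP" rule misses them, and they are better caught by the phone-home indicators listed above.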


What's so interesting about it anyway? The exact same modification was seen in "Koobface Botnet's Scareware Business Model - Part Two", in regard to the Google IP 74.125.45.100. The effect is twofold: pinning safebrowsing-cache.google.com and urs.microsoft.com breaks the browsers' reputation lookups (Google Safe Browsing and IE SmartScreen), and pinning the google.*, bing.com and search.yahoo.com hosts to 74.82.216.3, the same IP the sample phones back to, hands every search the victim makes to the gang's own server.

Takedown actions are already taking place; updates will be posted as soon as new developments emerge.

Related research on blackhat SEO campaigns:
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


Vendor of Mobile Spying Apps Drives Biz Model Through DIY Generators


It's always worth monitoring the developments in the commercial mobile spying apps space, in particular the inevitable customization of their services.

A shady vendor of such applications is attempting to move away from the mass-market model of competing vendors by offering its potential customers the ability to generate their own .sis files for the spying app targeting the Symbian OS 9 platform. The DIY features also include the ability to self-sign the package with their own certificates. The price tag? A hefty £3000, with no refunds offered.


What's their true motivation behind the release of the DIY generation tool? It appears that they are primarily interested in scaling their business operations by allowing potential resellers to generate the spying apps automatically. Although the self-signing option is interesting, a self-signed package on Symbian OS 9 installs only after a security warning and gets only the user-grantable capabilities, and mobile malware authors continue abusing the Symbian Foundation's certificate signing process, surprisingly, by using bogus company names with no public reference to their existence.

Thanks to the improving monetization models for mobile malware (e.g. calling/SMSing premium rate numbers), mobile malware authors are only starting to realize/abuse the potential of the micro payments market segment.

Related posts on mobile malware:
The future of mobile malware - digitally signed by Symbian?
Commercial spying app for Android devices released
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New Symbian-based mobile worm circulating in the wild
New mobile malware silently transfers account credit
Transmitter.C mobile malware spreading in the wild
Transmitter.C Mobile Malware in the Wild
Proof of Concept Symbian Malware Courtesy of the Academic World
Commercializing Mobile Malware
Mobile Malware Scam iSexPlayer Wants Your Money

Related posts on SMS Ransomware:
New ransomware locks PCs, demands premium SMS for removal
Mac OS X SMS ransomware - hype or real threat?
SMS Ransomware Displays Persistent Inline Ads
6th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
