Thursday, March 31, 2011

Dissecting the Massive SQL Injection Attack Serving Scareware


A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using mass vulnerability scanning tools, with the help of search engines which have already crawled the vulnerable sites.

What's particularly interesting about this campaign, is the fact that the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign, expose the domain portfolios and the entire campaign structure.

UPDATED: Related SQL injected URLs courtsesy of WebSense:
online-stats201.info/ur.php - Email: tik0066@gmail.com
stats-master111.info/ur.php - Email: tik0066@gmail.com
agasi-story.info/ur.php - 91.217.162.45 - Email: tik0066@gmail.com
general-st.info/ur.php - Email: tik0066@gmail.com
extra-service.info/ur.php - Email: tik0066@gmail.com
sol-stats.info/ur.php - Email: tik0066@gmail.com
google-stats49.info/ur.php - Email: tik0066@gmail.com
google-stats45.info/ur.php - Email: tik0066@gmail.com
google-stats50.info/ur.php - Email: tik0066@gmail.com
google-server43.info/ur.php - Email: tik0066@gmail.com
stats-master88.info/ur.php - Email: tik0066@gmail.com
eva-marine.info/ur.php - 109.236.81.28 - Email: tik0066@gmail.com
stats-master99.info/ur.php - Email: tik0066@gmail.com
tzv-stats.info/ur.php - Email: tik0066@gmail.com
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com

SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com

Upon successful redirection, the campaign attempts to load the scareware domains defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com

Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/ 41 (22.0%)
MD5   : 815d77f8fca509dde1abeafabed30b65
SHA1  : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also:
antivirus-1091.co.cc
antivirus-1574.co.cc
antivirus-2051.co.cc
antivirus-2525.co.cc
antivirus-2932.co.cc
antivirus-3654.co.cc
antivirus-3833.co.cc
antivirus-4063.co.cc
antivirus-418.co.cc
antivirus-4303.co.cc
antivirus-4749.co.cc
antivirus-495.co.cc
antivirus-5216.co.cc
antivirus-5676.co.cc
antivirus-5802.co.cc
antivirus-6437.co.cc
antivirus-6703.co.cc
antivirus-7081.co.cc
antivirus-713.co.cc
antivirus-728.co.cc
antivirus-7357.co.cc
antivirus-8072.co.cc
antivirus-9009.co.cc
antivirus-9638.co.cc
antivirus-9667.co.cc
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-aqeu.co.cc
defender-asng.co.cc
defender-atio.in - Email: terriduverger3239@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-bwuy.co.cc
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-eahy.co.cc
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-ewum.co.cc
defender-eyde.co.cc
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-fola.co.cc
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-hjlk.in - Email: jennwrayford2124@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-iibk.co.cc
defender-iies.co.cc
defender-iksl.in - Email: amarasanders9974@gmail.com


defender-isde.co.cc
defender-iyrc.co.cc
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-jihv.co.cc
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-kzwu.co.cc
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-nhei.co.cc
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-qotg.in - Email: franchescaili9704@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-qsko.co.cc
defender-qumf.in - Email: carlaadams@gmail.com
defender-rlag.in - Email: carmichaelmail@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-thga.in - Email: youngantonio6055@gmail.com
defender-ueuv.co.cc
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wtln.co.cc
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-xnnx.in - Email: pavelmayer4891@gmail.com
defender-ykym.co.cc
movie-iirg.in - Email: misslynn8546@gmail.com
movie-pblv.in - Email: judgewright4021@gmail.com
movies-live-tube-jeyq.co.cc
movie-tkhk.in - Email: terrymeally1288@gmail.com
movie-tube-beym.co.cc
movie-tube-juie.co.cc

movie-ueep.in - Email: celinekevin6179@gmail.com
movieway2011.com - Email: contact@privacyprotect.org
movie-xbtb.in - Email: sanfordross9242@gmail.com
movie-xxnl.in - Email: ianbalitsaris3201@gmail.com
softway2011.com - Email: contact@privacyprotect.org
system-scanner-boep.co.cc
system-scanner-eill.co.cc
system-scanner-eopa.co.cc
system-scanner-ewqq.co.cc
system-scanner-iaap.co.cc
system-scanner-ieyx.co.cc
system-scanner-lcyo.co.cc
system-scanner-ouny.co.cc
system-scanner-oypx.co.cc
system-scanner-qeap.co.cc
system-scanner-racv.co.cc
system-scanner-ryes.co.cc
system-scanner-tzii.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
system-scanner-uyxt.co.cc
system-scanner-vpoo.co.cc
system-scanner-xtoi.co.cc
system-scanner-yoyx.co.cc
system-scanner-ytut.co.cc


Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):
defender-thga.in - Email: youngantonio6055@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com
defender-abcc.in - Email: rubysmart5057@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-qumf.in - Email: rachelalba1891@gmail.com
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-uvag.in - Email: espenkeck7682@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-wbui.in - Email: carlosbuntschu1238@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-hjlk.in - Email: lauriefreeman9930@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-iksl.in - Email: marasanders9974@gmail.com
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-sxin.in - Email: taloupavlinovich7166@gmail.com
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-drnr.in - Email: sumanvcasquez2008@gmail.com
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-xnnx.in - Email: sylviawulff2140@gmail.com
defender-xkox.in - Email: ryanmartin7607@gmail.com

The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.

Monitoring of the campaign is ongoing.

Related posts:
This post has been reproduced from Dancho Danchev's blog.

Friday, March 25, 2011

Spamvertised Post Office Express Mail (USPS) Emails Serving Malware

A currently spamvertised malware campaign is impersonating the USPS for malware-serving purposes.

Sample subject: Post Express Information. Your package is available for pick up. NR[random number]
Sample attachment: Post_Express_Label_ID_[random number].zip; Post_Express_Label.exe
Sample message:
Dear client, Email notice number.[random number]. Your package has been returned to the Post Express office. The reason of the return is "Error in the delivery address" Important message! Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages! Thank you for using our services. Post Express Support.

Detection rate:
Post_Express_Label.exe - Medium Risk Malware Dropper - Result: 1/ 41 (2.4%)
MD5   : 3c05dd68ee0bfb9b290b9c034f836833
SHA1  : 8a1a00da04c96c8e67b9921652de60463118ea9f
SHA256: 57d58165c79158a42c3e45670aa4176aaae393f371188f91d0ac46022bd3e7c0


Upon execution phones back to:
mialepromo.ru/7Pe8ORoIxs/document.doc
mialepromo.ru/7Pe8ORoIxs/load.php?file=0
mialepromo.ru/7Pe8ORoIxs/load.php?file=1
mialepromo.ru/7Pe8ORoIxs/load.php?file=2
mialepromo.ru/7Pe8ORoIxs/load.php?file=3
mialepromo.ru/7Pe8ORoIxs/load.php?file=4
mialepromo.ru/7Pe8ORoIxs/load.php?file=5
mialepromo.ru/7Pe8ORoIxs/load.php?file=6
mialepromo.ru/7Pe8ORoIxs/load.php?file=7
mialepromo.ru/7Pe8ORoIxs/load.php?file=8
mialepromo.ru/7Pe8ORoIxs/load.php?file=9
mialepromo.ru/7Pe8ORoIxs/load.php?file=uploader
mialepromo.ru/7Pe8ORoIxs/load.php?file=grabbers


mialepromo.ru - 89.208.149.204 (AS12695); 109.94.220.51 (AS47860); 109.94.220.50 (AS47860); 91.199.75.77 (AS44301) 178.17.164.131 (AS43289) 193.22.81.104 (AS28920) - Email: salam@ica.org

Monitoring of the campaign is ongoing.

Related posts:
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from Dancho Danchev's blog.

Wednesday, March 23, 2011

Spamvertised United Parcel Service notifications serve malware

A currently ongoing spam campaign is impersonating UPS for malware-serving purposes.

Sample subject: United Parcel Service notification
Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe
Sample message: Dear customer.

The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.


Detection rates:

UnitedParcelServicedocument.exe - Mal/Bredo-K - Result: 7/ 41 (17.1%)
MD5   : b60e95b42106989bc39e175efcc031db
SHA1  : 0fb63dff83db643c9ee42efe617bdd539a5ffb8f
SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a

UPS notify.exe - Mal/Bredo-K - Result: 17/ 40 (42.5%)
MD5   : cc040e69121bc19f23ef4a32dbb8a80e
SHA1  : da65b7b277540b88918076949a28e8307ad7e41a
SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae

Upon execution downloads additional binaries from:
193.105.121.33/lol2.exe
193.105.121.33/pod.exe
193.105.121.33/spm.exe

Responding to 193.105.121.33 are undeardarling.com - Email: admin@undearhappydear.com  and undearhappydear.com - Email: admin@undearhappydear.com

Detection rates:
lol2.exe - Trojan.FakeAV!gen39- Result: 14/ 43 (32.6%)
MD5   : 747431a2a4a29f1bfc136e674af99ad0
SHA1  : 8349fc3f5f299d0ca6473e748276ec2b50019330
SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db

pod.exe - Backdoor.Win32.Gbot!IK - Result: 33/ 42 (78.6%)
MD5   : f403afdbe4c4c859c8ab018a7ded694c
SHA1  : 1915a46cbb43fcaf8da90af95856d7524b24f129
SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494

Upon execution phones back to:
healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com
bigbeerclubonline.com - Email: contact@privacyprotect.org
zonetf.com - 96.9.169.85 - Email: janeob@126.com

spm.exe - W32.Pilleuz - 10/ 42 (23.8%)
MD5   : de55498b9f9195f1733df62c7026cf5f
SHA1  : 5520c1220cdd03a64f9b782c2393697ebab154b9
SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d

Upon execution phones back to:
ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com


As speculated, cybercriminals have started feeding legitimate sites into their C&C communication patterns in an attempt to undermine community efforts aimed at tracking their malicious activities.

Related posts:
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from Dancho Danchev's blog.

Wednesday, March 16, 2011

Compromised Universities Leads to Fraudulent Pharmaceutical Ads


Continuing the "Compromised University Leads to Fraudulent Pharmaceutical Ads"; "Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads" series, in this post we'll discuss two more compromised web servers of educational institutions leading to pharmaceutical ads. Affected Universities are:

Rutgets Energy Institute:
ruei.rutgers.edu/documents/chin.php?adv=cialis20-mg
ruei.rutgers.edu/documents/chin.php?adv=viagra-ratings
ruei.rutgers.edu/documents/chin.php?adv=viagra-999
ruei.rutgers.edu/documents/chin.php?adv=viagra-expired
ruei.rutgers.edu/documents/chin.php?adv=viagra-kako-se


Uploaded redirectors:
ruei.rutgers.edu/documents/chin.php
ruei.rutgers.edu/documents/roar.php
ruei.rutgers.edu/documents/ost.php


Computer Music Center at Columbia University
music.columbia.edu/cmc/pills/index.php?adv=how-to-try-viagra
music.columbia.edu/cmc/pills/index.php?adv=damaskviagra
music.columbia.edu/cmc/pills/index.php?adv=brandlevitra
music.columbia.edu/cmc/pills/index.php?adv=vegetalviagra
music.columbia.edu/cmc/pills/index.php?adv=vviagra



The sampled URLs redirect to the following fraudulent pharmaceutical sites:
pillsedonline.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
buyperfecthealth.com - 93.170.104.53 - Email: stavros1929@hotmail.com
safedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
securedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
europharmas.com - 93.170.104.53 - Email: glockner546@hotmail.com
requestpills.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
online-doc.us - 93.170.104.53 - Email: cool_gamer90@mail.ru
pills4sex.eu - 93.170.104.53
securetablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com
alledtablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
canadian-refills.com - 178.239.60.214 - Email: privacy-829911@domainprivacygroup.com

Cybercriminals continue purchasing web shells/and stolen FTP credentials to high page rank-ed web sites such as educational institutions. Monitoring of their operations will continue.

This post has been reproduced from Dancho Danchev's blog.

Spamvertised FedEx Notifications Spread Malware

A currently ongoing spamvertised campaign is brand-jacking FedEx for malware serving purposes.

Sample attachments: FedEx letter.zip; FedEx letter.exe
Sample subject: FedEx notification #random number
Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below.

Thank you.
© FedEx 1995-2011


Detection rate: FedEx letter.exe - Trojan.FakeAV - Result: 24/ 43 (55.8%)
MD5   : 90bef5dff5809682249813fd63b67da4
SHA1  : 2418c01a30a19a2d76b693474a852092e3de4a32
SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0

Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.)
94.63.244.56/lol2.exe
94.63.244.56/pod.exe


with 94.63.244.56/allftp.txt; 94.63.244.56/ftp/db_grab.txt hosting the sniffed FTP credentials.

Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone back URLs which we've seen from last week's spamvertised DHL Notifications campaigns, with the use of the IP best described as a desperate attempt to maintain a C&C infrastructure:
This post has been reproduced from Dancho Danchev's blog.

Friday, March 11, 2011

More Spamvertised DHL Notifications Spread Malware

Yesterday's campaign is still ongoing, with new MD5's in the wild. Here are the details.

Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip

doc.exe - Trojan-Spy.SpyEy!IK - Result: 18/ 43 (41.9%)
MD5: 83db662187dd7cd58fc4a368ea27775d
SHA1  : 4edb2d95c0570a36f6cb992e55111cdd7c3eda69
SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3

DHL_tracking.exe - Win-Trojan/Spyeyes.45568 - Result: 29/ 43 (67.4%)
MD5   : 81fc09b014617bce59f678374b486512
SHA1  : 3d92a768f58b2900b98c9f97ce2753d27a4749ae
SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7

Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469,  Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
        - erherg34gsafwe.com/ftp/ftpplug2.dll
            - erherg34gsafwe.com/ftp/base.bin

Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL, courtesy of the ZeusTracker and the SpyEye Tracker:

bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com

Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL
xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 -  Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru

This post has been reproduced from Dancho Danchev's blog.

Thursday, March 10, 2011

Compromised University Leads to Fraudulent Pharmaceutical Ads


Continuing the Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers, part of an affiliate network.

In this very latest example of this tactic, seeking to abuse the high pagerank of the web site in question, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.

Included URLs:
math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html



Redirects to:
worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

The same affiliate ID is also active at:
usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com

This post has been reproduced from Dancho Danchev's blog.

Spamvertised DHL Notification Malware Campaign

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe
Sample message: Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd - notice the typo.

DHL_notification.exe - Trojan-Spy.Win32.SpyEyes - Result: 27 /43 (62.8%)
MD5   : bda72e57d263241d52b1fe2ef014cba9
SHA1  : fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70

Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469,  Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
    - erherg34gsafwe.com/ftp/ftpplug2.dll
    -     erherg34gsafwe.com/ftp/base.bin

Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

This post has been reproduced from Dancho Danchev's blog.

Keeping Money Mule Recruiters on a Short Leash - Part Six


Following my previous post on "Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

Money mule recruitment web sites:
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - seen here 
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info
art-marketllc.cc - Email: hear@ppmail.ru
ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
artsolveltd.cc - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
artsolveltdco.at - Email: admin@artsolveltd.cc
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - seen here
Atlant-usainc.net - Email: admin@atlant-usainc.net
BREDGARCORP-ANT.BE
CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru
DEVAS-LLC.CO - Email: gate@ppmail.ru
DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
FINTEC-UKLTD.WS
fintec-ukltd.ws
fourthgroup-ltd.cc - Email: rots@cheapbox.ru
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
generation-groupltd.cc - Email: jz@ppmail.ru
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at
katemdutkins.co.cc
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
LILACGROUP-LLC.CO - Email: baggy@bz3.ru
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com
nimrodltd-uk.net - Email: admin@nimrodltd-uk.net
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net
qead-groupllc.net - Email: admin@qead-groupllc.net
RENAISSANCELLC.BE
renaissancellc.be
renaissance-llc.cc - Email: admin@renaissance-llc.cc
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru
THRONE-UK.AT - Email: admin@throne-uk.at
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru
westerntrust.co.uk
westview-art.net - Email: admin@westview-art.net


Domains responding to:
78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics llp
195.182.57.91 - AS47311, Cerannics-AS Cerannics llp
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC

More malicious activity within AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:
188.40.198.185
188.40.87.88
www.privathosting.eu
spl.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61


Name servers of notice:
ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns3.uknamo.com - 66.199.236.116
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
ns3.ukansnami.com - 66.199.236.117
ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - seen here 
NS2.LIBUNITAU.CC - 66.199.236.115
NS3.LIBUNITAU.CC - 178.162.181.11
NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - seen here
NS2.AUSTDEC.CC - 66.199.236.114
NS3.AUSTDEC.CC - 178.162.181.11
NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - seen here 
NS2.SURPLUSUSA.CC - 76.73.47.26
NS3.SURPLUSUSA.CC - 69.50.192.97
NS1.USABONDS.CC - Email: bart@cheapbox.ru - seen here 
NS2.USABONDS.CC
NS3.USABONDS.CC

The cybercriminals have also switched from using unique emails for registrations to default admin@money-mule-recruitment domain type of structure. Monitoring of their money mule recruitment activities is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Monday, March 07, 2011

Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads


An exploited web application vulnerability within Cochise County Online University CMS (moodle.cochise.az.gov/user), is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages.

Naturally, once the compromise took place, the cybercriminals started considering the blackhat SEO content farm themed for pharmaceutical scams, as parts of their infrastructure and spamvertised links to it across multiple web forums.

Ther redirection chain is as follows:
- moodle.cochise.az.gov/user - random pharmaceutical content
    - goodmedk.com
        - gooqpilly.com
        - 50.22.28.50

goodmedk.com/whftltyixallwke6hoqstgzsiq.html -     77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pl
goodmedk.com/tldhlaoet8cegh7ng9e.html



Redirectors used:
gooqpilly.com
- 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com


Redirects to the following currently active fraudulent online pharmacies:
pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru
allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com
canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com
worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
generic-pills-online.eu - 95.163.15.207
menhealth-pharmacy.co.uk - 109.237.213.194
4rx.com - 174.127.67.233 - Email: webmaster@4rx.com

The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of social engineering driven abuse of the trust-chain. From Google's name to the visual impersonation of Google Search this campaign demonstrates exactly the same.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.