Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Pricing Scheme for a DDoS Extortion Attack

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 03 Nov 2009 04:07:31 PST

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the "on demand DDoS" business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today's cybercrime enterprise "vertically integrating" in order to occupy as many underground market segments as possible, all of which originally developed thanks to the "malicious economies of scale" (massive SQL injections through search engines' reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let's discuss one of those groups that's been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees, to 30% discount if they want to request DDoS for hire against their competitors, a discount only available if they've actually paid the 10,000 rubles monthly extortion fee at the first place - this gang is also including links to the web sites of Russian's Federal Security Service (FSB) and Russia's Ministry of the Interior stating "in order to make it easy for the victims to contact law enforcement".

Sample DDOS extortion letter:
"Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

1-st payment (10 000 rubles) Must be made no later than DATE. All subsequent payments (10 000 rubles) Must be committed no later than 31 (30) day of each month starting from August 31. Late payment penalties will be charged 100% for each day of delay.

For example, if you do not have time to make payment on the last day of the month, then 1 day of you will have to pay a fine 100%, for instance 20 000 rubles. If you pay only the 2 nd date of the month, it will be for 30 000 rubles etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees apply to your first payment - no later than DATE"

You will also receive several bonuses.
1. 30% discount if you request DDoS attack on your competitors/enemies. Fair market value ddos attacks a simple site is about $ 100 per night, for you it will cost only 70 $ per day.
2. If we turn to your competitors / enemies, to make an attack on your site, then we deny them.

Payment must be done on our purse Yandex-money number 41001474323733. Every month the number will be a new purse, be careful. About how to use Yandex-money read on www.money.yandex.ru. If you want to apply to law enforcement agencies, we will not discourage you. We even give you their contacts: www.fsb.ru, www.mvd.ru"

It's also worth pointing out that a huge number of "boutique vendors" of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of "aggregate-and-forget" type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due the numerous monetization models that cybercriminals developed - for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.

Related posts:
Botnet Communication Platforms
Custom DDoS Capabilities Within a Malware
A New DDoS Malware Kit in the Wild
Botnet on Demand Service
The DDoS Attack Against CNN.com
A Botnet Master's To-Do List
Custom DDoS Attacks Within Popular Malware Diversifying
Using Market Forces to Disrupt Botnets
Web Based Botnet Command and Control Kit 2.0
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The DDoS Attack Against Bobbear.co.uk
Russian Homosexual Sites Under (Commissioned) DDoS Attack

This post has been reproduced from Dancho Danchev's blog.

Summarizing Zero Day's Posts for October

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 02 Nov 2009 13:31:23 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for October.

You can also go through previous summaries, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Does software piracy lead to higher malware infection rates? and New LoroBot ransomware encrypts files, demands $100 for decryption.

01. MS Security Essentials test shows 98% detection rate for 545k malware samples
02. Weak passwords dominate statistics for Hotmail's phishing scheme leak
03. Click fraud facilitating Bahama botnet steals ad revenue from Google
04. New Koobface campaign spoofs Adobe's Flash updater
05. Does software piracy lead to higher malware infection rates?
06. Commonwealth fined $100k for not mandating antivirus software
07. 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
08. Fake 'Conflicker.B Infection Alert' spam campaign drops scareware
09. Gawker Media tricked into featuring malicious Suzuki ads
10. New LoroBot ransomware encrypts files, demands $100 for decryption
11. Spooky Halloween - scareware or crimeware?
12. Phishing experiment sneaks through all anti-spam filters

This post has been reproduced from Dancho Danchev's blog.

Ongoing FDIC Spam Campaign Serves Zeus Crimeware

dancho.danchev@gmail.com (Dancho Danchev) — Wed, 28 Oct 2009 12:20:28 PDT

UPDATED - Wednesday, October 28, 2009: A "New Facebook Login System" spam campaign is in circulation, launched by the same botnet. Sampled updatetool.exe once again interacts with the Zeus command and control at 193.104.27.42.

Message sample 01: "In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below."

Message sample 02: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"

Participating fast-fluxed domains include:
easder1e.co .uk
easder1g.co .uk
easder1l.co .uk
easder1m.co .uk
easder1q.co .uk
nytre4rt.co .uk
nytre4ru.co .uk
nyuy12qwa.co .uk
nyuy12qwf.co .uk
nyuy12qwg.co .uk
nyuy12qws.co .uk
nyuy12qwz.co .uk
ololii.co .uk
ololiw.co .uk
ololiy.co .uk
ololiz.co .uk
tygerah.co .uk
tygerak.co .uk
tygeraw.co .uk
tygeraz.co .uk
yh1qak.co .uk
yh1qal.co .uk
yh1qao.co .uk
yhaqwe1a.co .uk
yhaqwe1q.co .uk
yhaqwe1r.co .uk
yhaqwi1g.co .uk
yhaqwi1h.co .uk
yhaqwi1l.co .uk
yhaqwi1m.co .uk
yhaqwi1p.co .uk
yhhherasde.co .uk
yhhherasdp.co .uk
yhhheraski.co .uk
yhhheraskog.co .uk
yhhheraskol.co .uk
yhhheraskoy.co .uk

n111sae .eu
n111sak .eu
n111sap .eu
n111saq .eu
n111say .eu
n111saz .eu
nyuh1awa .eu
nyuh1awb .eu
nyuh1awc .eu
nyuh1awd .eu
nyuh1awe .eu
nyuh1awf .eu
nyuh1awg .eu
nyuh1awh .eu
nyuh1awm .eu
nyuh1awn .eu
nyuh1aws .eu
nyuh1awt .eu
nyuh1awv .eu
nyuh1awx .eu
nyuh1awz .eu
nyuy12qwf .eu
nyuy12qwg .eu
nyuy12qws .eu

nyuy12qws .eu
ololii .eu
ololiw .eu
ololiy .eu
ololiz .eu
rrref1aaz .eu
rrref1akz .eu
rrref1okz .eu
rrref1ykz.eu
rrrefjokz .eu
saaasak .eu
saaasav .eu
tygerah .eu
tygerak .eu
tygeraw .eu
ujihkei .eu
ujihkni .eu
ujihkoi .eu
ujihkui .eu
yh1qao .eu
yh1qaz .eu
yy1azsva .eu
yy1azsvq .eu
yy1azsvz .eu
yyy1asvf .eu
yyy1azsy .eu
yyy1azvg .eu
yyy1zsve .eu

New DNS servers of notice:
ns1.a-recruitmnt .com
ns1.applesilver .com
ns1.cheryks .com
ns1.barbaos .net
ns1.laktocountry .net

An ongoing spam campaign impersonating The Federal Deposit Insurance Corporation, is attempting to drop zeus samples by enticing users into installing pdf.exe and word.exe.

"Subject: FDIC has officially named your bank a failed bank

Body: You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage."

Sampled malware obtains a Zeus crimeware from a known command and control location (193.104.27.42), already blacklisted by the Zeus Tracker. The campaign is related to the periodical "Microsoft Outlook Update" campaigns, since both campaigns have been sharing fast-flux infrastructure under the same infected hosts, using identical domains.

Fast-fluxed domains participating in the FDIC spam campaign:
bbttyak.co .uk
bbttyak.org .uk
bbttyam.co .uk
bbttyam.me .uk
bbttyap.co .uk
bbttyap.me .uk
bbttyaz.co .uk
bbttyaz.me .uk
gerrahawa .eu
gerrahowa .eu
gerrakawa .eu
gerrakowa .eu
gerralowa .eu
gerraoowa .eu
gerraoowa .eu
gerrasasa .eu
gerrasase .eu
gerrasasq .eu
h1erfae .eu
h1erfai .eu
h1erfaj .eu
h1erfaq .eu
h1erfar .eu
h1erfat .eu
h1erfau .eu
h1erfaw.eu
h1erfay .eu
heiiikok .eu
heiiikoy .eu
heiiikul .eu
heiiikum .eu

heiiikuv .eu
heiiikuy .eu
idllsit .com
ij1tli .net
immikiut1 .cz
j1t1iil .com
j1t1iil .eu
j1t1iil .net
lj1tli .com
lj1tli .net
lj1tll .com
lj1tll .net
ltlil1 .com
ltlil1 .net
modesftp .eu
nniuji1 .eu
nniujih .eu
nniujo1 .eu
nniukif .eu
nniukih .eu
nniukik .eu
nniukiw .eu
nniukiz .eu
nniuxih .eu
nniuxiw .eu
pouikib .eu
pouikic .eu
pouikie .eu
pouikif .eu
pouikig .eu
pouikir .eu
pouikis .eu
pouikit .eu
pouikiv .eu
pouikiw .eu
pouikix .eu
pouikiy .eu
t1fliil .tc
tj1fiil.co .nz
tj1fiil .com
tj1fiil .net
tj1fiil .tc

DNS servers of notice:
ns1.doctor-tomb .com
ns1.sortyn .com
ns1.asthomes .com
ns1.sunriseliny .com
ns1.racing-space .net
ns1.cerezit .net

The phoneback location 193.104.27.42 at AS12604 maintained by Kamushnoy Vladimir Vasulyovich (info@ctgm.info; vla.kam@ctgm.info with ctgm.info responding to 91.213.72.1) is the second Zeus command and control IP within the netblock, followed by 193.104.27.90.

Related posts:
Fake Microsoft patches themed malware campaigns spreading
Fake Microsoft patch malware campaign makes a comeback
The Multitasking Fast-Flux Botnet that Wants to Bank With You
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

This post has been reproduced from Dancho Danchev's blog.

Koobface Botnet Redirects Facebook's IP Space to my Blog

dancho.danchev@gmail.com (Dancho Danchev) — Wed, 21 Oct 2009 14:18:04 PDT

Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP Error 302 - Moved temporarily messages in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.

The result? Earlier this morning, I've noticed over 7,000 unique visits coming from Facebook Inc's IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe's Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process. At first, I thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The compete list of the automatically registered blogspot accounts, of whose existence Google's security team has already been notified are as follows:
1rykutviklingibtvedmongstad-vgnett .blogspot.com/
40-nrg .blogspot.com/
anyauujteykbrlzyt .blogspot.com/
bctdnvxyubozkute336 .blogspot.com/
bjfzibzxpjwfsri.blogspot .com/
bopscfmfdfkdcdk.blogspot .com/
bpucrtkuigcvuzd.blogspot .com/
dcljxlmkdpfyadlmk014.blogspot .com/
driwnhtqcifnewwy.blogspot .com/
fffgxdpmrhzepmwc172.blogspot .com/
frjutygrfzkfmumr.blogspot .com/
gbmasakrnbvduky-mhopomuytpmeo46.blogspot .com/
hmxmjrdpzncnania.blogspot .com/
hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/
hxsdrjrbiesmulbp-mp775012.blogspot .com/
hz560607.blogspot .com/
irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot .com/
isaqwpccpkvmmnffx.blogspot .com/
iunvrafuvbgykpap819.blogspot .com/
ixqowmtgwfvkaapq.blogspot .com/
jocdniqudpnszswn936.blogspot .com/
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/
kayaafwlllybvydpu.blogspot .com/
kfddbjhalrqkmqtoa.blogspot .com/
kutlvtfxkxbismwpci.blogspot .com/
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/

kzbcbzhlgcnmmaveusdt2.blogspot .com/
lbwhvnvfmiwqypft-gt34676.blogspot .com/
lgjxsfcwkviythet.blogspot .com/
lvlcauoimpklqoj.blogspot .com/
moruokuamhtobznhwx.blogspot .com/
nfnnialisemtirdcq.blogspot .com/
pfmrjjvolrxsthdl.blogspot .com/
pywkyzxqcslnqyz907.blogspot .com/
qmhbxydgxfitnaosp.blogspot .com/
rfsnkstagwfwlkgr.blogspot .com/
rykutviklingibtvedmongstad-vgnett .blogspot.com/
scjftnvmcqiarvt-ni242558.blogspot .com/
skpjwfruzkzujvw.blogspot .com/
spfymrxnfiotvtrknf.blogspot .com/
sxcfugyjtvtwgxzvi.blogspot .com/
tbgkfbllzdtrcslpc741.blogspot .com/
unrrldfyuanstafa.blogspot .com/
vstikrflawgquztcn.blogspot .com/
wjfpuoiolcjvecszeb.blogspot .com/
wlaafuebvmdkaiavh.blogspot .com/
wnejhokyqkazwpu898.blogspot.com/
wqqcknikrlnowgri.blogspot .com/
xlmwrzdmywbibfwi742.blogspot .com/
yanksroadwinchangesalcsoutlook-mlbcom .blogspot.com/
yeqhabdnabhndbt.blogspot .com/
yzyweidzwor-cxgwufvosfam .blogspot.com/
zafxzlatzsmwysk.blogspot .com/
znfnxeaoiqhxldvmqo-atcsqbrkobwi408 .blogspot.com/
zqsvjeoqccknkfubc.blogspot .com/

The Koobface gang's use of basic blackhat SEO principles such as content cloaking are identical to their previous attempts to cover-up their malicious activities relying on pre-defined sets of http referrers of public search engines, or particular redirectors in order for their infections to take place.

Stay tuned for more developments on the Ali Baba and the 40 thieves LLC front, a.k.a as my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Scareware Serving Conficker.B Infection Alerts Spam Campaign

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 20 Oct 2009 09:51:24 PDT

A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (using the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an attempt to trick users into installing "antispyware application", in this case the Antivirus Pro 2010 scareware.

This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware.

The following is an extensive list of the domains involved in the campaigns:
abumaso3tkamid .com - Email: drawn@ml3.ru
afedodevascevo .com - Email: sixty@8081.ru
alertonabert .com - Email: flop@infotorrent.ru
alertonbgabert .com - Email: vale@e2mail.ru
alioneferkilo .com - Email: va@blogbuddy.ru
anobalukager .com - Email: chalkov@co5.ru
anobhalukager .com - Email: humps@infotorrent.ru
bufertongamoda .com - Email: kurt@8081.ru
buhafertadosag .com - Email: bias@co5.ru
buhervadonuska .com - Email: vale@e2mail.ru
bulakeskatorad .com - Email: bias@co5.ru
bulerkoseddasko .com - Email: bias@co5.ru
buleropihertan .com - Email: def@co5.ru
celiminerkariota .com - Email: morse@corporatemail.ru
certovalionas .com - Email: kurt@8081.ru
dabertugaburav .com - Email: def@co5.ru
elxolisdonave .com - Email: curb@cheapmail.ru
enkafuleskohuj .com - Email: kerry@freemailbox.ru
ertanueskayert .com - Email: xmas@co5.ru
ertonaferdogalo .com - Email: kerry@freemailbox.ru
ertu6nagertos .com - Email: recipe@isprovider.ru
ertubedewse .com - Email: weak@infotorrent.ru
ertugasedumil .com - Email: chalkov@co5.ru
ertugaskedumil .com - Email: humps@infotorrent.ru
ertunagertos .com - Email: def@co5.ru
erubamerkadolo .com - Email: kerry@freemailbox.ru

fedostalonkah .com - Email: bias@co5.ru
ftahulabedaso .com - Email: raced@corporatemail.ru
gumertagionader .com - Email: seize@e2mail.ru
huladopkaert .com - Email: chute@infotorrent.ru
iobacebauiler .com - Email: roy@corporatemail.ru
itorkalione .com - Email: pygmy@8081.ru
julionejurmon .com - Email: jacob@freemailbox.ru
julionermon .com - Email: pygmy@8081.ru
konitorsabure .com - Email: chalkov@co5.ru
konitorswabure .com - Email: humps@infotorrent.ru
lersolamaderg .com - Email: chalkov@co5.ru
lersolamgaderg .com - Email: humps@infotorrent.ru
linkertagubert .com - Email: kerry@freemailbox.ru
lionglenhrvoa .com - Email: sixty@8081.ru
liposdakoferda .com - Email: leaf@corporatemail.ru
lopastionertu .com - Email: cues@e2mail.ru
nebrafsofertu .com - Email: humps@infotorrent.ru
nuherfodaverta .com - Email: morse@corporatemail.ru
nulerotkabelast .com - Email: dealt@8081.ru
nulkersonatior .com - Email: dealt@8081.ru
obuleskinrodab .com - Email: xmas@co5.ru
ofaderhabewuit .com - Email: kerry@freemailbox.ru
okavanubares .com - Email: chalkov@co5.ru
okaveanubares .com - Email: humps@infotorrent.ru

onagerfadusak .com - Email: cues@e2mail.ru
orav4abustorabe .com - Email: drawn@ml3.ru
oscaviolaner .com - Email: larks@freemailbox.ru
ovuiobvipolak .com - Email: sixty@8081.ru
ovuioipolak .com - Email: bias@co5.ru
paferbasedos .com - Email: chalkov@co5.ru
pafersbasedos .com - Email: humps@infotorrent.ru
polanermogalios .com - Email: dealt@8081.ru
rdafergfvacex .com - Email: jacob@freemailbox.ru
rtugamer5tobes .com - Email: drawn@ml3.ru
rtugamertobes .com - Email: kw@co5.ru
scukonherproger .com - Email: kazoo@isprovider.ru
shuretrobaniso .com - Email: frail@infotorrent.ru
tarhujelafert .com - Email: raced@corporatemail.ru
tavakulio5nkab .com - Email: recipe@isprovider.ru
tavakulionkab .com - Email: def@co5.ru
tertunavogav .com - Email: la@freemailbox.ru
tertunwavogav .com - Email: drawn@ml3.ru
tsabunerkadosa .com - Email: humps@infotorrent.ru

tsarbunerkadosa .com - Email: humps@infotorrent.ru
tubanerdavaf .com - Email: chalkov@co5.ru
tubanerdavjaf .com - Email: halkov@co5.ru
uhajokalesko .com - Email: flop@infotorrent.ru
uhajokvfalesko .com - Email: flop@infotorrent.ru
ulioperdanogad .com - Email: vale@e2mail.ru
uliopewrdanogad .com - Email: kerry@freemailbox.ru
uplaserdunavats .com - Email: dealt@8081.ru
utka3merdosubor .com - Email: drawn@ml3.ru
utkamerdosubor .com - Email: kw@co5.ru
utorganedoskaw .com - Email: kerry@freemailbox.ru
utorgtanedoskaw .com - Email: xmas@co5.ru
uvgaderbotario .com - Email: def@co5.ru
vudermaguliermot .com - Email: leaf@corporatemail.ru
vuilerdomegase .com - Email: leaf@corporatemail.ru
vuilleskomandar .com - Email: seize@e2mail.ru
vulertagulermos .com - Email: dealt@8081.ru
vuretronulevka .com - Email: dealt@8081.ru
weragumasekasuke .com - Email: kazoo@isprovider.ru
werynaherdobas .com - Email: dealt@8081.ru

Despite the comprehensive portfolio of domains used, relying on spam to increase revenue from scareware sales is prone to fail, in this specific case due to the lack of event-based social engineering theme, something that was present in the first campaign.

Related posts:
Conficker's Scareware/Fake Security Software Business Model
Koobface Botnet's Scareware Business Model

This post has been reproduced from Dancho Danchev's blog.

Koobface Botnet Dissected in a TrendMicro Report

dancho.danchev@gmail.com (Dancho Danchev) — Wed, 14 Oct 2009 09:22:42 PDT

I'd like to thank the folks at TrendMicro for mentioning the message inserted by the Koobface gang (more love on a first-name basis from them) within their command and control infrastructure for nine days, greeting me for systematically kicking them out of their ISPs, and suspending their command and control domains, in a new report entitled The Heart of Koobface - C&C and Social Network Propagation:

"This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown attempts initiated by Internet service providers (ISPs) and members of the security industry, the KOOBFACE gang realized the need for a more robust C&C infrastructure.

Thus, on July 19, 2009, the KOOBFACE writers implemented a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of their C&C should another takedown be attempted. A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message (see below) for one of the security researchers tracking the malware’s domain activities.

This message run lasted nine days from July 22 to July 30, 2009. Based on this incident, we can safely assume that the KOOBFACE gang has been monitoring blogs, articles, write-ups, and analyses about their handiwork and was probably also keeping tabs on the various solutions deployed to counter the botnet’s attacks. Second, these people were thus quick to act and fix their creation’s weaknesses, as evidenced by its change in infrastructure. Finally, the botnet’s creators were bold enough to send taunting messages to security researchers."

Having the Koobface gang kicked out of their ISPs in 48 hours through close cooperation with China's CERT; BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web Solutions Llc; Telos-Solutions-AS/Telos Solutions LTD, resulted in a single command and control domain which was active and using the services of UKSERVERS-MNT (AS42831), 78.110.175.15 in particular. Simply put, the Koobface botnet and the hundreds of thousands of infected hosts were not just sitting ducks, but ducks who've fallen asleep in the middle of the hunting season.

It's important to point out that the company (UKSERVERS-MNT) on purposely lied that the customer has been taken offline, allowed the Koobface gang to access the server since the gang claimed "it's a compromised customer and needs to clean-up the mess", then on purposely stopped responding to the smoothly going data sharing process, thereby allowing the Koobface gang to put their contingency plan in place.

The bottom line - based on already published and to-be published assessments of this group's activities, the Koobface botnet appears to be only the tip of the iceberg for the Ali baba and the 40 thieves cybercrime enterprise -- a self-describing message included by the Koobface gang. Their activities also prove a point - a single cybercrime enterprise can efficiently and automatically dominate the entire Web 2.0 threatscape, if they want to.

Related posts:
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Standardizing the Money Mule Recruitment Process

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 06 Oct 2009 00:23:00 PDT

Ah, deja vu! How is it possible that the Scope Group money mule recruitment group acting as the employer for the interviewed mule has been "set up in 1990 in New York, the USA by three enthusiasts who have financial education" just like AF-GROUP LLC and its portfolio of brands, whose 30k botnet operations I exposed and took down in May, 2009, next to establishing a direct connection between the botnet and an Ukrainian dating scam agency known as "Confidential Connections"?

Pretty simple - just like the efficiency-centered mentality applied in the template-ization of malware, the ongoing standardization of the money mule recruitment business model is resulting in a bogus brand portfolios using identical web site layouts next to the same copy writing materials offered by a single vendor exclusively working with money mule recruitment organizations only. A couple of years ago, the money mule recruitment process was largely inefficient due to the operational security applied - not everyone could become a money mule unless certain criteria was met. A newly launched managed money mule recruitment design agency that I've been monitoring for a while, is poised to help cybercriminals achieve faster recruitment rates based on the cybercriminal-tailored services it's offering.

Whereas it's been operating beneath the radar for several years, exclusively serving known and trusted cybercriminals, it's recent mainstream business model is a great example of a timely underground market proposition due to the fact that the current economic climate best suits the money mule recruitment business model due to its high commissions for processing fraudulently obtained money.

Do you infiltrate the entire assembly line, or do you assess the final product? Appreciate my rhetoric as usual, it's full disclosure time, hence infiltrating the assembly line.

In this post, we'll take a look at five templates offered by the managed money mule recruitment vendor, assess several of their customers currently using them to launch targeted and localized to German spam campaigns aiming to recruit new money mules, expose their entire domains portfolio and associated emails used for correspondence with prospective money mules.

Moreover, we'll actually attempt to becoming a money mule by interacting with their market proposition, obtain the financial agent agreements, and expose little known facts about how sophisticated and social-engineering oriented the entire money mule recruitment process really is.

For starters, here's how the service describes itself, and what type of packages it offers to prospective money mule recruiters. The less sophisticated package is offered for $900 and the corporate version goes for $1700.

The first one offers the following:
- fake company site in English
- template-based correspondence letters for the entire process
- the entire document required for the process, custom forms, contracts, invoice applications etc.
- a teach-yourself manual including advice and recommendations - available in English and Russian
- sample spam letters in TXT and HTML, in English only

The corporate version offers the following:
- fake company site in several languages, for instance, Dutch, German, Bulgarian, Italian etc.
- fake signatures representing the CEO, accounts manager etc.
- multiple spam letters in different languages
- managed domain hosting
- answering machine number as well as a paid Skype subscription as a bonus

The following are some of the templates -- blurred by the vendor in order to protect the bogus brands portfolio - currently offered by the service. Three of the templates are already in circulation, that means active spamming in Italian and German "offering the Moon", and asking for your identity and financial reputation:

Upon purchasing any of the packages offered, a custom and non-existent brand logo and related company information will be used on the top of the templates currently offered.

Let's expose some of the bogus brands using these campaigns, whose spamming campaigns have been actively recruiting new money mules over the past couple of months. For instance, the last template -- see attached copy of the original one -- is currently being used by a company known as PanIn Real Estate - panestate .com - 194.0.200.15 - Email: disperswave@gmail.com. The site is currently localized to English; Italian (panestate .com/index_it.html); and Spanish (panestate .com/index_sp.html).

It gets even more interesting when we start analyzing their spam campaign, currently localized to German. For instance, it appears that the customer of the managed money mule recruitment service is using their basic package, since 99% of their spam emails are using Gmail accounts, in fact, one of the spam campaigns is relying on the very same email that the domain panestate .com has been registered with - disperswave@gmail.com.

A sample of the spammed recruitment email:
"Liebe Bewerber! Sind Sie schon mude von solchen Briefchen, in dem man Ihnen einen Arbeitsplatz anbietet? Ich weiss das. Deshalb mochte ich zuerst Sie um Verzeihung bitten. Ich habe aber eine freie Vakanz und mochte sie Ihnen anbieten.

Wenn Sie noch keinen Arbeitsplatz gefunden haben, schreiben Sie bitte mir an meine E-mail Adresse: Als eine Bestatigung brauche ich auch CV und Ihre Telefonnummer, damit ich mich mit Ihnen in Verbindung setzen konnte. Vielen Dank fur Ihre Zeit und Ihr Interesse! Alle weiteren Informationen bekommen Sie per E-Mail. Mit freundlichen Grusen"

Related Gmail accounts used by PanIn Real Estate money mule recruitment incorporated:
pancorporate @ gmail.com
paninwork @ gmail.com
paninde @ googlemail.com
panamajeld @ gmail.com
paninajob @ gmail.com
pananmakarriere @ gmail.com

The same spam template localized in German is also known to have been used with the following Gmail accounts, again operated by money-mule recruitment organizations:
trzzbuded @ gmail.com
robertojens @ gmail.com
gradtul @ gmail.com
hrmiket @ gmail.com
mike.torhr @ gmail.com
evkoreyds @ gmail.com
mike.torhr @ gmail.com
support @ oplusdevelopment.com -- the only exception

The second template used in the wild -- the site returns a 404 error message -- is called Green Star Services website, with the customer apparently still in a testing phrase.

This cannot be said for yet another customer of the same service standardizing the money mule recruitment process by template-izing it. The fifth template, is actually a bogus company called Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com describing itself as:

"Advertising agency “Brand Image” helps its clients to perform their products and services the right way. We never offer you anything additional that we didn’t discuss at the beginning. The motto of our work is honesty and we believe that this is a very important thing in advertising.

We were created to help you in selling products and services. “Brand Image” typically attempts to assist you in building your brand by persuading potential customers to purchase or to consume more of your brand of product or service. It is vivid from the name of our agency that we are doing a lot for your brand. Actually we are constantly working at brand management. It is known that the value of the brand is determined by the amount of profit it generates for the manufacturer. Advertising agency “Brand Image” clearly understands the main principles of brand name and will be glad to help you in choosing the right name for your company.

Advertising agency “Brand Image” proudly presents a great variety of services it provides. The main advantage of our work is that our management staff is always on-line and works 24/7 for your convenience. Moreover, our offices are located all over the Europe and in the USA that makes our work fast and comprehensive. First of all let us introduce you what exactly we offer our clients. However if you happen to have any questions in understanding what this or that service means, you can always find our contacts and use them in communicating with us concerning our advertising offers."

Sample spam message localized in Italian used to recruit for Brand Image Advertising Agency:
"Salary: 4,000 Euro; 10% di ciascuna operazione di pagamento - conto personale 10%; 15% di ciascuna operazione di pagamento - conto corporativo 15%; Location: Italy Accettazione dei pagamenti dai clienti nella vostra zona ? Accepting payments from customers in your area? favorire a realizzare gli obiettivi finanziarie di Compagnia.Le condizioni di lavoro. Il lavoro tranne internet - ufficio, e anche con le banche ei sistemi di trasferimenti veloci. Gli interessati ambosessi possono inviare CV con consenso al trattamento dei dati personali (art.13, d.lgs 196/03) e requisiti di contatto al e-mail. Se a Voi interessa questo lavoro, mandate il curriculum alla nostra: judicialHathawayv?@gmail.com Cordialmente, Sincerely, David De Simone David De Simone"

A second template is known known to have been used, this time offering different commission:
"Rappresentante finanziario Informazioni di posti di lavoro Post Date: 12/04/2009 Salario: 3.000 EUR/mese + 5% di ciascuna operazione di bonifico Location: Italia Generale Description Accettazione dei pagamenti dai clienti nella vostra zona e favorire a realizzare gli obiettivi finanziarie di Compagnia. Le condizioni di lavoro Il lavoro tranne internet - ufficio, e anche con le banche e i sistemi di trasferimenti veloci. Contact Details / Apply for this Job Se a Voi interessa questo lavoro, mandate il curriculum alla nostra individualpeoplecapitalgroup7@googlemail.com individualpeople .biz/go.php?sid=7 In attesa di Vostro riscontro, saluti manager HR Robert J. Wilson"

What we've got here is an identical spam template using a template offered by a managed money mule recruitent design vendor, that is advertising another bogus brand, with the domain name itself registered using the same detaisl as Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com). In the case of the localized to Italian spam message that's yet another bogus brand Individual People Capital Group, individualpeople .org - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com.

Individual People Capital Group describes itself as:
"The Individual People Capital Group Companies is one of the world's most experienced and successful investment management organizations. Our companies manage investments for millions of individuals and thousands of corporations and institutions.

The Individual People Capital Group's largest components are:
• Individual People Funds, which ranks among the three largest mutual fund families in the U.S. - managed by Individual People Capital Research and Management Company, with assets under management of more than $750 billion
• Individual People Capital Guardian Trust Company and the Individual People Capital International companies — providers of global investment management services for institutional clients, consultants and individuals, with assets under management of approximately $300 billion

For 75 years, we have followed a consistent philosophy and approach to generate consistent long-term investment results for our investors around the world. At the heart of our success is a commitment to a number of core beliefs: the importance of long-term investing, the value of in-depth global research, adherence to a disciplined investment management philosophy, and a code of ethics that emphasizes honesty and integrity."

Known Gmail accounts participating in the money mule recruitment and exploit serving process courtesy of Individual People Capital Group:
groupindividualpeople @ gmail.com
newindividualpeople24 @ gmail.com
newworkgroupindividualpeople @ gmail.com
individualpeoplecapitalgroup9 @ googlemail.com
individualpeoplecapitalgroup8 @ googlemail.com
individualpeoplecapitalgroup7 @ googlemail.com
individualpeoplecapitalgroup6 @ googlemail.com
individualpeoplecapitalgr @ googlemail.com

As well as the following emails, once again maintained by the same customer:
individualpeoplecapitalgroup12 @ gmail.com
individualpeoplecapitalgroup13 @ gmail.com
individualpeoplecapitalgroup14 @ gmail.com
individualpeoplecapitalgroup12 @ gmail.com
individualpeoplecapitalgroup13 @ gmail.com
individualpeoplecapitalgroup14 @ gmail.com
individualpeoplecapitalgroup19 @ gmail.com
individualpeople.one @ gmail.com
people.individ @ gmail.com
individ.people @ gmail.com
individualpeople.too @ gmail.com
new.individualpeople @ gmail.com
individual.job.it @ gmail.com
info.individualpeople @ gmail.com
j.wilson.sup @ gmail.com
new.individualpeople @ gmail.com
people.individ @ gmail.com
robert.jwn @ gogglemail.com
robert.wilson.r1 @ gmail.com
robert.wil.r @ gmail.com
rob.wilson.r @ googlemail.com
wilson.wrt @ gmail.com
workgroupindividualpeople @ gmail.com

There are cases when money mule recruiters are interested in plain simple botnet building, case in point is a situation where a spammed money mule spam message advertising individualpeople .biz/go.php?sid=7 was actually serving a malicious PDF, next to linking to the recruitment site itself (individualpeople .org).

In order to further demonstrate the ongoing standardizing of the money mule recruitment process through template-ization, it's time to expose the bogus brands portfolio, and associated domains of a money mule recruitment organization that has been relying on an identical template over the past couple of years. In fact, in May, 2009, a botnet which was used by Ukrainian dating scam agency Confidential Connections was not only found to be directly related to the money mule recruitment gang, but the cybercriminals used one of the recruitment domains as a command and control server for their botnet spamming operations, with the domain itself and one of the sampled dating scam ones registered under the same email.

Brand names for Money Mule Organizations using a standardized template offered by a single vendor, all known to have been "set up in 1990 in New York, the USA by three enthusiasts who have financial education" : Affina Group Inc; Alliance Group Inc; Annuity Group Inc; Archway Group Inc; Armor Group Inc; Assurity Group Co; Assurity Group Inc; BFS Group Inc; CDI Group Inc; Cosco Group Inc; Dove Group Inc; Eagle Group Inc; Entrust Group Inc; Extreme Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group Inc; Invalda Group Inc; Key Group Inc; Liberty Group Inc; Lime Group Inc; Massive Group Inc; Melson Group Inc; MENA Group Inc; O Pm Group Main; OPM Group Inc; Premier Group Inc; Prime Group Inc; Prospera Group Inc; Puritan Group Inc; Reach Group Inc; Redeye Group Inc; Regency Group Inc; Rengo Group Inc; River Group Inc; Saturn Group; Scope Group Inc; Stock Group Inc; Strol Group Inc; Summit Group Inc; Total Group Inc; Trans Group Inc; United Group Inc; Wescom Group Inc

Parked on 222.35.137.237 are the following domains all using the "set up in 1990 in New York, the USA by three enthusiasts who have financial education" template:
affina-groupnet .cn - Email: abuseemaildhcp@gmail.com
affina-groupnet .com - Email: jelly@infotorrent.ru
affina-groupsvc .cc - Email: justin_dickerson@ymail.com
affina-groupsvc .cn - Email: abuseemaildhcp@gmail.com
alliance-groupmain .cc - Email: stiv2009@yahoo.com
annuity-groupnet .cc - Email: justin_dickerson@ymail.com
assurity-groupco .cn - Email: realsupporters@yahoo.com
bfs-groupinc .cc - Email: defrankpo@gmail.com
cdi-groupmain .cn - Email: garry_honn@yahoo.com
cosco-groupmain .com - Email: 20090811112700@antispam.alantron.com
diamond-dream .cc - Email: morgan.greg@yahoo.com
dove-groupli .cn - Email: abuseemaildhcp@gmail.com
dummykeath .cc - Email: morgan.greg@yahoo.com
eagle-groupmain .cn - Email: AntwanHarringtonJI@gmail.com
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com
extreme-groupinc .com - Email: hell@e2mail.ru
flatgroupfly .cc - Email: steven_lucas_2000@yahoo.com
geniouspartner .cn - Email: morgan.greg@yahoo.com
holding-group .cn - Email: ronny.greg@yahoo.com
integrity-groupinc .cc - Email: justin_dickerson@ymail.com
integrity-groupsvc .cn - Email: abuseemaildhcp@gmail.com
keygroupmain .cn - Email: ErichSullivanKF@gmail.com
libertygroup .cc - Email: LindseyKimSI@gmail.com
lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com
massive-groupsvc .cc - Email: chen.poon1732646@yahoo.com
massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com
melson-groupmain .com - Email: enact@co5.ru
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com
opm-group .cn - Email: AbdulStaffordEP@gmail.com
opm-groupli .com - Email: entrap@namebanana.net
premier-groupinc .cn - Email: abuseemaildhcp@gmail.com
prime-groupco .com - Email: Email: fuzz@ml3.ru
prime-groupinc .cc - Email: chen.poon1732646@yahoo.com
puritan-groupco .cc - Email: justin_dickerson@ymail.com
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com
reach-group .cc - Email: rick_morris@yahoo.com
redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com
regency-groupco .cn - Email: abuseemaildhcp@gmail.com
regency-groupnet .cc - Email: justin_dickerson@ymail.com
regency-groupnet .cn - Email: abuseemaildhcp@gmail.com
rengo-groupli .com - Email: jaded@co5.ru
saturn-groupco .cn - Email: abuseemaildhcp@gmail.com
scope-group .cc - Email: don.ram@yahoo.com
scope-groupmain .cc - Email: don.ram@yahoo.com
strol-groupli .cn - Email: abuseemaildhcp@gmail.com
summit-groupinc .cc - Email: Gregory.Michell2009@yahoo.com
theblackend .cn - Email: morgan.greg@yahoo.com
vector-groupfine .cn - Email: abuseemaildhcp@gmail.com
vector-groupfly .cc - Email: mr.freeddyy@yahoo.com

Parked on 222.35.137.236:
affina-groupnet .cn - Email: abuseemaildhcp@gmail.com
affina-groupsvc .cc - Email: justin_dickerson@ymail.com
annuity-groupllc .cn - Email: abuseemaildhcp@gmail.com
annuity-groupllc .com - Email: jelly@infotorrent.ru
annuity-groupnet .cc - Email: justin_dickerson@ymail.com
annuity-groupnet .cn - Email: abuseemaildhcp@gmail.com
archway-groupinc .cn - Email: abuseemaildhcp@gmail.com
cosco-groupmain .com - Email: chug@freemailbox.ru
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com
integrity-groupinc .cc - Email: justin_dickerson@ymail.com
integrity-groupinc .cn - Email: abuseemaildhcp@gmail.com
integrity-groupsvc .com - Email: jelly@infotorrent.ru
invalda-groupmain .cn - Email: rocco_invalda@yahoo.com
lime-groupnet .cn - Email: abuseemaildhcp@gmail.com
massive-groupsvc .cc - Email: chen.poon1732646@yahoo.com

prime-groupco .cn - Email: abuseemaildhcp@gmail.com
prime-groupco .com - Email: fuzz@ml3.ru
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .com - Email: gone@corporatemail.ru
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com
redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com
regency-groupnet .cc - Email: justin_dickerson@ymail.com
regency-groupnet .cn - Email: abuseemaildhcp@gmail.com
saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com
saturn-groupsvc .com - Email: jelly@infotorrent.ru
vision-groupinc .cn - Email: abuseemaildhcp@gmail.com
vision-groupsvc .com - Email: abuseemaildhcp@gmail.com

Parked on 222.35.137.235, registered with emails already covered:
affina-groupsvc .cn
annuity-groupnet .cn
archway-groupinc .cn
archway-groupinc .com
cosco-groupmain .cn
extreme-groupinc .cn
extreme-groupinc .com
integrity-groupinc .cc
invalda-groupmain .cn
prime-groupco .com
prime-groupinc .cc
puritan-groupco .cn
puritan-groupinc .cn
redeye-groupco .cn
redeye-groupco .com
redeye-groupinc .cc
regency-groupco .com
regency-groupnet .cn
saturn-groupco .cn
scope-group .cn
scope-groupmain .cn
vision-groupinc .cn
Parked on 222.35.137.234, registered with emails already covered:
affina-groupnet .cn
annuity-groupllc .cn
archway-groupinc .cn
cosco-groupmain .com
integrity-groupinc .cn
integrity-groupsvc .cn
massive-groupsvc .cc
premier-groupinc .cn
premier-groupnet .cn
prime-groupco .cn
prime-groupinc .cn
puritan-groupinc .com
redeye-groupco .cn
redeye-groupinc .cn
regency-groupco .cn
regency-groupco .com
regency-groupnet .cn
saturn-groupsvc .cn
saturn-groupsvc .com
vision-groupinc .cn

DNS servers of notice:
ns2.dummykeath .cc
ns2.theblackend .cn
ns1.full-controll .cc
ns3.geniouspartner .cn
ns3.theblackend .cn
ns1.party-reunite .cc
ns2.bubble-preorder .info
ns1.windcontrol .cc
ns3.diamond-dream .cc
ns.partnergreatest8 .net
one.goldwonderful9 .info - the command and control server used by the botnet managed by a money mule organization was using the same nameserver in May, 2009

Once the end user falls victim into the recruitment scam, the entire process of registration and communication with the bogus organization takes place through a web-based interface where the potential money mules has to not only provide detailed personal data, but also, as much information as possible that would help the cybercriminals better achieve their objectives. For instance, the template for the money mule registration process includes a self-answered question which even the average user can get suspicious about - Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard.

The money mule recruitment organization is sticking to its professional tone, as usual, and explains that:
"In fact that modern financial system is a complex instrument, which controls financial streams. The problem is that any transfer may be delayed (from 1 to 5 days) but it is unacceptable for our business. Transaction should be completed by a financial manager the same day money is deposited into the bank account. Otherwise, we risk to lose money, clients, reputation. Analyzing all the details below we'll be able to prepare tasks for every agent individually. Please fill in all the fields carefully to avoid delays while working with your bank. The success of our cooperation depends on the accuracy of entered details! Please be serious."

It gets even more interesting when the recruitment organization starts starts exposing itself as a cybercrime-facilitating enterprise, asking questions that only such an organization needs to known the answers to, due to operational security (OPSEC) and due to their clear understanding of the time value of money (Microsoft study debunks profitability of the underground economy), well stolen money in particular. For instance, the built-in registration checks speak for themselves:

- We don't work with recently opened accounts. For safery reasons your bank account must be 90+ days
- Average number of operations per week required
- Unfortunately we don't work with prepaid bank accounts
- Maximum amount you can withdraw in branch daily

The recruitment organization is clearly aware of basic quality assurance concepts, due to its surprising tactic used for monitoring the transaction process for each and every money mule working with them. How do they achieve this? By offering a $100 financial incentive as a bonus for each and every money mule that provides the bogus company with access to their online banking account so that the organization can monitor the transaction process remotely. It doesn't take a rocket scientist to conclude that even with a two-factor authentication requirement there are ways in which the organization can hijack the entire financial identity of the money mule without his/her knowledge.

Again, they answer to a common question even the most gullible end user would have - I'm feeling uncomfortable giving you my online banking details. Why do you need it? I'm worrying about unauthorized access to my bank account. A question to which they answer by citing increasing bonus rating within their system, and that your supervisor will be checking your account, thereby improving your trust relationship with the organization:

"We require online banking access to monitor deposits coming from our clients. It saves you much time and increase your rating in our system:
- There is no need to check your bank account every hour during transactions, your personal supervisor will do it instead of you! You'll be informed the same minute funds arrive.
- No need to send us your bank account statement every week (maybe 2-3 times a week).
- We trust you much more, you'll receive money bonuses and more transactions!

It is absolutely safe and legal. We guarantee that all personal details will stay safe. Please read our Privacy Policy. NOTE: IT'S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank account, you should contact your bank and activate this service. It will take less than 10 minutes."

The very idea that the money mule has reached the tipping point of its gullibility in order to provide the organization with access to their bank account is surreal, but clearly possible since having reached point of the registration process means they have absolutely no idea what they're doing.

The following are sample screenshots from the web interface used by the organization and the money mules themselves:

Moreover, sample agreement that each and every money mule has to accepted before becoming part of the money mule recruitment network. A second agreement contract containing unique (Photoshop-ed) signing seal for each of the bogus brands has to be also signed, scanned and uploaded through their interface. Both of these agreements, including localized copies in several different languages can be purchased from the managed money mule recruitment vendor from $30 to $70. Here's a sample of the agreement and tag clouds for the company description, the agreement itself and the FAQ:

DUTIES:
The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to effect payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.

CONFIDENTIALITY:
The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures. The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All les, records, documents, blueprints, specications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.

The Contractor shall not retain any copies of the foregoing without the Company's prior written permission. The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this. Agreement to any person without the prior written consent of the Company and shall at all times preserve the condential nature of his relationship to the Company and of the services hereunder. If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, it could be grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT
The Contractor is engaged by the Company on terms of thirty days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to 2300 USD per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary up to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuses to fulfill his/her obligations under this Agreement or fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.

COMPENSATION:
The Company undertakes to pay taxes accrued in connection with money transfer. The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3%, i.e. commission for payment processing operation). The above difference will be automatically added to the basic salary of the Contractor and paid once per month together with the basic salary. All reasonable and approved out-of-pocket expenses which are incurred in connection with the performance of the duties hereunder shall be reimbursed by the Company during the term of this Agreement, against the bill presented by the Contractor. The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor.

Should the Contractor delays re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeur circumstances and to apply to the arbitration and claim for the reimburse of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay. The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary."

Sample agreement that each and every potential money mule has to upload through the web interface, interestingly, each and every of the bogus brands has a custom made seal, part of the services offered by the managed vendor:

With such a professional attitude towards their work, now a process that's easily outsourced to vendors specializing in quality design and bogus company creation services, their recruitment process is prone to reach new levels of efficiency, which is why standardization was applied at the first place. However, just like in the case of malware and scareware, template-ization undermines their operational security (OPSEC) a process which they're clearly aware, but do not fully utilize since money mule recruitment is currently in efficiency-mode.

Knowing the transactions pattern for a money mule recruitment, one which is clearly visible while going through their agreements, can in fact make it easier for financial institutions to protect their customers from themselves before it gets too late and they unknowingly dive deep into the money mule recruitment business model.

Related posts:
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog.

Summarizing Zero Day's Posts for September

dancho.danchev@gmail.com (Dancho Danchev) — Thu, 01 Oct 2009 06:38:25 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for September.

You can also go through previous summaries for August, July, June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: The ultimate guide to scareware protection + Gallery; 'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie) and Modern banker malware undermines two-factor authentication.

01. Scareware goes Green
02. 'Anonymous' group attempts DDoS attack against Australian government
03. Cutwail botnet spamming 'IRS unreported income' themed malware
04. Citizens Financial sued for insufficient E-Banking security
05. iPhone's anti-phishing protection offers inconsistent results
06. 9/11 related keywords hijacked to serve scareware
07. The ultimate guide to scareware protection + Gallery
08. Phishers introduce 'Chat-in-the-Middle' fraud tactic
09. Scareware scammers hijack Twitter trending topics
10. Modern banker malware undermines two-factor authentication
11. Chinese hackers launch targeted attacks against foreign correspondents
12. Research: Small DIY botnets prevalent in enterprise networks

Dissecting September's Twitter Scareware Campaign

dancho.danchev@gmail.com (Dancho Danchev) — Fri, 25 Sep 2009 12:37:52 PDT

UPDATE: 4 hours after notification, Twitter has suspended the remaining bogus accounts. Until the next time, when the reCAPTCHA recognition gets cost-effectively outsourced for automatic scareware-serving purposes.

Over the last couple of days, my Ukrainian "fan club" -- fan club in a sarcastic sense due to the love, more love, even more love and gratitude shown so far -- has once against started abusing Twitter by automatically generating bogus accounts tweeting scareware serving links by syndicating Twitter's trending topics.

This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cybercrime enterprise, is done "in between" the rest of their malicious activities. What's worth pointing out is that just like the most recent malvertising campaign at NYTimes.com, the Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, making it fairly easy to establish connections between these and the ongoing Twitter campaign.

By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 80 tweets have been published per single account. Here's the most recent list of currently active Twitter accounts tweeting scareware links:
twitter.com /verina1238
twitter.com /knab190
twitter.com /zastrow994
twitter.com /gustave12
twitter.com /trautwein9975
twitter.com /reinke341
twitter.com /ordella509
twitter.com /lysa380
twitter.com /weinhold344
twitter.com /wachsmann1541

twitter.com /weishaupt917
twitter.com /scheid1265
twitter.com /fitz1677
twitter.com /falkner425
twitter.com /opel1409
twitter.com /rasche1401
twitter.com /schlecht1581
twitter.com /verina1238
twitter.com /perahta985

The accounts are relying on identical short URLs, with the following ones still active and in circulation:
tinyurl.com /lyby2r
tinyurl.com /nx39k8
tinyurl.com /lyby2r
tinyurl.com /mnbfox
tinyurl.com /msjjv8
tinyurl.com /mj5wju
tinyurl.com /mxg2vo
tinyurl.com /m656h7
tinyurl.com /nffkly
xrl.us /bfnpv7
xrl.us /bfnsa8
xrl.us /bfny8e
xrl.us /bfnnu4
xrl.us /bfnzkk
a.gd/ 6af3fe
a.gd/ 649be
a.gd/ f6b7f5
a.gd/ 0abe74
is.gd/ 3AoRZ
is.gd/ 3A5DD
is.gd/ 3AUVc
is.gd/ 3BZqa
is.gd/ 3C4lU

The short URLs rely on several redirectors to finally land the end user on a scareware site, such as securityland .cn and imagination-1 .com:

securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP are also:
abclllab .com
0lenfo .com
ynoubfa .cn
protectinstructor .cn
immitations-all .net
1limbo .net

imagination-1 .com- 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on the same IP are also:
bombas10 .com
graves111 .com
iriskas .com
yvicawo .cn

Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware domains pushed in the ongoing U.S Federal Forms Themed Blackhat SEO Campaign have been registered using it, that very same blackhat SEO whose central redirector a-n-d-the .com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 72.21.41.198 - (hosted by Layered Technologies, Inc.) mimics the campaign structure of 2008's massive input validation abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns.

Moreover, the same email has been used to register two of the "phone-back" domains for the scareware pushed in the blackhat SEO campaign and the NYTimes.com malvertising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and securemysystem .net - Email: gertrudeedickens@text2re.com.

The following scareware domains are not just used within the Twitter campaign, some of them have also been detected as part of blackhat SEO campaigns:
ekevuc .cn - 64.213.140.68
windowspcdefender .com
smart-virus-eliminator .com
fast-systemguard .net
opyhila .cn
riwryse .cn
adijef .cn
dunhah .cn
idisuan .cn
wobcyn .cn
upuoro .cn
ucyilwo .cn
ogywuep .cn
adaengu .cn
taziqow .cn
zerkauz .cn

ejavone .cn - 64.213.140.69
fastsystem-guard .com
windowsguardsuite .com
windowssystemsuite .com
winsecuritysuite-pro .com
windows-protectionsuite .net
malwarecatcher .net
fast-scan-protect .net
fastscansecure .net
goryhe .cn
pyzuhme .cn
zydfaqe .cn
ahoize .cn
abonyag .cn
abenapi .cn
otobym .cn
abicoym .cn
nepsoym .cn
byzfalo .cn
pywudar .cn
qucgyit .cn
dahokxu .cn
lylbaov .cn
cusryw .cn

fast-scanandprotect .net
fastscanonline .com
fastsearch-secure .com
fast-systemguard .net
go-scanandsecure .net
goscan-protect .com
go-searchandscan .com
guardmyzone .net
mynewprotection .net
my-newprotection .net
my-officeguard .com
my-officeguard .net
myprotectedsystem .com
myprotected-system .com
my-protectedzone .net
myprotectionshield .com
myprotectionzone .com
my-protectionzone .com
my-protectionzone .net
myprotection-zone .net
my-saerchsecure .com
my-safetyprotection .com
my-systemprotection .net
mysystemsafety .com
my-systemscan .com
my-systemscanner .com
mysystemsecurity .com
new-scanandprotect .com

newscan-andprotect .net
new-systemprotection .com
online-scanandsecure .net
online-securescanner .net
online-systemscan .com
onlinesystemscan .net
protectand-secure .com
protectionsearch .com
safetyshield .net
safetysystem-guard .com
scanonline-protect .com
scan-system .net
scanvirus-online .net
searchandscan .net
search-scanonline .net
searchsecureguard .net
secure-systemguard .net
system-guard .net
systemguard-zone .com
systemguard-zone .net
systemprotected .net
systemscan-secure .net
trust-systemprotect .com
trust-systemprotect .net
trustsystem-protection .com
trust-systemprotection .net
windows-protectionsuite .net
windows-systemguard .net
windows-virusscan .net
winprotection-suite .com

Sampled scareware also phones-back to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com, the same phone-back domain was used in the scareware sampled from the NYTimes.com malvertising attack, with the same email also belonging to a scareware domain (mainsecsys .info) listed in the Diverse Portfolio of Fake Security Software - Part Twenty Two for July.

The cybercrime powerhouse behind all these attacks, continues maintaining the largest market share of systematic Web 2.0 abuse, and that includes their involvement in the Koobface botnet.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
The Twitter Malware Campaign Wants to Bank With You
Does Twitter’s malware link filter really work?
Commercial Twitter spamming tool hits the market
Cybercriminals hijack Twitter trending topics to serve malware
Spammers harvesting emails from Twitter - in real time
Twitter hit by multiple variants of XSS worm

This post has been reproduced from Dancho Danchev's blog.

The Ultimate Guide to Scareware Protection

dancho.danchev@gmail.com (Dancho Danchev) — Fri, 18 Sep 2009 10:03:47 PDT

Throughout the last two years, scareware (fake security software), quickly emerged as the single most profitable monetization strategy for cybercriminals to take advantage of. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.

This end user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, how it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community taking into consideration the fact that 99% of the current releases rely on social engineering tactics.

This post has been reproduced from Dancho Danchev's blog.

Koobface Botnet's Scareware Business Model

dancho.danchev@gmail.com (Dancho Danchev) — Fri, 25 Sep 2009 03:05:40 PDT

UPDATE1: TrendMicro just confirmed the ongoing double-layer monetization of Koobface. Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, followd by two recently updated Koobface components.

The new scareware domains kjremover .info; lrxsoft .info - 212.117.160.21 - Email: niclas@i.ua actually download it from the well known q2bf0fzvjb5ca .cn portfolio, which phones back to the same domains listed previously, with only a slight change in the filename - urodinam .net/8732489273.php. The generic detection rate for the updated components (61.235.117.83 /bin/get.exe; 61.235.117.83 /bin/v2webserver.exe) with get.exe phoning back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular gdehochesh .com/adm/index.php.

Just like Conficker, the Koobface botnet is no stranger to the scareware business model and the potential for monetization of the hundreds of thousands of infected hosts.

However, changes made in the campaign structure of the Koobface botnet during the last couple of days, indicate that the Koobface gang has embedded a pop-up at each and every host that's automatically rotation different scareware brands. They're now officially monetizing the botnet using a scareware business model.

Let's analyze the latest changes introduced by the Koobface gang over the last couple of days and emphasize on the monetization tactics introduced by the gang.

Next to insulting, showing gratitude, the Koobface gang also has a (black) sense of humor - within one of the directories at the takedown-proof command and control used by the gang in China (61.235.117.83; at 61.235.117.83/bin in particular) they've left the following message "2008 ali baba and 40, LLC". Ali Baba and the Forty Thieves is a 1944 film based on the original Ali Baba character.

Compared to previous campaigns relying on centralized command and control and redirection points -- making them easy to shut down -- the ongoing Facebook campaigns are dynamically redirecting to IPs within the Koobface network, which combined with their use of compromised legitimate sites is supposed to make the take down of their campaigns a bit more time consuming.

That's, of course, not the case since undermining their monetization approaches undermines the monetary value of their campaigns, which is what they're after this time. The Koobface gang has now embedded a single line within each and every infected host used in the campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, but to also trick them into installing the scareware which is rotated as usual.

dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof page part of the botnet and is then redirecting the most popular scareware template, the My computer Online Scan.

The first scareware domain used in the last 48 ryacleaner .info/hitin.php?affid=02979 (212.117.160.21l parked there as also eljupdate .info Email: niclas@i.ua and dercleaner .info Email: niclas@i.ua) was serving setup.exe which is downloading the actual scareware executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23).

What's so special about this domain? It was last profiled in the A Diverse Portfolio of Fake Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the same IP registered under the same email - robertsimonkroon@gmail.com.

The second scareware domain pushed by the Koobface during the last 24 hours, gotrioscan .com/?uid=13301 - 91.212.107.103 - momorule@gmail.com redirects to plazec .info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com where the scareware is served. Parked at the same IP is the rest of thescareware domains portfolio pushed by Koobface:

in5id .com
in5ch .com
goscanback .com
goscanlook .com
gofatescan .com
goeachscan .com
gobackscan .com
goironscan .com
gotrioscan .com
ia-pro .com
iantivirus-pro .com
iantiviruspro .com
windoptimizer .com
woptimizer .com
in5cs .com
wopayment .com
in5st .com
zussia .info
plazec .info
gaudad .info
voided .info
gelded .info
tithed .info
botled .info
tented .info
fatted .info
unowed .info
wzand .info
searce .info
prarie .info
meyrie .info

pittie .info
penvie .info
figgle .info
sawme .info
droope .info
haere .info
scarre .info
undeaf .info
adjudg .info
wiving .info
slatch .info

bedash .info
dolchi .info
sighal .info
devicel .info
knivel .info
freckl .info
scrowl .info
usicam .info
spelem .info
vagrom .info
numben .info
speen .info
krapen .info
atwain .info
declin .info
inclin .info
unclin .info
towton .info
grumio .info
stampo .info
extrip .info

polear .info
benber .info
kedder .info
erpeer .info
argier .info
fulier .info
lavyer .info
inquir .info
orodes .info
faites .info
beeves .info
quoifs .info
filths .info
broths .info
nevils .info
swoons .info
sallat .info
apalet .info

reglet .info
camlet .info
plamet .info
hownet .info
fosset .info
cuplift .info
raught .info
holdit .info
unroot .info
unwept .info
anmast .info
ticedu .info
outliv .info
onclew .info
froday .info
mayray .info
tenshy .info
steepy .info
miloty .info
debuty .info
fifthz .info
potinz .info
caretz .info
narowz .info

What do these two scareware executables have in common? Its the phone back locations that the Koobface gang is using, reveling its participation in a scareware affiliate network called Crusade Affiliates.

The first phone back location urodinam.net /dfgsdfsdf .php - 122.224.9.67 adds a .bat file which would attempt to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on hourly basis. The second phone back location is the Crusade Affiliates network that shares revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - crusade-affiliates .com/install.php?id=02979 - 85.17.139.149.

The third phone back location is a direct download attempt of FraudTool.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from 0ni9o1s3feu60 .cn/u4.exe - 220.196.59.23. It's pretty evident that the Koobface botnet is now relying on multiple layers of monetization approaches.

The Koobface gang has been pretty during the last couple of days. The following list of Koobface malware spreading domains are in circulation across social networking sites since the last 48 hours, consisting of a combination of purely malicious and compromised legitimate sites:
3sss .com/youtube.com
4bond .it/youtube.com
ac2j .com/freeem0vies
aced1979 .freehostia.com/y0urfi1m
alexandrialocksmith .net/uncens0redvide0
alpha.kei .pl/amalzlngfi1ms
alruwaithy .com/extrlmeperf0rmans
astoundeddesign .com/privaledem0nstrati0n
awwfuck .me/fuunnyacti0n
baddog.me .uk/uncens0redc1ip
bbckzoo .com/extrlmedwd
bbckzoo .com/mmyperf0rmans
be. la/freeefi1ms
bencaputoprinting .com/c00lfi1m
bicentenario.sc49 .info/mmyfi1m
bighornrivercabins .com/c00lvlds
biskopsto .fo/fantasticm0vie
bloch-data .dk/c00lvlds
bokongerslev .dk/amalzlngm0vie
bokongerslev .dk/extrlmeacti0n
book-dalmose .dk/extrlmeperf0rmans
campionariadigalatina .it/youtube.com
carlamo .com/extrlmec1ip
centerforyourhealth .com/extrlmem0vies
centralbaptist.org .au/fantasticvide0

certtiletechs .com/fuunnym0vies
cisaimpianti .net/youtube.com
claykelley .net/extrlmevlds
claykelley .net/mmyvide0
clubatleticigualada .com/y0urc1ip
connoro .com/bestsh0w
consignbuydesign .com/fuunnyttube
dkflyt .dk/mmytw
downingfarms .com/bestacti0n
eminfinity.com .au/amalzlngc1ips
eminfinity.com .au/uncens0redsh0w
endurancesportscar .com/extrlmem0vies
epicent .dk/pub1icfi1m
evaracollin .be/mmyfi1ms
exceleronmedical .com/amalzlngc1ips
exceleronmedical .com/c00lperf0rmans
exceleronmedical .com/privalettube/?youtube.com
finolog .com/privalem0vie
fitslim .com/fantasticdem0nstrati0n
gacogop .org/fuunnyc1ips
gamlabodens .se/privaletw
garagedoorsnow .com/meggadem0nstrati0n
garlicworld .com/mmym0vie
garlicworld .com/uncens0redperf0rmans

gcillustration .com/extrlmevide0
germanamericantax .com/pub1icm0vie
happyholidaychristmastrees .com/uncens0redperf0rmans
horaexata.com .br/c00lc1ip
huffmanfarms .com/fantasticfi1ms
imagequest360 .com/fantasticm0vies
inartdesigns .com/extrlmevide0
interception .dk/mmyttube
kalender.sttmedia .se/amalzlngdem0nstrati0n
kartingclubsourdsnamur .be/besttw
kiding.users.digital-crocus .com/mmym0vies
kloerfem .dk/amalzlngsh0w
kracl .com/freeesh0w
kreativdizajn .com/amalzlngvlds
ktvsongs .com/pub1icacti0n
lonestargcs .com/mmydwd
losangelesfurniture .com/fantasticdem0nstrati0n
lr-online .dk/c00lfi1ms
lr-online .dk/y0ursh0w
marketmarkj .com/privalem0vies
martinhorngren .com/privalettube
meetingpacket .com/youtube.com
microscoop .net/fantasticttube
momentsbypat .com/pub1icm0vie
mtn-ejendomme .dk/mmyacti0n
nadiottawa .org/pub1icc1ips
naestved-sportscollege .dk/amalzlngacti0n
nicalandnow .com/uncens0redvlds
odyssey-consultants .com/amalzlngvide0
odyssey-consultants .com/mmym0vie
onlyfun .se/extrlmec1ip
pridesoccer .com/privalec1ips
quicksilver-direct .com/amalzlngfi1m
reddoorchina .com/mmyvlds
relivery .com/extrlmesh0w
ristorocasanova .it/youtube.com
sanfranciscocookie .com/fantasticfi1ms
sarkos .ch/fuunnyperf0rmans
saudiclubs .org/fantasticvlds
sauipeswimwear .com/c00lm0vie
schoolofhiphop .no/freeefi1ms
senegalinfoservices .com/bestacti0n

squashigualada .com/extrlmevlds
starcraftdream .com/fuunnyvlds
stm.frihost .org/freeefi1m
stringer .no/uncens0redacti0n
sttmedia .se/fantastictw
taia.com .br/uncens0reddwd
thefurniturewarehouse .net/mmym0vies
theidusshop .com/pub1ictw
thepinflow .com/meggash0w
thorsen-meyer .dk/bestc1ips
tivity .dk/amalzlngm0vie
tivity .dk/fantasticfi1ms
tizianamaniezzo .com/fantasticc1ips
tohva .org/bestacti0n
troop270 .nwsc.org/fuunnydwd
txmurphys .com/c00lfi1m
tybjerglillebakkervand .dk/privalem0vie
vagnpfisk .dk/privalem0vie
vivaipirovano .com/youtube.com
xanchise .com/c00lc1ip
yurafting .com/amalzlngvlds

Sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=ldgen&v=14 and bianca.trinityonline .biz/.sys/?action=ldgen&a=590837698&v=14&l=1000&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_tg=0&c_nl=0. 69.163.147.203 - Email: email@darrenjames.net, with the latest Koobfae update modules detected as follows - 61.235.117.83 /bin/v2prx.exe; 61.235.117.83 /bin/pp.12.exe

The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40 , LLC) have not just started monetizing the infected hosts, they're using multiple layers of monetization to do so.

Related posts:
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Ukrainian "Fan Club" Features Malvertisement at NYTimes.com

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 14 Sep 2009 12:25:21 PDT

If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.

Yesterday, the NYTimes.com posted a note to readers, confirming that a malvertisement campaign somehow made on their web site, resulting in the automatic exposure of users to scareware:

"Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."

Who's behind this malvertising campaign? Let the data speak for itself.

According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also in circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).

In the NYTimes.com malvertising attacks, that's sex-and-the-city .cn (parked at 94.102.48.29 where the rest of their redirectors are) acting as redirector leading to the protection-check07 .com scareware, parked on the very same IPs (91.212.107.5; 94.102.51.26; 88.198.107.25) like the rest of the new scareware domains systematically updated once or twice during a 24 hours period, again courtesy of the "fan club".

The last sample in circulation, phones back to windowsprotection-suite .net - Email: gertrudeedickens@text2re.com; mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com also maintains secure-pro .cn; and to securemysystem .net - Email: gertrudeedickens@text2re.com

The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, have already been reported in related malvertising attacks, are also parked on the same IP:
relunas .com - Email: admin@relunas.com
kennedales .com - Email: admin@kennedales.com
harlingens .com - Email: admin@harlingens.com
newadsresults .com - Email: ritaj@gmail.com
waveadvert .com - Email: lindahg@yahoo.com

As always, what would originally seem as an isolated incident orchestrated by yet to be analyzed cybecrime gang, is in fact a great example of underground multitasking in action through the convergence of different attack tactics, courtesy of a single cybercrime enterprise.

Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at Cleveland.com
Scareware pops-up at FoxNews

This post has been reproduced from Dancho Danchev's blog.

News Items Themed Blackhat SEO Campaign Still Active

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 07 Sep 2009 13:42:26 PDT

According to a blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again popped-up on their radars. The campaign itself has been active since April, when I last analyzed it.

What has changed?

Instead of relying on purely malicious domains, the Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web, and due to the quality of the historical OSINT making it possible to detect their activity -- practice which prompts them to insult back -- they're also starting to put efforts into making it look like it's another group.

However, knowing the tools and tactics that they use, next to evident efficiency-centered mentality, they continue leaving minor leads that make it possible to establish a direct relationship between the group, the Koobface worm and the majority of blackhat SEO campaigns launched during the last couple of months across the entire Web.

The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign, what's new is the typical dynamic change of the redirectors in place.

Let's dissect a sample campaign currently parked at coolinc.info. Once the http referrer checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in campaign (bernie-madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js) with generic detection triggered only by Sophos as Mal/ObfJS-CI.

Through a series of redirectors - usanews2009 .com/index.php - 78.46.129.170 - Email: derrick2@mail.ru; newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru; cnnnews2009 .com/index.php - 91.203.146.38 - EMail: derrick2@mail.ru; the user is redirected to the scareware domain through justintimberlakestream .com/?pid=95&sid=4e6ffe - 193.169.12.70; Email: info@zebrainvents.com.

The scareware itself (phones back to worldrolemodeling .com/?b=1s1 - 193.169.12.71) is dynamically served through 78.46.201.89; 193.169.12.70 and 92.241.177.207 with an diverse portfolio of fake security software domains parked there.

Parked at 92.241.177.207 are:
best-scanpc .com
bestscanpc .org
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
best-scanpc .com
bestscanpc .com
xxx-white-tube .com
rude-xxx-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
1-vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
ns1.megahostname .biz
ns2.megahostname .biz

Parked at 78.46.201.89 (IP used in the U.S Federal Forms themed blackhat SEO campaign) are also:
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
totalspywarescan3 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
antivir-scan-online .com

remove-all-pc-adware .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
megaspywarescan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
warningvirusspreads .com
bewareofvirusattacks .com
secure.web-software-payments .com
warningmalwarealert .com
warningspywarealert .com
warningvirusalert .com

Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
colonizemoon2010 .com
blastertroops2011 .com
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
becomemybestfriend .com
bravemousepride .com
antivir-scan-online .com
emphasis-online .com
justseethisonline .com
futureshortsonline .com

remove-all-pc-adware .com
waitforsunrise .com
funpictureslive .com
justintimberlakestream .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
obbeytheriver .com
obamanewterror .com
warningvirusspreads .com
watch2010movies .com
primeareanetworks .com
investmenttooltips .com
executive-officers .com
newsoverworldhot .com
management-overview .com
justthingsyouneedtoknow .com
criticalmentality .com

In between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html (74.54.176.50; Email: skypixre@nm.ru) leading to sexualporno .ru/admin/red/mwcounter.html. Parked on 74.54.176.50 are related domains that were once using the ddanchev-suck-my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.

Does this admin/red directory structure ring a bell? But, of course. In fact the ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 74.54.176.50) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.

The ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check just like the U.S federal forms themed campaign, and the original "Hot News" themed campaigns - if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663";[. The script also includes a central iFrame from the now known malicious coolinf .info - dash-store.coolinc .info/images/levittpedofil.html which redirects to 1008.myhome .tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now known justintimberlakestream .com/?pid=42&sid=8f68b5.

The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybecrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with the Koobface botnet.

Monitoring of their campaigns, and take down actions would continue.

Related posts:
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem

Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:
Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

SMS Ransomware Displays Persistent Inline Ads

dancho.danchev@gmail.com (Dancho Danchev) — Thu, 24 Sep 2009 08:56:38 PDT

SMS-based micro-payments are clearly becoming the monetization channel of choice for the majority of cybercriminals engaging in ransomware campaigns. The logic behind this emerging trend is fairly simple, and as everything else in the cybercrime underground these days, it has to do with efficiency.

Compared to micro-payments, the 2008's monetization channel used by GPcode in terms of E-gold and Liberty Reserve accounts communicated over email -- with cases where the gang wasn't even bothering to respond to infected victims looking for ways to pay the ransom -- looks like a time-consuming and largely inefficient way to "interact" with the victims.

Another recently released SMS-based ransomware showing persistent ads within the browser sessions of infected victims, and demanding a premium-rate SMS for removal, is the very latest indication of the micro-payment monetization channel trend.

The DIY ransomware is offered for sale at $100, with the typical "value-added" services in the form of managed undetected binaries through crypting. Since the command and control interface is web based (php+mysql), the author is actively experimenting with new features such as scheduled appearing of the ads, inventory of banners and affiliate program links, and the ability to use multiple SMS numbers next to multiple unlocking codes.

Are the currently active ransomware "vendors" trendsetters or are they still in experimental mode?

The business model of SMS-based ransomware is clearly lucrative, especially in situations where cybercriminals are known to combine two or three different monetization tactics. However, compared to the high profit-margins which cybecriminals earn through the scareware business model, SMS-based ransomware remains a developing market segment.

Related posts:
6th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal
Who's Behind the GPcode Ransomware?
Identifying the Gpcode Ransomware Author

This post has been reproduced from Dancho Danchev's blog.

Summarizing Zero Day's Posts for August

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 01 Sep 2009 06:46:11 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for August.

You can also go through previous summaries for July, June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include - Does Twitter's malware link filter really work?; IE8 outperforms competing browsers in malware protection -- again, and Research: 80% of Web users running unpatched versions of Flash/Acrobat

01. Dead-finger tech: 3G USB Modem, Prestigio Powerbank 501
02. Does Twitter's malware link filter really work?
03. Fake Microsoft patch malware campaign makes a comeback
04. Plugins compromised in SquirrelMail's web server hack
05. Absolute Software downplays BIOS rootkit claims
06. Federal forms themed blackhat SEO campaign serving scareware
07. Microsoft's Bing invaded by pharmaceutical scammers
08. Campaign Monitor hacked, accounts used for spamming
09. New Mac OS X DNS changer spreads through social engineering
10. IE8 outperforms competing browsers in malware protection -- again
11. Research: 80% of Web users running unpatched versions of Flash/Acrobat
12. The most dangerous celebrities to search for in 2009
13. Source code for Skype eavesdropping trojan in the wild
14. Snow Leopard's malware protection only scans for two trojans

6th SMS Ransomware Variant Offered for Sale

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 24 Aug 2009 09:14:06 PDT

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send a SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows."

Anticipating the potential for monetization, cybercriminals are investing more time and resources into coming up with new features for their SMS based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions into this newly emerged micro-payment ransomware channel.

What's new, is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of the numbers gets shut down. Let's go through some of the features of two newly released SMS ransomware variants offered for $20, and $30 respectively.

What's worth emphasizing on in respect to the first release, is that it's Windows 7 compatible, and is the first SMS ransomware that allows scheduled lock down after infection -- presumably, the author included this feature in order to make it harder for the victim to recognize how he got infected at the first place -- as well as multiple SMS numbers for contingency planning.

Key features include:
- Clean interace
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple-unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of tim
- Auto-starting features, self-removal upon entering the correct activation code, and ensuring that the victim would no longer be infected with this release through the use of mutex-es.
- This SMS ransomware is Windows 7 compatible

The majority of SMS based ransomware is relying on the "Unlicensed Windows Copy" theme, but the first self-replicating through removable media propagation such ransomware is signaling a trend to come - social engineering throuhg impersonation in a typical scareware style. This release can be easily described as the first scareware with micro-payment ransom element offered for sale.

Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected user into thinking that Kaspersky has detected a piece of malware, has blocked it but since the malware changes its encryption algorithm the user has to send a SMS costing 150 rubles in order to receive the SMS that will block the malware.

This release also includes a timer, and a message explaining that re-installing Windows wouldn't change the situation in an attempt to further trick the user into sending the messsage. The release is exclusively released for Windows XP and is not Windows Vista compatible.

Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as hijacking a browser session's ads and demanding ransom to remove the adult content, it's only a matter of time to witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.

Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

Movement on the Koobface Front - Part Two

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 07 Sep 2009 07:06:18 PDT

UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down.

UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.

UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.

The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.

UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

UPDATE8: Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for automatic hacking of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP take down are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.

UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn't shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in a process of getting shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), interestingly, they did so with all of the their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring a direct ISP action, instead of domain registar's one.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com

The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7

BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

dancho.danchev@gmail.com (Dancho Danchev) — Fri, 18 Sep 2009 09:26:09 PDT

AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )

How did the cybercriminals respond? By proving that this blackhat SEO campaign has been well planed and coordinate a long time before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, the result of a evident compromise of Web Hosting Mania due to the fact that all the affected legitimate sites are hosted there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware variants/redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated junk that has naturally been crawled by public search engines, but also, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring site for a particular domain coming from thebbs.org and 31.97% from Google - their tactics are actively hijacking millions of users already.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:

U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there

the redirection and scareware domain/binary are updated two times during 24 hours period of time

the scareware has a very low generic detection rate due to their persistence in updating it

all the scareware samples continue phoning back to several domains parked at 78.46.201.90

the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines

a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used by the RBN/customer of the RBN in massive iFrame injection attacks abusing input validation flaws within high profile sites over an year ago

sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"

the blackhat SEO gang is using a unique javascript obfuscation which I originally stumbled upon a couple of months ago while assessing another blackhat SEO courtesy of the Ukrainian "fan club", the one with the Koobface connection. It relies on dynamically generated code spoofing go.live.com and rds.yahoo.com random URLs for evasion purposes. The only vendor that detects it is McAfee-GW-Edition as Heuristic.BehavesLike.JS.CodeUnfolding.A

Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk

Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:

agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com

mezkopq .cc - 93.170.129.75 - Email: susan@michiganfarms.com
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com

uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94

nimygu .net - 206.51.230.96
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81

Portfolio of scareware domains participating in the blackhat SEO campaing, parked at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225; 93.158.114.132:
antispywaretotalscan9 .com - 213.163.89.60; 89.47.237.55; 89.248.174.61 - Email: info@siggy.com
antispywaretotalscan5 .com - Email: info@siggy.com
antispywaretotalscan6 .com - Email: info@siggy.com
antispywaretotalscan8 .com - Email: info@siggy.com
antispywaretotalscan9 .com - Email: info@siggy.com
delete-all-virus05 .com - Email: sales@naukrit.com
delete-all-virus07 .com - Email: sales@naukrit.com
delete-all-virus09 .com - Email: sales@naukrit.com
delete-all-virus03 .com - 213.163.89.60; 88.198.233.225; 91.213.126.100; 193.169.12.70 - Email: sales@naukrit.com
clean-all-spyware10 .com - Email: crbarnes@uvic.ca
remove-all-adware01 .com - Email: info@nco.com.cn
clean-all-spyware01 .com - Email: crbarnes@uvic.ca
fast-virus-scan2 .com - Email: courseinfo@greenwich.ac.uk
remove-all-spyware03 .com - Email: info@nco.com.cn
fast-virus-scan4 .com - Email: courseinfo@greenwich.ac.uk
clean-all-spyware05 .com - Email: crbarnes@uvic.ca
best-virus-scanner5 .com - Email: info@ecomsol.com
remove-all-spyware07 .com - Email: info@nco.com.cn
fast-virus-scan7 .com - Email: courseinfo@greenwich.ac.uk
005threats-scanner .com
09computerquickscan .com
005yourprivatescanner .com
online-systemscan .net - Email: gertrudeedickens@text2re.com
best-spyware-scan01 .com - Email: info@viter-media.com
online-antivir-scan09 .com - Email: contacts@stevens-media.com
checkviruszone .com - Email: gertrudeedickens@text2re.com

guardsearch .net - Email: gertrudeedickens@text2re.com
protection-check07 .com - Email: info@democraticyouth.com
malwareinternetscanner03 .com - Email: kathy@nj-steams.com
best-spyware-scan03 .com - Email: info@viter-media.com
antispywarescanner08 .com - Email: info@cpehn.org
antivirusonlinescan03 .com - Email: kathy@nj-steams.com
quick-virus-scanner02 .com - Email: info@person.k112.nc.us
securedlivescan .com
superb-virus-scan09 .com - Email: tours@admiralgroup.co.uk
superb-antivir-scan01 .com - Email: tours@admiralgroup.co.uk
intellectual-vir-scan09 .com - Email: info@worldlifehencey.com
intellectual-vir-scan08 .com - Email: info@worldlifehencey.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com

clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

antispyware-online-scanv7 .com - Email: ervin1981rolf@yahoo.com
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

onlineproantivirusscanner .com - Email: findz@freebbmail.com
online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz

New/historical redirection domains used in the campaign, this time parked at 78.46.201.89/94.102.48.29/different locations as noted:
cnn-bcc2 .com - 89.248.174.61 - Email: mail@sccits.com.cn
issuenews1 .com - Email: mail@sccits.com.cn
headlinenews2 .com - Email: mail@sccits.com.cn
usdisturbed .cn - Email: info@brandbanks.com
milesdavisorland .cn - Email: info@brandbanks.com
usaworkinghard .cn - Email: info@brandbanks.com
nationaltreasure .cn - Email: info@brandbanks.com
milesdavisorland .cn - 91.213.126.101 - Email: info@brandbanks.com
we-accepted .cn - Email: info@rcusan.org
myth-busters .cn - Email: info@rcusan.org
russell-brand .cn - Email: info@sciencesdemo.com
willsmithinc .cn - Email: contact@oregonvma.org
dirty-dancing .cn - Email: allisonh@soeconline.org
sex-and-the-city .cn - Email: oregon.artscomm@state.or.us
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
doubleclicknet .cn - 67.215.245.187 - Email: webmaster@doubleclicknet.cn
shrekmovie .cn - Email: oregon.artscomm@state.or.us
radioheadicon .cn - Email: contact@oregonvma.org
batman-comics .cn - Email: contact@oregonvma.org
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn
aware-of-future .cn - Email: info@globaltechs.com.cn
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - 64.27.21.5 - Email: support@ruler-domains.com
triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php - - Email: tigerwood1@nm.ru

triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query=", deja vu again - fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 11 Aug 2009 05:21:43 PDT

UPDATE2: New scareware domain is in rotation - antispywarelivescanv5 .com - 83.133.123.174; 83.133.126.155; 91.212.107.5; 94.102.48.29; 94.102.51.26; 188.40.61.236 - Email: sales.in@bauhmerhhs.com. Redirection takes place through consensualart .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com.

UPDATE: Four new domains have been introduced, again using the services of AltusHost Inc. (AS44042):

thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com
hernewdy .com - 91.214.44.152 - Email: jacub26887@lycos.com
shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com
vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com

The redirection takes place through mywatermakrs .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com

In response to the takedown of the blackhat SEO domains used in the campaign dissected lat week, the group has responded by introducing new domains next to new redirectors and most interestingly, has started using compromised/mis-configured legitimate sites in an attempt to increase the lifecycle of the campaign by making it takedown-proof.

New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting services:
fifiopod .com - 91.214.44.204 - Email: florenzaluwemba@gmail.com
trodlocho .com - 91.214.44.204 - Email: alie57575@lycos.com
ickgetaph .com - 91.214.44.209 - Email: alie57575@lycos.com
igecanneg .com - 91.214.44.205 - Email: baxter18314@yahoo.com
somveots .com - 91.214.44.203 - Email: frieda24482@msn.com
memodreydi .com - 91.214.44.240 - Email: frieda24482@msn.com
jejnahob .com - 91.214.44.206 - Email: alie57575@lycos.com
nuwofteuz .com - 91.214.44.206 - Email: frieda24482@msn.com
hyhoppeo .com - 91.214.44.239 - Email: jamarcus59884@yahoo.com
egnegvufvu .com - 91.214.44.239 - Email: ehetere29006@yahoo.com
lauzpeog .com - 91.214.44.208 - Email: ehetere29006@yahoo.com
sniozeanvo .com - 91.214.44.239 - Email: ehetere29006@yahoo.com
hebmipenn .com - 91.214.44.207 - Email: adanne43906@rocketmail.com

The cybercriminals are also attempting to use a well proven tactic - occupying as many search engine results as possible for a particular hijacked word by using identical blackhat SEO junk content at multiple domains. A similar attempt was successfully executed in January, 2009's search results poisoning campaign at Google Video, where the first ten results for a particular keyword were all malicious in their nature.

The compromised/misconfigured legitimate sites used in the campaign are serving dynamic javascript obfuscations. Here's a list of ones currently in use:
ali.zaher.101main .com
averder.cwsurf .de
beaver-cub-scout.co .uk
bebbinbears.co .uk
britishbaits .com
cancerselfhelp.org .uk
carolineengland.co .uk
casanickel.co .uk
catspro-northants.org .uk
ceiec.co .uk
cheritontennisclub.co .uk
childrenofthedrone .net
chirnside.org .uk
chris-hillman .com
chris-hillman-photography.co .uk
christine-pearson .com
cicatrixonline.co .uk
cinta.co .uk
classic-pizza.co .uk
crewshillgolfclub.co .uk
cs-photo.co .uk
dak.crep01.linux-site .net
darkhorsegraphics.co .uk
divagoddess.co .uk
fet.jujas.myftpsite .net
tferh.mi-website .es

The campaign continues switching between different redirectors parked at 83.133.123.113 for instance:
rondo-trips .cn
gazsnippets .cn
besthockeyteams .cn
allfootballmanager .cn
rollerskatesadvise .cn
honda-recycle .cn - used in the previous campaign
nothern-ireland .cn
discovernewchina .cn

An updated portfolio of scareware/fake security software, parked at 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5; 94.102.48.29 has been introduced:
bestpersonalprotectionv2 .com
onlinesecurescannerv3 .com
basicsystemscannerv3 .com
onlinebestscannerv3 .com
basicsystemscannerv6 .com
bestpersonalprotectionv7 .com
basicsystemscannerv8 .com
thankyouforscan .com
onlinepersonalscanner .com
basicsystemscanner .com
onlineproantivirusscanner .com
personalantivirusprotection .com
internetantivirusscanner .com
govirusscanner .com
iwantsweepviruses .com
personalfoldertest .com

Sampled scareware once again phones back to the thebigben .cn - Email: chu-thi-huong@giang.com and june-crossover .com - 78.46.201.90 Email: doru@sattenis.com, with more scareware parked there - purchuase-premium-software .com - Email: nagappan.krishnan@persons.us; livepaymentssystem .com - Email: mike12haro@yahoo.com; secure.livepaymentssystem .com - Email: mike12haro@yahoo.com; purchuasepremiumprotection .com - Email: Malcolm@partypants.com.

Evasion techniques are in again in place, however, this time they end up in a Russian Business Network deja vu moment from 2008. In March, 2008, ZDNet Asia and TorrentReactor followed by a large number of other high profile, high pagerank sites started activing as intermediaries to scareware campaigns, among the first such abuse of legitimate sites for scareware serving purposes.

The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.

This post has been reproduced from Dancho Danchev's blog.

Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware

dancho.danchev@gmail.com (Dancho Danchev) — Thu, 06 Aug 2009 12:43:02 PDT

During the past 24 hours, a blackhat SEO campaign has been hijacking U.S Federal Forms related keywords in an attempt to serve scareware.

What's particularly interesting about the campaign is that the Ukrainian fan club behind it -- you didn't even think for a second that there's no connection with their previous campaigns, did you? -- are using basic segmentation principles since the tax form keywords poisoning is attempting to hijack U.S traffic. Evasive practices are also in place through the usual http referrer check, which would only serve the scareware if the visitor is coming from Google.com, if not a 404 error message will appear.

Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used - honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - 83.133.123.113 Email: accabj@cn.accaglobal.com. Parked on the same IP are also related malware/scareware domains:

winsoftwareupdatev2 .com - Email: webmaster@kaity.or.kr
much-in-love .com - Email: krebikim@kanmail.net
i-dont-care-much .com - Email: krebikim@kanmail.net
malwareurlblock .com - Email: Qinrui971@hotmail.com
bennysaintscathedral .com - Email: gayaomila@yahoo.com
browsersecurityinfo .com - Email: visor@elcomtech.com
windowssecurityinfo .com - Email: arziw12@freebbmail.com
ringtone-radio .com - Email: bobbyer@iofc.org
events-team-manager .com - Email: krebikim@kanmail.net
1worldupdatesserver .com - Email: tapias.andres@hdtvspain.org
discovernewchina .cn - Email: leijun.ma@unifem.org
rollerskatesadvise .cn - Email: info@chinaeuropaforum.net
allfootballmanager .cn - Email: info@chinaeuropaforum.net
hardwarefactories .cn - Email: leijun.ma@unifem.org
besthockeyteams .cn - Email: info@chinaeuropaforum.net
gowildtours .cn - Email: leijun.ma@unifem.org

The malicious domains used -- with two exceptions -- are all parked at AltusHost Inc./ALTUSHOST-NET. Here's the complete list:
tebdigasbi .com - 91.214.44.205 - Email: martin94304@yahoo.com
kraijfaw .com - 91.214.44.240 - Email: argantael31869@msn.com
reychohica .com - 91.214.44.209 - Email: martin94304@yahoo.com
fequervo .com - 91.214.44.239 - Email: orla53111@hotmail.com
ukaszohat .com - 91.214.44.205 - Email: argantael31869@msn.com
buwrynko .com - 91.214.44.204 - Email: keallach84256@yahoo.com
fetholye .com - 91.214.44.208 - Email: martin94304@yahoo.com
pasbirrada .com - 91.214.44.204 - Email: martin94304@yahoo.com
dynodns.net - legitimate
thebbs.org - legitimate

The people behind the campaign have also taken contingency planning in mind since the scareware domain portfolio is parked on five different IPs - no-spyware-thanks .com - 94.102.48.29; 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5 Email: Paul.Saydak@lovellis.com. The complete list:

fast-scan-your-pcv3 .com - Email: info@valeros.com
basicsystemscannerv3 .com - Email: changhong@corpdefence.cn
antivirus-quickscanv5 .com - Email: diana1982@yahoo.com
basicsystemscannerv6 .com - Email: changhong@corpdefence.cn
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
privatevirusscannerv8 .com - Email: info@rasystems.com
spywarefastscannerv9 .com - Email: info@rasystems.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com
onlineproscan .com - Email: addworld@freebbmail.com
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-scanner .com - Email: addworld@freebbmail.com
basicsystemscanner .com - Email: changhong@corpdefence.cn
onlineproantivirusscanner .com - Email: findz@freebbmail.com
iwantsweepviruses .com - Email: leesten@fedexnow.com

Two sampled scareware samples during the past 24 hours phone back to goldmine-sachs .com (Goldman Sachs typosquatting) - 83.133.122.211; 89.47.237.52 - Email: rodriguez.dallas@romehotels.com and to june-crossover .com - 83.133.123.109 - Email: doru@sattenis.com. In regard to 89.47.237.52, the "fan club" used it to host scareware in their June's campaigns.

AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.

This post has been reproduced from Dancho Danchev's blog.

Scareware Template Localized to Arabic

dancho.danchev@gmail.com (Dancho Danchev) — Wed, 05 Aug 2009 13:08:35 PDT

A "new tactic" is supposedly being used as a Blue Screen of Death scareware template with a single missing fact "for the record" - the template is old, I came across it on June 17th, with Marshal8e6 featuring it even earlier on the 12th of June.

What's new on the template front in respect to scareware is what will inevitably start taking place across all the market segments within the underground economy in the long term - market segmentation and localization, namely, translating the malware/spam/phishing templates to the native language of the prospective victims.

A decent example is the first ever template of the popular "My Computer Online Scan" fake scanning screen localized to Arabic - scan-online .co.cc/arabic.php (67.222.148.26).

The last time localization of fake security software was actively taking place was in April, 2008, and the campaigners back then also localized the domain names next to the actual content.

This post has been reproduced from Dancho Danchev's blog.

Movement on the Koobface Front

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 04 Aug 2009 15:25:59 PDT

Now that the Koobface gang is no longer expressing its gratitude for the takedown of its command and control servers, the group has put its contingency planning in action thanks to the on purposely slow reaction of UKSERVERS-MNT's (78.110.175.15) abuse department.

Next to the regular updates (web.reg .md/1/websrvx2.exe; web.reg.md/1/ prx.exe), the group introduced two new domains and started taking advantage of two more IPs for its main command and control server. upr0306 .com now responds to:

67.215.238.178 - AS22298 - Netherlands Distinctio Ltd
78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated Servers
221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN

and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, with ram-220709 .com/go/?pid=30909&type=videxpgo.php?sid=4&sref= redirecting to the Koobface botnet.

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat SEO campaigns from June/July, with warwork .info and tangoing .info parked there.

Related posts:
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

Managed Polymorphic Script Obfuscation Services

dancho.danchev@gmail.com (Dancho Danchev) — Tue, 04 Aug 2009 10:32:42 PDT

Cybecriminals understand the value of quality assurance, and have been actively running business models on the top of it for the past two years.

From the multiple offline antivirus scanners using pirated software, the online detection rate checking services allowing scheduled URL scan and notification upon detection by antivirus vendors, to the underground alternatives of VirusTotal in the form of multiple firewalls bypass verification checks - cybercriminals are actively benchmarking and optimizing their releases before launching yet another campaign.

A newly launched service aims to port a universal managed malware feature on the web - the polymorphic obfuscation of malicious scripts in an attempt to increase the lifecycle of a particular campaign.

Interestingly, due to the obvious software piracy within the cybercrime ecosystem which allowed proprietary malware tools to leak in the wild, the service is using a particular malware kit's javascript obfuscation routines and is running a business model on it.

For the time being, it relies on three obfuscation algorithms, HTMLCryptor olnly - used 56 times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY obfuscation service, also checks and notifies the cybercriminal over ICQ in cases when his IPs and domain names have been blacklisted by Google's Safebrowsing, as well as Spamhaus, and more checks against public malware domain/IP databases are on the developer's to-do list.

The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is attempting to monetize a commodity feature available to cybecriminals through the managed updates that come with the purchase of a proprietary web malware exploitation kit, it's not a fad since it fills in the DIY niche where the variety of the algorithms offered and their actual quality will either spell the doom or the rise of the service.

This post has been reproduced from Dancho Danchev's blog.

Summarizing Zero Day's Posts for July

dancho.danchev@gmail.com (Dancho Danchev) — Mon, 03 Aug 2009 10:36:08 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for July.

You can also go through previous summaries for June, May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include - Manchester City Council pays $2.4m in Conficker clean up costs; Transmitter.C mobile malware spreading in the wild and Does free antivirus offer a false feeling of security?

01. Manchester City Council pays $2.4m in Conficker clean up costs
02. EyeWonder malware incident affects popular web sites
03. Koobface worm joins the Twittersphere
04. Transmitter.C mobile malware spreading in the wild
05. ImageShack hacked by anti-full disclosure movement
06. Does free antivirus offer a false feeling of security?
07. Remote code execution exploit for Firefox 3.5 in the wild
08. Adobe ships insecure version of Reader from official site
09. The future of mobile malware - digitally signed by Symbian?
10. 419 scammers using Dilbert.com
11. Spammers go multilingual, use automatic translation services

This post has been reproduced from Dancho Danchev's blog.

Social Engineering Driven Web Malware Exploitation Kit

dancho.danchev@gmail.com (Dancho Danchev) — Thu, 24 Sep 2009 14:03:01 PDT

The standardization through template-ization of bogus codec/flash player/video pages, taking place during the past two years, has exponentially increased the efficiency levels of malware campaigns relying exclusively on social engineering.

Just like phishing pages being commodity, these commodity spoofs of legitimate software/plugins relying on "visual social engineering" represent a market segment by themselves, one that some cybercriminals have been attempting to monetize for a while.

Case in point - their latest attempt to do so comes in the form of the first social engineering driven web malware exploitation kit.

Despite that the kit's author has ripped off a well known exploits-serving malware kit's statistics interface, what's unique about this release is the fact that the exploit modules come in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", "Outdated Video Codec", "Codec Required" modules.

These very same modules represent the dominant social engineering attack vector on the Internet due to the quality of the spoofs and the end users' gullibility while self-infecting themselves. For the time being, the author appears to be an opportunist rather than someone interested in setting new benchmarks for standardization social engineering by using the efficiency and delivery methods offered by a web malware exploitation kit.

Interestingly, a huge number of fake codec serving web sites are already detecting the OS/Browser of the visitor, and serving Mac OS X based malware or Windows based malware based on the detection. This fact, as well as the fact that visual spoofs of OS X like dialogs are also getting template-ized are not a coincidence - it's a signal for an efficient and social engineering driven malware delivery mechanism in the works. The development of the kit will be monitored and updates posted - if any.

Meanwhile, the recent blackhat SEO campaign which attempted to hijack 'Harry Potter and the Half-Blood Prince' related traffic is a good example on how despite the magnitude of the campaign -- hundreds of thousands of indexed and malware serving pages -- due to the manual campaign management, its centralized nature makes it easier to shut down.

Upon clicking on a link, the end user was redirected to usa-top-news .info - 67.228.147.71 - Email: fullhdvid@gmail.com, then to world-news-scandals .com Email: wnscandals@gmail.com, and finally to tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 - j0cqware@gmail.com where the codec was served from exefreefiles .com - 95.211.8.20 - Email: case0ns@gmail.com. More coded serving domains are parked on the same IPs:

216.240.143.7

sunny-tube-world .com - Email: briashou@gmail.com
the-blue-tube .com - Email: malccrome@gmail.com
onlysteeltube.com - Email: briashou@gmail.com
thecooltube .com - Email: malccrome@gmail.com
etesttube .com - Email: katschezz@gmail.com
thegrouttube .com - Email: katschezz@gmail.com
fllcorp .com

95.211.8.20

exe-load-2009 .com - Email: robeshur@gmail.com
exefiledata .com - Email: robeshur@gmail.com
exereload .com - Email: robeshur@gmail.com
load-exe-world .com - Email: robeshur@gmail.com
cool-exe-file .com - Email: robeshur@gmail.com
last-home-exe .com - Email: robeshur@gmail.com
exefreefiles .com - Email: case0ns@gmail.com
boardexefiles .com - Email: case0ns@gmail.com
exeloadsite .com - Email: j0cqware@gmail.com

The gang maintains another domain portfolio with pretty descriptive nature for phone back, direct fake codec serving purposes:

agro-files-archive .com
alkbbs-files .com
all-tube-world .com
best-light-search .com
besttubetech .com
chamitron .com
cheappharmaad .com
dipexe .com
downloadnativeexe .com
ebooks-archive .org
etesttube .com
exedownloadfull .com
exefiledata .com
exe-paste .com
exe-soft-development .com
exe-xxx-file .com
eyeexe .com
go-exe-go .com
greattubeamp .com
green-tube-site .com
hotexedownload .com
hot-exe-load .com
imagescopybetween .com
isyouimageshere .com
labsmedcom .com
last-exe-portal .com
lost-exe-site .com
lyy-exe .com
main-exe-home .com
mchedlishvili .name
metro-tube .net
my-exe-load .com
newfileexe .com
protectionimage .com
robo-exe .com
rube-exe .com
securetaxexe .com
softportal-extrafiles .com
softportal-files .com
storeyourimagehere .com
super0tube .com
super-exe-home .com
supertubetop .com
sysreport1 .com
sysreport2 .com
testtubefilms .com
texasimages2009 .com
the-blue-tube.com
thecooltube .com
thegrouttube .com
thetubeamps .com
thetubesmovie .com
tiaexe .com
tube-best-4free .com
tube-collection .com
tvtesttube .com
yourtubetop .com

Who's behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", it's the "fan club" with the Koobface connection, continuing to use the same phone back locations that they've been using during the past couple of months - myart-gallery .com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; robert-art .com/senm.php - 66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 216.240.146.119 - Email: chucjack@gmail.com.

This post has been reproduced from Dancho Danchev's blog.