<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>TransmitterC Mobile Malware in the Wild</title><description>2009-07-08 23:18:10 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge : A currently spreading mobile malware known as TransmitterC (sexySpace.sisx; MD5: 3e9b026a92583c77e7360cd2206fbfcd) has brandjacked a legitimate application in an attempt to infect the initial number of devices that would later on further disseminate it by aggressively SMS-ing messages pointing to the web site hosting it - megac1jck com (6422120235; Email: weijiang198@hotmail.com). Upon execution it drops the following files in an attempt to infect S60 3rd Edition devices: "c_sys\bin\Installer_0x20026CA6.exe"-"c:\sys\bin\Installer_0x20026CA6.exe", FR, RI, RW; "c_sys\bin\AcsServer.exe"-"c:\sys\bin\AcsServer.exe", FR, RI; "c_private\101f875a\import\20026CA5.rsc"-"c:\private\101f875a\import\20026CA5.rsc". What's sad is that, just like the majority of mobile malware incidents, this one is also digitally signed using a certificate issued by Symbian to the name of XinZhongLi Kemao Co Ltd, or vendor name "Play Boy". The sample has been distributed to vendors, and the ISP hosting it has been informed. Related posts: Proof of Concept Symbian Malware Courtesy of the Academic World; Commercializing Mobile Malware; Mobile Malware Scam iSexPlayer Wants Your Money; SMS Ransomware Source Code Now Offered for Sale; 3rd SMS Ransomware Variant Offered for Sale. This post has been reproduced from Dancho Danchev's blog.</description><link>http://www.secuobs.com/revue/news/118158.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/118158.shtml</guid></item>
<item><title>Legitimate Software Typosquatted in SMS Micro-Payment Scam</title><description>Secuobs.com : 2009-07-07 16:08:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Operating since 2008, the fraudulent tactics applied by Soletto Group, SA (also known as Netlink Network Corp) greatly remind of those applied by Interactive Brands (also known as IBSOFTWARE CYPRUS, IB Softwares and most recently Euclid Networks Ltd) -- you have to appreciate the irony here, since they too have been multitasking on multiple fronts through their official phone number since 2007 -- in particular their massive typosquatted domain farms, where they would change and repeatedly charge without permission once someone falls victim to the fraudulent practice. What Soletto Group, SA or Netlink Network Corp (phone 02071939823) does differently is the use of a micro SMS payment scam, having operated the SMS numbers 78881 and 81039 in the past in order to offer a download service for legitimate software in the following way: "WARNING: ACCESS TO THE PREMIUM SERVICE SHALL REQUIRE SENDING ONE SMS PER DOWNLOAD, AND YOU WILL RECEIVE TWO SMS. THE PRICE OF EACH SMS IS THREE POUNDS EACH. TOTAL COST OF SERVICE SIX POUNDS." Who's typosquatted anyway? Pretty much each and every popular piece of software there is: from Kaspersky, NOD32, Malware Bytes, Avira, AVAST, BitDefender, to Firefox, BitTorrent, Microsoft Office, Winzip, Winrar, and Internet Explorer - for starters. The post documents the complete list of their domain farm, with hosting services courtesy of Rapidswitch Ltd. A similar fraudulent Google AdWords scheme was exposed and taken care of in January. The fraudster back then was using a legitimate third-party revenue sharing toolbar installation program which was bundled within the legitimate software. In Soletto Group, SA's case they aim to cut any intermediaries on their way to generating profit. Rapidswitch Ltd has been informed of Soletto Group, SA's brandjacking activities. This post has been reproduced from Dancho Danchev's blog.</description><link>http://www.secuobs.com/revue/news/117584.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/117584.shtml</guid></item>
<item><title>The Multitasking Fast-Flux Botnet that Wants to Bank With You</title><description>Secuobs.com : 2009-07-07 11:16:33 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - From a Chase phishing campaign, to a bogus Microsoft update, to an exploit serving spam campaign using a "Who Killed Michael Jackson" theme (prior to his death; go through the related Michael Jackson malware campaigns), to a currently ongoing phishing campaign impersonating the United Services Automobile Association (USAA), the gang behind this botnet has been actively multitasking during the past two months. The spam message is as follows: "Michael Jackson Was Killed But Who Killed Michael Jackson? Visit X-Files to see the answer: MJackson.kilijj com/x-files". Upon clicking on it, the user is redirected to two exploit serving domains - ogzhnsltk com/plugins/index.php (94199200125; Email: osaltik@windowslive.com) and dogankomurculuk com/stil/index.php (91191164100; Email: byyasin@msn.com). Through the use of an Office Snapshot Viewer exploit the user is then exposed to a downloader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from labormi com/lbrc/lbr.bin (912062016). The post goes on with an extensive list of the participating domains (including the Michael Jackson, Microsoft update and USAA.com themed subdomains), as well as the currently active and fast-fluxing DNS servers that are part of the botnet. Due to this botnet's involvement with several other malware campaigns of notice, and its evident connection with the ongoing monitoring of several particular cybercrime groups, analysis and updates will be posted as soon as they emerge. Related posts: Money Mule Recruiters use ASProx's Fast Fluxing Services; Managed Fast Flux Provider - Part Two; Managed Fast Flux Provider; Storm Worm's Fast Flux Networks; Fast Flux Spam and Scams Increasing; Fast Fluxing Yet Another Pharmacy Spam; Obfuscating Fast Fluxed SQL Injected Domains; Storm Worm Hosting Pharmaceutical Scams; Fast-Fluxing SQL injection attacks executed from the Asprox botnet.</description><link>http://www.secuobs.com/revue/news/117512.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/117512.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Twenty Two</title><description>Secuobs.com : 2009-07-03 20:15:34 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Part twenty two of the diverse portfolio of fake security software series will summarize the typosquatted scareware serving domains currently in circulation, pushed through the usual distribution channels, but will also emphasize the "money trail", namely the payment processing gateways used in the scareware campaigns. In this particular case the scareware front-ends ultimately lead to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless aliases, such as Meyrocorp for instance. The post lists the scareware domains together with their registrant email addresses. It's a pretty obvious case demonstrating the dynamics of the underground ecosystem: a thousand bogus accounts purchased for $10, used in a bulk registration of scareware serving domains on a revenue sharing affiliate model, ends up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but due to the availability of the service. Further lists cover the remaining scareware domains, and then the emphasis shifts to the payment gateways currently active and processing the scareware transactions. These payment processing gateways are sometimes front-ends to the original and often legitimate payment processors. In this particular case, the legitimate processor is Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in the scareware affiliate model, with several complaints for repeated credit card billing, which in reality is included in the scareware's Terms of Service. Upon a successful purchase, the customer is told that "This charge will appear on your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has also been using the following ChronoPay accounts for over a year - Chrpay.com/meyrocorp; CHrpay.com/pnra - using disconnected numbers and the CallerIDs of scareware operations, with desperate attempts to contact the alias for the front-end payment processor ultimately resulting in several hundred ChronoPay related complaints. Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have been used in a mobile application scam dissected here, as well as having been the victim of a DDoS attack in 2008, which is pretty logical: if ChronoPay is the payment processor of choice for the hundreds of thousands in scareware generated revenues on a daily basis, the commissions ChronoPay takes from cybercriminals would be more than welcome in a competing payment processor's network. Related posts: Dissecting a Swine Flu Black SEO Campaign; Massive Blackhat SEO Campaign Serving Scareware; From Ukrainian Blackhat SEO Gang With Love; From Ukrainian Blackhat SEO Gang With Love - Part Two; From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms; Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot; A Diverse Portfolio of Fake Security Software - Part Twenty One; A Diverse Portfolio of Fake Security Software - Part Twenty; A Diverse Portfolio of Fake Security Software - Part Nineteen; A Diverse Portfolio of Fake Security Software - Part Eighteen; A Diverse Portfolio of Fake Security Software - Part Seventeen; A Diverse Portfolio of Fake Security Software - Part Sixteen; A Diverse Portfolio of Fake Security Software - Part Fifteen; A Diverse Portfolio of Fake Security Software - Part Fourteen; A Diverse Portfolio of Fake Security Software - Part Thirteen; A Diverse Portfolio of Fake Security Software - Part Twelve; A Diverse Portfolio of Fake Security Software - Part Eleven; A Diverse Portfolio of Fake Security Software - Part Ten; A Diverse Portfolio of Fake Security Software - Part Nine; A Diverse Portfolio of Fake Security Software - Part Eight; A Diverse Portfolio of Fake Security Software - Part Seven; A Diverse Portfolio of Fake Security Software - Part Six; A Diverse Portfolio of Fake Security Software - Part Five; A Diverse Portfolio of Fake Security Software - Part Four; A Diverse Portfolio of Fake Security Software - Part Three; A Diverse Portfolio of Fake Security Software - Part Two; Diverse Portfolio of Fake Security Software. This post has been reproduced from Dancho Danchev's blog.</description><link>http://www.secuobs.com/revue/news/116792.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/116792.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for June</title><description>Secuobs.com : 2009-07-02 00:10:40 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The following is a brief summary of all of my posts at ZDNet's Zero Day for June. You can also go through the previous summaries for May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. 01 Email service provider: 'Hack into our CEO's email, win $10k'; 02 419 scammers using NYTimes.com 'email this' feature; 03 Microsoft study debunks profitability of the underground economy; 04 Malware poses as fake Yellowsn0w iPhone unlocker; 05 Cybercriminals hijack Twitter trending topics to serve malware; 06 Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown; 07 Mac OS X malware posing as fake video codec discovered; 08 Researchers demo wireless keyboard sniffer for Microsoft 27MHz keyboards; 09 China confirms security flaws in Green Dam, rushes to release a patch; 10 Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites; 11 Fake Microsoft patches themed malware campaigns spreading; 12 Remote code execution exploit for Green Dam in the wild; 13 Secunia: Average insecure program per PC rate remains high; 14 Michael Jackson's death themed malware campaigns spreading.</description><link>http://www.secuobs.com/revue/news/116033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/116033.shtml</guid></item>
<item><title>A Peek Inside the Managed Blackhat SEO Ecosystem</title><description>Secuobs.com : 2009-06-24 16:59:59 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Ever wondered how thousands of bogus accounts across multiple Web services are automatically generated, with built-in monetization channels ranging from scareware and malware to the use of legitimate affiliate links from major ad networks? Through several clicks, or, if complete automation and experience count, through outsourcing the process to a managed blackhat SEO provider that wouldn't charge you for the product, but for the service offered. Let's take a peek at some of the currently available DIY tools, and at what a managed blackhat SEO service provider has to offer. Take for instance the "professional blackhat SEO" expert featured here. His ongoing Twitter spam campaigns are in fact so successfully hijacking trending topics that at first they looked like your typical scareware serving campaign. What both sides have in common are the spamming techniques used. However, the tactics vary and indicate an interesting shift from the typical outsourcing of CAPTCHA recognition for the purpose of storing the blackhat SEO content on the legitimate provider's services. In order to scale more efficiently, several currently active managed blackhat SEO providers have vertically integrated to the point where they manage their own blackhat SEO friendly ISP. By doing so, their bogus account generating platforms are capable of achieving speeds that would otherwise be either impossible or impractical to set as objectives through outsourced CAPTCHA recognition - 2,931 bogus Wordpress accounts with template based blackhat SEO content generated in 1 second using their own managed infrastructure. The screenshots in the original post provide an inside peek into one of the products offered by the "professional blackhat SEO expert". What took place in one second was the generation of thousands of bogus accounts with descriptive blackhat SEO subdomains, with the bogus content pulled/scraped from legitimate and real-time news providers, and with the entire operation run as a managed service, or the tool itself offered for sale. As in every other managed underground service, customization plays a major role and is often the key benchmark for judging a particular product against another. Customization in respect to this particular tool comes in the form of numerous Wordpress templates that can be randomly used during the registration process. Static customization is one thing, dynamic customization is entirely another. The product, and consequently the managed service, offer the ability to automatically add Ebay and Amazon listings with the user's unique affiliate code posted within the bogus content. The practice of affiliate network fraud -- excluding the cybersquatting that is a prerequisite for its success -- was recently described as a much more lucrative fraudulent practice than the pay-per-click model, which entirely depends on the fraudster's knowledge of which monetization model has the highest pay-out rates: "Some companies offer legitimate affiliate programs that allow third-party Web site owners to post links and banners with the company's branded content on their site or to send traffic to the company's site directly through domain forwards. In return, the owner of the site hosting the link receives a commission for every click-through that results in a purchase. This lucrative commission structure has enticed cybercriminals to take advantage of affiliate programs by registering typo domains that redirect to legitimate content and enable them to collect affiliate fees." Next to the malware/scareware serving Twitter campaigns, affiliate network fraud is also very common at the ever-growing micro-blogging service, whose lack of common sense account registration practices -- Twitter doesn't require a valid email, neither does it require an email confirmation upon registering an account -- makes the practice of generating bogus accounts child's play. The bottom line: is the managed blackhat SEO hosting service ($500 per month, or $5000 for one year for the unlimited domains/subdomains/traffic/disk space package) the future, or are we going to continue seeing the systematic abuse of legitimate services' infrastructure through outsourced CAPTCHA recognition? I'd go for the second for a simple reason - it's more cost-effective than the managed service, at least for the time being. In the long term, once it achieves its logical "malicious economies of scale", the hosting and the process would become cheaper, thereby attracting more customers. Recommended reading - Outsourced CAPTCHA recognition: Community-driven Revenue Sharing Scheme for CAPTCHA Breaking; The Unbreakable CAPTCHA; Spammers attacking Microsoft's CAPTCHA -- again; Spam coming from free email providers increasing; Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers; Microsoft's CAPTCHA successfully broken; Vladuz's Ebay CAPTCHA Populator; Spammers and Phishers Breaking CAPTCHAs; DIY CAPTCHA Breaking Service; Which CAPTCHA Do You Want to Decode Today? Managed Cybercrime-facilitating services/tools: Commercial Twitter spamming tool hits the market; Zeus Crimeware as a Service Going Mainstream; Managed Fast-Flux Provider; Managed Fast Flux Provider - Part Two; 76Service - Cybercrime as a Service Going Mainstream; Inside Yet Another Managed Spam Service; Inside a DIY Image Spam Generating Traffic Management Kit; Quality Assurance in a Managed Spamming Service; Managed Spamming Appliances - The Future of Spam; Dissecting a Managed Spamming Service; Inside a Managed Spam Service; Spamming vendor launches managed spamming service. Cybersquatting/Pay Per Click Fraud: Exposing a Fraudulent Google AdWords Scheme; Botnets committing click fraud observed; Click Fraud, Botnets and Parked Domains - All Inclusive; Cybersquatting Security Vendors for Fraudulent Purposes; Cybersquatting Symantec's Norton AntiVirus; The State of Typosquatting - 2007. This post has been reproduced from Dancho Danchev's blog.</description><link>http://www.secuobs.com/revue/news/113144.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/113144.shtml</guid></item>
<item><title>From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms</title><description>Secuobs.com : 2009-06-17 19:03:31 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybercriminals use, as well as directly demonstrate the automatic impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-bosscom.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bitly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days, starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66199229 253/etds (66199229 253/etds/gophpsid=41; 66199229 253/etds/gotphpsid=41; 66199229 253/etds/gophpsid=43; 66199229 253/etds/gotphpsid=43) traffic management location, to end up at the scareware av4best net (64861747) where a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus com and viruscatcher net. The scareware message used in the new template takes you back to the good old school MS-DOS days:

"A problem has been detected and windows has been shut down to prevent damage to your computer. Initialization_failed C:WINDOWSsystem32himemsys. If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."

The messages used in the weekend's Twitter campaign, as well as a graph on the peaks and downs for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha, Palm Pre; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing movie from MSFT; Amazing Air France from MSFT; Sims 3, It's Cool; video, It's Cool; Manage Air France; Amazing porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:

twitter com/wenning351
twitter com/ula475
twitter com/escher338
twitter com/ochs40
twitter com/karlen131
twitter com/cordes904
twitter com/hecker905
twitter com/bohl566
twitter com/sattler649
twitter com/hildegard115
twitter com/andreas281
twitter com/wassermann38
twitter com/rummel980
twitter com/guilaine896
twitter com/orlowski781
twitter com/rupette972
twitter com/holzner473
twitter com/dumke576
twitter com/hilgers465
twitter com/heese157
twitter com/meier679
twitter com/habel896
twitter com/holzinger567
twitter com/wilhelm578
twitter com/dearg450
twitter com/habicht717
twitter com/ferde373
twitter com/hass323
twitter com/heckmann918
twitter com/bruna555
twitter com/wilbert25
twitter com/eckart412
twitter com/sperlich374
twitter com/jahn562
twitter com/ludvig30
twitter com/bing274
twitter com/fett628
twitter com/brock93
twitter com/mally981
twitter com/merle752
twitter com/axmann101
twitter com/pelz478
twitter com/renaud687
twitter com/wienke879
twitter com/hartinger619
twitter com/chriselda988
twitter com/kloos267
twitter com/dreyer15
twitter com/herta740
twitter com/brauer427
twitter com/nadina732
twitter com/wenda245
twitter com/rieken434
twitter com/reinhard192
twitter com/plath132
twitter com/bick497
twitter com/johannsen747
twitter com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original us domains such as twitter 8w8us - 8214651126 - Email: ambersurman@gmailcom; 5us us - 821465125 - Email: elchip0707@mailru, and girlstubes cn 8214652158 - Email: alexvasiliev1987@cocainmailcom, with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate com 194165477, which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows; it's also worth pointing out that compared to their previous campaigns, this time they've included relevant backgrounds and avatars to the Twitter accounts:

twitter com/AshleyTisdal1
twitter com/AnnaNicoleSmit
twitter com/ParisHiltonjpg1
twitter com/ParisHiltonmov1
twitter com/ParisHiltonNake
twitter com/ParisHiltonSex1
twitter com/ParisHiltonNud2
twitter com/ParisSexTape2
twitter com/Britneynipslip1
twitter com/Britneywomani
twitter com/Britneystrip1
twitter com/BritneySex
twitter com/Britneycomix
twitter com/Britneywomaniz
twitter com/BritneyNaked2
twitter com/britneysextape
twitter com/BritneyxSpears1
twitter com/Britneydesnuda1
twitter com/LopezAss
twitter com/jennifermorriso
twitter com/JenniferTilly2
twitter com/AnistonSexscen
twitter com/AnistonBangs
twitter com/JenniferTilly1
twitter com/Jennifernude
twitter com/JenniferConnel
twitter com/JenniferGarner1
twitter com/LopezNaked
twitter com/AnistonSexiest
twitter com/JenniferAnisto4
twitter com/JenniferToastee
twitter com/JenniferAnisto2
twitter com/LoveHewitt1
twitter com/JenniferLoveH1
twitter com/JenniferGreyn
twitter com/1JenniferAnisto
twitter com/2JenniferAnisto
twitter com/1JenniferLopez
twitter com/Lopedesnuda1
twitter com/ElishaCuthbert3
twitter com/ElishaCuthbert1
twitter com/AlysonHannigan2
twitter com/AliciaMachado
twitter com/AliLarterNaked/
twitter com/AliLarterNude
twitter com/MelissaJoanha
twitter com/AishwaryaRaiN1

Upon clicking on bit ly/Je2Sd, the user is redirected to oymomahon com/mirolim-video/3html - 2163286106 Email: StaceyGuerreroSF@gmailcom, redirecting to myhealtharea cn/incgi13 and then to oymoma-tube freehostiacom/x-tubehtm where the fake codec/scareware is served, downloaded from totalsitesarchive com/errorphpid=62 - TrojanWin32FakeAVnz, which once executed phones back to bestyourtrust com/inphpurl=5etaffid=00262 (20944126241). Parked at the same IP are also the following scareware domains:

uniqtrustedweb com
hortshieldpc com
securetopshield com
gisecurityshield com
ourbestsecurityshield com
intellectsecfind com
thesecuritytree com
godsecurityarchive com
besecurityguardian com
thefirstupper com
securityshieldcenter com
bitsecuritycenter com
joinsecuritytools com
hupersecuritydot com
bestyourtrust com
thetrueshiledsecurity com
souptotalsecurity com
scantrustsecurity com

The second bit ly/1a5ZsY link used in the Twitter campaign is redirecting to showmealltube com/paqi-video/7html - 6492170135 Email: zbestgotterflythe@gmailcom. From there, the redirector myhealtharea cn/incgi12 - 2163283110 - zbest2008@mailru again loads oymoma-tubefreehostia com/tubehtm and, most importantly, the counter counteringate com/countphpid=186, which is using an IP known from their previous campaign (194165477).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals. Currently active and participating LinkedIn accounts:

linkedin com/in/rihannanude
linkedin com/in/rihannanude2
linkedin com/in/nudecelebs
linkedin com/in/britneyspearsnudee
linkedin com/in/pamelaandersonnudee
linkedin com/in/nudepreteen2
linkedin com/in/tilatequilanudee
linkedin com/pub/beyonce-nude/14/b/952
linkedin com/pub/child-nude/13/b4b/a16
linkedin com/in/nudemodels
linkedin com/in/preteennude
linkedin com/in/mariahcareynude3
linkedin com/in/nudeboys
linkedin com/in/evamendesnude2
linkedin com/in/nudebeaches
linkedin com/in/nudebabes
linkedin com/in/nudewomen2
linkedin com/pub/ashley-tisdale-nude/13/b4b/762
linkedin com/pub/mila-kunis-nude/13/b4a/b99
linkedin com/pub/nude-kids/13/b4b/aa
linkedin com/pub/young-nude-girls/13/b4a/6a

The LinkedIn campaign is linking to delshikandco com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco com/mirolim-video/3html / delshikandcocom/paqi-video/1html - 2163283104 leads to myhealtharea cn/incgi12 to finally serve the codec at ymoma-tubefreehostiacom/xxxtubehtm or at tubes-portalcom/xplaymoviephpid=40012 - 2162401437, another IP that has already been profiled as part of their previous campaigns.

Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco com, used in both Twitter's and LinkedIn's campaigns. Currently active and participating Scribd accounts:

scribd com/Stacy%20Keibler-nude
scribd com/Vanessa_Hudgens%20nude
scribd com/Jessica%20%20Simpson%20%20nude
scribd com/MileyCyrus%20nude
scribd com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd com/Carmen%20%20Electra%20nude
scribd com/Jennifer%20Anistonnude
scribd com/Paris-Hilton-nude3
scribd com/Vida%20%20Guerra%20%20nude
scribd com/nude2
scribd com/Kim%20%20Kardashian%20nude
scribd com/ZacEfron%20nude
scribd com/BritneySpears%20nude
scribd com/Hilary-Duff-nude%202
scribd com/Angelina-Jolie-nude11
scribd com/Vanessa-Hudgens-nude2
scribd com/Natalie-Portman-nude2
scribd com/JessicaAlba%20nude
scribd com/Jennifer-Love-Hewitt-nude11
scribd com/Kim-Kardashian-nude2
scribd com/Jessica-Alba-nude11s
scribd com/JENNIFER%20LOPEZ%20NUDE3
scribd com/Elisha%20%20Cuthbert%20%20nude
scribd com/Paris-Hilton-nude1
scribd com/HilaryDuff%20nude
scribd com/Megan-Fox-nude2
scribd com/Britney-Spears-nude1
scribd com/Candice%20%20Michelle%20nude
scribd com/Lindsay-Lohan-nude3
scribd com/Mila-Kunis-nude2
scribd com/Miley%20Cyrus%20nude
scribd com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd com/rihanna-nude2
scribd com/Jenny%20Mccarthy%20nude
scribd com/Kim%20%20Kardashian%20%20nude
scribd com/Olsen-Twins-nude2
scribd com/Brooke-Hogan-nude2
scribd com/DeniseRichardsnude2
scribd com/Scarlett%20Johansson%20nude
scribd com/miley-cyrus-nude
scribd com/Celebrity%20%20nude
scribd com/Lindsay-Lohan-nude2
scribd com/Tila%20Tequila%20nude
scribd com/Ashley%20Tisdale%20nude
scribd com/Angelina-Jolie-nude2
scribd com/Denise-Richards-nude-2
scribd com/Britney%20Spears%20nude
scribd com/Hayden%20Panettiere%20nude
scribd com/Carmen-Electra-nude1
scribd com/Brooke-Burke-nude2
scribd com/Megan%20Fox%20nude
scribd com/JessicaSimpson%20nude
scribd com/Kendra-Wilkinson-nude2
scribd com/DeniseRichardsnude
scribd com/AngelinaJolie%20nude
scribd com/Kate%20Mara%20nude
scribd com/Eva%20Green%20nude
scribd com/Mariah%20Carey%20nude
scribd com/Britney-Spears-nude2
scribd com/Paris%20Hilton%20nude
scribd com/CHristina%20Applegate%20nude
scribd com/Billie%20Piper%20nude
scribd com/Rosario%20Dawson%20nude
scribd com/Anna%20Kournikova%20nude
scribd com/Jennifer-Love-Hewitt-nude2
scribd com/Kate%20Winslet%20nude
scribd com/Carmen%20Electra%20nude
scribd com/Jennifer%20Love%20Hewitt%20nude
scribd com/Vida%20Guerra%20nude
scribd com/AnneHathaway%20nude
scribd com/JenniferLopez_nude
scribd com/Trish%20Stratus%20nude
scribd com/Lindsay_Lohannude
scribd com/Pamela%20Anderson%20nude3
scribd com/Jessica-Simpson-nude3
scribd com/JENNIFER%20LOPEZ%20NUDE
scribd com/CHristina%20Aguilera%20nude
scribd com/hilary%20duff%20nude
scribd com/MariahCarey%20nude
scribd com/JohnCena%20nude
scribd com/Halle%20Berry%20nude
scribd com/Amanda%20%20Beard%20%20nude
scribd com/Patricia%20%20Heaton%20%20nude
scribd com/Madonna%20nude
scribd com/JenniferLopez%20nude
scribd com/DeniseRichards%20nude
scribd com/PatriciaHeaton%20nude
scribd com/Celebrity%20nude
scribd com/TilaTequila_nude
scribd com/Hayden-Panettiere-nude2
scribd com/Brenda-Song-nude2
scribd com/Demi%20Moore%20nude
scribd com/celebrity%20nude%201
scribd com/JenniferLove%20Hewitt%20nude
scribd com/Ashley_Harkleroad%20nude
scribd com/AudrinaPatridge%20nude
scribd com/PamelaAnderson%20nude
scribd com/Anna%20Nicole%20Smithnude
scribd com/Meg%20Ryan%20nude
scribd com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing the live exploits serving Koobface samples based on a bitly referrer - in this case the process takes place through myhealtharea cn/incgi13, which instead of redirecting to a scareware domain as analyzed above, is redirecting to a fast-fluxed set of IPs serving an identical Koobface binary - myhealtharea cn/incgi13 loads r-cg100609 com/go/pid=30455ettype=videxp (9238069), which redirects to the live exploits/Koobface. Parked on 9238069 are also the following domains:

er20090515 com
upr0306 com
cgpay0406 com
r-cgpay-15062009 com
r-cg100609 com
trisem com
uprtrishest com
upr15may com
rd040609-cgpay net

Dynamic redirectors from r-cg100609 com/go/pid=30455ettype=videxp on a per session basis:

92255131 217/pid=30455/type=videxp/ch=etea=
92255131 217/pid=30455/type=videxp/setupexe
76229152 148/pid=30455/type=videxp/ch=etea=
76229152 148/pid=30455/type=videxp/ch=etea=/setupexe
18997106 121/pid=30455/type=videxp/ch=etea=
18997106 121/pid=30455/type=videxp/setupexe
11719891 99/pid=30455/type=videxp/ch=etea=
11719891 99/pid=30455/type=videxp/setupexe
791818 29/pid=30455/type=videxp/ch=etea=
791818 29/pid=30455/type=videxp/setupexe
8525362 53/pid=30455/type=videxp/ch=etea=
8525362 53/pid=30455/type=videxp/setupexe
79164220 170/pid=30455/type=videxp/ch=etea=
79164220 170/pid=30455/type=videxp/setupexe
5998104 129/pid=30455/type=videxp/ch=etea=
5998104 129/pid=30455/type=videxp/setupexe
784324 211/pid=30455/type=videxp/ch=etea=
784324 211/pid=30455/type=videxp/setupexe
629863 254/pid=30455/type=videxp/ch=etea=
629863 254/pid=30455/type=videxp/setupexe
8417674 231/pid=30455/type=videxp/ch=etea=
8417674 231/pid=30455/type=videxp/setupexe
panmap in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114806732 - charicard@googlemailcom

Parked on 114806732 are also:

managesystem32 com
napipsec in
trialoc in
pbcofig in
pclxl in
ifxcardm in
ifmon in
panmap in
moricons in
oeimport in
ncprov in

The served setupexe (Win32/KoobfaceBC; Worm:Win32/KoobfacegenD) samples phone back to a single location: upr15may com/achcheckphp; upr15may com/ld/genphp - 9238069; 61235117 71/files/pdrvexe.

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-bosscom indicate that they're also using the newly introduced counteringatecom, however, parked on the same IP as a previously analyzed redirector maintained by the group.

A sample campaign is using the engseo net/sutra/incgi4etparameter=bravoerotica - 841623038 - Email: popkadyp@gmailcom as well as the warworkinfo/cgi-bin/counterid=945706etk=independentetref= - 912076148 redirectors to load free-porn-video-free-porn com/1/indexphpq=bravoerotica - 841623038 - Email: popkadyp@gmailcom serving a fake codec, and is also using the universal counter maintained by the group, counteringate com/countphpid=308.

A second sampled campaign at is-the-bosscom points to a new domain that is once again parked at a well known IP maintained by the gang - goldeninternetsites com/gophpid=2022etkey=4c69e59acetp=1 - 83133123140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 com - 694230204; 69105934; 831331159; 9121265125, with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs, aimed to increase the life cycle of the campaign:

bestantiviruscheck2 com
securitypcscanner2 com
fastpcscan3 com
goodantivirusprotection3 com
antimalware-online-scanv3 com
anti-malware-internet-scanv3 com
antimalwareinternetproscanv3 com
antimalwareonlinescannerv3 com
anti-virussecurity3 com
bestantispywarescanner4 com
fastsecurityupdateserver com

Personal Antivirus then phones back to startupupdates com - 83133123140, where more scareware is parked, with the domains known from previous campaigns:

bestwebsitesin2009 com
live-payment-system com
bestbuysoftwaresystem com
antiviruspaymentsystem com
bestbuysystem com
homeandofficefun com
advanedmalwarescanner com
allinternetfreebies com
goldeninternetsites com
primetimeworldnews com
liveavantbrowser2 cn
momentstohaveyou cn
worldofwarcry cn
awardspacelooksbig us

The affected services have been notified; blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog</description><link>http://www.secuobs.com/revue/news/110796.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/110796.shtml</guid></item>
<item><title>Iranian Opposition DDoS-es pro-Ahmadinejad Sites</title><description>Secuobs.com : 2009-06-16 15:22:23 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

By utilizing the people's information warfare concept, the Iranian opposition has managed to successfully organize a cyber attack against Tehran's regime (complete analysis) by using Twitter, web forums, and localization (translation) of the recruitment messages in order to seek assistance from foreigners.

So far, their rather simplistic denial of service tools have managed to disrupt access to key government web sites, and the intensity of the attacks is prone to increase since the opposition appears to be in a "learning mode".

What does "learning mode" stand for here? It's their current stage of experimentation, clearly indicating their inexperience with such campaigns and DDoS attacks in general. The opposition's de-centralized chain of command isn't even speculating on the use of botnets, since the primitive multi-threaded Iranian connections hitting Iranian sites seem to achieve their effect.

From a strategic perspective, this internal unrest resulting in the disruption of key government web sites, the de-facto propaganda vehicles of the current government, is directly denying their ability to influence the population and the media, which on its way to find information is inevitably going to visit the working opposition web sites.

Moreover, the majority of people's information warfare driven cyber attacks we've seen during the past two years have all been orbiting around the scenario where a foreign adversary is attacking your infrastructure from all over the world. But in the current situation, it's Iran's internal network that's self-eating itself, where the trade off for denying all the traffic would be the traffic which could be potentially influenced through PSYOPs (psychological operations).

What has changed since yesterday's real-time OSINT analysis? The web based "Page Rebooter" tool heavily advertised by the opposition has decided to stop offering the service due to the massive abuse:

"Unfortunately I have had to take the site down temporarily. The site was being used to attack other websites, until I can determine the source of these attacks, I have decided to keep it offline. My apologies to everyone who uses this site for it's intended purpose, hopefully we'll be back soon. I have now received several emails regarding this. Unfortunately, last night's spike in traffic cost me a lot of money in server costs, I therefore cannot afford to keep it online - even if the use is just. I have therefore decided to release the code for this site, so that you may create your own copies."

Meanwhile, the opposition has come up with a segmented targets list including hardline news portals, official Ahmadinejad sites, Iranian law enforcement sites, banks, judiciary and transportation sites, aiming to recruit international supporters:

"ALL PEOPLE AROUND THE WORLD: Please help us in a full-scale cyberwar againts the dictatorial brutal government of Ahmadinjead. Help Iranians to earn back their votes per instructions below: Simply click on few of the following links (better too choose your selections from different categories); it opens the site in a new tab. It will not stop you from browsing but by sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmadinjead's governments flow of information in many of its key components as shown below. Please help us and yourself from this lunatic who will push the world to world war III."

Following the updated list of targets, a new LOICexe DoS tool is being advertised. The tool is, however, anything but sophisticated (it's been around since 6 Jul 2008) compared to even the average Russian DDoS bot. Combined, the simplistic nature of the opposition's attack tools indicates the lack of any in-depth understanding of information warfare principles, in times when other countries are already going beyond cyber warfare and aiming for the unrestricted warfare stage.

The Conspiracy Theory and the Facts

How is the Iranian government/regime responding to these attacks? Is it striking back to the fullest extent speculated in a countless number of cyber warfare research papers? Moreover, can it actually attack the "adversaries" which in this case reside within the country's own network? Can we easily compare this unpleasant situation from an information warfare perspective to the ongoing discussions on whether or not the US should go offensive in cyberwarfare (Should the US Go Offensive In Cyberwarfare), and "go offensive" against who in the first place? The hundreds of thousands of US based malware infected hosts operated by a foreign entity as the adversary, while using the targeted country's infrastructure as a human shield?

That's a dilemma that Iran's government is currently facing, but let's connect the dots and prove that the Fars News Agency, which is pro-Ahmadinejad and maintains ties to the Iranian judiciary, has in fact participated in this "cyber warfare attack with sticks and stones".

The Fars News Agency has been under attack since the beginning of the campaign, approximately 48 hours ago, prompting the site -- just like many others -- to switch to "lite" versions, taking into consideration the ongoing attacks wasting the sites' bandwidth.

In a desperate attempt to influence the outcome of the DDoS attack, Fars News included iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarincom; ghalamnewscom and mirhusseincom) in order to redirect some of the attack traffic to them. The campaigners noticed the change, but upon confirming that the opposition's web sites remain online even with the iFrames in place, decided to continue the attack.

The bottom line - when your very own infrastructure hates you, you become nothing else but an observer to the declining propaganda exposure projections that you've once set, failing to anticipate the fully realistic scenario when the adversary that you've been fortifying to protect from, or have built sophisticated offensive capabilities to deal with, is in fact residing within your own infrastructure. Attempting to attack him or shut him down will only multiply the effect of his original campaign.

The net is vast and infinite.

Recommended reading:
A CCDCOE Report on the Cyber Attacks Against Georgia
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli Pseudo Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNNcom
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking US Department of Defense Networks
Electronic Jihad v30 - What Cyber Jihad Isn't
Electronic Jihad's Targets List
A Cyber Jihadist DoS Tool
Teaching Cyber Jihadists How to Hack
Empowering the Script Kiddies
OSINT Through Botnets
Corporate Espionage Through Botnets
Malware Infected Hosts as Stepping Stones
Hacktivism Tensions - Israel vs Palestine Cyberwars
The Current, Emerging, and Future State of Hacktivism
Internet PSYOPS - Psychological Operations</description><link>http://www.secuobs.com/revue/news/110197.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/110197.shtml</guid></item>
<item><title>From Ukrainian Blackhat SEO Gang With Love - Part Two</title><description>Secuobs.com : 2009-06-10 02:13:37 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

It seems that the portfolio of redirectors using my name as part of an ongoing Ukrainian blackhat SEO is expanding, with seximalinkiru/images/ddanchev-sock-my-dickphp as the latest addition. This brings up the number of redirectors to three, at least for the time being:

* seximalinkiru/images/ddanchev-sock-my-dickphp - active - 745417650; Email: Hippacmc@landru
* seohostia ru/ddanchev-sock-my-dickphp - active - 213155237
* HiDanchomine nu/loginjs - active - 64218616

Let's dissect the latest campaigns, including several related ones not necessarily serving scareware; moreover, let's also establish a connection between this gang and the ongoing hijacking of Twitter trending topics for malware serving purposes, shall we?

The redirector takes the user to antimalwareonlinescannerv3 com - 831331159; 9121265125; 694230204 - Email: immigrationbeijing@footercn, where the scareware is served. The campaign is also relying on three more scareware domains (antimalware-live-scanv3 com; antimalwareliveproscanv3 com; fastsecurityupdateservercom), with ns1futureselfdeeds com ensuring that the rest of the portfolio remains intact:

premiumlivescanv1 com
advanedmalwarescanner com
advanedpromalwarescanner com
antiviruspcscannerv1 com
antiviruspremiumscanv2 com
malware-live-pro-scanv1 com
malwareliveproscanv1 com
malwareliveproscannerv1 com
malwareinternetscannerv1 com
anti-spyware-scan-v1 com
antimalwarescanner-v2 com
freeantispywarescan2 com
antivirus-scanner-v1 com
internetotherwise com
macrosoftwarego com
world-payment-system com
paymentonlinesystem com
livewwwupdates com
liveinternetupdates com
livesecurityupdate com
securitysoftwarepayments com
antiviruspaymentsystem com
systemsecurityupdates com
networksecurityadvice com
systeminternetupdates com
protectionsystemupdates com
updateinternetserver2 com
protectionupdates2 com
proantivirusscannerv2 com
proantivirusscanv2 com
powerantivirusscanv2 com

These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-bosscom is using the redirector ntlligentinfo/tds/incgi11etseoref=etparameter=$keywordetse=$seetur=1etHTTP_REFERER= (72232163171, hosted by Layered Technologies, Inc) in order to serve a Koobface sample located at 912126535/view/1/1416/0, which upon execution phones back to upr15may com/achcheckphp; upr15may com/ld/genphp (119110107137) as well as to i-site ph/1/6244exe; i-site ph/1/nfrexe, with the second binary phoning back to 8513236154/v50/v=71ets=Ietuid=1824245000etp=14160etip=etq=.

Another campaign maintained by them at is-the-bosscom is using three redirectors: kurinahfreehostia com/incgi8; promodomain info/incgi8etseoref=etparameter=$keywordetse=etur=1etHTTP_REFERER= - 66405263 - Email: support@ruler-domainscom; and thetrafficcontrolnet/incgi8etseoref=etparameter=$keywordetse=etur=1etHTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-listcom/teens/xmoviephpid=45048 - 2162401437 - isaacdonn@gmailcom, where malware is served from my-exe-profile com/streamviewer45048exe - 661971716 - Email: michalevd@gmailcom.

Upon execution, streamviewer phones back to reportsystem32 com/senmphpdata= - 216240146119 -, terradataweb com/senmphpdata=v22 - 66199229229 -, and dvdisorapid com/senmphpdata=v22 - 64275202.

Several related fake codec serving domains parked at 2162401437 are also currently active:

get-mega-tube com - Email: raymgnw95@gmailcom
best-crystal-tube com - Email: raymgnw95@gmailcom
the-lost-tube com - Email: hilachow@gmailcom
sunny-tube-house com - Email: hilachow@gmailcom
proper-tube-site com - Email: hilachow@gmailcom
tube-xxx-work com - Email: hilachow@gmailcom
big-tube-list com - Email: isaacdonn@gmailcom

A third campaign is using a single redirector to tangoing info/cgi-bin/analyticsid=917304etk= - 912076148 - Email: dophshli@gmailcom to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.

Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 net/jsrphpuid=diretgroup=ggletkeyword=etokw=etquery="+query+"referer="+escapedocumentreferrer+"ethref="+escapelocationhref+"etr="+rzz+"'", which according to publicly obtainable statistics received approximately 138,000 unique visitors in April, with 30.23% coming from Google.

The traffic hijacking for the purpose of serving malware, using over a hundred different us domains, was in fact so successful that several webmasters reported losing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirection tactics.

The redirectors in question (petrenko biz - 88214200150 - Email: olegoff@yandexru and myseobiz net - 6722515816 - Email: 3bd864dddbe4421ab1112a6ebc6df4fbprotect@whoisguardcom) remain in operation. The bogus Google front page is advertising the following pharma domains: theusdrugs com - 7814013211; parked at the same IP are also more pharma domains:

medscompany org
canadian-rxpill com
bestyourpills com
rx-drugs-support com
payment-rx com
genericdrugs in
mendrugsshop com
healthrefill com

It gets even more inter-connected and malicious, since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.

The TinyURL links used redirect to an identical domain - 00freewebhostcn - 2119579115 - Email: louisgreenfield@gmailcom, where an iFrame is loading happy-tube-video com/xplaysphpid=40030 - 2162401437 - Email: isaacdonn@gmailcom, where Mal/FakeAV-AY (streamviewer40030exe) is served, this time from exe-soft-files com/streamviewer40030exe - 661971716 - Email: michalevd@gmailcom.

This very same domain happy-tube-video com, registered to isaacdonn@gmailcom, is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.

Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost cn - continues to load the malware serving domain despite that its main index is serving a fake account suspended notice - "This Account Has Been Suspended. This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information". Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost cn/shmo/plgif.

A second connection between the Ukrainian blackhat SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.

For instance, the URL shortening service used in last week's campaign at Twitter (agd/2524d9/) redirects to 66199229253/etds/gophpsid=43 and then to av-guard net/uid=27etpid=3 as well as to fast-antivirus com, which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign (streamviewer40030exe), also share the same phone back locations.

Coming across yet another operation managed by them, namely the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware.</description><link>http://www.secuobs.com/revue/news/107736.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/107736.shtml</guid></item>
<item><title>GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC</title><description>Secuobs.com : 2009-06-08 15:25:12 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinforu; 6715253241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia - with routing services courtesy of PIN-AS, Petersburg Internet Network LLC (AS44050; internet-spb.ru):

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St-Petersburg, Russia
e-mail: support@internet-spb.ru
phone: +7 812 4483863
fax-no: +7 812 4483863
person: Metluk Nikolay Valeryevich
address: korp 1a 40 Slavy ave,
address: St-Petersburg, Russia
e-mail: nm@internet-spb.ru
phone: +7 812 4483863
fax-no: +7 812 2683113"

PIN LLC, Sedova 80, +7 812 4483863, support@internet-spb.ru. Contacts: Metluk Nikolay Valeryevich, korp 1a 40 Slavy ave, St-Petersburg, Russia, +7 812 4483863, nm@internet-spb.ru; Ladoha Anton Vladimirovich, korp 1a 40 Slavy ave, St Petersburg, Russia, +7 812 4483863, admin@internet-spb.ru; Strukov Evgeny Olegovich, korp 1a 40 Slavy ave, St-Petersburg, Russia, +7 812 4483863, admin2@internet-spb.ru, estrukov@pinspb.ru. Prefixes: 91212410/24; 9521500/22; 19411160/24; 19411200/23; 19522400/23.

What's also worth pointing out is that a huge number of domains operated by GazTransitStroy's customers, and of course by GazTranzitStroy themselves, not only traceroute back to Petersburg Internet Network LLC's network, but there is also an evident migration to the legitimate NETDIRECT-NET (891492060 - 89149207255; AS2875), as well as to CHINANET-SH, CHINANET shanghai province network (2226400 - 22273255255).

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua; 91212650 - 9121265255; AS48841) remains an inseparable part of GazTransitStroy's info, this clearly indicates the presence of a well known cybercrime powerhouse - the RBN itself.

The following domains (crimeware, live exploits, scareware - you name it, they engage in it) maintained by GazTranzitStroy have migrated as follows.

From 912124196 to CHINANET-SH, CHINANET shanghai province network (2226400 - 22273255255): loshadinet.com, roselambda.cn, use-sena.cn, peopleopera.cn, forexsec.cn, symphonygold.cn, dreamlitediamond.cn, vilihood.cn, bookadorable.cn, drawingstyle.cn, housedomainname.cn, roomsme.cn, vilasse.cn, workfuse.cn, stakeshouse.cn, financeimprove.cn, lifenaming.cn, travetbeach.cn, schoolh.cn, rainfinish.cn, housevisual.cn, kvkhousevisual.cn, xflnhousevisual.cn, worksean.cn, blogtransaction.cn, liteauction.cn, seamodern.cn, smilecasino.cn, newtransfer.cn, oceandealer.cn, puboceandealer.cn, musicdomainer.cn, wowregister.cn, websiteflower.cn, travets.cn, designroots.cn, teamwows.cn, startgetaways.cn, moulitehat.cn, caxfmoulitehat.cn, islandtravet.cn, weekendtravet.cn, resorttravet.cn, litefront.cn, palaceyou.cn, youbonusnew.cn, clubmillionswow.cn, rainjukebox.cn, xuyxuyxuy.cn.

From 9121241114 to NETDIRECT-NET (891492060 - 89149207255; AS28753). Interestingly, the DNS servers for the following domains (ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com) are diversifying at 8914920756 and 9121241114: freeantivirusplus09.com, realantivirusplus09.com, getantivirusplus09.com, smartantivirusplus09.com, addedantivirusonline.com, addedantivirusstore.com, addedantiviruslive.com, addedantiviruspro.com, countedantiviruspro.com, plusantiviruspro.com, myplusantiviruspro.com, addedantivirus.com, youraddedantivirus.com, bestaddedantivirus.com, easyaddedantivirus.com, yourcountedantivirus.com, bestcountedantivirus.com, yourplusantivirus.com, easyplusantivirus.com, yourguardonline.cn, easydefenseonline.cn, bestprotectiononline.cn, freecoveronline.cn, atioqe.cn, yourguardstore.cn, mycheckdiseasestore.cn, examinepoisonstore.cn, freecoverstore.cn, myexaminevirusstore.cn, bestexaminedisease.cn, yourfriskdisease.cn, easyfriskdisease.cn, friskdiseaselive.cn, bestdefenselive.cn, bigprotectionlive.cn, bigcoverlive.cn, examineillnesslive.cn, exodih.cn, suxpymi.cn, aciazi.cn, yourfriskinfection.cn, easyserviceprotection.cn, easyincomeprotection.cn, easypersonalprotection.cn, easybestprotection.cn, myascertainpoison.cn, yourguardpro.cn, refugepro.cn, mycheckdiseasepro.cn, ascertaindiseasepro.cn, yourcheckpoisonpro.cn, easycheckpoisonpro.cn, yourfriskviruspro.cn, myascertainviruspro.cn, fegbywo.cn, feptuaq.cn, myexamineillness.cn, exousyt.cn, newguard2u.cn, freedefense2u.cn, bigdefense2u.cn, bestcover2u.cn, newguard4u.cn, mydefense4u.cn, bestcover4u.cn, newguard4you.cn, mydefense4you.cn, bestcover4you.cn, yourguardforyou.cn, newguardforyou.cn, myguardforyou.cn, freedefenseforyou.cn, mydefenseforyou.cn, bestcoverforyou.cn.

The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua; 91212650 - 9121265255; AS48841), and the migration of domains (scareware, live exploits, crimeware etc.) as follows, from 9121241119 to 91212657 (EUROHOST-NET/Eurohost LLC): nicdaheb.cn, sehmadac.cn, ralcofic.cn, bikpakoc.cn, xidsasuc.cn, koqsuyod.cn, tozxiqud.cn, bowselaf.cn, cuzlumif.cn, porgacig.cn, hifgejig.cn, rogkadej.cn, sipcojeq.cn, silzefos.cn, popyodiw.cn, hayboxiw.cn, peskufex.cn, ridmoyey.cn, cakpapaz.cn.

What kind of an ISP would be maintaining a permanent Under Construction page and engage in Zeus and live exploit serving activities on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off 1, 81 Frunze str,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua"

At eurohost.biz.ua (91212655) we also have parked 123-service.ru, serving a deja-vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources" - as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc.ru/ferrari/mainbin; ramshanabc.ru/ferrari/mainbin). Besides these domains, several others, again registered to kirilboltovnet@yandex.ru, are known to have been maintaining running Zeus crimeware campaigns as well: grafjasqq.ru/kiew/kiewcfg; heliskamm.ru/kiew5cfg; mamaloki.ru/dir2cfg489; mamaloki.ru/kiew3cfg; nionalku.ru/dir5cfg; nionalku.ru/kiew6cfg.

Still not convinced of how malicious their intentions really are? The phone number +7 928 7867612 used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union.</description><link>http://www.secuobs.com/revue/news/106919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106919.shtml</guid></item>
<item><title>Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot</title><description>Secuobs.com : 2009-06-08 10:43:53 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Just like in GazTranzitStroyInfo's case, what we've got here is a failure to understand that the efforts put into building the legitimacy of front-ends to cybercrime are prone to be undermined upon closer examination of the particular web hosting provider.

Who, and what, is Life4you.info - Free Hosting for Live (dirsite.com; 65981580; Dennis Linkor; Email: admin@dirsite.com)?

"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free. Free ASP.NET 2.0 hosting. *Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back. We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves, who maintain a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:
gotodirsite.com/go.php?sid=2&amp;tds-key=erotic+bikini+babes
gotodirsite.com/go.php?sid=2&amp;tds-key=sexe+amateur+on+my+space
gotodirsite.com/go.php?sid=2&amp;tds-key=aunt+judy+older+women
gotodirsite.com/go.php?sid=2&amp;tds-key=view+private+profiles+on+myspace
gotodirsite.com/go.php?sid=2&amp;tds-key=fullmetal+alchemist+porn
gotodirsite.com/go.php?sid=2&amp;tds-key=Asian+style+bed+throws
gotodirsite.com/go.php?sid=2&amp;tds-key=cheerleader+candid+pictures
gotodirsite.com/go.php?sid=2&amp;tds-key=desisexstories
gotodirsite.com/go.php?sid=2&amp;tds-key=Hey+Arnold+porno
gotodirsite.com/go.php?sid=2&amp;tds-key=warcraft+henrai

Upon clicking, the users are redirected to tdncgo2009.com/?uid=68&amp;pid=3 (trdatasft.com; fra22.net; Email: 64861747; Email: hmlragnsky@whoisservices.cn), where the scareware domains are randomly loaded:
virusdoctor-onlinedefender.com - 6421314069; Email: sebarinvertivus@gmail.com
onlinescan-ultraantivirus2009.com - 206536176
virussweeper-scan.net - 206536176
virusalarm-scanvirus.net - 206536176
viruscatcher.net - 6421314071; Email: jeannemcpeters@gmail.com
fast-antivirus.com - 6421314068

The scareware attempts to phone back to update1virusshieldpro.com/ReleaseXP.exe (206536175; Email: unitedisystems@gmail.com) and to updvmfnow.cn (6486179; Email: oijfsdsd@gmail.com). ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybercriminal:
pay-virusshield.cn - 6421314070; Email: unitedisystems@gmail.com; returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site. Error Code #150"
updvmfnow.cn - 6486179
updvmfnow.cn/reports/install-report.php - 6486179
updvmfnow.cn/reports/soft-report.php
updvmfnow.cn/reports/minstalls.php

The phone back location is also hosting more active scareware domains: ultraantivirus2009.com (6486179), virusalarmpro.com, vmfastscanner.com, mysuperviser.com, pay-virusdoctor.com, virusmelt.com, payvirusmelt.com.

Not only is life4info.info or dirsite.com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407 (VELCOM.com), which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason.</description><link>http://www.secuobs.com/revue/news/106870.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106870.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Twenty One</title><description>Secuobs.com : 2009-06-05 17:53:01 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The ongoing abuse of AS10929 (NETELLIGENT Hosting Services Inc) for scareware distribution purposes is peaking once again, which, combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor. Next to listing the scareware domains currently in circulation, in part twenty one of the Diverse Portfolio of Fake Security Software series it's time we put the spotlight on the so called payment processors maintained by phony in-house operations.

The following scareware domains are parked exclusively within AS10929 (NETELLIGENT Hosting Services Inc)'s network, 20944126102 in particular:
fanscan4.com (20944126102; brmargul@gmail.com), rayscan4.com (brmargul@gmail.com), scantop4.com (ansouthe@gmail.com), scanlist6.com (metamant@gmail.com), goscanfine.com (chirelqas@gmail.com), goscanone.com (canrcnad@gmail.com), scan4note.com (ansouthe@gmail.com), in4ck.com (taboussybr@gmail.com), goscanwork.com (govemati@gmail.com), in4tk.com (skeltonrw@gmail.com), goscanatom.com (gleyersth@gmail.com), top4scan.com (ansouthe@gmail.com), slot6scan.com (metamant@gmail.com), gometascan.com (ricboin@gmail.com), gopagescan.com (tanehen@gmail.com), gofinescan.com (alcnafuch@gmail.com), goelitescan.com (funully@gmail.com), gorankscan.com (canrcnad@gmail.com), goworkscan.com (govemati@gmail.com), gogoalscan.com (chinrfi@gmail.com), gogenscan.com (tanehen@gmail.com), goautoscan.com (tanehen@gmail.com), goflexscan.com (alcnafuch@gmail.com), goscanauto.com (canrcnad@gmail.com), scan6slot.com (telerdomb@gmail.com), in4st.com (skeltonrw@gmail.com), scan6list.com (telerdomb@gmail.com), goscanflex.com (chirelqas@gmail.com), goscankey.com (ricboin@gmail.com), scanmeta4.info (sitintu@gmail.com), scannote4.info (sitintu@gmail.com), metascan4.info (finewnrk@gmail.com), zonescan4.info (mexnacc@gmail.com), notescan4.info (finewnrk@gmail.com), miniscan4.info (finewnrk@gmail.com), rankscan4.info (mexnacc@gmail.com), atomscan4.info (finewnrk@gmail.com), fanscan4.info (finewnrk@gmail.com), genscan4.info (finewnrk@gmail.com), autoscan4.info (sitintu@gmail.com), topscan4.info (finewnrk@gmail.com), starscan4.info (finewnrk@gmail.com), fixscan4.info (sitintu@gmail.com), mixscan4.info (finewnrk@gmail.com), luxscan4.info (finewnrk@gmail.com), rayscan4.info (finewnrk@gmail.com), keyscan4.info (sitintu@gmail.com), scangen4.info (sitintu@gmail.com), scanauto4.info (mexnacc@gmail.com), scantop4.info (finewnrk@gmail.com), scanflex4.info (mexnacc@gmail.com), scan4meta.info (finewnrk@gmail.com), scan6meta.info (donboset@gmail.com), scan4fine.info (mexnacc@gmail.com), meta4scan.info (finewnrk@gmail.com), note4scan.info (finewnrk@gmail.com), gen4scan.info (finewnrk@gmail.com), flex4scan.info (mexnacc@gmail.com), fix4scan.info (sitintu@gmail.com), key4scan.info (mexnacc@gmail.com), meta6scan.info (donboset@gmail.com), note6scan.info (donboset@gmail.com), scan4gen.info (finewnrk@gmail.com), scan6gen.info (donboset@gmail.com), scan4auto.info (sitintu@gmail.com), scan4top.info (finewnrk@gmail.com), scan4fix.info (sitintu@gmail.com), scan4key.info (sitintu@gmail.com), fine4scan.info (beelriel@gmail.com), scanmega4.info (bnntnkmn@gmail.com), way4scan.info (bnntnkmn@gmail.com), scan4fan.info (myscarbe@gmail.com).

Exceptions out of AS10929 (NETELLIGENT Hosting Services Inc):
ia-pro.com - 194165441; 2006345224; 20944126104; 2006345224; Email: abuse@domaincp.net.cn
generalantivirus.com - Email: compalso@gmail.com
genpayment.com - Email: seeingrud@gmail.com
livestopbadware.com - Email: producergrom@gmail.com
av-payment.com - Email: abuse@domaincp.net.cn
antimalware-live-scanv3.com - 38991709; 784791153; 831331159; 894723752; 9121265125; Email: immigrationbeijing@footer.cn
antivirus-scanner-v1.com - Email: tareen@yahoo.com
proantivirusscannerv2.com - Email: ecindia@hotmail.com

Who's processing the payments made by the scammed customers? These are the major payment processors of scareware software that have been changing aliases for a while now, with Pandora Software being the most persistent one:
easybillhere.com - 2006345221; Email: myerysin@gmail.com
securesoftwaresecuredbilling.com - 209845122; Viktor Temchenko; Email: TemchenkoViktor@googlemail.com
securepropayments.org - 78461528; Oleg Bajenov; Email: olegbajenov@gmail.com
securesoft-transaction.com - 7791228155; Riabokon, Igor; rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments.com - 209825204; John Sparck; Email: sparck000@mail.com
securepnm-software.com - 209845124; Live Internet Marketing Limited; pnm-softwarecom@liveinternetmarketingltd.com
securethepaymentonline.com - Sergey Ryabov; Email: director@climbing-games.com

What is Pandora Software, and who's behind it (pandora-software.com; pandora-software.info; pandoraxxl.com - 209845121; Live Internet Marketing Limited; Email: pandoraxxlcom@liveinternetmarketingltd.com)? The payment processor describes itself as:

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the careful creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers. If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which are listed on PandoraXXL.com are owned by Oleg Dvoretskiy, Varzinerstr 127, 44369 Dortmund, Germany"

Upon "doing business" with them they include their very latest domain within the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM. If so, then You have made a purchase on one of our websites. This form on the right will help You to locate these transactions. Absolutely sure You have never ever purchased anything with us? Contact us immediately then. Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not able to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first"

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not text? Cybercriminals sometimes ensure that sensitive info potentially undermining their OPSEC doesn't get crawled by public search engines. It gets even more interesting, as Oleg Dvorezky, whose activities as a payment processor for scareware go beyond the support desk, has also included his address - Varzinerstr 127, 44369 Dortmund, Germany - and another phone, again as an image (+1636549-8103), followed by two more numbers (+18669997851 USA; +33179972633 France) listed as contact details.

Moreover, despite the fact that they've got active affiliates distributing scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they may also be engaging in customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them: support@supportdeska.com, support@msantispyware2009.com, support@pandora-software.com, support@pandoraxl.com, support@data-saver.org, support@generalantivirus.com.

For the time being, scareware remains the single most efficient, managed and high liquidity asset used for monetizing cybercrime campaigns.</description><link>http://www.secuobs.com/revue/news/106259.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106259.shtml</guid></item>
<item><title>From Ukrainian Blackhat SEO Gang With Love</title><description>Secuobs.com : 2009-06-04 19:20:00 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors - in this particular case that's seohostia.ru/ddanchev-sock-my-dick.php. Back in 2007, it used to be the polite form of get lost, or "ai siktir vee", courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from one of the search engines hardcoded in the redirector (var se = new Array("google","msn","yahoo","comcast","aol")), the redirector then takes us to macrosoftwarego.com; live-payment-system.com (83133123140; Email: fabian@ingenovate.com), and to antimalware-live-scanv3.com (38991709; 784791153; 831331159; 894723752; 9121265125; Email: immigrationbeijing@footer.cn), where the scareware is served. Visitors arriving without one of those referrers never see the scareware, which is what keeps the redirector out of sight of anyone who simply pastes the URL into a browser.

Scareware domains delegated part of their campaigns, which as of recently diversify to the Lycos owned is-the-boss.com: anti-spyware-scan-v1.com (ns1.futureselfdeeds.com; 784788217), malware-live-pro-scanv1.com, premiumlivescanv1.com, malwareliveproscanv1.com, antiviruspcscannerv1.com, malwareliveproscannerv1.com, freeantispywarescan2.com, antiviruspremiumscanv2.com, proantivirusscanv2.com, antiviruspaymentsystem.com, macrosoftwarego.com, advanedmalwarescanner.com, advanedpromalwarescanner.com, futureselfdeeds.com, allinternetfreebies.com, liveinternetupdates.com, momentstohaveyou.cn.

Rephrasing the Cardigans' Lovefool - common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip.</description><link>http://www.secuobs.com/revue/news/105860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/105860.shtml</guid></item>
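The referrer check quoted in the post above (the var se array of search-engine names) is the whole cloaking mechanism: the same URL answers differently depending on who appears to be asking. The following is an added example, not code from the post or from the gang's redirector. It re-implements that check server-side, then shows the probe a researcher uses to expose it: fetch the URL with no Referer, then once per candidate search engine, and flag any referrer that changes the response. The hostnames, the landing URL and the probe referrers are constructed placeholders; the fetch function is a stand-in so the demo runs offline (a real probe would send the requests with redirects disabled and compare status and Location).

```python
from urllib.parse import urlsplit

# Engine substrings the quoted redirector checks for (from the post).
SEARCH_ENGINES = ("google", "msn", "yahoo", "comcast", "aol")

# Placeholder targets; the campaign's real hosts are in the post, these are not them.
SCAREWARE_LANDING = "http://scareware-landing.invalid/scan.php?affid=1"
DECOY_BODY = "plain decoy page with no redirect"

# Constructed probe referrers: the five listed engines plus one (bing) that is
# NOT in the list, to show that a hardcoded engine list also means traffic from
# unlisted engines is left alone, so a probe must try several referrers.
PROBE_REFERERS = {
    "google": "http://www.google.com/search?q=free+antivirus",
    "msn": "http://search.msn.com/results.aspx?q=free+antivirus",
    "yahoo": "http://search.yahoo.com/search?p=free+antivirus",
    "comcast": "http://search.comcast.net/?q=free+antivirus",
    "aol": "http://search.aol.com/aol/search?q=free+antivirus",
    "bing": "http://www.bing.com/search?q=free+antivirus",
}


def referrer_is_search_engine(referer):
    """True if the referring hostname contains one of the hardcoded engine
    names, the substring test the quoted JavaScript 'se' array performs."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(engine in host for engine in SEARCH_ENGINES)


def redirector(headers):
    """Server side of the cloak: search-engine visitors get a 302 to the
    scareware landing page; everyone else (direct hits, crawlers, researchers
    pasting the URL) gets a harmless decoy. Returns (status, location_or_body)."""
    if referrer_is_search_engine(headers.get("Referer", "")):
        return (302, SCAREWARE_LANDING)
    return (200, DECOY_BODY)


def fake_fetch(url, headers):
    """Stand-in for an HTTP client so the example runs offline."""
    return redirector(headers)


def detect_cloaking(fetch, url):
    """Request the URL without a Referer, then once per probe referrer, and
    report which referrers change the response. Any difference is cloaking;
    the first differing response reveals where search traffic is sent."""
    baseline = fetch(url, {})
    triggering = []
    landing = None
    for name, referer in PROBE_REFERERS.items():
        response = fetch(url, {"Referer": referer})
        if response != baseline:
            triggering.append(name)
            if landing is None and response[0] == 302:
                landing = response[1]
    return {
        "cloaked": bool(triggering),
        "baseline": baseline,
        "triggering_referers": sorted(triggering),
        "landing": landing,
    }


if __name__ == "__main__":
    # Constructed redirector URL; prints which referrers unlock the redirect.
    print(detect_cloaking(fake_fetch, "http://redirector.invalid/in.cgi?6"))
```

In the run above, bing is absent from the triggering list even though the URL is cloaked, which is the practical point: a single-referrer probe (or a crawler that sends none) will miss a redirector whose engine list does not include it.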
<item><title>Dating Spam Campaign Promotes Bogus Dating Agency - Part Two</title><description>Secuobs.com : 2009-06-02 17:09:46 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Your future template-based wife is here, waiting not only for you, but also for the hundreds of thousands of spammed gullible future husbands.

Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.

As in their previous campaigns, they're spamming from LRouen-152-82-6-202.w80-13.abo.wanadoo.fr (8013101202), and here's the most recent portfolio of domains used in the spam campaigns, parked at 6290136207:
dating-forin-loved.com - Email: deolserdo@safe-mail.net
matchwithworld.com - Email: esheodin@safe-mail.net
love-f-emale.com - Email: lo3664570460504@absolutee.com
i-amsingle.com - Email: i-3685838623704@absolutee.com
for-you-from-me.com - Email: PabloStantonXW@gmail.com
love-me-long-time.com - Email: lo3685839114104@absolutee.com
destinycombine.com - Email: esheodin@safe-mail.net
you-isnot-alone.com - Email: SamNilsenson@gmail.com
find-some-love.com - Email: SamNilsenson@gmail.com
find-thereal-love.com - Email: deolserdo@safe-mail.net
all-hot-love.com - Email: sup3portne3west@safe-mail.net
find-the-reallove.com - Email: fi3653005547304@absolutee.com
sweet-hearts-dating.com - Email: SamNilsenson@gmail.com
my-great-dating.com - Email: SamNilsenson@gmail.com
yourmatchwith.com - Email: esheodin@safe-mail.net
loking-for-aman.com - Email: lo3653004406804@absolutee.com
myloving-heart.com - Email: my3685835605504@absolutee.com
beautiful-prettywoman.com - Email: JosiahMillerTP@gmail.com
buildyour-happylove.net - Email: bu3664569267104@absolutee.com
adorelovewon.com - Email: supportnewest@safe-mail.net
andiloveyoutoo.com - Email: enorst10@yahoo.com
myloveamour.com - Email: supportnewest@safe-mail.net
luckyheatrs.com - Email: neujelivsamomdeli@gmail.com
just-waiting-foryou.com - Email: SamNilsenson@gmail.com
dreams-about-lady.com - Email: JosiahMillerTP@gmail.com
inspiredlove.net - Email: antonkovalchukk@gmail.com
make-family.net - Email: JosiahMillerTP@gmail.com
createyourlove.net
fillinglove.net

Let's connect the dots, shall we? Notice some of the registrants' emails, namely supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. It gets even more interesting taking into consideration the fact that the money laundering group's botnet command and control domain was registered to supp3ortnewest@safe-mail.net - the same handle with digits inserted at different positions. Moreover, among the unique usernames used exclusively by this botnet was in fact the one used in Confidential Connections' spam campaigns, confirming their connection.

Naturally, Confidential Connections are also rubbing shoulders with more cybercrime-facilitating domains sharing the same DNS infrastructure (ns1srv.com). For instance, superfuturebiz.com/ and maingovermnfer5.com (Trojan-Spy.Win32.Zbot.uyn), where the Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5.com/anyfldr/demo.exe, which once executed attempts to download Zeus crimeware from maingovermnfer5.com/anyfldr/cfg.bin.

Moreover, there's carder-shop.com, which is an ex-Atrivo darling; yourmagicpills.com, which is a typical pharmaceutical scam; zaikib.in, a malware command and control; and eefs.info, which is a phony "East Europe Financial System" and looks like a typical money mule recruitment operation.</description><link>http://www.secuobs.com/revue/news/104969.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104969.shtml</guid></item>
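Three of the posts above rest on the same analyst move: pivot on what the operators reuse. The Part Twenty One list groups scareware domains by a handful of Gmail registrants, the GazTranzitStroy posts track domains by the prefix they sit in, and the dating-spam post links Confidential Connections to the money-laundering botnet through supportnewest / sup3portne3west / supp3ortnewest at safe-mail.net, one handle padded with digits in different places. The following is an added example, not tooling from the blog: it parses a short flattened list in the posts' "domain - ip - Email: x" style, normalizes registrant handles so digit-padded variants collapse, and maps IPs to prefixes. The record lines are constructed (a few real handles from the posts, invented domains such as botnet-c2.invalid, and documentation IPs, since the page's IPs lost their dots); the 91.212.41.0/24 prefix for AS29371 is an assumption made for the demo, not a value taken from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records in the posts' "domain - ip - Email: x" style.
# botnet-c2.invalid and the 192.0.2.x / 91.212.41.x addresses are invented.
SAMPLE = """
adorelovewon.com - Email: supportnewest@safe-mail.net
all-hot-love.com - Email: sup3portne3west@safe-mail.net
botnet-c2.invalid - Email: supp3ortnewest@safe-mail.net
find-some-love.com - Email: SamNilsenson@gmail.com
my-great-dating.com - Email: SAMNILSENSON@gmail.com
love-f-emale.com - Email: lo3664570460504@absolutee.com
i-amsingle.com - Email: i-3685838623704@absolutee.com
fanscan4.com - 192.0.2.10 - Email: brmargul@gmail.com
rayscan4.com - 192.0.2.10 - Email: brmargul@gmail.com
peopleopera.cn - 91.212.41.96
housedomainname.cn - 91.212.41.96
"""

# domain, optional " - ip", optional " - Email: x" (positional groups).
RECORD = re.compile(
    r"^(\S+)"
    r"(?:\s+-\s+(\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s*(\S+))?$"
)


def parse_records(text):
    """Turn the flattened list into dicts; lines that do not match are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if m:
            domain, ip, email = m.groups()
            records.append({"domain": domain.lower(), "ip": ip, "email": email})
    return records


def normalize_handle(email):
    """Collapse digit-padded variants of one handle: sup3portne3west and
    supp3ortnewest both become supportnewest. If stripping digits leaves
    fewer than five characters (lo3664570460504 becomes lo), the handle is
    kept as is: those numeric handles are per-domain throwaways, and merging
    them would manufacture a link the data does not support."""
    local, _, domain = email.lower().partition("@")
    stripped = re.sub(r"\d", "", local)
    if len(stripped) >= 5:
        local = stripped
    return local + "@" + domain


def cluster_by_registrant(records):
    """Normalized registrant handle to the sorted domains it registered;
    singletons are dropped because they pivot to nothing."""
    clusters = defaultdict(set)
    for r in records:
        if r["email"]:
            clusters[normalize_handle(r["email"])].add(r["domain"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


def hosted_in(records, prefixes):
    """Prefix to the sorted domains whose IP falls inside it; a prefix with
    no hits is omitted. Use this to watch a portfolio move between networks."""
    nets = {p: ipaddress.ip_network(p) for p in prefixes}
    hits = defaultdict(set)
    for r in records:
        if r["ip"]:
            addr = ipaddress.ip_address(r["ip"])
            for p, net in nets.items():
                if addr in net:
                    hits[p].add(r["domain"])
    return {p: sorted(v) for p, v in hits.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(cluster_by_registrant(recs))
    # 91.212.41.0/24 is assumed for AS29371 here; 192.0.2.0/24 is a documentation range.
    print(hosted_in(recs, ["91.212.41.0/24", "192.0.2.0/24"]))
```

The digit-stripping rule is deliberately narrow. It joins the three safe-mail.net spellings into one cluster, which is the pivot the post makes, while refusing to merge the long numeric absolutee.com handles that a blunter normalization would turn into a single false registrant.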
<item><title>Summarizing Zero Day's Posts for May</title><description>Secuobs.com : 2009-06-02 17:09:46 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The following is a brief summary of all of my posts at ZDNet's Zero Day for May. You can also go through the previous summaries for April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Notable articles include: Inside the botnets that never make the news - a gallery; China's 'secure' OS Kylin - a threat to US offensive cyber capabilities; and The Web's most dangerous keywords to search for.

01. Cybercriminals promoting malware-friendly search engines
02. New Mac OS X email worm discovered
03. China's 'secure' OS Kylin - a threat to US offensive cyber capabilities
04. Spammers harvesting emails from Twitter - in real time
05. 56th variant of the Koobface worm detected
06. Study: password resetting 'security questions' easily guessed
07. D-Link router's CAPTCHA flawed, WPA passphrase retrieved
08. Inside the botnets that never make the news - a gallery
09. The Web's most dangerous keywords to search for</description><link>http://www.secuobs.com/revue/news/104968.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104968.shtml</guid></item>
<item><title>3rd SMS Ransomware Variant Offered for Sale</title><description>Secuobs.com : 2009-05-28 00:26:49 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the face of File Fix Professional 2009 and FakeAlert-CO (or System Security), followed by two separate SMS-based ransomware variants, Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user into believing that as of 1st of May Microsoft is launching a new anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
- Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder, the file is almost impossible to find
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

The price for a custom-made version with the customer's own SMS data is $10, with $5 per new undetected copy, as well as the complete source code available for $50, again from the same vendor.

From a "visual social engineering" perspective - the one that makes scareware what it is as a product, a product which wouldn't have scaled so fast if it weren't for the distribution channel in the form of web site compromises and blackhat SEO in the first place - the latest SMS ransomware variant lacks any significant key visual features which can compete with, for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization-on-demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian-speaking ones it is limited to for the time being.</description><link>http://www.secuobs.com/revue/news/102328.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/102328.shtml</guid></item>
<item><title>Inside a Money Laundering Group's Spamming Operations</title><description>Secuobs.com : 2009-05-26 19:48:14 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Next to the efficiency- and cost-effectiveness-centered cybercriminals who anticipated the outsourced Cybercrime-as-a-Service model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.

What do the known money laundering aliases such as Value Trans Financial Group, Inc (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc (etop-grouplicc); Liberty Group Inc (libertygroup.cc); Eagle Group Inc (eaglegroupmain.cn); Star Group Inc (eagle-group.net); DBS Group Inc (dbs-group.cn); FB&amp;B Group Inc (fbb-grouplicc); Advance Finance Group LLC (af-g.net); DC Group Inc (dc-group.cn); IBS Group Inc (ibsgroup.cc; ibsgrouplicn) and FCB Group Inc (fcb-group.cc) have in common? A botnet of 31,000 infected hosts which they use exclusively for spamming.

The money laundering organization describes itself as:

"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved in the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively. The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface is using the very same web server that they use for recruitment purposes. Screenshots of their command and control interface, used exclusively for spam campaigns, accompany the original post.

The domain is registered to supp3ortnewest@safe-mail.net, and the DNS services are courtesy of onegoldwonderful9.info, ns.partnergreatest8.net, back.partnergreatest8.net and twogoldwonderful9.info, which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting that site last year). Taking down the group's command and control domain is in progress.</description><link>http://www.secuobs.com/revue/news/101775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/101775.shtml</guid></item>
<item><title>GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime</title><description>Secuobs.com : 2009-05-20 05:16:04 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - "In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to HangUp Team's infamous "in fraud we trust". It is somehow weird to what lengths certain cybercriminals would go to create a feeling of legitimacy for their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91212410/24, based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are spreading their infrastructure across different hosting providers to increase the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info.info and sex-tapes-celebs.com serving softwarefortubeview40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider in the face of AS48841 (EUROHOST-AS, Eurohost LLC), which was providing hosting infrastructure to the scareware domains that were part of Conficker's scareware monetization strategy, and continues to do so for a great deal of exploit/malware serving domains, next to AS10929 (NETELLIGENT Hosting Services Inc), where the infrastructure of the three hosting providers has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits, Zeus config files and scareware found within AS29371 and pushed through blackhat SEO and web site compromises: peopleopera.cn (912124196), forexsec.cn, vitamingood.cn, bookadorable.cn, drawingstyle.cn, housedomainname.cn, workfuse.cn, schoolh.cn, rainfinish.cn, housevisual.cn, worksean.cn, liteauction.cn, newtransfer.cn, oceandealer.cn, musicdomainer.cn, websiteflower.cn, designroots.cn, islandtravet.cn, litefront.cn, clubmillionswow.cn, softwaresupport-group.com (912124191), bestfindahome.cn, dastrealworld.ru, elantrasantrope.ru, borishoffbibi.ru, sandiiegoexpo.ru, nightplayauto.ru, startdontstop.ru.

For instance, a sampled domain such as housedomainname.cn/in.cgi?6 redirects us to securityonlinedirect.com/scan.php?affid=02083, which is serving scareware with hosting courtesy of AS10929 (Netelligent Hosting Services Inc), which, in case you remember, popped up in A Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld.com (2094412622) we also have a portfolio of scareware domains: thestabilityweb.com, securityonlineworld.com, websecuritypolice.com, wwwsafeexamine.com, dynamicstabilityexamine.com, networkstabilityexamine.com, safetyscansite.com, onlinesafetyscansite.com, securityscansite.com, stabilityonlineskim.com, socialsecurityscan.com, securityexamination.com, internetsecuritymetrics.com, onlinebrandsecuritys.com, securityonlinedirect.com, scanstabilityinternet.com, stabilityaudit.com, websecuritybureau.com, safewebsecurity.com, webbrowsersecurity.com, futureinternetsecurity.com, superiorinternetsecurity.com.

The fake codec at video-info.info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet.com (912126554; AS48841 EUROHOST-NET), where more malicious activity is easily detected at: downloadmax.org (912126519), hd-codec.com, shotgol.com, kauitour.com, coecount.com, countbiz.com, videoaaa.net, 7stepsmedia.net, ispartof.net, amoretour.net, browardcount.net, trucount3000.com (912126510; 912126529), trucount3001.com, trucount3002.com, antivirus-xppro-2009.com, onlinescanxppp.com, onlinescanxpp.com, onlinescanxp.com, free-webscaners.com.

In cybercriminals I don't trust.

Related posts: Fake Codec Serving Domains from Digg.com's Comment Spam Attack; Lazy Summer Days at UkrTeleGroup Ltd; Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software; Massive Blackhat SEO Campaign Serving Scareware; EstDomains and Intercage VS Cybercrime; The Template-ization of Malware Serving Sites; The Template-ization of Malware Serving Sites - Part Two; Malware campaign at YouTube uses social engineering tricks; Poisoned Search Queries at Google Video Serving Malware; Syndicating Google Trends Keywords for Blackhat SEO.

Related Russian Business Network coverage: The New Media Malware Gang - Part Four; The New Media Malware Gang - Part Three; The New Media Malware Gang - Part Two; The New Media Malware Gang; Rogue RBN Software Pushed Through Blackhat SEO; RBN's Phishing Activities; RBN's Puppets Need Their Master; RBN's Fake Account Suspended Notices; A Diverse Portfolio of Fake Security Software; Go to Sleep, Go to Sleep my Little RBN; Exposing the Russian Business Network; Detecting and Blocking the Russian Business Network; Over 100 Malwares Hosted on a Single RBN IP; RBN's Fake Security Software; The Russian Business Network.</description><link>http://www.secuobs.com/revue/news/98597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/98597.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Twenty</title><description>Secuobs.com : 2009-05-14 23:24:04 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.
Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.
This tactic is however a great example of the dynamics of the underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?). Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embed malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.
For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:
Related posts: Dissecting a Swine Flu Black SEO Campaign; Massive Blackhat SEO Campaign Serving Scareware; A Diverse Portfolio of Fake Security Software - Part Nineteen; A Diverse Portfolio of Fake Security Software - Part Eighteen; A Diverse Portfolio of Fake Security Software - Part Seventeen; A Diverse Portfolio of Fake Security Software - Part Sixteen; A Diverse Portfolio of Fake Security Software - Part Fifteen; A Diverse Portfolio of Fake Security Software - Part Fourteen; A Diverse Portfolio of Fake Security Software - Part Thirteen; A Diverse Portfolio of Fake Security Software - Part Twelve; A Diverse Portfolio of Fake Security Software - Part Eleven; A Diverse Portfolio of Fake Security Software - Part Ten; A Diverse Portfolio of Fake Security Software - Part Nine; A Diverse Portfolio of Fake Security Software - Part Eight; A Diverse Portfolio of Fake Security Software - Part Seven; A Diverse Portfolio of Fake Security Software - Part Six; A Diverse Portfolio of Fake Security Software - Part Five; A Diverse Portfolio of Fake Security Software - Part Four; A Diverse Portfolio of Fake Security Software - Part Three; A Diverse Portfolio of Fake Security Software - Part Two; Diverse Portfolio of Fake Security Software.</description><link>http://www.secuobs.com/revue/news/96485.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/96485.shtml</guid></item>
<item><title>SMS Ransomware Source Code Now Offered for Sale</title><description>Secuobs.com : 2009-05-12 17:36:32 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Remember the ransomware variant that was locking down users' PCs and demanding a premium SMS in order for them to receive the unlocking code? In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15. Here are some of its features:
- When executed, presents the user with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted; completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, and the default shortcuts for terminating a program
The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected users' PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages, courtesy of localization-on-demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.
However, from an operational security (OPSEC) perspective, which I often emphasize in order to demonstrate how efficient cybercrime-facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much more easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?), which, given they put enough effort into it, can make the process virtually untraceable.
Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiquitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.
Related posts: Mobile Malware Scam iSexPlayer Wants Your Money; New mobile malware silently transfers account credit; New Symbian-based mobile worm circulating in the wild.</description><link>http://www.secuobs.com/revue/news/94932.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/94932.shtml</guid></item>
<item><title>Dating Spam Campaign Promotes Bogus Dating Agency</title><description>Secuobs.com : 2009-05-06 23:06:06 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the Lonely Polina and the malware and exploits serving girls, Russian/Ukrainian dating scams are still pretty active these days. A recently spammed dating campaign exposes the fraudulent practices of a well known such agency that has been changing its name, typosquatting new domains in order to remain beneath the radar, a bit of an awkward practice given their noisy spamming approach of attracting visitors.
The spam's message:
"Good day, my gentleman. All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quiet and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you. http://iam-waiting4love.com/infinity/ Waiting for your mail. Sveetlana B"
The user is then asked to register at hifor-you.com/register.php, followed by an email confirmation explaining how the agency/scam at ualadys.com (7674250239, Email: Tyom13@aol.com) works:
"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, check out her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man. Compatibility is the KEY. Our formula is simple, yet highly productive: 1. You fill out our profile, same as the Ladies. 2. Select the Ladies you would like to meet. 3. Until you have a predetermined amount of Ladies reply with a yes. 4. During your trip meetings are scheduled in a private, one-on-one setting, with an interpreter to assist you if you require one. We know that your time is limited when you go on a trip. This is a very efficient selection process that saves your time and, in fact, allows you the extra time to really get to know the Ladies. All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male client's access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, then arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision. Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YIELDING A 95% SUCCESS RATE. Again, the reason for this is the growing frustration among the Ladies about the lack of follow through by the men. Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MEN WHO ARE SERIOUS. During our Special Photoshoot Trips (e-mail for dates) you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went on trips."
The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist in the first place, in the following way:
All scam patterns have similarities that are very easy to spot if you know what to watch out for:
* Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad and will fit anybody - "kind intelligent man, age and race don't matter".
* Sometimes *she* places a real nice description and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.
* It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.
This is very entertaining, since the agency is driving traffic to its domains through spamming. The full list of spammed domains that are part of the campaign:
There's something "ingenious" about this type of dating scam, since the bogus dating agency can forward the scam responsibility to the non-existent girls in the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the ad agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.
Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.</description><link>http://www.secuobs.com/revue/news/92825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/92825.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for April</title><description>Secuobs.com : 2009-05-01 10:33:26 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can also go through previous summaries for March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion; and Twitter hit by multiple variants of XSS worm.
01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel</description><link>http://www.secuobs.com/revue/news/90923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/90923.shtml</guid></item>
<item><title>419 Scam Artists Using NYTimes.com 'Email this' Feature</title><description>Secuobs.com : 2009-05-01 00:22:30 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
In times when more and more scammers/spammers are getting DomainKeys verified, others are finding adaptive ways to increase the probability of bypassing antispam filters. Take for instance this 419 scam artist, who's been pretty active in his scamming attempts as of recently.
Basically, he's exploiting the fact that he's allowed to enter a message within NYTimes.com's 'Email this' feature, so that it will successfully reach the potential victim based on the clean IP reputation of NYTimes - and sadly, he's right, since he's already sending scam messages through the following accounts registered at the site: douglas_999@live.fr; douglas77@live.fr; mamadou_sanou@live.fr; markkabore0@yahoo.fr; abdelk11@hotmail.fr; sulem_musa@live.fr; davidbchirot@hotmail.com.
His excuse for using NYTimes.com: "Based on the bank high sensitiveness and security i have decided to contact you outside the bank's sever IP for a beneficial transaction".
Another scam that I've been tracking for a while is using a new "Handbag stolen at Barcelona airport" social engineering attempt, and is attaching scanned copies of real baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you don't know what advance fee fraud is.</description><link>http://www.secuobs.com/revue/news/90722.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/90722.shtml</guid></item>
<item><title>Massive SQL Injections Through Search Engine's Reconnaissance - Part Two</title><description>Secuobs.com : 2009-04-29 14:57:59 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of, for instance, the ASProx botnet, the process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections remains a commodity feature in a great number of newly released malware bots.
In 2004, the Santy worm advertised the feature to the not so efficiently centered hordes of script kiddies back then. Due to its simplicity, but huge potential for abuse, the concept of SQL injections through search engine reconnaissance has not only reached a real-time syndication with the latest remotely exploitable web application vulnerabilities, but has also converged with remote file inclusion checks, local file inclusion checks, and ip2geolocation to unethically pen-test a particular country, going beyond its designated domain extension.
A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw featured at Milw0rm, based on its real-time syndication of the exploits. Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site. Some of the features include:
- Remote file inclusion
- Local file inclusion checks
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it
The commoditization of these features results in a situation where the window of opportunity for abusing a particular web application flaw is abused much more efficiently, due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time. The concept, as well as the features within the bot, are not rocket science - that's what makes it so easy to use.
Related posts: Massive SQL Injection Attacks - the Chinese Way; Yet Another Massive SQL Injection Spotted in the Wild; Obfuscating Fast-fluxed SQL Injected Domains; Smells Like a Copycat SQL Injection In the Wild; SQL Injecting Malicious Doorways to Serve Malware; SQL Injection Through Search Engines Reconnaissance; Stealing Sensitive Databases Online - the SQL Style; Fast-Fluxing SQL injection attacks executed from the Asprox botnet; Sony PlayStation's site SQL injected, redirecting to rogue security software; Redmond Magazine Successfully SQL Injected by Chinese Hacktivists.</description><link>http://www.secuobs.com/revue/news/89830.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89830.shtml</guid></item>
<item><title>Spamvertised Swine Flu Domains</title><description>Secuobs.com : 2009-04-28 23:03:47 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
The people behind the ongoing swine flu spam campaign have either missed their marketing lectures, haven't been to any at all, or are simply too lazy -- their order processing is not even using SSL -- to fully exploit the marketing window opened by the viral outbreak: the majority of spamvertised domains are redirecting to your typical Canadian Pharmacy scam, instead of swine flu related templates.
Swine flu spamvertised domains:
Happy blacklisting/cross-checking.
Related posts: Inside an Affiliate Spam Program for Pharmaceuticals; Love is a Psychedelic, Too; Pharmaceutical Spammers Targeting LinkedIn; Fast-Flux Spam and Scams Increasing; Storm Worm Hosting Pharmaceutical Scams; Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings; Incentives Model for Pharmaceutical Scams.</description><link>http://www.secuobs.com/revue/news/89375.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89375.shtml</guid></item>
<item><title>Massive Blackhat SEO Campaign Serving Scareware</title><description>Secuobs.com : 2009-04-22 21:11:44 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within. And despite that the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up, and once again start hijacking search queries, in a combination of scareware and pay per click redirections.
It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.
The first stage of the campaign was relying on mainstream media titles within its pages such as USA News; BBC News; CNN News as well as Hottest info; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains. Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts of wandering around -- and removed the titles, which combined with the typical referrer checking made the campaign a bit more evasive:
var ref,i,is_se=0; var se = new Array("google","msn","yahoo","comcast","aol","dead"); if(document.referrer) ref=document.referrer; else ref=""; for(i=0;i&lt;5;i++)
Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service (chitua/hiti=6058etg=0etx=2ets=1etc=1ett=420etw=1024eth=768etd=24et05505934176708958etr=etu=http%3A//13newshobby-sitecom/counterjs).
The most recent list of domains on popular DNS services is as follows. Sub-domains within are excluded, since there are several hundred currently active per domain:
net18newshomeftp org19newsblogdns com19newsdnsdojo org19newsgotdns com19newskicks-ass org19newsservebbs com22newsblogdns comcreditratingguide hobby-sitecomdisneyearrings hobby-sitecomflatbellydiet hobby-sitecomhydrangacutflowers hobby-sitecomisa-geek orgmxzsaw hobby-sitecommysteryterms hobby-sitecomThe rotated scareware/fake security software domains include:scan-antispyware-4pc com - parked at 195888193 the same portfolioof fake security software domains which I warned that by blocking youwould proactively protect your customers from black hat SEO campaigns- like this one for instancepcvistaxpcodec comonlinevirus-scannerv2 comav-antispyware comscan-antispy-4pc comfastviruscleaner comsecurityhelpcenter comscan-antispy-4pc comscanner-work-av comscanner-antispy-av-files comadwarealert comproantispyware comIMAGEDownload locations/related fake codec redirections:winpcdown10 com 194165477suckitnow1 comwinpcdown99 comloyaldown99 comcodecxpvista comwincodecupdate comvelzevuladmin comtubeloyaln comwedaretubeloyaln comlamertubeloyaln combillingpaymentnetcodecstubeloyaln comvideosztubeloyaln comloyal-porno com - the same domain was recently exposed in the sameblackhat SEO campaignwin-pc-defender comcodecvistaz comloyalvideoz comSample detection rates:litetubevideoz net/codec/277exe - detection ratewinpcdown99 com/pcdefexe - detection ratewinpcdown99 com/fileexe - detection ratesetupadwarealert com/setupxvexe - detection ratefilesscanner-antispy-av-files com/exe/setup_200093_1_1exe -detection rateMonitoring of the campaign would continueRelated posts:Dissecting the Bogus LinkedIn Profiles Malware CampaignBogus LinkedIn Profiles Redirect to Malware and Rogue SecuritySoftwareBlackhat SEO Redirects to Malware and Rogue SoftwareThe Invisible Blackhat SEO CampaignAttack of the SEO Bots on the EDU Domainp0rngov - The Ongoing Blackhat SEO OperationThe Continuing Gov Blackat SEO CampaignThe Continuing Gov Blackhat SEO Campaign - Part TwoRogue RBN Software Pushed Through Blackhat 
SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation</description><link>http://www.secuobs.com/revue/news/86718.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/86718.shtml</guid></item>
<item><title>A CCDCOE Report on the Cyber Attacks Against Georgia</title><description>Secuobs.com : 2009-04-16 19:38:39 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defence Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified", authored by Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm and Liis Vihul, not only quotes me extensively but has also reproduced the entire research within its annexes.

Looks great.

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli Pseudo Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking US Department of Defense Networks
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Electronic Jihad's Targets List
A Cyber Jihadist DoS Tool
Teaching Cyber Jihadists How to Hack
Empowering the Script Kiddies
OSINT Through Botnets
Corporate Espionage Through Botnets
Malware Infected Hosts as Stepping Stones
Hacktivism Tensions - Israel vs Palestine Cyberwars
The Current, Emerging, and Future State of Hacktivism
Internet PSYOPS - Psychological Operations</description><link>http://www.secuobs.com/revue/news/84305.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/84305.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Nineteen</title><description>Secuobs.com : 2009-04-16 19:29:21 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - IMAGEYou know things are getting out of hand when the scarewareecosystem scales to the point when typosquatted scareware domainsoffering removal services for the very same scareware distributedunder multiple brandsIn response to the potential Conficker-ization of the scarewarebusiness, part nineteen of the Diverse Portfolio of Fake SecuritySoftware is the most massive update since the series started, and witha reason - to squeeze the cybercrime ecosystem, and ruin theirmalicious economies of scale revenue generation approachesHere are the most recent additions, with their associated registrantemails for clustering, cross-checking, and case building purposes:IMAGEvundofixtool com 174132250194remove-winpc-defender comremove-virus-melt comremove-ultra-antivir-2009 comremove-ultra-antivirus-2009 comremove-total-security comremove-system-guard comremove-spyware-protect-2009 comremove-spyware-protect comremove-spyware-guard comremove-personal-defender comremove-ms-antispyware comremove-malware-defender comremove-ie-security comremove-av360 comremove-antivirus-360 comremove-a360 comav360removaltool comantivirus360remover comremove-winpc-defender comremove-virus-melt comremove-virus-alarm comremove-ultra-antivirus-2009 comremove-ultra-antivir-2009 comremove-total-security comIMAGEgotipscan com 66197154199 Robert Sampson Email:bausness@gmailcomscanline6 comscanstep6 comscanbest6 comgoscandata comgoscanhigh comtrue6scan comany6scan comgolitescan comgofanscan comgotipscan comgostarscan comgoluxscan comgoonlyscan comscan6step comgoscanstep comscan6fast comscanline6 infoscanlog6 infolinescan6 infomainscan6 infolog6scan infomain6scan infoIMAGEaddedantiviruslive com 942472215 Administrative Email:werracruz99008@gmailcomsearchrizotto comeasyaddedantivirus comyourcountedantivirus 
comav-plus-support comyourguardonline cneasydefenseonline cnbestprotectiononline cnyourguardstore cnexaminepoisonstore cnfreecoverstore cnmyexaminevirusstore cnbestexaminedisease cnyourfriskdisease cnfriskdiseaselive cnbestdefenselive cnbigprotectionlive cnbigcoverlive cneasyserviceprotection cneasypersonalprotection cnmyascertainpoison cnyourguardpro cnrefugepro cnmycheckdiseasepro cnyourcheckpoisonpro cnbigdefense2u cnnewguard4u cnmydefense4u cnbestcover4u cnIMAGEfullsecurityshield com 2094412614 Gregory Bershk Email:bershkapull@gmailcomgreatsecurityshield comtrustsecurityshield comanytoplikedsite comtopsecurityapp cominetsecuritycenter comsecuritytopagent comthebestsecurityspot comtopsecurity4you comfullandtotalsecurity comIMAGEextrantiviruscom 947520911rapid-antivir-2009comrapid-antivir2009comrapidantivirus2009comrapidantivirus09comrapidantiviruscomultraantivirus2009comsoft-trafficcomseresultcom is a traffic management domain for the campaign egseresult com/gophpid=3466IMAGEgreatstabilitytraceonline com 9424734 Jacquelyn JainEmail: jacquelynjjain@gmailcombeststabilityscan combeststabilityscans comesnetscanonline comgreatstabilitytraceonline comgreatvirusscan comnetworkstabilitytrace comonlinestabilityscanada comprotectionexamine comquickstabilityscan comsafetyexamine comstabilityinetscan comstabilitysolutionslook comswiftsafetyexamine comwebprotectionscan comwebwidesecurity comscanmix4 com 63146292 Clifford Barton Email: learnico@gmailcombestscan7comgoscandata comscan7live comnew7scan comgodatascan comgosidescan comgoluxscan comgoonlyscan comgoscanstep comscantool4 infonewscan4 infoscannew4 infotool4scan infoIMAGEexstra-av-scanner net 7826179237 Joan Oglesby Email:extraantivirus@gmailcommsantivir-storage comms-antivirus-storage comgoodproantispyware comms-antivir-scan comanispy-storage-ms comms-av-storage-best comantivir-scanner-ms-av commsscan-files-antivir com 195888193hot-girl-sex-tube commsscan-files-antivir commsscanner-top-av commsscanner-files-av 
comantivir-4pc-ms-av comIMAGEultraantivirus2009 com 6486179virusalarmpro comvmfastscanner commysuperviser compay-virusdoctor comvirusmelt compayvirusmelt commysupervisor netmsscanner-top-av com 195888193msscanner-files-av comantivir-4pc-ms-av comhot-girl-sex-tube comantivirus-av-ms-check com 7826179131antivirus-av-ms-checker comms-anti-vir-scan commega-antiviral-ms comextremetube09 com 9424727 Mariya Latinina Email:latinina40@gmailcomsoftupdate09 comextrafastdownload commyrealtube netextraantivir com 206536174no-as-scanner com 195888137 Roy Latoya Email:latoysmith@gmailcompro-scanner-av-pc comtantispyware com 6511060123; 6511060122webantispy compantispyware09 comfastantivirus09 com 947520974Blacklisting --until the domains themselves get suspended -- thescareware domains proactively protects your customers from the "finaloutput" of a huge percentage of attacks taking advantage of blackhatSEO, SQL injection, site compromise, malvertising, and automatic abuseof Web 20 services through human-based CAPTCHA solving such as Digg;LinkedIn, Bebo, Picasa and ImageShack, YouTube and Google VideoRelated posts:A Diverse Portfolio of Fake Security Software - Part EighteenA Diverse Portfolio of Fake Security Software - Part SeventeenA Diverse Portfolio of Fake Security Software - Part SixteenA Diverse Portfolio of Fake Security Software - Part FifteenA Diverse Portfolio of Fake Security Software - Part FourteenA Diverse Portfolio of Fake Security Software - Part ThirteenA Diverse Portfolio of Fake Security Software - Part TwelveA Diverse Portfolio of Fake Security Software - Part ElevenA Diverse Portfolio of Fake Security Software - Part TenA Diverse Portfolio of Fake Security Software - Part NineA Diverse Portfolio of Fake Security Software - Part EightA Diverse Portfolio of Fake Security Software - Part SevenA Diverse Portfolio of Fake Security Software - Part SixA Diverse Portfolio of Fake Security Software - Part FiveA Diverse Portfolio of Fake Security Software - Part FourA 
Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/84282.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/84282.shtml</guid></item>
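Part nineteen above lists each scareware domain with its hosting IP and registrant e-mail "for clustering, cross-checking, and case building purposes", and closes by recommending that the scareware domains be blacklisted. The following is an added example, not code from the post or its author: it links domains that share a hosting IP or a registrant e-mail into clusters, lists the shared pivots worth cross-checking, and emits a BIND response-policy-zone blocklist for every cluster touched by a seed domain. The records are constructed placeholders (RFC 5737 addresses and .example names, not the post's indicators), the linking rule (shared IP or shared e-mail) is this example's own choice, and the "CNAME ." form is standard BIND RPZ syntax.

```javascript
'use strict';

// Constructed sample records in the shape the post lists them: domain,
// hosting IP and registrant e-mail, either of which may be missing. The
// values are placeholders (RFC 5737 addresses, .example names), not the
// post's own indicators.
const RECORDS = [
  { domain: "remove-av360.example", ip: "203.0.113.10", email: "alpha@mail.example" },
  { domain: "av360removaltool.example", ip: "203.0.113.10", email: null },
  { domain: "gotipscan.example", ip: "203.0.113.20", email: "beta@mail.example" },
  { domain: "scanline6.example", ip: null, email: "beta@mail.example" },
  { domain: "scan6fast.example", ip: "203.0.113.21", email: "beta@mail.example" },
  { domain: "msscan-files-antivir.example", ip: "198.51.100.5", email: "gamma@mail.example" },
  { domain: "hot-girl-sex-tube.example", ip: "198.51.100.5", email: "delta@mail.example" },
  { domain: "unrelated.example", ip: "192.0.2.77", email: "omega@mail.example" },
];

// Union-find over domain names with path halving.
class DisjointSet {
  constructor(items) {
    this.parent = new Map(items.map((x) => [x, x]));
  }
  find(x) {
    while (this.parent.get(x) !== x) {
      this.parent.set(x, this.parent.get(this.parent.get(x)));
      x = this.parent.get(x);
    }
    return x;
  }
  union(a, b) {
    this.parent.set(this.find(a), this.find(b));
  }
}

// Map each indicator ("ip:..." or "email:...") to the domains carrying it.
// Missing values are skipped so they never link unrelated domains.
function indexIndicators(records) {
  const index = new Map();
  for (const record of records) {
    for (const key of ["ip", "email"]) {
      if (!record[key]) continue;
      const indicator = `${key}:${record[key]}`;
      if (!index.has(indicator)) index.set(indicator, []);
      index.get(indicator).push(record.domain);
    }
  }
  return index;
}

// Two domains belong to one cluster when they share an IP or a registrant
// e-mail, directly or through a chain of such links (this example's rule).
function clusterRecords(records) {
  const ds = new DisjointSet(records.map((r) => r.domain));
  for (const domains of indexIndicators(records).values()) {
    domains.slice(1).forEach((d) => ds.union(domains[0], d));
  }
  const groups = new Map();
  for (const record of records) {
    const root = ds.find(record.domain);
    if (!groups.has(root)) groups.set(root, []);
    groups.get(root).push(record.domain);
  }
  return [...groups.values()]
    .map((g) => g.sort())
    .sort((a, b) => a[0].localeCompare(b[0]));
}

// Indicators seen on two or more domains: the pivots worth cross-checking.
function sharedIndicators(records) {
  const shared = [];
  for (const [indicator, domains] of indexIndicators(records)) {
    if (domains.length > 1) shared.push({ indicator, domains: [...domains].sort() });
  }
  return shared.sort((a, b) => a.indicator.localeCompare(b.indicator));
}

// BIND response-policy-zone (RPZ) entries for every domain in any cluster
// that contains a seed domain; "CNAME ." makes the resolver answer NXDOMAIN
// for the name, and the wildcard entry covers its subdomains.
function blocklistFor(records, seeds) {
  const seedSet = new Set(seeds);
  const lines = [];
  for (const cluster of clusterRecords(records)) {
    if (!cluster.some((d) => seedSet.has(d))) continue;
    for (const d of cluster) {
      lines.push(`${d} CNAME .`);
      lines.push(`*.${d} CNAME .`);
    }
  }
  return lines.sort();
}
```

Seeding blocklistFor with a single confirmed scareware domain pulls in every domain that shares infrastructure or a registrant with it, which is the "proactive" blocking the post argues for; sharedIndicators shows which pivot produced each link, so a false join through a shared hosting IP can be spotted before the zone is deployed.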
<item><title>Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware</title><description>Secuobs.com : 2009-04-15 23:28:15 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Not necessarily in real time (Syndicating Google Trends Keywords for Blackhat SEO), but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm, StalkDaily/Mikeyy.

What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual/group of individuals, or that their blackhat SEO farms are growing to cover a much wider portfolio of keywords. It's a tiny usa.js script (e.g. my1.dynalias.org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice - referrer checking - in order to serve or not to serve the malicious content.

For instance, deobfuscated, the script checks whether the user is coming from the following search engines: var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if(document.referrer) ref = document.referrer; If the user/researcher is basically wandering around, a blackhat SEO page with no malicious redirections is served.

The following are all of the currently active and participating domains/subdomains:
trantrohost de
actual.homelinux.com
achyutheilacohost de
aprln.getmyip.com
east.homeftp.org
my1.dynalias.org
my2.dynalias.org
my3.dnsalias.org
my5.webhop.org

The redirection process consists of two layers. The first redirects to hjgf.ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir.com (195888193); the second takes place through a well-known malicious doorway redirecting domain, hqtube.com/to_traf_holder.html (88.85.66.116), that either serves a fake codec that drops the scareware, or the scareware itself from files.ms-load-av.com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:
msscan-files-antivir.com 
195888193 - Coi Carol, Email: car0sta0@gmail.com
hot-girl-sex-tube.com - Erica Thomas, Email: gerrione@gmail.com
msscan-files-antivir.com
msscanner-top-av.com - Mui Arnold, Email: arnoebr@gmail.com
msscanner-files-av.com
antivir-4pc-ms-av.com - Jason Munguia, Email: jasmung@gmail.com

The bottom line: the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.</description><link>http://www.secuobs.com/revue/news/83797.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/83797.shtml</guid></item>
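Both the April 22 campaign and the usa.js script in the Mikeyy post above gate their malicious redirect on the referrer: search-engine traffic is redirected, anyone "wandering around" gets a harmless-looking SEO page. The following is an added example, not code from either post: it models that gate with the marker arrays transcribed from the two deobfuscated snippets, then runs the multi-referrer probe a researcher uses to detect this kind of cloaking. The page shows only the marker arrays and the document.referrer assignment, so the substring comparison, the doorway model and the probe URLs are assumptions constructed for the example.

```javascript
'use strict';

// Search-engine markers transcribed from the two deobfuscated scripts quoted
// in the posts. The exact comparison was not reproduced on the page, so the
// substring test below is an assumption about how is_se was set.
const SE_MARKERS_APRIL22 = ["google", "msn", "yahoo", "comcast", "aol", "dead"];
const SE_MARKERS_MIKEYY = ["google", "msn", "aol.com", "yahoo", " comcast"];

// The gate: is_se becomes 1 when the referrer contains any marker.
// The April 22 script looped to 5 over a six-element array, so its last
// entry ("dead") was never consulted; `limit` models that off-by-one.
// The Mikeyy list carries " comcast" with a leading space, which no
// referrer URL ever contains, so that entry is dead code as well.
function isSearchEngineReferrer(referrer, markers, limit) {
  const ref = referrer || "";
  const active = limit === undefined ? markers : markers.slice(0, limit);
  return active.some((marker) => ref.indexOf(marker) !== -1);
}

// Hypothetical doorway behaviour modelled on the posts: search-engine
// traffic gets the redirect, everyone else gets the plain SEO page.
function serveForReferrer(referrer, markers, limit) {
  if (isSearchEngineReferrer(referrer, markers, limit)) {
    return { page: "redirect", note: "javascript redirect to the scareware portfolio" };
  }
  return { page: "seo-doorway", note: "keyword-stuffed page, no redirect" };
}

// Constructed probe referrers for a research crawler. A real crawler would
// send these as the Referer header; here they are fed to a fetch function.
const PROBE_REFERRERS = {
  none: "",
  directSite: "http://example.net/page.html",
  google: "http://www.google.com/search?q=usa+news",
  yahoo: "http://search.yahoo.com/search?p=bbc+news",
  lookalike: "http://example.net/?from=google",
};

// Cloaking check: fetch the same URL under each referrer and flag the host
// when the page served to search-engine traffic differs from the page
// served to a direct visit. fetchFn(referrer) is injected so the check
// runs offline against serveForReferrer or online against a real client.
function probeCloaking(fetchFn) {
  const responses = {};
  for (const [label, referrer] of Object.entries(PROBE_REFERRERS)) {
    responses[label] = fetchFn(referrer).page;
  }
  const differs = (label) => responses[label] !== responses.none;
  return {
    responses,
    cloaked: differs("google") || differs("yahoo"),
    // A substring gate also fires on non-search referrers that merely
    // mention the engine, which is one way to confirm the gate's logic.
    substringGate: differs("lookalike"),
  };
}
```

When crawling a suspected doorway, the empty-referrer fetch is the baseline and the search-engine fetches are the trigger; a host whose two responses differ is cloaking, and the lookalike referrer tells you whether the gate is a naive substring match (as the quoted arrays suggest) or something stricter.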
<item><title>Conficker's Scareware/Fake Security Software Business Model</title><description>Secuobs.com : 2009-04-14 21:59:19 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet had to switch to the monetization phase and start earning revenue by using well-proven business models within the cybercrime ecosystem.

Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two) or hosting of scams and spam, examples of which we've already seen in related cases where a money mule recruitment agency was using ASProx's fast-flux network services, next to Srizbi's managed spam service propositions.

How come? Pretty simple, starting from the fact that scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks is often an easy way for cybercriminals to quickly launder large amounts of money in a typical win-win revenue sharing scheme.

The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact: in a cybercrime ecosystem, visibility is not just proportional to decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection); despite their risk-decreasing revenue sharing model, the "follow the money trail" practice also becomes more and more relevant.

The most recent variant, Net-Worm.Win32.Kido.js, is the group's second attempt to monetize the botnet, following the original Conficker variant's traffic converter connection pushing fake security software. According to Aleks Gostev at Kaspersky Labs:

"One of the files is a rogue antivirus app, 
which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we've got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009.com."

Regular researchers/law enforcement followers of the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue-earning scheme the latest Conficker variant is using. The currently active/recently registered SpywareProtect portfolios are managed by Geraldevich Viktus (Email: krutoymen2009@inbox.ru) and, conveniently, just as Kaspersky states, are all parked in Ukraine.

In case you remember, according to SRI International's analysis of the Conficker worm, the authors did signal a national preference since the first release: it "randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database", and also "Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian", followed by a third Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors. Specifically, we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XXX.XX - Alternativagratis.com, Buenos Aires, Argentina".

SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009.com - 94.232.248.53 - Ukraine, Bastion Trade Group, AS48841 EUROHOST-AS Eurohost LLC
spyware-protector-2009.com
spy-protect-2009.com
spywprotect.com

The second portfolio is also parked in Ukraine as 
follows:
sysguard2009.com - 195.245.119.131 - AS34187 RENOME-AS Renome-Service: Joint Multimedia Cable Network, Odessa, Ukraine
swp2009.com
spwrpr2009.com
alsterstore.com
adwareguard.net

In a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g. spywrprotect-2009.com) and Zeus crimeware campaigns can be established, since particular droppers have been known to install the scareware next to Zeus crimeware that used to be hosted at the following locations:
capitalex.ws/adv.bin - 21315510176
cashtor.net/tor22/tor.bin - 91.193.108.222
goldarea.biz/adv.bin - 91.197.130.39

It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves, which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking even on their investment?

In a network whose activities will inevitably start converging with the rest of the cybercrime ecosystem's participants' activities -- the Waledac connection -- it's crucial to keep the track-down-and-prosecute process as simple as possible. In this case, the asset liquidity obsession of the Conficker authors, or of the customers of their botnet services, may easily end up in someone's $250k reward claim. Patience is a virtue.</description><link>http://www.secuobs.com/revue/news/83206.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/83206.shtml</guid></item>
<item><title>Inside a Zeus Crimeware Developer's To-Do List</title><description>Secuobs.com : 2009-04-08 22:14:51 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Every now and then I get asked a similar question in regard to crimeware kits: which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is: I don't know. And I don't know not because I'm a victim of outdated situational awareness, but because nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize, with practical examples, how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brandjacking the Zeus brand, makes the answer a little more complex than it may seem at first.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in an attempt to hijack the buyers' Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while.

Anyway, once I'm able to cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member of a third-party developer of backend systems for botnets, the one that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the version numbering system in the Zeus crimeware before we take a peek at a recent CHANGELOG and a future TO-DO list from one of the third-party developers. In a Zeus version a.b.c.d, a change in A stands for a complete change in 
the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change made to keep antivirus solutions from detecting it.

The scheme applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December 2008:

"Change 10.12.2008
- Documentation will no longer be available in CHM format, instead in plain-text format
- The bot is now able to receive commands not only by using the send command function, but also during requests for files and log changes
- Local data requests to the server and the configuration file can be encrypted with an RC4 key, depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to a low timeout for sending POST requests, resulting in dropped requests for log files bigger than 1 MB

Change 2032009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compression of the binary
- Rewritten the process of assembling the configuration file
- Changed the MySQL tables
- Fixed fonts in the panel due to bogus display of characters
- Updated geolocation database"

The following "To-Do" list is pretty similar to another one which I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection
- Console-based builder
- Version supporting x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going away from 
the radar anytime soon, and the main reason for that is not that its exclusive features outperform the ones in the Limbo and Adrenalin crimeware, but that Zeus has a much bigger fan base and a well-established third-party community around it.

Image courtesy of Abuse.ch's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw</description><link>http://www.secuobs.com/revue/news/81130.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/81130.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Eighteen</title><description>Secuobs.com : 2009-04-08 22:14:51 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - IMAGEWith Microsoft's latest Security Intelligence Report indicatingthat scareware/fake security software continues growing, it's worthexposing some of the currently circulating rogue security softwaredomains, their registrants, and the usual "Deja Vu" moment putting thespotlight on well-known RBN web properties, whose exposuredemonstrates that some of the groups that I've been tracking are stillalive and kicking, but this time are much more actively monetizingtheir cybercrime committing capabilitiesavs-online-scan org 209250241164 Oleg Bajenov Email:olegbajenov@gmailcomav-lookup orgam-scan comsystem-scan-1 bizsys-scanner-1 bizsys-scan-wiz bizscanner-wiz-1 comwebwidesecurity com 9424733 Rosalind Lewis Email:RosalindRLewis@text2recomwebprotectionscan comgreatvirusscan combeststabilityscans comtodaybestscan com 174129241185; 174129244106; 2094412614Elliott Cameron Email: support@zitoclickcom; Anatolij Andreev Email:yeep33@gmailcomthebestsecurityspot comsecuritytopagent cominetsecuritycenter comfullandtotalsecurity comactivesecurityshield comgetpcguard comwebsecurityvoice comonlinescanservice comscanalertspage comscanbaseonline combestsecurityupdate comgetsecuritywall combestfiresfull cominitialsecurityscan comwebsecuritymaster comrunpcscannow comthegreatsecurity comtruescansecurity comcheckonlinesecurity comspy-protector-pro comDNS servers of notice:ns1ahuliard comns2ahuliard comns1fuckmoneycash comns2fuckmoneycash comns1zitodns comns2zitodns comNow comes the deja vu moment At 174129241185 and 174129244106we also have parked ilovemyloves com one of the domains used in theiFrame attack during the "Possibility Media's Malware Fiasco" back in2007 which was then parked at the RBN's HostFresh ifrastructure586523928 Behind the malware campaign back then was the NewMedia 
Malware Gang" Part Three; Part Two and Part One which was notonly using RBN services, but was directly cooperating with the StormWorm authors Among their most recent campaigns was the groups directinvolvement in the malware campaigns at the Azerbaijanian Embassies inPakistan and HungaryIt gets even more interesting to see what they're up to in 2009,considering the fact that they have also parked domains used174129241185 and 174129244106 in currently ongoing Facebookphishing campaign, which is switching themes from Matchcom toClassmatescom :facebooksharedid-pegxaaei62emberuiweb 765accesscomfacebooksharedid-0izlud0w6jlaunchpad 765accesscomfacebooksharedid-6oxyclcpusinitiated 765accesscomfacebooksharedid-6xcse5q79cusermanage 765accesscomfacebooksharedid-9q0bfta8bflogin 765accesscomfacebooksharedid-l8rz3d87j7processlogon 765accesscomfacebooksharedid-m071qcxkf3version 765accesscomfacebooksharedid-ao7zx28bhwidentification 765accesscomfacebooksharedid-usxeye68vnsecureconnection 765accesscomfacebooksharedid-lc9i4p09yidisbursements 765accesscomfacebooksharedid-6y8nzpemkxsecuredocuments 765accesscomfacebooksharedid-0u1o0e9gyjcebmainservlet 765accesscomfacebooksharedid-4b16kzpiukceptservlet 765accesscomfacebooksharedid-xqa6odo94zcontent 765accesscomfacebooksharedid-5u10q3vp8qcompleteserv 765accesscomfacebooksharedid-ql2fzhydatintvitation 9845accountcomfacebooksharedid-5ajv5861qdsecuredocuments 9845accountcomfacebooksharedid-3dcznhmordstatement 9845accountcomfacebooksharedid-o6lo04atwwstatement 9845accountcomThe group has clearly diversified its activities, but continuesrelying on its well known portfolio of domains as a foundationRelated posts:A Diverse Portfolio of Fake Security Software - Part SeventeenA Diverse Portfolio of Fake Security Software - Part SixteenA Diverse Portfolio of Fake Security Software - Part FifteenA Diverse Portfolio of Fake Security Software - Part FourteenA Diverse Portfolio of Fake Security Software - Part ThirteenA Diverse Portfolio of Fake 
Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/81129.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/81129.shtml</guid></item>
<item><title>Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software</title><description>Secuobs.com : 2009-04-01 19:24:21 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - From the automatically registered bogus LinkedIn profiles promoting pharmaceuticals campaign in February, to January's malware campaign redirecting to malware (Zlob variants) and rogue security software, the malware gang behind both of these campaigns is once again showcasing its persistence. It gets even more interesting when a direct connection between January's campaign, this very latest campaign, and the most recent massive comment-spam attack at Digg.com is established, since the very same malware domains (e.g. funkytube net) are participating in all of the campaigns. The bogus LinkedIn profiles for March all use a celebrities theme, and all of these bogus accounts are linking to the same malware serving domains: a set of central redirectors, which are then redirecting to another set of fake codec domains, to ultimately direct the visitor to the actual binaries (the original post links the detection rate of each binary). Despite the fact that real-time/event-based blackhat search engine optimization is gaining popularity these days, blackhat SEO in its very nature relies on huge bogus content farms, using a diverse theme-based set of content, usually generated in an automated fashion. Real-time blackhat SEO or standard volume-based blackhat SEO as a tactic of choice? Does it really matter, given that from the perspective of tactical warfare, combining well proven tactics results in high click-through/infection rates for the campaigns in question.</description><link>http://www.secuobs.com/revue/news/78027.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/78027.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for March</title><description>Secuobs.com : 2009-03-31 19:25:32 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can also go through previous summaries for February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Notable articles include: Inside BBC's Chimera botnet and Study: IE8's SmartScreen leads in malware protection.
01. Conficker worm to DDoS legitimate sites in March
02. Bad, bad, cybercrime-friendly ISPs
03. Google downplays severity of Gmail CSRF flaw
04. USAID.gov compromised, malware and exploits served
05. International Kaspersky sites susceptible to SQL injection attacks
06. New study details the dynamics of successful phishing
07. BBC team buys a botnet, DDoSes security company Prevx
08. Comcast responds to passwords leak on Scribd
09. Diebold ATMs infected with credit card skimming malware
10. Ex-botnet master hired by TelstraClear
11. Study: IE8's SmartScreen leads in malware protection
12. Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"
13. Inside BBC's Chimera botnet</description><link>http://www.secuobs.com/revue/news/77468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/77468.shtml</guid></item>
<item><title>Diverse Portfolio of Fake Security Software - Part Seventeen</title><description>Secuobs.com : 2009-03-31 19:25:32 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The following are some of the currently active (or about to go online) rogue security software domains and their associated payment gateways, exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well known Russian Business Network customers continues taking place, with their portfolios of malicious campaigns currently parked at several ISPs, zlkonlv (DATORU EXPRESS SERVISS Ltd, AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being in the context of rogue security software. During March, a new type of scareware with elements of ransomware started circulating in the wild. It will be interesting to monitor whether it will become the de-facto standard for optimizing revenues out of rogue security software.</description><link>http://www.secuobs.com/revue/news/77467.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/77467.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Sixteen</title><description>Secuobs.com : 2009-03-26 13:20:46 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The following are some of the very latest typosquatted rogue security software domains pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 2.0 services. See also: Bad, bad, cybercrime-friendly ISPs.</description><link>http://www.secuobs.com/revue/news/75492.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/75492.shtml</guid></item>
<item><title>Embassy of Portugal in India Serving Malware</title><description>Secuobs.com : 2009-03-25 23:21:01 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Yet another embassy web site is falling victim to a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India (embportindiacoin) has been compromised. Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Russian Business Network's pre-shutdown netblocks and static locations. The very same domain, using the same web traffic redirection script used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site: betstarwager cn/incgicocacola84 redirects to ghrgthostindianetcom/indexphpcocacola84 (942473151), where multiple Adobe Reader and Acrobat buffer overflows are served: zzzzhostindianet com/loadphpid=4 - ghrgthostindianetcom/cache/readmepdf and zzzzhostindianet com/loadphpid=5 - ghrgthostindianetcom/cache/flashswf. The second iFramed domain, ntkrnlpa cn/rc/ (1592267162), has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed, with the iFrame back then (ntkrnlpa info/rc/i=1) pointing to the Russian Business Network's original netblock. It gets even more interesting when you take into consideration the fact that ntkrnlpa info was also sharing infrastructure with ziefpl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Ziefpl is also the service of choice for certain campaigns of the Virut malware family, ircziefpl in particular. It gets even more malicious considering that on the same IP (1592267162), where one of the malware domains in the embassy's campaign (ntkrnlpa cn/rc/) is parked, we can easily spot domains (baidu-baiduxin3cn for instance) that were participating in last year's massive IE7 zero day exploit serving campaign. Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it. A reincarnation of a well known RBN domain, confirmed participation in related compromises of embassy web sites by the same group, sharing infrastructure with domains from a massive IE7 ex-zero day attack, and hosting Zeus crimeware command and control locations: underground multitasking at its best.</description><link>http://www.secuobs.com/revue/news/75242.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/75242.shtml</guid></item>
<item><title>Crimeware in the Middle - Limbo</title><description>Secuobs.com : 2009-03-19 18:21:26 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - While you were out: "Cybercrime-as-a-Service is finally taking off" and $400 will get you in the hacking business. Such a mentality speaks for an outdated situational awareness. Cybercrime as a service originally started in the form of "value-added" post-purchase services (the now ubiquitous lower detection rate management for a malware binary, and anti-abuse domain hosting for the command and control interface) several years ago. As far as the $400 required as an entry barrier into cybercrime is concerned, it no longer exists. In reality, pirated copies of each and every web malware exploitation kit, including the proprietary crimeware kits, are becoming more widespread these days. The cybercrime economy has not only matured into a sophisticated services-driven marketplace a long time ago, but also, nowadays we can clearly see how standardizing the exploitation approach is inevitably resulting in efficiencies -- think web malware exploitation kits with diverse exploit sets and massive SQL injection attacks. The underground economy is in fact so vibrant that the existing monoculture on the crimeware front is already allowing cybercriminals to hijack the crimeware botnets of other cybercriminals unaware of the fact that they're running an outdated copy of their kit. Following Zeus and Adrenalin, it's time to profile Limbo, an alternative crimeware kit that's been publicly available for purchase since 2007. Interestingly, none of these kits can compare to the current market share of Zeus, perhaps the most popular crimeware kit these days, a development largely driven by the community built around Zeus, and the major enhancements introduced within the kit on behalf of third-party developers. Here's what Limbo is all about:
"It works on the principle of an add-in to Internet Explorer, not visible in the processes, to make the logs hidden from the firewall, redirector, and other programs that monitor network activity. Supplied as a loader, which is removed after the launch, unpacks itself and makes all necessary entries in the registry. When you first start IE it cleans Cookies, reads Protected Storage (autosaved passwords in IE, Outlook passwords, etc.). Whenever a user visits the monitored sites, Limbo intercepts the parameters, which are later on transmitted to the server once the user presses the browser key.
Commands:
- Update the binary
- Launch arbitrary exe file
- Update configurator (xml file available)
- Cleaning Cookies
- Remove Limbo
- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a system of keys
- Exclude all the keys for Bank of America, as well as other banks (keys control questions asked again, and you can intercept the answers to them)
- Add to your hosts - to block a certain site (it seems as if it does not boot at all)
- Reboot Windows
- Destroy Windows
Main features:
- Grabs data from forms, including data around forms (all in a row or a pattern described in the configuration file)
- Logging of keystrokes in the browser, at the time when the user enters something in the edit form (it is sometimes useful - for example when the entered data is encrypted after submit form)
- Logging of virtual keyboards (universal technology was developed for the Turkish and Australian banks)
- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are in the archive, the archive is created from the user on the computer
- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) - it is useful to force the user to enter answers to security questions
- Scam page redirection (the fake of same page with the substitution of the address bar of IE and the status bar on infected hosts)
- Harvesting of emails (including the address book user) - by request includes this possibility
- Set the filter for sites that do not need to intercept
- Simple injects-based system (paste your text input field on a particular site - for example, to ask for a pin Holder)
- Smart injects system - blocking form until user input is not injected into the data fields (checking for the count-woo characters of their type - the numbers or letters)
- TANs grabbing - vital for the German sites
Paid only features:
- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one bank
- Autocomplete of hijacked session (eg when a user makes a transfer), useful if the transfer requires the SMS confirmation. Strictly tied to a particular bank only
PHP based admin includes:
- Mapping of users to the admin
- Directing teams selected users
- Delete commands and users
- Showing the status of the command
- Mapping and IP users
- Ability to delete tax
- Display the size of logs
- Search for logs
- Archiving of logs
- Filter by country
- Possibility of sending logs to email
- Statistics on infection
- View collected emails
- The giving of the notes selected users
- The last call
- Displaying a page by page (say 200 records per page)
- An opportunity to log everything in one file (optional)
- Sorting of logs according to different criteria
- Delete all logs
- Have the opportunity to log into mysql, as well as the ability to search for him there (is an order of magnitude faster search)
These commands are downloaded to the host after a certain period of time and performed; in the admin panel you can see the status of commands for a specific user - download / downloaded but not executed / implemented."
With crimeware in the middle, no SSL/two-factor based authentication can ensure a transaction that is non-transparent to the eyes of the cybercriminal.</description><link>http://www.secuobs.com/revue/news/72770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/72770.shtml</guid></item>
<item><title>Ethiopian Embassy in Washington DC Serving Malware</title><description>Secuobs.com : 2009-03-18 23:01:06 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Washington DC (ethiopianembassyorg) has been compromised and is currently iFrame-ed to point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a multitasking mode, since the iFrame used to act as a redirector in several other malware campaigns. Despite the fact that the iFrame domain (1tvv com/indexphp) is already "taken care of", details on the original campaign can still be provided. Multiple dynamic redirectors with a hard coded malware serving domain are nothing new, thanks to sophisticated traffic management kits allowing this to happen. The mentality applied here is pretty simple and is basically mimicking fast-flux as a concept. With or without one of the redirection domains, the campaign keeps running like the following: us18ru/@/include/splphp (912034112), as the hard coded malware serving domain within the mix, is currently serving Office Snapshot Viewer, MDAC and Adobe Collab overflow exploits etc., courtesy of the web malware exploitation kit Fiesta. Traffic management is done through trafficinc ru and trafficmonsterinc ru, also parked at 912034112, with Win32VirToolObfusca served at the end.</description><link>http://www.secuobs.com/revue/news/72370.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/72370.shtml</guid></item>
<item><title>Azerbaijanian Embassies in Pakistan and Hungary Serving Malware</title><description>Secuobs.com : 2009-03-11 15:22:44 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - The very latest addition to the "Compromised International Embassies Series" are the Hungarian and Pakistani embassies of the Republic of Azerbaijan, which are currently iFramed with exploits-serving domains. Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassycompk) and Hungarian (azerembassyhu) embassies? It depends, and while the USAID.gov attack was exclusively orchestrated for their section, the Pakistani and Hungarian ones are part of a more widespread campaign. Theoretically, this could be a noise generation tactic. Here's a brief assessment of the attacks. Both embassies are embedded with identical domains, parked at the same IP and redirecting to the same client-side exploits serving URL operated by Russian cybercriminals: filmlifemusicsitecn/incgicocacola95; promixgroup cn/incgicocacola91; betstarwagercn/incgicocacola86 and betstarwager cn/incgicocacola80 all respond to 782617964; 662321163 and redirect to clickcounercn/t=5 (193138173251). The same IPs (782617964; 662321163) host a further set of parked domains. What prompted this sudden attention to Azerbaijanian web sites? Azerbaijan's President's visit to Iran in the same week when Russian Foreign Minister Sergei Lavrov is visiting Azerbaijan? And why is the phone back domain for the malware served at the USAID.gov site phoning back to a well known Russian Business Network domain (fileuploadercn/check/checkphp), which was again active in January, 2008 and used by one of my favorite malware groups to monitor during 2007/2008 - the "New Media Malware Gang" (Part Three; Part Two and Part One)? Food for thought.</description><link>http://www.secuobs.com/revue/news/70070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/70070.shtml</guid></item>
<item><title>Inside Yet Another Managed Spam Service</title><description>Secuobs.com : 2009-03-09 22:37:00 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - Several years ago, getting into the spam business used to involve the process of harvesting emails, figuring out ways to segment the database, localizing the spam campaign by using a free translation service (eventually ruining the social engineering effect), creating your very own botnet and coming up with creative ways to bypass anti-spam filters, ensuring the botnet remains operational, coming up with ways to obtain access to IPs with clean reputation, with little or no campaign effectiveness measurement at all. These relatively higher market entry barriers are long gone. Today, every single step in the spamming process is managed and can be outsourced in a cost-effective manner, to the point where the one-stop-shop spam vendors have vertically integrated and occupied every single market segment possible in order to increase the "lifetime value" of their potential customers. When do you know that it's going to get uglier in the long term? It's that very special moment in time when the backend for such a managed spam system, utilizing malware infected hosts and legitimate servers for achieving its objectives, goes mainstream and its authors remove the "proprietary, high-profit margin revenues earning business model" label from it. And with this particular moment in time already a fact since the middle of 2008 (Spamming vendor launches managed spamming service), yet another new market entrant is pitching its managed spam service with the ambition to monetize his access to a particular botnet, and break even on the investment made in the backend system. With 9 different campaigns already finished (see the top screenshot) and another one currently in progress, spamming out 3215 emails using 1672 infected hosts based on a harvested email database consisting of 306204 emails (notice the percentage of non-existent emails, potentially spam-poison traps), his business model is up and running. Further developments and new features within the service would remain under close monitoring in the future as well, in particular the original vendor's updates, which would ultimately affect all of his "value-added partners" improved managed spamming capabilities.</description><link>http://www.secuobs.com/revue/news/69242.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69242.shtml</guid></item>
<item><title>Russian Homosexual Sites Under Commissioned DDoS Attack</title><description>Secuobs.com : 2009-03-04 12:19:06 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - From Russia with homophobia. A week long DDoS attack launched against Russia's most popular commercial homosexual sites has finally ended. The simultaneous attack managed to successfully shut down the web servers of most of the sites, which responded with filtering of all traffic that is not coming from Russia. Ironically, the attack was in fact coming from Russia, courtesy of a botnet operated by a DDoS for hire service. Here's a list of the sites that were subject to the DDoS, with the majority of them returning a "503 Service Temporarily Unavailable" error message during last week: gogayru, 1gayru, androginru, boysclubru, egayru, gaylinesru, gaymoneyru, gayplanetru, gayrelaxru, xabalkaru. On the 25th of January, gogayru was among the few sites to issue a statement and confirm the attacks, offering a financial reward for information leading to the source: "Yesterday (25 February), our site was subjected to serious hacker attacks (a flood-attack with a capacity of 2 Mbit/sec). The attack was reflected, but is still continuing at other gay sites (1gayru, egayru, xabalkaru and so on). If you have any information, we are willing to pay for tailor-made info on the causes of the attack; if you are the webmaster of your own gay website exposed to attacks, if in the last few days your site has been slow to load and creating a greater burden - it is very likely that the same attack, only disguised, sabotage, blackmail or extortion by unidentified persons - always contact us." Since the sites are commercial providers of homosexual multimedia content and are thereby bandwidth-consuming, the attacks were aiming to disrupt their business operations, and they managed to do so. Russia's government is well known to have a rather violent take on homosexuality in general, and with the overall availability of outsourced DDoS attack services offering anonymity and destructive bandwidth, the efforts to request such an attack remain minimal.</description><link>http://www.secuobs.com/revue/news/67236.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/67236.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for February</title><description>Secuobs.com : 2009-03-04 12:11:44 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can also go through previous summaries for January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

01 Commercial Twitter spamming tool hits the market
02 Fake Antivirus XP pops up at Cleveland.com
03 Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts
04 Massive comment spam attack on Digg.com leads to malware
05 Crimeware tracking service hit by a DDoS attack
06 Targeted malware attacks exploiting IE7 flaw detected
07 New Symbian-based mobile worm circulating in the wild
08 Rogue security software spoofs ZDNet Reviews
09 Adobe Reader 9 and Acrobat 9 zero day exploited in the wild
10 Chinese hackers deface the Russian Consulate in Shanghai
11 eBay solutions provider Auctiva.com infected with malware
12 Malware campaign at YouTube uses social engineering tricks
13 Research: 76% of phishing sites hosted on compromised web servers</description><link>http://www.secuobs.com/revue/news/67220.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/67220.shtml</guid></item>
<item><title>Inside a DIY Image Spam Generating Traffic Management Kit</title><description>Secuobs.com : 2009-02-26 22:07:53 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Whatever the spammer, pharma master or plain simple cybercriminal requires, the spamware vendors deliver, so that a win-win-win scenario takes place for the buyer, the seller, and the enabler, in this case the affiliate network allowing image-based spam, compared to Web 1.0's link-based performance measurement. The main objective of one of the very latest traffic management kits is once again quality assurance in the process of managing image-spam based campaigns.

Here's a translated description of the traffic management kit:

"As you know, many pay-per-click networks now offer within their ad scripts the so-called graphic feeds. Any site allowing the use of the IMG tag can serve them, and that includes popular free web-based services. The problem so far has been the lack of quality measurement and optimization of this approach. This imposes severe restrictions on the ability to convert traffic to the resource, the automatic redirection of which is impossible. Our system allows you to create your own ads and send traffic to them wherever you think they fit.

How it works: you create a campaign with your own keywords, generate a random image, customize it, generate a link to the ad and paste it into the hosting site, or include it in your email campaigns. By doing this you're able to add more interactivity to your campaigns and improve your click-through rates.

Here's a summary of the features we offer you:
- Create messages with random text and random design. Change ad size and font color, underline, and the selection, styles, font and alignment, frames - everything is set up. You can use any font that you want to - it's completely up to you.
- Manage ad designs through profiles within the system, save your creativity.
- Use any image as the ad. This may be a screenshot of your pharmacy, a banner, or anything at all.
- Combine different types of simple ads on the same page.
- Create messages with any embedded images. For example, click on the picture to see the actual ad size.
- Use alternative keywords in the references; some of the resources do not allow posting links containing the names of pills and other banned words.
- Filter incoming traffic by country, User-Agent, IP or IP range."

It's important to emphasize that this is a DIY image-spam generating kit; in comparison, the much more efficient, and again random, image-spam generating service is offered by the sophisticated and experienced managed spam service providers, who still prefer working with reputable and well-known individuals instead of going mainstream.

Related posts:
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service
Segmenting and Localizing Spam Campaigns</description><link>http://www.secuobs.com/revue/news/65651.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/65651.shtml</guid></item>
<item><title>Help Someone Hijacked my 100k+ Zeus Botnet</title><description>Secuobs.com : 2009-02-26 21:58:30 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

I've been looking for similar chatter for a while now, given the existence of a remotely exploitable vulnerability in an old Zeus crimeware release allowing a cybercriminal to inject a new user within the admin panel of another cybercriminal. It appears that this guy has had his 100k+ Zeus botnet hijacked several months ago, and now that he's managed to at least partly recover the number of infected hosts in two separate botnets, he is requesting advice on how to properly secure his administration panel. Here's an exact translation of his concerns:

"Dear colleagues, I'd like to hear all sorts of ideas regarding the security of Zeus. I've been using Zeus for over a year now, and while I managed to create a botnet of 100k infected hosts, someone hijacked it from me by adding a new user and changing my default layout to orange just to tip me off once he did it. Once I fixed my directory permissions I now have two botnets; the first one is 30k and the second, thanks to a partnership with a friend, is now 3k, located at different hosting providers.

Sadly, yesterday I once again found out that my admin panel seems to have been compromised, since all the files were changed to a different name, and access to the admin panel blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping Apache logs in order to find IPs that have been used for logging in and blocked them all. Therefore I think the new user has been added by exploiting a flaw in Zeus. In my opinion a request was made to the database, either through an SQL injection in a php file or a request from within a user with higher privileges. Since I've applied patches to known bugs, this could also be a compromise of my hosting provider. So here are some clever tips which I offer based on my experience with securing Zeus:
- Change the default set of commands, make them unique to your needs only.
- If it is possible, prohibit reading and dumping the tables with logs for all IPs, and allow only certain ones, so that the crackers are not able to make a dump and cannot read the logs in the database.
- If it is possible, prohibit editing of the tables with Zeus commands for all IPs, and allow only certain ones, so that the bots could not be "hijacked" by inserting commands."

Surreal? Not at all, given the existing monoculture on the crimeware market. Moreover, yet another vulnerability was found in the Firepack web malware exploitation kit earlier this month: a Firepack remote command execution exploit that leverages admin/ref.php. This exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which was also localized to Chinese several months later:
The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese

Ironically, cybercriminals too seem to be using outdated versions of their crimeware.

Related posts:
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus</description><link>http://www.secuobs.com/revue/news/65624.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/65624.shtml</guid></item>
<item><title>The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two</title><description>Secuobs.com : 2009-02-24 15:39:18 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

With VPN-enabled malware-infected hosts easily acting as stepping stones thanks to modules within popular malware bots, next to commercial VPN-based services, the cost of anonymizing a cybercriminal's Internet activities is not only getting lower, but the process is ironically managed in data retention havens such as the Netherlands, Luxembourg, USA and Germany, in this particular case by using the services of the following ISPs: LeaseWeb AS (Amsterdam, Netherlands); ROOT-AS (root eSolutions); HOPONE-DCA (HopOne Internet Corp); NETDIRECT AS (NETDIRECT Frankfurt, DE).

Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers in order to run its VPN/Double/Triple VPN channels service, which it exclusively markets in an "it's where you advertise your services, and how you position yourself, that speaks for your intentions" fashion.

Description of the service:
"- We will never seek to make the service cheaper at the expense of the safety of customers.
- Our servers are located in one of the most stable and high-speed data points (total channel 12 gigabit).
- Only we have the full support service of the data center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions; our software is based on modified code.
- Only here you get a stable and reliable service.
Characteristics of sites:
- Channel 100MB, total channels 12 gigabit
- Authentication MSCHAP v2 (pptpd VPN)
- MPPE encryption algorithm is 128 bit
- Complete lack of logs and monitoring - a guarantee of your safety
- Completely unlimited traffic
- Support for all protocols of the Internet"

Chaining several different VPN channels located in different countries, all managed by the same service, combined with Socks-to-VPN functionality where the Socks host is a malware-compromised one, and all of which maintain no logs at all, directly undermines the usefulness of already implemented data retention laws. Moreover, even a not-so-technically-sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all would result in the perfect anonymization service, where the degree of anonymization would be proportional to the speed of the connection. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly.

In respect to the "no logs and monitoring for the sake of our customers' security" claims, such services are based on trust: the customers are aware of the cybercriminals running them "in between" the rest of the services they offer, and since they're all "on the same page" an encrypted connection is more easily established. However, an interesting perspective is worth pointing out: are the owners of the cybercrime-friendly VPN service forwarding the responsibility to their customers, or are in fact the customers forwarding the responsibility for their activities to the owners, who are directly violating data retention laws and purposely getting rid of forensic evidence?

Things are getting more complicated in the "cybercrime cloud" these days.</description><link>http://www.secuobs.com/revue/news/64657.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/64657.shtml</guid></item>
<item><title>Fake Celebrity Video Sites Serving Malware - Part Three</title><description>Secuobs.com : 2009-02-24 00:32:40 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

In the overwhelming sea of the templatization of malware-serving sites, naked celebrities would always remain the default choice offered in the majority of bogus content generating tools taking advantage of the high page rank of legitimate Web 2.0 services. Following 2008's Fake Celebrity Video Sites Serving Malware series (Part Two), the very latest addition to the series demonstrates the automatic abuse of legitimate infrastructure, in this case Blogspot, for the purpose of traffic acquisition.

Over two dozen Blogspot subdomains, all named after celebrity sex tapes and nude galleries, are currently active and part of the same campaign.

Compared to the single-post-only Blogspots, the following domains have a lot more bogus content to offer: top100videoz com; cinemacafe tv; xvids-top com.</description><link>http://www.secuobs.com/revue/news/64464.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/64464.shtml</guid></item>
<item><title>Pharmaceutical Spammers Targeting LinkedIn</title><description>Secuobs.com : 2009-02-18 18:07:29 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Following January's malware campaign relying on bogus LinkedIn profiles, this time it's pharmaceutical spammers' turn to target the business-oriented social networking site. From a spammer's/blackhat SEO-er's perspective, this is done for the purpose of increasing the page rank of their pharmaceutical domains based on the number of links coming from LinkedIn. The campaigns are monetized through the usual affiliate-based pharmaceutical networks.

A large number of bogus profiles, all part of identical campaigns, are currently active under linkedin com/in/ and linkedin com/pub/dir/ URLs named after the pills they advertise, alongside the pharmaceutical domains used in the campaigns.

Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. But in 2009, if you're not at least requiring a valid email address and a confirmation of the registration, combined with a CAPTCHA to at least slow down the bogus account registration process and ruin their efficiency model, systematic abuse of the service is inevitable (see also: Commercial Twitter spamming tool hits the market).

LinkedIn's abuse team has already been notified of these accounts.</description><link>http://www.secuobs.com/revue/news/62834.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/62834.shtml</guid></item>
<item><title>Community-driven Revenue Sharing Scheme for CAPTCHA Breaking</title><description>Secuobs.com : 2009-02-17 14:54:17 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

What follows when a system that was originally created to be recognizable by humans only gets undermined by low-waged humans or grassroots movements? Irony, with no chance of reincarnation. CAPTCHA is dead; humans killed it, not bots.

A new market entrant into the CAPTCHA-breaking economy is proposing a novel approach that is not only going to result in more efficient human-based CAPTCHA solving on a large scale, but is also going to generate additional revenues for webmasters and their site's community members. The concept is fairly simple, since it mimics reCAPTCHA's core idea. However, instead of digitizing books, any webmaster of an underground community, or of a general site, who would like to syndicate CAPTCHAs from Web 2.0 web properties into their own CAPTCHA entry field is free to do so on a revenue-sharing, or plain simple voluntary, basis.

Consider for a moment the implications of such a project if they manage to execute it successfully: starting from community-driven CAPTCHA breaking of Web 2.0 sites on basic forum registration fields using MySpace.com's CAPTCHA for authenticating new/old users, the plain simple automatic rotation for idle community users, to the enforcement of CAPTCHA authentication for each and every new forum post/reply.

What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for the purpose of spam and malware spreading, or for reselling purposes. The development of this service -- if any -- will be monitored and updates posted if it goes mainstream.

Related posts:
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
Microsoft's CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today</description><link>http://www.secuobs.com/revue/news/62454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/62454.shtml</guid></item>
<item><title>Fake Codec Serving Domains from Diggcom's Comment Spam Attack</title><description>Secuobs.com : 2009-02-12 00:19:16 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

The following assessment details all the redirectors, fake codec serving domains, as well as related fake security software domains used in the Digg.com comment spam attack.

The assessment covers the complete list of the domain redirectors used in the comment spam attack, with the number of bogus comments posted through each; the currently active download locations for the fake codecs and the rogue security software; and the detection rates (result, file size, MD5 and SHA1) for the codec/rogue security software executables.

The first comments including links to these domains were posted at Digg.com in January 2008, over a year ago.</description><link>http://www.secuobs.com/revue/news/61011.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/61011.shtml</guid></item>
<item><title>Quality Assurance in a Managed Spamming Service</title><description>Secuobs.com : 2009-02-11 18:58:29 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Following previous coverage of the managed spam services offered by the Set-X mail system and a copycat variant of it, a newly introduced managed spam service is emphasizing quality assurance through the use of a Google Search Appliance for storing the harvested email databases and the spam templates. Here's an automatic translation of some of the key features offered by the system, currently having a price tag of $1,200 per month:

"A summary of the main possibilities of the system:
- Innovative technology delivers a unique e-mail system designed specifically for ******** to maximize served-up e-mails with a low rate of rejection.
- Kernel multi-organization system provides extremely high speed while on a low platform.
- Provides complete sender anonymity at the maximum system performance in terms of multi-technology operating system; bypasses content filters using the built-in special tags:
+ Configurable generation of random strings
+ Change the case of letters randomly in a block
+ Random permutation of symbols in the block
+ Inserting a random character in an arbitrary place in the block
+ Replacing letters of the Latin alphabet with the same-style Russian ones in the block
+ Duplicating a random character in the block
+ Pasting random strings from a file into the body of a letter
+ Managed morphing of image files in GIF format
- Correct emulation of the headers of sent letters. Simultaneous connection of several e-mail address bases; letter substitution is performed from a file; substitution of e-mail addresses for the From and Reply-To fields is performed from a file; format of outgoing messages TEXT and HTML.
+ Ability to send emails with attachments
+ Correct work with images in HTML messages, possible as a direct method and with copies (CC, BCC)
- Record-keeping system: the results of the system are stored in files good, bad and unlucky for each connection of e-mail addresses, respectively.
+ The system has a convenient and intuitive graphical user interface.

System management
The system is operated under the "Control Panel" interface. The first of them is multifunctional and serves to start the process of sending (state "Run"), pause (state "Pause") and confirm the end (state "Report"). The second button, "Stop", serves to interrupt the sending process. The Data section also contains the following information fields:
- Executes: an action in this field is carried out to date; system progress indicator: graphic indication of the progress of the task; Completed: displays task progress percentage.
- Successful: delivery of letters to the number of addresses that had been carried out successfully; Failure: the number of addresses that failed to deliver a letter; Bad: the number of non-existent addresses; Duration: the actual time of the task; Status: displays the status of the kernel system; Kernel memory: displays memory of core systems."

The ongoing arms race between the security industry and cybercriminals is inevitably driving innovation on both sides of the front. However, based on the scalability of these managed spam services, it's only a matter of time for the vendors to embrace simple penetration pricing strategies that would allow even the most price-conscious cybercriminals, or novice cybercriminals in general, to take advantage of this standardized spamming approach. The disturbing part is that the innovation introduced on behalf of the spam vendors in terms of bypassing spam filters seems to be introduced not on the basis of lower delivery rates, but due to the internal competition in the cybercrime ecosystem.

For instance, new market entrants in the form of botnet masters attempting to monetize their botnets by offering the usual portfolio of cybercrime services often undercut the offerings of the sophisticated managed spam vendors. And so the vendors innovate with capabilities that the new market entrants cannot match, in order to not only preserve their current customers, but also acquire new ones. Managed spam services as a business model are entirely driven by long-term "bulk orders", compared to earning revenues on a volume basis by empowering low-profile spammers with sophisticated delivery mechanisms.

In the long term, just like every other segment within the cybercrime ecosystem, vertical integration and consolidation will continue taking place, and thankfully we'll have a situation where the spam vendors would be sacrificing OPSEC (operational security) on their way to scale their business model and acquire more customers.</description><link>http://www.secuobs.com/revue/news/60867.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/60867.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for January</title><description>Secuobs.com : 2009-02-05 22:06:58 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

The following is a brief summary of all of my posts at ZDNet's Zero Day for January. You can also go through previous summaries for December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Notable articles for January include Microsoft study debunks phishing profitability; Legal concerns stop researchers from disrupting the Storm Worm botnet; and Google Video search results poisoned to serve malware.

01 Thousands of Israeli web sites under attack
02 Bogus LinkedIn profiles serving malware
03 Microsoft study debunks phishing profitability
04 Paris Hilton's official web site serving malware
05 Malware author greets Microsoft's Windows Defender team
06 35m hosts affected by the Conficker worm globally
07 GoDaddy hit by a DDoS attack
08 Legal concerns stop researchers from disrupting the Storm Worm botnet
09 Malware-infected WinRAR distributed through Google AdWords
10 New mobile malware silently transfers account credit
11 GPU-Accelerated Wi-Fi password cracking goes mainstream
12 Google Video search results poisoned to serve malware</description><link>http://www.secuobs.com/revue/news/58984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58984.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Fifteen</title><description>Secuobs.com : 2009-02-03 23:00:00 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Descriptive fake security software domains speak for themselves. The very latest ones currently active in the wild, together with their hosting IPs and registrant details, are listed in the assessment, as are the DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD (AS48511). Proactively blocking these undermines a great deal of traffic acquisition campaigns whose aim is to hijack legitimate traffic to these domains.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/58007.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58007.shtml</guid></item>
<item><title>Crimeware in the Middle - Adrenalin</title><description>Secuobs.com : 2009-02-03 22:53:41 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of the Adrenalin crimeware kit, which originally costs a hefty $3000, it's time to profile the kit, discuss its key differentiation factors from Zeus, and emphasize why, despite the fact that it leaked, the kit is not going to take any of Zeus's market share. At least not in its current form. In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too isn't coded from scratch, but appears -- at least according to cybercriminals questioning its authenticity on their way to secure a bargain deal when purchasing it -- to be using portions of Corpse's original A-311 release. Adrenalin's description and features:
"Injections system - inserting html / javascript code in the page / files / javascript, or substitution of one code by another. Injection occurs in the stream mode, i.e. the modified page is loaded at once, not as in the other BHO based trojans with insertions only after the full load of the page, causing javascript problems or limiting the impact if for instance the user is on a mobile device connection. In our implementation, all works quickly and efficiently.
- The collection of pieces of text from the html pages, as one of the modes of operation of the injector (balance, etc).
- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going in an easy to read and process the form.
- Collector of certificates. Pulling out of all installed certificates, including attempts to commit, and certificates that are marked as uncrackable. Certificates neatly stored for each individual bot.
- Page redirector allows you to replace a page or separate framing in the network; everything is done completely unnoticed; substitution of the content occurs in the interior windsurfing, and even then the browser and any special lotion can be confident that is what you want.
- Domain redirector forwards all requests from the original site on the fake; address bar and all references point to the original; of course can also be used to block access to certain sites.
- Universal form grabbing puller forms, can strip the data from the virtual keyboard; these forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware kits working through the tracking of users clicking buttons / links, it intercepts the data that has already been formed, which can be seen in the log. Data can be collected all the running, and keyword filter to delete the logs; noise over debris to chat and not necessary for the work sites.
All data are transmitted in encrypted form, which is important to bypass the protection, like for instance ZoneAlarm's ID Lock. Undoubted advantage is also that the logs are sent instantly - in parallel with the data sent to the original site. No need to worry that the victim will go into an offline and accumulated locally log form grabbing are not able to send.
- Screenshots at the address.
- TAN grabbing. The technology allows to effectively collect workers TANs.
- Periodic cleaning of cookies/flashcookie.
- Grabbing around-the-forms words without adjustment - Adrenalin defines its own algorithm that it must be collected. Algorithm improved.
- The collection of passwords, for instance Protected Storage (IE autocomplete, protected sites, outlook).
- Classic keylogger.
- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - are less vulnerable machines, and want to put on something more. Cleaning system greatly increases the chances of survival.
- Anti-Anti Rootkit mechanisms.
- Work on the system without the EXE file.
- User-friendly format logs. Forget the piles of files stupid.
- Socks4 / 5 + http(s) proxy server enabled on the infected host.
- Shell + Backshell enabled on the infected host.
- Socks admin.
- Management of each bot individually, or simultaneously. Downloading files, updating settings, etc.
- Requires PHP on the web based command and control host.
- Ability to output commands including downloads, taking into account the country's bot; function as a resident loader statistically for programs - and other small pleasures."
Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware kit, whose only differentiation factor would have been the customer support in the form of the managed undetected malware binaries that naturally comes with it. However, its TAN grabbing ability, proprietary collection of data "around the forms", stripping of content from virtual keyboards and automatic certificate collection on a per host basis, and its ability to clean the system from competing BHO-based trojans, make it special. How do you actually measure the popularity of a crimeware kit? Based on the market share of the crime kit, or based on another benchmark? It's all a matter of perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community was built around Adrenalin the way it was built around Zeus, making the original Zeus release look like an amateur-ish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include:
- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout
For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of a crimeware monoculture, with a single kit maintaining the largest market share. With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn't come as a surprise that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they're doing. Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconnaissance process of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just "monetization of what used to be a commodity good/service" as usual, taking into consideration this overall trend, or perhaps there's another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it's the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased. With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is built around it, one that would inevitably increase its popularity and prompt others to introduce new features within the kit.
Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking
Defeating Virtual Keyboards
PayPal's Security Key</description><link>http://www.secuobs.com/revue/news/57991.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/57991.shtml</guid></item>
<item><title>The Template-ization of Malware Serving Sites - Part Two</title><description>Secuobs.com : 2009-02-02 22:42:35 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The growing use of "visual social engineering" in the form of legitimately looking codecs, flash player error screens, adult web sites, and YouTube windows in order to forward the infection process to the end user himself, is the direct result of the ongoing template-ization of malware serving sites. This standardizing is all about achieving efficiency, in this case, coming up with high-quality and legitimately looking templates impersonating the average Internet user by enjoying the clean reputation of the impersonated service in question. The attached screenshot of the very latest DIY windows media player, with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped-off from a competing affiliate network participant currently active at xxxporn-tubecom/123/2/FFFFFF/3127/TestCodec/Best, its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will. Interestingly, within the mirrored copy now tweaked and distributed for free, using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkonlv. In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customers, of course under domains, have been generating quite some malicious activity at zlkonlv for a while.
Portfolio of fake codecs serving domains parked at the original mirrored domain's IP:
Download locations:
brakeextra com/download/FlashPlayervexe 942472183
brakeextra com/download/TestCodecv3127exe
Entire portfolio of domains parked at 942472183:
Dots, dots, dots: trackgame net is once again providing the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search queries poisoning attacks.</description><link>http://www.secuobs.com/revue/news/57573.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/57573.shtml</guid></item>
<item><title>Poisoned Search Queries at Google Video Serving Malware</title><description>Secuobs.com : 2009-01-28 20:14:15 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video. Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every one of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video; if he or a researcher isn't, based on a simple http referer check, a legitimate YouTube video is served. Upon clicking on the video from any of their publisher domains, the user is taken to porncowboysnet/continuephp 94247234, then forwarded to xfuckedorg/videophpgenre=babesetid=7375 94247234, to have the binary served at trackgamenet/download/FlashPlayerv3181exe and qazextracom/download/FlashPlayerv3181exe. Detection rate for the flash player:
The malware publisher domains crawled by Google Video redirecting to the bogus flash player:
The campaign is currently in a cover-up phase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there.
Timeliness vs comprehensiveness of a malware campaign: following this example of comprehensiveness, take into consideration the timeliness in the face of October 2008's campaign, when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results.</description><link>http://www.secuobs.com/revue/news/56039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/56039.shtml</guid></item>
<item><title>Embassy of India in Spain Serving Malware</title><description>Secuobs.com : 2009-01-27 13:30:04 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain / Embajada de la India en España (embajadaindiacom), which is currently iFrame-ED -- the original infection seems to have taken place two weeks ago -- with three well known malicious domains. Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics net/countphpo=2
pinoc org/countphpo=2
wsxhost net/countphpo=2
wsxhost net/countphpo=2 (20273576) redirects to 20273576/mito/t=2 and then to 20273576/mito/h=2e where the binary is served, a complete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmailcom -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008:
As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns.
Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
US Consulate in St Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware</description><link>http://www.secuobs.com/revue/news/55523.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/55523.shtml</guid></item>
<item><title>Exposing a Fraudulent Google AdWords Scheme</title><description>Secuobs.com : 2009-01-21 19:13:35 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration. The fraudulent AdWords scheme that I'll discuss in this post is an example of a Dominican scammer (ayuda@sharewarepro; Sms Telecom LLC, Roseau, St George 00152 Dominica, Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue as part of the Conduit Rewards Program. Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on a per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his. Brandjacked software domains part of the AdWords campaign:
The AdWords campaigns are spread across different local Google sites, targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every one of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming from, the software bundle including the revenue-generating toolbar is served in the following way:
Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance:
peer2peernemedia-toolbarcom - UserID=UN20090120111936062
peer2peerenmedia-toolbarcom - UserID=598F9353-BD10-47B9-8B40-29B33AD7A3E4
The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.</description><link>http://www.secuobs.com/revue/news/53774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/53774.shtml</guid></item>
<item><title>Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two</title><description>Secuobs.com : 2009-01-19 21:43:10 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then. Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30. Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and an update feature allowing the malicious campaigner to easily introduce new iFrames at already iFrame-ED hosts through the compromised FTP accounts, and, of course, what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features. Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acquisition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank.</description><link>http://www.secuobs.com/revue/news/52823.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/52823.shtml</guid></item>
<item><title>Pro-Israeli Pseudo Cyber Warriors Want your Bandwidth</title><description>Secuobs.com : 2009-01-15 02:49:22 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - In the very same fashion in which Chinese cyber warriors utilized the "people's information warfare concept" against CNN, followed by the Russia vs Estonia cyberattack, the Russia vs Georgia cyberattack, and the Electronic Jihad grassroots movement attempt, pro-Israeli pseudo cyber warriors have released an application which, once run, would allow them to direct the supporters' bandwidth to well known pro-Hamas web sites. Each of these campaigns is orbiting around a unique application released on behalf of the coordinators. In the China vs CNN campaign it was anticnnexe, in the Electronic Jihad campaign it was e-jihadexe, and in the pro-Israeli hacktivists vs Hamas it is PatriotInstallerexe. Excluding anticnnexe, which was working, both e-jihadexe and PatriotInstallerexe act as examples of how people's information warfare execution goes wrong. How come? The tools failed to deliver what they promised. An idle bot that I left upon becoming a patriotic supporter of the cause indicated that the participants are basically idling, without any active DDoS attacks against a particular pro-Hamas web site. Who are the people behind the project?
"We are a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering. NO MORE. We will not sit around and watch our children fear and cry out for help while the missiles are flying over their heads. We say NO MORE. We created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are. You download and install the file from our site. The file is harmless to your computer and could be immediately removed. There is no need for identification of any kind - anonymity guaranteed."
The Help-Israel-Win movement is naturally feeling the heat as well, and is constantly switching locations, with its currently active one at boraboraglobatcom/~help-israel-wincom. The following are related domains used by the pro-Israeli cyber warriors:
In times when DDoS attacks can be cost-effectively outsourced, it's pretty surprising that all the cyber warriors -- excluding the ones in the Russia vs Georgia cyberattack -- aren't taking advantage of the concept, but are relying on a grassroots movement. The reason for this is the lack of contact points between the sellers of the DDoS services and the potential buyers, at least for the time being. Monitoring of the pro-Israeli patriot campaign would continue, with updates posted as soon as something actually happens.</description><link>http://www.secuobs.com/revue/news/51508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51508.shtml</guid></item>
<item><title>Domains Serving Internet Explorer Zero Day in December</title><description>Secuobs.com : 2009-01-15 02:39:30 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL injected to target international sites, with the rest injected at Asian sites only. This tactic once again demonstrates the dynamics of the international underground communities, whose understanding of valuable stolen goods greatly differs based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is worth more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties, the very last thing they'd be serving is a password stealer for a MMORPG, given the far more valuable -- from their perspective -- crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them. SQL injected domains currently active:
- cnuclear3 com/css/cjs (12110108161; 12110107233; 70389997), also SQL injected as c%6Euclear3com/css/cjs in a cheap attempt to avoid detection
- zsgcpedu cn/zjs redirects to alimcma 3322org/a0076159/a07htm (12112173218) and then to tongjitj3322 org/tj/a07htm
- w94saomm com/jsjs (5853128177) redirects to clc2007nenueducn/tt/swfhtm (218621647)
- idea21org/hjs (66249130142) redirects to idea21 org/index1htm
- yrwap cn/hjs (596315771) redirects to kodimnet/CONTENT/faqhtm
Currently down, for historical preservation purposes and case building, as these were exclusively serving the ex-IE zero day in December, 2008:
Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.
Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists</description><link>http://www.secuobs.com/revue/news/51474.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51474.shtml</guid></item>
<item><title>Dissecting the Bogus LinkedIn Profiles Malware Campaign</title><description>Secuobs.com : 2009-01-07 18:09:01 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio. Domains used on the bogus profiles:
sextapegirls net 882142005
celebsvids net 2161955747
katynude com 2161955747
delshikandco com 82103132114
All the internal pages at sextapegirls net (sextapegirlsnet/1html; sextapegirls net/2html; sextapegirls net/3html; sextapegirls net/4html; sextapegirls net/5html) redirect to hotvidz info/5html 882142005, as do all the internal pages at celebsvids net, where TubePlayerver620885exe is served as a fake video player. Among the rest of the domains used, katynude com/1html 2161955747 redirects to quickly-porn-tubenet/getphpid=20885etp=74 695921247, which then redirects to tube-4you-best com/xxplayphpid=20885 695921247, where 2009download-best-soft com/TubePlayerver620885exe 942473228 is again served. The fourth domain used on the bogus LinkedIn profiles, delshikandco com/movies/linkedinhtml 82103132114, once deobfuscated leads to delshiktds com/incgi6 642728225, a traffic management kit's redirection point which redirects to delshiktds com/incgi11, celebs-online2009 com/videophp 642728225 and megaporntubesonline com/xplaysphpid=88, where codecdownloadfilesstorage4you com/exclusivemovie88exe is served next to codecdownloadviewersoftwarearchive com/exclusivemovie0exe 942473232, which is a copy of Win32/Renos. The downloader then phones back to:
Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:
The same people, the same tactics, different domains and netblocks used.</description><link>http://www.secuobs.com/revue/news/49388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/49388.shtml</guid></item>
<item><title>Squeezing the Cybercrime Ecosystem in 2009</title><description>Secuobs.com : 2009-01-06 16:19:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest, temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, nor would his customer base disappear, so stating that it's shut down in reality means that it's currently active at another location, which the owner quickly communicates to the customer base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network, where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype, given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been US based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't applicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it, and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops, in order to achieve the necessary public outcry.

Even though I'd claim that the research and profiles of the underground tools and services that I've been detailing throughout 2008 are cutting-edge research, this research is basically scratching the surface. But how come? Just like there's a perfect and a bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them, in the form of the photos of users swimming in the cash that they've cashed out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outcry, but also have a well proven self-regulation effect on behalf of the service owners, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize how important threat intel sharing with law enforcement is, whether directly based on personal contacts or through a one-to-many communication model through private mailing lists: a cyber threat analyst's case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster.

And while important, threat intel sharing with law enforcement is not the panacea for squeezing the cybercrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes; instead, it should be treated as a form of economic terrorism. Only then would cybercrime receive the necessary attention, instead of such comments regarding McColo or Atrivo: "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot be a prophet in your own agency either; thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals will take place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008: underground responses to some of the major busts of the year, including the DarkMarket operation, the fraudulent schemes allowing them to cash out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybercrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used; in short, all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation of the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts: 76Service - Cybercrime as a Service Going Mainstream; Using Market Forces to Disrupt Botnets; Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two; EstDomains and Intercage VS Cybercrime; E-crime and Socioeconomic Factors; Money Mules Syndicate Actively Recruiting Since 2002; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper; The Underground Economy's Supply of Goods.</description><link>http://www.secuobs.com/revue/news/48967.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/48967.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for December</title><description>Secuobs.com : 2009-01-06 16:19:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The following is a brief summary of all of my posts at Zero Day for December, 2008. You can also go through previous summaries for November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft); and Gmail, Yahoo and Hotmail systematically abused by spammers.

01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search finally adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit</description><link>http://www.secuobs.com/revue/news/48966.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/48966.shtml</guid></item>
<item><title>Cyber Jihadists part of the GIMF Busted</title><description>Secuobs.com : 2008-12-17 20:58:16 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - In one of those "better late than never" type of situations, last month members of the Global Islamic Media Front were busted in Germany. The group is largely known due to its releases and propaganda of the Technical Mujahid E-zine (Part Two) and the Mujahideen Secrets encryption tool (Second Version), and was distributing its multimedia through popular Web 2.0 video sharing sites, perfectly fitting the profile of the majority of cyber jihadist groups.

GIMF used to be one of my favorite sources of raw OSINT regarding various cyber jihadist activities due to its centralized nature and lack of any operational security in place, in particular the ways it was unknowingly exposing their social networks online.

Related posts: GIMF Switching Blogs; GIMF Now Permanently Shut Down; GIMF - "We Will Remain"; Inshallahshaheed - Come Out, Come Out Wherever You Are; A List of Terrorists' Blogs; Cyber Jihadist Blogs Switching Locations Again; Wisdom of the Anti Cyber Jihadist Crowd; Analyses of Cyber Jihadist Forums and Blogs; Terror on the Internet - Conflict of Interest.</description><link>http://www.secuobs.com/revue/news/44810.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/44810.shtml</guid></item>
<item><title>Skype Phishing Pages Serving Exploits and Malware - Part Two</title><description>Secuobs.com : 2008-12-15 20:11:18 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Dear malware spreader, here we meet again. It's been a while since I last wrote to you, half a year ago to be precise. Since I first met you, keeping automated track of your phishing campaigns serving old school VBS scripts has become an inseparable part of my daily routine.

I really enjoyed the fact that since then you've changed your email address from ikbaman@gmail.com to ikbasoft@gmail.com, and due to its descriptive nature speaking for a software company set up, I can only envy your profitability. However, due to the tough economic times, your latest round of malware-blended phishing emails has to go down. I'm sure you'd understand, as it only took "5 minutes out of my online experience" to notice you, and so I'm no longer interested in processing the /service-peyment/ that you require on the majority of brandjacked subdomains that you keep creating at the very same ns8-wistee.fr: secureskype.uuuq.com redirects to monybokers.ns8-wistee.fr/skype/cgi-bin/us/security/update-skype/service-peyment/update/login.aspx/index.htmls, where the VBS is pushed, with its detection rate prone to improve.</description><link>http://www.secuobs.com/revue/news/43988.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/43988.shtml</guid></item>
<item><title>Localized Social Engineering on Demand</title><description>Secuobs.com : 2008-12-15 16:32:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - If I had come across this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two), a new service takes the concept further by introducing a multilingual on demand social engineering service, especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call, with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows:

- English: 3 male voices and 2 female ones
- German: 2 male voices and 1 female one
- Spanish: 1 male voice and 2 female ones
- Italian: 1 male voice and 1 female one
- French: 1 male voice and 1 female one

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application; however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought out, in the sense that, given that certain banks or online services can automatically freeze the assets to which the cybercriminal has access, the service, through its multilingual capabilities, can indeed convince the institution of the authenticity of the Spanish caller that's indeed Spanish, based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to be very specific in order for the service to work, meaning they would have to use it as an intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means, and stolen credit card details, and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite the fact that monetizing social engineering is not new, monetizing accomplice voices and running a social engineering ring definitely is.</description><link>http://www.secuobs.com/revue/news/43901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/43901.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for November</title><description>Secuobs.com : 2008-12-11 16:33:47 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The following is a brief summary of all of my posts at Zero Day for November. You can also go through previous summaries for October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Thanks for being with us.

Some notable articles for November include Black market for zero day vulnerabilities still thriving; Anti fraud site hit by a DDoS attack; and Cybercriminals release Christmas themed web malware exploitation kit.

01. Black market for zero day vulnerabilities still thriving
02. Google and T-Mobile push patch for Android security flaw
03. Fake WordPress site distributing backdoored release
04. Koobface Facebook worm still spreading
05. Cyber terrorists to face death penalty in Pakistan
06. AVG and Rising signatures update detects Windows files as malware
07. BBC hit by a DDoS attack
08. Google fixes critical XSS vulnerability
09. $10k hacking contest announced
10. Anti fraud site hit by a DDoS attack
11. Commercial vendor of spyware under legal fire
12. Fake Windows XP activation trojan goes 2.0
13. Cybercriminals release Christmas themed web malware exploitation kit</description><link>http://www.secuobs.com/revue/news/42958.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/42958.shtml</guid></item>
<item><title>The Koobface Gang Mixing Social Engineering Vectors</title><description>Secuobs.com : 2008-12-09 19:09:16 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - It's the Facebook message that came from one of your infected friends, pointing you to a purposely created bogus Bloglines blog serving a fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines.com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, as part of Koobface's Hi5 spreading campaign (catshof.com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are: 58.241.255.37.

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using a set of bloglines.com blogs, currently linking to several hundred bogus Google Groups accounts.

Abusing legitimate services may indeed get more attention in the upcoming year, following their interest in the practice from the last quarter.</description><link>http://www.secuobs.com/revue/news/42212.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/42212.shtml</guid></item>
<item><title>Dissecting the Koobface Worm's December Campaign</title><description>Secuobs.com : 2008-12-08 19:54:32 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners' efforts for yet another time? But of course.

Only OPSEC-ignorant malware campaigners would leave so many traceable points, in between centralizing the campaign's redirection domains on a single IP. For instance, taking advantage of a free web counter whose publicly obtainable statistics -- the account has since been deleted -- allows us to not only measure the clickability of Koobface's campaign, but also to prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are some of the key summary points for this campaign:

- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from November's campaign remain active; however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming from, in this case the predefined list of referrers, a single line of "scanref" is returned with no malicious content displayed
- the campaign can be easily taken care of, at least in the short term, by shutting down the centralized redirection points

What follows are the surprises, namely that despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign's stats -- the majority of unique visitors from December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on 07 Nov (Fri) and another 53,260 on 08 Nov (Sat) before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart.info/js/gs.js (58.241.255.37) used in the previous campaign attempts to redirect to find-allnot.com/go/fb.php (58.241.255.37) or to playtable.info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts' magic. Several other well known malware command and control locations are also parked at 58.241.255.37. These domains, with several exceptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponds to Bebo redirections (ofsitesearch.com/go/be.php).

However, the meat resides within the statistics from their campaign. The malware serving URLs that are part of the Koobface worm's December campaign were identified based on the identical counter used across all the malicious domains, together with the Geocities redirectors participating and a sample of the malware infected hosts used by the redirectors, all serving on port 7777.

Detection rate for the binary, identical across all infected hosts participating: flash_update.exe, detected as Win32/Koobface.generic and Win32.Worm.Koobface.W. Detection rate: 28/38 (73.69%). File size: 27136 bytes. MD5: 3071f71fc14ba590ca73801e19e8f66d. SHA1: 2f80a5b2575c788de1d94ed1e8005003f1ca004d.

Koobface's social networks spreading model isn't going away, but its domains definitely are.

Related posts: Dissecting the Latest Koobface Facebook Campaign; Fake YouTube Site Serving Flash Exploits; Facebook Malware Campaigns Rotating Tactics; Phishing Campaign Spreading Across Facebook; Large Scale MySpace Phishing Attack; Update on the MySpace Phishing Campaign; MySpace Phishers Now Targeting Facebook; MySpace Hosting MySpace Phishing Profiles.</description><link>http://www.secuobs.com/revue/news/41842.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/41842.shtml</guid></item>
<item><title>Zeus Crimeware as a Service Going Mainstream</title><description>Secuobs.com : 2008-12-04 15:06:20 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Since 100% transparency doesn't exist in any given market, no matter how networked and open its stakeholders are, Cybercrime-as-a-Service (CaaS) in the underground marketplace went mainstream with the introduction of the 76service -- now available in Winter and Spring editions -- followed by a flood of copycats monetizing commodity services on the foundations of proprietary underground tools.

Originally launched as an invite only service where only trusted individuals would be able to take advantage of the malicious economies of scale concept, in August 2008 copycats ruined the proprietary model of the 76service by tweaking the service and converging it with web malware exploitation kits of their choice. The output? Near real-time access to freshly harvested financial data, which when combined with their aggressive price cutting once again lowers the entry barriers into this underground market segment.

Start from the basics. Intellectual property theft in the underground marketplace has been a fact for over a year now, with proprietary web malware exploitation kits leaking to the average cybercriminals who, after a brief process of re-branding and layout changing, include their very own copyright notice. Upon obtaining the kits for which they haven't paid a cent/eurocent, it would be fairly logical to assume that they can therefore charge as much as they want for offering on demand access to them, thereby undercutting the prices offered by the experienced market participants. IP theft in the underground marketplace equals a volume sales driven cash cow that messes up the basics of demand and supply that the experienced cybercriminals consciously or subconsciously follow.

Not only is IP theft a reality, but also, among the very latest Zeus crimeware for hire services is one charging pocket money for extended periods of time:

"Q: What is ZeuEsta?
A: ZeuEsta is a mix between the ZeuS Trojan and MalKit, a browser attack toolkit that will steal all information logged on the computer. After being redirected to the browser exploits, the zeus bot will be installed on the victim's computer and start logging all outgoing connections.
Q: How much does it cost?
A: Hosting for ZeuEsta costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary."

Think cybercriminals in order to anticipate cybercriminals. Would a potential cybercriminal purchase a crimeware kit for a couple of thousand dollars, when they can either rent a managed crimeware service, or even buy a gigabyte worth of stolen E-banking data for any chosen country, collected during the last 30 days? I doubt so, and factual evidence on the increasing number of such services confirms the trend: in 2009 anything cybercrime will be outsourceable.

Related posts: Modified Zeus Crimeware Kit Gets a Performance Boost; Modified Zeus Crimeware Kit Comes With Built-in MP3 Player; Zeus Crimeware Kit Gets a Carding Layout; The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw; Crimeware in the Middle - Zeus.

Related underground marketplace posts: Will Code Malware for Financial Incentives; Coding Spyware and Malware for Hire; Malware as a Web Service; The Underground Economy's Supply of Goods and Services; The Dynamics of the Malware Industry - Proprietary Malware Tools; Using Market Forces to Disrupt Botnets; Multiple Firewalls Bypassing Verification on Demand; Managed Spamming Appliances - The Future of Spam; Inside a Managed Spam Service; Dissecting a Managed Spamming Service; Segmenting and Localizing Spam Campaigns; Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two.</description><link>http://www.secuobs.com/revue/news/40605.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/40605.shtml</guid></item>
<item><title>Rock Phish-ing in December</title><description>Secuobs.com : 2008-12-02 15:05:51 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Nothing can warm up the heart of a security researcher more than a batch of currently active Rock Phish domains, fast-fluxing by using US based malware infected hosts as infrastructure provider. What is this assessment of a currently active Rock Phish campaign aiming to achieve? In short, to prove that the people that were Rock Phish-ing at the beginning of the year are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign is that, compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance and Leicester and Abbey National only. The active Rock Phish domains in fast-flux, a sample of the sub-domain structure impersonating the two banks, and the DNS servers for the campaigns were recorded, as were the registrant details shared across the domains (a single registrant record, located in Beijing, CN).

These well known Rock Phish campaigners have been naturally multitasking on several different underground fronts throughout the year. For instance, their 2j1f.net is known to have been hosting a money mule company's site, and it was also used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence on the consolidation that's been ongoing for over a year and a half now? An infamous money mule recruiting company, Cash-Transfers Inc, was also taking advantage of the fast-flux network offered by the ASProx botnet masters in July.

As a firm believer that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will either be replaced by a cybercrime infrastructure relying entirely on legitimate services, or by one where the average malware infected Internet user would be temporarily used as a hosting provider. If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

Related Rock Phish research: 209 Host Locked; 2091 Host Locked; 661 Host Locked; Confirm Your Gullibility; Assessing a Rock Phish Campaign.

Related fast-flux research: Fast-Flux Spam and Scams Increasing; Fast Fluxing Yet Another Pharmacy Scam; Storm Worm's Fast Flux Networks; Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two; Obfuscating Fast Fluxed SQL Injected Domains; Storm Worm Hosting Pharmaceutical Scams; Fast-Fluxing SQL injection attacks executed from the Asprox botnet.</description><link>http://www.secuobs.com/revue/news/39931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/39931.shtml</guid></item>
<item><title>Yet Another Web Malware Exploitation Kit in the Wild</title><description>Secuobs.com : 2008-12-02 14:06:15 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless, to keep track of all the XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications and the claiming of copyright over the modified and re-branded kit, the source code of the core web malware exploitation kits continues to represent the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident that anecdotal evidence, in the form of monitoring ongoing communications between sellers and buyers, reveals actual attempts at intellectual property enforcement: an exchange of flames between the author of an original kit and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and JS obfuscation techniques, it doesn't require MySQL to run, and it ships with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticeable exceptions to the common wisdom that time-to-underground-market isn't allowing them to innovate, but thankfully these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic coming from the SQL injected or malware embedded sites is automatically exploited, with access to the infected hosts, or to the traffic volume in general, offered for sale under a flat rate or on a volume basis. Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale are all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild</description><link>http://www.secuobs.com/revue/news/39925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/39925.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Fourteen</title><description>Secuobs.com : 2008-11-27 15:19:54 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

You didn't even think for a second that the supply of typosquatted domains serving packed and triple crypted (to the point where the binary is no longer executing) fake security software is declining? With the upcoming holidays and the usual peak of web traffic, malicious activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance and Sagent Group, personal favorite affiliate participants in a revenue sharing program for serving fake security software, try to maintain a decent rhythm in their typosquatting process, always worth taking a peek at. The very latest rogue security software additions include:

micro-antiv2009 com 912080223
micro-antivir2009 com
micro-antivirus-2009 com
micro-av-2009 com

Sawert Alliance
Peltonen Martti seodancer@gmailcom
33 New Road, Upper Flat
Belize City
Belize
Tel: +79602578790

avmyscan com 9120392186; 78157143184
go-your-scan com
bestproscan com
avproscan com
goyourscan com
iabestscan com
avmyscan com
best-scan-pro com
avscan-pro com
bestscanner-pro com
avscanpro com
iascannerpro com

Jaroslav Voltz
Email: mensfult@gmailcom
Organization: Private person
Address: Biskupsk 9
City: Praha
State: Praha
ZIP: 11000
Country: CZ
Phone: +4202224811382

virus-labs2009 com 6623211362
virus-trigger com
virusresponse2009 com
virusresplab com
virus-response com

Roman Spitsikov
Uus-Sadama 12
Tallinn, Tallinn 10120
Estonia
RomanSpitsikov@gmailcom

virusremover2008plus com 772456180; 93190139229
Sagent Group sergbelo@gmailcom
Brignal Solutions
PO Box 3469 Geneva Place, Waterfront drive
Road town, BVI
BZ
+114193017015

antivirus-pro-scancom 84243197183
anti-virus-defencecom
protection-livescancom
Aleksey Kononov cndomainz@yahoocom
+74954538435 fax: +74954538435
ul Yakimanskay 34-56
Moskva Moskovskay oblast 112745
ru

rapidantivir com 912080220
rapidantivirus-2009 com
securityscanner2009 com
rapidantivirus2009 com
rapid-antivir com
extraantivir com
rapid-antivirus com
rapidantivirus com

Sawert Alliance
Peltonen Martti seodancer@gmailcom
33 New Road, Upper Flat
Belize City
Belize
Tel: +79602578790

sgscanner com 1165014185
sguardscan com
scansguard com
getsg2008 com

Vrenk Tihomil
Email: gray444371@gmailcom
Organization: Private person
Address: Kolodvorska 73, Sl3270 Lasko
City: Lasko
State: Lasko
Lasko
ZIP: Sl1355
Country: SI
Phone: +38614588324

adwaredeluxe com 64401188 (private whois)
antivirusadvanced com
antivirusadvance com
spydestroy com
spywareremoval ws

Shipping them in batches means exposing them in batches.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/39032.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/39032.shtml</guid></item>
<item><title>Localizing Cybercrime - Cultural Diversity on Demand Part Two</title><description>Secuobs.com : 2008-11-25 16:24:44 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

It's where you advertise your services, and how you position yourself, that speak for your intentions, of course "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware of how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services) for spam/phishing/malware campaigns has been happening for a while, courtesy of DIY services ensuring complete anonymity for their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using are directly attracting everyone from the bottom to the top of the cybercriminal food chain as customers. Sometimes it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging less than its competitors:

"We offer our services in translation. We are only competent translators, profile higher education. Service is working with all types of texts. Languages available at this time: Russian, English, German. Average translation of the text takes up to 10 hours, usually much faster through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and do not require registration. In addition you can remove your order from the database after its execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price is 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters, letters and numbers are counted. Punctuation does not count. Minimum order 100 characters."

I'm particularly curious how a contractor/translator is going to react to a situation when a large scale malware campaign speaking several different languages tells a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized versions of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret Localized malware campaign</description><link>http://www.secuobs.com/revue/news/38556.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/38556.shtml</guid></item>
<item><title>The DDoS Attack Against Bobbear.co.uk</title><description>Secuobs.com : 2008-11-19 16:29:45 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated countersurveillance approaches taken by a high profile DDoS for hire service can be, and were in fact, bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand, given they have their own people in the particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A US military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't</description><link>http://www.secuobs.com/revue/news/37112.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37112.shtml</guid></item>
<item><title>New Web Malware Exploitation Kit in the Wild</title><description>Secuobs.com : 2008-11-19 12:29:33 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Oops, they keep doing it, again and again - trying to cash in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any significant differentiation factors, besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed to novice users, and despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics, obtained in an OSINT fashion, always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits.

Related posts:
Modified Zeus Crimeware Kit Gets a Performance Boost
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild</description><link>http://www.secuobs.com/revue/news/37074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37074.shtml</guid></item>
<item><title>Will Code Malware for Financial Incentives</title><description>Secuobs.com : 2008-11-18 21:34:57 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

A couple of hundred dollars can indeed get you a state of the art undetectable piece of malware, with post-purchase service in the form of an automatically lowered detection rate for sure, but what happens when the vendors of such releases start vertically integrating just like everyone else, and start offering OS-independent spamming, flooding, modifications and tweaking of popular crimeware kits in the very same fashion? The quality assurance process gets centralized into the hands of experienced programmers that have been developing cybercrime facilitating tools for years.

It's interesting to monitor the pricing schemes that they implement. For instance, the modularity of a particular malware, that is the additional functions that a buyer may or may not want, increases or decreases the price respectively. Others tend to leave the price an open topic by only mentioning the starting price for their services and then increasing it, again in open topic fashion. Let's take a look at some recently advertised (translated) "malware coding for hire" propositions, highlighting some of the latest developments in their pricing strategies:

Proposition 1:

"Programs and scripts under the following categories are accepted: grabbers; spamming tools for forums, spamming tools for social networking sites, modifications of admin panels for popular crimeware kits, phishing pages.
Platform: software running on MAC OS to Windows.
Multitasking: have the capacity to work on multiple projects.
Speed and responsibility: at the highest level.
Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers.
Support: Paid.
Rates: starting from 100 euros.

If, after speaking ultimate price, you decide to add to your order something else - the price change. Prepare the job immediately, which will understand what to do and how much it will cost you; if you have any suggestions for a price, then lay them immediately and not after the work is completed. If you order something that requires parsing your logs, and their continued use, you agree to provide a significant portion of the logs, so that after putting the project did not raise misunderstandings due to the fact that some logs are no longer "fresh", because of their "uniqueness". In this case, for the finalization of the project an additional fee will be charged."

This is an example of an "open topic pricing scheme", with the vendor offering the possibility to code the malware or the tool for any price above 100 euro, based on what he perceives as features included within worth the price.

Proposition 2:

"Starting price for my malware is 250 EUR. Additional modules like P2P features, source code for a particular module go for an additional 50 EUR. If you're paying in another currency the price is 200 GBP or 395 dollars. I sell only ten copies of the builder so hurry up. The trading process is simple - a password protected file with the malware is sent to you so you can see the files inside. You then send the money and I mail you back the password. If you don't like this way you lose. I can also offer you another deal, I will share the complete source code in exchange for access to a botnet with at least 4000 infected hosts because I don't have time to play around with my bot right now."

This proposition is particularly interesting because the seller is introducing a basic understanding of exchange rates, but most of all because he's in fact offering a direct bargain in the form of access to a botnet in exchange for the complete source code of his malware bot. Both propositions are also great examples of how vendors engage by keeping their current and potential customers up-to-date with TODO lists of features to come, next to the usual CHANGELOGS, and, of course, establish trust by allowing potential customers to take a peek at the source code of the malware they're about to purchase.

Related posts:
Coding Spyware and Malware for Hire
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware</description><link>http://www.secuobs.com/revue/news/36951.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36951.shtml</guid></item>
<item><title>Embassy of Brazil in India Compromised</title><description>Secuobs.com : 2008-11-13 17:26:50 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Only an amateur or unethical competition would embed malicious links at the Embassy of Brazil in India's site, referencing their online community. With the chances of an Embassy's involvement in the fake antivirus software industry close to zero, the compromise is a great example of the mixed use of purely malicious domains in combination with compromised legitimate ones and purposely registered accounts at free web space providers hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway:

epmwckmedex1com
htkobafdex1com
ogbucofdex1com
segundomuellecom/mex/antivirus
jgzleaadex1com
igpranru/services/tolstye

The active and redirecting traff asia 89149251203 is currently serving a fake account suspended notice - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources" - but is nevertheless redirecting us to antimalware09 net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well known web malware exploitation kit which is currently serving PDF exploits: google-analyze com/socket/indexphp 2161955977, from where we're redirected to google-analyzecom/tracker/loadphp, which is serving systemexe (Trojan-SpyWin32Zbotehk; Win32TrojanSpyZbotgenC5), and google-analyze com/tracker/pdfphp (Exploit:Win32/PdfjscG; ExploitJSPdfkaw; BloodhoundExploit196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns. google-analyze com has multiple IFRAMEs pointing to google-analystic net 2091606756, yet another traffic redirection doorway further exposing their campaigns.

For instance, google-analystic net/incgi20 loads google-analysticnet/teaphp 2091606756, where google-analysticnet/incgi8 is redirecting to 912039361 /incgi2, taking us to 912039361 /25/2/, where we deobfuscate the javascript leading us to the exact location of the PDF exploit - 912039361/25/2/getfilephpf=pdf. This is just for starters. google-analysticnet/incgi9 redirects to mangust32 cn/pod/indexphp 21893202102, where they serve loadexe (Backdoor:Win32/KoceggenA) at mangust32 cn/pod2/loadphp and loadexe at mangust32cn/eto2/loadphp; moreover, google-analystic net/incgi10 leads us to mmcounter com/incgiid194 9410250130, a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to busyhere ru/incgipipka, which redirects to beshragos com/work/indexphp 7913518738, where once we deobfuscate the script we get to see the PDF exploit location: beshragoscom /work/getfilephpf=pdf.

What's contributing to the increase of PDF exploits during the last month? It's an updated version of a web based malware exploitation tool which, despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks, causing the usual short-lived epidemic.

Related posts:
The Dutch Embassy in Moscow Serving Malware
US Consulate in St Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware</description><link>http://www.secuobs.com/revue/news/35789.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35789.shtml</guid></item>
<item><title>Dissecting the Latest Koobface Facebook Campaign</title><description>Secuobs.com : 2008-11-13 15:40:39 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

The latest Koobface malware campaign at Facebook is once again exposing a diverse ecosystem worth assessing, in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The (now removed) binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

usgeocities com/adanbates84/indexhtml
ostart info/js/jsjs 7913221151
off34 com/go/fbphp 7913221151
youtube-spyvideo com/youtube_filehtml 5824125537
ahdirz com/movie1phpid=638etn=teen 2088518169
top100clipz com/m6/movie1phpid=638etn=teen 2088518167
hq-vidz com/movie1phpid=638etn=teen 2088518168

The dropper then phones back home to f071108com/fb/firstphp 7913221150, with the binaries hosted at a legitimate site that's been compromised:
aibcviennaorg/youtube/ bnsetup24exe
aibcviennaorg/youtube/ tinyproxyexe

Related fake Youtube domains participating:
catshof com 7913221151
youtube-spy info 9410260119
youtubehof net 2189320530
youtube-spyvideo com 5824125537
yyyaaaahhhhooooocom pl 671510483
youtube-x-files com 9410260119

The development of cybercrime platforms utilizing legitimate infrastructure only has always been in the works. From spamming systems relying exclusively on automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles</description><link>http://www.secuobs.com/revue/news/35774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35774.shtml</guid></item>
<item><title>More Compromised Portfolios of Legitimate Domains for Sale</title><description>Secuobs.com : 2008-11-13 00:08:10 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

The ongoing supply of access to compromised portfolios consisting of hundreds, sometimes thousands, of legitimate domains is continuing to produce anecdotal situations. For instance, in one of the latest propositions, a cybercriminal has managed to hijack the blackhat SEO domains portfolio (8,145 domains plus another 100 legitimate ones) of another cybercriminal, and is now offering it for sale.

From an attacker's perspective, are remotely exploitable SQL injections, the insecure hosting providers' web interfaces, or the pragmatic possibility of data mining a botnet's accounting data for access to such portfolios the tactic of choice? In both of these propositions, the seller is citing vulnerabilities within the web hosting providers as the attack tactic.

The continuing supply of such access is, however, a great indicator for the upcoming development of this segment within the underground marketplace in 2009.</description><link>http://www.secuobs.com/revue/news/35629.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35629.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Thirteen</title><description>Secuobs.com : 2008-11-13 00:08:10 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

What is the difference between reactive and proactive threat intell? Reactive threat intell is assessing a campaign, an individual or a group of individuals, how they are related to one another, and what they have been doing in the past, based exclusively on a lead that's been found within the past couple of hours.

Try the very latest rogue security domains courtesy of three domainers - Fedor Ibragimov cndomainz@yahoocom, Anton Golovay kgpdomains@yahoocom and Ivan Durov idomainsadmin@gmailcom - whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008:

powerfullantivirusscan com 78159118217; 89149253215; 20872168185
protection-update com
updatepcprotection com
updateyourprotection com
mac-imunizator net 672057510
avproinstall com 7815714126
winavpro com 9224116330

As far as proactive threat intell is concerned, try the following "upcoming fake security software domains":
spywaredefender2009 com
spywaredestroyer2009 com
spywareeliminator2009 com
spywareprotector2009 com

It would be interesting to monitor whether or not the well known non-existent security software brands we've been monitoring throughout 2008 will be basically typosquatted in a 2009-like fashion, or whether they would simply introduce new brands. With their business model under pressure, I'm starting to see evidence of schemes involving the illegal advertisement of affiliate links to legitimate security software, where the cybercriminals are actual resellers of it. There's also no shortage of surreal situations, where a fake security software is taking advantage of blackhat SEO practices promising the removal of competing fake security software brands.

Last week, the noadware net 69207182; 6920104139 software was persistently advertised in such a way, mostly by generating Wordpress accounts promising to remove competing software:
antiviruspro2009wordpress com
ultraantivirus2009wordpress com
smartantiviruswordpress com
antiviruslab2009wordpress com
antivirusvipwordpress com
personaldefender2009wordpress com
malwareremovalwordpress com

Naturally, it didn't take long before blackhat SEO farms were created for the purpose, like these very latest ones:
removal-toolblogspot com
cgidoctor com
spywareremoval net
spyware-adware-remover com
spywarestop com
zero-adware net
adware-remove com
antispywaresecrets com
protectyourcomputerfromspyware info
cleanpcfree net
spyware-bot com
spywarezapperco uk
thepcsecurity com
noadware-official-site com
spywaredoctorfavor cn
removespywareedge cn
thespywareremover com
virusremovalguru com
virusremovalguide org

The day when fake security software sites start attracting traffic by promising to remove other fake security software is the day when we have clear evidence that an ecosystem has emerged.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/35628.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35628.shtml</guid></item>
<item><title>DIY Skype Malware Spreading Tool in the Wild</title><description>Secuobs.com : 2008-11-12 19:44:15 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge -

Who needs to build hit lists by harvesting user names when a usability feature allows you to expose millions of users to your latest social engineering campaign? That seems to be the mentality behind yet another Skype malware spreading tool, which, just like the majority of publicly obtainable tools, is aiming to contact everyone, everywhere.

The tool's main differentiation factor is its feature of harvesting the personal information of users it has managed to detect randomly, in between the mass spamming of malicious URLs of course. However, despite its DIY nature allowing someone to easily launch a malware campaign spreading across Skype, the tool is lacking the segmentation features offered by related Skype spamming tools. Just like in a cybercrime 1.0 world where DIY exploit embedding tools were favored due to the lack of web malware exploitation kits, in a cybercrime 2.0 world these DIY tools matured into IM malware spreading modules easily attached to any infected host, given the botnet master is looking for such functionality.

Related posts:
Skype Spamming Tool in the Wild - Part Two
Skype Spamming Tool in the Wild
Harvesting Youtube Usernames for Spamming
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware</description><link>http://www.secuobs.com/revue/news/35571.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35571.shtml</guid></item>
<item><title>Zeus Crimeware Kit Gets a Carding Layout</title><description>Secuobs.com : 2008-11-10 13:04:39 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
With cybercriminals clearly expressing their nostalgia for several notorious and already shut down credit card fraud communities, they seem to have found a way to once again give their self-esteem a boost. Following the ongoing modification of open source crimeware kits and the inevitable innovation introduced by third parties, last week a new layout was introduced for Zeus, once again courtesy of a group that's piggybacking on Zeus' popularity.

It's particularly interesting to see how a one-man operation evolves into a group of third-party developers starting to claim ownership rights over the modified versions, despite the fact that they're basically brandjacking the Zeus brand and building business models on top of it.

Open source crimeware and web malware exploitation kits, on the other hand, undermine the business model of a great number of "malware/spyware for hire" vendors, which surprisingly doesn't stop them from continuing to offer their services and products, which often use the de facto crimeware kits as the foundation for their propositions. Are the buyers even aware of this fact? From a buyer's perspective, in times when most of the output is sold in bulk form, or access to the botnet is rented for a specific period of time, the buyer doesn't care about the cybercrime platform in use, but is looking for transparent ways to justify the investment he's made into renting the service.

Now that Zeus administrators and their cybercrime clerks, in the face of those managing the campaigns, knowingly or unknowingly aware of the type of campaigns and the data that they manage, can listen to their favorite music within Zeus and choose different layouts for the command and control interface while committing cybercrime, what's next? Convergence and improved monetization.</description><link>http://www.secuobs.com/revue/news/34971.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34971.shtml</guid></item>
<item><title>DIY Phishing Pages With Command and Control Interfaces</title><description>Secuobs.com : 2008-11-06 13:45:39 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
The day when DIY phishing pages start coming with manuals is the day when, consciously or subconsciously, a phisher is lowering the entry barriers into phishing yet another time. Much more user-friendly compared to the old-fashioned -- yet effective -- rock phish directory listing, a recently released command and control interface for Rapidshare phishing campaigns aims to empower its users with easy dynamic link generation for their campaigns.

What they've managed to achieve is another trust factor, since Rapidshare generates a second dynamic link upon clicking on the original one. The script not only generates a dynamic-looking link, but also actually logs the victim into their account in order to avoid suspicion, while it still logs all the accounting data.

Scammers also tend to be ironic every now and then. For instance, in this particular case, one of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is the script actually working? It appears so, at least going through a misconfigured accounting data dump left by one of the phishers.

Related posts:
Phishing Pages for Every Bank are a Commodity
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
DIY Phishing Kits Introducing New Features</description><link>http://www.secuobs.com/revue/news/33873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33873.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for October</title><description>Secuobs.com : 2008-11-04 16:03:03 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts</description><link>http://www.secuobs.com/revue/news/33395.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33395.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Twelve</title><description>Secuobs.com : 2008-11-03 23:24:37 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
These very latest rogue security software domains have been in circulation -- blackhat SEO, SQL injections, traffic redirection scripts -- since Friday and remain active:
premium-pc-scan.com 78.159.118.217; 89.149.253.215; 91.203.92.47
antivirus-pc-scan.com 208.72.169.100
securityfullscan.com 84.243.197.184
antivirus-live-scan.com 84.243.196.136; 89.149.227.196
windefender-2009.com - 200.63.45.55
windefender2009.com

What these domains have in common, excluding the last two WinDefender ones, is the domain registrant and the DNS servers used, and the fact that, despite having already been featured in several malicious doorways, meaning these are receiving traffic already, they forgot to upload the binaries on all of the active domains:
"Not Found. The requested URL /2009/download/trial/A9installer_exe was not found on this server"

Registrant:
Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +79031609536
DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com

Moreover, the following domains are also parked at the same IPs, but are currently in stand-by mode. They too use the same DNS servers, with the only difference being the registrant, who seems to have been running a very extensive portfolio of bogus domains, potentially making hundreds of thousands in the process:
save-my-pc-now.com
real-antivirus.com
liveantivirustest.com
antiviruspctest.com
premium-live-scan.com
antiviruspersonaltest.com
mysecuritysupport.com
updateyourprotection.com
antivirus-premiumscan.com
securitylivescan.com
security-full-scan.com
secured-liveupdate.com
livepcupdate.com
protection-update.com
antivirus-scan-online.com
xpsoftupgrade.com
live-virus-defence.com

Registrant:
Shestakov Yuriy
alexey@cocainmail.com / alexeyvas@safe-mail.net
+79218839910
Lenina 21 16
Mirniy, MSK, RU 102422

The sampled WinDefender binaries phone back to megauplinkbindinstaller.com/cfg1.php (91.203.92.99), with the entire netblock clearly a bad neighborhood. Here are some sample command and control locations:
91.203.92.101 /admin/cd.php?userid=19102008_184429_260953
91.203.92.25 /dmn/domen.txt
91.203.92.135 /alligator/cfg.bin
91.203.92.132 /c.bin

This operation is being monitored; results will be posted as they emerge.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/33224.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33224.shtml</guid></item>
<item><title>Modified Zeus Crimeware Kit Gets a Performance Boost</title><description>Secuobs.com : 2008-11-03 21:59:54 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Oops, they did it again - modifying an open source crimeware kit like Zeus in order to improve its performance, fix previously known bugs, and release the improved administration script for free at the end of October.

It's important to point out that both of these modifications haven't been released by the original author of Zeus, but by third parties filling in the gaps he has left open. The very nature of open source web based malware exploitation kits is one of the key factors for the ongoing convergence of traffic management, exploit serving, DDoS, and cybercrime-as-a-service features into a simplified cybercrime platform available on demand.

Following the discovery of a remotely exploitable flaw within Zeus in June -- a flaw affecting Pinch leaked out two months later -- allowing cybercriminals to inject their own credentials and hijack the botnets of other cybercriminals, this modified version claims to have fixed three vulnerabilities within the original Zeus release, namely a remote file inclusion flaw and two SQL injections within the administration panel. Here's the new CHANGELOG:

"- code improvements and optimizations
- internal data checking added
- exit() function instead of die()
- echo function instead of print
- mysql_affected_rows() changed to mysql_num_rows() everywhere
- all queries are fixed in system or mod php files
- no text password in the database and no clear text password in $_SESSION; cookie authentication is gone and md5 hashes are everywhere
- Geo IP support has been added
- umask() bug fixed, the file has been created chmoded with different permissions
- language improvements and pre-installation checks
- checking for php version/safe_mode/open_basedir, as you're required to run php 5.1.0 or higher to run it successfully
- fixed sql injection in credentials checking
- GetUserData() function has been rewritten - possible sql injection fixed
- possible remote file inclusion fixed
- socket error definition changed
- gcnt() function has been rewritten so you can use geolocation - GeoIP which is free and GeoIPCity which is paid
- ip address checking improved through validIP() function improvement
- all queries are now fixed, input data has been sanitized
- fs() function has been fixed in order to improve the quality of the log names
- formatFilePath() function has been added for file upload purposes
- arbitrary file upload bug has been fixed so that you can now upload only images with original names
- the Log2SQL() function has been changed and stricter data checking/sanitizing is added
- internal file sorting mechanism is improved so that files/dirs are sorted by file modification time"

As it's becoming increasingly clear that what once used to be proprietary crimeware kits, whose business model got undermined by their open source nature and the fact that they started leaking for average cybercriminals and script kiddies to take advantage of, are today's "open source projects", maintaining static lists of the exploits and features included within a particular kit is getting even more irrelevant these days. In the long term, the quality assurance processes applied within crimeware kits, courtesy of third-party cybercriminals, are prone to shift from performance to improving the infection rates.</description><link>http://www.secuobs.com/revue/news/33208.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33208.shtml</guid></item>
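Two entries in the changelog quoted above, "fixed sql injection in credentials checking" and "ip address checking improved through validIP() function improvement", describe generic web-panel defects rather than anything Zeus-specific. The following is an added example, not code from Zeus or from the third-party modifiers: the real panel is PHP with MySQL, so the Python and in-memory SQLite used here, the table layout and the function names are all assumptions. It shows a credentials check that splices the username into the SQL text, the tautology input that turns it into a login bypass, the bound-parameter version that closes the hole, and a strict IP validator. Unsalted MD5 is reproduced only because that is what the changelog says the kit stores; it is not a recommendation.

```python
import hashlib
import ipaddress
import sqlite3

# Constructed demo accounts standing in for the panel's operator table.
DEMO_USERS = [("admin", "s3cret"), ("operator", "hunter2")]


def md5_hex(password):
    """The changelog's storage format: unsalted MD5 (weak; kept for fidelity)."""
    return hashlib.md5(password.encode()).hexdigest()


def make_demo_db():
    """Build an in-memory users table in the assumed (name, pass) shape."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pass) VALUES (?, ?)",
        [(name, md5_hex(pw)) for name, pw in DEMO_USERS],
    )
    return conn


DB = make_demo_db()


def check_login_vulnerable(name, password, conn=DB):
    """Pre-fix pattern: the username becomes part of the SQL text.

    Returns the user id on success, else None. A name such as
        ' OR 1=1 --
    closes the quoted literal, makes the WHERE clause always true and
    comments out the password comparison, so any password logs in as the
    first row (this is how another operator's panel could be hijacked).
    """
    query = (
        "SELECT id FROM users WHERE name = '" + name + "' "
        "AND pass = '" + md5_hex(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def check_login_fixed(name, password, conn=DB):
    """Post-fix pattern: bound parameters, so input is data and never SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND pass = ?",
        (name, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


def valid_ip(text):
    """Strict validIP() equivalent: only a well-formed IPv4/IPv6 literal passes.

    Rejects dotless digit runs, surrounding whitespace and trailing garbage,
    all of which a loose regex or a numeric-only check tends to accept.
    """
    if not isinstance(text, str) or text != text.strip():
        return False
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print("vulnerable:", check_login_vulnerable(payload, "anything"))
    print("fixed:     ", check_login_fixed(payload, "anything"))
    print("valid_ip:  ", valid_ip("91.203.92.47"), valid_ip("912039247"))
```

The fixed check still has the weakness the changelog itself introduces, a fast unsalted hash, so a leaked table is trivially brute-forced; parameterisation removes the injection, not the password-storage problem.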
<item><title>Pseudo Email Marketing Tools Empowering Spammers</title><description>Secuobs.com : 2008-10-30 01:54:01 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the development of a DIY spamming tool whose features have greatly evolved throughout the last couple of years. Originally released in 2004, the vendor appears to have been actively improving the real-time metrics of the campaigns, next to building interactivity into the spamming process through the WYSIWYG editor.

For better or worse, despite the fact that these applications are empowering spammers and lowering the entry barriers into spamming, the tools have been largely replaced by the increasing number of managed spamming services, whose quality assurance features for bypassing spam filters act as the main differentiation factor. Here are some of this tool's features:

"- High speed distribution - 200,000 letters per hour
- Contains an embedded SMTP server that allows you to send letters directly to the recipient's mailbox without using your provider's SMTP server
- If you are accessing the Internet via modem, and distribution using the embedded SMTP server does not fit you, it is also allowed to send mail through any number of remote SMTP relay servers, or via the provider's SMTP server
- Support for SMTP authentication
- Supports up to 500 concurrent streams for each mailing
- Automatic caching of DNS requests to speed up distribution and reduce the load on the DNS server
- Ability to run multiple independent shots at the same time
- Ability to suspend delivery and continue later from that point
- All distribution modes - TO, CC, BCC and PersonalCopy. In the latter case, the program generates a personal letter to each recipient
- Ability to specify the size of the BCC package in TO, CC and BCC modes
- Ability to specify the TO: field for mailing in CC and BCC modes
- Full emulation of Outlook Express letter signatures to increase the pass-through of your mails through spam filters
- Support for distribution via a proxy server
- Automatically detect bad (non-existent) e-mail addresses directly in the process of distribution, based on flexible, user-defined SMTP rules. Thanks to SMTP rules, a very precise definition of bad addresses is achieved, with virtually no false positives
- Ability to create lists of addresses depending on the specific responses of remote servers to SMTP commands
- Organize automatic subscribe/unsubscribe of mailing addresses
- Perform any processing of existing lists
- Develop a letter in the powerful WYSIWYG HTML editor
- Automatically address each recipient by name, as well as paste specific, personalized information into a letter through powerful Mail Merge templates
- Set the calendar to automatically launch shots at the right time
- Quickly send out mail"

With managed spam services' on-demand, risk-forwarding and completely outsourced processes, they're not only going to replace such DIY tools, but also position them as dynamically evolving cybercrime platforms.</description><link>http://www.secuobs.com/revue/news/32415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32415.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Eleven</title><description>Secuobs.com : 2008-10-28 18:49:16 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
The following portfolio of fake security software appears to have been integrated within traffic redirection doorways during the weekend, consequently redirecting hundreds of thousands of users acquired from blackhat SEO, malvertising, email spam and SQL injections to non-existent security vendors and their non-existent security products. Here's an excerpt from one of the templates that they're using:

"Since its first establishment in 2001, Antivirus VIP has consistently maintained its position as one of the world's leading companies in antivirus research and product development. Antivirus VIP is known mostly for Antivirus VIP, its powerful mix of Anti-Malware, Anti-Virus, Anti-Trojan, Anti-Backdoor, Anti-Worm and Anti-PornoDial in one program. Antivirus VIP scans and removes trojans and other malware, which can be placed on a computer without the owner's knowledge.

Antivirus VIP is a powerful and easy-to-use Trojan horse, virus and all types of malware removal software, which detects and eliminates more than 100'000 Trojan Horses and Spywares. It also detects viruses, trojans, worms, spyware, malicious ActiveX controls and Java applets. The latest version of Antivirus VIP features outstanding detection abilities, together with high performance. Antivirus VIP creates the best anti-virus, anti-trojan and anti-spyware security solutions that protect computer users from ever-increasing cyber threats and all the dangers of the new century"

And the domains and their associated IPs:
antivirus-freescan.com 208.72.169.100
defendyourpc.com
mycupupdate.com
secureupdatecenter.com
secureupdateserver.com
webscannertools.com
secureyourpayments.com
protection-overview.com
save-my-pc-now.com 84.243.196.136; 89.149.227.196; 89.149.227.232
antivirus-pcscan.com
hiqualityscan.com
active-scanner.com
perfectscanner.com
livesecurityinfo.com 216.240.134.208
protection-freescan.com
antvirushelp.com
prosecurity-audit.com
scan-my-pc.com 8914925156
securedclickhere.com
premiumlivescan.com 78.159.118.217; 89.149.253.215; 216.240.134.211
quick-live-scan.com
ekerberos.com 77.244.220.134; 119.47.81.140; 218.106.90.227
virtualpcguard.com 67.55.81.200
antivirus-vip.com 216.32.76.87

As I've pointed out numerous times in the past, on the majority of occasions the "campaigners" aren't fully taking advantage of the evasive features that their traffic management kits empower them with.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/32118.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32118.shtml</guid></item>
<item><title>Money Mules Syndicate Actively Recruiting Since 2002</title><description>Secuobs.com : 2008-10-28 15:16:22 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Money mules have long been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust-based model built on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also has the potential to increase or decrease the commissions that the mules take, based on the risk of getting caught.

There are several different types of money mules: those serving themselves, and those offering their services to others. In this particular case, we have a money mule syndicate that's been operating since 2002 and is only serving high-profile customers. What happens when such a money mule syndicate naturally starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins and PayPal accounts to stolen credit card data. Here's a translated description of the service:

"Who we are
- First place at cyber crime community top list of trusted service providers for 2008
- We serve the big guys only, since 2002
- We never scam; in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from the cybercrime community
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team there will be paradise conditions:
- Instant payment a few hours after delivery
- Large number of drop services in the USA and the UK (30)
- Individual drops in a number of large islands
- 3-5 fresh drops weekly
- Round-the-clock support"

In case some of their customers get scammed by some of their money mules -- appreciate the irony here, as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is prone to be generating. OPSEC (operational security) has been taking hold across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that, in the very same way they keep track of the major anti-fraud features implemented across the services they abuse, those implementing them could be monitoring them as well.</description><link>http://www.secuobs.com/revue/news/32073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32073.shtml</guid></item>
<item><title>Compromised Portfolios of Legitimate Domains for Sale</title><description>Secuobs.com : 2008-10-24 17:38:44 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Is the demand for access to compromised legitimate portfolios of domains -- where the price is based on the pagerank and is shaped by the number of domains in question -- the main growth factor for the increasing supply of such stolen accounting data, or is it the result of cybercriminals data mining their botnets for accounting data that would provide them with access to such portfolios of high-trafficked domains with clean reputations? Moreover, would such a data mining approach, made easily possible due to the availability of botnet parsing services and stolen accounting data dumps streaming directly from a botnet, in fact be the more efficient approach to injecting their malicious presence on as many hosts as possible, next to the plain and simple massive SQL injection approach?

As always, it's a matter of who you're dealing with, and their understanding of the exclusiveness of a particular underground item at a given period of time. This exclusiveness is inevitably going to increase due to the fact that there are several "vendors" that are already purchasing access to such portfolios, as well as compromised cPanel accounts, as a core business, the access to which they would later on either resell at a higher price, enjoying the underground market's lack of transparency, or directly monetize and break even immediately. As for this particular proposition for an account with 404 domains in it, it's interesting to monitor how the seller is soliciting bids from multiple sources by leaving the price an open topic, clearly indicating his low profile in the underground ecosystem. How come? An experienced seller or buyer would be offering or requesting page rank verification, respectively.

With nearly each and every aspect of cybercrime already available as a service, or literally outsourced as a process to those supposedly excelling in a particular practice, building capabilities for data mining botnets is no longer a requirement, with the people behind the botnets monetizing all the data coming from them by soliciting deals for accounting data dumps based on a particular country only.</description><link>http://www.secuobs.com/revue/news/31546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/31546.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Ten</title><description>Secuobs.com : 2008-10-22 16:35:32 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -
Popping up like mushrooms, these are the very latest rogue security software domains for your case building, cross-checking, or blackholing pleasure. Interestingly, next to decentralizing the hosting locations, they're also using legitimate hosting providers whose reputation they've also been abusing for spamming in the past:
go-scan-pro.com 78.157.143.184
internet-antivirus-2008.com
ia-stat-ia.com
ia-scanner-pc.com
ia-scanner-pro.com
goscanpc.com
go-iascan.com
ia-install-pro.com
ia-scan-pro.com
ia-scanpro.com
ia-scannerpro.com
ia-free-scanner.com
ia-scan-now.com
online-antivirus.net 91.203.70.57
virus-scan-online.com
online-virus-scanning.com
scanner-protection.com
online-scan.net
s-avirus2009.com 92.241.177.70
sa-vir2009-buy.com
s-avir2009-buy.com
xpas-2009.com 96913585; 206.161.120.26
xp-as-2009.com
antimalwaresuite2009.com 58.65.234.193
cleaner2009pro.com
pcdefender2008.com 89.149.241.228
database-virus.com 75.125.215.35

Moreover, a new template mimicking a local AV scan, which you can see in the attached screenshots, has been circulating for a while. Naturally, it's localized and, based on the browser's default language, serves a local version of the message. "Follow the customer and expose the vendor" still works; however, in the average time it takes to track them down, a great number of people have already purchased the rogue software. The rogue security software business model is very similar to the spamming business model in the sense that they don't care whether 5, 10 or 15 people get tricked and install it, since even if 4 people out of 100,000 unique daily visits fall victim, they break even.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/31068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/31068.shtml</guid></item>
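The rogue security software posts above (Parts Ten, Eleven and Twelve, and the blackhat SEO list at the top of this section) publish their indicators one per line: a domain, optionally followed by the IPs it resolved to, separated by semicolons. As an added example that is not part of the original posts, the following Python reads lists in that shape into structured records, drops tokens that are not valid addresses (such as the bare "-" separator one list uses), merges domains that are listed twice, and pivots on shared hosting and /24 netblocks so that domains sitting on the same infrastructure can be blackholed together. The sample input is constructed from a handful of the indicators quoted above; it is not the posts' complete lists.

```python
import ipaddress

# Constructed sample in the shape of the lists quoted above:
# "domain [-] ip; ip; ..." with the IPs optional (not the posts' full lists).
SAMPLE_LIST = """
premium-pc-scan.com 78.159.118.217; 89.149.253.215; 91.203.92.47
antivirus-pc-scan.com 208.72.169.100
securityfullscan.com 84.243.197.184
antivirus-live-scan.com 84.243.196.136; 89.149.227.196
windefender-2009.com - 200.63.45.55
windefender2009.com
antivirus-freescan.com 208.72.169.100
save-my-pc-now.com 84.243.196.136; 89.149.227.196; 89.149.227.232
liveantivirustest.com
liveantivirustest.com
premiumlivescan.com 78.159.118.217; 89.149.253.215; 216.240.134.211
go-scan-pro.com 78.157.143.184
"""


def parse_indicators(text):
    """Return {domain: set of IP strings} from one-indicator-per-line text.

    The first token is the domain; every following token that parses as an
    IPv4/IPv6 address is kept, anything else (the bare "-" separator one of
    the lists uses, stray punctuation) is dropped. A domain listed twice is
    merged into one record instead of being repeated.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, rest = line.partition(" ")
        ips = records.setdefault(domain.lower().rstrip("."), set())
        for token in rest.replace(";", " ").split():
            try:
                ips.add(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # separator or garbage, not an address
    return records


def shared_hosting(records):
    """Invert to {ip: sorted domains}, keeping only IPs that host 2+ domains.

    Domains sharing an address are almost always the same campaign, so a
    confirmed hit on one is grounds to sinkhole the others pre-emptively.
    """
    by_ip = {}
    for domain, ips in records.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def netblocks(records, prefix=24):
    """Group the IPv4 indicators by /prefix and rank the networks by how many
    distinct addresses each contributes, most populated first."""
    nets = {}
    for ips in records.values():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.version == 4:
                net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                nets.setdefault(str(net), set()).add(ip)
    return sorted(((n, len(s)) for n, s in nets.items()),
                  key=lambda item: (-item[1], item[0]))


def hosts_blocklist(records):
    """Render a hosts-file style sinkhole list, one line per domain, sorted."""
    return "\n".join(f"0.0.0.0 {domain}" for domain in sorted(records))


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_LIST)
    print(f"{len(recs)} unique domains")
    for ip, doms in sorted(shared_hosting(recs).items()):
        print(f"{ip} hosts {', '.join(doms)}")
    for net, count in netblocks(recs):
        print(f"{net} {count} address(es)")
    print(hosts_blocklist(recs))
```

The netblock view is what turns a flat list into a blocking decision: in the sample, 89.149.227.0/24 shows two distinct addresses serving two campaigns' domains, which is the "bad neighborhood" signal the Part Twelve post draws from the 91.203.92.x range.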
<item><title>Massive SQL Injection Attacks - the Chinese Way</title><description>Secuobs.com : 2008-10-21 23:44:58 - Dancho Danchev's Blog  Mind Streams of Information Security Knowledge - IMAGEFrom copycats and "localizers" of Russian web malware exploitationkits, to suppliers of original hacking tools, the Chinese ITunderground has been closely following the emerging threats and theobvious insecurities on a large scale, and so is either filling theniches left open by other international communities, or coming up withtools setting new benchmarks for massive SQL injection attacks, likethe case with this one :IMAGE"A professional web site vulnerability scanning, use of tools,SQL injection is a new generation of tools to help Web developers andsite of the station quickly find vulnerabilities in order to be ableto effectively prepare Security work At the same time, the tool toWeb developers to demonstrate the ways in which hackers are usingthese vulnerabilities, hackers, as well as through the loopholes to dothings, can effectively raise the safety awareness of relevantpersonnel"IMAGENothing's wrong with the marketing pitch at the first place,but going through the features, the "massive SQL injections throughsearch engine reconnaissance" and automatic page rank verificationwhich you can see in the attached screenshots, ruin the "securityauditing" marketing pitch The tool not only allows easy integrationof potentially vulnerable sites obtained through search enginesreconnaissance, but also, is prioritizing the results based on theprobability for successful injection, next to the page rank of thedomains in question A simple demonstration offered by the company isalso, directly enticing its users to "localize" the search enginereconnaissance, by filtering the search results for a particuparcountry, in this case they used French sites for one of the demosHere are some excerpts from its CHANGE log speaking for themselves :"2008715 release version 13IMAGE- New powerful 
"automatic machine cycle" feature- Automatic machine cycle is to provide assistance to the advanceduser manual into the use of a very- powerful and flexible module, the main sites used for some specialfiltering into the hand, is almost a- universal tool, you can achieve the following:IMAGE1 In support of GET / POST / COOKIES in a variety of ways,such as the injection2 Scan the key to the page background, upload, WebShell, databases,backup files, etc3 According to the dictionary to violence landing back-guess solutionWebShell password and password required to verify that the code cannot guess solution4 Page language does not limit the types and databases to providespecific statements into the database5 At the same time, support for the circulation of the two variablesand two dictionaries, fast running and violent content of the databasesolution to guess a password"It gets even more interesting in terms of the massive SQL injectionattacks mentality which is pretty evident on all fronts :IMAGE"- The use of the three search engine sites scans to invade theside to complete- in scanning probe into the Web site ranking points- added, "VBS upload to download", "upload directory Web site viewer,""FTP upload to download configuration file" function to make it moreconvenient for the sa rights to use the site- New "sequence document scanners"- What is the sequence document scanners role Upload to findloopholes, some of the procedures to upload the file after the uploadwill be renamed, rename the way the system is usually based on time orincremental increase in the number prefix code for the upload process,if not to return after the file name, Upload files to know the url isusually very difficult to sequence the use of paper scanner can bescanned outIMAGE- The best reverse domain name query engine, and quasi-wide- in scanning the database of basic information, an increase of thedatabase of information related to the process, the link hasinformation on the database server user 
login, which needs sa permission
- The interface control had a big adjustment; the interface process is easier to understand and operate
- Comprehensive code optimization of the error-based access mode for sites, with more accurate access to the content, and accuracy and progress shown
- Improved detection order for injection point types, to improve detection efficiency
- Improved automatic keyword detection; automatic keyword detection is more accurate
- Improved the way injection points are probed, and added automatic keyword detection
- Improved database type detection: when detection by content length fails, it automatically switches to probing through keywords
- Automatically saves and loads the tree structure of the database already guessed; content and structure already guessed are saved automatically and made available the next time the injection point is opened, so they do not have to be guessed again, greatly improving continuity of work
- Solved the problem of the program hanging half-way when reading large amounts of data (hundreds of thousands or millions of records) from the database
- Improved error-mode handling for ASP.NET and SQL Server 2005; error messages can be extracted from a web directory
- Amendments to error mode: some injection points could not successfully obtain the contents of fields one by one; added access to specific tables and fields
- Amendments to error-pattern text detection, so that the vulnerabilities in the system can be used to expand further; text error mode was already supported in version 11, but in the version 12 upgrade it was dropped by carelessness while improving scanning performance -_-#
- Error mode is compatible with a variety of text encodings and correctly handles the error text of ASP.NET pages; through custom error keywords it is truly compatible with any language and any encoding of error message
- Improvements and enhancements to anti-cracking
- Added auto-detection of feature keywords
- For Mssql databases specifically, error-mode injection point detection and exploitation have been worked on hard, so that many injection points other software cannot detect can also be used
- Automatic save and load of database access, allowing known tables and fields to be added manually for guessing
- Accuracy can be adjusted; optimized code to reduce memory footprint; enhanced multi-threading stability
- Fixed a defect in error mode where the contents of the database had to be checked against the first field"

The public version of the tool has been in the wild for over a year, with a VIP version available to customers only.</description><link>http://www.secuobs.com/revue/news/30970.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/30970.shtml</guid></item>
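<![CDATA[
The changelog above keeps returning to "automatic keyword detection" and content-length comparison, which is how such tools confirm an injection point: send a condition that is always true and one that is always false, and compare each response with the baseline page. The following is an added example of that boolean-based check, not code from the tool or the blog post; the products table, the two lookup functions and the probe payloads are constructed for illustration, and the parameterized lookup is shown beside the vulnerable one so the same probe can be seen failing against it.

```python
"""Boolean-based injection point detection run against a vulnerable and a
parameterized query (added example; tables, functions and payloads are
constructed for illustration, not taken from any tool)."""
import sqlite3

def make_db():
    """In-memory table standing in for the target application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])
    return db

def lookup_vulnerable(db, product_id):
    """Deliberately unsafe: the parameter is pasted into the SQL text."""
    rows = db.execute("SELECT name FROM products WHERE id = " + product_id).fetchall()
    return "".join(name for (name,) in rows)

def lookup_safe(db, product_id):
    """Same query with the value bound as a parameter; input never reaches the SQL parser."""
    rows = db.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return "".join(name for (name,) in rows)

def as_page(fn):
    """Turn a lookup into a 'page fetch': a database error becomes an error page,
    which is still a response worth comparing (the changelog's 'error mode'
    extracts data from exactly those messages)."""
    def fetch(value):
        try:
            return fn(value)
        except sqlite3.Error as exc:
            return "ERROR: " + str(exc)
    return fetch

def is_injectable(fetch, base_value):
    """Boolean-based probe. `fetch` takes the parameter value and returns page text.

    The injection point is confirmed only when the always-true probe reproduces
    the baseline page and the always-false probe changes it. A page that ignores
    the parameter (same content for all three) or that errors on every probe
    (baseline differs from both) is not reported; that is what keeps a
    length/keyword comparison from flagging random noise.
    """
    baseline = fetch(base_value)
    truthy = fetch(base_value + " AND 1=1")
    falsy = fetch(base_value + " AND 1=2")
    return truthy == baseline and falsy != baseline

def demo():
    """Probe both lookups with the same base value and report the verdicts."""
    db = make_db()
    return {
        "vulnerable": is_injectable(as_page(lambda v: lookup_vulnerable(db, v)), "1"),
        "parameterized": is_injectable(as_page(lambda v: lookup_safe(db, v)), "1"),
    }

if __name__ == "__main__":
    print(demo())
```

Against the parameterized lookup the probe string "1 AND 1=1" is compared as a literal value, no row matches, and the true-probe page no longer equals the baseline, so the detector correctly reports nothing; that three-way comparison, rather than a single payload, is what separates a real injection point from a page that merely varies.
]]>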
<item><title>Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks</title><description>Secuobs.com : 2008-10-20 17:08:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

The original real-time OSINT analysis of the Russian cyberattacks against Georgia, conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool, which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks (with Chinese hacktivists perfectly aware of the meaning of the phrase) relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it scales faster and attracts more participants. What the Russian government was doing is fueling the cyber fire, literally, since all it takes for a collectivist society's cyber militia to organize is a "call for action", which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action, a project I discussed back in August, got published last week and point to the bottom of the food chain in the entire campaign, stopgeorgia.ru:

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over-enthusiastic Russian netizens distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web", limiting the possibilities for open source intelligence using data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties: whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives."

So what's the bottom line? Nothing that I haven't already pointed out back in August, in "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks":

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments:

""Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense.""

It wouldn't make sense if this was the first time Russian hacktivists were maintaining the same rhythm as real-life events, which of course it isn't. Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign remains unknown; I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House, speaking for Georgia's dependence on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research in their "negative public comments section".

To sum up: the "DoS battle stations operational in the name of the 'Please, input your cause'" mentality is always going to be there.</description><link>http://www.secuobs.com/revue/news/30655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/30655.shtml</guid></item>
<item><title>TorrentReactor Compromised, 12M Users Database In the Wild</title><description>Secuobs.com : 2008-10-16 21:13:03 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in September, with its users database consisting of 12M users and TorrentReactor's source code stolen. Despite the attacker claiming responsibility citing reputation enhancement as the reason for the attack, sooner or later the personal details will be sold and resold to spammers, with the possibility for spear phishing attacks left wide open.</description><link>http://www.secuobs.com/revue/news/30062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/30062.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Nine</title><description>Secuobs.com : 2008-10-16 21:13:03 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

Among the most recently spotted rogue security software applications and fake system maintenance tools are:
pcvirusremover2008.com 7815714247; 926210167
registrydoctorpro2008.com
powerfulvirusremover2008.com
registrydoctor2008.com
topregistrydoctor2008.com
securefileshredder2009.com
securefilesshred.com
registrydoctor2008-scan.com
registrydoctor2008-pro.com
prosecureexpertcleanerpro.com
supersecurefileshredder.com
hypersecurefileshredder.com
securefilesshredder.com
secureexpertcleaner.com
winsecureexpertcleaner.com
prosecureexpertcleaner.com
yoursecureexpertcleaner.com
bestsecureexpertcleaner.com
mysecureexpertcleaner.com
energysavecenter.com
virusremover2008plus.com

malwarecrashpro.com 1955117248
antimalwareguard.com
malwarecrash.com
antimalwareguardpro.com
antimalwaremasterpro.com
xp-antispyware-2009.com 206.161.120.21
xp-antispyware2009.com 206.161.120.20
xp-as-2009.com 206.161.120.24
xpantispyware-2009.com 206.161.120.22
xpas2009.com 206.161.120.23

killwinpc.com 200.63.45.20
registryupdate.org 216.122.218.11
antivirus-2009-pro.net 2172017544
a-a-v-2008.com 92.241.163.27
aav2008.com
adv-a-v.com
ietoolsupdate.com 208.72.168.84
iexplorerfile.com

Registrants of notice for cross-checking purposes:
Sagent Group adminsagent@gmail.com
Billy A Schmitt admiragroup@yahoo.com
Shestakov Yuriy alexvasiliev1987@cocainmail.com
Andrej Kazanski akazanski@europe.com

Related posts:
Violating OPSEC for Increasing the Probability of Malware Infection
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software</description><link>http://www.secuobs.com/revue/news/30061.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/30061.shtml</guid></item>
<item><title>DDoS Attack Graphs from Russia vs Georgia's Cyberattacks</title><description>Secuobs.com : 2008-10-15 22:30:37 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

As part of Georgia's information warfare campaign aiming to minimize the bandwidth impact on its de-facto media platforms, such as the web site of their Ministry of Foreign Affairs, I've just received a report, part of Georgia's "Russian Invasion of Georgia" series, entitled "Russian Cyberwar on Georgia", which is quoting me on page 4 in regard to the "too good to be courtesy of Russia's cyber militia" creative that appeared on the defaced Georgian President's web site. The report also includes DDoS attack graphs and related details worth going through:

"The last large cyberattack took place on 27 August. After that, there have been no serious attacks on Georgian cyberspace. By that is meant that minor attacks are still continuing, but these are indistinguishable from regular traffic and can certainly be attributed to regular civilians. On 27 August, at approximately 16:18 GMT+3, a DDoS attack against the Georgian websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The attacks peaked at approx. 0.5 million network packets per second, and up to 200–250 Mbits per second in bandwidth (see attached graphs). The graphs represent a 5-minute average: actual peaks were higher.

The attacks mainly consisted of HTTP queries to the http://mfa.gov.ge website. These were requests for the main page script with randomly generated parameters. These requests were generated to overload the web server in a way where every single request would need significant CPU time. The initial wave of the attack disrupted services for some Georgian websites. The services became slow and unresponsive. This was due to the load on the servers by these requests. As you see from the graphs above, the attacks started to wind down after most of the attackers were successfully blocked. The latest attack may have been initiated as a response to the media coverage on the Russian cyber attacks."

In case you're interested in more factual evidence about what was happening at that particular moment in time, go through the following assessment, "Coordinated Russia vs Georgia cyber attack in progress", as well as the following posts: "The Russia vs Georgia Cyber Attack"; "Who's Behind the Georgia Cyber Attacks"; "Georgia President's web site under DDoS attack from Russian hackers".</description><link>http://www.secuobs.com/revue/news/29851.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/29851.shtml</guid></item>
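<![CDATA[
The report describes the attack's signature precisely: the same script requested over and over with randomly generated parameters, so no cache can answer and every request costs the server CPU. The following is an added example of how that pattern can be picked out of a web server's access log, not code from the report or the blog post: per client and per path it counts requests inside a sliding window and the share of query strings never seen before, since a legitimate visitor repeats the same few query strings while a cache-busting flood drives that share towards 100%. The log lines, the "/index.php" path, the timestamps and the thresholds are constructed for the example.

```python
"""Flag clients sending cache-busting floods (one script, ever-changing query
string) in combined-format access logs. Added example; log lines, path and
thresholds are constructed and assumed, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, timestamp, path, query) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("url"))
    return m.group("ip"), ts, parts.path, parts.query

def find_cache_busters(lines, window_seconds=60, min_requests=20, min_distinct_ratio=0.9):
    """Return {ip: {"requests": n, "distinct_queries": d, "path": p}} for clients that
    sent at least min_requests to one path inside a window, with (almost) every
    request carrying a query string not seen before in that window."""
    per_client = defaultdict(lambda: defaultdict(list))  # ip -> path -> [(ts, query)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, query = rec
        per_client[ip][path].append((ts, query))

    flagged = {}
    for ip, paths in per_client.items():
        for path, hits in paths.items():
            hits.sort()
            start = 0
            for end in range(len(hits)):
                # slide the window start forward until it spans at most window_seconds
                while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                    start += 1
                window = hits[start:end + 1]
                n = len(window)
                if n < min_requests:
                    continue
                distinct = len({q for _, q in window})
                if distinct / n >= min_distinct_ratio:
                    flagged[ip] = {"requests": n, "distinct_queries": distinct, "path": path}
                    break
    return flagged

def sample_log():
    """Constructed log lines: one flood source and one ordinary visitor, 30 hits each."""
    lines = []
    stamp = "[27/Aug/2008:16:18:%02d +0300]"
    for i in range(30):
        # flood: a fresh parameter value on every request, so nothing is cacheable
        lines.append('10.0.0.7 - - %s "GET /index.php?id=%d HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'
                     % (stamp % i, 100000 + i * 7919))
    for i in range(30):
        # ordinary visitor: the same three pages over and over
        lines.append('192.0.2.5 - - %s "GET /index.php?page=%d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
                     % (stamp % i, i % 3))
    return lines

if __name__ == "__main__":
    for ip, info in find_cache_busters(sample_log()).items():
        print(ip, info)
```

Rate alone would flag both clients here; it is the distinct-query ratio that separates the flood from the visitor. In production the thresholds need tuning to the site (search pages legitimately carry many distinct queries), and the natural response is a rule that rate-limits or blocks on the flagged source address rather than on the path.
]]>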
<item><title>EstDomains and Intercage VS Cybercrime</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also that it "has a reliable ally in its battle against malware in the face of Intercage, Inc".

Here's the press release:

"The EstDomains, Inc. management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc. makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with the domain holder's account if there is evidence of malware presence on the web site. According to the most recent statistics, over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc. specialists only last week. The company also has a reliable ally in its battle against malware in the face of Intercage, Inc., which provides the company with hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc. appreciates this partnership so greatly. Intercage, Inc. generously provides EstDomains, Inc. specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in the Intercage Data Center, EstDomains, Inc. has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite EstDomains having started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community":

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com
Best regards,
EstDomains Team

EstMate says: ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it may be because of your computer's or ISP's DNS cache; others won't be able to access these websites.

googlescanners-360.com isn't registered with us. As for other domains, the ones which were registered through us have been suspended.

Regarding our preventive measures, the fact that you don't see them doesn't mean there aren't any. Yes, we don't write about them, but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15,000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a US based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking action earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down. But how come? Simply, they don't have to put in extra effort and would once again remain online for years to come, which is perhaps more disturbing in the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links between a particular netblock and the RBN itself? With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just the way they should, what I've been researching for the past couple of months is how they've migrated from a centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple: the RBN, through its extensive underground networking skills, supplies customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise.

It's also worth pointing out that these franchises are in fact starting to cut out the middle man and disintermediate the RBN by actively advertising their services, in order to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks is today's decentralized infrastructure, with profit margins for the anti-abuse services such that it's logically capable of breaking even and earning profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience in the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBNs, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd
The Malicious ISPs you Rarely See in Any Report
Geolocating Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting and Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network</description><link>http://www.secuobs.com/revue/news/28245.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28245.shtml</guid></item>
<item><title>Spam Campaign Abusing Yahoo's Services</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

Think spammers. Yahoo.com trusts Yahoo.com; consequently, a spam campaign that uses bogus Yahoo.com email accounts, and spams only Yahoo users with links to Yahoo's search engine using queries leading to the exact spammer's URLs, is almost 100% sure to make it through spam filters. That seems to be the case with this spam campaign, perfectly fitting into the "spam that made it through" category.

Sample search queries resulting in a single result with the spammer's URL:
- yahoo.com/////////////////////////////search/search;_ylt=p=callfold5000
- search.yahoo.com/search?p=housetear5000
- yahoo.com/search/search;_ylt=p=galestay$229
- yahoo.com/search/search;_ylt=p=galestay$229
- yahoo.com/////////////////////////////search/search;_ylt=p=richorbit$229
- yahoo.com/////////////////////////////search/search;_ylt=p=richorbit$229

The search queries lead to galestay.com, housetear.com, callfold.com and richorbit.com, with several hundred spam domains participating in the campaign parked at 21861721 and 220.248.185.64.

With CAPTCHA solving and automatic account registration getting easier to outsource, next to the easily obtainable segmented email databases of a particular ISP or web based email service provider, launching such a campaign requires less effort than it used to. Interestingly, the emails spammed through Yahoo never leave Yahoo Mail, since the campaign is only spamming Yahoo users, judging by the extensive number of emails CC-ed.

What's to come in the long term? With an entire spamming infrastructure built on the foundation of hundreds of thousands of bogus accounts at legitimate services, spammers are already starting to embrace the "legitimate sender" mentality and are working on ways to integrate that infrastructure into their spam systems, evidence of which can be seen in several different managed spamming services.

Related posts:
Microsoft's CAPTCHA successfully broken
Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
Spam coming from free email providers increasing
Inside India's CAPTCHA solving economy</description><link>http://www.secuobs.com/revue/news/28244.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28244.shtml</guid></item>
<item><title>Two Copycat Web Malware Exploitation Kits in the Wild</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

We're slowly entering the "can you find the ten similarities" stage in respect to web malware exploitation kits, and their coders' continuous supply of copycat malware kits under different names, taking advantage of different exploit combinations. Copycat web malware exploitation kits are faddish; however, from a strategic perspective, releasing exploit kits like this one covered by TrustedSource, consisting entirely of PDF exploits, can greatly increase the exploitability level of Adobe vulnerabilities in general.

A similar web malware exploitation kit, once again using only Adobe related exploits, is Zopa. Have you seen this layout before? That's the very same layout MPack and IcePack were using, in the sense of cybercriminals preferring to use much more modular alternatives these days. Ironically, Zopa is more expensive than MPack and IcePack, with the coder trying to cash in on its biased exclusiveness and the introduction stage buzz generated around it.

The second web malware exploitation kit is relying on a mix of exploits targeting patched vulnerabilities affecting IE, Firefox and Opera, with its authors asking for $50 for monthly updates, updates of what yet remains unknown. Both of these kits once again demonstrate the current mentality of the kits' coders, having to do with -- thankfully -- zero innovation, fast cash and no long-term value. However, modularity, convergence with traffic management kits, vertical integration with cybercrime services and bullet proof hosting providers, advanced metrics, evasive practices, improved OPSEC (operational security), and dedicated cybercrime campaign optimizing staff are all in the works.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action</description><link>http://www.secuobs.com/revue/news/28243.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28243.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Six</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

Thanks to misconfigured traffic management kits, not taking advantage of all the built-in features that could have made the research a little bit more time consuming, here are the latest fake security software domains popping up at the end of fake adult content sites:
anti-spyware8.com
anti-spyware4.com
anti-spyware11.com
anti-spyware10.com
antivirus-cs1.com
antivirus-cs14.com
antivirus-cs4.com
antivirus-cs15.com
antivirus-cs5.com
antivirus-cs7.com
antivirus-cs8.com
antivirus-cs9.com
trustedpaymenssite.com
altawebgl-500.com
masterspitetds09.com
protectionaudit.com
prt3ctionactiv3scan.com
prtectionactivescan.com
smartantivirusv2.com
smartantivirus2009v2.com
smartantivirus2009v2-buy.com
smartantivirus-2009v2buy.com
smart-antivirus2009v2buy.com
anti-virus-xp.com
anti-virus-xp.net
e-antiviruspro.com
ultimate-anti-virus.com
antimalwarewarrior2009.com
spyware-buy.com
superantivirus2009.com
total-secure2009.com
pcprivacycleanerpro.com
bestguardownload.com
trustedantivirus.com
antivirus-buy1.com
spyware-quickscan-2008.com
securealertbar.com
secureclick1.com
megantivirus2009.com
micro-antivirus2008.com
advanced-anti-virus.com
antivirusmaster2009.com
scanner-online1.com
internet-scanner2009.com
filescheck-list303.com
virus-webscanner.com
virus9-webscanner.com
spamnuker.com
detect-file101.com
googlescanners-360.com
onlinescannersite9.com
bestantivirusscan.com
hottystars.com
internet-defenses.com
globals-advers.com
quickupdates29.com
myscanners101.com
myfreescan500.com
scanthnet.com
scanners-pro.com
megatradetds0.com
xp-licensingpages.com

power-avc.com
pvrantivirus.com
online-xp-antivirus-checker.com
antivir-online-scan.com
online-win-xpantivirus.com
tube-911.com
favoredmovie.com
getqtysoftware.com
softwareportal2008.com
megazcodec.com
soft-upgrade-network.com
download-base.com
fastsoftdownloads.com
software-downloadz.com
download-soft-basez.com
plupdate.com
0scan.com
virus-online-scan.com
0scanner.com
porno-tds.com
jirolu.com
virus-online-scanz.com
red-tubbe.info
win-xp-antivir-hqscanne.com
xp-protections.com
xp-registration.com
xp2008-protect.com
getdefender2009.com
gettotalsec2008.com
msantivirus-xp.com
protectionpurchase.com
winxp-antivir-on-line-scan.com
antispychecker.com
errorofbrowser.com
fresh-video-news.com
newschannel2008.com
internet--daily-news.com
securesignupsecurity.com
xpacodec.com
xpbcodec.com
gmkvideo.com
hqsextube08.com
antivirusworld9.com
viacodecright1.com
viacodecright2.com
city-codec.com
citycodec.net
codecdownloadanothersoftportal09.com
sextubecodec023dfs41.com
hot-sextubedriver2.com

The Diverse Portfolio of Fake Security Software series is going to continue taking a bite out of cybercrime, and out of the people who distribute these on an affiliation based revenue sharing model.

Related posts:
Fake Porn Sites Serving Malware - Part Three
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
EstDomains and Intercage VS Cybercrime
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report</description><link>http://www.secuobs.com/revue/news/28242.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28242.shtml</guid></item>
<item><title>250k of Harvested Hotmail Emails Go For</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

$50 in this particular case; however, keeping in mind that the email harvester is anything but ethical, this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale may in fact already be available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling the niche of email harvesting, by distinguishing between different types of obfuscated emails and releasing an easily embeddable module, was an anticipated move. What's to come? Spam and malware campaigns across social networks "as usual" will propagate faster thanks to the ongoing harvesting of usernames within social networks, which would later on get imported into Web 2.0 "marketing" tools targeting the high-traffic sites and automatically spamming them.

From a spammer's perspective, geolocating these 250k emails could increase their selling price, since the buyers would be able to launch localized attacks with messages in the native languages of the recipients. Is the demand for quality email databases fueling the development of this market segment, or are the spammers self-serving themselves and cashing in by reselling what they've already abused a long time ago? That seems to be the case, since there's no way a buyer could verify the freshness of the harvested emails database and whether or not it has already been abused.

For the time being, we've got several developed and many other developing market segments within spamming and phishing, as different markets with different players. On one hand are the legitimately looking spamming providers offering "direct marketing services", working with lone spammers who find a reliable business partner in the face of the spamming vendor whose customers drive both sides' business models. On the other hand, you've got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure -- already available as a module to integrate into managed spamming services -- using legitimate services as the provider of the infrastructure.

Despite the arms race seeming to go on at several different fronts, spammers VS the industry and spammers VS spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources to research and development in order to ensure that they are always a step ahead of the industry.

Related posts:
Harvesting Youtube Usernames for Spamming
Thousands of IM Screen Names in the Wild
Automatic Email Harvesting 2.0
Dissecting a Managed Spamming Service
Managed Spamming Appliances - the Future of Spam
Inside an Email Harvester's Configuration File
Segmenting and Localizing Spam Campaigns
Shots from the Malicious Wild West - Sample Four</description><link>http://www.secuobs.com/revue/news/28241.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28241.shtml</guid></item>
<item><title>Hijacking a Spam Campaign's Click-through Rate</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge -

This spammer is DomainKeys verified, a natural observation considering that the spam campaign which I discussed last Wednesday is using bogus Yahoo Mail accounts and is spamming only Yahoo Mail users through a segmented emails database.

Not necessarily what I wanted to achieve, but once I posted the spam campaign's SEO URLs, Yahoo's crawlers picked up the post pretty fast and ruined the SEO effect, with everyone clicking on the campaign's links reaching the post instead. Close to 15,000 unique visitors reached the article during the past 7 days, since the now hijacked spammer's link is no longer achieving the effect it used to.

What does this prove? It proves that users tend to trust emails that pass through spam filters so much that they actually click on the links. And whereas this is a spam campaign and not a malware campaign, the next time they over-trust such an email, they'll expose themselves to client-side vulnerabilities courtesy of a copycat web malware exploitation kit.

The latest search queries the campaign is using:
- yahoo.com/search/search;_ylt=p=stossregularnew$000 leads to stossregularnew.com 61.255.135.185
- yahoo.com/search/search;_ylt=p=||||||||||||||||clapmoon||||||||||||$229|||||||||||||||| leads to clapmoon.com 122198624</description><link>http://www.secuobs.com/revue/news/28240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28240.shtml</guid></item>
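<![CDATA[
Both this post and "Spam Campaign Abusing Yahoo's Services" above show the same link pattern: a search-engine URL, padded with runs of slashes in the path and pipes in the query, whose search term is a made-up keyword such as callfold5000 or clapmoon$229 that returns the spammer's own domain as the single result. A mail filter cannot resolve what the search would return, but it can recognise the construction. The following is an added example of that check, not code from either post: it extracts URLs from a message body, keeps only those pointing at a search host, pulls out the p= term, strips the padding and reports the bare keyword. The message body and the _ylt values in it are constructed, the search host list and the four-letter-minimum heuristic are assumptions, and the heuristic will also catch legitimate terms such as "windows2000" that happen to look synthetic.

```python
"""Recognise search-engine redirect links built around a synthetic keyword
(added example; message body, _ylt values and host list are constructed)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts whose search results the campaign rides on (assumed list).
SEARCH_HOSTS = {"yahoo.com", "www.yahoo.com", "search.yahoo.com"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# A lower-case stem of at least four letters followed only by padding
# (pipes, digits, dollar signs), with at least three padding characters.
SYNTHETIC_RE = re.compile(r"^\|*([a-z]{4,})[\d$|]{3,}$")

def search_term(url):
    """Return the p= term of a search-engine URL, or None for any other link.
    Yahoo's ';_ylt=...' path parameter and the campaign's run of slashes both
    live in the path, which urlsplit keeps apart from the query string."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return None
    terms = parse_qs(parts.query).get("p")
    return terms[0] if terms else None

def synthetic_keyword(term):
    """Strip the campaign's padding and return the bare keyword, or None when the
    term looks like an ordinary search (spaces, several words, no padding)."""
    m = SYNTHETIC_RE.match(term.strip().lower())
    return m.group(1) if m else None

def flag_links(body):
    """Map each suspicious link in a mail body to the keyword it was built from."""
    hits = {}
    for url in URL_RE.findall(body):
        term = search_term(url)
        if term is None:
            continue
        keyword = synthetic_keyword(term)
        if keyword:
            hits[url] = keyword
    return hits

# Constructed message body: three campaign-style links, one ordinary search
# link, and one non-search link that merely reuses the keyword.
SAMPLE_BODY = """Hi! check this out
http://yahoo.com/////////////////////////////search/search;_ylt=A0oG7?p=callfold5000
http://search.yahoo.com/search?p=housetear5000
http://yahoo.com/search/search;_ylt=A0oG8?p=||||||||clapmoon||||||||$229||||||||
http://search.yahoo.com/search?p=python+logging
http://example.com/?p=callfold5000
"""

if __name__ == "__main__":
    for url, keyword in flag_links(SAMPLE_BODY).items():
        print(keyword, "from", url)
```

The recovered keyword is what a responder would then check against the landing domain (callfold.com, clapmoon.com) or feed into a blocklist; the point of keying on the construction rather than on the destination is that the destination only becomes visible after the click.
]]>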
<item><title>The Commercialization of Anti Debugging Tactics in Malware</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis, next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer, urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come in handy in the hands of the wrong people: "Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers). Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into a different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines. When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed." With the Cyber-as-a-Service business model becoming increasingly common, the entire quality assurance model in respect to malware is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly - improving the customer's experience by letting him take advantage of the inventory of crypting tools and bypassing verification services. Within the tool's inventory are naturally lots of pirated commercial anti-reverse engineering tools. As we've seen before, whenever someone starts commercializing what used to be a self-serving process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they are about commercializing this market segment, and taking into consideration that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.</description><link>http://www.secuobs.com/revue/news/28239.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28239.shtml</guid></item>
<item><title>Modified Zeus Crimeware Kit Comes With Built-in MP3 Player</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Modified versions of popular open source crimeware kits rarely make the headlines, due to the fact that anyone can hijack a crimeware kit's brand, build and innovate using its foundations, and claim it's a new version released by the original authors. That's of course within the tiny time frame until he's exposed as the fake author of Zeus, who may have in fact come up with a unique feature that the original authors didn't include. This modified version of Zeus is yet another example of how cybercriminals are actively modifying crimeware kits, literally making such practices as keeping version numbers irrelevant. While the administrator is managing his botnet, he can load local files, or tune in to the built-in online radio stations the author of this modification included, next to changing Zeus' entire graphical layout. Let's take into consideration another example, the infamous Pinch DIY malware builder, which has been around for over 4 years. Even with the populist arrest of its authors in 2007, cybercriminals are still innovating on the foundations offered by Pinch, thanks to its publicly obtainable source code. It's also worth pointing out that these two Zeus and Pinch modifications are courtesy of a single individual who, in between modifications of popular crimeware kits, seems to be busy porting different modules onto different malware kits and web based malware, knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based malware, and botnet management kits. From a sarcastic perspective - what's next? Perhaps a built-in slideshow of random screenshots taken from malware infected desktops in the botnet, or even a pink layout modification for female botnet masters. Customerization, and customer tailored services, can make anything happen, and naturally enjoy the higher profit margins.</description><link>http://www.secuobs.com/revue/news/28238.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28238.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Seven</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - In case you haven't heard - Microsoft and Washington state are suing a US based -- naturally -- "scareware" vendor, Branch Software: "We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach." Sadly, Branch Software is the tip of the iceberg on top of the affiliates participating in different affiliation based programs, which, similar to IBSOFTWARE CYPRUS and Interactivebrands, which I've been tracking down for a while, are the aggregators of scareware that popped up on the radars due to their extensive portfolios. These three companies offering software bundles or plain simple fake software are somewhere in between the food chain of this ecosystem, with the real vendors paying out the commissions on a per installation basis slowly starting to issue invitation codes that they've distributed only across invite-only forums/sections of particular forums. Behind these brands is everyone that is participating in the franchise and is putting personal effort into monetizing the high payout rates that the fake security software vendor is paying for each successful installation. These high payout rates -- with the financing naturally coming straight from other criminal activities online -- are in fact so high that I can easily say that in the last two quarters we've witnessed the largest increase of such domains ever, and they're only heating up since the typosquatting possibilities are countless and they seem to know that as well. It's important to point out that their business model of acquiring traffic is outsourced to all the affiliates that do the blackhat SEO, SQL injections, and web session hijacking of malware infected hosts in order to monetize, so basically, you have an affiliate network whose actions are directly driving the growth into all these areas. Throwing money into the underground marketplace as a "financial injection" is proving itself as a growth factor, and an incentive for innovation on behalf of all the participants. Here are some of the most recent fake security software domains, a "deja vu" moment with a known RBN domain from a "previous life" that is also parked at one of the servers, and evidence that typosquatting for fraudulent purposes is still pretty active with a dozen Norton Antivirus related domains, some of which have already started issuing "fake security notices" by brandjacking the vendor for traffic acquisition purposes: Antivirus-Alert.com 20311711147, where pepato.org, a domain that was used in the Wired.com and History.com IFRAME injections, which back in March was also hosted at Hostfresh 586523859, is parked. Fake Antivirus Inc. is not going away as long as the affiliate based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the ones popping up on the radar, compared to the situation where it's the affiliate network participants' greed that's increasing their visibility online. Related posts: A Diverse Portfolio of Fake Security Software - Part Six; A Diverse Portfolio of Fake Security Software - Part Five; A Diverse Portfolio of Fake Security Software - Part Four; A Diverse Portfolio of Fake Security Software - Part Three; A Diverse Portfolio of Fake Security Software - Part Two; Diverse Portfolio of Fake Security Software; Cybersquatting Symantec's Norton AntiVirus; Cybersquatting Security Vendors for Fraudulent Purposes; Fake Porn Sites Serving Malware - Part Three; Fake Porn Sites Serving Malware - Part Two; Fake Porn Sites Serving Malware; EstDomains and Intercage VS Cybercrime; Fake Security Software Domains Serving Exploits; Localized Fake Security Software; Got Your XPShield Up and Running; Fake PestPatrol Security Software; RBN's Fake Security Software; Lazy Summer Days at UkrTeleGroup Ltd; Geolocating Malicious ISPs; The Malicious ISPs You Rarely See in Any Report.</description><link>http://www.secuobs.com/revue/news/28237.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28237.shtml</guid></item>
<item><title>Identifying the Gpcode Ransomware Author</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Interesting article, but it implies that there has been a shortage of quality OSINT regarding the campaigners behind the recent Gpcode targeted cryptoviral extortion attacks: "The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files. Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that GPcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode onto victims' machines." In reality, there hasn't been a shortage of timely OSINT aiming to identify the authors - "Who's behind the GPcode ransomware": "So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as their most recent IPs used in the communication (58388211; 2212012227). Emails used by the GPcode authors where the infected victims are supposed to contact them: content715@yahoo.com, saveinfo89@yahoo.com, cipher4000@yahoo.com, decrypt482@yahoo.com. Virtual currency accounts used by the malware authors: Liberty Reserve - account U6890784; E-Gold - account 5431725; E-Gold - account 5437838." The bottom line - out of the four unique emails used by the GPcode campaigners, only two were actively corresponding with the victims, each of them requesting a different amount of money, but both taking advantage of US based web services to accomplish their attack.</description><link>http://www.secuobs.com/revue/news/28236.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28236.shtml</guid></item>
<item><title>Web Based Malware Eradicates Rootkits and Competing Malware</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - A tiny 20kb antivirus module within "yet another web based malware in the wild" promises to get rid of all Zeus variants, and also to detect and remove rootkits found on the infected system, in order to ensure that it's the only malware the victim remains infected with. What's really special about its command and control interface is that it's AJAX based, with the seller pitching the feature as "you no longer have to hit F5 in order to see how your malware campaign is doing". Here's a brief translated description: - Simultaneously execute different campaigns, allocate specific bots for specific countries only, set time and date for automatic update with the new binaries. - Firewall and antivirus bypassing capabilities, anti-tracing, anti-reverse engineering. - Self defense mechanism for harder removal. - ICQ notifications for finished tasks, newly infected hosts, graphical statistics. Exactly how it removes rootkits remains unknown due to its proprietary nature and brief description, but resetting the hosts file and taking advantage of an updated BHO list of known malware are among the ways it removes competing malware.</description><link>http://www.secuobs.com/revue/news/28235.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28235.shtml</guid></item>
<item><title>Copycat Web Malware Exploitation Kit Comes with Disclaimer</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots, and is promising to include new exploits within the kit. For the time being, this recently released copycat web exploitation malware kit includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, greatly reminding us of Zeus's copyright notice: "Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING: The usage of this product with evil intent leads to the criminal responsibility." What happens when the buyer tries to resell the kit? - "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees", which is surreal considering that the kit is an open source one, and just like we've seen with a recent modification of Zeus, if it were to include unique features -- which it doesn't -- others would build upon its foundations. Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits, 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploit set would have increased the number of exploited hosts. With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that, just like Stormy Wormy's historical persistence in using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits. Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.</description><link>http://www.secuobs.com/revue/news/28234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28234.shtml</guid></item>
<item><title>Monetizing Infected Hosts by Hijacking Search Results</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - When logs with accounting data are no longer of interest due to low liquidity on the underground market, monetization of the infected hosts comes into play. This web based malware seems like an early BETA aiming to scale; however, its only unique features are its ability to hijack the infected user's searches and serve relevant ads courtesy of the affiliate networks the administrator participates in, and also an integrated DDoS module that the author simply stole from another kit. Strangely, it's 2008, yet the author also included the ability to turn on the telnet service on an infected host. With the search queries feature easy to duplicate by other kits, this web based malware is a great example of how the time-to-market mentality lacking any kind of personal experience -- the malware cannot intercept SSL sessions, compared to the majority of crimeware kits that can -- ends up in a weird hybrid of random features. Customerization will inevitably prevail over the product concept mentality.</description><link>http://www.secuobs.com/revue/news/28233.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28233.shtml</guid></item>
<item><title>Knock, Knock, Knockin' on Carder's Door</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - This video of Cha0's bust earlier this month in Turkey is a perfect example of what happens when someone starts over-performing in the field of carding. Try counting the desktops, and notice the "full package" a carder can dream of - the box full of ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of sale) terminals, the house and swimming pool, and, of course, the hard cash.</description><link>http://www.secuobs.com/revue/news/28232.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28232.shtml</guid></item>
<item><title>Managed Fast Flux Provider - Part Two</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - We're slowly entering into a stage where RBN bullet proof hosting franchises are vertically integrating, and due to the requests from their customers are starting to offer what they refer to as "mirrored hosting", which in practice is a plain simple fast flux network consisting of RBN-alike purchased netblocks, and naturally, botnet infected hosts. Managed fast-fluxing is only starting to go mainstream; for instance, in July I found evidence that money mule recruiters were using ASProx's infected hosts as hosting infrastructure, and in November 2007 an infamous spamming software vendor was also found to have been offering fast-flux services in the past. In this most recent fast-flux service, we have a known spammer and botnet master who, in between self-serving himself on his way to ensure his portfolio of scammy domains remains online for a "little longer", is commercializing fast-fluxing and is offering a DIY service: "Finally after hard work and great appreciation from our normal bullet proof hosting/server clients we are able to launch Mirrored hosting. What is Mirrored hosting? Mirrored hosting is a powerful mirrored web hosting management, uses multiple Virtual servers to host website with 100% uptime. Mirrored hosting is a combination of two things, which are: 1. Specially Designed Virtual Servers 2. Powerful Automated Control Panel. How does it work? Mirrored hosting uses specially configured Virtual Servers making them link with the Mirrored hosting Control Panel which is then controlled by our own control panel allowing us to provide smooth streamline hosting with no downtime. No one is able to trace original IP of the server or the place where the files are hosted so the websites/domains hosted have a 100% Uptime. This is achieved by unique customisation of our Virtual Servers. Actually, it takes ips around the world and our powerful control panel just rotates the ips every 15 minutes though all these ips you will see will be fake no one can trace the original ip where files are hosted. Sometimes the ip is from China, Korea, USA, UK, Japan, Lithuania etc." The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it would undoubtedly lower the entry barriers, allowing yesterday's average phishers to take advantage of what only the "pros" were used to. Related posts: Storm Worm's Fast Flux Networks; Managed Fast Flux Provider; Fast Flux Spam and Scams Increasing; Fast Fluxing Yet Another Pharmacy Spam; Obfuscating Fast Fluxed SQL Injected Domains; Storm Worm Hosting Pharmaceutical Scams; Fast-Fluxing SQL injection attacks executed from the Asprox botnet.</description><link>http://www.secuobs.com/revue/news/28231.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28231.shtml</guid></item>
<item><title>Syndicating Google Trends Keywords for Blackhat SEO</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Several hundred Windows Live Spaces and AOL Journals are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries, exposing users to Zlob codecs. Here are some sample bogus blogs used in the campaign, naturally pre-registered long before they executed it. A comprehensive listing of the blogs involved can be downloaded here. What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep It Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs are using a central redirection domain; shutting it down or blocking it renders the number of bogus blogs in circulation irrelevant. In this case, the domain in question is videoxmancer.org 2161955975. Here are the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs. In short, despite the fact that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign, since each and every blog participating is also linking to the rest of the ones within the ecosystem. Related posts: Blackhat SEO Redirects to Malware and Rogue Software; Blackhat SEO Campaign at The Millennium Challenge Corporation; Massive IFRAME SEO Poisoning Attack Continuing; Massive Blackhat SEO Targeting Blogspot; The Invisible Blackhat SEO Campaign; Attack of the SEO Bots on the EDU Domain; p0rn.gov - The Ongoing Blackhat SEO Operation; The Continuing .Gov Blackhat SEO Campaign; The Continuing .Gov Blackhat SEO Campaign - Part Two; Compromised Sites Serving Malware and Spam.</description><link>http://www.secuobs.com/revue/news/28230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28230.shtml</guid></item>
<item><title>Inside a Managed Spam Service</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - A managed spam vendor always has to raise the stakes during its introduction period on the market. But what happens when a market follower starts using the market leader's proprietary managed spamming system, and is able to provide better spamming rates at cheaper prices? Market forces and unethical competition at its best. So, what is this market challenger using the monopolist's -- in respect to managed spamming services, not spam in general -- proprietary system (Spamming Vendor Launches Managed Spamming Service) up to anyway? Promising and delivering 1,400,000 emails daily, 60,000 mails per hour, and 100 emails per minute. What we've got here are the spam metrics out of 5 already finished spam campaigns that have managed to send out a million spam emails using only 2000 malware infected hosts. Also, CC-ing and BCC-ing made it possible to multiply the effect of the campaign and increase the total number of emails spammed. Talking about benchmarks, 789 emails per minute at a rate of 12/13 emails per second is a pretty good one, considering it's only 2k bots that they were using. What they also promise is automatic rotation of IPs upon automatically checking them against public blacklists, and a mixed rotation of IPs from their own netblocks located in Russia and Germany with the fresh IPs coming from the newly infected hosts. Earlier this month, I discussed the market leader's managed spamming system, access to which they also offer for rent: "An inside look of the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise - speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be simultaneously used, resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to ensure that the central server never gets exposed is in fact fast-flux, which depending on how many bots they are willing to put into "regional server mode" shapes the size of the fast-flux network at a later stage." With cutting edge managed spam services like the ones currently in circulation, it remains to be seen whether or not spammers would migrate to this outsourcing model, or continue coming up with adaptive ways to send out their scams and malware on their own.</description><link>http://www.secuobs.com/revue/news/28229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28229.shtml</guid></item>
<item><title>Fake Windows XP Activation Trojan Wants Your CVV2 Code</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - In a self-contradicting social engineering attempt, a malware author is offering for sale an updated version of the Kardphisher DIY fake Windows XP activation builder, which, despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successful credit card theft. Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach is that sophisticated crimeware kits capable of obtaining the very same data automatically started leaking for everyone to take advantage of - including yesterday's cybercriminals using such DIY fake message builders. Moreover, according to recently released survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's high quality GUI layouts, it is perhaps worth restating your research questions with something along the lines of - what motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services? The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats (scareware) approach seems to be perfectly taking advantage of the overall suspicion about the effectiveness of their legitimate security software.</description><link>http://www.secuobs.com/revue/news/28228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28228.shtml</guid></item>
<item><title>Web Based Malware Emphasizes on Anti-Debugging Features</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Following the ongoing development of a particular web based malware always comes in handy in terms of assessing the commoditization of anti-debugging features within modern malware: from plain simple "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti-antivirus software mentality as a key differentiation factor of the malware. So what are they working on? Anti tracing and emulation protection, PEiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size. Here's a translated description: "- The binary works under admin and under normal user. - The binary is always run as the "current user". - An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country. - After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place. - Binary file size is 25k; the size can be reduced once it's crypted. - Doesn't take advantage of the BITS protocol. - Doesn't allow an infected host to be infected twice. - Bypassing NAT and supporting "always-on" connections. - A simple, easy to configure web based admin panel." What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play.</description><link>http://www.secuobs.com/revue/news/28227.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28227.shtml</guid></item>
<item><title>A Diverse Portfolio of Fake Security Software - Part Eight</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - In the spirit of "taking a bite out of cybercrime", here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen of malware campaigns redirecting to most of them. You know the drill. Related posts: A Diverse Portfolio of Fake Security Software - Part Seven; A Diverse Portfolio of Fake Security Software - Part Six; A Diverse Portfolio of Fake Security Software - Part Five; A Diverse Portfolio of Fake Security Software - Part Four; A Diverse Portfolio of Fake Security Software - Part Three; A Diverse Portfolio of Fake Security Software - Part Two; Diverse Portfolio of Fake Security Software.</description><link>http://www.secuobs.com/revue/news/28226.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28226.shtml</guid></item>
<item><title>Summarizing Zero Day's Posts for September</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader. Notable article for September - Spamming vendor launches managed spamming service. 01 DoS vulnerability hits Google's Chrome, crashes with all tabs; 02 Malware and spam attacks exploiting Picasa and ImageShack; 03 Spamming vendor launches managed spamming service; 04 Facebook introducing new security warning feature; 05 Google downplays Chrome's carpet-bombing flaw; 06 Targeted malware attack against US schools intercepted; 07 The most "dangerous" celebrities to search for in 2008; 08 Norwegian BitTorrent tracker under DDoS attack; 09 Attacker: Hacking Sarah Palin's email was easy; 10 Bill O'Reilly's web site hacked, attackers release personal details of users; 11 India's government: At last, we've cracked Blackberry's encryption; 12 Memory exhaustion DoS vulnerability hits Google's Chrome; 13 44% of second hand mobile devices still contain sensitive data; 14 Spammers attacking Microsoft's CAPTCHA -- again.</description><link>http://www.secuobs.com/revue/news/28225.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28225.shtml</guid></item>
<item><title>Commoditization of Anti Debugging Features in RATs - Part Two</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Yet another piece of malware promoted as a RAT (remote access tool) includes what's turning into the de facto set of anti-debugging features within RATs. As the authors point out, the Anti Virtual PC, VMware, VirtualBox, Sandboxie, ThreatExpert, Anubis, CWSandbox, Joebox, Norman Sandbox features inevitably increase the server size. Next to the product, there's always the managed service of ensuring a lower detection rate for binaries submitted to the authors.</description><link>http://www.secuobs.com/revue/news/28224.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28224.shtml</guid></item>
<item><title>Cybercriminals Abusing Lycos Spain To Serve Malware</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that the FTP access is efficiently abused. Here's a description of the link generator: "Download the program and run it, asks for an ID identifier, then copy it and paste it there, then press 'Create Installer' and the program will create the Installer, this program to run a simulation that is installing the Adobe Flash and indicates to our page that "has been installed Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file tie it in with your server and what flames or Installer Setup simulating being an installer. Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step." Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals syndicating hot Google Trends keywords further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of bogus accounts registration performed automatically, or outsourced entirely, malicious services aiming to automate the abuse process are only going to get more efficient.</description><link>http://www.secuobs.com/revue/news/28223.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28223.shtml</guid></item>
<item><title>Quality Assurance in Malware Attacks - Part Two</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Surprisingly, while opportunistic cybercriminals have long embraced the malware as a service model, and are offering managed lower detection rate services for a customer's malware, or DIY ones where the customer can take advantage of popular tools ported to the Web, others are still trying to innovate at a faddish market niche - multiple offline AV scanner tools aiming to ensure that their malware doesn't end up in the hands of vendors/researchers. Multiple offline AV scanning tools like this very latest release, naturally using pirated copies of popular antivirus software, are faddish, due to the fact that during the last two years the underground has been busy working on several paid web based services that not only make sure vendors and researchers never get the chance to obtain the samples, but also are already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA of the campaign, next to the rest of unique features disintermediating legitimate multiple AV scanning services. Certain features within such services clearly speak for the intentions of the people behind the service. For instance, among one of these features is the ability to fetch a binary from a set of given dropper URLs like malwaredomain.com/binary.exe; the result of the scan can then alert the malware campaigner about the current state of detection. What's on these proprietary multiple AV scanning services' to-do list? Let's say anything that a legitimate multiple AV scanning service would never offer, like the following according to one of the services in question: - DIY heuristic scanning level settings for each of the software in place - upcoming sets of anti spyware and personal firewalls with detailed statistics of the sandboxing - behavior-based detection results. The possibilities for integrating such proprietary multi AV scanning services within the QA process of a malware campaign are countless, and both the customers and the sellers seem to have realized the potential of this ecosystem.</description><link>http://www.secuobs.com/revue/news/28222.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28222.shtml</guid></item>
<item><title>The Cost of Anonymizing a Cybercriminal's Internet Activities</title><description>Secuobs.com : 2008-10-15 15:47:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - What would the perfect traffic anonymity service provider targeting cybercriminals consist of? A service operating in Russia that is purposely not logging any of its users' activities, next to allowing direct spamming from the socks servers, automatic rotation of the VPN servers which they operate in a RBN style hosting provider, or a service using actual malware infected hosts as VPN tunnels, not only securing the cybercrime traffic, but also forwarding the responsibility for the malicious activities to the end user. Long gone are the days of socks chaining, the practice of automatically connecting to multiple malware infected hosts in order to use them as stepping stones, in between the rest of the malicious activities going on their behalf. The possibilities for building point-to-point or server-to-multiclient encrypted tunnels between malware infected hosts by using already available Socks5 functions have always been there. As of August, the coders behind a relatively popular web based malware, originally started as a DDoS kit but later on introducing new features on a "module basis", have started offering a BETA module for building a VPN network of malware infected hosts, including an admin panel for reselling access to these hosts in order to better monetize their botnet. This VPN-owning of malware infected hosts is not only resulting in improved anonymity for botnet masters and anyone else having access to the network, but is also contributing to the growth of VPN services designed specifically to be accessed by cybercriminals, created on the foundations of such admin panels offering easier reselling of access to the network. So, what's the cost of anonymizing a cybercriminal's Internet activities? Starting from $40 and going to $300 for a quarter of access, with the price increasing based on the level of anonymity added.</description><link>http://www.secuobs.com/revue/news/28221.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28221.shtml</guid></item>
</channel>
</rss>
 
<rss version="0.92">
<channel>
<item><title>Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised NL CH Sites</title><description>2010-08-13 19:18:01 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge : Over the past week, I've been tracking -- among the countless number of campaigns currently in process of getting profiled / taken care of internally -- a blackhat SEO campaign that's persistently compromising legitimate sites within small ISPs in the Netherlands and Switzerland, for scareware-serving purposes. Although this beneath the radar targeting approach is nothing new, it once again</description><link>http://www.secuobs.com/revue/news/249307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249307.shtml</guid></item>
<item><title>Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware Exploits Serving Campaign</title><description>Secuobs.com : 2010-08-09 15:28:36 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - They are back again (Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign, serving scareware and client-side exploits, using "Thank you for your payment" / "Thank you for your EXPRESS payment" themed subjects impersonating popular</description><link>http://www.secuobs.com/revue/news/247730.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/247730.shtml</guid></item>
<item><title>ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in the Wild</title><description>Secuobs.com : 2010-07-21 02:49:20 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Ubiquitous social engineering schemes never fade away. ZeuS crimeware campaigners are currently using a 123greetings.com ecard-themed campaign, in an attempt to entice users to "enjoy their ecard". Subject: "You have received an Greeting eCard". Message: "Good day. You have received an eCard. To pick up your eCard, choose from any of the following options: Click on the following link, or copy</description><link>http://www.secuobs.com/revue/news/242274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242274.shtml</guid></item>
<item><title>Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign</title><description>Secuobs.com : 2010-07-20 01:16:39 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign relying on zip archives was actively spamvertised by cybercriminals seeking to infect gullible end/corporate users. What's particularly interesting about this campaign is the cocktail of malware dropped on infected hosts, including an Asprox sample (Money Mule Recruiters use ASProx's Fast Fluxing Services), and two</description><link>http://www.secuobs.com/revue/news/241881.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241881.shtml</guid></item>
<item><title>Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails</title><description>Secuobs.com : 2010-07-17 02:37:54 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - And they're back (Gumblar or RUmblar, due to the extensive use of .ru domains) for a decent start of the weekend - switching social engineering themes one more time, this time impersonating Amazon.com. NOTE: A summary of the malicious payload served will be posted at a later stage. Meanwhile, in order to facilitate quicker response, a complete list of the domains participating will be featured</description><link>http://www.secuobs.com/revue/news/241300.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241300.shtml</guid></item>
<item><title>Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines</title><description>Secuobs.com : 2010-07-15 19:14:33 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Cybercrime-friendly search engines are bogus search engines which, in between visually social engineering their users, offer fake results leading to client-side exploits, bogus video players dropping more malware, scareware, next to the pharmaceutical scams, and domain farms neatly embedded with Google AdSense scripts for monetization. In the majority of cases -- whenever blackhat SEO is not an</description><link>http://www.secuobs.com/revue/news/240895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/240895.shtml</guid></item>
<item><title>Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd</title><description>Secuobs.com : 2010-07-14 21:08:49 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and in particular one that you've come across during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI I'm referring to, also known as Sagade Ltd. Let's dissect the currently ongoing malicious activity at that Latvian based AS, expose the exploit/malware/crimeware</description><link>http://www.secuobs.com/revue/news/240602.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/240602.shtml</guid></item>
<item><title>Cybercriminals SQL Inject Cybercrime-friendly Proxies Service</title><description>Secuobs.com : 2010-07-14 00:12:10 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Cybercrime ecosystem irony, at its best. Why the irony? Because the cybercrime-friendly proxies service TOS explicitly states that its users cannot launch XSS/SQL injection attacks through it. A relatively low profile cybercriminal has managed to exploit a remote SQL injection within a popular proxies service, offering access to compromised hosts across the globe for any kind of malicious</description><link>http://www.secuobs.com/revue/news/240247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/240247.shtml</guid></item>
<item><title>Sampling 419 Advance Fee Scams Activity</title><description>Secuobs.com : 2010-06-17 18:29:54 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Lottery Winning Notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless; their IPs, however, aren't, taking into consideration the fact that the majority of 419 scams are not sent using botnets, but manually, and in a targeted fashion. In fact, some of their spamming techniques (419</description><link>http://www.secuobs.com/revue/news/232529.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/232529.shtml</guid></item>
<item><title>Dissecting the Exploits Scareware Serving Twitter Spam Campaign</title><description>Secuobs.com : 2010-06-16 15:49:34 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Yesterday's exploits-serving campaign spreading across Twitter, using automatically registered accounts "pinging" random Twitter users with links to the campaign, is worth profiling due to its state of maliciousness - if the end user is exploitable, exploits are served, ultimately leading to scareware, and if he isn't, the cybercriminals behind it attempt to monetize through the same network used</description><link>http://www.secuobs.com/revue/news/232100.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/232100.shtml</guid></item>
<item><title>Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560</title><description>Secuobs.com : 2010-06-15 17:50:14 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain/IP responding to ZeuS C&amp;Cs, combined with an indirect connection between this campaign and the "100,000 Scareware Serving Fake YouTube Pages Campaign", followed by a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the</description><link>http://www.secuobs.com/revue/news/231664.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/231664.shtml</guid></item>
<item><title>Dissecting the 100,000 Scareware Serving Fake YouTube Pages Campaign</title><description>Secuobs.com : 2010-06-09 01:16:17 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Researchers from eSoft are reporting on 135,000 fake YouTube pages currently serving scareware, in between using multiple monetization/traffic optimization tactics for the hijacked traffic. Based on the campaign's structure, it's pretty clear that the template-ization of malware serving sites (Part Two) is not dead. Let's dissect the campaign, its structure, the monetization/traffic</description><link>http://www.secuobs.com/revue/news/229776.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/229776.shtml</guid></item>
<item><title>Dissecting the Ongoing US Federal Forms Themed Blackhat SEO Campaign - Part Two</title><description>Secuobs.com : 2010-06-03 22:18:01 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Remember the massive blackhat SEO campaign using US Federal Forms themed keywords, which was extensively profiled in August, 2009? Blackhat SEO Campaign Hijacks US Federal Form Keywords, Serves Scareware; US Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing US Federal Forms Themed Blackhat SEO Campaign; Koobface-Friendly Riccom LTD - AS29550 - "Finally" Taken</description><link>http://www.secuobs.com/revue/news/228382.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/228382.shtml</guid></item>
<item><title>Vendor of Mobile Spying Apps Drives Biz Model Through DIY Generators</title><description>Secuobs.com : 2010-06-03 16:03:16 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - It's always worth monitoring the developments in the commercial mobile spying apps space, in particular the inevitable customerization/customization of their services. A shady vendor of such applications is attempting to migrate from the mass market model of competing vendors by offering its potential customers the ability to generate their own .sis files for the spying app targeting Symbian</description><link>http://www.secuobs.com/revue/news/228249.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/228249.shtml</guid></item>
<item><title>Inside a Commercial Chinese DIY DDoS Tool</title><description>Secuobs.com : 2010-05-26 16:08:49 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones (Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools / stress testing tools. Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100%</description><link>http://www.secuobs.com/revue/news/225832.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225832.shtml</guid></item>
<item><title>Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang" Post</title><description>Secuobs.com : 2010-05-17 22:49:15 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players, and, of course, scareware: "regarding this article By Dancho Danchev, February 23, 2010, 9:30am PST: 1. no connection 2. what's reason to buy software just for</description><link>http://www.secuobs.com/revue/news/222938.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222938.shtml</guid></item>
<item><title>The Avalanche Botnet and the TROYAK-AS Connection</title><description>Secuobs.com : 2010-05-14 00:14:55 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - According to the latest APWG Global Phishing Survey: "But by mid-2009, phishing was dominated by one player as never before: the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate</description><link>http://www.secuobs.com/revue/news/221998.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221998.shtml</guid></item>
<item><title>Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns</title><description>Secuobs.com : 2010-05-13 22:21:05 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - What do the recently spamvertised "Thank you for buying iTunes Gift Certificate" and the "Look at my CV" themed malware campaigns have in common? It's the fact that they've been launched by the same individual/gang. What's particularly interesting about the campaign is that it's relying on a currently compromised web server, with a publicly accessible PHP based backdoor. This exact same</description><link>http://www.secuobs.com/revue/news/221948.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221948.shtml</guid></item>
<item><title>Dissecting the Mass DreamHost Sites Compromise</title><description>Secuobs.com : 2010-05-12 01:07:26 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the US Treasury / GoDaddy / NetworkSolutions mass compromise campaigns. What's particularly interesting about the campaign is not just the Hilary Kneber connection, but also the fact that a key command and control domain, part of the Koobface botnet, is residing</description><link>http://www.secuobs.com/revue/news/221176.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221176.shtml</guid></item>
<item><title>TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad</title><description>Secuobs.com : 2010-05-11 10:03:03 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - "Deja vu". Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live exploits through a malicious ad served by "Fulldls.com - Your source for daily torrent downloads". Why deja vu? It's because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling of Russian Business</description><link>http://www.secuobs.com/revue/news/220893.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220893.shtml</guid></item>
<item><title>From the Koobface Gang with Scareware Serving Compromised Sites</title><description>Secuobs.com : 2010-05-08 22:01:40 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Following last month's "Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities from the last couple of days. Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to</description><link>http://www.secuobs.com/revue/news/220283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220283.shtml</guid></item>
<item><title>US Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise</title><description>Secuobs.com : 2010-05-05 00:13:43 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - AVG and PandaLabs are reporting that the web sites of the US Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection). What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs</description><link>http://www.secuobs.com/revue/news/218801.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218801.shtml</guid></item>
<item><title>GoDaddy's Mass WordPress Blogs Compromise Serving Scareware</title><description>Secuobs.com : 2010-04-27 22:26:07 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place at GoDaddy, according to WPSecurityLock. Since the campaign's URLs are still active, and given the fact that, based on historical OSINT, we can get even more insights into known operations of cybercriminals profiled</description><link>http://www.secuobs.com/revue/news/216598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/216598.shtml</guid></item>
<item><title>Dissecting Koobface Gang's Latest Facebook Spreading Campaign</title><description>Secuobs.com : 2010-04-27 16:29:28 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls. Recommended reading: 10 things you didn't know about the Koobface</description><link>http://www.secuobs.com/revue/news/216469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/216469.shtml</guid></item>
<item><title>The DNS Infrastructure of the Money Mule Recruitment Ecosystem</title><description>Secuobs.com : 2010-04-20 20:01:19 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the cybercriminals behind the campaigns repeatedly use to push new scams. This post aims to expose the name servers involved and the associated ASs, using the research previously conducted on their recruitment campaigns, and their affiliations with multiple other cybercrime</description><link>http://www.secuobs.com/revue/news/214231.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214231.shtml</guid></item>
<item><title>Dissecting the WordPress Blogs Compromise at Network Solutions</title><description>Secuobs.com : 2010-04-19 00:55:18 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The folks at Sucuri Security have posted an update on the reemergence of last week's mass WordPress blogs compromise at Network Solutions. What has changed since last week's campaign? Several new domains were introduced, including new phone back locations, with the majority of new domains once again parked on the same IP as they were last week - 6450165169 - AS15244, LUNARPAGES proxy aut-num</description><link>http://www.secuobs.com/revue/news/213515.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213515.shtml</guid></item>
<item><title>iPhone Unlocking Themed Malware Campaign Spamvertised</title><description>Secuobs.com : 2010-04-14 21:15:56 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Researchers from BitDefender are reporting on a currently spamvertised malware campaign, using an "Unlock, Jailbrake and hack tivate iPhone 313" theme. The spamvertised domain iphone-iphoneinfo - 188210236181 - Email: iphone-iphoneinfo protecteddomainservicescom, is enticing the end user into downloading the malware from pepdorg blackra1nexe - 188210236109 - Email: pepdorg</description><link>http://www.secuobs.com/revue/news/212197.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212197.shtml</guid></item>
<item><title>Copyright Violation Alert Themed Ransomware in the Wild</title><description>Secuobs.com : 2010-04-12 20:29:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled. The bogus</description><link>http://www.secuobs.com/revue/news/211219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211219.shtml</guid></item>
<item><title>Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise</title><description>Secuobs.com : 2010-04-12 13:25:20 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware serving purposes, and entirely another when the front page of the bank (NorthWesternBankOnlinecom) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of BackdoorDMSpammer. Go through an assessment of a similar incident from 2007 - Bank of India Serving</description><link>http://www.secuobs.com/revue/news/211053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211053.shtml</guid></item>
<item><title>Keeping Money Mule Recruiters on a Short Leash - Part Four</title><description>Secuobs.com : 2010-04-09 12:41:59 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Based on the already established patterns of this group, it was only a matter of time until they re-introduced yet another portfolio of money mule recruitment domains, combining them with spamvertised recruitment messages and forum postings. Just like their campaign from last month (Keeping Money Mule Recruiters on a Short Leash - Part Three), the current one is once again interacting</description><link>http://www.secuobs.com/revue/news/210481.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210481.shtml</guid></item>
<item><title>Money Mule Recruitment Campaign Serving Client-Side Exploits</title><description>Secuobs.com : 2010-03-30 19:38:42 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Remember Cefin Consulting &amp; Finance, the bogus money mule recruitment company that ironically tried to recruit me last month? They are back, with a currently ongoing money mule recruitment campaign, this time not just attempting to recruit gullible users, but also serving client-side exploits (CVE-2009-1492; CVE-2007-5659) through an embedded javascript on each and every page within the</description><link>http://www.secuobs.com/revue/news/206987.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206987.shtml</guid></item>
<item><title>Copyright Lawsuit Filed Against You Themed Malware Campaign</title><description>Secuobs.com : 2010-03-29 19:10:29 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Having just received a copy of what appears to be the last active domain involved in last week's "Copyright Lawsuit filed against you" themed malware campaign, it's time to conduct a brief assessment of its inner workings. Subject used: Copyright Lawsuit filed against you. Sample message: "March 24, 2010 Crosby &amp; Higgins 350 Broadway, Suite 300 New York, NY 10013 To Whom It May Concern: On the</description><link>http://www.secuobs.com/revue/news/206533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206533.shtml</guid></item>
<item><title>Zeus Crimeware Client-Side Exploits Serving Campaign in the Wild</title><description>Secuobs.com : 2010-03-24 20:30:16 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - One of TROYAK-AS's most aggressive customers (used to host their Zeus C&amp;Cs there) for Q1, 2010, is once again (latest campaign is from March 12th 2010 - Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware botnet, by spamvertising the well known PhotoArchive theme, in between serving client-side exploits using an embedded iFrame on the</description><link>http://www.secuobs.com/revue/news/205062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205062.shtml</guid></item>
<item><title>GazTransitStroy GazTranZitStroy - From Scareware to Zeus Crimeware and Client-Side Exploits</title><description>Secuobs.com : 2010-03-24 00:12:32 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Remember 2009's GazTransitStroy GazTranZitStroy LLC, AS29371? The fake Russian gas company whose motto was "In gaz we trust". It appears that in order to stay competitive within the cybercrime ecosystem, they are now diversifying their offerings from hosting scareware domains and redirectors, to active Zeus crimeware campaigns, next to client-side exploits serving campaigns used as the</description><link>http://www.secuobs.com/revue/news/204657.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204657.shtml</guid></item>
<item><title>Keeping Money Mule Recruiters on a Short Leash - Part Three</title><description>Secuobs.com : 2010-03-20 23:59:03 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - UPDATED: 7 minutes after notification, EUROACCESS responded that the IPs mentioned within the AS "have been blackholed for the time being until a confirmation of cleanup has been received from the customer". It's a fact. However, in less than a minute the money mule recruitment gang moved the domains from the now blackholed 851246241; 851246242; 851246243; 851246244; 851246245 to</description><link>http://www.secuobs.com/revue/news/203751.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203751.shtml</guid></item>
<item><title>The Current State of the Crimeware Threat</title><description>Secuobs.com : 2010-03-20 17:10:01 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - With Zeus crimeware infections reaching epidemic levels, two-factor authentication under fire, and the actual DIY (do-it-yourself) kit becoming more sophisticated, it's time to reassess the situation by discussing the current and emerging crimeware trends. What's the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are</description><link>http://www.secuobs.com/revue/news/203684.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203684.shtml</guid></item>
<item><title>Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova</title><description>Secuobs.com : 2010-03-15 13:54:34 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Just how greedy has the Koobface gang become these days? Very greedy. In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain fee1 indexphp GREED random_characters. Let's dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their</description><link>http://www.secuobs.com/revue/news/201658.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201658.shtml</guid></item>
<item><title>Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild</title><description>Secuobs.com : 2010-03-13 00:34:58 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - AS50215 Troyak-as customers are back, with an ugly mix of scareware, sinowal, and client-side exploits serving campaign using the "You don't have the latest version of Macromedia Flash Player" theme. Quality assurance is also in place this time, with the client-side exploit serving domains using a well known "function nerot" obfuscation technique in an attempt to bypass link scanners. Let's</description><link>http://www.secuobs.com/revue/news/201259.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201259.shtml</guid></item>
<item><title>Money Mule Recruiters on Yahoo's Web Hosting</title><description>Secuobs.com : 2010-03-11 21:44:47 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Just how dumb, or perhaps ingenious, is a cybercriminal that would host his money mule recruitment operations using Yahoo's Web Hosting services? Is the reputable hosting location worth the risk of having their campaigns taken down much more easily than if they were hosting them on the bad reputation block, and would have never bothered replying to abuse notifications? Whatever the motivation of the</description><link>http://www.secuobs.com/revue/news/200817.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200817.shtml</guid></item>
<item><title>AS50215 Troyak-as Taken Offline, Zeus C&amp;Cs Drop from 249 to 181</title><description>Secuobs.com : 2010-03-10 20:41:47 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&amp;Cs, according to this graph courtesy of the ZeusTracker. AS50215 Troyak-as (ctlannet; prombdnet) was of course the tip of the iceberg,</description><link>http://www.secuobs.com/revue/news/200373.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200373.shtml</guid></item>
<item><title>Don't Play Poker on an Infected Table - Part Three</title><description>Secuobs.com : 2010-03-09 23:28:15 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - The monetization of phony online gambling networks -- clearly tolerating systematic violation of their TOS -- is continuing with the scammers behind last month's campaign (Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates. It's worth pointing out that the spammers don't just earn revenue every time someone installs the application,</description><link>http://www.secuobs.com/revue/news/199956.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199956.shtml</guid></item>
<item><title>Don't Play Poker on an Infected Table - Part Two</title><description>Secuobs.com : 2010-02-25 13:10:12 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Over the past week and a half, cybercriminals have been aggressively spamvertising a growing portfolio of domains, relying on deceptive advertising for nonexistent and fraudulent online gambling web sites, serving the well known Win32GAMECasino. Go through related posts: Don't Play Poker on an Infected Table; Malware Client-Side Exploits Serving Online Casinos. What's particularly interesting</description><link>http://www.secuobs.com/revue/news/195511.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195511.shtml</guid></item>
<item><title>IRS PhotoArchive Themed Zeus Client-Side Exploits Serving Campaign in the Wild</title><description>Secuobs.com : 2010-02-16 01:45:20 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains. In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the US IRS with an "Unreported Underreported Income (Fraud Application)" theme, as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message. Let's dissect both campaigns, sharing the same fast-flux infrastructure, and currently spammed in the wild.
Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:
- archive repokorkr archive0714 id test testcom
- secretarchives renynkr archive0714 id test testcom
- secretfiles repo1itmeuk archive0714 id test testcom
- secretarchives renynnekr archive0714 id test testcom
- postcards repo1ixcouk archive0714 id test testcom
Embedded iFrame - 91201196101 ukasp inphp (AS42229 MARIAM-AS PP Mariam) attempts to exploit CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927. Upon successful exploitation, fileexe - Trojan-SpyWin32Zbotgen - Result: 12/41 (29.27%) is served. Just like the original updateexe - TrojanZbot - Result: 13/40 (32.50%), available as a manual download from the pages, both samples phone back to the well known elnasaru asd elnasable - 1099511471 - Email: kievsk yandexru - Aleksey V Kijanskiy. Naturally, AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&amp;Cs parked there: 9120119635; 9120119675; 9120119676; 9120119638; 9120119634; 9120119637.
Sample URL from the IRS-themed campaign:
- irsgov renynkr fraudapplications application statementphp
Sample iFrame from the IRS-themed campaign - 10995114251 usa50 inphp is currently down. The same IP was used to serve client-side exploits in a previous campaign - "Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams". Detection rate for tax-statementexe - Trojan-SpyWin32Zbotgen - Result: 37/41 (90.25%), which upon execution phones back to the well known nekovoru cbd nekovobr - 1099511518 - Email: kievsk yandexru - Aleksey V Kijanskiy.
Active and spamvertised fast-fluxed domains part of the campaign:
- renyacokr - Email: Sethdc77 yahoocouk
- renyakr - Email: Sethdc77 yahoocouk
- renyanekr - Email: Sethdc77 yahoocouk
- renyaorkr - Email: Sethdc77 yahoocouk
- renynkr - Email: Sethdc77 yahoocouk
- renynnekr - Email: Sethdc77 yahoocouk
- renynorkr - Email: Sethdc77 yahoocouk
- renyocokr - Email: Sethdc77 yahoocouk
- renyokr - Email: Sethdc77 yahoocouk
- renyonekr - Email: Sethdc77 yahoocouk
- renyoorkr - Email: Sethdc77 yahoocouk
- renyxcokr - Email: Sethdc77 yahoocouk
- renyxkr - Email: Sethdc77 yahoocouk
- renyxnekr - Email: Sethdc77 yahoocouk
- renyxorkr - Email: Sethdc77 yahoocouk
- rep021cokr - Email: DRendell3407 hotmailcom
- rep021kr - Email: DRendell3407 hotmailcom
- rep021nekr - Email: DRendell3407 hotmailcom
- rep021orkr - Email: DRendell3407 hotmailcom
- rep022cokr - Email: DRendell3407 hotmailcom
- rep022kr - Email: DRendell3407 hotmailcom
- rep022nekr - Email: DRendell3407 hotmailcom
- rep022orkr - Email: DRendell3407 hotmailcom
- rep023cokr - Email: DRendell3407 hotmailcom
- rep023kr - Email: DRendell3407 hotmailcom
- rep023orkr - Email: DRendell3407 hotmailcom
- rep024kr - Email: DRendell3407 hotmailcom
- rep071cokr - Email: KantuM37690 hotmailcom
- rep071kr - Email: KantuM37690 hotmailcom
- rep071nekr - Email: KantuM37690 hotmailcom
- rep071orkr - Email: KantuM37690 hotmailcom
- rep072cokr - Email: KantuM37690 hotmailcom
- rep072kr - Email: KantuM37690 hotmailcom
- rep072nekr - Email: KantuM37690 hotmailcom
- rep072orkr - Email: KantuM37690 hotmailcom
- rep073cokr - Email: KantuM37690 hotmailcom
- rep073kr - Email: KantuM37690 hotmailcom
- rep073nekr - Email: KantuM37690 hotmailcom
- rep073orkr - Email: KantuM37690 hotmailcom
- rep074cokr - Email: KantuM37690 hotmailcom
- rep074nekr - Email: KantuM37690 hotmailcom
- rep074orkr - Email: KantuM37690 hotmailcom
- rep1051couk
- rep1051meuk
- rep1051orguk
- rep1051ukcom
- repakcokr - Email: limhomeslm yahoocouk
- repakkr - Email: limhomeslm yahoocouk
- repaknekr - Email: limhomeslm yahoocouk
- repakorkr - Email: limhomeslm yahoocouk
- repazcokr - Email: Olb55768 yahoocouk
- repazkr - Email: Olb55768 yahoocouk
- repazorkr - Email: Olb55768 yahoocouk
- repekcokr - Email: limhomeslm yahoocouk
- repeknekr - Email: limhomeslm yahoocouk
- repekorkr - Email: limhomeslm yahoocouk
- repeycokr - Email: Olb55768 yahoocouk
- repeykr - Email: Olb55768 yahoocouk
- repeynekr - Email: Olb55768 yahoocouk
- repeyorkr - Email: Olb55768 yahoocouk
- repiacokr - Email: Olb55768 yahoocouk
- repiakr - Email: Olb55768 yahoocouk
- repianekr - Email: Olb55768 yahoocouk
- repiaorkr - Email: Olb55768 yahoocouk
- repikcokr - Email: limhomeslm yahoocouk
- repikkr - Email: limhomeslm yahoocouk
- repikorkr - Email: limhomeslm yahoocouk
- repokcokr - Email: limhomeslm yahoocouk
- repokkr - Email: limhomeslm yahoocouk
- repoknekr - Email: limhomeslm yahoocouk
- repokorkr - Email: limhomeslm yahoocouk
- repoycokr - Email: Olb55768 yahoocouk
- repoykr - Email: Olb55768 yahoocouk
- repoynekr - Email: Olb55768 yahoocouk
- repoyorkr - Email: Olb55768 yahoocouk
- repo1i1couk
- repo1i1meuk
- repo1i2couk
- repo1i2meuk
- repo1i3couk
- repo1iecouk
- repo1iocouk
- repo1iqcouk
- repo1iqmeuk
- repo1itmeuk
- repo1iwcouk
- repo1iwmeuk
- repo1ixcouk
- repo1ixmeuk
Name servers of notice:
- ns1 skcrealestatenet - 89238165195 - Email: support skrealtynet
- ns1 addresswaynet - 89238165195 - Email: poolbill hotmailcom
- ns1 skcpanelcom - 642042235 - Email: support skcom
- ns1 holdinglorycom - 642042235 - Email: greysy gmxcom
- ns1 skcrescom - 642042235 - Email: hr skcnet
- ns1 x-videocoversnet - 642042235 - Email: storylink livecom
Interestingly, researchers from M86 Security gained access to the web malware exploitation kit used in a previous campaign: "It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchiveexe file downloads that a user may be tricked into downloading and executing themselves." Updates will be posted as soon as new developments emerge. Related coverage of the gang's previous campaigns: Tax Report Themed Zeus Client-Side Exploits Serving Campaign in the Wild; PhotoArchive Crimeware Client-Side Exploits Serving Campaign in the Wild; Facebook AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits; Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams; Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware; Pushdo Injecting Bogus Swine Flu Vaccine; "Your mailbox has been deactivated" Spam Campaign Serving Crimeware; Ongoing FDIC Spam Campaign Serves Zeus Crimeware; The Multitasking Fast-Flux Botnet that Wants to Bank With You. This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.</description><link>http://www.secuobs.com/revue/news/192152.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192152.shtml</guid></item>
<item><title>Dissecting an Ongoing Money Mule Recruitment Campaign</title><description>Secuobs.com : 2010-02-12 23:53:21 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - Money mule recruiters can sometimes be described as mass-marketing zombies, who have absolutely no idea who they're trying to recruit. Cefin Consulting &amp; Finance - cefincf com - 19519013106 - Email: flier infotorrentru is the very latest example of such a campaign, trying to recruit, well, me. The initial recruitment email was spammed from maximumsxz78 roulottesste-annecom with IP 22115476195:
"Cefin Consulting &amp; Finanace is one of the leading providers of consulting services in the world. Our success depends both on high quality of services and on professionally managed and reliable business processes. This is the reason why quality is our main concern. However, the only way to reach top-notch quality in our business is permanent struggle for quality and engineering of stable procedures. It is not possible to reach high quality standards without dedicated personnel striving for flawless operation of processes and projects in their daily life. Currently we have a Financial Manager opening. No deadlines for applications are set. The job of Financial Manager includes processing of money transfers, sent to his personal bank accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect it to the account specified by our dispatchers. All you need for this job are 3-4 free hours a day, your wish, ability to work in a team and responsibility. The initial wages will equal 5% of total monthly turnover.
Requirements to Candidates:
- 20 years old and more
- Be able to check your email several times a day
- Should have personal (or business) bank account
- Have a skill to communicate and access to the Internet
- Foreign language (English is preferable)
- To have an opportunity in any working hours to go to closest Western Union location and make money transfer
What we offer:
- Generous wages - Your earnings will originally make 5% from each payment. After 5 remittances if you will operatively work and correctly, your earnings raises up to 10%
- Opportunity of increase in your earnings
- Free seminars and training courses (After 6 months of great work)
2010 Cefin Consulting &amp; Finanace. If you are interested in this opening, don't hesitate to send your CV at our e-mail: cefincfss yahoocom. All right reserved."
Response received from cefincfss yahoocom with IP 912074162, asking for the following details, although the DIY money-mule recruitment management interface automates the entire process, thereby allowing it to scale:
"If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:
1. First name
2. Last name
3. Country
4. City
5. Zip code
6. Home Phone number, Work Phone number, Mobile Phone number
7. Bank account info: a) Bank name b) Account name c) Account number d) Sort code
8. Scan you passport or driver license"
The CV forwarding email provided is mynesco yahoocom, although they'll even recruit you without sending them the required CV. What's special about the bogus company is not the new template layout that they've purchased from a vendor offering creative for money-mule recruitment campaigns, but their attempt to establish themselves as a trusted brand by featuring fake certificates issued by easily recognizable brands, such as Western Union, Money Gram, Investors in People, the World Business Community and even an award from the Chamber Awards for 2004 in the category "Most Promising New Business". Moreover, parked on the very same IP where the money mule recruitment is, are also domains currently serving live exploits, as well as a DIY interface for a spamming service known as "OS-CORP". The certificates in question: (images not reproduced)
Cefin Consulting &amp; Finance describes itself as: "Cefin consulting &amp; Finance was founded at the beginning of 1990. The emerged structure united specialists with unique background in management consulting, marketing research, business evaluation and stock-exchange operations. The following two companies constitute Cefin consulting &amp; Finance: - Omega Financial Dept - the dedicated company in the field of securities operations; - Omega Consult - the dedicated consulting company, rendering services in strategic planning and corporate management. Activity of Cefin consulting &amp; Finance is focused on generation of balanced solutions for active development of the company and minimization of business risks. Cefin consulting &amp; Finance offers successful managerial solutions through consulting support to projects in various spheres, namely: comprehensive restructuring and organizational development, generation of managing companies, engineering of tailored management systems for corporate clients, implementation of project management methods, business development financial and economic simulation. Top-notch dedicated professionals with key competence in various consulting fields constitute our rigorous staff. We boast to have management consulting and business strategy development experts, certified securities dealers, assessment and registration, marketing and financial specialists, corporate law and anti-monopoly legislation gurus. Address: Cefin consulting &amp; Finance is located at 510 East 80th Street, New York, New York 10021, United States. 786-475-3994; 786-475-3994 (FAX)"
The money mule recruitment domain cefincf com - 19519013106 - Email: flier infotorrentru remains active. Parked on the same IP are also the following domains, currently hosting live exploit kits:
- 384756783900 cn - Email: abuse domainsregcn
- 109438129432 cn - Email: abuse domainsregcn
- 234273849543 cn - Email: abuse domainsregcn
- 783456788839 cn - Email: abuse domainsregcn
- odnaklasniki cn - Email: MichellGregory2009 yahoocom - Email profiled in December 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule recruitment connection
- mynes-consultings cn - Email: grishanizov gmailcom
- mynes-consult cn - Email: grishanizov gmailcom
Sample live exploit structure, currently active at these domains:
- mynes-consult cn - if exploitation is not possible, the user is redirected to the legitimate neweggcom
- mynes-consult cn loadphp spl mdac
- mynes-consult cn loadphp spl buddy
- mynes-consult cn loadphp spl myspace
- mynes-consult cn loadphp spl vml2
- mynes-consult cn loadphp spl ymj
- mynes-consult cn loadphp spl zango1
- mynes-consult cn loadphp spl zango2
All of these exploits drop loadexe - TrojanDownloader Win32 Cutwailgen C - Result: 41/41 (100.00%), which upon execution phones back to 6916286210. With cybercriminals actively multi-tasking these days, this money mule recruitment gang doesn't make an exception. On one of the domains listed above, a low-profile DIY spamming service known as OS-CORP is offering its services. The DIY spam service also has Terms of Service and offers basic spamming recommendations. The following is a roughly translated version of them:
"- No child Porno spamming
- Do not offer me affiliate program (% of sales), I do not care
- ICQ almost always online, but this does not mean that I always present. If you have not received an answer immediately have patience, I will answer as soon as appearing
- Mailing lists on bases of certain subjects are more expensive
- I am not responsible for your campaigns and sites that are sometimes nailed in the process of spam. Use anti-abuse hosting
- I'm not offering anti-abuse hosting services
- I don't offer recommendations for such services. I give only the services that spam
- Campaign's size should be UP TO 50 kb
Recommendations for the preparation of material for delivery:
- Do not always send the same text messages, ideally, to change the text after each mailing, the effect of there
- Do not use themes in writing (headers) words such as EARN, OFFER, do not put a lot of exclamation marks and other (better do without them), just one
- For a good response from countries whose native language is not English (eg Sweden, Spain, Denmark, etc) is highly desirable to use the native language of the text distributed to countries, it gives a wonderful effect, and should not be mistaken, in countries such not everyone knows English, verified repeatedly
- Do not write too long texts on a number of reasons this does not give a positive effect, but not limited to one sentence worth. Ideally, make the text in a few not particularly bulky paragraphs"
The deeper you analyze, the more malicious, and most importantly, inter-connected it gets. Related coverage of money laundering in the context of cybercrime: Keeping Money Mule Recruiters on a Short Leash - Part Two; Keeping Reshipping Mule Recruiters on a Short Leash; Keeping Money Mule Recruiters on a Short Leash; Standardizing the Money Mule Recruitment Process; Money Mule Recruiters use ASProx's Fast Fluxing Services; Money Mules Syndicate Actively Recruiting Since 2002; Inside a Money Laundering Group's Spamming Operations.</description><link>http://www.secuobs.com/revue/news/191514.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191514.shtml</guid></item>
<item><title>Tax Report Themed Zeus Client-Side Exploits Serving Campaign in the Wild</title><description>Secuobs.com : 2010-02-11 23:00:02 - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - A currently ongoing malware campaign courtesy of the gang that's been busy rotating themes over the past few weeks, has changed the theme to "You are in a higher tax bracket", and continues serving client-side exploits next to a Zeus crimeware sample using a bogus "You don't have the latest version of Macromedia Flash Player" error message.
- Sample URL: rep1031 be reports getreportphp email email - Email: souchuck yahoocom. The following currently suspended domains are also involved: rep1032 be; rep1030me uk; rep1031me uk; rep1032me uk; rep1030co uk; rep1031co uk; rep1032co uk; rep1043me uk; rep1041co uk; rep1032co uk
- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc). You're in a higher tax bracket because: - your annual income for the last tax year has increased. Please review your annual tax report immediately at: get report"
- Sample iFrame used: 10995115 36 uzs inphp (also used in last week's PhotoArchive campaign) - AS50215 - Troyak-as Starchenko Roman Fedorovich - akanyovskiy troyakorg; akanyovskiy vishclubnet, serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324
- Sample malware detection rate and phone back C&amp;Cs: updateexe - Trojan-SpyWin32Zbotgen - Result: 8/41 (19.52%), upon execution phones back to trollar ru cnf trljpg - 10995114133 - Email: bernardo_pr inboxru (AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich). The email was also used to register the Zeus C&amp;C from last week's "PhotoArchive Crimeware Client-Side Exploits Serving Campaign in the Wild" campaign
- Name servers of notice: ns1gompley net - 7411763218 - Email: storylink livecom; ns1hoocky net - 7411763218 - Email: footboolfan7 aolcom. Also known to have been parked on the same IP are ns1allhostinfo com - Email: line metalfancom; ns1helpgoldbank net - Email: glonders gmailcom; and ns1drowthdb com
- Second portfolio of related name servers (parked at 621932): ns1faktorypro com - Email: poolbill hotmailcom; ns1x-videocovers net - Email: storylink livecom; ns1serwisezone net - Email: line metalfancom; ns1guarantexpres com; ns1respectiveowners net
Updates will be posted as soon as new developments emerge. Related coverage of the gang's previous campaigns: PhotoArchive Crimeware Client-Side Exploits Serving Campaign in the Wild; Facebook AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits; Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams; Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware; Pushdo Injecting Bogus Swine Flu Vaccine; "Your mailbox has been deactivated" Spam Campaign Serving Crimeware; Ongoing FDIC Spam Campaign Serves Zeus Crimeware; The Multitasking Fast-Flux Botnet that Wants to Bank With You.</description><link>http://www.secuobs.com/revue/news/191105.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191105.shtml</guid></item>
<item><title>Keeping Money Mule Recruiters on a Short Leash - Part Two</title><description>Secuobs.com : 2010-02-09 20:49:09 - Dancho Danchev's Blog   Mind Streams of Information Security Knowledge -  With money mule recruitment syndicates continuing to expand their geographically diverse inventories of gullible mules, keeping their operations on a short leash is becoming a tradition What the non-existent organizations profiled in this post have in common with the non-existent organizations profiled before, is the vendor of money mule recruitment creative, thanks to whose standardization of the recruitment process, everyone willing to invest a modest amount of money can start recruiting Despite the ongoing mix of abusing legitimate infrastructure  Web 2.0 services, dedicated hosting within legitimate ISPs - Tweet 1  Tweet 2  Tweet 3  Tweet 4  Tweet 5  Tweet 6  and using purely malicious infrastructure, centralization in cybercrime operations is still an inseparable part of the cybercrime ecosystem Case in point is AS47560 - VESTEH-NET-as Vesteh LLC, where the cybercriminals have not only chosen to host their money mule recruitment domain portfolio, but also, the actual Zeus crimeware command and control servers Pretty convenient indeed, however a minimalistic OPSEC attitude leading to increased exposure The newly introduced money mule recruitment domains, rely on the same DIY web interface, and the same  payment processing agent  agreement seen in previous campaigns What's naturally changing are the web page layouts combined with a new description of the non-existent company Here's a sample from the currently active ones   Welcome to the world of Outsourcing Never has a phenomenon been so all encompassing and empowering like outsourcing Transcending beyond an industry's vertical segments, outsourcing has become the  by default  strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability Today's 
scenario in the business world is more competitive than what it was in the past There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement We are an online services marketplace in USA and Australia Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage We believe that  money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions  The fact that money mule recruiters aggregate contact details from career building web sites, isn't new -- see  Major career web sites hit by spammers attack  Here are the sample letters emailed to a prospective money mule, who spotted the scam and avoided it   After reviewing your resume online we have decided to propose you a Payment Processing Agent vacancy My name is Sarah Forbes and I'm working at SUCCESS Group Inc Our company is a well-known one It was founded in the USA and deals mainly with recruitment of IT professionals The job we offer is a part-time position with a flexible schedule On average the working hours are 2-3 hours a day  Monday through Friday  Our job requirements  Internet access and e-mail Successful applicants are offered a probationary period  30 days  All agents get training and online support We evaluate the employees at least one week prior to the end of their trial period NOTE  During the probationary period termination can be recommended by the supervisor The pay is  2,300 per month during the Trial Period   8% commission from each successfully handled payment Total income is about  4,500 per month After the first 30 days your base salary will be increased up to  3,000 a month NOTE  After the probationary period you may request additional assignments or proceed to full-time If you are interested in the offer, please, contact me at successsarahforbes 
googlemailcom for the details _________FORM_______FORM________FORM_________ First name  Last name  Country of residence  Contact phone  Preferred catime  _______________ _________FORM_______FORM________FORM____________ Our representatives will reply within 48 hours NOTE  This is not a sales position Sincerely, Sarah Forbes SUCCESS Group Inc job success-groupinctw Phone  1-585-267-5988 Fax  1-585-672-6137  Let's expose the domain portfolios in question  IMAGE Active money mule recruitment sites parked within AS47560 - VESTEH-NET-as Vesteh LLC, at 9120016418  9120016419  9120016420  9120016421  and 9120016422 in particular  aurora-groupco tw - Email  dodo fastermailru aurora-groupco ws - Email  info gtecru aurora-groupinc tw - Email  cents qx8ru aurora-groupinc ws - Email  info gtecru bear-groupco ws - Email  info gtecru bear-groupinc ws - Email  info gtecru citizen-groupco tw - Email  sane qx8ru citizen-groupco ws - Email  info gtecru citizengroupinc ws - Email  info gtecru citizen-groupsvc tw - Email  frown fastermailru classic-groupco ws - Email  info gtecru classicgroupinc ws - Email  info gtecru classic-groupsvc tw - Email  haste fastermailru excel-groupco tw - Email  thaws bigmailboxru excel-groupinc tw - Email  thaws bigmailboxru excel-groupinc ws - Email  info gtecru financial-groupco tw - Email  think mailliferu financial-groupco ws - Email  info gtecru financial-groupinc tw - Email  sane qx8ru financial-groupsvc ws - Email  info gtecru market-vision tw - Email  place bigmailboxru market-visioninc ws - Email  info gtecru measure-groupco tw - Email  cents qx8ru measure-groupco ws - Email  info gtecru measure-groupinc tw - Email  cents qx8ru measure-groupinc ws - Email  info gtecru millennium-groupco tw - Email  thaws bigmailboxru millennium-groupinc ws - Email  info gtecru millennium-groupsvc tw - Email  thaws bigmailboxru millennium-groupsvc ws - Email  info gtecru nuris-groupco tw - Email  rips fastermailru nuris-groupco ws - Email  info gtecru 
nuris-groupinc tw - Email  rips fastermailru nuris-groupinc ws - Email  info gtecru render-groupco tw - Email  muggy freenetboxru success-groupco ws - Email  info gtecru Naturally, it gets even more interesting with AS47560 - VESTEH-NET-as Vesteh LLC acting as a good example of a cybercrime-friendly virtual neighborhood Not only are the cybercriminals hosting the money mule recruitment sites there, but also, a decent number of Zeus crimeware C&amp;Cs and client-side exploit serving campaigns are currently active there  Zeus C&amp;Cs active at 9120016444, front pages return  dsfkgjk rgkj    justinnew1 com - Email  3242dswewrf yahoocom justinnew2 com - Email  3242dswewrf yahoocom justinnew3 com - Email  3242dswewrf yahoocom justinnew4 com - Email  3242dswewrf yahoocom justinnew5 com - Email  3242dswewrf yahoocom justinnew6 com - Email  3242dswewrf yahoocom justinnew7 com - Email  3242dswewrf yahoocom justinnew8 com - Email  3242dswewrf yahoocom justinnew9 com - Email  3242dswewrf yahoocom justinnew10 com - Email  3242dswewrf yahoocom justinnew11 com - Email  3242dswewrf yahoocom justinnew12 com - Email  3242dswewrf yahoocom justinnew12 com - Email  3242dswewrf yahoocom justinnew13 com - Email  3242dswewrf yahoocom justinnew14 com - Email  3242dswewrf yahoocom justinnew15 com - Email  3242dswewrf yahoocom justinnew16 com - Email  3242dswewrf yahoocom justinnew17 com - Email  3242dswewrf yahoocom justinnew18 com - Email  3242dswewrf yahoocom justinnew19 com - Email  3242dswewrf yahoocom justinnew20 com - Email  3242dswewrf yahoocom justinnew21 com - Email  3242dswewrf yahoocom justinnew22 com - Email  3242dswewrf yahoocom justinnew23 com - Email  3242dswewrf yahoocom justinnew24 com - Email  3242dswewrf yahoocom Historical OSINT of live exploit serving, malware phone back locations parked at 9120016444  abecedarian in - Email  jobmasterx yahoocom absinthial in - Email  jobmasterx yahoocom acarine in - Email  jobmasterx yahoocom aeruginous in - Email  jobmasterx yahoocom 
agrestic in - Email  jobmasterx yahoocom alveolate in - Email  jobmasterx yahoocom anaclastic in - Email  jobmasterx yahoocom anatine in - Email  jobmasterx yahoocom anconoid in - Email  jobmasterx yahoocom ancoral in - Email  jobmasterx yahoocom anserine in - Email  jobmasterx yahoocom archididascalian in - Email  jobmasterx yahoocom arietine in - Email  jobmasterx yahoocom babied in - Email  jobmasterx yahoocom baffled in - Email  jobmasterx yahoocom banal in - Email  jobmasterx yahoocom barren in - Email  jobmasterx yahoocom battle-worn in - Email  jobmasterx yahoocom bawled in - Email  jobmasterx yahoocom beatific in - Email  jobmasterx yahoocom beckoned in - Email  jobmasterx yahoocom betonomeshalkatraktor in - Email  ynetsw gmailcom fcaliber65 in - Email  wert32 ramblerru humpiii1 in - Email  wert32 ramblerru izyvecheniy0tragladit in - Email  ynetsw gmailcom lifeberyt in - Email  wert32 ramblerru marrychristmasforyou com - ACTIVE marrychristmasforyou net - ACTIVE my1stdomain in - Email  wert32 ramblerru pingcrews in - Email  jobmasterx yahoocom razymniygluk in - Email  ynetsw gmailcom rescservuce in - Email  wert32 ramblerru  IMAGE Name servers of notice  dns1yektnet - 671547189 ns1trythisokcn - 8924816645 - chunk qx8ru ns1basilkeyws - 8924816645 - info gtecru ns2maninwhitecc - 3899169210 - duly fastermailru ns2mythinregionws - Email  info gtecru ns2partytimeecn - 3899169208 - Email  chunk qx8ru ns3cnnandpizzacc - 1951825736 - Email  bears fastermailru ns3partymorningws - 942311471 - Email  info gtecru Take a look at the routing graph for a moment Who do we have here  Our  dear friends  at AS5577 ROOT eSolutions  also seen here  here  here  here  here and here  acting as a node to an ever expanding portfolio of malicious customers, with AS50215 Troyak-as Starchenko Roman Fedorovich part of the Pushdo crimeware and client-side exploit serving campaigns, second in the list AS47560 - VESTEH-NET-as Vesteh LLC has been notified, awaiting response take down 
reaction Or the lack of such Related coverage of money laundering in the context of cybercrime  Keeping Reshipping Mule Recruiters on a Short Leash Keeping Money Mule Recruiters on a Short Leash Standardizing the Money Mule Recruitment Process Money Mule Recruiters use ASProx's Fast Fluxing Services Money Mules Syndicate Actively Recruiting Since 2002 Inside a Money Laundering Group's Spamming Operations This post has been reproduced from Dancho Danchev's blog Follow him on Twitter</description><link>http://www.secuobs.com/revue/news/190150.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190150.shtml</guid></item>
<item><title>A Diverse Portfolio of Scareware Blackhat SEO Redirectors Courtesy of the Koobface Gang</title><description>Secuobs.com : 2010-02-04 00:25:49 - Dancho Danchev's Blog   Mind Streams of Information Security Knowledge -  With scareware rogueware fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash in order to become the biggest opportunity cost for the gang's business model is crucial The following are currently active blackhat SEO redirectors Koobface-infected hosts redirectors and actual scareware domains courtesy of the gang Blackhat SEO redirectors, also embedded at Koobface-infected hosts  chevroletvmodeltoys com - 9644128245 - Email  CourtneyRWebb aolcom volvomodeltoys com - Email  CourtneyRWebb aolcom manilawebcamera com - Email  monkey22 livecom mumbaiwebcamera com - Email  monkey22 livecom karachiwebcamera com - Email  monkey22 livecom delhiwebcamera com - Email  monkey22 livecom istanbulwebcamera com - Email  monkey22 livecom lexusmodeltoys com - Email  monkey22 livecom chevroletvmodeltoys com - Email  CourtneyRWebb aolcom bmwmodeltoys com - Email  CourtneyRWebb aolcom Upon redirection, the scareware is served from malware-b-scan com - 9121222697  91212226185  911214567, 91212226203, 94228209195 - Email  mail bristonnewscom Sample detection rate  Setup_312s2exe - Result  3/40 (7.5%)  Upon execution the sample phones back to winxp7server com download winlogobmp - 9422820857  rescuesysupdate com b 312s2 - 83133125216  Parked on the same IPs are more scareware domains part of the portfolio  11-antivirus com - Email  call555call livecom 1-antivirus com - Email  call555call livecom 1m-online-scanner com - Email  stellar2 yahoocom 2m-online-scanner com - Email  stellar2 yahoocom 2pro-antispyware com - Email  mail yahoocom 3pro-antispyware com - Email  mail yahoocom 6-antivirus com - Email  call555call livecom 7-antivirus com - Email  call555call livecom 9-antivirus com - 
Email  call555call livecom a0-online-scanner com - Email  stellar2 yahoocom a9-online-scanner com - Email  stellar2 yahoocom aa-antivirus com - Email  call555call livecom aa-online-scanner com - Email  call555call livecom ab-antivirus com - Email  call555call livecom ac-antivirus com - Email  call555call livecom ad-antivirus com - Email  call555call livecom adv1-system-scanner com - Email  JayRKibbe livecom adv2-system-scanner com - Email  JayRKibbe livecom ae-antivirus com - Email  call555call livecom antivirus-expert-a com - Email  900ekony livecom antivirus-expert-i com - Email  900ekony livecom antivirus-expert-r com - Email  900ekony livecom antivirus-expert-y com - Email  900ekony livecom antivirussystemscan1 com - Email  900ekony livecom antivirussystemscana com - Email  900ekony livecom army-antispywarea com - Email  beliec99 yahoocom army-antispywarei com - Email  beliec99 yahoocom army-antispywarel com - Email  beliec99 yahoocom army-antispywarep com - Email  beliec99 yahoocom army-antivirusa com - Email  beliec99 yahoocom army-antivirusd com - Email  beliec99 yahoocom army-antivirust com - Email  beliec99 yahoocom army-antivirusv com - Email  beliec99 yahoocom army-antivirusy com - Email  beliec99 yahoocom b1-online-scanner com - Email  stellar2 yahoocom best-antivirusk0 com bestpd-virusscanner com - Email  SusanCWagner yahoocom bestpr-virusscanner com - Email  SusanCWagner yahoocom crystal-antimalware com - Email  mail vertigocatscom crystal-antivirus com - Email  mail vertigocatscom crystal-pro-scan com - Email  mail vertigocatscom crystal-pro-scanner com - Email  mail vertigocatscom crystal-spyscanner com - Email  mail vertigocatscom crystal-threatscanner com - Email  mail vertigocatscom crystal-virusscanner com - Email  mail vertigocatscom extra-spyware-defencea com - Email  fabula8 livecom extra-spyware-defenceb com - Email  fabula8 livecom malware-a-scan com - Email  mail bristonnewscom malware-b-scan com - Email  mail bristonnewscom malware-c-scan 
com - Email  mail bristonnewscom malware-d-scan com - Email  mail bristonnewscom malware-t-scan com - Email  mail bristonnewscom mega-antispywarea com - Email  fabula8 livecom mega-antispywareb com - Email  fabula8 livecom mm-online-scanner com - Email  stellar2 yahoocom my-computer-antivirusa com - Email  dillinzer1 yahoocom my-computer-antivirusb com - Email  dillinzer1 yahoocom my-computer-antiviruse com - Email  dillinzer1 yahoocom my-computer-antivirusq com - Email  dillinzer1 yahoocom my-computer-antivirusw com - Email  dillinzer1 yahoocom my-computer-scanc com - Email  clintommail2 yahoocom my-computer-scane com - Email  clintommail2 yahoocom my-computer-scanl com - Email  clintommail2 yahoocom my-computer-scannera com - Email  clintommail2 yahoocom my-computer-scannerl com - Email  clintommail2 yahoocom my-computer-scannerm com - Email  clintommail2 yahoocom my-computer-scannern com - Email  clintommail2 yahoocom my-computer-scannerv com - Email  clintommail2 yahoocom my-computer-scanw com - Email  clintommail2 yahoocom my-pc-online-scanm com - Email  dillinzer1 yahoocom my-pc-online-scann com - Email  dillinzer1 yahoocom my-pc-online-scanr com - Email  dillinzer1 yahoocom my-pc-online-scanv com - Email  dillinzer1 yahoocom n1-system-scanner com - Email  JayRKibbe livecom n2-system-scanner com - Email  JayRKibbe livecom nasa-antivirus1 com - Email  call555call livecom nasa-antivirus3 com - Email  call555call livecom nasa-antivirusa com - Email  call555call livecom nasa-antivirusb com - Email  call555call livecom nasa-antiviruso com - Email  call555call livecom pc1-system-scanner com - Email  JayRKibbe livecom pc2-system-scanner com - Email  JayRKibbe livecom pro0-antivirus com - Email  mail yahoocom pro0-system-scanner com - Email  JayRKibbe livecom pro1-system-scanner com - Email  JayRKibbe livecom pro2-antivirus com - Email  mail yahoocom pro4-antivirus com - Email  mail yahoocom pro6-antivirus com - Email  mail yahoocom pro8-antivirus com - Email  mail 
yahoocom remote-antispywarec com - Email  teresa2mailme livecom remote-antispywared com - Email  teresa2mailme livecom remote-antispywaree com - Email  teresa2mailme livecom remote-antispywarey com - Email  teresa2mailme livecom remote-pc1-scanner com - Email  teresa2mailme livecom remote-pc-scannera com - Email  teresa2mailme livecom remote-pc-scannerr com - Email  teresa2mailme livecom remote-pc-scannerv com - Email  teresa2mailme livecom remote-pc-scannery com - Email  teresa2mailme livecom  IMAGE scan3antispyware com - Email  o mozzilastufcom scan6antispyware com - Email  o mozzilastufcom scan8antispyware com - Email  o mozzilastufcom scan-antispywarea com - Email  o mozzilastufcom scan-antispywarec com - Email  o mozzilastufcom scan-antispywared com - Email  o mozzilastufcom scan-antispywarez com - Email  o mozzilastufcom spyware-01-scanner com - Email  mail bristonnewscom spyware-03-scanner com - Email  mail bristonnewscom spyware-05-scanner com - Email  mail bristonnewscom spyware-06-scanner com - Email  mail bristonnewscom spyware-07-scanner com - Email  mail bristonnewscom stcanning-your-computerc com - Email  mitra66 yahoocom stcanning-your-computerd com - Email  mitra66 yahoocom stcanning-your-computerq com - Email  mitra66 yahoocom stcanning-your-computerr com - Email  mitra66 yahoocom stcanning-your-computert com - Email  mitra66 yahoocom stcanning-your-pca com - Email  mitra66 yahoocom stcanning-your-pcb com - Email  mitra66 yahoocom stcanning-your-pcc com - Email  mitra66 yahoocom stcanning-your-pcd com - Email  mitra66 yahoocom stcanning-your-pce com - Email  mitra66 yahoocom stealthv1-antispyware com - Email  SteveLCartwright yahoocom stealthv2-antispyware com - Email  SteveLCartwright yahoocom stealthv7-antispyware com - Email  SteveLCartwright yahoocom stealthv8-antispyware com - Email  SteveLCartwright yahoocom stealthv9-antispyware com - Email  SteveLCartwright yahoocom ver1-system-scanner com - Email  JayRKibbe livecom ver2-system-scanner com 
- Email  JayRKibbe livecom virus-a1-scanner com - Email  mail bristonnewscom virus-a1-scanner com - Email  mail bristonnewscom virus-b1-scanner com - Email  mail bristonnewscom virus-b1-scanner com - Email  mail bristonnewscom virus-c1-scanner com - Email  mail bristonnewscom virus-c1-scanner com - Email  mail bristonnewscom virus-d1-scanner com - Email  mail bristonnewscom virus-d1-scanner com - Email  mail bristonnewscom virus-e2-scanner com - Email  mail bristonnewscom virus-e2-scanner com - Email  mail bristonnewscom windowsv5-antispyware com - Email  SteveLCartwright yahoocom windowsv6-antispyware com - Email  SteveLCartwright yahoocom windowsv7-antispyware com - Email  SteveLCartwright yahoocom windowsv8-antispyware com - Email  SteveLCartwright yahoocom windowsv9-antispyware com - Email  SteveLCartwright yahoocom z0-online-scanner com - Email  stellar2 yahoocom z1-online-scanner com - Email  stellar2 yahoocom  IMAGE Active scareware domains portfolio  blackhat SEO Koobface pushed  parked at 212150164190 - AS1680 - NV-ASN 013 NetVision Ltd   antispy-download org - Email  robertsimonkroon gmailcom scanner-virus-free org - Email  robertsimonkroon gmailcom tube-best-porn org - Email  robertsimonkroon gmailcom tube-sex-porn org - Email  robertsimonkroon gmailcom download-free-files org - Email  robertsimonkroon gmailcom tube-porn-best org - Email  robertsimonkroon gmailcom scan-your-pc-now org - Email  michaeltycoon gmailcom scanner-virus-free com - Email  robertsimonkroon gmailcom tube-sex-porn com - Email  robertsimonkroon gmailcom scanner-free-virus com - Email  robertsimonkroon gmailcom tube-porn-best com - Email  robertsimonkroon gmailcom antispy-download info - Email  robertsimonkroon gmailcom soft-download-free info - Email  robertsimonkroon gmailcom scanner-virus-free info - Email  robertsimonkroon gmailcom scanner-free-virus info - Email  robertsimonkroon gmailcom scan-your-pc-now info - Email  michaeltycoon gmailcom adult-tube-free net - Email  
michaeltycoon gmailcom scanner-virus-free net - Email  robertsimonkroon gmailcom tube-sex-porn net - Email  robertsimonkroon gmailcom download-free-files net - Email  michaeltycoon gmailcom scanner-free-virus net - Email  robertsimonkroon gmailcom tube-porn-best net - Email  robertsimonkroon gmailcom ekjsoft eu - Email  robertsimonkroon gmailcom antispy-download biz - Email  robertsimonkroon gmailcom soft-download-free biz - Email  robertsimonkroon gmailcom scanner-virus-free biz - Email  robertsimonkroon gmailcom free-malware-scan biz - Email  robertsimonkroon gmailcom tube-best-porn biz - Email  robertsimonkroon gmailcom tube-sex-porn biz - Email  robertsimonkroon gmailcom download-free-files biz - Email  michaeltycoon gmailcom  IMAGE  scanner-free-virus biz - Email  robertsimonkroon gmailcom download-free-soft biz - Email  robertsimonkroon gmailcom tube-porn-best biz - Email  robertsimonkroon gmailcom scan-your-pc-now biz - Email  michaeltycoon gmailcom porn-tube-sex biz - Email  robertsimonkroon gmailcom alrzsoft in - Email  petrenkokolia yandexru antispy-download biz - Email  robertsimonkroon gmailcom cool-tube-porn net - Email  robertsimonkroon gmailcom cool-tube-porn org - Email  robertsimonkroon gmailcom download-free-now net - Email  robertsimonkroon gmailcom download-free-now org - Email  robertsimonkroon gmailcom download-free-soft com - Email  robertsimonkroon gmailcom download-free-soft net - Email  robertsimonkroon gmailcom download-scaner-free com - Email  robertsimonkroon gmailcom ekjsoft eu fdglsoft in - Email  petrenkokolia yandexru free-virus-scanner net - Email  robertsimonkroon gmailcom kleqsoft in - Email  petrenkokolia yandexru kltysoft in - Email  petrenkokolia yandexru ktyjsoft in - Email  petrenkokolia yandexru  IMAGE kyezsoft in - Email  petrenkokolia yandexru lkrjsoft in - Email  petrenkokolia yandexru lkrtsoft in - Email  petrenkokolia yandexru mgtlsoft in - Email  petrenkokolia yandexru porn-sex-tube net - Email  robertsimonkroon 
gmailcom porn-sex-tube org - Email  robertsimonkroon gmailcom scan-free-malware net - Email  robertsimonkroon gmailcom scan-free-malware org - Email  robertsimonkroon gmailcom spyware-scaner-free com - Email  robertsimonkroon gmailcom spyware-scaner-free info - Email  robertsimonkroon gmailcom spyware-scaner-free net - Email  robertsimonkroon gmailcom spyware-scaner-free org - Email  robertsimonkroon gmailcom tube-best-porn biz - Email  robertsimonkroon gmailcom tube-best-porn com - Email  robertsimonkroon gmailcom tube-best-porn net - Email  robertsimonkroon gmailcom tube-best-porn org - Email  robertsimonkroon gmailcom tube-porn-sex info - Email  robertsimonkroon gmailcom tube-porn-sex net - Email  robertsimonkroon gmailcom tube-porn-sex org - Email  robertsimonkroon gmailcom What's so special about robertsimonkroon gmailcom anyway  It's the fact that not only was the email once again used to register scareware domains two times in July, 2009, but also, as pointed out in November 2009's  Koobface Botnet's Scareware Business Model - Part Two , the same email was used to register the following download locations for scareware pushed by the Koobface botnet  0ni9o1s3feu60 cn - Email  robertsimonkroon gmailcom 6j5aq93iu7yv4 cn - Email  robertsimonkroon gmailcom mf6gy4lj79ny5 cn - Email  robertsimonkroon gmailcom 84u9wb2hsh4p6 cn - Email  robertsimonkroon gmailcom 6pj2h8rqkhfw7 cn - Email  robertsimonkroon gmailcom 7cib5fzf462g8 cn - Email  robertsimonkroon gmailcom 7bs5nfzfkp8q8 cn - Email  robertsimonkroon gmailcom kt4lwumfhjb7a cn - Email  robertsimonkroon gmailcom q2bf0fzvjb5ca cn - Email  robertsimonkroon gmailcom rncocnspr44va cn - Email  robertsimonkroon gmailcom t1eayoft9226b cn - Email  robertsimonkroon gmailcom 4go4i9n76ttwd cn - Email  robertsimonkroon gmailcom kzvi4iiutr11e cn - Email  robertsimonkroon gmailcom hxc7jitg7k57e cn - Email  robertsimonkroon gmailcom mfbj6pquvjv8e cn - Email  robertsimonkroon gmailcom mt3pvkfmpi7de cn - Email  
robertsimonkroon gmailcom fb7pxcqyb45oe cn - Email  robertsimonkroon gmailcom fyivbrl3b0dyf cn - Email  robertsimonkroon gmailcom z6ailnvi94jgg cn - Email  robertsimonkroon gmailcom ue4x08f5myqdl cn - Email  robertsimonkroon gmailcom p7keflvui9fkl cn - Email  robertsimonkroon gmailcom gjpwsc5p7oe3m cn - Email  robertsimonkroon gmailcom f1uq1dfi3qkcm cn - Email  robertsimonkroon gmailcom 7mx1z5jq0nt3o cn - Email  robertsimonkroon gmailcom 3uxyctrlmiqeo cn - Email  robertsimonkroon gmailcom p0umob9k2g7mp cn - Email  robertsimonkroon gmailcom od32qjx6meqos cn - Email  robertsimonkroon gmailcom bnfdxhae1rgey cn - Email  robertsimonkroon gmailcom 7zju2l82i2zhz cn - Email  robertsimonkroon gmailcom Stay tuned for a massive Koobface related activities update, analyzing the gang's multi-tasking throughout the entire January, 2010 -- descriptive historical OSINT offers long-term value in cross-checking for connections Related Koobface gang botnet research  How the Koobface Gang Monetizes Mac OS X Traffic The Koobface Gang Wishes the Industry  Happy Holidays  Koobface-Friendly Riccom LTD - AS29550 -  Finally  Taken Offline Koobface Botnet Starts Serving Client-Side Exploits Massive Scareware Serving Blackhat SEO, the Koobface Gang Style Koobface Botnet's Scareware Business Model - Part Two Koobface Botnet's Scareware Business Model - Part One Koobface Botnet Redirects Facebook's IP Space to my Blog New Koobface campaign spoofs Adobe's Flash updater Social engineering tactics of the Koobface botnet Koobface Botnet Dissected in a TrendMicro Report Movement on the Koobface Front - Part Two Movement on the Koobface Front Koobface - Come Out, Come Out, Wherever You Are Dissecting Koobface Worm's Twitter Campaign The Diverse Portfolio of Fake Security Software Series  A Diverse Portfolio of Fake Security Software - Part Twenty Four A Diverse Portfolio of Fake Security Software - Part Twenty Three A Diverse Portfolio of Fake Security Software - Part Twenty Two A Diverse Portfolio 
of Fake Security Software - Part Twenty One A Diverse Portfolio of Fake Security Software - Part Twenty A Diverse Portfolio of Fake Security Software - Part Nineteen A Diverse Portfolio of Fake Security Software - Part Eighteen A Diverse Portfolio of Fake Security Software - Part Seventeen A Diverse Portfolio of Fake Security Software - Part Sixteen A Diverse Portfolio of Fake Security Software - Part Fifteen A Diverse Portfolio of Fake Security Software - Part Fourteen A Diverse Portfolio of Fake Security Software - Part Thirteen A Diverse Portfolio of Fake Security Software - Part Twelve A Diverse Portfolio of Fake Security Software - Part Eleven A Diverse Portfolio of Fake Security Software - Part Ten A Diverse Portfolio of Fake Security Software - Part Nine A Diverse Portfolio of Fake Security Software - Part Eight A Diverse Portfolio of Fake Security Software - Part Seven A Diverse Portfolio of Fake Security Software - Part Six A Diverse Portfolio of Fake Security Software - Part Five A Diverse Portfolio of Fake Security Software - Part Four A Diverse Portfolio of Fake Security Software - Part Three A Diverse Portfolio of Fake Security Software - Part Two Diverse Portfolio of Fake Security Software This post has been reproduced from Dancho Danchev's blog Follow him on Twitter</description><link>http://www.secuobs.com/revue/news/188351.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188351.shtml</guid></item>
<item><title>PhotoArchive Crimeware Client-Side Exploits Serving Campaign in the Wild</title><description>Secuobs.com : 2010-02-03 23:15:46 - Dancho Danchev's Blog   Mind Streams of Information Security Knowledge -  Pushdo Cutwail's customers, or perhaps the botnet masters themselves, continue rotating the malware campaigns, with the very latest one using a  Photo Archive  2070735  theme, and continuing to serve client-side exploits hosted within crimeware-friendly networks it's time we profile and expose   Extensive list of the domains subdomains involved at Gary Warner's blog  Photo Archives Hosting describes itself as   Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content All archives and links are provided by 3rd parties We have no control over the content of these pages We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links   2007-2009, Photos Archives Hosting Group, Inc- ALL RIGHTS RESERVED  - Sample URL  photoshockMalwareDomain id1073bv getphp email  - Sample iFrame f