Saturday, September 11, 2010

Summarizing 3 Years of Research Into Cyber Jihad


From the "been there, actively researched that" department.
  1. Tracking Down Internet Terrorist Propaganda
  2. Arabic Extremist Group Forum Messages' Characteristics
  3. Cyber Terrorism Communications and Propaganda
  4. A Cost-Benefit Analysis of Cyber Terrorism
  5. Current State of Internet Jihad
  6. Analysis of the Technical Mujahid - Issue One
  7. Full List of Hezbollah's Internet Sites
  8. Steganography and Cyber Terrorism Communications
  9. Hezbollah's DNS Service Providers from 1998 to 2006
  10. Mujahideen Secrets Encryption Tool
  11. Analyses of Cyber Jihadist Forums and Blogs
  12. Cyber Traps for Wannabe Jihadists
  13. Inshallahshaheed - Come Out, Come Out Wherever You Are
  14. GIMF Switching Blogs
  15. GIMF Now Permanently Shut Down
  16. GIMF - "We Will Remain"
  17. Wisdom of the Anti Cyber Jihadist Crowd
  18. Cyber Jihadist Blogs Switching Locations Again
  19. Electronic Jihad v3.0 - What Cyber Jihad Isn't
  20. Electronic Jihad's Targets List
  21. Teaching Cyber Jihadists How to Hack
  22. A Botnet of Infected Terrorists?
  23. Infecting Terrorist Suspects with Malware
  24. The Dark Web and Cyber Jihad
  25. Cyber Jihadist Hacking Teams
  26. Two Cyber Jihadist Blogs Now Offline
  27. Characteristics of Islamist Websites
  28. Cyber Traps for Wannabe Jihadists
  29. Mujahideen Secrets Encryption Tool
  30. An Analysis of the Technical Mujahid - Issue Two
  31. Terrorist Groups' Brand Identities
  32. A List of Terrorists' Blogs
  33. Jihadists' Anonymous Internet Surfing Preferences
  34. Sampling Jihadists' IPs
  35. Cyber Jihadists' and TOR
  36. A Cyber Jihadist DoS Tool
  37. GIMF Now Permanently Shut Down
  38. Mujahideen Secrets 2 Encryption Tool Released
  39. Terror on the Internet - Conflict of Interest
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, September 08, 2010

Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this is a short historical OSINT post -- catching up is still in progress -- detailing the structure of several campaigns that took place throughout July-August 2010 and, as always, emphasizing their connection with historical malware campaigns profiled on my personal blog.

Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex shipment status themed invoices", and "Office-themed documents".

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip
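The attachment names above show the campaign's delivery trick: a ZIP whose single entry is an executable named after the archive (e.g. "journal club articles.zip" carrying "journal club articles.exe"). As an added example, not code from the original post or from any product, here is a gateway-style check that lists an archive's entries without extracting it and quarantines archives that wrap an executable; the ZIPs are constructed in memory and the extension policy list is an assumption.

```python
"""Gateway-style check for mail attachments that hide an executable in a ZIP.

Added illustration for this post, not code from the original post or from
any product.  The archives are constructed in memory so the script runs
offline; the extension policy list is an assumption.
"""
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed policy list).
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js|jar)$", re.IGNORECASE)


def risky_zip_entries(zip_bytes: bytes) -> list:
    """Names of executable entries inside a ZIP, listed from the central
    directory only (nothing is extracted).  An unreadable archive is reported
    as a single marker entry so the caller still quarantines it."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    return [n for n in names if EXECUTABLE_EXT.search(n)]


def attachment_verdict(filename: str, content: bytes) -> str:
    """Classify one attachment as 'block', 'quarantine' or 'allow'."""
    if EXECUTABLE_EXT.search(filename):
        return "block"            # a bare executable never belongs in mail
    if filename.lower().endswith(".zip") and risky_zip_entries(content):
        return "quarantine"       # archive wrapping an executable
    return "allow"


def build_zip(entries: dict) -> bytes:
    """Build a constructed test archive in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives mirroring the naming trick in the post: the archive
# "journal club articles.zip" carried "journal club articles.exe".
MALICIOUS_ZIP = build_zip({"journal club articles.exe": b"MZ" + b"\x00" * 64})
BENIGN_ZIP = build_zip({"journal club articles.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    for name, blob in [("journal club articles.zip", MALICIOUS_ZIP),
                       ("constructed_benign.zip", BENIGN_ZIP),
                       ("news.exe", b"MZ")]:
        print(f"{name}: {attachment_verdict(name, blob)}")
```

Listing the central directory rather than extracting keeps the check cheap and avoids running any decompression bomb; an archive that cannot be parsed is treated as suspicious rather than allowed through.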

Detection rates, phone back URLs, and connections with previously profiled campaigns:
- news.exe - Trojan.Bredolab-993 - 40/ 43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- journal club articles.exe - Backdoor/Bredolab.edb - 41/ 43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
188.65.74.161 /mrmun_sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.3 /outlook.exe - AS48691 - ACTIVE

- outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/ 43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com - 188.65.74.164 - Email: info@blackry.com


Responding to 188.65.74.164 at AS42473 are also:
wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are known to have been serving client-side exploits, but the redirection is currently returning an error: "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
    - vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Responding to 188.40.232.254, AS24940 are also the following command and control, client-side exploit serving domains:
gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com
---------------------------------------------------------------------------------

- FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/ 43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru with x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also parked there.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns, "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns" and "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign", both having a direct relationship with the Asprox botnet.


Friday, August 13, 2010

Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites


Over the past week, I've been tracking -- among the countless campaigns currently in the process of getting profiled/taken care of internally -- a blackhat SEO campaign that's persistently compromising legitimate sites within small ISPs in the Netherlands and Switzerland, for scareware-serving purposes.

Although this beneath-the-radar targeting approach is nothing new, it once again emphasizes a well-proven mentality within the cybercrime ecosystem: collectively, hundreds of thousands of low-profile sites, if well poisoned with bogus/timely/relevant blackhat SEO content, can outpace the hijacked traffic from a high-profile site, because a high-profile site gets cleaned up in a much shorter time frame (its administrators and community members react faster, prioritizing it due to the importance of the site).

What's particularly interesting about the campaign is the fact that the redirectors/scareware domains were previously parked within our "dear friends" at AS31252, STARNET-AS StarNet Moldova. Go through the related posts on STARNET-AS StarNet Moldova.

Let's dissect the campaign, expose the complete portfolio of scareware/redirector domains, emphasize the monetization vector, and show how this blackhat SEO campaign uses the same scareware affiliate network that the campaigns launched through Gumblar's infrastructure (Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign) continue to use.

Once the self.location.href condition on the compromised page is met, the following chain of redirectors fires, until the user is exposed to the ubiquitous "You're infected" screen:


- dotyuzcifl.ru/liq/?st= - 200.63.44.211 - Email: kireev@ravermail.com (NS: ns1.freemobiledns.mobi Email: akorn1022@gmail.com)
    - errgxhxzerr.co.cc/r/feed.php?k= - 200.63.44.211, AS27716, ASEVELOZ - Email: andrew_bush52@hotmail.com
    - errgxhxzerr.co.cc/tube/?k=
    - errgxhxzerr.co.cc/r/sss.php
        - www4.protection-guard89.co.cc - 74.118.193.81, AS46664 - Email: abc.emm@gmail.com
        - www1.virus-detection50.co.cc/?p=p52 - 94.228.220.117, AS47869, NETROUTING-AS - Email: abc.emm@gmail.com
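The chain above is exactly what a proxy log on the victim's side would show as a burst of requests linked by Referer headers and 3xx responses. As an added example, not the author's tooling, the following script reconstructs per-client redirect chains from such a log and flags hops that land on this campaign's scareware naming patterns or carry an affiliate id; the log lines are constructed to mirror the chain described in the post, and the log format (space-separated time, client, status, URL, referer) is an assumption.

```python
"""Reconstruct per-client redirect chains from web-proxy logs and flag hops
that land on this campaign's scareware/redirector naming patterns.

Added illustration for this post, not the author's tooling.  The log lines
are constructed to mirror the chain described above; the log format
(space-separated: time client status url referer) is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Host naming patterns seen on the scareware end of this campaign.
SCAREWARE_HOST = re.compile(
    r"(virus-detection|protection-guard|mypersonalshield)\d+\.", re.IGNORECASE)
# Query parameters that identify an affiliate on the monetization hop.
AFFILIATE_PARAMS = {"afid"}

# Constructed proxy log: one visitor walks the chain, one is unrelated,
# one lands directly on the affiliate landing page.
LOG = """\
2010-08-13T10:00:01 10.0.0.5 200 http://adsite.ch/lAULixdSoWmA/ http://search.example.test/?q=constructed
2010-08-13T10:00:02 10.0.0.5 302 http://dotyuzcifl.ru/liq/?st=1 http://adsite.ch/lAULixdSoWmA/
2010-08-13T10:00:02 10.0.0.5 302 http://errgxhxzerr.co.cc/r/feed.php?k=2 http://dotyuzcifl.ru/liq/?st=1
2010-08-13T10:00:03 10.0.0.5 200 http://errgxhxzerr.co.cc/r/sss.php http://errgxhxzerr.co.cc/r/feed.php?k=2
2010-08-13T10:00:04 10.0.0.5 200 http://www1.virus-detection50.co.cc/?p=p52 http://errgxhxzerr.co.cc/r/sss.php
2010-08-13T10:00:09 10.0.0.7 200 http://intranet.example.test/home -
2010-08-13T10:01:15 10.0.0.8 200 http://uramozat.cz.cc/scanner10/?afid=76 http://errgxhxzerr.co.cc/r/sss.php
"""


def parse_log(text):
    """Split each line into a request record."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer = line.split(" ", 4)
        rows.append({"ts": ts, "client": client, "status": int(status),
                     "url": url, "referer": referer})
    return rows


def build_chains(rows):
    """Group a client's requests into ordered chains.  A request joins the
    open chain when its Referer is the chain's last URL (JavaScript and meta
    redirects keep the redirecting page as referer) or when the previous
    response was an HTTP 3xx redirect."""
    per_client = defaultdict(list)
    for r in rows:
        per_client[r["client"]].append(r)
    chains = []
    for client, reqs in per_client.items():
        chain = []
        for r in reqs:
            linked = chain and (r["referer"] == chain[-1]["url"]
                                or 300 <= chain[-1]["status"] < 400)
            if chain and not linked:
                chains.append((client, chain))
                chain = []
            chain.append(r)
        chains.append((client, chain))
    return chains


def assess(chain):
    """Findings for one chain: scareware-looking hosts and affiliate ids."""
    findings = []
    for r in chain:
        parts = urlsplit(r["url"])
        host = parts.hostname or ""
        if SCAREWARE_HOST.search(host):
            findings.append(f"scareware host: {host}")
        params = parse_qs(parts.query, keep_blank_values=True)
        for p in sorted(AFFILIATE_PARAMS & set(params)):
            findings.append(f"affiliate id on {host}: {p}={params[p][0]}")
    return findings


def suspicious_chains(text=LOG):
    """Return (client, [urls], findings) for chains that raised a finding."""
    out = []
    for client, chain in build_chains(parse_log(text)):
        findings = assess(chain)
        if findings:
            out.append((client, [r["url"] for r in chain], findings))
    return out


if __name__ == "__main__":
    for client, urls, findings in suspicious_chains():
        print(client, " -> ".join(urls), findings, sep="\n  ")
```

Recording the whole chain rather than only the final hop is what makes the earlier redirectors (the .ru and .co.cc hops) visible for blocking; the compromised .ch site at the head of the chain is the entry the site owner needs to be told about.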

- Detection rate:
packupdate9_289.exe - Win32/TrojanDownloader.FakeAlert.AEY - 6/ 42 (14.3%)
MD5   : 3e4920aa3ff24db64372ae96854f3f02
SHA1  : 75bcb6acf5ff65269bfc5f685e5d03688b8b1ade
SHA256: 7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae0336796ff09fd7

Responding to 94.228.220.117, AS47869, NETROUTING-AS are also the following domains:
www1.virus-detection50.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection51.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection52.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection53.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection54.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection55.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection56.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection57.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection58.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection59.co.cc/?p=p52 - Email: abc.emm@gmail.com
www2.mypersonalshield70.in - Email: gkook@checkjemail.nl
www2.mypersonalshield71.in - Email: gkook@checkjemail.nl
www2.mypersonalshield72.in - Email: gkook@checkjemail.nl


It gets even more interesting, and cybercrime ecosystem-friendly, when we see that one of the scareware redirector domains has been registered with the same email as the scareware redirector domain used in the monetization vector of Gumblar's campaigns.

The currently used uramozat.cz.cc /scanner10/?afid=76 - 195.16.88.62, AS50109, HOSTLIFE-AS WIBO PROJECT LLC - Email: ydeconspi@nice-4u.com is registered using the same email as the recently used hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - Email: ydeconspi@nice-4u.com from the "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign".

This centralization of monetization networks ultimately serves the security industry and law enforcement best, and remains a trend rather than a fad.

Responding to 195.16.88.62 are also the following affiliate redirector domains:
sulphomihin.cz.cc - Email: ydeconspi@nice-4u.com
suppcorfoke.cz.cc - Email: ydeconspi@nice-4u.com
swinumlobzua.cz.cc - Email: ydeconspi@nice-4u.com
taitretarjus.cz.cc - Email: ydeconspi@nice-4u.com
talinighge.cz.cc - Email: ydeconspi@nice-4u.com
tangmomawigg.cz.cc - Email: ydeconspi@nice-4u.com
taniverwea.cz.cc - Email: ydeconspi@nice-4u.com
tedroidragin.cz.cc - Email: ydeconspi@nice-4u.com
tifucacel.cz.cc - Email: ydeconspi@nice-4u.com
ungelacoc.cz.cc - Email: ydeconspi@nice-4u.com
unriprazzhalf.cz.cc - Email: ydeconspi@nice-4u.com
uramozat.cz.cc - Email: ydeconspi@nice-4u.com
vochicorneu.cz.cc - Email: ydeconspi@nice-4u.com
voihuavino.cz.cc - Email: ydeconspi@nice-4u.com
voldcafuri.cz.cc - Email: ydeconspi@nice-4u.com
weineitronty.cz.cc - Email: ydeconspi@nice-4u.com
wintotersstal.cz.cc - Email: ydeconspi@nice-4u.com
worddreamelpa.cz.cc - Email: ydeconspi@nice-4u.com
wordrochosom.cz.cc - Email: ydeconspi@nice-4u.com
xboxunechin.cz.cc - Email: ydeconspi@nice-4u.com
ydeconspi.cz.cc - Email: ydeconspi@nice-4u.com
zilrebelma.cz.cc - Email: ydeconspi@nice-4u.com
zukavito.cz.cc - Email: ydeconspi@nice-4u.com

Complete list of the URLs for compromised sites (CURRENTLY ACTIVE) hosted at AS15547, TVS2NET-NETPLUS Servicing cable-network customer in CH:
abitasion.ch /ilIucpUWAeima
abitasion.ch /ilOeUSbRtm/
abmontage.ch /73NJub8iWea/
absteam.ch /UfHZl8Qm7/
accueiletpartagesuisse.ch /WbVc0fiHIabe/
accueiletpartagesuisse.ch /Wbytpauohcjk/
adikt-a.ch /isisAuMOImXW/
adikt-a.ch /isIWcgUV7L/
adsite.ch /lAULixdSoWmA/
adumas.ch /QVxaomZ7er
aemo-valais.ch /uaIagow/
aerobic-chablais.ch /IYMy3IAejmiq/
aerobic-chablais.ch /IYuMW8yHJ/
a-fauchere.ch /rU8alutON/
agpinstallations.ch /WAoxnHauvyUi/
agpinstallations.ch /WAwANoXv9rek/
alayra.ch /ufgMxORjbNz9i/
alex-xxxl.ch /u9VUyo9hw/
alpirama.ch /A0Sc3Iu/
alterfamiliae.ch /RgauIMVZ/
ametys.ch /IZ2eblxoL3tSN/
ametys.ch /IZbAaYy/
amis-orgue-moudon.ch /WuIatdWMbRSg/
amis-orgue-moudon.ch /WuYUoH3/
apf-hev-fr.ch /drkoUqjx/
artdidier.ch /vZkR7ap2gQiAU/
artefax.ch /u8oApWua/
artefax.ch /u8qrYoi8ASh/
artisanatbramoisien.ch /jRVAEWyXqLsM/
artisane.ch /Scg3lEv/
artisan-fondeur.ch /RX0y9OdUu/
artist-e.ch /j8WfiIEa/
asb-coaching.ch /uJWOIdHeuai/
atelier-bois.ch /skJun0elUgM8/
ateliercube.ch /3bqNHnLy/
attoufoula-al-baria.ch /scWZHibIemAqr/
autoecole-sion.ch /kuWcUM3yn9xgo/
aux-doigts-de-fee.ch /eooVapJNWcuHx/
auxpetitsbois.ch /8OxIaoWeydbc7/
avgf.ch /xr3t0uvanegb/
avmep.ch /niyW3RHiaoE/
avmep.ch /nizXOdumW/
avosbagages.ch /ebaAuynxel2L/
avta.ch /Zu0VoixA/
banques-assurances.ch /WEeyt7iUYL/
batibois.ch /hgAbavx/
batibois.ch /hghkyUNO9/
bconseils.ch /tAIUzJVn/
bc-production.ch /9XupRmIbE/
bdelfolie.ch /ushj20miJW9wu/
bdelfolie.ch /usIUomaYfWeN/
becoval.ch /aVUqW9xYbp/
bedat-conseils.ch /AUyYRtuhWrpA/
belfid.ch /ftRbtgl3/
bellodelledonne.ch /oX0kUuN/
bellodelledonne.ch /oXoNgekf7i/
bestwear.ch /j0iyeJ3v/
bienecrire.ch /YAE9ldiakvy/
biocave.ch /AuhuwoAUxOI3W/
birman.ch /Z7MoeVXgAafL/
blanchival.ch /ANabQIgk0zeO/
blanchival.ch /ANJjlQgHb/
bnbmorel.ch /yfE3AyWoQx8/
bonnes-occases.ch /HlYMhcE/
bouquins.ch /IWH0dAa/
cafepsy.ch /ZoiAcIWlRM/
calzolarorocco.ch /9a8aYRjIrW/
camping-sedunum.ch /SvvMQjsem/
canadulce.ch /wuIlMriaN/
canadulce.ch /wuQYryJ/
carrgeiger.ch /ehsVy2uXxoAWE/
carte-menu.ch /JQinNyA/
castalie.ch /cq3xeyWmjaf/
catherineritter.ch /AdUJiRq/
catherineritter.ch /AdUqRAiSnNsyv/
cavedegoubing.ch /ERNzcu9iagdo/
cave-des-chevalieres.ch /WuunyOq/
celinerenaud.ch /Qj7dHcLo/
celinerenaud.ch /QjZoUyaJ/
centre-autos.ch /lNUYRuWnA/
cere-sa.ch /IyEHdVqAIYbXL/
cere-sa.ch /IyknWJr/
cgt.ch /egAaVUfne/
chalets-for-sale.ch /SaNXWcvU/
chavaz-archi.ch /8iAZxEaJ/
chavaz-archi.ch /8iQOjlS/
cretillons.ch /ianeZc2/


Responding to 200.63.44.211 (the original redirector domains dotyuzcifl.ru; errgxhxzerr.co.cc), AS27716, ASEVELOZ Eveloz are the remaining domains part of the scareware/redirection/Fake Adobe Player (tube/Adobe__Flash__Player.exe) campaign.

- Detection rate:
Adobe__Flash__Player.exe - Heuristic.BehavesLike.Win32.Suspicious.H - 11/ 42 (26.2%)
MD5   : 8a10909c487a739e85028a19a1e898dc
SHA1  : d9f7d78fe245f8df04fa398835b52d5a2c2d6af7
SHA256: 63befe78a7895a8efc6d893491d8f77ef8ada1cd52d562587490a79f29b65336

- Upon execution phones back to:
qualattice.com - 64.20.63.58 - Email: trough@mobiletonight.com
jaxcage.net - 91.188.60.233, AS6851, BKCNET "SIA" IZZI - Email: delee@easteroffers.com
mybubblebean.com - 85.234.190.47, AS6851, BKCNET "SIA" IZZI - Email: place@popupquote.com
freejaxbird.net - 77.78.239.42 - Email: delee@easteroffers.com

07tqqwem.ru - Email: pishkov@rbcmail.ru
0qhe7y6o.ru - Email: pishkov@rbcmail.ru
0st44x7z.ru - Email: stroganov@mail.ru
0w6scx6a.ru - Email: goncharov@rapworld.com
20xzpzga.ru - Email: danilov@boatnerd.com
23qjmdic.ru - Email: lebedev@rapworld.com
28iue5ri.ru - Email: kireev@bgay.com
28jnbuak.ru - Email: kirillov@ravermail.com
2poaxz3k.ru - Email: alekseev@land.ru
2tmo2ba2.ru - Email: kustov@remixer.com
30zcz8ot.ru - Email: slabkov@bigmailbox.net
32iafdnp.ru - Email: erohin@intimatefire.com
3a0stbqe.ru - Email: golodnikov@blida.info
3jruf6nc.ru - Email: taranov@inorbit.com
40ktc2tn.ru - Email: antonov@insurer.com
4hp2ag6c.ru - Email: belov@kidrock.com
4mausx2w.ru - Email: lavrov@blackcity.net
4y8pqcby.ru - Email: pokatilov@realtyagent.com
5eqq3sgj.ru - Email: abakumov@smtp.ru
5gsco2w5.ru - Email: davidov@bikermail.com
5q4eyd2w.ru - Email: stepanov@pop3.ru
5znhff2s.ru - Email: kalinin@boarderzone.com
6ojj8sks.ru - Email: patralov@bigheavyworld.com
6pgsqndh.ru - Email: baklanov@mail333.com
83qndvnj.ru - Email: taranov@relapsecult.com
868r5e0b.ru - Email: udalov@rastamall.com
8n7pnyyr.ru - Email: patralov@front.ru
8reclame.ru - Email: kirikov@billssite.com
atyyyopg.ru - Email: viktorov@bikerheaven.net
azaamdwo.ru - Email: samsonov@bikermail.com
bvo62o0i.ru - Email: kirillov@rastamall.com
c28xd2ck.ru - Email: luzgin@front.ru
cf8sagkn.ru - Email: alekseev@ratedx.net
ckmdbrio.ru - Email: ulyanov@rapworld.com
crosslinks-services.ru - Email: ekomasov@kidrock.com
csokolom.ru - Email: kirikov@irow.com
cw5k47ye.ru - Email: viktorov@bicycling.com
duz5n2ca.ru - Email: belov@billssite.com
dwunvuum.ru - Email: stepanov@pop3.ru
ea7xh4vw.ru - Email: goncharov@repairman.com
err39hxzerr.co.cc - Email: andrew_bush52@hotmail.com
err3ghxzerr.co.cc - Email: andrew_bush52@hotmail.com
err5phxzerr.co.cc - Email: andrew_bush52@hotmail.com
err61hxzerr.co.cc - Email: andrew_bush52@hotmail.com
err6ehxzerr.co.cc - Email: andrew_bush52@hotmail.com
err6jhxzerr.co.cc - Email: andrew_bush52@hotmail.com
err8jhxzerr.co.cc - Email: andrew_bush52@hotmail.com
err8whxzerr.co.cc - Email: andrew_bush52@hotmail.com
errb9hxzerr.co.cc - Email: andrew_bush52@hotmail.com
errbehxzerr.co.cc - Email: andrew_bush52@hotmail.com
errbqhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errcihxzerr.co.cc - Email: andrew_bush52@hotmail.com
errdhhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errekhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errfdhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgqhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgthxzerr.co.cc - Email: andrew_bush52@hotmail.com
errguhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgvhxzerr.co.cc - Email: andrew_bush52@hotmail.com


f50rbdb8.ru - Email: samsonov@kidrock.com
fbbktj2z.ru - Email: zhukov@kidrock.com
fimpvs8t.ru - Email: zhuravlev@blackvault.com
fppf2h28.ru - Email: danilov@pochta.ru
gayq8rgx.ru - Email: kovalev@blackcity.net
geavdwal.info
gerotal.info

gztyue8w.ru - Email: kirillov@boatnerd.com
h6poe6or.ru - Email: beglov@inorbit.com
hc6zxms4.ru - Email: lebedev@intimatefire.com
hem3oxjh.ru - Email: ulyanov@boarderzone.com
hszwwvjq.ru - Email: kustov@fromru.com
i2wv8rdm.ru - Email: shedrin@billssite.com
i4nhjopf.ru - Email: antonov@fromru.com
i7in0b64.ru - Email: ulyanov@kinkyemail.com
ihbkbzcm.ru - Email: abdulov@iname.com
io0yfyc8.ru - Email: molchanov@repairman.com
j6yeky7p.ru - Email: bazhenov@krovatka.su
j7k6xze2.ru - Email: vasilev@pop3.ru
jimm2rusru.ru - Email: kustov@rapworld.com
jimm4fan09.ru - Email: antonov@blida.info
jimmjimm895.ru - Email: kuznecov@insurer.com
jimmkolesoru.ru - Email: naumov@boarderzone.com
jimmonline0.ru - Email: miheev@gmail.com
jimmplum2.ru - Email: vishnevskiy@pop3.ru
jimmthebest1.ru - Email: aleksandrov@blackcity.net
jnano5gh.ru - Email: zhukov@realtyagent.com
jokerjokk.ru - Email: beglov@blida.info
kefpvbsi.ru - Email: kalinin@boarderzone.com
kfgemaae.ru - Email: ulyanov@bigmailbox.net
koliander.ru - Email: zaicev@insurer.com
liononlinensd.ru - Email: nikitin@rastamall.com
lokipol.ru - Email: kirikov@bikerheaven.net
mjbims7m.ru - Email: pishkov@ravermail.com
mrt0zqcb.ru - Email: shedrin@pochtamt.ru
mxek5t5g.ru - Email: beglov@repairman.com
nesselandeportal.info
ni2m4kua.ru - Email: zhukov@bikermail.com
nv8os6yt.ru - Email: kuznecov@mail.ru
o3wg4sya.ru - Email: abakumov@bolbox.com
ocggnaif.ru - Email: zaicev@iname.com
ofz5qzgu.ru - Email: zaicev@ravermail.com
oh7iumr7.ru - Email: belov@inorbit.com

onlinefeeds.ru - Email: beglov@insurer.com
onlinegearsd.ru - Email: luzgin@smtp.ru
onlinejimmmovse.ru - Email: abakumov@realtyagent.com
onlineonlkiok.ru - Email: kirillov@billssite.com
pgvvua6j.ru - Email: goncharov@bicycling.com
pororkol.ru - Email: erohin@bikerider.com
prc6t7z3.ru - Email: kirikov@pochtamt.ru
psxdv0nr.ru - Email: zhukov@inbox.ru
pvbsiy5y.ru - Email: komarov@kinkyemail.com
q3ysg05s.ru - Email: golodnikov@insurer.com
qbecqe0s.ru - Email: ulyanov@bicycling.com
qec5beqn.ru - Email: morozov@pochta.ru
qfnye2t7.ru - Email: bednyakov@irow.com
qpsxdv0n.ru - Email: viktorov@blackcity.net
rikosdhu.ru - Email: pokatilov@pisem.net
ronaldknol.ru - Email: taranov@smtp.ru
rs3gpd0m.ru - Email: alekseev@bicycledata.com
rudjimmdjimm.ru - Email: alekseev@boarderzone.com
s4gvhd35.ru - Email: lebedev@blackvault.com
s748eop4.ru - Email: aleksandrov@repairman.com
sgivnn0t.ru - Email: volkov@repairman.com
stpf6qpv.ru - Email: bednyakov@relapsecult.com
sv4wmtxj.ru - Email: ivanov@bikerider.com
t0a2afyq.ru - Email: ivanov@boatnerd.com
t3tzynvj.ru - Email: bazhenov@rapstar.com
trustincompanies.ru - Email: abdulov@insurer.com
u5fyfzjt.ru - Email: polovov@rbcmail.ru
ucf47vnu.ru - Email: abdulov@bikerider.com
uplcash.com - Email: director@climbing-games.com
v5w3xgzn.ru - Email: morozov@rbcmail.ru
vgksry7k.ru - Email: vishnevskiy@land.ru
w8iroomb.ru - Email: golodnikov@pop3.ru
x7p03g0j.ru - Email: kirikov@front.ru
xni27ftd.ru - Email: timofeev@mail.ru
xsd3id8t.ru - Email: kovalev@pochta.ru
xthjrgxz.ru - Email: pokatilov@insurer.com
xu44i03y.ru - Email: arhipov@insurer.com
yi0ewtmd.ru - Email: antonov@blackvault.com
yp7o07nq.ru - Email: golodnikov@rbcmail.ru
z26hggcb.ru - Email: pokatilov@fromru.com
z656cvje.ru - Email: slabkov@boatnerd.com
zsrd4xj5.ru - Email: kuznecov@iname.com
zznks8fh.ru - Email: bulaev@registerednurses.com


Could we have a blackhat SEO campaign without a Koobface gang connection? Appreciate my rhetoric. Parked at 200.63.44.48, again within AS27716, ASEVELOZ Eveloz, are the following domains:
35l3cv2oywwycrfz1yo3.com - Email: michaeltycoon@gmail.com
4idmcxlczdy52yh7rklb.com - Email: michaeltycoon@gmail.com
56ml7zj047l0x6wm9v6y.com - Email: michaeltycoon@gmail.com
8vsgzuu084e9i8ohl5nn.com - Email: michaeltycoon@gmail.com
aatyamlkpgxp8h3m17ky.com - Email: michaeltycoon@gmail.com
bvzpvunifooe8t946d2p.com - Email: michaeltycoon@gmail.com
i905jzsht33cd4kfcqvh.com - Email: michaeltycoon@gmail.com
jhn72w76khysuxdgj0bo.com - Email: michaeltycoon@gmail.com
k78ju8lyzratna0c5r7m.com - Email: michaeltycoon@gmail.com
lrbx4hzznbdmedfk4xrd.com - Email: michaeltycoon@gmail.com
ls1eepnzj784nid96prn.com - Email: michaeltycoon@gmail.com
n0itv7fh7qscrfse3i1i.com - Email: michaeltycoon@gmail.com
pdusxsiuedamjc83qlpi.com - Email: michaeltycoon@gmail.com
rabotaetpolubomu.net - Email: michaeltycoon@gmail.com
t0vqred4itv4pmo488k9.com - Email: michaeltycoon@gmail.com
thmyb0s6se5febs0ghb8.com - Email: michaeltycoon@gmail.com
u5a05q1dnmr4jwqrnav3.com - Email: michaeltycoon@gmail.com
uq1wedg9tr523wbafdzp.com - Email: michaeltycoon@gmail.com
vk4j2x7n49nq1il9vm5h.com - Email: michaeltycoon@gmail.com
ysut5gx094w2dddjtswh.com - Email: michaeltycoon@gmail.com

Deja vu! Where do we know the michaeltycoon@gmail.com email from? From the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" campaign, and in particular from the fact that it was once directly connected to the Koobface gang -- this is not an email that was used to register a domain belonging to the scareware affiliate network; instead, it's an email used to register a client-side exploits serving domain parked on the same IP where a hardcore Koobface C&C from Koobface 1.0's infrastructure, urodinam.net, was responding.
  • Dissecting the Mass DreamHost Sites Compromise - "Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php"
Blackhat SEO campaigns, the migration away from the Koobface-friendly AS31252, STARNET-AS StarNet Moldova, plus a direct connection established once a customer migrates (he usually takes all of his dirty luggage with him) prove that there's no such thing as coincidence within the cybercrime ecosystem. There's just a diverse infrastructure where everyone appears to be self-serving their needs as a service, consequently forwarding responsibility for someone else's actions to the infrastructure they are abusing.

Related blackhat SEO/scareware monetization assessments:
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot


Monday, August 09, 2010

Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign


They are back again (Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign serving scareware and client-side exploits, using "Thank you for your payment"/"Thank you for your EXPRESS payment" themed subjects impersonating popular brands such as Best Buy, Macy's, Target and Evite.

Let's dissect the campaign and its structure, emphasize the monetization strategy, and expose the complete portfolio of the domains involved in the campaign.

Sample email:
"Subject :Thank you for your payment Don’t miss a thing – Add support@e.macys.com to your email address book! Click here if you are unable to see images in this email.

1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc
2. Click on “My Account” – “My Profile” at https://www.macys.com/myinfo/profile/index.ognc
3. Uncheck the box Receive email notification when statements are available to view online and when payments are due.
4. Click on “Update Profile”
5. Expect the change to take place in 3 days
©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights reserved.
"

Compared to previous campaigns, the directory structure of this one (fast-fluxed :8080/index.php?pid=10; maliciousurl.ru /QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; Access.js; End_User.js etc.) remains virtually the same, depending, of course, on the angle you choose for dissecting it.


Sample campaign structure:
- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..."
- opus22.org /x.html - "PLEASE WAITING 4 SECOND..."
- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..."
- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..."
    - baymediagroup .com:8080/index.php?pid=10 - client-side exploits - 188.165.95.133; 188.165.192.106; 91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: fb@bigmailbox.ru
        - hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - scareware monetization

- Detection rate:
antivirus_24.exe - Trojan.Win32.FraudPack.berq - Result: 16/42 (38.1%)
File size: 166912 bytes
MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4
SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5

Upon execution, the sample phones back to:
httpsstarss.in /httpss/v=40&step=2&hostid= - 188.72.226.154 - Email: stevieksbaiz@hotmail.com
httpstatsconfig.com /getfile.php?r= - 204.12.226.173 - Email: httpstatsconfig.com@evoprivacy.com


Responding to 204.12.226.173 are also:
ns1.desktopsecurity2010ltd.com - Email: sixtakidlt2@hotmail.com
ns2.desktopsecurity2010ltd.com
www.desktopsecurity2010ltd.com
httpstatsconfig.com
ns1.httpstatsconfig.com
ns2.httpstatsconfig.com
desktopsecuritycorp.com
ns1.desktopsecuritycorp.com
ns2.desktopsecuritycorp.com


Domains using the same name server, ns1.freedomen.info - 209.85.99.32 - Email: mail@vetaxa.com
adsonlineinc.com - 66.96.239.86
picmonde.com - 94.228.220.93
bonblogger.com - 94.228.220.93
h2fastpornpics.com - 94.228.220.93
celebsfinectpics.com - 94.228.209.133 - Email: temp.for.loan@gmail.com
celebsfreeimages.com - 94.228.209.134 - Email: hannigey233@hotmail.com
picindividuals.com - 94.228.220.93
picbloggerprojet.com - 94.228.220.93
httpsstarss.in
hippocounter.info - 96.9.177.21
genesisbeta.net - 94.228.220.94


Name servers of notice:
ns1.getyourdns.com - 194.79.88.121
ns2.getyourdns.com - 77.68.52.52
ns3.getyourdns.com - 87.98.149.171
ns4.getyourdns.com - 66.185.162.248
ns1.instantdnsserver.com - 194.79.88.121 - Email: depot@infotorrent.ru
ns2.instantdnsserver.com - 77.68.52.52
ns3.instantdnsserver.com - 87.98.149.171
ns4.instantdnsserver.com - 66.185.162.248

Client-side exploits serving domains part of the campaign:
aquaticwrap.ru - Email: vibes@freenetbox.ru
aroundpiano.ru - Email: vibes@freenetbox.ru
baybear.ru - Email: vibes@freenetbox.ru
baymediagroup.com - Email: fb@bigmailbox.ru
bayjail.ru - Email: bushy@bigmailbox.ru
betaguy.ru - Email: vibes@freenetbox.ru
blockoctopus.ru - Email: semi@freenetbox.ru
budgetdude.ru - Email: totem@freenetbox.ru
chaoticice.ru - Email: vibes@freenetbox.ru
clannut.ru - Email: totem@freenetbox.ru
clockledge.ru - Email: totem@freenetbox.ru
coldboy.ru - Email: totem@freenetbox.ru
countryme.ru - Email: totem@freenetbox.ru
dayemail.ru - Email: totem@freenetbox.ru
diseasednoodle.ru - Email: vibes@freenetbox.ru
discountprowatch.com - Email: bike@fastermail.ru
dyehill.ru - Email: angles@fastermail.ru
easychurch.ru - Email: vibes@freenetbox.ru
economypoet.ru - Email: semi@freenetbox.ru
envirodollars.ru - Email: vibes@freenetbox.ru
forhomessale.ru - Email: dull@freemailbox.ru
galacticstall.ru - Email: vibes@freenetbox.ru
getyourdns.com - Email: fb@bigmailbox.ru
hairyartist.ru - Email: vibes@freenetbox.ru
lonelyzero.ru - Email: vibes@freenetbox.ru
lovingmug.ru - Email: vibes@freenetbox.ru
lowermatch.ru - Email: vibes@freenetbox.ru
luckyfan.ru - Email: vibes@freenetbox.ru
malepad.ru - Email: semi@freenetbox.ru
matchsearch.ru - Email: semi@freenetbox.ru
microlightning.ru - Email: vibes@freenetbox.ru
mindbat.ru - Email: semi@freenetbox.ru
mealpoets.ru - Email: totem@freenetbox.ru
nutcountry.ru - Email: dying@qx8.ru
obscurewax.ru - Email: vibes@freenetbox.ru
oceanobject.ru - Email: semi@freenetbox.ru
parkperson.ru - Email: semi@freenetbox.ru
penarea.ru - Email: dying@qx8.ru
ponybug.ru - Email: dying@qx8.ru
pocketbloke.ru - Email: angles@fastermail.ru
programability.ru - Email: dying@qx8.ru
rancideye.ru - Email: vibes@freenetbox.ru
rawscent.ru - Email: vibes@freenetbox.ru
recordsquare.ru - Email: totem@freenetbox.ru
rescuedtoilet.ru - Email: vibes@freenetbox.ru
riotassistance.ru - Email: angles@fastermail.ru
scarletpole.ru - Email: vibes@freenetbox.ru
secondgain.ru - Email: vibes@freenetbox.ru
shortrib.ru - Email: vibes@freenetbox.ru
slaveperfume.ru - Email: totem@freenetbox.ru
sodacells.ru - Email: dying@qx8.ru
smelldrip.ru - Email: totem@freenetbox.ru
starvingarctic.ru - Email: vibes@freenetbox.ru
stagepause.ru - Email: totem@freenetbox.ru
sweatymilk.ru - Email: vibes@freenetbox.ru
tartonion.ru - Email: vibes@freenetbox.ru
tunemug.ru - Email: tips@freenetbox.ru
wearyratio.ru - Email: vibes@freenetbox.ru
yummyeyes.ru - Email: vibes@freenetbox.ru

UPDATED: Thursday, August 12, 2010: Historical OSINT for client-side exploit serving domains part of Gumblar's campaigns for April/May 2010 using hostdnssite.com (Email: cop@qx8.ru) name server:
bestdarkman.info - Email: wwww@qx8.ru
bestwebclub.info - Email: asleep@5mx.ru
buyfootjoy.info - Email: mellow@5mx.ru
carswebnet.info - Email: mynah@freenetbox.ru
cityrealtimes.info - Email: asleep@5mx.ru
clandarkguide.info - Email: mellow@5mx.ru
clandarksky.info - Email: wwww@qx8.ru
darkangelcam.info - Email: mellow@5mx.ru
darkbluecoast.info - Email: wwww@qx8.ru
darksidenetwork.info - Email: mellow@5mx.ru
digitaljoyworld.info - Email: mellow@5mx.ru
eroomsite.info - Email: feint@qx8.ru
esunsite.info - Email: wwww@qx8.ru
extrafreeweb.info - Email: mynah@freenetbox.ru
feedandstream.info - Email: mynah@freenetbox.ru
gloomyblack.info - Email: wwww@qx8.ru
homesweetrv.info - Email: mynah@freenetbox.ru
indiawebnet.info - Email: mynah@freenetbox.ru
joylifein.info - Email: mellow@5mx.ru
joysportsworld.info - Email: mellow@5mx.ru
justroomate.info - Email: feint@qx8.ru
kenjoyworld.info - Email: mellow@5mx.ru
learnwebguide.info - Email: mynah@freenetbox.ru
luxurygenuine.info - Email: asleep@5mx.ru
myfeedsite.info - Email: feint@qx8.ru
newsuntour.info - Email: wwww@qx8.ru
oneroomhome.info - Email: feint@qx8.ru
realshoponline.info - Email: asleep@5mx.ru
redsunpark.info - Email: feint@qx8.ru
roomstoretexas.info - Email: feint@qx8.ru
suncoastatlas.info - Email: feint@qx8.ru
sunstarvideo.info - Email: feint@qx8.ru
supersunbeds.info - Email: feint@qx8.ru
superwebworld.info - Email: asleep@5mx.ru
sweetpeapots.info - Email: mynah@freenetbox.ru
sweetteenzone.info - Email: mynah@freenetbox.ru
thedarkwaters.info - Email: wwww@qx8.ru
thejoydiet.info - Email: mellow@5mx.ru
therealclamp.info - Email: drum@maillife.ru
thesunchaser.info - Email: wwww@qx8.ru
thesweetchild.info - Email: mynah@freenetbox.ru
theultimateweb.info - Email: asleep@5mx.ru
theyellowsun.info - Email: feint@qx8.ru
webguidetv.info - Email: asleep@5mx.ru
webnetenglish.info - Email: mynah@freenetbox.ru
yourprintroom.info - Email: feint@qx8.ru
yoursweetteen.info - Email: mynah@freenetbox.ru

UPDATED: Friday, August 13, 2010:
The use of Yahoo Groups is still ongoing. Sample URL: groups.yahoo .com/group/nfldcsyi/message which includes a link to perfectpillcool .com:8080.

The campaign is ongoing, updates will be posted as soon as new developments emerge.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, August 02, 2010

Summarizing Zero Day's Posts for July


The following is a brief summary of all of my posts at ZDNet's Zero Day for July, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Image Gallery: June's cyber threat landscape
02. The Pirate Bay hacked through multiple SQL injections
03. Does Microsoft's sharing of source code with China and Russia pose a security risk?
04. Report: Apple had the most vulnerabilities throughout 2005-2010
05. Malware Watch: Malicious Amazon themed emails in the wild
06. RSA: Banking trojan uses social network as command and control server
07. Middle East countries: the BlackBerry is a national security threat
08. Image Gallery: Avast! Antivirus office in Prague, Czech Republic
09. Image Gallery: Introduction to Avast! Antivirus version 5.1
10. Image Gallery: The (European) Antivirus market - current trends
11. Google tops comparative review of malicious search results


Tuesday, July 20, 2010

ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Wild

Ubiquitous social engineering schemes never fade away. ZeuS crimeware campaigners are currently using a 123greetings.com ecard-themed campaign in an attempt to entice users to "enjoy their ecard".

Subject: "You have received an Greeting eCard"
Message: "Good day. You have received an eCard

To pick up your eCard, choose from any of the following options: Click on the following link (or copy & paste it into your web browser): matt-levine.com /ecard.exe; secondary URL offered: forestarabians.nl /ecard.exe Your card will be aviailable for pick-up beginning for the next 30 days. Please be sure to view your eCard before the days are up! We hope you enjoy you eCard. Thank You!
"

Detection rate:
- ecard.exe - Cryp_Zbot-12; Trojan/Win32.Vundo - Result: 9/42 (21.43%)
File size: 147968 bytes
MD5...: e6f3aa226bf9733b7e8c07cab339f4dc
SHA1..: e983767931900a13b88a615d6c1d3f6ff8fb6b60

Upon execution, the sample phones back to:
zephehooqu.ru /bin/koethood.bin - 77.78.240.115, AS42560 - Email: skit@5mx.ru
jocudaidie.ru /9xq/_gate.php - 118.169.173.218, AS3462 - Email: skit@5mx.ru - FAST-FLUXED

Multiple MD5s are also currently active at zephehooqu.ru.
Detection rates:
aimeenei.exe - Win32/Zbot.CJI - Result: 30/42 (71.43%)
File size: 149504 bytes
MD5...: 096b7e8c4f611f0eb69cfb776f3a0e7e
SHA1..: 909d7c2740f84599d5e30ffed7261e19ad4a962a

cahdoigu.exe - Mal/Zbot-U - Result: 27/42 (64.29%)
File size: 147968 bytes
MD5...: 11f9f96c17584a672c2a563744130a46
SHA1..: f31c40c5c766c7628023105be6f004e5322b17b6

koethood.exe - Troj/Zbot-SW - Result: 30/42 (71.43%)
File size: 147968 bytes
MD5...: da1979227141844be69577f7f31a7309
SHA1..: 5ada2c390e63ca051c9582fe723384ce52a45912

loobuhai.exe - BKDR_QAKBOT.SMB - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: df4e19af8c356b3ff810bc52f6081ccc
SHA1..: d4a1d2f147ae0d24a3eaac66e8d2f9de50cf7a0c

oovaenai.exe - Packed.Win32.Katusha.j - Result: 32/42 (76.2%)
File size: 147456 bytes
MD5...: f0fd5579f06d5b581b5641546ae91d52
SHA1..: c81fa66c546020f3c1c34a0d1aa191b2d9578f07

quohthei.exe - Win32/Spy.Zbot.YW - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: ffc0d66024f690e875638f4c33ba86f1
SHA1..: c958f3426a3e6fedd76b86a5aef16c90915ac539

sofeigoo.exe - Win32/Spy.Zbot.YW - Result: 31/42 (73.81%)
File size: 148992 bytes
MD5...: 45e98426fafd221ffb7d55ce8a1ae531
SHA1..: 8235b3a80ba6611779dfd4db40a48627af7374eb

teemaeko.exe - PWS:Win32/Zbot.gen!Y - Result: 32/42 (76.2%)
File size: 148992 bytes
MD5...: 9758f04d2f1bd664f37c4285a013372a
SHA1..: 4273dc48f9aeaf69cb7047c4a882af74479fb635

thaigogo.exe - Win32/Spy.Zbot.YW - Result: 34/42 (80.96%)
File size: 147968 bytes
MD5...: b667d75f5bb9f23a8ae249f7de4000a5
SHA1..: 7b57783dcf2aeaafbab3407bb608469851d342bb

ziejaing.exe - Trojan.Zbot.610 - Result: 30/42 (71.43%)
File size: 147456 bytes
MD5...: 7592e957de01e53956517097c0e9ccd8
SHA1..: e7c04d2c8c5d4a51e2615a2ee015d87d28655320
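The detection-rate entries throughout this post follow one fixed layout (file name, vendor label, Result: hits/total, File size, MD5, SHA1), which makes them easy to turn into a hash blocklist. The following parser is an added example, not code from the original post; its sample input is a constructed block in that layout, copied from entries above, and it also handles the case, seen once on this page, where the header and the "File size:" field are glued onto one line.

```python
import re

# Constructed sample in the exact layout this post uses for detection-rate
# entries (values copied from entries above), including a glued
# "Result: ... File size:" line.
SAMPLE_BLOCK = """\
Detection rates:
aimeenei.exe - Win32/Zbot.CJI - Result: 30/42 (71.43%)
File size: 149504 bytes
MD5...: 096b7e8c4f611f0eb69cfb776f3a0e7e
SHA1..: 909d7c2740f84599d5e30ffed7261e19ad4a962a

- cgi.exe - Trojan.Inject.8960 - Result: 6/42 (14.29%)File size: 62976 bytes
MD5...: 45c062490e0fc262c181efc323cb83ba
SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870
"""

# "name - vendor label - Result: hits/total", with an optional leading "- ".
HEADER = re.compile(
    r"^-?\s*(?P<name>\S+\.exe)\s+-\s+(?P<label>.+?)\s+-\s+Result:\s*"
    r"(?P<hits>\d+)/(?P<total>\d+)")
# The three per-sample fields; the number of dots after MD5/SHA1 varies.
FIELD = re.compile(
    r"File size:\s*(?P<size>\d+)\s*bytes"
    r"|MD5\.*:\s*(?P<md5>[0-9a-fA-F]{32})"
    r"|SHA1\.*:\s*(?P<sha1>[0-9a-fA-F]{40})")

def parse_iocs(text):
    """Parse detection-rate blocks into dicts; each header starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"file": m["name"], "label": m["label"],
                       "hits": int(m["hits"]), "total": int(m["total"]),
                       "size": None, "md5": None, "sha1": None}
            records.append(current)
            line = line[m.end():]   # fields may be glued onto the header line
        if current is None:
            continue
        for f in FIELD.finditer(line):
            if f["size"]:
                current["size"] = int(f["size"])
            elif f["md5"]:
                current["md5"] = f["md5"].lower()
            elif f["sha1"]:
                current["sha1"] = f["sha1"].lower()
    return records

def detection_ratio(rec):
    """Fraction of engines that flagged the sample."""
    return rec["hits"] / rec["total"]

def incomplete(records):
    """Names of records missing a hash; these should not enter a blocklist."""
    return [r["file"] for r in records if not (r["md5"] and r["sha1"])]

def to_hashlist(records):
    """Sorted, de-duplicated SHA1 list suitable for a blocklist feed."""
    return sorted({r["sha1"] for r in records if r["sha1"]})
```

Hashes are normalised to lower case and validated by length before they are accepted, so a truncated or mistyped digest is dropped rather than silently shipped to a blocklist.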


Related .ru cybercrime-friendly domains, sharing fast-flux infrastructure with this campaign's C&C:
adaichaepo.ru - Email: subtle@maillife.ru
aroolohnet.ru - Email: brawn@bigmailbox.ru
dahzunaeye.ru - Email: celia@freenetbox.ru
esvr3.ru - Email: bender@freenetbox.ru
hazelpay.ru - Email: owed@bigmailbox.ru
iesahnaepi.ru - Email: heel@bigmailbox.ru
iveeteepew.ru - Email: atomic@freenetbox.ru
jocudaidie.ru - Email: skit@5mx.ru
ohphahfech.ru - Email: warts@maillife.ru
railuhocal.ru - Email: celia@freenetbox.ru
sdlls.ru - Email: vc@bigmailbox.ru
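Where this post labels a C&C as FAST-FLUXED, the underlying observation is that repeated lookups of the same name return different A records from different networks with short TTLs. The following is an added example, not code from the original post, of that check run over constructed resolver snapshots: 118.169.173.218 and 77.78.240.115 are the addresses named above, the remaining addresses are RFC 5737 documentation ranges standing in for the rest of a flux pool, and the prefix-to-ASN map is an assumption for the sample, not a real routing table.

```python
from ipaddress import ip_address, ip_network

# Constructed resolver snapshots: (domain, TTL in seconds, A records returned),
# as if the same name had been queried a few minutes apart. 118.169.173.218 and
# 77.78.240.115 are the addresses named in this post; 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges used
# here as stand-ins for the rest of a flux pool.
SNAPSHOTS = [
    ("jocudaidie.ru", 120, ["118.169.173.218", "192.0.2.17"]),
    ("jocudaidie.ru", 120, ["198.51.100.9", "203.0.113.44"]),
    ("jocudaidie.ru", 120, ["192.0.2.200", "118.169.173.218"]),
    ("zephehooqu.ru", 3600, ["77.78.240.115"]),
    ("zephehooqu.ru", 3600, ["77.78.240.115"]),
    ("zephehooqu.ru", 3600, ["77.78.240.115"]),
]

# Assumed prefix -> origin AS table for the sample above. The AS numbers for
# the two page addresses are the ones quoted in the post; the prefixes and the
# private ASNs for the documentation ranges are assumptions. Replace this with
# a BGP or whois lookup when running against live data.
ASN_MAP = {
    "118.169.0.0/16": 3462,
    "77.78.240.0/22": 42560,
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}
_NETS = [(ip_network(p), asn) for p, asn in ASN_MAP.items()]

def asn_for(ip):
    """Origin AS for an address according to ASN_MAP, or None if unknown."""
    addr = ip_address(ip)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return None

def flux_features(domain, snapshots):
    """Distinct IPs, distinct origin ASes and the lowest TTL seen for a name."""
    ips, asns, ttls = set(), set(), []
    for name, ttl, answers in snapshots:
        if name != domain:
            continue
        ttls.append(ttl)
        for ip in answers:
            ips.add(ip)
            asn = asn_for(ip)
            if asn is not None:
                asns.add(asn)
    return {"lookups": len(ttls), "distinct_ips": len(ips),
            "distinct_asns": len(asns), "min_ttl": min(ttls) if ttls else None}

def is_fast_flux(domain, snapshots, max_ttl=300, min_ips=3, min_asns=2):
    """Flag names whose answers rotate across several networks with short TTLs."""
    f = flux_features(domain, snapshots)
    return (f["min_ttl"] is not None and f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips and f["distinct_asns"] >= min_asns)
```

A single-AS, many-IP, low-TTL answer is also what a CDN looks like, so the AS diversity threshold carries more weight than the raw IP count; the thresholds above are starting points to tune against a baseline of known-good names.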

Name servers of notice within the fast-flux infrastructure:
ns1.tophitnews.net - 74.122.197.22 - Email: worldchenell@ymail.com
ns2.tophitnews.net - 173.19.142.57
ns1.usercool.net - 74.122.197.22
ns2.usercool.net - 76.22.74.15
ns1.welcominternet.net - 74.54.82.223 - Email: admin@rangermadeira.com
ns2.welcominternet.net - 74.54.82.223
ns1.gamezoneland.com - 188.40.204.158 - Email: xtrail.corp@gmail.com
ns2.gamezoneland.com - 174.224.63.18
ns1.tropic-nolk.com - 188.40.204.158 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158
ns1.interaktivitysearch.net - 202.60.74.39 - Email: ssupercats@yahoo.com
ns2.interaktivitysearch.net - 202.60.74.39
ns1.openworldwhite.net - 202.60.74.39 - Email: xtrail.corp@gmail.com
ns2.openworldwhite.net - 43.125.79.23
ns1.helphotbest.net - Email: worldchenell@ymail.com

It gets even more interesting.

greysy@gmx.com has already been profiled in an Avalanche botnet campaign using TROYAK-AS's services back then (The Avalanche Botnet and the TROYAK-AS Connection), followed by another assessment, "TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad", where the same email was also used to register a name server part of the fast-flux infrastructure of the ZeuS crimeware's C&Cs.
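The pivot used above, from a registrant email to a name server, to the IP it shares with other name servers, and on to their registrants, can be automated as a walk over a small graph. The following is an added example, not code from the original post: it loads the name-server tuples listed above (entries with no email on the page carry None) and walks the graph from a seed email, counting one hop per edge so that the reach can be capped.

```python
from collections import defaultdict, deque

# Constructed from the "Name servers of notice" list in this post:
# (name server, IP, registrant email). None means the page lists no value.
RECORDS = [
    ("ns1.tophitnews.net", "74.122.197.22", "worldchenell@ymail.com"),
    ("ns1.usercool.net", "74.122.197.22", None),
    ("ns1.gamezoneland.com", "188.40.204.158", "xtrail.corp@gmail.com"),
    ("ns1.tropic-nolk.com", "188.40.204.158", "greysy@gmx.com"),
    ("ns1.interaktivitysearch.net", "202.60.74.39", "ssupercats@yahoo.com"),
    ("ns1.openworldwhite.net", "202.60.74.39", "xtrail.corp@gmail.com"),
    ("ns1.helphotbest.net", None, "worldchenell@ymail.com"),
]

def build_graph(records):
    """Undirected graph with typed nodes: host:, ip: and email:."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for host, ip, email in records:
        h = "host:" + host
        g[h]  # make sure an isolated host still appears as a node
        if ip:
            link(h, "ip:" + ip)
        if email:
            link(h, "email:" + email)
    return g

def pivot(graph, seed, max_hops=4):
    """Breadth-first walk from seed; returns {node: hops} within max_hops."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def related(graph, email, kind, max_hops=4):
    """Values of the given kind (host, ip or email) reachable from an email."""
    reach = pivot(graph, "email:" + email, max_hops)
    return sorted(n.split(":", 1)[1] for n, hops in reach.items()
                  if hops > 0 and n.startswith(kind + ":"))
```

Four hops is the natural unit here (email to host, host to IP, IP to host, host to email); raising the cap extends the pivot by one more shared-IP step each time. A shared IP at a hosting provider is weaker evidence than a shared registrant email on a name server, so in practice the IP edges deserve a lower weight, or a check that the address is not a large shared-hosting box, before anything found this way is acted on.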


Monday, July 19, 2010

Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign


Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign relying on zip archives was actively spamvertised by cybercriminals seeking to infect gullible end and corporate users.

What's particularly interesting about this campaign is the cocktail of malware dropped on infected hosts, including an Asprox sample (Money Mule Recruiters use ASProx's Fast Fluxing Services) and two separate samples of Antimalware Doctor.

- Sample subject: Scan from a Xerox WorkCentre Pro $9721130
- Sample message: "Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACDB45466972. For more information on Xerox products and solutions, please visit http://www.xerox.com
"

- Detection rates:
- Xerox_doc1.exe - Trojan.Win32.Jorik.Oficla.bb - Result: 34/42 (80.96%)
File size: 30926 bytes
MD5...: 1d378a6bc94d5b5a702026d31c21e242
SHA1..: 545e83f547d05664cd6792e254b87539fba24eb9

- Xerox_doc2.exe - Trojan.Win32.Jorik.Oficla.ba - Result: 34/42 (80.96%)
File size: 43520 bytes
MD5...: 829c86d4962f186109534b669ade47d7
SHA1..: 5d3d02d0f6ce87cd96a34b73dc395460d623616e

The samples then phone back to the Oficla/Sasfis C&C at hulejsoops.ru/images/bb.php?v=200&id=554905388&b=avpsales&tm=3 - 91.216.215.66, AS51274 - Email: mxx3@yandex.ru, which periodically rotates three different executables using the following URLs:

0815.ch /pic/view.exe
curseri.ch /pictures/securedupdaterfix717.exe
regionalprodukte-beo.ch /about/cgi.exe



Backup URLS:
leeitpobbod.ru/image/bb.php - 59.53.91.195, AS4134 - Email: mxx3@yandex.ru - dead response
loloohuildifsd.ru/image/bb.php - 68.168.222.158 - Email: mxx3@yandex.ru - dead response
nemohuildifsd.ru/image/bb.php - 59.53.91.195 (nemohuildiin.ru, russianmomds.ru), AS4134 - Email: mxx3@yandex.ru - dead response

Let's take a peek at the samples found within the C&C.

view.exe - Trojan.Win32.Jorik.Aspxor.e - Result: 11/42 (26.2%)
File size: 79360 bytes
MD5...: 5d296fe1ef7bf67f36fe9adb209398ee
SHA1..: 41b45bcd241cd97b72d7866d13c4a0eb6bf6a0ee


Upon execution, the sample phones back to well known Asprox C&Cs:
cl63amgstart.ru: 80/board.php - 91.213.217.4, AS42473 - Email: ssa1@yandex.ru
hypervmsys.ru: 80/board.php - 89.149.223.232 (hostagents.ru), AS28753 - Email: vadim.rinatovich@yandex.ru


Previously, all of the following ASProx domains, used exclusively for massive SQL injections, responded to 91.213.217.4:

webservicesbba.ru - Email: anrnews@mail.ru
webservicelupa.ru - Email: anrnews@mail.ru
webserivcekota.ru - Email: anrnews@mail.ru
webservicesrob.ru - Email: anrnews@mail.ru
webserivcezub.ru - Email: anrnews@mail.ru
webserviceforward.ru - Email: anrnews@mail.ru
webserivcessh.ru - Email: anrnews@mail.ru
webservicesmulti.ru - Email: anrnews@mail.ru
webservicezok.ru - Email: anrnews@mail.ru
webservicebal.ru - Email: anrnews@mail.ru
webservicefull.ru - Email: anrnews@mail.ru
webservicessl.ru - Email: anrnews@mail.ru
webserviceaan.ru - Email: anrnews@mail.ru
webservicedevlop.ru - Email: anrnews@mail.ru
webserviceftp.ru - Email: anrnews@mail.ru
hypervmsys.ru - Email: anrnews@mail.ru
webserviceget.ru - Email: anrnews@mail.ru
webserviceskot.ru - Email: anrnews@mail.ru
cl63amgstart.ru - Email: ssa1@yandex.ru
ml63amgstart.ru - Email: ssa21@yandex.ru
webservicesttt.ru - Email: anrnews@mail.ru
webservicenow.ru - Email: anrnews@mail.ru
webservicekuz.ru - Email: anrnews@mail.ru

Currently, the gang is migrating this infrastructure to 109.196.134.58, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia.

All of these domains and subdomains share the same js.js directory structure, which upon visiting loads URLs such as accesspad.ru :8080/index.php?pid=6, with the rest of the domains sharing the same infrastructure as the ones profiled in the "Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails" post:

access.webservicebal.ru
admin.webserivcekota.ru
api.webserivcessh.ru
app.webserviceforward.ru
app.webservicesrob.ru
base.webserviceftp.ru
batch.webserviceaan.ru
batch.webservicebal.ru
bios.webservicesbba.ru
block.webserviceaan.ru
block.webservicesrob.ru
cache.webservicesbba.ru
cache.webservicesmulti.ru
chk.webservicezok.ru
cmdid.webserivcezub.ru
code.webservicesbba.ru
com.webserivcekota.ru
com.webservicedevlop.ru
ddk.webservicesrob.ru
default.webservicezok.ru
diag.webserviceftp.ru
direct.webserviceftp.ru
dll.webservicelupa.ru
drv.webservicebal.ru
drv.webservicesrob.ru

encode.webservicefull.ru
err.webserivcessh.ru
export.webservicedevlop.ru
ext.webserviceaan.ru
ext.webservicesbba.ru
file.webserivcekota.ru
file.webserivcessh.ru
filter.webservicedevlop.ru
font.webservicelupa.ru
gdi.webserviceftp.ru
get.webservicesbba.ru
go.webserivcekota.ru
go.webservicefull.ru
guid.webserivcezub.ru
hostid.webservicesbba.ru
hostid.webservicesmulti.ru



http.webserviceforward.ru
icmp.webservicesbba.ru
id.webserivcezub.ru
inf.webserviceaan.ru
info.webservicedevlop.ru
ini.webservicesrob.ru
ioctl.webservicedevlop.ru
kernel.webservicezok.ru
lan.webservicefull.ru
lan.webservicesbba.ru
lib.webservicebal.ru
lib.webserviceftp.ru
libid.webservicelupa.ru
load.webservicebal.ru
locate.webservicelupa.ru
log.webservicelupa.ru
log.webservicezok.ru
log-in.webservicessl.ru
manage.webservicesbba.ru
map.webserivcezub.ru
map.webservicedevlop.ru
media.webserviceftp.ru
mode.webservicelupa.ru
net.webservicebal.ru
netapi.webserviceaan.ru
netmsg.webserivcezub.ru
ns1.webservicelupa.ru
ns2.webservicelupa.ru
ntdll.webservicessl.ru
ntio.webservicelupa.ru
ntio.webservicezok.ru
obj.webservicesbba.ru
object.webserivcessh.ru
object.webservicesmulti.ru
oem.webservicebal.ru
offset.webservicefull.ru
ole.webservicesbba.ru
org.webservicesrob.ru
page.webserviceaan.ru
parse.webservicebal.ru
peer.webserviceaan.ru
pic.webservicesbba.ru
pool.webservicelupa.ru
port.webservicebal.ru
port.webservicesbba.ru
port.webservicessl.ru
proc.webserviceaan.ru
proc.webservicessl.ru
rdir.webserviceftp.ru
redir.webservicedevlop.ru
refer.webserivcezub.ru
reg.webserviceaan.ru
remote.webservicessl.ru
run.webserivcekota.ru
script.webserivcezub.ru
sdk.webserivcezub.ru
search.webserviceaan.ru
search.webservicedevlop.ru
setup.webserivcezub.ru
setup.webservicezok.ru
snmp.webserviceforward.ru
snmp.webservicesrob.ru
sslcom.webserivcessh.ru
sslcom.webservicesrob.ru
sslid.webserivcekota.ru
sslnet.webservicedevlop.ru
svc.webservicedevlop.ru
tag.webservicebal.ru
tag.webservicessl.ru
tid.webserviceftp.ru
time.webservicelupa.ru
udp.webserviceftp.ru
udp.webservicezok.ru
update.webserviceftp.ru
update.webservicefull.ru
url.webservicesbba.ru
url.webservicezok.ru
vba.webservicesrob.ru
vbs.webservicelupa.ru
ver.webserivcekota.ru
webserivcekota.ru
webserivcessh.ru
webserivcezub.ru
webserviceaan.ru
webservicebal.ru
webservicedevlop.ru
webserviceforward.ru
webserviceftp.ru
webservicefull.ru
webserviceget.ru
webservicelupa.ru
webservicesmulti.ru
webservicesrob.ru
webservicessl.ru
webservicezok.ru
win.webservicezok.ru
xml.webservicefull.ru



Getting back to the samples rotated by the original campaign binary, here are their detection rates and network interactions.

- Detection rates:
- securedupdaterfix717.exe - Trojan.Win32.FakeYak - Result: 22/42 (52.39%)
File size: 36864 bytes
MD5...: cd16d4c998537248e6d4d0a3d51ca6de
SHA1..: 7e36ef0ce85fac18ecffd5a82566352ce0322589

Phones back to:
s.ldwn.in/inst.php?fff=7071710000&saf=ru - 91.188.60.236 (updget.in; wordmeat.in), AS6851 - Email: feliciachappell@ymail.com
bootfree.in/ MainModule717release10000.exe - 194.8.250.207 (flowload.in; lessown.in; sstats.in), AS43134 - Email: feliciachappell@ymail.com
s.wordmeat.in/install.php?coid= - 91.188.60.236, AS6851 - Email: feliciachappell@ymail.com


- Detection rate for MainModule717release10000.exe:
- MainModule717release10000.exe - Trojan:Win32/FakeYak - Result: 26/42 (61.90%)
File size: 1043968 bytes
MD5...: 3c30c62e9981bd86c5897447cb358235
SHA1..: 36bfc285a61bcb67f2867dd303ac3cefa0e490a0

Phones back to:
wordmeat.in - 91.188.60.236 - Email: feliciachappell@ymail.com
vismake.in - 91.188.60.236 - Email: keelingelizabeth@ymail.com

- Detection rate for the 3rd binary rotated in the original C&C:
- cgi.exe - Trojan.Inject.8960 - Result: 6/42 (14.29%)
File size: 62976 bytes
MD5...: 45c062490e0fc262c181efc323cb83ba
SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870

Phones back to:
musiceng.ru /music/forum/index1.php - 91.212.127.40, AS49087 - Email: ol.feodosoff@yandex.ru

The whole campaign is a great example of what cybercrime underground multitasking is all about. Moreover, it illustrates the interactions between the usual suspects, with the not so surprising appearance of the already profiled AS6851, BKCNET, Sagade Ltd.


Friday, July 16, 2010

Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails


And they're back (Gumblar, or RUmblar given the extensive use of .ru domains) for a decent start of the weekend, switching social engineering themes one more time, this time impersonating Amazon.com.
NOTE: A summary of the malicious payload served will be posted at a later stage. Meanwhile, in order to facilitate a quicker response, a complete list of the participating domains will be disseminated to the appropriate parties.
- Sample subject: Amazon.com: Please verify your new e-mail address
- Sample message: "Dear email, You recently changed your e-mail address at Amazon.com. Since you are a subscriber of Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address. Please verify that the e-mail address email belongs to you. You can click on the link below to complete the verification process. Alternatively, you can type or paste the following link into your Web browser: http://www.amazon.com"


Client-side exploitation is taking place through, for instance, crystalrobe.ru: 8080/index.php?pid=14 and hillchart.com: 8080/index.php?pid=14. As seen in previous campaigns, this one is also sharing an identical directory structure, such as:
malicious-domain.com :8080/index.php?pid=2
malicious-domain.com :8080/Notes1.pdf (Notes1-to-Notes10.pdf)
malicious-domain.com :8080/NewGames.jar
malicious-domain.com :8080/Games.jar
malicious-domain.com :8080/Applet1.html (Applet1-to-Applet10.html)
malicious-domain.com :8080/welcome.php?id=6&pid=1&hello=503


crystalrobe.ru :8080/index.php?pid=14
crystalrobe.ru :8080/jquery.jxx?v=5.3.4
crystalrobe.ru :8080/new/controller.php
crystalrobe.ru :8080/js.php
crystalrobe.ru :8080/welcome.php?id=6&pid=1&hello=503
crystalrobe.ru :8080/welcome.php?id=0&pid=1
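The directory layout listed above, and the :8080/index.php?pid=N entry point noted for the earlier "Thank you for your payment" campaign, is stable enough to hunt for in web proxy logs. The following is an added example, not code from the original post: the log lines are constructed in a Squid-like format, and the "callback" label given to welcome.php describes where it sits in the chain rather than anything the post states about it. Port 8080 plus these file names is not unique to this kit, so the output is a hunting lead, not a blocking rule.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Kit layout taken from this post: landing index.php?pid=N on port 8080,
# NotesN.pdf / AppletN.html (N = 1..10), Games.jar / NewGames.jar,
# welcome.php?id=&pid=&hello=, plus jquery.jxx, js.php and new/controller.php.
PAYLOAD_PATHS = [
    re.compile(r"^/Notes(?:[1-9]|10)\.pdf$"),
    re.compile(r"^/Applet(?:[1-9]|10)\.html$"),
    re.compile(r"^/(?:New)?Games\.jar$"),
    re.compile(r"^/jquery\.jxx$"),
    re.compile(r"^/js\.php$"),
    re.compile(r"^/new/controller\.php$"),
]

def classify_url(url):
    """Return a stage label if the URL matches the kit's layout, else None."""
    p = urlsplit(url)
    if p.port != 8080:
        return None
    qs = parse_qs(p.query)
    if p.path == "/index.php" and "pid" in qs:
        return "landing pid=" + qs["pid"][0]
    if p.path == "/welcome.php" and "id" in qs and "pid" in qs:
        return "callback id=" + qs["id"][0]   # label is this example's naming
    for pat in PAYLOAD_PATHS:
        if pat.match(p.path):
            return "payload " + p.path
    return None

# Constructed proxy log lines: epoch, client, method, URL, status.
SAMPLE_LOG = """\
1279324801.120 10.1.2.3 GET http://www.amazon.com/ 200
1279324802.455 10.1.2.3 GET http://crystalrobe.ru:8080/index.php?pid=14 200
1279324803.010 10.1.2.3 GET http://crystalrobe.ru:8080/Notes3.pdf 200
1279324803.900 10.1.2.3 GET http://crystalrobe.ru:8080/welcome.php?id=6&pid=1&hello=503 200
1279324810.000 10.1.2.9 GET http://intranet.example:8080/index.php 200
"""

def scan_log(text):
    """(client, url, label) for every log line that matches the kit layout."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits

def infected_clients(text):
    """Clients that fetched a landing page and then a payload or callback."""
    stages = defaultdict(set)
    for client, _, label in scan_log(text):
        stages[client].add(label.split()[0])
    return sorted(c for c, s in stages.items()
                  if "landing" in s and s & {"payload", "callback"})
```

The landing page alone only proves the spam link was clicked; a following payload fetch or welcome.php hit from the same client is what moves a host from "exposed" to "likely exploited" and is the case worth escalating.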



Client-side exploits serving domains (94.23.231.140; 91.121.115.208; 94.23.11.38; 94.23.224.221; 94.23.229.220) part of the campaign:
applecorn.com - Email: es@qx8.ru
areadrum.com - Email: qx@freenetbox.ru
busyspade.com - Email: baffle@freenetbox.ru
cafemack.com - Email: soy@qx8.ru
clanday.com - Email: elope@fastermail.ru
dnsofthost.com - Email: depot@infotorrent.ru
drunkjeans.com - Email: runway@5mx.ru
earlymale.com - Email: amply@maillife.ru
galslime.com - Email: soy@qx8.ru
gigasofa.com - Email: grind@fastermail.ru
hillchart.com - Email: soy@qx8.ru
hugejar.com - Email: runway@5mx.ru
ionicclock.com - Email: kin@maillife.ru
lasteye.com - Email: amply@maillife.ru
luckysled.com - Email: kin@maillife.ru
macrotub.com - Email: dodge@5mx.ru
oldgoal.com - Email: kin@maillife.ru
outerrush.com - Email: amply@maillife.ru
quietzero.com - Email: grind@fastermail.ru
radiomum.com - Email: es@qx8.ru
roundstorm.com - Email: es@qx8.ru
sadute.com - Email: grind@fastermail.ru
sheepbody.com - Email: es@qx8.ru
shinytower.com - Email: cord@maillife.ru
splatspa.com - Email: elope@fastermail.ru
tanspice.com - Email: dodge@5mx.ru
tanyear.com - Email: grind@fastermail.ru
tightsales.com - Email: runway@5mx.ru
tuneblouse.com - Email: es@qx8.ru
validplan.com - Email: dodge@5mx.ru
waxyblock.com - Email: cord@maillife.ru


allnext.ru - Email: swipe@maillife.ru
barnsoftware.ru - Email: people@bigmailbox.ru
bestbidline.ru - Email: jody@fastermail.ru
bestexportsite.ru - Email: orphan@qx8.ru
bittag.ru - Email: tips@freenetbox.ru
boozelight.ru - Email: ole@bigmailbox.ru
brandnewnet.ru - Email: orphan@qx8.ru
cangethelp.ru - Email: liver@freenetbox.ru
chainjoke.ru - Email: ole@bigmailbox.ru
comingbig.ru - Email: swipe@maillife.ru
countypath.ru - Email: liver@freenetbox.ru
crystalrobe.ru - Email: people@bigmailbox.ru
cupjack.ru - Email: tips@freenetbox.ru
dealyak.ru - Email: people@bigmailbox.ru
eyesong.ru - Email: tips@freenetbox.ru
familywater.ru - Email: ole@bigmailbox.ru
funsitedesigns.ru - Email: orphan@qx8.ru
galneed.ru - Email: people@bigmailbox.ru
girllab.ru - Email: tips@freenetbox.ru
greedford.ru - Email: ole@bigmailbox.ru
guntap.ru - Email: tips@freenetbox.ru
heroguy.ru - Email: ole@bigmailbox.ru
homecarenation.ru - Email: orphan@qx8.ru
homesitecam.ru - Email: orphan@qx8.ru
hookdown.ru - Email: crag@maillife.ru
horsedoctor.ru - Email: ole@bigmailbox.ru
jarpub.ru - Email: ole@bigmailbox.ru
liplead.ru - Email: ole@bigmailbox.ru
livesitedesign.ru - Email: orphan@qx8.ru
mansbestsite.ru - Email: orphan@qx8.ru
marketholiday.ru - Email: people@bigmailbox.ru
metalspice.ru - Email: ole@bigmailbox.ru
mingleas.ru - Email: crag@maillife.ru
motherfire.ru - Email: people@bigmailbox.ru


musicbestway.ru - Email: jody@fastermail.ru
musicsiteguide.ru - Email: crag@maillife.ru
netbesthelp.ru - Email: liver@freenetbox.ru
netwebinternet.ru - Email: dibs@freemailbox.ru
newagedirect.ru - Email: orphan@qx8.ru
newhomelady.ru - Email: orphan@qx8.ru
newinfoworld.ru - Email: orphan@qx8.ru
newworldunion.ru - Email: orphan@qx8.ru
ourfreesite.ru - Email: orphan@qx8.ru
panlip.ru - Email: tips@freenetbox.ru
pantscow.ru - Email: ole@bigmailbox.ru
problemdollars.ru - Email: people@bigmailbox.ru
raceobject.ru - Email: people@bigmailbox.ru
silencepill.ru - Email: ole@bigmailbox.ru
sisterqueen.ru - Email: ole@bigmailbox.ru
slaveday.ru - Email: ole@bigmailbox.ru
stareastwork.ru - Email: next@fastermail.ru
superblenderworld.ru - Email: crag@maillife.ru
superhoppie.ru - Email: soft@bigmailbox.ru
supertruelife.ru - Email: edsel@fastermail.ru
superwestcoast.ru - Email: crag@maillife.ru
cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365antimatrix.ru - Email: ole@bigmailbox.ru
tintie.ru - Email: swipe@maillife.ru
topmediasite.ru - Email: tips@freenetbox.ru
treecorn.ru - Email: tips@freenetbox.ru
trueblueally.ru - Email: soft@bigmailbox.ru
trueblueberyl.ru - Email: soft@bigmailbox.ru
tunemug.ru - Email: tips@freenetbox.ru
ushead.ru - Email: crag@maillife.ru
westbendonline.ru - Email: edsel@fastermail.ru
yaktrack.ru - Email: ole@bigmailbox.ru
yournewonline.ru - Email: orphan@qx8.ru
yourtolltag.ru - Email: orphan@qx8.ru
yourtruecrime.ru - Email: soft@bigmailbox.ru
zooneed.ru - Email: ole@bigmailbox.ru


Name servers of notice:
ns1.dnsofthost.com - 81.2.210.98
ns2.dnsofthost.com - 194.79.88.121
ns3.dnsofthost.com - 67.223.233.101
ns4.dnsofthost.com - 85.214.29.9

Although the NAUNET-REG-RIPN domain registrar has already registered over 100 ZeuS crimeware-friendly domains, there is little chance it will take action. Updates, including take-down/remediation actions, will be posted as soon as they emerge.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, July 15, 2010

Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines


UPDATED, Friday, July 16, 2010 - Directi has suspended the domains portfolio of the cybercrime-friendly search engines.

Cybercrime-friendly search engines are bogus search engines which, while visually social engineering their users, offer fake results leading to client-side exploits, bogus video players dropping more malware, and scareware, alongside pharmaceutical scams and domain farms neatly embedded with Google AdSense scripts for monetization.

In the majority of cases -- whenever blackhat SEO is not an option -- end users are exposed to their maliciousness once they get infected with malware redirecting each and every request to popular search engines such as Google, Yahoo and Bing to the malicious IPs/domains operated by the cybercriminals.

As far as their monetization tactics are concerned, fellow cybercriminals are free to purchase any keyword they want, for instance "spyware", and make it look like the end user is clicking on security-vendor.com's site, whereas upon clicking, a particular type of malicious activity takes place based on the user's physical location.

Remember the HOSTS file modification taking place courtesy of the malware at AS6851, BKCNET, Sagade Ltd., and in particular the Koobface gang related IP 89.149.210.109? Sampling the malicious activity within the search engines parked/forwarded (DNS recursion) from this IP results in client-side exploits, bogus video players dropping malware, and scareware, and that in less than 5 minutes of testing.
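The HOSTS-file hijack described above can be caught host-side by parsing the file and flagging any entry that pins a major search engine to a routable address, while ignoring loopback or 0.0.0.0 pins that ad-blocking users legitimately add. This is an added example, not code from the original post; the sample HOSTS content and the 203.0.113.10 address are constructed.

```python
import ipaddress

# Search-engine hostnames that the malware described above hijacks.
# Any HOSTS entry mapping one of these (or a subdomain) to a routable
# address is a redirection and worth flagging.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line, skip it
        ip, names = fields[0], fields[1:]
        for name in names:                    # one IP may map several names
            yield ip, name.lower().rstrip(".")

def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_hijacks(text):
    """Return [(ip, hostname)] for watched search-engine names that are
    pinned to a non-loopback, non-unspecified (i.e. routable) address."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not an IP literal, ignore
        if addr.is_loopback or addr.is_unspecified:
            continue                          # sinkhole-style pin, benign
        hits.append((ip, name))
    return hits

# Constructed sample HOSTS content (not taken from the original post).
SAMPLE_HOSTS = """\
# sample file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid        # user-added ad block, benign
203.0.113.10    www.google.com google.com  # hijack: search traffic redirected
203.0.113.10    www.bing.com
127.0.0.1       www.yahoo.com              # loopback pin, not a redirect
"""
```

Running `find_hijacks(SAMPLE_HOSTS)` returns the three Google and Bing entries pointing at 203.0.113.10 and nothing else.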


The cybercrime-friendly domains in question:

Internal redirections leading to malicious activity take place through the following domains:


Internal pharmaceutical redirections take place through the following domains:
medsbrands.com - 74.52.216.46 - Email: tech@add-manager.com
thepillsdiscounts.info - 74.52.216.46 - Email: tech@add-manager.com
yourcatalogonline.biz - 74.52.216.46
bestderden.org - 74.52.216.46

Internal redirections leading to malicious activity take place through the following IPs:



Sample malicious activity consists of scareware campaigns, client-side exploits, and bogus video players dropping malware.

Upon visiting the bogus PornTube at vogel-tube.com/xfreeporn.php?id= - 66.197.187.118 (the-real-tube-best.com and great-celebs-tube.net are parked there) - Email: admin@thenweb.com, the user is tricked into manually installing basemultimedia.com/video-plugin.45309.exe - 66.197.154.21 (visualbasismedia.com) - Email: joe@silentringer.com

- Detection rate:
video-plugin.45309.exe - Downloader-CEW.b, Result: 6/42 (14.29%)
File size: 113152 bytes
MD5...: 25e644171bf9ee2a052b5fa71f8284e5
SHA1..: e4ac01534c7c1b71d2a38cf480339d31db187ecb

Upon execution, the sample phones back to:

Parked at 216.240.146.119, AS7796 are also:


Parked at 64.191.44.73, AS21788 are also:

Parked at 64.20.35.3, AS19318 are also:


Related malicious domains sharing the same DNS infrastructure:

Following the bogus dropper, the cybercriminals are also directly serving client-side exploits to users seeking security-related content. In this case, the exploits/malware are served from xoxipemej.cn/gr/s1/ - 178.63.170.185 - Email: shiwei_fang77@126.com.

- Detection rate:
.exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62%)
File size: 53760 bytes
MD5...: 23244c5b5b02fab65b3a7ab51005fd51
SHA1..: a5f1a10344378f2c8f13c266dce39247ba3bae5f


Parked on the same IP 178.63.170.185, AS24940 are also:

Last, but not least, is the scareware infection taking place through www1.warezforyou24.co.cc/?p=p52 - 114.207.244.146; 114.207.244.143; 114.207.244.144; 114.207.244.145. Parked on these IPs is also an extensive portfolio of related scareware domains.

- Detection rate:
packupdate107_231.exe - Suspicious:W32/Malware!Gemini, Result: 3/42 (7.15%)
File size: 238080 bytes
MD5...: 93517875c59ac33dab655bc8432b0724
SHA1..: 774af049406baeef3427b91a2d67ee0250b2b51b

Upon execution, the sample phones back to:

The cybercrime-friendly domains portfolio is in the process of being suspended.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.