
Wednesday, November 25, 2009

Koobface Botnet Starts Serving Client-Side Exploits

UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and scareware domains remains ongoing, with no signs of resuming the use of client-side exploits.

Some of the latest ones include inviteerverwhere .cn - Email: box@cethcuples.com -> scanner-infoa .com - Email: inout@celestia.com (scareware detection rate); 1economyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: inout@celestia.com (scareware detection rate); slip-stream .cn - Email: info@mercedess.de -> getsafeantivirusa .com - Email: morrison2g@yahoo.com (scareware detection rate).

The complete list of redirectors introduced over the past week is as follows: 1economyguide .cn; 1monocline .cn; 1nonsensical .cn; 1onlinestarter .cn; 1political-news .cn; argentinastyle .cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcountry .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets .cn; womenregrets2 .cn

UPDATED, Saturday, November 28, 2009: Following yesterday's experiment with bit.ly redirectors, which relied on a "visual social engineering element" by appending a descriptive domain after the original link -- bit.ly/588dmE?YOUTUBE.COM/ea05981d43, a trick that works with any generated bit.ly link -- the gang is now spamvertising links that use Google News redirection to automatically registered Blogspot accounts. The CAPTCHA challenge for these accounts is solved by victims already infected with Koobface, a feature that is now mainstream compared to the gang's previous use of commercial CAPTCHA solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:

- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/
- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/
- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/
- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/
- news.google.com/news/url?url=http://keyserefrain .blogspot.com/


New redirectors introduced include:
overmerit3 .cn - Email: admin@cryzisday.com
belgiumnation .cn - Email: vesta@greaselive.au
iraqcontacts .cn - Email: admin@resemm.de
womenregrets .cn - Email: admin@resemm.de
wallgreensmart .cn - Email: admin@cryzisday.com
brazilcountry .cn - Email: vesta@greaselive.au
womenregrets2 .cn - Email: in@groovezone.com

News scareware domains introduced include:
internetdefencesystem .com - Email: admin@wyverny.com
royalsecure-a1 .com - Email: in@groovezone.com
royaldefencescan1 .com - Email: in@groovezone.com
royaldefensescan1 .com - Email: in@groovezone.com
royaldefencescan .com - Email: contacts@esseys.au
royaldefensescan .com - Email: contacts@esseys.au
royalprotectionscan .com - Email: contacts@esseys.au

Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed .com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain.

UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits; let's see whether it's only for the time being or indefinitely. Scareware, however, is still being introduced through periodically registered new domains - argentinastyle .cn - Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au, which redirect to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: fransysles2@yahoo.com (detection rate).

The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain active.

The Koobface botnet, a case study in propagation relying exclusively on social engineering tactics and the systematic abuse of legitimate Web 2.0 services, has introduced a second "game-changer", next to the migration to a distributed command and control infrastructure once its centralized operations got shut down.

Next to the embedded and automatically rotating scareware redirects placed on each and every infected host that is part of the Koobface botnet, the gang behind it has now officially started using client-side exploits (VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground Molotov - function molot (m)), which connect to a well known (average) web malware exploitation kit's interface. A user who clicks on the Koobface URL is now exposed not only to the Koobface binary itself, now pushed through client-side exploits, but also to the periodically changed scareware domains.

Let's dissect the campaign, expose the entire domain portfolio involved or introduced since the beginning of the week, and once again establish a connection between the Koobface gang and money mule recruitment scams, followed by scareware domains (Inst_312s2.exe; Inst_312s2.exe from today, both of them phoning back to angle-meter .com/?b=1), all registered using the same emails.

Scareware redirectors seen during the past couple of days, parked at 91.213.126.250:
solidresistance .cn - Email: admin@cryzisday.com
separator2009 .cn - Email: admin@cryzisday.com
zapotec2 .cn - Email: admin@cryzisday.com
befree2 .cn - Email: gmk2000@yahoo.com
entombing2009 .cn - Email: info@grindsteal.fr
economyguide .cn - Email: info@plaguegr.de
smile-life .cn - Email: gmk2000@yahoo.com
everlastmovie .cn - Email: gmk2000@yahoo.com
monocline .cn - Email: info@plaguegr.de
mozzillaclone .cn - Email: sanbeans6@yahoo.com
monkey-greese .cn - Email: sanbeans6@yahoo.com
surgingnurse .cn - Email: info@grindsteal.fr
mailboxinvite .cn - Email: sanbeans6@yahoo.com
flatletkick .cn - Email: info@plaguegr.de
nonsensical .cn - Email: info@grindsteal.fr
moralisefilm .cn - Email: info@grindsteal.fr
firefoxavatar .cn - Email: sanbeans6@yahoo.com
onlinestarter .cn - Email: info@plaguegr.de
clowncirus .cn - Email: sanbeans6@yahoo.com
political-news .cn - Email: info@plaguegr.de
harry-pott .cn - Email: gmk2000@yahoo.com
repeatability .cn - Email: info@grindsteal.fr

New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103:
valuewebscana .com - Email: lynd.stafford@yahoo.com
valuescana .com - Email: lynd.stafford@yahoo.com
cyber-scan-1 .com - Email: admin@dedicatezoom.com
yourantispy-1 .com - Email: shah_indigo@googlemail.com
cyber-scan011 .com - Email: admin@dedicatezoom.com
cyber-scan-2 .com - Email: admin@dedicatezoom.com
antimalware-3 .com - Email: shah_indigo@googlemail.com
yourmalwarescan3 .com - Email: shah_indigo@googlemail.com
antimalwarescana4 .com - Email: j.wirth@smsdetective.com
today-scan4 .com - Email: millercall413@yahoo.com
antispy-scan5 .com - Email: shah_indigo@googlemail.com
yourantivira7 .com - Email: j.wirth@smsdetective.com
yourmalwarescan7 .com - Email: info@bellyn.com
yourantispy-8 .com - Email: info@bellyn.com
cyber-scan08 .com - Email: admin@dedicatezoom.com
cyber-scan09 .com - Email: admin@dedicatezoom.com
beprotected9 .com - Email: essi@calinsella.eu
spyware-scan9 .com - Email: info@bellyn.com
yourantispy-a .com - Email: shah_indigo@googlemail.com
checkforspywarea .com - Email: sanbeans6@yahoo.com
checkfilesherea .com - Email: sanbeans6@yahoo.com
scanfilesherea .com - Email: sanbeans6@yahoo.com
findprotectiona .com - Email: admin@wyverny.com
checkfilesnowa .com - Email: sanbeans6@yahoo.com
web-scanm .com - Email: essi@calinsella.eu
today-scann .com - Email: essi@calinsella.eu
4eay-protection .com - Email: millercall413@yahoo.com

The client-side exploit redirection takes place through three separate domains, all involved in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. For instance, el3x.cn/test13/index.php - 210.51.166.119 - Email: Exmanoize@qip.ru redirects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> el3x.cn/test13/soc.php, using VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc. to push load.exe, which phones back to a well known "leftover" from the Koobface botnet's centralized infrastructure - xtsd20090815 .com/adm/index.php.

Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders with authors of actual web malware exploitation kits, who diversify their cybercrime operations by participating in money mule recruitment scams, Zeus crimeware serving campaigns, and scareware.

Parked on 210.51.166.119, where the first iFrame is hosted, are also the following domains participating in related campaigns:
amer0test0 .cn - Email: abusehostserver@gmail.com -> money mule recruitment
antivirusfreec0 .cn - Email: abusehostserver@gmail.com -> money mule recruitment 
arendanomer2 .cn - Email: Exmanoize@qip.ru
dom0cn .cn - Email: Exmanoize@qip.ru
dom1cn .cn - Email: Exmanoize@qip.ru
dom2cn .cn - Email: Exmanoize@qip.ru
domx0 .cn - Email: Exmanoize@qip.ru
domx1 .cn - Email: Exmanoize@qip.ru
domx2 .cn - Email: Exmanoize@qip.ru
dox0 .cn - Email: Exmanoize@qip.ru
dox1 .cn - Email: Exmanoize@qip.ru
dox2 .cn - Email: Exmanoize@qip.ru
dox3 .cn - Email: Exmanoize@qip.ru
edit2china .cn - Email: Exmanoize@qip.ru
edit3china .cn - Email: Exmanoize@qip.ru
el1x .cn - Email: Exmanoize@qip.ru
el2x .cn - Email: Exmanoize@qip.ru
el3x .cn - Email: Exmanoize@qip.ru
gym0replace .cn - Email: chen.poon1732646@yahoo.com -> scareware domain registration
herosima1yet .cn - Email: Exmanoize@qip.ru
herosima1yet00g .cn - Email: abusehostserver@gmail.com
otherchina .cn - Email: Exmanoize@qip.ru
parliament .tk - Email: royalddos@gmail.com
privet1 .cn - Email: Exmanoize@qip.ru
privet2 .cn - Email: Exmanoize@qip.ru
privet3 .cn - Email: Exmanoize@qip.ru
sport-lab .cn - Email: abuseemaildhcp@gmail.com -> money mule recruitment domain registrations
trafdomins .cn - Email: Exmanoize@qip.ru
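The connection the post draws between the exploit-serving domains, the money mule recruitment domains and the scareware portfolio rests on one pivot: the registrant email in each listing. The following is an added example written for this page, not code from the original post. It parses listings in the post's own "name .tld - Email: address -> note" format, groups domains by registrant and intersects two listings to surface the shared registrants; the three embedded lists are constructed from a handful of the entries quoted above (the annotations after "->" are the post's own), so the output is only as complete as that subset.

```python
"""Pivot the post's 'domain - Email: registrant' listings on registrant email.

Added example, not code from the original post. The sample lists below are
constructed from a handful of the entries quoted in the post (same defanged
'name .tld' notation); the note after '->' is the post's own annotation.
"""
import re
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "domain email note")

LINE_RE = re.compile(
    r"^\s*(?P<domain>\S+(?: \.\S+)?) - Email: (?P<email>\S+)"
    r"(?: -> (?P<note>.+?))?\s*$"
)

# Subset of the domains the post lists as parked on 210.51.166.119.
EXPLOIT_HOST_DOMAINS = """
amer0test0 .cn - Email: abusehostserver@gmail.com -> money mule recruitment
el1x .cn - Email: Exmanoize@qip.ru
el3x .cn - Email: Exmanoize@qip.ru
gym0replace .cn - Email: chen.poon1732646@yahoo.com -> scareware domain registration
sport-lab .cn - Email: abuseemaildhcp@gmail.com -> money mule recruitment domain registrations
"""

# Subset of the scareware redirectors parked at 91.213.126.250.
SCAREWARE_REDIRECTORS = """
solidresistance .cn - Email: admin@cryzisday.com
befree2 .cn - Email: gmk2000@yahoo.com
mozzillaclone .cn - Email: sanbeans6@yahoo.com
political-news .cn - Email: info@plaguegr.de
"""

# Subset of the new scareware domain portfolio.
SCAREWARE_DOMAINS = """
valuewebscana .com - Email: lynd.stafford@yahoo.com
cyber-scan-1 .com - Email: admin@dedicatezoom.com
checkforspywarea .com - Email: sanbeans6@yahoo.com
findprotectiona .com - Email: admin@wyverny.com
"""


def parse_list(text):
    """Parse listing lines into Records; lines that do not match are skipped.
    Domains are refanged ('el3x .cn' -> 'el3x.cn'); emails are lowercased so
    case variants of the same registrant collapse into one pivot key."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            domain = m.group("domain").replace(" .", ".")
            records.append(Record(domain, m.group("email").lower(), m.group("note")))
    return records


def by_registrant(records):
    """Map registrant email -> sorted list of domains it registered."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec.email].add(rec.domain)
    return {email: sorted(domains) for email, domains in groups.items()}


def shared_registrants(records_a, records_b):
    """Emails present in both listings: the thread tying two campaigns together."""
    return set(by_registrant(records_a)) & set(by_registrant(records_b))


def annotated(records):
    """Domains the post tied to a side business (money mules, scareware)."""
    return {rec.domain: rec.note for rec in records if rec.note}


if __name__ == "__main__":
    for email, domains in sorted(by_registrant(parse_list(EXPLOIT_HOST_DOMAINS)).items()):
        print(email, "->", ", ".join(domains))
    print("shared:", shared_registrants(parse_list(SCAREWARE_REDIRECTORS),
                                        parse_list(SCAREWARE_DOMAINS)))
```

Run against the full lists in the post, the same intersection shows sanbeans6@yahoo.com, admin@cryzisday.com and in@groovezone.com registering both .cn redirectors and .com scareware landing pages, which is the overlap the post relies on.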

The second iFrame domain, parked at 61.235.117.83, redirects in the following way - kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to kiano-180809 .com/oko/dyna_soc.html -> kiano-180809 .com/oko/tomato_guy_13.html -> kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wmf.

The same exploitation structure applies to the third iFrame domain - ttt20091124 .info/oko/help.html, which is again parked at 61.235.117.83 and was embedded on Koobface-infected hosts over the past 24 hours.
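The two chains documented above (el3x .cn/test13/index.php -> pdf.php -> load.php?spl= -> soc.php with load.exe phoning home to xtsd20090815 .com/adm/index.php, and the /oko/help.html -> dyna_soc.html -> tomato_guy_13.html -> update.vbe -> dyna_wm.wmf sequence shared by kiano-180809 .com and ttt20091124 .info) have a fixed directory layout that survives domain rotation, which makes them easy to spot in web proxy logs. The following is an added example written for this page, not code from the original post or any product: the hosts and path signatures are taken from the chains above, matching on paths as well as hosts is my own assumption (justified by the post showing the third domain reuse the /oko/ layout of the second), and the log lines are constructed in a simple "timestamp client method url status" format.

```python
"""Flag the exploit-kit redirection chain described above in web proxy logs.

Added example, not code from the original post. The path signatures and
hosts come from the chains the post documents (el3x .cn/test13/...,
kiano-180809 .com/oko/..., the load.exe phone-home and the ?b= check-ins);
matching on paths as well as hosts is my own assumption, made because the
post shows the domains rotating while the kit's directory layout does not.
The log lines are constructed for this example in a simple
'timestamp client method url status' format.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

KIT_HOSTS = {"el3x.cn", "kiano-180809.com", "ttt20091124.info"}
CALLBACK_HOSTS = {"xtsd20090815.com", "austin2reed.com", "angle-meter.com"}

LANDING_PATHS = {"/test13/index.php", "/oko/help.html"}
EXPLOIT_PATHS = {
    "/test13/pdf.php", "/test13/load.php", "/test13/soc.php",
    "/oko/dyna_soc.html", "/oko/tomato_guy_13.html",
}
PAYLOAD_NAMES = ("update.vbe", "dyna_wm.wmf", "load.exe")

# Constructed sample: one victim walking the /oko/ chain, one clean client,
# one already-infected host checking in with the ?b= phone-home URL.
SAMPLE_LOG = """\
2009-11-25T10:02:11 10.0.0.5 GET http://kiano-180809.com/oko/help.html 200
2009-11-25T10:02:12 10.0.0.5 GET http://kiano-180809.com/oko/dyna_soc.html 200
2009-11-25T10:02:14 10.0.0.5 GET http://kiano-180809.com/oko/update.vbe 200
2009-11-25T10:02:15 10.0.0.5 GET http://kiano-180809.com/oko/dyna_wm.wmf 200
2009-11-25T10:03:40 10.0.0.9 GET http://www.facebook.com/home.php 200
2009-11-25T10:05:02 10.0.0.7 GET http://austin2reed.com/?b=1 200
"""


def classify(url):
    """Map a URL to a stage of the chain, or None if it looks unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path, query = parts.path.lower(), parts.query.lower()
    if path.endswith(PAYLOAD_NAMES):
        return "payload"
    if path in LANDING_PATHS:
        return "landing"
    if path in EXPLOIT_PATHS:
        return "exploit"
    if host in CALLBACK_HOSTS and (path == "/adm/index.php" or query.startswith("b=")):
        return "callback"
    if host in KIT_HOSTS:
        return "kit-host"  # known kit domain, unknown path: still worth a look
    return None


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "url": url, "status": status})
    return records


def detect_chains(records, window_seconds=120):
    """Return one alert per client that either walked landing -> exploit/payload
    inside the window, or checked in with a phone-home URL (already infected)."""
    events = defaultdict(list)
    for rec in records:
        stage = classify(rec["url"])
        if stage:
            events[rec["client"]].append((rec["ts"], stage, rec["url"]))
    alerts = []
    for client, seen in sorted(events.items()):
        seen.sort()
        stages = [s for _, s, _ in seen]
        span = (seen[-1][0] - seen[0][0]).total_seconds()
        if "callback" in stages:
            reason = "phone-home to known callback domain"
        elif "landing" in stages and {"exploit", "payload"} & set(stages) and span <= window_seconds:
            reason = "exploit kit chain within %ds" % window_seconds
        else:
            continue
        alerts.append({"client": client, "reason": reason, "stages": stages,
                       "urls": [u for _, _, u in seen]})
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(parse_log(SAMPLE_LOG)):
        print(alert["client"], alert["reason"], " -> ".join(alert["stages"]))
```

The callback match is kept separate from the chain match on purpose: a host that only ever requests /?b=1 or /adm/index.php never visited a landing page through the proxy, yet it is the more urgent finding, since it is already running the binary.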

What prompted this shift on behalf of the Koobface gang? Declining infection rates -- I'm personally not seeing a decline in the click-through rate, with over 500 clicks on a spamvertised Koobface URL over a period of 24 hours -- or their obsession with traffic optimization? In terms of social engineering, the periodic introduction of new templates proved highly successful for the gang, but the newly introduced, outdated client-side exploits can in fact generate more noise than they originally anticipated, compared to continuing to rely on social engineering vectors only.

One thing's certain - the Koobface gang is now on the offensive, and it would be interesting to see whether they'd introduce a new exploit set or continue relying on the one offered by the web exploitation kit.

Related posts:
Secunia: Average insecure program per PC rate remains high
Research: 80% of Web users running unpatched versions of Flash/Acrobat
Fake Security Software Domains Serving Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.