Showing posts with label Koobface. Show all posts

Sunday, May 05, 2019

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time successfully introducing a CAPTCHA-breaking module that potentially improves the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed, a sample malware phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that, prior to my analysis of the campaign, the Koobface gang appears to have recently introduced a CAPTCHA-breaking module which basically relies on the active outsourcing of the CAPTCHA-breaking process, potentially improving the Koobface spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed, a sample phones back to the following C&C server IPs:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in-depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed, a sample malware phones back to:
hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions.

More scareware domains are also parked at the same IP, where Crusade Affiliates continue serving a diverse set of fake security software.

It's also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. The Koobface gang is typosquatting my name when registering domains (for instance Rancho Ranchev; Pancho Panchev etc.), including hxxp://mayernews.com - which is registered to Danchev Danch (1andruh.a1@gmail.com).

Sunday, October 21, 2018

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I've recently come across a diverse portfolio of fake security software, also known as scareware, courtesy of the Koobface gang, in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, including the establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed, a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Domains known to have responded to the same malicious C&C server IPs:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - which is a well-known Koobface 1.0 C&C server domain, also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.

Once executed, a sample malware (MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5) phones back to the following malicious C&C server IPs:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the mass Embassy Web site compromise throughout 2007 and 2009.

Successfully dropping the following malicious Koobface sample: hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Saturday, October 20, 2018

Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang, actively serving fake security software, also known as scareware, to a variety of users, with the majority of the malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP, successfully hosting a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:
installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50%)

Related malicious phone back C&C server IPs:
hxxp://av-plusonline.org/install/avplus.dll
hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:
avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39%)

It gets even more interesting, as hxxp://fast-payments.com - 91.188.59.27 is parked within the Koobface botnet 1.0 phone-back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:
hxxp://urodinam.net/33t.php?stime=125558
- hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25%)

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://aburvalg.com/new1.php - 64.27.0.237
- hxxp://fucking-tube.net

The following domains use it as a name server:
hxxp://ns1.addedantivirus.com

Related malicious domains known to have responded to the same malicious name server:
hxxp://antiviralpluss.org
hxxp://antivirspluss.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://pretection-page.org
hxxp://sys-mesage.org
hxxp://av-plus-online.org
hxxp://av-plusonline.org
hxxp://avplus-online.org
hxxp://avplusonline.org
hxxp://avplussonline.org
hxxp://protecmesages.org
hxxp://protect-mesagess.org
hxxp://protectmesages.org
hxxp://protectmesagess.org
hxxp://protectmessages.org
hxxp://avplus24support.com
hxxp://searchwebway4.com
hxxp://searchwebway5.com
hxxp://searchwebway10.com
hxxp://searchwebway9.com
hxxp://searchwebway6.com

Related malicious URLs known to have participated in the campaign:
hxxp://avplus-online.org/buy.php?id=
- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:
hxxp://antiviruspluss.org
hxxp://avplusscanner.org
hxxp://protection-messag.org
hxxp://antivirs-pluss.org
hxxp://antiviru-pluss.org
hxxp://antivirus-p1uss.org
hxxp://protection-mesage.org
hxxp://sysstem-mesage.org
hxxp://system-message.org
hxxp://antiviral-pluss.org
hxxp://av-onlinescanner.org
hxxp://avonlinescanner.org
hxxp://avonlinescannerr.org
hxxp://avp-scanner.org
hxxp://avp-scannerr.org
hxxp://avp-sscaner.org
hxxp://avp-sscannerr.org
hxxp://avplscaner-online.org
hxxp://avplscanerr-online.org
hxxp://avplsscannerr.org
hxxp://avplus-scanerr.org
hxxp://online-protection.org
hxxp://antivirupluss.org
hxxp://syssmessage.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://av-scanally.org
hxxp://av-scaner-online.org
hxxp://av-scaner-online3k.org
hxxp://av-scaner-onlineband.org
hxxp://av-scaner-onlinebody.org
hxxp://av-scaner-onlinebuzz.org
hxxp://av-scaner-onlinecabin.org
hxxp://av-scaner-onlinecrest.org
hxxp://av-scaner-onlinefolk.org
hxxp://av-scaner-onlineplan.org
hxxp://av-scaner-onlinesite.org
hxxp://iav-scaner-online.org
hxxp://netav-scaner-online.org
hxxp://techav-scaner-online.org
hxxp://antivirspluss.org
hxxp://sys-mesage.org
hxxp://antiviralpluss.org
hxxp://pretection-page.org
hxxp://av-scaner-onlinefairy.org
hxxp://av-scaner-onlinegrinder.org
hxxp://av-scaner-onlinehistory.org
hxxp://av-scaner-onlineicity.org
hxxp://av-scaner-onlinemachine.org
hxxp://av-scaner-onlinepeople.org
hxxp://av-scaner-onlineretort.org
hxxp://av-scaner-onlinereview.org
hxxp://av-scaner-onlinetopia.org
hxxp://directav-scaner-online.org
hxxp://expertav-scaner-online.org
hxxp://orderav-scaner-online.org
hxxp://speedyav-scaner-online.org
hxxp://thriftyav-scaner-online.org
hxxp://timesav-scaner-online.org
hxxp://411online-scanner-free.org
hxxp://dynaonline-scanner-free.org
hxxp://fastonline-scanner-free.org
hxxp://homeonline-scanner-free.org
hxxp://online-scanner-freebin.org
hxxp://online-scanner-freebuy.org
hxxp://online-scanner-freelook.org
hxxp://online-scanner-freemap.org
hxxp://online-scanner-freemeet.org
hxxp://online-scanner-freesite.org
hxxp://online-scanner-freetent.org
hxxp://online-scanner-freeu.org
hxxp://online-scanner-freevolt.org
hxxp://onlinescannerfree.org
hxxp://av-plus-online.org
hxxp://protecmesages.org
hxxp://av-onlicity.org
hxxp://av-online-scanner.org
hxxp://av-online-scannerbid.org
hxxp://av-online-scannercrest.org
hxxp://av-online-scannerfolk.org
hxxp://av-online-scannergate.org
hxxp://av-online-scannerland.org
hxxp://av-online-scannerpc.org
hxxp://av-online-scannersite.org
hxxp://av-online-scannerweek.org
hxxp://av-online-scannerwing.org
hxxp://infoav-online-scanner.org
hxxp://shopav-online-scanner.org
hxxp://theav-online-scanners.org
hxxp://avplus-online.org
hxxp://protectmesages.org
hxxp://av-scaner.org
hxxp://av-scaners.org
hxxp://av-scanner.org
hxxp://av-scanners.org
hxxp://avplussonline.org
hxxp://avscaner.org
hxxp://avscaners.org
hxxp://avscanner.org
hxxp://avscanners.org
hxxp://eav-scaner.org
hxxp://eav-scaners.org
hxxp://eav-scanner.org
hxxp://eav-scanners.org
hxxp://myav-scaner.org
hxxp://myav-scaners.org
hxxp://myav-scanner.org
hxxp://myav-scanners.org
hxxp://protectmessages.org
hxxp://avplusonline.org
hxxp://av-plusonline.org
hxxp://protect-mesagess.org

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang, successfully exposing hundreds of thousands of users to a multitude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:
hxxp://jhpegdueeunz.55fast.com
hxxp://vzhusyeeaubk.55fast.com
hxxp://cvzizliiustw.55fast.com
hxxp://zetaswuiouax.55fast.com
hxxp://shzopfioarpd.55fast.com
hxxp://nqpubruioeat.55fast.com
hxxp://krrepteievdr.55fast.com
hxxp://gtoancoiuyqv.55fast.com
hxxp://felopfooaydk.55fast.com
hxxp://dknejxaeozjb.55fast.com
hxxp://ljperwaaoxjs.55fast.com
hxxp://hxmagxaeulbn.55fast.com
hxxp://mueombooikgp.55fast.com
hxxp://gluezneoolhs.55fast.com
hxxp://ptpodseeanvk.55fast.com
hxxp://jgdeyraoojdr.55fast.com
hxxp://kjsetqaoojdr.55fast.com
hxxp://kvuelveuicmn.55fast.com
hxxp://ywoamnooikfp.55fast.com
hxxp://dnkopgioawss.55fast.com
hxxp://qjtepyaoigts.55fast.com
hxxp://fdsudpeeewam.55fast.com
hxxp://qumobxoiigst.55fast.com
hxxp://fkvahzaeibbz.55fast.com
hxxp://lxxikhiuutwm.55fast.com
hxxp://meboczoiikgy.55fast.com
hxxp://mevoxliiidyq.55fast.com
hxxp://hxvoysaoozhp.55fast.com
hxxp://wiaabcoookfs.55fast.com
hxxp://wlbatgeeiohc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://narezxaauggf.55fast.com
hxxp://gdsetqaoocks.55fast.com
hxxp://ptxihhiiihpq.55fast.com
hxxp://ramilhueamxg.55fast.com
hxxp://vvnoxliiigsp.55fast.com
hxxp://ywweypeaeemz.55fast.com
hxxp://rqqetweeupwn.55fast.com
hxxp://fprewmaoojpn.55fast.com
hxxp://kbmahjiiigpw.55fast.com
hxxp://romozjuuurov.55fast.com
hxxp://tmxufseaacks.55fast.com
hxxp://viaegjiooeun.55fast.com
hxxp://znmasdiiicbc.55fast.com
hxxp://gdbiczooaoaw.55fast.com
hxxp://boqegkooouom.55fast.com
hxxp://xncoxloiiwrm.55fast.com
hxxp://flxowreuuhkb.55fast.com
hxxp://zzkihgiuupwb.55fast.com
hxxp://gxcobmeeuvls.55fast.com
hxxp://wygimweuizxz.55fast.com
hxxp://winowmeaoxhy.55fast.com
hxxp://hhpewmaoidtm.55fast.com
hxxp://nemoxloiixlh.55fast.com
hxxp://bvbowvooigtq.55fast.com
hxxp://pgmassuiixvx.55fast.com
hxxp://vbxoxkiiijst.55fast.com
hxxp://clnobhaoobzf.55fast.com
hxxp://proawnaoozxf.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://romwrpueerr.007gb.com
hxxp://rtperweaauux.5nxs.com
hxxp://prougpeeabzd.hostevo.com
hxxp://stwermoiigwc.10fast.net
hxxp://znmasdiiicbc.55fast.com
hxxp://gjxotyuuobmv.007sites.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpfujhiuijhd.hostevo.com
hxxp://gfhizliiikjd.hostevo.com
hxxp://driozkuueqic.hostevo.com
hxxp://rrkihfuuuspr.hostevo.com
hxxp://xzkikhueeivf.hostevo.com
hxxp://trqawmaookgp.hostevo.com
hxxp://hggudseuerqn.hostevo.com
hxxp://phveflaeulmn.hostevo.com
hxxp://cvxiljiuuyrm.hostevo.com
hxxp://fdseffuueqiv.hostevo.com
hxxp://dsteyraaaxgr.hostevo.com
hxxp://pfjocbeuiznb.hostevo.com
hxxp://ccziljiuurab.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgfuspeeeauc.hostevo.com
hxxp://grioxhueoxlf.hostevo.com
hxxp://dpdilkiiihfy.hostevo.com
hxxp://miuonbaoifwv.hostevo.com
hxxp://fpteymoiuqmj.hostevo.com
hxxp://dyoovziuebvj.hostevo.com
hxxp://rpdojzaaesgg.hostevo.com
hxxp://zzkuhguuewib.hostevo.com
hxxp://bqyunruiaecw.hostevo.com
hxxp://sruoljiuurqb.hostevo.com
hxxp://stratreaaebk.hostevo.com
hxxp://kjsetwaookdt.hostevo.com
hxxp://prougpeeabzd.hostevo.com
hxxp://nrfitdioaoyd.hostevo.com
hxxp://cxligdueewoc.hostevo.com
hxxp://tqaawmaoamvj.hostevo.com
hxxp://qunoxliiifyw.hostevo.com
hxxp://zkfusteaanch.hostevo.com
hxxp://qumobcooozjf.hostevo.com
hxxp://sqqawmaaamvj.hostevo.com
hxxp://klguyraoojdr.hostevo.com
hxxp://fspespueeiez.hostevo.com
hxxp://sjcadjoaepfh.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://pkbadlaeujcv.55fast.com
hxxp://vnvocziiifst.55fast.com
hxxp://wauanbooikfy.55fast.com
hxxp://yovikdeaanch.55fast.com
hxxp://jvuelvaeukcc.55fast.com
hxxp://lkgufpeeaunz.55fast.com
hxxp://kjfufseeeiml.55fast.com
hxxp://bmmoxliiifdt.55fast.com
hxxp://nqtuxneuixbb.55fast.com
hxxp://wioabnaoikfp.55fast.com
hxxp://ssdikzaaaiiq.55fast.com
hxxp://rwaammaaeowm.55fast.com
hxxp://ljifsueaumz.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://lljifsueaumz.55fast.com
hxxp://nbzigpeaoksq.55fast.com
hxxp://mvjufraoidqb.55fast.com
hxxp://hgdupraoisqc.55fast.com
hxxp://khdudseeeauc.55fast.com
hxxp://fspetwaaabxh.55fast.com
hxxp://tqoavxoiidyq.55fast.com
hxxp://xeaubwuiardg.55fast.com
hxxp://nbvoncooolhp.55fast.com
hxxp://wexigpaoambl.55fast.com
hxxp://klhuggiuufdt.55fast.com
hxxp://dxwetteoigst.55fast.com
hxxp://glvashoaeygj.55fast.com
hxxp://xmoejcaeujxc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://jfsfkfuueqw.007gb.com
hxxp://bbxcimoiify.007gb.com
hxxp://ljgjxkueewi.007gb.com
hxxp://xzkgkguueaa.007gb.com
hxxp://wmhjvkuaabj.007gb.com
hxxp://yqbzmciuupt.007gb.com
hxxp://lvxvieaoizj.007gb.com
hxxp://srnvuioookf.007gb.com
hxxp://melhlhueeqe.007gb.com
hxxp://lkhjclueuwa.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://bvgsfyaooxh.007gb.com
hxxp://xbkhceeuifd.007gb.com
hxxp://ywncmvoiojf.007gb.com
hxxp://kjptpwaaacl.007gb.com
hxxp://gpmcumooavx.007gb.com
hxxp://dpwnaioookf.007gb.com
hxxp://stqnaiaoihd.007gb.com
hxxp://fspygfuuerq.007gb.com
hxxp://wbgtsyeaamb.007gb.com
hxxp://fprmwoaaavl.007gb.com
hxxp://mmxlnvoiijd.007gb.com
hxxp://vvllnmooocl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://zlgsgpeaabz.007gb.com
hxxp://ccjfxleeewq.007gb.com
hxxp://cvhfjguueqi.007gb.com
hxxp://lhprsraaack.007gb.com
hxxp://razzbciiupt.007gb.com
hxxp://rancoeooozh.007gb.com
hxxp://muczimoooxh.007gb.com
hxxp://tphotdioetdf.hostevo.com
hxxp://vvxifpeaocks.hostevo.com
hxxp://jjhillooolhf.hostevo.com
hxxp://bzxixliiudpr.hostevo.com
hxxp://xmvovxooozhp.hostevo.com
hxxp://proocziuuprm.hostevo.com
hxxp://qebovziuuswb.hostevo.com
hxxp://xzhusteaabzs.hostevo.com
hxxp://bbbovxiuifyq.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpretqaoocjy.hostevo.com
hxxp://ywaaqbaoozjs.5nxs.com
hxxp://fsyepteaaenl.5nxs.com
hxxp://jhgufpeeeaic.5nxs.com
hxxp://dsterqaaoczg.5nxs.com
hxxp://rivilhueeiuc.5nxs.com
hxxp://znouxneuaayd.5nxs.com
hxxp://kkgijguueonh.5nxs.com
hxxp://khsamvooihdt.5nxs.com
hxxp://nncikgueaflg.5nxs.com
hxxp://fdpixnaaaoiv.5nxs.com
hxxp://zzzikhiiihfy.5nxs.com
hxxp://sqaayteaaimz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tquambooilhs.5nxs.com
hxxp://gdtaqboiojdt.5nxs.com
hxxp://queoxliuudtq.5nxs.com
hxxp://vbcokloiikhs.5nxs.com
hxxp://raoadpiuigst.5nxs.com
hxxp://qevijfueeibj.5nxs.com
hxxp://kjlicvoooncj.5nxs.com
hxxp://sroavlueeixd.5nxs.com
hxxp://xxlijkiuuyqm.5nxs.com
hxxp://vvcijreaaenl.5nxs.com
hxxp://zzkigdueurab.5nxs.com
hxxp://zxkigdueeoel.5nxs.com
hxxp://tqoanvooijfy.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://wnxufpeaaevj.5nxs.com
hxxp://ptaamboiihsw.5nxs.com
hxxp://vbxijhueurix.5nxs.com
hxxp://fpkijxiiidox.5nxs.com
hxxp://streqwaooxcg.5nxs.com
hxxp://ptyewmaoolgy.5nxs.com
hxxp://hgyeqboiihpw.5nxs.com
hxxp://cxjijgueeaez.5nxs.com
hxxp://woeobvoiihdt.5nxs.com
hxxp://bcxixjueuqmj.5nxs.com
hxxp://mmvobxoiihdr.5nxs.com
hxxp://prqawnaoozgy.5nxs.com
hxxp://xzkugsueeunk.5nxs.com
hxxp://vvbovxiiidym.5nxs.com
hxxp://qinozkiuidyw.5nxs.com
hxxp://tpdumweuughh.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://zkfudpeaaech.5nxs.com
hxxp://vvcijfueeamk.5nxs.com
hxxp://jkhihdiuuypw.5nxs.com
hxxp://womancoiuyav.5nxs.com
hxxp://sfkoyfooepgh.5nxs.com
hxxp://zzhetqaooxkd.5nxs.com
hxxp://czjudyeaacjp.5nxs.com
hxxp://gssudpeaaecg.5nxs.com
hxxp://wiuobvooozjp.5nxs.com
hxxp://twaamnaookhd.5nxs.com
hxxp://bbvocloiigsr.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://dspugduuuytm.5nxs.com
hxxp://kljigdueeqic.5nxs.com
hxxp://gpioxhuuutav.5nxs.com
hxxp://wouavcooiyil.5nxs.com
hxxp://mevoxliuuyrm.5nxs.com
hxxp://xvcocxoiojfy.5nxs.com
hxxp://zljudyeaaunl.5nxs.com
hxxp://woaabcoiusst.5nxs.com
hxxp://dppudpeeewmh.5nxs.com
hxxp://zzhustueequk.5nxs.com
hxxp://quboczoiolgd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://kdwetmoiuics.5nxs.com
hxxp://jgfudseeerqb.5nxs.com
hxxp://qunolhueeonx.5nxs.com
hxxp://khdusyeaaeez.5nxs.com
hxxp://bvcikgueequx.5nxs.com
hxxp://xzjupteaovzg.5nxs.com
hxxp://rmludpueoebj.5nxs.com
hxxp://pfyupteeeauz.5nxs.com
hxxp://qqreqnoeewhs.5nxs.com
hxxp://ysfuyraaaczs.5nxs.com
hxxp://ljdudyeaamcj.5nxs.com
hxxp://vbvovziiustm.5nxs.com
hxxp://gffugdueeibz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://bnjdzkiuuyw.007gb.com
hxxp://dpppdpeeeii.007gb.com
hxxp://zzfdhdeeeoe.007gb.com
hxxp://hhhhzciuusa.007gb.com
hxxp://dpmlbkiuuta.007gb.com
hxxp://ccgsgpeaaev.007gb.com
hxxp://vbzxecoiuso.007gb.com
hxxp://nbkfhdeaack.007gb.com
hxxp://bmvcaoeeaoe.007gb.com
hxxp://xchfggiuewq.007gb.com
hxxp://jgypgpeaoxh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://hdstpraoojd.007gb.com
hxxp://nnkkvziiigh.007gb.com
hxxp://qwyduquuoeo.007gb.com
hxxp://jhgdkzooobn.007gb.com
hxxp://ljyqweoiihf.007gb.com
hxxp://xzfdfsueaux.007gb.com
hxxp://kjfhzjueeae.007gb.com
hxxp://tanbuoeaanb.007gb.com
hxxp://rammooaaocx.007gb.com
hxxp://gsmxmlueoht.007gb.com
hxxp://xxjgkguueuu.007gb.com
hxxp://jgppfpeeaev.007gb.com
hxxp://xzfpfpeaozh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://khsphdueaev.007gb.com
hxxp://wabnieoiikg.007gb.com
hxxp://rojshgeoisw.007gb.com
hxxp://zlhffgueaec.007gb.com
hxxp://quxxmnoiokd.007gb.com
hxxp://rpsdkzoeeqq.007gb.com
hxxp://rozfksaoiht.007gb.com
hxxp://vvzkcviiuru.007gb.com
hxxp://ptgdghueedq.007gb.com
hxxp://xvjhcliuufi.007gb.com
hxxp://ywqntweaeqo.007gb.com
hxxp://mubwqaaaoxl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://quzjlgueeib.007gb.com
hxxp://fdyttteeaou.007gb.com
hxxp://xxjggseeeom.007gb.com
hxxp://robvimoiikg.007gb.com
hxxp://hgspsyeeanx.007gb.com
hxxp://nbzkckueein.007gb.com
hxxp://syfdgmoiipy.007gb.com
hxxp://nmkjzjueequ.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://ytwqyteaaen.007gb.com
hxxp://kgdfkhuuuyq.007gb.com
hxxp://zbcvieaoocc.007gb.com
hxxp://sywrdpeeeie.007gb.com
hxxp://prnmwaaaamm.007gb.com
hxxp://djddhfuuilc.007gb.com
hxxp://wibnuboiusw.007gb.com
hxxp://muclmboiigd.007gb.com
hxxp://vvlkevoiidy.007gb.com
hxxp://xhprrteaaun.007gb.com
hxxp://bncvoeaaauu.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://ravhzluuewo.007gb.com
hxxp://gsywptaaabz.007gb.com
hxxp://xxkzbcoiijd.007gb.com
hxxp://mevirwaaovlf.hostevo.com
hxxp://roboxloiihdt.007sites.com
hxxp://rauonbooozkf.007sites.com
hxxp://ywiatreeewam.007sites.com
hxxp://nxfetmaoolfr.007sites.com
hxxp://gkmelbeuoear.007sites.com
hxxp://mmcigsueeexg.007sites.com
hxxp://vxxiljoioxxg.10fast.net
hxxp://jgsuspeeeaic.10fast.net
hxxp://qenocxiiihsr.10fast.net
hxxp://lklilliiigdt.10fast.net
hxxp://hgdepreaamzs.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://gffupteaaebj.10fast.net
hxxp://kljigfuuugfp.10fast.net
hxxp://raianvoiokgy.10fast.net
hxxp://rtqerqeaamcg.10fast.net
hxxp://gfdugdeaavls.10fast.net
hxxp://ddterboiugsr.10fast.net
hxxp://jgpewnoiihpq.10fast.net
hxxp://kjfpfseeeqo.007gb.com
hxxp://wubcmciuuya.007gb.com
hxxp://quzkxvooift.007gb.com
hxxp://nblhlheaaum.007gb.com
hxxp://cclxnciuupq.007gb.com
hxxp://nbhkckueeib.007gb.com
hxxp://hgddxliuudp.007gb.com
hxxp://winilhueuwiz.10fast.net
hxxp://queocliuupqv.10fast.net
hxxp://gdtaqboiihhs.10fast.net
hxxp://bbvovbaaancg.10fast.net
hxxp://fpramvoiiftm.10fast.net
hxxp://fjliljiiizhp.10fast.net
hxxp://gspedpeeeiel.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://fssukjaoanbx.5nxs.com
hxxp://ptaawviuuppw.5nxs.com
hxxp://llxozkoiikdq.5nxs.com
hxxp://kkkijguuuquz.5nxs.com
hxxp://womobciiiftn.5nxs.com
hxxp://vvcikgueequl.5nxs.com
hxxp://zzzoxcooozzl.5nxs.com
hxxp://wuuocziuupwn.5nxs.com
hxxp://hfyeqnoiiftm.5nxs.com
hxxp://sttewboookgy.5nxs.com
hxxp://ghhusteaozgt.5nxs.com
hxxp://fjzoqtuuukiw.5nxs.com
hxxp://muuaqciueomz.5nxs.com
hxxp://fsfugduuutav.5nxs.com
hxxp://jgdeywaoocks.5nxs.com
hxxp://raniljuuurix.5nxs.com
hxxp://pabikhueamcg.5nxs.com
hxxp://gsteqbooikdr.5nxs.com
hxxp://llhugfuuerab.5nxs.com
hxxp://dspeyyeeeauv.5nxs.com
hxxp://xzkixhuaoczg.5nxs.com
hxxp://rouawmaaammz.5nxs.com
hxxp://kxlijjiuuspt.5nxs.com
hxxp://xzliljiuifyw.5nxs.com
hxxp://vvvilhiueqac.5nxs.com
hxxp://tovikhiiufdt.5nxs.com
hxxp://ttretreeuhgs.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://ypserreeuytq.5nxs.com
hxxp://xxzijkiiikkf.5nxs.com
hxxp://bvzoknaoigpm.5nxs.com
hxxp://nnxihduuutqv.5nxs.com
hxxp://muzidyeeeevh.5nxs.com
hxxp://tpdufhiiidrn.5nxs.com
hxxp://ffpupteeeaqd.5nxs.com
hxxp://bbxigseeolpm.5nxs.com
hxxp://gsdugpeaeibj.5nxs.com
hxxp://pwteyyeaamcg.5nxs.com
hxxp://zxcoljiiigpw.5nxs.com
hxxp://bmacxoiixjs.5nxs.com
hxxp://twqawmaooczf.5nxs.com
hxxp://bbrartuauhjh.5nxs.com
hxxp://dtiolhueeexd.5nxs.com

Sample malicious domains known to have participated in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 campaign:
hxxp://gdduhgiiikhd.5nxs.com
hxxp://ryquhfuuuypr.5nxs.com
hxxp://sfhijkiuusrn.5nxs.com
hxxp://staennaoolgy.5nxs.com
hxxp://vvvoczooolzg.5nxs.com
hxxp://bmnokgueequz.5nxs.com
hxxp://proocxoiigds.5nxs.com
hxxp://ptwepwaoozht.5nxs.com
hxxp://fsdufpeeeovg.5nxs.com
hxxp://dtlidwoiuyoz.5nxs.com
hxxp://kvyamboiuhsr.5nxs.com
hxxp://kvmardioetyp.5nxs.com
hxxp://taniljueuwul.5nxs.com
hxxp://jvnartuuixvx.5nxs.com
hxxp://qubijgiuutac.5nxs.com

Sample malicious domains known to have participated in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 campaigns:
hxxp://qebocziuidfy.10fast.net
hxxp://gffudpeeeauc.10fast.net
hxxp://vbjustaiurox.10fast.net
hxxp://jgyuptaoutic.10fast.net
hxxp://lkhighueeevk.10fast.net
hxxp://ptpudreeeobz.10fast.net
hxxp://meeambaooxls.10fast.net
hxxp://yrreyraaovld.10fast.net
hxxp://kkdutwaoobzd.10fast.net
hxxp://czxitbouuquz.10fast.net
hxxp://lvbovnaoozjp.10fast.net
hxxp://wiiambaookdt.10fast.net
hxxp://zxkijgueaecg.10fast.net
hxxp://ywqawqaoovzh.10fast.net
hxxp://gzoukwuuizbv.10fast.net
hxxp://roiabcoiigpq.10fast.net
hxxp://vvlufseaavld.10fast.net
hxxp://hgpusyeaamxg.10fast.net
hxxp://kkkikziiifyq.10fast.net
hxxp://dtqaczoiuswb.10fast.net
hxxp://llzozxoiigpw.10fast.net
hxxp://nmcijkiuuobg.10fast.net
hxxp://mnxijliuusrm.10fast.net
hxxp://quuanbooikfy.10fast.net
hxxp://xxzijhuueuex.10fast.net
hxxp://gsyepyeaaubk.10fast.net
hxxp://tqoaqmaoigsr.10fast.net
hxxp://cvbocziiikgp.10fast.net
hxxp://gdyepteaancj.10fast.net

Sample malicious domains known to have participated in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 campaign:
hxxp://qibocziuewuz.10fast.net
hxxp://qrkargoaatsf.10fast.net
hxxp://zzdeymaoifyq.10fast.net
hxxp://noeancoiutac.10fast.net
hxxp://qunovnaaammb.10fast.net
hxxp://gffugdeeeibk.10fast.net
hxxp://cmvijsueenls.10fast.net
hxxp://tqaeryeaanxj.10fast.net
hxxp://xmuambiiifyt.10fast.net
hxxp://cvnanneeesff.10fast.net
hxxp://muuaqbooolfy.10fast.net
hxxp://qimacvaaetyr.10fast.net
hxxp://vxfutqaoihsw.10fast.net
hxxp://ywreyruuuhhg.10fast.net
hxxp://fdteyteeeoel.10fast.net
hxxp://ywianvoiupwc.10fast.net
hxxp://zlgeyraoobls.10fast.net
hxxp://zkhujdeaojpm.10fast.net
hxxp://kjfufduuutqm.10fast.net
hxxp://xxjudpueewiz.10fast.net
hxxp://rooewmeaamcg.10fast.net
hxxp://hffugdueeink.10fast.net
hxxp://xmcoxzoiikkd.10fast.net
hxxp://lllizkuiifyq.10fast.net
hxxp://xmuapsuiovnb.10fast.net
hxxp://tquanvoiuyqv.10fast.net
hxxp://kvnartuuujlk.10fast.net
hxxp://lllikhioozjf.10fast.net
hxxp://yrreypeeamck.10fast.net
hxxp://glhihfueaeck.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://goadult.info/go.php?sid=13 -> hxxp://goadult.info/go.php?sid=9 -> hxxp://r2606.com/go/?pid=30937, which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info
hxxp://go1go.net - 174.36.214.32 - tech@go1go.net
hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info

Sunday, December 25, 2016

Historical OSINT - Koobface Gang Utilizes Google Groups, Serves Scareware and Malicious Software

In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue actively growing their botnets' infected population, successfully affecting hundreds of thousands of users globally and potentially exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software. They further spread malicious software and earn fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign affecting Google Groups, potentially exposing users to a multitude of malicious software, including fake security software, also known as scareware, by enticing them into interacting with bogus links that expose their devices to a multitude of malicious software.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection between the campaign and the Koobface gang.

Related rogue content posters (Google Groups accounts) known to have participated in the campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related malicious URLs known to have participated in the campaign:

Sample detection rate for a malicious executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample malicious URL involved in the campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com

Parked there are also:

Sample detection rate for a malicious executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29

Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://newsekuritylist.com/in.php?affid=92600

Sample URL redirection chain:
hxxp://rejoicetv.info/newyear
    - hxxp://91.207.4.19/tds/go.php?sid=3
        - hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
            - hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there.

Sample detection rate for a malicious executable:
MD5: 4912961c36306d156e4e2b335c51151b

Once executed, a sample malware phones back to the following malicious C&C servers:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample URL redirection chain:
hxxp://garlandvenit.150m.com
    - hxxp://online-style2.com
        - hxxp://scanner-malware15.com/scn3/?engine=
            - hxxp://scanner-malware15.com/download.php?id=328s3

Related malicious domains known to have participated in the campaign:

Sample URL redirection chain:
hxxp://egoldenglove.com/Images/bin/movie/
    - hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

Once executed, a sample malware phones back to the following malicious C&C servers:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - Email: info@gainweight.com

Sample detection rate for a malicious executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related malicious domains known to have participated in the campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

Related malicious domains known to have participated in the campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org

Related malicious IPs known to have participated in the campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105

Parked on 68.168.212.142:

Parked on 91.212.226.97; 66.197.160.105:

Parked on 66.197.160.104:

What's particularly interesting about this particular campaign is the direct connection with the Koobface gang, taking into consideration the fact that the redirector hxxp://online-style2.com/?pid=312s03&sid=4db12f has also been used by Koobface-infected hosts and, most importantly, the fact that a sampled scareware campaign from December 2009 was serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as previously profiled and analyzed.

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Friday, December 23, 2016

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

In a cybercrime ecosystem dominated by fraudulent propositions, historical OSINT remains a crucial part of the process of obtaining actionable intelligence, further expanding on a fraudulent infrastructure for the purpose of establishing a direct connection with the individuals behind it. Largely relying on a set of tactics, techniques and procedures, cybercriminals continue expanding their fraudulent infrastructure, successfully affecting hundreds of thousands of users globally and earning fraudulent revenue in the process of committing fraudulent activity.

In this post we'll discuss a black hat SEO (search engine optimization) campaign intercepted in 2009, provide actionable intelligence on the infrastructure behind it, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection with the Koobface gang.


The Koobface gang, despite having been the target of major take-down efforts made possible by active community and ISP (Internet Service Provider) cooperation, has managed to affect a major proportion of the major social media Web sites, including Facebook and Twitter, for the purpose of further spreading the malicious software served by the gang, while earning fraudulent revenue in the process of monetizing the hijacked and acquired traffic, largely relying on fake security software and on a fraudulent affiliate-network based monetization scheme.


Largely relying on a diverse set of traffic acquisition tactics, including social media propagation, black hat SEO (search engine optimization) and client-side exploits, the Koobface gang has managed to affect hundreds of thousands of users globally, populating social media networks such as Facebook and Twitter with rogue and bogus content for the purpose of spreading malicious software and earning fraudulent revenue in the process, monetizing the hijacked and acquired traffic through an affiliate-network based traffic monetization scheme.

Let's profile the campaign, provide actionable intelligence on the infrastructure behind it, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and establish a direct connection with the Koobface gang and the Koobface botnet's infrastructure.

Sample URL redirection chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901 -> hxxp://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56


Sample detection rate for a malicious executable:
MD5: bd7419a376f9526719d4251a5dab9465


Sample URL redirection chain leading to client-side exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample detection rate for a malicious executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

Once executed, a sample malware phones back to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234


Sample URL redirection chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left: "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86


Sample directory structure for the black hat SEO (search engine optimization) campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog


Sample malicious domains participating in the campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically parked on the same IP were the following domains, now responding to 91.212.107.37:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz  - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com


Sample malicious domains known to have participated in the campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample detection rates for malicious executables:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting. The very same robertsimonkroon@gmail.com that was used to register the domains historically parked at the IP now hosting the scareware domains of this massive blackhat SEO campaign has not only been seen in July's scareware campaigns, but has also been used to register the actual domains used as download locations for the scareware campaigns that are part of the Koobface botnet's scareware business model. Moreover, the very same domains (hxxp://firefoxfowner.cn) were also in circulation on Koobface-infected hosts, in the same fashion that the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang.


Parked at the same malicious IP (91.212.107.37) are also the following malicious domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample detection rates for malicious executables:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c
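The pivot applied throughout this post, linking domains through a shared registrant email or a shared hosting IP, is easy to automate once the indicators are in a table. The following is an added example, not code from the original post: the indicator rows are constructed from the lists above (where the post states an IP only in the surrounding prose, the per-domain IP attribution is an assumption, not WHOIS or passive DNS output), and the refang and domain_of helpers are conveniences for handling the hxxp:// defanged URLs used on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Indicator:
    """One row of the kind listed in this post: a domain plus whatever
    hosting IP and WHOIS registrant email were observed for it."""
    domain: str
    ip: Optional[str] = None
    email: Optional[str] = None


# Constructed from the lists above. IP attribution for the first two rows
# is read from the surrounding prose rather than stated per domain; treat
# the whole table as sample data, not as authoritative WHOIS/pDNS output.
INDICATORS = [
    Indicator("pcmedicalbilling.com", "91.212.107.37", "sophiawrobertson@pookmail.com"),
    Indicator("securitytoolnow.com", "91.212.107.37", "ronaldmpappas@dodgit.com"),
    Indicator("online-spyware-remover.biz", "91.212.107.37", "robertsimonkroon@gmail.com"),
    Indicator("spyware-online-remover.com", "91.212.107.37", "robertsimonkroon@gmail.com"),
    Indicator("tubepornonline.biz", "91.212.107.37", "robertsimonkroon@gmail.com"),
    Indicator("free-web-download.com", "91.212.107.37"),
    Indicator("newsecuritytools.net", "78.129.166.11", "joyomcdermott@gmail.com"),
    Indicator("goscandir.com", "91.212.107.103"),
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into a usable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def domain_of(url: str) -> str:
    """Lower-cased host of a (possibly defanged) URL, without path or port."""
    host = re.sub(r"^[a-z]+://", "", refang(url).lower()).split("/", 1)[0]
    return host.split(":", 1)[0]


def pivot_by(indicators: Iterable[Indicator], attr: str) -> Dict[str, Set[str]]:
    """Group domains by one attribute ('ip' or 'email'). Only values shared
    by two or more domains are returned, since a singleton links nothing."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ind in indicators:
        value = getattr(ind, attr)
        if value:
            groups[value.lower()].add(ind.domain)
    return {k: v for k, v in groups.items() if len(v) > 1}


def infrastructure_clusters(indicators: Iterable[Indicator]) -> List[Set[str]]:
    """Union-find over domains: two domains join one cluster when they share
    a registrant email or a hosting IP, directly or through intermediaries.
    Clusters are returned largest first, then by their first domain."""
    inds = list(indicators)
    parent = {ind.domain: ind.domain for ind in inds}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for attr in ("ip", "email"):
        for members in pivot_by(inds, attr).values():
            first, *rest = sorted(members)
            for other in rest:
                root_a, root_b = find(first), find(other)
                if root_a != root_b:
                    parent[root_b] = root_a

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(clusters.values(), key=lambda c: (-len(c), min(c)))


if __name__ == "__main__":
    for value, domains in pivot_by(INDICATORS, "email").items():
        print(f"registrant {value}: {sorted(domains)}")
    for cluster in infrastructure_clusters(INDICATORS):
        print(f"cluster of {len(cluster)}: {sorted(cluster)}")
```

The union over both attributes is what turns the post's two separate observations (same registrant, same IP) into a single cluster; a domain with no shared attribute stays a singleton, which is the right default when the only link is a hunch.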

The overwhelming evidence of underground multi-tasking by the Koobface gang, its connections to money mule recruitment scams and high-profile malvertising attacks, and its current market-share lead in blackhat SEO campaigns have made the group a prominent market leader within the cybercrime ecosystem, having successfully affected hundreds of thousands of users globally and potentially earned hundreds of thousands in fraudulent revenue in the process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Monday, November 26, 2012

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges: what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem and keep known bad actors on a short leash, in this intelligence brief I'll expose the latest activities of Anton Nikolaevich Korotchenko a.k.a. KrotReal, indicating that he's currently busy experimenting with two projects:
  • A Black Hat SEO (Search Engine Optimization) related service/product
  • An underground traffic exchange/pay-per-install network currently distributing localized Ransomware
Just as KrotReal's real-life identity was revealed due to a single mistake he made over a period of several years, namely registering a Koobface command and control server using his personal GMail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the most recent domains he registered, once again, with his personal GMail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC

The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using the tool, or selling/offering access to it as a managed service. Does this mean he's not using it himself to monetize the hijacked legitimate traffic that he's able to obtain through his Black Hat SEO campaigns? Not at all.

More domains, presumably to be used for Black Hat SEO purposes, registered with KrotReal's personal email account (krotreal@gmail.com):
superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
krotpong.com
adultpartypics.com
findhunt.com


How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang distributed primarily scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they're not damaging infected user PCs.

What's particularly interesting about profiling this campaign is that it's a great example of double-layer monetization: KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program in between serving client-side exploits and ultimately dropping Ransomware on the affected host, all through the same redirection chain.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru


Sample malicious activity redirection chain: hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 -> hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= -> hxxp://gravityexp.com/go.php?sid=12 -> hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.


Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K. users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773).

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works.

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):
bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - Email: pescifabio83@yahoo.fi
testcitycheckers.com - Email: pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru

What we've got here is a great example of the following: when you don't fear legal prosecution for your fraudulent activities over a period of several years, activities earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and to fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input.

Monday, January 09, 2012

Who's Behind the Koobface Botnet? - An OSINT Analysis

In this post, I will perform an OSINT analysis exposing one of the key botnet masters behind the infamous Koobface botnet, which I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, the license plate of a BMW, and directly connect him with the infrastructure -- now offline or migrated to a different place -- of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made, namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, which at a particular moment in time was directly redirecting to the ubiquitous fake YouTube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as a Koobface C&C, again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010, which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru, which remain in stand-by mode at least for the time being.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that's zaebalinax.com and krotreal@gmail.com. zaebalinax.com literally translates to "Gave up on Linux". UPDATED: Multiple readers have contacted me to point out that zaebalinax actually translates to "f*ck you all" or "you all are p*ssing me off".

The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:

The following telephone number belonging to Anton was provided - +79219910190. The interesting part is that the same telephone number was also used in another advertisement, this time for the sale of a BMW:


Photos of the BMW, offered for sale by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: krotreal@gmail.com:



Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of his online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Vkontakte.ru Account: KrotReal; tonystarx 
Foursquare Account: KrotReal

Also, a chat log from 2003 identifies KrotReal while he's using the following IP - krotreal@ip-534.dialup.cl.spb.ru

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
10 things you didn't know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

Monday, May 17, 2010

Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"


UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet have been included at the bottom of this post, including detection rates and phone-back URLs.

On May 13th, 2010, the Koobface gang responded to my "10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players and, of course, scareware:
  •  regarding this article By Dancho Danchev | February 23, 2010, 9:30am PST

    1. no connection
    2. what's reason to buy software just for one screenshot?
    3. no connection
    4. :)
    5. :)
    6. :)
    7. it was 'ali baba & 4' originally. you should be more careful
    8. heh
    9. strange error. there're no experiments on that
    10. maybe. not 100% sure

    Ali Baba
    13 may 2010
This is the second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high-profile U.S.-based web properties and from fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing the fact that they/he are not involved in crimeware campaigns and have never stolen any credit card details.

01. The gang is connected to, probably maintaining, the click-fraud facilitating Bahama botnet
- Koobface gang: no connection

You wish, you wish. ClickForensics pointed it out, I confirmed it, and at a later stage reproduced it.

Among the many examples of these activities is MD5: 0fbf1a9f8e6e305138151440da58b4f1, which modifies the HOSTS file on infected PCs to redirect all Google and Yahoo search traffic to 89.149.210.109, while in between phoning back to well-known Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam .net/8732489273.php.
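The HOSTS-file hijack described above is cheap to detect on an endpoint, because a legitimate HOSTS file has no reason to point search-engine names at a remote address. The following is an added example, not code from the original post or from the Bahama sample: it parses a Windows-style HOSTS file, flags watched domains pinned to anything other than a local or blackhole address, and groups the hits by destination so that many brands converging on one IP stand out. The HOSTS content is constructed; only the destination 89.149.210.109 is taken from the post, and the watched-domain list and allowed-address set are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Names an attacker gains by hijacking search traffic (assumed list; extend
# per environment).
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")

# Addresses a HOSTS entry may legitimately point these names at, e.g. an
# ad-blocking hosts list that sinks them to localhost or 0.0.0.0.
ALLOWED_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


class Finding(NamedTuple):
    line_no: int
    hostname: str
    address: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, hostnames) for each entry. Anything after
    '#' is a comment; blank and single-field lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        hostnames = [h.lower().rstrip(".") for h in fields[1:]]
        entries.append((line_no, fields[0], hostnames))
    return entries


def is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains (label boundary
    respected, so 'notgoogle.com' does not match 'google.com')."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Flag watched names pinned to a non-local address, plus entries whose
    address field does not parse as an IP at all."""
    findings: List[Finding] = []
    for line_no, address, hostnames in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(line_no, " ".join(hostnames), address, "unparseable address"))
            continue
        for hostname in hostnames:
            if is_watched(hostname) and ip not in ALLOWED_ADDRESSES:
                findings.append(Finding(line_no, hostname, address, "watched name pinned to remote address"))
    return findings


def hijack_targets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged names by destination address. Several unrelated search
    brands converging on one remote address is the hijack signature."""
    targets: Dict[str, List[str]] = defaultdict(list)
    for finding in findings:
        if finding.reason.startswith("watched"):
            targets[finding.address].append(finding.hostname)
    return dict(targets)


# Constructed sample, not a capture: the two 89.149.210.109 lines mimic what
# the sample discussed above did to Google and Yahoo search traffic.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.210.109  www.google.com google.com
89.149.210.109  www.yahoo.com search.yahoo.com   # search hijack
0.0.0.0         ads.tracker.example               # benign ad block
"""

# A file that sinks a watched name to 0.0.0.0 is blocking, not hijacking.
CLEAN_HOSTS = """\
127.0.0.1 localhost
0.0.0.0   www.google.com
"""


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(hijack_targets(audit_hosts(SAMPLE_HOSTS)))
```

Run against the live file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) the same functions work unchanged; pairing a non-empty hijack_targets result with the host's outbound connections to the same address is what ties a HOSTS edit to the C&C activity the post describes.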

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding, is an active client-side exploits serving campaign using the YES malware exploitation kit (1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.


02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video
- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all. I guess that's also the reason behind the temporary change in scareware URLs to include GREED within the file name.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September
- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties can also be traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site, remains unknown.

The fact is that the exact same domain that was used in the NYTimes redirection was, back then, also embedded on all of the Koobface-infected hosts in order to serve scareware.

04. The gang conducted a several-hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts
- Koobface gang: :)

He who smiles last, smiles best.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
- Koobface gang: :)

Since they're admitting their involvement in point 5, they also don't know, or forget, that one of the many ways the connection between the Koobface gang and the massive blackhat SEO campaign was established was exactly the same way their involvement in the NYTimes malvertising campaign was established. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces
- Koobface gang: :)

Read more on the practice - "How the Koobface Gang Monetizes Mac OS X Traffic".


07. Ali Baba and 40 LLC a.k.a. the Koobface gang greeted the security community on Christmas
- Koobface gang: it was 'ali baba & 4' originally. you should be more careful

Since the original Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybercrime ecosystem's stakeholders earning revenues and having their business models scale thanks to the involvement of the Koobface botnet.


08. The Koobface gang once redirected Facebook’s IP space to my personal blog
- Koobface gang: heh

Read more on the topic - "Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. The gang is experimenting with alternative propagation strategies, such as for instance Skype
- Koobface gang: strange error. there're no experiments on that

Hmm, who should I trust? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or the Koobface gang? SophosLabs and TrendMicro or....well, you get the point. Of course there are no experiments, now that it's publicly known to be in the works.


10. The gang is monetizing traffic through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Crusade Affiliates scareware network
- Koobface gang: maybe. not 100% sure

They don't know where they get all the money from pushing scareware? How convenient.

When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization model - "Koobface Botnet's Scareware Business Model"; "Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:
0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1gb-scanner.com - Email: test@now.net.cn
1gig-antivirus.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2gb-scanner.com - Email: test@now.net.cn
2gig-antivirus.com - Email: test@now.net.cn
2mb-scanner.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3gb-scanner.com - Email: test@now.net.cn
3gig-antivirus.com - Email: test@now.net.cn
3mb-scanner.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4gb-scanner.com - Email: test@now.net.cn
4gig-antivirus.com - Email: test@now.net.cn
4mb-scanner.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
50gb-antivirus.com - Email: test@now.net.cn
5gb-scanner.com - Email: test@now.net.cn
5gig-antivirus.com - Email: test@now.net.cn
5mb-scanner.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6mb-scanner.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
aweb-antispyware.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn

- setup.exe - Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5%)
- MalvRem_312s2.exe - W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4%) which once executed phones back to:

- s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:
The current redirection, triggered through the link embedded on Koobface-infected hosts, goes through:
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
    - www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:
- setup.exe - Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71%)
- packupdate_build107_2039.exe - W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED: Monday, May 24, 2010:
The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the past 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.


0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
15netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1cnetantispy.com - Email: test@now.net.cn
1dnetantispy.com - Email: test@now.net.cn
1eliminatemalware.com - Email: test@now.net.cn
1eliminatespy.com - Email: test@now.net.cn
1eliminatethreats.com - Email: test@now.net.cn
1eliminatevirus.com - Email: test@now.net.cn
1enetantispy.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
1webfilter1000.com - Email: test@now.net.cn
1www-antispyware.com - Email: test@now.net.cn
1www-antivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2eliminatemalware.com - Email: test@now.net.cn
2eliminatevirus.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
2www-antispyware.com - Email: test@now.net.cn
2www-antivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
3www-antispyware.com - Email: test@now.net.cn
3www-antivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
4www-antispyware.com - Email: test@now.net.cn
4www-antivirus.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
5www-antispyware.com - Email: test@now.net.cn
5www-antivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
a30windows-scan.com - Email: test@now.net.cn
a40windows-scan.com - Email: test@now.net.cn
a50windows-scan.com - Email: test@now.net.cn
a60windows-scan.com - Email: test@now.net.cn
americanscanner.com - Email: test@now.net.cn
aresearchsecurity.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
barracuda10.com - Email: test@now.net.cn
beguardsystem.com - Email: test@now.net.cn
beguardsystem2.com - Email: test@now.net.cn
bewareofthreat.com - Email: test@now.net.cn
bewareofydanger.com - Email: test@now.net.cn
bprotectsystem.com - Email: test@now.net.cn
bwebantivirus.com - Email: test@now.net.cn
choclatescanner2.com - Email: test@now.net.cn
cleanerscanner2.com - Email: test@now.net.cn
cnn2scanner.com - Email: test@now.net.cn
cprotectsystem.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dacota4security.com - Email: test@now.net.cn
defencyresearch.com - Email: test@now.net.cn
defenseacquisitions.com - Email: test@now.net.cn
defensecapability.com - Email: test@now.net.cn
dprotectsystem.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
eliminatespy.com - Email: test@now.net.cn
eliminatethreat.com - Email: test@now.net.cn
eliminatethreats.com - Email: test@now.net.cn
eprotectsystem.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
fantasticscan2.com - Email: test@now.net.cn
fortescanner.com - Email: test@now.net.cn
four4defence.com - Email: test@now.net.cn
fprotectsystem.com - Email: test@now.net.cn
house2call.com - Email: test@now.net.cn
house4call.com - Email: test@now.net.cn
ibewareofdanger.com - Email: test@now.net.cn
iresearchdefence.com - Email: test@now.net.cn
ldefenceresearch.com - Email: test@now.net.cn
micro2smart.com - Email: test@now.net.cn
micro4smart.com - Email: test@now.net.cn
micro6smart.com - Email: test@now.net.cn
necessitydefense.com - Email: test@now.net.cn
nolongerthreat.com - Email: test@now.net.cn
nova3-antispyware.com - Email: test@now.net.cn
nova4-antispyware.com - Email: test@now.net.cn
nova5-antispyware.com - Email: test@now.net.cn
nova7-antispyware.com - Email: test@now.net.cn
nova8-antispyware.com - Email: test@now.net.cn
nova-antivirus1.com - Email: test@now.net.cn
nova-antivirus2.com - Email: test@now.net.cn
novascanner2.com - Email: test@now.net.cn
nova-scanner2.com - Email: test@now.net.cn
novascanner3.com - Email: test@now.net.cn
nova-scanner3.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn
nova-scanner4.com - Email: test@now.net.cn
novascanner5.com - Email: test@now.net.cn
nova-scanner5.com - Email: test@now.net.cn
novascanner7.com - Email: test@now.net.cn
nova-scanner7.com - Email: test@now.net.cn
onguardsystem2.com - Email: test@now.net.cn
over11scanner.com - Email: test@now.net.cn
pcguardsystem2.com - Email: test@now.net.cn
pcguardsystems.com - Email: test@now.net.cn
pcpiscanner.com - Email: test@now.net.cn
pitstopscan.com - Email: test@now.net.cn
protectionfunctions.com - Email: test@now.net.cn
protectionmeasure.com - Email: test@now.net.cn
protectionmethods.com - Email: test@now.net.cn
protectionoffices.com - Email: test@now.net.cn
protectionprinciples.com - Email: test@now.net.cn
protectsystema.com - Email: test@now.net.cn
protectsystemc.com - Email: test@now.net.cn
protectsystemd.com - Email: test@now.net.cn
protectsysteme.com - Email: test@now.net.cn
protectsystemf.com - Email: test@now.net.cn
researchdefence.com - Email: test@now.net.cn
researchysecurity.com - Email: test@now.net.cn
spywarekillera.com - Email: test@now.net.cn
spywarekillerc.com - Email: test@now.net.cn
spywarekillerd.com - Email: test@now.net.cn
spywarekillere.com - Email: test@now.net.cn
spywarekillerr.com - Email: test@now.net.cn
spywarekillerz5.com - Email: test@now.net.cn
stainsscanner2.com - Email: test@now.net.cn
stop20attack.com - Email: test@now.net.cn
tendefender2.com - Email: test@now.net.cn
thelosers2010.com - Email: test@now.net.cn
trivalsoftware.com - Email: test@now.net.cn
unstoppable2010.com - Email: test@now.net.cn
use6defence.com - Email: test@now.net.cn
viruskiller3a.com - Email: test@now.net.cn
viruskiller4a.com - Email: test@now.net.cn
viruskiller5a.com - Email: test@now.net.cn
viruskiller6a.com - Email: test@now.net.cn
webfilter100.com - Email: test@now.net.cn
webfilter999.com - Email: test@now.net.cn
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn
yourguardsystem2.com - Email: test@now.net.cn
z22windows-scan.com - Email: test@now.net.cn
z23windows-scan.com - Email: test@now.net.cn
z25windows-scan.com - Email: test@now.net.cn
z27windows-scan.com - Email: test@now.net.cn
zaresearchsecurity.com - Email: test@now.net.cn

Detection rates:
- setup.exe - Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83%)
- avdistr_312.exe - Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52%)

Upon execution, the scareware sample phones back to:
s1system.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, now responding from 193.105.134.115, AS42708, PORTLANE:
networki10.com - Email: contact@privacy-protect.cn
winsecuresoftorder.com - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
1blacklist.com - Email: contact@privacy-protect.cn
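
Shared registrant email (test@now.net.cn, contact@privacy-protect.cn), shared hosting IP/AS and the templated naming (Ngig-antivirus.com, Nweb-antispy.com, viruskillerNa.com) are the pivots that tie the lists above together. As an added example, not code from the original post, the following Python script parses indicator lines written in the free-text "host - IP - ASN - Email:" style used above into structured records, pivots them by registrant email, IP and ASN, collapses hostnames into naming templates so the bulk-registered family stands out, and emits a de-duplicated blocklist. The sample input is a constructed subset of the lines in this post; the function names are mine and not any vendor's tooling.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the indicator lines from this post,
# in the free-text "host - ip - ASN - Email:" style used above.
SAMPLE_LINES = """
2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn
0web-antispyware.com - Email: test@now.net.cn
1gb-scanner.com - Email: test@now.net.cn
2gb-scanner.com - Email: test@now.net.cn
3gig-antivirus.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn
s1system.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn
networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ASN = re.compile(r"\bAS(\d+)\b")
EMAIL = re.compile(r"Email:\s*([^\s,]+)")


def parse_line(line):
    """Turn one free-text indicator line into a dict, or None if it has no host."""
    line = line.strip()
    if not line:
        return None
    # The host is the first " - " separated field; drop any path or query string.
    head = line.split(" - ", 1)[0]
    host = re.split(r"[/?]", head, maxsplit=1)[0].lower()
    if "." not in host:
        return None
    ip = IPV4.search(line)
    asn = ASN.search(line)
    email = EMAIL.search(line)
    return {
        "host": host,
        "ip": ip.group(0) if ip else None,
        "asn": int(asn.group(1)) if asn else None,
        "email": email.group(1).lower() if email else None,
    }


def parse_indicators(text):
    """Parse every non-empty line; lines without a usable host are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def pivot(records, key):
    """Group hosts by a shared attribute ("email", "ip" or "asn"); None values are skipped."""
    groups = defaultdict(set)
    for r in records:
        if r[key] is not None:
            groups[r[key]].add(r["host"])
    return {k: sorted(v) for k, v in groups.items()}


def template(host):
    """Abstract a hostname into a naming template by replacing digit runs with 'N':
    2gig-antivirus.com and 3gig-antivirus.com both become Ngig-antivirus.com."""
    return re.sub(r"\d+", "N", host)


def templates(records, min_members=2):
    """Naming templates shared by at least min_members distinct hosts.
    Bulk-registered scareware domains collapse into a handful of such templates."""
    groups = defaultdict(set)
    for r in records:
        groups[template(r["host"])].add(r["host"])
    return {t: sorted(h) for t, h in groups.items() if len(h) >= min_members}


def blocklist(records):
    """Hostnames only (no paths or query strings), sorted and de-duplicated."""
    return sorted({r["host"] for r in records})


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_LINES)
    for email, hosts in pivot(recs, "email").items():
        print(f"{email}: {len(hosts)} host(s)")
    for t, hosts in templates(recs).items():
        print(f"template {t}: {hosts}")
    print("\n".join(blocklist(recs)))
```

Run it on the full lists above, or on any text export in the same style, by replacing SAMPLE_LINES. Hosts that carry a path or query string, such as the 2gig-antivirus.com and s1system.com entries, are reduced to their hostname before grouping, so a pivot on registrant email reports each host only once, and the template view makes the `Ngig-antivirus.com` / `Ngb-scanner.com` registration pattern visible even when only a few members of a family have been observed.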

To understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:
From the Koobface Gang with Scareware Serving Compromised Sites
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.