Tuesday, April 27, 2010

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is currently suspending them.

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification of your activities to be publicly summarized within the next few days -- launched another spreading campaign across Facebook, with Koobface-infected users posting bogus video links on their walls.
What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connection with xorg.pl (whose malicious-software profile at the time listed 40706 scripting exploit(s), 4119 trojan(s) and 1897 exploit(s)), with an actual xorg.pl subdomain embedded on the Koobface-serving compromised hosts.

Moreover, the majority of the scareware domains, redirectors included, continue to use hosting services in Moldova, AS31252 (STARNET-AS, StarNet Moldova) in particular.
With the campaign still ongoing, it's time to dissect it, expose the scareware domain portfolio and the AS29073 (ECATEL-AS) connection, the Koobface gang having been a loyal customer of Ecatel's services since November 2009.

AS29073, ECATEL-AS Koobface gang connections:

Automatically registered Blogspot accounts used as bogus video links across Facebook:
aashikamorsing.blogspot.com
alpezajeromie.blogspot.com
andcoldjackey.blogspot.com
asiaasiabenzaidi.blogspot.com
atalaygraciani.blogspot.com
barsheshetshakirat.blogspot.com
battittastelzer.blogspot.com
beckermasico.blogspot.com
biedlerharjit.blogspot.com
britainudobot.blogspot.com
bruchnadirnadir.blogspot.com
bryonbryonhofhenke.blogspot.com
ceceliaverner.blogspot.com
centofantiaviran.blogspot.com
codeycodeymarcott.blogspot.com
cottinghamginnyginny.blogspot.com
courtenayharry.blogspot.com
dalton-daviesheinee.blogspot.com
dipietroaudrea.blogspot.com
ericssonbrigid.blogspot.com
ervinervinturnquest.blogspot.com
fashingbauerkylerkyler.blogspot.com
felicetanae.blogspot.com
friedamignogna.blogspot.com
friedlamiraslani.blogspot.com
garthgarthheal.blogspot.com
gavin-williamslielie.blogspot.com
ginnoviaharbottle.blogspot.com
grinolsisanna.blogspot.com
hamiltondesantis.blogspot.com
hananhananmoros-hanley.blogspot.com
heberheberdellinger.blogspot.com
iftikharkacykacy.blogspot.com
imtiazzimmer.blogspot.com
ireneirenejasmen.blogspot.com
jacojacowintermeyer.blogspot.com
jameishaleninger.blogspot.com
jhalaagustin.blogspot.com
johnathenmirani.blogspot.com
kassablynnelle.blogspot.com
kaycieazoni.blogspot.com
keeferjeneejenee.blogspot.com
keibakeibaclarembeaux.blogspot.com
kieroncrowdus.blogspot.com
kilcullenheadhead.blogspot.com
kreuzaavins.blogspot.com
labbatoalphaj.blogspot.com
lellpeyton.blogspot.com
marleenmckoi.blogspot.com
mccarlbargin.blogspot.com
mendizabalnayranayra.blogspot.com
mitranoshaghayegh.blogspot.com
momoneybeltz.blogspot.com
mushenkolirian.blogspot.com
navarretemcarthur.blogspot.com
nekolnekoltasler.blogspot.com
nightrasteyn.blogspot.com
nushnushcave.blogspot.com
ortiz-maynardyvreene.blogspot.com
padalinodarcydarcy.blogspot.com
pantslalala.blogspot.com
papsteinhatemwahsh.blogspot.com
pavanpavandekelver.blogspot.com
pencekleighan.blogspot.com
puzderdenzel.blogspot.com
rabiarabiacarruth.blogspot.com
raeferaefejhanmmat.blogspot.com
raheelolu.blogspot.com
ranaranakundu.blogspot.com
sabeenhunjan.blogspot.com
serroukhshymia.blogspot.com
sertimamislay.blogspot.com
shannonschronce.blogspot.com
sheridanpaltiel.blogspot.com
slomovitzvaughna.blogspot.com
soccicoitcoit.blogspot.com
stengel-bohneinaveinav.blogspot.com
suedeglenna.blogspot.com
sylvainbarnes-rivers.blogspot.com
tammeybutenko.blogspot.com
tartagliatrayvis.blogspot.com
tasunanette.blogspot.com
teddiedommasch.blogspot.com
temitopetodorova.blogspot.com
terranovataiwan.blogspot.com
torneyatsushi.blogspot.com
trovatohaiahaia.blogspot.com
tuncelintrieri.blogspot.com
vislayovadovad.blogspot.com
wellkensie.blogspot.com
yabsleyjessajessa.blogspot.com
zedzedmorelle.blogspot.com


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of the Koobface gang:
aaslehnekaya.blogspot.com
aimanaimanpaulis.blogspot.com
altonaltonbruyninckx.blogspot.com
annemiekenorford.blogspot.com
asghardch.blogspot.com
atencioishmael.blogspot.com
ativanichayaphongdionysios.blogspot.com
ayorindesavoia.blogspot.com
bagnoandreae.blogspot.com
bakalarczykmaipumaipu.blogspot.com
baribarithulin.blogspot.com
beavordawnedawne.blogspot.com
boninidivandivan.blogspot.com
cabooterfinne.blogspot.com
chakkarinlehnertz.blogspot.com
chavarriaarumugam.blogspot.com
coleirolenaylenay.blogspot.com
colkittmogens.blogspot.com
crummittgerhardt.blogspot.com
dahmeialeveque.blogspot.com
dalmolinparamparam.blogspot.com
danaedanaemadan.blogspot.com
danmakumaak.blogspot.com
dauntazusaazusa.blogspot.com
devrimmasaimasai.blogspot.com
dicksdeplancke.blogspot.com
dormiedyismael.blogspot.com
dremadremareany.blogspot.com
duffinflippen.blogspot.com
eliyahneubecker.blogspot.com
eloragiogio.blogspot.com
faubertmacarena.blogspot.com
friedlamiraslani.blogspot.com
gallianinijanija.blogspot.com
gandolphscootscoot.blogspot.com
garbsayrinayrin.blogspot.com
geerbergpovlpovl.blogspot.com
gennygennytjoeng.blogspot.com
gianiniomegalmegal.blogspot.com
griffithlampack-layton.blogspot.com
guerrettebrchibrchi.blogspot.com
guillemineauramyaramya.blogspot.com
gunheedomenick.blogspot.com
haisedymond.blogspot.com
halahalafales.blogspot.com
hamidoujacijaci.blogspot.com
hamminganoush.blogspot.com
honamisouliotis.blogspot.com
japeriagoding.blogspot.com
jaymeecleto.blogspot.com
jinghuamarmorale.blogspot.com
kadeemrebsamen.blogspot.com
karokaroliney.blogspot.com
kashmirahoeger.blogspot.com
kasidasaugust.blogspot.com
kattylaitia.blogspot.com
kaynatferetos.blogspot.com
kimberlikohlmann.blogspot.com
kissikshaney.blogspot.com
kjerstisatterwhite-landry.blogspot.com
korbessamessam.blogspot.com
kozubmarshand.blogspot.com
kruthjancijanci.blogspot.com
krystellecahoon.blogspot.com
kuroiwadelphdelph.blogspot.com
laakkokimkim.blogspot.com
labbatoalphaj.blogspot.com
leichtmarjmarj.blogspot.com
leludis-matarangasdeyonna.blogspot.com
lescailletpetopeto.blogspot.com
letsongrover.blogspot.com
liermanramadan.blogspot.com
lindingrajkishan.blogspot.com
linsjerchell.blogspot.com
lorrilorrihosgor.blogspot.com
maglifitfit.blogspot.com
matsumarudeserae.blogspot.com
mcsteinniecey.blogspot.com
melitalynnelynne.blogspot.com
menezeswendywendy.blogspot.com
mimosepalazon.blogspot.com
mottmottzengel.blogspot.com
naysanmutton.blogspot.com
nicolenabershon.blogspot.com
nidonidobuetow.blogspot.com
ninaninalottin.blogspot.com
nonziodarasha.blogspot.com
pandushalmon.blogspot.com
pawelpawelpoti.blogspot.com
paytonbeegle.blogspot.com
phillipoeleaseleas.blogspot.com
philpottlurelle.blogspot.com
pipenhagennguyen.blogspot.com
plattsdatoria.blogspot.com
plomaritislaurylaury.blogspot.com
polmantameltamel.blogspot.com
polopoloangulo.blogspot.com
porrettifarmers.blogspot.com
radieradiecatalina.blogspot.com
raenellegreathouse.blogspot.com
ranaeranaerossy.blogspot.com
reidreidmiele-crifo.blogspot.com
rickyrickydonis.blogspot.com
roselinegilvin.blogspot.com
russobriarbriar.blogspot.com
salizaguayanilla.blogspot.com
samuelesedere.blogspot.com
sanchepascasie.blogspot.com
sangyoungpadalecki.blogspot.com
scarthscrewlie.blogspot.com
schaumburgirishirish.blogspot.com
schubringdheledhele.blogspot.com
scorahchreechree.blogspot.com
shakehcoletto.blogspot.com
shaqareqninette.blogspot.com
shaw-zorichemmanemman.blogspot.com
shortalgerongeron.blogspot.com
singhoffertymisha.blogspot.com
sinnathuraiperminas.blogspot.com
skjutarevikram.blogspot.com
spataforaannamay.blogspot.com
staats-meliaahronahron.blogspot.com
tagantagankissane.blogspot.com
tamietamiedemirkol.blogspot.com
tamillecavitt.blogspot.com
tommiekerstetter.blogspot.com
tosunsangbum.blogspot.com
treechadacoppage.blogspot.com
treziajoanjoan.blogspot.com
triadorlachauna.blogspot.com
tukellyaburrage.blogspot.com
tyrisaoverly.blogspot.com
ulrikaraithatha.blogspot.com
valericlarissa.blogspot.com
ventronejokerjoker.blogspot.com
victorinomeharmehar.blogspot.com
vikvikruaut.blogspot.com
vlrajanrajan.blogspot.com
wasonmarilynn.blogspot.com
wendewendeschyma.blogspot.com
whitwhitmontoure.blogspot.com
wynnhannan.blogspot.com
xochitlvillenurve.blogspot.com
yaoskalongthorne.blogspot.com
youyoustreit.blogspot.com
zickkirrakirra.blogspot.com



The Blogspot accounts redirect to the following compromised hosts, which serve Koobface itself and the scareware redirector:
cartujo.org /private-clips/main.php?87bb8f2
cerclewalloncouillet.be /main.movie/main.php?28d
cseajudiciary.org /animateddvd/main.php?c8
de-nachtegaele.be /main/main.php?b04ebb
ediltermo.com /common.film/main.php?deccfd
forwardmarchministries.org /candid_movie/main.php?42d1
highway77truckservice.com /pretty-clip/main.php?7bb2
kcresale.com /crazyvids/main.php?2ee
libermann.phpnet.org /comicperformans/main.php?9b5a5a
lode-willems.be /cute_clip/main.php?be2
lunaairforlife.com /crucial-clips/main.php?d3d6ccfe
mainteck-fr.com /complete-movie/main.php?f6
nottinghamdowns.com /criminaltube/main.php?2388d
programs.ppbsa.org /crazy_video/main.php?0ea1969
richmondpowerboat.com /yourtv/main.php?89fb0
scheron.com /delightful_demonstration/main.php?e2f92
Training.ppbsa.org /comic_dvd/main.php?f9261f
vangecars.it /crazy-films/main.php?827da


Detection rates for the Koobface samples and a sampled scareware binary:
- setup.exe - Trojan.Generic.KD.8890 - Result: 9/40 (22.50%) phones back to:
- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13
    - proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669
        - proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2%)
- koob.js - Trojan:JS/Redirector - Result: 1/41 (2.44%)
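The redirector URLs listed above share one path template (a short, sometimes two-word, "video" directory followed by main.php and a bare hex token), and the sample's phone-home traffic uses a hidden directory under the web root with action=ldgen / action=fbgen beacons and a getexe= payload fetch. Because the compromised hosts churn while the path template does not, a proxy-log detection keyed on path shape rather than hostname catches the next batch too. The following is an added example, not code from the original post or from any vendor; the log format and sample lines are constructed, and the scareware-landing rule (query keys mid, code, d, s) is inferred from the single xorg.pl URL on this page, so it is the weakest of the four rules.

```python
"""Classify Koobface campaign URLs in proxy logs by path shape.

Added example, not part of the original post. Rules derived from the URLs
listed above:
  * redirector: one lowercase directory (optionally two words joined by
    '-', '_' or '.') + /main.php + a bare 2-8 character hex query,
    e.g. /private-clips/main.php?87bb8f2
  * C&C beacon: hidden directory under the web root (/.85rfs/) with
    action=ldgen|fbgen; the payload fetch uses getexe=
  * scareware landing: query keys mid, code, d, s (one URL seen; weak rule)
Hostnames are deliberately not matched: hosts churn, the template does not.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

REDIRECTOR_PATH = re.compile(r"^/[a-z]+(?:[-_.][a-z]+)?/main\.php$")
HEX_TOKEN = re.compile(r"^[0-9a-f]{2,8}$")
HIDDEN_DIR = re.compile(r"^/\.[0-9a-z]{3,8}/$")   # /.85rfs/ and the like
C2_ACTIONS = {"ldgen", "fbgen"}
LANDING_KEYS = {"mid", "code", "d", "s"}


def classify_url(url: str) -> Optional[str]:
    """Return 'redirector', 'c2_beacon', 'c2_payload', 'scareware_landing'
    or None. Accepts URLs with or without a scheme (logs often omit it)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path, query = parts.path, parts.query
    if REDIRECTOR_PATH.match(path) and HEX_TOKEN.match(query):
        return "redirector"
    params = parse_qs(query, keep_blank_values=True)
    if HIDDEN_DIR.match(path):
        if "getexe" in params:
            return "c2_payload"
        if params.get("action", [""])[0] in C2_ACTIONS:
            return "c2_beacon"
    if LANDING_KEYS <= set(params):
        return "scareware_landing"
    return None


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# The malicious URLs are the ones from the post; the benign ones are made up.
SAMPLE_LOG = """\
2010-04-26T10:12:03Z 10.0.0.7 GET http://cartujo.org/private-clips/main.php?87bb8f2 200
2010-04-26T10:12:04Z 10.0.0.7 GET http://internet-scanner.xorg.pl/?mid=312&code=4db12f&d=1&s=2 200
2010-04-26T10:12:09Z 10.0.0.7 GET http://proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13 200
2010-04-26T10:12:10Z 10.0.0.7 GET http://proelec-dpt.fr/.85rfs/?getexe=p.exe 200
2010-04-26T10:13:00Z 10.0.0.9 GET http://example.com/videos/main.php?id=12 200
2010-04-26T10:13:05Z 10.0.0.9 GET http://example.com/.well-known/host-meta 200
"""


def scan_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, url, label) for every line whose URL matches a rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], fields[3], label))
    return hits


def infection_chain(hits) -> List[str]:
    """Clients seen doing redirector -> C&C beacon -> payload fetch, i.e.
    probably infected rather than merely shown the lure page."""
    seen = {}
    for client, _, label in hits:
        seen.setdefault(client, set()).add(label)
    needed = {"redirector", "c2_beacon", "c2_payload"}
    return sorted(c for c, labels in seen.items() if needed <= labels)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(*hit)
    print("likely infected:", infection_chain(hits))
```

The redirector rule alone will fire on a lure click; only the beacon plus payload fetch from the same client indicates the binary actually ran, which is why `infection_chain` requires all three labels before naming a host.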


The scareware-serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domain portfolio:
antispy-detectn1.com - Email: test@now.net.cn
antispy-detectn2.com - Email: test@now.net.cn
antispy-detectn3.com - Email: test@now.net.cn
antispy-detectn5.com - Email: test@now.net.cn
antispy-detectn7.com - Email: test@now.net.cn
antispy-detectz2.com - Email: test@now.net.cn
antispy-detectz4.com - Email: test@now.net.cn
antispy-detectz5.com - Email: test@now.net.cn
antispy-detectz7.com - Email: test@now.net.cn
antispy-detectz9.com - Email: test@now.net.cn
antispy-scan4i.com - Email: test@now.net.cn
antispy-scan5i.com - Email: test@now.net.cn
antispy-scan6i.com - Email: test@now.net.cn
antispy-scan7i.com - Email: test@now.net.cn
antispyscan85.com - Email: test@now.net.cn
antispyscan89.com - Email: test@now.net.cn
antispyscan91.com - Email: test@now.net.cn
antispyscan92.com - Email: test@now.net.cn
antispyscan93.com - Email: test@now.net.cn
antispy-scan9i.com - Email: test@now.net.cn
antispyware-no1.com - Email: test@now.net.cn
antispyware-no3.com - Email: test@now.net.cn

antivir1a.com.xorg.pl
antivirus-detect21.com - Email: test@now.net.cn
antivirus-detect23.com - Email: test@now.net.cn
antivirus-detect25.com - Email: test@now.net.cn
antivirus-detect27.com - Email: test@now.net.cn
antivirus-detect29.com - Email: test@now.net.cn
antivirus-detectz1.com - Email: test@now.net.cn
antivirus-detectz2.com - Email: test@now.net.cn
antivirus-detectz5.com - Email: test@now.net.cn
antivirus-detectz7.com - Email: test@now.net.cn
antivirus-detectz9.com - Email: test@now.net.cn
antivirus-lv1.com - Email: test@now.net.cn
antivirus-lv2.com - Email: test@now.net.cn
antivirus-lv3.com - Email: test@now.net.cn
antivirus-lv5.com - Email: test@now.net.cn
antivirus-lv8.com - Email: test@now.net.cn
antivirus-top1.com - Email: test@now.net.cn
antivirus-top2.com - Email: test@now.net.cn
antivirus-top6.com - Email: test@now.net.cn
antivirus-top8.com - Email: test@now.net.cn
be-secured.xorg.pl

bestantivirus1.com.xorg.pl
bestscanmalware.com.xorg.pl
best-security.xorg.pl
defender20.xorg.pl
fastantivirusscanner15.com.xorg.pl
fastmalwarescan15.com.xorg.pl
fast-scan.xorg.pl
fastweb-scanner.com.xorg.pl
get-protection.xorg.pl
my-computers.xorg.pl
protection100.xorg.pl
protection-center1.xorg.pl
protector10.xorg.pl
secure10.xorg.pl
security1.xorg.pl
security100.xorg.pl
spy-defender1.com
spydefender1.com.xorg.pl
spydefender11.com.xorg.pl

spy-defender1a.com - Email: test@now.net.cn
spy-defender2.com - Email: test@now.net.cn
spy-defender2a.com - Email: test@now.net.cn
spy-defender4a.com - Email: test@now.net.cn
spy-defender5.com - Email: test@now.net.cn
spy-defender6a.com - Email: test@now.net.cn
spy-defender8a.com - Email: test@now.net.cn
spy-defender9.com - Email: test@now.net.cn

spy-protection01.com - Email: test@now.net.cn
spy-protection1.com - Email: test@now.net.cn
spy-protection14.com - Email: test@now.net.cn
spy-protection17.com - Email: test@now.net.cn
spy-protection19.com - Email: test@now.net.cn
spy-protection3.com - Email: test@now.net.cn
spy-protection4.com - Email: test@now.net.cn
spy-protection6.com - Email: test@now.net.cn
spy-protection8.com - Email: test@now.net.cn
spy-scanner2i.com - Email: test@now.net.cn
spy-scanner6i.com - Email: test@now.net.cn
spy-scanner8i.com - Email: test@now.net.cn
spyware-sweep1.com - Email: test@now.net.cn
spyware-sweep1i.com - Email: test@now.net.cn
spyware-sweep2i.com - Email: test@now.net.cn
spyware-sweep3.com - Email: test@now.net.cn
spyware-sweep3i.com - Email: test@now.net.cn
spyware-sweep4i.com - Email: test@now.net.cn
spyware-sweep5.com - Email: test@now.net.cn
spyware-sweep7.com - Email: test@now.net.cn


spyware-sweep8.com - Email: test@now.net.cn
spyware-sweep9i.com - Email: test@now.net.cn
virus-sweeper0i.com - Email: test@now.net.cn
virus-sweeper1.com - Email: test@now.net.cn
virus-sweeper2.com - Email: test@now.net.cn
virus-sweeper2i.com - Email: test@now.net.cn
virus-sweeper3.com - Email: test@now.net.cn
virus-sweeper4i.com - Email: test@now.net.cn
virus-sweeper6.com - Email: test@now.net.cn
virus-sweeper7i.com - Email: test@now.net.cn
virus-sweeper8.com - Email: test@now.net.cn
virus-sweeper8i.com - Email: test@now.net.cn
win-antispyware10.com.xorg.pl
windefender1.xorg.pl
windows-secure.xorg.pl
win-security.xorg.pl
winwebscanner10.com.xorg.pl


Also parked within AS31252, STARNET-AS StarNet Moldova, on 195.5.161.11 and 195.5.161.145:
spy-scanner20.com - Email: test@now.net.cn
spy-scanner30.com - Email: test@now.net.cn
spy-scanner3i.com - Email: test@now.net.cn
spy-scanner40.com - Email: test@now.net.cn
spy-scanner4i.com - Email: test@now.net.cn
spy-scanner60.com - Email: test@now.net.cn
spy-scanner80.com - Email: test@now.net.cn
virscanner-done4.com - Email: test@now.net.cn
virscanner-done5.com - Email: test@now.net.cn

- Detection rate for the scareware sample: Setup_312s2.exe - Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50%) phones back to windows-mode.com/?b=1s1 - 89.248.168.21, AS29073, ECATEL-AS, Ecatel Network - Email: contact@privacy-protect.cn


Parked on the phone-back IP are also the following domains:
firewall-rules2.com - Email: contact@privacy-protect.cn
version-upgrade.com - Email: contact@privacy-protect.cn
2accommodation.com - Email: ttvmail12@hotmail.com
systemreserves.com - Email: contact@privacy-protect.cn
cariport.com - Email: contact@privacy-protect.cn
spyblocktest.com - Email: contact@privacy-protect.cn
antispywarelist.com - Email: contact@privacy-protect.cn
checkwhitelist.com - Email: contact@privacy-protect.cn
chekmalwarelist.com - Email: contact@privacy-protect.cn
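Two pivots do most of the work in the lists above: the same registrant e-mail (test@now.net.cn, contact@privacy-protect.cn) and the same IP or ASN tie otherwise unrelated-looking domains together, and the numbered siblings (antispy-detectn1.com through antispy-detectn7.com, spy-defender1a.com through spy-defender9.com, and so on) show the portfolio is generated from a handful of naming templates. The following is an added example, not code from the original post; RECORDS is a subset transcribed from the lists above, and assigning the spy-scanner* domains to 195.5.161.145 (the post only attributes them to AS31252 on 195.5.161.11 / 195.5.161.145) is an assumption made here for illustration.

```python
"""Pivot the scareware domain portfolio on shared infrastructure.

Added example, not from the original post. RECORDS is a subset transcribed
from the lists above (domain, WHOIS registrant e-mail, hosting IP, ASN);
the IP for the spy-scanner* domains is assumed. Two pivots are shown:
grouping by a shared attribute (e-mail, IP, ASN), and collapsing numbered
siblings into one naming template so a family can be blocked by pattern
instead of by enumerating every member the gang has registered so far.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Record(NamedTuple):
    domain: str
    email: str   # WHOIS registrant e-mail as listed in the post
    ip: str      # hosting IP as listed in the post
    asn: str


RECORDS: List[Record] = [
    Record("antispy-detectn1.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("antispy-detectn2.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("antispy-detectn3.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("antivirus-lv1.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("antivirus-lv2.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("spy-defender1a.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("spy-defender2a.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("virus-sweeper0i.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("virus-sweeper2i.com", "test@now.net.cn", "195.5.161.125", "AS31252"),
    Record("spy-scanner20.com", "test@now.net.cn", "195.5.161.145", "AS31252"),  # IP assumed
    Record("spy-scanner30.com", "test@now.net.cn", "195.5.161.145", "AS31252"),  # IP assumed
    Record("windows-mode.com", "contact@privacy-protect.cn", "89.248.168.21", "AS29073"),
    Record("firewall-rules2.com", "contact@privacy-protect.cn", "89.248.168.21", "AS29073"),
    Record("2accommodation.com", "ttvmail12@hotmail.com", "89.248.168.21", "AS29073"),
]


def pivot(records: List[Record], field: str) -> Dict[str, List[str]]:
    """Group domains by one shared attribute: 'email', 'ip' or 'asn'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[getattr(r, field)].append(r.domain)
    return {k: sorted(v) for k, v in groups.items()}


def name_template(domain: str) -> str:
    """Collapse digit runs: antispy-detectn1.com -> antispy-detectn#.com."""
    return re.sub(r"\d+", "#", domain)


def family_regexes(records: List[Record], min_members: int = 2) -> Dict[str, str]:
    """One anchored regex per naming family seen at least min_members times.
    Singletons are skipped (a template inferred from one domain is a guess)
    and digit-less domains such as windows-mode.com yield no template."""
    families: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        tmpl = name_template(r.domain)
        if "#" in tmpl:
            families[tmpl].append(r.domain)
    return {
        tmpl: "^" + r"\d+".join(re.escape(p) for p in tmpl.split("#")) + "$"
        for tmpl, members in families.items() if len(members) >= min_members
    }


def match_family(regexes: Dict[str, str], domain: str) -> Optional[str]:
    """Return the template a newly seen domain falls into, or None."""
    for tmpl, rx in regexes.items():
        if re.match(rx, domain):
            return tmpl
    return None


if __name__ == "__main__":
    for field in ("email", "ip", "asn"):
        for key, doms in pivot(RECORDS, field).items():
            print(f"{field}={key}: {len(doms)} domain(s)")
    fams = family_regexes(RECORDS)
    for tmpl, rx in sorted(fams.items()):
        print(tmpl, "->", rx)
    print(match_family(fams, "antispy-detectn7.com"))
```

The family regexes are a blocklist aid, not proof of attribution on their own: a template match should be confirmed with the registrant or hosting pivot before a domain is tied to the gang, which is why the two pivots are kept as separate functions.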

Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface botnet.

Related Koobface gang/botnet research:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
10 things you didn't know about the Koobface gang
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
How the Koobface Gang Monetizes Mac OS X Traffic
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.