Saturday, June 22, 2013

Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links


A currently ongoing, click-jacking driven spam campaign is circulating across Facebook, with the affected users further spreading the adf.ly links on the Walls of their friends, in between tagging them, with the cybercriminal/cybercriminals behind the campaign, earning revenue through the adf.ly pay-per-click (PPC) monetization scheme.

Redirection chain:
hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 -> hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> hxxp://lolzbestpic.com


MD5s for the Facebook spamming/click-jacking scripts:
MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16


Domain name reconnaissance:
smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226

Name servers used:
Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM

Responding to the same IP (184.107.164.158) are also the following domains:
amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info

Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:
costcochristmas.com
costcogives.com
giftcardgratis.com
icagivings.com
lomanako.com
picknpaygives.com
remabilaget.com
rewegives.com
vodkaforyou.info
topvideosweden.com

Responding to (64.79.76.226) is also the following domain:
silali.info

Known to have responded to the same IP (64.79.76.226) is also the following domain:
promvideo.pw

Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook
Phishing Campaign Spreading Across Facebook
Facebook Malware Campaigns Rotating Tactics
MySpace Phishers Now Targeting Facebook
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, June 20, 2013

Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains


Bogus content populating Scribd, centralized malicious/typosquatted/parked domains/fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic, it doesn't get any better than this, does it?

URL redirection chain:
hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx
7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM
0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

 


Domain names reconnaissance:
papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

 
The following related domains are also registered with the same email (belcanto@hushmail.com):
4cheapsmoke.com
777payday.com
aboutforexincome.com
agroindusfinance.com
atvcrazy.com
bbbamericashop.com
bizquipleasing.com
cashforcrisis.com
cashmores-caravans.com
cashswim.com
cheapbuyworld.com
cheaptobbacco.com
cheapuc.com
debtheadaches.com
debtonatorct.com
gcecenter.com
goldforcashevents.com
studioshc.com
thestandardjournal.com
travelgurur.com
atlanticlimos.net
bethelgroup.net
caravanningnews.net
casting-escort.net
cheapersales.net
couriernetwork.net
dragonarttattoo.net
girlgeniusonline.net
madameshairbeauty.net
manchester-escort.net
mygirlythings.net
vocabhelp.net
cheapmodelships.com
financialdebtfree.com
mskoffice.com
cashacll.com
apollohealthinsurance.com
nieportal.com
playfoupets.com
wducation.com
carwrappingtorino.net
crewealexultras.net
diamondsmassage.net
isleofwightferries.org
migliojewellery.org
mind-quad.org
moneyinfo.us
2daysdietslim.com
999cashlline.com
capitalfinanceome.com
capitlefinanceone.com
captialfinanceone.com
carehireinsurance.com
cashadvaceusa.com
cashadvancesupprt.com
cashdayday.com
cashgftingxpress.com
cashginie.com
cashsoltionsuk.com
cathayairlinescheapfare.com
cheapaddidastops.com
cheapaparmets.com
cheapariaoftguns.com
cheapcheapcompters.com
cheapdealsinmalta.com
cheapdealsorlando.com
cheapeestees.com
cheapetickete.com
cheapeygptholidays.com
cheapfaresairlines.com
cheap-flighs.com
cheapflyithys.com
cheapfreestylebmx.com
cheapgoldjewelery.com
cheaphnoels.com
cheapholidaysites.com
cheaphotellakegeorge.com
cheaplawnbowls.com
cheapm1a1airsoft.com
cheapmetalsticksdiablo.com
cheapmpwers.com
cheapmsells.com
cheapotickeds.com
cheapottickets.com
cheapprotien.com
cheapryobicordlesstools.com
cheap-smell.com
cheapsmellscom.com
cheapsmes.com
cheapsscents.com
cheapstockers.com
cheapsummerdresser.com
cheaptents4sale.com
cheaptertextbooks.com
cheaptikesps.com
cheaptrainfairs.com
cheaptstickts.com
cheaptunictops.com
cheapuksupplement.com
cheapversaceclothes.com
cheapviagra4u.com
cliutterdiet.com
cocheaptickets.com
dailcheapreads.com
dcashstudious.com
debtinyou.com
diabetesdietsplans.com
dietaetreino.com
dietcetresults.com
dietcheff.com
dietdessertndgos.com
dietemaxbrasil.com
dietopan.com
discoveryremortgages.com
dmrbikescheap.com
ferrrycheap.com
financeblogspace.com
firstleasingcompanyofindia.com
firstresponcefinance.com
forexdirecotery.com
forexfacdary.com
foreximegadroid.com
forextrading2u.com
iitzcash.com
insanelycheapfights.com
insurancenbanking.com
inevenhotel.net
islamic-bank.us
italyonlinebet.com
m3motorsite.com



Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:
motors.shop.ebay.com-cars-trucks-9722711.1svvo.net
motors.shop.ebay.com-trucks-cars-922.1svvo.net
paupal.it
paypa.com.login.php.nahda-online.com
paypal-secure.bengalurban.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.3.webrocha.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.4.webrocha.com
paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com
paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com
paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27bc.

darealsmoothvee.com
paypal.it.bengalurban.com


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):
MD5: 7fa7500cd90bd75ae52a47e5c18ba800
MD5: 84b28cf33dee08531a6ece603ca92451
MD5: f04ce06f5b1c89414cb1ff9219401a0e
MD5: b2019625e4fd41ca9d70b07f2038803e
MD5: 6cfb98ac63b37c20529c43923bcb257c
MD5: 04641dbafe3d12b00a6b0cd84fba557f
MD5: 02476b31f2cdc2b02b8ef1e0072d4eb2
MD5: 0d5a69fa766343f77630aa936bb64722
MD5: 57f7520b3958031336822926ed0d10b5
MD5: 00d08b163a86008cbe3349e4794ae3c0
MD5: 8dd2223da1ad1a555361c67794eb7e24
MD5: 737309010740c2c1fba3d989233c199c
MD5: eb3043e13dd8bb34a4a8b75612fe401e
MD5: eb4737492d9abcc4bd43b12305c4b2fc
MD5: 6257b9c3239db33a6c52a8ecb2135964
MD5: 481366b6e867af0d47a6642e07d61f10
MD5: d58b7158b3b1fb072098dba98dd82ed5
MD5: 9dd425b00b851f6c63ae069abbbec037
MD5: 6b0c07ce5ff1c3a47685f7be9793dce5
MD5: b2b5e82177a3beb917f9dd1a9a2cf91c
MD5: 05070da990475ac3e039783df4e503bc
MD5: c332dd499cdba9087d0c4632a76c59f0
MD5: 0768764fbbeb84daa5641f099159ee7f
MD5: 843b44c77e47680aa4b274eee1aad4e7
MD5: 36f92066703690df1c11570633c93e73
MD5: 0504b00c51b0d96afd3bea84a9a242a2
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: fa13c7049ae14be0cf2f651fb2fa74ba
MD5: ba5e47e0ed7b96a34b716caee0990ea3
MD5: e67e56643f73ed3f6027253d9b5bdfac
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: 0ab654850416e347468a02ca5a369382
MD5: 4e372e5d1e2bd3fa68b85f6d1f861087
MD5: 696a9b85230a315cfe393d9335cae770
MD5: 04343c3269c33a5613ac5860ddb2ab81
MD5: 384a496cd4c2bc1327c225e19edbee54
MD5: a44b2380cdac36f9dfb460f8fbff3714
MD5: 9e2a83adb079048d1c421afaf56a73a6
MD5: e377c7ad8ab55226e491d40bf914e749
MD5: 46c7c70e30495b4b60be1c58a4397320
MD5: 841890281b7216e8c8ea1953b255881e
MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f
MD5: eeeda63bec6d2704cf6f77f2fb8431cd
MD5: b68e183884ce980e300c93dfa375bb1f
MD5: 7990fb5c676bbcd0a6168ea0f8a0c1d7
MD5: adc250439474d38212773e161dadd6b4
MD5: 075ae09c016df3c7eb3d402d96fc2528
MD5: d03b5bf4a905879d9b93b6e81fc1ca55
MD5: 00c62c8a9f2cf7140b67acec477e6a14
MD5: b228fae216a9564192fa2153ae911d54
MD5: 2f778fc3a22b7d5feb0a357c850bdd0d
MD5: 9080f3a0dfde30aa8afa64f7c3f5d79a
MD5: 526c1f10f94544344de12abec96cf96f
MD5: 4d8ddc8d5f6698a6690985ca86b3de00
MD5: 1a7bb0c9b79d1604b4de5b0015202d02
MD5: 528be69afad5a5e6beb7b40aeb656160
MD5: 1769f1b5beae58c09e5e1aac9249f5de
MD5: 6fb86421ea607ed6c912a3796739ce9b
MD5: 22e36b887946e457964a2a28a756a1cd
MD5: 31a7816a1458321736979e0cfdd3d20f
MD5: 113572249856fc5f2848d1add06dc758
MD5: a8a002732c5a4959afbf034d37992b5d
MD5: 413a9116362ab8fb9ba622cc98c788b1
MD5: 4abb29fe3ec3239d93f7adbc8cb70259
MD5: 989bea3435e5ac5b8951baa07d356526
MD5: 9a966076f114fbffc5cdbf5a90b3fd01
MD5: 14e64da2094ab1aae13d162107c504ec
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e
MD5: 63b922c94338862e7b9605546af2ef14
MD5: 19ba1497f088d850bd3902288bb3bd92
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):
MD5: db0aac72ed6d56497e494418132d7a41
MD5: aa47bd20f8a00e354633d930a3ebcb19
MD5: a957e914f697639df7dfb8483a88483b
MD5: a0b7b01a0574106317527e436e515fd3
MD5: 3d0d834fe7ca583ca6ed056392f4413d
MD5: fa342104b329978cba33639311afe446
MD5: f3b3e8b98bdfb6673da6d39847aec1b3
MD5: 3ef52b2fd086094b591eb01bc32947c8
MD5: 128e70484a9f19ab9096fb9b1969bf89
MD5: ee7dc2d2c7d33855b4dd86ae6243ad22
MD5: 6fc317b6f66d73903ffe8d12df72e5f7
MD5: 3800a4a6d6620aa15db7ea717b4d10f5
MD5: 830bbfcaa499de30ab08a510ce4cbba2
MD5: 085afd7f26f388bd62bc53ed430fbbc6
MD5: 3035e120ce08f1824817e0d6eaecc806
MD5: d4db511618c52272e58f4c334414ed6e
MD5: dc4ab086d50dcdcd5ae060acfe9bddca
MD5: c2bc9e266857537699fd10142658bf31
MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb
MD5: b6bb96470ef67c26c0a0e8a4d145c169
MD5: f5aa326e0b5322d7ac47a379e1e1c1f8
MD5: dc0f5c01d8deaabe9d57d31f9daf50b9
MD5: 4a42c42e7acd9ff32ebb18efc2d5b801
MD5: a254b2824867e05d52c60e0464121588
MD5: 7e612f7ac81ccddb368d3c9e47c9942a
MD5: 66cec28f23b692ff2019c70a76894c41


This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns -> sample everything, as what you're originally seeing is just the tip of the iceberg.

Related posts:
Click Fraud, Botnets and Parked Domains - All Inclusive
A Commercial Click Fraud Tool

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, June 10, 2013

Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook


A currently ongoing Facebook spreading malware-serving campaign, entices users into downloading and executing a malicious executable, pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality though, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows starup, and will attempt to infect all of the victim's friends across Facebook.

The executable, including several other related executables part of the campaign, are currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain's portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

 

Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:
MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6




Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the followind URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.