Tuesday, December 09, 2008

The Koobface Gang Mixing Social Engineering Vectors

It's the Facebook message that came from one of your infected friends pointing you to an on purposely created bogus Bloglines blog serving fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are -

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts :

bloglines .com/blog/gillehuxeda
bloglines .com/blog/chaneyok
bloglines .com/blog/ramosimeco
bloglines .com/blog/antwanuvfa
bloglines .com/blog/tamaraaqo
bloglines .com/blog/josephyhti
bloglines .com/blog/whiteqivaju
bloglines .com/blog/hayleyem
bloglines .com/blog/tateigyamor
bloglines .com/blog/burnsseuhaqe
bloglines .com/blog/jennaup

bloglines .com/blog/jermainedus
bloglines .com/blog/floydwopew55
bloglines .com/blog/arielehy
bloglines .com/blog/onealqypsu
bloglines .com/blog/mackirma
bloglines .com/blog/sabrinaxycit
bloglines .com/blog/gloverqy
bloglines .com/blog/lisaurja
bloglines .com/blog/greenefayg18
bloglines .com/blog/craigxiw36
bloglines .com/blog/parsonsdos
bloglines .com/blog/martinsutuz
bloglines .com/blog/deandreefe
bloglines .com/blog/briannetu
bloglines .com/blog/kierailpe
bloglines .com/blog/fordyfo27
bloglines .com/blog/litzyracnuj
bloglines .com/blog/bonillavaok
bloglines .com/blog/jennyuxe85
bloglines .com/blog/wilkersonin
bloglines .com/blog/nicolasqydby
bloglines .com/blog/darbyeve
bloglines .com/blog/izaiahro83
bloglines .com/blog/parsonsdos
bloglines .com/blog/fullerjeb81

Abusing legitimate services may indeed get more attention in the upcoming year, following their interest in the practice from the last quarter.

Monday, December 08, 2008

Dissecting the Koobface Worm's December Campaign

The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another time? But of course.

Only OPSEC-ignorant malware campaigners would leave so much traceable points, in between centralizing the campaign's redirection domains on a single IP. For instance, taking advantage of free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us to not only measure the clickability of Koobface's campaign, but also, prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are some of the key summary points for this campaign :

Key summary points :
- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can be easily taken care of at least in the short term, but shutting down the centralized redirection points

What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign stats -- the majority of unique visitors from the December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of  7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js ( used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php ( or to playtable .info/go/fb.php (, with fb.php doing the referrer checking and redirecting to the botnet hosts magic. Several other well known malware command and control locations are also parked at :

jobusiness .org
a221008 .com
y171108 .com
searchfindand .com
ofsitesearch .com
fashionlineshow .com
anddance .info
firstdance .biz

prixisa .com
danceanddisc .com
finditand .com
findsamthing .com
freemarksearch .com
find-allnot .com
find-here-and-now .com
findnameby .com
anddance .info

These domains, with several exeptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection, remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :

Malware serving URLs part of Koobface worm's December's campaign, based on the identical counter used across all the malicious domains :
youtube-x-files .com
youtube-go .com
youtube-spy.5x .pl
youtube-files.bo .pl
youtube-media.none .pl
youtube-files.xh .pl
youtube-spy.dz .pl
youtube-files.esite .pl
youtube-spy.bo .pl
youtube-spy.nd .pl
youtube-spy.edj .pl
spy-video.oq .pl
shortclips.bubb .pl
youtubego.cacko .pl

asda345.blogspot .com
uholyejedip556.blogspot .com
ufyaegobeni7878.blogspot .com
uiyneteku20176.blogspot .com
ujoiculehe19984.blogspot .com
uinekojapab29989.blogspot .com
uhocuyhipam13345.blogspot .com

Geocities redirectors participating :
geocities .com/madelineeaton10/index.htm
geocities .com/charlievelazquez10/index.htm
geocities .com/raulsheppard18/index.htm

Sample malware infected hosts used by the redirectors :
92.241.134 .41:7777/?ch=&ea=
89.138.171 .49:7777/?ch=&ea=
92.40.34 .217:7777/?ch=&ea=
79.173.242 .224:7777/?ch=&ea=
122.163.103 .91:7777/?ch=&ea=
217.129.155 .36:7777/?ch=&ea=
84.109.169 .124:7777/?ch=&ea=
91.187.67 .216:7777/?ch=&ea=
84.254.51 .227:7777/?ch=&ea=
190.142.5 .32:7777/?ch=&ea=
190.158.102 .246:7777/?ch=&ea=
201.245.95 .86:7777/?ch=&ea=
78.90.85 .7:7777/?ch=&ea=
82.81.25 .144:7777/?ch=&ea=
78.183.143 .188:7777/?ch=&ea=
89.139.86 .88:7777/?ch=&ea=
85.107.190 .105:7777/?ch=&ea=
84.62.84 .132:7777/?ch=&ea=
78.3.42 .99:7777/?ch=&ea=
92.241.137 .158:7777/?ch=&ea=
77.239.21 .34:7777/?ch=&ea=
41.214.183 .130:7777/?ch=&ea=

90.157.250 .133:7777/dt/?ch=&ea=
89.143.27 .39:7777/?ch=&ea=
91.148.112 .179:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
124.105 .187.176:7777/?ch=&ea=
77.70.108  .163:7777/?ch=&ea=
190.198.162 .240:7777/?ch=&ea=
89.138.23 .121:7777/?ch=&ea=
190.46.50 .103:7777/?ch=&ea=
80.242.120 .135:7777/?ch=&ea=
94.191.140 .143:7777/?ch=&ea=
210.4.126 .100:7777/?ch=&ea=
87.203.145 .61:7777/?ch=&ea=
94.189.204 .22:7777/?ch=&ea=
92.36.242 .47:7777/?ch=&ea=
77.78.197 .176:7777/?ch=&ea=
94.189.149 .231:7777/?ch=&ea=
89.138.102 .243:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
79.175.101 .28:7777/?ch=&ea=
78.1.251 .26:7777/?ch=&ea=
201.236.228 .38:7777/?ch=&ea=
85.250.190 .55:7777/?ch=&ea=
211.109.46 .32:7777/?ch=&ea=
91.148.159 .174:7777/?ch=&ea=
87.68.71 .34:7777/?ch=&ea=
85.94.106 .240:7777/?ch=&ea=
195.91.82 .18:7777/?ch=&ea=
85.101.167 .197:7777/?ch=&ea=
193.198.167 .249:7777/?ch=&ea=
94.69.130 .191:7777/?ch=&ea=
79.131.26 .192:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=

119.234.7 .230:7777/?ch=&ea=
199.203.37 .250:7777/?ch=&ea=
89.142.181 .226:7777/?ch=&ea=
84.110.120 .82:7777/?ch=&ea=
119.234.7 .230:7777/?ch=&ea=
84.110.253 .163:7777/?ch=&ea=
82.81.163 .40:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
87.239.160 .132:7777/?ch=&ea=
79.113.8 .107:7777/?ch=&ea=
81.18.54 .6:7777/?ch=&ea=
118.169 .173.101:7777/?ch=&ea=
85.216.158 .209:7777/?ch=&ea=
219.92.170 .4:7777/?ch=&ea=
79.130.252 .204:7777/?ch=&ea=
93.136.53 .239:7777/?ch=&ea=
62.0.134 .79:7777/?ch=&ea=
79.138.184 .253:7777/?ch=&ea=
173.16.68 .18:7777/?ch=&ea=
190.155.56 .212:7777/?ch=&ea=
190.20.68 .136:7777/?ch=&ea=
119.235.96 .173:7777/?ch=&ea=
77.127.81 .103:7777/?ch=&ea=
190.132.155 .122:7777/?ch=&ea=
89.138.177 .91:7777/?ch=&ea=

79.178.111 .25:7777/?ch=&ea=
84.109.1 .15:7777/?ch=&ea=
89.0.157. 1:7777/?ch=&ea=
122.53.176 .43:7777/?ch=&ea=
200.77.63 .190:7777/?ch=&ea=
67.225.102 .105:7777/?ch=&ea=
119.94.171 .114:7777/?ch=&ea=
125.212.94 .80:7777/?ch=&ea=

Detection rate for the binary, identical across all infected hosts participating :
flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
Detection rate : 28/38 (73.69%)
File size: 27136 bytes
MD5...: 3071f71fc14ba590ca73801e19e8f66d
SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d

Koobface's social networks spreading model isn't going away, but it's domains definitely are.

Related posts:
Dissecting the Latest Koobface Facebook Campaign
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Wednesday, November 19, 2008

The DDoS Attack Against Bobbear.co.uk

When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter surveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Thursday, November 13, 2008

Dissecting the Latest Koobface Facebook Campaign

The latest Koobface malware campaign at Facebook, is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (
off34 .com/go/fb.php (
youtube-spyvideo .com/youtube_file.html (
ahdirz .com/movie1.php?id=638&n=teen (
top100clipz .com/m6/movie1.php?id=638&n=teen (
hq-vidz .com/movie1.php?id=638&n=teen (

The dropper then phones back home to : f071108 .com/fb/first.php ( with the binaries hosted at a legitimate site that's been compromised :

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake Youtube domains participating :
catshof .com (
youtube-spy .info (
youtubehof .net (
youtube-spyvideo .com (
yyyaaaahhhhoooo.ocom .pl (
youtube-x-files .com (

The development of cybercrime platforms utilizing legitimate infrastructure only, has always been in the works. With spamming systems relying exclusively on the automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Monday, October 20, 2008

Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist socienty's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action got published last week, a project I discussed back in August, point out to the bottom of the food chain in the entire campaign - stopgeorgia.ru :

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments :

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of the "Please, input your cause" mentality is always going to be there.

Thursday, August 14, 2008

Who's Behind the Georgia Cyber Attacks?

Of course the Klingons did it, or you were naive enough to even think for a second that Russians were behind it at the first place? Of the things I hate  most, it's lowering down the quality of the discussion I hate the most. Even if you're excluding all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly explains why certain countries are lacking behind others with years in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare, that there are no rules on how to achieve your objectives.

So who's behind the Georgia cyber attacks, encompassing of plain simple ping floods, web site defacements, to sustained DDoS attacks, which no matter the fact that Geogia has switched hosting location to the U.S remain ongoing? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is militia anyway :

"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks, and that the attacks are not "state-sponsored", making it look like that there should be a considerable amount of investment made into these attacks, and that the Russian government has the final word on whether or not its DDoS capabilities empowered citizens should launch any attacks or not. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

Thankfully, there are some visionary folks out there understanding the situation. Last year, I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of the possible answers still fully apply in this situation :

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that noone else but the affected Russia could be behind the attacks

- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departamental cyber warfare would never reach the flexibity state of people's information warfare where everyone is a cyber warrior given he's empowered with access to the right tools at a particular moment in time.

Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121

Monday, August 11, 2008

The Russia vs Georgia Cyber Attack

Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" :

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.

Some of the parked domains acting as command and control servers for one of the botnets at :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net

Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week.

Friday, July 18, 2008

Money Mule Recruiters use ASProx's Fast Fluxing Services

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc.  ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information.

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :


With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Tuesday, June 10, 2008

Who's Behind the GPcode Ransomware?

So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication :

Emails used by the GPcode authors where the infected victims are supposed to contact them :

Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

Sample response email :
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email this time requesting $200 :
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding back with copy and paste emails, each of them seeking a different amount of money? Weird. The John Dow-ish Daniel Robertson is emailing from (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite that these campaigners are Russians.

Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11; and page 21), worth going through.