Mac users appear to have a special place in the heart of the Koobface gang, since they’ve recently started experimenting with a monetization strategy aimed especially at them – compromising legitimate sites for the sole purpose of embedding the popular PHP backdoor shell C99 (Synsta mod) in them, in an attempt to redirect all Mac OS X traffic to affiliate dating programs such as AdultFriendFinder.
The use of Synsta’s C99 mod is not a novel approach; the gang has been using it for over a year and a half now. The original KROTEG injected script now includes a “hey rogazi” message. “Hey rogazi” appears to be some kind of slang word (rogatstsi) for scooter-driving Italians. What’s also interesting to point out is that the Mac OS X redirection takes place through one of the few currently active centralized IPs from Koobface 1.0’s infrastructure – 184.108.40.206.
This very same IP (profiled in August, 2009 and then in September, 2009) was once brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koobface 1.0’s “leftovers” xtsd20090815 .com and kiano-180809 .com still parked there (the latter domain was serving client-side exploits in the Koobface gang’s November 2009 experiment, followed by another one again hosted at 220.127.116.11).
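Because the monetization hinges on a C99-family shell planted on otherwise legitimate sites, the first question a site owner has is whether such a shell is sitting in their document root. The following triage scanner is an added example (not code from the original post or from the Koobface analysis) that walks a tree of PHP files and flags two signals: self-identifying strings of the C99 family (“c99shell”, “c99sh_”) plus a few assumed generic markers, and the eval/base64_decode style obfuscation that injected shells and redirect stubs commonly use. The sample files it creates in a temporary directory are constructed for the example; the string “Synsta” is included only because the post names that mod, and it is an assumption that the mod carries its own name in source.

```python
"""Triage scan for injected PHP backdoors such as C99 variants.

Added example, not from the original post. Flags PHP files by two signals:
(1) known shell strings ("c99shell"/"c99sh_" appear in the C99 family; the
    remaining entries are assumed generic markers a practitioner would tune), and
(2) the eval(base64_decode(...)) / gzinflate obfuscation pattern.
"""
import os
import re
import tempfile

# Indicator strings: "c99shell" and "c99sh_" are from the C99 family itself;
# "Synsta" is assumed from the mod name cited in the post; the rest are common
# shell families added as assumed indicators.
SHELL_STRINGS = ["c99shell", "c99sh_", "Synsta", "r57shell", "FilesMan"]

# eval() wrapped around a decoder is the classic injected-stub signature.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)


def scan_file(path):
    """Return a list of reasons this file looks like a shell (empty = clean)."""
    with open(path, "rb") as f:
        data = f.read().decode("latin-1")  # never fail on odd bytes
    lowered = data.lower()
    reasons = [f"string:{s}" for s in SHELL_STRINGS if s.lower() in lowered]
    if OBFUSCATION_RE.search(data):
        reasons.append("eval-obfuscation")
    return reasons


def scan_tree(root):
    """Walk `root`; return {relative_path: reasons} for every flagged PHP file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = reasons
    return hits


# Constructed sample tree: one clean page, one C99-style shell, one eval stub.
SAMPLES = {
    "index.php": "<?php echo 'hello'; ?>",
    "uploads/x.php": "<?php /* c99shell v.1.0 mod by Synsta */ $c99sh_updatefurl = 1; ?>",
    "inc/r.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
}


def build_samples():
    """Write the constructed samples to a fresh temp dir and return its path."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for path, reasons in scan_tree(build_samples()).items():
        print(path, reasons)
```

String matching of this kind is a triage pass, not a verdict: a real C99 mod is often packed, so the eval-obfuscation signal usually fires first, and any hit should be followed by a look at the file's modification time and the web server access log for the upload that placed it.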
- Go through related web shell backdoor and monetization posts: A Compilation of Web Backdoors; Monetizing Web Site Defacements; Underground Multitasking in Action; Monetizing Compromised Web Sites; Web Site Defacement Groups Going Phishing
Moreover, this China-based IP (it even has a modest Alexa pagerank) was also the centralized redirection point in Koobface 1.0’s scareware business model, using popup.php to redirect to a systematically updated portfolio of scareware domains, and the first time ever that I came across what the gang is now publicly acknowledging as the “2008 ali baba and 40, LLC” team.
AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com – 18.104.22.168 – Email: email@example.com
sicha-linna .com – 22.214.171.124 – Email: firstname.lastname@example.org
stopspaming .com – 126.96.36.199 – Email: email@example.com
ubojnajasila .net – 188.8.131.52 – Email: firstname.lastname@example.org
Here’s how the experiment looks in its current form. Once the OS is detected, the redirection takes place through 184.108.40.206 /mac.php -> 220.127.116.11 /vvv.htm, which loads the following pages using the gang’s unique campaign IDs at AdultFriendFinder:
– BestDatingDirect .com/page_hot.php?page=random&did=14029
– adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
– adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc
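The redirect only fires for Mac OS X visitors, so a site owner or analyst fetching the page from a Windows box sees nothing wrong. The practical check is to request the same URL under several User-Agents without following redirects, record each hop, and compare the chains. The script below is an added example (not code from the original post); it models the mac.php -> vvv.htm -> affiliate landing page hop sequence described above with an offline stand-in fetcher whose hostnames (compromised.example, redirector.example, hop2.example, dating-affiliate.example) are placeholders, while `http_fetch` is the live fetcher one would pass in against a real suspect page. The User-Agent strings are constructed for the example.

```python
"""Detect User-Agent-conditional ("OS cloaked") redirect chains.

Added example, not from the original post. Requests a URL under several
User-Agents, follows redirects hop by hop (recording each Location), and
reports whether different OS families are sent down different chains.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Representative User-Agents of the era (constructed for the example).
USER_AGENTS = {
    "mac": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) "
           "AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
    "windows": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) "
               "AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5",
    "linux": "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) "
             "Gecko/20100106 Firefox/3.5.7",
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each redirect as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, user_agent):
    """Live fetcher: one request, no redirect following -> (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # redirects land here because of _NoRedirect
        return e.code, e.headers.get("Location")


def follow_chain(url, user_agent, fetch=http_fetch, max_hops=10):
    """Return the list of URLs visited, starting with `url`, for this User-Agent."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # resolve relative Locations
    return chain


def detect_cloaking(url, fetch=http_fetch, user_agents=USER_AGENTS):
    """Fetch `url` under each User-Agent; return (chains_differ, {label: chain})."""
    chains = {label: follow_chain(url, ua, fetch) for label, ua in user_agents.items()}
    distinct = {tuple(c) for c in chains.values()}
    return len(distinct) > 1, chains


# --- constructed offline model of the behaviour described in the post ---
def simulated_fetch(url, user_agent):
    """Stand-in for the compromised site: only 'Macintosh' UAs get redirected."""
    is_mac = "Macintosh" in user_agent
    if url == "http://compromised.example/index.php":
        return (302, "http://redirector.example/mac.php") if is_mac else (200, None)
    if url == "http://redirector.example/mac.php":
        return 302, "http://hop2.example/vvv.htm"
    if url == "http://hop2.example/vvv.htm":
        return 302, "http://dating-affiliate.example/page_hot.php?page=random&did=14029"
    return 200, None


if __name__ == "__main__":
    cloaked, chains = detect_cloaking("http://compromised.example/index.php", simulated_fetch)
    print("cloaked:", cloaked)
    for label, chain in chains.items():
        print(f"{label:8s}", " -> ".join(chain))
```

Against a live site, pass `http_fetch` (the default) instead of `simulated_fetch`. Note that the check catches User-Agent cloaking only; if the injected script decides in JavaScript on the client, the server returns the same HTML to everyone and the hop sequence has to be reproduced in a browser instead.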
The rest of the dating site redirectors are parked on 18.104.22.168 – AS3491 (PCCWGlobal-ASN; PCCW Global):
This isn’t the first time the Koobface gang has attempted to monetize traffic through dating affiliate networks. In fact, in November’s “Koobface Botnet’s Scareware Business Model – Part Two” post, emphasizing the gang’s connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out their connection with a Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.
An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 22.214.171.124. This very same 126.96.36.199 IP was hosting domains belonging to a Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.
For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com – Email: email@example.com
love-isaclick .com – Email: firstname.lastname@example.org
love-is-special .com – Email: email@example.com
only-loveall .com – Email: firstname.lastname@example.org
and-i-loveyoutoo .com – Email: email@example.com
andiloveyoutoo .com – Email: firstname.lastname@example.org
romantic-love-forever .com – Email: email@example.com
love-youloves .com – Email: firstname.lastname@example.org
love-galaxys .com – Email: email@example.com
love-formeandyou .com – Email: firstname.lastname@example.org
ifound-thelove .net – Email: email@example.com
findloveon .net – Email: firstname.lastname@example.org
love-isexcellent .net – Email: email@example.com
Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (firstname.lastname@example.org) that was used to register the dating scam domains was also used to register exploit-serving domains at 188.8.131.52, to participate in phishing campaigns, and to register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).
Of course, the money made in the process looks like pocket change compared to the money the gang makes through blackhat SEO, click fraud and scareware in general — go through the related posts at the bottom of the article. But since they’ve previously indicated what I originally anticipated they’d do sooner or later, namely, start diversifying and experimenting due to the ever-growing compromised infrastructure, what they’ll do next on the Mac front is an issue worth keeping an eye on.
Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry “Happy Holidays”
Koobface-Friendly Riccom LTD – AS29550 – (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet’s Scareware Business Model – Part Two
Koobface Botnet’s Scareware Business Model – Part One
Koobface Botnet Redirects Facebook’s IP Space to my Blog
New Koobface campaign spoofs Adobe’s Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front – Part Two
Movement on the Koobface Front
Koobface – Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm’s Twitter Campaign
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.