Friday, October 30, 2009

Blogspot Whammies

[Image: slot machines in the Trump Taj Mahal, via Wikipedia]

I enjoy seeing what the world has to say from time to time, and to give everyone's voice a fair shake I will often click "Next Blog" in Blogspot's standard blog header. I know that Blogspot pages are now a popular point of redirection for initiating malware downloads, especially with Koobface. I also know that rogue AV is the gravy train of scam software and is now being promoted through Koobface. Now, when I go gambling I never win anything, but it appears the Blogspot "Next Blog" slot machine has shown up all cherries. Well, maybe lemons.

In a very swift redirection I was brought to "antivirusn.com/scan1/?pid=156&engine=%3DnQyzTjuNjgyLjIzLjI4JnRpbWU9MTI1MTgxMI0OaA%3DN". This was supposed to perform a "scan" of my computer as is customary with rogue AV, but Firefox was kind enough to report this as a "Reported Attack Site!"
Let's take a peek at "antivirusn.com" and see what this family of rogue AV looks like. Maybe I know some of your relatives.

antivirusn.com A 83.133.119.154
antivirusn.com A 91.212.107.7
antivirusn.com NS ns1.everydns.net
antivirusn.com NS ns2.everydns.net
antivirusn.com NS ns3.everydns.net
antivirusn.com NS ns4.everydns.net

Registrant:
Name: Lian S Richard
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Administrative Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510
Phone: +5.3017560166
Fax: +5.3017560166
Email: info@airlineshun.be

Technical Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Nameserver Information:
ns1.everydns.net
ns2.everydns.net
ns3.everydns.net
ns4.everydns.net

Create: 2009-10-28 18:44:36
Update: 2009-10-29
Expired: 2010-10-28

What else is going on at these IPs?

Passive DNS over at www.bfk.de reveals the following:

virus-detect01.com A 83.133.119.154
bestantispyware11.com A 83.133.119.154
top-scanner11.com A 83.133.119.154
detect-spyware1.com A 83.133.119.154
top-scanner02.com A 83.133.119.154
top-scanner2.com A 83.133.119.154
virus-detect2.com A 83.133.119.154
top-scanner04.com A 83.133.119.154
virus-detect04.com A 83.133.119.154
detect-spyware5.com A 83.133.119.154
virus-detect6.com A 83.133.119.154
detect-spyware7.com A 83.133.119.154
virus-detect08.com A 83.133.119.154
bestantispyware09.com A 83.133.119.154
detect-spyware9.com A 83.133.119.154
top-scanner9.com A 83.133.119.154
kill-virusc.com A 83.133.119.154
kill-virusd.com A 83.133.119.154
scannerg.com A 83.133.119.154
scannerh.com A 83.133.119.154
antivirusk.com A 83.133.119.154
antivirusm.com A 83.133.119.154
antivirusn.com A 83.133.119.154
scannerr.com A 83.133.119.154
scanneru.com A 83.133.119.154
154.119.133.83.in-addr.arpa PTR id1148.rdso.ru

virus-detect01.com A 85.12.24.12
bestantispyware11.com A 85.12.24.12
top-scanner11.com A 85.12.24.12
top-scanner02.com A 85.12.24.12
top-scanner2.com A 85.12.24.12
top-scanner04.com A 85.12.24.12
bestantispyware09.com A 85.12.24.12
top-scanner9.com A 85.12.24.12

And we find another IP: 91.212.107.7

virus-detect01.com A 91.212.107.7
bestantispyware11.com A 91.212.107.7
top-scanner11.com A 91.212.107.7
detect-spyware1.com A 91.212.107.7
top-scanner02.com A 91.212.107.7
top-scanner2.com A 91.212.107.7
virus-detect2.com A 91.212.107.7
top-scanner04.com A 91.212.107.7
virus-detect04.com A 91.212.107.7
detect-spyware5.com A 91.212.107.7
virus-detect6.com A 91.212.107.7
detect-spyware7.com A 91.212.107.7
virus-detect08.com A 91.212.107.7
bestantispyware09.com A 91.212.107.7
detect-spyware9.com A 91.212.107.7
top-scanner9.com A 91.212.107.7
kill-virusc.com A 91.212.107.7
kill-virusd.com A 91.212.107.7
scannerg.com A 91.212.107.7
scannerh.com A 91.212.107.7
antivirusk.com A 91.212.107.7
antivirusm.com A 91.212.107.7
antivirusn.com A 91.212.107.7
scannerr.com A 91.212.107.7
scanneru.com A 91.212.107.7

Well, rogue AV is obviously the name of the game here. Let's look on a larger scale at the AS level.

83.133.119.154 is under AS13237 (LAMBDANET)

MalwareURL.com reports 200 domains under Lambdanet, the majority of which relate to rogue AV.

85.12.24.12 points to AS34305 (EUROACCESS)

They are small time with only 23 domains reported by MalwareURL.com. They consist of rogue AV and Zbot.

The big guy comes with AS49038 (RICCOM) which was over the IP 91.212.107.7.

326 Riccom domains were reported by MalwareURL.com, and only about seven were unrelated to rogue software.

There's a dozen other IPs mixed in here going back to March, but most notable is 91.212.107.103, which also comes up under AS29550 (EUROCONNEX). This IP gem has hundreds of domains pointed to it in relation to rogue software, such as:

windoptimizer.com A 91.212.107.103
woptimizer.com A 91.212.107.103
goscandir.com A 91.212.107.103
in5cs.com A 91.212.107.103
general-antivirus.com A 91.212.107.103
www.general-antivirus.com A 91.212.107.103
generalantivirus.com A 91.212.107.103
goscanneat.com A 91.212.107.103
in5ct.com A 91.212.107.103
in5it.com A 91.212.107.103
wopayment.com A 91.212.107.103
goscanrest.com A 91.212.107.103
ereuqba.cn A 91.212.107.103
dycotda.cn A 91.212.107.103

just to list a few. This also leads back to Koobface and the "2008 ali baba and 40, LLC" which you can read about in Dancho's blog from September. It looks like antivirusn.com was part of a large family after all. No surprise there. I'm sure I'll be bumping into you again.
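The pivots walked through above (domain to IP, IP back to every domain that has resolved to it, IP up to its AS, and the prefix-plus-number or prefix-plus-letter naming families) are exactly the kind of thing worth scripting the next time a rogue AV domain turns up. The following Python is an added example, not the author's tooling and not an API of BFK's passive DNS or MalwareURL.com. It runs offline on a constructed subset of the passive DNS records quoted in this post, and its IP-to-AS table is hand-filled with the AS numbers the post reports; a real run would pull records and AS data from a passive DNS source and a whois/BGP lookup instead.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the passive-DNS records quoted in the post.
PDNS_RECORDS = """\
antivirusn.com A 83.133.119.154
antivirusn.com A 91.212.107.7
antivirusk.com A 91.212.107.7
antivirusm.com A 91.212.107.7
virus-detect01.com A 83.133.119.154
virus-detect01.com A 85.12.24.12
virus-detect01.com A 91.212.107.7
top-scanner11.com A 83.133.119.154
top-scanner11.com A 91.212.107.7
top-scanner9.com A 83.133.119.154
top-scanner9.com A 91.212.107.7
kill-virusc.com A 83.133.119.154
kill-virusd.com A 91.212.107.7
scannerg.com A 91.212.107.7
scannerh.com A 91.212.107.7
windoptimizer.com A 91.212.107.103
general-antivirus.com A 91.212.107.103
"""

# IP -> (ASN, owner), hand-filled from the AS lookups in the post; a real run
# would resolve these with a whois/BGP lookup instead of a static table.
IP_TO_AS = {
    "83.133.119.154": ("AS13237", "LAMBDANET"),
    "85.12.24.12": ("AS34305", "EUROACCESS"),
    "91.212.107.7": ("AS49038", "RICCOM"),
    "91.212.107.103": ("AS29550", "EUROCONNEX"),
}

def parse_records(text):
    """Return (name, rtype, value) tuples from 'name TYPE value' lines."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 3]

def pivot(records):
    """Both directions of the A-record graph: ip -> domains and domain -> ips."""
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for name, rtype, value in records:
        if rtype == "A":
            ip_to_domains[value].add(name)
            domain_to_ips[name].add(value)
    return ip_to_domains, domain_to_ips

def infrastructure_clusters(records):
    """Connected components over IPs: two IPs join a cluster when some domain has
    resolved to both. Largest cluster first, IPs sorted inside each."""
    ip_to_domains, domain_to_ips = pivot(records)
    seen, clusters = set(), []
    for start in ip_to_domains:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            ip = stack.pop()
            if ip in component:
                continue
            component.add(ip)
            for domain in ip_to_domains[ip]:
                stack.extend(domain_to_ips[domain] - component)
        seen |= component
        clusters.append(sorted(component))
    return sorted(clusters, key=len, reverse=True)

def domains_per_as(records, ip_to_as):
    """Roll the IP view up a level: 'ASN (owner)' -> set of domains on its IPs."""
    ip_to_domains, _ = pivot(records)
    per_as = defaultdict(set)
    for ip, domains in ip_to_domains.items():
        asn, owner = ip_to_as.get(ip, ("AS?", "unknown"))
        per_as[f"{asn} ({owner})"] |= domains
    return dict(per_as)

def naming_families(domains, min_size=2):
    """Group labels that differ only by a trailing number (top-scanner11/9) or a
    trailing single letter (scannerg/h); bases with fewer than min_size are dropped."""
    by_base = defaultdict(set)
    for domain in domains:
        label = domain.split(".")[0]
        base = re.sub(r"\d+$", "", label)
        by_base[base].add(domain)
        if base == label and len(label) > 1:  # no digit suffix: try a letter suffix
            by_base[label[:-1]].add(domain)
    return {b: sorted(d) for b, d in by_base.items() if len(d) >= min_size}

if __name__ == "__main__":
    recs = parse_records(PDNS_RECORDS)
    for cluster in infrastructure_clusters(recs):
        print("shared infrastructure:", ", ".join(cluster))
    for asn, doms in sorted(domains_per_as(recs, IP_TO_AS).items()):
        print(f"{asn}: {len(doms)} domains")
    for base, members in sorted(naming_families(pivot(recs)[1]).items()):
        print(f"family {base}*: {', '.join(members)}")
```

On the sample the three IPs from the post fall into one cluster because the same domains have resolved to all of them, while 91.212.107.103 stands alone only because the sample carries none of the overlapping domains. Two caveats when running this on real passive DNS: an IP belonging to shared hosting or a CDN will chain unrelated domains into one cluster, so check that the IPs are dedicated (as the ones here appear to be) before treating a cluster as one operation; and the naming-family grouping is a heuristic that will also strip the last letter of ordinary words, which is why singleton bases are discarded.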

Matt Sully
Director
Threat Research & Analysis
