 Post subject: A Diverse Portfolio of Fake Security Software - Part 18
PostPosted: Wed Apr 08, 2009 3:22 pm 
Site Admin
Wednesday, April 08, 2009
With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime committing capabilities.
    avs-online-scan .org (209.250.241.164) Oleg Bajenov Email: oleg.bajenov@gmail.com
    av-lookup .org
    am-scan .com
    system-scan-1 .biz
    sys-scanner-1 .biz
    sys-scan-wiz .biz
    scanner-wiz-1 .com
    webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: RosalindRLewis@text2re.com
    webprotectionscan .com
    greatvirusscan .com
    beststabilityscans .com
    todaybestscan .com (174.129.241.185; 174.129.244.106; 209.44.126.14) Elliott Cameron Email: support@zitoclick.com; Anatolij Andreev Email: yeep33@gmail.com
    thebestsecurityspot .com
    securitytopagent .com
    inetsecuritycenter .com
    fullandtotalsecurity .com
    activesecurityshield .com
    getpcguard .com
    websecurityvoice .com
    onlinescanservice .com
    scanalertspage .com
    scanbaseonline .com
    bestsecurityupdate .com
    getsecuritywall .com
    bestfiresfull .com
    initialsecurityscan .com
    websecuritymaster .com
    runpcscannow .com
    thegreatsecurity .com
    truescansecurity .com
    checkonlinesecurity .com
    spy-protector-pro .com
DNS servers of notice:
    ns1.ahuliard .com
    ns2.ahuliard .com
    ns1.fuckmoneycash .com
    ns2.fuckmoneycash .com
    ns1.zitodns .com
    ns2.zitodns .com


Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also have parked ilovemyloves .com, one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007, which was then parked at the RBN's HostFresh infrastructure (58.65.239.28). Behind the malware campaign back then was the "New Media Malware Gang" (Part Three; Part Two and Part One), which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the group's direct involvement in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary.

It gets even more interesting to see what they're up to in 2009, considering that they have also parked, at 174.129.241.185 and 174.129.244.106, domains used in a currently ongoing Facebook phishing campaign, which is switching themes from Match.com to Classmates.com:
    facebook.shared.id-pegxaaei62.emberuiweb .765access.com
    facebook.shared.id-0izlud0w6j.launchpad .765access.com
    facebook.shared.id-6oxyclcpus.initiated .765access.com
    facebook.shared.id-6xcse5q79c.usermanage .765access.com
    facebook.shared.id-9q0bfta8bf.login .765access.com
    facebook.shared.id-l8rz3d87j7.processlogon .765access.com
    facebook.shared.id-m071qcxkf3.version .765access.com
    facebook.shared.id-ao7zx28bhw.identification .765access.com
    facebook.shared.id-usxeye68vn.secureconnection .765access.com
    facebook.shared.id-lc9i4p09yi.disbursements .765access.com
    facebook.shared.id-6y8nzpemkx.securedocuments .765access.com
    facebook.shared.id-0u1o0e9gyj.cebmainservlet .765access.com
    facebook.shared.id-4b16kzpiuk.ceptservlet .765access.com
    facebook.shared.id-xqa6odo94z.content .765access.com
    facebook.shared.id-5u10q3vp8q.completeserv .765access.com
    facebook.shared.id-ql2fzhydat.intvitation .9845account.com
    facebook.shared.id-5ajv5861qd.securedocuments .9845account.com
    facebook.shared.id-3dcznhmord.statement .9845account.com
    facebook.shared.id-o6lo04atww.statement .9845account.com

The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.

0-= DDanchev Blog
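The post makes two moves by hand: pivoting on shared hosting (which current rogue AV domains sit on the same addresses as a 2007 iFrame domain) and eyeballing the shape of the Facebook phishing hostnames. The script below is an added example, not code from the post or from the author; it transcribes a few of the post's indicators (with the defanging spaces removed) into constructed records and automates both moves. The record layout, function names, the hostname regular expression and the two-label "registered domain" shortcut are this example's own assumptions.

```python
"""Pivot on shared hosting and flag brand-spoofing hostnames.

Added example, not from the original post. The records below are transcribed
from the post's indicators; the tuple layout, function names and the regular
expression are this example's own assumptions.
"""
import re
from collections import defaultdict

# (domain, resolved IPs, registrant e-mails), transcribed from the post.
ROGUE_AV_RECORDS = [
    ("avs-online-scan.org", ["209.250.241.164"], ["oleg.bajenov@gmail.com"]),
    ("webwidesecurity.com", ["94.247.3.3"], ["RosalindRLewis@text2re.com"]),
    ("todaybestscan.com",
     ["174.129.241.185", "174.129.244.106", "209.44.126.14"],
     ["support@zitoclick.com", "yeep33@gmail.com"]),
]

# Earlier-campaign domain the post says is parked on the same addresses.
HISTORICAL_RECORDS = [
    ("ilovemyloves.com", ["174.129.241.185", "174.129.244.106"], []),
]


def index_by_ip(records):
    """Map each IP to the set of domains that resolve to it."""
    idx = defaultdict(set)
    for domain, ips, _ in records:
        for ip in ips:
            idx[ip].add(domain)
    return idx


def index_by_registrant(records):
    """Map each registrant e-mail (lower-cased) to the domains it registered."""
    idx = defaultdict(set)
    for domain, _, emails in records:
        for email in emails:
            idx[email.lower()].add(domain)
    return dict(idx)


def shared_hosts(current, historical):
    """IPs on which a current domain and a historical domain overlap:
    the 'deja vu' pivot the post performs by hand."""
    cur, hist = index_by_ip(current), index_by_ip(historical)
    return {ip: (sorted(cur[ip]), sorted(hist[ip]))
            for ip in cur.keys() & hist.keys()}


# Shape of the phishing hosts listed in the post:
#   facebook.shared.id-<10 alnum>.<word>.<3-4 digits><word>.com
PHISH_HOST_RE = re.compile(
    r"^facebook\.shared\.id-[a-z0-9]{10}\.[a-z]+\.\d{3,4}[a-z]+\.com$", re.I)


def matches_phish_pattern(hostname):
    """Exact-shape match for the campaign's hostname generator."""
    return PHISH_HOST_RE.match(hostname.strip()) is not None


def registered_domain(hostname):
    """Last two labels. Assumption: no public-suffix list is consulted,
    which is adequate for the .com hosts in the post."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_subdomain(hostname, brands=("facebook",), legit=("facebook.com",)):
    """Generalisation beyond the post's exact pattern: flag any host that
    carries a brand name in a subdomain label while being registered under
    a domain the brand does not own."""
    host = hostname.strip().lower()
    if registered_domain(host) in legit:
        return False
    subdomain_labels = host.split(".")[:-2]
    return any(b in label for label in subdomain_labels for b in brands)


if __name__ == "__main__":
    for ip, (cur, hist) in shared_hosts(ROGUE_AV_RECORDS, HISTORICAL_RECORDS).items():
        print(ip, "current:", cur, "historical:", hist)
    sample = "facebook.shared.id-9q0bfta8bf.login.765access.com"
    print(sample, matches_phish_pattern(sample), brand_in_subdomain(sample))
```

`shared_hosts` is the part worth keeping around: feed it today's resolutions and an archive of old campaign domains and it surfaces exactly the kind of overlap the post relies on. `matches_phish_pattern` will only catch this one generator; `brand_in_subdomain` is the broader check to run over proxy or DNS logs, at the cost of a false positive for every legitimate host that mentions a brand under a third-party domain.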
