Tuesday, June 30, 2009

Michael Jackson headline used in Password Stealing scheme

Last week we reported that a Fake Microsoft Critical Update was one of the top sources of active computer exploitation being delivered in the emails we were watching in the UAB Spam Data Mine. That campaign took the weekend off and emerged Monday morning with a new feature that we shared with you yesterday. The same campaign has mutated yet again, but now is pretending to be a conspiracy email about Michael Jackson!

The new campaign uses email like this one:



which redirects visitors to more than 40 different websites which all look like this:



The list of websites we've seen so far in our spam include all of these:

MJackson.1ffli.com.mx
MJackson.hhili.com.mx
MJackson.hilli.com.mx
MJackson.ijjik1.com
MJackson.ijjik1.net
MJackson.ijjil1.com
MJackson.ijjil1.net
MJackson.ijjilk.com
MJackson.ijjilk.net
MJackson.ijjill.com
MJackson.ijjill.net
MJackson.ijjkl1.net
MJackson.ijkil1.com
MJackson.ijkil1.net
MJackson.ikikij.com
MJackson.ikilfk.com
MJackson.ikilij.com
MJackson.ikilij.net
MJackson.ikilik.net
MJackson.ikilkj.com
MJackson.ikilkj.net
MJackson.ikjil1.com
MJackson.ikjil1.net
MJackson.ikklij.com
MJackson.ilifi.com.mx
MJackson.iljihli.com.mx
MJackson.kiffil.com.mx
MJackson.kjjil1.com
MJackson.kkilij.com

Analysis of the malware performed by UAB Malware Analyst Brian Tanner, a Computer Forensics student, reveals that just visiting the website is enough to infect your computer, especially if the visitor doesn't have the current version of Adobe Acrobat Reader.

Older versions of Adobe Acrobat have a vulnerability that allows JavaScript to run when a PDF file is viewed. Visitors to the Michael Jackson X-Files website are asked to download and run a program called:

x-file-MJacksonsKiller.exe

But even if the visitor is wise enough not to open the file, a secret IFRAME embedded on the site will cause an infected PDF file to be downloaded and opened in a background window. If the Adobe Reader is an old version, the JavaScript in the PDF will cause the .exe file to download and execute anyway.

VirusTotal reveals that only 10 of 41 anti-virus products currently detect this malware. Here's a VirusTotal Report.

Monday, June 29, 2009

Two Quick Updates

We blogged last week about the Fake Microsoft Update which was actually an attempt to infect visitors with ZBot in order to steal their banking passwords.

We continue to see more of this spam, but now there is also a "drive-by infection" component to the spam. That means that just visiting the website may be enough to infect you. The preferred driveby method is an IFRAME injection which tries to open your Adobe Reader to use an infected PDF to infect you in a background window. To be successfully exploited via the drive-by, an older version of Adobe Reader would need to be present on the visitor's computer.
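The hidden IFRAME described here (and in the Michael Jackson X-Files post above) is the piece a defender can look for in a captured page. The following is an added example, not code from this blog: a small html.parser-based scanner that flags iframes a visitor would never see (zero-sized, hidden by CSS, or pushed off-screen) and notes when such a frame pulls in a PDF. The sample page, its hostnames and file names are constructed placeholders, not the sites named in the posts.

```python
import re
from html.parser import HTMLParser

# Constructed landing page in the shape the post describes: a visible download lure
# plus a zero-sized, CSS-hidden iframe that loads a PDF into a background frame.
# Hostnames and file names are placeholders, not the domains from the post.
SAMPLE_HTML = """<html><body>
<h1>The X-Files: what really happened</h1>
<p><a href="/download/evidence.exe">Download the secret video</a></p>
<iframe src="http://video.example/embed/123" width="480" height="360"></iframe>
<iframe src="http://exploit.example/cache/doc.pdf" width="0" height="0"
        style="visibility:hidden; position:absolute; left:-2000px"></iframe>
</body></html>"""


def _is_zero(value):
    """'0', '0px' or '1' count as zero-sized; anything else (or no attribute) does not."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def hiding_reasons(attrs):
    """Return the reasons a frame with these attributes would be invisible to the visitor."""
    reasons = []
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        reasons.append("zero-sized")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    if re.search(r"(?:width|height):[01](?:px)?(?:;|$)", style):
        reasons.append("zero-sized by CSS")
    m = re.search(r"(?:left|top):(-\d+)", style)
    if m and int(m.group(1)) <= -100:
        reasons.append("positioned off-screen")
    return reasons


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that is hidden from the user, with the reasons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = hiding_reasons(a)
        if reasons:
            src = a.get("src", "")
            self.findings.append({
                "src": src,
                "reasons": reasons,
                # a hidden frame that loads a PDF is exactly the drive-by pattern
                "pdf": src.lower().split("?", 1)[0].endswith(".pdf"),
            })


def find_hidden_iframes(html):
    """Scan a page and return a list of hidden-iframe findings (empty if none)."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        flag = "PDF" if finding["pdf"] else "other"
        print(f"{flag:5} {finding['src']}  ({', '.join(finding['reasons'])})")
```

A visible iframe (the video embed) produces no finding; only the zero-sized, CSS-hidden frame is reported, and its PDF flag is what would make a scan of a mail-linked page worth escalating. Obfuscated JavaScript that writes the iframe at run time, as in the Twitter post further down, would need the script decoded first; this parser only sees markup that is present in the HTML as delivered.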

Fake Microsoft updates were seen today on these domain names:

update.microsoft.com.1ffli.com.mx
update.microsoft.com.h1hihk.com
update.microsoft.com.h1hiik.com
update.microsoft.com.h1hiik.net
update.microsoft.com.h1hikk.net
update.microsoft.com.h1hil1.com
update.microsoft.com.h1hil1.net
update.microsoft.com.h1hilh.com
update.microsoft.com.h1hilh.net
update.microsoft.com.h1hili.com
update.microsoft.com.h1hili.net
update.microsoft.com.h1hilk.com
update.microsoft.com.h1hilk.net
update.microsoft.com.h1hill.com
update.microsoft.com.h1hill.net
update.microsoft.com.hhili.com.mx
update.microsoft.com.hijjl1.com
update.microsoft.com.hijjlf.com
update.microsoft.com.hijjlh.com
update.microsoft.com.hijjll.com
update.microsoft.com.hilli.com.mx
update.microsoft.com.ij1ilik.com
update.microsoft.com.ijfilik.com
update.microsoft.com.ijhilik.com
update.microsoft.com.ijjilik.com
update.microsoft.com.ijjilik.net
update.microsoft.com.ijlilik.com
update.microsoft.com.ikihil1.com
update.microsoft.com.ikihil1.net
update.microsoft.com.ikihilf.com
update.microsoft.com.ikihilf.net
update.microsoft.com.ikihilh.com
update.microsoft.com.ikihilh.net
update.microsoft.com.ikihilk.com
update.microsoft.com.ikihill.com
update.microsoft.com.ikihill.net
update.microsoft.com.ikkilf1.com
update.microsoft.com.ikkilif.com
update.microsoft.com.ikkilih.com
update.microsoft.com.ikkilii.com
update.microsoft.com.ikkilij.com
update.microsoft.com.ikkilik.com
update.microsoft.com.ikkilil.com
update.microsoft.com.ilifi.com.mx
update.microsoft.com.iljihli.com.mx
update.microsoft.com.kiffil.com.mx
update.microsoft.com.kijj1k.com
update.microsoft.com.kijji1.com
update.microsoft.com.kijji1.net
update.microsoft.com.kijjif.com
update.microsoft.com.kijjif.net
update.microsoft.com.kijjih.com
update.microsoft.com.kijjih.net
update.microsoft.com.kijjil.com
update.microsoft.com.kijjil.net


Second Update - we mentioned the Spam Crisis in China also last week, and would like to continue to encourage Chinese officials to encourage an appropriate response - especially for networks hosting many spam domains, and for Registrars who are registering many spam domains.

The top registrar for Chinese spam domains is currently "Ename.cn" which uses the Chinese name: 易名中国

In our spam for June 28th, we saw 195 unique domain names advertised in spam which were registered at eName.cn:

axuqiues.cn
bbegqewok.cn
bcicgaxan.cn
bdamnicok.cn
bewgohef.cn
bhapcajon.cn
biplovoq.cn
bkejezer.cn
bladferud.cn
bpittasiw.cn
bqilzoyus.cn
btaxfoqof.cn
bxiyzexiw.cn
byelufap.cn
bzemkonet.cn
cfirgofin.cn
ckosyedaw.cn
cloculez.cn
cpuvyomok.cn
cqutfesok.cn
cruznivif.cn
ctismumib.cn
cvapsohib.cn
cwehtiboh.cn
cwirbamus.cn
cwobueuj.cn
deoooren.cn
dfuknajec.cn
dkohhusur.cn
dlizafoy.cn
drucximuv.cn
drugsitechord.com.cn
drugsonlinefront.com.cn
dsunmulut.cn
dzonqovug.cn
dzoslakiy.cn
eqejucus.cn
fcoyekii.cn
fhoaabah.cn
fkuvtalow.cn
fubgogil.cn
fwakwedoc.cn
fwuzjixag.cn
fyoyifuh.cn
garfeduf.cn
gmuchidec.cn
goynoyod.cn
gresodag.cn
gtiqaxoh.cn
gtuhfugid.cn
guihiruj.cn
gyojviwus.cn
gzazduxux.cn
hbedvigog.cn
hdezqojok.cn
hhuxdutoh.cn
hsupohed.cn
htihnefug.cn
hwalvunol.cn
hxilxebim.cn
hxozripop.cn
hxuyakuh.cn
ihuyoruv.cn
jbalcefel.cn
jbiwzijef.cn
jjohojoq.cn
jluzyelig.cn
joivosah.cn
jrejsecut.cn
jtenruman.cn
jxulqaqam.cn
jyasvixih.cn
jyeffohec.cn
kjakbomih.cn
kkedfesaq.cn
kkicakoo.cn
klattiyoj.cn
kqimfebif.cn
kratvunaj.cn
lanqagep.cn
ljeydekat.cn
lpeskaduj.cn
lyubolud.cn
medicaldirectpearl.com.cn
medsbeststreet.com.cn
mfuddonib.cn
mhawuhuy.cn
mmulceyip.cn
mmuqdumay.cn
mnurwuyiw.cn
moahoyev.cn
mpasgukux.cn
mrazkebet.cn
mtoldiyel.cn
mvalpotor.cn
mzaxyitul.cn
newpharmthe.com.cn
newrxflair.com.cn
nqaqbuqih.cn
onlinepillsflat.com.cn
pdaspikot.cn
phacurus.cn
pharmssitefarm.com.cn
pilldirectage.com.cn
pillsgreatup.com.cn
ppibgoken.cn
pqobviqut.cn
psocnujiq.cn
pvefzoder.cn
qcimgoroq.cn
qdasgemuk.cn
qkivvisor.cn
qriwxemez.cn
qubribox.cn
qwibfojuy.cn
rciqdoniz.cn
rfadukoe.cn
rgafwadif.cn
rgiyiuoz.cn
rgugzobaf.cn
rjokpayij.cn
rjulcuzex.cn
rkijnefid.cn
rnueulah.cn
rtuymerol.cn
rwalzufuh.cn
ryakiruv.cn
rzijheduf.cn
shacoqiw.cn
sizlehag.cn
sjizsumut.cn
smartdrugtell.com.cn
sqihemas.cn
stezcimip.cn
storemedburn.com.cn
superpharmacymelody.com.cn
sxaviyod.cn
syuczuwex.cn
tcewqucox.cn
tgamauik.cn
thewkujiv.cn
thilmogap.cn
tjaxpetoy.cn
tluksumov.cn
tnatxusof.cn
tnokpaduk.cn
toppilldrink.com.cn
tpoxrugur.cn
troknizec.cn
tuwxabup.cn
tvaiigiz.cn
tzoxboyuk.cn
vhesfanex.cn
vkimgimaw.cn
vnangihar.cn
vnuzijav.cn
vqetokuj.cn
vqukhacun.cn
vrebewez.cn
vtubnenom.cn
vwahmazav.cn
vxilretop.cn
vyiycunud.cn
wcerdolis.cn
wrivhetes.cn
wtasjediv.cn
wwepkuroz.cn
wwetsozoy.cn
wxaqbaqet.cn
wxutnavih.cn
wyoydolod.cn
xcohwibac.cn
xfivdosih.cn
xfopbetid.cn
xhosiniq.cn
xuipaiaq.cn
xvoqfuwog.cn
xvuwbudok.cn
xyipmakif.cn
ybozliqay.cn
yfetwonoc.cn
yjubcejaj.cn
ylopqufoq.cn
ynabaqio.cn
yqafvunib.cn
yruvjinil.cn
zbofyazal.cn
zcugfaniq.cn
zmuyjefil.cn
znoyrulef.cn
zpoywanup.cn
zrapzotar.cn
zriwsumoc.cn
zsalwosad.cn
zzilmasiy.cn

Monday, June 22, 2009

Fake Twitter, LinkedIn, and ScribD pages lead to Fake AV

Last week we were talking about how Twitter users are encouraged to blindly click on "shortened URLs" which could actually lead to anything under the sun. We were discussing Twitter users and the Iran DDOS at the time, but other security researchers were looking at other Twitter issues, including Dancho Danchev who was discussing Ukrainian Scareware links.

We decided to follow up on one of these malware links to see if it would be an example of Chinese domain names being used by Ukrainians and Russians. (In Saturday's blog article, Spam Crisis in China we suggested that its actually Eastern Europeans who are abusing the cheap domain names in China.)



On the dozens of weblinks posted pretending to be Jennifer Aniston, or Paris Hilton, or Jennifer Love Hewitt on Twitter, LinkedIn, and ScribD, the links all pointed to the same place -- showmealltube.com on the path /paqi-video/7.html

The Danger of Tiny Twitter URLs


After the first several hours of the campaign, the URLs switched to being "shortened URLs" like:

"bit.ly/aSDhl" or something like that - you've seen them. When you only have 140 characters, using a shortened URL makes sense. The problem is that you just really don't know where those links are going - and because of that SEARCHING on Twitter is a security nightmare. As an example, searching on "Transformers 2" tonight, the first link took me to a site telling me how I could get rich on the Internet.



The top link there is trying to drive traffic to her Work at Home scammer site by tagging the current top search terms on Twitter. So whether you search for "Iran" or "IranElection" or "Jon & Kate" or "AT&T" or "Transformers 2", you're going to hit her site.



The second site, which takes you to "http://bit.ly/pmU8P", is also a scam. How do you know where the "bit.ly" site is going to take you? You really don't, you just trust on blind faith and click. In this case it takes you to a site called "Free-Gay-Mature-Movie-Clips". Trust me, you don't want a thumbnail of that!

So, typical Twitter advice is "only click on links from people you follow" but with some recent news of Twitter account takeovers, is that safe?

If you wonder about a Tiny URL of any sort, this article from the JoshMeister, Joshua Long, explains how to "preview" where nearly any "tiny URL" is going to take you before you blindly follow it: How to Preview Shortened URLs.
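Previewing a shortened URL comes down to asking the server where it would send you without actually going there. The following is an added example, not code from this blog or from the article linked above: it issues one HEAD request per hop, never follows a redirect automatically, and stops on a hop limit or a loop, so the landing page is never rendered. The URLs in the constructed redirect table are placeholders, not the domains traced in this post.

```python
import sys
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 8

# Constructed stand-in for a shortener -> lure -> landing chain; the hostnames are
# placeholders. The last hop returns a relative Location header on purpose.
CONSTRUCTED_REDIRECTS = {
    "http://short.example/aSDhl": "http://lure.example/paqi-video/7.html",
    "http://lure.example/paqi-video/7.html": "http://landing.example/in.cgi?12",
    "http://landing.example/in.cgi?12": "/tube.htm",
}


def fake_head(url):
    """Offline fetcher for the constructed table: (status, Location header)."""
    location = CONSTRUCTED_REDIRECTS.get(url)
    return (302, location) if location else (200, None)


def head_with_httpclient(url, timeout=10):
    """Live fetcher: a single HEAD request. http.client never follows redirects,
    so the only thing that comes back is the status and the Location header."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, fetch_head=head_with_httpclient, max_hops=MAX_HOPS):
    """Walk the redirect chain one HEAD at a time.

    Returns (chain, outcome) where chain lists every URL visited in order and
    outcome is 'final' (a non-redirect answer), 'loop' (a URL repeated) or
    'hop-limit' (gave up after max_hops redirects)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        # Location may be relative; resolve it against the URL that sent it
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "hop-limit"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        chain, outcome = resolve_chain(sys.argv[1])        # live, one HEAD per hop
    else:
        chain, outcome = resolve_chain("http://short.example/aSDhl", fake_head)
    for i, hop in enumerate(chain):
        print(f"{i}: {hop}")
    print("outcome:", outcome)
```

Two things to keep in mind when running it live: a HEAD request still reaches the attacker's server from your address, so do it from a host you don't mind exposing, and a page that redirects through JavaScript or a meta refresh (as the encrypted script later in this post does) will show up here as a 'final' HTML page rather than as another hop.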

A chain of redirects



So, let's go back to our Jennifer Aniston example and see how bad these links can get. Just clicking the link is going to start a chain reaction of website visits that end with infection. We'll see where the chain leads.

So we start by looking at the whois information for that domain:

showmealltube.com

Registrant Contact:
homme de
samandar hoja zbestgotterflythe@gmail.com
+9989770145698 fax: +9989770145698
yunusobod 13
buxara boxara 21654321
uz

and where it was hosted - which was Layered Technologies (in Texas) on the IP address 64.92.170.135.

That same email address from the WHOIS has been previously associated with domains like "bolapaqir.com", "tafficbots.com", and "myfilehostings.net".

We downloaded the site and looked at the encrypted javascript for the page, which we've removed from our blog because it started triggering AV warnings (I promise it wasn't able to infect you! Really!)

Decoding that takes us to: http://myhealtharea.cn/ with the path in.cgi?12

Domain Name: myhealtharea.cn
ROID: 20090201s10001s04196295-cn
Domain Status: clientTransferProhibited
Registrant Organization: Health Area Inc.
Registrant Name: home
Administrative Email: zbest2008@mail.ru
Sponsoring Registrar: 广东时代互联科技有限公司 (That's Chinese for "now.cn")
Name Server:ns1.myhealtharea.cn
Name Server:ns2.myhealtharea.cn
Registration Date: 2009-02-01 19:34
Expiration Date: 2010-02-01 19:34

So, this domain, registered February 1, 2009, on "now.cn" in China, is still live and still serving malware on a server in Texas four and a half months later. (The IP address 216.32.83.110 on Layered Technologies.)

Some of the other sites on that IP address include:

gozbest.net - (alexeyvas@safe-mail.net)
parisochka.com - (venessahudgenses@gmail.com)
tafficbots.com - (zbestgotterflythe@gmail.com)
tiquilushka.com - (jebobealapeli@gmail.com)

I'm sure you'll recognize the first email, Shestakov Yuriy being one of the primary Eastern Europeans registering Chinese domains.

So what happens when you visit the "myhealtharea.cn" site? It forwards to:

showmeall-tube-xx.com on the path /tube.htm

That domain name is hosted in the UK on the IP address 67.228.137.2 where more than 90 other domains, including several registered using another Alexey Vasyliev alias (axeljob@mail.ru) are located. (Alexey is another alias for the alexeyvas above.)

/tube.htm then causes the download of the file:

911pornox.com on the path /_codec/103.exe

That domain is located on the IP address 194.164.4.77 in the Ukraine on Plitochnik's network.

This site also hosts a ton of fake anti-virus download sites:

browser-errors.com -(volodolov@gmail.com)
counteringate.com -(constnw@gmail.com)
downloadfixandlove.com -(constnw@gmail.com)
homepcupdate.com -(admin@wecanall.net)
homewinupdate.com -(admin@wecanall.net)
loved-online-tube.com -(constnw@gmail.com)
macromedla.com -(constnw@gmail.com)
molodiepilotki.com -(yakandeey2008@mail.ru)
online-video-tube.com -(technical-vladislava@gmail.com)
porno-online-tube.com -(constnw@gmail.com)
pornotube911.com -(constnw@gmail.com)
pornotube912.com -(constnw@gmail.com)
pornotubeonline09.com -(constnw@gmail.com)
pornotubeonline10.com -(constnw@gmail.com)
pornproduction.org -(skill1984@yahoo.com)
pornproductions09.com -(constnw@gmail.com)
pornproductions09.net -(constnw@gmail.com)
securebill09.com -(constnw@gmail.com)
tubeonporn09.com -(constnw@gmail.com)
tubeonporn09.net -(constnw@gmail.com)
tubepornolive.com -(constnw@gmail.com)
videoporntrue.com -(constnw@gmail.com)
videoporntrue.net -(constnw@gmail.com)
windownloading.com -(winderboosters@gmail.com)
winpcdef.com -(constnw@gmail.com)
winpcdefender09.com -(constnw@gmail.com)
suckitnow1.net -(constnw@gmail.com)

The Malware at the End of the Trail



The malware that we just downloaded, however, the 103.exe file, is largely undetected by the 41 anti-virus programs used at VirusTotal. It only has 7 of 41 detects:
File size: 77827 bytes
MD5 : 96590109bb28042dc8cf6e9d92163bc9

VirusTotal Report on 103.exe - 7 of 41 detects

Once the malware was unpacked we found that it was going to cause us to visit several other websites, including:

911pornox.com on the path /installed.php?id=
911pornox.com on the path /videosz.php
downloadfixandlove1.com on the path file.exe

and finally connect to a payment site:

payorderthis.com on the path /pp2/?id=

The "file.exe" from downloadfixandlove1 is very well-known at VirusTotal (32 of 41 detects) but that really doesn't matter since the previous malware already turned off your anti-virus program, and it only had 7 of 41 detects.

File size: 102400 bytes
MD5 : 5f1b9a406fd43de8c006f261feb36816

VirusTotal Report for "file.exe" - 32 of 41 detects.

PayOrderThis.com is the payment processing site for the fake anti-virus program "Win PC Defender".

Saturday, June 20, 2009

Spam Crisis in China

At the UAB Spam Data Mine, we continue to see that MOST of the spam we receive has ties to China. As an experiment this morning I looked at 37,825 URLs received in spam on Thursday. These boiled down to 687 domain names, of which 207 ended in ".cn". I decided to expand the scope of my query, and looked at all the spam from May 1 until June 18, 2009.


48 Days of Spam
===============
Total Domains    .cn domains    Hosted in China
12,246           8,045          6,813


For the year thus far, January 1 to present, we've successfully looked up the hosting IP address of 69,117 domains.


Top Level Domain
=================
48,552 .cn - 70% of all domains used in spam have a Chinese Top Level Domain
14,547 .com
1,553 .net
948 .ru
575 .info
425 .es
278 .at
212 .ch
73 .in
73 .tk
67 .org
46 .pl
30 .biz
27 .cz
22 .eu
16 .de
14 .ws
11 .cc
11 .ar
10 .nu
10 .sk



Hosting Country
================
48,331 CN - 70% of all spam domains hosted in China
8,412 US
3,914 KR
1,555 RU
1,053 UA
884 CA
719 MY
594 BG
524 DE
460 HK
323 AR
228 BR
210 IL
199 BE
187 NL
185 PL
179 GB
178 RO
104 CZ



It is very normal that more than 1/3rd of the domain names we see each day in spam messages come from China. When one also considers the many ".com" and ".ru" domain names which are also hosted in China, the problem is much worse. More than half of all spam either uses domain names registered in China, is sent from computers in China, or uses computers in China to host their web pages. The numbers above look much higher than half, but these are numbers about spam DOMAINS, not the actual number of spam messages. Some non-CN domains send a disproportionately high number of messages.

Historical Context



Before taking my current position as Director of Research in Computer Forensics at the University of Alabama at Birmingham, I was a volunteer anti-phishing handler at the CastleCops PIRT squad. PIRT, which stood for Phishing Incident Reporting & Termination, had a group of dedicated individuals who donated their time to identifying counterfeit websites designed to steal the login information to real websites, mostly the Userid and Password for your Bank, Credit Union, or other financial institution, or the credentials for your eBay/Paypal account.

From time to time, we would find a Registrar who was facilitating cybercrime. A Registrar is a company that has the ability to assign their customers the use of a domain name. When a criminal controls their own webservers, or distributes their webservices by hosting on a botnet, it's often the case that the only way to stop a particular fraud domain is to terminate the name by having the Registrar "take away" its nameserver. If a domain has no name services, it can't be resolved to an IP address, which means no one can visit the fraudulent domain.

Usually the problem was that the Registrar did not understand how cybercriminals operated, or that they had insufficient fraud detection mechanisms, or they had policies which ended up protecting the criminal. On very rare occasion it was because they chose to host criminal activity.

Some examples we faced at CastleCops included:

YESNIC in Korea was being used as the preferred Registrar by certain phishing criminals, but we were unable to get the sites terminated. Finally we made friends with a member of the Korean Information Security Agency who was able to take our cause straight to their door, and the behavior changed immediately.

NIC.AT in Austria was hosting criminal activity, and their lawyers told us the only way they would stop was for our team to mail a letter through the postal service to the individual in the WHOIS data. If the letter was returned to us as undeliverable, we could then forward that package to Austria, and they would terminate the domain name. The problem with that of course is that the criminals were using stolen credit cards, and the mail probably WOULD BE deliverable to whoever's credit card information had been used. Spamhaus helped us get them straightened out.

HKDNR in Hong Kong was actually the worst situation, and has turned out to be the most wonderful success story. On March 18, 2007 we finally decided that the only solution to our problem was to go fully public in a plea for help, and I issued an email called Crisis in Hong Kong, which was widely distributed.

Many friends, new and old, stepped forward to assist us in helping to influence change at HKDNR, including friends at HSBC Bank who had staff in Hong Kong who worked with the local police, Suresh Ramasubramanian, now with IBM, who describes his own role in the situation in this article, and Howard Lau of the Professional Information Security Association in Hong Kong, who supported our cause with this letter to the CIO of Hong Kong.

As a result, HKDNR's Operations Manager and the Hong Kong Technology Police worked together with us to form a solution, and HKDNR went from one of the highest fraud rates on the Internet to one of the lowest. I was pleased to be able to meet with my friends from this situation in Singapore where the three of us told our story together. They now publish tips for avoiding fraud such as Stay Away from Online Scam and Do's and Don'ts of Online Banking, and were praised in June of 2008 for Reducing Online Fraud 92% in One Year!

What about China?

We are well past time for someone to declare a "Spam Crisis in China".

There are three components to the Spam Crisis:

1) Certain Registrars in China who refuse to cooperate with abuse complaints and who let domains "live forever", even when they are involved in criminal activity. We do not believe these companies are criminals. We believe that these companies have provided "reseller services" to criminals, and do not engage themselves proactively in stopping the criminal activities of their resellers. We look forward to helping in any way possible to identify and stop the criminals who are tarnishing the names of the companies listed below. I specifically name:

Sponsoring Registrar: 易名中国 ENAME Corporation, www.ename.cn

Sponsoring Registrar: XIN NET TECHNOLOGY CORPORATION

2) Certain Network operators in China who refuse to cooperate with abuse complaints and who let bad computers "live forever", even when they are clearly involved in criminal activity. We invite the companies who are allowing criminals to continuously use their networks to take action so that they can be an International Success Story similar to our friends at HKDNR. We do not believe that these network companies are criminals. We believe that criminals use their network, and these companies have not yet found a way to effectively receive our complaints and remove these criminals from their networks. There are many companies, but I specifically name:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

ASN 9929 CNCNET-CN China Netcom Corp.

3) Law Enforcement activity. It is unacceptable in the International Community to allow one's country to continue to serve as a haven for spammers of illegally counterfeited pills, illegally counterfeited software, and illegally counterfeited watches and handbags. It is also unacceptable to provide hosting services for numerous international criminals to place their servers on networks in your country. We invite Chinese Law Enforcement to become engaged in being part of the solution to this problem, and through dialogue with the International Community learn more about interacting with other countries about these issues.

Examples of Spam Registrars

XIN NET has the distinction of being named the #1 Worst Registry for Spam two years in a row by our friends at Knujon in their Registrars report.

We've mentioned fraud related to these domains repeatedly in this blog in articles such as:

XIN NET Fraud Domains


Oct 10, 2008 where Debt Relief spam was hosted on XIN NET domains using hacked MSN/Live.com accounts to forward the messages.

Nov 12, 2008 where Many Canadian pharmacy domains hosted at McColo were registered at XIN NET (when XIN NET keeps showing up in lists with McColo and EST Domains, it's a big hint. Those companies are gone, because they cooperated with criminals too often!)

Nov 21, 2008 where Phishing domains such as 2r2cw3a8u.com were registered with XIN NET
May 31, 2009 where an MSN Worm stealing passwords used XIN NET registered domains

April 13, 2009 where Hydrocodone drug sales sites were registered at XIN NET

ENAME and Malware


April 15, 2009 - SMS Spy version of Waledac.

In that article I mentioned that
The root problem with Waledac's long-lived domains is they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "Ename.com",


April 29, 2009 we posted that Waledac-spreading virus domains were all registered at ENAME.

March 16, 2009 - Waledac Dirty Bomb version - using ENAME domain names

February 25, 2009 - Waledac Couponizer version - using ENAME domain names

Examples of Spam Hosting

The China Spam Crisis goes far beyond just the registrars who refuse to terminate domain names. I'm sorry that I can't put the whole list in my blog here, but here are two example files . . .

20,150 domain/IP pairs for spam received in the UAB Spam Data Mine in May 2009 where the domain is either a ".cn" domain, or is hosted in China.

11,900 domain/IP pairs for spam received in the UAB Spam Data Mine between June 1 and June 18, 2009 where the domain is either a ".cn" domain, or is hosted in China.

We invite others to review these lists, and to make comments or observations about them. If you create derivative products from this data, please provide a pointer back to the original, and share a link with me so that we can add a link here.

These reports contain a great deal of data, but I'd like to point out some of the abusive hosting practices which are occurring in China:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone


From May 1, 2009 until June 18, 2009 this Network has hosted 8,678 unique domains for which I have samples in the UAB Spam Data Mine. Twenty-eight separate IP addresses have been used for the hosting:

58.17.3.38
58.17.3.41
58.17.3.42
58.17.3.44
58.20.140.5
110.52.6.250
110.52.8.252
110.52.8.253
110.52.8.254
119.39.238.2
218.10.16.49
218.10.16.239
218.61.126.24
220.248.167.68
220.248.167.71
220.248.167.72
220.248.167.99
220.248.167.110
220.248.167.126
220.248.172.37
220.248.184.7
220.248.184.158
220.248.184.231
220.248.184.232
220.248.184.233
220.248.186.101
220.248.186.106
222.162.115.94

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street


From May 1, 2009 until June 18, 2009, this Network has hosted 4,146 unique domains for which I have spam examples in the UAB Spam Data Mine. Eighteen separate IP addresses have been used for the hosting:

59.42.254.178
60.191.221.123
60.191.239.164
60.191.239.165
60.191.239.166
60.191.239.181
60.191.239.189
60.191.239.191
60.191.191.241
61.191.63.150
121.10.117.244
121.12.169.167
125.87.1.4
211.147.224.28
218.75.144.6
222.189.239.108
222.189.239.122

ASN 9929 CNCNET-CN China Netcom Corp.


From May 1, 2009 until June 18, 2009, this Network has hosted 3,831 unique domains for which I have spam examples in the UAB Spam Data Mine. Three separate IP addresses have been used for the hosting:

203.93.208.86
203.93.209.104
210.51.181.161

Update


Our friend Jeff Chan runs SURBL, a site which tracks "spam-vertised" websites, and allows spam black-listing based on checking new email to see if it is advertising a known spam-vertised website. He ran through our list of more than 10,000 domains above and only found 36 domains which were not confirmed to have been seen in spam according to SURBL!


Next Steps

What do we do about this situation? For now, we are only calling for increased awareness. If you have a Blog, mention this. If you have a group of technical friends, discuss it and offer solutions. Most importantly, if you have contacts in China, whether at an Internet Service Provider, a Hosting Company, or in Law Enforcement, please point out to them these statistics.

I truly believe that the Chinese government would not willingly tolerate this horrible situation. My only answer is that it must not have been properly brought to their attention so far. Think creatively about what you could do to help with that situation, given the resources at your disposal.

Thanks!

Gary Warner

Wednesday, June 17, 2009

Swine Flu Pandemic (H1N1 Influenza) Leads to Increased Tamiflu Spam

We received a media query yesterday about how the announcement by the World Health Organization that we are now at "Full Pandemic" with H1N1 Influenza had impacted the type of spam scams we had seen.

I was among the many who believed that as soon as we went Pandemic, the spam would light up with malware lures using the Pandemic as bait, but so far we haven't seen any wide-spread or long-lasting malware campaigns based on the flu.

I ran some queries in the UAB Spam Data Mine this morning looking for information about the spam we've seen about swine flu, H1N1 influenza, or similar things, and the truth is that the biggest trend is that illegal pharmacy sites have begun including "Tamiflu" in their spam subjects.

Ever since the Swine Flu scare started, pill sites have begun to include the sales of Tamiflu on their sites. For instance, the Graphic URL Attachment spam that we've been seeing hosted on the Superman Internet Cafe in China sells Tamiflu in addition to their sex-enhancement pills.


(screen shot from "7594.org" website)

The Canadian Pharmacy group, run by the affiliate program GlavMed, pays their spammers a 40% commission for every pill sale. Let's see, that's a minimum of $70 per bottle of Tamiflu. Too bad it's all fake.




We've seen 49 different domain names advertised with the word Tamiflu in the subject line of the email so far this year.

From January through April there were zero emails that used Tamiflu in the subject line.

The first batch came May 8th and May 9th with this group of domains:

baswodek.cn
qelribak.cn
dokkelar.cn
vinlajoy.cn
fajbopim.cn
nuhkolim.cn
femkasug.cn
bajsovez.cn
vaclicak.cn
luctedid.cn
tucroqov.cn
cinmayad.cn
roybapew.cn
pofzirap.cn
cebnufew.cn
wojhoyub.cn
nezjobur.cn
fidzopaf.cn
yaggeraj.cn
lejsigev.cn
naqcuxuy.cn
waxhuyam.cn
niwkacuy.cn
ceynofos.cn
suvrijuw.cn
borbupad.cn
dasvitaw.cn
duqjamex.cn
lenteniq.cn

(He's got HUNDREDS of other spam domains for his pill sites, see more at the end of this article...)

That batch used a mix of subject lines such as:

Buy Tamiflu cheaper!
Tamiflu on low prices
Tamiflu on discounts!
Tamiflu. Discreet shipping
Flu attacks! Buy Tamiflu
Tamiflu on -40% prices
Fast shipping of Tamiflu

There was another tiny run on May 20th with two domains used:

narsusun.cn
roommeaningful.com

A funny email subject from this group:
"Opera Says - Stay Healthy this Season Get Tamiflu"

(dear spammer, please spell Oprah correctly or we won't buy your crap!)


A bit of German language spam used this domain starting June 7th:

keptbox.com


And now we have a VERY big spam blast which began late on June 10th, and has run continuously since, using these domains:

naqresus.cn - first Jun 10
bampiqid.cn - Jun 10
niwjogur.cn - Jun 10
totbagix.cn - Jun 11
mazgiged.cn - Jun 11
mumragix.cn - Jun 11
wekziyow.cn - Jun 12
kegpocaw.cn - Jun 12
luxmukiw.cn - Jun 12
sitkibot.cn - Jun 13
simjuwep.cn - Jun 14
zupdefem.cn - Jun 14
senhivar.cn - Jun 15
vasvokuz.cn - Jun 15
roljahuv.cn - Jun 16
pudludil.cn - Jun 16

This group is sending heavy volume, using spam subjects that primarily look like these:

2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, Phentermin,(Viagra10ਦꖋᵴ꾊 10=$119) mfebea n42
2009 World No.1 Internet Drugstore $1.00/pill: Viagrਦꖋᾋ竸, Tamiflu (H1N1), Phentermin, FemaleCialix, FemaleViagra umcpzj e6

Random characters at the end of each subject line make each occurrence unique, which the spammers believe makes it harder to block the emails. That's also the reason we see foreign characters mixed in to the spelling of the word "Viagra", since many spam filters just block everything with the word "Viagra" in the subject automatically.
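Both tricks in those subject lines, the random trailer and the foreign-script characters spliced into "Viagra", are aimed at filters that match the exact keyword. The following is an added example, not code from this blog: it folds each subject to ASCII (NFKC normalization, then dropping whatever is still non-ASCII), matches blocked terms with an edit distance of one so "Viagr" and "Cialix" still hit, and separately flags tokens that mix ASCII letters with other scripts. The blocked-term list is a constructed stand-in for a real one, and the full-width test case goes beyond the page's own samples to show why the NFKC step is there.

```python
import re
import unicodedata

# Constructed stand-in for a real blocklist; the terms come from the subjects quoted above.
BLOCKED_TERMS = ("viagra", "cialis", "tamiflu", "phentermine")

# Copies of the two subject lines quoted above, noise characters kept as-is.
SAMPLE_SUBJECTS = [
    "2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, "
    "Phentermin,(Viagra10ਦꖋᵴ꾊 10=$119) mfebea n42",
    "2009 World No.1 Internet Drugstore $1.00/pill: Viagrਦꖋᾋ竸, Tamiflu (H1N1), "
    "Phentermin, FemaleCialix, FemaleViagra umcpzj e6",
]


def ascii_fold(text):
    """NFKC maps compatibility forms (full-width letters, ligatures) to plain ASCII
    where one exists; anything still non-ASCII afterwards is dropped, so injected
    foreign-script characters disappear instead of breaking the keyword."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return "".join(ch for ch in folded if ch.isascii())


def levenshtein(a, b):
    """Plain edit distance, so one dropped or swapped letter still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _token_matches(token, term, max_distance):
    """True if some window of the token (one letter shorter to one longer than the
    term) is within max_distance edits of the term; catches FemaleViagra too."""
    for width in (len(term) - 1, len(term), len(term) + 1):
        if width < 1 or width > len(token):
            continue
        for start in range(len(token) - width + 1):
            if levenshtein(token[start:start + width], term) <= max_distance:
                return True
    return False


def find_obfuscated_terms(subject, terms=BLOCKED_TERMS, max_distance=1):
    """Set of blocked terms present in the subject after folding and fuzzy matching."""
    tokens = re.findall(r"[a-z]+", ascii_fold(subject))
    return {term for token in tokens for term in terms
            if _token_matches(token, term, max_distance)}


def mixed_script_tokens(subject):
    """Whitespace tokens that mix ASCII letters with non-ASCII characters: the
    'Viagr' + foreign-script pattern. Accented Latin words (café) trip this too,
    so treat it as a score contribution rather than a verdict on its own."""
    out = []
    for token in subject.split():
        has_ascii_letter = any(c.isascii() and c.isalpha() for c in token)
        has_non_ascii = any(not c.isascii() for c in token)
        if has_ascii_letter and has_non_ascii:
            out.append(token)
    return out


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(sorted(find_obfuscated_terms(subject)), mixed_script_tokens(subject))
```

The random trailing tokens ("mfebea n42") are deliberately not used as a signal here: they defeat exact-duplicate hashing of subjects, but once matching is done on folded tokens they are simply ignored, which is the point of folding before matching rather than comparing whole subject strings.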

Each of those websites has redirected to websites from this group:


These sites have a Tamiflu page that looks like this:


Probably worth noting that the price is exactly the same from Canadian Healthcare as it is from Canadian Pharmacy. Most of the descriptive text is the same as well, including the self-dosing recommendations:

"To treat flu symptoms: Take Tamiflu every 12 hours for 5 days.
To prevent flu symptoms: Take Tamiflu every 24 hours for 10 days or as prescribed. Follow your doctor's instructions."

The reason for the forwarding pages is for plausible deniability within the affiliate group. These spam messages are coming from a spammer who is being paid to generate drug sales leads. The affiliate program has rules which say they will deny payment from any website which used spam email to generate their sales. Now the affiliate can say "I've never advertised any of the sites selling my drugs with spam", which would be a true statement. The spam advertises the sites in the top group, which then FORWARDS to the sites in the bottom group, which is where the drug sales occur.

All of the sites in the bottom group are in Beijing, China, currently on the IP address 119.39.238.2


=================================
Here are the IP addresses of computers which are sending the current Tamiflu campaign:


So, of the 149 spam senders in the current group we've seen:

86 - lacnic (Latin American)
38 - ripencc (European)
17 - apnic (Asia Pacific)
8 - arin (North American)
1 - afrinic (Africa)

It's VERY unusual for such a high percentage of a spam campaign to come from South America! The botnet herder whose botnet is being used in this case could possibly have used Spanish-language bait to help spread his malware.

=================================
More spam pill domains from the May 8th Tamiflu spammer, which can all be found at the Superman Internet Cafe . . .


Tuesday, June 16, 2009

Armchair CyberWarriors: Twitter and #IranElection

Our friends over at ThreatChaos let us know about the newest "CyberWar" in their blog this morning, so we went over to Twitter (yeah, follow /garwarner) and decided to check things out for ourselves.

Apparently the Moral Compass of the Internet is currently indicating that CyberWar is a harmless feel good activity that Americans should be involved in. Let me quickly go on the record to say: ALL DDOS ACTIVITY IS A CRIME AND SHOULD NOT BE ENCOURAGED OR CONDONED IN ANY CIRCUMSTANCE

First, let's get the legal part out of the way. In the United States, the relevant code is Title 18 Part I Chapter 47 § 1030(a)(5)(A)(i), which says that anyone who:

(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

is in violation of the law and can be fined and imprisoned for up to one year (unless their intrusion causes medical or physical harm, or unless they are already a convicted felon, or unless they seek monetary gain, in which case the penalties go up).

So, is the president of Iran's website a protected computer? No, probably not. But any computer engaged in Interstate commerce is a protected computer. For example, all of the computers belonging to your ISP, which you are placing load on by your criminal activity. If it turns out you were collaborating with others in order to cause this activity to occur, say for instance, all of your buddies on Twitter, then you could also be said to be part of a Conspiracy, but we won't get into that here.

Before we spend any more time on the wisdom of deciding as a private citizen to declare war on a foreign power, let's see what's actually going on in Twitter-space with regards to this DDOS:

Esko Reinikainen of Wales is offering this #iranelection cyberwar guide for beginners, which includes some Gandhi-type actions, such as identifying yourself as an Iranian blogger with a time zone of GMT +3.30, on the theory, I suppose, that Iranian security forces will get confused as they seek out the real Iranian bloggers, and book a flight to Wales or the United States to stop the blogger. His point #6 is:


6. Denial of Service attacks. If you don't know what you are doing, stay out of this game. Only target those sites the legitimate Iranian bloggers are designating. Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off.


Of course you can tell the "legitimate" Iranian bloggers, because they use the tags "#iranelection" or "#gr88" in their posts.

Many of those calling for DDOS attacks are harmless voices that suggest things like:

/nzmrmn - #DDOS this http://isna.ir/ISNA/Default.aspx?Lang=E 1. Load page in browser 2. Hit refresh a million times. 3. ??? 4. Profit!

Others call for DDOS but offer no guidance whatsoever:

/vwkess - ...keep DDOS attacks.

While others promise that the DDOS is having a great effect, such as:

/FREETHEFUTURE: RT UNCONF: News from Inside Tehran #DDOS affecting police communications, not able to track protestors PLZ RT!!

which is being heavily retweeted:
/djd1414, /FreePersians, /ian_lcv, /momsprissy, /Chromedaffodils, /z3bbster, /TheBarRag, etc., etc.

Given the high tech crowd on Twitter though, it was certain that someone would come along and build a better mousetrap. Many Twitter folks discussed using "PageReboot.com" early in the DDOS. Giving this site a URL is an easy way for the site to be constantly reloaded. While historically the site has received little traffic, and almost all of it from China (88%), the MediaTemple hosted site is now showing that 25% of its traffic originates from Tehran.

/ElizabethFinn God/Allah bless everyone fighting in Iran. Set your browsers to http://www.pagereboot.com/?url=http://www.khamenei.ir/&Refresh=1 Goodnight.

/Tigrael http://www.pagereboot.com/?url=http://www.farhang.gov.ir/&refresh=1

/protactinium84 Hurt websites. http://www.pagereboot.com Set to 1. http://www.khamenei.ir/ http://www.presstv.ir/ www.President.ir http://www.irna.ir

/kamaleddin RT Lets take this down everybody CopyPasteKeepOpen http://www.pagereboot.com/...www.bornanews.ir&refresh=1 Let EVERYONE know.

The site was taken down, however, as the Twitterers reported:

/iran88 - pagereboot.com used for DDOS attacks in Iran is purposely DOWN.

One popular tweet offering a replacement for the original "PageReboot" is suggesting that people visit the site "whereismyvote.info". At the moment 9 of the 16 targeted pages are unreachable.

The site actually loads a webframe from "www.my-persia.com/ie", which in turn loads 16 frames named "Frame1.html" through "Frame16.html".

Each of these frames is using a service called "PageReboot" which causes the frame to reload itself once per second, so that visiting the single webpage will cause each of 16 "targeted" sites to be visited every second by each person viewing the page. The pages currently targeted by My-Persia are:

1. www.irna.ir = a search string is used to maximize the load on the server.
2. farsnews.com
3. www.rajanews.com = a search string is also used here to maximize the load on the server.
4. www.ahmadinejad.ir
5. www.leader.ir = a search for "khamenei" is used
6. www.president.ir = this site is actually still online despite being the most targeted of the campaign. Located on 80.191.69.40
7. www.irib.ir
8. www.iribnews.ir
9. www.kayhannews.ir = this site is the second one responding as live in my current visit.
10. farsi.khamenei.ir = actually sends a message back, saying that "Your IP, location, and other information has been recorded! Security Defence Team!"
11. www.entekhab10.net
12. www.isna.ir = also live, hosted at 64.130.220.65, which means DDOSing this box is an attack against a computer in Ontario Canada.
13. presstv.com = also live, hosted at 217.218.67.228
14. www.moi.ir = also live, hosted at 80.191.0.78
15. english.iribnews.ir = also live, hosted at 62.220.121.23
16. www.leader.ir = using a search
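
As an added example that is not part of the original post, here is the server-side detection a site operator could run over access logs to spot browsers being driven by a page-reloader like the one described above: it flags any client that requests the same URL more than a threshold number of times within a short window, or whose Referer comes from one of the reload services named in the tweets. The log lines, client addresses and the target host (www.example.com) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Reload services named in the tweets above; a Referer from one of these
# means the browser is being driven by a page-refresher, not by a reader.
RELOADER_HOSTS = {
    "pagereboot.com", "www.pagereboot.com",
    "refreshthing.com", "www.refreshthing.com",
}

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: 203.0.113.7 reloads the same search URL once per
# second through PageReboot (the Referer keeps the reloader's URL form seen
# in the tweets); 198.51.100.9 is an ordinary reader.
SAMPLE_LOG = "\n".join(
    [
        f'203.0.113.7 - - [16/Jun/2009:10:00:{sec:02d} +0000] '
        f'"GET /search?q=news HTTP/1.1" 200 5120 '
        f'"http://www.pagereboot.com/?url=http://www.example.com/search?q=news&refresh=1" '
        f'"Mozilla/5.0"'
        for sec in range(6)
    ]
    + [
        '198.51.100.9 - - [16/Jun/2009:10:00:03 +0000] "GET /news/1234 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [16/Jun/2009:10:00:33 +0000] "GET /news/1240 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    ]
)


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_refresh_floods(log_text: str, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Map (ip, path) -> details for clients that look like refresh floods."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[(rec["ip"], rec["path"])].append(rec)

    flagged = {}
    for key, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        times = [r["time"] for r in recs]
        # Largest number of hits on this exact URL inside any sliding window.
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        via_reloader = any(
            urlsplit(r["referer"]).hostname in RELOADER_HOSTS for r in recs
        )
        if peak >= threshold or via_reloader:
            flagged[key] = {"peak_in_window": peak, "via_reloader": via_reloader}
    return flagged


if __name__ == "__main__":
    for (ip, path), info in find_refresh_floods(SAMPLE_LOG).items():
        print(ip, path, info)
```

A search URL is the usual choice for this kind of flood because each hit costs the server a query, which is why the peak is computed per exact path rather than per host.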

Other sites are also being put forward to do "refreshes" automatically, such as:

/uberguru - who points us to "refreshthing.com" currently being used to DDOS isna.ir

/iran88 - Use refreshthing.com instead of pagereboot if it is down

/ironcamel - provides a pointer to a list of Iranian embassies around the world and suggests those as better DDOS targets: http://www.embassyworld.com/Iran/

/Spooky_Fox - providing a list of proxies to use to perform your DDOS on the site "iran.whyweprotest.net" -- people logging in there are posting offers for proxies to allow "anonymized" twitter posting. Of course following the general theme of paranoia that this whole site is based upon, one has to ask how we know those aren't Iranian security forces offering the proxies??


Others are asking people to STOP the DDOS, such as:

/iron_riots - "RT: Pls stop DDOS on iran's website they slow down the entire countries internet"

/B2020 - (same thing)

/OrangeCorner - offers a link on Daily Kos on why NOT to DDOS Iran. I agree with the general argument ( http://www.dailykos.com/story/2009/6/15/742591/-Do-NOT-DDOS-Iranian-websites ), but please don't tell my Fox News mother-in-law I agreed with something on Daily Kos, or she won't cook me dinner tonight!

/danteimprimis - Iranians reporting that the DDOS attacks on gov't sites are hurting overall bandwidth. May be satisfying, but we should stop.

/danielsandberg - To #IranElection protestors: DO NOT DDOS Iranian gov websites:

Monday, June 15, 2009

Graphic URL Attachment Spam and the Superman Internet Cafe


Sunday, June 14, 2009

Money Laundering $1 at a time - a win for the UK's PCeU

In London a little-known police unit called the Police Central E-Crime Unit (PCeU) has scored another big win. For several years people have been seeing music tracks they didn't remember purchasing show up on their credit card statements. In England they referred to this as "51 pence fraud", and explained that buying a track was a way the criminals were using to test stolen credit cards to see whether a card was valid. The theory was that if the card was valid, the criminals would then move on to bigger and better purchases, or would sell it as a "proven" card.

The PCeU found that there was actually something else going on. Working with the FBI, they arrested three women and seven men between the ages of 19 and 46 for buying their own music on iTunes and Amazon.com. The group of DJs recorded at least 19 tracks and sold them via the distribution company Tunecore, which marketed the tracks through the two online giants. They then used more than 1500 stolen credit cards to buy their own music repeatedly. As the creators of the music, their $750,000 (£469,000) in purchases earned them $300,000 in profits!

The investigation, which was launched in February of this year, culminated in simultaneous arrests on June 10th. More than 60 officers in London, Birmingham, Wolverhampton, and Kent rounded up the first nine members, and a tenth member was arrested later, according to the Times Online.

The PCeU certainly has a great sounding set of goals:

# Analysis and development of intelligence on e-crime to produce actionable operational products, in collaboration with other agencies.

# Intelligence-led disruption of e-crime.

# Development and maintenance of a collaborative network of police, government and industry partners on e-crime.

# Exchange of information and intelligence concerning e-crime with principal stakeholders, including government departments, industry partners, academia, and the charitable sector.

# Provision of education and preventative advice about e-crime to industry and the public.

# Promotion of standards for training, procedure and response to e-crime.

# Co-ordination of research on emerging e-crime threats and vulnerabilities (in collaboration with industry partners, government agencies and academia) and provision of advice on this to all stakeholders.

Some will think that sounds like the old National Hi-Tech Crime Unit, which was moved back in April of 2006 into the Serious Organised Crime Agency (SOCA). A controversy began brewing in early 2008 as various parties began calling for the creation of a new cybercrime unit, claiming that SOCA was devoting less than 2% of its staff and less than 1% of its budget to fighting e-crime. The Tories began a public shaming campaign trying to raise the £1.3m that was needed to get the unit started up. Not all covert law enforcement activities end up as line items in government reports, and SOCA was forced to come to its own defense in the press, revealing some of its operations, including the fact that a 58-person staff was focused "almost exclusively on cybercrime", while 140 liaison officers work worldwide on international matters, including cybercrime coordination with five other major western countries.

The money was approved, and now, with the PCeU officially online, SOCA's 2009-2010 plan reveals that technology enabled crime and fiscal fraud will continue to be a small part of its overall operations -- about 5% according to p. 12 of their Annual Plan, but as with so many other parts of crime, more and more computerization is occurring. Can we really say that the "Criminal finances and profits" portion of SOCA's 12% dedicated to "Criminals and their businesses" is not going to include a great deal of cybercrime?

ZDNet UK calls Detective Superintendent Charlie McMurdie "one of the architects of the Police Central e-Crime Unit". McMurdie envisioned a "National Fraud Reporting Centre", which sounds very similar to the US's Internet Crime Complaint Center - a place where the public could report the frauds they have experienced to a central law enforcement body. Questions have been raised in the British press as to whether their government is serious about fighting cybercrime, in articles such as "Can £7m dent £105bn cyber crime menace?", which admits they will not have the budget to do centralized reporting of e-crime as was originally intended, especially with that £7m being spread over 3 years. McMurdie replies that with a limited budget, her unit will only be successful with great cooperation from industry, especially in lending its expertise. In that way PCeU may be more similar to some of the successful FBI public-private partnerships, such as the National Cyber Forensics Training Alliance, recently praised by President Obama's Cybersecurity review, where industry experts gather to share their expertise with Federal law enforcement, or the InfraGard program, where more than 28,000 citizens who work in security and infrastructure companies share their knowledge with their peers in government. McMurdie's push was described back in October in the Silicon.com article "Do you have what it takes to be an e-caped crusader?"

If someone from the PCeU's Partnership Development Team wants to chat, feel free to reach out.

Saturday, June 06, 2009

Gumblar's 48,000 Compromised Domains Makes the Web a Dangerous Place

Last week one of the students in the UAB Computer Forensics program came to see me about a virus problem he'd been working on for a classmate. Her computer was infected with many malware programs, and my student, who works for me as a Malware Analyst, decided to take a look.

He came by to tell me about the situation, which involved a Facebook group that his classmate had joined. It was a group dedicated to organizing political action around a particular cause, with more than 40,000 members. At the top of their site it says "If you're looking for more information ..., visit our website" and gives the link.

Unfortunately, when any of the 40,000 members visited the link, they got a little extra surprise. The organizers didn't strike us as the type to be involved in infecting their membership to steal passwords, so we decided to make contact. They called back, and after checking my team out with some law enforcement references to verify that we are nice guys who are good at looking at viruses, they sent us everything they knew about their situation.

Their xfer logs indicated that the malicious content was uploaded to their server by a visitor from the Ukraine, who had logged in using their webmaster's correct userid and password. It wasn't a poorly chosen password, and it wasn't brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster's FTP password was known to the criminals.

The biggest hint was the names of the two IFRAMEs which were located on the site:

http://dotcomnameshop.cn/in.cgi?income25
and
http://namesupermart.cn/in.cgi?income20

(Update: This campaign is also associated with two other injection keywords:

/ts/in.cgi?mozila## found on:

nonfatautobest.cn
greatliteautobest.cn
litefinestdirect.cn
yourlitetop.cn

/ts/in.cgi?pepsi## found on:


Their original content was still in place, but someone had saved the code, added IFRAMEs pointing to the above URLs, and then logged in as the webmaster to upload the modified pages.

The two domains both resolve to the IP address, 67.228.194.237, which is SoftLayer Technologies in Dallas, Texas. We decided to look at what other domains were on the same IP address, and found 59 others.

Now, we know that just because two domains resolve to the same IP address does not mean they are related, so we compared the WHOIS information for some of the domains to each other.

For instance:

Domain Name: namesupermart.cn
ROID: 20081007s10001s46287853-cn
Domain Status: clientTransferProhibited
Registrant Organization: Scott Bell
Registrant Name: Scott Bell
Administrative Email: scottkbell@missiongossip.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostserver.com
Name Server:ns2.freednshostserver.com
Registration Date: 2008-10-07 04:47
Expiration Date: 2009-10-07 04:47

Domain Name: thelotbet.cn
ROID: 20081108s10001s82360691-cn
Domain Status: clientTransferProhibited
Registrant Organization: Raymond Keaton
Registrant Name: Raymond Keaton
Administrative Email: keaton@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-11-08 16:13
Expiration Date: 2009-11-08 16:13

Many of the domains were registered to Raymond Keaton or Scott Bell above, or also to Michelle Rea rea@cybernauttech.com.

Many of the domains were EXTREMELY POPULAR as well. For instance, "superbetfair.cn" had more than 50,000 visitors last month. (By comparison, this blog only gets around 10,000 visitors per month.)

But are all the domains malicious? To answer that question, we asked Google's SafeBrowsing project to assess whether the domains were known to be associated with malware, and if so, how many domains seemed to have been infected by the malware.

Here are the results we got. You can click on the number in the right-hand column to visit the current Google SafeBrowsing page for each domain. The numbers listed are the results as shown on Friday, June 5, 2009.


IFRAME Domain, Infected Domain Count
coolnameshop.cn, 935
cutlot.cn, 1549
denverfilmdigitalmedia.cn, 601
diettopseek.cn, 477
dotcomnameshop.cn, 399
filmlifemediaguide.cn, 0
filmlifemusicsite.cn, 38
filmtypemedia.cn, 0
findbigname.cn, 452
findbigurls.cn, 371
homenameregistration.cn, 542
hotslotpot.cn, 860
internetnamestore.cn, 956
liteautotop.cn, 965
litecarfinestsite.cn, 2324
litecartop.cn, 3889
litedownloadseek.cn, 805
litegreatestdirect.cn, 2664
litepremiumlist.cn, 0
litetopfindworld.cn, 1375
litetoplocatesite.cn, 202
lotante.cn, 1699
lotbetworld.cn, 741
lotmachinesguide.cn, 3654
lotultimatebet.cn, 546
mainnameshop.cn, 459
mediahomenamemartvideo.cn, 240
mediahousenameshopfilm.cn, 265
mixante.cn, 1050
nameashop.cn, 645
namebuyline.cn, 310
namebuypicture.cn, 2692
namestorefilmlife.cn, 351
namesupermart.cn, 424
nanotopfind.cn, 14
nonfatautobest.cn, 271
nonfatcarbest.cn, 744
perfectnamestore.cn, 662
playbetwager.cn, 383
promixgroup.cn, 823
superbetfair.cn, 3967
superlitecarbest.cn, 677
thelotbet.cn, 415
yourfilmmovie.cn, 0
yourliteseek.cn, 59


It should be noted that these domain names have been moved on several occasions (possibly as many as eleven as of this timestamp). We know that many of these domains previously resolved to: 94.247.3.150 and 77.221.154.138

Here are some searches on the site "Malware Domain List" that will be useful for tracking these domains:

http://www.malwaredomainlist.com/mdl.php?search=in.cgi%3Fincome&colsearch=All&quantity=50

It is common for the IFRAMEs used by this malware group to request a file and query string of the form "in.cgi?income##" or "in.cgi?cocacola##", where ## is any two-digit number. We believe "income" and "cocacola" work like affiliate tags, and that different malware may be dropped depending on which affiliate routed the computer to the malware drop site.
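A defender-side check for that IFRAME pattern, added here as an example (it is not code from this post or from UAB): it scans fetched page content for frames whose src points at in.cgi?income## or in.cgi?cocacola##, notes whether the frame is hidden, and tallies the affiliate tags. The sample pages and the victim host names are constructed; the redirector domains come from the table above.

```python
import re
from collections import Counter, namedtuple

# Any <iframe ...> tag, then the src attribute inside it (quoted or not, scheme optional).
TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(
    r"""\bsrc\s*=\s*["']?\s*(?:https?://)?([^/"'\s>]+)/in\.cgi\?(income|cocacola)(\d{2})\b""",
    re.IGNORECASE,
)
# Attributes that make a frame invisible to the visitor (zero size or hidden by CSS).
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)

Hit = namedtuple("Hit", "host tag num hidden")

# Constructed sample pages: two carry the injected frame, one carries a benign frame.
SAMPLE_PAGES = {
    "victim-a.example": '<html><body><h1>Welcome</h1>\n'
        '<iframe src="http://superbetfair.cn/in.cgi?income23" width=0 height=0 frameborder=0>'
        '</iframe>\n</body></html>',
    "victim-b.example": "<p>news</p><IFRAME SRC=litecartop.cn/in.cgi?cocacola07 "
        "style='visibility:hidden'></IFRAME>",
    "clean.example": '<iframe src="https://www.example.com/embed/1"></iframe>',
}


def find_injected_iframes(html):
    """Return a Hit for every iframe whose src matches the in.cgi?<tag>## pattern."""
    hits = []
    for tag in TAG_RE.findall(html):
        m = SRC_RE.search(tag)
        if m:
            hits.append(Hit(m.group(1).lower(), m.group(2).lower(), m.group(3),
                            bool(HIDDEN_RE.search(tag))))
    return hits


def scan_site_pages(pages):
    """Map page -> hits; also return the set of infected pages and a count per affiliate tag."""
    report = {name: find_injected_iframes(html) for name, html in pages.items()}
    infected = {name for name, hits in report.items() if hits}
    by_tag = Counter(h.tag for hits in report.values() for h in hits)
    return infected, by_tag, report


if __name__ == "__main__":
    infected, by_tag, report = scan_site_pages(SAMPLE_PAGES)
    for name in sorted(infected):
        print(name, [f"{h.host} tag={h.tag}{h.num} hidden={h.hidden}" for h in report[name]])
    print("affiliate tags:", dict(by_tag))
```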

But what happens after you are sent to one of these IFRAME pages? That's what UAB Malware Analyst Brian Tanner set about to determine.

The pages that receive the IFRAME traffic currently have two exploits present on them - one which takes advantage of a known Flash Player vulnerability, and the other which takes advantage of a known Adobe PDF Reader vulnerability. On visiting the page, a poorly configured browser will attempt to play the ".swf" file with Flash Player and open the ".pdf" file with Adobe Reader. If the visitor is using an unpatched version of either the Player or the Reader, they will become infected.

Brian tested the PDF by installing Adobe Reader 7.0 (although we have since confirmed that all of the 7.x and 8.x versions of Adobe Reader are exploitable with this trick).

Upon opening the PDF file, JavaScript code embedded within the PDF causes it to download a program called pdfupd.exe. In our test example, it did so by visiting the site giantbeaversdiet.cn:8080/landig.php?id=8

Domain Name: giantbeaversdiet.cn
ROID: 20081114s10001s24254090-cn
Registrant Organization: Raymond Best
Registrant Name: Raymond Best
Administrative Email: raymond@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-11-14 21:48
Expiration Date: 2009-11-14 21:48

Hmmm...another CyberNautTech.com email address. I think that will count as a link. This domain was hosted on The Planet at the time of our testing on the IP address: 70.85.142.250

They've since been kicked off The Planet and are now residing at 87.106.103.122 on Schlund's network in the UK.

On the day when Brian ran his analysis, here is what VirusTotal had to say about his infected PDF, and the executable that it dropped:

The following is the Virus Total scan for readme.pdf
File size: 6560 bytes
MD5...: 754b90b3850a17264be95e00ec005b48
8/39 detections:
a-squared -
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Authentium PDF/CollabExpl.E!Camelot
Avast JS:Packed-P
AVG -
BitDefender Exploit.PDF-JS.Gen
CAT-QuickHeal -
ClamAV Exploit.PDF-63
Comodo -
DrWeb -
eSafe -
eTrust-Vet -
F-Prot -
F-Secure -
Fortinet -
GData Exploit.PDF-JS.Gen
Ikarus -
K7AntiVirus -
Kaspersky -
McAfee -
McAfee+Artemis -
McAfee-GW-Edition -
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx -
Rising -
Sophos Troj/PDFJs-L
Sunbelt Exploit.PDF-JS.Gen (v)
Symantec Bloodhound.Exploit.196
TheHacker -
TrendMicro -
VBA32 -
ViRobot -


The following is the Virus Total scan for pdfupd.exe (and load.exe):
File size: 20992 bytes
MD5...: 03d959dde5b7f9b9f62f12762ba72f43
2/40 detections:
a-squared -
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Authentium -
Avast -
AVG -
BitDefender -
CAT-QuickHeal -
ClamAV -
Comodo -
DrWeb -
eSafe Suspicious File
eTrust-Vet -
F-Prot -
F-Secure -
Fortinet -
GData -
Ikarus -
K7AntiVirus -
Kaspersky -
McAfee -
McAfee+Artemis -
McAfee-GW-Edition -
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx Medium Risk Malware
Rising -
Sophos -
Sunbelt -
Symantec -
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -

So, what do we have?

IFRAMEs injected into more than 48,000 domains, probably via an FTP upload of an altered web page. How much traffic is going to the domain that indicates a successful compromise via the PDF exploit?

Some of the domains, which we decline to name here, have seen more than 260,000 unique US IP addresses visit them during the month of April 2009, according to Quantcast and Compete.com.

An interesting comment in the PDF file:

Boris like horilka

The Ukrainian word for vodka is horilka. We'd love to see more PDFs with that comment in them; if you have any samples, please send them to me!
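A small triage routine for PDFs like the one Brian analysed (JavaScript run from an OpenAction, and a stray "%" comment like the one above), added here as an example that is not code from this post or from UAB. The sample PDF it builds is constructed: the JavaScript inside it is a harmless placeholder, packed in a FlateDecode stream so that the inflate step is exercised.

```python
import re
import zlib

# Dictionary keys worth flagging in a PDF that arrives by drive-by download.
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# "%" comment lines other than the header and the %%EOF marker.
COMMENT_RE = re.compile(rb"^%(?!PDF-|%EOF)(.*)$", re.MULTILINE)


def build_sample_pdf():
    """Constructed sample: Catalog -> OpenAction -> JavaScript action with a Flate-packed script."""
    packed = zlib.compress(b"app.alert('placeholder');")  # harmless stand-in, not the real script
    return (b"%PDF-1.4\n%Boris like horilka\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def inflate_streams(data):
    """Inflate every stream that is valid zlib data; skip the rest (not Flate, or damaged)."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def triage_pdf(data):
    """Count risky keys in the raw file and inflated streams, pull comments and any script text."""
    inflated = inflate_streams(data)
    views = [data] + inflated
    risky = {k.decode(): n for k in RISKY_KEYS if (n := sum(v.count(k) for v in views))}
    # Search comments with the binary streams removed so packed bytes cannot look like "%..." lines.
    comments = [c.strip().decode("latin-1") for c in COMMENT_RE.findall(STREAM_RE.sub(b"", data))]
    scripts = [v.decode("latin-1") for v in inflated if b"app." in v or b"util." in v]
    verdict = "suspicious" if ("/JavaScript" in risky or "/JS" in risky) else "clean"
    return {"risky": risky, "comments": comments, "scripts": scripts, "verdict": verdict}


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```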

Here is an expanded list of domains connected with this malware campaign:
