Tuesday, December 22, 2009

Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline


Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I've been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and actual Koobface botnet activity that's been taking place there for months, pinged me with an interesting email - "Riccom are now gone" (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing on the malicious activity taking place there.

Since I've been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobace botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief  retrospective of the malicious activity that took place there.

Malicious activity I've been analyzing since August, 2009:
Clearly, in terms of cybercrime, especially one that's monetizing an asset with high liquidity such as scareware, "better late than never" doesn't seem to sound very appropriate.

Image courtesy of TrendMicro's The Heart of Koobface - C&C and Social Network Propagation report.

Related Koobface research published in 2009:
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog.