Since October 2011 we have been watching this affiliate system: Money Racing AV, a private PPS (Pay-Per-Sale) affiliate program that actively spreads fake antispyware (rogue) software. We had already seen this gang active in August 2009 (A recent tour of scareware XII). Advertising can be found on various Russian underground communities:
First contact with FTL (6 October 2011):
The Money Racing gang operates from moneyracing.ru and is known for spreading scareware with this type of graphical user interface:
Money Racing website login:
The fish image is the logo of G-Loomis (a company that makes fishing rods, reels, rod blanks and accessories). Probably a coincidence, but during the 19th century there was the Loomis Gang, a notorious family of outlaws that operated in central New York.
I've established the following structure of the Money Racing site:
Of all these directories, some are interesting, like the folder /back/
And if we go back to 2009 we can see that these scarewares connected directly to moneyracing.ru:
URLs found inside:
Now, a simple reflection on the name 'Racing Money': racing... hmm, racing = cars.
And if we check the old IP used in the years 200..
we find lanos-club.ru, a forum about cars; maybe it's just a coincidence.
Back to the moneyracing.ru domain: we also have this 'test.php', a malicious page detected as Blackhole Exploit Kit (probably very old).
The obfuscated code leads to xmlalien.in/main.php?page=1321edc7470b347f
Now, what the IP of Money Racing can tell us:
The 302/403 responses are interesting because they return the names of the machines.
For example, on the Money Racing network, orderonline-1.com was used as the billing machine:
And freshmediacontent.com as the report machine:
I recontacted the owner of Money Racing on 9 December 2011:
Out of business, apparently, according to him.
He told me to search the underground forums for a guy with the nick 'бомбе'
But I never found a 'Bomb' or anyone else affiliated with Money Racing, so I contacted him again on 18 December 2011:
But it's more probable that he doesn't want partners for the moment, due to the exposure by Vyacheslav Zakorzhevsky on October 27.
More recently, in January, a colleague detected the domain core6575.opensourceavpro.com as a malicious download; the domain in question is from the Money Racing network.
By searching for info and URLs we can determine the following syntax:
This domain was used as a landing page for Money Racing partners.
A screenshot of the site:
From the site's cascading style sheets I also found an image that is absolutely not related to the usual scareware landing page:
But I found nothing related to a 'Youtube Studio' landing page on the server;
with Google, however, I get this: youtubestudiopro.com.
The downloaded file is legit:
The graph of youtubestudiopro.com is interesting:
Details for 188.8.131.52:
And if I click on contact: 184.108.40.206/contacts.html. Another landing page, this time 'Monstocloud':
The company address is the same as Registry Fixer (egistryengineer.com):
Now, to return to core6575.opensourceavpro.com: there is just a scareware 'setup.exe' hosted there (AV Protection Online).
As usual we can get the machine names from the 302 or 403 responses:
ourbigbooklibrarry.com and mediaforclouds.com as "reports.host".
storeordersonline.com and onlineorderbilling.com as "bill.host".
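The pivot described above (a 302 Location header or an Apache-style 403 error page leaking the real host name behind an IP) can be automated. This is an added example, not code from the original post: it parses constructed HTTP responses (not captured traffic) and pulls out the host names; the response bodies and headers are assumptions, only the domain names come from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses, not real captures: a 302 redirect, an
# Apache-style 403 page, and a plain 200 that leaks nothing.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nServer: nginx\r\n"
    "Location: http://orderonline-1.com/bill/\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Forbidden</h1><address>Apache/2.2.3 (CentOS) "
    "Server at freshmediacontent.com Port 80</address></body></html>",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>landing</html>",
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
LOCATION_RE = re.compile(r"^Location:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Default Apache error-page footer: "Server at <hostname> Port <port>"
APACHE_FOOTER_RE = re.compile(r"Server at ([A-Za-z0-9.-]+) Port (\d+)")


def leaked_hostnames(raw_response: str) -> set:
    """Return host names revealed by a 302 Location header or a 403 Apache footer."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = STATUS_RE.match(head)
    if not status:
        return set()
    code = status.group(1)
    found = set()
    if code == "302":
        m = LOCATION_RE.search(head)
        host = urlsplit(m.group(1)).hostname if m else None
        if host:
            found.add(host.lower())
    elif code == "403":
        for host, _port in APACHE_FOOTER_RE.findall(body):
            found.add(host.lower())
    return found


def collect_hostnames(responses) -> set:
    """Aggregate leaked host names over a batch of responses from one IP."""
    result = set()
    for raw in responses:
        result |= leaked_hostnames(raw)
    return result


if __name__ == "__main__":
    print(sorted(collect_hostnames(SAMPLE_RESPONSES)))
```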
Also note that this '360 Security' was never found as an 'executable version'.
opensourceavpro.com also has a fake purchase page online:
Even the captcha is fake (a static GIF image) and is not verified:
When we submit a wrong billing order, the following text is displayed:
CCBill is a payment processing service, mostly used for adult sites.
We also have this URL from opensourceavpro.com, once again related to the Money Racing network:
Screenshot of avsecurecs.com:
On the "About Us" page they claim to be at 392 Potrero Avenue, Sunnyvale.
But 360 Security LP doesn't exist:
We also found a phpinfo file on the server, which gives some interesting information:
The actual domain of Money Racing is mrwrk.com; mrwrk probably stands for "Money Racing workers".
mrwrk and the SSH connections were under brute force (pure and with wordlists), but that did nothing. This gang continues to make errors and we will continue to keep an eye on them.
Steven K (Xylitol)