Thursday, April 2, 2009

Black Hat SEO and Rogue Antivirus p.4

The silent threat: Black Hat SEO and Rogue Antivirus

Full of rogues

READ THIS page if you need more information


This is just a sample of the websites found over the previous days which are still running (with some ThreatExpert or VirusTotal reports).

Sites running on these IPs can also be found on this blog and several other forums.

Hosted by Netelligent Hosting Services Inc on the IP 209.44.126.14

activesecurityshield.com - ThreatExpert Report
bestsecurityupdate.com - ThreatExpert Report
getscanonline.com - ThreatExpert Report
getsecuritywall.com - ThreatExpert Report
scanalertspage.com - ThreatExpert Report
scanbaseonline.com - ThreatExpert Report
onlinescandetect.com - ThreatExpert Report
runpcscannow.com - ThreatExpert Report
yourstabilitysystem.com - ThreatExpert Report
websecuritymaster.com - ThreatExpert Report
websecurityvoice.com - ThreatExpert Report

Hosted by Layered Technologies, Inc on the IP 72.233.34.6

zpmuwbtqqwkw.net

Hosted by ZlKon on the IP 94.247.3.3

greatvirusscan.com - ThreatExpert Report
webprotectionscan.com - ThreatExpert Report

Hosted by ZlKon on the IP 94.247.3.74

onlinescandetect.com - ThreatExpert Report

Hosted by Eurohost LLC on the IP 91.212.65.55

securityscanguide.com - ThreatExpert Report

Hosted by UK2 GROUP LTD using resellermatrix on the IP 66.197.154.198
other info:
netname: HOSTNOC-2BLK
AS21788 - BurstNet Technologies, Inc.
route: 66.197.128.0/17
canonical name for 66.197.154.198: ip.ipdatacenter.net

megascan6.com
nowscan6.com
scanline6.com
scan6just.com
scan6log.com
scan6main.com
scan6now.com

Hosted by netdirekt e.K. on the IP 89.149.241.134

desktopprepairpackage.com
pcantimalwaresolution.com

Hosted by Ecatel LTD on the IP 91.212.65.55 [AS29073]

securityscanguide.com - ThreatExpert Report

Hosted by netdirekt e.K. on the IP 89.149.241.134
also use 94.102.51.14 by Ecatel Network

comdwnld.com
desktopprepairpackage.com
pcantimalwaresolution.com
removespywarethreats.com
securecleanersolution.com
securecleanertool.com



Another interesting link on "evenmorestats.com" leads to a collection of SCAM sites:

cleanerpcsolution.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
malwareremovingtool.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
pcantimalwaresolution.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
removespywarethreats.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
securecleanersolution.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
securecleanertool.com [89.149.241.134] - AS28753 - NETDIRECT Frankfurt, DE
comdwnld.com [94.102.51.14] - AS29073 - Ecatel Network
evenmorestats.com [84.243.252.160] - AS16131 - GrafiX Internet B.V.
go-uniq.com [72.55.153.155] - AS32613 - iWeb Technologies Inc.
mydwnld.com [88.198.8.15] - AS24940 - Hetzner Online AG RZ-Nuernberg
promotion-offer.com [88.198.233.225] - AS24940 - Hetzner Online AG RZ-Nuernberg
traff-direct.com [78.129.158.69] - AS29131 - RapidSwitch Ltd

The first six sites use 89.149.241.134 and 94.102.51.14.

Some of them are registered with "Nexton Limited" as registrant, and a Google search for that name reveals no
entries apart from pornography and malware sites.
Several others use "Preston Wasson" wassonpreston@email.com.

Some name servers they have in common and actively use (several others will not be added to this page):

with ENOM, INC. as registrar:
ns1.comondns.com [58.65.233.33] - AS10026 - ANC Asia Netcom Corporation
ns2.comondns.com [58.65.233.33] - AS10026 - ANC Asia Netcom Corporation
ns3.comondns.com [89.149.227.248] - AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
ns4.comondns.com [79.135.168.112] - AS44097 - SNETTELECOM-AS Sistemnet Telekomunikasyon
ns5.comondns.com [79.135.168.112] - AS44097 - SNETTELECOM-AS Sistemnet Telekomunikasyon

with DIRECTI INTERNET SOLUTIONS PVT. LTD. as registrar:
ns1.gonsset.com [94.102.51.14]
ns1.gonsset.com [89.149.227.248]

Previous IPs, netblocks, WHOIS info and other domains can be retrieved on the
msmvps Spyware Sucks blog here

Redirectors are: evenmorestats.com/in.cgi?6 - go-uniq.com/in.cgi?13&gai=cspamg&gli=79 (Analysis)



comdwnld.com holds a collection of rogue security software which it serves to several other sites:

Some detections: Trojan FakeSpyGuard, Adware VirusRemover, WinAntiVirus2008, Trojan Hiloti, SpywareRemover2009




First, the home pages of these sites (screenshots not included):

cleanerpcsolution.com
desktoprepairpackage.com
pcsolutionshelp.com
malwareremovingtool.com
pcantimalwaresolution.com
removespywarethreats.com
securecleanersolution.com

And now the collection of fake scanners, each with a different template (screenshots not included).

hxxp://removespywarethreats.com/2009/142/?a=&l=&f=&ex=&ed=&sub=pdt&prodabbr=USRM

Redirectors:

hxxp://evenmorestats.com/in.cgi (redirects to Yahoo News)
hxxp://evenmorestats.com/in.cgi?2 (redirects to Google)

hxxp://evenmorestats.com/in.cgi?3 (Analysis)
redirects to:
hxxp://securecleanersolution.com/2009/1001/?a=&l=&f=&sub=&prodabbr=3P_USEC

hxxp://evenmorestats.com/in.cgi?4 (Analysis)
redirects to:
hxxp://spywareprotectiontool.com/2009/141/?a=&l=&f=&ex=&ed=&sub=csp&prodabbr=USRM

hxxp://evenmorestats.com/in.cgi?6 (Analysis)
redirects to:
hxxp://securecleanersolution.com/2009/102/?a=&l=&f=&sub=&prodabbr=3P_USEC

Others on the same site:

hxxp://securecleanersolution.com/2009/101/?a=&l=&f=&sub=&prodabbr=3P_USEC
hxxp://securecleanersolution.com/2009/103/?a=&l=&f=&sub=&prodabbr=3P_USEC
hxxp://securecleanersolution.com/2009/104/?a=&l=&f=&sub=&prodabbr=3P_USEC
hxxp://securecleanersolution.com/2009/105/?a=&l=&f=&sub=&prodabbr=3P_USEC
hxxp://securecleanersolution.com/2009/1000/?a=&l=&f=&sub=&prodabbr=3P_USEC
hxxp://securecleanersolution.com/2009/1002/?a=&l=&f=&sub=&prodabbr=3P_USEC

hxxp://evenmorestats.com/in.cgi?7 (Analysis)
redirects to:
hxxp://advancesoftwaretool.com/2009/142/?a=&l=&f=&ex=&ed=&h=&sub=&prodabbr=3P_UVSM

hxxp://evenmorestats.com/in.cgi?8
redirects to:
hxxp://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff=
then to:
hxxp://spywareprotectiontool.com/2009/142/?a=&l=&f=&ex=&ed=&sub=&prodabbr=USRM

hxxp://evenmorestats.com/in.cgi?9
redirects to:
hxxp://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff=
then to:
hxxp://promotion-offer.com/srm/adv/142/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM

Others on the same site: promotion-offer.com [89.248.168.46]

hxxp://promotion-offer.com/srm/adv/140/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM
hxxp://promotion-offer.com/srm/adv/141/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM
hxxp://promotion-offer.com/srm/adv/142/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM

Sometimes it redirects to another location:
hxxp://evenmorestats.com/in.cgi?9
redirects to:
hxxp://removespywarethreats.com/2009/142/?a=&l=&f=&ex=&ed=&sub=pdt&prodabbr=USRM
(old template - no screenshot)
or
hxxp://pcantimalwaresolution.com/2009/141/
hxxp://pcantimalwaresolution.com/2009/142/

hxxp://desktoprepairpackage.com/2009/5?a=cspsant1p&l=273&f=cs_6247616163&ex=&ed=&h=&sub=&prodabbr=3P_UVSM

hxxp://desktoprepairpackage.com/2009/142/ (old template - no screenshot)
hxxp://desktoprepairpackage.com/2009/14/ (old template - no screenshot)

hxxp://desktoprepairpackage.com/2009/2/?a=cspvm-sst&l=370&f=cs_4384615693&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM

hxxp://desktoprepairpackage.com/2009/142/?a=cspsni-sst&l=373&f=cs_7794016513&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM (old template - no screenshot)
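As an added example (not code from the post), the following Python script reconstructs the in.cgi redirect chains described above from a proxy log and pulls out the landing template number, the prodabbr and the affiliate tag, so the same chain can be spotted in your own logs. The log format (client, URL, referer) and the log lines themselves are constructed for the example; the URLs in them are the ones listed in the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log (not from the post), one hit per line: client url referer ("-" = none).
SAMPLE_LOG = """\
10.0.0.5 http://evenmorestats.com/in.cgi?9 -
10.0.0.5 http://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff= http://evenmorestats.com/in.cgi?9
10.0.0.5 http://promotion-offer.com/srm/adv/142/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM http://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff=
10.0.0.7 http://evenmorestats.com/in.cgi?3 -
10.0.0.7 http://securecleanersolution.com/2009/1001/?a=&l=&f=&sub=&prodabbr=3P_USEC http://evenmorestats.com/in.cgi?3
10.0.0.9 http://example.org/index.html -
"""
# Landing-page paths seen in the post: /2009/<template>/ or /srm/adv/<template>/
LANDING = re.compile(r"^/(?:srm/adv/|2009/)(\d+)/?$")

def parse_line(line):
    client, url, referer = line.split()
    return {"client": client, "url": url, "referer": None if referer == "-" else referer}

def classify(url):
    """('redirector', id) for an in.cgi hop, ('landing', fields) for a fake-scanner page."""
    p = urlparse(url)
    if p.path.endswith("/in.cgi"):           # in.cgi?<n>&gai=...: <n> picks the target
        m = re.match(r"\d+", p.query)
        return "redirector", (m.group(0) if m else None)
    m = LANDING.match(p.path)
    if m:
        q = parse_qs(p.query, keep_blank_values=True)
        return "landing", {"template": m.group(1),
                           "prodabbr": q.get("prodabbr", [""])[0],   # product being pushed
                           "affiliate": q.get("a", [""])[0]}         # affiliate tag (a=)
    return None, None

def extract_chains(log_text):
    """Walk each landing-page hit back through referers to the entry redirector."""
    hits = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_key = {(h["client"], h["url"]): h for h in hits}
    chains = []
    for h in hits:
        kind, info = classify(h["url"])
        if kind != "landing": continue
        hops, cur = [], h
        while cur is not None and cur["referer"]:       # follow referer links backwards
            cur = by_key.get((cur["client"], cur["referer"]))
            if cur:
                hops.append(cur["url"])
        ek, eid = classify(hops[-1]) if hops else (None, None)
        chains.append({"client": h["client"], "landing": h["url"], "hops": len(hops),
                       "entry_id": eid if ek == "redirector" else None, **info})
    return chains
```

A chain whose entry is an in.cgi redirector and whose landing page carries a prodabbr is a strong signal of this campaign even when the domains have rotated.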

Some interesting Google searches for "Spyware.Wather.ic" and "Spyware.CreditCarder.y" also reveal:

antispywareexpertplus.com
antivirus-xp-pro-2009.com on 91.212.65.43
antispywareexpert-plus.com
asxp-2009.com
as-xp-2009.com
av-pro2009.com
aviruspro2009.com
homeav-2009.com on 94.75.253.92
pc-virusremover2008.com
pcsolutionshelp.com on 94.102.51.14
powerfulvirusremover2008.com
virusremover2008-offer.com
virusremover-2008.com on 70.38.73.26
xp-p-center.com
xpas2009.com
xppcenter.com
xpprotcenter.com
xp-protection-center.com
xpsecuritycentral.com on 66.63.167.50



and 78.46.99.173 - "Hetzner Online AG". Looking at the Google cache for this page reveals
the common email address: at @virusremover2008.com

Previous IP for virusremover-2008.com - 200.115.173.29 (flagged on SORBS). Now 70.38.73.26



Also quite interesting: 58.65.233.33 is shared with other name servers, including ns1.removespywarethreats.com