<![CDATA[[SecurityRatty] tag: codecs]]>

<![CDATA[[SecurityRatty] tag: codecs]]> http://securityratty.com/tag/codecs Sun, 13 Jul 2008 23:26:24 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Syndicating Google Trends Keywords for Blackhat SEO]]> http://securityratty.com/article/c56eb4f87e14b19e95246ca1bd8a55dd http://securityratty.com/article/c56eb4f87e14b19e95246ca1bd8a55dd

Several hundred Windows Live Spaces and AOL Journals, are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries exposing users to Zlob codecs.

Here are some same bogus blogs used in the campaign, naturally pre-registered long before they executed it :

vinniedigg18 .spaces.live.com
journals.aol .com/iolatour16
fredabreak02 .spaces.live.com
thedaalerts01 .spaces.live.com
allisonpolls08 .spaces.live.com
rheabreak18 .spaces.live.com
racquellog17 .spaces.live.com
monikavideo11 .spaces.live.com
journals.aol .com/shelvakill27
tomekadigg26 .spaces.live.com
ivahnet19 .spaces.live.com
journals.aol .com/louisathere13
allisonpolls08 .spaces.live.com
valericatch03 .spaces.live.com
journals.aol .com/iolatour16
hadleycue01 .spaces.live.com
journals.aol .com/staceyliving01
collettebreak17 .spaces.live.com
journals.aol .com/nataliablog16
natalymore26 .spaces.live.com

A comprehensive listing of the blogs involved can be downloaded here.

What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs as using a central redirection domain, shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In this case, the domain in question is video.xmancer.org (216.195.59.75).

Here are the the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs :

video.xmancer .org (216.195.59.75)
buynowbe .com
loveniche .com
antivirus-freecheck .com
jetelephone .cn
reducki .cn
woteenhas .cn
lilaloft .cn

clipztimes .com (78.157.143.235)
imagelized .com
vidzdaily .com

gotmovz .com (78.108.177.91)
dwnld-clips .com

movwmstream .com (77.91.231.183)
newwmpupdate .com
zaeplugin .com
movaccelerator .com
optimwares .com
piterserv .com

moviesportal2008p .com (72.232.183.154)
movieportal2008a .com
funnyportal2008l .com
starsportal2008p .com
softportal2008p .com
movieportal2008q .com

In short, despite that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign since each and every blog participating is also linking to the rest of the ones within the ecosystem.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

]]> Fri, 03 Oct 2008 00:19:24 +0000 spaces windows live spaces malware live single malware campaign aol journals journals campaign blackhat seo campaign Syndicating Google Trends Keywords for Blackhat SEO <![CDATA[Holy Media Codecs, Batman!]]> http://securityratty.com/article/3d984264f929456ea8e4f274d55394ef http://securityratty.com/article/3d984264f929456ea8e4f274d55394ef Zango / Dark Knight issue still rattling around my brain) I thought it would be fun to see exactly how quickly it can all go wrong when looking for Dark Knight material online.

The answer is: extremely quickly.

There's a lot of sites out there claiming to carry "full versions" of The Dark Knight, and although they don't offer Zango, they do offer fake media codecs (which usually do all sorts of horrible things to a computer). Let's pull one of these sites apart as an example of how the scam fits together.

Here's a typical site pushing what they claim to be The Dark Knight:

Click to Enlarge

Dijgg(dot)com, an obvious Digg.com knockoff apparently hosting a large streaming window - the movie quality will be awesome, won't it? Well, actually, no it won't.

In the middle of the video window is a popup:

Install the "codec", and this won't end well. The EXE comes from a site called Favoritetube(dot)com:

A quick check for the safety ratings of that website should be enough to tell you this is a scam. Indeed, there isn't even a movie being streamed here (despite it saying "Connecting" at the bottom of the movie player) - because if you right click on the player itself:

You can see the "player" is actually just a static image (because I'm given the option to "Copy Image Location"). The image is hosted at Favoritetube, just like the "codecs":

Click to Enlarge

There are quite a lot of these sites floating around out there at present:

Click to Enlarge

Click to Enlarge

Click to Enlarge

At this point, it's a given that I'm going to show you what happens if you install one of the files typically pushed from the above sites, right? Well, wait no longer - this....

...will deposit a rogue antispyware tool on your desktop (one of more more obnoxious ones that refuses to leave you alone):

Click to Enlarge

Strange and annoying icons will start to creep across your desktop:

....and you'll have more fake system alerts than you can shake a very large stick at:

This concludes my public safety announcement. I'm off to see Dark Knight again...

]]> Wed, 27 Aug 2008 06:10:53 +0000 dark knight issue dark knight movie player click player enlarge image copy image location movie Holy Media Codecs, Batman! <![CDATA[A Diverse Portfolio of Fake Security Software - Part Four]]> http://securityratty.com/article/89e92ac703db317a9f2d0ad0ae004a56 http://securityratty.com/article/89e92ac703db317a9f2d0ad0ae004a56

Thanks to the affiliate based business model that's driving the increase of fake security software and rogue codecs serving domains, the very same templates, but with different domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection campaigns.

Moreover, with the "time-to-market" of a fake security software decreasing due to the efficiency approach introduced in the form of tips for abuse-free hosting services provided by the "known suspects", and the freely available templates, we're slowly starting to see the upcoming peak of this approach.

In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake security software, to be introduced anytime soon.

fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171)
top-pc-scanner .com
buy-secure-protection .com
security-scan-pc .com
pc-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
topvirusscan .com
virusbestscan .com
best-security-protection .com
infectionscanner .com
virusbestscanner .com
full-protection-now .com

Pwrantivirus .com - 91.208.0.246
vav-x-scanner .com
vav-scanner .com
scanner.vavscan .com
malware-scan .com
Scanner-Pwrantivirus .com
Xpertantivirus .com
Scanner-xpertantivirus .com

spyware-quickscan-2008 .com - (216.195.56.88)
virus-quickscan-2008 .com
spyware-quickscan-2009 .com
virus-quickscan-2009 .com
winmalwarecontrol .com
antispyware-quick-scan .com
virus-quick-scan .com
antivirus-quick-scan .com
winprivacytool .com

topantispyware2008 .com - (216.195.56.86)
cleanermaster .com - (216.195.56.85)
antivirus777 .com - (67.228.120.3)
pcsecuritynotice .com - (67.228.120.3)

Whereas the average Internet users are falling victims into this type of fraud, what I'm more concerned about is the large traffic the malicious domains receive in general due to all the different traffic acquisition tactics the people behind them apply. This anticipated traffic can then be greatly used as valuable metrics for the many other malicious ways in which it can be monetized.

Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

]]> Mon, 25 Aug 2008 01:58:02 +0000 fake security software traffic drive traffic diverse portfolio traffic acquisition tactics malicious malicious isps due traffic due A Diverse Portfolio of Fake Security Software - Part Four <![CDATA[Fake Celebrity Video Sites Serving Malware - Part Two]]> http://securityratty.com/article/c395d54f1c682346aee8b2d88973e345 http://securityratty.com/article/c395d54f1c682346aee8b2d88973e345

Malicious parties remain busy crunching out domain portfolios of legitimately looking celebrity video sites. The very same templates used on the majority of fake celebrity video sites which I exposed in a previous post, remain in circulation with anecdotal situations where they aren't even bothering to match the site's logo with the domain name -- it would ruin the malicious economies of scale approach. And since centralization to some, an laziness to others, remains in tact, the fake security software and fake codecs served remain once parked at the same IP as the fake celebrity sites which I'll expose in this post.

starfeed1 .com - (85.255.117.218)
codecservice1 .com
siteresults1 .com
codecservice6 .com
celebs69 .com
topdirectdownload .com
sexlookupworld .com
favoredtube .com
yourfavoritetube .com
wwvyoutube .com
celebsnofake .com
celebsvidsonline .com
celebstape .com
freevidshardcore .com
topsoftupdate .com
porndebug .com
newfunnyvideo .com
bestfunnyvids .com
pornmoviestube .net

worldstars2008 .com - (79.135.167.54)

antivirus2008-pro .name
antivirus-2008pro .name
antivirus2008pro .name
antivirus2008pro-download .org
antivirus-2008-pro .org
antivirus2008-pro .org
antivirus-2008pro .org
antivirus2008pro .org
thesoft-portal-08 .com
stars-08 .com
thestars-08 .com
thebigstars-08 .com
funny-08 .com
realonlinevideo-2008 .com
2008-adult-2008 .com
adult18tube2008 .com
adultstreamportal2008 .com
2008-adult-s2008 .com

new-content-s2008 .com
newcontent-s2008 .com
worldstars2008 .com
thestars2008 .com
thebigstars2008 .com
newcontents2008 .com
18x-adult2008 .com
2008adult2008 .com
adult-x2008 .com
hotadulttube08 .com
adultxx-18 .com
newcontent-s2008a .com
antivirus2008pro-download .com
onlinestreamvide .com
onlinestreamvide .com
ns2.onlinestreamvide .com
xxxstreamonline .com4
supersoft21freeware .com
kvm-secure .com
kvmsecure .com
themusic-08portal .com
adultstreamportal .com
streamxxxvideo .com
antivirus-2008-pro .com
antivirus2008-pro .com
antivirus-2008pro .com
thefunny-08 .com
thestars-08 .com
thestars08 .com
celebsnofake .com
adult-s-portal .com
adultsoftcodec .com
adultstreamportal .com
adultxx-18 .com

And while none of these seem to be taking advantage of client-side exploits, a Russian celebrity site that seems to by syndicating the malicious redirectors from a legitimate advertising network, is an exception worth point out due to the Adobe Flash player exploit it's attempting to take advantage of.

Bestcelebs .ru javascript redirectors through several different doorways :

crklab .us/index.php => firstblu .cn/3.php?19383577 => xanjan .cn/in.cgi?mytraf => atomakayan .biz/afterftpcheck/2603/index.php =>
toksikoza .net/fi/index.php?mytraf => toksikoza .net/fi/1.swf

What you see is so not what you get.

]]> Wed, 20 Aug 2008 21:52:00 +0000 celebrity video sites net org net fi1 russian celebrity site site php net fiindex previous post Fake Celebrity Video Sites Serving Malware - Part Two <![CDATA[Compromised Web Servers Serving Fake Flash Players]]> http://securityratty.com/article/df22299b279b6326bc0fb82a62ea61b9 http://securityratty.com/article/df22299b279b6326bc0fb82a62ea61b9

The tactic of abusing web servers whose vulnerable web applications allow a malicious attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the web.

This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it. From a strategic perspective, having a legitimate low-profile site -- of course with the obvious exceptions being on purposely registered for malicious purposes within the participating sites -- hosting your malicious campaign is pretty creative in terms of forwarding the responsibility, and the eventual blocking of a legitimate site to the its owner. As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it.

Moreover, Adobe's Product Security Incident Response Team (PSIRT) issued a warning notice about the attack yesterday, which could come handy if the attackers weren't taking advantage of client-side vulnerabilities, putting the unware end user is a situation where he wouldn't even receive a download dialog :

"We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running :

joseantoniobaltanas .com

automoviliaria .es/hotnews.html
risasnc .it/fresh.html
carpe-diem .com.mx/fresh.html
kotilogullari .com.tr/hotnews.html
ferrariclubpesaro .it/hotnews.html
imobiliariacom .com.br/default.html
misoares .com
osniehus .de/fresh.html
mydirecttube .com/1/5098/
madosma .com/default.html
tutotic .com/checkit.html
veit-team .si/default.html
antigewaltkurse .de/stream.html
kwhgs .ca/topnews.html
vorgo .com/stream.html
ankaraspor .com.tr/default.html
xxxdnn0314 .locaweb.com.br/watchit.html
ossuzio .com/watchit.html
cit-inc .net/default.html
negocioindependiente .biz/default.html
ambermarketing .com/topnews.html
web27 .login-7.loginserver.ch/stream.html
moretewebdesign .br-web.com/stream.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/hotnews.html
campodifiori .it/topnews.html
212.50.55.81 /stream.html
logisigns .net/fresh.html
intimaescorts .com/default.html
ghioautotre .it/live.html
geckert .de/stream.html
yuricardinali .com/watchit.html
retder .com/fresh.html
valdaran .es/default.html
getadultaccess .com/movie/?aff=5274
bauelemente-giering .de/stream.html
newyork-hebergement .com/watchit.html
allevatoritrotto .it/live.html
exoss2 .com/hotnews.html
soundandlightkaraoke .com/stream.html
land-kan .com/stream.html
grimaldi.nexenservices .com/watchit.html
inconstancia .com.br/watchit.html
gretelstudio .com/stream.html
sumacyl .com/watchit.html
mysna .net/fresh.html
gimnasioyx .com.ar/watchit.html
lagalbana .com/watchit.html
bielizna.tgory .pl/topnews.html
bcs92.imingo .net/stream.html
lapiramidecoslada .es/topnews.html
raulortega .com/stream.html
go-art-morelli .de/hotnews.html
wowhard.baewha .ac.kr/watchit.html
dianagraf .es/default.html
komma10-thueringen .de/hotnews.html
miavassilev .com/stream.html
swampgiants .com/watchit.html
compagniedephalsbourg .com/fresh.html
arla-rc .net/hotnews.html
salacopernico .es/watchit.html
drfinster .de/checkit.html
healthylifehypnotherapy .com/stream.html
ecotrike-bg .com/fresh.html
paoepalavra .org/watchit.html
jureplaninc-sp .com/topnews.html
fichte-lintfort .de/default.html
hergert-band .de/checkit.html
izliyorum .org/topnews.html
lideka .com/stream.html
athena-digitaldesign .com.tw/hotnews.html
e-paso .pl/stream.html
colombeblanche .org/stream.html
teatromalasa .es/watchit.html
mesporte.digiweb.com .br/stream.html
bistrodavila.com .br/watchit.html
hausfeld-solar .de/topnews.html
nakedinbed.co .uk/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
jbhumet .com/default.html
gruppouni .com/hotnews.html
francex .net/fresh.html
galvatoledo .com/topnews.html
cmeedilizia .eu/topnews.html
kroenert .name/default.html
textilhogarnovadecor .com/topnews.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
neticon .pl/hotnews.html
malerbetrieb-pelzer .de/hotnews.html
easterstreet .de/fresh.html
piogiovannini .com.ar/watchit.html
ser-all .com/topnews.html
petzold-dieter .de/checkit.html
beatmung-brandenburg .de/checkit.html
ossuzio .com/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
zelenaratolest .cz/pornotube/index1.htm
ambulatoriovirtuale .it/topnews.html
10a3 .ru/index1.php
izliyorum .org/topnews.html
collectedthoughts .co.uk/index12.html
afg .es/topnews.html
albertruiz .net/topnews.html
bielizna.tgory .pl/topnews.html
blueseven.com .br/topnews.html
bollettinogiuridicosanitario .it/topnews.html
caprilchamonix.com .br/topnews.html
carlolongarini .it/topnews.html
champimousse .com/topnews.html
cheviot.org .nz/topnews.html
contrapie .com/topnews.html
gruppouni .com/topnews.html
hausfeld-solar .de/topnews.html
herbatele .com/topnews.html
houseincostaricaforsale .com/topnews.html
alim.co .il/topnews.html
allevatoritrotto .it/topnews.html
amafe .org/topnews.html
ambulatoriovirtuale .it/topnews.html
atelier-de-loulou .fr/topnews.html
automoviliaria .es/topnews.html
autoreserve .fr/topnews.html
izliyorum .org/topnews.html
jureplaninc-sp .com/topnews.html
kwhgs .ca/topnews.html
lapiramidecoslada .es/topnews.html
last-minute-reisen-4u .de/topnews.html
marcadina .fr/topnews.html
maremax .it/topnews.html
corradiproject .info/topnews.html
dantealighieriasturias .es/topnews.html
deliriuslaspalmas .com/topnews.html
ecchoppers .co.za/topnews.html
elianacaminada .net/topnews.html
fonavistas .com/topnews.html
fraemma .com/topnews.html
fundmyira .com/topnews.html
galvatoledo .com/topnews.html
grafisch-ontwerpburo .nl/topnews.html
markmaverick .com/topnews.html
micela .info/topnews.html
motoclubnosvamos .com/topnews.html
nebottorrella .com/topnews.html
negozistore .it/topnews.html
neticon .pl/topnews.html
norbert-leifheit.gmxhome .de/topnews.html
segelclub-honau .de/topnews.html
snmobilya .com/topnews.html
splashcor .com.br/topnews.html
stephanmager .gmxhome.de/topnews.html
svcanvas .com/topnews.html
tautau.web .simplesnet.pt/topnews.html
textilhogarnovadecor .com/topnews.html
theflorist4u .com/topnews.html
thewindsorhotel .it/topnews.html
vuelosultimahora .com/topnews.html
aliarzani .de/topnews.html
ambermarketing .com/topnews.html
arnold82.gmxhome .de/topnews.html
ocoartefatos.com .br/topnews.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/topnews.html
positive-begegnungen .de/topnews.html
projetsoft .net/topnews.html
rbc.gmxhome .de/topnews.html
beatmung-sachsen .eu/topnews.html
campodifiori .it/topnews.html
clickjava .net/topnews.html
cmeedilizia .eu/topnews.html
dammer .info/topnews.html
embedded-silicon .de/topnews.html
ferrariclubpesaro .it/topnews.html
fgwiese .de/topnews.html
fswash.site .br.com/topnews.html
fytema .es/topnews.html
gildas-saliou. com/topnews.html
go-art-morelli .de/topnews.html
go-siegmund .de/topnews.html
guerrero-tuning .com/topnews.html
gut-barbarastein .de/topnews.html
japansec .com/topnews.html
komma10-thueringen .de/topnews.html
koon-design .de/topnews.html
lanz-volldiesel .de/topnews.html
lauscher-staat .de/topnews.html
losnaranjos.com .es/topnews.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
nepi.si/topnews .html
radieschenhein. de/topnews.html
residenceflora .it/topnews.html
sabuha .de/topnews.html
ser-all .com/topnews.html
siemieniewicz .de/topnews.html
viajesk .es/topnews.html
allevatoritrotto .it/live.html
bollettinogiuridicosanitario .it/live.html
carlolongarini .it/topnews.html
maremax .it/topnews.html
negozistore .it/topnews.html
parapendiolestreghe .it/live.html
www.donlisander .it/stream.html
aerogenesis .net/watchit.html
allevatoritrotto .it/live.html
atelier-de-loulou .fr/topnews.html
bistrodavila.com .br/watchit.html
bollettinogiuridicosanitario .it/live.html
caprilchamonix.com .br/topnews.html
cheviot.org .nz/live.html
condorautocenter .com.br/watchit.html
dantealighieriasturias .es/live.html
ecchoppers .co.za/topnews.html
elianacaminada .net/live.html
fonavistas .com/topnews.html
fundmyira .com/topnews.html
g6esporte .com.br/stream.html
grafisch-ontwerpburo .nl/topnews.html
gretelstudio .com/stream.html
gutierrezymoralo .com/watchit.html
healthylifehypnotherapy .com/stream.html
herbatele .com/live.html
jureplaninc-sp .com/topnews.html
lacomercialsrl .com.ar/stream.html
lagalbana .com/watchit.html
lapuertaestrecha .com.es/watchit.html
marcadina .fr/topnews.html
maremax .it/topnews.html
myadultcube .com/flash//aff=5176
myadultcube .com/flash//aff=5810
myadultcube .com/movie//aff=5155
newyork-hebergement .com/watchit.html
norbert-leifheit.gmxhome .de/topnews.html
omdconsulting .es/topnews.html
oyakatakent46537 .com/stream.html
parapendiolestreghe .it/live.html
regesh. co.il/watchit.html
rikkeroenneberg .dk/watchit.html
s215847279 .onlinehome.fr/stream.html
salacopernico .es/watchit.html
seekzones .com/watchit.html
seicomsl .es/watchit.html
sigma-lux .ro/watchit.html
soundandlightkaraoke .com/stream.html
stephanmager.gmxhome .de/topnews.html
tartuinstituut .ca/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
wowhard.baewha .ac.kr/watchit.html
aliarzani .de/topnews.html
ambermarketing. com/live.html
bilbondo .com/watchit.html
bollettinogiuridicosanitario .it/live.html
colombeblanche .org/stream.html
donlisander .it/stream.html
fgwiese .de/topnews.html
geckert .de/stream.html
helene-taucher .de/watchit.html
lanz-volldiesel .de/topnews.html
mairie-margnylescompiegne .fr/watchit.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
ossuzio .com/watchit.html
piogiovannini .com.ar/watchit.html
sabuha .de/topnews.html
sumacyl .com/watchit.html
swampgiants .com/watchit.html
xn--glland-3ya .de/stream.html
yuricardinali .com/watchit.html
nepi .si/topnews.html
dammer .info/topnews.html
atelier-de-loulou .fr/topnews.html
galvatoledo .com/topnews.html
allevatoritrotto .it/topnews.html
hausfeld-solar .de/topnews.html
micela .info/topnews.html
bistrodavila .com.br/watchit.html
hausfeld-solar .de/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
gruppouni .com/hotnews.html
galvatoledo .com/topnews.html
kroenert .name/default.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
malerbetrieb-pelzer .de/hotnews.html
dantealighieriasturias .es/topnews.html
oyakatakent46537 .com/stream.html
89.19.29 .13/stream.html
slobodandjakovic .com/fresh.html
cqcs.com .br/stream.html
seekzones .com/watchit.html
pascosa .it/stream.html
caprilchamonix .com.br/topnews.html
positive-begegnungen .de/topnews.html
ferien-urlaub-lastminute .de/default.html
mueggelpark .info/watchit.html
hillner-online .de/fresh.html
guiasaojose .net/default.html
deliriuslaspalmas .com/topnews.html
fraemma .com/topnews.html
morsbaby .net/default.html
vickywhite .com/fresh.html
micela .info/topnews.html
corradiproject .info/topnews.html
liguehavraise .com/live.html
capacitacaoemlideranca .com.br/fresh.html
materialesyacabados .com.mx/stream.html
208.112.7.68 /checkit.html
152.10.1.37 /1.html
carlolongarini .it/topnews.html
splashcor.com .br/topnews.html
lobpreisstrasse .org/1.html
motoclubnosvamos .com/hotnews.html
hk-rc.com /1.html
taaf.re /stream.html
dulceysalao .com/default.html
amafe .org/topnews.html

Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider (antispyspider.net) :

"AntiSpy Spider is a cutting-edge anti-spyware solution.This revolutionary anti-spyware program was created by the industry's top spyware experts in order to protect your computer and your privacy.html, while ensuring optimal system performance.With the ability to locate, eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its users a safe, spyware-free computing experience; and with it's convenient automatic update feature, AntispyStorm ensures continuous up-to-date protection."

Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

]]> Tue, 05 Aug 2008 10:50:04 +0000 file html file html comtopnews detopnews windows media player player web real player exploit Compromised Web Servers Serving Fake Flash Players <![CDATA[Summarizing July's Threatscape]]> http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070 http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

]]> Fri, 01 Aug 2008 12:08:24 +0000 malware profitable malware operations malware authors malware tools malware coder malware kit malware infection neosploit malware kit spam Summarizing July's Threatscape <![CDATA[Lazy Summer Days at UkrTeleGroup Ltd]]> http://securityratty.com/article/6215851b79c397250e5f1b5a07d047b4 http://securityratty.com/article/6215851b79c397250e5f1b5a07d047b4

The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.

UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.

Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup Ltd's 85.255.117.163.

Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :

(216.195.41.11)
antivirusxp2008 .com
malwareprotector2008 .com
antivirxp08 .com
antivirusxp08 .com
avxp08 .com
youpornztube .com
winifixer .com
advancedxpfixer .com
encountertracker .ws

It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (85.255.118.172) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (85.255.118.171), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com (85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home.

winifixer .com, a well known rogue software, is entirely relying on UkrTeleGroup's hosting services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue security software and live exploit URLs. Take for instance their efficiency centered approach to park numerous malicious domains on a single IP, like 85.255.117.218 in this case :

bestfunnyvids .com
celebs69 .com
celebsnofake .com
celebstape .com
celebsvidsonline .com
codecservice1 .com
freevidshardcore .com
newfunnyvideo .com
sexlookupworld .com
starfeed1 .com
starfeed2 .com
topdirectdownload .com
topsearchresults1 .com
topsoftupdate .com
yourfavoritetube .com

Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by krab@thekrab.com behind which is supposidely Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.

]]> Tue, 22 Jul 2008 03:12:02 +0000 ukrtelegroup codecs fake codecs simultaneously rogue security software ukrtelegroup ukrtelegroup fake codecs home home stat scammy ecosystem Lazy Summer Days at UkrTeleGroup Ltd <![CDATA[Impersonating StopBadware.org to Serve Fake Security Warnings]]> http://securityratty.com/article/f4988806c23605425ad4d4182fb247ad http://securityratty.com/article/f4988806c23605425ad4d4182fb247ad

Malware is known to have been hijacking search results, take for instance the rogue Antivirus XP 2008 as a recent example, but it's even more interesting to see other rogue security software impersonating Stopbadware.org in order to server fake security warnings that ultimately lead to fake security software.

stopbadware2008 .com (58.65.238.171) is one of these examples, where stopbadware2008 .com/antivirus.php redirects to infectionscanner .com and attempts to trick the user into installing download.infectionscanner.com /AntvrsInstall.exe. The message used :

"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and continue safe Internet browsing."

There's in fact even more rogue software using the same IP (58.65.238.171), courtesy of HostFresh :
virus-scanner-online .com
security-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
download.antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virusbestscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
virusbestscanner .com
internet-security-antivirus .com

It would be interested to monitor whether or not the template for the fake security warning would start getting used on a large scale.

Related posts:
A Portfolio of Fake Video Codecs
Fake PestPatrol Security Software
Got Your XPShield up and Running?
Localized Fake Security Software
A Diverse Portfolio of Fake Security Software
RBN's Fake Security Software

]]> Sun, 20 Jul 2008 23:30:51 +0000 fake security fake security software insecure internet activity internet activity insecure internet insecure lead fake video codecs portfolio Impersonating StopBadware.org to Serve Fake Security Warnings <![CDATA[SQL Injecting Malicious Doorways to Serve Malware]]> http://securityratty.com/article/6cec302595fea49e4d1ec4cc6e8a2a25 http://securityratty.com/article/6cec302595fea49e4d1ec4cc6e8a2a25

Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasing common, as is the use of SQL injections in order for the malicious parties to ensure their campaigns will receive enough generic traffic to their redirectors. Excluding the use of the very same traffic management tools, web malware exploitation kits, templates for the rogue adult sites and the rogue security software, perhaps the most important thing to point out regarding all of the previously analyzed such campaigns, is that they are all related to one another, and are operated by the same people, using the very same infrastructure and live exploit URLs most of the time.

Let's expose yet another such campaign, that has been SQL injected and spammed across a couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45), and from there the following campaigns load on-the-fly :

porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)
getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)
immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)
movieexternal .com/download.php?id=1552 (77.91.231.201)
2008adults2008a .com/freemovie/144/0/
avwav .com/1931.htm
codecupgrade .com (74.50.117.84)
iwillseethatvideo .com (91.203.92.53)
dciman32 .com (85.255.120.45)

Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections with malware gangs and previous campaigns can be established. For instance, here are some more "sleeping beauties" at 74.50.117.84 :

winantivirus2008 .org
porntubev20 .com
crack-land .com
just-tube .com
codecupgrade .com
codecupgrade .com
scanner-tool .com
surf-scanner .com
best-cracks .com
updatehost .com
updatehost .com
freemoviesdb .net
megasoftportal .net

And even more malicious doorways, and rogue software at 89.149.227.195 :

musicportalfree .com
softportalfree .com
verifiedpaymentsolutionsonline .com
my-adult-catalog .com
indafuckfuck .com
best-porncollection .com
funfuckporn .com
sanxporn .com
dolcevido .com
xiedefender .com
online-malwarescanner .com
easyvideoaccess .com
my-searchresults .com
creatonsoft .com
ihavewetfuckpussy .com

How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of the ISPs that you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later, and when your abuse emails become more persistent, a fake account suspended notice makes it to the front page, whereas the campaigns get automatically updated to redirect to an internal page, again serving the malware and the redirectors.

Related posts:
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

]]> Sun, 20 Jul 2008 21:45:57 +0000 malware malicious doorways sites rogue adult sites malware gangs campaigns load on-the-fly campaigns fake porn sites sql SQL Injecting Malicious Doorways to Serve Malware <![CDATA[Monetizing Compromised Web Sites]]> http://securityratty.com/article/9f7b106457f7cdcbfb11dd8b0b3dd971 http://securityratty.com/article/9f7b106457f7cdcbfb11dd8b0b3dd971

Despite that pure patriotic hacktivism is still alive and kicking, compromised sites are largely getting monetized these days, starting from hosting blackhat SEO junk pages, to redirecting to live exploit URLs and fake codecs where revenue is earned through their participation in an affiliate business model.

With The Africa Middle Market Fund's site monetized by web site defacers who defaced it "in between" the blackhat SEO infrastructure they were hosting internally, in this I'll comment on the currently compromised and redirection to a fake porn sites, Camara Municipal de Amparo (camaraamparo.sp.gov.br/r.html). Basically, it's homepage is heavily linking to the Zlob variant (camaraamparo.sp.gov.br/ video.exe) in between loading an IFRAME to 61.162.230.12/ index.php. As always, upon uploading their redirector, they've build enough confidence into their new hosting provider that the link to the redirector was instantly spammed across the web. The site is so heavily linking to the internal redirector itself, that upon clicking on the majority of links the user will inevitably come across it.

Speaking of fake porn sites redirecting to Zlob variants, here are the very latest additions spammed across the web through blackhat SEO practices :

just-tube .com
mypornmovies .net
moms-galls .net
porntubefilms .com
porntubedot .com
hot-porntube .com
landmovieblog .com
sexvidtube .com
freelifevideo .com
getyourfreemovie .com
iubat .com
sweetyjoly .com
hardbizarre .com
freeworldvideo .net
hot-porntube .net
qualitymovies .net
porntube1con .net
video-info .net
videocityblog .com
fuckedolder .com
highpro1 .com
max-graf.com .pl
grandsupertds .info
hot-porn-tube .net
hot-porntube .com
terryschulz .com
show-sextube .com
qualitymovies .net
clubvideos .net

No matter the high profile site that's been exploited in order to participate in such malicious operations, for the time being, crunching out new domain names and using the hosting services of the well known ISPs neglecting their removal, seems to be the tactic of choice. The long tail of SQL injected sites is however, clearly replacing the plain simple blackhat SEO web spamming, so that traffic to these rogue sites is driven through redirection of the the traffic from legitimate sites.

]]> Sun, 13 Jul 2008 23:26:24 +0000 sites rogue sites web net web site defacers site fake porn sites profile site redirector Monetizing Compromised Web Sites