Thursday, December 13, 2007

"Google Referrer Only" malware sites

Here's a curious thing that I read in "Tacit's" LiveJournal post today. There is a new major infection on iPowerWeb.

This one has an interesting new twist. Based on Tacit's post, I decided to do some of the normal Google searches that I would do anyway, but add to them the requirement "inurl:/ad/har/", which was a string associated with what Tacit mentioned.

So, for example, I do Search Engine Optimization to keep some of the sites I host performing well. I'll do a search on "haiku books", where my haiku poetry website always is in the top 5, but with this additional requirement.

There are 142 webpages containing the words "haiku" and "books" that have the string "/ad/har/" in the URL. So, sites such as "joygabrieldentistry.com", "barkershotdogs.com", "wassermanandthomas.com", and "hawaiiyachts.com" have pages, on topics ranging from "geisha memoirs" and "cybersex webcams" to "scrotum enlargement surgery", which respond to this.

I did another search on "warner genealogy", with the "/har/ad/" requirement and got 16 hits, but when I changed it to "smith genealogy" there were 3,010 with the link. All of them that I checked were hosted on iPowerWeb.

Being rather sure that "cabincraftskishop.com" was not actually a porn site, I continued with the experiment, after first making sure NoScript was running in my Firefox browser.

The sites were the traditional spam sites you've probably seen before, where whatever term you search on is randomly scattered through the content of a pornographic story. "Joan answered the door to her michael butch genealogy NY apartment. I couldn't help but notice her sizing up my centerville utah genealogy."

The links go all over the place when you click on them (with NoScript blocking like crazy...) The first took me to "3xpowered.com" which calls itself "PornTube" and is set up to look like YouTube only with porn movies. If it hadn't been for NoScript, my browser would have called a download.php file from "xyzsolution.com", which would pop a window saying "Would you like to continue?" and asking to install "setup.exe". (xyzsolution.com and 3xpowered.com are both hosted on URKTelecom in the Ukraine). 3xpowered.com is a "top 10,000 website" and is visited by over 330,000 American IP addresses per month.

3xpowered.com seems to be another venture from Nikolay Fedorov (not the philosopher) like his getxxxphotos.com. His getxxxphotos.com site forwards to "imgstorages.com", which currently tries to download malware to your computer through a link from "www.abcdperformance.com". abcdperformance.com is brand new. Not yet 48 hours old, but I bet it will gain in popularity!

The next link (compusupport.biz) tried to forward me to "xscanner.spyshredderscanner.com", which would warn me that I had malware on my computer and that I needed to install their software to protect myself. The file "Install1642.exe" would then have been run on my computer. SpyShredderScanner is hosted in Russia on the IP 77.91.229.106. According to statistics from a web monitoring company, 2.7 MILLION American IP addresses visited this website in the month of November, making it the 560th most popular website they monitor. Another webstat company gives it 2.5 Million unique visitors and calls it the 544th most popular site on the web. Anyone who goes there is at risk of infection, but the statistics clearly show that AT LEAST 100,000 AMERICAN COMPUTERS PER DAY visit the site.

Here's where things get very interesting though. Having just visited each of those sites, I then tried to visit them by typing the URL in my browser. Just as Tacit experienced, I received a "404 message" -- File Not Found.

Again, with my hat off to Tacit, we can duplicate this behavior using "wget", a text-based website fetcher.

C:\incoming\danger\ipower>\tools\wget http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
--07:06:05-- http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
=> `het.html'
Resolving homeautomationtech.us... 66.235.203.141
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--07:06:05-- http://homeautomationtech.us/404
=> `404'
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
07:06:06 ERROR 404: Not Found.

C:\incoming\ipower>\tools\wget --referer=http://www.google.com/ http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
--07:03:55-- http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
=> `het.html'
Resolving homeautomationtech.us... 66.235.203.141
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=homeautomationtech.us&ver=7 [following]
--07:03:55-- http://traffloader.info/go.php?s=homeautomationtech.us&ver=7
=> `go.php@s=homeautomationtech.us&ver=7'
Resolving traffloader.info... 87.248.180.67
Connecting to traffloader.info|87.248.180.67|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--07:03:56-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php@id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... 82.208.18.109
Connecting to www.clipsfestival.com|82.208.18.109|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--07:03:56-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php@id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... 85.255.118.156
Connecting to powerof3x.com|85.255.118.156|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg [following]
--07:03:56-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg
=> `index.php@id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg'
Resolving www.3xpowered.com... 85.255.115.180
Connecting to www.3xpowered.com|85.255.115.180|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 33,097 71.19K/s

07:03:57 (71.08 KB/s) - `index.php@id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg' saved [33097]
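
The two wget runs above are the whole test: one request with no Referer lands on /404, the same request claiming to come from google.com is bounced through a chain of other hosts. The script below is an added example (not code from this post, from Tacit, or from iPowerWeb) that automates that comparison for a page you host, using only the Python standard library. It makes both requests without following redirects, compares the status and Location each one gets, and can walk a redirect chain hop by hop the way wget printed it, without rendering or saving what it fetches. The function names are this example's own; the URLs and Location values in its recorded data are copied from the transcript so it runs offline.

```python
"""Check a page for the 'Google referrer only' cloaking shown above."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

GOOGLE_REFERER = "http://www.google.com/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx response back instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, referer=None, timeout=10):
    """One GET without following redirects; returns (status, Location or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cloak-check/1.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib raises on 3xx as well as 4xx;
        # the status and headers are still available on the exception.
        return err.code, err.headers.get("Location")


def offsite_hop(url, location):
    """True when a Location header sends the client to a different host."""
    if not location:
        return False
    target = urlparse(urljoin(url, location)).hostname
    return target is not None and target != urlparse(url).hostname


def classify(url, plain, from_google):
    """Compare the (status, location) seen with no Referer against the one
    seen with a google.com Referer and return a verdict string."""
    if plain == from_google:
        return "consistent"            # same answer either way
    plain_status, plain_loc = plain
    google_status, google_loc = from_google
    looks_404 = plain_status == 404 or (plain_loc or "").endswith("/404")
    if looks_404 and 300 <= google_status < 400 and offsite_hop(url, google_loc):
        return "cloaked"               # 404 for you, off-site hop for search traffic
    return "referrer-dependent"        # differs some other way; look by hand


def trace_chain(url, referer=None, max_hops=8, fetch=fetch_status):
    """Walk redirects one hop at a time: [(url, status, location), ...].
    The fetch function is injectable so a recorded chain can be replayed."""
    hops, current = [], url
    for _ in range(max_hops):
        status, location = fetch(current, referer)
        hops.append((current, status, location))
        if not (300 <= status < 400 and location):
            break
        current = urljoin(current, location)
    return hops


def check(url, fetch=fetch_status):
    """Probe a URL both ways and return the verdict with the raw answers."""
    plain, from_google = fetch(url, None), fetch(url, GOOGLE_REFERER)
    return {"verdict": classify(url, plain, from_google),
            "no_referer": plain, "google_referer": from_google}


# Answers recorded from the wget transcript, so the example runs offline.
# Drop `fetch=replay` to probe a live host with fetch_status instead.
PAGE = "http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html"
HOP1 = "http://traffloader.info/go.php?s=homeautomationtech.us&ver=7"
HOP2 = "http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000"
HOP3 = "http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000"
HOP4 = ("http://www.3xpowered.com/m4/index.php?id=4161&n=&a=Gnark&v=1392601"
        "&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg")
RECORDED = {
    (PAGE, None): (302, "/404"),
    ("http://homeautomationtech.us/404", None): (404, None),
    (PAGE, GOOGLE_REFERER): (302, HOP1),
    (HOP1, GOOGLE_REFERER): (302, HOP2),
    (HOP2, GOOGLE_REFERER): (301, HOP3),
    (HOP3, GOOGLE_REFERER): (302, HOP4),
    (HOP4, GOOGLE_REFERER): (200, None),
}


def replay(url, referer=None):
    """Stand-in for fetch_status that answers from RECORDED."""
    return RECORDED[(url, referer)]


if __name__ == "__main__":
    print(check(PAGE, fetch=replay)["verdict"])
    for hop in trace_chain(PAGE, GOOGLE_REFERER, fetch=replay):
        print("%s -> %s %s" % hop)
```

Run it against the recorded answers and the verdict is "cloaked", with the five hops ending at 3xpowered.com; a clean page gives the same answer both ways and comes back "consistent". Because redirects are never followed automatically and nothing fetched is executed, this is safe to point at your own hosted sites on a schedule; it also gives support staff the two-request reproduction the author had to explain over the phone.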

Can you imagine what happens if someone calls iPowerWeb tech support to report the problem?

"What's the URL? Yes sir, we've just looked. No, there is no such page, it must have been discovered and removed."

Why wonder? I'm going to call them and try to get a live person on the phone. 1-888-511-HOST.

(They are still experiencing heavy call volumes and refer me to their website. Their "live chat" puts my wait time at 12 minutes. Waiting . . .)

SUCCESS! I'm on the phone with iPowerWeb now! I'll update with their response.

Well, ALMOST success. Support could duplicate the above, but said I would need to email "abuse@", who wasn't in yet this morning. (sigh)

An update (14 DEC 2007)

iPowerWeb is working closely with some Federal Cybercrime folks to get their sites cleaned up.

In the meantime, I was thrilled by the response from Google Investigations, who says they are going to be taking immediate action, by adding a "This Link May Harm Your Computer" link on all of these sites. They also encouraged me to share this link with others:

http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

which tells of their "report badware" program, and gives a link to allow reporting of malware drive-by sites and to pass notes which will be included in the report sent to investigators.
