Wednesday, March 05, 2008

Rogue RBN Software Pushed Through Blackhat SEO

On numerous occasions in the past, I emphasized on the malicious attacker Keep it Simple Stupid (KISS) approach for anything starting from Rock Phishing, to maintaining a huge live exploits domains portfolio hosted on a single IP. This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example for instance, we had an second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201, however, what Keep it Simple Stupid really means in this case is that the next IP in their netblock 89.149.243.202 is currently getting injected at many other sites as well. The difference between the previous campaign and this one, is that the previous one was targeting just two high page rank-ed sites, while in the second one, the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same, both campaigns continue pushing the rogue XP AntiVirus. XP AntiVirus's pitch, note the downloads success rate mentioned and how they forgot to change the template used in the campaign by putting the rogue's name :

"XP antivirus has been downloaded over 4 Million times; with a 20,000 more downloads every week. Millions of people worldwide use Spyware Doctor to protect their identity and PC security. XP antivirus has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors' Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced technology designed specially for people, not experts. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection. XP antivirus's advanced RealOnGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings."

Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsexworld.info/soft.php?aid=0064&d=3&product=XPA (72.232.224.154) and from there to xpantivirus2008.com (69.50.173.10). There're in fact several other domains currently promoting this as well : xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); xpantivirus.com (216.255.180.58), as well as the following : hotantivirus.info (74.86.81.80); easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader's detection rate :

Scanner results : 17% Scanner(6/36) found malware!
Time : 2008/03/05 13:57:48 (EET)
File Size : 47104 byte
MD5 : 2102cb53606f535ca8132c3324953596
SHA1 : 0756f530e782c3d2e85a8186e052b722b017f1ea
AntiVir - TR/Crypt.ULPM.Gen
Fortinet - Suspicious
Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious)
Panda - Suspicious file
Prevx - TROJAN.DOWNLOADER.GEN
Sophos - Mal/HckPk-A

Smells like RBN's used InterCage and ATRIVO netblocks from routers away.

Related RBN coverage:
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network