Thursday, June 05, 2008

Blackhat SEO Redirects to Malware and Rogue Software

A blackhat SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob malware variants) and fake security software phoning back to UkrTeleGroup Ltd's network - could it get even more interesting? Of course, as the current state of Zlob malware serving tactics can be separated into two distinct groups: those abusing the "sort of" zero-day Flash exploit, since the currently active SQL injection attacks are all taking advantage of it, and those still relying on a plain, simple redirect to multimedia sites that require you to install the fake codec.

While tracking down the massive blackhat SEO poisoning campaigns that took place in March 2008, as well as the countless embedded/injected malware campaigns targeting high-profile sites that we've been seeing recently, it's becoming increasingly common to come across a repeating malicious pattern. Basically, a domain portfolio of typosquatted domains looking like legitimate codec sites is created, and several bogus video sites, mostly p0rn related and with no real content, start acting as a frontend to the codecs, with traffic driven to them through blackhat SEO doorways. Moreover, rogue codec sites are increasing because the templates for the p0rn and codec sites are turning into a commodity, just like phishing pages and DIY phishing page generators lowered the entry barriers into those practices.

Let's assess a sample redirection doorway, a visualization and sample traffic of which you can see in the attached screenshots. At we have a fake counter loading the redirection script from which is a javascript serving a different site on-the-fly, courtesy of a well known blackhat SEO campaign tool. The output of this redirection is a new domain serving Zlob variants in the form of fake codecs hosted under the following domains :

Sample detection rates for the codecs obtained:

Scanners Result: 8/32 (25%)
W32/PolyZlob!tr.dldr; Trojan:Win32/Tibs.gen!lds
File size: 119296 bytes
MD5...: dc5538af557cb4c311cb86d6574400ba
SHA1..: 5cf1602db8c4fdd3c5ac5101e5a6c5daa77f5ff1

Scanners Result: 6/32 (18.75%)
File size: 60416 bytes
MD5...: 14938bfe35128687e05f7f8ccbd29c7d
SHA1..: cf651e959fff945c9659321e79ba2788062b721d

Scanners Result: 14/32 (43.75%)
Trojan-Downloader.Win32.Zlob.lps; TrojanDownloader:Win32/Zlob.IB
File size: 18432 bytes
MD5...: 9b3bbcd4549970a92eb1b11c46a451bb
SHA1..: 679508aba4e547935d5e4104a735c754b40de49e

Scanners Result: 18/32 (56.25%)
Trojan-Downloader.Win32.Delf.ilx; TrojanDownloader:Win32/Chengtot.A
File size: 91683 bytes
MD5...: 727e3f353281229128fdb1728d6ef345
SHA1..: 3f9c9000b273e8bf75db322382fbaabf333faf26

Once we've managed to obtain several of the fake codec domains, passive DNS monitoring and third-party tools help us expose a huge portfolio of rogue domains such as:
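One way to do that passive DNS pivot, as an added example that is not part of the original post: starting from a couple of known fake codec domains, every domain that shares a resolved IP (or, optionally, the same /24) with one already found is pulled into the portfolio until nothing new turns up. All domains, IPs and records below are constructed for illustration.

```python
# Added example: expanding a few seed rogue-codec domains into the wider
# hosting portfolio using passive-DNS observations. Every domain and IP
# here is constructed; none of them come from the original post.
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations: (domain, resolved IPv4 address).
PDNS_RECORDS = [
    ("video-codec-example.test", "192.0.2.10"),
    ("best-codec-example.test", "192.0.2.10"),
    ("tube-player-example.test", "192.0.2.11"),
    ("free-movies-example.test", "192.0.2.44"),
    ("unrelated-shop.test", "198.51.100.7"),
    ("antivirus-2008-example.test", "192.0.2.44"),
]


def build_indexes(records):
    """Index domains by exact IP and by the /24 the IP falls into."""
    by_ip = defaultdict(set)
    by_net = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
        by_net[ip_network(f"{ip}/24", strict=False)].add(domain)
    return by_ip, by_net


def pivot(seed_domains, records, use_netblock=True):
    """Return the seeds plus every domain reachable through shared IPs.

    With use_netblock=True a shared /24 also counts as a link; this finds
    more of the portfolio but is noisy on shared hosting, so keep the
    exact-IP result as the high-confidence set.
    """
    by_ip, by_net = build_indexes(records)
    ips_of = defaultdict(set)
    for domain, ip in records:
        ips_of[domain].add(ip)
    found, frontier = set(seed_domains), set(seed_domains)
    while frontier:
        nxt = set()
        for domain in frontier:
            for ip in ips_of.get(domain, ()):
                related = set(by_ip[ip])
                if use_netblock:
                    related |= by_net[ip_network(f"{ip}/24", strict=False)]
                nxt |= related - found
        found |= nxt
        frontier = nxt
    return found
```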

What you see is not always what you get online; however, the infrastructure providers behind the majority of malware campaigns tend to remain the same.