Thursday, June 05, 2008

Blackhat SEO Redirects to Malware and Rogue Software

A blackhat SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob malware variants) and fake security software phoning back to UkrTeleGroup Ltd's network - could it get even more interesting? Of course, as the current state of Zlob malware serving tactics can be separated into two distinct groups: those abusing the "sort of" zero day Flash exploit, which the currently active SQL injection attacks are all taking advantage of, and those still relying on a plain, simple redirect to a multimedia site requiring you to install the fake codec.


While tracking down the massive blackhat SEO poisoning campaigns that took place in March, 2008, as well as the countless embedded/injected malware campaigns targeting high profile sites that we've been seeing recently, it's becoming increasingly common to come across a repeating malicious pattern. Basically, a portfolio of typosquatted domains looking like legitimate codec sites is created; several bogus video sites, mostly p0rn related and with no real content, start acting as a frontend to the codecs; and traffic is driven to them through blackhat SEO doorways. Moreover, rogue codec sites are increasing because the templates for the p0rn and codec sites are turning into a commodity, just like phishing pages and DIY phishing page generators lowered the entry barriers into those practices.


Let's assess a sample redirection doorway, a visualization and sample traffic of which you can see in the attached screenshots. At porntubedirect.info we have a fake counter, porntubedirect.info/stat/count.php, loading the redirection script from 216.240.139.234/sutra/in.cgi?3, a JavaScript snippet that serves a different site on the fly, courtesy of a well known blackhat SEO campaign tool. The output of this redirection is a new domain serving Zlob variants in the form of fake codecs, hosted under the following domains:

antivirus-scanonline.com
indafuckfuck.com
newcontents2008.com
avwav.com
anykindclips.com
dirtyxxxvids.com
clipsmachines.com
thesoft-portal-08.com
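To turn the chain above into something a proxy log review can catch, here is an added example (not code from the original post): it parses a constructed log and flags clients that first hit a Sutra-style `in.cgi` TDS and then fetched an executable from a host following the codec/tube naming pattern; the doorway host and TDS path are taken from the post, every other host and path is a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "client host path referer" per line. The doorway
# and the Sutra TDS URL come from the post; the remaining hosts are made up.
SAMPLE_LOG = """\
10.0.0.7 porntubedirect.info /stat/count.php -
10.0.0.7 216.240.139.234 /sutra/in.cgi?3 http://porntubedirect.info/stat/count.php
10.0.0.7 hot-sextubecodec.com /codec/install_codec.exe http://porntubedirect.info/
10.0.0.9 example.org /index.html -
10.0.0.9 example.org /video/player.exe http://example.org/index.html
"""

TDS_PATH = re.compile(r"/in\.cgi(\?|$)")     # Sutra-style TDS entry point
LURE_HOST = re.compile(r"codec|tube", re.I)  # fake-codec / tube naming pattern
EXE_PATH = re.compile(r"\.exe(\?|$)", re.I)  # the "codec" is really an executable

def parse(log):
    """Yield (client, host, path, referer) tuples from the constructed format."""
    for line in log.splitlines():
        yield tuple(line.split(" ", 3))

def classify(host, path):
    """Label one request as 'tds', 'codec_download' or None."""
    if TDS_PATH.search(path):
        return "tds"
    if EXE_PATH.search(path) and LURE_HOST.search(host):
        return "codec_download"
    return None

def find_chains(log):
    """Map each client that hit a TDS and afterwards fetched a 'codec' executable
    to the doorway host (the TDS referer) and the ordered stages observed."""
    per_client = defaultdict(list)
    for client, host, path, referer in parse(log):
        per_client[client].append((host, path, referer))
    hits = {}
    for client, requests in per_client.items():
        stages, doorway = [], None
        for host, path, referer in requests:
            label = classify(host, path)
            if label == "tds":
                doorway = urlparse(referer).hostname  # page that loaded the TDS
            if label == "codec_download" and "tds" not in stages:
                continue  # an .exe with no preceding TDS hop is not this chain
            if label:
                stages.append(label)
        if "codec_download" in stages:
            hits[client] = {"doorway": doorway, "stages": stages}
    return hits
```

A real deployment would feed this from the proxy's own log format and add the fake-counter request as a third, optional stage.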

Sample detection rates for the codecs obtained:

Scanners Result: 8/32 (25%)
W32/PolyZlob!tr.dldr; Trojan:Win32/Tibs.gen!lds
File size: 119296 bytes
MD5: dc5538af557cb4c311cb86d6574400ba
SHA1: 5cf1602db8c4fdd3c5ac5101e5a6c5daa77f5ff1

Scanners Result: 6/32 (18.75%)
Trojan-Downloader.Win32.FraudLoad.axa; Trojan.Dldr.FraudLoad.axa
File size: 60416 bytes
MD5: 14938bfe35128687e05f7f8ccbd29c7d
SHA1: cf651e959fff945c9659321e79ba2788062b721d

Scanners Result: 14/32 (43.75%)
Trojan-Downloader.Win32.Zlob.lps; TrojanDownloader:Win32/Zlob.IB
File size: 18432 bytes
MD5: 9b3bbcd4549970a92eb1b11c46a451bb
SHA1: 679508aba4e547935d5e4104a735c754b40de49e

Scanners Result: 18/32 (56.25%)
Trojan-Downloader.Win32.Delf.ilx; TrojanDownloader:Win32/Chengtot.A
File size: 91683 bytes
MD5: 727e3f353281229128fdb1728d6ef345
SHA1: 3f9c9000b273e8bf75db322382fbaabf333faf26

Once we've managed to obtain several of the fake codec domains, passive DNS monitoring and third-party tools help us expose a huge portfolio of rogue domains that follow the same adult-tube and codec naming pattern.


What you see is not always what you get online; however, the infrastructure providers behind the majority of malware campaigns tend to remain the same.
