Monday, June 16, 2008

Malicious Doorways Redirecting to Malware

Blacklisting malicious sites, at a time when legitimate ones are starting to compete with bogus .info and .biz ones for the leading position in hosting and serving malicious content, is a bit of an outdated and reactive approach to protecting against unknown threats. However, a single malicious domain whose live exploits can be easily detected and consequently blocked is often just a front end to a large domain portfolio whose malicious content may easily pass through web filtering and on-the-fly malware scanning. Even worse, a malicious domain often exists in multiple "alternate realities", since a single IP is hosting many other unique and related malware domains.

In this post, I'll assess a misconfigured malicious doorway that is redirecting to ten different malware sites serving Zlob variants by delivering the fake codecs that all the bogus adult sites require. The doorway is misconfigured in the sense of neither recording visitor IPs nor checking the cookie it sets, in comparison to every average web malware exploitation kit out there, which will not serve anything malicious when accessed a second time, since it hashes the IPs that have already accessed it. This is just the tip of the iceberg when it comes to the emerging evasive approaches applied to make the analysis of such doorways a bit more time- and resource-consuming. In a single sentence: there's evidence blackhat SEO-ers are starting to exchange crawling manipulation know-how with malware authors.

In this example we have bestxvids.info (87.118.116.11), which is redirecting to all-index.com/in.cgi?5 (87.118.116.11), a URL that's been actively spammed across forums and guestbooks vulnerable to automated posting (weak CAPTCHAs and web application vulnerabilities). That URL then redirects on the fly to the following fake codec domains. Since the redirection script isn't hashing my IP, unlike the majority of well-configured ones, which would require the use of multiple IPs if we're to expose all the campaigns, it makes the investigation easier:

tubeuniverses.com/teen/index.php?id=1883 - (78.108.177.99)
new-content-s2008.com/freemovie/938/0/ - (72.21.53.218)
teens.0bucksforpornmovie.com/?id=4199 - (64.28.181.28)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hqtube.com/?7014000000 - (88.85.66.116)
supersharebox.com/softw/?aff=5310&saff=0 - (200.63.46.84)
scanner.shredderscan.com/5/?advid=4329 - (92.241.182.13)
myflydirect.com/1/5310/ - (200.63.46.84)
hotvidstube.com/teen/index.php?id=1883 - (78.108.177.99)
2008-adult-2008.com/freemovie/938/0/ - (72.21.53.218)
s-soft08freeware.com/download/502/938/0 - (91.203.70.18)
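As an added illustration (not the post's own code), the pivot the post performs by hand: parse captured "url - (ip)" lines from a redirector that does not hash visitor IPs, group the fake codec hosts by hosting IP and by the affiliate id carried in the query string, and list which other domains a passive-DNS style table shows answering at the redirector's own IP. All hosts, IPs and DNS observations below are constructed placeholders, not the live infrastructure described above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed sample in the post's "url - (ip)" notation (placeholder hosts and IPs).
CAPTURED = """\
vids-one.example/teen/index.php?id=1883 - (198.51.100.7)
codec-pack.example/movie/?aff=5310 - (203.0.113.84)
software-box.example/softw/?aff=5310&saff=0 - (203.0.113.84)
vids-two.example/teen/index.php?id=1883 - (198.51.100.7)
"""

# Constructed passive-DNS style observations: domain -> IPs seen answering for it.
DNS_SEEN = {
    "doorway.example": {"192.0.2.10"},
    "carsfoto.example": {"192.0.2.10"},
    "unrelated.example": {"198.51.100.9"},
}

LINE_RE = re.compile(r"^(?P<url>\S+)\s+-\s+\((?P<ip>(?:\d{1,3}\.){3}\d{1,3})\)$")

def parse_targets(text):
    """Parse captured lines into (host, query_dict, ip); malformed lines are skipped."""
    targets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parts = urlsplit("http://" + m.group("url"))  # urlsplit needs a scheme
            targets.append((parts.hostname, parse_qs(parts.query), m.group("ip")))
    return targets

def hosts_by_ip(targets):
    """Map each hosting IP to the sorted hosts on it (shared hosting = one campaign)."""
    groups = defaultdict(set)
    for host, _, ip in targets:
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}

def hosts_by_affiliate(targets, keys=("aff", "id")):
    """Map affiliate/campaign ids carried in the query string to the hosts using them."""
    groups = defaultdict(set)
    for host, query, _ in targets:
        for key in keys:
            for value in query.get(key, []):
                groups[f"{key}={value}"].add(host)
    return {k: sorted(hosts) for k, hosts in groups.items()}

def alternate_realities(redirector_ip, dns_seen, doorway):
    """Other domains answering at the doorway's IP: the post's 'alternate reality'."""
    return sorted(d for d, ips in dns_seen.items() if redirector_ip in ips and d != doorway)
```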

Where's the "alternate reality"? All of the following fake codec and adult sites serving Zlob variants, with minor exceptions of course, are also responding at the main IP of the redirector - 87.118.116.11:

Shall we also expose the entire scammy ecosystem of Zlob variants, as always sharing the same netblocks in order to keep it simple? But of course:

The bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits are starting to take into consideration as well.