Wednesday, April 15, 2009

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

Not necessarily in real time (see Syndicating Google Trends Keywords for Blackhat SEO), but scareware/fake security software distributors quickly attempted to capitalize on the anticipated search traffic related to this weekend's Twitter XSS worm, StalkDaily/Mikeyy.

What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual or group, nor that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g. my1.dynalias .org/usa.js) hosted on all of the domains, which relies on a simple evasive practice, referrer checking, to decide whether or not to serve the malicious content.

For instance, once deobfuscated, the script checks whether the visitor arrived from one of the following search engines: var se = new Array("google", "msn", "", "yahoo", " comcast"); if (document.referrer) ref = document.referrer;. A user or researcher who is simply wandering around, with no search engine referrer, is served a plain blackhat SEO doorway page with no malicious redirections; only search traffic gets the redirect.

The following are all of the currently active and participating domains/subdomains: .de
actual.homelinux .com .de
aprln.getmyip .com
east.homeftp .org 
my1.dynalias .org
my2.dynalias .org
my3.dnsalias .org
my5.webhop .org

The redirection process consists of two layers. The first redirects to hjgf .ru/go.php?sid=5 and from there to msscan-files-antivir .com; the second takes place through a well known malicious doorway redirecting domain, hqtube .com/to_traf_holder.html, which either serves a fake codec that drops the scareware, or serves the scareware itself from .com. The rest of the scareware/fake security software domains participating in the campaign are as follows:

msscan-files-antivir .com - Coi Carol
hot-girl-sex-tube .com - Erica Thomas
msscanner-top-av .com - Mui Arnold
msscanner-files-av .com
antivir-4pc-ms-av .com - Jason Munguia

The bottom line - the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.