Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Friday, March 28, 2008

Massive IFRAME SEO Poisoning Attack Continuing

Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of.

What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves.

Keep it Simple Stupid for the sake efficiency is what makes the campaign relatively easy to track once you understand the importance of hot leads, and real-time assessments for the purpose of setting the foundation for someone else's upcoming piece of the puzzle in an OSINT manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants :

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

Which are the main IPs injected as IFRAME redirection points?

72.232.39.252

NetRange: 72.232.0.0 - 72.233.127.255

CIDR: 72.232.0.0/16, 72.233.0.0/17

NetName: LAYERED-TECH-

NetHandle: NET-72-232-0-0-1

Parent: NET-72-0-0-0-0
NetType: Direct Allocation

NameServer: NS1.LAYEREDTECH.COM

NameServer: NS2.LAYEREDTECH.COM

Comment: abuse@layeredtech.com

195.225.178.21
route: 195.225.176.0/22

descr: NETCATHOST (full block)

mnt-routes: WZNET-MNT

mnt-routes: NETCATHOST-MNT

origin: AS31159

notify: vs@netcathost.com

remarks: Abuse contacts: abuse@netcathost.com

89.149.243.201

inetnum: 89.149.241.0 - 89.149.244.255

netname: NETDIRECT-NET
remarks: INFRA-AW

admin-c: WW200-RIPE

tech-c: SR614-RIPE
changed: technik@netdirekt.de 20070619

89.149.220.85

inetnum: 89.149.220.0 - 89.149.221.255

netname: NETDIRECT-NET

remarks: INFRA-AW

admin-c: WW200-RIPE

tech-c: SR614-RIPE

changed: technik@netdirekt.de 20070619

Newly introduced malware serving domains upon loading the IFRAMES :

mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 (85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3 where the malware is attempting to load upon accepting the ActiveX object :

Scanners Result: Result: 12/32 (37.5%)

Suspicious:W32/Malware!Gemini; W32/BHO.BVW

File size: 107536 bytes

MD5: e50f2c9874a128d4c15e72d26c78352c

SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

Moreover gift-vip.net/images/index1.php (195.225.178.19) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59) :

Scanners Result: 2/32 (6.25%)

JS.Feebs.rv; JS/Feebs.gen2 @ MM

File size: 16098 bytes

MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e

SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (119.42.149.22) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (119.42.149.22)

Scanners Result : Result: 11/32 (34.38%)

Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm

File size: 61440 bytes

MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5

SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d

Last but not least is d08r.cn (203.174.83.55) a new domain introduced within the IFRAMES, which is also responding to, another scammy ecosystem :

07search.com
5m9h41.com
a666hosting.info

gzoe7w.com
l6q7x6.com
nashepivo.com
nbb3g1.com
sraly.com
uvilo.com
vmksxo.com
credits-counselor.com
hx0k21.com
mob-shop.net
smart-search.net

For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place.

The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.

Related posts:
More High Profile Sites IFRAME Injected
More CNET Sites Under IFRAME Attack
ZDNet Asia and TorrentReactor IFRAME-ed
Rogue RBN Software Pushed Through Blackhat SEO
Massive RealPlayer Exploit Embedded Attack
Another Massive Embedded Malware Attack
Yet Another Massive Embedded Malware Attack
Massive Blackhat SEO Targeting Blogspot
Massive Online Games Malware Attack

Press coverage:
Symantec's Internet Threat Meter
Major Web sites hit with growing Web attack
Audit Your Web Server Lately?
Hackers expand massive IFrame attack to prime sites
Major Web Sites Hit with Growing Web Attack
Major Sites Hit with IFRAME Injection Attacks
Researcher - IFRAME Redirect Attacks Escalate
An Update to the IFRAME SEO Poisoning
Massive Web Server Hack
Massive IFRAME Continues to Hit Top Sites
Attackers booby-trap searches at top Web sites
Several Major Websites Affected By Major Iframe Attack
Web Security Scanning Is Paramount
SEO poisoning attack hits big sites; Can the defenses scale?
Hackers step up search results attack
Tale of the IFRAME Continues

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me dancho.danchev@hush.com

Who is Dancho Danchev?

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodology for processing threat intelligence throughout the past decade following a successful career as a hacker-enthusiast in the 90's leading to active-community participation and contribution as a Member to WarIndustries, List Moderator at BlackCode Ravers, Contributor to Black Sun Research Facility (BSRF) List Moderator Software Contributor (TDS-2 Trojan Information Database) at DiamondCS Trojan Defense Suite, contributor to LockDownCorp, Contributor to HelpNetSecurity, Managing Director of Astalavista Security Group's Astalavista.com - The Underground, a Security Consultant for Frame4 Security Systems, contributor to TechGenix's WindowSecurity.com, security blogger for ZDNet Zero Day, Threat Intelligence Analyst for Webroot, leading to a successful set of hundreds of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge.

With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe.

What is Disruptive Individuals?

Disruptive Indivuduals is a research-intensive data-driven company successfully establishing the world's largest snapshot of malicious cybercrime activity for the purpose of offering the industry the world's most versatile portfolio of malicious cybercrime-driven services successfully positioning itself as the world's leading provider of real-time intelligence-driven services and product portfolio including cybercrime-research data malicious activity profiling services and custom-tailored intelligence assessments successfully positioning the company as the world's leading provider of cybercrime-data driven research-intensive intelligence data-driven company.

What is Astalavista Security Group?

Astalavista Security Group 2.0 - The Underground is Europe's oldest running and most popular international hacking and security brand successfully serving the needs of millions of users globally throughout the decade successfully converting hundreds of thousands of unique users into loyal long-term type of customers and premium members of the portal. Following the original split of the original founding partners prozac and r00tless a new kid on the block acting as Managing Director circa 2003-2006 - Dancho Danchev - decided to undertake the initiative to lauch and re-surrect the portal the way we know it - the Scene's most popular hacking and computer security Web Site in an attempt to once again re-position the Web site as the primary destination point for hackers/crackers/phreakers/anarchists.

What is Offensive Warfare 2.0?

Offensive Warfare 2.0 - The Future of Cyber Warfare is an international Pro-Western Hacking and Security Community managed and operated by the World's leading expert in the field of cybercrime research - Dancho Danchev - ex-hacker back in the infamous hacking spree back in the 90's. Its purpose is to spread information data and knowledge and educate millions of active users on current and emerging cyber threats and to provide general and in-depth discussion on current and emerging hacking and security technologies empowering the U.S Intelligence Community with the necessary data information and knowledge to stay on the top of its game.

What is the Obmonix Platform?

The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of prorietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the operator law enforcement and the security industry with then necessary tactics techniques and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligenge Community, the security industry and law enforcement agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics techniques and procedures sucessfully protecting millions of users globally.

What is World Hacker Global Domination Group (WHGDG)?

World Hacker Global Domination Group (WHGDG) - the Dark Web's most popular single-page one-man hacking and security hacking group is a project launched by the World's Leading Expert in the field of cybercrime research security blogging and threat intelligence gathering - Dancho Danchev - who undertook the initiative to launch and re-surrect the portal the way we know it - the Dark Web's most popular hacking and computer security Web Site in an attempt to once again re-position the Dark Web Onion as the primary destination point for hackers/crackers/phreakers/anarchists.