Malicious Doorways Redirecting to Malware

June 16, 2008
Blacklisting malicious sites in times when legitimate ones are starting to compete with bogus .info and .biz ones for the leading position of hosting and serving malicious content, is a bit of an outdated and reactive approach for protecting against unknown threats. However, a single malicious domain whose live exploits can be easily detected and consequently blocked, is often just a front end to a large domains portfolio whose malicious content may easily pass through web filtering and on-the-fly malware attempts. Even worse, a malicious domain often exists in multiple "alternate realities" since a single IP is hosting many other unique and related malware domains.

In this post, I'll assess a misconfigured malicious doorway, that is redirecting to ten different malware sites serving Zlob variants by delivering fake codecs that all the bogus adult sites require. The doorway is misconfigured in the sense of not recording the IP and checking the cookie set, in comparrision to every average web malware exploitation kit out there, which will not serve anything malicious when accessed for a second time since it's hashing the IPs that accessed it already. This is just the tip of the iceberg when it comes to the emerging evasive approaches applied to make the analysis of such doorways a bit more time and resources consuming. In a single sentence - there's evidence blackhat SEO-ers are starting to exchange crawling manipulation know-how with malware authors.

In this example we have ( which is reditecting to ( a URL that's been actively spammed across forums and guestbooks vulnerable to automatic posting vulnerabilities (weak CAPTCHAs and web application vulnerabilities) which is then redirecting to the following fake codec domains on the fly, and since the redirection script isn't hashing my IP like the majority of well configured ones requiring the use of multiple IPs if we're to expose all the campaigns, it makes the investigation easier : - ( - ( - ( - ( - ( - ( - ( - ( - ( - ( - ( - (

Where's the "alternate reality"? All of the following fake codec and adult sites serving Zlob variants, with minor exceptions of course, are also responding to the main IP of the redirector - :

Shall we also expose the entire scammy ecosystem of Zlob variants, as always, sharing the same netblocks in order to keep it simple? But of course :

The bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits are starting to take into consideration as well.

About the author

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodlogy for processing threat intelligence leading to a successful set of hundreas of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge. With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe.