Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasingly common, as is the use of SQL injection to make sure the campaigns receive enough generic traffic to those redirectors. Setting aside the shared traffic management tools, web malware exploitation kits, templates for the rogue adult sites and the rogue security software, perhaps the most important point about all of the previously analyzed campaigns is that they are related to one another, operated by the same people, and most of the time run on the very same infrastructure with the very same live exploit URLs.
Let's expose yet another such campaign, one that has been SQL injected into, and spammed across, a couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45), from where the following campaigns load on the fly:
porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)
getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)
immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)
movieexternal .com/download.php?id=1552 (77.91.231.201)
2008adults2008a .com/freemovie/144/0/
avwav .com/1931.htm
codecupgrade .com (74.50.117.84)
iwillseethatvideo .com (91.203.92.53)
dciman32 .com (85.255.120.45)
Naturally, these are just the tip of the iceberg, and the deeper you dig, the more connections to malware gangs and previous campaigns can be established. For instance, here are some more "sleeping beauties" at 74.50.117.84:
winantivirus2008 .org
porntubev20 .com
crack-land .com
just-tube .com
codecupgrade .com
scanner-tool .com
surf-scanner .com
best-cracks .com
updatehost .com
freemoviesdb .net
megasoftportal .net
And even more malicious doorways and rogue software at 89.149.227.195:
musicportalfree .com
softportalfree .com
verifiedpaymentsolutionsonline .com
my-adult-catalog .com
indafuckfuck .com
best-porncollection .com
funfuckporn .com
sanxporn .com
dolcevido .com
xiedefender .com
online-malwarescanner .com
easyvideoaccess .com
my-searchresults .com
creatonsoft .com
ihavewetfuckpussy .com
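The lists above are only useful to a defender once the defanged indicators are turned back into hosts, grouped by the IP they share, and matched against what actually leaves the network. The following script is an added example and not code from the post; it embeds the post's own indicators (with the hosting IP the post states for each), refangs them, clusters domains by IP so that the shared hosts such as 74.50.117.84 stand out, and then runs the result over a few constructed Squid-format proxy log lines. The log lines, the client addresses and the domain newdoorway-example.info in them are constructed for the demonstration and do not appear in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators as listed in the post (defanged with a space before the TLD),
# one per line, with the hosting IP the post gives for them in parentheses.
POST_INDICATORS = """
gpamelaaandersona .info (82.103.129.98)
tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45)
porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)
getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)
immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)
movieexternal .com/download.php?id=1552 (77.91.231.201)
2008adults2008a .com/freemovie/144/0/
avwav .com/1931.htm
codecupgrade .com (74.50.117.84)
iwillseethatvideo .com (91.203.92.53)
dciman32 .com (85.255.120.45)
winantivirus2008 .org (74.50.117.84)
crack-land .com (74.50.117.84)
scanner-tool .com (74.50.117.84)
xiedefender .com (89.149.227.195)
online-malwarescanner .com (89.149.227.195)
"""

DEFANG_RE = re.compile(r"\s+\.")                      # "example .com" -> "example.com"
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(74.50.117.84)"


def refang(indicator: str) -> str:
    """Undo the post's defanging by removing the space inserted before the TLD."""
    return DEFANG_RE.sub(".", indicator)


def parse_indicators(text: str):
    """Return (host, url, ip_or_None) tuples for every non-empty indicator line."""
    records = []
    for raw in text.strip().splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        ip_match = IP_RE.search(line)
        ip = ip_match.group(1) if ip_match else None
        url = line.split()[0]                 # host plus optional path comes first
        host = url.split("/", 1)[0].lower()
        records.append((host, url, ip))
    return records


def cluster_by_ip(records):
    """Group campaign domains by the IP the post says hosts them."""
    clusters = defaultdict(set)
    for host, _url, ip in records:
        if ip:
            clusters[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


def shared_hosts(clusters, min_hosts=2):
    """IPs hosting more than one campaign domain: block the host, not each domain."""
    return {ip: hosts for ip, hosts in clusters.items() if len(hosts) >= min_hosts}


# Constructed Squid native-format proxy log lines (not from the post). The third
# line hits a domain that is NOT on the list but resolves to a listed IP, which is
# why the IP pivot matters; newdoorway-example.info is a placeholder name.
SAMPLE_PROXY_LOG = """
1216650001.123 45 10.0.0.7 TCP_MISS/302 512 GET http://gpamelaaandersona.info/gallery/3.html - DIRECT/82.103.129.98 text/html
1216650002.456 30 10.0.0.7 TCP_MISS/200 9120 GET http://codecupgrade.com/install.php - DIRECT/74.50.117.84 text/html
1216650003.789 28 10.0.0.12 TCP_MISS/200 7730 GET http://newdoorway-example.info/x.html - DIRECT/85.255.120.45 text/html
1216650004.012 12 10.0.0.9 TCP_HIT/200 4411 GET http://www.example.org/index.html - NONE/- text/html
"""


def match_proxy_log(log_text, records):
    """Flag requests whose host is a listed domain or whose peer IP is a listed host.

    Returns (client, host, reason) tuples so the caller can raise an alert per client.
    """
    known_hosts = {host for host, _u, _ip in records}
    known_ips = {ip for _h, _u, ip in records if ip}
    hits = []
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue                                  # malformed line, skip
        host = (urlparse(fields[6]).hostname or "").lower()
        peer_ip = fields[8].split("/")[-1]            # "DIRECT/74.50.117.84"
        if host in known_hosts:
            hits.append((fields[2], host, "doorway-domain"))
        elif peer_ip in known_ips:
            hits.append((fields[2], host, "doorway-ip"))
    return hits


if __name__ == "__main__":
    recs = parse_indicators(POST_INDICATORS)
    for ip, hosts in sorted(shared_hosts(cluster_by_ip(recs)).items()):
        print(ip, "hosts", ", ".join(hosts))
    for client, host, reason in match_proxy_log(SAMPLE_PROXY_LOG, recs):
        print("ALERT", client, "->", host, "(%s)" % reason)
```

The domain match catches the two doorways that were on the list; the IP match catches the request to a domain the list does not yet know, because it was served from 85.255.120.45, the same host that runs the tds.zbestservice .info redirector and dciman32 .com. That is the practical reason to pivot on hosting IP rather than maintaining a domain list alone, at least for the ISPs the post describes, where the infrastructure does not move.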
How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of ISPs you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later, and when your abuse emails become more persistent, a fake "account suspended" notice makes it to the front page, whereas the campaigns get automatically updated to redirect to an internal page, again serving the malware and the redirectors.
Related posts:
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Monday, July 21, 2008
SQL Injecting Malicious Doorways to Serve Malware