Monday, July 21, 2008

Impersonating StopBadware.org to Serve Fake Security Warnings

Malware has been known to hijack search results, take for instance the rogue Antivirus XP 2008 as a recent example, but it is even more interesting to see another rogue security application impersonating StopBadware.org in order to serve fake security warnings that ultimately lead to fake security software.



stopbadware2008 .com (58.65.238.171) is one such example: stopbadware2008 .com/antivirus.php redirects to infectionscanner .com and attempts to trick the user into installing download.infectionscanner .com/AntvrsInstall.exe. The message used:



"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and continue safe Internet browsing."
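
The chain described above (a lookalike domain carrying the brand name, a redirect to a second domain, then an executable download from that domain) is a pattern a proxy log can be checked for. The following Python is an added example written for this page, not code from the original post: the hostnames in the constructed log are the ones quoted above, while the log format, timestamps, client addresses and the list of installer extensions are assumptions.

```python
"""Flag the fake-warning redirect chain in a proxy log (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LEGIT_SITES = {"stopbadware.org"}        # the brand the rogue impersonates
BRAND_TOKENS = ("stopbadware",)          # assumed: tokens that mark a lookalike
PAYLOAD_EXTS = (".exe", ".scr", ".msi")  # assumed: installer extensions to alert on

# Constructed proxy log, NOT from the original post. Assumed format:
#   <epoch> <client> <method> <url> <status> <Location header or "-">
SAMPLE_LOG = """\
1216627200 10.0.0.5 GET http://stopbadware2008.com/antivirus.php 302 http://infectionscanner.com/
1216627201 10.0.0.5 GET http://infectionscanner.com/ 200 -
1216627230 10.0.0.5 GET http://download.infectionscanner.com/AntvrsInstall.exe 200 -
1216627300 10.0.0.9 GET http://www.stopbadware.org/ 200 -
1216627400 10.0.0.7 GET http://stopbadware2008.com/antivirus.php 302 http://infectionscanner.com/
1216627405 10.0.0.7 GET http://infectionscanner.com/ 200 -
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def same_site(host, site):
    """True if host is site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def is_lookalike(host):
    """Carries the brand name but is not the brand's own domain."""
    if any(same_site(host, legit) for legit in LEGIT_SITES):
        return False
    return any(token in host for token in BRAND_TOKENS)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ts, client, method, url, status, location = m.groups()
        events.append({"ts": int(ts), "client": client, "method": method,
                       "url": url, "status": int(status),
                       "location": None if location == "-" else location})
    return events


def find_chains(text, window=600):
    """One alert per lookalike redirect, with the payload hop if one followed."""
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            host = host_of(ev["url"])
            if not (is_lookalike(host) and 300 <= ev["status"] < 400 and ev["location"]):
                continue
            target = host_of(ev["location"])
            if same_site(target, host):
                continue  # an internal redirect is not a hand-off to another site
            payload = None
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                path = urlsplit(later["url"]).path.lower()
                if same_site(host_of(later["url"]), target) and path.endswith(PAYLOAD_EXTS):
                    payload = later["url"]
                    break
            alerts.append({"client": client, "lookalike": host,
                           "redirect_to": target, "payload": payload})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

The detector alerts on the redirect alone, so a client that was bounced to the scanner domain but never fetched the installer still shows up (with payload set to None); the legitimate visit to www.stopbadware.org is not flagged because the subdomain check treats it as the brand's own site.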



There is in fact even more rogue software using the same IP (58.65.238.171), courtesy of HostFresh:

virus-scanner-online .com

security-scanner-online .com

viruses-scanonline .com

virus-scanonline .com

antivirus-scanonline .com

download.antivirus-scanonline .com

topantivirus-scan .com

topvirusscan .com

virusbestscan .com

virus-detection-scanner .com

antivirus-scanner .com

infectionscanner .com

virusbestscanner .com

internet-security-antivirus .com




It would be interesting to monitor whether the template for the fake security warning starts getting used on a large scale.



Related posts:

A Portfolio of Fake Video Codecs 

Fake PestPatrol Security Software

Got Your XPShield up and Running?

Localized Fake Security Software

A Diverse Portfolio of Fake Security Software

RBN's Fake Security Software

SQL Injecting Malicious Doorways to Serve Malware

Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasingly common, as is the use of SQL injection to ensure the campaigns receive enough generic traffic to their redirectors. Setting aside their use of the very same traffic management tools, web malware exploitation kits, and templates for the rogue adult sites and the rogue security software, perhaps the most important thing to point out about all of the previously analyzed campaigns of this kind is that they are all related to one another, operated by the same people, using the very same infrastructure and, most of the time, the very same live exploit URLs.



Let's expose yet another such campaign, one that has been SQL injected and spammed across a couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45), and from there the following campaigns load on the fly:



porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)

getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)

immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)

movieexternal .com/download.php?id=1552 (77.91.231.201)

2008adults2008a .com/freemovie/144/0/

avwav .com/1931.htm

codecupgrade .com (74.50.117.84)

iwillseethatvideo .com (91.203.92.53)

dciman32 .com (85.255.120.45)



Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections with malware gangs and previous campaigns can be established. For instance, here are some more "sleeping beauties" at 74.50.117.84:



winantivirus2008 .org

porntubev20 .com

crack-land .com

just-tube .com   

codecupgrade .com

scanner-tool .com

surf-scanner .com

best-cracks .com

updatehost .com

freemoviesdb .net

megasoftportal .net
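
The connections between these campaigns are established by pivoting on shared hosting: the same IP carries the doorway, the fake codec and the rogue scanner, and the TDS shares an address with dciman32 .com. The following Python is an added example, not code from the original post: it refangs indicators written in this blog's "label .tld (ip)" convention, carries a heading's IP down to the list beneath it, and reports the IPs that host more than one campaign domain. The sample input is assembled from indicators quoted above; the regular expressions for the defanging convention are this example's own assumption about that convention.

```python
"""Refang the post's defanged indicators and pivot them by hosting IP (added example)."""
import re
from collections import defaultdict

# The blog defangs hostnames as "label .tld"; an optional path follows the TLD
# and an optional "(ip)" or "- (ip)" closes the line.
IOC_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+)\s+\.(?P<tld>[A-Za-z]+)(?P<path>\S*)"
    r"(?:\s+(?:-\s+)?\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?\s*$"
)
# List headings of the form "... at 74.50.117.84 :" assign that IP to the lines below.
HEADING_RE = re.compile(r"\bat (\d{1,3}(?:\.\d{1,3}){3})\s*:\s*$")

# Constructed input assembled from indicators quoted in the post above.
SAMPLE = """\
gpamelaaandersona .info (82.103.129.98)
tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45)
porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)
getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)
codecupgrade .com (74.50.117.84)
dciman32 .com (85.255.120.45)
2008adults2008a .com/freemovie/144/0/
some more "sleeping beauties" at 74.50.117.84 :
winantivirus2008 .org
porntubev20 .com
scanner-tool .com
codecupgrade .com
"""


def parse_indicator(line, default_ip=None):
    """Return (host, path, ip) for one defanged line, or None if it is prose."""
    m = IOC_RE.match(line)
    if not m:
        return None
    host = f"{m.group('host')}.{m.group('tld')}".lower()
    return host, m.group("path") or "/", m.group("ip") or default_ip


def parse_block(text):
    """Parse a run of lines, carrying a heading's IP down to the list under it."""
    current_ip, iocs = None, []
    for line in text.splitlines():
        heading = HEADING_RE.search(line)
        if heading:
            current_ip = heading.group(1)
            continue
        ioc = parse_indicator(line, current_ip)
        if ioc:
            iocs.append(ioc)
    return iocs


def pivot_by_ip(iocs):
    """Map each IP to the sorted hosts seen on it; hosts with no IP are dropped."""
    clusters = defaultdict(set)
    for host, _path, ip in iocs:
        if ip:
            clusters[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


def shared_infrastructure(clusters, min_hosts=2):
    """IPs that host more than one campaign domain: the pivot points."""
    return {ip: hosts for ip, hosts in clusters.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, hosts in shared_infrastructure(pivot_by_ip(parse_block(SAMPLE))).items():
        print(ip, "->", ", ".join(hosts))
```

Indicators with no IP on their line and no governing heading (2008adults2008a .com above) stay in the parsed list but drop out of the pivot, so a missing resolution never produces a false cluster; resolving those hosts is a separate, online step.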




And even more malicious doorways and rogue software at 89.149.227.195:



musicportalfree .com

softportalfree .com

verifiedpaymentsolutionsonline .com

my-adult-catalog .com

indafuckfuck .com

best-porncollection .com

funfuckporn .com

sanxporn .com

dolcevido .com

xiedefender .com

online-malwarescanner .com

easyvideoaccess .com

my-searchresults .com

creatonsoft .com

ihavewetfuckpussy .com




How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of ISPs that you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later. And when your abuse emails become more persistent, a fake "account suspended" notice makes it to the front page, while the campaigns get automatically updated to redirect to an internal page that again serves the malware and the redirectors.



Related posts:

Fake Porn Sites Serving Malware - Part Two

Fake Porn Sites Serving Malware

Underground Multitasking in Action

Fake Celebrity Video Sites Serving Malware

Blackhat SEO Redirects to Malware and Rogue Software

Malicious Doorways Redirecting to Malware

A Portfolio of Fake Video Codecs