
Not necessarily in real time (see Syndicating Google Trends Keywords for Blackhat SEO), but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm, StalkDaily/Mikeyy.
What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual or group of individuals, or that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g. my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice: referrer checking, used to decide whether or not to serve the malicious content.

For instance, once deobfuscated, the script checks whether the visitor is coming from one of the following search engines:
var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if (document.referrer) ref = document.referrer;
If the user/researcher is simply wandering around with no matching referrer, a blackhat SEO page with no malicious redirections is served instead.
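The cloaking described above can be checked for from the defender's side by requesting the same URL with and without a search-engine Referer and comparing the responses. The following is an added example, not code from the original post; the sample responses and the example.invalid URL are constructed, and the fetcher is injected so the check can run offline.

```python
"""Referrer-cloaking check (added example, not code from the original post).
Fetch the same URL with no Referer and with a search-engine Referer; a page
that only serves redirect code to search traffic is flagged. The fetcher is
injected so the check runs offline against constructed responses."""
import hashlib
import re
import urllib.request

# Search-engine referrers of the kind the post says usa.js looks for.
SEARCH_REFERRERS = [
    "https://www.google.com/search?q=mikeyy",
    "https://search.yahoo.com/search?p=mikeyy",
]
# Rough markers of a client-side or meta redirect in an HTML body.
REDIRECT_MARKERS = re.compile(
    r"location\.(href|replace)|window\.location|http-equiv=[\"']?refresh", re.I)

def http_fetch(url, referer=None, timeout=10):
    """Live fetcher: return the response body as text (best effort)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def detect_referrer_cloaking(url, fetch=http_fetch):
    """Return {'cloaked': bool, 'per_referrer': {...}} for url; fetch(url,
    referer) returns the body, so a fake can be passed for offline use."""
    base_hash = hashlib.sha256(fetch(url, None).encode()).hexdigest()
    per_ref = {}
    for ref in SEARCH_REFERRERS:
        body = fetch(url, ref)
        per_ref[ref] = {
            "differs": hashlib.sha256(body.encode()).hexdigest() != base_hash,
            "redirects": bool(REDIRECT_MARKERS.search(body)),
        }
    cloaked = any(f["differs"] and f["redirects"] for f in per_ref.values())
    return {"url": url, "cloaked": cloaked, "per_referrer": per_ref}

# Constructed sample responses mimicking the behaviour the post describes.
SAMPLE_PAGES = {
    "direct": "<html><body><h1>mikeyy worm</h1><p>keyword stuffing</p></body></html>",
    "search": "<html><script>window.location='http://example.invalid/go.php'</script></html>",
}

def sample_fetch(url, referer):
    """Offline stand-in for http_fetch driven by SAMPLE_PAGES."""
    hit = bool(referer) and any(s in referer for s in ("google", "yahoo"))
    return SAMPLE_PAGES["search" if hit else "direct"]
```

Run against a live URL with the default fetcher; a site that answers identically regardless of Referer will not be flagged, while one that only hands redirect code to search traffic will.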

The following are all of the currently active and participating domains/subdomains:
tran.tr.ohost .de
actual.homelinux .com
achyutheil.ac.ohost .de
aprln.getmyip .com
east.homeftp .org
my1.dynalias .org
my2.dynalias .org
my3.dnsalias .org
my5.webhop .org
The redirection process consists of two layers. The first one redirects to hjgf .ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93); the second one takes place through a well-known malicious doorway redirecting domain, hqtube .com/to_traf_holder.html (88.85.66.116), that either serves a fake codec which drops the scareware, or the scareware itself from files.ms-load-av .com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:
msscan-files-antivir .com (195.88.81.93) - Coi Carol, Email: car0sta0@gmail.com
hot-girl-sex-tube .com - Erica Thomas, Email: gerrione@gmail.com
msscan-files-antivir .com
msscanner-top-av .com - Mui Arnold, Email: arnoebr@gmail.com
msscanner-files-av .com
antivir-4pc-ms-av .com - Jason Munguia, Email: jasmung@gmail.com

The bottom line: the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.