Monday, September 07, 2009

News Items Themed Blackhat SEO Campaign Still Active

According to a blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again popped-up on their radars. The campaign itself has been active since April, when I last analyzed it.

What has changed?

Instead of relying on purely malicious domains, the Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web, and due to the quality of the historical OSINT making it possible to detect their activity -- practice which prompts them to insult back -- they're also starting to put efforts into making it look like it's another group.

However, knowing  the tools and tactics that they use, next to evident efficiency-centered mentality, they continue leaving minor leads that make it possible to establish a direct relationship between the group, the Koobface worm and the majority of blackhat SEO campaigns launched during the last couple of months across the entire Web.

The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign, what's new is the typical dynamic change of the redirectors in place.

Let's dissect a sample campaign currently parked at coolinc.info. Once the http referrer checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in campaign (bernie-madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js) with generic detection triggered only by Sophos as Mal/ObfJS-CI.

Through a series of redirectors - usanews2009 .com/index.php - 78.46.129.170 - Email: derrick2@mail.ru; newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru; cnnnews2009 .com/index.php - 91.203.146.38 - EMail: derrick2@mail.ru; the user is redirected to the scareware domain through justintimberlakestream .com/?pid=95&sid=4e6ffe - 193.169.12.70; Email: info@zebrainvents.com.

The scareware itself (phones back to worldrolemodeling .com/?b=1s1 - 193.169.12.71) is dynamically served through 78.46.201.89; 193.169.12.70 and 92.241.177.207 with an diverse portfolio of fake security software domains parked there.

Parked at 92.241.177.207 are:
best-scanpc .com
bestscanpc .org
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
best-scanpc .com
bestscanpc .com
xxx-white-tube .com
rude-xxx-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
1-vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
ns1.megahostname .biz
ns2.megahostname .biz


Parked at 78.46.201.89 (IP used in the U.S Federal Forms themed blackhat SEO campaign) are also:
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
totalspywarescan3 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
antivir-scan-online .com


remove-all-pc-adware .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
megaspywarescan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
warningvirusspreads .com
bewareofvirusattacks .com
secure.web-software-payments .com
warningmalwarealert .com
warningspywarealert .com
warningvirusalert .com


Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
colonizemoon2010 .com
blastertroops2011 .com
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
becomemybestfriend .com
bravemousepride .com
antivir-scan-online .com
emphasis-online .com
justseethisonline .com
futureshortsonline .com


remove-all-pc-adware .com
waitforsunrise .com
funpictureslive .com
justintimberlakestream .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
obbeytheriver .com
obamanewterror .com
warningvirusspreads .com
watch2010movies .com
primeareanetworks .com
investmenttooltips .com
executive-officers .com
newsoverworldhot .com
management-overview .com
justthingsyouneedtoknow .com
criticalmentality .com


In between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html (74.54.176.50; Email: skypixre@nm.ru) leading to sexualporno .ru/admin/red/mwcounter.html. Parked on 74.54.176.50 are related domains that were once using the ddanchev-suck-my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.

Does this admin/red directory structure ring a bell? But, of course. In fact the ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 74.54.176.50) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.

The ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check just like the U.S federal forms themed campaign, and the original "Hot News" themed campaigns - if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663";[. The script also includes a central iFrame from the now known malicious coolinf .info - dash-store.coolinc .info/images/levittpedofil.html which redirects to 1008.myhome .tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now known justintimberlakestream .com/?pid=42&sid=8f68b5.

The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybecrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with the Koobface botnet.

Monitoring of their campaigns, and take down actions would continue.

Related posts:
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem

Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:
Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment