GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

April 27, 2010 / Comments (0) / by Dancho Danchev


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign's structure, the changed IPs, and the newly introduced scareware samples+phone back locations over the past few days.

Sample structure from last week:
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
    - www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
        - www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
- packupdate_build107_2045.exe - Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1%) Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
    - www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
        - www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        - www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:
- packupdate_build9_2045.exe - Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95%)

Sample phones back to:
- update2.keepinsafety.net /?jbjyhxs=kdjf0tXm1J2a0Nei2Mrh24U%3D
- www5.my-security-engine.net
- report.land-protection.com /Reports/SoftServiceReport.php?verint
- 91.207.192.24 - Email: gkook@checkjemail.nl
- secure2.securexzone.net/?abbr=MSE&pid=3 - 78.159.108.170 - Emaikl: gkook@checkjemail.nl
- 173.232.149.92 /chrome/report.html?uid=2045&wv=wvXP&
- 74.118.193.47 /report.html?wv=wvXP&uid=50&lng=
- 74.125.45.100
- update1.keepinsafety.net
- 94.228.209.223 - Email: gkook@checkjemail.nl

Related scareware domains part of the ongoing campaign are also parked on the following IPs:
78.46.218.249
www3.workfree20-td.xorg.pl
www3.nojimba52-td.xorg.pl
www3.workfree25-td.xorg.pl



209.212.147.244
www1.newsys-scanner.com - Email: gkook@checkjemail.nl
www2.securesys-scan2.net - Email: gkook@checkjemail.nl
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl
www1.safetypcwork5.net - Email: gkook@checkjemail.nl
www1.securesyscare9.net - Email: gkook@checkjemail.nl
www1.freeguard35-pr.net - Email: gkook@checkjemail.nl

95.169.186.25
www4.ararat23.xorg.pl
www3.sdfhj40-td.xorg.pl
www3.nojimba45-td.xorg.pl
www3.workfree36-td.xorg.pl
www3.nojimba46-td.xorg.pl
www4.fiting58td.xorg.pl
www4.birbinsof.net


94.228.209.182
www1.protectsys25-pd.xorg.pl
www1.protectsys26-pd.xorg.pl
www1.protectsys27-pd.xorg.pl
www1.protectsys28-pd.xorg.pl
www1.protectsys29-pd.xorg.pl
www1.soptvirus32-pr.xorg.pl
www1.soptvirus34-pr.xorg.pl



209.212.147.246
www2.securesys-scan2.com - Email: gkook@checkjemail.nl
www1.newsys-scanner1.com - Email: gkook@checkjemail.nl

UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate: packupdate_build107_2045.exe - Suspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64%) phoning back to new domains:
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
    - ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
    - ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four".

Parked on 74.118.192.23, AS46664, VolumeDrive (ns1.safelinkhere.net) are also:
ns1.birbins-of.com
ns1.cleanupantivirus.com
ns1.createpc-pcscan-korn.net
ns1.fhio22nd.net
ns1.letme-guardyourzone.com
ns1.letprotectsystem.net
ns1.my-softprotect4.net
ns1.new-pc-protection.com
ns1.payment-safety.net
ns1.romsinkord.com
ns1.safelinkhere.net
ns1.safetyearth.net
ns1.safetypayments.net
ns1.save-secure.com
ns1.search4vir.net
ns1.systemmdefender.com
ns1.upscanyourpc-now.com


Parked on 93.174.92.225, AS29073, ECATEL-AS , Ecatel Network (ns2.safelinkhere.net) are also:
marmarams.com
ns2.cleanupantivirus.com
ns2.dodtorsans.net
ns2.fastsearch-protection.com
ns2.go-searchandscan.net
ns2.guardsystem-scanner.net
ns2.hot-cleanofyourpc.com
ns2.marfilks.net
ns2.my-systemprotection.net
ns2.myprotected-system.com
ns2.myprotection-zone.net
ns2.mysystemprotection.com
ns2.new-systemprotection.com
ns2.newsystem-guard.com
ns2.onguard-zone.net
ns2.pcregrtuy.net
ns2.plotguardto-mypc.com
ns2.protected-field.com
ns2.safelinkhere.net
ns2.scanmypc-online.com
ns2.search-systemprotect.net
ns2.searchscan-online.net
ns2.securemyzone.com
ns2.systemcec7.com
ns2.trust-systemprotect.net
ns2.trustscan-onmyzone.com
ns2.trustsystemguard.net
ns2.upscanyour-pcnow.com
ns2.windows-systemshield.net
ns2.windows-virusscan.com
ns2.windowsadditionalguard.net



Following last week's Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place GoDaddy, according to WPSecurityLock.

Since the campaign's URLs still active, and given the fact that based on historical OSINT, we can get even more insights into known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.
One of the domains used cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the currently not responding cechirecom.com was returning the following message:
  • "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"
Registered with the same email, larisadolina@yahoo.com,  is also another domain known have been used in similar attacks from February, 2010 - iss9w8s89xx.org.


Parked on 217.23.5.51 are related scareware domains part of the campaign:
www2.burnvirusnow31.xorg.pl
www2.burnvirusnow33.xorg.pl
www2.burnvirusnow34.xorg.pl
www2.trueguardscaner30-p.xorg.pl
www2.trueguardscaner33-p.xorg.pl
www1.savesysops30p.xorg.pl
www1.suaguardprotect11p.xorg.pl
www2.realsafepc32p.xorg.pl
www1.suaguardprotect13p.xorg.pl
www1.suaguardprotect14p.xorg.pl


Detection rate for the scareware:
- packupdate_build107_2045.exe - VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15%) with the sample phoning back to the following URLs:
- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone back locations:

Parked on 188.124.7.156:
savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:
update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:
update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com


Although the cechirecom.com/js.php is not currently responding, parked on the same IP 61.4.82.212, is another currently active domain, which is registered to hilarykneber@yahoo.com.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:
kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
    - www3.sdfhj40-td.xorg.pl?p=
        - www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19


Parked on 209.212.149.19:
www2.burnvirusnow43.xorg.pl
www2.trueguardscaner42-p.xorg.pl
www1.suaguardprotect23p.xorg.pl
www2.realsafepc27p.xorg.pl
www1.fastfullfind27p.xorg.pl
www1.yesitssafe-now-forsure.in


Detection rate for the scareware:
- packupdate_build106_2045.exe - TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08%)

Just like in Network Solution's case (Dissecting the WordPress Blogs Compromise at Network Solutions) the end user always has to be protected from himself using basic security auditing practices in regard to default WordPress installations. The rest is wishful thinking, that the end user would self-audit himself.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.