Thursday, July 15, 2010

Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines


UPDATED, Friday, July 16, 2010 - Directi has suspended the domains portfolio of the cybercrime-friendly search engines. 

Cybercrime-friendly search engines are bogus search engines which, while visually social-engineering their users, serve fake results leading to client-side exploits, bogus video players that drop more malware, scareware and pharmaceutical scams, alongside domain farms neatly embedded with Google AdSense scripts for monetization.

In the majority of cases -- whenever blackhat SEO is not an option -- end users are exposed to their maliciousness once they get infected with malware that redirects each and every request to popular search engines such as Google, Yahoo and Bing to the malicious IPs/domains operated by the cybercriminals.

As far as their monetization tactics are concerned, fellow cybercriminals are free to purchase any keyword they want, for instance "spyware", and make the result look like a link to security-vendor.com's site, whereas upon clicking, a particular type of malicious activity takes place depending on the user's physical location.

Remember the HOSTS file modification performed by the malware at AS6851, BKCNET, Sagade Ltd., and in particular the Koobface-gang-related IP 89.149.210.109? Sampling the malicious activity within the search engines parked/forwarded (DNS recursion) from this IP turns up client-side exploits, bogus video players dropping malware, and scareware, all within less than 5 minutes of testing.
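The HOSTS-file hijack described above (search engine hostnames pinned to a cybercriminal's IP) is straightforward to check for on an endpoint. The following is an added example, not code from the original post: it parses HOSTS-file text and flags google.com, yahoo.com and bing.com names (and their subdomains) that resolve to anything other than a loopback or unspecified address, using a constructed sample in which the TEST-NET-3 address 203.0.113.10 stands in for the redirect target.

```python
import ipaddress
# Hostnames whose hijacking the post describes; www.* and regional
# variants are matched as subdomains of these.
SEARCH_ENGINES = ("google.com", "yahoo.com", "bing.com")

def _is_watched(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINES)

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, ignoring comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name

def find_search_hijacks(text):
    """Return [(hostname, ip)] for watched names pinned to a non-local address.

    Loopback/unspecified entries (how an admin legitimately blocks a host) are
    skipped; a search engine name mapped to any other address is a hijack sign.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not _is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))  # malformed address on a watched name
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, ip))
    return hits

# Constructed sample HOSTS content; 203.0.113.10 (TEST-NET-3) stands in for
# the attacker-controlled address a real infection would write.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net      # ad-blocking entry, legitimate
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
203.0.113.10    search.yahoo.com
"""

if __name__ == "__main__":
    for name, ip in find_search_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {ip}")
```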


The cybercrime-friendly domains in question:

Internal redirections to malicious content take place through the following domains:


Internal pharmaceutical redirections take place through the following domains:
medsbrands.com - 74.52.216.46 - Email: tech@add-manager.com
thepillsdiscounts.info - 74.52.216.46 - Email: tech@add-manager.com
yourcatalogonline.biz - 74.52.216.46
bestderden.org - 74.52.216.46

Internal redirections to malicious content take place through the following IPs:
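The infrastructure pivoting done in the lists above (grouping domains by the hosting IP and the registrant e-mail they share) can be automated over the post's own notation. This is an added example, not code from the original post; the domains, e-mails, IPs and AS numbers in SAMPLE_LINES are constructed placeholders from documentation ranges.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ASN_RE = re.compile(r"^AS\d+$")

def parse_indicator_line(line):
    """Parse 'domain[, domain] - Email: x - IP - ASN' (any order, any field optional)."""
    rec = {"domains": [], "email": None, "ip": None, "asn": None}
    for field in (f.strip() for f in line.split(" - ")):
        if not field:
            continue
        if field.lower().startswith("email:"):
            # An empty 'Email:' (as in the post's phone-home list) stays None.
            rec["email"] = field.split(":", 1)[1].strip().lower() or None
        elif IP_RE.match(field):
            rec["ip"] = field
        elif ASN_RE.match(field):
            rec["asn"] = field
        else:  # one or more domains (optionally with a path), ',' or ';' separated
            rec["domains"] += [d.strip().lower() for d in re.split(r"[,;]", field) if d.strip()]
    return rec

def pivot(lines):
    """Group domains by the hosting IP and by the registrant e-mail they share."""
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_indicator_line(line)
        for d in rec["domains"]:
            if rec["ip"]:
                by_ip[rec["ip"]].add(d)
            if rec["email"]:
                by_email[rec["email"]].add(d)
    return by_ip, by_email

# Constructed sample lines in the post's notation; names, e-mails, IPs and AS
# numbers are placeholders from documentation ranges, not real indicators.
SAMPLE_LINES = [
    "bogus-search1.example - Email: registrant-a@example.net - 198.51.100.7 - AS64496",
    "bogus-search2.example - Email: registrant-a@example.net - 198.51.100.7 - AS64496",
    "clickfarm.example - 198.51.100.7 - AS64496",
    "redir-a.example, redir-b.example - 203.0.113.9 - Email: registrant-b@example.org",
    "tds.example/in.php - 203.0.113.9",
]

if __name__ == "__main__":
    by_ip, by_email = pivot(SAMPLE_LINES)
    for ip, doms in sorted(by_ip.items()):
        print(f"{ip}: {len(doms)} domain(s) -> {sorted(doms)}")
```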



Sample malicious activity consists of scareware campaigns, client-side exploits, and bogus video players dropping malware.

Upon visiting the bogus PornTube at vogel-tube.com/xfreeporn.php?id= - 66.197.187.118 (the-real-tube-best.com and great-celebs-tube.net are parked there) - Email: admin@thenweb.com, the user is tricked into manually installing basemultimedia.com/video-plugin.45309.exe - 66.197.154.21 (visualbasismedia.com) - Email: joe@silentringer.com.

- Detection rate:
video-plugin.45309.exe - Downloader-CEW.b, Result: 6/42 (14.29%)
File size: 113152 bytes
MD5...: 25e644171bf9ee2a052b5fa71f8284e5
SHA1..: e4ac01534c7c1b71d2a38cf480339d31db187ecb

Upon execution, the sample phones back to:

Parked at 216.240.146.119, AS7796 are also:


Parked at 64.191.44.73, AS21788 are also:

Parked at 64.20.35.3, AS19318 are also:


Related malicious domains sharing the same DNS infrastructure:

In addition to the bogus dropper, the cybercriminals are also directly serving client-side exploits to users searching for security-related content. In this case, the exploits/malware are served from xoxipemej.cn/gr/s1/ - 178.63.170.185 - Email: shiwei_fang77@126.com.

- Detection rate:
.exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62%)
File size: 53760 bytes
MD5...: 23244c5b5b02fab65b3a7ab51005fd51
SHA1..: a5f1a10344378f2c8f13c266dce39247ba3bae5f


Parked on the same IP 178.63.170.185, AS24940 are also:

Last but not least is the scareware infection taking place through www1.warezforyou24.co.cc/?p=p52 - 114.207.244.146; 114.207.244.143; 114.207.244.144; 114.207.244.145. Parked on these IPs is also an extensive portfolio of related scareware domains.

- Detection rate:
packupdate107_231.exe - Suspicious:W32/Malware!Gemini, Result: 3/42 (7.15%)
File size: 238080 bytes
MD5...: 93517875c59ac33dab655bc8432b0724
SHA1..: 774af049406baeef3427b91a2d67ee0250b2b51b

Upon execution, the sample phones back to:

The cybercrime-friendly domains portfolio is in the process of being suspended.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
