Following on from my previous write-ups on the blackhat SEO campaigns currently running in the search engines: over the past few weeks I've noticed that the ones I previously documented, using filenames such as cadets.php together with the .js file, have mysteriously started leading to 404 pages.
Thankfully (or disappointingly, depending on how you want to look at it), they're still making it very easy to identify their malicious domains. Take the following, for example;
Current IP: 220.127.116.11
IP PTR: 18.104.22.168.internetserviceteam.com
You'll no doubt have noticed our dear friends at the IST in the PTR record, but you may have missed the fact that, whilst the IP range is registered to V3SERVERS-NET-967806 (v3servers.net), it also just so happens to sit on the NetDirekt AS. Coincidence? I don't think so.
Getting back to it: feed this domain a Google referer (I've not tested it, but am 99% sure it'll also work if you feed it a Bing, Live or Yahoo etc. referer) and you're taken to triwoperl.com (IP: 22.214.171.124 - 126.96.36.199.internetserviceteam.com), which looks like an ordinary search page.
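The referer-conditional redirect described above is the classic doorway-cloaking trick: the page behaves differently depending on whether the request looks like a click from a search result. The script below is an added example (my own, not the post's tooling) of how to check a suspect URL for it: it requests the URL once with no Referer and once per search-engine Referer, follows each Location hop by hand so the exact point of divergence is recorded, and flags any referer whose chain ends on a different host than the direct visit. The hostnames `doorway.example` and the `search.php` path are invented for the offline stand-in; `triwoperl.com` is used only as a label because the post names it, and the stand-in's behaviour is an assumption modelled on the post's description, not captured traffic.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin, urlsplit

# Referers to probe with. "none" is the baseline direct visit. The query
# strings are placeholders; a typical doorway script only looks at the host.
SEARCH_REFERERS = {
    "none": None,
    "google": "http://www.google.com/search?q=cadets",
    "bing": "http://www.bing.com/search?q=cadets",
    "yahoo": "http://search.yahoo.com/search?p=cadets",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Live fetcher: one GET, no redirect following. Returns (status, headers)
    with header names lower-cased. Not used by the offline demo below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # A 3xx that was not followed surfaces here; keep code and headers.
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def follow_chain(url, referer, fetch, max_hops=10):
    """Walk Location headers manually and return every URL visited, so the
    hop that diverges is visible instead of hidden by auto-redirects."""
    headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1)"}
    if referer:
        headers["Referer"] = referer
    chain = [url]
    for _ in range(max_hops):          # bounded: redirect loops are common
        status, hdrs = fetch(url, headers)
        location = hdrs.get("location")
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)   # resolves relative Location values
        chain.append(url)
    return chain


def compare_referers(url, fetch, referers=SEARCH_REFERERS):
    """Probe `url` once per referer. Returns the chains and the set of
    referer names whose final hostname differs from the direct visit."""
    chains = {name: follow_chain(url, ref, fetch) for name, ref in referers.items()}
    baseline_host = urlsplit(chains["none"][-1]).hostname
    cloaked = {
        name for name, chain in chains.items()
        if urlsplit(chain[-1]).hostname != baseline_host
    }
    return chains, cloaked


# --- Constructed stand-in for the live site so the example runs offline. ---
# doorway.example is an invented doorway host; triwoperl.com is the fake
# search page named in the post. Paths and behaviour are assumptions.
DOORWAY = "http://doorway.example/cadets.php"
FAKE_SEARCH = "http://triwoperl.com/search.php?q=cadets"


def fake_fetch(url, headers):
    referer = headers.get("Referer", "")
    from_search = any(h in referer for h in ("google.", "bing.", "yahoo.", "live."))
    if url == DOORWAY and from_search:
        return 302, {"location": FAKE_SEARCH}
    # Direct visits (and the fake search page itself) just return a page.
    return 200, {"content-type": "text/html"}


def demo():
    chains, cloaked = compare_referers(DOORWAY, fake_fetch)
    for name, chain in chains.items():
        print(f"{name:>7}: {' -> '.join(chain)}")
    print("referer-cloaked for:", sorted(cloaked))
    return cloaked


if __name__ == "__main__":
    demo()
```

To run it against a live suspect, call `compare_referers(url, http_fetch)` from an isolated analysis box only: the chain in this campaign ends at an executable drop. Expect the live page to also vary on User-Agent and on the visitor's IP or country, so a clean result with one probe is not proof of a clean site.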
Alas, as you'll no doubt have guessed, its results don't actually take you to the domains they claim to; instead, you're taken through;
Which, as you've no doubt guessed, leads you to the usual scareware infection.
The infection itself is loaded from tlupdate.info (IP: 188.8.131.52 - 184.108.40.206.internetserviceteam.com);
Which gives you a file called install.exe (563K, MD5 206ca7574b8cf634f3b4add5e8d96e09).
You'll no doubt have noticed Sunbelt flagging it as Waledac, which means you're getting a whole lot more than just scareware: Waledac is a spam botnet, so the infected machine is recruited into it as well.
One of these days, NetDirekt will learn that the longer they allow this on their IP ranges, the longer it's going to take for those such as myself to stop blackholing every NetDirekt range we come across (including several I'm currently processing for addition as I write this: 220.127.116.11-18.104.22.168).
/edit 13-08-2009 16:15
As of August 13th, the stromiko.com domain appears to have been deleted: it's no longer registered and thus no longer active.
hpHosts - Stromiko
hpHosts - Internet Service Team
hpHosts - 95.168.*