Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 28 May 2010

WARNING: Blackhat SEO turns (once again) to exploits

Not content with serving up fake AVs and the likes, it seems one of the blackhat SEO gangs have one again, turned to serving up exploits instead. Obviously this leads to a fake AV infection aswell, but I thought this worth mentioning.

The story starts not surprisingly, at Google, where you're searching for your favourite TV show, news clip, or something completely random, such as why you always wake up on the right side of the bed when going to sleep on the left.

You find a result and go "Ooooh, that'll have my answer", and go clickity click - but woops! You find yourself going through the recognizable MITM (man in the middle), in this case, typeforman.net (195.88.144.80 - Failed resolution, AS48984 195.88.144.0/23 VLAF-AS Vlaf Processing Ltd), and on to an exploit (in this case, at splitssoft.com (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI) and vvvne.in (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI).



I've added the domains involved to MDL and hpHosts, and Malwarebytes AntiMalware users will be pleased to know, the IPs involved are already blocked by the IP Protection facility.

For those wanting samples, the headers are below.

shirleybarbers.com/polwe/xgfedn.php?jx=716054

http://typeforman.net/in.cgi?12
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758


HTTP/1.1 302 Moved Temporarily
Date: Fri, 28 May 2010 10:03:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.12
Location: http://typeforman.net/in.cgi?12
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Set-Cookie: SL_12_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:01:30 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:03:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275041000; expires=Fri, 04-Jun-2010 10:03:20 GMT; path=/; domain=splitssoft.com


magnusbystrom.com/qosbi/hwsqbs.php?n=318039

http://typeforman.net/in.cgi?9
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758


HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:59:30 GMT
Server: Apache/1.3.41
X-Powered-By: PHP/5.2.10
Location: http://typeforman.net/in.cgi?9
Connection: close
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Set-Cookie: SL_9_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:57:41 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:59:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275044372; expires=Fri, 04-Jun-2010 10:59:32 GMT; path=/; domain=splitssoft.com


These are only allowing access once per IP, so you'll find the vURL Online results for the doorway pages below (I don't have caching written in for vURL Online yet, but incase you'd like it, the URL to the vURL dissection for this is http://vurldissect.co.uk/?url=1355697).
http://it-mate.co.uk/temp/vURL_Online_results_-_shirleybarbers_com.pdf

The exploits they're using include;

MSOfficeWebComponents
Snapshot Viewer Control
Acrobat PDF
MDAC (Microsoft Data Access Components)
Java Deployment Kit

No comments: