Thursday, June 03, 2010

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two

UPDATED: Sunday, June 06, 2010.
The new redirections currently take place through www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c (93.190.141.40) and www1.avscaner-40pr.co.cc (217.23.5.52).

Also parked on 93.190.141.40 (AS49981, WorldStream):
www3.justsoft12-td.co.cc
www3.donrart55-td.co.cc
www3.donrart57-td.co.cc
www3.donrart59-td.co.cc
www4.swintermz.cz.cc
www3.goldvox-50td.xorg.pl
www3.goldvox-60td.xorg.pl
www3.goldvox-52td.xorg.pl
www3.goldvox-54td.xorg.pl
www3.goldvox-64td.xorg.pl
www3.goldvox-56td.xorg.pl
www3.goldvox-58td.xorg.pl
www1.check-saveyour-pc-now.in
www1.in-safe-keepmyzone.in
www1.makesafe-scan-forsure.com


Detection rate:
- packupdate107_213.exe - Trojan.Fakealert.origin; Mal/FakeAV-BW - Result: 12/41 (29.27%)


Upon execution, the sample phones back to:
update1.free-guard.com - 95.169.186.25; 188.124.5.64 - Email: gkook@checkjemail.nl
update2.protect-helper.com - 78.159.108.170 - Email: gkook@checkjemail.nl
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl
secure1.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl
www5.securitymasterav.com - 91.207.192.25 - Email: gkook@checkjemail.nl
update2.free-guard.net - Email: gkook@checkjemail.nl
report.land-protection.com - 188.124.7.156 - Email: gkook@checkjemail.nl
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl
report.zoneguardland.com - 93.186.124.91 - Email: gkook@checkjemail.nl
report1.stat-mx.xorg.pl - 109.196.132.41 - Email: gkook@checkjemail.nl
74.125.45.100
74.82.216.3


Also parked on 95.169.186.25 (AS31103, KEYWEB-AS) and 188.124.5.64 (AS44565, VITAL TEKNOLOJI):
www3.justsoft11-td.co.cc
www3.justsoft12-td.co.cc
www4.swintermz.cz.cc
www4.trustzone17-td.xorg.pl
www3.coantys-41td.xorg.pl
www3.coantys-42td.xorg.pl
www3.coantys-46td.xorg.pl
www4.miymiy3.com
update1.free-guard.com
useguard.com
update1.useguard.com
www2.avcleaner30-pd.co.cc
www1.favoritav30-pd.co.cc
www2.avcleaner32-pd.co.cc
www2.avcleaner34-pd.co.cc
www1.favoritav34-pd.co.cc
www2.avcleaner36-pd.co.cc
www1.favoritav36-pd.co.cc
www3.avprotector54-td.xorg.pl
www3.avprotector56-td.xorg.pl
update1.winsystemupdates.com


Remember the massive blackhat SEO campaign using U.S. Federal Forms themed keywords, which was extensively profiled in August 2009?
The cybercriminals behind it never really stopped feeding new domains into it, including compromised ones, and naturally diversified the set of topics in order to serve scareware. Now that enough data has been gathered, exposing connections within the cybercrime ecosystem that would be communicated using the "perfect timing, perfect channel" philosophy, it's time to dissect the online campaign, expose the entire portfolio of domains involved, and, of course, take it down.


What's particularly interesting about this gang is their clear understanding of QA (quality assurance) for the sake of increased OPSEC (operational security). Just like in the previous campaigns, each individual domain involved in the campaign is registered using a separate email address, in the majority of cases an automatically registered one. With or without the QA, there's no escaping the monetization vector, which in this case, like in many others, is scareware.

Domains used in the blackhat SEO campaign (none of them is currently flagged as harmful):
1ip5p8h.co.cc - Email: mijkzh@gmail.com
1us51n.co.cc - Email: mqxd2r2@gmail.com
aifmydpuhv.co.cc - Email: kent.attonis9140@yahoo.com
amquijycpntb.co.cc - Email: volf.aittala1388@yahoo.com
aqejhilmvb.co.cc - Email: amandeep.terrisse8102@yahoo.com
arnepqjya.co.cc - Email: vkpnzxn@gmail.com
bekqjcra.co.cc - Email: yaala.benardos7911@yahoo.com
benyd.co.cc - Email: lexyb610@gmail.com
bestdesision.co.cc - Email: an9020@bk.ru
bipilyqomyusvuhy.co.cc - Email: eeclllw3xqu19tr9wb@gmail.com
bjalumericz.co.cc - Email: diamond.aittala4367@yahoo.com
chammaope.co.cc - Email: wefergss@ukr.net
coebfjqmkhsn.co.cc - Email: kent.attonis9140@yahoo.com
comp-s.co.cc - Email: stas14423321@mail.ru
eynuqacjrtiz.co.cc - Email: ketina.tomsic2552@yahoo.com
getmoney4me.co.cc - Email: finalizer12@mail.ru
goumucnypuxuhyikzi.co.cc - Email: ekx7roq8p5hrd61tah@gmail.com
hiokirygohxinugohu.co.cc - Email: q88zh7dwshibteg05l@gmail.com
hryjhuklo.co.cc - Email: fgyuhedgdrfghhio@ymail.com
ibdumycp.co.cc - Email: madelyn.ajai1243@yahoo.com
ifohviwihuuxitqoil.co.cc - Email: bsowez9usp1u8cjyxp@gmail.com
ifyfgybyuxisoffu.co.cc - Email: 5nrg2bgm2og0cloxpf@gmail.com
ihquyrvutyridyuwyj.co.cc - Email: wh1p9c5f0jwlvn5jlq@gmail.com
ijojinhuxifykygysu.co.cc - Email: lq7s26llpq2sxbcyd9@gmail.com
imdjrsfybnav.co.cc - Email: sarig.ajaye7737@yahoo.com
incom-sale.co.cc - Email: wisha700_5@yahoo.com
inoltoumydonulijuk.co.cc - Email: e6pgu8mamts6fco5ik@gmail.com
iroqimcuohubizgooh.co.cc - Email: sku0cthz7ttgzwaqzw@gmail.com
iwanti.co.cc - Email: justtobebeauty@gmail.com
iyqvogx.co.cc - Email: do.co.lo.k.oh.o.ngo.v.o@gmail.com
jepabhto.co.cc - Email: festas.mcilsey1646@yahoo.com
kiaxmh4.co.cc - Email: kiaxmh@kiaxmh.com
kiboinikixuvquliro.co.cc - Email: 5k2j7bnpxzgkoyibb0@gmail.com
krghiqyiht.co.cc - Email: ouhegtlx@yahoo.com
kyogpylymypusulojo.co.cc - Email: rrykuqs44ilgf2xd6q@gmail.com
ltcsi0.co.cc - Email: v9xodcm@gmail.com
omsuimuhysjoujiqip.co.cc - Email: nattyxbfpvcaivauf6@gmail.com
opimuzxiyrxigoiwur.co.cc - Email: ebiy9hwt817zs5m0wa@gmail.com
ostozuorypofitjuti.co.cc - Email: 2rdo8uwh14y5mqckkh@gmail.com
pqusrzycd.co.cc - Email: adalricus.aijala4749@yahoo.com
ptvibnrjeayh.co.cc - Email: miliani.mccomrick3922@yahoo.com
pubaxj.co.cc - Email: runuk8976@gmail.com
pucrsnihoqy.co.cc - Email: dalila.babusek8958@yahoo.com
qbhomskuine.co.cc - Email: keona.canose6839@yahoo.com
qcumoyh.co.cc - Email: bethiah.mcglasky5891@yahoo.com
qyczejdlita.co.cc - Email: abegail.woitkoski3075@yahoo.com
ridcamybv.co.cc - Email: laurentius.diamandoglou5401@yahoo.com
rithubmolnda.co.cc - Email: adalynn.aiololo3070@yahoo.com
riyvroiqfoydcilifo.co.cc - Email: irjghmpq7w9t0ah6rz@gmail.com
rnoqzydjuia.co.cc - Email: ieuan.calcutt9416@yahoo.com
rpdkjuaft.co.cc - Email: worley.biernacka1945@yahoo.com
rybidlzck.co.cc - Email: ander.airwyk9339@yahoo.com
ryliydulivuvdojo.co.cc - Email: b5657927wcdn48k3u2@gmail.com
rywutydymoxyodygyt.co.cc - Email: e8fzpd2yzy4w8hf7t4@gmail.com
sdemfjotuc.co.cc - Email: annemarie.bichan3685@yahoo.com
search-portal.co.cc - Email: akhmadarroyan@gmail.com
siycugufryyrkoylky.co.cc - Email: v5o71m4qiy5is0zcs3@gmail.com
sounluolvuoxyqixky.co.cc - Email: ay2643zdi8kywwu444@gmail.com
sprqucoatz.co.cc - Email: vindhya.perilean5722@yahoo.com
ucywmuziboytylwi.co.cc - Email: m45267tiipj7xk9n71@gmail.com
unotufukujygugusto.co.cc - Email: qe2m9s1abdvw02g1p3@gmail.com
upykhogupiybuwojyz.co.cc - Email: 7ea7iulbkzmfp0grso@gmail.com
usbokuycryocyjykqi.co.cc - Email: 5fnuzbof36ug19ly7f@gmail.com
vobyumfoodzygubuyv.co.cc - Email: mjkexe0d9gaqkzihlo@gmail.com
xepepele969.co.cc - Email: bemumoro6654@gmail.com
xodovumuycguhyujip.co.cc - Email: zeqa6hr6kltwpt6eis@gmail.com
yfwiiwoqwipihovo.co.cc - Email: 87koy5ljr5j4oe9dcm@gmail.com
ygitysbocysokuujok.co.cc - Email: qa0gvqsa8t3dr5u3yr@gmail.com
ykraivec.co.cc - Email: wergr@ukr.net
ynywyvtioxiloghoin.co.cc - Email: g955emcus8z0dbfebs@gmail.com
yourbestchose.co.cc - Email: daan900@bk.ru
yzirukwoilokocpohi.co.cc - Email: scqnbtps908moi8rgx@gmail.com

The .co.cc domain portfolio resolves to the following IPs; related malicious domains are also parked on them:
69.163.236.70
78.159.114.244
82.146.50.101
82.146.54.111
82.146.50.156
82.146.54.116
82.146.54.118
82.146.54.119
82.146.54.122
82.146.54.129
82.146.50.183
82.146.54.143
82.146.50.184
82.146.50.188
82.146.54.150
82.146.50.193
82.146.50.194
82.146.50.213
82.146.54.177
82.146.51.237
82.146.53.244
82.146.54.62
82.146.54.69
82.146.54.84
84.16.236.31
84.16.236.32
84.16.229.42
89.149.202.106
89.149.226.127
89.149.201.224
89.149.255.174
89.149.255.20
89.149.238.225
89.149.255.21
89.149.200.47
89.149.237.83
92.63.105.179
92.63.105.191
92.63.98.239
94.76.205.176
94.76.205.177
94.76.205.178
94.76.205.180
94.76.205.182
94.76.205.183
94.76.205.184
174.121.196.227
174.120.128.62
188.120.231.249
205.234.222.169
212.95.56.102
212.95.56.104
212.95.56.89
212.95.56.92
212.95.56.93
212.95.56.95
212.95.56.96



Compromised sites part of the blackhat SEO campaign:
kleertjesenmooi.nl
knapadvies.nl
kruidendreef60.nl
kruijspunt.nl
ktf-texel.nl
lali.nl
laplanchette.nl
lenzfilm.nl
leuveld.nl
liana-makeup.com
lidavanvelzensportmassage.nl
lief4kids.com
logamklusmaster.nl
lookingblueeye.nl
luccie-007.nl
lucmeubelbouw.nl
lukasart.nl
maakkennismetkennis.nl
magisoft.be
magnetenspecialist.nl
mahu-services.nl
maismoe.nl
makaroni.info
malena-team.nl
maliebaanutrecht.nl


Once the end user clicks on a link found in Google's index, a tiny .js file hosted on the compromised site (compromised_site.nl/directory/randomcontent.js) checks the referrer, and the redirection takes place. For instance:
- www3.donrart58-td.co.cc/?uid=213&pid=3&ttl=21f4e73673b - 93.190.141.41 - Email: mailwork.abc@gmail.com
    - www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl
        - www1.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com
            - www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com

Where do we know the same campaigner (?uid=213&pid=3&ttl=21f4e73673b) from? From related campaigns.

Also parked on 93.190.141.41 (donrart58-td.co.cc; AS49981, WorldStream):
www3.justsoft11-td.co.cc
www3.donrart56-td.co.cc
www1.newav31-pr.co.cc
www3.goldvox-51td.xorg.pl
www3.goldvox-61td.xorg.pl
www3.goldvox-53td.xorg.pl
www3.goldvox-55td.xorg.pl
www3.goldvox-57td.xorg.pl
www3.goldvox-59td.xorg.pl
www1.bestdefender-58p.xorg.pl
www4.miymiy3.com - 93.190.141.41 - Email: gkook@checkjemail.nl
www3.ruboidmon-60td.com - 93.190.141.41 - Email: gkook@checkjemail.nl

Also parked on 188.124.5.66 (favoritav31-pd.co.cc; AS44565, VITAL TEKNOLOJI):
www2.avcleaner31-pd.co.cc
www2.avcleaner35-pd.co.cc
www3.avprotector51-td.xorg.pl
www3.avprotector53-td.xorg.pl
www3.avprotector55-td.xorg.pl
www3.avprotector57-td.xorg.pl
www3.omgsaveit4.com - 74.118.194.76 - Email: gkook@checkjemail.nl
useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
www4.miymiy2.net - Email: gkook@checkjemail.nl

Also parked on 95.169.186.25 (AS31103, KEYWEB-AS):
www3.justsoft10-td.co.cc
www4.freewarez10-td.co.cc
www3.justsoft11-td.co.cc
www3.justsoft12-td.co.cc
www3.avforyou23-td.co.cc
www4.swintermz.cz.cc
www4.trustzone16-td.xorg.pl
www4.trustzone17-td.xorg.pl
www4.trustzone19-td.xorg.pl
www3.coantys-41td.xorg.pl
www3.vointuas-81td.xorg.pl
www3.coantys-42td.xorg.pl
www3.coantys-46td.xorg.pl
www4.miymiy3.com
useguard.com
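The "parked on X are also" lists above are the result of one repeatable analytical step: take a host, look at which IPs it resolves to and which registrant email it was registered with, and collect every other host sharing either value. The following is an added example, not code from the post, that automates that pivot over lines written in the post's own "host - IP[; IP] - Email: address" format. The excerpt of indicator lines is taken from this post; the function names (parse_indicator_line, pivot, cluster) are this example's own. Note how the shared IP 93.190.141.41 links the mailwork.abc@gmail.com registrations to the gkook@checkjemail.nl ones, which is exactly the kind of cross-registrant connection the post relies on.

```python
import re
from collections import defaultdict

# Excerpt of indicator lines copied from the post above (not the full portfolio).
INDICATOR_LINES = """
www3.donrart58-td.co.cc - 93.190.141.41 - Email: mailwork.abc@gmail.com
www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl
www1.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com
www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com
update1.free-guard.com - 95.169.186.25; 188.124.5.64 - Email: gkook@checkjemail.nl
update2.protect-helper.com - 78.159.108.170 - Email: gkook@checkjemail.nl
useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
www3.ruboidmon-60td.com - 93.190.141.41 - Email: gkook@checkjemail.nl
update2.free-guard.net - Email: gkook@checkjemail.nl
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "host - ip1; ip2 - Email: addr"; the IP part is optional (some lines carry only the email).
LINE = re.compile(r"^(?P<host>\S+)\s+-\s+(?:(?P<ips>[\d.; ]+?)\s+-\s+)?Email:\s*(?P<email>\S+)$")


def parse_indicator_line(line):
    """Return (host, [ips], email) for one indicator line, or None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ips = [ip.strip() for ip in (m.group("ips") or "").split(";")]
    ips = [ip for ip in ips if IPV4.match(ip)]
    return m.group("host").lower(), ips, m.group("email").lower()


def build_index(text):
    """Index hosts by resolved IP and by registrant email."""
    records, by_ip, by_email = {}, defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        rec = parse_indicator_line(line)
        if rec is None:
            continue
        host, ips, email = rec
        records[host] = (set(ips), email)
        for ip in ips:
            by_ip[ip].add(host)
        by_email[email].add(host)
    return records, by_ip, by_email


def pivot(host, records, by_ip, by_email):
    """Other hosts sharing an IP or a registrant email with `host`, keyed by the shared value."""
    host = host.lower()
    if host not in records:
        return {}
    ips, email = records[host]
    links = {}
    for ip in sorted(ips):
        others = by_ip[ip] - {host}
        if others:
            links["ip:" + ip] = sorted(others)
    others = by_email[email] - {host}
    if others:
        links["email:" + email] = sorted(others)
    return links


def cluster(records, by_ip, by_email):
    """Union-find over shared IPs and emails; returns the connected groups of hosts."""
    parent = {h: h for h in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for group in list(by_ip.values()) + list(by_email.values()):
        members = sorted(group)
        for h in members[1:]:
            ra, rb = find(members[0]), find(h)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(set)
    for h in records:
        groups[find(h)].add(h)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    recs, ip_idx, mail_idx = build_index(INDICATOR_LINES)
    for key, hosts in pivot("www3.donrart58-td.co.cc", recs, ip_idx, mail_idx).items():
        print(key, "->", ", ".join(hosts))
    print(len(cluster(recs, ip_idx, mail_idx)), "infrastructure cluster(s)")
```

Lines that are not in the indicator format (such as the "Also parked on" headings) are ignored, so the whole post can be fed in as-is. Passive DNS or WHOIS history, when available, is the natural source for extending the index beyond what is listed in a single write-up.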


Detection rate:
- packupdate_107_213.exe - TROJ_FRAUD.SMAF; Mal/FakeAV-AX - Result: 28/40 (70%)

Phones back to:
update1.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl
update2.guardinuse.net - 78.159.108.171 - Email: gkook@checkjemail.nl
secure1.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl
74.82.216.3/ncr - the sample also performs an interesting HOSTS file modification:

O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 http://www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 http://www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 http://www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 http://www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 74.82.216.3 http://www.google.com
O1 - Hosts: 74.82.216.3 google.com
O1 - Hosts: 74.82.216.3 google.com.au
O1 - Hosts: 74.82.216.3 http://www.google.com.au
O1 - Hosts: 74.82.216.3 google.be
O1 - Hosts: 74.82.216.3 http://www.google.be
O1 - Hosts: 74.82.216.3 google.com.br
O1 - Hosts: 74.82.216.3 http://www.google.com.br
O1 - Hosts: 74.82.216.3 google.ca
O1 - Hosts: 74.82.216.3 http://www.google.ca
O1 - Hosts: 74.82.216.3 google.ch
O1 - Hosts: 74.82.216.3 http://www.google.ch
O1 - Hosts: 74.82.216.3 google.de
O1 - Hosts: 74.82.216.3 http://www.google.de
O1 - Hosts: 74.82.216.3 google.dk
O1 - Hosts: 74.82.216.3 http://www.google.dk
O1 - Hosts: 74.82.216.3 google.fr
O1 - Hosts: 74.82.216.3 http://www.google.fr
O1 - Hosts: 74.82.216.3 google.ie
O1 - Hosts: 74.82.216.3 http://www.google.ie
O1 - Hosts: 74.82.216.3 google.it
O1 - Hosts: 74.82.216.3 http://www.google.it
O1 - Hosts: 74.82.216.3 google.co.jp
O1 - Hosts: 74.82.216.3 http://www.google.co.jp
O1 - Hosts: 74.82.216.3 google.nl
O1 - Hosts: 74.82.216.3 http://www.google.nl
O1 - Hosts: 74.82.216.3 google.no
O1 - Hosts: 74.82.216.3 http://www.google.no
O1 - Hosts: 74.82.216.3 google.co.nz
O1 - Hosts: 74.82.216.3 http://www.google.co.nz
O1 - Hosts: 74.82.216.3 google.pl
O1 - Hosts: 74.82.216.3 http://www.google.pl
O1 - Hosts: 74.82.216.3 google.se
O1 - Hosts: 74.82.216.3 http://www.google.se
O1 - Hosts: 74.82.216.3 google.co.uk
O1 - Hosts: 74.82.216.3 http://www.google.co.uk
O1 - Hosts: 74.82.216.3 google.co.za
O1 - Hosts: 74.82.216.3 http://www.google.co.za
O1 - Hosts: 74.82.216.3 http://www.google-analytics.com
O1 - Hosts: 74.82.216.3 http://www.bing.com
O1 - Hosts: 74.82.216.3 search.yahoo.com
O1 - Hosts: 74.82.216.3 http://www.search.yahoo.com
O1 - Hosts: 74.82.216.3 uk.search.yahoo.com
O1 - Hosts: 74.82.216.3 ca.search.yahoo.com
O1 - Hosts: 74.82.216.3 de.search.yahoo.com
O1 - Hosts: 74.82.216.3 fr.search.yahoo.com
O1 - Hosts: 74.82.216.3 au.search.yahoo.com


What's so interesting about it anyway? The exact same modification was seen in "Koobface Botnet's Scareware Business Model - Part Two", in regard to the Google IP 74.125.45.100.
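The HOSTS entries above are worth detecting generically rather than by exact string, since the hijacked names and target IPs change between samples while the pattern stays the same: search-engine and safe-browsing hostnames mapped to a non-loopback address, plus entries that are full URLs rather than hostnames (a hosts file cannot contain "http://"). The following is an added example, not the post's own tooling, that parses HijackThis O1 lines or a raw hosts file and groups suspicious entries by the IP they are redirected to. The sample input is a constructed excerpt of the log above; the watch lists and the function names (parse_hosts_entries, classify, find_hijacks) are this example's own choices.

```python
import ipaddress

# Constructed excerpt of the HijackThis O1 log shown above, plus one benign line.
SAMPLE_O1 = """
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.82.216.3 http://www.google.com
O1 - Hosts: 74.82.216.3 google.com
O1 - Hosts: 74.82.216.3 google.co.uk
O1 - Hosts: 74.82.216.3 search.yahoo.com
O1 - Hosts: 74.82.216.3 http://www.bing.com
O1 - Hosts: 127.0.0.1 localhost
"""

O1_PREFIX = "O1 - Hosts:"
# Services a hosts file should never redirect: the ones seen tampered with in this log.
SECURITY_SERVICES = ("safebrowsing-cache.google.com", "urs.microsoft.com")


def parse_hosts_entries(text):
    """Yield (ip, hostname) pairs from HijackThis O1 lines or raw hosts-file lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(O1_PREFIX):
            parts = line[len(O1_PREFIX):].split()
            if len(parts) == 2:
                yield parts[0], parts[1].lower()
            continue
        parts = line.split("#", 1)[0].split()   # raw hosts line: ip name1 name2 ...
        for host in parts[1:]:
            yield parts[0], host.lower()


def is_local(ip):
    """True for loopback/unspecified targets, which ad-blocking hosts files use legitimately."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_search_engine(host):
    return (host.startswith("google.") or host.startswith("www.google.")
            or host in ("bing.com", "www.bing.com")
            or host.endswith("search.yahoo.com"))


def classify(ip, host):
    """Return the reasons an entry is suspicious; an empty list means benign."""
    if is_local(ip):
        return []
    reasons = []
    if "/" in host or ":" in host:
        reasons.append("malformed-host")   # a URL, not a hostname: a generated hijack list
    bare = host.split("//", 1)[-1]          # strip an embedded scheme such as http://
    if bare in SECURITY_SERVICES:
        reasons.append("security-service")  # protection being silently disabled
    elif is_search_engine(bare):
        reasons.append("search-engine")     # search traffic hijacked
    else:
        reasons.append("non-local-redirect")  # any other name pointed at a remote IP
    return reasons


def find_hijacks(text):
    """Group suspicious hosts entries by the IP they are redirected to."""
    hijacks = {}
    for ip, host in parse_hosts_entries(text):
        reasons = classify(ip, host)
        if reasons:
            hijacks.setdefault(ip, []).append((host, reasons))
    return hijacks


if __name__ == "__main__":
    for ip, entries in find_hijacks(SAMPLE_O1).items():
        print(ip)
        for host, reasons in entries:
            print("   ", host, ",".join(reasons))
```

The grouping by target IP is what makes the output useful for the kind of correlation done in this post: a single IP that receives every major search engine plus a handful of payment-looking domains is a stronger indicator than any one hostname, and the IP itself can then be pivoted on exactly as above.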

Takedown actions are already taking place; updates will be posted as soon as new developments emerge.

Related research on blackhat SEO campaigns:
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
