Malicious domain bestellkanal.tv has been suspended
In one of our previous articles we wrote about new massive blackhat SEO attacks that infected a high number of websites. The main website used in that blackhat SEO campaign to redirect users to dangerous websites, which were used for spreading rogue security software, was named bestellkanal.tv, and we noticed that it has finally been suspended.
After testing some websites that are still infected, we noticed that they now redirect users to the suspended page instead of to the websites that were used for spreading the setup files of rogue security software. Below is the traffic generated by a website that is still infected and that is now “not dangerous” as it was before:
Hijacked URL:
```
GET /webshop2/images/page.php?page=kate+walsh HTTP/1.1
Host: www.uwpiaa.org (69.174.115.206)
```
Response code:
```
HTTP/1.1 200 OK
Date: Sat, 21 Aug 2010 13:47:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Content-Type: text/html
```
Fake YouTube page:

Load player.gif for the fake video:
```
GET /images/player.gif HTTP/1.1
Host: www.uwpiaa.org
```
Redirection to bestellkanal.tv:
```
GET /webshop2/images/load.swf?&p=0&t=_self&u=hxxp://www.bestellkanal.tv/images/redir.php HTTP/1.1
Host: www.uwpiaa.org
```
Final redirection to bestellkanal.tv:
```
GET /images/redir.php HTTP/1.1
Host: www.bestellkanal.tv
```
Output:

Domain has been suspended.
The malicious domain bestellkanal.tv was a vital part of the blackhat SEO campaign because it was the final redirect, used to receive the address of the dangerous websites (updated, in most cases, more than two times per day) that promoted and spread the rogue security software. Suspending the domain has left a hole in the redirection system of this malicious blackhat SEO campaign.
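In the capture above, the hop to bestellkanal.tv is carried in the u query parameter of the load.swf request. As an added example (not code from the original article), the Python below scans logged requests for query parameters that hold an absolute URL on a different host, which is how that hop shows up in proxy or web server logs; the function names and the (Host, request-target) input layout are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# (Host header, request-target) pairs copied from the capture in this article.
CAPTURE = [
    ("www.uwpiaa.org", "/webshop2/images/page.php?page=kate+walsh"),
    ("www.uwpiaa.org", "/images/player.gif"),
    ("www.uwpiaa.org", "/webshop2/images/load.swf?&p=0&t=_self"
                       "&u=hxxp://www.bestellkanal.tv/images/redir.php"),
    ("www.bestellkanal.tv", "/images/redir.php"),
]

def refang(value):
    """Undo hxxp:// / hxxps:// defanging so the value parses as a URL."""
    if value.lower().startswith("hxxp"):
        return "http" + value[4:]
    return value

def offsite_redirect_params(host, target):
    """Return (param, destination_host) for every query parameter whose
    value is an absolute http(s) URL on a host other than `host`."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        try:
            url = urlsplit(refang(value))
        except ValueError:          # malformed value, e.g. unbalanced brackets
            continue
        if url.scheme in ("http", "https") and url.hostname \
                and url.hostname != host.lower():
            hits.append((name, url.hostname))
    return hits

def find_redirect_hops(capture):
    """Scan (host, target) pairs and report each off-site redirect parameter."""
    findings = []
    for host, target in capture:
        for name, dest in offsite_redirect_params(host, target):
            findings.append({"host": host, "path": urlsplit(target).path,
                             "param": name, "dest": dest})
    return findings

if __name__ == "__main__":
    for hit in find_redirect_hops(CAPTURE):
        print("{host}{path}: {param} -> {dest}".format(**hit))
```

Only the load.swf request is reported; ordinary parameters such as page=kate+walsh and same-host URLs are ignored.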