While doing some Google searches for particular keywords, with one specific search we noticed that in some cases the websites found share the same URL path after the .co.cc domain, and that all of them use a $_GET['k'] query parameter carrying the keyword I was searching for. Almost all the links found also share the same HTML template, and they appear to be non-live websites, perhaps used to capture keywords or involved in some kind of SEO poisoning activity:
The secret has been revealed:
GET /index.php?k=virus-scan HTTP/1.1
Host: liostimoremvfk.co. cc
Response:
HTTP/1.1 302 Found
Date: Tue, 19 Apr 2011 16:43:03 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Location: hxxp://includingwhich.cz. cc/in.cgi?4&seoref=[...]
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

....................
There is a redirect to… guess what? A fake scanner page…
A popup window then prompts the user to download the rogue security software setup:
Network traffic:
GET /get_file.php?id=16 HTTP/1.1
Host: mywebavck-2.co. cc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:41:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Description: File Transfer
Content-Length: 331776
Content-Disposition: attachment; filename="setup.exe"
Connection: close
Content-Type: application/download

MZ......................@..................[...]
The setup file appears to be almost undetected by antivirus engines:
Report date: 2011-04-19 16:51:48 (GMT 1)
File name: setup-exe
File size: 331776 bytes
MD5 hash: c6adf910c8e56b4b0577ddface41898d
SHA1 hash: 978794a9705fec3f5dd5d7256b147a75d6c6f6fe
Detection rate: 0 on 10 (0%)
Status: CLEAN
A few of the malicious .co.cc domains used to capture keywords:
plandicardyu9.co.cc/index.php?k=Spun
pensvernohp.co.cc/index.php?k=16-blocks-wiki
jacbocome6.co.cc/index.php?k=Pianist,-The
setibetkeee8r.co.cc/index.php?k=xXx
vacuumguide.co.cc/index.php?k=loop
vacuumreview.co.cc/index.php?k=actress
catbepow372.co.cc/index.php?k=Few-Good-Men,-A
loismolaqimvab.co.cc/index.php?k=Upside-of-Anger,-The
loismolaqimvab.co.cc/index.php?k=007-goldeneye
nutnorbntegiw0.co.cc/index.php?k=Hoodwinked!
pordisfpoc64.co.cc/index.php?k=faculty-the
bustmiswoodckosnh.co.cc/index.php?k=Webs
bustmiswoodckosnh.co.cc/index.php?k=007-The-Spy-Who-Loved-Me
lrecamac8r4.co.cc/index.php?k=Shaft
phoderadc9i.co.cc/index.php?k=Sentinel,-The
buzzpozapyq5.co.cc/index.php?k=Freedomland
tionforhardversry.co.cc/index.php?k=007-Octopussy
scesniasay3u.co.cc/index.php?k=Prince-and-Me-2,-The
rohislantsello.co.cc/index.php?k=Grind
xpowgihydreegk.co.cc/index.php?k=Gladiatress
xpowgihydreegk.co.cc/index.php?k=15-minutes-pr
buitalanbu6.co.cc/index.php?k=Ali
arenelx1l.co.cc/index.php?k=Open-Range
saduhydsp.co.cc/index.php?k=007-Goldfinger
saiclevaps1s.co.cc/index.php?k=Alien:-Resurrection
hoerhinbendescrt.co.cc/index.php?k=Core,-The
fledunoutin5t.co.cc/index.php?k=21-grams-casting-director
teoucbosonenfo.co.cc/index.php?k=Rules-of-Attraction,-The
apsagsoumyp42o.co.cc/index.php?k=Predator-2
fanbaperpeisg.co.cc/index.php?k=Dungeons
metersaddrantb7.co.cc/index.php?k=Fast-and-the-Furious,-The
ibsummabobs1q.co.cc/index.php?k=Body,-The
tingrobfoz60.co.cc/index.php?k=15-minutes-of-shame
macronessi9.co.cc/index.php?k=1941
macronessi9.co.cc/index.php?k=When-a-Stranger-Calls
filtsubscalsuvrl.co.cc/index.php?k=Die-Hard:-With-a-Vengeance
siidosantv.co.cc/index.php?k=007-Licence-to-Kill
siidosantv.co.cc/index.php?k=Get-Shorty
questeprap28.co.cc/index.php?k=Bourne-Identity,-The
geoganshi5n5.co.cc/index.php?k=Jaws-2
riapaewarmcooksbm.co.cc/index.php?k=007-live-and-let-die-online
decapivetr.co.cc/index.php?k=Changing-Lanes
ictiforkh.co.cc/index.php?k=Cheaper-by-the-Dozen
ictiforkh.co.cc/index.php?k=Spun
sandsatdar3.co.cc/index.php?k=Dances-with-Wolves
gatthanbastams.co.cc/index.php?k=Hudsucker-Proxy,-The
gatthanbastams.co.cc/index.php?k=Cellular
deathstippark1h.co.cc/index.php?k=English-Patient,-The
deathstippark1h.co.cc/index.php?k=Clerks.
crowpaetucep95m.co.cc/index.php?k=Clerks.
adefarichz.co.cc/index.php?k=Dogma
adefarichz.co.cc/index.php?k=16-blocks-review
talcoutip2y.co.cc/index.php?k=Pride
opupreggazti.co.cc/index.php?k=Fahrenheit-9/11
opupreggazti.co.cc/index.php?k=bewitched-cast
sqeestheogwenrepm83.co.cc/index.php?k=Bread-and-Roses
pekiguaningmv.co.cc/index.php?k=Rollerball
congrinaleo.co.cc/index.php?k=View-from-the-Top
cuttcanthnaznu.co.cc/index.php?k=Scream-3
kannmowarmq2.co.cc/index.php?k=Cliffhanger
gesnecalti7qc.co.cc/index.php?k=U-571
parlandcolrac1u.co.cc/index.php?k=Scream-2
rapaconptf.co.cc/index.php?k=Ali
profifreturqn.co.cc/index.php?k=007-Octopussy
dendthylthejnu.co.cc/index.php?k=Mummy,-The
ictiforkh.co.cc/index.php?k=Corky-Romano
Note that the value after k= is the same as the page title!
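The chain described above (keyword landing page on a throwaway .co.cc host, 302 to an in.cgi traffic-direction script carrying seoref=, then a forced download of setup.exe) can be spotted from captured HTTP transactions. The following is an added example written for this post, not code from the original article: it parses raw request/response pairs, tags each one, and also checks the k= keyword against a page title using the hyphen-for-space encoding seen in the URLs. The sample transactions are constructed from the headers quoted above, with the hosts left defanged ("co. cc", "hxxp") exactly as the post shows them; the tag names and the application/download handling are this example's own choices.

```python
"""Tag .co.cc keyword-landing -> in.cgi redirect -> setup.exe transactions.

Added example for this post; not code from the original article. Sample
transactions are constructed from the headers quoted in the post, hosts
left defanged as the post shows them.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed (request, response) pairs as raw HTTP text.
SAMPLE_TRANSACTIONS = [
    (
        "GET /index.php?k=virus-scan HTTP/1.1\r\nHost: liostimoremvfk.co. cc\r\n\r\n",
        "HTTP/1.1 302 Found\r\nServer: Apache/2.2.9 (Debian)\r\n"
        "Location: hxxp://includingwhich.cz. cc/in.cgi?4&seoref=[...]\r\n"
        "Content-Type: text/html\r\n\r\n",
    ),
    (
        "GET /get_file.php?id=16 HTTP/1.1\r\nHost: mywebavck-2.co. cc\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename=\"setup.exe\"\r\n"
        "Content-Type: application/download\r\n\r\nMZ\x90\x00...",
    ),
    (   # benign control transaction
        "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>ok</title></html>",
    ),
]


def parse_message(raw):
    """Split a raw HTTP message into (start_line, headers_dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def refang(host):
    """Undo the 'co. cc' defanging used in the post so suffix checks work."""
    return host.replace(". ", ".").lower()


def keyword_from_path(path):
    """Return the k= keyword of an index.php?k=... request, or None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return None
    values = parse_qs(parts.query).get("k")
    return values[0] if values else None


def keyword_matches_title(keyword, title):
    """The post observes that the k= value equals the page title; the URLs
    encode spaces as hyphens, so normalise that before comparing."""
    return keyword.replace("-", " ").strip().lower() == title.strip().lower()


def classify(request_raw, response_raw):
    """Return the list of tags that apply to one request/response pair."""
    req_line, req_hdrs, _ = parse_message(request_raw)
    status_line, res_hdrs, body = parse_message(response_raw)
    tags = []
    _method, path, _version = req_line.split(" ", 2)
    host = refang(req_hdrs.get("host", ""))

    # 1. Keyword landing page: index.php?k=<keyword> on a .co.cc host
    if host.endswith(".co.cc") and keyword_from_path(path):
        tags.append("keyword-landing")

    # 2. 302 to the in.cgi traffic-direction script carrying the SEO referrer
    location = refang(res_hdrs.get("location", ""))
    if status_line.startswith("HTTP/1.1 302") and "/in.cgi?" in location \
            and "seoref=" in location:
        tags.append("seo-redirect")

    # 3. Forced download of a Windows executable (MZ header, .exe attachment)
    disposition = res_hdrs.get("content-disposition", "").lower()
    if "attachment" in disposition and ".exe" in disposition and body.startswith("MZ"):
        tags.append("exe-download")
    return tags


def scan(transactions):
    """Classify every transaction; returns {index: tags} for flagged ones only."""
    findings = {}
    for i, (req, res) in enumerate(transactions):
        tags = classify(req, res)
        if tags:
            findings[i] = tags
    return findings


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_TRANSACTIONS).items():
        print(index, tags)
```

Run against a proxy or IDS capture, a host seen first with the keyword-landing tag and shortly afterwards with seo-redirect, followed by an exe-download from a different .co.cc host, is the sequence shown in this post; the keyword_matches_title check is what you would apply to the fetched landing page to confirm the title/keyword coupling noted above.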
Other related malicious domains:
apsagsoumyp42o.co.cc
cklik.in
degreesupplies.cz.cc
montlimal.co.cc
optimizes.cz.cc
sadrfedwer.co.cc
talcoutip2y.co.cc
volecap.cz.cc
www.cklik.in
yhnecqapp.co.cc
All these malicious domains appear to be hosted on this IP address:
95.169.191.217
ns2.km35913.keymachine.de
95.169.160.0/19 - Keyweb AG IP Network
AS31103 - KEYWEB-AS Keyweb AG
IPVoid analysis: