
New Massive BlackHat SEO Attacks

In recent days we noticed a massive number of newly hacked websites being used in a new blackhat SEO campaign whose objective is to redirect all users to very dangerous websites that spread the infamous and well-known rogue security software, as well as other dangerous threats such as the TDSS rootkit and Zeus.

The hijacked keywords are:

melina+kanakaredes
vonage+login
ind+vs+zim
diff+rent+strokes
amgentourofcalifornia
derrick+favors
mayweather+vs+mosley+results
redspottv+hot+video
liddell+vs+franklin
2012+movie
ufc+116+fight+card
law+and+order+cancelled
eclipse+box+office
ali+bachelorette
cheap+laptops

Pay attention when you search for one of the above keywords in a search engine: even on the first page of results it is possible to find one of the malicious websites that redirect to dangerous URLs.

When a user clicks on an infected link in the search results, the browser is redirected to a malicious URL whose page looks identical to YouTube, but with a surprise:

[Screenshot: fake YouTube page]

When the user clicks in the black box of the fake video to play it, the browser is hijacked by malicious scripts and the classic fake scanner page is displayed:

[Screenshot: fake scanner page]

This is a complete trace of the network traffic:

GET /images/page.php?page=keyword&check= HTTP/1.1
Host: www.schermionline .it
 
GET /tick.php?sub=1&r=&u= HTTP/1.1
Host: export.byethost3 .com
 
GET / HTTP/1.1
Host: webcache109 .com
 
GET /images/load.swf?&p=0&t=_self&u= HTTP/1.1
Host: www.schermionline .it
 
GET /images/redir.php HTTP/1.1
Host: www.bestellkanal .tv
 
GET /images/we.php?uid=2034 HTTP/1.1
Host: www.bestellkanal .tv
 
HTTP/1.1 302 Found
Location: hxxp://www3.true-av31 .co.cc/?p=
 
GET /?p= HTTP/1.1
Host: www3.true-av31 .co.cc
 
HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.ipsec30 .co.cc/?p=
 
GET /?p= HTTP/1.1
Host: www2.ipsec30 .co.cc
 
GET /107a6da77d1a9deac7f69c7524e7980135ed3011811.js HTTP/1.1
Host: www2.ipsec30 .co.cc
 
GET /wadr107_2034.php?p= HTTP/1.1
Host: www1.mysecurity8 .co.cc
 
GET /packupdate107_2034.exe HTTP/1.1
Host: www1.mysecurity8 .co.cc

A summary of malicious domains extracted from the network traffic:

schermionline.it / 217.160.5.133
export.byethost3.com / 209.51.196.250
bestellkanal.tv / 194.145.226.48
www3.true-av31.co.cc / 74.118.193.81
www2.ipsec30.co.cc / 209.222.3.154
www1.mysecurity8.co.cc / 209.222.8.181
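To make the redirect chain in the trace above easier to review, here is a small parser (an added example, not code from the original post) that reads a capture in the post's defanged form, reconstructs the hop order, counts the HTTP 302 redirects and flags the final executable download. The trace embedded below is a constructed, shortened copy of the one shown above.

```python
# Constructed sample: a shortened copy of the trace above, kept in the post's
# defanged form ("hxxp://", "host .tld").  Only request lines, Host headers
# and Location headers matter; the parser ignores everything else.
TRACE = """\
GET /images/page.php?page=keyword&check= HTTP/1.1
Host: www.schermionline .it

GET /images/we.php?uid=2034 HTTP/1.1
Host: www.bestellkanal .tv

HTTP/1.1 302 Found
Location: hxxp://www3.true-av31 .co.cc/?p=

GET /?p= HTTP/1.1
Host: www3.true-av31 .co.cc

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.ipsec30 .co.cc/?p=

GET /?p= HTTP/1.1
Host: www2.ipsec30 .co.cc

GET /packupdate107_2034.exe HTTP/1.1
Host: www1.mysecurity8 .co.cc
"""

def refang(s):
    """Undo the defanging so hosts from Host: and Location: compare equal."""
    return s.replace("hxxp://", "http://").replace(" .", ".")

def parse_chain(trace):
    """Return the ordered (host, path) requests and the Location: targets."""
    hops, redirects, path = [], [], None
    for line in trace.splitlines():
        if line.startswith(("GET ", "POST ")):
            path = line.split()[1]                  # METHOD PATH VERSION
        elif line.startswith("Host:") and path is not None:
            hops.append((refang(line[5:].strip()), path))
            path = None
        elif line.startswith("Location:"):          # follows a 302 status line
            redirects.append(refang(line[9:].strip()))
    return hops, redirects

def summarize(trace):
    """Distinct hosts in visit order, redirect count and executable downloads."""
    hops, redirects = parse_chain(trace)
    hosts = list(dict.fromkeys(h for h, _ in hops))  # dedupe, keep order
    payloads = [h + p for h, p in hops if p.lower().endswith(".exe")]
    return {"hosts": hosts, "redirects": len(redirects), "payloads": payloads}
```

Calling summarize(TRACE) returns the five hosts in visit order, two redirects and the single .exe payload, which is the same chain the full trace shows.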

This is a small list of compromised websites:


Dangerous websites used to spread trojans

Here is a list of 50 dangerous domains used to distribute trojans and rogue security software disguised as fake video codecs supposedly needed to play the non-existent videos displayed on the malicious websites:


This technique of distributing trojans through fake video “tube” sites is commonly used by pay-per-install companies, and the victim’s PC is generally compromised with a variety of dangerous threats, such as rootkits, stealth trojans and banking trojans like Zeus Bot. These two articles analyze some recent and active pay-per-install companies:

Pay-Per-Install Analysis – Part One
Pay-Per-Install Analysis – Part Two

In most cases the files downloaded from these websites are named install.exe, codec.exe, video.exe, update.exe or player.exe. This is an example antivirus scan of a file downloaded from one of these websites:

Report date:   2010-07-01 16:31:22 (GMT 1)
File Name:   install.exe
File Size:   56832 bytes
MD5 Hash:   9c3f740b26d1200c80e89d48885e79a4
SHA1 Hash:   3911668f0e9c7b19f27bc215d0abb3e7409a5a65

Antivirus   Definitions   Engine   Detection
a-squared   29/06/2010   5.0.0.7   Trojan.Win32.FakeAV!IK
Avast   100628-0   5.0   Win32:Rootkit-gen [Rtk]
AVG   271.1.1/2969   9.0.0.725   SHeur2.CMOJ
Avira AntiVir   7.10.8.213   7.6.0.59   TR/Dldr.FakeAle.kon
BitDefender   01/07/2010   7.0.0.2555   Trojan.Generic.3231804
ClamAV   29/06/2010   0.96.1   Trojan.Downloader-89625
Dr.Web   01/07/2010   5.0   Trojan.Fakealert.12876
F-PROT6   20100630   4.5.1.85   W32/FraudLoad.C!Generic
G-Data   21.442   2.0.7309.847   Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3   29/06/2010   1.1.84.0   Trojan.Win32.FakeAV
Kaspersky   01/07/2010   9.0.0.736   Trojan-Downloader.Win32.FraudLoad.gmc
NOD32   5243   4.0.474   Win32/TrojanDownloader.FakeAlert.AED
Panda   28/06/2010   10.0.3.0   Adware/SecurityEssentials2010
TrendMicro   273   9.120-1004   TROJ_GEN.UAC161X
VBA32   01/07/2010   3.12.12.2   Win32.TrojanDownloader.FakeAlert.AED

The above file was downloaded from a fake system scanner page used to scare the user with false security alerts; from the detection names we can clearly see that it is rogue security software (FraudLoad, FakeAlert).