
I’ve written earlier about Spyware Quake, a nasty rogue antispyware program that runs a protection racket on people’s PCs, forcing them to buy the product in order to get rid of “fake spyware”.   

A growing number of sites in the US are using vulnerabilities in Internet Explorer to install this program.

All these sites belong to a security-scam hijacking group we know well, and they share the same script in the head of their page code:

[Screenshot: the shared script in the head of the site code (image not reproduced)]

At the moment, the code leads to exploits and installs of Spyware Quake. Since last week, they have been taking over domains in blocks of IPs.

The basic look of all the sites is something like this:

[Screenshot: typical appearance of one of the sites (image not reproduced)]

They are using both the old JavaScript exploit and the WMF exploit (served as css.wmf) to install themselves:

[Screenshot: the JavaScript exploit code (image not reproduced)]

[Screenshot: the WMF exploit code (image not reproduced)]

Of course, if your system is patched, not much will happen.
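The post only names the css.wmf vector, so here is an added example, written for this page and not code from Sunbelt or from the sites described, of how a scanner can flag the record that the WMF SetAbortProc exploit (MS06-001) depends on: a META_ESCAPE record whose escape code is SetAbortProc, which asks GDI to install an abort procedure taken from the record's own bytes. The sample metafiles are constructed here, not captured from the hijacked sites; the payload bytes are inert NOPs, and the helper names (wmf_records, find_setabortproc, build_wmf) are the example's own.

```python
import struct

# WMF record function numbers and escape codes (Windows Metafile format)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # the escape code the css.wmf exploit relies on
PLACEABLE_MAGIC = 0x9AC6CDD7     # optional 22-byte Aldus placeable header
WMF_HEADER_LEN = 18


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob.

    Walks the file the way GDI does: optional placeable header, then the
    18-byte METAHEADER, then records of rdSize words until META_EOF.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + WMF_HEADER_LEN:
        raise ValueError("too short to hold a WMF header")
    # Header fields are deliberately not validated: GDI was lenient, and a
    # scanner must be at least as lenient as the parser it is protecting.
    off += WMF_HEADER_LEN
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:          # malformed record: stop rather than loop
            break
        end = off + size_words * 2
        yield off, function, data[off + 6:end]
        if function == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes):
    """Return offsets of META_ESCAPE records whose escape code is SetAbortProc."""
    hits = []
    for off, function, params in wmf_records(data):
        if function == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed samples (not captured from the sites in the post) ----------

def _record(function: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    # rdSize counts words and includes the 3-word record header itself
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def build_wmf(records) -> bytes:
    body = b"".join(records)
    header = struct.pack(
        "<HHHIHIH",
        1,                                   # mtType: in-memory metafile
        WMF_HEADER_LEN // 2,                 # mtHeaderSize in words
        0x0300,                              # mtVersion
        (WMF_HEADER_LEN + len(body)) // 2,   # mtSize in words
        0,                                   # mtNoObjects
        max(len(r) // 2 for r in records),   # mtMaxRecord in words
        0,                                   # mtNoParameters
    )
    return header + body


# A harmless metafile: set the map mode, then end.
BENIGN_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_EOF, b""),
])

# The shape of a malicious css.wmf: an ESCAPE record with escape code
# SetAbortProc and a 4-byte data block. The NOPs stand in for a payload;
# this sample is inert and only exercises the scanner.
ESCAPE_WMF = build_wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90"),
    _record(META_EOF, b""),
])

# The same file behind a placeable header, as some tools write it.
PLACEABLE_ESCAPE_WMF = struct.pack(
    "<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0
) + ESCAPE_WMF


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("css.wmf shape", ESCAPE_WMF),
                       ("placeable", PLACEABLE_ESCAPE_WMF)]:
        print(f"{name}: SetAbortProc escape at offsets {find_setabortproc(blob)}")
```

The check is on the record type, not on any particular payload, so it flags the vector regardless of what the sites drop that day; a legitimate image has no reason to carry a SetAbortProc escape, which keeps false positives low. Note that the scanner only inspects the file; a patched system ignores the record anyway, which is the point made above.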

These sites are often available through search engines, such as this example of a bad site, gioiatours(dot)com (do not go to this site):


We have two new IPs hosting sites with this behavior: 70.85.179.48 and 70.85.179.49.

WHOIS record for the provider hosting these IPs:

OrgName:  ThePlanet.com Internet Services, Inc.
OrgID:   TPCM
Address:  1333 North Stemmons Freeway
Address:  Suite 110
City:    Dallas
StateProv: TX
PostalCode: 75207
Country:  US

A list of domains associated with these IPs is available (Excel and PDF).

Alex Eckelberry
(Data provided by Sunbelt senior researcher Patrick Jordan)