Another day, another XBox code generator

An “XBox code generator” site has been popping up on video sharing websites and elsewhere recently, even though a lot of the content promoting it hawked “Runescape moneymaking”. The site is dead now, but the executable it promoted is still doing the rounds so let’s take a look.

First, the sales pitch – “How to make money with Runescape”:

Visiting the site would bounce you around a number of different redirects, all of which wanted you to download a program. The example below had some awesome pseudo tech babble:

“This is a fully employed xbox whippy maker. It cannot move your xbox untaped account – it gives you a cypher”.

Well, as long as it gives you a cypher. Anyway, hitting the “Generate code” button takes you to a download located on a free file hosting website. Like many programs of this nature, it cycles through a collection of (completely useless) fake codes each time you hit the Generate button. Most programs like this would have dropped something nasty on the PC by this point, or have asked for login credentials to email to the attacker behind the scenes. This one tries something a little different.

You’ll notice some text at the bottom of the program. It says:

“This version uses an outdated formula. The keys generated may not produce correct codes. Upgrade to 1.17”

I guess their cypher was faulty. Anyway, hitting the “upgrade button” – which I can’t say I’ve ever seen in one of these things – takes you to a suspiciously named (dot)tk URL: xbox360generator(dot)tk.

Strangely, it was pointing to a football website – I say “was”, because it now leads nowhere. In this case, the scammer was probably worried they’d be shut down and attempted to point the site to somewhere less suspicious (didn’t work).

Given the name of the .tk URL, it’s possible that the scammer was attempting to first gain the trust of the user with the program, then direct them to a web based equivalent that asked for login credentials. Maybe they just dumped you onto a survey scam instead. There’s no real way to know now as all of the sites involved appear to be offline, but we can confirm this program does not generate anything remotely useful.

Including cyphers.

Christopher Boyd (Thanks to Alden Baleva for additional research)

YapBrowser has returned

Yesterday I gave a talk at VB 2011 on the history of rogue web browsers – browsers that have been built from the ground up to cause end-users trouble. They often imitate the real thing, use similar logos to legit browsers, claim to be incredibly secure and offer lots of features and functionality. Typically it’s all lies, and they’re dropping rootkits, hijacking your desktop or clicking invisible links out of view from the person using it.

In my humble opinion, the worst of these browsers was something called Yapbrowser. This was a browser from 2006 that you could download, install and run just like any regular browser. Although it bundled with Zango adware, no hijacks were involved and you had the option to back out. Running the browser didn’t raise any alarm bells – until you typed in a web address….any web address….and found yourself redirected to places you’d rather not go.

Redirecting users to content that could send them to jail wasn’t the best way to promote their browser, and it was quickly pulled. Shortly after the browser vanished, it reappeared for a few more weeks claiming “full protection from virus attacks” – that didn’t last long, and Yapbrowser was finally buried in 2006 after being acquired by a company called SearchWebMe – the browser was gone forever, and the site was basically DOA.

Well.

While giving my slide deck a final runthrough, I noticed a screenshot I was using from the Internet Archive wasn’t displaying correctly so I went there to get an image that worked. I’m not sure what happened next – I thought I was looking at the Yapbrowser pages from 2006. Then I saw this:

“July 2011”? Uh oh. Sure enough, visiting the Yapbrowser website right now gives us this:

Not only is there a “2011” notice at the bottom, there’s a link to the Yapbrowser executable. The file appears to be the original from 2006, the EULA looks identical (to the extent it lists “yapbrowserATyapsearchDOTcom” as a contact, despite the fact that domain is long dead) and when fired up on a testbox it currently takes the end-user to Yapsearch, which is parked:

Not only does it appear to be the same old file, the website blurb also makes the same ludicrous promises of security which are optimistic by any stretch of the imagination:

“Your computer will be free from viruses breeding online…There is a 100% guarantee no system infection will occur when using our software.”

When did the site and browser decide to rise from the grave? It’s hard to tell, but here’s the last Archive snapshot of the Yapbrowser(dot)com site from 2009:

As you can see, it’s still dead. Archive.org didn’t crawl the site during 2010, but they did revisit in 2011 and at this point (February 9th at the earliest) the site has returned, complete with old page layout, text and file download. One new change is the location of the download – whether clicking the “regular” download or the “adult” version, you’re served the EXE from filesurfing(dot)com, which is a site used for “file searching” from download sites such as Rapidshare and Mediafire.

Currently, Yapbrowser is registered to what looks like a company registered in the UK. The name of the URL listed as the contact email address differs from SearchWebMe who originally bought the site / program back in 2006, but it’s possible they’re one and the same.

Seeing this site lurch back into life, looking identical to how it did back in 2006 and with the browser download following close behind is quite a shock. I imagine anyone else who researched this one will be feeling much the same, and given the history of this program coupled with the (still) nonsensical claims of security and virus evasion it would be quite the leap of faith to want to download and use this program.

We’ll be keeping a close eye on this one, and if the program starts to do anything beyond point at the parked domain we’ll publish an update. For now? Our advice would be to stick with another browser. Like their highly appropriate slogan says: “Don’t waste your time”.

Christopher Boyd (Thanks to Matthew and Patrick for additional information)

Security Tools and Android Markets: Still Safe

Seven months ago, Google officially released its Android app, the Android Market Security Tool, in response to an outbreak of malicious apps that were being served at the time on the Android Market website. Just a few days later, a trojanized version of that app was spotted, baiting users into downloading and installing it on their smartphones. This was served on third-party download sites. AV companies already detect the trojanized app.

If your antivirus software detects the Android Market Security Tool retrieved from the Android Market as malicious, even up to this point in time, let us reassure you that this app is clean. If you found yours elsewhere, however, more than likely your app is a fake one. It’s best to remove it from your phone (or PC if you have a copy of it in there, too) and get the legitimate copy from the Market.

Jovi Umawing (Thanks to Dean Bueno)

Thank you, Steve Jobs

I can’t speak on behalf of all the folks on this side of the globe who love technology, specifically from Apple. Who knows how these nifty gadgets have impacted their business and personal lives, but surely the impact is hugely positive and lasting.

Thank you, Steve Jobs. You have made an indelible impression not just in the technology sector but also in the hearts and minds of people.

Jovi Umawing

Scammers Bank on Free Flights Before the Holidays

Matthew, one of our researchers at the AV Labs, flagged us regarding a Facebook scam he spotted late last weekend. And his timing could not have been more impeccable. The scam is about Southwest Airlines giving away free tickets. Now, as a practical rule of thumb, if something free is given by (a) a non-friend, (b) a non-relative, and (c) a random someone / bot who / that found their way on your social networking feed, you better start thinking twice before clicking that link to accept the freebie. If they’re from people you actually know? Double the amount of thinking. Trust me.

What made this particular scam interesting is that the scammers had used and abused a Facebook token generator to spread it. A token is basically an electronic key that is used to access something one does not readily have access to. In this case, a token is used to gain rights to post on Facebook walls. Once users click the link of the scam post, they are directed to www(dot)southwestisbest(dot)com where an entry box pops up, asking users to “access the offer” by entering a validation code. You can’t go around this one, since there is no option to somehow allow a user to decline to do this action.

“Click Here to Generate Your Validation Code” – and a small browser window, with the URL m(dot)facebook(dot)com/ajax/dtsg(dot)php, shows to display the code.

Hitting the Submit button enables the app to post on the user’s Facebook wall. “But wait!” It doesn’t end there. Users, clearly unaware of the post made on their walls, are then redirected to a page asking for their email addresses. After this, they will be asked to complete a survey.

Our experts reported this to Facebook and the sites were taken down shortly after, which also put a stop to the issuance of tokens.

There are other Southwest Airline scams that have been making rounds on Facebook. One such scam was found by our friends at Sophos (Do check out that post, too). So far, however, this is the only one we’ve seen that uses tokens.

As the Christmas season draws near, criminals are taking advantage of consumers wanting to grab the cheapest flights towards their destinations. And they have been for the longest time we can all remember. Be prudent and smart when it comes to gimmicks you see online, never click on links that offer things that sound too good to be true, and never give away any information until you know what these companies are going to do with them.

Jovi Umawing (Thanks to Matthew for spotting this)

Google Anniversary scam mail gets it horribly wrong

It seems scammers need to play a little catch up, or at least read the odd news site occasionally. Here’s an email going around trying out the well worn theme of “Google Anniversary” 419 scam mails:

“We are pleased to inform you that your email address has won you an Award in the Google 11th Anniversary Awards as organized by the Anniversary Centre of Google Inc. held on September 28th 2011 in London, United Kingdom.”

Humorously, the scammers are sending out 11th anniversary mails when that actually took place in 2009 – we recently hit number 13. They don’t need your financial details, they need a calendar.

Christopher Boyd (Thanks to Wendy for sending this one over)

Charitable Results

One of our researchers noticed that searches in Yahoo! for popular programs will result in Yahoo! placing their own link as the first result, effectively bumping the official program links down into second place.


Clicking the first link takes you to the Yahoo! Downloads portal instead of the official Teamviewer site which is sitting down in the number two spot.


It’s the same deal for various other downloads such as Skype:


The downloads come with additional extras that you wouldn’t see if you’d grabbed them from the official developer site. Cue GFI Researcher Matthew, who first noticed this:

“If the user runs the download from this page, they will be presented with an offer for the Yahoo toolbar and then either Shop to Win or Social Ribbons add-on. After the user accepts or declines these offers, the installer then downloads the actual Teamviewer installer from Tucows to the user’s desktop and prompts the user to run it.”

The SocialRibbons install is interesting – if you’re not familiar with it, it’s a browser plugin that inserts their affiliate code into the URLs of merchants’ sites you happen to shop at, then picks up the affiliate commission when you make purchases at those sites. The idea is that an end-user would install it because Social Ribbons pledges to donate a percentage of that affiliate commission to charities.

However, the exact percentage of the affiliate commission that is donated to charity is not specified. Just one month ago they claimed that $18,000 had been donated based on 250,000 users – which works out to 8 cents per user. The whole point of this type of program is to drive shoppers to participating merchants’ sites, yet no list of participating merchants is available on the Social Ribbons site. In other words, users don’t even know where to go to make their shopping dollars count for charities.

Furthermore, the charities themselves are not specified – there is an example of the installer below mentioning the “Susan G. Kohen Foundation” – did they mean the Susan G. Komen Foundation?


They collect basic demographic information and claim to monitor web surfing behavior for the purposes of targeted advertising, though this is never mentioned in a clear and conspicuous fashion outside of the EULA/Privacy Policy (Section 2, “Use of individual information”).

All in all, there’s a fair amount of additional content you’re installing via these promoted search links that you wouldn’t receive if installing from the sites of the program creators. It would perhaps be worth pointing out to relatives unfamiliar with promoted search engine results that you don’t always get the “official” site as the first clickable link at the top of the pile – especially when the search engine you’re using is placing links it has a connection with above the rest.

Christopher Boyd (Thanks to Matthew and Eric for additional information)

Green Card Lottery Spam

Here’s a curious bit of spam mail involving the well worn subject of Green Card Lotteries:

Did you know the “Department of State” sends out random emails from a free MSN address? No, neither did I. This multicoloured monstrosity claims you’ve won a US green card, then goes on to say you need to stump up $400 to seal the deal anyway.

Yeah, brilliant. They also claim you’ll get a “free airline ticket to the US”, use a lesser known .hm domain as their contact email address and their website contains the following disclaimer:

“USGreenCardLottery(dot)org is a division of ‘US IMMIGRATION CENTER’, a private entity not affiliated with the U.S. Government.”

What a great name for a private entity, and not at all confusing. The best is saved for last, which would be the location of the lady who supposedly sent you this ticket to a new way of life in the first place:

Poor old Ken.

Christopher Boyd (Thanks Alex)

More bad ads in Bing

Bad adverts in Bing leading end-users to Malware downloads first popped up on our radar on the 16th of September, and we covered them again on the 19th. Well, they’re back again – this time promoting fake Firefox downloads whose ads are displayed when searching for….wait for it….“Firefox download”:

You’ll notice they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v).

Christopher Boyd (Thanks to Matthew for finding this one).

Seen in the wild: 419 scammers now using calendar invites

Desperate to purloin money out of stupid and desperate people, 419 scammers are now trying Google Calendar invites.

The pain of it is that if you’re using Outlook, the calendar invite is automatically accepted and you get a reminder popping up. 

This has to be the rudest, nastiest spam I’ve seen in a long time.

Alex Eckelberry

The fake BBC video Facebook scam returns

It seems scammers have a bit of a thing for spoofing BBC websites at the moment. Yesterday it was work from home scams, and last month it was a Facebook wheeze which (in a nutshell) went like this: “Lady Gaga is dead and here’s a BBC video to prove it, also click here.”

Maybe the (unrelated) work from home fakeout has inspired scammers into a fresh round of BBC shenanigans, because the phony BBC video rides again on Facebook. As usual, it’s surveytacular and is geared around fake Facebook messages promoting the completely fake BBC page:

If you believe the hype – and you shouldn’t – a girl has “killed herself” due to her dad posting silly things on her wall. Also note that it’s been posted via “My Best Stalkers”, which sounds exactly like the kind of Facebook app end-users should be avoiding. Sure enough, clicking the link gives you this survey prompt:
The site in question is sqvw(dot)myfannso(dot)in/e/, and is still currently live at time of writing. This is one news report you can afford to miss.

Christopher Boyd (Thanks to Matthew for finding this one).

Bioshocked

Just a quick heads up that there’s a Twitter spamrun targeting mentions of the videogame Bioshock Infinite.

The promise: “My friend got Bioshock Infinite free”.

The reality:

A woman doing aeroplane impressions. Of course, people getting free copies of Bioshock Infinite would be quite a feat in itself, given the thing won’t be released until 2012.

[Update 1] It seems numerous games are having the same spammy treatment – we’re informed that poor old Batman is having similar problems with spam such as this:

“This is amazing! Get a FREE copy of the new Batman: Arkham City. Get one here”
“I love batman, I play the video game look at this”

As before, the URLs lead to linkdumps, spam offers and other assorted junk. Thanks to Pete for the heads up.

Christopher Boyd

Another round of bad ads in Bing

We’re seeing some more bad adverts popping up in Bing – just like the original attack, these results are served with very basic search terms so it’s pretty easy to stumble into one of the bad URLs. The results below appear when searching for “Flash player download”:

In the below example, the end-user arrives at malaysiaaktif(dot)com/flash and the fake Flash Player file is served up from dl-softonic(dot)net (a slight change from the original URL used to push the files which flatlined a few days ago):

As before, these are not particularly sites you want to be wandering into so please be careful when searching for basic tools, programs and files in Bing until these rogue adverts have a healthy dose of “put in jail and throw away the key” applied to them.

Christopher Boyd (Thanks Matthew)

Lucas Ex Machina: I never asked for this

In-game advertising has been around for a long time (specifically since 1978, when the Scott Adams game ‘Adventureland’ placed a promotional message in the game for his next release ‘Pirate Adventure‘, which involved crackers, a parrot and dying a lot).

There are three main types. Static adverts, as you probably guessed, don’t do much other than sit there advertising things: they don’t change and can’t interact with the outside world. Dynamic adverts are effectively injected into the game world on the fly, meaning your futuristic shooter can have up-to-the-minute posters on the wall for Pepsi or Alienware or whatever. These can also track gamers to measure how successful the advertising is – for example, the length of time spent staring at it when you should have been shooting at other gamers. The final type is ‘Advergaming’, which would take way too much time to explain, so here’s the Wiki page. Go nuts.

Attempts at ingame advertising can be successful (Keanu billboards in The Matrix Online? Meta), somewhat innovative or run into teething troubles – more often than not on consoles where EULAs and other agreements may involve some hoop jumping to read.

You can see why gamers tend to be irked by advertising in their gaming, and a case in point would be a furore surrounding a recent patch applied to Deus Ex: Human Revolution (which is apparently not the cause of said advertising furore, it’s just some unfortunate timing.) Gamers are complaining about a somewhat noticeable addition to loading screens: see if you can spot it.

I’m not sure if it’s up there with the Vader “NOOOOOOOOOO”, but it certainly gives Midichlorians a run for their money. A rather bright and unavoidable Star Wars advert sits in the bottom right corner of the screen, pleading with you to use the Force and buy the boxset. A few more examples can be seen here and here.

As you may have guessed, people aren’t best pleased and the inevitable result is users attempting to game the system – you can see what I did there – and kill the ads off. Some are tweaking their Hosts file:

Others are downloading random patches and mods from the internet:

While there aren’t any reports of malicious patches compromising systems (though the above popular ad killer currently hits a 1/44 detection in VirusTotal which appears to be a “Wisdom of the Crowds” thing), I can’t say it’s a great idea to be downloading files and hoping they don’t blow your PC sky high. Another issue is that the game developers (or whoever is providing you the platform to play your PC game on, such as Steam) may not take kindly to tampering, and could theoretically ban your account / access / some other thing you can’t really go without.

This would not be a good thing.

Of course, “patches” and cracks are appearing on Youtube and similar sites, all of which result in survey popups and fakeout websites galore – this probably won’t matter one jot to anybody really desperate to hose that Star Wars promo and a clicking they will go:

…and so on. For me, the most interesting thing about this one is that the adverts have gone live a little while after the game has already sold a stack of copies – I’m struggling to think of ingame adverts that weren’t live from the moment the title was released, and this has contributed toward the negative reaction for what is a small (if distracting) advertisement. At any rate, it’s definitely created an opportunity for people with malicious intent to snag some victims, either by survey affiliate moneymaking or the ever present threat of infection files.

It may well be worth waiting to see if the adverts are pulled due to the negative reaction before deciding to download File X from Site Y while crossing your fingers.

And Han shot first.

Christopher Boyd

Bing, Yahoo! Search adverts serve up malware

Overnight we saw a number of adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent.

Some of the search terms used:

“FireFox Download”
“Download Skype”
“Download Adobe Player”

As you can see, they’re not particularly complicated or unusual searches so you probably wouldn’t be jumping through hoops to reach these things.

Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you’ll notice that some of the ads display the “real” URL of the program mentioned, but take you to a rogue site such as the “Download uTorrent Free” advert above which actually takes you to aciclistaciempozuelos(dot)es/torrent).

All of the malicious downloads are coming from en-softonic(dot)net, and here’s their open directory with various files waiting to be launched on unsuspecting end-users:

As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search – we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off.

It’s entirely possible these sites will show up somewhere else, so be careful when downloading programs and make sure you’re on the official site before grabbing anything. These are definitely not the kind of files you want on your system.

Christopher Boyd (Thanks to Matthew for finding this one).

DeepSafe

I keep getting asked for comments on McAfee/Intel’s new Deepsafe. So what the heck, here goes.

This is a great marketing pitch. But remember that the platform the technology is based upon, Intel VTx, is an open architecture that any antivirus company can use. McAfee is innovating, but I truly doubt it’s because of any proprietary relationship with Intel.

I just don’t think there is any secret sauce here. This stuff is available to us all, and if it makes sense to use it, we will.

Alex Eckelberry

Touchpad? Touchbad.

Hands up: who wants a cheap HP Touchpad complete with charging dock and bluetooth keyboard?

Yep, you all do. However, not only does this prospect look a little unlikely due to the ultra scarce stock, you may well find you end up with a little more than you bargained for while searching for one of the few remaining deals knocking around the web.

Should you visit the rather long web address listed below (which may or may not completely ruin my formatting, cross your fingers), you’ll be enticed by the rather awesome offer that includes all of the above for the low, low price of $159.99.

tigger(dot)horizon-host(dot)com/123/td/applications/SearchTools/touchpad(dot)html

It sounds like a great deal. However, hit the “Buy” button and this website – which was pulling genuine content from a Tiger Direct page – would use some handy Javascript to load up a Survey box populated with data from fileice(dot)net.

I must admit, seeing a survey in this instance is somewhat bizarre as typical survey scams involve the affiliate offering freebies in return for a completed survey. I guess they’re banking on the lure of the cheap touchpad being too much for end-users to resist. An example offer:

Yeah, that’s super. Anyway, at time of writing the site in question appears to be down but I’d imagine others could well be attempting similar scams as stocks dwindle to nothing (assuming that hasn’t already happened).

Time to go back to saving up for an iPad…

Christopher Boyd (Thanks to Robert Stetson, and a hat-tip to Stopbadware).

Gaming website offers up “FileZilla” and…Jeefo

Just a quick heads up that a gaming website is offering up what appears to be a version of FileZilla, but is actually throwing the Jeefo Virus into the mix.

The site in question is someofcs(dot)com, and (as far as we can tell) it looks as though you may have to be a member of the site to download the file in question. The VirusTotal result right now is sitting at 38/44, so at least there’s decent coverage of this one.

Christopher Boyd (Thanks to Patrick Jordan for sending this over).

Rootcon 5: A Summary

I’m not saying all of my trips go horribly wrong, but exploding toilets, 1984 style televisions, badges that make no sense, surprises in alleyways and emergency fuel dumps could perhaps convince you otherwise. You’ll be pleased to know Rootcon 5 went off without a hitch (well, besides the earthquake drill, the eleven hours at Guangzhou airport and the lady with the foot in her face) and a great time was had by all.
Step up, Cebu Parklane International Hotel. Before:

After (well, during):

I think something in the region of 200(ish) people turned up to listen to talks on a wide variety of subjects. Ye Olde Cyberterror kept popping up throughout the event, as it’s clearly a bit of a hot topic, although there were plenty of other things to get your teeth into if you never wanted to hear the word “cyber” attached to anything ever again.

For the duration of the event, there were fairly spectacular gaming rigs available for people to hop on:

Batman, everybody.

Those are some big fans

When the PC above is turned on it seems to glow brighter than the Sun:

White heat

Of course, this being a hacker con there were various wargames / capture the flag type events taking place too. While it’s entirely possible I captured someone below simply wiping their face, I like to imagine the pwnage before her is so amazing that she is straight up shrieking into a napkin.

Pwn him! Pwn him good!

Skills to pay the bills

Probably not though.

Anyway, there was also an obligatory tshirt booth and everybody had a badge complete with a QR code or two to crack.

Shirts galore

Badges

So there we go. As for the talks, they came thick and fast over the two day event. No prizes for guessing that I talked about videogame / PC game hacking and threats, but in addition to that there was a great ZEUS talk by Trend Micro:

Zeus toolkit

Another presentation given by a chap well known for being involved in the legal side of things discussed the topic of whether the Philippines was ready for “cyber terrorism”. I must admit, I was curious when I heard that “Cyberterrorism” was a “convergence of cybernetics and terrorism”. I always thought that was something to do with scary robots, but feel free to plough through this lot and make sense of it for me.

There was also a fairly exciting kerfuffle between him and researchers from a company who gave a talk prior to this then found themselves referenced incorrectly in his own. I missed most of it, but below is some of the drama captured for posterity:

Actually...

Yeah, that was pretty awesome.

Something else that was awesome was the TDL 4 talk by my colleague Berman Enconado, which explored the history of TDL 4, what it does and the damage it can cause.

TDL4

Now it’s time to break for cakes because, well, look at them.

Earth to Elvis

Hacker cons tend to have some sort of lockpicking shenanigans taking place in the form of a village, but Rootcon had a one man lockpick village in the form of Jolly Mongrel who went through the various types of lock you could pick, examined a famous bank heist from yesteryear that involved lockpicking galore and also had some fun with handcuffs:

Handcuff fun

I love Batman. Almost.

I also thought his tshirt said “I love Batman”, which would have been amazing.

Fishbowl of doom

A quick prize draw at the GFI booth later (with a handily swiped fishbowl which I’m sure the fish didn’t miss) and it was time for the panel talk including speakers from IBM, Trend Micro, GFI Software, that legal guy and a chap called Sven Herpig who is as awesome as his name suggests. It was about – you’ve guessed it – cyberterror, along with a bunch of random security questions including ethical vulnerability reporting, Wikileaks and, er, setting up an overseas anonymous security company that quickly wandered into a discussion about tax evasion.

Cyberterror panel

Also someone said something pretty funny here, but I have no idea what it was.

Someone brought the lulz

All in all, this was an excellent event – especially as this was the first “official” security conference in the Philippines (despite there being four Rootcons prior to this, which were much smaller in scale). This had numerous speakers (both local and international), talks on a wide range of subjects, PC gaming, hacking events and booths stuffed with products and freebies.

Plans are already underway for Rootcon 6, so it would probably be wise to pencil in a visit to Cebu sometime next year. Thanks to everyone who organised the event and thanks also to everyone who visited the booth / listened to the talks, we had a great time!

Christopher Boyd

Hijacked sites serve up exploits, SEO poisoning

Our research team have discovered a rather nasty SEO poisoning scam over the last few days, targeting 9/11 related search terms (along with anything else they can get their hands on) in an attempt to infect vulnerable PCs. They use a combination of the Black Hole Exploit Kit (Correction: Phoenix Exploit Kit) and an interesting “on the fly” SEO poisoning tactic to try and drop infections onto the target PC.

Shangpalace(dot)com(dot)vn was the initial URL our research team discovered, although there are quite a few others out there right now. It goes without saying that all of these domains should be considered hostile and visited only from a dedicated testing machine.

Some example search terms are shown in the screenshots.

If you’re unfortunate enough to visit one of these rogue links, then you can look forward to attacks on your PC. Here’s what GFI Software Malware Research Supervisor Adam Thomas had to say about it:

“The server will return a script pointing to a malicious server which is running Phoenix exploit kit…the referral string used when visiting the compromised site must be an approved referral string (e.g. search.google.com). If not, the server will simply re-direct you to a non-malicious page.”

He continues: “The malicious domain ‘nvwjefrzacronyms(dot)info’ appears to be hosted on a server in Germany. Passive DNS data reveals several other likely malicious servers hosted at the same IP address.”

Adam tells me the site is “attempting to load as many exploits as possible in order to drop the payload”. This is typically what the user will see while the exploits and files are busy behind the scenes:

Here’s an example VirusTotal link to one of the pieces of malware being used – as you can see, 21/44 currently detect it. As with most attacks of this nature, you can expect to see multiple domains, files and search terms used to lure potential victims. Speaking of search terms, the people behind this are doing some interesting things with their poisoned search results. Adam again:

“The content for SEO poisoning can be generated ‘on-the-fly’. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired. By simply passing a search criteria to the url ‘shangpalace(dot)com(dot)vn/<search-term>’, the ‘SEO pack’ generates relevant content based on the search term.”

As an example, he passed a random search term to the server to see what would happen – “purple-golden-retriever”, in this case. Sure enough… “Within 2-3 seconds a page complete with keywords, related search phrases and even relevant working images is returned from the server.”
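Two checks a site owner or analyst could script from the behaviour described above: whether a hijacked site serves an extra third-party script only when the Referer looks like a search engine, and whether it returns a keyword-matched page for any slug appended to the URL. This is an added example, not code from the original post or from GFI; the HTML samples and the exploit-kit.example / compromised-site.example host names are constructed placeholders.

```python
"""Offline checks for two behaviours in the post: referrer-conditional script
injection (cloaking) and an "SEO pack" that builds a page for any request slug.
Sample pages and host names below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageInfo(HTMLParser):
    """Collect hosts of external <script src=...> tags and the <title> text."""
    def __init__(self):
        super().__init__()
        self.script_hosts, self.title, self._in_title = set(), "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.script_hosts.add(host.lower())
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def parse(html):
    info = _PageInfo()
    info.feed(html)
    return info

def referrer_only_script_hosts(with_search_referrer, without_referrer, site_host):
    """Script hosts served only when the Referer looked like a search engine.
    A non-empty result is the cloaking pattern Adam Thomas describes."""
    only = parse(with_search_referrer).script_hosts - parse(without_referrer).script_hosts
    return sorted(h for h in only if h != site_host.lower())

def echoes_slug(slug, body):
    """True if every word of an arbitrary slug (e.g. purple-golden-retriever) reappears
    in the page title, i.e. the server is generating content for any path it is given."""
    title_words = set(parse(body).title.lower().split())
    return all(word in title_words for word in slug.lower().split("-"))

# Constructed samples: the same compromised page fetched with and without a
# search-engine Referer, plus the page returned for a nonsense slug.
WITH_REFERRER = ('<title>Hotel Menu</title>'
                 '<script src="http://exploit-kit.example/load.js"></script><body>menu</body>')
WITHOUT_REFERRER = '<title>Hotel Menu</title><body>menu</body>'
SLUG_PAGE = '<title>Purple Golden Retriever - pictures and facts</title><body>...</body>'
```

To use it against a live suspect, fetch the same URL twice (once with a search-engine Referer header, once without) from an isolated machine and pass both bodies to the first function.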

Pretty slick. Keeping your system patched and your security software up to date is a good place to start with regard to avoiding these kinds of attacks, in addition to running a Limited User Account and (perhaps) some browser based script blocking tools such as NoScript. There are bound to be more domains out there playing host to the kind of badness seen above, and I’m pretty sure you don’t want to be caught out by this one.
Christopher Boyd (Thanks Adam)