
Polyamory and crime on the Internet

Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me (and I'm in the process of building a list of non-English mirrors of my polyamory site -- it's been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I've discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I've ever heard of.

A little background is in order. If you've used Google for any length of time, you probably know that when you Google popular keywords you'll often run into "spam pages." These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like "tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock" and have excerpts that look like "she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod". These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer's site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to redirect visitors to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who's unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info "I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark's, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.





UPDATED3: I've looked at some of the random text on these pages, and it's not really random at all--it's a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is "Ashley had always wanted to go there"--doing a Google search for that exact phrase results in 13,800 hits--nearly every single one of which is a spam redirector.




You get the idea. "Oh, well, this is interesting," thought I, "polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now."

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that's when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP--the largest single Web site security breach I've heard of.

If you want to keep going down the rabbit hole:

CAUTION * CAUTION * CAUTION The spam URLs given in this post redirect to virus droppers. If you are on a Windows machine using a normal Web browser, DO NOT click on these links. A text-based browser is safe to use, and the viruses affect only Windows machines and so will not hurt Mac or Linux systems.

The first Web site I found that contained one of these spam pages is on page 19 of the Google results for the search term "franklin veaux" (with quotes). It's on a site called patkolstad.org; the URL of the spammer redirect page is

http://patkolstad.org/images/ipmtt/har/ad/5/polyamory.html

The Web site at patkolstad.org belongs to a man named Pat Kolstad, who is one of the city councilmen in Santa Clara, CA. Not, in other words, a likely spammer interested in directing people to virus droppers in Eastern Europe. Clearly, his Web server has been hacked, and the redirectors have been placed on his server without his knowledge. I did a whois lookup on his domain name to see who his Web host is. He is hosted by ipowerweb, a cut-rate Web hosting company that advertises "Hosting over 700,000 Web sites!"

The next Web site I found that contains one of these spam pages is a place called u4info.net. It's a Chinese-language forum of some sort. The spam page is at

http://u4info.net/study/templates/subSilver/images/lang_english/nucrz/har/ad/5/polyamory.html

It looks like what happened here is pretty straightforward; the forum software has a security vulnerability, and the hackers used it to drop spam redirection pages into the forum template directory, right? Anyway, I did a whois on this site, and found that it is also hosted by ipowerweb. Interesting coincidence, I thought.

Next on the list is axlemike.com. It's a Web site for a business in Mesa, Arizona that recycles and rebuilds axles for trucks. The hacker apparently penetrated this site's security and placed a redirector at

http://axlemike.com/Catalog/image/Index2/wclyn/har/ad/1/polyamory.html

that goes to the same virus dropper. I looked up this site's hosting information; it's hosted at ipowerweb.com.

Okay, two is coincidence; three is starting to look like a trend.

I started skipping around, looking up the whois information for Web sites that contained obvious spam pages in the search.

indielegaldocs.com? Hosted by ipowerweb. theannuityvault.com? Hosted by ipowerweb. cntmicrosystems.com? Hosted by ipowerweb. sixgunband.com? Hosted by ipowerweb.

Every one of these Web sites, and hundreds and hundreds more, has been hacked. In every case, the hacker has placed pages filled with keywords related to polyamory, that redirect to virus droppers. And every one of them is hosted by the same Web hosting firm: ipowerweb.

I kept going. maggerific.com. footloosecanada.com. osynergyc.com. culpeperchristianschool.com. peoplethought.com. ansacnet.com. All hosted by ipowerweb. In fact, I kept this up for over an hour, checking hundreds of domains that had been hacked and had these redirector pages installed on them. ALL of them reside on servers owned by ipowerweb.com.

In other words, it appears that someone has figured out how to penetrate Web sites hosted by this hosting company at will, and has all at once placed Web pages on all of them which intercept popular Google keyword searches and redirect them to virus droppers.

ipowerweb boasts that it hosts over 700,000 Web sites. Think about that for a minute.

UPDATE: Apparently, this is nothing new. It seems ipowerweb.com is notorious across the Internet for their poor security, and sites hosted on ipowerweb.com can be hacked at will. This blog post claims that ipowerweb has known about their security issues for quite some time, and that the anti-malware organization Stop Badware reports that one out of every five compromised virus-dropping Web sites is hosted by ipowerweb.




I dropped an email to the abuse team at ipowerweb.com, letting them know that I had found a number of Web sites they were hosting had been compromised, and contained Web pages that redirected visitors to sites that tried to install viruses on their systems. I gave them a list of some of the URLs of the redirectors, and told them there were hundreds, if not thousands, more, and that they seemed to have a massive security breach on a huge scale.

Today, I got an email back that said "I have checked the web site (domain name) and noticed that there is no virus redirector files located at (redirector URL) . Please get back to us with link where exactly no virus redirector files are located so that we can take necessary action against this web site."

Well, hmm, that's odd, I thought, they were there yesterday.

I clicked on the links in the email that I'd sent, and sure enough, all of them showed 404: File Not Found errors. "Now that's damn odd," I thought.

I went back and repeated the Google search. The same compromised servers came up. I clicked on the links in Google and found myself redirected to the virus droppers.

I clicked on the links in the email and found myself staring at a 404 File Not Found error.

I clicked on the links in Google and found myself at a virus dropper.

A light bulb went on. "Aha!" I thought. "I bet these redirectors hide themselves! If you visit one of these pages from Google, it'll redirect you; but if not, it won't!"

A little background is necessary for anyone who does not understand how the Web works. If you are on a Web site, and you click on a link to another site, your browser will tell the site you clicked on where you came from. For example, if you are reading my LiveJournal, and you click on a link to my SymToys site, your browser will tell my Symtoys site "I came from tacit.livejournal.com".

This is called a "referer." Your browser will tell any site you click through to what the referer was--that is, the page on which you clicked the link.

My theory was that if the referer to one of these spam pages was set to anything but "google.com" the page would redirect to a 404 error; otherwise, it would redirect to the virus dropper.

To test this, I used a program called wget. This is a nifty little program that's sometimes used to troubleshoot malfunctioning Web servers. If you type "wget www.symtoys.com" on a command line, it will show you step by step every bit of communication between your computer and the symtoys.com server; that is, you'll be able to see the exact commands that a Web browser would send to www.symtoys.com, and the exact responses the server would send back.

You can tell wget to pretend to be just about any browser, and you can tell wget to pretend to have any referer you want. I picked one of the URLs of one of these redirectors, namely:

http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html

Then I typed the command "wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html" and this is what I saw:

wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:21:32-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--16:21:34-- http://mdhardyinc.com/404
=> `404'
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
16:21:35 ERROR 404: Not Found.


It got a "file not found" error. Then I used the same command, only this time I instructed wget to pretend that it had come from a link on Google:


wget --referer=http://www.google.com http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:19:40-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=mdhardyinc.com&ver=6 [following]
--16:19:41-- http://traffloader.info/go.php?s=mdhardyinc.com&ver=6
=> `go.php?s=mdhardyinc.com&ver=6'
Resolving traffloader.info... done.
Connecting to traffloader.info[87.248.180.67]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:43-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... done.
Connecting to www.clipsfestival.com[82.208.18.109]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:45-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... done.
Connecting to powerof3x.com[85.255.118.156]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg [following]
--16:19:47-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg
=> `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg'
Resolving www.3xpowered.com... done.
Connecting to www.3xpowered.com[85.255.115.180]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 32,811 5.17K/s

16:20:03 (5.17 KB/s) - `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg' saved [32811]


Look at that!

Here is what is happening:

You go to one of these spam pages. If you came from anywhere but Google, you see a 404 file not found error. However, if you came from Google:

It sends you off to a Web site called "traffloader.info". Traffloader.info is a Web site hosted in the country of Moldova, a tiny Eastern European country that used to be part of the Soviet Union.

The traffloader.info Web site then picks one of three other Web sites at random, and redirects to that Web site. In this case, it randomly picked www.clipsfestival.com. Clipsfestival.com is a Web site in the Czech Republic, also in Eastern Europe.

Clipsfestival.com redirects to powerof3x.com. The server powerof3x.com is registered in the Ukraine, in Eastern Europe. It redirects to www.3xpowered.com, also registered in the Ukraine.

3xpowered.com is the virus dropper. When you go here, your computer will attempt to download an .exe file, which will, if downloaded and executed, infect your computer.
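The referer test done above with wget can be automated. The script below is an added example, not code from the original post: it follows each redirect hop itself (so every intermediate host is recorded rather than hidden behind automatic redirect following), requests the page once with no Referer and once claiming to come from Google, and reports whether the two chains differ. It is the kind of check a hosting provider or site owner would run over their own pages from a machine that does not execute what it downloads. The `simulated_fetch` transport is a constructed stand-in that replays the hosts from the wget run above so the script runs offline; `http_fetch` is the live transport you would swap in. The function names and the `MAX_HOPS` limit are my own assumptions.

```python
"""Detect referer cloaking: a page that returns 404 to direct visits but
redirects search-engine visitors elsewhere. Added example; not from the post."""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10                                   # assumed cap; stops redirect loops
REDIRECTS = (301, 302, 303, 307, 308)


def http_fetch(url, referer=None):
    """Live transport: one plain-http GET with redirects NOT followed, so the
    caller sees every Location header. Returns (status, location_or_None)."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    headers = {"User-Agent": "Mozilla/5.0 (compatible; cloak-check)"}
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def simulated_fetch(url, referer=None):
    """Constructed offline transport replaying the hop sequence seen in the
    wget output above (host names from the post; responses are simulated)."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path
    from_search = bool(referer) and (urlsplit(referer).hostname or "").endswith("google.com")
    if host == "mdhardyinc.com":
        if path == "/404":
            return 404, None
        if from_search:
            return 302, "http://traffloader.info/go.php?s=mdhardyinc.com&ver=6"
        return 302, "/404"                      # direct visitors are bounced to a 404
    if host == "traffloader.info":
        return 302, "http://www.clipsfestival.com/movie1.php?id=4161"
    if host == "www.clipsfestival.com":
        return 301, "http://powerof3x.com/m2/movie1.php?id=4161"
    if host == "powerof3x.com":
        return 302, "http://www.3xpowered.com/m4/index.php?id=4161"
    return 200, None                            # final landing page


def trace_redirects(url, referer=None, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow 3xx responses by hand, sending the same Referer on every hop
    (as wget --referer does). Returns (final_status, [url, url, ...])."""
    chain = [url]
    status, location = fetch(url, referer)
    while status in REDIRECTS and location and len(chain) <= max_hops:
        url = urljoin(url, location)            # handles a relative Location like "/404"
        chain.append(url)
        status, location = fetch(url, referer)
    return status, chain


def referer_cloaking(url, fetch=http_fetch, search_referer="http://www.google.com/"):
    """Compare the direct redirect chain with the search-referred chain."""
    direct_status, direct_chain = trace_redirects(url, None, fetch)
    ref_status, ref_chain = trace_redirects(url, search_referer, fetch)
    direct_hosts = [urlsplit(u).hostname for u in direct_chain]
    ref_hosts = [urlsplit(u).hostname for u in ref_chain]
    return {
        "direct_status": direct_status,
        "referer_status": ref_status,
        "direct_hosts": direct_hosts,
        "referer_hosts": ref_hosts,
        # Any difference in path or outcome means the page treats search
        # visitors differently from everyone else.
        "cloaked": direct_hosts != ref_hosts or direct_status != ref_status,
        # A search visitor who ends up on another host entirely is the
        # pattern documented above.
        "leaves_site": ref_hosts[-1] != urlsplit(url).hostname,
    }


if __name__ == "__main__":
    report = referer_cloaking("http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html",
                              fetch=simulated_fetch)
    for key, value in report.items():
        print(f"{key:>15}: {value}")
```

Run as-is it replays the simulated chain; passing `fetch=http_fetch` (the default) makes the same comparison against a live URL. Comparing the whole host chain rather than just the final status catches the variant where both visitors get a 200 but only search visitors are routed off-site.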




UPDATED2: A representative from ipowerweb has posted a reply in the comments saying that ipowerweb is actively working to clean up the problem, and working with Google to flag the redirectors in Google search results. However, new entries are appearing in Google search results this afternoon, from additional compromised ipowerweb sites.

These new entries work the same way, but redirect through a different chain of servers to a different virus dropper. An example of one of the new redirectors is at

http://www.nundachamber.com/img/.../qq33/02/polyamory.html

It redirects through a different set of Eastern European servers to a different virus dropper as follows:

wget --referer=http://www.google.com http://www.nundachamber.com/img/.../qq33/02/polyamory.html
--12:54:09-- http://www.nundachamber.com/img/.../qq33/02/polyamory.html
=> `polyamory.html'
Resolving www.nundachamber.com... done.
Connecting to www.nundachamber.com[66.235.211.83]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://xerxer.net/go.php?s=nundachamber.com_qq33 [following]
--12:54:09-- http://xerxer.net/go.php?s=nundachamber.com_qq33
=> `go.php?s=nundachamber.com_qq33'
Resolving xerxer.net... done.
Connecting to xerxer.net[87.248.180.88]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://shockbabetv.com/l/coloraz/id/3912960/black/white/ / [following]
--12:54:09-- http://shockbabetv.com/l/coloraz/id/3912960/black/white/%20/
=> `index.html.1'
Resolving shockbabetv.com... done.
Connecting to shockbabetv.com[85.255.119.93]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 9,896 2.36M/s





So, to recap: A huge number of Web sites, all hosted by a company called ipowerweb, have recently been hacked all at once. The hacked Web sites have all had new files placed on them which contain thousands of common Google keywords, including my name. When someone visits one of these pages from Google, he gets passed from the hacked Web site through a chain of Web sites in Eastern Europe, and finally ends up on a server that attempts to install a virus.

But who is 3xpowered.com? Surely, there must be some information about the owner of this Web site, right?

Well, no.

UPDATE: I have received a reply from privacyprotect.org; they have stripped the private registration from the virus site. The old and new information is shown below.

OLD information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Wed, 12 Dec 2007 23:07:34 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE


CURRENT information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Thu, 13 Dec 2007 15:45:23 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com


Administrative Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Technical Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Billing Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Status:ACTIVE




The information about the person who registered this domain is hidden by a privacy protection organization. These organizations--and there are many--register domains on behalf of others, and then place their own information in the whois. They exist because the owner of a domain is required to be listed in the whois database, but many people don't like revealing that they own a particular Web site. There may be legitimate reasons for this, but it's popular with spammers and criminals, too.



UPDATE2: The new virus dropper being used in the newest wave of attacks is shockbabetv.com. Unsurprisingly, its whois is also protected by privacyprotect.org:

whois shockbabetv.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHOCKBABETV.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.SHOCKBABETV.COM
Name Server: NS2.SHOCKBABETV.COM
Status: clientTransferProhibited
Updated Date: 12-dec-2007
Creation Date: 12-dec-2007
Expiration Date: 12-dec-2008

>>> Last update of whois database: Fri, 14 Dec 2007 18:10:05 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SHOCKBABETV.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676




The domain that drops viruses is very new--less than a month old. I'd be willing to bet that all the hacked Web sites have been hacked for less than a month, too. I did a simple search for "polyamory" confined to one of the hacked Web sites, mdhardyinc.com, and got 125 hits. So not only have the hackers penetrated hundreds or thousands of Web sites, but each hacked site has hundreds of redirector pages on it.

My conclusion: the Web hosting company ipowerweb.com has been victimized by a security breach on a scale that's hard to imagine. Eastern European criminals have hacked a huge number of ipowerweb customers, and are using them to catch Google searches for popular search terms, including search terms about polyamory, and redirect them to virus droppers while simultaneously hiding them from anyone not coming in from Google.

The things you can learn by Googling your name.

Any sysadmins or abuse people out there know what I should do with this information? Who should I report it to?




UPDATED4: Incredibly, the attacks on iPowerWeb documented above are still ongoing, nearly three weeks after iPower was first notified of the problem! I have identified several hundred more compromised Web sites which are as of this writing still redirecting to the same virus droppers. Also incredibly, the same virus droppers are still active on the same servers. Some of the compromised iPower Web site URLs that are still active include:

http://pcdoctor-community.com/pcdblog/wp-admin/hvfjv/her/bad/3/violet-wand.html
http://anthonydilorenzo.com/images/_notes/bxoct/her/bad/8/glans.html
http://lckitchen.com/_borders/_vti_cnf/crfyz/her/bad/8/gay-cowboys.html
http://whitneygaylord.com/css/tfcph/her/bad/8/exhibit.html
http://europaparcs.com/old/img/cpuqc/her/bad/3/spermicide.html
http://riversideauctionsc.com/img/.thumbs/otlvl/her/bad/8/virginity.html
http://dizzysfarm.com/img/_vti_cnf/fdtoi/her/bad/3/queef.html
http://thebizmate.com/LazyBoy/Ads/ocdko/her/bad/3/harlot.html
http://michaelannyoung.com/PuertoV/images/uplhz/her/bad/3/vaginal.html
http://motionpicturesdvd.com/shopping/files/hczwv/her/bad/8/oral-contraceptives.html
http://heavenstouchgifts.com/bksbbls/bible/rswmd/her/bad/8/pregnant.html
http://jphonline.com/pdffiles/_vti_cnf/ddzqv/her/bad/3/yaoi.html

and hundreds more. As before, going to any of these links directly produces a 404 error; going to these links with the browser referrer set to "google.com" causes redirection to the traffloader.info site, which then further redirects to a virus dropper hosted at 3xfestival.com or scanner.spyshredderscanner.com.

Comments

justben
Dec. 12th, 2007 11:30 pm (UTC)
Wow. Crazy.

My first guess is to go first back to the hosting company with the new info so that they can fix their systems and second to Google. The latter might want to see if their searchgoons can come up with a way to protect their database against this type of spam in the future.

Beyond that, though, I'm not sure.
cramer
Dec. 17th, 2007 04:40 am (UTC)
The hosting company doesn't care. Unless it costs them hundreds of thousands of customers, they aren't going to care. Security costs money; when you pay someone $2/month (for example), what do you expect to get?

Google would be a good route except there's almost nothing they can do about it. Do you expect them to virus scan the entire Internet?
visudo
Dec. 13th, 2007 12:04 am (UTC)
This is really quite a find, Franklin. I'd suggest sticking with ipowerweb and seeing if you can get them to work with you, at least at first.
jtroutman
Dec. 13th, 2007 12:07 am (UTC)
SANS. They may find it interesting, and it would get a mention in their security newsletter, which is widely read. This would also force the host to pay attention to it.

http://isc.sans.org/contact.html
tacit
Dec. 13th, 2007 04:17 pm (UTC)
Just posted a message on the SANS contact page; thanks!
dwer
Dec. 13th, 2007 12:14 am (UTC)
I agree with the above, but also the FBI.
seotoday
Mar. 4th, 2010 02:47 pm (UTC)
Yea let's get those rude people to justice
grey_evil_twin
Dec. 13th, 2007 12:15 am (UTC)
Can I link this post in my LJ? I have some mates who would be very interested in this.
tacit
Dec. 13th, 2007 12:17 am (UTC)
Absolutely! The more eyes the better!
jtroutman
Dec. 13th, 2007 12:30 am (UTC)
digging a little
The payload program that they try to get you to download is some sort of a trojan, with an installer made with the NullSoft windows installer kit.

Running strings on the binary shows a lot of function calls to hook into various security related windows DLLs.

The MD5 sum of the binary is 14c9e76c2df1fac2820f5d56f426d06b, which does not yield any hits on Google. So I guess you have found something new!

It does seem like the binary has additional payload that is packed up (compressed) and obfuscated in some way. I was able to uncompress a piece of it, but it didn't have much that was interesting.

But it may be a lot like this Trojan:

http://www.offensivecomputing.net/?q=node/370

and may even be from the same Trojan generator kit. I don't know, I am not really an expert in these things.

here is a sample of the sort of system calls, etc:

SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
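A small static triage script of the kind the commenter above is describing, added here as an example (not the commenter's code and not from the post): it hashes a sample with MD5 and SHA-256 (MD5 is what was searched for above; SHA-256 is what most sample databases index as well), pulls printable strings the way the `strings` tool does, and flags Windows API names associated with privilege and registry manipulation. The `SUSPICIOUS_APIS` table is my own short watch-list seeded with the names quoted in the comment; `SAMPLE` is a constructed byte string, not the trojan, so the script runs offline.

```python
"""Static triage of an unknown Windows binary: hashes, printable strings,
and imports worth a second look. Added example; not from the post."""
import hashlib
import re
import sys

# Assumed watch-list: names quoted in the comment above, with a note on why
# each matters. A hit is a reason to look closer, not a verdict on its own.
SUSPICIOUS_APIS = {
    "OpenProcessToken": "opens the process access token",
    "LookupPrivilegeValueA": "resolves a privilege name (step 1 of raising privileges)",
    "AdjustTokenPrivileges": "enables privileges on the token (step 2)",
    "RegDeleteKeyExA": "deletes registry keys (can strip security settings)",
    "MoveFileExA": "can schedule a file replacement for the next reboot",
}


def extract_strings(data, min_len=4):
    """Pure-Python stand-in for `strings`: runs of >= min_len printable
    ASCII bytes, returned in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def hashes(data):
    """Identifiers to search for in malware databases; MD5 alone is
    collision-prone, so record SHA-1 and SHA-256 alongside it."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data):
    """Summarise what a first look at the bytes can tell you."""
    strs = extract_strings(data)
    unique = set(strs)
    hits = sorted(s for s in unique if s in SUSPICIOUS_APIS)
    return {
        "hashes": hashes(data),
        "string_count": len(strs),
        # Nullsoft (NSIS) installers carry this marker text in the stub.
        "nsis_installer": any("Nullsoft" in s for s in unique),
        "suspicious_apis": hits,
        "reasons": {s: SUSPICIOUS_APIS[s] for s in hits},
    }


# Constructed sample: padding bytes plus a few of the import names quoted
# above. It is not real malware; it exists so the script runs offline.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Nullsoft Install System v2.46\x00"
    + b"\x01\x02\x03AdjustTokenPrivileges\x00"
    + b"\xff" * 5 + b"OpenProcessToken\x00RegDeleteKeyExA\x00ADVAPI32\x00"
    + b"ab\x00KERNEL32\x00"
)


if __name__ == "__main__":
    # Usage: python triage.py [path-to-sample]; defaults to the constructed bytes.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    for algo, digest in report["hashes"].items():
        print(f"{algo:>7}: {digest}")
    print(f"strings: {report['string_count']}  NSIS installer: {report['nsis_installer']}")
    for api, why in report["reasons"].items():
        print(f"  {api}: {why}")
```

The string extraction is deliberately the same crude pass `strings` makes, so a packed or obfuscated payload (as the commenter suspected here) will show few meaningful hits; that absence is itself a useful signal that the file needs unpacking before anything else is concluded.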
maddogruff
Dec. 13th, 2007 12:32 am (UTC)
Franklin...you have stumbled onto some things that we in the information security industry have been harping on for some time. I work for a company that does primary research in bot and computer security. You have done a pretty good job of summarizing just one of many techniques used by organized crime to take over computers. The best place to start is with the ISP upstream from the infected company and the sysadmins of the infected machines themselves. Quite frankly, many sysadmins ignore many of these requests due to the overwhelming time issues. There are several industry "ISACS" that will share this information across industry lines. You may also want to pursue one of those entities. Finally, there is the local FBI HTCIA and Infraguard chapters. I would be happy to share those if interested.

Mark
maddogruff
Dec. 13th, 2007 12:36 am (UTC)
There are several techniques used to accomplish this through searches...one is through DNS harvesting...a recent white paper was published out of Ga Tech regarding some of these techniques. There are several other ways that searches and traffic are directed to illegitimate sites.
toki_warax
Dec. 13th, 2007 12:34 am (UTC)
I would second the FBI.
tacky_tramp
Dec. 13th, 2007 12:36 am (UTC)
Surely PrivacyProtect.org has a TOS that prohibits its users from using their service to mask criminal activity ...?
merovingian
Dec. 13th, 2007 01:02 am (UTC)
Wow, that's quite a scheme! I am guessing that unless you personally know someone honest at ipowerweb, you're not going to get good answers unless there's a letter that comes from a lawyer. but that's just a guess.

The FBI might be a good one to call.

I'm guessing Google is likely to be more productive. If I happen across someone who could help with this, mind if I reference this page?
tacit
Dec. 13th, 2007 01:16 am (UTC)
That'd be awesome!
sylvar
Dec. 13th, 2007 01:50 am (UTC)
If you don't mind the bother of subscribing to the INCIDENTS mailing list, it might be worth sending them the text of this post. In plain-text, of course. :)
jayene
Dec. 13th, 2007 02:08 am (UTC)
lol if you want someone on the inside I know someone going to Moldova in a month for a while. I don't think he has the computer background though. ;-)
wolfger
Dec. 13th, 2007 02:33 am (UTC)
I skipped the highly technical stuff, mainly for lack of time, but it seems to me I'd be fine surfing on a Windows box with Firefox and NoScript... Why do people have to use insecure browsers?
...and can we make a rug out of these people's hides? (the spammers/virus-writers, not the IE users)
master_wolf
Dec. 13th, 2007 02:36 am (UTC)
I could be wrong, but as of 4 years ago Ipowerweb did not own its own data center. And if this is still true you can do a reverse DNS lookup on the server IPs and report it to the data center.

My hosting company leases all of our servers from The Planet and the few abuse reports we have gotten have been treated very seriously by the data center.

peace
Wolf
www.alphaone-tech.com
tacit
Dec. 13th, 2007 03:58 pm (UTC)
A reverse DNS of some of the compromised Web site IP addresses just leads back to ipowerweb, so I don't know if they host their own data centers or not.

Apparently, however, this is not a new problem, and ipowerweb appears to have such poor security that hackers can penetrate sites hosted with them easily. I've updated the main message above with links and references to this problem, which appears to be long-standing.
radven
Dec. 13th, 2007 03:30 am (UTC)
Keep fighting the good fight.

Forget the war on drugs or in Iraq, I'd like to see our next president declare war on spammers and trojans.

I think a cruise missile or two might get the point across...
datan0de
Dec. 14th, 2007 09:09 pm (UTC)
Of course, our president is unclear on both global warming and on how humans evolved. If he's that dense regarding science, I can't imagine his ability to comprehend technical issues is any better, even if it's explained to him in tiny words.
mantic_angel
Dec. 13th, 2007 05:39 am (UTC)
Wow, impressive research job. I'm a bit surprised to realize I'm actually familiar with all of the tools and techniques you've used, from similar stuff I've done in the past (although I only deal with referrers because I've discovered a referrer-blocking proxy server makes the web work far smoother).

Also, just a plain interesting event. You don't seem to mind people linking this, so... *yoink* :)
3200asa
Dec. 13th, 2007 05:45 am (UTC)
I know some people inside iPowerweb and I'll pass this along to them. I suspect they already know though.

As of 12:45am EST
wget --referer=http://www.google.com http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html still works and redirects to the payload site.
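The check 3200asa runs above (the page redirects only when a Google referer is sent) can be scripted so a defender can re-test a list of URLs. This is an added example, not code from the post or from anyone in the thread; the host names and the stand-in fetcher are constructed for the demo, and the live fetcher uses urllib.

```python
# Added example, not from the original post: flag referer-cloaked redirects
# by fetching a URL with and without a search-engine Referer header.
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# A fetcher returns the final URL after following redirects, or None on error.
Fetcher = Callable[[str, Dict[str, str]], Optional[str]]


def http_fetch(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Live fetcher: follow HTTP redirects and return the final URL, or None."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.geturl()
    except (urllib.error.URLError, ValueError):
        return None


def referer_cloaking(url: str, fetch: Fetcher = http_fetch,
                     referer: str = "http://www.google.com/") -> Dict[str, object]:
    """Fetch url twice (plain, then claiming a Google referer) and report
    whether the final destination differs and whether it leaves the host."""
    ua = {"User-Agent": "Mozilla/5.0"}
    plain = fetch(url, dict(ua))
    referred = fetch(url, dict(ua, Referer=referer))
    cloaked = plain is not None and referred is not None and plain != referred
    offsite = (referred is not None
               and urlsplit(referred).netloc != urlsplit(url).netloc)
    return {"plain": plain, "with_referer": referred,
            "cloaked": cloaked, "offsite": offsite}


def constructed_fetch(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Stand-in fetcher (constructed for the demo, no network) that mimics the
    compromised page: it redirects off-site only when a Google referer is sent."""
    if "google" in headers.get("Referer", "") and "/ad/" in url:
        return "http://payload-host.invalid/x/"
    return url


if __name__ == "__main__":
    # Swap constructed_fetch for http_fetch (the default) to test a live URL.
    print(referer_cloaking("http://victim.invalid/rclrn/ad/5/page.html",
                           fetch=constructed_fetch))
```

A page whose result shows "cloaked" and "offsite" both true behaves like the one in the wget test; a clean page returns the same final URL either way.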
tacit
Dec. 13th, 2007 04:00 pm (UTC)
That'd be awesome!

I suspect it will do little good, however. I've updated the main post with additional information about ipowerweb.com; it appears they have persistent security problems that extend back a long time, possibly related to vulnerabilities in their Web control panel software. According to stopbadware.org, an astonishing 20% of all Web sites being used to host or download malware are hosted by ipowerweb.com. If this is correct, it appears their problems run deep indeed, and that to date they have not acknowledged or addressed these problems.
chaoticset
Dec. 13th, 2007 07:22 am (UTC)
Faaaaassssscinating...not only as a real-life example of a "weaponized" virus (i.e., one "payloaded" in such a manner as to provide maximum infection vectors) but also as a great idea for fictional hackers to follow. :D
surelars
Dec. 13th, 2007 02:10 pm (UTC)
she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod

I just wanted to note that this is wonderful Vogon poetry.

Other than that - well, we have an ISP pretty badly hosed there. Challenge might be to actually get through the front desk and get hold of someone who understands that they have a problem. If they have actual tech people (and that's a pretty big if these days), getting on a security forum or list these people use or where people who know them hang out might be a way to get hold of intelligent lifeforms there.

One thing to notice here is the effect of the new world of hacking. This is a truly large-scale effort. This is not done by script kiddies, there's no defacing here. These guys are professionals, and as a result take the threat to a whole new level.

This is fascinating stuff. I will forward it around a bit. If you know how to reach knowledgeable people in law enforcement, that might be a good thing. For one thing, the FBI can probably get the attention of a US ISP. On a longer term, having the FBIs of the world knocking on the door of Ukraine etc. authorities is one way we might eventually convince them to wear white hats.

Thanks for posting this.
maddogruff
Dec. 13th, 2007 04:02 pm (UTC)
Agreed...

But on another note... I REALLY need a nymphomaniac ipod....TRULY!
also_huey
Dec. 13th, 2007 07:20 pm (UTC)
Excellent writeup. Authorities have been notified.
james_the_evil1
Dec. 13th, 2007 08:26 pm (UTC)
I passed this along to a friend of mine who's in the biz with domains & hosts & such.
I'll let you know if he has any more suggestions, unless he posts them himself :-)
james_the_evil1
Dec. 13th, 2007 09:02 pm (UTC)
Somehow this does not make me feel much better about LJ being bought by a Russian company that would like us all to send them scans of our government IDs.
(Anonymous)
Dec. 14th, 2007 03:18 am (UTC)
On Behalf of IPOWER
We are aware of this malicious attack, a patch is currently being rolled out, and over the next few hours the redirects should get wiped out. We are also working with the search engines to clear out the indexed malicious pages. This attack was isolated to our legacy platform. As some of you are aware, we have been in the process for a couple of months of moving our customers to our new platform, on which one of the many improvements is moving away from the legacy server-by-server architecture to a distributed platform which allows for greater security processes and controls. The changes we are making should protect our customers from these types of attacks in the future. And, we are also working with law enforcement with regard to this matter.
tacit
Dec. 14th, 2007 06:19 pm (UTC)
Re: On Behalf of IPOWER
Excellent! That's good news, and I'm happy to see that you're taking efforts to stop the problem and to work with Google about cleaning up their listings. You may be interested to know that this afternoon there appear to be more compromised Web sites, and that they're using a different payload server now.
footpad
Dec. 14th, 2007 11:30 am (UTC)
For a frightening demonstration of the organisation and competence of the Russian computer-criminal underworld, you might like to read David Bizeul's study of the "Russian Business Network" (PDF, 1.5 MB, needs some internetworking knowledge). I suspect you've been looking at the handiwork of the same people.
tacit
Dec. 14th, 2007 08:09 pm (UTC)
Wow, very interesting reading. I'd heard of RBN peripherally, but this PDF is fascinating.
twisted_times
Dec. 14th, 2007 03:44 pm (UTC)
I saw this from a link on the polfamilies mailing list. The sheer scale of this beggars belief. Then again, virtually all of the insecurity and dangers of the Internet come from machines not fully up to date with their security patches... sad to say, but unfortunately true. The irresponsibility of ipower, given that it hosts such a huge number of websites, is what really makes me despair more than anything else.
