Franklin Veaux (tacit) wrote,

Another day, another massive Web hack by the Zlob gang

I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.

I hadn't actually intended to do any computer security stuff today; my plans for the evening involved playing WoW. the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.

A Google search for "viking porn" turns up a few hits with a Google "this site may harm your computer" tag. Both of the first two I looked at--because I can't stay away from the "this site may harm your computer" tag--had several interesting things in common: both were hosted on iPower Web, the notoriously insecure Web host I've written about on several occasions in the past; both had malicious redirection files in a directory named /backup/; both used a complex series of traffic redirectors before ending up at the malware site proper; and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.

In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.

I widened the Google search using both common keywords (like "porn") and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.

What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing a large number of keyword-stuffed files, each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.

The compromised Web sites I found--and I do believe that these redirectors are the result of automated Web site compromises--are located on a wide variety of Web hosts in and out of the US, not just on iPower (though as per usual, iPower is hosting a bunch of them--those guys couldn't secure a paper bag with duct tape and titanium plating).

There appears to be no common trend among the compromised sites. Some of them are running content management software; some of them aren't. Some are hosting blog software; some aren't. Some are hosting forum software; some are not. Whatever technique is being used to hack these sites, it isn't confined to one package, one script, one vulnerability, or one Web host.

A sampling of sites that have been compromised includes:
*** WARNING *** WARNING *** WARNING ***
ALL of the URLs in the following list are active as of the time of this writing. All of these URLs redirect to sites that WILL attempt to download a computer virus onto your computer. DO NOT visit these URLs if you don't know what you're doing.

In each case, there are multiple redirectors per compromised host; the /backup/ directory you see in each of these URLs contains many files, each of which is tuned to a different set or type of Google keyword search and each of which redirects to malicious servers.

All of these sites redirect in the same way (using obfuscated JavaScript) to the same URL:

http://wholostkate.com/go.php?sid=3&tds-k=[url of redirector]&sref=

The Web site at wholostkate.com in turn redirects to one of several target destination sites, which vary depending on the user agent of the user's Web browser. Most often, it redirects to

http://www.datingactionnow.com/getlaidtonight/

which in turn redirects to

http://www.xxxblackbook.com/?s=register&rand=1&ard=7152&r=lc147655&p_id=18664866

Occasionally, however, wholostkate.com redirects to one of:

http://allvirusscannow.com (a phony antivirus site that tries to download malware disguised as fake antivirus software)

http://94.75.228.0/ (not currently loading for me)

http://yourbestway.cn/in.cgi?4 (which in turn redirects to one of several sites, including http://netsecurityaudit.com/index.php?affid=20700 -- another phony antivirus site that tries to download malware disguised as fake antivirus software)

http://tska.exofire.net/go.php?sid=2&tds-k=best%20masturbation (not currently loading for me; clearly another redirector)

http://www.myspnace.com/754/j24613.html (a URL that looks at the user agent of the browser: if it's a Windows browser, it redirects to http://www.2trades.com/ and downloads the Windows W32/Zlob malware; if it's a Mac browser, it redirects to http://www.mac-videos.com/ and downloads the Macintosh DNSchanger malware)

The key to this whole network is wholostkate.com. Here's what Whois has to say:

whois wholostkate.com

Whois Server Version 2.0

Domain Name: WHOLOSTKATE.COM
Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY
Whois Server: whois.centrohost.ru
Referral URL: http://centrohost.ru
Name Server: NS1.HC.RU
Name Server: NS2.HC.RU
Status: clientRenewProhibited
Updated Date: 12-may-2009
Creation Date: 09-mar-2009
Expiration Date: 09-mar-2010

domain: WHOLOSTKATE.COM
nserver: NS1.HC.RU
nserver: NS2.HC.RU
nic-hdl: HOSTINGCNT-ORG-CTH

Registrant contact :
Ltd. Hosting-Center
Litovskii bulvar, d.22
Phone: +7 495 5445566
Fax: +7 495 5140957
E-mail: domain@hc.ru

Billing contact :
Molchanov Sergei Aleksandrovich
119334, RF, Moskva, 5-i Donskoi proezd, d. 15, str. 4
Phone: +7 495 5445566

Technical contact :
CENTROHOST CJSC
Alexander Panov
15/4 5th Donskoi Proezd
Moscow 119334
RU
Phone: +7.4955439101

The site at datingactionnow.com is using privacy protection on the whois.

whois datingactionnow.com

Whois Server Version 2.0

Domain Name: DATINGACTIONNOW.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS100.DATINGACTIONNOW.COM
Name Server: NS101.DATINGACTIONNOW.COM
Status: clientTransferProhibited
Updated Date: 15-may-2009
Creation Date: 02-jan-2007
Expiration Date: 02-jan-2010

Domain name: datingactionnow.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O datingactionnow.com
Bellevue, WA 98007
US

Name Servers:
ns100.datingactionnow.com
ns101.datingactionnow.com

Creation date: 02 Jan 2007 22:23:41
Expiration date: 02 Jan 2010 22:23:41

xxxblackbook.com, the site that users are redirected to from datingactionnow.com, is a run-of-the-mill pay-for-play adult dating site that is probably not directly involved in the hacking; at best, it most likely simply turns a blind eye to people who use these techniques to send it traffic. When someone is directed to xxxblackbook.com by these unethical means and then signs up, the hackers get a kickback, which strongly, strongly implies that xxxblackbook.com has a way to reach the hackers responsible for these attacks (else the hackers couldn't get paid).

On my Mac, datingactionnow.com/getlaidtonight/ doesn't attempt to download any malware--it simply presents a bunch of pictures that redirect to xxxblackbook.com. However, it refuses to return anything at all--not even an empty HTML file--to wget, which leads me to suspect that it may be testing for browser vulnerabilities server-side before it does anything. Therefore, I'm not ready to say that datingactionnow.com doesn't download any malware; only that it doesn't download any malware to my Mac.

The fact that the Zlob gang is becoming more sophisticated in their detection of Macs worries me. In the past, they have used simple redirection scripts to download Mac malware rather than Windows malware when they see a Mac user agent; now they are using some redirectors which send Mac and Windows user agents to entirely different servers.

Edited to add: Many, but not all, of the hacked sites also have invisible iframes placed on them that load content from http://microsotf.cn/ or http://updatedate.cn/.

The first isn't resolving for me at the moment. The second is, but returns a blank page when loaded directly; again, it's probably checking the browser for exploits and attempting to download malware in the background.
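As an added example (not from the post or from any of the sites it names), here is a Python sketch of how a site owner could sweep their own files for the three hallmarks described above: a directory named backup/ stuffed with many HTML files, an inline script that decodes itself before running (the shape the obfuscated redirects take), and an invisible iframe pulling content from another host. The regexes, thresholds, sample page and path listing are this example's own constructions and assumptions.

```python
import posixpath
import re
from urllib.parse import urlparse

# Hypothetical hallmark patterns (this example's own, not from the post):
# hidden iframe attributes, and scripts that decode a long escaped string.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"""(?:width|height)\s*[=:]\s*["']?0|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODER_RE = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(")
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){20,}|(?:\\x[0-9a-fA-F]{2}){20,}")

# Constructed sample page: one self-decoding script, one zero-size off-site iframe, one normal banner iframe.
SAMPLE_PAGE = """<html><body>
<script>document.write(unescape('%3C%73%63%72%69%70%74%3E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%27%68%74%74%70%3A%2F%2F'))</script>
<iframe src="http://iframe-host.example/x.html" width="0" height="0" style="border:0"></iframe>
<iframe src="http://www.victim.example/banner.html" width="468" height="60"></iframe>
</body></html>"""

# Constructed file listing, as a crawl or `find` of a web root might produce it.
SAMPLE_PATHS = ["site/index.html", "site/images/logo.png", "site/backup/notes.txt"] + [
    f"site/_notes/backup/keyword-page-{i}.html" for i in range(6)]

def hidden_external_iframes(html, page_host):
    """Return src URLs of iframes that are both hidden and served from another host."""
    hits = []
    for attrs in IFRAME_RE.findall(html):
        src = SRC_RE.search(attrs)
        if not src or not HIDDEN_RE.search(attrs):
            continue
        host = urlparse(src.group(1)).hostname
        if host and host.lower() != page_host.lower():
            hits.append(src.group(1))
    return hits

def obfuscated_scripts(html):
    """Count inline scripts that feed a long escaped string to a decoder before running it."""
    return sum(1 for body in SCRIPT_RE.findall(html)
               if DECODER_RE.search(body) and ESCAPED_RUN_RE.search(body))

def suspicious_backup_dirs(paths, min_files=5):
    """Map each directory named 'backup' holding at least min_files HTML files to its file count."""
    counts = {}
    for p in paths:
        d, name = posixpath.split(p)
        if posixpath.basename(d).lower() == "backup" and name.lower().endswith((".html", ".htm")):
            counts[d] = counts.get(d, 0) + 1
    return {d: n for d, n in counts.items() if n >= min_files}
```

A real sweep would feed every HTML file under the web root through the first two checks and the full path listing through the third; any hit is a reason to inspect the file by hand rather than a verdict on its own.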
Tags: computer security, computer viruses