I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.

I hadn't actually intended to do any computer security stuff today; my plans for the evening involved playing WoW. the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.

A Google search for "viking porn" turns up a few hits with a Google "this site may harm your computer" tag. The first two I looked at--because I can't stay away from the "this site may harm your computer" tag--had several interesting things in common: both were hosted on iPower Web, the notoriously insecure Web host I've written about on several occasions in the past; both had malicious redirection files in a directory named /backup/; both used a complex series of traffic redirectors before ending up at the malware site proper; and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.

In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.

I widened the Google search using both common keywords (like "porn") and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.

What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of keyword-stuffed files, each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.

The compromised Web sites I found--and I do believe that these redirectors are the result of automated Web site compromises--are located on a wide variety of Web hosts in and out of the US, not just on iPower (though as per usual, iPower is hosting a bunch of them--those guys couldn't secure a paper bag with duct tape and titanium plating).

There appears to be no common trend to the compromised sites. Some of them are running content management software; some of them aren't. Some of them are hosting blog software; some of them aren't. Some of them are hosting forum software; some of them are not. Whatever technique is being used to hack these sites, it isn't confined to one package, one script, one vulnerability, or one Web host.

A sampling of sites that have been compromised includes:
*** WARNING *** WARNING *** WARNING ***
ALL of the URLs in the following list are active as of the time of this writing. All of these URLs redirect to sites that WILL attempt to download a computer virus onto your computer. DO NOT visit these URLs if you don't know what you're doing.

In each case there are multiple redirectors per compromised host: the /backup/ directory on each site contains many files, each tuned to a different set or type of Google keyword search, and each redirecting to malicious servers.

All of these sites redirect in the same way (using obfuscated JavaScript) to the same URL:

http://wholostkate.com/go.php?sid=3&tds-k=[url of redirector]&sref=

The Web site at wholostkate.com in turn redirects to one of several target destination sites, which vary depending on the user agent of the user's Web browser. Most often, it redirects to

http://www.datingactionnow.com/getlaidtonight/

which in turn redirects to

http://www.xxxblackbook.com/?s=register&rand=1&ard=7152&r=lc147655&p_id=18664866

Occasionally, however, wholostkate.com redirects to one of:

http://allvirusscannow.com (a phony antivirus site that tries to download malware disguised as fake antivirus software)

http://94.75.228.0/ (not currently loading for me)

http://yourbestway.cn/in.cgi?4 (which in turn redirects to one of several sites, including http://netsecurityaudit.com/index.php?affid=20700 -- another phony antivirus site that tries to download malware disguised as fake antivirus software)

http://tska.exofire.net/go.php?sid=2&tds-k=best%20masturbation (not currently loading for me; clearly another redirector)

http://www.myspnace.com/754/j24613.html (a URL that looks at the user agent of the browser: if it's a Windows browser, it redirects to http://www.2trades.com/ and downloads the Windows W32/Zlob malware; if it's a Mac browser, it redirects to http://www.mac-videos.com/ and downloads the Macintosh DNSchanger malware)

The key to this whole network is wholostkate.com. Here's what Whois has to say:

whois wholostkate.com

Whois Server Version 2.0

Domain Name: WHOLOSTKATE.COM
Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY
Whois Server: whois.centrohost.ru
Referral URL: http://centrohost.ru
Name Server: NS1.HC.RU
Name Server: NS2.HC.RU
Status: clientRenewProhibited
Updated Date: 12-may-2009
Creation Date: 09-mar-2009
Expiration Date: 09-mar-2010

domain: WHOLOSTKATE.COM
nserver: NS1.HC.RU
nserver: NS2.HC.RU
nic-hdl: HOSTINGCNT-ORG-CTH

Registrant contact :
Ltd. Hosting-Center
Litovskii bulvar, d.22
Phone: +7 495 5445566
Fax: +7 495 5140957
E-mail: domain@hc.ru

Billing contact :
Molchanov Sergei Aleksandrovich
119334, RF, Moskva, 5-i Donskoi proezd, d. 15, str. 4
Phone: +7 495 5445566

Technical contact :
CENTROHOST CJSC
Alexander Panov
15/4 5th Donskoi Proezd
Moscow 119334
RU
Phone: +7.4955439101

The site at datingactionnow.com is using privacy protection on the whois.

whois datingactionnow.com

Whois Server Version 2.0

Domain Name: DATINGACTIONNOW.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS100.DATINGACTIONNOW.COM
Name Server: NS101.DATINGACTIONNOW.COM
Status: clientTransferProhibited
Updated Date: 15-may-2009
Creation Date: 02-jan-2007
Expiration Date: 02-jan-2010

Domain name: datingactionnow.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O datingactionnow.com
Bellevue, WA 98007
US

Name Servers:
ns100.datingactionnow.com
ns101.datingactionnow.com

Creation date: 02 Jan 2007 22:23:41
Expiration date: 02 Jan 2010 22:23:41


xxxblackbook.com, the site that users are redirected to from datingactionnow.com, is a run-of-the-mill pay-for-play adult dating site that is probably not directly involved in hacking; at best, they most likely simply turn a blind eye to people who use these techniques to get traffic to them. When someone is directed to xxxblackbook.com by these unethical means and then signs up, the hackers get a kickback, which strongly, strongly implies that xxxblackbook.com has a way to reach the hackers responsible for these attacks (else the hackers couldn't get paid).

On my Mac, datingactionnow.com/getlaidtonight/ doesn't attempt to download any malware--it simply presents a bunch of pictures that link to xxxblackbook.com. However, it refuses to return anything at all--not even an empty HTML file--to wget, which makes me suspect it may be checking the browser server-side for vulnerabilities before it does anything. Therefore, I'm not ready to say that datingactionnow.com doesn't download any malware; only that it doesn't download any malware to my Mac.

The Zlob gang is becoming more sophisticated in their detection of Macs, and that worries me. In the past they used simple redirection scripts to download Mac malware rather than Windows malware when they saw a Mac user agent; now some of their redirectors send Mac and Windows user agents to entirely different servers.

Edited to add: Many, but not all, of the hacked sites also have invisible iframes placed on them which load content from http://microsotf.cn/ or http://updatedate.cn/.

The first isn't resolving for me at the moment. The second is, but returns a blank page when loaded directly; again, it's probably checking the browser for exploits and attempting to download malware in the background.
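As an added defender-side example (not code from the original post), the following Python script checks a site's own web root for the three indicators the post describes: keyword-stuffed pages under a /backup/ directory, JavaScript that redirects to a go.php?...tds-k= traffic-distribution URL on wholostkate.com or tska.exofire.net, and zero-size iframes pulling content from microsotf.cn or updatedate.cn. Only the hostnames come from the post; the regexes, the percent-decoding step, the file layout and the constructed sample pages in demo() are my assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

TDS_HOSTS = {"wholostkate.com", "tska.exofire.net"}  # named in the post; rest is assumed
IFRAME_HOSTS = {"microsotf.cn", "updatedate.cn"}     # hidden-iframe sources from the post

TDS_RE = re.compile(r"""https?://([a-z0-9.-]+)/go\.php\?[^\s"']*tds-k=""", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([a-z0-9.-]+)""", re.I)
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none""", re.I)


def scan_html(text, relpath):
    """Return sorted (indicator, detail) findings for one page at relpath."""
    findings = set()
    if "/backup/" in "/" + relpath:                       # keyword-stuffed /backup/ pages
        findings.add(("backup-dir", relpath))
    for body in (text, unquote(text)):                    # undo unescape("%3A%2F...") style JS
        for m in TDS_RE.finditer(body):
            if m.group(1).lower() in TDS_HOSTS:
                findings.add(("tds-redirect", m.group(1).lower()))
    for tag in IFRAME_RE.findall(text):                   # zero-size iframes to the .cn hosts
        src = SRC_RE.search(tag)
        if src and src.group(1).lower() in IFRAME_HOSTS and HIDDEN_RE.search(tag):
            findings.add(("hidden-iframe", src.group(1).lower()))
    return sorted(findings)


def scan_webroot(root):
    """Scan .html/.htm/.php files under root; return {relpath: findings} for hits."""
    root, report = Path(root), {}
    for p in root.rglob("*"):
        if p.suffix.lower() in (".html", ".htm", ".php"):
            rel = p.relative_to(root).as_posix()
            hits = scan_html(p.read_text(errors="replace"), rel)
            if hits:
                report[rel] = hits
    return report


def demo():
    """Constructed web root: one seeded /backup/ redirector, one hidden iframe."""
    root = Path(tempfile.mkdtemp())
    (root / "backup").mkdir()
    (root / "backup" / "viking-sewing-machine.html").write_text(
        '<html><body>viking sewing machine</body><script>document.location=unescape('
        '"http%3A//wholostkate.com/go.php%3Fsid%3D3%26tds-k%3Dviking%26sref%3D")</script></html>')
    (root / "index.html").write_text(
        '<html><body><iframe src="http://updatedate.cn/" width="0" height="0">'
        "</iframe></body></html>")
    return scan_webroot(root)
```

Heavier JavaScript obfuscation than percent-escaping needs a real script evaluator; this check only catches the simple escaping the post's redirectors used.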

Comments

onyxrising
Jul. 11th, 2009 06:51 am (UTC)
Now I'm curious, though- did you find any actual (and not terrible) Viking porn?
amber_n_teal
Jul. 11th, 2009 12:31 pm (UTC)
yeah, I wondered about that too... mmmm viking porn!
tacit
Jul. 11th, 2009 07:50 pm (UTC)
It seems, at least from my Google searching, that Viking porn is a niche which is sadly unfilled.
zotmeister
Jul. 30th, 2009 07:03 pm (UTC)
RULE THIRTY-FOUR! RULE THIRTY-FOUR! Someone visit 4chan and demand an invocation of Rule 35. - ZM
tacit
Jul. 11th, 2009 07:49 pm (UTC)
Nope! No real Viking porn at all.
onyxrising
Jul. 11th, 2009 09:29 pm (UTC)
Surprisingly, we didn't find any either when the bet happened about porn having been made of every deity in every major pantheon at some point... Well, there was porn of certain members of that pantheon, but not what you'd call Viking porn.
aexo
Jul. 11th, 2009 11:43 am (UTC)
Imageshack seems to have been hacked by the anti-sec movement last night too.
tacit
Jul. 11th, 2009 07:51 pm (UTC)
Yeah, I saw that! Pretty embarrassing for ImageShack, though to be fair their security has always kinda sucked. Me, I don't use image-hosting services; I keep my images on my own server. :)
(Deleted comment)
tacit
Jul. 11th, 2009 07:53 pm (UTC)
On the Mac, you're pretty well protected by the operating system itself. As with Safari, it runs in user space and you can't become infected with malware downloaded by the browser unless you type in an administrator password.

The Mac DNSchanger malware relies on social engineering rather than browser exploits. If you stumble across a hacked Web site that redirects you to a DNSchanger download site, it'll download a .dmg file and then run an installer which requires your Administrator password. The site will try to convince you that the download package is a movie player CODEC, to trick naive users into entering their passwords, but if you don't enter it you ain't infected.
amber_n_teal
Jul. 11th, 2009 12:32 pm (UTC)
You know, every time you post one of these I find it very geek sexy/cute.
I'm sure that there are others who feel the same way *heh*
tacit
Jul. 11th, 2009 07:54 pm (UTC)
Aww... :)
fallingupthesky
Jul. 12th, 2009 04:46 am (UTC)
You know, one time when I was fantasizing about a sci-fi scenario (not any particular TV series or movie) I came up with a way that, in theory, would prevent a computer from being infected by any virus ever. Okay, slight exaggeration, someone could still upload one to a computer *in person* provided the terminal was unsecured or they had a password or something, or someone managed to infect the update files for the operating system on the server of the company that provides them (which would again need to be done in person), or someone did something completely retarded which would not be easy for a casual user to figure out and would have no reason to do. But nothing that's likely to ever happen to an ordinary computer. Otherwise, the worst any malicious program could do is crash and/or corrupt *itself* or fill the hard drive with useless files without having any effect on anything else.

However, this would require specially designed hardware and an operating system which takes full advantage of that hardware - I seriously doubt any modern system could do what I had in mind, but it should be well within modern capabilities to create such a thing. Or maybe I'm just talking out of my ass; while I do have some programming experience and a bit of an idea how computer hardware works, I'm hardly an expert.
tacit
Jul. 12th, 2009 07:55 pm (UTC)
Now I'm curious; what's that way?
fallingupthesky
Jul. 13th, 2009 06:16 am (UTC)
Okay. Rather than give the full detail (especially since I haven't entirely worked it out) I'll explain the thought process that led up to it and maybe you can see where I'm going with this.

My original idea would have basically been the ultimate in security measures, but probably impractical for the foreseeable future. Every computer would have custom-fabricated hardware that uses a different set of machine-level codes, and the operating system (windows, linux, whatever) would need to be translated to a particular machine's set of codes. Beyond that, programs would not be software but rather script or data files which could be run or emulated by certain system programs (such as something like flash player) and limited in strict ways which prevent them from doing much of anything outside themselves. (See the next idea below to get some idea of what I mean by this.) Any malicious software would have to be deliberately run as a system program, which few people would have any reason to try, and even then it would just be garbage if someone weren't specifically targeting the machine it happened to be on.

A somewhat more likely idea I had later was to have any non-system program partitioned off from everything else. Each gets their own block of system resources (memory, processor load, etc.) and is not allowed to directly interact with any other program, any memory location not allocated to it, or any data file it did not create by itself, ever. The operating system works on an entirely different access layer (and may even use a different set of machine coding, though that's probably not necessary) and primarily serves as a conduit for hardware access.

Though I just figured out a few ways that it's not entirely foolproof. Assuming near-unlimited hardware access, someone could write a program which says "hey! gimme yer social security number!" and sends it over the internet to identity thieves if someone is stupid enough to type it in the input box. Or a program which accesses your printer in order to waste all of your paper and ink. Or a program which detects whether or not you have hooked up a death laser to your computer and then uses it to blow up your house. But whichever way, you still need to deliberately run the program first. It also won't stop phishing scams or the like, but that's not technically a form of virus.
foxmagic
Jul. 15th, 2009 02:46 am (UTC)
Incidentally, just FYI: my most recent journal entry mentions you. :)