Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: a malvertizement redirect that does not use malicious advertising…

October 14th 2008 in Uncategorized

The details are below – you will see that a lot of information is redacted. That is because the bad guys *DO* read this blog, and I don’t like to make things too easy for them.

The site owner asked for help and has been sent advice on what to look for and what to do.

This blog entry has been reported to Directi for their immediate attention.

The hijack occurs when the browser tries to retrieve “favicon.ico”. The victim site’s server responds with “document has moved” (an HTTP 302) and redirects the browser to:

87.248.180.90/in.html?s=sg_err

From there we get bumped to:

quicktds.name/soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>>

And from there, to:

pcvirusbuster.com/2009/1/freescan.php?id=<<redacted>>

 

Now, what is interesting is that the GET path to favicon.ico is incorrect. The GET path used, as you can see, is:

<<redacted>>/favicon.ico

When in fact the correct path is <<redacted>>/<<redacted>>/templates/<<redacted>>/favicon.ico

ANY URL that is incorrect for the affected domain will result in a browser redirect, eg:

<<redacted>>/something redirects to the 87.248.180.90 URL
<<redacted>>/nonsense redirects to the 87.248.180.90 URL
<<redacted>>/123 redirects to the 87.248.180.90 URL
<<redacted>>/supersallysingsasong redirects to the 87.248.180.90 URL

Now, the next question is *why* this is happening. There are lots of references in Google to the IP address URL which indicate that the behavior depends on the referrer detected (eg: the proper domain will load if accessed directly, but a visitor will be hijacked if they reach the site via Google). The redirect is achieved by hacking the site’s .htaccess file and inserting the following code:

[image: the code inserted into the hacked .htaccess file]

Source: http://www.phpbb.com/community/viewtopic.php?f=1&t=1123235
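The post describes the mechanism (a referrer-conditioned rewrite inserted into .htaccess) but the inserted code itself is only shown as an image. As an added example, not code from the original post, here is a small audit script a site owner could run over their own .htaccess to spot that pattern: a RewriteRule whose substitution is an absolute URL, whether it is gated on %{HTTP_REFERER} by the RewriteCond lines above it, whether the target host is a bare IP, and an ErrorDocument that points off-site (Apache answers such an ErrorDocument with a redirect, which is one way a mistyped favicon path turns into a hop to another server). The sample .htaccess is constructed for the demonstration and uses the placeholder address 192.0.2.10, not the addresses from this incident.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed .htaccess in the style the post describes: a referrer-conditioned
# rewrite to an outside address. Placeholder IP (192.0.2.10), not the real one.
SAMPLE_HTACCESS = """\
# constructed sample, not the file from the compromised site
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://192.0.2.10/in.html?s=sg_err [R,L]
ErrorDocument 404 http://192.0.2.10/in.html?s=sg_err
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""


def is_external(target):
    """True when a substitution or ErrorDocument target is an absolute http(s) URL."""
    return target.lower().startswith(("http://", "https://"))


def has_ip_host(target):
    """True when the host part of an absolute URL is a bare IP address."""
    host = urlsplit(target).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def audit_htaccess(text):
    """Return (line_number, directive_text, reason) for each suspicious directive.

    RewriteCond lines accumulate until the next RewriteRule, which is how Apache
    scopes them; they are then checked for %{HTTP_REFERER}.
    """
    findings = []
    pending_conds = []  # (line number, test variable) for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending_conds.append((lineno, parts[1]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            if is_external(target):
                reasons = ["external redirect target"]
                referer = [str(n) for n, var in pending_conds if "HTTP_REFERER" in var.upper()]
                if referer:
                    reasons.append("conditioned on HTTP_REFERER (RewriteCond line "
                                   + ", ".join(referer) + ")")
                if has_ip_host(target):
                    reasons.append("target host is a raw IP address")
                findings.append((lineno, line, "; ".join(reasons)))
            pending_conds = []  # conditions only apply to the rule that follows them
        elif directive == "errordocument" and len(parts) >= 3 and is_external(parts[2]):
            findings.append((lineno, line, "ErrorDocument redirects to an external URL"))
    return findings


if __name__ == "__main__":
    for lineno, directive, reason in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {reason}\n    {directive}")
```

Run against the constructed sample it reports the referrer-gated rewrite on line 4 and the off-site ErrorDocument on line 5; the internal rewrite to index.php on line 7 is not flagged. The script reads only the directives in the file, so a rewrite that lives in the main server config or in a PHP front controller would not be visible to it.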

 

87.248.180.90 – Moldova, Republic Of Chisinau Sc Starnet Srl (leased for users) – 87-248-180-90.starnet.md
Reverse IP: vsemutorba.com
Domains in IP range 87.248.180.% – alternosfera.com, artsfera.com, bestrezult.com, blyapizdets.info

vsemutorba.com
ICANN Registrar – Directi Internet Solutions
Created 2 April 2008
NS: NS-ALT.STARNET.MD (20 domains)
NS: NS.STARNET.MD
Registrant: “Cinema, William Boyd, Bronz, New York” – email used with 2 other domains.

quicktds.name – 216.240.134.211 – California – Irvine – Go2online Corp
ICANN Registrar – Directi Internet Solutions
Created 16 September 2008
NS: NS1.STARTED.RU
NS: NS2.STARTED.RU
Registrant: Hidden behind privacyprotect.org

216.240.134.211 – Resolve Host trap17.com
Domains in IP range – 239 domains.

pcvirusbuster.com – 64.86.17.44 – Ontario – Brampton – Velcom
ICANN Registrar – Directi Internet Solutions
Created: 7 October 2008
NS: SKY.EARTH.ORDERBOX-DNS.COM
NS: SKY.MARS.ORDERBOX-DNS.COM
NS: SKY.MERCURY.ORDERBOX-DNS.COM
NS: SKY.VENUS.ORDERBOX-DNS.COM
Registrant: Hidden behind privacyprotect.org

64.86.17.44 – domains in IP range – 144 domains.

started.ru – 64.21.13.232 – New Jersey – Oakland – Net Access Corporation
Created 1 April 2007

trap17.com – 208.87.242.120 – California – Walnut – Psychz Networks
ICANN Registrar – Directi Internet Solutions
Created 9 May 2004
NS: OM1.COMPUTINGHOST.COM
NS: OM2.COMPUTINGHOST.COM
NS: OM3.COMPUTINGHOST.COM
NS: OM4.COMPUTINGHOST.COM
Registrant: Hidden behind privacyprotect.org

orderbox-dns.com – domain not resolving – registered, no web site
ICANN Registrar – Directi Internet Solutions
Created 2 July 2004

computinghost.com – 67.19.253.53 – Texas – Dallas – Theplanet.com Internet Services Inc
ICANN Registrar – Directi Internet Solutions
Registrant: Xisto Corporation (owns about 43 other domains)

 

GET /favicon.ico HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: <<redacted>>
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 404
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // 87.248.180.90/in.html?s=sg_err
Content-Type: text/html; charset=iso-8859-1
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Keep-Alive: timeout=15, max=98

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http : // 87.248.180.90/in.html?s=sg_err">here</a>.</p>
<hr>
<address>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at **host removed** Port 80</address>
</body></html>

——————————————————————
GET /in.html?s=sg_err HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: 87.248.180.90
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // quicktds.name/soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>>
Content-Type: text/html
Server: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Set-Cookie: visited=1

0

——————————————————————
GET /soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: quicktds.name
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // pcvirusbuster.com/2009/1/freescan.php?id=<<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Set-Cookie: soft=1; expires=<<redacted>>
Keep-Alive: timeout=5, max=500

0

——————————————————————
GET /2009/1/freescan.php?id=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: pcvirusbuster.com
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Tue, ** Oct 2008 <<redacted>>
Location: en/freescan.php?id=<<redacted>>&user=<<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Keep-Alive: timeout=5, max=500

——————————————————————
GET /2009/1/en/freescan.php?id=<<redacted>>&user=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: pcvirusbuster.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1362
Date: Tue, ** Oct 2008 <<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Set-Cookie: av_inst=<<redacted>>; expires=<<redacted>> GMT; path=/
Keep-Alive: timeout=5, max=500
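The capture above is the raw evidence for the chain: each request is answered with a 302 whose Location header sends the browser on to the next host, and the last-but-one hop uses a relative Location that the browser resolves against the path it just requested. As an added example, not code from the original post, the script below parses a capture in that layout, pairs each request with its response, resolves relative Location values the way a browser does, and flags hops that leave the original host or land on a bare IP address. The capture it works on is constructed in the same shape with placeholder hosts (victim.example, tds.example, scareware.example, 192.0.2.10), not the real addresses from this incident.

```python
import re
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

# Constructed capture in proxy-log layout: request, blank line, response, repeat.
# Hosts are documentation placeholders, not the addresses from the incident.
SAMPLE_CAPTURE = """\
GET /favicon.ico HTTP/1.1
Host: victim.example

HTTP/1.1 302 Found
Location: http://192.0.2.10/in.html?s=sg_err
Content-Type: text/html; charset=iso-8859-1

GET /in.html?s=sg_err HTTP/1.1
Host: 192.0.2.10

HTTP/1.1 302 Found
Location: http://tds.example/soft.php?aid=1&product=XPA

GET /soft.php?aid=1&product=XPA HTTP/1.1
Host: tds.example

HTTP/1.1 302 Found
Location: http://scareware.example/2009/1/freescan.php?id=1

GET /2009/1/freescan.php?id=1 HTTP/1.1
Host: scareware.example

HTTP/1.1 302 Found
Location: en/freescan.php?id=1&user=2

GET /2009/1/en/freescan.php?id=1&user=2 HTTP/1.1
Host: scareware.example

HTTP/1.1 200 OK
Content-Length: 1362
"""

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")


def parse_messages(capture):
    """Split a capture into (start_line, headers) pairs.

    Messages are separated by blank lines; blocks that start with neither a
    request line nor a status line (for example an HTML body) are skipped.
    """
    messages = []
    for block in re.split(r"\n[ \t]*\n", capture.strip()):
        lines = block.strip().splitlines()
        if not lines or not (REQUEST_LINE.match(lines[0]) or STATUS_LINE.match(lines[0])):
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def redirect_chain(capture):
    """Pair each request with its response; return one record per 3xx hop.

    Relative Location values are resolved against the requested URL, as a
    browser would, so 'en/freescan.php' under /2009/1/ becomes /2009/1/en/...
    """
    hops = []
    requested = None
    for start, headers in parse_messages(capture):
        req = REQUEST_LINE.match(start)
        if req:
            requested = f"http://{headers.get('host', '')}{req.group(2)}"
            continue
        status = int(STATUS_LINE.match(start).group(1))
        if requested and 300 <= status < 400 and "location" in headers:
            target = urljoin(requested, headers["location"])
            from_host = urlsplit(requested).hostname or ""
            to_host = urlsplit(target).hostname or ""
            hops.append({
                "from": requested,
                "status": status,
                "to": target,
                "cross_host": from_host != to_host,
                "to_ip_literal": is_ip_literal(to_host),
            })
        requested = None
    return hops


def suspicious_hops(hops):
    """Hops worth a second look: leaving the current host, or landing on a bare IP."""
    return [h for h in hops if h["cross_host"] or h["to_ip_literal"]]


if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE_CAPTURE):
        flags = ["cross-host"] * hop["cross_host"] + ["raw IP"] * hop["to_ip_literal"]
        print(f"{hop['status']} {hop['from']} -> {hop['to']} {' '.join(flags)}")
```

On the constructed capture this yields four hops: the first three each move to a new host (the first to a bare IP), while the fourth stays on the same host because the relative Location was resolved against /2009/1/. A capture taken on a real proxy would need the defanged "http : //" spacing removed first; the parser expects proper URLs.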


One comment to...
“ALERT: a malvertizement redirect that does not use malicious advertising…”

Started Support

The client who registered this domain name has been blocked. Domains registered by this client have been blocked too. Thanks for your feedback!

