k985ytv mass compromise ongoing, spreads fake antivirus

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing, and this is our report.

[Table of Contents]

[1. Summary]
[2. The visitor infection process]
[3. The fake antivirus being spread]
[4. Sample FTP logs of infected websites]
[5. Sample list of infected websites and screenshots of some of them]

[1. Summary]

1. Initial detection date: August 14.
2. Number of infected websites: we estimate at least 22,400 unique DOMAINS. The attackers' first injection attempt did not work (the injected code lacked a <script> tag and was rendered as visible page text), so Google indexed more than 536,000 infected pages. Since then the attackers have fixed the injected pattern, so the injected script is executed rather than displayed, and Google no longer indexes the infected websites.
3. Injected scripts:
Initially (no <script> tag and therefore indexed by Google):
Full text of above is here on pastebin.

Later, it quickly became one of the following (with <script> tag and therefore works)
Full text of above is here on pastebin.
Full text of above is here on pastebin.

4. Browser exploitation: a drive-by download script served by a modified version of the BlackHole exploit pack.

5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

6. Injection method: primarily stolen FTP credentials. An automated program logs in over FTP, retrieves the site's files, injects the iframe, and uploads the modified files back. The credentials are stolen from personal Windows computers infected with malware that searches the stored password files of FTP clients and also sniffs FTP traffic; the stolen credentials are sent back to the attackers.

7. Malicious domains and IPs:
Redirectors:
1. hysofufewobe.com (ex: http://hysofufewobe.com/k985ytv.htm)
2. zirycatum.com (ex: http://zirycatum.com/k985ytv.htm)
3. numudozaf.com (ex: http://numudozaf.com/k985ytv.htm)

The above all resolve to the same IP in Moldova (south of Ukraine), 178.17.163.92, registered under the name "Alexandr S Grebennikov" on July 25.

Exploit servers:
1. jbvnhw.com (ex: http://jbvnhw.com/i87yta.htm)
2. mlvurp.com (ex: http://mlvurp.com/i87yta.htm)
3. rprlpb.com (ex: http://rprlpb.com/i87yta.htm)
4. efnxkg.com (ex: http://efnxkg.com/i87yta.htm)

All resolve to the US IP 69.50.202.74 (AS18866), belonging to Atjeu Website Hosting. All exploit domains were registered under the name "Alardo Macias" on August 14.

8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal:
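As a defender-side illustration of the indicators above, here is an added example (not code from the original report) that scans saved HTML for iframe or script sources pointing at the listed redirector and exploit-server hosts, IPs and landing paths, and also flags the first-wave variant in which the injected code appears as plain page text. The indicator values are the report's; the two sample pages are constructed.

```python
"""Scan saved HTML for the k985ytv injection using the indicators in this
report: redirector hosts, exploit-server hosts, their IPs and landing paths.

Added example for this write-up, not code from the original post. The
indicator values are taken from section 1, item 7; the sample pages below
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"hysofufewobe.com", "zirycatum.com", "numudozaf.com"}
EXPLOIT_HOSTS = {"jbvnhw.com", "mlvurp.com", "rprlpb.com", "efnxkg.com"}
MALICIOUS_IPS = {"178.17.163.92", "69.50.202.74"}
LANDING_PATHS = {"/k985ytv.htm", "/i87yta.htm"}


def classify_url(url):
    """Return why a URL matches the k985ytv indicators, or None."""
    if url.startswith("//"):            # protocol-relative URL
        url = "http:" + url
    elif "://" not in url:              # relative path on the same site
        url = "http:///" + url.lstrip("/")
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in REDIRECTOR_HOSTS:
        return "k985ytv redirector host"
    if host in EXPLOIT_HOSTS:
        return "BlackHole exploit-server host"
    if host in MALICIOUS_IPS:
        return "known malicious IP"
    if parsed.path.lower() in LANDING_PATHS:
        return "k985ytv/i87yta landing path on an unlisted host"
    return None


class InjectionFinder(HTMLParser):
    """Collect (where, value, reason) for every indicator hit in a page."""

    WATCHED_TAGS = ("iframe", "frame", "script", "embed")

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED_TAGS:
            return
        src = dict(attrs).get("src")
        reason = classify_url(src) if src else None
        if reason:
            self.hits.append((tag, src, reason))

    def handle_data(self, data):
        # The first wave had no <script> tag, so the injected code was
        # rendered as page text (which is why Google indexed it). Catch
        # indicator hosts that appear as literal text as well.
        lowered = data.lower()
        for host in sorted(REDIRECTOR_HOSTS | EXPLOIT_HOSTS):
            if host in lowered:
                self.hits.append(("text", data.strip(), "indicator host in page text"))
                break


def scan_html(html_text):
    finder = InjectionFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed page carrying the second-wave injection (an executing iframe).
SAMPLE_SECOND_WAVE = """<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://hysofufewobe.com/k985ytv.htm" width="1" height="1"></iframe>
</body></html>"""

# Constructed page with the first-wave mistake: the injection shows up as text.
SAMPLE_FIRST_WAVE = "<html><body>iframe src=http://zirycatum.com/k985ytv.htm</body></html>"

if __name__ == "__main__":
    for name, page in (("second wave", SAMPLE_SECOND_WAVE), ("first wave", SAMPLE_FIRST_WAVE)):
        for where, value, reason in scan_html(page):
            print(f"{name}: {where} -> {value} ({reason})")
```

Run it against files pulled from a suspect site's web root; because the check keys on hosts, IPs and the two landing paths rather than on the exact obfuscated script, it also catches pages where the injected snippet was mangled or only partially inserted.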

[2. The visitor infection process]

To show how visitors are infected and how we can analyze the infection, we've made the following video:


[3. The fake antivirus being spread]

The Fake AV displays different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7. Below are some screenshots:

[4. Sample FTP logs of infected websites]

204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
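The pattern in that log, a RETR of index.htm followed within the same second by a STOR of the same file that is 445 bytes larger, is exactly what the automated retrieve-inject-upload tool described in the summary leaves behind. Below is an added example (not tooling from the original report) that parses logs in this format and flags retrieve-then-upload pairs on the same file by the same client and user within a short window. The first session is the report's sample; the second, from 192.0.2.10, is constructed as a benign control.

```python
"""Flag FTP sessions that download a file and immediately upload it back,
the retrieve-inject-upload pattern this report attributes to the injector.

Added example for this write-up, not tooling from the original post. The
log format follows the sample in section 4 (client IP, ident, user,
timestamp, quoted command, status, bytes). The first session below is the
report's own sample; the second is constructed as a benign control.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

SAMPLE_LOG = """\
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
192.0.2.10 UNKNOWN webmaster [15/Aug/2011:09:02:11 -0500] "RETR about.htm" 226 4021
192.0.2.10 UNKNOWN webmaster [15/Aug/2011:09:41:40 -0500] "STOR about.htm" 226 4100
192.0.2.10 UNKNOWN webmaster [15/Aug/2011:09:42:02 -0500] "STOR new-post.htm" 226 2210
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else None
    return rec


def find_retrieve_modify_upload(log_text, window_seconds=120):
    """Return one finding per completed STOR that follows a completed RETR of
    the same file by the same client/user within `window_seconds`.

    The size delta is included so an analyst can see how much was appended;
    the report's own sample grows by 445 bytes. A human editing a page over
    tens of minutes, or uploading a brand-new file, is not flagged.
    """
    last_retr = {}  # (ip, user, filename) -> parsed RETR record
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in ("RETR", "STOR") or rec["status"] != "226":
            continue
        key = (rec["ip"], rec["user"], rec["arg"])
        if rec["cmd"] == "RETR":
            last_retr[key] = rec
            continue
        prev = last_retr.get(key)
        if prev is None:
            continue
        elapsed = (rec["ts"] - prev["ts"]).total_seconds()
        if 0 <= elapsed <= window_seconds:
            findings.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "file": rec["arg"],
                "seconds_between": elapsed,
                "size_delta": (rec["bytes"] or 0) - (prev["bytes"] or 0),
            })
    return findings


if __name__ == "__main__":
    for f in find_retrieve_modify_upload(SAMPLE_LOG):
        print(f"{f['ip']} as {f['user']} rewrote {f['file']} after {f['seconds_between']:.0f}s "
              f"(+{f['size_delta']} bytes)")
```

Hits are worth correlating with the client IP's history: an account that has only ever connected from one country and suddenly rewrites every index file from a new address in one pass is the stolen-credential case the report describes, and the affected files can be diffed against backups to recover the injected snippet.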

[5. Sample list of infected websites and screenshots of some of them]


uwpagina.nl
mydesert.com
paramountcommunication.com
freebloggiveaways.com
sikhsangeet.com
thenewcivilrightsmovement.com
shakeshack.com
greenandcleanmom.org
noor7.us
restorationsos.com
gopusanj.com
amateurmodelsite.com
animationblogspot.com
accessoryworld.net.au
advancedwaterfilters.com
autoventa.com.bo
usgoldbuyers.com
kharidani.biz
nwp4life.com
chicagofree.info
howwazyourweekend.com
marinerslearningsystem.com
articleolive.com
pitchanything.net
toysonics.com
diaperdecisions.com
realtimedesigner.com
group-games.com
coffeebreakwithlizandkate.com
tvtopten.com
la-zen.com
mountainmaids.com
healthlady.com
articleality.com
shophenna.com
lifescircle.info
xmworks.com
articleoncall.com
trainace.com
grupo20.com
tinkfanatic.com
metrokingpc.ca
rapidgiveawayprofits.com
icebreakers.ws
9y3h.com
miamitvchannel.com
beemaster.com
buydropstop.com
freeautoblogger.com
bid4agents.com
interstateplastics.com
b3bootcamp.net
bestbuyuniforms.com
antigravityinc.com
azholisticchamber.com
root-h.org
affiliateplrmarketing.com
justinmichie.com
cyberbullyingreport.com
creativeblogsolutions.com
advancedfanpagesolutions.com
sungrubbies.com
homewiththeboys.net
marsvenus.com
nhwellnesscenters.com
universityfashions.com
bandjob.com
atmananda.com
flyl4l.com
filmyforum.com
iftn.ie
rjharris2012.com
heppellmedia.com
unionsquarecafe.com
vatanfilm.co.cc
statebrief.com
daylabor.org
affnet.com
passingthru.com 906065,775885.net
khojit.com.au
listacquisition.com
vestalwatch.com
printedblindsfactory.com
oauq.org
theoriginalrudebitch.com
quickcash4.us
intraligilaw.ca
ohswekenspeedway.com
autosenbolivia.net
cityclassifiedsads.com
keepingmeposted.com
henckengaines.com
sportsmatchmaker.com
premiereworks.com
ahyasalam.com
sandiegoduilawyer.com
wecravegamestoo.com
vodkasobieski.com
itrmagictricks.com
f1racefactory.com
epoquehotels.us
freakshowvideo.com
write-solution.com
hydrocephaluskids.org
intersectioncapital.com

killzonezero.com
www.en.chosenfewurbano.com
www.generalmoly.com
www.pinnint.com
www.hiphop.org
www.fiftysevendegrees.com
spbaseball.org
www.ohiogisociety.org
www.senjomartialarts.com
www.assignmentproof.com
tulakesbaptist.com
www.balboaparkdancers.org
sho-ryders.com
www.azholisticchamber.com
www.ajseatery.com
www.thegrangelifestylevillage.com.au
www.north-fayette.com
tilos.com
www.parteen-gaa.com
www.hawaiiancouncil.org
www.levi-catering.com
sbnmarble.com
sayanythingblog.com
cincyshopper.com
www.cincygardens.com
www.freeridesurfshop.com
steve-watt.com
www.thacoshammer.info
www.stevenjackson.net
www.dearborndumpsterrental.com
basementrejects.com
www.frostbrothersentertainment.net
www.chicagodumpsterrental.org
www.center44.com
www.chicagodumpster.org
buysomenow.com
www.noinkonyourfingers.com
www.nashvilledesign.com
photocrystal.biz
www.momsclubofbranchburg.org
www.cardboardrecycling.freedumpsterrental.com
www.atlantadumpster.org
designresumes.com
3millionfans.com
lpmndc.org
www.bugfreeservices.com
ibvsct.com
