The Latest in IT Security

Hijacked sites serve up exploits, SEO poisoning

13 Sep 2011

Our research team has discovered a rather nasty SEO poisoning scam over the last few days, targeting 9/11 related search terms (along with anything else they can get their hands on) to attempt the infection of vulnerable PCs. They use a combination of the Black Hole Exploit Kit and an interesting “on the fly” SEO poisoning tactic to try and drop infections onto the target PC.

Shangpalace(dot)com(dot)vn was the initial URL our research team discovered, although there are quite a few others out there right now. It goes without saying that all of these domains should be considered hostile and visited only on a dedicated testing machine.


Some example search terms: [screenshot not reproduced]
If you’re unfortunate enough to visit one of these rogue links, then you can look forward to attacks on your PC. Here’s what GFI Software Malware Research Supervisor Adam Thomas had to say about it:

“The server will return a script pointing to a malicious server which is running BlackHole exploit kit… the referral string used when visiting the compromised site must be an approved referral string (e.g. search.google.com). If not, the server will simply re-direct you to a non-malicious page.”
He continues: “The malicious domain ‘nvwjefrzacronyms(dot)info’ appears to be hosted on a server in Germany. Passive DNS data reveals several other likely malicious servers hosted at the same IP address.”

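The referral check Adam describes can be exposed from the defender's side by requesting the same page twice, once without and once with a search-engine Referer, and diffing the external script hosts each response pulls in. The following is an added example, not code from the original post or from GFI; the page host, the two sample responses and the `ek-host.invalid` name are constructed, and `SEARCH_REFERER` is an assumed value.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

SEARCH_REFERER = "http://www.google.com/search?q=9%2F11"  # constructed search referer

class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs += [v for k, v in attrs if k.lower() == "src" and v]

def external_script_hosts(html, page_host):
    """Hosts of <script src> references that point off the page's own host."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    hosts = {urlparse(src).netloc.lower() for src in parser.srcs}
    return {h for h in hosts if h and h != page_host.lower()}

def cloaking_delta(plain_html, referred_html, page_host):
    """Script hosts served only when the request carried a search-engine Referer.
    A non-empty result is the referrer-gated behaviour the post describes."""
    return (external_script_hosts(referred_html, page_host)
            - external_script_hosts(plain_html, page_host))

def fetch(url, referer=None, timeout=10):
    """Live helper: fetch url once, optionally with a Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def check_url(url):
    """Live check: request the same URL without and with the search referer."""
    host = urlparse(url).netloc
    return cloaking_delta(fetch(url), fetch(url, SEARCH_REFERER), host)

# Constructed sample responses standing in for the two fetches (not captured
# from the real incident); ek-host.invalid is a placeholder name.
PAGE_HOST = "compromised.example"
PLAIN_RESPONSE = ("<html><body><script src='/js/site.js'></script>"
                  "<p>Welcome to our hotel</p></body></html>")
REFERRED_RESPONSE = ("<html><body><script src='/js/site.js'></script>"
                     "<script src='http://ek-host.invalid/main.php?page=1'></script>"
                     "<p>Welcome to our hotel</p></body></html>")
```

Running `cloaking_delta(PLAIN_RESPONSE, REFERRED_RESPONSE, PAGE_HOST)` on the constructed pair returns the one host that only appears for the search-engine visitor; an empty set from `check_url` on a live page means the two responses load scripts from the same hosts.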

Adam tells me the site is “attempting to load as many exploits as possible in order to drop the payload”. This is typically what the user will see while the exploits and files are busy behind the scenes:
Here’s an example VirusTotal link to one of the pieces of malware being used – as you can see, 21/44 currently detect it. As with most attacks of this nature, you can expect to see multiple domains, files and search terms used to lure potential victims. Speaking of search terms, the people behind this are doing some interesting things with their poisoned search results. Adam again:

“The content for SEO poisoning can be generated ‘on-the-fly’. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired. By simply passing a search criteria to the URL ‘shangpalace(dot)com(dot)vn/<search-term>’, the ‘SEO pack’ generates relevant content based on the search term.”

As an example, he passed a random search term to the server to see what would happen – “purple-golden-retriever”, in this case. Sure enough… “Within 2-3 seconds a page complete with keywords, related search phrases and even relevant working images is returned from the server.”
Pretty slick. Keeping your system patched and your security software up to date is a good place to start with regards to avoiding these kinds of attacks, in addition to running a Limited User Account and (perhaps) some browser based script blocking tools such as NoScript. There are bound to be more domains out there playing host to the kind of badness seen above, and I’m pretty sure you don’t want to be caught out by this one.
Christopher Boyd (Thanks Adam)
