I took another quick look yesterday to monitor how we're doing in identifying new sites and servers in the big Fake-AV attack that we blogged about twice in April. The analysts have been keeping an eye out for them, and Maria sent me some this week. Here is a closer look at two of them:
- When I checked on 18.104.22.168 in the morning, it had been active for a little over a day, and the WebPulse logs showed 744 requests, across 18 domains. Interestingly, the list of domains showed that the Bad Guys have been making some changes. They still like the "stick three words together" domain naming scheme, but they've moved away from living in the .info space: of the 18 domains, 1 was a .com, 1 was a .net, 1 was a .info, and 15 were .in domains.
- Another server is at 22.214.171.124, and has been active for about two weeks. The WebPulse logs show over 10,000 requests during that time, to over 100 domains hosted there (most of the names were of the .info variety, but they show the move to .in in the last few days). In addition to adding ratings for those domains to our database, WebPulse keeps an eye out for the EXE payloads: among those URLs were 107 requests for the actual EXE payload, and I'm pleased to report that we dynamically flagged all 107 as Suspicious, as we did for all the EXEs from the other server.
Note that sucuri.net has a nice post about this same attack, and they highlight the role of hacked WordPress sites in relaying visitors through a network of shady .ru sites to the Fake-AV sites.
However, when I traced a couple of the most active domains yesterday in the logs (systemscanninginspector.in and taskstestkeeper.in), to check on where the attacks were coming from, I didn't see that. Instead, the most common referrers by far were google.com and bing.com, showing that the attack we were seeing is still being driven by search engine poisoning (SEP). Hmm…
After pondering "the strange case of the missing .ru's" for a minute or two, I plugged a few of the example domains from the Sucuri list into our database — and saw that they were all auto-rated as Malware, courtesy of the WebPulse malnet tracker. Well, that solved the mystery: we weren't seeing any traffic relaying in from those .ru domains, because they were all on a server (126.96.36.199) that the Background Checker had identified as evil.
In fact, when I traced this server back through the logs, we had caught it the day it came online (5/07). And the logs show over 27,000 malware ratings served up through yesterday. So it looks like a combination attack, relying on SEP and a whole bunch of hacked sites to drive large numbers of victims to Fake-AV payloads.
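As an added illustration of the log triage described above (not code from the original post or from WebPulse), this Python script runs over a few constructed proxy-log lines: it buckets each request's referrer as search engine, same-site, other or none, counts EXE payload requests per host, and tallies the TLDs of the hosts seen. The two hostnames are from the post; the log rows, their tab-separated layout and the search-engine list are assumptions.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
from urllib.parse import urlsplit

# Constructed sample rows (timestamp, client, URL, referrer, content type); hostnames are from the post, requests are invented.
SAMPLE_LOG = """\
2011-05-18T09:01:12\t10.0.0.5\thttp://systemscanninginspector.in/scan/\thttp://www.google.com/search?q=free+movie\ttext/html
2011-05-18T09:01:15\t10.0.0.5\thttp://systemscanninginspector.in/setup.exe\thttp://systemscanninginspector.in/scan/\tapplication/x-msdownload
2011-05-18T09:02:40\t10.0.0.9\thttp://taskstestkeeper.in/scan/\thttp://www.bing.com/search?q=song+lyrics\ttext/html
2011-05-18T09:03:01\t10.0.0.9\thttp://taskstestkeeper.in/setup.exe\thttp://taskstestkeeper.in/scan/\tapplication/x-msdownload
2011-05-18T09:05:22\t10.0.0.12\thttp://taskstestkeeper.in/scan/\thttp://relay.example.ru/go.php\ttext/html
2011-05-18T09:06:10\t10.0.0.12\thttp://systemscanninginspector.in/scan/\t-\ttext/html
"""

SEARCH_ENGINES = {"google.com", "bing.com"}  # assumed list of SEP sources to watch for
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}

def classify(referrer, target_host):
    """Bucket a referrer as 'none', 'same-site', 'search' or 'other'."""
    if referrer in ("", "-"):
        return "none"
    ref_host = (urlsplit(referrer).hostname or "").lower()
    if ref_host == target_host:
        return "same-site"
    if any(ref_host == se or ref_host.endswith("." + se) for se in SEARCH_ENGINES):
        return "search"
    return "other"

def triage(log_text):
    """Per host: request count, referrer buckets, EXE payload count; plus a TLD histogram."""
    per_host = defaultdict(lambda: {"requests": 0, "exe": 0, "referrers": Counter()})
    for row in csv.reader(StringIO(log_text), delimiter="\t"):
        _ts, _client, url, referrer, ctype = row
        host = (urlsplit(url).hostname or "").lower()
        rec = per_host[host]
        rec["requests"] += 1
        rec["referrers"][classify(referrer, host)] += 1
        if ctype in EXE_TYPES or urlsplit(url).path.lower().endswith(".exe"):
            rec["exe"] += 1
    tlds = Counter(h.rsplit(".", 1)[-1] for h in per_host)  # shows the .info -> .in shift
    return dict(per_host), tlds

def search_driven_share(per_host):
    """Share of externally referred requests (search + other) that came from a search engine."""
    ext = Counter()
    for rec in per_host.values():
        ext.update({k: rec["referrers"][k] for k in ("search", "other")})
    total = ext["search"] + ext["other"]
    return ext["search"] / total if total else 0.0
```

On the constructed rows, two of the three externally referred landings come from search engines, which is the SEP signal the post describes; a real sweep would substitute the exported WebPulse rows for SAMPLE_LOG.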