"Do not blame the Soviet Union had thousands of such care, the body for small medical gas cents, even if he is especially the fear, if allowed to spread this poison out of stock"
On January 23rd, thousands of machine-generated attack sites were registered through GoDaddy using DNSPod name servers. These sites generally use a 5-character name under the .info TLD. The sites combine black hat SEO poisoning with virulent malware infections. At least one anti-virus vendor has labeled the infections "not disinfectable".
The structure of these sites takes two forms. The attack sites use a technique known as wildcard DNS, which allows an unlimited number of subdomains to be created under a single domain name. Sites like pgkqy.info, which I will refer to as the hounds, contain over 6000 links to the attack sites. The hounds' content (6000 links) consists of 200 links to the subdomains of each of 30 different attack domains (see http://doc.emergingthreats.net/bin/viewfile/Main/RussianBusinessNetwork?rev=1;filename=hounds_to_the_hunters.txt). The hounds' large number of links serves to boost the search engine rankings of the attack sites.
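The wildcard DNS behaviour described above is easy to confirm from the defender's side: resolve a few random labels under the domain and see whether they all answer with the same address. The following Python script is an added example written for this page, not code from the original post or from Emerging Threats. The resolver is passed in as a function so the logic can be exercised offline against a constructed zone table; system_resolver() is the live variant. The zone table and the 192.0.2.x addresses are constructed placeholders, not data from the post.

```python
"""Wildcard DNS probe (added example; not code from the original post).

A wildcard record such as *.example.info answers for every label under the
zone, which is what lets a campaign mint hostnames like 175.bctjd.info
without configuring each one. detect_wildcard() resolves several random
labels under a domain: if they all resolve and all agree, the zone almost
certainly carries a wildcard.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]


def random_label(length: int = 12) -> str:
    """A label that should not exist unless a wildcard matches it."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def system_resolver(name: str) -> List[str]:
    """Live resolver via the OS stub resolver; [] means NXDOMAIN / no answer."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Return the addresses a wildcard points at, or None if none is seen.

    Requiring every probe to resolve *and* agree avoids a false positive
    from a random label that happens to collide with a real host.
    """
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    if any(not a for a in answers):
        return None
    return answers[0] if all(a == answers[0] for a in answers[1:]) else None


def make_fake_resolver(zones: Dict[str, List[str]]) -> Resolver:
    """Offline resolver over a constructed zone table.

    A key of the form '*.domain' answers for any name under domain;
    any other key answers only for that exact name.
    """
    def resolve(name: str) -> List[str]:
        if name in zones:
            return zones[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in zones:
                return zones[wildcard]
        return []
    return resolve


# Constructed sample zone data: the attack domain carries a wildcard, the
# hound domain has only fixed names. Addresses are documentation-range
# placeholders (RFC 5737), not addresses from the post.
SAMPLE_ZONES: Dict[str, List[str]] = {
    "*.bctjd.info": ["192.0.2.10"],
    "pgkqy.info": ["192.0.2.20"],
    "www.pgkqy.info": ["192.0.2.20"],
}


def classify(domains: List[str], resolve: Resolver) -> Dict[str, Optional[List[str]]]:
    """Map each domain to its wildcard target, or None when no wildcard is seen."""
    return {d: detect_wildcard(d, resolve) for d in domains}


def classify_sample() -> Dict[str, Optional[List[str]]]:
    """Run the probe against the constructed zones (offline)."""
    return classify(["bctjd.info", "pgkqy.info"], make_fake_resolver(SAMPLE_ZONES))


if __name__ == "__main__":
    for domain, target in classify_sample().items():
        print(f"{domain}: {'wildcard -> ' + ', '.join(target) if target else 'no wildcard'}")
```

For live use, call classify(["bctjd.info"], system_resolver); a campaign domain of the kind described will report a wildcard target, which is a strong signal that every observed subdomain (175.bctjd.info and so on) should be treated as the same indicator and blocked at the apex rather than one hostname at a time.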
The attack sites themselves are littered with keywords and phrases designed to poison search engine results and lure the unwary. These include references to celebrity sex scandals, teenage sex, and so forth. The attack sites also contain machine-generated text consisting of numerous paragraph-length narratives (in English and Mandarin). Inserted among these narratives are out-of-context messages which resemble coded messages. Might the following be a reference to Iranian oil?
"Since no increase, and that this spirit of building the base fluid, the patriarch will be purchased by the Shaw and the next war"
Regardless, the malware payload appears quite ominous on its own. One of the sites distributing malware to the visitors of the attack sites (code1.2bj.cc) has previously distributed malware deemed "exact, not disinfectable" by F-Prot. In that incident, anti-virus detection rates were approximately 50%:
Antivir TR/Agent.DT
Avast Win32:Trojan-gen
Bit Defender Trojan.Agent.DT
ClamAV Trojan.Agent-298
DrWeb Trojan.PWS.Htool
F-Prot W32/Trojan.CXF (exact, not disinfectable)
F-Secure Anti-Virus Trojan.Win32.Agent.dt
Ikarus Trojan.Win32.Agent
Kaspersky Anti-Virus Trojan.Win32.Agent.dt
McAfee VirusScan potentially unwanted program Generic HTool
Panda Anti-Virus Trj/Agent.AMJ
Sophos Troj/HTool-B
Symantec Command Line Scanner Trojan Horse
VBScan Trojan.Agent.HPVY
VirusBlokAda Trojan.Win32.Agent.dt
Sites serving malware to the attack sites have been highly successful in separate campaigns over the past 90 days. A sampling of Google Safe Browsing reveals results like the following:
tpjt.info:
Over the past 90 days, tpjt.info appeared to function as an intermediary for the infection of 254 site(s)
coooog.com:
Malicious software includes 143 exploit(s).
Over the past 90 days, coooog.com appeared to function as an intermediary for the infection of 371 site(s)
In the case of attack site 175.bctjd.info, network activity included:
In addition to the requests listed below, numerous ActiveX controls were invoked.
Requests
URL Status Content Type
http://175.bctjd.info 200 text/html
http://175.bctjd.info/tj400.js 404 text/javascript
http://175.bctjd.info/tj.js 200 text/javascript
http://js.users.51.la/4440802.js 200 text/javascript
http://175.bctjd.info/1.js 200 text/javascript
http://tpjt.info/bs003/?9865 200 text/html
http://vip.coooog.com:8080/f/cpv.asp?adid=4207&uid=11228 200 text/javascript
http://122.226.223.149:8080/coo/uploadfile/20110114110108277.swf 200 application/x-shockwave-flash
about:blank 200 text/html
http://s6.cnzz.com/stat.php?id=1583556&web_id=1583556 200 text/javascript
http://vip.coooog.com:8080/f/mt.js 200 text/javascript
http://tpjt.info/skins/orange/images/style.css 200 text/javascript
http://tpjt.info/liaotian/cjtc.js 200 application/x-javascript
http://74.207.249.234/liaotian2/ 200 text/html
http://74.207.249.234/liaotian1/flash/novie.swf 200 application/x-shockwave-flash
http://74.207.249.234/liaotian2/img/ChatShow.js 200 application/x-javascript
http://74.207.249.234/liaotian1/f1ash/16.swf 404 text/html
http://www.blogkou.com/f1ash/11.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/3.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/6.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/5.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/4.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/7.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/8.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/9.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/2.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/13.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/12.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/15.swf 200 application/x-shockwave-flash
http://www.blogkou.com/f1ash/1.swf 200 application/x-shockwave-flash
http://74.207.249.234/liaotian2/img/ip.js 200 text/javascript
http://fw.qq.com:80/ipaddress 200 text/javascript
http://js.users.51.la/4429735.js 200 text/javascript
http://cpm.ad123456.com/m.js 200 text/javascript
http://tpjt.info/1.js 200 text/javascript
http://images.sohu.com/cs/jsfile/js/lu.js 200 text/javascript
http://js.star8.net/code.js 200 text/javascript
http://js.users.51.la/4192183.js 200 text/javascript
http://js.users.51.la/4397946.js 200 text/javascript
http://js.users.51.la/4392080.js 200 text/javascript
http://js.users.51.la/4286690.js 200 text/javascript
http://vip.coooog.com:8080/gotocpvv.asp?id=11228&adid=2105&Vfc=38333831333132383131313438313534&tid=11295&url=http://tpjt.info/bs003/?9865 500 text/html
http://lu.sogou.com/kwd?pid=meilalala&ct=kwd&fmt=h_kwd&dn=8&iw=728&ih=15&fs=12&c_bo=ffffff&c_bg=ffffff&c_fg=ff0000&tdw=&charset=gb2312&ti=QVOD%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1,%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1,QVOD%E7%94%B5%E5%BD%B1,%E5%BF%AB%E6%92%AD%E7%94%B5%E5%BD%B1,%E4%BC%A6%E7%90%86%E7%89%87,%E5%BF%AB%E6%92%AD%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1-%E5%9C%A8%E7%BA%BF%E5%85%8D%E8%B4%B9%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1%E7%BD%91&ref=http://tpjt.info/bs003/?9865&sohuurl=http://tpjt.info/bs003/?9865 200 text/html
http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy 200 text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=687&username=9idy 200 text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=687&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0 200 text/html
http://code1.2bj.cc:8899/click.html?adid=551&uid=9idy 200 text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=551&username=9idy 200 text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=551&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=551&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0 200 text/html
http://pic.2bj.cn/upload/wz823/55/950x90.files/2.js 200 application/x-javascript
http://code1.2bj.cc:8899/click.html?adid=675&uid=9idy 200 text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=675&username=9idy 200 text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=675&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=675&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0 200 text/html
http://c.star8.net/c1.ashx?ln=1&w=314261&sid=0&logo=true&e=OR8cNc5cKsA3Zk8bA2zB4PEV5be4MdCu4ZolkxB8r4c6mTNwRdD3UQ==&ar2s=1&furl=http://tpjt.info/bs003/?9865&ffurl=http://tpjt.info/bs003/?9865 200 text/html
http://sougoudaima.soua.com/101105/950x220/950x220.html?uid=2234 200 text/html
http://code.soua.com/js/common.js 200 text/javascript
http://code.soua.com/js/word.js 200 application/x-javascript
http://code1.2bj.cc:8899/click.html?adid=311&uid=9idy 200 text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=311&username=9idy 200 text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=311&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=311&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0 200 text/html
http://pic.2bj.cn/upload/wz425/950_90_5_files/js.js 200 text/javascript
http://pic.2bj.cn/upload/wz425/950_90_5_files/279.css 200 text/javascript
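A request log like the one above is the raw material for both blocking and detection, and a few mechanical checks pull out most of what a responder needs before reading it line by line. The following Python script is an added example written for this page, not code from the original post. It parses rows in the table's "URL STATUS CONTENT-TYPE" layout and reports the distinct hosts contacted (candidate block-list entries with hit counts), requests to raw IP addresses or non-default ports, successful responses whose Content-Type does not match the file extension (note the .css files above served as text/javascript), and query strings that carry another URL, which marks the redirect and traffic-broker hops in the chain. The sample rows are copied from the table above; the rule names and the extension-to-type mapping are this example's own choices, not any standard.

```python
"""Triage of a captured request log (added example, not code from the post)."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit
import ipaddress
import os

# Content-Type values normally seen for an extension (this example's mapping).
EXPECTED_TYPES = {
    ".js": {"text/javascript", "application/javascript", "application/x-javascript"},
    ".css": {"text/css"},
    ".swf": {"application/x-shockwave-flash"},
}


@dataclass
class Request:
    url: str
    status: int
    content_type: str


def parse_line(line: str) -> Optional[Request]:
    """Parse 'URL STATUS CONTENT-TYPE'; returns None for the header row or blanks."""
    parts = line.split()
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return Request(parts[0], int(parts[1]), parts[2])


def parse_log(text: str) -> List[Request]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(requests: List[Request]) -> Dict[str, Any]:
    """Return {'hosts': Counter of hostname -> hits, 'findings': [(rule, url), ...]}."""
    hosts: Counter = Counter()
    findings: List[Tuple[str, str]] = []
    for r in requests:
        u = urlsplit(r.url)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue  # skips about:blank and similar pseudo-URLs
        hosts[u.hostname] += 1
        if is_ip_literal(u.hostname):
            findings.append(("ip-literal host", r.url))
        default_port = 443 if u.scheme == "https" else 80
        if u.port is not None and u.port != default_port:
            findings.append(("non-default port", r.url))
        ext = os.path.splitext(u.path)[1].lower()
        # Only judge successful responses; a 404 error page is expectedly text/html.
        if 200 <= r.status < 300 and ext in EXPECTED_TYPES and r.content_type not in EXPECTED_TYPES[ext]:
            findings.append(("content-type mismatch", r.url))
        if any(v.startswith("http") for vals in parse_qs(u.query).values() for v in vals):
            findings.append(("url in query", r.url))
    return {"hosts": hosts, "findings": findings}


def finding_counts(result: Dict[str, Any]) -> Counter:
    """Number of findings per rule, for a quick summary."""
    return Counter(rule for rule, _ in result["findings"])


# Sample rows copied from the post's table (a subset), header included so the
# parser's header handling is exercised.
SAMPLE_LOG = """\
URL Status Content Type
http://175.bctjd.info 200 text/html
http://175.bctjd.info/tj400.js 404 text/javascript
http://175.bctjd.info/tj.js 200 text/javascript
http://tpjt.info/bs003/?9865 200 text/html
http://vip.coooog.com:8080/f/cpv.asp?adid=4207&uid=11228 200 text/javascript
http://122.226.223.149:8080/coo/uploadfile/20110114110108277.swf 200 application/x-shockwave-flash
about:blank 200 text/html
http://tpjt.info/skins/orange/images/style.css 200 text/javascript
http://74.207.249.234/liaotian2/ 200 text/html
http://74.207.249.234/liaotian1/f1ash/16.swf 404 text/html
http://www.blogkou.com/f1ash/11.swf 200 application/x-shockwave-flash
http://vip.coooog.com:8080/gotocpvv.asp?id=11228&adid=2105&tid=11295&url=http://tpjt.info/bs003/?9865 500 text/html
http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy 200 text/html
http://pic.2bj.cn/upload/wz425/950_90_5_files/279.css 200 text/javascript
"""


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("hosts:", dict(result["hosts"]))
    for rule, url in result["findings"]:
        print(f"{rule:22} {url}")
```

The host counter doubles as a first-cut block list for the proxy, and the "url in query" rule is the one that exposes the brokering chain in this capture: the gotocpvv.asp request hands the landing page URL along as a parameter, which is how the tpjt.info and coooog.com intermediaries named in the Safe Browsing results show up in the middle of the chain.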
The sites have been deployed throughout HostNOC. Hound site pgkqy.info is at 173.212.238.77, while attack sites vdjiv.info and bbzfc.info reside at 173.212.238.76. However, both hound site dsqof.info and attack site bjpwn.info are at 184.82.9.206. All are utilizing f1g1ns1.dnspod.net as a DNS server.
We will pinpoint more hostile IP addresses as time permits. You can pursue further investigation with the use of this file: http://doc.emergingthreats.net/bin/viewfile/Main/RussianBusinessNetwork?rev=1;filename=includes_skynet.txt.
James McQuaid
1-25-2011