k985ytv mass compromise ongoing, spreads fake antivirus

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing, and this is our report.

[Table of Contents]

[1. Summary]
[2. The visitor infection process]
[3. The fake antivirus being spread]
[4. Sample FTP logs of infected websites]
[5. Sample list of infected websites and screenshots of some of them]

[1. Summary]

1. Initial detection date: August 14.
2. Number of infected websites: we estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful, and as a result Google indexed more than 536,000 infected pages. Since then the attackers have fixed the injected pattern, so the injected script is now executed rather than displayed, and Google no longer indexes infected websites.
3. Injected scripts:
Initially (no <script> tag, and therefore indexed by Google):
Full text of the above is here on pastebin.

Later, it quickly became one of the following (with a <script> tag, and therefore executed):
Full text of the above is here on pastebin.
Full text of the above is here on pastebin.

4. Browser exploitation: drive-by download script served by a modified version of the BlackHole exploit pack.

5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

6. Injection method: primarily via stolen FTP credentials. An automated program then logs in over FTP, retrieves the files, injects the iframe, and uploads them back. The FTP credentials are stolen from personal Windows computers that have been infected with malware: the malware searches the stored password files of FTP clients and also sniffs FTP traffic, and the stolen credentials are sent back to the attackers.

7. Malicious domains and IPs:
Redirectors:
1. hysofufewobe.com (ex: http://hysofufewobe.com/k985ytv.htm)
2. zirycatum.com (ex: http://zirycatum.com/k985ytv.htm)
3. numudozaf.com (ex: http://numudozaf.com/k985ytv.htm)

All of the above resolve to the same Moldova (south of Ukraine) IP, 178.17.163.92, registered under the name "Alexandr S Grebennikov" on July 25.

Exploit servers:
1. jbvnhw.com (ex: http://jbvnhw.com/i87yta.htm)
2. mlvurp.com (ex: http://mlvurp.com/i87yta.htm)
3. rprlpb.com (ex: http://rprlpb.com/i87yta.htm)
4. efnxkg.com (ex: http://efnxkg.com/i87yta.htm)

All resolve to the US IP 69.50.202.74 (AS18866), belonging to Atjeu Website Hosting. All exploit domains were registered under the name "Alardo Macias" on August 14.

8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal:
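The redirector and exploit-server indicators in item 7 lend themselves to a simple content check. The following Python scanner is an added example, not code from the original report: it pulls every iframe and script source out of saved HTML and matches it against the listed domains and against the landing-page filenames k985ytv.htm and i87yta.htm, so a domain that is not yet on the list (the sample uses cubyfonizi.com, reported in the comments) is still caught by its filename. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the report above; the sample page below is constructed.
REDIRECTOR_DOMAINS = {"hysofufewobe.com", "zirycatum.com", "numudozaf.com"}
EXPLOIT_DOMAINS = {"jbvnhw.com", "mlvurp.com", "rprlpb.com", "efnxkg.com"}
LANDING_FILENAMES = {"k985ytv.htm", "i87yta.htm"}


class SrcCollector(HTMLParser):
    """Collect the src attribute of every iframe and script start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def classify(src):
    """Return why src is suspicious, or None if it matches no indicator."""
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    parsed = urlparse(src)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if host in REDIRECTOR_DOMAINS:
        return "redirector domain"
    if host in EXPLOIT_DOMAINS:
        return "exploit server domain"
    if filename in LANDING_FILENAMES:
        return "known landing-page filename"
    return None


def scan_html(html):
    """Return (tag, src, reason) for every suspicious iframe/script source."""
    collector = SrcCollector()
    collector.feed(html)
    return [(tag, src, classify(src)) for tag, src in collector.sources
            if classify(src)]


# Constructed sample: one clean script, one known redirector, and one domain
# not on the list (cubyfonizi.com, from the comments) reusing the filename.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://hysofufewobe.com/k985ytv.htm"></iframe>
<iframe src="http://cubyfonizi.com/k985ytv.htm"></iframe>
</body></html>"""
```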

[2. The visitor infection process]

To show how visitors are infected and how we can analyze the infection, we've made the following video:


[3. The fake antivirus being spread]

The Fake AV displays different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7. Below are some screenshots:

[4. Sample FTP logs of infected websites]

204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
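The log above shows the retrieve-inject-upload cycle from item 6 of the summary: the same client downloads index.htm and, in the same second, uploads a larger copy of it. The following Python detector is an added example, not code from the original report: it parses xferlog-style lines and flags a completed RETR followed shortly by a STOR of the same path from the same client and account, recording how much the file grew. The sample log embeds four of the lines shown above plus two constructed benign lines.

```python
import re
from datetime import datetime, timedelta

# xferlog-style line: client ident user [timestamp] "CMD arg" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?" (?P<status>\d{3}) (?P<bytes>\S+)$')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else None
    return rec

def find_modify_cycles(lines, window=timedelta(minutes=5)):
    """Flag a completed RETR followed within `window` by a STOR of the same
    path from the same client and account (the retrieve-inject-upload
    pattern). Each hit records how many bytes the file grew."""
    pending = {}   # (ip, user, path) -> most recent successful RETR
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "226":   # only completed transfers
            continue
        key = (rec["ip"], rec["user"], rec["arg"])
        if rec["cmd"] == "RETR":
            pending[key] = rec
        elif rec["cmd"] == "STOR" and key in pending:
            retr = pending.pop(key)
            if rec["ts"] - retr["ts"] <= window:
                hits.append({"ip": rec["ip"], "user": rec["user"],
                             "file": rec["arg"], "retr_bytes": retr["bytes"],
                             "stor_bytes": rec["bytes"],
                             "delta": rec["bytes"] - retr["bytes"]})
    return hits

# Sample log: four lines from the report above, then two constructed benign
# lines (a fresh upload with no prior download, and a plain download).
SAMPLE_LOG = """\
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
192.0.2.10 UNKNOWN user1004 [14/Aug/2011:23:05:02 -0500] "STOR logo.png" 226 4096
192.0.2.10 UNKNOWN user1004 [14/Aug/2011:23:05:30 -0500] "RETR about.htm" 226 2048
"""
```

Running the detector over a real xferlog after an incident also gives the client IP to block and the exact files to restore from a known-good copy.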

[5. Sample list of infected websites and screenshots of some of them]


32 comments:

Anonymous said...

Great research here but I have a question on this:

How do you discover attacks like this? Have you deployed something like a honeypot anywhere?

Anonymous said...

Interesting blog but did you know that ESET blocks access and quarantines your blog home page?
It shows JS/Kryptik/AY.trojan

David Dede said...

Are you sure it is through stolen FTP? I am seeing some sites compromised with it and they had no FTP connections for months...

All of them had WordPress outdated and it seems they got compromised through that.

Maybe both?

Anonymous said...

Also now using cubyfonizi.com

Anonymous said...

also ajstcb.com

Anonymous said...

Great information, but where's the resolution? How do we fix it? None of my antivirus software is picking up any problems on my PC. I am not showing any fake antivirus on my PC. But all of the WP websites I have worked on lately (including brand new installs) have the bad script code in them. I delete and do clean install and more bad code the next day. WHAT DO I DO?

Anonymous said...

Thanks! Great research job. I have found the great deal of websites attacked with this JavaScript lately

Cyberbullying Report said...

Also, for anyone who has Win 7 Home Security 2012 terrorizing their computer I wrote a removal guide back on August 8th based on how I removed it from my computer. It was a huge pain that even Norton AntiVirus couldn't get rid of. Check out http://cyberbullyingreport.com/bully/win-7-home-security-2012-hijacked-my-pc-until-i-removed-it-219.aspx

Anonymous said...

americanfootballmod.com as well.

armorize said...

test123

Wayne Huang said...

test123

Wayne Huang said...

Nice write-up, thanks!

Wayne Huang said...

You have to change your FTP credentials. Also have to check if they've left any backdoors (webshells). If you need help email me and we'll help you (free). wayne@armorize.com

Wayne Huang said...

The website is down right now

Wayne Huang said...

Thank you, C.K., and yes, very likely so.

Wayne Huang said...

Hi David, yes, could be.

Wayne Huang said...

Oh well, AVs do simple regex.

Wayne Huang said...

We run one of the world's largest cloud-based Web malware scanning operations, serving customers like Symantec VeriSign and GlobalSign. We also try to scan as much of the Web as possible on our own. We study the threat landscape on a daily basis. Just don't have time to write all intelligence into blog posts.


chicago weight loss said...

That is a pretty huge list ... How the hell do they recover after?


Dipak Gajera said...

This mass injection attack is not stopped yet. As of 9th July 2012, thousands of websites are redirecting to a malicious webpage and later downloading a fake antivirus program called "Live Security Platinum", forcing users to buy a licensed version of this fake program. It also gives fake virus alerts. It's really very bad. My personal domain was also infected with this one and I got an abuse warning from my domain name provider. Later I worked on this and fixed this malware using the COMBOFIX tool (a DOS-based antivirus tool). If you need further help, you can write me at dipak@hackermail.com (I am not a hacker).


GemilMC said...

k985ytv.htm can be STOPPED (2013 tested. Warning: might make your internet fail.) (only Chrome)
Press the X button to stop loading, F12 to see the code; you will see the code of it, delete it, then reload it.
Another warning: your internet might be reloaded, but the code will be reloaded too; it might be removed or reloaded.
