ALERT: a malvertizement redirect that does not use malicious advertising...
The details are below - you will see that a lot of information is redacted. That is because the bad guys *DO* read this blog, and I don't like to make things too easy for them.
The site owner asked for help and has been sent advice on what to look for and what to do.
This blog entry has been reported to Directi for their immediate attention.
The hijack occurred when the browser tried to retrieve "favicon.ico". Instead of the icon, the victim site's server responded with "document has moved" (an HTTP 302) and redirected the browser to:
87.248.180.90/in.html?s=sg_err
From there we get bumped to:
quicktds.name/soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>>
And from there, to:
pcvirusbuster.com/2009/1/freescan.php?id=<<redacted>>
Now, what is interesting is that the GET path to favicon.ico is incorrect. The GET path used, as you can see, is:
<<redacted>>/favicon.ico
When in fact the correct path is <<redacted>>/<<redacted>>/templates/<<redacted>>/favicon.ico
ANY URL that is incorrect for the affected domain will result in a browser redirect, eg:
<<redacted>>/something redirects to the 87.248.180.90 URL
<<redacted>>/nonsense redirects to the 87.248.180.90 URL
<<redacted>>/123 redirects to the 87.248.180.90 URL
<<redacted>>/supersallysingsasong redirects to the 87.248.180.90 URL
Now, the next question is *why* this is happening. Google turns up many references to the IP address URL indicating that the behavior depends on the referrer detected (eg: the proper domain loads if the site is accessed directly, but a visitor arriving via Google is hijacked) and that it is done by hacking the .htaccess file, with the following code inserted:
Source: http://www.phpbb.com/community/viewtopic.php?f=1&t=1123235
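As an added example (not code from the post, and not the injected .htaccess code, which the post does not reproduce): a small Python audit of an .htaccess file that flags the directive patterns this kind of hijack relies on, namely ErrorDocument targets that are absolute off-site URLs, RewriteRule or Redirect targets that point at another host, and RewriteCond lines keyed on HTTP_REFERER. The sample .htaccess, the site name example.com and the address 203.0.113.10 are all constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample .htaccess. The last three lines are the kind of rules an
# intruder appends; 203.0.113.10 is a documentation address standing in for
# the attacker-controlled host and is NOT the code from the post.
SAMPLE_HTACCESS = """\
# legitimate rules
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
ErrorDocument 403 /errors/403.html
# appended by an intruder (constructed example)
ErrorDocument 404 http://203.0.113.10/in.html?s=sg_err
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|live)\\. [NC]
RewriteRule .* http://203.0.113.10/in.html?s=sg_err [R,L]
"""

SITE_HOST = "example.com"  # hostname of the site being audited (assumed)


def _external(target, site_host):
    """True if target is an absolute http(s) URL whose host is not the site's own."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname not in (None, site_host)


def audit_htaccess(text, site_host):
    """Return a list of (line number, reason, line) for suspicious directives.

    RewriteCond lines apply to the next RewriteRule, so a Referer condition is
    remembered until that rule is seen and then reported together with it."""
    findings = []
    pending_referer_cond = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "errordocument":
            # ErrorDocument <code> <target>: a local path is normal, a URL on
            # another host turns every missing page into an off-site redirect.
            if len(tokens) >= 3 and _external(tokens[2], site_host):
                findings.append((lineno, "ErrorDocument redirects off-site", line))
        elif directive == "rewritecond":
            if "%{HTTP_REFERER}" in line.upper():
                pending_referer_cond = True
                findings.append((lineno, "RewriteCond keyed on Referer", line))
        elif directive == "rewriterule":
            # RewriteRule <pattern> <target> [flags]
            target = tokens[2] if len(tokens) >= 3 else ""
            if _external(target, site_host):
                reason = "RewriteRule sends visitors off-site"
                if pending_referer_cond:
                    reason += " (only for matching referrers)"
                findings.append((lineno, reason, line))
            pending_referer_cond = False  # conditions are consumed by the rule
        elif directive in ("redirect", "redirectmatch", "redirectpermanent", "redirecttemp"):
            # mod_alias redirects: any absolute off-site target is worth a look
            if any(_external(t, site_host) for t in tokens[1:]):
                findings.append((lineno, "Redirect directive sends visitors off-site", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_htaccess(SAMPLE_HTACCESS, SITE_HOST):
        print("line %d: %s\n    %s" % (lineno, reason, line))
```

Run it over every .htaccess under the document root (cPanel accounts often have several nested ones), and check the server-level configuration as well, since the same directives can live there. A legitimate off-site rule (a CDN, a moved domain) is reported too and has to be recognised by eye; the point is that a site should have no reason to send visitors elsewhere for a page that does not exist.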
87.248.180.90 - Moldova, Republic Of - Chisinau - Sc Starnet Srl (leased for users) - 87-248-180-90.starnet.md
Reverse IP: vsemutorba.com
Domains in IP range 87.248.180.% - alternosfera.com, artsfera.com, bestrezult.com, blyapizdets.info
vsemutorba.com
ICANN Registrar - Directi Internet Solutions
Created 2 April 2008
NS: NS-ALT.STARNET.MD (20 domains)
NS: NS.STARNET.MD
Registrant: "Cinema, William Boyd, Bronz, New York" - email used with 2 other domains.
quicktds.name - 216.240.134.211 - California - Irvine - Go2online Corp
ICANN Registrar - Directi Internet Solutions
Created 16 September 2008
NS: NS1.STARTED.RU
NS: NS2.STARTED.RU
Registrant: Hidden behind privacyprotect.org
216.240.134.211 - Reverse host: trap17.com
Domains in IP range - 239 domains.
pcvirusbuster.com - 64.86.17.44 - Ontario - Brampton - Velcom
ICANN Registrar - Directi Internet Solutions
Created: 7 October 2008
NS: SKY.EARTH.ORDERBOX-DNS.COM
NS: SKY.MARS.ORDERBOX-DNS.COM
NS: SKY.MERCURY.ORDERBOX-DNS.COM
NS: SKY.VENUS.ORDERBOX-DNS.COM
Registrant: Hidden behind privacyprotect.org
64.86.17.44 - domains in IP range - 144 domains.
started.ru - 64.21.13.232 - New Jersey - Oakland - Net Access Corporation
Created 1 April 2007
trap17.com - 208.87.242.120 - California - Walnut - Psychz Networks
ICANN Registrar - Directi Internet Solutions
Created 9 May 2004
NS: OM1.COMPUTINGHOST.COM
NS: OM2.COMPUTINGHOST.COM
NS: OM3.COMPUTINGHOST.COM
NS: OM4.COMPUTINGHOST.COM
Registrant: Hidden behind privacyprotect.org
orderbox-dns.com - domain not resolving - registered, no web site
ICANN Registrar - Directi Internet Solutions
Created 2 July 2004
computinghost.com - 67.19.253.53 - Texas - Dallas - Theplanet.com Internet Services Inc
ICANN Registrar - Directi Internet Solutions
Registrant: Xisto Corporation (owns about 43 other domains)
GET /favicon.ico HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: <<redacted>>
Proxy-Connection: Keep-Alive
HTTP/1.1 302 Found
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 404
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // 87.248.180.90/in.html?s=sg_err
Content-Type: text/html; charset=iso-8859-1
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Keep-Alive: timeout=15, max=98
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http : // 87.248.180.90/in.html?s=sg_err">here</a>.</p>
<hr>
<address>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at **host removed** Port 80</address>
</body></html>
------------------------------------------------------------------
GET /in.html?s=sg_err HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: 87.248.180.90
Proxy-Connection: Keep-Alive
HTTP/1.1 302 Found
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // quicktds.name/soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>>
Content-Type: text/html
Server: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Set-Cookie: visited=1
0
------------------------------------------------------------------
GET /soft.php?aid=<<redacted>>&d=6&product=XPA&refer=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: quicktds.name
Proxy-Connection: Keep-Alive
HTTP/1.1 302 Found
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, ** Oct 2008 <<redacted>>
Location: http : // pcvirusbuster.com/2009/1/freescan.php?id=<<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Set-Cookie: soft=1; expires=<<redacted>>
Keep-Alive: timeout=5, max=500
0
------------------------------------------------------------------
GET /2009/1/freescan.php?id=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: pcvirusbuster.com
Proxy-Connection: Keep-Alive
HTTP/1.1 302 Found
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Tue, ** Oct 2008 <<redacted>>
Location: en/freescan.php?id=<<redacted>>&user=<<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Keep-Alive: timeout=5, max=500
------------------------------------------------------------------
GET /2009/1/en/freescan.php?id=<<redacted>>&user=<<redacted>> HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (<<redacted>>)
Host: pcvirusbuster.com
Proxy-Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1362
Date: Tue, ** Oct 2008 <<redacted>>
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/5.2.6
Set-Cookie: av_inst=<<redacted>>; expires=<<redacted>> GMT; path=/
Keep-Alive: timeout=5, max=500
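Two things in the post are worth having in code: the observation that any non-existent URL on the affected domain triggers the redirect, and the five-hop chain in the transcript above, whose fourth hop uses a relative Location header ("en/freescan.php?...") that the browser resolves against the request path to land under /2009/1/en/. The following Python is an added example, not code from the post: it parses raw HTTP responses of the kind the transcript shows, walks the chain, flags every hop that leaves the victim's host, and probes a path that cannot exist both with and without a search-engine Referer, which is the referrer-dependent variant the post describes. The hostname victim.example, the trimmed responses, the REDACTED placeholders and the stand-in server are all constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed request/response pairs modelled on the proxy transcript in the
# post: headers are trimmed and redacted values replaced with "REDACTED".
# Each tuple is (URL requested, raw response text received for it).
HOPS = [
    ("http://victim.example/favicon.ico",
     "HTTP/1.1 302 Found\r\nContent-Length: 404\r\n"
     "Location: http://87.248.180.90/in.html?s=sg_err\r\n"
     "Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>...</html>"),
    ("http://87.248.180.90/in.html?s=sg_err",
     "HTTP/1.1 302 Found\r\nTransfer-Encoding: chunked\r\n"
     "Location: http://quicktds.name/soft.php?aid=REDACTED&d=6&product=XPA&refer=REDACTED\r\n"
     "Set-Cookie: visited=1\r\n\r\n0\r\n\r\n"),
    ("http://quicktds.name/soft.php?aid=REDACTED&d=6&product=XPA&refer=REDACTED",
     "HTTP/1.1 302 Found\r\n"
     "Location: http://pcvirusbuster.com/2009/1/freescan.php?id=REDACTED\r\n\r\n"),
    ("http://pcvirusbuster.com/2009/1/freescan.php?id=REDACTED",
     "HTTP/1.1 302 Found\r\nContent-Length: 0\r\n"
     "Location: en/freescan.php?id=REDACTED&user=REDACTED\r\n\r\n"),
    ("http://pcvirusbuster.com/2009/1/en/freescan.php?id=REDACTED&user=REDACTED",
     "HTTP/1.1 200 OK\r\nContent-Length: 1362\r\nContent-Type: text/html\r\n\r\n"),
]

REDIRECT_CODES = (301, 302, 303, 307, 308)
SEARCH_REFERER = "http://www.google.com/search?q=example"  # constructed


def parse_response(raw):
    """Split a raw HTTP response into (status code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_chain(hops, site_host):
    """Describe each hop of a logged redirect chain.

    Location is resolved against the request URL with urljoin, as a browser
    does, so a relative value such as "en/freescan.php" is placed under the
    directory of the page that sent it. Walking stops at the first non-redirect."""
    chain = []
    for url, raw in hops:
        status, headers = parse_response(raw)
        if status not in REDIRECT_CODES:
            chain.append({"from": url, "status": status, "to": None, "offsite": False})
            break
        target = urljoin(url, headers.get("location", ""))
        offsite = urlsplit(target).hostname != site_host
        chain.append({"from": url, "status": status, "to": target, "offsite": offsite})
    return chain


def first_offsite_hop(chain):
    """The hop at which visitors first leave the site, or None if they never do."""
    for hop in chain:
        if hop["offsite"]:
            return hop
    return None


def probe_missing_path(site_host, fetch, path="/__no_such_page_7d1e"):
    """Request a path that cannot exist, once directly and once as if arriving
    from a search engine, and report (status, resolved Location, off-site?) for
    each. fetch(url, referer) must return raw response text."""
    results = {}
    url = "http://%s%s" % (site_host, path)
    for label, referer in (("direct", None), ("from-search", SEARCH_REFERER)):
        status, headers = parse_response(fetch(url, referer))
        target = urljoin(url, headers["location"]) if "location" in headers else None
        offsite = bool(target) and urlsplit(target).hostname != site_host
        results[label] = (status, target, offsite)
    return results


def constructed_hijacked_server(url, referer):
    """Stand-in for a compromised host (constructed): a clean 404 for direct
    visits, an off-site 302 when the visitor arrives from a search engine."""
    if referer and "google" in referer:
        return "HTTP/1.1 302 Found\r\nLocation: http://87.248.180.90/in.html?s=sg_err\r\n\r\n"
    return "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"


if __name__ == "__main__":
    for hop in follow_chain(HOPS, "victim.example"):
        print(hop["status"], hop["from"], "->", hop["to"], "(off-site)" if hop["offsite"] else "")
    print(probe_missing_path("victim.example", constructed_hijacked_server))
```

For a live check, replace the stand-in with a fetch that sends the request and returns the raw response (any HTTP client will do); the important part is to compare the direct and search-referred results, since a site that only hijacks referred visitors looks clean to its own owner and to most scanners.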