This is not the first time I have written about Servage. This is the fourth article in the series about rogue blogs on the Servage network. It all started in November, when I wrote about malicious blogs created in subdirectories of legitimate websites. Those blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail), redirecting visitors to scareware sites. In the second article, I traced the history of the rogue blogs (the first generation is dated April 2009) and showed that most of them (90%+) were on the Servage network. In the third article, I described the internals of those rogue blogs and their malicious features.
A few days ago I found a new generation of rogue blogs on the Servage network.
I was going over suspicious URLs detected by Unmask Parasites and found one page that looked fishy. Its report page looked like this:
When I opened it in a web browser (on Linux with NoScript, to minimize the risk), it resembled the rogue blogs I had found on the Servage network some time ago: a blog with multiple posts, each consisting only of a few images hotlinked from other sites and no meaningful content. All of its pages redirected visitors to a fake anti-virus site. And the blog clearly did not belong to the site at the root of the domain.
At the same time it was clear that this new site was different:
Anyway, I checked the site's IP address: it belonged to the Servage network! Was it a coincidence? To find out, I tried to locate other similar blogs.
The URL structure of the blog was quite distinctive (e.g. example.com/someword1234/?x=y:10&paged=4), so I tried the allinurl: Google search operator.
The allinurl:x=y:10 paged query returned 16,000,000 results! All of them (at least the first 1,000 that Google lets you see) led to rogue blogs similar to the one I had just found.
Having analyzed the URL structure of different blogs, I came up with many more search queries. E.g.:
Note that the result counts reported by Google may vary significantly depending on internal factors (e.g. which data centers served the query).
Since the results for different queries do not completely overlap, I managed to compile a list of 1,130 unique domain names of rogue blogs – enough to begin analyzing their IP addresses.
638 unique IPs
936 unique domains evenly distributed in the range of 126.96.36.199 – 188.8.131.52 – Servage.net
162 unique domains evenly distributed in the range of 184.108.40.206 – 220.127.116.11 – Servage.net
The remaining 32 domains either do not resolve (7) or are parked and point to the servers of parking services. No wonder: over the several months of this attack, some domains could have expired and some sites ceased to exist. A few more sites no longer have the rogue blogs (they probably moved away from Servage after detecting the hack), and only 3 sites (less than 0.3%) on other networks contained the rogue blogs.
97% of the rogue blogs are hosted by Servage in subdirectories of legitimate websites.
Of course, those 1,130 hacked sites are only a subset of all hacked sites carrying the new type of malicious blog. Let's estimate the total.
The allinurl:x=y:10 m:03 paged search returns 2,600,000 results. This gives an idea of the number of indexed archive pages for posts published in March 2010. Most blogs have fewer than 40 such pages, few have more than 100, and the largest number of March archive pages I saw was 144.
So let's be over-optimistic and assume that Google has indexed 150 pages on each blog containing the following string in their URLs: ?x=y:10;m:03&paged=<num>
2,600,000/150 = 17,333
More than 17,000 legitimate sites of Servage clients contain subdirectories where criminals have created rogue blogs that poison millions of search results and redirect unsuspecting web searchers to scareware sites pushing Fake AV software. And if we take the more realistic figure of 50 indexed archive pages per site for March, this gives 50,000+ unique blogs. (Some sites host two rogue blogs in different subdirectories, but that still leaves 25,000+ compromised legitimate sites!)
Another estimate is based on the numbers in the names of the subdirectories. If they are unique across all the blogs, this gives about 10,000 unique rogue blogs (the largest number I saw was 10345). Google may have indexed duplicate archive pages under alternative URLs, so this number looks credible.
Note that these numbers don't include previous generations of rogue blogs that are still there.
Now let’s estimate the number of the malicious landing pages indexed by Google.
Let's take the numbers of indexed archive pages for each month of this attack (November 2009 through April 2010):
Each archive page contains 4-5 individual posts. This means there should be at least 36 million individual pages, or 45+ million pages including the archive pages. This is an optimistic estimate.
But if we take the allinurl:x=y:10 paged search, which returns indexed archive pages from 2010 only, we get 16,000,000 results, which gives 80 million malicious pages in just four months of this year.
Each page is optimized for several different search keywords (a main keyword and a dozen variations). This means that search results for more than 100 million search queries are poisoned by this particular attack. Of course, most of those keywords are relatively unpopular. Some may attract just a few searches a day, some only one search a month, and some may never be used at all. But taking into account the volume of Google searches and the quantity of poisoned results, I can roughly estimate that every month more than a million searches return results containing links to those rogue blogs.
What are the chances that searchers will actually see or click on the poisoned search results? After all, malicious blogs have to compete with legitimate resources for the same keywords. And if the poisoned link is displayed on the 10th or even 3rd page of search results, hardly anyone will see it.
Well, with regular web search the situation is more or less normal. Only about 5% of the tested keywords produce one or two poisoned links on the first two pages (top 20) of Google search results, usually on the second page. However, some specific queries (like this one: woman with a broken neck and leg braces, beware!) return first pages of search results that consist exclusively of links to the rogue blogs described in this article.
However, these blogs contain a lot of images for a reason: they primarily target image searches. I should also mention that about half of the keywords are of an adult nature. So most pages contain very explicit images, and Google Image Search excludes those blogs from searches with strict and moderate (default) filtering. Only a very small percentage of rogue blogs with relatively moderate content make it into default image search results.
But once you turn off SafeSearch (after all, the content of the blogs suggests they are after porn searchers, who disable SafeSearch filtering), you get poisoned search results on the first page for almost every keyword found on the malicious landing pages. Moreover, for many of the searches, more than 50% of the results on the first pages point to rogue blog pages.
With filtering turned off, you don't have to search for adult content to be exposed to poisoned search results. Even completely innocent searches like "Barry Manilow" or "Trade Show British Columbia" will get you a few (if not all) malicious links on the first pages of Google Image Search results. As you can see, it is not only porn sites that can be dangerous. Merely switching Google search preferences to "porn-friendly" mode may be dangerous.
In Google's defense, I can say that a lot of the rogue blogs have already been blacklisted, and Google displays the "This site may harm your computer" warning next to their web search results. However, this warning doesn't appear in Image Search (although when people click on blacklisted results they see the warning page anyway), and only about 30% of the malicious blogs are currently flagged. This means that web surfers won't see any warning when they click on the remaining 70% (tens of millions) of the poisoned search results. I hope this article will help improve that ratio.
Not only did the hackers create rogue blogs in subdirectories of legitimate websites on the Servage network, they also experimented with similar Blogger blogs. They created a lot of blogs with URLs like candace8711.blogspot.com and robyn2123.blogspot.com – 20 blogs under a single Blogger account.
For the Blogger blogs, the hackers used a dedicated domain name in the scripts that redirected to Fake AV sites: blogpics3 .in
But it looks like the Blogger blogs didn't work as well as blogs on established legitimate sites, and they seem to have been abandoned at the beginning of April. Since then, the Blogger team has closed a lot of these malicious blogs (for example, the blogs I mentioned above were still online just a few days ago – now they are gone).
Another alternative location for rogue blogs is the celebsfinectpics .com site. It has many subdomains like kara10181 .celebsfinectpics .com or dann3841 .celebsfinectpics .com. They are exactly the same rogue blogs redirecting users to scareware sites. The only difference is that they are hosted on the hackers' own server.
The domain name used in the malicious scripts on the celebsfinectpics .com blogs is celebsfinectpics .in.
The celebsfinectpics .com domain resolves to 94 .228 .209 .133. This is one of the IPs that the malicious scripts on the rogue blogs point to.
Apparently, those subdomains didn't work well for the criminals either. I don't see any new posts after April 22.
The hosting provider Servage has serious security problems that allow hackers to create thousands of rogue blogs in subdirectories of legitimate websites belonging to Servage clients. This has been going on since at least April 2009. Servage was notified about it a few months ago, but their support never acknowledged the problem and blamed it on users, which is hard to believe when the attack is limited to Servage servers and affects thousands of websites. Moreover, Servage hasn't done anything to stop the attack and evict the hackers from their servers.
Black-hat SEO operators have figured out an effective way to spam Google Image Search, and now their spammy and malicious links dominate the first pages of search results for millions of queries. Google should definitely tweak its ranking algorithms for Image Search or improve its anti-spam efforts.
Google can start by delisting subdirectories with the rogue blogs on legitimate websites described here. It’s quite simple to identify them all:
Or use the searches that I mentioned above – they are quite accurate.
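As an added example (not part of the original post and not the author's own tooling), here is how the identification step above and the earlier IP analysis of the 1,130 domains can be scripted: recognising the rogue-blog URL shape described in this post (/<word><digits>/?x=y:10[;m:MM]&paged=<n>), extracting the unique domains, and counting them per hosting network. The sample URLs, the stub DNS table and the network ranges are constructed for the example; the ranges use documentation prefixes and are not Servage's real netblocks, and a real run would replace the dict lookup with DNS queries.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Callable, NamedTuple, Optional
from urllib.parse import urlsplit

# URL shape described in the post: /<word><digits>/?x=y:10[;m:MM]&paged=<n>
ROGUE_PATH = re.compile(r"^/(?P<slug>[a-z]+)(?P<num>\d{1,5})/?$")
ROGUE_X = re.compile(r"^y:10(?:;m:(?P<month>\d{2}))?$")

# Hypothetical hosting ranges (documentation prefixes, NOT Servage's real netblocks).
HOSTING_RANGES = {
    "Servage.net": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")],
}


class RogueHit(NamedTuple):
    host: str
    slug: str
    num: int            # number in the subdirectory name (basis of the ~10,000 estimate)
    month: Optional[str]
    paged: int


def parse_query(query: str) -> dict:
    """Split a query string on '&' only, so 'x=y:10;m:03' stays one value
    (urllib.parse.parse_qs treats ';' differently across Python versions)."""
    out = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key] = value
    return out


def parse_rogue_url(url: str) -> Optional[RogueHit]:
    """Return a RogueHit if the URL has the rogue-blog shape, else None."""
    parts = urlsplit(url)
    path = ROGUE_PATH.match(parts.path)
    if not path or not parts.hostname:
        return None
    query = parse_query(parts.query)
    x = ROGUE_X.match(query.get("x", ""))
    paged = query.get("paged", "")
    if not x or not paged.isdigit():
        return None
    return RogueHit(parts.hostname, path["slug"], int(path["num"]), x["month"], int(paged))


def classify_ip(ip: str, ranges=HOSTING_RANGES) -> str:
    """Name the hosting network an IP falls into, or 'other'."""
    addr = ip_address(ip)
    for name, nets in ranges.items():
        if any(addr in net for net in nets):
            return name
    return "other"


def tally_by_network(urls, resolve: Callable[[str], Optional[str]], ranges=HOSTING_RANGES):
    """Extract the unique rogue-blog domains from `urls`, resolve each with
    `resolve` (host -> IP string, or None) and count them per hosting network.
    Also returns the largest subdirectory number seen."""
    hits = [hit for hit in map(parse_rogue_url, urls) if hit]
    domains = sorted({hit.host for hit in hits})
    counts = Counter()
    for host in domains:
        ip = resolve(host)
        counts["unresolved" if ip is None else classify_ip(ip, ranges)] += 1
    return domains, counts, max((hit.num for hit in hits), default=0)


# Constructed sample data for a stand-alone run.
SAMPLE_URLS = [
    "http://victim-one.example/candace1234/?x=y:10&paged=4",
    "http://victim-one.example/candace1234/?x=y:10;m:03&paged=12",
    "http://victim-two.example/robyn2123/?x=y:10;m:04&paged=1",
    "http://victim-three.example/kara10181/?x=y:10&paged=7",
    "http://shop.example/products/?x=y:10&paged=2",         # no <word><digits> directory
    "http://blog.example/archive2009/?page=3",              # ordinary pagination
    "http://victim-four.example/dann3841/?x=y:11&paged=2",  # wrong x= value
]
FAKE_DNS = {  # stands in for real DNS lookups
    "victim-one.example": "198.51.100.17",
    "victim-two.example": "203.0.113.200",
    "victim-three.example": "192.0.2.9",  # parked elsewhere
}

if __name__ == "__main__":
    domains, counts, largest = tally_by_network(SAMPLE_URLS, FAKE_DNS.get)
    print(len(domains), "rogue-blog domains:", domains)
    for network, n in counts.most_common():
        print(f"  {network}: {n}")
    print("largest subdirectory number:", largest)
```

The path and query checks are deliberately strict (lowercase word followed by digits, x=y:10 with an optional ;m:MM month, numeric paged=), so ordinary paginated archives such as /archive2009/?page=3 are not flagged; the per-network counts then reproduce the kind of breakdown given earlier for the 1,130 domains.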
(Consider this article a bulk spam and malware report – I'm not going to report every URL individually.)
Turning off the SafeSearch option in Google search (especially in Image Search) is a dangerous practice. It significantly increases the risk of clicking on poisoned search results that lead to attack sites, even when you search for something completely innocent.
What do you think about hosting providers that allow such massive hacks and fail to address them for a long time? Have you ever stumbled across search results pages where most of the links point to malicious or outright spammy pages?
Your comments are welcome. It would be especially interesting to hear from Servage and Google.
In the next post I'll share more details about those rogue blogs.