2018-01-06 - COMPROMISED WEB SITES LEADING TO FAKE AV OR OTHER UNWANTED PAGES

ASSOCIATED FILES:

  • 2018-01-05-fake-AV-page-after-viewing-metafor.fr.pcap   (310,340 bytes)
  • 2018-01-05-fake-AV-page-after-viewing-mrs-inkjet.com.pcap   (151,532 bytes)
  • 2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap   (307,867 bytes)
  • 2018-01-05-fake-AV-site-after-viewing-galina-eg.com.pcap   (77,651 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-breathtest.com.au.pcap   (299,812 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-mitchandgina.com.pcap   (48,229 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap   (69,955 bytes)

 

EXECUTIVE SUMMARY

Using a Google search, you can find a large number of compromised web sites redirecting to a fake anti-virus (AV) page or other unwanted destinations.  Today's blog post provides characteristics of this campaign, and it reviews how I found more compromised sites based on the injected script.

 

Shown above:  An example of the fake AV pages seen from this campaign.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

 

DATA FROM MY TRAFFIC EXAMPLES

REDIRECT URLS CAUSED BY INJECTED SCRIPT ON COMPROMISED SITES:

NEXT STEP: URLS REDIRECTING TO THE FAKE AV PAGES (DOMAINS CONSTANTLY CHANGING):

FINAL STEP: DOMAINS USED FOR FAKE AV PAGES (CONSTANTLY CHANGING):

 

THE GOOGLE SEARCH

The Google search is "ferh.noitacol.tnemucod" (here's a link for it).  You should find something similar to the image below.  I've highlighted some of the reversed URLs from the injected script in the search results.

 

FINDING THE INJECTED SCRIPT

On Friday, @baberpervez2 tipped me off to some websites that caused fake anti-virus (AV) pages to appear.  I tested a few of them in my lab.  Each of the websites generated fake AV pages, or they generated pages to other unwanted destinations.  Below are Wireshark captures on four of them I checked out.

 

Each compromised website led to a URL hosted on kodmax.com that redirected to the fake AV page.  Below is an example of the chain of events.  The last URL is the fake AV page.

The kodmax.com URL redirected to a URL on nn0blecalling305011.tk, and that URL redirected to the fake AV page on nn0blesapport605011234567.tk.  These .tk domains occasionally changed throughout the day.

On the initial compromised site, what does the injected script look like?  Below is an example.  The injected script is outlined in red.  Some of the script, including the kodmax URL, is backwards.  I've highlighted the backwards kodmax URL in yellow.

 

The injected script usually appears multiple times on any page viewed from the compromised site.  In the example below, I've highlighted the entire injected script in yellow.  As you can see, it randomly breaks up the HTML code in a page from the compromised site.

 

I found more compromised sites by searching Google for that backwards URL.  My search on "php.tegdiw.ssalc/bil/orp-tegdiw-rettiwt/snigulp/tnetnoc-pw/moc.xamdok" returned several pages of results.

 

When I tried a search to find out how long a 15000 delay was, I realized you can search on other parts of the injected script.  That way, you can find other backwards URLs.

 

I checked one of the pages and found two different reversed URLs on the same page from a compromised site.  I've highlighted them in the image below.

 

After refining my Google searches, I found five backwards URLs associated with this campaign.  If you search, be aware that not every search result actually has the injected script.  Furthermore, the injected script doesn't always lead to a fake AV page (although it will redirect to something).  And finally, the malicious script is sometimes not properly injected, and it will not work.
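
The same reversed-string tell can be checked on your own site's pages instead of through Google.  The script below is an added example, not code from this post or from the campaign; it pulls string literals out of script blocks, reverses each one, and flags any whose reversed spelling is a JavaScript property chain or a URL path.  The sample HTML is constructed for the demonstration and is a stand-in for the real injected script, which this post only shows in screenshots.

```python
import re

# Legitimate scripts do not spell these backwards; a string literal whose
# reversed form contains one of them is the tell described in the post.
JS_TOKENS = ("document.location.href", "window.location", "setTimeout")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
# host/path with no scheme, like the reversed kodmax URL from the post
URL_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}/\S*$", re.I)

# Constructed sample page: one clean script, one stand-in for the injection.
SAMPLE_HTML = """<html><body><p>Welcome to our shop</p>
<script>var a="ferh.noitacol.tnemucod";
var b="php.tegdiw.ssalc/bil/orp-tegdiw-rettiwt/snigulp/tnetnoc-pw/moc.xamdok";
setTimeout(function(){ /* constructed stand-in for the redirect */ }, 15000);
</script>
<p>Contact us at <a href="/contact">contact</a></p>
<script>var greet = "hello"; document.title = greet;</script>
</body></html>"""


def find_reversed_strings(html):
    """Return (literal, decoded) pairs for string literals inside <script>
    blocks whose reversed spelling is a JS token or a URL path."""
    hits = []
    for block in SCRIPT_RE.findall(html):
        for _, lit in STRING_RE.findall(block):
            decoded = lit[::-1]
            if any(tok in decoded for tok in JS_TOKENS) or URL_RE.match(decoded):
                hits.append((lit, decoded))
    return hits


def indicator_domains(hits):
    """Hostnames from the decoded URL hits, for a web traffic block list."""
    domains = set()
    for _, decoded in hits:
        if URL_RE.match(decoded):
            host = re.sub(r"^https?://", "", decoded, flags=re.I).split("/", 1)[0]
            domains.add(host.lower())
    return sorted(domains)


if __name__ == "__main__":
    for lit, decoded in find_reversed_strings(SAMPLE_HTML):
        print(f"{lit!r} -> {decoded}")
    print("block:", indicator_domains(find_reversed_strings(SAMPLE_HTML)))
```

A page with no injected script returns an empty list, which matches the post's caveat that not every search result actually carries the script.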

Feel free to use the Google search I described earlier to find the compromised sites.  Your results should be productive until the criminals behind this campaign change their tactics.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
