2018-01-06 - COMPROMISED WEB SITES LEADING TO FAKE AV OR OTHER UNWANTED PAGES

NOTICE:

ASSOCIATED FILES:

  • 2018-01-05-fake-AV-page-after-viewing-metafor_fr.pcap   (310,340 bytes)
  • 2018-01-05-fake-AV-page-after-viewing-mrs-inkjet_com.pcap   (151,532 bytes)
  • 2018-01-05-fake-AV-page-after-viewing-sunrisegolf_club.pcap   (307,867 bytes)
  • 2018-01-05-fake-AV-site-after-viewing-galina-eg_com.pcap   (77,651 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-breathtest_com_au.pcap   (299,812 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-mitchandgina_com.pcap   (48,229 bytes)
  • 2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri_org.pcap   (69,955 bytes)

 

EXECUTIVE SUMMARY

Using a Google search, you can find a large number of compromised web sites redirecting to a fake anti-virus (AV) page or other unwanted destinations.  Today's blog post provides characteristics of this campaign, and it reviews how I found more compromised sites based on the injected script.

 

Shown above:  An example of the fake AV pages seen from this campaign.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

 

DATA FROM MY TRAFFIC EXAMPLES

REDIRECT URLS CAUSED BY INJECTED SCRIPT ON COMPROMISED SITES:

NEXT STEP: URLS REDIRECTING TO THE FAKE AV PAGES (DOMAINS CONSTANTLY CHANGING):

FINAL STEP: DOMAINS USED FOR FAKE AV PAGES (CONSTANTLY CHANGING):

 

THE GOOGLE SEARCH

The Google search is "ferh.noitacol.tnemucod", which is document.location.href written backwards (here's a link for it).  You should find something similar to the image below.  I've highlighted some of the reversed URLs from the injected script in the search results.

 

FINDING THE INJECTED SCRIPT

On Friday, @baberpervez2 tipped me off to some websites that caused fake anti-virus (AV) pages to appear.  I tested a few of them in my lab.  Each of the websites generated fake AV pages, or they generated pages to other unwanted destinations.  Below are Wireshark captures on four of them I checked out.

 

Each compromised website led to a URL hosted on kodmax[.]com that redirected to the fake AV page.  Below is an example of the chain of events.  The last URL is the fake AV page.

The kodmax[.]com URL redirected to a URL on nn0blecalling305011[.]tk, and that URL redirected to the fake AV page on nn0blesapport605011234567[.]tk.  These [.]tk domains occasionally changed throughout the day.

On the initial compromised site, what does the injected script look like?  Below is an example.  The injected script is outlined in red.  Some of the script, including the kodmax URL, is backwards.  I've highlighted the backwards kodmax URL in yellow.

 

The injected script usually appears multiple times on any page viewed from the compromised site.  In the example below, I've highlighted the entire injected script in yellow.  As you can see, it randomly breaks up the HTML code in a page from the compromised site.

 

I found more compromised sites by searching Google for that backwards URL.  My search on "php.tegdiw.ssalc/bil/orp-tegdiw-rettiwt/snigulp/tnetnoc-pw/moc.xamdok" returned several pages of results.

 

When I searched for the 15000 delay value from the script to find out how long that delay was, I realized you can search on other parts of the injected script as well.  That way, you can find other backwards URLs.

 

I checked one of the pages and found two different reverse URLs on the same page from a compromised site.  I've highlighted them in the image below.
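As an added example (not code from the original post), the following Python scans a page's HTML for the two signs of this injected script described above: known JavaScript tokens stored backwards (the "ferh.noitacol.tnemucod" string) and strings that only read as a URL once reversed, and reports the decoded forms so a site administrator can check their own pages.  The sample HTML, the token list beyond document.location.href, and the TLD set are constructed assumptions, not data from the captures.

```python
import re
from dataclasses import dataclass

# JavaScript tokens the injected script hides by writing them backwards.
# "document.location.href" is the one the post shows; the others are assumed.
FORWARD_TOKENS = ["document.location.href", "window.location", "setTimeout"]
REVERSED_TOKENS = {t[::-1]: t for t in FORWARD_TOKENS}

# Small TLD set (assumption) so "php.tegdiw.ssalc" is not mistaken for a host.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "tk", "ru"}

# host(.label)+ with an optional path; scheme is optional.
URL_RE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/[^\s'\"]*)?$", re.I)
# Runs of URL-safe characters long enough to be a hidden host/path string.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9._/-]{8,}")


@dataclass
class Finding:
    kind: str           # "token" or "url"
    reversed_form: str  # what is literally in the page
    decoded: str        # the string read backwards
    count: int          # how many times it appears (the script repeats)


def looks_like_url(s: str) -> bool:
    """True when s is host/path shaped and its host ends in a known TLD."""
    if not URL_RE.match(s):
        return False
    host = re.sub(r"^https?://", "", s, flags=re.I).split("/", 1)[0]
    return host.rsplit(".", 1)[-1].lower() in KNOWN_TLDS


def scan_html(html: str) -> list[Finding]:
    """Report reversed tokens and URLs that only parse as a URL when reversed."""
    findings: list[Finding] = []
    for rev, fwd in REVERSED_TOKENS.items():
        n = html.count(rev)
        if n:
            findings.append(Finding("token", rev, fwd, n))
    seen: set[str] = set()
    for cand in CANDIDATE_RE.findall(html):
        # Skip ordinary URLs; flag only strings that become a URL when reversed.
        if cand in seen or looks_like_url(cand) or not looks_like_url(cand[::-1]):
            continue
        seen.add(cand)
        findings.append(Finding("url", cand, cand[::-1], html.count(cand)))
    return findings


# Constructed sample page (not a real capture) carrying both reversed strings.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script>var a="ferh.noitacol.tnemucod";</script><p>Some text, see example.com/index.html</p>
<script>var u="php.tegdiw.ssalc/bil/orp-tegdiw-rettiwt/snigulp/tnetnoc-pw/moc.xamdok";</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.kind}: {f.reversed_form} -> {f.decoded} (x{f.count})")
```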

 
