Blackhat SEO Campaign targets Security Software
Recently, while searching on Google for some security-software-related keywords, I noticed a massive Blackhat SEO campaign aimed at capturing users who search for terms related to various security software.
When clicking on any of these links, the user is generally redirected to malicious pages that are used to harvest new keywords, details about the visiting user, the number of visitors per link and other information.
Not all of the links redirect users to malicious websites promoting rogue security software, perhaps because the Blackhat SEO campaign is still in its early stage and is being used to collect specific details, such as which compromised websites generate the most traffic and which countries the users come from, or simply to secure the first results of a Google search. The collected details can then be used to launch a much more effective attack that reaches a very large percentage of users.
We had some luck and found links that have already started redirecting users to very dangerous websites showing aggressive security warnings and fake system scans claiming the computer is infected with a huge number of trojans. When the user clicks anywhere on the page, they are immediately prompted to download the executable of a rogue security program to remove the so-called infections.
Below is the network traffic with the malicious websites:
GET /in.php?t=cc&h=acornwiki.com&p=xxx HTTP/1.1
Host: merin22.mooo.com

HTTP/1.1 302 Found
Location: hxxp://gink22hok.com/?uid=195&pid=3&ttl=51e48633529

GET /?uid=195&pid=3&ttl=51e48633529 HTTP/1.1
Host: gink22hok.com

HTTP/1.1 302 Found
Location: hxxp://www1.allstaffdefender.com/?p=xxx

GET /Scripts/Strategies/6a32aaf2501cb37bf18e746c5d2eddcb503004011.js
Host: www1.allstaffdefender.com

GET /build6_195.php?cmd=getFile&counter=2&p=xxx HTTP/1.1
Host: www1.yourstaffdefender.com

HTTP/1.1 200 OK
Pragma: hack
Content-Length: 254976
Content-Disposition: attachment; filename=packupdate_build6_195.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1
From the above traffic, we can see that the malicious website loads the script:
6a32aaf2501cb37bf18e746c5d2eddcb503004011.js
It then immediately redirected us to a download of the file packupdate_build6_195.exe, which is the installer of the rogue security software named LivePC Guard. When executed, the program creates the following files on the system:
%AllUsers%\Application Data\3dfcb0e
%AllUsers%\Application Data\3dfcb0e\LivePCGuard.exe
%AllUsers%\Application Data\3dfcb0e\LP3dfc.exe
%User%\LOCALS~1\Temp\del.bat
%AllUsers%\Application Data\3dfcb0e\sqlite3.dll
%AllUsers%\Application Data\3dfcb0e\mozcrt19.dll
%AllUsers%\Application Data\LPPKCG
%AllUsers%\Application Data\LPPKCG\LPMMIPCG.cfg
C:\WINDOWS\system32\drivers\etc\host_new
%User%\Application Data\Live PC Care
%AllUsers%\Application Data\3dfcb0e\Quarantine Items
%AllUsers%\Application Data\3dfcb0e\LPCGSys
%AllUsers%\Application Data\3dfcb0e\LPCGSys\vd952342.bd
The program hijacks the HOSTS file:
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
84.19.171.5 google.ae
84.19.171.5 google.as
84.19.171.5 google.at
84.19.171.5 google.az
84.19.171.5 google.ba
84.19.171.5 google.be
84.19.171.5 google.bg
84.19.171.5 google.bs
...
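The HOSTS hijack above has a recognisable shape: Google country domains, Google Safe Browsing and Microsoft's URL reputation host all pinned to a handful of non-loopback IPs. The following Python check is an added example, not code from the original post; the sample HOSTS text is constructed here from the entries shown above, and the watched-domain pattern and fan-out threshold are my own assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample HOSTS file modelled on the entries shown above (not a real system's file).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
84.19.171.5 google.ae
84.19.171.5 google.be
"""

# Names a legitimate HOSTS file has no reason to pin: Google (any ccTLD) and Microsoft.
WATCHED = re.compile(r"(^|\.)(google\.[a-z]{2,3}(\.[a-z]{2})?|microsoft\.com)$")

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def find_hijacks(text, fanout_threshold=5):
    """Return sorted (ip, hostname) pairs that look hijacked: a watched domain mapped
    anywhere but loopback, or one non-loopback IP absorbing fanout_threshold+ names."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
    flagged = set()
    for ip, names in by_ip.items():
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are normal (ad-blocking, localhost)
        for name in names:
            if WATCHED.search(name) or len(names) >= fanout_threshold:
                flagged.add((str(ip), name))
    return sorted(flagged)
```

On a live Windows host the same function can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts; the sinkhole heuristic also catches the payment-site entries once enough of them share one IP.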
We have noticed new connections to other malicious websites:
GET /index.php?controller=hash HTTP/1.1
Host: newsystem-guard.in

HEAD /index.php?controller=microinstaller&abbr=LPCG HTTP/1.1
Host: newsystem-guard.in

GET /Reports/MicroinstallServiceReport.php?p=xxx HTTP/1.1
Host: securityearth.cn

GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay1.livepcguard.com

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: livepcguard.com

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: safetyearth.net

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: newsystem-guard.in

GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay2.livepcguard.com

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: protectedfield.in

GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: paymentsafety.net

GET /Reports/install-report.php/?abbr=LPCG&wv=wvXP HTTP/1.1
Host: safetyearth.net

GET /Reports/SoftServiceReport.php?verint=645&wv=wvXP HTTP/1.1
Host: safetyearth.net

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update1.livepcguard.com

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: mysecurityland.com

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update2.livepcguard.com
From the traffic above we can see that the program establishes connections to fraudulent payment systems and starts receiving the fraudulent HTML templates that are displayed to the user, asking for sensitive data such as credit card details to purchase the rogue security program.
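Both captures above carry indicators a proxy log review can key on: the 302 hops, the forced .exe download, the non-standard Pragma value and the HEAD beacons sent with the Lp3dfc User-Agent. The following Python is an added example, not code from the original post; the excerpt it parses is constructed here from the captures shown above (URLs defanged as hxxp, as in the post), and the "browser" User-Agent prefixes are my assumption.

```python
import re

# Constructed excerpt modelled on the two captures above (not a raw capture from the post).
SAMPLE_TRAFFIC = """\
HTTP/1.1 302 Found
Location: hxxp://gink22hok.com/?uid=195&pid=3&ttl=51e48633529

GET /build6_195.php?cmd=getFile&counter=2&p=xxx HTTP/1.1
Host: www1.yourstaffdefender.com

HTTP/1.1 200 OK
Pragma: hack
Content-Disposition: attachment; filename=packupdate_build6_195.exe

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: livepcguard.com
"""

def split_messages(text):
    """Split a capture into (start_line, headers) tuples; messages are separated by blank lines."""
    messages = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        headers = {}
        for header in lines[1:]:
            key, _, value = header.partition(":")
            headers[key.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages

def analyse(text):
    """Return (indicator, detail) findings in capture order."""
    findings = []
    for start, hdr in split_messages(text):
        if start.startswith("HTTP/") and " 302 " in start and "location" in hdr:  # redirect hop
            host = re.sub(r"^[a-z]+://", "", hdr["location"]).split("/")[0]
            findings.append(("redirect", host))
        pragma = hdr.get("pragma", "").lower()
        if pragma and pragma != "no-cache":  # only "no-cache" is a standard value
            findings.append(("odd_pragma", pragma))
        m = re.search(r'filename="?([^";]+\.exe)', hdr.get("content-disposition", ""), re.I)
        if m:  # server pushes an executable as an attachment
            findings.append(("exe_download", m.group(1)))
        ua = hdr.get("user-agent", "")
        if start.startswith("HEAD ") and ua and not ua.startswith(("Mozilla", "Opera")):
            findings.append(("beacon", f"{ua} -> {hdr.get('host', '?')}"))  # non-browser check-in
    return findings
```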
Keywords used in the Blackhat SEO strategy:
trespass.php?be=free-online-virus-protection
labora.php?ate=online-virus-scan-free
scuffle.php?un=free-online-malware-scan
gleek.php?kip=free-malware-scanner
trespass.php?be=free-online-virus-protection
domesday.php?om=free-spyware-scanner
noobe.php?bal=avg-free-virus-scanner
ingesta.php?cb=free-conficker-scan
sucrose.php?va=free-anti-rootkit
jib.php?hew=bandwidth-test-free
rudd.php?auf=free-spyware-and-adware-removal
metritis.php?ugh=activex-free-install
colaptes.php?mem=adware-removal-free
jib.php?hew=free-virus-patch
edged.php?yea=free-spy-doctor
mammal.php?be=conficker-virus-free-removal
gleek.php?kip=norton-firewall-free
serratus.php?lb=ad-aware-se-free-download
ersatz.php?ben=avg-spyware-free
eile.php?jib=norton-virus-free-trial
anaphase.php?toy=free-keylogger-program
colaptes.php?mem=free-popup-blocker
ingesta.php?cb=free-spybot-downloads
sucrose.php?va=free-bootable-cd
aden.php?x=free-online-malware-scan
chinked.php?pee=online-virus-scan-free
timeful.php?rou=free-mcafee-online-virus-scan
lipase.php?few=free-virus-scan-mac
Always be careful when searching for any kind of keyword and make sure to check the links before clicking on them. We suggest browsing the Internet with Mozilla Firefox and the NoScript add-on.