Blackhat SEO Campaign targets Security Software

Recently, while searching Google for keywords related to security software, I noticed a massive Blackhat SEO campaign aimed at capturing users who search for keywords related to various security software products.

Compromised websites used for Blackhat SEO

When clicking on any of these links, the user is generally redirected to malicious links that are used to capture new keywords, details of the users visiting the links, how many users have visited them, and much other information.

Fake links used to log statistics

Not all the links redirect users to malicious websites that promote rogue security software, perhaps because the Blackhat SEO campaign is still in its early stage and is being used to collect specific details, such as which compromised websites generate the most traffic and the country of origin of the users, or simply to secure the first results on a Google search. All the collected details can then be used to launch a much more powerful attack that guarantees a very large percentage of infected users.

We had some luck and found some links that have already started to redirect users to very dangerous websites showing a lot of aggressive security warnings and fake system scans stating that your computer is infected with a huge number of trojans. When the user clicks anywhere on the website, they are immediately prompted to download an executable file of a rogue security software to remove the so-called infections.

Fake alerts

Below is the network traffic exchanged with the malicious websites:

GET /in.php?t=cc&h=acornwiki.com&p=xxx HTTP/1.1
Host: merin22.mooo.com
 
HTTP/1.1 302 Found
Location: hxxp://gink22hok.com/?uid=195&pid=3&ttl=51e48633529
 
GET /?uid=195&pid=3&ttl=51e48633529 HTTP/1.1
Host: gink22hok.com
 
HTTP/1.1 302 Found
Location: hxxp://www1.allstaffdefender.com/?p=xxx
 
GET /Scripts/Strategies/6a32aaf2501cb37bf18e746c5d2eddcb503004011.js
Host: www1.allstaffdefender.com
 
GET /build6_195.php?cmd=getFile&counter=2&p=xxx HTTP/1.1
Host: www1.yourstaffdefender.com
 
HTTP/1.1 200 OK
Pragma: hack
Content-Length: 254976
Content-Disposition: attachment; filename=packupdate_build6_195.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

From the above traffic, we can see that the malicious website loads the script:

6a32aaf2501cb37bf18e746c5d2eddcb503004011.js

It then immediately redirects us to download the file named packupdate_build6_195.exe, which is the setup file of the rogue security software named LivePC Guard. When the program is executed, it creates the following files on the system:

%AllUsers%\Application Data\3dfcb0e
%AllUsers%\Application Data\3dfcb0e\LivePCGuard.exe
%AllUsers%\Application Data\3dfcb0e\LP3dfc.exe
%User%\LOCALS~1\Temp\del.bat
%AllUsers%\Application Data\3dfcb0e\sqlite3.dll
%AllUsers%\Application Data\3dfcb0e\mozcrt19.dll
%AllUsers%\Application Data\LPPKCG
%AllUsers%\Application Data\LPPKCG\LPMMIPCG.cfg
C:\WINDOWS\system32\drivers\etc\host_new
%User%\Application Data\Live PC Care
%AllUsers%\Application Data\3dfcb0e\Quarantine Items
%AllUsers%\Application Data\3dfcb0e\LPCGSys
%AllUsers%\Application Data\3dfcb0e\LPCGSys\vd952342.bd

The program hijacks the HOSTS file:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
84.19.171.5 google.ae
84.19.171.5 google.as
84.19.171.5 google.at
84.19.171.5 google.az
84.19.171.5 google.ba
84.19.171.5 google.be
84.19.171.5 google.bg
84.19.171.5 google.bs
...
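The HOSTS modification above is a classic rogue AV trick: pin the scammer's own payment domains, the browser's safe-browsing lookup and the search engine's country domains to addresses the attacker controls. The following Python script is an added example, not part of the original post, that parses a HOSTS file and flags exactly this pattern: protection or search hostnames mapped to a non-local address, and many hostnames fanning out to one remote IP. The sample HOSTS text is constructed from a cut-down copy of the entries shown above; the watch-list and the fan-out threshold are this example's own choices.

```python
"""Check a Windows HOSTS file for the hijack pattern shown in the post:
protection/search hostnames and unrelated payment domains all pinned to
one remote IP. Sample input is constructed from the post's entries."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: abbreviated copy of the hijacked entries from the post,
# with the normal localhost line a real HOSTS file carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
84.19.171.5 google.ae
84.19.171.5 google.at
84.19.171.5 google.be
"""

# Hostnames whose redirection blinds browser/OS protection or search (example's
# own watch-list, chosen from the names in the post).
WATCHED_SUFFIXES = ("safebrowsing-cache.google.com", "urs.microsoft.com")
WATCHED_PATTERNS = (re.compile(r"^(www\.)?google\.[a-z.]+$"),)


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field, skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local(ip):
    """127.x / 0.0.0.0 pins are the legitimate, blocking use of HOSTS."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, fanout_threshold=3):
    """Return findings as (reason, ip, hostnames) tuples."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
    findings = []
    for ip, names in by_ip.items():
        if is_local(ip):
            continue
        watched = [n for n in names
                   if n.endswith(WATCHED_SUFFIXES)
                   or any(p.match(n) for p in WATCHED_PATTERNS)]
        if watched:
            findings.append(("protection/search domain pinned to remote IP", ip, watched))
        if len(names) >= fanout_threshold:
            findings.append(("many hostnames pinned to one remote IP", ip, names))
    return findings


if __name__ == "__main__":
    for reason, ip, names in find_hijacks(SAMPLE_HOSTS):
        print(f"{reason}: {ip} -> {', '.join(names)}")
```

On a live system you would read `C:\WINDOWS\system32\drivers\etc\hosts` instead of the constructed sample; the post also lists a `host_new` file dropped beside it, which is worth scanning with the same function. A HOSTS file with only loopback pins produces no findings.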

We have noticed new connections to other malicious websites:

GET /index.php?controller=hash HTTP/1.1
Host: newsystem-guard.in
 
HEAD /index.php?controller=microinstaller&abbr=LPCG HTTP/1.1
Host: newsystem-guard.in
 
GET /Reports/MicroinstallServiceReport.php?p=xxx HTTP/1.1
Host: securityearth.cn
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay1.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: safetyearth.net
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: newsystem-guard.in
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay2.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: protectedfield.in
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: paymentsafety.net
 
GET /Reports/install-report.php/?abbr=LPCG&wv=wvXP HTTP/1.1
Host: safetyearth.net
 
GET /Reports/SoftServiceReport.php?verint=645&wv=wvXP HTTP/1.1
Host: safetyearth.net
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update1.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: mysecurityland.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update2.livepcguard.com
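Both captures in this post show things a proxy or IDS can pick out of plain HTTP: the first a chain of 302 redirects ending in an executable served as an attachment, the second a stream of beacons with the non-browser User-Agent `Lp3dfc`. The following Python script is an added example, not code from the post, that parses captures in the format shown above and applies those two detection rules. The sample capture is constructed from an abbreviated copy of the post's own traffic; the executable extensions and the "browser-looking" User-Agent prefix are this example's own assumptions.

```python
"""Parse raw HTTP captures (requests and responses separated by blank
lines) and flag (1) redirect chains ending in an executable attachment
and (2) requests with a non-browser User-Agent. Sample data constructed
from the captures in the post."""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copy of the post's captures.
SAMPLE_CAPTURE = """\
GET /in.php?t=cc&h=acornwiki.com&p=xxx HTTP/1.1
Host: merin22.mooo.com

HTTP/1.1 302 Found
Location: hxxp://gink22hok.com/?uid=195&pid=3&ttl=51e48633529

GET /?uid=195&pid=3&ttl=51e48633529 HTTP/1.1
Host: gink22hok.com

HTTP/1.1 302 Found
Location: hxxp://www1.allstaffdefender.com/?p=xxx

GET /Scripts/Strategies/6a32aaf2501cb37bf18e746c5d2eddcb503004011.js
Host: www1.allstaffdefender.com

GET /build6_195.php?cmd=getFile&counter=2&p=xxx HTTP/1.1
Host: www1.yourstaffdefender.com

HTTP/1.1 200 OK
Pragma: hack
Content-Length: 254976
Content-Disposition: attachment; filename=packupdate_build6_195.exe

HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: livepcguard.com
"""

EXECUTABLE_EXTS = (".exe", ".scr", ".msi")   # example's own choice


@dataclass
class Message:
    kind: str                       # "request" or "response"
    start_line: str
    headers: dict = field(default_factory=dict)


def parse_capture(text):
    """Split the capture at blank lines; header names are lowercased."""
    messages = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        start = lines[0].strip()
        kind = "response" if start.startswith("HTTP/") else "request"
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        messages.append(Message(kind, start, headers))
    return messages


def dropper_chains(messages):
    """Redirect chains that end in an executable attachment, as
    (hosts_in_order, filename) tuples."""
    found, chain = [], []
    for msg in messages:
        if msg.kind == "request":
            chain.append(msg.headers.get("host", "?"))
            continue
        if msg.start_line.startswith("HTTP/1.1 302"):
            continue                    # the next request shows where we landed
        disp = msg.headers.get("content-disposition", "")
        m = re.search(r"filename=([^;\s]+)", disp)
        if m and m.group(1).lower().endswith(EXECUTABLE_EXTS):
            found.append((chain, m.group(1)))
        chain = []                      # a final (non-302) response ends the chain
    return found


def odd_user_agents(messages, browser_prefixes=("Mozilla/",)):
    """(User-Agent, host) pairs for requests whose UA is not browser-like."""
    return sorted({
        (m.headers["user-agent"], m.headers.get("host", "?"))
        for m in messages
        if m.kind == "request" and "user-agent" in m.headers
        and not m.headers["user-agent"].startswith(browser_prefixes)
    })


if __name__ == "__main__":
    msgs = parse_capture(SAMPLE_CAPTURE)
    for hosts, name in dropper_chains(msgs):
        print("dropper:", " -> ".join(hosts), "=>", name)
    for ua, host in odd_user_agents(msgs):
        print("beacon UA:", ua, "to", host)
```

The chain detector deliberately keeps every host seen between the first request and the attachment response, so the intermediate script-hosting site appears in the output alongside the redirectors; that is the list of domains to block or hunt for in proxy logs.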

From the traffic above we can see that the program has established connections with fraudulent payment systems and has started to receive the fraudulent HTML templates that are displayed to the user, asking them to enter sensitive data, such as credit card details, needed to buy the rogue security program.

Keywords used in the Blackhat SEO strategy:

trespass.php?be=free-online-virus-protection
labora.php?ate=online-virus-scan-free
scuffle.php?un=free-online-malware-scan
gleek.php?kip=free-malware-scanner
trespass.php?be=free-online-virus-protection
domesday.php?om=free-spyware-scanner
noobe.php?bal=avg-free-virus-scanner
ingesta.php?cb=free-conficker-scan
sucrose.php?va=free-anti-rootkit
jib.php?hew=bandwidth-test-free
rudd.php?auf=free-spyware-and-adware-removal
metritis.php?ugh=activex-free-install
colaptes.php?mem=adware-removal-free
jib.php?hew=free-virus-patch
edged.php?yea=free-spy-doctor
mammal.php?be=conficker-virus-free-removal
gleek.php?kip=norton-firewall-free
serratus.php?lb=ad-aware-se-free-download
ersatz.php?ben=avg-spyware-free
eile.php?jib=norton-virus-free-trial
anaphase.php?toy=free-keylogger-program
colaptes.php?mem=free-popup-blocker
ingesta.php?cb=free-spybot-downloads
sucrose.php?va=free-bootable-cd
aden.php?x=free-online-malware-scan
chinked.php?pee=online-virus-scan-free
timeful.php?rou=free-mcafee-online-virus-scan
lipase.php?few=free-virus-scan-mac

Always be careful while searching for any kind of keyword and make sure to check links before clicking on them. We suggest browsing the Internet with Mozilla Firefox and the NoScript addon.
