Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 10 October 2010

SurfTown: When a parking page is not just a parking page

There are two kinds of parking pages - the annoying kind, and the less annoying kind.

The annoying kinds are those such as dedicated parking servers, that shove sponsored rubbish in your face, should you go to a domain that used to exist, has just been created, or has been suspended or {insert some other reason here}.

The less annoying kind are those with a plain page and simple text telling you the site is parked, either because it's just been created, or because it's suspended. The less annoying kind however, as you've guessed since I'm writing about it, can be just as bad for your computer's health, as a SurfTown customer will have found out.

I came across this one during my usual scout, and in the results, it looked like a typical blackhat SEO campaign - and indeed it is, however, looking through the source code, before I'd loaded it, I thought the site had already been suspended by the host - almost everything in the source was telling me that - but then, I noticed some telltale signs that the bad guys were evidently trying to fool people (surprise surprise). The telltale signs of course, being those lovely scrumptious keywords that search engines eat for lunch.

If you load simple-tea.dk directly, you'll see the following page, which tells you the site is parked.



However, click through to it through Google and .... yep, you've guessed it - you're taken on a stairway to roguesville;

GET /mores-ontario-plar-cadets/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, */*
Referer: http://www.google.co.uk/url?sa=t&source=web&cd=22&ved=0CC4QFjABOBQ&url=http%3A%2F%2Fsimple-tea.dk%2Fmores-ontario-plar-cadets%2F&rct=j&q=%22hphosts%22&ei=ZJiyTP7hFMKSOuX4lMgF&usg=AFQjCNGS8Y5OIVVmJ5vqUsaa2trMEcOTVQ
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Host: simple-tea.dk
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 11 Oct 2010 04:54:20 GMT
Server: Apache/1.3.41
X-Powered-By: PHP/5.2.10
Set-Cookie: Hello-friend=2
Location: http://67.9.45.149:11066/index.html?u=156&t=1
Connection: close
Content-Type: text/html
Content-Length: 0

------------------------------------------------------------------
GET /index.html?u=156&t=1 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, */*
Referer: http://www.google.co.uk/url?sa=t&source=web&cd=22&ved=0CC4QFjABOBQ&url=http%3A%2F%2Fsimple-tea.dk%2Fmores-ontario-plar-cadets%2F&rct=j&q=%22hphosts%22&ei=ZJiyTP7hFMKSOuX4lMgF&usg=AFQjCNGS8Y5OIVVmJ5vqUsaa2trMEcOTVQ
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Connection: Keep-Alive
Host: 67.9.45.149:11066

HTTP/1.1 200 OK
Server: nginx/0.8.49
Date: Mon, 11 Oct 2010 04:47:23 GMT
Content-Type: text/html
Content-Length: 26460
Last-Modified: Tue, 05 Oct 2010 12:05:33 GMT
Connection: close
Accept-Ranges: bytes

------------------------------------------------------------------
GET /ajax/libs/jquery/1.4.1/jquery.min.js HTTP/1.1
Accept: */*
Referer: http://67.9.45.149:11066/index.html?u=156&t=1
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Host: ajax.googleapis.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Tue, 09 Feb 2010 23:05:02 GMT
Date: Sun, 10 Oct 2010 23:41:03 GMT
Expires: Mon, 10 Oct 2011 23:41:03 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
Content-Encoding: gzip
Cache-Control: public, max-age=31536000
Content-Length: 24123
Age: 18799

------------------------------------------------------------------
GET /click/?n=true&u=156&s=1 HTTP/1.1
Accept: */*
Referer: http://67.9.45.149:11066/index.html?u=156&t=1
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Host: 67.9.45.149:11066
Connection: Keep-Alive
Cookie: ccounted=11.09.2010

HTTP/1.1 200 OK
Server: nginx/0.8.49
Date: Mon, 11 Oct 2010 04:54:23 GMT
Content-Type: image/gif
Connection: close
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 43

------------------------------------------------------------------
GET /res/1/1/images/img.gif HTTP/1.1
Accept: */*
Referer: http://67.9.45.149:11066/index.html?u=156&t=1
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Host: 67.9.45.149:11066
Connection: Keep-Alive
Cookie: ccounted=11.09.2010

HTTP/1.1 200 OK
Server: nginx/0.8.49
Date: Mon, 11 Oct 2010 04:47:24 GMT
Content-Type: image/gif
Content-Length: 28548
Last-Modified: Wed, 25 Aug 2010 11:38:45 GMT
Connection: close
Accept-Ranges: bytes

------------------------------------------------------------------
GET /hit;av-counter?t44.1;rhttp%3A//www.google.co.uk/url%3Fsa%3Dt%26source%3Dweb%26cd%3D22%26ved%3D0CC4QFjABOBQ%26url%3Dhttp%253A%252F%252Fsimple-tea.dk%252Fmores-ontario-plar-cadets%252F%26rct%3Dj%26q%3D%2522hphosts%2522%26ei%3DZJiyTP7hFMKSOuX4lMgF%26usg%3DAFQjCNGS8Y5OIVVmJ5vqUsaa2trMEcOTVQ;s1366*768*32;uhttp%3A//67.9.45.149%3A11066/index.html%3Fu%3D156%26t%3D1;0.8142607657186633 HTTP/1.1
Accept: */*
Referer: http://67.9.45.149:11066/index.html?u=156&t=1
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Host: counter.yadro.ru
Connection: Keep-Alive
Cookie: VID=0nBr1e3C77Wo

HTTP/1.1 200 OK
Date: Mon, 11 Oct 2010 04:54:27 GMT
Server: 0W/0.8c
Connection: Close
Content-Type: image/gif
Content-Length: 140
Expires: Sat, 10 Oct 2009 20:00:00 GMT
Pragma: no-cache
Cache-control: no-cache

------------------------------------------------------------------
GET /get.php?v=0&u=156&t=1&k=8Hfr4It HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, */*
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; .NET4.0E; InfoPath.2)
Connection: Keep-Alive
Host: 67.9.45.149:11066
Cookie: ccounted=11.09.2010

HTTP/1.1 200
Content-Type: application/octet-stream
Content-Name: InstallAntivirus2010.exe
Content-Disposition: attachment; filename=InstallAntivirus2010.exe
Content-Length: 147456
Connection: close

------------------------------------------------------------------


What is intriguing is that this particular campaign doesn't use servers on known crimeware ranges to serve the payload - instead serving it directly from what looks like compromised residential machines (I've not yet looked to see if the IP in this case is part of a botnet, but it belongs to a RoadRunner customer).

The payload itself (InstallAntivirus2010.exe, 3E9FB1DCAFA291FAA6F04E881D6FCA0D, 144KB), comes from;

hxxp://67.9.45.149:11066/get.php?v=0&u=156&t=1&k=8Hfr4It

And of course, is a rogue - Rogue.SecurityEssentials to be exact.
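
As an added example (not part of the original post), here is a small Python check over a proxy capture in the layout shown above. It flags the two network-visible signs in this chain: a search-referred 3xx to a bare IP and port, and an .exe attachment served from an IP-literal host. The capture is abbreviated from the one above; the search-engine list and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Abbreviated from the capture above (headers trimmed, Referer query shortened).
CAPTURE = """\
GET /mores-ontario-plar-cadets/ HTTP/1.1
Referer: http://www.google.co.uk/url?sa=t&q=%22hphosts%22
Host: simple-tea.dk

HTTP/1.1 302 Found
Location: http://67.9.45.149:11066/index.html?u=156&t=1
------------------------------------------------------------------
GET /get.php?v=0&u=156&t=1&k=8Hfr4It HTTP/1.1
Host: 67.9.45.149:11066

HTTP/1.1 200
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=InstallAntivirus2010.exe
"""
SEARCH_REFERER = re.compile(r"^(www\.)?(google|bing|yahoo)\.", re.I)  # assumed list

def is_ip_literal(netloc):
    """True when the host part of host[:port] is a bare IP address."""
    try:
        return ipaddress.ip_address(urlsplit("//" + netloc).hostname or "") is not None
    except ValueError:
        return False

def headers(block):
    """Return the start line and a lower-cased header dict for one message."""
    lines = block.strip().splitlines()
    pairs = (ln.split(":", 1) for ln in lines[1:] if ":" in ln)
    return lines[0], {k.strip().lower(): v.strip() for k, v in pairs}

def findings(capture):
    out = []
    for txn in re.split(r"\n-{10,}\n", capture.strip()):  # one request/response pair
        req, resp = txn.split("\n\n", 1)
        (_, rq), (status, rs) = headers(req), headers(resp)
        ref_host = urlsplit(rq.get("referer", "")).hostname or ""
        loc = urlsplit(rs.get("location", ""))
        if (status.split()[1].startswith("3") and SEARCH_REFERER.match(ref_host)
                and loc.port and is_ip_literal(loc.netloc)):
            out.append(("search-referred redirect to IP:port", loc.netloc))
        exe = rs.get("content-disposition", "").lower().endswith(".exe")
        binary = rs.get("content-type") == "application/octet-stream"
        if exe and binary and is_ip_literal(rq.get("host", "")):
            out.append(("executable served from IP literal", rq["host"]))
    return out
```

Because the redirect only fires for search-referred visits, the same check run against a capture of a direct load reports nothing for the first transaction.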
