[ Security Alert ] 28 April, 2011 16:38

    AegisLab has found that COMM.NCCU.EDU.TW contains BlackHat SEO poisoned pages advertising business software. About 1,090 of these pages appear in Google search results, as shown in Figure 1. Visitors who click them are redirected to an online software shop, "good-downloads.net". AegisLab also found that the following two websites, which share the same IP address, cloak their content: when Googlebot crawls them it is served software advertising keywords instead of the page a normal visitor sees (Figure 2).

  • hxxp://air-conditioner.funpe.com/keyword-vista business sp2.html 
  • hxxp://law.qdvii.com/51587.html 
 
 
Figure 1.
 

 
Figure 2. 
 
 
The attack path is listed as below.
[search] 'Avid' on Google
    [root] hxxp://comm.nccu.edu.tw/wp-content/uploads/2011/01/buy-oem-download/avid-media-...
        [hop] hxxp://good-downloads.net/shop/search/?s=Avid Media Composer 2.8
            [fraud site] hxxp://good-downloads.net/shop/item/266/ 
 
The detection rate of this malicious link is 9% (2/23) in URLVoid.com.  

AegisLab WebGuard has blocked this site since 25/04/2011.

By AegisLab  
[ Security Alert ] 27 April, 2011 17:07

    AegisLab has found that WWW.PULIONE.COM.TW contains BlackHat SEO poisoned pages; the hopping site is "glrrrzjc.co.cc" (IP: 78.26.179.10), as shown in Figure 1. The hopping domain belongs to a flux network: the .co.cc domain name is rotated frequently while the IP address stays the same, so blocking by domain name alone is not enough. Once you visit one of these poisoned pages on the PULIONE official website, you are redirected to a fake anti-virus scan page and finally pushed to download a malicious executable.

   

Figure 1

The attack path is listed as below.

[search] 'degrassi' on Google
[root] hxxp://www.pulione.com.tw/uploads/...
    [fake scan] hxxp://glrrrzjc.co.cc/s...
        [exe] hxxp://glrrrzjc.co.cc/download...

 

The detection rate of this virus is 19.5% (8/41) in VirusTotal. 

 
The detection rate of this malicious link is 0% (0/23) in URLVoid.com. 
 

AegisLab WebGuard has blocked this hopping site since 22/04/2011.

By AegisLab 


[ Security Alert ] 26 April, 2011 17:27

    AegisLab has found that HOYU.AKIA.TW contains BlackHat SEO poisoned pages; the hopping site is "jrdlrnlr.co.cc" (IP: 78.26.179.10), as shown in Figure 1. The hopping domain belongs to a flux network: the .co.cc domain name is rotated frequently while the IP address stays the same, so the IP is the useful pivot for blocking. WebGuard has blocked 96 domains on this same IP.

Figure 1

The attack path is listed as below.  

[search] 'kristin kreuk dating' on Google

[root] hxxp://hoyu.akia.tw/osc/images/...
    [fake scan] hxxp://jrdlrnlr.co.cc/?s=...
        [exe] hxxp://jrdlrnlr.co.cc/download/...

 

The detection rate of this virus is 12.2% (5/41) in VirusTotal. 

 
The detection rate of this malicious link is 0% (0/23) in URLVoid.com. 
 

AegisLab WebGuard has blocked this hopping site since 22/04/2011.

By AegisLab  
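
Blocking a single .co.cc hopping name is of little use when the same IP serves dozens of them; the IP is the stable pivot, which is why the alerts above block by IP as well. The following script is an added example (not AegisLab's or WebGuard's code) that clusters observed domains by resolved IP, flags IPs hosting many short-lived throwaway names, and emits block rules for the whole cluster. The records, the domain names, the 203.0.113.10 address and the thresholds are all constructed for the example.

```python
"""Pivot observed hopping domains on their IP address to find a domain-flux
cluster and emit block rules for the whole cluster instead of one domain.

Added example, not AegisLab code. OBSERVATIONS is a constructed passive-DNS
style sample (domain names and the 203.0.113.x addresses are stand-ins), and
the thresholds are assumptions chosen for the sample.
"""
from collections import defaultdict
from datetime import date

# (first_seen, last_seen, domain, resolved_ip) - constructed sample records.
OBSERVATIONS = [
    ("2011-04-20", "2011-04-21", "aaaabbbb.co.cc", "203.0.113.10"),
    ("2011-04-21", "2011-04-22", "ccccdddd.co.cc", "203.0.113.10"),
    ("2011-04-22", "2011-04-22", "eeeeffff.co.cc", "203.0.113.10"),
    ("2011-04-23", "2011-04-25", "gggghhhh.co.cc", "203.0.113.10"),
    ("2011-04-24", "2011-04-25", "legit-hosting.example", "203.0.113.10"),
    ("2011-03-28", "2011-04-25", "shop.example", "203.0.113.20"),
    ("2010-01-01", "2011-04-25", "www.example.org", "203.0.113.30"),
]

# Free sub-domain providers used for the throwaway names in the alerts.
THROWAWAY_SUFFIXES = (".co.cc",)


def lifetime_days(first_seen, last_seen):
    """Days between first and last observation of a name on an IP."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def flux_clusters(observations, min_domains=3, max_lifetime_days=3):
    """Group domains by IP; flag IPs hosting many short-lived throwaway names.

    Returns {ip: {"flux_domains": [...], "other_domains": [...]}} where
    other_domains are names on the same IP that did not match the flux
    pattern (collateral to review before blocking the IP outright).
    """
    by_ip = defaultdict(list)
    for first, last, domain, ip in observations:
        by_ip[ip].append((domain, lifetime_days(first, last)))
    clusters = {}
    for ip, entries in by_ip.items():
        flux = [d for d, life in entries
                if life <= max_lifetime_days and d.endswith(THROWAWAY_SUFFIXES)]
        if len(flux) >= min_domains:
            clusters[ip] = {
                "flux_domains": sorted(flux),
                "other_domains": sorted(d for d, _ in entries if d not in flux),
            }
    return clusters


def block_rules(clusters):
    """One IP rule per cluster plus a domain rule for each name seen so far.

    The IP rule also catches the next throwaway name before it is observed.
    """
    rules = []
    for ip in sorted(clusters):
        rules.append(f"block ip {ip}")
        rules.extend(f"block domain {d}" for d in clusters[ip]["flux_domains"])
    return rules


if __name__ == "__main__":
    found = flux_clusters(OBSERVATIONS)
    for ip, info in found.items():
        print(ip, "flux:", info["flux_domains"], "collateral:", info["other_domains"])
    print("\n".join(block_rules(found)))
```

Review the other_domains list before deploying the IP rule: a legitimate name parked on the same shared host is the usual false-positive cost of pivoting on IP.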

[ Security Alert ] 25 April, 2011 17:38

    AegisLab has found that WWW.PMM.COM.TW contains BlackHat SEO poisoned pages; the hopping site is "sacon.org". Once you visit one of these poisoned pages on the PMM official website, you are redirected to the scam page "www.urlscan.net".

 

The attack path is listed as below.

[search] 'avid' on Google
[root] hxxp://www.pmm.com.tw/en/help/css/pc.php?buy=Avid_Media_Composer_5.0.3.2&t=0
    [hop] hxxp://www.sacon.org/download-oem-Avid_Media_Composer_5.0.3.2.html
        [scam site] hxxp://www.urlscan.net/index.php?target=desc1&progid=Avid_...

 

The detection rates of these malicious links are as below. 
 

AegisLab WebGuard has blocked this hopping site since 28/03/2011.

By AegisLab   

[ Security Alert ] 20 April, 2011 11:30

   We have recently discovered multiple sites suffering from SEO poisoned page injection, including an education site and several companies.

Case 1:

   The website of an education center belonging to a technology university (http://fs3.just.edu.tw/) was compromised and injected with many Black Hat SEO poisoned pages, as shown in the following figure. Under the directory hxxp://fs3.just.edu.tw/~rdeec/moodle/ell/xp/ there are hundreds of similar pages.

 

     When a user clicks one of them, it leads to a suspicious online casino page, as shown in the following figure.

The attack path is:

[search] Search "the dilemma" in Google
 [root] hxxp://fs3.just.edu.tw/~rdeec/moodle/ell/xp/dilemma91021.php
  [hop] hxxp://jdkiemaf.co.cc/redir.php
   [fake search engine] hxxp://jdkiemaf.co.cc/search.php?q=online+casino

     The hopping site had zero detections in URLVoid, but our WebGuard has blocked it since 2011-02-23.

Case 2:

      The website of a towel maker (http://www.besttowel.com.tw) was compromised and injected with many Black Hat SEO poisoned pages. The hopping sites include "wjrjipjr.co.cc" and "siskrjyj.co.cc", but they could not be reached at the time of writing. Many web shells were discovered on this site, as shown in the figure.

 


The attack path was:
[search] Search "easter games" in Google 
 [root] hxxp://www.besttowel.com.tw/images/page.php?A92PIDHw=free-easter-printable-games
  [hop] Location: hxxp://wjrjipjr.co.cc/?s=sF02wp7Cxj
     

      The hopping sites had a low detection rate (1/23, 4%) in URLVoid (http://www.urlvoid.com/scan/wjrjipjr.co.cc and http://www.urlvoid.com/scan/siskrjyj.co.cc), and our WebGuard has blocked them since 2011-04-06.

Case 3:

      The website of a paper product vendor (http://shop.5horn.com/) was compromised and injected with many Black Hat SEO poisoned pages. The hopping site is "zrdrrnrr.co.cc", which displays a fake anti-virus scan; the user is lured into downloading an executable.

The attack path was:
[search] Search "portal 2" in Google
 [root] hxxp://shop.5horn.com/install-/images/page.php?k=portal-2
  [hop] hxxp://zrdrrnrr.co.cc/?s=sF02...
   [exe] hxxp://zrdrrnrr.co.cc/download/?k=sF02w5zFz...

      The executable has a low detection rate in VirusTotal: 7/41 (17.1%) (http://www.virustotal.com/file-scan/report.html?id=b2803eb239ce42174968e56342c125ea8855fd6f1e87fd34d9ac0de999a452d0-1303264477).

      The hopping site had zero detections in URLVoid: 0/23 (0%) (http://www.urlvoid.com/scan/zrdrrnrr.co.cc).

      AegisLab WebGuard has blocked this hopping site since 2011-04-20.

 

By Luke
AegisLab
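
The doorway pages in the cases above, and the cloaked pages in the 28 April alert, behave differently depending on who asks for them: a crawler gets a keyword-stuffed page, a visitor arriving from a Google search result gets a Location redirect to the hopping site, and a direct visitor sees nothing suspicious, which is why the site owners rarely notice. The following script is an added example (not AegisLab's or WebGuard's code) that requests one URL as three personas and reports cloaking and off-site redirects. fake_fetch is a constructed in-memory stand-in for a real HTTP client, modelling the behaviour inferred from the attack paths above, and every URL in it is a placeholder.

```python
"""Probe a suspected SEO doorway page as three personas and report cloaking
and referer-conditional redirects.

Added example, not AegisLab code. fake_fetch is a constructed model of an
injected page.php doorway; replace it with a real HTTP client (same
(status, headers, body) return shape) to probe a live URL.
"""
from urllib.parse import urlparse

# Constructed placeholder URLs, not the sites named in the alerts.
DOORWAY = "http://www.victim.example/images/page.php?k=easter-games"
HOP = "http://hop.example/?s=abc123"
FAKE_AV = "http://hop.example/download/?k=abc123"

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"

PERSONAS = {
    "crawler": {"User-Agent": GOOGLEBOT_UA},
    "from_search": {"User-Agent": BROWSER_UA,
                    "Referer": "http://www.google.com/search?q=easter+games"},
    "direct": {"User-Agent": BROWSER_UA},
}


def fake_fetch(url, headers):
    """Constructed doorway behaviour: keyword page for crawlers, 302 to the
    hopping site for visitors arriving from Google, a plain 404 otherwise."""
    ua = headers.get("User-Agent", "")
    referer_host = urlparse(headers.get("Referer", "")).netloc
    if url == DOORWAY:
        if "Googlebot" in ua:
            return 200, {}, "<html><title>free easter printable games</title>...keywords...</html>"
        if referer_host.startswith("www.google."):
            return 302, {"Location": HOP}, ""
        return 404, {}, "<html>Not Found</html>"
    if url == HOP:
        return 200, {}, f'<html>Your computer is infected! <a href="{FAKE_AV}">Scan now</a></html>'
    return 404, {}, ""


def follow(fetch, url, headers, max_hops=5):
    """Follow HTTP redirects; returns (final_status, final_body, chain)."""
    chain = [url]
    for _ in range(max_hops):
        status, hdrs, body = fetch(url, headers)
        if status in (301, 302, 303, 307, 308) and "Location" in hdrs:
            url = hdrs["Location"]
            chain.append(url)
            continue
        return status, body, chain
    return None, "", chain  # redirect loop or too many hops


def probe(fetch, url):
    """Fetch `url` as each persona and compare what each one gets back."""
    results = {name: follow(fetch, url, hdrs) for name, hdrs in PERSONAS.items()}
    crawler_status, crawler_body, _ = results["crawler"]
    direct_status, direct_body, _ = results["direct"]
    _, _, search_chain = results["from_search"]

    origin = urlparse(url).netloc
    findings = []
    # Cloaking: the crawler is served something a direct visitor never sees.
    if crawler_status == 200 and (direct_status != 200 or crawler_body != direct_body):
        findings.append("cloaking: crawler and direct visitor get different content")
    # Conditional redirect: only the search-referred visitor leaves the site.
    offsite = [u for u in search_chain[1:] if urlparse(u).netloc != origin]
    if offsite:
        findings.append("referer-conditional redirect off-site: " + " -> ".join(search_chain))
    return findings, results


if __name__ == "__main__":
    for finding in probe(fake_fetch, DOORWAY)[0]:
        print(finding)
```

When run against a live site, also record the final body of the from_search chain: a fake-AV page such as the one in Case 3 is recognisable from its text even when the domain is new and still has zero detections on URLVoid.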

[ Security Alert ] 06 April, 2011 15:26

    AegisLab has found that the A-Fish.com.tw (澎湖海鮮網, Penghu Seafood Net) official website has been trojaned with a virus and malicious links. When visitors open these pages, they are forced to download the malware or are redirected to a malicious page that carries an IE exploit.

    The root page contains two zero-size iframes whose sources are x.htm and h.asp, as shown in Figure 1. h.asp was not available, so only the x.htm branch could be analysed.

    x.htm (Figure 2) includes a script file (log.js) and creates an invisible button whose onClick() handler is invoked at the end of the file. The handler calls Riaa('bo'+'dy'), which is defined in log.js; the string concatenation is a trivial obfuscation of the argument, and the call amounts to:

   document.createElement('body')

 

 

Figure 1: root page (zero-size iframes)

 

Figure 2: x.htm (hidden button)

    The created element is attached to the document and its setAttribute method is invoked. This attack exploits CVE-2010-0806 (Microsoft Internet Explorer iepeers.dll use-after-free). The bug was fixed in MS10-018 in March 2010 and affects Internet Explorer 6 and 7 only, so a patched or newer IE is not exploited by this page, but the 3.exe download below is still reachable.

    After analyzing log.js (Figure 3), we obtained the download site "hxxp://www.a-fish.com.tw/gif/3.exe".

 

Figure 3: log.js

The attack path is listed as below. 

[root]hxxp://www.a-fish.com.tw/gif/
    [exp]hxxp://www.a-fish.com.tw/gif/x.htm(Exploit.Ie0dayCVE0806.a)
        [script]hxxp://www.a-fish.com.tw/gif/log.Js
        [virus]hxxp://www.a-fish.com.tw/gif/3.exe 

 

The detection rate of this virus is 66.7% (26/39) in VirusTotal.

 

 

 The detection rate of this malicious link is 9% (2/22) in URLVoid.com. 

 


AegisLab WebGuard has blocked these trojaned pages since 06/04/2011.

By AegisLab
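
The landing page above combines three tells that are easy to spot statically: zero-size iframes on the root page, a hidden button that a script clicks on the visitor's behalf, and 'bo'+'dy' string concatenation hiding the argument passed to the exploit function. The following script is an added example (not AegisLab's code) that folds such concatenations and reports these indicators from the three files. ROOT_HTML, X_HTM and LOG_JS are constructed stand-ins modelled on the description, not the real files from the site; the 3.exe URL in them is a placeholder and no exploit code is included.

```python
"""Static triage of a drive-by landing page of the kind described above:
zero-size iframes, a hidden auto-clicked button, string-concatenation
obfuscation, createElement/setAttribute use and executable download URLs.

Added example, not AegisLab code. The three inputs are constructed stand-ins
for the root page, x.htm and log.js (victim.example is a placeholder).
"""
import re

ROOT_HTML = """<html><body><h1>Welcome</h1>
<iframe src="x.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="h.asp" style="display:none"></iframe>
<iframe src="ad.html" width="300" height="250"></iframe>
</body></html>"""

X_HTM = """<html><head><script src="log.js"></script></head>
<body><button id="go" style="visibility:hidden" onclick="Riaa('bo'+'dy')"></button>
<script>document.getElementById('go').click();</script>
</body></html>"""

LOG_JS = """function Riaa(tag){var o=document.createElement(tag);document.body.appendChild(o);
o.setAttribute('s','...');}
var dl='http://www.victim.example/gif/'+'3.exe';"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
BUTTON_RE = re.compile(r"<button\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# Two adjacent literals in the same quote style joined by '+'.
CONCAT_RE = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*\1([^'\"]*)\1")
CALL_RE = re.compile(r"(\w+)\(\s*'(\w+)'\s*\)")


def attrs(tag):
    """Attribute name -> value for one HTML start tag."""
    return {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in ATTR_RE.findall(tag)}


def _hidden(a):
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def hidden_iframes(html):
    """src of iframes sized 0x0 or hidden via CSS."""
    found = []
    for tag in IFRAME_RE.findall(html):
        a = attrs(tag)
        zero = a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
        if zero or _hidden(a):
            found.append(a.get("src", ""))
    return found


def hidden_onclick_buttons(html):
    """ids of buttons that are invisible yet carry an onclick handler."""
    return [attrs(t).get("id", "?") for t in BUTTON_RE.findall(html)
            if "onclick" in attrs(t) and _hidden(attrs(t))]


def fold_concat(js):
    """Merge adjacent literals ('bo'+'dy' -> 'body') until nothing changes.
    Returns (folded_text, number_of_folds)."""
    folded, total = js, 0
    while True:
        new, count = CONCAT_RE.subn(
            lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), folded)
        if count == 0:
            return folded, total
        folded, total = new, total + count


def triage(root_html, child_html, js):
    """Collect indicators from the three files into a findings dict."""
    child, child_folds = fold_concat(child_html)
    script, script_folds = fold_concat(js)
    # Calls whose literal argument only becomes visible after folding.
    unmasked = sorted(set(CALL_RE.findall(child)) - set(CALL_RE.findall(child_html)))
    return {
        "hidden_iframes": hidden_iframes(root_html),
        "hidden_onclick_buttons": hidden_onclick_buttons(child),
        "auto_click": ".click()" in child,
        "folded_literals": child_folds + script_folds,
        "unmasked_calls": unmasked,
        "create_element_then_setattribute": "createElement(" in script and "setAttribute(" in script,
        "executable_urls": re.findall(r"https?://[^\s'\"]+\.exe", script),
    }


def score(findings):
    """Number of independent indicators present; three or more merits a look."""
    return sum(bool(v) for v in findings.values())


if __name__ == "__main__":
    result = triage(ROOT_HTML, X_HTM, LOG_JS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("score:", score(result))
```

The folding step is what matters in practice: signatures that look for the literal createElement('body') miss the page as written, while the folded form exposes both the argument and the download URL.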