Massive Blackhat SEO Malware Campaign Launched
January 25, 2011 - "On January 23rd, thousands of machine generated attack sites were registered through GoDaddy via DNSPod name servers. These sites generally include a name of 5 characters in length, and utilize the .info TLD. The sites combine black hat SEO poisoning with virulent malware infections. At least one anti-virus vendor has labeled the infections as "not disinfectable". The structure of these sites takes two forms. The attack sites utilize a technique known as wild card DNS. This enables an infinite number of subdomains to be created for a single domain name. Sites like pgkqy.info... refer to as the hounds, contain over 6000 links to the attack sites. The hounds' content (6000 links) consists of 200 links to the subdomains of 30 different attack domains... The hounds' large number of links serves to boost the search engine rankings of the attack sites. The attack sites themselves are littered with keywords and phrases designed to poison search engine results, and lure the unwary. These include references to celebrity sex scandals, teenage sex, and so forth. The attack sites also contain machine generated text consisting of numerous paragraph-length narratives (in English and Mandarin). Inserted among these narratives are out-of-context messages, which resemble coded messages... One of the sites distributing malware to the visitors of the attack sites (code1.2bj.cc) has previously distributed malware deemed "exact, not disinfectable" by F-Prot. In that incident, anti-virus detection rates were approximately 50%... both hound site dsqof .info and attack site bjpwn .info are at 126.96.36.199. -All- are utilizing f1g1ns1 .dnspod .net as a DNS server. We will pinpoint more hostile IP addresses as time permits. You can pursue further investigation with the use of this file:
- http://doc.emergingt...udes_skynet.txt ..."
(Note "RussianBusinessNetwork" in the URL...)
Edited by AplusWebMaster, 27 January 2011 - 08:28 AM.
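A defender-side triage check for the traits the post describes (5-character .info names, a dnspod.net nameserver, wildcard DNS showing as many random subdomains on one IP, and hound and attack domains sharing a hosting IP), as an added example that is not from the original post. The passive-DNS records below are constructed for the demo and reuse only the indicators quoted above; the subdomain labels and the benign control domain are made up.

```python
import re
from collections import defaultdict
# Constructed passive-DNS style records (name, type, answer): the names, IP and
# nameserver are the indicators quoted in the post; the subdomains are made up.
SAMPLE_RECORDS = [
    ("dsqof.info", "NS", "f1g1ns1.dnspod.net"),
    ("bjpwn.info", "NS", "f1g1ns1.dnspod.net"),
    ("dsqof.info", "A", "126.96.36.199"),
    ("bjpwn.info", "A", "126.96.36.199"),
    ("qz7k1.bjpwn.info", "A", "126.96.36.199"),  # random-looking labels that all
    ("x9a2m.bjpwn.info", "A", "126.96.36.199"),  # resolve: the wildcard-DNS signature
    ("kk0pp.bjpwn.info", "A", "126.96.36.199"),
    ("example.org", "A", "203.0.113.10"),  # benign control
]
SHORT_INFO = re.compile(r"^[a-z]{5}\.info$")  # the 5-character .info pattern
SUSPECT_NS_SUFFIX = ".dnspod.net"
WILDCARD_MIN_SUBS = 3  # distinct non-www subdomains on one IP before flagging

def registered_domain(name):
    # naive: last two labels (enough for .info/.org here; no public-suffix list)
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def score_domains(records):
    """Return {domain: [reasons]} for domains showing the campaign's traits."""
    ns_of = defaultdict(set)
    names_on_ip = defaultdict(lambda: defaultdict(set))  # dom -> ip -> names
    doms_on_ip = defaultdict(set)  # ip -> registrable domains (shared hosting)
    for name, rtype, answer in records:
        dom = registered_domain(name)
        if rtype == "NS":
            ns_of[dom].add(answer.lower().rstrip("."))
        elif rtype == "A":
            names_on_ip[dom][answer].add(name.lower())
            doms_on_ip[answer].add(dom)
    findings = {}
    for dom in set(ns_of) | set(names_on_ip):
        reasons = []
        if SHORT_INFO.match(dom):
            reasons.append("5-char .info name")
        if any(n.endswith(SUSPECT_NS_SUFFIX) for n in ns_of[dom]):
            reasons.append("nameserver under dnspod.net")
        for ip, names in names_on_ip[dom].items():
            subs = {n for n in names if n != dom and not n.startswith("www.")}
            if len(subs) >= WILDCARD_MIN_SUBS:
                reasons.append(f"{len(subs)} subdomains on {ip} (wildcard DNS)")
            if len(doms_on_ip[ip]) > 1:
                reasons.append(f"shares {ip} with {sorted(doms_on_ip[ip] - {dom})}")
        if reasons:
            findings[dom] = reasons
    return findings
```

Run against real passive-DNS or resolver-log exports, the same three heuristics separate the hound/attack pairs from ordinary shared hosting only in combination; any single one (dnspod.net nameservers in particular) is common in benign traffic.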