I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.
I hadn’t actually intended to do any computer security stuff today; my plans for the evening involved playing WoW. the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.
A Google search for “viking porn” turns up a few hits with a Google “this site may harm your computer” tag. Both of the first two I looked at–because I can’t stay away from the “this site may harm your computer” tag–had a couple of interesting things in common: they were hosted on iPower Web, the notoriously insecure Web host I’ve written about on several occasions in the past; both had malicious redirection files in a directory named /backup/, both used a complex series of traffic redirectors before ending up at the malware site proper, and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.
In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.
I widened the Google search using both common keywords (like “porn”) and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.
What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of files stuffed full of keywords and each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.
The compromised Web sites I found–and I do believe that these redirectors are the result of automated Web site compromises–are located on a wide variety of Web hosts in and out of the US, not just on iPower (though as per usual, iPower is hosting a bunch of them–those guys couldn’t secure a paper bag with duct tape and titanium plating).
There appears to be no common trend to the compromised sites. Some of them are running content management software; some of them aren’t. Some of them are hosting blog software; some of them aren’t. Some of them are hosting forum software; some of them are not. Whatever technique is being used to hack these sites, it isn’t confined to one package, one script, one vulnerability, or one Web host.
A sampling of sites that have been compromised includes:
*** WARNING *** WARNING *** WARNING ***
ALL of the URLs in the following list are active as of the time of this writing. All of these URLs redirect to sites that WILL attempt to download a computer virus onto your computer. DO NOT visit these URLs if you don’t know what you’re doing.
In each case, there are multiple redirectors per compromised host; the /backup/ directory you see in each of these URLs contains many files, each of which is tuned to a different set or type of Google keyword search and each of which redirects to malicious servers.
The Web site at wholostkate.com in turn redirects to one of several target destination sites, which vary depending on the user agent of the user’s Web browser. Most often, it redirects to
which in turn redirects to
Occasionally, however, wholostkate.com redirects to one of:
The key to this whole network is wholostkate.com. Here’s what Whois has to say:
Whois Server Version 2.0
Domain Name: WHOLOSTKATE.COM
Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY
Whois Server: whois.centrohost.ru
Referral URL: http://centrohost.ru
Name Server: NS1.HC.RU
Name Server: NS2.HC.RU
Updated Date: 12-may-2009
Creation Date: 09-mar-2009
Expiration Date: 09-mar-2010
Registrant contact :
Litovskii bulvar, d.22
Phone: +7 495 5445566
Fax: +7 495 5140957
Billing contact :
Molchanov Sergei Aleksandrovich
119334, RF, Moskva, 5-i Donskoi proezd, d. 15, str. 4
Phone: +7 495 5445566
Technical contact :
15/4 5th Donskoi Proezd
The site at datingactionnow.com is using privacy protection on the whois.
Whois Server Version 2.0
Domain Name: DATINGACTIONNOW.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS100.DATINGACTIONNOW.COM
Name Server: NS101.DATINGACTIONNOW.COM
Updated Date: 15-may-2009
Creation Date: 02-jan-2007
Expiration Date: 02-jan-2010
Domain name: datingactionnow.com
Whois Privacy Protection Service, Inc.
Whois Agent ()
PMB 368, 14150 NE 20th St – F1
Bellevue, WA 98007
Creation date: 02 Jan 2007 22:23:41
Expiration date: 02 Jan 2010 22:23:41
xxxblackbook.com, the site that users are redirected to from datingactionnow.com, is a run-of-the-mill pay-for-play adult dating site that is probably not directly involved in hacking; at best, they most likely simply turn a blind eye to people who use these techniques to get traffic to them. When someone is directed to xxxblackbook.com by these unethical means and then signs up, the hackers get a kickback, which strongly, strongly implies that xxxblackbook.com has a way to reach the hackers responsible for these attacks (else the hackers couldn’t get paid).
On my Mac, datingactionnow.com/getlaidtonight/ doesn’t attempt to download any malware–it simply presents a bunch of pictures that redirect to xxxblackbook.com. However, it refuses to return anything at all–not even an empty HTML file–to wget, which leads me to the suspicion that it could possibly be testing for browser vulnerabilities server-side before it does anything. Therefore, I’m not ready to say that datingactionnow.com doesn’t download any malware; only that it doesn’t download any malware to my Mac.
The fact that the Zlob gang is becoming more sophisticated in their detection of Macs (in the past, they have used simple redirection scripts to download Mac malware rather than Windows malware when they see a Mac user agent, but now they are using some redirectors which will redirect to entirely different servers based on Mac or Windows user agents) worries me.
Edited to add: Many, but not all, of the hacked sites also have invisible iFrames placed on them which load content from
The first isn’t resolving for me at the moment. The second is, but returns a blank page when loaded directly; again, it’s probably checking the browser for exploits and attempting to download malware in the background.
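As an added example (not part of this post, and not a tool its author used), here is a Python script a site owner or hosting admin could run over a web root to look for the two artefacts described above: keyword-stuffed, redirect-only files such as the ones found under /backup/, and invisible iframes injected into otherwise normal pages. The three sample pages it writes to a temporary directory, the site host name bakery.example and the redirector host redirector.example.net are all constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# An <iframe> that is zero-sized or hidden with CSS: the "invisible iframe" pattern.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:\bwidth\s*=\s*["\']?0\b|\bheight\s*=\s*["\']?0\b'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I)
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I)
# Client-side redirects typical of redirector files: meta refresh and JS location assignment.
META_REFRESH = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s;]+)', re.I)
JS_REDIRECT = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
TAG = re.compile(r'<[^>]+>')


def is_external(url, site_host):
    """True when the URL points at a host other than the site itself (or its subdomains)."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def visible_words(html):
    """Words a visitor would see: strip scripts, styles and tags, then tokenise."""
    text = re.sub(r'(?is)<(script|style)\b.*?</\1>', ' ', html)
    return re.findall(r'[a-z0-9]+', TAG.sub(' ', text).lower())


def analyze_page(html, site_host):
    """Return a list of human-readable findings for one HTML document."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        src = IFRAME_SRC.search(m.group(0))
        findings.append(f"hidden iframe loading {src.group(1) if src else '?'}")
    for pattern, kind in ((META_REFRESH, 'meta refresh'), (JS_REDIRECT, 'javascript redirect')):
        for m in pattern.finditer(html):
            if is_external(m.group(1), site_host):
                findings.append(f"{kind} to external host {urlparse(m.group(1)).netloc}")
    # Keyword stuffing heuristic: a long body made of very few distinct words.
    words = visible_words(html)
    if len(words) >= 50 and len(set(words)) / len(words) < 0.25:
        findings.append(f"keyword stuffing ({len(set(words))} distinct of {len(words)} words)")
    return findings


def scan_webroot(root, site_host):
    """Walk a web root and map each suspicious file (relative path) to its findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob('*')):
        if not path.is_file() or path.suffix.lower() not in ('.htm', '.html', '.php'):
            continue
        findings = analyze_page(path.read_text(errors='replace'), site_host)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_site():
    """Constructed sample: a clean page, a page with an injected hidden iframe,
    and a keyword-stuffed redirector under /backup/ (all hosts are placeholders)."""
    root = Path(tempfile.mkdtemp(prefix='webroot-'))
    (root / 'index.html').write_text(
        '<html><body><h1>Welcome</h1><p>Our family bakery, open daily.</p>'
        '<iframe src="/widgets/hours.html" width="300" height="200"></iframe></body></html>')
    (root / 'news.html').write_text(
        '<html><body><p>Latest news from the bakery.</p>'
        '<iframe src="http://redirector.example.net/in.cgi?3" width="0" height="0" '
        'style="display:none"></iframe></body></html>')
    backup = root / 'backup'
    backup.mkdir()
    (backup / 'hot-stuff.html').write_text(
        '<html><head><meta http-equiv="refresh" content="0; url=http://redirector.example.net/go">'
        '</head><body>' + ' '.join(['free movies download'] * 30) + '</body></html>')
    return root


if __name__ == '__main__':
    for rel_path, findings in scan_webroot(build_sample_site(), 'bakery.example').items():
        print(rel_path)
        for finding in findings:
            print('   ', finding)
```

The heuristics are deliberately simple: the regexes catch the hidden-iframe and client-side-redirect forms seen in this kind of compromise, and the type/token ratio flags files whose only "content" is a keyword list. Expect to tune the thresholds and add exclusions (legitimate tracking iframes, intentional meta refreshes) for a real site, and treat a hit as a reason to inspect the file and its modification time, not as proof on its own.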