Good news for Mac owners

So it turns out we may see a respite, even if only for a while, in new infections with the Mac DNSchanger malware.

The story starts with an Estonian company operating out of the US, called ESTdomains, and its associated Web hosting company, ESThosts. ESTdomains is the preferred domain registrar for Eastern European cybercriminals, who often host viruses and malware on its sister company ESThosts.

ESThosts relies on an upstream ISP called Intercage for its connection to the Internet. Happily, Intercage, which has long turned a blind eye to all kinds of criminal activity on the Internet, finally crossed the line and was dropped by its service provider. A new upstream provider rode to its rescue, only to have its packets dropped by an Internet backbone provider.

Why is this happy news for Mac users?

A while ago, I mapped out an underground network of virus and malware droppers, some of which were being used to spread the Mac version of the Zlob, aka OSX.DNSchanger, OSX.RSplug.A, or OSX.RSpluginA, malware.

Many of the sites that spread this malware were disguised as porn sites. Other sites were legitimate sites that had been hacked. Still other sites contained outdated, insecure versions of popular blogging or forum software such as WordPress and PHPnuke, and had been hacked to carry redirectors to the malware. Still other sites disguised the malware as antivirus software, or browser plug-ins, or any number of other things.

But–and here’s the interesting part–all of these fake porn sites, hacked blogs, hacked Web sites, hacked forum sites, and bogus software sites all pulled the malware from the same repository, a server living at IP address 64.28.178.27.

Which is in Intercage’s IP space, and so is currently unreachable.

Meaning that as of right now, the one server being used to spread the Mac DNSchanger malware is offline.

Now, I have no doubt that the bad guys are going to move the Mac malware to a different server at some point. But they are going to have to rejigger the rest of the network to point to the new server, which will take time. In the meantime, we should see a lot fewer infections with this malware.

In which Franklin gets all Medieval on the weekend’s ass

This has been a hella productive past few days, and I am well and truly pleased.

The first chapter of the book on polyamory is done, finished, put a fork in it. Proposals have been sent out. Chapter 2 is started. Chapter 3 is halfway done.

Downed the first two bosses in Serpentshrine Caverns and the first two bosses in Tempest Keep with my new raiding guild. My mage rocks like a rocky thing. It’s just a pity she’s Alliance.

Got a surprise phone call on Friday. The attacks against iPower Web, which are not only ongoing but are getting more sophisticated (since I wrote that last, the number of compromised iPower sites has surged again), are coming to the attention of iPower’s customers. I received a phone call from a woman whose site had been hacked (twice!), and she had iPower on the phone when she called me.

The tech support monkeys at iPower told her that–get this–there’s no vulnerability on their servers, and that her account was compromised because the attackers brute-forced her FTP password. Which was…err, sixteen characters, both letters and numbers, long.

*blink*

Anyway, she gave them the what-for and pulled all her sites off iPower. Maybe if they start losing enough customers, they’ll fix their damn security.

And on the subject of Web sites, I’ve updated mine. I don’t know what I’m going to do when I have a book in print and can’t keep tinkering with it.

Last night, David and I tried playing as a team against six computer opponents in Age of Empires II. High difficulty, lowest resource setting. It was a humiliating debacle. We well and truly got our asses handed to us. Barely made it into the Imperial Age before the computer’s armies closed around us and systematically scraped us off the map.

In two weeks I’ll be in Chicago; planning to be there from the 19th through the 24th. Looking forward to spending time with dayo and scathedobsidian, I know you’ll be around. amorsalado, purplebard, will you guys be available?

Security is hard.

So the past few weeks have been rough on Microsoft and on Adobe. First, a flaw in Microsoft SQL Server allows ASP sites to be compromised by a general SQL injection attack; then a flaw in the Adobe Flash player allows a miscreant to hijack the Web browsers of people with the Flash plugin installed.

In both cases, the vulnerabilities have been exploited to try to redirect surfers to a Web site at www.dota11.cn, which hosts a malicious script that tries to infect users’ computers with a virus.

That’s the old news.

The funny news–and believe me, I think this is fucking hysterical–is that one of the Web sites clobbered by the SQL injection attack is redmondmag.com, a Web site that is “the independent voice of the Microsoft IT community.” It’s a pro-Microsoft, look-how-great-we-are “news” site that has been so massively infected that…

uh…

…well, if you Google it, Google gives you a “this site may harm your computer” warning.

Many of the infected Web pages are pages about computer security–or, at least, apologies for Microsoft products masquerading as articles on computer security.

I know, I know, the real assholes here are the hackers, but still…goddammit, I can’t stop laughing.

Security is hard.

And it gets harder when ISPs are aware of security problems on their network but don’t care. And believe it or not, I’m not talking about iPower this time.

Actual IM transcript from a conversation with xmission.com:

Tacit: You are hosting a phish.
Tacit: ftp://webmaster:webmaster@204.228.142.40/.ws/eBayISAPIi.dll
catalyst: chill, you could send a notification to abuse@xmission.com or to phish@ebay.com or whatever they have now
Tacit: Sent it two weeks ago.
Tacit: And a week ago.
Tacit: No response, phish still active.
Tacit: Two weeks is a long time.
Tacit: Your abuse@ address appears to be routed straight to /dev/null.
catalyst: I’m not an xmission employee, so I can’t help, just thought I’d recommend some alternatives
rostrax: Abuse is a valid e-mail address and it is looked at.
rostrax: That would be my suggestion on what to do.
Tacit: Again?
Tacit: How many times do you think I should send the same email to abuse@xmission.com before I conclude that xmission supports and condones hacks and phishes on their network?
rostrax: How many times have you sent it?
Tacit: Four.
Tacit: First one two weeks ago.
rostrax: I cannot speak for our abuse team, but I’m sure they’ve looked into it
Tacit: If they’ve looked into it, and it’s still active, what conclusion would you draw from that?
Tacit: 204.228.142.40 is on your network, yes?
rostrax: It is one of the IPs we have yes.
Tacit: And if you click on the above link, you would agree that it is definitely an eBay phish, yes?
rostrax: You have to understand businesses have certain ways of handling these things. It may take some time. Please be patient with us, if you could send another e-mail I would appreciate it greatly. Also cc it to rostrax [at] xmission.com
Tacit: I do understand that businesses operate certain ways; I run one myself. Two weeks to handle a phish? Even China Netcom deals with phish sites faster…
rostrax: I’m unsure of our particular policy, but if you can send the e-mail and cc me on it, I will look into it on Tuesday


Edit: It gets better. Apparently, this phish has been active on Xmission’s network since at least April 9th.

More computer crime anatomy

So a while ago, I posted extensively about an underground network of computer virus distributors that I’d uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.

It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.

I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It’s quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.

In the past couple of weeks, I’ve noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I’ve spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.

The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what’s going on in the seamy computer underground, and a new map of the computer distribution network:

Clicky the link! (We are going to get technical here)

Anatomy of computer crime

Note: Followup to this entry at http://tacit.livejournal.com/240750.html

So apparently, Macintosh users are now the targets of Eastern European organized crime.

First, a bit of backstory. Last December, I wrote an article about how I had done a Google search for my name and uncovered a massive hacking attack against a Web hosting company called iPowerWeb. iPower, a company in Phoenix, Arizona, has trouble securing their Web servers, and Russian organized crime can hack any Web site hosted by iPower completely at will.

That was last December. Today, as I write this, iPower still has not fixed their server security; each day, a whole crop of new Web sites hosted by iPower is hacked, and the hackers plant redirectors on the site that are designed to snare unwary visitors and send them to servers in Eastern Europe that attempt to infect users with computer viruses.

For the past couple of months, I have been emailing iPower every day with new lists of hacked Web sites they’re hosting. Each day, I bug them to fix their computer security. Each day, they remove the virus redirectors that I tell them about, but they do not fix their server security; so the next day, more of their Web sites are hacked. Some poor sots who host Web sites with iPower have had their sites hacked over and over again.

In the past 48 hours, the nature of the hacks has changed. Between December and now, the hacks were all the same; the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory on the site named /bad, and then create a directory with a one or two digit number as a name. The redirector pages would go in the numbered directory. This made spotting hacked iPower Web sites trivially easy.
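As an added example (not code from the post or from iPower): a hosting-side check a provider could run over each customer webroot for the fixed pattern just described. It assumes the numbered directory may sit at the webroot or under /her or /bad, treats meta-refresh, location-change and external-script pages as redirectors, and builds its own constructed sample site with a placeholder redirect target.

```python
import os
import re
import tempfile
from pathlib import Path

# The post says every hacked iPower site got a /her and a /bad directory plus a
# directory named with a one- or two-digit number holding the redirector pages.
MARKER_DIRS = ("her", "bad")
NUMBERED_DIR = re.compile(r"^\d{1,2}$")
# What marks a page as a redirector: meta refresh, a JavaScript location
# change, or a script pulled in from another host.
REDIRECT_HINT = re.compile(
    r'http-equiv\s*=\s*["\']?refresh|(?:window|document)\.location|<script[^>]+src\s*=',
    re.IGNORECASE)
PAGE_EXT = (".html", ".htm", ".php")

def scan_webroot(root):
    """Report marker directories and redirector pages found under root.
    Assumption (the post does not say): the numbered directory may be at the
    webroot or inside /her or /bad, so every level is checked."""
    root = Path(root)
    markers = sorted(d for d in MARKER_DIRS if (root / d).is_dir())
    redirectors = []
    for dirpath, _, filenames in os.walk(root):
        if not NUMBERED_DIR.match(os.path.basename(dirpath)):
            continue
        for name in filenames:
            page = Path(dirpath) / name
            if name.lower().endswith(PAGE_EXT) and REDIRECT_HINT.search(
                    page.read_text(errors="replace")):
                redirectors.append(page.relative_to(root).as_posix())
    return {"marker_dirs": markers, "redirectors": sorted(redirectors),
            "suspicious": bool(markers) and bool(redirectors)}

def build_sample_site(compromised):
    """Write a constructed sample webroot to a temp dir; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    (root / "about").mkdir()
    (root / "about" / "index.html").write_text("<html><body>Hello</body></html>")
    if compromised:  # plant the pattern described in the post
        for d in MARKER_DIRS:
            (root / d).mkdir()
        (root / "her" / "7").mkdir()
        (root / "her" / "7" / "index.html").write_text(
            # placeholder destination; the real redirectors pointed at Eastern European servers
            '<meta http-equiv="refresh" content="0;url=http://redirect-target.invalid/">')
    return root

def demo(compromised=True):
    """Scan a constructed sample site and return the scan_webroot() report."""
    return scan_webroot(build_sample_site(compromised))
```

Once the intruders change the directory naming scheme, the marker check stops firing and only the page-content heuristic remains useful.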

About two days ago, the hackers began changing the naming scheme of the directory. This led me on a path to discovering an entire network of compromised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.

And they’re distributing Mac viruses now, too.

If this stuff interests you, read on! (We're about to get technical here.)

Another day, another iPowerWeb security breach

Last December, I was monkeying around on the Internet doing a Google search for my name, and I discovered a massive security breach at a major Web hosting company that eventually made it to The Register.

So today, I was monkeying around on the Internet doing a Google search for my name, and…

…wait for it…

…discovered that iPower has been hacked again, and hundreds more Web sites hosted by iPower have been penetrated by Russian organized crime and used to spread computer viruses. Want to know more?

More info on yesterday’s Russian Business Network nuttiness

Apparently, my LJ post yesterday freaked some folks out; I got contacted almost immediately after it went up by a startling number of people asking for more information. Softlayer.com was on top of the problem with remarkable swiftness, and as of today the intrusion into their servers appears to have been corrected–all the hacked domains I was able to identify on their network are fixed.

Cut for folks who don't much care for the technical details about this sort of thing…

Polyamory and crime on the Internet

Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it’s always fun to see how many sites are linking to me (and I’m in the process of building a list of non-English mirrors of my polyamory site — it’s been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I’ve discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I’ve ever heard of.

A little background is in order. If you’ve used Google for any length of time, you probably know that when you Google popular keywords you’ll often run into “spam pages.” These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like “tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock” and have excerpts that look like “she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod”. These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer’s site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to redirect visitors to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who’s unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info “I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark’s, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.


UPDATED3: I’ve looked at some of the random text on these pages, and it’s not really random at all–it’s a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is “Ashley had always wanted to go there”–doing a Google search for that exact phrase results in 13,800 hits–nearly every single one of which is a spam redirector.


You get the idea. “Oh, well, this is interesting,” thought I, “polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now.”

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that’s when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP–the largest single Web site security breach I’ve heard of.

If you want to keep going down the rabbit hole: Follow me! Things are about to get very technical here.

Warning! Caution! Danger! MAJOR geek posting about computer viruses!

Computer viruses. If you’re running a Windows computer, the odds are slightly more than 9 in 10 that your machine, right now, is infected with at least one virus. If you’re not behind a firewall and you’re on broadband, odds are good that when you leave your computer at night, spammers take control of your computer and use it to send spam, and Russian mafia roots around in it at will.

Microsoft would have us believe that there is nothing wrong with Windows, that there are many Windows viruses and zero Mac viruses because more people use Windows than Macs and virus writers go for the most popular platform, and that there are just as many known Mac security flaws as Windows security flaws.

This argument breaks down for a number of reasons. It’s commercially useful to Microsoft, of course; if people actually knew how badly and terminally insecure Windows really is, fewer people would use it, so it is very important to Microsoft’s bottom line that people accept the standard “nothing wrong here, it’s just because Windows is so popular” myth.

For starters, the number of “Windows computers” targeted by a particular virus is not necessarily higher than the number of Macs. People make the mistake of thinking all “Windows computers” are all running the same operating system–an operating system called Microsoft Windows.

Problem is, there is not an operating system called Microsoft Windows.