funsec mailing list archives
Rogue RBN Software Pushed Through Blackhat SEO
From: "Paul Ferguson" <fergdawg () netzero net>
Date: Thu, 6 Mar 2008 01:40:20 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dancho Danchev:

[snip]

This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example, for instance, we had a second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201; however, what Keep It Simple, Stupid really means in this case is that the next IP in their netblock, 89.149.243.202, is currently getting injected at many other sites as well. The difference between the previous campaign and this one is that the previous one was targeting just two highly page-ranked sites, while in the second one the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same: both campaigns continue pushing the rogue XP AntiVirus.

[snip]

More: http://ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.html

Note: So it appears to be time to start naming names. netdirekt e.K. [1], a hosting provider based in Frankfurt, Germany, has long been (perhaps unwittingly) a hosting provider for RBN activities for well over a year. So has Layered Technologies, Inc. [2] (based in Plano, Texas), InterCage, Inc. [3] (Concord, California), and SoftLayer Technologies, Inc. [4] (Dallas, Texas). Each of these has long been known to be an operational deployment platform for RBN-related activities. And they have been repeatedly notified of these activities. Isn't it time for these companies to be called to task for continuing to turn a blind eye to criminal activities hosted in their networks?
- - ferg

[1] http://www.cidr-report.org/cgi-bin/as-report?as=AS28753
[2] http://www.cidr-report.org/cgi-bin/as-report?as=AS13767
[3] http://www.cidr-report.org/cgi-bin/as-report?as=AS27595
[4] http://www.cidr-report.org/cgi-bin/as-report?as=AS36351

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHz0uAq1pz9mNUZTMRAq0FAJ93KmZCpEi0eqjLLNFgBhjjlEuYogCg7FNU
tbTPkRxCqOB172iJl9DLQbo=
=Z7t3
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
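The campaign quoted above works by injecting an IFRAME, typically hidden, whose src points at an IP in a small netblock (the post names 89.149.243.201 and .202). A practical triage step is to scan fetched or cached pages for IFRAMEs whose src host is a literal IP inside a watched range and to note whether the element is hidden. The scanner below is an added example written for this page, not code from the funsec post, from Dancho Danchev, or from any tool the message mentions. It assumes the whole 89.149.243.0/24 is worth watching (the post only names two addresses in it); the sample HTML is constructed, and no DNS resolution is attempted, so IFRAMEs with hostnames are skipped rather than resolved.

```python
"""Flag <iframe> elements whose src is a literal IP inside a watched netblock.

Added example for this archive page; not code from the original post.
The sample page and the /24 boundary are assumptions, not data from the post.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: treat the /24 around the two addresses named in the post as
# hostile. Only .201 and .202 appear in the post; the /24 is our choice.
WATCHED_NETBLOCKS = [ipaddress.ip_network("89.149.243.0/24")]

# Constructed sample: a cached search-results page with one injected, hidden
# IFRAME, one IFRAME pointing elsewhere in the watched /24, and two benign ones.
SAMPLE_HTML = """<html><body>
<h1>Search results for: widget</h1>
<p>This is a cached copy of the page.</p>
<iframe src="http://89.149.243.202/index.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://example.com/embed/video" width="640" height="360"></iframe>
<iframe src="http://89.149.243.50/" width="400" height="300"></iframe>
<iframe src="http://cdn.example.net/ad.html" width="1" height="1"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """Heuristic: zero-size frames or CSS that hides the element."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width")) or _tiny(attrs.get("height")))


def find_suspicious_iframes(html, netblocks=WATCHED_NETBLOCKS):
    """Return [{'src', 'ip', 'hidden'}] for IFRAMEs whose src host is a
    literal IP address inside any of the given netblocks."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host is None:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # A hostname, not a literal IP. Resolving it would need DNS and
            # would leak the scan to the attacker's resolver; skip offline.
            continue
        if any(ip in block for block in netblocks):
            hits.append({"src": src, "ip": str(ip), "hidden": is_hidden(attrs)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        flag = "HIDDEN" if hit["hidden"] else "visible"
        print(f"{hit['ip']:<16} {flag:<8} {hit['src']}")
```

Run against a directory of cached pages in a loop, this gives a quick count of which pages carry the injection and whether the frame is hidden, which is the signal that separates an injected IFRAME from a legitimate embed. Extend `WATCHED_NETBLOCKS` with the ranges of the AS numbers cited in the post if you want the same check per hosting provider.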
Current thread:
- Rogue RBN Software Pushed Through Blackhat SEO Paul Ferguson (Mar 05)