- # MalwareMustDie! @unixfreaxjp /malware]$ date
- # Sat Mar 2 16:35:02 JST 2013
- // You should already know about search system lop.com, No?
- // If you don't know please see the review in this video↓
- // http://www.youtube.com/watch?feature=player_detailpage&v=Cv2TPf4SKrk
- // ↑So now I presume you know about LOP.COM and I want to
- // explain the link between LOP.COM searched keywords to the
- // FakeAV sites!!! <=== My concern is the malware related threat ;-))
- //
- // If you search a keyword in lop.com, a server in lop.com
- // (in this case it is ayb.lop.com) was forwarding your request as per
- // below url:
- http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
- // ↑This is my search of the MSN.COM
- // let's see it "closely" ;-))
- --2013-03-02 16:01:12-- http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
- Resolving ayb.lop.com... seconds 0.00, 208.91.197.160
- Caching ayb.lop.com => 208.91.197.160
- Connecting to ayb.lop.com|208.91.197.160|:80... seconds 0.00, connected.
- :
- GET /abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338 HTTP/1.0
- Referer: http://malwaremustdie.blogspot.com
- User-Agent: Whatever moronz hates..#MalwareMustDie!
- Host: ayb.lop.com
- :
- HTTP/1.1 200 OK
- Date: Sat, 02 Mar 2013 07:00:55 GMT
- Server: Apache/2.2.3 (Red Hat)
- X-Powered-By: PHP/5.3.21
- Set-Cookie: vsid=901vr1097532554815432; expires=Thu, 01-Mar-2018 07:00:55 GMT; path=/; domain=ayb.lop.com; httponly
- Vary: Accept-Encoding,User-Agent
- Content-Length: 780
- Keep-Alive: timeout=5, max=113
- Connection: Keep-Alive
- Content-Type: text/html; charset=UTF-8
- :
- 200 OK
- Registered socket 1896 for persistent reuse.
- Stored cookie ayb.lop.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:00:55] vsid 901vr1097532554815432
- Length: 780 [text/html]
- Saving to: `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338'
- 2013-03-02 16:01:13 (22.2 MB/s) - `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338' saved [780/780]
- // OK, we fetched it,
- // and it has the below script...
- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Loading...</title>
- <script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3" type="text/javascript" language="javascript"></script>
- </head>
- <body>
- <div id="rmgblock"></div>
- <script type="text/javascript" id="_rMG_fir">
- var _pR="gkwrf="+"http%3A%2F%2Fareyouhotornotbec.tumblr.com",_folio="7POW59076",_bkt="";
- var _adPage="<scr"+"ipt id=\"_rMG_dyn\" type=\"text/javascript\" language=\"JavaScript\""+" src=\"http://fwdservice.com/main.php?dmn="+"lop.com"+"&folio="+_folio+"&"+_pR+"&bkt="+_bkt+"\">"+ "</scr" + "ipt>";
- document.write(_adPage);
- </script>
- </body></html>
- // goes to the below iframer...
- <script id="_rMG_dyn" type="text/javascript" language="JavaScript"
- src="http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt="></script>
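The dynamic `<script id="_rMG_dyn">` tag above is never sent by the server as-is; it only exists after the inline script concatenates `_pR`, `_folio` and `_bkt` into `_adPage` and `document.write()`s it. Below is an added example (not part of the original paste, and not code from the sites involved) that recovers that next hop statically, without running any JavaScript or fetching anything: a tiny evaluator that understands only `var` declarations built from double-quoted string literals, previously bound identifiers and `+`, and refuses everything else. The `LANDING_HTML` constant is the page body copied verbatim from the capture above; the function and variable names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The landing page returned by ayb.lop.com, copied verbatim from the capture above.
LANDING_HTML = r'''<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Loading...</title>
<script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3" type="text/javascript" language="javascript"></script>
</head>
<body>
<div id="rmgblock"></div>
<script type="text/javascript" id="_rMG_fir">
var _pR="gkwrf="+"http%3A%2F%2Fareyouhotornotbec.tumblr.com",_folio="7POW59076",_bkt="";
var _adPage="<scr"+"ipt id=\"_rMG_dyn\" type=\"text/javascript\" language=\"JavaScript\""+" src=\"http://fwdservice.com/main.php?dmn="+"lop.com"+"&folio="+_folio+"&"+_pR+"&bkt="+_bkt+"\">"+ "</scr" + "ipt>";
document.write(_adPage);
</script>
</body></html>'''

INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.DOTALL | re.IGNORECASE)
# JS tokens we care about: double-quoted string literals, identifiers, and a few punctuators.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*|[+,=;]')
WRITE_RE = re.compile(r'document\.write\(\s*([A-Za-z_$][\w$]*)\s*\)')


def _unescape(s):
    """Resolve backslash escapes inside a JS string literal (\\" -> ", \\\\ -> \\)."""
    return re.sub(r'\\(.)', r'\1', s)


def eval_var_declarations(js):
    """Statically evaluate `var a = "x" + b + ..., c = "y";` statements.
    Only string literals, previously bound identifiers and `+` are understood;
    anything else raises ValueError, which is the safe failure mode for an
    analyst tool (better to stop than to silently mis-resolve a redirect)."""
    env = {}
    toks = TOKEN_RE.findall(js)
    i = 0
    while i < len(toks):
        if toks[i] != "var":
            i += 1          # skip anything outside a var statement
            continue
        i += 1
        while i < len(toks) and toks[i] != ";":
            name, eq = toks[i], toks[i + 1]
            if eq != "=":
                raise ValueError(f"unsupported declaration near {name!r}")
            i += 2
            parts = []
            while i < len(toks) and toks[i] not in (",", ";"):
                tok = toks[i]
                if tok.startswith('"'):
                    parts.append(_unescape(tok[1:-1]))
                elif tok == "+":
                    pass        # the only operator we accept
                elif tok in env:
                    parts.append(env[tok])
                else:
                    raise ValueError(f"unsupported operand {tok!r}")
                i += 1
            env[name] = "".join(parts)
            if i < len(toks) and toks[i] == ",":
                i += 1      # next declarator in the same var statement
    return env


def resolve_next_hop(html):
    """Find the inline script that document.write()s a <script> tag, evaluate
    it without running JS, and return the src= URL it would load, split into
    host, path and the (percent-decoded) query parameters."""
    for m in INLINE_SCRIPT_RE.finditer(html):
        body = m.group(1)
        w = WRITE_RE.search(body)
        if not w:
            continue
        env = eval_var_declarations(body)
        written = env.get(w.group(1), "")
        src = re.search(r'\bsrc="([^"]+)"', written)
        if not src:
            continue
        url = src.group(1)
        u = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
        return {"url": url, "host": u.hostname, "path": u.path, "params": params}
    return None


if __name__ == "__main__":
    hop = resolve_next_hop(LANDING_HTML)
    print(hop["host"], hop["path"])
    for k, v in hop["params"].items():
        print(f"  {k} = {v!r}")
```

Running it against the captured page yields `fwdservice.com /main.php` with `dmn=lop.com`, `folio=7POW59076`, the decoded `gkwrf` referer `http://areyouhotornotbec.tumblr.com` and an empty `bkt`, which is exactly the tag shown above; the decoded referer is the value worth logging, since it is the only parameter that names a site outside the redirector's own infrastructure.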
- // how was it?
- // it's unusual to find the forwarder (fwdservice.com) goes after decoded..
- // referer is the lop.com and after that the 2Fareyouhotornotbec.tumblr.com
- // :
- // forwarder...
- --2013-03-02 16:07:02-- http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=
- Resolving fwdservice.com... seconds 0.00, 141.8.224.25
- Caching fwdservice.com => 141.8.224.25
- :
- GET /main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt= HTTP/1.0
- Referer: http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
- User-Agent: Hi , it's MMD again :-))
- Host: fwdservice.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Sat, 02 Mar 2013 07:06:45 GMT
- Server: Apache/2.2.3 (Red Hat)
- X-Powered-By: PHP/5.3.21
- Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- Pragma: no-cache
- Set-Cookie: gvc=908vr1097536056718867; expires=Thu, 01-Mar-2018 07:06:45 GMT; path=/; domain=fwdservice.com; httponly
- Vary: Accept-Encoding,User-Agent
- Connection: close
- Content-Type: application/x-javascript
- :
- 200 OK
- Stored cookie fwdservice.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:06:45] gvc 908vr1097536056718867
- Length: unspecified [application/x-javascript]
- Saving to: `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt='
- 2013-03-02 16:07:04 (57.0 KB/s) - `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=' saved [40202]
- // So we got the Javascript downloaded...
- // If we see the script carefully
- // :
- // It has the FakeAV Flag keyword TDS....
- :
- _rMG.init(
- {
- "kwds":
- {
- "keyword_click_host":"http:\/\/fwdservice.com\/","keyword_click_page":"main.php","keyword_click_sess":"gmn=lop.com&ga=ew7BlNi35k8r%2BZtEBjh6Jg0pxaP3HNgeM%2Bq3UbBkVKh%2Bl5ytF6zZ3aGNK5%2B8gY325CFwaqwqER2kNymQW0msDUCi%2B8%2FLoQurAbRvYTSmL5o0lK0eYqNs7AISpY73DYj%2BV7z%2BtCxB6ZMX%2FnvI3XTOtgbWPwnRMPuJbnYvVMIhfVaXg%2B8ZpD75GCdU23OtLec5&gqsg=e4RxVXiAXl4K5406XinQ3P2z%2FTlChEhwLamxPLTUD8VJXHQE%2FO6sd37Wg%2FR44Tj1&maxads=0&gerf=s3aP1fmBFGSoXH1ZMYK87NHq2E3jZFXYbzSZB96C%2FW%2FUSEnpUo4fq6nywkRm9stlIimGf8VGnH0olYkYM2VpGQ%3D%3D&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=",
- "last_token":null,"keyword_ratio":[1,0.4,0.6],"feedback_enabled":1,
- "manual_keywords":[
- ["Online Spyware Scanner","210"],
- :
- ["Spyware Finder","210"],
- ["Remove Toolbar","210"],
- ["Virus Remover","210"],
- ["Trojan Removal Software","210"],
- ["Remove Spyware","210"]],
- // ↑ You see this? I don't recommend you test this further...
- // with additionally well-categorized tickets..
- "category_keywords":[["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
- ["\u65e5\u7cfb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
- ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30b7\u30b9\u30c6\u30e0","214"],
- ["\u30d1\u30cd\u30eb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
- ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3","214"],
- ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30a6\u30a3\u30eb\u30b9\u5bfe\u7b56","214"]],
- // and also serving the spam sites TDS too..
- "pop_cats":
- ["Job Listings",
- "Discount Shopping",
- "Education Degrees",
- "Work at Home",
- "Affordable Housing",
- "Find a Business",
- "Online Gaming",
- "Breaking News",
- "Free Credit Report",
- "Make Money Online",
- "MP3 Music Downloads",
- "Cheap Laptops",
- "Hotel Reservations",
- "Finance Investments",
- "Free Ringtones",
- "Social Networking",
- "Health and Fitness",
- "Online Dictionary",
- "Weather Report",
- "Yellow Pages",
- "Download Movies Online",
- "Wholesale Electronics",
- "Online Greetings"],
- "misc_keywords":[]
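The `_rMG.init({...})` object above is plain JSON-compatible syntax, so the keyword lists and the click session can be pulled out of a captured copy without evaluating the 40 KB script. The following is an added example (my own triage code, not from the original paste or from the TDS operator) that parses such a config, flags the rogue-AV lure vocabulary in `manual_keywords` and `category_keywords` (English and the Japanese ウイルス / スパイウェア terms), and decodes the `keyword_click_sess` query string to record which search domain and referer the session is tied to. `SAMPLE_CONFIG` is a constructed, well-formed subset of the capture above: the page's copy is elided with `:` and lacks closing braces, and the long opaque `ga`/`gqsg`/`gerf` tokens are replaced by labelled placeholders; the regex `FAKEAV_LURE` and all function names are assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample: a well-formed subset of the _rMG.init({...}) object
# captured above, re-assembled by hand from its visible fields. The ga/gqsg/gerf
# values are OPAQUE_TOKEN_* placeholders, not the page's real tokens.
SAMPLE_CONFIG = r'''{
 "kwds": {
  "keyword_click_host": "http:\/\/fwdservice.com\/",
  "keyword_click_page": "main.php",
  "keyword_click_sess": "gmn=lop.com&ga=OPAQUE_TOKEN_A&gqsg=OPAQUE_TOKEN_B&maxads=0&gerf=OPAQUE_TOKEN_C&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=",
  "last_token": null,
  "keyword_ratio": [1, 0.4, 0.6],
  "feedback_enabled": 1,
  "manual_keywords": [
   ["Online Spyware Scanner", "210"],
   ["Spyware Finder", "210"],
   ["Remove Toolbar", "210"],
   ["Virus Remover", "210"],
   ["Trojan Removal Software", "210"],
   ["Remove Spyware", "210"]
  ],
  "category_keywords": [
   ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf", "214"],
   ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30a6\u30a3\u30eb\u30b9\u5bfe\u7b56", "214"]
  ],
  "pop_cats": ["Job Listings", "Free Credit Report", "Make Money Online", "Free Ringtones"],
  "misc_keywords": []
 }
}'''

# Lure vocabulary typical of rogue-AV ("FakeAV") landing pages. The Japanese
# alternatives are ウイルス (virus) and スパイウェア (spyware). Assumed list; extend as needed.
FAKEAV_LURE = re.compile(
    "spyware|virus|trojan|malware|antivirus|remove toolbar|"
    "\u30a6\u30a3\u30eb\u30b9|\u30b9\u30d1\u30a4\u30a6\u30a7\u30a2",
    re.IGNORECASE,
)

INIT_CALL_RE = re.compile(r"_rMG\.init\(\s*(\{.*\})\s*\)", re.DOTALL)


def parse_init_config(text):
    """Accept either the bare object literal or the whole `_rMG.init({...})`
    call and return it as a Python dict (the literal is valid JSON)."""
    m = INIT_CALL_RE.search(text)
    return json.loads(m.group(1) if m else text)


def flag_fakeav_keywords(cfg):
    """Return every manual/category keyword that matches the lure vocabulary."""
    kw = cfg["kwds"]
    entries = kw.get("manual_keywords", []) + kw.get("category_keywords", [])
    return [keyword for keyword, _category in entries if FAKEAV_LURE.search(keyword)]


def click_session(cfg):
    """Decode keyword_click_sess into the fields worth keeping as indicators:
    the click-through URL, the search domain the session belongs to, the
    decoded referer, and the bucket."""
    kw = cfg["kwds"]
    params = parse_qs(kw["keyword_click_sess"], keep_blank_values=True)
    first = lambda name: params.get(name, [""])[0]
    return {
        "click_url": kw["keyword_click_host"] + kw["keyword_click_page"],
        "search_domain": first("gmn"),
        "referrer": first("gkwrf"),
        "bucket": first("bkt"),
    }


def summarize(text):
    """One-call triage summary of a captured TDS config."""
    cfg = parse_init_config(text)
    return {
        "session": click_session(cfg),
        "fakeav_keywords": flag_fakeav_keywords(cfg),
        "spam_categories": list(cfg["kwds"].get("pop_cats", [])),
    }


if __name__ == "__main__":
    report = summarize("_rMG.init(" + SAMPLE_CONFIG + ")")
    print("click session :", report["session"])
    print("FakeAV lures  :", report["fakeav_keywords"])
    print("spam categories:", report["spam_categories"])
```

On the sample all six English keywords and the Japanese "computer antivirus" entry are flagged, while the plain "computer" entry and the `pop_cats` spam categories are not, which is the split an analyst wants: the lure keywords are what a search-hijacked victim clicks before landing on a rogue-AV page, the categories are ordinary ad-spam inventory.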
- ----
- #MalwareMustDie!!
- @unixfreaxjp