MalwareMustDie

#MalwareMustDie! LOP.COM has the Keyword Linked to FakeAV

Mar 2nd, 2013
# MalwareMustDie! @unixfreaxjp /malware]$ date
# Sat Mar  2 16:35:02 JST 2013

// You should already know about the search system lop.com, no?
// If you don't, please see the review in this video↓
// http://www.youtube.com/watch?feature=player_detailpage&v=Cv2TPf4SKrk
// ↑So now I presume you know about LOP.COM, and I want to
// explain the link between the keywords searched on LOP.COM and
// FakeAV sites!!! <=== My concern is the malware-related threat ;-))
//
// If you search for a keyword in lop.com, a server in lop.com
// (in this case ayb.lop.com) forwards your request to the URL
// below:

http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338

// ↑This is my search for MSN.COM

// let's see it "closely" ;-))

--2013-03-02 16:01:12--  http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
Resolving ayb.lop.com... seconds 0.00, 208.91.197.160
Caching ayb.lop.com => 208.91.197.160
Connecting to ayb.lop.com|208.91.197.160|:80... seconds 0.00, connected.
  :
GET /abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338 HTTP/1.0
Referer: http://malwaremustdie.blogspot.com
User-Agent: Whatever moronz hates..#MalwareMustDie!
Host: ayb.lop.com
  :
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 07:00:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.21
Set-Cookie: vsid=901vr1097532554815432; expires=Thu, 01-Mar-2018 07:00:55 GMT; path=/; domain=ayb.lop.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 780
Keep-Alive: timeout=5, max=113
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
  :
200 OK
Registered socket 1896 for persistent reuse.
Stored cookie ayb.lop.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:00:55] vsid 901vr1097532554815432
Length: 780 [text/html]
Saving to: `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338'
2013-03-02 16:01:13 (22.2 MB/s) - `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338' saved [780/780]

// OK, we fetched it,
// and it contains the script below...

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Loading...</title>
<script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3" type="text/javascript" language="javascript"></script>
</head>
<body>
<div id="rmgblock"></div>
    <script type="text/javascript" id="_rMG_fir">
var _pR="gkwrf="+"http%3A%2F%2Fareyouhotornotbec.tumblr.com",_folio="7POW59076",_bkt="";
var _adPage="<scr"+"ipt id=\"_rMG_dyn\" type=\"text/javascript\" language=\"JavaScript\""+" src=\"http://fwdservice.com/main.php?dmn="+"lop.com"+"&folio="+_folio+"&"+_pR+"&bkt="+_bkt+"\">"+ "</scr" + "ipt>";
document.write(_adPage);
</script>
</body></html>

// which goes to the iframer below...

<script id="_rMG_dyn" type="text/javascript" language="JavaScript"
src="http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt="></script>

// How about that?
// It's unusual to find a forwarder (fwdservice.com) called like this: once decoded,
// the referer is lop.com, followed by areyouhotornotbec.tumblr.com
//  :
// the forwarder...

--2013-03-02 16:07:02--  http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=
Resolving fwdservice.com... seconds 0.00, 141.8.224.25
Caching fwdservice.com => 141.8.224.25
  :
GET /main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt= HTTP/1.0
Referer: http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
User-Agent: Hi , it's MMD again :-))
Host: fwdservice.com
HTTP request sent, awaiting response...
 :
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 07:06:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.21
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: gvc=908vr1097536056718867; expires=Thu, 01-Mar-2018 07:06:45 GMT; path=/; domain=fwdservice.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/x-javascript
 :
200 OK
Stored cookie fwdservice.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:06:45] gvc 908vr1097536056718867
Length: unspecified [application/x-javascript]
Saving to: `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt='
2013-03-02 16:07:04 (57.0 KB/s) - `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=' saved [40202]

// So we got the JavaScript downloaded...
// If we look at the script carefully
//      :
// it carries the TDS keyword list flagged for FakeAV....

    :
_rMG.init(
  {
    "kwds":
    {
      "keyword_click_host":"http:\/\/fwdservice.com\/","keyword_click_page":"main.php","keyword_click_sess":"
      gmn=lop.com&ga=ew7BlNi35k8r%2BZtEBjh6Jg0pxaP3HNgeM%2Bq3UbBkVKh%2Bl5ytF6zZ3aGNK5%2B8gY325CFwaqwqER2kNymQW0msDUCi%2B8%2FLoQurAbRvYTSmL5o0lK0eYqNs7AISpY73DYj%2BV7z%2BtCxB6ZMX%2FnvI3XTOtgbWPwnRMPuJbnYvVMIhfVaXg%2B8ZpD75GCdU23OtLec5&gqsg=e4RxVXiAXl4K5406XinQ3P2z%2FTlChEhwLamxPLTUD8VJXHQE%2FO6sd37Wg%2FR44Tj1&maxads=0&gerf=s3aP1fmBFGSoXH1ZMYK87NHq2E3jZFXYbzSZB96C%2FW%2FUSEnpUo4fq6nywkRm9stlIimGf8VGnH0olYkYM2VpGQ%3D%3D&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=",
      "last_token":null,"keyword_ratio":[1,0.4,0.6],"feedback_enabled":1,
      "manual_keywords":[
      ["Online Spyware Scanner","210"],
           :
      ["Spyware Finder","210"],
      ["Remove Toolbar","210"],
      ["Virus Remover","210"],
      ["Trojan Removal Software","210"],
      ["Remove Spyware","210"]],


// ↑ You see this? I don't recommend you test this any further...
// and additionally there are well-categorized keyword lists..

"category_keywords":[["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
                     ["\u65e5\u7cfb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
                     ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30b7\u30b9\u30c6\u30e0","214"],
                     ["\u30d1\u30cd\u30eb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
                     ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3","214"],
                     ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30a6\u30a3\u30eb\u30b9\u5bfe\u7b56","214"]],

// and it also serves as a TDS for the spam sites too..

     "pop_cats":
         ["Job Listings",
         "Discount Shopping",
         "Education Degrees",
         "Work at Home",
         "Affordable Housing",
         "Find a Business",
         "Online Gaming",
         "Breaking News",
         "Free Credit Report",
         "Make Money Online",
         "MP3 Music Downloads",
         "Cheap Laptops",
         "Hotel Reservations",
         "Finance Investments",
         "Free Ringtones",
         "Social Networking",
         "Health and Fitness",
         "Online Dictionary",
         "Weather Report",
         "Yellow Pages",
         "Download Movies Online",
         "Wholesale Electronics",
         "Online Greetings"],
         "misc_keywords":[]

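// Added example, not part of this paste or of MalwareMustDie's tooling: a small Python triage
// script for a captured main.php response like the one above. It pulls the object passed to
// _rMG.init() out of the JavaScript, decodes keyword_click_sess to recover the gmn / gkwrf chain
// (lop.com -> areyouhotornotbec.tumblr.com), and flags keyword buckets that read like rogue-AV
// lures. The embedded sample is constructed to mirror the paste; the long ga=/gqsg=/gerf= blobs
// are replaced with a placeholder, and the regex word list is my own assumption.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample shaped like the captured main.php output (long ga=/gqsg=/gerf= blobs replaced).
SAMPLE_JS = r'''_rMG.init(
  {"kwds":
    {"keyword_click_host":"http:\/\/fwdservice.com\/","keyword_click_page":"main.php",
     "keyword_click_sess":"gmn=lop.com&ga=PLACEHOLDER&maxads=0&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=",
     "manual_keywords":[["Online Spyware Scanner","210"],["Virus Remover","210"],["Remove Spyware","210"]],
     "category_keywords":[["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30a6\u30a3\u30eb\u30b9\u5bfe\u7b56","214"]],
     "pop_cats":["Job Listings","Free Credit Report","Make Money Online"]}}
);'''

FAKEAV_EN = re.compile(r"\b(spyware|virus|trojan|malware|antivirus|scanner|remov\w*)\b", re.I)
FAKEAV_JA = ("\u30a6\u30a3\u30eb\u30b9", "\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3")  # ウィルス (virus), セキュリティ (security)

def extract_init_config(js: str) -> dict:
    """Return the object literal passed to _rMG.init(), located by string-aware brace matching."""
    i = js.index("{", js.index("_rMG.init("))
    depth, in_str, esc = 0, False, False
    for j, c in enumerate(js[i:], start=i):
        if in_str:                          # braces inside JSON strings do not count
            if esc: esc = False
            elif c == "\\": esc = True
            elif c == '"': in_str = False
        elif c == '"': in_str = True
        elif c == "{": depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return json.loads(js[i:j + 1])   # json decodes the \/ and \uXXXX escapes
    raise ValueError("unbalanced _rMG.init() argument")

def decode_session(sess: str) -> dict:
    """Split keyword_click_sess: gmn is the customer domain, gkwrf the referring keyword page."""
    return {k: v[0] for k, v in parse_qs(sess, keep_blank_values=True).items()}

def flag_fakeav_keywords(cfg: dict) -> list:
    """Return (keyword, bucket) pairs from the keyword lists that read like rogue-AV lures."""
    hits = []
    for key in ("manual_keywords", "category_keywords"):
        for kw, bucket in cfg["kwds"].get(key, []):
            if FAKEAV_EN.search(kw) or any(t in kw for t in FAKEAV_JA):
                hits.append((kw, bucket))
    return hits

if __name__ == "__main__":
    cfg = extract_init_config(SAMPLE_JS)
    print(decode_session(cfg["kwds"]["keyword_click_sess"]), flag_fakeav_keywords(cfg))
```

// Every English lure lands in bucket "210" and the Japanese one in "214", which is the
// bucket split the captured config shows; the same functions run unchanged on a saved main.php file.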
----

#MalwareMustDie!!
@unixfreaxjp