SHARE
TWEET

#MalwareMustDie! LOP.COM has the Keyword Linked to FakeAV

MalwareMustDie Mar 2nd, 2013 173 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # MalwareMustDie! @unixfreaxjp /malware]$ date
  2. # Sat Mar  2 16:35:02 JST 2013
  3.  
  4. // You should already know about search system lop.com, No?
  5. // If you don't know please see the review in this video↓
  6. // http://www.youtube.com/watch?feature=player_detailpage&v=Cv2TPf4SKrk
  7. // ↑So know I presume you know about LOP.COM and I want to
  8. // explain the link between LOP.COM searched keywords to the
  9. // FakeAV sites!!! <=== My concern is the malware related threat ;-))
  10. //
  11. // If you search a keyword in lop.com, A server in lop com,
  12. // (in this case is ayb.lop.com) was forwarding ypour request as per
  13. // below url:
  14.  
  15. http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
  16.  
  17. // ↑This is my search of the MSN.COM
  18.  
  19. // let's see it "closely" ;-))
  20.  
  21. --2013-03-02 16:01:12--  http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
  22. Resolving ayb.lop.com... seconds 0.00, 208.91.197.160
  23. Caching ayb.lop.com => 208.91.197.160
  24. Connecting to ayb.lop.com|208.91.197.160|:80... seconds 0.00, connected.
  25.   :
  26. GET /abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338 HTTP/1.0
  27. Referer: http://malwaremustdie.blogspot.com
  28. User-Agent: Whatever moronz hates..#MalwareMustDie!
  29. Host: ayb.lop.com
  30.   :
  31. HTTP/1.1 200 OK
  32. Date: Sat, 02 Mar 2013 07:00:55 GMT
  33. Server: Apache/2.2.3 (Red Hat)
  34. X-Powered-By: PHP/5.3.21
  35. Set-Cookie: vsid=901vr1097532554815432; expires=Thu, 01-Mar-2018 07:00:55 GMT; path=/; domain=ayb.lop.com; httponly
  36. Vary: Accept-Encoding,User-Agent
  37. Content-Length: 780
  38. Keep-Alive: timeout=5, max=113
  39. Connection: Keep-Alive
  40. Content-Type: text/html; charset=UTF-8
  41.   :
  42. 200 OK
  43. Registered socket 1896 for persistent reuse.
  44. Stored cookie ayb.lop.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:00:55] vsid 901vr1097532554815432Length: 780 [text/html]
  45. Saving to: `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338'
  46. 2013-03-02 16:01:13 (22.2 MB/s) - `abt@udata=WWW_7MSN%3A4.22msn%3A 557281297%3AUnited States%3Aprogram_started%3A3d2578c0c35ad338' saved [780/780]
  47.  
  48. // OK, we fetched it ,
  49. // and it has the below script...
  50.  
  51. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  52. <html>
  53. <head>
  54. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  55. <title>Loading...</title>
  56. <script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3" type="text/javascript" language="javascript"></script>
  57. </head>
  58. <body>
  59. <div id="rmgblock"></div>
  60.         <script type="text/javascript" id="_rMG_fir">
  61. var _pR="gkwrf="+"http%3A%2F%2Fareyouhotornotbec.tumblr.com",_folio="7POW59076",_bkt="";
  62. var _adPage="<scr"+"ipt id=\"_rMG_dyn\" type=\"text/javascript\" language=\"JavaScript\""+" src=\"http://fwdservice.com/main.php?dmn="+"lop.com"+"&folio="+_folio+"&"+_pR+"&bkt="+_bkt+"\">"+ "</scr" + "ipt>";
  63. document.write(_adPage);
  64. </script>
  65. </body></html>
  66.  
  67. // goes to the below iframer...
  68.  
  69. <script id="_rMG_dyn" type="text/javascript" language="JavaScript"
  70. src="http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt="></script>
  71.  
  72. // how was it?
  73. // it's unusual to find the forwarder (fwdservice.com) goes after decoded..
  74. // referer is the lop.com and aftering the 2Fareyouhotornotbec.tumblr.com
  75. //  :
  76. // forwarder...
  77.  
  78. --2013-03-02 16:07:02--  http://fwdservice.com/main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=
  79. Resolving fwdservice.com... seconds 0.00, 141.8.224.25
  80. Caching fwdservice.com => 141.8.224.25
  81.   :
  82. GET /main.php?dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt= HTTP/1.0
  83. Referer: http://ayb.lop.com/abt?udata=WWW_7MSN:4.22msn:%20557281297:United%20States:program_started:3d2578c0c35ad338
  84. User-Agent: Hi , it's MMD again :-))
  85. Host: fwdservice.com
  86. HTTP request sent, awaiting response...
  87.  :
  88. HTTP/1.1 200 OK
  89. Date: Sat, 02 Mar 2013 07:06:45 GMT
  90. Server: Apache/2.2.3 (Red Hat)
  91. X-Powered-By: PHP/5.3.21
  92. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  93. Pragma: no-cache
  94. Set-Cookie: gvc=908vr1097536056718867; expires=Thu, 01-Mar-2018 07:06:45 GMT; path=/; domain=fwdservice.com; httponly
  95. Vary: Accept-Encoding,User-Agent
  96. Connection: close
  97. Content-Type: application/x-javascript
  98.  :
  99. 200 OK
  100. Stored cookie fwdservice.com -1 (ANY) / <permanent> <insecure> [expiry 2018-03-01 16:06:45] gvc 908vr1097536056718867
  101. Length: unspecified [application/x-javascript]
  102. Saving to: `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt='
  103. 2013-03-02 16:07:04 (57.0 KB/s) - `main.php@dmn=lop.com&folio=7POW59076&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=' saved [40202]
  104.  
  105. // So we got the Javascript downloaded...
  106. // If we see the script carefully
  107. //      :
  108. // It has the FakeAV Flag keyword TDS....
  109.  
  110.     :
  111. _rMG.init(
  112.   {
  113.     "kwds":
  114.     {
  115.       "keyword_click_host":"http:\/\/fwdservice.com\/","keyword_click_page":"main.php","keyword_click_sess":"
  116.       gmn=lop.com&ga=ew7BlNi35k8r%2BZtEBjh6Jg0pxaP3HNgeM%2Bq3UbBkVKh%2Bl5ytF6zZ3aGNK5%2B8gY325CFwaqwqER2kNymQW0msDUCi%2B8%2FLoQurAbRvYTSmL5o0lK0eYqNs7AISpY73DYj%2BV7z%2BtCxB6ZMX%2FnvI3XTOtgbWPwnRMPuJbnYvVMIhfVaXg%2B8ZpD75GCdU23OtLec5&gqsg=e4RxVXiAXl4K5406XinQ3P2z%2FTlChEhwLamxPLTUD8VJXHQE%2FO6sd37Wg%2FR44Tj1&maxads=0&gerf=s3aP1fmBFGSoXH1ZMYK87NHq2E3jZFXYbzSZB96C%2FW%2FUSEnpUo4fq6nywkRm9stlIimGf8VGnH0olYkYM2VpGQ%3D%3D&gkwrf=http%3A%2F%2Fareyouhotornotbec.tumblr.com&bkt=",
  117.       "last_token":null,"keyword_ratio":[1,0.4,0.6],"feedback_enabled":1,
  118.       "manual_keywords":[
  119.       ["Online Spyware Scanner","210"],
  120.            :
  121.       ["Spyware Finder","210"],
  122.       ["Remove Toolbar","210"],
  123.       ["Virus Remover","210"],
  124.       ["Trojan Removal Software","210"],
  125.       ["Remove Spyware","210"]],
  126.  
  127.  
  128. // ↑ You see this? I don't recommend you to test this further...
  129. // with additionally a well-categorized tickets..
  130.  
  131. "category_keywords":[["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
  132.                      ["\u65e5\u7cfb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
  133.                      ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30b7\u30b9\u30c6\u30e0","214"],
  134.                      ["\u30d1\u30cd\u30eb\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf","214"],
  135.                      ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3","214"],
  136.                      ["\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30a6\u30a3\u30eb\u30b9\u5bfe\u7b56","214"]],
  137.  
  138. // and also serving the spam sites TDS too..
  139.  
  140.      "pop_cats":
  141.          ["Job Listings",
  142.          "Discount Shopping",
  143.          "Education Degrees",
  144.          "Work at Home",
  145.          "Affordable Housing",
  146.          "Find a Business",
  147.          "Online Gaming",
  148.          "Breaking News",
  149.          "Free Credit Report",
  150.          "Make Money Online",
  151.          "MP3 Music Downloads",
  152.          "Cheap Laptops",
  153.          "Hotel Reservations",
  154.          "Finance Investments",
  155.          "Free Ringtones",
  156.          "Social Networking",
  157.          "Health and Fitness",
  158.          "Online Dictionary",
  159.          "Weather Report",
  160.          "Yellow Pages",
  161.          "Download Movies Online",
  162.          "Wholesale Electronics",
  163.          "Online Greetings"],
  164.          "misc_keywords":[]
  165.  
  166. ----
  167.  
  168. #MalwareMustDie!!
  169. @unixfreaxjp
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top