Thousands of web sites compromised, redirect to scareware

Thousands of web sites compromised, redirect to scareware

Summary: Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software, commonly referred to as scareware.

TOPICS: Browser, Security

Updated: Thursday, November 19 - According to eSoft who contacted me, they've been monitoring the campaign since September, with another 720,000 affected sites back then.

There are now over a million affected sites serving scareware, with only a small percentage of them currently marked as harmful. Google has been notified. As always, NoScript and your decent situational awareness are your best friends.

Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe), commonly referred to as scareware.

More details on the campaign:

The compromised sites are hosting legitimately looking templates, using automatically generated bogus content, with a tiny css.js (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming a search engine listed as known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu :

"Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.

The common string albums/bsblog/category is found in the URLs for all these blogs. By simply using the Google search parameter allinurl, along, you can see how many other sites contain the same string. As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example.

As you can see, only a small portion of sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely because the actual attacks do not take place on the website URLs in the search results, but on the sites you’re redirected to thereby decreasing the chances that Google will designate the destination sites as harmful."

At first, it would appear that the campaign is an isolated one and is maintained by a cybercrime enterprise yet to be analyzed. However, analyzing it reveals a rather anticipated connection - the massive blackat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet. For instance, the domains mentioned by Cyveillance, as well as the newly introduced ones over the past couple of hours, are the very same domains currently embedded on Koobface infected hosts.

How did they manage the compromise the sites? Through web application vulnerabilities as the attack vector, with OWASP's recently updated Top 10 most critical web application security risks, highlighting some of the riskiest ones.

Topics: Browser, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This would only apply to Windows users.

    I can only imagine what the payload would be?
    • Yes, of course. That's what happens when you have 1.2 billion users

      Hackers take notice.

      Except it only applies to the "smart" Windows users that turn off automatic updates, doesn't even bother to install one of the good, free anti-virus packages (MSE), or pirates Windows.

      The rest of the 1.19 billion Windows users are safe.

      Hackers don't particularly care about the loser OSes. So what is your point?
      • Nope

        It's what happens when your OS is full of holes,
        and depends on security through obscurity (hides
        all of its code from the public eye), so that by
        the time a patch comes out the vulnerability has
        been in use by malicious hackers for at least a
        few months.
        • MS is not the problem ID 10 T users are

          I will not hide my disdain for you people who spout off unsubstantiated anti-microsoft trash. I have been an IT expert for over 12 years and using Windows all along I am also a Microsoft Partner and if it was not for their awesome partner support program would not have been as sucessful as I am in business. I agree with some people but I also do my homework and research Linux distros as well as Apples Tiger, Leopard, and Snow Leopard, They all have security vulnerabilities too!!! You just don't hear that much about them because combined they only account for 5% of the desktops deployed worldwide. Most computer users that are compromised are ID 10 Ts and would get themselves infected no matter what OS they used!! I recently had a customer pc infected irregardless of the security software installed as follows ( AVG Free 8.5, Ad-Aware Aniversary Edition, Webroot Spysweeper, AVG also had the security toolbar which keeps track of search results and classifies them, McAfee Site Advisor which is free, Spyware Blaster which blacklists thousands of sites, and lastly Microsofts Windows Defender, OS Was a fully patched Windows Vista Machine. Here is the reason it got infected end user turned off UAC, I had auto scans sheduled to all take place at night while user not using pc told them to leave it running so maintenance would take place but they shut it off anyway so scans never happened, they ignored windows updates and only patched when it was a forced install, They used 2 different file sharing programs and downloaded gobs of pirated music and even a couple software titles ILLEGAL!!! and surfed the internet for porn, they also think they know how to use a computer but in reality they are clueless like 70% of end users in the world. The Point is this no matter how much security you put in a pc it is only as good as the user behind the mouse and keyboard. If you know what security software you use you would not be duped by the scareware and all you need to do is use ALT/CTRL/DEL and kill your browser instance and clear your CACHE and it won't get in but the malware writters are good the page is designed so that no matter what you click the X to close, the NO button or anything else the nasty trojan is designed to drop it's nasty payload and I have recently seen an apple Leopard OS using Safari get infected. Sorry to spout but I deal with this stuff everyday and in 12 years my pc has never been infected all it takes is a little COMMON SENSE and do not participate in unsafe online habits and you will be ok. Microsofts new Windows 7 with IE8 just happens to be the best they have ever produced and is also the most secure OS in a long time and oh by the way it is awesome and runs flawlessly.
          • I would agree with your post

            in it's entirety except for [i]"and is also the most secure OS in a long time and oh by the way it is awesome and runs flawlessly."[/i].

            While the rest of what you've written is pretty accurate, Win7 still will not be able to play in secure environments like the hardened Linux distros or Solaris 10 with Trusted Extensions. That statement is the same sort of BS that gets Mac users in trouble and makes people believe that their OS can't be compromised. It is simply more secure than previous versions, but the malware writers aren't sitting around either and exploits do exist for unpatched Win7.
          • UMM ever hear of this thing called paragraph's

            You start one when you change thoughts. It is ok to use the Enter key every once and a while.

            As seen in the article this isn't necessarily a browsing habit like, "while I was out surfing porn, I got this popup", no it is getting nailed with this crap when you are even doing research. As and IT person I know enough to run FF with Noscript installed and active, average Joe is not likely going to do that.

            Another notorious place for this stuff, is Myspace, which is why I avoid Myspace like it's the plague.

            But there are also things like Koobface where social engineering, and like this attack takes place where a user that doesn't know better clicks it and says "Fix me", or your Flash Player is out of date, "fix me".

            Pressing Control+Alt+Del works for people like you and I who know WTF we are doing, but not so much for the average user who really think that they may be infected, and don't know that by clicking the "fix me" that they are inviting the infection in. Common Sense does not apply, because if it was really common there wouldn't be a need for you or I.

          • Infected Leopard?

            "... no matter what you click the X to close, the NO button or anything else the nasty trojan is designed to drop it's nasty payload and I have recently seen an apple Leopard OS using Safari get infected."

            Unless I misread the original article this blog post is based on, the trojan in this case is a .exe file. How does an OS X system get infected by one of those? Perhaps it was something else?
          • Walls of text

            You may have had something useful to say but I'll never know.

            It's very uncomfortable to read a wall of text.
          • Unsubstantiated?

            Go call them yourself and ask if you can review
            their source code. They will not let you. They
            will not let anyone. You can see this for yourself
            first hand by asking them.
          • rebuttal

            "Microsofts new Windows 7 with IE8 just happens to be the best they have ever produced and is also the most secure OS in a long time and oh by the way it is awesome and runs flawlessly."

            Even with the huge time of 12 years as an IT expert under the belt, one can't think that win7 et. al. is the most secure OS in a long time because 12 years is not a long time at all. Consider O/S that run for decades without rebooting. VMS is an o/s that is better than its users, because id10ts are not given priveleges except for the required applications, which then run with the id10ts' privelege levels. It might have been better to say it's no better than it's system managers (that's admins to the MS hordes). Right out of the h/p box however, things like "buffer overruns" and running random commands in arbitraty memory don't happen. The hat won't know where his hole in virtual memory is, and it will vanish in a puff of |d|i|g|i|t|a|l| smoke along with whatever process was holding it open. Assuming a process was compromised in the first place. Unlikely if properly written.

            There are reasons VMS is used in certain unseen places and some of them have very much to do with crufty "windows security". And the security of some other OS's as well, not just rebutting MS here but since the Grand Tout was to MS, let the quadwords fall where they may.

            see here for a funny:

            I have not tried it with win7, only 2003 but probably the same result would ensue with VMS and the other O/S barenaked playing in traffic. apples to apples test to be fair.

            Also another somewhat lengthy account of apples to apples, truly and verily impartial according to real live hackers whom are not to be taunted:

            Of course MS products are OK for home use and for business if you have an IT staff to watch everything and fascistly police all the Lusers. Good luck on that last one.

            I feel as though Windows is a bit overpriced. VMS is priced according to its value (but is free if you get a non-commercial hobbyist license). So the above has been the rebuttal to the "(win7) also the most secure OS in a long time" party line. VMS 8.4 is in field test now.
          • I agree

            I can't believe I forgot VMS, the as yet unhacked OS. In terms of invulnerability it's right up there with Solaris 10 Trusted Extensions.
    • All compromised servers are running Linux/Apache

      So much for Linux/Apache security.

      EDIT: Almost all. Some are on BSD/Apache.

      They may be trying to trick users into
      downloading the malware. Malware where they'll
      target Windows users because, well, rather go
      after 92% of the worlds users than 5% Macs or
      less than 1% Linux?

      <b>but how did these sites get infected in the
      first place?</b> Does Linux or Apache have
      exploitable vulnerabilities. I have been told
      in these talkbacks again and again that because
      of the superior security by "design" of Linux,
      vulnerabilities are not exploitable.

      And yet here we evidently have a <b>mass
      infection</b> which has compromised thousands
      of <b>websites</b> without social engineering.
      I.e. the infections came through the network
      <b>with no user interaction</b>.

      • (.exe) does not WORK on a Linux distro

        You are dreaming, it is really hard to run an (.exe) on a Linux/Unix system when it is NOT compatible.

        Second, your CLAIMS are false, look at and see the stats yourself.

        Lastly, the Windows BOT network numbers in the MILLIONS of infected/hacked Windows Servers/Desktops used by criminals/spammers/hackers they got the world at their finger tips.

        Your PC is probably being used as a BOT right now...

        • I can back up my claims. Can you?

          So you want to play games? How about we take
          that first page of links to infected sites from

          (http strings have been intentionally
          obfuscated to avoid web addresses to appear as

          This is the sad result:

          Server: <b>Apache</b>
          X-Powered-By: PHP/5.2.6
          X-Pingback: hxxp://horse-n-

          Connection: close
          Content-Type: text/html; charset=UTF-8
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 302 Found
          Date: Wed, 18 Nov 2009 00:53:55 GMT
          Server: <b>Apache</b>/2.0.63 (Unix)
          mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-<b>rhel5</b>
          mod_auth_passthrough/2.1 mod_bwlimited/1.4
          FrontPage/ mod_perl/2.0.4 Perl/v5.8.8
          Location: hxxp://
          Content-Length: 438
          Connection: close
          Content-Type: text/html; charset=iso-8859-1
          <i>Conclusion: Apache + RedHat Enterprise

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 00:56:25 GMT
          Server: <b>Apache</b>/2.2.3 (<b>CentOS</b>)
          Last-Modified: Wed, 28 Feb 2007 16:39:59 GMT
          ETag: "130db3-f12-67595c0"
          Accept-Ranges: bytes
          Content-Length: 3858
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + CentOS (a RedHat
          derived Linux)</i>

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 00:57:49 GMT
          Server: <b>Apache</b>
          Last-Modified: Tue, 20 Feb 2007 11:43:03 GMT
          ETag: "7143a0-4b54-429e6f1cfffc0"
          Accept-Ranges: bytes
          Content-Length: 19284
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 00:58:50 GMT
          Server: <b>Apache</b>
          X-Powered-By: PHP/4.4.9
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 00:59:57 GMT
          Server: <b>Apache</b>/2.2.14 (Unix)
          mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-<b>rhel5</b>
          mod_auth_passthrough/2.1 mod_bwlimited/1.4
          Last-Modified: Sat, 15 Sep 2007 16:21:20 GMT
          ETag: "26d04fe-412-43a2ef62ea000"
          Accept-Ranges: bytes
          Content-Length: 1042
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + RedHat Enterprise

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 01:01:17 GMT
          Server: <b>Apache</b>
          Last-Modified: Tue, 29 Sep 2009 16:44:02 GMT
          ETag: "409cdd7-987-474ba1f2e023f"
          Accept-Ranges: bytes
          Content-Length: 2439
          Vary: Accept-Encoding
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 403 Forbidden
          Date: Wed, 18 Nov 2009 01:02:26 GMT
          Server: <b>Apache</b>
          Content-Length: 623
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 200 OK
          Date: Wed, 18 Nov 2009 01:03:58 GMT
          Server: Apache
          Last-Modified: Sat, 28 Feb 2009 01:03:44 GMT
          ETag: "cb1a2e-88-463f0282a3c00"
          Accept-Ranges: bytes
          Content-Length: 136
          Connection: close
          Content-Type: text/html
          <i>Conclusion: Apache + some *nix</i>

          hxxp/1.1 301 Moved Permanently
          Date: Wed, 18 Nov 2009 01:04:53 GMT
          Server: Apache
          X-Powered-By: PHP/5.2.11
          X-Pingback: hxxp://
          Location: hxxp://
          Content-Length: 0
          Connection: close
          Content-Type: text/html; charset=UTF-8
          <i>Conclusion: Apache + some *nix</i>

          Ugh! 10 out of 10 infected sites are running
          Apache and some form of Linux/BSD.

          But thanks for playing.
          • That does prove a lot of windows admins configure linux web servers

            This is exactly what happens when an admin who does not properly configure the OS and applications with security in mind, or do not know how to do so.

            To quote the article:

            "The attack method also relies on inattentive webmasters who do not update the software on their sites"

            That is exactly why I would not let a windows admin configure my linux web server & applications - they would install it once, and never touch it again. Eventually it would make a great honeypot to attract malware authors.
          • There's no evidence of that. As a matter of fact

            I think it's pretty safe to assume that compromised Windows servers are a result of letting a Linux/Unix admins configure the systems.

            But I will bet that those Linux servers he talking about are administered by Linux admins.

            So the only thing it DOES prove is that alot of Linux admins are just as lazy as alot of Windows admins.
          • not all drivers are good drivers...

            Just because someone has a motor vehicle and a driver license, it does not automatically make them a good driver. Hopefully they will strive to be good drivers.

            I have seen many a experienced windows admin install/configure LAMP servers, without linux experience, and have noticed most are done incorrectly since only the basic research on how to perform the install was done - some so badly it needed to be redone from scratch.

            Conversely, I (and others on my team, who are primarily *nix admins), help out the windows team very frequently and no windows server has been mis-configured let alone compromised.

            Maybe someone has seen your assumed theoretical scenario, I sure have not. It could be since I am in the banking/finance industry, and the standards are quite high.
          • Ha!

            So do the administrators at GoDaddy lack experience, training and ability?

            A friend of mine owns a retail computer shop, a small one store operation. His store was hosted by GoDaddy - the server was hacked, though not through his store from what he is told.

            In fact he told me that every site an that server was DELETED. Yes, I know all about permissions, and ROOT access and so on, and someone clearly obtained ROOT access and poof, all the vhosts were just gone! In each of them was a replacement home page, what a nice touch.

            Regardless, it was a Linux server, and if Linux is so strong and if you are claiming it had to be the administrator then I defy you to back that up.

            Maybe it was a whole in some open source technology?

            They never happen though, do they?
          • are you serious?

            Since I have no experience with them I really can't comment - but I will say you will get what you pay for.

            It is not linux itself that gives it strength - it is the user behind the keyboard. Both can be said for the desktop and server, regardless of the OS it is running on.

            Ponder on this for a moment - which user is more likely to fall for a social engineering scam, a linux user or a windows user?

            With that in mind, ask yourself "who can better install and configure a linux web server"...

          • Are [i]you[/i] serious "DooLittle"

            With Ubuntu pushing Linux to the masses, it is getting just as likely that Linux users would just as likely fall for the same scam. With Ubuntu pushing out into the "masses" as the more secure option, if they are not careful, they'll end up breeding a common user-base with the same ignorant sense of invulnerability that Mactards seem to suffer from.