June 14, 2012 By Dancho Danchev

Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup

On their way to convert legitimate traffic into malware-infected hosts using web malware exploitation kits, cybercriminals have been actively experimenting with multiple traffic acquisition techniques over the past couple of years. From malvertising (the process of displaying malicious ads), to compromised high-trafficked web sites, to blackhat SEO (search engine optimization), the tools in their arsenal have been systematically maturing to become today’s sophisticated traffic acquisition platforms delivering millions of unique visits from across the world, to the cybercriminals behind the campaigns.

What are some of the latest campaigns currently circulating in the wild? How are cybercriminals monetizing the hijacked traffic? Are they basically redirecting to the landing page of an affiliate network, earning revenue in the process, or are they serving malicious software to unsuspecting and gullible end and corporate users?

Let’s find out by profiling a currently active blackhat SEO (search engine optimization) campaign at the popular document sharing web site Scribd, currently using double monetization of the anticipated traffic, namely, redirecting users to a dating affiliate network, and serving malware in between.

More details:

Here’s how the campaign works in a nutshell – basically the cybercriminals behind it have registered multiple bogus accounts at Scribd and are using them to populate the site’s search index — including Google’s index — with adult themed search queries. Once they attempts to view the document, they’ll be exposed to a bogus video screen that’s basically an image with an embedded link pointing to a dating affiliate network, and to a malware currently hosted at Comodo Backup’s infrastructure.

Screenshot of the bogus video screen displayed when viewing a sample document used in the campaign:

Screenshot of sample blackhat SEO friendly bogus content created by the cybercriminals hijacking legitimate traffic:

Let’s profile the dating affiliate network vector. Some of the generated videos basically redirect to the dating network Find and Try. Sample redirection chain and involved URls:

hxxp://www.scribd.com/doc/88566709/hentai-anime-naruto-videos -> hxxp://blogultram.com/scribd/hentai+anime+naruto+videos – 95.168.173.251; Email: nickbzzzz@gmail.com -> hxxp://searchallforfree.com/1/feed/index.php?q=hentai+anime+naruto+videos&saff=gfeed12 – 95.168.173.251; Email: nickbzzzz@gmail.com -> hxxp://findandtry.com/?aff=94604856-tsp.new

The URls also include the affiliate network IDs of the cybercriminals. For instance aff=gfeed12 earning revenue for the hijacked traffic once, and aff=94604856 earning revenue based on redirected traffic of actual transaction of newly registered members at the Find and Try dating network.

Screenshot of the dating network Find and Try:

How are the cybercriminals making money through the affiliate network? According to the network’s rules, new participants can earn up to $100 for every 1000 visitors that they send, 75% on initial member fees, plus 50% on all recurring fees.

Screenshot of the affiliate network’s monetization offerings:

The following domains have also been registered with the same email used to register blogultram.com and searchallforfree.com

blogcialis.com – Email: nickbzzzz@gmail.com
freesearcch.com – Email: nickbzzzz@gmail.com
beeey.com – Email: nickbzzzz@gmail.com
videofree565.com – Email: nickbzzzz@gmail.com
fortraf.com – Email: nickbzzzz@gmail.com
blogfioricet.com – Email: nickbzzzz@gmail.com

The second attack vector in the campaign is exposing end and corporate users to malicious software currently hosted at Comodo’s Backups service:

hxxps://server.backup.comodo.com/json/direct/default/XXX-DVDRip%20XVID-DFA.avi.zip?key=81741989-5172-4156-b70f-2e503b2ea21c

Detection rate – MD5: 9e87f0f54e158fcd9f3b6005ead125aa detected by 36 out of 42 antivirus scanners as Gen:Variant.Kazy.66225; Trojan:Win32/Sirefef.P; ZeroAccess.ea

Upon execution it phones back to the following — currently not-responding — URls:

jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=1
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=19
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=21
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=4
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=5
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=6
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=7
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=8
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=23
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=24
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=25
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=26
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=27
jmjffyjr.cn/stat2.php?w=30465&i=000000000000000000000000b756e3bf&a=11

More MD5s are know to have used the same C&C in the past. For instance:

MD5: a1d2bf7c7a8c03240a05c329b5060213
MD5: 91c8bcf34e87e81ac50446c006d1ab49
MD5: 33184d0750809ba937276755dd929a06
MD5: f61e9136695ac2b251b08abae7fee488
MD5: 0cc4bc12eacaf362d69688155cf617bc
MD5: f9eb003644e894ce3ad42e7408881f3c
MD5: ce758842a5eb06135f49b9bef62b1f5e
MD5: 2ae42a30e87a1cdc9fd66a34ce53d861
MD5: 2e516201fd16b3bd395cf2d5f851aefc
MD5: 84f9132fcd271b87d2ae41f85d1b6e62
MD5: 0e490b9edbebb95317f19d00889732c2
MD5: b2c58dda97416396610034bc35fe990d
MD5: 0514b2da7333f64fe6cc9150251f31b0
MD5: 005bd9c2c850d40e54fd9ddde0e51cb3
MD5: 33779efe9fb6517bfe45d2fbc7dbab2f
MD5: fcd29f204792fea7e739dabe1e325cfc
MD5: 9e5da815a485a6d3b249a61ae92f69e3
MD5: 584f64a5feca1326eadd71e522e7cb5e
MD5: daf9cd83825b59fba202d154e99e76b8
MD5: c3b354cd5286c9aee01506d3ff59224c
MD5: 55a8b5da64fdb50fc9e5e38d56919f8e
MD5: d67200339bc1a26284dfe4ef0ab9e21a
MD5: 4e607ee369dd348dcecb48eb31b08826
MD5: d623b4f803018a4a8c14ff8758297f4e
MD5: f57b808ce538e26b63d3de86e0d57205
MD5: 7c5b82fea8105a599a4ef90d949305ff
MD5: 8ee2d9a501d70573f130e729531e0c96
MD5: d054cc54495183d3479be6930d02217a
MD5: d2c4ff89c0f6025cd29bfb320e8815bd
MD5: d7f61d7b19b8e7a3a29c5346faa84fd6
MD5: fde386f0018d598b726a00bdec63f7d2
MD5: 84faae1c3336fb44b116d4f47bef141f
MD5: 6a0e713168d0f3e891ae8f0420275916
MD5: ac8f01bc8ba4735ee10a3f391d765732
MD5: 1be595b3ad0bd9e9c1db048f3d2be914
MD5: 0608876d993c9c7f5f5b6d0d08da19dd
MD5: 91c8bcf34e87e81ac50446c006d1ab49
MD5: 8efcade7e2c27908e8c36baf56b338d8
MD5: 2e516201fd16b3bd395cf2d5f851aefc
MD5: a1d2bf7c7a8c03240a05c329b5060213
MD5: 5909b3fa1298e5c51d9653654a073407
MD5: 1db3a2d78805c9c4c708554ca66df5c4
MD5: 86ebf70db1f62e4e3c45de6e58dac36b
MD5: 71cec9ebe65367f609fb2f580654a6f4
MD5: a2c3bbcdb16d908373acfbe7fae89d67
MD5: 2d93ce4323104a87252d8bc4ee155b4e
MD5: 1edd7ff9db8b462a016b988f856fe372
MD5: 3fa187278268068a594f3bf9ca7622df
MD5: cda0adb653eaf4a9fe6486ceb05b1289
MD5: 56b6cb55daaad009ea54784d01047e5c
MD5: c9b26c3aecbb4ab82f3c9bbcd029bfe9
MD5: 0577591767b0feae9a0aa934ac3a8890
MD5: 8c214fdb2e50b008ff368970497a9d0c
MD5: 13939f2dad274588c805f696e6f64511
MD5: 3a30fc9cd6db5a7723dc3e4d51d5de61
MD5: 47b8c41d0214dcc660813bb0815ebbe4
MD5: fde386f0018d598b726a00bdec63f7d2
MD5: 1e7fb0db31385ab3437d4d4368bc004b
MD5: c00fab240065fbe82f6c4320a752939d
MD5: 73634ae63cecf7db8b31eb634c1d5136
MD5: 719c8f2fac4dcf46a5a5f5eaa3ebd298
MD5: 1d724471bd1aa7361a6ff6b3cf12489b
MD5: 31bd8a4829b80efb5744ea09cc2f3555
MD5: 9d901178fca81925348489cbc035e9e9
MD5: 8f293f6064fb7d4ce7f558befe410bd6
MD5: 064824030deed51518f7750d4036133a
MD5: 584f64a5feca1326eadd71e522e7cb5e
MD5: de2472d6c66bdd5a8134ee2e2e55f20d
MD5: 91372b10887a84eec342008fe71c8021
MD5: f36cf02a68e6d1a7cebeccd142fc14aa
MD5: e4a6c52928a8fb7148b8baaaf469f933
MD5: 8bcf8a15828dd3b8d57c55381d2adfa2
MD5: 32fbb9d4e4dd5cee58cec8a17b8d0694
MD5: 00fa0efa183d82a16e831c8b7a15eaee
MD5: 5f16d0806536248cc4bb045b8bd8c765
MD5: fe6298bca01a08e126abf9026fd2bd74
MD5: 5a91030427370a775a169eb222366234
MD5: 377da2d34a4eb7fb7c5114cd060a2e20
MD5: 8238939153760b831c56a16f77db0cfe
MD5: 3d2d8dcb61ffbc1a6bd3885bbb3d3f72
MD5: 6db6b3dc836e4b6ff2ea6dbc37180f28
MD5: 9f157817145cb0cffaf408f27a7ef856
MD5: 68e433a93ff80db0666f62d88021152d
MD5: 39c99b3ebb956c2522c240073573ee10
MD5: 0413641a36d16b40d3a39a4423d9f49f
MD5: 17c59e6d62182d46bfcf494359d85d0c
MD5: 701abb91e0997efef3f408c3f9e728c2
MD5: 5b489ea868bcf3d23397bb3a16555dfb
MD5: 30963dd5d58dba92f115ba4ba45115ee
MD5: 3ef194082a583560b58069b0da691c04
MD5: 0382c16beb186c4ea34d87fd6c396a6d
MD5: 2421dc2c2ea0cae30b4a31eca1fa29a6
MD5: 10247cb7cbc64033142a122ef3c15417
MD5: dd577d2e9749a4d6115ea5efae61af93
MD5: 744695826257863c7567c820c4c6e8c0
MD5: 5d53ecb98c5afbb0ffaf92e5e05c386e
MD5: bce67b4a22e1c0c2b292eb0144b22e50
MD5: a03350e37f07bc0494317333d18e3b17
MD5: 2d185c78238a389624eeec36612ddbd7
MD5: 0cc4bc12eacaf362d69688155cf617bc
MD5: ae422757ea60786826c8da21f9436d8d
MD5: dfa41ed72f7a8d4a373ccffbe6361e5d
MD5: f61e9136695ac2b251b08abae7fee488
MD5: ce758842a5eb06135f49b9bef62b1f5e
MD5: 2ae42a30e87a1cdc9fd66a34ce53d861
MD5: 0e490b9edbebb95317f19d00889732c2
MD5: 8f1e4c533f65458879818d6e82c3312f
MD5: c3b354cd5286c9aee01506d3ff59224c
MD5: d7f61d7b19b8e7a3a29c5346faa84fd6
MD5: 0514b2da7333f64fe6cc9150251f31b0
MD5: d054cc54495183d3479be6930d02217a
MD5: 9e5da815a485a6d3b249a61ae92f69e3
MD5: 9f9f27c50c4d2c8a67e034f4e4bc18af
MD5: daf9cd83825b59fba202d154e99e76b8
MD5: 33779efe9fb6517bfe45d2fbc7dbab2f
MD5: 8efcade7e2c27908e8c36baf56b338d8
MD5: 5bf6981fc79f42865ff6fde5bb3d7b5c
MD5: 2b59d6d208893f92f14554ae2a05a6b0
MD5: 8e2f4bf01cb0de455d1a2c97ee606842
MD5: d2c4ff89c0f6025cd29bfb320e8815bd
MD5: 005bd9c2c850d40e54fd9ddde0e51cb3
MD5: 8ee2d9a501d70573f130e729531e0c96
MD5: 4e607ee369dd348dcecb48eb31b08826
MD5: 7c5b82fea8105a599a4ef90d949305ff
MD5: ac8f01bc8ba4735ee10a3f391d765732
MD5: fa51bbe66ac10f2b639ff1b2c472daf3
MD5: fcd29f204792fea7e739dabe1e325cfc
MD5: b69f2c6bf1174e207a579986ccee39d9
MD5: 0f46910399be9f698a2f268e30e1c013
MD5: 77ff7a59f4880eb41d43d7853b9698d1
MD5: b6a14e3156f53121766013895dc8148f

This isn’t the first time that Scribd has been abused by cybrecriminals monetizing the hijacked traffic through multiple campaign optimization techniques. In 2009, I exposed several scareware (fake security software) serving campaigns that were once again hijacking legitimate traffic using Scribd:

Webroot Secure Anywhere users are proactively protected from these threat. Scribd and Comodo have been notified.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

Trackbacks

  1. […] Cybercriminals populate Scribd with bogus adult content, spread … […]

true