How are cybercriminals most commonly abusing legitimate Web traffic?

On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic.

In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case a fellow cybercriminal has already managed to compromise the same site.

Are turf wars back in (the cybercrime) business? Let’s find out.

More details:

The newly introduced feature appears to have been recommended to the developer of the tool by one of its users. What we’ve got here is a great example of how cybercriminals apply QA by taking into consideration the concept of customerization.

Sample screenshots of the DIY doorway generator in action:

DIY_Doorway_Generator_Web_Shells_Quality_Assurance

DIY_Doorway_Generator_Web_Shells_Quality_Assurance_01 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_02 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_03 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_04 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_05

As you can seen in the screenshot above, the developer has added support for 21 of the most popular Web backdoors (shells).

DIY_Doorway_Generator_Web_Shells_Quality_Assurance_06 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_07 DIY_Doorway_Generator_Web_Shells_Quality_Assurance_08

As you can seen in the screenshot above, the tool appears to have detected a competing shell and is presenting the output to the user to investigate and eventually clean the site of the competitors backdoor.

Does the newly introduced feature signal an upcoming turf war on the blackhat SEO front, the way we’ve seen it with Bagle, Netsky and MyDoomSpyEye’s ‘Kill ZeuS’ feature, or Storm Worm vs Srizbi? Not necessarily, at least not in this particular case since for a turf war to take place, we need to have an exchange of virtual ‘shots’ between all the market leading — or least one to act as a provoker — blackhat SEO platforms. And this is something we aren’t seeing, at least for the time being.

As always, we’ll keep an eye on any future updates introduced by the developer of this DIY doorway generator.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This