Friday, February 12, 2016

Jan-Feb 2016 domains associated with "Admedia" Wordpress compromises (WP plugins)

We've been seeing a fair number of compromised WordPress sites in which the JavaScript of assorted plugins has been injected with code that redirects visitors to malicious domains.

Sucuri discussed this in an excellent post: "Massive Admedia/Advertising iFrame Injection"

Since then, we've seen the URI construct of the redirection change from "/admedia/?" to "/megaadvertize/?keyword=" (the keyword value varies from request to request).

Currently the most popular redirect URLs appear to be:
http://vrot.stervapoimeniliana[.]info/megaadvertize/?keyword=<>
http://pon.krasnayadama[.]info/megaadvertize/?keyword=<>

All the redirect domains we've seen use the following nameservers:

  • gotl549293.mars.orderbox-dns[.]com
  • gotl549293.earth.orderbox-dns[.]com
  • gotl549293.venus.orderbox-dns[.]com
  • gotl549293.mercury.orderbox-dns[.]com

So, to get an idea of what other domains might be used in this campaign, we looked at two things:
* Which domains use these nameservers?
* Which domains carry the email address valera.valera-146@yandex.ru in their DNS SOA records? (The SOA RNAME field writes the "@" as a dot, so it appears as valera.valera-146.yandex.ru.)
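The two pivots above, implemented as an added Python example that is not part of the original post. It decodes the SOA RNAME into a mailbox (RFC 1035 encodes the "@" as the first unescaped dot, so an unescaped valera.valera-146.yandex.ru strictly reads as valera@valera-146.yandex.ru; the matcher therefore accepts both the strict and the lenient reading) and checks each domain's NS set against the gotl549293.*.orderbox-dns[.]com servers. The RECORDS table is constructed to look like passive-DNS output; only the nameserver names and the mailbox are indicators from the post, and ns1.other-dns.example / benign-blog.example are placeholders.

```python
"""Cluster candidate domains by shared DNS infrastructure (added example).

Two pivots over records you would pull from passive DNS or live NS/SOA lookups:
  1. does the domain delegate to the campaign's orderbox-dns nameservers?
  2. does the SOA RNAME encode the registrant mailbox seen in the campaign?
RECORDS below is constructed for illustration.
"""
import re

CAMPAIGN_NS = re.compile(
    r"^gotl549293\.(mars|earth|venus|mercury)\.orderbox-dns\.com\.?$", re.IGNORECASE
)
CAMPAIGN_MAILBOX = "valera.valera-146@yandex.ru"


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME into a mailbox per RFC 1035 s3.3.13.

    The '@' is represented by the first unescaped dot; dots that belong to
    the local part must be escaped with a backslash ("valera\\.valera-146").
    """
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character: take literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # first unescaped dot is the '@'
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)                        # malformed: no domain part


def rname_matches_mailbox(rname: str, mailbox: str) -> bool:
    """True if RNAME encodes `mailbox` under the strict or the lenient reading.

    Many hosting panels write the mailbox with '@' swapped for a dot and no
    escaping, so 'valera.valera-146.yandex.ru' strictly decodes to
    valera@valera-146.yandex.ru. Checking both readings keeps the pivot from
    missing records written either way.
    """
    strict = rname_to_email(rname).lower() == mailbox.lower()
    lenient = (rname.rstrip(".").replace("\\", "").lower()
               == mailbox.replace("@", ".").lower())
    return strict or lenient


def pivot(records: dict, mailbox: str = CAMPAIGN_MAILBOX) -> dict:
    """Return {domain: [reasons]} for every domain matching at least one pivot.

    `records` maps a domain to {"ns": [...], "soa_rname": "..."}.
    """
    hits = {}
    for domain, rec in sorted(records.items()):
        reasons = []
        ns_hits = [ns for ns in rec.get("ns", []) if CAMPAIGN_NS.match(ns)]
        if ns_hits:
            reasons.append("ns:" + ",".join(sorted(n.lower().rstrip(".") for n in ns_hits)))
        if rname_matches_mailbox(rec.get("soa_rname", ""), mailbox):
            reasons.append("soa:" + mailbox)
        if reasons:
            hits[domain] = reasons
    return hits


# Constructed sample records (not real lookups): two campaign domains from the
# post, one domain with an escaped RNAME, and an unrelated control domain.
RECORDS = {
    "krasnayadama.info": {
        "ns": ["gotl549293.mars.orderbox-dns.com.", "gotl549293.earth.orderbox-dns.com."],
        "soa_rname": "valera.valera-146.yandex.ru.",
    },
    "london88.pw": {
        "ns": ["gotl549293.venus.orderbox-dns.com."],
        "soa_rname": "hostmaster.london88.pw.",
    },
    "getallcooltraffic.com": {
        "ns": ["ns1.other-dns.example.", "ns2.other-dns.example."],
        "soa_rname": "valera\\.valera-146.yandex.ru.",
    },
    "benign-blog.example": {
        "ns": ["ns1.other-dns.example."],
        "soa_rname": "hostmaster.benign-blog.example.",
    },
}

if __name__ == "__main__":
    for domain, reasons in pivot(RECORDS).items():
        print(f"{domain:28s} {'; '.join(reasons)}")
```

A domain that matches on the nameservers alone (london88.pw above) is weaker evidence than one that matches on both, since orderbox-dns is a shared registrar platform; the reasons list is kept per domain so that distinction survives into whatever blocklist or report you build from it.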

Below is a list of the domains meeting either criterion:

barabawka.net
london88.pw
barada222.pw
suchka46.pw
easy-trading.biz
balw5ezvicz7hka.pw
goroda235.pw
trymyfinger.website
borodavka.website
zaleimneviskivgorlo.website
bababolka.website
daitepospatirodu.website
poprobyimoihyi.website
suchkakrawenaya.website
lovelyclub.biz
lovelygames.biz
tapochekmiwu.website
tapochekkati.website
suchtozahyinya.com
golayagopa.website
goluivovka.website
goluivalerka.website
golayapipetka.website
golayazadnica.website
batyaebetvseh.website
matyaebetvseh.website
rozovuiurka.website
rozovuimiwka.website
rozovuisawka.website
rozovuivasunya.website
mainlandpage.website
siniuurka.website
siniukolka.website
siniusawka.website
chernuioleg.website
chernuikolya.website
chernuipetya.website
chernuisanya.website
kolhoznik.website
malenkiyprince.website
beluidanya.website
beluilanya.website
beluisanya.website
beluitanya.website
beluivanya.website
seruidebil.website
seruisanya.website
seruitanya.website
seruidyatel.website
seruidolboeb.website
zelenuiranya.website
zelenuisanya.website
zelenuitanya.website
zelenuivanya.website
meetclub.biz
borodatayagenwina.website
borodatuiloh.website
borodatuiotec.website
borodatuimyguk.website
borodayasobaka.website
zo1lotayawlyapa.website
zol1otayawlyapa.website
zolo1tayawlyapa.website
zolot1ayawlyapa.website
zolota1yawlyapa.website
zolotay1awlyapa.website
zolotaya1wlyapa.website
zolotayaw1lyapa.website
zolotayawl1yapa.website
zolotayawly1apa.website
getallcooltraffic.com
trymysocks1.ws
trymysocks2.ws
trymysocks4.ws
trymysocks5.ws
forexmyways.com
gameforgods.com
ilovetradingz.com
nicefilmwatchs.com
realylovegames.com
surveyforyourss.com
watchlovedfilms.com
fastestmonkeymakes.com
moneyforfriends.net
pl1atiebeloe.ws
platie1beloe.ws
platieb1eloe.ws
1n-dobloebu.ws
1n-dobloebu1.ws
1n-dobloebu2.ws
1n-dobloebu3.ws
gamingguidess.com
landpagegames.com
localpagegengames.com
zzzsleepy.ws
zzzsleepy1.ws
zzzsleepy2.ws
zzzmaluw3.ws
zzzmaluw4.ws
ownfavoritesite.com
dearcustomersgogo.com
listenquicklypage.com
polnuewtaniwki.ws
p3olnuew3taniwki.ws
poln1uewt1aniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
trackersystemsz.biz
barkdenboms.com
crazydomainfoq.com
dydochka12345.ws
lydochka12345.ws
vodochka12345.ws
mordochka12345.ws
collectinfoitemsz.com
findyourwaytotr.net
samplefasttrack.org
getmylovelyyy.com
goingfortraff.com
trackingzystem.com
findtrafficcount.com
fabosik12345.ws
nifnafbet.biz
nifnafbet.com
nifnafbet.net
nifnafbet.org
baltimoreprivet.biz
baltimoreprivet.org
baltimoreprivet.com
baltimoreprivet.net
dedulkasanya.biz
malenkiuniger.biz
oduvanchiksawa.biz
dedulkasanya.com
oduvanchiksawa.com
dedulkasanya.net
oduvanchiksawa.net
dedulkasanya.org
oduvanchiksawa.org
malenkiuniger.info
malenkiuniger.com
malenkiuniger.net
malenkiuniger.org
chrenovuihren.biz
chrenovuihren.com
bolwayazalypencuya.com
chrenovuihren.net
bolwayazalypencuya.net
chrenovuihren.org
bolwayazalypencuya.org
babulkadayn.in.net
babulkasyka.in.net
forbetterget.in.net
babulkamaksim.in.net
bravayasuchka.in.net
nravayasuchka.in.net
pravayasuchka.in.net
wravayasuchka.in.net
poprobyipoprawaika.in.net
thatsbigidea.info
crazyfastestway.info
belayadama.info
serayadama.info
chernayadama.info
krasnayadama.info
stervapoimeniolya.info
stervapoimenialena.info
stervapoimenialina.info
stervapoimeniliana.info
Nearly all of the domain names are transliterated Russian word combinations.
Some of the domains registered to valera.valera-146@yandex.ru, such as barabolka[.]com, carry the registrant name Valeriy Babosuch (see http://www.whoismind.com/whois/barabolka.com.html).

The same registrant name appears on other domains, listed below, that were registered with the email address mindupper@gmail.com.

Domains registered to mindupper@gmail.com consist mostly of English-language word combinations.

Some of these domains, associated with Nuclear EK and with Pony/Fareit post-infection traffic, were hosted on 162.247.12.207. See more at:
http://malwaredb.malekal.com/url.php?netname=WFC
http://malwarefor.me/2015-04-26-nuclear-ek-dropping-ponyfareit/

162.247.12.207
https://www.virustotal.com/en/ip-address/162.247.12.207/information/
Country: CA; Autonomous System: 6939 (Hurricane Electric, Inc.)

Phishing domains (for example blondescript[.]net, https://whois.domaintools.com/blondescript.net) were seen hosted on 91.200.85.137.

Passive DNS results for these two IP addresses reveal the domains below. VirusTotal URL scan results (detections/engines, scan date, URL) show:

3/66 2016-01-10 15:49:37 http://givemeaudi . com/
4/66 2015-12-13 15:31:51 http://sampletds . net/
4/66 2015-11-25 09:25:32 http://yellowfrance . info/
2/67 2015-11-22 04:21:10 http://sampletds . org/
1/66 2015-11-20 10:51:43 http://yellowfrance . com/
3/63 2015-07-19 14:33:43 http://sampletds . info/
6/63 2015-06-08 01:03:04 http://www . yellowfrance . info/
4/63 2015-05-19 09:43:33 http://yellowfrance . com/wRJrUHURtdt20 . html
3/63 2015-04-30 15:37:56 http://yellowfrance . com/HelVGnsIlBR20 . html
3/62 2015-04-21 14:30:13 http://yellowfrance . com/falJTWHvsFU20 . html
6/62 2015-04-21 13:35:51 http://yellowfrance . info/qYCrsJuHWhE20 . html
3/62 2015-04-17 10:49:08 http://yellowfrance . com/sHrWgPcxdvy20 . html
6/62 2015-04-16 02:21:39 http://yellowfrance . info/woMbVHaDOfk20 . html
6/62 2015-04-15 19:46:12 http://yellowfrance . info/HXndqXghAHy20 . html
6/62 2015-04-15 19:45:57 http://yellowfrance . info/ppmerkzbRUk20 . html
2/62 2015-04-15 18:57:31 http://givemeaudi . com/ZlqkpeqDQoy20 . html
6/62 2015-04-15 18:33:34 http://yellowfrance . info/JYndncMIRlu20 . html
6/62 2015-04-15 14:31:15 http://yellowfrance . info/vTGmbyYZBGB20 . html
6/62 2015-04-13 14:23:58 http://yellowfrance . info/YRgyxhPwalE20 . html
1/62 2015-04-09 19:58:58 http://givemeaudi . com/jWRihuJevxB20 . html
6/62 2015-04-09 15:12:33 http://yellowfrance . info/LqLEqeicSXT20 . html
6/62 2015-04-09 15:12:15 http://yellowfrance . info/RhFaRmFvnhE20 . html
3/62 2015-04-09 02:35:13 http://yellowfrance . info/qXgxBLvENoH20 . html
4/62 2015-04-08 11:49:18 http://yellowfrance . info/LEZrGknOuaD20 . html
3/62 2015-04-07 18:33:32 http://yellowfrance . info/BaKYxblgbHt20 . html
3/62 2015-04-07 10:44:09 http://yellowfrance . info/gUoyLbRBcJw20 . html
3/62 2015-04-06 18:55:57 http://yellowfrance . info/AomQXriDFBd20 . html
3/62 2015-04-06 05:21:23 http://yellowfrance . info/rIoeSAnGUuf20 . html
3/62 2015-04-03 20:32:58 http://yellowfrance . info/wpwssjkpevc20 . html
3/62 2015-04-02 14:30:25 http://yellowfrance . info/cLFHmTVqCEW20 . html
3/62 2015-04-02 13:11:26 http://yellowfrance . info/KyLpyRWHMUb20 . html
2/62 2015-04-01 12:08:35 http://yellowfrance . info/GNuCrxcJYcP20 . html
2/62 2015-04-01 10:06:37 http://yellowfrance . info/lvNbgtiyxOu20 . html
1/62 2015-04-01 01:53:08 http://yellowfrance . info/inDOFfbujAt20 . html
1/62 2015-04-01 00:23:39 http://yellowfrance . info/vvBdLhNoChB20 . html
1/62 2015-03-31 23:59:50 http://yellowfrance . info/pAJQxOsQxXP20 . html
1/62 2015-03-17 02:16:12 http://sampletds . org/cevch18 . html
1/62 2015-03-16 19:42:09 http://sampletds . org/ANcXoDpCldL20 . html
1/62 2015-03-12 17:48:28 http://sampletds . info/in . cgi?
1/62 2015-03-12 15:47:25 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:48:35 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:43:03 http://sampletds . net/SfzYoUZLuDw20 . html
2/52 2014-05-23 14:11:51 http://theviagrapills . com/?1


Registrant Name: Valeriy Babosuch
Registrant Organization: 
Registrant Street: Truhanovskaya 45
Registrant City: Moscow
Registrant State/Province: N/A
Registrant Postal Code: 121497
Registrant Country: RU
Registrant Phone: +7.9453466645
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: mindupper@gmail.com


Compromises of CMS installations, including WordPress, Joomla!, and Drupal, remain a significant threat. Detecting the malicious redirect by its URI construct is useful, but the attacker often changes it quickly, as happened here when "/admedia/?" became "/megaadvertize/?keyword=". To improve awareness and detection, we wanted to provide this list of domains that may be related to this active WordPress compromise.
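Detection logic for the two signals discussed in this post, as an added Python example that is not from the original post. It flags proxy-log URLs whose path is /admedia/ or /megaadvertize/ regardless of the keyword value, flags hosts under any domain in the list above, and collects the Referer of each URI hit, since the referring page is the one that issued the redirect and is therefore a candidate compromised WordPress site. The log format (timestamp, client, method, URL, status, Referer) and the log lines are constructed for the example; KNOWN_DOMAINS holds a few of the domains from the list and would be loaded in full in practice, and every *.example host is a placeholder.

```python
"""Flag campaign redirects in web-proxy logs (added example).

Two independent signals: the redirect URI construct (/admedia/? and later
/megaadvertize/?keyword=...) and the redirect domain list. The URI check
catches domains rotated in after the list was compiled; the domain check
catches the same hosts once the path changes again. The Referer of a URI
hit is the page that performed the redirect.
"""
import re
from typing import List, NamedTuple, Set
from urllib.parse import urlsplit

# Path constructs reported in the post. The keyword value changes per request,
# so match on the path only, never on the query string.
REDIRECT_PATH = re.compile(r"^/(admedia|megaadvertize)/?$")

# Subset of the redirect domains from the post; load the full list in practice.
KNOWN_DOMAINS = {
    "stervapoimeniliana.info",
    "krasnayadama.info",
    "london88.pw",
    "getallcooltraffic.com",
}


class Hit(NamedTuple):
    client: str
    url: str
    referer: str
    reasons: List[str]


def matches_known_domain(host: str, known: Set[str] = KNOWN_DOMAINS) -> str:
    """Return the matching listed domain ('' if none); subdomains count, lookalikes do not."""
    host = host.lower().rstrip(".")
    for d in known:
        if host == d or host.endswith("." + d):
            return d
    return ""


def classify_url(url: str, known: Set[str] = KNOWN_DOMAINS) -> List[str]:
    """Reasons a URL is suspicious: 'uri:<construct>' and/or 'domain:<listed domain>'."""
    parts = urlsplit(url)
    reasons = []
    m = REDIRECT_PATH.match(parts.path)
    if m:
        reasons.append("uri:" + m.group(1))
    d = matches_known_domain(parts.hostname or "", known)
    if d:
        reasons.append("domain:" + d)
    return reasons


def scan_proxy_log(lines: List[str], known: Set[str] = KNOWN_DOMAINS) -> List[Hit]:
    """Parse constructed 'ts client method url status referer' lines and keep the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line: skip rather than crash
        _ts, client, _method, url, _status, referer = fields[:6]
        reasons = classify_url(url, known)
        if reasons:
            hits.append(Hit(client, url, referer, reasons))
    return hits


def compromised_referers(lines: List[str], known: Set[str] = KNOWN_DOMAINS) -> Set[str]:
    """Hosts that referred a client into the redirect URI construct (candidate compromised sites)."""
    out = set()
    for hit in scan_proxy_log(lines, known):
        if any(r.startswith("uri:") for r in hit.reasons) and hit.referer != "-":
            host = urlsplit(hit.referer).hostname
            if host:
                out.add(host)
    return out


# Constructed log lines (not real traffic): ts client method url status referer.
SAMPLE_LOG = [
    "2016-02-10T14:02:11Z 10.1.2.3 GET http://vrot.stervapoimeniliana.info/megaadvertize/?keyword=sample 302 http://blog.example.net/2016/02/post/",
    "2016-02-10T14:03:40Z 10.1.2.9 GET http://pon.krasnayadama.info/admedia/? 302 http://shop.example.org/",
    "2016-02-10T14:03:41Z 10.1.2.9 GET http://cdn.example.com/assets/app.js 200 http://shop.example.org/",
    "2016-02-10T14:05:02Z 10.1.2.7 GET http://london88.pw/landing 200 -",
    "2016-02-10T14:06:15Z 10.1.2.4 GET http://newhost.example/megaadvertize/?keyword=x 302 http://wiki.example.edu/",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h.client, h.url, h.reasons)
    print("candidate compromised sites:", sorted(compromised_referers(SAMPLE_LOG)))
```

The last sample line shows why both checks are worth running: newhost.example is not on the list, but the /megaadvertize/ path still flags it, and its Referer still points at the site that needs cleaning.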