SEP, Porn, and Malware - Lurking in the Boondocks

May 13, 2013 - By Chris Larsen

Out in the Boondocks of DynDNS

I find myself spending a lot of time in the jungles of Dynamic DNS (DynDNS) hosted sites these days -- there is a lot of shady stuff going on in there. (And very little useful content, comparatively speaking, so it's probably a good idea to consider just blocking off this whole area, from a security standpoint...)

Friday, I was looking at a DynDNS host in China (xicp.net, which is part of a family of shady DynDNS hosts). One particular subdomain ranked fairly high in the traffic, and had an obviously junk/fake name (gdynjss.xicp.net).

Noticing that some of the pages on this site had been rated as Porn in real time by our DRTR (Dynamic Real-Time Rating) system, I decided to look at the metadata from the analysis. Interestingly, mixed in with a bunch of typical porn words and phrases on the page, there were a lot of links to boondocksbootleg.com, a site we had rated as Entertainment.

"Uh-oh," I thought, "we might have an error in the database."

So I followed one of the links:

[Screenshot: bogus user profile on boondocksbootleg.com]

When I saw the familiar Boondocks characters and the "explicit adult material" warning, my first thought was, "Boondocks has gone hentai!" But then I saw the "Enter" and "Leave" buttons, which looked familiar, and recognized the hallmarks of a fake-porn operation:

  • This "user profile" on the boondocksbootleg.com site has a junk name. It's obviously not a real person, but a fictitious account created by the Bad Guys. (A favorite tactic for Search Engine Poisoning, as it lets them borrow the page rank of the host site for their link-farm pages.) There are a lot of these profiles on the site.
  • The aforementioned Enter/Leave buttons (both of which go to the exact same URL; the Bad Guys aren't really interested in letting you leave).
  • The porn "bait" content (aside from the content shown here, there is a bunch of bait-text if you scroll down the page).

The URL behind the Leave button uses Google.com as a redirect relay to the URL shortener site (shrink-your-link.org) that serves as the head of the chain.

And it's a long chain. From here, it runs through not one, not two, but three relay/tracker sites. The actual hop count is even higher, since some of these sites do multiple internal redirects as well, for some reason.

The final destination is a site hosted as a throwaway/junk subdomain on yet another DynDNS host. (I found examples using from-ri.com and is-into-anime.com, but there are probably many more.)

By the time I reached the DynDNS destination, the URL had morphed into a Lolita-themed search, and the site itself was pretending to be a popular porn video site. [No screenshot, obviously. Even with the pictures turned off, the text is NSFW.]

The video links, however, are dummies. When clicked, they dump you onto a page dressed up to look like YouTube, with a message telling you that you need to download the latest version of Flash to watch the movie.

So I downloaded the "update" (adobeflashplayerv10.2.152.32.exe) and ran it through VirusTotal (it hadn't been submitted before), where it got 9 hits out of 46 AV engines -- moderately good recognition for a fresh malware sample, actually.


WebPulse on the Job

So how did we do, overall? Let's see...

  • Start point (xicp.net) is rated Suspicious as well as DynDNS. Check.
  • Relay site #1 has been rated as Malware since 2011. (Caught by Malnet Tracker, originally, and later verified by an analyst.) Check.
  • Relay site #2 has also been rated as Malware since 2011. (Another Malnet Tracker catch.) Check.
  • Ditto for relay site #3. Check.
  • End points (from-ri.com and is-into-anime.com) are rated as DynDNS. Check (at least if you're following my advice at the beginning of the post and blocking the DynDNS category).
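The checklist above is really a policy evaluation over each hop of the redirect chain: unwrap the Google relay, follow the shortener and the relay/tracker sites, and stop at the first hop whose category is on the block list. Here is that walk in code, as an added example (not WebPulse or Blue Coat code). The redirect map and the category table are constructed from the hostnames named in this post; the three relay hostnames, the shortener path, the shortener's Suspicious rating, and the junk subdomain on the endpoint are assumptions.

```python
"""Walk a redirect chain hop by hop and find where a category-based
policy would have stopped it. Added example, not WebPulse code. The
redirect map and category table are constructed; relay hostnames,
the shortener path and rating, and the endpoint subdomain are
assumptions."""
from urllib.parse import urlsplit, parse_qs

# Dynamic-DNS base domains named in the post. A host equal to one of
# these, or ending in "." + one of these, is treated as DynDNS.
DYNDNS_SUFFIXES = ("xicp.net", "from-ri.com", "is-into-anime.com")

# Stand-in for a URL-category database. Ratings follow the post where
# it gives them; relay hosts and the shortener's rating are hypothetical.
CATEGORIES = {
    "xicp.net": {"Suspicious"},
    "boondocksbootleg.com": {"Entertainment"},
    "shrink-your-link.org": {"Suspicious"},
    "relay1.example": {"Malware"},
    "relay2.example": {"Malware"},
    "relay3.example": {"Malware"},
}

# Constructed redirect map: URL -> value of the Location header it
# answers with. relay2 does an internal hop before handing off.
LEAVE_BUTTON = ("https://www.google.com/url?"
                "q=http%3A%2F%2Fshrink-your-link.org%2Fa1b2c3")
HOPS = {
    "http://shrink-your-link.org/a1b2c3": "http://relay1.example/go?id=7",
    "http://relay1.example/go?id=7": "http://relay2.example/in?ref=7",
    "http://relay2.example/in?ref=7": "http://relay2.example/out?ref=7",
    "http://relay2.example/out?ref=7": "http://relay3.example/track",
    "http://relay3.example/track": "http://qzkjd.is-into-anime.com/?s=videos",
}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_dyndns(host):
    """Suffix match against DynDNS providers (label boundary, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def unwrap_google_relay(url):
    """Target of a google.com/url?q=... redirect, or None if url is not one.
    Google's redirector also accepts the parameter name 'url'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path != "/url" or not (host == "google.com" or host.endswith(".google.com")):
        return None
    qs = parse_qs(parts.query)  # percent-decodes the embedded URL
    for key in ("q", "url"):
        if qs.get(key):
            return qs[key][0]
    return None


def categories_for(url):
    """Categories for the URL's host: database hits for the host and each
    parent domain (TLD excluded), plus a synthetic DynDNS tag."""
    host = host_of(url)
    labels = host.split(".")
    cats = set()
    for i in range(len(labels) - 1):
        cats |= CATEGORIES.get(".".join(labels[i:]), set())
    if is_dyndns(host):
        cats.add("DynDNS")
    return cats


def walk_chain(start, hops=HOPS, max_hops=20):
    """Follow redirects from start. Google relays are unwrapped from the
    URL itself; every other hop comes from the redirect map. Stops at a
    URL with no further redirect, on a loop, or at max_hops."""
    chain, seen = [start], {start}
    while len(chain) < max_hops:
        nxt = unwrap_google_relay(chain[-1]) or hops.get(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def first_blocked_hop(chain, blocked=("Malware", "DynDNS")):
    """(index, url) of the first hop a policy blocking these categories
    refuses, or None if the whole chain would be allowed."""
    for i, url in enumerate(chain):
        if categories_for(url) & set(blocked):
            return i, url
    return None


if __name__ == "__main__":
    chain = walk_chain(LEAVE_BUTTON)
    for i, url in enumerate(chain):
        print(i, sorted(categories_for(url)) or ["-"], url)
    print("Malware+DynDNS policy stops at:", first_blocked_hop(chain))
    print("DynDNS-only policy stops at:", first_blocked_hop(chain, ("DynDNS",)))
```

With the constructed data, a policy that blocks Malware and DynDNS never gets past relay #1, while a policy that only blocks DynDNS still stops at the endpoint, which is the "at least if you're following my advice" case in the checklist. The suffix check matters: matching "xicp.net" as a substring would also catch an unrelated "notxicp.net", so the match is done on a label boundary.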


So not a lot of risk to our users from this attack, but it illustrates some good points:

  • This attack is driven by Search Engine Poisoning. We've called out the use of DynDNS URLs in SEP attacks before.
  • The combination of apparent free porn as bait, and a supposed upgrade of Flash as the hook, is a classic attack. (Even the Lolita theme of the final destination's search matches what we saw in the earlier research.)
  • The use of DynDNS sites and fake forum profiles on legitimate sites lets this malnet rapidly and constantly change both the bait and the location of the actual attack files. These are perfect examples of a "leaf and twig" infrastructure that would be very time-consuming to block (and hard to be sure you'd covered everything). The relay sites, however, are the "branch and trunk" infrastructure that WebPulse tries to target, which is a much more efficient approach: block the relay and every leaf behind it is cut off.


Still, this group of Bad Guys seems to have found a formula that works, and they're sticking to it. They wouldn't keep doing it otherwise.


--C.L.

@bc_malware_guy