Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Evil Sports Sites SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Evil Sports Sites

One of our regular readers submitted a Google query to us that points to yet another temptation that the criminals are taking advantage of - the March Madness basketball tournaments here in the USA.  I'm sure that other sporting events are just as popular with the scammers and crooks.  If you want to check out the fun, put this into your browser:

http://www.google.com/search?q=big+ten+tournament+2010+wiki

We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let us know what you uncover.  Use the comment feature below or send us a note via our contact form.

Thanks Melvin for the info!

Marcus H. Sachs
Director, SANS Internet Storm Center

 Marcus

301 Posts
ISC Handler
Mar 13th 2010
Thread locked Subscribe Mar 13th 2010
1 decade ago
I analyzed the URI's using fiddler

These are the sequence of http requests
1> Compromised website
GET http://babel7.net/yfk.php?go=big%20ten%20tournament%202010%20student%20tickets
302 Moved Temporarily to http://utxi04.xorg.pl/in.php?t=cc&d=12-03-2010_120318&h=babel7.net&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbig%2Bten%2Btournament%2B2010%2Bwiki

2> leads to a Polish domain
GET http://utxi04.xorg.pl/in.php?t=cc&d=12-03-2010_120318&h=babel7.net&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbig%2Bten%2Btournament%2B2010%2Bwiki
302 Found to http://www1.zcureone16.in/?uid=195&pid=3&ttl=0124c668a22

3)and finally FakeAV favourite .in domain which also downloads a obfuscated javascript

GET http://www1.zcureone16.in/?uid=195&pid=3&ttl=0124c668a22
302 Moved Temporarily to http://www1.norm-care-forurpcnow.in/?p=p52dcWltbV%2FCj8bYbnOCdVik12qaVp%2FZatrau4FdlJ%2FJnsWYe3lxWqyopHaRXpaalGZjbJNqllPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9wm1uTaWSUX5iWkWNwWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bMoqJ0lJ%2FMjNeeoF%2Bto62mpprOktLaXGJdZWJj25bNmVbaoKCVlWdvaGaVmpRtWKisZnVlam%2BZY5SWamFhWpWboXSk


4) Encoded response from the .in domain

<meta http-equiv="Refresh" content="1; URL='?cmd=executeRedirect&p=rVaunZxWcmqaYpCIoZmRVmxrkE%2FDkpLYT52GpoZ4VGKHytNbbFZxa2ZlcW2PX5mYX2JmVl5a1pLIUmqIldfY02uTYZKU2NqwYJuoo5%2BgnWfEnNHCYKOSlaSbzGzTbZLPlI7YyJ9ipqXa09Gan5mnqGNmaGqRWNvPnJlPYFSk10%2BcaFyInNaGnVOuqI61g49blJ2dVnJWmpiqcpyIXVKgqJOs2aCEapbHmdbJj1OspKKHm4WhpqipbpRjlGjOktbPn2JfYp%2Bn05yQk5%2FTiZLN0V%2Bnmqak1aCbk5ekVmRWm5yDZ4atc1JZVqNanpPDnKPLWYXYzKWjl1ifx8SlpZllVp6dpJ6DZ8rHnaOSYFSuzZLZUmrMjs%2FXyF1ZpqrRg51bYmVraJtqbnHCX5aIXVKhp1RylV%2BYaGaWXZyVl11ZpqmXg51qZGpxamhkcWqVqg%3D%3D'"><script type="text/javascript"> window.location = 'http://www1.norm-care-forurpcnow.in/?p=p52dcWltbV%2FCj8bYbnOCdVik12qaVp%2FZatrau4FdlJ%2FJnsWYe3lxWqyopHaRXpaalGZjbJNqllPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9wm1uTaWSUX5iWkWNwWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bMoqJ0lJ%2FMjNeeoF%2Bto62mpprOktLaXGJdZWJj25bNmVbaoKCVlWdvaGaVmpRtWKisZnVlam%2BZY5SWamFhWpWboXSk';</script>
0


 Anonymous
Quote Mar 14th 2010
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!