Are these the same attacks which we have been monitoring?
Take an example of one of the Monitor domain (B4 in the diagram below) for illustration below. The action string which we are investigating is:
http://zold?????.com/search.php?gzapr=<keyword generating the page>&mzapr=<google referrer used>
Previously, the domain redirected to a page like this:
(Note that the space in the page was serving Google adword which is how the revenue was generated, which has now been disabled.)
(In case you are wondering about the reference to Rooney, it was the main keyword used to generate the keyword stuffed page source page of B2 in this particular example.)
Now when visiting the same domain, we got this:
The HTML file is detected as JS/Dload-X in this particular instance of attack.
(Note that the script mentioned by Sunbelt’s researchers is a particular example of script on step B2. Such scripts include variants which are heavily obfuscated)
In conclusion, this attack is similar to the previous one. The only element that has changed is the code on the redirecting site. Instead of redirecting to innocent pages with Google adware or porn affiliate site, it takes you to a site which pushes malware (the malware is Zlob related, and detected by Sophos as Troj/Zlobar-Fam).
At the end of our last blog, we mentioned:
“Currently none of these blog-spammers seems to be hosting malicious files on their website. However, within SophosLabs we classify the relevant URLs so that they are blocked at our web appliance.”
The good news is that Sophos customers are proactively protected both at the gateway by the web appliance product by URLs being blocked, and also at the Endpoint due to data in our anti-virus product.
Looking at how successful this attack is by checking the popularity of this redirection domain (courtesy of whois.domaintools.com):