Evil Sports Sites

Published: 2010-03-13
Last Updated: 2010-03-14 16:11:03 UTC
by Marcus Sachs (Version: 2)
1 comment(s)

One of our regular readers submitted a Google query to us that points to yet another temptation that the criminals are taking advantage of - the March Madness basketball tournaments here in the USA.  I'm sure that other sporting events are just as popular with the scammers and crooks.  If you want to check out the fun, put this into your browser:


We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let us know what you uncover.  Use the comment feature below or send us a note via our contact form.

Thanks Melvin for the info!


One of our readers took the challenge and tried clicking through the Google warnings to see what happened.  According to Richard (and Melvin pointed this out to us in his original note) clicking on a link that Google marks as hazardous will not lead you to the exploited site.  Instead, you have to copy/paste the evil URL but when you do that you remove the referring site (Google) from the URL and the exploit won't work.  In this case, some of the site redirect to www.cnn.com.  Others give you a 404 error.  Some browsers will also alert you to the impending doom if you have certain helper plug-ins installed.  However, some of the infected sites have not been flagged by Google.  Richard followed a few of these and sent us these notes:

Many of these redirect to a .in server to dish up a rogue AV exploit:


The trojan executable starts to cache while the usual popup messages begin to appear along with the fake scan.


But these are not remote code execution exploits, for at some point the download prompt box appears, requiring a click.


You cannot X out of the page with the mouse, but ALT + F4 works, and of course, closing the Process in Task Manager.

These same exploits are also served up if you search for "Holly Graf."

I downloaded one of the binaries earlier today from a "Holly Graf" site; it had already been analyzed at Virus Total:


Thanks Richard for sacrificing your computer and providing the additional analysis.  :)

Marcus H. Sachs
Director, SANS Internet Storm Center

1 comment(s)


I analyzed the URI's using fiddler

These are the sequence of http requests
1> Compromised website
GET http://babel7.net/yfk.php?go=big%20ten%20tournament%202010%20student%20tickets
302 Moved Temporarily to http://utxi04.xorg.pl/in.php?t=cc&d=12-03-2010_120318&h=babel7.net&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbig%2Bten%2Btournament%2B2010%2Bwiki

2> leads to a Polish domain
GET http://utxi04.xorg.pl/in.php?t=cc&d=12-03-2010_120318&h=babel7.net&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbig%2Bten%2Btournament%2B2010%2Bwiki
302 Found to http://www1.zcureone16.in/?uid=195&pid=3&ttl=0124c668a22

3)and finally FakeAV favourite .in domain which also downloads a obfuscated javascript

GET http://www1.zcureone16.in/?uid=195&pid=3&ttl=0124c668a22
302 Moved Temporarily to http://www1.norm-care-forurpcnow.in/?p=p52dcWltbV%2FCj8bYbnOCdVik12qaVp%2FZatrau4FdlJ%2FJnsWYe3lxWqyopHaRXpaalGZjbJNqllPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9wm1uTaWSUX5iWkWNwWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bMoqJ0lJ%2FMjNeeoF%2Bto62mpprOktLaXGJdZWJj25bNmVbaoKCVlWdvaGaVmpRtWKisZnVlam%2BZY5SWamFhWpWboXSk

4) Encoded response from the .in domain

<meta http-equiv="Refresh" content="1; URL='?cmd=executeRedirect&p=rVaunZxWcmqaYpCIoZmRVmxrkE%2FDkpLYT52GpoZ4VGKHytNbbFZxa2ZlcW2PX5mYX2JmVl5a1pLIUmqIldfY02uTYZKU2NqwYJuoo5%2BgnWfEnNHCYKOSlaSbzGzTbZLPlI7YyJ9ipqXa09Gan5mnqGNmaGqRWNvPnJlPYFSk10%2BcaFyInNaGnVOuqI61g49blJ2dVnJWmpiqcpyIXVKgqJOs2aCEapbHmdbJj1OspKKHm4WhpqipbpRjlGjOktbPn2JfYp%2Bn05yQk5%2FTiZLN0V%2Bnmqak1aCbk5ekVmRWm5yDZ4atc1JZVqNanpPDnKPLWYXYzKWjl1ifx8SlpZllVp6dpJ6DZ8rHnaOSYFSuzZLZUmrMjs%2FXyF1ZpqrRg51bYmVraJtqbnHCX5aIXVKhp1RylV%2BYaGaWXZyVl11ZpqmXg51qZGpxamhkcWqVqg%3D%3D'"><script type="text/javascript"> window.location = 'http://www1.norm-care-forurpcnow.in/?p=p52dcWltbV%2FCj8bYbnOCdVik12qaVp%2FZatrau4FdlJ%2FJnsWYe3lxWqyopHaRXpaalGZjbJNqllPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9wm1uTaWSUX5iWkWNwWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bMoqJ0lJ%2FMjNeeoF%2Bto62mpprOktLaXGJdZWJj25bNmVbaoKCVlWdvaGaVmpRtWKisZnVlam%2BZY5SWamFhWpWboXSk';</script>

Diary Archives