At this point, I had discovered a Web site that was acting as a traffic middleman, accepting traffic from hacked sites hosted by a company called iPower Web and redirecting it to sites that tried to download computer viruses.
I kept an eye on the network, rooting out lists of thousands of hacked sites hosted by iPower. For nearly a year, the attacks kept up, and iPower refused or was unable to stop them. i saw thousands and thousands of Web sites hosted on iPower being hacked, some of them over and over again; one site in particular was hacked five times in a three month period.
I received emails from my journal, many from iPower customers who reported being stonewalled by iPower Web when they called to report that their sites were being hacked. I even listened in when one person phoned iPower to complain, and was told that the attack must be her fault, she must have chosen a poor password for her Web site, even though the password was sixteen characters long and contained uppercase and lowercase letters and numbers. iPower steadfastly denied having a server security issue, even in the face of an overwhelming attack.
As the months went on, I also kept notes on the size and shape of the various raffic redirectors, and mapped out the network of hacked sites, virus droppers, and raffic handling systems.
In March of 2008, the nature of the hacks has changed. Between December and March, the hacks were all the same; the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory on the site named /bad, and then create a directory with a one or two digit number as a name. The redirector pages would go in the numered directory. This made spotting hacked iPower Web sites trivially easy.
After March, the hackers began changing the naming scheme of the directory. This led me on a path to discovering an entire network of compomised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.
And they're distributing Macintosh malware, too.
At first, finding the hacked sites on iPower was a breeze, because the directory structure was always the same and the hackers used the same keywords to try to poison Google searches. Now, however, the hackers have changed the naming structure of the directories, and they are no longer using the same keywords to try to snare Google searches. They're not using my name often any more, for example.
They are using a number of sex and porn-related keywords, though, some of which are very unusual. The Google cache of hacked iPower Web sites provided an easy way to compile lists of words and phrases that are common to all the hacked sites, and searching on Google for these words and phrases yields a treasure trove of Web sites that have been hacked.
Interestingly, these words and phrases also show up in many, many forum posts, almost all of them on forums running phpBB or phpNuke software, and invariably old, insecure versions of this software.
It also produced lists of domains with strange names, such as http://6.bgmww-news.info and http://3.vxwzj-news.info.
So I saw a pattern: certain words and phrases, appearing over and over again in hacked Web sites hosted by iPowerWeb, and also appearing in messages placed on hacked phpBB and phpNuke forums, and also appearing in domains with strange names.
In each case, visiting one of the hacked iPower Web sites, reading one of the messages in a hacked forum, or visiting one of the strange domains does the same thing. And, interestingly, it reveals an elaborate network of computers all intended to transmit viruses while obscuring the source of the viruses.
The central lynchpin of the entire network as it first started out is a site called traffloader.info. Traffloader.info is a Web site hosted in the country of Moldovia), which also hosts the sites with strange domains. If you visit traffloader.info in your browser, you'll see nothing but a blank page; it sends back no HTML code at all. There appears to be nothing there.
But all the hacked iPower Web sites, all the messages placed on hacked forums, and all the strange domains all redirect to traffloader.info. Specifically, they redirect to a script on traffloader.info called "go.php". Here's how it works.
A person does a Google search for certain comon, popular keywords. It might be my name, or "free sex movies," or "build ultralight helicopters"--they create hundreds of thousands of lists of popular keywords, which they place on hacked Web sites, into hacked message board posts, or onto domains they either create or hack.
The person sees one of the attack pages in Google and clicks on the Google result. The page or message board post redirects the user to http://traffloader.info/go.php, and usually includes information about where the user came from, presumably so the hackers can tell which particular hacked sites are most effective. The information passed to the script varies, but often includes the name of the hacked site the user came from, and the Google keywords used.
Traffloader.info then redirects the user to any one of a bunch of other sites. These other sites might look like porn sites, and try to download a virus disguised as movie player software. They might look like virus scanner sites,and try to download a virus disguised as antivirus software. Sometimes, the sites have embedded iFrames or redirectors that will try to download additional files to the user's computer.
As of March 2008, traffloader.info was the central point of this network; however, today, there are many redirectors that work in the same way. This provides robustness; before, the whole network could have been knocked out just by taking down traffloader.info (not that that will ever happen, since the country it is hosted in is friendly to organized crime). Today, with amy redirectors, there is no one system that can be taken down to cripple the whole network.
The network changes very fast. New virus dropping sites go up every day as old ones are discovered and blocked by anti-virus companies or taken offline. The network overall looked like this one day when I mapped it out, though it has since changed; the URLs are different, though the overall structure is the same (click for larger image):
A user clicks on a Google search that leads to a hacked iPower site, a hacked forum post, or a custom domain created to snare unwary Net users. The user is redirected to traffloader.info or a similar redirector site, which records information about where the user came from and what keywords he used. The script at traffloader.info then sends the user to a site such as adult-youtube-8.com/freemovie/234/0 or xpantivirus.com/2008/3/_freescan.php which attempts to download a virus.
The site that the user ends up on seems to be chosen more or less at random (at least if there's a system behind it, I haven't been able to figure out what that system is yet). Some of the sites are more sophisticated than others; some of the sites redirect the user to other sites. For example, traffloader.info will sometimes send the user to a script hosted at chillyclips.com/movie1.php which will in turn send the user to movstube.com/movie1.php.
Now, movstube.com is a particularly interesting payload site. Unlike all the other sites, it attempts to attack both Mac and Windows machines; all the other sites host Windows-specific attacks.
The script at movstube.com checks the browser's "user agent". For folks who don't know a lot about how browsers work, each time your Web browser accesses a Web site, it tells the site what it is and what kind of computer you have. When you go to a Web site, your browser might say "Hi there! I'm Internet Explorer 7 running on Windows XP" or "Hello! I'm Safari running on an Intel Mac".
The script at movstube.com looks at this user agent. If it sees a Windows user agent, it attempts to download a Windows virus pretending to be movie viewer software, just like many of the other sites do.
But...
But if the script sees a Mac user agent, it sends the browser to
http://64.28.178.27/download/1023.dmg
The file 1023.dmg is a Macintosh disk image file. It contains an installer that attempts to install a piece of Mac malware variously called OSX/DNSChanger or OSX.RSPlug.A. This is a Trojan horse that attempts to modify the Mac's domain name server settings so that a Mac user who surfs the Web can be secretly redirected to sites controlled by the Russian malware writers, without knowing it.
The good news is that the Mac malware can not infect a computer without help. You must choose to install it and you must type your administrator password in order to be infected. The bad news: clearly, the Mac is now on the radar of malware writers.