It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I had discovered earlier had, over three or four months, morphed and changed radically, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.
As a side note: I know a lot of folks who maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It's quick (takes about five minutes) and easy, and earlier versions of WordPress can be compromised by automatic hacking software. Someone doesn't even need to target you in particular; they can run a program that will locate and automatically hack your site if you run an outdated version of WordPress.
The network that is being used to distribute viruses is being fed from a lot of different sources. The most common seem to be hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, compromised, fake, or otherwise dodgy Facebook profiles that contain links to the traffic redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs.
A visitor gets into the network by doing a Google search, which turns up one of the hackers' hacked sites. When he clicks on the Google result, he is sent to a traffic handling Web site. In the past, there was only one of these: traffloader.info, which kept a record of the Google search the user used and would then pick a virus dropper at random to send the user to. Doing this has several advantages: it places an extra step between the hacked Web site and the place where the virus comes from, making it more difficult to trace the source of the infection; and if one virus dropping Web site goes offline or is taken down, traffloader.info will simply start redirecting people to a different virus dropping Web site.
I've found several traffloader.info mirrors, some of which have since been taken down and others of which are still up and running:
traffloader.info/go.php (registrar: estdomains)
traff-mega.net/in.php (registrar: estdomains)
blyapizdets.info/go.php (registrar: estdomains)
kentford.cn/in.php (registered in China and using a name server that is itself registered through estdomains)
So traffic comes in through a hacked Web site and goes to one of these sites. From there, it is redirected to one of the virus dropper sites, which have (as the chart above shows) exploded in number.
Some of the hacked WordPress installs that I discovered don't redirect to a traffic handler site, but instead redirect straight to a virus dropper hosted at sexlookupworld.com.
Interestingly, some of the hacked WordPress sites also redirect, not to a virus dropper at all, but to www.cams.com (an affiliate pay-for-access porn Webcam site) or to xml.valary.com (which is a front-end for several pay-per-search search engines). It's possible the hackers responsible for the iPower intrusions and the WordPress hacks are also looking to expand their revenue stream by using the hacked Web sites to redirect to pay-per-search engines and old-fashioned affiliate porn sites. It's also possible that these particular hacks are the work of some other party, who has noticed the vulnerable WordPress installs (or possibly is using the same automated hacking tools that the virus guys are using) to try to piggyback on the WordPress exploits.
Another new twist is poisoned Google Groups. The hackers have set up a large number of Google Groups, which they are advertising by conventional and Weblog spam. These Google Groups have names like
Visiting the home page of any of these Google Groups reveals a link to sexlookupworld.com, which (predictably) attempts to install a virus on the visitor's system.
What's also interesting is that the number of payload sites which examine the visitor's browser user-agent and automatically install Mac or Windows malware has not proliferated since I first discovered the Mac versions of the malware. As of the time of this writing, I have identified only one site that tries to download Mac malware; the additional new payload sites still download Windows-only malware. I don't know if this means that the hackers have decided the number of Mac users who will infect themselves is too small to pay attention to, or if they simply have had their hands full expanding the network.
The current network is far more resilient than the original network I first stumbled across, and no longer has a single point of failure. It also has a much larger number of inputs, and more ways to trap the unwary into infecting themselves. The explosion of compromised WordPress installs is especially worrisome. Folks, running software on your own Web server means vigilance. It's the price you pay for getting your own blog--now you own all the security concerns. I cannot stress this enough: If you run software, ANY software, on your server, you MUST be diligent in keeping up with security patches. As of version 2.5, WordPress automatically notifies you of security updates when you log in to the administrator area. And again, if you are running any version of WordPress prior to 2.5 in any configuration, you should assume you can be pwn3d at will, and that potentially everything on your Web server is up for grabs. The hackers don't even have to target you specifically; judging from the number of compromised WordPress installs I've seen, they simply have to run automated programs that scan the Web searching for insecure WordPress installs.
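A quick way to audit your own blog against the 2.5 threshold above is to read the version WordPress advertises (the generator meta tag on the front page, or the "Version x.y.z" line in readme.html) and compare it. The script below is an added example, not code from the original post; the sample pages are constructed, and `check_site` is a hypothetical helper for running the same check against a site you administer.

```python
"""Compare the version a WordPress install advertises against a minimum.

Added example, not from the original post. Sample page bodies are
constructed so the check runs offline; check_site() fetches a real site.
"""
import re
import urllib.request

MIN_SAFE = (2, 5)  # the post's threshold: anything before 2.5 is assumed compromised

# Constructed sample pages (not real sites). The readme sample mimics the
# "Version x.y.z" line that WordPress 2.x shipped in readme.html.
SAMPLE_OUTDATED = '<html><head><meta name="generator" content="WordPress 2.3.1" /></head></html>'
SAMPLE_CURRENT = '<html><head><meta name="generator" content="WordPress 2.5.1" /></head></html>'
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 2.2.3</h1>'
SAMPLE_HIDDEN = '<html><head><title>just a blog</title></head></html>'

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+(\d+(?:\.\d+)*)', re.I)
README_RE = re.compile(r'\bVersion\s+(\d+(?:\.\d+)*)', re.I)

def parse_version(text):
    """Return the advertised version as a tuple of ints, or None if the page
    does not expose one. A hidden version is not evidence of a patched site."""
    m = GENERATOR_RE.search(text) or README_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split('.'))

def assess(text, min_safe=MIN_SAFE):
    """Classify a page body as 'outdated', 'ok' or 'unknown', with the version."""
    ver = parse_version(text)
    if ver is None:
        return ("unknown", None)
    return ("outdated" if ver < min_safe else "ok", ver)

def check_site(base_url):
    """Hypothetical helper: fetch the front page and readme.html of a site
    you administer and return assess() for the first one exposing a version."""
    for path in ("", "readme.html"):
        url = base_url.rstrip("/") + "/" + path
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                body = resp.read().decode("utf-8", "replace")
        except Exception:
            continue  # unreachable or non-HTML; try the next path
        status, ver = assess(body)
        if ver is not None:
            return (status, ver)
    return ("unknown", None)
```

An "unknown" result only means the version is not advertised; confirm it from the admin dashboard rather than treating it as safe.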
Even the Boston Public Library's WordPress install has been hacked, and was hosting redirectors to virus droppers for a period of over a month.
There's a lot of money in this malware. The group responsible for this network profits in many ways. The malware that pretends to be antivirus software is "scareware": it pops up alerts every few minutes telling you about fake viruses on your system, to try to trick you into paying for the "unlocked" version which will supposedly "fix" these nonexistent viruses.
The software that pretends to be movie player software is actually a program known as Zlob or DNSchanger. It surrenders control of an infected computer by telling the computer to use name servers controlled by Russian organized crime. Whenever you do a Google search or visit a Web site, the hostile name servers quietly take control of what you see in your Web browser; they can do anything from controlling what search results you see to placing ads on your pages to taking you to a completely different site altogether (for example, if you type bankofamerica.com in a browser window, they can steer you away from the real Bank of America site to a fake site that looks just like it, but gives your login information to Russian criminals).
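Because DNSchanger works by swapping the resolvers a machine uses, the first thing to check on a suspect host is whether its configured name servers are the ones you (or your ISP/DHCP server) actually handed out. The script below is an added example, not from the original post: the resolv.conf text and the `EXPECTED` allowlist are constructed, and on a real host you would read /etc/resolv.conf (or the resolver list from `ipconfig /all` on Windows) and supply your own expected addresses.

```python
"""Flag configured name servers that are not on an expected allowlist.

Added example, not from the original post. The sample resolv.conf and the
allowlist are constructed; replace them with your own host's values.
"""
import ipaddress

# Constructed: the resolvers this network is supposed to hand out.
EXPECTED = {"192.168.1.1", "10.0.0.53"}

# Constructed sample; the last entry stands in for an attacker-controlled
# resolver (203.0.113.0/24 is a documentation range, not a real server).
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
nameserver 192.168.1.1
nameserver 10.0.0.53   # secondary
nameserver 203.0.113.77
nameserver not-an-ip
"""

def parse_nameservers(text):
    """Return the nameserver IPs in config order, skipping comments and junk."""
    servers = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry; the resolver would ignore it too
    return servers

def unexpected_resolvers(text, expected=EXPECTED):
    """Resolvers present in the config but absent from the allowlist.
    The allowlist decides, not the address class: a private-range resolver
    you never configured is as suspicious as a public one."""
    return [ns for ns in parse_nameservers(text) if ns not in expected]

def is_hijacked(text, expected=EXPECTED):
    """True if any configured resolver falls outside the allowlist."""
    return bool(unexpected_resolvers(text, expected))
```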
Security firm Panda Labs estimates that this kind of malware brings in as much as $34 million a month for Russian organized crime. Even if this estimate is off by an order of magnitude, the scale of the money being brought in means there will likely be no solution to the problem any time soon.