SQL Injecting Malicious Doorways to Serve Malware

Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasing common, as is the use of SQL injections in order for the malicious parties to ensure their campaigns will receive enough generic traffic to their redirectors. Excluding the use of the very same traffic management tools, web malware exploitation kits, templates for the rogue adult sites and the rogue security software, perhaps the most important thing to point out regarding all of the previously analyzed such campaigns, is that they are all related to one another, and are operated by the same people, using the very same infrastructure and live exploit URLs most of the time.

Let’s expose yet another such campaign, that has been SQL injected and spammed across a couple of hundred web forums. gpamelaaandersona .info ( is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (, and from there the following campaigns load on-the-fly :

porntubev20 .com/viewmovie.php?id=86 (

getmyvideonow .com/exclusive2/id/3912999/2/black/white/ – (

immenseclips .com/m6/movie1.php?id=1552&n=celebs (

movieexternal .com/download.php?id=1552 (

2008adults2008a .com/freemovie/144/0/

avwav .com/1931.htm

codecupgrade .com (

iwillseethatvideo .com (

dciman32 .com (

Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections with malware gangs and previous campaigns can be established. For instance, here are some more “sleeping beauties” at :

 winantivirus2008 .org

porntubev20 .com

crack-land .com

just-tube .com   

codecupgrade .com

codecupgrade .com

scanner-tool .com

surf-scanner .com

best-cracks .com

updatehost .com

updatehost .com

freemoviesdb .net

megasoftportal .net

And even more malicious doorways, and rogue software at :

musicportalfree .com

softportalfree .com

verifiedpaymentsolutionsonline .com

my-adult-catalog .com

indafuckfuck .com

best-porncollection .com

funfuckporn .com

sanxporn .com

dolcevido .com

xiedefender .com

online-malwarescanner .com

easyvideoaccess .com

my-searchresults .com

creatonsoft .com

ihavewetfuckpussy .com

How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of the ISPs that you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later, and when your abuse emails become more persistent, a fake account suspended notice makes it to the front page, whereas the campaigns get automatically updated to redirect to an internal page, again serving the malware and the redirectors.

Related posts:

Fake Porn Sites Serving Malware – Part Two

Fake Porn Sites Serving Malware

Underground Multitasking in Action

Fake Celebrity Video Sites Serving Malware

Blackhat SEO Redirects to Malware and Rogue Software

Malicious Doorways Redirecting to Malware

A Portfolio of Fake Video Codecs

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *