Redirection Malware Very Good Leads to Fake AV

If you look at our Labs malware dump for the last few days, you will find something odd in the names of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9

Can you see the similarity? All of them have “very good” as part of the domain name. This is not something that started today: for the last few weeks we have been seeing many domains following the same pattern. This malware acts in the same way as Blackmuscats, using .htaccess redirections to send visitors of a hacked site to Fake AV.
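To show how a defender can pick this campaign out of a redirect dump, here is an added example (not code from the post or from Sucuri) that parses the “count url” lines in the shape shown above, aggregates redirect counts per host, and flags hosts matching the “verygood” .ru naming pattern or the bare in.cgi/simmetry redirector path with a numeric id. The sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the "<count> [redirections] <url>" shape used in the post;
# these lines are illustrative, not the Labs dump itself.
SAMPLE_DUMP = """\
712 redirections http://moi-verygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9
215 http://verygood2010.ru/in.cgi?9
25 http://verygood-content.ru/in.cgi?9
300 http://example.com/in.cgi?9
12 http://cdn.example.org/static/app.js
"""

# Deliberately broad: any .ru host with "verygood"/"verygoods" somewhere in the name.
VERYGOOD_HOST = re.compile(r"^[a-z0-9-]*verygoods?[a-z0-9-]*\.ru$")
# Redirector endpoints seen in the post, which carry a numeric campaign id as the query.
REDIRECTOR_PATH = re.compile(r"^/(in\.cgi|simmetry)$")
LINE = re.compile(r"^(\d+)\s+(?:redirections\s+)?(https?://\S+)")

def parse_line(line):
    """Return (count, host, path, query) for one dump line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    count, url = int(m.group(1)), m.group(2)
    u = urlparse(url)
    return count, (u.hostname or "").lower(), u.path, u.query

def classify(host, path, query):
    """Return the reasons a redirect target matches this campaign (empty list = no match)."""
    reasons = []
    if VERYGOOD_HOST.match(host):
        reasons.append("verygood-style .ru domain")
    if REDIRECTOR_PATH.match(path) and query.isdigit():
        reasons.append("in.cgi/simmetry redirector with numeric id")
    return reasons

def report(dump):
    """Aggregate counts per host and return matching hosts, busiest first, with reasons."""
    hits, why = Counter(), {}
    for line in dump.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        count, host, path, query = parsed
        reasons = classify(host, path, query)
        if reasons:
            hits[host] += count
            why[host] = reasons
    return [(host, n, why[host]) for host, n in hits.most_common()]
```

A host matched only on the redirector path (example.com in the sample) is reported with that single reason, so the analyst can see why it was flagged rather than trusting a bare score.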

These are some other domains we are seeing:


As for hosting, most of them are on 212.71.10.220, alongside many other malicious domains. Another interesting correlation is that all of those domains were registered on July 18:

domain: VERYGOOD2011.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2012.07.18
paid-till: 2013.07.18
free-date: 2013.08.18
source: TCI

As always, we will post more details when we have them.

About Daniel Cid

Daniel B. Cid is the CTO & Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid