Redirection Malware Very Good Leads to Fake AV

August 8, 2012, by Daniel Cid


If you look at our Labs malware dump for the last few days, you will find something odd in the name of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9
Can you see the similarity? All of them have "very good" as part of the domain name. This did not start today: for the last few weeks we have been seeing many domains that follow the same pattern. This type of malware acts in the same way as the Blackmuscats, redirecting users who visit a hacked site to Fake AV via .htaccess redirections.

These are some other domains we are seeing:

215 http://verygood2010.ru/in.cgi?9
204 http://2011verygood.ru/in.cgi?10
192 http://2011-verygood.ru/in.cgi?10
165 http://verygoods-2011.ru/in.cgi?10
160 http://1-verygoods.ru/in.cgi?9
146 http://verygood24.ru/in.cgi?9
138 http://2012-verygoods.ru/in.cgi?11
131 http://verygoods2014.ru/in.cgi?11
129 http://verygoods-2011.ru/in.cgi?10
111 http://verygoods2010.ru/in.cgi?9
111 http://verygood-2014.ru/in.cgi?11
107 http://24-verygoods.ru/in.cgi?9
101 http://verygood-2010.ru/in.cgi?9
100 http://verygood2014.ru/in.cgi?11
92 http://verygoods-24.ru/in.cgi?9
82 http://2013-verygoods.ru/in.cgi?11
80 http://verygoods-2014.ru/in.cgi?11
76 http://verygoods2013.ru/in.cgi?11
75 http://verygood-24.ru/in.cgi?9
64 http://verygoods2013.ru/in.cgi?11
51 http://24-verygoods.ru/in.cgi?9
43 http://verygood2013.ru/in.cgi?11
42 http://verygoods24.ru/in.cgi?9
40 http://24-verygoods.ru/in.cgi?9
39 http://24-verygoods.ru/in.cgi?9
37 http://24-verygoods.ru/in.cgi?9
32 http://1verygoods.ru/in.cgi?9
31 http://verygood2014.ru/in.cgi?11
29 http://24verygood.ru/in.cgi?9
27 http://verygoods-2011.ru/in.cgi?10
25 http://verygood-content.ru/in.cgi?9
24 http://2013-verygoods.ru/in.cgi?11
24 http://2013-verygoods.ru/in.cgi?11
…

As far as location goes, most of them are on 212.71.10.220, hosted alongside many other malicious domains. Another interesting correlation is that all of those domains were registered on July 18.

domain: VERYGOOD2011.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2012.07.18
paid-till: 2013.07.18
free-date: 2013.08.18
source: TCI
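To turn the two kinds of artifacts shown above (the Labs dump listing of "count url" lines and the registrar whois record) into a repeatable triage step, the following added example, written for this post and not Sucuri's own tooling, parses constructed dump lines in the same shape as the listing, aggregates hit counts per hostname (the same domain appears more than once in the listing), flags hosts that carry the "verygood" naming pattern, and then groups the flagged hosts by the `created:` date pulled from constructed whois records laid out like the VERYGOOD2011.RU record. The sample lines and whois records are constructed for the example; the hostnames are taken from the post, the second and third whois records and the missing record for 24-verygoods.ru are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the Labs dump listing on this page:
# "<count> [redirections] <url>". One benign line is included as a control.
DUMP_LINES = """\
712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9
215 http://verygood2010.ru/in.cgi?9
131 http://moiverygoods.ru/simmetry?6
40 http://24-verygoods.ru/in.cgi?9
17 http://example-benign.test/index.html
"""

# Constructed whois records in the RU registry layout used by the record on the
# page. Only the first mirrors a real record; the others are assumptions, and
# 24-verygoods.ru deliberately has no record to exercise the missing-data path.
WHOIS_RECORDS = {
    "moi-verygoods.ru": (
        "domain: MOI-VERYGOODS.RU\nnserver: ns1.reg.ru.\n"
        "state: REGISTERED, DELEGATED, VERIFIED\ncreated: 2012.07.18\n"
        "paid-till: 2013.07.18\nsource: TCI\n"
    ),
    "moiverygoods.ru": "domain: MOIVERYGOODS.RU\ncreated: 2012.07.18\nsource: TCI\n",
    "verygood2010.ru": "domain: VERYGOOD2010.RU\ncreated: 2012.07.18\nsource: TCI\n",
}

# "<count>", an optional literal "redirections", then the URL.
DUMP_LINE = re.compile(r"^\s*(\d+)\s+(?:redirections\s+)?(\S+)\s*$")
# The naming pattern the post describes: "verygood" anywhere in the host name.
VERYGOOD = re.compile(r"verygood", re.IGNORECASE)
CREATED = re.compile(r"^created:\s*(\d{4}\.\d{2}\.\d{2})\s*$", re.MULTILINE)


def parse_dump(text):
    """Return {hostname: total count}, summing duplicate entries for a host."""
    totals = defaultdict(int)
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:  # skips blank lines and the trailing "..." of a truncated list
            continue
        count, url = int(m.group(1)), m.group(2)
        host = urlsplit(url).hostname
        if host:
            totals[host.lower()] += count
    return dict(totals)


def flag_pattern(totals, pattern=VERYGOOD):
    """Hosts whose name matches the pattern, as (host, count), highest count first."""
    hits = [(h, c) for h, c in totals.items() if pattern.search(h)]
    return sorted(hits, key=lambda hc: (-hc[1], hc[0]))


def whois_created(record):
    """Extract the 'created:' date from an RU-style whois record, or None."""
    m = CREATED.search(record)
    return m.group(1) if m else None


def group_by_created(flagged, whois):
    """Group flagged hosts by registration date; None collects hosts with no record."""
    groups = defaultdict(list)
    for host, _count in flagged:
        groups[whois_created(whois.get(host, ""))].append(host)
    return {date: sorted(hosts) for date, hosts in groups.items()}


if __name__ == "__main__":
    totals = parse_dump(DUMP_LINES)
    flagged = flag_pattern(totals)
    for host, count in flagged:
        print(f"{count:>5} {host}")
    for date, hosts in group_by_created(flagged, WHOIS_RECORDS).items():
        print(f"created {date}: {', '.join(hosts)}")
```

Aggregating before ranking matters because the raw listing counts each redirect URL separately, so a domain serving several paths (moiverygoods.ru above) is under-ranked until its lines are summed; grouping by `created:` is what makes the "all registered on July 18" observation visible across the whole set rather than one record at a time.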

As always, we will post more details when we have them.


Categories: Website Malware Infections. Tags: Hacked Websites, Malware Updates, Redirects

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid
