Wednesday, February 9, 2011

ThreatCenter Live Blog is now zveloBLOG™

zvelo is proud to announce that the Threat Center Live Blog has moved, and is now zveloBLOG.

We greatly appreciate all current subscribers to this blog and kindly thank you for the expressed interest and support over the past couple of years. zvelo looks forward to possibly continuing the discussions at our new location.

So go ahead, subscribe and partake in the conversation at the new zveloBLOG, where we will continue to feature alerts and discussions about the latest malware, spam, viruses, phishing scams, rogue software and other web threats stemming from the exclusive research conducted by the engineers and Web Analysts at zveloLABS™.

Please note that this Threat Center Live Blog will be shut down sometime in the summer of 2011.

Thursday, July 29, 2010

Adobe CS7 Searches Saturated With Dangerous Results

Looking to save a few bucks on software will almost always lead users down a dangerous path. Users either end up at “OEM Software” sites offering unlicensed and illegal software, or download cracks or keygens laced with malware.

One of the big issues here is that these sites are quite easy to find. Google searches for “cheap” or “discount” software show how easy it is to come across these sites. Searches for all kinds of popular software, from MS Office to Adobe CS, will bring up dangerous results.

Even searches like ‘Microsoft Windows 7’, which should be filled with Microsoft related sites and articles, instead include fraudulent OEM sites in the top results. Today, the eSoft Threat Prevention Team is warning users to be especially wary of unreleased software. A major target of these scams is Adobe, which recently released its Creative Suite 5 (CS5) software. However, searches for CS7, a product not yet announced and two versions premature, result in a solid wall of bogus search results leading to scams and malware.

Aside from poisoning search results, the criminal enterprises behind these scams are increasingly using Spam to increase their reach.  The criminal rings associated with these sites also control infected machines capable of sending millions of Spam messages per day, making it very easy to draw users to these sites.  Spam messages are sent offering “instant” downloads and huge savings, only leading the user to a full blown fraud operation.

Rightly suspicious users who are wary of entering their personal information on these sites, or don’t want to pay for the software at all (aka stealing), may try to find cracks or keygens to allow them to activate trial versions of the software.

Take the example of the site below. The keygen download on this page is malware that attempts to call home and download more malicious software. The other links on this page lead the user right back to the same OEM software scams.

Each week eSoft finds hundreds of sites and domains related to these OEM Scams.  It’s important for users to realize that these sites are fraudulent and could potentially be very dangerous.  If you are purchasing new software, make sure it is from the vendor itself or a reputable distributor.

Monday, July 19, 2010

Widespread Compromise Impacts Thousands of Legitimate Websites

The eSoft Threat Prevention Team has detected a new widespread compromise, with tens of thousands of domains infected.  Cybercriminals have used stolen credentials, placing specially crafted pages into legitimate websites that lead visitors to malicious payloads.

The cybercriminals involved in this campaign are primarily targeting pornographic search terms. Poisoned searches involve nude celebrities and porn stars, nudism, sex parties and searches that are much more lewd and inappropriate. Obfuscated javascript is used to redirect a visitor to Rogue Anti-Virus and other malicious payloads.

At the time of writing most infected pages lead to the rogue anti-virus scam “Antivirus Plus” as shown below.

Cybercriminals are increasingly infecting legitimate sites rather than creating their own websites.  Otherwise honest sites that have been compromised have a much longer lifetime with which to infect visitors and have a better chance of passing undetected through web filtering technologies, infecting a greater number of users.  Sites created specifically for malware distribution or malicious intentions can be shut down by the domain registrar or ISP much more quickly than a legitimate site that’s been compromised.  With granular URL classifications, eSoft SiteFilter technology is able to detect and block these sites before a user is infected.

Based on the number of different platforms and web server software that are infected in this specific attack (recognized by the recurring malicious code it uses), it’s most likely the sites were compromised using stolen FTP credentials. For webmasters out there, be sure to keep your FTP passwords secure, and don’t save them in popular FTP programs where they can easily be harvested by attackers. If possible, use SFTP and key based authentication instead of the less secure FTP protocol. Also avoid passwords that are found in the dictionary or are common place names or personal names (even adding a number to the end will not protect you from a determined brute force attack).

Further details are available for security researchers interested in the specific attack and related code.  Right now, eSoft estimates that the attack affects 3,200 websites.

Tuesday, June 29, 2010

Red Button SEO Poisoning and Malware Campaign

eSoft researchers have been tracking a new campaign by cybercrooks, compromising and creating websites for use in SEO poisoning and malware distribution. Thousands of these sites have been detected which use elaborate techniques to trick search engines and are ready to serve malware in an instant.

At the forefront of this attack is the use of the visitor’s referrer or user-agent to decide what content to serve, which enables the cybercriminals to effectively increase their search engine ranking while keeping their malicious intentions hidden. Google and other search engine bots will be served up SEO tailored content to manipulate search results and drive traffic. This content cleverly uses a mashup of text and images scraped from various sites.

Danger lurks for users that visit these pages using Google search or other search engines. In the course of monitoring, eSoft has seen these pages deliver Rogue AV, redirect to fraudulent pharmacies, fake search pages and more.

At the time of writing, most of the sites involved in the campaign are currently hosting a Red Button flash file, as shown below. This file indicates a compromise, and although clicking the red button currently does nothing malicious, these pages serve as a placeholder for the attackers. These pages change their character depending on how they are referenced, and at any time they could infect the user with malware.

The Threat Prevention Team is keeping a close watch on these sites as they continue to multiply.  There is a strong chance that these sites are currently establishing good reputations with security companies that will make future attacks through these sites more effective.  eSoft is classifying these sites as Compromised to protect SiteFilter users from any future malicious payloads.

Thursday, June 24, 2010

What Drives Organizational Web Filtering?

Network administrators and businesses install web filtering on networks for a variety of reasons ranging from compliance and legal requirements to worker productivity issues. To gain some insight, eSoft is taking a poll of network administrators, customers, readers, and security professionals to identify the most important drivers behind web filtering. We’d love participation of our readers and loyal eSoft customers. When complete, we’ll report the findings back to readers on the Threat Center Live blog.

Please take a moment to respond below, or on the eSoft website, and thanks for your participation.

Wednesday, June 23, 2010

Introduction to Rogue Anti-Virus

If you follow the Threat Center Blog, you’ve heard us talk about “Rogue AV,” but may not fully understand what we’re referencing.  This post is for those users who are not already familiar with this widespread and common threat.

In short, when we and other security researchers reference Rogue AV, we’re referring to an Internet scam where an official-looking web page pops up telling the user that a virus has been detected on their computer.  The web page often appears to be scanning the local computer and often reports multiple found infections.  The web page, the report, and everything about this scam is a fraud.

Millions of users have been duped into installing malicious software, also known as malware, onto their systems, allowing cybercriminals to steal money and other personal details. Here’s how the attack works:

Step One: Get the user to the malicious website

First, the group or groups behind these attacks post large numbers of links to some new domain by spamming community forums, blog comments, and by putting the links inside hidden elements on compromised websites in a technique known as Blackhat SEO (Search Engine Optimization). In this way, they are able to get the target website high up in search results for common or recently trending search terms. Right now, for example, search results on Wimbledon and the World Cup are actively being poisoned in this manner.

The above technique is usually seen in conjunction with one or more of the following:
  • Redirects from compromised websites that are otherwise legitimate
  • Spam emails that are often sent via other compromised computers
  • Malvertisements where attackers pay for an ad in a legitimate ad network, but use the ad to send people to the malicious website.  In the past year, reputable sites like the New York Times, White Pages, Tech Crunch and others have been caught hosting such malvertisements.

Step Two: The con game

Once on the website, social engineering tricks are invoked to convince a user to fall for this modern Internet con. Computer users are conditioned with constant reminders to keep their computer free from viruses and malware by running anti-virus software and keeping their virus definitions up to date. These websites use this conditioning against the user, using visual elements to establish authority and trust and then causing a sense of danger and urgency when notifying the user that their computer is infected with viruses and that their personal computer and data are under someone else’s control.

Rogue anti-virus malware comes in many different forms and will take different approaches to fool a user, but at the most basic level, rogue anti-virus scams convince the user that they have a problem and that they need to download some software to fix the problem.

The screenshots below are just a few examples of fake scanners. These specially crafted pages are made with great detail to look exactly like Windows XP, Vista, or Windows 7 system alerts.

Fake scans like these are very believable for uneducated users and lead to a very high success rate for cybercriminals. 

Step Three: Infection

Frequently a box pops up that asks the user if they want to download the software that will fix the purported problem.  In many cases, it doesn’t matter if the user agrees or cancels, the download will begin in either case. Once the downloaded file is opened, the system is infected and the user has been tricked into installing the very thing he or she sought to remove. 

Cybercriminals make it very difficult to click away from the page, so that in some cases, the user relents out of a sense of frustration and not knowing how else to move forward.  In many cases the malicious file is downloaded with no user interaction at all.

The actual file that is downloaded changes often, with different names and characteristics. eSoft rarely sees more than two or three legitimate anti-virus products (of over 40 checked) detecting the file as a virus at the time of the attack. The perpetrators of this attack spit out new variations on the download at a very high rate in an attempt to stay ahead of signature-based anti-virus software.

Step Four: Asking for payment

Once a user has clicked to open the malicious file and install the software, the problem only gets worse. The cybercriminals do well in masking their malicious intentions throughout the install process. In many cases the installation is a silent install – one which requires no user interaction – or a standard install wizard which raises no red flags to the user. 

Once installed, the rogue anti-virus program will inundate the user with notifications that the system is infected and that they still need to take action. In order to remove the supposed infections (not the real problem) the user is asked to pay a license or subscription fee that typically runs between $50 and $100 USD.

Though the branding changes – these screenshots show the Rogue AV “Alpha AntiVirus” – the checkout pages remain as convincing as the rest of the scam, frequently with badges showing secure payments and other “trust me” icons.  Pricing is comparable to legitimate anti-virus products and comes with a money back guarantee to further convince the user who may be wavering that the risk to giving up their credit card and personal information is low.  In reality, submitting credit card info does not clean their system, but instead sends name, address, and credit card info directly to the perpetrators of the attack.

Users infected with this might just assume this is an annoyance, but the scam goes much deeper than this. These programs have been created by large underground crime rings that now have the users’ personal information and credit card number.  In addition, these programs are often packaged with downloader Trojans which are capable of downloading any type of malware the attacker chooses. Because many of these criminal enterprises are also heavily involved in banking malware this is just one of the many additional types of malware that can be installed.  As a result, an infected computer should have a computer professional remove the virus, which can cost small businesses thousands of dollars per year.


Cybercriminals go a long way to making sure they can infect a machine and to get around classic signature-based virus scanning.  If a user gets a web browser window that says their computer is infected with malware, they should immediately attempt to close the window.  If that is not possible, then quitting and restarting the web browser is the next best thing.  This, of course, requires that users are trained in spotting and avoiding this attack, but in practice, training unsavvy users alone is not always fruitful.

Now more than ever, malware is distributed via the web. In fact, over 75% of new malware is delivered through the web. Classic anti-virus is struggling to address these threats effectively.  The most effective way to stop web-based threats is with Secure Web Filtering.  Secure web filtering works by detecting and blocking dangerous sites even before there is any anti-virus protection.  By blocking access to the site, the threat is mitigated. Secure web filtering must have real-time updates in order to block these fast moving websites, but with such a solution, users should be well protected from this pervasive threat.

Monday, June 14, 2010

Alert to Web Security Researchers: Malicious scripts masquerade as Google Analytics

eSoft's Threat Prevention Team has detected attacks that are masked to look like standard Google Analytics code. Google Analytics issues a snippet of javascript code that dynamically adds a script tag to a page. This tag then loads the Google Analytics code for logging visits to the site.

Researchers see this code in HTML source so often that it almost never gets a second glance - until now. eSoft researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.

Decoded, this turns into a script tag that looks like this:

Note the use of the "sr?" attribute to carry the Google Analytics URL, with the actual "src" attribute pointing to the malicious script at Security researchers out there, be sure to take a second look at that Google Analytics code next time you're looking at an infected site.

Monday, June 7, 2010

New Email Phish Targets Twitter Users, Abuses Google Groups

A new twitter spam campaign is making rounds, infecting users with rogue anti-virus malware. The spam mail attempts to convince the user that someone was trying to steal their Twitter account information, and to download a “secure module” to protect their account.

The email that begins the attack looks like authentic communications from Twitter with a link ostensibly to

However, the link provided by the attacker does not actually link back to Twitter, but to a Google Groups page where the malware is currently hosted.  The use of Google Groups to distribute malware has been a continuing trend since eSoft first blogged about it last month.

VirusTotal shows a moderate detection rate of 21 out of 41 anti-virus companies that currently detect this threat. For users whose anti-virus software does not detect the threat, a download will result in an infection with the rogue anti-virus malware. The malware launches a “Protection Center,” which runs a fake anti-virus scan ostensibly revealing the machine is infected by a slew of viruses. The user must activate the software to remove the bogus infections, handing their credit card info over to cybercriminals.

The cybercriminals behind this attack make excellent use of social engineering tricks to fool users into installing this malware. They use the topic of stolen Twitter account credentials to get the users’ attention, then link to Google Groups to make users feel comfortable with the download, and finally use convincing fake anti-virus scans to make the user believe their machine is infected.

eSoft is flagging these infected Google Groups pages as Compromised.

135,000 Fake YouTube Pages Delivering Malware

The eSoft Threat Prevention Team has uncovered thousands of compromised web servers hosting fake YouTube pages. Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware.

The fake YouTube pages are well crafted and look almost identical to the real site. By imitating websites like YouTube, cybercriminals are taking advantage of users’ inherent trust in the site and are able to infect more machines.

Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs.  Google search results show 135,000 of these infected pages at the time of writing. 

By clicking ‘OK’ to install the codec the user is redirected through intermediary sites to a final destination where the malware is downloaded.  After opening the file, the malware runs silently in the background giving unsuspecting users no sign that their computer is now infected and their data and computing resources are under the control of hackers.

Presently, this fake codec is actually a downloader Trojan with very low anti-virus detection. VirusTotal shows that only 8 of 41 anti-virus scanners currently detect the threat. Without capable, secure web filtering to block access to these malicious sites, these threats will have a high chance of infecting users.

eSoft is flagging any sites hosting the fake YouTube pages as compromised until the pages are removed.  Intermediary sites and distribution points will also be blocked as compromised or malicious distribution points, protecting SiteFilter customers from infection.

Tuesday, May 25, 2010

Anatomy of a Modern Compromised Website

In the security community, little attention is paid to compromised websites that don't serve up malware. The malicious URL lists maintained by the anti-virus companies, by Google, and by nearly every other source of malicious URLs rely on anti-virus to trigger on exploits and malware to determine if a site is malicious. In a few select cases, behavioral analysis may be used to determine if a visit to a website will lead to an infected computer. But sites that are taken over by hackers are frequently used for other purposes besides directly serving up viruses or redirecting to sites that do.

When a hacker gains control of a site, they generally do one of several things:

  1. Nothing -- they sit on it waiting for a later date,
  2. Malware -- they load on exploits and malware or links to sites that host these in an attempt to infect visitors to the site,
  3. Defacement -- they put up a big notice saying they hacked the site,
  4. Attack relay -- they use the site as part of a chain of sites that lead to malware,
  5. Hijacked advertising -- they put ads on the site or change ads on the site to make themselves the beneficiaries, or
  6. Blackhat SEO -- they use the site to trick search engines into thinking that some other site or sites are very popular and should be elevated in search page results.

It is the last one, Blackhat Search Engine Optimization (SEO), where hackers are seeing so much success (see our previous blogs on this topic). SEO is the pseudo science of increasing a website's ranking in a set of search results. Landing at or near the top means more traffic to a website, which can mean advertising revenue or, if the site is malicious, a larger number of infected computers. In either case, the motive is money. And in some cases, hackers sell their SEO services and make money by increasing that search engine ranking.

In any case, search engine rankings are largely driven by popularity. The top results have links coming from many other sites, and the more popular the linking sites, the higher the popularity of the site being linked. We call it Blackhat SEO because hackers use the websites they've compromised to host links to a website that they want to appear high up in search results. These links are usually hidden so that casual visitors to the site and the site's maintainers don't see them. The links are disguised by putting them off screen or using other techniques to make them invisible to a human visitor, while they remain perfectly visible to computers like Google's crawlers.

Take, for example, the case of Nauman Sod Farms, a small business in Iowa with a simple website that eSoft first flagged as compromised on February 4th, 2009. It was continuously rechecked and found by eSoft to be infected from then up through this posting.

It is easy to see why someone would think this site is innocent. To a normal user, it appears perfectly fine, but this small business is being exploited by hackers. If you view their home page without security precautions, everything looks normal. If you then disable javascript (using the NoScript plugin or your browser preferences) and reload the home page, you’ll see a long stream of cell phone related links show up at the bottom of the page including:

  • cf card gsm review siemens
  • unlocking nokia 5210e
  • tocatta and fugue in d minor ringtone verizon
  • motorola e1 secret codes
  • samsung le32r41bd
  • free download polyphonic ringtones through sms
  • motorola java games
  • law and order ringtone

In this case, javascript was used to hide the links, but that is not necessarily the case. And in this case, the links are search engine bait for various mobile phone searches, but we more often see links to pornography sites and malicious sites inside these PageRank Bombs.

In this case, two pieces of obfuscated javascript (meaning it is loosely encrypted to evade anti-virus signatures) add some code to the page that hides the links for those who have javascript enabled. This obfuscated javascript looks like this:



and basically evaluates to this:

   document.write('<div style="height:1px;overflow:auto;">');

where that height of 1 pixel is what instructs the browser to hide the links from a visiting user.

Scanning this compromised page with shows that of their 20 AV scanners, none detect a problem. Similarly, not one other URL checker shows any problem with this site including Google’s Safe Search and SiteAdvisor.

Unfortunately, in the case of this particular site, the infection runs deeper. Clicking through into the site offers up a new threat. At the bottom of the page, a hidden iframe has been injected. Essentially this means that the attackers have chosen to have the browser fetch content from another site but not for the purpose of displaying anything to the user. These are typically used to embed exploits hosted on another site onto the compromised site while reducing the maintenance effort. In this particular case, the iframe links to a page that is now missing, so for the moment, visitors are not being infected with malware. Based on our records though, the embedded iframe used to lead to malware, meaning that visitors to this site were targeted with viruses.
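The three tell-tales described on this page (the hidden 1px container wrapping SEO links, the hidden iframe, and the lookalike Google Analytics script tag from the June 14 post) can all be checked statically. The scanner below is an added example, not eSoft's code; it works on the HTML as the browser sees it after the obfuscated document.write() has run, and every hostname in its constructed sample page is a placeholder.

```python
"""Static scan of page HTML for hidden SEO link farms, hidden iframes and
<script> tags dressed up to resemble the Google Analytics snippet.
Example code, not eSoft's; sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style idioms that keep content off screen for a human visitor
# while leaving it in the HTML for search-engine crawlers.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|height\s*:\s*[01]px|width\s*:\s*[01]px"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)
TRUSTED_GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col"}


class CompromiseScanner(HTMLParser):
    """Collects (kind, value) findings while walking the document."""

    def __init__(self):
        super().__init__()
        self.stack = []        # True for each open element that hides content
        self.hidden_depth = 0  # > 0 while inside a hidden container
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDING_STYLE.search(a.get("style", "")))
        if tag == "a" and a.get("href") and self.hidden_depth:
            self.findings.append(("hidden_link", a["href"]))
        elif tag == "iframe" and (hidden or a.get("width") in ("0", "1")
                                  or a.get("height") in ("0", "1")):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src", "")
            src_host = urlparse(src).netloc.lower()
            # A GA URL parked in some attribute other than src (the "sr?"
            # trick) while src itself points somewhere untrusted.
            if src_host not in TRUSTED_GA_HOSTS and any(
                    n != "src" and v and "google-analytics.com" in v.lower()
                    for n, v in attrs):
                self.findings.append(("fake_ga_script", src))
        if tag not in VOID:            # void elements never get an end tag
            self.stack.append(hidden)
            self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.hidden_depth -= self.stack.pop()


def scan(html):
    """Return the list of (kind, value) findings for one page."""
    p = CompromiseScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the hiding <div> is present as it would be after the
# page's document.write() has run, plus a lookalike analytics tag and a
# 1x1 iframe. None of these hosts are real sites.
SAMPLE_PAGE = """<html><body>
<h1>Sod farm</h1><p>Quality sod, delivered.</p>
<script sr?="http://www.google-analytics.com/ga.js"
        src="http://malicious.example/js/ga.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<div style="height:1px;overflow:auto;">
<a href="http://seo.example/unlocking-nokia-5210e">unlocking nokia 5210e</a>
<a href="http://seo.example/motorola-java-games">motorola java games</a>
</div>
<a href="http://sodfarm.example/contact">Contact us</a>
<iframe src="http://exploit.example/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_PAGE):
        print(f"{kind:15} {value}")
```

A clean page with a genuine analytics tag and only visible links produces no findings, so the output can be fed straight into a rescan queue.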

This site has been compromised like this for over a year without the owner of the web site knowing -- and this is quite common. It is difficult for security companies like eSoft to automatically notify website owners when their websites are compromised, since public information about sites is frequently hidden through privacy screens or else leads to spam traps. eSoft's Threat Prevention Team reached out to Nauman Sod Farms four days ago using the email address on their site to alert them to the problem, but so far there has been no response and the website remains under the control of hackers. Until this is fixed, and because of the likelihood that the hackers may again start infecting visitors with malware, we recommend that folks avoid this site for now. Users of eSoft's secure web filtering will see this site marked as Compromised.

In general, we believe it is important to identify sites that are under the control of hackers even when those sites aren't being used to propagate computer viruses. These sites may at any time become threatening in that way and are frequently used as part of the machine that drives other sites where the actual malware is stored. The industry as a whole needs to pay more attention to these sites. In the meantime, eSoft does provide protection from these sites and identifies thousands like this one every day.