Tuesday, November 17, 2009

Blackhats Unleash Another Fake Blog Campaign

In September, eSoft reported as many as 720,000 compromised sites hosting fake blog pages and being used to distribute rogue anti-virus programs. Many of these sites are still active and continue to plague searches with malicious results.

Earlier today, Cyveillance issued this report of a nearly identical attack with over 260,000 dangerous URLs, prompting the Threat Prevention Team to revisit this threat.

Between the newly reported Cyveillance URLs and additional URLs discovered by eSoft, there are now well over 800,000 active URLs matching this pattern. Surprisingly, Google flags only a small portion of these sites as malicious.

The key to this scheme is a JavaScript file uploaded to the compromised server and included by the fake blog pages. The file, css.js, contains obfuscated JavaScript that redirects visitors to rogue AV only when they arrive through certain search engines. Because the redirect is keyed to the referrer, anyone loading the page directly, including the site owner or an automated scanner, sees an ordinary page, which is likely part of why so few of these sites are flagged.
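The referrer check described above, as an added example that is not code from this post or from the real css.js (which the post does not reproduce). The engine list, the hostnames, and the rogue-AV URL are assumptions made for illustration. The second half is the practitioner's check: fetch the same page once directly and once with a search-engine Referer, and treat a different landing URL as the cloaking signal.

```javascript
// Added example (not eSoft's, Cyveillance's, or the attackers' code).
// Models the referrer-gated redirect attributed to css.js and a scanner
// check that probes a page with and without search-engine referrers.

// ASSUMPTION: the post says "certain search engines" without naming them;
// this list is illustrative, not recovered from the real css.js.
const GATED_ENGINES = ['google', 'yahoo', 'bing', 'msn', 'live', 'ask', 'aol'];

// Returns the engine name if the referrer's hostname contains one of the
// gated engine labels (e.g. www.google.co.uk -> 'google'), else null.
function searchEngineFromReferrer(referrer) {
  if (!referrer) return null;
  let hostname;
  try {
    hostname = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null; // not a parseable URL: treat as a direct visit
  }
  const labels = hostname.split('.');
  for (const engine of GATED_ENGINES) {
    if (labels.includes(engine)) return engine;
  }
  return null;
}

// The gating decision the post describes: redirect only search-engine
// visitors, so direct visits see the fake blog page unchanged.
function cloakedRedirectTarget(referrer, rogueUrl) {
  return searchEngineFromReferrer(referrer) ? rogueUrl : null;
}

// Scanner side. fetchFinalUrl(url, referrer) must return the URL the
// client ends up at (in real use: a headless browser with the Referer
// header set and JavaScript executed). A landing URL that differs
// between a direct visit and a search-referred visit is the signal.
const PROBE_REFERRERS = [
  '',                                              // direct visit, no Referer
  'https://www.google.com/search?q=placeholder',   // hypothetical referrers
  'https://search.yahoo.com/search?p=placeholder',
  'https://www.bing.com/search?q=placeholder',
];

function probeForCloaking(fetchFinalUrl, url) {
  const observations = PROBE_REFERRERS.map((referrer) => ({
    referrer,
    finalUrl: fetchFinalUrl(url, referrer),
  }));
  const direct = observations[0].finalUrl;
  const divergent = observations
    .slice(1)
    .filter((o) => o.finalUrl !== direct);
  return { url, direct, divergent, cloaked: divergent.length > 0 };
}

// CONSTRUCTED stand-in for a compromised host so the block runs offline:
// it applies cloakedRedirectTarget exactly as the gating logic above would.
const ROGUE_AV_URL = 'http://rogue-av.example/scan.php'; // hypothetical
function simulatedCompromisedHost(url, referrer) {
  return cloakedRedirectTarget(referrer, ROGUE_AV_URL) || url;
}

const report = probeForCloaking(simulatedCompromisedHost, 'http://compromised.example/blog/');
console.log(JSON.stringify(report, null, 2));
```

Two caveats. The label match is deliberately loose (a referrer from google.attacker.example also matches), which is fine for a probe but not for a blocklist. And a crawler that fetches HTML without executing the included script will never trigger the redirect, so a text-only fetch with a search-engine Referer is not enough; the probe has to run the page's JavaScript and report where the client actually ends up.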

Because the redirect target lives in a single script under the attackers' control, this technique lets them change distribution points and payloads quickly and easily. The current payloads have low detection rates among AV scanners.

In addition to the URL strings reported by Cyveillance, be on the lookout for these additional URL types.

eSoft will continue to flag associated domains into their appropriate security categories, protecting SiteFilter users from falling victim to this attack.