Tuesday, June 29, 2010

Red Button SEO Poisoning and Malware Campaign

eSoft researchers have been tracking a new campaign by cybercrooks, compromising and creating websites for use in SEO poisoning and malware distribution. Thousands of these sites have been detected which use elaborate techniques to trick search engines and are ready to serve malware in an instant.

At the forefront of this attack is the use of the visitor's HTTP referrer and user-agent headers to decide what content is served, which enables the cybercriminals to effectively increase their search engine ranking while keeping their malicious intentions hidden. Google and other search engine bots are served up SEO-tailored content to manipulate search results and drive traffic. This content cleverly uses a mashup of text and images scraped from various sites.
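One way to check a suspect page for this kind of user-agent cloaking is to fetch it twice, once as Googlebot and once as an ordinary browser, and compare what each visitor would actually see. The script below is an added example and not eSoft's code; the hostnames ending in .invalid, the canned responses and the browser user-agent string are constructed for the demonstration, and the fetcher is injected so the check runs offline.

```python
import re

# User-agent strings for the two fetches (assumption: the Googlebot string is the
# well-known one; any realistic browser string works for the second fetch).
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"

def visible_words(html):
    """Strip script/style blocks and tags; return the lower-cased words a visitor sees."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def cloaking_report(fetch, url):
    """fetch(url, user_agent) -> HTML body.  Fetches the page as Googlebot and as a
    browser and returns the Jaccard similarity of the visible vocabulary: near 1.0
    means both visitors get the same page, near 0.0 means the site is cloaking."""
    bot_words = visible_words(fetch(url, GOOGLEBOT_UA))
    user_words = visible_words(fetch(url, BROWSER_UA))
    if not bot_words and not user_words:
        return 1.0
    return len(bot_words & user_words) / len(bot_words | user_words)

# Constructed responses standing in for a live fetch (hypothetical hostnames).
CANNED = {
    ("http://cloaked.invalid/wimbledon.html", GOOGLEBOT_UA):
        "<html><body><h1>Wimbledon 2010 live final</h1>"
        "<p>tickets results highlights</p></body></html>",
    ("http://cloaked.invalid/wimbledon.html", BROWSER_UA):
        "<html><body><script>var ua=navigator.userAgent;</script>"
        "<h1>WARNING</h1><p>Your computer is infected. Download antivirus now.</p></body></html>",
    ("http://honest.invalid/index.html", GOOGLEBOT_UA):
        "<html><body><p>eSoft Threat Center blog</p></body></html>",
    ("http://honest.invalid/index.html", BROWSER_UA):
        "<html><body><p>eSoft Threat Center blog</p></body></html>",
}

def canned_fetch(url, user_agent):
    """Offline stand-in for an HTTP client; a real run would swap in urllib or similar."""
    return CANNED[(url, user_agent)]

if __name__ == "__main__":
    for url in ("http://cloaked.invalid/wimbledon.html", "http://honest.invalid/index.html"):
        print(url, round(cloaking_report(canned_fetch, url), 2))
```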

Danger lurks for users that visit these pages via Google or other search engines. In the course of monitoring, eSoft has seen these pages deliver Rogue AV, redirect to fraudulent pharmacies and fake search pages, and more.

At the time of writing, most of the sites involved in the campaign are currently hosting a Red Button flash file, as shown below.  This file indicates a compromise; clicking the red button currently does nothing malicious, and these pages serve as a placeholder for the attackers.  These pages change their character depending on how they are referenced, and at any time they could begin infecting the user with malware.

The Threat Prevention Team is keeping a close watch on these sites as they continue to multiply.  There is a strong chance that these sites are currently establishing good reputations with security companies that will make future attacks through these sites more effective.  eSoft is classifying these sites as Compromised to protect SiteFilter users from any future malicious payloads.

Thursday, June 24, 2010

What Drives Organizational Web Filtering?

Network administrators and businesses install web filtering on networks for a variety of reasons ranging from compliance and legal requirements to worker productivity issues. To gain some insight, eSoft is taking a poll of network administrators, customers, readers, and security professionals to identify the most important drivers behind web filtering. We’d love participation of our readers and loyal eSoft customers. When complete, we’ll report the findings back to readers on the Threat Center Live blog.

Please take a moment to respond below, or on the eSoft website, and thanks for your participation.

Wednesday, June 23, 2010

Introduction to Rogue Anti-Virus

If you follow the Threat Center Blog, you’ve heard us talk about “Rogue AV,” but may not fully understand what we’re referencing.  This post is for those users who are not already familiar with this widespread and common threat.

In short, when we and other security researchers reference Rogue AV, we’re referring to an Internet scam where an official-looking web page pops up telling the user that a virus has been detected on their computer.  The web page often appears to be scanning the local computer and often reports multiple found infections.  The web page, the report, and everything about this scam is a fraud.

Millions of users have been duped into installing malicious software, also known as malware, onto their systems, allowing cybercriminals to steal money and other personal details. Here’s how the attack works:

Step One: Get the user to the malicious website

First, the group or groups behind these attacks post large numbers of links to some new domain by spamming community forums and blog comments, and by putting the links inside hidden elements on compromised websites, in a technique known as Blackhat SEO (Search Engine Optimization).  In this way, they are able to get the target website high up in search results for common or recently trending search terms.  Right now, for example, search results on Wimbledon and the World Cup are actively being poisoned in this manner.

The above technique is usually seen in conjunction with one or more of the following:
  • Redirects from compromised websites that are otherwise legitimate
  • Spam emails that are often sent via other compromised computers
  • Malvertisements, where attackers pay for an ad in a legitimate ad network but use the ad to send people to the malicious website.  In the past year, reputable sites like the New York Times, White Pages, Tech Crunch and others have been caught hosting such malvertisements.

Step Two: The con game

Once on the website, social engineering tricks are invoked to convince a user to fall for this modern Internet con.  Computer users are conditioned by constant reminders to keep their computer free from viruses and malware by running anti-virus software and keeping their virus definitions up to date.  These websites use this conditioning against the user, using visual elements to establish authority and trust and then creating a sense of danger and urgency by notifying the user that their computer is infected with viruses and that their personal computer and data are under someone else’s control.

Rogue anti-virus malware comes in many different forms and will take different approaches to fool a user, but at the most basic level, rogue anti-virus scams convince the user that they have a problem and that they need to download some software to fix the problem.

The screenshots below are just a few examples of fake scanners. These specially crafted pages are made with great detail to look exactly like Windows XP, Vista, or Windows 7 system alerts.

Fake scans like these are very believable for uneducated users and lead to a very high success rate for cybercriminals. 

Step Three: Infection

Frequently a box pops up that asks the user if they want to download the software that will fix the purported problem.  In many cases, it doesn’t matter if the user agrees or cancels, the download will begin in either case. Once the downloaded file is opened, the system is infected and the user has been tricked into installing the very thing he or she sought to remove. 

Cybercriminals make it very difficult to click away from the page, so that in some cases, the user relents out of a sense of frustration and not knowing how else to move forward.  In many cases the malicious file is downloaded with no user interaction at all.

The actual file that is downloaded changes often, with different names and characteristics.  eSoft rarely sees more than two or three legitimate anti-virus products (of over 40 checked) detecting the file as a virus at the time of the attack.  The perpetrators of this attack spit out new variations on the download at a very high rate in an attempt to stay ahead of signature-based anti-virus software.

Step Four: Asking for payment

Once a user has clicked to open the malicious file and install the software, the problem only gets worse. The cybercriminals do well in masking their malicious intentions throughout the install process. In many cases the installation is a silent install – one which requires no user interaction – or a standard install wizard which raises no red flags to the user. 

Once installed, the rogue anti-virus program will inundate the user with notifications that the system is infected and that they still need to take action. In order to remove the supposed infections (not the real problem) the user is asked to pay a license or subscription fee that typically runs between $50 and $100 USD.

Though the branding changes – these screenshots show the Rogue AV “Alpha AntiVirus” – the checkout pages remain as convincing as the rest of the scam, frequently with badges showing secure payments and other “trust me” icons.  Pricing is comparable to legitimate anti-virus products and comes with a money back guarantee to further convince the user who may be wavering that the risk to giving up their credit card and personal information is low.  In reality, submitting credit card info does not clean their system, but instead sends name, address, and credit card info directly to the perpetrators of the attack.

Users infected with this might just assume this is an annoyance, but the scam goes much deeper than this. These programs have been created by large underground crime rings that now have the users’ personal information and credit card number.  In addition, these programs are often packaged with downloader Trojans which are capable of downloading any type of malware the attacker chooses. Because many of these criminal enterprises are also heavily involved in banking malware this is just one of the many additional types of malware that can be installed.  As a result, an infected computer should have a computer professional remove the virus, which can cost small businesses thousands of dollars per year.

Cybercriminals go a long way to making sure they can infect a machine and to get around classic signature-based virus scanning.  If a user gets a web browser window that says their computer is infected with malware, they should immediately attempt to close the window.  If that is not possible, then quitting and restarting the web browser is the next best thing.  This, of course, requires that users are trained in spotting and avoiding this attack, but in practice, training unsavvy users alone is not always fruitful.

Now more than ever, malware is distributed via the web. In fact, over 75% of new malware is delivered through the web. Classic anti-virus is struggling to address these threats effectively.  The most effective way to stop web-based threats is with Secure Web Filtering.  Secure web filtering works by detecting and blocking dangerous sites even before there is any anti-virus protection.  By blocking access to the site, the threat is mitigated. Secure web filtering must have real-time updates in order to block these fast moving websites, but with such a solution, users should be well protected from this pervasive threat.

Monday, June 14, 2010

Alert to Web Security Researchers: Malicious scripts masquerade as Google Analytics

eSoft's Threat Prevention Team has detected attacks that are masked to look like standard Google Analytics code. Google Analytics issues snippets of JavaScript code that dynamically add a script tag to the page. This tag then loads the Google Analytics code for logging visits to the site.

Researchers see this code in HTML source so often that it almost never gets a second glance - until now. eSoft researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.

Decoded, this turns into a script tag that looks like this:

Note the use of a "sr?" attribute to carry the Google Analytics URL, while the actual "src" attribute points to the malicious script at

Security researchers out there, be sure to take a second look at that Google Analytics code next time you're looking at an infected site.
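A simple check for the decoy-attribute trick described above: parse every script tag in the page, and flag any tag that names google-analytics.com in some attribute other than src while its real src loads from a host that is not Google Analytics. This is an added example, not code from eSoft; the set of trusted Google Analytics hosts is an assumption, and the sample HTML (with an example.invalid hostname) is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve the Google Analytics loader (assumption: trusted set).
TRUSTED_GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "google-analytics.com"}

class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> tag, keeping odd attribute names verbatim."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def suspicious_ga_scripts(html):
    """Return one finding per script tag that mentions google-analytics.com in a
    non-src attribute (a decoy such as "sr?") while src points somewhere untrusted."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        real_src = attrs.get("src") or ""
        decoys = {name for name, value in attrs.items()
                  if name != "src" and value and "google-analytics.com" in value.lower()}
        if decoys and host_of(real_src) not in TRUSTED_GA_HOSTS:
            findings.append({"decoy_attrs": sorted(decoys), "actual_src": real_src})
    return findings

# Constructed sample: one genuine GA include, one decoyed include loading elsewhere.
SAMPLE_HTML = """<html><body>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
<script type="text/javascript" sr?="http://www.google-analytics.com/ga.js"
        src="http://example.invalid/ga.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_ga_scripts(SAMPLE_HTML):
        print("decoy attribute(s)", finding["decoy_attrs"], "-> real src", finding["actual_src"])
```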

Monday, June 7, 2010

New Email Phish Targets Twitter Users, Abuses Google Groups

A new Twitter spam campaign is making the rounds, infecting users with rogue anti-virus malware. The spam mail attempts to convince the user that someone was trying to steal their Twitter account information, and that they should download a “secure module” to protect their account.

The email that begins the attack looks like authentic communications from Twitter with a link ostensibly to twitter.com.

However, the link provided by the attacker does not actually link back to Twitter, but to a Google Groups page where the malware is currently hosted.  The use of Google Groups to distribute malware has been a continuing trend since eSoft first blogged about it last month.

VirusTotal shows a moderate detection rate, with 21 out of 41 anti-virus engines currently detecting this threat.  For users whose anti-virus software does not detect the threat, a download will result in an infection with the rogue anti-virus malware.  The malware launches a “Protection Center,” which runs a fake anti-virus scan ostensibly revealing the machine is infected by a slew of viruses. The user must activate the software to remove the bogus infections, handing their credit card info over to cyber criminals.

The cybercriminals behind this attack make excellent use of social engineering tricks to fool users into installing this malware. They use the topic of stolen Twitter account credentials to get the users’ attention, then link to Google Groups to make users feel comfortable with the download, and finally use convincing fake anti-virus scans to make the user believe their machine is infected.

eSoft is flagging these infected Google Groups pages as Compromised.

135,000 Fake YouTube Pages Delivering Malware

The eSoft Threat Prevention Team has uncovered thousands of compromised web servers hosting fake YouTube pages.  Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware.

The fake YouTube pages are well crafted and look almost identical to the real site.  By imitating websites like YouTube, cyber criminals take advantage of users’ inherent trust in the site and are able to infect more machines.

Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs.  Google search results show 135,000 of these infected pages at the time of writing. 

By clicking ‘OK’ to install the codec the user is redirected through intermediary sites to a final destination where the malware is downloaded.  After opening the file, the malware runs silently in the background giving unsuspecting users no sign that their computer is now infected and their data and computing resources are under the control of hackers.

Presently, this fake codec is actually a downloader Trojan with very low anti-virus detection.  VirusTotal shows that only 8 of 41 anti-virus scanners currently detect the threat.  Without capable, secure web filtering to block access to these malicious sites, these threats have a high chance of infecting users.

eSoft is flagging any sites hosting the fake YouTube pages as compromised until the pages are removed.  Intermediary sites and distribution points will also be blocked as compromised or malicious distribution points, protecting SiteFilter customers from infection.