Friday, March 5, 2010

Exploiting Google

SEO : Search Engine Optimization.

No, it's not another buzz word. It's a technique used by malware authors to propagate their malware. They use one of the most respected search engines today (Google) to make their way into the user's machine. Piggybacking on a prestigious, and highly trusted search engine is an efficient and effective way to reach out to billions of users worldwide.

Rogue AVs usually use this method. They create fraudulent sites (site A) which redirects to another site (site B) which in turn downloads Rogue AVs into the system. The malware industry makes sure that Site A gets a hit during Google search by targeting search queries that are sensational or new, for example, the Haiti earthquake.

In light of this, users are advised to be vigilant when accessing sites. When even Google is used as a medium by malwares, blind trust on returned links is unacceptable.

Virus.Virut takes the spotlight

In this era of spywares, file infectors have little exposure left. But nevertheless, they are still a challenge to antimalware engineers. Years ago, the names Nimda and CIH were famous in both the malware and antimalware industry. These past few years, the spotlight is on Virut.

Last year we saw an influx of Virus.Virut infected samples. Virus.Virut is, in my opinion, one of the best viruses in a while. Despite the fact that viruses are harmful, I cannot help but admire the work done to create such a virus.

Virut is a polymorphic file infector. What makes Virut different is the fact that it employs all known infection routines: Entry-Point Obscuring, appending, prepending, cavity. Not only does it employ all these techniques, it can combine them (e.g. EPO appending, EPO + cavity + appending, cavity + appending). It also has decryption layers, the algorithm of which can change from ADD/ SUB/ XOR, etc. Both detection and analysis pose as a challenge, but is one that the antimalware industry has met head-on.


Disasterware strikes again, as they call it!

The magnitude 6.4 earthquake does not only rattle Taiwan but even the internet users as well. It is another opportunity for Malware writers to poison returned results from searches about this disaster. It now became a constant attack every time there is major news, earthquake, tsunami or any other event that would call the attention of the people. It seems now it guarantees every news has equivalent virus site. This abused infection vector by fake AVs serve as a warning.

Once unsuspecting users click the malicious site, it will be redirected to fake AV online scan page and shows different annoying pop-ups warning the user that his system is infected and vulnerable to attacks. This might lead the user to download and install the Rogue Antispyware such as Security Antivirus. They have used multiple malicious domain names to prevent them to be easily identified. This infection routine is the same with other reports as you might have read from the previous blogs. But despite of awareness campaign, there are still an increasing number of victims fallen to this scam and worst, lost their money.

I have seen few malicious searched results which start with comma (,) and dash (-) such as above screen shot and from this blog. It is advisable to prevent from visiting these kinds of searched results. Internet users should be very careful in picking which sites to read the latest news. It is much better to read from reputable sources.

Monday, March 1, 2010

Chilling rogues on Chile

Shortly after the Haiti earthquake incident, the world is rocked again with the news of the Chile earthquake. And with the wave of searches on google about the Chile earthquake, malware authors have once again taken this opportunity to proliferate rogue antipsyware.

Searches returned from google are generally not suspect, especially if they bear URLs that seem normal. But one particular site ( when accessed will redirect you to

This site will display a fake system scan using an HTML page, and clicking anywhere on the page will prompt the user to download the INST.EXE file (SecurityTool fake AV). It also displays annoying popups that feeds FUD to users (FUD: Fear, Uncertainty, Doubt).

INST.EXE is just another Security Tool installer. Shortly after executing, it will display a fake scan showing some bogus results. Attempting to activate it will lead you to a page where they offer you a 2 year software license of $49.95, and a lifetime software license of $79.95. Looks tempting, but it's just a ploy to part you with your money. In truth, it's one hell of a hefty price to pay for such a useless and annoying scareware.

Wednesday, February 24, 2010

How To Remove: Security Essentials 2010

Security Essentials 2010 (SE2010.exe) is a new rogue application which is usually arrives as a file dropped by a Trojan or downloaded from the internet. It employs the same techniques as of Internet Security 2010…then again, said techniques have proven effective before, so why fix what is not broken?

Without being asked, SE2010 scans the infected computer and displays the list of threats present in the system. Note that the said list is fake and the files do not really exist.

It displays several fake alert messages and warnings to pursuade user into buying the full version of the application.

Aside from the annoying pop-ups and alert messages, it will not allow users to run any applications, legitimate or not. Instead, it displays a message stating that the application is infected and the only solution to execute the affected application is to purchase the product!

It must be clear that SE2010 should be removed from the infected machine as it only imitates legitimate Antispyware program, not to mention the endless annoying pop-ups and messages. Please follow manual removal instructions provided below:

Tuesday, February 23, 2010

SEO Poisoning scores a goal at the 2010 Winter Olympics

The Hockey games on the 2010 Winter Olympics are well under way and SEO poisoning attacks abound! Hockey enthusiasts turning to the Internet in search of game schedules are in for quite a surprise as cyber-criminals are quick to ensure that their malicious websites appear in the top Google search results.

Unsuspecting users who click on the malicious search results are redirected to a fake My Computer online scan page. Here is where the bad guys attempt to 'scare' their way into the user's computers.

Fake My Computer online Scan

Message displaying false detections on the user's computer

Navigating Away
Users attempting to manoeuvre away from the malicious website are presented with the following message and are left with very little choice:

Countermeasure Against the Good Guys
Malware researchers often share URLs with each other as a way of spreading the news and to warn others and prevent further infection. But the bad guys behind this attack are smart enough to devise a countermeasure. The URLs are no longer enough to replicate the attack. Entering the URL directly on the browser simply redirects the users to the CNN website.

CNN Website

The fake My Computer online scan page ultimately offers a solution to in the form of an installer of the fake antivirus software called Security Antivirus.

File Download

The Works
As with other fake security software, Security Antivirus displays a decent graphical user interface to give its victims that warm fuzzy feeling of installing a legitimate software that will protect their computer.

As mentioned in a previous post, Security Antivirus is a clone of Live PC Care, Windows Security Suite, and Windows System Suite.


Fake Scans

Annoying Pop ups

As unsuspecting users would like to remove all the purported detections found on their machine, Security Antivirus requires activation. And for a lifetime subscription, victims would have to say goodbye to a hefty $89.95 from their hard-earned cash.


License Selection

Credit Card Payment

Entering credit card details here seals the deal. But there's no stopping the bad guys from abusing the information they have collected.

If you have been a victim of this attack, immediately contact your credit card company to get your money back and to make sure there will be no future unauthorised charges.

Also, when searching for information relating to the Winter Olympics, it always a good idea to turn to reputable sources like news networks and of course the official 2010 Winter Olympics website.

Monday, February 22, 2010

Rogues on Winter Olympics' Playing Field

Another hot topic circulating around the internet is the Winter Olympics and the hits around the search engines come soaring when the news of the death of a 21 year old luger Nodar Kumaritashvili breaks out. Malware writers are quick on taking advantage of this news to infect computer users browsing every website wanting to be updated. They also use as well as the current medal count at the said Olympics.
Moreoever, the (malware) samples that are found in the previous hot events (such as Haiti Earthquake, Twilight and Superbowl) were all the same kind of Rogue AV found now. They are of the same family, same setup and the same characteristics. It seems that they’re doing this fashion in an automated way. They’re trying to link these hot keywords so that search engines would point the users to their malicious websites where the malware is hosted.

Death of a luger in winter Olympics triggered the Rogue AV writers to use this as a vector of their infection most especially when the actual video of his death is released.

Search result for luger’s death. Clicking the search result (in red box) would redirect to RogueAV

Internet users who wanted to be updated with this news will unknowingly visit one of these malicious sites. Redirections will occur until the user will experience fake AV pop-ups and enticing them to download the malicious installer file..


Another Malware Writers takes advantage of as the winter Olympics are on-going is the medal standings of each participating countries. They use keyword such as “Medal Count”, “Olympic medal count”, “Olympic standing” in order to be included in search engines and be able to infect users.

Search result for Winter Olympic Medal Standings. Clicking the search result (in red box) would redirect to RogueAV.

Unaware users who wanted to look for medal standings will unknowingly visit one of these malicious sites. Visiting these malicious URLS will download Rogue AV and make the user’s computer have annoying pop ups.


Upon clicking the enticing malicious URL / link, there will be redirections and some different enticing pop-up messages or web page for the user to click on it and download a malicious file.

Pop-up messages telling that the user's machine is currently infected:

Pop-up messages posing as media player:

The URLs used with these redirections are constantly changed to ensure that propagation of this Rogue AVs are always obtainable for every malicious search result and make certain that it will not be blocked by legit Antivirus Vendors.


As of this writing, there were two types of Rogue AV that can infect user’s computer. One is Security Antivirus and the other is Security Tool (which is a constant download even with the previous RogueAVs’ SEO campaign).
  • Security Antivirus file to be downloaded:
- packupdate_build<1-3>_<1-3>.exe
  • Security Tool file to be downloaded:
- install.exe or player_update.exe

Security Antivirus

It comes as perfectly legit looking antivirus software enticing the user to download and purchase it. Looking further, we can say that it is a clone or a family of Rogue AVs called Live PC Care, Windows Security Suite, and Windows System Suite. Upon execution of the downloaded sample, installation on computer takes place. It will display a welcome message before installation and then runs in the background making annoying pop-ups. It also tries to stop execution of all legit AV executables through registry modification.


Main Window

Security Tool

Upon execution of the downloaded sample, installation on computer takes place. It will then silently drop a copy of itself with randomised filename and registry autorun key for automatic execution upon boot up. The user will only know that installation takes place when a message box appears saying that Security Tool successfully installed.
Same with other RogueAVs it will silently run in the background and make annoying fake AV messages. It also has the ability to prevent legit files to be executed when the user tries to.

Friday, February 19, 2010

Porntube Anyone? Bonus Scareware!

Porn clips are everywhere! But then again, rogue antivirus software are everywhere too.

The fake video codec tactic targets unsuspecting users wanting to view the adult videos purportedly being hosted in the malicious website:


Clicking on one of the thumbnails presents a video player window with the error message "Video ActiveX Object Error". The message asks the user install a new version of Video ActiveX Object which is actually an installer for Security Tool posing as a fake video codec.

This page also shows the following messageboxes when the user tries to move away from the malicious website and basically does not allow the user to select cancel.

Downloading and installing the presented file install.exe installs Security Tool on the affected computer.

Users of infected machines will have to deal with these annoyances:

Unsuspecting users pay a hefty price of $79.95 for a lifetime software license. Ouch!

Friday, January 22, 2010

Social Engineering Tactics Promote "Miracle" Berries

I received an unlikely Yahoo! IM from a long time friend with whom I have not been in contact with for quite a long time.

Af first I thought, wow this would be a good time to catch up.

She buzzed me and asked me if I was busy, then gave me a URL to try out very quickly and tell her what the results tell me.

Well, here's the screenshot:

The link was: hxxp://

At this time I was already suspicious about the whole thing. So I tried out the link in a controlled environment. There were a series of redirections and my browser was redirected to:


It seems that whoever I was talking to was not my friend (possibly a bot). She might have been a victim of a phishing scam, and her Yahoo! IM account was being used as part of this social engineering tactic in order execute the Acai Berry spam which has been bugging people for ages.

This one was a bit harmless as the whole exercise was just another form of spam. But as always, I would like to remind everyone to be careful of clicking links, even if they come from people you know.