SEO Poisoning scores a goal at the 2010 Winter Olympics

The Hockey games on the 2010 Winter Olympics are well under way and SEO poisoning attacks abound! Hockey enthusiasts turning to the Internet in search of game schedules are in for quite a surprise as cyber-criminals are quick to ensure that their malicious websites appear in the top Google search results.

Redirection

Unsuspecting users who click on the malicious search results are redirected to a fake My Computer online scan page. Here is where the bad guys attempt to 'scare' their way into the user's computers.

Fake My Computer online Scan

Message displaying false detections on the user's computer

Navigating Away

Users attempting to manoeuvre away from the malicious website are presented with the following message and are left with very little choice:

Countermeasure Against the Good Guys
Malware researchers often share URLs with each other as a way of spreading the news and to warn others and prevent further infection. But the bad guys behind this attack are smart enough to devise a countermeasure. The URLs are no longer enough to replicate the attack. Entering the URL directly on the browser simply redirects the users to the CNN website.

CNN Website

Download

The fake My Computer online scan page ultimately offers a solution to in the form of an installer of the fake antivirus software called Security Antivirus.

File Download

The Works

As with other fake security software, Security Antivirus displays a decent graphical user interface to give its victims that warm fuzzy feeling of installing a legitimate software that will protect their computer.

As mentioned in a previous post, Security Antivirus is a clone of Live PC Care, Windows Security Suite, and Windows System Suite.

Installation

Fake Scans

Annoying Pop ups

As unsuspecting users would like to remove all the purported detections found on their machine, Security Antivirus requires activation. And for a lifetime subscription, victims would have to say goodbye to a hefty $89.95 from their hard-earned cash.

Activation

License Selection

Credit Card Payment

Entering credit card details here seals the deal. But there's no stopping the bad guys from abusing the information they have collected.

If you have been a victim of this attack, immediately contact your credit card company to get your money back and to make sure there will be no future unauthorised charges.

Also, when searching for information relating to the Winter Olympics, it always a good idea to turn to reputable sources like news networks and of course the official 2010 Winter Olympics website.

Rogues on Winter Olympics' Playing Field

Another hot topic circulating around the internet is the Winter Olympics and the hits around the search engines come soaring when the news of the death of a 21 year old luger Nodar Kumaritashvili breaks out. Malware writers are quick on taking advantage of this news to infect computer users browsing every website wanting to be updated. They also use as well as the current medal count at the said Olympics.

Moreoever, the (malware) samples that are found in the previous hot events (such as Haiti Earthquake, Twilight and Superbowl) were all the same kind of Rogue AV found now. They are of the same family, same setup and the same characteristics. It seems that they’re doing this fashion in an automated way. They’re trying to link these hot keywords so that search engines would point the users to their malicious websites where the malware is hosted.

OLYMPIC LUGER’S DEATH

Death of a luger in winter Olympics triggered the Rogue AV writers to use this as a vector of their infection most especially when the actual video of his death is released.

Search result for luger’s death. Clicking the search result (in red box) would redirect to RogueAV

Internet users who wanted to be updated with this news will unknowingly visit one of these malicious sites. Redirections will occur until the user will experience fake AV pop-ups and enticing them to download the malicious installer file..

WINTER OLYMPIC’S MEDAL STANDING

Another Malware Writers takes advantage of as the winter Olympics are on-going is the medal standings of each participating countries. They use keyword such as “Medal Count”, “Olympic medal count”, “Olympic standing” in order to be included in search engines and be able to infect users.

Search result for Winter Olympic Medal Standings. Clicking the search result (in red box) would redirect to RogueAV.

Unaware users who wanted to look for medal standings will unknowingly visit one of these malicious sites. Visiting these malicious URLS will download Rogue AV and make the user’s computer have annoying pop ups.

REDIRECTIONS

Upon clicking the enticing malicious URL / link, there will be redirections and some different enticing pop-up messages or web page for the user to click on it and download a malicious file.

Pop-up messages telling that the user's machine is currently infected:

Pop-up messages posing as media player:

The URLs used with these redirections are constantly changed to ensure that propagation of this Rogue AVs are always obtainable for every malicious search result and make certain that it will not be blocked by legit Antivirus Vendors.

Download

As of this writing, there were two types of Rogue AV that can infect user’s computer. One is Security Antivirus and the other is Security Tool (which is a constant download even with the previous RogueAVs’ SEO campaign).

• Security Antivirus file to be downloaded:

- packupdate_build<1-3>_<1-3>.exe

• Security Tool file to be downloaded:

- install.exe or player_update.exe

Execution

Security Antivirus

It comes as perfectly legit looking antivirus software enticing the user to download and purchase it. Looking further, we can say that it is a clone or a family of Rogue AVs called Live PC Care, Windows Security Suite, and Windows System Suite. Upon execution of the downloaded sample, installation on computer takes place. It will display a welcome message before installation and then runs in the background making annoying pop-ups. It also tries to stop execution of all legit AV executables through registry modification.

Installation

Main Window

Security Tool

Upon execution of the downloaded sample, installation on computer takes place. It will then silently drop a copy of itself with randomised filename and registry autorun key for automatic execution upon boot up. The user will only know that installation takes place when a message box appears saying that Security Tool successfully installed.

Same with other RogueAVs it will silently run in the background and make annoying fake AV messages. It also has the ability to prevent legit files to be executed when the user tries to.

Porntube Anyone? Bonus Scareware!

Porn clips are everywhere! But then again, rogue antivirus software are everywhere too.

The fake video codec tactic targets unsuspecting users wanting to view the adult videos purportedly being hosted in the malicious website:

hxxp://porntube2000.com

Clicking on one of the thumbnails presents a video player window with the error message "Video ActiveX Object Error". The message asks the user install a new version of Video ActiveX Object which is actually an installer for Security Tool posing as a fake video codec.

This page also shows the following messageboxes when the user tries to move away from the malicious website and basically does not allow the user to select cancel.

Downloading and installing the presented file install.exe installs Security Tool on the affected computer.

Users of infected machines will have to deal with these annoyances:

Unsuspecting users pay a hefty price of $79.95 for a lifetime software license. Ouch!

MaCatte scareware fools users by masquerading as McAfee

MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we've seen here, here and here.



The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this url is time-sensitive and will not work after a period of time. A session ID of some sort is embedded on the binary executable itself. After such time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk

Unsuspecting users are set back from their hard-earned money by a hefty $99.

Stay away from these rogue apps.

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here's a screenshot of a google search result:


A Fiddler capture shows us the redirections:


So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which is a variant of the Total Security family of Fake AVs.

At the moment, the following domains have been observed to have been involved in this attack:

winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

Porn site distributes scareware

Another website has recently been spotted to be serving up malware in the guise of fake video codecs.

This one praises itself as "The Best Nude Celebrity Movie Site"
hxxp://alyssafan.net/1.html



But in order to watch the any video, we would need to download and install their "Certified ActiveX video codec (VAC codec) use to protect content Copyrights"

The fake fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe

One of the components used in this attack is an onfuscated javascript file that can be found in the %temp% folder.



This script translates to:



This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe

Which then gives us scareware Safety Center:



Beware of fake video codecs!

Scareware asking for ransom: System Security

Scareware is BIG business. They use heaps of scare tactics in order to convince unsuspecting users into buying rogue applications. But here's one that does a bit more than just scaring.

System Security terminates almost all running processes. This basically prevents us from using our computers. More importantly, this hinders execution of tools necessary to investigate the infection and aid in removal of this rogue app.

Back in the day, in order to evade detection and removal, malware writers have targeted security-related applications. They have a black list of applications including (but not limited to) the following:

avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe

But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. But not all applications should be terminated, because that basically means no Windows. No Windows means no profit so the bad guys need basic Windows functionality. Which tells us that they have probably stopped using blacklisting and shifted to whitelisting instead. They now have a list of applications that they would allow to be executed in the system.

Here's part of some disassembly taken from a sample of System Security, showing us evidence of whitelisting:

Rogue app takes a snapshot of all the processes in the system:

.rsrc:140B4B4F push edi
.rsrc:140B4B50 push 2
.rsrc:140B4B52 call CreateToolhelp32Snapshot
.rsrc:140B4B57 mov [ebp+hObject], eax
...
.rsrc:140B4B79 push ecx
.rsrc:140B4B7A push eax
.rsrc:140B4B7B mov [ebp+var_64C], 22Ch
.rsrc:140B4B85 call Process32FirstW
...
.rsrc:140B4BAB push [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1 push 0 ; bInheritHandle
.rsrc:140B4BB3 push 1FFFFFh ; dwDesiredAccess
.rsrc:140B4BB8 call ds:OpenProcess

It then terminates the processes not found in the white list:
.rsrc:140B4C00 push 0FFFFFFFFh ; uExitCode
.rsrc:140B4C02 push edi ; hProcess
.rsrc:140B4C03 call ebx ; TerminateProcess

and displays this message as a notification in the system tray:
.rsrc:14039998 aApplicationCan: ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998 unicode 0,
.rsrc:14039998 unicode 0,
.rsrc:14039998 dw 0Ah
.rsrc:14039998 unicode 0, ,0
.rsrc:14039A5E align 10h
.rsrc:14039A60 aWarning: ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60 ; sub_140B4ADD+1DB ...
.rsrc:14039A60 unicode 0, ,0
.rsrc:14039A72 align 4



It then resumes processing the snapshot created earlier and the cycle continues:
.rsrc:140B4CDF lea eax, [ebp+var_64C]
.rsrc:140B4CE5 push eax
.rsrc:140B4CE6 push [ebp+hObject]
.rsrc:140B4CEC call Process32NextW

Here's the list of applications that the scareware allows:
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"

As we can see, System Security is more than just scareware. You won't be able to properly use your computer unless you buy the rogue app. Sounds more like ransomeware to me.

But, now that we know that it uses whitelisting, we can do a little work around and bypass this technique. We can rename a copy of the tools that we need to run as one of the whitelisted applications and voila! We've already taken one step into regaining full use of our infected computer.

Rogue AV Clone: Windows Protection Suite

Another scareware has been spotted and it calls itself Windows Protection Suite.

You can get Windows Protection Suite from one of these urls:

hxxp://searchscanner.net/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlaGuHjsbIo22Eh4uLt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6YU9janW1eZWpslGGbZmGXkonZ0Zqop5uikomtpXFqZmxtbWmaYZyfV5OQcQ%3D%3D
hxxp://linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
hxxp://guardinfo.net/?p=WKmimHVlbm2HjsbIo22EfYCIt1POo22cU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxql2OemI6WaWeZY5WK2J%2Bgo6vKnpRfpqd2ZWppaHCUXpeaaFaQl28%3D

It uses the same tactic as seen on earlier posts here and here where the website claims to scan the unsuspecting user's computer, detects heaps of infections, and offers a bogus solution.



Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.



Even their websites are clones:



hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com

Social engineering trick leads to Rogue AV: MacroVirus

I was reading a blog about a Rogue AV then I noticed a suspicious comment on it:



It the user was recommending an antispyware program and gave us the following url:
www(dot)tinyurl(dot)com/qlft9c

Following the link, tinyurl does its magic and we are directed to:

hxxp://macrovirus(dot)com/?hop=starbasi



If we believe everything we see and hear, we'll be downloading and installing a scareware:



Here we can see that the bad guys are clearly taking advantage of the url shortening service from tinyurl.com.

Also, you might notice, there's a striking resemblance between the following:

bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi

This is probably giving us a hint as to how the bad guys get paid.

If you got this scareware, remove it immediately.

Rogue AV: Winifighter

We've talked about digital clutter on a previous post.

But this one's a real bugger. Winifighter creates heaps of junk binary files in the %systemroot% and %system% directories. The filenames, the contents, and filesize are all random. The names, however, contains bits and pieces taken from malware names such as the following:

backdoor
not a virus
spy
trojan
virus
worm

This one also, spoofs the Windows Security Center to give itself that authentic feel and advises unsuspecting users to register Winifighter.



Ad of course we also have those ever so genuinely adorable warning messages:




As always, I advise everyone to steer clear of these Rogue AVs.