Category Archives: Blackhat SEO

Search engine optimization (SEO) is the fine art of tweaking a Web page so it ranks highly for relevance in search results. When this behavior is used to promote Web links which engage in hostile acts against visiting computers, we call it Blackhat SEO.

Fake Firefox Update is a Social Engineering Triple Fail

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Where’s the work ethic, malware geniuses? If this latest example of shenanigans is the best you can deliver, you’re not even trying to generate convincing scams — or even something that makes sense — anymore.

One of our Threat Research Analysts pointed me to a Web page hosting a fake update program for Firefox the other day, and the only thing it was useful for was a pretty good laugh.

In replicating the Firefox “you’re now running…” page, the malware distributor managed only to build something that looks remarkably similar to a more sophisticated, and ultimately more plausible, scam we first described this past summer. But the scam is full of fail.

The malicious page, which had been hosted at firefoxlife.cz.cc (and is now, thankfully, shut down), looks like the page that automatically pops up when you first launch the Firefox browser after you’ve applied an update. Ultimately, it not only fails the smell test, giving the user contradictory information, but also fails at the effective malware test, delivering multiple different samples, all of which crashed when we tried to run them on test systems or in debuggers.
Continue reading

Internet Misuse: Bandwidth Does Matter

Posted on by

By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Recent studies demonstrate that upwards of 25% of Internet bandwidth in an office are consumed by employees misusing the internet. According to Gartner, the average growth of business email volume is 30% annually, with the average size of the email content growing in parallel. Add to this the growth of Web misuse from streaming media, downloads, file sharing, social networking, and spam, and it becomes pretty clear that the mismanaged cost to business of non-work-related Internet use is already bad and getting worse.

There are plenty of examples, including employees wasting more than two hours a day on recreational computer activities (according to a survey fielded by AOL & Salary.com) and that, according to an IDC report, “30% – 40% of Internet use in the workplace is unrelated to business.”

Studies and surveys such as these typically focus only on lost productivity — and there’s no doubt that’s bad enough. But they rarely discuss the significant hidden financial impact of bandwidth wastage from these activities.

Continue reading

Five Reasons You Should Always “Stop. Think. Connect.”

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.

Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.

Continue reading

Epic Malware Dropper Makes No Attempt to Hide

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

In the world of first-person shooter games, getting the most headshots – hits on the opponent which instantly take the opponent’s avatar out of the game — is a prized goal. The headshot is the quickest way to dispatch a foe in virtually every shooter, which is why the file name of a malware sample, currently in circulation, stood out.

The file, yogetheadshot.php.exe (VT), is a dropper, a glorified bucket designed to tip over and spill other malware all over a PC. But where other droppers might leave behind a handful of payloads, this one utterly decimated a testbed PC with a malware headshot — an unusually overt infection that, defying conventional wisdom about malware infections, took no apparent effort to mask its behavior or remain low key.

The file, extracted from network traffic recorded while a test system got manhandled by a drive-by download site, was only one of several executable payloads that originated from the same domain hosting the drive-by.

But this sole dropper was more than capable of delivering the terminal blow to a middle aged Windows XP box. We first saw it appear on September 7th, but it has become more widespread since then.

(Update, 22 Sept.: Here’s a video that shows what happens on a system when someone executes this dropper. The dropper is near the upper-left corner of the screen. The rest of the screen is taken up with Process Explorer, which lets you see just how many payloads the dropper delivers.)

Continue reading

New Rogue Is Actually Five Rogues in One

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.

The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?

Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.

The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.

Continue reading

Blackhat SEO of Google Images Links to Rogue AV

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.

What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.

I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.

To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)
Continue reading

Modified Websites Pushing Trojans On the Rise

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

For the past couple of weeks, owners of Web sites have been hit with a wave of attacks that surreptitiously infect unsuspecting visitors with a wide variety of malware types. The first wave inflicted rogue antivirus on unlucky victims, but late last week victims who visited infectious sites were redirected into a drive-by download site that pushes clickers onto a vulnerable visitor’s computer.

The affected web sites have been modified to add malicious, obfuscated Javascript code to the footer of each page. Some Web hosts are trying to notify customers or fix the problems. At first, the problem affected sites that run the open-source WordPress publishing system, but the attack has broadened into non-Wordpress (and non-blog) Web sites. The gobbledygook Javascript opens an iframe hosted from a different Web site, and the code that loads inside that iframe redirects the victim’s browser to yet another site, which loads the infection and executes it.

I’m going to name (domain) names in this post, so please, for your own sake, use this information only to block the domains at your gateway or in your Hosts file — don’t go visiting them just to see what happens. I guarantee you won’t like what happens.

In the earlier attacks that began the week of April 5th, the malicious script directed victims to a page hosting the Eleonor exploit kit; The kit uses several well-worn methods to try to push executable malware (typically the Tacticlol downloader, which malware distributors have been using of late to push down rogue antivirus programs) at susceptible browsers, or computers running vulnerable versions of Adobe Acrobat or the Java Runtime Engine.

Those attacks originated from several domains, including corpadsinc.com, mainnetsoll.com, and networkads.net — all of which are hosted on the same IP address in Turkey, and are still live and hosting the exploit page.

But last week the script began directing users into a page on the domain name yahoo-statistic.com, a site which, despite its name, has nothing at all to do with the giant portal. That page, which loads in an iframe, opens other malicious sites which push the infection.

The list of affected sites is global, including a newspaper in Florida; the English-language page of a government’s Ministry of Women’s Affairs Web site; the Web site of a Spanish lawyer’s association; and a car dealership Web site in Indonesia. And as of today, visitors to this growing list of Web sites are still getting hit with Trojans.

Continue reading

’30 Rock’ Phrase ‘Circulus et Pruna’ Draws Fakealerts

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Liz Lemon should be livid. Jack would be damned angry…in a quiet, repressed sort of way.

The rogue antivirus goons have taken on 30 Rock, the NBC meta-sitcom about the internal workings of a sketch comedy show.

In a subplot from last week’s episode (which I will recap for those who may have missed it), Alec Baldwin’s character teams up with one of the writing team to prank the rest of the writers. The two form a secret society named the Silver Panthers, and when the prank is successfully sprung on the unsuspecting writers, Baldwin’s character Jack begins to walk out of the room, but pauses, turns back to the victims, and ominously utters the (we assume) Silver Panther motto: “Circulus et Pruna.”

Latin scholars (who, I’m sure, are all ardent 30 Rock fans) probably chuckled when they heard Baldwin’s character utter the nonsense phrase “circle and (burning) charcoal (ember).” Or is it circle and plum? Meanwhile, the rest of us were left scratching our heads and wondering what the hell does that mean?

And so, turning to the font of all worldly knowledge, many Googled the phrase and may have been surprised to find that not one, not a few, but every search result on the first page (and most of the second page of results) led to a Fakealert trap that tries to force victims into downloading and running the installer for a Rogue Antivirus product.

The scoundrels.

It’s actually kind of an astonishing feat, as well as a horrific example of the current state of search results. When you consider that few, if any, outside Tina Fey’s production team had heard the phrase Circulus et Pruna uttered prior to last Thursday night at 9:30 (8:30 central), one has to wonder how the purveyors of these rogue antivirus products managed to wrest such total control of a nonsense Latin phrase from the world’s largest and (in theory) most comprehensive Internet search engine — mere moments after those words were spoken on television.
Continue reading

Fakealerts Invade Google Image Search Results for ’24′ Star

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Searchers beware: Those photos of celebrities or funny cat pictures that turn up in your Google image search results might not be photos at all, but fake antivirus alerts. Evidence appears to indicate that a similar scam to one we blogged about last November may be working its way up the Google food chain into other forms of search results.

While searching for photos of Annie Wersching, an actress who recently joined the cast of the TV show 24, we stumbled into one of these javascript-enabled fakealert browser traps. Oddly enough, when you click one of these bogus linked pictures in the Image Search results frame, the original Google search frame remains at the top of the page. The fakealert runs in the lower part of the page, closing the Google search pane but retaining the Google URL in the browser’s Address Bar.

Throughout the day we’ve been looking for links such as these; Each malicious URL we found funnels the browser into the same fakealert, which itself leads to the same rogue antivirus product. Each time we revisited the site, we ended up with what was essentially the same equally nasty rogue antivirus application, sometimes in a different skin, sometimes with a different name. Early in the day we were pulling down something called Total Security. By the afternoon, the tool’s name had morphed to become Security Tool.

The rogue’s behavior on an infected system is obnoxious in the extreme. It hides the desktop by covering everything over with its own wallpaper, and blocks your ability to right-click the desktop, so it’s more difficult to revert the desktop’s appearance by changing your Display Properties settings. It also disables the scroll wheel on the mouse, then blames that behavior on a massive infection it claims has taken over your PC. It prohibits most Internet-capable applications, or even tools like the Task Manager, from running, in the guise of its “firewall” component. Of course, it’s all smoke and mirrors, an attempt to convince you to spend from $50 to $90 on completely ineffective, utterly useless former-Soviet snake oil.

Continue reading

Ron Paul, Beyonce Tease a Drive-By Rogue AV

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Here’s a mind-bender for you to ponder over the holidays: What do diva musician Beyonce, the massively-multiplayer game World of Warcraft, the anime series Naruto, and Libertarian politician (and failed presidential candidate) Ron Paul have in common?

I couldn’t guess what you might come up with, but we’ve found a drive-by download attack that delivers malware, using these disparate icons as a hook to convince Web surfers to click malicious links. The hack attempt was discovered by a Threat Research Analyst who also happens to be a Ron Paul fanatic (and I do mean fanatic — that’s a photo of his truck parked out back). While doing his daily search for Ron’s latest words of wisdom, he encountered a cleverly crafted campaign to manipulate search results which originated with Twitter feeds suddenly lighting up with links supposedly pointing to YouTube videos.

A large number of Twitter accounts tweeted messages like “YOUTUBE RON PAUL – BEST NEW VIDEO – WATCH NOW” or “YOUTUBE NARUTO CHAT ROOM 1 | BEST NEW VIDEO | WATCH NOW” — you get the idea — all within a short amount of time. Each of those screaming teasers was accompanied by a URL shortened using the bit.ly (and to a lesser extent, TinyURL.com) service; The bit.ly URLs pointed to a (now deleted) hidden subdirectory on the website of Stage Time magazine, an online only, stand-up-comedy industry publication (neither YouTube nor Stage Time was, knowingly, involved in the hack — they were victims as well). And the many first-time visitors to that site found their computers in a world of hurt shortly after following one or another of those links.

The malicious pages on Stage Time hosted PHP scripts that pushed down several new malware samples; The scripts exploited security vulnerabilities in older versions of Adobe Flash and Adobe Reader, loading maliciously crafted SWF and PDF files in order to force the browser to pull down and run malicious executables which had virtually no detection across the spectrum of antivirus vendors. Some of these samples were droppers, others were downloaders; In either case, the drive-by payloads left the PC in a very bad state.

Drive-by downloads such as these serve to illustrate a point I can’t emphasize enough: No matter how careful you might think you are, one wrong click can lead to an infection. In the case of this drive-by, the malicious website attempted to load first an Adobe Flash video, then a PDF file, which tricked the browser into downloading more malware. Now more than ever, browser plug-ins like Flash and Adobe Reader need to be kept up to date. For additional protection, you can disable Javascript in Adobe Reader; in this case, it would have stopped the initial infection in its tracks.

Continue reading