Tuesday, December 23, 2008

More than 1 Million Ways to Infect Your Computer

An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus. This is the first major "Scareware" infection we've seen since writing about the Federal Trade Commission's action in our December 10th blog post, FTC Moves Against Fake Anti-Virus Scareware.

The current scam takes advantage of the thousands of websites which have a "URL redirect" on them. A URL redirection program allows the website owner to "send you" to another website, while keeping track of where you went. They are often used in conjunction with an exit page that says something like "You are now leaving our site and being redirected to a new location. We aren't responsible for the content there." The problem is that many of those sites actually allow other people to use their URL to redirect traffic as well. That's what's happening here. A hacker has managed to cause Google to "learn" many of these URLs by placing them on sites they control.
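The difference between an open redirector and one that only forwards to destinations the site owner chose, as an added example (not code from this post or from any of the sites it names). The allowlisted hosts, the fallback path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values: hosts this hypothetical site has chosen to forward to.
ALLOWED_HOSTS = {"www.example.org", "partner.example.net"}
FALLBACK = "/"  # where a rejected request is sent instead


def open_redirect(target):
    """The flawed pattern: the visitor-supplied value becomes the Location header."""
    return target


def safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return the Location to use: the target if local or allowlisted, else FALLBACK."""
    # Reject empty values, stray whitespace, control characters and backslashes,
    # which browsers and URL parsers do not always interpret the same way.
    if not target or target != target.strip():
        return FALLBACK
    if any(ord(c) < 32 or c == "\\" for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Same-site path such as "/downloads/page.html"; "//" and "///" prefixes
        # are refused because browsers can read them as naming another host.
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else FALLBACK
    # "//host/path" has a host but no scheme, so it is refused here too.
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # "https://trusted@other-host/" names other-host; refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    return target if parts.hostname in allowed_hosts else FALLBACK


if __name__ == "__main__":
    # Constructed requests; 00119922.com is the destination named in this post.
    for t in ["/downloads/page.html", "https://partner.example.net/offers?id=7",
              "http://00119922.com/", "//00119922.com/",
              "https://www.example.org@00119922.com/"]:
        print(f"{t!r:45} open -> {open_redirect(t)!r:25} safe -> {safe_redirect(t)!r}")
```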

In the current example, the hacker is using the site "00119922.com", which was just registered on December 19th. More than a million Google hits show that the hacker has injected redirectors all around the Internet pointing to this site.


Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way. The hackers get these entries into Google by littering tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet. So, to choose one of the non-pornography related search terms, a hacker has written a program to comment on people's blog entries with a link to:


Now, if someone searches for the phrase "download fruityloops 6 free" (fruityloops is apparently a music mixing software), then because of Microsoft's popularity, the hacker's link will appear in the number one position on Google.

The same technique has been used for many hundreds of phrases associated with pornography and software piracy. Some example search terms (and there are TENS OF THOUSANDS) all of which will give you the Microsoft open redirector as the #1 search result on Google:

"microsoft office 2002 download"
"hacking private myspace accounts"
"download runescape password hack"
"xxx rated joke"
"live free hardcore sex cams"


Some of the other sites with open redirectors being targeted by this attacker include: dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com

Visiting the website redirects the visitor to 00119922.com, which in turn currently redirects the user to the site: netisecurity.com/ws/index.php?affid=04800, which pops up a warning:

Clicking "OK" on the warning SEEMS to start a scan of your system, but a closer look shows that you are actually only seeing an animation playing from the netisecurity.com website:

When the scan is completed, a "Windows Security Alert" seems to pop up, although in reality you are still on the netisecurity.com website:

Clicking the "Remove All" button, which seems to be the reasonable thing to do, actually prompts the download of "install.exe".

You can review the coverage on "install.exe" on VirusTotal.com. As of this writing, we were the first to report this malware to VirusTotal, where only 5 of 37 antivirus products were able to identify the file as malware.

File size: 62505 bytes
MD5...: 2bd950fdb5770ce6a1567f162dfa2679

eSafe and Panda call it "Suspicious file" (they call most things a suspicious file)
Ikarus says it's "Trojan-Downloader.Win32.Delf"
Prevx1 says it's "Malicious software"
TrendMicro calls it "PAK_Generic.001"

The other 32 anti-virus products offered no protection or detection.

install.exe was actually installed from the URL:

After "install.exe" runs, a more professional-looking scanner executes. On our system the full product was installed under our logged-in user's Documents and Settings as: "1626125795\1300463089.exe". There were files in the directory indicating that a keylogger was in effect.

At the completion of the full scan, a new warning asked if we would like to "Remove all threats now" or "Continue unprotected".

Choosing "Remove all threats now" invites us to purchase the product for $51.45.

Refusing to purchase the software results in two types of annoyances constantly popping up. One warns that a worm is trying to steal my credit card with a full pop-up window:

while the other is just a task bar reminder of the same thing:

Hopefully the FTC will take swift action to shut down this ring. In the meantime, there is a very real chance that your search engine results may contain links to this newest round of scareware. Surfers beware!


Microsoft has closed the Open Redirector which was being abused by the pages above. Clicking one of the Microsoft pages indicated in the Google search above will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them.
