While there is nothing surprising these days about finding a website that contains malicious code, it is educational to investigate them in order to determine how the bad guys are using the web to scam people and make money. A recent documents the increased use of javascript by attackers in their attempts to install malware on victim machines. Recently I came across a site with some malicious javascript that caught my attention. In this article I will detail how the javascript works in its attempt to download and install malware on unsuspecting visitors’ machines.
The site in question is hxxp://www.dompimps.com. Do not attempt to access this site unless you know how to protect your machine or else you may find yourself dealing with a nasty infection (and this one won’t be treatable with antibiotics). I attempted to notify the owners of the site to alert them to the malicious javascript, but I have not received any response. It is impossible to know if this malicious code was installed by the site owners themselves or if it was injected by a hacker who took advantage of a vulnerability in the site. In either case, the result is the same for visitors to this site.
The screen shot below shows the malicious javascript that exists on this site.
Interestingly, no attempt is made to obfuscate this code, which is frequently the case with malicious javascript in order to make detection more difficult. The result when someone visits hxxp://www.dompimps.com is that the javascript will be executed by the browser, which will then load hxxp://onlineisdudescars.com/js.php. This site has an IP address of and appears to be registered in Latvia. And this is where things get interesting. I submitted this URL to Anubis for analysis and used the provided network trace to determine exactly what this PHP script does. The screen shot below shows the pertinent part of this PHP script and how it attempts to install its malware.
As can be seen, the js.php script makes a call to hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D which has an IP address of and appears to be registered in Virginia. This site actually serves up the scareware that attempts to install rogue anti-virus software and infect your machine. It is particularly persistent and requires you to kill your browser via task manager in order to get away from the site.
Since I started working on this article last week, the js.php script on hxxp://onlineisdudescars.com has been updated and now refers to hxxp://www4.lawcps-safe.rr.nu/?944184a698=m%2BzgmGuekqmcluOW156Zi6Lm3mvUpnJpaGFvZpFrmlw%3D rather than hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D. Hackers frequently change the source of their malware distribution points to make detection more difficult and help prevent their sites from being exposed and possibly taken offline.
The process described in this article is very typical of how hackers use javascript to install malware on unsuspecting users browsing the web. There are often two or three hosts involved with the first one being used to distribute the javascript that has either been placed on a web server without the knowledge of the owners (e.g. via SQL injection) or on purpose by the site owners. The javascript will redirect to another site that either actually attempts to install the malware or possibly uses redirection to yet another site that will actually host the malware. By using this series of redirections and changing the intermediate hosts/URLs occasionally, it is much more difficult to track down the people behind the scam. Understanding how the bad guys use web technology to conduct their attacks can help all of us defend our networks from them.
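As an added example (not code from the original post), the following Python audit lists every script include on a page whose host is not the site's own, flagging those served from a PHP endpoint, which is the shape of the unobfuscated js.php include described above. The page URL, HTML and host names are constructed for the example.

```python
"""Audit a page's <script src="..."> includes for off-site hosts.

Added example, not from the original post. The injected code described above
was an unobfuscated <script> include that pulled js.php from a different domain,
so a site owner can catch that class of injection by listing every script
source whose host is not the site's own. Page URL, HTML and hosts here are
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def foreign_scripts(page_url, html):
    """Return [(absolute_src_url, [reasons])] for scripts hosted off-site.

    Relative sources resolve against page_url; scheme-relative ones (//host/x)
    resolve too, so an injected include cannot hide behind a missing scheme.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    site_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        parts = urlsplit(absolute)
        host = (parts.hostname or "").lower()
        if not host or host == site_host:
            continue  # same-origin script: not what this audit is looking for
        reasons = ["script loaded from off-site host " + host]
        if parts.path.lower().endswith(".php"):
            reasons.append("script body is generated by a PHP endpoint")
        findings.append((absolute, reasons))
    return findings


# Constructed page: one local script, one third-party library host, and one
# injected include in the style of the js.php loader discussed above.
SAMPLE_PAGE_URL = "http://www.site-under-review.test/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.library-host.test/lib.min.js"></script>
</head><body>
<p>Welcome</p>
<script src="//injected-host.test/js.php"></script>
</body></html>
"""

if __name__ == "__main__":
    for url, reasons in foreign_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(url, "->", "; ".join(reasons))
```

Every off-site host is reported so the owner can confirm the ones they added deliberately; the PHP flag only marks the entry that most resembles the injection in this post.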
If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site. In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus. When confronted with this message, many people will unsuspectingly click the “OK” button which will usually install some type of malware that claims your machine is infected with a virus. It then offers to remove the virus if you purchase a product. The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.
A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box. After removing the malware from his machine, I decided to dig further into this scareware campaign. The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.
I started my analysis by performing the same search as my client. The results of my search are shown below. Notice the 10th result which I have highlighted with a red arrow.
The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242. Also notice all the keywords listed for “tatiana”. This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site. Moreover, your browser will become unusable except to click the “OK” button. In fact, clicking on any part of the pop-up box will install the malware, indicating that is part of this attack as well. The only way to prevent infection after clicking on the link in the search result is to kill the browser process.
So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term “tatiana banx” among others. This is a common technique used by scammers to increase traffic to their sites and to increase infection rates. But how did they do this? I began by investigating the collin-county-real-estate.rmdfw.com site. This site is the Dallas-Fort Worth Re/Max Realtor web site. The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net. Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate. Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.
This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign. Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms. For example, the search I performed for “tatiana banx” brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242. A partial listing of the contents of the file 500242 is listed below:
Other files on this server show similar content for different search terms. It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner. Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.
The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine. This turns out to be the most interesting part. There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign. You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled. Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events. After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs. Below is the original request:
In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947. This server then presents the scareware that attempts to trick the visitor into installing malware. Notice the javascript that gets executed on the client. No doubt this is the source of the malware. The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:
Online Protection
Initializing Virus Protection System…
The redirected URL changes frequently in an attempt to make detection and investigation more difficult. In fact, since I started my analysis a week ago, the collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign. However, other top 10 search results for “tatiana banx” result in the same scareware tactics. For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result. It is also important to keep in mind that this type of attack is not confined to only searches for “tatiana banx”. It is clear that whoever is behind this attack is targeting many different search terms and thus all search results should be viewed with care. Also, it appears that there are many compromised servers that are part of this campaign leading to the conclusion that this is not an isolated case.
To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware. First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning. When a visitor clicks on one of these bogus search results, they are then redirected to the malware delivery host, which serves up content designed to make the visitor think their machine is infected with a virus. If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine. This malware pretends to be an anti-virus program, but in fact is malicious software. In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.
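As an added example (not part of the original analysis), this Python script looks for the referer-conditional behaviour described above in an Apache combined-format access log: a script path that answers every search-engine referer with a 302 but never redirects anyone else. The log lines, addresses and timestamps are constructed, and the list of search-engine host markers is a heuristic.

```python
"""Spot referer-conditional redirectors in an Apache combined access log.

Added example, not part of the original post. The yuxfm.php?gu=... script
described above only issued a 302 when the visitor arrived from a search
result, so a compromised host's own logs show the pattern: one path returns
302 to search-engine referers and a normal response to everyone else.
The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Heuristic markers for search-engine referer hosts (assumption, not exhaustive).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "search.")


def is_search_referer(referer):
    """True when the Referer header names a host that looks like a search engine."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(marker in host for marker in SEARCH_ENGINE_HOSTS)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_cloaked_redirectors(lines, min_hits=2):
    """Return paths that 302 every search-engine visitor but never redirect anyone else.

    min_hits is the number of search-referer 302s needed before a path is reported,
    so a single stray redirect does not produce a finding.
    """
    stats = defaultdict(lambda: {"search_302": 0, "search_other": 0,
                                 "direct_302": 0, "direct_other": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path  # drop ?gu=500242-style query strings
        origin = "search" if is_search_referer(rec["referer"]) else "direct"
        outcome = "_302" if rec["status"] == "302" else "_other"
        stats[path][origin + outcome] += 1

    flagged = []
    for path, s in sorted(stats.items()):
        if (s["search_302"] >= min_hits and s["search_other"] == 0
                and s["direct_302"] == 0 and s["direct_other"] >= 1):
            flagged.append(path)
    return flagged


# Constructed sample: the cloaked script, a normal page, and a legitimate
# redirect that sends everyone (search or not) to a new location.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Apr/2010:09:12:01 -0500] "GET /gsfyn/yuxfm.php?gu=500242 HTTP/1.1" 302 0 "http://www.google.com/search?q=constructed+term" "Mozilla/5.0"
198.51.100.8 - - [14/Apr/2010:09:13:44 -0500] "GET /gsfyn/yuxfm.php?gu=500242 HTTP/1.1" 302 0 "http://www.bing.com/search?q=constructed+term" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2010:09:15:10 -0500] "GET /gsfyn/yuxfm.php?gu=500242 HTTP/1.1" 200 1843 "-" "curl/7.19.7"
203.0.113.5 - - [14/Apr/2010:09:16:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=realtor" "Mozilla/5.0"
203.0.113.9 - - [14/Apr/2010:09:17:30 -0500] "GET /old-listing.html HTTP/1.1" 302 0 "http://www.google.com/search?q=listing" "Mozilla/5.0"
203.0.113.9 - - [14/Apr/2010:09:17:31 -0500] "GET /old-listing.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for path in find_cloaked_redirectors(SAMPLE_LOG.strip().splitlines()):
        print("referer-conditional redirect:", path)
```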
It was about noon today when the first reports started coming in. Several people reported seeing a message on their screen from McAfee VirusScan indicating that their machine was infected with a virus. Then, their machines shut down. As I was looking over the shoulder of one of my SAs, I saw the same thing happen to his machine. VirusScan claimed to have detected the W32/wecorl.a virus showing a message similar to this:
The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.
My first reaction was that we were suffering a worm outbreak. However, after a couple of minutes it became clear that this was not malware, but badware. The 5958 DAT released by McAfee today incorrectly detected the svchost.exe file on Windows systems as a virus and then proceeded to delete/quarantine it. We took several actions immediately:
We added an exclusion for the svchost.exe file and pushed it out to all PCs
We deleted the 5958 DAT from the ePO software repository
We stopped the automated download of DAT files from McAfee
We disabled the automatic push of DAT files to client machines
The svchost.exe file is very important for the proper operation of Windows and PCs cannot function properly without it. Luckily, we only had a handful of systems that were impacted before we could prevent further damage. Repairing the problem required physically visiting each system with a USB thumb drive to replace the deleted file. Being a small company, this was not a huge issue for us. However, large enterprises have been severely impacted with losses mounting as IT staff physically go to each machine to undo the damage.
McAfee VirusScan is one of the most widely used anti-virus products in the world. This is not because it is particularly good at malware detection and removal, but because of its superior management tools. I have used McAfee products for many years and can attest that this is not the first time McAfee has had such an incident. In fact, just a few months ago we had to update the code on our web sites because McAfee VirusScan falsely alerted our visitors that we had malware on our site. Below is a list of links documenting recent instances of false positive detections from McAfee:
This list only covers the last couple of years and only the major false positives that caused enough problems to be reported. I for one am getting tired of dealing with these incidents. I expect more from a major security vendor such as McAfee. Given the number of issues they have had over the years, it is clear that they need to improve their QA processes. Right now I am more concerned about the next update from McAfee than I am about a malware infection. And that is not a good thing for McAfee as I will definitely be evaluating other vendors when it comes time to renew our subscription.
The conversation usually goes something like this:
Me: “Hey, have you heard about that new phishing attack targeting Bank of America customers?”
Mac User: “Oh, I’m not worried about that. I use a Mac.”
Me: “Well you know, just because you use a Mac doesn’t mean you are safe from an attack.”
Mac User: “Ha. Everyone knows that Macs are waaaay more secure than Windows systems.”
If I had a nickel for every time I have heard a Mac user make some type of statement to this effect, I would not have to buy any more lottery tickets. There is a widespread belief that Mac OS X is inherently more secure than Windows and that by using a Mac, one is protected from all threats. Unfortunately, not only is this not true, but it is dangerous as it leads people to not take appropriate precautions to protect their computers and information.
Let’s start with some basic facts. I performed a search of the and found the below data regarding Windows and OS X vulnerabilities:
Year    # of OS X Vulns    # of Vista Vulns
2007    152                61
2008    117                61
2009    101                106
These numbers represent the total number of vulnerabilities published for each of the last 3 years for Mac OS X (all versions) and Microsoft Windows Vista (all versions). It is clear that OS X has had more total vulnerabilities in the last 3 years than Vista has. These vulnerabilities provide potential avenues of attack for hackers which can lead to system compromise and data disclosure.
But that is only the tip of the iceberg. Phishing scams, trojans, drive-by downloads and other threats don’t depend on any vulnerability in software in order to be successful. The weakness they exploit is in the user of the computer. It doesn’t matter whether you use a Mac, a PC, a NeXT, or a Cray. If you fall victim to one of these types of attacks that relies on social engineering to get users to divulge their credentials or install malware, using a Mac doesn’t offer you any protection at all.
Given the fact that Mac OS X has plenty of vulnerabilities, it might seem surprising that there is not more malware in the wild that exploits these weaknesses. I believe the answer to this riddle can be found in the relative percentage of Windows to Mac users. Most studies have found that Apple has between 7% and 12% market penetration, while Microsoft maintains nearly 85% market share. If you are a hacker hoping to exploit vulnerabilities, it clearly makes more sense to devote your time and resources to the Windows platform since your odds of success will be much higher. However, as the percentage of Mac OS X users grows, the number of exploits that target OS X will also grow. So Mac users take note. Do not be lulled into a false sense of security. Be sure to follow for protecting your computer and your data in order to minimize the risk of a successful attack.
The recent massive attacks on web sites, dubbed and show that one of the primary weaknesses (if not the primary weakness) of information systems is the endpoint. Attackers have been using malware to steal the FTP credentials of web site maintainers and uploading malicious code that redirects site visitors to servers that attempt to infect their machines. Leaving aside the fact that a small minority of people may have systems running no or outdated anti-malware software, how do these types of attacks continue to be so successful?
For one reason, most anti-virus software does a very poor job of detecting new, in-the-wild malware. This is the dirty little secret of the anti-virus industry. Most anti-virus companies tout 99% or greater detection rates and many independent organizations back this up in their testing. However, these tests are based on samples of known malware for which vendors have signatures. These tests often show numbers such as those found in this news article.
However, tests that focus on new malware, programs that are actively circulating on the Internet, show a much different result. In this case, most vendors are lucky if they can detect 50% of the samples. SRI’s conducts daily tests of the major AV vendors’ products against active, in-the-wild malware and the average detection rate is typically below 60%. Thus, until new malware is discovered by the AV vendors and a signature developed, it can infect large numbers of systems. Plus, most virus authors test their code against the major AV products to ensure it will spread unimpeded.
Anti-virus vendors have added additional technologies to try to improve their ability to detect malware that they do not have signatures for. One popular mechanism is to use cloud-based detection techniques. Essentially, this involves comparing a file or its fingerprint to a database of recently discovered malware, even before a signature has been created. McAfee is one such product that uses this type of technology. Vendors are also using more behavioral techniques to detect malware based on the way the application acts when running. And finally, whitelisting is growing in popularity. This involves specifying only those applications that are allowed to run. All others will be blocked.
The holiday season is upon us and the scammers are taking advantage by sending out emails with bogus holiday cheer. They attempt to take advantage of the holiday season by sending out emails with Christmas and New Year’s greetings. Many such emails that find their way into our mailboxes contain malicious attachments or links to malicious web sites. One such spam email making the rounds appears to be from McDonald’s or Coca-Cola and claims to have a promotional coupon for free food attached to the email. In fact, the coupon is a Trojan downloader that installs malware on your computer. Below is an example of such an email:
Another such email attack that has been documented recently appears to be a holiday greeting card from the domain postcards.org. Again, the scammers are using social engineering to get unsuspecting recipients to download and install malicious software that they can use for fraud and identity theft. Below is an example of such an email:
Don’t let your guard down during this holiday season. Internet scammers will attempt to take advantage of people’s feelings of good will by sending out emails with holiday greetings and themes. Be aware. If you don’t know the sender, delete the email. Don’t rely on your anti-virus software because frequently it will not detect these malicious files, especially early in a spam campaign when vendors have not had time to update their signatures. It is better to be cautious than to end up infected.
If you are a user of Microsoft’s Windows operating system, you no doubt are very familiar with the popup dialogue boxes that are so frequently displayed on your screen. These popup windows were designed to inform you when an event occurs that requires your attention or input. These popup windows occur even more frequently with Windows Vista which by default asks for your permission before running applications that require administrative privileges. This is a good thing from a security perspective, but a bad thing from an annoyance perspective.
As a result, computer users have become accustomed to simply clicking “OK” to every popup window they are presented with. A recent conducted by researchers at North Carolina State University found that two-thirds of the participants in the study would click “OK” to any popup window presented to them, even ones that were fake. Furthermore, the study found that most Internet users have a difficult time distinguishing between real and fake popup windows.
This fact is not lost on Internet scammers. If you have surfed the web for any length of time at all you have likely encountered a fake popup dialogue box such as the one below:
These fake popup windows are generally designed to install malware on your system. There are several things you can do to protect yourself. First, always run up-to-date antivirus and antispyware software. Second, enable the popup blocker option in your browser. This is available in both Firefox and Internet Explorer. Third, take the time to read the message. Familiarize yourself with real popup dialogue boxes so that you can tell the difference between these and fake ones. If you are presented with a popup window while actively surfing the web it is most likely a fake intended to do your system harm. Do not click the “OK” button unless you are sure of its authenticity and understand what you are agreeing to. If not, close the window by clicking the “X” in the top right hand corner of the dialogue box or by using the Windows task bar. And if it happens to be one of those persistent popups that just doesn’t want to go away, you should close and restart your browser.
When I visit the local farmers market with my family, my children are always excited to buy a couple of honey sticks from the local bee keepers. These are essentially plastic tubes about the size of a straw filled with honey. Unlike these delicious treats, there is another type of honey stick that isn’t so tasty and could be very harmful to your computer. The , which was started earlier this year, is a research project designed to determine how many people will plug a USB thumb drive that they find in a random place into their computer. These USB drives have a program on them to “phone home” so that the researcher can determine what percentage of thumb drives distributed to random locations will be accessed. The results so far? Out of 33 deployed honey sticks, 42% of them have been accessed.
You may be wondering what the issue is with plugging a found thumb drive into your computer. I mean hey, who wouldn’t want a free thumb drive, right? Unfortunately, by inserting a thumb drive from an unknown source into your computer you are putting your system at risk of infection by a virus or trojan. The autorun feature of many operating systems can automatically execute a malicious program on the drive which could lead to the compromise of the machine. Such a compromise could lead to the theft of your bank account information, personal information, usernames, passwords and more. So if you ever find a USB drive or any other type of media (CDROM, DVD, etc), don’t put it in your machine unless you are feeling very lucky that day.
A well known technique used to test the security of a company’s network is to distribute a few thumb drives in the parking lot of the target company. These thumb drives will have software on them that will automatically install when the drive is plugged into a computer, leading to the compromise of the system and potentially other systems within the corporate network. Many unsuspecting people will see one of these thumb drives while walking through the parking lot, pick it up and plug it in to their computer. Our curiosity often gets the best of us, leading to unintended consequences (like a visit from the corporate security administrator).
Recently a virus was detected on laptops used in the . It is suspected that it was transmitted via shared USB drives. There was nothing sweet in those sticks!
The Evolution of Malware and the Underground Economy
When I first started working in the information technology profession back in the early 1990s, there was not really a defined field specifically for security professionals. Network and system security was handled by the system and network administrators responsible for the general management of the networks. Most security concerns revolved around viruses and basic access controls. The term malware had not even entered the general IT lexicon. Fast forward 15 years and the situation has changed dramatically. The hacker underground has gone from young kids defacing websites for fame and glory to a sophisticated, financially motivated network that involves several different layers of actors and groups, often including organized crime rings.
In the last few years the way in which malware is used by criminal elements has changed drastically. Just 5 years ago a single hacker working with one or two friends would create a virus or trojan, distribute it to unsuspecting users via email and utilize the information gathered for their own personal gain. But things are much different now. The malware developers are content to sell their software for others to use, reducing their risk of being caught and allowing them to concentrate on the technical work they do best. And they have gone a long way to improve their products. Far from simply selling malware on the underground marketplace, hackers have begun to sell a service providing easy access to information and allowing criminals to “rent” infected computers for a period of time.
Witness the web site. This site provides a web interface to information gathered from all the machines that are part of the hackers’ botnet. Criminals pay a fee to access the web site for a period of time, which allows them to easily obtain personal information from the people using the infected computers. The malware is able to collect information typed into forms including usernames and passwords, gather bank account information and intercept keystrokes, among other things. All of this information is sent back to the 76service web server where criminals log in and use the information to steal money, obtain credit and make fraudulent transactions while the person with the infected host is left wondering why their bank account is shrinking and credit card balance is growing.
Another such service allows criminals to rent the use of all or part of a hacker’s botnet. The botnet can be used to send spam or orchestrate DDoS attacks against another network. The is a good example of this type of service whereby the creators of the botnet have been known to rent portions of the network to criminal elements. All of this suggests that the underground economy is changing, with multiple players involved and criminals having easier access to tools that will allow them to obtain valuable information to commit fraudulent activities. I expect to see more such services in the future with improved methods for delivery of information. Imagine a database filled with personal information, constantly being updated by bots and automatically distributed to paying customers via encrypted channels. This is possibly the direction that malware is headed as hackers continue to evolve their products and services.