Dissection of an Active Malware Campaign

If you have used the web for any length of time, it is quite likely that you have seen a pop-up box similar to the one above when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button, which usually installs some type of malware that claims your machine is infected with a virus and then offers to remove the virus if you purchase a product.  The problem is that not only will this not protect your machine, it will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and, sure enough, clicking on this link takes you to a rogue AV site.  Moreover, your browser becomes unusable except to click the “OK” button.  In fact, clicking on any part of the pop-up box, not just the button, installs the malware, indicating that a clickjacking-style technique is part of this attack as well.  Once the link in the search result has been clicked, the only way to prevent infection is to kill the browser process.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high-ranking search results for the term “tatiana banx”, among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site, which is the web site of a Dallas-Fort Worth Re/Max realtor.  The A record for this server is with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource, located somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled, which led to a treasure trove of interesting information.

This is only a partial list of the more than 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” returned the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 is shown below:

<a href=hxxp://collin-county-real-estate.rmdfw.com>collin-county-real-estate.rmdfw.com</a><p> tatiana milovani </p>
<p> shte eet glawa ivanova tatiana che </p>
<p> eest ivanova tatiana dean electrical </p>
<p> tatiana narvaez </p>
<p> life info on tatiana golovin </p>
<p> tatiana isotov </p>
<p> mary tatiana krot </p>
<p> tatiana fistrovic and us visa </p>
<p> tatiana gregorieva </p>
<p> tatiana keeshan </p>
<p> tatiana petit </p>
<p> tatiana scam </p>
<p> tatiana startseva parkville </p>
<p> chris tatiana </p>
<p> tatiana free pics </p>
<p> tatiana nikolaevna tumanova </p>
<p> tatiana ali in king mag </p>
<p> tatiana jones </p>
<p> tatiana petersen </p>
<p> find tatiana schwappach </p>
<p> tatiana alverez </p>

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis is an examination of the method the site uses to redirect traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  A PHP script (yuxfm.php) redirects to various other sites that host the scareware campaign.  You are only redirected if you arrive at the URL by clicking on a search result; a direct visit is not redirected.  This indicates that the Referer header is being used to decide how traffic is handled, a cloaking technique that also keeps the redirect out of sight of search-engine crawlers and casual investigators.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing the search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242, which was the 10th result presented, the server responded with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server presents the scareware page that attempts to trick the visitor into installing malware.  Note the Hello-friend cookie in the exchange above: the request carried a value of 4 and the response set it to 5, so the redirector appears to count how many times each visitor has been sent through it.  Also notice the external JavaScript (4c4e43dde34f8.js?c=947, carrying the same c parameter as the redirect) that is loaded and executed on the client.  This is almost certainly what drives the fake scan and the pop-up.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor is fooled into accepting the malware:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<link href="style.css" rel="stylesheet" type="text/css" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en" />
<meta http-equiv="Cache-control" content="Public" />
<title>Online Protection</title>
<link rel="icon" href="images/favicon.ico" type="image/x-icon" />

<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon" />

<script type="text/javascript" src="4c4e43dde34f8.js?c=947"></script>
<div id="loading" style="display:block">
<img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="images/loading.gif"/>

<span id="loadspan">Initializing Virus Protection System...</span>
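The referer-gated redirect captured above can be checked for without a browser: request the same URL twice, once with no Referer and once with a search-engine result page as the Referer, do not follow redirects, and compare the two responses.  The following is an added example, not code from the original post or from the campaign it describes.  To keep it runnable offline it starts a tiny local HTTP server that imitates the observed behaviour of yuxfm.php; the host scareware.invalid, the cookie value and the paths in the simulation are constructed for the example, and check_cloaking() is the part you would point at a real host.

```python
"""Referer-gated redirect ("cloaking") check.

Added example, not code from the original post or from the campaign it
describes.  The built-in server imitates the behaviour observed for
yuxfm.php: a 302 to the scareware host only when the Referer is a
search-engine result page, a keyword-stuffed page otherwise.  The host
scareware.invalid, the cookie value and the paths are constructed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")


class CloakingHandler(BaseHTTPRequestHandler):
    """Simulated compromised host: redirect only search-engine visitors."""

    def do_GET(self):
        referer_host = urlsplit(self.headers.get("Referer", "")).netloc.lower()
        if any(se in referer_host for se in SEARCH_ENGINE_HOSTS):
            # Search-result click: send the visitor on to the scareware host.
            self.send_response(302)
            self.send_header("Location", "http://scareware.invalid/3/?c=947")
            self.send_header("Set-Cookie", "Hello-friend=5")
            self.end_headers()
            return
        # Direct visit (crawler, investigator): only the keyword page.
        body = b"<p> tatiana milovani </p>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example output quiet


def start_server(handler=CloakingHandler):
    """Bind the simulated host on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path, referer=None):
    """Single GET without following redirects; returns (status, Location)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_cloaking(host, port, path,
                   search_referer="http://www.google.com/search?q=tatiana+banx"):
    """Request the same URL with and without a search-engine Referer and
    report whether the status or the redirect target depends on it."""
    direct = fetch(host, port, path)
    via_search = fetch(host, port, path, referer=search_referer)
    return {
        "direct": direct,
        "via_search": via_search,
        "cloaked": direct != via_search,
    }


if __name__ == "__main__":
    server = start_server()
    result = check_cloaking("127.0.0.1", server.server_port,
                            "/gsfyn/yuxfm.php?gu=500242")
    print(result)
    server.shutdown()
```

Against the simulated host the direct request gets a 200 with the keyword page and the search-referred request gets the 302, so the check reports the URL as cloaked.  When probing a real host, do not follow the redirect and do not execute anything returned; the point is only to see whether the server's answer changes with the Referer.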

The redirect target changes frequently in an attempt to make detection and investigation more difficult.  In fact, in the week since I started my analysis, the collin-county-real-estate.rmdfw.com URL has stopped showing up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top-10 search results for “tatiana banx” lead to the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result; note the same pattern of a random directory, a PHP script and a numeric parameter.  It is also important to keep in mind that this type of attack is not confined to searches for “tatiana banx”.  Whoever is behind this attack is clearly targeting many different search terms, so all search results should be viewed with care.  It also appears that many compromised servers are part of this campaign, so this is not an isolated case.
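Since the redirect hosts and the compromised sites keep changing, detection is better keyed on the shape of the chain than on any one hostname: a click from a search-result page that is answered with a 3xx to a different host, followed by that client fetching content (including script) from the new host.  The following is an added example, not code from the original post.  The log lines are constructed for the example from the exchange captured above, in a simplified space-separated format (client, method, URL, status, referer, location, with "-" when a field is absent); a real Squid or Bluecoat log needs its own field parser, but the chain logic is the same.

```python
"""Search-click -> cross-host 302 chains in proxy logs.

Added example, not code from the original post.  SAMPLE_LOG is
constructed for this example in a simplified space-separated format:
client method url status referer location ("-" when absent).
"""
from urllib.parse import urlsplit

SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

SAMPLE_LOG = """\
10.0.0.7 GET http://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 302 http://www.google.com/search?q=tatiana+banx http://zeoro1.strangled.net/3/?c=947
10.0.0.7 GET http://zeoro1.strangled.net/3/?c=947 200 - -
10.0.0.7 GET http://zeoro1.strangled.net/4c4e43dde34f8.js?c=947 200 http://zeoro1.strangled.net/3/?c=947 -
10.0.0.9 GET http://www.example.com/article 200 http://www.google.com/search?q=example -
10.0.0.9 GET http://www.example.com/old-page 302 http://www.google.com/search?q=example http://www.example.com/new-page
"""


def parse_line(line):
    """Split one constructed log line into a dict; "-" fields become None."""
    client, method, url, status, referer, location = line.split(" ", 5)
    return {
        "client": client, "method": method, "url": url, "status": int(status),
        "referer": None if referer == "-" else referer,
        "location": None if location == "-" else location,
    }


def host_of(url):
    """Lower-cased host part of a URL, or "" for a missing field."""
    return urlsplit(url).netloc.lower() if url else ""


def find_poisoned_redirects(log_text):
    """Entries where a click from a search-result page was answered with a
    3xx to a different host.  Same-host redirects (old-page -> new-page)
    are ordinary site maintenance and are ignored."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if host_of(e["referer"]) not in SEARCH_HOSTS:
            continue
        if (300 <= e["status"] < 400 and e["location"]
                and host_of(e["location"]) != host_of(e["url"])):
            hits.append(e)
    return hits


def follow_on_requests(log_text, hit):
    """What the same client fetched from the redirect target afterwards,
    e.g. the script the scareware page pulls in."""
    target = host_of(hit["location"])
    return [e for e in map(parse_line, log_text.splitlines())
            if e["client"] == hit["client"] and host_of(e["url"]) == target]


if __name__ == "__main__":
    for hit in find_poisoned_redirects(SAMPLE_LOG):
        print(f"{hit['client']}: {host_of(hit['url'])} -> {hit['location']}")
        for e in follow_on_requests(SAMPLE_LOG, hit):
            print(f"    then {e['url']}")
```

On the sample log only the 10.0.0.7 chain is flagged: the search-referred 302 from the rmdfw.com host to zeoro1.strangled.net, followed by that client pulling the page and the 4c4e43dde34f8.js script from the new host.  The 10.0.0.9 entries, a normal search-referred page view and a same-host redirect, produce no hit.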

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are redirected to the malware delivery host, which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.


4 Responses to “Dissection of an Active Malware Campaign”

  1. Mark Evertz says:

    Hey Mark,
    Getting familiar with your work after the Home Depot hack discovery. Damn. There’s a lot of knowledge packed in this post. I appreciate the analysis.

    In the prevent, detect, resolve mode, what are you advising your clients to do and/or buy (or not do!) to keep from falling victim to things like SEO poisoning and minimizing the damage of an exploit?

    Keep it coming.

  2. Mark Baldwin says:

    Mark. Thanks for reading my site. I concentrate primarily on enterprise environments and aside from the must haves such as anti-malware and regular system patching, there are a few other things that can reduce the risk associated with these threats. For example, there are various products to detect and block access to malicious web sites such as Bluecoat and Websense. There are also a variety of HIPS products on the market that will help prevent exploitation by a malicious website. And if you are really concerned about this, check out the advanced endpoint protection products from vendors such as Bit9. But the best thing that any enterprise can do is educate their users to the threats and implement a security awareness program. People are usually the weakest link in any security program and the more they know about computer security the safer the organization will be.

  3. Quentin says:

    Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your weblog? My blog site is in the exact same niche as yours and my users would definitely benefit from some of the information you present here. Please let me know if this is okay with you. Many thanks!

  4. Mark Baldwin says:

    Of course. I would welcome the exposure. Thanks.
