Dissection of an Active Malware Campaign

Friday, August 06, 2010

Mark Baldwin

6648b1abd4a9b964566c3690613f20a6

 If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus. 

When confronted with this message, many people will unsuspectingly click the "OK" button which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product. 

The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

image

A client of mine recently called to inform me that his system had been infected with malware after clicking the "OK" button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for "tatiana banx" and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

image

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for "tatiana".  This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site.  Moreover, your browser will become unusable except to click the "OK" button. 

In fact, if you click on any part of the pop-up box the malware will be installed, indicating that clickjacking is part of this attack as well.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process. Clicking on any part of the pop-up box results in infection.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term "tatiana banx" among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this? 

I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net. 

Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.

image

This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for "tatiana banx" brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242

A partial listing of the contents of the file 500242 is listed below:

collin-county-real-estate.rmd
fw.com

tatiana milovani

shte eet glawa ivanova tatiana che

eest ivanova tatiana dean electrical

tatiana narvaez

life info on tatiana golovin

tatiana isotov

mary tatiana krot

tatiana fistrovic and us visa

tatiana gregorieva

tatiana keeshan

tatiana petit

tatiana scam

tatiana startseva parkville

chris tatiana

tatiana free pics

tatiana nikolaevna tumanova

tatiana ali in king mag

tatiana jones

tatiana petersen

find tatiana schwappach

tatiana alverez

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site's owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor's machine. 

This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled. 

Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the javascript that gets executed on the client.  No doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:

image

Initializing Virus Protection System...

image

image

The redirected URL changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the  collin-county-real-estate.rmdfw.com URL no longer shows up when searching for "tatiana banx" and no longer appears to be used in this malware campaign.  However, other top 10 search results for "tatiana banx" result in the same scareware tactics. 

For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to only searches for "tatiana banx". 

It is clear that whoever is behind this attack is targeting many different search terms and thus all search results should be viewed with care.  Also, it appears that there are many compromised servers that are part of this campaign leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning. 

When a visitor clicks on one of these bogus search results, they are then redirected to a the malware delivery host which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and "remove" the virus, they will actually be installing malware on their machine. 

This malware pretends to be an anti-virus program, but in fact is malicious software.  In the the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.

Originally posted at InfoSecStuff.

Possibly Related Articles:
5260
Viruses & Malware
malware
Post Rating I Like this!
F5a6556225bb4e85ce5be5dda9d05b8a
Mike Abrahams Nice analysis. Should be more of this.

These are very very common so it makes sense to come up with a 'best practice' idea of how to respond to them as a user (you'd hope I guess that they don't involve 'zero day' exploits that load the malware anywhere as a first step when you hit the hijacked site). Stopping the process is probably not straightforward for most users but I suppose they could close the popup browser from the taskbar - although presumably the javascript could use 'on_close' just as easily as 'on_click' to factor this in.
1281145849
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.