Search Results for "google trend"

Went Looking for IE Exploits in “Haiti”, Found Something Else

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge. Given the significance of the recent earthquake in Haiti, and the slew of phishing sites, email scams, and the like, it makes sense that attackers would try to combine the still-unpatched Internet Explorer vulnerability with Haiti-related web content.

I figured a good way to find attackers is to Google the most popular search terms of the day. It has been a while since I last researched search-engine manipulation. As expected, it was quite easy to find high-ranking search results for Haiti-related terms; the vast majority led to rogue antivirus sites, similar to earlier blogs. I did not come across any sites exploiting the recent zero-day IE vulnerability. However, I did come across plenty of clickjacking, and not just clickjacking: the attackers have combined Google Trends, Digg.com, blackhat SEO, and clickfraud as well.

Here’s the apparent flow of the attack:

The attacker finds a hot search term using Google Trends or some other keyword tracking site (and perhaps anticipates term variations):

Next, they create the malicious web page (more below) and submit an entry to Digg.com using the same title, and a description that includes a bunch of relevant terms.  They also Digg the story (+1):

The Digg.com listing, the title (taken from Google Trends), and the keyword-stuffed description together appear to boost the page’s ranking in Google’s search results:

When a user follows the link on Digg.com, they are taken to a generic website that entices them to click on a “Play” icon.

What the user doesn’t see is the content that sits behind the image. When a user clicks on the image, that click actually lands on an advertisement, delivered through Google’s ad network, that is hidden behind the image (note that the sites in the image below are potential victims here too, as they could be charged for “unwanted clicks” on their ads).

This form of clickfraud generates money for the attacker. If the fraud goes unnoticed, the advertiser pays for the click and the attacker, as the page’s ad publisher, collects the fee for it.

The web server hosts pages seeded this way for many search terms, including several related to Haiti:

  • haiti-breaking-news
  • haiti-earthquake-damage
  • haiti-earthquake-info
  • haiti-earthquake-relief
  • haiti-earthquake-time
  • haiti-pact-with-the-devil
  • haiti-pat-robertson
  • haiti-relief-effort
  • haiti-support
  • haitian-earthquake-relief
  • haitian-relief-efforts
  • hatia-earthquake-pictures

I should note that this isn’t so much a Haiti-targeted attack, but rather an attack targeted at any popular topic on the web right now.  In fact, they’re poisoning the term “internet security 2010 virus removal”, which exists because web users fell victim to rogue antivirus software, some undoubtedly due to the same type of search engine poisoning.

(Not So) Happy Holidays from Koobface

Koobface has been busy. Activity associated with the worm increased during December. Often the activity consists of traffic to compromised servers to obtain the addresses of more servers. Other times the worm uses those compromised servers to proxy users to malicious domains that distribute more malware or take control of infected machines.

This morning we noticed a trend: some of the domains it uses have a holiday theme, with everything from “presents for your pets” to “festive holiday trees.” These domains appear legitimate but are not. In fact, many of them were legitimate at one point but now serve a different purpose.

Holiday Koobface Greetings

When users go to these happy holiday sites, they are greeted with files downloaded to their computers. Then they receive the gift of holiday identity theft!

We have monitored the progress of this attack and its spread throughout the day. Based upon past trends we expect it to continue to evolve and find new servers and methods with similar associations over the next few weeks.

Spread of Koobface Holiday Cheer

Stay updated and safe over the holidays!

Brittany Murphy Searching Dangers

Sadly, actress Brittany Murphy passed away over the weekend. Her unfortunate passing will bring the inevitable web searches that lead Internet users to potentially unsafe sites. This has been a well-established trend throughout 2009. It is a sad reflection that malware authors and scammers use such events as lures to distribute their warez and site links.

Over the weekend I first started seeing tweets about Brittany Murphy and began capturing images and running some searches. Very quickly these led to the expected results:

Brittany Murphy SA Result

The SiteAdvisor warning page for it is pretty clear about the site’s intentions:

Brittany Murphy SiteAdvisor Warning Page

Some of the search phrases that are yielding very questionable results are:

Brittany Murphy dies
Brittany Murphy dead
Brittany Murphy husband
Brittany Murphy death hoax
Ashton Kutcher Brittany Murphy
Brittany Murphy 8 mile
Brittany Murphy luanne

Some of these had more than half the results on the first Google search page as flagged yellow or red by our SiteAdvisor technology.

The bad guys have been using celebrity deaths and natural disasters as a successful lure for most of this year. The words “Brittany” and “Murphy” along with related event words are trending very high in Google Trends and Tweetcloud currently. This means the bad guys will be using it as a lure because users are already searching for information on the subject. Make sure you are aware of the trend and stay one step ahead of them! Use SiteAdvisor and search safely!!

Malicious Java Applet Poses as Carrie Prejean Video

McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since Java’s early days, attackers have probed its security model. Now they are taking advantage of a legitimate Java feature, signed applets, to social-engineer less tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

  • The bad guys spam a link claiming to be the Carrie PreJean video
  • Then they trick victims into visiting a malicious website, which prompts users into running a Java applet to view the video

The signed applet carries a signature that the Java plug-in verifies against its store of trusted certificate authorities before asking the user to approve it. Once the signature is accepted and the user also approves, the signed applet escapes the sandbox and gains the rights of an ordinary application. When the applet is injected into a trusted website, users rarely take the trouble to check whether the certificate is legitimate; the approval prompt, not a software bug, is what the attacker relies on.

  • At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

This approach is very effective for the following reasons:

  • It’s easier to social-engineer users, as many rich multimedia applications use Java
  • Unlike spammed links that carry a cocktail of exploits or a zero-day attack, this approach abuses the applet trust model rather than a software bug
  • The attack is independent of browser type and version
  • The attack works on a machine with the latest version of Java, because no vulnerability is needed; patching does not help, which makes the attack all the more dangerous

The malicious applet has almost no detection on VirusTotal, but McAfee detects it with the current DATs as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.
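As an added example (not code from the original post or from McAfee), here is the triage an analyst can run on a suspicious applet JAR before trusting the “signed” prompt. It checks the part of a JAR signature that needs no certificate handling: that the archive carries a signature file (META-INF/*.SF) with a matching signature block (*.RSA, *.DSA or *.EC), that the SF’s digest of MANIFEST.MF matches, and that each manifest entry’s SHA1-Digest matches the entry’s real content. Whether the signing certificate chains to a trusted authority is a separate step (`jarsigner -verify -verbose -certs`). The SHA-1 digest names are an assumption matching JARs of this era; the signer name VIDEO and the sample JARs built in memory are constructed for the example, not taken from the malware described.

```python
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")   # signature block files that pair with a .SF


def _sections(text):
    """Split manifest-style text into dicts, one per blank-line-separated section."""
    sections, current = [], {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    return sections


def _b64_sha1(data):
    """Digest encoding used in JAR manifests of the era (SHA-1, base64). Assumption."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def check_jar(jar_bytes):
    """Report signature structure and digest integrity for a JAR given as bytes."""
    report = {"signed": False, "signers": [], "manifest_ok": True,
              "entries_ok": True, "problems": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        upper_names = {n.upper() for n in names}
        if "META-INF/MANIFEST.MF" not in names:
            report["problems"].append("no manifest")
            return report
        manifest_bytes = z.read("META-INF/MANIFEST.MF")
        # 1. Every .SF needs a signature block, and its digest of the manifest must match.
        for name in sorted(names):
            if not (name.startswith("META-INF/") and name.upper().endswith(".SF")):
                continue
            stem = name[:-3]
            if not any(stem.upper() + ext in upper_names for ext in SIG_BLOCK_EXTS):
                report["problems"].append(f"{name} has no signature block")
                continue
            report["signed"] = True
            report["signers"].append(stem.split("/")[-1])
            sf_sections = _sections(z.read(name).decode())
            sf_main = sf_sections[0] if sf_sections else {}
            if sf_main.get("SHA1-Digest-Manifest") != _b64_sha1(manifest_bytes):
                report["manifest_ok"] = False
                report["problems"].append(f"{name}: manifest digest mismatch")
        # 2. Each manifest entry's SHA1-Digest must equal the digest of the entry's content.
        for section in _sections(manifest_bytes.decode())[1:]:
            entry = section.get("Name")
            if entry not in names:
                report["entries_ok"] = False
                report["problems"].append(f"manifest lists missing entry {entry}")
            elif section.get("SHA1-Digest") != _b64_sha1(z.read(entry)):
                report["entries_ok"] = False
                report["problems"].append(f"{entry}: content digest mismatch")
    return report


def build_jar(entries, sign=True, tamper=False):
    """Build a minimal JAR in memory (constructed test input, not a real applet).

    sign=True adds an SF/RSA pair; the RSA block is a placeholder because this
    example verifies digests only, not the PKCS#7 signature over the SF.
    tamper=True alters the entry content after the manifest was computed.
    """
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA1-Digest: {_b64_sha1(data)}\r\n\r\n"
    manifest_bytes = manifest.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        if sign:
            sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {_b64_sha1(manifest_bytes)}\r\n\r\n"
            z.writestr("META-INF/VIDEO.SF", sf.encode())
            z.writestr("META-INF/VIDEO.RSA", b"\x30\x00")  # placeholder, not a real PKCS#7 block
        for name, data in entries.items():
            z.writestr(name, data + b"\x90" if tamper else data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = {"Video.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32"}  # constructed class stub
    for label, jar in (("unsigned", build_jar(sample, sign=False)),
                       ("signed", build_jar(sample)),
                       ("tampered", build_jar(sample, tamper=True))):
        print(label, check_jar(jar))
```

A JAR that passes these digest checks can still be signed with a self-signed or stolen certificate; the check only tells you the archive has not been altered since it was signed, which is why the certificate chain must be inspected separately before the prompt is ever approved.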

Rogue Anti-Spyware Targets Sesame Street’s Big Bird

The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird’s birthday.

Big Bird

It’s not new for the Google logo to feature a character such as Big Bird; it does so on special occasions. Google Trends clearly shows the subject among Today’s Hot Trends, and that makes it a target for malware writers.

This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird’s birthday and Big Bird on Google displays pages with compromised sites.

Watch the video below, which shows how rogue anti-spyware attacks a system.

The video shows that the malware is pushed onto the system without any further action by the user. In the past we have seen malware injected into a compromised site through exploits and iframes. Today, the malware often fires only when the visitor arrives from a search-results page. In certain attacks, if a user directly accesses a compromised site, then there’s no redirection to a payload and no infection.

Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on.

Search-Engine Manipulation Evolves as Trust Abuse Grows

I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning: a shift away from the tactics the attackers used earlier in the year.

Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search-result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends). I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.

It seems now that attackers are combining elements of different attacks to achieve blackhat SEO.

There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different from the past, as security vulnerabilities are now being exploited simply for the sake of search-engine manipulation.

Historically we’ve seen attackers upload malicious content to compromised sites, either directly, by injecting exploit code, or indirectly, by injecting an iframe or script that pulls exploit code from a remote site. That can lead to site users notifying the administrator of the compromised site that they were attacked while visiting it. Redirecting victims to a completely different site instead helps conceal the compromise: the poisoned site never hosts the payload itself.

The attackers go a step further by using a well-worn trick: conditional redirection. It’s not enough for people to reach a compromised page; they must arrive there from a search-results page. In other words, users (or site admins) navigating directly to http://compromised-site.com/attacker_created_page will not be redirected to a payload site; only visitors whose Referer shows they came from a Google search-results page are.

Some of the compromised sites are running older, vulnerable phpBB and WordPress installations. Other sites are serving attacker HTML pages, perhaps as a result of compromised admin or user credentials or misconfigured web servers.
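The referer-conditional behaviour described here (and in the Big Bird post above, where direct visits to a compromised site produce no redirect) is easy to reproduce. The following is an added example, not code from the original posts or from any attacker kit: attacker_page() mirrors the decision the text describes, sending a visitor to the payload only when the Referer is a search-results page, and probe() is the check an administrator can run, requesting the same URL under several header sets and comparing the responses. The search-engine list, payload hostname and search term are placeholders chosen for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the engines the redirect keys on; real kits vary.
SEARCH_ENGINES = {"www.google.com", "www.google.co.uk", "search.yahoo.com", "www.bing.com"}
PAYLOAD_SITE = "http://payload.example/scan.php"   # placeholder for the rogue-AV landing page
PAGE_SEARCH_TERM = "haiti earthquake relief"       # placeholder term this page was seeded for


def search_query(referer):
    """Return the query of a search-results Referer, or None if it is not one."""
    if not referer:
        return None
    u = urlsplit(referer)
    if u.hostname not in SEARCH_ENGINES:
        return None
    params = parse_qs(u.query)
    for key in ("q", "p"):          # Google and Bing use q, Yahoo uses p
        if key in params:
            return params[key][0]
    return None


def attacker_page(headers):
    """Cloaking logic on the compromised site: decide what to serve for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    query = search_query(h.get("referer"))
    if query is None:
        # Direct visit, crawler, or the site admin checking the page: harmless filler.
        return {"status": 200, "body": f"<h1>{PAGE_SEARCH_TERM}</h1><p>news summary...</p>"}
    # Visitor came from a results page: bounce them to the payload, carrying the term along.
    return {"status": 302, "location": f"{PAYLOAD_SITE}?q={query.replace(' ', '+')}"}


# Constructed header sets an investigator would try; the Referer values are made up.
PROBES = {
    "direct":          {},
    "from_google":     {"Referer": "http://www.google.com/search?q=haiti+earthquake+relief"},
    "from_yahoo":      {"Referer": "http://search.yahoo.com/search?p=haiti+earthquake+relief"},
    "from_other_site": {"Referer": "http://news.example/story"},
}


def probe(handler, probes=PROBES):
    """Request the page under each header set; return the redirect target (or None) per probe."""
    return {name: handler(hdrs).get("location") for name, hdrs in probes.items()}


if __name__ == "__main__":
    for name, location in probe(attacker_page).items():
        print(f"{name:16} -> {location or 'normal page (no redirect)'}")
```

Against a live site the same probe is `curl -I` with and without `-e 'http://www.google.com/search?q=...'`; a page that answers 200 to the first and 302 to the second is the signature of this trick, and it is why an administrator who simply opens the reported URL sees nothing wrong.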

These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

Google Trends Suffering Abuse Today

Wouldn’t you know it. Just the other day I blogged about rogue anti-virus software makers selectively targeting certain hot search terms. Since then the majority of top terms have led to poisoned links within the top 10-20 search results.

Recently there have been some news stories about attackers targeting specific topics or terms, but from what I’m seeing they are pretty indiscriminate. It doesn’t matter what the topic is. If people are searching for it, then the bad guys want to poison the results. The speed at which these links appear suggests the operation is largely automated. 

Here’s one example for “bengals blackout.” One way to identify a bad link is that the title is exactly the same as the search term, in all capital letters, and the URL contains the search terms as well. The summary usually contains the text you’d expect from a news story. This is not a foolproof way to call something bad, but it’s a strong indication that something might be fishy.
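Those three signals are simple enough to score automatically. The following is an added example, not code from the original post: poison_signals() reports which of the signals a result trips, and triage() keeps results at or above a threshold. The sample results are constructed for the example; none of the hostnames are real findings, and the third entry is deliberately a legitimate-looking page that still trips two signals, matching the post’s warning that the rule is not foolproof.

```python
import re
from urllib.parse import urlsplit


def _words(text):
    """Lower-case word tokens, so 'BENGALS BLACKOUT' and 'bengals-blackout' compare equal."""
    return re.findall(r"[a-z0-9]+", text.lower())


def poison_signals(term, result):
    """Return the list of signals a search result trips; empty means nothing suspicious."""
    title, url = result["title"], result["url"]
    signals = []
    if _words(title) == _words(term):
        signals.append("title_equals_term")
    if title.isupper():
        signals.append("title_all_caps")
    if set(_words(term)) <= set(_words(urlsplit(url).path)):
        signals.append("term_in_url_path")
    return signals


def triage(term, results, threshold=2):
    """Keep results tripping at least `threshold` signals, in original rank order."""
    scored = [(r["url"], poison_signals(term, r)) for r in results]
    return [(url, sig) for url, sig in scored if len(sig) >= threshold]


# Constructed sample results for the term "bengals blackout"; not real search output.
SAMPLE_RESULTS = [
    {"title": "Bengals blackout lifted after ticket push",
     "url": "http://sports.example/nfl/bengals-blackout-lifted"},
    {"title": "BENGALS BLACKOUT",
     "url": "http://compromised.example/news/bengals-blackout.html"},
    {"title": "Bengals Blackout",
     "url": "http://blog.example/2009/12/bengals-blackout/"},
]


if __name__ == "__main__":
    for url, signals in triage("bengals blackout", SAMPLE_RESULTS):
        print(url, signals)
```

With the default threshold the legitimate blog post in the sample is flagged alongside the poisoned result, so in practice the score is a prioritisation aid for manual checking (or for the referer probe described elsewhere on this page), not a blocklist.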

Search safe.

Searching for Malware Data Likely to Lead to More Malware

It’s been a while since I blogged about Google Trends being abused to serve malware. However, recent attention around Google search poisoning led me to check on things. It seems the attackers are being more selective in the search terms they target, favoring those that have something to do with computer security. Hunting for poisoned search results based on random hot-search terms is hit or miss (and more miss than hit, at least among the top 10 results). But terms containing virus, trojan, rogue, and bulletin all led to poisoned top search results. Some even led to pages and pages of bogus links, which redirect to rogue anti-virus malware.

The following image is not intended to show the actual text of the search results, but rather it highlights the fact that four out of the top fifteen results are poisoned for one of today’s most searched terms at the time of this writing:

Starting from result number 20, the situation gets much worse–with dozens of poisoned results:

Granted, the link names in the second batch of results have nothing to do with the trojan search term I used. However, the attackers have set up thousands of pages that cross-link to each other and contain various hot-search terms and content. So even if the long tail of poisoned results for any one term has a low conversion rate, it still serves to boost the ranking of other pages and terms that convert better.

Once a search user takes the bait, it’s business as usual for the attackers (screenshots, in order):

  • Graphic displayed while the web page loads
  • Bogus warning message displayed from the web page
  • Simulated system scan displayed from the web page
  • Bogus scan results displayed from the web page

Spammers Broadcast It for FREE!

“FREE” is by far the most commonly used term in spam mails. The word is so striking that any layman unfamiliar with these tricks of the trade can fall into the trap set by the spammers’ cloaked mails.

Here are a couple of the most often used sentences in spam mails:

•  We are letting you try it for FREE, you just pay the shipping costs!
•  FREE Download without limits!
•  Get your Free Trial Now!
•  Take FREE exotic vacations!
•  Get Free trial bottle!

This barrage reminds me of the maxim “appearances can be deceiving.” It holds true when an innocent user falls prey to these eye-catching spam mails and regrets it later.

Coming back to the main topic of broadcasting for “free,” we are observing a trend wherein spammers abuse social networking websites quite frequently by creating fake accounts to host spam.

The most common trend these days is spammers inserting URLs that point to social networking and social bookmarking sites such as Blogspot, Yahoo Groups, and Google Groups, where they host porn, health, replica-watch, acai power slim, and many other categories of spam. Thus it becomes a big challenge for these social networking sites to moderate abusive or spammy messages on their networks.

A recent and classic example shows how spammers take advantage of some really useful features these networking websites provide. Have a look at the following sample, which will give you a better understanding of these types of spam mails.

Sample1

“Get your Free Trial Now” is a hyperlink to “google.com/reader/view/user/…”. Clicking it takes you to a page where the spammer has created a fake profile on the social networking site. The actual spam is an image that is again hyperlinked to the main spam website. Basically the spammers have abused the “shared items” feature to spread spam.

The shared-items feature lets you publish all of your reading-list contents to the public.

Why is the spammer using a different approach altogether rather than simply placing the spam URL in the mail?

Anti-spam filters easily cut out mails whose URLs point to recently created domains hosting spam; URLs on .cn domains hosting meds spam are a typical example. A link to google.com carries no such reputation penalty, so the mail gets through and the spam sits one click away.

Because these sites apparently cannot filter and remove such content quickly, spammers abuse social networking websites far more than any other free web-hosting service. We advise our customers to be cautious about such mails and to refrain from clicking any URLs in them.
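The filtering lesson is that reputation has to be applied to the landing page, not to the reputable first hop. The following is an added example, not code from the original post: follow() walks from the mailed link through the hosted shared-items page and any HTTP redirects to the final destination, and verdict() contrasts a first-hop-only decision with one based on where the chain ends. The fetcher is an in-memory table standing in for real HTTP requests, and every hostname and path in it is constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# First hops a naive URL filter would wave through (placeholder list for the example).
TRUSTED_HOSTS = {"www.google.com", "groups.google.com", "groups.yahoo.com"}
# The post singles out .cn domains as frequent hosts of fresh meds spam.
SPAM_HEAVY_TLDS = (".cn",)

# Constructed hop table: url -> (status, Location header, body). Not captured traffic.
FAKE_WEB = {
    "http://www.google.com/reader/view/user/01/label/free-trial":
        (200, None, '<img src="trial.png"><a href="http://rx-trial.cn/go?a=77">'
                    'Get your Free Trial Now</a>'),
    "http://rx-trial.cn/go?a=77": (302, "/offer", ""),
    "http://rx-trial.cn/offer": (200, None, "<h1>Get Free trial bottle!</h1>"),
}


def fetch(url):
    """Stand-in for an HTTP GET that does not follow redirects itself."""
    return FAKE_WEB.get(url, (404, None, ""))


def follow(url, fetch=fetch, max_hops=8):
    """Return the chain of URLs from the mailed link to the landing page.

    HTTP redirects are followed. On a page hosted by a trusted site (the shared-items
    page) the outbound link the spam image points at is taken as the next hop, since
    that is the click the recipient is being steered into.
    """
    chain = [url]
    for _ in range(max_hops):
        current = chain[-1]
        status, location, body = fetch(current)
        if status in (301, 302, 303, 307, 308) and location:
            chain.append(urljoin(current, location))
            continue
        link = re.search(r'href="([^"]+)"', body or "")
        if status == 200 and link and urlsplit(current).hostname in TRUSTED_HOSTS:
            chain.append(urljoin(current, link.group(1)))
            continue
        break
    return chain


def verdict(url, fetch=fetch):
    """Compare a first-hop-only verdict with one based on the landing page."""
    chain = follow(url, fetch)
    first = urlsplit(chain[0]).hostname or ""
    last = urlsplit(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "first_hop": "allow" if first in TRUSTED_HOSTS else "review",
        "landing": "block" if last.endswith(SPAM_HEAVY_TLDS) else "allow",
    }


if __name__ == "__main__":
    result = verdict("http://www.google.com/reader/view/user/01/label/free-trial")
    print(" -> ".join(result["chain"]))
    print("first hop:", result["first_hop"], "| landing page:", result["landing"])
```

The TLD rule is only the crude landing-page test the post itself mentions; a production filter would look up the final domain’s age and reputation instead, but the structural point stands either way: score the end of the chain.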

We’ll finish with some more typical examples of how spam looks on social networking websites (screenshots):

  • Pharmacy (Sample2)
  • Replica Watches (Sample3)
  • Acai Power Slim (Sample4)

Fake Alerts Uncovered

It has been almost a year since rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering. Having discussed those methods in earlier blogs, today we will look into the protection mechanisms these fake-alert Trojan families adopt to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between valid instructions. Junk instructions are used widely across fake-alert families; they pad and vary the code so that byte-pattern signatures written for one variant miss the next.

  • Fake API calls

The screenshot shows a call to the API SetArcDirection, which is not needed by the code. Malware uses such unnecessary API calls to defeat emulation: an emulator that does not implement the call, or implements it inaccurately, behaves differently from a real system. Sometimes calls to APIs that don’t exist are also used by these families to check whether they are being emulated.

  • Customized packer

Many fake-alert families use their own custom packers and encryption routines. Some of the families patch existing packers.

  • Use of XMM and MMX instruction sets

Use of XMM, MMX, and FPU instructions that the code does not need, alongside the other junk code, is also common across fake-alert families; these instruction sets are ones antivirus emulators have traditionally supported poorly.

The techniques discussed above are nothing new and have been used in notable malware. But fake-alert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, fake-alert Trojan families have stepped in to claim the scum-of-the-Internet tag.