Time for a quick blog post on an attack we've been following for several weeks now. I've seen a few news articles and blog posts that could be describing it, at least in general terms (i.e., hacked WordPress sites redirecting victims to Fake AV malware sites), so let's flesh it out a bit.
(It's also been several months since I've blogged about one of the "gold standard" attack vector combos: Search Engine Poisoning (SEP) + Fake Antivirus, so let's kill two malware birds with one stone…)
The on-going malware campaign is distinctive both in its volume and in the domain names it is using to serve up the Fake AV executables. Here are some recent stats and examples from a couple of WebPulse modules:
– One module (which still needs a cool nickname) has dynamically flagged 875 EXEs (all coming from one server!) as Suspicious in the last 7 days, hosted on domains with names like:
testingfail-safetycontrol.info
solutionguarantorcomputer.info
microsoftdetectservant.info
etc.
– Another module, our trusty "Background Checker", has flagged well over 5000 URLs (not just the EXEs) from another such network as Malicious — just in the last 24 hours. Although its domains are hosted on a different server, the names are similar enough to make us suspect that the same gang is at work:
keeperdataperfomance.info
golddefence.net
supervisionsafetycleaner.info
etc.
In other words, predominantly using .info domain names constructed by stringing three words together that have something (at least vaguely) to do with computers and security…
I traced some of these domains back through the logs to see where the victims were coming from, and quickly found some obvious examples of SEP at work:
bridalgownsplaza.com/wp-content/uploads/2012/i-love-you-baby-quotes-tumblr
(The fact that the page is down below an often-hacked WordPress blog directory, and has a name like "i-love-you-baby-quotes-tumblr" is the giveaway. Indeed, nearly all of the referring URLs I saw had the /wp-content/ path component.)
Here's what that page looked like when I visited. Part-way down the blog posts about different styles of wedding dresses, you can see the out-of-place injected SEP content:
Unfortunately, visiting the site directly like this just lets you see the non-malicious "bait only" view of the page — that is, the junk content that is served to the search engine when it visits. It's missing the "hook" (iFrame or Javascript) that relays the victim to the Fake AV site.
Likewise, I was unable to coax either malnet to display a copy of the Fake AV landing page, meant to convince the victims that their computers are infected, and that they need to download and run the malicious "cure" for the imaginary "infection". (I miss the good old days, when the Bad Guys were more careless in how they ran their attacks. It was a lot easier to get good screenshots…)
I grabbed a copy of one of the EXE payloads from our malware collection. It was captured over 24 hours ago, but had not been seen in Virustotal when I checked — indicating that the payloads are most likely polymorphic on each download. The detection rate there was discouragingly low: just 6 out of 42 engines — indicating regular evolution of the payload code and encryption, since this is a long-running attack, and I would otherwise expect detection to be much higher.
Anyway, just because SEP-driven Fake-AV attacks are a bit old-fashioned doesn't mean that they're not effective. The volume of this attack, and particularly the number of EXEs being requested (meaning people are taking the bait!) shows just how effective it is. Luckily for our users, this attack vector is a lot less effective with WebPulse getting in the way.
–C.L.
Leave a reply
