Malware

Google Search Results Significantly Poisoned

Monday, November 16th, 2009

Hundreds of Thousands of Links Leading to Malware Found in Google Results

Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.

The screenshots below display examples of blogs with posts that are simply images and contain no text or stories:

[Screenshot: example blogs whose posts consist only of images]

The common string albums/bsblog/category is found in the URLs for all these blogs. By using the Google search parameter allinurl alone, you can see how many other sites contain the same string.

[Screenshot: Google results for the allinurl query]
More than 260,000 poisoned Google results. If you carry out the same Google search, DO NOT click on the results.

As can be seen in the image above, more than 260,000 URLs in Google’s search index lead to blogs similar to the ones illustrated in our example. Beware: if you were to visit one of the above blogs by clicking on its URL in the Google search results, you would be redirected through two different websites, and the second site would attempt to install fake anti-virus software on your computer. (For safety purposes, we are not directly linking to infected search results, but if you enter the query shown in the image, you can recreate the above results.)

If instead you copy and paste the destination URL directly into your browser, you are taken to the dull but otherwise harmless blog posting like those pictured earlier in this discussion. The attack only happens when the compromised blog site determines that you arrived by way of Google by checking the HTTP Referer header.

An earlier search similar to the one above produced 104,000 infected URLs:

[Screenshot: Google results for the earlier bmsblog/category query]
Another 104,000 results that will lead to malware. Again, if you carry out the same Google search, DO NOT click on the results.

As you can see, only a small portion of the sites in the search results carry a warning provided by Google. The likely reason for the small number of warnings is that the actual attacks do not take place on the website URLs in the search results but on the sites you’re redirected to, which decreases the chances that Google will designate the destination sites as harmful.

Digging Deeper

On all the infected sites found there is rogue blog publishing software installed, sometimes inside the popular online photo gallery software Coppermine. (The most recent version of Coppermine we observed being used in this attack was 1.4.24; Coppermine is now on release 1.4.25.) These rogue blogs automatically and regularly publish new posts that are titled with esoteric terms like “las vegas rental no credit check”, “real world melinda and danny”, or “uninvited song lyrics alanis morrissette morissette”. These posts are intentionally not titled with very popular simple terms like “Britney Spears”, “Obama” or “Paris Hilton”, to avoid having to compete in search rankings with the millions of pages that already exist for those topics. Instead, the authors of this exploit take advantage of the long tail of search, where rare combinations of search terms in aggregate make up a very large portion of the queries that web surfers submit to search engines. In fact, a surprising number of Internet searches contain four or five words, and the authors of this attack appear to have chosen their post titles with this in mind in order to be exposed to as many potential victims as possible.

No words are to be found in these blog posts. The content of each post consists solely of images taken from the images.google.com results for the same terms found in the post’s title. Each image is then presented inside the new blog post with alt and title attributes that also match the post’s title, in an attempt to maximize the page’s relevancy in Google’s eyes for any query matching those terms. For example, if one of these blog postings was titled “common and kanye west”, the posting would simply contain four or five of the images shown in the results of a Google image search for “common and kanye west”, and each of these images would in turn be given alt and title attributes that read “common and kanye west”.

[Screenshots: the images as they appear in Google Images results, and the same images republished on the rogue blog]

The repetition of the same terms in the post title and image tags is a clumsy but straightforward mechanism of suggesting to Google that the page contains highly relevant information about those topics, hoping that Google will then present these pages to searchers. When the searchers click on these links in Google search results, the blog will redirect that visitor to the fake anti-virus installation site.

The Attack

[Screenshot: an attack site in progress.]

The fake anti-virus site displays what appears to be the results of a computer scan, warning the user that “31 Malware programms was found!” (sic). The fake notifications display illegitimate Windows anti-virus warnings even when the user visits the site on a Macintosh, as happened in the pictured example. Interestingly, however, it did correctly and dynamically insert this researcher’s computer’s IP address into the image (which has now been blurred out). Clicking on anything in the fake infection findings, including the blue-framed popup, results in a file named Inst_58s6.exe being downloaded to the user’s computer.

Where the Wild Things Are

The path from the infected websites to the fake anti-virus software drop sites is swift and likely not noticed by the user. A user clicks on one of the innocent-looking Google search results and is transported to a “middle man” domain like ionisationtools.cn or moored2009.cn. The server at these domains then redirects the web surfer to a final destination where the fake anti-virus is pushed on the user, as described above.

The middlemen domains like ionisationtools.cn or moored2009.cn are “live” for just a day or two and quickly go offline. Their DNS records briefly point to the free DNS service provider EveryDNS.net.

The actual fake anti-virus drop sites are found on domains such as:

  • premium-protection6.com
  • file-antivirus3.com
  • checkalldata.com
  • foryoumalwarecheck4.com
  • antispy-scan1.com

All of these domains observed by Cyveillance were registered with the Chinese registrar TodayNIC.com, and, like the middleman sites above, they are registered only one or two days before the inbound Google search traffic arrives, suggesting that the software directing search traffic from the infected websites knows in advance where the drop sites will be.

Only Google?

It appears that Google is the only search engine with knowledge of these infected sites. We learned this by taking several domains that contained the infected Coppermine installs and querying them with Bing’s site: command and Yahoo!’s Site Explorer; neither of these search engines returned any URLs containing this particular exploit in action, suggesting that Google is the only major search engine being used as the attack vector by these malware distributors.

It is possible that the attackers took advantage of the ability to submit .xml sitemaps in Google to stimulate the search engine to visit and index the rogue blogs’ postings. A suitable .xml file was found on the sites examined to support this technique.

What Can Be Done?

Cyveillance recommends that Google investigate all URLs in its main index which contain albums/bsblog/category or bmsblog/category in the URL and take the appropriate action to minimize the potential danger to users. Additionally, webmasters need to ensure that software is constantly kept up to date with the latest revisions and that site content is periodically reviewed for potential malicious activity.

While not necessarily practical, users can minimize their exposure to the attack vector described in this writing by copying and pasting the link from the Google search results directly into their browser rather than clicking on the search result link. Additional steps to minimize the harm from the attack vector are ensuring all computer software is up to date and practicing safe Web surfing habits.
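A webmaster reviewing their own site for this attack can look for exactly the asymmetry described above: direct visitors get the harmless blog page while Google-referred visitors get a redirect. The following access-log analyzer is an added example (not Cyveillance's code); it assumes the Apache/nginx "combined" log format and uses the rogue-blog URL fragments quoted in the write-up (albums/bsblog/category, bmsblog/category) as its path markers. The sample log lines are constructed, not real traffic.

```python
"""Flag rogue-blog paths and referer-conditional redirects in a web access log.

Added example, not Cyveillance's code. Assumes the Apache/nginx "combined"
log format; the path markers come from the write-up above.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format:
# host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# URL fragments the write-up identifies in the rogue Coppermine blog posts.
ROGUE_PATH_MARKERS = ("albums/bsblog/category", "bmsblog/category")

# Referer values that identify a visitor arriving from a Google web search.
GOOGLE_REFERER = re.compile(r"^https?://(www\.)?google\.[a-z.]+/", re.I)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def from_google(referer):
    """True when the Referer header points at a Google search page."""
    return bool(GOOGLE_REFERER.match(referer or ""))


def analyze(lines):
    """Return (rogue_paths, cloaked_paths), both sorted lists.

    rogue_paths: paths matching the rogue-blog URL pattern.
    cloaked_paths: paths that answer Google-referred visitors with a 3xx
    redirect while answering direct visitors with 200 (the cloaking behaviour
    described in the write-up).
    """
    by_path = defaultdict(lambda: {"google": set(), "direct": set()})
    rogue = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guessing
        path = urlsplit(rec["path"]).path
        if any(marker in path for marker in ROGUE_PATH_MARKERS):
            rogue.add(path)
        bucket = "google" if from_google(rec["referer"]) else "direct"
        by_path[path][bucket].add(rec["status"])
    cloaked = set()
    for path, seen in by_path.items():
        google_redirects = any(300 <= s < 400 for s in seen["google"])
        direct_ok = 200 in seen["direct"] and not any(300 <= s < 400 for s in seen["direct"])
        if google_redirects and direct_ok:
            cloaked.add(path)
    return sorted(rogue), sorted(cloaked)


# Constructed sample log lines (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2009:10:01:02 -0500] "GET /albums/bsblog/category/las-vegas-rental-no-credit-check HTTP/1.1" 302 0 "http://www.google.com/search?q=las+vegas+rental+no+credit+check" "Mozilla/5.0"
203.0.113.11 - - [16/Nov/2009:10:01:09 -0500] "GET /albums/bsblog/category/las-vegas-rental-no-credit-check HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
203.0.113.12 - - [16/Nov/2009:10:02:30 -0500] "GET /albums/displayimage.php?pid=42 HTTP/1.1" 200 5120 "http://www.google.com/search?q=holiday+photos" "Mozilla/5.0"
203.0.113.13 - - [16/Nov/2009:10:03:00 -0500] "GET /albums/displayimage.php?pid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [16/Nov/2009:10:04:15 -0500] "GET /old-page HTTP/1.1" 301 0 "http://www.google.com/search?q=old+page" "Mozilla/5.0"
203.0.113.15 - - [16/Nov/2009:10:04:20 -0500] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    rogue_paths, cloaked_paths = analyze(SAMPLE_LOG)
    print("rogue-blog paths:", rogue_paths)
    print("referer-cloaked paths:", cloaked_paths)
```

A path that redirects everyone (like /old-page above) is an ordinary moved page and is not flagged; only the Google-specific redirect is.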

Heading in to 2010 and beyond, Cyveillance will continue to make the investments in personnel and technology needed to warn the Internet community of new threats, protect our customers, and stay one step ahead of the bad guys.

A Dangerous Blend of Phishing Methods

Thursday, October 15th, 2009

In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are exploiting outward-facing Microsoft Exchange mail servers to customize/personalize emails that spoof internal email addresses. Once the addresses are spoofed, the bogus messages are sent to the organizations’ personnel. The messages ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once clicked, the user is routed to a fake site that appears to be authentic. If the user clicks on the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is downloaded and installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.

[Screenshot: the spear phishing email]

This attack type was originally reported by SANS earlier this week. The SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since the time of that report, the attack has become even more dangerous through the addition of fast flux. Fast flux is a technique in which the attack’s hosting is rapidly rotated across a group of servers in order to evade detection and takedown.

The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal (http://www.virustotal.com/analisis/95583b5228d16750aa81a8c8ba6d29455b89297560fbb65b53638bc6b3b9c188-1255547944).

On the surface it appears that the goal of the attacks is to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. By being more creative in their approach, this mixing of phishing methods increases the likelihood that the phisher’s emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Inside the Development and Management of a Botnet

Friday, August 21st, 2009

A story published recently by a researcher at Cisco does a great job of illustrating what it takes to setup, manage, and profit from a botnet. The story details many of the typical activities performed by the criminals who manage and sell botnets. What is unique about the story is that the information is obtained directly from correspondence and discussions with an actual criminal behind the botnet. The story can be found at: http://www.cisco.com/web/about/security/intelligence/bots.html

What is especially unnerving about the story to many security professionals is the ease with which the criminals are able to perpetrate their activities. The criminals behind the botnets can bypass many security technologies through malware and phishing attacks. Additionally, these criminal enterprises can be extremely profitable despite recent claims to the contrary by researchers at Microsoft.

Further evidence of the relative ineffectiveness of some of the most well-known security technologies is illustrated by test results in one of our recent reports, Cyveillance Intelligence Report 1st Half 2009. The report can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=115.

Despite the success of the more sophisticated online criminals, some progress in the fight against online crime has been made. Cyveillance has long noticed the trend of criminals being forced to develop very sophisticated methods to bypass detection and security countermeasures. This is a clear indication that the efforts of Cyveillance and others in the security industry are working. As we enter a new era in Security and Intelligence with our acquisition by Qinetiq NA, Cyveillance will continue to make the investments in personnel and technology needed to protect our customers and always stay one step ahead of the bad guys.

Cyveillance Testing Finds Leading AV Vendors Not Keeping Pace with Influx of Malware and Phishing Attacks

Tuesday, August 18th, 2009

Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period

In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:

  • Cyveillance tracked an online “fraud chain” which included malware components that store and serve malware executables, distribute malware to consumers, and receive and store confidential information collected from infected computers.
  • The United States and China continue to host the majority of malware executables, representing 33 percent and 21 percent of attacks, respectively, which together make up over half of the malware found during the first half of this year.
  • During the first half of 2009, there was an average of over 23,000 unique phishing attacks per month, which makes phishing still one of the top threats on the Internet.
  • Popular consumer applications used for detecting phishing attacks do not provide adequate protection. Initially, Symantec’s Norton SafeWeb only blocked/warned against 4.4 percent of phishing attacks, and this increased to only 5 percent after the first 24-hour period.
  • During the first half of 2009, 200 unique brands were first-time targets of phishing attacks, which represents a 26 percent increase over new brands phished in the second half of 2008.

View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115

Software Updates Used as Phishing Bait

Tuesday, June 30th, 2009

Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and when clicked, routes the user to a malicious Website infected with malware.

While attacks such as the one above are not new, it is only recently that this method has truly become a mainstream vector. It is likely that we will continue to see more of this type of attack in the future.

Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.

Do browser features from Microsoft, Google, Mozilla, and Apple provide adequate protection against phishing attacks?

Thursday, February 5th, 2009

To better understand the daily risks consumers face from phishing attacks, Cyveillance test sampled unique and confirmed phishing attacks uncovered against a variety of organizations. To measure the effectiveness of some of today’s leading anti-phishing solutions, Cyveillance fed these confirmed live attacks through four of the most widely used anti-phishing browser-based offerings. The data was fed in real time to each solution and then again 24 hours later to determine detection rates over a minimal period of time. The specific detection rates of each solution used during the testing are below:

As the results show, even the most popular Internet browser anti-phishing applications detect less than half of the phishing attacks when the attacks are initially launched. The attack detection rate improves significantly after a period of 24 hours. Unfortunately, the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched as illustrated in The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks, which can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=112. Given these facts, reliance on browser-based tools to protect consumers against phishing attacks is not an adequate phishing defense strategy.

For more information about Cyveillance’s research findings, please visit: http://www.cyveillance.com/web/forms/request.asp?getFile=113

Phish-Pharming: Using social engineering to hijack domains at the source

Thursday, January 22nd, 2009

Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions.  This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a Phishing attack is used to gather the information that in turn enables an even more dangerous Pharming attack.

Background
Phish-Pharming combines two well established types of scams.  In a traditional Phishing attack, a fake Web site meant to look like the legitimate site being spoofed tricks consumers into entering passwords, ATM card numbers and PINs, or other sensitive information.

Pharming is more sophisticated.  In a Pharming attack, users’ computers are directed to a fake Web site even though the user enters the correct address of the real site in their browser. What makes Pharming so challenging is that this can be accomplished at many stages in the DNS resolution chain.  For example, one common method involves infecting a PC with malware that modifies how that machine behaves, e.g. it changes the local “Hosts” file on the PC or redirects DNS queries to a fraudulent DNS resolver out on the Internet.

Another way to impact an individual user or household is to attack unsecured wireless routers used in many homes.  (Apartment dwellers in large complexes can sometimes access dozens of unsecured Internet connections, leaving their neighbors open to malicious attack.)  In yet another more challenging, but more broadly damaging variant, the machines that resolve DNS lookups for a large group such as the customer base of a local ISP, are hacked from the outside, and modified to direct all requests for a given domain name to a bogus Web site.

The ultimate extension of this line of thinking would be a method that maliciously re-directs all visitors to the bogus site, not just a few affected by a localized hack. And that is exactly what Phish-Pharming seeks to do.

How it works
The best way to hijack all the traffic to a legitimate site would be to re-delegate the domain name (that is, re-setting the IP address to which it resolves) to a fraudulent destination at the authoritative home of that instruction.  The “official” entry for the IP address(es) to which a name should resolve is dictated by the domain owner when they set up and manage their site via their hosting provider or registrar.

If the domain owner/manager’s administrative login is stolen, the criminal can re-assign the resolution for the domain to a fraudulent IP address.  When the change propagates across the ‘Net, nearly all requests for that domain name will take users to the bogus Web site.

Phish-Pharming uses the classic Phishing approach of “bogus email + spoof site” to entice the domain administrator to log in to a fake domain-management or registrar Web site, giving the criminals administrative access to that user’s entire domain portfolio.  Instead of trying to trick users to “update their bank information” (a ploy now widely and correctly greeted with suspicion), an email might be sent to company employees saying “your registration for www.somename.com is about to expire.  Please login to renew now.”  Since registration dates, contacts and other domain-related information are publicly available, details of the email can be tailored literally down to a single individual (a practice known as “Spear Phishing”), which makes the message that much more convincing.

If an administrator falls for the scam, the criminal can immediately log into the legitimate domain “control panel” for the domains in that account. Once logged in as the administrator, a criminal targeting a large enterprise could re-delegate entire portfolios of domain names, attempt to transfer ownership of unused domains (where administrators might not notice they are gone), change passwords to lock out the legitimate owners, and create many other kinds of mischief.

What can our enterprise do to protect the company and its customers?
Like all “social engineering” attacks, Pharming depends on the fact that people are often the weakest link in the security chain.  Awareness is the single best weapon.  Make certain that all domain-name administrators (brand owners, IP and legal staff, anyone with access to domain delegation instructions) are educated about the possibility and the reality (i.e. known cases – this actually does happen) of “being Phished to be Pharmed.”

Any message regarding domain ownership, expiration dates or other messages “from” your service provider should be examined with the same critical eye as emails claiming to come from a bank, eBay or PayPal.  Check the URL to which the link actually resolves, or better yet, type the address in manually.  Call your registrar or vendor rather than relying on email and links if you have questions or concerns about your domains.

Second, consider a monitoring service or other method that helps proactively check DNS resolution for your domains at different levels of the resolution chain.  Like all Phishing and similar types of attacks, the impact of the attack is best mitigated by minimizing the time it takes to detect and take down or control the site in question.  A proactive rather than reactive approach to detecting these attacks could save potentially critical (and expensive) minutes or even hours.

Finally, the financial industry has gone to extraordinary lengths to complicate, strengthen and validate the customer login process.  To date, some registrars and hosting providers have not yet done the same, yet if your domain is hijacked at the source, all the authentication, validation and security investments are for naught.  If you have any concerns about the level of authentication or security from your provider, ask them what they are doing to help raise awareness of spoof registrar messages, to stop login-stealing scams or to strengthen the protections they offer to your enterprise as a customer.
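The post lists several levels at which a Pharming redirect can be planted (the local Hosts file, a configured or ISP resolver, or the authoritative record after a hijacked registrar login) and recommends checking resolution at each level. The following checker is an added example (not Cyveillance's code) that parses a hosts file for overrides and compares the answer observed at each level against a known-good baseline to show where the chain diverges. Live DNS lookups are out of scope; the per-level answers and the hosts file are constructed inputs standing in for what a monitor would collect.

```python
"""Locate the level of the DNS resolution chain at which a domain's answer diverges.

Added example, not Cyveillance's code. Level names and the observation
dictionary are assumptions about how a monitor would gather its data.
"""
import ipaddress

# Levels of the resolution chain named in the post, from the user's PC outward.
LEVELS = ("hosts_file", "configured_resolver", "public_resolver", "authoritative")


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and bad lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, so not a hosts entry
        for name in names:
            entries[name.lower()] = ip
    return entries


def hosts_overrides(text, watched_domains):
    """Watched domains pinned in the hosts file: the local Pharming the post describes."""
    entries = parse_hosts(text)
    return {d: entries[d.lower()] for d in watched_domains if d.lower() in entries}


def diverging_levels(domain, baseline_ips, observations):
    """Return [(level, sorted_answer)] for every observed level that differs from baseline.

    observations: {level: iterable of IPs} gathered by a monitor for `domain`.
    A level absent from observations (e.g. no hosts-file entry) is not checked.
    """
    baseline = {str(ipaddress.ip_address(ip)) for ip in baseline_ips}
    bad = []
    for level in LEVELS:
        if level not in observations:
            continue
        answer = {str(ipaddress.ip_address(ip)) for ip in observations[level]}
        if answer != baseline:
            bad.append((level, sorted(answer)))
    return bad


def diagnose(domain, baseline_ips, observations):
    """Name the most likely point of tampering from which levels diverge.

    Divergence at the authoritative level implies a re-delegation at the
    registrar or host (everything downstream will follow it); divergence only at
    a resolver implies a poisoned or hijacked resolver; divergence only in the
    hosts file implies malware on this one machine.
    """
    bad = dict(diverging_levels(domain, baseline_ips, observations))
    if not bad:
        return f"{domain}: all observed levels match the baseline"
    if "authoritative" in bad:
        return f"{domain}: authoritative record changed; domain likely re-delegated at the registrar or host"
    if "public_resolver" in bad or "configured_resolver" in bad:
        return f"{domain}: recursive resolver answer differs; resolver poisoned or hijacked"
    return f"{domain}: hosts-file override on this machine only"


# Constructed sample data (documentation addresses, not real records).
EXAMPLE_DOMAIN = "bank.example"
EXAMPLE_BASELINE = ["192.0.2.10"]
EXAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
198.51.100.7  bank.example www.bank.example   # planted by malware
"""
EXAMPLE_OBSERVATIONS = {
    "hosts_file": hosts_overrides(EXAMPLE_HOSTS, [EXAMPLE_DOMAIN]).values(),
    "configured_resolver": ["192.0.2.10"],
    "public_resolver": ["192.0.2.10"],
    "authoritative": ["192.0.2.10"],
}

if __name__ == "__main__":
    print(diagnose(EXAMPLE_DOMAIN, EXAMPLE_BASELINE, EXAMPLE_OBSERVATIONS))
```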

Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads

Tuesday, September 23rd, 2008

There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.

What classifies a malware download as a drive-by download? While there is no one standard definition, the problem can be described simply as a file downloaded to a user’s computer without permission or user action when visiting a Web site. This feat is typically accomplished by exploiting a vulnerability in the web browser or operating system.

So, with the exploding growth of malware on the Internet, how many malicious web sites distribute malware via drive-by downloads? Based on a sample of hundreds of thousands of malware distribution web sites discovered in the past 60 days, sixty-eight percent of malware distribution sites deliver malware via drive-by downloads.

Think about it, there are millions of malicious web sites on the Internet. Not only do you have the fear of your AV software not detecting malware on your computer as described in an earlier Cyveillance report (http://www.cyveillance.com/web/forms/request.asp?getFile=111), but simply visiting a web site could infect your computer.

Users can minimize the risk of being infected by a drive-by download in several ways. One of the most effective protective measures is to use the more secure settings on your web browser. This may cause some inconvenience by requiring users to respond to security prompts when visiting feature-rich web sites, but it will reduce potential malware infections. Another common-sense protective measure is simply to avoid going to unfamiliar or disreputable Websites.

Additionally, security companies that provide user protection through desktop clients can significantly improve protection against drive-by downloads through the use of Cyveillance Malware Protection™. The service evaluates web sites using both signature-based and behavioral-based technologies. This multi-pronged approach to detecting online threats allows Cyveillance to collect the most comprehensive and up-to-date intelligence regarding new malware and attack methods.

How Protected Are We Really Against Malware?

Friday, August 29th, 2008

Fueled by scalability and ease of use, it is not surprising that malware attacks delivered via the Web have more than doubled in frequency. What is interesting is the creativity taken by malware writers to evade detection and mitigation through technical means and wider geographical distribution.

So the question remains, how safe is it to surf the Internet? The answer is not one people want to hear.

The reality – the majority of active malware attacks go undetected, with leading anti-virus (AV) solutions detecting only 50% of instances or less. These results came to light when we recently test-sampled malware that we routinely uncover against several of the top AV products. The findings were released in our “1H 2008 Online Fraud Report” and can be seen in the table below.

                                                        F-Secure   Kaspersky   McAfee   Sophos   Trend Micro
Average daily detection rate from 6/20/08 to 7/19/08       51%         35%       34%      55%         52%

The fact that these results are based on a 30-day period only further emphasizes the dynamic nature and scalability of today’s malware attacks. Given the reactive nature of today’s malware and AV detection technology, traditional AV solutions are inherently at a disadvantage when it comes to keeping up with these constantly changing and emerging threats. Granted, no solution will ever be 100% effective against all real-time and zero-day threats, but by adding proactive intelligence gathering techniques to reactive AV solutions, the gap between infection and protection can be greatly reduced.

Online criminals are using any and every means available to maliciously infect computers and evade detection. Online security solutions should take heed and implement a truly comprehensive approach to security that includes both defensive and offensive elements, or online criminals will remain one step ahead.

Realistic Solution to the Malware Epidemic?

Thursday, April 10th, 2008

It’s hardly newsworthy that security experts at the RSA Conference this week pointed to malware as the biggest threat facing the Internet today.  However, a more thought-provoking, if somewhat controversial, idea about malware was put out there by a noted security expert who offered that “the most effective approach to tackling botnets would be to impose penalties on people who allow their computers to become infected, making users take more responsibility.”  Read the story here

While it’s critical that we explore new solutions, the idea of holding consumers responsible for becoming infected with malware is hard to imagine.   For starters, given that between 20 and 40 percent of malware is not detected by endpoint security software, is it reasonable to expect everyday Internet users to protect themselves from a continual barrage of malware-based attacks?  Our best and brightest security experts have been unable to address the malware threat.  Will a largely non-technical Internet audience significantly reduce malware problems because of the threat of penalties?

Clearly, consumers have a responsibility to take reasonable precautions in order to protect themselves from online attacks. But it’ll take new approaches by businesses, security providers and government to really make a dent in the problem. Consumers are the weak link in the security chain. Social engineering combined with increasingly sophisticated technical attacks are too much for the average Internet user to overcome. A big part of the malware solution has to be hardening the consumer against human-based vulnerabilities. Otherwise, we’ll create an Internet that is not practical for use by the average Joe.