Posts Tagged ‘search engine malware’

Fake AntiVirus Scams Add MacOS Support

Thursday, May 19th, 2011

by Luis Chapetti & Dave Michmerhuizen – Security Researchers

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away. They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page. The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.

HTML is Not Harmless – Email Security Update

Thursday, September 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is: plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust. Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious a threat as other attachment types.

On September 16, this particular campaign started with spam tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results are frequently littered with links to hacked sites that serve up malicious JavaScript. Now the attackers are taking that a step further: instead of requiring the user to come to their hacked sites, they simply email the same malicious JavaScript straight to an inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”. However, once that happens, the HTML files suddenly don’t seem so harmless.

The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances, that is a fake pharmacy site, which is harmless:

In others, it may be a fake codec site, which is harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):


And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled. This inclusion strategy helps disguise the JavaScript from email scanners and reassure users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.
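As an added example (not code from the original post or from Barracuda), a small Python triage script for the indicators this post describes: embedded script blocks, run-time decoding calls such as eval/unescape/fromCharCode, escaped byte strings, and size-zero or hidden IFRAMEs. The two sample attachments it scans are constructed here, not the campaign’s real files.

```python
import re

# Constructed sample attachments (not from the original post): one plain notification
# and one built like the innocent-looking HTML described above, with a size-zero
# IFRAME and an obfuscated script embedded in it.
BENIGN_HTML = """<html><body><h1>Statement</h1>
<p>Your monthly statement is ready.</p></body></html>"""

SUSPICIOUS_HTML = """<html><body><h1>Statement</h1>
<p>Your monthly statement is ready.</p>
<iframe src="http://example.invalid/ld" width="0" height="0"></iframe>
<SCRIPT>var s=unescape("%64%6f%63%75%6d%65%6e%74");
eval(String.fromCharCode(108,111,99,97,116,105,111,110));</SCRIPT>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# Calls that obfuscated droppers lean on to rebuild their code at run time.
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
# Escaped bytes (%41, \x41, \u0041) that keep strings away from plain pattern matching.
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
# Size-zero or CSS-hidden frames: content the user is never meant to see.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?:px)?["']?|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I)

def score_attachment(doc):
    """Return the indicators found in one HTML attachment plus a verdict."""
    scripts = SCRIPT_RE.findall(doc)
    script_text = "".join(scripts)
    hidden = sum(1 for attrs in IFRAME_RE.findall(doc) if HIDDEN_RE.search(attrs))
    result = {
        "script_count": len(scripts),
        "obfuscation_calls": len(OBFUSCATION_RE.findall(script_text)),
        "escape_sequences": len(ESCAPE_RE.findall(script_text)),
        "hidden_iframes": hidden,
        # Share of the file that is script: a "page" that is mostly code fits
        # the 100% obfuscated attachments seen earlier in the campaign.
        "script_fraction": round(len(script_text) / max(len(doc), 1), 2),
    }
    suspicious = (result["obfuscation_calls"] > 0
                  or result["hidden_iframes"] > 0
                  or result["escape_sequences"] >= 8)
    result["verdict"] = "suspicious" if suspicious else "clean"
    return result

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, score_attachment(doc))
```

A mail gateway would run this over each text/html attachment before the preview reaches the user; the thresholds are starting points to tune against your own traffic.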

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while it is quite stealthy, it is definitely not harmless.

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware and Twitter use and crime rate.

Our study shows that attackers devote serious effort to getting in front of the billions of eyeballs that use search engines every day and the millions of users that connect on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report from the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study following up on data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users [1], Twitter Crime Rate [2], and Tweet Number [3]. Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following less than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.
