<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>Threat Center Live Blog</title><description>News, updates, and advice on network security from the experts at zvelo.</description><managingEditor>noreply@blogger.com (acarrillojr)</managingEditor><pubDate>Thu, 24 Oct 2024 02:11:01 -0600</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">90</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>http://threatcenter.blogspot.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><copyright>Copyright (c) 2007 eSoft Inc</copyright><itunes:image href="http://threatcenter.esoft.com/feeds/threatcenter300.png"/><itunes:keywords>Security,Tech,News,Vulnerabilities,Exploits,Network,Technology,Internet,Threats</itunes:keywords><itunes:summary>5 minute updates on the latest in computer and network security. Sponsored by eSoft.</itunes:summary><itunes:subtitle>5 minute updates on the latest in computer and network security. 
Sponsored by eSoft.</itunes:subtitle><itunes:category text="Technology"><itunes:category text="Tech News"/></itunes:category><itunes:author>Patrick Walsh</itunes:author><itunes:owner><itunes:email>threatcenter@esoft.com</itunes:email><itunes:name>Patrick Walsh</itunes:name></itunes:owner><xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><item><title>ThreatCenter Live Blog is now zveloBLOG™</title><link>http://threatcenter.blogspot.com/2011/02/threatcenter-live-blog-is-now-zveloblog.html</link><pubDate>Wed, 9 Feb 2011 14:25:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-3440594265772306080</guid><description>zvelo is proud to announce that the Threat Center Live Blog has moved and is now &lt;a href="http://zvelo.com/blog"&gt;zveloBLOG™&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We greatly appreciate all current subscribers to this blog and thank you for your interest and support over the past couple of years. 
zvelo looks forward to continuing the discussion at our new location.&lt;br /&gt;&lt;br /&gt;So go ahead, subscribe and join the conversation at the new &lt;a href="http://zvelo.com/blog"&gt;zveloBLOG™&lt;/a&gt;, where we will continue to feature alerts and discussions about the latest malware, spam, viruses, phishing scams, rogue software and other web threats stemming from the exclusive research conducted by the engineers and Web Analysts at zveloLABS™.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Please note that this Threat Center Live Blog will be shut down sometime in the &lt;span style="font-weight: bold;"&gt;summer of 2011&lt;/span&gt;. &lt;/em&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Adobe CS7 Searches Saturated With Dangerous Results</title><link>http://threatcenter.blogspot.com/2010/07/adobe-cs7-searches-saturated-with.html</link><category>blackhat seo</category><category>fraud</category><category>malware</category><category>web security</category><pubDate>Thu, 29 Jul 2010 13:21:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-6751848107082120699</guid><description>Trying to save a few bucks on software almost always leads users down a dangerous path.&amp;nbsp; They either end up at “OEM Software” sites offering unlicensed, illegal copies, or they download cracks and keygens laced with malware.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
One of the big issues here is that these sites are quite easy to find.&amp;nbsp; A Google search for “cheap” or “discount” software surfaces them immediately, and searches for all kinds of popular software, from MS Office to Adobe CS, bring up dangerous results. &lt;br /&gt;
&lt;br /&gt;
Even a search like ‘Microsoft Windows 7’, which should be filled with Microsoft sites and articles, instead includes fraudulent OEM sites in the top results.&amp;nbsp; Today, the eSoft Threat Prevention Team is warning users to be especially wary of offers for unreleased software.&amp;nbsp; A major target of these scams is Adobe, which recently released its Creative Suite 5 (CS5) software.&amp;nbsp; Searches for CS7, a product two versions ahead of anything Adobe has announced, return a solid wall of bogus results leading to scams and malware. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4QM3F-gvEk4t98uZIUUpGc5N6swxsmPe5VjbY1P91uDslFaBrqZ88I1rFuxBTgOtRxmnYOg9VhAQE0kcdiwGGUrxzIEh-DeHy05MhKSruYpU5x6OSn0WRVHlASfLE-5Dus0hIKQLsScAG/s1600/adobe_cs7-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4QM3F-gvEk4t98uZIUUpGc5N6swxsmPe5VjbY1P91uDslFaBrqZ88I1rFuxBTgOtRxmnYOg9VhAQE0kcdiwGGUrxzIEh-DeHy05MhKSruYpU5x6OSn0WRVHlASfLE-5Dus0hIKQLsScAG/s400/adobe_cs7-2.jpg" width="347" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhweUU3E5qgpPNtTlFOJfFE61gnU-YFi7kgG02wyG9yyxAsYzFGAalL0DI9WvgwN39345ON20tAHq2QrZZlKiOCZYRK0jgCULXWXck2PWu5tESeddmdgObfiOQA5rI24IM4ueEHFmDgiJiH/s1600/adobe_cs7-5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="367" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhweUU3E5qgpPNtTlFOJfFE61gnU-YFi7kgG02wyG9yyxAsYzFGAalL0DI9WvgwN39345ON20tAHq2QrZZlKiOCZYRK0jgCULXWXck2PWu5tESeddmdgObfiOQA5rI24IM4ueEHFmDgiJiH/s400/adobe_cs7-5.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Aside from poisoning search results, the criminal enterprises behind these scams are increasingly using Spam to increase their reach.&amp;nbsp; The criminal rings associated with these sites also control infected machines capable of sending millions of Spam messages per day, making it very easy to draw users to these sites.&amp;nbsp; Spam messages are sent offering “instant” downloads and huge savings, only leading the user to a full blown fraud operation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPlT-JeO86x3V0JbuibH61XCjvWw4mqoBSkvM9oOMfwnwEGJbgKbNbSJpj50iRav2C7DmGSiIL60CE2y6L1hC1qZJJdM4aecyQtevauIVgOn0O0iUfn3JffdAicyRRGSkPhz_GMyj399tH/s1600/adobe_cs7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPlT-JeO86x3V0JbuibH61XCjvWw4mqoBSkvM9oOMfwnwEGJbgKbNbSJpj50iRav2C7DmGSiIL60CE2y6L1hC1qZJJdM4aecyQtevauIVgOn0O0iUfn3JffdAicyRRGSkPhz_GMyj399tH/s400/adobe_cs7.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Rightly suspicious users who are wary of entering their personal information on these sites, or who don’t want to pay for the software at all (that is, piracy), may instead look for cracks or keygens that activate trial versions of the software.&lt;br /&gt;
&lt;br /&gt;
Take the example of the site below, keygenguru.com.&amp;nbsp; The keygen download on this page is malware that attempts to call home and download more malicious software.&amp;nbsp; The other links on the page lead the user right back to the same OEM software scams.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGZTpCFb-iWzPaZED6e4jsSnCcXEePAupfBiGrvH5EoRfkBjwiz0eIOCAEK_Fsm2mUEtjlODz_UZFEBZi0bDf6Zsragjec3VNtibRgFCQX_jxDuHOfAUS9lwJZkCsru6JvN5LkFefPvvZl/s1600/adobe_cs7-4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGZTpCFb-iWzPaZED6e4jsSnCcXEePAupfBiGrvH5EoRfkBjwiz0eIOCAEK_Fsm2mUEtjlODz_UZFEBZi0bDf6Zsragjec3VNtibRgFCQX_jxDuHOfAUS9lwJZkCsru6JvN5LkFefPvvZl/s320/adobe_cs7-4.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Each week eSoft finds hundreds of sites and domains related to these &lt;a href="http://threatcenter.blogspot.com/2009/08/new-rash-of-fraud-sites-touting-cheap.html"&gt;OEM Scams&lt;/a&gt;.&amp;nbsp; It’s important for users to realize that these sites are fraudulent and could potentially be very dangerous.&amp;nbsp; If you are purchasing new software, make sure it is from the vendor itself or a reputable distributor.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4QM3F-gvEk4t98uZIUUpGc5N6swxsmPe5VjbY1P91uDslFaBrqZ88I1rFuxBTgOtRxmnYOg9VhAQE0kcdiwGGUrxzIEh-DeHy05MhKSruYpU5x6OSn0WRVHlASfLE-5Dus0hIKQLsScAG/s72-c/adobe_cs7-2.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Widespread Compromise Impacts Thousands of Legitimate Websites</title><link>http://threatcenter.blogspot.com/2010/07/widespread-compromise-impacts-thousands.html</link><category>blackhat seo</category><category>compromised sites</category><category>malware</category><category>web security</category><pubDate>Mon, 19 Jul 2010 19:33:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-7168555672414375776</guid><description>The eSoft Threat Prevention Team has detected a new widespread compromise, with tens of thousands of domains infected.&amp;nbsp; Cybercriminals have used stolen credentials, placing specially crafted pages into legitimate websites that lead visitors to malicious payloads. &lt;br /&gt;
&lt;br /&gt;
The cybercriminals involved in this campaign are primarily targeting pornographic search terms.&amp;nbsp; The poisoned searches include nude celebrities and porn stars, nudism, sex parties, and terms that are far more lewd.&amp;nbsp; Obfuscated JavaScript on the planted pages redirects the visitor to &lt;a href="http://threatcenter.blogspot.com/2010/06/introduction-to-rogue-anti-virus.html"&gt;Rogue Anti-Virus&lt;/a&gt; and other malicious payloads.&lt;br /&gt;
&lt;br /&gt;
At the time of writing most infected pages lead to the rogue anti-virus scam “Antivirus Plus” as shown below.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4HB2-OBSl6y_XouG4RM8QGWDgKQcVz2w_irYDItceY5X4UwMlU1eWBtjhIhqXHovwrRJVIPI1H9Utmsyq-Z4QR3H1uihZiNHHpKlz78qeYMlnDGI9byCkOA7b7agGPFjkpmvrOQLRx0G9/s1600/Screenshot-AntivirusPlus+-+Mozilla+Firefox-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="371" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4HB2-OBSl6y_XouG4RM8QGWDgKQcVz2w_irYDItceY5X4UwMlU1eWBtjhIhqXHovwrRJVIPI1H9Utmsyq-Z4QR3H1uihZiNHHpKlz78qeYMlnDGI9byCkOA7b7agGPFjkpmvrOQLRx0G9/s400/Screenshot-AntivirusPlus+-+Mozilla+Firefox-1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Cybercriminals are increasingly infecting legitimate sites rather than creating their own.&amp;nbsp; A compromised but otherwise honest site stays up far longer, giving it more time to infect visitors, and it has a better chance of passing undetected through web filtering technologies, so it reaches a greater number of users.&amp;nbsp; Sites created specifically for malware distribution can be shut down by the domain registrar or ISP much more quickly than a legitimate site that has been compromised.&amp;nbsp; With granular URL classifications, eSoft SiteFilter technology is able to detect and block these sites before a user is infected.&lt;br /&gt;
&lt;br /&gt;
Given the range of platforms and web server software affected by this specific attack (recognizable by the recurring malicious code it injects), the sites were most likely compromised using stolen FTP credentials. Webmasters: keep your FTP passwords secure, and don’t save them in popular FTP clients, where they can easily be harvested by credential-stealing malware. FTP also sends the username and password across the network in cleartext, so wherever possible use SFTP with key-based authentication instead.&amp;nbsp; Also avoid passwords that are dictionary words or common place or person names; adding a number to the end will not protect you from a determined brute-force attack, because password-cracking tools try exactly those variations.&lt;br /&gt;
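Because planted pages can be named and hidden however the attacker likes, the most reliable way for a webmaster to spot them is a file-integrity comparison against a known-good baseline. The Python script below is an added example, not eSoft's code or tooling; it builds a SHA-256 manifest of a document root and reports what was added, modified or removed since the baseline. The document root, file names and attacker actions in demo() are constructed for illustration.&lt;br /&gt;

```python
# Added example, not eSoft's code: a baseline-and-compare integrity check for a
# web document root. Pages planted with stolen FTP credentials show up as "added"
# or "modified" files regardless of how the injected code is obfuscated.
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(docroot):
    """Map every regular file under docroot (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _subdirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, modified, removed) path lists, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def save_manifest(manifest, path):
    # Keep the baseline somewhere the FTP account cannot write, or an attacker
    # holding the credentials can simply re-baseline after planting pages.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny docroot, then simulate an attacker
    who uploads a planted SEO page and appends a redirect to an existing page."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "images"))
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("homepage\n")
        with open(os.path.join(docroot, "images", "logo.txt"), "w") as f:
            f.write("logo placeholder\n")
        baseline = build_manifest(docroot)

        # Attacker activity over FTP (constructed): a new page in an unobtrusive
        # subdirectory, plus a redirect appended to an existing page.
        os.makedirs(os.path.join(docroot, "images", "tmp"))
        with open(os.path.join(docroot, "images", "tmp", "nude-celebs.html"), "w") as f:
            f.write("planted SEO page carrying an obfuscated redirect\n")
        with open(os.path.join(docroot, "index.html"), "a") as f:
            f.write("injected redirect script\n")

        return compare_manifests(baseline, build_manifest(docroot))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Run build_manifest() right after a clean deployment, store the result with save_manifest() somewhere the FTP account cannot write, and rerun the comparison from cron; anything in the added or modified lists that was not deployed deliberately deserves a look.&lt;br /&gt;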
&lt;br /&gt;
Further details are available for security researchers interested in the specific attack and related code.&amp;nbsp; Right now, eSoft estimates that the attack affects 3,200 websites.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4HB2-OBSl6y_XouG4RM8QGWDgKQcVz2w_irYDItceY5X4UwMlU1eWBtjhIhqXHovwrRJVIPI1H9Utmsyq-Z4QR3H1uihZiNHHpKlz78qeYMlnDGI9byCkOA7b7agGPFjkpmvrOQLRx0G9/s72-c/Screenshot-AntivirusPlus+-+Mozilla+Firefox-1.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Red Button SEO Poisoning and Malware Campaign</title><link>http://threatcenter.blogspot.com/2010/06/red-button-seo-poisoning-and-malware.html</link><category>blackhat seo</category><category>malware</category><category>rogue av</category><category>web security</category><pubDate>Tue, 29 Jun 2010 19:49:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-5345343196109734849</guid><description>eSoft researchers have been tracking a new campaign by cybercrooks, compromising and creating websites for use in SEO poisoning and malware distribution.  Thousands of these sites have been detected which use elaborate techniques to trick search engines and are ready to serve malware in an instant. &lt;br /&gt;
&lt;br /&gt;
At the core of this attack is cloaking: the pages inspect the HTTP Referer and User-Agent headers of each request and serve different content depending on who is asking, which lets the cybercriminals raise their search engine ranking while keeping their malicious intentions hidden from anyone who looks directly.  Google and other search engine bots are served SEO-tailored content to manipulate search results and drive traffic; this content is a mashup of text and images scraped from various sites. &lt;br /&gt;
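The cloaking described above can be confirmed from outside: fetch the same URL under several personas and compare the answers. The Python below is an added example, not eSoft's code; cloaked_page() is a constructed model of the behaviour the post describes, not code recovered from the campaign, and the header strings and persona names are the editor's own choices.&lt;br /&gt;

```python
# Added example, not eSoft's code: detect Referer / User-Agent cloaking by
# requesting the same URL under several personas and comparing the responses.
import hashlib

# Personas a probe should try. Header values are illustrative; any crawler
# string and any search-engine referrer will do for the comparison.
PERSONAS = {
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Referer": "",
    },
    "direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
        "Referer": "",
    },
    "from-search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
        "Referer": "http://www.google.com/search?q=cheap+pharmacy",
    },
}


def cloaked_page(headers):
    """Constructed model of the behaviour the post describes: keyword filler for
    crawlers, a harmless placeholder for direct visits, and the malicious
    redirect only for visitors who arrived from a search engine."""
    ua = headers.get("User-Agent", "").lower()
    ref = headers.get("Referer", "").lower()
    if "googlebot" in ua or "bingbot" in ua or "slurp" in ua:
        return "keyword-stuffed text and images scraped from other sites"
    if "google." in ref or "bing.com" in ref or "yahoo." in ref:
        return "obfuscated script redirecting to a rogue AV or pharmacy page"
    return "red button placeholder page"


def fingerprint(body):
    """Short content hash; in live use, strip timestamps and ad slots first so
    legitimate per-request noise doesn't look like cloaking."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def probe(fetch, personas=PERSONAS):
    """fetch(headers) returns a response body. Returns (fingerprints, cloaked):
    one fingerprint per persona, and True when the personas did not all receive
    the same page."""
    fps = {name: fingerprint(fetch(headers)) for name, headers in personas.items()}
    return fps, len(set(fps.values())) != 1


def response_groups(fps):
    """Persona names grouped by the response they received, largest group first,
    so an analyst can see which visitors get the 'special' page."""
    groups = {}
    for name, fp in fps.items():
        groups.setdefault(fp, []).append(name)
    return sorted(groups.values(), key=len, reverse=True)


def http_fetcher(url):
    """Real fetch for live use against a URL you are authorised to test, from an
    isolated analysis host (not exercised in the offline demo)."""
    import urllib.request

    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    return fetch


if __name__ == "__main__":
    fps, cloaked = probe(cloaked_page)
    print("cloaked:", cloaked)
    for group in response_groups(fps):
        print("same response for:", group)
```

For a live check, pass http_fetcher(url) to probe() instead of cloaked_page. A page that answers a crawler, a direct visitor and a search-engine referral with three different bodies is behaving exactly as the campaign pages do.&lt;br /&gt;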
&lt;br /&gt;
Users who arrive at these pages from Google or another search engine get something else entirely.  In the course of monitoring, eSoft has seen these pages deliver &lt;a href="http://threatcenter.blogspot.com/2010/06/introduction-to-rogue-anti-virus.html"&gt;Rogue AV&lt;/a&gt;, redirect to &lt;a href="http://threatcenter.blogspot.com/search/label/pharma%20fraud"&gt;fraudulent pharmacies&lt;/a&gt;, fake search pages and more.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrU86NnQfpPseKsswGx7ViHLCeBgQkOzZ8qNslu3WfkpXQPbCo_9koGEhM8Z2LpwC7eTrBLifghvsPprdYeEJGW2OViLLhxP_vWQYHj0SgkvQlHQ9Gxga-v9JzfUfNMSAb-jYB2Ln6LVOk/s1600/pharm_redbutton.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrU86NnQfpPseKsswGx7ViHLCeBgQkOzZ8qNslu3WfkpXQPbCo_9koGEhM8Z2LpwC7eTrBLifghvsPprdYeEJGW2OViLLhxP_vWQYHj0SgkvQlHQ9Gxga-v9JzfUfNMSAb-jYB2Ln6LVOk/s400/pharm_redbutton.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
At the time of writing, most of the sites involved in the campaign are hosting a “Red Button” Flash file, shown below.&amp;nbsp; The file is a marker of compromise; clicking the red button currently does nothing malicious, and the pages serve as a placeholder for the attackers.&amp;nbsp; Because these pages change their content depending on how they are referenced, at any time they could begin infecting visitors with malware.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnErnDHk7PJYPBhABvVCHENosIyPsBy89ZF9sd0Xw7mNDCET3WEAmClkq_KFu4BQsGF7Bppl4XF0zdA_8_snHdg3ZcJHCgKjRaIMNV7VrxzzYIrNeUQAvYODZfe2YbGEciqrTC_pthYSIh/s1600/redbutton.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnErnDHk7PJYPBhABvVCHENosIyPsBy89ZF9sd0Xw7mNDCET3WEAmClkq_KFu4BQsGF7Bppl4XF0zdA_8_snHdg3ZcJHCgKjRaIMNV7VrxzzYIrNeUQAvYODZfe2YbGEciqrTC_pthYSIh/s400/redbutton.png" width="400" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The Threat Prevention Team is keeping a close watch on these&amp;nbsp;sites as they continue to multiply. &amp;nbsp;There is a strong chance that these sites are currently establishing good reputations with security companies that will make future attacks through these sites more effective. &amp;nbsp;eSoft is&amp;nbsp;classifying these sites as Compromised to protect&amp;nbsp;SiteFilter users from any future malicious payloads.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrU86NnQfpPseKsswGx7ViHLCeBgQkOzZ8qNslu3WfkpXQPbCo_9koGEhM8Z2LpwC7eTrBLifghvsPprdYeEJGW2OViLLhxP_vWQYHj0SgkvQlHQ9Gxga-v9JzfUfNMSAb-jYB2Ln6LVOk/s72-c/pharm_redbutton.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>What Drives Organizational Web Filtering?</title><link>http://threatcenter.blogspot.com/2010/06/what-drives-organizational-web.html</link><category>web security</category><pubDate>Thu, 24 Jun 2010 11:53:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-4647909656614311638</guid><description>Network administrators and businesses install web filtering on networks for a variety of reasons ranging from compliance and legal requirements to worker productivity issues.  To gain some insight, eSoft is taking a poll of network administrators, customers, readers, and security professionals to identify the most important drivers behind web filtering. We’d love participation of our readers and loyal eSoft customers. When complete, we’ll report the findings back to readers on the Threat Center Live blog.  &lt;br /&gt;
&lt;br /&gt;
Please take a moment to respond below, or on the &lt;a href="http://www.esoft.com/new_products"&gt;eSoft website&lt;/a&gt;, and thanks for your participation. &lt;br /&gt;
&lt;br /&gt;
&lt;div style="padding-left: 60px;"&gt;&lt;a href='http://www.constantcontact.com/survey/index.jsp?cc=ViraWidPOL'&gt;Online Surveys&lt;/a&gt; by Constant Contact.&lt;br /&gt;
&lt;/div&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Introduction to Rogue Anti-Virus</title><link>http://threatcenter.blogspot.com/2010/06/introduction-to-rogue-anti-virus.html</link><category>malware</category><category>rogue av</category><category>web security</category><pubDate>Wed, 23 Jun 2010 12:05:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-6726054250963519759</guid><description>If you follow the Threat Center Blog, you’ve heard us talk about “Rogue AV,” but may not fully understand what we’re referencing.&amp;nbsp; This post is for those users who are not already familiar with this widespread and common threat.&lt;br /&gt;
&lt;br /&gt;
In short, when we and other security researchers reference Rogue AV, we’re referring to an Internet scam where an official-looking web page pops up telling the user that a virus has been detected on their computer.&amp;nbsp; The web page often appears to be scanning the local computer and often reports multiple found infections.&amp;nbsp; The web page, the report, and everything about this scam is a fraud.&lt;br /&gt;
&lt;br /&gt;
Millions of users have been duped into installing malicious software (malware) onto their systems, allowing cybercriminals to steal money and personal details. Here’s how the attack works:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;Step One: Get the user to the malicious website&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
First, the group or groups behind these attacks post large numbers of links to some new domain by spamming community forums and blog comments, and by placing the links inside hidden elements on compromised websites, a technique known as &lt;a href="http://threatcenter.blogspot.com/search/label/blackhat%20seo"&gt;Blackhat SEO&lt;/a&gt; (Search Engine Optimization).&amp;nbsp; In this way they get the target website high up in search results for common or recently trending search terms.&amp;nbsp; Right now, for example, search results for Wimbledon and the World Cup are actively being poisoned in this manner.&lt;br /&gt;
&lt;br /&gt;
The above technique is usually seen in conjunction with one or more of the following:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Redirects from compromised websites that are otherwise legitimate&lt;/li&gt;
&lt;li&gt;Spam emails that are often sent via other compromised computers &lt;/li&gt;
&lt;li&gt;Malvertisements, where attackers pay for an ad in a legitimate ad network but use the ad to send people to the malicious website.&amp;nbsp; In the past year, reputable sites like the New York Times, WhitePages, TechCrunch and others have been caught hosting such malvertisements.&lt;/li&gt;
&lt;/ul&gt;&lt;b&gt;&lt;u&gt;Step Two: The con game&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Once on the website, social engineering tricks are invoked to convince the user to fall for this modern Internet con.&amp;nbsp; Computer users are conditioned by constant reminders to keep their computers free of viruses and malware by running anti-virus software and keeping virus definitions up to date.&amp;nbsp; These websites use that conditioning against the user: visual elements establish authority and trust, and then a sense of danger and urgency is created by telling the user that their computer is infected with viruses and that their personal data and computer are under someone else’s control.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Rogue anti-virus malware comes in many different forms and will take different approaches to fool a user, but at the most basic level, rogue anti-virus scams convince the user that they have a problem and that they need to download some software to fix the problem.&lt;br /&gt;
&lt;br /&gt;
The screenshots below are just a few examples of fake scanners. These specially crafted pages are made with great detail to look exactly like Windows XP, Vista, or Windows 7 system alerts.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy8lem1mMfhFxVXUfYrEU0pcD97UhbUehjUTmxbdMD4mb-wsGoTox6O8VbwBCkp1FEpPtYqHDw_UaAk75IY7XSuLCKTv3vITX6DgHkfCibKQzzxWFz7U0-oZey-baInfACjzDPRS1MGjOh/s1600/fakescan1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy8lem1mMfhFxVXUfYrEU0pcD97UhbUehjUTmxbdMD4mb-wsGoTox6O8VbwBCkp1FEpPtYqHDw_UaAk75IY7XSuLCKTv3vITX6DgHkfCibKQzzxWFz7U0-oZey-baInfACjzDPRS1MGjOh/s400/fakescan1.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzXizqdJ6XAc_OhUa-Nzeu8i5FvsIaELLQvubXHnnO3kJP4qTfgV78o1K0-YMhtD5DWDQapuc9CpBDbD2q6o0KSuPAroBbJChrkjaW02BCQUPidKq-TZKQgRZNeL-TnjXc63dJyXPYv6D5/s1600/fakescan2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzXizqdJ6XAc_OhUa-Nzeu8i5FvsIaELLQvubXHnnO3kJP4qTfgV78o1K0-YMhtD5DWDQapuc9CpBDbD2q6o0KSuPAroBbJChrkjaW02BCQUPidKq-TZKQgRZNeL-TnjXc63dJyXPYv6D5/s400/fakescan2.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZN0Lm_3x4f7X5mjLRpIromL-8fDDKi4p-RqcYtC5ePeFwHrtOXMLcWdL0s48AfiRDKyGUZPYnAImUNUA7au0sknOhiZIf7rfEgdYc_ur483zpPDAqYGJY04cDWZ-Oj2C6fCY1kKtuYIMh/s1600/fakescan3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZN0Lm_3x4f7X5mjLRpIromL-8fDDKi4p-RqcYtC5ePeFwHrtOXMLcWdL0s48AfiRDKyGUZPYnAImUNUA7au0sknOhiZIf7rfEgdYc_ur483zpPDAqYGJY04cDWZ-Oj2C6fCY1kKtuYIMh/s400/fakescan3.jpg" width="400" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Fake scans like these are very believable to untrained users and give cybercriminals a very high success rate.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;Step Three: Infection&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Frequently a box pops up that asks the user if they want to download the software that will fix the purported problem.&amp;nbsp; In many cases, it doesn’t matter if the user agrees or cancels, the download will begin in either case. Once the downloaded file is opened, the system is infected and the user has been tricked into installing the very thing he or she sought to remove.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Cybercriminals make it very difficult to click away from the page, so that in some cases, the user relents out of a sense of frustration and not knowing how else to move forward.&amp;nbsp; In many cases the malicious file is downloaded with no user interaction at all. &lt;br /&gt;
&lt;br /&gt;
The actual file that is downloaded changes often, with different names and characteristics.&amp;nbsp; At the time of an attack, eSoft rarely sees more than two or three of the 40-plus legitimate anti-virus engines it checks detecting the file as malicious.&amp;nbsp; The perpetrators spit out new variations of the download at a very high rate in an attempt to stay ahead of signature-based anti-virus software.&lt;br /&gt;
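Because the downloaded file changes faster than signatures can follow, a web filter that wants to catch the landing page itself has to look at what the page does rather than at a file hash. The Python below is an added example, not eSoft's code or SiteFilter's logic: it scores a fetched page against a few indicators drawn from Steps Two and Three (scare text, exit trapping, dialog spam, a pushed executable, obfuscation wrappers). The indicator patterns and the two sample pages are the editor's own constructions, not signatures from any real campaign.&lt;br /&gt;

```python
# Added example, not eSoft's code: heuristic triage of a fetched landing page for
# the fake-scanner traits described in Steps Two and Three. The patterns are the
# editor's own generic choices, not signatures from any real campaign.
import re

INDICATORS = {
    # Social engineering: the page asserts that the visitor's machine is infected.
    "scare_text": re.compile(
        r"(your (computer|pc|system) (is|has been|may be) infected"
        r"|(threats?|infections?|viruses) (found|detected))", re.I),
    # Step Three: the page resists being closed.
    "exit_trap": re.compile(r"on(before)?unload\s*=", re.I),
    # Repeated modal dialogs that imitate system alerts.
    "dialog_spam": re.compile(r"\b(alert|confirm)\s*\(", re.I),
    # A Windows executable is referenced for download, redirect or refresh.
    "forced_download": re.compile(r"[\w/.\-]+\.exe\b", re.I),
    # Common obfuscation wrappers around redirect and dropper code.
    "obfuscation": re.compile(
        r"eval\s*\(\s*unescape|String\.fromCharCode\s*\(|document\.write\s*\(\s*unescape",
        re.I),
}


def scan_page(body):
    """Sorted names of the indicators that fire on the page body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def verdict(hits):
    """Scare text alone is just an aggressive ad; scare text combined with a
    delivery or trapping mechanism is the rogue-AV pattern the post walks through."""
    delivery = ("forced_download", "exit_trap", "dialog_spam")
    if "scare_text" in hits and any(h in hits for h in delivery):
        return "rogue-av"
    if "obfuscation" in hits and "forced_download" in hits:
        return "suspicious-dropper"
    return "clean"


# Constructed sample pages, not captures from a real site.
FAKE_SCANNER = """
&lt;title&gt;Windows Security Alert&lt;/title&gt;
&lt;div class="dialog"&gt;Warning! Your computer is infected! 23 threats found.
Click OK to download and install Antivirus Plus.&lt;/div&gt;
&lt;script&gt;
window.onbeforeunload = function () { return "Your system is still at risk!"; };
setInterval(function () { alert("Your computer is infected!"); }, 3000);
location.href = "/get/AntivirusPlus_setup.exe";
&lt;/script&gt;
"""

VENDOR_PAGE = """
&lt;title&gt;Free trial scanner&lt;/title&gt;
&lt;p&gt;Your PC may be infected. Download our free trial and find out.&lt;/p&gt;
&lt;a href="/trial/"&gt;Start the free trial&lt;/a&gt;
"""

if __name__ == "__main__":
    for label, page in (("fake scanner", FAKE_SCANNER), ("vendor page", VENDOR_PAGE)):
        hits = scan_page(page)
        print(label, hits, verdict(hits))
```

The compound rule in verdict() is the important part: a legitimate anti-virus vendor's page may well say “your PC may be infected”, so scare text on its own is only a weak signal, while scare text plus a pushed executable or an unload trap is the combination the post describes. In production the indicator list would be much longer and weighted, and fed by the same real-time URL classification the Prevention section calls for.&lt;br /&gt;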
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;Step Four: Asking for payment&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Once a user has clicked to open the malicious file and install the software, the problem only gets worse. The cybercriminals do well in masking their malicious intentions throughout the install process. In many cases the installation is a &lt;i&gt;silent&lt;/i&gt; install – one which requires no user interaction – or a standard install wizard which raises no red flags to the user.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRv6jynxmw2CGGmEoWgi_H_fnX7NVP0-DL0z5_l8i3plRf3f1TMyhpUId7Nn53R92qE-PgJD8QbvVM9E0k2-hHEtfUSd3Z88oIrc2oaMaqChzYGvwn_xWhGB0OBeH-w4PyyTHSQ4-nPzzL/s1600/install1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRv6jynxmw2CGGmEoWgi_H_fnX7NVP0-DL0z5_l8i3plRf3f1TMyhpUId7Nn53R92qE-PgJD8QbvVM9E0k2-hHEtfUSd3Z88oIrc2oaMaqChzYGvwn_xWhGB0OBeH-w4PyyTHSQ4-nPzzL/s400/install1.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOMg2sXGOKcxvkOo7IovCgB1GGP4lFMLoFyJ80-051WHsz9e9zL5UkZXbs8aGlE9UYWq_TnrTPHlAZcXNeq8kZa2GdGinQ_IeC2qpUtkTygu11cdohIafzCf6nMbYxRT764Hk0ml6TzT7Z/s1600/install2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOMg2sXGOKcxvkOo7IovCgB1GGP4lFMLoFyJ80-051WHsz9e9zL5UkZXbs8aGlE9UYWq_TnrTPHlAZcXNeq8kZa2GdGinQ_IeC2qpUtkTygu11cdohIafzCf6nMbYxRT764Hk0ml6TzT7Z/s400/install2.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Once installed, the rogue anti-virus program will inundate the user with notifications that the system is infected and that they still need to take action. In order to remove the supposed infections (not the real problem) the user is asked to pay a license or subscription fee that typically runs between $50 and $100 USD.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh-zzRqlpUyEVLgS8X-TxCM6o_83eSeT4aIVEU40fWiGESRvOADxf88VLRAywPG2VHxsKZLIooFhz0j0L9O0z064sTZKjQGHrecjUPbMv0TP7racazHermSXSQT-Wj0Q0tRWPLMBz_orr0/s1600/install3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh-zzRqlpUyEVLgS8X-TxCM6o_83eSeT4aIVEU40fWiGESRvOADxf88VLRAywPG2VHxsKZLIooFhz0j0L9O0z064sTZKjQGHrecjUPbMv0TP7racazHermSXSQT-Wj0Q0tRWPLMBz_orr0/s320/install3.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh49671PUnW0BZf4PD6FF97WPsHAkRSz275Vqr0u3JLDjD1rOHYc_UN6kY96fFeC6RuLRhYvsuw1rwVfrXXXzmMl_DySBTBSwJQompFm4eS37IjVR8Xw-10K5b802eAhl4hYsEgeMPQqwZY/s1600/install4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh49671PUnW0BZf4PD6FF97WPsHAkRSz275Vqr0u3JLDjD1rOHYc_UN6kY96fFeC6RuLRhYvsuw1rwVfrXXXzmMl_DySBTBSwJQompFm4eS37IjVR8Xw-10K5b802eAhl4hYsEgeMPQqwZY/s400/install4.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Though the branding changes (these screenshots show the Rogue AV “Alpha AntiVirus”), the checkout pages are as convincing as the rest of the scam, frequently carrying badges for secure payments and other “trust me” icons.&amp;nbsp; Pricing is comparable to legitimate anti-virus products and comes with a money-back guarantee, to further convince a wavering user that the risk of handing over their credit card and personal information is low.&amp;nbsp; In reality, submitting credit card details does not clean the system; it sends the name, address, and card number directly to the perpetrators of the attack. &lt;br /&gt;
&lt;br /&gt;
Users infected with this might just assume this is an annoyance, but the scam goes much deeper than this. These programs have been created by large underground crime rings that now have the users’ personal information and credit card number.&amp;nbsp; In addition, these programs are often packaged with downloader Trojans which are capable of downloading any type of malware the attacker chooses. Because many of these criminal enterprises are also heavily involved in banking malware, this is just one of the many additional types of malware that can be installed.&amp;nbsp; As a result, an infected computer should have a computer professional remove the virus, which can cost small businesses thousands of dollars per year. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;Prevention&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Cybercriminals go to great lengths to make sure they can infect a machine and get around classic signature-based virus scanning.&amp;nbsp; If a user gets a web browser window that says their computer is infected with malware, they should immediately attempt to close the window.&amp;nbsp; If that is not possible, then quitting and restarting the web browser is the next best thing.&amp;nbsp; This, of course, requires that users are trained in spotting and avoiding this attack, but in practice, training unsavvy users alone is not always fruitful.&lt;br /&gt;
&lt;br /&gt;
Now more than ever, malware is distributed via the web. In fact, over 75% of new malware is delivered through the web. Classic anti-virus is struggling to address these threats effectively.&amp;nbsp; The most effective way to stop web-based threats is with &lt;i&gt;Secure Web Filtering&lt;/i&gt;.&amp;nbsp; Secure web filtering works by detecting and blocking dangerous sites even before there is any anti-virus protection.&amp;nbsp; By blocking access to the site, the threat is mitigated. Secure web filtering must have real-time updates in order to block these fast-moving websites, but with such a solution, users should be well protected from this pervasive threat.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy8lem1mMfhFxVXUfYrEU0pcD97UhbUehjUTmxbdMD4mb-wsGoTox6O8VbwBCkp1FEpPtYqHDw_UaAk75IY7XSuLCKTv3vITX6DgHkfCibKQzzxWFz7U0-oZey-baInfACjzDPRS1MGjOh/s72-c/fakescan1.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Alert to Web Security Researchers: Malicious scripts masquerade as Google Analytics</title><link>http://threatcenter.blogspot.com/2010/06/alert-to-web-security-researchers.html</link><category>compromised sites</category><category>web security</category><pubDate>Mon, 14 Jun 2010 15:48:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-3337213757546624539</guid><description>eSoft's Threat Prevention Team has detected attacks that are masked to look like standard Google Analytics code. Google Analytics issues a snippet of javascript code that dynamically adds a script tag to a page. This tag then loads the Google Analytics code for logging visits to the site.&lt;br /&gt;
&lt;br /&gt;
Researchers see this code in HTML source so often that it almost never gets a second glance - until now. eSoft researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCXm8A_8jkm1DyIsnQWPbazWT8bq7J6IozzWnJs2RYGsOW5bIi73HjcLRkn9tkMIeu7jCxANrUgfbANMCjANdL1BVyP3WkFGrms-kvnCQRF9xurBB-Fob8sSVNcr9fT7j1tqzftVgzylC9/s1600/script1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCXm8A_8jkm1DyIsnQWPbazWT8bq7J6IozzWnJs2RYGsOW5bIi73HjcLRkn9tkMIeu7jCxANrUgfbANMCjANdL1BVyP3WkFGrms-kvnCQRF9xurBB-Fob8sSVNcr9fT7j1tqzftVgzylC9/s640/script1.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Decoded, this turns into a script tag that looks like this:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEithaxA4Oumo8_l3qYoMDechwK-UqpQh1IMBNoVTL1lLW-TI3EILbgEZiJDAdArabXBDpL6k02fyPSk6n4KCuedik6QShl6TpaFftVSdINMQ2owDrY3xOf3eupGPyIUv_fChJMvc32w9__D/s1600/script2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="17" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEithaxA4Oumo8_l3qYoMDechwK-UqpQh1IMBNoVTL1lLW-TI3EILbgEZiJDAdArabXBDpL6k02fyPSk6n4KCuedik6QShl6TpaFftVSdINMQ2owDrY3xOf3eupGPyIUv_fChJMvc32w9__D/s640/script2.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Note the use of the "sr?" attribute for the Google Analytics URL, with the actual "src" attribute pointing to the malicious script at 91.212.65.148. Security researchers out there, be sure to take a second look at that Google Analytics code next time you're looking at an infected site.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCXm8A_8jkm1DyIsnQWPbazWT8bq7J6IozzWnJs2RYGsOW5bIi73HjcLRkn9tkMIeu7jCxANrUgfbANMCjANdL1BVyP3WkFGrms-kvnCQRF9xurBB-Fob8sSVNcr9fT7j1tqzftVgzylC9/s72-c/script1.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>New Email Phish Targets Twitter Users, Abuses Google Groups</title><link>http://threatcenter.blogspot.com/2010/06/new-email-phish-targets-twitter-users.html</link><category>compromised sites</category><category>email</category><category>phishing scams</category><category>spam</category><pubDate>Mon, 7 Jun 2010 18:14:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-6680320281725160821</guid><description>A new Twitter spam campaign is making the rounds, infecting users with rogue anti-virus malware. The spam mail attempts to convince the user that someone was trying to steal their Twitter account information, and to download a “secure module” to protect their account. &lt;br /&gt;
&lt;br /&gt;
The email that begins the attack looks like an authentic communication from Twitter, with a link ostensibly to twitter.com.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEamW62Cy-Hnkglx_gUSea4aTrqQirPXSz_ibBnD8PiQj3L6N6o5bw00FGE5iZ2ceoHZKQ9ya8iijE04DsVAhQPrghn3HNonRnBSVaPC9-KEgUEMsuiXxTOchHJd7s1UfCWP6uddh3CA_/s1600/twitter_google.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="367" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEamW62Cy-Hnkglx_gUSea4aTrqQirPXSz_ibBnD8PiQj3L6N6o5bw00FGE5iZ2ceoHZKQ9ya8iijE04DsVAhQPrghn3HNonRnBSVaPC9-KEgUEMsuiXxTOchHJd7s1UfCWP6uddh3CA_/s400/twitter_google.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
However, the link provided by the attacker does not actually link back to Twitter, but to a Google Groups page where the malware is currently hosted.&amp;nbsp; The use of Google Groups to distribute malware has been a continuing trend since eSoft first &lt;a href="http://threatcenter.blogspot.com/2010/05/google-groups-latest-hot-spot-for-rogue.html"&gt;blogged&lt;/a&gt; about it last month.&lt;br /&gt;
&lt;br /&gt;
Virus Total shows a &lt;a href="http://www.virustotal.com/analisis/19a844fd5ae3c41b964549ce4e7388776be2fb24730f01576d69c21fb45e2658-1275931409"&gt;moderate detection rate&lt;/a&gt;: 21 out of 41 anti-virus engines currently detect this threat.&amp;nbsp; For users whose anti-virus software does not detect the threat, a download will result in an infection with the &lt;a href="http://threatcenter.blogspot.com/search/label/rogue%20av"&gt;rogue anti-virus malware&lt;/a&gt;.&amp;nbsp; The malware launches a “Protection Center,” which runs a fake anti-virus scan ostensibly revealing that the machine is infected by a slew of viruses. The user must activate the software to remove the bogus infections, handing their credit card info over to cyber criminals. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY9m9vG-JIlroxvLDbpA0k7oecYWYudaFJnJdiHyPq5s8mMimTnyfsGYNty6QYrYynHKEYBMqxAMB61OXr0ELCDhookkVu3rCdMxVOxcWkOf0bv6wKTgZk_O1F7Pujvk2p6rkucfg2IajO/s1600/protectioncenter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY9m9vG-JIlroxvLDbpA0k7oecYWYudaFJnJdiHyPq5s8mMimTnyfsGYNty6QYrYynHKEYBMqxAMB61OXr0ELCDhookkVu3rCdMxVOxcWkOf0bv6wKTgZk_O1F7Pujvk2p6rkucfg2IajO/s400/protectioncenter.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
The cybercriminals behind this attack make excellent use of social engineering tricks to fool users into installing this malware. They use the topic of stolen Twitter account credentials to get the users’ attention, then link to Google Groups to make users feel comfortable with the download, and finally use convincing fake anti-virus scans to make the user believe their machine is infected. &lt;br /&gt;
&lt;br /&gt;
eSoft is flagging these infected Google Groups pages as Compromised.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEamW62Cy-Hnkglx_gUSea4aTrqQirPXSz_ibBnD8PiQj3L6N6o5bw00FGE5iZ2ceoHZKQ9ya8iijE04DsVAhQPrghn3HNonRnBSVaPC9-KEgUEMsuiXxTOchHJd7s1UfCWP6uddh3CA_/s72-c/twitter_google.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>135,000 Fake YouTube Pages Delivering Malware</title><link>http://threatcenter.blogspot.com/2010/06/135000-fake-youtube-pages-delivering.html</link><category>blackhat seo</category><category>compromised sites</category><category>web security</category><pubDate>Mon, 7 Jun 2010 13:36:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-3958915284867001636</guid><description>The eSoft Threat Prevention Team has uncovered thousands of compromised web servers hosting fake YouTube pages.&amp;nbsp; Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware. &lt;br /&gt;
&lt;br /&gt;
The fake YouTube pages are well crafted and look almost identical to the real site.&amp;nbsp; By using websites like YouTube, cyber criminals are taking advantage of users’ inherent trust in the site and are able to infect more machines.&lt;br /&gt;
&lt;br /&gt;
Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs.&amp;nbsp; Google search results show 135,000 of these infected pages at the time of writing.&amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRFz5WWIJMoKOms7nUreJd_PGNSlWOIi7vrGVRSe6x42oXOA1TlqNiXK_W7ymqegljFrZrFgIkn4Op2lpxv9qr5QN_IMkLFJZApi-SHPOTV6N4lipwZ1kgd8YS6lg-uA8_-EXu3oiEzCw_/s1600/youtube_oilspill.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRFz5WWIJMoKOms7nUreJd_PGNSlWOIi7vrGVRSe6x42oXOA1TlqNiXK_W7ymqegljFrZrFgIkn4Op2lpxv9qr5QN_IMkLFJZApi-SHPOTV6N4lipwZ1kgd8YS6lg-uA8_-EXu3oiEzCw_/s400/youtube_oilspill.bmp" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg17et7FSPUI0T8JLuUcDIUHSbiLS7tSyoT3Glpetm3q_DLq-_4_wq_XSNEhmi8Hs5qIUd1FLgqvcLe6PSt8MRBfLYv8Drycmym52JuBfNsYB1GhGHVfnbP3FfpwVhe41I5_-Nm5DFYDplg/s1600/youtube_oilspill2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg17et7FSPUI0T8JLuUcDIUHSbiLS7tSyoT3Glpetm3q_DLq-_4_wq_XSNEhmi8Hs5qIUd1FLgqvcLe6PSt8MRBfLYv8Drycmym52JuBfNsYB1GhGHVfnbP3FfpwVhe41I5_-Nm5DFYDplg/s400/youtube_oilspill2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp; &lt;br /&gt;
By clicking ‘OK’ to install the codec the user is redirected through intermediary sites to a final destination where the malware is downloaded.&amp;nbsp; After opening the file, the malware runs silently in the background giving unsuspecting users no sign that their computer is now infected and their data and computing resources are under the control of hackers. &lt;br /&gt;
&lt;br /&gt;
Presently, this fake codec is actually a downloader Trojan with very low anti-virus detection.&amp;nbsp; Virus Total shows that only 8 of 41 anti-virus scanners currently &lt;a href="http://www.virustotal.com/analisis/9df2003a7783ad86ecd03c3c71c1a14fbfbdfa8f5020df5f7faeebdd5c73286d-1275929076"&gt;detect the threat&lt;/a&gt;.&amp;nbsp; Without capable, secure web filtering to block access to these malicious sites, these threats have a high chance of infecting users.&lt;br /&gt;
&lt;br /&gt;
eSoft is flagging any sites hosting the fake YouTube pages as compromised until the pages are removed.&amp;nbsp; Intermediary sites and distribution points will also be blocked as compromised or malicious distribution points, protecting SiteFilter customers from infection.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRFz5WWIJMoKOms7nUreJd_PGNSlWOIi7vrGVRSe6x42oXOA1TlqNiXK_W7ymqegljFrZrFgIkn4Op2lpxv9qr5QN_IMkLFJZApi-SHPOTV6N4lipwZ1kgd8YS6lg-uA8_-EXu3oiEzCw_/s72-c/youtube_oilspill.bmp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Anatomy of a Modern Compromised Website</title><link>http://threatcenter.blogspot.com/2010/05/anatomy-of-modern-compromised-website.html</link><category>blackhat seo</category><category>compromised sites</category><category>pagerank bomb</category><category>security</category><category>web security</category><pubDate>Tue, 25 May 2010 16:48:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-1545469760187978949</guid><description>In the security community, little attention is paid to compromised websites that don't serve up malware.  The malicious URL lists maintained by the anti-virus companies, by Google, and by nearly every other source of malicious URLs rely on anti-virus to trigger on exploits and malware to determine if a site is malicious.  In a few select cases, behavioral analysis may be used to determine if a visit to a website will lead to an infected computer.  But sites that are taken over by hackers are frequently used for other purposes besides directly serving up viruses or redirecting to sites that do.&lt;br /&gt;
&lt;br /&gt;
When a hacker gains control of a site, they generally do one of several things:&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Nothing&lt;/strong&gt; -- they sit on it waiting for a later date,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Malware&lt;/strong&gt; -- they load on exploits and malware or links to sites that host these in an attempt to infect visitors to the site,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Defacement&lt;/strong&gt; -- they put up a big notice saying they hacked the site,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attack relay&lt;/strong&gt; -- they use the site as part of a chain of sites that lead to malware,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hijacked advertising&lt;/strong&gt; -- they put ads on the site or change ads on the site to make themselves the beneficiaries, or&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Blackhat SEO&lt;/strong&gt; -- they use the site to trick search engines into thinking that some other site or sites are very popular and should be elevated in search page results.&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
&lt;br /&gt;
It is the last one, Blackhat Search Engine Optimization (SEO), where hackers are seeing so much success (see our &lt;a href="http://threatcenter.blogspot.com/search/label/blackhat%20seo"&gt;previous blogs on this topic&lt;/a&gt;).  SEO is the pseudo-science of increasing a website's ranking in a set of search results.  Landing at or near the top means more traffic to a website, which can mean advertising revenue or, if the site is malicious, a larger number of infected computers.  In either case, the motive is money.  And in some cases, hackers sell their SEO services and make money by increasing that search engine ranking.&lt;br /&gt;
&lt;br /&gt;
In any case, search engine rankings are largely driven by popularity.  The top results have links coming from many other sites, where the more popular the sites that link, the higher the popularity of the site being linked.  We call it Blackhat SEO because hackers use the websites they've compromised to host links to a website that they want to appear high up in search results.  These links are usually hidden so that casual visitors to the site and the site's maintainers don't see them.  The links are disguised by putting them off screen or using other techniques to make them invisible to a human visitor, while they remain perfectly visible to computers like Google's crawlers.&lt;br /&gt;
&lt;br /&gt;
Take, for example, the case of Nauman Sod Farms, a small business in Iowa with a simple website that eSoft first flagged as compromised on February 4th, 2009.  It was continuously rechecked and found by eSoft to be infected from then up through this posting.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggGX26N3Svx01GgorZH2-grn9OdksNwzmnsqx2yeD0Ctx-0pjXd5QYmAxtUrEjCElaznDWb4yDE5NfSphJJ80NU2GpyUa-qCx9vf_TLZRm5Ba_PyMfpnWJFHDQNQykWnctUBD1kL45M0gG/s400/nauman-homepage.png" width="348" /&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
It is easy to see why someone would think this site is innocent.  To a normal user, it appears perfectly fine, but this small business is being exploited by hackers.  If you view their home page without security precautions, everything looks normal.  If you then disable javascript (using the NoScript plugin or your browser preferences) and reload the home page, you’ll see a long stream of cell phone related links show up at the bottom of the page including:&lt;br /&gt;
&lt;br /&gt;
&lt;img align="right" border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwMhm3nDtnfbqplQdaLWGHug_J7Kw4qqAB-rRbFK1u598CvhmA1J_8d1VXw9QEYbcStDIC-qLL_W385745d24HTqzL-T6BT5kO-TL1EuzIrYWGrTXsnikvRqrDfyfNenUoMOkJoLnzOEZ/s200/nauman-homepage-seolinks.png" width="200" /&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;cf card gsm review siemens&lt;/li&gt;
&lt;li&gt;unlocking nokia 5210e&lt;/li&gt;
&lt;li&gt;tocatta and fugue in d minor ringtone verizon&lt;/li&gt;
&lt;li&gt;motorola e1 secret codes&lt;/li&gt;
&lt;li&gt;samsung le32r41bd&lt;/li&gt;
&lt;li&gt;free download polyphonic ringtones through sms&lt;/li&gt;
&lt;li&gt;motorola java games&lt;/li&gt;
&lt;li&gt;law and order ringtone&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In this case, javascript was used to hide the links, but that is not necessarily the case.  And in this case, the links are search engine bait for various mobile phone searches, but we more often see links to pornography sites and malicious sites inside these PageRank Bombs.  &lt;br /&gt;
&lt;br /&gt;
In this case, two pieces of obfuscated javascript (meaning it is loosely encrypted to evade anti-virus signatures) add some code to the page that hides the links for those who have javascript enabled.  This obfuscated javascript looks like this:&lt;br /&gt;
&lt;br /&gt;
&lt;code&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;document.write(unescape('%3C%73%63%72%69%70%74...&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;dF('*8HXHWNUY*8J*5Fi...&lt;/code&gt;&lt;br /&gt;
&lt;br /&gt;
and basically evaluates to this:&lt;br /&gt;
&lt;br /&gt;
&lt;code&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;document.write('&amp;lt;div style="&lt;span style="background-color: yellow;"&gt;height:1px;&lt;/span&gt;overflow:auto;"&amp;gt;');&lt;/code&gt;&lt;br /&gt;
&lt;br /&gt;
where that height of 1 pixel is what instructs the browser to hide the links from a visiting user.&lt;br /&gt;
&lt;br /&gt;
Scanning this compromised page with novirusthanks.org shows that of their 20 AV scanners, none detect a problem.  Similarly, not one other URL checker shows any problem with this site including Google’s Safe Search and SiteAdvisor.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, in the case of this particular site, the infection runs deeper.  Clicking through into the site offers up a new threat.  At the bottom of the page, a hidden iframe has been injected.  Essentially this means that the attackers have chosen to have the browser fetch content from another site but not for the purpose of displaying anything to the user.  These are typically used to embed exploits hosted on another site onto the compromised site while reducing the maintenance effort.  In this particular case, the iframe links to a page that is now missing, so for the moment, visitors are not being infected with malware.  Based on our records though, the embedded iframe used to lead to malware, meaning that visitors to this site were targeted with viruses.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDz8Armje9NQsbTY6u1eXtLeZTIV8_MP_fqgMlvn2NCdkYCmGphElOwCqQ1w8OT11FR8PmLKQZv_xUNjCYzlsGPnfNXxWWRnrCj9wlwGen1P1g3qtJLRe2PaLUsIDmPPRNOau2NlATb-JU/s320/nauman-embedded-iframe.png" /&gt; &lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
This site has been compromised like this for over a year without the owner of the web site knowing -- and this is quite common.  It is difficult for security companies like eSoft to automatically notify website owners when their websites are compromised since public information about sites is frequently hidden through privacy screens or else leads to spam traps.  eSoft's Threat Prevention Team reached out to Nauman Sod Farms four days ago using the email address on their site to alert them to the problem, but so far there has been no response and the website remains under the control of hackers.  Until this is fixed, and because of the likelihood that the hackers may again start infecting visitors with malware, we recommend that folks avoid this site for now.  Users of eSoft's secure web filtering will see this site marked as Compromised.&lt;br /&gt;
&lt;br /&gt;
In general, we believe it is important to identify sites that are under the control of hackers even when those sites aren't being used to propagate computer viruses.  These sites may at any time become threatening in that way and are frequently used as part of the machine that drives other sites where the actual malware is stored.  The industry as a whole needs to pay more attention to these sites.  In the meantime, eSoft does provide protection from these sites and identifies thousands like this one every day.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggGX26N3Svx01GgorZH2-grn9OdksNwzmnsqx2yeD0Ctx-0pjXd5QYmAxtUrEjCElaznDWb4yDE5NfSphJJ80NU2GpyUa-qCx9vf_TLZRm5Ba_PyMfpnWJFHDQNQykWnctUBD1kL45M0gG/s72-c/nauman-homepage.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Phishing Scams Lure Twitter Users</title><link>http://threatcenter.blogspot.com/2010/05/phishing-scams-lure-twitter-users.html</link><category>phishing</category><category>phishing scams</category><category>spam</category><category>web security</category><pubDate>Fri, 14 May 2010 12:56:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-9087088395371724785</guid><description>The newest phishing scam on Twitter has snared thousands of users hoping to increase their number of followers.&amp;nbsp; Instead, users are sent off to a phishing page where cybercriminals steal their Twitter logins and use them to generate more spam.&lt;br /&gt;
&lt;br /&gt;
Thousands of spam messages are floating around on Twitter with links to increase the users’ follower count:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="padding-left: 30px;"&gt;FREE MORE TWITTER FOLLOWERS!&lt;br /&gt;
CHECK out this site, im a member of it, gets you more followers&lt;br /&gt;
If you trying to get more followers check out&lt;br /&gt;
WANT MORE TWITTER FOLLOWERS?&lt;br /&gt;
Get more followers for free!&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIhAf6rN6gZ3q9IPqS2d4VoOPGzrX2nh1Wj-MERiM3YPtcc_7aouOVjl36vXUdms-yvUoksmH3orwl8ZyW7YYYA-ARukLJ4DchLsklo3L5dzYD-06-nrlOgtyBMS51aKY_mI3YHWRGt-iZ/s1600/twitter3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIhAf6rN6gZ3q9IPqS2d4VoOPGzrX2nh1Wj-MERiM3YPtcc_7aouOVjl36vXUdms-yvUoksmH3orwl8ZyW7YYYA-ARukLJ4DchLsklo3L5dzYD-06-nrlOgtyBMS51aKY_mI3YHWRGt-iZ/s320/twitter3.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
The cybercriminals use shortened URLs to prevent spam detection on Twitter.&amp;nbsp; Scammers are using a variety of URL shortening services to evade standard security precautions.&lt;br /&gt;
&lt;br /&gt;
The shortened links lead to phishing pages that capture the user’s Twitter login, but never do anything to increase the user’s following. The compromised accounts are then used to send more spam and lure in more unsuspecting users.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMz-NFrn3RQsd6xAvIG995f-r8i-_yZvc-i5iR93VC6kV9o-BM2piAN4qUlrCdh7LQcR_qONmbgIbDTqlkhtQdHU2uR7Pvb9ecHPmPzhfTk0SreJ_TZEHICPsAqk41LeJzp4ApdmTB3_o2/s1600/twitter6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="341" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMz-NFrn3RQsd6xAvIG995f-r8i-_yZvc-i5iR93VC6kV9o-BM2piAN4qUlrCdh7LQcR_qONmbgIbDTqlkhtQdHU2uR7Pvb9ecHPmPzhfTk0SreJ_TZEHICPsAqk41LeJzp4ApdmTB3_o2/s400/twitter6.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
With more followers on Twitter, you’re able to expand your reach and connect with more people.&amp;nbsp; This makes for a very effective social engineering trick, taking advantage of user tendencies for malicious purposes. Users are typically none the wiser until spam messages start appearing from their account.&lt;br /&gt;
&lt;br /&gt;
There are now a tremendous number of third-party sites and services available to support the Twitter crowd.&amp;nbsp; It’s important that users remember not to give out login information without first verifying the legitimacy of Twitter applications and websites.&amp;nbsp; Most legitimate services now redirect users directly to the Twitter API and use the OAuth method of authentication.&amp;nbsp; Users should look closely at their URL bar to be sure they are on Twitter's site before entering their login credentials.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLVTP2tRSVzE7g9s7jjwLSHaL-m6B6qoMGYsoz3Ocos_f2IyuBwyRBrG-j-FUxYVYHdL2xp-nVWNNmDOsgCNGJsD9xL6JmKBpyD00x6L1UsaCO6DBVD4yQypu_VhOLM29wq_CfQ-XNDERd/s1600/twitter8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLVTP2tRSVzE7g9s7jjwLSHaL-m6B6qoMGYsoz3Ocos_f2IyuBwyRBrG-j-FUxYVYHdL2xp-nVWNNmDOsgCNGJsD9xL6JmKBpyD00x6L1UsaCO6DBVD4yQypu_VhOLM29wq_CfQ-XNDERd/s400/twitter8.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
If you see strange spam messages like these showing up on your account, change your password immediately.&amp;nbsp; eSoft protects SiteFilter users from these phishing sites with the “Phishing &amp;amp; Fraud” category and is actively flagging new sites as they’re discovered.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIhAf6rN6gZ3q9IPqS2d4VoOPGzrX2nh1Wj-MERiM3YPtcc_7aouOVjl36vXUdms-yvUoksmH3orwl8ZyW7YYYA-ARukLJ4DchLsklo3L5dzYD-06-nrlOgtyBMS51aKY_mI3YHWRGt-iZ/s72-c/twitter3.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Google Groups Latest Hot Spot for Rogue AV and Malware</title><link>http://threatcenter.blogspot.com/2010/05/google-groups-latest-hot-spot-for-rogue.html</link><category>compromised sites</category><category>malware</category><category>spam</category><category>virus</category><pubDate>Wed, 12 May 2010 08:52:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-716801672014996038</guid><description>eSoft researchers have been tracking a recent campaign abusing Google Groups to spread malicious links in Spam emails. &amp;nbsp;Users following the link are infected with a Downloader Trojan, silently infecting the machine with various types of malware including Rogue Anti-Virus.&lt;br /&gt;
&lt;br /&gt;
The scam starts with an email asking the user to update their email settings according to the linked instructions. &amp;nbsp;The URL in the message brings the user to a Google Groups page linking to a malicious download.&lt;br /&gt;
&lt;br /&gt;
Sample Email:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9py7aLoz7EK-WISEiaR5hAfREfVA9q7eetvYFU7-aD8GtpXvJ9dOii_epTWjtpvT6WFajBzqGRw2qEBqrheXCM7eO8QGBn7M2yJkCvlOGGRNtlEF3hUALQCL5YngJrgJsg0U5a_0qOv4/s1600/email.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9py7aLoz7EK-WISEiaR5hAfREfVA9q7eetvYFU7-aD8GtpXvJ9dOii_epTWjtpvT6WFajBzqGRw2qEBqrheXCM7eO8QGBn7M2yJkCvlOGGRNtlEF3hUALQCL5YngJrgJsg0U5a_0qOv4/s400/email.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKhy0qxw3-kU_BbYp7z9s5cBtns6QHsLbRxgLd8-xD5pxtRTmZni3ADeYFvVQisQN_GRTnScscuh2LLJr17kZTzCFZZaGNrohwB6vxbWGmcSJoxXhsSa2JxyYFSiqKiJmEfVl9s8Dzo5B/s1600/linkedpage.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKhy0qxw3-kU_BbYp7z9s5cBtns6QHsLbRxgLd8-xD5pxtRTmZni3ADeYFvVQisQN_GRTnScscuh2LLJr17kZTzCFZZaGNrohwB6vxbWGmcSJoxXhsSa2JxyYFSiqKiJmEfVl9s8Dzo5B/s400/linkedpage.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
The link on the Google Groups page is a Downloader Trojan with better than normal virus detection. &amp;nbsp;58% of virus scanners detected the file as malicious on &lt;a bitly="BITLY_PROCESSED" href="http://www.virustotal.com/analisis/9bd5534eeed04cc9cf1f6ff5739e9fc2076a6de79113938ac9a7d0497ea20d6c-1273505152"&gt;Virus Total&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
The Downloader then does its job, downloading a mixed bag of malware from several locations. eSoft is currently blocking all known distribution points. &amp;nbsp;Among the malware downloaded is Desktop Security 2010, a Rogue Anti-Virus program.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfq39H_c8_4IkYPVe2NAaWIQ3nyl5SkKwXRK6c-zYC0OWLD1QEFvaAXTVRyuYBeH02SoWPrZCaSD0wF0AzkPOzNYccms2qqUFhnbh2G2bZGQk6XIAuP7ouDkaOpDdayeBzdQHel1q8fQI/s1600/googlegroups2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfq39H_c8_4IkYPVe2NAaWIQ3nyl5SkKwXRK6c-zYC0OWLD1QEFvaAXTVRyuYBeH02SoWPrZCaSD0wF0AzkPOzNYccms2qqUFhnbh2G2bZGQk6XIAuP7ouDkaOpDdayeBzdQHel1q8fQI/s400/googlegroups2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
A fake system scan is run notifying the user they’ve been infected and prompting the user to purchase a license key to remove the malware.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjltUC98G29hYrTaVbIuNWWI6nKow4lyQsrEUNo7-9w96tylIwwAiJUsF_FtMY5xBuflA3bmgMRGkt7Ytob1MZv_ki9wEvu-MV7z62HEi0JliUCSxxO9eFq0uM52CE0qKVpkmi9tEQeN0Z1/s1600/googlegroups3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjltUC98G29hYrTaVbIuNWWI6nKow4lyQsrEUNo7-9w96tylIwwAiJUsF_FtMY5xBuflA3bmgMRGkt7Ytob1MZv_ki9wEvu-MV7z62HEi0JliUCSxxO9eFq0uM52CE0qKVpkmi9tEQeN0Z1/s400/googlegroups3.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
For only $89.95 you can get a lifetime license with special support. Users following through on the purchase have handed their credit card and other personal information to cybercriminals on a silver platter.&lt;br /&gt;
&lt;br /&gt;
Access to the Internet through the browser is blocked until you’ve purchased a license, adding a hint of Ransomware to the mix. &amp;nbsp;Between this tactic and the official looking interface, unsavvy users are unfortunately easy prey.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1vb-bMpsrgDZMgLZ6-fVuBe3Lx7U-rMPD7jU6Ex-pya92KBKL9MtwdrBVO0FSjUDAOdjjv-xNIfzW1ZxM2SFVfLNArB-1r0j7WPFZSHo45rOWDCA1IgUzz_gRIg_6JrZkSedxwMZK970/s1600/blockedpage.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1vb-bMpsrgDZMgLZ6-fVuBe3Lx7U-rMPD7jU6Ex-pya92KBKL9MtwdrBVO0FSjUDAOdjjv-xNIfzW1ZxM2SFVfLNArB-1r0j7WPFZSHo45rOWDCA1IgUzz_gRIg_6JrZkSedxwMZK970/s400/blockedpage.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Use of community sites like Google Groups, &lt;a bitly="BITLY_PROCESSED" href="http://threatcenter.blogspot.com/2009/12/livecom-exploited-as-pharma-fraud-cover.html"&gt;Windows Live&lt;/a&gt;, Blogger and others is becoming commonplace for cybercriminals looking to get the upper hand on web and spam filters. &amp;nbsp;Secure web filtering that combines granular classifications with real-time URL lookups is the most effective way to combat these threats.&lt;br /&gt;
&lt;br /&gt;
eSoft is actively identifying and flagging select Google Groups pages as Compromised as they’re discovered. &amp;nbsp;Other sites involved with this attack are blocked as Malware Distribution Points.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;&lt;b&gt;Update: May 12th 10:00 AM &lt;/b&gt;&lt;/i&gt;&lt;br /&gt;
&lt;div&gt;&lt;br /&gt;
It appears the spammers have switched tactics and are now sending fake ecards claiming to be from 123greetings.com. Users receive an email in the form below with an image link.&amp;nbsp; The links in the email use the same Google Groups URLs and present the same dangerous malware.&amp;nbsp; This new round of spam uses an even more effective social engineering trick than in the first campaign, and more unsuspecting users will certainly fall victim.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sSBjgylHQvVWRW4w7DR9Ank57vJSgOMP7-4RsIkswCRCoiMi6SI-qBH9xxKY0CPkaJXLTRABVhV4KilWSzOAY53x0kTa4fOgAVsAf4jmGDB9LKoL-3DL-fLEZFQ6fxbNrd9fbva9QlNj/s1600/ecard.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sSBjgylHQvVWRW4w7DR9Ank57vJSgOMP7-4RsIkswCRCoiMi6SI-qBH9xxKY0CPkaJXLTRABVhV4KilWSzOAY53x0kTa4fOgAVsAf4jmGDB9LKoL-3DL-fLEZFQ6fxbNrd9fbva9QlNj/s400/ecard.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9py7aLoz7EK-WISEiaR5hAfREfVA9q7eetvYFU7-aD8GtpXvJ9dOii_epTWjtpvT6WFajBzqGRw2qEBqrheXCM7eO8QGBn7M2yJkCvlOGGRNtlEF3hUALQCL5YngJrgJsg0U5a_0qOv4/s72-c/email.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Pharma-Fraud Continues to Dominate Spam</title><link>http://threatcenter.blogspot.com/2010/04/pharma-fraud-continues-to-dominate-spam.html</link><category>fraud</category><category>pharma fraud</category><category>spam</category><pubDate>Thu, 22 Apr 2010 10:51:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-7265768628539287259</guid><description>Have you taken a look inside your Spam folder recently? &amp;nbsp;Without a doubt you’ll find the folder full of pharmacy Spam, pitching everything from Cialis and Viagra to Vicodin and Hydrocodone. &amp;nbsp;The problem is almost none of the linked web sites are legitimate certified pharmacies.&lt;br /&gt;
&lt;br /&gt;
Pharmacy Spam is delivered at an estimated 70% of global spam volumes, or &lt;i&gt;140 billion messages per day&lt;/i&gt;. These massive volumes are largely fueled by botnets such as Grum and Cutwail, creating all types of problems for business networks large and small.&lt;br /&gt;
&lt;br /&gt;
These botnet operators are continually trying to find ways around Spam filters and web filters to earn money as part of the larger criminal operation behind these sites. &amp;nbsp;The latest attempt to get around these filters uses livejournal.com, a free blogging service, to link back to fraudulent pharmacy sites. &amp;nbsp;eSoft has seen similar attempts using other free blog services, including &lt;a bitly="BITLY_PROCESSED" href="http://threatcenter.blogspot.com/2009/12/livecom-exploited-as-pharma-fraud-cover.html"&gt;Windows Live Spaces&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimZYZ7gNkXc2wOo5eBhUkCxSTMlnlBsOQ4g28rVSmExc5XPE5zDoYwqsL7-9JFfn8zPoQCfbLJI4ZavZjK1yzFQ8ernbgUKcKIWkDPHFL8sY6T3MfblDiC5yCV0maQLO8dlpvS7zkPJMgD/s1600/pharm1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimZYZ7gNkXc2wOo5eBhUkCxSTMlnlBsOQ4g28rVSmExc5XPE5zDoYwqsL7-9JFfn8zPoQCfbLJI4ZavZjK1yzFQ8ernbgUKcKIWkDPHFL8sY6T3MfblDiC5yCV0maQLO8dlpvS7zkPJMgD/s400/pharm1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
In this example, a number of methods were used to get around Spam filtering technologies including using numbers and underscores (0rder_Now) to prevent the text from being detected as Spam. &amp;nbsp;A user following the link is taken to the Live Journal blog which then links them to the fraudulent online pharmacy.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cwzTXCxtbcIXFD3-6lJGo45BVrkkHPXxGqtivkFyjNqpfkidRBsckSF_Tk2FxJ1gMxQNl-QIlh1EgnPnaE9Wf2z20yD8zuO8aYIr8bqYnN_6XRoXjpZXOagclMu4XrNG2XEOCHRoAy35/s1600/pharm2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cwzTXCxtbcIXFD3-6lJGo45BVrkkHPXxGqtivkFyjNqpfkidRBsckSF_Tk2FxJ1gMxQNl-QIlh1EgnPnaE9Wf2z20yD8zuO8aYIr8bqYnN_6XRoXjpZXOagclMu4XrNG2XEOCHRoAy35/s400/pharm2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
In our research, the image link provided on each of the blogs linked back to many different “Canadian pharmacy” type pages. &amp;nbsp;eSoft has very good detection of pharma-fraud sites, finding hundreds of new sites per week. &amp;nbsp;Last year eSoft worked with the &lt;a bitly="BITLY_PROCESSED" href="http://threatchaos.com/home-mainmenu-1/16-blog/49"&gt;ThreatChaos blog&lt;/a&gt;&amp;nbsp;to report on these sites. &amp;nbsp;The recent government crackdown has decreased the number of sites coming online as compared to last year’s report, but has certainly not stopped the operation or the related Spam.&lt;br /&gt;
&lt;br /&gt;
It can be difficult to ascertain whether an online pharmacy is legitimate. &amp;nbsp;The National Association of Boards of Pharmacy (NABP) provides some excellent &lt;a bitly="BITLY_PROCESSED" href="http://www.nabp.net/programs/consumer-protection/buying-medicine-online"&gt;safety information for buying medicine online&lt;/a&gt;. &amp;nbsp;Here are a few of the jaw-dropping stats from their site.&lt;br /&gt;
&lt;br /&gt;
• 83% do not require a valid prescription&lt;br /&gt;
• 42% offer foreign or non-FDA-approved drugs&lt;br /&gt;
• 55% do not provide a physical address&lt;br /&gt;
• &lt;b&gt;&lt;i&gt;96% of sites reviewed are NOT recommended&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
At the time of writing, Live Journal has disabled the fake blogs we found using their service. &amp;nbsp;eSoft categorizes these fake blogs and the pharma-fraud sites they link to as "Pharmaceuticals" paired with “Phishing &amp;amp; Fraud” and “Spam” if the URL was detected in a Spam message.&lt;br /&gt;
&lt;br /&gt;
Note that visiting these sites may result in stolen identity,&amp;nbsp;delivery&amp;nbsp;of fake products,&amp;nbsp;further&amp;nbsp;Spam and more. &amp;nbsp;eSoft strongly recommends sticking to lists of approved pharmacies and always using extreme caution and skepticism before following links in emails.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimZYZ7gNkXc2wOo5eBhUkCxSTMlnlBsOQ4g28rVSmExc5XPE5zDoYwqsL7-9JFfn8zPoQCfbLJI4ZavZjK1yzFQ8ernbgUKcKIWkDPHFL8sY6T3MfblDiC5yCV0maQLO8dlpvS7zkPJMgD/s72-c/pharm1.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Tiger Woods (Searches) Not to Be Trusted</title><link>http://threatcenter.blogspot.com/2010/04/tiger-woods-searches-not-to-be-trusted.html</link><category>blackhat seo</category><category>rogue av</category><category>web security</category><pubDate>Thu, 8 Apr 2010 13:54:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-1269401374267933820</guid><description>&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivTEKZa2cNFQgy3jB4corZj1_hsBp22ebqWCZmnVocqT6OFuT2ixty4MWH0lsM3LNT0vnGRzEpSJn6mDF52vktN6HCRL_kAxJdAEkhR-GI9dMY-Y0zDlRTav1U4_4jbmXbhVWCYOzQa2N4/s1600/tigerwoods2.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivTEKZa2cNFQgy3jB4corZj1_hsBp22ebqWCZmnVocqT6OFuT2ixty4MWH0lsM3LNT0vnGRzEpSJn6mDF52vktN6HCRL_kAxJdAEkhR-GI9dMY-Y0zDlRTav1U4_4jbmXbhVWCYOzQa2N4/s200/tigerwoods2.png" style="margin-top: 20px;" width="200" /&gt;&lt;/a&gt;&lt;br /&gt;
Tiger Woods’ personal life and marital affairs have attracted constant attention from the press and have certainly damaged his public reputation.&amp;nbsp; With his return to the Masters only days away, Nike has released a new commercial in an effort to rebuild Woods’ image.&amp;nbsp; This compelling commercial is intended to spark a reaction, and may well be the next thing you talk about at the office water cooler.&amp;nbsp; Anyone who hasn’t seen it will go right back to their desk and search for the video. Blackhats have once again worked their way into these search results, leading users to malicious sites and Rogue Anti-Virus downloads.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
A user looking to see the commercial online would likely search “tiger woods commercial”, and that search is heavily poisoned.&amp;nbsp; Out of the top 7 search results, six lead to Fake Anti-Virus pages begging the user to install malicious software.&amp;nbsp; The video results have also been poisoned to do the same.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhikO77nxQY5xn_FjFbjZFNSktcolt-77xCvxBJp2oGWqcgfnUQjiMH4aITQZ_fz7CGj7I0rNc2e4EEhXreCdvZVi9HkZU2JKMcNrxlOQj7oJqHls3k-oiEY7AuEhhYwto-1eSfiExW7XJm/s1600/tigerwoods4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhikO77nxQY5xn_FjFbjZFNSktcolt-77xCvxBJp2oGWqcgfnUQjiMH4aITQZ_fz7CGj7I0rNc2e4EEhXreCdvZVi9HkZU2JKMcNrxlOQj7oJqHls3k-oiEY7AuEhhYwto-1eSfiExW7XJm/s400/tigerwoods4.png" width="312" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
With low anti-virus detection rates, users tricked by this attack have little to prevent them from installing downloaded malware.&amp;nbsp; In fact, only 1 out of the 20 scanners on &lt;a href="http://virusscan.jotti.org/en/scanresult/3aa0d1aecef4adb8e032a50418c5050c09b75cf6/e9415a5e2f313e62330c09895c52bf30007f3265"&gt;Jotti&lt;/a&gt; detected the payload as malicious.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAG7ojOexUUfUobqBQIJ_3dX6GCqrjJXEJTMcQtHsC4Ab2hUFHdWZAViTbNSXnV-XMcjoCrHrXzi8ELsHq_OvFQqFA4UkkGD6p2Amwu9E7O2JepOJFQRQU2R5f25Qj99dvcetMSuAMFnN0/s1600/tigerwoods3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAG7ojOexUUfUobqBQIJ_3dX6GCqrjJXEJTMcQtHsC4Ab2hUFHdWZAViTbNSXnV-XMcjoCrHrXzi8ELsHq_OvFQqFA4UkkGD6p2Amwu9E7O2JepOJFQRQU2R5f25Qj99dvcetMSuAMFnN0/s400/tigerwoods3.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Users should also be wary of any Masters-related searches, as these will also be a target of cyber criminals. eSoft’s proactive detection of these attacks protects all SiteFilter customers.&amp;nbsp; Any sites associated with these attacks are being flagged as malicious or compromised.&lt;br /&gt;
&lt;br /&gt;
[&lt;i&gt;Additional Note&lt;/i&gt;: In this particular attack, the referring site is also important.&amp;nbsp; If the user is not coming from Google, or presumably from other search engines, they will be redirected to cnn.com rather than to the malicious site.&amp;nbsp; eSoft has &lt;a href="http://threatcenter.blogspot.com/2009/09/google-users-targeted-by-new-malicious.html"&gt;noted the use of this technique&lt;/a&gt; in the past, but it is interesting that the attackers have chosen CNN for this campaign.]</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivTEKZa2cNFQgy3jB4corZj1_hsBp22ebqWCZmnVocqT6OFuT2ixty4MWH0lsM3LNT0vnGRzEpSJn6mDF52vktN6HCRL_kAxJdAEkhR-GI9dMY-Y0zDlRTav1U4_4jbmXbhVWCYOzQa2N4/s72-c/tigerwoods2.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Affiliate Programs Rising Cause of Fraud and Abuse</title><link>http://threatcenter.blogspot.com/2010/04/affiliate-programs-rising-cause-of.html</link><category>fraud</category><category>spam</category><category>web security</category><pubDate>Mon, 5 Apr 2010 07:01:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-7929789235276450248</guid><description>What happens when you offer up money to anyone who can drive traffic to your website?&amp;nbsp; Hackers, scammers, spammers and fraudsters come to your aid.&amp;nbsp; That’s the case with online movie site zml.com, which offers 30% of each sale and 5% of rebills, paid via anonymous means, to anyone who refers paying customers to the site.&amp;nbsp; And zml.com is just one of many.&lt;br /&gt;
&lt;br /&gt;
In general, it works like this: a person signs up as an affiliate and is given a code.&amp;nbsp; If someone visits the website with the proper code embedded in the URL, a cookie is set, and if that person later buys something on the site, the affiliate gets a piece of the transaction.&amp;nbsp; Outside of the shadows this means others are encouraged to set up ads or to refer friends to the site.&amp;nbsp; But on bigger scales this can be big money, so the established cyber criminal community gets in on the action – not always by breaking the law, but certainly using shady means to drive customers to these websites.&lt;br /&gt;
&lt;br /&gt;
Among the techniques being used by these shadow affiliates are blackhat SEO, fake blogs, spam campaigns and more.&amp;nbsp; These will frequently redirect through servers managed by the shadow affiliate, and in eSoft’s investigations those servers are frequently used for other purposes as well, such as malware distribution and phishing campaigns.&lt;br /&gt;
&lt;br /&gt;
Windows Live Spaces is &lt;a href="http://threatcenter.blogspot.com/2009/12/livecom-exploited-as-pharma-fraud-cover.html"&gt;again being abused&lt;/a&gt; with a slew of fake blog pages covering hundreds of popular movies available for download. The download links redirect the user to a number of different movie sites that offer high paying affiliate programs. &lt;br /&gt;
&lt;br /&gt;
Example 1&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwdh7dGGtfX8HTZbxkEh7O6rZJZW87LKeUrfe_gj4W63JhLjiFVECLLV1pDT1gcai6yiFDWEg9K_p_7BT2K-jCNqQ-sPJAAngzMi3XqL2bq-8eJ7biNgQmukXQb7D-Yeg-FjQkakkan-FF/s1600/hangover.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwdh7dGGtfX8HTZbxkEh7O6rZJZW87LKeUrfe_gj4W63JhLjiFVECLLV1pDT1gcai6yiFDWEg9K_p_7BT2K-jCNqQ-sPJAAngzMi3XqL2bq-8eJ7biNgQmukXQb7D-Yeg-FjQkakkan-FF/s400/hangover.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
The blockbuster movie The Hangover is the sole blog post in the blog shown above and includes a promo image and full description of the movie with links to download. After a series of redirects to ensure the scammer gets paid, the user is brought to moviedownloads-pro.com. In order to download for free, the user must sign up for a yearly subscription with a credit card and our blog spammer gets a cut.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsM7bm_9FAAzrVlJmn3PtiOK4PN22LsqASae2bifQ2HDgJTVXFpm3ZBxzDUDdjC3Xn85c31gQej3LzhrbjWT8U5rayQpg-AmD-lMuewremQcNERzNQV7scc_ZjQs8ZrLhD4KjzbxBHw069/s1600/moviedownload-pro_signup.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsM7bm_9FAAzrVlJmn3PtiOK4PN22LsqASae2bifQ2HDgJTVXFpm3ZBxzDUDdjC3Xn85c31gQej3LzhrbjWT8U5rayQpg-AmD-lMuewremQcNERzNQV7scc_ZjQs8ZrLhD4KjzbxBHw069/s400/moviedownload-pro_signup.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
After signing up, the user is emailed a link to download software which we suspect to be questionable, although we did not give up our credit card info to find out.&amp;nbsp; The affiliate network in this case is Marketbay, which is also home to some other very shady software, including 14 different bogus anti-virus products. &lt;br /&gt;
&lt;br /&gt;
Example 2&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsXDFjktDiFYLbqjFH2tk86FVMb37H86wdRKYYCzuqyM01P65a5M1V4uWXNOAk59FoGq_Onv-nh8c0RYRq5SBj_KbS9FC4-DQP5TdsZhHkzQCc8OpkEs6nlo38E1wtWI7OiLp3aKDIEx5/s1600/marketbay_shady.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsXDFjktDiFYLbqjFH2tk86FVMb37H86wdRKYYCzuqyM01P65a5M1V4uWXNOAk59FoGq_Onv-nh8c0RYRq5SBj_KbS9FC4-DQP5TdsZhHkzQCc8OpkEs6nlo38E1wtWI7OiLp3aKDIEx5/s400/marketbay_shady.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
In another example, the eSoft Threat Prevention Team found that the intermediary sites used by a shadow affiliate were hosted on the same site used in a &lt;a href="http://threatcenter.blogspot.com/2009/08/new-rash-of-fraud-sites-touting-cheap.html"&gt;ring of fraudulent "OEM Software" distribution sites&lt;/a&gt; we blogged about last year.&amp;nbsp; These links lead to zml.com, whose affiliate signup page contains the warning, "SEO or E-Mail spam is not tolerated!"&amp;nbsp; However, after sharing details of the abuse with zml.com five days before this blog was posted, we have yet to see the affiliate removed or to receive any response from zml.com.&amp;nbsp; In all likelihood, it is simply more profitable to turn a blind eye.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjrvkw0YzDa8b-ISbzVCk3RuQGHYplnoixjp6NJPyfuxs6UTFvepweQ_Y5xuHA2ycZw-QIVRd37co694I1I1kF4Jg25oVP7o0TJ-k3AJIsFaaAEqO284PxdkbvsYV1jK2iapVwMAKmXKYh/s1600/zml_affiliate.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjrvkw0YzDa8b-ISbzVCk3RuQGHYplnoixjp6NJPyfuxs6UTFvepweQ_Y5xuHA2ycZw-QIVRd37co694I1I1kF4Jg25oVP7o0TJ-k3AJIsFaaAEqO284PxdkbvsYV1jK2iapVwMAKmXKYh/s400/zml_affiliate.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Using Windows Live Blogs to disguise URLs can be an effective way to get around some Spam and Web filters. eSoft reported on a similar tactic used to push &lt;a href="http://threatcenter.blogspot.com/2009/12/livecom-exploited-as-pharma-fraud-cover.html"&gt;pharma-fraud sites&lt;/a&gt; just a few months back. While this is nothing new, it goes to show that cybercriminals will continue these types of campaigns so long as they continue to be effective and profitable. &lt;br /&gt;
&lt;br /&gt;
eSoft currently categorizes a number of these affiliates’ sites as Phishing &amp;amp; Fraud due to their use in &lt;a href="http://threatcenter.blogspot.com/2009/09/blackhats-quickly-saturate-google-with.html"&gt;Blackhat SEO campaigns&lt;/a&gt;, and others are categorized as Online Ads or Spammed URLs depending on the methods being used to drive users to the links.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwdh7dGGtfX8HTZbxkEh7O6rZJZW87LKeUrfe_gj4W63JhLjiFVECLLV1pDT1gcai6yiFDWEg9K_p_7BT2K-jCNqQ-sPJAAngzMi3XqL2bq-8eJ7biNgQmukXQb7D-Yeg-FjQkakkan-FF/s72-c/hangover.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Obfuscated URLs no match for eSoft SiteFilter</title><link>http://threatcenter.blogspot.com/2010/03/obfuscated-urls-no-match-for-esoft.html</link><category>web security</category><pubDate>Mon, 22 Mar 2010 15:54:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-4835344848937245271</guid><description>Researchers at Kaspersky Lab have discovered a new &lt;a href="http://www.viruslist.com/en/weblog?weblogid=208188044"&gt;banking malware campaign&lt;/a&gt; that uses an old trick to obfuscate malicious URLs. Rather than using a domain name or a conventional IP address for the malicious link, the address is written in other numerical bases, such as octal or hexadecimal. Major browsers accept these formats, which serves to trick users into following the link and infecting their machine. &lt;br /&gt;
&lt;br /&gt;
The post goes on to speculate that URL filters would have difficulty detecting and blocking the obfuscated URLs, leaving users vulnerable to these attacks. While many web filtering vendors may be susceptible to this attack, eSoft customers are protected. eSoft SiteFilter provides full support for these obfuscated URLs, filtering sites in ALL categories. &lt;br /&gt;
&lt;br /&gt;
Using the example of playboy.com, the URL can be expressed in many different ways including the few examples below. &lt;br /&gt;
&lt;br /&gt;
http://216.163.137.68&lt;br /&gt;
http://3634596164&lt;br /&gt;
http://0xd8.0xa3.0x89.0x44&lt;br /&gt;
http://0xd8.0xa3.0x89.68&lt;br /&gt;
http://0330.0243.0211.0104&lt;br /&gt;
http://000000330.0xa3.137.0104&lt;br /&gt;
http://0xD8A38944&lt;br /&gt;
http://033050704504&lt;br /&gt;
&lt;br /&gt;
As shown on the &lt;a href="http://www.esoft.com/new_products/sflookupoem.cfm"&gt;Test a Site&lt;/a&gt; portal, eSoft correctly interprets these encoded addresses and detects each of these URLs as Pornography/Sex, the same as the domain playboy.com.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Qy3MdfwOOBfZRxTjuM3QGdqzUH1W0WILzouTKqL8F_0wJm4MyA3F_p6EZXmPT36bTf_pX-vFsFb9xR-oBm1CSDM290u3F99dRbgEfuZMcAfldDqp31Nz1UmoG75tfq5WSO0XuZ8WZtPO/s1600-h/testsite2.png" imageanchor="1" style="clear: left; float: left; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Qy3MdfwOOBfZRxTjuM3QGdqzUH1W0WILzouTKqL8F_0wJm4MyA3F_p6EZXmPT36bTf_pX-vFsFb9xR-oBm1CSDM290u3F99dRbgEfuZMcAfldDqp31Nz1UmoG75tfq5WSO0XuZ8WZtPO/s200/testsite2.png" width="172" /&gt;&lt;/a&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt22-LM1s4e-Uuh5uGHRFGR1UpDgFtmJ9427QLYHA_DK0QoJ6jXbGs4J8NLgHKHJra1h2QWIZt8xJv7Y_G3MGXL6z9NZB20AQzbJ5wRcwK-7sfNHKIPVCXnU6_IVVWIiOiQ4qbmLnthNy_/s1600-h/testsite1.png" imageanchor="1" style="float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt22-LM1s4e-Uuh5uGHRFGR1UpDgFtmJ9427QLYHA_DK0QoJ6jXbGs4J8NLgHKHJra1h2QWIZt8xJv7Y_G3MGXL6z9NZB20AQzbJ5wRcwK-7sfNHKIPVCXnU6_IVVWIiOiQ4qbmLnthNy_/s200/testsite1.png" width="173" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
With the example found by Kaspersky, vendors that do not accurately filter these URLs leave users vulnerable to dangerous banking Trojans and end-user evasions. Malicious campaigns using this technique have been seen in the past and due to their effectiveness will be used in the future. &lt;br /&gt;
&lt;br /&gt;
eSoft’s web filtering technology and focus on security provides users with unsurpassed protection against the latest web threats, including these obfuscation techniques.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Qy3MdfwOOBfZRxTjuM3QGdqzUH1W0WILzouTKqL8F_0wJm4MyA3F_p6EZXmPT36bTf_pX-vFsFb9xR-oBm1CSDM290u3F99dRbgEfuZMcAfldDqp31Nz1UmoG75tfq5WSO0XuZ8WZtPO/s72-c/testsite2.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Cinderella Story Leads to March Madness Malware</title><link>http://threatcenter.blogspot.com/2010/03/cinderella-story-leads-to-march-madness.html</link><category>blackhat seo</category><category>pagerank bomb</category><category>rogue av</category><category>web security</category><pubDate>Sun, 21 Mar 2010 19:53:00 -0600</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-6880394697599795989</guid><description>The first week of March Madness has brought about many compelling stories, with a good deal of upsets and bracket busters. The most newsworthy of these has been the University of Northern Iowa’s ousting of #1 overall seed Kansas. This ‘Cinderella’ story has deservedly gotten a great deal of press coverage. However, those looking for information on the web may get infected with malware rather than a great story. &lt;br /&gt;
&lt;br /&gt;
The eSoft Threat Prevention Team has been tracking search results on the story, and the NCAA Basketball Tournament in general, uncovering a great number of poisoned search terms. Searches for UNI Basketball or star player Ali Farokhmanesh return dangerous results leading to malware. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuiiv-qhcLrnYWPhX-neog01T_q5d3Si_b2HB_vCjslu6xMMDjY-0SQAT3S4a3xQu3AXs87sXesVHjGynIZt8zyefEBk82oF6-B6qFY7O0_3JR4jgcoERpHh-YRlSv-ieRgGdywRYD_gxp/s1600-h/uni_ncaa_001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuiiv-qhcLrnYWPhX-neog01T_q5d3Si_b2HB_vCjslu6xMMDjY-0SQAT3S4a3xQu3AXs87sXesVHjGynIZt8zyefEBk82oF6-B6qFY7O0_3JR4jgcoERpHh-YRlSv-ieRgGdywRYD_gxp/s400/uni_ncaa_001.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;&lt;b&gt;7 out of the top 10 results for UNI Basketball link to malware including the second result.&lt;/b&gt;&lt;/i&gt; The rogue anti-virus payload has &lt;a href="http://www.virustotal.com/analisis/8f8ec2b28f060ef8f9ba1a5741d7c2eba44ba449eb1b96d890eca9c947e4ca11-1269210920"&gt;very low detection&lt;/a&gt; among anti-virus vendors. &lt;br /&gt;
&lt;br /&gt;
eSoft proactively detects and blocks blackhat SEO and search attacks similar to these using its automated systems and in-depth web site analysis. Any sites found are flagged as Compromised or Malicious, protecting eSoft SiteFilter customers.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuiiv-qhcLrnYWPhX-neog01T_q5d3Si_b2HB_vCjslu6xMMDjY-0SQAT3S4a3xQu3AXs87sXesVHjGynIZt8zyefEBk82oF6-B6qFY7O0_3JR4jgcoERpHh-YRlSv-ieRgGdywRYD_gxp/s72-c/uni_ncaa_001.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Virus Alert! Twitter, Google, Hallmark and Others Subject To Attack</title><link>http://threatcenter.blogspot.com/2010/03/virus-alert-twitter-google-hallmark-and.html</link><category>email</category><category>malware</category><category>spam</category><category>virus</category><pubDate>Thu, 4 Mar 2010 17:08:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-7000820387677718635</guid><description>The eSoft Threat Prevention Team is warning customers today of a new email scam circulating very quickly. &amp;nbsp;These fraudulent emails claim to be from Google Staffing, Hallmark, Twitter as well as other social networks and legitimate businesses.&lt;br /&gt;
&lt;br /&gt;
The email persuades the user to open the attached zip file to find out more information. Users that follow through and open the file infect their own system and become part of the threat. &lt;br /&gt;
&lt;br /&gt;
The very legitimate-looking email below is just one example of the scam. &amp;nbsp;The email uses the actual Google logo, downloaded directly from Google's website, and easily hooks you into opening the attached file to find out more.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLha8ClMnAH3QZIqmeEsRAJWop1W4h4X5yeQ-a_A72sjBxGVhM2ltXsNHc5S2iuDpGU9VqVc-BXb7SCsr-6Sc6aTDQI0hhYZ8toQM2tYUGk1kflX-p7SZ2ErAwOwH0BSaWajpEXn3-d-th/s1600-h/google_jobs_scam3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;br /&gt;
&lt;/a&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLha8ClMnAH3QZIqmeEsRAJWop1W4h4X5yeQ-a_A72sjBxGVhM2ltXsNHc5S2iuDpGU9VqVc-BXb7SCsr-6Sc6aTDQI0hhYZ8toQM2tYUGk1kflX-p7SZ2ErAwOwH0BSaWajpEXn3-d-th/s1600-h/google_jobs_scam3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;br /&gt;
&lt;/a&gt;&lt;a bitly="BITLY_PROCESSED" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLha8ClMnAH3QZIqmeEsRAJWop1W4h4X5yeQ-a_A72sjBxGVhM2ltXsNHc5S2iuDpGU9VqVc-BXb7SCsr-6Sc6aTDQI0hhYZ8toQM2tYUGk1kflX-p7SZ2ErAwOwH0BSaWajpEXn3-d-th/s1600-h/google_jobs_scam3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLha8ClMnAH3QZIqmeEsRAJWop1W4h4X5yeQ-a_A72sjBxGVhM2ltXsNHc5S2iuDpGU9VqVc-BXb7SCsr-6Sc6aTDQI0hhYZ8toQM2tYUGk1kflX-p7SZ2ErAwOwH0BSaWajpEXn3-d-th/s320/google_jobs_scam3.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;In this case, the downloader infected the system with a bot that immediately begins spewing thousands more infected emails, including fake e-cards from Hallmark and invitations from social networks like Twitter and Hi5.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;div&gt;The Twitter email is also very well crafted to make the user believe they were invited by a friend and that it is legitimately from Twitter. &amp;nbsp;The From address is spoofed to invitations@twitter.com with the subject “Your friend invited you to Twitter!”. &amp;nbsp;The body of the message begs the user to open the attached file: “To join or see who invited you check the attachment”. &amp;nbsp;With this clever social engineering tactic the scammers pique the recipient's interest in finding out who may have sent the message. &amp;nbsp;The user is tricked into opening the attachment and infecting their system.&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;As always, be very cautious opening any attachments and especially cautious when they are unexpected. &amp;nbsp;When in doubt verify with the sender or do not open them.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLha8ClMnAH3QZIqmeEsRAJWop1W4h4X5yeQ-a_A72sjBxGVhM2ltXsNHc5S2iuDpGU9VqVc-BXb7SCsr-6Sc6aTDQI0hhYZ8toQM2tYUGk1kflX-p7SZ2ErAwOwH0BSaWajpEXn3-d-th/s72-c/google_jobs_scam3.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Hotmail Users Look for Answers in Dangerous Places</title><link>http://threatcenter.blogspot.com/2010/02/hotmail-users-look-for-answers-in.html</link><category>blackhat seo</category><category>pagerank bomb</category><category>rogue av</category><category>web security</category><pubDate>Tue, 16 Feb 2010 16:28:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-2269682742438869415</guid><description>An &lt;a href="http://windowsteamblog.com/blogs/windowslive/archive/2010/02/16/short-outage-now-resolved.aspx"&gt;outage&lt;/a&gt; of the Windows Live ID service affected a large number of MSN users today including users of the popular Hotmail email service.  Hotmail is one of the largest web based email outlets and not surprisingly news of the outage spread quickly as users were not able to access their email. &lt;br /&gt;
&lt;br /&gt;
Those hoping to find more information on Google may have ended up with more than they bargained for.  Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, &lt;b&gt;8 out of the top 10&lt;/b&gt; results for “hotmail service unavailable” returned dangerous URLs.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLo10V_Lbj3r3eo-Na8yWu59LgWQWPqglOW7kTypiCM599a2eebsm8Ro9FyG0Pfn6W2sZFnJo1eJ9SzXklBXZmkAur0hwe2TyY8d4dHW2Ndzi1OU4zx9sC3O0CWCxARRUly1ttTQpaacf5/s1600-h/hotmailserviceunavail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLo10V_Lbj3r3eo-Na8yWu59LgWQWPqglOW7kTypiCM599a2eebsm8Ro9FyG0Pfn6W2sZFnJo1eJ9SzXklBXZmkAur0hwe2TyY8d4dHW2Ndzi1OU4zx9sC3O0CWCxARRUly1ttTQpaacf5/s400/hotmailserviceunavail.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
At the time of writing Google Trends shows this as one of the top searches of the day.  Other dangerous searches include “hotmail down” and “hotmail not working” both of which also returned malicious URLs that can cause a visitor’s computer to become infected with malware.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjAbjG_MbSs3F-bxMxtcuviRXVOGyPgRSgq5eJdfCWOSJuzVaITfpL0O1R08nwwnmEnp_iKyxZx6gSXX1NQlCAVbkuMllrAAKIYDJ1YIxn38Pug3hk64gsdslcogaKJbmIiWwPqyl0jmoe/s1600-h/trends-hotmail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjAbjG_MbSs3F-bxMxtcuviRXVOGyPgRSgq5eJdfCWOSJuzVaITfpL0O1R08nwwnmEnp_iKyxZx6gSXX1NQlCAVbkuMllrAAKIYDJ1YIxn38Pug3hk64gsdslcogaKJbmIiWwPqyl0jmoe/s400/trends-hotmail.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
As an added twist, some results direct users that revisit the same page to a fake download site. The user is asked to &lt;i&gt;download hotmail_down.rar&lt;/i&gt;, but not before entering their credit card information.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmMXABfE75V6BC3wcLhgU184JBnCH2DhkWSh1kzQaD2ycabVb05nhr78gp13TYLUceF5TYAkB9SDEXaLadxckpUHEbbF2wEENRxC5wj7L-CwRy6CoOhQI3Vh0TdPJ94CIwP2CFOOwNty8/s1600-h/hotmaildown2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmMXABfE75V6BC3wcLhgU184JBnCH2DhkWSh1kzQaD2ycabVb05nhr78gp13TYLUceF5TYAkB9SDEXaLadxckpUHEbbF2wEENRxC5wj7L-CwRy6CoOhQI3Vh0TdPJ94CIwP2CFOOwNty8/s400/hotmaildown2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6e4hyphenhyphenkMym2XQtYRP-mos632prtdOYTwQXZ7TLyJ8ckm6-NyGB-QL9P7ligI0LF89zL6ddEFJC1mP96HGHNk41B26MWtrI9Bjp7cC6CPB3Srt_k8jSgc40McfMf3Pjc2tH2IJbwjXnvcxq/s1600-h/hotmaildown9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6e4hyphenhyphenkMym2XQtYRP-mos632prtdOYTwQXZ7TLyJ8ckm6-NyGB-QL9P7ligI0LF89zL6ddEFJC1mP96HGHNk41B26MWtrI9Bjp7cC6CPB3Srt_k8jSgc40McfMf3Pjc2tH2IJbwjXnvcxq/s400/hotmaildown9.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
eSoft has detection for many of these sites and is flagging any new sites into their appropriate security category to protect SiteFilter users.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLo10V_Lbj3r3eo-Na8yWu59LgWQWPqglOW7kTypiCM599a2eebsm8Ro9FyG0Pfn6W2sZFnJo1eJ9SzXklBXZmkAur0hwe2TyY8d4dHW2Ndzi1OU4zx9sC3O0CWCxARRUly1ttTQpaacf5/s72-c/hotmailserviceunavail.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>IRS Tax Avoidance Scam</title><link>http://threatcenter.blogspot.com/2010/02/irs-tax-avoidance-scam.html</link><category>fraud</category><category>malware</category><pubDate>Sat, 6 Feb 2010 11:08:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-6090845513117341085</guid><description>Today, eSoft is alerting customers to a new targeted email scam.&amp;nbsp; This newest twist to the common IRS email scam seems to be targeted to organizations, notifying the recipient of a tax evasion complaint being filed against the company.&amp;nbsp; Opening the file infects the user's machine with dangerous trojans that monitor the infected machine, report back to the attacker and download other malicious payloads. &lt;br /&gt;
&lt;br /&gt;
An example of the fraudulent email is below; it prompts the user to open the "balance report" attachment.&amp;nbsp; Because the attachment appears to be a Word file, most users will readily trust it and open it to find out more.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigqA_CmTEfu0Q06ujUcXp1959PS48u-Plj8BsAq4ZDowjKhiimoOKyl3WYUS8kti2mHs1tIP4kiG0tUPd6ZqfzQDV5ikwTEeNc7Ki_58zRih8fTnjLvOk8gACsAhzXO4flsmpe9WZwAzS9/s1600-h/irs_tax_avoidance.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigqA_CmTEfu0Q06ujUcXp1959PS48u-Plj8BsAq4ZDowjKhiimoOKyl3WYUS8kti2mHs1tIP4kiG0tUPd6ZqfzQDV5ikwTEeNc7Ki_58zRih8fTnjLvOk8gACsAhzXO4flsmpe9WZwAzS9/s400/irs_tax_avoidance.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
The file is actually in Rich Text Format (RTF) and contains a hidden executable.&amp;nbsp; Upon opening the file, an error is reported and the user is asked to double click to restart Word.&amp;nbsp; Doing so will open the executable as shown below, with most unsuspecting users allowing the malicious file to run.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzfoMONUfhNaCT-4JlvcnZGcWFjFYzrWhq27ILTCguTLUBZXi12Hj2Xz5IH5NvQj_MVdALHQK1NjIV-jEAmz1l8D3448cuvyr3TwT4eaW8Iwl24NuvcsHr-uKx-X7PMgq1vxC0ph0kH-m9/s1600-h/irs_run.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzfoMONUfhNaCT-4JlvcnZGcWFjFYzrWhq27ILTCguTLUBZXi12Hj2Xz5IH5NvQj_MVdALHQK1NjIV-jEAmz1l8D3448cuvyr3TwT4eaW8Iwl24NuvcsHr-uKx-X7PMgq1vxC0ph0kH-m9/s400/irs_run.png" width="400" /&gt;&lt;/a&gt;&amp;nbsp;&lt;/div&gt;&lt;br /&gt;
Two processes, microsoft.exe and wks.exe, are started and added to Windows startup so they run on subsequent boots.&amp;nbsp; These processes send data back to the attacker over HTTP connections to their call-home destination.&amp;nbsp; eSoft is flagging these sites as Malicious to protect any victims of this attack. &lt;br /&gt;
&lt;br /&gt;
These call home destinations are even disguised as a Google search page to evade detection by web filtering companies and automated systems which may detect the site as a search engine.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvMYSTEIjaed-tFOSDMjJxE8uaRgnJOyyAoQqlUyTWkHvKnTLa663iB-Qb4MM3AByd-QdlmLXTv_LzxIm7JDUA3jz-SGkFIJE3TajcTod4ANEIXsXHSAsUKCWFGUm-397M562RLBTgqoFP/s1600-h/fakegoogle3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvMYSTEIjaed-tFOSDMjJxE8uaRgnJOyyAoQqlUyTWkHvKnTLa663iB-Qb4MM3AByd-QdlmLXTv_LzxIm7JDUA3jz-SGkFIJE3TajcTod4ANEIXsXHSAsUKCWFGUm-397M562RLBTgqoFP/s400/fakegoogle3.png" width="400" /&gt;&lt;/a&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;At the time of writing, Virus Total reports only a &lt;a href="http://www.virustotal.com/analisis/09db311fc2fb36d3d0df03bc4fffd054bcc31c78b8e8dc348b35c8654bafe39b-1265383450"&gt;25% detection rate&lt;/a&gt; on the most recent samples. &lt;br /&gt;
&lt;br /&gt;
Users should be very cautious with any unsolicited emails, particularly those containing an attachment.&amp;nbsp; The IRS will never email you if they need to contact you, and any emails appearing to come from them are very likely malicious scams.&amp;nbsp; As noted on the &lt;a href="http://www.irs.gov/privacy/article/0,,id=179820,00.html"&gt;IRS website&lt;/a&gt;, "The IRS does not initiate taxpayer communications through email."</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigqA_CmTEfu0Q06ujUcXp1959PS48u-Plj8BsAq4ZDowjKhiimoOKyl3WYUS8kti2mHs1tIP4kiG0tUPd6ZqfzQDV5ikwTEeNc7Ki_58zRih8fTnjLvOk8gACsAhzXO4flsmpe9WZwAzS9/s72-c/irs_tax_avoidance.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Fake Firefox Update Pages Push Adware</title><link>http://threatcenter.blogspot.com/2010/02/fake-firefox-update-pages-push-adware.html</link><category>adware</category><category>fraud</category><pubDate>Tue, 2 Feb 2010 17:42:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-304524624556862199</guid><description>Since its release on January 21st, the newest version of the Firefox web browser has received a great deal of attention.  In just a short time it has achieved over 30 million downloads. Adware pushers are capitalizing on the success of Firefox, packing ad-serving software in with the program in an effort to increase their reach. &lt;br /&gt;
&lt;br /&gt;
Purveyors of spyware and adware will try to take advantage of well-known programs, illegitimately bundling their software into the installer of the popular program.  These programs are also commonly referred to as Potentially Unwanted Programs (PUPs): their content is not necessarily malicious, but it is almost never wanted by the user. Such software is often used to collect information about the user without the user's knowledge or consent.&lt;br /&gt;
&lt;br /&gt;
The latest example is found on the fake Firefox download site below.&amp;nbsp; The page is cleverly disguised with the appearance of a legitimate Firefox download site and could easily fool many users hoping to upgrade.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKWgV4qfQScoEJMfTWpUXaio3fHm40OwIB4TxMNVJAEHZ6clXEqwLJV54Q1SL0RO7xVY5c5xk5K2Ox7jhv61IZ6HEMnlBGAtXkzyHOdv5J5AlRFryPjWdCdUqv4bvin3ouZZTFz4AqmWyy/s1600-h/fakefirefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKWgV4qfQScoEJMfTWpUXaio3fHm40OwIB4TxMNVJAEHZ6clXEqwLJV54Q1SL0RO7xVY5c5xk5K2Ox7jhv61IZ6HEMnlBGAtXkzyHOdv5J5AlRFryPjWdCdUqv4bvin3ouZZTFz4AqmWyy/s400/fakefirefox.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5, the newest version is actually 3.6.&amp;nbsp; There are also misspellings such as “Anti-Pishing” in the title of the security section. &lt;br /&gt;
&lt;br /&gt;
Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango.&amp;nbsp; Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz2yOKTMGwv0oJfUNE_R2tBqBEaXueuioAWJoo4kt0SwLiJz24EXKbBN72lLHpaypJDpe4LAsy5VgKNJtFiwJXPf1XeTropGZlW4_Ok4CArmVSyczNZLwPbjnwaRMOwVDOH8hCVY6G43e8/s1600-h/hotbar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz2yOKTMGwv0oJfUNE_R2tBqBEaXueuioAWJoo4kt0SwLiJz24EXKbBN72lLHpaypJDpe4LAsy5VgKNJtFiwJXPf1XeTropGZlW4_Ok4CArmVSyczNZLwPbjnwaRMOwVDOH8hCVY6G43e8/s400/hotbar.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
It should be noted that the owner of the fake Firefox site above is most likely not associated with Pinball Corp and only using its pay-per-install ad network for fast cash. Pay-per-install affiliate programs reward referring sites that generate installs of their programs, with Pinball paying as high as $1.45 per install.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Always take caution installing any software and ensure the software is downloaded directly from the publisher whenever possible.&amp;nbsp; Users looking to upgrade Firefox should go to the real download site at &lt;a href="http://getfirefox.com/"&gt;http://getfirefox.com&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Blocking the Spyware and Malicious Sites category protects eSoft SiteFilter customers from this site and others like it.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKWgV4qfQScoEJMfTWpUXaio3fHm40OwIB4TxMNVJAEHZ6clXEqwLJV54Q1SL0RO7xVY5c5xk5K2Ox7jhv61IZ6HEMnlBGAtXkzyHOdv5J5AlRFryPjWdCdUqv4bvin3ouZZTFz4AqmWyy/s72-c/fakefirefox.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Super Bowl Associations: football, nachos, big screens and … malware?</title><link>http://threatcenter.blogspot.com/2010/01/super-bowl-associations-football-nachos.html</link><category>blackhat seo</category><category>pagerank bomb</category><category>rogue av</category><category>web security</category><pubDate>Tue, 19 Jan 2010 12:08:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-4082303531882483870</guid><description>The Super Bowl is one of the biggest and most watched television events of the year in the United States. People everywhere scour the internet looking for predictions, gambling spreads and news before the event and scores, stories and clips after the event.&amp;nbsp; In anticipation of the increased search traffic for Super Bowl related terms, cybercriminals have shown themselves to be well-organized and planning ahead.&amp;nbsp; Search results for Super Bowl related search terms are already turning up top-ten results linked to malicious websites. &lt;br /&gt;
&lt;br /&gt;
Among the poisoned search terms detected by eSoft are:&amp;nbsp; &lt;br /&gt;
Super bowl 2010 score&lt;br /&gt;
Super bowl 44 MVP&lt;br /&gt;
Super bowl 2010 entertainment&lt;br /&gt;
Super bowl champions 2010&lt;br /&gt;
&lt;br /&gt;
For some of these searches, the top result is malicious.&amp;nbsp; It seems that this round of poisoning is, so far, being done by the Rogue AV outfits as these links lead to sites with fake antivirus software and &lt;a href="http://www.virustotal.com/analisis/b7e2297877f21ae5d53400e8148a0a48989a422ddc5d926f0343a397d6364346-1263921836"&gt;low detection rates&lt;/a&gt; from legitimate anti-virus software:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH8Z4_v6aPpRyARZQnnN9sNJaISMsAAWQSAcUPWlJ98-6pURFyv4VOC3MhJU3MU5Xa6Ld5UjV7wghXc0k7whiV34k9mZvpH23gwqWK2gBvl1tNs3Fbmb2iE1hgkMFZtFCCfFgKZ-KaDAuK/s1600-h/superbowl2010.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH8Z4_v6aPpRyARZQnnN9sNJaISMsAAWQSAcUPWlJ98-6pURFyv4VOC3MhJU3MU5Xa6Ld5UjV7wghXc0k7whiV34k9mZvpH23gwqWK2gBvl1tNs3Fbmb2iE1hgkMFZtFCCfFgKZ-KaDAuK/s400/superbowl2010.png" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
&lt;h3 class='post-title'&gt;Background&lt;/h3&gt;Poisoned search results are becoming commonplace.&amp;nbsp; Most recently searching for information on the earthquake in Haiti returned large numbers of poisoned results.&amp;nbsp; Getting bogus search results to the top of the rankings is commonly achieved by linking to the site from compromised sites or fake blogs and thereby boosting the apparent popularity of the bogus site.&amp;nbsp; The bogus site is then used to compromise the machine of visiting users through social engineering tricks and browser or browser-plugin exploits.&lt;br /&gt;
&lt;br /&gt;
eSoft’s automated systems quickly identify these risky websites and block them for customers and partners.&lt;br /&gt;
&lt;br /&gt;
eSoft recommends confining Super Bowl searches to news search engines such as &lt;a href="http://news.google.com/"&gt;Google News&lt;/a&gt;.&amp;nbsp; These results tend to be safer since the sources have gone through an approval process.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH8Z4_v6aPpRyARZQnnN9sNJaISMsAAWQSAcUPWlJ98-6pURFyv4VOC3MhJU3MU5Xa6Ld5UjV7wghXc0k7whiV34k9mZvpH23gwqWK2gBvl1tNs3Fbmb2iE1hgkMFZtFCCfFgKZ-KaDAuK/s72-c/superbowl2010.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Lack of Egress Filtering Spurs Success of Injected IFrame Attack</title><link>http://threatcenter.blogspot.com/2010/01/lack-of-egress-filtering-spurs-success.html</link><category>firewall</category><category>web security</category><pubDate>Mon, 18 Jan 2010 15:05:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-2828467055338395542</guid><description>The security community at large and the eSoft Threat Prevention Team have recently noticed an uptick in sites compromised by a new injection attack that results in an injected iframe. &amp;nbsp;This attack can be recognized by its attempts to masquerade the malicious script as GNU GPL or LGPL. &amp;nbsp;GPL and LGPL refer to public licenses for open source software and add a veneer of legitimacy to the malicious files.&lt;br /&gt;
&lt;br /&gt;
The attacks in themselves are not new or novel, but their success seems to be in part because the iframes point to websites on non-standard ports. &amp;nbsp;In particular, the attackers are hosting browser exploits and social engineering tricks on servers running on port 8080, such as the one shown below:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglLML6pCEdaHhUPvi7ZwywfXTDaJSjUXjxMkelK7QnWMM6KVHTZFL4E7aiYyiNaU688iBaAprK-0FIsF7KtfYvdwPDj0uHscOxwrqwNMwccN93aCTFuAOUsspVRKN-ZpQgz21PDaUnf1jV/s1600-h/url_image_use.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglLML6pCEdaHhUPvi7ZwywfXTDaJSjUXjxMkelK7QnWMM6KVHTZFL4E7aiYyiNaU688iBaAprK-0FIsF7KtfYvdwPDj0uHscOxwrqwNMwccN93aCTFuAOUsspVRKN-ZpQgz21PDaUnf1jV/s400/url_image_use.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
(note also the trusted domains that have been added to the URL to get the casual user to trust the link)&lt;br /&gt;
&lt;br /&gt;
As secure web filtering is added to anti-virus products and makes inroads in gateway security products, attackers are trying to circumvent the web filters with this age-old technique. &amp;nbsp;Frequently these secure web filters only operate on common ports such as port 80. &amp;nbsp;By hosting a web server on an alternate port, the security may be bypassed.&lt;br /&gt;
&lt;br /&gt;
For this reason, it is essential that administrators who deploy secure web filtering lock down any ports not expressly being scanned. &amp;nbsp;In other words, egress firewall rules that block outbound traffic on ports that lack security and content filtering will save networks from this attack and ones like it.&lt;br /&gt;
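A site owner or filter vendor checking pages for this injection wants to surface frames that point at a port the web filter never inspects, are hidden, or dress the URL up with trusted domain names. The following is an added example, not eSoft's code: the sample page, the attacker host and the brand list are constructed, and the set of ports the web filter inspects is an assumption.

```python
"""Flag iframes that point at web servers on ports a web filter never sees.

Added example, not eSoft's code. The sample page is constructed and kept
entity-escaped (as a feed or log would carry it), so it is unescaped first.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Ports the secure web filter actually inspects (assumption: only 80/443).
FILTERED_PORTS = {80, 443}
# Brand names attackers splice into paths or subdomains to look trustworthy
# (assumed list; extend it for your environment).
TRUSTED_BRANDS = ("google", "microsoft", "yahoo", "facebook")


class IframeCollector(HTMLParser):
    """Collect the attributes of every iframe on a page."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def frame_port(src):
    """Effective port of the frame's URL; None for relative or unparsable src."""
    try:
        parts = urlsplit(src)
        if not parts.netloc:
            return None
        if parts.port is not None:
            return parts.port
    except ValueError:
        return None
    return 443 if parts.scheme == "https" else 80


def is_hidden(attrs):
    """True when the frame is styled invisible or sized 0x0 / 1x1."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w, h = int(attrs.get("width", "2")), int(attrs.get("height", "2"))
    except ValueError:          # percentages and the like: not a pixel size
        return False
    return min(w, h) in (0, 1)


def brand_in_url(src):
    """Return a trusted brand used as mere URL decoration, or None."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    haystack = parts.path.lower() + "/" + host
    for brand in TRUSTED_BRANDS:
        # The brand in the path, or as a subdomain of an unrelated domain,
        # is decoration: only the registrable domain says who serves the frame.
        if brand in haystack and not host.endswith(brand + ".com"):
            return brand
    return None


def suspicious_iframes(page_html):
    """Return one finding per iframe that matches the injection pattern."""
    parser = IframeCollector()
    parser.feed(page_html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        reasons = []
        port = frame_port(src)
        if port is not None and port not in FILTERED_PORTS:
            reasons.append("port %d is not inspected by the web filter" % port)
        if is_hidden(attrs):
            reasons.append("hidden frame")
        brand = brand_in_url(src)
        if brand:
            reasons.append("'%s' used as URL decoration" % brand)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: one legitimate embed, one injected frame on port 8080
# whose path borrows trusted domain names (attacker host is a placeholder).
SAMPLE_PAGE = html.unescape("""
&lt;html&gt;&lt;body&gt;
&lt;h1&gt;Company news&lt;/h1&gt;
&lt;iframe src="https://www.youtube.com/embed/abc" width="560" height="315"&gt;&lt;/iframe&gt;
&lt;!-- GNU GPL --&gt;
&lt;iframe src="http://attacker.example:8080/google.com/microsoft.com/in.php"
        width="1" height="1" style="visibility: hidden"&gt;&lt;/iframe&gt;
&lt;/body&gt;&lt;/html&gt;
""")

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```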
&lt;br /&gt;
At present, eSoft is detecting dozens to hundreds of newly compromised websites that have fallen victim to this attack and become conduits for attacks against their visitors. &amp;nbsp;More detailed information on how the attack is spreading and its links to Gumblar can be found on the &lt;a href="http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/"&gt;Unmask Parasites&lt;/a&gt; blog.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglLML6pCEdaHhUPvi7ZwywfXTDaJSjUXjxMkelK7QnWMM6KVHTZFL4E7aiYyiNaU688iBaAprK-0FIsF7KtfYvdwPDj0uHscOxwrqwNMwccN93aCTFuAOUsspVRKN-ZpQgz21PDaUnf1jV/s72-c/url_image_use.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Live.com Exploited as Pharma-Fraud Cover</title><link>http://threatcenter.blogspot.com/2009/12/livecom-exploited-as-pharma-fraud-cover.html</link><category>blackhat seo</category><category>pagerank bomb</category><category>pharma fraud</category><pubDate>Tue, 22 Dec 2009 12:54:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-4363997368518775680</guid><description>The FDA crackdown on online pharmacy sites has driven a lot of attention to illegal and fraudulent online pharmacies and in particular to their methods for tricking people into visiting their sites.  These practices include prolific spam and search engine poisoning. &lt;br /&gt;
&lt;br /&gt;
eSoft’s Threat Prevention Team has noticed that the search engine poisoning is now very actively making use of Microsoft’s Windows Live Spaces – a free blog hosting environment.  By registering accounts and using those accounts solely to link to the pharma-fraud sites, the search engine ranking of the target sites goes up. Additionally, the spam emails now link to these fake blogs rather than directly to the pharma-fraud site in an effort to better evade spam filters that might otherwise detect the link to the fraudulent website.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie4VZXcFtcj7MiLk59AzWJ9dYkyYMwUkogwz5KoDbYMTmypNMhaLuzdeouM5_E4wmK_WFS2sffKMBltGDAjVb9ZBPjVi9HO24TIO6gaE-Dnh4qWnMvs7Fl_P-SxhnGJ0_P-3qa2hR3zQKd/s1600-h/pharma_live1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie4VZXcFtcj7MiLk59AzWJ9dYkyYMwUkogwz5KoDbYMTmypNMhaLuzdeouM5_E4wmK_WFS2sffKMBltGDAjVb9ZBPjVi9HO24TIO6gaE-Dnh4qWnMvs7Fl_P-SxhnGJ0_P-3qa2hR3zQKd/s400/pharma_live1.png" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
The blog page shown here is typical of those seen by the Threat Prevention Team: it consists of a single blog entry with a single image that is linked to a classic “Canadian Pharmacy” website using a template that eSoft has seen used on thousands of websites.&amp;nbsp; eSoft worked with the ThreatChaos blog to shine the light and provide full details on these sites during a major outbreak in May.&amp;nbsp; More details about this threat may be found in &lt;a href="http://threatchaos.com/2009/05/pharma-fraud-escalates-dramatically"&gt;that posting&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicvCDlT9Eidjwufpqz0qK0AzoAoXGo99Vb7V5ztkd6B6W-uGy-0XMGg2frAs6bgxqjnlzmru1UXMWMsep2LqLh6UyA9GqjEHRPnpg89D2Inr3nQmm1TdexA5kEYXaOsyJ_1yQFV2aY4leu/s1600-h/pharma_live2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicvCDlT9Eidjwufpqz0qK0AzoAoXGo99Vb7V5ztkd6B6W-uGy-0XMGg2frAs6bgxqjnlzmru1UXMWMsep2LqLh6UyA9GqjEHRPnpg89D2Inr3nQmm1TdexA5kEYXaOsyJ_1yQFV2aY4leu/s400/pharma_live2.png" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Similar attacks have been reported recently using Yahoo and Blogger to draw users to fraudulent pharmacy sites. Google Job Spam has also reportedly infiltrated spaces.live.com.&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;
Whatever the distribution method, it's clear these cybercriminals will stop at nothing and continue to evolve new ways of advertising their bogus sites. eSoft has excellent detection for pharma-fraud sites and detects thousands of these URLs month after month.&amp;nbsp; Exploited blogs on spaces.live.com are being flagged as ‘Phishing &amp;amp; Fraud’. &lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;
&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie4VZXcFtcj7MiLk59AzWJ9dYkyYMwUkogwz5KoDbYMTmypNMhaLuzdeouM5_E4wmK_WFS2sffKMBltGDAjVb9ZBPjVi9HO24TIO6gaE-Dnh4qWnMvs7Fl_P-SxhnGJ0_P-3qa2hR3zQKd/s72-c/pharma_live1.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item><item><title>Boeing 787 Searches Hijacked by Rogue AV</title><link>http://threatcenter.blogspot.com/2009/12/boeing-787-searches-hijacked-by-rogue.html</link><category>blackhat seo</category><category>pagerank bomb</category><category>rogue av</category><pubDate>Tue, 15 Dec 2009 21:33:00 -0700</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-144924062834049120.post-3105099176644496738</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1KiPP1-iPC1CgzmuhbmI97W33c-fB-POqL1yXLNntb-hhQP_GmQRMsTAzZW7Yf4yLxZ6zhE9Qyj9f0JTIbXfrhenE9mbvPsMZJsi57JAmD0U6NXQ8Xx7e1oV2gSR2dJScUxCc8G7Jjwe-/s1600-h/boeing787.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1KiPP1-iPC1CgzmuhbmI97W33c-fB-POqL1yXLNntb-hhQP_GmQRMsTAzZW7Yf4yLxZ6zhE9Qyj9f0JTIbXfrhenE9mbvPsMZJsi57JAmD0U6NXQ8Xx7e1oV2gSR2dJScUxCc8G7Jjwe-/s200/boeing787.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;Today, the Boeing 787 Dreamliner jet completed its much-awaited first flight. As users searched to find videos and news articles related to the story, blackhats quickly moved in for yet another attack against Google search results.&lt;br /&gt;
&lt;br /&gt;
The most popular search for several hours today was “787 first flight video”. This search and related searches are saturated with malicious results leading to rogue AV and potentially other malicious payloads.&lt;br /&gt;
&lt;br /&gt;
At peak hours, 5 out of the first 9 results led to malicious payloads as users were pushed through a series of redirect pages and on to different distribution points. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzzvqF-gSCC9dbwz6Y71LyOs0kpO-0_npBl6q636Lj19gXsZa40o8fTuDSNrxK1R0YLYsWF0fW4rPbVb-0v6IJZ6TUvw0x5q0pIJtngVA4WzHB6sNmNJ4HPj_ysDMF85Nh0T2OXw4dLsmp/s1600-h/boeing787-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzzvqF-gSCC9dbwz6Y71LyOs0kpO-0_npBl6q636Lj19gXsZa40o8fTuDSNrxK1R0YLYsWF0fW4rPbVb-0v6IJZ6TUvw0x5q0pIJtngVA4WzHB6sNmNJ4HPj_ysDMF85Nh0T2OXw4dLsmp/s400/boeing787-2.png" width="400" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
While the distribution points and payloads varied, their effectiveness did not. Most sites were undetected by Google Safe Browsing and the malicious payloads they delivered had very low anti-virus detection rates. &lt;br /&gt;
&lt;br /&gt;
This latest attack is nothing new, but it is shocking how quickly and effectively cybercriminals are able to react to the latest news trends. In this particular attack, the dangerous top results seemed to be compromised sites with existing reputations which makes detection much more difficult.</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1KiPP1-iPC1CgzmuhbmI97W33c-fB-POqL1yXLNntb-hhQP_GmQRMsTAzZW7Yf4yLxZ6zhE9Qyj9f0JTIbXfrhenE9mbvPsMZJsi57JAmD0U6NXQ8Xx7e1oV2gSR2dJScUxCc8G7Jjwe-/s72-c/boeing787.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>threatcenter@esoft.com (Patrick Walsh)</author></item></channel></rss>