PandaLabs : Adware

Metatags in malware websites: II part

Asier Martínez — Thu, 05 Mar 2009 08:15:00 GMT

A couple of days ago we mentioned how some creators of websites that host malware add metatags to them, so that they are not indexed by the search robots.

Today, we are going to mention the opposite case. Let’s take the following URL as an example: http://malwa<blocked>.com

The following tag can be found in the source code of the website:

The FOLLOW attribute allows the links included in the website to be scanned.

The ALL attribute allows all the files to be indexed completely.

The INDEX attribute allows the search engines to index the website.

Generally the creators of this type of websites want the malware to spread widely and asap. That’s why they decide not to add metatags or to add them, so that the indexing robots could index and scan the links easily. This way, when users make queries in the search engines, they are likely to access a malicious website, causing their computers to get infected with the malware hosted in them.

Metatags in malware websites

Asier Martínez — Tue, 03 Mar 2009 16:20:00 GMT

An indexing robot is a program which tracks websites, storing their content in databases and following the links which point to other websites.

Rogue antimalware creators don’t usually add tags to the code of their websites or they add them so that the websites are indexed by the robots of the searchers. This way, they are more accessible and malware can be widely spread.

Lately we have found several cases that prove quite the opposite: tags are added to go unnoticed.

Let’s take the following URL as an example:
http://<blocked>akedpics.blogspot.com

When clicking the video to view it, we are redirected to the following URL http://<blocked>pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirect us to http://crack-<blocked>.com (*) and finally to http://fast<blocked>.com/xplays.php?id=40004 from which we will download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009

(*) This URL redirects us to different malware hosting websites randomly, depending on the time.

If we look at the source code of the URL http://fast<blocked>.com/xplays.php?id=40004, we can find the following tag: <META content=noindex,nofollow,noarchive name=robots>

1. The noindex tag doesn’t allow the search engines to index a website.
2. The nofollow tag doesn’t allow the search engines to scan the links of the document.
3. The noarchive tag prevents the website from being cached.

It seems that these techniques are aimed at making malware analysts’ and antivirus companies’ job more difficult. They are also used to prevent the proactivity, in the sense of preventing the infection with techniques such as URL blocking, which consists in making queries of specific parameters in the search engines.

Rogue ScanVirus site impersonates SaaS Anti-Virus

Sean-Paul Correll — Tue, 03 Feb 2009 13:23:00 GMT

Today we discovered a new site using an interesting tactic to trick users into infecting themselves with malware. This time the cyber-criminals opted to pretend to be a Software as a Service (SaaS) Anti-Virus solution.

The "Scan Virus" website uses several legitimate Anti-Malware logos and badges in order to gain the victims confidence. Immediately upon loading the site a fake scan will begin and shortly after that the site will prompt the user to download a file called AntiVir.exe, which we detect as Adware/Antivirus2009. The site attempts to scare users by displaying images such as, "Your PC is infected! Sorry, standard programs cannot disinfect your PC now", and "DOWNLOAD PATCH to fix this problem"