PandaLabs : Rogueware

Black(hat) Friday

Sean-Paul Correll — Fri, 20 Nov 2009 21:01:00 GMT

If you plan on shopping online for "Black Friday", or "Cyber Monday", you might be in for more than you bargained for.　 Cyber criminals behind the Rogueware epidemic have their blackhat SEO campaigns optimized to take advantage of deal seekers looking for advertisements online.　 One misstep and you just might find yourself staring at a scareware site designed to trick you into believing that your computer is infected.

Google Search:

Fake Antivirus Page:

We are constantly monitoring this and other Blackhat SEO campaigns to protect our customers against the latest malware attacks on the Internet. If you are not a customer yet, we recommend at least installing our free Cloud Antivirus protection. We also recommend adding an extra layer of browsing protection with safer browsing technology, such as the community driven system provided by our partner, Web Of Trust.

Blackhat SEO Aggressively Targets Halloween Related Keywords

Sean-Paul Correll — Wed, 28 Oct 2009 00:00:00 GMT

Cyber criminals behind the Rogueware epidemic have been hard at work in poisoning search results to increase traffic to their campaign sites. Today, we identified a new Blackhat SEO campaign, which is currently targeting Halloween related keywords aggressively. While studying the campaign, I noticed that the most commonly targeted keywords were classic costume favorites, such as the Cat woman costume, vampire costume, and various adult costumes. In addition to costumes, the BHSEO campaign also targets Halloween related food recipes, haunted house directions, Halloween parties, and the movie Halloween.

Tainted search results:

Fake Antivirus site:

Tag cloud of targeted search terms:

As we have documented in prior blog posts, Blackhat SEO continues to be one of the most prevalent and pervasive attack vectors on the Internet today. As users, we tend to trust search engines to provide safe and accurate search results, but the reality is that today, search engines are becoming the most dangerous way to browse the Internet.

Blackhat SEO Campaign Targets 2009 Nobel Prize Winner

Sean-Paul Correll — Fri, 09 Oct 2009 12:20:00 GMT

We’ve identified a new Blackhat SEO campaign today which targets President Obama as the 2009 Nobel Peace Prize winner among a thousand or so other search terms. Clicking on a malicious search result yields the typical Rogueware campaign.

Search result:

Rogueware site:

The complete list of targeted search terms can be found here.

Rogueware with new Ransomware Technology™

Sean-Paul Correll — Thu, 08 Oct 2009 11:05:00 GMT

The criminals behind Rogueware attacks are becoming increasingly aggressive in their approach to make money. We recently stumbled across a sample (Adware/TotalSecurity2009) which uses a ransomware technique to improve its sales. Once the computer becomes infected, Total Security forces the victim to purchase it before it will allow any files from being accessed on the system. When attempting to open a file, a message pops up in the notification area claiming that the application was blocked due to infection. The pop up recommends activating the "antivirus" software, which costs $79.95.

This would be a devistating blow to any user and would likely force the victim to purchase it, so we went ahead and cracked the sample to reveal all of the valid serial numbers. We're hoping that victims can find this blog post before shelling out any hard earned cash to these criminals.

Watch the video to see it in action:

Valid serials for Adware/TotalSecurity2009:

WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD

You can download a free trial to completely remove the infection once the ransomware feature is removed.

Special thanks to Sherab Giovannini for extracting the serials.

Rogueware distributors use Skype

Sean-Paul Correll — Mon, 05 Oct 2009 10:41:00 GMT

Rogueware distributors are like the cockroaches of the Internet; they’re everywhere. Malicious search results, online advertisements, and iframe hijacked sites are the typical distribution methods, but every once in a while we come across an interesting approach.

Recently, a colleague alerted me of a spam message coming through to his personal Skype account. The message appeared out of nowhere from an account labeled “Online Notification” and made the typical claims of a found infection. Once the victim navigates to the site, the usual fake antivirus trickery takes place.

Skype isn’t the most reliable or innovative distribution method, but we’ll go ahead and give them an "A" for effort.

Blackhat SEO continues to ravage search results

Sean-Paul Correll — Tue, 22 Sep 2009 23:26:00 GMT

Every day cyber criminals are exploiting search engines to display high ranking malicious search results. Targeting hot topics allows for cyber criminals to improve infection rates for their money making Rogueware (pdf) schemes. Below is an example of the attack we observed today.

Most targeted search terms:

Dallas Cowboys
NFL
School
Emmy Awards
Autumn Equinox (Mabon)
Atlanta
News

..The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt

Sample search result:

Redirection to fake security (Rogueware) site:

Rogueware: Adware/PCDefender

Tag cloud of targeted terms:

Blackhat SEO Attack Targets Obama's Speech

Sean-Paul Correll — Wed, 09 Sep 2009 23:52:00 GMT

Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites. Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope is much deeper than that. Literally every current relevant news topic is actively targeted each day, including highly publicized speeches given by President Obama this week.

Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page:

Malware Info: Adware/SmartVirusEliminator

Investigating the attack shows us a bigger picture of the targeted keywords:

Most commonly targeted keywords:

Obama Speech
GM group enterprises
Apple
Beatles
America
White House
Jon Gosselin
Live Interview
School Season
The full list of targeted keywords can be downloaded here: BlackhatSEO2.txt

Over the past six months that PandaLabs has closely tracked the evolution of Blackhat SEO attacks, we’ve seen these targeted campaigns be executed by cybercriminals with increasing levels of speed and sophistication. Today, Blackhat SEO is truly a mainstream tactic used by cyber criminals. Targeting real-time news events is a serious problem not only for search engines, but for all parties involved in malware mitigation. In shifting to the "real-time web," the entire IT security community must also recognize the need for real-time Malware protection and this is precisely why the move to cloud-based antivirus technology is necessary.

Rogueware Demo: Online Antivirus

Sean-Paul Correll — Sat, 05 Sep 2009 01:51:00 GMT

Rogueware authors continue to push the limits when tricking innocent users into infecting themselves. In this video example, we demonstrate the audio and visual cues used in a scareware campaign.

Be Careful With Your Search Results

Sean-Paul Correll — Tue, 01 Sep 2009 17:29:00 GMT

Update: Learn about the latest BHSEO attack here.

Blackhat SEO (BHSEO) is currently one of the most prevalent distribution methods for Malware on the Internet. It’s also one of the most dangerous methods because of the user-implied trust in search results. A Forrester research study conducted in 2008 showed that 50 percent of Internet users trust content delivered by search engines. It’s no surprise that cyber criminals have been using malicious search results as a main monetization stream.

The Rogueware campaign we blogged about last week turned into a full blown BHSEO attack targeting relevant news topics such as, the California wildfires, Ted Kennedy’s death, DJ AM’s death, Mega Millions Lottery, Hurricane Danny, UFC 102, CNN and BBC breaking news among thousands of search terms and 123,000 links. Upon clicking one of many malicious links in the top ranking search results, the victim is put through several redirections and finally taken to a fake scan website designed to infect and extort money.

Fake scan site:

Installer:

File: setup.exe
Size: 72192
MD5: 2C0625D97A5BC7EC299D33CE8C9A299E

Adware/SmartVirusEliminator

Tag cloud of exploited keywords:

Most exploited keywords:

BBC News 2009
CNN News 2009
Ted Kennedy
Official Website
USA News
Hottest Info/News
CA/California Fire
Lottery
Hurricane
Halloween
The full list can be downloaded here: BlackhatSEO.txt

You can read more about Rogueware in our most recent report: The Business of Rogueware [pdf]

Are Cyber Criminals Targeting Local Events In Your City?

Sean-Paul Correll — Thu, 27 Aug 2009 21:36:00 GMT

Panda Security has a California based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forrest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for “Angeles Crest Fire” and the result yielded a malicious link above most relevant sources.

Update: 9/01/08 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc

Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site:

The Rogueware site is designed to display a fake Antivirus scan designed scare victims into thinking that their computer is infected. If the Malware is downloaded and installed as the site suggests, the user will see a fake Antivirus program pop up on their computer. At that point it becomes very aggressive and difficult to remove.

File: Antivirus-x_x.exe
Size: 172032
MD5: 0E9BC3499560EEA9261F5883FAE2A10E
Malware Info: Adware/PersonalAntivirus.

Rogueware attacks are among the most prevalent attacks on the Internet today. You can see our latest report on them here: The Business of Rogueware (pdf)

5 Steps to Avoid Infection:

Always have up-to-date Anti-Malware software installed. If you don’t have one or if your current solution is not removing the Malware, you could download a free trial from us here: http://www.pandasecurity.com/usa/homeusers/downloads/evaluation/

Don’t rely on search engines to provide valid or safe search results. You can improve your chances of safe browsing by downloading our free Web of Trust browser plugin: http://www.pandasecurity.com/homeusers/downloads/wot/

Pay close attention to what links you are clicking on. If you don’t recognize the source you may want to research the domain in a separate search or avoid the link all together.

Rogueware attacks rely on Social Engineering (I.e. making you believe you are infected when you are not). Don’t believe it! Simply close the browser window if you see a scan appear all of the sudden. If you cannot close the window with your mouse you can try ALT+F4 to force close it.

Don’t be afraid to ask for help. Call your Antivirus Company or a tech savvy friend if you feel that you are in over your head.