Picking up from where we left off last time, I decided to dig deep into how the whole fake AV scam was being done. So, I fired up Wireshark as I started to browse the Google search results for Brittany Murphy.
After clicking on the poisoned search result, we first land on a page that is just an HTML page filled with junk related to the Google search query. Depending on your internet speed, you may or may not see this page, as you are quickly redirected to the Fake AV scanning page.
Now, this intermediate SEO page is very interesting! It seems the bad folks are pretty clever. The content we see on this page is dynamically generated. Here is the actual query -
So, I decided to play around and changed the query to something else, like more recent news about the terrorist Abdul Mutallab, the Nigerian suicide bomber, and surprise surprise! …
What is happening is that there is a smart script running behind the scenes that creates dynamic content based on the parameters passed to it. It probably fetches the search-related content from Google in the backend and builds a page like the one above. Then Google's web crawlers, along with tools like XRumer, do the rest!
There are two links or redirects embedded in this HTML source. The first one appears to go to some blogger site. But looking at the HTTP request, you see the referrer being set for it, so it is most likely a tracker that keeps a log of hits made to the page.
The second request appears to go to the same PHP page on the same malicious server, but this time the parameter is different. So the query looks like this -
Notice how the "q" changed to "red", probably meaning "redirect", and in response we get a nice -
window.location = "http://mal-url-2/?code=944"
Bang! This is the fake AV page. So, as I said before, you may or may not see all this action happening and may simply land on the Fake AV web page. So the whole flow happens like this -
All this appears to be part of a kit that is being used by a lot of bad guys, probably sitting in Russia or Ukraine. Also, parameters like "adv" might be affiliate ids given to different gangs for spreading this Fake AV campaign. The downloaded binaries are Rogue AV software that display misleading alerts about computer problems in order to convince users to purchase it.
These SEO pages and Fake AV hosting websites keep moving, with new domains being registered every now and then. So, next time you are searching for some "Breaking news", be careful. Have a Happy, Safe and malware-free new year! :)
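As an added example (not from the original post), here is how a defender could spot this exact chain in proxy logs: a Google-referred hit on a PHP page with a search-term "q", a second hit on the same endpoint with "q=red" whose response carries a window.location redirect, and the landing page with a "code" parameter. The log format, hostnames and the "adv=17" value are constructed placeholders; "code=944" and the parameter names come from the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log, tab-separated: ts, method, url, referer, status, body snippet.
# Hostnames are placeholders, not the real ones seen in the capture.
SAMPLE_LOG = """\
10:01:02\tGET\thttp://seo-host.example/page.php?q=brittany+murphy&adv=17\thttp://www.google.com/search?q=brittany+murphy\t200\t<html>...junk...</html>
10:01:03\tGET\thttp://tracker.example/hit.gif\thttp://seo-host.example/page.php?q=brittany+murphy&adv=17\t200\t
10:01:03\tGET\thttp://seo-host.example/page.php?q=red&adv=17\thttp://seo-host.example/page.php?q=brittany+murphy&adv=17\t200\twindow.location = "http://fakeav-host.example/?code=944"
10:01:04\tGET\thttp://fakeav-host.example/?code=944\t-\t200\t<html>Your computer is infected</html>
10:02:00\tGET\thttp://news.example/story.html\thttp://www.google.com/search?q=breaking+news\t200\t<html>real story</html>
"""

JS_REDIRECT = re.compile(r'window\.location\s*=\s*["\']([^"\']+)["\']')

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, method, url, referer, status, body = line.split("\t")
        rows.append({"ts": ts, "url": url, "referer": referer, "body": body})
    return rows

def endpoint(url):
    # Same host and path, ignoring the query string.
    p = urlparse(url)
    return (p.netloc, p.path)

def find_seo_redirect_chains(rows):
    """Return one dict per chain: search page -> ?q=red -> JS redirect -> landing page."""
    chains = []
    for i, r in enumerate(rows):
        qs = parse_qs(urlparse(r["url"]).query)
        # Stage 1: a Google-referred request carrying the search terms in "q".
        if "google." not in urlparse(r["referer"]).netloc or qs.get("q") in (None, ["red"]):
            continue
        # Stage 2: the same endpoint hit again with q=red, answering with a JS redirect.
        for s in rows[i + 1:]:
            sq = parse_qs(urlparse(s["url"]).query)
            if endpoint(s["url"]) != endpoint(r["url"]) or sq.get("q") != ["red"]:
                continue
            m = JS_REDIRECT.search(s["body"])
            if not m:
                continue
            target = m.group(1)
            # Stage 3: did the client actually follow the redirect to the landing page?
            landed = any(t["url"] == target for t in rows[i + 1:])
            chains.append({
                "search_terms": qs["q"][0],
                "affiliate": (sq.get("adv") or ["?"])[0],
                "seo_host": endpoint(r["url"])[0],
                "landing": target,
                "code": (parse_qs(urlparse(target).query).get("code") or ["?"])[0],
                "landed": landed,
            })
            break
    return chains
```

Running find_seo_redirect_chains(parse_log(SAMPLE_LOG)) yields a single chain for the poisoned result and ignores the legitimate news hit; the "seo_host" and "landing" values are the ones to block or hunt for elsewhere in the logs.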