Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Wednesday, December 30, 2009

Digging deep into BlackHat SEO - Part 2

Picking up from where we left off last time, I decided to dig deeper into how the whole fake AV scam was being run. So I fired up Wireshark and started browsing the Google search results for Brittany Murphy.

Wireshark Capture of my Google search

After clicking on the poisoned search result, we first land on a plain HTML page stuffed with junk related to the Google search query. Depending on your internet speed, you may or may not see this page, as you are quickly redirected to the fake AV scanning page.

Now, this intermediate SEO page is very interesting! It seems the bad folks are pretty clever. The content we see on this page is dynamically generated. Here is the actual query:

http://xxxxxxxx.de/main.php?q=brittany-murphy-death-pictures


So I decided to play around and changed the query to something else, like the more recent news about the terrorist Umar Farouk Abdul Mutallab, the Nigerian suicide bomber, and surprise, surprise! …

/main.php?q=Umar-Farouk-Abdul-Mutallab

What is happening is that a smart script running behind the scenes creates dynamic content based on the parameter passed to it. It probably fetches search-related content from Google in the backend and builds a page like the one above. Then Google's web crawlers, along with tools like XRumer, do the rest!

There are two links or redirects embedded in the HTML source. The first one appears to go to some Blogger site. Looking at the HTTP request, you see the Referer header set for it, and it is most likely a tracker that keeps a log of hits made to the page.

The second request goes to the same PHP page on the same malicious server, but this time the parameter name is different. So the query looks like this:

http://xxxxxxxx.de/main.php?red=brittany-murphy-death-pictures

Notice how the "q" changed to "red", probably meaning "redirect", and in response we get a nice:

window.location = "http://mal-url-2/?code=944"

Bang! This is the fake AV page. So, as I said before, you may or may not see all this action happening, and may simply land on the fake AV web page. The whole flow happens like this:

Flow chart explaining the whole redirect process

The fake AV site contains a bunch of JavaScript files (with funky names like drugndrop.js :) !) that are designed to make it look as if a real antivirus is scanning your PC. Even the filenames shown during the "scan" are hardcoded in JavaScript arrays :P ! Finally, if you click anywhere on the page, you end up getting a so-called "installer", which is a downloader Trojan. That request looks like this:

http://xxxx2010.biz/cgi-bin/setup.pl?adv=944&p=5

This is just one type of fake AV campaign. Some are more sophisticated; e.g. the names of the JavaScript files are random and different each time the page is accessed, which makes them difficult to block using network-based signatures on file names.
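As an added example (my own code, not part of the original post and not the kit's code), here is a small Python script that reconstructs the redirect chain above from a list of HTTP transactions, the way you would after exporting them from Wireshark. It keys on the structure of the campaign rather than on JavaScript file names, which the text notes are randomized: the doorway endpoint being hit first with "q=" and then with "red=" for the same term, the window.location redirect in the response, and the cgi-bin/setup.pl request carrying an "adv" parameter. The hosts are the post's own placeholders; the sample transactions, the Blogger tracker URL, the Google Referer, the response snippets and the random JS name are constructed for the example and are not capture data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the transactions described in the post, in order:
# (request_url, Referer header or None, response body snippet).
SAMPLE_FLOW = [
    ("http://xxxxxxxx.de/main.php?q=brittany-murphy-death-pictures",
     "http://www.google.com/search?q=brittany+murphy+death+pictures",   # assumed
     "<html><body>brittany murphy death pictures ...</body></html>"),
    ("http://someblog.blogspot.com/",                                     # assumed tracker
     "http://xxxxxxxx.de/main.php?q=brittany-murphy-death-pictures",
     ""),
    ("http://xxxxxxxx.de/main.php?red=brittany-murphy-death-pictures",
     "http://xxxxxxxx.de/main.php?q=brittany-murphy-death-pictures",
     'window.location = "http://mal-url-2/?code=944"'),
    ("http://mal-url-2/?code=944",
     "http://xxxxxxxx.de/main.php?red=brittany-murphy-death-pictures",
     '<script src="/js/a8f3kd.js"></script><script src="/js/drugndrop.js"></script>'),
    ("http://xxxx2010.biz/cgi-bin/setup.pl?adv=944&p=5",
     "http://mal-url-2/?code=944",
     "MZ..."),                                                            # assumed PE header
]

# JavaScript redirect of the form window.location = "..." (single or double quotes).
JS_REDIRECT = re.compile(r"window\.location\s*=\s*[\"']([^\"']+)[\"']")


def query(url):
    """Return the query string of url as a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def find_doorway_pivots(flow):
    """Doorway pages: one host+path hit with q=<term> and later with red=<term>."""
    by_endpoint = {}
    for url, _, _ in flow:
        p = urlsplit(url)
        by_endpoint.setdefault((p.netloc, p.path), []).append(query(url))
    pivots = []
    for (host, path), queries in by_endpoint.items():
        terms_q = {q["q"] for q in queries if "q" in q}
        terms_red = {q["red"] for q in queries if "red" in q}
        for term in sorted(terms_q & terms_red):
            pivots.append({"host": host, "path": path, "term": term})
    return pivots


def find_js_redirects(flow):
    """(source_url, target_url) for every window.location redirect in a body."""
    return [(url, target) for url, _, body in flow for target in JS_REDIRECT.findall(body)]


def find_payload_requests(flow):
    """Installer downloads: a setup.pl request that carries an adv parameter."""
    return [url for url, _, _ in flow
            if urlsplit(url).path.endswith("/setup.pl") and "adv" in query(url)]


def referer_chain(flow, last_url):
    """Walk Referer headers backwards from last_url; side requests such as the
    tracker hit are not on the chain and are left out automatically."""
    referers = {url: ref for url, ref, _ in flow}
    chain, seen = [last_url], {last_url}
    while referers.get(chain[-1]) and referers[chain[-1]] not in seen:
        chain.append(referers[chain[-1]])
        seen.add(chain[-1])
    return list(reversed(chain))


def analyze_flow(flow):
    """Summarize the campaign indicators found in a list of transactions."""
    pivots = find_doorway_pivots(flow)
    redirects = find_js_redirects(flow)
    payloads = find_payload_requests(flow)
    # code= on the fake AV landing page and adv= on the installer request; the
    # post speculates these are affiliate ids, so they are worth collecting.
    ids = {query(t).get("code") for _, t in redirects} | {query(u)["adv"] for u in payloads}
    ids.discard(None)
    return {
        "doorway_pivots": pivots,
        "js_redirects": redirects,
        "payload_requests": payloads,
        "ids": ids,
        "chains": [referer_chain(flow, u) for u in payloads],
        "verdict": bool(pivots and redirects and payloads),
    }


if __name__ == "__main__":
    result = analyze_flow(SAMPLE_FLOW)
    for hop in result["chains"][0]:
        print(" ->", hop)
    print("ids:", sorted(result["ids"]), "fake AV chain:", result["verdict"])
```

The verdict requires all three structural indicators, so a lone window.location redirect on a legitimate site does not trip it, and none of the checks looks at a JavaScript file name, so the randomized names on the more sophisticated kits do not matter. Feeding it real traffic means exporting request URL, Referer and body from the capture into the same tuple shape.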

All this appears to be part of a kit that is being used by a lot of bad guys, probably sitting in Russia or Ukraine. Parameters like "adv" might be affiliate IDs given to different gangs for spreading this fake AV campaign. The downloaded binaries are rogue AV software that displays misleading alerts about computer problems in order to convince users to purchase it.

The SEO pages and fake AV hosting websites keep moving, with new domains being registered every now and then. So, next time you are searching for some "breaking news", be careful. Have a happy, safe and malware-free new year! :)
