Malware web based threats: Anatomy of a web hack.
Mass compromise of legitimate websites: Blackhat SEO, rogue antivirus software and zero-day exploits!
After Trend Micro researchers claimed that Easter related sites were used to redirect visitors to rogue antivirus websites, PandaLabs recently uncovered similar Black hat SEO attacks against Ford and Ned.org.
By misusing keywords typically related to global businesses and institutions, the criminals attract unsuspecting visitors to compromised web sites. These sites deceive visitors into downloading and installing a fake antivirus product that is very hard to deactivate or remove. The rogue antivirus shows false alerts to the user, making them think that their computer is infected. Scared users are then susceptible to buying the "antivirus protection" via a page that looks like a secure SSL web site. In fact, their money and confidential credit card information are stolen by the criminals the moment they enter their personal details into the payment page.
Many global companies, including Ford, have been exploited in this way. Over a million compromised web sites used Ford-related keywords to attract visitors to fake antivirus sites via search engines such as Google (Black hat SEO may force Google to change algorithm). Other examples of this attack include the misuse of Easter-related keywords to attract unsuspecting visitors during the Easter season (Trend Micro Malware Blog - Rotten Eggs: An Easter Malware Campaign).
There are other variants of this type of attack originating from the same Ukraine / Russia based criminal fraternity. For example, the criminals use technical exploits to compromise web sites, blogs, forums and the like. The WordPress blog management software has been a victim of such an exploit, allowing the criminals to inject malicious code directly into all pages. A visitor to one of these infected sites is redirected to another site where rogue antivirus software is again downloaded (PandaLabs: New Blackhat SEO attack exploits vulnerabilities in WordPress to distribute rogue antivirus software).
The criminals put a lot of effort into assuring the longevity of their scam. Frequent IP changes and moving from location to location help ensure that they can continue their activities.
You can get more information about all these attacks from the following resources; the PandaLabs video gives a particularly clear and concise overview.
The following links provide more information about this attack:
The websites in question are trustsecurityshield.com and topsecurity4you.com, each of which was live for only two or three days (hosted on 209.44.126.14).
Technical details can be found below.
Vulnerabilities in Wordpress exploited to distribute rogue antivirus software
Watch the full video:
I want to draw your attention to the video above.
This is a screenshot at 03:11.
If you zoom into it you will see the domain "load-archive-av-pro.com". The domain is still active and is shared, as the payload location, with many other fake scanner websites such as "antivir-scan-pro-best.com". Wepawet Analysis
The process:
As an example, I will take some keywords found on Ned.org.
From the article on PandaLabs' blog about the SEO attack against Ford Motor Co. you can see the domain "globextubes.com", previously hosted on 64.69.32.203.
This is a graph (from Robtex) of some of the sites serving the same campaign:
The campaign then moved quickly to the IP block 209.44.126.0/24 ("Netelligent Hosting Services Inc"), which hosts several fake AV websites as well as exploits used to spread the TDSS/Alureon trojan.
All of these were found by following iframes injected into legitimate websites, poisoned keywords in Google search results, and links on ad networks (screenshot below).
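The injected-iframe stage described above is the part a site owner can check for directly. The following is an added example (not code from the post or from PandaLabs): it scans a page's HTML for iframes that are both hidden or zero-sized and point off-site, which is the shape of the injection the post describes. The sample HTML and the "rogue-av.example" domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate blog page with one normal embed and one
# injected, invisible iframe pulling content from a third-party host.
SAMPLE_HTML = """<html><body>
<h1>My blog</h1>
<p>Welcome to the site.</p>
<iframe src="https://www.example.org/embed/video" width="400" height="300"></iframe>
<iframe src="http://rogue-av.example/in.php" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is zero/one pixel sized or hidden via inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = [attrs.get(d, "").lower().rstrip("px") for d in ("width", "height")]
    tiny = dims[0] in ("0", "1") and dims[1] in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html, site_host):
    """Return src URLs of iframes that are hidden AND load from another host.

    site_host is the hostname the page legitimately belongs to; relative
    and protocol-relative srcs are resolved against it.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or site_host
        if host != site_host and _is_hidden(a):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for url in find_injected_iframes(SAMPLE_HTML, "blog.example"):
        print("suspicious hidden off-site iframe:", url)
```

A visible off-site embed (the video iframe) is deliberately not flagged, so the check targets the invisible redirect stage rather than every third-party iframe on a page.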
Check it out: maybe someone has access to your PC right now! Protect yourself.