ESET Threat Blog


Archive for the 'SEO' Category

Halloween: There’s Something Scary In Your Search Engine

Thursday, October 29th, 2009

We told you to watch out, didn't we? (see Randy's blog at http://www.eset.com/threat-center/blog/2009/10/23/this-is-the-funniest-video-ever). But it's not just Michael Myers, zombies and vampires you need to watch out for. It's also Funny Halloween Costumes, Harvey Milk, Pumpkin Carving Stencils, candy, Pokemon, and McDonalds Monopoly online.

Yes, the fake/rogue AV gang have started on their Halloween special, and this time it's… well, it's the same old SEO (Search Engine Optimization) poisoning ploy. Right now, after a very interesting conversation with Juraj Malcho, head of our lab in Slovakia, I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people – are likely to be searching for at this time of year.

I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here: I don't suppose you'd read it from top to bottom if I did. However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example.

Many of the search terms I'm looking at here relate to fairly specific stuff like Halloween costumes; lots are fairly generic but have the word Halloween added (often at the start of the term, but not invariably); some don't relate to Halloween at all, as far as I can see; and some are just bizarre. ("Halloween originated in mt kilamanjaro (sic)")

So much for the social engineering aspect: what about the malware? Juraj has been checking samples, and most of it is already covered by our generic detections. There'll be more specific naming in our next update. Of course, we'd expect the bad guys to do some tweaking as their campaign develops, to try to regain the advantage, so you can't assume that anti-virus products, even those with good proactive detection (like ours!) will catch everything.

Anti-virus is a useful layer of protection against threats like this, but we can't always save you from your own lack of caution. If you're looking for Halloween-related material, you might want to check out my previous blog at http://www.eset.com/threat-center/blog/2009/10/24/fake-anti-malware-blurring-the-boundaries for other resources that will tell you more about fake security programs.

[Particular thanks to Sean-Paul Correll and Patrick Mullen for spreading the word on this.]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Fake Antimalware – Old Dogs, New Tricks

Sunday, September 6th, 2009

(1)

Websense, our neighbour in San Diego, has reported a fake anti-malware scam centred on Labor Day social engineering. The scam uses malicious SEO (Search Engine Optimization) techniques, sometimes referred to as index hijacking or SEO poisoning, to misdirect potential victims. When the victim uses Google to search for Labor Day sales (apparently these are very popular in the US), the bad guys use SEO poisoning to ensure that some of the highest ranking hits are actually malicious URLs that redirect the victim to a site "warning" him that his machine is infected and offering "free but fake" anti-virus software. According to Websense, AOL and ASK.com have been affected by similar SEO poisoning.

(We have a paper on our white papers page on the topic of fake anti-malware, written by Cristian Borghello, one of my colleagues in ESET Latin America. This describes how "free" anti-malware can turn out to be pretty expensive.)

There’s nothing particularly new about SEO poisoning, of course: my colleague on the AMTSO Board of Directors, Igor Muttik, wrote a comprehensive chapter for the AVIEN Malware Defense Guide* on web attacks that includes a section on index hijacking. Similarly, malware frequently uses social engineering based on public holidays to lure its victims – remember the Waledac 4th of July spam, which we and Websense, among others, also flagged? – as well as other attention-grabbing topics such as the Athens fires. Nevertheless, it’s well worth reiterating that this kind of social engineering isn’t restricted to spamming out malicious attachments or links. You may trust Google’s good intentions, but that doesn’t mean that every link that turns up in a Google search is going to be trustworthy.

Like legitimate concerns who make money out of their web presence, the bad guys also like to take steps to ensure that their "business" is top of the heap in web searches.

(2)

Sophos have also brought our attention to a slightly novel wrinkle currently employed by fake AV distributors. In this case, it’s a fake AV product which doesn’t just tell you that you’re infected by imaginary malware, but tells you which files are "spyware". We have seen instances where a system is deliberately attacked in order to sell the "solution": for instance, part of the pitch for one type of fake file recovery software was to encrypt some of the victim’s files and flag them as "corrupted", so that the fake software can "repair" them. Fortunately, this isn’t quite the same: the Trojan isn’t actually creating malware on the victim’s machine; it’s simply creating garbage files and flagging them as malicious. These files can’t execute and are easily removed (you certainly don’t need to buy the fake AV to remove them).

You may wonder what’s to stop these guys generating real malware. Well, not much: there’s nothing to stop one malicious program generating another, which a third (the fake security software) claims to detect and remove. The reason that we don’t see this more often may simply be that the authors of fake AV are constantly trying to blur the distinction between fake security software and the real thing. This has at least two advantages for them:

  • It makes it more difficult (obviously) for a potential victim to spot a rogue product.
  • By trying to make real security products look bad, they increase the take-up of their own badware.

So they may be holding back from generating real malware in contexts where it will make it harder for them to claim in court, for example, that the fake scanner is legitimate security software.

However, that doesn’t mean that some criminal genius won’t decide that it makes sense to write the malware and the "anti-malware" at the same time. In fact, there are precedents for this that go back to the 1990s: indeed, I once declined to participate in a book project that was intended to teach the art of antivirus development by describing how to write specific viruses, and then describing how to write detection routines.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

*Dr. Igor G. Muttik, A Tangled Web, in "The AVIEN Malware Defense Guide for the Enterprise", ed. Harley, Syngress 2007.

Web Searches and Dangerous Ladies

Wednesday, August 26th, 2009

I feel like the learned judge in the ’60s who asked, in the course of a trial, "What is a Beatle?" since until recently I couldn’t have given you an accurate answer to the question "What is a Jessica Biel?"

In fact, I’d probably have said something like "Wasn’t she in Flashdance?" (The answer is no: she would apparently have been a baby when I saw Jennifer Beals in that film, back in the days when I had a social life.) Clearly, I need to do something about my work/life balance, and the fact that I now only ever see movies on television or on planes.

Or perhaps not, since McAfee have reported, according to Yahoo News, that web searches for Ms Biel are "more likely to lead to online threats such as spyware and viruses than searches for any other celebrity."

There’s a certain irony here, in that the media and the blogosphere have picked up so readily on McAfee’s latest report, based on statistics from their SiteAdvisor site rating database. Well, celebrity stories are not only the stock-in-trade of many journalists and a major preoccupation of much of their readership (clearly there’s a correlation between those two factors!) but also a favoured target among spammers, scammers and purveyors of malware, who are always ready to use a topical story (real, fabricated, important or trivial) as social engineering bait in order to spread Badness.

Why is it ironic? Because even while they’re pointing to the dangers of celebrity hunting on the ‘net, they are, to some extent, perpetuating it. Of course, it’s a good thing if more people become aware of the dangers that malicious search engine optimization (SEO) poses, and I don’t blame McAfee for using the "cult of celebrity" to make that point, but it’s a pity that the media is focused on that narrow aspect of a much wider problem.

McAfee researchers Shane Keats and Eipe Koshy came out with a substantial research document earlier this year, using a number of statistical resources as well as SiteAdvisor. Rather than focusing on celebrities, it looked at a whole range of hooks used by the bad guys to lure the unwary, using search categories like screensavers, free games, taxes and viagra, as well as personalities from the entertainment world and politics.

Bizarrely, while celebrities did rank number 7 in the list of high-risk keywords in the US, the top two items in the table "Top 50 riskiest search terms in the United States" were "word scrambler" and "lyrics", so perhaps Lady Mondegreen is even more dangerous than Jessica. :)

But the paper deserves much closer attention than I can give it in a short blog. If you’re interested in what other psychological quirks the bad guys are finding it useful to exploit, take a look.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence