Search Engine Redirects to Malware Continue

Discussion in 'malware problems & news' started by Rmus, Sep 7, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I found this with the Yahoo search engine. A similar search of Google revealed that Google had cleaned up all traces of this particular site which had infected a number of people in the past two days.

    Clicking on the link in the Yahoo Search redirected me a fake AV scan page.

    traac-1.gif

    Note that there is no information filled in about threats and actions. This is because the exploit using the animated scan followed by the popup windows requires scripting to be enabled. With scripting configured per-site, the exploit will not work.

    To demonstrate, I enabled scripting for the Yahoo Search Page:

    traac-yahoo1.gif

    traac-yahoo2.gif

    Then I clicked on the link which redirected me to the site as above. Scripting is disabled:

    traac-pref1.gif

    traac-pref2.gif

    Here are the javascript files which start the exploit:

    Code:
    <title>My computer Online Scan</title>
    
    < script type="text/javascript" src="img/jquery.js"></ script>
    
    < script type="text/javascript" src="img/jquery-init.js"></ script>
    
    < script type="text/javascript" src="img/[B]listfile.js[/B]"></ script>
    
    < script type="text/javascript" src="img/drugndrop.js"></ script>
    Here are some of the files that are included in the listfile.js file. These would appear in the "Now Scanning" box on the fake scan page to trick the user into thinking an actual scan was taking place:

    Code:
    var gs=new Array();
    gs[0] = '$winnt$.inf';
    gs[1] = '12520437.cpx';
    gs[2] = '12520850.cpx';
    gs[3] = '6to4svc.dll';
    gs[4] = 'aaaamon.dll';
    gs[5] = 'aaclient.dll';
    gs[6] = 'AboutRepliGo.dll';
    gs[7] = 'ac3acm.acm';
    gs[8] = 'access.cpl';
    gs[9] = 'acctres.dll';
    gs[10] = 'accwiz.exe';
    gs[11] = 'acelpdec.ax';
    gs[12] = 'acledit.dll';
    gs[13] = 'aclui.dll';
    gs[14] = 'activeds.dll';
    gs[15] = 'activeds.tlb';
    gs[16] = 'actmovie.exe';
    gs[17] = 'actxprxy.dll';
    Here is some of the javascript code -- instructions for the popup boxes, etc:

    Code:
    < script>
    
    function hideWarnDialog()
    if(confirm('Dont close this window, if your want you PC to be protected.'))	{
    	
    {alert('Harmful and malicious software detected. These programs may damage your computer 
    and steal your private information. Online Security Scanner requires Personal Antivirus 
    components to repair your computer. 
    Please click Ok to download and install Personal Antivirus tool. ');
    
    These redirect exploits to rogue security products, whether from a search page, or from a site compromised with SQL injected code,
    do not work when the browser is properly configured.


    ----
    rich
     
    Last edited: Sep 8, 2009
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    site seems down now.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    These exploits are very clever. You can't go directly to the rogue site. You have to encounter the search hit, whereupon you are redirected.

    Hovering the mouse over the link in the Yahoo Search Results reveals that the Yahoo syntax puts the URL at the end. The malware people generate the hit and include their own URL.

    traac-redirect.gif

    From here, the redirect takes place from traac.com and the user is taken to the rogue site. Going directly to traac.com, or reliable-scanner01.com wihtout the appended syntax, gets you nowhere. This adds to the difficulty in trying to trace this stuff.

    ----
    rich
     
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    It's a simple server-side modification, designed to make it harder for site administrators and regular visitors to realise a website has been breached.... The malicious party gets access to the server that the website you are trying to visit is hosted on....once they have access, they modify the .htaccess file like so:

    Code:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://url of malicious site to redirect to goes here [R,L]
    
    Result is any traffic to the website from any of the main search engines will redirect you to the fake scan page.... If you use something to mask your referrer (as in completely remove it or mangle it), this hack will not affect your browsing session. Any direct access to the site will also bypass the .htaccess condition and you will be allowed to browse the site you were intending to visit freely.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Rmus. It works really.

    Wish some one could test it via IE 8 on Windows7.
     

    Attached Files:

    • a.png
      a.png
      File size:
      25.7 KB
      Views:
      491
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the explanation!

    ----
    rich
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I just remembered from an earlier referrer exploit from last year: If I disable "Send Referrer Information" and/or "Enable Redirection" the exploit doesn't work.

    Here, I disable both. First I see the redirect error. Note the URL when I hover the mouse over "Here":

    traac-referr1.gif

    When I click on "Here" I'm taken to the traac.com site where a series of lists are maintained with keywords that help rank the search hits:

    traac-referr2.gif

    If I disable "Referrer" and enable "Redirection" I'm taken directly to this same list.

    In both cases, the "Send Referrer Information" is required for the exploit to work, as you point out.

    ----
    rich
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Completely off-topic, but I had to ask. Rmus, "Opera for the Masses"? :D
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Customized Title Bar!

    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.