MOTW: Halloween Hunting | 10/26/2006
This article also shows how important the phrases "user-education" and "user-awareness" are. As you can see by the examples, novice users would have to be careful about what they type in their search engines; investigate raw HTML with alternative browsers or client tools; ignore most security warning messages; and know that instead of clicking on "YES" or "CANCEL" they should sometimes do neither and instead kill some processes.
So, on with the shooooow:
HALLOWEEN HUNTING: BE CAREFUL OUT THERE EXAMPLE I

What do people do around a current event to get more information? They "Google" for it of course! One of the great things about today’s search engines is that you have a world of information at your fingertips. By simply querying for some key phrases, you gather a plethora of options from around the world. Unfortunately, as we have pointed out in the past, you don’t always get what you expected.
The first example is something we call a typo-attack. This is when website owners create pages and links to those pages for commonly queried words and phrases that may have been mistyped (AKA "Fat Fingered") in order to attract users to their sites.
As you can see by the screenshot below, we searched for "halkoween" instead of "halloween". The "K" and the "L" are pretty darn close to each other on the keyboard, so I can see this happening. Well, obviously others believe that this error is a possibility also, because approximately 10,000 results came back from the search. Within the top five were two links to two different sites that, when clicked, attempted to install a number of programs onto my machine. They had advertised in their titles Halloween-related details but had no content whatsoever.
I selected the second returned result from the list and got the following in my browser. Bear in mind that I am using a 100% patched machine. This site does not appear to be using any exploit code, just some social engineering practices that are all too common.
My screen was entirely populated with a window with a message in the foreground that displayed "If your computer has been running slower than normal, it may be infected with Adware or Spyware. WinAntiSpyware will perform a free check of your system".
As you can see, this page was served directly from the Google search result:
It had the standard "OK" and "CANCEL". At this point you would think that novice users have a 50-50 chance at being right (that is, selecting CANCEL). So, I decided to take the CANCEL option. As soon as I clicked on CANCEL another window opened on my machine:
By now, beginners would certainly be more confused. They selected CANCEL, yet more warnings keep coming up. There surely must be a problem with the system. Since this appears to be a free download, I decided to give it a try. (P.S., selecting Cancel takes you back to square one, and you essentially have a loop of confirmation boxes until you select OK or kill some processes.)
After I clicked OK, the following dialog box came up:
This was placed in the foreground of the WinAntiSpyware homepage, which was reporting that there were 60 threats found on my machine somehow. This dialog box was comforting, because it gave me simple instructions and assured me that the code had been digitally signed and was 100% free of viruses, adware, and spyware. (P.S., The dialog box was technically accurate. The code was signed and did not have any viruses, adware, or spyware installed with it.) After I selected "OK" (the only option), I got the next dialog box:
Per the earlier instructions, I was supposed to "Run" the application to install it and cleanse my machine. However, novice users may once again be confused by the mixed messaging. One dialog box earlier, they were told that the code was 100% OK to run, and now there is a warning that this code could harm the system. I decided to run it. Soon after I selected Run, a siren sounded from my PC speakers (yes, I literally mean a siren). This new program found several problems with my machine, all of which needed to be fixed ASAP! Screenshot:
At this point I was informed that I had some serious "CRITICAL" Spyware objects on my machine. To clean them off, I needed to acquire the full working version of the software:
Although in this case the demonstrated software was not installed through exploit code and did not install any backdoors, Trojan Horses, or password-stealing code, the providers certainly appeared to be trying to dupe users into acquiring their software. We did not actually test the code to see if it does anything good, but based on their poor practices, we are skeptical.
HALLOWEEN HUNTING: BE CAREFUL OUT THERE EXAMPLE II

The next example is a little more nefarious than the first. This one uses new exploit code to install malicious code onto the end-user’s machine without any end-user intervention. You can access the site by searching for common phrases within your favorite search engines, but because this site is still up we have decided not to publish the details on the search (in order to protect the innocent).
This site appears to be a Halloween site that provides all kinds of information around October 31st including: Halloween movies, history, discussion forums, costumes, and so forth.
Unfortunately, it appears as though this site has been victimized by a well-known group called "IFRAME Cash". Either that or they have innocently signed up as an affiliate of the IFRAME Cash program to make revenue based on visitors to their sites.
The IFRAME Cash folks have been known to install Spyware, Trojan Horses, Crimeware keyloggers, Browser Helper Objects, and Potentially Unwanted Software.
Upon visiting the site, users who do not have the latest patch from Microsoft are directed to an affiliate site through an invisible frame at the bottom of the page.
The exploit code’s goal is to install a file with the name win32.exe. This is a known Trojan Horse Downloader that installs (among other things) a piece of Potentially Unwanted Software called Brave Sentry. Unfortunately, it also connects to and downloads several other pieces of malicious code from a number of .biz websites that all appear to be part of the IFRAME Cash affiliate program. In total we counted more than 20 pieces of additional code that were downloaded and installed.
The web-exploit code is encoded in an attempt to avoid detection. We have included some snippets of one of the files below, which is attempting to use one of several vulnerable CLSIDs within Windows, the most recent being the MS MDAC vulnerability (MS06-014).
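A defender-side check for the two traits described above, an invisible iframe appended to an otherwise ordinary page and a script carrying an escaped payload. This is an added example, not code from the original post; the sample HTML and the affiliate host name are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real site from the post): a benign-looking
# Halloween page with a zero-size iframe at the bottom and a script that
# unescapes a hex-encoded payload, the pattern the post describes.
SAMPLE_HTML = """<html><body>
<h1>Halloween Movies and Costumes</h1>
<p>History of October 31st ...</p>
<iframe src="http://affiliate.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape("%3C%6F%62%6A%65%63%74%20%63%6C%61%73%73%69%64..."));</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPED_BYTE = re.compile(r"%[0-9A-Fa-f]{2}")


class DriveByScanner(HTMLParser):
    """Flags iframes a user could not see and inline scripts that decode
    an escaped blob at runtime; both are common in affiliate drive-by pages."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # width/height of 0 or 1 (with or without "px") renders nothing visible
            dims = [(a.get(k) or "").strip().rstrip("px") for k in ("width", "height")]
            tiny = all(d in ("0", "1") for d in dims)
            styled_hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
            if tiny or styled_hidden:
                self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw text (CDATA), so we can inspect them
        if self._in_script:
            escaped = len(ESCAPED_BYTE.findall(data))
            if "unescape(" in data and escaped >= 8:
                self.findings.append(("escaped_script", f"{escaped} escaped bytes"))


def scan_html(html):
    """Return a list of (finding_type, detail) tuples for the given page source."""
    parser = DriveByScanner()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `scan_html(SAMPLE_HTML)` reports both the hidden iframe (with its src) and the escaped script, while a page whose iframes have visible dimensions reports nothing.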

In closing, as demonstrated, there are certain times of the year to be a little more cautious than others. Holidays, politics, sporting events, and several other current events are all used to attract users to websites that perform malicious actions.
Here is to a FUN and SAFE Halloween!
Enjoy the extra hour of sleep and remember to set your clocks forward!
Note: We would like to thank Google for preventing these sites from returning in the search soon after the problems were reported to them. Also special thanks to ExtremePumpkins.com for the pumpkin images.