Google sponsored link points to a malicious Web site.
Everybody has favorite applications and tools. When it is time to find and download a copy of an application, Google is often used to help locate a download site. In our featured case, suppose an unsuspecting user wants a copy of the Winrar application, and uses the keyword Winrar in a Google search. Here are the results that Google returns:
The malicious Winrar download site doesn't use techniques such as search engine cache poisoning to get to the top results in Google. Instead, it uses Google's advertising services directly. Clicking on the link redirects the user to a spoofed CNET Download.com site which offers to download a "spyware free" copy of Winrar:
Winrar + surprise.
When a user downloads and runs the application, a full, operating copy of Winrar is installed, but with a twist: the installer also drops a malicious file named explore.exe in the Windows system32 folder, and then runs the executable. The malicious file is associated with the icon used by Winrar SFX archives, and it binds to the system's start-up.
The malicious explore.exe file makes two major changes to the system:
- It changes the hosts file to point popular home page sites to a fake Microsoft Security Center site:
- It displays a message box at one minute intervals showing the text "interval hehehe!!!!!".
This is how the scam works: after installing the infected program, users are interrupted with message boxes at one minute intervals. Thinking that the system has been infected, and irritated at the constant interruption, they might next search for information about the infection using the text that appears in the pop-up message. Finding legitimate forums discussing this infection, they will find confirmation that they are infected. The malware itself offers a fake remedy in the form of a pointer to a fake site. Users with any of the sites in the modified hosts file as their home page, or users who try to access any of those sites, are redirected to a site that pretends to be a Microsoft security center alert:
Users who click "Download Antispyware Now" are redirected to a rogue antivirus site that initiates a fake scan and confirms their concerns about an infection.
The scan displays the following message: "Scan Result: Your Computer have been attacked by 'intervalhehehe'." Users are then offered the rogue cleaning utility for a price. The software does clean up the harassing infection and eliminates the disturbing pop-up messages. This makes this scam very similar to ransomware techniques.
One of the more troubling facts about this scam is that when the malicious file explore.exe was run through Virustotal, the detection rate was 2/38. Running a scan on Virustotal a day later revealed a detection rate of 7/38. At the time that this blog was written, the detection rate is up to 12/38.
At the time of this blog post, sponsored links to the malicious download site are still available via Google sponsored ads. This raises some questions. Is this problem Google's fault for not checking whether advertised links actually serve malware? Is it the miseducated user's fault for getting infected?
It seems that we live in a world where functionality comes first and security later. Online services typically have the attitude that it's better to introduce functionality (and realize revenue) first, and then make the services more secure later. This time gap between functionality and security, however, leaves users exposed to all sorts of crimeware abuse, with the resulting losses of money, time, and peace of mind.
Update - ThreatExpert has blogged about reports of this infection in message boards.
Security Researcher: Elad Sharf