Rootkits and SEO attacks target fans searching for Final Four tickets.
Since the posting of the original article, where we discussed criminals targeting Butler University and NCAA fans with poisoned search results, there have been both positive and negative developments, including the silent installation of Rootkits on some pages.
[Note: The previous story, which led to this one, is here.]
When it comes to the positive developments, Firefox is blocking most of the malicious links and reporting them as attack sites. In addition, the malicious sites that once appeared high in the rankings when searching for NCAA Final Four-related keywords are dropping further down the list, meaning that the odds of someone clicking them just got a little lower.
As mentioned in the previous story, the common thread in the Black Hat SEO attacks spreading the Rogue anti-Virus applications was a PHP script that redirects users searching for NCAA related terms to rowinscanpcNN-xorg-pl, where NN is the placeholder for the random number.
Of the 20 sites we observed redirecting to the rowinscanpc domain to spread the malicious software, all of them have been blocked in Firefox or were offline as of 1:00 a.m. EST. However, users of Google’s Chrome were still able to access some of them, creating an entirely separate issue, which is expected to be resolved soon as Chrome and Firefox both use the same Website blocking engines.
Since the blocks against the rowinscanpc started, new URLs have been tossed into the mix. Using a search for “Butler Final Four 2010 Tickets”, The Tech Herald was able to track nine domains in the first 20 results on Google that were serving Rogue anti-Virus applications. Three of them are on page one.
One of them does not use the PHP script, which is what we referenced in the original story as a means of detection. This site is using something else to move people to another site, and we were unable to locate a script or code in the page’s source to determine how it happened.
The new search results also use different sites, savepcnowNN-xorg-pl, where the NN is again a random two-digit number, and first-antispyware-info, to serve the files and display random screens mimicking Windows Vista or Windows XP themes. The pages themselves warn of infection and display popup boxes and other eye-grabbing features in an attempt to make you download the executable.
In addition to the change of domains, some of them are actually serving Malware, which Microsoft Security Essentials detected during our visit to one. According to MSSE, the site is installing Alureon, which is another name for TDL3, a variant of the TDSS family of rootkits. If this name seems familiar, that is because it was the reason behind all of the Blue Screen of Death issues related to MS10-015 in February.
In the previous article, we mentioned that the best way to avoid these types of Black Hat SEO attacks was to stick to getting news from known sources. While that advice remains relevant, we want to expand on it a bit.
As you saw in the previous image, as well as the images from the previous story, the URL displayed in the search results is a clue that there may be a problem. The random five character script name, followed by the keywords you entered, is a noticeable pattern. This is because of a PHP script that redirects users to a malicious site after they were convinced to click on it thanks to search terms appearing in the URL.
However, that is only one way to make Black Hat SEO attacks work. As you saw with the final link we discovered on the main page of the search results, there is no visible pattern to the URL itself.
So in that case, you will need to have layered protections in place as always. This is especially important considering the discovery of a Rootkit being installed on one of the sites.
Preventing an infection is easier than removing one after the fact. This is why the pattern the PHP script produced is important: you can avoid those sites and prevent being bothered by attempted Rogue anti-Virus installations or silent Malware installations.
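The URL pattern described above can be checked mechanically against a list of search results or proxy log entries. The following is an added example, not code from the original article; the exact URL shape (a five-character name ending in `.php` with the search terms in the query string), the 0.6 overlap threshold, the function names and the sample URLs are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Destination hosts named in the article, in the hyphenated form it prints them.
# Accepting dots in place of those hyphens is an assumption.
REDIRECT_HOST = re.compile(
    r"^(?:(?:rowinscanpc|savepcnow)\d{2}[.-]xorg[.-]pl|first-antispyware[.-]info)$",
    re.IGNORECASE)
# Assumed doorway URL shape: /<five letters or digits>.php?<search keywords>
SCRIPT_NAME = re.compile(r"/[a-z0-9]{5}\.php$", re.IGNORECASE)

def keywords(text):
    """Lower-case alphanumeric tokens of two or more characters."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) > 1}

def is_doorway_url(url, search_terms, min_overlap=0.6):
    """Five-character PHP script name plus a query that repeats the search terms."""
    parts = urlsplit(url)
    wanted = keywords(search_terms)
    if not wanted or not SCRIPT_NAME.search(parts.path):
        return False
    found = keywords(unquote(parts.query.replace("+", " ")))
    # min_overlap is an assumed threshold: share of search words echoed in the URL
    return len(wanted & found) / len(wanted) >= min_overlap

def is_known_redirect_host(url_or_host):
    """Match a URL's host, or a bare host string, against the named families."""
    host = urlsplit(url_or_host).hostname or url_or_host
    return bool(REDIRECT_HOST.match(host))

def triage(urls, search_terms):
    """Label each URL 'redirect-host', 'doorway-pattern' or 'no-pattern'."""
    labels = {}
    for url in urls:
        if is_known_redirect_host(url):
            labels[url] = "redirect-host"
        elif is_doorway_url(url, search_terms):
            labels[url] = "doorway-pattern"
        else:
            labels[url] = "no-pattern"
    return labels

# Constructed sample input; none of these URLs come from the article.
QUERY = "Butler Final Four 2010 Tickets"
SAMPLE = [
    "http://site-a.example/xkqjd.php?q=butler+final+four+2010+tickets",
    "http://site-b.example/news/final-four-preview.html",
    "rowinscanpc17-xorg-pl",
]

if __name__ == "__main__":
    for url, label in triage(SAMPLE, QUERY).items():
        print(f"{label:16} {url}")
```

A result labelled `no-pattern` is not thereby safe: as noted above, one of the sites showed no visible pattern in its URL at all.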
At the same time, even if you do happen to stumble across a site that is installing Alureon or other Malware, if you are using layered defenses (installing current software and operating system patches, keeping your security software updated), then you are safe as long as your security software detects it. If the security software you use is kept updated, then the odds of detection (and your system's protection) are that much greater.
When it comes to Rogue anti-Virus, if you suddenly find yourself on a site that is throwing around outrageous warnings and popup windows while attempting to get you to download and install a file, the safest bet is to hit the ALT key and F4 key at the same time. This should close the window or the browser; keep hitting them until the messages from the Rogue anti-Virus site are gone.
If you use a session manager (Firefox, Chrome and Internet Explorer have these), then start a new session once the browser is reopened. At no time should you download anything from these sites.
A good habit to get into is updating and scanning your system with a secondary security program, such as Malwarebytes AntiMalware, once every other week. This will help keep your computer running smoothly and free of any malicious software your other security program may have missed.
For those interested, while researching this story, we used Windows XP SP 3, Firefox, Google’s Chrome browser, Microsoft Security Essentials and Malwarebytes AntiMalware.