Malicious Web Sites

With the number of malware infected sites in Google searches one wrong click and your PC is unusable. And recent racket performed by worms designed for financial gain is quite sophisticated and very successful so they have money to by adwords ;-)

If you analyze July 2012 version of "Data Recovery" scareware,  the second half of 2012 version of "Security Shield" and various version of Win32:Sirefef – a family of malware that controls infected computer’s Internet activities by redirecting requested URL to a different one, you will feel real anger toward Microsoft and other software vendors (Adobe recently became favorite target of malware authors with its pathetic Acrobat and insecure Flash they provide ready backdoors for those who want to penetrate your computer).  Microsoft is under pressure with shrinking market share and they can't switch to total signing of executables as this will destroy the industry they created (AV vendors) which became powerful enough to control Microsoft technical direction so that it does not hurt their profits. They tried to tighten the screws in Windows 7 but the industry fought back (with Symantec suing them) and won. Like with financial industry you the user is a lucrative franchise that can be milked by both malware vendor and Av vendors.  

Recently quite prominent position was achieved by a new type of malware which is called Scareware (but is as close to extortionware as one can get ;-). It's the main purpose of its creation is financial gain via some sort of implicit threat to the user. It became a real problem for Windows users but also exists for Apple OsX.

The number of users who paid those extortionists is probably millions so we can talk about hundred of millions or even a billion of dollars of criminal revenue.  This is not profits at the level of narcobarons revenue but this is not a small change either:

On February 10, 2010 the United States District Court for the District of Maryland entered a default judgment and order for permanent injunction against Jain, Sundin and Innovative Marketing, Inc. that imposed a judgment of more than $163 million. Subsequently, on May 26, 2010, Jain, Sundin and Reno were indicted by a federal grand jury for the United States District Court, Northern District of Illinois for wire fraud, conspiracy to commit computer fraud and computer fraud. The indictment alleges that from December 2006 to October 2008, Jain and Sundin placed false advertisements on the websites of legitimate companies. Currently both Jain and Sundin are fugitives and the FBI is offering a $20,000 reward for information that leads to their arrest..[18]

That means that against new high volume, high penetration speed written by professional programmers exploits AV software is always late. Using PC for committing financial crimes including creation of army of zombie computers that are remotely controlled by the "master" of particular zombie network and used for spamming and other purposes make elimination of malware really difficult as it is created by highly paid professionals who analyze deeply internals of Windows. That limit usefulness of security companies like McAfee, Kaspersky, etc as their opponent operates on the same or higher level of technological sophistication as they are. Other approaches are needed. At the same time to abandon Windows based on its insecurity is an overreaction. Linux is probably more secure as installed but relative absence of high profile exploits is mainly connected to the fact that on desktop it is niche OS. Android might change that and there are already a mess with Android security... 

Another type of malware (some of which can be part of any other type of malware but most often can be found with data stealing Trojans is called Remote Access Trojans( RATs).

Facing those new generation of cyber-criminals even former security professionals like myself feel insecure and start viewing their own PC as a snooping device that is constantly on. I remember Italian film in which the guys who was involved in reporting conversation using special directed microphones at the end of the film became paranoid and crushed everything in his apartment trying to find a hidden microphone. This is the way I now feel about PC :-).

Social sites is another problem. Some of them like Facebook are essentially private information collecting agencies masquerading as social sites. Facebook and other services are collecting so much information on their users that as if famous Onion spoof they actually outdid three latter agencies themselves. In any case you can say privacy good buy. It is privacy of crowded street with video cameras each ten yards.  not all people can close their Facebook accounts as for many (not me) they represent essential services, a new reincarnation of AOL.  Even if you don't have Facebook account Facebook collects list of sites that you visited if the site has "Like" button.

That means that you need to create a special architecture to make our PCs more secure. Architectural approaches to increasing security are the most promising because they fundamentally change the environment in which malware operated. And the law of evolutions is that the more specialised organism is and the more adapted to the current environment it becomes, the more disruptive are to it even small changes in the environment. This is perfectly true about the malware which is a highly specialized software that makes several implicit assumption about the way PC operates. 

NEWS CONTENTS

• 20130105 : Foreign Policy Group Gets Hacker Happy New Year Discovery News ( Foreign Policy Group Gets Hacker Happy New Year Discovery News, Jan 05, 2013 )
• 20130105 : On Malicious Web Sites from Google Searches ( On Malicious Web Sites from Google Searches, )

Old News ;-)

[Jan 05, 2013] Foreign Policy Group Gets Hacker Happy New Year Discovery News

See also Sirefef and Win32/Tracur.AV. Using IE 8 became really dangerous those days.

Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group, known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -– waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer.

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessesed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The javascript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on an off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.

On Malicious Web Sites from Google Searches

blog.trendmicro.com by Jonell Baltazar (Senior Threat Researcher)

Let's take a deeper look into the much talked-about malicious sites discussed here.

As an overview, the whole process starts with a user searching for a certain string in the Google search engine (e. g., "Christmas"). After the search engine returns several search results, the user visits one of the sites. The catch is on the result set where there are several malicious sites hosting a malicious script, which in turn can lead to the compromise of the user's system.

In this case, the malicious script redirects to another web page using the "window.location={url}" function.

<--- image removed -->

It's somewhat simple. However, there is a little catch for us security researchers. We now look at the "if" statement where it relies on the "document.referrer" function. The code tells that in order for the "eval" function to be executed, the page where the user visited before arriving on the malicious Web page should be a page containing Google search results. Also, the search string used by the user must not have the "inurl:" and "site:" Google search functions. Thus, direct visit or access of the malicious site will not trigger the evil script and not redirect us to the site hosting the malicious binary file.

For security reseachers developing tools to automate the capture of the malicious files found on Web threats, this is something to consider. It is clear that this is a limitation for tools designed to directly access the malicious site aiming to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders.

Several modifications and enhancement to our tools should be applied in order to catch these kinds of Web threats.

You Better Watch Out, Xmas Web Threats Come to Town

You better watch out and you'll probably cry as Web threats come to town with a bang. Yes, it's that time of the year again when we search for Christmas goodies online. Sad to say, it's also that time of year when cyber hooligans compromise innocent Web searches such as the simple phrase "christmas gift shopping" to serve up malicious URLs via search results such as this:

<-- image removed -->

Lo and behold, one innocent search turns into a Web threat nightmare. Searching for the above phrase can lead you to the malicious URLs encircled in the image above. Clicking on these URLs then takes you to another site (http://{BLOCKED}ldgonit.com/search.php?gzapr=…) via a JavaScript that eventually leads to the download and execution of a malware. Good thing Trend Micro Web Threat Protection already prevents malicious downloads from these URLs, protecting users from possible infection.

The site mentioned above also has an IFRAME that allows for redirection and installation of more malware on the affected system from the URLs

http://{BLOCKED}id.theoreon.com/setup.php?aff_id=6025 and http://{BLOCKED}aga.com/exe.php?pid=1008.

We keep coming up with different binaries for every download, suggesting rehashing on the server-side. Expect more new ones to come our way this Christmas.

Digging deeper into the scene, extending the discovery by Sunbelt of malicious URLs creeping up in christmas related searches, the .CN domains above are also being rampantly advertised in Japanese forums/blogs/bbs, et al.:

Other compromised Christmas-y Google searches:

• christmas gift shopping
• christmas holiday sale
• holiday shopping fun

Note that there could be more variations to this theme of searches.

Moreover, the IFRAME mentioned above also uses the so-called 404 Web threat toolkit – probably a new version- in some of its infection URL vectors:

• http://{BLOCKED}sliksuka.com/check/version.php?t=148
• http://{BLOCKED}sliksuka.com/check/n14041.htm
• http://{BLOCKED}sliksuka.com/check/n14042.htm
• http://{BLOCKED}sliksuka.com/check/n14043.htm
• http://{BLOCKED}sliksuka.com/check/n14044.htm
• http://{BLOCKED}sliksuka.com/check/n14045.htm
• http://{BLOCKED}sliksuka.com/check/n14046.htm
• http://{BLOCKED}sliksuka.com/check/n14047.htm
• http://{BLOCKED}sliksuka.com/check/n14048.htm
• http://{BLOCKED}mndskj.com/check/vers2.php
• http://{BLOCKED}mndskj.com/check/tpknlkk433.php
• http://{BLOCKED}mndskj.com/check/tpktskk2.php

A graphical representation of this routine is as follows:

Here are some of the malware and grayware programs that are installed on the affected system from several other Web sites where the user is redirected to:

• TROJ_SPAMBOT.B
• ADW_WINFIXER.CJ
• TROJ_SRIZBI.A
• TROJ_XORPIX.CF
• TROJ_AGENT.WHO
• TROJ_CLICKER.SF
• TROJ_AGENT.ACLR
• TROJ_SMALL.IYK
• TROJ_AGENT.AELC
• DIAL_DIALPLAT.NC
• TROJ_DLOADER.SPZ
• JS_WONKA.AK
• TROJ_PUSHDO.A
• TROJ_TINY.ML
• HTML_IFRAME.EZ
• JS_PSYME.BEZ
• TROJ_AGENT.FA
• TROJ_AGENT.AELB

Ho, ho, ho, a malware-y christmas to us all indeed. Malware is just a click away, but cautious and vigilant online shopping can keep your computer's infection at bay. Having solid Web threat protection like Trend Micro at your back wouldn't hurt either.

Malicious website, now computer acting... Apple Support Communities

Mar 10, 2010 6:42 PM

I was looking for "see through" fireplaces and searched on google. This led me to a website which is (DO NOT CONNECT please): "picadezign.com/indzh/show.php?pg=236368*368" which supposedly showed photos of these fireplaces. This was a connection to a malicious website that started scanning my computer for viruses without my permission. I first tried to shut down safari, then turn the computer off using the power button but no surprise no luck. So I unplugged the computer and closed the lid and removed the battery. Turned it on again and it went straight to the website again (no login screen). So I unplugged the computer, closed the lid, removed the battery and unplugged the WiFi. Waited and then turned on everything again. This time, computer turned on but safari and mail would not connect to the internet. Turned everything off again, then on again and things seemed fine, the internet connected etc.
Then I went out of the room and the computer went to sleep with the lid open. But it would no longer wake up from sleep regardless of what I did. So I turned it on and off using the power button and it seemed to work.
I repaired permissions though this is not the problem. Any other housekeeping/fixing ideas? Also, who can I report the bad website to (there was no warning on either Yahoo search or Google search that it was malicious).

Recommended Links

Softpanorama Recommended

Top articles

Sites

Cross-site scripting - Wikipedia, the free encyclopedia

Cross-site request forgery - Wikipedia, the free encyclopedia

Exploit (computer security) - Wikipedia, the free encyclopedia

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019