The scareware and rogue AV problem that initially appeared a few years ago and has since found its way onto thousands and thousands of legitimate Web sites, including The New York Times home page, has now reached epidemic levels. The scams are mostly boilerplate and well-understood, but it’s not often that we get to take a peek behind the curtain and see the inner workings of the schemes. Here’s just such a chance.
In a fascinating post, Bojan Zdrnja of the SANS Internet Storm Center has detailed exactly how one specific rogue AV attack works and exposed the methods that the attackers are using to gain victims and plant their malware on legitimate sites. The analysis started with the acquisition of a heavily obfuscated PHP script, which, after analysis, turned out to be the main script used by one particular rogue AV gang.
The attackers are placing that obfuscated script on legitimate sites running Apache with PHP, taking advantage of misconfigurations or vulnerabilities in the Web server to install it. Meanwhile, the attackers are also using one or perhaps a handful of master servers to search Google and see which keywords are trending as the most popular at the moment. Those are the keywords that the gang wants to target with the spam and rogue AV campaign.
Once the best keywords are identified, the attackers then place links containing those words on the sites that they have previously compromised. Then, as the search engines crawl the owned sites, the master PHP script phones home to the attackers’ C&C server and retrieves a dynamically generated page that contains a slew of phrases containing the specific keyword in use, as well as links to other compromised sites, Zdrnja wrote in his analysis.
“In step 2, besides spammed links, search engine crawlers will also visit compromised web sites. Now an interesting thing happens that helps poison the results: when the script detects a visit from a search engine crawler, but without the required poisoned parameters, the PHP script by the attackers will return the original requested web page, but with concatenated links to other compromised web sites that it has in the local database,” Zdrnja wrote.
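A site owner can check for exactly this behaviour, a page that looks normal to a browser but carries extra links when a crawler asks for it, by fetching the same URL under two User-Agent strings and diffing the links. The script below is an added example written for this article; it is not Zdrnja's code nor the attackers' script. It assumes the rogue script recognises crawlers by the User-Agent header (the article says only that the script "detects a visit from a search engine crawler"), and the two page copies and hostnames embedded at the bottom are constructed sample data so it runs offline.

```python
"""Cloaking check: compare the links a page serves to a browser with the
links it serves to a search-engine crawler, and report the extras."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import urllib.request

# Constructed browser UA; the crawler UA is Googlebot's published string.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects absolute href targets of every <a> tag in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.add(urljoin(self.base_url, value))


def extract_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html, base_url):
    """Return links present only in the crawler's copy, grouped by host.

    An empty dict means the two views link to the same places; extra
    hosts that the site owner does not recognise are the signal that
    injected cross-links to other compromised sites are being served."""
    only_crawler = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    by_host = {}
    for link in sorted(only_crawler):
        host = urlparse(link).hostname or ""
        by_host.setdefault(host, []).append(link)
    return by_host


def fetch(url, user_agent, timeout=10):
    """Fetch a URL with a chosen User-Agent (assumption: UA is what the script keys on)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url):
    """Live check of one URL you own: fetch as browser, fetch as crawler, diff."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), url)


# Constructed sample data: the same page as a browser sees it and as a
# crawler sees it, with two injected links to hypothetical hosts.
SAMPLE_URL = "http://example.com/news/story.php"
BROWSER_VIEW = """<html><body><h1>Story</h1>
<a href="/about">About</a> <a href="http://example.com/contact">Contact</a>
</body></html>"""
CRAWLER_VIEW = BROWSER_VIEW + """<div>
<a href="http://victim-one.example/index.php?q=hot+keyword">hot keyword</a>
<a href="http://victim-two.example/blog/?q=hot+keyword">hot keyword</a>
<a href="/about">About</a></div>"""

if __name__ == "__main__":
    import sys
    # With a URL argument, check a live page you administer; otherwise run on the sample.
    result = check_url(sys.argv[1]) if len(sys.argv) > 1 else cloaked_links(
        BROWSER_VIEW, CRAWLER_VIEW, SAMPLE_URL)
    for host, links in result.items():
        print(host)
        for link in links:
            print("   ", link)
```

Run it against the sample and it reports the two injected hosts; run it with a URL of a site you administer and it fetches both views itself. A clean result does not prove the site is untouched, since the script may key on something other than the User-Agent, but a non-empty result for hosts you have never linked to is a strong indicator that the site is carrying someone else's link farm.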
The idea is to link all of their compromised sites together as a way to increase their rankings with Google, because that’s the key to the entire game. The higher they can move their owned sites up in the rankings, the more potential victims they’ll get visiting those sites. And more visitors of course means more money extracted through the rogue AV and scareware scams.
The end result of all of these machinations is that the potential victim is presented with a dialog box with one of the all-too-familiar warnings that his PC is infected with malware and he needs to pay a $50 or $75 license fee to clean it. It’s a well-worn tactic, but it’s been working very, very well for the attackers and they’re not much for leaving money on the table.
But these scams obviously don’t succeed without two key elements: vulnerable Web sites and gullible end users. Unfortunately, both are in ready supply.