Website Referral Spam and Cyber Security Malware

Fear Uncertainty Doubt

Remove Referrals Information from This Website because of Malware

Like many blogs, this website has displayed the last few hits (referrals) it has received as a kind of ‘live’ activity recorder and a small service back to the referring website.  However, I’ve had to pull this from my front page because, over the last few days, hundreds of malware-laden websites have seemingly been broadcasting referral pings to everyone else.

Anyone unlucky enough to click on these back-links to the ‘referrer’ is then presented with a fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.

Analysis and Appearance

The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!).  Here’s an example that points to malware:

http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating

franklinrealtyvacationrentals.com is a normal-looking estate agent’s site in Florida.

This next one points to a blank page and has a similar page.php query-string construct, but lacks a sub-domain:

http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec

sweetepeach.com is a website under construction at ixWebHosting, my old host that I left because it was so slow.

And this one is another malware-laden website:

http://www.pbparts.com/error.php?404

pbparts.com appears to be a computer parts on-line store in Arizona.

And here are two web addresses from the same domain:

http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress

http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress

tummy2tummy.com appears to be a mother and baby website.
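The referrers above share a shape: a throwaway sub-domain of random letters on an otherwise ordinary domain, a generic handler such as page.php or error.php, and a short query key carrying a keyword-stuffed slug. The following is an added example, not code from this site, of a filter a blog owner could run over a web-server log before displaying "recent referrers" on a front page. The heuristics (label length, consonant runs, the two-reason threshold) are my own assumptions rather than a published signature, the log lines are constructed in combined log format using the URLs quoted in this post, and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlparse, parse_qs

# Heuristic thresholds (assumed for this example, not a published signature).
RANDOM_LABEL = re.compile(r"^[a-z]{6,9}$")          # e.g. srpvxdd, ziqklvc
GENERIC_HANDLERS = {"/page.php", "/error.php"}      # handlers seen in the post
KEYWORD_SLUG = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)+$")  # e.g. tiered-tulle-dress
VOWELS = set("aeiou")


def looks_random(label):
    """True for short lowercase labels with almost no vowels or a long consonant run."""
    if not RANDOM_LABEL.match(label):
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run, run = 0, 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.2 or longest_run >= 4


def classify_referrer(url):
    """Return (is_suspicious, reasons) for one referrer URL.

    A referrer is flagged only when at least two independent signals agree,
    so a legitimate site with a single odd trait is not dropped from the list.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, ["not an http(s) URL"]
    reasons = []
    labels = p.hostname.lower().split(".")
    if len(labels) >= 3 and looks_random(labels[0]):
        reasons.append(f"random-looking sub-domain '{labels[0]}'")
    if p.path.lower() in GENERIC_HANDLERS:
        reasons.append(f"generic handler {p.path}")
    for key, values in parse_qs(p.query, keep_blank_values=True).items():
        if all(v == "" for v in values):           # error.php?404 style bare token
            reasons.append(f"bare query token '{key}'")
        elif len(key) <= 3 and any(KEYWORD_SLUG.match(v) for v in values):
            reasons.append(f"keyword slug in ?{key}=")
    return len(reasons) >= 2, reasons


# Combined log format: ... "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')


def suspicious_referrers(log_lines):
    """Return the referrer URLs in the log lines that match the spam pattern."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m.group("ref") == "-":         # no referrer sent
            continue
        ref = m.group("ref")
        if classify_referrer(ref)[0]:
            flagged.append(ref)
    return flagged


# Constructed sample log: five referrers quoted in the post plus two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2009:10:12:33 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating" "Mozilla/5.0"',
    '203.0.113.6 - - [21/Oct/2009:10:13:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Oct/2009:10:13:40 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://www.pbparts.com/error.php?404" "Mozilla/5.0"',
    '203.0.113.8 - - [21/Oct/2009:10:14:02 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Oct/2009:10:14:30 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Oct/2009:10:15:00 +0000] "GET / HTTP/1.1" 200 5120 '
    '"https://www.example.com/blog/2009/10/post-title/" "Mozilla/5.0"',
    '198.51.100.3 - - [21/Oct/2009:10:15:20 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ref in suspicious_referrers(SAMPLE_LOG):
        print("dropped from referrer list:", ref, classify_referrer(ref)[1])
```

The two-signal rule matters: a real site can have a hyphenated slug in its query string, and a real sub-domain can happen to look odd, but the combination with a generic page.php or error.php handler is what the examples above have in common. Anything the filter drops can still be logged for the site owner to review.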

Examples

[Image: Cyber Security Warning 1]

[Image: Cyber Security Warning 2]

[Image: Cyber Security Warning 3]

Here are examples of the typical warning messages after hitting a duff link or two.  These are taken from Firefox 3 and IE8, both fully patched and up-to-date.

  • The website sometimes redirects, sometimes not, to the malware-coded location.
  • The message/dialog boxes have a variety of wording and button suggestions.
  • Some websites are completely un-closable by normal means and Task Manager is the only way to get out of the loop.
  • There are a variety of files to download from the various websites.  The one in the video below is called “Inst_174s1.exe”, which I’ve seen 3 times now.  I’ve also seen another called “setup_build8_239.exe”, which has a standard Windows setup icon inside it to ensure its apparent legitimacy!

Standard Anti-Virus Failure

The video shows the fake scan and my various failed attempts to close it.  The user’s (my) current IP address is displayed to add an air of realism, although any web page can easily show this.

Fortunately, in this video IE8 was finally closable with the normal close button at the top right, even though the malware site had mucked around with the browser’s privacy settings and window size and positioning.  On other sites, the only way to get out of the loop in both IE8 and Firefox was to use Task Manager to kill the process.  This worked, fortunately.

I downloaded the files purposely on some occasions for analysis.

ESET’s NOD32 (my AV program) failed to detect both these files as bad!  I uploaded both for analysis to ESET and one has since been found to contain a trojan, a variant of Win32/Kryptik.AWY!  This trojan has been in the signature database since 21/10/2009, when NOD32 was the only anti-virus program to detect it!  So things aren’t that bad.  Presumably, if I had run the programs, NOD32 would’ve kicked in, but I haven’t tried that yet.  The setup file was only first detected as malware yesterday, and then only by a few vendors.  The analysis of its actions is particularly revealing, as along with a shed-load of new registry keys, it also modifies the ‘hosts’ file!
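Because the setup file is reported to rewrite the ‘hosts’ file, one of the checks worth having after a clean-up is an audit of that file against what it is expected to contain. This is an added example and not code from this site or from any vendor: it parses hosts-file text, ignores a baseline of expected entries, and reports every other mapping as either a sinkholed hostname (pointed at a loopback or unspecified address, the classic way to block a vendor’s update or scanning site) or a hostname redirected to some non-local address. The sample hosts content, the baseline and the `.example` hostnames are constructed for the demonstration.

```python
import ipaddress

# Constructed baseline: the mappings a clean Windows hosts file is expected to hold.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments start with '#', blank lines are skipped, and one address may be
    followed by several hostnames on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text, baseline=BASELINE):
    """Return (line_no, hostname, ip, finding) for every mapping outside the baseline."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in baseline:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, name, ip, "sinkholed hostname"))
        else:
            findings.append((line_no, name, ip, "hostname redirected to a non-local address"))
    return findings


# Constructed sample: two expected entries followed by three that a clean-up should question.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example        # constructed: vendor update host sinkholed
0.0.0.0         www.scanner.example
198.51.100.7    www.bank.example                # constructed: sent to an unrelated address
"""

if __name__ == "__main__":
    for line_no, name, ip, finding in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {finding}")
```

On Windows the file lives under the system directory (`drivers\etc\hosts`); read it with `open(path, encoding="utf-8", errors="replace").read()` and pass the text in. The audit only reports; what to restore is a decision for whoever is doing the clean-up, and the removal tool the post mentions remains the way to get rid of the program itself.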

NOD32 wasn’t alone in this scanning detection failure.  I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything!  Time constraints meant I didn’t try Kaspersky, Symantec et al, but I’m fairly certain that the results would’ve been the same.

Conclusion

Everything is not as it seems!  Be very careful what you click on!

Send any suspicious file to VirusTotal.com, as it has quite a crack at finding out the truth about files through its methodology of using most of the anti-virus vendors.

As for my website here, the recent referrer back-links are now gone, as they made me look like a pointer to bad sites, and I’m not.  Whether it’s possible for this sub-domain behaviour to be blocked probably depends on the website owners, as it’s not the browser’s fault.

What I have noticed is:

  • A lot of these malware sites are hosted at my old crap host, ixWebhosting.com (if I recall, a setting exists to block sub-domain creation).
  • A lot of host sites are in Arizona, Florida and Utah.
  • A lot of malware sites can be traced back to China and eastern European states.

Make of that what you will.  If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.


3 responses

  1. Strangely says:

    spiritsoftheforce.com

    This is another website, hosted by ixWebhosting.com (again!) and living in Arizona (again!) that’s hosting the Cyber Security malware!

    This time, a sub-domain isn’t used and the code is springing straight off a false page in the website.
    This is the link, so beware.

    spiritsoftheforce.com/page.php?e=java-check-available-memory

    It’s the same file download.
    What is particularly bad about this whole thing is that even though you can crash the browser down to get out of the loop, all the links attempt to download the file!
    Also, I’ve now tried to install the file….

    RESULTS

    The file installs and pops up a menu to either install Cyber Security – or cancel.
    What happens is that it will install regardless!

    It is important to realise that it bypasses two different anti-virus systems that I’ve tried and installs into Program Files (x86)CBcs.exe

    THE ANTI-VIRUS PROGRAMS DID NOT STOP THE INSTALL!!! Naturally, in Windows 7 you have to click OK to let it run. This is your last chance of blocking the install! I repeat….THE ANTI-VIRUS PROGRAMS DID NOT STOP THE INSTALL!!!

    It installs into Add/Remove programs

    It pops up a false “Windows Security Centre” and to all intents and purposes it looks and feels like a real kosher application…..

    The only thing that removes it (and it’s after the event anyway), is MalwareBytes in my experience, which does a thorough job.

    Because of this, I’m now re-assessing my internet connection and whole anti-malware systems for a better approach.
    If I can fall victim to this crap with all my experience, what hope for the mother-in-law and my click-happy former spouse? !!

    I’ve currently installed an XP installation into a Virtual Box install for sandbox testing. I think I’ll have to use this route for general browsing of the web. These malware-laden websites are becoming ever more prevalent, and I just hope that all the stuff I’ve implemented here on this website is enough to keep the hackers at bay…
    (However, the incidence of these crap sites originating from Arizona is a co-incidence that cannot be ignored! It could be by design and with the connivance of the site owners – who’s to tell?)

    USEFUL LINKS
    https://www.malwarebytes.org/ : reliable malware removal
    https://www.virtualbox.org/ : virtual operating system install system for sandbox browsing – this means that if the sandbox is infected just quickly roll-back to an un-infected version – takes a minute, tops!

  2. Tracy says:

    Hi I have recently cleaned up 2 of my friends computers that were infected with cyber security. I did a virus scan with Norton and it failed to detect anything. I used the free version of Spyware Doctor and it noticed and removed everything. The 2nd computer ran Vista and the free Comodo Internet Security which did detect a trojan/virus and prevented the installation. I was wondering if you had any Firefox extensions in use when you did your test?

    • Strangely says:

      @Tracey
      Yes I did/do have some Firefox plugins. Flash, a developer possibly, dictionary, picture search and screen grabber, I think (I tend to enable/disable a bit dependent on what I'm up to!!). The whole thing is pretty weird as it resizes the windows etc. I was quite amazed that big name anti-virus programs failed to react properly. Since then, I'm giving the new Opera a go again but haven't actually tested it against the threat sites.

      Fortunately, you don't HAVE to actually install the download once it's down. You can delete it as it doesn't have any automation (yet) to do this… But NOD32 let it install in my test, which I wasn't happy about as it's been highly effective for several years.
      I used Comodo several years ago, but was dissatisfied because it actually did things to the PC that could be construed as 'spying', and it wasn't that good then anyway. I haven't tried it since that time because of this.
      I haven't used Norton for many years although I've tested it when I've got a new mainboard as it's always on the disc! I've always found it to be an unreasonable hog of everything and then removed it after my test.

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me