Remove Referrals Information from This Website because of Malware
Like many blogs, this website has displayed the last few hits (referrals) it has received as a kind of ‘live’ activity recorder and a small service back to the referring website. However, I’ve had to pull this from my front page because over the last few days, hundreds of malware-laden websites have seemingly been broadcasting pings to everyone else…
Anyone unlucky enough to click on these back-links to the ‘referrer’ is then presented with a fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.
Analysis and Appearance
The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!). Here’s an example that points to malware:
http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating
franklinrealtyvacationrentals.com is a normal-looking estate agent’s site in Florida.
This next one points to a blank page and has a similar page.php query construct, but lacks a sub-domain:
http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec
sweetepeach.com is a website under construction at ixWebHosting, my old host that I left because it was so slow.
And this one is another malware-laden website:
http://kwdkafg.pbparts.com/page.php?b=zalman-zm-wb4-plus
pbparts.com appears to be an on-line computer parts store in Arizona.
And here are two web addresses from the same domain:
http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress
http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress
tummy2tummy.com appears to be a mother and baby website.
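The examples above share one shape: a random-looking label in front of an ordinary domain, a page.php handler, and a single one-to-three-letter query key whose value is a hyphenated keyword phrase. The script below is an added example (not code from the original post) that scores referrer-log lines against those traits, so a referrer widget can hold back anything matching them instead of publishing the link. The hostnames in the sample are the ones quoted in the post; the log format (date, client IP, referrer URL, tab-separated) and the scoring threshold are assumptions.

```python
"""Triage of referrer-log lines for the rogue-AV referral pattern.

Added example, not code from the original post. It scores each logged
referrer URL against the traits the post documents: a random-looking
sub-domain label in front of an ordinary domain, a page.php handler,
and a single one-to-three-letter query key whose value is a hyphenated
keyword phrase. The hostnames in the sample come from the post; the log
format (date, client IP, referrer URL, tab-separated) is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{3,}")
KEYWORD_VALUE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")
SHORT_KEY = re.compile(r"^[a-z]{1,3}$")
# Ordinary sub-domain labels that must not count as "random".
COMMON_LABELS = {"www", "blog", "mail", "news", "shop", "m", "en", "ftp"}

# Constructed sample log (documentation-range IPs; two benign lines at the end).
SAMPLE_LOG = """\
2009-10-30 09:12:01\t203.0.113.10\thttp://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating
2009-10-30 09:14:22\t203.0.113.11\thttp://sweetepeach.com/page.php?uuu=cube-memory-dane-elec
2009-10-30 09:20:47\t203.0.113.12\thttp://kwdkafg.pbparts.com/page.php?b=zalman-zm-wb4-plus
2009-10-30 09:31:05\t203.0.113.13\thttp://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress
2009-10-30 09:33:19\t203.0.113.14\thttp://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress
2009-10-30 10:02:00\t198.51.100.7\thttp://www.example.org/blog/2009/10/referrer-widgets/
2009-10-30 10:05:41\t198.51.100.8\thttp://example.net/search?q=nod32+kryptik
"""


def indicators(url: str) -> list[str]:
    """Return the names of the pattern traits a referrer URL exhibits."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    query = parse_qs(parts.query, keep_blank_values=True)
    found: list[str] = []
    if parts.path.rsplit("/", 1)[-1] == "page.php":
        found.append("page_php_handler")
    if len(query) == 1:
        key, values = next(iter(query.items()))
        if SHORT_KEY.match(key):
            found.append("single_short_query_key")
        if values and KEYWORD_VALUE.match(values[0]):
            found.append("hyphenated_keyword_value")
    # A third-level label with three or more consecutive consonants reads as
    # machine-generated rather than a name a site owner would choose.
    if (len(labels) >= 3 and labels[0] not in COMMON_LABELS
            and CONSONANT_RUN.search(labels[0])):
        found.append("random_looking_subdomain")
    return found


def triage(log_text: str, threshold: int = 3) -> list[dict]:
    """Parse the log and mark each referrer suspicious at or above the threshold."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client_ip, url = line.split("\t", 2)
        hits = indicators(url)
        records.append({
            "time": stamp, "client_ip": client_ip, "url": url,
            "indicators": hits, "suspicious": len(hits) >= threshold,
        })
    return records


def suspicious_domains(records: list[dict]) -> Counter:
    """Count flagged referrers per parent domain (last two labels; an approximation)."""
    counts: Counter = Counter()
    for rec in records:
        if rec["suspicious"]:
            host = urlsplit(rec["url"]).hostname or ""
            counts[".".join(host.split(".")[-2:])] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rec in results:
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['url']}  {rec['indicators']}")
    print(suspicious_domains(results))
```

The sub-domain-less sweetepeach.com link still scores three of four traits, which is why the threshold sits at three: the page.php handler and the keyword-stuffed single parameter are the stable part of the pattern, and the random label is a bonus signal. Per-domain counts make the “two addresses from the same domain” observation visible at a glance.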
Examples
Here are examples of the typical warning messages after hitting a duff link or two… These are taken from Firefox 3 & IE8, all fully patched and up-to-date etc.
- The website sometimes redirects, sometimes not, to the malware-coded location.
- The message/dialog boxes have a variety of wording and button suggestions.
- Some websites are completely un-closable by normal means and the Task Manager is the only way to get out of a loop.
- There are a variety of files to download from the various websites. The one in the video below is called “Inst_174s1.exe” – which I’ve seen 3 times now. I’ve also seen another called “setup_build8_239.exe” which has a standard Windows setup icon inside it to ensure its apparent legitimacy!
Standard Anti-Virus Failure
The video shows the fake scan and the various failed attempts at closure I made. The user’s current IP address (my own) is shown to add an air of realism, although any web page can display this.
Fortunately, in this video, IE8, even though the browser privacy and window size & positioning were mucked around with by the malware site, was finally closable with the normal close button at the top right. On other sites, the only way to get out of the loop in both IE8 and Firefox was to use Task Manager to kill the process. This worked, fortunately.
I downloaded the files purposely on some occasions for analysis….
ESET’s NOD32 (my AV program) failed to detect either of these files as bad! I uploaded both for analysis to ESET and one has since been found to contain a trojan, a variant of Win32/Kryptik.AWY! This trojan has been in the signature database since 21/10/2009, when NOD32 was the only anti-virus program to detect it, so things aren’t that bad. Presumably, if I had run the programs, NOD32 would have kicked in, but I haven’t tried that yet. The setup file was only first detected as malware yesterday, and then only by a few vendors. The analysis of its actions is particularly revealing: along with a shed-load of new registry keys, it also modifies the ‘hosts’ file!
NOD32 wasn’t alone in this scanning detection failure. I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything! Time constraints meant I didn’t try Kaspersky, Symantec et al, but I’m fairly certain that the same results would’ve happened.
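A rewritten ‘hosts’ file is one of the easier after-effects to check for by hand, since every active line in it is an override of normal name resolution. The parser below is an added example (not code from the original post): it lists every mapping that is not a stock loopback entry and says whether the name has been sink-holed to loopback or pointed at some other address. The sample hosts text is constructed, and the hijacked names in it are placeholders under .example, not entries taken from the real sample.

```python
"""Hosts-file tamper check.

Added example, not code from the original post. The post reports that the
rogue-AV installer rewrites the 'hosts' file; this parser lists every active
mapping that is not a stock loopback entry so a defender can spot such edits
quickly. The sample text is constructed: the hijacked names are placeholders
under .example, not entries taken from the real malware.
"""
from __future__ import annotations

import ipaddress
import sys

# Mappings a clean Windows hosts file may legitimately carry.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample resembling a hosts file after a hostile edit.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost

# --- lines below mimic a rogue-AV edit (placeholder names) ---
127.0.0.1   update.av-vendor.example  www.av-vendor.example
127.0.0.1   www.removal-forum.example
203.0.113.45    www.search-engine.example
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) for every active mapping, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_tampering(text: str, allowlist=frozenset()) -> list[dict]:
    """Return every non-stock mapping with a short reason for concern."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in STOCK_ENTRIES or name in allowlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"ip": ip, "name": name, "reason": "unparsable address"})
            continue
        if addr.is_loopback:
            reason = "sink-holed to loopback (site made unreachable)"
        else:
            reason = "redirected to a non-loopback address (possible hijack)"
        findings.append({"ip": ip, "name": name, "reason": reason})
    return findings


def main() -> None:
    """Check the file given on the command line, or the constructed sample."""
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_tampering(text):
        print(f"{f['ip']:16} {f['name']:32} {f['reason']}")


if __name__ == "__main__":
    main()
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; pass that path as the first argument. Names you have deliberately mapped yourself can go in the allowlist so only the unexpected lines are reported.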
Conclusion
Everything is not as it seems! Be very careful what you click on!
Send any suspicious file to VirusTotal.com, as it has quite a crack at finding out the truth about files through its methodology of using most of the anti-virus vendors.
As for my website here, the recent referrer back-links are now gone, as they made me look like a pointer to bad sites, and I’m not. Whether it’s possible for this sub-domain behaviour to be blocked probably depends on the website owners, as it’s not the browser’s fault.
What I have noticed is:
- A lot of these malware sites are hosted at my old crap host, ixWebhosting.com (If I recall, a setting exists to block sub-domain creation)
- A lot of host sites are in Arizona, Florida and Utah
- A lot of malware sites can be traced back to China & eastern European states.
Make of that what you will. If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.
October 31, 2009 at 1:22 pm
spiritsoftheforce.com
This is another website, hosted by ixWebhosting.com (again!) and living in Arizona (again!) that’s hosting the Cyber Security malware!
This time, a sub-domain isn’t used and the code is springing straight off a false page in the website.
This is the link, so beware.
It’s the same file download.
What is particularly bad about this whole thing is that even though you can crash the browser down to get out of the loop, all the links attempt to download the file!
Also, I’ve now tried to install the file….
RESULTS
The file installs and pops up a menu to either install Cyber Security – or cancel.
What happens is that it will install regardless!
It is important to realise that it bypasses two different anti-virus systems that I’ve tried and installs into Program Files (x86)\CB\cs.exe
THE ANTI-VIRUS PROGRAMS DID NOT STOP THE INSTALL!!! Naturally, in Windows 7 you have to click OK to let it run. This is your last chance of blocking the install! I repeat….THE ANTI-VIRUS PROGRAMS DID NOT STOP THE INSTALL!!!
It installs into Add/Remove programs
It pops up a false “Windows Security Centre” and to all intents and purposes it looks and feels like a real kosher application…..
The only thing that removes it (and it’s after the event anyway), is MalwareBytes in my experience, which does a thorough job.
I’ve currently installed an XP installation into a Virtual Box install for sandbox testing. I think I’ll have to use this route for general browsing of the web. These malware-laden websites are becoming ever more prevalent, and I just hope that all the stuff I’ve implemented here on this website is enough to keep the hackers at bay…
(However, the incidence of these crap sites originating from Arizona is a co-incidence that cannot be ignored! It could be by design and with the connivance of the site owners – who’s to tell?)
USEFUL LINKS
http://www.malwarebytes.org/ : reliable malware removal
http://www.virtualbox.org/ : virtual operating system install system for sandbox browsing – this means that if the sandbox is infected just quickly roll-back to an un-infected version – takes a minute, tops!
November 16, 2009 at 3:01 pm
Hi, I have recently cleaned up 2 of my friends’ computers that were infected with Cyber Security. I did a virus scan with Norton and it failed to detect anything. I used the free version of Spyware Doctor and it noticed and removed everything. The 2nd computer ran Vista and the free Comodo Internet Security which did detect a trojan/virus and prevented the installation. I was wondering if you had any Firefox extensions in use when you did your test?
November 16, 2009 at 3:24 pm
@Tracey
Yes I did/do have some Firefox plugins. Flash, a developer possibly, dictionary, picture search and screen grabber, I think (I tend to enable/disable a bit dependent on what I'm up to!!). The whole thing is pretty weird as it resizes the windows etc. I was quite amazed that big name anti-virus programs failed to react properly. Since then, I'm giving the new Opera a go again but haven't actually tested it against the threat sites.
Fortunately, you don't HAVE to actually install the download once it's down. You can delete it as it doesn't have any automation(yet) to do this… But NOD32 let it install in my test, which I wasn't happy about as it's been highly effective for several years.
I used Comodo several years ago, but was dissatisfied because it actually did things to the PC that could be construed as 'spying', and it wasn't that good then anyway. I haven't tried it since that time because of this.
I haven't used Norton for many years although I've tested it when I've got a new mainboard as it's always on the disc! I've always found it to be an unreasonable hog of everything and then removed it after my test.