Last updated on November 21st, 2015
Remove Referrals Information from This Website because of Malware
Like many blogs, this website has displayed the last few hits (referrals) it received as a kind of ‘live’ activity recorder and a small service back to the referring website. However, I’ve had to pull this from my front page because over the last few days hundreds of malware-laden websites have seemingly been broadcasting pings to everyone else.
Anyone unlucky enough to click on one of these back-links to the ‘referrer’ is then presented with a fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.
Analysis and Appearance
The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!). Here’s an example that points to malware:
franklinrealtyvacationrentals.com is a normal-looking estate agent’s site in Florida.
This next one points to a blank page and has a similar php ?page= construct, but lacks a sub-domain:
sweetepeach.com is a website under construction at ixWebHosting, my old host that I left because it was so slow.
And this one is another malware-laden website:
pbparts.com appears to be a computer parts online store in Arizona.
And here are two web addresses from the same domain:
tummy2tummy.com appears to be a mother and baby website.
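The pattern in the examples above (a sub-domain of an otherwise ordinary site, carrying a ‘something.php?page=’ construct) is regular enough that a blog’s ‘recent referrers’ widget can refuse to republish such links instead of being pulled altogether. The following is an added example, not this site’s own code: it classifies raw Referer values, drops or quarantines the ones that match the pattern, and renders even the accepted ones as neutralised links (host only, path and query stripped, rel=nofollow). The sample referrers are constructed and are not the real referrers listed above; the public-suffix stand-in list and the verdict names are this example’s assumptions.

```python
"""Referrer-widget filter: decide which HTTP referrers a blog may safely republish.

Added example (not this site's own code). The heuristics come from the post:
spam referrers were sub-domains of otherwise ordinary sites carrying a
"something.php?page=..." construct. The public-suffix stand-in list, the
verdict names and the sample referrers are this example's assumptions.
"""
import html
import re
from urllib.parse import urlsplit

# Tiny stand-in for a real public suffix list (assumption; use the real list in production).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Matches a "page=" parameter at the start of the query string or after an '&'.
PAGE_PARAM = re.compile(r"(^|&)page=", re.IGNORECASE)

# Constructed sample referrers; none of these are the real referrers from the post.
SAMPLE_REFERRERS = [
    "http://www.example.org/blog/2009/11/hello",           # ordinary blog link
    "http://x7q2.example-estate.com/index.php?page=ab12",  # sub-domain + .php?page=
    "http://example-build.net/go.php?page=9f3",            # .php?page= but no sub-domain
    "https://docs.example.co.uk/guide.html",               # non-www sub-domain, no php
    "javascript:alert(1)",                                 # not an http(s) URL at all
    "",                                                    # empty Referer header
]


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (example.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_referrer(referrer):
    """Return (verdict, reason); verdict is 'keep', 'review' or 'drop'."""
    if not referrer:
        return "drop", "empty referrer"
    parts = urlsplit(referrer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "drop", "not an http(s) URL"
    host = parts.hostname
    reg = registrable_domain(host)
    is_subdomain = host not in (reg, "www." + reg)
    php_page = parts.path.lower().endswith(".php") and bool(PAGE_PARAM.search(parts.query))
    if is_subdomain and php_page:
        return "drop", "sub-domain with .php?page= construct"
    if php_page:
        return "review", ".php?page= construct without sub-domain"
    if is_subdomain:
        return "review", "non-www sub-domain"
    return "keep", "plain referrer"


def render_widget(referrers):
    """Render the 'keep' referrers as an HTML list.

    Even accepted referrers are neutralised: the link target is reduced to
    scheme and host (path and query dropped), the link text is the hostname
    only, and rel=nofollow tells crawlers the blog is not vouching for it.
    """
    items = []
    for ref in referrers:
        verdict, _ = classify_referrer(ref)
        if verdict != "keep":
            continue
        parts = urlsplit(ref)
        target = html.escape(f"{parts.scheme}://{parts.hostname}/", quote=True)
        label = html.escape(parts.hostname)
        items.append(f'<li><a href="{target}" rel="nofollow noopener">{label}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    for ref in SAMPLE_REFERRERS:
        verdict, reason = classify_referrer(ref)
        print(f"{verdict:7} {reason:45} {ref!r}")
    print(render_widget(SAMPLE_REFERRERS))
```

The ‘review’ verdict exists because neither signal alone is proof: a `.php?page=` link from a site’s main domain (like the blank-page case above) or a plain sub-domain may be perfectly legitimate, so those are held back for a human look rather than silently dropped or silently published.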
Here are examples of the typical warning messages after hitting a duff link or two. These were taken from Firefox 3 and IE8, both fully patched and up to date.
- The website sometimes redirects, sometimes not, to the malware-coded location.
- The message/dialog boxes have a variety of wordings and button suggestions.
- Some websites are completely unclosable by normal means, and Task Manager is the only way to get out of the loop.
- There are a variety of files to download from the various websites. The one in the video below is called “Inst_174s1.exe”, which I’ve now seen 3 times. I’ve also seen another called “setup_build8_239.exe”, which has a standard Windows setup icon inside it to lend it apparent legitimacy!
Standard Anti-Virus Failure
The video shows the fake scan and my various failed attempts to close it. The current IP address of the user (myself) is shown to add an air of realism, although this is easily displayed on any webpage.
Fortunately, in this video, IE8, even though the browser privacy settings and window size and positioning were mucked around with by the malware site, was finally closable with the normal close button at the top right. On other sites, the only way to get out of the loop in both IE8 and Firefox was to use Task Manager to kill the process. This worked, fortunately.
I downloaded the files deliberately on some occasions for analysis.
ESET’s NOD32 (my AV program) failed to detect either of these files as bad! I uploaded both to ESET for analysis and one has since been found to contain a trojan, a variant of Win32/Kryptik.AWY! This trojan has been in the signature database since 21/10/2009, when NOD32 was the only anti-virus program to detect it! So things aren’t that bad. Presumably, if I’d run the programs, NOD32 would’ve kicked in, but I haven’t tried that yet. The setup file was only first detected as malware yesterday, and then only by a few vendors. The analysis of its actions is particularly revealing: along with a shedload of new registry keys, it also modifies the ‘hosts’ file!
NOD32 wasn’t alone in this detection failure. I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything! Time constraints meant I didn’t try Kaspersky, Symantec et al., but I’m fairly certain the results would’ve been the same.
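The ‘hosts’ file modification mentioned above is worth checking for on any machine that has run one of these installers, because a hosts entry silently overrides DNS for the named host. The following is an added example, not the analysis output referred to in the post: it parses a Windows-style hosts file and flags entries that point anti-virus or update domains anywhere at all (sinkholed to loopback or redirected elsewhere), and entries that pin any other name to an address outside loopback, RFC 1918 and link-local ranges. The watched vendor domains, the list of ‘local’ ranges and the sample file are this example’s assumptions; 192.0.2.10 is an RFC 5737 documentation address standing in for an attacker’s server.

```python
"""Hosts-file tamper check.

Added example, not the post's analysis output. The post says the setup file
modifies the Windows 'hosts' file; this shows what a check for that kind of
change looks like. The watched vendor domains, the local-network list and
the sample file are this example's assumptions.
"""
import ipaddress

# Domains whose presence in a hosts file is almost never legitimate
# (assumed list of AV / update hosts; extend for your environment).
WATCHED_SUFFIXES = (
    "eset.com", "nod32.com", "virustotal.com", "trendmicro.com",
    "mcafee.com", "avg.com", "microsoft.com", "windowsupdate.com",
)

# Addresses a hosts entry may point at without raising suspicion: loopback,
# RFC 1918 and link-local ranges (ordinary LAN aliases live here).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7",
)]

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; 192.0.2.10 is an RFC 5737 documentation address standing
# in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas                       # legitimate LAN alias, not flagged
127.0.0.1       www.eset.com              # vendor site sinkholed to loopback
192.0.2.10      update.nod32.com www.virustotal.com   # vendor hosts redirected
192.0.2.10      www.example-bank.com      # arbitrary name pinned to a non-local address
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for each mapping; skips comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore malformed line
        for name in fields[1:]:               # one address may carry several names
            yield addr, name.lower().rstrip("."), line_no


def is_watched(name):
    """True if name is a watched domain or a host under one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local(addr):
    """True if addr falls in one of the LOCAL_NETS ranges."""
    return any(addr in net for net in LOCAL_NETS)


def suspicious_entries(text):
    """Return [(line_no, reason, hostname, address)] for entries that look like tampering."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if is_watched(name):
            reason = ("security vendor host sinkholed to loopback" if addr.is_loopback
                      else "security vendor host redirected")
            findings.append((line_no, reason, name, str(addr)))
        elif not is_local(addr):
            findings.append((line_no, "name pinned to a non-local address", name, str(addr)))
    return findings


if __name__ == "__main__":
    # On a real machine, read r"C:\Windows\System32\drivers\etc\hosts" instead.
    for line_no, reason, name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {name} -> {addr}")
```

The two rules deliberately differ: a vendor domain in the hosts file is reported whatever it points at, because there is no honest reason for it to be there, whereas an ordinary name is only reported when it points outside the local ranges, so that the usual LAN aliases (`nas`, `printer`) do not drown the real findings.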
Everything is not as it seems! Be very careful what you click on!
Send any suspicious file to VirusTotal.com, as it has quite a good crack at finding out the truth about a file by running it past most of the anti-virus vendors’ engines.
As for my website, the recent referrer back-links are now gone, as they made me look like a pointer to bad sites, and I’m not. Whether this sub-domain behaviour can be blocked probably depends on the website owners, as it’s not the browser’s fault.
What I have noticed, is:
- A lot of these malware sites are hosted at my old crap host, ixWebhosting.com (if I recall, a setting exists to block sub-domain creation)
- A lot of host sites are in Arizona, Florida and Utah
- A lot of malware sites can be traced back to China & eastern European states.
Make of that what you will. If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.