Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned in that post, attackers are continually creating new domains and websites promoting their fake software, using various obfuscation techniques to hide their code from detection by IDS, IPS, antivirus and similar tools. We have since encountered a number of malicious websites hosted on the same IP address. The main pages of these websites are heavily obfuscated. The structure of the obfuscated JavaScript remains the same throughout, but all variable names are random. This likely means that the attacker has created, or is using, a tool to handle the code obfuscation. Here are screenshots of the JavaScript code from two different websites:

Looking at the above images, you can see that the structure of the code remains the same and only the variable names are randomized. The source of the page contains nothing but a body tag and the malicious JavaScript. When the page loads, it starts creating animations that deliver security warnings to scare the victim. Here is one example:

As I mentioned in the earlier blog post, these are fake security warnings attempting to coerce the victim into downloading fake antivirus software, which in turn downloads additional malware onto the system. The code that draws these animations and initiates the download of the malicious binaries is hidden inside the obfuscated script. Let’s decode the main script. The malicious JavaScript has two functions defined and three lines of code that decode the content. Here is how they look:

The variable “euqbvulz” is passed in the first iteration to the decoding function “ikcmfynlzk()”. The decoded content is stored in a variable called “wfuaydtmd”. In the second iteration, “wfuaydtmd” is passed to a second function, “fiyctdv()”, which contains a “document.write()” call. So the code goes through two iterations of decoding. Let’s decode this code using Malzilla.

Malzilla successfully decoded the contents. But the decoded result contains another three heavily obfuscated JavaScript snippets and some HTML code. Let’s decode them one by one. Here is the first one:

The first malicious JavaScript snippet decodes to an HTML “title” tag, which is displayed as the title of the webpage and claims it is a legitimate Windows security website. This means the HTML code displaying the warnings and animation is hidden in the remaining malicious scripts. Here is the second one:

The above script code loads the animated images with the message “Initializing virus Protection System…”. Here is the third one:

If you look at the above image, you will notice some strings related to security, which suggests that this JavaScript code actually loads the animation. The first variable is declared as “strategy”, and the attacker's strategy is to load that variable with JavaScript code formatted as CSS. Here are some screenshots of that CSS code:



So, the code displaying the security warnings and messages is obfuscated multiple times by the attacker. You will notice that the strings used by the attacker are the ones displayed in the warning images shown in the earlier screenshots. Because of this heavy obfuscation, the detection rate of legitimate antivirus vendors scanning this HTML file remains very poor.
Umesh

Posted on 21 March 2011. Tags: Antivirus, Fake, Heavy, Obfuscation, used, Websites
The above information is reprinted from and copyrighted © by Zscaler.