Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries being used in the attack. This occurs when you revisit that same malicious site. The malicious site also changes certain strings used inside the animation sequences. For this blog, I have visited that site a few times in span of a minute and collected the various source files and malicious binaries. Here are the screenshots of fake security warnings for different visits:
The highlighted fake security message in the above images varies each time with different trojan count. If you look at the source code of these webpages, it has been randomized for each subsequent visit. Here is a sampling of the altered source code:
The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns. As with other fake AV sites, when a victim visits the page, he is social engineered into downloading fake security software which in turns out to be malicious program. Interestingly, each time you visit this website the malicious binary changes, which results in a different MD5 hash. The size of those malicious binaries remains same. Here are the MD5 hashes for different binaries downloaded from the same website:
The Virustotal AV detection results remain very poor with only 8/43 antivirus vendors detecting the files as malicious. Here are the results for above binaries:
http://www.virustotal.com/file-scan/report.html?id=524b2ae5004d1e80628c7e69363e6a0d6357e5a01340bf0f1a9c406d9f38cd77-1300754240
http://www.virustotal.com/file-scan/report.html?id=00d2f5827712547c18e294123f7984268cc47cc2b225a9214873584178cdc058-1300754363
http://www.virustotal.com/file-scan/report.html?id=ee3c2057135d084ea8fdeba2e3f4b8c4501728ef40fcc62bec84da4cddca7352-1300754286
http://www.virustotal.com/file-scan/report.html?id=8d4ac1aeb83f18c401b0df447e5fba2a6a02a744de6f7404a76939bd4278da94-1300754302
The example demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code. Randomization of malicious binaries will also evade good antivirus engines.
Thanks
Umesh
Related Posts
- Heavy obfuscation used by Fake Antivirus websites
Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned in the blog, attackers are continually creating new domains and websites promoting... - Malicious Spam on the increase again
Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion o... - The Royal Wedding and The Fake Antivirus
The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on vari... - Phishing Attack Uses Fake Donation Website
Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com is created by us... - Fake HMRC website offers bank refunds
A friend sent me this link, which is an interesting spin on the old "HMRC tax refund" scam - a fake HMRC claiming your bank wants to issue a refund instead.
Click to Enlarge
As you can see below, ... - BSNL, Bangalore website yet another victim of malicious code injection
BSNL, Bangalore telecom district has become yet another victim of poor website security and has been infected with malicious JavaScript code. This time, the code points to a malicious domain used by t... - Fake Rogue Anti-Virus & Anti-Spyware in Action
See what happens when I purposely infect my computer with Power AntiVirus (a rogue anti-virus known to be malicious.) Notice some of the patterns and learn how to protect your computer in our series o... - Naked pictures from Emily carry fake anti-virus surprise
It's 8:30am. You stumble into work half asleep and slouch at your desk. You boot up your computer.. tick tick tick. It runs its system diagnostics and you see the Windows logo lurch into view.
Umptee... - Compromised website used in Bank of America phish
In malware analysis, it is quite common to come across attacks that you quite simply cannot believe could really work. I quite often find myself asking the question how anyone could actually fall vic... - Australian job hunters offered money laundering jobs via fake seek.com.au website
Today, SophosLabs witnessed a new job spam campaign targeting Australians.
The email message claims to provide part-time jobs with excellent pay. The interesting part of this spam campaign is that th...
Posted on 24 March 2011. Tags: Antivirus, binaries, Code, Fake, Randomization, used, Website
The above information is reprinted from and copyrighted © by Zscaler.
The highlighted fake security message in the above images varies each time with different trojan count. If you look at the source code of these webpages, it has been randomized for each subsequent visit. Here is a sampling of the altered source code:
