Thursday, September 30, 2010

Best and worst antivirus against fake AV malware

The detection rate for fake antivirus malware amongst antivirus vendors is usually below 25%. I was curious to see which AV engines were the best and worst, when it comes to blocking malicious fake AV executables. In order to figure it out, I obtained 16 different samples which I uploaded to VirusTotal in order to get the detection information on 43 AV engines.

Before I get into the results, it is interesting to note that fake AV perpetrators often reuse the same names for different executables. For example, the malicious executable scanner.exe, was found with different file sizes, which resulted in different AV detection results, depending on where the executables came from. The opposite is also true. The same exact file (same size, same MD5) was found on different domains under different names. I made sure my 16 samples were indeed different files to not skew the comparison.

VirusTotal - Detection information for one sample
No absolute protection

The average detection rate was found to be 30%. The detection rate for each sample varied from 12% to 49%.

The best AV engine detected 13 of the 16 samples (81% detection rate). Only 13 out of the 43 AV software detected at least 50% of the samples.

Best AV solutions

The best AV solution to detect fake AV malware is Sophos, with an 81% detection rate, followed by Sunbelt (75%).

5 best AV solutions against fake AV malware

The 13 AV engines which detected at least 50% of the malicious executables are (in alphabetical order):
  1. AhnLab-V3
  2. AntiVir
  3. BitDefender
  4. F-Secure
  5. GData
  6. Kaspersky
  7. NOD32
  8. PCTools
  9. Sophos
  10. Sunbelt
  11. Symantec
  12. TrendMicro
  13. TrendMicro-HouseCall
Worst AV software

The following 7 AV engines did not detect any of the samples:
  1. ClamAV
  2. eSafe
  3. Fortinet
  4. Jiangmin
  5. TheHacker
  6. ViRobot
  7. VirusBuster
AVG, a popular free antivirus, detected 19% of the samples, the same as McAfee.


The AV vendors need to step up and improve their detection. Samples are easily found. I've explained how to get to the fake AV pages from a Google query of the Hot Trends in previous posts.

-- Julien

Wednesday, September 29, 2010

"Hot Video" pages: analysis of an hijacked site (Part III)

In Part I and II, I analyzed files on a hijacked site that was part of the "Hot Video" campaign. While doing the analysis, I identified other hijacked domains and found additional scripts used to create the "Hot Video" pages. Some of them were much more elaborate.

page.php and

These pages present a slight variation of the "Hot Video" scripts seen in Part I and Part II. The template is loaded from instead of Otherwise the script works the same way, however, the redirection to the malicious page is done by a different site, namely Interestingly, this website was already redirecting users to fake AV sites in July 2010. I did warn the owner of the site at the time, but apparently it fell on deaf ears.


This script is very interesting. It does basically the same thing as news.php and page.php, displaying the "Hot Video" page and creating spam content, but in a different way. Checks for bots are also more thorough.

Here are the main differences:


The previous examples were only looking at the User-Agent header, to differentiate between users and bots. This version includes several other checks:
  • Client IP address check - The script has a list of IP addresses/ranges which are considered to be bots. They are known Google IP addresses. A similar list can be seen at SEO-Wolf. It is interesting to see that, once again, attackers care primarily about Google, not Yahoo or Bing.
List of blacklisted IP addresses
  • Referer header check - If you do a search for "", the request to the page is considered as being done by a bot
  • User-Agent header check - Blackberry and Samsung browsers are flagged as bots
  • Referer header must contain google or search.
  • Referer header must contain q=.
Part of the is_search_bots() function

The scripts display slightly different pages for bots and users. They use two templates: for users and for bots. The differences between the pages generated are designed to trick Google into thinking this is not a spam page. The page delivered to search engine bots has the following characteristics:
  • No "Hot Video:" string in the title
  • The Flash overlay on the page is not created, so there is no redirection to a fake AV site
Otherwise, the content of the 2 pages is the same as detailed in a previous post: spam content, links to other spam pages, and a picture of the fake Youtube player.
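The cloaking described above (one template for crawlers, another for visitors) is exactly what a site owner or researcher can test for from the outside: request the same page under a crawler-like profile and a normal browser profile and diff what comes back. The following Python is an added example, not code from the post or from the scripts it analyses. The `fetch` callable is pluggable; here it is a constructed stand-in that mimics the behaviour the post describes (no "Hot Video:" title and no Flash overlay for crawlers), and the profile values are made up.

```python
import re

# Request profiles: (User-Agent, Referer, client IP). Constructed values;
# the IP in the "googlebot" profile is only meant to look like a crawler.
PROFILES = {
    "user": ("Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
             "http://www.google.com/search?q=hot+video", "203.0.113.10"),
    "googlebot": ("Mozilla/5.0 (compatible; Googlebot/2.1)", "", "66.249.66.1"),
}


def fake_hot_video_site(user_agent, referer, client_ip):
    """Constructed stand-in for the hijacked page (hypothetical). It serves
    the crawler template when the visitor looks like a search engine and
    the user template, with the Flash overlay, otherwise."""
    looks_like_bot = "googlebot" in user_agent.lower() or client_ip.startswith("66.249.")
    if looks_like_bot:
        return ("<html><head><title>tour de france</title></head>"
                "<body><p>spam text</p></body></html>")
    return ("<html><head><title>Hot Video: tour de france</title></head>"
            "<body><embed src=\"load.swf\"><p>spam text</p></body></html>")


def fingerprint(html):
    """Reduce a response to the attributes the post says differ per audience."""
    title = re.search(r"<title>(.*?)</title>", html, re.S)
    return {
        "title": title.group(1).strip() if title else "",
        "has_flash": bool(re.search(r"<(embed|object)[^>]*\.swf", html, re.I)),
        "has_hot_video": "hot video:" in html.lower(),
    }


def detect_cloaking(fetch, profiles):
    """Fetch once per profile and report which fingerprint fields differ
    between any pair of profiles. A non-empty set means the page is
    serving audience-dependent content."""
    fps = {name: fingerprint(fetch(*args)) for name, args in profiles.items()}
    differing = set()
    names = list(fps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            differing.update(k for k in fps[a] if fps[a][k] != fps[b][k])
    return fps, differing


if __name__ == "__main__":
    fps, differing = detect_cloaking(fake_hot_video_site, PROFILES)
    for name, fp in fps.items():
        print(name, fp)
    print("cloaked fields:", sorted(differing))
```

Against a live page, `fetch` would be a small wrapper around an HTTP client that sets the User-Agent and Referer headers from the profile; the client-IP check in the script cannot be reproduced from one vantage point, which is why a crawler-IP-gated page can still look clean from a research machine and is worth re-testing through a second network.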

The sendPage function

This function did not exist in the previous scripts. The "Hot Video" pages include the 20 most popular searches from Google Hot Trends for the same day. This means new links to fake video pages are created automatically every day.


The spam page also contains links to older Google Hot Trends, taken randomly from the last 25 days:

$address = "".date("Y-m-d",time() - 60*60*24*rand(1,25));


Another list of spam keywords is generated using Google Suggest, the list of suggestions which Google shows you as you type your keywords in the search engine. This means the fake pages are created not only for the popular searches, but also for searches suggested by Google.

Source of the function generating new keywords for spam

Another difference with the previous script is that there is no hash done on the keywords to ensure that the request includes specific parameters.


As with the other "Hot Video" pages, there is a link to a sitemap page which lists other spam pages. But in this example, the sitemap is generated from the content on a different domain: This page can create a list of spam pages for any domain and the base URL is sent as a URL parameter.

sitemap.html is generated from a different domain


This script looks like it was written by the same group as the other "Hot Video" scripts. However, its functionality is more like that of the other blackhat spam SEO scripts I've seen, with extensive checks to separate users from bots and different content displayed to each.

-- Julien

Saturday, September 25, 2010

New Orkut worm: “Bom Sabado!” – Good Saturday for Orkut Users

Today, on 25th September 2010, a new worm affecting Orkut emerged. I received several calls from friends asking about this new Orkut worm. They told me that their scrapbook was flooded with text messages called “Bom Sabado!” and they were forcefully made to join some fake Orkut communities. This worm seems to have been created by a Portuguese hacker, as the meaning of this message is “Good Saturday” in Portuguese. I found the scrapbook of one of my friends flooded with the same malicious messages. Here is the screenshot:
I looked at the source code of the scrapbook page and found that a malicious iframe is being used to spread the worm. Here is what the malicious code looks like:
The malicious iframe points to “”. I tried to download this malicious JavaScript file but the domain no longer exists. I was however able to find the source code for this malicious JavaScript file on a Google forum. The obfuscated JavaScript inside the file can be seen below:
The script was easy to decode, and I also found the decoded source code on the internet. This malicious JavaScript creates some HTTP GET and POST requests to Orkut. It then obtains the list of friends of the infected user and sends the same malicious message to them with the hidden iframe embedded. This malicious JavaScript also forces infected users to join a few fake Portuguese communities, as listed below:
This worm does not perform any truly harmful activities, but instead forces infected users to join different fake communities. It looks like the motive of the attacker behind this is simply to see how many users he could infect. The screenshots of the different communities involved in the attack (below) show that within a few hours this worm had infected many users:
This new worm shows how quickly an attack can spread and how dangerous social networking sites can be. Even though this worm didn't perform any malicious activities, it could have been used to steal sensitive information like passwords, personal information, etc. This was certainly not a 'Good Saturday' for Orkut users. Do not open your Orkut scrapbook until Orkut fixes the problem, even though the malicious site is down.
“Bad Saturday” for Orkut users.

Thursday, September 23, 2010

fake AV moving from to

I've mentioned before that most of the fake AV sites were hosted on the sub-domain of which offers free DNS services.

It is certainly true that the domain is still hosting most of the fake AV sites, however, they are also doing a lot of cleanup. All the malicious sites we have reported to them have been removed within 24 hours. Many sites I've checked recently have been taken down.

Fake AV domain was taken down

While we're still seeing new fake AV sites, we've seen an increase in such sites hosted on They offer free sub-domains, and free hosting as well.

Attackers take advantage of free hosting services

Attackers will keep changing providers to find a more hospitable home, a place where they are not shut down quickly. It took several months for registrars to first take action against attackers abusing their service, certainly enough time to infect plenty of unaware users, and we expect the same for

-- Julien

Wednesday, September 22, 2010

"Hot Video" pages: analysis of an hijacked site (Part II)

In Part I of this series, I analyzed the files used in coordination with news.php to create the malicious spam "Hot Video" pages. In this second post, I'll analyze the rest of the files found on the site:
  • .cch/ - folder contains thousands of spam pages
  • page.php - displays the "Hot Video" page
  • .sys.php - execute any PHP code and upload files
  • g------.php (censored) and a few similar pages - execute any command and upload files
page.php and .cch/

page.php is nearly identical to the script news.php described previously: it displays the fake AV pages using the template. It uses sites.txt and key.txt to get the list of other spam pages, etc. The script is also obfuscated using FOPO.

Part of the de-obfuscated PHP code

The only difference with news.php is that the spam content is stored in .cch/ instead of .news/.

The other 2 PHP scripts are not related to the "Hot Video" spam pages, but they are very dangerous for any website affected by this attack as they open it up to further compromise as discussed below.


This PHP script is not encrypted. It is very short, but very dangerous. It executes any PHP code entered in a POST request, and can upload any file, including .php files that can be executed on the site later.

Full source code
Looking at the source code is not enough to be able to use it. Indeed, the script runs only if the correct parameter key=value is sent. The code starts with:

if (sha1(md5(sha1($_POST['key']))) == "697e86fd67cd215cfa03b98a5c3a1d7b34a79534")

So you need to find the right value whose SHA1 of MD5 of SHA1 (!) is equal to "697e86fd67cd215cfa03b98a5c3a1d7b34a79534", otherwise the script does not do anything.

g------.php (censored)

I've found a few .php scripts with similar names, but always slightly different, on several hundred websites. Unfortunately for the webmasters, this means that a simple Google search can let anybody take full control of their website.

The script allows anybody to run any shell command on the site, run any PHP code, and to upload any file. It is not obfuscated, and unlike .sys.php, there is no trick to prevent people from using it. To protect the websites which have been hijacked, and now include these scripts, I won't go into further details regarding this file.
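For a webmaster who suspects this kind of compromise, the useful takeaway from the .sys.php and g------.php descriptions above is a set of indicators to look for in the web root: the nested sha1(md5(sha1())) gate, PHP code executed straight from a request, shell-execution and upload calls, the FOPO banner, and hidden dotfile scripts. The following Python scanner is an added example, not code from the post; the indicator names and the constructed sample files it writes to a temporary directory are mine (the sample bodies are deliberately non-functional fragments, with only the hash from the post reused), and it assumes a POSIX path layout.

```python
import os
import re
import shutil
import tempfile

# Indicator patterns (names are my own). Each is a regex over file text.
INDICATORS = {
    "nested_hash_gate": re.compile(r"sha1\s*\(\s*md5\s*\(\s*sha1\s*\("),
    "eval_of_request": re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\b"),
    "shell_exec": re.compile(r"\b(system|passthru|shell_exec|popen|proc_open)\s*\("),
    "file_upload": re.compile(r"move_uploaded_file\s*\("),
    "fopo_banner": re.compile(r"FOPO - Free Online PHP Obfuscator"),
}
# A .php file whose name starts with a dot (e.g. .sys.php) hides from casual listings.
HIDDEN_DOTFILE = re.compile(r"^\.[^/]+\.php$")


def scan_file(path):
    """Return the list of indicator names that fire for one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if HIDDEN_DOTFILE.match(os.path.basename(path)):
        hits.append("hidden_dotfile")
    return hits


def scan_webroot(root):
    """Walk the web root and map each flagged .php file (relative path) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_webroot():
    """Create a throwaway directory of constructed files for the demo.
    Bodies are fragments carrying only the indicators, not working scripts."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "images/.sys.php": (
            "<?php if (sha1(md5(sha1($_POST['key']))) == "
            "\"697e86fd67cd215cfa03b98a5c3a1d7b34a79534\") { /* constructed: body elided */ } ?>"),
        "images/gxxxxxx.php": (
            "<?php /* constructed fragment, not a working script */ "
            "system($c); move_uploaded_file($f, $d); ?>"),
        "images/page.php": (
            "<?php /* FOPO - Free Online PHP Obfuscator v1.2 */ "
            "/* constructed: obfuscated payload elided */ ?>"),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, hits in sorted(scan_webroot(root).items()):
        print(f"{rel}: {', '.join(hits)}")
    cleanup(root)
```

Run it against a real document root by calling `scan_webroot("/var/www/html")` (path is an example). A hit is a lead, not a verdict: legitimate upload handlers call move_uploaded_file too, so review flagged files by hand and compare them against a known-good copy of the site.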


The scripts used to create the fake "Hot Video" pages are pretty simple. They work autonomously, so it is not possible to track the origin, or individual that may be behind the attack. Hundreds of websites have been compromised.

These hijacked sites are mostly online stores. They are dangerous not only to their own users, whose information can easily be stolen or who could be served all kinds of malware, but to Internet users in general.

-- Julien

Tuesday, September 21, 2010

Twitter ReTweet Spam (XSS)

This morning before I even logged into my system, I was receiving inquiries about the Twitter Spam going around. The source looks like:

And appears in Twitter as:

For those unfamiliar with, it is Twitter's link service, which provides URL shortening as well as checks to ensure that the link doesn't go to a known malicious site (see About Twitter's Link Service for more info). You can see from the source of the tweet, that it is leveraging a cross-site scripting (XSS) vulnerability so that the scripting code following the "@" character is executed within the victim's browser, and just by mousing over the tweet you are retweeting it. The tweet name / retweet value varies. ( has been seen in addition to the domain).

Doing a Twitter search for "Onmouseover" provides a laundry list of URLs and "victims" of this spam. The results of the spam campaign are tweet spam (an annoyance) and a likely strain on Twitter services from the increase in retweets. Repeating the Twitter search a few minutes later showed over 30K more tweets than my initial search, which illustrates how rapidly the XSS retweet spam is spreading.

Digging a bit deeper into this reveals that it was an Australian teenager going by the handle zzap that discovered the XSS vulnerability whereby arbitrary script following the "@" character is executed (ref. NetCraft). Cross-site request forgery and cookie stealing attacks have been demonstrated leveraging the XSS vulnerability as well. Currently there are a number of Twitter worms leveraging this vulnerability (ref. F-Secure).

Some security precautions for users to consider:
  • Avoid accessing your Twitter account from a browser, consider using a Twitter client
  • If accessing your account via browser turn off JavaScript or use NoScript
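The root cause described above is a URL being written into an HTML attribute without encoding, so that a quote character in the link closes the href and whatever follows becomes an event handler. The Python below is an added example (not Twitter's code and not from the post) that puts the vulnerable rendering next to the hardened one and includes a simple check for an injected on* handler in rendered markup. The link text is constructed to have the same shape as the tweets described, with a harmless placeholder handler name.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed link in the shape the post describes: the quote after "@"
# terminates the href value and the rest is parsed as new attributes.
MALICIOUS_LINK = 'http://t.co/@"onmouseover="placeholderHandler()"/'


def render_link_unsafe(url):
    """The vulnerable pattern: the URL is dropped into the attribute verbatim."""
    return '<a href="%s">%s</a>' % (url, url)


def is_renderable(url):
    """Accept only absolute http(s) URLs with a host; rejects javascript: etc."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_link_safe(url):
    """Hardened version: validate the scheme, then attribute-encode the value
    so quotes, ampersands and angle brackets cannot break out of the attribute."""
    if not is_renderable(url):
        raise ValueError("unsupported URL")
    encoded = html.escape(url, quote=True)   # & < > " ' become entities
    return '<a href="%s">%s</a>' % (encoded, encoded)


# An on* attribute inside an <a> tag, preceded by whitespace or a quote
# (the parser treats text right after a closing quote as a new attribute).
INJECTED_HANDLER = re.compile(r"<a\b[^>]*[\s\"']on\w+\s*=", re.I)


def has_injected_handler(markup):
    """Detection helper: true if a rendered link carries an event handler."""
    return bool(INJECTED_HANDLER.search(markup))


if __name__ == "__main__":
    print("unsafe:", render_link_unsafe(MALICIOUS_LINK))
    print("  injected handler?", has_injected_handler(render_link_unsafe(MALICIOUS_LINK)))
    print("safe:  ", render_link_safe(MALICIOUS_LINK))
    print("  injected handler?", has_injected_handler(render_link_safe(MALICIOUS_LINK)))
```

The encoded version still contains the string "onmouseover", but only as inert text inside a quoted attribute value; that is the distinction a reviewer should look for, rather than blacklisting words. Scheme validation is a separate control that blocks javascript: links even when encoding is correct.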

Update from Twitter:

Monday, September 20, 2010

"Hot Video" pages: analysis of an hijacked site (Part I)

I was fortunate enough to find a hijacked site which was being used to host fake "Hot video" pages, which I've blogged about before. However, this time around, the site had directory listings enabled. As such, I could view all the files used in the attack, including the source code of the PHP files which display the fake video page and redirect users to malicious pages. This provided insight into how the attack actually works.

Here is the list of interesting files in the /images/ directory:
  • error_log - somebody tried to cover their tracks?
  • - template for the Hot video page
  • sitemap.php - displays a list of spam pages from other domains
  • sites.txt - list of spam pages from other domains
  • key.txt - a list of popular Google searches
  • news.txt - log of crawler visits
  • .news/ - folder containing thousands of spam pages
  • .cch/ - folder containing thousands of spam pages
  • g------.php (censored) and a few similar pages - execute external commands and upload files
  • .sys.php - execute any PHP code and upload file
  • page.php - displays the "Hot Video" page
  • news.php - display the "Hot Video" page
  • style.css - style sheet used on fake video page
  • load.swf - Flash file which redirects the user to the malicious page
  • player.gif - image of the fake Youtube video
Here is some information about some of the files.


This file shows a series of PHP errors. On the website, it contained a list of rmdir (remove a local folder) commands that had failed. It appears that somebody had attempted to delete the folders which contain the spam pages, which may have resulted from a failed attempt to clean a site by the webmaster, or perhaps a failed attempt to cover the hijacking by the attacker.

Failed attempt to remove the folder containing the spam pages.

sitemap.php, sites.txt and key.txt

key.txt contains the list of popular searches from Google Hot Trends. A spam page is created for each of the searches.

List of popular searches
The file reviewed contained 8,000 popular searches.

sites.txt contains a list of hijacked sites which host spam pages. There are 139 domains listed.

List of hijacked sites hosting spam pages
These 2 text files are used by sitemap.php to generate HTML pages with links to a total of 1,112,000 (8,000 x 139) spam pages.

HTML links to spam pages

sitemap.php generates different lists each time the page is accessed and shows a few hundred links each time.

Part of the sitemap.php PHP source code
The source shows that the same script, news.php, is used on all the 139 domains to display the fake video pages.


news.txt contains the logs from search engine crawlers that have accessed the spam page news.php.

Information about crawlers accessing the spam pages
The log file contained 29,983 lines. Google started to crawl the spam pages on August 15th. Here is the breakdown of crawler access:
  • Google: 29,402
  • Yahoo!: 580
  • MSN: 1
98% of the crawler access to this page was done by Google, so it is not surprising that Google search results contained more spam links than Yahoo! or Bing.

Bing visited the spam page on September 6th, and Yahoo! for the first time on August 27th, 12 days after Google. This plays well with what I've described before: Yahoo! is late to add spam pages to its search results, and Bing does not seem to contain any.
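The crawler breakdown above is the kind of thing a site owner can pull from their own access log to learn how long an injected page has been indexed and by whom. The Python below is an added example (not the post's code and not the attacker's news.txt logger): it parses Apache combined-format lines, classifies crawlers by the same User-Agent substrings the script uses (googlebot, slurp, msnbot), restricts to hits on the injected path, and reports counts, first-seen dates and how many days each crawler lagged the first. The log lines and IPs are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format lines (IPs from documentation ranges).
SAMPLE_LOG = """\
66.249.71.1 - - [15/Aug/2010:03:12:44 +0000] "GET /images/news.php?page=tour+de+france&check=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [16/Aug/2010:10:00:01 +0000] "GET /images/news.php?page=us+open&check=def HTTP/1.1" 200 5200 "http://www.google.com/search?q=us+open" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
72.30.1.2 - - [27/Aug/2010:08:30:00 +0000] "GET /images/news.php?page=us+open&check=def HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
66.249.71.2 - - [28/Aug/2010:03:12:45 +0000] "GET /images/news.php?page=emmys&check=ghi HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
65.55.1.3 - - [06/Sep/2010:12:00:00 +0000] "GET /images/news.php?page=emmys&check=ghi HTTP/1.1" 200 5100 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
"""

LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

# Same substrings the analysed script keys on, checked case-insensitively.
CRAWLERS = [("Google", "googlebot"), ("Yahoo!", "slurp"), ("MSN", "msnbot")]


def classify(user_agent):
    """Map a User-Agent to a crawler name, or None for a normal visitor."""
    ua = user_agent.lower()
    for name, needle in CRAWLERS:
        if needle in ua:
            return name
    return None


def crawler_stats(log_text, path_prefix="/images/news.php"):
    """Count crawler hits on the injected path; return counts, first-seen
    timestamps, days each crawler lagged the earliest one, and share of hits."""
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ip, ts, _method, path, _status, _referer, ua = m.groups()
        if not path.startswith(path_prefix):
            continue
        who = classify(ua)
        if who is None:
            continue
        counts[who] += 1
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        if who not in first_seen or when < first_seen[who]:
            first_seen[who] = when
    total = sum(counts.values())
    share = {k: v / total for k, v in counts.items()} if total else {}
    earliest = min(first_seen.values()) if first_seen else None
    lag_days = {k: (v - earliest).days for k, v in first_seen.items()}
    return counts, first_seen, lag_days, share


if __name__ == "__main__":
    counts, first_seen, lag_days, share = crawler_stats(SAMPLE_LOG)
    for who in counts:
        print(f"{who:7s} hits={counts[who]:3d} share={share[who]:4.0%} "
              f"first={first_seen[who]:%Y-%m-%d} lag={lag_days[who]}d")
```

Point it at a real log with `crawler_stats(open("/var/log/apache2/access.log").read())` (path is an example) and set `path_prefix` to the injected script's location; the first Googlebot hit gives a lower bound on how long the spam pages have been live.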


This folder contains about 25,000 pages.

Spam pages
The file name is based on the popular searches. For each search, there is a -new.html file, a -key.html file, and a .html file.

The -new.html and -key.html pages look similar. The -new.html files contain links to the malicious "Hot Video" page on other domains, whereas -key.html files contain links to the fake pages on the same domain, for example news.php?page=tour+de+france&check=f7b972cf78d306834a08b9655bff1822

Links to "Hot Video" pages

The 3rd file contains a spam page, the same type we've seen for other blackhat spam SEO attacks.

Spam page
The content of these 3 files is combined to create the overall "Hot Video" spam page.

This is the template for the "Hot Video" spam page. There are 4 main sections in the template:
  • the fake Youtube page, with the flash file load.swf to redirect users to the malicious site, player.gif for the picture of the fake Video player and style.css for the style sheet
  • a list of links to "Hot Video" pages on other domains
  • a list of links to "Hot Video" pages on the same domain
  • spam content for a specific search

HTML template


This PHP script is obfuscated with "FOPO - Free Online PHP Obfuscator v1.2:".

Obfuscated PHP code
Once de-obfuscated, the code is pretty simple. The script does two main actions:
  • display the spam page
  • create spam content

De-obfuscated code for news.php
The script displays the same page to crawlers and regular users. If the script detects a crawler, it also logs information about the crawl in news.txt. The detection is based on the user agent only - if the string slurp is found, it is the Yahoo crawler, GoogleBot is detected by the string googlebot, and Bing is detected with msnbot.

Requests to news.php involve a query string which contains 2 parameters:
  • the search term
  • a hash
The search term is used to fill out the template with the corresponding spam content and links to other "Hot Video" pages. The hash is used to make sure the request is legitimate, and it is done against the search term and an internal key. This prevents researchers, for example, from accessing the page with random query strings.

Surprisingly, there is some "dead code". Checks are done for the presence of a file, or the value of an HTTP request, but nothing is then done with it.

If a new search term is used, and the corresponding files are not found in the news/ directory, the script generates its own spam content. It does so by requesting the first 100 results of the search term from It then uses the summary of each search result given by Google to build the page. Images are added to the page as well, but they come from a Bing image search for the given search terms. The links to other "Hot Video" pages are built from the files key.txt and sites.txt.

The "Hot Video" page does not require any command and control server. It can generate new spam pages automatically.

The redirection to the malicious site is ultimately done by another hijacked site, Pages on this domain still redirect to fake AV pages, and they are not blocked by Google Safe browsing:,, etc.

I will detail the other files in later blog posts. Stay tuned!

-- Julien

Wednesday, September 15, 2010

Phishing Sites Hosted On Google Blogspot

We've previously reported on malware that can be accessed from Google search results and malicious executables hosted on Google Code. Additionally, Google Docs has been used for phishing and spam in the past. Now, Blogspot is being used to phish for Twitter credentials.

Form to enter your Twitter username and password

The blogs use different techniques to get a Twitter username and password from users. For example, they may offer to stream news about Jason Bieber or to help with dating, etc. Most of them claim to be the official Jason Bieber fan store.

Blog claims to be the official Jason Bieber fan store
The form used to gather the Twitter credentials is not actually hosted on blogspot, but rather on It is embedded as an iframe. Ironically, this hosting provider claims to offer a "Full Computer Cleaning Service package"! The credentials are sent to using a script hosted on a Yahoo account at

To reassure potential victims, the form states "WE have made the change to application sharing per Twitter TOS. We do not store User Names/Passwords". Twitter actually forbids transmission of login/password information from third party web applications, opting instead for the more secure OAuth protocol to communicate with Twitter accounts.

Some of the blogs involved are:

I've reported the domains to Google and expect that they will be shut down soon.

-- Julien

Tuesday, September 14, 2010

Attackers re-create an entire Facebook site for phishing

Most phishing sites consist of one login page with perhaps a few additional pages. However, I recently stumbled upon a Facebook phishing site which cloned all of the Facebook pages (About, Developers, Advertising, Sign up, etc.), and even in all of the 64 languages the original site offers!

Fake Facebook login page
The domain of the phishing site is hxxp:// gives an error as you have to access it with hxxp:// The website is remarkably well done; all the controls are the same as Facebook.

Fake Facebook sign up page

There is also another Russian domain hosting the same "clone" of Facebook:

These sites are not yet listed in Phishtank, and they are not blocked by Google SafeBrowsing.

-- Julien

Thursday, September 9, 2010

Google & malicious spam: a cat and mouse game

The good guys (Google in our case) are trying to stop the bad guys (blackhat SEO spammers) from infecting victims by leveraging legitimate resources. The bad guys try to stay ahead of the game by continually changing their attacks. Google has made visible changes in the last two weeks to Google Hot Trends and their search engine in order to stop spammers from abusing their system.

Tighter Google Hot Trends queries

The reason I became aware of Google's latest changes is that the scripts I use to harvest malicious spam links from Google results broke about 2 weeks ago! Fortunately for me, and probably for the attackers, the changes were trivial to get around.

The first change I noticed was for Google Hot Trends. Attackers use this page to identify popular search terms, which they then use for their spam pages. To get a list of 20 popular searches for any given day, the following request can be used:

Where 'e' is in the form: YYYY-MM-DD. For example, "2010-9-7".

If the month or day is less than 10, a single digit should be used. I had previously been able to access Google Hot Trends using 09 for September and 07 for the day, for example:

But now, you have to use the right format (no leading 0), or you'll get an error message:

New error message on Google Hot Trends
This change might be aimed at stopping the spam SEO command centers from getting the list of keywords for their spam pages, but it is very easy to work around.

Google "Sorry" page

If you run a lot of queries for the popular searches, especially with the parameters inurl: or site:, you can now receive the Google "Sorry" page very quickly, even when conducting manual queries.

Google "Sorry" page stops me from doing more queries
Once again, the workaround is easy: increase the time between subsequent Google queries.

Aggressive blacklisting

Google is usually very reluctant to blacklist the hijacked sites which host spam pages, and prefer to focus on blocking the actual malicious pages. But they have done just that for most of the infamous "Hot Video" fake video pages.

Google warns about the "Hot Video" spam pages
This means all users, including Internet Explorer users who do not benefit from Google SafeBrowsing, are better protected.

Attackers fight back

Attackers fight back by .... adding white space to their fake AV HTML code! Surprisingly, instead of using randomized JavaScript obfuscation to hide the fake AV pages, the attackers have chosen to simply add random white space to the HTML code.

Fake AV source code with white spaces
This is actually an easy way to break security tools which rely on rigid signatures to detect such pages. Such tools include antivirus engines, deep packet inspection devices, etc.
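The weakness being exploited here is a signature that matches exact bytes, which whitespace the browser ignores can break. The Python below is an added example (not from the post): a small normalizer that collapses and strips insignificant whitespace before matching, shown against a constructed fake-AV-style fragment, a rigid byte signature, and a deterministic whitespace-padding helper used only to produce the evading variant for the test. The HTML, the signature and the helper are all constructed; nothing here is taken from a real fake AV page.

```python
import hashlib
import re

# Constructed fragment in the style of a fake AV alert page.
FAKE_AV_HTML = ('<div id="alert"><span class="warn">Your PC is infected</span>'
                '<a href="scanner.exe">Remove threats now</a></div>')

# A rigid signature: exact byte sequence, the kind the post says breaks.
RIGID_SIGNATURE = '<span class="warn">Your PC is infected</span>'


def pad_with_whitespace(markup):
    """Produce a rendering-equivalent variant: newline+tab after every tag,
    and each single space between tokens widened to three. Deterministic,
    so the same input always yields the same padded output."""
    padded = re.sub(r">", ">\n\t ", markup)
    padded = re.sub(r"(?<=\S) (?=\S)", "   ", padded)
    return padded


def strip_all_whitespace(markup):
    """Coarse equivalence check used in the demo: same bytes ignoring whitespace."""
    return re.sub(r"\s", "", markup)


def normalize(markup):
    """Canonical form for matching only (not for rendering): collapse runs of
    whitespace to one space, then drop spaces around tag delimiters and '='."""
    text = re.sub(r"\s+", " ", markup)
    text = re.sub(r"\s*([<>=])\s*", r"\1", text)
    return text.strip()


def matches_normalized(markup, signature):
    """Match a signature against markup after normalizing both sides."""
    return normalize(signature) in normalize(markup)


def normalized_digest(markup):
    """Content hash that is stable under whitespace padding."""
    return hashlib.sha256(normalize(markup).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    padded = pad_with_whitespace(FAKE_AV_HTML)
    print("rigid signature on original :", RIGID_SIGNATURE in FAKE_AV_HTML)
    print("rigid signature on padded   :", RIGID_SIGNATURE in padded)
    print("normalized match on padded  :", matches_normalized(padded, RIGID_SIGNATURE))
    print("same normalized digest      :",
          normalized_digest(padded) == normalized_digest(FAKE_AV_HTML))
```

The caveat is that this normalization is lossy by design: it also collapses whitespace inside attribute values and preformatted text, so apply it to a copy used for matching and hashing, never to content you intend to serve or display. It closes the whitespace trick only; the JavaScript obfuscation the post contrasts it with needs script-level analysis.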

Fake AV pages with obfuscated content remain very rare, I see only 1 or 2 instances a week out of hundreds of such pages. This is concerning as it suggests that such steps are not yet necessary as non-obfuscated pages aren't being detected.

AV vendors still asleep

The only people who seem to stay out of the game are antivirus vendors. The detection rate of malicious executables disguised as antivirus solutions is still very low, often under 15%, as with this example.

We, as security researchers, have to keep monitoring malicious spam SEO in order to keep our protections up to date, as attackers keep tweaking their spam and malicious pages.

-- Julien

Fake AV sites using Flash for social engineering

We have seen many fake AV sites using images and cascading style sheets (CSS files) to display fake security messages. These pages are designed to trick users into believing that their machines are already infected and that they must download a ‘fix’. Recently, we are seeing many “” domains hosting fake AV sites that are instead using Adobe Flash to display the fake security messages. They all use the same source code and Flash files to create the animation effects of the messages. Once you visit these sites, you will be presented with a fake error message declaring something like “Your PC is infected” and you are then encouraged to download what turns out to be a malicious binary. Sadly, there is poor detection by AV vendors, as we can see from the VirusTotal results. Let’s take an example of one of the live fake AV sites, “hxxp://”. Here is what a potential victim will see at the site:

Even clicking on the “Cancel” button, a user will be forced to download the malicious binary which is followed by additional fake security messages.
Here is the source code from the main page:
Since these sites are using the “flashH264decoder.swf” Flash file for animation, all the images and scripts are embedded inside this single malicious file. I have decompiled this malicious flash file to see what is inside. I found 13 image files, 26 shapes, 5 buttons and 10 scripts embedded inside the file. Here is the screenshot of this decompiled malicious flash file:
These domains are now blocked by Google SafeBrowsing, which is leveraged by both the Firefox and Chrome browsers. Why did the attackers choose to use Flash instead of the images and CSS files that we traditionally see? While this approach requires a third party browser add-on, Flash is essentially ubiquitous with most browsers, and perhaps the attackers felt that it allowed them to produce a more convincing social engineering attack.

Stay safe


Wednesday, September 8, 2010

Beware of

Mass attacks on websites are common; they usually take advantage of underlying vulnerabilities in the technology upon which multiple sites are built. My recent posts illustrate examples of mass web attacks. Here is another example of such an attack:

Screen-shot of Malicious JavaScript:

After analysing the JavaScript I identified the following items of interest:

Decoding the encoded JavaScript assigned to variable ‘mspoeae’, resulted in the following definition of function ‘jyho’, which is responsible for further decoding the JavaScript.

As you can see in the remaining code, this function takes the following input string:

The result of above execution ultimately decodes the following JavaScript:

This version of ‘Google Analytics’ is certainly not the one run by Google!!!!

A Google search for ‘’ will land you on various discussion forums driven by those affected by this malicious script. It appears that many sites have been affected with this malicious JavaScript, while we first spotted it at “”.

Affected Webpage:

Currently if you try visiting ‘ you will be redirected to a porn site.

Screen-shot of

Make sure your site is using the genuine ‘Google Analytics’!!!