Archive for October, 2009

Blackhat SEO Aggressively Targets Halloween Related Keywords

October 28, 2009

Cyber criminals behind the Rogueware epidemic have been hard at work in poisoning search results to increase traffic to their campaign sites. Today, we identified a new Blackhat SEO campaign, which is currently targeting Halloween related keywords aggressively. While studying the campaign, I noticed that the most commonly targeted keywords were classic costume favorites, such as the Cat woman costume, vampire costume, and various adult costumes. In addition to costumes, the BHSEO campaign also targets Halloween related food recipes, haunted house directions, Halloween parties, and the movie Halloween.

Tainted search results:

Blackhat SEO - Search Results

Fake Antivirus site:

Rogueware Site

Tag cloud of targeted search terms:

BHSEO Tagcloud

As we have documented in prior blog posts, Blackhat SEO continues to be one of the most prevalent and pervasive attack vectors on the Internet today. As users, we tend to trust search engines to provide safe and accurate search results, but the reality is that today, search engines are becoming the most dangerous way to browse the Internet.

Posted in Blackhat SEO, Rogueware | Comments Off on Blackhat SEO Aggressively Targets Halloween Related Keywords

Blackhat SEO Campaign Targets 2009 Nobel Prize Winner

October 9, 2009

 We’ve identified a new Blackhat SEO campaign today which targets President Obama as the 2009 Nobel Peace Prize winner among a thousand or so other search terms.   Clicking on a malicious search result yields the typical Rogueware campaign. 

Search result:
Nobel Peace Prize Winner 2009 - Obama Blackhat SEO

Rogueware site:
Windows Performance Center Rogueware

The complete list of targeted search terms can be found here.   

Posted in Blackhat SEO, Rogueware | Comments Off on Blackhat SEO Campaign Targets 2009 Nobel Prize Winner

Rogueware with new Ransomware Technology™

October 8, 2009

The criminals behind Rogueware attacks are becoming increasingly aggressive in their approach to make money. We recently stumbled across a sample (Adware/TotalSecurity2009) which uses a ransomware technique to improve its sales. Once the computer becomes infected, Total Security forces the victim to purchase it before it will allow any files from being accessed on the system.  When attempting to open a file, a message pops up in the notification area claiming that the application was blocked due to infection.  The pop up recommends activating the "antivirus" software, which costs $79.95. 

Notification Area - Notepad.exe blocked

This would be a devistating blow to any user and would likely force the victim to purchase it, so we went ahead and cracked the sample to reveal all of the valid serial numbers. We're hoping that  victims can find this blog post before shelling out any hard earned cash to these criminals.

Watch the video to see it in action: 

Valid serials for Adware/TotalSecurity2009:

WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD

You can download a free trial to completely remove the infection once the ransomware feature is removed.

Special thanks to Sherab Giovannini for extracting the serials. 

Posted in Ransomware, Rogueware, Total Security, Video | Comments Off on Rogueware with new Ransomware Technology™

Rogueware distributors use Skype

October 5, 2009

Rogueware distributors are like the cockroaches of the Internet; they’re everywhere.   Malicious search results, online advertisements, and iframe hijacked sites are the typical distribution methods, but every once in a while we come across an interesting approach.

Recently, a colleague alerted me of a spam message coming through to his personal Skype account.  The message appeared out of nowhere from an account labeled “Online Notification” and made the typical claims of a found infection.  Once the victim navigates to the site, the usual fake antivirus trickery takes place.

Skype Spam


Skype isn’t the most reliable or innovative distribution method, but we’ll go ahead and give them an "A" for effort. 

Posted in Rogueware, Skype | Comments Off on Rogueware distributors use Skype

Q3 report released

October 1, 2009

We've just published our latest quarterly report. We'll show the different figures about malware in Q3, and some interesting articles.  If you want to know what has happened in the last 3 months, which have been the most important Blakhat SEO attackes or the latest movements of the Koobface worm, just download it and enjoy!

 English: 

Spanish:   

       

Posted in Uncategorized | Comments Off on Q3 report released