I am a Jedi. 我:http://sinaurl.cn/hiWzC 化繁成简… 破茧成蝶 Panda Cloud Antivirus 首款基于云的免费防病毒软件
Archive for the ‘Adware’ Category
Metatags in malware websites: II part
March 5, 2009A couple of days ago we mentioned how some creators of websites that host malware add metatags to them, so that they are not indexed by the search robots.
Today, we are going to mention the opposite case. Let’s take the following URL as an example: http://malwa<blocked>.com
The following tag can be found in the source code of the website:
The FOLLOW attribute allows the links included in the website to be scanned.
The ALL attribute allows all the files to be indexed completely.
The INDEX attribute allows the search engines to index the website.
Generally the creators of this type of websites want the malware to spread widely and asap. That’s why they decide not to add metatags or to add them, so that the indexing robots could index and scan the links easily. This way, when users make queries in the search engines, they are likely to access a malicious website, causing their computers to get infected with the malware hosted in them.
Metatags in malware websites
March 3, 2009An indexing robot is a program which tracks websites, storing their content in databases and following the links which point to other websites.
Rogue antimalware creators don’t usually add tags to the code of their websites or they add them so that the websites are indexed by the robots of the searchers. This way, they are more accessible and malware can be widely spread.
Lately we have found several cases that prove quite the opposite: tags are added to go unnoticed.
Let’s take the following URL as an example:
http://<blocked>akedpics.blogspot.com
When clicking the video to view it, we are redirected to the following URL http://<blocked>pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirect us to http://crack-<blocked>.com (*) and finally to http://fast<blocked>.com/xplays.php?id=40004 from which we will download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009
(*) This URL redirects us to different malware hosting websites randomly, depending on the time.
If we look at the source code of the URL http://fast<blocked>.com/xplays.php?id=40004, we can find the following tag: <META content=noindex,nofollow,noarchive name=robots>
1. The noindex tag doesn’t allow the search engines to index a website.
2. The nofollow tag doesn’t allow the search engines to scan the links of the document.
3. The noarchive tag prevents the website from being cached.
It seems that these techniques are aimed at making malware analysts’ and antivirus companies’ job more difficult. They are also used to prevent the proactivity, in the sense of preventing the infection with techniques such as URL blocking, which consists in making queries of specific parameters in the search engines.
Rogue ScanVirus site impersonates SaaS Anti-Virus
February 3, 2009Today we discovered a new site using an interesting tactic to trick users into infecting themselves with malware. This time the cyber-criminals opted to pretend to be a Software as a Service (SaaS) Anti-Virus solution.
The "Scan Virus" website uses several legitimate Anti-Malware logos and badges in order to gain the victims confidence. Immediately upon loading the site a fake scan will begin and shortly
after that the site will prompt the user to download a file called
AntiVir.exe, which we detect as Adware/Antivirus2009. The site attempts to scare users by displaying images such as, "Your PC is infected! Sorry, standard programs cannot disinfect your PC now", and "DOWNLOAD PATCH to fix this problem"
SuperAntivirus's Blog 