
July 13, 2009

More Blackhat SEO, Pelosi is Target

The blackhats continue to push their rogue security programs via Search Engine Optimization (SEO) techniques. This time I ran across a site using US Congress House Speaker Nancy Pelosi's name. It appears to consist of all sorts of headlines and keywords such as:

pelosi says surge did not work

And there are also some not so flattering phrases:

pelosi insane
pelosi is an idiot
pelosi is a communist

Some well-worded SEO there, bound to attract search engine hits.

The site contained some JavaScript code (well, not anymore, but it was there) which, after travelling through a couple of redirect sites, ultimately takes the visitor to some rogue security software sites, one of which uses drive-by fake scanning tactics. The redirect sites contain quite sophisticated JavaScript code to hide their purpose. They also appear to redirect you based on where you came from (the referring site).
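The referer-dependent redirect chain described above is something a defender can check for by fetching the same page with different Referer headers and comparing what comes back. As an added example (not code from the original post), the Python below triages already-captured copies of a page: it decodes `unescape`-style `%XX` payloads, flags redirect and obfuscation indicators, and scores how much each variant differs from the direct fetch. The HTML bodies, hostnames and labels are constructed placeholders, not the sites named in the post.

```python
"""Triage captured copies of a suspect landing page for referer-dependent
redirection.  Added example, not code from the original post: the HTML
bodies and URLs below are constructed placeholders, not the sites the post
names."""
import re
from difflib import SequenceMatcher
from urllib.parse import unquote

# Indicators that a page silently forwards the visitor somewhere else.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "js-location": re.compile(
        r'\b(?:window\.|document\.|top\.|self\.)?location'
        r'(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()', re.I),
}
# Constructs commonly used to keep the redirect out of plain view.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r'\beval\s*\('),
    "unescape": re.compile(r'\bunescape\s*\('),
    "fromCharCode": re.compile(r'String\.fromCharCode'),
    "document-write": re.compile(r'document\.write\s*\('),
}


def find_indicators(html):
    """Return the sorted indicator names found in html.

    The body is scanned both as served and after %XX-decoding, because a
    redirect hidden inside document.write(unescape("...")) only shows its
    target after decoding.
    """
    text = html + "\n" + unquote(html)
    patterns = {**REDIRECT_PATTERNS, **OBFUSCATION_PATTERNS}
    return sorted(name for name, rx in patterns.items() if rx.search(text))


def triage(variants, threshold=0.9):
    """variants maps a label ("direct", "search-engine", ...) to the HTML
    body fetched with the corresponding Referer header.  Each variant is
    scored for indicators and for similarity to the direct fetch; a variant
    that differs substantially from the direct fetch suggests cloaking."""
    baseline = variants["direct"]
    per_variant = {}
    for label, body in variants.items():
        per_variant[label] = {
            "indicators": find_indicators(body),
            "similarity_to_direct": round(
                SequenceMatcher(None, baseline, body).ratio(), 2),
        }
    cloaking = any(
        info["similarity_to_direct"] < threshold
        for label, info in per_variant.items() if label != "direct")
    return {"variants": per_variant, "cloaking_suspected": cloaking}


# --- Constructed sample: the page as served without a Referer, and as
# --- served to a visitor arriving from a search engine.  Placeholder hosts.
DIRECT_HTML = """<html><head><title>constructed headline one</title></head>
<body>
<h1>constructed headline one</h1>
<p>constructed headline two</p>
<p>constructed headline three</p>
</body></html>"""

# The redirect is fully %XX-encoded so no keyword is visible in the raw body.
_REDIRECT_JS = ('<script>window.location.replace('
                '"http://redirect-step1.example.invalid/go.php")</script>')
_ENCODED = "".join("%%%02X" % ord(c) for c in _REDIRECT_JS)
_WRAPPER = ('<script type="text/javascript">document.write(unescape("{}"));'
            '</script>\n</body>')
SEARCH_REFERER_HTML = DIRECT_HTML.replace("</body>", _WRAPPER.format(_ENCODED))

if __name__ == "__main__":
    report = triage({
        "direct": DIRECT_HTML,
        "other-site": DIRECT_HTML,          # same page for a non-search referer
        "search-engine": SEARCH_REFERER_HTML,
    })
    for label, info in report["variants"].items():
        print(f"{label:14} similarity={info['similarity_to_direct']:.2f} "
              f"indicators={info['indicators']}")
    print("cloaking suspected:", report["cloaking_suspected"])
```

In practice the `variants` dict is filled by fetching the suspect URL from an isolated analysis host with a blank Referer, a search-engine Referer and an unrelated-site Referer; keeping the fetch separate from the scoring is what lets the analysis above run offline on saved bodies.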

The two rogue websites by the way are:

  • protectionbenefits.cn (83.133.123.113 Germany)
  • securedvirusscan.com (94.102.48.29 Netherlands)

This is in no way "new news": as I reported earlier this year, Ford was a target of these fraudsters, and Panda Security has numerous sightings. This surely will continue for as long as they have the ability to operate the sites.
:(

April 21, 2009

Low post volume

Hi everyone. Sorry this blog has been getting quieter, I've been busy battling the rogues and other Internet fun. I promise I will try to update this blog more often than once a week.

My recent Targeted Blackhat SEO Attack against Ford Motor Co. - link to Panda blog

Speaking of rogue security software, Microsoft's recently released Security Intelligence Report talks about the dramatic rise in rogue security software they saw on Windows machines during the second half of 2008. They saw a 15% rise over the course of 2008, from 20% of all machines to a full 35%! I would estimate that number is even higher today given the unbelievable increase in websites and "brands" of this scumware.

You can see Microsoft's report here. It's a pretty good report, worth a read.

December 14, 2008

Rogue security software screenshot collection

The look of rogue/fraudulent security software has evolved to where it's impossible to distinguish between them and the legitimate applications.

Want to see how close? See the screenshot collection by Sunbelt Software's Patrick Jordan here.

November 13, 2008

Rogue and Fraudulent Security Software and Websites a Growing Threat

The line between these two is blurring, but let's try to define them anyway...
  • Rogue: The primary purpose of this software is to compromise your computer with the intent of giving the attacker access to it, stealing your information, or both. This is done by malicious code inside the software that is installed or run on your computer without your knowledge. In most cases this software does not live up to its advertised functionality. For example, a program that appears to be anti-virus software instead installs a trojan on your computer that records your keystrokes with the intent of stealing your account login credentials.
  • Fraudulent: The primary purpose of this software is to separate you from your money. This software might operate as advertised, but in many cases it doesn't. The software uses fraudulent practices to get you to buy it. Some of the tactics might be to scan your machine and then claim you have several dangerous viruses on it, or other such scare tactics. I have tested some of these on newly built, virus-free systems only to have them report some 30 viruses on the machine; scanning with a reputable product shows that it's clean. I have even seen cases where the fraudulent software places actual viruses on the system. :(

In my opinion the problem of rogue and fraudulent security software is quickly approaching epidemic proportions. I have seen a dramatic rise in the number of fraudulent applications and websites in the past few months, to where there isn't a day that goes by that I don't come in contact with one or see one pop up. It used to be maybe once a month or so. And everybody is getting infected: my friends, relatives, co-workers, everyone is falling victim. Trend Micro says that 10 percent of all infections they see are caused by rogue software.

There are a few solutions currently at our disposal that I can think of to address this issue: education of users, law enforcement crackdown, and enforcement of usage policies by ISPs and web hosters.

User Education
It boils down to the basics, and examples from the physical world map quite nicely to the cyber world: if it looks or sounds too good to be true, it probably is. You don't (usually) get something for nothing. While there is some great free software on the Internet, you need to be wary. As a security professional, help users by providing them with a list of known good security software and where to get it.

Law Enforcement Crackdown
My theory here goes: if the criminals think they can get away with it, they will. IMO, the deterrence factor is missing. There have been very few prosecutions so the risks of getting caught, unfortunately, are low. If there were no police watching the roadways would you still go the speed limit? Without the deterrence factor things will not get better.

There are many factors causing this problem, but let me send a plea out to the folks in control of the budget purse strings: please fund your cyber police better! Provide training to them and hire more. Also tie any funding assistance to other countries to cyber crime cooperation. These topics are big enough for a separate post so I won't get into them here.

ISP Enforcing Usage Policies
I understand that ISPs are resource-challenged like many of us and are also in the business of allowing and routing traffic, but things are just out of hand. ISPs need to do several things: 1) enforce your EULAs, 2) stop routing to the bad networks, 3) react quicker to complaints and pressure from industry professionals about rogue elements on your networks, 4) MONITOR your networks for these bad actors, then shut them down and report them to the authorities, 5) react quicker to law enforcement queries. In many ways you, the ISP, hold the keys to the cars the criminals use. A better analogy is that you provide them with the roads they drive on. Put up those toll booths, stock them with machine gun wielding guards, and stop them if they are doing bad.

One last note: ICANN please please please do your job of enforcing your domain registration policies with your authorized registrars. For more information see the great folks at Knujon.com who are combating this problem and news articles here from The Industry Standard, eWeek, and Axcess News.

UPDATE: A great win!
McColo hosting center, which had been hosting many websites that propagate malware, rogue security software, and spam, has lost its Internet connection. Two Internet providers have stopped routing to this California-based hosting company. See the article by Washington Post reporter Brian Krebs here. He also has an update here. The immediate result? IronPort reports spam has dropped by 66 percent. 66 percent! Spamcop.net reports a 75 percent decrease. See graph.

This is a great example of how a community comes together for a good cause and makes a difference. Fight the good fight!

Speaking of McColo, check out a new report released by Hostexploit.com that shows the data and analysis behind the case against McColo. Several security researchers contributed their data and analysis to this article, including me. ;-)