SonicWALL Security Center
Share: Linkedin Share Facebook Like


Back to SonicALERT


Holiday Shopping - Black Hat SEO (Nov 18, 2010)



Description


SonicWALL UTM Research team discovered a number of polluted results appearing in search engine results for holiday shopping related search terms. Malware authors often use SEO poisoning technique to lure unsuspecting users into clicking on malicious links strategically placed in search engine results. For instance, search term "Walmart Black Friday Sales 2010" leads users to the malicious search results shown below

screenshot

If the user clicks on the malicious link then it performs the following on the victim's machine

  • The initial link redirects users to another page containing a JavaScript, an extract of which is shown below. Based on the user's web browser it redirects to an appropriate landing page.

    screenshot

  • If the user is using Internet Explorer it redirects to a FakeAV landing page

    screenshot

  • If the user is using Firefox then it redirects to a fake Firefox update page suggesting an upgrade to flash player:

    screenshot

    If the user downloads and executes the fake flash update then it performs the following on the victim's machine

    • Drops files:
      • %temp%/Img.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imh.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imi.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %windir%/Ipisoa.exe (Copy of Img.exe) [Detected as GAV: Renos.MJ_4 (Trojan)]

    • Creates registry entry to ensure that the dropped malware runs on every system reboot:

      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%temp%/Imh.exe"

    • Posts confidential data back to remote servers

      screenshot

    • It redirects the browser and opens pop-up windows
Similar results were observed for other post Thanksgiving holiday shopping season related search terms like "Black Friday" and "Cyber Monday".

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

GAV: Renos.MJ_4 (Trojan)
GAV: GAV: FakeAlert.SR (Trojan)
GAV: JSRedir.BF (Trojan)
GAV: Suspicious#fakeav.html (Trojan)


screenshot


Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#DellSecurity
© 2014 Dell | Privacy Policy | Conditions for use | Feedback  Version: 8.2.5  S1MSW08
Live Demo | SonicALERT