Today I came across an interesting example of how attackers spread malware through a webpage. It was intriguing enough that I took a closer look at it.
Behavior
The attackers used a URL shortener to hide the malicious URL. They placed this shortened URL on a harmless website to lure its visitors. After clicking the link, the user is redirected to a second webpage. This webpage checks the Referer value in the HTTP header and, depending on it, redirects the user either to a harmless webpage or to a malicious one.
After a short analysis, the structure and the actions of the website were relatively clear to me. They are shown in the following video. An interesting detail is that the website delivers three different webpages. The first is very simple: it only shows a download dialogue. The other two show a fake virus scan, each imitating a different operating system. Which of the three pages appears is chosen at random.
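The Referer-based switch in the redirect page, and the check a defender can run to expose it, as an added example that is not code from the original post. It models the second-stage page as a function, then requests it repeatedly under different Referer values and compares where each one lands. The hostnames short.example, benign.example and *.malicious.example are constructed placeholders, and round_robin stands in for the attacker's random choice so that one run cycles through all three payload pages.

```python
"""Added example (not the original post's code): a minimal model of the
referer-cloaked redirect the post describes, plus a differential check a
defender can run against a suspicious URL. All hostnames are constructed."""
import itertools
import random
from typing import Callable, Dict, Iterable, Set
from urllib.parse import urlparse

# Constructed targets standing in for the pages seen in the post:
# one plain download dialogue and two fake virus scans.
BENIGN_TARGET = "http://benign.example/landing"
PAYLOAD_TARGETS = [
    "http://dl.malicious.example/setup.exe",         # download dialogue
    "http://scan-win.malicious.example/scan.html",   # fake Windows scan
    "http://scan-mac.malicious.example/scan.html",   # fake Mac scan
]
SHORTENER_HOST = "short.example"  # assumed host of the URL shortener


def cloaked_redirect(headers: Dict[str, str], pick: Callable[[int], int]) -> str:
    """Model of the second-stage page: visitors whose Referer points at the
    shortener get one of the payload pages (chosen by `pick`); everyone else,
    including an analyst fetching the URL directly, is sent somewhere harmless."""
    referer_host = urlparse(headers.get("Referer", "")).netloc
    if referer_host != SHORTENER_HOST:
        return BENIGN_TARGET
    return PAYLOAD_TARGETS[pick(len(PAYLOAD_TARGETS))]


def round_robin() -> Callable[[int], int]:
    """Deterministic stand-in for the attacker's random choice, so that a run
    cycles through every payload variant."""
    counter = itertools.count()
    return lambda n: next(counter) % n


def differential_check(page: Callable[[Dict[str, str]], str],
                       referers: Iterable[str],
                       samples: int = 6) -> Dict[str, Set[str]]:
    """Request the same page under several Referer values, several times each,
    and record the distinct redirect hosts seen per Referer. Repeating the
    request matters because the payload variant is chosen at random."""
    results: Dict[str, Set[str]] = {}
    for referer in referers:
        headers = {"Referer": referer} if referer else {}
        results[referer] = {urlparse(page(headers)).netloc for _ in range(samples)}
    return results


def is_cloaking(results: Dict[str, Set[str]]) -> bool:
    """Flag the page when some Referer yields a set of redirect hosts that
    shares nothing with what a direct (no-Referer) request receives."""
    baseline = results.get("", set())
    return any(hosts.isdisjoint(baseline)
               for referer, hosts in results.items() if referer)


if __name__ == "__main__":
    # Stand-alone run against the model, using real randomness for the variant.
    def page(headers: Dict[str, str]) -> str:
        return cloaked_redirect(headers, random.randrange)

    probes = ["", "http://short.example/x1", "http://news.example/article"]
    observed = differential_check(page, probes)
    for referer, hosts in observed.items():
        print(f"Referer={referer or '<none>':32} -> {sorted(hosts)}")
    print("cloaking suspected:", is_cloaking(observed))
```

Against a live URL the `page` callable would be a real HTTP request that returns the Location header without following it. Differing redirect hosts are a signal that deserves a closer look rather than proof on their own, since some sites legitimately vary content by referrer.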
[Video: Malware (/wp-content/uploads/2010/07/malware.flv)]
Protection
Full protection against such attacks will never be possible, but a few simple measures can reduce the infection rate. One option is to deactivate JavaScript on all webpages, but that is not what most people want. An alternative to deactivating JavaScript globally is the NoScript add-on. It is available for Firefox and lets the user decide on which webpages JavaScript should be activated or deactivated.
A second point is: "Don't panic and act carefully!!!" Think twice and don't execute files you don't know. If you are unsure, run a local virus scan first.
Malware
The downloaded file was checked with several anti-virus engines using VirusTotal.org, but only 2 of them detected the download as malware. Executing the software in a sandbox environment reveals its real activities: it infects the system and tries to download additional software from several websites reported to be malicious.
Links
- VirusTotal.org (english)
- NoScript AddOn (english)
- Firefox (english)