Blue hair dryers and Scareware.

start part 1/3

#include disclaimer.h

I am by no means an expert at this sort of thing. Nor am I very good at it. This post is just about what I found today and some of the steps I took in my investigation of the problem. If you see where I have gone wrong or spot a mistake, please let me know. It’s the only way I learn.

background

Someone was doing some research on a famous designer named Dieter Rams. In particular there was a blue hair dryer that caught said someones eye. This is mostly because his search terms brought the hair dryer to the number one result in Google Image Search. So wanting to know more about the hair dryer the user clicked on the image. It went steadily downhill from there.

javascript

The image result to him to a blog post which has the photo, along with some hidden javascript in the page source which looked a little like so:

Embedded Javascript

Unfortunately that little piece of the puzzle seems to be completely missing as it’s since been removed from the site. I am also a little confused as to how it got there in the first place. It wasn’t in a comment, nor was it an upload. My only thought is that it’s an existing link to a site which has since been compromised and is hosting malicious javascript…

the scan.

The first time I followed the link to the “Blue Hair Dryer of Doom” ™ I was redirected to pcmedicalbilling.com which then proceeded to tell me my machine was infected and needed to be scanned. I believe the redirection was handled by the above Javascript but without having the original source it’s hard to say. The scary thing about this is that I checked with Google and F-Secure and both said the link was good. It was only toward the end of the day that it finally got marked as malicious.

So upon loading the page you will get presented with a neat little warning claiming shenanigans afoot on your PC. I love the fact that my browser now knows when my PC is infected with malware. Great work Safari !

Warning !

This will then kick off into a “scan” of your machine where it will find enough infections of various flavours to warrant you downloading something to deal with the problem.

Scanning your machine for infection

Here you can see your machine is truly infected and in desparate need of some software assisted cleansing.

Oh no..I'm infected....

And what do you know ? They have just the application to help you out with this…

Help is on the way

Looking at the “scan” results page you can see how easily it would dupe Joe Bloggs. It’s pretty convincing. What bothers me most about this incident is that while the search terms may have been fairly specific to the user, who’s to say that this doesn’t happen much more often. There was no dodgy links being followed, no search for pornography, just a guy trying to do research for his job…

so we have an executable

We now have an executable downloaded to our machine. I haven’t had the time to reverse engineer it yet. Mostly because I haven’t had the chance to learn reverse engineering of PE files. Yet. There was a lot more code involved here. Some very interesting javascript which was fairly obfuscated. I will be posting about this once I have had the time to sit down and analyze the code. Look out for the follow up in the next couple of days…

end of part 1/3

Malware/Anti-Virus

The days of signature based malware / trojan detection are over. We are now living in some of the most dangerous times to be using the Internet I consider if it’s even worth sticking around. Farming cats in the Karoo sounds like a far safer and less stressful job anyway. Long gone are the days when a cute character of the authors choosing would run across your screen and moon you. These days, with humanities greed, it’s all about how quickly and easily a 0-day can be transformed into a working exploit which can either be sent out in a (spear)phishing attack or hosted on some web server with Javascript doing the rest of the work. And the worst part of it all is that we are constantly playing catchup.

When new malware is introduced into the ecosystem that is the Internet at large, we rely on someone catching a specimen of this malware and either analyzing it themselves or sending it through to one of the big AV vendors who will analyze it and produce a signature which will then disseminate out to paying customers. This whole process leaves gaps which are filled by zombies and eventually botnets which plague not only home users, but big corporates. No one is safe.

Conficker, while a great example of what can be done by the community at large, is still very badly understood. No one seems to know why it’s out there and what it’s truly capable of. The media didn’t help us at all around April 1st either with all the hype that went around. I think the awful catch phrase of “Cyber Katrina” was thrown around with gay abandon. Please don’t get me wrong, I am not bashing the groups who worked on the Conficker Working Group, they did tremendous work. I am just worried that there is a fairly serious piece of malware floating around which no one seems to really know the capabilities of.

What are we going to do about this ? Switch to multi-engine scanning on our AV ? Move to a more proactive IDS/IPS setup ? How does this really help the little guy in the street ? Do you think Joe Average who just wants to download the lastest funny video from that site that needs that special codec from that other site that ends in .ru ? Oh wait…I’ve gone cross eyed. Am I the only person who is still worried that we are relying on vendors who’s principal goal is to make money for our anti-virus updates ? They’re not going to do anything rash are they ? Yes, they’re out to help us, but at what cost ?

I fear I may have too many questions and doubts with not enough answers. All I know is that there is a very, very wild west (and east) out there and suddenly, running my web browser in a Virtual Machine or Live CD doesn’t sound like such a bad idea.

Hold that thought, I’m going to fire up Vmware Fusion.