Blue hair dryers and Scareware.
Posted: November 26th, 2009 | Author: Matt | Filed under: InfoSec, Research, malware | Tags: javascript, malware, Research, scareware
start part 1/3
#include disclaimer.h
I am by no means an expert at this sort of thing. Nor am I very good at it. This post is just about what I found today and some of the steps I took in my investigation of the problem. If you see where I have gone wrong or spot a mistake, please let me know. It’s the only way I learn.
background
Someone was doing some research on a famous designer named Dieter Rams. In particular, a blue hair dryer caught said someone's eye, mostly because his search terms brought the hair dryer to the number one result in Google Image Search. Wanting to know more about the hair dryer, the user clicked on the image. It went steadily downhill from there.
javascript
The image result took him to a blog post which has the photo, along with some hidden javascript in the page source which looked a little like so:
Unfortunately that little piece of the puzzle seems to be completely missing as it’s since been removed from the site. I am also a little confused as to how it got there in the first place. It wasn’t in a comment, nor was it an upload. My only thought is that it’s an existing link to a site which has since been compromised and is hosting malicious javascript…
the scan.
The first time I followed the link to the “Blue Hair Dryer of Doom” ™ I was redirected to pcmedicalbilling.com which then proceeded to tell me my machine was infected and needed to be scanned. I believe the redirection was handled by the above Javascript but without having the original source it’s hard to say. The scary thing about this is that I checked with Google and F-Secure and both said the link was good. It was only toward the end of the day that it finally got marked as malicious.
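A defender-side triage script for the situation described above, added here as an example and not code from the original post: given the saved HTML of a page like the one the reader landed on, it flags inline scripts that redirect off-site, off-site script includes, off-site meta refreshes and the usual obfuscation primitives, so a page can be checked locally even when URL reputation services still call it clean. The sample HTML, the blog host name and the domains in it are all constructed.

```python
import re
from urllib.parse import urlparse

# Matches each <script ...>...</script> element, keeping attributes and body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"src\s*=\s*['\"]([^'\"]+)", re.I)
# Plain (unobfuscated) location assignments such as window.location = "http://...".
LOCATION_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*url\s*=\s*([^'\">\s]+)", re.I)
# Primitives that packed or obfuscated JavaScript almost always relies on.
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_offsite(url, page_host):
    """True for absolute URLs whose host differs from the page's own host."""
    host = host_of(url)
    return bool(host) and host != page_host.lower()

def find_suspicious(html, page_host):
    """Return (reason, detail) pairs for every suspicious construct in the page."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src and is_offsite(src.group(1), page_host):
            findings.append(("off-site script src", src.group(1)))
        for target in LOCATION_RE.findall(body):
            if is_offsite(target, page_host):
                findings.append(("off-site redirect in script", target))
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscation primitive in inline script", body.strip()[:60]))
    for target in META_REFRESH_RE.findall(html):
        if is_offsite(target, page_host):
            findings.append(("off-site meta refresh", target))
    return findings

# Constructed sample of a blog page with a hidden redirecting script (not the real page).
SAMPLE_HTML = """<html><body>
<h1>Dieter Rams hair dryer</h1><img src="/images/dryer.jpg">
<script src="/js/theme.js"></script>
<div style="display:none"><script>
window.location = "http://scan-alert.example/scan.php?aff=1";
</script></div>
<script src="http://cdn.badhost.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in find_suspicious(SAMPLE_HTML, "designblog.example"):
        print(f"{reason}: {detail}")
```

The regexes only catch plain location assignments; a packed redirect like the one the post mentions shows up via the obfuscation check instead and still needs to be unpacked by hand.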
So upon loading the page you are presented with a neat little warning claiming shenanigans afoot on your PC. I love the fact that my browser now knows when my PC is infected with malware. Great work, Safari!
This will then kick off into a “scan” of your machine where it will find enough infections of various flavours to warrant you downloading something to deal with the problem.
Here you can see your machine is truly infected and in desperate need of some software assisted cleansing.
And what do you know? They have just the application to help you out with this…
Looking at the “scan” results page you can see how easily it would dupe Joe Bloggs. It’s pretty convincing. What bothers me most about this incident is that while the search terms may have been fairly specific to the user, who’s to say that this doesn’t happen much more often? There were no dodgy links being followed, no search for pornography, just a guy trying to do research for his job…
so we have an executable
We now have an executable downloaded to our machine. I haven’t had the time to reverse engineer it yet. Mostly because I haven’t had the chance to learn reverse engineering of PE files. Yet. There was a lot more code involved here. Some very interesting javascript which was fairly obfuscated. I will be posting about this once I have had the time to sit down and analyze the code. Look out for the follow up in the next couple of days…
end of part 1/3