CA Security Advisor Research Blog


Internet searches under attack

by Rossano Ferraris

 

Users are being infected with malware from a variety of sources. Unfortunately, malware authors are continually refining their technique. As I will show in this write-up, clicking on the results from innocent searches, like looking for a flight, music or news story, can infect your machine with harmful malware. The process of getting infected is scarily easy.

 

Even though most of the infected links listed in this document have been removed, I would suggest you avoid replicating the same issue unless you are skilled, protected and working in a quarantined research environment.

 

The following is a case related to innocent websites and connections to rogue security software.

 

A seemingly benign search using the MSN search engine for "preschooler chore chart" can lead you straight to malware -- below is a screenshot of the search results. 

 

 

The second search result “Printable Chore Chart of Preschooler” leads to a site hosting a rogue security application called “MalwareCrush.” Note that the actual URL returned is hosted in the Spanish domain space of Lycos.

 

The “Printable Chore Chart of Preschooler” website is pretty interesting since part of its code is obfuscated and malicious.

 

This is what happens:

 

• The obfuscated code makes a call to traffbox.com
• Traffbox.com redirects the user to scan.malwarecrush.com, which asks the user to perform a scan of his machine
• The user clicks OK to accept and an online scan is launched
• A pop-up box falsely indicating the presence of an “infection” comes up
• Rogue security software is installed along with adware that is difficult to remove, whose job is to annoy the user with a constantly recurring popup window to get him to purchase the software

 

 

The example presented is a case where advertising networks and their affiliates play a big role in getting users to purchase unnecessary software (for more about the details hidden behind the scam, please refer to the December 2007 ISSA Journal article that I authored entitled “The Era of Rogue Security Software”).

 

So how do they do it?

 

The search engine’s index is poisoned by specially crafting a web page with keywords and metatags to ensure the page gets indexed at the top of the list. Below are the contents of the web page that gets indexed by the search engine but that you never actually see because of the JavaScript; the web page redirects the end-user as detailed above.

 

Metatags in html:

 

<title>Printable Chore Chart For Preschooler</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251" />
<meta name="keywords" content="Printable Chore Chart For Preschooler" />
<meta name="description" content="All about Printable Chore Chart For Preschooler and Afirmative Action Policies." />
<meta name="generator" content="WordPress 2.0.2" />

 

Keywords in html:

 

Rights and restrictions in how the <u>Printable Chore Chart For Preschooler</u> file may<u>Printable

Chore Chart For Preschooler</u> be a clergyman 's study by looking at his books whether he is going on ,

and sometimes it indicates the progress in thought I have ever visited is that we should read with as much of <i>Printable Chore Chart For Preschooler</i> ourselves that a book ,especially ,'Macbeth .' If he is much

else besides .Unless we read books is to know how to use them.If <b>Printable Chore Chart For Preschooler</b> in the first thing to preach and to the student of any special <u>Printable Chore Chart

For Preschooler</u> subject .Usually ,of course ,such as text-books ,and <b>Printable Chore Chart For Preschooler</b> are able to switch off your ears from other people 's conversation .It is said that the high philosophy by which he lifted the political differences of his reading the latest fatuity in fiction ,without the joy ,encouragement ,and in each department a specific course ,this counsel no less real to-day--some of them .We have said enough ,perhaps ,of the riddles <i>Printable Chore Chart For Preschooler</i>

of the book grows familiar a different edition ,even endowed with spiritual Printable Chore Chart For

Preschooler insight ,who distrust book learning and fall back on the back pages of the Gettysburg Address ,

these higher qualities of genius ,beyond the endowment of any native wit ,came to Lincoln in some part

from the Bible and his Biblical helps .I can always lay it down before it becomes a bore .After finishing a

chapter he would like to read much but not often virile verse <b>Printable Chore Chart For Preschooler</b> ,

or even bores the student .You do not make the survey ,it is clear that the most fruitful moments of his achievements ,revealing his doubts and difficulties ,his self-conflicts and self-victories ,and ,certainly ,

if you are a good thing ,and I do not make the survey ,it </p>
<p>
printable pprintable prrintable priintable prinntable printtable printaable printabble printablle printablee

printable chore cchore chhore choore chorre choree chore chart cchart chhart chaart charrt chartt chart

for ffor foor forr for preschooler ppreschooler prreschooler preeschooler presschooler prescchooler

preschhooler preschoooler preschoooler preschooller preschooleer preschoolerr preschooler printable

rintable pintable prntable pritable prinable printble printale printabe printabl printable chore hore core

chre choe chor chore chart hart cart chrt chat char chart for or fr fo for preschooler reschooler peschooler prschooler prechooler preshooler prescooler prescholer prescholer preschooer preschoolr preschoole reschooler  printable p rintable pr intable pri ntable prin table print able printa ble printab le printabl e

printable  printable   chore c hore ch ore cho re chor e chore  chore   chart c hart ch art cha rt char t

chart  chart   for f or fo r for  for preschooler p reschooler pr eschooler pre schooler pres chooler

presc hooler presch ooler prescho oler preschoo ler preschool er preschoole r preschooler 

preschooler printable rpintable pirntable prnitable pritnable prinatble printbale printalbe printabel

printable printable chore hcore cohre chroe choer chore chore chart

……………
</p>

 

After reading the text you can easily see that this page was specially crafted to be found by a search engine. 
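The pattern in the excerpt above (the title phrase repeated in the body, padded with one-letter misspellings of each keyword) can be measured mechanically. The following is an added example, not code from the original post: `stuffing_score`, `near` and `PageText` are hypothetical names, the sample pages are constructed, and the score is an illustrative heuristic rather than a calibrated detector.

```python
import re
from html.parser import HTMLParser

class PageText(HTMLParser):
    """Collect <title> text and body text separately."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.body = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_title = tag == "title"
    def handle_endtag(self, tag):
        self.in_title = False
    def handle_data(self, data):
        (self.title if self.in_title else self.body).append(data)

def near(word, target):
    """True if word equals target or differs by one added, dropped or swapped letter."""
    lw, lt = len(word), len(target)
    if lw == lt + 1:   # one extra letter, e.g. "pprintable"
        return any(word[:i] + word[i + 1:] == target for i in range(lw))
    if lw == lt - 1:   # one missing letter, e.g. "hore"
        return any(target[:i] + target[i + 1:] == word for i in range(lt))
    if lw == lt:       # identical, or two adjacent letters swapped, e.g. "hcore"
        return word == target or any(
            word[:i] + word[i + 1] + word[i] + word[i + 2:] == target
            for i in range(lw - 1))
    return False

def stuffing_score(html):
    """Fraction of body words that are a title keyword or a one-edit variant of one."""
    page = PageText()
    page.feed(html)
    keys = [w for w in re.findall(r"[a-z]+", " ".join(page.title).lower()) if len(w) > 3]
    words = re.findall(r"[a-z]+", " ".join(page.body).lower())
    if not keys or not words:
        return 0.0
    return sum(any(near(w, k) for k in keys) for w in words) / len(words)

# Constructed samples: STUFFED reuses variants quoted in the post, BENIGN is made up.
STUFFED = """<title>Printable Chore Chart For Preschooler</title>
<p>printable pprintable prrintable priintable chore cchore chhore hore core
chart cchart hart cart preschooler ppreschooler reschooler peschooler
printable rpintable pirntable chore hcore cohre</p>"""
BENIGN = """<title>Printable Chore Chart For Preschooler</title>
<p>Print this chart and let your child tick off each task with a sticker
once it is done. Start with two or three simple jobs per day.</p>"""
if __name__ == "__main__":
    for name, page in (("stuffed", STUFFED), ("benign", BENIGN)):
        print(name, round(stuffing_score(page), 2))
```

A legitimate page with the same title scores close to zero because ordinary prose rarely repeats the title words, let alone their misspellings; any cut-off between the two would need tuning on real crawl data.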

 

 

Some recommendations

 

Since the problem is getting worse day by day, I suggest that our readers consider the following steps:

 

  • Be aware of the details of the search results coming up from your search engine
  • Do not trust any online scan launched on your machine without your consent and especially 
    when it occurs after an undesired redirection of your browser; rogue security software is a very
    frequent security breach nowadays
  • Always mind the instructions you are getting: take a look at the address bar of your browser
    when you are required to download something
  • Ensure that you have the latest updates of your anti-malware software; that way you are
    better protected from the latest powerful threats
  • Consider using a browser plugin that provides granular control over JavaScript

Comments

ljones said:

I recently got one of these and I must admit I had to laugh! This fake "virus scanner" scanned my system, and listed lots of files such as DLLs and other Windows files as infected. But why did I laugh? I'm running Linux, and not one of these files exists on my system! In the end adblock worked for me. Just blocked the whole site (that appeared in the search engine, not the malware.com link). When I revisited the page that gave me the fake scanner, I got a page of only what I can describe as nonsense - I'm guessing that's some sort of "honeypot" this uses to capture people and to show the fake virus scanner.

January 20, 2008 6:19 PM

Rossano Ferraris said:

Thanks for your observation, Ljones. It is a refined social engineering technique to lure people into getting rogue security software.

From the Linux point of view it is definitely nonsense to get a lot of DLLs listed; this proves how real the fake scanning process is!

January 21, 2008 4:18 AM


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken the worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, where he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware’s scope of detection.

 

Rossano is an active member of various well-known security forums and a member of the ISSA. He is the author of many articles on security matters for Italian newspapers and magazines and is also the author of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.
 
 