Turning scareware devious distribution tactics into practical protection mechanisms

Fake anti-virus software (also known as scareware, rogueware or “FakeAV”) is without doubt one of the most significant threats today. Bogus security warnings adorned with flashy images and incessant popup windows attempt to scare unwitting users into coughing up cash to clean up non-existent infections.

Fake anti-virus attack

To ensure a greater number of successful attacks, the culprits behind fake anti-virus attacks have two important but conflicting goals; (1) to broaden the attack surface to reach a wider audience, and (2) to narrow the attack surface to thwart the efforts of security vendors. This post will highlight how the devious techniques used against security vendors can in fact be turned against fake anti-virus distributors as pragmatic defense.

Fake anti-virus SEO attacks
To reach a broader audience and catch users off-guard, fake anti-virus perpetrators use search engine optimization (SEO) poisoning techniques to trick search engines into redirecting users to the malware when they search for every-day terms or the latest hot trends. Compromised websites are used as the launch point for the attack and act as the doorway pages that actually appear in search results.

Seaworld killer whale malicious search result

The doorway page presents keyword-stuffed content to the search engine crawler so its page rank is increased, but presents a redirect to the malware when a real user visits the same page — a technique known as cloaking.

Web threat experts Onur Komili and Fraser Howard have an excellent whitepaper on these SEO poisoning techniques and the software kits used to drive the back-end of these attacks, and you may also be interested in watching this YouTube video featuring my colleague Chet Wisniewski:

Search results for images are also being poisoned to distribute fake anti-virus. For these attacks, the doorway page links to several images from other sites across the web, piggybacking on the existing structure of each legitimate image link in addition to the keyword stuffing on the doorway page.

Each doorway page links to many others on the same compromised site to bolster its page rank across multiple searches, which often results in unrelated images being returned as top hits, as seen in the following example of poisoned search results with an image of Clydesdale horses while searching for beer coupons:

… which, if you clicked out of curiosity, would redirect you to a bogus “Windows Security Alert” page like the one depicted above.

Narrowing the attack scope
In addition to cloaking the content, fake anti-virus pushers use several other tricks to narrow the attack scope — hoping to thwart automated analysis systems while still delivering the malicious payload to real users.

Firstly, some trivial HTTP header checks attempt to ensure a real user has browsed to the page via a search engine — checking the HTTP User-Agent against that of known web-browsers and the HTTP referrer for the search engine’s mark.

Slightly more involved anti-crawling techniques include the use of cookies and javascript to compute the redirection link dynamically.

Going further, some of the generated links to the payload are time-sensitive, using a nonce to only return the attack payload if the link is fetched immediately after being generated.

Although it is stating the obvious, it is worth noting that the client (i.e. the victim) must always be given all the information required to compute the malicious payload link — otherwise the attack would never be successful.

As such, the javascript used to construct the payload link on the client is often obfuscated to prevent automated systems without sufficient javascript emulation from crawling the intended malicious destination. The script may be obfuscated with multiple layers of encryption or the entire script may be split across multiple pages to force multiple HTTP requests to be fetched, reassembled and emulated all within a short period of time.

Lastly, network location is also being used to discern which clients are cloaked and which clients receive the payload. A mix of static IP blocks and dynamic IP tracking are used.

TORAnonymizing proxy services, such as TOR, are a standard part of web threat research — allowing the analyst or automated system to mask its true IP address.

However, due to the way TOR works, web servers can still use the requester’s IP address to determine if it has come from a TOR node, even though the true requesting IP address remains anonymous.

Some fake anti-virus SEO doorway pages are protected in this manner, producing the cloaked content for accesses via TOR, as in the example below:

Anti-TOR redirection

Cloaking against known anonymizers forces the client into using their true IP address, which is then subject to dynamic IP tracking done at any of the malicious redirection layers. Just a single successful fetch is enough to have one’s IP recorded and temporarily blacklisted from further malicious redirection.

The combination of these tactics at any single malicious redirection point, multiplied by the number of intermediary hops in the redirection chain, makes for quite a long and convoluted trail to the actual malware.

Pragmatic proactive defenses
So how can we turn the devious distribution tactics described above against the attacker ?

Firstly, the redirect mechanism can be neutralized by tightening control over javascript execution within the browser. As described above, the malicious redirects to the fake anti-virus payload are heavily reliant on client-side javascript to compute the malicious link.

NoScriptRestricting javascript execution to a set of `trusted domains` of your choosing is an ideal solution.

Firefox users have the NoScript Add-on to accomplish this, while Chrome users can turn javascript off-by-default and use the built-in Exceptions list to allow specific sites. Of course, you could simply disable javascript altogether, especially while trawling the web for images as search engines tend to support basic HTML views.

Secondly, some trivial manipulation of the HTTP user-agent and referrer parameters can have a similar payload-neutering effect. Changing the default User-Agent string to some non-standard value, e.g. “I am not a browser” or “Up yours FakeAV jerks”, can trick the doorway page into thinking it is being crawled rather than browsed. This will typically result in a mis-direction to the cloaked content..

..as opposed to the phony scan page displayed when a normal User-Agent string is used.

In other cases, the HTTP Referer is used in a similar way to check that the doorway page has been visited via a search engine, so again pre-configuring your browser to use a non-standard value or none at all can derail the attack. Firefox users can manipulate the User-Agent via the about:config page and the Referer using the RefControl Add-on, while other browsers like Safari have support for HTTP header modifications as part of developer tools.

Lastly, as some doorway pages returned cloaked content (or none at all) when reached via the TOR network, then it follows you will be protected from these attacks simply by using said service. While this can have the disadvantage of losing legitimate location-based content and a potential slow down, the TOR project does provide some stand-alone TOR-enabled browsers, so you could easily isolate your TOR usage (as well as some of the other tweaks described above) for a little mindless searching.

Closing thoughts
Obviously, the measures discussed above do not guarantee protection against fake anti-virus SEO attacks, as the use of each devious tactic does vary between the different gangs. So it goes without saying that these methods should only be used in conjunction with other security best practices — like running up-to-date real anti-virus software, treating email attachments with caution, etc. etc — as they provide additional layers to a defense-in-depth strategy.

That being said, these anti-anti-analysis techniques do have value in their own right, especially if adopted on a large scale. The more that the internet community can muddy the waters to make typical users look more like analysts, the more the attacker is forced to broaden the attack scope to reach enough potential victims to make a reasonable profit — and thus providing more liberal access to security vendors, to more easily automate better protection — the cycle continues.

As they say, sometimes “the best defense is a good offense.”

Learn more about fake anti-virus attacks
How internet users are lured into paying for fake anti-virus software.