Thousands of web sites compromised,

 

Platinum Member
Username: Nydas

Post Number: 16664
Registered: Jun-06
C/P from ZDNET.

November 17th, 2009
Thousands of web sites compromised, redirect to scareware
Posted by Dancho Danchev @ 12:12 pm
Categories: Anti Virus, Botnets, Browsers, Hackers, Malware..., Passwords, Web 2.0
Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe), commonly referred to as scareware.
More details on the campaign:
The compromised sites are using legitimate-looking templates using automatically generated bogus content, with a tiny css.js (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as a known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu:
'Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.
The common string albums/bsblog/category is found in the URLs for all these blogs. By simply using the Google search parameter allinurl, along, you can see how many other sites contain the same string. As can be seen in the image above, more than 260,000 URLs are presented in Google's search index leading to blogs similar to the ones illustrated in our example.
As you can see, only a small portion of sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely because the actual attacks do not take place on the website URLs in the search results, but on the sites you're redirected to thereby decreasing the chances that Google will designate the destination sites as harmful.'
At first, it would appear that the campaign is an isolated one and is maintained by a cybercrime enterprise yet to be analyzed. However, analyzing it reveals a rather anticipated connection - the massive blackhat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet. For instance, the domains mentioned by Cyveillance, as well as the newly introduced ones over the past couple of hours, are the very same domains currently embedded on Koobface infected hosts.
• Go through related posts - The ultimate guide to scareware protection; My scareware night and how McAfee lost a customer; Scareware scammers hijack Twitter trending topics; 9/11 related keywords hijacked to serve scareware; Koobface Botnet's Scareware Business Model - Part One; Koobface Botnet's Scareware Business Model - Part Two
How did they manage to compromise the sites? Through web application vulnerabilities as the attack vector, with OWASP's recently updated Top 10 most critical web application security risks, highlighting some of the riskiest ones.
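
Added example (not part of the forum post or the quoted ZDNet article): a triage check over web-proxy logs for the referrer-gated behaviour the article describes, flagging sites that send visitors off-site only when they arrive from one of the listed search engines. The log format, host names and the 30-second window are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Referrers the article lists as triggering the redirect.
ENGINES = {"google", "yahoo", "live", "altavista", "baidu"}
WINDOW = 30  # seconds from landing to off-site request (assumed threshold)

# Constructed proxy log: epoch seconds, client, requested URL, Referer ("-" = none).
SAMPLE_LOG = """\
1000 10.0.0.5 http://blog.example/albums/bsblog/category/x.html http://www.google.com/search?q=x
1001 10.0.0.5 http://blog.example/css.js http://blog.example/albums/bsblog/category/x.html
1003 10.0.0.5 http://scan.example.net/setup.exe http://blog.example/albums/bsblog/category/x.html
2000 10.0.0.7 http://blog.example/albums/bsblog/category/x.html -
2001 10.0.0.7 http://blog.example/css.js http://blog.example/albums/bsblog/category/x.html
3000 10.0.0.9 http://news.example.org/story.html http://search.yahoo.com/search?p=story
3002 10.0.0.9 http://news.example.org/site.css http://news.example.org/story.html
3003 10.0.0.9 http://cdn.example.com/lib.js http://news.example.org/story.html
3100 10.0.0.11 http://news.example.org/story.html -
3101 10.0.0.11 http://cdn.example.com/lib.js http://news.example.org/story.html
"""

def host(url):
    return urlparse(url).hostname or ""

def from_search(referer):
    # Heuristic: some label of the referring host names a listed engine.
    return bool(ENGINES & set(host(referer).split(".")))

def find_cloaked_sites(log_text, window=WINDOW):
    landing = {}              # client -> (time, site, arrived_from_search)
    seen = defaultdict(set)   # site -> visitor groups observed (True = from search)
    offsite = defaultdict(lambda: {True: set(), False: set()})  # site -> hosts reached per group
    for line in log_text.splitlines():
        ts, client, url, referer = line.split()
        ts, site, ref = int(ts), host(url), host(referer)
        if ref == site:
            continue  # same-site subresource such as css.js
        prev = landing.get(client)
        if prev and prev[1] == ref and ts - prev[0] <= window:
            offsite[ref][prev[2]].add(site)  # hop away from the landing site
        else:
            landing[client] = (ts, site, from_search(referer))
            seen[site].add(from_search(referer))
    # Report hosts reached only by search-referred visitors, where both groups were seen.
    findings = {}
    for site, groups in offsite.items():
        only_search = groups[True] - groups[False]
        if only_search and seen[site] == {True, False}:
            findings[site] = sorted(only_search)
    return findings

if __name__ == "__main__":
    print(find_cloaked_sites(SAMPLE_LOG))
```

Comparing the two visitor groups keeps ordinary third-party resources (the CDN in the sample) out of the findings; a site with no non-search visits in the log is skipped because there is nothing to compare against.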
 

Gold Member
Username: Gregraf

Post Number: 3905
Registered: Dec-07
I'm glad Microsoft Windows goes the extra mile to protect users from this kind of mischief. In Microsoft Windows I can set security zones in the Internet Options window so that only trusted sites will load, or set it so internet sites will not be able to run certain scripts. I have all kinds of warnings that alert me to such devious programs. First, it's with my web browsers: no matter which one I choose, none of them will allow an exe to run without first asking the user, and when they see exe flash up they are quick to hit cancel. Second, if someone purposely hits the OK button, it's asked to save to the hard drive, so they would cancel out of that. Third, and that's assuming they made it this far, they would need to find the file, run it and click OK to the warning window. Again, the malware writers fail to compromise anything because Microsoft Windows has taken security to a new level.
 

Platinum Member
Username: Nydas

Post Number: 16666
Registered: Jun-06
This has nothing to do with the operating system used in the computer. Nor has it anything to do with "security zones in the Internet Options window".
Best if you read the details.
 

Platinum Member
Username: Nydas

Post Number: 16667
Registered: Jun-06
If you think that the information that "200,000 sites are compromised" is worthless, then YOU ARE LESS THAN WORTHLESS.
 

Platinum Member
Username: Nydas

Post Number: 16668
Registered: Jun-06
The most important phrase in the first post I made is this. It shows how disturbing the situation is. Most of us in this forum do a Google or Yahoo search regularly.

"...if the visitor is coming (from) a search engine .... Google, Yahoo, Live, Altavista, and Baidu :
'... search results to distribute malicious software (malware) to unsuspecting Internet users......"
 

Platinum Member
Username: Nydas

Post Number: 16679
Registered: Jun-06
The most important phrase in the first post I made is this. It shows how disturbing the situation is. Most of us in this forum do a Google or Yahoo search regularly.

"...if the visitor is coming (from) a search engine .... Google, Yahoo, Live, Altavista, and Baidu :
'... search results to distribute malicious software (malware) to unsuspecting Internet users......"
 

Gold Member
Username: Gregraf

Post Number: 3913
Registered: Dec-07
I'm glad Microsoft Windows goes the extra mile to protect users from this kind of mischief. In Microsoft Windows I can set security zones in the Internet Options window so that only trusted sites will load, or set it so internet sites will not be able to run certain scripts. I have all kinds of warnings that alert me to such devious programs. First, it's with my web browsers: no matter which one I choose, none of them will allow an exe to run without first asking the user, and when they see exe flash up they are quick to hit cancel. Second, if someone purposely hits the OK button, it's asked to save to the hard drive, so they would cancel out of that. Third, and that's assuming they made it this far, they would need to find the file, run it and click OK to the warning window. Again, the malware writers fail to compromise anything because Microsoft Windows has taken security to a new level.
 

Bronze Member
Username: Boss_hog

Post Number: 95
Registered: Oct-08
Please Admin. remove this thread, it has no value to Satellite TV .
Why do your MOLES remove some posts and not some others?
Aren't the ecoustics rules met for every member here
including the rats, I mean the MOLES?
 

Platinum Member
Username: Nydas

Post Number: 16686
Registered: Jun-06
If you think that the information that "200,000 sites are compromised" is worthless. In fact it is very relevant to Ecoustics, as it is a thriving FTA related site which is the envy of a lot of other sites.
Attacks could come to Ecoustics. so if you want to post positive feedbacks (after learning how to cut and paste a URL) you are welcome, otherwise stay out of it, and learn from the good posts in the thread.
 

Platinum Member
Username: Plymouth

Canada

Post Number: 11749
Registered: Jan-08
Maybe we can remove Sandman which break the rules with his usual false charge on helpers!
 

Bronze Member
Username: Boss_hog

Post Number: 99
Registered: Oct-08
Nalin Nyda ...otherwise stay out of it, and learn from the good posts in the thread.

There is only two posters here you and Gregraf
so, what did you learn from your C/P thread that
you may use to help the Newbies?
 

Platinum Member
Username: Plymouth

Canada

Post Number: 11750
Registered: Jan-08
Sandman

This thread is started by Nalin, so you can stay out of this thread on which you does not help but only basher.

 

Bronze Member
Username: Boss_hog

Post Number: 100
Registered: Oct-08
What do you have to do with it ? Are you Nalin Nyda lawyer?
if not let Nalin answer my question and keep you rating
motherfucking azz out where it don't belong
 

Platinum Member
Username: Nydas

Post Number: 16691
Registered: Jun-06
Sandwoman: I already answered you above.

"Posted on Thursday, November 19, 2009 - 09:36 am: by Nalin Nyda
If you think that the information that "200,000 sites are compromised" is worthless. In fact it is very relevant to Ecoustics, as it is a thriving FTA related site which is the envy of a lot of other sites.
Attacks could come to Ecoustics. so if you want to post positive feedbacks (after learning how to cut and paste a URL) you are welcome, otherwise stay out of it, and learn from the good posts in the thread."
 

Silver Member
Username: Boss_hog

Post Number: 101
Registered: Oct-08
Are you that stupid, bad eyes or can't read.
You two clowns must think that all of us here are Newbies.
Of all my years here you two are about the dumbass, liars and rats
that I have ever came across with. Now saying all that answer my question.

There is only two posters here you and Gregraf
so, what did you learn from your C/P thread that
you may use to help the Newbies?
 

Platinum Member
Username: Nydas

Post Number: 16694
Registered: Jun-06
Sandwoman:
Attacks could come to Ecoustics. so if you want to post positive feedbacks (after learning how to cut and paste a URL) you are welcome, otherwise stay out of it.
 

Bronze Member
Username: Cheap_trick

Post Number: 48
Registered: Oct-09
This "web sites compromised" scam is pure nonsense.

The author of this post is a security advisor
and is only trying to push his security software
and services through this half-assed gimmick.

Fortunately, only fools and ignorants have fallen for it.

 

Platinum Member
Username: Nydas

Post Number: 16698
Registered: Jun-06
El Cheepo:

You are the worst scammer here with false information.
 

Silver Member
Username: Last_supper

Rush is a HO-MO

Post Number: 222
Registered: May-09
Nalin......you seem to have gotten off on the wrong foot with your relationship with cheap trick. Just an observation.
 

Platinum Member
Username: Nydas

Post Number: 16708
Registered: Jun-06
Who can ever question Christ's observation?
 

Platinum Member
Username: Nydas

Post Number: 16710
Registered: Jun-06
Applebee's:

You are losing your touch. This happens a lot of people when they get laid off their regular job and are trying to fill in time using the skills that are gradually but surely leaving them.
 

Platinum Member
Username: Nydas

Post Number: 16712
Registered: Jun-06
I give that a C-
 

Platinum Member
Username: Nydas

Post Number: 16714
Registered: Jun-06
Usual problem. When you have no straight answer, you resort to profanity.
You won't get your job back that way.
You have to learn to earn.
 

Gold Member
Username: Justforhahas

Post Number: 1941
Registered: Jul-08
I can't believe you ppl still even read nalins' or plymutts posts after 1 week of being a newbie...we all know, they don't know anything about anything and work here for ecoustics and the officials..and if NOT, then they are just simply retarded..

c'mon ppl..if yer not a newbie, they don't read or reply to their nonsense cause that what they want ya to do...get their post count up, and ecoustics $$$$, while monitoring FTA peeps and news..
 

Platinum Member
Username: Nydas

Post Number: 16716
Registered: Jun-06
I can't believe that
jusforhahas aka Chumley aka LK aka thill aka Largo Key
is still around trying to fool you all into believing that she knows it all.
She has been kicked out of several forums and discredited here.
Watch out.
 

Platinum Member
Username: Nydas

Post Number: 16718
Registered: Jun-06
Freedom of the Press aka Doreen
Silver Member
Username: White_girl

I am not at all surprised with your assessment of Applebee's work, when you said "Great piece of work". From an Indian point of view, you are showing the right attitude of respect and admiration towards your Guru, however poor quality of work he might have, and however bad teacher he might be.
In Sanskrit, it is said

"Guru Is Brahmaa (Who plants the qualities of goodness)
Guru Is Vishnu (Who nurtures and fosters the qualities of goodness)
Guru Is Maheswara (Who weeds out the bad quality)
Guru Is Supreme Brahman Itself
Prostration Unto That Guru"

If, in the end, he succeeds in weeding out the bad qualities in you, it will be a horrendous task successfully undertaken.
 

Silver Member
Username: Pirate_pete_209

Post Number: 108
Registered: Jul-09
People from all over the world visit ecoustics just to see Apple-Bee's art work.

So I will say to you eggheads start being nice to
Apple-Bee or he may ask the Admin. to Ban you two.

Just this morning here is what an old member had to say about Apple-Bee's fine work.



Dracu-Laal
Bronze Member
Username: Meyerlansky

NYC
USA

Post Number: 67
Registered: Nov-07
Posted on Friday, November 20, 2009 - 08:47 am:

--------------------------------------------------------------------------------
you guys are great. I love the pics posted on this site. Some of the funniest I ever seen. Thanks.

So no more bashing the good members here from
you two Eggheads.
 

Platinum Member
Username: Nydas

Post Number: 16723
Registered: Jun-06
Captain Hook:

I am sorry to have offended yet another disciple of the great Guru.
May God give him enough strength to teach you two - considering his own enormous inadequacies as a teacher, it is too much to ask of the poor guy.
 

Silver Member
Username: Pirate_pete_209

Post Number: 109
Registered: Jul-09
You are too old to jump so much from thread
to thread with your posts that no one can understand.
so take a break before you have a heart attack
your friend let up on you for now
so for now your post count is safe
 

Platinum Member
Username: Nydas

Post Number: 16727
Registered: Jun-06
Captain Hook:
I have had enough of your hero worship of inadequate and incomplete masters of yours with the pedigree of LK and Ryerson. You either stay and learn afresh or get out and pray for the resurrection of these masters of yours.
 

Gold Member
Username: Justforhahas

Post Number: 1943
Registered: Jul-08
There are many knowledgeable here without the need to have nalin and plymutt around harassing/threatening everyone and their incompetent posts...

If it wasn't for all the others, than nalin and plymutt, this site would have folded a long time ago...
 

Platinum Member
Username: Plymouth

Canada

Post Number: 11759
Registered: Jan-08
Haha's

Can you stop to name me on all your bashing threads poor idiot!
 

Platinum Member
Username: Nydas

Post Number: 16731
Registered: Jun-06
justforhaha's aka LK:

YOU ARE HISTORY.

GO AND TAKE A DIVE

INTO LARGO KEY.
 

Bronze Member
Username: Cheap_trick

Post Number: 50
Registered: Oct-09
I will be stepping out of line
in order to educate some SOUR ignorant people here.
(the likes of Mr.Nydas & Co.)

You see, the purpose of Jokes and Cartoons
is to convey a message or an idea in a HUMOROUS WAY.
So what really is important is if the listener/viewer
received and understood the message or the intention of the idea.
Better yet, with a smile on his/her face.

In such a sense, I've seen a plentiful of enjoyment and liveliness in this Forum,
which is enormously fortunate to count with such fine "Happy People" as Cartoonists
GregRaf, Esvaldo Chevez and Applebee, amongst others,
and Humorists such as White Girl, Captain Hook, 'Jesus Christ', Doreen, RUSH,
and so many others it would take so long to mention.

It is this, altogether with generous technical guidance from 'gurus' the likes of
Mr. LK, King Tapeman, Dr. Oleg, etc. that makes these forums
the most entertaining and enjoyable ride.

 

Platinum Member
Username: Nydas

Post Number: 16735
Registered: Jun-06
Cheap trick - Bronze Member
Username: Cheap_trick

Post Number: 50
Registered: Oct-09

El Cheepo: YOU ARE way out of line. You joined here in October, this year barely a month ago, and immediately started bashing people, including me and Plymouth. Now you have the gall to come and advise me.

Novices like you should first learn for 3-6 months, then advise.
Also note that this is not a cartoon channel or joke channel, or a bashing channel.
Keep your posts to intelligent inquiries and comments relating to FTA and satellite related issues and Television programming.
 

Gold Member
Username: Justforhahas

Post Number: 1944
Registered: Jul-08
ya know what...nalin, I remember U coming here your very first 2 weeks and immediately bashing LK and PRFRMNJ...then Doreen, next Satscanner, and then everybody here..

so take a look in the mirror next time ya have a need to bash "el cheapo" or anybody for things U did/do yourself...

and ppl will post whatever they want in whatever manner they want, and if ya don't like it too fukkn bad....we all like humor, pics, the cartoons...its U nalin, we don't like....and U are the "bashing channel", as U say...eat some humble pie and STFU..or take ya long hike on that fukkn Muslim camel of yours..
 

Platinum Member
Username: Nydas

Post Number: 16737
Registered: Jun-06
justforhahas aka LK:
You said: "ya know what...nalin, I remember U coming here your very first 2 weeks and immediately bashing LK and PRFRMNJ...then Doreen, next Satscanner, and then everybody here.."

I asked you after being on this forum for 2-3 months a simple question, and you said "I don't like you" I never bashed you or anybody else after 2 weeks on the forum.

You are wrong as always.
 

Bronze Member
Username: Cheap_trick

Post Number: 55
Registered: Oct-09
Nalin Nyda Posted......"I asked you after being on this forum for 2-3 months a simple question, and you said "I don't like you" ...."


Well, I think people shouldn't be so bitter and resentful.

God said "Forgive and you will be forgiven".


Let us all be one Happy Family this Thanksgiving Day.

 

Bronze Member
Username: Cheap_trick

Post Number: 63
Registered: Oct-09
We're waiting, Nalin.