

September 16th, 2010

Accurate file names – part 2

Malware writers seem never to sleep, and this time their activity also touches my last article (published yesterday). How is that possible? When I used Google today to find references to my blog post, these results appeared:

[screenshot: Google search results for the blog post]

The fourth link on the first page (which is directly accessible and clickable) leads to a fake AV distribution network. What does the infection chain look like?

The chain, step by step (each step was shown as a screenshot in the original post):

  • virusremovaltool.info refers to this script provider

  • and the script carries another redirection

  • the redirected page refers to another script

  • and this heavily obfuscated script shows a fake warning that your computer might be at risk and starts its nasty game

All URLs involved in this chain have been immediately added to our URL blocker, so all users with VPS version 100916-1 and above are protected from this threat. But frankly, who among you ever expected reading IT security articles to be such a dangerous thing? The people responsible for virusremovaltool.info have been notified to inquire whether their presence in the chain is intentional or not.

  • http://twitter.com/dkGsantana Giu Santana

    Congratulations on the discovery! So I use Avast!

  • http://www.avast.com Michal Krejdl

    The domain admin confirmed an unintentional tampering with the web content. Cleaning of the malware traces is currently being worked on and everything’s gonna be all right again (as soon as possible).

  • http://www.ppinfotek.com yanto chiang

    Hi Michal,

    Nice information and sharing,

    Keep going forth sharing in this manner…

    cheers,
    yanto chiang

  • http://virusremovaltool.info Liza Kliko

    Hi Michael,

    As I said in the email, yesterday we had our entire network of websites hacked, and this malicious code was instantly added to 100,000+ .php files we have on our account, throughout the domains.

    Right now, all the malicious code has been cleared by Servint’s admins and the websites were restored to a previous date, before the virus copied itself. Many of my domains stored on this account actually have thousands of visitors daily, and it’s dreading to think that someone could have caught a trojan just by visiting our site on a daily basis. I am curious how you got to see the file’s content in the first place, because all I could see was a small piece of code added to the footer of each page; it took over 6 hours until the script was even found on the server.

    Once again, just want to clarify, that we have nothing to do with this network of “fake AV’s”.

  • http://www.avast.com Michal Krejdl

    @Liza Kliko
    It was not that difficult to locate the injection, in fact. Actually, we’re often faster than a web maintainer (because we have an “army” of 130M users and there’s a high probability that someone reports such an incident promptly), and sometimes even the author of a web page is not able to locate the injection in their own code. Yesterday I had a phone call from such a web author. As shown in the images above, the initial script (or iframe) injection can be pretty small but effective. Guessing the number of average surfers infected through your site is a task for a crystal ball; the best action when dealing with such attacks is to take the particular webservers down asap – it’s better to leave a domain inaccessible for two hours than to let it spread malware for two hours. ;-)
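The post's infection chain starts with a small injected script or iframe reference, and the comment above notes that site owners often cannot find that injection in their own files. The following scanner is an added example (not Avast's URL blocker and not code from the post or any commenter): it walks a directory of .php/.html files, extracts every `<script>`/`<iframe>` that loads from a remote host, flags hosts the site owner did not allow-list, and separately flags any markup appended after the closing `</html>` tag, which is a common footprint of automated footer injections. All file contents, hostnames (`bad.example`, `evil.example`, `cdn.example`) and the regular expression are constructed for the demonstration.

```python
"""Scan web files for injected <script>/<iframe> tags that load remote content.

Added example for detection on the site-owner side. Everything here (file
contents, domains, the tag regex) is constructed for the demo, not taken
from the post or from any real product."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches <script ... src=X> and <iframe ... src=X>; X may be quoted or bare.
TAG_RE = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)',
    re.IGNORECASE,
)


def find_remote_tags(content):
    """Return (tag, url, host) for every script/iframe whose src is off-host.
    A src without a host part (e.g. /js/site.js) is a local include and is skipped."""
    hits = []
    for m in TAG_RE.finditer(content):
        tag, src = m.group(1).lower(), m.group(2)
        if src.startswith("//"):          # protocol-relative URL, normalise for urlparse
            src = "http:" + src
        host = urlparse(src).netloc.lower()
        if host:
            hits.append((tag, src, host))
    return hits


def suspicious_tags(content, allowed_hosts):
    """Keep only references to hosts the site owner has not allow-listed."""
    return [h for h in find_remote_tags(content) if h[2] not in allowed_hosts]


def injected_after_close(content):
    """Return any markup that follows the closing </html> tag, else ''.
    Legitimate pages end there; appended tags are a strong injection signal."""
    idx = content.lower().rfind("</html>")
    if idx == -1:
        return ""
    tail = content[idx + len("</html>"):]
    return tail.strip() if "<" in tail else ""


def scan_tree(root, allowed_hosts, exts=(".php", ".html", ".htm")):
    """Walk root and return {relative_path: [finding, ...]} for files that
    reference a non-allowed remote host or carry markup after </html>."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            findings = suspicious_tags(content, allowed_hosts)
            tail = injected_after_close(content)
            if tail:
                findings.append(("trailing-markup", tail[:60], ""))
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = findings
    return report


def build_demo_site(root):
    """Write three constructed files: a clean page, a page with a remote script
    injected into the footer, and a page with an iframe appended after </html>."""
    clean = '<html><body><script src="/js/site.js"></script></body></html>\n'
    footer_inj = ('<html><body><p>hi</p>'
                  '<script src="http://bad.example/load.js"></script>'
                  '</body></html>\n')
    trailing = ('<html><body><p>hi</p></body></html>\n'
                '<iframe src="//evil.example/x.php" width=0 height=0></iframe>\n')
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    for rel, body in [("index.php", clean),
                      ("sub/page.php", footer_inj),
                      ("footer.php", trailing)]:
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed site in a temp dir and scan it; cdn.example is the
    only host the (hypothetical) owner has approved."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return scan_tree(root, allowed_hosts={"cdn.example"})


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path)
        for kind, value, host in findings:
            print("   ", kind, value, host)
```

Run it against a copy of the document root rather than the live site, compare the reported hosts against the site's own list of CDNs and analytics providers, and treat any file with trailing markup as a candidate for restoration from a known-good backup.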

  • FeRD

    @Liza Kliko
    “this malicious code was instantly added to 100,000+ of .php files we have on our account, throughout the domains.”? That’s some impressive server performance, I imagine even the beefy systems running Google or Yahoo! would take at least a few seconds to modify over .1 million PHP files! So, kudos on the server platform y’all have built, it sounds mythic!

    (…Or was that mythical?) ;)

  • R

    @FeRD
    Considering Google did around 34000 searches/second in Dec 2009
    (http://www.comscore.com/Press_Events/Press_Releases/2010/1/Global_Search_Market_Grows_46_Percent_in_2009),
    each search would transfer some KB of data via network.
    Adding a few bytes of text to 100k files in a local server (no need to transfer over net) is much easier…
    (Google’s bandwidth capacity is the mythical thing there)

    [anyway this is totally out-of-topic]

    gj Michal for your findings!

  • abdallah

    I think a new virus is walking around; I discovered it through the IE browser.
    plz check

    ” hxxp://confort-moderne.r/logo_CM.php ”
    I think this site contains a virus, plz help!!!

    Thanks Alot

  • http://www.avast.com Michal Krejdl

    @abdallah
    Don’t post live links to potential malware and use our forums for questions about web infections.
