
September 16th, 2010

Accurate file names – part 2

Malware writers never seem to sleep, and this time their activity also touched my last article (published yesterday). How is that possible? When I used Google today to find references to my blog post, these results appeared:

google search results

The fourth link on the first page (which is directly accessible and clickable) leads to a fake AV distribution network. What does the infection chain look like?

virusremovaltool.info refers to this script provider

and the script carries another redirection

the redirected page refers to another script

and this heavily obfuscated script shows a fake warning that your computer might be at risk and starts its nasty game

All URLs involved in this chain have been immediately added to our URL blocker, so all users with VPS version 100916-1 and above are protected from this threat. But frankly, which of you ever expected reading IT security articles to be such a dangerous thing? The people responsible for virusremovaltool.info have been notified, to inquire whether their presence in the chain is intentional or not.
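The chain above starts from a small script (or iframe) tag injected into the pages of a legitimate site, which then redirects through several hops to an obfuscated script. As an added example, not code from this post or from Avast, here is a defender-side scanner a web maintainer could run over a web root to find such injections: it flags `<script>`/`<iframe>` tags pointing at hosts outside a constructed allowlist, flags inline JavaScript carrying crude obfuscation markers (eval/unescape over built strings, long escape runs), and notes whether the hit sits in the footer region of the file. The allowlist, the sample pages and the regex heuristics are all assumptions made for the example.

```python
"""Scan a web root for injected <script>/<iframe> tags and obfuscated inline JS.

Added example, not the blog post's or Avast's code. Heuristic only: it catches the
common "tiny tag appended to every page" pattern, not every possible injection.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist for the example).
TRUSTED_HOSTS = {"ajax.googleapis.com", "www.google-analytics.com"}

# <script ... src=URL> or <iframe ... src=URL>, quoted or unquoted URL; the lookbehind
# avoids matching attributes such as data-src.
SRC_TAG_RE = re.compile(
    r'<(script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Inline script bodies, so obfuscation markers are only searched inside JavaScript.
INLINE_JS_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
# Crude obfuscation markers: eval/unescape over built strings, fromCharCode, long escape runs.
OBFUSCATION_RE = re.compile(
    r'\beval\s*\(|\bunescape\s*\(|String\.fromCharCode'
    r'|(?:\\x[0-9a-f]{2}){8,}|(?:%[0-9a-f]{2}){8,}', re.I)
FOOTER_WINDOW = 2048  # bytes from the end of a file treated as "the footer"


def scan_content(text, trusted=TRUSTED_HOSTS):
    """Return (kind, detail, in_footer) findings for one page's source text."""
    findings = []
    footer_start = max(0, len(text) - FOOTER_WINDOW)
    for m in SRC_TAG_RE.finditer(text):
        tag, src = m.group(1).lower(), m.group(2)
        host = urlparse(src).hostname  # None for relative paths, which are left alone
        if host and host.lower() not in trusted:
            findings.append((f"external-{tag}", host.lower(), m.start() >= footer_start))
    for m in INLINE_JS_RE.finditer(text):
        if OBFUSCATION_RE.search(m.group(1)):
            findings.append(("obfuscated-inline-js", m.group(1)[:40], m.start() >= footer_start))
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Walk a web root and map each suspicious file (POSIX relative path) to its findings."""
    report = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings = scan_content(path.read_text(errors="replace"))
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample pages: a clean page, the same page with a tiny tag appended after
# </html>, and the same page with an obfuscated inline script appended.
CLEAN_PAGE = """<html><body><?php echo 'hello'; ?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
</body></html>
"""
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://injected.invalid/x.js"></script>\n'
OBFUSCATED_PAGE = CLEAN_PAGE + '<script>eval(unescape("%69%66%72%61%6d%65%20%73%72%63"))</script>\n'


def demo():
    """Build a throwaway web root from the constructed pages and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", CLEAN_PAGE),
                           ("blog/footer.php", INJECTED_PAGE),
                           ("shop/cart.php", OBFUSCATED_PAGE)):
            p = Path(root, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for kind, detail, in_footer in findings:
            print(f"{path}: {kind} {detail}{' (footer)' if in_footer else ''}")
```

Run it against a real document root by calling `scan_tree("/var/www")` instead of `demo()`. Because the heuristics are regex-based, treat the report as a triage list and confirm hits by diffing the flagged files against a known-good copy (a backup or version control), which is also the fastest way to remove an injection from many files at once.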

  1. September 16th, 2010 at 17:13 | #1

    Congratulations on the discovery! So I use Avast!

  2. September 16th, 2010 at 17:30 | #2

    The domain admin confirmed an unintentional tampering with the web content. Cleaning of the malware traces is currently being worked on and everything’s gonna be all right again (as soon as possible).

  3. September 17th, 2010 at 09:55 | #3

    Hi Michal,

    Nice information and sharing,

    Keep going forth sharing in this manner…

    cheers,
    yanto chiang

  4. September 17th, 2010 at 12:43 | #4

    Hi Michael,

    As I said in the email, yesterday we had our entire network of websites hacked, and this malicious code was instantly added to 100,000+ .php files we have on our account, throughout the domains.

    Right now, all the malicious code has been cleared by Servint’s admins and the websites were restored to a previous date, before the virus copied itself. Many of my domains stored on this account actually have thousands of visitors daily, and it’s dreadful to think that someone could have caught a trojan just by visiting our site on a daily basis. I am curious how you got to see the file’s content in the first place, because all I could see was a small piece of code added to the footer of each page; it took over 6 hours until the script was even found on the server.

    Once again, I just want to clarify that we have nothing to do with this network of “fake AVs”.

  5. September 17th, 2010 at 14:20 | #5

    @Liza Kliko
    It was not that difficult to locate the injection, in fact. Actually, we’re often faster than a web maintainer (because we have an “army” of 130M users and there’s a high probability that someone reports such an incident promptly), and sometimes even the author of a web page is not able to locate the injection in their own code. Yesterday I had a phone call from such a web author. As shown in the images above, the initial script (or iframe) injection can be pretty small but effective. Guessing the number of average surfers infected through your site is a task for a crystal ball; the best action when dealing with such attacks is to take the particular web servers down asap – it’s better to leave a domain inaccessible for two hours than to let it spread malware for two hours. ;-)

  6. FeRD
    September 19th, 2010 at 13:58 | #6

    @Liza Kliko
    “this malicious code was instantly added to 100,000+ of .php files we have on our account, throughout the domains.”? That’s some impressive server performance, I imagine even the beefy systems running Google or Yahoo! would take at least a few seconds to modify over .1 million PHP files! So, kudos on the server platform y’all have built, it sounds mythic!

    (…Or was that mythical?) ;)

  7. R
    September 21st, 2010 at 07:13 | #7

    @FeRD
    Considering Google did around 34000 searches/second in Dec2009
    (http://www.comscore.com/Press_Events/Press_Releases/2010/1/Global_Search_Market_Grows_46_Percent_in_2009),
    each search would transfer some KB of data via network.
    Adding a few bytes of text to 100k files in a local server (no need to transfer over net) is much easier…
    (Google’s bandwidth capacity is the mythical thing there)

    [anyway this is totally out-of-topic]

    gj Michal for your findings!

  8. abdallah
    October 4th, 2010 at 18:16 | #8

    I think a new virus is walking around; I discovered it through the IE browser.
    Please check

    ” hxxp://confort-moderne.r/logo_CM.php ”
    I think this site contains a virus, please help!!!

    Thanks a lot

  9. October 4th, 2010 at 20:59 | #9

    @abdallah
    Don’t post live links to potential malware and use our forums for questions about web infections.
