|
|
|
Finjan: Bogus Anti-virus Is Big Business
By: Brian Prince
2009-03-23
Article Rating: / 21
There are 2 user comments on this Network Security & Hardware story.
In a new cyber-crime report, security vendor Finjan found a traffic management server that showed a ring of cyber-crooks redirected 1.8 million users to a site that installed rogue anti-virus over the course of two weeks, raking in an average of $10,800 a day. There are several groups involved in similar schemes, Finjan reports.The stock market may be struggling, but the market for purveyors of rogue anti-virus is going strong.
In a report, researchers at Finjan offered a peek into the
inner-workings of the market for rogue anti-virus. The company
focused on a group of cyber-crooks running a rogueware
affiliate network that hauled in an average of $10,800 a
day in profits.
The affiliate network is divided into two teams, one responsible for
compromising legitimate Websites and injecting Web pages with popular
keywords and typos. These pages redirect users to Websites owned by
Team B, which tries to install the rogue AV on the users desktop.
Team B pays Team A for every user Team A manage to redirect to Team B Website," explained Finjan CTO Yuval Ben-Itzhak.
The profits can be impressive. A look at a traffic management server
based in the Ukraine found 1.8 million users were redirected to the
rogue anti-virus software site during a 16-day period. The installation
rates varied from 7 percent to as high as 12 percent. Some 1.79
percent of the victims who installed the AV paid $50 for the fake
software, with 58 to 90 percent flowing back to the network.
The group behind this operation relied heavily on search engine optimization (SEO).
Fellow security vendors Symantec and McAfee have found similar
SEO-poisoning techniques being used in malware campaigns, and said the
trend has been increasing since the beginning of the year.
To further improve their chances of placing high in a search, the
hackers inserted SEO targeted pages to compromised Websites. According
to Finjan, the injected pages were actually PHP scripts dynamically
generating search keywords with typos and popular terms. The script is
based on a parameter passed in the URL,
hxxp://[compromised-domain]/talk/page.php?id=1503. Each of the
dynamically generated pages was linked to other dynamically generated
pages to increase the probability the search engine would index even
more keywords for the compromised sites.
The end result was users searching for popular keywords (with or
without typos) on search engines were sometimes directed to a malicious
page that tried to install the rogueware on their PCs.
In the last two months we have seen these SEO techniques a
lot, Ben-Itzhak said. It is happening on legit Websites that
were compromised and fill the Web page with keywords. These pages trick
the search engine spider.
I believe there are a few dozen groups doing that today, the
CTO continued. Having the great numbers they make, the number of
groups increase and their techniques are improving.
|
|
�������x}v89�hN;�/ڎ#rey,%s� IlS|Iξ>V�M�Z{6-�`P*�
��~vv$IM�klJv'[D;;?.�P|gS�/92p=z#�m��)>M3ȩ�����;#|6�%?w *s�R;�:wɘZqPɈQە>Q/?u�Lbh:&q٤XA#
: rWӺ%~`ZN<�Qu)p�gEQ6'k[! t�V�N W*U�n��p{#a_ʞ��z5"p8$j��;^7W�w23w:�bq:!Om�l�ڮ�U� ؓ�ۭ@x!D�y!rs�#�g߶�0Tݑm:���1�Bsdb�LJNtf?D�9�z�u
v=�r7Ƀ5ǁ#�ű B'Zj;�}�&
D%\.��'I&�_��c���=,gV}��j�kQҋZ-[�M�R=4,g��f�VҐ�g�UUYZͣމdni^WWngGW)wfYY�ji�ed�X�]2��o-U5us%+r:nv�3ɀ&�dXAZ|[kU[߮{�!~b[ d�Pp9Lwj/�?t{_.d�[[$'uXOz'�g9�0omYn^H.)ޕ|T|Y|ěy30si���2)�<
L8��Z��u�tkKUykA
4�+@_x0N�D9nkcf�M�r,e��g{0@�M)��61p���v!fBy�M)o��z@@�ZR~V(�U�S%EI7#DD�
v23~�B(:�pHq��> z%�y1Ӱu�arq�}�]7+De.,
s5ͷwfz�;\gT?m6z'{ٹvS6>4aUb}ƺƻ��sEhYf7ͣ$��ꨦU��,V�𢲯*X@8ʍ�??6m!SG�ñA
SM:gvY0`���;}B_�Oi&89~��t$�ࠣM��/�C˥~f�1�@�
L�N0i�|
+���wGݺ|LӰ�=��Wԇ5D�5��i��-D�&q}@�q�HhR0<�sz70Z[�σ�5]5�H��ˋ�0���P6=�x
��Be^~>�a�xs݀�̧P��r`OA[�9[ݲeǀxԜ�)uK�w2R}g9>�(G))(?�]HPw9�J�
B�!\��0H��`P� a�b
.<��Һ�B�I}vn<�){T�Kh!+�K@fsfh(4{~6�cbB�|#'b�Xr`Y
�\h+|�h)c
Ԩ˶V.hXi(P�s�0 =#WV+%EU}`H�Lͦo90吖3t�f�3@pČ'HwH{cJLaͽs|s8���Z|'�VMT�2v�&�f+Loo�j�7ab#C[l~pe�
l4�T f��FfO���~5lwfB9\O7,{t?�Gc�NEi[Jι/7�N)j�`ޗJ�7f�2g�NP/h|WY� �3EDVhdF!zC�2{�ڡ[Z3R;=�=Mrʳ$�#��]_7o�X>ťHN(m�t'�й+>q^t.i}mOӬX��Uo?JՕE[�1(Ŀ�:R�j'-�H�o`��koռy_x�ui8Hi�-"�rB`8����1f&6XC˦>o��ӧ㎃WKH.Z�YAٰ\R
�!I�6�D�ȸau-`by��eS�]Wѹq@8t�1Dږ3��`�mpj
\�#BE-��Dd�
�??uPV����/:OY�ͨ�lD+Jc�\�CКy]։;lRjz|pݑM% �WЀ�ap���;E�.2
�ZA60�hs}�!T0�ܖ+
eT)5*�IM86�nabIoXL�+*�9K.pϟ��
sFWyQFfY?K�^HjP�'VVR尨V*�h�!Gq�)4�ɾ;��c>x�}ˬ5�_>k�{]7�\�μ��+�'�3E�<&��{H�[�eX�`/�cҧ8@�ĺU0�UESUG�+�+\>�F����]h��C\4�<�}g�c�4�pf�mWq=YJjLwg
`�ZpkzVGc�'ԿA���XsA-ReW᧘TVQqi?p;h跸�@^5o8`Ȍ�)Ĩ�5UW�*~iZ'5^�_MhDA��`��
Нv;#ؐCKA;aVS$o�t렀6RaExތ�9"yea@WIl��J�hL跖?o�_�/Qm(}�g�"-Ǥ|e�2u-tn1�b%[>E?9dN u3� U�Sf>
��|m|0k嬙fwṛ:
�߀&�\@qcc��n#2v"9�zB*>�|/I�7aO�n�:R.��R
r1|]�ܩe>t1֎�;*}z)Oc��ʌ�E/(SYmq'&F.�,ex.N3 akc>��
4Ff
U(Qk�oZ,+eeP��/)
JU-��A^Mo6m$B�|<ݤ1p�
JU<6{1{H�Jݶ�e�(N�TbPQKJB'Q�C.:'�-&�v�eN�6qaw?ͅg7ckX?"�B��0u%hnzGSYqza\/�n/$hO ^�1M�u0@ЧlJ�wXA8fGS�QlYVc�6f�Ǻ}���agMٸU
V|�eZU
ՂVD'�ft0�|��G�.CGTTWFogM�GD�o0|�f��^%5�RiE�mT)�ܑJ-ӄ>zA�bzQ�=Y�r�v�jT
���dP��Hb.x|V
n�&~|8ZƇ&?�pȾYMw$(��X���t�c�s'q/gzVDl/�''��6|v<���2CHv4|u�Nqu!>w!CrhJIcxΥx\NC{�R‥G!hUHf*<�hq\1nǛ&���L_>�0swMT/!mE@I}\48`\5c-ɅH'ZM⪱�=Cɢl�+8�w#E�%'k3t{)�-'�g[
�=}_exH��M{pУXTJq+g9#$ubSPՅ�{_Λr;�0y!Q2�7��{�%E�:W�dl&u"N M5�W"v5O|�B�AqB�=HfPƓ46ˢ
ݖ2`�9s:)!ON]F 2H PV,O&e=lI1 iKBih%bbVHGR�{ٸX6<1ޤMƙLVmK$��Ζ�(�̗4.נ�zy8��V�#kvh~�t�a}QגZ4ҫoeW!9�
?VA6,qx\�<[<,�Mw[�v1CN:#^4.@
&̯�>w��H-Э�>�5?�y{h
o&<)ǣ AC~kt3r¸njהyLf0�>ovR8}_'ivݷ;i9nin[n�U�Z�xB�J}~l't2�D(jySa[{��Ȫ̅S.ۉ�G#S~`q8-<���&jlǵ�wD/�ZdO>^jC|9~��2�/>
�AY�ؖrnbL��d<�J��;��moZpצ�N
Oz �F#%k�ϖS˱6ͭG�@|Ր[�hUZ1pE0pe�a�%$\}1 _;bE �c+G�|('N?�Y�%p Mkko!1�%C%_h3�[aG0^
<�"�t�(u��߂Kd[:��`8Y&?�6#d,GeTu_-��]&�5Ċ?ٿz9+ֻ
ߧ^�XN]�DH��?�L5Wteã/?+�^$Kg�'�Z�5�EMy�5{o� ԑEcw2��F=� ha>[�+U*O^)m�V6s'd#NG}ޫJio9�d':[pI=,���+Ke�6.y6p�vZ���#�QJ-+qkMM�+6jij&>%KR$]qd$q�/.+1J�"͗|*pݔ,bq8><�ʌp]c N�Z�düO8c�ph�25r}�˺Mo�(X(-ͽ87IT3RbmѬƢc��XIo&~�&=ذ��h<�{;A|+)ԚN
�B-$�X)"o�r&gkl�*EPm�
Wب��cx.YCL>t�OB��@6c��|�V�K~)���o\;9l�&�6ach1�Þ7BEg")"�h�i[Է|qNe�ۻ7� )&�/f=O��Kj:#{Y$*ϲ��kQ�_�}캜]TT9�8'r{$J�*pI�0�u5�r_ _8!]E}6d?UʺWx>���3�X,tfTu-.Y
�8�Ir�������=SC�}�:!a&F}77ՁEI˄矗.t�4ApXÜ٪БN['t��^T*ՒZYk>@1O�Ɍ'|@ �}u3TYG^_�ꭰ.gK%\D ;EAFw|��K�`m'"R+�RXT*�
.�E8(��T29 �*4�$Z.Uuy\%0җ-c3�Pe։H{��X)<ݝ�KO��Ĺ�8M�-�r�y�lTJ�f(#tE'. ]%tݸ}?7��Y
E~�i�p��zʿq;#}�k( 3�lgT7#�.%#/�[À��|NLljn
:x'�J'�ZPy��[T�H0l�8n^dy�]J:]R5X�?�Ěl>V/��Jt5DjHG,Q>sA��.=7kf*L�0Ȗ�" !b
�11zThN%nE�^^��LF5Ih`t��Շ~`%$~�@ӡ�F��Hwi`�b���� 1
�^��<�[&^z�2t|v�n���BrQD4|H|Z,#/L^+7l��*귵췱gyN[mV)jhk+1=\ĺt.=؆_����JR��9V$���5"*Nh斖HP25aD��o�]�`<)L-Nptowwv]g�S�2�ֵ7
�}�/Y���ie^�,m'�It�'rX,hAL�ÑZCu�sTa(Y� օ��^:r9g��ظol}>��Dz"~mOӪ{
es�^[7>kE_A-�iΞCD/� 3g#*ډ4$X0�vUuطz/=
�nX��PAgXt�y|Ù`'㷈�EDCঀ;~�� *nSH Tv%xrǷ�J?
_V�]{F9- �b~[ԑ>W8M-V�8=겆&:�Ba�D0ޥ�Dg�*'Nty�g�8G
�:aw%�0mg1+A#샒�=�%h�n? ,qp-Ds�9�?:.���AXx-�7tE�9��D�NE07��vy`8(ĒI
1�6�
ͤ<8�g/t=LG�9h*b4�B�-'>/�8&ƘKjxVQ咋xzzɟCtNk-b�".˘xk�iOk�6j=!ѣ`5�?�|6n&M0m'h�zBRKo^3C'�ܬXM$�,cvU�jykE�8a Xfoӑ8-ާa{�G�2�Z�`miX�x.�>H�'ܲzF��wI�fؽjR>]ho_)�ZTSi(+R%W�9 5��;��Փ>Ϲ,^k[:Rg�y祒V,T˩7u~gӠTXA.,|��a,D�&ˇt~Q-mDRb^gӃo(?"@O�
`ʖC/0UzpW}�K`ڵǔ8F%h0\[�M_`7��᷵��khD̉Љ��HuWkR)ݫ��SRmF��έN_ceϋ:t<1�
ʒ�i�ͬ{[RJBYIvn|D�uv�H1�X�p,�C�"Na8TJ�_[E�z%r�=+=�i!oB�ü�S0]LL9_ň�R>\gD+9m� �:4x�� &L�WlAJL�B(fYiv'
.-\��P�|P*S7O�R(kUeab+;Y�!kb��^HҾ7+qܔx�E�oS?#o:��7W0�OI�}h+{VzK"?{|�Q�d�>���pXHґ!w��m[Ae6\IxC#�k �볐:do��
�іIz# ,@G!yꊍ\D��Q��;B�p�՛GF\4^yE��@�<3�2�>Cߑ7RS@)
�$�£u=
8�9asH ]TW\A&x~ĝ�!k:�|e1v1��{��\oX|J79f+H� s �ǫ�<�u~���̀��Z0��CF��2*mGM=�nI79m6O�-i`Ik@���J���ux��IA!5�R�"�^kX,s2J3br���QǠ{�=Ӻdb��WoP$P +wdc�||�9K�0nߗ�H'x�\J�)��T��&}�nA=bA!>?'~��e�ML)!H0Z��rfe%��]�����F�"L( ӻ�q0ݍqWiN� �+<�fɻS��:r�tT(ʞ�2|{��`�f>�c�[7��ΥiCZ||L�
]ǒ�4�Bq0hp2eB2߰�b�JU(IhRW�|W
|�+R0�'o�/z�fY#U�t�ӄ^I+\A��/ �PIZ��
�W{}K�IS��ko;7}�s�rڹ"
rzlU\y��2a[Kp��\MnQqiyyպf��|j%<ח6/*�˙ΒQ�9hNQ�ʉ~oSgĵ,�%�y�*wDY Ccq~�cw�|�{#�U֣e9DM@*8� �njR�qrrvljŵ�V#g5^L˒WkJ]3C _9mF�x9j��0}-W܄q�P��"v�\4sФo%�u���cFPkF�_.?n�62;P(GN.?��43ʏxu)4>�����VrI:(�Z�uQ�2?v3ʿ@�<�>vv�~;�>зA6ЧA66g;?�D�g(Q~�g�eQ�{1� ?��s�w1~��O'Ct@t2%e�\�_�\eO���@?V�_sV9sF>�>g�ʯʁ3�ڿh�:s$eCPȐ%.N�p2KQ�ʠ/ޯ2�yby@�2
�s hxVyd�b�
bye?VP�w;]�SҤ�]��su9m�U}Ӊ0VbM�dGE<�m}Lkd��Ⱦٟ1{ %Y!ό]#=Dze?|�[a[�G8QB��7��q*�n}�7�}v=ye�Ax�`j�?&7SZwp~k;ُϋGkw�եC%AfПb
5?&OxVfw<P�`2_7UJ`���z!O J1��4cdK1�B�&\I�x��&R۫2f�dofsaSKCt8cRKx;b(�q,�?,"(�v0��Tߙ_IblO]��C/g�V��MHw-ߟQ>ƽǤ�m&9cl]i*b�B�5 t~81pgj�Ì,�aނz~l�46F[(Hj9�SÏYF
�
D
zu�idKdp!gB[t�@e)�D ˪,B`
�,kϗ9,@aƈ�kDM�In�_!-x'GeIJ"96>Xslc�M$�XS�GG��~�Q!bJy>yr/hpz�Ʊs� �(�:-c�8MzR�7wRIclx!'&]c/0
��
3�c_\E�mf@L�@zqv|6h_u�8|�5V$G1x_&05�%�xr�Ӎ�Qf7nm˩ruJMXvg���{
�sa?f
}u'K6�1�wh/�'Հ�m&���xb4&gV3MuG$�dzB՝?�\v��}���eF˷�]f�BaI'�x;įu�9>`&<)yϖ$|r/���Ǝ�$z �߀9%���
ɡ6�It;&>x68�"��DQ$�L{�yݟG/7~~��r@b]lQO����&X�\f��n�Im.�KE0�%&(Xp\- +44�;>�Ba2\�H�G�x
ky�f#ŧ�W<߶nRP+j|V@8l:�ؖ?^
cϓ1K$~Al=bu�)W�r�1e~8Ş�i#|��@ ](ۈnfةB%`y��@L�4�
�qS`��-hvp#��+2t�cB\
(a��t L/Q1?cyM�nBQXƪa#mQaS:�6W�n
U�y7w{&W{&*l*kS�4V�*�<Ǥ9m�@�>���1[>�܋ϑ{̾!V��af-Ssu��Rɤ{i���e�pClkZ��0JqU�
�XL´â�WqTR:!�;/����kO`LbOP���1,��,�ozԛ'T�S*�4.6>ϭn<\e^��.<�̳�(`)�,��dv"V�7rsh;h�3THهl*~��&��فl{k[�НTnxLK-P?Q�>χ"F�TNENE<<�Sf}')VSL_Xџ�_<|:T+O��`�Tb{ T�.7u{_Λ�wc^;�<\Fu倇T3uG�@;�O�ot[6�hT*㉋�g%ǝU���nң�WO�'RXFYzhI:f��]6NNZ���P0�E�h�⍿C01�4[SˬZY$I#�o[M1�uc*a�yaT셳Qbɭ٦d�Ti2�9?R{) q=4>�9ani߄;l| �n%96O`�[�
P��A�X.��
|
Network Security & Hardware 
