Tuesday, August 24, 2010

Nearly 3 million "Hot Video" pages pushing fake AV are undetected

Note: Google contacted me shortly after the blog was published and claimed there were only 77 such links. But when I tried a query for the first domain in the list, naghoospress.ir, I got more than 600 Google results for just this domain: site:naghoospress.ir hot video. Attackers create fake YouTube pages for each of the 20 Google Hot Trends each day on each domain. I've seen pages for trends of the last 60 days at least, so that's about 1,000-1,200 pages per domain. There seemed to be at least 100 domains indexed by Google, so a very low estimate is 100,000 Hot Video pages in Google search results. But each Google query shows different domains, so there could be more fake pages. Google displays a maximum of 1,000 results for any search, so only Google knows the real numbers. But it was clearly at least 100,000 when the post was published.

We've seen many fake YouTube pages redirecting to fake antivirus software downloads in the past. However, we're now seeing the same phenomenon with a new twist: Google has indexed nearly 3 million "Hot Video" pages, all pushing fake AV. Yandex, a Russian search engine, also returns numerous links to these pages for random searches. Try the following Google search: inurl:"page.php?page=" "hot video"

Google search for Hot Video

The fake YouTube video page is covered by an invisible Flash layer, and the Flash object automatically redirects the user to a fake AV page. If the user has Flash disabled, the page is harmless. The URL of the Flash file, which is hosted on a different domain, is obfuscated with JavaScript.

Fake Youtube page

The spam content, used to ensure that the page is indexed by search engines, sits in an invisible DIV element pushed off the screen. It contains links to other fake YouTube pages on the same site. To make the content look more legitimate, the page also includes links to legitimate sites (e.g. flickr.com, nasa.gov) and images from external sites.

HTML code of the spam

Redirection to Fake AV

The fake YouTube page redirects to a fake AV page. Several domains are used to host the fake AV software, including www2.soft-analysis79.co.cc and www1.selfprotection20.co.cc. There are different variations of the fake AV page, but they are all similar to pages previously seen elsewhere.

Fake AV page

Virtually undetected

Besides the huge number of such malicious pages indexed, and the fact that they show up in many search results, the main problem here is that the pages and their malicious payloads are virtually undetected by regular security tools:
  • Google Safe Browsing does not block most of these pages (90% of those I tried were not blocked in Firefox), and the fake AV domains were not detected either.
  • The detection rate among antivirus vendors is only 11%!
This type of threat is different from the usual blackhat SEO spam: the same content is shown to the user and to the search engine, so the page can be accessed directly, without clicking on a search engine result.

Because the "Hot Video" page uses both obfuscated JavaScript and Flash, it is harder for security scanners to detect. Zscaler has protection in place for our customers.
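The three traits described above (an off-screen DIV full of links, an invisible Flash object covering the page, and a script whose content is built from long escape sequences) can be checked statically, without executing any Flash or JavaScript. The scanner below is an added example and not Zscaler's code; the sample page it parses is constructed for illustration, and the thresholds (three hidden links, six consecutive escapes) are assumptions, not values from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample mimicking the page structure described above; the links are placeholders.
SAMPLE = """<html><body>
<div style="position:absolute; left:-9999px; top:-9999px">
<a href="page.php?page=trend-1">trend 1 hot video</a>
<a href="page.php?page=trend-2">trend 2 hot video</a>
<a href="http://www.flickr.com/">flickr</a></div>
<object type="application/x-shockwave-flash" style="position:absolute;top:0;left:0;width:100%;height:100%;opacity:0"></object>
<script>document.write(unescape('%3C%65%6D%62%65%64%20%73%72%63%3D'));</script>
</body></html>"""

OFFSCREEN = re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
INVISIBLE = re.compile(r"opacity\s*:\s*0(?:\.0+)?\b|visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Long runs of %XX or \xXX escapes, or fromCharCode, suggest a script assembling a hidden URL.
OBFUSCATED = re.compile(r"(?:%[0-9a-f]{2}){6,}|(?:\\x[0-9a-f]{2}){6,}|fromCharCode", re.I)

class HotVideoScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._open = []  # (tag, is_offscreen) for each currently open element
        self._script = None  # buffer for the current <script> body, None outside scripts
        self.hidden_links = self.invisible_flash = self.obfuscated_scripts = 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag == "script":
            self._script = ""
        if tag == "a" and any(off for _, off in self._open):  # link inside an off-screen element
            self.hidden_links += 1
        if tag in ("object", "embed") and (INVISIBLE.search(style) or (a.get("wmode") or "").lower() == "transparent"):
            self.invisible_flash += 1
        self._open.append((tag, OFFSCREEN.search(style) is not None))
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.obfuscated_scripts += 1 if OBFUSCATED.search(self._script) else 0
            self._script = None
        while self._open and self._open.pop()[0] != tag:  # unwind to the matching open tag
            pass
    def handle_data(self, data):
        if self._script is not None:
            self._script += data

def scan(html):
    s = HotVideoScanner()
    s.feed(html)
    s.close()
    counts = {"hidden_links": s.hidden_links, "invisible_flash": s.invisible_flash, "obfuscated_scripts": s.obfuscated_scripts}
    return s.hidden_links >= 3 and s.invisible_flash > 0 and s.obfuscated_scripts > 0, counts  # verdict needs all three traits
```

Requiring all three traits together keeps ordinary pages with a single off-screen element or a transparent Flash banner from being flagged; each count is returned separately so an analyst can tune the thresholds.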

-- Julien

1 comment:

Anonymous said...

great article!! Hats off to all you guys!