Fake AV Site Uses Code as Well as Binary Randomization
According to the security company Zscaler, attackers have randomized the source code of a website so that every visitor receives a different version of a fake malware-detection page, together with a malicious binary posing as an anti-virus application offered for download. Help Net Security published this on March 25, 2011.
Apparently, the tainted website not only alters the web page's source code constantly but also alters the malicious binaries, and it even modifies a few strings used in an animation.
Umesh Wanve, the security company's researcher, elaborates that the code contains various random variables and bogus security alerts that have been split into smaller variables, so that they easily bypass AV solutions as well as IPS/IDS engines that try to match the usual kinds of string patterns, Help Net Security reported.
Security specialists explain that a large number of compromised websites exist that redirect web surfers to bogus security-software scams. These websites show visitors bogus security alerts in animated form, so that they are scared into downloading and installing a binary that is actually a bogus anti-virus.
To prove the point, Zscaler researchers accessed the website repeatedly over one minute, during which they collected the different malicious binaries and source files.
Moreover, on each access they found a different security alert naming a different Trojan. A careful examination of the web pages' source files shows that they are randomized on every visit.
And as with any bogus anti-virus website, in this instance too, when someone visits the web page a social engineering tactic tricks them into downloading a bogus security application that actually installs malware.
Significantly, the malware changes with each new visit, and the different source files have different MD5 hashes. The binaries, however, remain the same size.
Wanve concludes that the incident makes clear that simple pattern-matching engines, which rely on fixed strings built into the source code, will not succeed in spotting this attack. Randomized malicious binaries will likewise bypass otherwise effective AV engines, the researcher adds.
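To make the detection point concrete, here is an added Python example; it is not Zscaler's code and does not come from the article. Two constructed page samples split the fake alert text across randomly named variables, as the article describes. A literal signature match fails on both, while a small resolver that reassembles the string concatenations before matching catches both. A second check compares constructed binary samples and flags the pattern the article reports: different MD5 hashes but identical size. All variable names, alert strings, and byte blobs are constructed for this example.

```python
import hashlib
import re

# Constructed samples: the same page fetched twice. The alert text is split
# across randomly named variables and reassembled at runtime, so no single
# string literal contains the full message.
PAGE_VISIT_1 = r'''
<script>
var q3f = "Your comp";
var z91 = "uter is inf";
var m7k = "ected! Down";
var p2d = "load antivirus now";
var alertMsg = q3f + z91 + m7k + p2d;
showAlert(alertMsg);
</script>
'''
PAGE_VISIT_2 = r'''
<script>
var aa1 = "Your co";
var bb2 = "mputer is infected";
var cc3 = "! Download anti";
var dd4 = "virus now";
var warn = aa1 + bb2 + cc3 + dd4;
showAlert(warn);
</script>
'''

# Constructed signature a naive engine would look for in the raw source.
SIGNATURE = "Your computer is infected! Download antivirus now"

# Matches simple `var NAME = EXPR;` statements (constructed, minimal grammar).
VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*([^;]+);')
STR_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')

def naive_match(source, signature=SIGNATURE):
    """Plain substring match on the raw page source, as a simple engine would do."""
    return signature in source

def resolve_strings(source):
    """Map each variable to its fully resolved string value.

    Handles string literals and `+` concatenations of literals and
    previously defined variables; anything else is skipped.
    """
    env = {}
    for name, expr in VAR_RE.findall(source):
        value = ""
        resolvable = True
        for part in expr.split("+"):
            part = part.strip()
            m = STR_RE.fullmatch(part)
            if m:
                value += m.group(1) if m.group(1) is not None else m.group(2)
            elif part in env:
                value += env[part]
            else:
                resolvable = False
                break
        if resolvable:
            env[name] = value
    return env

def normalized_match(source, signature=SIGNATURE):
    """Match the signature against reassembled strings instead of raw source."""
    return any(signature in v for v in resolve_strings(source).values())

def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()

def page_hashes_differ(pages):
    """True when every fetched page has a distinct MD5, i.e. per-visit randomization."""
    return len({md5_hex(p.encode()) for p in pages}) == len(pages)

def same_size_different_hash(blobs):
    """True when all blobs share one size but no two share an MD5 hash."""
    sizes = {len(b) for b in blobs}
    hashes = {md5_hex(b) for b in blobs}
    return len(sizes) == 1 and len(hashes) == len(blobs)

# Constructed binary samples: equal length, content differs in a padding region.
BIN_VISIT_1 = b"MZ" + b"\x00" * 62 + b"A" * 16
BIN_VISIT_2 = b"MZ" + b"\x00" * 62 + b"B" * 16

if __name__ == "__main__":
    for label, page in (("visit 1", PAGE_VISIT_1), ("visit 2", PAGE_VISIT_2)):
        print(label, "naive:", naive_match(page), "normalized:", normalized_match(page))
    print("pages differ by hash:", page_hashes_differ([PAGE_VISIT_1, PAGE_VISIT_2]))
    print("binaries same size, different hash:",
          same_size_different_hash([BIN_VISIT_1, BIN_VISIT_2]))
```

The resolver deliberately handles only the split-string pattern the article describes; a real deobfuscation stage would run the script in a sandboxed interpreter and match on the strings it produces at runtime. The size-versus-hash check is a cheap triage signal for a batch of downloads from one site, not a verdict on its own.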
» SPAMfighter News - 04-04-2011