Different strokes for different folks, spyware and browsers

Published: 2006-05-12
Last Updated: 2006-05-12 00:23:57 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

One of our readers, Chris, sent us a URL to an interesting site. The site in question tries to install some spyware on the users' machine. This in itself is not interesting, but some "more advanced" features that we've seen deployed on this site are.

The site creators first setup a wildcard DNS entry for their domain, so anything prefixed to their domain name will go to their web server. They needed to do this so they can try to poison Google rates and enhance their page rankings when users are searching for potential keywords. In Chris' case, he was looking for information about one higher education institution (the attack is not limited to higher education institutions; we've seen a lot of other "poison" attempts from this group).

Now they have the basis for their attacks and we come to the interesting part. As a security researcher, you should always be careful when accessing unknown URLs (if you want to try it with a browser, probably the best way is to use one in a virtual machine). So, we decided to use wget to download the initial index.html web page, to see what's inside. Surprisingly, wget didn't manage to download anything:

$ wget http://[REMOVED].ascii. zstopers.com
--10:56:29--  http://[REMOVED].ascii. zstopers.com/
           => `index.html'
Resolving [REMOVED].ascii. zstopers.com...
Connecting to [REMOVED].ascii. zstopers.com||:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
10:56:30 ERROR 403: Forbidden.

Hmm, forbidden. Ok, that goes with what Chris told us in his e-mail that the site seems to be down now. Being curious as we are (otherwise you won't be reading this diary) we decided to try the same site with Internet Explorer (in a virtual machine, of course).

What we got: (I've removed the domain prefix, which showed higher education institution, but the spyware domain is still visible there):

Notice the ActiveX control up there? That's what they want you to install. The popup will be shown until the user decides to install the ActiveX control. Keep in mind that other Internet Explorer versions will actually show a window asking the user to install the ActiveX component.

So, why didn't our wget work? Let's try with Mozilla:

Interesting! They detect what kind of browser is running, probably by parsing the User Agent field.
So, let's try to download the web page (just the index.html) file with wget, but this time faking the User Agent field, so the remote site will think that we are actually using Internet Explorer. If you're wondering what the User Agent field should look like, the easiest way is to check web server logs on one of the servers you have access to. Below we used Internet Explorer's User Agent field.

$ wget -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://[REMOVED].ascii. zstopers.com/

--11:04:52--  http://[REMOVED]. zstopers.com/
           => `index.html'
Resolving [REMOVED].ascii. zstopers.com...
Connecting to [REMOVED].ascii. zstopers.com||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [                                                                                                                        ] 18,416        42.02K/s

11:04:53 (41.87 KB/s) - `index.html' saved [18416]

Aha! So they do use the User Agent field to detect what browser you are running and then send you to different web pages depending on it.
Further investigation of the index.html web page showed that it calls a JavaScript which then tries to install the WinAntiSpyware2006FreeInstall.cab, a well known spyware application, which some anti-virus vendors even detect as Trojans.

Those guys are definitely getting better and are actively adding new features to their malware. Remember the -U option for wget, it is very handy in cases like this.

0 comment(s)


Diary Archives