Bangkok--18 Nov--Core & Peak
Relying on users' trust in free blog sites, malware authors are now faking entire blogs to install malware onto computers. By inserting malicious iFrames into blogs, hackers are able to redirect users from legitimate blogs to porn Web sites. There they recycle an old technique: convince users to download a “codec,” which turns out to be a browser helper object, a DLL file that has virtually unlimited access to a user’s Internet browser.
The Threat Defined
Blogging blurred the distinction between traditional and new media as more and more people turned to blogs. Readers now consume blogs for content that, not so long ago, only television, newspapers and magazines had been able to provide. On the one hand, the proliferation of blogs by independent bloggers greatly contributed to this shift; more types of content, after all, meant more choices for online readers. On the other hand, traditional media firms embraced blogging to supplement their usual content.
Spammers, always keen on exploring new avenues to reach the largest number of users, started abusing blog features as well. In 2005, security researchers coined the terms “splog” and “blam” to refer to bogus Weblog sites designed specifically to host spam or to promote a product page. These blogs are typically riddled with nonsensical text or content scraped from other online sources.
Distasteful and annoying, splogs pollute search engine results. Furthermore, if their volume reaches critical mass they can degrade Internet bandwidth. Online networking communities consider them a nuisance. Distinct from splogs is spam in blogs, where spammers post spam content in the comment areas provided by most blogging sites.
Recent blog-related abuses, however, prove to be much more damaging. Malware writers set up blogs and post script-laden entries to redirect visitors to other malicious sites. These third-party sites may contain anything from spam to spyware. Malware writers, apparently, rely on the perceived legitimacy of the abused blog domain, such that they need not advertise the malicious URLs in, for instance, spammed email messages.
In mid-October this year, Trend Micro researchers discovered approximately 1,899 blogs hosted on a widely used blog publishing service that contained malicious iFrames redirecting visitors to a porn Web site. While accessing a hacked blog automatically redirects users to the said porn site, malware writers also put links in the blog itself as a backup in case the redirection does not work. When users click on any of the videos on the said site, a window pops up asking them to download a codec. Fake video codecs are a common disguise for malware, as in the case of ZLOB variants. In this instance the file being downloaded, installed, and executed is a Trojan detected by Trend Micro as TROJ_DROPPER.BX, which, in turn, drops a malicious DLL, TROJ_BHO.EZ.
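The redirection described above relies on an iFrame the blog reader never sees. As an added, defender-side example that is not part of this release, the following Python script scans a page's HTML for iFrames that point off the blog's own domain, are sized to zero, or are hidden through inline styles, which are the traits a reviewer would look for when triaging a suspected hacked blog. The sample page, hostnames and paths are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (names lowercased)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_zero(value):
    """True when a width/height attribute starts with the number 0."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) == 0


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for every iframe worth a closer look.

    page_host is the hostname the page was served from; frames loading
    content from any other host are reported so a reviewer can vet them.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-domain src")
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one same-domain widget, one visible third-party
# embed, and one hidden zero-size frame of the kind described in the release.
SAMPLE_BLOG = """
<html><body>
<h1>My travel blog</h1>
<iframe src="https://blog.example.com/widgets/calendar" width="300" height="200"></iframe>
<p>Latest video:</p>
<iframe src="https://video.example.net/embed/123" width="560" height="315"></iframe>
<iframe src="http://redirector.example.org/in.cgi?3" width="0" height="0"
        style="display: none; position: absolute; left: -1000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_BLOG, "blog.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

An off-domain frame on its own is only a prompt for review (legitimate video embeds trigger it too); the combination of off-domain, zero-size and hidden styling is the pattern that deserves immediate attention.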
TROJ_BHO.EZ installs itself as a browser helper object (BHO), which automatically runs at every startup. The registry keys it creates are protected by the operating system, and while the DLL is loaded in memory, removing it in normal mode requires expert knowledge. Browser Helper Objects (BHOs) are DLL modules that provide added functionality to Internet Explorer. Legitimate BHOs can serve users by delivering desired information faster and in a preferred format. The Google Toolbar and the Adobe Flash Player are examples of legitimate and valid BHOs.
In this and many other malicious cases, however, these DLL modules are abused by malware writers. The attack is technically easy because a BHO can access and control navigation of the currently opened pages in a browser using normal user rights. BHOs essentially become browser plug-ins. Cybercriminals may use BHOs to install toolbars that log user keystrokes. Online companies may also install BHOs to display annoying advertisements.
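Because a BHO is nothing more than a DLL registered under a well-known key, the quickest defensive check is to list what is registered there. As an added example that is not part of this release and does not use Trend Micro's tools, the following Python script parses the text of a Windows `reg export` of the Browser Helper Objects key together with the CLSID keys, resolves each registered BHO CLSID to its DLL path via the InprocServer32 value, and flags entries whose DLL sits outside the standard program directories or that lack a friendly name. The export text, GUIDs, vendor name and file paths are constructed placeholders.

```python
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Directories where a legitimately installed BHO DLL is expected to live.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")


def parse_reg_export(text):
    """Parse 'reg export' text into {key_path: {value_name: data}} ('' = default value)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group("name")
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes and escape quotes inside strings.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def inventory_bhos(reg_text):
    """Resolve every registered BHO to its DLL and flag the unusual ones."""
    keys = parse_reg_export(reg_text)
    results = []
    for key in keys:
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        clsid_key = f"{CLSID_ROOT}\\{clsid}"
        name = keys.get(clsid_key, {}).get("", "<no friendly name>")
        dll = keys.get(clsid_key + r"\InprocServer32", {}).get("", "<no InprocServer32>")
        flags = []
        if dll.startswith("<"):
            flags.append("unresolved")
        elif not any(dll.lower().startswith(d) for d in TRUSTED_DIRS):
            flags.append("dll outside standard program directories")
        if name.startswith("<"):
            flags.append("no friendly name")
        results.append({"clsid": clsid, "name": name, "dll": dll, "flags": flags})
    return results


# Constructed export: one vendor toolbar helper and one nameless BHO whose DLL
# was dropped into a temp directory, as a fake-codec installer would do.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Vendor Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\video_codec.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for entry in inventory_bhos(SAMPLE_REG_EXPORT):
        print(entry["clsid"], entry["name"], entry["dll"], entry["flags"])
```

On 64-bit Windows the 32-bit browser reads the same key path under `SOFTWARE\Wow6432Node`, so a complete review exports and parses both hives. A flagged entry is a lead for the analyst, not a verdict; the DLL should be hashed and checked against vendor detections before removal.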
Curiously, the URL to which the blog page redirects draws a blank. It turns out that the hackers behind this attack made a coding mistake in assigning the domain of the download URL. This error stunted the would-be offensive, but users remain vulnerable should a hacker learn from this live example.
The blog URLs themselves are legitimate. This complicates the problem, as there is clearly no automated way to separate fake blogs from legitimate blogs. A McCann report mentions that the number of blog users all over the world is still growing. Including bloggers themselves, about 63% of Internet users worldwide routinely access personal blogs.
User Risks and Exposure
Users who do not have Trend Micro protection risk infection from a myriad of threats possibly hosted on the final landing page in this attack. In this particular case, TROJ_BHO.EZ creates registry entries that install it as a BHO. It monitors browsing habits to deliver “relevant advertising content.” These unsolicited pages disrupt the user's browsing experience.
The reputation of blog publishing firms may also suffer because of these attacks. Since the blogs lead to malicious URLs, users may assume that the blog domains themselves are malicious.
Trend Micro Solutions and Recommendations
Trend Micro Smart Protection Network delivers security that is smarter than conventional approaches. It blocks the latest threats before they reach you. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud technologies and lightweight client architecture to immediately and automatically protect your information wherever you connect.
Smart Protection Network also provides another layer of defense through Web Reputation technology, which identifies known malicious or dangerous Web sites and blocks users’ access based on domain reputation ratings. File Reputation technology assesses the integrity of all files downloaded unknowingly onto computers. It detects and removes TROJ_DROPPER.BX, TROJ_BHO.EZ and other dangerous threats. In-the-cloud correlation technology with behavior analysis finds associations between combinations of threat activities to determine if they are part of an overall malicious attack.
The following posts at the Trend Micro Malware blog discuss the spam runs:
http://blog.trendmicro.com/fake-blogs-lead-to-fake-porn/
http://blog.trendmicro.com/splog21-blam21
http://blog.trendmicro.com/fake-bebo-profiles-spam-early-spam-often/
Technical descriptions of the malware related to this attack can be viewed here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPER.BX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BHO.EZ
The McCann report is found here:
http://www.universalmccann.com/Assets/wave_3_20080403093750.pdf
Busakorn Sonthikorn
Public Relations Consultant
Core & Peak Co., Ltd.
Tel. +66 (2) 439 4600 ext 8202
e-mail: [email protected]
www.coreandpeak.com