3163 Views 2 Replies Latest reply: Oct 20, 2011 2:18 PM by newjack RSS
Hayton Volunteer Moderator 4,590 posts since
Sep 27, 2010

Oct 17, 2011 7:48 PM

Zero Access rootkit from Yahoo & Bing searches

The Zero Access threads in Top Threats and Artemis have gone quiet for the moment, but this particular piece of malware hasn't gone away.
None of the posters to those threads has indicated where or how they might have acquired Zero Access, although in at least some cases there appears to be a connection with a Fake AV program going under various names including Open Cloud Security.
Now one of the infection vectors has been identified. Anyone using Yahoo or Bing to search for a place from which to download the latest version of Flash Player would have seen, before any of the search results, one or more "Sponsored Results" - like the example below.

[Image: Bing search result + sponsored ad]
One of those Sponsored Results redirected browsers to a directory on a hijacked site (Arulbrothers dot com, a haulage [trucking] company) which downloaded the rootkit from torreandaluz-dot-com (a site rated Red by WOT, Green by SiteAdvisor).

[Image: arulbrothers hijack]

[Image: torreandaluz SiteAdvisor rating]

So that's how these things are done. Be careful what you click on, and DO NOT click on the Sponsored Ads unless you recognise the URL (if in doubt, hover the cursor over it and look for the address at the bottom of the page). They're just so easy to arrange - always first on the page, vaguely familiar names, tailored to popular searches. They must be okay, right, or Google/Bing/Yahoo wouldn't allow them? Wrong. Search-engine companies need the money, and they accept paid-for advertising, few questions asked. If it behaves itself for a couple of days they lose interest, and that's when the switch can be made ... and you end up with a rootkit.
Full story is on Computerworld, here. From that story :

IDG News Service - Searching for Flash Player on Bing and Yahoo can lead to rogue pages distributing a hard-to-remove rootkit, according to security researchers from antivirus vendor GFI Software.
The problem resides with the so-called sponsored results, the advertisements displayed at the top of search results for particular keywords. These look slightly different from the organic results normally returned by Bing's algorithm, but close enough for users to frequently click on them.
In the new attack observed by GFI Software, a sponsored result shown when searching for "Adobe Flash" linked to a page called "Download Flash Player" under the GetAdobeFlash.com domain.
However, according to Alex Eckelberry, vice president and general manager of the security software division at GFI, clicking on the link redirected users to a rogue page that was advertising Flash Player 10 but distributed a dangerous rootkit instead.
"In this case, we're talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the 'net right now," said Eckelberry. "Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting)," he added.
Message was edited by: Hayton on 18/10/11 01:48:50 IST

Volunteer Moderator  Leeds, UK
No PM's please
  • newjack Veteran 1,172 posts since
    Dec 5, 2009
    2. Oct 20, 2011 2:18 PM (in response to Hayton)
    Re: Zero Access rootkit from Yahoo & Bing searches

    Thanks for the info Hayton, very interesting. But the million dollar question is: since SiteAdvisor recommends the use of Yahoo, plus the site is no good but rated green, isn't this more of a reason for SiteAdvisor to look into how they are operating? I know there is a lot involved. But how does WOT seem to be more accurate than SiteAdvisor? Not sure how they work it. But I believe some of the trusted reviewers should have a little say in the ratings.
