Apr 9th

Rogue Software 101

Posted by: Jacques Erasmus


Today there has been a lot of talk about rogue software and what a big threat it poses. We saw Microsoft speak about it at some length today, with Ed Gibson in particular commenting on it over here.

Now, as most of you know, the most common way to get infected with these is through drive-by infections. Tonight I was reading an article on www.tradingmarkets.com named "The Mercury News Interview: Symantec CEO Enrique Salem" and, ironically, while I was reading, the page redirected me to an installation of SpywareRemover2009, which is a known rogue anti-spyware program. So, being naturally curious, I cleared my cookies, switched IPs and reloaded the page while running Wireshark. Looking at the Wireshark output, the culprit is an E-Trade banner that is redirecting visitors to the download page for SpywareRemover2009.

Let’s take a look at how the traffic flow looks:

The picture above shows how the E-Trade banner, which you can see in the Referer header, redirects to "welovesandi dot com". This raises a very important question... Who is Sandi?!
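The way the chain above is read off a capture is by following Referer headers backwards from the rogue download host until you reach the page that started it. As an added example (not the author's own script, and not part of the original post), the Python below does that walk over the kind of tab-separated request list you get from tshark. The tshark command in the docstring is a real invocation; the sample request lines are constructed, and the hostnames other than www.tradingmarkets.com (the ad server and the landing domain use the reserved .invalid TLD) and all paths and frame numbers are hypothetical stand-ins, not values from the real capture.

```python
"""Reconstruct an HTTP referer chain from tshark field output.

Added example; not the blog author's analysis script. It assumes the
HTTP requests were exported from the Wireshark capture with:

    tshark -r capture.pcap -Y http.request -T fields -E separator=/t \
        -e frame.number -e http.host -e http.request.uri -e http.referer

and walks the Referer headers back from the rogue download host to the
page that started the chain (the HTTP header really is spelled Referer).
"""
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    frame: int
    host: str
    uri: str
    referer: str  # empty string when the request carried no Referer header

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.uri}"


# Constructed sample, not a real capture. The ad server and the rogue
# landing domain are hypothetical stand-ins (.invalid TLD); the paths and
# frame numbers are made up for the example.
SAMPLE_TSHARK_OUTPUT = """\
12\twww.tradingmarkets.com\t/interviews/symantec-ceo.html\t
19\tads.adserver.invalid\t/banner?campaign=etrade\thttp://www.tradingmarkets.com/interviews/symantec-ceo.html
27\tads.adserver.invalid\t/click?id=7731\thttp://ads.adserver.invalid/banner?campaign=etrade
33\twww.welovesandi.invalid\t/\thttp://ads.adserver.invalid/click?id=7731
41\twww.welovesandi.invalid\t/download/SpywareRemover2009.exe\thttp://www.welovesandi.invalid/
"""


def parse_tshark_fields(text: str) -> List[Request]:
    """Parse tab-separated 'tshark -T fields' lines into Request records."""
    requests: List[Request] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        # A request with no Referer header may leave the last field missing
        # entirely depending on tshark version; pad so it does not raise.
        parts += [""] * (4 - len(parts))
        frame, host, uri, referer = parts[:4]
        requests.append(Request(int(frame), host, uri, referer))
    return requests


def build_referer_chain(requests: List[Request], target_host: str) -> List[Request]:
    """Walk Referer headers backwards from the first request to target_host.

    Returns the chain in page order: originating page first, target last.
    A Referer that matches no captured request ends the walk (the parent
    may have been fetched over HTTPS, cached, or before the capture began).
    """
    by_url: Dict[str, Request] = {}
    for r in requests:
        by_url.setdefault(r.url, r)  # keep the earliest request for each URL
    start = next((r for r in requests if r.host == target_host), None)
    if start is None:
        return []
    chain = [start]
    seen = {start.url}
    current = start
    while current.referer:
        parent = by_url.get(current.referer)
        if parent is None or parent.url in seen:  # unknown parent or a loop
            break
        chain.append(parent)
        seen.add(parent.url)
        current = parent
    chain.reverse()
    return chain


def hosts_in_chain(chain: List[Request]) -> List[str]:
    """Distinct hosts in chain order, so the ad-server hop stands out."""
    hosts: List[str] = []
    for r in chain:
        if not hosts or hosts[-1] != r.host:
            hosts.append(r.host)
    return hosts


if __name__ == "__main__":
    reqs = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    chain = build_referer_chain(reqs, "www.welovesandi.invalid")
    for r in chain:
        print(f"frame {r.frame:>4}  {r.url}")
    print("hosts:", " -> ".join(hosts_in_chain(chain)))
```

On the constructed sample the walk lands on the article page via two ad-server hops, which is exactly the shape that distinguishes a poisoned banner from a compromised site: the first hop off the legitimate page goes to the ad network, not to the rogue domain. The chain breaks wherever a hop sends no Referer (an HTTPS parent, a meta refresh in some browsers, or a redirect issued before you started capturing), so a short chain means "capture more", not "the page is clean".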

Visiting that domain brings you to a web page that looks something like the one below; they rotate, so you might not see the same one.

At the end of the day, this is just another example of how widespread the infection vectors are these days. Banner redirection from perfectly legitimate sites is just another way you can end up with unwanted nonsense on your machine if it’s not protected properly.

2 comments so far

jerry lord on Apr 10 20:53, 2009

I have been wondering if web sites that seem to distribute malware are really compromised or if it is from the externally hosted ads that are shown. For example was tradingmarkets.com compromised or was the ad being displayed compromised or from a suspicious source? My guess is that some sites take on ads from questionable sources to get the money.

Do you have any insight into that?

Jacques Erasmus on Apr 10 23:51, 2009

In this case it was a compromised ad served from a realmedia site. In terms of your main question, I would say that both scenarios are being used today.
