By: Julien Sobrier

Fake AV Vs. Zscaler

Analysis

I've been monitoring Blackhat spam SEO for more than a year now. I frequently have to modify the scripts used to retrieve the fake AV pages in order to deal with obfuscation and other obstacles the perpetrators have put in place.

Fake AV pages are designed to keep security scanners and researchers away. One of the techniques used to weed out automated scanning tools from victims using a real web browser is JavaScript redirection. I have seen more than ten different techniques to redirect users from the spam page to malware pages, leveraging different types of JavaScript. Usually, they use two to four redirections, one after the other, each using different code.
 
[Image: JavaScript code of some of the redirections]
Once again, by trying too hard to hide the malicious code, Fake AV pages are actually easier to detect by looking at the redirections rather than at the malicious code itself.
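As an added illustration of that detection angle (example code, not the author's scripts; the hop*.example hosts and the sample page are constructed), a small Python extractor that pulls the redirect targets out of a landing page, folds the simple string-concatenation trick used to hide them, and flags a page carrying two or more chained redirects:

```python
import re

# Constructed sample landing page (hypothetical hop*.example hosts): a meta refresh,
# a window.location assignment fed by a concatenated variable, and location.assign().
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://hop1.example/go.php">
<script>
var u = "http://hop2.ex" + "ample/scan.php";
window.location = u;
location.assign("http://hop3.example/av.php?id=1");
</script></head><body>loading...</body></html>"""

STRING = r'(?:"[^"]*"|\'[^\']*\')'
IDENT = r'[A-Za-z_$][\w$]*'
EXPR = rf'(?:{STRING}|{IDENT})(?:\s*\+\s*(?:{STRING}|{IDENT}))*'  # e.g. "a" + b + "c"

VAR_RE = re.compile(rf'\bvar\s+({IDENT})\s*=\s*({EXPR})\s*;')
REDIRECT_RES = [
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)),
    ("location.assign", re.compile(rf'location\.assign\(\s*({EXPR})\s*\)')),
    ("location.replace", re.compile(rf'location\.replace\(\s*({EXPR})\s*\)')),
    ("location=", re.compile(rf'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*({EXPR})\s*;')),
]

def evaluate(expr, variables):
    """Fold a string-literal / variable concatenation into one plain string.
    Unknown variables stay as <name> so the analyst sees what was not resolved."""
    out = []
    for tok in re.findall(rf'{STRING}|{IDENT}', expr):
        out.append(tok[1:-1] if tok[0] in '"\'' else variables.get(tok, f"<{tok}>"))
    return "".join(out)

def extract_redirects(html):
    """Return [(method, target)] in document order for every redirect found."""
    variables = {}
    for m in VAR_RE.finditer(html):  # resolve simple `var x = "..." + "...";` first
        variables[m.group(1)] = evaluate(m.group(2), variables)
    found = []
    for method, rx in REDIRECT_RES:
        for m in rx.finditer(html):
            target = m.group(1) if method == "meta-refresh" else evaluate(m.group(1), variables)
            found.append((m.start(), method, target))
    return [(method, target) for _, method, target in sorted(found)]

def is_suspicious(html, min_hops=2):
    """The post's heuristic: several chained redirects on one page is itself a signal."""
    return len(extract_redirects(html)) >= min_hops

if __name__ == "__main__":
    for method, target in extract_redirects(SAMPLE_HTML):
        print(f"{method:16} -> {target}")
    print("suspicious:", is_suspicious(SAMPLE_HTML))
```

Real pages add layers the post mentions (eval, encoded strings), so this only resolves the plain concatenation case; anything it cannot fold shows up as an unresolved `<name>` for manual follow-up.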

Strict HTTP Referer

In addition to making the JavaScript redirections difficult for security tools to follow, there are strict checks on the HTTP Referer header. For example, a real browser sends a Referer if the redirection is done through an HTTP Location header redirection, a meta redirection, etc., but no Referer is sent when using the JavaScript functions location.assign(new_value) or window.location=new_value.

IP Blacklisting

It usually only requires a few minutes of work to bypass the "protections" put in place by Fake AV pages. The fake AV authors have no doubt realized that their modifications were not very effective, and that Zscaler and others are still finding their malicious content.

A few days after Mike found iptables settings shared online to block major security vendors, our main IP address was blacklisted. I quickly changed to a different IP address in the same subnet, but only 3 days later, our complete subnet was blacklisted. I have recently switched to Tor to get random IP addresses. This has allowed me to keep tracking new Fake AV pages.

The cat and mouse game between Fake AV and security researchers will probably keep going for a long time. Since the attackers keep modifying their content, malicious HTML, JavaScript and executables, Zscaler has to keep monitoring the changes in order to protect its customers against this rapidly evolving threat.

-- Julien