Zscaler Blog

Security Research

Fake AV vs. Zscaler

JULIEN SOBRIER
April 05, 2011 - 2 min read
I've been monitoring blackhat SEO spam for more than a year now. I frequently have to modify the scripts used to retrieve the fake AV pages in order to deal with obfuscation and the other obstacles the perpetrators have put in place.

Fake AV pages are designed to keep security scanners and researchers away. One of the techniques used to weed out automated scanning tools from victims using a real web browser is JavaScript redirection. I have seen more than ten different techniques for redirecting users from the spam page to the malware pages, each leveraging a different kind of JavaScript. Usually they chain two to four redirections, one after the other, each using different code.
[Figure: JavaScript code of some of the redirections]
Once again, by trying too hard to hide the malicious code, Fake AV pages actually become easier to detect: looking at the redirections is more reliable than looking at the malicious code itself.

Strict HTTP Referer

In addition to making the JavaScript redirections difficult for security tools to follow, the pages perform strict checks on the HTTP Referer header. For example, a real browser sends a Referer if the redirection is done through an HTTP Location header, a meta refresh, etc., but no Referer is sent when the redirection uses the JavaScript calls location.assign(new_value) or window.location=new_value.
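As an added example (not code from the original post or from Zscaler), the following Python script shows the detection approach described above: it walks a redirection chain in static HTML and judges the page by how many different redirection techniques it chains, rather than by the final payload. It also records, for each hop, whether a real browser would present a Referer to the next page, following the observation in the Strict HTTP Referer section. The sample pages, hostnames and the `fetch` callable are constructed for the example; the extractor only recovers literal targets (meta refresh and the common JavaScript location idioms), reports obfuscated targets as unresolved, and does not see HTTP-level Location redirects.

```python
"""Detect chained redirections in suspected fake-AV spam pages (added example)."""
import re

# Each pattern captures the literal target URL of one redirection technique.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
        re.I)),
    ("js-location-set", re.compile(
        r'\b(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
        re.I)),
    ("js-assign", re.compile(r'\blocation\.assign\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)),
    ("js-replace", re.compile(r'\blocation\.replace\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)),
]
# A location change whose target is a variable rather than a string literal:
# the page redirects, but the target is obfuscated and cannot be read statically.
UNRESOLVED = re.compile(
    r'\blocation(?:\.href)?\s*=\s*[A-Za-z_$]|\blocation\.(?:assign|replace)\s*\(\s*[A-Za-z_$]',
    re.I)

# Per the post: a browser carries a Referer across meta-refresh (and HTTP
# Location) redirections but not across JavaScript ones. HTTP Location
# redirects are not visible in static HTML, so they are not modelled here.
CARRIES_REFERER = {"meta-refresh": True, "js-location-set": False,
                   "js-assign": False, "js-replace": False, "js-unresolved": False}

# Constructed sample pages standing in for a spam landing page and its hops.
SAMPLE_PAGES = {
    "http://spam.example/landing.html":
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://hop1.example/a.html"></head></html>',
    "http://hop1.example/a.html":
        '<script>window.location="http://hop2.example/b.php";</script>',
    "http://hop2.example/b.php":
        "<script>location.assign('http://hop3.example/c.html');</script>",
    "http://hop3.example/c.html":
        "<html><body>Your computer is infected! Download the scanner.</body></html>",
}


def extract_redirects(html):
    """Return [(technique, target_url)] found in the page, in pattern order."""
    found = [(kind, m.group(1).strip())
             for kind, pat in REDIRECT_PATTERNS for m in pat.finditer(html)]
    if not found and UNRESOLVED.search(html):
        found.append(("js-unresolved", None))
    return found


def follow_chain(start_url, fetch, max_hops=10):
    """Walk the chain from start_url; fetch(url) returns the HTML or None.
    Each hop records the page, the technique found on it, its target and
    whether a real browser would present a Referer to that target."""
    chain, seen, url = [], set(), start_url
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        html = fetch(url)
        if html is None:          # unreachable page: stop with what we have
            break
        redirects = extract_redirects(html)
        if not redirects:         # no redirection: this is the final page
            chain.append({"url": url, "kind": "final", "target": None,
                          "referer_to_target": None})
            break
        kind, target = redirects[0]
        chain.append({"url": url, "kind": kind, "target": target,
                      "referer_to_target": CARRIES_REFERER[kind]})
        url = target
    return chain


def classify(chain):
    """Heuristic drawn from the post: several chained techniques, or an
    obfuscated JavaScript redirect, is the fake-AV pattern; one plain
    redirect is not."""
    techniques = {hop["kind"] for hop in chain if hop["kind"] != "final"}
    if len(techniques) >= 2 or "js-unresolved" in techniques:
        return "suspicious"
    return "redirect" if techniques else "benign"


def scan(start_url="http://spam.example/landing.html", pages=SAMPLE_PAGES):
    """Scan a page offline against the constructed sample site."""
    chain = follow_chain(start_url, pages.get)
    return chain, classify(chain)


if __name__ == "__main__":
    hops, verdict = scan()
    for hop in hops:
        print(f"{hop['url']:40} {hop['kind']:16} -> {hop['target']}")
    print("verdict:", verdict)
```

Running the script scans the constructed landing page and prints the three hops and the verdict `suspicious`. The threshold (two or more distinct techniques, or an unresolvable JavaScript redirect) is a heuristic taken from the post's observation that fake AV pages chain several differently coded redirections; it is not a published Zscaler rule, and a real scanner would replace `pages.get` with an HTTP fetch and add the Location-header hops the static extractor cannot see.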

IP Blocking

It usually only requires a few minutes of work to bypass the "protections" put in place by Fake AV pages. The fake AV authors have no doubt realized that their modifications were not very effective, and that Zscaler and others are still finding their malicious content.

A few days after Mike found iptables rules shared online to block major security vendors, our main IP address was blocked. I quickly changed to a different IP address in the same subnet, but only 3 days later our complete subnet was blocked. I have recently switched to Tor to get random IP addresses, which has allowed me to keep tracking new Fake AV pages.

The cat-and-mouse game between Fake AV and security researchers will probably continue for a long time. Since the attackers keep modifying their content, malicious HTML, JavaScript and executables, Zscaler has to keep monitoring the changes in order to protect its customers from this rapidly evolving threat.

-- Julien