More Trick than Treat 

Oct 19, 2009 04:23 AM

The most stressful thing about Halloween has always been deciding on a costume. Second place: making sure to have enough candy around for trick-or-treaters who may come a-knocking. All pretty straightforward stuff, right? This time around, though, it looks like the folks behind various rogue security software packages are using Halloween-related search engine poisoning techniques to hoist their fake scanners and other malware onto the computers of unsuspecting users.

While searching for a Halloween costume, one of my Security Response colleagues found a number of pages that – following the usual chain of JavaScript redirects – employ various techniques to coerce the user into installing one of several rogue security applications. Poisoned search terms discovered by us include ‘Halloween costumes’, ‘Best Halloween recipes’ and ‘Halloween theme music’, and it’s likely that there are many more where those came from.

The search engine listings appear as follows:
[image: search.jpg]

Note the obviously machine-generated text, the ‘blog’ text in the URL and the numeric file name given to the document. A significant number of the hosts seem to be blog sites that have been hacked, and it appears that some degree of automation is present here. Clicking through the poisoned results leads to the following page:

[image: first.jpg]

The page contains:

[image: html-iframe.jpg]

(Notice the Halloween-related parameters being passed to the script; we’ll revisit this later.)

The above file contains the following obfuscated JavaScript that masks the URL to which users are redirected:

[image: js.jpg]

A series of redirects then takes the user down the poorly-lit back alley that leads to fake in-browser security “scans”, drive-by downloads, adult material, fake Flash Player updates and numerous pop-ups containing dire warnings about the perils of continuing “unprotected”. Somehow I don’t think they have your best interests at heart.

One of the pages to which users may be redirected appears as follows:

[image: hoverlink.jpg]

This is a generic page: we can see the parameters passed in to the redirect function in the title and the address bar as well as on the page itself. The inclusion of these terms also has the nice side-effect of allowing the bad guys to track the effectiveness of their scareware campaigns. One has to wonder how many other campaigns these pages are being used for.

Posing as a link to Flash Player software that will allow the user to watch the non-existent ‘video’, the URL from which the actual executable is downloaded can be seen at the bottom left of the browser window. This URL also contains the topic-related words:

[image: url1.jpg]

Simply manipulating the characters in the page URL causes the link to the malicious executable to vary; it’s possible to set the executable to be called, say, ‘this-will-harm-your-computer.exe’. This is more evidence that the people behind this aren’t likely to be content with just Halloween. Next up: Thanksgiving!

In another instance, doing a binary diff of two different downloads of what externally appears to be the same rogue security product installer yields the following:

[image: diff-a.jpg]

[image: diff-b.jpg]

The two files are identical apart from these few bytes and a separate two-byte difference earlier in the executable. It’s possible this is done for registration/tracking purposes or as an attempt to foil security products that use simple hash/checksum algorithms.
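The per-download byte changes described above are exactly what defeats a blocklist keyed on a whole-file hash. The following is an added example (not code from the original post or from Symantec) that constructs two samples differing only in a two-byte patch and a short run of bytes, locates the differing ranges, and shows that a plain SHA-256 splits them while a hash taken with the known mutable regions masked maps both to one value. The sample bytes, offsets and the `TRACK1` tag are constructed for illustration; in practice the mutable regions would be learned from a cluster of captured downloads rather than from a single pair.

```python
import hashlib

# Constructed stand-in for two downloads of the "same" installer: identical
# filler, except a two-byte patch early on and a few bytes further in.
BASE = bytes(range(256)) * 4          # 1024 bytes of filler in place of a real PE image
_b = bytearray(BASE)
_b[0x40:0x42] = b"\x01\x02"           # two-byte difference early in the file
_b[0x300:0x306] = b"TRACK1"           # a few bytes later (e.g. a campaign/affiliate tag)
DOWNLOAD_A = bytes(BASE)
DOWNLOAD_B = bytes(_b)


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) for every contiguous run where a and b differ."""
    if len(a) != len(b):
        raise ValueError("samples differ in length; not a byte-for-byte variant")
    ranges = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                          # entering a differing run
        elif x == y and start is not None:
            ranges.append((start, i - start))  # leaving a differing run
            start = None
    if start is not None:                      # run extends to end of file
        ranges.append((start, len(a) - start))
    return ranges


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def masked_sha256(data: bytes, ranges: list[tuple[int, int]]) -> str:
    """Hash the sample with the known mutable regions zeroed, so every
    per-download variant of one installer yields the same value."""
    buf = bytearray(data)
    for off, ln in ranges:
        buf[off:off + ln] = b"\x00" * ln
    return sha256(bytes(buf))


if __name__ == "__main__":
    mutable = diff_ranges(DOWNLOAD_A, DOWNLOAD_B)
    print("differing ranges:", mutable)                       # [(64, 2), (768, 6)]
    print("plain hashes match:", sha256(DOWNLOAD_A) == sha256(DOWNLOAD_B))
    print("masked hashes match:",
          masked_sha256(DOWNLOAD_A, mutable) == masked_sha256(DOWNLOAD_B, mutable))
```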

Symantec Security Response will continue to monitor the progress of this seasonal badware distribution; new threats are likely to be added to the already long list of malware being distributed by these guys. Symantec products detect the downloaded software as variants of Trojan.FakeAV and Downloader, with heuristic and behavioral blocking taking care of the rest. Keeping your browser up-to-date, a judicious eye on where you browse and a finger on the ‘back’ button will always help to avoid falling victim to these scams, and of course be sure never to give any credit card details to these Halloween imps.

(Thanks to my colleague Patrick Fitzgerald for the heads-up on the search engine poisoning.)
