Introducing ESAT NQD32 and "Test Version" of Windows
ESAT robot iz very sad
I visited Russia and needed to help someone purchase a new computer. This post is the result of that interesting experience, which should at least partially explain Russia's share of malware.
The two reasons I saw were the widespread use of pirated Windows that cannot be updated, and poisoned Google.ru results for any commonly used software: nearly all Google Sponsored Links for searches of Adobe products, antivirus products, free players and utilities will redirect you to malware downloads. Sites.google.com is the most commonly used domain for advertising these malicious "products".
Most desktops sold in Russia are generic boxes built by local computer shops and sold for the price of the hardware. There are more brand-name laptops than desktops, for obvious reasons. Pirated software is officially illegal, but that does not mean you automatically get a licensed version of Windows when you buy a computer, or else a box that does not boot. We purchased our computer for $500 at a computer center that is part of a chain with many stores in the city and were assisted by a salesman in store uniform. I am not mentioning the store name here because it is not a rare exception. Such computer stores are scattered all over; you find them in every city and town of Russia in large numbers.
Our conversation went this way:
M: Can we get Windows and Office install disks with it?
Seller: No, we do not provide them.
M: But are you selling it with Windows and all the software?
Seller: No, this is our "test" version of Windows to show that the hardware works.
M: Is it pirated?
Seller: No, it is our store copy.
M: Will it expire?
Seller: No, it will not; it will work fine forever.
M: Can I get a computer with a licensed version of Windows?
Seller: We sell only hardware.
M: Can I get it without your "test" Windows?
Seller: We can remove it for you for an extra $5.00. You can pick it up in a couple of days.
M: Never mind.
Windows indeed works forever, but you cannot update it because Microsoft detects it as counterfeit.
At home we found the following "test" software installed on the desktop:
FastStone Capture 6.3
Nero 6 Ultra
Quake III Arena
Result Browser 2002
K-Lite Codec pack
and other small utilities and apps
Since you cannot update it, you may get Conficker as soon as you connect it to the internet. Browsing with IE6 guarantees trouble as well. Many average buyers are content with the software already installed on their new PCs and do not worry about licenses or other such details.
You can buy Windows 7 in stores for $350-400, but most people prefer to use what they have rather than pay a lot of money for something they have been getting for free.
PART II - Updates (aka searches in the Wild Wild West, aka Google.ru)
I had to install a licensed version of Windows to be able to run Windows updates. However, finding updates for Flash Player, Adobe Reader, Skype, and instant messengers is not for the naïve and gullible. Nearly all search results are booby-trapped with fake installers carrying all kinds of malware. Black SEO / search result poisoning is very common on the Russian-language internet, but I was appalled by the high prevalence of malicious Sponsored Links results, with the sites.google.com domain often being used for the malicious ads.
Google.com used to serve malicious ads in the past, and you can find plenty of publications about it from 2008-2009. Google.com's ad system has improved; at least I did not get any malicious hits when I tested today, but Google.ru still seems to be in the dark ages. I did not test other regional flavors of Google; perhaps Contagio readers can offer some insights.
According to Google AdWords Help Pages:
Can I make my ads appear above search results?
Google believes strongly in providing high-quality and relevant advertising to our users. On Google search result pages, only the highest ranking AdWords ads are eligible to appear in the top positions above the search results.
Our system does not rank ads solely on cost, so there is no way to guarantee top placement on a search result page. However, by adjusting your keywords' Quality Scores and CPC bids, you can better control the position of your ad and help improve your ad's chance to appear higher within search results.
You can use the top of page bid estimate (Est. top of page bid) as a guide when estimating the cost-per-click (CPC) bid needed for your ad to appear in the top positions above the search results. This metric is only an estimate and not a guarantee of top placement. Learn more about top of page bid estimates.
Remember: The higher the quality, the lower the CPC, and vice versa.
What is a maximum CPC? Your maximum cost-per-click (CPC) is the highest amount that you are willing to pay for a click on your ad.
When ads appear on the Search Network, the maximum CPC is one of the factors affecting ad position. Increasing your maximum CPC can improve the position of your ad.
This result for Flash Player is from Google.com and seems clean.
Here are a few common searches from Google.ru:
Flash Player. Search: http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=flash+player
Sponsored Links: the first result is a site advertising Flash Player (hxxp://sites.google.com/site/flashplayer4uu) offering a download of what turns out to be fake antivirus from hxxp://loadrarfast.ru/install_flash_player.exe
Pretty much every result after the official one is malicious or questionable as well.
Adobe Reader. Search: http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=Adobe+Reader
Sponsored Links: hxxp://sites.google.com/site/adobeereader/ = hxxp://newrusky.ru/42324/install_reader.exe
VirusTotal: http://www.virustotal.com/file-scan/report.html?id=f3ee152969e79baed37740990bab1a2c4c4cb7e87448d353781612a12a3d6f1a-1315733202
Kaspersky. The Sponsored search result offers the mysterious ESAT NQD32, a fake AV pretending to be ESET NOD32 "Russian Free version".
Other Sponsored links that rotate: hxxp://free-antivirus.se-ua.net/home/2/3/
Sponsored Links: hxxp://skaoper.webnode.com/
Other sponsored links that rotate:
Update Sept. 14, 2011: I noticed that ALL searches for any software are poisoned with black SEO, both the Sponsored Links and most links on the first page. I nearly clicked on one myself.
A search for Internet Explorer 8 on Google.ru: one result in the Sponsored Links on the side is www.slo.ru. I hate to think what is there.
A search for Windows Validation Tool on Google.ru brings a lot of questionable and dangerous links as well.
Other Sponsored Ads links are listed below. They are for codecs, media players, Skype, and other apps.
Be careful when visiting: most of them offer links to malware downloads, but some have drive-by installs as well. These are just a few examples; you can find many more.
- hxxp://sites.google.com/site/cikype/ = hxxp://demilar.narod2.ru/ - hxxp://vitiamalkoff.narod.ru/
- hxxp://sites.google.com/site/exflash10/ = http://22.214.171.124/install_flashplayer.exe
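As an added example (not part of the original post), here is a small Python triage helper that turns the post's observations into heuristics for landing-page/download pairs: ad landing pages on free hosting such as sites.google.com, executables served from a host unrelated to the landing page or from a bare IP, and installer file names that imitate Adobe or ESET. The sample pairs are the ones listed in the post plus one constructed benign control; the free-hosting list and the regexes are my assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed heuristics derived from the post: free hosting used for ad landing
# pages, and installer file names that imitate the vendors the post mentions.
FREE_HOSTING = {"sites.google.com", "narod.ru", "narod2.ru", "webnode.com"}
IMPERSONATED = {
    "adobe": re.compile(r"flash_?player|install_reader", re.I),
    "eset": re.compile(r"nod32|eset|esat", re.I),
}

# Sample input: the landing page -> download pairs listed in the post
# (defanged with hxxp as there), plus one constructed benign control.
OBSERVED = [
    ("hxxp://sites.google.com/site/flashplayer4uu", "hxxp://loadrarfast.ru/install_flash_player.exe"),
    ("hxxp://sites.google.com/site/adobeereader/", "hxxp://newrusky.ru/42324/install_reader.exe"),
    ("hxxp://sites.google.com/site/exflash10/", "http://22.214.171.124/install_flashplayer.exe"),
    ("http://vendor.example/download", "http://cdn.vendor.example/setup.exe"),  # constructed control
]

def refang(url: str) -> str:
    """Turn the post's hxxp:// defanging back into http:// so urlparse works."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the hosts on this page."""
    return ".".join(host.lower().split(".")[-2:])

def triage(landing: str, download: str) -> list:
    """Return the reasons a landing -> download pair looks like a poisoned ad."""
    l_host = urlparse(refang(landing)).hostname or ""
    d = urlparse(refang(download))
    d_host = d.hostname or ""
    reasons = []
    if any(l_host == h or l_host.endswith("." + h) for h in FREE_HOSTING):
        reasons.append("landing page on free hosting")
    if d.path.lower().endswith(".exe"):
        reasons.append("direct executable download")
        if d_host.replace(".", "").isdigit():  # dotted-quad IPv4 literal only
            reasons.append("download served from a bare IP")
        elif registrable(d_host) != registrable(l_host):
            reasons.append("download host unrelated to landing page")
        for vendor, pat in IMPERSONATED.items():
            if pat.search(d.path) and vendor not in d_host.lower():
                reasons.append("installer name imitates " + vendor)
    return reasons
```

Running `triage` over `OBSERVED` flags every pair from the post on at least three counts, while the same-domain control is flagged only for being a direct executable download.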