Pages

Sunday, September 11, 2011

Russian Black SEO ❤ Google.ru.

Introducing ESAT NQD32 and "Test Version" of Windows

ESAT robot iz  very sad
I wasn't planning to make any posts while traveling for the lack of fast internet connection and ability to handle malicious files. For the same reason I will not be posting any analysis or malware zip archives in this post, only malicious links.


I visited Russia and needed to help someone purchase a new computer. This post is the result of the interesting experience, which should at least partially explain the share of malware from Russia .

 The two reasons I saw were the widespread use of pirated Windows that cannot be updated and poisoned Google.ru results for any commonly used software - nearly all Google Sponsored Links for searches of Adobe products, antivirus products, free players and utilities will redirect you to malware downloads. Sites.google.com is most commonly used domain for advertising these malicious "products".


Computer store

PART I - Computer purchase

Most desktops sold in Russia are generic boxes built by local computer shops and sold for the price of hardware. There are more brand name laptops than desktops, for obvious reasons. Pirated software is officially illegal but it does not mean you would automatically get a licensed version of Windows if you buy a computer or get a box that does not boot. We purchased our computer for $500 at a computer center that is part of a chain with many stores in the city and were assisted by a sales guy in store uniform. I am not mentioning the store name here because it is not a rare exception. Such computer stores are scattered all over, you find them in every city and town of Russia in many numbers.

Our conversation went this way:

M:      Can we get Windows and Office install disks with it?
Seller: No, we do not provide them.
M:      But are you selling it with Windows and all the software?
Seller: No, this is our "test" version of Windows to show that hardware works
M:      Is it pirated?
Seller: No, it is our store copy
M:      Will it expire?
Seller: No, it will not, will work fine forever
M:      Can I get a computer with a licensed version of Windows?
Seller: We sell only hardware.
M:      Can I get it without your "test" Windows?
Seller: We can remove it for you for extra $5.00. You can pick it up in a couple of days.
M:      never mind

Windows indeed works forever but you cannot update it because Microsoft detects it as counterfeit.
At home we found the following "test" software installed on the desktop:
MS Office
FastStone Capture 6.3
Nero 6 Ultra
Quake III Arena
PCMark2002
Result Browser 2002
K-Lite Codec pack
Dreamweaver 8
WinRar
Viewport player
and other small utilities and apps

Since you cannot update it, you may get Conficker as soon as you connect it to internet. Browsing with IE6 is a guarantee for trouble as well. Many average buyers are content with software already installed on their new PCs and do not worry about licenses or other such details.

Update Sept 14, 2011: Today I had to help with two more computers. I noticed that the concept of Windows updates is foreign to all average users and to most technically capable users. Pirated Windows XP SP2 is most common, I also ran into something called Windows Royale (with a trademark too) - which is actually pirated Windows XP SP2. See  the screenshot on the left.
You can buy Windows 7 in stores for $350-400 but most people prefer to use what they have and not to pay huge money for something they have been getting for free.




PART II - Updates (aka searches in the Wild Wild West, aka Google.ru)
I had to install a licensed version of Windows to be able to run Windows updates.  However, finding updates for Flash player, Adobe Reader, Skype, and instant messenger is not for the na├»ve and gullible. Nearly all search results are booby trapped with fake installers carrying all kinds of malware. Black SEO / search result poisoning is very common in Russian language internet but I was appalled by the high prevalence of malicious Sponsored Links Results with sites.google.com domain are often being used for malicious ads.

Google.com used to bring malicious ads in the past and you can find plenty of publications about it from 2008-2009. Google.com ads system improved, at least I did not get any malicious hits when tested today, but Google.ru seems to be still in the dark ages. I did not test other regional flavors of Google, perhaps Contagio readers can offer some insights.

According to Google AdWords Help Pages:

http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=6546
Can I make my ads appear above search results?
Google believes strongly in providing high-quality and relevant advertising to our users. On Google search result pages, only the highest ranking AdWords ads are eligible to appear in the top positions above the search results.
Our system does not rank ads solely on cost, so there is no way to guarantee top placement on a search result page. However, by adjusting your keywords' Quality Scores and CPC bids, you can better control the position of your ad and help improve your ad's chance to appear higher within search results.
You can use the top of page bid estimate (Est. top of page bid) as a guide when estimating the cost-per-click (CPC) bid needed for your ad to appear in the top positions above the search results. This metric is only an estimate and not a guarantee of top placement.  Learn more about top of page bid estimates.
Remember: The higher the quality, the lower the CPC, and vice versa.

http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=10188
What is a maximum CPC? Your maximum cost-per-click (CPC) is the highest amount that you are willing to pay for a click on your ad.

When ads appear on the Search Network, the maximum CPC is one of the factors affecting ad position. Increasing your maximum CPC can improve the position of your ad

This result for Flash player is from Google.com - seems clean




Here are few common searches from Google.ru

Flash Player 
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=flash+player


Sponsored Links: The first result - Site advertising Flash Player (hxxp://sites.google.com/site/flashplayer4uu) offering download of what turns out to be Fake Antivirus from hxxp://loadrarfast.ru/install_flash_player.exe
Virustotal:  http://www.virustotal.com/file-scan/report.html?id=1c20a73e28e1bdab541ee05e46007cf9faea0346eab218b6de3276641bc62209-1315766770





Pretty much every result after the official is malicious or questionable as well.


Adobe Reader
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=Adobe+Reader
Sponsored Links: hxxp://sites.google.com/site/adobeereader/ =   hxxp://newrusky.ru/42324/install_reader.exe
Virustotal: http://www.virustotal.com/file-scan/report.html?id=f3ee152969e79baed37740990bab1a2c4c4cb7e87448d353781612a12a3d6f1a-1315733202



 

 


Kaspersky
Sponsored Search Result offers mysterious ESAT NQD32 - Fake AV pretending to be Eset Nod32 "Russian Free version".
Other Sponsored links that rotate: hxxp://free-antivirus.se-ua.net/home/2/3/
Virustotal: http://www.virustotal.com/file-scan/report.html?id=fab5a1ce612c13aea622fc41115da74b2c01d194f033b26f5274a873ef1306de-1315741098
 


 


Skype
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=skype
Sponsored Links: hxxp://skaoper.webnode.com/ 
Other sponsored links that rotate:
hxxp://sites.google.com/site/skypesnew/
hxxp://sites.google.com/site/newskvype55/
Virustotal:











Update Sept. 14, 2011
I noticed that ALL searches for any software are poisoned with black SEO. Both Sponsored Links and most links on the first page. I nearly clicked on one myself.

Search for Internet Explorer 8 on Google.ru - one result in Sponsored Links on the side is www.slo.ru. I hate to think what is there

Search for Windows Validation Tool in Google.ru bring a lot of questionalble and dangerous links as well.

Other Sponsored Ads links are listed below. They are for codecs, media players, Skype, and other apps.
Be careful when visiting, Most of them offer links to malware downloads but some have drive-by installs as well. These are just a few examples, you can find many more.
  • hxxps://sites.google.com/site/freeskipcon/
http://www.virustotal.com/url-scan/report.html?id=4ebe0255e4dfbd3193ab106d182f8874-1315731249
http://www.virustotal.com/file-scan/report.html?id=abbbac11f1d74204990a4e3c48a8cf8872ea859ae356d2770acb6b41e0b2cf21-1315738456

  •  hxxp://sites.google.com/site/cikype/ = hxxp://demilar.narod2.ru/ - hxxp://vitiamalkoff.narod.ru/
  • hxxp://sites.google.com/site/flashplayer11new/  
  • hxxps://sites.google.com/site/kodekiprorus/
  • hxxps://sites.google.com/site/pleerandkodeki/
  • hxxp://sites.google.com/site/skypesnew/
  • hxxp://sites.google.com/site/newskvype55/
  • hxxps://sites.google.com/site/ryskodik/
  • hxxps://sites.google.com/site/godekicool/
  • hxxps://sites.google.com/site/kodukqrus/
  • hxxps://sites.google.com/site/packodeklite/
  • hxxp://sites.google.com/site/exflash10/ = http://109.120.157.81/install_flashplayer.exe
    //www.virustotal.com/file-scan/report.html?id=9550f44ec572d684f06fe6272eb0c501e04268259700fdb1d73673d33ef09355-1315740571

8 comments:

  1. do you know the salary in Russia??? people just can't buy such an expansive soft!

    ReplyDelete
  2. @anastasia Linux is free

    ReplyDelete
  3. It's not about the money - people in Russia or other post-Soviet states just aren't used to paying for software. Even if they have money - downloading software is much simpler and easier. Piracy there is very common, especially among the young. Naturally, fake trojan-infected programs are common, too.

    ReplyDelete
  4. Im living in Russia and i always buy genuine software (except these tools, which i need once a year and there is a trial version).
    I do not know about other cities, but in Moscow now there are no small computer shops(or they are hidden), and in big ones you will get the maximum quality of service.
    @anastasia - people cannot buy means people should not use :)

    ReplyDelete
  5. Maxim - Russia is slightly bigger the The Ring road around Moscow.Average salary in 2010 was ~640$.

    And security professionals have to be realistic - if Operating System price tag is equivalent to 50% of average salary, and access to Internet is vital for their children future - then A LOT of people would not pay.

    ReplyDelete
  6. Indeed, Moscow and St. Petersburg are very different in income and life in general from the rest of the country. It takes above average income, motivation, technical knowledge, and patience to have genuine and patched Windows - most of the population lack one or the other. In comparison, situation is the opposite in USA - one would need technical knowledge and patience to obtain and install pirated windows on his/her pc. Also, when in Russia, Google automatically reverts to poisoned Google.ru. Yandex search results (Ru search engine) are poisoned as well. I know the search providers constantly change algorithm and work on ways to filter out junk but it is uphill battle. SEO is one of the ways to make money, seminars and teaching materials on how-to are popular and abundant there.

    ReplyDelete
  7. However, Russian as a lucky ..
    Look: A botnet TDSS - by country.

    (Line 1 includes "All Other", of which less than 1.5%)

    http://www.nobunkum.ru/issue003/tdss-botnet/stat_countries.png

    ReplyDelete
  8. This is RUSSIA!!!!

    ReplyDelete