Introducing ESAT NQD32 and "Test Version" of Windows
ESAT robot iz very sad
I visited Russia and needed to help someone purchase a new computer. This post is the result of that interesting experience, and it should at least partially explain the share of malware that comes from Russia.
The two reasons I saw were the widespread use of pirated Windows that cannot be updated, and poisoned Google.ru results for any commonly used software: nearly all Google Sponsored Links for searches of Adobe products, antivirus products, free players and utilities redirect you to malware downloads. Sites.google.com is the domain most commonly used to advertise these malicious "products".
Computer store
Most desktops sold in Russia are generic boxes built by local computer shops and sold for the price of the hardware. There are more brand-name laptops than desktops, for obvious reasons. Pirated software is officially illegal, but that does not mean you automatically get a licensed version of Windows when you buy a computer, nor a box that does not boot. We purchased our computer for $500 at a computer center that is part of a chain with many stores in the city and were assisted by a sales guy in store uniform. I am not mentioning the store name here because it is not a rare exception. Such computer stores are scattered all over; you find them in large numbers in every city and town of Russia.
Our conversation went this way:
M: Can we get Windows and Office install disks with it?
Seller: No, we do not provide them.
M: But are you selling it with Windows and all the software?
Seller: No, this is our "test" version of Windows to show that the hardware works.
M: Is it pirated?
Seller: No, it is our store copy.
M: Will it expire?
Seller: No, it will not, it will work fine forever.
M: Can I get a computer with a licensed version of Windows?
Seller: We sell only hardware.
M: Can I get it without your "test" Windows?
Seller: We can remove it for you for an extra $5.00. You can pick it up in a couple of days.
M: Never mind.
Windows indeed works forever, but you cannot update it because Microsoft detects it as counterfeit.
At home we found the following "test" software installed on the desktop:
MS Office
FastStone Capture 6.3
Nero 6 Ultra
Quake III Arena
PCMark2002
Result Browser 2002
K-Lite Codec pack
Dreamweaver 8
WinRar
Viewport player
and other small utilities and apps
Since you cannot update it, you may get Conficker as soon as you connect it to the internet. Browsing with IE6 is a guarantee of trouble as well. Many average buyers are content with the software already installed on their new PCs and do not worry about licenses or other such details.
You can buy Windows 7 in stores for $350-400, but most people prefer to use what they have rather than pay a lot of money for something they have been getting for free.
PART II - Updates (aka searches in the Wild Wild West, aka Google.ru)
I had to install a licensed version of Windows to be able to run Windows updates. However, finding updates for Flash Player, Adobe Reader, Skype, and instant messengers is not for the naïve and gullible. Nearly all search results are booby-trapped with fake installers carrying all kinds of malware. Black SEO / search result poisoning is very common on the Russian-language internet, but I was appalled by the high prevalence of malicious Sponsored Links; the sites.google.com domain is often used to host the pages behind these malicious ads.
Google.com used to serve malicious ads in the past, and you can find plenty of publications about it from 2008-2009. Google.com's ad system has improved (at least I did not get any malicious hits when I tested it today), but Google.ru seems to be still in the dark ages. I did not test other regional flavors of Google; perhaps Contagio readers can offer some insights.
According to Google AdWords Help Pages:
http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=6546
Can I make my ads appear above search results?
Google believes strongly in providing high-quality and relevant advertising to our users. On Google search result pages, only the highest ranking AdWords ads are eligible to appear in the top positions above the search results.
Our system does not rank ads solely on cost, so there is no way to guarantee top placement on a search result page. However, by adjusting your keywords' Quality Scores and CPC bids, you can better control the position of your ad and help improve your ad's chance to appear higher within search results.
You can use the top of page bid estimate (Est. top of page bid) as a guide when estimating the cost-per-click (CPC) bid needed for your ad to appear in the top positions above the search results. This metric is only an estimate and not a guarantee of top placement. Learn more about top of page bid estimates.
Remember: The higher the quality, the lower the CPC, and vice versa.
http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=10188
What is a maximum CPC? Your maximum cost-per-click (CPC) is the highest amount that you are willing to pay for a click on your ad.
When ads appear on the Search Network, the maximum CPC is one of the factors affecting ad position. Increasing your maximum CPC can improve the position of your ad.
This result for Flash player is from Google.com - seems clean
Here are a few common searches from Google.ru:
Flash Player
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=flash+player
Sponsored Links: The first result is a site advertising Flash Player (hxxp://sites.google.com/site/flashplayer4uu) offering a download of what turns out to be a fake antivirus from hxxp://loadrarfast.ru/install_flash_player.exe
Virustotal: http://www.virustotal.com/file-scan/report.html?id=1c20a73e28e1bdab541ee05e46007cf9faea0346eab218b6de3276641bc62209-1315766770
Pretty much every result after the official is malicious or questionable as well.
Adobe Reader
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=Adobe+Reader
Sponsored Links: hxxp://sites.google.com/site/adobeereader/ = hxxp://newrusky.ru/42324/install_reader.exe
Virustotal: http://www.virustotal.com/file-scan/report.html?id=f3ee152969e79baed37740990bab1a2c4c4cb7e87448d353781612a12a3d6f1a-1315733202
Kaspersky
Sponsored Search Result offers a mysterious ESAT NQD32, a fake AV pretending to be the Eset Nod32 "Russian Free version". Other Sponsored Links that rotate: hxxp://free-antivirus.se-ua.net/home/2/3/
Virustotal: http://www.virustotal.com/file-scan/report.html?id=fab5a1ce612c13aea622fc41115da74b2c01d194f033b26f5274a873ef1306de-1315741098
Skype
Search http://www.google.ru/search?sclient=psy&hl=ru&newwindow=1&site=&source=hp&q=skype
Sponsored Links: hxxp://skaoper.webnode.com/
Other sponsored links that rotate:
hxxp://sites.google.com/site/skypesnew/
hxxp://sites.google.com/site/newskvype55/
Virustotal:
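The pattern in the searches above is always the same: a well-known installer name (install_flash_player.exe, install_reader.exe) served from a domain that is not the vendor's, reached through a sponsored page on sites.google.com or similar free hosting. As an added example that is not part of the original post, the following detection logic flags that pattern in proxy log lines; the log lines, the VENDOR_DOMAINS table and the FREE_HOSTING list are constructed assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (timestamp, client IP, referrer, requested URL).
# The malicious URLs are the ones named in the post; the benign ones are assumed vendor hosts.
SAMPLE_LOG = """\
2011-09-11T10:02:11 10.0.0.7 https://www.google.ru/search?q=flash+player https://sites.google.com/site/flashplayer4uu/
2011-09-11T10:02:19 10.0.0.7 https://sites.google.com/site/flashplayer4uu/ http://loadrarfast.ru/install_flash_player.exe
2011-09-11T10:05:40 10.0.0.9 https://get.adobe.com/flashplayer/ https://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe
2011-09-11T10:07:03 10.0.0.4 https://sites.google.com/site/adobeereader/ http://newrusky.ru/42324/install_reader.exe
2011-09-11T10:09:55 10.0.0.4 https://www.skype.com/ https://download.skype.com/SkypeSetup.exe
"""

# Installer file stems mapped to the domains that legitimately serve them (assumption for this example).
VENDOR_DOMAINS = {
    "install_flash_player": ("adobe.com",),
    "install_reader": ("adobe.com",),
    "skypesetup": ("skype.com",),
}

# Free-hosting domains the post observed as landing pages for poisoned sponsored links.
FREE_HOSTING = ("sites.google.com", "narod.ru", "narod2.ru", "webnode.com")


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify(line):
    """Return a finding dict for an executable download that looks poisoned, else None."""
    ts, client, referrer, url = line.split()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(".exe"):
        return None
    reasons = []
    vendors = VENDOR_DOMAINS.get(filename[:-4])
    if vendors and not host_matches(host, vendors):
        reasons.append(f"{filename} served from {host}, not {'/'.join(vendors)}")
    ref_host = (urlparse(referrer).hostname or "").lower()
    if host_matches(ref_host, FREE_HOSTING):
        reasons.append(f"download referred by free-hosting page {ref_host}")
    if not reasons:
        return None
    return {"time": ts, "client": client, "url": url, "reasons": reasons}


def find_suspicious_downloads(log_text):
    """Run classify() over every non-empty log line and keep the findings."""
    return [hit for hit in (classify(l) for l in log_text.splitlines() if l.strip()) if hit]
```

Running find_suspicious_downloads(SAMPLE_LOG) reports only the loadrarfast.ru and newrusky.ru downloads, each with both reasons, while the genuine Adobe and Skype downloads pass.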
Update Sept. 14, 2011
I noticed that ALL searches for any software are poisoned with black SEO, both the Sponsored Links and most links on the first page. I nearly clicked on one myself. A search for Internet Explorer 8 on Google.ru shows one result in the Sponsored Links on the side as www.slo.ru. I hate to think what is there.
A search for Windows Validation Tool in Google.ru brings a lot of questionable and dangerous links as well.
Other Sponsored Ads links are listed below. They are for codecs, media players, Skype, and other apps.
Be careful when visiting: most of them offer links to malware downloads, but some have drive-by installs as well. These are just a few examples; you can find many more.
Do you know the salary in Russia??? People just can't buy such expensive soft!
@anastasia Linux is free
It's not about the money - people in Russia or other post-Soviet states just aren't used to paying for software. Even if they have money, downloading software is much simpler and easier. Piracy there is very common, especially among the young. Naturally, fake trojan-infected programs are common, too.
I'm living in Russia and I always buy genuine software (except those tools which I need once a year and there is a trial version).
I do not know about other cities, but in Moscow now there are no small computer shops (or they are hidden), and in big ones you will get the maximum quality of service.
@anastasia - people cannot buy means people should not use :)
Maxim - Russia is slightly bigger than the Ring Road around Moscow. Average salary in 2010 was ~$640.
And security professionals have to be realistic - if the operating system price tag is equivalent to 50% of the average salary, and access to the Internet is vital for their children's future, then A LOT of people would not pay.
Indeed, Moscow and St. Petersburg are very different in income and life in general from the rest of the country. It takes above-average income, motivation, technical knowledge, and patience to have genuine and patched Windows, and most of the population lack one or the other. In comparison, the situation is the opposite in the USA: one would need technical knowledge and patience to obtain and install pirated Windows on his/her PC. Also, when in Russia, Google automatically reverts to poisoned Google.ru. Yandex search results (a Russian search engine) are poisoned as well. I know the search providers constantly change their algorithms and work on ways to filter out junk, but it is an uphill battle. SEO is one of the ways to make money there; seminars and how-to teaching materials are popular and abundant.
However, Russian as a lucky ..
Look: A botnet TDSS - by country.
(Line 1 includes "All Other", of which less than 1.5%)
http://www.nobunkum.ru/issue003/tdss-botnet/stat_countries.png
This is RUSSIA!!!!