Avoiding Malicious Sites

by Andy on June 2nd, 2010 in Security Tips.

Malware distributors often hijack current events to serve malware, and with the FIFA World Cup almost upon us (come on Northern Ireland!! Oh.. wait..), a deluge of booby-trapped sites appearing in search engine results is inevitable.

As an example, I searched for information on a recent event - Al and Tipper Gore announcing their separation - and found quite a few links that looked innocent but weren't.

Spotting potentially dangerous links within search engine results can be tricky, but there are a few things you can look for to avoid being infected.

Tip 1
Unusual or unexpected search results.

In the example, it is strange that an Al and Tipper Gore news story would appear alongside cheap insurance. Also notice the other information returned about the site - it seems random, but it refers to recent hot topics in the news, which can be another giveaway that this site is 'search engine optimised'.

Tip 2
This requires more careful consideration.

The link text 'Al Gore divorce' and the further information listed below it match, so nothing looks suspicious at first. However, look at the structure of the link: one section reads "lkjaa.php?ssp=". That looks pretty random on its own, but the results below all contain a similar section of the form <random>.php?<random>=. These sites all served malware.
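
The link shape described in Tip 2, <random>.php?<random>=, can be checked mechanically across a page of results. The following Python check is an added example, not part of the original post; the lists of familiar names, the three-host threshold and the sample hosts are assumptions, and only "lkjaa.php?ssp=" comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: script and parameter names common enough on ordinary sites to ignore.
KNOWN_SCRIPTS = {"index", "search", "view", "news", "article", "story", "page", "post"}
KNOWN_PARAMS = {"id", "q", "p", "s", "page", "cat", "tag", "lang", "ref"}
TOKEN = re.compile(r"[a-z]{2,8}")  # short, letters only, like "lkjaa" and "ssp"

def link_shape(url):
    """Return (script, param) if the URL looks like <random>.php?<random>=, else None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if not script.endswith(".php"):
        return None
    name = script[:-4]
    params = [k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if len(params) != 1:
        return None
    param = params[0]
    if not (TOKEN.fullmatch(name) and TOKEN.fullmatch(param)):
        return None
    if name in KNOWN_SCRIPTS or param in KNOWN_PARAMS:
        return None  # a familiar name is not the "random" pattern
    return name, param

def suspicious_results(urls, min_hosts=3):
    """Flag matching links only when several different hosts share the pattern."""
    hits = [(urlsplit(u).hostname, u) for u in urls if link_shape(u)]
    hosts = {h for h, _ in hits}
    return [u for _, u in hits] if len(hosts) >= min_hosts else []

# Constructed sample results; the hosts are placeholders, and only
# "lkjaa.php?ssp=" is taken from the post.
SAMPLE = [
    "http://site-a.example/lkjaa.php?ssp=al+gore+divorce",
    "http://site-b.example/blog/qwzrt.php?kx=al+gore+divorce",
    "http://site-c.example/pvnmd.php?gh=tipper+gore",
    "http://news.example/story.php?id=1234",
    "http://news.example/2010/06/gore-separation.html",
]

if __name__ == "__main__":
    for url in suspicious_results(SAMPLE):
        print("check before clicking:", url)
```

A match is a reason to look more closely at a result, not proof that the site serves malware.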

Tip 3
So, you clicked on one of the bad links - what typically happens? You could be presented with a web page that looks like it will play a video.

When you click on the video window, it will offer a video codec to download. Don't download or run it - navigate away from the page.

You might also be presented with an alert that your PC is infected.

Your best option is to use Task Manager to kill the browser. To do this:

Press Ctrl+Alt+Delete.
Select Task Manager.
Select the Processes tab.
If you use Firefox, look for firefox.exe. Highlight it and end the process.
If you use Internet Explorer, look for iexplore.exe (NOT explorer.exe!). Highlight it and end the process.
If you use Opera, look for opera.exe. Highlight it and end the process.

When you restart your browser, if it offers to reload the pages you were viewing previously, choose not to; otherwise the rogue installer pages will reload.
