(Archive) A Malware Masquerade

October 12, 2010 - By Chris Larsen

(Editor's note: This is an archived post from the BCWF team's internal blog -- The "Trotline" -- from 10/13/2010.)

Last year, I blogged about a Halloween-themed malware attack. Given the "malware masquerade" theme, I thought this would be a good month to revisit the topic of how the Bad Guys like to masquerade as something else in order to fool their victims.

One classic type of malware masquerade is the Fake Warez attack. ("Warez" -- from "softwarez" -- is hacker-slang for pirated software or other digital booty.) Today, I'll show some examples of how the modern fake-warez sites look.

All of these sites are masquerading as "warez" hosts, typically purporting to have the Web's greatest collection of "cracks, keygens, and serials". Many, if not most, of these domains used to be legitimate sites, but were allowed by their original owner to expire for one reason or another. As the expired names became available, they were grabbed by the Bad Guys (possibly in the hope that the sites would have clean "Web reputations" with anti-malware companies like Blue Coat). After a quick HTML transplant, the new sites go on line in their new costumes. Here are some samples:

sample fake-warez site

sample fake-warez site

sample fake-warez site

sample fake-warez site

sample fake-warez site

sample fake-warez site

 

...and on and on...

As you can see, the look of these sites varies considerably. In each case, however, clicking on one of the warez takes you to a second page, where there is usually some sort of "review" of how cool the software or movie is, along with one or more links that purport to take you to the download. (Sometimes, these links actually do go to popular file-sharing sites; more often, they instead connect to a malware server that returns an executable file claiming to be the download, or else claiming to be a "key generator" or "serial number generator" or a "crack" -- in other words, a helper application to make the full version of the software run without needing to be officially licensed.)

There are dozens and dozens of these domains currently in use, with a smaller network of constantly rotating malware domains serving up the actual payloads. It's a very sophisticated network that took considerable time and effort to set up and maintain. They wouldn't go to this much trouble if they weren't picking up a steady stream of visitors/victims.

So be careful out there -- the Web's a scary place. (And not just at Halloween!)

--C.L.