Blue Coat Labs

A Halloween Malware Attack

Chris Larsen

Blue Coat WebPulse™ detected (and immediately blocked) an interesting Halloween-themed malware attack that began on Friday, Oct. 30, the day before Halloween. This was passed on to a contact at Information Week and written up. Here's a more detailed write-up of what happened.

That Friday morning, mixed in with the usual sorts of malware filenames in the WebPulse logs, there were a bunch of EXE files with Halloween-themed names:

  • halloween-makeup-techniques-cleopatra-to-play.40064.exe
  • scary-halloween-signs-to-play.40064.exe
  • free-streaming-halloween-music-to-play.40064.exe
  • regis-and-kelly-halloween-show-2009-to-play.40064.exe
  • halloween-games-printables-for-teens-to-play.40064.exe
  • office-appropriate-halloween-costumes-to-play.40064.exe
  • smurf-halloween-costume-to-play.40064.exe
  • cereal-killer-halloween-costume-ideas-to-play.40064.exe etc.

Clearly, the attackers were taking search terms as input and providing a malware binary -- with a name based on those search terms -- as output. The logs showed that our European and Asian datacenters had none of this traffic; it had begun with our East Coast datacenter, and then a couple of hours later began showing up in our West Coast logs. (So either no one in Europe or Asia was searching for Halloween costumes, or the Bad Guys assumed they wouldn't be, and waited to "go live" until morning on the East Coast.)

It was very gratifying to note that the WebPulse log entries for all of these URLs showed that we had been rating them as Malware from the outset, so that none of our customers were infected. (Kudos to Patrick, one of our math-whiz analysts, whose detection module nailed all of these!)

Not that I don't trust Patrick's defenses, but since we believe in layered protection, I went ahead and rated the domains that were serving the malware ( was the main one, but there were also a few coming from

The next item of business was to see where the traffic to those domains was coming from. The logs zeroed in on a particular blog that seems to have acquired a new subdirectory, courtesy of the Bad Guys. This makes sense: if you're rolling out a new malware campaign, you want a fresh/unknown domain to host the binaries, and if you can utilize a hacked site as the relay, you're less likely to be blocked.

Tracking back from the hacked blog that was serving as the relay site, we come to the link farms that were scamming the search engines into linking to them. These were located in various places, including a shady Indian torrent-tracking forum (, a dedicated link-farm site (, and several others. A typical victim, therefore, would search in their favorite search engine (we'll pick on Google, since they're the biggest, but it could have been anyone else) for something like: "simple ladies halloween costumes".

They see a likely-looking link, and click it. It turns out to be located at:

But this page doesn't come up in their browser; instead, it redirects to:

[innocent blog].com/pro/index.php?q=simple+ladies+halloween+costumes

which then displays the following page in their browser. (Note how the search terms were passed along at each step, culminating in the name of the .exe file that's pretending to be the answer to their query. Also, since the page purports to show that their search result is a video, it now makes sense that the file name ends in "-to-play".)
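The two observations above -- that the binaries were named from the victim's search terms, and that those terms rode along in the `q=` parameter of the relay URL -- are exactly what a proxy-log detection can key on. The script below is an added example written for this write-up, not Blue Coat's detection module and not code from the original post. It walks a few constructed proxy log lines (timestamp, client IP, URL; hostnames are placeholders, the `-to-play.40064.exe` naming follows the filenames listed above), remembers each client's most recent `q=` value, and flags any `.exe` whose name is the hyphenated form of those terms. An executable that merely fits the `<terms>-to-play.<digits>.exe` shape without a preceding search still gets a lower-confidence verdict.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the original post): timestamp, client IP, URL.
# Hostnames are placeholders; the "-to-play.40064.exe" naming follows the post's filenames.
SAMPLE_LOGS = """\
2009-10-30T13:02:11Z 10.1.1.7 http://search.example/search?q=simple+ladies+halloween+costumes
2009-10-30T13:02:14Z 10.1.1.7 http://innocent-blog.example/pro/index.php?q=simple+ladies+halloween+costumes
2009-10-30T13:02:20Z 10.1.1.7 http://malware-host.example/dl/simple-ladies-halloween-costumes-to-play.40064.exe
2009-10-30T13:05:02Z 10.1.1.9 http://news.example/halloween-makeup.html
2009-10-30T13:06:44Z 10.1.1.9 http://innocent-blog.example/pro/index.php?q=scary+halloween+signs
2009-10-30T13:06:49Z 10.1.1.9 http://other-host.example/scary-halloween-signs-to-play.40064.exe
2009-10-30T13:10:00Z 10.1.1.12 http://cdn.example/static/setup.exe
2009-10-30T13:12:30Z 10.1.1.20 http://third-host.example/smurf-halloween-costume-to-play.40064.exe
"""

LogEntry = namedtuple("LogEntry", "ts client url")

# Filename shape seen in the campaign: <hyphenated search terms>-to-play.<digits>.exe
EXE_NAME = re.compile(
    r"^(?P<slug>[a-z0-9]+(?:-[a-z0-9]+)*)-to-play\.(?P<tag>\d+)\.exe$", re.IGNORECASE
)


def parse_line(line):
    """Split one 'timestamp client url' log line into a LogEntry."""
    ts, client, url = line.split(maxsplit=2)
    return LogEntry(ts, client, url.strip())


def slugify(terms):
    """Turn a search phrase into the hyphenated form used in the filenames."""
    return re.sub(r"[^a-z0-9]+", "-", terms.lower()).strip("-")


def search_terms(url):
    """Return the decoded q= query parameter if the URL carries one, else None."""
    values = parse_qs(urlsplit(url).query).get("q")
    return values[0] if values else None


def analyze(log_text):
    """Walk the log once, remembering each client's latest search terms, and flag
    executables whose name is built from those terms (or merely matches the shape)."""
    last_terms = {}  # client IP -> most recent q= value seen (search engine or relay)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        terms = search_terms(entry.url)
        if terms is not None:
            last_terms[entry.client] = terms
            continue
        filename = urlsplit(entry.url).path.rsplit("/", 1)[-1]
        match = EXE_NAME.match(filename)
        if not match:
            continue  # ordinary download, not this campaign's naming pattern
        prior = last_terms.get(entry.client)
        correlated = prior is not None and slugify(prior) == match.group("slug").lower()
        alerts.append({
            "ts": entry.ts,
            "client": entry.client,
            "host": urlsplit(entry.url).hostname,
            "filename": filename,
            "search_terms": prior if correlated else None,
            "verdict": ("search-term-derived executable" if correlated
                        else "suspicious -to-play executable"),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        extra = f" (terms: {alert['search_terms']!r})" if alert["search_terms"] else ""
        print(f"{alert['ts']} {alert['client']} {alert['host']} "
              f"{alert['filename']} -> {alert['verdict']}{extra}")
```

Run on the sample, this produces three alerts: two where the executable name is the slug of the client's last `q=` value (the relay's `index.php?q=` pass-through is what makes that join possible), and one lower-confidence hit for a `-to-play` executable with no preceding search from that client. The plain `setup.exe` download is left alone, which is the point of matching on the naming shape rather than on `.exe` alone.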

(screen shot of fake video player)


(I actually captured this screenshot a day or two later, hence the different malware-serving domain shown in the status bar. Malware networks usually change their host domain names frequently.)

Interestingly, today when I re-followed the original URL, it led not to the fake-video page, but to another set of relay domains that ended up on a Fake AV Scanner page. 

Also, I was curious to see what sorts of search results I would get from googling (and bing-ing, and yahoo-ing) some of the search terms today. Boy, talk about scary Halloween stuff...

One (very generic) set of terms returned a "top 10" results list with all legitimate sites; but another (more specific) set of terms returned a Top 10 list with only ONE(!) legitimate site. The other nine all led off into dark Internet alleys (most of which ended up at Fake AV Scanner pages). Yikes!


(content taken from internal security blog -- 02 Nov 2009 -- Chris Larsen)