Monday, May 14, 2012

A look at the top websites blacklisted

Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results.

I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious. Here is what I found for the most popular blacklisted sites:


Rank     Domain                 Threat                Comment
6,239    subtitleseeker.com     Malicious JavaScript  Hijacked
18,784   financereports.co      Scam                  Work from home scam
35,610   tryteens.com           PDF malware           Porn
41,560   iranact.co             Malicious JavaScript  Hijacked
47,016   creativebookmark.com   Fake AV               Hijacked
52,409   ffupdate.org           Adware download
52,431   vegweb.com             Malicious JavaScript  Hijacked
53,902   delgets.com            Malicious JavaScript  Hijacked
78,202   totalpad.com           Fake AV               Hijacked
81,403   kvfan.net              Malicious JavaScript  Hijacked
82,344   hgk.biz                Malicious JavaScript  Hijacked
83,858   youngthroats.com       Malicious IFRAME      Porn
125,305  metro-ads.co.in        Malicious JavaScript  Hijacked
133,455  salescript.info        Malicious JavaScript  Hijacked

Screenshot: http://financereports.co
Screenshot: creativebookmark.com
Most of the top-ranked blacklisted websites are not malicious by nature: they have been hijacked. The culprit is generally malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME. It is interesting to note that Google decided to blacklist the infected site itself, rather than only the external domain hosting the malicious content.

I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:


Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%).

There is a government website in this list: mdjjj.gov.cn. It contains malicious JavaScript pointing to a third domain. The code is much more sophisticated than on the other sites on this list: the JavaScript is obfuscated and split across several files with a .jpeg extension. There is also a Flash exploit with a heap spray targeting Mac OS X, not unlike a Flash exploit we found on another Chinese site a few years ago. Windows users running Internet Explorer 6 or 7 get the old "iepeers.dll" exploit (a different version for each browser).


No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point.
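The survey above was done by checking a domain list against Google Safe Browsing. Here is an added example of how to do the same check today; it is not the author's tooling and it uses Google's current v4 Lookup API rather than the 2012-era API the survey relied on. The clientId/clientVersion values, the "KEY" placeholder and the response samples are assumptions; only lookup() touches the network, and its opener is injectable so the batching and parsing can be exercised offline.

```python
import json
import urllib.request

# Safe Browsing v4 Lookup API endpoint (developers.google.com/safe-browsing).
API = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]
MAX_ENTRIES = 500  # the API rejects requests carrying more than 500 threatEntries


def to_url(entry):
    """Alexa-style entries are bare domains; the API wants full URLs."""
    return entry if "://" in entry else "http://" + entry + "/"


def build_request(urls):
    """Request body for threatMatches:find (clientId/clientVersion are assumed values)."""
    return {
        "client": {"clientId": "blacklist-survey", "clientVersion": "0.1"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": to_url(u)} for u in urls],
        },
    }


def parse_matches(response):
    """Map each flagged URL to the set of threat types reported for it.

    A body of {} (no "matches" key) means nothing in the batch is listed;
    one URL can appear several times when it is on more than one list.
    """
    hits = {}
    for match in response.get("matches", []):
        hits.setdefault(match["threat"]["url"], set()).add(match["threatType"])
    return hits


def batches(items, size=MAX_ENTRIES):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def lookup(entries, api_key, opener=urllib.request.urlopen):
    """Check every entry, 500 at a time, and merge the flagged URLs."""
    flagged = {}
    for chunk in batches(list(entries)):
        req = urllib.request.Request(
            API + "?key=" + api_key,
            data=json.dumps(build_request(chunk)).encode(),
            headers={"Content-Type": "application/json"},
        )
        with opener(req) as resp:
            body = resp.read()
        flagged.update(parse_matches(json.loads(body or b"{}")))
    return flagged


if __name__ == "__main__":
    import sys
    # usage: python sb_check.py API_KEY < domains.txt
    domains = [line.strip() for line in sys.stdin if line.strip()]
    for url, kinds in sorted(lookup(domains, sys.argv[1]).items()):
        print(url, ",".join(sorted(kinds)))
```

A hit on a hijacked site only tells you that Google has listed it, not why; the threat type distinguishes malware from social engineering (the scam pages in the table) but not a compromised site from one that is malicious by design.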

Monday, April 30, 2012

Search Engine Security for Internet Explorer

Search Engine Security (SES), a browser extension designed to protect users against Blackhat SEO links in search engines, is now available for Internet Explorer. You can download it from our website. It is compatible with Internet Explorer 6.0 and above, on Windows XP through Windows 7.

The features are the same as in Search Engine Security for Google Chrome, released two weeks ago. The Referer and User-Agent headers are modified when you follow a search result link on Google, Bing and Yahoo! This prevents hijacked sites from redirecting users to a malicious page.

As with SES for Firefox and Google Chrome, you can turn the extension on and off for the three search engines.

Search Engine Security enabled on Bing

You can also whitelist specific pages. The only difference between the IE version and the Firefox and Chrome versions is that Internet Explorer cannot send an empty Referer header. This is why the default value is "-".

The options are available under Tools > Search Engine Security options.

Search Engine Security options

To test the features, search for "what is my user agent" or "what is my referrer" in Google, Bing or Yahoo! and follow a link. You will notice a different value when Search Engine Security is ON or OFF.

Modified User-Agent
There are very few browser extensions available for Internet Explorer, especially extensions that help keep users safe. I will continue to port the Zscaler security extensions to Internet Explorer and will bring other security tools to this platform.

You can find a full list of all our browser extensions on the ThreatLabZ portal under Tools. Search Engine Security for Internet Explorer can be downloaded here.

Thursday, April 26, 2012

Multiple hijacking

Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of malicious page is the Fake AV page. Attackers commonly drive traffic to these hijacked websites using Blackhat SEO techniques.

Blackhat SEO requires that two different pages be delivered to different audiences:

  • A harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade blacklists
  • A redirection to a malicious domain to attack users
Existing pages on the hijacked sites are usually unchanged and instead, new pages are created. The newly created spam pages are completely harmless, with no obfuscated JavaScript. A 302/307 HTTP redirection is done mostly via a PHP file, or using an .htaccess file.

Other groups of attackers may want to use vulnerable websites for different purposes, so it is not rare to see the same vulnerable site abused by several groups. Recently, there has been an increase in hijacked websites that send users to Fake AV pages and are also infected with malicious JavaScript. The obfuscated JavaScript code is added before the original HTML code on all pages, which makes the site much more likely to be blacklisted by Google. Here are a few examples:

Found on dailygizmonews.com


Found on malaysianaspiration.com


A mix of the 2 previous JavaScript codes

All of these examples result in the same HTML code, an IFRAME injection pointing to a malicious domain:

  • hxxp://fbyvdtydyth.myfw.us/?go=2
  • hxxp://tds46.lookin.at/stds/go.php?sid=1
  • hxxp://qerhkbdimoitvd5t.lowestprices.at/?go=2


Deobfuscated code

Ironically, this malicious code might actually keep users safer. Since it is present on all pages, regardless of the HTTP Referer, the entire website is flagged as malicious by search engines much more quickly.
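The two injection shapes discussed in this post (an obfuscated loader prepended before the original HTML, and the hidden IFRAME it writes) are also what we describe on the French government site below. Here is an added scanner for both; it is example code, not Zscaler's tooling. The sample page is constructed (the IFRAME target is the first of the three domains listed above; the loader is a stand-in, not the actual injected code), the obfuscation markers are a heuristic of my choosing, and HTML that the site legitimately serves after the doctype is deliberately left alone.

```python
import re
from html.parser import HTMLParser

# Strings that rarely appear together in legitimate inline scripts but are
# staples of the injected loaders described in the post (heuristic, assumed).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(", "try{", "catch(")


def defang(url):
    """Neutralize a URL for reports (http -> hxxp), as the post does."""
    return re.sub(r"^https?", lambda m: m.group(0).lower().replace("tt", "xx"), url, flags=re.I)


def px(value):
    """Numeric pixel size from a width/height attribute, or None."""
    digits = re.sub(r"[^\d-]", "", value or "")
    return int(digits) if digits.lstrip("-").isdigit() else None


def is_hidden(attrs):
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True  # the classic 1x1 (or 0x0) frame
    style = (attrs.get("style") or "").lower()
    return bool(re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style)
                or re.search(r"(?:left|top)\s*:\s*-\d", style))  # pushed off-screen


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, line) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.document_started = False  # set once <!DOCTYPE> or <html> is seen
        self.in_script = False
        self.script_buf = []

    def handle_decl(self, decl):
        self.document_started = True

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "html":
            self.document_started = True
        elif tag == "script":
            self.in_script = True
            if not self.document_started:  # code injected above the real document
                self.findings.append(("script-before-html", a.get("src") or "inline", line))
        elif tag == "iframe" and is_hidden(a):
            self.findings.append(("hidden-iframe", defang(a.get("src") or ""), line))

    def handle_data(self, data):
        if self.in_script:
            self.script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            text = "".join(self.script_buf).replace(" ", "")
            self.script_buf = []
            hits = [m for m in OBFUSCATION_MARKERS if m in text]
            if len(hits) >= 2:
                self.findings.append(("obfuscated-script", "+".join(hits), self.getpos()[0]))


def scan_html(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a loader above the doctype, the IFRAME it ends up
# writing (target taken from the list in the post), then the real document.
SAMPLE_PAGE = """<script>try{q=document.body}catch(e){}
var s="";for(i=0;i!=c.length;i++){s+=String.fromCharCode(c[i]-7);}eval(unescape(s));
</script>
<iframe src="http://fbyvdtydyth.myfw.us/?go=2" width="1" height="1" style="visibility:hidden"></iframe>
<!DOCTYPE html>
<html><head><title>Daily Gizmo News</title>
<script src="/js/jquery.js"></script></head>
<body><iframe src="http://www.youtube.com/embed/x" width="560" height="315"></iframe>
<p>Real content.</p></body></html>
"""

if __name__ == "__main__":
    for kind, detail, line in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind} {detail}")
```

Run it against a page fetched with the Referer and User-Agent of a real browser and again with a crawler User-Agent: on a cloaked site the two fetches differ, which is itself a finding.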



Wednesday, April 18, 2012

French Budget Minister website hijacked

We've seen an increase in hijacked websites in recent months, redirecting users to Fake AV pages, Blackhole exploit kits and other malware. While most hacked websites are personal or university sites, some are more high profile.

http://www.performance-publique.budget.gouv.fr/ hijacked

The website of the French Minister of Budget (www.performance-publique.budget.gouv.fr) is an example of a high profile site that was recently hijacked. Obfuscated JavaScript was added at the top of the page. It is very similar to what we have seen on other websites. The obfuscation contains some tricks to break JavaScript scanning tools, such as making reference to browser objects, exceptions, etc.
Malicious JavaScript inserted on the hijacked site

The code creates an IFRAME to hxxp://nysbrtyjdjntytdrj7yn.rr.nu/?go=2. This address is not blocked by Google Safe Browsing at this time. I was not able to retrieve the content.
Deobfuscated JavaScript


The domain rr.nu has been widely abused. It has been linked to the Mac Flashback Trojan, previous Fake AV campaigns, etc.

budget.gouv.fr is not the only governmental website that has been hijacked recently. In the last three months, we have seen many hijacked government sites including:
  • Australia: library.cgg.wa.gov.au, ofv.sa.gov.au
  • US: cityofhampton-ga.gov, sandy.utah.gov, governor.virginia.gov, letsread.cobbcountyga.gov, mississippi.gov, etc.
  • Philippines: car.dost.gov.ph
  • Colombia: acuavalle.gov.co, risaralda.gov.co
  • Malaysia: ipharm.gov.my
Unfortunately, no website can be fully trusted anymore.

Monday, April 16, 2012

Search Engine Security for Google Chrome

Google Chrome has recently added an API to modify HTTP headers. This in turn made it possible to port Zscaler's Search Engine Security add-on from Firefox and Firefox Mobile to Google Chrome.

Search Engine Security on the Chrome Web Store

Most hijacked websites used for Blackhat SEO check the Referer header and the User-Agent, to decide whether to redirect the visitor to a harmless spam page or to a malicious domain (Fake AV page, Blackhole exploit kit, etc.). By modifying these 2 headers when the user leaves a Google, Bing or Yahoo! search, Search Engine Security fools the hijacked site into thinking that the visitor is not a real user and therefore avoids redirection to the malicious content.

Search Engine Security enabled for Google

All the work is done in the background, so it can be tricky to understand exactly what happens, or even if the add-on is working. We have therefore added a small note on the Google/Bing/Yahoo! search result pages to show you whether Search Engine Security is on (default settings) or off (disabled in the options):  Zscaler SES on or Zscaler SES off.

Search Engine Security disabled on Bing

To understand how the headers are modified, search for "referer mobilefish" in Google after you have installed Search Engine Security. Click on the first link, "Mobilefish.com - Show my IP". The page will display your User-Agent string and Referer header. With the default settings, the string "slurp" is appended to your User-Agent, and the Referer header is removed. These changes are made only when leaving a Google/Bing/Yahoo! search page.

You can also enable/disable the various settings on the Search Engine Security options page to see how the User-Agent and Referer strings are affected.
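To make the cloaking check and the header rewrite concrete, here is an added Python model of both sides: the decision a hijacked Blackhat SEO page makes, as described in the Multiple hijacking post above and in this one, and the rewrite Search Engine Security applies to the outgoing request (the Chrome/Firefox behaviour and the "-" Referer used by the IE version). This is illustration written for this page, not the extension's code and not any real hijacked site's script; the bot markers the model cloaker looks for, the malicious URL and the sample headers are constructed.

```python
from urllib.parse import urlsplit

SEARCH_ENGINES = {"google", "bing", "yahoo"}


def from_search_engine(referer):
    """True when the Referer points at a Google, Bing or Yahoo! page."""
    if not referer or referer == "-":
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return bool(SEARCH_ENGINES & set(host.split(".")))


# --- the attacker's side: cloaking logic modelled on the posts' description ---
BOT_MARKERS = ("googlebot", "slurp", "bingbot", "msnbot", "wget", "curl", "python")
MALICIOUS = "http://malicious.example/?go=2"  # constructed placeholder


def hijacked_site_response(headers):
    """Return (status, target) the way a cloaked spam page on a hijacked site would.

    A visitor arriving from a search engine with a browser-looking User-Agent
    gets a 302 to the malicious domain; crawlers, scanners and direct visits get
    the harmless spam page (200), which keeps the page ranked and off blacklists.
    """
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "")
    looks_like_bot = any(marker in ua for marker in BOT_MARKERS)
    if from_search_engine(referer) and not looks_like_bot:
        return 302, MALICIOUS
    return 200, "spam page"


# --- the defender's side: what Search Engine Security does to the request ---
def ses_rewrite(headers, mode="chrome"):
    """Rewrite headers on a click that leaves a Google/Bing/Yahoo! result page.

    mode="chrome" (also Firefox): append " slurp" to the User-Agent and drop
    the Referer entirely. mode="ie": Internet Explorer cannot send an empty
    Referer, so it is set to "-". Requests that do not originate from a
    search page pass through untouched.
    """
    if not from_search_engine(headers.get("Referer", "")):
        return dict(headers)
    out = dict(headers)
    out["User-Agent"] = out.get("User-Agent", "") + " slurp"
    if mode == "ie":
        out["Referer"] = "-"
    else:
        out.pop("Referer", None)
    return out


def click_through(headers, ses=None):
    """Follow a search result with SES off (None) or on ("chrome" / "ie")."""
    sent = headers if ses is None else ses_rewrite(headers, ses)
    return hijacked_site_response(sent)


# Constructed request, as a Chrome user clicking a Google result would send it.
SAMPLE = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.162 Safari/535.19",
    "Referer": "https://www.google.com/search?q=referer+mobilefish",
}

if __name__ == "__main__":
    for label, mode in (("SES off", None), ("SES on, Chrome", "chrome"), ("SES on, IE", "ie")):
        print(label, "->", click_through(SAMPLE, mode))
```

The point the model makes is that either change alone is enough against this cloaker: with no search-engine Referer the site serves the spam page, and with "slurp" in the User-Agent it believes it is being crawled. Real cloakers differ in which headers they trust, which is why SES changes both.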

Search Engine Security options

You can install Search Engine Security for Google Chrome in the Chrome Web Store.

Friday, April 13, 2012

Details of a "new" Fake AV page

As I mentioned last week, more Fake AV pages are once again showing up in popular Google searches. Although these malicious pages look the same as they did 2 years ago, the source code is different.



The first thing you notice in the source code is that there is no obfuscation at all. The attacker is not trying to hide anything: the CSS is inline, the JavaScript is inline and in plain text (no obfuscation, minification or packing), etc. That makes the pages very easy to track and block. Or it should: antivirus vendors are still not able to block the Fake AV executable with an acceptable level of accuracy. As you can see in the video, only 5 out of 42 antivirus engines find anything suspicious. You can easily download the executable with a simple wget command, so it is not hard to gather these samples.

Download the malicious executable with wget

The source code is fairly simple. Another interesting fact is that Firefox is handled differently by the page compared to other browsers, meaning that different JavaScript code is run, but the end result is the same as on the other web browsers.

Fake AV page

The JavaScript function used to trigger the malicious file download is called google(). It creates an IFRAME pointing to the malicious executable, which triggers the download prompt without having to leave the page.

The google() function
The animations (blinking text, scanning progress bar, etc.) are all done with animated GIF files.

Overall, these Fake AV pages are low tech, highly distinctive and very easy to track, but still very effective. Desktop antivirus, often the only protection available to home users, generally fails to block the page and fails again to block the malicious executable.

Monday, April 9, 2012

PDF exploits targeted through Blackhole exploit kits.

Blackhole exploit kits have been delivering PDF exploits for some time now. The kit serves one of several malicious PDF files to the victim if the browser reports a potentially vulnerable version of Adobe Reader. When such a PDF is opened in Adobe Reader, a known vulnerability is exploited and the user's machine is compromised.

Let’s look at the de-obfuscated portion of the Blackhole exploit kit. The exploit kit for this sample was delivered from “flightpub.net/l/src.php?case=46677c190b37f2d6”.

The de-obfuscated code above shows how a 1x1 pixel iFrame is created to load a malicious PDF file from either "./content/ap1.php?f=97d19::182b5" or "./content/ap2.php?f=97d19::182b5", depending on the version of Adobe Reader installed. Both files are hosted on the same domain, "flightpub.net".

The absolute paths of the malicious files are,

hxxp://flightpub.net/l/content/ap1.php?f=97d19::182b5 and
hxxp://flightpub.net/l/content/ap2.php?f=97d19::182b5

For analysis purposes, we can download the aforementioned PDF files manually. Each PDF contains a JavaScript object holding obfuscated JavaScript, as shown below:

The JavaScript code loops through the array 'ar' and converts each element with the logic in function 'test2()'. The de-obfuscated code targets a three-year-old vulnerability in Adobe Reader.

Let’s take a look at the some of the de-obfuscated code,

A stack based buffer overflow vulnerability exists in the ‘getIcon()’ method, which is detailed in CVE-2009-0927.
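Pulling the script out of the PDF is the first step of the analysis above. Here is an added helper for it (example code, not the author's tooling and not the kit's code): it walks the objects, finds the /JS entry whether it is a literal string or an indirect reference to a FlateDecode stream, inflates it, and reports the names that matter for this family. The PDF it runs on is constructed inline, and its script is a stand-in for the 'ar' / test2() loop described above, not the Blackhole sample; the indicator list and the version check in the stand-in are assumptions.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# The vulnerable method, the usual string-assembly helpers and two Reader API
# entry points that exploit PDFs lean on (assumed list, extend as needed).
INDICATORS = (b"getIcon", b"unescape", b"fromCharCode", b"eval", b"app.viewerVersion", b"util.printf")


def parse_objects(pdf):
    """Minimal object scanner: {num: body} for every 'n g obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def read_literal(body, start):
    """PDF literal string starting at body[start] == b'('; handles nesting and escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return bytes(out)  # unterminated string: return what we have


def decode_stream(body):
    """Raw stream bytes of an object, inflated if the dictionary says FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return None  # corrupt or truncated stream: report nothing rather than garbage
    return data


def extract_javascript(pdf):
    """All JavaScript bodies found in the document, as bytes."""
    objs = parse_objects(pdf)
    scripts = []
    for body in objs.values():
        if b"/JS" not in body:
            continue
        m = re.search(rb"/JS\s*(\(|(\d+)\s+\d+\s+R)", body)
        if not m:
            continue
        if m.group(1) == b"(":  # inline literal string
            scripts.append(read_literal(body, m.start(1)))
        else:  # indirect reference to a stream object
            target = objs.get(int(m.group(2)))
            data = decode_stream(target) if target is not None else None
            if data:
                scripts.append(data)
    return scripts


def indicators(script):
    return [name.decode() for name in INDICATORS if name in script]


def build_sample_pdf(js, as_stream=True):
    """Constructed minimal PDF carrying `js` as the document OpenAction (test input only)."""
    if as_stream:
        payload = zlib.compress(js)
        js_obj = b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload) + payload + b"\nendstream"
        action = b"<< /S /JavaScript /JS 4 0 R >>"
    else:
        js_obj = b"<< >>"
        action = b"<< /S /JavaScript /JS (" + js + b") >>"
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>", action, js_obj]
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Stand-in for the obfuscated loader: an array `ar` decoded by test2() and eval'd.
SAMPLE_JS = (b"var ar=[103,101,116,73,99,111,110];function test2(a){var s='';"
             b"for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]);}return s;}"
             b"if(app.viewerVersion<9.1){eval(unescape(test2(ar)));}")

if __name__ == "__main__":
    for script in extract_javascript(build_sample_pdf(SAMPLE_JS)):
        print(indicators(script), script[:60])
```

Note that "getIcon" does not show up in the indicator output: as in the real sample, the method name only exists after the array is decoded, which is exactly why static string matching on the PDF is weak and the script has to be run or decoded.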

This vulnerability is widely targeted by various versions of the Blackhole exploit kit. I have seen different variants of the payload URL used to host these PDF exploits. The URL pattern changes with different variants of the exploit kit. The different URL path patterns seen so far are:

/content/ap1.php?f=97d19::182b5
/content/ap2.php?f=97d19::182b5
/content/fdp1.php?f=63
/content/fdp2.php?f=63
/content/adfp2.php?f=193
/content/adfp1.php?f=193

The common elements in the above URL paths are '/content/' and '.php?f='. By identifying such patterns one can write a network signature on the URL string to catch these malicious requests.

Let's take a look at a couple of Snort signatures (from the Emerging Threats ruleset) for detecting these malicious URLs. Note that these two rules only match the fdp1/fdp2 variants, so the ap1/ap2 and adfp1/adfp2 paths listed above need rules of their own, and that the CVE in the rule metadata (CVE-2011-0611, a Flash Player vulnerability) is not the getIcon() bug discussed here.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;)
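Here is an added example (not from the post) of turning the path patterns above into detection: one regular expression covering all six variants, run over constructed proxy log lines, plus a generator that emits one Snort rule per variant in the same shape as the two ET rules above. The log lines, the sid range, the "LOCAL" msg prefix and the loose fallback pattern are my assumptions; the paths and the flightpub.net host come from the post.

```python
import re
from urllib.parse import urlsplit

# /content/<ap|fdp|adfp><1|2>.php?f=<token> covers all six paths in the post;
# the trailing digit is the Reader-version branch (ap1 vs ap2 in the iframe code).
STRICT = re.compile(r"/content/(?P<family>ap|fdp|adfp)(?P<branch>[12])\.php\?f=(?P<token>[0-9a-f:]+)", re.I)
# The looser shape the post singles out: '/content/' ... '.php?f='. Noisier on its own.
LOOSE = re.compile(r"/content/[a-z0-9_]+\.php\?f=", re.I)


def classify_url(url):
    """Return a dict describing the hit, or None for a benign URL."""
    m = STRICT.search(url)
    if m:
        return {"level": "strict", "host": urlsplit(url).hostname, **m.groupdict()}
    if LOOSE.search(url):
        return {"level": "loose", "host": urlsplit(url).hostname}
    return None


# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed lines; the first two reuse the kit paths quoted in the post.
SAMPLE_LOG = """\
1333958400.120    210 10.0.0.17 TCP_MISS/200 43121 GET http://flightpub.net/l/content/ap1.php?f=97d19::182b5 - DIRECT/203.0.113.9 application/pdf
1333958401.004    188 10.0.0.23 TCP_MISS/200 43001 GET http://flightpub.net/l/content/fdp2.php?f=63 - DIRECT/203.0.113.9 application/pdf
1333958402.330     40 10.0.0.17 TCP_HIT/200 5120 GET http://cms.example/content/images.php?id=12 - NONE/- text/html
1333958403.110     95 10.0.0.42 TCP_MISS/200 2290 GET http://cms.example/content/download.php?f=brochure - DIRECT/198.51.100.7 application/pdf
"""


def scan_log(text):
    """(client, url, verdict) for every log line whose URL matches either pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a squid line; skip rather than guess
        verdict = classify_url(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("url"), verdict))
    return hits


def snort_rule(family, branch, sid):
    """One rule per path, same shape as the ET rules quoted above (assumed sid/msg)."""
    path = f"/{family}{branch}.php?f="
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        f'(msg:"LOCAL Blackhole PDF exploit request {path}"; flow:established,to_server; '
        f'content:"/content{path}"; http_uri; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def all_rules(first_sid=1000001):
    variants = [(f, b) for f in ("ap", "fdp", "adfp") for b in ("1", "2")]
    return [snort_rule(f, b, first_sid + i) for i, (f, b) in enumerate(variants)]


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(client, verdict["level"], url)
    print("\n".join(all_rules()))
```

The fourth sample line shows why the loose pattern should stay an investigation lead rather than a blocking rule: a CMS download script with a "?f=" parameter matches it too. The strict expression is what belongs in a signature, and the "?f=" token it captures is the per-victim identifier the kit hands out, useful for tying the PDF request back to the landing page in the same log.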

Most of the vulnerabilities targeted by various exploit kits are public. Making sure all of your applications are updated regularly with the latest security updates will go a long way in helping to keep your computer secure.

Pradeep