Wednesday, September 1, 2010

Google Code hosting website used to spread malware again

Last year, there was discussion of Google Code, a site which allows developers to host their projects, being used to spread malware. We have now found yet another case where Google Code is being used to spread malware. According to Google Code site, “Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project comes with its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our project hosting service is simple, fast, reliable, and scalable, so that you can focus on your own open source development”. The malicious project in question has about 50+ executable stored in the download section of the project. Here is the screenshot of the malicious content:

Most of the files are executable files along with zipped “.rar” files. The time stamps show that the files have been uploaded over the course of the last month. This suggests that an attacker is actively using this free service to spread malware. Virustotal results for the first file, show that only 8 antivirus vendors out of 43 flagged the file as malicious. The detection ratio for second file is slightly better than that of the first file.

Let’s analyze first file which is “xin.exe”. When the first file is executed on the system, it will make several GET requests to download additional malware onto the system. Here is the first GET request,

A request for the “love.txt” file contains additional malware also stored on the Google Code site. Here is the link to an analysis of malware by Sunbelt security. The malware performs significant file, network and process activity to while infecting the system. Here is the packet capture of various requests to receive additional malware.

Further analysis of all files shows that they are all malicious threats including Trojans horses, backdoors, password stealing Keyloggers for online games such as “World of Warcraft” etc. Analysis of the file resources from ThreatExpert report indicates the possible country of origin is China. Interestingly, Google Code FAQ page says they will take down the whole project if they find malware being hosted on the project.

The question is how and when the Google Code team scans content hosted on their website to ensure that it’s not infected with malware? The first malicious file was uploaded on June 24, 2010, while this blog was written at the end of August – over a month has passed and still the malicious files are being hosted at the Google Code site. The attacker not only storing old malware but he is also actively uploading new malware on the site. The detection ration by AV vendors varies from reasonable to poor given the specific malware sample. As Google Code is free hosting website for developers, attackers are clearly taking advantage of the site to push their malware.

Have you hosted anything?

UPDATE: 2 September 2010

Google has immediately taken down the project and URL to that project is no longer accessible.

Umesh

2 comments:

देवेन्द्र यादव (Devendra Yadav) said...

I downloaded files listed @ http://code.google.com/p/q888/downloads/list and run multiple virus scanners(submitted to virustotal)none of these were detected as virus. how you can say these are malwares ??

- Devendra Yadav

Umesh Wanve said...

Can you double check? My AVG detects most of them. And here is latest uploaded VirusTotal result for "wowip.exe" .
http://www.virustotal.com/file-scan/report.html?id=9b28edb1ccb85b78cd612233022a017045c998821daab2f3183859af6375e513-1283346681

12 out of 43 detects the newly uploaded.