Friday, April 30, 2010

Storm Worm 2.0

A detailed analysis was provided, here, on the new version of the Storm Worm making its rounds this week. I went looking in our logs for HTTP POSTs to three and four character GIF and JPG files with relatively small request and response sizes (<1000 bytes). What I found was a number of transactions to 91.212.127.114 (on Telos, no PTR record).
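The log hunt described above, as an added sketch (not code from the original post). The log layout (client, method, URL, request bytes, response bytes), the sample lines and the function names are constructed, and "three and four character" is assumed to mean the file name before the extension.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log: client, method, URL, request bytes, response bytes.
SAMPLE_LOG = """\
10.0.0.5 POST http://198.51.100.7/abcd.gif 312 148
10.0.0.5 GET http://198.51.100.7/abcd.gif 290 148
10.0.0.9 POST http://example.com/upload/photo.jpg 48211 310
10.0.0.7 POST http://198.51.100.7/xyz.jpg 401 96
10.0.0.7 POST http://198.51.100.7/wxyz.jpg?x=1 350 2048
10.0.0.8 POST http://example.org/form.php 220 512
"""

# Assumption: a file name of exactly 3 or 4 characters, then .gif or .jpg.
SHORT_IMAGE = re.compile(r"^[^/.]{3,4}\.(?:gif|jpg)$", re.IGNORECASE)
MAX_BYTES = 1000  # request and response must both be smaller than this


def suspicious_posts(log_text, max_bytes=MAX_BYTES):
    """Return (client, host, path) for small POSTs to short-named image files."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        client, method, url, req_size, resp_size = parts
        if method.upper() != "POST" or not (req_size.isdigit() and resp_size.isdigit()):
            continue
        if int(req_size) >= max_bytes or int(resp_size) >= max_bytes:
            continue
        split = urlsplit(url)
        filename = split.path.rsplit("/", 1)[-1]  # query string is not part of path
        if SHORT_IMAGE.match(filename):
            hits.append((client, split.hostname, split.path))
    return hits


def hosts_by_hits(hits):
    """Count hits per destination host so a common server stands out."""
    return Counter(host for _, host, _ in hits).most_common()


if __name__ == "__main__":
    for host, count in hosts_by_hits(suspicious_posts(SAMPLE_LOG)):
        print(host, count)
```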

Wednesday, April 28, 2010

Following recent QQ phishes


QQ is a popular email and instant messaging service within China. In yesterday's logs I saw entries for:

aq.qq.com.cn-inddex.com
qq.com.cn.indexx-cn.com

Following the pages, the display looks identical to the qq.com pages. Click on the login within the phish and a login similar to qq.com is displayed. The above screenshot is of the phish login prompt.

Tuesday, April 27, 2010

Wordpress sites hacked, again!

A big web hosting company was the target of a massive attack of hosted Wordpress sites. This is hardly a surprise. Wordpress, and other Content Management Systems (CMS) like Drupal, Joomla!, etc. are regularly targeted because of the high number of security flaws either in their core functionality, or in the numerous 3rd-party plugins that they work with.

To verify if this feeling of deja-vu is right, I took a look at our statistics to identify the volume of sites we've seen over the last week that were infected with malicious IFRAMES or Javascript:

| Measurement | Percentage of Wordpress sites |
|---|---|
| Hits | 68% |
| Hosts | 87% |

Percentage of infected sites running Wordpress

68% of the pages infected with malicious IFRAMES or javascript were running on Wordpress. If we look at the number of unique hosts, 87% of infected sites are running Wordpress!

Monday, April 26, 2010

Remote Downloader ActiveX: old exploits, new malware

ActiveX is a proprietary Microsoft technology, which allows developers to produce reusable software components. The controls are compatible with the Internet Explorer (IE) web browser and over the years have been a frequent security threat, as many developers have produced insecure ActiveX controls which can lead to the remote execution of code when a user with IE visits a malicious web page. This is a very powerful tool for attackers because everything happens in the background (no user interaction), and they can trigger exploitation with only a few lines of code.

Tuesday, April 20, 2010

Fun with N-gram Analysis

A former colleague and I had discussed character based analysis of domains to provide indications of suspicious / malicious usage. For example, the Avalanche botnet has a domain registration and fast-flux infrastructure that is frequently used for hosting Zeus, phishing, and money-mule recruitment sites. Typically, Avalanche bulk registers domains that often do not have any correlation to any particular word or alias, for example:

erasv
jjkk
yuuikom
yy1azsva
zah7kio
zyuojli
...
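One simple form of the character-based analysis described above, as an added example (not code from the original post): it measures what share of a label's character bigrams never occur in a reference set of known-good labels. The reference list is a small constructed stand-in for a large known-good corpus, and the 0.5 threshold and function names are assumptions.

```python
# Constructed stand-in for a large list of known-good domain labels.
REFERENCE_LABELS = [
    "google", "facebook", "youtube", "yahoo", "wikipedia", "amazon",
    "twitter", "microsoft", "linkedin", "paypal", "weather", "mailserver",
    "online", "banking", "secure", "account", "shopping", "travel",
    "news", "update",
]

# Labels quoted in the post above.
POST_LABELS = ["erasv", "jjkk", "yuuikom", "yy1azsva", "zah7kio", "zyuojli"]


def ngrams(label, n=2):
    """Return the overlapping character n-grams of a label."""
    label = label.lower()
    return [label[i:i + n] for i in range(len(label) - n + 1)]


def build_profile(labels, n=2):
    """Collect every n-gram observed in the reference labels."""
    seen = set()
    for label in labels:
        seen.update(ngrams(label, n))
    return seen


def unseen_ratio(label, profile, n=2):
    """Fraction of the label's n-grams that never occur in the reference set."""
    grams = ngrams(label, n)
    if not grams:
        return 0.0  # label shorter than n: nothing to judge
    return sum(1 for g in grams if g not in profile) / len(grams)


def flag_labels(labels, profile, threshold=0.5, n=2):
    """Return the labels whose unseen-n-gram ratio meets the threshold."""
    return [label for label in labels if unseen_ratio(label, profile, n) >= threshold]


if __name__ == "__main__":
    profile = build_profile(REFERENCE_LABELS)
    for label in POST_LABELS + ["onlinebanking", "weathernews"]:
        print(f"{label:15s} {unseen_ratio(label, profile):.2f}")
```

With a reference set this small the ratio is coarse; a larger known-good corpus and a tuned threshold are needed before relying on it for alerting.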

Monday, April 19, 2010

Google says: their site is used "as an intermediary for the infection of 13 site(s)"

Google is doing regular security scans of the websites it indexes. Google SafeBrowsing, the service that Google uses to communicate whether a domain is malicious or is used to redirect to a malicious site, will show the results for a given URL with the following query:

http://www.google.com/safebrowsing/diagnostic?site=.

Friday, April 16, 2010

Video: first link on Google leads to a malware site

A video is worth a thousand words. This short clip shows a Google search for "tax day freebies", one of the hottest search terms on 04/14/2010. The first regular search result (below the News and Twitter sections) redirects to a fake antivirus page.





-- Julien

Monday, April 12, 2010

Search engines need to protect their users

Following the post on “Web Security: the Google paradox”, I wanted to compare the number of malicious search results for major search engines including Google, Bing and Yahoo!. The question that I wanted to answer - do any of them do a good job filtering results to protect users?

Same-day trends

I started by scanning the top-searches (according to Google Trends) over the course of three days.

| Terms | Google: bad links in top-10 | Google: bad links in top-50 | Google: bad links in top-100 | Bing: bad links in top-100 | Yahoo!: bad links in top-100 |
|---|---|---|---|---|---|
| what becomes of the broken hearted | 0 | 9 | 13 | 0 | 0 |
| miegakure | 0 | 11 | 27 | 0 | 0 |

03/30 trends

Tuesday, April 6, 2010

CVE-2010-0806 Exploit in the Wild

CVE-2010-0806, a use-after-free vulnerability in the Peer Objects component, was announced in mid-March 2010. The vulnerability impacts Internet Explorer 6, 6 SP1, and 7 - a patch was made available by Microsoft in the MS10-018 security update last week. Zscaler received early notification of the vulnerability through our trusted partnership with Microsoft and was able to deploy signatures to detect and block exploit attempts soon after the public release of the vulnerability.

Today this site was detected and blocked for attempting to exploit CVE-2010-0806:
hxxp://cn.cnsa56.info/w/woz.htm
--> and supporting script: hxxp://cn.cnsa56.info/w/k.js

The JavaScript used to exploit the vulnerability is heavily obfuscated, and the script contains some try-catch statements to evade detection and some automated analysis tools. The try{} statements will fail, so the code within catch{} will be run, which defines some variables and logic for decoding the shellcode.

Wepawet fails to decode/analyze properly, and categorizes the URL as benign. VirusTotal has 2/39 Anti-Virus engines that detect as a suspicious JavaScript downloader through their heuristic engines.

After decoding and analyzing the shellcode, it downloads the payload:
hxxp://v.vkjk6.info/w/win.exe

Unfortunately, VirusTotal shows no detection for this file. When conducting basic analysis on the binary payload, it becomes obvious that this is not a valid PE executable. It is likely that the binary is encrypted or obfuscated and that the shellcode run from the CVE-2010-0806 exploit will decode the binary on the victim's machine. (I will run the exploit in a sandbox, and post any follow-on analysis of the payload).

Oftentimes, the domain information for malicious domains is masked through a domain privacy service (like Domains by Proxy); however, this was not the case for the domains involved in this attack.

Here is the billing information for the cnsa56.info domain:
This same registration information was used for another live domain: ac364.info

And for vkjk6.info:
126.com is a free email provider,

The registration information, email provider used, and variable names used in the attack indicate the attacker is a Chinese speaker and possibly of Chinese nationality.

Bing and Yahoo! sponsored advertising leads to malicious websites

Search engines display results along with links sponsored by advertisers. Sponsored links are generally placed atop non-paid results, in order to provide higher visibility. Due to this fact, there is a higher chance of an end user clicking on these links. We have previously seen popular search engines returning sponsored links leading to malware sites. This time we’re seeing Microsoft’s new search engine Bing as well as Yahoo! with sponsored links leading to malicious websites. When you search for the keyword “advertising” using Bing or Yahoo!, the search engine will return results with sponsored sites. One of the sponsored sites contains a link to a malicious website. Here is the search result:



If you click on the link mentioned in the above image, you may be infected by malware. Looking at the source code of the page shows that a malicious script has been injected into the webpage, which points to a malicious third party site. Here is the screenshot of the source code.


In the screenshot, you can see that the page contains one script tag which links to a malicious website. When you open the malicious site using Firefox or Chrome, you will be alerted with warnings as the site has been blacklisted via the Google SafeBrowsing initiative.


The attackers are very active and they keep finding new ways to infect users. The question remains: why is this paid advertising link being displayed even if it contains a malicious link? Why are search engine vendors not filtering sponsored links? This is especially perplexing as they have knowledge of the infection (Google maintains Google SafeBrowsing content). There are two reasons why the page may contain malicious content in the first place:

1) First, the sponsored site is owned by attackers and was intentionally set up to spread malware. In this case, an initial scan of the page content prior to inclusion in the list of authorized sponsors would have prevented displaying the malicious link.
2) Second, the sponsored link is for a legitimate web site, but was infected with malicious content due to a vulnerability in the site (e.g. via SQL injection). In this scenario, the infection could have occurred at any time, and search engines would need to continually scan page content to detect the infection.

Although this attack scenario has been known for some time, the search engines are failing to filter out these malicious results. If sponsored links are not being properly scanned for security issues, users will remain at risk. Search engine providers not only have to scan sponsored links for security threats initially, but must also do so continually, in order to ensure that attackers have not infected otherwise legitimate sites. This also means that end-users need to ensure that they have appropriate protections in place to inspect all page content in real-time, regardless of the source. Even search engine results can’t be trusted.

Happy Surfing!!!
Umesh

Monday, April 5, 2010

Google search: more links are malicious than you realize

It is not uncommon to find malicious links in 15% to 20% of the first 100 results returned by Google for any popular search term (according to Google trends). If Google doesn’t take the Blackhat SEO problem more seriously, the total number of malicious links is bound to increase and this may already be happening.

The top search on April 2nd was “tri energy”. I am not sure why it became so popular, but don’t google it: more than 90% of the first 100 links are malicious! Here is what I found for this search on April 4th:

  • 86 links were sending users directly to a malicious, fake antivirus page that tries to install malware. This is the same issue, with the same domain name (xorg.pl) involved in most of the redirections that I detailed in a previous post.
  • 4 malicious links were down or Google displayed a warning page
  • The first 5 links on the first page of results were legitimate

One of the too few warnings from Google

Same search on Bing and Yahoo

For the same search, Bing did not show any malicious links. Yahoo! displayed 4 malicious links on pages 2, 6 and 7. At this point, I’m not sure if Bing and Yahoo! do a better job at cleaning up their search results, or if they are simply slower at picking up new pages.

8 hours later

I have re-scanned the Google results 8 hours later and things are a bit better. There are still only 10 legitimate links in the first 100 results, but Google displays a warning for 87 links. Only 3 malicious links redirect to a harmful site.

Google warns the users to not follow these links. Why do they even show them?


Not an exception

This number of malicious links may be extreme in this example, but the overall problem of attackers leveraging SEO optimization is not rare at all. For the same day, for the #5 Google Trends search term, “epic google”, 50% of the first 100 links are malicious. For the #2 search term, “mendicant”, 38% of the links are malicious. It took Google 2 days to start cleaning up the results, from April 2nd to April 5th in the morning.

I do not understand why Google decides to include malicious links in their search results. Depending on the user’s browser version, clicking on these links can be harmful to users, or display useless content. In both cases, users do not want to visit these sites.

-- Julien

How Google is (NOT) tackling the Blackhat SEO issue

Google is widely used by attackers to trick users into going to malicious sites. The attackers hack legitimate sites that rank high on popular searches. The hacked pages display good content to the Google crawlers but when users surf to the hacked pages, they receive malicious content, which redirects them to other harmful domains.

While some Google searches contain numerous malicious results, even on the first page, Google seems to be attempting to address this issue. While analyzing the results for “google april fool”, I found several malicious results. I’ve investigated two - the 11th and 15th search results. The first link is to hxxp://consultenet.com/seriously/topeka-google-april-fools.html, while the second one is hxxp://sitnprettyphoto.com/werishmne/topeka-google-april-fools.html. Both links redirect to mysecure-safetypc.xorg.pl, a domain that displays fake antivirus pages to trick users into downloading and installing malware disguised as antiviruses.

A known bad site to Google

Google maintains a public list of malicious sites, known as Google SafeBrowsing. You can look at the status of any domain by going to http://www.google.com/safebrowsing/diagnostic?site=<domain>. Within a few seconds of spotting these 2 malicious links, consultenet.com was not showing up anymore in the top 100 results. The Google diagnostic page flagged the domain as having been involved in distributing malware.

Google Diagnostic for consultenet.com



Note that Google says “this site is not listed as malicious”, but that it is used to distribute malware. Indeed, consultenet.com does not host any malware, but it is used to redirect users to a different domain that hosts the malicious content.

How does Google use this information? A search for “site:consultenet.com” yields 403 results. By looking at the URLs, it is easy to spot the bad pages. One of them is hxxp://consultenet.com/seriously/didi.html. If you access this page from Google using the same search terms, you get the harmless page which Google used to rank the content. The hacked page looks at the Referer header to check where the user is coming from. Not only does the user have to come from Google, but they also need to have done a “normal” search. This is an attempt to fool both Google and security tools into marking these pages as good.




Yes, all the fake pages are as ugly as this one! But this is the content that matters to Google.

I extracted 3 words from the page, and ran the following Google search: “didi index indicator”. Sure enough, the malicious page shows on the first result page as the 5th result.
Don’t click on link #5


If you follow the link, you get redirected to the following fake antivirus page on xorg.pl.

Fake antivirus page


An unknown hacked site

Google did not, at the time this blog was published, flag the second domain, sitnprettyphoto.com, as malicious.
Domain is safe according to Google

It may not take long for Google to flag this domain. Since I don’t know when the website was hacked, I’m not able to measure Google’s response time to scan and flag it correctly.


What is Google doing with its data?

While it is not surprising that Google does not flag all hacked websites immediately, it is very concerning that they keep bad websites in their index. They know consultenet.com is used to spread malware, yet they still display dangerous links to this domain in their search results! Protecting users should be their number one priority. I personally would prefer that they erroneously blacklist some websites temporarily, rather than keeping known bad websites in their search results - even showing them in the top 10 results!

-- Julien

Thursday, April 1, 2010

Governmental website hacked to spread malware

Malicious sites are hiding themselves behind hacked legitimate sites. Attackers use these legitimate sites to fool the search engines into showing them as the top results for the most popular searches. These sites are then used to redirect visitors to a malicious site on a different domain, displaying a fake antivirus page.

Most of the hacked sites are low profile: personal pages, small community sites, etc. But yesterday (03/31), an Argentinian governmental website was showing up in the first 10 results on Yahoo for "who got kicked off dancing with the stars tonight":
hxxp://misioneseduca.gov.ar/rob.php?id=who+got+kicked+off+dancing+with+the+stars+tonigh
After clicking on the link, I got redirected to:
hxxp://p3p0.com/?said=3333&q=WHO+GOT+KICKED+OFF+DANCING+WITH+THE+STARS+TONIGHT

misioneseduca.gov.ar is down today. It appears that it was hacked along with several other PHP websites using Joomla due to a vulnerability in an image gallery plugin.

Not so long ago, hacking a website was the final goal. Attackers would do it for fun, as a political statement, or to steal money or information (login credentials, Social Security Numbers, etc.). Now, a hacked website is a platform to attack users, and not just the ones who frequent the site. Attackers are using Google SEO to widen the range of visitors to the hacked site serving malware.

-- Julien