Wednesday, June 30, 2010

Spam SEO trends & statistics (Part I)

I have been gathering information on Blackhat SEO for a couple of months now, mainly to find new domains hosting malicious content. More specifically, I monitor the most popular Google searches from Google Hot Trends and plan to use this data to show different trends and statistics over a few different blog posts.

I've shown in previous posts that Google takes a long time to clean up their search results and that hijacked websites are still shown in the top 100 results after several days. Here are a couple of graphs that illustrate how many hijacked links (Google results which redirect to a malicious page) are displayed without a warning (red line), and how many links are blocked by Google (blue line) over time (X axis).

A search for "2010 nba draft order" made the top-20 hot trends for the first time on 05/18/2010. I have scanned the first 100 results from 05/19/2010 to 05/27/2010, a total of nine days of results.

Statistics for "2010 nba draft order", 05/19 - 05/27

For this search, the highest number of hijacked links displayed happened on day 2 and day 7. Google started showing warnings only on day 3.

The statistics are even more compelling for other search terms. "american idol top 2" and "american idol top 3" were both popular in mid-May. But the second search significantly more malicious links (up to 31 is the first 100 results), and Google struggled mightily to clean up these search results:

Statistics for "american idol top 2", 05/20 - 05/27


 Statistics for "american idol top 3", 05/17 - 05/27

On heavily infected searches (more than 70% of results are malicious), Google took 5 days to do any serious cleanup:

Statistics for "anacostia river", 05/19 - 05/27


More troubling, some searches still contain more than 10% malicious links after 3 weeks:
Statistics for "boondocks season 3 episode 1", 05/18 - 05/23


-- Julien

Monday, June 28, 2010

'LikeJacking' - What is it?

In the past few days I've had a number of people send me URLs that they received from friends on Facebook that seemed unusual and asked me what is this? In each of these cases, the answer was 'LikeJacking' - while this has been discussed in the security community for the last month or so (e.g., Sophos blog post), the general public seems fairly unaware of this technique. The term has been adopted enough, that there is a Wikipedia page for it, with a very straight-forward definition:


For those unfamiliar with Facebook's 'Like Button' - "The Like button enables users to make connections to your pages and share content back to their friends on Facebook with one click" additional details can be read here.

Many of the sites involved with LikeJacking are NSFW (contain nudity). However, below is a recent example of sites that I can safely take some screenshots of (sorry, no nudity on this blog):

Example: hxxp://tattooshaha.info/

Viewing the source of the site, we can see the META tags used for the information that will propagate to Facebook:
And a transparent iframe to for the visitor to 'Like' the site:
Why? Well the simple answer is to drive up the number of visitors to your site though Facebook 'Like' advertisement. For this particular example, clicking on the image directs users to hxxp://coolest-bathroom.info/tattoo/, and viewing the source of the page shows that JS source is loaded from cpalead.com:
The purpose of this campaign appeared to monetize click-throughs with cpalead.com:

I've seen this technique in play in a number of other LikeJacking campaigns, e.g.,
hxxp://www.101hottestwomen.com/
hxxp://102hottestwomen.com/
hxxp://103hottestwomen.com/video.html
hxxp://104hottestwomen.com/video.html
hxxp://105hottestwomen.com/video.html
hxxp://106hottestwomen.com/video.html
hxxp://107hottestwomen.com/video.html
hxxp://108hottestwomen.com/video.html
hxxp://109hottestwomen.com/video.html
hxxp://110hottestwomen.com/video.html
hxxp://111hottestwomen.com/video.html


The source of this one shows that if your visiting from Germany, Finland, or Spain IP you load from cpalead.com, otherwise you load from adscendmedia.com (CPA affiliate):

Friday, June 25, 2010

Zeus C&C (Avalanche)

Recent Zeus C&C activity has been observed from: mnbvicdij4uhdjb5421knnkd.com
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):

Zeus Configuration URLs:
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/oraha.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/orahxa.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/xman.bin

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/gogo.php
hxxp://mnbvicdij4uhdjb5421knnkd.com/cp01/zen.php

Domain Registration Information:
Registrant Contact:
The name server domain (dimplemolar.net) has been observed providing name services for other past Zeus domains:
haijeihefoobeekahkohweto.com
eethahchaehiexahgeemaugh.com
ziosuovareipheighaisheek.com

Registration for the nameserver domain:

Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus:
ns1.hourscanine.com - 87.117.245.9

Keeping Money Mule Recruiters on a Short Leash:
ns1.dimplemolar.net - 207.126.161.29

Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, DNSBL.abuse.ch shows that 98.214.150.140 resolving the domain kldmten.net which at present has had 547 bot IPs observed supporting this domain.


The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.

iPad Beta-Testing Scam

I saw this being spam advertised on Facebook:
Tammi Tyler appears to be a throw-away, spam profile used for this campaign.

The bit.ly link takes the follower to: hxxp://www.theigadget.com/?80af9787


Site advertises that you sign-up and beta-test an iPad for 2 months and then get to keep it ... in addition to feeding this spam group with your contact information (step 1 of registration), they also request that you give them your email account password (step 2):


The contact info on the page shows:

The betatestinginc.com domain was recently parked and theigadget.com domain was registered earlier this month, both use privatewhois.net to mask the registration information.
theigadget.com currently resolves to 188.64.184.61 (UKHOST4U), and betatestinginc.com to 216.8.179.23 (NEXT DIMENSION INC). Here's an earlier blog post that mentions someone falling victim to this group for this iPad scam.

Googling for the bit.ly link shows it spammed out to Twitter as well:


Remember "if it's too good to be true...

Monday, June 21, 2010

World Cup, Black Hat SEO list

Leading up to the World Cup, there were several Black Hat SEO instances poisoning specific World Cup search terms. Since the start of the World Cup however, I thought I'd seen less and less poisoned results make it into the top results when searching for World Cup phrases. This made me wonder if Google was doing a better job at removing or preventing these poisoned results from being delivered, or that the bad guys were shifting their focus to poison less obvious targets and stay under the radar (Google and the security community have been on alert for poisoned results for high profile events like the World Cup).

This morning I was able to view the files on a compromised website being used for a BlackHat SEO campaign and view over 1,000 some websites and search terms used in the BlackHat SEO back-linking. The poisoned search term list is large and diverse, but do include a number of World Cup related search terms, for example:

Ghana Vs Serbia
Germany Australia World Cup
Soccer Offside Rule
German National Anthem Youtube
Espn Soccer
Algeria Vs Slovenia
Germany Cup Roster
South Africa Time Zone
World Cup Schedule Printable
World Cup Inauguration 2010
World Cup Scores
Fifa Schedule
Ghana World Cup 2010
Usa Vs England World Cup
Espn World Cup Schedule
Germany Australia World Cup Date
World Cup 2010 Bracket
Ghana World Cup 2010 Fixtures
German Soccer Team Roster
Germany World Cup
Germany Soccer Team
World Cup Opening Ceremony
Uruguay Soccer Team
Espn World Cup Coverage
Australia Vs Ghana World Cup 2010
World Cup Live Streaming
Germany Soccer Team Apparel
Soccer Rules
German Soccer Team Logo
Mexico Soccer Team
The poisoning success of some of these terms varies, but in almost every case I was able to find a number of poisoned results. For example, World Cup 2010 Bracket had 3 of the top 10 results poisoned:
And Soccer Offside Rule had a number of poisoned results.
Following a poisoned result through the redirect to the badness (fake codec in this instance):
Virus Total result for this example was 12/41 A/Vs detect.

So a reminder in case you needed one, World Cup search terms are still being successfully poisoned.

Wednesday, June 16, 2010

Watch Live World Cup Fraud/Scams

As expected the fraudsters are leveraging the World Cup to spread malware or just steal victim's financial information. One such example that I'm seeing are lots of advertisements for websites claiming to allow you to watch the World Cup live on your computer.


(Screenshot from software-mall.net/world-cup-football/)


This blog post advertises both the NBA finals and World Cup (though, not very well, the World Cup image is cut off):

(Screenshot from onlineussportstv.blogspot.com/2010/05/blog-post.html)

In both of these examples the advertisement "click-through": click.tvprocessing.com with an affiliate ID and then land on a site like one of the following:
  • live-worldcup-football.com
  • worldcup-finals.com
  • watch-2010-worldcup.com
Looking at the WHOIS registration for a number of the domains, shows a number of domains with the same registration information:



A search for Wasily's registration information shows that this registration information has been used in a number of fraud / scams (including iTunes and iPod related scams), reference MalwareURL. In fact the same NetBlock was used for this as in past scams:
A search within DomainTools shows that there are currently 46 live domains with this registration information. The fraud pages all look professional / legit, and each one has a slightly different look:

These sites at a minimum are affiliate's of tvprocessing.com which claims to have a high payout to its affiliates:
And a worst-case for victims are a means to stealing your financial information. Following the worldcup-finals.com site through its Registration process (join.asp) it asks for financial information over a non-SSL page:

In either case, these sites should not be trusted.

Tuesday, June 15, 2010

Antivirus Struggling with Obfuscated JavaScript

As part of our offline research, we regularly test various desktop antivirus (AV) solutions to determine how effective they are at catching web based threats. One segment where I feel that AV has struggled, is with the identification of malicious content when analyzing obfuscated JavaScript. While obfuscated JavaScript can be an indication of malicious content, such as injected IFRAME attacks, the technique is regularly used by legitimate sites. Most notably, we see heavy usage of JavaScript obfuscation among online advertising vendors. JavaScript obfuscation is used by legitimate sites for two reasons. First, code may be obfuscated in an effort to limit the size of the code by removing whitespace and changing variable names in order to make it more efficient. Secondly, sites leverage obfuscation in order to 'protect' code by making it harder to understand and therefore copy. This latter motivation is of minimal value however as client side content can always be de-obfuscated given a basic level of effort. After all, the browser needs to interpret the code at some point.

JavaScript obfuscation presents a challenge for AV vendors. Despite what marketing literature would suggest, detecting malicious content still heavily relies on the use static signatures. Obfuscation is problematic as signatures cannot detect what they cannot see. This leaves two options. The AV engine can either first de-obfuscate the JavaScript or signatures can be created for obfuscated content. The latter is problematic as even a slight change in the content or encoding algorithm can lead to vastly different output, while de-obfuscation is an imperfect science as those who have used tools such as Malzilla can attest to.

I ran across an obfuscated JavaScript sample recently which illustrates this challenge. The code in question is perfectly legitimate and resides at About.com, a popular website which delivers information on a variety of topics. On a page entitled APR calculator, when looking at the page source, you will note a large block of obfuscated JavaScript within the section of the page.

<script language="javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A...

At first glance, this appears to be a classic case of malicious content injected into an otherwise legitimate page. It's essentially a large block of hexadecimal encoded characters and it requires a couple of passes to fully decode everything. However, once de-obfuscation is complete, you uncover JavaScript code designed to calculate your mortgage payments...not attack your browser. For those interested in seeing the code in all it's glory, please follow the links below.

Obfuscated/De-obfuscated JavaScript files
Despite the benign nature of this Javascript code, at the time this blog was published, no fewer than 18 of 41 antivirus engines flagged this code as malicious. What does this tell us about how the engines operate? Clearly they are inspecting the obfuscated code as opposed to the de-obfuscated code and flagging based on the existence of certain functions/data. The problem with this approach - while JavaScript obfuscation is used by the bad guys, it's used by the good guys as well. Identifying malicious content by statically inspecting obfuscated JavaScript is overly simplistic and as can be seen, is bound to trigger false positives.

- michael

Thursday, June 10, 2010

robint.us SideNote: "CuteQQ"

A report of the malicious JavaScript on robint.us can be seen in this Wepawet report. I noticed that within the JS, the variable name "cuteqq" was used for evaluating the payload - this sounded really familiar. Google "cuteqq malware" and 784 results returned ... CuteQQ is actually a browser exploit toolkit that was popular during 2008. Google for "var cuteqq" and there are several more interesting results including those marked "This site may harm your computer."

Here is a VirusTotal report for an early version of the CVE-2010-0249 ("Aurora") exploit, showing that the malicious binary was authored by the "Cuteqq Software Team"


"Cuteqq" does seem to have its usage in several Chinese exploits / variable names. (QQ is a popular Chinese web service for email, chat, news, etc.)

VirusTotal analysis of the actual payloads shows that most A/V vendors (including our inline A/V solution) detect the malicious payloads dropped by the infected webservers:
Neither of these payloads attributed themselves to the "Cuteqq" team directly within the binary signature / authorship information.

WHOIS information for the two domains related to this incident show CN attribution:

robint.us – Case Study in Mass Website Infection

There have been numerous reports about the IIS/ASP SQL injection compromises that redirected users to ww.robint.us. See below for reading on this incident:

However, many of these posts do not discuss what was seen in terms of impact to actual users. Zscaler has millions of users from around the globe that use our cloud service. From our pool of users, this is what we saw:
  • The first transactions that we saw to ww.robint.us were on June 7, 2010 at 03:56 PT.
  • Zscaler became aware of and placed a block on the offending domain within the first 3 hours of the incident. Zscaler's inline A/V solution had signatures to detect the payload used prior to the attack.
  • To date, we have seen 1071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs. Of the source IPs, 74% were from the United States, 6.5% from India, were from 4.3% from Germany, and the remaining 15.2% were spread across 7 other countries - illustrating the indiscriminate nature of the webserver attacks.

The ww.robint.us incident is considered a mass scale incident given that several thousand websites were impacted and used to redirect users to the malicious JavaScript. However, our data shows that a very small pool of our users (less than 1% of 1%) actually had attempted transactions to ww.robint.us, meaning that generally speaking the infected websites were fairly unpopular among our enterprise user base.

The below graph charts the transactions, source IPs and users impacted over time. Close to 50% (48.7%) of the transactions and 25% of the users that we saw were in the first 3 hours of the incident.



Comparison of Malware protections: Google Safe Browsing, Microsoft SmartScreen, etc.

All modern web browsers now include protections for malware. They include a list of known malicious URLs, and compare each address visited by the user against this list. If the URL is recognized as malicious, a warning message is displayed in place of the HTML page. They also protect against Phishing sites, but I won't dive into this feature during this post.

SmartScreen Filter warning in Internet Explorer


Chrome, Safari and Firefox 3.x use Google SafeBrowsing, while Internet Explorer 8 has SmartScreen Filters and Opera includes lists from Netcraft and TRUSTe. Note that it took Safari more than 20 minutes for SafeBrowsing to start working after I upgraded from Safari 4. It did not show any warning, informing that malware protection was disabled while it was retrieving the database.

Safari waning message

I was wondering how well these protections work against current threats. Since antivirus doesn't perform well against viruses spread through fake AV pages, fake videos, or against malicious jar files, I wondered if these browser block lists would keep users safe against current spam SEO attacks.

I've tried a few domains for each type of attack, using each browser. All the malicious domains were directly identified from within Google search results, using popular search terms.

Protection against fake AV pages

I first tried various new fake AV domains as well as subdomains for xorg.pl (hostguard-31p.xorg.pl, hostguard-47p.xorg.pl, ubersaving26.xorg.pl, etc.), a domain that has hosted fake AV pages for months.

Browser New domains blocked Xorg.pl subdomains blocked
Firefox 3.6 7/75/5
Internet Explorer 8 2/7 0/5
Opera 10.5 0/7 0/5

Google Safe Browsing is very good at blocking fake AV pages. We report to Google on fake AV domains we identify, which they don't block, but we're noticing that there are fewer and fewer which they don't already block.

Protection against fake video codecs

This type of malicious pages seem to have staged a come back and we're seeing them more and more frequently since last week-end. In this scenario, the user is tricked into downloading an executable disguised as a video codec or new flash version.

Browser Urls blocked
Firefox 3.6 2/6
Internet Explorer 8 5/6
Opera 10.5 0/6

Internet Explorer did a great job at flagging the fake video sites. Google Safe browsing, surprisingly had a very low rate of success.

Protection against Java/PDF/Flash exploits

The number of Java exploits has also increased dramatically over the past few weeks.

BrowserUrls blocked
Firefox 3.62/4
Internet Explorer 81/4
Opera 10.50/4

Opera did not flag any of the malicious sites. Their security blacklists may be targeting phishing only. To make sure the security notification worked, I attempted to visit a phishing site and Opera did warn me.

Opera phishing warning


-- Julien

Tuesday, June 8, 2010

Fake video codecs replacing fake AV pages

We've recently seen fake AV pages being replaced by fake video pages - malicious pages showing a Flash based video player, along with an error telling the user that he has to download a new codec to play the video. This is certainly not a new technique used by attackers, but it is interesting to see that these attacks are showing up on the same pages that were previously used to deliver a fake antivirus attacks.

Fake video page


These malciious pages are accessed from spam SEO links on Google results. For example, hxxp://cghiggins.com/index.php/?bomp=17th+amendment appears on the first page for the search term "17th amendment", a popular search term on June 7th. This link redirects to the domain www2.realcleaner23p.co.cc. This domain name is typical of a fake AV page - it contains a term related to antivirus (clean) with a number, like virtually all such malicious domains that we've seen.

 Spam link to the malicious domain



The title of the page is the same as the fake AV page: Security Threat Analysis. The source code is also similar - an HTML page with no content, and an external Javascript file that contains the visual elements as well as the malicious code. The user is prompted with an executable to download, which will install the "missing" codec in order to watch the video. This is of course a virus.



The malicious domain is not (yet?) blocked by Google SafeBrowsing, and no warning is displayed in the search results. The malicious executable is currently flagged by 10 antivirus vendors out of 41.


-- Julien

Friday, June 4, 2010

New fake AV pages

There have been a number of changes in the world of Search Engine Optimization (SEO) poisoning attacks. I reported yesterday that there we're seeing ever more dangerous exploits using Flash and Java.We're now also finding new types of fake AV pages. While these pages are visually similar to the previous fake AV pages, the source code is very different. The Javascript code is more compact and is included inline with the HTML page.


New fake AV page

Most of these new fake AV pages are hosted on porntube-nowx.com. The spam SEO urls look different and are harder to spot because they now look like regular URLs for static HTML pages. The malicious executable associated with the attack is currently detected by 10 antivirus vendors of 40.

Interestingly, some of the hacked sites that were used to redirect users from Google to Java/Flash exploits are now used to redirect to this new fake AV page.

-- Julien

Thursday, June 3, 2010

Tricks to easily detect malware and scams in search results

As we've shown before, fake antivirus pages are hiding behind hacked legitimates sites, which are used as a redirectors between Google/Bing/Yahoo search results and malicious target sites. The user clicks on a link in Google/Bing/Yahoo lands on the hacked page and is then redirected automatically to the fake AV site.

Let's take this example:
  1. A user looks for "this is a test" on Google.
  2. The user goes from http://www.google.com/?q=this+is+a+test (Google search result) to a hacked site http://example.com/index.php?q=this+is+a+test (search result)
  3. He is then automatically redirected to http://evilcom/index.php (fake AV page).

How can you easily spot potential fake AV page directly from the search results, or avoid to be redirected to the malicious page? Unfortunately, you cannot count on your antivirus or browser blacklists. There are two tricks you can use.

Recognize a site has been hacked

Attackers create new virtual pages on hacked sites. They all look pretty much the same - for example:

hxxp://<page>.php?=http://cuedspeechminnesota.org/venzi.php?sell=old%20navy%20shooting

Because the query string (sell=old%20navy%20shooting) is similar to the search term, it will be highlighted in the Google results. Check for links with a .php file extension, a query string with a single variable ('sell' in the example) and a value similar to the search term (old%20%navy%shooting or old+navy+shooting or old-navy-shooting, etc.).

This suspicious link is indeed a redirection to fake AV page


Avoid the redirection to the fake AV page

The hacked pages check if the user is coming from Google, Bing or Yahoo by looking at the HTTP Referer header. If the page is accessed directly, the user is either redirected to a different site (typically  http://www.cnn.com/) or the original page used to spam the search engine is displayed. In both cases, the user is not at risk.


Harmless Search Engine Optimization (SEO) page

So, if you spot a suspicious search result, copy the URL (right click on the link + Copy Link Location), and paste the URL in a new tab. Because your Referrer header is empty in this case, you will not be redirected to the fake AV page in most cases.

These two tricks can be integrated in a security scanner to scan the search results: access the same URL with an empty referrer, and with a referrer that contains http://www.google.com/ to check if you are redirected to different domains. If this is the case, it is very likely to be a fake AV page (60% of the cases we found) or a shady/fake search engine (40% in our research).

-- Julien