Saturday, July 31, 2010

Blackhat 2010 - Day Two

Welcome to the first blog post that I've ever written on an iPad in a casino, thanks to a delayed flight.

Day Two of Blackhat once again had far too many overlapping presentations so I was forced to skip a few that I would have liked to attend. For the most part, I chose to stick with some proven talent that I knew would keep me entertained.

Robert Hansen
Josh Sokol
HTTPS can Byte Me

RSnake and Josh chose to tackle a component of the web that I've always believed is misunderstood by the general web population - HTTPS. They went through a laundry list of ways that HTTPS can be abused, not so much because the technology is flawed but because users implicitly trust the 'lock and key' and assume that it is a silver bullet to solving security on the web. For me, the most interesting part of the talk dealt with passively monitoring encrypted traffic on the web to gain insight into what a user is doing, even if you cannot see the decrypted traffic. For example, by monitoring packet sizes you can determine if POST or GET requests are being sent. POST requests will generally result in more egress packets due to content being sent to the server, while GET requests typically result in more ingress packets. The timing of packets can also reveal information, with frequent requests suggesting AJAX traffic. Combine this knowledge with prior reconnaissance of the site being visited, and a passive attacker may be able to determine, with reasonable confidence, where you were on a web site and what you were doing - even without being able to access the decrypted traffic. RSnake and Josh admitted that another group had already gone public with similar research, but I certainly feel that it's a topic worthy of more investigation.

FX
Blitzableiter - The Release

FX, a longtime Blackhat speaker, released Blitzableiter (German for lightning rod), a tool designed to protect against malicious Adobe Flash files. Rather than take the approach of AV vendors and use a library of signatures to identify malicious content within a Flash File, FX has chosen instead to parse the Flash binary to ensure that the file is well formatted by looking for undocumented tags and length values that do not match the data that they contain. Blitzableiter is a command line tool written in C# which can be integrated with NoScript to provide in-line protection while browsing online.

Samy Kamkar
How I Met Your Girlfriend

Samy Kamkar, for those not familiar, gained fame for writing an XSS based MySpace worm when the Feds failed to appreciate his great sense of humor. What I love about Samy is that he's not a security guy per se, but rather a talented developer, intrigued by security. He delivered the funniest talk of the show and I found myself regularly laughing out loud throughout. The premise of his talk - detailing a variety of web based hacking techniques told through a story of how Samy might attack Robert 'RSnake' Hansen in order to steal his 'girlfriend'. Techniques that he discussed:

- How to reduce entropy in PHP in order to more reliably predict session cookie values
- Cross-Protocol Scripting (XPS)
- NAT Pinning
- XXXSS (aka 'Triple X-SS') - Samy's term for a series of attacks leveraging XSS to inject JavaScript ultimately designed to use Google's GeoIP information to determine a victim's physical location

Rob Ragan
Francis Bacon
Lord of the Bing

Johnny Long's indispensable Google Hacking Database sadly hasn't been well maintained since it was first released years ago - fortunately, Rob and Francis have not only resurrected it from the dead, they've taken it to the next level and added Bing hacking to the mix. They discussed a variety of free tools that will be released, built around Google Diggity and Bing Diggity, two platforms that automate Google/Bing hacking and provide a repository for current and future hacking queries.

That's it for Blackhat 2010 - see you next year.

- michael

Friday, July 30, 2010

New Firefox add-on to protect against Blackhat spam SEO

There are currently no ultimate solutions for end-users to protect themselves against fake AV pages, fake videos and other malicious spam SEO: antivirus products have low detection rates, and blacklists (such as Google Safe Browsing) lag behind the creation of new malicious domains.

In a previous post, I pointed out the vast majority of malicious spam SEO sites check the referrer string of the visitor. If this string does not include bing.com, yahoo.com or google.com, the user is not redirected to a malicious page.

We are releasing a Firefox add-on that uses this trick to protect Firefox users against most spam SEO threats, including fake AV and fake Video pages. This plugin works with Firefox 3.x. Click on the image below to install it. It is called "Search Engine Security".

Install Search Engine Security add-on for Firefox 3.x

Search Engine Security add-on installed

How it works

This Firefox add-on handles Bing, Yahoo and Google search engines, in all languages. Normally, if a user clicks on a link within search engine results, the HTTP request to the external site contains a Referrer string from the search engine within the HTTP header. For example, if a user searches for "this is a test" in Google, any request to a search result will include the following Referrer:

Referer: http://www.google.com?q=this+is+a+test&hl=en&safe=active

For these requests, the add-on changes the Referer header to a different value. This means that the requested page does not know that a given request came from a Google, Yahoo or Bing search. This is critical, as Blackhat SEO pages only deliver malicious content (fake AV, Flash/Java updates, codecs, etc.) when requests come from the SEO results. Changing the Referer header breaks the attack.

The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.




Configuration

You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:

Search Engine Security preferences

- Protect

Select the search engines for which you wish to enable protection.

- Use Referer header

Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.

- Modify User-Agent (NEW in 1.0.8)

Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases, like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming from the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo, in addition to overriding the Referrer header.

This option provides additional protection against malicious spam SEO.

- Whitelist

Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the whitelist. This will disable the add-on for this website.

If the URL matches any of the elements in the whitelist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the whitelist. For example, http://www.expert-exchange.com/ can be whitelisted by adding:

  • http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
  • expert-exchange.com/ (matches any subdomain)
  • expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
  • etc.
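The decision logic described under "How it works" and "Configuration", written out as an added example. This is not the add-on's own code: the preference names, the hostname heuristic for recognising Google/Bing/Yahoo country editions, and the choice to drop the Referer header entirely when the configured value is empty are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames of Google, Bing and Yahoo search properties in any country or
# language edition: www.google.com, google.co.uk, uk.search.yahoo.com, cn.bing.com.
# Heuristic chosen for this example; the add-on's own matching is not published here.
SEARCH_ENGINE_RE = re.compile(
    r"(?:^|\.)(google|bing|yahoo)\.(?:com|co|[a-z]{2})(?:\.[a-z]{2})?$"
)

# Hypothetical preference names, modelled on the four options described in the post.
DEFAULT_PREFS = {
    "protect": {"google": True, "bing": True, "yahoo": True},  # "Protect"
    "referer": "http://www.example.com/",                      # "Use Referer header"
    "modify_user_agent": False,                                # "Modify User-Agent"
    "whitelist": [],                                           # "Whitelist" (substrings)
}


def engine_of(hostname):
    """Return 'google', 'bing' or 'yahoo' if the host belongs to that engine, else None."""
    m = SEARCH_ENGINE_RE.search(hostname.lower())
    return m.group(1) if m else None


def is_whitelisted(request_url, whitelist):
    """Plain substring match, as the post describes: the URL only has to contain one entry."""
    return any(entry and entry in request_url for entry in whitelist)


def rewrite_headers(request_url, headers, prefs=None):
    """Return the outgoing headers for request_url, with the Referer (and optionally
    the User-Agent) rewritten when the request leaves a protected search engine.
    The input dict is left unmodified."""
    prefs = {**DEFAULT_PREFS, **(prefs or {})}
    out = dict(headers)
    referer = headers.get("Referer")
    if not referer:
        return out  # nothing to hide

    engine = engine_of(urlsplit(referer).hostname or "")
    if engine is None or not prefs["protect"].get(engine, False):
        return out  # not coming from a protected search engine
    if engine_of(urlsplit(request_url).hostname or "") == engine:
        return out  # navigating within the search engine's own site
    if is_whitelisted(request_url, prefs["whitelist"]):
        return out  # the user has marked this site as safe

    if prefs["referer"]:
        out["Referer"] = prefs["referer"]
    else:
        del out["Referer"]  # empty preference: drop the header (interpretation chosen here)

    # Pages such as the Hot Video ones key on "slurp" (the Yahoo crawler) in the
    # User-Agent instead of the Referer, so optionally append it.
    ua = out.get("User-Agent")
    if prefs["modify_user_agent"] and ua and "slurp" not in ua.lower():
        out["User-Agent"] = ua + " slurp"
    return out
```

Every early return is a case from the text: no referrer at all, a referrer that is not a protected engine, navigation that stays inside the engine's own site, or a whitelisted destination. Only when none of those apply does the function touch the headers.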

- Notification (NEW in 1.0.4)

A notification is shown on Bing, Yahoo, and Google to let users know whether the SES protection is enabled for this search engine. The notification is shown under the search input.

Search Engine Security notification in Google search
Search Engine Security notification in Bing search


If you find any problem with this add-on, please let me know at jsobrier@zscaler.com.


-- Julien

Wednesday, July 28, 2010

Blackhat 2010 - Day One

It's summer in Vegas! That means two things, 100+ degree heat (but it's a dry heat, yeah right) and the Blackhat security conference. My how Blackhat has grown! This year there are no fewer than eleven tracks - yes, you read that right, eleven tracks. Far too many IMO as it's now impossible to attend all of the talks that you want as several are sure to overlap. Hopefully in future years they'll scale back the number of tracks or consider extending the conference over additional days.

While I wasn't able to attend everything that I would have liked to, I did take in several great talks and here's an overview of the highlights.

Dan Hubbard, Websense
Real-Time Search Poisoning

Dan has been spending time researching ways to abuse realtime search of social networking content, most notably Twitter. His goal - figure out how to ensure that your desired content shows up in the most popular results for a given topic. Think Blackhat SEO with a social angle. Dan illustrated a variety of approaches that focused on the following techniques:
  • Time and trend hacks - continual or well timed postings
  • Social graph hacking - linking to or taking control of existing accounts
  • Geo hacks - spoof your location to target people in a certain geography (i.e. Nearby Tweets)
Looks like the Blackhat SEO crew has a whole new playground.

Wolfgang Kandek, Qualys
Jeremiah Grossman, Whitehat Security
CSA Application Security Findings

I wasn't able to stay for the full talk but Jeremiah made some insightful comments.
  • Web application security is a scale problem. 200M websites built before we knew that they needed to be secured and 200M more built by people that don't have security knowledge.
  • Web application developers have a lack of motivation when it comes to security - developers get paid to ship product, not secure product.
So true Jeremiah.

Charlie Miller
Noah Johnson
Crash Analysis Using BitBlaze

I'm always up for a good Charlie Miller talk. He's sure to drop an 0day (Adobe was the target this time) and speak his mind. He's also a great guy; after all, he provided critical feedback on the Fuzzing book that we released in 2007. Charlie spoke about BitBlaze, a binary analyzer out of UC Berkeley that he's been using to streamline vulnerability discovery. It fuses static and dynamic analysis, allows for taint analysis and delivers taint slicing - an approach which allows the researcher to more easily follow the path of user-supplied input throughout the code execution process. Charlie's ultimate assessment - the trace data provided by BitBlaze is very valuable. Although the tool can be a bit slow, the overall approach will likely save you time in the end, as you'll be able to better focus on crashes likely to be exploitable.

Michael Sutton, Zscaler
Dan Hubbard, Websense
Steven Adair, ShadowServer
Steve Riley, Amazon
Michael Panico, Microsoft
Chris St. Myers, Rackspace
Alex Rice, Facebook
Unpanel Royale

Dan and I had the good fortune to assemble an all-star cast to debate security in the cloud and how the cloud is being abused by attackers. I was especially pleased at how honest the vendors were willing to be, providing insight into the challenges that they face. More than once they highlighted the fact that they are restricted in what they can do from a security perspective due to business requirements to maintain customer privacy. Yes, they could identify malicious content if they scanned all uploaded content, but that would not be well received by customers who expect that their data will not be inspected - a business/security battle that will need to be resolved. Monitoring is therefore largely restricted to the network level. To date, far too much security from cloud vendors has been the man behind the curtain, with too little shared publicly. It was great to hear directly from the vendors that they recognize the security challenges and are working to resolve them. My favorite quote came from Steve Riley, who insisted that Amazon is committed to providing customers with options and not locking them into the AWS platform. He stated that "[Amazon] wants to build a service that is as easy for you to enter as it is to exit". Good for you Steve - we're going to hold you to that.

I unfortunately wasn't able to attend what was ultimately the talk of the day as it conflicted with our panel. After lunch, Barnaby Jack delivered a talk that was pulled last year on how to hack ATM machines. Barnaby actually purchased his own ATMs for the research and was able to root the machines. Here's a video of his live demo - getting a machine to spit out dollar bills using his program called (what else) Jackpot...and he did it all to music.

Day one done.

- michael

Tuesday, July 27, 2010

Fake AV: new look & feel

I recently stumbled upon a new type of fake AV page. This one looks like the store front of an anti-virus vendor.
New fake AV look & feel
The page is animated and displays a fake AV scanner in action. At the end of the animation, the user is warned that several viruses were found on the user's computer and the page attempts to download a fake anti-virus binary named antivirus.exe. Strangely, the "Download for free" image is not clickable.
Popup is followed by an attempt to download fake antivirus
The page is hosted on scanerzone.cz.cc. At the time it was found, neither Google Safe Browsing (Firefox, Safari, Chrome) nor the Internet Explorer SmartScreen filter blocked the page. The malicious executable is detected by 12 antivirus vendors out of 42. I was led to this page through a spam SEO link in a Google search. However, unlike most other fake AV pages, direct access to the page also displays the fake antivirus page. A similar page can be found on bestmalwarescaner.cz.cc; that domain is currently blocked by Google Safe Browsing.

 -- Julien

Wednesday, July 21, 2010

Spam SEO trends & statistics (Part IV)

In Spam SEO trends & statistics (Part III), I've shown that hot trends should be scanned five to twelve days after they first appear in Google hot trends. To decrease the number of URLs to check even further, while maximizing the number of spam SEO sites found, I have further analyzed spam SEO found to date.

I've scanned 294,691 unique URLs from the Google search results. A full 5% of the results (15,913 URLs) turned out to be spam SEO pages, which redirected to 573 different spam or malicious domains.



Filter URLs to scan with a regular expression

The spam URLs often look the same. For the search "word1 word2 word3", most of the spam addresses match this regular expression:


   (\.php|\/)\?[a-z]+=word1(%20|\+|-| )word2(%20|\+|-| )word3

For example, for the search "keith britto actor", I get these types of URLs:
http://t-and-d.net/jzxhe.php?sell=keith%20britton%20actor
http://taos-inc.com/jxddd.php?p=keith%20britton%20actor
http://whitevoice.com/wiktp.php?sell=keith%20britton%20actor

I've applied this regular expression to all the spam SEO links. This gives 10,821 matches (68% of all spam links), which lead to 352 domains (61% of all the spam/malicious domains). Applied to all the links, this regular expression also triggers on 5,455 good URLs.

So, by using this one regular expression, I can scan 3.4% of all search results (16,276 links) and catch 68% of all spam and 61% of the bad domains.


Loose regular expressions

We can catch even more spam by making the regular expression less strict. Some popular searches exist in different variations. For example, the search "keith britto actor" shows spam results for another popular trend, "keith britton wiki". So I came up with the following regular expression: (\.php|\/)\?[a-z]+=[a-z]

This new regular expression gives us 3,618 additional spam links to 56 new domains, but it doubles the number of good URLs scanned by adding 5,047 good search results. So the new numbers are:
  • 14,439 spam results, 91% of all spam links
  • 408 spam/malicious domains, 71% of all bad domains
  • 10,502 good results, 3.5% of all links to scan


More effective regular expressions

There is one more optimization that can be done: all hot trends contain at least 2 words, so the regular expression may contain one word separator: (\.php|\/)\?[a-z]+=[a-z]+(%20|\+|-| )

This new regular expression adds only 1,362 legitimate results, and adds the 56 bad domains found with the previous regex version. It also finds 2,115 spam links. Total results:
  • 12,936 spam results, 81% of all spam links
  • 408 spam/malicious domains, 71% of all bad domains
  • 6,817 good results, 2.3% of all links to scan
There is one more benefit to filtering the search results with any of the 3 regular expressions: it tends to filter out false positives and increases the proportion of malicious domains versus spam.
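The three regular expressions above, applied as successive filter tiers to a set of search-result URLs, as an added example (not code from the post). The sample results are constructed: hostnames use the reserved .example suffix, the query is taken as "keith britton actor" to match the URL shapes shown earlier, and the coverage figures the code reports describe that constructed sample only, not the post's statistics.

```python
import re

SEP = r"(%20|\+|-| )"  # the word separators the spam URLs use, from the post


def strict_pattern(query):
    r"""The post's first regex, built for one search:
    (\.php|\/)\?[a-z]+=word1(%20|\+|-| )word2(%20|\+|-| )word3"""
    words = [re.escape(w) for w in query.lower().split()]
    return re.compile(r"(\.php|/)\?[a-z]+=" + SEP.join(words))


# The two query-independent regexes from the post.
LOOSE = re.compile(r"(\.php|/)\?[a-z]+=[a-z]")
WITH_SEPARATOR = re.compile(r"(\.php|/)\?[a-z]+=[a-z]+" + SEP)


def select_for_scan(urls, query, tier):
    """URLs that the chosen tier ('strict', 'loose' or 'separator') would hand to the scanner."""
    pattern = {"strict": strict_pattern(query),
               "loose": LOOSE,
               "separator": WITH_SEPARATOR}[tier]
    return [u for u in urls if pattern.search(u)]


def coverage(urls, labels, query, tier):
    """The two numbers the post reports per tier:
    (fraction of known spam caught, fraction of all results that must be scanned)."""
    selected = set(select_for_scan(urls, query, tier))
    spam = {u for u, is_spam in zip(urls, labels) if is_spam}
    caught = len(spam & selected) / len(spam) if spam else 0.0
    return caught, len(selected) / len(urls)


# Constructed sample results for the query "keith britton actor": (url, is_spam).
SAMPLE_RESULTS = [
    ("http://t-and-d.example/jzxhe.php?sell=keith%20britton%20actor", True),
    ("http://taos-inc.example/jxddd.php?p=keith%20britton%20actor", True),
    ("http://whitevoice.example/wiktp.php?sell=keith+britton+actor", True),
    ("http://blog.example/?s=keith-britton-wiki", True),              # variant trend: missed by the strict regex
    ("http://forum.example/thread.php?id=12345", False),               # numeric value: no tier matches
    ("http://news.example/2010/07/keith-britton-actor.html", False),   # no "?key=": no tier matches
    ("http://wiki.example/index.php?title=keith_britton", False),      # loose tier only ("_" is not a separator)
    ("http://shop.example/search.php?q=keith+britton+photos", False),  # legitimate, but the two looser tiers still scan it
]
```

On this sample the strict tier catches three of the four spam URLs while keeping 3 of 8 results, the loose tier catches all four at the cost of 6 of 8, and the separator tier catches all four while keeping only 5 of 8, which is the trade-off the three sections above describe.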


Here is a comparison of the scan efficiency with no filter and with the optimized filter:







Which search pages to scan?

Finally, I wanted to find out which search results pages should be scanned. Here is the distribution of spam SEO links on the first 10 pages of a Google search:


While pages 5 to 10 have more malicious links, no page should be skipped. The fact that page 10 contains the largest number of links suggests that even more pages should be scanned.

Conclusion

We can optimize the Google search results scanning by looking at trends 5 to 12 days after they appear, and by looking at links that match a regular expression. This will allow for the scanning of more pages per search terms, and increase the number of malicious domains found each day.


-- Julien

.LNK (CVE-2010-2568) / Stuxnet Incident

We’ve had a number of inquiries regarding the .LNK (CVE-2010-2568) vulnerability and related Stuxnet malware. There are a number of stories (for example, CNET) that detail the timeline of events and the SCADA angle to the attacks. Being a SaaS vendor focusing on web-based threats and having the powerful ability to do post-incident web log forensics, I wanted to share information on what we saw.

Detections:

Conducting web log forensics, we detected a small number of Stuxnet infected machines calling out to known C&C servers. None of the impacted machines appear to be running SCADA or industrial equipment.

We are sharing the below information to facilitate detection and analysis for other security operations centers (SOCs) and the like.

The date of all of the infected transactions observed was on July 12.

C&C Server: www.mypremierfutbol.com
Server IP: 78.111.169.146
URL Sample: www.mypremierfutbol.com/index.php?data=66a96e28<redacted>
Request Type: GET
  • Only one transaction was observed to the C&C per infected machine.
  • The request size varied depending on the data parameter.
  • The response size was always 24,778 bytes in the observed transactions.
  • The user agent string varied among Microsoft Internet Explorer versions (to include MS IE 8).
  • The transaction to the C&C was observed immediately following a transaction to MSN or WindowsUpdate.
The URL data parameter always began with “66a96e28” in the observed transactions; the remainder of the data string has been redacted to protect the victim information. The exact details of the data string are currently unknown; however, it is likely to contain encoded details about the victim, such as Windows version, host name, account name, and possibly whether the Siemens WinCC or PCS7 software is running.

Organizations that have the ability to should conduct similar log analysis and respond to any identified infections.
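A log sweep built from the indicators listed above, as an added example of the "similar log analysis" the post recommends; this is not Zscaler's tooling. The proxy-log format, the internal client addresses and the redacted data values are constructed for the example, and the concrete MSN/WindowsUpdate hostnames used for the "preceded by" check are an assumption, since the post names only the services.

```python
import re

# Indicators of compromise from the post; nothing beyond these is assumed known.
CNC_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}
CNC_IPS = {"78.111.169.146"}
CNC_URL_FRAGMENT = "index.php?data=66a96e28"
CNC_RESPONSE_BYTES = 24778
# "MSN or WindowsUpdate" in the post; the concrete hostnames are an assumption.
PRECEDING_HOST_RE = re.compile(r"(^|\.)(msn\.com|windowsupdate\.com)$")

# Constructed proxy-log format for this example:
#   timestamp client_ip method host path status response_bytes "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, status, size, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "bytes": int(size), "ua": ua}


def registrable(host):
    """'www.mypremierfutbol.com' -> 'mypremierfutbol.com' (two-label domains only; enough here)."""
    return ".".join(host.split(".")[-2:])


def cnc_indicators(rec):
    """Indicators one transaction matches; an empty list means no match."""
    reasons = []
    if registrable(rec["host"]) in CNC_DOMAINS or rec["host"] in CNC_IPS:
        reasons.append("known C&C host")
    if CNC_URL_FRAGMENT in rec["path"]:
        reasons.append("C&C URL pattern")
    if reasons:  # corroborating traits only count once a primary indicator hits
        if rec["method"] == "GET" and rec["bytes"] == CNC_RESPONSE_BYTES:
            reasons.append("24,778-byte GET response")
        if "MSIE" in rec["ua"]:
            reasons.append("Internet Explorer user agent")
    return reasons


def detect(lines):
    """Walk the log in order, remembering each client's previous host so the
    'immediately after MSN/WindowsUpdate' trait from the post can be checked."""
    last_host = {}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than abort the sweep
        reasons = cnc_indicators(rec)
        if reasons:
            if PRECEDING_HOST_RE.search(last_host.get(rec["client"], "")):
                reasons.append("immediately after MSN/WindowsUpdate")
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "host": rec["host"], "reasons": reasons})
        last_host[rec["client"]] = rec["host"]
    return findings


# Constructed log lines; client IPs and the REDACTED data values are placeholders.
SAMPLE_LOG = [
    '2010-07-12T09:14:02Z 10.1.2.3 GET www.msn.com / 200 31822 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '2010-07-12T09:14:03Z 10.1.2.3 GET www.mypremierfutbol.com /index.php?data=66a96e28REDACTED 200 24778 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '2010-07-12T11:02:10Z 10.1.2.5 GET download.windowsupdate.com /update/check 200 1200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2010-07-12T11:02:11Z 10.1.2.5 GET www.todaysfutbol.com /index.php?data=REDACTED 200 24778 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2010-07-12T12:30:00Z 10.1.2.9 GET www.example.com /index.php?data=66a96e28REDACTED 200 512 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"',
    '2010-07-12T12:31:45Z 10.1.2.7 GET news.example.org /story?id=1 200 8000 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"',
    'not a log line',
]
```

The primary indicators (known host, known URL pattern) decide whether a transaction is reported at all; the response size, the IE user agent and the preceding MSN/WindowsUpdate request are only attached as corroboration, so an analyst can rank a five-reason hit above a URL-pattern-only hit from a non-IE client.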

In-Line Protections:

The following are in-line protections that an enterprise can and should have in place to protect its users against this threat.

Blocks against known C&C servers including:
  • mypremierfutbol.com
  • todaysfutbol.com

In-line anti-virus signatures in place and tested against known related malware artifacts. For example, MD5s:
  • 743E16B3EF4D39FC11C5E8EC890DCD29F (Stuxnet)
  • 15db99383d46d790812e83df6196f4fd (SuckMe LNK PoC)

Signatures deployed for traffic that may mimic past observed C&C activity, for example,
  • In URL: “index.php?data=66a96e28”

As well as signatures to detect the Metasploit WebDAV .LNK exploit.

Additionally, if appropriate or available organizations can deploy technologies to identify, parse, and/or block LNK files entering their organization.

Local Protections:

There is not currently a patch, though Microsoft has issued a workaround detailed here.

Didier Stevens, a security researcher, has released a tool and screenshots on his blog about how to apply protections locally to prevent against LNK exploitation.

Conclusion:

This vulnerability has been, is being, and will continue to be exploited in the wild. Use the above information to conduct log forensics and analysis to identify and respond to infected systems. Apply appropriate in-line and local protections as appropriate within your environments.

Monday, July 19, 2010

"Spyware and Virus free" - Really?

Most of the non-malicious spam that we see in search results relates to fake search engines. The operators of these sites make money by tricking users into clicking on disguised advertising. Another way they make money is to convince users to install adware onto their computers as they will then receive a fee from the adware vendor.

For example, LoudMo is a well-known adware vendor. Their affiliate network pays $1.50 per installation.

LoudMo's advertising on their main page

Spammers don't hesitate to trick users into downloading such adware. They hack legitimate web sites to pollute Google search results, and then redirect users to fake video pages.


Fake video

Clicking on the "video" (actually a simple image) warns the user that the "Latest version of FLVDirect Video Player not found! Click OK to install the FREE FLVDirect Video Player latest version."

Prompt to download a video player

The user gets redirected to an external site where he can download the video player. This player is guaranteed "spyware and virus free". This does not mean adware free! 20 antivirus vendors find something dangerous about the executable, and 5 flag it as adware.

Guaranteed "spyware and virus free"!

-- Julien

placeblogger and others lead to imgwebsearch spam

Over the weekend I was playing around with the iPad application SkyGrid to read the latest news stories on particular subjects. In one of my feeds that I set up for mobile security I saw a story with the title "GvHpMqAVt." From the title I immediately suspected the story was spam (can't seem to go anywhere these days without running into some type of spam on the web). The page has nothing on Blackberry or mobile security, which was my topic on SkyGrid - but there was one link on the page for "streaming porn on blackberry pearl" - not really the subject I was looking for. The page is a spam advertisement page linking to multiple affiliate pages advertising various porn and dating sites. Figured I'd write a brief blog post to detail this campaign:

Placeblogger spam page:


Clicking any of the links takes you to the affiliate page (this one is set up on Quogger, but there are a large number of social media sites used for this):

It didn't take long from here to start to unravel the web of spam and affiliate pages setup to monetize porn and dating service pay-per-clicks / pay-per-purchase.

Some Placeblogger spam pages:
hxxp://placeblogger.com/content/gvhpmqavt
hxxp://placeblogger.com/content/rrvlxrrhjpnt
hxxp://www.placeblogger.com/content/tvkbzvxrmydrdmtlit
hxxp://placeblogger.com/content/hnuxlavx
hxxp://placeblogger.com/content/efvwiokczlmffeeugnt
hxxp://placeblogger.com/content/tipsgyxr
hxxp://placeblogger.com/content/lxyyfrohukysmzev
hxxp://placeblogger.com/content/frbonuntjf
hxxp://placeblogger.com/content/dnlnfbbkmfvcxga
hxxp://placeblogger.com/content/hsgsqurgd
The list goes on...
This Google search identifies about 300 or so for example.

Some Affiliate / Advertisement pages:
hxxp://www.quogger.com/pg/profile/AassidyWood49
hxxp://silentzow.com/elgg/pg/profile/AaydaThompson01
hxxp://www.yappey.com/pg/profile/AharlizeMiller59
hxxp://jivebook.co.uk/main/pg/profile/AreannCook29
hxxp://www.quogger.com/pg/profile/ArynnJames38
hxxp://www.swakiya.com/pg/profile/AaylaHayes00
hxxp://socialcommerce.in/pg/profile/AryannaDoyle28
~ snip ~
Note: there are a lot more affiliate pages - about 10 per Placeblogger spam page. Most of these are profile pages on a variety of social media sites.

Most of the affiliate links direct the visitor through imgwebsearch.com. A search for this site uncovers a large number of spam links to a variety of campaigns including: porn/dating, pharma, casinos, loans, replicas, etc., etc. Imgwebsearch spam shows up everywhere - yes, including Facebook. An example of imgwebsearch pharma spam on Facebook:
hxxp://www.facebook.com/pages/Com-Program-ahdth-bramj-alkmbywtr/277890114062
Actually, this Google search shows over 600 some related spam pages on Facebook.

How does this work?

Here is an example of one such related spammer detected via Project HoneyPot. In this case the spammer / spam group seems to have one or more netblocks (94.142.131.0/24 in Latvia, for example) with the hosts set up to spider the web and post comment spam to sites (infected machines / bots may be used or rented out for this purpose as well). In this case all of the spammer's links were through imgwebsearch. The pool of source IP addresses for spidering / spamming and the changing of the user-agent are used to evade detection. This relatively simple spam operation could be home-grown by the spammer(s), or there are relatively inexpensive tools such as XRumer for purchase to facilitate this type of spam (also used for SEO). This and other tools provide account creation / CAPTCHA bypass to be able to spam sites that require an account / login. Affiliate programs (aka Partnerka in Russian slang) -- in this case it appears to be imgwebsearch -- pay these spammers anywhere from a few cents per click, a few dollars per sign-up/purchase, or in some cases tens of dollars per install (for example, the FakeAV campaigns). There is a good paper from Dmitry Samosseiko from last year's Virus Bulletin that details the Partnerka.

Friday, July 16, 2010

Exploit Targeting a 7 Year Old Vulnerability? Really?

We’ve actually spotted in-the-wild exploitation of “Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness” (Bugtraq ID 10514), a vulnerability first disclosed in 2003. The exploit does get a little more modern, as the code also targets a vulnerability from 2009 (MS09-002). Here is a screenshot of the live infected page:

The malicious obfuscated JavaScript has been injected at the bottom of the webpage. Let’s decode it. Here is a small part of the decoded script.

From the above code, it is clear that it is targeting the ADODB.Stream vulnerability from 2003. Here is the other part of the decoded content which exploits the MS09-002 vulnerability.

I am not going into more detail on this exploit as the code is pretty self-explanatory. It is going to download additional malicious binaries and execute them on the system. The author who discovered this older ADODB.Stream vulnerability has posted a proof-of-concept. For those interested, an explanation of the MS09-002 vulnerability can be found here.

Virustotal results for the infected webpage show it being detected by 13 of 41 AV engines – not very impressive results for a seven year old vulnerability. It would appear that no matter how old vulnerabilities are, attackers will still try to leverage them as weapon. Hopefully most people have patched their systems at some point during the past seven years. Sadly, despite the age of the vulnerability, the use of JavaScript obfuscation has made this attack a challenge for AV vendors – a topic that we’ve discussed in the past.

Umesh

Thursday, July 15, 2010

.co.cc is the new place for viruses, free proxies, spam, etc.

Co.cc offers free domain names with full DNS management. They claim more than 5 million .co.cc domain names. .CC is the TLD of the Cocos (Keeling) Islands. The sub-domain co.cc is managed by a Korean company.

I've never seen a registrar with such prominent links to reports of "Spam or Abuse", but there is a good reason for this: most of the malicious sites (fake AV, browser exploits, etc.), spam and free proxies seen in recent weeks use co.cc domains.

One of the 3 links to report spam and abuse at www.co.cc


All of the fake AV sites we've seen since July 1st are .co.cc domains, including sunclear.co.cc, avsolution20.co.cc, truefind49p.co.cc, oksave5.co.cc, fillfree21.co.cc, etc.

37% of all free proxies we've seen from our customers in the past 5 days are .co.cc including: surflife.co.cc, feelmuchbetter.co.cc, pickupsurf.co.cc, surfday.co.cc, etc.


Example of a malicious co.cc domain

Here is an example of a malicious co.cc site: hxxp://flashupdate.co.cc/ As its name suggests, the site tries to lure users into thinking they are downloading a newer version of the Flash plugin. The page was made for Internet Explorer users. It displays a fake IE warning that the Flash version is too old, and automatically attempts to download a malicious executable, v11_adobe_flash_update.exe. This executable is flagged by only 9 antivirus vendors out of 41.

Malicious site faking a Flash upgrade


-- Julien

ATECH-SAGADE Badness - Malicious .IN campaign

I'm working on generating our Q2 2010 Stats and Trends report, and I noticed a large amount of blocked exploit kit activity from domains registered under the .IN TLD. These were not hacked sites but domains registered for the explicit purpose of supporting a criminal enterprise. This activity is ongoing. As the post will show, the campaign leverages exploit kits to exploit known vulnerabilities in client applications and install various payloads, including wares that monetize pay-per-installs.

A large number of the malicious domains have been hosted on:

91.188.60.225 - 91.188.60.227

These IPs belong to the 91.188.60.0/24 netblock owned by ATECH-SAGADE:

Other ATECH-SAGADE netblocks have been described as "evil" in blog posts from earlier this month:

"Evil network: Sagade Ltd / ATECH-SAGADE" -- Dynamoo

"Basically, 91.188.59.0 – 91.188.59.255 is completely evil and has no legitimate use as far as I can see." -- ComputerSecurityArticles

"Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd." -- ComputerSecurityArticles

There have also been a number of recent malicious sites related to this .IN campaign seen on the 85.234.190.0/24 ATECH-SAGADE netblock as well, for example:
nvild.in
volnv.in
uinge.in
brusd.in
woonv.in
brayx.in
edois.in
which currently resolve to 85.234.190.4, .15, and .16.

Here is a snippet of what we've seen and blocked related to this ongoing .IN campaign:


Other open-source research shows several of these sites still live on this /24, for example:
http://support.clean-mx.de/clean-mx/viruses.php?ip=91.188.60.225&sort=id%20desc
http://support.clean-mx.de/clean-mx/viruses.php?ip=91.188.60.226&sort=id%20desc
http://support.clean-mx.de/clean-mx/viruses.php?ip=91.188.60.227&sort=id%20desc

Here is an example of the WHOIS for one of the malicious .IN domains:
Russian based information and self-resolving domain. The name servers currently resolve to 91.188.60.225 and 91.188.60.229 respectively on the same ATECH-SAGADE netblock.

Here is a small snippet from the exploit kit hosted on the .IN domains:
I believe this is from the SUTRA exploit pack. In any case, here is an example of an earlier Wepawet report from analyzing one of these .IN sites:
http://wepawet.iseclab.org/view.php?hash=753106a87a6e72e407c7e7b80164a538&t=1277905162&type=js
The exploits detected in the report are CVE-2009-0927 and CVE-2007-5659, both Adobe Reader/Acrobat vulnerabilities.
And the ActiveX controls probed:
CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (the Java Deployment Toolkit control)
CA8A9780-280D-11CF-A24D-444553540000 (the Adobe Reader PDF control)

While many of the payloads are Trojan downloaders and FakeAV, other wares have also been installed via this campaign. VirusTotal showed that some of the payloads dropped by the kit were not detected by any anti-virus engine at the time of scanning:
http://www.virustotal.com/analisis/bb16ee91e726a4d99e79e1815f539bbac6fc5195a0ef2b9f2d25d5df8ab11148-1277895209

The sigcheck output for the artifact identifies it as System Explorer by the Mister Group:
Secunia has posted a brief advisory on the Mister Group and their System Explorer.

The Mister Group has a few pages set up for their System Explorer:
http://www.mistergroup.org/
http://www.systemexplorer.net/



From the above, it seems that this campaign is largely driven by pay-per-install profit.

Monday, July 12, 2010

Spam SEO trends & statistics (Part III)

I've shown in Spam SEO trends & statistics (Part II) that the volume of spam SEO in Google searches can vary greatly, with anywhere from 0 to 90% of the search results being malicious. As a data miner, I'd love to know which hot searches I should focus on, and after how many days. With minimal resources, I'd like to quickly find the trends that would give me the largest number of infected links, in order to find more malicious pages.

Trends by search rank

First, let's see whether the rank of a search term is a factor. Hot trends are ranked from 1 to 20. A search term can appear in the hot trends on several days, with a different rank each time. The graph below shows the average number of spam links for each trend rank:

The average count of spam links varies from five to twelve. Ranks two through thirteen appear to give the highest numbers, but I am not sure the graph will look the same over time.

I generated the same type of graph, but based on the percentage of searches that contain at least one spam link:

The variation is smaller: 44% to 65% of the searches at each rank contain at least one SEO spam link.

The distribution of spam across hot trend ranks is fairly flat, so rank is not a good indicator of which searches are most likely to be interesting for security research.

Trends by days

Next I checked the distribution of spam over time. One researcher told me that there seems to be a spike in spam five days after a term first appears in the hot trends: a search is more likely to contain spam, or to contain more spam results, five days after it first appeared in Google hot trends. Here is what I get from my data:

The graph shows a peak at day six: about nine spam SEO links on average are shown for searches scanned six days after they first appeared in Google hot trends. Most of the spam links can be found after five to twelve days.

The graph below shows similar information: the number of searches that contain at least one spam result. As I have not scanned the same number of searches each day, I also included the number of search terms scanned on each day:

On day eleven - eleven days after a trend made it into the top 20 - 76% of the 132 searches I scanned contained at least one spam link.

Conclusion

How can I reduce the number of security scans required while maximizing the number of spam links I find? I cannot rely on the rank of a trend, as the distribution is flat, but I can skip trends that appeared within the last five days. I'll probably scan the search results five to ten days after they show up in Google Hot Trends.
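The scheduling decision above (ignore rank, scan a few days after a term enters the hot trends) follows from two aggregations over the scan records: average spam links per rank and per day-since-first-appearance. The code below is an added example of that methodology, not the author's scanner or data; SCANS is a synthetic data set built to peak around day six, and the 75%-of-peak threshold used to pick the scan window is an assumption of this example.

```python
from collections import defaultdict
from statistics import mean

# Constructed data, not the author's measurements. One record per scan of a hot-trend search:
# (search term, rank on the day it entered the hot trends, days since it first appeared,
#  number of spam SEO links found in the results)
SYNTHETIC_AVG_BY_DAY = {1: 1, 2: 2, 3: 3, 4: 4, 5: 7, 6: 9, 7: 8, 8: 8, 9: 7, 10: 7, 11: 6, 12: 5}
SCANS = []
for _day, _avg in SYNTHETIC_AVG_BY_DAY.items():
    SCANS.append(('term a', 1, _day, _avg + 1))   # a rank-1 term, slightly above average
    SCANS.append(('term b', 7, _day, _avg - 1))   # a rank-7 term, slightly below average

RANK, DAY, SPAM = 1, 2, 3   # field indexes of a scan record


def summarize(scans, field):
    """Group scans by `field` (RANK or DAY) and return, per group,
    (average spam links, fraction of scans with at least one spam link, number of scans)."""
    groups = defaultdict(list)
    for rec in scans:
        groups[rec[field]].append(rec[SPAM])
    return {g: (mean(v), sum(1 for x in v if x > 0) / len(v), len(v))
            for g, v in sorted(groups.items())}


def scan_window(day_stats, min_scans=2, fraction=0.75):
    """Pick the days worth scanning: those whose average spam count is at least
    `fraction` of the peak day's, ignoring days with fewer than `min_scans` samples
    (a day with one lucky scan should not set the schedule). Returns (first, last)."""
    trusted = {d: s[0] for d, s in day_stats.items() if s[2] >= min_scans}
    peak = max(trusted.values())
    days = [d for d, avg in trusted.items() if avg >= fraction * peak]
    return min(days), max(days)


def due_for_scan(first_seen_day, today, window):
    """True if a term that entered the hot trends on `first_seen_day` falls in the window today."""
    lo, hi = window
    return lo <= today - first_seen_day <= hi


if __name__ == '__main__':
    by_day = summarize(SCANS, DAY)
    for day, (avg, frac, n) in by_day.items():
        print(f"day {day:2d}: {avg:4.1f} spam links on average, {frac:.0%} infected ({n} scans)")
    print("scan window (days after first appearance):", scan_window(by_day))
```

On this synthetic data the rank summary is flat by construction, while the per-day summary peaks at day six and the window comes out as days five through ten, matching the plan above. On real data the two knobs that matter are `min_scans`, which guards against days that were barely sampled, and `fraction`, which trades scan volume for coverage.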

-- Julien

Friday, July 9, 2010

Fake Youtube page used to infect soccer fans

Attackers are using the excitement surrounding the World Cup to attack users. As we've shown earlier, they have posted links to fake live streams on social networks, or used BlackHat SEO spam to infect the top soccer-related searches.

Attackers are constantly changing the way they operate. Recently, I found a malicious page for the search term "world cup extra time rules" which does not have the common traits of a spam SEO attack leading to a fake AV page.

The Google result is actually a fake YouTube page (see screenshot below). The page is comprised of three parts:
  • HTML and images that display a fake YouTube video page
  • Hidden HTML (an element positioned off-screen) stuffed with keywords for "world cup extra time rules" in order to rank well in searches
  • Obfuscated JavaScript which redirects the user to a different domain




Fake Youtube page on modeltog.nu

The obfuscated JavaScript loads a Flash file which attempts to download files to the user's computer and then redirects them to rapidejdr.fr, a hacked site hosted in France. This Flash file is detected as malicious by 6 out of 41 antivirus vendors.
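The two traits that distinguish this page from the decoy content, a keyword-stuffed element pushed off-screen and an obfuscated inline script, can be flagged heuristically when crawling search results. The following is an added example and not the author's tooling; SAMPLE_HTML is a constructed page modelled on the description above, not the real modeltog.nu page, and the thresholds (three keyword repetitions in hidden text, two obfuscation markers) are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the three parts described above; not the real page.
SAMPLE_HTML = """<html><body>
<div id="player"><img src="video.jpg" alt="YouTube"> Watch: world cup extra time rules</div>
<div style="position:absolute; left:-9999px; top:-9999px">
world cup extra time rules world cup extra time rules world cup extra time rules
world cup extra time rules world cup extra time rules world cup extra time rules
</div>
<script>var _0x1=["\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e"];
eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e"));</script>
</body></html>"""

# CSS tricks that move an element out of the viewport or hide it outright.
OFFSCREEN_RE = re.compile(r'(?:left|top|text-indent|margin-left)\s*:\s*-\d{3,}', re.I)
HIDDEN_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)
OBFUSCATION_MARKERS = ('eval(', 'unescape(', 'fromCharCode', 'document.write(')
ESCAPE_RE = re.compile(r'\\x[0-9a-f]{2}|%[0-9a-f]{2}', re.I)
VOID_TAGS = {'img', 'br', 'hr', 'meta', 'link', 'input'}   # never receive an end tag


class LandingPageParser(HTMLParser):
    """Collect text inside hidden/off-screen elements and the body of each inline script."""

    def __init__(self):
        super().__init__()
        self.open = []          # (tag, hidden?) for each open element
        self.hidden_text = []   # text chunks under a hidden ancestor
        self.scripts = []       # one string per <script> element
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True
            self.scripts.append('')
            return
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get('style') or ''
        hidden = bool(OFFSCREEN_RE.search(style) or HIDDEN_RE.search(style))
        self.open.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False
            return
        for i in range(len(self.open) - 1, -1, -1):   # pop back to the matching open tag
            if self.open[i][0] == tag:
                del self.open[i:]
                break

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        elif any(hidden for _, hidden in self.open):
            self.hidden_text.append(data)


def obfuscation_score(src):
    """Count obfuscation markers; heavy use of \\xNN or %NN escapes adds one more point."""
    score = sum(1 for marker in OBFUSCATION_MARKERS if marker in src)
    if len(ESCAPE_RE.findall(src)) >= 8:
        score += 1
    return score


def triage_page(html, keyword):
    """Return the hidden-keyword count, the number of obfuscated scripts, and a verdict."""
    parser = LandingPageParser()
    parser.feed(html)
    parser.close()
    hits = ' '.join(parser.hidden_text).lower().count(keyword.lower())
    obfuscated = [s for s in parser.scripts if obfuscation_score(s) >= 2]
    return {'hidden_keyword_hits': hits,
            'obfuscated_scripts': len(obfuscated),
            'suspicious': hits >= 3 and len(obfuscated) >= 1}


if __name__ == '__main__':
    print(triage_page(SAMPLE_HTML, 'world cup extra time rules'))
```

Note that the visible decoy text is ignored on purpose: a single mention of the search term in visible content is what a legitimate page looks like, while repeated mentions inside an element parked at left:-9999px are what the cloaking relies on. The script check only looks for the common unpacking primitives, so a kit that loads its payload from an external .swf or .js would need the fetched resource scanned as well.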

The hacked French site then redirects the browser to a fake AV page. I've seen redirections to four different fake AV domains, and only one of them was blocked by Google Safe Browsing - ryuk4.co.cc was blocked, while savewarez54.co.cc, richav8.co.cc and richav2.co.cc were not. I also witnessed six different versions of the fake AV page. One seemed to be broken: it displayed the "loading..." animation but did not ultimately deliver the fake AV page; instead, it directly attempted to download the malicious executable. Here is a screenshot of the five variations of the fake AV page:



-- Julien

Wednesday, July 7, 2010

Spam SEO trends & statistics (Part II)

As a follow-up to Spam SEO trends & statistics (Part I), here are some high-level statistics on Google spam SEO from 05/17/2010 to 06/28/2010. The following charts show that over 50% of the most popular search terms contain at least one spam SEO link, and that in fewer than 10% of the infected searches do malicious links make up more than 50% of the results.

Number of infected search results

More than 50% of the popular searches contain at least one SEO spam link.


Number of spam links per infected search

Fewer than 10% of the infected searches have more than 50% malicious links among their results! We've even found some searches where 90% of the results are malicious links.

You can compare these statistics with the number of warnings shown by Google:

Number of warnings in overall search results

 Number of warnings for infected searches

Comparing the graphs above, 41 searches contained more than 50% malicious links, but only 3 searches showed more than 50 warnings. In general, Google is very rarely able to flag all the harmful links. Warnings tend to disappear from the first 10 pages of results as new, legitimate content pushes them down.

-- Julien