Thursday, May 26, 2011

Zscaler Safe Shopping Now Available for Google Chrome

The number of fake online stores displaying downloadable software at a steep discount remains high. It can be hard to distinguish these sites from legitimate online stores. Therefore, I had previously released Zscaler Safe Shopping for Firefox and Firefox mobile to warn users when they are visiting such sites. The extension is now available for Google Chrome. This extension also flags compromised stores, legitimate sites that are under the full control of malicious hackers.

Get Zscaler Safe Shopping from the Chrome web store
Zscaler Safe Shopping warning

When a user accesses a fake or compromised store, the extension displays a warning at the top of the page. It warns the user not to enter any sensitive information, such as a credit card number, which might be used illegally.

Zscaler Safe Shopping warning for a fake store

Options

The list of fake and compromised domains is updated regularly. You can choose how often the latest version should be downloaded in the options. You can also choose to whitelist domains to prevent any warning from being displayed.

Zscaler Safe Shopping options

This is my first extension for Google Chrome. Let me know if you find any issues. It has been tested with Google Chrome 11.0.696.68 on Windows.

You can download the extension directly from the Chrome Web Store. Don't forget to rate the extension if you like it!

-- Julien

Monday, May 23, 2011

Cashing in on ‘ScamBook’

Last week, Umesh blogged extensively about Facebook scams. The previous scams have demonstrated that Facebook is struggling to contain these attacks. While some attacks seek to spread malicious code, many that we see are attempts to profit from shady advertising.

Yesterday I saw a posting on a friend's Facebook wall entitled “DOG ATTACKS A KID! Real video!”.




Clicking on the link lands you on a fake “YouTube” page which is actually hosted at the “watch.in” domain. This page asks the victim for “Security Verification” to comply with YouTube's Anti-SPAM regulations.



This is simply social engineering, an attempt to build trust with the victim and lead them to believe that the site is legitimate. The page prompts the victim to solve a CAPTCHA for verification (the CAPTCHA image never changes, even if you refresh the page repeatedly).


After solving the CAPTCHA and clicking submit, the victim is sent to another page which asks them to take a YouTube survey for “Age Verification”.



This is where the attacker generates his profit. Clicking on any of the survey links takes the victim to a third-party survey which earns the attacker a few cents for every survey completed.



Additionally, the text which the victim enters is not verified against the CAPTCHA string; it is instead used as a comment, and the malicious post is then added to the victim’s wall to further spread the scam to the victim's other friends.



As shown in the screenshots above, even if one enters a malicious URL in the CAPTCHA field, it will be posted to the wall. This vector can be used to redirect victims to malicious sites and cause further damage.

This attack spreads with varying video and title entries. Yesterday the postings were entitled “DOG ATTACKED A KID!”; today the newer malicious postings are titled "this woman has ..! LOL".


This is yet another fake advertising campaign designed to earn money by coercing victims into completing surveys. Facebook needs to take steps toward stopping these deceptive postings, as they are becoming far too common. Be on the lookout for these and other, more malicious Facebook scams.

Until then, enjoy Facebook but think before you click…

- Ajit Hatti

Friday, May 20, 2011

Is 360.CN Evil?

... a tough and controversial question to answer (I'm sure there will be comments on this).

360.cn is a Chinese provider of "free security software", more specifically: "360.cn is a Chinese anti virus program that integrates with IE" (reference) ... huh, "integrates" with my browser how? And "free" usually means there is some other revenue stream than end-user licensing.

360.cn was developed by Qihoo, a Beijing-based community search company. There has been some controversy surrounding Qihoo and its 360 security suite, such as it reporting other anti-virus software and search tools as being malicious (reference) and doing QQ (IM/chat) session hijacking (reference). Within the past year of Qihoo going public, there have been further controversies - including reports of the company spying, hacking, and leaking data (reference). And then there are the rumors that the 360 software includes spyware - and that they may have affiliations with the PRC Gov't to track, monitor, and police users' online activity (reference).

Looking at our web logs, I can see a number of hosts regularly beaconing out with HTTP POST requests to URLs like:

conf.f.360.cn/getconf.php
qurl.f.360.cn/check_outchain.php

All with the User-Agent string "Post_Multipart".

These POST requests typically average around 1200 bytes of data (excluding HTTP headers), and 360.cn responds with a 164-byte status message. Below is the status that I pulled:

To protect customer privacy, and also to handle the volume of transactions that we do, the content of transactions is not stored, so it is hard to say what data is leaving the network from these hosts: whether it is user/host tracking information, keystrokes, or just license information. But the frequent beaconing seems more spyware-like in nature than, say, a daily check-in for the latest signatures or something similar. I'll see if I can get some meaningful packet traces out of the software to find out what data is included in the POSTs.
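The beaconing pattern described above can be hunted for in proxy logs without needing the POST bodies. The following is an added example, not code from the original post: it groups POSTs to the two 360.cn endpoints with the "Post_Multipart" User-Agent by client and flags clients whose check-ins recur at near-regular intervals. The log format, the sample lines and the regularity thresholds are constructed assumptions.

```python
"""Flag clients that beacon to the 360.cn endpoints seen in the proxy logs.

Added example, not code from the original post. It runs over constructed
proxy lines in a simplified format:
    <epoch> <client_ip> <method> <host><path> <body_bytes> <user_agent>
The regularity threshold (max_jitter) and minimum hit count are assumptions.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Observed in the post: POSTs to *.f.360.cn/getconf.php and check_outchain.php
# with the User-Agent "Post_Multipart" and roughly 1200-byte bodies.
BEACON_URL_RE = re.compile(r"^[a-z0-9.-]+\.f\.360\.cn/(getconf|check_outchain)\.php$")
BEACON_UA = "Post_Multipart"

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes>\d+) (?P<ua>.+)$"
)

def beacon_hits(lines):
    """Group (timestamp, body_bytes) of matching POSTs by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["ua"] == BEACON_UA and BEACON_URL_RE.match(m["url"]):
            hits[m["client"]].append((int(m["ts"]), int(m["bytes"])))
    return hits

def find_beaconing(lines, min_hits=4, max_jitter=0.25):
    """Return {client: summary} for clients whose hits recur at near-regular
    intervals; jitter is stdev/mean of the gaps between consecutive hits."""
    findings = {}
    for client, events in beacon_hits(lines).items():
        if len(events) < min_hits:
            continue
        ts = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 0.0
        if jitter <= max_jitter:
            findings[client] = {
                "hits": len(events),
                "interval_s": round(avg_gap),
                "avg_bytes": round(mean(b for _, b in events)),
            }
    return findings

# Constructed sample: 10.0.0.5 checks in every 10 minutes, 10.0.0.9 is irregular.
SAMPLE_LOG = [
    "1306000000 10.0.0.5 POST conf.f.360.cn/getconf.php 1187 Post_Multipart",
    "1306000300 10.0.0.5 GET www.example.test/index.html 512 Mozilla/5.0",
    "1306000600 10.0.0.5 POST qurl.f.360.cn/check_outchain.php 1203 Post_Multipart",
    "1306001200 10.0.0.5 POST conf.f.360.cn/getconf.php 1190 Post_Multipart",
    "1306001800 10.0.0.5 POST qurl.f.360.cn/check_outchain.php 1215 Post_Multipart",
    "1306002400 10.0.0.5 POST conf.f.360.cn/getconf.php 1205 Post_Multipart",
    "1306000010 10.0.0.9 POST conf.f.360.cn/getconf.php 1180 Post_Multipart",
    "1306000070 10.0.0.9 POST conf.f.360.cn/getconf.php 1180 Post_Multipart",
    "1306000970 10.0.0.9 POST conf.f.360.cn/getconf.php 1180 Post_Multipart",
    "1306001000 10.0.0.9 POST conf.f.360.cn/getconf.php 1180 Post_Multipart",
    "1306003000 10.0.0.9 POST conf.f.360.cn/getconf.php 1180 Post_Multipart",
]

if __name__ == "__main__":
    for client, summary in find_beaconing(SAMPLE_LOG).items():
        print(client, summary)
```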

The current McAfee SiteAdvisor report for 360.cn shows it as having a poor reputation (note though, 360.cn is also technically a competitor to McAfee, albeit a small one):

McAfee marks the site and its affiliates as bad - containing spyware. It also shows an affiliation with a Chinese Gov't site: miibeian.gov.cn (Ministry of Industry and Information Technology Department). One such sample that McAfee flagged in this report was also uploaded to VirusTotal ... 21/40 A/V vendors identified the binary as malicious.

This puts security companies such as ourselves in an interesting predicament - do we flat out block 360.cn? Probably not. Is traffic to the domain, its affiliates and wares suspicious? Certainly. It is then left up to security products to detect the malicious binaries and is up to organizations to make the decisions about these sites. If you don't use 360.CN products in your organization, it probably wouldn't hurt to block traffic to their domains.

Wednesday, May 18, 2011

Increase in use of PDFs for spam

In recent weeks, I have noticed an increase in the use of PDF files for spam. Instead of uploading an HTML page using a compromised account, as shown in a previous post, "Hundreds of College and Government websites still redirecting to fake stores", spammers are instead uploading PDF files. My guess is that their motivation is that PDF files are less likely to be checked for spam than plain HTML pages.

Most of the spam PDF files contain text only.

Example of spam PDF
The goal of the spammer is to redirect users to a malicious website. This is done using a piece of JavaScript embedded into the PDF file.

JavaScript snippet from the PDF file

In this example, the user is redirected to hxxp://searchglobalsite.com/in.cgi?23 (the URL is obfuscated in the PDF file) which then redirects to hxxp://www.results-today.com/.

hxxp://www.results-today.com/



The list of websites hosting spam PDF files is very similar to what I have reported earlier. It includes college web sites, governmental sites, and wiki pages.
A Google search for "cialis viagra canadian pharmacy filetype:pdf site:.edu" for example, provides plenty of other examples.

-- Julien

Tuesday, May 17, 2011

Facebook under attack by scammers

Facebook is facing no shortage of attacks from scammers. Yesterday, I posted a blog about a recent scam being circulated on the Facebook network, and only a few hours later we uncovered yet another one. The goal of this scam remains the same as the earlier one, namely to coerce Facebook users into completing various surveys which in turn generate money for the scammer. The interesting fact about this scam is that it not only posts the malicious message to the walls of the victim’s friends, but also gets a list of online friends and sends them a chat message like “hey you are still there?Check my wall for the link ^_^ It showed me who viewd my profile. Amazing :p" with a link to the malicious domain. Here is what the wall posts look like:


When a user clicks on the links in the message, they are presented with a fake pop up displaying how many friends are supposedly viewing the victim’s profile. Here is a screenshot:

Remember, this is a fake message and each time it is accessed, it simply generates a random number; this has nothing to do with actual users viewing your profile (something that Facebook does not share). The page also tells the user to copy and paste JavaScript into the address bar, which will of course execute the JavaScript in the context of the victim. This is similar to the earlier scam. Once the user runs that malicious code, they are presented with fake messages requiring that they undertake surveys or view additional messages. Here are the screenshots:

As mentioned, the attack also sends chat messages to online friends in order to further spread the attack. Here is the screenshot of the associated source code:

The malicious code also forces the victim to become a fan of “OSAMA” Facebook pages. Here is the screenshot of that code:

Facebook is currently losing this cat-and-mouse game. As quickly as they take scams down, new ones appear and take their place, each time evolving the tactics slightly to evade detection. This is the second scam we have uncovered in only a few hours. Facebook needs to do a better job of protecting its users. Both of these scams use the same technique of social engineering users into pasting JavaScript into the URL bar – something that we’re seeing on a more regular basis and something that would never be required by a legitimate page.

Nasty Scams!!!
Umesh

Monday, May 16, 2011

Yet another Facebook scam – You look so stupid in this video

Today, we have come across yet another rapidly spreading Facebook scam. The ultimate aim of this scam is to coerce Facebook users into completing various surveys which in turn generate money for the scammer. The messages arrive with embedded Flash video and different messages such as “WTF!! You look so stupid in this video” or “yo, why are you on this video” etc. Below is a screenshot of such messages:

The post displays fake metadata showing the number of “Views”, “Likes”, etc. to make the posts appear more genuine. When a user clicks on the video link, the Flash file loads in the background. Once loaded, it prompts the user to play a fake video. When the user clicks again to play the video, it looks like this:

The above message displays instructions with keyboard shortcuts that cause the victim to paste clipboard information in the address bar. The flash file itself sets the clipboard data with malicious JavaScript which further spreads the attack. Here is what the malicious JavaScript looks like:

Let’s format this for better readability. Here is a formatted version:

If the user runs this malicious JavaScript in the address bar, the script randomly loads one of two JavaScript files from different domains. The “config.js” file is used to further spread this scam using different descriptions of the video. This JavaScript file not only posts the same Flash video message to the user’s wall, but also to their friends' walls. Here is a partial screenshot of the “config.js” file:

The above code contains all the configuration settings for spreading this message with different text messages and different domains. The “config.js” file also contains the code for posting the message to the wall of every Facebook friend.

Here is what the source of “verify.js” looks like:

The above file references yet another JavaScript file, which is used to keep track of real-time stats. The user is then prompted with a message box asking them to “Please verify your identity” by taking surveys, as shown below:

It will keep checking for the survey to be completed even if you click the “Complete” button without taking the survey. This is yet another scam run by attackers to earn some money by encouraging Facebook users to complete surveys that pay on completion. This is not the first time we have seen such a scam spreading on Facebook. Attackers are doing an excellent job of taking advantage of both social engineering and social networking.

Believe me - I don’t look stupid in that video!

Umesh

Sunday, May 15, 2011

India’s DNA e-newspaper website infected with fake antivirus campaign

DNA (Daily News and Analysis) is an Indian daily English-language newspaper. According to Wikipedia, DNA ranks 8th among the top ten English dailies in India. Recently, the Zscaler solution was blocking access to this site, as it contained malicious content. Here is the homepage of this website:

The ‘Today’s E-newspaper’ link (circled above) is an online version of the printed periodical. We discovered that one of the pages from this e-newspaper site was infected with a malicious script. Here is the screenshot of that page:

The malicious script tag had been inserted in plain text, as can be seen in this screenshot of the page source:

The malicious script tag directs the victim’s browser to ‘hxxp://vcvsta.com/ur.php’. This page then redirects the user to another malicious site (‘hxxp://www4.to-gysave.byinter.net’), which in turn redirects the victim to random sites hosting fake antivirus campaigns. Here is a screenshot displaying a fake malware alert:


As usual, the page employs social engineering tactics, displaying fake warning messages and threat names to scare the victim into downloading a fake AV product. The VirusTotal result for the downloaded binary currently shows only 10/43 AV engines detecting this particular attack. Here we have yet another example of a legitimate and popular website being infected so that the attacker(s) can impact a significant number of victims.

Umesh

Geek.com hacked with an exploit kit

Update 15/04/11 @ 3.40pm IST: With further research, it has come to our attention that many different pages, such as the main homepage and the About Us page, are infected with malicious Iframes pointing to different malicious sites.

We often blog about popular web sites being infected with different exploit kits. The attack vector remains the same, namely injecting a malicious HTML Iframe or script tag into the legitimate pages. One of our blog readers, Mr. David S., emailed me to share a popup alert that he was receiving on one of the pages of Geek.com. Geek.com has been a very popular site for online technology resources since 1996. They feature the latest news and reviews from the technology world. Here is the home page:

If you look at the screenshot above, you will notice that they feature the latest articles on the home page. The latest topic currently discussed is “Call of Duty: Modern Warfare 3 details leaked”. As this is the first article highlighted, and “Call of Duty” is a very popular game, one can assume that many people have fallen victim to this attack. It is in the article itself that the malicious Iframe has been injected. Here is the screenshot of the article in question:

The article was published on May 13th. As usual, the malicious Iframe is injected at the bottom of the page. Here is a screenshot of the malicious Iframe:

The malicious Iframe redirects victims to a malicious website hosting an exploit kit. Once you visit, heavily obfuscated JavaScript is returned which will target various known vulnerabilities. Here is what the exploit looks like:


The decoded version of this malicious JavaScript results in the same vulnerabilities being exploited as we have seen in past blogs on exploit kits, so I will omit the details of decoding the JavaScript. For interested readers, a Wepawet report is available for the malicious JavaScript.

Unfortunately, we see hundreds of attacks such as this each and every day. Many legitimate websites are being compromised by taking advantage of poor coding practices in web applications. Attackers are constantly on the lookout for popular websites or top news sites as targets for their attacks. Users need to be aware that no site is a safe site.

Umesh

Saturday, May 14, 2011

The most common obfuscation techniques in Fake AV pages

We have shown some of the heavy JavaScript obfuscation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective, techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.) rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.

HTML encoding and white space

The FakeAV pages often encode random HTML elements using HTML entities.
Use of HTML entities in the TITLE tag
This is a very common and basic evasion technique. FakeAV pages, however, have now brought this to the next level, and even encode HTML attributes (ID, Name, Class), not just text content.

Use of HTML entities in tag attributes
They also add random white space throughout the page. This causes problems for string matching algorithms.

JavaScript and CSS encoding

While most of the CSS information is contained in external files, some inline CSS is included within the HTML document. Attackers use hexadecimal encoding (\xXX) in combination with JavaScript. Again, the encoded characters differ from page to page.

Encoded inline CSS
This hexadecimal encoding is actually used for most inline JavaScript code on the page.

Hexadecimal encoding in JavaScript code
JavaScript obfuscation

The FakeAV pages use some JavaScript obfuscation, as seen in most malicious pages, but it tends to be very light, and the code spans only a few lines.

Obfuscated JavaScript
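Because these evasions target string matching rather than a human reader, a signature engine can simply normalise the page before matching. The block below is an added example, not code from the original post: it reverses the tricks described in this post (HTML entities in text and in attributes, random whitespace, \xNN escapes in inline JavaScript and the CSS it writes) and shows signatures that miss the raw page but hit the normalised one. The sample page and signatures are constructed.

```python
"""Normalise a Fake AV page so that plain string signatures match again.

Added example, not code from the original post. Reverses the evasions
described above; the sample page is constructed.
"""
import html
import re

INLINE_CODE_RE = re.compile(r"(<(script|style)\b[^>]*>)(.*?)(</\2\s*>)", re.S | re.I)
HEX_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
TAG_RE = re.compile(r"<([^>]+)>")

def decode_hex(code):
    """\\xNN escapes -> the characters they stand for."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), code)

def _tidy_tag(m):
    inner = re.sub(r"\s*=\s*", "=", m.group(1))   # id = "x"  ->  id="x"
    return "<" + " ".join(inner.split()) + ">"

def normalise(page):
    # 1. \xNN inside <script>/<style> bodies (covers CSS written by document.write)
    page = INLINE_CODE_RE.sub(lambda m: m.group(1) + decode_hex(m.group(3)) + m.group(4), page)
    # 2. entities everywhere: text content and attribute values alike
    page = html.unescape(page)
    # 3. whitespace padding inside tags (script bodies containing '<' are not special-cased)
    page = TAG_RE.sub(_tidy_tag, page)
    # 4. whitespace padding in text and around tags
    page = re.sub(r"\s+", " ", page)
    page = re.sub(r"\s*(<[^>]+>)\s*", r"\1", page)
    return page.strip()

def signature_hits(page, signatures):
    """For each signature: (matches the raw page, matches the normalised page)."""
    norm = normalise(page)
    return {s: (s in page, s in norm) for s in signatures}

# Constructed sample using the four evasions from the post.
SAMPLE_PAGE = r"""<html>
<head><title>&#87;&#105;ndows   &#83;ecurity  Alert</title></head>
<body>
<div   id = "&#119;arning"   class="&#98;ox">
  Your   computer is    infected!
</div>
<script>var  m = "\x53\x63\x61\x6e now";
document.write("<st\x79le>.alert{col\x6fr:\x72ed}</style>");</script>
</body></html>"""

SIGNATURES = [
    "<title>Windows Security Alert</title>",
    '<div id="warning" class="box">Your computer is infected!</div>',
    ".alert{color:red}",
]

if __name__ == "__main__":
    for sig, (raw, norm) in signature_hits(SAMPLE_PAGE, SIGNATURES).items():
        print(f"raw={raw!s:5} normalised={norm!s:5}  {sig}")
```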

I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually different Fake AV pages.

-- Julien

Monday, May 9, 2011

Rajasthan State marketing site infected with malicious code

India’s Rajasthan State Co-operative Marketing Federation Ltd (http://rajfed.gov.in/) has been infected with a malicious script tag. This government site promotes the objectives of procuring agricultural produce from farmers through the member societies on support prices declared by the Govt. of India. Here is the home page of this site:


The malicious script has been injected at the bottom of this page. Here is the screenshot of the page source:

Below, you can see a decoded version of the script using Malzilla.

The decoded script tag leads to JavaScript from “hxxp://cs.cskick.cn/cs/sc.js”. Currently, this malicious site is down. A quick Google search for this domain shows that it has been involved with malicious activity in the past. Trend Micro has issued a report for a separate threat hosted at that same domain.
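The injections in this post, the Geek.com post and the DNA post share the same shape: an off-site script or iframe appended after the legitimate page has ended, often sized to be invisible. The block below is an added example, not code from any of these posts: it parses a page and reports script/iframe tags by those traits. The site's own hostnames are assumed to be known, and the sample page and hostnames in it are constructed.

```python
"""Spot injected off-site <script>/<iframe> tags in a page's HTML.

Added example, not code from the posts it follows. Checks three traits
those injections share: an external host that is not the site's own,
placement after </html>, and (for iframes) hidden sizing.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []            # (tag, attrs, (line, col))
        self.html_closed_at = None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, dict(attrs), self.getpos()))

    def handle_endtag(self, tag):
        if tag == "html" and self.html_closed_at is None:
            self.html_closed_at = self.getpos()

def _is_own(host, own_hosts):
    return any(host == h or host.endswith("." + h) for h in own_hosts)

def _hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {attrs.get("width"), attrs.get("height")} & {"0", "1"}
    return bool(tiny) or "display:none" in style or "visibility:hidden" in style

def find_injected(page, own_hosts):
    """Return one finding per suspicious tag, in document order."""
    p = _Collector()
    p.feed(page)
    findings = []
    for tag, attrs, pos in p.tags:
        src = attrs.get("src")
        if not src:
            continue                      # inline scripts are a separate problem
        host = urlparse(src).hostname     # None for relative src
        reasons = []
        if host and not _is_own(host, own_hosts):
            reasons.append("offsite")
        if p.html_closed_at and pos > p.html_closed_at:
            reasons.append("after </html>")
        if tag == "iframe" and _hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"tag": tag, "src": src, "line": pos[0], "reasons": reasons})
    return findings

# Constructed sample: a legitimate page, then the appended injection.
SAMPLE_PAGE = """<html>
<head><script src="/js/site.js"></script>
<script src="http://static.example-news.test/ads.js"></script></head>
<body><p>Story text</p></body>
</html>
<script src="http://bad-redirector.example/ur.php"></script>
<iframe src="http://exploit-host.example/in.cgi?3" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for f in find_injected(SAMPLE_PAGE, {"example-news.test"}):
        print(f)
```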

Umesh

Friday, May 6, 2011

Help Center URL Validation Vulnerability (CVE-2010-1885) Campaign

I've recently noticed a number of transactions to:

vvvvvv.dyndns-mail.com/
46.254.16.61 (PTR: www.asl-s.com)

Update: we're now seeing this attack hosted as well on:

Some of the transactions have referer strings from pages from a number of sites (i.e., these sites are compromised/hosting content that links to the attack pages), for example:


(the list goes on ... I'll make additions with the more interesting sites as I see them)

Some of these sites are also blocked by GSB, but initially I was not able to track down the malicious content. Fortunately Wepawet was able to help me through the maze of content being loaded on the pages. The report is visible here.

googlepics.dyndns.tv/news/1997
whitehorse.dyndns-server.com/news/1997
blog.dyndns-blog.com/news/1997
vvvvvv.dyndns-mail.com/news/1997

Turns out that it exploits the Microsoft Help Center URL Validation Vulnerability (CVE-2010-1885).

Unfortunately it doesn't appear that the Wepawet sandbox falls victim to the exploit or is able to actually obtain a malicious payload from this. I'll analyze the HCP parameter / exploit further and include any information I find about the payload.

Update:
Here's the first stage decode of the payload (spaced to read better):

Update 2 (final dropper decode):

Uses cscript.exe (command-line version of Windows Script Host) to run commands that are "echoed" to a file ".js" which downloads contents from:

hxxp://vvvvvv.dyndns-mail.com:80/news/c80e9994fe5fa7af48d3a00010b9f349.php?start=4&thread_id=3256081&forum_id=1997&

and stores them into a file bonjour.exe at the root directory. This executable is then launched and all processes containing the string "help" are forcefully killed.
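The dropper chain just described (a script host spawned from the Help Center process, cscript running an echoed .js file, an executable launched from the drive root, then every "help" process killed) is visible in process-creation telemetry even when the payload itself cannot be retrieved. The block below is an added example, not code from the original post: a small hunt over constructed, Sysmon-style events. The event field names, helpctr.exe as the process that handles hcp:// links, and the "stage.js" file name are assumptions made for illustration.

```python
"""Hunt process-creation logs for the dropper chain described above.

Added example, not code from the original post. The events are constructed,
Sysmon-style records; the field names, helpctr.exe as the hcp:// handler and
the stage.js file name are assumptions for illustration.
"""
import re

ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe"}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def _lineage(event, by_pid):
    """Basenames of the event's ancestors, nearest first (cycle-safe)."""
    names, seen = [], set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        names.append(_basename(event["image"]))
    return names

def hunt(events):
    """Return (pid, reason) alerts for the four behaviours of the dropper."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd = _basename(e["image"]), e["cmdline"].lower()
        # 1. a script host (directly or via cmd.exe) descended from the help centre
        if img in SCRIPT_HOSTS and any("help" in a for a in _lineage(e, by_pid)):
            alerts.append((e["pid"], "script host under help-centre process"))
        # 2. cscript running a .js file: the "echoed" downloader stage
        if img == "cscript.exe" and ".js" in cmd:
            alerts.append((e["pid"], "cscript running a .js file"))
        # 3. an executable started from a drive root, like bonjour.exe
        if ROOT_EXE_RE.match(e["image"]):
            alerts.append((e["pid"], "executable launched from drive root"))
        # 4. forced kill of every process with "help" in its name
        if img == "taskkill.exe" and "/f" in cmd and "help" in cmd:
            alerts.append((e["pid"], "forced kill of help processes"))
    return alerts

# Constructed chain: IE -> helpctr.exe -> cmd.exe -> cscript -> bonjour.exe, then taskkill.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\PCHealth\HelpCtr\Binaries\helpctr.exe", "cmdline": "helpctr.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c echo var x=1 > C:\stage.js"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript C:\stage.js"},
    {"pid": 600, "ppid": 500, "image": r"C:\bonjour.exe", "cmdline": r"C:\bonjour.exe"},
    {"pid": 700, "ppid": 400, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM helpctr.exe"},
    # benign noise: an admin script run from Explorer
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```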

Unfortunately, I have not been able to directly download the executable payload from vvvvvv.dyndns-mail.com, I keep getting a 302 response to Google.

There is also a Java attack being served from this exploit kit - possibly Incognito, but I can't access the control panel: hxxp://blog.dyndns-blog.com/admin.php (I get an "error 3" text response).

Sample of .jar file drops:

vvvvvv.dyndns-mail.com/news/8db59781b281e80e1284a8847f73d58d.jar
blog.dyndns-blog.com/news/8db59781b281e80e1284a8847f73d58d.jar
blog.dyndns-blog.com/news/ef36787f21fb429c4c7cb2212902dcbd.jar
blog.dyndns-blog.com/news/09ec45a029f86af501a1391c2a6e781c.jar

Note: I've tried to download the executable payloads spoofing the referer / user-agent and coming from different hosts without success. It is possible that the hash value filename is time or source sensitive.

Had a friend send me a copy of the binary:

V/T Report: 2/41

ThreatExpert Report shows network connectivity to:
67.18.166.173:10000/load.php?file=#
where # = 0-19 (possibly piecemeal malware building)
81.177.33.95/forum.php

Here's an earlier variant (April 12, 2011) of the malware that I was able to find; however, it is just as elusive at being pinned to a specific malware family:

V/T Report: 9/42

ThreatExpert Report, network activity:
summer-ciprys.com/load.php?file=#
joomla-desing.com/admin.php

Zscaler Safe Shopping available for Firefox 4 Mobile

After porting Search Engine Security to Firefox Mobile, I have also made Zscaler Safe Shopping available for smartphones. This add-on warns users when they are browsing a fake or compromised store. If you happen to visit one of these sites, you will be warned to not enter sensitive information, such as a credit card number or a mailing address.

Install Zscaler Safe Shopping add-on for Firefox 4 Mobile

Mobile notifications

Version 1.1 of Zscaler Safe Shopping offers the same features as version 1.0 for desktop browsers. However, the notification system on the mobile version is slightly different. Extension developers can use either the built-in alert system or display a dialog box to the user. The former is less intrusive, but its implementation seems to differ depending on the OS. Firefox 4 Mobile on Windows displays a nice panel at the bottom of the phone, while my Android phone shows a tiny message at the top of the phone. On my phone, the warning is barely noticeable, and does not work when the browser is in full-screen mode.

Desktop notification on Windows
Desktop notification on a phone

I've therefore added an option to choose the appropriate notification system. Users can choose the best option for their system.

Choose the type of alert for your OS
Low bandwidth requirements

The list of fake and compromised stores is stored locally. It is refreshed once a day, but you can change this to a longer interval in the options. The blacklist is about 11 KB.

Zscaler Safe Shopping options



Install Zscaler Safe Shopping add-on for Firefox 4 Mobile

-- Julien