Tuesday, November 29, 2011

Cyber Monday Transactions - Indication of Economy?

Last year I did a post on the transactions that we saw related to online shopping on Cyber Monday - as I indicated in the past, yes there is a spike. And looking at the transactions this year, again we notice a spike:
You can see the cyclic nature of the work week given that we handle enterprise traffic. The Y-axis values are is the monthly percentage of online shopping/auction transactions. So Cyber Monday made up 7.51% of the November 2011 shopping transactions and Black Friday made up 3.82%. The average for the month was 3.57%, excluding weekends the average for the month was 4.53%. These stats look at web transactions from a "micro" level - looking at a a longer-term trend across Black Friday and Cyber Monday online shopping transactions:

We notice a downward trend in online shopping transactions from 2009-2011 Black Fridays and that online shopping transactions have remained fairly static from 2009-2011. In this case the Y-axis is the percentage of online shopping transactions for the day - for example, 4.63% of this Cyber Monday's transactions were online shopping. The precise numbers for the other Cyber Mondays were 4.68% in 2009 and 4.61% in 2010. So there was a 0.05% decrease from 2009 to 2010 and a 0.02% increase in 2011. Given the general increase in online shopping vendors, general awareness of "Cyber Monday", and people being more comfortable making online purchases I would expect Cyber Monday online shopping to noticeably trend upward. Black Friday online shopping trended downward year over year, and we see the Cyber Monday downturn in 2010 and the slightest increase / stagnation in 2011 -- these online shopping stats may provide an indication as to the health of the economy.

Tuesday, November 22, 2011

More software-related searches lead to malware

Spammers have done a very good job a hijacking web searches related to buying software online. More than 90% of search results for "buy Microsoft Windows" and similar searches, lead to fake stores on major search engines. Not much has been done by the search engines to clean up these search results.

Since the beginning of 2011, the number of search results for popular queries leading to fake AV pages and malware has dramatically decreased, especially on Google.

I've wondered when attackers would switch from the poisoning popular search phrases, to more targeted searches. In the past few weeks, I've seen more and more spam redirected to malware, where similar searches would previously have led to a fake online store.

For example, the website www.saloncti.com contains multiple spam pages around "buy microsoft office" (be careful if you decide to follow the search results). These spam pages are very similar to the spam pages leading to fake stores.

Spam page on http://www.saloncti.com/?p=1523
Instead of a fake store, the visitor is redirected to at least three types of malware.

Fake AV

One of the malicious redirections is to It hosts a Fake AV page. Although the page looks visually the same as the Fake AV pages I've seen so far, the source code is very different.

Here is a video of the Fake AV page. I quickly got blacklisted (see details below in the post), so I had to reconstruct the page on my local machine. On the real website, I would have been prompted to download an executable, which was malware disguised as an antivirus solution.

Naked Emma Watson video

I've described this malicious page in a previous blog post. Basically, the page looks like YouTube, with a purported video of Emma Waston naked. The "Play" button warns users that they don't have the latest version of Flash and tricks users into installing malware.

Fake Flash installation

Top 10 Famous Celebrity Scandals

This is a variation of the naked Emma Watson video. The page shows a picture of a scantily clad Paris Hilton. Again, the goal is to trick users into installing malware disguised as a Flash update.

The page was hosted on firstuzsoft.rr.nu and was not blocked by Google Safe Browsing. The malicious executable was detected by only 6 AV out of 43. Zscaler's free Search Engine Security add-on for Firefox, does protect against these types of sites.

IP checks

There are multiple redirections between the spam page on the initial site (www.saloncti.com) and the final malicious page ( or firstuzsoft.rr.nu). The referrer and the IP address are checked along the way. Here is a sample of a redirection from a Yahoo! search, to the malicious domain:

  1. http://search.yahoo.com/ra/click?.bcrumb=tfNYWE9Y1t1&p=site%3Asaloncti.com%20software&cq=[...]
  2. http://www.saloncti.com/?p=1870 (302 redirection)
  3. (302 redirection)
  4. (302 redirection)
  5. http://www.communitysupportottawa.ca/cutenews/ip.php (302 redirection)
  6. http://www.skibec.ca/castor-kanik/cutenews/ss/2.php (302 redirection)
  7.  http://www3.bestiiarmy.rr.nu/?nlqqufcc=kuHa1bKbmpOZi%2BPdzaaUmNnsq56lopva18%2Bfl6Sqnp%2BU1Z3cntKV
After following a couple of search results, my IP address got blacklisted and I was redirected to ask.com instead of the malicious domain.

It is scary, but predictable, to see attackers switching their targets. I hope the search engines will take the threat of malicious executables more seriously than fake stores and clean up their search results. It will be interesting to see who has the best Blackhat SEO skills: people behind fake stores, or people behind fake AV/Flash pages.

Monday, November 21, 2011

Zscaler Likejacking Prevention for Opera

Along with Firefox, Chrome and Safari, Zscaler Likejacking Prevention is now also available for Opera. You can download it on the official Opera add-on site.

Zscaler Likejacking Prevention on the Opera extensions site

The Opera version works the same as the Google Chrome version, with a similar popup to obtain more information about the Facebook widgets on the current page.

Zscaler Likejacking Prevention for Opera in action

The red/green icon that indicates if a page is safe or suspicious, is located on the far right of the Opera browser. I believe it would have been more visible if it were part of the URL bar, as I did for Chrome and Firefox, but unfortunately, Opera does not permit such a placement.

Icon on the right of the screen, after the search bar
Preferences page


There is one big limitation in Opera: the extension cannot detect hidden Facebook widgets in frames or iframes. This is due to restrictions in the Opera extension framework, which don't permit frames and iframes to be linked to the top window. Scripts can be injected in frames and iframes, but it is not possible to know which tab they belong to and the background page cannot communicate with the frames and iframes inside a tab.

In practice, 90% of the hidden Facebook widgets I've seen do not use layers of frames and iframes. Zscaler Likejacking Prevention will help users to stay safe from Facebook spam for the majority of spam pages

Version 1.0.9

I'm continually improving Zscaler Likejacking Prevention on all platforms. The latest version available is 1.0.9. You can download it and the other plugins we have released, on our Tools page.


I expect version 1.1.0 of the Firefox Zscaler Likejacking plugin to be approved on the official Mozilla add-on site within a few days.

-- Julien

Friday, November 18, 2011

When scammers call you at home

UPDATE: I've updated the post with a second Skype call I received on 1/17.

Scammers are always trying new ways to reach their targets to foil them into buying free software, sending credit card information, etc. Yesterday, they called me directly at home!

I was working on my computer when I got a Skype call from an unknown caller with a Skype ID of "NOTIFICATION® URGENT - WWW.SWNOW.COM - UPGRADE INSTRUCTIONS". The automated call explained that my "software protections" were disabled and I had to urgently go to www.swnow.com (spelled out in the call). I could not record the call, but it was very similar to what you hear when you visit hxxp://www.swnow.com/.

Skype call from a scammer

The call does not give any information about who is calling or what this "software protection" is supposed to be. It lasted 1 min. 50 secs. and basically just urged me to visit www.swnow.com.

Skype call information

When visited, hxxp://www.swnow.com/ displays a fake antivirus page. It looks different than the Fake AV sites that use Blackhat spam SEO to reach users. Of course, the site purports that numerous viruses are found on your computer...

Fake AV claim to have found viruses
The website is trying to sell the antivirus solution, rather than trying to get user's to install malware disguised as a free AV program. The website is well designed. The button "Activate Computer Protections" shows an "activation" form..

Check out form
Then, the website gathers some personal information (name, e-mail address, etc.) via the "activation" form.

Information gathering

Finally, the user is sent to a different website, securecheckouts.org, to process the payment.

Payment processing form

Looking at the HTML code, the page only contains an iframe, pointing to hxxp://www.liveadmin.com/affiliates.php?affil104, where the payment form is actually hosted.

HTML source of securecheckouts.org
There have been a steady rise of websites trying to resell free software (AVG and other antivirus, OpenOffice, P2P clients, etc.) or deliver fake stores that claim to offer software at deep discounts, etc. However, this was the first time that I've encountered a Skype call being used to push users to visit a fake store.

Second call

I received a similar Skype call on 11/17. I was urged to visit www.msgmf.com to protect my computer. Te website is similar to www.swnow.com. It tricks users into paying $19.95 through click2sell.eu for an antivirus.

Second Skype call spam
Fake antivirus on www.msgmf.com
Antivirus "activation" page
Payment form on click2sell.eu

-- Julien

Wednesday, November 16, 2011

Facebook: Anatomy of Self-Inflicted Javascript Injection

Many are already familiar with "likejacking" (a form of "clickjacking") in which a user is tricked into clicking on and interacting with the Facebook "like" button -- this has been one of the most common vectors of abusing Facebook. For example, the "like" button may be hidden behind an image such as a picture of an embedded YouTube video with a play button. Zscaler released a free browser plugin for identifying and warning of hidden "like" buttons in webpages. However, a recent campaign on Facebook in which inappropriate pictures (porn, mutilation, etc.) were spread through user's social networks was conducted via a different mechanism that many are unfamiliar with: self-inflicted JavaScript (JS) injection. This post will explain the basic technique and some of what we are seeing on Facebook.

Many people are unaware that they can run JS directly from their browser's URL bar. Go ahead and try it. Here is a benign script that pops up a test alert in your browser, enter this into your URL bar: javascript:alert('test');

If you're running NoScript it prevents running JS directly from your URL bar to combat social engineering attempts to get users to unknowingly run something malicious, and will provide the following dialog message:

Otherwise, here is a screenshot from entering this in Safari:
In this example on Safari, I was initially on the www.apple.com page before I launched the JS in my URL bar - so you can see the Apple page in the background and the JS alert message appears to have come from www.apple.com. This would change depending on whatever page I was on when I launched the JS in the URL bar - additionally the JS could be modified to interact with or modify content on the current page. In other words, you could run JS that could completely modify the Apple page locally in your browser or interact with buttons or links. This is an important concept to understand and is a technique that is being used to do damage to Facebook accounts / profiles.

The "same origin policy" is a security concept used in JS and other browser-side scripting languages that prevents scripts from one website from accessing methods/properties on another website. So when you visit your friend's blog, he is unable to have JS execute and automatically interact with your Facebook account. Instead he includes a link at the bottom of his blog to interact with facebook.com and pass a parameter to Facebook saying that you "like" his post (the "like" button). For example,


There is an exception to the "same origin policy" in which you can execute script locally within your browser to interact with a page (shown above in the apple.com example). Developers and browser plugins (e.g., greasemonkey) take advantage of this fact to alter various aspects about a webpage. Bad guys are also taking advantage of this fact, by social engineering users to copy/paste or type JS in their URL bar to perform unwanted actions. While logged into Facebook, the JS can automatically perform actions in your account such as, "liking" content or messaging your friends.

Facebook has cleaned up most of the offensive content from in the recent campaign. But doing some specific searches I was able to find some examples of this self-inflicted JS injection technique being used on Facebook.

The most common case, are Facebook groups that ask you to join and then enter in some JS into your URL bar. For example,

This JS loops through all of your Friends and suggests / invites them to the group. In other words, this JS performs a bulk invite of a group to all of your Friends. Simple, right?

Here is an example of a more complex and malicious JS I found on FB:

The strings in the JS are all hex encoded, below is the unescaped version:

This JS generates an Facebook invite message to your friends with the message containing an IFrame to: bit.ly/9CxGhY?82

Visiting this shortened link, shows that Bit.Ly is aware of the abuse and warning users from following:
The shortened link was to the now down site:
There are many examples of past abuse from various "facebook.joyent.us" sites, here for example.

This technique is not a new technique - Zscaler has reported past abuse examples using this Self-Inflicted JS Injection method, for example:
Be careful of all actions you take while online, to include copying and pasting content into your URL bar.

Tuesday, November 15, 2011

More free software repackaged for money

In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.

Here are some of the websites:

Filezilla on http://filezilladownload.net/
VLC on http://downloadflashplayer.org/ advertised a s stand-alone Flash player
WinSCP on http://winscpdownload.com/
7zip on http://7zip-download.org/

Here is a list of 9 similar websites responsible for distributing such malware:
  1. hxxp://filezilladownload.net/
  2. hxxp://downloadflashplayer.org/
  3. hxxp://avi-player.net/
  4. hxxp://flv-player.org/
  5. hxxp://gom-player.org/
  6. hxxp://photoshopfreedownload.net/
  7. http://winscpdownload.com/
  8. hxxp://7zip-download.org/
  9. hxxp://notepaddownload.net/

The files that are downloaded use a similar naming convention - software-setup-win32.exe or software-setup-win32_us.exe: aviplayer-setup-win32.exe, winscp-setup-win32_us.exe, flashplayer-setup-win32,exe, filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.

The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3.

Software repackaged by Conversionads

The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.

Microsoft packages installed by default

I've found most of these sites through spam comments in forums such as this one on carepages.com:

Links to repackaged software

They are also well referenced by Google. For example, filezilladownload.net shows up at #5 for filezilla download, just after the four search result links to the official filezilla-project.org website

-- Julien

Thursday, November 10, 2011

Adobe Flash “SWF” Exploit still in the Wild.

A vulnerability reported in Adobe Flash in April 2011 (CVE-2011-0611) continues to be targeted. When first reported, the vulnerability was widely exploited by embedding a “.swf” file into Microsoft Office documents/html pages. Adobe issued patch for this vulnerability soon after it was reported, but the vulnerability remains a popular target.

Source of hxxp:// :

This exploit code embeds a “nb.swf” flash file into a webpage, which is then executed by the Adobe Flash player object initialized using classid “d27cdb6e-ae6d-11cf-96b8-444553540000”. When the page is being loaded, the malicious “nb.swf” file is downloaded from the URL “”.

Execution of “nb.swf” leads to memory corruption in Flash Player, which allows execution of arbitrary shellcode, which is passed as an input parameter.


The Virustotal report for “nb.swf” shows it is a Trojan Downloader, used to deliver additional malware to the infected machine.

Flash and other browser plugins remain a popular target for attackers, even for known vulnerabilities that have been patched for some time. This is because attackers know that plugins regularly remain unpatched for some time. The chart below details the most outdated browser plugins seen by Zscaler during Q3 2011. As can be seen, about 7% of all browsers that we see with Flash Player installed, are running an outdated and potentially vulnerable version of the software. Other plugins present are even more frightening targets.

Be sure you update your plugins regularly!


Analyzing malicious files for writing network signatures

Attackers continually modify malware in order to evade antivirus software. Attackers will pack or encrypt malicious files using various packers. Blocking each and every malicious executable is a challenging task for antivirus vendors. Most malicious files, once installed, try to download additional malware or send HTTP GET/POST requests to malicious servers controlled by attackers. Malicious files can gather sensitive information and then send it to the controlled servers. Given the networking capabilities of malware, beyond simply trying to identify the malicious binary itself, we can also detect malware by identifying certain patterns in network traffic. This blog will explain how someone with limited reverse engineering skills can monitor network traffic to identify malicious binaries.

For this tutorial, we will use the example of a real-world malicious server - “hxxp://uaetoon.net/scan/”. This website hosted a fake antivirus program, designed to convince a victim that their PC was infected. The site displayed different security alerts, such as “Your Computer is Infected”. Here is the screenshot of the malicious website once visited,

The website would then convince the victim to download a malicious binary file called “setup.exe” in order to remove fake threats found on the system. Installing the binary was of course actually installing a Trojan on the machine as opposed to an AV solution. The malicious binary would then send various HTTP requests to malicious servers controlled by the attackers. We can study the network traffic by allowing the binary to execute in a virtual machine, but this approach has some limitations:
  1. You need a separate controlled environment to run the malicious samples. It is never advisable to run the samples on your production network.
  2. There are chances that not all HTTP requests are fired by the malicious binary depending upon the availability of malicious severs.
Due to the above limitations, we sometimes need to first reverse the malicious binary in order to retrieve strings such as the destination servers. This can easily be done, with limited reverse engineering knowledge and without running the sample. Let’s begin with some static analysis. Download the malicious file on your machine or VMware image, but don’t run it.

Let’s first find out if the file has been packed using some well-known packer. To do so, you will need to open the malicious file in a hex or text editor. Here is the screenshot of file when opened in a text editor:
Here, a little knowledge of commonly used packers will be helpful. UPX (Ultimate Packer for Executables) is often used by attackers, as it is a free and open source packer. You will generally find strings like “UPX” and “UPX1” in the malicious file in plain text if the file is packed using UPX. Now that we know the file has been packed by UPX, we need to unpack it and open it in the IDA pro dissembler. To unpack the malicious file, download UPX packer. Unzip the packer and copy the malicious file into the UPX folder. Unpack the malicious file with the simple command shown in below screenshot,
Now, the file has been unpacked and can be opened in IDA pro. We are not going to fully reverse engineer the file for the purpose of this blog, rather we’ll look for potential domains where traffic is sent. In the next screenshot, you can see the binary in IDA Pro:

Allow IDA Pro to complete its analysis and then open the “Strings window” to identify strings used by the file. Going through the strings window, you will learn a great deal about the activities conducted by this binary, such as registry changes or network traffic sent. Let’s look at some interesting strings:
From the above strings, we can conclude that this malicious binary creates registry entries under “Run” in order to run this executable each time the computer is rebooted. This binary can also send HTTP POST requests with content type x-www-form-urlencoded, which refers to the URL format. This is valuable information when writing pattern matching signatures, in order to block further infection. Copy and save the URL format which is “http://%s%s?act%sor&v=1&a=%d&id=%s&hardid=%s”. The malicious file later will substitute domain strings and other data in place of the %s (string) variables.

Here is another set of strings:

We now have all the malicious domains, along with another URL pattern. That’s it! We now have all the domains and URL patterns necessary to write network-based signatures. While this approach won’t work in every case, it does represent an efficient way to write network signatures without the need to conduct a full and time consuming reverse engineering exercise. Now we have 2 URL patterns:
  1. http://%s%s?act%sor&v=1&a=%d&id=%s&hardid=%s
  2. %s?action=%sgen&v=%s
We can now easily block all HTTP requests, including the above patterns. Even if the attacker changes the domains used, chances are high that the URL format will remain the same. It turns out that this traffic relates to the now well-known Koobface worm.

Blocking all variants of malware can be difficult but we can greatly improve detection rates by additionally monitoring network traffic.

Hope this will be useful.