Tuesday, August 31, 2010

Corporate Espionage for Dummies: HP Scanners

One Version of the WebScan interface on an HP scanner
Scanning functionality in an alternate UI
Web servers have become commonplace on just about every hardware device, from printers to switches. Such an addition makes sense: every device requires a management interface, and making that interface web accessible is certainly more user friendly than requiring the installation of a new application. Although these embedded web servers are typically completely insecure, those on printers/scanners are generally of little interest from a security perspective, even when network misconfigurations make them reachable over the web. Yes, you can see that someone neglected to replace the cyan ink cartridge, but that's not of much value to an attacker. However, that's not always the case. I was recently looking at a newer model of an HP printer/scanner combo and something caught my eye. HP has for some time embedded remote scanning capabilities into many of its network-aware scanners, a feature often referred to as Webscan. Webscan allows you not only to remotely trigger a scan, but also to retrieve the scanned image, all via a web browser. To make things even more interesting, the feature is generally turned on by default with absolutely no security whatsoever.

The Insider Threat
With over $1B in printer sales in Q3 2010 alone, and with many of those devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many enterprises don't realize is that their scanners may, by default, allow anyone on the LAN to remotely connect to the scanner and, if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so.

Want to know if your office LAN has any wide open HP scanners running? Run this simple Perl script to determine if there are any devices on the local network running HP web servers.

As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature.
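As an added defensive example (not code from the original post), the predictable retrieval URL above gives a detection hook: a proxy-log parser that records every WebScan image retrieval and flags a client pulling /scan/image1.jpg from a scanner at machine speed. The log layout and all addresses are constructed.

```python
"""Detect clients polling HP WebScan image-retrieval URLs in a web/proxy log."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the original post). Layout:
# client_ip  ISO-timestamp  method  url  status
SAMPLE_LOG = """\
10.0.0.23 2010-08-31T09:00:00 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245200 200
10.0.0.23 2010-08-31T09:00:01 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245201 200
10.0.0.23 2010-08-31T09:00:02 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245202 200
10.0.0.23 2010-08-31T09:00:03 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245203 200
10.0.0.23 2010-08-31T09:00:04 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245204 200
10.0.0.88 2010-08-31T09:02:10 GET http://10.0.0.50/ 200
10.0.0.88 2010-08-31T09:02:41 GET http://10.0.0.50/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=1283245361 200
10.0.0.31 2010-08-31T09:03:00 GET http://www.example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<ts>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
# Retrieval path documented in the post: /scan/image1.jpg?id=...&time=<epoch>
WEBSCAN_RE = re.compile(r"^https?://(?P<host>[^/]+)/scan/image1\.jpg\?.*\btime=\d+", re.I)


def parse_log(text):
    """Parse the constructed log layout into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def webscan_requests(records):
    """Return (client, scanner_host, timestamp) for every WebScan image retrieval."""
    hits = []
    for rec in records:
        m = WEBSCAN_RE.match(rec["url"])
        if m:
            hits.append((rec["client"], m.group("host"), rec["ts"]))
    return hits


def flag_pollers(records, min_requests=5, window_seconds=60):
    """Flag (client, scanner) pairs that retrieve scans at least min_requests
    times inside any window_seconds span: a scripted poller, not a person."""
    by_pair = defaultdict(list)
    for client, host, ts in webscan_requests(records):
        by_pair[(client, host)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        for i in range(len(times) - min_requests + 1):
            span = (times[i + min_requests - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[pair] = len(times)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(webscan_requests(recs))} WebScan retrievals seen")
    for (client, host), n in flag_pollers(recs).items():
        print(f"ALERT {client} polled WebScan on {host} ({n} retrievals)")
```

The single retrieval by 10.0.0.88 is logged but not flagged; only the one-per-second client trips the polling rule.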

The External Threat

Status screen
It's bad enough that many enterprises are running scanners that are remotely accessible by rogue employees, but what if those same scanners were accessible to anyone on the Internet? Whether intentionally set up as such or more likely accidentally exposed via a misconfigured network, there are numerous scanners exposed on the Internet, the majority of which are not password protected. In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version. Interestingly, based on the sample set examined, there was a greater likelihood that HP Photosmart scanners were not locked down as opposed to Officejet scanners. This finding actually makes sense, given that Officejet scanners tend to be marketed to corporate users, a group that is hopefully more likely to implement security protections on hardware/software.

Likelihood of Admin password being set on scanner types identified
Example Google/Bing queries used to identify open scanners:
The many variations of the HP web interface ensure that no single query will identify all exposed scanners, but as can be seen, with a little creativity it is trivially easy to find exposed scanners.

The Wall of Shame

What sort of things do people leave on their scanners? In researching this blog, I saw checks, legal documents, completed ballot forms, phone numbers...and my personal favorite, Jim's diploma informing the world that he's now a Certified Mold Inspector - congratulations Jim!

Below are samples of documents remotely retrieved due to corporations using HP scanners that were not password protected, on misconfigured networks that exposed their scanners to the Web.

Signed documents
Voting Advice
Signed Checks
Technical Reports
My advice - run the Perl script to see if you have any HP scanners on your network and if you do...lock 'em down quick, by setting the Admin password.

- michael

Beaconing Leads to Swarft Trojan & Suspicious Netblock

Often, open-source information helps to confirm our suspicion about certain web transactions being tied to an infection or download of something malicious. While conducting analysis on the results from some of my scripts that extract out potentially suspicious web transactions, I found web transactions that appear to be tied to a bot with keylogger / drop site functionality. Searching for open-source information reveals little to no information on the server or threat.

The infected host does an HTTP POST every 5 minutes to the URL:


The IP is part of a US netblock (Las Vegas, NV datacenter, PREMIANET), SWIPed out to a customer in the Ukraine (UA):

Vladimir Miloserdov SERVERPOINT-CUSTOMER-SYNEJY (NET-216-108-234-166-1) -

Here is the customer information for this small netblock:

CustName: Vladimir Miloserdov
Address: So,136
City: Donetsk
StateProv: DN
PostalCode: 83054
Country: UA
RegDate: 2009-05-24
Updated: 2009-05-24

Below is a snippet of the transactions seen.
Notice that the size of the POST is larger than the response from the server - over 20000 bytes compared to a very short response of 168 bytes. This means that the client is regularly pushing a fair amount of data somewhere and not receiving anything other than a very simple acknowledgment back. In the case of a normal web application, pushing data to a server usually has a larger response such as a webmail or blog interface.
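As an added example (not from the original post), the two signals described above, near-constant inter-request intervals and a request-to-response size ratio far beyond what a web application produces, can be scored directly from proxy logs. The log layout, addresses and URL path are constructed; the flagged pair mimics the 5-minute, ~20 KB POST / 168-byte reply pattern described, placed beside an ordinary webmail session for contrast.

```python
"""Score client/server pairs in a proxy log for beaconing: near-constant
request intervals plus far more bytes sent than received."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not the customer transactions from the original post).
# Layout: client_ip  ISO-timestamp  method  url  request_bytes  response_bytes
SAMPLE_LOG = """\
192.0.2.15 2010-08-31T10:00:00 POST http://198.51.100.7/post.php 20480 168
192.0.2.15 2010-08-31T10:01:12 POST http://mail.example.com/compose 4210 38215
192.0.2.15 2010-08-31T10:02:40 POST http://mail.example.com/compose 1850 41002
192.0.2.15 2010-08-31T10:05:00 POST http://198.51.100.7/post.php 20992 168
192.0.2.15 2010-08-31T10:10:01 POST http://198.51.100.7/post.php 20388 168
192.0.2.15 2010-08-31T10:11:05 POST http://mail.example.com/compose 9344 36557
192.0.2.15 2010-08-31T10:12:50 POST http://mail.example.com/compose 2210 39871
192.0.2.15 2010-08-31T10:15:00 POST http://198.51.100.7/post.php 21116 168
192.0.2.15 2010-08-31T10:19:59 POST http://198.51.100.7/post.php 20512 168
192.0.2.15 2010-08-31T10:25:00 POST http://198.51.100.7/post.php 20677 168
192.0.2.15 2010-08-31T10:27:33 POST http://mail.example.com/compose 3001 40120
192.0.2.15 2010-08-31T10:28:01 POST http://mail.example.com/compose 1500 35500
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<ts>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
                    r"\s+(?P<req>\d+)\s+(?P<resp>\d+)$")


def parse_log(text):
    """Parse the constructed layout; the destination is reduced to its host."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({"client": m["client"], "ts": datetime.fromisoformat(m["ts"]),
                        "method": m["method"], "host": urlparse(m["url"]).netloc,
                        "req": int(m["req"]), "resp": int(m["resp"])})
    return records


def score_pairs(records, min_requests=5):
    """Per (client, host): request count, mean interval, interval coefficient of
    variation (0 = perfectly periodic) and median request/response byte ratio."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["client"], rec["host"])].append(rec)
    scores = {}
    for pair, recs in groups.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        req = statistics.median(r["req"] for r in recs)
        resp = statistics.median(r["resp"] for r in recs)
        scores[pair] = {"count": len(recs), "mean_interval": mean, "interval_cv": cv,
                        "size_ratio": req / resp if resp else float("inf")}
    return scores


def beacons(records, max_cv=0.05, min_ratio=10.0):
    """Pairs whose timing is regular (cv <= max_cv) and whose uploads dwarf the
    replies (ratio >= min_ratio), as in the 20 KB POST / 168-byte reply case."""
    return sorted(pair for pair, s in score_pairs(records).items()
                  if s["interval_cv"] <= max_cv and s["size_ratio"] >= min_ratio)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, s in score_pairs(recs).items():
        print(f"{pair[0]} -> {pair[1]}: n={s['count']} interval={s['mean_interval']:.0f}s "
              f"cv={s['interval_cv']:.3f} upload/download={s['size_ratio']:.1f}")
    print("beacons:", beacons(recs))
```

The webmail session fails both tests (irregular timing, replies larger than requests), while the periodic upload to the constructed server is the only pair returned.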

Visiting responds with the default Apache response “It works!”

Open-source searches show that the IP is blocked in a few block lists due to spam, e.g., Project Honeypot.

At a minimum this netblock is suspicious and should be alerted/blocked within your organization.

Reaching out to some colleagues helped to reveal that this beaconing is likely tied to the Swarft Banking Trojan, due to the “scr1pt7-r#.php” phone-home URL path. This is a relatively new Trojan family; the Microsoft threat entry states that the Trojan steals data that may “include credit card numbers, tax returns, login credentials or any other information deemed to be of interest to the attacker. The collected data is then surreptitiously sent to the remote attacker via a variety of electronic means.” Technical details of the Trojan do not appear to be readily available in open sources; I am in the process of backtracking and reaching out to the impacted customer to get additional information on the Trojan and the incident. Any new details will be shared in a follow-up post.

Also, if anyone has details on the above-mentioned netblock or Swarft Trojan, feel free to post a comment.

Monday, August 30, 2010

How many malicious "Hot Video" pages does Google show?

Last week I wrote about 3 million fake YouTube pages leading to fake antivirus pages. The day after the blog was published, they seemed to be gone from the Google index, as search results were showing only 2 to 4 of the malicious pages. But now...they are back again.

After my last post, some questioned whether or not there were actually 3 million fake YouTube pages in the Google index. In fact, Google contacted me to suggest that there were only 77 results. I disagree. Why isn't the total number of results straightforward? Although Google's search results may state that approximately 3 million results exist, the search engine won't actually deliver that number of raw results. Given that fact, how can we know the total number of pages currently indexed by Google for a particular query? Only Google knows the exact number, but by issuing various different types of queries, we can make a reasonable estimate.

Attempt to get all pages

Since all the pages contain "page.php?page=" in the URL, and "Hot Video" in the title, we can try a single query to find all of them with: inurl:"page.php?page=" "hot video"

The Google search results currently show "About 2,990,000 results" (the number varied between 2.8 million and .4 million), but there are only 8 pages of results (90 links) shared, or 12 pages (121 links) if we click on "repeat the search with the omitted results included".

3 million fake YouTube pages?

It may look like Google has indexed "only" 121 fake "Hot Video" pages (despite suggesting ~3 million results), but other queries paint a different picture.

Domain query

Let's take the first domain hosting malicious pages from the first query: addisonhouse.com.

To find out the number of fake YouTube pages hosted by this domain, we can try the following query: site:addisonhouse.com "hot video"

Google states that there are "About 7,850 results" but actually shares 51 pages of results (512 links).

For the domain memoryshack.net, Google indicates "About 204 results" and provides a total of 204 links for this search. For the domain theochristi.com, I get 245 results, etc.

"Hot Video" pages hosted on addisonhouse.com
A first estimate

An initial estimate can be obtained by multiplying the number of domains seen in the first query by an average of 250 pages. This gives an estimate of the minimum number of pages in Google's index. The real number is very likely much higher.

The 90 results from the first query show 90 different domains. This means there are at least 90 * 250 = 22,500 pages.

Many more domains

Are there only 90 domains infected with "Hot Video" pages as the first query suggested? Unfortunately, there are many more. Fake pages are being created for each search term found in Google Hot Trends.

For example, I checked a search that was popular 6 days ago: erica blasberg "hot video"
On page 2, I found a fake YouTube page on a domain that is not listed in the first query: elijasalud.com.
On page 3 of the results, there is another domain not seen in the first query: sklep.aicom.com.pl.

New domain infected shown for a different search

Google has clearly indexed more than 90 infected domains, but it remains difficult to know the exact number.

How many could there be?

Attackers create one "Hot Video" page for each popular search shown in Google Hot Trends. There are 20 hot searches each day, but one search can be popular for several days. I've checked a few infected domains and found pages created for searches popular on June 1st. So there are pages for at least 90 days of popular trends on each domain.

That gives us 90 * 20 = 1,800 pages. Assuming that a few search terms are popular over several days, we can use an estimate of 1,500 pages per domain. If Google indexed (only) 100 of these domains, that would be 150,000 fake Video pages.

Only Google knows the exact number of infected domains indexed, and the total number of malicious pages. We estimate that they have, at the very least, 22,500 such malicious pages in their index. The number of 3 million "Hot Video" pages is not, however, inconceivable. It means Google would have indexed:
  • 2,000 infected domains with 90 days worth of Google Hot Trends
  • or 1,250 infected domains with 120 days worth of Google Hot Trends
"Hot Video" in action

Here is a video of a user browsing a "Hot Video" page, and being redirected to a fake AV page. Then I uploaded the malicious executable to VirusTotal - sadly, only 20% of the antivirus vendors detect the malware.

-- Julien

Help Contribute to the Cloud Security Alliance 'Top Threats' v2.0

In March of this year, at RSA 2010, the Cloud Security Alliance officially unveiled the Top Threats to Cloud Computing. This was a collaborative effort that drew upon the expertise of some of the finest minds in the security industry to compile a list of threats facing both enterprises deploying cloud based solutions and the vendors providing the infrastructure. The original list took several months to compile with input from cloud vendors, consumers and researchers. In the end, the Top Threats to Cloud Computing v1.0 guidance was released, but it was always meant to be a starting point, not the end of the journey.

We're now working toward updating the Top Threats and plan to release the v2.0 list at the RSA Europe 2010 conference in October, but we need your help. You may have read v1.0 and thought "why did/didn't they include this particular threat"; well, now it's your chance to ensure that your voice is heard. Whereas v1.0 was compiled by a closed group in the interest of 'putting a stake in the ground', we want v2.0 and future revisions to be a truly open, collaborative effort with submissions from all those concerned.

Here's our plan:
  1. Starting now, you have the ability to propose the inclusion of new threats to the Top Threats list by submitting them online.
  2. We'll compile and summarize all submissions and present them to a judging panel.
  3. The panel will ultimately select the final v2.0 list, which will be released at RSA Europe 2010.
A summary of the v1.0 Top Threats to Cloud Computing is below, but please also see the detailed guidance, which is available here.
  1. Abuse and Nefarious Use of Cloud Computing
    • Service Models - IaaS & PaaS
    • Description - By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity.
  2. Insecure Interfaces and APIs
    • Service Models - IaaS, PaaS & SaaS
    • Description - The security and availability of general cloud services is dependent upon proprietary APIs that may not have been adequately scrutinized.
  3. Malicious Insiders
    • Service Models - IaaS, PaaS & SaaS
    • Description - The threat of a malicious insider is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.
  4. Shared Technology Issues
    • Service Models - IaaS
    • Description - Vulnerabilities within components of the underlying cloud architecture or the virtualization hypervisor could lead to inappropriate levels of control or influence on the underlying platform and/or unauthorized data stores.
  5. Data Loss or Leakage
    • Service Models - IaaS, PaaS & SaaS
    • Description - The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
  6. Account or Service Hijacking
    • Service Models - IaaS, PaaS & SaaS
    • Description - If an attacker gains access to the credentials of a cloud based platform, they can eavesdrop on activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites.
  7. Unknown Risk Profile
    • Service Models - IaaS, PaaS & SaaS
    • Description - When adopting a cloud service, details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging are often unknown, leaving customers with an unknown risk profile that may include serious threats.
See something you don't agree with? Then do something about it! Contribute to the v2.0 list.

- michael

Wednesday, August 25, 2010

A Haven For Swizzor

Based on a comment, I modified the title to be versus DNSMADEEASY. Let me explain:
  • DNSMADEEASY provides the resolution / name services for the domains in question
  • Hurricane Electric / C2 Media provides the hosting / IP space (
  • Tucows is the registrar for the registered domain names
When I was doing the analysis I was looking at free/cheap DNS services and their abuse, which was why I fixated on the name resolution services, DNSMADEEASY. However, there are multiple players supporting this Swizzor infrastructure and it should be explained as such.

Update 2:
Also, after I published the post, I checked and found that the hostname portion of the domain does not seem to matter / affect the ability to download the binary payload. For example,
lets you download the binary (where "garbage" can be anything). It is likely that the hostname is used for tracking purposes, to identify which sites / trojan packages are most successful. The fully-qualified domain names listed below are what was seen in the wild.

This may not be news for some of you, all it takes is a simple Google for something like host192-168-1-2.com malware. You’ll see a rich history of abuse from Trojan Swizzor ranging from 2009 to today:

host192-168-1-2.com is registered through Tucows and has resolution / name services provided through DNSMADEEASY. This robtex report shows the other related domains, each having a varying degree of abuse related to Swizzor:


Below is a brief list of recent domains used to host Trojan Swizzor payloads. Note the domains used / listed here include: host127-0-0-1.com, host192-168-1-2.com, host-domain-lookup.com, and host255-255-255-0.com:

All resolve to the Hurricane Electric IP:
Note, the above active/live list we provide is much more extensive than what is listed on MalwareURL, for example. The URL paths to the malware within the above domains include:

While they all have an "int" file extension, they are all PE32 executable files.

9kgen_up.int (Swizzor variant)
MD5: c79cd77012c848f93e0a8dfc28dee992
V/T (20/41)

upd_admn.int (Swizzor variant)
MD5: 43edfa7f55d4331ad2d3f5ca1bb4b999
V/T (22/42)

kr3.int (Swizzor variant)
MD5: ff7d4cbb6aa30bbf58d945e182700fb7
V/T (22/41)

tp_map16.int (Swizzor variant)
MD5: 599ebaed9e147ef8a0b6967dba2da040
V/T (24/42)

Swizzor is a Trojan that is typically installed via drive-by download or social engineering. It has the ability to interact with Internet Explorer through Browser Helper Objects (BHOs) to inject ads and to download/install other threats (for additional information see Microsoft's threat entry for Swizzor). In the particular variants that I downloaded, I saw C&C update activity to other related domains, e.g.,



I’m in the process of sending something along to Hurricane Electric / Tucows/ DNSMADEEASY now, but you may want to check the logs in your environment for systems connecting to the mentioned domains. Here's a continuation of the above list of recent Swizzor domains:

Tuesday, August 24, 2010

Nearly 3 million "Hot Video" pages pushing fake AV are undetected

Note: Google contacted me shortly after the blog was published and claimed there were only 77 such links. But when I tried a query for the first domain in the list, naghoospress.ir, I got more than 600 Google results for just this domain: site:naghoospress.ir hot video. Attackers create fake YouTube pages for each of the 20 Google Hot Trends each day on each domain. I've seen pages for trends of the last 60 days at least, so that's about 1,000-1,200 pages per domain. There seemed to be at least 100 domains indexed by Google, so a very low estimate is 100,000 Hot Video pages in Google search results. But each Google query shows different domains, so there could be more fake pages. Google displays a maximum of 1,000 results for any search; only they know the real numbers. But it was clearly at least 100,000 when the post was published.

We've seen many fake YouTube pages redirecting to fake antivirus software downloads in the past. However, we're now seeing this same phenomenon with a new twist: Google has indexed nearly 3 million "Hot Video" pages - all pushing fake AV. Yandex, a Russian search engine, also returns numerous links to these pages for random searches. Try the following Google search: inurl:"page.php?page=" "hot video" :

Google search for Hot Video

The fake Youtube video page is covered by an invisible Flash layer and the Flash object automatically redirects the user to a fake AV page. If the user has Flash disabled, the page becomes harmless. The URL of the Flash file, hosted on a different domain, is obfuscated with Javascript.

Fake Youtube page

The spam content, which is used to ensure that the page is indexed by search engines, includes an invisible DIV element pushed out of the screen. It contains links to other fake Youtube pages on the same site. To make the content look more legitimate, the page includes links to legitimate sites (e.g. flickr.com, nasa.gov, etc.) and images from external sites.

HTML code of the spam

Redirection to Fake AV

The fake YouTube page redirects to a fake AV page. Several domains are used to host the fake AV software, including www2.soft-analysis79.co.cc, www1.selfprotection20.co.cc, etc. There are different variations of the Fake AV page, but they are all similar to pages previously seen elsewhere.

Fake AV page

Virtually undetected

Besides the huge numbers of such malicious pages indexed, and the fact that they show up in many search results, the main problem here is that the pages and their malicious payloads are virtually undetected by regular security tools:
  • Google Safe Browsing does not block most of these pages (90% of those I've tried were not blocked in Firefox), and the fake AV domains were not detected either.
  • The detection rate amongst antivirus vendors is only 11%!
This type of threat is different from the usual Blackhat spam SEO: the same content is shown to the user and to the search engine, therefore the page can be accessed directly, without clicking on search engine results.

Because the "Hot Video" page uses both obfuscated Javascript and Flash, it is harder for security scanners to detect them. Zscaler has protection in place for our customers.

-- Julien

A week of Research

This post is a little bit different from what I usually write. Rather than explaining one topic, I'd like to provide insight into what we uncover during a typical week of research. Here are some of the malicious pages that I found this week during some research not related to spam SEO.


Facebook phishing pages are showing up regularly. I uncovered an Italian phishing page at hxxp://facebookentry.altervista.org/. The page looked exactly like the Facebook login page, but all the links produce a blank page. It looks like the author focused on getting the main page right, but did not bother to create fake links. Anyway, I guess most people will fill out the form right away and will not check the links.

This page has been up for more than a week.

Italian Facebook Phishing page

Another Facebook phishing page that I uncovered was hosted at hxxp://www.facebookconfirmation.com/ - a great domain name! I have not seen this login or "confirmation" page anywhere on Facebook, but I'm sure it fooled many people. The domain is registered in Russia.

Fake Facebook confirmation page

Fake antivirus vendor

hxxp://generalavs.com/ looks like an online store for antivirus. You are invited to try their software for free, and you must even accept their "Terms and Conditions". The executable GeneralAntivirus4.exe which a user is prompted to download, is actually a virus. Fortunately, it is detected by 90% of the AV vendors.

Fake AV online store

hxxp://bulletproofsoft.com/ is a similar malware site, but it has more than 10 executables for download. The detection rate among AV vendors is much lower at about 40%.

Malicious sites for download
These are examples of all the malicious sites that are out there. Once again, using Google Safe Browsing (with Firefox, Opera, Safari) or SmartScreen filters (Internet Explorer) does not help. None of these sites were flagged. They have been up for several days, probably weeks, and may not be taken down any time soon.

Antivirus can help to protect against some malware, but it is not a silver bullet.

-- Julien

Thursday, August 19, 2010

Union Public Service Commission website of India Compromised

My previous blog discussed the injection of malicious JavaScript into the HTML/JS pages of a Red Cross website. This time the victim of a similar attack is an Indian government website, namely http://upsc.gov.in/.

Screen-shot of the UPSC homepage:

Screen-shot of the source code:

A quick Google search for this malicious JavaScript code shows that many sites are infected with the same code. Clearly, there is an automated attack targeting the same application logic flaws across various different websites. Currently, the link to the malicious website is down, though it seems from related attacks that the perpetrators are continually changing the domains and the malicious script associated with the attacks. I tried to send a notification to an email address found while looking up the domain name, but the messages were rejected.

For those not aware, VirusTotal has now launched new functionality that permits you to submit URLs, which are then checked against popular blocklists. The result for this site shows that none of the lists have yet detected the infection. Additionally, if you submit the malicious HTML file, only 8/41 AV engines identify it as malicious.


Wednesday, August 18, 2010

More Chinese phishing sites

In a previous post, I talked about the QQ phishing sites targeting Chinese users. There is another popular type of Chinese phishing: Yahoo! Auctions lotteries. Yahoo! Auctions is more popular than eBay in China.

These phishing sites claim that Yahoo users have won a gift, and that they need to login with their Yahoo! Auctions credentials to claim their reward. Like the QQ Reward phishing pages, these fake sites look all the same.

Fake yahoo Auction lottery page

These sites were not flagged by Google SafeBrowsing or PhishTank. One of them, hxxp://ccyahoo.in/, is now down. But others are still live: hxxp://yahoo.uu2010.in/index.asp, hxxp://ye.163.to/, etc.

Languages in Phishtank

"PhishTank is a collaborative clearing house for data and information about phishing on the Internet." (from their website). The site maintains a public list of phishing URLs. Since none of the Chinese phishing sites were included in PhishTank, I was wondering if the list was centered on English phishing sites only.

I used the Google Ajax Language API to verify the language of each Phishing page. 90% of the phishing pages still reachable are in English. Number 2 is French, with 6% of the list.

Languages in Clean-MX

Another public list of phishing sites is provided by clean-mx.de. It contains about 3,500 URLs versus the 250 of PhishTank.

The Clean-MX list contains 80% English phishing sites. There were only 6 Chinese pages out of 2,158. I am not aware of any public phishing list focused on Chinese language, but it would appear that one is warranted.

-- Julien

Monday, August 16, 2010

QQ phishing sites stay under the radar

In April, Mike reported an increase in QQ phishing sites. This does not come as a surprise: QQ is the equivalent of Google + eBay + PayPal in China. QQ started as an instant messaging service and has since evolved into a Chinese web giant, with e-mail, search, online auctions, online payments, etc.

QQ Security Center

The main target here is the QQ Security Center aq.qq.com, which is used, among other things, to retrieve lost passwords, confirm account ownership, etc. The phishing sites are exact copies of the original site.

Most of the sites spotted are still live, and not blocked by Google Safe Browsing or Phishtank:
  • hxxp://www.qqaq.info/
  • hxxp://aq.qq.com.inddexx.com/
  • hxxp://aqq.txfree.net/aq/
  • hxxp://aq.qq.com.cgi-get.tencant.com.cn/
  • hxxp://aq.qq.sevrivae.cn-indvx.com/index.asp
  • hxxp://qq2010hd.h7.8210.cn/qq/88.htm

Phishing site hxxp://www.qaq.info/

QQ Rewards

The other popular QQ phishing target is the Reward Center, where QQ rewards users for using its services. Fake QQ Reward Centers attempt to steal user credentials. As with the QQ Security Center scam, all phishing pages are nearly identical and are not detected by PhishTank or Google SafeBrowsing.

QQ Reward phishing page
Some of the phishing pages are:
  • hxxp://ctqq.in/qq/
  • hxxp://asdsdf.ns3.lianfa.info/qq2010/
  • hxxp://1111aaaa.01kro.idcqq.net/3/
  • hxxp://qqtx08.tk/
  • hxxp://nghfyu585.us3.hg288m.com/qq1/
  • etc.

hxxp://qqtx08.tk/ QQ phishing site
I've seen only one QQ phishing site flagged by Google Safe Browsing while reviewing more than 20 QQ phishing sites, and the domain was already down: hxxp://qqli.go.3322.org/

-- Julien

Thursday, August 12, 2010

Red Cross Hacked Again!!!

It seems as though attackers are fond of Red Cross sites as this isn’t the first time that we’ve blogged about a compromised Red Cross site. The victim this time was the Red Cross of Serbia. Previously, they hacked the site by simply injecting a malicious iframe. Injecting malicious content into static pages on the server side seems to be an emerging trend. Let’s analyze how it was done this time.

Screen-shot of the homepage:

Screen-shot of the http://www.redcross.org.rs/ source code:

Some of the infected JavaScript files are:

A simple Google search on the domain “obscurewax.ru” suggests that this domain has been used in other attacks, as victims can be seen discussing similar injected code on various forums and similar files have been submitted to online malware analyzers. We have also observed that many sites are still infected by the same malicious script, for example http://www.myasianroots.com/, where the same malicious script is inserted at the bottom of the webpage.

Although the injected JavaScript file “hxxp://obscurewax.ru/Kbps.js” is no longer accessible, this same file has appeared on other domains. Even though the malicious code is no longer being delivered, it is possible that the vulnerability that led to the attack has not yet been patched and further infection could occur, or the existing malicious content could become active once again. Notifications are being sent to Redcross.


Malicious scripts hidden inside JavaScript files – a new trick used by attackers

We have written many blogs on malicious iframes or script injection in dynamic webpages. The malicious iframes/script tags were typically injected at the bottom of webpages or after HTML tags such as , etc. They are often very easy to find once you know that a site is infected: you can see the injected malicious code just by opening the source of the page and inspecting the typical injection locations. Recently, however, we are seeing another trick used by attackers, whereby malicious iframes/script tags are injected into static JavaScript files rather than into the page itself. These are static files in the sense that they are JavaScript libraries used for various purposes. Attackers use this trick so that the injected iframe is difficult to identify simply by inspecting the source of the page alone. It also allows multiple pages to be infected while injecting content into only a single location. Let’s walk through a live example of an infected website. Here is a screenshot of the website:

Interestingly, at present, Firefox does not provide any warning about the threat while Google Chrome does, despite the fact that both leverage Google SafeBrowsing block lists. Here is the block message from Chrome,

Chrome blocks this website with message saying “this site contains elements from the site ‘malepad.ru’ which appears to host malware”. I initially searched for malicious iframe/script tags inside the page source but could not identify it. The source of page looked clean at first glance. I then saw some JavaScript files being used inside the webpage however, they too appeared legitimate. Here is the source of the main page,

I then inspected the source code of the JavaScript files and found that they had clearly been altered. Let’s look at “blockcurrencies.js” as an example:

The malicious script code is injected at the bottom of the JavaScript file. If you look at the Chrome block image above, you will find that this is the site named in the Chrome message. Every JavaScript file included by the main web page was injected with malicious script tags like the one shown above. Interestingly, we have also found the following malicious code present in JavaScript files on other sites:

It is interesting to study the various tricks and techniques attackers use to hide their malicious code. We have seen an increase in attacks where malicious content is injected into static JavaScript files.

This is a good lesson: do not simply inspect the source code of the main page when looking for malicious content.

Have you checked your web files?
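One way to answer that question for a web root, as an added example that is not code from the original post: scan every JavaScript file for HTML `<script>`/`<iframe>` tags (which have no business inside a library file) and, more reliably, compare each file's SHA-256 against a baseline manifest taken when the site was known clean. The sample JavaScript and the `malicious.example.invalid` host below are constructed placeholders, not indicators from the post.

```python
import hashlib
import json
import re
import sys
from pathlib import Path

# Raw HTML tags inside a .js library are a strong sign of appended injection.
# The injections described above were <script> tags tacked on to the end of
# otherwise legitimate JavaScript files.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b[^>]*>", re.IGNORECASE),
    re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE),
]


def find_injections(js_source):
    """Return [(line_number, matched_text)] for lines carrying HTML tags."""
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for pat in INJECTION_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
                break  # one report per line is enough
    return hits


def scan_sources(sources):
    """sources: {filename: contents}. Returns only files with suspicious lines."""
    return {name: hits for name, src in sources.items() if (hits := find_injections(src))}


def manifest_from_sources(sources):
    """Build {filename: sha256} so changes can be detected byte-for-byte."""
    return {name: hashlib.sha256(src.encode("utf-8")).hexdigest()
            for name, src in sources.items()}


def compare_manifests(baseline, current):
    """Return (changed, added, missing) file lists relative to the baseline."""
    changed = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return changed, added, missing


def load_tree(root):
    """Read every .js file under root into {relative path: contents}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*.js")}


# Constructed sample: a clean helper, and the same file with a tag appended at
# the bottom, the pattern described in the post (placeholder host, not an IoC).
CLEAN_JS = "function add(a, b) {\n  return a + b;\n}\n"
INJECTED_TAG = "<script src='http://malicious.example.invalid/k.js'></script>"
INFECTED_JS = CLEAN_JS + '\ndocument.write("' + INJECTED_TAG + '");\n'


if __name__ == "__main__":
    # usage: python js_check.py <webroot> [baseline.json]
    # Without a baseline, writes one for later comparison and prints tag hits.
    tree = load_tree(sys.argv[1])
    for name, hits in scan_sources(tree).items():
        for lineno, text in hits:
            print(f"SUSPICIOUS {name}:{lineno}: {text}")
    current = manifest_from_sources(tree)
    if len(sys.argv) > 2:
        baseline = json.loads(Path(sys.argv[2]).read_text())
        changed, added, missing = compare_manifests(baseline, current)
        print("changed:", changed, "added:", added, "missing:", missing)
    else:
        Path("baseline.json").write_text(json.dumps(current, indent=2))
        print("wrote baseline.json")
```

The tag scan is a triage aid, not proof: some legitimate libraries build tags in strings, so every hit should be read in context. The manifest comparison is the authoritative check, since an appended tag changes the file hash no matter how it is obfuscated; the baseline must be taken from a copy you trust (a release archive or version control), not from the live server after the fact.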


Wednesday, August 11, 2010

Spam SEO and adware

It seems that blackhat spam SEO is getting more and more effective, allowing attackers to spread malware and adware. Spammers can now easily infect thousands of websites in order to rank high in popular searches and trick users into surfing to their malicious pages.

Attackers are never short of ideas for disguising their malware or adware as legitimate software. While following some of the spam links I recently discovered, I stumbled upon a free video site which attempts to get users to install both the Zango and LoudMo adware.

First, an ad for VLC, a popular open-source video player, pops up. However, the executable downloaded is actually Zango adware. Only 8 antivirus vendors out of 42 detect this particular piece of adware. This malicious file is only 20KB, compared to the clean, official 18.6MB executable for VLC.

This VLC executable comes with spyware
Then, at another site, in order to watch a movie, the user is prompted to download the Bing toolbar. This download, however, actually contains the LoudMo spyware (caught by only 10 antivirus vendors) that I had mentioned in a previous post.

Second attempt to install adware
As always, users should be careful not to download any software from outside official websites, and should not rely on their antivirus to sort the bad from the good.

These adware attacks are a major source of revenue for websites that distribute copyrighted material such as pirated movies, as they cannot participate in legitimate advertising networks. I've found several websites offering free movie downloads which linked to these 2 sites.

-- Julien

Tuesday, August 10, 2010

Wikileaks: A Case Study in Internet Rubber-Necking (Gawking)


Wikileaks.org has been the subject of some major news stories in mid-2010. The site is geared toward sharing information that was previously unknown to the public, usually obtained through insider contacts (leaks, whistle-blowers, disgruntled employees, etc.). I won’t rehash the history of Wikileaks and all of its related stories; I’ll leave that for readers to research if they haven’t already done so. These are the prominent Wikileaks stories from mid-2010:
  • April 5, 2010 – release of “Collateral Murder” video (reference)
  • June 7, 2010 – arrest of Army Spc. Bradley Manning
  • July 25, 2010 – release of “Afghan War Diary” (reference)
A more detailed timeline of these and other Wikileaks events can be found on Cryptome and Wikipedia.

Internet Traffic: The Wikileaks “Pandemic”

For those unfamiliar with Zscaler, Inc. – we are a security software-as-a-service (SaaS) vendor. I won’t detail our capabilities here (if interested, visit our website), but I will say that we have a large and geographically diverse population of enterprise users browsing the web through our solution: several million users across a large number of countries. This puts Zscaler in a unique position to compute statistics and trends for a variety of events on the web (e.g., malware threats). In the case of this story, the event is “Internet Rubber-Necking” or “Gawking.” In other words, the population hears about the Wikileaks story on the news, from their friends, etc., and has to go check it out for themselves.

To conduct some basic statistics for this event, I first focused in on the April and June events and pulled logs for traffic to wikileaks.org from April-June and extracted the number of unique client IP addresses seen visiting the site per day. This provided a basic measure of popularity throughout Q2 2010.

(April - June 2010 Wikileaks traffic)

The results show spikes in visiting IPs on:
  • April 5 – 8
  • June 7 – 9, 11
  • June 22
The largest spike was April 6th, when 25% of the total unique IPs seen visiting the site for the whole quarter were seen visiting the site on that single day. The April spike corresponds to the “Collateral Murder” video release. Comparing the spike to the days leading up to the event shows that the initial spike was roughly a 2000% increase in daily visits. The spike follows a similar pandemic pattern (see below): (1) spike at the onset of the event, (2) secondary spike from those coming in contact with (learning of) the event, (3) drop-off from saturation of the population, and (4) return to slightly elevated normal levels.

(1918 Flu Pandemic - reference)

The spikes in early June are directly related to Manning’s arrest on June 7th and the corresponding press briefing from the Dept. of State on June 11 on the incident. The spike on June 22, 2010 corresponds to Wikileaks’ announcement of its plans to release documents related to a U.S. airstrike that killed Afghan civilians in 2009 (reference). Eventually it released a corpus of documents on July 25, 2010 entitled “Afghan War Diary.”

These documents resulted in a much larger traffic increase. The chart below takes the average of the daily client visits to Wikileaks from March – July 2010 and plots the percentage increase or decrease relative to that average over time:

(March - July 2010 Wikileaks traffic)

Needless to say, there was a huge spike throughout 7/25 – 7/31 corresponding with the Afghan documents release. To be more specific, 7/25, the release of the documents, saw a 242% increase above average and 7/26 over a 2300% increase above average. In comparison, the April 6th spike for the ‘Collateral Murder’ video was around a 407% increase above average.

The chart below shows Zscaler’s daily average of unique IPs visiting Wikileaks for each month. Both April and June had over twice that of March and May, but July had four times that of April and June.

(2010 Wikileaks traffic)
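The three measurements used above (unique client IPs per day, each day's percentage above the period average, and the spike relative to the days leading up to an event) are simple to reproduce from proxy logs. The following is an added example and not Zscaler's own tooling; it runs over a constructed log whose format (`<date> <client_ip> <host>`) and spike day are made up for illustration, with duplicate hits and traffic to other hosts mixed in to show that only distinct clients for the host of interest are counted.

```python
from collections import defaultdict
from statistics import mean


def make_sample_log():
    """Constructed proxy log: a quiet baseline and one spike day (not real data)."""
    plan = {"2010-04-03": 2, "2010-04-04": 2, "2010-04-05": 6,
            "2010-04-06": 20, "2010-04-07": 5, "2010-04-08": 2}
    lines = []
    for k, (day, n) in enumerate(plan.items()):
        for i in range(1, n + 1):
            lines.append(f"{day} 10.0.{k}.{i} wikileaks.org")
    # Noise that must not change the counts: a repeat visit by one client and
    # traffic to an unrelated host on the spike day.
    lines.append("2010-04-06 10.0.3.1 wikileaks.org")
    lines.append("2010-04-06 10.0.9.9 example.com")
    return lines


SAMPLE_LOG_LINES = make_sample_log()


def unique_ips_per_day(log_lines, host):
    """Count distinct client IPs per day for one host, sorted by date."""
    per_day = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        day, ip, h = parts
        if h == host:
            per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def percent_vs_average(counts):
    """Each day's percentage increase (negative = decrease) over the period average."""
    avg = mean(counts.values())
    return {day: round((n - avg) / avg * 100, 1) for day, n in counts.items()}


def find_spikes(counts, threshold_pct=100.0):
    """Days whose count is at least threshold_pct above the period average."""
    return [day for day, pct in percent_vs_average(counts).items() if pct >= threshold_pct]


def increase_over_prior(counts, day, window=2):
    """Percentage increase of `day` over the mean of the `window` days before it."""
    days = list(counts)
    idx = days.index(day)
    prior = [counts[d] for d in days[max(0, idx - window):idx]]
    if not prior:
        raise ValueError("no prior days to compare against")
    base = mean(prior)
    return round((counts[day] - base) / base * 100, 1)


def share_of_period(log_lines, host, day):
    """Percentage of the period's distinct clients that were seen on `day`."""
    period, on_day = set(), set()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[2] == host:
            period.add(parts[1])
            if parts[0] == day:
                on_day.add(parts[1])
    return round(len(on_day) / len(period) * 100, 1)


if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG_LINES, "wikileaks.org")
    for day, pct in percent_vs_average(counts).items():
        print(f"{day} unique_ips={counts[day]:3d} vs_avg={pct:+.1f}%")
    print("spike days:", find_spikes(counts))
    print("2010-04-06 over prior two days:",
          increase_over_prior(counts, "2010-04-06"), "%")
    print("share of period clients on 2010-04-06:",
          share_of_period(SAMPLE_LOG_LINES, "wikileaks.org", "2010-04-06"), "%")
```

Note the difference between the two denominators: the "vs average" figure includes the spike day itself in the average, which dampens it, while the "over prior days" figure compares against only the quiet days before the event and so produces the much larger percentages quoted in the post. Which baseline you pick should be stated alongside the number.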

The following chart shows the geographic distribution of the unique client IPs / organizations visiting Wikileaks. 51.5% of the client IPs seen visiting Wikileaks were from the United States, while Australia, Germany, France, and India together made up slightly over 25%.
(Country Breakdown of Wikileaks Visitors)

Purpose / Future Work

Aside from this just being interesting statistics about a noteworthy Internet event, it provides us with some stats/trends to identify a micro pandemic or viral, user-driven event on the Internet. Studying this and other noteworthy events on the Internet helps us to define models (algorithms) for early detection and prediction of similar future events. Early detection and prediction of these events could be leveraged for a variety of purposes, such as identification and prioritization of news, stories, and Internet resources (e.g., caching and routing). Google Trends provides a window into such spikes in its search topics. This information can be valuable in advertising and marketing (SEO). It may also be possible to identify and distinguish between an event like the Wikileaks event and a malware attack.

There are several differences between a malware attack and the Wikileaks event on the Internet – most notably the voluntary, user-driven nature of the traffic to Wikileaks. In comparison, malicious events like the mass SQL injection / robint.us malware from this past June are not voluntary. The involuntary nature means a larger and wider user base is impacted, and depending on the infection vector it can spread more quickly than a voluntary event.