Wednesday, December 28, 2011

Web threats: trends and statistics

One of the questions I am often asked is "What is the most prevalent threat on the Internet for enterprises?". In terms of the total number of transactions, botnets are the biggest security risk. Once a host gets infected, the botnet usually spreads quickly within an enterprise. It also generates a significant amount of traffic to the command and control server, to download additional malware or perform other actions. For the last 30 days, botnets account for almost 80% of the security blocks at Zscaler.

Security blocks for the last 30 days


When it comes to individual variants of malware, botnets, or other threats, there is no single piece of malware that dominates. Some threats appear one day, and disappear just as quickly. Others are seen daily for months, with random peaks. For example, Blackhole exploits and Zeus have been active for months.
One of the Blackhole exploits
Zeus traffic
Mass infections of legitimate sites can still be seen months after the infection initially occurred and the vulnerable application has been patched. For example, our customers are still hitting websites infected with LizaMoon, which was first reported in May 2011 and reached its peak in September.
Legitimate sites infected by mass LizaMoon SQL Injection attacks
The security landscape is very wide. Although botnets, as a category, represent the majority of overall malicious web traffic, there are a huge number of different threats seen daily by enterprise users. This means that security solutions must be able to detect and block a wide variety of traffic by looking at all components: URLs, HTTP headers and content on both the client and server side.

Wednesday, December 21, 2011

Facebook used to make scams look legitimate

One of the recurring web spam themes I saw in 2011 was the "Work from home and make $X,000/month" scam. In some variations of this well-known and well-used scam, websites are set up to look like a well-established newspaper with a front-page (fake) article about making a lot of money from home.

Here are a few examples I saw earlier this year (now offline):


Fake NBC website at hxxp://news11bizopp.com/landing.php

Fake news site at http://www.nbcnews43.com/?news/articleid=8351

The new scam I found this week included an interesting new trick and is still online.

Fake news site at hxxp://newsday7.com/
The site is set up like the previous scams - it claims to be an online, established newspaper, which displays an article about someone who is making a lot of money, working from home.

At the top of the picture, which shows a woman and a girl, on the right, you can see a Facebook Like button that says "214,217 people recommend this. Be the first of your friends." Apparently, 214,217 people went to this page and clicked on "Like", making the page look more legitimate.


At first, I thought this was a fake Facebook widget. But this is the real deal, as seen in the page's HTML code:


Real Facebook widget
There is, however, a trick. The "Like" widget does not point to hxxp://newsday7.com/, but rather to http://www.facebook.com/CBS. As you can see in the images taken from the two websites, the number of Likes is the same:

214,217 Likes on hxxp://newsday7.com/
214,217 Likes on http://www.facebook.com/CBS

Facebook allows you to embed any Like widget on any website, even if the domains or URLs do not correspond. Scammers are using this trick to appear more legitimate, by tricking visitors into thinking their website has been visited and liked by many people.
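A check for the mismatch described above, written as an added example for this post (it is neither Zscaler's code nor the Likejacking Prevention extension): it scans a page's HTML for Facebook Like iframes and reports any whose href parameter names a different site than the page embedding it. The hostname scam.example and the sample HTML are constructed for the example.

```javascript
const LIKE_PLUGIN_HOSTS = new Set(['www.facebook.com', 'facebook.com']);

// Compare hosts with a leading "www." removed, so www.example.com == example.com.
function baseHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, '');
}

// Return the URL a Like widget counts likes for (its href parameter), or null
// when src is not a Facebook Like plugin URL. Only the iframe form
// (/plugins/like.php?href=...) is handled here.
function likeTarget(src, pageUrl) {
  let u;
  try { u = new URL(src, pageUrl); } catch (e) { return null; }
  if (!LIKE_PLUGIN_HOSTS.has(u.hostname) || u.pathname !== '/plugins/like.php') return null;
  const href = u.searchParams.get('href');
  if (!href) return null;
  try { return new URL(href); } catch (e) { return null; }
}

// Scan raw HTML for iframe src attributes and return every Like widget whose
// target host differs from the host of the page embedding it.
function findMismatchedLikeWidgets(html, pageUrl) {
  const pageHost = baseHost(new URL(pageUrl).hostname);
  const hits = [];
  const iframeSrc = /<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = iframeSrc.exec(html)) !== null) {
    const src = m[1].replace(/&amp;/g, '&'); // undo HTML attribute entity encoding
    const target = likeTarget(src, pageUrl);
    if (target === null) continue;
    const targetHost = baseHost(target.hostname);
    if (targetHost !== pageHost) {
      hits.push({ src, target: target.href, pageHost, targetHost });
    }
  }
  return hits;
}

// Constructed sample page modelled on the scam above: the page lives on a
// placeholder scam domain, but its first Like button counts likes for
// http://www.facebook.com/CBS. The second widget legitimately points at the page itself.
const SAMPLE_HTML = `
<html><body>
<h1>Work from home and make $X,000/month</h1>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2FCBS&amp;layout=button_count&amp;show_faces=true&amp;width=450&amp;action=like&amp;colorscheme=light"
        scrolling="no" frameborder="0" style="border:none; width:450px; height:80px"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fscam.example%2Farticle.html&amp;layout=button_count"></iframe>
</body></html>`;
const SAMPLE_PAGE_URL = 'http://scam.example/article.html';

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findMismatchedLikeWidgets(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
    console.log(`Like widget on ${hit.pageHost} counts likes for ${hit.targetHost}: ${hit.target}`);
  }
}
```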

My guess is that this technique is very effective, and will be used more and more by spammers and scammers.

Tuesday, December 20, 2011

2012 Security Predictions


It’s the most wonderful time of the year. A time when we set aside our quarrels and show compassion for complete strangers, realize that it’s better to give than to receive and in the security industry, let everyone know just how smart we are playing Nostradamus. Yes, it wouldn’t be December if I didn’t join in the chorus of prognosticators to let you know exactly what is in store for us all in the coming twelve months.

Mobile

With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned – iOS and Android have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian, ‘we control everything’ or Google’s happy-go-lucky ‘come on in, everyone’s invited’ approach?
Prediction: The ‘do no evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening for applications before deployment in the App Marketplace. Apple on the other hand will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one. iPad 3 and iPhone 5 sales will turn financial analysts into giddy schoolgirls.

Enterprise

Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those focused on enterprises with the goal of corporate espionage or to inflict financial damage. Many praised Google for coming forward in January 2010 to reveal that they and others had been the victim of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation, not the class of attack.
Prediction: The term ‘APT’ will go the way of ‘eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will be a reflection of increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate counsel to disclose details of an attack rather than to suppress the information and risk litigation for trying to cover up such activity.

Web

Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies that will be taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers, HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods, without taking the time to understand the security implications.
Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind them are insecure, but because HTML5 is not well understood from a security perspective.

Hardware

Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software, as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major security vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.
Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Black Hat, I spoke about the sad state of embedded web servers, and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.
Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts and party like it’s 1999.

Social

The majority of malicious activity surrounding social networks today primarily involves unwanted or nuisance traffic as opposed to attacks that lead to a fully compromised machine. We’re seeing an increase in likejacking and self-inflicted JavaScript injection attacks that have the same overall goal – drive web traffic or prompt software downloads that can earn the scammer a few cents per click.
Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We’re not, however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims, or investments in uncovering web application vulnerabilities used to compromise end user machines as opposed to spreading the aforementioned scams.
Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.
Merry New Year!
- michael

Thursday, December 15, 2011

Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby

Last week, I mentioned that the Google Safe Browsing API has migrated to version 2. The new protocol is much more complex than version 1 and there are only a few libraries available for version 2 (see the full list in the previous post). Some popular languages, like Ruby, don't have any implementation at all.

To make the API accessible to more developers, Google has also introduced the Lookup API. This API is fairly simple. It lets users send a list of URLs (up to 500 per request) to Google and receive the classification for each of them. You still need a free API key to use the service and you are limited to 10,000 lookups per day.

I have released libraries for the Google Safe Browsing v2 Lookup API in Perl, Python and Ruby:

Perl
CPAN: http://search.cpan.org/perldoc?Net::Google::SafeBrowsing2::Lookup
Source: https://github.com/juliensobrier/Net-Google-SafeBrowsing2

Python
PyPi: http://pypi.python.org/pypi/Google Safe Browsing v2 Lookup/
Source: https://github.com/juliensobrier/google-safe-browsing-lookup-python

Ruby
RubyGems: https://rubygems.org/gems/google-safe-browsing-lookup
Source: https://github.com/juliensobrier/google-safe-browsing-lookup-ruby

All the libraries contain proper documentation and unit tests. You can use the corresponding github repository to file bugs or discuss the libraries.

Tuesday, December 13, 2011

Java Drive by download attack

Recently I blogged about how attackers are forcing users to download fake codecs to spread malicious content. I’ve also encountered another drive-by download attack vector, which uses Java applets to execute downloaded malicious content on the victim’s machine. Download and execution of malicious content happens without user interaction. Let’s take a look at a screenshot of the malicious URL “hxxp://www.nicholaspettas.com/”:

As you can see, when a user visits the website the browser requests user permission to execute the Java applet code. Here is the HTML source of the page:

When the user allows the applet code to run by clicking on the “run” button, the browser downloads the “Client.jar” file from “hxxp://www.nicholaspettas.com/Client.jar”. Let’s take a look at the Wireshark captures, which show the network activity performed during this process:

The downloaded JAR file contains “Client.class”, which is executed by the JRE. An argument passed to “Client.class” gives the location of the malicious .exe residing at “hxxp://dl.dropbox.com/u/31332834/server_crypt.exe”. It’s interesting to see that the malicious exe file is hosted on www.dropbox.com. The file “server_crypt.exe” is then downloaded by the above applet code and executed on the victim’s machine.

Decompiling “Client.class” reveals the Java code, which you can read to better understand how it downloads the file and executes it. Let’s have a look at the piece of decompiled Java code which executes the downloaded file.

Virustotal Reports:
Client.jar - 27 AV vendors on VirusTotal report it as “Trojan Downloader”.
server_crypt.exe - 16 AV vendors report it as “Trojan”.

ThreatExpert Report:
server_crypt.exe – Indicated highest severity level for this threat.

Beware of drive by download attacks.

Pradeep

Friday, December 9, 2011

Switch to Google Safe Browsing v2

Google maintains a list of malicious URLs and phishing sites distributed through their Google Safe Browsing API. On December 12, version 1 was deprecated in favor of version 2. The API for version 2 works quite differently from version 1.

Importance of Google Safe Browsing

Google Safe Browsing is part of most popular web browsers including Firefox, Chrome, Safari and Opera. Internet Explorer uses its own list, Microsoft SmartScreen. This makes the Google Safe Browsing lists the most used security filter among all web users.

The Google Safe Browsing lists are also very extensive. There are currently about 460,000 entries in the lists and they are updated every 30 minutes. You can refer to "Google Safe Browsing v2: Implementation Notes" for more detailed numbers.

Coverage

I was curious to see the overlap between Google Safe Browsing v2 and a few other security blacklists.
Of the Alexa top 1,000,000 sites, 250 are blocked by Google Safe Browsing v2.

Google Safe Browsing v2 libraries

The Google Safe Browsing v2 API is fairly complex, at least more so than version 1. There are a number of libraries available, but not all implement the complete API. Here is a list of the libraries available for Google Safe Browsing v2 (language, name, missing features, comment):

Python: google-safe-browsing. Missing features: none. Comment: reference implementation from Google.
Perl: Net::Google::SafeBrowsing2. Missing features: none. Comment: several back-ends available for storage (MySQL, SQLite, DBI, etc.).
PHP: phpgsb. Missing features: MAC. Comment: helpful statistics for testing.
PHP: gsb4u. Missing features: MAC. Comment: storage in MySQL or SQLite.
C#: google-safebrowse-v2-client-csharp. Missing features: MAC, back-off mechanism (?), saving full hashes and discarding them after 45 minutes.
(Language and library name not recoverable from the page.) Missing features: MAC. Comment: storage in a data file.
C#: Google-Safe-Browsing-API-2.0-C-p. Missing features: MAC. Comment: storage in SQL Server.
Java: jGoogleSafeBrowsing. Missing features: unknown. Comment: not finished?
Google Safe Browsing v2 libraries

Lookup API

If you need to check fewer than 10,000 URLs a day, you can use the much simpler Lookup API. This API allows you to send URLs directly to Google and receive the classification.

I've made a Perl library for the Lookup API, Net::Google::SafeBrowsing2::Lookup, and I'm working on Ruby and Python implementations.

Tuesday, December 6, 2011

Fake video codecs still going strong

Convincing users to download malicious software using fake AV pages is not a new attack vector, but it has been a very successful one. Julien has previously blogged about how fake codecs are starting to replace fake AV pages. I recently encountered an interesting example employing both fake AV and fake codecs in a single attack. When a victim visits a page, they are presented with a warning message stating “You don’t have the correct Codec installed. Download should start automatically, if not, please click here to download”. Here is the screenshot of the page:

The page is loaded from “hxxp://onlinetubes24.com/go.html”. Let’s take a look at the HTML source of the page to identify the malicious code.


As you can see, it downloads an exe from “hxxp://privatetube.onlinetubes24.com/codec.exe”. If the victim runs “codec.exe”, it starts a fake antivirus scan and delivers a report such as the following:


The above screenshot is typical of a fake AV attack and displays several fictitious threats being detected on the victim’s computer. Every time you run this exe file, different threats are allegedly detected. Once installed, the victim is asked to activate or buy the full version of this fake AV. This exe file downloads its content from a remote web server hosted at “94.23.39.156”. The ThreatExpert report for this IP address details the network activity performed by this malware.

The VirusTotal results for the fake security software in this example show that it is detected by only 20/42 popular AV vendors. You can find some tips to stay away from such attacks in a separate blog post.

Make sure you are downloading real codecs, not fake ones!

Pradeep

Tuesday, November 29, 2011

Cyber Monday Transactions - Indication of Economy?

Last year I did a post on the transactions that we saw related to online shopping on Cyber Monday - as I indicated in the past, yes there is a spike. And looking at the transactions this year, again we notice a spike:
You can see the cyclic nature of the work week given that we handle enterprise traffic. The Y-axis values are the monthly percentage of online shopping/auction transactions. So Cyber Monday made up 7.51% of the November 2011 shopping transactions and Black Friday made up 3.82%. The average for the month was 3.57%; excluding weekends, the average for the month was 4.53%. These stats look at web transactions from a "micro" level - looking at a longer-term trend across Black Friday and Cyber Monday online shopping transactions:

We notice a downward trend in online shopping transactions from 2009-2011 Black Fridays and that online shopping transactions have remained fairly static from 2009-2011. In this case the Y-axis is the percentage of online shopping transactions for the day - for example, 4.63% of this Cyber Monday's transactions were online shopping. The precise numbers for the other Cyber Mondays were 4.68% in 2009 and 4.61% in 2010. So there was a 0.05% decrease from 2009 to 2010 and a 0.02% increase in 2011. Given the general increase in online shopping vendors, general awareness of "Cyber Monday", and people being more comfortable making online purchases I would expect Cyber Monday online shopping to noticeably trend upward. Black Friday online shopping trended downward year over year, and we see the Cyber Monday downturn in 2010 and the slightest increase / stagnation in 2011 -- these online shopping stats may provide an indication as to the health of the economy.

Tuesday, November 22, 2011

More software-related searches lead to malware

Spammers have done a very good job at hijacking web searches related to buying software online. More than 90% of search results for "buy Microsoft Windows" and similar searches lead to fake stores on major search engines. Not much has been done by the search engines to clean up these search results.

Since the beginning of 2011, the number of search results for popular queries leading to fake AV pages and malware has dramatically decreased, especially on Google.

I've wondered when attackers would switch from poisoning popular search phrases to more targeted searches. In the past few weeks, I've seen more and more spam redirected to malware, where similar searches would previously have led to a fake online store.

For example, the website www.saloncti.com contains multiple spam pages around "buy microsoft office" (be careful if you decide to follow the search results). These spam pages are very similar to the spam pages leading to fake stores.

Spam page on http://www.saloncti.com/?p=1523
Instead of a fake store, the visitor is redirected to at least three types of malware.

Fake AV

One of the malicious redirections is to 31.44.184.89. It hosts a Fake AV page. Although the page looks visually the same as the Fake AV pages I've seen so far, the source code is very different.

Here is a video of the Fake AV page. I quickly got blacklisted (see details below in the post), so I had to reconstruct the page on my local machine. On the real website, I would have been prompted to download an executable, which was malware disguised as an antivirus solution.



Naked Emma Watson video

I've described this malicious page in a previous blog post. Basically, the page looks like YouTube, with a purported video of Emma Watson naked. The "Play" button warns users that they don't have the latest version of Flash and tricks users into installing malware.

Fake Flash installation



Top 10 Famous Celebrity Scandals

This is a variation of the naked Emma Watson video. The page shows a picture of a scantily clad Paris Hilton. Again, the goal is to trick users into installing malware disguised as a Flash update.


The page was hosted on firstuzsoft.rr.nu and was not blocked by Google Safe Browsing. The malicious executable was detected by only 6 AV vendors out of 43. Zscaler's free Search Engine Security add-on for Firefox does protect against these types of sites.

IP checks

There are multiple redirections between the spam page on the initial site (www.saloncti.com) and the final malicious page (31.44.184.89 or firstuzsoft.rr.nu). The referrer and the IP address are checked along the way. Here is a sample of a redirection from a Yahoo! search, to the malicious domain:

  1. http://search.yahoo.com/ra/click?.bcrumb=tfNYWE9Y1t1&p=site%3Asaloncti.com%20software&cq=[...]
  2. http://www.saloncti.com/?p=1870 (302 redirection)
  3. http://74.63.193.178/tra1/change.php?sid=8 (302 redirection)
  4. http://74.63.193.178/tra1/got.php?sid=8 (302 redirection)
  5. http://www.communitysupportottawa.ca/cutenews/ip.php (302 redirection)
  6. http://www.skibec.ca/castor-kanik/cutenews/ss/2.php (302 redirection)
  7. http://www3.bestiiarmy.rr.nu/?nlqqufcc=kuHa1bKbmpOZi%2BPdzaaUmNnsq56lopva18%2Bfl6Sqnp%2BU1Z3cntKV
After following a couple of search results, my IP address got blacklisted and I was redirected to ask.com instead of the malicious domain.

It is scary, but predictable, to see attackers switching their targets. I hope the search engines will take the threat of malicious executables more seriously than fake stores and clean up their search results. It will be interesting to see who has the best Blackhat SEO skills: people behind fake stores, or people behind fake AV/Flash pages.

Monday, November 21, 2011

Zscaler Likejacking Prevention for Opera

Along with Firefox, Chrome and Safari, Zscaler Likejacking Prevention is now also available for Opera. You can download it on the official Opera add-on site.

Zscaler Likejacking Prevention on the Opera extensions site

The Opera version works the same as the Google Chrome version, with a similar popup to obtain more information about the Facebook widgets on the current page.

Zscaler Likejacking Prevention for Opera in action

The red/green icon that indicates if a page is safe or suspicious is located on the far right of the Opera browser. I believe it would have been more visible if it were part of the URL bar, as I did for Chrome and Firefox, but unfortunately, Opera does not permit such a placement.

Icon on the right of the screen, after the search bar
Preferences page


Limitations

There is one big limitation in Opera: the extension cannot detect hidden Facebook widgets in frames or iframes. This is due to restrictions in the Opera extension framework, which don't permit frames and iframes to be linked to the top window. Scripts can be injected in frames and iframes, but it is not possible to know which tab they belong to and the background page cannot communicate with the frames and iframes inside a tab.

In practice, 90% of the hidden Facebook widgets I've seen do not use layers of frames and iframes. Zscaler Likejacking Prevention will help users to stay safe from Facebook spam for the majority of spam pages.

Version 1.0.9

I'm continually improving Zscaler Likejacking Prevention on all platforms. The latest version available is 1.0.9. You can download it and the other plugins we have released, on our Tools page.

Firefox

I expect version 1.1.0 of the Firefox Zscaler Likejacking plugin to be approved on the official Mozilla add-on site within a few days.

-- Julien

Friday, November 18, 2011

When scammers call you at home

UPDATE: I've updated the post with a second Skype call I received on 1/17.

Scammers are always trying new ways to reach their targets to fool them into buying free software, sending credit card information, etc. Yesterday, they called me directly at home!

I was working on my computer when I got a Skype call from an unknown caller with a Skype ID of "NOTIFICATION® URGENT - WWW.SWNOW.COM - UPGRADE INSTRUCTIONS". The automated call explained that my "software protections" were disabled and I had to urgently go to www.swnow.com (spelled out in the call). I could not record the call, but it was very similar to what you hear when you visit hxxp://www.swnow.com/.

Skype call from a scammer

The call does not give any information about who is calling or what this "software protection" is supposed to be. It lasted 1 min. 50 secs. and basically just urged me to visit www.swnow.com.

Skype call information

When visited, hxxp://www.swnow.com/ displays a fake antivirus page. It looks different than the Fake AV sites that use Blackhat spam SEO to reach users. Of course, the site purports that numerous viruses are found on your computer...

Fake AV claim to have found viruses
The website is trying to sell the antivirus solution, rather than trying to get users to install malware disguised as a free AV program. The website is well designed. The button "Activate Computer Protections" shows an "activation" form.

Check out form
Then, the website gathers some personal information (name, e-mail address, etc.) via the "activation" form.

Information gathering

Finally, the user is sent to a different website, securecheckouts.org, to process the payment.


Payment processing form

Looking at the HTML code, the page only contains an iframe, pointing to hxxp://www.liveadmin.com/affiliates.php?affil104, where the payment form is actually hosted.

HTML source of securecheckouts.org
There has been a steady rise of websites trying to resell free software (AVG and other antivirus programs, OpenOffice, P2P clients, etc.) or deliver fake stores that claim to offer software at deep discounts. However, this was the first time that I've encountered a Skype call being used to push users to visit a fake store.


Second call

I received a similar Skype call on 11/17. I was urged to visit www.msgmf.com to protect my computer. The website is similar to www.swnow.com. It tricks users into paying $19.95 through click2sell.eu for an antivirus.

Second Skype call spam
Fake antivirus on www.msgmf.com
Antivirus "activation" page
Payment form on click2sell.eu

-- Julien

Wednesday, November 16, 2011

Facebook: Anatomy of Self-Inflicted Javascript Injection

Many are already familiar with "likejacking" (a form of "clickjacking") in which a user is tricked into clicking on and interacting with the Facebook "like" button -- this has been one of the most common vectors of abusing Facebook. For example, the "like" button may be hidden behind an image such as a picture of an embedded YouTube video with a play button. Zscaler released a free browser plugin for identifying and warning of hidden "like" buttons in webpages. However, a recent campaign on Facebook in which inappropriate pictures (porn, mutilation, etc.) were spread through users' social networks was conducted via a different mechanism that many are unfamiliar with: self-inflicted JavaScript (JS) injection. This post will explain the basic technique and some of what we are seeing on Facebook.

Many people are unaware that they can run JS directly from their browser's URL bar. Go ahead and try it. Here is a benign script that pops up a test alert in your browser, enter this into your URL bar: javascript:alert('test');

If you're running NoScript it prevents running JS directly from your URL bar to combat social engineering attempts to get users to unknowingly run something malicious, and will provide the following dialog message:

Otherwise, here is a screenshot from entering this in Safari:
In this example on Safari, I was initially on the www.apple.com page before I launched the JS in my URL bar - so you can see the Apple page in the background and the JS alert message appears to have come from www.apple.com. This would change depending on whatever page I was on when I launched the JS in the URL bar - additionally the JS could be modified to interact with or modify content on the current page. In other words, you could run JS that could completely modify the Apple page locally in your browser or interact with buttons or links. This is an important concept to understand and is a technique that is being used to do damage to Facebook accounts / profiles.

The "same origin policy" is a security concept used in JS and other browser-side scripting languages that prevents scripts from one website from accessing methods/properties on another website. So when you visit your friend's blog, he is unable to have JS execute and automatically interact with your Facebook account. Instead he includes a link at the bottom of his blog to interact with facebook.com and pass a parameter to Facebook saying that you "like" his post (the "like" button). For example,

www.facebook.com/plugins/like.php?href=HIS_BLOGPAGE&width=120&height=22&layout=button_count&show_faces=false&action=like&colorscheme=light

There is an exception to the "same origin policy" in which you can execute script locally within your browser to interact with a page (shown above in the apple.com example). Developers and browser plugins (e.g., greasemonkey) take advantage of this fact to alter various aspects about a webpage. Bad guys are also taking advantage of this fact, by social engineering users to copy/paste or type JS in their URL bar to perform unwanted actions. While logged into Facebook, the JS can automatically perform actions in your account such as, "liking" content or messaging your friends.

Facebook has cleaned up most of the offensive content from the recent campaign. But by doing some specific searches I was able to find some examples of this self-inflicted JS injection technique being used on Facebook.

The most common case is Facebook groups that ask you to join and then enter some JS into your URL bar. For example,

This JS loops through all of your Friends and suggests / invites them to the group. In other words, this JS performs a bulk invite of a group to all of your Friends. Simple, right?

Here is an example of a more complex and malicious JS I found on FB:

The strings in the JS are all hex encoded, below is the unescaped version:

This JS generates a Facebook invite message to your friends, with the message containing an IFrame to: bit.ly/9CxGhY?82
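A small triage helper, added here as an example and not part of the original post: it decodes the hex-escaped strings these copy-paste snippets hide behind (\xNN, \uNNNN and unescape("%NN") forms) and lists the URLs and iframe sources the decoded text references, so a snippet can be read and blocklisted without ever running it. The sample snippet and the domains short.example and cdn.example are constructed placeholders.

```javascript
// Decode \xNN and \uNNNN escapes, plus the body of any unescape("...") call,
// leaving everything else (code structure, quotes) untouched for reading.
function decodeEscapes(src) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  let out = src
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex);
  // unescape("%3c...") wrappers: decode the percent-escapes and keep the quotes.
  out = out.replace(/unescape\(\s*(["'])(.*?)\1\s*\)/g,
    (_, q, body) => q + body.replace(/%([0-9a-fA-F]{2})/g, fromHex) + q);
  return out;
}

// Pull out what an analyst wants first: every URL the decoded snippet mentions
// and the src of every iframe it builds (the part of the post's sample that
// carried the bit.ly link).
function triageSnippet(snippet) {
  const decoded = decodeEscapes(snippet);
  const urls = [...new Set(decoded.match(/https?:\/\/[^\s"'<>)]+/gi) || [])];
  const iframes = [...decoded.matchAll(/<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi)]
    .map(m => m[1]);
  return { decoded, urls, iframes };
}

// Constructed sample in the style described above: one string literal built
// from \x escapes that injects an iframe, one unescape() call hiding a script URL.
// String.raw keeps the backslashes literal, as they would be in a pasted snippet.
const SAMPLE_SNIPPET = String.raw`var a="\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x73\x68\x6f\x72\x74\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2f\x61\x62\x63\x22\x3e";
var b=unescape("%68%74%74%70%3a%2f%2f%63%64%6e%2e%65%78%61%6d%70%6c%65%2f%70%2e%6a%73");`;

if (typeof require !== 'undefined' && require.main === module) {
  const result = triageSnippet(SAMPLE_SNIPPET);
  console.log('decoded:\n' + result.decoded);
  console.log('urls:', result.urls);
  console.log('iframes:', result.iframes);
}
```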

Visiting this shortened link shows that Bit.ly is aware of the abuse and warns users against following it:
The shortened link was to the now down site:
hxxp://aagmphxa.facebook.joyent.us/goog/index1.php
There are many examples of past abuse from various "facebook.joyent.us" sites, here for example.

This technique is not a new technique - Zscaler has reported past abuse examples using this Self-Inflicted JS Injection method, for example:
Be careful of all actions you take while online, to include copying and pasting content into your URL bar.

Tuesday, November 15, 2011

More free software repackaged for money

In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-known software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.

Here are some of the websites:

Filezilla on http://filezilladownload.net/
VLC on http://downloadflashplayer.org/, advertised as a stand-alone Flash player
WinSCP on http://winscpdownload.com/
7zip on http://7zip-download.org/

Here is a list of 9 similar websites responsible for distributing such malware:
  1. hxxp://filezilladownload.net/
  2. hxxp://downloadflashplayer.org/
  3. hxxp://avi-player.net/
  4. hxxp://flv-player.org/
  5. hxxp://gom-player.org/
  6. hxxp://photoshopfreedownload.net/
  7. http://winscpdownload.com/
  8. hxxp://7zip-download.org/
  9. hxxp://notepaddownload.net/

The files that are downloaded use a similar naming convention, software-setup-win32.exe or software-setup-win32_us.exe: aviplayer-setup-win32.exe, winscp-setup-win32_us.exe, flashplayer-setup-win32.exe, filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.

The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3.

Software repackaged by Conversionads


The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.

Microsoft packages installed by default


I've found most of these sites through spam comments in forums such as this one on carepages.com:

Links to repackaged software

They are also well referenced by Google. For example, filezilladownload.net shows up at #5 for "filezilla download", just after the four search result links to the official filezilla-project.org website.





-- Julien