Tuesday, February 28, 2012

Fake AV: .ru sites used for redirections

This past month, I've seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involve three separate phases:
  1. The hijacked website redirects users coming from a Google search to an external domain.
  2. A website redirects users to the Fake AV page or to a harmless site (mostly bing.com and google.com) depending upon the referer in step #1. This page adds a cookie using JavaScript, and reads it immediately, to make sure the page was accessed by a real browser that supports both JavaScript and cookies.
  3. The fake AV page is delivered.

Hijacked sites

I demonstrated last year that the Blackhat SEO attacks had migrated from the most popular searches to more specific searches like buying software online where up to 90% of the links returned are malicious. It comes as no surprise that about 95% of the hijacked sites were found for searches like "purchase microsoft word", "achat windows" ("buy Windows" in French), "precio office 2007" (Italian), etc.

There were 12 hijacked sites being used, with 3 domains representing 90% of the hijacked sites redirecting to a fake AV page:
  • politicalcampaignexpert.com (WordPress)
  • www.extralast.com (WordPress)
  • www.ukresistance.co.uk (blocked by Google Safe Browsing)

Redirection site

The domains used to redirect users from the hijacked sites to the fake AV pages are all .ru sites, with the same URL path:
  • bannortim-qimulta.ru/industry/index.php
  • daliachuuaroyalys.ru/industry/index.php
  • bannortim.ru/industry/index.php
  • uaroyalysdaliachu.ru/industry/index.php
  • uaroyalys.ru/industry/index.php
  • etc.
This page is used to differentiate between real browsers and bots or scanners. It uses JavaScript to write a cookie, and then reads it immediately thereafter. If the cookie is retrieved, the visitor is redirected to a malicious site, otherwise they are redirected to Bing or Google. Here is the snippet of the source code:

JavaScript and Cookie support test

Fake AV page

Fake AV page

Attackers are getting lazy! The fake AV page looks the same as it did two years ago and the source code of the page has barely changed. Fake AV pages used to change every 2-3 weeks when they were found all over the most popular searches, now they are remaining stagnant for six months. Here is the video that shows the Fake AV page in action:

As you can see in the video, the malicious executable is detected by 14 of 43 AV vendors.

Hopefully, one day Google will clean up the search results related to buying software as they did for the most popular searches. Until then, many users will end up on fake stores, fake AV pages or other malicious sites.

Tuesday, February 21, 2012

Groupon scam site

groupon500.com was registered on Feb 20, 2012. The home page for the domain claims to offer a free $500 voucher for Groupon or LivingSocial, another popular daily-deal site.

Users must fill out a form with their information, including a phone number:

users must share their information

To get the $500 voucher, the user must complete one offer: buy Disney Books, try a tooth whitening, etc. And with one more offer completed, they can even get a free iPod Touch!

One or more offers must be completed

The site earns money by getting users into "free" trial offers where, most of the time, users are charged without realizing it.

The saddest part of all - this is perfectly legal. groupon500.com was published by RETAILBRANDPRIZE.COM. Search for this name in Google and you will find no shortage of people complaining about various scams.

The Privacy information, Terms and Conditions and small print are clear on what is occurring, although most users will of course ignore them. The vendor uses personal information "to provide your contact information to our marketing partners", "By Participating, You Expressly "Opt In" to "Receive Information And Grant Us Permission To Share Your Information", "Completion of reward offers most often requires a purchase or filing a credit application and being accepted for a financial product such as a credit card or consumer loan.", etc.

If it is too good to be true, it's probably... a scam!

Monday, February 20, 2012

Analysis of a Blackhole Exploit page

The Blackhole Exploit kit is still a very popular attack on the web. There are many variants of the threat. Here is a detailed analysis of one Exploit kit page and the obfuscation technique leveraged by the attack.

In this example, the exploit is heavily obfuscated. The exploit has been encoded and stored as HTML and JavaScript is used to decode the payload and run it.

Blackhole Exploit encoded and stored in HTML

JavaScript decoding loop

To decode the exploit, I used Malzilla, a popular JavaScript deobfuscation tool. Malzilla cannot manipulate the DOM like a real web browser, so I needed to copy and paste the HTML-encoded data into a JavaScript variable. I then changed the JavaScript loop slightly to extract the data from the variable instead of the HTML. Instead of doing an eval() of the code, I replaced the last line with document.write(c) to output the result.

The code below was delivered by Malzilla following the aforementioned adjustments (I've cut out the encoding data):

Modified code to run in Malzilla

I can now execute the script. The obfuscation requires many passes to fully decode the data and it takes quite a while to complete.

Script executed by Malzilla

Now, let's examine the output from Malzilla. The first part addresses a "Please wait page is loading..." message, very typical of the Blackhole Exploit kit so that the victim remains patient while the exploit code executes.

Then, the JavaScript figures out which browser is visiting the page, what plugins are installed and in which version. This information is then used to decide which exploit payloads to deliver.

Browser fingerprinting

Depending on what browser information was obtained, different exploits can be delivered. It could, for example, be a malicious Java applet:

Launch a malicious Java applet

... or a remote code execution exploit targeting a known Internet Explorer vulnerability:

MDAC exploit for Internet Explorer

... or a malicious PDF file:

Malicious external PDF file

... or a malicious Flash file:

Malicious Flash file

Separating the exploit into an encoded payload and a decoding loop made it easier for the exploit kit creators to create an infinite array of different pages in order to evade detection. The Exploit kit is also more sophisticated than many other exploits as it is able to use the right exploit for each visitor.

Monday, February 13, 2012

Follow up on Russian scam

Last week, I described how many websites hosted on DreamHost had been hijacked. Since then, I found the same scams on websites hosted with different providers.

Often, vulnerable sites are hacked by many groups for various purposes, including spam delivery (such as Blackhat SEO), other scams, etc. Many of the sites hosting the Russian scams are now used for other malicious purposes.

Blackhat SEO

One of the parameters that is used to determine the rank of a web site in the search results is the number of links to a given page. As such, spammers take advantage of vulnerable sites by adding links to the sites that the attackers want to promote, and these links are often hidden from visitors to the page. The most common technique used involves adding a hidden DIV tag at the end of the page. This was done on http://goingonfive.com/ for example:

Spam links

In this example, the DIV tag is moved off-screen, to the left. The links for Viagra and other drugs point to other pages uploaded on the same site (in the /include folder), as well as to other hijacked websites (http://airtravel-services.com/js/index.html, etc.).

The spam pages claim to be a "Google Pharmacy":

The pages then link to grand-pills.com where people can order the drugs:

There is also a second group of spam links hidden on http://goingonfive.com/. These links point directly to Canadian Pharmacy sites, rather than using hijacked sites for redirection. These links may have been added by a different group.

Hidden spam links

One of the Canadian Pharmacy sites is http://viagra7online.com/:

Canadian Pharmacy

American and other Russian scams

The Russian scam I reported on initially is using http://goingonfive.com/modules/mod_wdbanners/resmmdnd.php. The directory /modules/mod_wdbanners/ contains many other pages redirecting to other scams.

Pages uploaded on http://goingonfive.com/

You can find the same list of files on other DreamHost sites: http://dev.orioncombat.com/wp-content/uploads/, http://chicagoexposedstrippers.info/wp-content/plugins/extended-comment-options/, etc.

Most of these pages redirect to another Russian scam at http://arhivi-familii.com/. I noticed this one about a month ago.

At this site, you are supposed to be able to look up information on the family tree of anybody. The service looks free, but at the very bottom of the page the site mentions that the user will be charged 186 rubles every 10 days via SMS. Many people have complained on Russian forums about high charges for no actual service. Here are the cost details translated into English:

the service is NOT free!

Two other pages redirect to a US scam that I detailed in an earlier post: get rich working from home, which abuses a Facebook Like widget to look legitimate.

"Work from home" scam

These sites will probably host more and more spam and malicious content until they get blacklisted by popular lists, at which point, the hackers will move to new targets.

Friday, February 3, 2012

DreamHost: hijacked websites redirect to Russian scam

Following the DreamHost hack that was revealed this week, many websites hosted by the company have been hijacked to redirect users to a Russian scam page.

I've identified hundreds of websites hosted by DreamHost that contained a PHP page redirecting to hxxp://www.otvetvam.com/. Here are a few examples:
  • http://www.lciva.com/wp-content/plugins/extended-comment-options/gyrewnv.php
  • http://honorboundphoto.net/photos/10007-mankato_habitat_for_humanity_golf_tournament/agtruje.php
  • http://ryanmasters.ca/wp-content/gallery/our-kingdom/thumbs/tyiueg.php
  • http://treatmentofpanicattacks.com/wp-content/cache/supercache/www.treatmentofpanicattacks.com/category/anxiety-support/polzin.php
  • http://r4theband.co.uk/content/wp-content/themes/agregado/includes/cache/gyrewnv.php
  • http://dedehaluk.com/cache/hakkinda/fgjke.php
  • http://www.agustindondo.co.uk/yellowbrick/wp-content/files_flutter/modules/fgjke.php
  • http://dcstavclub.org/wp-content/themes/newzen_2.0_build_105/images/fgndnju.php
  • http://camtarn.org/gizmoblog/content/06/03/entry060305-180312/comments/fgjke.php
  • http://derek.hinchy.org/MT-5.031-en/mt-static/support/theme_static/professional_website/themes/professional-green/polzin.php
  • http://ojosdelmundo.dreamhosters.com/images/comprofiler/gallery/tghreig.php

otvetvam.com promotes a common "get rich working from home" scam. On the left side, all links point to the same collection of fake testimonials from people purporting to have made plenty of money using the system.

The right side of the page looks like AdSense ads from Google (same font, same colors, layout, etc.), but they are all links to www.tvoitube.com. This is a YouTube look-alike site, which shows a video promoting an online gambling site (www.cristal-casino.com).

Fake Russian YouTube site http://www.tvoitube.com/

www.otvetvam.com copied the layout of the popular Russian site, mail.ru. The source code actually reveals that the page was created from http://otvet.mail.ru/question/59882991/, which has now been blocked by mail.ru.

The hijacked sites now redirect to other websites including ru-0tveti.com, ru-0tveti1.com, etc. These domains were registered on 01/25/2012, but no websites are yet hosted at the domains.

I'm sure this is just the beginning of massive abuses on websites hosted by DreamHost.