Monday, April 30, 2012

Search Engine Security for Internet Explorer

Search Engine Security (SES), a browser extension designed to protect users against Blackhat SEO links in search engines, is now available for Internet Explorer. You can download it from our website. It is compatible with Internet Explorer 6.0 and above, on Windows XP through Windows 7.

The features are the same as Search Engine Security for Google Chrome, released two weeks ago. The Referer and the User-Agent headers are modified when you follow a search result link on Google, Bing and Yahoo! This prevents the hijacked sites from redirecting users to a malicious page.

As with SES for Firefox and Google Chrome, you can turn the extension on and off for the three search engines.

Search Engine Security enabled on Bing

You can also whitelist specific pages. The only difference between the IE version and the Firefox and Chrome versions is that the Referer header cannot be empty. This is why the default value is "-".

The options are available under Tools > Search Engine Security options.

Search Engine Security options

To test the features, search for "what is my user agent" or "what is my referrer" in Google, Bing or Yahoo! and follow a link. You will notice a different value when Search Engine Security is ON or OFF.

Modified User-Agent
There are very few browser extensions available for Internet Explorer, especially extensions helping to keep users safe. I will continue to port the Zscaler security extensions to Internet Explorer and will bring other security tools to this platform.

You can find a full list of all our browser extensions on the ThreatLabZ portal under Tools. Search Engine Security for Internet Explorer can be downloaded here.

Thursday, April 26, 2012

Multiple hijacking

Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of malicious page is the Fake AV page. Attackers commonly increase traffic to these hijacked websites using Blackhat SEO techniques.

Blackhat SEO requires that two different pages be delivered to different audiences:

  • A harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade blacklists
  • A redirection to a malicious domain to attack users
Existing pages on the hijacked sites are usually unchanged and instead, new pages are created. The newly created spam pages are completely harmless, with no obfuscated JavaScript. A 302/307 HTTP redirection is done mostly via a PHP file, or using an .htaccess file.

Other groups of attackers may want to use vulnerable websites for different purposes. So it is not rare to see the same vulnerable sites being abused by different groups. Recently, there was an increase in hijacked websites sending users to Fake AV pages also being infected with malicious JavaScript. The obfuscated JavaScript code is added before the original HTML code on all pages, making it much more likely to be blacklisted by Google. Here are a few examples:

Found on

Found on

A mix of the 2 previous JavaScript codes

All of these examples result in the same HTML code, an IFRAME injection pointing to a malicious domain:

  • hxxp://
  • hxxp://
  • hxxp://

Deofuscated code

Ironically, this malicious code might actually keep users safer. Since it is present on all pages, regardless of the HTTP Referer, the entire website is flagged as malicious much more quickly by search engines.

Wednesday, April 18, 2012

French Budget Minister website hijacked

We've seen an increase in hijacked websites in recent months, redirecting users to Fake AV pages, Blackhole exploit kits and other malware. While most hacked websites are personal sites or university websites, some are higher profile.

hijacked

The website of the French Minister of Budget ( is an example of a high profile site that was recently hijacked. Obfuscated JavaScript was added at the top of the page. It is very similar to what we have seen on other websites. The obfuscation contains some tricks to break JavaScript scanning tools, such as making reference to browser objects, exceptions, etc.
Malicious JavaScript inserted on the hijacked site

The code creates an IFRAME to hxxp:// This address is not blocked by Google Safe Browsing at this time. I was not able to retrieve the content.
Deobfuscated JavaScript

The domain has been widely abused. It has been linked to the Mac Flashback Trojan, previous Fake AV campaigns, etc. is not the only governmental website that has been hijacked recently. In the last three months, we have seen many hijacked government sites including:
  • Australia:,
  • US:,,,,, etc.
  • Philippines:
  • Colombia:,
  • Malaysia:
Unfortunately, no website can be fully trusted anymore.

Monday, April 16, 2012

Search Engine Security for Google Chrome

Google Chrome has recently added an API to modify HTTP headers. This, in turn, made it possible to port Zscaler's Search Engine Security add-on from Firefox and Firefox Mobile to Google Chrome.

Search Engine Security on the Chrome Web Store

Most hijacked websites used for Blackhat SEO check the Referer header and the User-Agent to decide whether to redirect the visitor to a harmless spam page or to a malicious domain (Fake AV page, Blackhole exploit kit, etc.). By modifying these two headers when the user leaves a Google, Bing or Yahoo! search, Search Engine Security fools the hijacked site into thinking that the visitor is not a real user and therefore avoids redirection to the malicious content.

Search Engine Security enabled for Google

All the work is done in the background, so it can be tricky to understand exactly what happens, or even if the add-on is working. We have therefore added a small note on the Google/Bing/Yahoo! search result pages to show you whether Search Engine Security is on (default settings) or off (disabled in the options): Zscaler SES on or Zscaler SES off.

Search Engine Security disabled on Bing

To understand how the headers are modified, look for "referer mobilefish" in Google after you have installed Search Engine Security. Click on the first link " - Show my IP". The page will display your User-Agent string and Referer header. With the default settings, the string "slurp" is appended to your User-Agent, and the Referer header is removed. These changes are done only when leaving a Google/Bing/Yahoo! search page.

You can also enable/disable the various settings on the Search Engine Security options page to see how the User-Agent and Referer strings are affected.

Search Engine Security options

You can install Search Engine Security for Google Chrome in the Chrome Web Store.

Friday, April 13, 2012

Details of a "new" Fake AV page

As I mentioned last week, more Fake AV pages are once again showing up in popular Google searches. Although these malicious pages look the same as they did 2 years ago, the source code is different.

The first thing you notice in the source code is that there is no obfuscation at all. The attacker is not trying to hide anything: the CSS is inline, the JavaScript is inline and in plain text (no obfuscation, minification or packing), etc. That makes the pages very easy to track and block. Or it should... however, antivirus vendors are still not able to block the Fake AV executable with an acceptable level of accuracy. As you can see in the video, only 5 out of 42 antivirus engines find anything suspicious. You can easily download the executable with a simple wget command, so it is not hard to gather these samples.

Download the malicious executable with wget

The source code is fairly simple. Another interesting fact is that Firefox is handled differently by the page compared to other browsers, meaning that different JavaScript code is run, but the end result is the same as on the other web browsers.

Fake AV page

The JavaScript function used to trigger the malicious file download is called google(). It creates an IFRAME pointing to the malicious executable, which triggers the download prompt without having to leave the page.

The google() function
The animations (blinking text, scanning progress bar, etc.) are all done with animated GIF files.

Overall, these Fake AV pages are low-tech, very distinctive and very easy to track... but still very effective. Desktop antivirus, often the only protection available to home users, generally fails to block the page and fails again to block the malicious executable.

Monday, April 9, 2012

PDF exploits targeted through Blackhole exploit kits

PDF exploits have been targeted by Blackhole exploit kits for some time now. The Blackhole exploit kit will deliver various malicious PDF files to a user if the victim is running a potentially vulnerable version of Adobe Reader. When these PDFs are opened through Adobe Reader, a known vulnerability is exploited which will then compromise the user’s machine.

Let’s look at the de-obfuscated portion of the Blackhole exploit kit. The exploit kit for this sample was delivered from “”.

The de-obfuscated code above shows how an IFRAME of 1x1 pixels is created to load a malicious PDF file residing at “./content/ap1.php?f=97d19::182b5” or “./content/ap1.php?f=97d19::182b5”, depending upon the version of Adobe Reader installed. These two files are hosted on the same domain - “”.

The absolute paths of the malicious files are:

hxxp:// and

For analysis purposes, we manually downloaded the aforementioned PDF files. The PDF files contain a JavaScript object, which in turn contains obfuscated JavaScript, as shown below:

The JavaScript code loops through the array ‘ar’ and converts each element of the array with the logic included in the function ‘test2()’. The de-obfuscated code targets a three-year-old vulnerability in Adobe Acrobat Reader.

Let’s take a look at some of the de-obfuscated code:

A stack based buffer overflow vulnerability exists in the ‘getIcon()’ method, which is detailed in CVE-2009-0927.

This vulnerability is widely targeted by various versions of the Blackhole exploit kit. I have seen different variants of the payload URL used to host these PDF exploits. The URL pattern changes with different variants of the exploit kit. The different URL path patterns seen so far are:


The common patterns in the above URL paths are ‘/content/’ and ‘.php?f=’. By identifying these common patterns, one can write a network signature on URL strings to catch these malicious URLs.

Let’s take a look at a couple of Snort signatures for detecting these malicious URLs.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;)
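As an added example (not code from the original post or from the Snort rule authors), the same URL-pattern logic applied offline to constructed proxy log lines: it flags the ‘/content/<name>.php?f=’ shape described above together with the ‘/fdp1.php?f=’ and ‘/fdp2.php?f=’ forms the two rules look for. Hostnames in the sample log are placeholders, since the post's domains are not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL path shapes described in the post: "/content/<name>.php?f=<token>"
# (e.g. ./content/ap1.php?f=97d19::182b5) and the "/fdp1.php?f=" /
# "/fdp2.php?f=" forms the two Snort rules match in http_uri.
PATTERNS = [
    ("blackhole-pdf-content", re.compile(r"^/content/[A-Za-z0-9_-]+\.php$")),
    ("blackhole-pdf-fdp", re.compile(r"^/fdp[12]\.php$")),
]


def classify(url):
    """Return the name of the matching pattern, or None.

    Both the path and the 'f=' query parameter must be present: 'f' carries
    the per-request token that selects the PDF, and requiring it keeps an
    ordinary /content/foo.php page from being flagged on the path alone.
    """
    parts = urlsplit(url)
    if "f" not in parse_qs(parts.query, keep_blank_values=True):
        return None
    for name, rx in PATTERNS:
        if rx.match(parts.path):
            return name
    return None


def scan_log(lines):
    """Return (client, url, pattern) for every hit in proxy log lines of the
    form '<client-ip> <method> <url> <status>'; malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        label = classify(url)
        if label is not None:
            hits.append((client, url, label))
    return hits


# Constructed sample log; hostnames are placeholders, not the post's domains.
SAMPLE_LOG = [
    "10.0.0.5 GET http://kit.example/content/ap1.php?f=97d19::182b5 200",
    "10.0.0.5 GET http://kit.example/fdp1.php?f=97d19::182b5 200",
    "10.0.0.7 GET http://www.example.com/content/index.php?page=1 200",
    "10.0.0.7 GET http://other.example/fdp2.php?f=deadbeef 404",
    "10.0.0.9 GET http://www.example.com/fdp1.php 200",
    "truncated-line",
]

if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:22} {client:10} {url}")
```

The generic ‘/content/’ shape is noisy on its own, so in a real deployment pair a hit with the response Content-Type (application/pdf) or the md5 reference carried by the rules before alerting.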

Most of the vulnerabilities targeted by various exploit kits are public. Making sure all of your applications are updated regularly with the latest security updates will go a long way in helping to keep your computer secure.


Friday, April 6, 2012

Blackhat SEO back in Google searches

In 2011, Blackhat SEO links were pretty much absent from the most popular searches in Google. Instead, Blackhat SEO was used to target more specific searches. The technique was heavily used to poison searches for buying software online with hundreds of fake online stores.

Blackhat SEO

Things are starting to change in 2012. I ran some numbers on Google searches for the month of March 2012 and found:
  • 117 malicious domains, including 66 serving Fake AV pages and 35 fake online store domains
  • 1,142 spam/malicious links in Google searches, including 299 links leading to a Fake AV page
The number of new domains hosting fake online stores is slowly decreasing: I found only 6 new domains in March. The number of Fake AV sites, however, has increased significantly.

While Google search results leading to Fake AV pages used to be caused primarily by hijacked sites that were redirecting the entire site to a malicious domain, the current increase is due mostly to the targeted use of Blackhat SEO for popular searches, as it was in 2010. The big difference with current results compared to those in 2010 is that Google is doing a much better job at flagging these malicious links: 294 of the 299 search results leading to a Fake AV page were flagged by Google.

The spammers are still able to get their spam pages on hijacked sites to appear on the first result page for popular searches such as "puerile in a sentence" and "edhelper password".

Malicious link in first result page
The technique used is still the same. Websites are hijacked and new pages are added. Each new page is targeting a popular search term trending in Google Hot Trends. Pages from different hijacked sites are linked together to increase their rank.

As I mentioned in an earlier post, the Fake AV pages still look the same, but surprisingly, use new source code with no obfuscation in most cases.

Fake AV instead of Fake store

The second trend I see is the increase in Fake AV links in searches related to software sales, like "Buy Windows 7". This is something I noted last year. The increase in search results leading to malware (Fake AV pages and others) where you would usually find fake stores is alarming because Google has not yet cleaned up these results. None of the spam links sending users to fake stores are flagged by Google.

Search Engine Security

The best tool to protect yourself against Blackhat SEO is Search Engine Security, a free browser extension from Zscaler. It was available for Firefox only, but versions for Google Chrome (currently waiting for approval in the Google Chrome Store) and Internet Explorer will be available shortly.

Mac OSX Flashback Confusion and Hype

We, like most in the security community, have been following the latest developments with the Mac OS X Flashback Trojan and its exploitation of the recently patched Java vulnerability (CVE-2012-0507). This story has a lot of interesting twists and turns:
  1. The Flashback Trojan is a relatively new Trojan family, appearing on the scene in late summer/early September 2011. Since its inception, there have been numerous variants, moving from a pure social engineering play (posing as a fake Flash update) to leveraging exploits. The rapid evolution of this family has made it a little confusing to stay on top of. There were reports of Twitter being used for C&C updates as part of an early March variant; however, it is unclear if this communication avenue was ever actually used by the botherder.
  2. The latest variants of the Trojan, namely variant I and variant K, both exploit Java vulnerabilities: CVE-2011-3544 (Flashback.I) and CVE-2012-0507 (Flashback.K). Oracle patched this latest vulnerability back in mid-February. Their CVSS risk matrix for this vulnerability can be seen below:
  3. Apple initially released a patch for the vulnerability on April 3rd, six weeks after Oracle, and then quietly announced on April 5th an update to the patch due to a few issues:
  4. Then there is the question of what the Trojan does/is doing. It has the capability to modify web pages (web-injects) viewed in Safari, based on a configuration file received from the C&C. However, it is not clear exactly what the web-injects will be used for. Similar functionality exists in many other bots, such as Zeus, and is typically used to include additional form fields on banking sites to gather additional information such as SSN, debit card number, PIN, etc.
  5. Finally, there is the question of how widespread the infections are. Dr. Web has reported 550K infections, which would certainly rank this among the largest botnets. Some have claimed the numbers to be over-hyped or mis-counted. However, Kaspersky recently published a blog confirming the figure and even upping the number to 600K+ after sink-holing a C&C.
From the perspective of Zscaler's enterprise customers, we are indeed seeing Flashback infections, many of which involve older variants of the Trojan. One C&C from an older variant that we are seeing, for example, which has not been reported in the other stories, is:


HTTP GET requests to this and other related C&Cs are made with a base64-encoded User-Agent (UA) that includes the CPU, hardware UUID, OS version, and other system/infection details, so each victim has a unique UA when connecting to the C&C. The latest variant does not appear to use this same UA encoding.

Most/all of the malicious "" sites on that hosted malware associated with the attack, are now down (resolve to  Below is a screenshot of code from one website hosting the Java applet which exploited CVE-2012-0507:

The site meta-refreshes to a blank page if JavaScript is disabled or NoScript is detected and uses a cookie to mark whether or not to embed the malicious Java applet.

Domain/hosting analysis suggests that other domains, not listed in the Dr. Web or F-Secure reports, are also related to the campaign, including:
We are seeing a number of the related websites on (InfoRelay Online Systems). There are a large number of interesting-looking/suspicious domains that are or have resolved here, including numerous "" sites.

While this has been an interesting and in some ways confusing (due to mis-information and hype) campaign to follow, we are not currently seeing an enormous number of infections. This may however be due to our enterprise customer base, which tends to have a smaller Mac install base or better patch management processes. That being said, another interesting bit of information comes from Alexa data showing the top "" sites (screenshot below):

All of the top sites are related to this campaign, for example:

We'll close out with statistics on the browser plugins that we are seeing among our enterprise customer base. These stats were collected by querying the browser DOM during customer logins, which allows us to identify browser plugins/extensions. We are currently seeing only about 6% of enterprise systems with an outdated version of Java. Percentages of outdated versions of Acrobat, for example, are much, much higher.