Saturday, June 30, 2012

Redis back-end for Net::Google::SafeBrowsing2

I started working on Net::Google::SafeBrowsing2, a Perl library for Google Safe Browsing v2, about a year ago and released it last November.

This library can use many back-ends for storage. In addition to Sqlite, MySQL and Postgres (added by a contributor), you can now use Redis, a fast key-value store, as a back-end for Google Safe Browsing with Net::Google::SafeBrowsing2::Redis (source available on github). This storage speeds up updates by a factor of 10 over the SQL back-ends.

Upgrade Net::Google::SafeBrowsing2
Numerous fixes and improvements went into the Net::Google::SafeBrowsing2 in the past few weeks, so make sure you are running the latest version.

I have also introduced a new import/export feature that makes it easy to switch from one back-end to another. You can easily switch from the MySQL back-end to the Redis back-end, for example:

my $mysql = Net::Google::SafeBrowsing2::MySQL->new(...);
$mysql->export(list => MALWARE, file => 'malware.dat');
$mysql->export(list => PHISHING, file => 'phishing.dat');

my $redis = Net::Google::SafeBrowsing2::Redis->new(...);
my $gsb = Net::Google::SafeBrowsing2->new(key => ..., storage => $redis);
$gsb->import_chunks(list => MALWARE, file => 'malware.dat');
$gsb->import_chunks(list => PHISHING, file => 'phishing.dat');

Despite the popularity of Google Safe Browsing (used by Firefox, Google Chrome and Safari), there are still very few implementations available and even fewer complete implementations. Since I published a list of Google Safe Browsing libraries available back in December 2011, I'm aware of just one new implementation for Scala/Java. Popular languages like Ruby don't have such libraries yet.

Tuesday, June 26, 2012 Infected with Blackhole Exploit Kit.

Cleartrip is used for booking flights, hotels and IRCTC Indian Railways tickets  in India. It is a leading online booking portal. Recently, I was searching flight information on and my desktop antivirus delivered the following  alert:

Infection alert of AVG antivirus.

AVG had detected a Blackhole exploit on the following page:
Let’s take a look at a wireshark capture taken while visiting the page.

Packet capture snapshot of

The page content of "hxxp://" was broken, but after a bit of searching on the site, I was able to ultimately find the same malicious code with intact de-obfuscation logic.

The URL identified this time was:

For further analysis, we’ll take a look at page content. A snippet of the code is shown below:

Code source of blocked page

Much of the content is obfuscated, so we’ll need to first de-obfuscate it in order to analyze it further.
Let’s look the obfuscated code delivered this time:

Obfuscated code souce.

De-obfuscation of the aforementioned code reveals JavaScript which was creates a 1x1 pixel iFrame pointing to  “hxxp://”
The de-obfuscated code is shown below.

URL in iFrame tag

Fortunately, Google has blacklisted that particular URL.
Let’s take look at source of the page:

Source page view.
This URL displays a .gif file, but if you look carefully, you will see that an iFrame is also delivered. It is this URL (highlighted above), which points to the Blackhole Exploit Kit.
The .info domain used in the iframe is registered for one year and was registered only recently. Naturally, newly registered domains tend to have higher risk as they attackers often register new names for a single attack. Let’s do a whois query on the domain:
Created On: 14-Jun-2012 07:52:31 UTC
Last Updated On: 14-Jun-2012 07:52:31 UTC
Expiration Date: 14-Jun-2013 07:52:31 UTC
Spammers also prefer .info domains as they as less expensive to register than .com or .net domain names.
A de-obfuscated version of the contents is shown below:

A De-obfuscated contents.
Zscaler has informed on this infection.

I thank to my colleague Pradeep Kulkarni for helping to analyze this infection.

Friday, June 22, 2012

Fake Flash update with a twist

We've seen Fake Flash updates for several years. A webpage claims that the user is running an outdated of version of Flash and they require an upgrade of the plugin to watch a video. The fake Flash update is actually a malicious executable.

This type of attack is still going on. Today, I was investigating such a malicious page. The page claims to be from, a free porn site. The fake video player shows a warning: "You need the latest version of Adobe Flash Player to play this video."

Fake porn video
However, instead of downloading a malicious executable, the user is actually asked to download a fake Flash extension. There are different variants for different browsers: .XPI for Firefox, .CRX for Google Chrome, and .EXE (BHO + installer) for Internet Explorer.

Malicious extension for Firefox

Extension installation on Firefox
Fake extension installed

Browser extensions are open doors to infect users. Antivirus vendors do a very poor job at decting fake extensions, mostly because they are just plain text files (HTML, JavaScript), and cannot therefore contain binary malware. The VirusTotal reports for this particular attack illustrate the challenge:

Browser extensions

Browser extensions have a fairly simple structure. They don't generally contain any malicious code directly, rather, when the browser starts, the add-on fetches the malicious JavaScript code from an external server and executes it.

Fake extension code after deobfuscation

The current files being pulled are not very dangerous, but that could change in the future. An invisible IFRAME is inserted in each new page loaded. The IFRAME contains advertising from, and contains a username in the URL. This tells me that the adware author gets money for the traffic sent to this site, even if the infected user cannot actually see what is being loaded.

Remote file content after deobfuscation

The author could change the remote file at any moment to do much more harm, like stealing cookies to obtain access to the user accounts on any site, stealing username/credentials being entered or previously saved, etc.

Wednesday, June 6, 2012

Stolen code signing certificates are your worst nightmare

Flamer used spoofed code signing certificates from Microsoft. This was done to make it appear that the malicious content was actually software delivered by Microsoft.

You have likely seen the use of code signing certificates when Windows pops up a User Account Control (UAC) warning to ask for your permission to make a change to your system. If the executable is signed by a Trusted code signing certificate, the UAC will display a "Trusted Publisher" notice, otherwise it will display an "Unknown Publisher" notice.

Trusted executable
Executable not signed

However, you can actually do much more with a stolen code signing certificate. Using the Microsoft ClickOnce technology, it is possible to download, run and install any executable on the user's desktop just with one click on a regular HTML link. Users do not have a way to stop the executable from being downloaded and installed once the link has been clicked.

If you use a valid code signing certificate to sign a ClickOnce deployment file and the certificate is not part of the user's list of Trusted Publishers, you will receive the following popup:

ClickOnce abused. You can choose between Install and Run.

You may have noticed several elements that make this popup look more reassuring to a user than the usual download/run popup from Internet Explorer:
  1. The popup is not actually part of the browser, it is actually a separate application.
  2. It claims to be a Windows Update. If the user clicks on the link, they will be sent to
  3. The software seems to be hosted on a sub-domain of
  4. The publisher (myself), is trusted.
This looks like the real deal - Microsoft is asking me to run a Windows update, but it is actually a program I wrote myself! The "Name" attribute is arbitrary, it can be set to anything that looks official by the author. Also, the link, which I chose to have point to, is not related to where the software is installed from.

If you host the application on a sub-domain that is very long, the popup will truncate it, making it look like a sub-domain of if you carefully craft the URL. Since the popup width is the same on all Windows versions, regardless of the user screen resolution, such a misleading URL is easy to craft.

The valid code signing certificate cost me $59, but you can get one for free. With a "stolen" certificate from Microsoft, the UAC would show Publisher: Microsoft.

Trusted Publisher

You can bypass the UAC warning completely if the application is signed with a code signing certificate that is part of the "Trusted Publishers" list on the user's computer. In that case, there is no warning and no cancel button - the application is downloaded and run automatically. Pretty scary!

The good news - the "Trusted Publishers" list is empty by default on Windows. The bad news - some software vendors install their own certificates along side a separate software installation. Your administrator may also push your company's certificate to the list in order to deploy software automatically. If one of these certificates is stolen, or if the attacker can fool users into installing a certificate of his choosing (especially if it is signed by Microsoft...), then any application can be installed on your computer without your knowledge.

To verify if you have any certificates installed in your Trusted Publisher list, run "certmgr". In the right pane, click on "Trusted Publishers". if there are certificates, click on "Certificates" to see the list. To be safe, you should remove any that you don't explicitly recognize as needing to be there.

My Trusted Publishers certificates

There is no need to find vulnerabilities to install software silently on computers when ClickOnce lets you do so legitimately.