Zscaler Research

A look at the top websites blacklisted

2012-05-14T14:58:00.000-07:00

Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results.

I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious. Here is what I found for the most popular blacklisted sites:

Rank	Domain	Threat	Comment
6,239	subtitleseeker.com	Malicious JavaScript	Hijacked
18,784	financereports.co	Scam	Work from home scam
35,610	tryteens.com	PDF malware	Porn
41,560	iranact.co	Malicious JavaScript	Hijacked
47,016	creativebookmark.com	Fake AV	Hijacked
52,409	ffupdate.org	Adware download
52,431	vegweb.com	Malicious JavaScript	Hijacked
53,902	delgets.com	Malicious JavaScript	Hijacked
78,202	totalpad.com	Fake AV	Hijacked
81,403	kvfan.net	Malicious JavaScript	Hijacked
82,344	hgk.biz	Malicious JavaScript	Hijacked
83,858	youngthroats.com	Malicious IFRAME	Porn
125,305	metro-ads.co.in	Malicious JavaScript	Hijacked
133,455	salescript.info	Malicious JavaScript	Hijacked

http://financereports.co

creativebookmark.com

Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content.

I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:

Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%).

There is a government website in this list: mdjjj.gov.cn. It contains malicious JavaScript for a third domain. The code is much more sophisticated that on the other sites on this list. The JavaScript is obfuscated, broken down in several files with a .jpeg extension. There is also a Flash exploit with a heap spray targeting Mac OS X, not unlike a Flash exploit we found on another Chinese site a few years ago. Windows users with Internet Explorer 6 and 7 users get the old "iepeers.dll" exploit (a different version for each browser).

No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point.

Search Engine Security for Internet Explorer

2012-04-30T19:27:00.000-07:00

Search Engine Security (SES), a browser extension designed to protect users against Blackhat SEO links in search engines, is now available for Internet Explorer. You can download it from our website. It is compatible with Internet Explorer 6.0 and above, on Windows XP thru Windows 7.

The features are the same as Search Engine Security for Google Chrome, released two weeks ago. The Referer and the User-Agent headers are modified when you follow a search result link on Google, Bing and Yahoo! This prevents the hijacked sites from redirecting users to a malicious page.

As with SES for Firefox and Google Chrome, you can turn the extension on and off for the three search engines.

Search Engine Security enabled on Bing

You can also whitelist specific pages. The only difference with the IE version as opposed to Firefox and Chrome is that the Referrer cannot be empty. This is why the default value is "-".

The options are available under Tools > Search Engine Security options.

Search Engine Security options

To test the features, search for "what is my user agent" or "what is my referrer" in Google, Bing or Yahoo! and follow a link. You will notice a different value when Search Engine Security is ON or OFF.

Modified User-Agent

There are very few browser extensions available for Internet Explorer, especially extensions helping to keep users safe. I will continue to port the Zscaler security extensions to Internet Explorer and will bring other security tools to this platform.

You can find a full list of all our browser extensions on the ThreatLabZ portal under Tools. Search Engine Security for Internet Explorer can be downloaded here.

Multiple hijacking

2012-04-26T21:57:00.000-07:00

Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of of malicious page are Fake AV pages. Attackers commonly increase traffic to these hijacked websites using Blackhat SEO techniques.

Blackhat SEO requires that two different pages be delivered to different audiences:

A harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade blacklists
A redirection to a malicious domain to attack users

Existing pages on the hijacked sites are usually unchanged and instead, new pages are created. The newly created spam pages are completely harmless, with no obfuscated JavaScript. A 302/307 HTTP redirection is done mostly via a PHP file, or using an .htaccess file.

Other groups of attackers may want to use vulnerable websites for different purposes. So it is not rare to see the same vulnerable sites being abused by different groups. Recently, there was an increase in hijacked websites sending users to Fake AV pages also being infected with malicious JavaScript. The obfuscated JavaScript code is added before the original HTML code on all pages, making it much more likely to be blacklisted by Google. Here are a few examples:

Found on dailygizmonews.com

Found on malaysianaspiration.com

A mix of the 2 previous JavaScript codes

All of these examples result in the same HTML code, an IFRAME injection pointing to a malicious domain:

hxxp://fbyvdtydyth.myfw.us/?go=2
hxxp://tds46.lookin.at/stds/go.php?sid=1
hxxp://qerhkbdimoitvd5t.lowestprices.at/?go=2

Deofuscated code

Ironically, this malicious code might actually keep user safer. Since it is present on all pages, regardless of the HTTP Referrer, the entire website is flagged as malicious much more quickly by search engines.

French Budget Minister website hijacked

2012-04-18T16:46:00.000-07:00

We've seen an increase in hijacked websites in recent months, redirecting users to Fake AV pages, Blackhole exploit kits and other malware. While most websites hacked are personal sites, or University websites, some are more high profile.

http://www.performance-publique.budget.gouv.fr/ hijacked

The website of the French Minister of Budget (www.performance-publique.budget.gouv.fr) is an example of a high profile site that was recently hijacked. Obfuscated JavaScript was added at the top of the page. It is very similar to what we have seen on other websites. The obfuscation contains some tricks to break JavaScript scanning tools, such as making reference to browser objects, exceptions, etc.

Malicious JavaScript inserted on the hijacked site

The code creates an IFRAME to hxxp://nysbrtyjdjntytdrj7yn.rr.nu/?go=2. This address is not blocked by Google Safe Browsing at this time. I was not able to retrieve the content.

Deobfuscated JavaScript

The domain rr.nu has been widely abused. It has been linked to the Mac Flashback Trojan, previous Fake AV campaigns, etc.

budget.gouv.fr is not the only governmental website that has been hijacked recently. In the last three months, we have seen many hijacked government sites including:

Australia: library.cgg.wa.gov.au, ofv.sa.gov.au
US: cityofhampton-ga.gov, sandy.utah.gov, governor.virginia.gov, letsread.cobbcountyga.gov, mississippi.gov, etc.
Philippines: car.dost.gov.ph
Colombia: acuavalle.gov.co, risaralda.gov.co
Malaysia: ipharm.gov.my

Unfortunately, no website can be fully trusted anymore.

Search Engine Security for Google Chrome

2012-04-16T09:58:00.002-07:00

Google Chrome has recently added an API to modify HTTP headers. This in turns, made it possible to port Zscaler's Search Engine Security add-on from Firefox and Firefox Mobile to Google Chrome.

Search Engine Security on the Chrome Web Store

Most hijacked websites used for Blackhat SEO check the Referer header and the User-Agent, to decide whether to redirect the visitor to a harmless spam page or to a malicious domain (Fake AV page, Blackhole exploit kit, etc.). By modifying these 2 headers when the user leaves a Google, Bing or Yahoo! search, Search Engine Security fools the hijacked site into thinking that the visitor is not a real user and therefore avoids redirection to the malicious content.

Search Engine Security enabled for Google

All the work is done in the background, so it can be tricky to understand exactly what happens, or even if the add-on is working. We have therefore added a small note on the Google/Bing/Yahoo! search result pages to show you whether Search Engine Security is on (default settings) or off (disabled in the options): Zscaler SES on or Zscaler SES off.

Search Engine Security disabled on Bing

To understand how the the headers are modified, look for "referer mobilefish" in Google after you have installed Search Engine Security. Click on the first link "Mobilefish.com - Show my IP". The page will display your User-Agent string and Referer header. With the default settings, the string "slurp" is appended to your User-Agent, and the Referer header is removed. These changes are done only when leaving a Google/Bing/Yahoo! search page.

You can also enable/disable the various settings on the Search Engine Security options page to see how the User-Agent and Referer strings are affected.

Search Engine Security options

You can install Search Engine Security for Google Chrome in the Chrome Web Store.

Details of a "new" Fake AV page

2012-04-13T09:33:00.000-07:00

As I mentioned last week, more Fake AV pages are once again showing up in popular Google searches. Although these malicious pages look the same as they did 2 years ago, the source code is different.

The first thing you notice in the source code is that there is no obfuscation at all. The attacker is not trying to hide anything: CSS is inline, plain-text JavaScript (no obfuscation, no minification or packing) is inline, etc. That makes the pages very easy to track and block. Or it should....however, antivirus vendors are still not able to block the Fake AV executable with an acceptable level of accuracy. As you can see in the video, only 5 out of 42 antivirus engines find anything suspicious. You can easily download the executable with a simple wget command, so it is not hard to gather these samples

Download the malicious executable with wget

The source code is fairly simple. Another interesting fact is that Firefox is handled differently by the page compared to other browsers, meaning that different JavaScript code is run, but the end result is the same as on the other web browsers.

Fake AV page

The JavaScript function used to trigger the malicious file download is called google(). It creates an IFRAME pointing to the malicious executable, which triggers the download prompt without having to leave the page.

The google() function

The animations (blinking text, scanning progress bar, etc.) are all done with animated GIF files.

Overall,these Fake Av pages are low tech, very unique and very easy to track .... but still very effective. Desktop antivirus, often the only protection available to home users, generally fails to block the page and fails again to block the malicious executable.

PDF exploits targeted through Blackhole exploit kits.

2012-04-09T21:52:00.003-07:00

PDF exploits have been targeted by Blackhole exploit kits for some time now. The Blackhole exploit kit will deliver various malicious PDF files to a user if the victim is running a potentially vulnerable version of Adobe Reader. When these PDFs are opened through Adobe Reader, a known vulnerability is exploited which will then compromise the user’s machine.

Let’s look at the de-obfuscated portion of the Blackhole exploit kit. The exploit kit for this sample was delivered from “flightpub.net/l/src.php?case=46677c190b37f2d6”.

The de-obfuscated code above shows how an iFrame of 1x1 pixels is created to load a malicious PDF file residing at “./content/ap1.php?f=97d19::182b5” or “./content/ap1.php?f=97d19::182b5”, depending upon the version of Adobe reader installed. These two files are hosted on same the domain - “flightpub.net”.

The absolute paths of the malicious files are,

hxxp://flightpub.net/l/content/ap1.php?f=97d19::182b5 and
hxxp://flightpub.net/l/content/ap2.php?f=97d19::182b5

For analysis purposes, we can manually downloaded the aforementioned PDF files. The PDF files contain a JavaScript object, which contains obfuscated JavaScript, as shown below:

The JavaScript code loops through array ‘ar’ and converts each element of the array with logic included in function ‘test2()’. The de-obfuscated code targets a three year old vulnerability in Adobe Acrobat reader.

Let’s take a look at the some of the de-obfuscated code,

A stack based buffer overflow vulnerability exists in the ‘getIcon()’ method, which is detailed in CVE-2009-0927.

This vulnerability is widely targeted by various versions of the Blackhole exploit kit. I have seen different variants of the payload URL used to host these PDF exploits. The URL pattern changes with different variants of the exploit kit. The different URL path patterns seen so far are:

/content/ap1.php?f=97d19::182b5
/content/ap2.php?f=97d19::182b5
/content/fdp1.php?f=63
/content/fdp2.php?f=63
/content/adfp2.php?f=193
/content/adfp1.php?f=193

The common pattern in the above URL paths are ‘/content/’ and ‘.php?f=’. By identifying these common patterns one can write a network signature on URL strings to catch these malicious URLs.

Let’s take a look at couple of snort signatures for detecting these malicious URL’s.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;)

Most of the vulnerabilities targeted by various exploit kits are public. Making sure all of your applications are updated regularly with the latest security updates will go a long way in helping to keep your computer secure.

Pradeep

Blackhat SEO back in Google searches

2012-04-06T15:27:00.001-07:00

In 2011, Blackhat SEO links were pretty much absent from the most popular searches in Google. Instead, Blackhat SEO was used to target more specific searches. The technique heavily used to poison the searches for buying software online with hundreds of fake online stores.

Blackhat SEO

Things are starting to change in 2012. I ran some numbers on Google searches for the month of March 2012 and found:

117 malicious domains, including 66 serving Fake AV pages and 35 fake online store domains
1,142 spam/malicious links in Google searches, including 299 links leading to a Fake AV page

The number of new domains hosting fake online stores is slowly decreasing, I found only 6 new domains in March, but the number of Fake AV sites has increased significantly.

While Google search results leading to Fake AV pages used to be caused primarily by hijacked sites that were redirecting the entire site to a malicious domain, the current increase is due mostly to the targeted use of Blackhat SEO for popular searches, as it was in 2010. The big difference with current results compared to those in 2010 is that Google is doing a much better job at flagging these malicious links: 294 of the 299 search results leading to a Fake AV page were flagged by Google.

The spammers are still able to get their spam pages on hijacked sites to appear on the first result page for popular searches such as "puerile in a sentence" and "edhelper password".

Malicious link in first result page

The technique used is still the same. Websites are hijacked and new pages are added. Each new page is targeting a popular search term trending in Google Hot Trends. Pages from different hijacked sites are linked together to increase their rank.

As I mentioned in an earlier post, the Fake AV pages still look the same, but surprisingly, use new source code with no obfuscation in most cases.

Fake AV instead of Fake store

The second trend I see is the increase in Fake AV links in searches related to software sales, like "Buy Windows 7". This is something I noted last year. The increase in search results leading to malware (Fake AV pages and others) where you would usually find fake stores is alarming because Google has not yet cleaned up these results. None of the spam links sending users to fake stores are flagged by Google.

Search Engine Security

The best tool to protect yourself against Blackhat SEO is Search Engine Security, a free browser extension from Zscaler. It was available for Firefox only, but versions for Google Chrome (currently waiting for approval in the Google Chrome Store) and Internet Explorer will be available shortly.

Mac OSX Flashback Confusion and Hype

2012-04-06T12:25:00.000-07:00

We, like most in the security community, have been following the latest developments with the Mac OS X Flashback Trojan and it's exploitation of the recently patched Java vulnerability (CVE-2012-0507). This story has a lot of interesting twists and turns:

The Flashback Trojan is a relatively new Trojan family, appearing on the scene late last summer/early September 2011. Since it's inception, there have been numerous variants - moving from being a pure social engineering play (appearing to be a fake Flash update) to leveraging exploits. The rapid evolution of this family has made it a little confusing to stay on top of. There were reports of Twitter being used for C&C updates as part of an early March variant. However, it is unclear if this communication avenue was ever actually used by the botherder.
The latest variants of the Trojan, namely variant I and variant K, both exploit Java vulnerabilities- CVE-2011-3544 (Flashbak.I) and CVE-2012-0507 (Flashback.K). Oracle patched this latest vulnerability back in mid-February. Their CVSS risk matrix for this vulnerability can be seen below:
Apple initially released a patch for the vulnerability April 3rd, six weeks after Oracle and then quietly announced on April 5th an update to the patch due to a few issues:
Then there is the question of what the Trojan does/is doing. It has the capability to modify web pages (web-injects) viewed in Safari, based on a configuration file received from the C&C. However, it is not clear exactly what the web-injects will be used for. Similar functionality exists in many other bots, such as Zeus and is typically used to include additional form fields on banking sites to gather additional information such as SSN, debit card number, pin, etc.
Finally, there is the question of how widespread the infections are. Dr. Web has reported 550K infections. Which would certainly rank this among the largest botnets. Some have claimed the numbers to be over-hyped or mis-counted. However, Kaspersky recently published a blog confirming the and even upping the number to 600K+ after sink-holing a C&C.

From the perspective of Zscaler's Enterprise customers - we are indeed seeing Flashback infections, many of which include older variants of the Trojan. One C&C from an older variant for example that we are seeing, which has not been reported in the other stories is:

ASDFUH982HDODJC.COM

HTTP GET requests to this and other related C&Cs is done with a base64 encoded User-Agent (UA) that includes the CPU, hardware UUID, OS version, and other system/infection details - so each victim has a unique UA when connecting to the C&C. The latest variant does not appear to use this same UA encoding.

Most/all of the malicious ".rr.nu" sites on 95.215.63.38 that hosted malware associated with the attack, are now down (resolve to 127.0.0.1). Below is a screenshot of code from one website hosting the Java applet which exploited CVE-2012-0507:

The site meta-refreshes to a blank page if JavaScript is disabled or NoScript is detected and uses a cookie to mark whether or not to embed the malicious Java applet.

Doing domain/hosting analysis, other domains are believed to be related in the campaign not listed in the Dr. Web or F-Secure reports include:

bodyrocks.rr.nu
femalebodyinspector.rr.nu
johncartermovie2012.com

We are seeing a number of the related websites on 67.208.74.71 (InfoRelay Online Systems). There are a large number of interesting looking/suspicious domains that are or have have resolved here, including numerous ".rr.nu" sites.

While this has been an interesting and in some ways confusing (due to mis-information and hype) campaign to follow, we are not currently seeing an enormous number of infections. This may however be due to our enterprise customer base which tends to have a lesser Mac install base or better patch management processes. That being said though, another interesting bit of information comes from looking at Alexa data showing the list the top ".rr.nu" sites here (screenshot below):

All of the top sites are related to this campaign, for example:

ustreambesttv.rr.nu

femalebodyinspector.rr.nu

gangstasparadise.rr.nu

ustreamtvonline.rr.nu

mystreamvideo.rr.nu

youtubevideos.rr.nu

ironmanvideo.rr.nu

We'll close out with statistics on the browser plugins that we are seeing among our enterprise customer base. These stats were collected by querying the browser DOM during customer-logins, which allows us to identify browser plugins/extensions. We are currently seeing only about 6% of Enterprise systems with an out dated version of Java. Percentages of out-dated versions of Acrobat for example are much, much higher.

On-Going Dynamic FakeAV Campaign

2012-03-30T08:29:00.001-07:00

Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites. Digging deeper it appears that a malware campaign tied to massive WordPress compromises was the culprit. This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites. The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit. Some major infected sites that remain live include: psoftsearch.com and sql-plus.com (careful if you visit these sites as they are currently infected). We are in the process of reaching out to victim sites and assisting with handling the incident. Here are the initial details:

There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.

The pages accessed in the campaign includes:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d

Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/ (infected PeopleSoft search site)
-->
tank95ersfl.rr.nu/mm.php?d=x1
-->
tank95ersfl.rr.nu/n.php?h=1&s=mm
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/setup.exe

FakeAV page that dropped setup.exe:
MD5: 153ae4d1813c6d29a7809a62ff23f84c
VirusTotal reports 2/42 A/V vendors detect (very, very poor detection)

I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:

I refreshed the page, and sure enough the embedded link changed again. Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.

protectcustodianmonitor.info resolves to 64.120.207.106 (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to blacklist - there are numerous other FakeAV sites hosted here (see list below).

It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
194.28.114.103 and 194.28.114.102 used in an earlier Sucuri post on this.
March 27 it was: 195.88.181.112
March 30 (today) it is: 91.230.147.204

A number of pages on sites have been compromised to drive this campaign. For example:
www.psoftsearch.com
www.sql-plus.com
www.frozencodebase.com
www.megafuentes.com
www.sdamned.com
genaud.net
www.pumpkinpatchdaycare.in
indianmuslims.in

Infected websites have injected "eval(base64_decode(...));" statements in their wp-config.php and other WordPress .php files to communicate back to a command and control to retrieve a list of websites to inject these ".rr.nu" site inclusions into pages.

---

195.88.181.112 hosting information:

inetnum: 195.88.181.0 - 195.88.181.255
netname: INET4YOU
descr: PE Bogaturev Sergey Anatolievich
country: RU

person:          Bogaturev Sergey
address:         RU, Gornuy Shit, Komsomolskiy str.
phone:           +7(495) 324-35-69

route:           195.88.181.0/24
descr:           Subnet for servers and VPS
origin:          AS57621
mnt-by:          INET4YOURU-MNT

route:           195.88.181.0/24
descr:           Client_TC_WIFI
origin:          AS57189
mnt-by:          COMCORNET-MNT

---

91.230.147.204 hosting information:

inetnum: 91.230.147.0 - 91.230.147.255
netname: zuzu-net
descr: OOO "Aldevir Invest"
country: RU

person: Krutko Evgeni Yurevich

address: 192012, St.-Petersburg, Chernova ul., 25, office 12

phone: +7812850202

e-mail: aldevirinvest@lenta.ru

route: 91.230.147.0/24

descr: Route for DC

origin: AS5508

mnt-by: zuzu-mnt

---

protectcustodianmonitor.info domain information:

Registrant Name:Leah Carandini
Registrant Street1:54 Ridge Road
Registrant City:Cordalba
Registrant State/Province:QLD
Registrant Postal Code:4660
Registrant Country:AU
Registrant Phone:+61.733106403
Registrant Phone: gapes@cutemail.org

---

Other related FakeAV sites that resolve / resolved to 64.120.207.106:

agentcleanerrescue.info
agentkeeprisks.info
agentonlineinspector.info
areon-linescan.info
avdefendqueerprocess.info
cleanavcenter.info
cleanerspywaresecurity.info
cleanprotectionspyware.info
computerinformationthreat.info
controlpcon-line.info
controlsafetystability.info
datasaverprotect.info
debuggerrisksfirewall.info
debugscannerhazard.info
debugvulnerabilityfirewall.info
defenderoptimizermonitor.info
defendtasksspyware.info
delivererdangerkeep.info
delivereron-linepc.info
delivererpreventionthreat.info
delivererworms.info
detectdeliverertrojans.info
detectionprotection.info
efficiencyprotectordefender.info
guarantorthreatcenter.info
guarantorwarderdata.info
highcleantasks.info
inspectionprotectprotection.info
keepcenteron-line.info
keeperdetectormonitor.info
lowhighworry.info
lowwormstesting.info
microsoftdatacenter.info
optimizerscanningpc.info
perilsthreatworry.info
preventiondebuggercenter.info
protectcustodianmonitor.info
protectionvulnerabilityantivirus.info
protectorsolutionav.info
protectsecurityanalysis.info
protectwarderav.info
queerprocesscentersolution.info
queerprocessdetectionon-line.info
queerprocesshazardmonitor.info
reliabilitydefenderon-line.info
remedyscannerprevention.info
risksbrittlenesssafety.info
scannerfirewallrescue.info
scansupervisionprotection.info
securityavdebugger.info
solverqueerprocessinformation.info
solverremedylow.info
spywareantivirusworry.info
stabilitydatadetection.info
systemminimizeranalysis.info
taskssafetyremedy.info
testersolutionperils.info
warderdetectionkeeper.info
warderinspectionantivirus.info
warderrescuescan.info
windowsservantdefend.info
windowssolutionprotect.info
wormsdefenderagent.info
wormsminimizerdanger.info
wreckminimizerprotection.info

Anatomy of an on-going Malvertising Campaign

2012-03-28T07:30:00.006-07:00

During the course of investigating an open incident ticket with a customer, we uncovered what is a common occurrence on the web - legitimate sites linking in third-party content (often advertisements or banners) that ultimately drives the victim browser to an exploit kit.

Here is the chain of events that we observed:

User browsed to: www.thenewsvault.com
The site included content from: www.tvshark.com/read/?art=arc8755
Which included content from: www.tvshark.com/abritebtm300.html
Which linked in what appears to be an advertisement iframe: ads-svx.httpads.com/adserver/cached_iframe?guid=16ce4035-ded0-49c8-8515-8e234cbb2b8b
That loaded the "advertisement" rotator from: c1.zxxds.net, which includes a number of pages, the main one being: /jsc/c1/ff2.html?n=1721;c=3;s=4;d=9;w=300;h=250. Some online references show c1.zxxds.net as having a poor reputation, including involvement with adware.
The c1.zxxds.net site then loaded: chgdjk.info/nw87b6rh/counter.php?id=5 and a number of other pages on this domain which are allegedly exploit kit driven.
From the response size in the logs, we can see that the exploit kit payload page was: chgdjk.info/nw87b6rh/?11ecfa793c76017554490058535a0301030355535d5555090a05035456510f0a00;1;10

At the time of the transactions, chgdjk.info resolved to 208.76.54.210. Doing some Google searching, we found that the site TheTVDB.com linked in content (probably in the same way) to an exploit kit hosted on behtyg.info (208.76.54.210) - the same IP, reported March 12, 2012.

Looking up other domains that resolved to this same IP shows an interesting history of this recent, on-going campaign. These are some of the domains that resolved to this IP - most/all registered within the last few days, all have the same registrant info, but the emails vary (presumably to get around bulk registration checks):

Domain	Registrant Email
behtyg.info	srtyhe@mail.com
beokjr.info	afety@mail.com
bikegf.info	moyde@mail.com
byjeik.info	afety@mail.com
cehrty.info	centner@mail.com
cekioj.info	srtyhe@mail.com
cekuij.info	fendihy@mail.com
chertyu.info	qdesa@mail.com
chgdjk.info	zfert@mail.com
chtygf.info	nelius@mail.us
cmuijy.info	zfert@mail.com
dgeryt.info	qdesa@mail.com
ggtyut.info	srtyhe@mail.com
nehuikj.info	srtyhe@mail.com
nuekhg.info	zfert@mail.com
vejuyt.info	nelius@mail.us
zehryu.info	drijed@mail.com

Registrant Information:
Registrant Name:Filippovskiy Aleksandr
Registrant Organization:DOM
Registrant Street1:ylica Baymana. dom 9.korpys A. kvartira 106
Registrant Street2:
Registrant Street3:
Registrant City:yoshkar ola
Registrant State/Province:yoshkar ola
Registrant Postal Code:42400
Registrant Country:RU
Registrant Phone:+7.79276827596
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:

DomainTools shows that there have been about 1200 domains registered with this whois information (e.g., search by phone number). We're now seeing 199.59.166.86 used for resolution of the chgdjk.info domain (part of a Black Lotus Communications /24 netblock). Clearly a decent-sized and dynamic malware campaign currently leveraging malvertising to redirect to exploit kit sites.

Unfortunately our replay attempts have been unsuccessful at pulling down the malware content- to include using forged headers (such as user-agent and referrer) as well as beginning from the initial transaction chain. This is a common problem when analyzing malvertising incidents - since the malware is injected as part of an advertisement rotator site, it is difficult to replay as the advertisements and key variables used to drive the advertisement (in this case malware) may change. We will update if there are additional details.

My experience wirting an add-on for Internet Explorer

2012-03-27T15:30:00.000-07:00

I've released my first add-on for Internet Explorer and I've almost finished a second one. Developing for Internet Explorer was a very different experience than developing for the other browsers I've worked with before - Firefox, Firefox Mobile, Google Chrome, Safari and Opera.

Overall Architecture

Internet Explorer extensions are called Browser Helper Objects (BHO). They are libraries (DLL) implementing a specific interface. They must be registered as a BHO through a registry key in order to be used by Internet Explorer.

The BHO is loaded per tab or window, meaning there is no built-in communication between tabs/windows. BHOs can interact with the browser and the document through native code or injected JavaScript.

BHOs can be written in C++, C# or VB.Net. Since I'm most familiar with C#, this is the language I've used. Unfortunately, there are many limitations with .Net based BHOs:

The BHO name, displayed in the Internet Explorer "Manage Add-on" page, displays the namespace of the application. I could not therefore display "Zscaler Safe Shopping", so I had to cheat and use Zscaler as the namespace, and SafeShopping as the main class name to display "Zscaler.SafeShopping".
Many important functions are not implemented in C# and unmanaged C++ code has to be imported.
Internet Explorer is very picky about performance - if an add-on takes more then 0.20 seconds to load, IE suggests to users that they disable the plugin (see more details below). Due to the fact that .Net add-ons require IE to load the .Net framework, it is pretty much impossible to stay below this limit.

Because the extensions are comprised of compiled code, I could not download extensions to check out their source code as examples, unlike extensions for other browsers, which are written in JavaScript. In addition, Microsoft has only high-level documentation about BHOs and very few code examples (with most leveraging C++).

Protected mode

Starting with Windows Vista and Internet Explorer 7, Internet Explorer works in Protected Mode by default. This means BHOs are limited in the places they can read/write to disk and read/write to the registry. You need to call special functions to know where you are allowed to write to the disk, but these functions are available in C++ only. I had to use a mix of hardcoded values and unmanaged C++ DLL import to add all necessary functionality.

Because there are no built-in debugging functions to understand what is going on inside the extension, and limited documentation from Microsoft, it took me quite a while to understand how to deal with Protected Mode.

Inconsistent environments

On other platforms, extensions are relatively compatible between browser versions and operating systems. With Firefox extensions, for example, it doesn't matter if the browser is running on Linux, Windows 95 or Mac OS X. These browsers are also very good at maintaining forward compatibility: extensions working on one version usually work fine on newer versions of the same browser. Internet Explorer is a different beast.

Some of the API belongs to the Windows OS, while other portions belong to Internet Explorer. For example, Protected Mode exists on IE 7 on Windows Vista, but not on Windows XP. The API to manage disk access is also different on the two OSs. Calling Windows Vista's API will crash Internet Explorer on Windows XP, for example. Add-ons are definitely not forward compatible.

Some API calls also get "randomly" broken. For example, the event BeforeNavigate2 is broken on Windows 7. This was reported during for Release Candidates, but never fixed and the event is not triggered anymore.

No love for extensions

Microsoft does not seem to have much love for browser extensions. In fact, I think they actually hate them!

There is no good website to download IE extensions. The official Microsoft website, Internet Explorer Gallery, contains very few extensions. Add-ons are not even shown on the front page, instead they promote pinned sites (introduced with IE 9)

Developers don't get much love either. In addition to the problems and limitations listed above, the add-on infrastructure in Internet Explorer is very weak. Developers have to write their own installer to install and register their BHOs. They also have to write the uninstaller, as IE lets users disabled BHOs, but not uninstall them. There is no simple way of adding an option page for to configure the extension either.

If this was not enough to discourage add-on developers, IE regularly asks users whether they want to uninstall add-ons. Even if all add-ons are loading under 0.200 seconds, Internet Explorer still suggests that the add-ons be disabled to improve the start up time!

A Bad Reputation

BHO is a dirty word. If you look for BHO in Google, most search results are about how to remove malware installed as a BHO.

Users are also more wary, as they should be, of downloading executables that must be executed outside of their browser, and require Admin rights to register themselves, as opposed to Firefox .xpi files, which are handled entirely inside the browser.

References

If I have not yet discouraged you to write a .Net BHO, here are a couple of references I used:

StackOverflow: the BHO tag has only 249 questions, but still a good source of information
The Code Project has several tutorials and code samples
vcsjones with 5 blog posts about managed BHO
Free VPC images to test your add-on different versions of Windows and Internet Explorer
MSDN documentation of the WebBrowser class

"Super Bowl" and "March Madness" in the Enterprise

2012-03-20T11:00:00.007-07:00

3/26 Update: I was approached and asked to run stats to do a bit of comparison and contrast with Sports traffic from last year - with the goal in mind to identify if there was a noticeable percentage increase in Sports (March Madness) this year compared to last year. There was a two day difference from March 2011 to 2012 for the tournament dates - these are noticeable in the tracked stats. The data shows only a slight increase (<1%) in March Madness traffic this year compared to last year - in general this appears to be a fairly static and expected event within Enterprise traffic.

With the Super Bowl in early February and the NCAA basketball tournament ("March Madness") sports are a major focus of attention in Quarter 1. That means a lot of bandwidth consumed by the enterprise and time spent by employees on this subject. One report calculated that an estimated $1.7B is to be lost in productivity at the office during this March Madness. Even if sports are not your thing, you may find yourself participating in an office pool surrounding the Super Bowl or March Madness. When I was filling out my bracket this year, I found myself on some "gambling" web-sites to do some quick research on team odds in the tournament (not that it helped my bracket any). I was curious how much bandwidth we saw across our enterprise customers related to sports and gambling for these major Q1 sporting events and to also see if there was any correlation. For those interested in tracking this subject, here are my findings from our large, diverse, enterprise customers:

The above blue line represents gambling traffic as a percentage of its total seen thus far for the quarter, and the red line is sports traffic as a percentage of its total seen thus far for the quarter. The cyclic nature of our data-set is because this is from our enterprise customers -many of which have less employees working on weekends. (Date periods are related to PST time)

There were not large noticeable spikes in sports or gambling traffic observed in the enterprise during the NFL playoffs or Super Bowl - likely due to the fact that the NFL games are on the weekend and toward the end of the season may have a more regional versus global fan base.

However, there was a very noticeable increase in traffic surrounding March Madness - particularly during the 2nd round of games, several of which are televised during US work hours. Specifically the start of March Madness had about a 74% increase in sports related traffic from the Super Bowl.

Throughout our Q1 data-set we see that gambling closely follows the traffic patterns related to sports. In the case of the noticeable spike in sports traffic, we see a similar related pattern increases in gambling traffic. One major exception related to gambling was the period of Feb 20 -22. While most of the baseline gambling traffic are online casinos and gambling affiliates -- looking more closely at the website paths visited related to gambling within this period determined that this anomaly was caused due to the ICC Cricket World Cup in which many of our Australian and Indian customers were following the games.

Chances are that traffic from your enterprise participated in one or more of these events during this Q1.

Zscaler Safe Shopping for Internet Explorer

2012-03-19T09:45:00.002-07:00

Zscaler Safe Shopping, the browser extension that warns users when they visit a fake store or compromised store, was Firefox, Google Chrome, Safari and Opera. It is now available for Internet Explorer 6 to 9 (Windows XP, Vista and 7). This is the first extension we released for Internet Explorer, and hopefully not the last one. You can download it here.

Zscaler Safe Shopping warning in Internet Explorer

Fake stores are still prevalent in Google searches for buying software online. If you get redirected to one of the fake store, a banner will be displayed at the top of the page to let you know the the website is not safe. We update the blacklist of fake and compromised stores regularly.

Browser Helper Object

Internet Explorer extensions are called Browser Helper Object (BHO). Unlike all the other major browsers, the add-on infrastructure in Internet Explorer is very incomplete. Internet Explorer does not offer a way to easily install add-ons, to update them, or to configure them. Instead, add-ons are treated as regular Windows program. Zscaler Safe Shopping comes in the form of executable to install and register the BHO. You can disable add-ons from within Internet Explorer, but you have to use the Control Panel to remove them completely from your system.

Zscaler Safe Shopping installer

Zscaler Safe Shopping installed

The executable required administration rights to register itself as an Internet Explorer add-on by modifying the registry. Although the add-on appears in Internet Explorer right after the installation, a restart of Internet Explorer is required to activate the plugin.

You can download Zscaler Safe Shopping from our website.

I will talk more about developing BHO in later posts.

Malware campaign targeting Opera Mobile

2012-03-14T12:53:00.000-07:00

I've stumbled upon hundreds of links targeting Opera Mobile users, to trick them into installing a malware on the device.

The links are in the form of:

hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08b6387d0441a9d949bb95

Each has a different phpsessid value. The domain was registered last month (02/12/2012) and does not seem to host any legitimate content.

These pages redirect to another domain, mskmarkets.ru (hxxp://mskmarkets.ru/l.php?l=o4&r=2695&a=29#phpsessid=afe9720a74a56800a2bd682b171e9914) where users are warned in Russian that their browser is out of date:

WARNING! An update your browser!

Your browser version is outdated, your phone is at risk of infection by dangerous virus!

We strongly recommend that you upgrade your browser. To update, click Update.

hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08b6387d0441a9d949bb95

Note that a Google Chrome favicon is used and the page leverages the same theme and icons as Opera Mobile. The source code has multiple references to Opera (CSS, links, etc.) and targets WAP-enabled devices.

When the user clicks on the Refresh button, the file browser_update.jar gets downloaded (and possibly installed, I don't have the right device to test). This malicious Java application is currently flagged by 8 of 43 AV engines as an SMS sender. This type of malware is very common on mobile devices. They are used for spam or contact surcharged phone numbers.

According to Wikipedia, Opera has a huge market share in Russia and Eastern Europe, with more than 36% of the browser market (only 2.7% world-wide).

With the lack of effective AV and other security tools on smartphones, especially on low-end devices, mobile users must be very careful about downloading and installing applications, especially outside of the official app stores.

Free provider x90x.net hosting numerous Facebook phishing sites

2012-03-13T10:08:00.000-07:00

In the long history of free hosting and DNS providers abused (co.cc, pastehtml.com, etc.), x90x.net can now be added to the list, as it is being used to host many Facebook Phishing sites in a variety of languages:

faceb000k.x90x.net
jebemtakra-pisdfa-asdasdsds-ddfs.x90x.net
mesnaindustrija-goranovic-m-e-s-n-a.x90x.net
dft3.x90x.net/fbcd.html
d3xt0pcr3w.x90x.net
etc.

www.mesnaindustrija-goranovic-m-e-s-n-a.x90x.net

d3xt0pcr3w.x90x.net

dft3.x90x.net/fbcd.html

x90x provides free hosting on their sub-domain

A little bit more research showed that many other types of scams and spam content are hosted on x90x.net sub-domains. Here are a few of them:

Fake Google page

mygoogle.x90x.net

This site does not appear to be functional.

Links to Canadian Pharmacies

vmdygoa.x90x.net

forex.com phishing site

jasf.x90x.net/tag/chase/

Porn (no screenshot!)
and much more....

The hosting provider is also used by legitimate sites. It is very risky to host any important website with a free provider which is going to get abused over and over. co.cc has been blacklisted by Google Safe Browsing in the past, meaning all Firefox/Safari/Chrome users were prevented from visiting any of the websites hosted under co.cc. I believe that a $10/year domain name is really a must for any website. Do not rely on a free domain such as those provided by x90x.net that could soon be blacklisted.

"Check who is visiting your profile" scam on Russian social network Vkontakte

2012-03-07T10:18:00.000-08:00

Vkontakte is the Russian equivalent of Facebook and has been criticized for being a direct "clone". Well, scammers are "cloning" the most popular Facebook scams and porting them to this Russian platform as well.

One recurring scam, used to trick people into giving up credentials to their Facebook account, or executing a cross-site scripting attack against themselves, has it's equivalent at Vkontakte: hxxp://gosti-vk.p7h.in/?r=3262.

Here is a screenshot of the page translated into English:

Scam site

The site claims to be an official Vkontakte application (with a .in TLD!). The page uses the same logo, layout and colors as the official site. The fake user testimonials explain that they have found likely lovers checking out your profile.

You need to give your ID or profile link (no password required) to let the "app" figure out who is viewing your profile:

Form (translated in English) to enter user ID

I inserted a fake name (in English) and the app miraculously found 7 people who had looked at my profile!

Name of people who visited by non-existent profile

Before I had time to click on any links, I was also asked to enter my cell phone number to ensure that I was indeed a human:

Phone number must be entered

This is where the Russian scam differs from the Facebook scam. In the US, scammers try to get users to fill out surveys, install spyware or try "free" offers. In Russia, as shown in other scams, scammers make money by sending SMS messages with a surcharge.

Are Pinterest "Pin it" going the way of Facebook "Like"?

2012-03-05T09:29:00.000-08:00

Pinterest is a new social network that has been getting a lot of press lately. Basically, Pinterest is a virtual board, where users can pin things they like online. They can share the content with their friends, follow other people, etc.

My Pinterest board

Like Facebook, Pinterest users can add items to their board from the website, but also by clicking on "Pin it" widgets set up by webmasters on any website, which are equivalent of the Facebook "like" widgets. Any new pin shows up as a notification for all people following you. Although Pinterest is very new (you need to first apply for an invitation to get your login after a couple of days) and has a small number of users, spammers are already abusing the "Pin it" widget.

This week, I found spam campaigns at pinterestpromo.info and giftinterest.com that use Pinterest as the main tool to propagate scams.

pinterestpromo.com

The scam is very similar to some previous Facebook spam campaigns: users have to click on the "Pin it" widget in order to receive a free iPhone or iPad. On these two sites, scammers have used a fake "Pin it" widget rather than the official widget code.

After clicking on the widget, the site redirects to another website, such as:
http://www.giftsforshoppers.com/aseg-1142?trkSessID=195212565&dLID=5084&pRdrTrkID=667421271&skipExit=[skipExit]&pLeadEmailAddress=[pLeadEmailAddress].

www.giftsforshoppers.com

The scam is the same as one that I described last week for a Groupon scam: the visitor has to fill out surveys or trial offers in the hope of getting a gift card or some other gadget.

Any website with features to spread links quickly to a trusted group of people is doomed to be abused by spammers.

Fake AV: .ru sites used for redirections

2012-02-28T09:49:00.000-08:00

This past month, I've seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involves three separate phases:

The hijacked website redirects users coming from a Google search to an external domain.
A website redirects users to the Fake AV page or to a harmless site (mostly bing.com and google.com) depending upon the referer in step #1. This page adds a cookie using JavaScript, and reads it immediately, to make sure the page was accessed by a real browser that supports both JavaScript and cookies.
The fake AV page is delivered.

Hijacked sites

I demonstrated last year that the Blackhat SEO attacks had migrated from the most popular searches to more specific searches like buying software online where up to 90% of the links returned are malicious. It comes as no surprise that about 95% of the hijacked sites were found for searches like "purchase microsoft word", "achat windows" ("buy Windows" in French), "precio office 2007" (Italian), etc.

There were 12 hijacked sites being used, with 3 domains representing 90% of the hijacked sites redirecting to a fake AV page:

politicalcampaignexpert.com (WordPress)
www.extralast.com (WordPress)
www.ukresistance.co.uk (blocked by Google Safe Browsing)

Redirection site

The domain used to redirect users from the hijacked sites to the fake AV pages are all .ru sites, with the same URL path:

bannortim-qimulta.ru/industry/index.php
daliachuuaroyalys.ru/industry/index.php
bannortim.ru/industry/index.php
uaroyalysdaliachu.ru/industry/index.php
uaroyalys.ru/industry/index.php
etc.

This page is used to differentiate between real browsers and bots or scanners. It uses JavaScript to write a cookie, and then reads it immediately thereafter. If the cookie is retrieved, the visitor is redirected to a malicious site, otherwise they are redirected to Bing or Google. Here is the snipped of the source code:

JavaScript and Cookie support test

Fake AV page

Attackers are getting lazy! The fake AV page looks the same as it did two years ago and the source code of the page has barely changed. Fake AV pages used to change every 2-3 weeks when they were found all over the most popular searches, now they are remaining stagnant for six months. Here is the video that shows the Fake AV page in action:

As you can see in the video, the malicious executable is detected by 14 of 43 AV vendors.

Hopefully, one day Google will clean up the search results related to buying software as they did for the most popular searches. Until then, many users will end up on fake stores, fake AV pages or other malicious sites.

Groupon scam site

2012-02-21T13:47:00.000-08:00

groupon500.com was registered in Feb 20, 2012. The home page for the domain claims to offer a free $500 voucher for Groupon or LivingSocial, another popular daily-deal site.

groupon500.com

Users must fill out a form with their information, including a phone number:

users must share their information

To get the $500 voucher, the user must complete one offer: buy Disney Books, try a tooth whitening, etc. And with one more offer completed, they can even get a free iPod Touch!

One or more offer must be completed

The site earns money by getting users into "free" trial offers where users are charged without realizing most of the time.

The saddest part of all - this is perfectly legal. groupon500.com was published by RETAILBRANDPRIZE.COM. Search for this name in Google and you will find no shortage of people complaining about various scams.

The Privacy information, Terms and Conditions and small print are clear on what is occurring, although must users will of course ignore them. The vendor uses personal information "to provide your contact information to our marketing partners", "By Participating, You Expressly "Opt In" to "Receive Information And Grant Us Permission To Share Your Information", "Completion of reward offers most often requires a purchase or filing a credit application and being accepted for a financial product such as a credit card or consumer loan. ", etc.

If it is too good to be true, it's probably... a scam!