Zscaler Research

DreamHost: hijacked websites redirect to Russian scam

2012-02-03T18:07:00.000-08:00

Following the Dreamhost hack, that was revealed this week, many websites hosted by the company have been hijacked to redirect users to a Russian scam page.

I've identified hundreds of websites hosted by DreamHost that contained a PHP page redirecting to hxxp://www.otvetvam.com/. Here are a few examples:

http://www.lciva.com/wp-content/plugins/extended-comment-options/gyrewnv.php
http://honorboundphoto.net/photos/10007-mankato_habitat_for_humanity_golf_tournament/agtruje.php
http://ryanmasters.ca/wp-content/gallery/our-kingdom/thumbs/tyiueg.php
http://treatmentofpanicattacks.com/wp-content/cache/supercache/www.treatmentofpanicattacks.com/category/anxiety-support/polzin.php
http://r4theband.co.uk/content/wp-content/themes/agregado/includes/cache/gyrewnv.php
http://dedehaluk.com/cache/hakkinda/fgjke.php
http://www.agustindondo.co.uk/yellowbrick/wp-content/files_flutter/modules/fgjke.php
http://dcstavclub.org/wp-content/themes/newzen_2.0_build_105/images/fgndnju.php
http://camtarn.org/gizmoblog/content/06/03/entry060305-180312/comments/fgjke.php
http://derek.hinchy.org/MT-5.031-en/mt-static/support/theme_static/professional_website/themes/professional-green/polzin.php
http://ojosdelmundo.dreamhosters.com/images/comprofiler/gallery/tghreig.php

otvetvam.com promotes a common "get rich working from home" scam. On the left side, all links point to the same collection of fake testimonies from people purporting to have made plenty of money using the system.

hxxp://www.otvetvam.com/

The right side of the page, looks like Adsense ads from Google (same font, same colors, layout, etc.), but they are all links to www.tvoitube.com. This is a YouTube look-alike site, which contains a video shown promoting an online gambling site (www.cristal-casino.com).

Fake Russian YouTube site http://www.tvoitube.com/

www.otvetvam.com copied the layout of the popular Russian site, mail.ru. The source code actually reveals that the page was created from http://otvet.mail.ru/question/59882991/, which has now been blocked by mail.ru.

The hijacked sites now redirect to other websites including ru-0tveti.com, ru-0tveti1.com, etc. These domains were registered on 01/25/2012, but no websites are yet hosted at the domains.

I'm sure this is just the beginning of massive abuses on websites hosted by DreamHost.

MSUpdater Trojan and link to targeted attacks

2012-01-31T06:47:00.000-08:00

This blog post is based on a joint report by Zscaler and Seculert (their blog post). Researchers from both companies separately identified attacks which used a remote access tool (RAT) malware that apparently targeted defense-related organizations. With joined forces, we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present.

Figure 1: Screenshot of Report Heading

The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C).

Figure 2: Screenshot of Example Conference PDF "Lure"

The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as, downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan.

Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators. Further details of this information can be read within our joint report. The mission of this report is to inform organizations and security executives about these threats, and assist them in detection and mitigation.

Introducing Project Zulu

2012-01-25T15:21:00.000-08:00

I want to personally and publicly thank Julien, Pradeep and Mike for all of their hard work over the past several months, to make today's launch of Project Zulu a reality. Zulu is a completely free service, open to anyone, which allows people to determine the risk posed by a particular web resource.

Zulu Launch Banner

Our goal in building Zulu, was to provide a simple and straightforward interface accessible to anyone regardless of security knowledge, while still delivering granular results that are of value to those that are more security savvy. I believe we've achieved this by providing a UI that requires no additional input beyond the UI to be analyzed, while allowing a few necessary advanced options, (User-Agent and Referer) when encountering malware triggered only when certain input variables are met. Results also display an overall ranking of Benign, Suspicious or Malicious, but also include details of elements that went into the overall score.

Zulu User Interface

We were also determined not to deliver a 'me too' project as there are already a number of great security projects available. Services like VirusTotal, Anubis and Wepawet for example, are invaluable tools when running specific tests (multi-AV, JavaScript/PDF analysis and sandboxing respectively). However, most projects such as these tend to focus on a specific threat or type of analysis. With Zulu, we sought to combine our own proprietary scanning techniques, with the great open source intel. that is available, to provide a broad view of the overall risk posed by virtually any web resource. We also look not just at a specific aspect of the resource, but instead, separately focus on determining risk for the content, URL and host separately, which is then combined into an overall risk score. For each component, we employ the following approaches:

Zulu results for Zeus Related Malware

Content – Page content is scoured for the inclusion of potentially malicious code leveraging proprietary Zscaler algorithms, conducting heuristic tests and querying public sources.
URL – The requested URL is tested against known suspicious/malicious patterns, public black/white lists, as well as historic risk assessments for subdomains, domain TLDs, file types, etc.
Host – Historic reputations of the host IP address, Anonymous System Number (ASN) and geographic location are analyzed, along with suspicious behaviors displayed by the host in question.

A unique benefit of this approach is that we can deliver a risk score even when the page content is no longer available. While we can't access the page, we can still assess the URL and host and when they deliver a high risk score despite a lack of page content, one can often conclude the page was indeed malicious but has since been taken down. We also provide full access to historical scan results for the same resource. This can often uncover when a page first became infected and when it was subsequently cleaned up.

Why would Zscaler, a commercial entity, release a free tool? I'm sure that companies release free tools for a variety of reasons and ours are quite straightforward. Obviously Zulu provides a marketing benefit, but beyond this, it permits ThreatLabZ great freedom to experiment with new detection techniques. We plan to use Zulu as a proving ground for our great ideas (and yes, that makes you our guinea pigs). The benefit to you is that you're able to leverage some of our latest and greatest techniques. Moreover, you may well analyze a malicious web site that we haven't seen before. In the end, we hope that you find Zulu to be a valuable tool to combat web based threats and we certainly welcome your feedback at zulu[at]zscaler[dot]com.

One last thing. Why Zulu? Well, the Zulu warrior was a formidable foe, but more importantly, Zulu warriors represented a citizens army. Not a standing army, but one that came together and fought valiantly when faced with an impending threat to their society. We view our Zulu as a tool for for a citizen army combating malicious content. Everyone can use it and everyone benefits from historical results. Join the army!

- michael

Fake missing plugin warnings used for spam/spyware

2012-01-25T15:00:00.000-08:00

A key element for a successful spam/malicious page is to establish trust with the visitor so that he will perform the requested actions. Users trust their browser, but not necessarily the content (i.e. web page) that it displays. A trick that I've blogged about earlier, is to fool the user into thinking that certain elements on the page are actually from the browser.

Recently, I've seen several websites showing a fake warning for a missing plugin. The fake warning is designed to look the same as the real warning shown by Firefox when the page requires a plugin that is not installed: a yellow bar at the top of the page with a link to install the plugin on the right, and a blue icon on the left.

Legitimate Firefox warning for a missing Adobe Shockwave plugin

On allostreaming.biz (French language), the fake warning is for a "missing" VLC plugin. You can tell that the warning is part of the page, and not part of the browser, because the scroll bar goes to the top of the warning, whereas the real warning is above the scroll bar (see the image above).

Fake warning for missing plugin

A look at the source code shows that the warning is indeed HTML from the page:

HTML code for the fake warning

The "VLC plugin" is the classic pay-per-install bundle, where the spammer gets paid for tricking the users into installing spyware/adware.

The spammers are using the same fake warning on all browsers, which is also a giveaway as browsers other than Firefox don't actually have the same warning for missing plugins. Anyway, the attack will likely fool users of other browsers into installing this adware/spyware.

Zscaler keygen: beware of what you are looking for

2012-01-20T09:50:00.000-08:00

Some searches yield more dangerous results than others, for example, looking to buy software online has a 90% risk of bring you to a fake store and free software might not be free of adware/spyware. Looking for 'warez' is another risky query.

Last week, I received a Google alert for "Zscaler Likejaking Prevention 1.1.2 for MAC keygen serial crack Apple registration code activation". Given that Zscaler Likejaking Prevention is a free tool that we provide, it certainly doesn't need a keygen utility!

hxxp://mycleverlab.com/zscaler-likejaking-prevention-1-1-2-free-download.htm

The download link brings the user to firstclass-download.com. Downloading this specific file requires an account on firstclass-download.com which costs $1.99/month, plus a $69.95 one-time fee! At best, this money will allow you to download what is already available for free on multiple websites (Zscaler, Mozilla add-ons, Softpedia, etc.). At worst, users are paying to get a malware or spyware.

firstclass-download.com

This is the same technique I described in an earlier post related to Blackhat spam SEO. There are a lot of websites similar to mycleverlab.com. A search for "Zscaler keygen" shows many sites using the same trick: wacky-wii.com, dwlfile.com, zengenix.com, cracksguru.com, zengenix.com, etc.

Always go to the official source to download any software. If you want "Zscaler Likejacking Prevention for MAC", go directly to Zscaler's website. No need to pay for what is already free!

SOPA Protest: Wikipedia Traffic Trend (updated)

2012-01-19T10:11:00.000-08:00

Updated 1/19: we have updated charts and the narrative to reflect all of 1/18 (protest timeframe) data and the first 10 hours of today. The last graph shows about a 365% increase in visits to their SOPA Initiative page and >77% increase across SOPA related page visits during the protest - this visually shows the success of Wikipedia's protest in which it is successfully spreading their message and educating visitors on SOPA. The middle graphs visually show an increase in unique visitors, while the number of transactions per visitor decreases throughout the protest - a phenomena that we have called "online rubber necking," in which visitors are there to see the protest page and perhaps inform themselves about the issue but are not accessing the site in the "normal" manner in which many more pages/media files are accessed.

If you want a quick way of increasing traffic to your website - change or take down portions of your website in protest ... at least that is what we have gleaned from today's (1/18) Wikipedia protest against SOPA. There will likely be other blog posts and stats released on the results of this and other cyber protests - here is what we have seen from traffic thus far that has passed through one of Zscaler's clouds.

We observed a noticeable percentage increase in the unique visits (by client IP address) to Wikipedia comparing the protest timeframe to the surrounding dates:

However, these additional visitors are not incurring that much more bandwidth for Wikipedia - we have noticed only a slight percentage increase in Wikipedia web transactions today. See the chart below to see the slight increase in number of transactions per hour:

We can combine the two above graphs into a graph of transactions per unique visitor, and we see that this is much smaller today. This suggests that more people are flocking to Wikipedia today, but just to see the protest page and some details on SOPA. This behavior could be described as "online rubber necking".

We observed significantly more visits to Wikipedia's main page and SOPA Initiative page than the surrounding dates - further corroborating our above statements:

From the above stats we are able to visually represent the Wikipedia protest and the Internet community's "rubber necking" behavior in which the number of visitors increase but the transactions per vistor decreases. While not the goal of Wikipedia's protest, from a media and public relations standpoint these types of Internet events can stand to be beneficial or even lucrative. This last graph shows a large volume of people checking out the protest page. However, there too was about a 365% increase (going from about 16% to 75% of the visits) in visits to their SOPA Initiative page and >77% increase (going from about 9% to 16% of the visits) across SOPA related page visits during the protest - this visually shows the success of Wikipedia's protest in which it is successfully spreading their message and educating visitors on SOPA. I would expect that this may be a sign of the times to come given the successful results of the protest on the Internet and that the message was received on Capitol Hill (reference on which Senators dropped support for SOPA).

Popularity of Exploit kits leading to an increase in compromised websites

2012-01-16T20:54:00.000-08:00

The dominance of exploit kits like Blackhole, Incognito and others, continues to be seen in the wild. Attackers continue to use these exploit kits to generate malicious webpages and host them on various domains. These exploit kits usually targets browser and browser plugin vulnerabilities.

To increase the likelihood of a successful attack, exploit kits are commonly used to infect legitimate sites that already have significant traffic. Attackers achieve this by crafting scripts designed to identify sites with injection vulnerabilities, which allow for hidden iFrames to be written, which then point to the exploit kit URL. When users visit the infected sites and are redirected to the browser exploit kits, a known browser or plugin vulnerability is typically used to download and execute malicious content without user knowledge. You can visit this related blog for more information about iFrame injection in detail.

Recently, I’ve seen a spike in such compromised sites, which lead to exploit kit URLs. In most cases, the JavaScript code containing the hidden iFrame is heavily obfuscated. Different exploit kits have their own techniques to obfuscate malicious code. Let’s take look at a couple of examples and their respective de-obfuscated code.

iFrame leading to Incognito exploit kit
URL: hxxp://www.snapstudios.net/kitchen-set-hidden-behind-the-cupboard.html

Obfuscated code:

The aforementioned obfuscated code was injected at the start of the webpage. Let’s deobfuscate the code to make sense of it.

De-obfuscated code:

You can see that the deobfuscated code generates a hidden iFrame with the ‘src’ attribute being assigned the exploit kit URL. Generally, the visibility of the iFrame is kept hidden and dimensions are kept to a minimum, which ensures that the iFrames don’t alter the look and feel of the page.

Exploit kit URL: hxxp://racingengines.osa.pl/showthread.php?t=63942072

After observing patterns in the exploit URL, one can determine that this URL belongs to the Incognito Exploit kit.

Suspicious URL Pattern: “/showthread.php?t=”

Search results for the above pattern at www.malwaresomainlist.com confirms that URL belongs to the well known Incognito exploit kit. The exploit kit URL is still active but currently not delivering the malicious code. Visit this blog on Incognito exploit kit for more details.

iFrame leading to Blackhole exploit kit
URL: hxxp://steelrode.com/

Obfuscated code:

De-obfuscated code:

Exploit kit URL: hxxp://brighttz.com/main.php?page=dac9bd89165e2708

Suspicious URL pattern : “/main.php?page=”

Search results for the suspicious pattern at www.malwaredomainlist.com can be found here. The exploit kit URL is not currently active. We have been writing about the Blackhole exploit kit for some time. At present, this seems to be the favored exploit kit amongst attackers. You can find more information about the Blackhole exploit kit here.

Fortunately, the aforementioned exploit kit URLs have been blocked by Google Safe Browsing. A sample Google diagnostic report of the Incognito exploit kit URL can be found here. While conducting research I came across a number of such compromised websites on a daily basis. Attackers continually alter obfuscated code to ensure that it is not yet detected by popular AV/IPS/IDS vendors. This keeps them one step ahead in this ongoing game of cat and mouse.

To conclude, I would like to say,

“The growth in compromised websites is directly proportional to the growth in popularity of different exploit kits”.

Pradeep

An example of likejacking (Facebook clickjacking)

2012-01-10T10:05:00.000-08:00

Last year, we released Zscaler Likejacking Prevention, a free browser extension to protect users from clickjacking leveraging Facebook widgets. Since then, I've seen many websites using Likejacking as their "business model" (i.e. this is how they get traffic to their spam site).

Usually, these spam websites try to get the user to click on a specific area of the page where they have hidden one or more 'Like' buttons. Recently, we found a website where the hidden Facebook 'Like' button follows the mouse throughout the page. No matter where you click, you hit the Like button.

Hidden Like widget follows the mouse

The technique to hide the button, has however been seen previously. There are hidden DIV elements with the opacity set to 0.0.1, which makes them transparent, although they are in the foreground. The position is set to absolute so that it can move anywhere on the page.

Here is a video that explains how it works:

You can get the free Zscaler Likejacking Prevention extension for Firefox, Google Chrome, Safari and Opera on our website.

Google serves ad for Adware/Spyware

2012-01-03T16:09:00.000-08:00

Last year, we wrote about Bing and Yahoo! serving ads leading to malicious websites. This week, it was Google who inserted ads for adware/spyware.

I found a suspicious ad in my Google Reader for a free FLV player. I've recently shown that this type of free software is regularly repackaged with adware/spyware for profit.

The ad leads to a download page for FoxTab FLV Player. There is a disclosure statement at the end of the page discussing the content of the bundle: "This product is totally free and offers the user additional bundle products that may include advertisement."

FLV Player download page

The adware/spyware is flagged by only 4 antivirus vendors out of 43. A behavioral analysis of the executable provided much more information about packages that were downloaded and ports open on the machine, etc.

The ad was found on the RSS feed of a security company specialized in cleaning up infected websites. This highlights the fact that even reading content from otherwise legitimate resources can inadvertently lead users to unwanted applications when sites include third-party elements (JavaScript driven ads in this case, but also IFRAMES, widgets, etc.) that they do not not have control over. Even trusted third-parties like Google are apparently not succeeding in delivering 100% adware/spyware free content to users.

Happy New Year 2012!

Web threats: trends and statistics

2011-12-28T16:33:00.000-08:00

One of the question I often get asked is "What is the most prevalent threat on the Internet for the enterprises?". In terms of the total number of transactions, botnets are the biggest security risk. Once a host gets infected, the botnet usually spreads quickly within an enterprise. It also generates a significant amount of traffic to the command and control server, to download additional malware or perform other actions. For the last 30 days, botnets account for almost 80% of the security blocks at Zscaler.

Security blocks for the last 30 days

When it comes to individual variants of malware, botnets, or other threats, there is no single piece of malware that dominates. Some threats appear one day, and disappear just as quickly. Others are seen daily for months, with random peaks. For example, Blackhole exploits and Zeus have been active for months.

One of the Blackhole exploits


Zeus traffic

Mass infections of legitimate sites can still be seen months after the infection initially occurred and the vulnerable application has been patched. For example, our customers are still hitting websites infected with Lizamoon which was first reported in May 2011 and reached it's peak in September.

Legitimate sites infected by mass LizaMoon SQL Injection attacks

The security landscape is very wide. Although botnets, as a category, represent the majority of overall malicious web traffic, there are a huge number of different threats seen daily by enterprise users. This means that security solutions must be able to detect and block a wide variety of traffic by looking at all components: URLs, HTTP header and content on both the client and server side.

Facebook used to make scams look legitimate

2011-12-21T14:58:00.000-08:00

One of the recurring web spam themes I saw in 2011, was the "Work from home and make $X,000/month" scam. In some variations of the well-known and well-used scam, websites are set up to look like a well-established newspaper with a front-page (fake) article about making a lot of money from home.

Here are a few examples I saw earlier this year (now offline):

Fake NBC website at hxxp://news11bizopp.com/landing.php

Fake news site at http://www.nbcnews43.com/?news/articleid=8351

The new scam I found this week included an interesting new trick and is still online.

Fake news site at hxxp://newsday7.com/

The site is set up like the previous scams - it claims to be an online, established newspaper, which displays an article about someone who is making a lot of money, working from home.

At the top of the picture, which shows a woman and a girl, on the right, you can see a Facebook Like button that says "214,217 people recommend this. Be the first of your friends." Apparently, 214,217 went to his page and clicked on "Like", making this page look more legitimate.

At first, I thought this was a fake Facebook widget. But this is the real deal, as seen from the page HTML code:

Real Facebook widget (click on the image too see in full screen)

There is however a trick. The "Like" widget does not point to hxxp://newsday7.com/, but rather to http://www.facebook.com/CBS. As you can see in the images taken from the two websites, the number of Likes is the same:

214,217 Likes on hxxp://newsday7.com/

214,217 Likes on http://www.facebook.com/CBS

Facebook allows you to embed any Like widget on any website, even if the domains or URLs do not correspond. Scammers are using this trick to appear more legitimate, by tricking visitors into thinking their website has been visited and liked by many people.

My guess is that this technique is very effective, and will be used more and more by spammers and scammers.

2012 Security Predictions

2011-12-20T12:41:00.000-08:00

It’s the most wonderful time of the year. A time when we set aside our quarrels and show compassion for complete strangers, realize that it’s better to give than to receive and in the security industry, let everyone know just how smart we are playing Nostradamus. Yes, it wouldn’t be December if I didn’t join in the chorus of prognosticators to let you know exactly what is in store for us all in the coming twelve months.

Mobile

With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned – iOS and Andorid have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian, ‘we control everything’ or Google’s happy-go-lucky ‘come on in, everyone’s invited’ approach?

Prediction: The ‘do no evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening for applications before deployment in the App Marketplace. Apple on the other hand will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one. iPad 3 and iPhone 5 sales will turn financial analysts into giddy schoolgirls.

Enterprise

Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those focused on enterprises with the goal of corporate espionage or to inflict financial damage. Many praised Google for coming forward in January 2010 to reveal that they and others had been the victim of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation, not the class of attack.

Prediction: The term ‘APT’ will go the way of ‘eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will be a reflection of increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate council to disclose details of an attack rather than to suppress the information and risk litigation for trying to cover up such activity.

Web

Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies that will be taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers; HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods, without taking the time to understand the security implications.

Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind them are insecure, but because HTML5 is not well understood from a security perspective.

Hardware

Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software, as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major security vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.

Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Blackhat, I spoke about the sad state of embedded web servers and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.

Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts and party like it’s 1999.

Social

The majority of malicious activity surrounding social networks today primarily involves unwanted or nuisance traffic as opposed to attacks that lead to a fully compromised machine. We’re seeing an increase in likejacking and self-inflicted JavaScript injection attacks that have the same overall goal – drive web traffic or prompt software downloads that can earn the scammer a few cents per click.

Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We’re not however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims or investments in uncovering web application vulnerabilities used to compromise end user machines as opposed to spreading the aforementioned scams.

Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.

Merry New Year!

- michael

Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby

2011-12-15T10:41:00.000-08:00

Last week, I mentioned that the Google Safe Browsing API has migrated to version 2. The new protocol is much more complex than version 1 and there are only a few libraries available for version 2 (see the full list in the previous post). Some popular languages, like Ruby, don't have any implementation at all.

To make the API accessible to more developers, Google has also introduced the Lookup API. This API is fairly simple. It lets users send a list of URLs (up to 500 per request) to Google and receive the classification for each of them. You still need a free API key to use the service and you are limited to 10,000 lookups per day.

I have released libraries for the Google Safe Browsing v2 Lookup API in Perl, Python and Ruby:

Perl;
CPAN: http://search.cpan.org/perldoc?Net::Google::SafeBrowsing2::Lookup
Source: https://github.com/juliensobrier/Net-Google-SafeBrowsing2

Python
PyPi: http://pypi.python.org/pypi/Google Safe Browsing v2 Lookup/
Source: https://github.com/juliensobrier/google-safe-browsing-lookup-python

Ruby
RubyGems: https://rubygems.org/gems/google-safe-browsing-lookup
Source: https://github.com/juliensobrier/google-safe-browsing-lookup-ruby

All the libraries contain proper documentation and unit tests. You can use the corresponding github repository to file bugs or discuss the libraries.

Java Drive by download attack

2011-12-13T00:34:00.000-08:00

Recently I blogged about how attackers are forcing users to download fake codecs to spread malicious content. I’ve also encountered across another drive by download attack vector, which uses Java applets to execute downloaded malicious content on the victim’s machine. Download and execution of malicious content happens without user interaction. Let’s take look at a screen-shot of the malicious URL “hxxp://www.nicholaspettas.com/”,

As you can see, when a user visits the website the browser requests user permission to execute the Java applet code. Here is the HTML source of the page:

When the user allows the applet code to run by clicking on “run” button, the browser downloads the “Client.jar” file from “hxxp://www.nicholaspettas.com/Client.jar”. Let’s take look at the Wireshark captures, which show the network activity performed during this process:

The downloaded JAR file contains “Client.class”, which is executed by the JRE. An argument to the “Client.class” file is passed with the location of the malicious .exe residing on “hxxp://dl.dropbox.com/u/31332834/server_crypt.exe”. It’s interesting to see that the malicious exe file is uploaded on www.dropbox.com. The file “server_crypt.exe” is then downloaded by the above applet code and executed on the victim’s machine.

Decompiling “Client.class” reveals the Java code, which you can read to better understand how it downloads the file and executes it. Let’s have look at piece of decompiled java code, which executes the downloaded file.

Virustotal Reports:
Client.jar - 27 AV vendors on Virustotal reports it as “Trojan Downloader”.
server_crypt.exe - 16 AV vendors reports as “Trojan”

ThreatExpert Report:
server_crypt.exe – Indicated highest severity level for this threat.

Beware of drive by download attacks.

Pradeep

Switch to Google Safe Browsing v2

2011-12-09T14:38:00.000-08:00

Google maintains a list of malicious URLs and phishing sites distributed through their Google Safe Browsing API. On December 12, version 1 was deprecated in favor of version 2. The API for version 2 works quite differently from version 1.

Importance of Google Safe Browsing

Google Safe Browsing is part of most popular web browsers including Firefox, Chrome, Safari and Opera. Internet Explorer uses it owns list, Microsoft SmartScreen. This makes Google Safe Browsing lists the most used security filter among all web users.

The Google Safe Browsing lists are also very extensive. There are currently about 460,000 entries in the lists and they are updated every 30 minutes. You can refer to "Google Safe Browsing v2: Implementation Notes" for more detailed numbers.

Coverage

I was curious see the overlap between Google Safe Browsing v2 and a few other security blacklists

Malware domain list: 18,670 blocked / 71,352 entries (26%)
Clean-MX Phishing: 540 blocked / 1,820 entries (30%)
Phishtank: 1,318 blocked / 5,665 entries (24%)

Of the Alexa top 1,000,000 sites, 250 are blocked by Google Safe Browsing v2.

Google Safe Browsing v2 libraries

The Google Safe browsing v2 API is fairly complex, at least more so than version 1. There are a number of libraries available, but not all implement the complete API. Here is a list of the libraries available within Google Safe Browsing v2:

Google Safe Browsing v2 libraries
Language	Name	Missing features	Comment
Python	google-safe-browsing	none	Reference implementation from Google
Perl	Net::Google::SafeBrowsing2	none	Several back-ends available for storage: MySQL, Sqlite, DBI, etc.
PHP	phpgsb	MAC	Helpful statistics for testing
PHP	gsb4u	MAC	Storage: MySQL, Sqlite;
C#	google-safebrowse-v2-client-csharp	MAC Back-off mechanism ? Save full hashes, discard them after 45 minutes MAC	Storage: data file
C#	Google-Safe-Browsing-API-2.0-C-p	MAC	Storage: SQL server
Java	jGoogleSafeBrowsing	???	Not finished?

Lookup API

If you need to check fewer than 10,000 URLs a day, you can use the much simpler Lookup API. This API allows you to send URLs directly to Google and receive the classification.

I've made a Perl library for the Lookup API, Net::Google::SafeBrowsing2::Lookup and I'm working on Ruby anfd Python implementations.

Fake video codecs still going strong

2011-12-06T21:55:00.000-08:00

Convincing users to download malicious software using fake AV pages is not a new attack vector, but has been a very successful one. Julien has previosuly blogged about how fake codecs are starting to replace fake AV pages. I recently encountered an interesting example employing both fake AV and fake codecs in a single attack. When a victim visits a page, they are presented with a warning message stating “You don’t have the correct Codec installed. Download should start automatically, if not, please click here to download”. Here is the screenshot of the page:

The page is loaded from “hxxp://onlinetubes24.com/go.html”. Let’s take a look at the HTML source of the page to identify the malicious code.

As you can see, it downloads an exe from “hxxp://privatetube.onlinetubes24.com/codec.exe". If the victim runs “codec.exe”, it starts a fake antivirus scan and delivers a report such as the following:

The above screenshot is typical of a fake AV attack and displays several fictitious threats being detected on the victim’s computer. Every time you run this exe file, different threats are allegedly detected . Once installed, the victim is asked to activate or buy the full version of this fake AV. This exe file downloads it’s content from a remote web server hosted at “94.23.39.156”. The ThreatExpert report for this IP address details the network activity performed by this malware.

The VirusTotal results for the fake security software in this example show that it is detected by only 20/42 popular AV vendors. You can find some tips to stay away from such attacks in a separate blog post.

Make sure you are downloading real codecs, not fake ones!

Pradeep

Cyber Monday Transactions - Indication of Economy?

2011-11-29T16:16:00.000-08:00

Last year I did a post on the transactions that we saw related to online shopping on Cyber Monday - as I indicated in the past, yes there is a spike. And looking at the transactions this year, again we notice a spike:

You can see the cyclic nature of the work week given that we handle enterprise traffic. The Y-axis values are is the monthly percentage of online shopping/auction transactions. So Cyber Monday made up 7.51% of the November 2011 shopping transactions and Black Friday made up 3.82%. The average for the month was 3.57%, excluding weekends the average for the month was 4.53%. These stats look at web transactions from a "micro" level - looking at a a longer-term trend across Black Friday and Cyber Monday online shopping transactions:

We notice a downward trend in online shopping transactions from 2009-2011 Black Fridays and that online shopping transactions have remained fairly static from 2009-2011. In this case the Y-axis is the percentage of online shopping transactions for the day - for example, 4.63% of this Cyber Monday's transactions were online shopping. The precise numbers for the other Cyber Mondays were 4.68% in 2009 and 4.61% in 2010. So there was a 0.05% decrease from 2009 to 2010 and a 0.02% increase in 2011. Given the general increase in online shopping vendors, general awareness of "Cyber Monday", and people being more comfortable making online purchases I would expect Cyber Monday online shopping to noticeably trend upward. Black Friday online shopping trended downward year over year, and we see the Cyber Monday downturn in 2010 and the slightest increase / stagnation in 2011 -- these online shopping stats may provide an indication as to the health of the economy.

Zscaler Likejacking Prevention for Opera

2011-11-21T08:57:00.000-08:00

Along with Firefox, Chrome and Safari, Zscaler Likejacking Prevention is now also available for Opera. You can download it on the official Opera add-on site.

Zscaler Likejacking Prevention on the Opera extensions site

The Opera version works the same as the Google Chrome version, with a similar popup to obtain more information about the Facebook widgets on the current page.

Zscaler Likejacking Prevention for Opera in action

The red/green icon that indicates if a page is safe or suspicious, is located on the far right of the Opera browser. I believe it would have been more visible if it were part of the URL bar, as I did for Chrome and Firefox, but unfortunately, Opera does not permit such a placement.

Icon on the right of the screen, after the search bar

Preferences page

Limitations

There is one big limitation in Opera: the extension cannot detect hidden Facebook widgets in frames or iframes. This is due to restrictions in the Opera extension framework, which don't permit frames and iframes to be linked to the top window. Scripts can be injected in frames and iframes, but it is not possible to know which tab they belong to and the background page cannot communicate with the frames and iframes inside a tab.

In practice, 90% of the hidden Facebook widgets I've seen do not use layers of frames and iframes. Zscaler Likejacking Prevention will help users to stay safe from Facebook spam for the majority of spam pages

Version 1.0.9

I'm continually improving Zscaler Likejacking Prevention on all platforms. The latest version available is 1.0.9. You can download it and the other plugins we have released, on our Tools page.

Firefox

I expect version 1.1.0 of the Firefox Zscaler Likejacking plugin to be approved on the official Mozilla add-on site within a few days.

-- Julien

When scammers call you at home

2011-11-18T10:42:00.000-08:00

UPDATE: I've updated the post with a second Skype call I received on 1/17.

Scammers are always trying new ways to reach their targets to foil them into buying free software, sending credit card information, etc. Yesterday, they called me directly at home!

I was working on my computer when I got a Skype call from an unknown caller with a Skype ID of "NOTIFICATION® URGENT - WWW.SWNOW.COM - UPGRADE INSTRUCTIONS". The automated call explained that my "software protections" were disabled and I had to urgently go to www.swnow.com (spelled out in the call). I could not record the call, but it was very similar to what you hear when you visit hxxp://www.swnow.com/.

Skype call from a scammer

The call does not give any information about who is calling or what this "software protection" is supposed to be. It lasted 1 min. 50 secs. and basically just urged me to visit www.swnow.com.

Skype call information

When visited, hxxp://www.swnow.com/ displays a fake antivirus page. It looks different than the Fake AV sites that use Blackhat spam SEO to reach users. Of course, the site purports that numerous viruses are found on your computer...

Fake AV claim to have found viruses

The website is trying to sell the antivirus solution, rather than trying to get user's to install malware disguised as a free AV program. The website is well designed. The button "Activate Computer Protections" shows an "activation" form..

Check out form

Then, the website gathers some personal information (name, e-mail address, etc.) via the "activation" form.

Information gathering

Finally, the user is sent to a different website, securecheckouts.org, to process the payment.

Payment processing form

Looking at the HTML code, the page only contains an iframe, pointing to hxxp://www.liveadmin.com/affiliates.php?affil104, where the payment form is actually hosted.

HTML source of securecheckouts.org

There have been a steady rise of websites trying to resell free software (AVG and other antivirus, OpenOffice, P2P clients, etc.) or deliver fake stores that claim to offer software at deep discounts, etc. However, this was the first time that I've encountered a Skype call being used to push users to visit a fake store.

Second call

I received a similar Skype call on 11/17. I was urged to visit www.msgmf.com to protect my computer. Te website is similar to www.swnow.com. It tricks users into paying $19.95 through click2sell.eu for an antivirus.

Second Skype call spam

Fake antivirus on www.msgmf.com

Antivirus "activation" page

Payment form on click2sell.eu

-- Julien

Zscaler Research

DreamHost: hijacked websites redirect to Russian scam

MSUpdater Trojan and link to targeted attacks

Introducing Project Zulu

Fake missing plugin warnings used for spam/spyware

Zscaler keygen: beware of what you are looking for

SOPA Protest: Wikipedia Traffic Trend (updated)

Popularity of Exploit kits leading to an increase in compromised websites

An example of likejacking (Facebook clickjacking)

Google serves ad for Adware/Spyware

Web threats: trends and statistics

Facebook used to make scams look legitimate

2012 Security Predictions

Mobile

Enterprise

Web

Hardware

Social

Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby

Java Drive by download attack

Switch to Google Safe Browsing v2

Fake video codecs still going strong

Cyber Monday Transactions - Indication of Economy?

More software-related searches lead to malware

Zscaler Likejacking Prevention for Opera

When scammers call you at home