This document discusses Google image poisoning attacks, which use hacked sites to redirect users searching for images to sites containing fake antivirus software or exploits. The attacks work by generating keyword-rich pages with hotlinked images that are indexed highly by search bots. An evolving PHP script is used to create spam pages, change server settings, download malicious files, and redirect users to the fake sites. Data from Avast shows over 22,000 infected domains have been detected between March and August 2011 through this method.
There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user clicking the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning" - placing malware in the middle of Google searches for images, where users have traditionally had no reason to be wary. Our presentation will focus on how malware writers are able to infect the average website, a detailed analysis of the PHP script used to infect sites, and the SEO techniques used to get infected images to the top of search results.
2. AVAR 2011
Agenda
• What is Google-images poisoning?
• How it works
• Doorway generator
• JavaScript redirector
• Evolution
• Data from AVAST CommunityIQ userbase
• Summary
• Questions
www.avast.com
3. Google Images poisoning
• SEO blackhat poisoning attack
• Uses hacked sites to redirect users to sites containing fake AV or exploits
• Uses keyword-rich pages with hot-linked images for higher indexing by search bots
• Images from hacked sites end up near the top of the search results
• Focused on users coming from well-known search engines
8. Google Images poisoning
[Diagram: User, Infected server, Remote server, Fake AV, Bad guy]
9. Why is it so successful?
• Great SEO and nobody used SEO for “images”
10. Why is it so successful? (2)
[Diagram: Infected server, Fake AV]
• Computer users do not expect that they can get infected when searching for images on legitimate sites
11. Why is it so successful? (3)
• Hide and Seek
  – if users are using the Opera browser or they are coming from Google, Yahoo or Bing, they are served a JavaScript redirector
[Diagram: Malicious content]
12. Your website gets infected
• The bad guys are using stolen FTP credentials
• They upload a PHP script to the web server
• This script is used for uploading malicious content to the web server, creating spam pages, and uploading additional files to the web server
• Bonus feature - it lets the owners know that the page is ready
13. Additional malicious files
• Xmlrpc.txt – Remote server address stored
  -> Xml.txt -> Xml.cgi – address in Base64
• Iog.txt – Redirecting JavaScript stored
• Shab100500.txt – Spam HTML template stored
  -> Don.txt – HTML template in Base64
14. PHP script on infected sites
• Earlier, they used names such as d{1,3}.php
• Today, they use names like microphone.php, etc.
• This script is responsible for:
1. Creating spam pages for Google bot indexing
2. Changing .htaccess
3. Serving a redirect script that sends the user to exploit sites
4. Serving a redirect script that sends the user to fake AV
5. Downloading malicious files to the server
6. Telling the owners that the site is ready
15. PHP script
Original PHP file uploaded to server
• <?eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=')));?>
16. PHP script
PHP file after first step of deobfuscation
• $GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n
• Function _1070120820($i) {$a=Array('c'.'Q='.'=','cQ==',
• ($GLOBALS['_1600532410_'][16](_1070120820(6))) {…
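As an added defender-side example (not code from the presentation), the following Python scans a web root for the indicators slides 13 to 16 describe: the dropped helper files kept under .log/SITE/, the eval(gzuncompress(base64_decode(...))) packer, and the first-stage $GLOBALS lookup table whose base64 is split into concatenated chunks, which it decodes to reveal the PHP function names hidden in the table. The sample web root, its file names and file contents are constructed for the demonstration.

```python
"""Indicator hunt for the Google-image poisoning infection described above.
Walks a web root and reports (a) helper files from the "Additional malicious
files" slide, (b) PHP packed with eval(gzuncompress(base64_decode(...))) and
(c) the first-stage $GLOBALS['_<digits>_'] table built from split base64,
decoding the split chunks so an analyst sees the function names they hide.
Example code added by the editor; the sample web root layout is constructed."""
import base64
import os
import re
import tempfile

# File names from the "Additional malicious files" slide (matched case-insensitively).
DROPPED_FILES = {"xmlrpc.txt", "xml.txt", "xml.cgi", "iog.txt", "shab100500.txt", "don.txt"}

# eval(gzuncompress(base64_decode( ... tolerant of the line breaks seen on slide 15.
PACKED_EVAL = re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)

# $GLOBALS['_1600532410_']=Array(base64_decode( ... numeric-named lookup table (slide 16).
GLOBALS_TABLE = re.compile(r"\$GLOBALS\s*\[\s*'_\d+_'\s*\]\s*=\s*Array\s*\(\s*base64_decode", re.I)

# base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n') : a literal split into concatenated chunks.
SPLIT_B64 = re.compile(
    r"base64_decode\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*\.\s*)+'[A-Za-z0-9+/=]*')", re.I)
CHUNK = re.compile(r"'([A-Za-z0-9+/=]*)'")


def decode_split_literals(php_source):
    """Return the strings hidden behind concatenated base64 chunks, in order of appearance."""
    decoded = []
    for m in SPLIT_B64.finditer(php_source):
        joined = "".join(CHUNK.findall(m.group(1)))
        joined += "=" * (-len(joined) % 4)  # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable:%s>" % joined)
    return decoded


def classify_php(php_source):
    """Tag a PHP source string with the obfuscation patterns it contains."""
    tags = []
    if PACKED_EVAL.search(php_source):
        tags.append("packed-eval")
    if GLOBALS_TABLE.search(php_source):
        tags.append("globals-table")
    if SPLIT_B64.search(php_source):
        tags.append("split-base64")
    return tags


def scan_webroot(root):
    """Return sorted (relative_path, [tags]) findings for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk descends into hidden dirs like .log
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            tags = []
            if name.lower() in DROPPED_FILES:
                tags.append("dropped-file")
            if name.lower().endswith(".php"):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    tags.extend(classify_php(fh.read()))
            if tags:
                findings.append((rel, tags))
    return sorted(findings)


# Constructed samples; the obfuscated fragments follow the shapes shown on slides 15 and 16.
STAGE0 = "<?eval\n(gzuncompress\n(base64_decode('eNqVWG2P4kYM/PLACEHOLDER=')\n)\n);\n?>"
STAGE1 = ("<?php $GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'),"
          "base64_decode('aW5pX3NldA==')); ?>")
CLEAN = "<?php echo 'hello'; ?>"


def build_sample_webroot():
    """Create a throwaway web root: one clean and two infected PHP files plus dropped helpers."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": CLEAN,
        "microphone.php": STAGE0,  # current naming style from slide 14
        "d12.php": STAGE1,         # older d{1,3}.php naming
        ".log/example.com/shab100500.txt": "<HTML>template</HTML><Replaceme></Replaceme>",
        ".log/example.com/xmlrpc.txt": "http://remote.example/",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel, tags in scan_webroot(sample_root):
        print("%-36s %s" % (rel, ", ".join(tags)))
    print("hidden names in d12.php:", decode_split_literals(STAGE1))
```

Run against a real document root after replacing build_sample_webroot() with the path to scan; treat a hit as a lead for manual review rather than a verdict, since legitimate obfuscated plugins can trip the split-base64 pattern.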
18. Doorway generator
• The HTML template is stored in the file .log/SITE/shab100500.txt
• In the new version, shab100500.txt was replaced by don.txt
Template as shown on the slide (placeholder text, with a <Replaceme> block where generated content is inserted):
<HTML>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>
<Replaceme>
</Replaceme>
19. Doorway generator
• Get descriptions of the top 50 ‘search keywords’ from Google web
• Shuffle the words into their descriptions to get unique text
“harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived”
20. Doorway generator
• Get the top 20 ‘search keyword’ results from Google Images and extract the links to the image files
• Generate <img> tags and shuffle them
<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
21. Doorway generator
Shuffled text and <img> tags combined:
harmful action against a person or group in response revenge to a grievance<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
22. Doorway generator
Final doorway page: the template with the <Replaceme> block filled in by
<h1>SEARCH KEYWORD</h1>
Suggested links
Links to the 30 most recently generated pages
Rich-word generated text with hot-linked images
Links to alternative pages
23. AVAR 2011
How do they make image URLs less suspicious?
• The script writes this .htaccess rule (shown as the PHP string that generates it):
"RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ ".$_SERVER['SCRIPT_NAME']."?q=$1 [L]"
• This changes the URL from the suspicious http://SITE/wp-admin/BAD.php?q=search-keywords to http://SITE/wp-admin/search-keywords
24. AVAR 2011
PHP script evolution
• The first version targeted all users of the Opera browser and all users coming from Google, Yahoo or Bing
• During June, we found some changes in the PHP code
- Google is the only target
- New redirection system
• The request goes to a remote server (mydiarycom.net), i.e. it is centralized
• They get statistical data from the request parameters
• No need to update iog.txt (the redirecting script) or make individual changes on each server
29. AVAR 2011
Redirection
• Mac – http://IP/r/RANDOM_STRING; the IP and ‘r’ change every 30 minutes
• Exploit site – http://SITE/index.php?tp=RANDOM_STRING; the site and ‘tp’ change every 30 minutes
• Fake AV – http://SITE/fast-scan/
30. AVAR 2011
Other changes
• Rotating user-agent string
• Password-protected maintenance request: someone who knows how this algorithm works can easily change it and redirect to his or her own site
• Xml.txt was replaced by xml.cgi
• Working with free blog sites
32. AVAR 2011
Data from the AVAST CommunityIQ
• From March to August 2011, we discovered 22,580 unique infected sites
• 5,698 sites are still infected
• Typo in the generated HTML: <IMG HEIGTH=?1?WIDTH
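A webmaster-side triage check for the indicators the deck names: the catch-all rewrite into a .php?q= script from slide 23, the HEIGTH typo above, the helper files from slide 13 and the googlebot "noarchive" tag mentioned in the speaker notes. This Python is an added example, not Avast's detection; the threshold of three foreign image hosts, the sample .htaccess and the sample page are assumptions made for the demonstration.

```python
import re

# Indicator patterns derived from the slides. Legitimate CMSes (Drupal-style
# index.php?q=$1) use a similar rewrite, so a known front controller is excluded.
DROPPED_FILES = {"xmlrpc.txt", "xml.txt", "xml.cgi", "iog.txt", "shab100500.txt", "don.txt"}
REWRITE_TO_PHP = re.compile(r"RewriteRule\s+\^\(\.\*\)\$\s+(\S+\.php)\?q=\$1\s+\[L", re.I)
NOARCHIVE = re.compile(r'<meta\s+name=["\']googlebot["\']\s+content=["\']noarchive["\']', re.I)
HEIGTH_TYPO = re.compile(r"<img[^>]*\bheigth=", re.I)
HOTLINK_IMG = re.compile(r'<img[^>]+src=["\']https?://([^/"\']+)', re.I)
KNOWN_FRONT_CONTROLLERS = {"index.php"}


def scan_htaccess(text):
    """True when every missing path is routed into a .php?q=... script that is not
    a well-known CMS front controller."""
    m = REWRITE_TO_PHP.search(text)
    return bool(m) and m.group(1).rsplit("/", 1)[-1].lower() not in KNOWN_FRONT_CONTROLLERS


def scan_html(html, own_host, min_foreign_hosts=3):
    """Return the names of the indicators present in one served page."""
    hits = []
    if NOARCHIVE.search(html):
        hits.append("googlebot-noarchive")
    if HEIGTH_TYPO.search(html):
        hits.append("heigth-typo")
    # Doorway pages hot-link images from many unrelated hosts; the threshold is an assumption.
    foreign = {h.lower() for h in HOTLINK_IMG.findall(html)} - {own_host.lower()}
    if len(foreign) >= min_foreign_hosts:
        hits.append("many-hotlinked-hosts")
    return hits


def scan_filenames(names):
    """Return the dropped helper file names found in a directory listing."""
    return sorted(DROPPED_FILES & {n.lower() for n in names})


if __name__ == "__main__":
    # Constructed samples; the script name and hosts are placeholders, not real indicators.
    htaccess = ("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                "RewriteCond %{REQUEST_FILENAME} !-d\n"
                "RewriteRule ^(.*)$ /wp-admin/microphone.php?q=$1 [L]\n")
    page = ('<html><head><title>Search Keywords</title>'
            '<meta name="googlebot" content="noarchive"></head><body>'
            '<img src="http://a.example/1.jpg" alt="k" align="left">'
            '<img src="http://b.example/2.jpg" alt="k" align="right">'
            '<IMG HEIGTH="1" WIDTH="1" src="http://c.example/3.jpg" alt="k"></body></html>')
    print(scan_htaccess(htaccess))                                  # True
    print(scan_html(page, "victim.example"))                        # all three indicators
    print(scan_filenames(["index.php", ".htaccess", "xml.cgi", "don.txt"]))  # ['don.txt', 'xml.cgi']
```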
35. AVAR 2011
Summary
• Google-image poisoning is an easy way to spread fake AV and exploits
• It’s based on stolen FTP credentials of webmasters and great backdoor algorithms
• The number of infected legitimate domains is growing every day
• Common sense is not sufficient protection
37. AVAR 2011
Thank you
Jan Sirmer (sirmer@avast.com)
Senior Virus Analyst
Lukas Hasik (hasik@avast.com)
QA Director
Editor's Notes
introduction
Mention: a successful attack (and why), and how it “works” (in general)
SEO – images are “well ranked”
Redirection to FAKE AV; the management is handled by a remote server
How it works and who it is aimed at
At first they “did not distinguish” between OSes or browsers
What do the bad guys want? Money!
Black SEO
Trust phenomenon
Different behaviour -> hand over the floor
Before analysing the behaviour, mention HOW the “legitimate websites” got infected
+ add a “story”
Briefly!
Main PHP script
+ story – narration
+ just “list” the script's functions (do not analyse them)
What it looked like at first, and what we had to do with it (decode)
It has two arrays from which it builds the final script (no details)
Whole PHP script has more than 400 lines of code
+ decision logic
The main reason for success!
What it is intended for – what it uses (template)
The template is generated from the main page of the given “site” == they are “inconspicuous”
Why can't we find these pages in Google results to make detection easier? They use the simple tag <meta name="googlebot" content="noarchive">
shab100500.txt contains the HTML code of the site’s homepage with the <REPLACEME> placeholder, which is later replaced with a generated spammy block.
The original <title> tag is replaced with <title>Search Keywords</title> and the <meta name="googlebot" content="noarchive"> tag is inserted; that’s why you don’t see cached copies of the pages in Google search results, which definitely makes diagnosing the problem more difficult for webmasters
Simulates the look of GoogleAds
- What it inserts there (explain)
- <noarchive>
They modify or create .htaccess with this code
Script_name is the path to the uploaded .php file
Probably caused by low profit from other search engines (less chance of being found if they use only one of the three browsers)
Name of remote server is stored in xml.cgi as base64 string
Describe the “old” system
Which parameters and what they use them for
Description of the “redirection”
The spam page is shown for unwanted visits
1. To be less suspicious when they are looking for top search keywords
.cgi files produce server errors when you try to open them in directories that aren’t configured to execute CGI scripts
Working with free blogs sites – posting posts with hundreds of links to doorway pages
Maintenance request:
To be able to change the xml.txt file (xml.cgi in the newest version, holding the domain name of the remote server) and to use the file uploader, you now need to provide a password in the “name” parameter of a POST request. Someone who knows how the maintenance request works could change it to redirect to their own site.
this request updates the content of the xmlrpc.txt file with the domain name of a malicious server that hosts fresh redirect code.
?up100500=<some-value> – this request turns the script into an upload form.
We are blocking 174 sites used for the attack – of course we have different, more sophisticated detections