There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user clicking the link to succeed. However, the latest variation has moved beyond simple text links to "Google-image poisoning": placing malware in the middle of Google searches for images, where users have traditionally had no reason to be wary. Our presentation focuses on how malware writers are able to infect the average website, with detailed analyses of the PHP script used to infect sites and of the SEO techniques used to get infected images to the top of search results.
2. Agenda
• What is Google-images poisoning?
• How it works
• Doorway generator
• JavaScript redirector
• Evolution
• Data from AVAST CommunityIQ userbase
• Summary
• Questions
AVAR 2011 www.avast.com
3. Google Images poisoning
• SEO blackhat poisoning attack
• Uses hacked sites to redirect users to sites containing
fake AV or exploit
• Uses key-word rich pages with hot-linked images for
higher indexing by search bots
• Images from hacked sites are near the top search
results
• Focused on users coming from well-known search engines
8. Google Images poisoning
[Diagram of the attack flow; labelled parties: User, Infected server, Fake AV / Remote server, Bad guy]
9. Why is it so successful?
• Great SEO, and nobody used SEO for “images”
10. Why is it so successful? (2)
• Computer users do not expect that they can get infected when searching for images on legitimate sites
[Diagram: Infected, Fake AV server]
11. Why is it so successful? (3)
• Hide and Seek
– if users are using the Opera browser or are coming from Google, Yahoo or Bing, they are served a JavaScript redirector
[Diagram: Malicious content]
12. Your website gets infected
• The bad guys are using stolen FTP credentials
• They upload PHP script to the WEB server
• This is used for uploading malicious content to the
web server, creating spam pages, and uploading
additional files to web server
• Bonus feature - it lets the owners know that the page
is ready
13. Additional malicious files
• xmlrpc.txt – remote server address stored
• -> xml.txt -> xml.cgi – address in Base64
• iog.txt – redirecting JavaScript stored
• shab100500.txt – spam HTML template stored
• -> don.txt – HTML template in Base64
14. PHP script on infected sites
• Earlier, they used names such as d{1,3}.php
• Today, they use names like microphone.php, etc.
• This script is responsible for:
1. Creating spam pages for Google bot indexing
2. Changing .htaccess
3. Serving redirect script to user to exploit sites
4. Serving redirect script to user to fake AV
5. Downloading malicious files to server
6. Telling owners that the site is ready
15. PHP script
Original PHP file uploaded to server
<?eval(gzuncompress(base64_decode('eNqVWG2P4kYM/…/woBlZVjC9zK2Ok8McOZrF5z9hfM+5P/AbQiT9I=')));?>
16. PHP script
PHP file after first step of deobfuscation
$GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n
function _1070120820($i){$a=Array('c'.'Q='.'=','cQ==',
($GLOBALS['_1600532410_'][16](_1070120820(6))) {…
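The two layers shown on slides 15 and 16 can be recovered statically, without running the PHP. The following Python is an added example, not the deck's own code: it builds a harmless sample packed the same way, peels the eval(gzuncompress(base64_decode())) wrapper with zlib (PHP's gzcompress output is a zlib stream), and folds the '.'-split base64 literals of the second stage back together; the two fragments visible on slide 16 decode to error_reporting and q. The helper names are the example's own.

```python
import base64
import re
import zlib
from typing import List, Optional, Tuple

# Constructed sample (not real malware): a harmless second stage in the style of
# slide 16, where base64 literals are split with PHP's '.' operator to defeat
# naive string searches, wrapped in the slide-15 loader.
SECOND_STAGE = (
    "$GLOBALS['_1600532410_']=Array(base64_decode('ZXJyb3Jfcm'.'Vwb3J0'.'aW5'.'n'),"
    "base64_decode('c'.'Q='.'='));"
)
# PHP gzcompress() emits zlib (RFC 1950) streams, which is what zlib.compress produces.
PACKED_PHP = "<?eval(gzuncompress(base64_decode('%s')));?>" % (
    base64.b64encode(zlib.compress(SECOND_STAGE.encode())).decode()
)

LOADER_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)
# base64_decode('ab'.'cd'.'ef') -> capture everything between the parentheses
B64_CALL_RE = re.compile(r"base64_decode\(\s*((?:'[^']*'\s*\.?\s*)+)\)")


def unpack_layer(php_source: str) -> Optional[str]:
    """Return the PHP hidden behind one eval(gzuncompress(base64_decode())) wrapper."""
    m = LOADER_RE.search(php_source)
    if m is None:
        return None
    return zlib.decompress(base64.b64decode(m.group(1))).decode("latin-1")


def join_concat(expr: str) -> str:
    """Fold 'ZXJy'.'b3Jf' style concatenations back into one literal."""
    return "".join(re.findall(r"'([^']*)'", expr))


def resolve_base64_literals(php_source: str) -> List[str]:
    """Decode every base64_decode('..'.'..') call so the hidden strings become readable."""
    return [
        base64.b64decode(join_concat(m.group(1))).decode("latin-1")
        for m in B64_CALL_RE.finditer(php_source)
    ]


def unpack_all(php_source: str) -> Tuple[str, List[str]]:
    """Peel loader layers until none remain, then surface the second stage's strings."""
    current = php_source
    inner = unpack_layer(current)
    while inner is not None:
        current, inner = inner, unpack_layer(inner)
    return current, resolve_base64_literals(current)
```

Run unpack_all on a captured file and grep the returned strings for the names of the helper files from slide 13 before spending time on the obfuscated dispatch table.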
18. Doorway generator
• HTML template is stored in the file
.log/SITE/shab100500.txt
• In the new version, shab100500.txt was replaced by
don.txt
<HTML>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
<Replaceme>
</Replaceme>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>
19. Doorway generator
• Get descriptions of the top 40 ‘search keywords’ from Google web search
• Shuffle the words of their descriptions to get unique text
Example of the generated text: harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived
20. Doorway generator
• Get the top 20 ‘search keyword’ results from Google Images and extract links to the image files
• Generate <img> tags and shuffle them
Example of a generated tag: <img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
21. Doorway generator
Example of the generated page body (shuffled description text interleaved with hot-linked image tags):
<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
harmful action against a person or group in response revenge to a grievance<img src="http://SITE/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">
harmful action against a person or group in response revenge to a grievance, be it real or rick santorum perceived
22. Doorway generator
<HTML>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in
<h1>SEARCH KEYWORD</h1>
Suggested links
<Replaceme>
Links to 30 most recently generated links
</Replaceme>
Rich-word generated text with hot-linked images
Links to alternative pages
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco
</HTML>
23. How do they make image URLs less suspicious?
• .htaccess rule written by the PHP script (the ".$_SERVER['SCRIPT_NAME']." part is PHP string concatenation that fills in the script's own path):
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ ".$_SERVER['SCRIPT_NAME']."?q=$1 [L]
• This changes the URL from the suspicious
http://SITE/wp-admin/BAD.php?q=search-keywords
to
http://SITE/wp-admin/search-keywords
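For incident response on a suspected site, the indicators from slides 12 to 15 and 23 (dropped helper file names, the packed loader header, the ?q= rewrite in .htaccess) can be checked from the filesystem alone. This Python scanner is an added example, not avast's tooling; the sample document root it builds is constructed placeholder content, and the names scan_webroot and build_sample_webroot are the example's own.

```python
import os
import re
import tempfile

# Indicators taken from the deck: dropped helper files (slides 13 and 18), the packed
# loader header (slide 15) and the .htaccess rule hiding the ?q= parameter (slide 23).
DROPPED_NAMES = {"xmlrpc.txt", "xml.txt", "xml.cgi", "iog.txt", "shab100500.txt", "don.txt"}
PACKED_LOADER_RE = re.compile(r"<\?(?:php)?\s*eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)
DOORWAY_REWRITE_RE = re.compile(r"RewriteRule\s+\^\(\.\*\)\$\s+\S+\.php\?q=\$1", re.I)


def scan_webroot(root):
    """Walk a document root; return sorted (relative path, reason) for every indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in DROPPED_NAMES:
                findings.append((rel, "dropped helper file"))
                continue
            try:
                with open(full, "r", encoding="latin-1") as fh:
                    head = fh.read(4096)  # loader and rewrite rule both sit at the top
            except OSError:
                continue
            if name == ".htaccess" and DOORWAY_REWRITE_RE.search(head):
                findings.append((rel, "doorway rewrite to ?q= parameter"))
            elif name.lower().endswith(".php") and PACKED_LOADER_RE.search(head):
                findings.append((rel, "eval(gzuncompress(base64_decode())) loader"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (placeholder content, not real malware) for a dry run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "wp-admin/microphone.php": "<?eval(gzuncompress(base64_decode('AAAA')));?>",
        "wp-admin/.htaccess": ("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                               "RewriteRule ^(.*)$ /wp-admin/microphone.php?q=$1 [L]\n"),
        ".log/example.com/shab100500.txt": "<HTML><Replaceme></Replaceme></HTML>",
        "wp-content/index.php": "<?php // clean file\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

A match is a lead for manual review, not proof of infection; legitimate front controllers also rewrite to a query parameter, so confirm an .htaccess hit against the page content it actually serves.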
24. PHP script evolution
• The first version was focused on all users using Opera
browser or users coming from Google, Yahoo or Bing
• During June, we found some changes in PHP code
- Google is the only target
- New redirection system
• Request goes to a remote server (mydiarycom.net)
- centralized
• They have statistic data from parameters
• No need to update iog.txt (redirecting script) or make
differentiating changes on each server
29. Redirection
• Mac – http://IP/r/RANDOM_STRING
IP and ‘r’ are changed every 30 minutes
• Exploit site – http://SITE/index.php?tp=RANDOM_STRING
Site and ‘tp’ are changed every 30 minutes
• Fake AV – http://SITE/fast-scan/
30. Other changes
• Rotating user-agent string
• Password-protected maintenance request
Someone who knows how this algorithm works can easily change it and redirect to his or her own site
• xml.txt was replaced by xml.cgi
• Working with free blog sites
32. Data from the AVAST CommunityIQ
• From March to August 2011, we discovered 22,580 unique infected sites
• 5,698 sites are still infected
• Typo in the generated HTML: <IMG HEIGTH=?1?WIDTH
35. Summary
• Google-image poisoning is an easy way to spread fake AV and exploits
• It’s based on stolen FTP credentials of webmasters and great backdoor algorithms
• The number of infected legitimate domains is growing every day
• Common sense is not sufficient protection