
Blackhat SEO tagged in these posts:

First Wave of Halloween Scares
Posted: 05 Oct 2011 04:00 PM

 

Halloween is just around the corner, and, as expected, malware authors have already concocted a brew of early scares: blackhat SEO, fake Adobe Flash notification, and a malicious file download.

We start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a fake YouTube site.


 

The fake YouTube site uses nude images of celebrities like Emma Watson and Paris Hilton as a ploy. These, along with salacious captions, are meant to entice users into playing the apparent video. When users click any of the links on the page, they are prompted to update Adobe Flash Player.

 

 

Users who fall for the trick are prompted to download a malicious file called scandsk.exe, identified by 15/43 VirusTotal engines.

 

 

Websense Web Security customers are protected against this attack through our Advanced Classification Engine.

Mary Grace Timcang

Blackhat SEO poisoning leads to Blackhole Exploit Kit
Posted: 29 Jun 2011 06:19 PM

 

Instead of blogging about another case of Blackhat SEO poisoning (yes, Blackhat SEO poisoning does happen every day), I'm going to focus more on what happens after clicking on the poisoned search result. Although in the majority of cases unpatched users are exploited, I want to show how sometimes researching these cases can lead to a dead end.

 

This morning I saw a case that led a user from a Google search result to a Blackhole exploit kit, one of the most widely used exploit kits in the wild. 

 

As in most exploit scenarios, the attackers have a lure to attract the user to click on a link and start them down the path of exploitation or malware installation. This can be done in numerous ways: phishing emails, Facebook social networking viral scams, Google search engine poisoning, etc. In this case, attackers have poisoned the search engine results for the keywords "shia labeouf", which is #10 on Google's hot trends:

 


(Figure 1: Google Hot Searches. "shia labeouf" is #10)

 

If a user were to search for "shia labeouf", search result #45 leads to hxxp://shiantology[dot]com/:

 


(Figure 2:  hxxp://shiantology[dot]com/ screen shot)

 

This site has been compromised, and has an iframe injection that leads to a Blackhole exploit kit:

 

The iframe injected in the code silently makes a connection to the above IP address:

(Figure 3:  hxxp://shiantology[dot]com/ redirection chain)

 

65 [dot] 75 [dot] 129 [dot] 9 responds with the following payload (obfuscated HTML code + a JavaScript deobfuscation algorithm):

 

(Figure 4: Obfuscated text within HTML div tags)

 

(Figure 5: JavaScript deobfuscation algorithm)

 

The code above causes the browser to make a connection to /games/A.class.

hxxp:// 65 . 75 . 128 . 9/Home/index.php makes a connection hxxp:// 65 . 75 . 128 . 9/Home/games/A.class 


Normally, we'd be able to see this by looking at the final resulting DOM of the browser (after all the JavaScript has run and the document.ready event has been triggered):

(Figure 6: 65 [dot] 75 [dot] 129 [dot] 9 final DOM)


One thing to notice when looking at the above DOM code is that there are no object or applet tags shown that would require an A.class. Good thing we were watching the network connections and JavaScript hooked events. This is a reminder that a Web page that uses dynamic client-side scripting like JavaScript can change continually. The finalized DOM does not always represent the DOM at all stages of the document, because the JavaScript functions being called change it along the way.


What happened is that during the deobfuscation phase, the algorithm above created a series of document nodes. One of them was most certainly an object or applet that required A.class. It then did some other checks, for example browser type and function existence, all for the purpose of verifying which browser was actually running (this is an alternative to checking the user agent string), and then redirected the browser based on the result to another redirector:


Status: 302
Location : hxxp:// 109 . 236 . 81 . 40/
Content-Type : text/html; charset=iso-8859-1


hxxp:// 109 . 236 . 81 . 40/ is a redirector that redirects the browser to google.com


Status: 302
Location : http://google.com
Content-Type : text/html


In this particular case our research has led us to a dead end. Many times the obfuscated code and checks will only trigger if ALL conditions are correct. If they are, the code redirects the browser to exploit files. If they are NOT, the redirector sends the browser somewhere else. In this case the browser was redirected to hxxp://google[dot]com, but we could just as well have been redirected to Bing or Yahoo! or another major search engine as a means of leading you off track. In many cases your browser will also be redirected to hxxp://searchportal.information[dot]com.

 

Websense Labs has a group of researchers specifically focused on exploit kits. Websense customers are protected from the Blackhole exploit kit as well as other exploit kits by ACE, our Advanced Classification Engine.

 

If you have any comments on this blog or questions about search engine poisoning or exploit kits, please ask them below: we always look forward to hearing from our readers and hopefully helping them understand how to protect themselves from the ever-changing threat landscape.

 

Thanks! 

Stephan Chenette - Principal Security Researcher
Contributions by Elad Sharf - Security Researcher 


Anonymous

Blackhat Google SEO Poisoning of keyword "patti labelle"
Posted: 28 Jun 2011 07:22 PM

 

Blackhat SEO poisoning is something we have blogged about numerous times in the past [1] [2] [3].

 

If you aren't familiar with the topic here are the basics:

 

Attackers that control botnets have the ability to poison search engine results so that they point to pages they own or have compromised, in order to redirect users to web sites hosting malicious code. When a user clicks on a poisoned search result, their machine may be exploited, or they may be presented with rogue antivirus, which they are almost always tricked into installing.

 

The ThreatSeeker® Network regularly monitors "trending topics" on Google, Twitter, major news outlets, and other sources to see which keywords attackers are most likely to attempt to poison. Here is an example that our ThreatSeeker Network picked up one morning.


Google hot search keyword "patti labelle" poisoned:

(Figure 1: The Google "Hot Searches" for June 27, 2011)

 

As you can see "patti labelle" is "hot search" topic #6.

 

Using our ThreatSeeker Network, which includes our backend processes, customer feedback loops, and most importantly ACE, our Advanced Classification Engine, we routinely monitor billions of pages. Amongst those are potentially poisoned search results.

 

This morning when I checked my inbox for notifications and alerts this is what I found:

 

Google "hot search" keyword = "patty labelle" found in URL 30 : hxxp://www.divastation.com/patti_labelle/labelle_bio.html

 

Details:
4 Security connections:

  • src: hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html (Malicious Web Sites), dest: hxxp://toolbarqueries-google[dot]com/in.cgi?default (Emerging Exploits)
  • src: hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==(Malicious Web Sites), dest: hxxp://778887467/sdghsdfv (Malicious Web Sites)
  • src: hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==(Malicious Web Sites), dest: hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== (Malicious Web Sites)
  • src: hxxp://toolbarqueries-google[dot]com/in.cgi?default (Emerging Exploits), dest:hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== (Malicious Web Sites) 

 

I then checked Google Search and confirmed the findings. Searching for "patty labelle", I found a malicious link on the 3rd page (result 30) of Google search results:


(Figure 2: Poisoned Google search results)


What happens to the user if they click on the link?

By clicking on the link from Google search results the user is sent to:
hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html

Upon visiting this site the following network connections are made:

(Figure 3: divastation[dot]com redirection chain)

 

The attackers' payloads consist of various PDF and Java exploits that will be attempted and executed if the user is not patched:


(Figure 4: Attempted exploitation of APSB06-20)


(Figure 5: Attempted exploitation of CVE-2010-0840 (more detailed analysis below))


(Figure 6: Attempted exploitation of CVE-2010-0886)


The end result of successful exploitation is that a trojan downloader is downloaded and executed on the user's machine.


Update (2011/06/29): upon further research, hxxp://dalanaya[dot]cz.cc is hosting the Incognito exploit kit.


The Details

hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html contains an injected iframe, which causes a connection from the user's machine to a website owned by an attacker; this happens without any user interaction.

Analyzing the source and DOM in the browser we can see this more clearly:




(Figure 7: Source and DOM of hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html)


Here is the order of web sites that a user will be redirected to upon visiting the compromised site (redirection chain):

  1. User visits hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html (compromised web site)
  2. An iframe connection to hxxp://toolbarqueries-google[dot]com/in.cgi?default is made
  3. hxxp://toolbarqueries-google[dot]com/in.cgi?default redirects the user via a 302 redirect (Status: 302) to hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==
  4. hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== redirects the user via an iframe to hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==, and also attempts to load a jar file, hxxp://dalanaya[dot]cz.cc/bodun.jar (see analysis below), and a PDF exploit.
  5. hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== attempts to load a jar file from hxxp://778887467/sdghsdfv, which returns a "503-Service Unavailable" status code.
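Both redirection chains on this page, the 302 hops that dead-ended at google.com in the Blackhole post above and the iframe and 302 hops listed in the steps just above, can be recorded with the same small walker. The following Python is an added example, not code from Websense or from either post: the fetch function is injected so the script runs offline against constructed responses, and every host in it (compromised.example, redirector-1.example and so on) is a placeholder rather than one of the indicators from the posts.

```python
"""Follow a redirect chain hop by hop, recording HTTP 302 Location hops and
injected <iframe> hops, and classify where the chain ends.

Added example, not code from the original posts. The fetch function is
injected so the script runs offline against constructed responses; the
hosts below are placeholders, not the indicators from the posts."""
import re
from urllib.parse import urljoin, urlsplit

IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
SEARCH_ENGINE_HOSTS = ("google.com", "bing.com", "yahoo.com")
PAYLOAD_SUFFIXES = (".jar", ".class", ".pdf", ".exe")


def classify_end(url, status):
    """Label the last hop the way the posts do: a 'dead end' that lands on a
    search engine, an unavailable payload (503), a payload fetch, or content."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if status == 503:
        return "unavailable (503)"
    if any(host == h or host.endswith("." + h) for h in SEARCH_ENGINE_HOSTS):
        return "dead end (redirected to a search engine)"
    if parts.path.lower().endswith(PAYLOAD_SUFFIXES):
        return "payload fetch"
    return "content"


def follow_chain(start, fetch, max_hops=10):
    """Return a list of (url, status, how) hops starting at `start`.

    `fetch(url)` returns (status, headers, body). `how` records why the hop
    was reached: "start", "302" (Location header) or "iframe" (injected
    frame). Revisiting a URL is reported as a "loop" hop and stops the walk."""
    chain, seen, url, how = [], set(), start, "start"
    for _ in range(max_hops):
        if url in seen:
            chain.append((url, None, "loop"))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append((url, status, how))
        location = headers.get("Location") if 300 <= status < 400 else None
        if location:
            url, how = urljoin(url, location), "302"
            continue
        match = IFRAME_SRC.search(body or "")
        if match:
            url, how = urljoin(url, match.group(1)), "iframe"
            continue
        break
    return chain


def report(chain):
    """Render the chain as numbered lines plus a verdict for the last hop."""
    lines = ["%d. %s (%s, via %s)" % (i + 1, url, status, how)
             for i, (url, status, how) in enumerate(chain)]
    last_url, last_status, _ = chain[-1]
    lines.append("end: " + classify_end(last_url, last_status))
    return lines


# Constructed responses modelled on the chains described in the posts.
FAKE_WEB = {
    "http://compromised.example/bio.html": (200, {}, (
        "<html><body>Biography</body>"
        '<iframe src="http://redirector-1.example/in.cgi?default" '
        'width="0" height="0"></iframe></html>')),
    "http://redirector-1.example/in.cgi?default": (
        302, {"Location": "http://redirector-2.example/in.php?a=x"}, ""),
    "http://redirector-2.example/in.php?a=x": (
        200, {}, '<iframe src="http://kit.example/dtr.php?a=x"></iframe>'),
    "http://kit.example/dtr.php?a=x": (
        200, {}, '<iframe src="http://payload.example/loader"></iframe>'),
    "http://payload.example/loader": (503, {}, ""),
    # A chain whose browser checks failed and which drops the visitor on a search engine.
    "http://decoy.example/": (302, {"Location": "http://google.com"}, ""),
    "http://google.com": (200, {}, "<html>search</html>"),
    # Two redirectors pointing at each other.
    "http://loop-a.example/": (302, {"Location": "/b"}, ""),
    "http://loop-a.example/b": (302, {"Location": "http://loop-a.example/"}, ""),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    for start in ("http://compromised.example/bio.html", "http://decoy.example/"):
        print("\n".join(report(follow_chain(start, fake_fetch))))
```

Swapping fake_fetch for a real HTTP client (one that does not follow redirects itself) turns this into a recorder for live chains; the hop labels are what let you tell a 302 dead end from an iframe that pulled in a payload.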


778887467 is just 46.108.225.43 decimal encoded (this is a very typical technique used by malicious attackers and spammers to obfuscate URL links). 

Logic:
46 = 00101110
108 = 01101100
225 = 11100001
43 = 00101011


Joining all the binary digits together results in 00101110011011001110000100101011 binary, which equals 778887467 decimal. Browsers accept this decimal encoding and resolve it to the same address.


Although the jar file from 46.108.225.43 returns "503-Service Unavailable", the interface to ThreatSeeker allows me to see any previous exploits or malware that the site hosted. Here are the results:

  • hxxp://46.108.225.43/dira/jar.class (sha1: 530f83a963927963908d272de90760de30577add) (TrojanDownloader:Java/OpenConnection.OF) - date first seen: 2011-05-24 22:46:47
  • hxxp://46.108.225.43/srv.exe (sha1: d917dc291259def9dd65ab17c4f51b6e88488648) (TrojanDownloader:Win32/Carberp.G) - date first seen: 2011-06-03 05:10:20
  • hxxp://46.108.225.43/update_us.exe (sha1: ffba80822ad9c12a827b07ee652a59a579ecbc9b) (Rogue:Win32/FakeRean) - date first seen: 2011-06-23 19:06:41
  • hxxp://46.108.225.43/srv_1.exe (sha1: c079a4d11125e5868965327fdc5949d1bafa1bc6) (TrojanDownloader:Win32/Carberp.C) - date first seen: 2011-06-17 12:13:56
  • hxxp://46.108.225.43/update.exe (sha1: bdfaee06a6335005bbaf04339fe9370679e858f4) (Win32/LockScreen.AHO trojan) - date first seen: 2011-06-27 03:07:38


As we can see this IP has hosted other exploits and malware in the past.


Network Analysis of bad players

Let's analyze the sites involved because they are all malicious, either acting as a redirector or serving a potential exploit. 


hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html is a compromised site that the attackers can control and update.

The "whois" record shows the following creation and expiration dates:


(Figure 8: whois record for divastation[dot]com)


The clue that this is a compromised site, as opposed to a site owned by an attacker, is that it has been around since 1998; typically malicious sites are registered within a few days to a few months of being used.


toolbarqueries-google[dot]com resolves to 91.214.209.19, 195.226.218.101, 195.226.218.101, 193.105.240.11


(Figure 9: whois record for toolbarqueries-google[dot]com)


win-update[dot]cz.cc resolves to 207.58.177.96
dalanaya[dot]cz.cc resolves to 207.58.177.96
46.108.225.43 


The following whois lookups, courtesy of Team Cymru, expose the following information:


whois -h whois.cymru.com " -v 91.214.209.19"
AS | IP          | BGP Prefix           | CC                             | Registry   | Allocated  | AS Name
196808  | 91.214.209.19    | 91.214.208.0/22     | UA             | ripencc     | 2009-06-24 | KOMSERVICE-AS NET KOMSERVICE


whois -h whois.cymru.com "-v 207.58.177.96" 
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
25847   | 207.58.177.96    | 207.58.128.0/18     | US | arin     | 2004-04-29 | SERVINT - ServInt


whois -h whois.cymru.com " -v 46.108.225.43"
AS      | IP      | BGP Prefix          | CC | Registry |  Allocated  | AS Name
50244   | 46.108.225.43    | 46.108.224.0/21     | RO | ripencc  | 2010-07-21 | ITELECOM Pixel View SRL



Although both win-update[dot]cz.cc and dalanaya[dot]cz.cc resolve to the same IP address (207.58.177.96), the rest of the redirector chain is quite distributed. 
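A small parser for the Team Cymru output above, added here as an example (not the post's own tooling): the sample input is the three lookups shown above, pasted verbatim, and the grouping function is the check behind the "quite distributed" observation.

```python
"""Parse the pipe-delimited output of Team Cymru's IP-to-ASN whois service
(whois -h whois.cymru.com -v ...) and summarise how spread out the hosting is.
Added example, not code from the original post; the sample is the three
lookups shown in the post, pasted verbatim."""

FIELDS = ("asn", "ip", "prefix", "cc", "registry", "allocated", "as_name")

SAMPLE_OUTPUT = """
whois -h whois.cymru.com " -v 91.214.209.19"
AS | IP          | BGP Prefix           | CC                             | Registry   | Allocated  | AS Name
196808  | 91.214.209.19    | 91.214.208.0/22     | UA             | ripencc     | 2009-06-24 | KOMSERVICE-AS NET KOMSERVICE

whois -h whois.cymru.com "-v 207.58.177.96"
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
25847   | 207.58.177.96    | 207.58.128.0/18     | US | arin     | 2004-04-29 | SERVINT - ServInt

whois -h whois.cymru.com " -v 46.108.225.43"
AS      | IP      | BGP Prefix          | CC | Registry |  Allocated  | AS Name
50244   | 46.108.225.43    | 46.108.224.0/21     | RO | ripencc  | 2010-07-21 | ITELECOM Pixel View SRL
"""


def parse_cymru(output):
    """Turn each data row into a dict. Header rows, blank lines and the echoed
    command lines are skipped; a pipe inside the AS name is tolerated."""
    rows = []
    for line in output.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 7 or not cells[0].isdigit():
            continue
        cells = cells[:6] + [" | ".join(cells[6:])]  # rest belongs to the AS name
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def hosting_summary(rows):
    """Group IPs by (ASN, AS name, country). One group means a single provider
    hosts the whole chain; several mean the chain is distributed."""
    groups = {}
    for row in rows:
        key = (row["asn"], row["as_name"], row["cc"])
        groups.setdefault(key, []).append(row["ip"])
    return groups


if __name__ == "__main__":
    for key, ips in hosting_summary(parse_cymru(SAMPLE_OUTPUT)).items():
        print("AS%s %s (%s): %s" % (key[0], key[1], key[2], ", ".join(ips)))
```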


Let's take a quick look at the jar exploit that ends up being served to the user:


Analysis of hxxp://dalanaya[dot]cz.cc/bodun.jar

hxxp://dalanaya[dot]cz.cc/bodun.jar (sha1: de573766f4095ab979174df2033b834c62abd603) (Java/TrojanDownloader.OpenStream.NCE trojan) - date first seen: 2011-06-26 10:45:40


A JAR file is nothing more than a PKZIP'd (compressed) archive that includes several Java class files used for execution.


bodun.jar contains the following class files:

 
(Figure 10: IDA display of bodun.jar class files) 


shalun\nterhoop.class - Exploit.Java.Agent.ff - exploits CVE-2010-0840, which allows for downloading and execution (in this case a trojan downloader)
pinoche.class - Trojan-Downloader.Java.Agent.mc (this class is responsible for downloading and executing the trojan downloader)
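A first triage pass over a jar like bodun.jar is to list its members, hash them and check which ones are really class files. The following Python is an added example, not Websense's analysis tooling: it builds a constructed jar in memory (two stub classes in a package directory, a manifest and a text file) so it runs without a real sample, and the API strings it looks for are an assumed shortlist of what a downloader class tends to reference.

```python
"""Inventory the members of a JAR, hash them and flag class files that name
download-and-run APIs. Added example, not code from the original post; the
jar it inspects is constructed in memory, so no real sample is needed."""
import hashlib
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this
# Assumed shortlist: constant-pool strings that together usually mean
# "fetch a file over the network, write it to disk and execute it".
DOWNLOAD_RUN_APIS = (b"java/net/URL", b"java/io/FileOutputStream", b"java/lang/Runtime")


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def inventory_jar(jar_bytes):
    """List every member with its size, SHA-1, whether it is really a class
    file (magic number check, not just the extension) and which APIs it names."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            entries.append({
                "name": info.filename,
                "size": len(data),
                "sha1": sha1_hex(data),
                "is_class": data.startswith(CLASS_MAGIC),
                "apis": [api.decode() for api in DOWNLOAD_RUN_APIS if api in data],
            })
    return {"jar_sha1": sha1_hex(jar_bytes), "entries": entries}


def triage(jar_bytes):
    """Add a 'suspect_classes' list: class files naming two or more of the APIs."""
    result = inventory_jar(jar_bytes)
    result["suspect_classes"] = [e["name"] for e in result["entries"]
                                 if e["is_class"] and len(e["apis"]) >= 2]
    return result


def build_sample_jar():
    """Constructed stand-in for a downloader jar: a manifest and two classes in
    a package directory. The class bodies are the magic number, a version
    field and a few constant-pool-like strings, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("pkg/loader.class", CLASS_MAGIC + b"\x00\x00\x00\x32"
                    + b"\x00java/net/URL\x00java/io/FileOutputStream\x00java/lang/Runtime")
        zf.writestr("pkg/helper.class", CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00pkg/Helper")
        zf.writestr("notes.txt", "not a class file")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_jar())
    print("jar sha1:", report["jar_sha1"])
    for entry in report["entries"]:
        print(entry)
    print("suspect classes:", report["suspect_classes"])
```

The per-member hashes are what you would pivot on next (the jar's own SHA-1 changes every time the kit repacks it, the class files inside often do not), and the magic-number check catches members whose extension lies about their type.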


pinoche.class makes a connection based on parameters passed in from the main webpage:


(Figure 11: Java Applet object HTML code)

 

The class files within the jar file contain obfuscated strings throughout the code base, but the intention of the code is to initiate an Internet connection to download and execute a file.

(Figure 12: Java code in Java Decompiler)


The actual executable that was downloaded was not analyzed, but you can see how simple it is for an attacker to use jar files to exploit a user.

 

Targeting the JRE (Java run-time) is currently the number one drive-by exploit vector on the web. Most exploit kits and attackers who use custom exploits will typically use both Adobe PDF exploits and Java exploits to run code on a user's machine. Typically, exploitation is silent. Websense Security Labs would like to emphasize that users should always be careful when searching the web. This is true for Google, Bing, Yahoo and all popular and lesser known search engines.


Hopefully, this example has shown the potential dangers in clicking on search engine results.


Stephan Chenette - Principal Security Researcher


Anonymous

Instant Exploits?
Posted: 14 Jun 2011 12:02 PM

Earlier today, Google announced a number of new technologies as part of their Google Inside Search Launch (http://www.google.com/insidesearch/). One of the more interesting is their idea to speed up the Web with something called "Instant Pages." The basic idea is that they are taking their ability to correctly guess what a user is going to search on, and pre-loading the content from the origin server onto your local machine. Apparently, this only works with the Chrome browser.

 

This leads to some interesting exploit scenarios. In the past, search algorithms have been duped to have malicious pages show up in results. In those cases, although they are dangerous, the user still has to click on one of the top results to get infected. In the new scenario, the big question is if a user can be exploited by simply searching, without even clicking on a link.

 

In slightly related news, Google also announced voice recognition to search. It will be interesting to see how/if the rogue AV camps will also be utilizing this to their advantage in the future.

 


Anonymous

Green Energy Black Hat SEO
Posted: 27 May 2011 10:00 AM

Websense Security Labs' Threatseeker network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain appears to be compromised by a number of medical spam-related URLs, most of which are compromised sites themselves. As you can see from the screenshots below, unless you were to view the source code for the Web page, it is almost impossible to tell that this page has been modified.

 

The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site - sefi.unep.org. SEFI is a division of UNEP and provides support and tools to financiers in regards to the use of clean energy technologies.

 

 

Like most Black Hat SEO attacks on compromised sites, the site tends to look perfectly fine, and there is no indication that the site has been compromised.

 

However, further analysis of the source code reveals that the entire Black Hat SEO block is appended to the end of the HTML code. Also notice that the block is styled as hidden, and that the height and width of the displayed content are set to zero.

 

 

 

Trailing through a chunk of the appended code, you can see the use of drug names such as 'viagra' and 'levitra'. These keywords help the page achieve a better search engine ranking.
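The hidden, zero-sized block described above can be found mechanically by walking the HTML and collecting the text of elements a visitor cannot see. The following Python is an added example, not code from the post: the sample page, the keyword list and the hiding rules (display:none, visibility:hidden, zero height or width, the hidden attribute) are constructed for the demonstration, and the finder also records whether a block sits after the closing html tag, which is where the post says this one was appended.

```python
"""Find hidden blocks of spam keywords appended to a page, the pattern
described above. Added example, not code from the original post; the page
and keyword list below are constructed for the demonstration."""
import re
from html.parser import HTMLParser

HIDING_STYLES = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:height|width)\s*:\s*0(?:px)?(?![\d.])",
    re.I)
SPAM_TERMS = ("viagra", "levitra", "cialis", "pharmacy")  # constructed list


class HiddenBlockFinder(HTMLParser):
    """Collect the text of every outermost element that is styled or sized so
    the visitor cannot see it, and note whether it came after </html>."""
    VOID = {"br", "img", "meta", "link", "input", "hr"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []       # tags of currently open elements
        self.block = None     # hidden block being collected, if any
        self.blocks = []
        self.html_closed = False

    @staticmethod
    def is_hidden(attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        return (bool(HIDING_STYLES.search(style)) or "hidden" in a
                or (a.get("width") == "0" and a.get("height") == "0"))

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        self.stack.append(tag)
        if self.block is None and self.is_hidden(attrs):
            self.block = {"tag": tag, "line": self.getpos()[0],
                          "depth": len(self.stack), "text": [],
                          "after_html_close": self.html_closed}

    def handle_data(self, data):
        if self.block is not None:
            self.block["text"].append(data)

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if tag == "html":
            self.html_closed = True
        while self.stack:           # tolerate unclosed inner tags
            top = self.stack.pop()
            if self.block is not None and len(self.stack) < self.block["depth"]:
                self.finish_block()
            if top == tag:
                break

    def finish_block(self):
        text = " ".join(" ".join(self.block["text"]).split())
        low = text.lower()
        self.blocks.append({
            "tag": self.block["tag"], "line": self.block["line"],
            "after_html_close": self.block["after_html_close"],
            "words": len(text.split()),
            "hits": [t for t in SPAM_TERMS if t in low],
            "snippet": text[:60]})
        self.block = None


def find_hidden_spam(html):
    """Return only the hidden blocks that contain spam keywords."""
    finder = HiddenBlockFinder()
    finder.feed(html)
    finder.close()
    if finder.block is not None:     # block never closed before end of input
        finder.finish_block()
    return [b for b in finder.blocks if b["hits"]]


# Constructed page: a clean body, a harmless hidden element, and an SEO block
# appended after </html> the way the post describes.
SAMPLE_PAGE = """<html><head><title>Clean Energy Finance</title></head>
<body><h1>Sustainable finance tools</h1><p>Guidance for financiers.</p>
<div style="display:none">Skip to content</div>
</body></html>
<div style="visibility:hidden;height:0px;width:0px">
<a href="http://spam.example/1">cheap viagra online</a>
<a href="http://spam.example/2">buy levitra</a> pharmacy discount
</div>
"""

if __name__ == "__main__":
    for block in find_hidden_spam(SAMPLE_PAGE):
        print(block)
```

Run over a site's own pages on a schedule, a non-empty result (or any hidden block that appears after the closing html tag) is a cheap signal that something has been appended, which is exactly what the screenshots above would not show.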

 

 

 

 

Most of the mainstream search engines such as Google know of these tricks and do their best to prevent these attacks, but it does not always work. However, the prevention success rate is higher for well-known search engines compared to the less mainstream ones.

 

At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.


Anonymous

Google Image Poisoning Leads to Exploit
Posted: 21 Apr 2011 01:12 AM

 

Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.

 

 

Websense Security Labs Threatseeker® network has detected that Google Image search returns poisoned pictures when searching on celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

 

 

 

The search results for "Presley Walker" through Google Image:

 

 

 

 

Let's take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.

 

Below is one of the redirection chains used by this exploit kit:

 

From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploit sites are hosted on the same IP, 66.235.180.91, and, interestingly, they use the same path name, TF19, which looks like a pattern of this campaign. Finally, the kit triggers the vulnerabilities appropriate to the user's operating system and browser. From the chain above we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection rate.

 

The list of URLs hosted on the IP, as shown from our Threatseeker network:

 

 

Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

 

The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.

 

 The rogue AV page when using Firefox to surf the Web:

 

 

 

 

 

 

 

 

Xue Yang

Instant Previews: A Pawn for Malicious Intent
Posted: 17 Nov 2010 06:08 PM

Ever noticed a magnifying glass next to your Google search results lately?  It is actually a new service that Google launched last week called Instant Previews.  This service allows users to see what a page looks like before going to it by hovering or clicking the magnifying glass next to the Google search results. 

Simple? Yes. Secure? Not so much. Our research shows that the images shown in Instant Previews are not updated as frequently as one might assume. Therefore, we don't think this feature would help users much in making an informed decision about whether a link is indeed malicious or not. On the other hand, Websense customers are protected from this attack by our ACE real-time analytics.

We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday. Using Google's Instant Preview on the malicious search results may lead users into believing that the links they're clicking on are actually safe when in fact they're not.



Take the picture above for example.  Instant Preview returns a very legitimate looking page, complete with pictures and relevant words.  To unsuspecting eyes, it looks clean.  Of course, when the user clicks the link, they will be redirected to the fake Firefox Update page.  This tactic is also evident on Black Friday related search results.

Other variations of images used by malware pushers in Instant Previews are the usual standard Google Search Page and a very simple "Preview not available."

 


Mary Grace Timcang

Attackers using Prince William engagement for attacks
Posted: 16 Nov 2010 11:19 PM

It didn't take long for attackers to take advantage of the big news that Prince William and Kate Middleton are getting married. As we have explained before, attackers have the process down to a science. They monitor breaking news, trending topics, and buzz words, then automatically manipulate search results based on what's happening in the world. Websense customers are protected against this attack through our Advanced Classification Engine.

 

As we discussed in our 2010 Threat Report, searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results. And that's in the top 100 results!

 

 

The result when clicking on one of the malicious links is exactly the same as with last week's Veteran's Day scams. As always, make sure you go to reputable sites when looking for news. Don't just do random searches.


Patrik Runald

Veteran's Day spurs Poisoned Search
Posted: 10 Nov 2010 11:58 PM

Today is Veteran's Day, and like any other holiday, black hat SEO and spam emails have been visible since Monday this week. Websense customers are protected against this attack through our Advanced Classification Engine.

Search terms like veteran's day, veteran's day 2010, veteran's day events, veteran's day california and veteran's day honolulu return poisoned web results.    



 
Earlier this week, the code found on the infected site was reminiscent of last week's Midterm Elections attack. In fact, the websites used in the Midterm Elections black hat SEO are also the ones used for Veteran's Day black hat SEO. At the time, the redirection was not working, although the URL specified is an active rogue AV site. As you can see below, the election term is replaced by Veteran's Day related search terms.

Today, the poisoned results' redirection pages are up and running. If the user is using Firefox, they will be redirected to a fake Firefox update page, prompting them to download a file called firefox-update.exe, detected by 13/40 VT engines. For Internet Explorer, the ever so familiar rogue AV page is where users are redirected. The only noticeable thing is that the rogue AV installer is not available for download; clicking on the "Remove all" button only prompts a warning box.

 

The fact remains that there is more than one way to find something on the web, and so the malware pushers also decided to use poisoned image results. Unlike the poisoned web search results, poisoned image results have been active since Monday. The payload is also browser-based today, although it was serving up rogue AV regardless of the browser last Monday.



Finally, spammers also want their share of the pie as well, so when you look at the results under videos, a slew of adult content is returned.  Of course this is in addition to the spam emails spammers have been distributing since last week.


To conclude, we have seen how business-minded malware pushers are. One code base used in two different events. As always, be cautious when clicking search results. The "This site may harm your computer." warning is not always there to save the day, especially in video and image search results. Moreover, keep in mind that malware pushers are diversifying their portfolio by including poisoned image search results more and more.

 


UPDATE

 

We are also seeing the same attack on search terms related to today's UK Remembrance Day. Do be cautious when searching for holocaust remembrance day 2010 and remembrance day 2010.


 


Mary Grace Timcang

Who has your vote? Malicious Adobe and Firefox updates join the rogue AV election!
Posted: 02 Nov 2010 04:48 PM

I wonder how much longer rogue AV will ride the wave of major news?  Having recently blogged about Rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be blank pages from the Black Hat SEO we noticed yesterday.  Websense customers are continually being protected against this attack through our Advanced Classification Engine.

 

In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, being election day itself.  This particular attack is browser-aware, as the threats are specific to the browser being used.   

 

 

Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content.  The main differences from what we noticed in the previous attack are that no URL is provided in the "script : if (navigator:userAgent.indexOf("MSIE")<0)var url= "http:" part, and in addition the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.

 

Let's start off with the first of the malicious candidates in the rogue AV election: the Adobe Flash update. This is specific to Internet Explorer 8, and when the link is activated, the unsuspecting user gets a prompt to install fake Macromedia Flash Components, claiming this is required to view the web site.

 

 

The second malicious component, which masquerades as a Firefox update message, is - as can be guessed - specific to Firefox browser users.

 

 

As shown above, the user again gets prompted to update Flash player, but this time specific to Firefox.

 

With all other browsers, we notice it just redirects to the same site for the rogue AV download page we noticed yesterday.

 

As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update and Firefox Flash update was about 27.9% as confirmed by VirusTotal.

 

 


Anonymous


©2013 Websense, Inc. All Rights Reserved.