Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Down the FakeAV rabbit hole InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Down the FakeAV rabbit hole

Published: 2011-07-21
Last Updated: 2011-07-21 02:21:00 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

 

This one started with ISC reader Lorenzo spotting a suspicious EXE download in his proxy logs. Sorting and analyzing the logs further led him to the page that actually triggered the download... and from there, he discovered a slice of what is behind those poisoned Google Image Searches that we covered earlier.

In a nutshell, there are websites running PHP, and a vulnerable version of (what we believe so far) WordPress or Joomla.

Once hacked, the bad guys add some custom malicious PHP.

The custom PHP uses "Google Trends" and other web sites with trending statistics to find out what people currently are interested in. Out of this, the PHP generates lots of links for these topics, pointing to itself and other similarly infected pages. Politely enough, the current version of the PHP keeps a log file of sorts of its activity .. and this log file is accessible, looking something like this (defanged to keep your anti-virus from panicking :)

a href="http://domain-removed/js/ajax.php?p=social-security-checks">social security checks
a href="http://domain-removed/js/ajax.php?p=rebecca-nalepa">rebecca nalepa
a href="http://domain-removed/js/ajax.php?p=droid-bionic">droid bionic
a href="http://domain-removed/js/ajax.php?p=marilyn-monroe-statue">marilyn monroe statue
a href="http://domain-removed/js/ajax.php?p=murdoch">murdoch
a href="http://domain-removed/js/ajax.php?p=facebook">facebook
a href="http://domain-removed/js/ajax.php?p=iphone-5-release-date">iphone 5 release date
a href="http://domain-removed/js/ajax.php?p=men-of-a-certain-age">men of a certain age
a href="http://domain-removed/js/ajax.php?p=george-anthony">george anthony
a href="http://domain-removed/js/ajax.php?p=toshiba-thrive">toshiba thrive

One thing in common is the ?p=trendy-topic. If you search, for example, for

inurl:?p=casey-anthony inurl:php

in Google, chances are that a good bunch of the results are actually infected web sites. BEFORE YOU GO THERE: These search results are highly likely to return MALICIOUS content. As they say on TV: Don't try this at home, kids! As I say off TV: If you brick your PC or blackout your company, don't blame ME!

One of the search results, for example, is blog. ccdex.com/wp-admin/rtl.php?p=casey-anthony-jurors

In this case, you would go to blog. ccdex.com/wp-admin/log

... and lookie what you find: A long list of trending topics and other infected domains.

After trying a handful of these domains manually, Lorenzo wrote a script that recursively requested the "log" files, parsed them, and requested the log files of the domains mentioned within the log, etc...  The result are currently about 100 domains that are hacked, and used to poison the search results.

Our investigation is still ongoing, if we find any further clues, we'll update this diary. If you have been analyzing the same thing in the past days, please share what you found so far.

 

 

 

Keywords: fakeav fave AV
1 comment(s)
Diary Archives