By Andrew Brandt
Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.
What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.
I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.
To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)
On your computer detected the malicious code.
Should immediately make sure that your system is safe! Killing Hazard(R) for Microsoft Windows XP immediately started to work
Yeah, yeah, seen it before, yadda yadda yadda. Unintentional bad-grammar humor even extends to the browser title bar, which reads “Wait a minute! This is important – we check your device” like a waitress who’s chasing you out the door when you run out on the check. Funny, but not technically interesting in the slightest.
Using Internet Explorer 8, however we were led to an interstitial page on Google which previews the image. Note, however, that the “imgurl” value in the Address Bar shows the source image as coming from http://www.qsl.net but Google Images reports that the “Website for this image” is mookhost.com — the domain where the page that performs the redirection was hosted.
One would assume that an organization as sophisticated Google would actually be able to tell that the image was hosted at the “imgurl” domain, but I suppose that’s the secret sauce behind the trickery the blackhat SEO goofballs employed.
When you click the same malicious link in Google using Firefox, for example, you’re led to a page that looks like this.
Oddly enough, the page (hosted at update-ff.co.cc) loads both the stylesheet and images from Mozilla’s own Web server, but replaces the content in the center of the screen with an orange box that reads:
You should update Adobe Flash Player right now.
Firefox is up to date, but your current version of Flash Player can cause security and stability issues. Please install the free update as soon as possible.
Of course, both of the linked blobs of text lead to an installer (which, despite claims that it was supposed to be an Adobe Flash update, called itself ff-update.exe). If you don’t click anything, a countdown timer eventually elapses and starts a download of the same installer. Each time we refreshed the page and downloaded the file we received a copy that was the same size but had a unique MD5 hash. That means, something on the server was randomizing each file as it was delivered to the machine.
OK, this was getting a little more interesting. Server-side randomization isn’t exactly new, but it’s not commonly seen with rogues; Distributors of rogues don’t usually go to all the trouble to set up their Web servers with the ability to randomize the payload file because the sites don’t usually remain online for very long anyway. Hash randomization is just one technique the bad guys use to thwart detection by real antivirus products.
How could you know this was a fake page, other than the fact that visitors didn’t actually update Firefox in the course of our little test? Check out that version number in the screenshot of the Web page. Version 3.6.7 is one version lower than the newest version (3.6.8 went live this past July 23rd), but that isn’t the version of Firefox I had running. My testbed has Firefox 2.0 on it. D’oh!
The version of the manipulated page that was customized for Safari was hosted on fffest.co.cc. It pops up a dialog box which reads, simply, “You must install new version of flash player” without any punctuation, capitalization, or use of the definite article.
Oddly enough, the page itself puts an Internet Explorer-like message at the top of the screen which says “You need to install media components. ActiveX: “Adobe Flash Player” from “Adobe Systems Incorporated.” Oops. I guess nobody told them that Safari doesn’t use ActiveX.
And in Chrome, you get a page that looks almost identical to the Safari page, but instead of a Safari popup, the page displays a graphic that says “Flash ActiveX Object Error” and then prompts you to “install new version of Adobe Flash Player 11 to take advantage of web 2.0.”
Awesome. So, let me get this straight: On Chrome, which also doesn’t use ActiveX as its plug-in architecture, I need the ActiveX version of a nonexistent, future version of Flash in order to view the page? These malware geniuses need to get out of their time machine and look around a bit.
By the way, here is what a real Adobe Flash update dialog looks like. If you are running an older version of Flash, Adobe started pushing out these update notices in June. Can you spot the differences between this one and the others?
Besides the fact that it gives you a lot more information, there’s the little matter of that button labeled Don’t Install. You’ll never find that on a malicious Flash Update dialog.
The final piece of our research involved fiddling around with the Web domain to which all these manipulated search results link. After sending a few dozen queries at the server, I started to see this in the result window:
Wow, really? It’s watching for little old me? Not knowing what “Googleum” is supposed to be, I (naturally) Googled it, and here’s what appeared:
Let’s see: “Black SEO Empire” – check. Russian language Web site – check. Domain name ends in .biz – check. Yeah, sounds about right.