The Latest in IT Security

Blackhat SEO poisoning is something we have blogged about numerous times in the past [1] [2] [3].

If you aren’t familiar with the topic here are the basics:

Attackers that control botnets have the ability to poison search engine results to point to pages they own or that they have compromised in order to redirect users to web sites hosting malicious code. When a user clicks on a poisoned search result, their machine may be exploited or they may be prompted with rogue antivirus to which they are almost always tricked into installing.

The ThreatSeekerR Network regularly monitors “trending topics” on Google,  Twitter, major news outlets, and other sources to see which keywords attackers are most likely to attempt to poison. Here is an example that our ThreatSeeker Network picked up one morning.

Google hot search keyword “patti labelle” poisoned
 

:

(Figure 1: The Google “Hot Searches” for June 27, 2011)

As you can see “patti labelle” is “hot search” topic #6.

Using our ThreatSeeker Network, which includes our backend processes, customer feedback loops, and most importantly ACE, our Advanced Classification Engine, we routinely monitor billions of pages. Amongst those are potentially poisoned search results.

This morning when I checked my inbox for notifications and alerts this is what I found:

Google “hot search” keyword = “patty labelle” found in URL 30 : hxxp://www.divastation.com/patti_labelle/labelle_bio.html

Details:
4 Security connections:

• src: hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html (Malicious Web Sites), dest: hxxp://toolbarqueries-google[dot]com/in.cgi?default (Emerging Exploits)
• src: hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==(Malicious Web Sites), dest: hxxp://778887467/sdghsdfv (Malicious Web Sites)
• src: hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==(Malicious Web Sites), dest: hxxp://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== (Malicious Web Sites)
• src: hxxp://toolbarqueries-google[dot]com/in.cgi?default (Emerging Exploits), dest:hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== (Malicious Web Sites) 

I then checked Google Search and confirmed the findings. Searching for “patty labelle”, I found a malicious link on the 3rd page (result 30) of Google search results:


(Figure 2: Poisoned Google search results)

What happens to the user if they click on the link?

By clicking on the link from Google search results the user is sent to:
hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html

Upon visiting this site the following network connections are made:

:
 (Figure 3: divastation[dot]com redirection chain)

The attackers payloads consist of various PDF and Java Exploits that will be attempted and executed if the user is not patched:

(Figure 4: Attempted exploitation of APSB06-20)

(Figure 5: Attempted exploitation of CVE-2010-0840 (more detailed analysis below))

(Figure 6: Attempted exploitation of CVE-2010-0886)

The end result of successful exploitation is that a trojan downloader is downloaded and executed on the users machine.

The Details

hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html contains an injected iframe, which causes a connection from the user’s machine to a website owned by an attacker, this is done without any user interaction.

Analyzing the source and dom in the browser we can see this more clearly:

(Figure 7: Source and DOM of hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html)

Here is the order of web sites that a user will be redirected to upon visiting the compromised site (redirection chain):

1. User visits hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html (compromised web site)
2. An iframe connection to hxxp://toolbarqueries-google[dot]com/in.cgi?default is made
3. hxxp://toolbarqueries-google[dot]com/in.cgi?default redirects the user via 302 redirect to (Status: 302) to hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==
4. hxxp://win-update[dot]cz.cc/in.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== redirects the user via iframe to http://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ==
   AND also attempts to load a jar file hxxp://dalanaya[dot]cz.cc/bodun.jar (see analysis below) and a PDF exploit.
5. http://dalanaya[dot]cz.cc/dtr.php?a=QQkFBwQDDAIFAAUEEkcJBQcEDAUGBAcNDQ== attempts to load a jar file file from hxxp://778887467/sdghsdfv which returns a “503-Service Unavailable” status code.

778887467 is just 46.108.225.43 decimal encoded (this is a very typical technique used by malicious attackers and spammers to obfuscate URL links). 

Logic:
46 = 00101110
108 = 01101100
225 = 11100001
43 = 00101011

Joining all the binary digits together results in 00101110011011001110000100101011 binary, which equals 778887467 decimal. Browsers correctly interpret decimal encoding.

Although the jar file from 46.108.225.43 returns “503-Service Unavailable”, the interface to ThreatSeeker allows me to see any previous exploits or malware that the site hosted. Here are the results:

• http://46.108.225.43/dira/jar.class (sha1: 530f83a963927963908d272de90760de30577add) (TrojanDownloader:Java/OpenConnection.OF) – date first seen: 2011-05-24 22:46:47
• http://46.108.225.43/srv.exe  (sha1: d917dc291259def9dd65ab17c4f51b6e88488648) (TrojanDownloader:Win32/Carberp.G) – date first seen:  2011-06-03 05:10:20
• http://46.108.225.43/update_us.exe  (sha1: ffba80822ad9c12a827b07ee652a59a579ecbc9b) (Rogue:Win32/FakeRean) – date first seen: 2011-06-23 19:06:41
• http://46.108.225.43/srv_1.exe (sha1: c079a4d11125e5868965327fdc5949d1bafa1bc6) (TrojanDownloader:Win32/Carberp.C) – date first seen: 2011-06-17 12:13:56 
• http://46.108.225.43/update.exe (sha1: bdfaee06a6335005bbaf04339fe9370679e858f4) (Win32/LockScreen.AHO trojan)  – date first seen: 2011-06-27 03:07:38

As we can see this IP has hosted other exploits and malware in the past.

Network Analysis of bad players

Let’s analyze the sites involved because they are all malicious, either acting as a redirector or serving a potential exploit. 

hxxp://www.divastation[dot]com/patti_labelle/labelle_bio.html  is a compromised site that the attackers can control and update.

The “whois” record shows the following creation and expiration data:


 (Figure 8: whois record for divastation[dot]com)

The clue that makes the case that this is a compromised site as opposed to a site owned by an attacker, is that it’s been around since 1998, typically malicious sites are registered within a few days to a few months of being used. 

toolbarqueries-google[dot]com resolves to 91.214.209.19, 195.226.218.101, 195.226.218.101, 193.105.240.11


(Figure 9: whois record for toolbarqueries-google[dot]com)


win-update[dot]cz.cc resolves to 207.58.177.96
dalanaya[dot]cz.cc resolves to 207.58.177.96
46.108.225.43 

The following whois lookup, courtesy of team cymru, exposes the following information:

whois -h whois.cymru.com ” -v 91.214.209.19″
AS | IP          | BGP Prefix           | CC                             | Registry   | Allocated  | AS Name
196808  | 91.214.209.19    | 91.214.208.0/22     | UA             | ripencc     | 2009-06-24 | KOMSERVICE-AS NET KOMSERVICE

whois -h whois.cymru.com “-v 207.58.177.96” 
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
25847   | 207.58.177.96    | 207.58.128.0/18     | US | arin     | 2004-04-29 | SERVINT – ServInt


whois -h whois.cymru.com ” -v 46.108.225.43″
AS      | IP      | BGP Prefix          | CC | Registry |  Allocated  | AS Name
50244   | 46.108.225.43    | 46.108.224.0/21     | RO | ripencc  | 2010-07-21 | ITELECOM Pixel View SRL

Although both win-update[dot]cz.cc and dalanaya[dot]cz.cc resolve to the same IP address (207.58.177.96), the rest of the redirector chain is quite distributed. 

Let’s take a quick look at the jar exploit that ends up being served to the user:

Analysis of hxxp://dalanaya[dot]cz.cc/bodun.jar

hxxp://dalanaya[dot]cz.cc/bodun.jar (sha1: de573766f4095ab979174df2033b834c62abd603) (Java/TrojanDownloader.OpenStream.NCE trojan) – date first seen: 2011-06-26 10:45:40

A JAR file is nothing more than a file that has been PKZIP’d (compressed) and that includes several Java class files that are used for execution.

bodun.jar contains the following class files:

 
(Figure 10: IDA display of bodun.jar class files) 

shalun\nterhoop.class – Exploit.Java.Agent.ff – exploits CVE-2010-0840, which allows for downloading and execution (in this case a trojan downloader)
pinoche.class – Trojan-Downloader.Java.Agent.mc (this class is responsible for downloading and executing the trojan downloader)

pinoche.class makes a connection based on params sent in from the main webpage:

(Figure 11: Java Applet object HTML code)

The class files within the jar file contain obfuscated strings throughout the code base, but the intention of the code is to initiate an Internet connection to download and execute a file.

(Figure 12: Java code in Java Decompiler)

The actual executable that was downloaded was not analyzed, but you can see how simple it is for an attacker to use jar files to exploit a user.

Targeting JRE (Java run-time) is currently the number one drive-by exploit vector on the web. Most exploit kits and attackers who use custom exploits will typically use both Adobe PDF exploits and Java exploits to run code on a user’s machine. Typically, exploitation  is silent. Websense Security Labs would like to emphasize that users should always be careful when searching the web. This is true for Google, Bing, Yahoo and all popular and lesser known search engines.


Hopefully. this example has shown the potential dangers in clicking on search engine results.

Stephan Chenette – Principal Security Researcher