Fake AV - another attack method

Discussion in 'malware problems & news' started by Rmus, May 4, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In another thread I asked if anyone knew of a drive-by fake AV exploit that didn't use javascript, and I didn't get any response.

    This one also involves scripting -- using poisoned images retrieved in a Google search. It's not new - the recent malware targeting Mac computers uses it:

    how to remove macdefender?
    https://discussions.apple.com/thread/3029554?tstart=0
    But this is the first analysis I've seen as to how this specific image exploit works:

    More on Google image poisoning
    http://isc.sans.edu/diary/More on Google image poisoning/10822

    Here is a screen shot of part of the script:

    googleimgscrpt.gif

    I don't have scripting enabled when doing searches, just as a precautionary measure.

    regards,

    -rich
     
    Last edited: May 4, 2011
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I've often wondered why they use scripting to show the fake scans. I would have thought it would be possible to use for eg animated GIF's etc to achieve the same effect. Most people have this "feature" auto enabled by their browser/s, i would think ?

    Also i seem to remember, but might be wrong, that using CSS in some way/s could be abused to deliver unwanted etc stuff. And that's free flowing in the browser, as far as i know !

    So combining both methods even without scripting "might" do some nasty deeds. Whether or not user stupidity etc would still be required ?
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Very interesting, Rmus! Thanks much for the breakdown.

    A few questions, though, if you would. Let's say that a user has their browser configured to only allow Javascript and plugins on a whitelist basis, with the default behavior being to disable Javascript and plugins on domains otherwise. Let us also assume that javascript and plugins are active on the Google domain (otherwise, Google Image Search doesn't work - At least, not for me).

    When the user clicks on the thumbnail, I assume the attack will still function - so the user will be redirected to the FakeAV site. But once there, I'd assume that javascript standards would be the preferred method of attack. In this case, will anything happen? Or will the whitelisting behavior render the attack toothless after landing on an unfamiliar domain?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Not I, says me!

    I'm not familiar with much web programming - perhaps someone else can answer.

    Looking at the codes, however, reveals that the scripts load more than just the fake scans: they use 'mouseover' script commands to keep the user in a loop, for example, and scripts to make popup messages continue by means of the 'onclick' script command. Here are popups from an Antivirus2009 exploit, when the user attempts to close the page by clicking on the "X":

    jspopup.gif

    regards,

    -rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've not needed javascript to use Google Images.

    But to test your question about whitelisting behavior, I'll enable javascript and search for bin laden:

    googleImgJS-1New.gif

    I'll click on one. Hovering the mouse over the image|link, I can see that Google is retrieving the page from longwarjournal.org
    and loading it into its Google domain, and I can verify that by seeing the URL in the browser addess line.
    Since it's the same domain, javascript remains enabled:

    googleImgJS-2New.gif

    Now, If I click on the longwarjournal.org link at the top of the page, I'm taken to their site, and I see the same page,
    but since it's not the Google domain, javascript is not enabled:

    googleImgJS-3New.gif

    And so with a redirect from a Google search via search engine poisoning: javascript would be disabled on the redirected page, even though it's enabled on Google.

    (Google has been taking some heat regarding these SEO exploits using images, so they've been monitoring, and I didn't find any images that redirected.)

    In the "Nothing is New" department: redirect exploits from Google searches have been around for at least 4 years.
    Here at Wilders, back in 2007, member noway caught the 'sloantreefarm" exploit.
    Compare the sloantree code with the first code sample in step 4 in the Diary I linked in Post #1:

    sloantreefarNew.gif

    The difference is that instead of clicking on a text hyperlink, as in the sloan exploit, the user clicks on an image hyperlink.
    Slightly different type of code, but the result is the same: redirect to a bad site with a malicious script.

    And so it goes...

    regards,

    -rich
     
    Last edited: May 5, 2011
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Not you ;) but most people would have animated GIF's active. And looking it up, it seems they have used them as part of exploits.

    Remember the WMF fiasco :D


    Me niether :D

    We live in hope ;)

    Found this ?

    Stuff's gone missing from your Post # 5 ?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    We'll have to wait and see if the fake AV people use any of those techniques!

    What's missing from post #5?

    -rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I thought you had some screenies in the "Missing" sections before your Edit ?

    m.gif
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Images are missing.
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes :thumb:
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
    Merged Threads to Continue Related Topic.
     
  14. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
     
  16. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
     
Loading...
Thread Status:
Not open for further replies.