Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
 
Recent Posts
Categories
Monthly Blog Archives
Links
Subscribe
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« Yapbrowser acquired by Searchwebme | Main | Myspace Under Flash Fire »

  • The World Cup- The Internet "Red Card"

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

To better understand the event flow, click the thumbnail image below to enlarge. This will open to a new window.

http://blog.spywareguide.com/upload/2006/07/flowchart-thumb.JPG

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order create links to the domain. Because of the auto-rotatation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem as been publicly noted before by researcher Ben Edelman.


WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short- What you see is not what you may get..

Research: How Did This Happen?

While searching for the keyword “World Cup 2006” in the MSN search Engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent looking Blogspot URL as screenshot will demonstrate.


Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be more relevant to the keyword, and second result would be a somewhat less relevant page…etc. Numerous factors effect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAWorldCupSearchResult-thumb.JPG
Click To Enlarge Screenshot


How Did this Page Get to the Top?

In simple terms by using "spam techniques." With JavaScript functions of a browser turned off the user would see a page like this:

Click To View Page with JavaScript Off


Redirection and Misdirection Over Time

Upon some of the first checks of these URLs our researcher noted redirects to the following
Russian web-site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFARussianWebSite-thumb.JPG
Click to enlarge ScreenShot

At first glance it might seem this could be a student prank merely playing search engine tricks. However,
after several days the same result redirected our researcher to a different website which is now “Adult DVD Download Network” IcooNet. The context and tone have now changed considerably. The tone is now commercial in intent but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAIcoonet-thumb.JPG
Click to enlarge screenshot

In this example our research term used was for FIFA, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and will be guided by the domain name, title and description.

From a legal context this is significant: US CODE: Title 18,2252B. Misleading domain names on the Internet, from law.cornell.edu.

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file


We Just Wanted the World Cup

In the sample query illustrated by the packet logs above our researcher, searching for “FIFA World Cup 2006”, finds a tainted Blogspot site and clicks-thru. The log documents the various redirects which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and re-direction system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions it is reasonable the user will feel confident to click-thru.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering- the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

http://blog.spywareguide.com/upload/2006/07/3of10BlogSpotURLsinFirstpageoftheMSNResult-thumb.JPG
Click To Enlarge Image


Past History of Problems

It should be noted that while unable to document any exploit behavior with the software page of the pornographic content, it has a well documented history of problematic behavior from numerous third party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec. and on Super AdBlocker on xpassman-v3 for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows additional security software will be added, updates can be made, and home page will be change among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable among the EULAs displayed, using our automated readability analysis demonstrates above 12-Grade Reading Level skills needed to understand the document based on various readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index:Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

Inspecting the inside of the source code of the blog entry, we noted a JavaScript calling a function decode().. We noted there was no simple redirection code found from the page source code at first glance. We also noted only the random numbers stored as a string. Function name itself decode, which was the hint to decode the whole function. Let us take a look at the original source code:

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScript-thumb.JPG
Click to Enlarge Screenshot


Now let us examine the screenshot of the "decoded" code:



http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScriptDecoded-thumb.JPG
Click to Enlarge Screenshot


Explanation of Code:
The code says if the blog is referred by any of the following major search engines:

Google
MSN
Yahoo
AOL
Ask
Altavista

Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls into action the redirection system. Therefore, the writer of this code is actively looking to intercept search traffic and move it somewhere else and the code writer is doing this with obvious intent.

However, if the blogspot address is only pasted or typed into the address bar of the IE browser it will redirect to MSN search result with the keyword "World Cup 2006". As we know from the above search result screen capture 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of the entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because top ten entries can and do change dynamically beyond control of users.

Controlling the Deceit

In this case there is no need to change the source code of the page because the operator of toptravel10 domain has set-up a complex server-side, auto-rotation system of unknown make-up. The tainted Blogspot URLs used the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator. The Blogspot URLs will to open this page when called. At this point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant and links to different URLs over a given period of time. In this entry the researcher was referred to a Russian Web-site, second ICOONet(Adult DVD Downloader), and now the mediator links to VideoGalleries which in turn offers adult oriented software.

It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.


Why Use Blogspot?

Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman’s concern about blogspot will help us understand why this case is important. From his article:

“...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.


Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The logical reasons would probably be most of the Windows based O/S use default redirection to MSN search and/or the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:

http://worldcup2006z.blogspot.com
http://footballwordcup2006.blogspot.com
http://fifaworldcup2006-.blogspot.com
http://-fifaworldcup2006.blogspot.com

(Note: After contacting Google last week- these are now offline!)

.Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

List of the following blog URLs for the keyword "AIRLINE TICKETS".

http://airlineticketsz.blogspot.com
http://cheapairlineticketsz.blogspot.com

Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords were used to trick a user to open a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights' or lured users with a fake video over a 'disputed call' or 'insider interview' cobbled together from pirated video footage? The user, now contextually targeted would probably click and any number of hostile scenarios could be played out. The attack would only limited by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.


Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher


Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.