News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
Google Image Poisoning Leads to Exploit
Posted by Xue Yang on 21 April 2011 01:42 PM


Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.



Websense Security Labs Threatseeker® network has detected that Google Image search returns poisoned pictures when searching on celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.




The search results for "Presley Walker" through Google Image:





Let's take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.


Below is one of the redirection chains used by this exploit kit:


From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploited sites are hosted on the same IP, and interestingly, they constructed it with the same path named TF19, which looks like a pattern of this campaign. At last it will trigger appropriate vulnerabilities targeted by this exploit kit according to the user's operating system and browser. From the chain above we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection.


The list of URLs hosted on the IP, as shown from our Threatseeker network:



Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.


The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.


 The rogue AV page when using Firefox to surf the Web:









Read more »


I wonder how much longer rogue AV will ride the wave of major news?  Having recently blogged about Rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be blank pages from the Black Hat SEO we noticed yesterday.  Websense customers are continually being protected against this attack through our Advanced Classification Engine.


In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, being election day itself.  This particular attack is browser-aware, as the threats are specific to the browser being used.   



Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content.  The main differences from what we noticed in the previous attack are that no URL is provided in the "script : if (navigator:userAgent.indexOf("MSIE")<0)var url= "http:" part, and in addition the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.


Let's start off with the first of the malicious candidates in the rogue AV election Adobe Flash update.  This is specific to Internet Explorer 8, and when the link is activated, the unsuspecting user gets a prompt to install fake Macromedia Flash Components, claiming this is required to view the web site.



The second malicious component, which masquerades as a Firefox update message, is - as can be guessed - specific to Firefox browser users.



As shown above, the user again gets prompted to update Flash player, but this time specific to Firefox.


With all other browsers, we notice it just redirects to the same site for the rogue AV download page we noticed yesterday.


As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update and Firefox Flash update was about 27.9% as confirmed by VirusTotal.



Read more »