?

Log in

Previous Entry | Next Entry

I've spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I've made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they've built an elaborate underground computer network to funnel traffic to virus-infected Web sites.

Along the way, they've changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it's slowed to a paltry trickle...at any given time these days, there are only a couple hundred hacked Web sites living on iPower's servers. When the post about iPower first went live last December, I was flooded with emails from folks saying "My Web site is hosted by iPower and I've been hacked!" and I even got two phone calls from iPowewr customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I'm not gonna tell you what it is.)

The interesting thing about this particular computer gang is their adaptability. They're constantly changing targets, and as time goes on their underground network grows larger and more resilient.

In the past, they've planted redirectors to malware sites on hacked Web servers, they've exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they've set up fake FaceBook profiles that redirect visitors to virus-infected sites, and they've even created fake Google Groups to direct traffic to virus sites.

In the past couple of weeks, though, I've seen a whole new approach, and it's all about exploiting open redirectors.


Many Web sites use "redirectors." A redirector is a program on a Web server that is designed to send you somewhere else.

Now, let's say you own a Web site or a blog or something. You probably know that there is an HTML command you can use to create a link to somebody else's Web site. If you wanted to put a link in your blog or on your Web site that leads to Yahoo, for example, you would say something like

<a href="http://www.yahoo.com">Click here to visit Yahoo!</a>

Sometimes, though, this isn't good enough. What if you want to count the number of times that people click on a link, either to track ads on your site or to get a feel for what kind of link your audience is interested in? What do you do then?

One solution is to put a redirector on your site. You pass it a link you want to send folks to, and it sends them there but also counts the number of people who have clicked on that link. So if you own www.mybigsite.com, instead of doing this

<a href="http://www.yahoo.com">Click here to visit Yahoo!</a>

you might do this

<a href="http://www.mybigsite.com/redirector.php?target=www.yahoo.com">Click here to visit Yahoo!</a>

So when someone clicks on the link, they are taken to your redirector, and your redirector counts the click and then sends them off to Yahoo.

Lots and lots of sites do this. AOL does this; sites that care about measuring clicks do this; news sites do this (to see which news articles are the most popular); you can even download a WordPress plugin to do it on your blog, so you know how many people are visiting the links that you talk about.

Its easy to write a little redirector to do this. In fact, it only takes a few lines of code; if you know anything about Web programming, you can write a redirector like this in less time than it has taken me to explain what it does.

And, unfortunately, most folks who write these things don't think about, or even know about, security.

A great deal lately, I've been seeing Google links to malware sites that take advantage of other people's redirectors. Malware writers have a couple of problems, one of them being the fact that Google will occasionally put a "This Site May Harm Your Computer" warning on any link to a known malware site.

So what to do about it?

One thing I've seen is the virus writers placing links to malware on their servers that use other people's redirectors to direct traffic to the virus-infected sites. Instead of putting

www.virussite.com

into Google and hoping people click on it, they instead put

www.somerespectednewscompany.com/redirector?target=www.virussite.com

into Google. Anyone who clicks on the link will end up visiting the virus site. Google will not flag the link with a "this site may harm your computer" warning because to Google, it's a link to a respected news company.

Furthermore, since Google thinks the link belongs to a respected news company, not only does the poisoned link show up in Google searches, it shows up in Google News as well!

I've seen many malware links that work this way, some of which exploit insecure redirectors on sites that ought to know better. A handful of such links I've seen include:

*** WARNING *** WARNING *** WARNING ***
These links are live as of the time of this writing. They will take you to sites that try to install computer viruses on your computer. DO NOT visit these links if you do not know what you are doing!

http://www.nola.com/cgi-bin/nph-redirect.cgi?LOCATION=http://megaatom.net%2Fin.php (uses an insecure redirector on the New orleans Times-Picayune Web site)

http://www.xlsoft.com/cgi-bin/banner.cgi?link=megaatom.net%2Fin.php (uses an open redirector on a site that, among other things, offers--get this--computer security services)

http://ezproxy.uwc.edu/login?url=http://megaatom.net/in.php (uses an open redirector at the University of Wisconsin; many colleges and universities, including Stanford University, have similar open redirectors)



Now comes the rant.

Folks, if you use a redirector anywhere on your site, it is *** ABSOLUTELY *** ***IMPERATIVE *** that your redirection script checks the browser referrer to make sure the referrer is your domain.

I can not stress this enough. This is easy to do; takes one, or, at the most, two lines of code. You MUST do this

That way, if someone clicks on a Google link to your redirector, it won't work.

This is a simple, easy thing to do. Yet many, many people do not do it, and as a result, they unwittingly allow their redirectors to be hijacked to poison Google results and spread computer viruses. One particularly notorious offender here, which I've seen abused in exactly this way, is the WordPress plugin called OZH Click Counter. The purpose of the plugin is to track link popularity, but it is vulnerable to this kind of abuse.

If you own a WordPress blog, I strongly, strongly recommend that you DO NOT install the OZH Click Counter plugin, or any similar plugin hat uses an insecure redirector. I've seen many examples of Google links to malware droppers that take the form

www.somewordpressblog.com/content/go.php?http://www.somevirussite.com

It doesn't matter how obscure your site is. If you have an open redirector on your site, sooner or later it will be abused; the hackers use automated tools to search the Web for such redirectors.


Comments

( 14 comments — Leave a comment )
delphinea
Nov. 18th, 2008 07:24 pm (UTC)
Wow. Thanks for the warning about www.nola.com -- I go there frequently, so I guess I need to be a bit more careful.
lolitasir
Nov. 18th, 2008 08:02 pm (UTC)
Why do they do it? It takes a lot of work. what do they get out of it?
tacit
Nov. 18th, 2008 08:24 pm (UTC)
Money. Lots and lots and lots of money. Computer viruses and malware are big business, raking in huge amounts of cash for Eastern European organized crime.

The network is used to spread two different kinds of malware: the W32/Zlob computer virus, and fake antivirus software.

Zlob works by changing the domain name servers on an infected computer and pointing them to domain name servers in Eastern Europe controlled by Russian organized crime. If a person controls your domain name server, he has complete, unfettered access to everything you see in your browser. He can intercept your browser and redirect it to any site he chooses.

Several variants of Zlob exist. Some insert ads onto pages you view, or replace the ads on pages you view with ads placed by the Russian criminals. Others are more direct, and more evil; they look at the domain names you're trying to reach, and divert you to other sites (so for example, you can type bankofamerica.com into your browser's address bar and get diverted to a fake Bank of America site controlled by the hackers, and oyu'll never know it because your browser's address bar shows you to be at bankofamerica.com).

The other end points in their network run fake "virus scans" in your browser, then tell you that your computer is infected and download fake antivirus software. The fake antivirus software pops up warnings every few minutes alerting you to non-existent "infections" (and often makes your computer unusable), then tells you to unlock the software by paying $40 to make the alerts go away.

Computer security firm Panda Labs estimates that the fake antivirus software generates $15 million a month for Russian organized crime. Even if this estimation is exaggerated, it's still clear that this is a major cash cow for the malware writers.
addiejd
Nov. 19th, 2008 12:32 am (UTC)
I am so glad I added you as a friend. Your posts are awesome! I just sent a permanent link of this one to someone I know who uses wordpress. I also have the fake virus scan virus on my computer. My IT friend managed to get my laptop to work again, and right now the pop-up's just kind of irritating while I am backing up my hard drive for a reformat.
knaw
Nov. 18th, 2008 09:16 pm (UTC)
Give me redirection.
My LiveJournal page can be accessed by typing my personal domain, http://www.gavincruickshank.com.

Is that open to hijacking and if so, how do I make sure that it doesn't happen?
tacit
Nov. 18th, 2008 09:24 pm (UTC)
Re: Give me redirection.
No, domain-level redirection (where one domain points to another) is not subject to this kind of hijacking. The problem only occurs if you are running a redirector script on your server; for example, if

http://www.gavincruickshank.com/cgi/redir.cgi?www.livejournal.com

redirected to your site, then you'd have to make sure that the script named "redir.cgi" checked that the referrer was set to "gavincruickshank.com" before it redirected. But domain-based redirection, domain aliasing, and domain forwarding is a whole 'nother ball of wax.
knaw
Nov. 18th, 2008 09:51 pm (UTC)
Re: Give me redirection.
That's a relief, because I was given the domain as a present and I didn't want to waste it.

I find redirection scripts very annoying, mainly because it's fiddly to copy the correct URL.
tacit
Nov. 19th, 2008 02:25 pm (UTC)
Re: Give me redirection.
Redirection scripts *are* very annoying, and are sometimes written to obfuscate the redirection URL, which I find even more annoying. I don't know of any other way to count link clicks on a site, though.
tacit
Nov. 19th, 2008 02:24 pm (UTC)
Re: Am I doing it right?
That's the general notion!
(Deleted comment)
joreth
Nov. 19th, 2008 01:39 am (UTC)
I don't know if this is how tacit does it, but when I make a journal entry into LJ from the LJ webpage, I type in html into the Rich Text editor and it treats it like regular text, but when I type it into the HTML editor, it treats it like a command.

In the comments, however, it automatically goes into an html editing box, not a rich text. There are instructions for how to force an html page to treat html codes like text on Google, I just don't happen to have the URLs handy at the moment.
tacit
Nov. 19th, 2008 02:23 pm (UTC)
I do it by typing the HTML codes for the left and right angle brackets. The code for < is "&lt;" and the code for > is "&gt;".

If you want to put a Web address but you do not want LJ to turn it into a link, put <LJ-RAW> before it and </LJ-RAW> after it.
sageautumn
Nov. 19th, 2008 01:50 am (UTC)
I don't think I commented on the last post you did that was sort of like this... on making sure to look and see what comes before the first / ?

But I really really liked it... it's something is both useful and that I can learn how to do.
shevabree
Nov. 20th, 2008 11:38 pm (UTC)
A friend on my flist said something tried to download a virus from an ad he was viewing on LJ. Here is the post he made about it: http://claws-n-stripes.livejournal.com/397033.html thought you'd like to see.
( 14 comments — Leave a comment )