Franklin Veaux (tacit) wrote,
Another day, another new computer virus distribution technique

I've spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I've made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they've built an elaborate underground computer network to funnel traffic to virus-infected Web sites.

Along the way, they've changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it's slowed to a paltry trickle...at any given time these days, there are only a couple hundred hacked Web sites living on iPower's servers. When the post about iPower first went live last December, I was flooded with emails from folks saying "My Web site is hosted by iPower and I've been hacked!" and I even got two phone calls from iPower customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I'm not gonna tell you what it is.)

The interesting thing about this particular computer gang is their adaptability. They're constantly changing targets, and as time goes on their underground network grows larger and more resilient.

In the past, they've planted redirectors to malware sites on hacked Web servers, they've exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they've set up fake Facebook profiles that redirect visitors to virus-infected sites, and they've even created fake Google Groups to direct traffic to virus sites.

In the past couple of weeks, though, I've seen a whole new approach, and it's all about exploiting open redirectors.


Many Web sites use "redirectors." A redirector is a small program on a Web server whose only job is to send you somewhere else: you call it with a destination URL, and it answers with an HTTP redirect (a "302 Found" or similar response whose Location header points at the destination), so your browser goes there instead.

Now, let's say you own a Web site or a blog or something. You probably know that there is an HTML tag you can use to create a link to somebody else's Web site. If you wanted to put a link in your blog or on your Web site that leads to Yahoo, for example, you would write something like

<a href="http://www.yahoo.com">Click here to visit Yahoo!</a>

Sometimes, though, this isn't good enough. What if you want to count the number of times that people click on a link, either to track ads on your site or to get a feel for what kind of link your audience is interested in? What do you do then?

One solution is to put a redirector on your site. You pass it a link you want to send folks to, and it sends them there but also counts the number of people who have clicked on that link. So if you own www.mybigsite.com, instead of doing this

<a href="http://www.yahoo.com">Click here to visit Yahoo!</a>

you might do this

<a href="http://www.mybigsite.com/redirector.php?target=www.yahoo.com">Click here to visit Yahoo!</a>

So when someone clicks on the link, they are taken to your redirector, and your redirector counts the click and then sends them off to Yahoo.

Lots and lots of sites do this. AOL does this; sites that care about measuring clicks do this; news sites do this (to see which news articles are the most popular); you can even download a WordPress plugin to do it on your blog, so you know how many people are visiting the links that you talk about.

It's easy to write a little redirector to do this. In fact, it only takes a few lines of code; if you know anything about Web programming, you can write a redirector like this in less time than it has taken me to explain what it does.

And, unfortunately, most folks who write these things don't think about, or even know about, security.

Lately I've been seeing a great many Google links to malware sites that take advantage of other people's redirectors. Malware writers have a couple of problems, one of them being the fact that Google will occasionally put a "This Site May Harm Your Computer" warning on any link to a known malware site.

So what to do about it?

One thing I've seen is the virus writers placing links to malware on their servers that use other people's redirectors to direct traffic to the virus-infected sites. Instead of putting

www.virussite.com

into Google and hoping people click on it, they instead put

www.somerespectednewscompany.com/redirector?target=www.virussite.com

into Google. Anyone who clicks on the link will end up visiting the virus site. Google will not flag the link with a "this site may harm your computer" warning, because as far as Google is concerned it is a link to a respected news company: the hostname in the URL is the news site's, and the real destination is buried in the query string.

Furthermore, since Google treats the link as belonging to a respected news company, the poisoned link shows up not only in Google searches but in Google News as well!

I've seen many malware links that work this way, some of which exploit insecure redirectors on sites that ought to know better. A handful of such links I've seen include:

*** WARNING *** WARNING *** WARNING ***
These links are live as of the time of this writing. They will take you to sites that try to install computer viruses on your computer. DO NOT visit these links if you do not know what you are doing!

http://www.nola.com/cgi-bin/nph-redirect.cgi?LOCATION=http://megaatom.net%2Fin.php (uses an insecure redirector on the New Orleans Times-Picayune Web site)

http://www.xlsoft.com/cgi-bin/banner.cgi?link=megaatom.net%2Fin.php (uses an open redirector on a site that, among other things, offers--get this--computer security services)

http://ezproxy.uwc.edu/login?url=http://megaatom.net/in.php (uses an open redirector at the University of Wisconsin; many colleges and universities, including Stanford University, have similar open redirectors)

Now comes the rant.

Folks, if you use a redirector anywhere on your site, it is *** ABSOLUTELY *** *** IMPERATIVE *** that your redirection script refuses to send visitors to arbitrary destinations. At the very least, check the browser's Referer header to make sure the click came from a page on your own domain.

I cannot stress this enough. This is easy to do; it takes one, or at the most two, lines of code. You MUST do this.

That way, if someone clicks on a Google link to your redirector, it won't work: the Referer on such a click is google.com, not your site.

One caveat a redirector author should know: the Referer header is supplied by the browser and is not something you can rely on. Many browsers and privacy tools strip it, a scripted client can set it to anything, and it says nothing about whether the destination is safe. A Referer check blocks the search-engine abuse described here, but it will also break the link for legitimate visitors whose browsers don't send the header. The stronger fix is to refuse any target whose host is not on a short list of sites you actually link to, or, better still, to pass the redirector an ID that it looks up in a table of links you control, so the destination never appears in the URL at all.

This is a simple, easy thing to do. Yet many, many people do not do it, and as a result, they unwittingly allow their redirectors to be hijacked to poison Google results and spread computer viruses. One particularly notorious offender here, which I've seen abused in exactly this way, is the WordPress plugin called OZH Click Counter. The purpose of the plugin is to track link popularity, but it is vulnerable to this kind of abuse.

If you own a WordPress blog, I strongly, strongly recommend that you DO NOT install the OZH Click Counter plugin, or any similar plugin that uses an insecure redirector. I've seen many examples of Google links to malware droppers that take the form

www.somewordpressblog.com/content/go.php?http://www.somevirussite.com

It doesn't matter how obscure your site is. If you have an open redirector on your site, sooner or later it will be abused; the hackers use automated tools to search the Web for such redirectors.
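To make the explanation above and the rant concrete, here is the "few lines of code" click-counting redirector beside a hardened one, as an added example. This is not the author's code and not the code of OZH Click Counter or any other plugin; the host www.mybigsite.com and the ?target= parameter come from the post's own illustration, while the allowed-destination list, the function names, the placeholder virus hostname from the post and the sample requests are assumptions constructed for the example. It shows the Referer check the rant recommends, where it stops a click from a search result and where it does not, and a destination allowlist that is checked the way a browser will actually read the URL.

```python
"""Click-counting redirector, open and hardened.

Added example (not the post author's code and not any WordPress plugin's).
Assumptions: the site is www.mybigsite.com and the endpoint takes ?target=
as in the post's illustration; the allowed-destination list, the function
names and the sample requests below are constructed for this example.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit, urlunsplit

OUR_HOST = "www.mybigsite.com"                        # assumed: the site running the redirector
ALLOWED_HOSTS = {"www.yahoo.com", "www.example.org"}  # assumed: the sites we actually link to
click_counts = Counter()                              # stands in for the plugin's click table


def _target_from(query_string):
    """Pull ?target= out of the query string (parse_qs undoes %2F and friends)."""
    return parse_qs(query_string).get("target", [""])[0]


def open_redirect(query_string, headers):
    """The 'few lines of code' redirector: count the click and send the visitor
    wherever ?target= says.  Returns (status, location).  It looks at nothing
    but the query string, so anyone who can plant a URL in a search engine
    can use it; `headers` is accepted only to match safe_redirect's shape."""
    target = _target_from(query_string)
    if not target:
        return 400, None
    if "://" not in target:          # the post's links pass bare hostnames
        target = "http://" + target
    click_counts[target] += 1
    return 302, target


def referer_is_ours(headers):
    """The check the post recommends: did the click come from one of our pages?
    It blocks a click straight from a search result (Referer is google.com),
    but the header is browser-supplied: often stripped, trivially forged by a
    scripted client, and silent about whether the destination is safe."""
    referer = headers.get("Referer", "")
    return urlsplit(referer).hostname == OUR_HOST


def normalize_target(target, allowed_hosts):
    """Return an absolute http(s) URL whose host is on the allowlist, else None.
    Parsed the way a browser will read it, so the usual tricks fail:
    //evil (scheme-relative), ours@evil (userinfo), ours.evil (lookalike),
    ours\\@evil (backslash, which browsers treat as '/'), javascript: schemes."""
    candidate = target.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return None
    if not candidate.lower().startswith(("http://", "https://")):
        candidate = "http://" + candidate          # same bare-hostname convention as above
    try:
        parts = urlsplit(candidate)
        host, port = parts.hostname, parts.port     # .port raises on 'javascript:alert(1)'
    except ValueError:
        return None
    if not host or parts.username is not None or parts.password is not None:
        return None
    if host not in allowed_hosts:                   # .hostname is already lower-cased
        return None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def safe_redirect(query_string, headers):
    """Hardened redirector: only destinations on ALLOWED_HOSTS get a 302.
    A referer_is_ours() check can be layered on top, but it is not the fix."""
    destination = normalize_target(_target_from(query_string), ALLOWED_HOSTS)
    if destination is None:
        return 400, None
    click_counts[destination] += 1
    return 302, destination


if __name__ == "__main__":
    # Constructed requests: a legitimate click, and the shape of the poisoned
    # links in the post (placeholder hostname taken from the post).
    good = "target=www.yahoo.com"
    bad = "target=http%3A%2F%2Fwww.somevirussite.com%2Fin.php"
    from_google = {"Referer": "http://www.google.com/search?q=mybigsite"}
    from_us = {"Referer": "http://www.mybigsite.com/blog/"}
    print("open   :", open_redirect(good, from_google), open_redirect(bad, from_google))
    print("referer:", referer_is_ours(from_google), referer_is_ours(from_us))
    print("safe   :", safe_redirect(good, from_google), safe_redirect(bad, from_google))
```

The open version happily issues a 302 to the virus site; the allowlisted version returns 400 for it, and also for the scheme-relative, userinfo and lookalike-host variants that a naive string comparison against "www.yahoo.com" would let through. Backslashes are folded to slashes before parsing because browsers do the same, so the redirector and the browser agree on which host the URL names.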
Tags: computer security, computer viruses