Monday, August 22, 2011

Website hijack example: from Brigham Young to Romaina and Belarus

update: I informed Brigham Young of the issue which was fixed for a time but now the cfacbeta site redirects again. I also submitted the tobmarket.com and business-download.com domains to hpHosts but soon after this the attacker changed the store front address to index-downloads.com. This is standard practice for malicious actors, as soon as a domain gets too hot it is easy to switch it a clean domain. This is what the intermediary controller at tobmarket.com is for.

As Zscalar pointed out there was a large campaign of .EDU web hijacking earlier this year. The purpose of the hijacking was to redirect users to fake online stores that purport to sell heavily discounted commercial software using techniques similar to those used to route people to fake online pharmacies. An excellent paper on the fake pharmacy problem was recently published by researches at the University of Cambridge.

Let's take a closer look at this, starting with the fake software stores. Here are some of the top 10 results from a Google search for “buy windows 7” in early August 2011. The red arrows indicate two fake stores which have made it into the top 10. The second one, cfacbeta.byu.edu, is a web hijack.


A more refined Google site search shows that many cfac.byu.edu pages are redirected.

 
cfac.byu.edu is the home page of the College of Fine Arts and Communications at Brigham Young University and from the look of the below page they have been working on upgrading their site and in the process may have inadvertently opened themselves up to an attack. 

Down the rabbit hole

A web hijack starts by an attacker compromising a web server and altering the site code so that users are unknowingly redirected to the attackers' website. Let's look at what happens when a user visits a compromised site.

If the Google result above is clicked, the below sequence of six HTTP packets is generated between the client and server. HTTP packet 2 redirects the user to tobmarket.com, a re-director/controller, which as shown in HTTP packet 4, redirects the user to business-download.com, the final shopfront site. If a user visits the cfacbeta.byu.edu site without clicking through Google they will see the actual site. The redirection is only triggered when the correct referer field and search terms are present within the HTTP GET request. The minimal string which triggers the redirect is.

Referer: http://www.google.com/search?q=windows

HTTP packet 1: Client to Server

GET /departments/tma/fulton-chair-menu HTTP/1.1
Host: cfacbeta.byu.edu
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: SESSb3f40867ca15d6a84ab81b0c22a576f9=d4e0d99e5fe575e3ad399de82051dec2; transpass=385f37072a55969b1d8b294e88720b3e8ba49f63; has_js=1
If-Modified-Since: Mon, 15 Aug 2011 16:58:05 GMT

HTTP packet 2: Server to client, redirect to tobmarket.com via 302 Found

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 17:14:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.10
Location: http://tobmarket.com/in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword=
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

HTTP packet 3: Client now contacts server tobmarket.com

GET /in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword= HTTP/1.1
Host: tobmarket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: SL_5_0000=_1_

HTTP packet 4:Server to client, second redirect this time to business-download.com

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 17:12:58 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: SL_5_0000=_1_; domain=tobmarket.com; path=/; expires=Tue, 16-Aug-2011 17:12:58 GMT
Location: http://business-download.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=CP-1251

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://business-download.com'">
</head>
<body>
document moved <a href="http://business-download.com">here</a>
</body>
</html>

HTTP packet 5:Client now contact business-download.com

GET / HTTP/1.1
Host: business-download.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt

HTTP packet 6:Server to client, setting a cookie.

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 15 Aug 2011 17:14:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt; path=/
Content-Encoding: gzip


Visting the site tobmarket.com directly triggers a HTTP connection:Close packet while visiting tobmarket/in.cgi triggers the redirection to business-download.com. The registrar for tobmarket.com is Ukranian firm ukrnames.com and Whois information is masked by a privacy service. As of August 2011 the domain resolves to 95.64.58.238, a machine hosted by Voxility of Romania.


Upon clicking through business-download.com to the checkout pay site, we are sent to https:private-pay.net.


As shown above they have used SSL to make the site seem more legitimate, the site is using a real certificate issued by Certificate Authority RapidSSL/GeoTrust Inc in the United States. Many Certificate Authorities do only minimal checks on their clients so the possession of a certificate really means nothing anymore. Below is RapidSSL's home page, they make it very easy to get a certificate!
 
Whois information shows that business-download.com was registered by planetdomain.com with the fake contact details below.

Owner, Administrative Contact, Technical Contact, Billing Contact:
      Isabelle Franchet (ID00467503)
      6 Rue de la Republique
      Avignon, Provence 84000
      FR
      Phone: +33.490864978
      Email: curve@cutemail.org
 
As of August 2011 business-download.com resolves to 213.152.172.90 which also hosts business-download.net,download-sale.net and luxury-customer.net and the supposed pay site private-pay.net. All of these actually host the same fake software store.

The controller/re-director domain tobmarket.com was issued by ukrnames.com of Ukraine and has anonymous Whois records. The domain is hosted at IP address 95.64.58.238 located in Romania. This IP address also hosts the-first-five-pages.com which redirects users to tobmarket.com. Whois information for the-first-five-pages.com reveals that it too was registered with ukrnames.com but this time we are given the contact details below.

Registrant:
Vitalij Shorikov mboga12@yahoo.com
Nagornaya,78
Gomel, 246015
BELARUS
+375232724839

Now for some Google searching

Search on cutemail.org

cutemail.com is a webmail service operated by SafetyNet Systems Ltd of the UK but cutemail.org does not resolve to anything though the domain is registered with FastDomain.com. A search on cutemail.org reveals that @cutemail.org addresses have been used to register numerous malware and web hijack campaign sites including recent fake AV, money mule recruitment and fake online drug stores.

Search on +33.490864978

Reveals this to be the fax number for a hotel in France!

Search on Vitalij Shorikov, mboga12@yahoo.com or +375232724839 (actually normalized to +375.232724839)

This reveals two other domain names registered using this contact information.

belkonvert.net IP address 91.226.78.9
This is a HTTrack Website Copy of belkonvert.com. Belkonvert.com is a legitimate business site for a Minsk,Belarus advertising company. No other hosts were at this address.

tdsfree.org IP address 91.217.153.46
This returns a HTTP 403 forbidden message but this IP address also hosts the following sites.

dorotydiary.org
com-watch-id181222ooo.info
casinonewsblog.org
bradpittfanclub.org

Both bradpittfanclub.org and dorotydiary.org have recently been flagged as involved in malware distribution and fake AV campaigns as the below results from Malware Domain List show.
 
And from hphosts we can find that the whole of ASN 41390 91.217.153.0/24 RN-DATA-LV RN Data, SIA is riddled with malware sites

So there we have it, clicking on a Brigham Young University page takes a visitor on a unexpected trip to Romania  and Belarus! Following the threads further has lead us right into a nest of malware domains at 91.217.153.0/24

Be careful out there on the interwebs.....

Posted by at 4 comments:
Labels:

Wednesday, August 17, 2011

A little analysis on that Zugo toolbar

Related names: StartNow, Whitesmoke, Babylon, HyperBar, Zugo, toolbar
Threat: low
Main artifacts: Browser toolbar installed and home page set
Main install vector: Surreptitious install by affiliate with little or no notice to user.
Company behind all this: Zugo Services Ltd of London
How to remove: See this link.

Introduction

The Zugo toolbar for web browsers, a Zugo Services Ltd product, is an annoying adware product that often gets installed on users computers in a surreptitious manner. The product is included within other software and during install the user may only be given limited information on the toolbar installation or, worse, no information at all. According to GFI Software, Zugo Services Ltd has a large affiliate network with affiliates being payed up to $1.50 per install. There is little oversight of affiliates by Zugo which have every incentive to obtain the largest possible number of installs by whatever means necessary.

Zugo's default toolbar is StartNow though Zugo has also created toolbar products for other companies, including Whitesmoke and Babylon. Once installed, the software will change the user's home page and relay search information to the Zugo infrastructure to allow the placement of targeted advertising. An earlier version of this product was known as the StartNow HyperBar.

An example is provided by the website adlsoft.net which hosts a number of free download utilities, all of which install the toolbar. Interestingly adlsoft.net resolves to the same IP address as zcode.biz, a host that the toolbar installer contacts suggesting that the adlsoft site was established to drive installs of the toolbar.

Intro paragraph on adlsoft.net
Incidentally this site has taken the free download version of Systweak's Advanced System Protector and re-packaged it to include the StartNow Toolbar.
adlsoft.net with Systweak software for download

Here is the install screen of one of the products, in this case a decompression utility.
Uncompressor install screen
Though the screen does mention that another product will be installed, the language could very easily be missed. Liberal use is made of the “Bing” name rather than the StartNow name. It looks almost as though it was designed to be overlooked.

Interestingly, when you install the software without an Internet connection, a different install screen appears(see below). There is now a reference to the Babylon toolbar which is a different Zugo toolbar product.
Uncompressor install screen showing Babylon toolbar

In contrast, below is an example of best practice in toolbar installation. This is the screen an Adobe installer will give you before installing the Google toolbar. Nice and clear.
Adobe Googler toolbar install

Tracking the install
z-silent starts!
 Once the utility installer is executed two files are downloaded via HTTP on port 80, a tiny token file and an executable named z-silent.exe(why name this silent Zugo folks, a little spooky no?). Z-silent.exe is a Nullsoft NSIS installer for Zugo products signed by Zugo Ltd. The HTTP GET commands are as follows.

HTTP GET sent to 204.232.212.106

GET /getCountry/ HTTP/1.0
Host: zcode.biz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 02 Aug 2011 14:23:12 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 2
Connection: close
Content-Type: text/plain; charset=UTF-8
US

HTTP GET sent to 184.25.108.35

GET /z-silent-2804.exe HTTP/1.0
Host: c194738.r38.cf1.rackcdn.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

z-silent is then started with the following command.

z-silent.exe /S /CHANNEL="2_6" /TOOLBAR /DEFAULTSTART /DEFAULTSEARCH

z-silent now does a number of things including the following.
  1. Disables proxy use and Internet connection auto configuration scripts.
  2. Calculates a unique user globally unique id(guid) and machine id.
  3. Installs the StartNow toolbar software to Program Files/Startnow Toolbar
  4. Registers StartNow as a Browser Helper Object, Internet Explorer will now run with Toolbar32.dll
  5. Spawns the toolbarupdateservice process
  6. Registers the install with remote infrastructure via HTTP GET.
Most registry and file activity is routine,however, the following keys are deleted. This disables proxy use and auto configuration scripts.

HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyServer
HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyOverride
HKCU/Software/Windows/CurrentVersion/Internet Settings/AutoConfigUrl

z-silent and most of the various files it generates in the Temp directory during install are now deleted.

Interestingly registry activity includes a check for the existence of the key shown below. This is the first of three ties between Zugo Services Ltd and the company AfterDownload.com

HKLM/Software/AfterDownload

The second is that if the properties details tab of z-silent is examined it can be seen that both the File description and Product name fields have the value AfterDownload.

The following Internet traffic is generated during the z-silent install.

HTTP GET sent to 209.159.151.3

GET /getcountry?
pid=628
channel=2_6
bdate=20110802T091233
bversion=1.7
client=installer
action=tb_installed,sp_installed,ds_installed
user_guid=<removed>
Host: installer.zugo.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP GET sent to 209.159.151.3

GET /ztb/update?
partner_id=249
product_id=628
affiliate_id=
channel=2%5F6
toolbar_id=200
toolbar_version=2.0
install_country=US
install_date=20110802
user_guid=<removed>
machine_id=<removed>
browser=IE
os=Win
os_version=5.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tbupdate.zugo.com
Connection: Keep-Alive

Once the toolbar is installed information will be stored in cookies beginning with the following strings.

\Documents and Settings\Owner\Cookies\owner@www.startnow
Searches using the toolbar will send information to the Zugo infrastructure via HTTP GET requests as the following search for “football” shows. This information includes the operating system version, country of install and a globally unique machine id.

HTTP GET sent to 64.20.54.67

GET /s/?q=football
category=web
dummy_pn=Bing
partner_id=249
product_id=628
affiliate_id=
channel=2_6
toolbar_id=200
toolbar_version=2.0
install_country=US
install_date=20110802
user_guid=<removed>
machine_id=<removed>
browser=IE
os=win
os_version=5.1-x86-SP3
provider=bing
provider_name=bing
provider_code=Z082
src=startpage HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.startnow.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.startnow.com
Connection: Keep-Alive
Cookie:
sp_query_string=src startpage
provider Bing
provider_code Z082
partner_id 249
product_id 628
affiliate_id
channel 2_6
toolbar_id 200
toolbar_version 2.0
install_country US
install_date 20110802
user_guid <removed>
machine_id <removed>
browser IE
os win
os_version 5.1-x86-SP3

In contrast this is the information the real Bing toolbar sends back to Bing infrastructure.

GET /search?q=football
FORM=BB07LB
PC=BB07
QS=n HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
X-SearchRewards: brcv=18.0.2066.0[mi=4ef64220-fc5d-4894-9972-3dfef868b86f,HID=0,IID=781940d98b126d94fc80273927bd9c20,tc=1]
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)
Accept-Encoding: gzip, deflate
Host: www.bing.com
Connection: Keep-Alive
Cookie:
SRCHUID=V=2
GUID=<removed>
_SS=SID=<removed>
CW=555
CH=0
bIm=147; RMS=F=GgAg
A=AAAAAAAAAAAQAAAk; SRCHD=D=1896158
SM=1MS=1896158
AF=MSN005; SRCHUSR=AUTOREDIR=0
GEOVAR=
DOB=20110730; MUID=<removed>; _UR=OMW=1

Whitesmoke and Zugo

An example of how using Zugo's services can help a company comes from the public SEC filings of Whitesmoke. Whitesmoke offers a spelling and grammar correction software product and entered into an agreement with Zugo which resulted in significant benefits for Whitesmoke. From the SEC filing we have
the following.

"A significant portion of our revenues arise when end-users download a custom third-party toolbar for use with third-party websites, such as bing.com. In the United States, Zugo powers and operates this toolbar download process under a letter of intent with us, dated February 25, 2010. Under the binding letter of intent, Zugo agrees to perform at a specified service level to ensure, among other things, 99.9% uptime. Zugo pays us either a portion of the revenues or a per-download amount from toolbar downloads. Our letter of intent with Zugo may be terminated by either party with 24 hours notice. In November 2010 we entered into an amendment to the letter of intent with Zugo which amended certain payment terms."

Whois information and related entities

A whois search of zugo.com previously revealed that it is held by Zugo Ltd with a Jersey, Channel Island PO Box address. However, this recently changed to an anonymous entry.

Old zugo.com Whois record
Interestingly when the code signing certificate for z-silent is examed the subject field reveals a slightly different Channel Island address.

CN = Zugo Ltd
O = Zugo Ltd
STREET = PO Box 36
STREET = 1st Floor
STREET = 37 Broad St.
L = St Helier
S = Jersey
PostalCode = JE4 9NU
C = JE


Whois record updated Aug-2011, now anonymous


The domain zcode.biz from which z-silent downloads the GetCountry token is registered to an Omer Kaplan with a Tagore St,Tel Aviv, Israel. This person also founded the company AfterDownload.com and note that z-silent checks for the existence of an AfterDownload registry key. AfterDownload.com used to list the same name and Israeli address as zcode.biz in the whois database however this has recently changed to an anonymous entry. According their website, AfterDownload is “the first and largest CPC platform to provide effective display monetization for the entire download funnel.” It is likely that Omer and AfterDownload are acting as an affiliate of Zugo and being payed for each install.

The domain startnow.com is registered anonymously via Moniker Privacy Services and is hosted at IP address 64.20.54.67. The hosts installer.zugo.com, tbupdate.zugo.com and utrack.zugo.com resolve to IP addresses 209.159.151.2-4.

The domain adlsoft.net is registered anonymously via Domains by Proxy but interestingly it is hosted on the same IP address as zcode.biz, 204.232.212.106.
 
More on Zugo and a possible connection to porn company Inxio Ltd

Zugo Services Ltd is a registered UK company and a search of public UK records reveals that the company's physical address is

UNIT 5 UTOPIA VILLAGE,
7 CHALCOT ROAD PRIMROSE HILL
LONDON
NW1 8LH

The current CEO is Jeronen Seghers(see http://about.me/jeroenseghers) and a named director is a Mark Simon Hirschfield. Mr Seghers founded StartNow International (now dissolved).

Referral whois information reveals a connection between the IP addresses used by Zugo and the porn company Inxio Ltd. The IP address Zugo sends search query information to is 64.20.54.67 and the referral whois record below shows that the block 64.20.54.64/29 is registered to Inxio Ltd.


Referral whois record showing block registered to Inxio Ltd


Further the IP addresses utrack.zugo.com etc resolves to e.g 209.159.151.4 is also a member of a block registered to Inxio Ltd as the below record shows.
Referral whois record showing block registered to Inxio Ltd
In addition a simple Google search on the phone number Zugo Ltd supplied for it's whois record reveals that this number is also used as a registration contact for a large number Inxio porn websites(see below).


People

Jeronen Seghers, CEO Zugo Services Ltd, http://about.me/jeroenseghers
Mark Simon Hirschfield, Director Zugo Services Ltd.
Omer Kaplan, Founder of AfterDownload, http://il.linkedin.com/in/omerkaplan1

IP addresses, hosts and domains

IP address Hosts
204.232.212.106zcode.biz,adlsoft.net
209.159.151.2-4installer.zugo.com,tbupdate.com,utrack.zugo.com
64.20.54.67startnow.com
66.45.232.178zugo.com
184.25.108.35c194738.r38.cf1.rackcdn.com

Further information

Posted by at 4 comments:
Labels:
Subscribe to: Posts (Atom)