
Hackers Use Twitter API To Trigger Malicious Scripts

   11 Nov 09   Filed in Website exploits

To improve my Unmask Parasites online service I regularly visit compromised sites and analyze malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative and I learn new tricks every week.

Today, I’ve found an interesting obfuscated script that used the Twitter API to trigger a malicious process.

Here’s the story

In Unmask Parasites logs I noticed a site that reported the following script (I removed a lot of code in the middle):

$a="Z64dZ3dZ22q|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb ... }eval(z($a));

The first round of deobfuscation produced another obfuscated script that contained one part in clear text. That part injected a script tag that fetched the current week’s top 30 trending topics from Twitter using their API. Here’s the injected code:

<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' />
<script language=javascript src='http://search.twitter.com/trends/weekly.json?callback=callback&exclude=hashtags'></script>

This looks pretty benign. Could the rest of the script be benign too? After all, sometimes webmasters use legitimate obfuscated scripts (e.g. to protect intellectual property or to hide some data from screen scrapers).

However, the way the script was obfuscated and the place in the HTML code where it was injected (right after the closing </html> tag) suggested that it didn’t belong to the site and was trying to do something malicious. So I continued the deobfuscation.

After a few more rounds, I finally discovered a call to the “fbcmfir .com” site, which Google lists as suspicious. The domain name is currently parked and shouldn’t be able to serve malicious payloads, but a few months ago this attack was active and, according to this Wepawet report, it served two exploits that used vulnerabilities in AOL’s SuperBuddy ActiveX and Apple QuickTime.

Twitter API in the malicious script

What makes this script interesting is the use of Twitter API.

1 It makes the whole script look less suspicious after the first round of manual deobfuscation.

2 In the obfuscated script, the function that does all the bad things is not explicitly called anywhere. This can prevent scanners that follow execution paths from detecting the malicious code. To call the malicious function, hackers use the “callback” feature of the Twitter API. They pass the name of their function as the callback parameter: ...weekly.json?callback=callback... As a result, Twitter returns JavaScript that explicitly calls the hacker-defined function, passing the trend data as the incoming parameter of that function, which triggers the malicious iframe injection.
callback({"trends":{"2009-11-03":[{"name":"Halloween","query":"Halloween"},...]},"as_of":1257850226})

3 Hackers could simply ignore everything Twitter passes to the callback function, but they found a creative way to use Twitter trends. The fbcmfir .com domain is used as the default source of badness. At the same time the malicious script tries to use a new domain name every day. They use a very elaborate algorithm to construct new domain names based on multiple parameters such as the current day, month and year. To make the domain name generation less predictable, they use the character code of the second character of the Twitter search that was the most popular two days earlier. This way they have one day to register a new domain name that will be active the next day.

For example, today is November 11, 2009. Two days ago the most popular Twitter search was “Jedward”. The second character is “e” and its code is 101. The hacker’s algorithm will generate the “ghoizwvlev .com” domain name.

Here are a few more examples of generated domain names: abirgqvlev .com, fgxhzgvlev .com, abxhcgvlev .com (in November they all end in lev). As you can see, the generated domain names are almost guaranteed to be available for registration.

However, something went wrong for the hackers and this attack seems to be inactive now. I checked many generated domain names and only one of them was actually registered (the site currently reports internal errors though). I guess the approach was too laborious – you have to keep track of Twitter top searches and manually register and configure new domain names every day. At the same time this approach gives security organizations the same timeframe to blacklist tomorrow’s malicious domain names.

Nonetheless, this is probably the most creative malicious script I’ve seen so far. Luckily for us, it was not very well thought out. (BTW, the domain name generation algorithm is buggy – it fails on certain days. Looks like bugs are pretty common in hacker software.)

To webmasters

1 At this point I don’t have reliable information about this attack, but it’s always a good idea to scan your local computers for malware and then change FTP passwords.

2 If you find anything in your web pages that you don’t remember putting there, treat it as suspicious. This is especially true if the strange code is outside of the <html>…</html> block (a sign that the code was added by someone who is not familiar with your site). And don’t be fooled by well-known names such as Google, Yahoo or Twitter. It’s your site, and only you have the right to modify it.
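The two warning signs discussed in this post (a function that is defined inline but only ever reached through the callback parameter of an external JSONP script, and markup sitting after the closing </html> tag) can both be picked up with a small static check. The following is an added example written for this post, not code from the original article or from any scanner; the sample page it inspects is constructed to imitate the injection pattern described above (the hidden image and the weekly.json script tag), with a harmless stand-in for the injected function body. The regex-based parsing is deliberately simple and will miss heavily obfuscated declarations; it is meant to show the logic, not to replace a real scanner.

```javascript
// Added example (not from the original post): a minimal static checker for
// (1) content after the closing </html> tag and (2) inline functions whose only
// entry point is a JSONP "callback=" parameter on an external script.

// Constructed sample page. The injected function here only records the data
// it receives; the real script's body is not reproduced.
const SAMPLE_HTML = `<html><head><title>Sample</title></head>
<body><p>Legitimate page content.</p></body></html>
<script>
// stand-in for the injected code: declared here, never invoked directly
function callback(trends) { window.__seen = trends; }
</script>
<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' />
<script language=javascript src='http://search.twitter.com/trends/weekly.json?callback=callback&exclude=hashtags'></script>
`;

// Browsers still render anything after </html>, but no authoring tool puts
// markup there. Returns the trailing content, or null if there is none.
function contentAfterHtmlClose(html) {
  const m = /<\/html\s*>/i.exec(html);
  if (!m) return null;
  const tail = html.slice(m.index + m[0].length).trim();
  return tail.length ? tail : null;
}

// Bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// External scripts whose URL carries a JSONP-style callback parameter.
function jsonpLoaders(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1];
    const cb = /[?&]callback=([A-Za-z_$][\w$]*)/.exec(src);
    if (cb) {
      let host = 'unknown';
      try { host = new URL(src).hostname; } catch (_) { /* relative or malformed URL */ }
      out.push({ src, callback: cb[1], host });
    }
  }
  return out;
}

// Names of functions declared in inline scripts (declarations and
// `var/let/const name = function` assignments).
function declaredFunctions(scripts) {
  const names = new Set();
  const re = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(|\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*function\b/g;
  for (const body of scripts) {
    let m;
    while ((m = re.exec(body)) !== null) names.add(m[1] || m[2]);
  }
  return names;
}

// True if `name(` appears in inline code anywhere other than its own declaration.
function calledDirectly(scripts, name) {
  const esc = name.replace(/[$]/g, '\\$');
  const call = new RegExp(`(?<!function\\s+)\\b${esc}\\s*\\(`);
  return scripts.some((body) => call.test(body));
}

// Combine the checks into a list of findings for a page.
function analyze(html) {
  const findings = [];
  const tail = contentAfterHtmlClose(html);
  if (tail) findings.push({ kind: 'content-after-html', detail: tail.slice(0, 60) });
  const scripts = inlineScripts(html);
  const declared = declaredFunctions(scripts);
  for (const loader of jsonpLoaders(html)) {
    // A function that exists only to be invoked by a third-party JSONP
    // response is exactly the "no explicit call anywhere" pattern.
    if (declared.has(loader.callback) && !calledDirectly(scripts, loader.callback)) {
      findings.push({ kind: 'jsonp-only-entry-point', callback: loader.callback, host: loader.host });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyze(SAMPLE_HTML), null, 2));
```

Run with `node` and the sample page produces two findings: the content after </html> and the `callback` function that is reachable only through the search.twitter.com script. A page where the declared function is also called directly, or where nothing follows </html>, produces none.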

Have your say

What are the most creative malicious scripts you’ve seen? Or maybe the most deceptive? Any comments are welcome.

By the way, not only hackers use Twitter. You can find and follow me on Twitter! ;-)

Reader's Comments (5)

  1. |

    What you have found is Mebroot aka Sinowal or Torpig. This malware has been using Twitter’s trends for months.

    http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html

  2. |

    [...] to the feed by email. You can also follow us on Twitter. Powered by WP Greet Box. The team at Unmaskparasites does a very good job of detecting suspicious sites. They also analyze all [...]

  3. |

    [...] Hackers Use Twitter API To Trigger Malicious Scripts, Unmask Parasites [...]

  4. |

    [...] This post was mentioned on Twitter by Denis and Silvia, Tips, Tools, Status. Tips, Tools, Status said: Hackers Using Twitter API To Trigger Malicious Scripts: http://j.mp/3wv1F2 –Share: http://bit.ly/2SKei1 [...]

  5. |

    [...] Hackers Use Twitter API To Trigger Malicious Scripts | Unmask Parasites. Blog. [...]