Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Hacked WordPress Blogs Poison Google Images

   05 Aug 11   Filed in Website exploits

After a series of posts about Google Image poisoning campaigns that used hot-linked images as their main trick to get top positions in search results, I’d like to describe a different Google Image poisoning attack that affects WordPress blogs and uses self-hosted images.

I found 4,358 self-hosted WordPress blogs that contained many (usually more than 100) doorway pages that redirected visitors coming from Google Image search to fake AV sites.

Those doorway pages can be easily identified:

Doorway URL pattern

They have the following URL pattern: hxxp://<hacked-wordpress-blog.com>/?[a-f]{3}=<keywords>, where [a-f]{3} is a combination of three letters “a” through “f” and <keywords> is a hyphen-separated combination of keywords that contains either the word picture or pictures. Here are some examples:

hxxp://example.com/?fef=pictures-of-mitzi-mueller-wrestling
hxxp://example.net/?cda=tropical-fruits-picture-index

Spammy image files

Doorway pages use the normal template of the hacked WordPress blog, but the original content is replaced with twenty-something “thumbnails” and short text snippets relevant to the <keywords> search.

The images are not hot-linked. Both thumbnails and links to “full-sized” images have URLs that look like this:

/?[a-f]{3}=<keywords><encrypted-key><short-name>.jpg

for example:

/?fec=pictures-of-blagojovich-arrested-Eun8671l43WGQNUa7rKWUdG/5d60kf6AQ4VM4KfPdbfaMro2PNRMVlYmniC50Kh6SJdwMkeSz7s19kggH0WT4j_AYuW36OEWyfkABshi/Tk5R16sYiKUfS8OJGDZ_K7p/WoYUNZZ_Q==uek.jpg

At the top of the images you can see an inscription: the domain name of the hacked site. In this way the criminals stamp the images so that they look like original content of that site rather than stolen images. At the same time, this artifact can help you identify poisoned image search results and avoid clicking on them.

[Image: the domain name seal at the top of the images]

The image files contain the following string: CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100. This means that they were created with the GD graphics library.

My understanding is that the hackers use a PHP script to fetch top-rated images (returned by a Google Images search), resize them to “thumbnail size” (width 200-300 pixels) and to “full size” (some random size, which may even be larger than the original image) and finally add the domain name stamp.

Timestamps

At the very bottom of the HTML code of the doorway pages you can see comments like this:

<!-- 7/24/2011 4:30:03 PM --><!-- new england railroad pictures -->

These are the generation timestamp and the targeted keywords (they match the <keywords> part of the URL), so you can easily see when each doorway was generated.

Redirects

The doorway pages rank quite well for some keywords both in Google Web search and Google Images search (especially when you search for exact phrases). However, the malicious redirects occur only when you click on Google Images search results, which proves that Google Images poisoning is the main goal of this black-hat SEO campaign.

The redirects have two stages. The first redirect goes to an intermediary server (a TDS, traffic direction system) that, in turn, redirects to a landing page that pushes a fake anti-virus tool (I’ve seen two different variations of the fake AV pages).

Here’s a real redirect chain:

302->hxxp://video.bywhy .com/?k=girdles+pictures&s=google&r=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2Fbcsmusic.me%2F%253Fbdd%253Dgirdles-pictures-Vyhynx%2FbFO_9rUEvfK72isOTIVpmnmzLxnzp51gHqzVXi5I5jE2lyrsssMFcfbwOFoXk3VR8TwxTQeexe%2FonLd6RPIG_M6hkLQMh6ACctX4kzsuwbN5w_6YOYxZYj1AJQl1OBCXNjPYQoA%253D%253Dxy5.jpg%26imgrefurl%3Dhttp%3A%2F%2Fbcsmusic.me%2F%253Fbdd%253Dgirdles-pictures%26usg%3D__6ho2Rtl5S4GcwInf2xzUhPN4vkI%3D%26h%3D439%26w%3D262%26sz%3D98%26hl%3Den%26start%3D19%26zoom%3D1%26um%3D1%26itbs%3D1%26tbnid%3DoHNHWFmQjxIwqM%3A%26tbnh%3D127%26tbnw%3D76%26prev%3D%2Fsearch%253Fq%253Dsite%3Abcsmusic.me%2526um%253D1%2526hl%253Den%2526sa%253DN%2526channel%253Dfs%2526biw%253D1222%2526bih%253D260%2526tbm%253Disch%26ei%3DnU80TtGDG4mE-wa5vPH9DA&d=http%3A%2F%2Fbcsmusic.me%2F%3Fbdd%3Dgirdles-pictures
302->hxxp://update34.svernick .in/index.php?Q0rhQ9S3be5GTHpOM5RNjiUpBaa7CmPerSb+VBBE57iCXCC1iDs+XgOe4qXsg1ggs5uk7Ck1GcwyRZ2vqM7MPVofO5WM3eBmP5tRpBeBu/kPphowRYvnTq2+4BmHNg==

As you can see, the TDS server receives information about the keywords, source, and the actual referring URL.
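To make the first hop concrete, here is an added example (an illustration for this write-up, not code from the original post or from the attackers) that decodes the redirect chain quoted above with Python’s standard library. The two URLs are the ones shown above, kept defanged (hxxp, a space before the TLD) as on this page; the refang() helper, the field names in the result dictionary and the landing-host pattern check (updateNN/scanNN on a .in domain, as described further down) are added here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Both hops are copied from the redirect chain above; the defanging used on this
# page (hxxp, a space before the TLD) is kept and undone by refang() before parsing.
HOP1 = ("hxxp://video.bywhy .com/?k=girdles+pictures&s=google"
        "&r=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2Fbcsmusic.me%2F"
        "%253Fbdd%253Dgirdles-pictures-Vyhynx%2FbFO_9rUEvfK72isOTIVpmnmzLxnzp51gHqzVXi5I5jE2"
        "lyrsssMFcfbwOFoXk3VR8TwxTQeexe%2FonLd6RPIG_M6hkLQMh6ACctX4kzsuwbN5w_6YOYxZYj1AJQl1"
        "OBCXNjPYQoA%253D%253Dxy5.jpg%26imgrefurl%3Dhttp%3A%2F%2Fbcsmusic.me%2F%253Fbdd%253D"
        "girdles-pictures%26usg%3D__6ho2Rtl5S4GcwInf2xzUhPN4vkI%3D%26h%3D439%26w%3D262%26sz"
        "%3D98%26hl%3Den%26start%3D19%26zoom%3D1%26um%3D1%26itbs%3D1%26tbnid%3DoHNHWFmQjxIwqM"
        "%3A%26tbnh%3D127%26tbnw%3D76%26prev%3D%2Fsearch%253Fq%253Dsite%3Abcsmusic.me%2526um"
        "%253D1%2526hl%253Den%2526sa%253DN%2526channel%253Dfs%2526biw%253D1222%2526bih%253D260"
        "%2526tbm%253Disch%26ei%3DnU80TtGDG4mE-wa5vPH9DA"
        "&d=http%3A%2F%2Fbcsmusic.me%2F%3Fbdd%3Dgirdles-pictures")
HOP2 = ("hxxp://update34.svernick .in/index.php?Q0rhQ9S3be5GTHpOM5RNjiUpBaa7CmPerSb+VBBE57iCXCC1"
        "iDs+XgOe4qXsg1ggs5uk7Ck1GcwyRZ2vqM7MPVofO5WM3eBmP5tRpBeBu/kPphowRYvnTq2+4BmHNg==")

# Landing hosts in this campaign look like updateNN.<domain>.in or scanNN.<domain>.in
LANDING_HOST = re.compile(r"^(?:update|scan)\d+\.[^.]+\.in$", re.IGNORECASE)


def refang(url):
    """Undo the page's defanging so urlsplit() sees a normal URL."""
    return url.replace("hxxp://", "http://").replace(" .", ".")


def _first(q, key, default=""):
    """First value of a parse_qs() result, or the default when the key is absent."""
    return q.get(key, [default])[0]


def decode_tds_hop(url):
    """Break the hacked-site -> TDS hop into the fields the TDS receives."""
    parts = urlsplit(refang(url))
    q = parse_qs(parts.query)
    info = {
        "tds_host": parts.hostname,
        "keyword": _first(q, "k"),      # the search phrase the doorway targeted
        "source": _first(q, "s"),       # the search engine ("google" here)
        "doorway": _first(q, "d"),      # the doorway page the visitor landed on
        "referrer_host": None, "imgurl": None, "imgrefurl": None,
        "image_search": False,
    }
    ref = _first(q, "r")                # the full Google result URL, passed through verbatim
    if ref:
        rparts = urlsplit(ref)
        rq = parse_qs(rparts.query)
        info["referrer_host"] = rparts.hostname
        info["imgurl"] = _first(rq, "imgurl", None)        # the spammy image itself
        info["imgrefurl"] = _first(rq, "imgrefurl", None)  # the doorway page hosting it
        # /imgres is the Google Images click-through page; the embedded "prev"
        # search URL also carries tbm=isch when the query was an image search.
        prev_q = parse_qs(urlsplit(_first(rq, "prev")).query)
        info["image_search"] = rparts.path == "/imgres" or _first(prev_q, "tbm") == "isch"
    return info


def describe_landing_hop(url):
    """Second hop (TDS -> fake AV site): host pattern check plus the opaque token it carries."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    return {
        "landing_host": host,
        "matches_pattern": bool(LANDING_HOST.match(host)),
        "opaque_token": parts.query,    # no key=value pairs, just an encrypted blob
    }


if __name__ == "__main__":
    for key, value in decode_tds_hop(HOP1).items():
        print(f"{key:14} {value}")
    print(describe_landing_hop(HOP2))
```

The decoded `r` parameter shows that the TDS gets the complete Google result URL, including the image it served, the doorway page and the original `site:` query, which is how it can tell image-search clicks from everything else. The host check also explains the Tuesday hiccup described later: a URL such as hxxp://scan15./index.php?… has the subdomain but no domain, so it fails the pattern.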

The intermediary domains change every day. They actually belong to other hacked sites (mostly WordPress blogs).

Here are just a few domain names of the intermediary TDS sites used in this attack:

  • video.bywhy .com
  • ppopo2.bget .ru
  • awalstudios .com
  • demo.hireindians .net
  • www.privatepilot .hu
  • footballgirdles .tk

The domain name of a landing page consists of a .in domain that changes every day and a random “updateNN” or “scanNN” subdomain, e.g. update82.yourscan .in or scan73.moomles .in.

Here are a few .in domains of the fake AV sites used in this attack:

  • spelleit .in
  • svernick .in
  • senerino .in
  • moomles .in
  • klopster .in
  • bastandro .in
  • waspeeds .in
  • yourscan .in
  • x-scan .in

Most of the .in sites point to the 193 .105 .154 .31 IP address (United Kingdom, Ars Tolerantia, with Latvian contact information).

Detection rate

The fake AV sites push scareware .exe with names like InstallSecurityScanner_NNN.exe, e.g. InstallSecurityScanner_225.exe. These files are being repackaged every day and their detection rate (according to VirusTotal) is quite low. The typical detection rate for currently served files is 8/43 (18.6%). It usually improves to 35%-50% by the time when the malicious file is no longer in use and a new file with a low detection rate is being served by the fake AV server.

Out of the 4,358 checked compromised sites, Google currently flags (or recently flagged) less than 5%. A typical Safe Browsing diagnostic page says something like this:

Malicious software is hosted on 2 domain(s), including bastandro .in/, senerino .in/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including hireindians .net/, awalstudios .com/, bywhy .com/.

Update (Aug 10, 2011):

  1. There are more than 4,358 hacked WP sites (found a few more)
  2. After I sent them my lists and additional information, Google has removed those doorway pages on hacked sites from index (both web search and image search).
  3. Hackers have injected hidden links that point to the doorway pages on the same sites into legitimate web pages of the hacked WP blogs. The links are cloaked (visible to search engine crawlers only). I believe they are injected into WordPress theme files (most likely footer.php).
  4. I still haven’t received a single response from either the webmasters of the hacked sites or their hosting providers. Hey, your information can help thousands of WordPress bloggers!
  5. I found some additional information about this attack. More about it later. Stay tuned! (Published)

Hiccups in serving malware

Starting this week, I noticed multiple hiccups in this attack.

On Tuesday, the TDS generated redirects whose fake AV URLs were missing the domain name part, e.g.:

hxxp://scan15./index.php?QwrhS9RYbcxGhnpcM45NtCWyBT…RcrnQq2F4MWHYQ==

As you can see, everything else is in place except for the domain name. It looked as if the criminals had run out of domain names (most of them were registered on July 20th) or had forgotten to specify a new domain for the new day.

By Wednesday, the URL generation process had been restored. However, the landing pages wouldn’t open (at least for me). At the same time, when I opened the root page of the fake AV site (e.g. hxxp://scan36.bastandro .in, hxxp://bastandro .in or even simply hxxp://193 .105 .154 .31) the malicious download would start automatically.

On Friday, I see a different hiccup. The TDS redirects to a newly registered domain (August 4th):

hxxp://update82.yourscan .in/index.php?Q+Xh59RmbVNGM3p…fnk6164ISHXQ==

that points to a different IP address (46 .4 .161 .228), and that server seems to be down. At the same time, the 193 .105 .154 .31 server still automatically starts malicious downloads if you visit it, but the download size is 0 bytes.

I wonder if all these hiccups have to do with the crisis of the fake AV industry that Brian Krebs describes in his recent post.

“During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims”

If this is true, we should expect that the hacked sites will eventually be used to monetize search traffic in some different way.

Update (Aug 8, 2011): A new hiccup today. The landing page is on an updateNN.x-scan .in site. While x-scan .in (193 .105 .154 .31) is up and serves an updated .exe file, its subdomains won’t resolve. What’s going on?

How the hack works

At this point I couldn’t find cooperative webmasters of the hacked WordPress blogs who would share internal details of the hack. Nonetheless, my black-box testing approach allows me to draw some conclusions.

Narrowing down

The hacked sites belong to different people and are hosted by different hosting providers. Other sites (both WP and non-WP) on the same servers are not affected. The hacked sites are all WordPress blogs, and many of them are up to date (running the latest version of WordPress). So it is neither a server-wide hack nor an intrusion via stolen site credentials (otherwise we’d see many non-WP sites). At the same time, it is not a hack of the WordPress core. In my experience, this usually means that the hackers used some backdoor script.

Where is the security hole?

The backdoor script might have been uploaded using vulnerabilities in WordPress themes or plugins. For example, many of the hacked sites (not all, though) use themes that include a timthumb.php file, which is known to have a security hole that allows attackers to upload .php files to a server.

Actually, this is where webmasters of compromised sites can help me. Usually a log analysis plus a server scan can provide very reliable information about the attack vector: vulnerable files and backdoor scripts. Please contact me if you have raw access logs for July.

.htaccess

Sometimes, I saw two different blogs on the same server (and most likely under the same user account) with the same doorway pages. Moreover, while blogs themselves looked different, the doorway pages used a template of only one of those sites and had links to that site only.

I think this happens because the hackers created .htaccess files with rewrite rules above the site root (quite a prevalent trick in .htaccess hacks). The rewrite rules map the doorway URLs to some .php script.

Caching

All doorway pages and images are cached somewhere on the server. Unlike other SEO poisoning attacks that I have written about, they are not generated on the fly. If you specify different keywords in the URL, you get a 404 error. Moreover, this 404 error is different from the normal 404 error pages of the hacked sites.

Further proof that the spammy content is cached and is not injected at run time into live WordPress pages is the timestamps at the bottom of the HTML code and the old articles in the “Recent Posts” section. On some sites, instead of the real site template, the doorways use a pre-built empty Kubrick template with a fingerprint that doesn’t change from site to site (WordPress 2.3.1, 22 queries, 0.912 seconds).

Rounding up: If I were the webmaster of one of those hacked sites, I would start by looking for rogue rules in .htaccess files in the site root and above the site root directory. The rewrite rules should point to a doorway script. The script, in turn, should point to a cache directory with all the HTML and JPG files. Then I would analyze access logs and scan the files on the server to find backdoor scripts and security holes.
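An added example (not from the original post) that automates the first two “rounding up” steps: it checks .htaccess files in and above the site root for rewrite rules that key on the query string, route into a PHP file other than WordPress’s own index.php, or inject code via auto_prepend_file, then looks under the site for cached doorway HTML (recognised by the generation timestamp comment from the Timestamps section) and JPEGs carrying the GD creator string. It builds a constructed mini site in a temporary directory; the rogue rule, the .cache path and the d.php file name in it are hypothetical placeholders, not values taken from any compromised site.

```python
import os
import re
import tempfile

# WordPress's own rewrite block only sends requests to /index.php. Lines that key
# on QUERY_STRING, route into another .php file, or inject code through
# auto_prepend_file/auto_append_file are what to read first.
QUERY_STRING_COND = re.compile(r"RewriteCond\s+%\{QUERY_STRING\}", re.IGNORECASE)
PHP_TARGET = re.compile(r"RewriteRule\s+\S+\s+(\S*\.php)", re.IGNORECASE)
PREPEND = re.compile(r"auto_(?:prepend|append)_file", re.IGNORECASE)
# Generation stamp found at the very bottom of every cached doorway page.
DOORWAY_STAMP = re.compile(r"<!--\s*\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M\s*-->")
# COM segment that GD writes into the JPEGs it produces.
GD_MARKER = b"CREATOR: gd-jpeg"


def looks_rogue(text):
    """True for a .htaccess line that keys on QUERY_STRING, injects a PHP file,
    or rewrites into any PHP file other than index.php."""
    if QUERY_STRING_COND.search(text) or PREPEND.search(text):
        return True
    m = PHP_TARGET.search(text)
    return bool(m) and m.group(1).rsplit("/", 1)[-1] != "index.php"


def scan_htaccess(path):
    """Return (line number, text) for each suspicious line in one .htaccess file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1) if looks_rogue(line)]


def find_htaccess(site_root, levels_up=2):
    """.htaccess files up to `levels_up` directories above the site root, then inside it."""
    above = os.path.abspath(site_root)
    for _ in range(levels_up):
        above = os.path.dirname(above)
        cand = os.path.join(above, ".htaccess")
        if os.path.isfile(cand):
            yield cand
    for dirpath, _dirs, files in os.walk(site_root):
        if ".htaccess" in files:
            yield os.path.join(dirpath, ".htaccess")


def scan_cache(site_root):
    """Cached doorway HTML (by its timestamp comment) and GD-written JPEGs under the site."""
    stamped, gd_jpegs = [], []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith((".html", ".htm")):
                with open(path, "rb") as fh:
                    fh.seek(max(0, os.path.getsize(path) - 512))  # the stamp sits at the bottom
                    if DOORWAY_STAMP.search(fh.read().decode("utf-8", "replace")):
                        stamped.append(path)
            elif name.lower().endswith((".jpg", ".jpeg")):
                with open(path, "rb") as fh:
                    if GD_MARKER in fh.read(4096):  # COM segment follows the SOI marker
                        gd_jpegs.append(path)
    return stamped, gd_jpegs


def triage(site_root):
    """Run both checks against a site root and return a report dictionary."""
    report = {"htaccess": {}}
    for path in find_htaccess(site_root):
        hits = scan_htaccess(path)
        if hits:
            report["htaccess"][path] = hits
    report["stamped_html"], report["gd_jpegs"] = scan_cache(site_root)
    return report


def build_sample_site(base):
    """Constructed mini site: a clean WordPress .htaccess in the site root, a hypothetical
    rogue one above it, and a hidden cache with one doorway page and one JPEG stub.
    None of these paths or rules come from a real compromised site."""
    site = os.path.join(base, "public_html")
    cache = os.path.join(site, "wp-content", "uploads", ".cache")
    os.makedirs(cache)
    with open(os.path.join(base, ".htaccess"), "w") as fh:  # above the site root
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{QUERY_STRING} ^[a-f]{3}=\n"
                 "RewriteRule ^$ /public_html/wp-content/uploads/.cache/d.php [L]\n")
    with open(os.path.join(site, ".htaccess"), "w") as fh:  # untouched WordPress block
        fh.write("# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n"
                 "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                 "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n"
                 "</IfModule>\n# END WordPress\n")
    with open(os.path.join(cache, "doorway.html"), "w") as fh:
        fh.write("<html><body>thumbnails and snippets go here</body></html>\n"
                 "<!-- 7/24/2011 4:30:03 PM --><!-- new england railroad pictures -->\n")
    with open(os.path.join(cache, "thumb.jpg"), "wb") as fh:  # not a valid image, just the marker
        fh.write(b"\xff\xd8\xff\xfe\x00\x3bCREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100\xff\xd9")
    return site


def run_on_sample():
    """Build the sample site in a temporary directory and return its report with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        rep = triage(build_sample_site(tmp))
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return {"htaccess": {rel(p): hits for p, hits in rep["htaccess"].items()},
                "stamped_html": [rel(p) for p in rep["stamped_html"]],
                "gd_jpegs": [rel(p) for p in rep["gd_jpegs"]]}


if __name__ == "__main__":
    rep = run_on_sample()
    for path, hits in rep["htaccess"].items():
        for n, text in hits:
            print(f"{path}:{n}: {text}")
    print("stamped doorway HTML:", rep["stamped_html"])
    print("GD-written JPEGs:", rep["gd_jpegs"])
```

Against a real site, call triage('/path/to/public_html') instead of run_on_sample(). Keep in mind that WordPress itself resizes uploads with GD, so the CREATOR: gd-jpeg marker alone only says “made by GD”; it becomes interesting when it turns up in an unexpected directory next to HTML files that carry the generation stamp.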

To webmasters

Creating doorway pages on legitimate websites is quite a prevalent reason behind website hacks. Make sure your site doesn’t contain rogue web pages.

Regularly check your statistics for suspicious requests. In this particular case you can even use JavaScript-based services like Google Analytics, since the hackers don’t remove your scripts from page templates and not all visitor requests get immediately redirected to malicious sites; for example, people may actually open the doorway pages when they click on Google web search results (as opposed to image search results). However, raw logs will show more accurate information.
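An added example (not part of the original post) that applies the doorway URL patterns from the beginning of this post to a raw access log: it flags doorway page and image requests, extracts the keywords, and records whether each request came from Google Images, Google web search, another referrer or no referrer at all. The five log lines are constructed samples in Apache combined format with documentation IP addresses; the key and short name in the image request are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Doorway page: /?abc=hyphen-separated-keywords. Doorway image: the same prefix,
# then a hyphen, an opaque key and a short name ending in .jpg.
KEYWORDS = r"(?P<kw>[a-z0-9]+(?:-[a-z0-9]+)*)"
DOORWAY_PAGE = re.compile(r"^/\?[a-f]{3}=" + KEYWORDS + r"$")
DOORWAY_IMAGE = re.compile(r"^/\?[a-f]{3}=" + KEYWORDS + r"-\S+\.jpg$")


def classify_target(target):
    """('page', keywords), ('image', keywords), or None if this is not a doorway request."""
    for kind, rx in (("page", DOORWAY_PAGE), ("image", DOORWAY_IMAGE)):
        m = rx.match(target)
        # The campaign only targets phrases containing "picture" or "pictures".
        if m and {"picture", "pictures"} & set(m.group("kw").split("-")):
            return kind, m.group("kw")
    return None


def referrer_surface(referer):
    """Where the visitor came from: google-images, google-web, other, or direct."""
    if not referer or referer == "-":
        return "direct"
    parts = urlsplit(referer)
    if "google." not in (parts.hostname or "").lower():
        return "other"
    # Image-search clicks go through /imgres and/or carry tbm=isch.
    if parts.path.startswith("/imgres") or parse_qs(parts.query).get("tbm", [""])[0] == "isch":
        return "google-images"
    return "google-web"


def triage_log(lines):
    """Count doorway hits by (kind, surface), tally keywords, and list the flagged requests."""
    by_surface, keywords, flagged = Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        hit = classify_target(m.group("target"))
        if not hit:
            continue
        kind, kw = hit
        surface = referrer_surface(m.group("referer"))
        by_surface[(kind, surface)] += 1
        keywords[kw] += 1
        flagged.append((m.group("ip"), m.group("time"), kind, surface, kw))
    return by_surface, keywords, flagged


# Constructed sample lines (documentation IPs, made-up timestamps, placeholder image key).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2011:16:31:10 +0000] "GET /?fef=pictures-of-mitzi-mueller-wrestling HTTP/1.1" 200 18234 '
    '"http://www.google.com/imgres?imgurl=http://example.com/%3Ffef%3Dpictures-of-mitzi-mueller-wrestling-KEY.jpg'
    '&imgrefurl=http://example.com/%3Ffef%3Dpictures-of-mitzi-mueller-wrestling" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jul/2011:16:31:11 +0000] "GET /?fef=pictures-of-mitzi-mueller-wrestling-Eun86/7l43WGQ==uek.jpg HTTP/1.1" '
    '200 9120 "http://example.com/?fef=pictures-of-mitzi-mueller-wrestling" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jul/2011:17:02:44 +0000] "GET /?cda=tropical-fruits-picture-index HTTP/1.1" 200 17011 '
    '"http://www.google.com/search?q=tropical+fruits+picture+index" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jul/2011:17:05:01 +0000] "GET /2011/07/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [24/Jul/2011:17:09:13 +0000] "GET /?abc=contact-us HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    by_surface, keywords, flagged = triage_log(SAMPLE_LOG)
    for (kind, surface), n in sorted(by_surface.items()):
        print(f"{n:4} {kind:5} via {surface}")
    print("keywords:", dict(keywords))
    for row in flagged:
        print(*row)
```

To run it on a real log, pass `open('access.log')` to triage_log(). Hits that arrive via google-web are the visitors who were not redirected and therefore also show up in Google Analytics; the google-images hits are the ones that were sent on to the TDS.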

You should also check Google Webmaster Tools for suspicious search queries and indexed pages.

Make sure your WordPress installation is up to date, and that all themes and plugins come from trusted sources and don’t contain known security holes (check their websites, google them). If your themes and/or plugins use the timthumb.php file, consider updating this file (its developers are currently actively improving its security).

If you have any details about internals of this attack and especially the security hole, please leave your comment below or contact me directly. It would also be interesting to hear your thoughts about the hiccups of this attack (and whether they are really hiccups).


Reader's Comments (12)

  1. |

    FWIW the 193 IP address is known to be bad – it’s been part of the “Russian Business Network” since April this year (http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork )

    The 46 address never seems to have resolved to anything except ns2.prozones.in
    (prozones.in was registered on 18 July 2011 according to whois – http://www.networksolutions.com/whois-search/prozones.in). I wonder if they ran out of time/money and couldn’t set that domain up

    • |

      That 46 address seems to be temporary. “yourscan .in” now points to the 193 address again. So does the “x-scan .in” (both registered on Aug 4th).

      By the way, today they didn’t change the domains. Instead, the landing page address no longer has a subdomain (which didn’t resolve yesterday).
      hxxp://x-scan .in/index.php?Q0jhfN…
      This means that they also changed the TDS code (it would always add random subdomains).

  2. |

    [...] security researcher Denis Sinegubko has posted details of 4,358 WordPress blogs that are poisoning Google Images to insert doorway pages that [...]

  3. |

    [...] have apparently manipulated thousands of WordPress blogs so that, when their images are displayed on Google, links to fraudulent sites [...]

  4. |

    There was a recent vulnerability with TimThumb’s image resizing where it was not checking MIME. Could this be the result of exploiting TimThumb, which is used as a standalone plugin and also used in many themes?

  5. |

    Hello,
    How can I tell if your website has been compromised? Could you publish that list of 4300 websites so I could check?
    Thank you

    • |

      I don’t want to publish the list as it may affect reputation of the websites.

      You could try to Google for
      [site:yourdomain.com intitle:"pictures of"]. However it won’t work now that Google has removed those doorway pages from index.

      Just read the “To webmasters” section and the “rounding up” slightly above. If you do that, you’ll be able to detect other hacks too.

      P.S. The site in your signature is not in my list.

  6. |

    [...] as secure a platform as I have ever seen, however, its main weaknesses lie in plugins. Unmask Parasites briefly touches on how up-to-date WordPress blogs can be compromised: the TimThumb vulnerability, [...]

  7. |

    I believe I was victim of what you are discussing. In fact, I recently received a letter saying we are in copyright infringement for using photos. This is how I found out about the url on my site that I didn’t create.

    hxxp://www.e…d.com/?eed=pictures-of-tallahassee’s-new-state-capitol

    Is there a way to track who hacked my site and determine when it was done?

    I cannot find the source of this page to even delete it off of my FTP or WordPress blog.

    Any help would be greatly appreciated.
    Thanks,
    Greg

  8. |

    [...] Once a site is infected, it’s not always easy to remove all the malicious code. Denis Sinegubko, the Russian researcher who discovered the WordPress attack used to poison Google Image results, has advised webmasters of compromised sites to look for rogue rules in the .htaccess files in the site root and above the site root directory. He has more here. [...]

  9. |

    I was victim of what you are discussing

  10. |

    I just got a spam email sent to me that had no subject and the link was ***.ru/wp-content/themes/minico/work.php?public53.gif

    Is that considered the same thing as what you are talking about here? First time I had seen a link like that.