May 31 2011

Super Mario brought to you by… Slice Factory?

There has been some recent online discussion about games from the Chrome Web Store requesting excessive permissions. These games are extensions for Google Chrome. Accessing various parts of Chrome requires specific permissions; for example, updating bookmarks requires access to the Bookmark manager. The “Super Mario 2” app is offered by the developer “chromitude”, which is associated with Slice Factory, a company that develops services and browser extensions to remix Web data. The extension requests permissions that seem excessive for simply playing a game. These permissions are:

  • Access to bookmarks
  • Notification of new tabs being created
  • Access to all URLs

To determine why these permissions are required for the game and what the extension actually does, Symantec analyzed the app. The extension consists of two parts. The first is the “Super Mario 2” game, which is a benign Flash-based game. It doesn’t access Chrome in any of the ways the permissions require.

The second part of the extension however does require additional permissions. This part runs in the background and requests two pieces of JavaScript code. The requested code is located on slicefactory.com and extensionfactory.com (Figure 1). Extensionfactory.com is a service provided by Slice Factory.

Figure 1. Background JavaScript includes

As well as logging some basic information about when the game was installed and last run, the code also intercepts new tabs and checks the addresses those tabs are loading. If the new tab is opening the domain “www.lemonde.fr”, additional JavaScript sourced from extensionfactory.com is inserted into that page.

This injected piece of JavaScript creates a fake toolbar, as shown in Figure 2.

Figure 2. Injected toolbar

The toolbar contains a link to install an extension. When installed, this extension provides a feed to Le Monde, displaying new news articles. The same extension is advertised on the slicefactory.com Web site, as shown in Figure 3.

Figure 3. SliceFactory advertising Le Monde extension

This additional behaviour is not disclosed when installing Super Mario 2 from the Chrome Web Store. Note that at present the JavaScript injection only occurs when visiting www.lemonde.fr, but because this code is loaded dynamically from a remote server, it could change in the future.
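The two traits described above, broad permissions and a background script that loads code from a remote host, can be checked for statically before an extension is installed. The following is an added example of such a triage script (not Symantec's tooling, and the manifest, script and host names are constructed placeholders, not the real Super Mario 2 package):

```python
"""Static triage of a Chrome extension package: flag broad permissions and
background scripts that pull JavaScript from remote hosts, the pattern
described above. Added example; the manifest and script below are
constructed stand-ins, not the real Super Mario 2 package."""
import json
import re
from urllib.parse import urlparse

# Permissions a plain game should not need (assumed watch-list).
RISKY_PERMISSIONS = {
    "bookmarks": "read/modify the bookmark manager",
    "tabs": "observe tab creation and every tab's URL",
    "<all_urls>": "read and inject into any page",
}

# Matches <script src="http://..."> style includes and dynamic script loads.
REMOTE_INCLUDE_RE = re.compile(
    r"""(?:\bsrc\s*=\s*|importScripts\(\s*)["'](https?://[^"']+)["']""",
    re.IGNORECASE)

def risky_permissions(manifest: dict) -> dict:
    """Return {permission: reason} for each watch-listed permission requested."""
    requested = manifest.get("permissions", [])
    return {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}

def remote_includes(script_source: str) -> list:
    """Return the remote URLs a background script loads code from."""
    return REMOTE_INCLUDE_RE.findall(script_source)

def triage(manifest: dict, background_js: str) -> list:
    """Human-readable findings; an empty list means nothing suspicious."""
    findings = [f"permission '{p}': {why}"
                for p, why in risky_permissions(manifest).items()]
    for url in remote_includes(background_js):
        findings.append(f"background script loads remote code from {urlparse(url).hostname}")
    return findings

# Constructed sample modelled on the three permissions listed above.
SAMPLE_MANIFEST = json.loads("""{"name": "Example Game", "version": "1.0",
  "permissions": ["bookmarks", "tabs", "<all_urls>"],
  "background_page": "background.html"}""")
SAMPLE_BACKGROUND_JS = """
var s = document.createElement('script');
s.src = 'http://stats.example.invalid/track.js';   // placeholder host, not a real one
document.body.appendChild(s);
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS):
        print("!", finding)
```

A remote include is not proof of misbehaviour (analytics scripts look the same), but it means the reviewed package is not what will actually run, which is exactly why the injected toolbar could change later.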

The Super Mario 2 game has since been removed from the Chrome Web Store.

We contacted Slice Factory who stated:

“This Mario web app should never have been published with this ‘Le Monde’ invitation. It is an experimental feature we have been testing internally, which was put in a production package by mistake.” In addition, a representative from Slice Factory mentioned the other JavaScript code injected into the Mario app was necessary to send statistical data to the Extension Factory backoffice (similar to other stats scripts such as Google Analytics), but did not compromise any personal data.

Slice Factory has also published some additional games on the Chrome Web Store under the “chromitude” developer account, including:

  • Tetris
  • Zelda
  • Platform Racing 2
  • Othello
  • Snake

We are currently analyzing these versions of the applications published by chromitude. These versions are not those specifically offered by the owners of the official game brands.

Uninstalling a Chrome web app can be done by opening a new tab, mousing over an app icon, clicking on the wrench icon, and selecting “Uninstall”. Uninstalling an extension can be done by selecting the Tools | Extensions menu in Chrome.

We recommend also reviewing Google's guidance regarding permissions and trusting unknown app developers.

May 31 2011

Apple releases update to protect against MacDefender

Apple has released security update 2011-003 to address the recent increase in malware targeting Mac OS X.

Mac update 2011-003

It updates the included XProtect program to detect the scareware variants we have seen attacking Mac users, including MacDefender, Mac Guard and Mac Security. It still appears to be limited to files that pass through the LSQuarantine library.

Once installed, it checks for updates to the XProtect list daily. This can be disabled in the Security preferences pane by unchecking the box “Automatically update safe downloads list”.

Security preferences pane

Upon installation this update will check for existing infections of known malware and remove it from the system if present. Additional checks are performed when an administrative user logs into the system.

I did some testing this afternoon and was able to confirm that it works. Using Safari, I visited the infected site Graham mentioned from the link spreading on Facebook.

I immediately received a warning that OS X had detected OSX.MacDefender.B, and yet it still prompted me to allow the file to be opened. This is one of the limitations of LSQuarantine, but it is a very bad behavior. If you know something is malicious, don’t let people continue on infecting themselves…

XProtect detection dialog

To test the cleanup functionality I infected a system that had not applied the update. I proceeded to apply 2011-003 and nothing happened. I’m not sure how it is supposed to work, but it didn’t alert me nor remove Mac Guard.

I rebooted my Mac and logged in as an administrative user and within a moment or two the new removal functionality kicked in. A dialog box popped up stating:

“Malware was found and removed from your computer. The ‘MacGuard’ malware was found and removed.”

Mac malware removed

My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects.

The biggest problem is the lack of an on-access scanning component. While LSQuarantine protects against malicious downloads in most browsers, it doesn’t prevent infections through USB drives, BitTorrent downloads and other applications.

Daily updates are a good start, but it remains to be seen how frequently the criminals may release new variants. If they start moving in a polymorphic direction similar to the one the Windows malware writers have gone, XProtect will have issues.

Of course this update only applies to OS X 10.6 “Snow Leopard,” so users of older OS X versions are left unprotected.

OS X 10.6 users should apply this update as soon as possible, and I recommend installing a more fully featured anti-virus solution like our free Sophos Anti-Virus for Mac Home Edition. It’s totally free; we don’t even ask you for your name or email.

May 31 2011

The ‘Art’ of Fake Anti-Virus Software

Hi, everyone. I am very excited to announce that I recently joined McAfee Labs. As many of you know, I have spent more than 20 years doing anti-virus (AV) development and research. Needless to say, I am not happy to see the new developments in fake AV software.

Fake AV developments began only a few years ago, but their delivery mechanisms have evolved rapidly. Cybercriminals hired talented attackers and developers to implement one of the largest fake AV attacks so far, reaching millions of users through Google Image Search poisoning.

Recently, I searched for my own name on Google, looking for an old picture from a conference. To my surprise, a lot of strange pictures showed up on the top search page that were seemingly not related to my search.

I quickly realized that the bizarre pictures referenced hacked websites, which redirected my browser to yet another compromised machine in an attempt to deliver new variants of fake AV products for my Mac.

This attack is impressive in the manner in which it can trick the user. Through JavaScript, it makes Safari appear as if a fake scan is taking place in a search for “threats” while the actual window uses elements from Finder. (If you use IE, your browser will start to look like Windows Explorer and a similar fake AV scan takes place.)

At the same time, a download starts that delivers an installation package of the fake AV product MacDefender and its variants. Revisiting the site a day later, I saw a change in the package’s content, and further research revealed that the new version did not require an OS X password to start installation, as the version from the day before had. I wondered how long it will take for the bad guys to run the whole installation via an exploit.

(Note: Safari’s option of “Open Safe Files After Downloading” needs to be enabled for the downloads to run, and JavaScript needs to be enabled, too. These are the default options. Disabling these options can help to mitigate the attack.)

How did the attackers get this far? Cybercriminals prepared this attack for several months, and implemented it in several stages.

Stage 1: The first step of the attack involved the discovery of FTP passwords for websites. Although the exact method for obtaining these credentials is unknown, FTP software often stores passwords in plain text, or in easily recoverable forms. Once the attackers collected enough FTP accounts for several hundred websites, they began the second stage of the attack. (This observation is based on reviews of FTP logs for logins and uploads on compromised sites.)

Stage 2: The attackers began uploading malicious PHP scripts to the websites using FTP and the stolen passwords. These PHP scripts generate large amounts of HTML content. Sophisticated automation identified top Google search keywords and combined them with top Google Image Search terms. The result is a mass of junk HTML that reads like a spam blog: a block of text and pictures hotlinked from other websites.

Notice my name in the text. What a nice haiku!

“CAKE IMPROVES WITH A CHOCOLATE PETER SZOR FOR OCT, PAGE DOG THING HAS BEEN TIME, SO MAKETHE CHEESECAKE FACTORY CHOCOLATE ORANGE PECAN, THE CHEESECAKE AND ITEMS , REY AND OTHER COURSE RECIPES FOR CHOCOLATE CHEESECAKE LIKE THIS PHOTO ACTUAL COPYCAT RECIPE BON CHEESECAKEALAS”

The picture Google returned for my search was referenced right above this text. The PHP attack script detects whether the page is being visited via Google Image Search, which helps hide the attack from the web master.

Stage 3: Because the generated pages were linked into the real content of the hacked website, Google’s robots started to index them. The generated HTML pages ensured the robots would pick them up by tagging them with the chosen keywords. They also asked the robots not to cache the page contents, making it harder to discover the compromised sites in bulk because easily searched cached content would not be available.

Stage 4: The attackers needed to wait. A lot of content had been generated on these hacked sites, thousands and thousands of HTML pages referencing interesting pictures. The attackers asked Google to index the sites to speed this up a little, but they still needed to be patient. Once the pictures were populated into Google Image Search, people started clicking on them, which also took some time. Eventually, many of these pictures ended up on the first page for selected keyword searches.

Stage 5: Once enough Google references were poisoned, the attackers started distributing fake AV products. When you visit the hacked sites from Windows, they distribute fake AV for Windows. A visit from Safari on the Mac delivers different flavors of fake AV for the Mac: complete packages or downloaders. Eventually these installations ask for credit card information. To make sure you believe your machine is infected, they have a fully supported UI, and in the background they bring up porn sites to scare you. The installer adds the fake AV to the login items, so the application is launched again whenever you log in. The Mac packages contain “fat binaries,” which carry both 32-bit and 64-bit executable content.

Each compromised website holds a list of IP addresses of compromised machines, or of domains from free registration services that the attacker registered in advance. The malicious scripts planted on the hacked sites forward the Google Image Search requests to one of these addresses, which host the malicious JavaScript that plays tricks with the browser. Furthermore, the installation package is localized to English and Russian.
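Because the planted scripts treat Google Image Search visitors differently from everyone else (Stage 2 and Stage 5 above), a site owner can spot them in ordinary web server access logs. The following is an added example of that detection logic, not McAfee's code; the log lines are constructed and the addresses and paths are placeholders:

```python
"""Detection logic for the server side of the attack described above: find
paths that redirect visitors arriving from Google Image Search while serving
normal content to everyone else, the cloaking behaviour of the planted PHP
scripts. Added example; the log lines are constructed, hosts and paths are
placeholders."""
import re
from urllib.parse import urlparse

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line: str):
    """Dict of the log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def from_google_images(referer: str) -> bool:
    """True for a referer on the images.google.* hosts or an image-search query."""
    u = urlparse(referer)
    return (u.hostname or "").startswith("images.google.") or "tbm=isch" in u.query

def cloaked_paths(log_text: str) -> dict:
    """Paths answered with a 3xx to Google Image Search visitors but 200 to
    everyone else (including the crawler): a cloaking tell worth inspecting."""
    seen = {}  # path -> {"images": statuses, "other": statuses}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlparse(rec["path"]).path
        bucket = "images" if from_google_images(rec["referer"]) else "other"
        seen.setdefault(path, {"images": set(), "other": set()})[bucket].add(rec["status"])
    return {p: s for p, s in seen.items()
            if any(c.startswith("3") for c in s["images"]) and "200" in s["other"]}

# Constructed sample: one hotlinked "recipe" page, one ordinary page.
LOG_LINES = """\
203.0.113.5 - - [17/May/2011:10:01:02 +0200] "GET /blog/recipes.php?q=chocolate HTTP/1.1" 302 0 "http://images.google.com/imgres?q=chocolate+cake" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [17/May/2011:10:02:15 +0200] "GET /blog/recipes.php?q=chocolate HTTP/1.1" 200 8456 "-" "Mozilla/5.0 (Windows)"
198.51.100.8 - - [17/May/2011:10:03:40 +0200] "GET /blog/recipes.php?q=chocolate HTTP/1.1" 200 8456 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.9 - - [17/May/2011:10:04:00 +0200] "GET /index.html HTTP/1.1" 200 1200 "http://images.google.com/imgres?q=paris" "Mozilla/5.0 (Macintosh)"
"""

if __name__ == "__main__":
    for path, statuses in cloaked_paths(LOG_LINES).items():
        print(f"possible cloaking: {path} -> {statuses}")
```

Pairing this with the FTP upload logs mentioned in Stage 1 (which account uploaded the flagged PHP file, and when) gives the web master both the planted page and the credential that needs rotating.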

As I write this, Google is doing a great job of throwing out the bad references. Apple is also getting involved in the cleanup process, promising detection and remediation for the Mac variation of the attack.

At McAfee we are dedicated to delivering real-time protection against these attacks, as well as thousands of others, each day.

May 31 2011

Finding the Money Behind Rogue Pharmacies

It is relatively easy for illegitimate websites to “poison” Google search results and achieve a top-5 ranking. And it’s financially well worth their while. Last Friday, at the French CLUSIR/RSSIA conference, Frédéric Roumat from EdelWeb (groupe ON-X) gave us an impressively argued demonstration on the subject.

After Roumat laid out the methods for gaining illicit traffic using blackhat search-engine optimization (backlinks, spam-indexing, doorways, cloaking, canonical beacon infection, SEO kits) or malware (man-in-the-browser attacks, DNS changers), he turned to the real aim: profit. His working hypotheses included the following:

  • Average click-through rate (CTR) for a third-rank position in search engine result pages (SERP): 9.5% (source: Optify study, April 2011)
  • Average e-commerce conversion rate (CR): 1%
  • Scareware pay-per-install commission: US$25
  • Rogue pharmacy commission: 40%
  • Rogue pharmacy average shopping cart: $200

Recent news caught the interest of the French public and produced spikes in Google searches. On May 17, using Google Insights and the Google Traffic Estimator, Roumat captured this interest, using the search string “Paris” as a baseline. He measured:

  • On May 2, 1.24 million (37,200,000/30) French searches for the “Paris” string
  • On May 2, 1.82 million French searches for the “Ben Laden” string
  • On May 16, 1.55 million French searches for “DSK” (the initials of Dominique Strauss-Kahn)

These figures demonstrate the attention cybercrooks pay to the news. For example, they show that a scareware campaign holding a third-ranked Google search engine result for “Ben Laden” on the day of his death would have yielded a reward of $43,000 in one day:

  • 1.82 million searches * 9.5% = 172,900 visits (with a 9.5% average CTR)
  • 172,900 * 1% * 25 = $43,225 (with a 1% CR and a $25 commission)

To convince the skeptics, Roumat next focused on rogue pharmacies to show how such a site obtains a third-rank search engine result. He invited the audience to search for “viagra” on Google.fr. Here is my search:

To check the website that finished in third rank, we ran a query on LegitScript.com. And, indeed, LegitScript warns us against this website, which lacks general conditions of sale and a business address yet offers an attractive affiliate program.

By the way, LegitScript gives us some interesting information about the scope of rogue pharmacies. Their database contains:

  • 68,826 referenced pharmacy websites
  • With only 345 legitimate
  • And 1,212 candidates for approval
  • 66,725 pharmacy websites do not meet the standards

Let’s get back to the money: searches on the Google AdWords Traffic Estimator for “viagra” and “cialis” return, for the United States alone, 1,830,000 and 823,000 local monthly searches, respectively:

Using these figures and a similar calculation as before, we can estimate the income of this suspicious pharmacy at $190,000 a month for the USA alone:

  • 1,830,000 + 823,000 = 2,653,000 searches * 9.5% (CTR) = 252,035 monthly visits
  • 252,035 * 1% * (200 * 40%) = $190,160 (with a 1% CR and an $80 commission)

So now we know why scareware and rogue pharmacies are so prevalent on the web.

Frédéric Roumat’s presentation (in French) can be downloaded here.
Under the CLUSIF label, I presented the 2010 Cybercrime Overview, which is available here.