Manga Scanlation Services, a Viable Target for Malicious Activities

Japanese animation is known as anime and Japanese comics are known as manga. In the last two decades both industries have grown in popularity across the world. Cashing in on the latest trend is often an easy way to earn money, and legal and illegal businesses alike take advantage of this. The popularity of anime and manga has opened up a new avenue for cybercriminals to push malware onto unsuspecting fans through malvertisements and mobile risks.

During the early 90’s Japanese comics experienced a boom in the US market and earned their place on the shelves of major book sellers. Before these books can be read by fans who do not speak Japanese, they must be translated. The number of manga being officially translated is growing, but this doesn’t seem to be enough to keep fans satisfied. In addition, only the more popular titles are candidates for translation.

One problem the manga industry faces is how to choose the comics that will be appreciated by non-Japanese speaking fans. One indicator that proves to be very useful is reader communities. Some of these communities work together to produce translated scans of Japanese manga, known as scanlation (or scanslation).

Official publishers monitored these communities and oriented their business accordingly; unfortunately it backfired. The Japanese comics and anime industry began to lose customers as Internet access grew in the late 90’s and giant scanlation sites began providing free online manga content.

In the last few years lawsuits have been launched against websites and communities offering scanlation services, as it is a violation of copyright if the holder hasn’t given their permission.

Scanlation involves a lot of work, and a scanlation team can include the following members:

  • Translator
  • Cleaner
  • Proofer
  • Typesetter
  • Re-drawer

Team members are mostly volunteers, so in order to keep the publication of new material coming out at regular intervals, some form of monetization is needed and advertisements are often a key source of income.

Exploit kits and malvertisement
These sites show up to ten advertisements on a chapter’s page on average, and in some cases they use eleven ad providers. Recent investigations into malvertisements, exploit kits, and the exploit for the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) that was recently added to exploit kits led us to observe a number of scanlation sites linked to malicious redirections through malvertisements and injected malicious code. The chart in Figure 1 gives an overview of the malware detections observed from July 2013 through early January 2014.

chart1.png

Figure 1. IPS detections from scanlation domains (July 2013 – January 2014)

With exploits for CVE-2013-2551 appearing in exploit kits in December 2013 and the shutdown of the Blackhole exploit kit, the trend has changed. We are observing more malvertisement-type attacks, mainly pushing Trojan.FakeAV. In these recent malvertisement cases the scanlation websites themselves were not compromised with malicious code; the malicious content came through their ad providers. Because the sites rely so heavily on ads targeted at their readers, those readers become victims all the same. Figure 2 shows IPS detections from scanlation domains observed from October 2013 to early January 2014.

chart2.png

Figure 2. IPS detections from scanlation domains (October 2013 - January 2014)

An evolving reading format
As smartphones and tablets have become a more integral part of people’s lives, fewer people are using their computers or printed books. The vast majority of websites have released mobile versions of their content to make mobile access easier.

We conducted a mobile browsing test and observed how readers were redirected while reading random pages of recently released manga. We saw that users sometimes encountered a forced redirection when trying to go to the next page. The redirection led to a download prompt for an APK file. We categorized this Android application, Airpush Adware, as a security risk. Airpush Adware can collect and send out the user’s phone number, email address, and a list of applications to third parties, which could lead to the user receiving spam through email and SMS.

Fig3_4.png

Figure 3. Airpush privacy policy and advertising terms

A large number of mobile applications that aggregate manga from different scanlation domains have begun to appear. These apps can offer over 10,000 manga in multiple languages that users can read online and offline. With high download and installation rates, these applications are ideal targets for malicious piggybacking and Trojanized readers. As an example, we found one application, distributed on third-party markets, that offered manga reading services while sending premium-rate SMS messages. Symantec detects this threat as Android.Opfake.

A growing global enthusiasm for scanlating
The detection data gathered from July 2013 through January 2014 on these scanlation domains shows regular spikes that can easily be tied to the release of popular manga chapters for Naruto, Bleach, One Piece, Fairy Tail, and Kingdom.

A heatmap of the malvertisements seen on scanlation websites confirms that the highest readership is in the United States, followed by Europe, and Australia. Manga readership is also present in the Middle East and Brazil. Currently, the scanlation teams appear to be translating manga into six different languages (English, German, Italian, Spanish, Russian, and French).

Fig4_2.png

Figure 4. IPS detections for Scanlation domains and malvertising (July 2013 – January 2014)

With a large variety of manga available, the vast amount of new comics can make the medium difficult to access unless the reader understands Japanese or waits for official editors to provide a translated version.

Because new mangaka (manga authors) need to earn their popularity with fans, they often allow, or turn a blind eye to, scanlation services. As such, the way scanlation services operate sits uneasily close to copyright infringement. Unfortunately, the growing popularity of scanlation services has also attracted cybercriminal attention.

Symantec Security Response advises users to keep their software up to date, to limit the successful exploitation of vulnerabilities, and not to install applications from outside trusted app stores.

W32.Changeup – A Malicious Gift That Keeps On Giving

In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.

In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild:

Figure. Detections of updated version of W32.Changeup in last seven days

W32.Changeup comes bearing gifts. When a system is compromised, W32.Changeup may install additional malware. The threats vary from Backdoor.Tidserv to Trojan.FakeAV, as well as Backdoor.Trojan and Downloader Trojan; the Downloader Trojan in turn downloads even more malware onto the compromised computer.

The worm copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows. The latest version of the worm also copies itself to the following locations:

  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe
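As an added example (not code from the Symantec post), the following JavaScript triages the two propagation artifacts just described: it parses an autorun.inf taken from a removable or mapped drive and reports the entries that would execute a file when the drive is opened, and it flags files carrying the lure names the worm drops under %UserProfile%. The autorun.inf text and the file listing are constructed samples, not captures.

```javascript
"use strict";
// Added example, not code from the Symantec post: triage for the two
// W32.Changeup propagation artifacts described above. All inputs are constructed.

// File names the post lists under %UserProfile%, compared case-insensitively.
const CHANGEUP_DROP_NAMES = new Set(["passwords.exe", "secret.exe", "porn.exe", "sexy.exe"]);

// autorun.inf keys whose value Windows runs when the drive is opened or double-clicked.
const EXEC_KEY_RE = /^(open|shellexecute|shell\\[^\\]+\\command)$/;

// Parse the [autorun] section of an autorun.inf into a map of lower-cased keys
// to raw values. Other sections are ignored, as Windows ignores them.
function parseAutorunInf(text) {
  const entries = {};
  let inAutorun = false;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith(";")) continue;      // blank or comment
    const section = line.match(/^\[(.*)\]$/);
    if (section) {
      inAutorun = section[1].trim().toLowerCase() === "autorun";
      continue;
    }
    if (!inAutorun) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    entries[line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return entries;
}

// Every autorun.inf entry that would execute a file from the drive.
function autorunFindings(entries) {
  const findings = [];
  for (const [key, value] of Object.entries(entries)) {
    if (EXEC_KEY_RE.test(key) && /\.(exe|scr|com|pif|bat|cmd|vbs)(\s|$)/i.test(value)) {
      findings.push(`${key}=${value}`);
    }
  }
  return findings;
}

// Paths whose base name is one of the lure names (the post lists them under
// %UserProfile%; the worm copies itself elsewhere too, so match anywhere).
function dropNameFindings(paths) {
  return paths.filter((p) => CHANGEUP_DROP_NAMES.has(p.split(/[\\/]/).pop().toLowerCase()));
}

// Constructed sample autorun.inf in the style a worm plants on a USB stick.
const SAMPLE_INF = [
  "[autorun]",
  "; constructed sample",
  "open=Secret.exe",
  "shell\\open\\command=Secret.exe",
  "icon=Secret.exe,0",
  "[other]",
  "open=setup.exe",
].join("\r\n");

// Constructed file listing from a user profile and a removable drive.
const SAMPLE_PATHS = [
  "C:\\Users\\alice\\Passwords.exe",
  "C:\\Users\\alice\\Documents\\report.docx",
  "E:\\Sexy.exe",
  "E:\\autorun.inf",
];

function triage() {
  return {
    autorun: autorunFindings(parseAutorunInf(SAMPLE_INF)),
    dropped: dropNameFindings(SAMPLE_PATHS),
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

Disabling AutoRun removes the first vector, but the file-name check stays useful because the copies already written under the user profile remain on disk after AutoRun is turned off.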

Security Response strongly recommends taking steps, such as disabling AutoRun, to prevent worms from leveraging this feature. We have the following protections in place for the latest version of W32.Changeup:

Antivirus

Intrusion Prevention System

  • System Infected: W32.Changeup Worm Activity

We also have identified the servers the latest version of the worm attempts to contact after compromising a computer:

Servers

  • ns1.helpupdater.net
  • ns1.helpchecks.net
  • ns1.helpupdates.com
  • ns1.helpupdates.net
  • ns1.couchness.com
  • ns1.chopbell.net
  • ns1.chopbell.com
  • ns1.helpupdated.net
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdatek.eu
  • ns1.helpupdatek.tw
  • existing.suroot.com
  • 22231.dtdns.net
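As an added example (not code from the Symantec post), this JavaScript matches a DNS query log against the server list above. The log format and the sample lines are constructed for the example; the decision to also flag sibling hosts under the parent domains of the ns1.* entries is this example's own assumption, explained in the comments.

```javascript
"use strict";
// Added example, not code from the Symantec post: match DNS query logs against
// the W32.Changeup server names listed above. Log format and lines are constructed.

const CHANGEUP_SERVERS = [
  "ns1.helpupdater.net", "ns1.helpchecks.net", "ns1.helpupdates.com",
  "ns1.helpupdates.net", "ns1.couchness.com", "ns1.chopbell.net",
  "ns1.chopbell.com", "ns1.helpupdated.net", "ns1.helpupdated.org",
  "ns1.helpupdatek.at", "ns1.helpupdatek.eu", "ns1.helpupdatek.tw",
  "existing.suroot.com", "22231.dtdns.net",
];

// Lower-case and drop the trailing dot of a fully qualified name.
function normaliseHost(name) {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

const EXACT_HOSTS = new Set(CHANGEUP_SERVERS.map(normaliseHost));

// Assumption of this example, not a statement from the post: the ns1.* names
// look like attacker-registered domains, so sibling hosts under the same parent
// (e.g. ns2.helpupdater.net) are flagged as well. The two remaining entries sit
// under domains this example does not assume the attacker controls (dtdns.net
// is a dynamic-DNS provider), so they are matched exactly only.
const PARENT_DOMAINS = new Set(
  CHANGEUP_SERVERS.filter((h) => h.startsWith("ns1.")).map((h) => h.slice(4))
);

// Returns "exact", "sibling" or null.
function classifyHost(name) {
  const host = normaliseHost(name);
  if (EXACT_HOSTS.has(host)) return "exact";
  for (const parent of PARENT_DOMAINS) {
    if (host.endsWith("." + parent)) return "sibling";
  }
  return null;
}

// Lines are "<timestamp> <client-ip> <qtype> <qname>" (constructed format).
function scanDnsLog(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue;                       // skip malformed lines
    const [ts, client, qtype, qname] = fields;
    const verdict = classifyHost(qname);
    if (verdict) hits.push({ ts, client, qtype, qname: normaliseHost(qname), verdict });
  }
  return hits;
}

// Constructed sample log: one exact hit, one sibling hit, one dynamic-DNS hit,
// one unrelated host under the dynamic-DNS parent, one malformed line.
const SAMPLE_LOG = [
  "2014-01-08T10:01:02Z 10.0.0.5 A ns1.helpupdates.com.",
  "2014-01-08T10:01:03Z 10.0.0.5 A www.example.com",
  "2014-01-08T10:01:07Z 10.0.0.9 A NS2.HELPUPDATEK.EU",
  "2014-01-08T10:01:09Z 10.0.0.9 A 22231.dtdns.net",
  "2014-01-08T10:01:11Z 10.0.0.9 A other.dtdns.net",
  "malformed line",
];

console.log(scanDnsLog(SAMPLE_LOG));
```

The client IP in each hit is the machine to isolate and image; a "sibling" verdict is lower confidence than an "exact" one and deserves a look at the resolved address before acting on it.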

Security Response will continue to monitor W32.Changeup and provide protections against variations and accompanying malware.

How to Ensure Vulnerabilities Are Not a Gateway to Blackhole Exploits

Co-Author: Peter Coogan

Earlier in 2012, a patch was issued to correct a potential vulnerability in Parallels Plesk Panel version 10.3 or earlier that could allow unauthorized access to the website control panel. While this vulnerability is believed to be patched, administrators who have applied the fix may already have been compromised and had their login credentials stolen. Best practice for administrators using Parallels Plesk Panel 10.3 or earlier is to ensure they have up-to-date patches and to change any login credentials that may have been exposed through this vulnerability. They can learn more by reading Securing Parallels Plesk Panel: Best Practices to Prevent Threats.

Reports stated that, following a compromise, heavily obfuscated JavaScript is injected into HTML pages on the server. Once evaluated, the deobfuscated code generates a unique iframe each time the compromised Web page is visited, using the code snippets shown in the image below. This injected code is similar to code we discussed in an earlier blog post about the Blackhole Exploit Kit. Symantec customers visiting compromised Web pages containing the injected code are protected by several IPS signatures, including Web Attack: Blackhole Toolkit Website 10.

As seen in the image for generating the iframes, there is a string of ‘runforestrun’ that remains constant in all the generated iframes.
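That constant makes the campaign easy to spot in fetched page content even though the generated host names change. As an added example (not code from the Symantec post), the following JavaScript extracts iframe tags from HTML, flags those whose src contains the string, and records whether the iframe is styled to stay invisible. The sample HTML uses constructed host names under reserved example domains, and the hidden-iframe heuristics are this example's own.

```javascript
"use strict";
// Added example, not code from the Symantec post: find iframes injected by the
// 'runforestrun' campaign in fetched HTML. Sample HTML and hosts are constructed.

const MARKER = "runforestrun";

// Extract every <iframe ...> tag with its attributes. A regex suffices here
// because the injected markup is a single self-contained tag, not nested DOM.
function extractIframes(html) {
  const tags = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// Heuristics (this example's own): the injected frame is sized or styled so
// the visitor never sees it.
function isHidden(attrs) {
  const style = (attrs.style || "").toLowerCase();
  const tiny = (v) => v !== undefined && Number.parseInt(v, 10) <= 1;
  return tiny(attrs.width) || tiny(attrs.height) ||
    /visibility\s*:\s*hidden/.test(style) ||
    /display\s*:\s*none/.test(style) ||
    (/position\s*:\s*absolute/.test(style) && /(left|top)\s*:\s*-\d/.test(style));
}

// Report iframes whose src carries the campaign marker, with the host for blocking.
function findInjectedIframes(html) {
  const hits = [];
  for (const attrs of extractIframes(html)) {
    const src = attrs.src || "";
    if (!src.toLowerCase().includes(MARKER)) continue;
    let host = null;
    try {
      host = new URL(src, "http://page.invalid/").hostname;   // base handles relative src
    } catch (e) {
      host = null;                                           // unparsable src, still reported
    }
    hits.push({ src, host, hidden: isHidden(attrs) });
  }
  return hits;
}

// Constructed page: one injected frame, one legitimate frame.
const SAMPLE_HTML = `<html><body>
<p>Welcome</p>
<iframe src="http://qkx7dk2.example.net/runforestrun?sid=cx" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.example.org/widget"></iframe>
</body></html>`;

console.log(findInjectedIframes(SAMPLE_HTML));
```

The host field is what a proxy block list or an IPS signature keys on; the src is kept whole because the query string is part of what made each generated URL unique.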

Example generated iframe domains:

Symantec’s telemetry for July 2012 alone shows that we protected customers against over 68,000 unique URLs containing this string, all of which led to the Blackhole Exploit Kit. The following world heatmap indicates that the U.S. has seen the most detections:

Our telemetry for 2012 as a whole has also identified over 17,100 unique IP addresses hosting the referral URLs that led to the generated iframes detected by Symantec. While we cannot definitively say how all the servers behind these IP addresses were compromised to serve the generated ‘runforestrun’ iframes, the figure shows the relative size and success of this campaign. The following world heatmap indicates that, once again, the U.S. hosted the majority of the referral URL IPs:

At one time the injected iframes led, through a chain of sites containing redirects and forwards, to the final payload, Downloader.Parshell (a small executable containing a hardcoded URL from which it downloads additional malware onto the unsuspecting user’s computer). Among the additional malware downloaded are Trojan.FakeAV and Trojan.Maljava. Protection against a new variant of this downloader is also available as Downloader.Parshell!gen1.

Symantec customers who use our Network-Based Protection Technology are proactively protected from the Blackhole Exploit Kit. If you are concerned that you may have been compromised after visiting a website, you can download Symantec’s free Power Eraser tool to aid in the removal of any infections.

The True Face of Urchin

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and is infecting many unsuspecting users. It all starts with a script that is injected into certain sites. The script itself points to one particular location: “http://[REMOVED]/urchin.js”. Throughout this blog we will look at the different exploits this campaign uses to install malicious files on a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

The page then presents a video with a play button, which, when clicked on, will display a fake message advising the user to update their Adobe Flash Player as can be seen in the image below.

Even when “Don’t Install” is clicked, the user is still prompted to install the update.

The “i.html” page also stores a multitude of exploits. As an anti-deobfuscation measure, the script uses arguments.callee, a property that refers to the currently executing function; by reading its own source text through it, the script ties its decoding to that text, so any edit an analyst makes to the script while trying to decode it changes the result. We have seen this trick employed by many malicious scripts. It can be seen in the highlighted section in the image below.
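To show concretely what such a check does, here is an added example, written for this page rather than taken from the Urchin script: a decoder in the same style derives its XOR key stream from a hash of its own source obtained through arguments.callee.toString(). The checksum, key schedule and payload text are constructed for the example, and the decoder is instantiated with the Function constructor so it runs in sloppy mode, since arguments.callee throws in strict code (including ES modules).

```javascript
// Added example, not code from the Symantec post or the Urchin script: a decoder
// keyed on arguments.callee.toString(), showing why patching the script (e.g.
// replacing eval with a print) breaks decoding, and how to decode without patching.

// FNV-1a 32-bit over a string; the same arithmetic is embedded in DECODER_SRC.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Symmetric XOR with a key stream drawn from the four bytes of the seed.
function xorBytes(bytes, seed) {
  return bytes.map((b, i) => b ^ ((seed >>> ((i % 4) * 8)) & 0xff));
}

// Decoder body as it would appear in an injected script (constructed here).
// It hashes its own source via arguments.callee before decoding anything.
const DECODER_SRC = `
  var src = arguments.callee.toString(), seed = 0x811c9dc5;
  for (var k = 0; k < src.length; k++) {
    seed ^= src.charCodeAt(k);
    seed = Math.imul(seed, 0x01000193) >>> 0;
  }
  var out = "";
  for (var i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded[i] ^ ((seed >>> ((i % 4) * 8)) & 0xff));
  }
  return out;   // in a real script this string would be handed to eval()
`;

// Function constructor: sloppy mode regardless of the caller, so arguments.callee works.
function buildDecoder(body) {
  return new Function("encoded", body);
}

// Attacker side: the key is the hash of the decoder's final source text, so the
// payload must be encoded against the exact function object that will run.
function encodeFor(decoderFn, plain) {
  const bytes = Array.from(plain, (ch) => ch.charCodeAt(0) & 0xff);
  return xorBytes(bytes, fnv1a(decoderFn.toString()));
}

// Analyst side: do not edit the function; hash its untouched text and decode out-of-band.
function decodeExternally(decoderFn, encoded) {
  return String.fromCharCode(...xorBytes(encoded, fnv1a(decoderFn.toString())));
}

// Constructed payload standing in for the next-stage script.
const PAYLOAD = "var stage2 = 'constructed-next-stage';";
const decoder = buildDecoder(DECODER_SRC);
const encoded = encodeFor(decoder, PAYLOAD);

// A patched copy: one added comment is enough to change the hash and the key.
const tampered = buildDecoder("/* analyst: log instead of eval */" + DECODER_SRC);

function demo() {
  return {
    original: decoder(encoded),                 // correct payload
    tampered: tampered(encoded),                // garbage
    external: decodeExternally(decoder, encoded), // correct payload, no edit needed
  };
}

console.log(demo());
```

The practical lesson is the analyst-side path: rather than editing the script, compute the self-hash from the unmodified function text (or hook eval at the engine or debugger level, outside anything the script can checksum) and run the decoding step with that value.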

De-obfuscating this script yields several scripts that follow the same pattern as the one in the image above. Each of them, when decoded separately, reveals a hidden exploit. Each script also contains a plug-in detection routine that identifies the plug-ins installed in the visitor’s browser. At the time of writing, the site was attempting to exploit the following vulnerabilities:

  • CVE-2010-0842 – Java MIDI Vulnerability (BID 39077)
  • CVE-2008-2992 – PDF util.printf Vulnerability (BID 32091)
  • CVE-2007-5659 – PDF collectEmailInfo Vulnerability (BID 27641)
  • CVE-2009-0927 – PDF getIcon Vulnerability (BID 34169)
  • CVE-2010-0840 – Java Trusted Methods Chaining Remote Code Execution Vulnerability (BID 39065)
  • CVE-2010-4452 – Java Web Start Vulnerability (BID 46388)

Below is a snapshot of a decoded version of the Java MIDI exploit (CVE-2010-0842).

The malicious RMF file required to trigger the vulnerability is obfuscated and passed to the JAR file at runtime as an HTML array. The malicious JavaScript inside the PDF uses a similar template for obfuscating the script; de-obfuscating it reveals the exploits it contains. The highlighted section in the following image shows the different exploits.

Even if the user never installs the malware from the fake Adobe Flash Player update screen, the malware is still installed when any of the aforementioned vulnerabilities is successfully exploited. Hence the chances of the malware being successfully installed on the computer are significantly increased.

Ultimately when any of the vulnerabilities are exploited or the user manually clicks the “Install Now” button as seen in the below image, the FakeAV downloader will be installed.

Below is a snapshot of the FakeAV scanner that prompts the user to run the FakeAV downloader, which actually downloads the FakeAV.

There is therefore not one but several ways in which the computer can become compromised. This is another typical scenario that blends the installation of malware through social engineering with installation through the exploitation of vulnerabilities.

Symantec‘s multi-layered approach protects its users from these types of attacks. However, we do urge users to update both their security software and their various plug-ins in order to thwart these attacks.