Monday, December 7, 2015

Malware freeloading on security pros' good name?

The following are notes about something I am investigating, and for which I don't yet have a conclusion. I am sharing in the hopes that perhaps some of my readers have seen this as well and might have some insight into the purpose or delivery mechanism. Of note, each example hosts the malicious download link on *.appspot.com.

I have a variety of Google Alerts queries set up to alert me to mentions of my blog or my name on the Internet. I frequently get notices for news articles about a David Longenecker who happens to be the fire chief in Lancaster, Pennsylvania, but that's not my point today.

On December 7, Google Alerts informed me of three documents on Google Docs. These documents contain a long list of excerpts and headlines from various security writers, including some from my own blog. They also contain links to a likely-malicious website.

The first two documents contain headlines and excerpts about security flaws in Adobe Flash Player, along with a link to download an "update" for Flash; the third document is similar, but refers to Asus wireless router firmware instead of Adobe Flash. Below is a screenshot of one document:




All three documents are owned by variations on "fint*@fint*.iam.gserviceaccount.com," and contain links to fint*.appspot.com, which redirect to www.yournetmediastore.com.

hxxps://docs.google.com/document/d/1hYIpE3PWNvXv4ppyFD7aV3DRqfsqAOy97DaWk2V2tMg
Download link: hxxp://fintprn11.appspot.com/dn?k=Windows+8.1+flash+player+fix

Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Windows%208.1%20flash%20player%20fix

hxxps://docs.google.com/document/d/1oRkpy-CG5bbTX5dJ9BDwEZV8OaUAKPKZHQTeVyTdZnY
Download link: hxxp://fintcrn9.appspot.com/dn?k=Adobe+flash+patch+for+ie
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Adobe%20flash%20patch%20for%20ie

hxxps://docs.google.com/document/d/1g8Wcu5wFuxoR--JAHn8Z_C3hchsSSERx74oCn6xsHXg
Download link: hxxp://fintcrn10.appspot.com/dn?k=Asus+rt+n10+firmware+upgrade+fail
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Asus%20rt%20n10%20firmware%20upgrade%20fail

Following the links brings up the following (the destination site is flagged as phishing by multiple vendors). I especially like that the third screenshot includes a "testimonial" that "This site is not a scam." The final screenshot might be the end game: in order to download the "updates," I am required to register an account with the service.

For the moment, I have three working theories:
  1. This is an elaborate phish, delivered by email or by poisoning "watering holes." Victims see the "you need a download" warning, follow the link, and ultimately register an account with download-genius (thereby giving away private information).
     
  2. It is still a phish, but is an attempt at search engine optimization using headlines and excerpts that victims might be searching for.
     
  3. My paranoid side, though, has a more diabolical theory: the original document includes excerpts from blog posts and news stories by a number of legitimate security researchers who, like myself, may well have Google Alerts set up to monitor their sites. On a bad day, I may well have opened the Google Alerts content from a live machine instead of from my research VM.

Have any readers seen these documents? Any insight as to how it is being delivered to potential victims?






Update December 8, 2015: Yesterday, this scheme appeared to have just been created (the Google Docs creation date was Sunday December 6). The download link required one to register for an account, leading me to believe it a phishing campaign.

That is no longer the case. The download link has been changed, and now goes through a series of redirections ending at a website likely created by a domain generation algorithm. By way of example, the Asus router firmware-themed document leads to the following sites:

hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Asus%20rt%20n10%20firmware%20upgrade%20fail

[JavaScript redirection] --> hxxp://mymediadownloadstwentyeight.com/?...%3D (browser network panel: GET 302 text/html 0.74 KB 313 ms navigate 0 172 141 0 0 1937)

[302] --> hxxp://www.mark8hill.info/?version=1.1.5.26&campid=3687&appname=Asus%20Rt%20N10%20Firmware%20Upgrade%20Fail%20Downloader&getid[appsetupurl]=http%3A%2F%2Ffastmediadownloads.com%2Fdownload%2FPrompt-Downloader-1357859699.exe&getid[cmdline]=&getid[appimageurl]=http%3A%2F%2Fpromptdownloader.com%2Flogo.png&prefix=Asus%20Rt%20N10%20Firmware%20Upgrade%20F%20Downloader&getid[interrupted]=http%3A%2F%2Fpromptdownloader.com%2F%3Fcancel&ti1=1357859699&getid[thankyoupage]=http%3A%2F%2Fpromptdownloader.com%2F%3Fsuccess&tkn=1449584383.9f500f504ba918d6c5a92ae2fff61efe (browser network panel: GET 302 text/html 0.67 KB 250 ms navigate 313 156 94 0 0 1687)

[302] --> hxxp://www.fuze10sea.info/?version=1.1.5.26&campid=3687&prefix=Asus+Rt+N10+Firmware+Upgrade+F+Downloader&getid[thankyoupage]=http%3A%2F%2Fpromptdownloader.com%2F%3Fsuccess&getid[interrupted]=http%3A%2F%2Fpromptdownloader.com%2F%3Fcancel&ti1=1357859699&getid[appsetupurl]=http%3A%2F%2Ffastmediadownloads.com%2Fdownload%2FPrompt-Downloader-1357859699.exe&appname=Asus+Rt+N10+Firmware+Upgrade+Fail+Downloader&getid[cmdline]=&getid[appimageurl]=http%3A%2F%2Fpromptdownloader.com%2Flogo.png&rf=dd

[302] --> hxxp://www.xwmimoryme29bkzdu.info/modd2.php?version=1.1.5.26&campid=3687&prefix=Asus+Rt+N10+Firmware+Upgrade+F+Downloader&getid[thankyoupage]=http%3A%2F%2Fpromptdownloader.com%2F%3Fsuccess&getid[interrupted]=http%3A%2F%2Fpromptdownloader.com%2F%3Fcancel&ti1=1357859699&getid[appsetupurl]=http%3A%2F%2Ffastmediadownloads.com%2Fdownload%2FPrompt-Downloader-1357859699.exe&appname=Asus+Rt+N10+Firmware+Upgrade+Fail+Downloader&getid[cmdline]=&getid[appimageurl]=http%3A%2F%2Fpromptdownloader.com%2Flogo.png&s1=fbf3ea5d7cb45a56d165b6b269e0ed4290ff1750&t1=1449584582

[302] --> hxxp://www.xwmimoryme29bkzdu.info/mer2.php?...

The last link changes with every download, but the downloaded file for the Asus-themed document is always entitled "Asus Rt N10 Firmware Upgrade F Downloader.exe". As of this writing it has a VirusTotal detection rate of 16/54 (meaning about a third of common AV programs deem it malicious). Most of the detection names are variants of "OutBrowse Adware," software that brings its developer revenue by injecting advertisements into webpages.

Which brings me back to my question from yesterday: how is the attacker putting this in front of potential victims? Search engine optimization? Watering hole attacks and email spam? Or something I haven't considered?

I'd appreciate tips from any readers who have encountered one of the Google Docs documents mentioned, as I'd like to figure out the delivery mechanism.



Update December 9, 2015: I came across a couple more examples this morning. Here is a list of every bait document I have seen, along with the redirection. From my testing, the redirection to yournetmediastore is a static HTTP 302 redirect, while the download.php link at yournetmediastore is dynamically generated. The payload varies among a handful of adware types ("Amonetize" and "OutBrowse" are recurring names used by several AV products). At the moment, I am leaning toward this being search result poisoning, by including as many phrases as possible that an end user might search for related to a given topic.

Title: Windows 8.1 flash player fix
hxxps://docs.google.com/document/d/1hYIpE3PWNvXv4ppyFD7aV3DRqfsqAOy97DaWk2V2tMg 
Download link: hxxp://fintprn11.appspot.com/dn?k=Windows+8.1+flash+player+fix
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Windows%208.1%20flash%20player%20fix

Title: Adobe flash patch for ie
hxxps://docs.google.com/document/d/1oRkpy-CG5bbTX5dJ9BDwEZV8OaUAKPKZHQTeVyTdZnY
Download link: hxxp://fintcrn9.appspot.com/dn?k=Adobe+flash+patch+for+ie
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Adobe%20flash%20patch%20for%20ie

Title: Asus rt n10 firmware upgrade fail
hxxps://docs.google.com/document/d/1g8Wcu5wFuxoR--JAHn8Z_C3hchsSSERx74oCn6xsHXg
Download link: hxxp://fintcrn10.appspot.com/dn?k=Asus+rt+n10+firmware+upgrade+fail
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Asus%20rt%20n10%20firmware%20upgrade%20fail

Title: Download ie8 security patches
hxxps://docs.google.com/document/d/1sqtDmVvrGUhreGJYaYxYFDWjhNe0AYlC72V28vyq38k
Download link: hxxp://pnvpov5.appspot.com/dn?k=Download+ie8+security+patches
Redirects to: hxxp://www.yournetmediastore.com/002000/download.php?id=2000&name=Download%20ie8%20security%20patches

Title: Cannot download flash player in ie9 Downloader
hxxps://docs.google.com/document/d/1PoacQhfH5EbU27C6CLvT8emT-4_r0f2tNGsizMEEUWg
Download link: hxxp://pivpov4.appspot.com/dn?k=Cannot+download+flash+player+in+ie9
Redirects to: hxxp://www.yournetmediastore.com/002000/download.php?id=2000&name=Cannot%20download%20flash%20player%20in%20ie9

Title: Click to play flash chrome

hxxps://docs.google.com/document/d/1xkM2r2SFeMsZ6zygoGZCJRbAy7qqLRYmfwobq35EkjI
Download link: hxxp://dempim6.appspot.com/dn?k=Click+to+play+flash+chrome
Redirects to: hxxp://www.yournetmediastore.com/002000/download.php?id=2000&name=Click%20to%20play%20flash%20chrome


Title: Comment installer flash player sur windows 8
hxxps://docs.google.com/document/d/1-iTBAzSZFAMqeGWwysGsziC66HoQ3naqM4Jpnr25lIc
Download link: hxxp://sxdhm11.appspot.com/dn?k=Comment+installer+flash+player+sur+windows+8
Redirects to: hxxp://www.mymediasearchnowtwo.com/2000/download.php?id=2000&name=Comment%20installer%20flash%20player%20sur%20windows%208

Title: Adobe plugin download internet explorer
hxxps://docs.google.com/document/d/1fMXJmDZSqjo9yKhGqGhHDjgR8-hpuwFLpc79mZKXwXU
Download link: hxxp://sxdhm2.appspot.com/dn?k=Adobe+plugin+download+internet+explorer
Redirects to: hxxp://www.mypromediastoretwo.com/02000/download.php?id=2000&name=Adobe%20plugin%20download%20internet%20explorer

Title: Flash internet manager
hxxps://docs.google.com/document/d/1lh4HK1mfY4T7sppKeFsKy14lvB6GS-X4dvKBXfrmaTY
Download link: hxxp://frdxin2.appspot.com/dn?k=Flash+internet+manager
Redirects to: hxxp://www.mypromediastoretwo.com/02000/download.php?id=2000&name=Flash%20internet%20manager

Title: Asus rt-n66u bricked after firmware update
hxxps://docs.google.com/document/d/1iqToBAWD0qYVzSqv6NPUBGYj6heu-pDthWGiMbVAqjk
Download Link: hxxp://ghpnc10.appspot.com/dn?k=Asus+rt-n66u+bricked+after+firmware+update
Redirects to: hxxp://www.mypromediastoretwo.com/02000/download.php?id=2000&name=Asus%20rt-n66u%20bricked%20after%20firmware%20update

Title: Null scan against windows
hxxps://docs.google.com/document/d/1d2puIDUr-46F2LuZyjdfo64sFJsJaqcNWn5Gycx03ew
Download link: hxxp://ponsdn12.appspot.com/dn?k=Null+scan+against+windows
Redirects to: hxxp://www.mypromediastoretwo.com/02000/download.php?id=2000&name=Null%20scan%20against%20windows

Title: Adobe flash windows rt
hxxps://docs.google.com/document/d/1FcoYGvVJoLeE_w4DtC2t-9JF9nEm31TkXOzuzaIzG-Y
Download link: hxxp://ghpnc5.appspot.com/dn?k=Adobe+flash+windows+rt
Redirects to: hxxp://www.mypromediastoretwo.com/02000/download.php?id=2000&name=Adobe%20flash%20windows%20rt

Title: Flash player installer ie
hxxps://docs.google.com/document/d/1wZmCPFV31BMItvpK1Yo52L2fvujGeQAcMF9E0PRQW8Y
Download link: hxxp://dnmake12.appspot.com/dn?k=Flash+player+installer+ie
Redirects to: hxxp://december12download.com/download/cloud6009/12214667/2/?q=Flash%20player%20installer%20ie

Title: Adobe flash player lite 3.0 download
hxxps://docs.google.com/document/d/1WCDYL2MbwavUknzJHW9RvsUSkBYGWrgyRp5zoFjQ8V4
Download link: hxxp://pinnerst6.appspot.com/dn?k=Adobe+flash+player+lite+3.0+download
Redirects to: hxxp://december12download.com/download/cloud6009/12214667/2/?q=Adobe%20flash%20player%20lite%203.0%20download

Title: Ie flash download helper
hxxps://docs.google.com/document/d/1N83lO0_tLG2Cb13JiZzbhxfknIAoL3Bv6FermnLL4Ao
Download link: hxxp://vinnpx1.appspot.com/dn?k=Ie+flash+download+helper
Redirects to: hxxp://december12download.com/download/cloud6009/12214667/2/?q=Flash%20player%20installer%20ie

Title: Asus firmware stuck at 0
hxxps://docs.google.com/document/d/1pHhZtHg7nRi6INzOXwsPeEk7_EKsmYfv89BaXNrk88M
Download link: hxxp://dnforlnk.pythonanywhere.com/inp?k=Asus+firmware+upgrade+stuck+at+0
Redirects to: hxxp://aprilreddownload.com/download/cloud70853681/12214667/4/?q=Asus%20firmware%20upgrade%20stuck%20at%200

Title: Flash ie plugin download
hxxps://docs.google.com/document/d/1hZRg3QQmK5akLgUbgkqx-938y5o0BCcKxxO6-PbBIYw
Download link: hxxp://dnforlnk.pythonanywhere.com/inp?k=Flash+ie+plugin+download
Redirects to: hxxp://aprilreddownload.com/download/cloud94582298/12214667/4/?q=Flash%20ie%20plugin%20download

Title: Free download flash player for windows 7 internet explorer
Download link: hxxp://dnforlnk.pythonanywhere.com/inp?k=Free+download+flash+player+for+windows+7+internet+explorer
Redirects to: hxxp://aprilreddownload.com/download/cloud70941786/12214667/4/?q=Free%20download%20flash%20player%20for%20windows%207%20internet%20explorer

Sample payload: hxxp://koqk28minedvybpijekf.info/mer2.php?...

VirusTotal analysis of sample: https://www.virustotal.com/en/file/dc20a39a78afb2cb10eb4ae5b937d4f144bd00d66e25d8b907576a4fa12379e7/analysis/
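As an added example (this is my own code, not code from the original post or from any of the sites it describes), the following Python turns the indicator listing above and the December 8 redirect chain into something a defender can act on: it parses the "Title / document / Download link / Redirects to" format, un-defangs the hxxp links so they can be parsed, extracts the payload location that the chain carries in its getid[appsetupurl] parameter, and then runs the resulting indicators plus the recurring "*.appspot.com/dn?k=" and "*.pythonanywhere.com/inp?k=" gate pattern as detection logic over a few proxy log lines. The listing excerpt and the chain hop are copied from this post (the hop abridged to the parameters that matter); the log lines, the zzzexample7.appspot.com host, and every function name are my own constructions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Two entries from the listing above, copied verbatim (still defanged with hxxp).
LISTING = """\
Title: Windows 8.1 flash player fix
hxxps://docs.google.com/document/d/1hYIpE3PWNvXv4ppyFD7aV3DRqfsqAOy97DaWk2V2tMg
Download link: hxxp://fintprn11.appspot.com/dn?k=Windows+8.1+flash+player+fix
Redirects to: hxxp://www.yournetmediastore.com/2000/download.php?id=2000&name=Windows%208.1%20flash%20player%20fix

Title: Asus firmware stuck at 0
hxxps://docs.google.com/document/d/1pHhZtHg7nRi6INzOXwsPeEk7_EKsmYfv89BaXNrk88M
Download link: hxxp://dnforlnk.pythonanywhere.com/inp?k=Asus+firmware+upgrade+stuck+at+0
Redirects to: hxxp://aprilreddownload.com/download/cloud70853681/12214667/4/?q=Asus%20firmware%20upgrade%20stuck%20at%200
"""

# One hop of the December 8 redirect chain, abridged to the parameters that matter.
HOP = ("hxxp://www.mark8hill.info/?version=1.1.5.26&campid=3687"
       "&appname=Asus%20Rt%20N10%20Firmware%20Upgrade%20Fail%20Downloader"
       "&getid[appsetupurl]=http%3A%2F%2Ffastmediadownloads.com%2Fdownload%2FPrompt-Downloader-1357859699.exe"
       "&getid[cmdline]=&getid[appimageurl]=http%3A%2F%2Fpromptdownloader.com%2Flogo.png")

# Constructed proxy log lines: timestamp, client, method, URL. The last host is made up.
LOG = """\
2015-12-08T14:02:11Z 10.1.2.34 GET https://docs.google.com/document/d/1hYIpE3PWNvXv4ppyFD7aV3DRqfsqAOy97DaWk2V2tMg
2015-12-08T14:02:40Z 10.1.2.34 GET http://fintprn11.appspot.com/dn?k=Windows+8.1+flash+player+fix
2015-12-08T14:02:41Z 10.1.2.34 GET http://www.yournetmediastore.com/2000/download.php?id=2000&name=Windows%208.1%20flash%20player%20fix
2015-12-08T14:05:03Z 10.1.2.57 GET https://get.adobe.com/flashplayer/
2015-12-08T14:07:19Z 10.1.2.88 GET http://zzzexample7.appspot.com/dn?k=Asus+rt+n66u+firmware
"""

# Throwaway app-hosting platforms used as the first hop in every example on the page.
GATE_HOSTS = (".appspot.com", ".pythonanywhere.com")


def refang(url: str) -> str:
    """Undo the hxxp:// and hxxps:// defanging so urllib can parse the URL."""
    return re.sub(r"^hxx(ps?)://", r"htt\1://", url.strip(), flags=re.IGNORECASE)


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Split the post's listing into one dict per bait document."""
    entries: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("title:"):
            cur = {"title": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif cur is None:
            continue
        elif low.startswith("download link:"):
            cur["download"] = refang(line.split(":", 1)[1])
        elif low.startswith("redirects to:"):
            cur["redirect"] = refang(line.split(":", 1)[1])
        elif "docs.google.com/document/d/" in line:
            cur["doc_id"] = refang(line).rsplit("/", 1)[1]
    return entries


def build_indicators(entries: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collect the hostnames and Google Docs ids worth blocking or alerting on."""
    iocs: Dict[str, Set[str]] = {"hosts": set(), "doc_ids": set()}
    for e in entries:
        for key in ("download", "redirect"):
            if key in e:
                iocs["hosts"].add((urlsplit(e[key]).hostname or "").lower())
        if "doc_id" in e:
            iocs["doc_ids"].add(e["doc_id"])
    return iocs


def payload_details(hop: str) -> Dict[str, Optional[str]]:
    """Pull the campaign id, display name and payload URL out of a chain hop's query string."""
    q = parse_qs(urlsplit(refang(hop)).query)
    first = lambda k: q.get(k, [None])[0]
    return {"campaign": first("campid"), "appname": first("appname"),
            "setup_url": first("getid[appsetupurl]")}


def classify(url: str, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """Return a reason string if the URL matches a known indicator or the gate pattern."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    if host in iocs["hosts"]:
        return "known-ioc-host"
    # Structural match: a fresh *.appspot.com / *.pythonanywhere.com app serving /dn?k= or /inp?k=.
    if host.endswith(GATE_HOSTS) and u.path in ("/dn", "/inp") and "k" in parse_qs(u.query):
        return "gate-pattern"
    if host == "docs.google.com":
        m = re.search(r"/document/d/([A-Za-z0-9_-]+)", u.path)
        if m and m.group(1) in iocs["doc_ids"]:
            return "known-bait-document"
    return None


def scan_log(lines: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Run classify() over proxy log lines; returns (client, url, reason) for each hit."""
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reason = classify(parts[3], iocs)
        if reason:
            hits.append((parts[1], parts[3], reason))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(parse_listing(LISTING))
    print("payload hop:", payload_details(HOP))
    for client, url, why in scan_log(LOG, indicators):
        print(client, why, url)
```

The "gate-pattern" rule is the useful one operationally: the appspot and pythonanywhere app names in the listing change from document to document, so a host blocklist alone lags behind, whereas the "/dn?k=<search phrase>" shape has been constant across every example on the page.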



Update December 10, 2015: A reader contacted me with a similar tale to tell. In her case, she works for a consulting firm that has produced a number of works on organizational development, at least one of which is used in many graduate-level university courses. She discovered a website offering "free e-books," including the aforementioned textbook.

Upon review, the "free e-book" is not a book at all, but rather another sample of the same adware/malware I encountered earlier this week: OutBrowse, software that injects unwanted advertising into otherwise benign websites. As in the information security topics I described earlier, her firm's consulting works are being used as bait to get unsuspecting users to download and install malware.

For the record, here is a link to the fraudulent site:

hxxp://databaseebook.com
"Bait" page: hxxp://databaseebook.com/Field-Guide-to-Consulting-and-Organizational-Development-A-Collaborative-and-Systems-Approach-to-Performance-Change-and-Learning/p1737085263/
Download link: hxxp://databaseebook.com/download002/

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.