Infected when using Bing Image search?
Looks like there may be some risks with using Bing for image searching. I had a user late yesterday who got a drive-by infection from Bing's Image search header page.
I still need to pull the details together from the IE cache/index.dats, but they were apparently viewing "normal" image search results within Bing's pages when they got the AV alerts.
Cached filenames were:
bursted[1].js (detected as JS/Downloader.gen)
text_constants_en[1].js (detected as HTML/FakeAV)
Google search on "text_constants_en" throws up a heap of reports on malware.
As I get more details I will update. It could always be a false positive, but indications so far are making it sound valid.
Fifth.Sentinel.
1. Yes, it was a positive AV threat identified. It gets served up from rampir[dot]info. (don't go there unless you know how to protect yourself)
2. JavaScripts from that site serve a fake HTML AV, and then also seem to have links to download a Windows PE exe that gets stomped as an AV also. (have viewed the JavaScripts that got stomped on)
3. Our working theory on how you get redirected from a Bing image search result page (read Bing showing you image thumbnails):
It looks like above the thumbnails Bing includes content from the source web page of the image that includes your search terms. The theory at the moment is Bing was not sanitising/escaping that content in some or all of the occasions. So if potentially in the thumbnail "title" it included HTML, you could get the browser to redirect to rampir[dot]info.
It does not look like the same image search results in an infection today, so we can not replicate the problem. I am still trying to identify the original infecting source which may go to help test the theory above.
The end user was an IT sys admin, and from talking to them and going over some of the data I have analysed I do have confidence that it "seems" the infection came via Bing at this stage. (read: covering my behind in case it turns out to be something else :) )
Fifth.Sentinel
Just set up your own pseudo-malicious pages somewhere and try to get them indexed.. see if the js is getting served up via Bing.
Honestly my gut tells me MS wouldn't be quite that stupid... maybe in '03, but not anymore. But I tell you this -- if you can replicate it, then it's a hell of a story! :)
I agree, that's why I am being very careful about how I am laying blame. It just looks to be the case at this stage, but it only takes that one key bit of evidence to spin the analysis down another path.
Ok, I am not going to get the evidence I want. It seems that when the infection occurred, it was discovered straight away (due to fake AV), and because IE wasn't shutting down, the laptop was hard reset. This meant the IE history and cache index.dat data I was looking for was probably still buffered in memory and didn't get written to disk :/
The best evidence I have is that at exactly the same time from the proxy with the same "login" I have a SSL connection in proxy logs to:
urs.microsoft.com
(end user was signed into live, hence session to Bing was SSL'd (just to make it more fun))
and also to rampir[dot]info (fake AV URL)
There are no proxy URL requests after rampir for the username, and the previous URL request before these was 10 seconds in the past.
So I am left with something that seems to quack like a duck, just can't prove it looks like a duck :)
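The proxy-log correlation described in the post above, written out as an added example (this is not code from the thread): it flags requests to a known-bad host that the same login reached within a few seconds of a search-engine connection, so the same check can be run over a whole log rather than eyeballed for one user. The log format, logins and timestamps are constructed, and rampir[dot]info is kept in the thread's defanged form.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not real data): ISO timestamp, login, method, host:port.
# Lines are assumed to be in time order, as a proxy log normally is.
SAMPLE_LOG = """\
2009-10-14T09:11:50 fifth GET www.bing.com:80
2009-10-14T09:12:00 fifth CONNECT urs.microsoft.com:443
2009-10-14T09:12:00 fifth CONNECT rampir[dot]info:443
2009-10-14T09:12:03 alice GET example.com:80
2009-10-14T09:14:30 bob CONNECT rampir[dot]info:443
"""

# Hosts to flag; rampir[dot]info is the defanged name used in the thread.
BAD_HOSTS = {"rampir[dot]info"}
# Hosts whose presence just before a flagged host suggests the search page was the pivot.
SEARCH_HOSTS = {"www.bing.com", "urs.microsoft.com"}


def parse_line(line):
    """Split one constructed log line into (timestamp, login, host)."""
    ts, user, _method, hostport = line.split()
    return datetime.fromisoformat(ts), user, hostport.rsplit(":", 1)[0]


def find_pivots(log_text, bad_hosts=BAD_HOSTS, search_hosts=SEARCH_HOSTS, window_s=10):
    """Return one tuple per request to a flagged host.

    (login, search_host, bad_host, seconds_between) when the same login hit a
    search-engine host within window_s seconds beforehand, otherwise
    (login, None, bad_host, None) so unexplained hits are still reported.
    """
    last_search = {}  # login -> (timestamp, host) of the most recent search-engine request
    findings = []
    for line in log_text.splitlines():
        ts, user, host = parse_line(line)
        if host in search_hosts:
            last_search[user] = (ts, host)
        elif host in bad_hosts:
            prev = last_search.get(user)
            if prev and ts - prev[0] <= timedelta(seconds=window_s):
                findings.append((user, prev[1], host, (ts - prev[0]).total_seconds()))
            else:
                findings.append((user, None, host, None))
    return findings


if __name__ == "__main__":
    for finding in find_pivots(SAMPLE_LOG):
        print(finding)
```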
Maybe it's some sort of duck/snake hybrid with wings and blue horns...
...that can breathe fire.
Now THAT would be a cool story.
Sheesh... I'd love to find out how that happened!