Typosquatting has been around practically since the dawn of the Web. Often if you're typing a site address whose domain ends in .gov or .org and you mistakenly type .com or .net instead, you'll end up somewhere you didn't expect. There are also countless domains based on various misspellings of google.com, microsoft.com, and numerous other sites.
I recently noticed when browsing through MalwareURL's database that some malefactors are actively using typosquatted Google Analytics domains for nefarious purposes. Google Analytics is a service that allows webmasters to keep track of anonymized statistics about visits to their site. The recently discovered typosquatted Google Analytics domains contain a JavaScript file named urchin.js or ga.js in the root directory—the same filenames and locations of the scripts on the real Google Analytics domain (google-analytics.com).
The operators of the typosquatted domains probably have one of the following scenarios in mind. The first is that they're banking on the idea that some webmasters might have mistyped the Google Analytics code (very unlikely, since virtually everyone would have copied and pasted the code directly from Google's site); if a webmaster mistyped the domain just so, they could end up inadvertently injecting malicious JavaScript code into their own Web pages. The second scenario is that the typosquatters plan to put this code into their own pages, and they're hoping that individuals or companies that maintain their own URL blacklists might have made the mistake of whitelisting */urchin.js or */ga.js (matching only the filename) instead of whitelisting the full URL of those scripts on the official Google domain. Either way, it seems like there's an extremely remote chance that it would actually make a difference to go to the trouble of emulating Google Analytics' JavaScript URLs, but someone did it anyway.
To mitigate the threat of malicious JavaScript code, you can do your casual Web browsing or searching in a separate browser with JavaScript disabled. More advanced users may prefer to use the NoScript add-on for Firefox.
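The second scenario above comes down to an allow rule that matches only the script filename rather than the full origin. The following audit script is an added example (not code from the original post): it checks every external script on a page, treats only an exact-match host list as the real Google Analytics origin (an assumption for this example), and flags a GA filename or a GA-lookalike hostname served from anywhere else. The sample page is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Exact-match allowlist for the real Google Analytics script hosts (an assumption for this example).
ALLOWED_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com", "ssl.google-analytics.com"}
GA_SCRIPT_NAMES = {"urchin.js", "ga.js"}
GA_LABEL = "google-analytics"
SCRIPT_SRC_RE = re.compile(r'<script[^>]*?\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; a small distance between domain labels is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(host):
    """'www.google-abalytics.info' -> 'google-abalytics' (the label left of the TLD)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host

def classify_script_src(src):
    """'ok': served by a real GA host; 'suspect': GA filename or GA-lookalike host elsewhere; else 'other'."""
    parts = urlparse(src)
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1].lower()
    if host in ALLOWED_GA_HOSTS:
        return "ok"  # the full-origin check a blacklist maintainer should be using
    lookalike_host = bool(host) and edit_distance(second_level_label(host), GA_LABEL) <= 2
    if name in GA_SCRIPT_NAMES or lookalike_host:
        return "suspect"  # would slip through a */urchin.js or */ga.js filename-only allow rule
    return "other"

def audit_page(html):
    """Return (src, verdict) for every external <script src=...> in the page."""
    return [(src, classify_script_src(src)) for src in SCRIPT_SRC_RE.findall(html)]

# Constructed sample page: real GA, a typosquat from the post, an unrelated script, a lookalike host.
SAMPLE_HTML = """
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript" src="http://google-abalytics.info/urchin.js"></script>
<script src="http://cdn.example.net/jquery.js"></script>
<script src="//google-nalytics.info/stats.js"></script>
"""
if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE_HTML):
        print(f"{verdict:8s} {src}")
```

A self-hosted copy of ga.js will also come back as "suspect"; that is intended, since the point is that anything with a Google Analytics filename not served by Google deserves a look.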
Following are additional details that may be of interest to fellow security researchers, including reports for the domains that have been actively hosting malicious urchin.js files in their root directories within the past week and domains to which the obfuscated JavaScript code attempted to redirect:
Following are VirusTotal analyses for each of 11 variants of this JavaScript (note that these are current scans, not the original scans prior to when I submitted samples to AV vendors):
These variants have been variously detected as JS:Downloader-LP, JS.Crypt.CSA, JS.Siggen.84, JS/Agent.LP!tr.dldr, JS/Crypted.CP.gen, JS/Downloader, JS/Pakes, JS/Psyme.PP!tr.dldr, JS/Redir.AG.gen, JS/Redirector, JS/Redirector.AM!tr, TR/Click.Agent.NG, TR/Click.Agent.NI, TR/Dldr.Agent.fei.2, TR/Dldr.Agent.fej, TR/Dldr.Agent.fek, TR/Dldr.Agent.fel, TR/Dldr.Agent.fem, TR/Redirector.BU, TR/Redirector.BU.1, TR/Redirector.BU.2, Trojan-Clicker.JS.Agent.ng, Trojan-Clicker.JS.Agent.ni, Trojan-Downloader.JS.Agent.fei, Trojan-Downloader.JS.Agent.fej, Trojan-Downloader.JS.Agent.fek, Trojan-Downloader.JS.Agent.fel, Trojan-Downloader.JS.Agent.fem, Trojan.Click.Agent.NG, Trojan.Click.Agent.NI, Trojan.Clicker.JS, Trojan.Dldr.Agent.fei.2, Trojan.Dldr.Agent.fej, Trojan.Dldr.Agent.fek, Trojan.Dldr.Agent.fel, Trojan.Dldr.Agent.fem, Trojan.JS.Redirector, Trojan.JS.Redirector!IK, Trojan.JS.Redirector.bu, Trojan.Redirector.BU, Trojan.Redirector.BU.1, Trojan.Redirector.BU.2, Trojan.Script.397828, Trojan/JS.Redirector, Virus.JS.Downloader.LP, Virus.JS.Downloader.LP!IK, etc.
Additional domains that were actively hosting malicious urchin.js files in January or February according to MalwareURL:
Here's another that apparently hosted a malicious ga.js file last month:
91.213.174 .101
http://www.mywot.com/en/scorecard/91.213.174.101
Strangely enough, most (if not all) of the domains to which the JavaScript code tries to redirect are offline. The Wepawet reports indicate that those sites were already offline when Wepawet conducted its initial scans.
See MalwareURL's lists of sites hosting urchin.js or ga.js files:
http://www.malwareurl.com/search.php?urls=on&rp=200&s=urchin.js
http://www.malwareurl.com/search.php?urls=on&rp=200&s=ga.js
Thursday, April 8, 2010
Google Analytics Typosquatters Hosting Malicious JavaScript Files