Google Image Search poisoned results

Hi Forum,

I read about the Google Image poisoning attacks that redirect users to fake antivirus sites.

http://isc.sans.edu/diary/More+on+Go...oisoning/10822

Out of curiosity, I fetched a malicious page I happened to land on with wget and did a rough inspection of the php code. The page had a popup warning that my "Windows" system was infected and needed a scan, even though I was running Firefox with NoScript on PC-BSD.

I don't really program, but I can generally get a rough idea of what a program is doing. Curiously, while inspecting the script I found that it also targets Konqueror, the KDE browser.

Long story short, I traced the Konqueror process running the php script with the truss command on PC-BSD, and I am attaching snippets of its output below. Unless I am wrong, it looks like the script is scanning the .kde directories and trying to write to them using library functions like fchmod and stat. Perhaps someone can elaborate on what exactly those portions of the trace are trying to do? As an aside, I took the machine offline before I started the trace.

Code:
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba5664) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdaf0) ERR#2 'No such file or directory'
fchmod(0xa,0x1a4,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new",O_RDWR|O_CREAT,0666) = 12 (0xc)
fcntl(12,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
lseek(10,0x0,SEEK_SET)                           = 0 (0x0)
close(10)                                        = 0 (0x0)
fchmod(0xc,0x180,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48) = 0 (0x0)
fstat(12,{ mode=-rw------- ,inode=147734,size=0,blksize=16384 }) = 0 (0x0)
write(12,"[General]\nNumber of Windows=1\n"...,16272) = 16272 (0x3f90)
write(12,"file:///home/damek/MAL/index2.ph"...,6607) = 6607 (0x19cf)
fstat(12,{ mode=-rw------- ,inode=147734,size=22879,blksize=16384 }) = 0 (0x0)
close(12)                                        = 0 (0x0)
rename("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new","/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53") = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/owned_by_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/owned_by_1.53",0xbfbfdd50) ERR#2 'No such file or directory'
clock_gettime(4,{17136.522843944 })              = 0 (0x0)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
clock_gettime(4,{17136.523219132 })              = 0 (0x0)
poll({3/POLLIN 8/POLLIN 7/POLLIN 11/POLLIN 13/POLLIN},5,295) = 0 (0x0)

.......
.......

clock_gettime(4,{17146.524552821 })              = 0 (0x0)
clock_gettime(4,{17146.524857608 })              = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/config/",{ mode=drwxr-xr-x ,inode=23566,size=2560,blksize=16384 }) = 0 (0x0)
access("/etc/kde4rc",4)                          ERR#2 'No such file or directory'
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x2e11c4e4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdbe0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",2) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave",2) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x2e11c4e4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfda30) ERR#2 'No such file or directory'
poll({7/POLLIN|POLLOUT},1,-1)                    = 1 (0x1)
writev(0x7,0xbfbfd980,0x3,0x2ab8027c,0x1,0xbfbfd894) = 24 (0x18)
poll({7/POLLIN},1,-1)                            = 1 (0x1)
read(7,"\^A Np\^A\0\0\0\^]\^A\0\0\^D\0\0"...,4096) = 36 (0x24)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
poll({7/POLLIN|POLLOUT},1,-1)                    = 1 (0x1)
writev(0x7,0xbfbfd980,0x3,0x2ab8027c,0x1,0xbfbfd894) = 24 (0x18)
poll({7/POLLIN},1,-1)                            = 1 (0x1)
read(7,"\^A\0Op\0\0\0\0\0\0\0\0\0\0\0\0"...,4096) = 32 (0x20)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
stat("/usr",{ mode=drwxr-xr-x ,inode=2,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home",{ mode=drwxr-xr-x ,inode=23552,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek",{ mode=drwxr-xr-x ,inode=23553,size=2048,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4",{ mode=drwxr-xr-x ,inode=23564,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share",{ mode=drwxr-xr-x ,inode=23565,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps",{ mode=drwxr-xr-x ,inode=23645,size=1024,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror",{ mode=drwx------ ,inode=94250,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock",0xbfbfdc84) ERR#2 'No such file or directory'
stat("/tmp/kde-damek/",{ mode=drwx------ ,inode=48143,size=512,blksize=16384 }) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
fchmod(0xa,0x1a4,0x31a54700,0x294f047a,0x31a0a800,0xbfbfd9a8) = 0 (0x0)
__sysctl(0xbfbfd9ac,0x2,0xbfbfda24,0xbfbfd9c4,0x0,0x0) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
fstat(10,{ mode=-rw-r--r-- ,inode=141584,size=0,blksize=16384 }) = 0 (0x0)
write(10,"97569\n",6)                            = 6 (0x6)
write(10,"konqueror\n",10)                       = 10 (0xa)
write(10,"foo.my.domain\n",15)                  = 15 (0xf)
link("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569","/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock") = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569",{ mode=-rw-r--r-- ,inode=141584,size=31,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock",{ mode=-rw-r--r-- ,inode=141584,size=31,blksize=16384 }) = 0 (0x0)
lseek(10,0x0,SEEK_SET)                           = 0 (0x0)
close(10)                                        = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfd980) ERR#2 'No such file or directory'
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdb70) ERR#2 'No such file or directory'
lstat("/usr",{ mode=drwxr-xr-x ,inode=2,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home",{ mode=drwxr-xr-x ,inode=23552,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek",{ mode=drwxr-xr-x ,inode=23553,size=2048,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4",{ mode=drwxr-xr-x ,inode=23564,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share",{ mode=drwxr-xr-x ,inode=23565,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps",{ mode=drwxr-xr-x ,inode=23645,size=1024,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror",{ mode=drwx------ ,inode=94250,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfcb48) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",2) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave",2) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53x97569.new",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba55a4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdaf0) ERR#2 'No such file or directory'
fchmod(0xa,0x1a4,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48)
I just thought it was interesting: most users assume that because they are not using a "Win" system they are immune, but unless I am wrong this code seems to target web browsers in general (although I believe KDE can also be run on Windows). Any thoughts? Has anyone else had experience with this? Regards