DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th May 2011
nilsgecko's Avatar
nilsgecko nilsgecko is offline
Port Guard
 
Join Date: Apr 2011
Location: Chicago, USA
Posts: 45
Thanked 0 Times in 0 Posts
Default Google Image Search poisoned Results

Hi Forum,

I read about the google image poisoning attacks redirecting users to fake antivirus sites.

http://isc.sans.edu/diary/More+on+Go...oisoning/10822

Because I was curious, I performed a wget on a malicious page I chance-landed on, and rudimentarily inspected the php code. The page I landed on had a popup with warnings about my "Windows" system being infected and needing a scan etc even though I was running FF with Noscript on PC-BSD.

Now I don't really program but can generally get an idea for what a program is doing somewhat. Curiously, while inspecting the script, I found that the script also targets Konqueror, the KDE Browser.

Long story short, I traced the Konqueror process running the php script with the truss command on PC-BSD and am attaching snippets of what the output was below. Unless I am wrong, it looks like the script is scanning the .kde directories and trying to write to it using library functions like fchmod and stat etc. Perhaps someone can elaborate on what exactly the portions of the trace on the script are looking to do? As an aside, I took the machine offline before I started the trace.

Code:
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba5664) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdaf0) ERR#2 'No such file or directory'
fchmod(0xa,0x1a4,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new",O_RDWR|O_CREAT,0666) = 12 (0xc)
fcntl(12,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
lseek(10,0x0,SEEK_SET)                           = 0 (0x0)
close(10)                                        = 0 (0x0)
fchmod(0xc,0x180,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48) = 0 (0x0)
fstat(12,{ mode=-rw------- ,inode=147734,size=0,blksize=16384 }) = 0 (0x0)
write(12,"[General]\nNumber of Windows=1\n"...,16272) = 16272 (0x3f90)
write(12,"file:///home/damek/MAL/index2.ph"...,6607) = 6607 (0x19cf)
fstat(12,{ mode=-rw------- ,inode=147734,size=22879,blksize=16384 }) = 0 (0x0)
close(12)                                        = 0 (0x0)
rename("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53t97569.new","/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53") = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/owned_by_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/owned_by_1.53",0xbfbfdd50) ERR#2 'No such file or directory'
clock_gettime(4,{17136.522843944 })              = 0 (0x0)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
clock_gettime(4,{17136.523219132 })              = 0 (0x0)
poll({3/POLLIN 8/POLLIN 7/POLLIN 11/POLLIN 13/POLLIN},5,295) = 0 (0x0)

.......
.......

clock_gettime(4,{17146.524552821 })              = 0 (0x0)
clock_gettime(4,{17146.524857608 })              = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/config/",{ mode=drwxr-xr-x ,inode=23566,size=2560,blksize=16384 }) = 0 (0x0)
access("/etc/kde4rc",4)                          ERR#2 'No such file or directory'
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x2e11c4e4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdbe0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",2) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave",2) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x2e11c4e4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfda30) ERR#2 'No such file or directory'
poll({7/POLLIN|POLLOUT},1,-1)                    = 1 (0x1)
writev(0x7,0xbfbfd980,0x3,0x2ab8027c,0x1,0xbfbfd894) = 24 (0x18)
poll({7/POLLIN},1,-1)                            = 1 (0x1)
read(7,"\^A Np\^A\0\0\0\^]\^A\0\0\^D\0\0"...,4096) = 36 (0x24)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
poll({7/POLLIN|POLLOUT},1,-1)                    = 1 (0x1)
writev(0x7,0xbfbfd980,0x3,0x2ab8027c,0x1,0xbfbfd894) = 24 (0x18)
poll({7/POLLIN},1,-1)                            = 1 (0x1)
read(7,"\^A\0Op\0\0\0\0\0\0\0\0\0\0\0\0"...,4096) = 32 (0x20)
read(7,0x2ae7d018,4096)                          ERR#35 'Resource temporarily unavailable'
stat("/usr",{ mode=drwxr-xr-x ,inode=2,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home",{ mode=drwxr-xr-x ,inode=23552,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek",{ mode=drwxr-xr-x ,inode=23553,size=2048,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4",{ mode=drwxr-xr-x ,inode=23564,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share",{ mode=drwxr-xr-x ,inode=23565,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps",{ mode=drwxr-xr-x ,inode=23645,size=1024,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror",{ mode=drwx------ ,inode=94250,size=512,blksize=16384 }) = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock",0xbfbfdc84) ERR#2 'No such file or directory'
stat("/tmp/kde-damek/",{ mode=drwx------ ,inode=48143,size=512,blksize=16384 }) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
fchmod(0xa,0x1a4,0x31a54700,0x294f047a,0x31a0a800,0xbfbfd9a8) = 0 (0x0)
__sysctl(0xbfbfd9ac,0x2,0xbfbfda24,0xbfbfd9c4,0x0,0x0) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
fstat(10,{ mode=-rw-r--r-- ,inode=141584,size=0,blksize=16384 }) = 0 (0x0)
write(10,"97569\n",6)                            = 6 (0x6)
write(10,"konqueror\n",10)                       = 10 (0xa)
write(10,"foo.my.domain\n",15)                  = 15 (0xf)
link("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569","/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock") = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569",{ mode=-rw-r--r-- ,inode=141584,size=31,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock",{ mode=-rw-r--r-- ,inode=141584,size=31,blksize=16384 }) = 0 (0x0)
lseek(10,0x0,SEEK_SET)                           = 0 (0x0)
close(10)                                        = 0 (0x0)
unlink("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53.lock.N97569") = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfd980) ERR#2 'No such file or directory'
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba4ca4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdb70) ERR#2 'No such file or directory'
lstat("/usr",{ mode=drwxr-xr-x ,inode=2,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home",{ mode=drwxr-xr-x ,inode=23552,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek",{ mode=drwxr-xr-x ,inode=23553,size=2048,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4",{ mode=drwxr-xr-x ,inode=23564,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share",{ mode=drwxr-xr-x ,inode=23565,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps",{ mode=drwxr-xr-x ,inode=23645,size=1024,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror",{ mode=drwx------ ,inode=94250,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfcb48) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",2) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0) ERR#2 'No such file or directory'
access("/usr/home/damek/.kde4/share/apps/konqueror/autosave",2) = 0 (0x0)
getpid()                                         = 97569 (0x17d21)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave",{ mode=drwx------ ,inode=141572,size=512,blksize=16384 }) = 0 (0x0)
open("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53x97569.new",O_RDWR|O_CREAT|O_EXCL,0600) = 10 (0xa)
fcntl(10,F_SETFD,FD_CLOEXEC)                     = 0 (0x0)
stat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0x31ba55a4) ERR#2 'No such file or directory'
lstat("/usr/home/damek/.kde4/share/apps/konqueror/autosave/_1.53",0xbfbfdaf0) ERR#2 'No such file or directory'
fchmod(0xa,0x1a4,0xffffffff,0x2913dce3,0xbfbfdc18,0xbfbfdc48)
I just thought it was interesting that most users think because they are not using a "Win" system, they are therefore immune but unless I am wrong, this code seems to target web browsers in general although I believe KDE can also be run on Windows systems. Any thoughts? Anyone else have experience with this? Regards
Reply With Quote
Reply

Tags
malware, web vulnerabilities

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
STORAGE: benchmarks results (diskinfo) vermaden FreeBSD General 53 28th November 2010 06:06 PM
Google's encrypted search casts shadow on web analytics J65nko News 6 26th May 2010 09:35 PM
Encrypted Google Search Coming to a Browser near You Android1 News 2 24th May 2010 04:47 PM
Incorrect df results (not -h, not a FAQ) nathang FreeBSD General 5 8th June 2008 06:44 AM


All times are GMT. The time now is 07:06 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick