Google Redirect
SloanTreeFarm.com
May, 2007


Discovered by a member at wilderssecurity.com
Noticed that one of my firewall rules was activated for the first time today...
The IP in question: 85.255.115.221.
________________________________________________________________
The Google redirect works in both IE and Opera.

The exploit targets several IE vulnerabilities, using JavaScript to launch the files.

This part of the exploit does not work in Opera.

The site in question is Sloan Tree Farms. Clicking on the link redirects to a malicious web site:

image
___________________________________________________________

The wilderssecurity.com member made this Proxomitron capture,
showing the Referer header from Google
and the redirect (302 response) from the Sloan site (Server= Apache/1.3.37):

image
___________________________________________________________

By disabling automatic redirects, I can force the 302 page to display.
Hovering the mouse over the hyperlink reveals the redirect URL.
The spoof uses a destination URL appended to the Sloan link:

image
___________________________________________________________

NOTE: I have contacted Sloan Tree Farm and they have identified the vulnerability
and have fixed their site so that the referrer/redirect no longer works.

However, the direct link above is still in operation.
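The fix the Sloan site applied amounts to refusing redirect targets that leave the site. As an added example, not code from the page or from the Sloan site, here is such a check in Python, plus a helper that classifies a captured 302 by its Location header; the site hostname is an assumed placeholder.

```python
from urllib.parse import urlsplit, urljoin

# Assumed hostname of the redirecting site (placeholder, not taken from the page).
SITE_HOST = "www.sloantreefarm.com"


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only when the redirect target stays on site_host over http(s).

    Absolute URLs to other hosts, scheme-relative '//host' forms, backslash
    variants browsers treat as slashes, userinfo tricks ('site@evil') and
    non-http schemes such as javascript: are all rejected.
    """
    if not target:
        return False
    target = target.replace("\\", "/")          # browsers treat '\' as '/'
    if target.startswith("//"):                 # scheme-relative: external host
        return False
    # Resolve relative paths against the site so '/page.html' stays internal.
    parts = urlsplit(urljoin(f"http://{site_host}/", target))
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname lowercases and strips port and userinfo, so 'site@evil' -> 'evil'.
    return parts.hostname == site_host


def classify_302(response_headers: dict, site_host: str = SITE_HOST) -> str:
    """Classify a captured 302 as 'internal', 'external' or 'none' (no Location)."""
    location = response_headers.get("Location")
    if location is None:
        return "none"
    return "internal" if is_safe_redirect(location, site_host) else "external"


# Constructed sample modelled on the capture described above: a Google referral
# answered by a 302 whose Location points at the malicious host.
SAMPLE_302 = {
    "Server": "Apache/1.3.37",
    "Location": "http://6950172115.hbison.com/sp/fpa/",
}

if __name__ == "__main__":
    print(classify_302(SAMPLE_302))      # external: would be refused after the fix
    print(classify_302({"Location": "/catalog/"}))  # internal: allowed
```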

Analysis

Several HTML pages are cached:

image
__________________________________________________________

The Index.html page calls out to a different web server
to download the nasty WinAntiVirus web site:

image
__________________________________________________________

This is the source of the WinAntiVirus page:
http://6950172115.hbison.com/sp/fpa/
WhoIs Query on hbison.com:
Initiating server query ...
Looking up IP address for domain: hbison.com
The IP address for the domain is: 69.50.184.59
Other information: hbison is a notorious originator of spyware;
the domain is registered to someone in Finland.
Administrative
Henry Bison
Kauppakatu
Suomussalmi, -- 89600
Finland -- FI
email: domains@hbison.com
your-searcher.com

[CWSTrojan]:69.50.184.50-69.50.184.50
esthost.com[CWSTrojans]:69.50.179.217-69.50.179.217
nns1.hbison.com:69.50.184.50-69.50.184.50
nns2.hbison.com:69.50.184.51-69.50.184.51

User Review Summary for hbison.com
Rating: Adware, spyware, or viruses

image
__________________________________________________________

image
__________________________________________________________

As soon as the WinAntiVirus page loads, the first downloader immediately attempts to cache
and is blocked:

image

image
__________________________________________________________

Scan of cnte-oiduuyes.gif

image
___________________________________________________________

This exploit uses an evasive technique whereby the malicious site somehow tracks the visitor's IP address and declines a return visit from the same address. I had to disconnect and reconnect (to obtain a new address) in order to run the exploit a second time.

I noticed that a different series of random characters was appended to the cached URLs each time. The last file in the list is the URL that downloads the spoofed *.gif executable file:

image
_____________________________________________________________________

image
_____________________________________

In this case, trying to run this URL again returns an error page that the file cannot be located:

image
_____________________________________________________________________

Finjan's 2nd Quarterly Report discusses some of these evasive measures:


Finjan Report