CA Security Advisor Research Blog


The Anatomy and Deception of a Malicious URL

In this article I promise deception and technological trickery, and I hope to impart a bit of knowledge and insight along the way, all through what I hope will be an interesting read for you.

I was browsing through a long list of malicious URLs and came across one that caught my eye: hxxp://www.yahoo550.com/...../logo.jpg?queryid=77092.  Your first question might be: what is a URL?  Most of you know it by another name; simply put, it is a text string that represents a website and its path or components.  URL stands for uniform resource locator.  Your second question might be: why did it catch my eye?  Well, let's take a closer look at the anatomy of a URL.  Trust me, the really interesting parts are coming soon.

Take the website http://www.ca.com/.  The "www" is a conventional host name indicating that the website is on the World Wide Web; it is optional when typing the address into your web browser.  The "ca" section is what is referred to as the domain name.  It often (but not always) indicates the name of something (e.g. McDonalds.com or Microsoft.com).  It could also be something random, like 66123.net (which is actually registered).  The ".com" portion is what is called the suffix (the top-level domain).  This usually represents the type of organization that is operating the network.  For example, ".edu" is reserved for educational entities, ".gov" for government sectors and ".org" for non-profit organizations.  There are many others, but I think you get the point.  Anything that trails the suffix (e.g. ".com", ".gov") is what is called the pathname or directory, and this pathname (with special characters) can lead to static documents (web pages) or dynamically available content such as user-requested values passed to and from a database.  More on that later.  For instance, the URL http://www.ca.com/us/securityadvisor/ tells us that the domain belongs to CA, the "/us/" tells us that this web page is for those customers who chose US-English as their viewing site, and finally /securityadvisor/ is the directory the user navigated to.  All of this makes up the full path or URL.

So what makes this URL deceptive?

Whew, now that that boring stuff is out of the way I can tell you more about the URL that I discovered.  At first glance the domain portion of the URL (yahoo550) looks very similar to the popular website and user community Yahoo!.  One might assume that this is one of Yahoo!'s thousands of webpages.  Did you know that Google owns 520 different domains?  That is right, so why wouldn't you think that Yahoo! owns yahoo550.com?  But they don't.  In fact someone by the name of Bill Adward owns it.  More on him later. 

The yahoo550.com URL seems innocuous enough; in fact it looks very similar to Yahoo!'s Yahoo360 social networking website (similar to Facebook and MySpace).  The main difference is that when visiting the Yahoo360 site the URL actually reads http://360.yahoo.com/.  That is because the "360" portion of the URL is the hostname of the server in that domain.  Similarly, if you went to http://travel.yahoo.com/, yahoo is the domain and travel is the hostname for the site that houses all of Yahoo!'s travel information.  So you can see where one might think that yahoo550.com is part of the larger yahoo domain infrastructure.  But as stated, yahoo550.com is not owned and operated by Yahoo!.  This is a clear effort to deceive the public by obfuscating the URL.  Furthermore, when you visit the yahoo550.com website your computer is infected with malicious software.

So why obfuscate a URL?

Internet con artists, a.k.a. criminals, obfuscate websites or URLs to trick users into visiting them, by making people think they are clicking on an innocent or familiar link, for example one embedded in an email or web page.  This tactic is also used in phishing.  So what is the benefit of tricking people?  The main reason is money.  There is a flourishing criminal enterprise running on (or underneath) the Internet.  Often, when unsuspecting people click on what seems like an innocent URL, their computer is infected with malware (malicious software).  This software could take complete control of your computer, turning it into a bot or using it to display revenue-generating adware.  A bot is one of an army of infected computers, controlled by others, called a botnet.  For more information on botnets you can read the following: http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx.  The worst-case scenario is when the installed software is used to steal personal information, such as credit card or social security numbers.  I am sure you have heard about the horrors of identity theft.

There are many ways to disguise a URL.  You can do it through typosquatting, which is changing a letter or two in the domain name, or simply through confusion by similarity: inserting an extra character like an "i" or an "l", or switching a "1" for an "l" or a "0" for an "O".  It is hard to tell the difference when they are all combined in a string of characters.  As promised before, I will talk more about the pathname and how, in my example, it was used to deceive Internet users.

When describing the full pathname (e.g. /us/securityadvisor/ or /..../logo.jpg?queryid=77092), some characters in this portion of the URL are special and have a different meaning than regular plain-text characters.  What do I mean by that?  Well, characters such as "&", "?" and "=" all have special meanings or functions in the URL string.  The pathname can contain a query string.  This is signalled by the presence of a "?" in the URL.  What follows the "?" is interpreted by a backend program intended to handle the user's request or query.  Sorry for the techno babble, but here is what I mean.  If you went to espn.com and browsed their gallery of sports images, you would see a URL that looks something like this: http://sports.espn.go.com/espn/apphoto/photo?photoId=1880786&sportId=90.  Let's cut the URL down to the interesting part: photo?photoId=1880786&sportId=90.  The first "photo" is an application that reads the string of text following the "?".  The "photoId=" tells the "photo" application which file (or photo) to return to the user.  The numerical string "1880786" is the filename or value ID, and "&sportId=90" is the identifier for pictures in the ESPN database that are hockey related.  Pictures that fall under the NFL would be "sportId=28".  These are nothing more than groupings.
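As an added illustration (not code from the original post), the following Python splits a URL into the parts walked through above, flags a host whose registrable domain is not the imitated brand's own (so 360.yahoo.com passes while yahoo550.com does not), and generalises the 1/l and 0/O substitutions into a normalisation step that also catches one-character typos; the TRUSTED brand list and the CONFUSABLES map are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed brand list (not from the post): names attackers borrow and
# the registrable domains that legitimately host each brand.
TRUSTED = {"yahoo": {"yahoo.com"}, "microsoft": {"microsoft.com"}}
# Substitutions the post mentions as hard to spot in a long string.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})

def registrable_domain(host):
    # Naive: last two labels. Real code should use the Public Suffix
    # List, or hosts such as example.co.uk are split wrongly.
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, to catch one-character typo-squats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    # Brand the host imitates, or None when it is the brand's own domain
    # or unrelated: 360.yahoo.com sits under yahoo.com, yahoo550.com
    # is a different registrable domain that merely contains "yahoo".
    rd = registrable_domain(host)
    label = rd.split(".")[0].translate(CONFUSABLES)  # yah00 -> yahoo
    for brand, legit in TRUSTED.items():
        if rd in legit:
            return None
        if brand in label or edit_distance(brand, label) <= 1:
            return brand
    return None

def dissect(url):
    # Scheme, host, registrable domain, path, query and the lookalike
    # verdict; urlsplit also accepts defanged hxxp:// strings.
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "scheme": parts.scheme,
        "host": host,
        "registrable_domain": registrable_domain(host),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "lookalike_of": lookalike_brand(host),
    }
```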

Okay, so where am I going with all of this?  I will tell you.  Let's go back to our original URL: hxxp://www.yahoo550.com/..../logo.jpg?queryid=77092.  When I first came across this, I assumed that going to this website would show me a logo (file type .jpg) with the filename or value 77092.  So I imagined that if I were on a website with hundreds of thumbnail pictures or logos and I selected one to view, the site would transform my request into a query "?queryid=77092" and present me with that logo.  Well, that is not what you get when you visit this malicious URL.  Now just imagine that you receive an email like the one below.  If the topic interested you, you might just assume that the URL in the email was going to lead you to a website belonging to Yahoo!.

Figure 1

Interestingly enough, no matter what number trails at the end of the query (e.g. 77092), you get the same piece of malware.  I inserted various numbers, 4, 554, and 77458, and each time I received the same malicious code.

Here is an example of a website that you would more clearly be able to identify as potentially malicious: hxxp://216.12.204.2/..../scfl.exe.  You can tell because the file trailing the pathname is an .exe, which does not in and of itself mean that it is malicious, but you would want to be sure that you trust the site and the executable you are downloading and installing before clicking the link.  The main difference between our yahoo550.com example and this one is that with the yahoo550 site, just visiting it can infect your computer with malware.  This is also known as a drive-by download.

So what is behind this URL?

Here is where the interesting parts occur.  The results differ depending on which Internet browser is used to visit the site (for the record, I do not recommend doing so).  If you use Firefox, your browser renders a little image in the top left-hand corner that, when resolved, just displays the website.  See figure 2 below.

Figure 2 

The above page looks innocent enough; however, if you view the source for the page, you will see that it is actually a binary executable file packed with UPX.  UPX is a compression tool that also serves as obfuscation, and it is popular among malware authors.  See figure 3 below.

Figure 3

Originally, when I visited the site with the Microsoft Internet Explorer browser, I received a popup window informing me that the file was being downloaded to my temporary directory.  The binary was disguised as a large empty image, displayed in the Windows Picture and Fax Viewer, when in fact it is an executable file.  See figure 4 below.
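As an added defensive check (not code from the original post), the following Python identifies a downloaded file by its leading bytes rather than by the name or Content-Type the server supplies, so a "logo.jpg" that is really a UPX-packed Windows executable is caught; the minimal MZ/PE header it builds for testing is a constructed sample, not a real program.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".gif", ".png")
# Strings UPX leaves in a packed PE (its section names and signature).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def classify(blob):
    # 'jpeg', 'pe', 'pe-upx' or 'unknown', judged from the bytes alone,
    # never from the file name or Content-Type the server claims.
    if blob.startswith(JPEG_MAGIC):
        return "jpeg"
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return "unknown"
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\x00\x00":
        return "unknown"
    return "pe-upx" if any(m in blob for m in UPX_MARKERS) else "pe"

def masquerade_alert(url, content_type, blob):
    # Flag a response that promises an image (by URL suffix or Content-Type)
    # but whose body is a Windows executable, like logo.jpg in the post.
    path = url.lower().split("?", 1)[0]
    claims_image = path.endswith(IMAGE_SUFFIXES) or content_type.startswith("image/")
    kind = classify(blob)
    if claims_image and kind.startswith("pe"):
        return "%s: served as image, body is a %s executable" % (url, kind)
    return None

def fake_pe(packed=False):
    # Constructed sample: a minimal MZ/PE header that is not a runnable
    # program, just enough for classify() to recognise.
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\x00\x00" + b"\0" * 20
    if packed:
        hdr += b"UPX0" + b"\0" * 4 + b"UPX1"
    return bytes(hdr)
```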

Figure 4

Now, upon returning to the site, instead of the aforementioned popup, the binary code is simply spewed across the browser screen as if it were text.

Just by visiting this website your system has now been infected with a trojan and backdoor, which seems to have some functionality issues.  This particular malware has been given many names by the security community, such as Win32/Farfli.G, Trojan,DR.HMir.Gen2, Sus/Behav-194 and others.

So, just who is this site registered to?  Who is responsible for this?  According to Whois.net, the site was registered to Bill Adward in California.  This site was registered recently, in October of 2007, and only for one year.  The short-term lease of a domain name can be indicative of registering it for malicious or criminal intent.  I am fairly confident that all the information supplied is false as well, and that the site was probably procured with a credit card stolen in previous criminal activity.  While the registration information for the yahoo550 site is domestic to the US, a website (6781.com) is inserted into the web browser's favorites, and that domain is registered in Beijing, China.  From what I was able to observe, no malware was dropped from this 6781.com site.

The moral of this story is that you have to be really careful about clicking on URLs that are sent to you, even by people you know, and that you do not accidentally mistype an important URL such as your bank's or other financial institution's website.  There are a lot of unscrupulous people lurking on the Internet looking for victims to prey on.  People will often register websites for malicious or criminal purposes that are very similar to the popular or intended website.  While this particular piece of malware did not really seem to cause any severe damage or pose immediate danger to the system, the fact remains that there is malware in existence that can be very dangerous, and the vector used by yahoo550.com is common and should be taken seriously.


Comments

Manuel Sauceda said:

This is the first time that I read your blog, very interesting and a lot of good information.

Would eTrust Threat Management prevent people from getting infected?

April 7, 2008 1:08 PM

Mark Wade said:

Manuel,

Thanks for your comments.  The eTrust Threat Management (Anti-Virus - Anti-Spyware) applications would protect the end user if the malicious binary or malicious application was already obtained and analyzed by the CA Research Team.  CA does an excellent job of finding and collecting new malware for analysis.

Thanks for your comment.

Mark

April 8, 2008 3:18 PM

douglas dale dixon said:

I, like many, have been caught in the SpywareBot / your post of SpywareStop caught my attention.  I now use CA and realized that these two sites look identical.  In fact when I had contacted SpywareBot the reply came from SpywareStop.

I have removed from my system.

But have a problem with a given file (probably one they have put on the system).

The file is C:\windows\system32\drivers\core.cache.dsk that seems to reload each time the system is rebooted.  They had requested that I run a tracking file hyjack.zip and it created a hyjack log file that was sent to them.  (I KNOW, BAD IDEA!!!!  Damage DONE.)

So,  when I try to delete the core.cache.dsk file it will not allow it since it is in use.

Any Help or Idea how to correct my GOOFUP???

thanks

douglas dale dixon

April 19, 2008 7:31 AM


About Mark Wade

Mark Wade is a Manager of Research Content with CA's Threat Research Team. As a 10-year veteran in information security, Mark has worked in Vulnerability and Malware Research with CA, was the Deputy Director of Operations with NETSEC, and conducted penetration testing and incident response with Para-Protect and UUNET. Mark is a Certified Forensics Analyst.