September 9, 2010

The Ultimate BlackHat Tool Kit hosted by Google Code

Elad Sharf Security Researcher

Last week, the media picked up that the Google Code project Web site is being used to host malicious files. I decided to have a look at what kinds of malicious Web-based code Threatseeker has detected on the site. One interesting example came up: one of the pages hosted on Google Code was a PHP-based Web console. You might ask, what's a Web console? It's a Web tool that enables its user to control remote shells - it's like telling a remote-controlled host what to do via the Web. The one we've got is certainly one used by the baddies and is known by the name "r57shell". (I just want to be clear that remote PHP shells can be used by black-hats and also by penetration testers. This variant was developed by the black-hat community and is also known to be backdoored, which means that some versions are planted with backdoor code, so users of this software are themselves exposed to attack.)
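From the defender's side, the question a Web console like this raises is how to spot one sitting in a repository or on a Web root before it is used. The following is an added example, not code from the original post or from the project hosted on Google Code: a small Python triage script that scans PHP source for the kinds of indicators PHP shells tend to share (a known shell name in the text, `eval()` over a decoded payload, a command-execution function combined with input read from a request superglobal). The indicator list, the scoring rules and the four sample PHP files are all constructed for this example and are assumptions, not a published signature set; treat it as a first-pass heuristic that flags files for human review, not as proof of compromise.

```python
import re

# Heuristic indicators seen in many PHP web shells (constructed list; an
# assumption for this example, not a signature database). Each entry is
# (indicator name, compiled regex).
INDICATORS = [
    ("known-shell-name",
     re.compile(r"\br57(shell)?\b|\bc99shell\b", re.IGNORECASE)),
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
                re.IGNORECASE)),
    ("command-exec-function",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
                re.IGNORECASE)),
    ("request-superglobal-read",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("dynamic-function-call",  # $name(...) : variable function call
     re.compile(r"\$[A-Za-z_]\w*\s*\(")),
]


def scan_php_source(src: str) -> list[str]:
    """Return the sorted names of all indicators that fire on one PHP source."""
    return sorted(name for name, rx in INDICATORS if rx.search(src))


def classify(hits: list[str]) -> str:
    """Map a set of indicator hits to a verdict.

    A known shell name or eval() over a decoded blob is strong on its own;
    a command-execution function fed from request input is strong in
    combination; any other single hit only earns a 'review'.
    """
    hits = set(hits)
    if "known-shell-name" in hits or "eval-of-decoded-payload" in hits:
        return "likely-webshell"
    if "command-exec-function" in hits and "request-superglobal-read" in hits:
        return "likely-webshell"
    if hits:
        return "review"
    return "clean"


def triage(files: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Scan a mapping of path -> PHP source and return path -> (verdict, hits)."""
    out = {}
    for path, src in files.items():
        hits = scan_php_source(src)
        out[path] = (classify(hits), hits)
    return out


# Constructed sample files standing in for a checked-out repository.
SAMPLES = {
    # benign: no user input, no command execution
    "index.php": """<?php
// constructed benign sample: prints a title from a config file
$cfg = parse_ini_file('app.ini');
echo htmlspecialchars($cfg['title']);
""",
    # reads request input but runs nothing: worth a look, not a shell
    "signup.php": """<?php
// constructed sample: ordinary form handler
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email) { mail('admin@example.com', 'signup', $email); }
""",
    # the web-console pattern: request parameter handed to a command runner
    "webshell.php": """<?php
// constructed sample modelled on the web-console pattern; not real shell code
$cmd = $_REQUEST['cmd'];
echo "<pre>" . shell_exec($cmd) . "</pre>";
""",
    # packed/obfuscated variant: the visible file is just a decoder around eval()
    "packed.php": """<?php
// constructed sample: eval() over a decoded blob ('Zm9v' is just 'foo')
eval(gzinflate(base64_decode('Zm9v')));
""",
}

if __name__ == "__main__":
    for path, (verdict, hits) in triage(SAMPLES).items():
        print(f"{path:14s} {verdict:16s} {', '.join(hits) or '-'}")
```

Run it and the four sample files come back as clean, review, likely-webshell and likely-webshell respectively. The 'review' tier matters in practice: reading `$_POST` is normal for any form handler, so the script only escalates when input reaches a command-execution function or when it sees an `eval()` wrapped around a decoder, which is how packed and backdoored shell variants usually ship.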


Here are some screen-shots of the Web console code and the various options it offers.

This code is located at: http://[removed].googlecode.com/svn/[removed]/webshells/r57shell.php: 



When browsing the project's SVN, a whole set of penetration-testing and black-hat tools is revealed, some of which are also Trojan files:


It looks like the person that initiated this project tried to stay anonymous, as every link to the author's Web site was inactive. However, looking at the Wiki page of the project revealed some interesting information:


The repository also contains a text file with a list of 50,000+ compromised MySpace accounts; below is a screenshot of a small part of it. However, this list hosted by Google isn't new: it has been circulating in the underground black-hat community since around 2007 and was initially sold for a price, until it surfaced and was revealed by the white-hat community:


One of the staggering facts is that this project has been hosted on Google Code since 2007 (last updated in February 2010):


In conclusion, we saw that the Google Code Web site isn't just used to host malicious files, but is also used to host malicious Web content and tools. Abusing Google's services isn't new: with so many services offered as a platform, it follows that attackers will naturally use and abuse them, but it certainly looks like it doesn't have to be through the back door. Coming through the front one can also be an easy option.
