X-Labs
Mai 3, 2012

Widespread malware abuses unsecured Geolocation Service of Adult Website

Forcepoint

While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URLpromos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However,  Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this:

 

The self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™). This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL results in JavaScript code to print the geolocation of the visitor: 

 

So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed:

 

In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload there are several HTTP cookies sent in the response header specifying the country, state, city, latitude and longitude. Our analysis systems identified other likely C&C connections in the outbound connections of the malware samples in question. Interestingly, these connections try to hide the malicious HTTP using a forged user-agent string:

 

Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.

 

As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.

Forcepoint

Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

Über Forcepoint

Forcepoint ist einer der weltweit führenden Anbieter von Cyber-Sicherheit im Bereich Anwender- und Datensicherheit und hat es sich zur Aufgabe gemacht, Organisationen zu schützen und gleichzeitig die digitale Transformation und das Wachstum voranzutreiben. Unsere Lösungen passen sich in Echtzeit an das Nutzerverhalten an und ermöglichen Mitarbeitern einen sicheren Datenzugriff bei voller Produktivität.