
SANS ISC: When Rogue On-Line Pharmacies Take Over Forum Discussions - Internet Security | DShield SANS ISC InfoSec Forums


When Rogue On-Line Pharmacies Take Over Forum Discussions

Rogue on-line pharmacy sites, claiming to sell legitimate medicine to naive shoppers, continue to be a problem. This quick note is about one approach used to insert advertisements into forum discussions that completely cover up the legitimate discussion page.

My first look at this approach began with an ISC reader J. notifying us of an apparent defacement of a particular discussion thread on social.technet.microsoft.com:

The advertisement is for medical.deal-info.info (please don't go there).

The offending HTML code seems to have been added to the discussion thread as a forum posting. Here's the relevant HTML source code excerpt that sets the stage for the advertisement:

<div class="container"><div class="body"><div style="border:medium none;background:white none repeat scroll 0% 50%;position:fixed;left:0pt;top:0pt;text-decoration:none;width:1700px;height:7600px;z-index:2147483647">

The <div class="body"> tag is part of the original website's code and is supposed to be followed by the user's forum posting, such as "I have a question about CAS servers..." Instead, we see HTML code creating a white DIV region that is pinned to the top left corner of the browser's window and is 1700x7600 pixels in size, large enough to cover the forum's legitimate content. The "z-index" property is set to 2147483647, which is the largest possible value for many browsers; this makes sure that the offending region is drawn on top of every other element on the page.

As a result, the whole website looks defaced. In reality, the discussion page's content is still in place; it was just covered up by the advertisement.

I'm unclear why the forum software did not filter out the HTML tags when they were submitted for posting; this may be attributed to an input-scrubbing bug.
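One way a forum operator can catch this pattern before a post goes live is to scan submitted HTML for inline styles that combine fixed or absolute positioning with an extreme z-index and viewport-sized dimensions, and hold such posts for moderation. The following is an added example written for this diary, not code from ISC or from any forum product; the thresholds (MAX_SANE_Z_INDEX, MIN_OVERLAY_PX) are assumptions chosen to flag the overlays shown above while leaving ordinary inline styling alone, and the sample posts are constructed from the excerpts in this diary.

```python
"""Flag full-page overlay DIVs in user-submitted forum HTML (added example)."""
import re
from html.parser import HTMLParser

# Assumed thresholds: no legitimate post needs a z-index in the thousands or a
# positioned box wider and taller than a typical screen.
MAX_SANE_Z_INDEX = 1000
MIN_OVERLAY_PX = 1000


def parse_style(style):
    """Split 'prop: value; prop: value' into a dict of lowercase names/values."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, _, value = decl.partition(":")
            props[name.strip().lower()] = value.strip().lower()
    return props


def _px(value):
    """Return a pixel length as float, or None if the value is not in px."""
    m = re.match(r"^\s*(\d+(?:\.\d+)?)\s*px\s*$", value or "")
    return float(m.group(1)) if m else None


def overlay_reasons(props):
    """Collect the indicators that make a style block look like an overlay."""
    reasons = []
    if props.get("position") in ("fixed", "absolute"):
        reasons.append("position:" + props["position"])
    try:
        z = int(props.get("z-index", "0"))
    except ValueError:
        z = 0
    if z > MAX_SANE_Z_INDEX:
        reasons.append(f"z-index:{z}")
    w, h = _px(props.get("width")), _px(props.get("height"))
    if w and h and w >= MIN_OVERLAY_PX and h >= MIN_OVERLAY_PX:
        reasons.append(f"size:{int(w)}x{int(h)}")
    return reasons


class OverlayScanner(HTMLParser):
    """Walks the start tags of a post and records suspicious styled elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        if not style:
            return
        reasons = overlay_reasons(parse_style(style))
        # Positioning alone is common; require it plus another indicator.
        if any(r.startswith("position:") for r in reasons) and len(reasons) >= 2:
            self.findings.append((tag, reasons))


def find_overlays(html):
    """Return a list of (tag, reasons) for every overlay-like element."""
    scanner = OverlayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def should_hold_post(html):
    """Moderation decision: hold the post if any overlay element is present."""
    return bool(find_overlays(html))


# Constructed sample posts, modelled on the excerpts in the diary.
POST_TECHNET = (
    '<div class="container"><div class="body">'
    '<div style="border:medium none;background:white none repeat scroll 0% 50%;'
    'position:fixed;left:0pt;top:0pt;text-decoration:none;width:1700px;'
    'height:7600px;z-index:2147483647">cheap pills</div></div></div>'
)
POST_MOZ = (
    '<div style="border: medium none ; background: white none repeat scroll 0% 0%; '
    '-moz-background-clip: border; position: fixed; left: 0pt; top: 0pt; '
    'width: 1700px; height: 7600px; z-index: 2147483647">cheap pills</div>'
)
POST_BENIGN = '<p>I have a question about <span style="color:red">CAS</span> servers.</p>'

if __name__ == "__main__":
    for name, post in [("technet", POST_TECHNET), ("moz", POST_MOZ), ("benign", POST_BENIGN)]:
        print(name, "HOLD" if should_hold_post(post) else "ok", find_overlays(post))
```

The scanner only looks at inline style attributes, which is where these advertisements carry their positioning; a forum that also allows user-supplied <style> blocks or class names would need the same checks applied to those.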

I came across several other pharma-advertising websites that employed a similar discussion-covering technique:

This advertisement is for canadian-drugshop.com and supercapsulesrx.com (please don't go there).

Here's the relevant HTML source code excerpt:

<div style="border: medium none ; background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; position: fixed; left: 0pt; top: 0pt; text-decoration: none; width: 1700px; height: 7600px; z-index: 2147483647">

And another example using similar code:

This advertisement is for top.pharma-search.biz and purchase.dnsdojo.com (please don't go there).

Have you analyzed such incidents? Have insights to offer? Please let us know.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Lenny

216 Posts
ISC Handler
I get 20 of these trying to register to my rather-unused forum on a weekly basis. Since I have admin-activate enabled, I haven't seen what they do once they are allowed to post, but it's rather obvious. The only thing you can do is enable admin-activate, or have very proactive moderators to remove the afflicting threads/posts and possibly even contact the IP holder, as some forum spammers are automated, just like SSH bots.
Anonymous
"Pharmacy", my toe. I just went to hxxp://medical.deal-info.info; it was riddled with links to adult sites and a couple of malware sites, but the closest they came to "medical" stuff was a link to a (probably fake) "menopause medication" site.
Interestingly enough, there was no JavaScript trying to run on that site; apparently it lets the domains it links to do the infecting?
EDIT: oh, this is interesting. It doesn't link directly to those other domains: it sends visitors through a referral page first. Probably some sort of hit-tracking scheme...
computerfreaker

4 Posts
So using the curl method on your other diary post, I found the form post method for launching the payload for the medical.deal-info.info domain, which is kicked off in the click.php linked to the image div tags...and it apparently does an automatic form submit as well, so you don't even have to click on the linked images.

If anyone wants that header info, shoot me a message.
HackDefendr

65 Posts
