Not all widgets are equally “useful”

    Sometimes webmasters and site owners voluntarily (usually out of ignorance) install components on their site that pose a threat both to visitors and to the site itself. This mainly concerns lovers of freebies: free "premium" templates, nulled commercial CMSs, plugins downloaded from somewhere other than the developer's site, and other "free" goods. JavaScript and Flash widgets for the site can safely be added to this list: a calendar, an mp3 player, a calculator, a currency converter. Besides their useful function on the site, all of these elements can bring a whole "bundle" of inappropriate content or even spread malicious code, infecting the computers and mobile devices of site visitors.

    At first glance, such widgets are posted only by "Vasya Pupkins" on the pages of their personal blogs, but over the past week I managed to analyze three commercial and reasonably well-visited projects that also used infected widgets (one had posted a calculator for computing the order amount, the second a calendar on a news site, the third an online radio player).

    The spread of malicious code through widgets is further aggravated by the fact that directories and aggregators of these resources appear on the first lines of search results for targeted queries, which clearly increases the likelihood that webmasters will use them.

    So, what problems appeared on sites where infected widgets were installed? Redirects were always performed, but they depended on the platform and browser:

    1. When visiting from Android devices, a series of redirects ended with a malicious .apk file being downloaded to the visitor's device under the guise of a system component update or a mobile antivirus.

    2. When visiting from a browser on the Mac OS platform, the visitor was taken to a site announcing that viruses had been detected on the computer and that an application, posing as an antivirus, urgently needed to be installed.

    3. When visiting pages from a browser on Windows, the visitor got pop-unders or was redirected to various affiliate programs.

    The redirect was performed once a day per IP address, and only when the Referer header was set, which made the problem somewhat hard to detect when viewing the widget code in the browser or when re-visiting the site during the same day. To illustrate, here is the result of loading a widget with the Referer header set and without it:

    The analyzed widgets with redirects were downloaded from two aggregators:

    101widgets.com

    widgetsmonster.com

    A further search revealed a number of sites of the same owner:

    xuxu.org.ua
    widgetok.com
    mygold.pp.ua
    www.mygold.pp.ua
    widgeta.net

    At one time, a similar problem existed in the "One Button" service, which, along with its useful function as a bookmarking and sharing service, loaded the code of mobile and WAP affiliate programs. It looked like this:

    But recently more and more webmasters use pluso, share.yandex.ru, widgets from VKontakte, Facebook and other large services, so I have not come across sites with the "OK" widget installed for a long time.

    Unfortunately, such problems with widgets cannot be detected by checking the site files with antiviruses or specialized malicious code scanners, no matter how effective they are, since the widget's own code is not malicious: the redirects arise from the unauthorized loading of third-party scripts along with the loading of the Flash code. An effective way to detect rogue ("left") scripts loaded with a page is to use an HTTP traffic sniffer (Fiddler, Wireshark, Charles, etc.). Analysis of HTTP traffic will help to identify the causes of redirects, advertising banners, pop-unders and so on.

    As a solution to problems with redirects (apart, of course, from removing the source of the redirect from the site), you can also configure Content Security Policy (CSP) rules, listing as trusted sources of code and data only the hosts you are sure of. This will also help to get rid of the rogue ("left") transitions in the site visit statistics, which is now quite common.
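    As an added example (not code from the original post), the following Python script mimics the check described in the two paragraphs above: it compares the external resources a widget pulls in when fetched without and with a Referer header, and then checks the Referer-only extras against a CSP allowlist. The widget markup, the hosts (all under .example) and the policy are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses (not real widget code): the same widget as served
# without a Referer header and with one; the latter adds a loader script and a
# hidden redirecting iframe on hypothetical hosts.
WIDGET_NO_REFERER = """
<script src="https://cdn.widget-host.example/calendar.js"></script>
<object data="https://cdn.widget-host.example/calendar.swf"></object>
"""
WIDGET_WITH_REFERER = WIDGET_NO_REFERER + """
<script src="https://stat.rogue-loader.example/l.js"></script>
<iframe src="https://go.mobile-aff.example/r?x=1" style="display:none"></iframe>
"""

# Hypothetical CSP for the site: only the site itself and the widget CDN are
# trusted for scripts, frames and plugin (Flash) objects.
CSP = {
    "script-src": {"'self'", "cdn.widget-host.example"},
    "frame-src": {"'self'"},
    "object-src": {"cdn.widget-host.example"},
}

_TAG_RE = re.compile(r'<(script|iframe|object)\b[^>]*?(?:src|data)="([^"]+)"', re.I)
_DIRECTIVE = {"script": "script-src", "iframe": "frame-src", "object": "object-src"}

def external_resources(html):
    """Return (CSP directive, host) pairs for every script/frame/object URL."""
    found = set()
    for tag, url in _TAG_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            found.add((_DIRECTIVE[tag.lower()], host))
    return found

def referer_only_resources(without_ref, with_ref):
    """Resources that appear only when the widget is fetched with a Referer."""
    return external_resources(with_ref) - external_resources(without_ref)

def csp_violations(resources, csp=CSP):
    """Resources a browser enforcing `csp` would refuse to load."""
    return {(d, h) for d, h in resources if h not in csp.get(d, set())}

def csp_header(csp=CSP):
    """Render the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(sorted(v))}" for d, v in csp.items())

if __name__ == "__main__":
    extra = referer_only_resources(WIDGET_NO_REFERER, WIDGET_WITH_REFERER)
    print("Loaded only with Referer:", sorted(extra))
    print("Blocked by CSP:", sorted(csp_violations(extra)))
    print("Content-Security-Policy:", csp_header())
```

    In practice the two responses would come from a sniffer capture or two fetches of the widget URL (one with a Referer header, one without), and the policy would be shipped as the site's Content-Security-Policy response header.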

    In conclusion, I would like once again to draw the attention of web developers and site owners to the sources from which scripts, widgets and templates are loaded. Do not install hacked commercial components and plugins on the site, nor free ones that were not downloaded from the official site or the developer's repository. Such simple rules will significantly reduce the likelihood of unwittingly hosting unauthorized ads, backdoors, spam links, mobile redirects or malicious code on your site. And, of course, if you use widgets from one of the domains listed in the article, it is better to remove them from the site.
