
Not all widgets are equally useful.

Sometimes webmasters and site owners voluntarily (though, of course, unknowingly) install components on their sites that threaten both the visitors and the site itself. This mostly applies to lovers of freebies: free "premium" templates, "nulled" commercial CMSs, plugins downloaded from somewhere other than the developer's site, and similar "free" goods. JavaScript and Flash widgets for the site can safely be added to this list: a calendar, an MP3 player, a calculator, a currency converter. Besides adding a useful element to the site, all of these can bring along a whole bundle of unwanted content or even distribute malicious code, infecting the computers and mobile devices of site visitors.

At first glance, such widgets are only placed by the proverbial "Vasya Pupkin" on the pages of his personal blog, but over the past week I have analyzed three commercial and fairly well-visited projects that also used infected widgets (one placed a calculator for working out the order total, the second a calendar on a news site, the third an online radio player).



The spread of malicious code through widgets is made worse by the fact that directories and aggregators of such resources appear in the top search results for the relevant queries, which clearly increases the likelihood that webmasters will use them.


So what problems appeared on sites where infected widgets were installed? Redirects were always executed, but what they did depended on the platform and browser:

1. When visiting from an Android device, a chain of redirects downloaded a malicious .apk file to the visitor's device under the guise of a system component update or a mobile antivirus.

2. When visiting from a browser on Mac OS, the visitor was taken to a site which claimed that viruses had been detected on the computer and that an application, posing as an antivirus, had to be installed immediately.



3. When visiting pages from a browser under Windows, the visitor got a popunder or was redirected to various affiliate programs.

The redirect was performed once a day per IP address, and only when the Referer header was set, which made the problem somewhat harder to notice when viewing the widget code in the browser or when revisiting the site during the same day. For illustration, here is the result of loading the widget with and without the Referer header set:



Analyzed widgets with redirects were loaded from two aggregators:

101widgets.com



widgetsmonster.com



Further search revealed a number of sites of the same owner:

xuxu.org.ua
widgetok.com
mygold.pp.ua
www.mygold.pp.ua
widgeta.net

At one time, a similar problem existed in the "One Button" (OK) service, which, alongside its payload of a bookmarking service and a "share" function, loaded the code of mobile and WAP affiliate programs. It looked like this:



But lately more and more webmasters use pluso, share.yandex.ru, and the widgets from VKontakte, Facebook and other major services, so I haven't come across a site with the "OK" widget installed for a long time.

Unfortunately, such problems with widgets cannot be detected by checking the site files with an antivirus or a specialized malware scanner, however effective it may be: the widget's own code is not malicious, and the redirects come from third-party scripts that are silently pulled in along with the Flash code. An effective way to detect rogue scripts loaded with the pages is to use a traffic sniffer (Fiddler, Wireshark, Charles, etc.). Analyzing the HTTP traffic will help identify the causes of redirects, advertising banners, popunders and so on.

As a solution to the redirect problem (apart, of course, from removing the source of the redirect from the site), I can also recommend configuring CSP rules, adding to the trusted list only those sources of code and data (hosts) that you are sure of. This will also get rid of the rogue outbound transitions in the site's visit statistics, which is now a fairly common occurrence.
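As an added illustration (not code from the original post), the small Python script below turns a trusted-host allowlist into a Content-Security-Policy header value and then checks a traffic capture of the kind a sniffer would show against that policy, flagging the third-party loads the browser would block. The site host, the allowlist and the capture are constructed for the example, and the source matcher is a simplified version of the real CSP rules (it matches on host only, ignoring scheme and port).

```python
from urllib.parse import urlparse

# Constructed allowlist for a hypothetical site: only hosts the owner is sure of.
TRUSTED_POLICY = {
    "script-src":  ["'self'", "vk.com", "share.yandex.ru"],
    "object-src":  ["'none'"],          # no Flash/plugin content at all
    "frame-src":   ["'self'", "vk.com"],
    "connect-src": ["'self'"],
}

# Maps the kind of load seen in a sniffer capture to the CSP directive that governs it.
DIRECTIVE_FOR_LOAD = {"script": "script-src", "flash": "object-src",
                      "iframe": "frame-src", "xhr": "connect-src"}

# Constructed capture (kind, URL) resembling what Fiddler/Wireshark would show when the
# widget from one of the aggregator domains named in the post loads on the page.
SAMPLE_CAPTURE = [
    ("script", "https://example-shop.test/js/app.js"),
    ("script", "https://vk.com/js/api/openapi.js"),
    ("flash",  "http://101widgets.com/widget.swf"),       # the widget itself (constructed path)
    ("script", "http://xuxu.org.ua/go.js"),               # pulled in by the widget (constructed path)
    ("iframe", "http://widgetok.com/r.php"),              # redirect frame (constructed path)
]


def build_csp(policy: dict) -> str:
    """Render the allowlist as a Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def allowed(policy: dict, directive: str, url: str, site_host: str) -> bool:
    """Simplified CSP source matching: 'self', 'none', exact host and *.wildcard hosts."""
    sources = policy.get(directive, policy.get("default-src", []))
    if "'none'" in sources:
        return False
    host = urlparse(url).hostname or ""
    for src in sources:
        if src == "'self'" and host == site_host:
            return True
        if src == host or (src.startswith("*.") and host.endswith(src[1:])):
            return True
    return False


def audit_capture(capture: list, policy: dict, site_host: str) -> list:
    """Return the loads from a traffic capture that the policy would block."""
    return [(kind, url) for kind, url in capture
            if not allowed(policy, DIRECTIVE_FOR_LOAD[kind], url, site_host)]


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(TRUSTED_POLICY))
    for kind, url in audit_capture(SAMPLE_CAPTURE, TRUSTED_POLICY, "example-shop.test"):
        print(f"blocked {kind:6} {url}")
```

Every load the audit reports is one the sniffer showed but the allowlist does not cover; in the constructed capture that is exactly the widget and the scripts and frames it drags in, which is what a CSP header built from the trusted list would stop.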

In conclusion, I would like once again to draw the attention of web developers and site owners to the sources from which scripts, widgets and templates are loaded. Do not install hacked commercial components and plugins, nor free ones that were not downloaded from the official site or the developer's repository. Such simple rules significantly reduce the likelihood of voluntarily placing unauthorized advertising, backdoors, spam links, mobile redirects or malicious code on your site. And, of course, if you use widgets from one of the domains listed in this article, it is better to remove them from the site.

Source: https://habr.com/ru/post/268815/
