Google Code Hosting Malware... Again

May 20, 2013 - By Chris Larsen, Adnan Shukor

[Apologies to Adnan for letting his post languish on our internal blog for a week. I remembered last night that I hadn't pushed it out on the public blog yet. --C.L.]

In our "A Dive into the Water Hole" post, we talked about how URLDownloadToFile was used in the shellcode of an exploit to download malware and later WinExec was used to execute it. The malware is usually hosted on a different server and not on the same exploit site. In short, the bad guys will usually hack two sites: one is used to host the exploit/injected iframe, the other one is used to host the malware/payload. In an exploit payload that I found today [last week --C.L.], Google Code was abused to host the malware:

[Screenshot: Google Code account hosting malware]

[You gotta love those "Summary" fields...]

I performed a quick scan using VirusTotal and here are the results.

For the first sample:

[Screenshot: VirusTotal results for the first sample]

And the second sample:

[Screenshot: VirusTotal results for the second sample]

As a content filtering service, of course we don't want to rate the entire Google Code domain as malicious, as it hosts thousands of legitimate projects. Luckily, we don't have to; we can rate at the level of the project page, the download page, or at the level of an individual file.
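To make the granularity point concrete, here is an added example (not Blue Coat's code or data) of a most-specific-match URL rating lookup: a rule can be attached to a whole domain, to a project page, to a download page, or to a single file, and the narrowest rule that matches wins, so one malicious project or file can be blocked without blocking the rest of Google Code. The rating table, the project names and the file names are constructed for illustration.

```python
from urllib.parse import urlparse, unquote

# Constructed rating table for illustration only. Keys are scheme-less URL
# prefixes ("host", "host/path" or "host/path?query"); values are the
# category a filtering service would assign. The project and file names
# are hypothetical, not the ones from the original post.
RATINGS = {
    "code.google.com": "Software Downloads",
    "googlecode.com": "Software Downloads",
    # Whole project rated malicious: every page under it inherits the rating.
    "code.google.com/p/evil-proj": "Malicious Sources",
    # Only one download page of an otherwise legitimate project.
    "code.google.com/p/good-proj/downloads/detail?name=dropper.exe": "Malicious Sources",
    # Only one hosted file of an otherwise legitimate project.
    "good-proj.googlecode.com/files/dropper.exe": "Malicious Sources",
}


def normalize(url):
    """Split a URL into (lower-cased host, decoded path without trailing '/', query)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).rstrip("/")
    return host, path, parsed.query


def candidates(url):
    """Yield lookup keys from the most specific to the least specific.

    Order: full URL with query, then the path shortened one segment at a
    time, then the host, then each parent domain down to two labels.
    The query string is matched verbatim (parameter order matters).
    """
    host, path, query = normalize(url)
    if query:
        yield f"{host}{path}?{query}"
    segments = [s for s in path.split("/") if s]
    for i in range(len(segments), 0, -1):
        yield host + "/" + "/".join(segments[:i])
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def rate(url, rules=RATINGS, default="Unrated"):
    """Return (matched_rule, category) for the narrowest rule covering url."""
    for key in candidates(url):
        if key in rules:
            return key, rules[key]
    return None, default


if __name__ == "__main__":
    for u in [
        "https://code.google.com/p/evil-proj/downloads/list",
        "https://code.google.com/p/good-proj/downloads/detail?name=dropper.exe",
        "https://code.google.com/p/good-proj/downloads/list",
        "http://good-proj.googlecode.com/files/dropper.exe",
        "http://good-proj.googlecode.com/files/readme.txt",
        "http://example.org/whatever",
    ]:
        print(u, "->", rate(u))
```

The important property is that a rating on a download page or a file never widens to the project or the domain: the legitimate pages of `good-proj` still resolve to the domain-level "Software Downloads" rating while the single bad download page and file resolve to "Malicious Sources".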


Are you downloading something from a Google Code project page? Make sure it is legitimate! You can cross-check the binary by performing virus scanning to reduce the risk.

[Of course, this begs the question of why Google -- who owns the VirusTotal service -- doesn't use it to scan for obvious malware in Google Code so that end users don't have to. After all, these aren't exotic zero-day malware samples. What's up, Google? --C.L.]


That's all from me for now. Till next time, stay safe!

--Adnan Shukor

@xanda