URL Redirection, the good and the bad

URL redirection, also called URL forwarding, is not all malicious and has valid and acceptable uses. The technique allows a server to redirect a client request to a different page, site or domain for legitimate reasons. In a redirect, a web browser attempts to open a URL and that request is forwarded on to another location. Some of the legitimate reasons for URL redirection include:

Device targeting
A very common example of this is redirecting users to a mobile version of a website. If a user browses a site with a mobile client, they can automatically be forwarded to the corresponding mobile version of the site.

Geo targeting
Typically seen on sites targeting larger audiences in more than one location; it redirects users to more relevant localized content.

Removing referer details
When a link is clicked the browser sends the Referer header, which could contain sensitive URLs that end up in the server logs of an external site. For example, http://packetreport.com/future-plans would not be a desirable Referer value leaving an organization; a redirection page removes that exposure.

Similar domain names
Users might type a misspelled domain such as packtereport.com and get redirected to the actual site packetreport.com. This safeguards both the audience and the organization.

Redirection Used in Exploits
As security analysts we see this every day of the week: a user suddenly sets off an IDS alert for touching a known malware site or bad domain. I am always curious to see why this happened, and in most cases the user did one of three things: clicked a link in a phish, opened a document from a phish, or browsed a compromised site that has a malicious redirect configured. The following examples are not a complete list of techniques, but they are the most common malicious redirects.

HTTP Redirects
The HTTP 3xx redirection status codes indicate that the client must take additional action to complete the request. Many of these status codes are used in URL redirection; the three most common are 301 Moved Permanently, 302 Found and 307 Temporary Redirect.

301 Moved Permanently: known as a permanent redirect, it indicates that the originating URL has permanently moved to a new location.

302 Found: indicates that the target resource resides temporarily under a different URI.

307 Temporary Redirect: the target resource resides temporarily under a different URI, and the user agent must not change the request method if it performs an automatic redirection to that URI.
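
The following is an added example (not code from the original post) that shows how the three status codes behave on the wire. It starts a throwaway HTTP server on localhost serving a constructed chain /start (307) -> /second (301) -> /third (302) -> /final (200), then follows the chain one hop at a time with a hop limit so a redirect loop cannot run forever. Starting the chain with a POST shows the difference the post describes: the 307 hop keeps POST, while the 301 and 302 hops are rewritten to GET, the common browser behaviour that RFC 7231 permits. The /loop route, the port and the path names are all assumptions made for the demonstration.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed redirect chain served by a local test server (no real site involved).
CHAIN = {
    "/start": (307, "/second"),   # 307: user agent must keep the request method
    "/second": (301, "/third"),   # 301: permanent move
    "/third": (302, "/final"),    # 302: temporary location
    "/loop": (302, "/loop"),      # a redirect loop, to exercise the hop limit
}


class RedirectHandler(BaseHTTPRequestHandler):
    def _serve(self):
        if self.path in CHAIN:
            status, target = CHAIN[self.path]
            self.send_response(status)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"landing page"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_server():
    """Bind to a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def follow_redirects(url, method="GET", max_hops=10):
    """Follow a redirect chain hop by hop, returning [(status, url, method), ...].

    Stops at the first non-3xx response; raises RuntimeError when max_hops is
    exceeded, which is the loop guard an automated client needs."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request(method, parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        hops.append((resp.status, url, method))
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)
        # 307/308 preserve the method. For 301/302 browsers commonly rewrite
        # POST to GET (RFC 7231 allows it); 303 always switches to GET.
        if resp.status in (301, 302, 303) and method == "POST":
            method = "GET"
    raise RuntimeError("too many redirects (possible loop): %s" % url)


if __name__ == "__main__":
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_port
    for status, hop_url, hop_method in follow_redirects(base + "/start", method="POST"):
        print("[%s] %s %s" % (status, hop_method, hop_url))
    try:
        follow_redirects(base + "/loop")
    except RuntimeError as exc:
        print("stopped:", exc)
    srv.shutdown()
```

Each hop is recorded before the next request is sent, so the list is exactly the evidence an analyst wants when an IDS alert fires: every intermediate URL, not just the final landing page.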

HTML Redirects
This is a client-side redirection that tells the browser to request another page.

To create an HTML redirect page, you use the HTML meta tag with the 'http-equiv' and 'content' attributes. Meta Refresh is a special meta tag contained within the head section of the HTML source. It refreshes the page to the new site listed after the url field. The number at the start of the content attribute is the delay in seconds before loading; if set to 0 it redirects immediately as the page is loading.

What to look for:

  • <meta http-equiv="Refresh" content="0; url=http://www.evil.site/" />

Javascript Redirects
A common method of redirecting users via JavaScript is performed without any user input. In JavaScript, a redirect script uses the same location-setting code that is used to load any page.

What to look for:

  • "text/javascript">window.location='http://evil.site'
  • "text/javascript">window.location.reload("http://evil.site")
  • "text/javascript">window.location.replace("http://evil.site")
  • "text/javascript">document.location.href ='http://evil.site'

iframe/Frameset Redirects
This is a method where the content of another page is shown within an iframe or frameset, so that it looks like the content is part of the original URL. Especially dangerous are hidden iframes with width and/or height values of 0 or a few pixels, which are hardly visible to the user.

What to look for:

  • <iframe src="hxxp://evil.site/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
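
As an added example (not part of the original post), the scanner below turns the three "What to look for" lists above into a static check: it walks an HTML document with the standard library parser and reports meta refresh tags, the window.location / document.location forms listed under JavaScript Redirects, and iframes that are hidden by a zero or tiny width/height or a hidden/display:none style. The sample page it is run on is constructed for the example, with evil.example standing in for the real bad host; the tuple labels (meta-refresh, js-redirect, hidden-iframe) are my own naming.

```python
import re
from html.parser import HTMLParser

# JavaScript redirect forms from the list above: assignment to location/location.href,
# or a replace()/assign()/reload() call, followed by a quoted URL.
JS_REDIRECT = re.compile(
    r"(?:window|document)\.location(?:\.href)?\s*"
    r"(?:=|\.replace\(|\.assign\(|\.reload\()\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
# The url= part of a meta refresh content attribute, e.g. "0; url=http://..."
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.IGNORECASE)


def _tiny(value, limit=2):
    """True when a width/height attribute is 0 or only a few pixels."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= limit


class RedirectScanner(HTMLParser):
    """Collect (kind, url) findings for the redirect patterns discussed above."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "iframe":
            style = (a.get("style") or "").lower().replace(" ", "")
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or "hidden" in style or "display:none" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data, so regex them here.
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.findings.append(("js-redirect", m.group(1)))


def scan_html(html):
    """Return the list of (kind, url) redirect findings for an HTML document."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page containing one of each pattern plus two benign tags.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Type" content="text/html">
<meta http-equiv="Refresh" content="0; url=http://evil.example/landing" />
<script type="text/javascript">window.location.replace("http://evil.example/js");</script>
</head><body>
<iframe src="http://evil.example/count.php?o=1" width=0 height=0 style="hidden" frameborder=0></iframe>
<iframe src="http://partner.example/widget" width=300 height=200></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_HTML):
        print("%-14s %s" % (kind, url))
```

The check is deliberately literal: it flags the exact forms listed above and nothing more, so obfuscated JavaScript (string concatenation, eval, encoded payloads) will slip past it. Treat the output as a triage aid alongside the IDS hit and the redirect chain, not as proof that a page is clean.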

Outlook

The methods explained above are not new, revolutionary, hard to detect or very sneaky, but they do work and malware authors will continue to use them. Redirecting users to malicious content using HTTP redirects or embedded iframes is not going to trend downwards or cease to be an easy way to deliver malicious content anytime soon. Detecting the redirect using IDS signatures or blacklists and blocking the subsequent chain is always key.

Resources

http://unmaskcontent.com/
http://www.rexswain.com/httpview.html
http://redirectdetective.com/

Python Script

A simple script that follows HTTP redirections and displays the resulting HTTP status codes for each hop.

----------   http-redirect.py   ----------
import requests

# requests follows redirects by default and keeps each intermediate response in r.history
r = requests.get('http://evil.site')
for h in r.history:
    print('[%s] %s' % (h.status_code, h.url))
# final response after the chain has been followed
print('[%s] %s' % (r.status_code, r.url))



Malware Domain Lists

If you analyse pcaps often and are looking for a way to quickly see whether any of the domains are on a domain blacklist, this script may help.

The Python script will do the following:

  • Download a current malware domain blacklist and parse out the domains.
  • Run a tshark command on your pcap and pull out all the domains.
  • Compare the two lists and print to the screen the malicious domains you have on your network.

Python Script

print("Please change your pcap filename to new.pcap")
import urllib2      # Python 2 module; on Python 3 use urllib.request instead
import subprocess

# file to be written to
outfile = "domains.txt"

# download a current domain blacklist
url = "http://malwaredomains.lehigh.edu/files/domains.txt"
response = urllib2.urlopen(url)

# write the downloaded list to disk
with open(outfile, 'w') as f:
    f.write(response.read())

# Clean the file and remove all the extra stuff: keep only the first field (the domain) of each line
COMMAND = "cat domains.txt | awk '{print $1}' | sort | uniq > BLdomains.txt"
subprocess.call(COMMAND, shell=True)

# Grab all domains from the pcap
# pcapfile = raw_input("What is the pcap file name?")
COMMAND = "tshark -N n -r new.pcap | awk '{print $3}' | sort | uniq > localdomains.txt"
subprocess.call(COMMAND, shell=True)

# print to screen any domains from the pcap that are listed in the domain blacklist.
COMMAND = "grep -F -f BLdomains.txt localdomains.txt"
subprocess.call(COMMAND, shell=True)
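
The following is an added Python 3 example, not the script attached to the post, that does the same three steps (parse the blacklist, collect the names seen in the capture, intersect the two) without handing strings to a shell. It works on text that is embedded inline: a constructed blacklist excerpt in the same "first whitespace-separated field is the domain, '#' lines are comments" shape that the awk '{print $1}' pipeline above relies on, and a constructed list of names as the tshark pipeline would write them to localdomains.txt. It goes one step beyond the grep above by also matching subdomains of a blacklisted entry (cdn.bad-download.example hits bad-download.example). The .example host names and the read_pcap_names helper's tshark field selection are assumptions for the demonstration.

```python
import re
import subprocess

# Constructed blacklist excerpt (made-up entries, not real data): comment lines start
# with '#', and the domain is the first whitespace-separated field of each entry.
BLOCKLIST_TEXT = """## Malware domain list (constructed sample for this example)
## domain\ttype\treference
bad-download.example\tmalware\tconstructed
phish-login.example\tphishing\tconstructed
evil.example\tattack\tconstructed
"""

# Constructed list of names seen in a capture, one per line, as the tshark/awk
# pipeline above would leave them in localdomains.txt (also made up).
OBSERVED_TEXT = """www.packetreport.example
cdn.bad-download.example
update.evil.example
10.0.0.5
mail.google.example
phish-login.example.
"""

# Accept host names only; bare IPs and junk columns are dropped.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def _normalise(name):
    """Lower-case, strip whitespace and any trailing dot (DNS FQDN form)."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text):
    """Return the set of domains from a blacklist file (first field of each entry)."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = _normalise(line.split()[0])
        if DOMAIN_RE.match(first):
            domains.add(first)
    return domains


def parse_observed(text):
    """Return the set of host names from a one-name-per-line listing."""
    names = (_normalise(l) for l in text.splitlines())
    return {n for n in names if n and DOMAIN_RE.match(n)}


def match_blocked(observed, blocked):
    """Map each observed name to the blacklist entry it matches.

    A name matches on an exact hit or when any parent domain is listed, so
    cdn.bad-download.example is reported against bad-download.example.
    The bare TLD is never tested as a candidate."""
    hits = {}
    for name in sorted(observed):
        labels = name.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits[name] = candidate
                break
    return hits


def read_pcap_names(pcap_path):
    """Pull DNS query names out of a pcap with tshark, passing arguments as a
    list (no shell) so a user-supplied file name cannot inject commands.
    Assumed field selection; adjust to taste. Not exercised in the test."""
    out = subprocess.run(
        ["tshark", "-r", pcap_path, "-Y", "dns.qry.name", "-T", "fields", "-e", "dns.qry.name"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_observed(out)


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for name, entry in match_blocked(parse_observed(OBSERVED_TEXT), blocked).items():
        print("%-30s matches blacklist entry %s" % (name, entry))
```

Passing the tshark arguments as a list rather than a single string with shell=True is the main defensive change from the script above: the commented-out raw_input() for the pcap name would otherwise let a file name containing shell metacharacters run arbitrary commands. The parent-domain walk is also what you want against a list that only carries registrable domains, since malware rarely beacons to the bare apex.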

(Screenshot: python2)

Recommendation

  • Change the pcap filename to new.pcap
  • Change the attached file extension to .py as shown in the screenshot.

Reference

BLDomainsFoundinPcap_py
