New tool: Google index Retriever

Friday, April 24, 2015

Have you ever found a webpage that seems to talk about exactly what you need, only to discover it has been removed? Google cache is the usual answer, but what if the cache has been removed too? What if the only trace of the page is its entry in the Google index? You cannot get the webpage back, but you know it was there.

Google Index Retriever tries to recover the text Google still holds in its index, so you can get part of the page back, and maybe the removed content you need. Google cache is not there forever: cached copies are removed for good from time to time. Archive.org and its Wayback Machine do not take many snapshots of less popular pages, so there are situations where the only remaining part of a website is in the Google index.

What this post calls the Google "index" is the little fragment of text (the snippet) that the Google results page shows under each result when the user searches for something. In the snippet, the words matching the search appear in bold. This is the last part of a page to disappear, so there will be situations where it is the only part left. Google shows different fragments of the same webpage depending on the query, so if they could all be put together, the text could be reconstructed.

That is not the only situation where the tool may be useful. What if the snippet contains passwords, credit card numbers or other sensitive information? In fact, that was one of the reasons for creating the tool: to demonstrate that removing a webpage and its cache is not enough when it held offensive or sensitive content. The content may still be reachable. This is all explained in this presentation.

How does the tool work?

It is very simple. The tool is fed a Google search that produces a snippet. It then brute forces Google search ("stimulates it") with further queries to retrieve as much of the text as possible. It offers two modes:

Example with an evernote profile

  • One Shot button: searches just once with the query provided. Use it to make the search string as specific as possible before pressing the Start button.
  • Start button: starts searching in automatic mode. The result box displays the time elapsed since the search started, the word that made each fragment come up and, finally, the longest sentence reconstructed so far whenever it differs from the previous one, so the user can rebuild the webpage.


The logic used to "stimulate" the index and get the information back is:

  • First, it stimulates the index with the words found "around" the main search term in the first snippet, querying them one by one so that the whole sentence comes back piece by piece.
  • When there are no more results or "words around" left, the search is repeated with keywords provided by the user, like a "dictionary attack". When this happens, the progress bar changes colour.

Google, of course, will present a CAPTCHA from time to time because of the continuous use of its service. This is expected. Google Index Retriever captures the CAPTCHA so it can be solved easily and the search can continue.

Google will show a CAPTCHA from time to time

Spam

This tool can also be used to check whether a site has probably been compromised and injected with spam and black-hat SEO. Attackers commonly compromise webpages and inject spam words into them to "steal" their PageRank.

Using the tool to find possible "hidden" Spam in a webpage

This content is not visible to visitors, only to Google's crawler, so it usually shows up in the snippet. This tab works exactly like the other one, but with a different logic:

  • It goes straight to the dictionary phase, searching a different set of keywords (related to spam) against the Google snippet for the page.

This makes it easier to tell whether a webpage has been compromised and injected with SEO spam.

Other features

The program is written in Java, so it should work on any system, although it has only been tested on Windows. Results can be exported to an HTML document on the local computer. Keywords and spamKeywords are fully customizable: they can be added individually or edited directly in a TXT file.

Customizable keywords

The tool is available to download here.

Vote for Latch on the Internet Day awards 2015

Friday, April 10, 2015

About Internet Day awards
The Internet Day awards recognise the initiatives, people and organizations that make the best use of the Internet and new technologies.

The entry
The main categories of the Internet Day awards 2015 are: Best Web, Best Communication Campaign, Best Audiovisual Content, Best App Multidevice and Best Social Media Profile.

The Latch app has been selected to compete in the Best App Multidevice category for the best multi-device app of the year. Protect your accounts and online services. Discover the services where you can use Latch: look for online services bearing the Latch: Protected badge and click on the logo to regain control of your digital life.

We can win with your vote.
Winners are selected from the online votes of Internet users together with the votes of a jury of recognised professionals from each category. Vote for Latch.

Thanks for being a part of Latch.

Fake AdBlocks in Chrome Web Store lead to... adware?

Monday, April 6, 2015

No platform is free from abuse. Chrome Web Store has been abused in the past, mainly by ad injectors or general adware. In fact, Google has just removed almost 200 offensive extensions affecting 14 million users. But what if apps and extensions are just the "way" to convince users to install some other software or to visit a webpage? Apps and extensions as a spam technique? This has been happening for a while now with fake "AdBlocks" that lead to another, Russian, anti-adware product, using the Web Store as a spamming platform.

It is, in a way, a similar situation to when we found fake AdBlocks in Google Play and the recent use of Google Play Books as a platform for spreading adware and malware. Chrome Web Store is hosting fake versions of AdBlock, one of the most popular browser extensions. These apps (they are not extensions) are harmless per se, since they are just redirectors to another website where other programs are offered. Not especially dangerous... for now. This technique may prove quite successful for attackers who want to "spam" their content, programs, adware or anything else. Does this mean Chrome Web Store is hosting adware/malware directly in these fake apps or extensions? Not at all (it is hosting ad injectors, but is trying to remove them), but it is allowing developers to upload fake extensions that take advantage of a reputed brand (like AdBlock) to confuse users and get them to download something else. Nothing new, except perhaps for the platform used.

How they work

The fake AdBlocks detected are very simple, typical Chrome apps. We found the same program, with small differences, under several different developer accounts. Here are some samples (not all of them appeared at the same time):

Some of the AdBlocks detected from different developers


These apps request no permissions. That is strange and "impossible" for a real AdBlock, which needs at least permission to read and modify data on the websites you visit. Moreover, a real ad blocker would be an extension rather than an app.

No permissions needed

Internally, the only thing these apps do is this:

Fake AdBlockPlus code (in background.js file)

  • chrome.runtime.onInstalled.addListener: once the app is installed, the webpage is opened in Chrome.
  • chrome.app.runtime.onLaunched.addListener: every time the app is launched, the webpage is opened in Chrome.

The URLs they open change all the time.
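The three tells above (packaged app rather than extension, no permissions, install/launch handlers whose only job is to open a URL) can be checked mechanically over an unpacked package. The script below is an added example written for this post, not code recovered from the fake apps or provided by Google: the two manifests and background scripts are constructed samples, the fake one modelled on the behaviour just described and using one of the URLs this post lists as its target, the genuine one assuming the host-access and webRequest permissions an ad blocker usually declares. `window.open` in the sample is one of several openers the script looks for, not a claim about the real files.

```python
import json
import re

# Constructed sample of the kind of package described in the post: a Chrome
# packaged app named after a well-known ad blocker, no permissions, and a
# background script that only opens a URL on install and on launch.
FAKE_MANIFEST = json.dumps({
    "name": "AdBlock Plus",
    "version": "1.0",
    "manifest_version": 2,
    "app": {"background": {"scripts": ["background.js"]}},
    "icons": {"128": "icon.png"},
})
FAKE_BACKGROUND_JS = """
var target = "hxxp://www.appforbrowsers.com/adguard.html";
chrome.runtime.onInstalled.addListener(function () { window.open(target); });
chrome.app.runtime.onLaunched.addListener(function () { window.open(target); });
"""

# Constructed counterexample: what a genuine blocker declares (assumption
# about the permission set: host access plus the webRequest API).
REAL_MANIFEST = json.dumps({
    "name": "AdBlock Plus",
    "version": "1.8",
    "manifest_version": 2,
    "background": {"scripts": ["background.js"]},
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
})
REAL_BACKGROUND_JS = """
chrome.webRequest.onBeforeRequest.addListener(
  function (details) { return {cancel: isAd(details.url)}; },
  {urls: ["<all_urls>"]}, ["blocking"]);
"""

URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"]+")  # plain or defanged URLs
TRIGGERS = ("onInstalled", "onLaunched")
OPENERS = ("window.open", "chrome.tabs.create", "chrome.browser.openTab")
BLOCKER_HINTS = ("webRequest", "<all_urls>", "*://*/*")


def triage(manifest_text, background_js):
    """Flag a package that claims to block ads but is only a redirector:
    it cannot filter traffic, yet opens a hard-coded URL on install/launch."""
    manifest = json.loads(manifest_text)
    perms = manifest.get("permissions", [])
    report = {
        "is_app": "app" in manifest,
        "permissions": perms,
        "triggers": [t for t in TRIGGERS if t in background_js],
        "opens_url": any(o in background_js for o in OPENERS),
        "urls": URL_RE.findall(background_js),
        "can_filter_traffic": any(h in p for p in perms for h in BLOCKER_HINTS),
    }
    findings = []
    if report["is_app"]:
        findings.append("packaged app, not an extension: cannot touch page content")
    if not perms:
        findings.append("requests no permissions: cannot read or modify visited sites")
    if report["triggers"] and report["opens_url"] and report["urls"]:
        findings.append("opens %s on %s" % (", ".join(report["urls"]),
                                            "/".join(report["triggers"])))
    report["findings"] = findings
    redirector = bool(not report["can_filter_traffic"] and report["triggers"]
                      and report["opens_url"] and report["urls"])
    report["verdict"] = "fake blocker: redirector" if redirector else "not a redirector"
    return report


if __name__ == "__main__":
    for label, m, js in (("fake", FAKE_MANIFEST, FAKE_BACKGROUND_JS),
                         ("real", REAL_MANIFEST, REAL_BACKGROUND_JS)):
        print(label, json.dumps(triage(m, js), indent=2))
```

Because the verdict keys on capability (no way to filter traffic) rather than on a specific URL, it keeps working when the target URL is rotated, which is exactly what the post observes these apps doing; the extracted URLs are reported separately so they can be fed to a blocklist.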

Where they go to

These are the links we have seen so far:

  • hxxp://www.appforbrowsers.com/adguard.html
  • hxxp://www.surprisess.com/adguard.html
  • hxxp://www.appforchrome.com/adguard.html

And there are others that, after passing through some kind of app aggregator, redirect to the real AdBlock.

  • hxxp://prodownnet.info/adblock-super/
  • hxxp://appstoreonline.blogspot.com/search/label/adblock%20chrome
  • hxxp://appstoreonline.blogspot.com/search/label/adblock%20youtube

Most of them open websites that encourage the user to download a program called Adguard, a supposed ad blocker for PC that has its own extensions for different browsers. Is this adware disguised as an ad blocker? There is no easy answer. Google blocked the site when visited with Chrome, at least as of a few days ago, which means Google (and maybe only Google) thinks, or thought at some point, that this URL belongs on a blacklist.

Google blocking adguard installer a few days ago

We know that the Adguard app was removed from Google Play last December (maybe by Google, maybe by its owners). Moreover, some engines on VirusTotal consider it some kind of malware, detecting it with generic signatures (except Rising, the Chinese AV).

Some engines detecting the AdGuard installer

It could be a false positive, something not widely detected yet, or just the kind of software that is legal and lives in the grey zone where some AV engines have to "respect" it by not detecting it... but which is harmful to users once installed anyway.

The only way to know for sure would be a manual analysis. A quick look shows that the exe itself changes very often. It is just a downloader for download.adguard.com/setup.exe, which is a much more complex program and, again, detected by just one engine with generic signatures... which means nothing. Although Google and some AVs flag it, it is most likely not a dangerous program. And, probably, its authors are not the ones directly responsible for these fake AdBlocks... They may run a reward program for websites that bring in downloads... who knows.

Conclusions

The important thing is not fake Chrome apps pointing to some ad blocker. The conclusions could be:
  • Obvious, but any platform is susceptible to abuse and "spam". Chrome Web Store is being abused in an "innocent" way (leaving aside the ad injectors) with fake apps that induce the user to visit a site and download other software. Using the name and icon of reputed programs as bait is very effective for attackers... but easy for the store to track and prevent.
  • Although these apps seem to redirect to some software in a "spamming" campaign aimed at getting more "visits", and that is all so far... what if they redirected to some other website? Would it be as effective from the attackers' standpoint as the ad injectors with 14 million affected users? We may see more apps like this in the future leading to genuinely aggressive adware or malware.
  • Users have to be careful interpreting AV results: for good or bad, false positives exist... and of course so do false negatives. With enough of both, the average user never really gets to know.

The Chrome app launcher after installing some fake ABP

Sergio de los Santos
ssantos@11paths.com