CDN Used for Malware Hosting in Google User Content

CDN (content delivery network) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content. A CDN allows for the quick transfer of assets needed for loading Internet content including HTML pages, javascript files, stylesheets, images, and videos. The popularity of CDN services continues to grow, and today the majority of web traffic is served through CDNs, including traffic from major sites like Facebook, Netflix, and Amazon.

Hackers are hiding malicious code inside the metadata fields of images hosted on Google’s official CDN (content delivery network) —googleusercontent.com.

The type of images that are being hosted on this domain are usually the photos uploaded on Blogger.com sites and the Google+ social network.

Denis Sinegubko, a security researcher with web security firm Sucuri (now part of GoDaddy), has recently discovered one malware distribution campaign where the GoogleUserContent CDN was used to host one such malicious image.

EXIF field to web shell

In a report published on Wednesday, Sinegubko says he found a malware operation focused on stealing PayPal security tokens (for bypassing PayPal authentication) where crooks were loading an image hosted on googleusercontent.com, extracting and then executing code found in its “UserComment” EXIF metadata field.

The code contained in that field was a Base64-encoded string that when decoded multiple times would end up being a script that could upload a predefined web shell on the compromised server, along with various other files.

Issues with taking down the malicious image

Crooks have hidden malicious code in image metadata fields before, or in the image itself (a technique known as steganography).

Hosting the images on the GoogleUserContent CDN was a unique approach, one that gave the Sucuri researcher quite a few headaches.

The biggest was that there was no simple way to report the malicious image to Google, which has forms set up for reporting copyright infringement, but not security issues.

Researchers can’t identify source of the malicious upload

Sinegubko says that malicious code hidden in images uploaded on Google sites outlives malware hosted on other public sites such as the malware uploaded on GitHub, Pastebin, Twitter, or other similar services.

Furthermore, the researcher also draws a sign of alarm regarding security scans of image files, which are usually ignored by most web-based security scanners.

Such tools usually look for malware in text-based files such as HTML, PHP, JS, or other typical server files, but do not scan the metadata of images hosted or loaded on a site.