Google User Content CDN Used for Malware Hosting


A CDN (content delivery network) is a geographically distributed group of servers that work together to provide fast delivery of Internet content. A CDN allows for the quick transfer of assets needed for loading Internet content, including HTML pages, JavaScript files, stylesheets, images, and videos. The popularity of CDN services continues to grow, and today the majority of web traffic is served through CDNs, including traffic from major sites like Facebook, Netflix, and Amazon.

Hackers are hiding malicious code inside the metadata fields of images hosted on Google’s official CDN (content delivery network), googleusercontent.com.

The images hosted on this domain are usually photos uploaded to Blogger.com sites and the Google+ social network.

Denis Sinegubko, a security researcher with web security firm Sucuri (now part of GoDaddy), has recently discovered one malware distribution campaign where the GoogleUserContent CDN was used to host one such malicious image.

 


EXIF field to web shell

In a report published on Wednesday, Sinegubko says he found a malware operation focused on stealing PayPal security tokens (for bypassing PayPal authentication) where crooks were loading an image hosted on googleusercontent.com, extracting and then executing code found in its “UserComment” EXIF metadata field.

The code contained in that field was a Base64-encoded string that, when decoded multiple times, yielded a script that could upload a predefined web shell to the compromised server, along with various other files.

 

 

 


Issues with taking down the malicious image

Crooks have hidden malicious code in image metadata fields before, or in the image itself (a technique known as steganography).

Hosting the images on the GoogleUserContent CDN was a unique approach, one that gave the Sucuri researcher quite a few headaches.

The biggest was that there was no simple way to report the malicious image to Google, which has forms set up for reporting copyright infringement, but not security issues.

 


Researchers can’t identify source of the malicious upload

Sinegubko says that malicious code hidden in images uploaded to Google sites outlives malware hosted on other public sites such as GitHub, Pastebin, Twitter, or other similar services.

Furthermore, the researcher also raises an alarm about security scans of image files, which most web-based security scanners usually ignore.

Such tools usually look for malware in text-based files such as HTML, PHP, JS, or other typical server files, but do not scan the metadata of images hosted or loaded on a site.
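The kind of check such scanners skip can be sketched as follows; this is an added example, not code from Sucuri's report or from this page. It reads the EXIF "UserComment" field of a JPEG, strips nested Base64 layers as in the "decoded multiple times" case above, and flags script-like text. All function names and the marker list are hypothetical, only Base64 layering is handled, and the Exif block is located by a byte search rather than a full JPEG segment walk.

```python
import base64, re, struct

MARKERS = (b"<?php", b"eval(", b"base64_decode", b"gzinflate", b"<script")  # illustrative
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def entries(tiff, off, e):  # yields (tag, count, offset of 4-byte value field) per IFD entry
    for i in range(struct.unpack_from(e + "H", tiff, off)[0]):
        tag, _type, count = struct.unpack_from(e + "HHI", tiff, off + 2 + 12 * i)
        yield tag, count, off + 10 + 12 * i

def user_comment(jpeg):  # UserComment (tag 0x9286) without its 8-byte charset id, or None
    tiff = jpeg.partition(b"Exif\0\0")[2]      # TIFF block follows the APP1 Exif header
    if tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"      # byte order of the TIFF block
    u32 = lambda at: struct.unpack_from(e + "I", tiff, at)[0]
    for tag, _, vpos in entries(tiff, u32(4), e):
        if tag == 0x8769:                      # IFD0 entry pointing at the Exif sub-IFD
            for t, count, vp in entries(tiff, u32(vpos), e):
                if t == 0x9286 and count > 8:
                    return tiff[u32(vp) + 8 : u32(vp) + count]
    return None

def peel(data, max_layers=8):  # decode nested Base64; returns (layers removed, final bytes)
    for layers in range(max_layers):
        run = max(B64_RUN.findall(data), key=len, default=b"")
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            decoded = b""
        if not decoded:
            return layers, data
        data = decoded
    return max_layers, data

def scan(jpeg):  # finding dict when the comment hides script-like text, else None
    try:
        comment = user_comment(jpeg) or b""
    except struct.error:                       # truncated or malformed EXIF
        return None
    layers, final = peel(comment)
    hits = [m.decode() for m in MARKERS if m in final.lower()]
    return {"layers": layers, "markers": hits} if hits else None

def sample(comment):  # constructed JPEG: SOI, APP1/Exif holding only a UserComment, EOI
    val = b"ASCII\0\0\0" + comment
    tiff = (b"II*\0" + struct.pack("<IHHHIII", 8, 1, 0x8769, 4, 1, 26, 0)
            + struct.pack("<HHHIII", 1, 0x9286, 7, len(val), 44, 0) + val)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Passing `scan()` the bytes of each image a site hosts or loads returns the number of Base64 layers removed and the markers found; `sample()` only builds a constructed test image around a given comment.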

 
