Another Round of Beladen? Or, The New "Go" Infection
On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.
The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.
This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.
According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:
“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”
Other sites we were asked to help with were also showing these domains in their Google Diagnostics:
Which deobfuscated looks like:
sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT
We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:
In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:
- p\x61th=/\x3b exp\x69r\x65s
- p\x61\x74h=/\x3b \x65x\x70i\x72es
- p\x61t\x68=/\x3b expi\x72e\x73
All of these deobfuscate to: path=/; expires
One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.
It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?
Who knows. At this point all we do know is that this does affect all the websites on infected servers.
How do we know that?
We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.
Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.
The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:
Which essentially does a Meta tag redirect. The above deobfuscates to:
We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.
The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:
This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.
No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:
“Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.
If you cancel, a new alert is displayed with this message:
“Windows Security Center recommends you to install System Security Antivirus.”
If you cancel that, it will display again.
One more cancel gets you to this message:
“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”
This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.
We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.
What To Do
First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.
Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.
At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.
We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.
Then change FTP passwords on all of your accounts.
This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).
Post comments below if you’ve been infected by this or know someone who has.
Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.
The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.
This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.
Keep posted, we’ll be adding more information as we get it.