By

Has security moved from prevention to detection and response?

Recently, Symantec’s senior vice president of information security Brian Dye declared that anti-virus is dead, as told to the Wall Street Journal.

Is it?

Has the security industry moved away from prevention to early detection and quick response?

I know when I started WeWatchYourWebsite back in 2007, I started preaching prevention. However, it became evident that nobody was interested. It appeared that people, even then, were more interested in early detection and quick remediation.

If you look at many of the startups and large security companies, it becomes real clear that most of the industry is focused on early detection and quick remediation. Is this like closing the barn door after the horses are out?

Is this giving up on prevention and focusing instead on early detection? That, to me, is like admitting defeat to the cyber criminals of the world.

Or, is it a different strategy?

In combat, whether your battlefield is on soil or a chess board, one key strategy is to lure your opponent into an area and then close in and destroy them.

Could this work in cyber security?

Of course, we’ll never catch the cyber criminals, unless they’re really lazy, but can we capture their methods? That would be considered a victory.

battleIn the book, “The Art of War” it states:

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

If our deception is to lure the cyber criminal into our website, but record and report everything, then we can consider that a victory for the masses. That information can be used to protect other websites and prevent other sites from being successfully breached.

What do you think?

Should focus be placed on detection and response? Is that a sound strategy?

Share your thoughts…

Thank you.

By

What’s the best anti-virus program?

In cleaning infected websites and protecting them, we constantly see infected websites that have been infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Often times we can tell by the type of infection or where the infectious code is located, whether or not the point of entry to an infected website is via stolen passwords.

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you’re using SFTP or FTPS, the “secured” file transfer protocol.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.

By

The new Attack – d0lphin.biz

We recently came across a number of websites that have been injected with malscript iframes that load malware from d0lphin.biz. Following is our report on this attack.
 
Cybercriminals appear to be using their network of infected PCs to modify “hacked” websites and turning them into infectious websites – attempting to infect many more PCs.
  
This attack appears to only infect index pages; index.htm, index.html, index.php. That’s all we’ve seen thus far.
 

The malicious code that gets injected into these webpages is the following:

body of injected script

Which deobfuscates to:

deobfuscatedscript

The usual iframe malscript parameters: width=1, height=1 style=’visibility:hidden’
 

 What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible so we knew it had to be a Microsoft specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:

 

in.php malscript (click to enlarge)

 

Which deobfuscates to:  

in.php deobfuscated

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

 

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

load.php VirusTotal Results

 

 

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the Virus Total report on that file:

pdf.php VirusTotal Results

 

Inspecting the FTP log files for the infected website we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

89.36.84.249 which is Bucharest, Romania
98.209.145.133 which is Michigan, United States
74.211.69.79 which is New Mexico, United States
85.122.6.86 which is Bucharest, Romania
123.236.139.33 which is India
91.105.112.220 which is Great Britain, United Kingdom
96.20.117.224 which is Montreal, Canada
119.171.100.108 which is Tokyo, Japan
71.65.72.159 which is Ohio, United States
97.84.174.241 which is Michigan, United States
 

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs a website owner would have to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lpin.biz is hosted on show this for their whois:

 whois-d0lphin.biz

The whois on the domain d0lphin.bz is:

whois-domain-d0lphin.biz

Google’s report on the network hosting d0lphin.biz shows:

google-diags-network

FIRE’s maliciousnetworks.org shows this information for the network d0lphin.biz is hosted on:
 
FIRE-d0lphinNetwork
 
You see that their report shows 2 C&C Servers (Command and Control – the servers hackers use to control their botnets) and 2 exploit servers – both bad stuff.
 
Prevention of this type of attack on your website is simple. Keep your PCs clean of viruses. If want to be sure you’re PC is clean, don’t use an administrator account for your daily activities. If you can’t install software as your currently logged in user, neither can a virus.
 
What’s your thoughts on this new attack? Is there any further information you’d like to know? Let me know…

By

Another Round of Beladen? Or, The New "Go" Infection

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

  • daobrains.info/
  • safetyshareonline.com/
  • goslimscan.com/
  • goscansome.com/
  • globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

malscript-0-11

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

  • dtxzidl
  • bmno
  • wcdg
  • tpet
  • stqfpbc
  • meuhgor

In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

  • p\x61th=/\x3b exp\x69r\x65s
  • p\x61\x74h=/\x3b \x65x\x70i\x72es
  • p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires

One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

malscript-1-1

Which essentially does a Meta tag redirect. The above deobfuscates to:

malscript-2-1

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:

malscript-3-1

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

 “Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

 “Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.

Keep posted, we’ll be adding more information as we get it.

By

The Blame Game

Major Malware Outbreaks Evade Anti-Virus Protection

A report released on July 14, 2009 states that “Several successive and massive malware outbreaks caused a spike in malware that was undetected by major AV engines.”

In Commtouch’s Q2 Report available here , which covers the analysis of over 2 billion emails and Internet transactions, they also claim:

  • “Business” was the website category most infected with malware
  • An average of 376,000 new zombies were activated each day with malicious intent

Amir Lev, Chief Technology Officer of Commtouch said that for the last 18 months anti-virus (AV) engines used many generic signatures, which were effective at blocking malware. However, malware writers and distributors introduced new variants which are immune to these generic signatures.

This time period coincides with the infection of 1,000s of websites with gumblar, martuz and iframe malscripts which then received Google’s moniker of “This site may harm your computer.”

The Blame Game

Answering many, many blog and forum postings from disgruntled website owners and developers who’ve been the victim of these recent gumblar, martuz and iframe infections, it’s been our experience that quite often the thought process of the victimized website owner follows this path:

  1. The website owner or webmaster receives an email from Google notifying them that their site is infectious. Google rarely (if ever) is wrong so they immediately slap all SERPs (Search Engine Result Pages) with the “This site may harm your computer” label thereby stopping all traffic dead in it’s tracks.
  2. Cautiously the site owner or webmaster will try to view the site. They don’t want to become infected from their own site, but their curiosity is overwhelming. They typically don’t see anything malicious.
  3. “How do I find and clean this?” Often these people will post questions on sites like Google’s Webmaster Forums or www.badwarebusters.org or some other favorite online watering hole.
  4. Then their focus turns to, “Who’s to Blame?”

The feeling of many site owners is one of “I’ve been violated and I need to blame someone.”

When hacking victims get to “Who’s to blame”, they quite often turn their attention to their hosting provider. Many times the blogs and forums are filled with postings where people blame even some of the largest hosting providers. Site owners want to instantly spend the time and money to move their website to a different hosting provider where they’ll once again feel safe and secure.

All because they feel it’s the hosting provider’s fault their site, or sites, were hacked.

The site owner or developer will call the hosting provider looking for assistance from their technical staff and quite frequently, they can’t find the obfuscated malscript buried deep inside some harmless HTML code either. Many times the website has been blocked by various anti-virus programs, Google’s search results and sometimes even corporate website filters for days or weeks before the issue is resolved.

Even if the site owner goes through the trouble of moving to a new hosting provider, with these recent infections, their site will just get hacked again and again.

Then who’s to blame? The new hosting provider? How many more hosting provider’s will the site owner move to until they finally find one that gives them that safe and secure feeling?

Many site owner’s want the hosting provider to take responsibility and clean their site. After all, they’re paying their $5 – $10 per month so the hosting provider should take responsibility and the spend the time to clean the infectious website, right? No matter how many times the site gets re-infected.

Don’t Shoot the Messenger

I hate to be the one to break it to you, but, hosting providers had nothing to do with websites getting hacked with the recent gumblar, martuz or iframe injections. It was anyone’s fault but theirs.

It could be the site owner’s fault, or the anti-virus company’s fault, or Microsoft’s fault, or the fault of the company that wrote the FTP software being used.

It was almost anyone’s fault – except that of the hosting provider.

Let me explain.

You see, with all the malware that went undetected by these generic signatures, thousands of PCs were compromised. According to the Commtouch report referenced above, 376,000 new zombies per day.

You could blame Microsoft, however, the Commtouch report also shows an increase in the amount of Mac malware as well. Besides, blaming Microsoft is so 2,000 late.

These recent website infections came from viruses on the PCs of people who have FTP access to websites.

OMG!

Does that mean it could be the fault of the website owners, developers and webmasters?

It might, rabbit, it might.

These recent undetectable viruses steal FTP credentials – usernames and passwords. These viruses search through the files of popular FTP software looking for the file with the stored FTP credentials. These viruses also record keystrokes so when an infected PC is used to type in the FTP credentials, they get stolen. As another point of attack the viruses also “sniff” FTP traffic. Since FTP transmits all data in plain text, it’s easy for a sniffer to see the username and password in the FTP data stream and steal it. We even did a video to show how easy it is to sniff FTP traffic. It’s so easy that some people use a sniffer on their own FTP traffic if they forgot their stored password. Here’s our video.

Virus writers are incredibly smart and this round of malware proves it.

Once the virus has the FTP credentials it sends them to the server of a cybercriminal. This server is configured to login to the website as a valid user, inject it’s infectious code and move on to the next site.

Who’s to Blame?

How many websites did you visit that displayed some type of ad? Did you know that many ad networks have served up infectious ads – unknowingly of course, but nonetheless, the ads could have infected many visitors.

How many websites did you visit that displayed Flash intro’s or allowed you to view an Adobe Acrobat file (pdf)? Adobe had a few vulnerabilities in their software, that were exploited during and prior to this time period. Combine a vulnerability in files so widely used with the ineffective generic anti-virus signatures, and there’s another source to blame. Maybe two new sources – the AV companies and Adobe.

Did you update your Adobe products as soon as the update was available?

If not, then there’s another person to blame – you.

Could the companies that wrote the FTP software used, maybe have encrypted the stored usernames and passwords so that it wasn’t quite so easy to find and steal the FTP credentials? There’s anothe source to blame.

Maybe if so many people didn’t use their PCs with full administrator rights, there wouldn’t be such a virus outbreak in the first place. Maybe these PC owners are to blame.

Whoever you decide to blame, don’t incur the costs involved with moving to a new hosting provider before you find out what your site was infected with and how those infections occurred. You might be barking up the wrong tree.

I’ll tell you, the cybercriminals are to blame.

They’re the people who write and distribute viruses, malware and malscripts.

Cybercriminals (some call them hackers) want to control as many computers as they possibly can. They don’t care if it’s a computer for a university or if it’s the computer of a new Internet start-up company. One compromised computer looks just the same as another.

Compromised computers make up their inventory.

You know what a hacker calls an uninfected computer – opportunity!

Their digital assets are the computers they control. Often times some of their inventory of infected computers gets rented out to other cybercriminals. This provides them with a source of income.

If you really need to blame someone, blame the hackers, or the international cyber laws, or the world economy. Just don’t blame the hosting providers.

Hosting providers provide a very valuable service. Their margins are squeezed tighter and tighter as it seems everybody thinks it’s a great idea to enter the hosting industry. The good hosting providers work hard for their customers. They depend on customer retention and acquisition – just like every other business. They do the best they can with what they have.

The only thing a hosting provider could do to prevent these gumblar, martuz and iframe infections is to block all FTP traffic. Then you would have a very good reason to blame them for something, but you still wouldn’t be able to justify blaming them for the rash of website infections.

It simply isn’t their fault.

Let me know your thoughts on this. Who would you blame if your site got hacked? Who did you blame if your site was already hacked?

By

The Errors of Error Pages

Over the past few months, the number of sites infected with malscripts has increased dramatically. Many of these injection infections are difficult to track. Unbeknownst to many site operators, “error pages” can actually complicate the detection process. This blog posting discusses what we call “The Errors of Error Pages”.

Frequently, if you mistype a word in a URL, the “Page Not Found” error page is displayed. The very plain, non-descriptive message is not terribly user friendly in that it gives minimal information. The error code produced by a “Page Not Found” is a 404.

If you request a non-existent page on a Microsoft IIS webserver you might see something like this:

 404-iis1

Much has been written about preventing the typical “Page Not Found” error page from scaring away potential buyers. However, most of these marketing articles omit the critical discussion of how cybercriminals use these error pages to distribute their malware. This posting focuses on that topic.

The General Problem

When a site discloses Google’s moniker, “This site may harm your computer”, the user’s or host’s first response is to scan their website with anti-virus programs – rarely will this find the malscripts. Since Google prohibits the site from appearing as a normal search result while generating this message, the user aims to quickly find the injection infection. Once discovered, the site then seeks Google’s permission to reappear. We’ve handled many cases where everyone from the hosting provider, to friends, to the web developer, has checked “every file” and found nothing malicious on the site in question. Often, the error page is the source of the problem. However, they routinely fail to investigate the error pages – and cybercriminals know this.

Relevant Codes

To understand the criminal mind, one must first understand the various response codes generated by different requests. For example, when one uses their browser to request http://www.wewatchyourwebsite.com, the page actually exists. Therefore, the response code the browser receives is a 200. These codes don’t appear on the screen, but the browser sees them.

On the other hand, if one types in http://www.wewatchyourwebsite.com/fredflintstone.php, the browser would generate a 404 (Page Not Found) response code because there is no page with that name on the site.

To avoid a user receiving a 404 response, and the resulting “ugly” Page Not Found page, a website can be configured to generate a different response for those requests which would typically result in a 404 response code. Instead of a 404 response, you would see a page that’s been created to replace the “Page Not Found” response, or some substitue page that informs the visitor that the page they’ve requested has either moved or does not exist.

Use of Security Tools

In our work, we’ve tested various tools, vulnerability scanners, exploit engines, etc. seeking a vulnerable script file or software exploit, and found that if the tool sends a request to a website that generates a response of any kind, often times the tool considers the exploit successful. However, if the website being tested is setup to return a custom error page rather than the basic “Page Not Found” page, the security tool will record that attempted exploit as successful, thus, rendering a false positive.

For example, a security tool may be used to check for a vulnerable version of some shopping cart software. If the website being checked is set up to return a customized 404 error page, the security tool will see that it generated a webpage response to it’s request for the vulnerable shopping cart URL. If the tool detects a webpage in response to it’s check, the tool will assume that the site must have the vulnerable version of the shopping cart software – a potentially false positive.

Since hackers know that false positives arise under these circumstances, when they infect a website, they inject their infectious code into the default error pages. As cybercriminals also know, frequently, these pages are neglected by those working to detect infections on websites.

Clues to Find and Methods for Searching

Knowing all of this, during a search for infections, we always check for fredflintstone.php. (When we start seeing websites with a webpage with this name, we might switch to betty.php, wilma.html, barney.cfm or dino.asp.) Nevertheless, by checking for pages that we know don’t exist, we are confident that we have scanned for this obvious point of infection, and thereby detected possible cybercriminal activity.

Further, many shared hosting services use a folder off of the root folder named something like “error_docs”. Often, the hosting provider will fill that folder with basic webpages that a site uses as responses when visitors request webpages they aren’t allowed to see or simply don’t exist. Sometimes these files will be named with the response code, e.g. for a “Page Not Found” error the resulting webpage might be called 404.html. Other times, the webpage will be called by the error name it’s produced by – like “page_not_found.html” for a 404 response code.

Every host or site owner should determine how their site handles these different responses and check those files for any malscripts. At the end of this article, we suggest a valuable tool to conduct such checks.

More Examples

In the course of our work, we recently discovered a rather ingenious way of delivering malscripts through the use of 404 error pages. Apache Web server software can be configued differently to a request for a webpage that doesn’t exist.

One basic response is in the configuraton file: httpd.conf, and it would look like this:

  • ErrorDocument   404   /404.html

If you’re on a shared hosting plan (you’ll know if you’re not), you probably (hopefully) don’t have access to this file. But you will have access to .htaccess (yes there is a period in front of that file name). This file might also have the same entry for ErrorDocument listed in there.

How do hackers use this to infect visitors to one of their distributional assets?

One of two ways.

First, they can see what file is used for the 404 (or other such response codes) and inject their malscript into that page. This can be found during a scan of the files residing on the webserver.

Or, they can instead insert their own malicious URL replacing the /404.html in the line ErrorDocument…

Instead of this: ErrorDocument    404    /404.html

They would put: ErrorDocument    404   http://hackerswebsiteinsertedhere

That way when someone scans all the files with a search tool, it won’t find the malscript because the malscript isn’t in any of the files located on that server. It’s located on a server miles away.

This is why it’s always important to know how a site is handling 404’s and other errors. The specific method used by the hosting provider must be checked. Any suspicious looking should be checked and verified.

As hackers become more sophisticated, website owners and developers must as well. Therefore, while the hackers increase their attempts to infect websites, so too, must we all increase our efforts to detect and to block them.

How can you check your site?

I recommend a tool I learned about from Kaleh (a moderator on www.badwarebusters.org and a frequent contributor on Google’s Webmaster forum). The tool is a website: http://web-sniffer.net. Simply, enter a URL in the box at the top, add “/fredflintstone.php” (no quotes) to the end of it, and hit “Submit”.

Scroll down to the bottom of the screen to see what HTML/code the site sends to a visitor’s browser when they request a page that doesn’t exist (404 error).

If you see something that looks out of place, you should suspect that code, research it and possibly remove it. If you ever have any doubts, please contact me and I’ll review it for you. We have deobfuscation tools available and can usually determine what a piece of obfuscated script is really doing.

Should you have any questions or wish to continue this discussion, please post your comments below or contact directly at traef@wewatchyourwebsite.com

Thank you.

By

Don't Open That File!

Yes, just when you thought it was safe to open Adobe Acrobat files (with a .pdf extension), it’s not.

Everyone who reads this should update their Adobe Acrobat Reader here: http://www.adobe.com/support/security/bulletins/apsb09-04.html

Hackers (or as some prefer – cybercriminals), have found a new way to use pdf’s to infect computers (CVE-2009-0927) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927. By using a legitimate website, or websites, hackers can reach many more unsuspecting web users.

What the cybercriminals are doing is finding legitimate websites they can hack and replacing any pdf files with their infectious pdf’s. Anyone who opens that pdf, either on screen or by downloading it and then opening it, will be subjected to this exploit and could face infection.Some websites have various forms they use for reports, registrations or any of a number of uses.

Frequently the infected webpage is designed to open automatically when you visit the page. Rarely will the website owner know they have an infectious website. Often times the infectious website won’t actually contain the malicious code. The webpage will have a line of javascript that downloads the malicious code from some server in a land far far away.

I usually hear people saying, “I scanned my website with 5 different anti-virus programs and nothing was detected.”

While this doesn’t hurt, rarely will this action find the infected webpage because only the javascript code that “reaches” out to the far away server is on the webpage – and it’s heavily encrypted to avoid easy detection. The actual virus or other malicious code is located on their server and often it’s polymorphic – it changes it’s shape and size for each time it’s downloaded on a user’s PC. This “strategy” helps the infectious code in evading detection by most anti-virus programs.

Hacking of a legitimate website is nothing new in distributing malware as I’ve written about numerous times in other blog postings here.

Update your Adobe Acrobat Reader now!

Let’s be careful out there, huh?

Thank you.

By

Paul McCartney's Web Site Hacked – "Back in the USSR"

Yes it’s true. The rock n roll icon Paul McCartney had his website hacked. (This attack isn’t necessarily originating in Russia, but I couldn’t refuse the obvious opportunity.)

It’s amazing how certain hackings follow the news. It was just a couple days ago when I was watching the news on TV (yes that old, outdated media) and learned that Paul McCartney and Ringo Starr were going to get back together for a “reunion” tour.

The website hacking could have been purely coincidental, as the toolkit planted on his website – Luckysploit, has been used in many, many recent website malware distributions. It could be that the cybercriminals behind this exploit  just happened to find this site vulnerable to their recent attack. I believe it’s irrelevant how or why, their timing was impeccable.

This is another example of social engineering used successfully to infect more computers.

Think of the millions of Beatle’s fans (my father-in-law is one of them – a fan not a virus victim) hearing about this reunion and flocking to Mr. McCartney’s website to find out where their concerts will be performed only to find out at the next anti-virus scan that they’ve been compromised by a bank login and password stealing virus.

The nerve of these hackers. Using something so “in the news” to lure millions of people to  infectious websites that have been planted with malicious code, appearing to be legitimate websites, for the sole purpose of delivering a virus that is currently evading detection by many anti-virus programs.

Is there no shame?

This attack is being carried out by the Zeus botnet. Yes while everyone was watching out for Conficker, many forgot about the other botnets out there.

It’s easy to spot the infectious malware code in the “source” of the web page. All you have to do is look for something that’s impossible to read because it is encrypted and obfuscated to avoid easy detection. Luckily for us, we don’t look for specific infections while scanning websites. Our systems are based on any changes to a website. We pay close attention to changes that include specific keywords, but our alert system is based on any changes made to a website.

Once again the cybercriminals use a popular event to spread their malware. This particular infection will steal banking credentials which are then sold on the open black market. This is one of the cybercriminals profit centers. They have many.

Be careful when using the Internet, you never know if you’re getting more than you bargained for.

Other Beatle’s songs that come to mind with my sub-titles:

“Do You Want to Know a Secret” (about my malware)

“Don’t Ever Change” (my website)

“Don’t Let Me Down” (please click on this infectious link)

“Eight Days a Week” (and I’ll infect you every one of them)

“Everybody’s Got Something to Hide Except Me and My Monkey” (okay maybe my monkey has some malware to hide too)

“Fixing a Hole” (in your website)

“Free as a Bird” (free as in free malware)

“From Me to You” (more malware from me to you)

“Get Back” (to where you can get infected)

“Got To Get You Into My Life” (so I can hack you some more)

“Help!” (I need the services of WeWatchYourWebsite)

“I Am the Walrus” (I live Belarus) (okay you find something that goes with Walrus)

I could go on, but the Beatles wrote a lot of songs and I need to save server space.

Let’s be careful out there…

By

Social Networks & Social Engineering – What a Pair

When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed on it “head in the sand” mentality.

We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.

Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to resonate one key strategy – build community. On of their favorite strategies is using social networks to build this community of loyal followers.

I shouldn’t say it’s one of their strategies, it’s one of their tactics. Their strategy is to always provide something of value. The social networks is just one way they suggest you use to distribute your valuable message.

Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.

My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.

Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.

I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering which is the art of deceiving others into clicking on a link that you think is safe.

As I write this, I’ve been bombarded with emails about people who received errors while trying to view your profile on Facebook. What happens is when someone clicks on your profile they get an error saying that they could find out the problem by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and this “application” will help you determine the cause.

If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that will display a message telling you you’re infected with a virus and offers to scan your system. Of course, this is a social engineering attempt. If you agree to the scan, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.

I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.

Come on back and read the follow-ups.

If you’ve had any experiences with one of the social networking sites, post a comment and let us know.

By

Is the Internet worth it?

I know I’ll be accused of FUD (Fear, Uncertainty, Doubt) with this post but here goes.
The whole world knows the Internet is used for building businesses. Some businesses rely solely on the Internet – they simply wouldn’t exist without it.
However, with all the security threats, at some point you have to ask: Is it worth it?

On November 12, 2008 the 63rd Session of the International Telecommunications Union (ITU) Council met and discussed the current state of cybersecurity. The event concluded with the declaration that cyber-security is one of the most important challenges of our time. The ITU Secretary-General, Dr. Hamadoun Toure stated: “The costs associated with cyber threats and cyber-attacks are real and significant — not only in terms of lost revenue, breaches of sensitive data, cyber-attacks and network outages but also in terms of lives ruined by identity theft, debts run up on plundered credit cards or the online exploitation of children.”

While I might not totally agree with the severity he states, I do agree that the situation is bleak – and apparently only getting worse.

Hackers use any method available to achieve their goal – total domination of the Internet. Okay, that’s really extreme.

Think of your own specific situation. You undoubtedly have at least one anti-virus (AV) program installed on your working computers, right? (many of you have 3-4 different security programs installed)

How many times has it actually caught a virus? If your AV is set to scan once a day, how often has it detected a virus/worm/trojan during it’s scan? If ever, you have to

During the course of the past 2 months we’ve seen the following security issues:

  • Malware delivered by infectious Adobe Acrobat files (pdf)
  • “Common” websites delivering malware (i.e., www.mlb.com, www.businessweek.com, www.cbs.com)
  • 85% of malware being delivered by infectious websites
  • Numerous content management systems (CMS) and forums having various vulnerabilities
  • “Hacking” used in a multitude of political wars (website defacements, etc)
  • More intelligent malware (blocking of AV updates, disabling security software)

In addition to the above list, more malware has been delivered via social engineering. Social engineering is the “art” of using deception to get a user to intentionally install something which turns out to be malware (definition of trojan).

Back in October we saw the keyword “costumes” being abused by cybercriminals to get people to visit malicious websites promising to offer fantastic ideas on Halloween attire. Then in November we saw numerous emails be circulated that offered various food recipes for Thanksgiving many of which resulted in webpages that contained more than recipes. They offered recipes for infection (you can use that if you want).

Along with the holiday themed malware strategies, here in the US we were also going through a Presidential election which brought about an abundance of election themed malware attacks. Then we had the year-end holidays and New Year’s each with their own malware messages and accompanying websites.

Now with the Presidential Inauguration just completed we’ve seen numerous messages “flying” around the internet touting “Obama refuses to take oath”. When any of these links are followed, they lead the unsuspecting inquisitive reader to a website that delivers more than the message they were seeking. It also attempts to infect their computer with little pieces of code that are just the beginning of taking control of the infected PC.

All of this is actual, real world reality. I didn’t make this “stuff” up. I didn’t write these viruses/worms/trojans like some of you think.

Cyber crime is something we all have to deal with.

You’re in business to solve some real world problem. Whether you’re a plumber or a rocket scientist, you solve someone’s problem otherwise you wouldn’t be in business.

I selected computer security as my profession and I believe I do it well. I try to solve real world computer security problems. If you find my work offensive, you’re free to ignore it.

I don’t work in FUD. I just merely try to educate you so you know what you’re facing being online.

Please leave me your comments on this posting.

Thank you.