By

The new Attack – d0lphin.biz

We recently came across a number of websites that have been injected with malscript iframes that load malware from d0lphin.biz. Following is our report on this attack.
 
Cybercriminals appear to be using their network of infected PCs to modify “hacked” websites and turning them into infectious websites – attempting to infect many more PCs.
  
This attack appears to only infect index pages; index.htm, index.html, index.php. That’s all we’ve seen thus far.
 

The malicious code that gets injected into these webpages is the following:

body of injected script

Which deobfuscates to:

deobfuscatedscript

The usual iframe malscript parameters: width=1, height=1 style=’visibility:hidden’
 

 What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible so we knew it had to be a Microsoft specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:

 

in.php malscript (click to enlarge)

 

Which deobfuscates to:  

in.php deobfuscated

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

 

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

load.php VirusTotal Results

 

 

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the Virus Total report on that file:

pdf.php VirusTotal Results

 

Inspecting the FTP log files for the infected website we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

89.36.84.249 which is Bucharest, Romania
98.209.145.133 which is Michigan, United States
74.211.69.79 which is New Mexico, United States
85.122.6.86 which is Bucharest, Romania
123.236.139.33 which is India
91.105.112.220 which is Great Britain, United Kingdom
96.20.117.224 which is Montreal, Canada
119.171.100.108 which is Tokyo, Japan
71.65.72.159 which is Ohio, United States
97.84.174.241 which is Michigan, United States
 

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs a website owner would have to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lpin.biz is hosted on show this for their whois:

 whois-d0lphin.biz

The whois on the domain d0lphin.bz is:

whois-domain-d0lphin.biz

Google’s report on the network hosting d0lphin.biz shows:

google-diags-network

FIRE’s maliciousnetworks.org shows this information for the network d0lphin.biz is hosted on:
 
FIRE-d0lphinNetwork
 
You see that their report shows 2 C&C Servers (Command and Control – the servers hackers use to control their botnets) and 2 exploit servers – both bad stuff.
 
Prevention of this type of attack on your website is simple. Keep your PCs clean of viruses. If want to be sure you’re PC is clean, don’t use an administrator account for your daily activities. If you can’t install software as your currently logged in user, neither can a virus.
 
What’s your thoughts on this new attack? Is there any further information you’d like to know? Let me know…

By

Another Round of Beladen? Or, The New "Go" Infection

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

  • daobrains.info/
  • safetyshareonline.com/
  • goslimscan.com/
  • goscansome.com/
  • globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

malscript-0-11

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

  • dtxzidl
  • bmno
  • wcdg
  • tpet
  • stqfpbc
  • meuhgor

In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

  • p\x61th=/\x3b exp\x69r\x65s
  • p\x61\x74h=/\x3b \x65x\x70i\x72es
  • p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires

One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

malscript-1-1

Which essentially does a Meta tag redirect. The above deobfuscates to:

malscript-2-1

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:

malscript-3-1

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

 “Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

 “Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.

Keep posted, we’ll be adding more information as we get it.