I don’t like making every announcement of new infections regarding timthumb.php. It feels like everyone is pointing the finger at the author, but I do have to report the recent happenings, so here goes.

The latest website infections we’ve been seeing inject obfuscated script to the bottom of .html files and the index.php file.

The code looks like:

(opening script tag)String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q)... n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h...eval(ss);(closing script tag)

We usually see this at the very bottom of the file. Typically after the closing html tag in an html file.

This code deobfuscates to an iframe that includes:

microsearchstat.com/temp/stat.php

As of this writing, Google does not find this URL suspicious, however:

What is the current listing status for microsearchstat.com? This site is not currently listed as suspicious.

What happened when Google visited this site? Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-09-02, and the last time suspicious content was found on this site was on 2011-09-02. Malicious software includes 1 trojan(s).

That is for today, September 2, 2011. Which is the same day that Google reports as the last time they found suspicious content.

Again, we’ve cleaned this on WordPress sites with vulnerable timthumb.php files. These really need to be updated.

If your website is listed as having malicious or suspicious content and it’s linked to microsearchstat.com, you might want to look for the code mentioned above.

If you need help cleaning this, please send us an email: support@wewatchyourwebsite.com or call us at (847)728-0214.

Have you spotted this on your website? Let us know…

The malicious code that gets injected into these webpages is the following:

Which deobfuscates to:

 What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible so we knew it had to be a Microsoft specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:

 (click to enlarge)

Which deobfuscates to:  

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the Virus Total report on that file:

Inspecting the FTP log files for the infected website we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs a website owner would have to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lpin.biz is hosted on show this for their whois:

The whois on the domain d0lphin.bz is:

Google’s report on the network hosting d0lphin.biz shows:

Major Malware Outbreaks Evade Anti-Virus Protection

A report released on July 14, 2009 states that “Several successive and massive malware outbreaks caused a spike in malware that was undetected by major AV engines.”

In Commtouch’s Q2 Report available here , which covers the analysis of over 2 billion emails and Internet transactions, they also claim:

• “Business” was the website category most infected with malware
• An average of 376,000 new zombies were activated each day with malicious intent

Amir Lev, Chief Technology Officer of Commtouch said that for the last 18 months anti-virus (AV) engines used many generic signatures, which were effective at blocking malware. However, malware writers and distributors introduced new variants which are immune to these generic signatures.

This time period coincides with the infection of 1,000s of websites with gumblar, martuz and iframe malscripts which then received Google’s moniker of “This site may harm your computer.”

The Blame Game

Answering many, many blog and forum postings from disgruntled website owners and developers who’ve been the victim of these recent gumblar, martuz and iframe infections, it’s been our experience that quite often the thought process of the victimized website owner follows this path:

1. The website owner or webmaster receives an email from Google notifying them that their site is infectious. Google rarely (if ever) is wrong so they immediately slap all SERPs (Search Engine Result Pages) with the “This site may harm your computer” label thereby stopping all traffic dead in it’s tracks.
2. Cautiously the site owner or webmaster will try to view the site. They don’t want to become infected from their own site, but their curiosity is overwhelming. They typically don’t see anything malicious.
3. “How do I find and clean this?” Often these people will post questions on sites like Google’s Webmaster Forums or www.badwarebusters.org or some other favorite online watering hole.
4. Then their focus turns to, “Who’s to Blame?”

The feeling of many site owners is one of “I’ve been violated and I need to blame someone.”

When hacking victims get to “Who’s to blame”, they quite often turn their attention to their hosting provider. Many times the blogs and forums are filled with postings where people blame even some of the largest hosting providers. Site owners want to instantly spend the time and money to move their website to a different hosting provider where they’ll once again feel safe and secure.

All because they feel it’s the hosting provider’s fault their site, or sites, were hacked.

The site owner or developer will call the hosting provider looking for assistance from their technical staff and quite frequently, they can’t find the obfuscated malscript buried deep inside some harmless HTML code either. Many times the website has been blocked by various anti-virus programs, Google’s search results and sometimes even corporate website filters for days or weeks before the issue is resolved.

Even if the site owner goes through the trouble of moving to a new hosting provider, with these recent infections, their site will just get hacked again and again.

Then who’s to blame? The new hosting provider? How many more hosting provider’s will the site owner move to until they finally find one that gives them that safe and secure feeling?

Many site owner’s want the hosting provider to take responsibility and clean their site. After all, they’re paying their $5 – $10 per month so the hosting provider should take responsibility and the spend the time to clean the infectious website, right? No matter how many times the site gets re-infected.

Don’t Shoot the Messenger

I hate to be the one to break it to you, but, hosting providers had nothing to do with websites getting hacked with the recent gumblar, martuz or iframe injections. It was anyone’s fault but theirs.

It could be the site owner’s fault, or the anti-virus company’s fault, or Microsoft’s fault, or the fault of the company that wrote the FTP software being used.

It was almost anyone’s fault – except that of the hosting provider.

Let me explain.

You see, with all the malware that went undetected by these generic signatures, thousands of PCs were compromised. According to the Commtouch report referenced above, 376,000 new zombies per day.

You could blame Microsoft, however, the Commtouch report also shows an increase in the amount of Mac malware as well. Besides, blaming Microsoft is so 2,000 late.

These recent website infections came from viruses on the PCs of people who have FTP access to websites.

OMG!

Does that mean it could be the fault of the website owners, developers and webmasters?

It might, rabbit, it might.

These recent undetectable viruses steal FTP credentials – usernames and passwords. These viruses search through the files of popular FTP software looking for the file with the stored FTP credentials. These viruses also record keystrokes so when an infected PC is used to type in the FTP credentials, they get stolen. As another point of attack the viruses also “sniff” FTP traffic. Since FTP transmits all data in plain text, it’s easy for a sniffer to see the username and password in the FTP data stream and steal it. We even did a video to show how easy it is to sniff FTP traffic. It’s so easy that some people use a sniffer on their own FTP traffic if they forgot their stored password. Here’s our video.

Virus writers are incredibly smart and this round of malware proves it.

Once the virus has the FTP credentials it sends them to the server of a cybercriminal. This server is configured to login to the website as a valid user, inject it’s infectious code and move on to the next site.

Who’s to Blame?

How many websites did you visit that displayed some type of ad? Did you know that many ad networks have served up infectious ads – unknowingly of course, but nonetheless, the ads could have infected many visitors.

How many websites did you visit that displayed Flash intro’s or allowed you to view an Adobe Acrobat file (pdf)? Adobe had a few vulnerabilities in their software, that were exploited during and prior to this time period. Combine a vulnerability in files so widely used with the ineffective generic anti-virus signatures, and there’s another source to blame. Maybe two new sources – the AV companies and Adobe.

Did you update your Adobe products as soon as the update was available?

If not, then there’s another person to blame – you.

Could the companies that wrote the FTP software used, maybe have encrypted the stored usernames and passwords so that it wasn’t quite so easy to find and steal the FTP credentials? There’s anothe source to blame.

Maybe if so many people didn’t use their PCs with full administrator rights, there wouldn’t be such a virus outbreak in the first place. Maybe these PC owners are to blame.

Whoever you decide to blame, don’t incur the costs involved with moving to a new hosting provider before you find out what your site was infected with and how those infections occurred. You might be barking up the wrong tree.

I’ll tell you, the cybercriminals are to blame.

They’re the people who write and distribute viruses, malware and malscripts.

Cybercriminals (some call them hackers) want to control as many computers as they possibly can. They don’t care if it’s a computer for a university or if it’s the computer of a new Internet start-up company. One compromised computer looks just the same as another.

Compromised computers make up their inventory.

You know what a hacker calls an uninfected computer – opportunity!

Their digital assets are the computers they control. Often times some of their inventory of infected computers gets rented out to other cybercriminals. This provides them with a source of income.

If you really need to blame someone, blame the hackers, or the international cyber laws, or the world economy. Just don’t blame the hosting providers.

Hosting providers provide a very valuable service. Their margins are squeezed tighter and tighter as it seems everybody thinks it’s a great idea to enter the hosting industry. The good hosting providers work hard for their customers. They depend on customer retention and acquisition – just like every other business. They do the best they can with what they have.

The only thing a hosting provider could do to prevent these gumblar, martuz and iframe infections is to block all FTP traffic. Then you would have a very good reason to blame them for something, but you still wouldn’t be able to justify blaming them for the rash of website infections.

It simply isn’t their fault.

Let me know your thoughts on this. Who would you blame if your site got hacked? Who did you blame if your site was already hacked?