By

Another Round of Beladen? Or, The New "Go" Infection

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

  • daobrains.info/
  • safetyshareonline.com/
  • goslimscan.com/
  • goscansome.com/
  • globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

malscript-0-11

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

  • dtxzidl
  • bmno
  • wcdg
  • tpet
  • stqfpbc
  • meuhgor

In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

  • p\x61th=/\x3b exp\x69r\x65s
  • p\x61\x74h=/\x3b \x65x\x70i\x72es
  • p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires

One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

malscript-1-1

Which essentially does a Meta tag redirect. The above deobfuscates to:

malscript-2-1

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:

malscript-3-1

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

 “Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

 “Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.

Keep posted, we’ll be adding more information as we get it.

By

Don't Open That File!

Yes, just when you thought it was safe to open Adobe Acrobat files (with a .pdf extension), it’s not.

Everyone who reads this should update their Adobe Acrobat Reader here: http://www.adobe.com/support/security/bulletins/apsb09-04.html

Hackers (or as some prefer – cybercriminals), have found a new way to use pdf’s to infect computers (CVE-2009-0927) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927. By using a legitimate website, or websites, hackers can reach many more unsuspecting web users.

What the cybercriminals are doing is finding legitimate websites they can hack and replacing any pdf files with their infectious pdf’s. Anyone who opens that pdf, either on screen or by downloading it and then opening it, will be subjected to this exploit and could face infection.Some websites have various forms they use for reports, registrations or any of a number of uses.

Frequently the infected webpage is designed to open automatically when you visit the page. Rarely will the website owner know they have an infectious website. Often times the infectious website won’t actually contain the malicious code. The webpage will have a line of javascript that downloads the malicious code from some server in a land far far away.

I usually hear people saying, “I scanned my website with 5 different anti-virus programs and nothing was detected.”

While this doesn’t hurt, rarely will this action find the infected webpage because only the javascript code that “reaches” out to the far away server is on the webpage – and it’s heavily encrypted to avoid easy detection. The actual virus or other malicious code is located on their server and often it’s polymorphic – it changes it’s shape and size for each time it’s downloaded on a user’s PC. This “strategy” helps the infectious code in evading detection by most anti-virus programs.

Hacking of a legitimate website is nothing new in distributing malware as I’ve written about numerous times in other blog postings here.

Update your Adobe Acrobat Reader now!

Let’s be careful out there, huh?

Thank you.

By

Paul McCartney's Web Site Hacked – "Back in the USSR"

Yes it’s true. The rock n roll icon Paul McCartney had his website hacked. (This attack isn’t necessarily originating in Russia, but I couldn’t refuse the obvious opportunity.)

It’s amazing how certain hackings follow the news. It was just a couple days ago when I was watching the news on TV (yes that old, outdated media) and learned that Paul McCartney and Ringo Starr were going to get back together for a “reunion” tour.

The website hacking could have been purely coincidental, as the toolkit planted on his website – Luckysploit, has been used in many, many recent website malware distributions. It could be that the cybercriminals behind this exploit  just happened to find this site vulnerable to their recent attack. I believe it’s irrelevant how or why, their timing was impeccable.

This is another example of social engineering used successfully to infect more computers.

Think of the millions of Beatle’s fans (my father-in-law is one of them – a fan not a virus victim) hearing about this reunion and flocking to Mr. McCartney’s website to find out where their concerts will be performed only to find out at the next anti-virus scan that they’ve been compromised by a bank login and password stealing virus.

The nerve of these hackers. Using something so “in the news” to lure millions of people to  infectious websites that have been planted with malicious code, appearing to be legitimate websites, for the sole purpose of delivering a virus that is currently evading detection by many anti-virus programs.

Is there no shame?

This attack is being carried out by the Zeus botnet. Yes while everyone was watching out for Conficker, many forgot about the other botnets out there.

It’s easy to spot the infectious malware code in the “source” of the web page. All you have to do is look for something that’s impossible to read because it is encrypted and obfuscated to avoid easy detection. Luckily for us, we don’t look for specific infections while scanning websites. Our systems are based on any changes to a website. We pay close attention to changes that include specific keywords, but our alert system is based on any changes made to a website.

Once again the cybercriminals use a popular event to spread their malware. This particular infection will steal banking credentials which are then sold on the open black market. This is one of the cybercriminals profit centers. They have many.

Be careful when using the Internet, you never know if you’re getting more than you bargained for.

Other Beatle’s songs that come to mind with my sub-titles:

“Do You Want to Know a Secret” (about my malware)

“Don’t Ever Change” (my website)

“Don’t Let Me Down” (please click on this infectious link)

“Eight Days a Week” (and I’ll infect you every one of them)

“Everybody’s Got Something to Hide Except Me and My Monkey” (okay maybe my monkey has some malware to hide too)

“Fixing a Hole” (in your website)

“Free as a Bird” (free as in free malware)

“From Me to You” (more malware from me to you)

“Get Back” (to where you can get infected)

“Got To Get You Into My Life” (so I can hack you some more)

“Help!” (I need the services of WeWatchYourWebsite)

“I Am the Walrus” (I live Belarus) (okay you find something that goes with Walrus)

I could go on, but the Beatles wrote a lot of songs and I need to save server space.

Let’s be careful out there…

By

Halloween Costumes and SEO

Not to be left out of the upcoming festivities, hackers are using SEO to infect more people with their fake Anti-virus programs.

For the past week we’ve been monitoring 2 current events – Halloween and the financial crisis.

What we’ve seen is that hackers are infecting legitimate websites that show up in the SERPs when “halloween costume” is the the search term. Their infection includes some javascript that does a silent redirect to one of their websites which falsely shows the visitor that their computer might be infected and they should download “their” anti-virus software to improve the speed of the visitor’s computer.

The thing is, the infection of the legitimate website is a silent redirect that actually includes the keywords optimized for high SE rankings. So the hacker is actually making the infected webpage rank higher in the search engines. They actually use common SEO techniques to attract more people to their infectious webpages.

Another thing we’ve seen and has been confirmed by Panda Labs is the correlation between down days in the stock market and the amount of new malware released. As the market dips, the number of infectious files increases. We’ve been noticing this on our honeypots (computers we leave open on the Internet hoping they’ll get infected so we can further analyze the infection)

This kind of runs parallel with the halloween costume scenario. What the hackers are doing during the dips in the market are making “available” their rogue (read fake) anti-malware software via various infected webpages.

Instead of going after banking logins and other such useful information they’re (the hackers) interested in “legitimitizing” their business by selling their rogue anti-malware. First they have to convince the visitor that their computer is infected, then they offer an immediate solution.

Ingenious!

Following standard marketing strategies, the hackers are actually making the visitor aware of a need and then offering a quick solution – for $60.

According to Panda Labs, they estimate that this marketing strategy has made the hackers approximately $14 million a month. I’m not sure I follow their math, but regardless, the hackers are making money.

I believe that the financial crisis is creating more fear about identity theft and therefore making this strategy more effective during the down cycles in the market.

Just so you know, our honeypots are fed popular keywords based on current events and then they visit the resulting webpages, record the activity and that’s what we base our information on.

It’s a fun way of spying on the hackers and it’s what we use in our securitiy appliance “The Box” to blacklist websites and malicious code. It’s what we use in WeWatchYourWebsite to find malicious code. We then search all of our clients websites looking for this malicious code. If any is found, we alert them immediately.

Be careful out there. It’s getting real nasty.