
The Blame Game

Major Malware Outbreaks Evade Anti-Virus Protection

A report released on July 14, 2009 states that “Several successive and massive malware outbreaks caused a spike in malware that was undetected by major AV engines.”

In Commtouch’s Q2 Report available here, which covers the analysis of over 2 billion emails and Internet transactions, they also claim:

  • “Business” was the website category most infected with malware
  • An average of 376,000 new zombies were activated each day with malicious intent

Amir Lev, Chief Technology Officer of Commtouch said that for the last 18 months anti-virus (AV) engines used many generic signatures, which were effective at blocking malware. However, malware writers and distributors introduced new variants which are immune to these generic signatures.

This time period coincides with the infection of thousands of websites with gumblar, martuz and iframe malscripts, which then received Google’s moniker of “This site may harm your computer.”

The Blame Game

Answering many, many blog and forum postings from disgruntled website owners and developers who’ve been the victim of these recent gumblar, martuz and iframe infections, it’s been our experience that quite often the thought process of the victimized website owner follows this path:

  1. The website owner or webmaster receives an email from Google notifying them that their site is infectious. Google rarely (if ever) is wrong, so they immediately slap all SERPs (Search Engine Result Pages) with the “This site may harm your computer” label, thereby stopping all traffic dead in its tracks.
  2. Cautiously the site owner or webmaster will try to view the site. They don’t want to become infected from their own site, but their curiosity is overwhelming. They typically don’t see anything malicious.
  3. “How do I find and clean this?” Often these people will post questions on sites like Google’s Webmaster Forums or www.badwarebusters.org or some other favorite online watering hole.
  4. Then their focus turns to, “Who’s to Blame?”

The feeling of many site owners is one of “I’ve been violated and I need to blame someone.”

When hacking victims get to “Who’s to blame”, they quite often turn their attention to their hosting provider. Many times the blogs and forums are filled with postings where people blame even some of the largest hosting providers. Site owners want to instantly spend the time and money to move their website to a different hosting provider where they’ll once again feel safe and secure.

All because they feel it’s the hosting provider’s fault their site, or sites, were hacked.

The site owner or developer will call the hosting provider looking for assistance from their technical staff and quite frequently, they can’t find the obfuscated malscript buried deep inside some harmless HTML code either. Many times the website has been blocked by various anti-virus programs, Google’s search results and sometimes even corporate website filters for days or weeks before the issue is resolved.

Even if the site owner goes through the trouble of moving to a new hosting provider, with these recent infections, their site will just get hacked again and again.

Then who’s to blame? The new hosting provider? How many more hosting providers will the site owner move to until they finally find one that gives them that safe and secure feeling?

Many site owners want the hosting provider to take responsibility and clean their site. After all, they’re paying their $5 – $10 per month, so the hosting provider should take responsibility and spend the time to clean the infectious website, right? No matter how many times the site gets re-infected.

Don’t Shoot the Messenger

I hate to be the one to break it to you, but, hosting providers had nothing to do with websites getting hacked with the recent gumblar, martuz or iframe injections. It was anyone’s fault but theirs.

It could be the site owner’s fault, or the anti-virus company’s fault, or Microsoft’s fault, or the fault of the company that wrote the FTP software being used.

It was almost anyone’s fault – except that of the hosting provider.

Let me explain.

You see, with all the malware that went undetected by these generic signatures, thousands of PCs were compromised. According to the Commtouch report referenced above, 376,000 new zombies per day.

You could blame Microsoft; however, the Commtouch report also shows an increase in the amount of Mac malware as well. Besides, blaming Microsoft is so 2000-and-late.

These recent website infections came from viruses on the PCs of people who have FTP access to websites.

OMG!

Does that mean it could be the fault of the website owners, developers and webmasters?

It might, rabbit, it might.

These recent undetectable viruses steal FTP credentials – usernames and passwords. These viruses search through the files of popular FTP software looking for the file with the stored FTP credentials. These viruses also record keystrokes so when an infected PC is used to type in the FTP credentials, they get stolen. As another point of attack the viruses also “sniff” FTP traffic. Since FTP transmits all data in plain text, it’s easy for a sniffer to see the username and password in the FTP data stream and steal it. We even did a video to show how easy it is to sniff FTP traffic. It’s so easy that some people use a sniffer on their own FTP traffic if they forgot their stored password. Here’s our video.
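The sniffing point above is the part of the chain a defender can actually see for themselves: because the FTP login goes over the wire unencrypted, a USER/PASS exchange shows up in any connection log just as readily as it does to a credential-stealing trojan. The script below is an added example (not from the original post or its video) that reads such a log and reports which clients are still sending passwords in the clear, so they can be moved to SFTP or FTPS; it deliberately never echoes the password value. The log line layout (`<src> -> <dst>:21 <COMMAND> [argument]`) and the sample lines are constructed assumptions for this example.

```python
"""Detect plaintext FTP logins from a control-channel command log.

Added example, not code from the original post. The detector reports only
WHICH client sent a password without TLS protection and never includes the
secret itself in its output.
"""
import re
from collections import Counter

# Constructed sample log. The "<src> -> <dst>:21 <COMMAND> [argument]" layout is an
# assumption for this example; a real feed would come from an IDS or proxy log.
# The 10.0.0.7 client upgrades with AUTH TLS, so its later commands are encrypted
# and would not be readable in a capture at all.
SAMPLE_LOG = """\
10.0.0.5 -> 203.0.113.10:21 USER webmaster
10.0.0.5 -> 203.0.113.10:21 PASS correct-horse
10.0.0.5 -> 203.0.113.10:21 CWD /public_html
10.0.0.7 -> 203.0.113.10:21 AUTH TLS
10.0.0.9 -> 203.0.113.11:21 USER deploy
10.0.0.9 -> 203.0.113.11:21 PASS battery-staple
10.0.0.9 -> 203.0.113.11:21 STOR index.html
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+):21 (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$"
)


def plaintext_logins(lines):
    """Return {client_ip: number of PASS commands sent without a prior AUTH TLS}."""
    tls_clients = set()   # simplification: keyed by client IP rather than per session
    counts = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an FTP control-channel line; ignore
        src, cmd, arg = m["src"], m["cmd"].upper(), (m["arg"] or "")
        if cmd == "AUTH" and arg.upper().startswith("TLS"):
            tls_clients.add(src)  # subsequent commands from this client are encrypted
        elif cmd == "PASS" and src not in tls_clients:
            counts[src] += 1      # password crossed the network in the clear
    return dict(counts)


def report(lines):
    """Human-readable findings; the password value is never included."""
    return [
        f"{src}: {n} plaintext FTP password(s) observed; move this client to SFTP or FTPS"
        for src, n in sorted(plaintext_logins(lines).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it against a real command log and every client that appears in the report is one whose FTP credentials could have been read by anything sitting on the path; the fix is the same as the post implies, which is to stop using plain FTP rather than to change the password and carry on.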

Virus writers are incredibly smart and this round of malware proves it.

Once the virus has the FTP credentials it sends them to the server of a cybercriminal. This server is configured to log in to the website as a valid user, inject its infectious code and move on to the next site.
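Because the injection is automated and the injected code is, as the post says, buried inside otherwise harmless HTML, the practical defender's question is how to find it across a whole web root. The scanner below is an added example, not code from the original post and not a gumblar or martuz signature; it flags the two generic traits the post describes, an iframe nobody is meant to see and a script that hides what it runs behind eval()/unescape() over a long run of escape sequences. The sample pages, the heuristics and the file-name glob are assumptions for this example.

```python
"""Heuristic scan of HTML files for injected hidden iframes and obfuscated scripts.

Added example, not code from the original post. It carries no signatures for
gumblar or martuz; it flags generic traits: an <iframe> sized or styled to be
invisible, and a <script> that decodes a long run of %xx or \\x.. escapes before
executing it.
"""
import re
from pathlib import Path

# Constructed sample pages: one clean, one with a hidden iframe, one with an
# obfuscated script (the escapes spell the harmless text "document.write").
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Clean page.</p></body></html>",
    "about.html": (
        "<html><body><p>About us</p>"
        '<iframe src="http://example.invalid/x.php" width="0" height="0" '
        'style="visibility:hidden"></iframe></body></html>'
    ),
    "contact.html": (
        "<html><body><script>"
        "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))"
        "</script></body></html>"
    ),
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_ATTR_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?!\d)|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.I,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODER_RE = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I)
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)


def scan_html(text):
    """Return a list of finding labels for one HTML document (empty if clean)."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        if HIDDEN_ATTR_RE.search(tag):
            findings.append("hidden-iframe")
    for body in SCRIPT_RE.findall(text):
        # Both a decoder call and a long escaped run are required, which keeps
        # ordinary minified scripts from being reported.
        if DECODER_RE.search(body) and ESCAPE_RUN_RE.search(body):
            findings.append("obfuscated-script")
    return findings


def scan_directory(root):
    """Walk a web root and map each suspicious file (relative path) to its findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.htm*")):
        hits = scan_html(path.read_text(errors="replace"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, html in SAMPLE_PAGES.items():
            (Path(tmp) / name).write_text(html)
        for rel, hits in scan_directory(tmp).items():
            print(f"{rel}: {', '.join(hits)}")
```

Point `scan_directory()` at a copy of the site and review every hit by hand; a file flagged here is a lead, not proof, and a clean result does not cover PHP, JavaScript or CGI files, which the commenter below found to be where the evidence was actually sitting.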

Who’s to Blame?

How many websites did you visit that displayed some type of ad? Did you know that many ad networks have served up infectious ads – unknowingly of course, but nonetheless, the ads could have infected many visitors.

How many websites did you visit that displayed Flash intros or allowed you to view an Adobe Acrobat file (PDF)? Adobe had a few vulnerabilities in their software that were exploited during and prior to this time period. Combine a vulnerability in files so widely used with the ineffective generic anti-virus signatures, and there’s another source to blame. Maybe two new sources – the AV companies and Adobe.

Did you update your Adobe products as soon as the update was available?

If not, then there’s another person to blame – you.

Could the companies that wrote the FTP software used maybe have encrypted the stored usernames and passwords so that it wasn’t quite so easy to find and steal the FTP credentials? There’s another source to blame.

Maybe if so many people didn’t use their PCs with full administrator rights, there wouldn’t be such a virus outbreak in the first place. Maybe these PC owners are to blame.

Whoever you decide to blame, don’t incur the costs involved with moving to a new hosting provider before you find out what your site was infected with and how those infections occurred. You might be barking up the wrong tree.

I’ll tell you, the cybercriminals are to blame.

They’re the people who write and distribute viruses, malware and malscripts.

Cybercriminals (some call them hackers) want to control as many computers as they possibly can. They don’t care if it’s a computer for a university or if it’s the computer of a new Internet start-up company. One compromised computer looks just the same as another.

Compromised computers make up their inventory.

You know what a hacker calls an uninfected computer – opportunity!

Their digital assets are the computers they control. Oftentimes some of their inventory of infected computers gets rented out to other cybercriminals. This provides them with a source of income.

If you really need to blame someone, blame the hackers, or the international cyber laws, or the world economy. Just don’t blame the hosting providers.

Hosting providers provide a very valuable service. Their margins are squeezed tighter and tighter as it seems everybody thinks it’s a great idea to enter the hosting industry. The good hosting providers work hard for their customers. They depend on customer retention and acquisition – just like every other business. They do the best they can with what they have.

The only thing a hosting provider could do to prevent these gumblar, martuz and iframe infections is to block all FTP traffic. Then you would have a very good reason to blame them for something, but you still wouldn’t be able to justify blaming them for the rash of website infections.

It simply isn’t their fault.

Let me know your thoughts on this. Who would you blame if your site got hacked? Who did you blame if your site was already hacked?

9 Responses to The Blame Game

  1. Rob says:

    Great post and very informative. I run a Forum and have been ‘hit’ twice, the last one about two weeks ago. Who’s to blame? Simple … me. Accept responsibility, sort it out and move on.
    I decided to change my anti-virus programme, so let’s see if it’s any better.

  2. wise bets says:

    No need to answer your question as you already did. It might be anyone’s fault for getting infected. But mainly it’s webmasters’ fault because they aren’t informed very well about the new threats, and what they should and should not do. This kind of article is simply a great source of knowledge.

    I hope that I won’t have the same problem again, like I did when Mr. Thomas helped.
    Regards, and thanks again.

  3. HackTalk says:

    I really enjoyed this article and agree that there are a plethora of possible “scapegoats” when it comes to botnets and such but in the end it all falls on those people with malicious intents who go out and spread these malicious programs on the unsuspecting public and not a hosting company or an FTP software manufacturer, etc.

  4. abilitydesigns says:

    Great informative post.

    Is it a safer option to ditch the FTP programs like CuteFTP or Filezilla and simply use the hosting Cpanel to upload/download files ?

    AD

    • admin says:

      Thank you for the comment.

      While avoiding FTP is a good idea, the fact that this virus also installs a keyboard logger leads one to believe that even CPanel access might be compromised. At that point the cybercriminals could add their own FTP account then carry out more malicious attacks that very few people would even realize.

      We feel that the real key here is to keep PCs clean. Please do not use a PC with administrator rights. It can be very dangerous.

  5. Carl Raschke says:

    My site was flagged by Google for seven weeks before Tom went in there and eventually fixed it. After much discussion and sleuthing, it became obvious the site had suffered a Gumblar attack. Tom found the telltale evidence in the cgi-bin. We are a non-profit, but fairly high-profile, academic web site, and Tom was gracious enough to volunteer to clean it up for us.

    The irony is that until I found Tom serendipitously through a forum at stopbadware.org, we had been getting an endless stream of well-intentioned, but wrong advice from tech support at our web hosting service, which is large and has a very good reputation in the industry. Repeatedly they kept denying after performing their own scans that there was any malware. They kept saying we needed to upgrade security, even though we were at the maximum level that their provider provides.

    They also advised us to tear down all the file trees, clean them up, and reload. We did that, but still Google kept flagging us. It was sort of like trying to cure the flu with leeches and bloodletting, and it didn’t work, of course. No one ever thought to say, even after about many wasted hours, “check the cgi-bin.”

    I finally got pushy and demanded to speak directly with the head tech guy, which I did. He assembled a team, worked several hours, and finally realized there was something wrong with the cgi-bin, but wasn’t sure where it might be located. He also personally checked for code (or at least that’s what he said), but couldn’t be sure what he was looking for.

    It was just then I found Tom.

    It is clear to me now that, after the magnitude of this attack on the digital networks and after trying to learn as much as I could (including this blog), that we have experienced something unprecedented. It may not be equivalent to a cyber-911, but it has had a lasting effect. Fortunately, our readers were understanding, but a commercial site would have been devastated.

    I agree that the “blame game” has gone nowhere, at least when it comes to web hosting services. Clearly, most web hosting tech people, including supervisors, were not informed – or had no way of knowing – about Gumblar, Martuz, etc. breadth, as well as their breadth and scope. They weren’t in Kansas anymore.

    But while “blame” is not appropriate, assessing accountability is, so that it won’t happen again. We did that with 911. I’m amazed that while we heard in the press a lot about Gumblar while it was happening, we had very little information about its ability to get through the standard AV software, or the damage. That probably should have been the job of the appropriate “national cybersecurity” officials, which seemed to have failed us. Maybe they didn’t know either, which means we need far more awareness of these threats, who these cybercriminals might be (I know Tom has his theories), and how they operate.

    We probably don’t need a “Martuz Commission,” but if we all remain in the dark about this, the next wave could be even more devastating. We all know about the nature of the swine flu threat, how to guard against it, and what are its symptoms. How come we don’t have the same knowledge as a public about the electronic kind of viruses, and given the time I was “down” in June and July, I would have almost preferred (well, maybe not) the biological version.

    • admin says:

      We’ve been trying to work with many hosting providers, but quite often we’re told “we already have a security team.”

      While that might be true, I think the “security team” of most hosting providers don’t spend enough time learning the latest attack vectors of today’s cybercriminals. It might also be that they’re the ones who drew the short straw that week.

      Many of the gumblar, martuz and iframe injections were following a relatively basic pattern. How does that escape the discovery process of a security team? Accountability is key when discussing any security situation and maybe the breach disclosure laws should be expanded to include more web based attacks as well, but until people do stand up and take responsibility for their actions, it’s just a concept not based on reality.

      Maybe we’ll start the Martuz Commission. A global warning system alerting website owners, webmasters and hosting providers of the latest threats, how to check for them, how to clean them and how to prevent them.

      Thank you for the idea.

  6. Pingback: The Blame Game | HackTalk

  7. JD says:

    I’m not sure if this is an appropriate solution, but wouldn’t running a sandbox just for dev work help alleviate this sort of thing.

    I do all my dev work inside an ubuntu virtualbox, so using my uninformed logic, even if the desktop itself is infected for whatever reason, the sandbox is a sterile environment with precautions not dissimilar to that used to minimise the risk of infection in hospital operating theatres.
