I will be sharing a recent high-profile security breach I encountered, which caused the infection of 40,000+ websites worldwide. Until last year we had heard of mass infections of personal computers, but 2009 marks the mass infection of websites, which is very dangerous to millions of innocent users around the globe.
“The attack is very advanced,” says Stephan Chenette, manager of security research at Websense Labs. The attacks, which began about a week ago, show no signs of slowing down, said Dancho in a posting on his blog; the post also shows the high-profile sites infected by the attack.
Unfortunately, one of my clients was a victim of this ongoing scenario. His popular forum had been under attack for a week, with the forum home page defaced and users redirected to a malicious site, googleanalytlcs.net, so anyone who came to his site was subject to the attack. A closer look at the domain googleanalytlcs.net reveals that the “i” in analytics has been replaced with a lowercase “L”, which tricks users into thinking it is a site owned by Google, but it is not.
I will explain how I dealt with this situation and all the little decisions I made in solving this problem. I am not able to share the website address due to privacy issues, so let us call the forum xyz.com.
The owner of xyz.com called me and asked me to check his website. When I opened it in Google Chrome I saw this weird alert. It says “Warning: Visiting this site may harm your computer”.
(Screenshot: warning given by Google Chrome)
At first I thought the forum might contain some illegal/malicious files attached by forum members, with active links to the malicious site. I scanned the database and found nothing. Then I checked the Safe Browsing advisory provided by Google to learn more about the alert, but to my surprise the advisory said the forum was neat and clean. Seeing this, a lot of questions began to hang in and around me. Is Google Chrome vulnerable? So I opened xyz.com in Firefox; it didn't show the warning. Then I checked Internet Explorer 8; it too showed no warning, but it crashed when attempting to load the forum. So I concluded that it was something to do with Chrome, which turned my attention to scanning the source code of index.php.
I scanned the source code of index.php, which is the default naming convention for the first page of a website. At first look it didn't show any problem; the screenshot below shows the source code of index.php. The first arrow shows the start of the source code with an opening PHP tag.
But when I scrolled to the right side of the page, towards the second arrow, I found suspicious code hidden inside the PHP tag, which is shown in the screenshot below.
To confirm what this code might do, I copied the exploit code, inserted it in a file named test.php and opened it in the Chrome browser to see what happens. Bingo! It gave the same warning. The warning is shown only the first time: the code creates a cookie named zyipppspgerfd which ensures the alert is shown only once, and if we clear the cookie and reload test.php we get the warning again. I deleted the exploit code from the index.php file and rechecked for any similar code, and I didn't find anything else. The forum was restored to normal and underwent an SQL vulnerability check.
How does the infection spread?
I did some research on Google and came to the conclusion that the attack originates with a SQL injection of the code through a form on a web page somewhere on the site, or on another site on the server where the site is hosted, and the autonomous system spreads malicious code using scareware, rogue antivirus software and exploit sites (including the latest PDF exploits). The ingenious attack plants itself at the server level, starts searching through folders looking for files with “index” or “default” names and replicates itself into those pages. Just one compromised form on one site on a server will have a cascading effect on every website on the same web server. The attacker compromises a legitimate website and adds code that silently redirects to the exploit site; users who browse to the compromised website are redirected unknowingly to the exploit site.
(Screenshot: exploit code which invokes an alert in Chrome when it tries to redirect.)
Technique used to hide the exploit code from Google
Malicious code is embedded in a PHP tag using an obfuscation method that begins with the initialization of a string parameter. This gets de-obfuscated and then executed by the browser. This kind of technique can employ many levels of obfuscation, in which the obfuscated code leads to more obfuscated code, and so on. The encoded script is decoded when invoked (“base64_decode”); this is so that search engines can't scan it, but Google is one step ahead of them, correctly flagging that the site is infected with malware. The exploit code is obfuscated to prevent people from finding out what the code actually does. I was not able to fully decode the script into human-readable form due to lack of time. For web application programmers working at security firms I have uploaded the obfuscated exploit code in a text file; you can download it from here. I would appreciate it if somebody could de-obfuscate the code for geniushackers.com.
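Both the spreading behaviour (injections landing in “index”/“default” pages across a server) and the hiding technique (a base64 blob fed into a decoder inside a PHP tag) can be hunted for from the server side. The scanner below is an added example written for this post, not code from the original article or from any of the parties it mentions: it walks a web root, flags the high-confidence shape `eval(<decoder>(...))`, flags long quoted base64 literals as a low-confidence hint, and peels one base64 layer to look for the look-alike domain named above. The site layout, file contents and the stand-in payload it scans are constructed for the demonstration; only the `googleanalytlcs.net` indicator comes from the post.

```python
"""Scan a web root for injected PHP of the shape described in the post.

Added example (not code from the original post). All file names and
sample content below are constructed; the domain indicator is from the post.
"""
import base64
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".php", ".phtml", ".html", ".htm"}

# High confidence: eval() wrapping a decoder call, e.g. eval(base64_decode("...")).
EVAL_OF_DECODER = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Low confidence on its own: a long quoted base64 literal (inline images look like this too).
LONG_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{100,}={0,2})['"]""")
# Indicator taken from the post: the look-alike redirect domain.
IOC_DOMAIN = re.compile(r"googleanalytlcs\.net", re.I)


def decode_one_layer(blob: str) -> str:
    """Decode a single base64 layer; return '' if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def scan_text(text: str) -> list[str]:
    """Return sorted, de-duplicated finding labels for one file's contents."""
    findings = set()
    if EVAL_OF_DECODER.search(text):
        findings.add("eval-of-decoder")
    if IOC_DOMAIN.search(text):
        findings.add("ioc-domain-plaintext")
    for match in LONG_B64_LITERAL.finditer(text):
        findings.add("long-base64-literal")
        # Peel one layer so a domain hidden behind base64 is still caught.
        if IOC_DOMAIN.search(decode_one_layer(match.group(1))):
            findings.add("ioc-domain-in-decoded-payload")
    return sorted(findings)


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each web file under root that has findings to its finding labels."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            findings = scan_text(path.read_text(errors="replace"))
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def build_demo_site(root: str) -> None:
    """Write a constructed site: one clean page and one page carrying an injection."""
    # Constructed stand-in payload; the post does not reproduce the real one.
    payload = (b'<script type="text/javascript" '
               b'src="http://googleanalytlcs.net/constructed-sample-path.js"></script>')
    blob = base64.b64encode(payload).decode("ascii")
    Path(root, "about.php").write_text(
        "<?php require 'config.php'; echo 'About this forum'; ?>\n")
    Path(root, "index.php").write_text(
        "<?php require 'config.php'; ?>\n<html><body>Forum home</body></html>\n"
        # The injected tag sits far to the right of a long line, as in the screenshot.
        + " " * 200 + '<?php eval(base64_decode("' + blob + '")); ?>\n')


def run_demo() -> dict[str, list[str]]:
    """Build the constructed site in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, labels in run_demo().items():
        print(f"{name}: {', '.join(labels)}")
```

Treat `eval-of-decoder` and either `ioc-domain-*` label as actionable; `long-base64-literal` alone is common in clean pages (embedded images, serialized data) and is only worth a look when it co-occurs with the others. Run it from outside the web root, against a read-only copy if possible, and re-run after cleanup, since the post notes the code replicates across every `index`/`default` page it can reach.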
Daniel Wesemann (SANS), SANS Internet Storm Center
The above survey was released by Niels Provos of the Google Security Team on the Google Online Security Blog on June 3, 2009. The graph shows the top 10 malware sites as counted by the number of compromised websites that referenced them. All domains on the top-10 list are suspected to have compromised more than 10,000 websites on the Internet. The graph also contains arrows indicating when these domains were first listed via the Safe Browsing API and flagged in their search results as potentially dangerous. The domain googleanalytlcs.net stands 2nd on the top-10 list, which shows the gravity of the situation we are facing here.
Is WordPress affected by this mass injection?
Unfortunately, WordPress version 2.6 and below is vulnerable to this kind of attack, which has been confirmed by the ebiquity blog, hacked two weeks ago. They explained it was due to a WordPress installation exploit, and that upgrading the blog to the latest WordPress release will hopefully prevent the exploit from being used again.
Installation of the plugin Thickbox Gallery v2 also caused a file inclusion vulnerability in WordPress, which was discovered by Sirgod.
Which malicious website holds the payload for the attack?
According to the DNS search, the hosting malicious site was located in the IP subnet block of 220.127.116.11, which belongs to the Russian Business Network (RBN). But now googleanalytlcs.net comes from the IP block 18.104.22.168/24, which is part of AS48031 NOVIKOV, located in Ukraine.
How to prevent the infection/attack?
- Check for SQL vulnerabilities using an updated scanner, and tighten up the code that processes all the forms on your site and the web server (seek the help of your webmaster).
- Upgrade to the new WordPress version, because WP versions below 2.6 are believed vulnerable to this attack.
- Create a backup copy of the “index” or “default” pages of the website; in case of infection it saves time over re-coding.
- Shared hosting members must be aware that compromising any website on the same web server will be fatal to all residing in the shared environment.
- Do not surf the Internet while you are logged in to your web server or WordPress account.
- Configure your firewall to block the IP used by the malicious website.
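A backup copy of the “index” and “default” pages gets the site restored quickly, but it does not tell you the moment something was appended to them. The check below is an added example for this post, not the author's own tooling: it records a SHA-256 digest of every `index.*` and `default.*` file under the web root, writes that baseline to a JSON file kept outside the web root, and on the next run reports pages that were modified, added or removed, which covers the server-level replication into those file names described above. The directory layout, file contents and the simulated change are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for a site's entry pages.

Added example (not code from the original post). The site layout and the
simulated modification below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED_STEMS = {"index", "default"}  # file names the post says the injection targets


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large pages do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def entry_pages(root: str):
    """Yield every index.* / default.* file anywhere under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stem.lower() in WATCHED_STEMS:
            yield path


def build_baseline(root: str) -> dict[str, str]:
    """Map each watched page (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in entry_pages(root)}


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report pages whose digest changed, pages that appeared, and pages that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, simulate the spread, compare."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root, "htdocs")
        (site / "forum").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'config.php'; ?>\n")
        (site / "forum" / "index.php").write_text("<?php require '../config.php'; ?>\n")
        (site / "about.php").write_text("<?php echo 'about'; ?>\n")  # not a watched name

        baseline_file = Path(root, "baseline.json")  # kept outside the web root
        save_baseline(build_baseline(str(site)), baseline_file)

        # Simulate the server-level spread described in the post: append to one
        # entry page and drop a new default page into a sub-folder.
        with (site / "forum" / "index.php").open("a") as handle:
            handle.write("<?php /* constructed stand-in for an injected tag */ ?>\n")
        (site / "forum" / "default.php").write_text("<?php /* constructed new page */ ?>\n")

        return compare(str(site), load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Schedule `compare` from cron or a monitoring host and alert on any non-empty list; a digest change on an entry page you did not deploy is exactly the signal the post's victim lacked until Chrome's warning appeared. Keep the baseline file (and ideally the comparison itself) off the web server: an attacker with write access to `index.php` can also rewrite a baseline stored beside it.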