• Reuters via Threat Level | Wired.com

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.

Infection Statistics:

• 190 countries
• 40 of the largest financial institutions
• 50% of 1,000 largest companies

vBulletin is a little bit different than the list of CMSes we have been analyzing in this series. The first and most apparent being that it is not a free piece of software. The vBulletin site displays a cost of $195-$285 for a new license. The obvious question then, is why do people pay for this CMS when there are other good CMSs available for free? The answer lies in the varied list of features, such as a built-in photo album, event management and many other interesting and helpful features. Add to this good support, compatibility with existing software, many themes, built-in integration for payment engines and advertisement support… it’s not hard to see why vBulletin has acquired a large fan base.

Next, we will take a closer look at vBulletin to understand security issues facing active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of vBulletin sites using older versions of the CMS package (and hence vulnerable to attacks).
• To identify the associated scripts vBulletin that users install in addition to core vBulletin functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed vBulletin. Understandably, not all 100,000 websites would actually be using vBulletin. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by vBulletin or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 5th and February 8th, 2010.

Distribution of vBulletin versions:

In 93.09% of sites running on vBulletin the version number could be identified. We found the following distribution of vBulletin versions in the websites examined (where versions of installations could be determined). A more detailed breakdown of the distribution of vBulletin versions can be seen at the end of this article.

Significant numbers of older vBulletin installations are present on the Internet.

Note: Publicly available information about exploits for vBulletin 3.x.x and earlier versions exist. [1] [2]

We present the most interesting results here:

• Nearly 95% (see graph above) of vBulletin sites are running older versions for which exploits are available.
• None of the vBulletin sites were blacklisted by Google Safe Browsing.
• Only 13.5% of vBulletin sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware. All Iframes found loaded ads.
• 10.2% of the vBulletin sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.1% of the vBulletin sites use Mootools
• None of the vBulletin sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like WordPress, vBulletin also suffers from a large number of vulnerable installations being available on the Internet. It is intriguing to see that a CMS system, which is not free, and is tightly controlled is not kept up to date across the board. Consider the case of Drupal, where we observed that the variety in the versions of various installations is very low. The natural question at this point is: why is a free CMS system like Drupal doing better, security-wise, than a commercial CMS system like vBulletin? Why are most Drupal installations up to date. One thing to note though is that like Drupal and phpBB, vBulletin installations also seem to be relatively safe from the most prevalent malware. Most Iframes on vBulletin sites are Ads, a likely revenue stream for most forum admins.

The fact remains that there many vulnerable installations of vBulletin which can fall prey to malicious hackers.

Till next time.

See below for detailed breakdown of the distribution of vBulletin versions:

• 0.89% of sites were running version 3.0.13
• 0.29% of sites were running version 3.0.14
• 0.29% of sites were running version 3.0.3
• 0.29% of sites were running version 3.0.5
• 0.29% of sites were running version 3.0.7
• 1.18% of sites were running version 3.5.2
• 2.67% of sites were running version 3.5.4
• 0.29% of sites were running version 3.6.1
• 1.18% of sites were running version 3.6.10
• 0.59% of sites were running version 3.6.12
• 1.18% of sites were running version 3.6.2
• 4.45% of sites were running version 3.6.4
• 0.29% of sites were running version 3.6.6
• 1.48% of sites were running version 3.6.7
• 4.74% of sites were running version 3.6.8
• 0.29% of sites were running version 3.6.9
• 2.96% of sites were running version 3.7.0
• 2.37% of sites were running version 3.7.1
• 1.78% of sites were running version 3.7.2
• 4.74% of sites were running version 3.7.3
• 2.37% of sites were running version 3.7.4
• 1.18% of sites were running version 3.7.5
• 2.96% of sites were running version 3.7.6
• 1.48% of sites were running version 3.8.0
• 8.90% of sites were running version 3.8.1
• 10.3% of sites were running version 3.8.2
• 3.85% of sites were running version 3.8.3
• 31.7% of sites were running version 3.8.4
• 2.07% of sites were running version 4.0.0
• 2.07% of sites were running version 4.0.1
• 0.59% of sites were running version 4.0.2

I can already hear CMS purists howling that phpBB is not a CMS. In a way they’re right, but in other ways it is a CMS.  phpBB is without a doubt one of the most popular “Internet Forum” software packages available. Its ease of installation, various custom skins, and large installation base make it a very attractive choice for anyone who wishes to set up a community discussion board on the Internet. phpBB has had a few million downloads at the very least and enjoys a very active user group.

phpBB is popular among webmasters who want to set up Internet forums easily. Users of phpBB also benefit from a high level of customization. Another big plus for this CMS. Support for this CMS is awesome, in fact, phpBB has flash based video tutorials to help new users get started! Additionally, the phpBB developer community is very security conscious.

Next, we will take a close look at phpBB to understand security issues with active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of phpBB sites using older versions of the CMS package (and hence vulnerable to attacks).
• Identify the associated scripts phpBB users install in addition to core phpBB functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed phpBB. Understandably, not all 100,000 websites would actually be using phpBB. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by phpBB or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 1st and February 3rd, 2010.

Distribution of phpBB versions:

In 84.16% of sites running on phpBB a version number of the CMS package could be identified. We found the following distribution of phpBB versions in the websites examined (where versions of installations could be determined).

• 32.2% of sites were running version 2.x
  Note: Publicly available information about exploits for phpBB 2.x versions exist.
• 67.8% of sites were running version 3.x

We present the most interesting results:

• None of the phpBB sites were blacklisted by Google Safe Browsing.
• Only 2.5% of phpBB sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• None of the phpBB sites which had Iframes were using JQuery.
  
• About 4.2% of all phpBB sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.3% of the phpBB sites use Mootools.
• Only 0.3% of the phpBB sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like Drupal, phpBB installations seem to be relatively safe from the most prevalent forms of malware. However, the fact remains that there are quite a few vulnerable installations of phpBB which can fall prey to malicious hackers. This trend is echoed by our analysis of WordPress . It will be interesting to probe further and understand why the number of “infected” sites is not higher when there are vulnerable installations in the wild.

Till next time.

Drupal is another prime example of a modern CMS. With more than 250,000 weekly hits to its APIs, this CMS has gained immense popularity! One would agree with the statement on the Drupal site which proclaims: “Tens of thousands of people and organizations are using Drupal to power scores of different web sites”.

Similar to the other CMSs which we have profiled in this series, Drupal offers the flexibility to manage content easily, add attractive themes and otherwise customize websites. Considering the plethora of themes available through the Drupal website, users seem to be very conscious of the attractiveness of their sites.

In this post we will be taking a close look at Drupal to understand any interesting issues with active installations publicly seen on the Internet.

The aim of this experiment:

• What associated scripts do Drupal users use in addition to core Drupal functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Drupal. Understandably, not all 100,000 websites were actually using Drupal. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Drupal or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

We present the most interesting results in brief:

• None of the Drupal sites were blacklisted by Google Safe Browsing.
• 10.1% of Drupal sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• 79.3% of Drupal sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• A whopping 66.2% of all Drupal sites use jQuery.
• None of the Drupal sites use Mootools.
• Only 1.7% of the Drupal sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that unlike some of the other CMS packages we have looked at, Drupal installations seem to be safe from the most prevalent malware. Furthermore, it seems that the correlation between Drupal users and jQuery users is much tighter than in the case of other CMS packages. It might be an interesting point to probe further, to understand why the number of infected Drupal installations is much less than the number of infected installations of other CMS systems while jQuery continues to be a common attack vector.

Till next time.

WordPress is a prime example of a popular CMS. With more than 8,176 plugins and 73,037,498 downloads, this particular CMS package is extremely popular! I would agree with the statement on the WordPress site which proclaims: “WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.” It is.

WordPress also offers the flexibility to manage content easily, add attractive themes and customize webpages to your hearts content. And again quoting the main site: “Plugins can extend WordPress to do almost anything you can imagine.” I would agree with this too.

In this post we will be looking at WordPress closely to understand any interesting properties of the active installations publicly seen on the Internet.

The aim of this experiment:

• To determine the number of WordPress sites using older versions of the CMS package (and hence vulnerable to attacks).
• What are the associated scripts do WordPress users use in addition to core WordPress functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed WordPress. Understandably, not all 100,000 websites would actually be using WordPress. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by WordPress or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

Distribution of WordPress versions:

• 30.9% of sites were running version 2.9.1
• 4.7% of sites were running version 2.9
• 9.14% of sites were running version 2.8.6
• 4.7% of sites were running version 2.8.5
• 21.42% of sites were running version 2.8.4
• 7.1% of sites were running version 2.8.2
• 9.14% of sites were running version 2.7.1
• 2.3% of sites were running version 2.6.2
• 2.3% of sites were running version 2.6
• 2.3% of sites were running version 2.1.3
• 2.3% of sites were running version 2.0.4

We found the following distribution of WordPress versions in the websites examined (where versions of installations could be determined).
Note: Publicly available information about exploits for WordPress version < 2.8.6 exist.

We present the most interesting results in brief:

• Only 0.18% of the WordPress sites were blacklisted by Google Safe Browsing.
• Only 1.6% of WordPress sites had Iframes embedded in them. We found that all these sites harbored Iframe based malware. The Iframes were not obfuscated (examples provided below)
• 44.4% of WordPress sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• About 7.2% of all WordPress sites use jQuery.
• None of the WordPress sites use Mootools.
• None of the WordPress sites use AC_RunActiveContent.js.

Examples of malware found:

Now we present some examples of the non-obfuscated malware that was detected on some of the analyzed sites.

Example Code #1,  detected on: olgamake.com/wp-login.php?action=lostpassword

<if ra e src="hxxp://a151.scrappi ng.cc:80 80/ts/in. cgi ?op en" width=971 height=0 style="visibility: hi dden"></i fra m e>

Example Code #2,  detected on: makinghimknown.com/wp-login.php

<if ra e src="src="hxxp://ke ymydoma ins.com/" width="3" height="2"></i fra m e>

Example Code #3,  detected on: bisoppreview.com/wp-login.php

<if ra e src="hxxp://ntw porta l.com/" w idth="2" hei ght="4"</i fra m e>

Conclusion:

This limited experiment shows that there are many older WordPress installations active on the Internet. Furthermore, some of them are have been infected by non-obfuscated Iframes which point to malicious websites to load exploit code dynamically. WordPress makes for an easy target by lieu of its popularity and wide installation base. The people associated with this CMS software take security very seriously and have done a great job releasing security patches and stable releases. However, the fact remains that vulnerable versions of WordPress are live on the Internet and are hosting malware, primarily via infected Iframes.

Till next time.

CMS software packages have gained widespread popularity owing to the easy to use interface they provide to web-administrators. CMS packages can be easy to set up. Most web hosting companies already have CMS packages ready to be set up on their client’s account, all the clients need to do is click a button in their hosting control panel! Furthermore, maintaining web-pages using CMS software takes away the pain of keeping track of multiple versions, manually granting user permissions and other mundane issues.

Joomla is prime example of popular CMS packages. With thousands of downloads and upwards of 7,000 followers on Twitter, this CMS package is extremely popular among web-administrators and content publishers. Joomla offers the flexibility to manage content easily, add attractive themes and customize web-pages to your hearts content. All this can be achieved without having any programming experience.

In this series of posts, we will be looking at five popular CMSs. Joomla is the first one on which we will focus.

The aim of the experiment:

• To determine the number of Joomla sites using older versions of the CMS package (and hence vulnerable to attacks).
• What associated scripts do Joomla users use in addition to core Joomla functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Joomla. Understandably, not all 100,000 websites would actually be using Joomla. Of these, approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Joomla. Each website was also cross-referenced with the Google Safe Browsing List. The experiment was completed between January 27th and January 29th, 2010.

We present the most interesting results in brief:

• In 80.25% of Joomla websites examined, the version of the installation could be determined.
• All websites for which the Joomla version could be identified were running Joomla 1.5.
  Note: Publicly available exploits for Joomla version < 1.5.6 exist.
• None of the Joomla sites were blacklisted by Google Safe Browsing.
• Only 0.84% of Joomla sites had Iframes embedded in them.
• 75% of Joomla sites using Iframes were using Mootools.
• 79% of Joomla sites use Mootools.
  Note: MooTools has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.42% of Joomla sites use AC_RunActiveContent.js.
  Note: When using HTML templates in Flash CS3 Professional, a JavaScript file linked to the HTML file, named AC_RunActiveContent.js is automatically created.
• Only 0.63% of Joomla sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.

This limited experiment showed that there is a correlation between Joomla installations and vulnerabilities targeted by hackers to spread malware. It will be interesting to compare this trend with the trends of the CMS packages that we will analyze in the coming days. Nonetheless, it is heartening to see that none of the websites hosting Joomla 1.5 were actually listed on Google’s Safe Browsing List.

Till next time.

Below we present a sample of the websites using Joomla.

123ror.no
123-vle.com
1-euro-gmbh.com
1stoneonline.org
22paths.com
5-bhai.org
989vip.com
abc-webshop.com
abqjournal.com
absolutetraders.co.za
absolutionists.com
aerospacehorizons.com
afocusonyourfuture.com
akiraciai.com
albania4arab.com
alkatron.it
allbdevents.com
alphasoundstudios.com
anesthesiacare.com
angkasa.gov.my
annmurphyflorists.com
aominions.org
ap2.joomlapraise.com
apfmi.com
arabicamusic.tv
arawaktech.com
aritcon.de
atelier-rousseaufrederic.com
autoadoption.com
azbukapro.net
babymar.net
back2africa.nl
balittro.litbang.deptan.go.id
bassittenterprises.com
bavdw.com
beancounterz.org
bebejour.com
bellevuecollisioncare.com
belmontstudenthousing.com
bhpartners.net
biblioteca.catie.ac.cr
bic.moe.go.th
big-sammys-hotdogs.com
big-sammyshotdogs.com
billhope.net
brandartistlife.com
brazilpedia.com
brazzilinfo.com
brokerlarry.com
budgetsupplement.nl
bulgarialettings.co.uk
buttonwillowhq.com
calaqueroleta.com
cantyouhear.com
carbonkiller.com
caribbeancomputercompany.com
caribenscoutgroup.org
cartagocomercial.com
ccauroraems.com
cehcp.org
cellularoptimization.com
centralcoastlavenderfestival.com
centrocnc.com
centrometeosiciliano.com
chaipat.or.th
chechenews.com
chezcesaria.com
chuckdiehl.com
classics.uc.edu
clipcdc.com
cmfm.net
cobaltcamera.com
co.douglas.ne.us
colegioignacioaldama.com
coltraining.org
combilling.ru
computerscm.com
connorsphotography.net
crezz.org
crittersgallery.com
cuibs.org
cygnet-ecm.com
cypcstore.com
d22485318.a37.agcreativehosting.com
dakofix.de
dan-brown.org
darklevel.org
davidstanleytransport.com
dcuweb.com
deckboat.co.za
delmarfishing.com
demo.mosets.com
denicarnahan.com
detcompservices.com
diabetic-health.info
discospheric.com
dmgmusicgroup.com
docwithms.com
dongvienthai.com
dreamtive.com
drnunemacher.com
droidcon.de
drsusiehill.com
dsmdataservices.com
dubmum.com
dunklspace.com
dwaynemorris.com
ebay-is-out.com
e-dynamics.net
elaps-timing.com
ellistyle.com
email-synchronisation.com
energyharvestpr.com
esperantox.com
eventklik.com
evergreenrugby.com
evropskemesto.cz
famiri-lisse.com
fishbowlpr.com
flyingphoenixheavenlyhealingchikung.com
fma.or.th
focusonyourfuture.com
freshoutsourcing.com
freshwaterbolivar.com
frittomisto.co.uk
gattos.co.uk
ghtex.com
gibreview.com
glenwinfield.com
globalclear.org
globalfreejob.com
globalhudson.com
globalstandards.com.au
guneseviprojesi.com
gvdiabetes.com
hamroyatayat.com
hcasaints.net
health-only.com
heliossrl.eu
herenistarion.org
herenya.com
highereducationmanagement.eu
hiregolfclubsdubai.com
hostiopatiacancun.com
hostmyreports.com
host.nodesixvps.com
htdquailguideservice.com
huacatambo.com
hypnosis-mp3.com
iajgs.org
ibeatradio.com
ibexevents.com.au
icoayouths.com
idiverseme.com
ihelpchurch.com
infopascani.ro
internal.mmi.co.id
intimacyquestions.com
ioc3.unesco.org
ipeterborough.com
ipitest.com
issnaf.org
iwebxpert.net
jackogle.info
jaguar.boxsecured.com
jaildata.net
jamskater.com
jewelrywebstores.com
jini.gr
jinovc.com
jmandgroup.com
joomfish.org
joomla2me.com
jrosecatering.com
juarezcustomhomes.com
jyperkins.com
kaarigar.net
kedema.com
khushab.org
killtribe.com
kycstudios.com
lagartozero.com
lapocioni.net
lawyerarlington.com
learn-web-hacking.com
levietphuc.com
lexprototus.com
liquidcrystalsounds.com
livingoceansfoundation.org
llstoreuk.com
loungebase.com
lovekeke.com
low-gi.info
macmagicians.com
mad-as-hell.org
malandscape.net
mambo.web-joy.de
marksotelo.com
mathewgagnon.net
mekofa.dbbank.net
mikestute.com
mileagecorrectionservices.com
mindyourbusiness.net
mit.undip.ac.id
mjkltd.net
modavideolari.com
mongoosepress.info
montrealquebeclatino.com
morgansisland.net
motobuzz.co.cc
mountainxtra.com
mpninsider.com
mthoodfun.com
muddyjosh.com
mylanka.org
myperfectalgeria.com
mywillinstructed.com
nappydread-i.com
naturwissenschaftler.de
neidevserver.net
newgrantinfo.com
newsitebuilders.com
number12secret.com
obcian.com
ocsopedia.com
odw.biz
oldbenzhome.com
oldchevyshome.com
oldcornersaloon.com
oldfordshome.com
oldminishome.com
oldmoparshome.com
oldrovershome.com
oldtruckshome.com
oldvwshome.com
olympusmobile.net
omnium-gatherum.net
organics-recycling.org.uk
organizeutah.com
ost-au.com
osteopatiacancun.com
parrishwomble.com
pasautorepair.com
pcb-design.org
pfoa-mc.org
pfoa-ms.org
pieceofcakekitchen.com
pilsum.com
platinum-cars-uk.com
plot-shop-online.de
poderesaude.com.br
postcardsfromlasvegas.com
prezemi.com
primetarget.org
primrosetelecom.co.uk
profootballdraftinsider.com
prohairsupplies.com
projectnucleus.org
protestthehero.eu
purebreaddeli.com
quadcitysquares.com
rainbowextravaganza.com
rapatsa.com
rarenovaction.com
rawinontario.com
rechtsanwalt-online.eu
remembertheyard.com
roomatthecastle.com
roylon.com
rshm.gov.tr
saletop.com
salvitae.eu
sandyrosenbaum.com
sarah-kurtz.org
scenicworld.co.uk
scienceworksforus.org
sdakinship.net
seblod-dev.com
seegchina.eu
serenajohnson.org
sharelancer.com
silverstarmountain.ca
silvertipgroup.com
simplyaskus.com
sindhhyd.com
siparuntum.com
siteground11.com
sjubc.com
sovereignty-empire.com
spoorsweb.nl
sportingconservation.org
spravochnic.com
stalyticsdemo.com
stampsales.net
stanleyvictor.com
stefanomazza.net
stmarkcentre.org.uk
sunithi.freei.me
superhorsetraining.com
swimwithjenny.co.uk
synopticcoders.co.uk
sysexpo.com
tamilcircle.net
team4fun.eu
testingforclient.com
tfmandassociatesinc.com
thebattleforliberty.com
theeyesarethesame.com
themandalfamily.com
tibebat.com
time4nascar.com
tingtinghan.net
tinocoysantamaria.com
ti-wow.com
town.williston.vt.us
tpsacanada.com
translationmanager.org
trkconsulting.org
tropicaleditions.com
tuxpro.com
tychoseye.nl
un-instraw.org
unitekk.com
usaffiliates.net
usroot.com
vajira.ac.th
ventaszonafranca.com
vibranted.com
virtualpbxcompare.info
vividtuning.com
waverleywoollahra.ses.nsw.gov.au
websauce.org.au
welldone-hannah.com
westsidepawn.biz
wetzlar-kurier.net
wheninvisiblechildrensing.org
whereyougot.com
wilhelminaschool.eu
windjammerlodge.com
wolverine2812.com
womenoftheucc.com
ws1.njpac.org
wtfchefs.us
www3a.biotec.or.th
xband.eu
xenones.gr
xpand-productions.com
xperteaze.net
yahyaayhanacar.com
yarmouthnet.com
yellow-advertising.com
yourchoicetech.com
youreasymemories.com
zephyrfm.com
zombiz.net

Anyone delving into Web-Application Security issues would realize that simply throwing up a bunch of WAFs to deal with code-injection attacks is not the greatest solution. Code injection attacks are constantly evolving because they provide hackers with a great medium with which to deliver malicious code to unsuspecting Internet surfers. It is not because of the lack of effort on part of WAF developers that code injection attacks are not being nipped in the bud, instead it is because this attack vector presents such an attractive medium for hackers to further their nefarious intentions, with comparatively less effort than other more involved hacking techniques.

Bottom line, code injection attacks and signatures are constantly changing. WAFs used by many hosting companies cannot guarantee full protection against them.

Two big reasons it is difficult to protect websites:

1. You can only protect against what you know about
2. WAFs are not self-learning and self-tuning

At StopTheHacker.com, our approach is to develop systems based on Artificial Intelligence techniques which can learn from attacks and adapt using machine learning to block and identify previously unknown code-injection incidents.

In this article we try to identify how many sites from each of the top few web-hosting companies are currently blacklisted. This gives us an indication of the kind of security being employed and the effectiveness of the systems.

This test was conducted on January 19, 2010. The AS data was mined from CAIDA and was correlated with Google Safe Browsing data.

Number of sites blacklisted by hosting company:

Hosting Company Name           ASN  Sites Blacklisted

IX WebHosting                32392               4160
GoDaddy                      26496              12648
DreamHost                    26347               5636
GigeNet                      32181                647
Peer 1                       11388               2332
Lunar Pages                  15244               3754
iWeb                         32613               2161
ThePlanet/HostGator          21844              11347
Bluehost/Hostmonster         11798               6232
LiquidWeb                    32244               3113
Leaseweb                     16265               2393
Schlund (1&1)                 8560               9105
Tele2 Telecommunication GmbH  8437               8229
China Telecom                 4812               4919
Inetwork/iEurop              29629               3197
NetworkSolutions              6245                739
RackSpace                    33070                698

Clearly, whatever security mechanism are being employed by these hosting companies, they are not enough to stop hordes of their websites falling prey to code-injection attacks and other forms of malicious attacks. Perhaps owners of these large numbers of compromised websites will force web-hosting companies to take a more proactive approach to safe hosting for their clients.

Interestingly, a web-hosting company which focuses on a secure hosting experience maps to ASN 7819, which seems to host 26 malicious sites.

EDIT: On Jan 20 2010, 7:05 AM PST, we received feedback from the webhosting company which focuses on a secure webhosting experience, that the IP ranges mentioned (below)  in this article are not used by them to host websites, but are simply the ones that belong to the datacenter they employ.  We will be very interested in re-evaluating IP ranges that are used by them to present websites on the Internet.

List of IP addresses associated with ASN 7819 is below:

38.114.116.0/22
66.128.48.0/20
66.128.48.0/21
66.128.48.0/24
66.128.49.0/24
66.128.50.0/24
66.128.51.0/24
66.128.52.0/24
66.128.53.0/24
66.128.56.0/21
66.128.56.0/23
66.128.58.0/24
66.128.59.0/24
66.128.60.0/22
66.128.60.0/24
66.128.61.0/24
67.210.224.0/20
67.210.224.0/24
67.210.225.0/24
67.210.226.0/24
67.210.227.0/24
67.210.230.0/24
67.210.232.0/24
67.210.235.0/24
67.210.238.0/23
67.210.238.0/24
67.210.239.0/24
67.210.240.0/22
67.210.240.0/24
67.210.244.0/24
67.210.245.0/24
67.210.246.0/24
67.210.247.0/24
69.26.161.0/24
69.26.163.0/24
69.39.240.0/20
208.80.16.0/24
208.80.17.0/24
208.80.18.0/24

AV Engines are not very effective at spotting web-based malware

There is every indication from sources internal to StopTheHacker.com and external sources comprised of web hosting companies, administrators, security companies and government organizations that the threat from web based malware is looming large and is only going to intensify in the coming years.

Website owners, and administrators, even website hosting companies are the directly affected ones. However, it is me and you, the web surfer, who visits supposedly benign sites which have been compromised by malicious individuals who are at great risk.

To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code which have been classified and adhere to well known malicious behavior.  Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

Note that all AV engines used were at the latest version available for our systems and were updates with the latest virus definitions. All samples used Javascript to execute their malicious content.

Brief highlights:
1. AV engines used: AVG, ClamAV, F-prot, Avast
2. None of the AV engines detected more than 11% of the malicious samples
3. AVG detected: 6.92%, ClamAV detected: 10.69%, F-prot detected: 10.06%, Avast detected: 2.52% of the samples respectively
4. Only one sample was detected by all four AV engines. This sample was extremely similar to a POC exploit code from milw0rm.com

This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.

The SHA1 hashes of the samples used to test are presented below.

816633098ae005d8dbc7a25993da84d4035d03fa
9b19e082e4f96ba904a96b91521ea965423fdf78
390c6ee940db43d1916b8d5d35d6e26ee820adc6
1eff7745d4fdcd5454ce35cefaaf9fdcd992c7d2
2e546e478a2e7782f71e57aba2db4c39618a6ea0
e20e4102bb3fe18d1bacb1cbd9decb3df231b54f
6911103499818938e1f4ad589382f78555e5c3d5
f635909927c4605f382e4206472ed2eb319c7fe7
b87996d1842c3fa7656f2923e4ca9d984f67e927
ba507a2ddf54868038d2a233824d954e76e7de7d
5b145e8e1379513ee7fdcc254052aa63401bfbb2
47b99826d6beedd4eafd90a6b1f6bfc58037516f
25a5b980a32f02115ae6b39ba23233d3395cc8be
d5e44799006af551a6ed428fbbf5c719fde9f0d2
16169f2bc458bbcfbe440bf6e144072440437b8f
fac205896b1d8caa027493ff347b1283a8a5ea9a
26efc96af2f3c4f40de0122e2a17a96e179dae10
1ceda4089f55b0ae00e5f68c1fc168854262ba0a
107069c13e14f8ae02764420f7b73abc3b12b9ec
000e94d6f8569152b4f722b534c3446b33e80edb
a26b7469375e87ed511813753690621b7c1c59cb
c618cee125d8f03f2e389259dc4fb64c817c8cae
169df559a4489f4ebd968a54a7e985bd59996f44
79afd6b751faaa5030bdc9b6f8ac63e58e19f8bd
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
af8308df0d38052a1f2b2a1e9e4ce20a508d5029
9d6a35ed08772fb824a3c2804f03418fb317b316
9ad9673f55a0013d4065c4139777ca681e0cea0b
58afa0e9fa175f8cec1c6ca37261adb7fbe71080
68a1f2a03397b5c36a29c118d85b6da7de37d69c
92962ff677a0f41e36c6279fea8c3c1bf6cffeb7
f4024a56993ca0e38f4095a2f9cf0e6f111dc1
854cdc64aa29d3b4073ba4827eff8c6976189eff
ee4054c22e26a9e7da91927f8b423309db3c37ce
b07bef2b0d7b10ca7054f9450a78ae4cc616282a
430f69f19ec142eb443a3003ece46ee3fe02d316
70333f39c08c02fb468dd7f305034fe8e69438a4
e77b9cff1b75f4cbaeedfd59c925a4b4a0bbf253
28846dd8ba590b9c7cca6a8061c35446ddf4b9ba
9c8671398aed3b785bea22f51afe66485bbcac42
cfe3e42c266064cda45fd11e5c0e3dc7504134ed
35cfebaee69b89e2cabba05f130071d18a3d0632
51a2dd0515ec5d7cf9bf55e7226c800f3ab34b01
9fbae2b1d97783782b6c22a8eacf9b408dfa7622
5da9312edbc420750839d98a62b4db3fcf37e79e
2fd92d853236eec5030c2b2e68519e338fbae703
9e522249da94e5361f4b1b76d028325c963d2f8f
c1fffcc3872a0c5b198ce0b0e2b6c48122afbfe3
a085342ffddeb129b4d503d769337254f12128ab
b0cc0131e64e3cc6be595244cb6d06459415fd86
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
5d5acfbfaeb0964a90afdc34027d31dd8c087b72
d83b73c795242984efe288a4131f10898cee4726
230bd24350242a1fcc48d304bb6a0b41e11e56bd
236526ddf3243ecc869e2dc496e5e123836c1139
9de098b4ca80fde754a6d0779eda2230c304dda2
ba5bc790b05eef01db9c80b44b0478ad29637117
9dab8e1b7e6c38ff4034e702215b43a83f503845
abfd93aca22ee2475952ed145394d9edf270ec97
9e1e1a1efd527ea05f43dbd3c74fcd235603ae25
d929e444c10d08f427fe3136fda94c9459ec8a90
a7c8cd2edf0fbae0e2747ebba3b0347e21d82f83
1f3b5c82f9077896ded6ad0417840108660bdb6f
6d8eb97d34acd9fe3c54bdfefc3b4eec38187a7e
1bb8371b3dad51c8cfa2fcf2430174954b65490c
70f55d55796b58e906359fc7ec2b71ee2f6b475f
64df75a0a427cc74397cd831c5dae977b960319b
060b75af1239a7e882c75600f05cd4a29981cf63
9611d0eabd35cad386b6e55377e13862300753d0
f61dfa94e8d26143541ffa8556001addc9043233
9c6859961beaff0d0e2c8254fd0d9170f17764c4
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
e4bd561881cbe8692cef393519fa9d3feb94e4
4493e82d5648ef18bffe0cf577dfff977c4c2b61
2914adab79ace690911928734d71f41e0eaf3deb
a209fce0c7e8d7de6f1667f8855b441ad9199479
fe97812acb6005bc730df70a02949f85791ccc26
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
9d26667c6ada57160863dbd8fc0f906facd26a31
6d1cf3bb7c692cf79b496971082d63c4fe6f9d3b
f61dfa94e8d26143541ffa8556001addc9043233
9d9bc778aa7dd0c6aaebce544038afb72ca89a3b
eb870d52963b9dfffa1418206d9fd2248105e7d5
b5b975f530907b3cc8a06cc544ee59af1c65c0ad
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
d4f883d6fca63206aaa5773d21bd391aafd6b69b
89b092cf10887728965e92a1743b211981e2c509
93e32b1813e8f62bc48afb34435c27922dd15854
9170e68703b30d9653c1afc2e2367ef9e3e857d1
7f927ce60b92fcada6d0029f05372bcc55e76061
ff1e5838891686428ee55e651ae7ae4af8f54833
ac79dfd852843af7de7b5b9c0312d281b2584c46
04c5946fd347bc61a2276567bd00a8140a3792f7
21bf2da8630e8bbbe80fb18ca8b5d6cf1ad1801a
62127899a333ded181e82fd6b6194fb55cc45f1b
47dd8eb5a532965ac85140ed50b491e9a79827d4
50db943eb42397bd9391bba998cb75f2d6a27abd
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
1921c236990bf3d282d85c7f73929f179d77bbbe
1921c236990bf3d282d85c7f73929f179d77bbbe
f4b6889f98fff03fe1a452c872046560c5b7b2b6
c3655fd13f4f020100106d33c7ed8b64a5b697b5
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
37fb254190ef250ec17c51af8a8ce9492f229045
5cf6b5e79088c31adebd9239b6a0fe85dae4bdc8
4b68192c2a1d56c933b0b4d3a511d20f5ab5109a
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
a938feaee3f8088ca09fa55547e7d32f3eeb2342
5872a0f83149116751c99204af687a0d9fd2d013
6c3a63406e834212ee21150ed9dae027916c9aba
61bd5b21316aebe72d9eb0fbec86aa54eeaef41e
974ab3a4840c3036494e1b5ff44149addc352c09
f995e8fe220bb5734a12a3181da0891ae2102eee
974ab3a4840c3036494e1b5ff44149addc352c09
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
d9a413e9eaf045c80a7a3a3b220425e0ae10f36a
a938feaee3f8088ca09fa55547e7d32f3eeb2342
3dfd2d40357887f5c43fa33c064d8ee5f4aee03b
b9328bb760b294fa524830a8920a0a90a2e33eac
169df559a4489f4ebd968a54a7e985bd59996f44
584fbb7d467834132bd9e28db43e5fcbcefc24e8
768709cbc7ffd499cc26be93e2558ba80059793a
ffb3394a91961dfb67a4e16eab998c225baf93e0
12a594de0c4c0351387c40275db09ef4b2e4025b
4a7afd95db6923e4220a65040357bfbbf2b55077
6a9ab50dafae402bf230879471206b6479c33692
6a9ab50dafae402bf230879471206b6479c33692
c3655fd13f4f020100106d33c7ed8b64a5b697b5
3e6944e6957b8d09759328bb6e4b1d40ed61a94d
77b5099de69d17088f47991543ac952748f51318
a448b4b7df37d40db78a61123379424884957e5f
9dace6f32725175bafd0a09de6d6bb822d116250
4d03ef449ef5eaa2ed4504b926af218fcd49af66
e026b0f4b1c412fd98efaae3741d7d137647f07e
681f9c9d1ca13424dbb3328e8e7f4cd9404e93fc
8fa128f2e88f51486dd6e14f6394066c52cd6d30
7dba6533187fd7df6a6b7654841d7de41c8ec3bc
e72f7680b93ca124077ab5fe6f78daf8df24db2f
c662974ce089e0979811db9752601ba0deb56ca5
14cb17f7f0379a81cf6cd0a0bcb58d3ccca848a3
b36ef96e09c30b195ac291fa5a3dae8fc89960f2
74c204f8dc182949217be29d36d7d38ea3ba9f7b
2642a2c2cce3cea5a175cae5d021272d87d94908
1be051d87ace905c7c16d08545f13395362c0feb
276f5f4b144e86d07d76fbeecf2e39250c9d65e5
c66dc101b4aeb6a0416be21e5c9ed09dc162f338
8c40b59bbbfc9dd02725ce8c891e4d9fa0f5ce26
efaef489856ac430f2fc8a2c2437a61922e2c877
93ddf8b9b206e6ae88c75ac7ca28991be19d63ac
c26e2cf8e848deb09ca72d5e692809fbbd21e07c
5e920705466955c69dd1c4474d3022489de8e3bc
e7149aaed102653f45e17afcb3d0d426a8cf11d

We at StopTheHacker.com have conducted a study to ascertain if these top financial institutions are really secure or not. The findings, including a graphical summary, are also available in a PDF report attached at the end of this article.

Security Level of Top US Financial Institutions in 2009

The results were astonishing: 13 out of 14 websites had at least one critical vulnerability. In more detail, we highlight some key results below:

1. On average, there are 1.5 critical security issues in each financial institution
2. On average, there are 1.2 important security issues in each financial institution
3. On average, there are 7.9 general security issues in each financial institution
4. The highest company valuation in total assets does not correlate to the highest security
5. The financial institution in our set with the least valuation had zero critical security holes

The identified vulnerabilities are very serious: critical security issues/holes are widely seen as major security concerns by security experts, and security standards.

The most prevalent vulnerability among all of those discovered, allows a hacker to spawn what is known as a shell, more commonly known as the command-prompt, and thereby remotely executing harmful commands on the web server. Other vulnerabilities range from major Cross Site Scripting (XSS) vulnerabilities, which can enable hacker to steal credentials of website visitors, to a plethora of concerns with various software installations used on these systems.

For more information, please feel free to contact us.

• Download the Whitepaper