<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0" xml:base="https://www.stopbadware.org">
<channel>
 <title>StopBadware blogs</title>
 <link>https://www.stopbadware.org/blog</link>
 <description />
 <language>en</language>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/StopbadwareBlog" /><feedburner:info uri="stopbadwareblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
 <title>Huge brute force attack targets popular blogging platforms worldwide</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/HhIS5WodKVI/huge-brute-force-attack-targets-popular-blogging-platforms-worldwide</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;Over the past 48 hours or so, a large, highly-distributed attack has been hitting WordPress and Joomla sites worldwide. Hosting providers have noted a significant uptick in the number of login attempts, particularly for WordPress (e.g., wp-login.php). The attacks are reportedly coming from a botnet using more than 90,000 servers. &lt;a href="http://www.melbourne.co.uk/blog/2013/04/12/brute-force-attack-on-wordpress-and-joomla-powered-sites/"&gt;Hosting providers&lt;/a&gt; around the world &lt;a href="http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack"&gt;have noted&lt;/a&gt; the prevalence of the attacks and detailed some security measures they’re taking, along with measures they encourage customers to take.&lt;/p&gt;
&lt;p dir="ltr"&gt;This, as &lt;a href="http://thenextweb.com/insider/2013/04/12/wordpress-and-joomla-sites-see-massive-increase-in-brute-force-attacks/"&gt;many&lt;/a&gt; &lt;a href="http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br"&gt;others&lt;/a&gt; &lt;a href="http://nakedsecurity.sophos.com/2013/04/13/wordpress-blogs-and-more-under-global-attack-check-your-passwords-now/"&gt;have&lt;/a&gt; &lt;a href="http://ma.tt/2013/04/passwords-and-brute-force/"&gt;observed&lt;/a&gt;, is a brute force attack. That means: Attackers hit access points with thousands upon thousands of common username and password combinations in quick succession. In this case, the usernames that hosts/security experts are seeing are &lt;em&gt;admin&lt;/em&gt;, &lt;em&gt;Admin&lt;/em&gt;, &lt;em&gt;administrator&lt;/em&gt;, &lt;em&gt;test&lt;/em&gt;, and &lt;em&gt;root&lt;/em&gt;. They are tried in combination with dictionary words and common passwords that everyone’s been warning about for years (e.g., &lt;em&gt;12345678&lt;/em&gt;, &lt;em&gt;password&lt;/em&gt;, &lt;em&gt;qwerty&lt;/em&gt;, &lt;em&gt;monkey&lt;/em&gt;, etc). Sites that are hacked as a result of the brute force attack are infected with malware, laced with a backdoor that allows attackers to maintain access, and conscripted into the botnet perpetrating the attacks.&lt;/p&gt;
&lt;p dir="ltr"&gt;Security blogger Brian Krebs has &lt;a href="http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/"&gt;a good summary of the attacks&lt;/a&gt; and &lt;a href="http://krebsonsecurity.com/wp-content/uploads/2013/04/WPpasslist.txt"&gt;a sample list of the username-password combinations being used&lt;/a&gt;, courtesy of security company (and StopBadware Partner) Sucuri. Sucuri also has &lt;a href="http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html"&gt;an excellent article&lt;/a&gt; on the attacks and the data they’ve collected.&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;strong&gt;If you’re the owner of a WordPress or Joomla site&lt;/strong&gt; (or any other site, for that matter):&lt;/p&gt;
&lt;ul dir="ltr"&gt;&lt;li&gt;
		&lt;strong&gt;Make sure you’re using a strong password.&lt;/strong&gt; This means long, it means complex, it means avoid those dictionary words. You can use &lt;a href="https://www.microsoft.com/security/pc-security/password-checker.aspx"&gt;this tool from Microsoft&lt;/a&gt; to check your password strength. &lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Not using a strong password?&lt;/strong&gt; Log into your site and change it. Right now.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Get rid of that “admin” or other default username. &lt;/strong&gt;By keeping it around, you’re making half of your username-password combo easy to guess. Not sure how to delete the admin user? Here’s &lt;a href="http://www.dailyblogtips.com/wordpress-security-tip-remove-the-admin-user/"&gt;an easy how-to&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Use two-factor authentication.&lt;/strong&gt; You can find &lt;a href="http://en.blog.wordpress.com/2013/04/05/two-step-authentication/"&gt;directions for doing this on WordPress.com here&lt;/a&gt;.  If you’re using WordPress.org, there are a number of third-party plugins that allow you to do this.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;If you suspect you’ve been infected, get in touch with your hosting provider.&lt;/strong&gt; Keep in mind that many hosts are dealing with the fallout from this attack and may be strapped for resources. You may also have trouble logging into your site because of the sheer volume of the attack.&lt;/li&gt;
&lt;/ul&gt;&lt;p dir="ltr"&gt;The two hosting providers mentioned in the first paragraph, &lt;a href="http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts"&gt;InMotion&lt;/a&gt; and &lt;a href="http://www.melbourne.co.uk/blog/2013/04/12/brute-force-attack-on-wordpress-and-joomla-powered-sites/"&gt;Melbourne Hosting&lt;/a&gt;, have good information on the attacks and how to protect yourself. Our partners &lt;a href="http://blog.sucuri.net/"&gt;Sucuri&lt;/a&gt;, &lt;a href="http://nakedsecurity.sophos.com/"&gt;Sophos&lt;/a&gt;, and &lt;a href="http://blog.cloudflare.com/"&gt;CloudFlare&lt;/a&gt; have also been covering the attacks and publishing useful data for site owners and security companies.&lt;/p&gt;
&lt;p dir="ltr"&gt;[&lt;a href="/prevent-badware-basics"&gt;More information on protecting your website&lt;/a&gt; or your &lt;a href="/prevent-badware-wordpress"&gt;WordPress site&lt;/a&gt;]&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;UPDATE (15 April 2013):&lt;/strong&gt; One of our BadwareBusters.org volunteers contacted us with some useful information:&lt;/p&gt;
&lt;p&gt;While many of the suggestions here are good, changing the username isn't slowing down the attacks. On our honeypots we've been seeing this:&lt;/p&gt;
&lt;p&gt;http://www.(yourdomain.com)/(blog)/?author=1&lt;br /&gt;http://www.(yourdomain.com)/(blog)/?author=2&lt;br /&gt;http://www.(yourdomain.com)/(blog)/?author=3&lt;/p&gt;
&lt;p&gt;This enumerates the user IDs. If you've changed the admin username, the first one will return:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Sorry, but you are looking for something that isn’t here.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;However, if you keep incrementing the last number, you'll eventually see this in your browser address bar:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;http://www.(yourdomain.com)/(blog)/author/(newadminusername)&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Now the hacker knows the userID and username. They find this, add their dictionary of passwords and continue right along. Strong passwords and two-factor authentication seem to be the best. Captcha is an option as well, although we still see hackers trying various schemes to crack Captcha.&lt;/p&gt;
&lt;p&gt;(Thanks to Thomas Raef of &lt;a href="http://www.wewatchyourwebsite.com/"&gt;We Watch Your Website&lt;/a&gt; for the info.)&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/wordpress" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;wordpress&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/joomla" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;joomla&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/password" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;password&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;security&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/hack" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;hack&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware-partners" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;StopBadware Partners&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Sat, 13 Apr 2013 16:03:33 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1731 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/04/13/huge-brute-force-attack-targets-popular-blogging-platforms-worldwide#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/04/13/huge-brute-force-attack-targets-popular-blogging-platforms-worldwide</feedburner:origLink></item>
<item>
 <title>Protecting osCommerce Sites Against Malware</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/jXNSkt7m7AU/protecting-oscommerce-sites-against-malware</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;&lt;em&gt;The following is a guest article by Anirban Banerjee, CTO &amp;amp; co-founder of &lt;a href="http://www.stopthehacker.com"&gt;StopTheHacker&lt;/a&gt;. StopTheHacker is a StopBadware Partner, and Dr. Banerjee is a regular contributor to StopBadware's community forum, &lt;a href="https://badwarebusters.org"&gt;BadwareBusters.org&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;When it comes to starting an online store, &lt;a href="http://www.oscommerce.com/"&gt;osCommerce&lt;/a&gt; is a popular choice of e-commerce software. Like many other content management systems, osCommerce offers users free tools to set up and host online stores. osCommerce’s popularity can also make it attractive to hackers and malware authors.  When your livelihood depends upon your website, it’s up to you to protect it from malware.&lt;/p&gt;
&lt;h3 dir="ltr"&gt;
	What Malware Does to Your Online Retail Store&lt;/h3&gt;
&lt;p dir="ltr"&gt;If a hacker plants malware on your website, the upload may result in several unfortunate issues for you and your customers, including:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
		Opening pop-up ads whenever a user opens your page.&lt;/li&gt;
&lt;li&gt;
		Receipt of multiple spam emails by customers that appear to come from you.&lt;/li&gt;
&lt;li&gt;
		Slowing of the user's Internet connection or crashing of the user's computer.&lt;/li&gt;
&lt;li&gt;
		Redirection to pages with viruses or malware.&lt;/li&gt;
&lt;li&gt;
		Stealing of personal information.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;As an online retailer, it’s easy to understand how badly a malware attack can affect your relationship with your customers. Customers can potentially suffer long-term consequences from a malware attack on your site, and your reputation will suffer, too.&lt;/p&gt;
&lt;h3&gt;
	Taking Care of Business&lt;/h3&gt;
&lt;p&gt;If you had a brick and mortar storefront, you would have insurance in case of an emergency, but you would also have locks on the doors. Having an online retail store is no excuse to skip this basic level of protection. Your store is a source of income, and you need to protect that income source against potential invaders. With a few simple steps, you can “lock up” your osCommerce store.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;
		&lt;strong&gt;Upgrade&lt;/strong&gt; to the latest osCommerce online merchant package as soon as it’s available. Each update of the &lt;a href="http://www.oscommerce.com/Products"&gt;osCommerce package&lt;/a&gt; includes the latest security measures.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Avoid third-party add-ons&lt;/strong&gt;. osCommerce provides plenty of &lt;a href="http://addons.oscommerce.com/"&gt;add-ons&lt;/a&gt; to enhance your site. Third-party add-ons can increase your risk of hosting vulnerable code on your site; if you do use code from third parties, you should always know where it comes from and how it's maintained. &lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Don’t wait for an attack to happen&lt;/strong&gt;. Keep an eye out for any unauthorized changes or users. You can also scan your website regularly with an online malware scanner or other security tool to make sure hackers have not breached your site’s security.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Consider signing up for website security&lt;/strong&gt;. Website security companies can have trained experts monitor your site for suspicious activity, increasing the chances you’ll catch malware before it becomes an issue.&lt;/li&gt;
&lt;li&gt;
		&lt;strong&gt;Be proactive&lt;/strong&gt;. This might include steps like:&lt;br /&gt;
		- Changing the name of the osCommerce “admin” folder before launching your site.&lt;br /&gt;
		- Choosing a difficult password that contains both numbers and characters to reduce the chance of a hacker figuring out your password.&lt;br /&gt;
		- Not using the same password with osCommerce that you use on any other website.&lt;br /&gt;
		- Deleting the “file_manager.php” and “define_language.php” files from osCommerce admin. According to &lt;a href="http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/"&gt;osCommerce users,&lt;/a&gt; these files have known vulnerabilities.&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;If your site &lt;em&gt;does&lt;/em&gt; get infected with malware, take it offline as soon as something bad is detected and clean it up. Detection &lt;a href="/hacked-sites-resources"&gt;tools&lt;/a&gt; and webmaster forums (such as &lt;a href="https://badwarebusters.org"&gt;BadwareBusters.org&lt;/a&gt;) can help you do this; if you subscribe to a malware protection service, they can help you clean up quickly.&lt;/p&gt;
&lt;p&gt;If you are looking to try your hand at online sales, osCommerce and other e-commerce management systems can be good options. Your osCommerce site is only as good as its security; by keeping it secure, you protect both your revenue stream and your customers.&lt;/p&gt;
&lt;p dir="ltr"&gt;StopTheHacker is a security company whose suite of technologies are designed to keep websites safe. They are also a &lt;a href="/partners"&gt;StopBadware Sponsoring Partner&lt;/a&gt;. For more information, visit &lt;a href="http://www.stopthehacker.com"&gt;www.stopthehacker.com&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/malware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;malware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/oscommerce" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;osCommerce&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/stopthehacker" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;StopTheHacker&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Tue, 02 Apr 2013 14:17:42 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1730 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/04/02/protecting-oscommerce-sites-against-malware#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/04/02/protecting-oscommerce-sites-against-malware</feedburner:origLink></item>
<item>
 <title>StopBadware welcomes a new executive director</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/3bGXAMeDsSw/stopbadware-welcomes-a-new-executive-director</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p dir="ltr"&gt;It is my privilege to announce that Bryan Gulachenski will be stepping in starting today to lead StopBadware as the new interim executive director. Bryan is a security industry veteran with over 20 years of experience managing and developing security programs in the financial services, insurance, and government sectors. He originally cut his teeth in security engineering at GTE and MITRE before moving into the financial sector, where he worked for companies like Fidelity and John Hancock Financial Services. His most recent role was VP and Director of Information Security at the Federal Home Loan Bank of Boston.&lt;/p&gt;
&lt;p dir="ltr"&gt;On top of his impressive credentials, Bryan also happens to be a thoughtful, genuinely nice guy with great team-building skills. Both the &lt;a href="/board"&gt;StopBadware Board&lt;/a&gt; and our &lt;a href="/staff"&gt;staff&lt;/a&gt; are excited to have him around to drive the next phase of StopBadware’s development; the whole team is looking forward to working with him over the coming months to make an even bigger impact in creating a safer Web for everyone.&lt;/p&gt;
&lt;p dir="ltr"&gt;I will be around this week helping Bryan with the transition, and I will continue to serve on StopBadware’s Board of Directors. Thanks to all for your support and encouragement during this exciting change!&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <pubDate>Mon, 25 Mar 2013 18:17:11 +0000</pubDate>
 <dc:creator>mweinstein</dc:creator>
 <guid isPermaLink="false">1729 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/03/25/stopbadware-welcomes-a-new-executive-director#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/03/25/stopbadware-welcomes-a-new-executive-director</feedburner:origLink></item>
<item>
 <title>New Google series helps webmasters recover hacked sites</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/MpgR76I7q8s/new-google-series-helps-webmasters-recover-hacked-sites</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;Today Google launched a new informational series called &lt;em&gt;&lt;a href="http://googleonlinesecurity.blogspot.com/2013/03/videos-and-articles-for-hacked-site.html"&gt;Help for hacked sites&lt;/a&gt;&lt;/em&gt; to help website owners whose sites have been compromised by spam or malware recover those sites. The new series includes over a dozen articles and more than an hour of video tutorials for webmasters of hacked sites; the videos help answer key questions, like how and why a site gets hacked, how to verify site ownership in Webmaster Tools, and how to use freely available tools to assess damage done to a hacked site.&lt;/p&gt;
&lt;p&gt;Check out Google's overview video for hacked site owners:&lt;/p&gt;
&lt;p&gt;&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/ubklMNgC6x8" width="560"&gt;&lt;/iframe&gt;&lt;/p&gt;
&lt;p&gt;StopBadware and Google have been working together for years to help site owners clean up and recover their hacked websites. Both we at StopBadware and our partners at Google understand how frustrating it can be to diagnose and recover a hacked site, and we want website owners to have all the help they can get to do it quickly and effectively. Many individuals and small businesses rely on their websites to stay in touch, drive traffic, and create profits that keep them going. A hack isn’t a small problem for most Web authors, so we’re thrilled that the Google team has put so much work into these new resources for webmasters.&lt;/p&gt;
&lt;p&gt;Take a look at all Google’s new material at &lt;a href="http://www.google.com/webmasters/hacked"&gt;www.google.com/webmasters/hacked&lt;/a&gt;. We’ll be adding Google’s great new stuff to &lt;a href="/hacked-sites-resources"&gt;our own resources for hacked site owners&lt;/a&gt; in the days to come!&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/stopbadware-partners" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;StopBadware Partners&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/hacked-sites" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;hacked sites&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/google" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;google&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Tue, 12 Mar 2013 17:18:21 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1728 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/03/12/new-google-series-helps-webmasters-recover-hacked-sites#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/03/12/new-google-series-helps-webmasters-recover-hacked-sites</feedburner:origLink></item>
<item>
 <title>Internet Identity becomes a StopBadware Partner</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/ZOxukHFQV9I/internet-identity-becomes-a-stopbadware-partner</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;We’re pleased to welcome &lt;a href="http://internetidentity.com/"&gt;Internet Identity&lt;/a&gt; as a new StopBadware Partner! We’ve been talking to the good people at IID for a few months, and we couldn’t be happier to formalize the relationship. IID has been busting bad guys on the Web since the Ice Age of the Internet. Back in the day, they discovered and nixed &lt;a href="http://internetidentity.com/history/"&gt;one of the first phishing attacks against AOL&lt;/a&gt;, and they recently unveiled a platform called ActiveTrust that enables threat intelligence sharing across industries. As we’re currently developing a &lt;a href="/data-sharing"&gt;data sharing program of our own&lt;/a&gt;, we’re understandably excited to draw on their knowledge of threat sharing infrastructure and processes. And of course we’re happy to have another experienced, collaborative voice to join our regular Partners Forum discussions.&lt;/p&gt;
&lt;p&gt;	The Internet Identity crew describe themselves as a company of passionate professionals who care about Internet security. We’re with them—and so are the rest of our &lt;a href="/partners"&gt;Partner companies&lt;/a&gt;.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware-partners" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;StopBadware Partners&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Fri, 08 Mar 2013 19:43:49 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1727 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/03/08/internet-identity-becomes-a-stopbadware-partner#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/03/08/internet-identity-becomes-a-stopbadware-partner</feedburner:origLink></item>
<item>
 <title>StopBadware is hiring a Web Security Technologist</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/q-lILlwy2C8/stopbadware-is-hiring-a-web-security-technologist</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;We're hiring an addition to our fun, hard-working team in Cambridge!&lt;/p&gt;
&lt;p&gt;&lt;iframe frameborder="0" height="510" src="https://docs.google.com/document/d/1K15vdl94aw29n62f-3R1Y7IrTWMe57NPcclwQrX7HPw/pub?embedded=true" style="border-width:0" width="660"&gt;&lt;/iframe&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <pubDate>Thu, 28 Feb 2013 19:55:40 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1726 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/02/28/stopbadware-is-hiring-a-web-security-technologist#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/02/28/stopbadware-is-hiring-a-web-security-technologist</feedburner:origLink></item>
<item>
 <title>A special thank you</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/VEEZPt1c8cg/a-special-thank-you</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;All of us at StopBadware would like to extend a special thank you to our board member and Treasurer, Esther Dyson. Esther recently accepted a generous donation to StopBadware in lieu of an honorarium for keynoting the upcoming &lt;a href="http://www.cofes.com/Events/COFES2013/tabid/592/Default.aspx"&gt;Congress on the Future of Engineering Software (COFES)&lt;/a&gt;. Thanks, as well, to Brad Holtz of &lt;a href="http://www.cyonresearch.com/"&gt;Cyon Research&lt;/a&gt;, the organizer of COFES, for making this possible.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Fri, 15 Feb 2013 15:52:52 +0000</pubDate>
 <dc:creator>mweinstein</dc:creator>
 <guid isPermaLink="false">1724 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/02/15/a-special-thank-you#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/02/15/a-special-thank-you</feedburner:origLink></item>
<item>
 <title>A Fuzzy Border: Malvertising</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/SLe9NO-YC54/a-fuzzy-border-malvertising</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;Earlier this week, my colleague Caitlin blogged &lt;a href="http://www.stopbadware.org/blog/2013/01/29/recent-misconceptions-about-malware-warnings"&gt;at some length&lt;/a&gt; about the way Web users perceive malware warnings, and how they are couched in the media. I wholeheartedly concur with her that good Internet hygiene dictates that when in doubt, respect your search provider’s and/or browser vendor’s malware warnings. It’s interesting to feel out some of the contours of that doubt by looking at one of the more ‘controversial’ blacklisting practices out there today: blacklisting websites that have been shown to serve a malvertisement. (A malvertisement here refers to a Web advertisement that contains malicious code, using our standard definition of ‘badware’ as what constitutes ‘malice’ here.)&lt;/p&gt;
&lt;p&gt;Most popular websites incorporate code received from advertising networks. From time to time, these advertising networks may find themselves compromised by enterprising coding or incompletely vetted sourcing. Websites blacklisted for malvertising have not themselves been compromised, but instead incorporate third party code that is detected to be suspicious. This, as the argument runs, means they are guilty of a venial sin instead of a mortal one—and that they therefore do not merit the sternly-worded warnings that are shown to their visitors. There are some appealing elements to this argument: that sites should not be punished for displaying, in good faith, content that is not directly of their making; that modern ad networks so carefully tailor and so frequently rotate the content they show to consumers that the actual infection surface created by a single bad ad is small enough to outweigh the reputational damage associated with a blacklisting; and that it is sufficient simply to blacklist the URLs or domains associated with the advertiser, not the site on which the actual adverts run.&lt;/p&gt;
&lt;p&gt;For the reasons Caitlin so eloquently stated, I don’t think this argument stands up to scrutiny as a matter of public policy — in large part because it’s difficult for the automated systems that support and define many large blacklisting efforts to content-neutrally weigh the equities of displaying a warning. But there’s something to the idea of blacklist operators trying to distinguish programmatically between maliciousness that is resident on a site rather than a visitor from an ad company.  Another way to look at it is this: are there characteristics that one finds in advertisements that deliver malware (other than the actual observed delivery of malware) that are clearly distinct from regular ad content?&lt;/p&gt;
&lt;p&gt;The distinction isn’t quite as clear cut as it may appear. In the course of testing websites as part of our reviews process, we frequently find examples of code that we may have difficulty classing as malware-distributing or not. (Bear in mind that most modern malware delivery code is heavily obfuscated and is designed to evade execution in a controlled environment, so sometimes the puzzling code is all we have to go on.) Caitlin referred me to &lt;a href="http://pastebin.com/NvTGxDQd"&gt;this code sample&lt;/a&gt; on Pastebin which may have been the code flagged by an automated malware detection system as malicious, and digging into it, it’s easy to see why. Take just two examples:&lt;/p&gt;
&lt;p class="rteindent1"&gt;&lt;strong style="font-family: 'courier new', courier, monospace;"&gt;line 4: &lt;/strong&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;var m3_r = Math.floor(Math.random()*99999999999); &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Using the Math.random function to fill a value in a variable with a junk name is really common when distributing malware.&lt;/p&gt;
&lt;p class="rteindent1"&gt;&lt;strong style="font-family: 'courier new', courier, monospace;"&gt;line 6:&lt;/strong&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt; document.write ("&amp;lt;scr"+"ipt type='text/javascript &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;This looks like an attempt to evade detection of script invocation by the browser, perhaps to confuse a browser ad-blocking extension — a goal that advertisers and malware distributors frequently share, since both want their content to be consumed, and in both cases a visitor is generally not seeking out the offending content as a primary goal.&lt;/p&gt;
&lt;p&gt;None of this is to cast any aspersions on the motivations of the programmers who wrote that ad code — I suspect that this script serves a legitimate and legal function, unlike any malware distribution. It does serve to underscore, however, how the boundary between legal, legitimate, and potentially unwanted code and illegal, illegitimate, and certainly unwanted code is not a boundary that is easily susceptible to analysis at human scale—much less at Web scale. And given the very real threat malware distribution poses to the health of the Internet (and its users), as well as the difficulty in using ‘obvious’ characteristics in code to divine that code’s intent, it is an understandable choice for blacklist operators to alert users about a site that has actually distributed malware and has suspicious-looking code on it.&lt;/p&gt;
&lt;p&gt;At present, it is the conventional wisdom (for good reason) that website security remains the responsibility of site owners — including advertising and other third-party content. But there’s an opportunity for those with much more tech savvy (ad networks) to take steps to assist those with much less. It would be a very positive development for the web ecosystem as a whole if advertisers were to take voluntary steps to disclose compromises in their network, and to write their code to a set of identifiable, specific standards that can help to steer clear of these gray areas.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <pubDate>Fri, 01 Feb 2013 15:12:55 +0000</pubDate>
 <dc:creator>imeister</dc:creator>
 <guid isPermaLink="false">1723 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/02/01/a-fuzzy-border-malvertising#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/02/01/a-fuzzy-border-malvertising</feedburner:origLink></item>
<item>
 <title>MarkMonitor, Fortinet, and Sucuri are new StopBadware Partners</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/GNjrmLBLwoU/markmonitor-fortinet-and-sucuri-are-new-stopbadware-partners</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;Therefore and thusly we doth decree: StopBadware’s first new partnerships of 2013 have been formed! Today we welcome a trio of security samurais, a triplicate of vulnerability vanquishers, a boisterous band of badware bashers: &lt;a href="https://www.markmonitor.com/"&gt;MarkMonitor&lt;/a&gt;, &lt;a href="http://www.fortinet.com/"&gt;Fortinet&lt;/a&gt;, and &lt;a href="http://sucuri.net/"&gt;Sucuri&lt;/a&gt;. All three of these companies will contribute their perspectives on security, recent attacks, and the evolving threatscape to StopBadware’s Partners Forum discussions. And more: Fortinet has signed on to participate in our new &lt;a href="/data-sharing"&gt;data sharing initiative&lt;/a&gt;, MarkMonitor was instrumental in helping to get the Ads Integrity Alliance’s Web presence up and running, and Sucuri’s crew of website experts have been helping webmasters on our &lt;a href="https://badwarebusters.org/"&gt;community forum&lt;/a&gt; for several years. A big, formal welcome to these three great companies!&lt;/p&gt;
&lt;p&gt;	&lt;a href="/partners"&gt;Our partner companies&lt;/a&gt; have always spanned an impressive breadth and depth of security interests and expertise. Incorporating all these diverse perspectives into an ongoing, actionable conversation is a constant challenge, but it’s a challenge we’ve come to welcome, and from which we consistently benefit. MarkMonitor, Fortinet, and Sucuri are a perfect example of our supporters’ outstanding diversity: these three new StopBadware Partners represent leadership in online brand protection, network security and unified threat management, and website malware protection and cleanup. As broad as their interests are, they join a distinguished crew in working toward a singular, grand goal: finding new ways to make the Web safer for everyone.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/partners" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;partners&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Thu, 31 Jan 2013 19:27:58 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1722 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/01/31/markmonitor-fortinet-and-sucuri-are-new-stopbadware-partners#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/01/31/markmonitor-fortinet-and-sucuri-are-new-stopbadware-partners</feedburner:origLink></item>
<item>
 <title>Recent misconceptions about malware warnings</title>
 <link>http://feedproxy.google.com/~r/StopbadwareBlog/~3/sb851KlO1XU/recent-misconceptions-about-malware-warnings</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="content:encoded"&gt;&lt;p&gt;We’ve seen quite a &lt;a href="http://blog.ineedhits.com/search-news/google-incorrectly-blocks-access-to-major-tech-sites-203812289.html"&gt;few&lt;/a&gt; &lt;a href="http://torrentfreak.com/pirate-bay-branded-malware-distributor-by-google-130118/"&gt;news&lt;/a&gt; &lt;a href="http://socialmediatoday.com/cschroder/1163996/google-we-dont-care-we-dont-have"&gt;articles&lt;/a&gt; &lt;a href="http://www.mobilenapps.com/articles/6641/20130121/google-deems-pirate-bay-malware-distributor-chrome-firefox-give-warnings.htm"&gt;recently&lt;/a&gt; about malware warnings on high-profile websites. The stories we’ve been reading have two things in common: first, they’ve all been about warnings that occur because of an advertisement’s being detected as malware; second, many or even most of them have dismissed the malware warnings as incorrect, overly alarming, and/or too wide in scope.&lt;/p&gt;
&lt;p&gt;To be clear, StopBadware is not in a position to comment on whether any of these incidents were, as many have been quick to claim, false positives. While extremely rare, false positives are not impossible. We’ve seen very, very few false positives in our years of reviewing websites big and small, but we know there have been a few. In short, we won’t rule it out.&lt;/p&gt;
&lt;p&gt;What disturbs us about the recent spate of news coverage, however, is the attitude that malware warnings &lt;em&gt;in general&lt;/em&gt; are error-prone, arbitrary, or to be taken with a grain of salt. This is not the case. Malware warnings in modern browsers exist first and foremost to protect users by informing them and offering them a clear choice about what happens to their computers. Their accuracy is extremely high, they are content-neutral, and heeding them protects millions of users from becoming victims of badware.&lt;/p&gt;
&lt;p&gt;Among the recent complaints:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
		The warnings are arbitrary advisories about site contents.&lt;/li&gt;
&lt;li&gt;
		False positives are common.&lt;/li&gt;
&lt;li&gt;
		The warnings are unjustly alarmist.&lt;/li&gt;
&lt;li&gt;
		A whole site or page shouldn’t be blacklisted when “only the ad is bad.”&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Some background: The malware warnings shown by many major browsers and search engines are based on blacklists curated by companies who put lots of resources into detecting and analyzing malware. These companies have automated detection systems that constantly scan the Web for malicious activity. When a site is blacklisted, it’s because these systems encountered code on that site that caused something bad to happen without asking the visiting entity for consent. Examples of “something bad” might include a redirect to a malicious domain or a download that starts silently in the background while a user is browsing the site.&lt;/p&gt;
&lt;p&gt;A great many websites blacklisted by security companies are legitimate sites that have been infected with malware without the knowledge or permission of their owners. There are more than a few organizations that realize this and provide avenues to help webmasters clean up and remove their sites from blacklists as quickly as possible. Google and Microsoft both do this, as do some smaller security firms. StopBadware helps several companies, including Google, provide due process for owners of blacklisted sites by offering independent reviews and cleanup help.&lt;/p&gt;
&lt;p&gt;StopBadware often receives emails and other communications from people who are indignant about a big, popular site’s being blacklisted by Google or another company. These people are sure that these incidents must be false positives, because they are understandably unaware that even big sites with high security can be compromised and blacklisted. Infected ad networks are one of the common ways big, high-traffic sites are compromised to deliver malware. Just as a website’s being compromised should not necessarily reflect negatively on the site owner, an advertising platform’s being compromised is not always (or even usually) an indication that the ad provider is irresponsible or negligent. Many advertising platforms take great pains to prevent bad ads and protect the publishers they serve.&lt;/p&gt;
&lt;p&gt;When a malicious ad &lt;em&gt;does&lt;/em&gt; make it onto a popular site despite the best intentions of the ad provider or the site administrator, that ad has the potential &lt;a href="http://news.cnet.com/8301-27080_3-20000898-245.html"&gt;to do a lot of damage&lt;/a&gt;. Often, visitors to a site serving a bad ad don’t even need to click on the ad for it to cause harm; their machines are infected as soon as the ad loads in their browsers. In cases like this, warnings are there to help Web users make informed choices about what happens to their computers. At present, it’s not technically feasible to warn about &lt;em&gt;only&lt;/em&gt; an embedded ad in a Web page.&lt;/p&gt;
&lt;p&gt;Visitors to blacklisted sites are always free to ignore the warnings and continue on to the blacklisted site if they wish. The language in the warnings, however, is deliberately strong and designed to discourage users from clicking through. If a popular site was detected to be doing something bad (like serving a drive-by download or redirecting to a domain doling out the Black Hole Exploit Kit), people &lt;em&gt;should&lt;/em&gt; be wary of clicking through a warning. Yes, the warnings are designed to be alarming. They wouldn't be called warnings otherwise. &lt;/p&gt;
&lt;p&gt;As we mentioned, malware warnings in most modern browsers are generated based on automated detection systems. Key word = &lt;em&gt;automated&lt;/em&gt;. Site contents—the text, brand, politics, or anything else that lends meaning and substance—are not ever taken into consideration. Automated malware detection systems don’t detect personal opinions or copyright infringement. They simply look for bad behavior, whether that behavior is detected on a community forum, a warez site, or a government portal. This is a major advantage of automated systems: they’re fundamentally unbiased.&lt;/p&gt;
&lt;p&gt;Code is not perfect, and neither are any given company’s methods for detecting bad code. The bad guys are always updating and adapting their malware delivery techniques; logically, it follows that the companies who work to detect malicious code must also be constantly evolving and improving their detection mechanisms. As you might expect, the dynamic nature of this process can lead to a false positive every once in a while. Once again, however, we’d like to stress the infrequency of this. In the overwhelming majority of cases, browser or search engine malware warnings alert users to real danger that can cause real damage.&lt;/p&gt;
&lt;p&gt;Please, don’t ignore malware warnings—or encourage others to—because a high-profile case or two claim to have been false positives. It’s up to all of us to help stop badware, and malware warnings play a critical role in protecting the Internet ecosystem.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-post-tags field-type-taxonomy-term-reference field-label-above"&gt;
      &lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;
    &lt;div class="field-items"&gt;
          &lt;span class="field-item even"&gt;&lt;a href="/tags/malware-warnings" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;malware warnings&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/false-positive" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;false positive&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item even"&gt;&lt;a href="/tags/malware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;malware&lt;/a&gt;&lt;/span&gt;,          &lt;span class="field-item odd"&gt;&lt;a href="/tags/stopbadware" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype=""&gt;stopbadware&lt;/a&gt;&lt;/span&gt;      &lt;/div&gt;
&lt;/div&gt;</description>
 <pubDate>Tue, 29 Jan 2013 18:05:50 +0000</pubDate>
 <dc:creator>ccondon</dc:creator>
 <guid isPermaLink="false">1721 at https://www.stopbadware.org</guid>
 <comments>https://www.stopbadware.org/blog/2013/01/29/recent-misconceptions-about-malware-warnings#comments</comments>
<feedburner:origLink>https://www.stopbadware.org/blog/2013/01/29/recent-misconceptions-about-malware-warnings</feedburner:origLink></item>
</channel>
</rss>
