Tuesday, May 25, 2010

Anatomy of a Modern Compromised Website

In the security community, little attention is paid to compromised websites that don't serve up malware. The malicious URL lists maintained by the anti-virus companies, by Google, and by nearly every other source of malicious URLs rely on anti-virus to trigger on exploits and malware to determine if a site is malicious. In a few select cases, behavioral analysis may be used to determine if a visit to a website will lead to an infected computer. But sites that are taken over by hackers are frequently used for other purposes besides directly serving up viruses or redirecting to sites that do.

When a hacker gains control of a site, they generally do one of several things:

  1. Nothing -- they sit on it waiting for a later date,
  2. Malware -- they load on exploits and malware or links to sites that host these in an attempt to infect visitors to the site,
  3. Defacement -- they put up a big notice saying they hacked the site,
  4. Attack relay -- they use the site as part of a chain of sites that lead to malware,
  5. Hijacked advertising -- they put ads on the site or change ads on the site to make themselves the beneficiaries, or
  6. Blackhat SEO -- they use the site to trick search engines into thinking that some other site or sites are very popular and should be elevated in search page results.

It is the last one, Blackhat Search Engine Optimization (SEO), where hackers are seeing so much success (see our previous blogs on this topic). SEO is the pseudoscience of increasing a website's ranking in a set of search results. Landing at or near the top means more traffic to a website, which can mean advertising revenue or, if the site is malicious, a larger number of infected computers. In either case, the motive is money. And in some cases, hackers sell their SEO services and make money by increasing that search engine ranking.

In any case, search engine rankings are largely driven by popularity. The top results have links coming from many other sites, and the more popular the linking sites are, the higher the ranking of the site they link to. We call it Blackhat SEO because hackers use the websites they've compromised to host links to a website that they want to appear high up in search results. These links are usually hidden so that casual visitors to the site and the site's maintainers don't see them. The links are disguised by putting them off screen or using other techniques to make them invisible to a human visitor, while they remain perfectly visible to computers like Google's crawlers.

Take, for example, the case of Nauman Sod Farms, a small business in Iowa with a simple website that eSoft first flagged as compromised on February 4th, 2009. It was continuously rechecked and found by eSoft to be infected from then up through this posting.

It is easy to see why someone would think this site is innocent. To a normal user, it appears perfectly fine, but this small business is being exploited by hackers. If you view their home page without security precautions, everything looks normal. If you then disable javascript (using the NoScript plugin or your browser preferences) and reload the home page, you’ll see a long stream of cell phone related links show up at the bottom of the page including:

  • cf card gsm review siemens
  • unlocking nokia 5210e
  • tocatta and fugue in d minor ringtone verizon
  • motorola e1 secret codes
  • samsung le32r41bd
  • free download polyphonic ringtones through sms
  • motorola java games
  • law and order ringtone

In this case, javascript was used to hide the links, but that is not always the technique used. And in this case, the links are search engine bait for various mobile phone searches, but we more often see links to pornography sites and malicious sites inside these PageRank Bombs.

In this case, two pieces of obfuscated javascript (meaning it has been encoded so that it does not match anti-virus signatures) add some code to the page that hides the links for those who have javascript enabled. This obfuscated javascript looks like this:



and basically evaluates to this:

   document.write('<div style="height:1px;overflow:auto;">');

where that height of 1 pixel is what instructs the browser to hide the links from a visiting user.

Scanning this compromised page with novirusthanks.org shows that of their 20 AV scanners, none detect a problem. Similarly, not one other URL checker shows any problem with this site including Google’s Safe Search and SiteAdvisor.

Unfortunately, in the case of this particular site, the infection runs deeper. Clicking through into the site offers up a new threat. At the bottom of the page, a hidden iframe has been injected. Essentially this means that the attackers have chosen to have the browser fetch content from another site but not for the purpose of displaying anything to the user. These are typically used to embed exploits hosted on another site onto the compromised site while reducing the maintenance effort. In this particular case, the iframe links to a page that is now missing, so for the moment, visitors are not being infected with malware. Based on our records though, the embedded iframe used to lead to malware, meaning that visitors to this site were targeted with viruses.
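A static check for the two injection patterns described above, links hidden inside a 1-pixel or off-screen container (whether written out by a script, as here, or present in the markup) and hidden or zero-sized iframes, as an added example written for this post and not eSoft's own scanner; it also flags display:none and visibility:hidden containers beyond the height:1px trick shown here. The sample page, its example.invalid URLs and the HiddenContentScanner class are constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Inline styles that keep content off-screen for a person while a crawler still reads it.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|height\s*:\s*[01]px|(?:left|top)\s*:\s*-\d{3,}px", re.I)
CONTAINERS = {"div", "span", "p", "ul", "ol", "li", "td", "table", "font"}
# A script writing a container's opening tag, e.g. document.write('<div style="...">')
DOC_WRITE = re.compile(r"document\.write\(\s*(['\"])(<(div|span)\b.*?)\1", re.I | re.S)
class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self._script, self._href = [], False, None  # open containers as (tag, hides)
        self.hidden_links, self.hidden_iframes = [], []          # (href, text) pairs / src values
    def hidden(self):
        return any(h for _, h in self.stack)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = bool(HIDING.search(a.get("style") or ""))
        if tag == "script":
            self._script = True
        elif tag == "iframe" and (hides or self.hidden() or "0" in (a.get("width"), a.get("height"))):
            self.hidden_iframes.append(a.get("src") or "")
        elif tag == "a" and self.hidden():
            self._href = a.get("href") or ""
        if tag in CONTAINERS:
            self.stack.append((tag, hides))
    def handle_endtag(self, tag):
        if tag == "script":
            self._script = False
        elif tag == "a":
            self._href = None
        elif tag in CONTAINERS and self.stack and self.stack[-1][0] == tag:
            self.stack.pop()
    def handle_data(self, data):
        if self._script:  # a written-out opening tag hides everything that follows it in the markup
            for m in DOC_WRITE.finditer(data):
                self.stack.append((m.group(3).lower(), bool(HIDING.search(m.group(2)))))
        elif self._href is not None and data.strip():
            self.hidden_links.append((self._href, data.strip()))

def scan(html):
    s = HiddenContentScanner()
    s.feed(html)
    s.close()
    return s.hidden_links, s.hidden_iframes
# Constructed sample page (not the real site): normal content plus an injected hidden block and iframe.
SAMPLE = """<html><body><p>Welcome. <a href="/about">About us</a></p>
<script>document.write('<div style="height:1px;overflow:auto;\\">');</script>
<a href="http://example.invalid/1">cf card gsm review siemens</a> <a href="http://example.invalid/2">unlocking nokia 5210e</a></div>
<div style="position:absolute;left:-5000px"><a href="http://example.invalid/3">motorola java games</a></div>
<iframe src="http://example.invalid/frame" width="0" height="0"></iframe></body></html>"""
```

Run it over the HTML as fetched, with scripts left unexecuted, which is the same view of the page a crawler and the NoScript test above give.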

This site has been compromised like this for over a year without the owner of the website knowing -- and this is quite common. It is difficult for security companies like eSoft to automatically notify website owners when their websites are compromised since public information about sites is frequently hidden through privacy screens or else leads to spam traps. eSoft's Threat Prevention Team reached out to Nauman Sod Farms four days ago using the email address on their site to alert them to the problem, but so far there has been no response and the website remains under the control of hackers. Until this is fixed, and because of the likelihood that the hackers may again start infecting visitors with malware, we recommend that folks avoid this site for now. Users of eSoft's secure web filtering will see this site marked as Compromised.

In general, we believe it is important to identify sites that are under the control of hackers even when those sites aren't being used to propagate computer viruses. These sites may at any time become threatening in that way and are frequently used as part of the machine that drives other sites where the actual malware is stored. The industry as a whole needs to pay more attention to these sites. In the meantime, eSoft does provide protection from these sites and identifies thousands like this one every day.

Friday, May 14, 2010

Phishing Scams Lure Twitter Users

The newest phishing scam on Twitter has snared thousands of users hoping to increase their number of followers. Instead, users are sent off to a phishing page where cybercriminals steal their Twitter logins and use them to generate more spam.

Thousands of spam messages are floating around on Twitter with links to increase the users’ follower count:

  • CHECK out this site, im a member of it, gets you more followers
  • If you trying to get more followers check out
  • Get more followers for free!

The cybercriminals use shortened URLs to prevent spam detection on Twitter.  Scammers are using a variety of URL shortening services to evade standard security precautions.

The shortened links lead to phishing pages that capture the user's Twitter login but never do anything to increase the user's follower count. The compromised accounts are then used to send more spam and lure in more unsuspecting users.

With more followers on Twitter, you're able to expand your reach and connect with more people. This makes for a very effective social engineering trick, taking advantage of user tendencies for malicious purposes. Users are typically none the wiser until spam messages start appearing from their account.

There are now a tremendous number of third-party sites and services available to support the Twitter crowd. It's important that users remember not to give out login information without first verifying the legitimacy of Twitter applications and websites. Most legitimate services now redirect users directly to the Twitter API and use the OAuth method of authentication. Users should look closely at their URL bar to be sure they are on Twitter's site before entering their login credentials.

If you see strange spam messages like these showing up on your account, change your password immediately.  eSoft protects SiteFilter users from these phishing sites with the “Phishing & Fraud” category and is actively flagging new sites as they’re discovered.

Wednesday, May 12, 2010

Google Groups Latest Hot Spot for Rogue AV and Malware

eSoft researchers have been tracking a recent campaign abusing Google Groups to spread malicious links in spam emails. Users following the link are infected with a Downloader Trojan, which silently infects the machine with various types of malware including Rogue Anti-Virus.

The scam starts with an email asking the user to update their email settings according to the linked instructions.  The URL in the message brings the user to a Google Groups page linking to a malicious download.

Sample Email:

The link on the Google Groups page is a Downloader Trojan with better-than-average virus detection: 58% of virus scanners detected the file as malicious on VirusTotal.

The Downloader then does its job, downloading a mixed bag of malware from several locations. eSoft is currently blocking all known distribution points.  Among the malware downloaded is Desktop Security 2010, a Rogue Anti-Virus program.

A fake system scan is run notifying the user they’ve been infected and prompting the user to purchase a license key to remove the malware.

For only $89.95 you can get a lifetime license with special support. Users following through on the purchase have handed their credit card and other personal information to cybercriminals on a silver platter.

Access to the Internet through the browser is blocked until you’ve purchased a license, adding a hint of Ransomware to the mix.  Between this tactic and the official looking interface, unsavvy users are unfortunately easy prey.

Use of community sites like Google Groups, Windows Live, Blogger and others is becoming commonplace for cybercriminals looking to get the upper hand on web and spam filters. Secure Web Filtering with a combination of granular classifications and real-time URL lookups is the most effective way to combat these threats.

eSoft is actively identifying and flagging select Google Groups pages as Compromised as they’re discovered.  Other sites involved with this attack are blocked as Malware Distribution Points.

Update: May 12th 10:00 AM

It appears the spammers have switched tactics and are now sending fake ecards claiming to be from 123greetings.com. Users receive an email in the form below with an image link.  The links in the email use the same Google Groups URLs and present the same dangerous malware.  This new round of spam uses an even more effective social engineering trick than in the first campaign, and more unsuspecting users will certainly fall victim.